LDAP + Kerberos
LDAP and Kerberos together make for a great combination. Kerberos is used to manage credentials securely (authentication), while LDAP is used for determining criteria about the accounts, such as what they are allowed access to (authorization), and other account metadata. Most other LDAP setups involve storing passwords in the LDAP directory itself using the userPassword attribute. While this is fine for a basic setup, one can do much better with just a little effort.
this is a work in progress, obv.
This guide is intended as a Debian-focused update to excellent guides such as http://aput.net/~jheiss/krbldap/howto.html . Many of the workarounds those guides describe are no longer needed in recent releases of Debian; however, there are still a few places where one can easily get snagged.
The goal of this document is to create a Single Sign-On (SSO) system without using NIS or passwords stored in LDAP. This includes a client setup which can successfully use Kerberos for authentication and LDAP for authorization. A number of common clients are shown, such as a standard shell login and Apache2 integration.
With LDAP come many solutions to very similar problems. Many people use LDAP because of an existing Active Directory setup, so certain tools need to be used to deal with its quirks. As this guide starts from scratch, it can be done as simply as possible. By far the simplest way to integrate Kerberos and LDAP on one system is to use PAM (authentication) and NSS (authorization).
This document was originally written based on experience with Debian/etch and Debian/lenny. Please update accordingly.
There are plenty of guides for setting up a Kerberos server on Debian. Once you have a KDC set up with a test principal, come back to this document.
Install the following packages:
libpam-krb5 krb5-config krb5-clients krb5-user
The Kerberos client setup is straightforward using the krb5-config package's config. For libpam-krb5, you will have to modify your /etc/pam.d/common-* files according to /usr/share/doc/libpam-krb5/README.Debian.
If you're having trouble, check the following:
- ensure krb5.conf is set properly. Things to check for:
  - ensure your domain is mapped in the domain_realm section at the bottom; this is used by the GSSAPI LDAP integration and will cause weird problems if you happen to be in a subdomain of any of the defaults
  - ensure your default_realm is proper
  - ensure your realm is defined in the realms section
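The three krb5.conf checks above, as an added shell example that is not part of the original page: it parses a constructed sample krb5.conf (the realm EXAMPLE.COM, the KDC name and the domain .example.com are assumed values) and reports the first check that fails.

```shell
#!/bin/sh
# Added example (not from the original page): checks a krb5.conf for the
# three things listed above: default_realm is set, that realm has a block
# under [realms], and the host's domain is mapped under [domain_realm].
# The realm, KDC name and domain below are constructed sample values.
# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        $1 == sec { insec = 1; next }
        $1 ~ /^\[/ { insec = 0 }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}
# realm_defined FILE REALM: succeed if "REALM = {" opens a block in [realms].
realm_defined() {
    awk -v realm="$2" '
        $1 == "[realms]" { insec = 1; next }
        $1 ~ /^\[/ { insec = 0 }
        insec && $1 == realm && $2 == "=" && $3 == "{" { found = 1 }
        END { exit !found }
    ' "$1"
}
# domain_mapped FILE DOMAIN REALM: succeed if DOMAIN (e.g. .example.com)
# maps to REALM in [domain_realm], the lookup GSSAPI LDAP binds rely on.
domain_mapped() {
    [ "$(ini_get "$1" domain_realm "$2")" = "$3" ]
}
# check_krb5conf FILE DOMAIN: run all three checks, status 0 only if all pass.
check_krb5conf() {
    realm=$(ini_get "$1" libdefaults default_realm)
    [ -n "$realm" ] || { echo "default_realm is not set"; return 1; }
    realm_defined "$1" "$realm" || { echo "$realm has no [realms] entry"; return 1; }
    domain_mapped "$1" "$2" "$realm" || { echo "$2 is not mapped to $realm"; return 1; }
    echo "krb5.conf is consistent for $realm / $2"
}
# Constructed sample krb5.conf so the checks can be run offline.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
EOF
check_krb5conf "$SAMPLE_CONF" .example.com
```

Point check_krb5conf at /etc/krb5.conf and the host's own domain to run it against a real client.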
See LDAP/OpenLDAPSetup to get your server set up.
Getting your feet wet with LDAP
A very helpful tool for getting one's feet wet with LDAP is phpldapadmin. While it's certainly no replacement for a proper account management system, it lets you create accounts and tinker with attributes while conforming to the schemas.
LDAP data structure
Starting an LDAP server from scratch can be a bit daunting, as it starts out as a blank, unstructured slate. One tool to help get started is the migrationtools package. If one is familiar with /etc/passwd and /etc/group, one can see how that then translates to the world of LDAP using /usr/share/migrationtools/migrate_passwd.pl and friends. See ../MigrationTools for more information. These tools create posixGroup and posixAccount objects.
The common hierarchical structure of ou=Users,dc=example,dc=com and ou=Groups,dc=example,dc=com seems to work quite well for most software out-of-the-box.
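An added example, not part of the page or of the migrationtools package: a small shell equivalent of migrate_passwd.pl that emits posixAccount and posixGroup LDIF into the ou=Users / ou=Groups layout above, leaving out userPassword because Kerberos, not LDAP, holds the credentials. The base DN dc=example,dc=com and the sample users are constructed values.

```shell
#!/bin/sh
# Added example (not from the page or the migrationtools package): turn
# passwd/group style lines into posixAccount/posixGroup LDIF under the
# ou=Users / ou=Groups layout, deliberately omitting userPassword since
# Kerberos holds the credential. BASE_DN and the sample data are constructed.
BASE_DN="dc=example,dc=com"
# containers_ldif: the two organizationalUnit entries the accounts live under.
containers_ldif() {
    printf 'dn: ou=Users,%s\nobjectClass: organizationalUnit\nou: Users\n\n' "$BASE_DN"
    printf 'dn: ou=Groups,%s\nobjectClass: organizationalUnit\nou: Groups\n\n' "$BASE_DN"
}
# passwd_to_ldif: read "user:x:uid:gid:gecos:home:shell" lines on stdin.
passwd_to_ldif() {
    awk -F: -v base="$BASE_DN" '
    NF >= 7 {
        split($5, g, ",")   # gecos: the full name is the part before the first comma
        printf "dn: uid=%s,ou=Users,%s\n", $1, base
        print "objectClass: top\nobjectClass: account\nobjectClass: posixAccount"
        printf "uid: %s\ncn: %s\nuidNumber: %s\ngidNumber: %s\n", $1, (g[1] != "" ? g[1] : $1), $3, $4
        printf "homeDirectory: %s\nloginShell: %s\n\n", $6, $7
        # no userPassword attribute: authentication is handled by Kerberos
    }'
}
# group_to_ldif: read "group:x:gid:member1,member2" lines on stdin.
group_to_ldif() {
    awk -F: -v base="$BASE_DN" '
    NF >= 3 {
        printf "dn: cn=%s,ou=Groups,%s\n", $1, base
        print "objectClass: top\nobjectClass: posixGroup"
        printf "cn: %s\ngidNumber: %s\n", $1, $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") printf "memberUid: %s\n", m[i]
        print ""
    }'
}
# Constructed sample input, the same shape migrate_passwd.pl reads from /etc/passwd.
containers_ldif
printf 'alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash\n' | passwd_to_ldif
printf 'login:x:2000:alice\n' | group_to_ldif
```

Feed the output to ldapadd against the server set up earlier; the resulting login group is the one pam_access can key on later in this document.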
Instead of using LDAP PAM as described in LDAP/PAM, set up PAM to authenticate using Kerberos. Install libpam-krb5 and then proceed to /usr/share/doc/libpam-krb5/README.Debian, which has great directions to get going. If your Kerberos environment was properly set up above, then you should have logins working nicely.
A common task is to restrict ssh logins to a given LDAP group. With NIS, you would do this with careful tweaking of your /etc/passwd file. With LDAP, the easiest way is to use the pam_access module.
Add the following line to /etc/pam.d/common-auth
account required pam_access.so
This will activate /etc/security/access.conf, to which you can tweak as follows:
# disallow all except people in the login group and root
-:ALL EXCEPT root login:ALL
This assumes you have a posixGroup named login in your LDAP tree with LDAP/NSS set up properly.
See LDAP/NSS to get started. There is nothing special you need to do beyond ensuring that you properly configure /etc/libnss-ldap.conf.
Basic authentication over SSL
Basic + SSL is a quick way to set up restricted access to websites. It's not the best, usability-wise (this is usually the fault of most browsers for not exposing identity management at all), but it works well enough for most internal-use cases.
- Set up PAM. Ensure that you can log in to the server using LDAP + Kerberos credentials.
- Install libapache2-mod-auth-pam and then run a2enmod auth_pam.
- Set up SSL. You never want to do Basic authentication across the wild 'net without some SSL protecting it; see the d-a.org article at http://www.debian-administration.org/articles/349 .
- In your virtual host for your given site, you can restrict a path as follows:
<Location /restrictedpath>
    AuthPAM_Enabled on
    AuthType basic
    AuthName "Example.com Restricted Login"
    AuthGROUP_Enabled on
    require valid-user
</Location>
Other options are to use libapache2-mod-auth-kerb or libapache2-mod-authn-sasl, but neither of those provides group information from LDAP. It might be possible to pull that in using the authnz_ldap module that comes with Apache2, but that module seems quite intent on performing the authentication phase, which in our case is supposed to be handled by Kerberos, not LDAP.