SiNotes-Grid

    Friday, April 28, 2006

    Use SASL(GSSAPI) in openLDAP

    1. # ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
    dn:
    supportedSASLMechanisms: GSSAPI

    *Because I have already disabled the other auth mechanisms when building Cyrus-SASL, only GSSAPI is available here.

    2. # ldapsearch -h localhost -p 389 -I -b "" -s base -LLL supportedSASLMechanisms
    SASL/GSSAPI authentication started
    SASL Interaction
    Please enter your authorization name:
    SASL username: ktang/admin@IERC.OX.AC.UK
    SASL SSF: 56
    SASL installing layers
    dn:
    supportedSASLMechanisms: GSSAPI

    *Note*: Don't enter anything when prompted for the authorization name, just press "Enter"! A name that differs from the identity you authenticated as is a proxy authorization request, which slapd refuses unless it has been configured to allow it, so otherwise errors will occur:
    ldap_sasl_interactive_bind_s: Insufficient access (50)
    additional info: SASL(-14): authorization failure: Inappropriate authentication

    *Of course you need to run "kinit ktang/admin" first to get the ticket.
    Alternatively, you can pass the authentication ID with -U:
    ./ldapsearch -h localhost -p 389 -U 'ktang/admin@IERC.OX.AC.UK' -b "" -s base -LLL supportedSASLMechanisms
    Then there is no need to input a username.

    3. Any user authenticated by Kerberos will be mapped to an authentication request DN in the LDAP server of the form:
    uid=username,cn=realm,cn=gssapi,cn=auth

    To check your authentication request DN, use the "/usr/local/openLDAP/bin/ldapwhoami" command. In my case, I was authenticated as "ktang/admin@IERC.OX.AC.UK" by the Kerberos server, so my authentication request DN in LDAP is:
    uid=ktang/admin,cn=ierc.ox.ac.uk,cn=gssapi,cn=auth

    4. You can configure ACLs in slapd.conf to give read/write access to the authentication request DN above; this might be the simplest way. For example, adding the following to slapd.conf gives me write privilege on all entries in the LDAP server once I have been authenticated as ktang/admin by Kerberos:
    access to *
      by self write
      by dn="uid=synew,cn=ierc.ox.ac.uk,cn=gssapi,cn=auth" write
      by users read
      by anonymous auth
      by * none
    However, usually the LDAP server already holds entries for all the users who want to access it, but not in the authentication request format (i.e. not under the cn=auth subtree). What we need is authentication identity mapping.

    5. Wherever possible, direct mapping is recommended, which has the following format:
    authz-regexp
      uid=([^,]*),cn=oerc.ox.ac.uk,cn=gssapi,cn=auth
      uid=$1,dc=oerc,dc=ox,dc=ac,dc=uk

    *N.B. Don't use the following format; it doesn't work for me, although it should.
    authz-regexp
      uid=([^,]*),cn=[^,]*,cn=auth
      uid=$1,dc=oerc,dc=ox,dc=ac,dc=uk

    *N.B. With this mapping added, the ACL we just made will *NOT* work for the super user "synew"!! The reason is that your authentication request DN is no longer "uid=synew,cn=ierc.ox.ac.uk,cn=gssapi,cn=auth" but is mapped to "uid=synew,dc=oerc,dc=ox,dc=ac,dc=uk", so the dn clause in the ACL never matches and the bind falls through to "by users read". Therefore we need to use the following ACL policy instead:
    access to *
      by self write
      by dn="uid=synew,dc=oerc,dc=ox,dc=ac,dc=uk" write
      by users read
      by anonymous auth
      by * none
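    The pitfalls in steps 3 to 5 are easier to see when the identity pipeline is run end to end. The following is an added example (not from the original notes, not OpenLDAP code) that models in Python how slapd derives the cn=auth request DN, rewrites it with authz-regexp and evaluates a first-match ACL; it assumes the ierc realm and suffix throughout where the notes switch between ierc and oerc, and the ACL model and the synew/ktang identities are simplified constructed data. It also shows why the generic pattern uid=([^,]*),cn=[^,]*,cn=auth never matches a GSSAPI request DN: that DN carries two cn components (realm and gssapi) between uid and cn=auth.

```python
import re

# Constructed example data following the notes: realm IERC.OX.AC.UK and
# suffix dc=ierc,dc=ox,dc=ac,dc=uk (the notes write "oerc" in some places).
SUFFIX = "dc=ierc,dc=ox,dc=ac,dc=uk"

# Step 5's direct mapping, and the generic pattern noted as not working.
DIRECT_RULE = (r"uid=([^,]*),cn=ierc.ox.ac.uk,cn=gssapi,cn=auth", "uid=$1," + SUFFIX)
GENERIC_RULE = (r"uid=([^,]*),cn=[^,]*,cn=auth", "uid=$1," + SUFFIX)

# Step 4's ACL, written against the unmapped cn=auth DN, and the corrected one.
ACL_CN_AUTH = [("self", "write"),
               ("dn=uid=synew,cn=ierc.ox.ac.uk,cn=gssapi,cn=auth", "write"),
               ("users", "read"), ("anonymous", "auth"), ("*", "none")]
ACL_MAPPED = [("self", "write"), ("dn=uid=synew," + SUFFIX, "write"),
              ("users", "read"), ("anonymous", "auth"), ("*", "none")]

def auth_request_dn(principal):
    """DN slapd builds for a principal authenticated through SASL/GSSAPI:
    uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth (realm lower-cased,
    as ldapwhoami shows in the notes)."""
    name, realm = principal.rsplit("@", 1)
    return "uid=%s,cn=%s,cn=gssapi,cn=auth" % (name, realm.lower())

def apply_authz_regexp(dn, rules):
    """Apply authz-regexp (pattern, replacement) pairs in order: the first
    pattern that matches rewrites the DN, $N standing for capture group N.
    Matching is regexec-style: extended syntax, case-insensitive, unanchored."""
    for pattern, replacement in rules:
        m = re.search(pattern, dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return dn  # no rule matched: the bind keeps its cn=auth identity

def acl_decision(bind_dn, target_dn, clauses):
    """Minimal model of one 'access to *' directive: the first 'by' clause
    matching the bound identity decides; bind_dn "" means anonymous."""
    for who, level in clauses:
        if who == "self" and bind_dn and bind_dn.lower() == target_dn.lower():
            return level
        if who.startswith("dn=") and bind_dn.lower() == who[3:].lower():
            return level
        if who == "users" and bind_dn:
            return level
        if who == "anonymous" and not bind_dn:
            return level
        if who == "*":
            return level
    return "none"

def walk_through(principal="synew@IERC.OX.AC.UK", target="uid=ktang," + SUFFIX):
    """Reproduce the N.B.: the step-4 ACL grants write before the mapping is
    added and only read afterwards, until its dn clause is rewritten as well."""
    unmapped = auth_request_dn(principal)
    mapped = apply_authz_regexp(unmapped, [DIRECT_RULE])
    return {
        "unmapped_dn": unmapped,
        "mapped_dn": mapped,
        "generic_rule_result": apply_authz_regexp(unmapped, [GENERIC_RULE]),
        "old_acl_before_mapping": acl_decision(unmapped, target, ACL_CN_AUTH),
        "old_acl_after_mapping": acl_decision(mapped, target, ACL_CN_AUTH),
        "new_acl_after_mapping": acl_decision(mapped, target, ACL_MAPPED),
    }
```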





    Tuesday, April 25, 2006

     

    SAML,shibboleth,SSO,GSSAPI,Kerberos and webAuth

    1. The single most important problem that SAML is trying to solve is the web single sign-on (SSO) problem. SSO solutions at the intranet level abound (using cookies, e.g.) but extending these solutions beyond the intranet has been problematic and has led to the proliferation of proprietary technologies that do not interoperate. SAML has become the definitive standard underlying many web SSO solutions in the identity management problem space.

    2. The GSSAPI is a generic API for doing client-server authentication. The motivation behind it is that every security system has its own API, and the effort involved in adding different security systems to applications is extremely high given the variance between security APIs. With a common API, however, application vendors can write to the generic API and have it work with any number of security systems. Most major Kerberos 5 distributions include a GSSAPI implementation. Thus, if a particular application or protocol says that it supports the GSSAPI, in practice that means it supports Kerberos.

    Monday, April 24, 2006

     

    openLDAP installation & Configuration

    1. Prepare the required software:
    2. After BerkeleyDB is installed, *make sure* to create the runtime links to BerkeleyDB's dynamic link libraries:
    1) In EL4, create a new file "BerkeleyDB.conf" in /etc/ld.so.conf.d and add this line to it:
    /usr/local/BerkeleyDB.4.4/lib
    Otherwise the later configure procedure will complain "BerkeleyDB version mismatched".
    2) Run "ldconfig" to load the config.

    3. To configure openLDAP, use:
    1) env CPPFLAGS="-I/usr/local/BerkeleyDB.4.4/include" LDFLAGS="-L/usr/local/BerkeleyDB.4.4/lib" ./configure --with-cyrus-sasl --enable-slapd --enable-crypt --with-tls --enable-spasswd --enable-wrappers --prefix=/usr/local/openLDAP
    *Note*
    a. IMPORTANT: If you pass --disable-cleartext when configuring the code, the "test002-populate" test later will fail! So don't use it unless you don't intend to run the tests.
    b. The environment variables in this command are only valid for this single process.

    4. make depend
    5. make
    6. make test
    If no errors are found during the test procedure, you can start to configure openldap now.
    The configuration file of slapd is located at /usr/local/openLDAP/etc/openldap/slapd.conf
    Slight modifications to the configuration file are required before you can start the slapd service; my slapd.conf looks like this:
    ###################start of slapd.conf##########################
    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    include /usr/local/openLDAP/etc/openldap/schema/core.schema
    include /usr/local/openLDAP/etc/openldap/schema/corba.schema
    include /usr/local/openLDAP/etc/openldap/schema/cosine.schema
    include /usr/local/openLDAP/etc/openldap/schema/inetorgperson.schema
    include /usr/local/openLDAP/etc/openldap/schema/misc.schema
    include /usr/local/openLDAP/etc/openldap/schema/openldap.schema
    include /usr/local/openLDAP/etc/openldap/schema/nis.schema

    # Define global ACLs to disable default read access.

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral ldap://root.openldap.org

    pidfile /usr/local/openLDAP/var/run/slapd.pid
    argsfile /usr/local/openLDAP/var/run/slapd.args

    #Log level
    loglevel 1

    #######################################################################
    #Backend definitions
    #######################################################################
    backend bdb
    readonly off

    # Load dynamic backend modules:
    # modulepath /usr/local/openLDAP/libexec/openldap
    # moduleload back_bdb.la
    # moduleload back_ldap.la
    # moduleload back_ldbm.la
    # moduleload back_passwd.la
    # moduleload back_shell.la

    # Sample security restrictions
    # Require integrity protection (prevent hijacking)
    # Require 112-bit (3DES or better) encryption for updates
    # Require 63-bit encryption for simple bind
    # security ssf=1 update_ssf=112 simple_bind=64

    # Sample access control policy:
    # Root DSE: allow anyone to read it
    # Subschema (sub)entry DSE: allow anyone to read it
    # Other DSEs:
    # Allow self write access
    # Allow authenticated users read access
    # Allow anonymous users to authenticate
    # Directives needed to implement policy:
    # access to dn.base="" by * read
    # access to dn.base="cn=Subschema" by * read
    # access to *
    # by self write
    # by users read
    # by anonymous auth

    # if no access controls are present, the default policy
    # allows anyone and everyone to read anything but restricts
    # updates to rootdn. (e.g., "access to * by * read")
    #
    # rootdn can always read and write EVERYTHING!

    #######################################################################
    # BDB database definitions
    #######################################################################

    database bdb
    suffix "dc=ierc,dc=ox,dc=ac,dc=uk"
    rootdn "cn=Manager,dc=ierc,dc=ox,dc=ac,dc=uk"
    # Cleartext passwords, especially for the rootdn, should
    # be avoid. See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    rootpw secret
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory /usr/local/openLDAP/var/openldap-data
    # Indices to maintain
    index objectClass eq

    ###########################End of slapd.conf#########################




    Sunday, April 23, 2006

     

    Cyrus SASL installation

    References:
    http://www.linuxfromscratch.org/hints/downloads/files/cyrus-sasl.txt
    http://www.linuxfromscratch.org/blfs/view/stable/postlfs/cyrus-sasl.html
    http://mah.everybody.org/docs/sasl-gssapi/
    http://www.bayour.com/LDAPv3-HOWTO.html

    1. Download Cyrus SASL from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
    The current release is "cyrus-sasl-2.1.21.tar.gz"
    2. Unpack the downloaded file. Because I only want to use the GSSAPI (Kerberos V5) mechanism, it's a good idea to disable the other mechanisms. Configure it using:
    ./configure --prefix=/usr/local/cyrus-SASL --enable-gssapi --with-gss_impl=mit --disable-cram --disable-digest --disable-otp

    3. make
    4. make install

    At the end of installation, you will see following message:
    * WARNING:
    * Plugins are being installed into /usr/local/cyrus-SASL/lib/sasl2,
    * but the library will look for them in /usr/lib/sasl2.
    * You need to make sure that the plugins will eventually
    * be in /usr/lib/sasl2 -- the easiest way is to make a
    * symbolic link from /usr/lib/sasl2 to /usr/local/cyrus-SASL/lib/sasl2,
    * but this may not be appropriate for your site, so this
    * installation procedure won't do it for you.
    *
    * If you don't want to do this for some reason, you can
    * set the location where the library will look for plugins
    * by setting the environment variable SASL_PATH to the path
    * the library should use.


    Cyrus-SASL will look for the plugin libraries in /usr/lib/sasl2 by default, so it's important to copy the lib files from /usr/local/cyrus-SASL/lib/sasl2 to /usr/lib/sasl2. The simplest way is to create a link in /usr/lib/:
    ln -s /usr/local/cyrus-SASL/lib/sasl2 .
    *If /usr/lib/sasl2 already existed before the installation, make sure to delete it first!

    To test the installation of SASL, we can use the sample-server/sample-client programs, which are located in the sample directory of the cyrus-SASL source code. Because they are not compiled by default, manual compilation is necessary; in /home/synew/download/cyrus-SASL/sample/ , use
    make sample-server
    make sample-client

    *Important*
    Before the test, configure /etc/hosts and /etc/sysconfig/network as follows if you haven't already.
    *********/etc/hosts*************************
    127.0.0.1 localhost.localdomain localhost
    163.1.26.6 ktang.ierc.ox.ac.uk ktang
    **********/etc/sysconfig/network*************
    NETWORKING=yes
    HOSTNAME=ktang.ierc.ox.ac.uk
    ********************************************
    1. Create "ktang/admin" as an administrator (or user) in the Kerberos database; more details about the Kerberos setup are available in my other post.
    2. # kinit ktang/admin
    This will get a ticket from the Kerberos server for user "ktang/admin", which will be stored in your temporary credential cache (usually /tmp). You can use "klist" to check the information in the ticket cache, and "kdestroy" to delete all information in the cache.
    3. To use the sample server/client, in addition to the user principal a service principal is also required. Suppose we want to add a new service named "ldap" on host "ktang.ierc.ox.ac.uk". Use the /usr/local/kerberos5/sbin/kadmin.local program:
    # kadmin.local
    listprincs
    ank -randkey ldap/ktang.ierc.ox.ac.uk (create the service principal with a random key)
    ktadd ldap/ktang.ierc.ox.ac.uk (generate a key for the principal and store it in /etc/krb5.keytab)
    quit

    Now we can start the sample server/client to do the test:
    In one session,
    ./sample-server -s ldap -p ../plugins/.libs
    In another session,
    ./sample-client -s ldap -n ktang.ierc.ox.ac.uk -u ktang/admin -p ../plugins/.libs
    Copy the output between them until "negotiation complete" is displayed.

    *********Possible problems********************

    1) DIGEST-MD5 is selected instead of GSSAPI, although GSSAPI is listed by the server.
    *Because GSSAPI is a stronger mechanism than DIGEST-MD5, it should be chosen as the best mechanism. This means there is something wrong with the GSSAPI mechanism, which forces the fallback to DIGEST-MD5. If we reconfigure cyrus-sasl without the other mechanisms such as digest-md5, gssapi will unavoidably be selected, but you will see errors about GSSAPI negotiation failure etc. if the server has a problem with it.
    (You can re-configure SASL using:
    ./configure --prefix=/usr/local/cyrus-SASL --disable-cram --disable-digest --disable-otp --enable-gssapi --with-gss_impl=mit)


    2) lt-sample-server: SASL Other: GSSAPI Error: Miscellaneous failure (key version number mismatched)
    lt-sample-server: Starting SASL negotiation: generic failure (generic failure)
    *Use "klist -k /usr/krb5.keytab" and "kvno ldap/ktang.ierc.ox.ac.uk" to check whether the key version numbers of the service you are interested in match. Every time you add a new key with kadmin (ktadd), the kvno increases by 1, so a keytab written before the last ktadd holds a stale key.
    More details in http://www.bayour.com/LDAPv3-HOWTO.html

    3) lt-sample-server: SASL Other: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
    lt-sample-server: Starting SASL negotiation: generic failure (generic failure)
    *Make sure you have created the key in the correct keytab file. The default keytab in which principals are looked up is /etc/krb5.keytab. Use "klist -k /etc/krb5.keytab" to check the keys you added.
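    Problems 2 and 3 both come down to the keytab disagreeing with the KDC, so here is an added example (not part of the original notes) of a small Python check that parses the output of "klist -k" and "kvno" in the format MIT Kerberos prints and reports, per principal, a kvno mismatch or a missing keytab entry. The sample output and version numbers below are constructed; in real use you would feed it the two commands' actual output.

```python
import re

# Constructed sample output in the format MIT "klist -k <keytab>" and
# "kvno <principal>" print; the version numbers are made up so that the ldap
# service shows the problem-2 situation (keytab holds kvno 3, KDC is at 4).
KLIST_K_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/ktang.ierc.ox.ac.uk@IERC.OX.AC.UK
   3 ldap/ktang.ierc.ox.ac.uk@IERC.OX.AC.UK
   2 host/ktang.ierc.ox.ac.uk@IERC.OX.AC.UK
"""
KVNO_OUTPUT = """\
ldap/ktang.ierc.ox.ac.uk@IERC.OX.AC.UK: kvno = 4
host/ktang.ierc.ox.ac.uk@IERC.OX.AC.UK: kvno = 2
"""

def parse_klist_k(text):
    """Map principal -> set of kvnos in the keytab (klist -k prints one line
    per key, so a principal with two enctypes appears twice)."""
    keys = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            keys.setdefault(m.group(2), set()).add(int(m.group(1)))
    return keys

def parse_kvno(text):
    """Map principal -> kvno of the service ticket the KDC issues now."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^(\S+@\S+): kvno = (\d+)$", text, re.M)}

def check_keytab(klist_text, kvno_text):
    """For every principal kvno reported on, say whether the keytab can
    decrypt its tickets: 'ok', 'missing from keytab' (problem 3) or
    'kvno mismatch (keytab [..], kdc N)' (problem 2, after a repeated ktadd)."""
    keytab = parse_klist_k(klist_text)
    verdicts = {}
    for princ, kdc_kvno in parse_kvno(kvno_text).items():
        have = keytab.get(princ, set())
        if not have:
            verdicts[princ] = "missing from keytab"
        elif kdc_kvno not in have:
            verdicts[princ] = "kvno mismatch (keytab %s, kdc %d)" % (sorted(have), kdc_kvno)
        else:
            verdicts[princ] = "ok"
    return verdicts
```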

    4) lt-sample-server: SASL Other: GSSAPI Error: Miscellaneous failure (Decrypt integrity check failed)
    lt-sample-server: Starting SASL negotiation: authentication failure (authentication failure)
    *To avoid this error, make sure to use "kdestroy" to get rid of any old cached tickets; otherwise the various Kerberos programs will continue to use an old ticket encrypted with the wrong encryption key.
    More details in http://www.faqs.org/faqs/kerberos-faq/general/section-73.html

    5) On the client side, if you see the following:
    ............
    recieved 153 byte message
    C:
    Waiting for server reply...

    *It is *NOT* an error! What you should do is copy the "C: " line to the server side. Note that there's a space after C:!
    Reference: http://www.irbs.net/internet/cyrus-sasl/0506/0050.html

     

    Install & Configure Kerberos V5 under SL4

    Because I need to install openLDAP for the IdP installation in future, I need to install Kerberos, which is recommended by openLDAP.
    Both Heimdal and MIT Kerberos V5 are free implementations of the Kerberos v5 protocol; you can choose the one you like. I have picked the latter.

    1. Download the source code from the MIT Kerberos site:
    http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4.3-signed.tar

    2. tar -xvf krb5-1.4.3-signed.tar
    Then you get krb5-1.4.3.tar.gz; unpack it with
    tar -zxvf krb5-1.4.3.tar.gz

    3. cd krb5-1.4.3/src
    *IMPORTANT* If you configure the code without any parameters, some tcl-related error will usually occur when building the code.
    After some googling, some guy said tcl is only used to perform some tests when you run "make check", and therefore can be considered unnecessary. So you can configure the code using:
    ./configure --prefix=/usr/local/kerberos5 --without-krb4 --without-tcl

    Everything should be fine, but what if I want to run the unit tests that depend on tcl to make sure my installation is all right? I searched my system and found the tcl binary is already installed, but we need tcl.h and the tcl library to build with tcl support. Therefore we need to install the tcl-devel package:
    yum install tcl-devel.i386
    "tcl.h" is located in /usr/include/, the lib files in /usr/lib
    Now we can configure the code using:
    ./configure --prefix=/usr/local/kerberos5 --without-krb4 --with-tcl=/usr

    4. make
    5. make install
    6. make check
    You should see no errors.

    7. Configure /etc/krb5.conf and kdc.conf; instructions can be found at
    http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.3/doc/krb5-install/Install-the-Master-KDC.html#Install%20the%20Master%20KDC
    *Make sure to change the default var files directory to your installation dir.
    #krb5.conf#######################################
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = IERC.OX.AC.UK
    dns_lookup_realm = false
    dns_lookup_kdc = false

    [realms]
    IERC.OX.AC.UK = {
    kdc = ktang.ierc.ox.ac.uk:88
    admin_server = ktang.ierc.ox.ac.uk:749
    default_domain = ierc.ox.ac.uk
    }

    [domain_realm]
    .ierc.ox.ac.uk = IERC.OX.AC.UK
    ierc.ox.ac.uk = IERC.OX.AC.UK

    [kdc]
    profile = /usr/local/kerberos5/var/krb5kdc/kdc.conf

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }

    #kdc.conf#######################################
    [kdcdefaults]
    kdc_ports = 88

    [realms]
    IERC.OX.AC.UK = {
    database_name = /usr/local/kerberos5/var/krb5kdc/principal
    admin_keytab = FILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keytab
    acl_file = /usr/local/kerberos5/var/krb5kdc/kadm5.acl
    key_stash_file = /usr/local/kerberos5/var/krb5kdc/.k5.IERC.OX.AC.UK
    kdc_ports = 88
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    }


    [logging]
    kdc = FILE:/usr/local/kerberos5/var/krb5kdc/kdc.log
    admin_server = FILE:/usr/local/kerberos5/var/krb5kdc/kadmin.log
    #########################END####################

    8. Create a database on the system where the KDC resides:
    # /usr/local/kerberos5/sbin/kdb5_util create IERC.OX.AC.UK -s
    The database files will be generated in the var directory you configured in the kdc.conf file (/usr/local/kerberos5/var/krb5kdc/).
    * If you don't want a stash file to be generated, don't use the "-s" parameter.
    * To delete the existing database, delete all these newly generated files.
    * You can customize the names of the generated files by changing the database_name in "kdc.conf"; the default name is "principal".

    9. Create the acl file "kadm5.acl" in /usr/local/kerberos5/var/krb5kdc (the location is determined by kdc.conf).
    To understand the acl, you need to understand the definitions of principal and instance:
    http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.3/doc/krb5-user/What-is-a-Kerberos-Principal-.html
    Mine is like this:
    #####################
    */admin@IERC.OX.AC.UK *
    ktang@IERC.OX.AC.UK ADMCIL
    ###########################

    10. Add administrators to the database, using
    # ./kadmin.local
    Authenticating as principal synew/admin@IERC.OX.AC.UK with password.
    kadmin.local: addprinc ktang/admin@IERC.OX.AC.UK
    WARNING: no policy specified for ktang/admin@IERC.OX.AC.UK; defaulting to no policy
    Enter password for principal "ktang/admin@IERC.OX.AC.UK":
    Re-enter password for principal "ktang/admin@IERC.OX.AC.UK":
    Principal "ktang/admin@IERC.OX.AC.UK" created.
    kadmin.local: addprinc synew/admin@IERC.OX.AC.UK
    WARNING: no policy specified for synew/admin@IERC.OX.AC.UK; defaulting to no policy
    Enter password for principal "synew/admin@IERC.OX.AC.UK":
    Re-enter password for principal "synew/admin@IERC.OX.AC.UK":
    Principal "synew/admin@IERC.OX.AC.UK" created.
    kadmin.local:quit

    11. Create the keytab, using
    ./kadmin.local
    Authenticating as principal synew/admin@IERC.OX.AC.UK with password.
    kadmin.local: ktadd -k /usr/local/kerberos5/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
    Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keytab.
    Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keytab.
    Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keytab.
    Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keytab.
    kadmin.local: quit

    12. Start the Kerberos daemons by:
    ./krb5kdc
    ./kadmind

