06-15-2011, 10:08 AM
Gioachino Bartolotta
About Kerberos and dirsrv

Hi all,

I have a problem setting up Kerberos with 389, and I tried to do it using
the documents available on the 389 site and from Red Hat.

I followed everything, but I am unable to get the initial ticket from
Kerberos. Do I have to add these records as I have always done with
OpenLDAP?

dn: ou=KerberosPrincipals,ou=Users,dc=domain
ou: KerberosPrincipals
objectClass: top
objectClass: organizationalUnit

dn: krb5PrincipalName=ldapmaster/admin@DOMAIN,ou=KerberosPrincipals,ou=Users,dc=domain
objectClass: top
objectClass: person
objectClass: krb5Principal
objectClass: krb5KDCEntry
krb5PrincipalName: ldapmaster/admin@DOMAIN
krb5KeyVersionNumber: 1
krb5MaxLife: 86400
krb5MaxRenew: 604800
krb5KDCFlags: 126
cn: ldapmaster/admin@domain
sn: ldapmaster/admin@domain
userPassword: {MD5}5S2YxFmBmhF3WTbY37t5KQ==

Thanks

--
-------------------------------------------
Gioachino Bartolotta
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
06-15-2011, 10:55 AM
Juan Carlos Camargo Carrillo
About Kerberos and dirsrv

Hi,

It depends. If you want to use 389ds as a Kerberos database backend, then you should import the schema into the directory and yes, you'll need to create principals or modify the existing LDAP entries to accept Kerberos attributes, as you've said you did with OpenLDAP. I've done it with my 389ds lab and it works.
 
06-15-2011, 11:10 AM
Gioachino Bartolotta
About Kerberos and dirsrv

Hi!!

Yes, I want to use 389ds as a backend for Kerberos.

So, will everything work if I just import the schemas into 389ds?

Another question. I actually have 2 389ds servers configured with multimaster
replication, and on each server there is a KDC (1 master and 1 slave).

Do I have to copy the same keytab to both servers?

Do I also have to change the file /etc/sysconfig/saslauthd with these parameters?

MECH_OPTIONS=""
THREADS=5
START=yes
MECHANISMS="ldap"
OPTIONS="-m /var/run/saslauthd"

Then ... am I missing something else?

Thank you.

 
06-15-2011, 11:44 AM
Juan Carlos Camargo Carrillo
About Kerberos and dirsrv

To your former question, yes. Basically, and assuming you have experience with OpenLDAP:

0.- Back up your current installation or create a new 389ds instance.

1.- Configure the KDC to use LDAP as a database backend.

2.- Get the 60kerberos.ldif from FreeIPA (it works out of the box with 389ds) and copy it to the instance's "schema" folder. Add krb5principalname to your suffix database indexes. Restart dirsrv.

3.- Create the realm with kdb5_ldap_util.

4.- Create Kerberos principals for your users:

    4.1 for new users, "addprinc <principal>"

    4.2 for existing LDAP users, "addprinc -x dn=<full dn of the user> <principal>". This will add Kerberos attributes to an existing LDAP user.

Regards!

 
06-15-2011, 02:30 PM
About Kerberos and dirsrv

Why don't you use FreeIPA? This is exactly what FreeIPA is for.
Sent on the TELUS Mobility network with BlackBerry

 
06-15-2011, 03:05 PM
Gioachino Bartolotta
About Kerberos and dirsrv

Well ...
I am new to 389ds ... but I'll give it a try ... also FreeIPA.

Regards

 
06-16-2011, 08:52 AM
Gioachino Bartolotta
About Kerberos and dirsrv

Hi Juan!

Is it possible to write a bash script to import existing users into Kerberos?
In my LDAP I already have 2000 users ...

Thanks


 
06-16-2011, 10:15 AM
Juan Carlos Camargo
About Kerberos and dirsrv

This link may help:

http://blogs.oracle.com/wfiveash/entry/the_rough_guide_to_configuring

On Thu, 16-06-2011 at 18:23 +0900, 夜神 岩男 wrote:

On Thu, 2011-06-16 at 10:52 +0200, Gioachino Bartolotta wrote:
> Hi Juan!
>
> Is it possible to write a bash script to import existing users into Kerberos?
> In my LDAP I already have 2000 users ...
>
> Thanks

It is almost always possible to write a bash script to perform these sorts
of tasks. This is one of the best reasons to learn how, if you aren't
already good at it. If your sed/awk skills are well developed, this is
an excellent, repeatable, adaptable solution. I will be facing a similar
problem in the mid-term, and if you have written a basic script by then
I'd love to get a copy. If not, I will be writing one myself in a few
months.

This problem is probably frequent enough that someone may have already
tackled it with a smart script... ? Anyone?

-Iwao

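As an added example, not code from the thread or from the 389/FreeIPA projects, here is the kind of sed/awk script Iwao describes for Gioachino's 2000 users: it reads the LDIF that ldapsearch returns for existing users and generates the "addprinc -x dn=<dn> <principal>" command from Juan's step 4.2 for each of them, printing the batch for review instead of running it. The realm EXAMPLE.COM, the uid attribute as login name and the embedded LDIF are constructed assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread: generate the kadmin.local commands
# that enrol existing LDAP users as Kerberos principals (step 4.2 above,
# "addprinc -x dn=<dn> <principal>"), one per user, from ldapsearch LDIF.
# Assumptions (not stated in the thread): realm EXAMPLE.COM and a uid
# attribute holding the login name; SAMPLE_LDIF is constructed data standing
# in for `ldapsearch -LLL -b ou=Users,dc=example,dc=com '(uid=*)' uid`.
REALM="${REALM:-EXAMPLE.COM}"

SAMPLE_LDIF='dn: uid=alice,ou=Users,dc=example,dc=com
uid: alice

dn: uid=bob,ou=Users,dc=example,dc=co
 m
uid: bob

dn: uid=bad user,ou=Users,dc=example,dc=com
uid: bad user
'

# Unfold LDIF continuation lines (a leading space joins them to the previous
# line), then print one "dn<TAB>uid" line per entry.
ldif_to_pairs() {
  sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' | awk -F': ' '
    $1 == "dn"  { dn = $2 }
    $1 == "uid" { uid = $2 }
    /^$/ && dn != "" && uid != "" { printf "%s\t%s\n", dn, uid; dn = ""; uid = "" }
    END { if (dn != "" && uid != "") printf "%s\t%s\n", dn, uid }'
}

# Print the commands instead of running them so the batch can be reviewed
# first. A uid that is not a plain principal name is skipped rather than
# turned into a malformed principal (kadmin parses "/" and "@" specially).
gen_addprinc() {
  tab=$(printf '\t')
  while IFS="$tab" read -r dn uid; do
    case "$uid" in
      *[!A-Za-z0-9._-]*) printf 'SKIP %s: uid is not a safe principal name\n' "$dn" >&2; continue ;;
    esac
    printf 'addprinc -x dn="%s" %s@%s\n' "$dn" "$uid" "$REALM"
  done
}

# Run on the sample. For real data, pipe ldapsearch output through the same
# two functions and feed the reviewed result to kadmin.local (it prompts for
# each password unless -pw or -randkey is added to the command).
demo() { printf '%s' "$SAMPLE_LDIF" | ldif_to_pairs | gen_addprinc; }
demo
```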
 
