Managing Services

You can manage the KDC, Administration, and Password services using the kdb5_util command. This section describes how to create, modify, view, list, and destroy a service, how to set a password for a service object, and how to set the server certificate.


Creating a Service

You can create a service using either of the following methods:


Command Line

Use the following syntax to create a service using kdb5_util:

kdb5_util [-D user_dn] [-h ldap_server] [-p ldap_port] [-t trusted_cert]
    create_service {-kdc|-admin|-pwd} [-servicehost service_host_list]
    [-realm realm_list] [-randpw|-fileonly] [-f filename] service_dn

The service is created or modified in eDirectory.

For example:

kdb5_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org

Output of the above command is similar to the following:

Password for "cn=admin,o=org": 
File does not exist. Creating the file /home/andrew/conf_keyfile...

The following table describes the configuration parameters of create_service option of the kdb5_util command:


Table 20. create_service Parameter Description

Parameter Description

-kdc

KDC service

-admin

Administration service

-pwd

Password service

-servicehost

List of entries separated by a colon (:) where each entry consists of the hostname or IP address of the server hosting the service, the transport protocol, and the port number of the service, separated by a pound sign (#). For example, server1#tcp#88:server2#udp#89.

-realm

List of realms that can be serviced by Kerberos. The list contains the names of the realms separated by a colon (:).

-randpw

Generate and set a random password. This option cannot be specified together with the -fileonly option. This option does not work when Universal Password is enabled.

-fileonly

Set the password in the service password file only, without updating the directory object. This is useful when the service object is shared by multiple hosts.

-f

Complete path of the service password file where the Service object password is stashed. The default path is /usr/local/var/service/passwd.

service_dn

DN of the Kerberos service to be created.


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > New Service.

Refer to the iManager online help for more information.


Modifying a Service

You can modify a service using either of the following methods:


Command Line

Use the following syntax to modify a service:

kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port] [-t trusted_cert]
    modify_service [-servicehost service_host_list |
    [-clearservicehost service_host_list] [-addservicehost service_host_list]]
    [-realm realm_list | [-clearrealm realm_list] [-addrealm realm_list]] service_dn

This command modifies the attributes of a service and assigns appropriate rights.

For example:

kdb5_util -D cn=admin,o=org -w passwd modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org

Output of the above command will be similar to the following:

Password for "cn=admin,o=org": 
Changing rights for the service object. Please wait ... done

The following table describes the modify_service parameters:


Table 21. modify_service Parameter Options

Parameter Description

-servicehost

List of entries separated by a colon (:) where each entry consists of the hostname or IP address of the server hosting the service, the transport protocol, and the port number of the service, separated by a pound sign (#). For example, server1#tcp#88:server2#udp#89.

-clearservicehost

List of servicehost entries to be removed from the existing list. This is a colon-separated list where each entry consists of the hostname or IP address of the server hosting the service, the transport protocol, and the port number of the service, separated by a pound sign (#).

-addservicehost

List of servicehost entries to be added to the existing list. This is a colon-separated list where each entry consists of the hostname or IP address of the server hosting the service, the transport protocol, and the port number of the service, separated by a pound sign (#).

-realm

List of realms that are associated with this service. The list contains the names of the realms separated by a colon (:).

-clearrealm

List of realms to be removed from the existing list. The list contains the names of the realms separated by a colon (:).

-addrealm

List of realms to be added to the existing list. The list contains the names of the realms separated by a colon (:).

service_dn

DN of the Kerberos service to be modified.
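The service_host_list syntax in Tables 20 and 21 is easy to get subtly wrong (a missing transport, a comma instead of a colon, a port outside the valid range), and kdb5_util gives little help diagnosing it. The following Python is an added example, not code from this guide or from kdb5_util: it parses and validates a service_host_list, and models the effect of -clearservicehost and -addservicehost on an existing list as Table 21 describes them. The accepted transports (tcp, udp), the hostname pattern, the port range and the sample lists are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Transports, hostname pattern and port range accepted here are this example's
# assumptions; the guide only states the host#transport#port shape and the ':' separator.
TRANSPORTS = {"tcp", "udp"}
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")


@dataclass(frozen=True)
class ServiceHost:
    host: str
    transport: str
    port: int

    def __str__(self) -> str:
        return f"{self.host}#{self.transport}#{self.port}"


def parse_servicehost_list(value: str) -> list:
    """Parse 'host#transport#port:host#transport#port', rejecting malformed entries."""
    entries = []
    for raw in value.split(":"):
        parts = raw.split("#")
        if len(parts) != 3:
            raise ValueError(f"entry {raw!r} must be host#transport#port")
        host, transport, port = parts
        if not HOST_RE.match(host):
            raise ValueError(f"bad host {host!r} in entry {raw!r}")
        if transport.lower() not in TRANSPORTS:
            raise ValueError(f"bad transport {transport!r} in entry {raw!r}")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port {port!r} in entry {raw!r}")
        entries.append(ServiceHost(host, transport.lower(), int(port)))
    return entries


def format_servicehost_list(entries: list) -> str:
    """Inverse of parse_servicehost_list: the string to pass to -servicehost."""
    return ":".join(str(e) for e in entries)


def apply_servicehost_changes(existing: str, clear: str = "", add: str = "") -> str:
    """Model -clearservicehost then -addservicehost on an existing list, as Table 21
    describes them: drop the listed entries, then append new ones without duplicates."""
    current = parse_servicehost_list(existing) if existing else []
    to_clear = set(parse_servicehost_list(clear)) if clear else set()
    current = [e for e in current if e not in to_clear]
    for entry in (parse_servicehost_list(add) if add else []):
        if entry not in current:
            current.append(entry)
    return format_servicehost_list(current)
```

Validating the list before running modify_service avoids leaving the service object with a partially applied host list.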


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Edit Service.

Refer to the iManager online help for more information.


Viewing a Service

Use the following syntax to view a service:

kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port] [-t trusted_cert]
    view_service service_dn

For example:

kdb5_util -D cn=admin,o=org view_service cn=kdc-service1,o=org

Output of the above command will be similar to the following:

Password for "cn=admin,o=org": 
Service dn: cn=service-kdc,o=org
Service type: kdc
Service host list:
Realm DN list:


Table 22. view_service Parameter Description

Parameter Description

service_dn

DN of the Kerberos service to be viewed.


Listing Services

Use the following syntax to list services:

kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port] [-t trusted_cert]
    list_service [-basedn base_dn]

For more information on the parameters, refer to Table 20, create_service Parameter Description.


Table 23. list_service Parameter Description

Parameter Description

-basedn

Specifies the base DN for searching the services, which limits the search to a particular subtree. If this option is not provided, the entire tree is searched; that is, the default base DN is the root of the tree. This option is therefore useful in scenarios where the tree is distributed over more than one geographical location.

This command lists the names of all existing services.

For example:

kdb5_util -D cn=admin,o=org list_service

The output of the above command is similar to the following:

Password for "cn=admin,o=org": 
cn=service-kdc,o=org
cn=service-adm,o=org
cn=service-pwd,o=org


Destroying a Service

You can destroy a service using either of the following methods:


Command Line

Use the following syntax to destroy a service:

kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port] [-t trusted_cert]
    destroy_service [-force] [-f stashfilename] service_dn

For more information on the parameters, refer to Table 20, create_service Parameter Description.

The -f option is required if you chose a stash file of your own while creating the service or setting its password. If this option is not provided, the entry for the service being destroyed is looked up in the default stash file. The service object is still destroyed, but its entry might remain in the stash file you chose.

For example:

kdb5_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org

Output of the above command is similar to the following:

Password for "cn=admin,o=org": 
This will delete the service object 'cn=service-kdc,o=org', are you sure?
(type 'yes' to confirm)? yes
** service object 'cn=service-kdc,o=org' deleted.


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Click Kerberos Management > Delete Service.

Refer to the iManager online help for more information.


Setting a Password for Service Objects

You can set a password for the service objects (KDC, Administration, and Password server) in eDirectory and store it in a file. The -fileonly option stores the password in the file only and not in the eDirectory object.

kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port] [-t trusted_cert]
    setsrvpw [-randpw|-fileonly] [-f filename] service_dn

For example:

kdb5_util setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org

If you do not specify a filename, the default path /usr/local/var/service_passwd is used.

kdb5_util does not store the password in plain text in the file. The password is encrypted using a unique machine-dependent key and then stored in the file.

IMPORTANT:  The password file should not be edited manually. It must be modified using kdb5_util only. Also, because passwords in this file are encrypted using a unique machine-dependent key, the password file becomes unusable if it is moved to a different machine.

The following table describes the configuration parameters:


Table 24. setsrvpw Parameter Description

Parameter Description

-D

Distinguished name of the user who has sufficient rights to authenticate to the LDAP server.

-w

Specifies the password for user_dn on the command line. This is not recommended, because a password given on the command line is visible to other users in the process list and is kept in the shell history.

-h

Host name or IP Address of the server hosting LDAP service for a Kerberos realm.

-p

SSL port number of the LDAP server.

-t

Specifies the filename that contains Trusted Root Certificate of the LDAP server.

-randpw

Generates and sets a random password. You can specify this option if you want to store the password both in eDirectory and a file. You cannot use the -fileonly option when you specify -randpw.

-fileonly

Stores the password only in a file and not in eDirectory. You cannot use the -randpw option when you specify -fileonly.

-f

Complete path of the service password file.

service_dn

DN of the service object whose password is to be set.


Setting the Server Certificate

This section describes the steps to configure the Kerberos services (KDC, Administration and Password servers) for authenticating to eDirectory using LDAP SASL EXTERNAL (CertMutual) authentication.

To set up certificate-based authentication, complete the following procedure:

  1. Create a new directory. For example, kerbcert.

  2. Create a file called openssl.cnf in the kerbcert directory with the following contents:

    [ req ]  
    distinguished_name = req_distinguished_name
    prompt = no

    [ req_distinguished_name ]
    CN=service-kdc.O=org

    Replace CN=service-kdc.O=org with the FDN of the service object in eDirectory.

    NOTE:  The attribute names 'CN', 'OU', 'O' must be in upper case. The components of the FDN must be separated by '.'(dot) and not by ','(comma).

  3. Change to the new directory:

    cd kerbcert/

  4. Create a private key and certificate signing request (CSR).

    1. Enter the following command:

      openssl req -newkey rsa:1024 -keyout key.pem -out req.pem -config openssl.cnf

      The private key will be written to key.pem and the certificate signing request to req.pem. For more information, refer to the OpenSSL Website.

    2. Specify the password at the prompt.

      This password protects the private key.

  5. Connect to the eDirectory tree using iManager and issue a certificate as described in the Novell Certificate Server 2.21 Administration Guide.

    When prompted for the certificate signing request, specify the req.pem file path.

    Export the issued certificate in base 64 format (.b64) into a file called cert.b64 in the new directory (kerbcert in our example).

  6. Concatenate the files key.pem and cert.b64 into a single file cert-key.pem as follows:

    cat key.pem cert.b64 > cert-key.pem

  7. Configure the service to use the issued certificate for authentication instead of the password as follows:

    kdb5_util setsrvcert -f <path_of_the_password_stash_file> -cert cert-key.pem <service_dn>

    service_dn should be the FDN specified in the openssl.cnf file (CN=service-kdc.O=org as per our example).

    Enter the password when you are prompted to do so. This is the same password you gave in Step 4 when creating the private key.

The service is now configured to use certificate-based authentication instead of password-based authentication.
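The FDN conversion in step 2 (upper-case attribute types, components joined with '.' rather than ',') is the part of this procedure that is most often got wrong, and a wrong subject in the CSR only shows up later as a failed SASL EXTERNAL bind. The following Python is an added example, not code from this guide or from Novell: it converts an eDirectory DN such as cn=service-kdc,o=org into the CN=service-kdc.O=org form, renders the openssl.cnf from step 2 around it, and checks an existing openssl.cnf for the mistakes the NOTE warns about. It assumes the DN contains only CN, OU and O components and no escaped commas or dots; the sample DNs are constructed.

```python
import re

# Attribute types named in the NOTE of step 2; this example accepts only these.
ALLOWED_TYPES = ("CN", "OU", "O")
RDN_RE = re.compile(r"^(?P<type>[A-Za-z]+)=(?P<value>[^=]+)$")


def edir_dn_to_openssl_fdn(dn: str) -> str:
    """Convert 'cn=service-kdc,o=org' to 'CN=service-kdc.O=org': upper-case the attribute
    types and join the RDNs with '.'. Assumes no escaped ',' or '.' in the DN (example assumption)."""
    rdns = []
    for raw in dn.split(","):
        m = RDN_RE.match(raw.strip())
        if not m:
            raise ValueError(f"malformed RDN {raw!r}")
        atype = m.group("type").upper()
        if atype not in ALLOWED_TYPES:
            raise ValueError(f"unsupported attribute type {atype!r}")
        rdns.append(f"{atype}={m.group('value').strip()}")
    return ".".join(rdns)


def render_openssl_cnf(fdn: str) -> str:
    """Render the openssl.cnf from step 2 with the FDN substituted."""
    return (
        "[ req ]\n"
        "distinguished_name = req_distinguished_name\n"
        "prompt = no\n\n"
        "[ req_distinguished_name ]\n"
        f"{fdn}\n"
    )


def check_openssl_cnf(text: str) -> list:
    """List the problems the NOTE warns about: comma separators, lower-case types, no FDN line."""
    problems, section, dn_lines = [], None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[] ")
        elif line and section == "req_distinguished_name":
            dn_lines.append(line)
    if not dn_lines:
        problems.append("no FDN line under [ req_distinguished_name ]")
    for line in dn_lines:
        if "," in line:
            problems.append(f"comma separator in {line!r}; join components with '.'")
        for comp in re.split(r"[.,]", line):
            m = re.match(r"([A-Za-z]+)=", comp.strip())
            if m and m.group(1) != m.group(1).upper():
                problems.append(f"attribute type {m.group(1)!r} must be upper case")
    return problems
```

Running check_openssl_cnf on the file before step 4 catches the subject error before a key pair and a certificate are issued for the wrong name.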

Before starting the service, configure eDirectory to accept certificate-based authentication as follows:

  1. Modify the LDAP server SSL/TLS configuration using iManager or ConsoleOne as follows:

    Change the Client Certificate field from Not requested to Requested as described in Novell eDirectory 8.7.3 Administration Guide.

  2. Check whether the SASL EXTERNAL mechanism is installed as follows:

    ldapsearch -x -h <eDirectory_host_name> -b "" -s base | grep 'supportedSASLMechanisms'

    The SASL mechanisms supported by eDirectory will be listed. Check if the EXTERNAL mechanism is in the list. If not, the mechanism has to be installed as described in Novell eDirectory 8.7.3 Administration Guide.