Configuring eDirectory for Novell Kerberos KDC

  1. Import the trusted root certificate from eDirectory using the following command:

    kdb5_util [-h ldap_server] [-p ssl_port] import_cert -f filename

    For example,

    kdb5_util -h kerberos.mit.edu -p 636 import_cert -f /opt/novell/kerberos/trustedroot.der

    NOTE: The kdb5_util utility is located in the /opt/novell/kerberos/sbin directory.

  2. Extend the eDirectory schema by applying the untarred_path/NovellKerberosKDC/setup/kerberos.ldif file with ldapmodify as follows:

    /opt/novell/kerberos/bin/ldapmodify -D admin_dn -W -h server -p port -f untarred_path/NovellKerberosKDC/setup/kerberos.ldif -e trusted_root_certificate -c

    For example,

    /opt/novell/kerberos/bin/ldapmodify -D cn=admin,o=mit -W -h kerberos.mit.edu -p 636 -f untarred_path/NovellKerberosKDC/setup/kerberos.ldif -e /opt/novell/kerberos/trustedroot.der -c

    You can also extend the schema through Novell iManager as follows:

    1. In Novell iManager, click the Roles and Tasks button.

    2. Select Kerberos Management > Extend Schema.

    3. Click OK to extend the schema.

  3. Configure Kerberos LDAP extensions on the eDirectory server:

    1. Ensure that the Kerberos LDAP extensions are installed on the machine where eDirectory is installed.

      The kdc-install utility installs libkrbpwd.so in /usr/lib/nds-modules.

      In eDirectory 8.8, Directory Host modules are located in /opt/novell/eDirectory/lib/nds-modules, so you need to complete one of these additional steps for eDirectory 8.8:

      • If eDirectory 8.8 is installed in the default location, copy the libkrbpwd.so file from /usr/lib/nds-modules to /opt/novell/eDirectory/lib/nds-modules.
      • If eDirectory 8.8 is installed in a custom location, copy the libkrbpwd.so file from /usr/lib/nds-modules to custom_location/opt/novell/eDirectory/lib/nds-modules.
    2. Add the Kerberos LDAP extensions to eDirectory as follows:

      kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port] [-t trusted_cert] ldapxtn_info -add|-clear

      For example:

      kdb5_util -D cn=admin,o=mit -w novell -h kerberos.mit.edu -t /opt/novell/kerberos/trustedroot.der ldapxtn_info -add

      Ensure that you run this command on the machine where the KDC is installed.

    3. Restart nldap.

      To restart nldap, unload it and then load it again. The location of the nldap command depends on the eDirectory version:

      • eDirectory 8.7.3:

        Unload nldap as: /usr/sbin/nldap -u

        Load nldap as: /usr/sbin/nldap -l

      • eDirectory 8.8:

        Unload nldap as: /opt/novell/eDirectory/sbin/nldap -u

        Load nldap as: /opt/novell/eDirectory/sbin/nldap -l

  4. Configure Kerberos Password Agent on the eDirectory server:

    NOTE: You need to configure the Kerberos Password Agent if you want to integrate universal password with Novell Kerberos KDC.

    1. Ensure that the Kerberos Password Agent is installed on the machine where eDirectory is installed.

      The kdc-install utility installs the libkpa.so in /usr/lib/nds-modules.

      In eDirectory 8.8, Directory Host modules are located in /opt/novell/eDirectory/lib/nds-modules, so you need to complete one of these additional steps for eDirectory 8.8:

      • If eDirectory 8.8 is installed in the default location, copy the libkpa.so file from /usr/lib/nds-modules to /opt/novell/eDirectory/lib/nds-modules.
      • If eDirectory 8.8 is installed in a custom location, copy the libkpa.so file from /usr/lib/nds-modules to custom_location/opt/novell/eDirectory/lib/nds-modules.
    2. Start the Kerberos Password Agent as follows:

      /opt/novell/kerberos/sbin/kpa -l
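Steps 3 and 4 as one script, added here as an example and not taken from the Novell documentation. It encodes the version-dependent module and nldap paths listed above; the eDirectory version, an optional custom install prefix, and the admin DN, LDAP host and trusted root certificate path are assumed to be supplied by the caller, and kdb5_util is assumed to prompt for the bind password when -w is omitted.

```sh
#!/bin/sh
# Added example, not part of the Novell documentation: runs steps 3 and 4 on
# the eDirectory host. Paths come from the steps above; the eDirectory
# version and any custom install prefix are assumed caller inputs.

# Directory that eDirectory loads Directory Host modules from. $2 is the
# custom install prefix for 8.8 (empty string for the default location).
nds_modules_dir() {
    case "$1" in
        8.7.3) echo "/usr/lib/nds-modules" ;;
        8.8)   echo "${2}/opt/novell/eDirectory/lib/nds-modules" ;;
        *)     echo "unsupported eDirectory version: $1" >&2; return 1 ;;
    esac
}

# Path of the nldap control command for the given version.
nldap_bin() {
    case "$1" in
        8.7.3) echo "/usr/sbin/nldap" ;;
        8.8)   echo "/opt/novell/eDirectory/sbin/nldap" ;;
        *)     echo "unsupported eDirectory version: $1" >&2; return 1 ;;
    esac
}

# Copy a module installed by kdc-install into the version-specific module
# directory. On 8.7.3 source and destination coincide, so nothing is copied.
install_module() {
    src="/usr/lib/nds-modules/$1"
    dst="$(nds_modules_dir "$2" "$3")/$1" || return 1
    [ "$src" = "$dst" ] || cp "$src" "$dst"
}

# Steps 3 and 4: install both modules, register the LDAP extensions, restart
# nldap and start the Password Agent. -w is omitted so the admin password
# does not appear in process listings (kdb5_util assumed to prompt for it).
configure_edirectory() {
    version="$1"; prefix="$2"; admin_dn="$3"; ldap_host="$4"; cert="$5"
    install_module libkrbpwd.so "$version" "$prefix" || return 1
    install_module libkpa.so "$version" "$prefix" || return 1
    /opt/novell/kerberos/sbin/kdb5_util -D "$admin_dn" -h "$ldap_host" \
        -t "$cert" ldapxtn_info -add || return 1
    nldap="$(nldap_bin "$version")" || return 1
    "$nldap" -u && "$nldap" -l || return 1
    /opt/novell/kerberos/sbin/kpa -l
}

# Example invocation (eDirectory 8.8 in the default location):
# configure_edirectory 8.8 "" cn=admin,o=mit kerberos.mit.edu /opt/novell/kerberos/trustedroot.der
```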