You can manage the KDC, Administration, and Password services by using the kdb5_ldap_util command. This section provides information about the following:
You can use one of the following methods to create a service:
Use the following syntax to create a service using kdb5_ldap_util:
kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert] create_service {-kdc|-admin|-pwd} [-servicehost service_host_list] [-realm realm_list][-randpw|-fileonly] [-f filename] service_dn
The service is created in eDirectory and appropriate rights are assigned over the realm, subtrees and principal container.
For example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
Output of the above command is similar to the following:
Password for "cn=admin,o=org":
File does not exist. Creating the file /home/andrew/conf_keyfile...
The following table describes the configuration parameters of the create_service option of the kdb5_ldap_util command:
Table 3-10 create_service Parameters
In Novell iManager, click the button. Select > . Refer to the iManager online help for more information.
NOTE: A service object must always be associated with a realm. During realm association, the service object is assigned the rights it needs to access the realm. A service can be associated with a realm during realm creation or modification, or during service creation or modification.
You can use one of the following methods to modify a service:
Use the following syntax to modify a service:
kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert] modify_service [-servicehost service_host_list | [-clearservicehost service_host_list] [-addservicehost service_host_list]] [-realm realm_list | [-clearrealm realm_list] [-addrealm realm_list]] service_dn
This command modifies the attributes of a service and assigns appropriate rights over the realm, subtrees and principal container.
For example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -w passwd modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org
Output of the above command is similar to the following:
Password for "cn=admin,o=org":
Changing rights for the service object. Please wait ... done
The following table describes the modify_service parameters:
Table 3-11 modify_service Parameters
In Novell iManager, click the button. Select > . Refer to the iManager online help for more information.
Use the following syntax to view a service:
kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert] view_service service_dn
For example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_service cn=kdc-service1,o=org
Output of the above command is similar to the following:
Password for "cn=admin,o=org":
Service dn: cn=service-kdc,o=org
Service type: kdc
Service host list:
Realm DN list: cn=NOVELL.COM,cn=kerberos,o=novell
Use the following syntax to list the services:
kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert] list_service [-basedn base_dn]
Table 3-13 list_service Parameters
Parameter | Description
---|---
-basedn | Base DN for searching the services. The -basedn option limits the search to a particular subtree.
This command lists the names of all existing services.
For example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_service
The output of the above command is similar to the following:
Password for "cn=admin,o=org":
cn=service-kdc,o=org
cn=service-adm,o=org
cn=service-pwd,o=org
You can use one of the following methods to destroy a service:
Use the following syntax to destroy a service:
kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert] destroy_service [-force] [-f stashfilename] service_dn
Table 3-14 destroy_service Parameters
The -f option is required if you chose a stash file of your own when creating the service or setting its password. If the option is not given, the entry for the service being destroyed is looked up in the default stash file; the service object is still destroyed, but its entry remains in the stash file you chose.
For example:
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy_service cn=service-kdc,o=org
Output of the above command is similar to the following:
Password for "cn=admin,o=org":
This will delete the service object 'cn=service-kdc,o=org', are you sure?
(type 'yes' to confirm)? yes
** service object 'cn=service-kdc,o=org' deleted.
In Novell iManager, click the button. Click > . Refer to the iManager online help for more information.
You can set a password for service objects such as the KDC, Administration, and Password server and store it in a file. The -fileonly option stores the password in a file and not in the eDirectory object.
kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert] setsrvpw [-randpw|-fileonly] [-f filename] service_dn
For example:
kdb5_ldap_util setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org
If you do not specify a filename, the default path /usr/local/var/service_passwd is used. When you set the service object password for the first time, the service object DN and the encrypted password are stored in the service password file. When you set the password again for the same service object, the existing entry is located by a case-insensitive comparison of the DN in the file and is replaced with the new password.
kdb5_ldap_util does not store the password in plain text format in the file. It is encrypted by using a unique machine-dependent key and then stored in the file.
IMPORTANT: The password file must not be edited manually; modify it only with the kdb5_ldap_util utility. Also, because passwords in this file are encrypted with a unique machine-dependent key, the password file becomes unusable if it is moved to a different machine.
The following table describes the configuration parameters:
Table 3-15 setsrvpw Parameters
This section describes the steps to configure the Kerberos services (KDC, Administration and Password servers) for authenticating to eDirectory using LDAP SASL EXTERNAL (CertMutual) authentication.
To set up certificate-based authentication:
Create a new directory. For example, kerbcert.
Change directory:
cd kerbcert/
Create a file called openssl.cnf in the kerbcert directory with the following contents:
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN=service-kdc.O=org
Replace CN=service-kdc.O=org with the FDN of the service object in eDirectory.
NOTE: The attribute names CN, OU, and O must be in uppercase. The components of the FDN must be separated by "." (dot), not by "," (comma).
Create a private key and certificate signing request (CSR):
Enter the following command:
openssl req -newkey rsa:1024 -keyout key.pem -out req.pem -config openssl.cnf
The private key is written to key.pem and the certificate signing request to req.pem. For more information, refer to the OpenSSL Web site.
Specify the password at the prompt.
This password protects the private key.
Use iManager to connect to the eDirectory tree and issue a certificate as described in the Novell Certificate Server 2.21 Administration Guide.
When prompted for the certificate signing request, specify the req.pem file path.
Export the issued certificate in Base 64 format (.b64) into a file called cert.b64 in the new directory (kerbcert in our example).
Concatenate the files key.pem and cert.b64 into a single cert-key.pem file as follows:
cat key.pem cert.b64 > cert-key.pem
Configure the service to use the issued certificate for authentication instead of the password as follows:
kdb5_ldap_util setsrvcert -f path_of_the_password_stash_file -cert cert-key.pem service_dn
service_dn is the FDN specified in the openssl.cnf file (CN=service-kdc.O=org in our example), but here the components of the FDN must be separated by commas.
Enter the password when you are prompted to do so. This password is the same as the one you created in Step 4.b.
The service is now configured to use certificate-based authentication instead of password-based authentication.
Before starting the service, configure eDirectory to accept certificate-based authentication as follows:
Use iManager to modify the LDAP server SSL/TLS configuration.
Change Not requested to Requested as described in Section 14.6 Authentication and Security in the Novell eDirectory 8.8 Administration Guide.
Check whether the SASL EXTERNAL mechanism is installed as follows:
ldapsearch -x -h ldaphost -b "" -s base | grep 'supportedSASLMechanisms'
The SASL mechanisms supported by eDirectory are listed. Check whether EXTERNAL is in the list. If it is not, install the mechanism as described in Section 14.6 Authentication and Security in the Novell eDirectory 8.8 Administration Guide.
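The following helpers are an added example, not part of the Novell guide or the kdb5_ldap_util tool: they build the openssl.cnf shown above from an ordinary comma-separated service DN (uppercasing the attribute names and switching to dot separators, as the NOTE requires), generate the key and CSR, convert the FDN back to the comma form that setsrvcert expects, and check that the LDAP server advertises the EXTERNAL SASL mechanism. The working directory and LDAP host are placeholders, and the key size is 2048 bits rather than the guide's 1024.

```shell
# Turn "cn=service-kdc,o=org" into the form openssl.cnf needs:
# attribute names in uppercase, components separated by "." not ",".
# (Assumes attribute values themselves contain no "." or ",".)
fdn_from_dn() {
  printf '%s' "$1" | awk -F',' '{
    out = ""
    for (i = 1; i <= NF; i++) {
      n = index($i, "=")
      out = out (i > 1 ? "." : "") toupper(substr($i, 1, n - 1)) "=" substr($i, n + 1)
    }
    print out
  }'
}

# The comma-separated form of the same FDN, which is what setsrvcert takes.
dn_from_fdn() {
  printf '%s' "$1" | tr '.' ','
}

# Write the [ req ] configuration exactly as the guide shows, with the converted FDN.
write_openssl_cnf() {   # $1 = service DN, $2 = path of the openssl.cnf to write
  {
    printf '[ req ]\n'
    printf 'distinguished_name = req_distinguished_name\n'
    printf 'prompt = no\n'
    printf '[ req_distinguished_name ]\n'
    printf '%s\n' "$(fdn_from_dn "$1")"
  } > "$2"
}

# Create the password-protected private key and the CSR, then print the CSR
# subject so it can be compared with the service object's FDN before the
# certificate is issued.
make_csr() {   # $1 = working directory (e.g. kerbcert), $2 = service DN
  mkdir -p "$1" && write_openssl_cnf "$2" "$1/openssl.cnf"
  openssl req -newkey rsa:2048 -keyout "$1/key.pem" -out "$1/req.pem" -config "$1/openssl.cnf"
  openssl req -in "$1/req.pem" -noout -subject
}

# Succeed only if the LDAP server lists EXTERNAL among its SASL mechanisms.
has_sasl_external() {   # $1 = LDAP host (placeholder)
  ldapsearch -x -h "$1" -b "" -s base supportedSASLMechanisms \
    | grep -qx 'supportedSASLMechanisms: EXTERNAL'
}
```

Run make_csr kerbcert cn=service-kdc,o=org to produce key.pem and req.pem, and pass "$(dn_from_fdn CN=service-kdc.O=org)" as the service_dn argument to setsrvcert.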