You can manage the KDC, Administration, and Password services using the kdb5_util command. This section provides information about the following:
You can create a service using either of the following methods:
Use the following syntax to create a service using kdb5_util:
```
kdb5_util [-D user_dn] [-h ldap_server]
          [-p ldap_port] [-t trusted_cert]
          create_service {-kdc|-admin|-pwd} [-servicehost service_host_list]
          [-realm realm_list]
          [-randpw|-fileonly] [-f filename] service_dn
```
The service is created or modified in eDirectory.
For example:
```
kdb5_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
```
Output of the above command is similar to the following:
```
Password for "cn=admin,o=org":
File does not exist. Creating the file /home/andrew/conf_keyfile...
```
The following table describes the parameters of the create_service option of the kdb5_util command:
Table 20. create_service Parameter Description
You can modify a service using either of the following methods:
Use the following syntax to modify a service:
```
kdb5_util [-D user_dn [-w passwd]] [-h ldap_server]
          [-p ldap_port] [-t trusted_cert]
          modify_service [-servicehost service_host_list |
                          [-clearservicehost service_host_list]
                          [-addservicehost service_host_list]]
                         [-realm realm_list | [-clearrealm realm_list]
                          [-addrealm realm_list]] service_dn
```
This command modifies the attributes of a service and assigns appropriate rights.
For example:
```
kdb5_util -D cn=admin,o=org -w passwd modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org
```
Output of the above command is similar to the following:
```
Password for "cn=admin,o=org":
Changing rights for the service object. Please wait ... done
```
The following table describes the modify_service parameters:
Table 21. modify_service Parameter Options
Use the following syntax to view a service:
```
kdb5_util [-D user_dn [-w passwd]] [-h ldap_server]
          [-p ldap_port] [-t trusted_cert]
          view_service service_dn
```
For example (the service DN in the command matches the one shown in the output):
```
kdb5_util -D cn=admin,o=org view_service cn=service-kdc,o=org
```
Output of the above command is similar to the following:
```
Password for "cn=admin,o=org":
Service dn: cn=service-kdc,o=org
Service type: kdc
Service host list:
Realm DN list:
```
Table 22. view_service Parameter Description

| Parameter | Description |
|---|---|
| service_dn | DN of the Kerberos service to be viewed. |
Use the following syntax to list a service:
```
kdb5_util [-D user_dn [-w passwd]] [-h ldap_server]
          [-p ldap_port] [-t trusted_cert]
          list_service [-basedn base_dn]
```
For more information on the parameters, refer to Table 20, create_service Parameter Description.
Table 23. list_service Parameter Description
This command lists the names of all existing services.
For example:
```
kdb5_util -D cn=admin,o=org list_service
```
The output of the above command is similar to the following:
```
Password for "cn=admin,o=org":
cn=service-kdc,o=org
cn=service-adm,o=org
cn=service-pwd,o=org
```
You can destroy a service using either of the following methods:
Use the following syntax to destroy a service:
```
kdb5_util [-D user_dn [-w passwd]] [-h ldap_server]
          [-p ldap_port] [-t trusted_cert]
          destroy_service [-force] [-f stashfilename] service_dn
```
For more information on the parameters, refer to Table 20, create_service Parameter Description.
The -f option is required if you used a stash file of your own choice when creating the service or setting its password. If the option is omitted, the entry for the service being destroyed is looked up in the default stash file; the service object is still destroyed, but its entry remains in the stash file you chose.
For example:
```
kdb5_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org
```
Output of the above command is similar to the following:
```
Password for "cn=admin,o=org":
This will delete the service object 'cn=service-kdc,o=org', are you sure?
(type 'yes' to confirm)? yes
** service object 'cn=service-kdc,o=org' deleted.
```
You can set a password for service objects such as the KDC, Administration, and Password servers in eDirectory and store it in a file. The -fileonly option stores the password only in the file, not in the eDirectory object.
```
kdb5_util [-D user_dn [-w passwd]] [-h ldap_server]
          [-p ldap_port] [-t trusted_cert]
          setsrvpw [-randpw|-fileonly] [-f filename] service_dn
```
For example:
```
kdb5_util setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org
```
If you do not specify a filename, the default path /usr/local/var/service_passwd is used.
kdb5_util does not store the password in the file in plain text. The password is encrypted with a unique machine-dependent key before it is written to the file.
IMPORTANT: Do not edit the password file manually; modify it only with kdb5_util. Also, because the passwords in this file are encrypted with a unique machine-dependent key, the file becomes unusable if it is moved to a different machine.
The following table describes the configuration parameters:
Table 24. setsrvpw Parameter Description
This section describes the steps to configure the Kerberos services (KDC, Administration and Password servers) for authenticating to eDirectory using LDAP SASL EXTERNAL (CertMutual) authentication.
To set up certificate-based authentication, complete the following procedure:
Create a new directory. For example, kerbcert.
Create a file called openssl.cnf in the kerbcert directory with the following contents:
```
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
CN=service-kdc.O=org
```
Replace CN=service-kdc.O=org with the FDN of the service object in eDirectory.
NOTE: The attribute names 'CN', 'OU', and 'O' must be in upper case. The components of the FDN must be separated by '.' (dot), not by ',' (comma).
Change to the new directory:
```
cd kerbcert/
```
Create a private key and certificate signing request (CSR) by entering the following command:
```
openssl req -newkey rsa:1024 -keyout key.pem -out req.pem -config openssl.cnf
```
The private key is written to key.pem and the certificate signing request to req.pem. For more information, refer to the OpenSSL website. Note that a 1024-bit RSA key is below current recommendations (2048 bits or more); use a larger key size if your certificate server accepts it.
Specify a password at the prompt. This password protects the private key.
Connect to the eDirectory tree using iManager and issue a certificate as described in the Novell Certificate Server 2.21 Administration Guide.
When prompted for the certificate signing request, specify the req.pem file path.
Export the issued certificate in Base64 format (.b64) into a file called cert.b64 in the new directory (kerbcert in our example).
Concatenate the files key.pem and cert.b64 into a single file cert-key.pem as follows:
```
cat key.pem cert.b64 > cert-key.pem
```
Configure the service to use the issued certificate for authentication instead of the password as follows:
```
kdb5_util setsrvcert -f <path_of_the_password_stash_file> -cert cert-key.pem <service_dn>
```
service_dn should be the FDN specified in the openssl.cnf file (CN=service-kdc.O=org in our example).
Enter the password when you are prompted to do so. This is the same password you gave in Step 4.b, that is, the one protecting the private key.
The service is now configured to use certificate-based authentication instead of password-based authentication.
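The openssl.cnf subject line is the step most often got wrong, because the FDN must use upper-case attribute types and dot separators while the service DN used everywhere else on this page is comma-separated. The following POSIX shell script is an added example, not part of the Novell documentation or of kdb5_util: it converts a DN such as cn=service-kdc,o=org into the required FDN form, refuses input the conversion cannot represent (a value containing a dot would be read as an RDN separator), and writes the openssl.cnf file in the layout shown above. The function names and the sample DNs are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the Novell documentation: derive the FDN form that
# the openssl.cnf above requires from the service object's LDAP DN and write the
# configuration file. Assumptions (constructed for this example): DNs are
# comma-separated RDNs such as "cn=service-kdc,o=org"; the required FDN form is
# "CN=service-kdc.O=org" (upper-case attribute types, dot separators), as the
# NOTE above states.

# dn_to_fdn DN: prints the FDN on stdout; returns 1 if an RDN has no '=' or if
# a value is empty or contains a '.' (which the FDN could not represent).
# Only the attribute type is upper-cased; the value is copied unchanged.
dn_to_fdn() {
    printf '%s\n' "$1" | awk -F',' '{
        out = ""
        for (i = 1; i <= NF; i++) {
            rdn = $i
            sub(/^[ \t]+/, "", rdn)            # tolerate "cn=a, o=b"
            eq = index(rdn, "=")
            if (eq == 0) {
                print "dn_to_fdn: bad RDN \"" rdn "\"" > "/dev/stderr"
                exit 1
            }
            attr = toupper(substr(rdn, 1, eq - 1))
            val  = substr(rdn, eq + 1)
            if (val == "" || index(val, ".") > 0) {
                print "dn_to_fdn: unsupported value \"" val "\"" > "/dev/stderr"
                exit 1
            }
            out = (out == "") ? attr "=" val : out "." attr "=" val
        }
        print out
    }'
}

# write_openssl_cnf DIR DN: writes DIR/openssl.cnf in the layout shown above
# with the converted FDN as the only subject line, and prints that FDN.
write_openssl_cnf() {
    dir=$1
    fdn=$(dn_to_fdn "$2") || return 1
    mkdir -p "$dir" || return 1
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
$fdn
EOF
    printf '%s\n' "$fdn"
}

# Usage (matches the kerbcert example above; uncomment to run):
# write_openssl_cnf kerbcert 'cn=service-kdc,o=org'
```

After running write_openssl_cnf, continue with the openssl req command from the procedure; the FDN printed by the function is the same value to pass as service_dn to kdb5_util setsrvcert.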
Before starting the service, configure eDirectory to accept certificate-based authentication as follows:
Modify the LDAP server SSL/TLS configuration using iManager or ConsoleOne as follows:
Change the Client Certificate field from Not requested to Requested as described in Novell eDirectory 8.7.3 Administration Guide.
Check whether the SASL EXTERNAL mechanism is installed as follows:
```
ldapsearch -x -h <eDirectory_host_name> -b "" -s base | grep 'supportedSASLMechanisms'
```
The SASL mechanisms supported by eDirectory are listed. Check whether the EXTERNAL mechanism is in the list. If it is not, the mechanism has to be installed as described in the Novell eDirectory 8.7.3 Administration Guide.
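The grep above shows the whole attribute list and leaves the EXTERNAL check to the reader. The following POSIX shell script is an added example, not part of the Novell documentation: it parses the rootDSE output of that ldapsearch query and returns a pass/fail result for the EXTERNAL mechanism, so the check can run before the services are started. The LDIF samples are constructed for this example (the mechanism names other than EXTERNAL are illustrative), and the function names are assumptions; the wrapper that calls ldapsearch only works against a live eDirectory server.

```sh
#!/bin/sh
# Added example, not part of the Novell documentation: check the rootDSE output
# of the ldapsearch command above for the EXTERNAL SASL mechanism.

# list_sasl_mechanisms: reads ldapsearch (LDIF) output on stdin and prints one
# mechanism per line. The attribute name is matched case-insensitively because
# LDAP attribute types are case-insensitive and servers may echo them either way.
list_sasl_mechanisms() {
    awk 'tolower($1) == "supportedsaslmechanisms:" { print $2 }'
}

# has_sasl_external: returns 0 if EXTERNAL is listed, 1 otherwise.
# grep -x forces a whole-line match so a mechanism merely starting with
# "EXTERNAL" would not be accepted by mistake.
has_sasl_external() {
    list_sasl_mechanisms | grep -qx 'EXTERNAL'
}

# check_edirectory_sasl_external HOST: runs the page's ldapsearch query against a
# live server (not exercised offline) and reports the result.
check_edirectory_sasl_external() {
    if ldapsearch -x -h "$1" -b "" -s base | has_sasl_external; then
        echo "EXTERNAL mechanism available on $1"
    else
        echo "EXTERNAL mechanism missing on $1: install it before starting the services" >&2
        return 1
    fi
}

# Constructed sample rootDSE output with EXTERNAL present ...
SAMPLE_WITH_EXTERNAL='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedLDAPVersion: 3'

# ... and without it (the case the procedure tells you to fix before continuing).
SAMPLE_WITHOUT_EXTERNAL='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3'

# Offline usage of the parser on the constructed samples:
# printf '%s\n' "$SAMPLE_WITH_EXTERNAL"    | has_sasl_external && echo present
# printf '%s\n' "$SAMPLE_WITHOUT_EXTERNAL" | has_sasl_external || echo missing
```

Run check_edirectory_sasl_external against the eDirectory host before starting the Kerberos services; a non-zero exit means EXTERNAL is not offered and the certificate-based bind from the services would fail.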