3.4 Managing Services

You can manage the KDC, Administration, and Password services by using the kdb5_ldap_util command. This section provides information about the following:

3.4.1 Creating a Service

You can use one of the following methods to create a service:

Command Line

Use the following syntax to create a service using kdb5_ldap_util:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri]
               [-t trusted_cert]

create_service {-kdc|-admin|-pwd} [-servicehost service_host_list]
        [-realm realm_list] [-randpw|-fileonly] [-f filename] service_dn

The service is created in eDirectory and appropriate rights are assigned over the realm, subtrees and principal container.

For example:

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org

Output of the above command is similar to the following:

Password for "cn=admin,o=org":
File does not exist. Creating the file /home/andrew/conf_keyfile...

The following table describes the parameters of the create_service option of the kdb5_ldap_util command:

Table 3-10 create_service Parameters

-kdc: KDC service.

-admin: Administration service.

-pwd: Password service.

-servicehost: List of entries separated by a colon (:), where each entry consists of the host name or IP address of the server hosting the service, the transport protocol, and the port number of the service, separated by a pound sign (#). For example, server1#tcp#88:server2#udp#89.

-realm: List of realms that the Kerberos service being created can serve. The list contains the names of the realms separated by a colon (:).

-randpw: Generates and sets a random password. This option cannot be combined with -fileonly, and it does not work when Universal Password is enabled in eDirectory.

-fileonly: Stores the password only in a file, not in eDirectory. This option cannot be combined with -randpw.

-f: Complete path of the service password file where the service object password is stashed. The default path is /usr/local/var/service_passwd.

service_dn: DN of the Kerberos service to be created.

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > New Service.

Refer to the iManager online help for more information.

NOTE: A service object must always be associated with a realm. During realm association, the service object is assigned the rights it needs to access the realm. A service can be associated with a realm during realm creation or modification, or during service creation or modification.

3.4.2 Modifying a Service

You can use one of the following methods to modify a service:

Command Line

Use the following syntax to modify a service:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri]
               [-t trusted_cert]

modify_service  [-servicehost service_host_list |
        [-clearservicehost service_host_list]
        [-addservicehost service_host_list]]
        [-realm realm_list | [-clearrealm realm_list]
        [-addrealm realm_list]] service_dn

This command modifies the attributes of a service and assigns appropriate rights over the realm, subtrees and principal container.

For example:

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -w passwd modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org

Output of the above command is similar to the following:

Password for "cn=admin,o=org":
Changing rights for the service object. Please wait ... done

The following table describes the modify_service parameters:

Table 3-11 modify_service Parameters

-servicehost: List of entries separated by a colon (:), where each entry consists of the host name or IP address of the server hosting the service, the transport protocol, and the port number of the service, separated by a pound sign (#). For example, server1#tcp#88:server2#udp#89. This service configuration parameter is not supported in this release.

-clearservicehost: List of servicehost entries to be removed from the existing list. The entries are separated by a colon (:), and each entry has the same host#protocol#port form as for -servicehost. This service configuration parameter is not supported in this release.

-addservicehost: List of servicehost entries to be added to the existing list, in the same format as -clearservicehost. This service configuration parameter is not supported in this release.

-realm: List of realms associated with this service. The list contains the names of the realms separated by a colon (:). This list replaces the existing list.

-clearrealm: List of realms to be removed from the existing list. The list contains the names of the realms separated by a colon (:).

-addrealm: List of realms to be added to the existing list. The list contains the names of the realms separated by a colon (:).

service_dn: DN of the Kerberos service to be modified.
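The -servicehost (host#protocol#port, colon-separated) and -realm lists accepted by create_service (Table 3-10) and modify_service (Table 3-11) are easy to get subtly wrong; the following POSIX shell validator, an added example that is not part of the Novell guide or of kdb5_ldap_util, checks such a list before it is passed to the utility. The function names and the rules (tcp or udp only, port 1..65535, no empty entries) are this example's own.

```shell
#!/bin/sh
# Added example, not from the Novell guide: validate -servicehost and -realm
# lists for create_service / modify_service before calling kdb5_ldap_util.
set -eu

# One -servicehost entry: host#proto#port, proto tcp or udp, port in 1..65535.
check_servicehost_entry() {
    entry=$1
    # exactly two '#' separators, so the entry splits into three fields
    [ "$(printf '%s' "$entry" | tr -cd '#')" = '##' ] || return 1
    host=${entry%%#*}
    rest=${entry#*#}
    proto=${rest%%#*}
    port=${rest#*#}
    [ -n "$host" ] || return 1
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] || return 1
    [ "$port" -le 65535 ]
}

# Colon-separated -servicehost list, e.g. server1#tcp#88:server2#udp#89.
# Every entry must pass check_servicehost_entry; an empty entry ("a#tcp#88::b#udp#89") fails.
check_servicehost_list() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS
    IFS=':'
    for e in $1; do
        check_servicehost_entry "$e" || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Colon-separated -realm list, e.g. ATHENA.MIT.EDU:NOVELL.COM. Realm names must be
# non-empty and contain no whitespace (Kerberos realms are conventionally uppercase).
check_realm_list() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS
    IFS=':'
    for r in $1; do
        case $r in ''|*[[:space:]]*) IFS=$old_ifs; return 1 ;; esac
    done
    IFS=$old_ifs
}
```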

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Edit Service.

Refer to the iManager online help for more information.

3.4.3 Viewing a Service

Use the following syntax to view a service:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri]
               [-t trusted_cert]

view_service    service_dn

For example:

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_service cn=kdc-service1,o=org

Output of the above command is similar to the following:

Password for "cn=admin,o=org":
Service dn: cn=service-kdc,o=org
Service type: kdc
Service host list:
Realm DN list: cn=NOVELL.COM,cn=kerberos,o=novell

Table 3-12 view_service Parameters

service_dn: DN of the Kerberos service to be viewed.

3.4.4 Listing Services

Use the following syntax to list the services:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri]
               [-t trusted_cert]

list_service [-basedn base_dn]

Table 3-13 list_service Parameters

-basedn: Base DN under which to search for services. Use it to limit the search to a particular subtree.

This command lists the names of all existing services.

For example:

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_service

The output of the above command is similar to the following:

Password for "cn=admin,o=org":
cn=service-kdc,o=org
cn=service-adm,o=org
cn=service-pwd,o=org

3.4.5 Destroying a Service

You can use one of the following methods to destroy a service:

Command Line

Use the following syntax to destroy a service:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri]
               [-t trusted_cert]

destroy_service [-force] [-f stashfilename] service_dn

Table 3-14 destroy_service Parameters

destroy_service: Destroys an existing service.

-force: If specified, does not prompt for confirmation but destroys the service immediately.

-f: Complete path of the service password file from which the entry corresponding to service_dn is to be removed. The -f option is necessary if you used a stash file of your choice when creating the service or setting its password. If this option is not provided, the entry for the service being destroyed is looked up in the default stash file; the service object is still destroyed, but its entry might remain in the stash file you chose.

For example:

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy_service cn=service-kdc,o=org

Output of the above command is similar to the following:

Password for "cn=admin,o=org":
This will delete the service object 'cn=service-kdc,o=org', are you sure?
(type 'yes' to confirm)? yes
** service object 'cn=service-kdc,o=org' deleted.

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Click Kerberos Management > Delete Service.

Refer to the iManager online help for more information.

3.4.6 Setting a Password for Service Objects

You can set a password for service objects such as the KDC, Administration, and Password servers and store it in a file. The -fileonly option stores the password in a file and not in the eDirectory object.

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri]
               [-t trusted_cert]
setsrvpw [-randpw|-fileonly] [-f filename] service_dn

For example:

kdb5_ldap_util setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org

If you do not specify a filename, the default path /usr/local/var/service_passwd is used. When you set the service object password for the first time, the service object DN and the encrypted password are stored in the service password file. When you set the password for the same service object again, its entry is located in the file by a case-insensitive comparison of the DN and replaced with the new password.

kdb5_ldap_util does not store the password in the file in plain text. It is encrypted with a unique machine-dependent key and then written to the file.

IMPORTANT: The password file should not be edited manually; modify it only with the kdb5_ldap_util utility. Also, because passwords in this file are encrypted with a unique machine-dependent key, the password file becomes unusable if it is moved to a different machine.

The following table describes the configuration parameters:

Table 3-15 setsrvpw Parameters

-randpw: Generates and sets a random password. Specify this option to store the password both in eDirectory and in a file. You cannot combine it with -fileonly.

-fileonly: Stores the password only in a file and not in eDirectory. You cannot combine it with -randpw.

-f: Complete path of the service password file.

service_dn: DN of the service object whose password is to be set.

3.4.7 Setting the Server Certificate

This section describes the steps to configure the Kerberos services (KDC, Administration and Password servers) for authenticating to eDirectory using LDAP SASL EXTERNAL (CertMutual) authentication.

To set up certificate-based authentication:

  1. Create a new directory. For example, kerbcert.

  2. Change directory:

    cd kerbcert/

  3. Create a file called openssl.cnf in the kerbcert directory with the following contents:

    [ req ]
    distinguished_name = req_distinguished_name
    prompt = no

    [ req_distinguished_name ]
    CN=service-kdc.O=org

    Replace CN=service-kdc.O=org with the FDN of the service object in eDirectory.

    NOTE: The attribute names CN, OU, O must be in uppercase. The components of the FDN must be separated by “.” (dot) and not by “,” (comma).

  4. Create a private key and certificate signing request (CSR):

    1. Enter the following command:

      openssl req -newkey rsa:1024 -keyout key.pem -out req.pem -config openssl.cnf

      The private key is written to key.pem and the certificate signing request to req.pem. For more information, refer to the OpenSSL Web site.

    2. Specify the password at the prompt.

      This password protects the private key.

  5. Use iManager to connect to the eDirectory tree and issue a certificate as described in the Novell Certificate Server 2.21 Administration Guide.

    When prompted for the certificate signing request, specify the req.pem file path.

    Export the issued certificate in Base 64 format (.b64) into a file called cert.b64 in the new directory (kerbcert in our example).

  6. Concatenate the files key.pem and cert.b64 into a single cert-key.pem file as follows:

    cat key.pem cert.b64 > cert-key.pem

  7. Configure the service to use the issued certificate for authentication instead of the password as follows:

    kdb5_ldap_util setsrvcert -f path_of_the_password_stash_file -cert cert-key.pem service_dn

    service_dn is the FDN specified in the openssl.cnf file (CN=service-kdc.O=org in our example), but on the command line the components of the FDN must be separated by commas rather than dots.

    Enter the password when you are prompted to do so. This is the same password you created in Step 4 to protect the private key.

The service is now configured to use certificate-based authentication instead of password-based authentication.
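The local steps of the procedure above (steps 3, 4 and 6), as an added example script that is not part of the Novell guide or of kdb5_ldap_util. It derives the dotted, uppercase-attribute FDN for openssl.cnf from the comma form used on the kdb5_ldap_util command line, generates the key and CSR non-interactively, and refuses to build cert-key.pem unless the certificate exported from iManager actually belongs to key.pem. Assumptions: the passphrase is read from an environment variable named KERB_KEY_PASS (a name chosen here), rsa:2048 is this example's choice where the guide shows rsa:1024, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Novell guide: local steps 3, 4 and 6 of the
# certificate procedure, plus a check that cert.b64 really belongs to key.pem.
set -eu

# Comma form used with kdb5_ldap_util -> dotted form with uppercase attribute
# names for openssl.cnf: cn=service-kdc,o=org -> CN=service-kdc.O=org
fdn_to_dotted() {
    printf '%s' "$1" | awk -F',' '{
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            printf "%s%s=%s", (i > 1 ? "." : ""), toupper(substr($i, 1, eq - 1)), substr($i, eq + 1)
        }
    }'
}

# Step 3: write openssl.cnf in directory $2 for the comma-form FDN $1.
write_openssl_cnf() {
    {
        printf '[ req ]\ndistinguished_name = req_distinguished_name\nprompt = no\n\n'
        printf '[ req_distinguished_name ]\n%s\n' "$(fdn_to_dotted "$1")"
    } > "$2/openssl.cnf"
}

# Step 4: private key and CSR in directory $1 without an interactive prompt; the key
# passphrase comes from KERB_KEY_PASS (name chosen for this example). rsa:2048 is
# this example's choice; the guide shows rsa:1024.
make_key_and_csr() {
    : "${KERB_KEY_PASS:?set the key passphrase in KERB_KEY_PASS}"
    openssl req -newkey rsa:2048 -keyout "$1/key.pem" -out "$1/req.pem" \
        -config "$1/openssl.cnf" -passout env:KERB_KEY_PASS
}

# Subject of the CSR in RFC 2253 form (e.g. CN=service-kdc.O=org), to compare
# against the intended FDN before req.pem is handed to iManager.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Step 6 plus a check the guide omits: build cert-key.pem in directory $1 only if
# the issued certificate and key.pem share the same RSA modulus.
bundle_cert_key() {
    kmod=$(openssl rsa -in "$1/key.pem" -noout -modulus -passin env:KERB_KEY_PASS)
    cmod=$(openssl x509 -in "$1/cert.b64" -noout -modulus)
    if [ "$kmod" != "$cmod" ]; then
        echo "cert.b64 was not issued for key.pem; refusing to build cert-key.pem" >&2
        return 1
    fi
    cat "$1/key.pem" "$1/cert.b64" > "$1/cert-key.pem"
}
```

Run write_openssl_cnf and make_key_and_csr before submitting req.pem to iManager, then bundle_cert_key after cert.b64 has been exported into the same directory.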

Before starting the service, configure eDirectory to accept certificate-based authentication as follows:

  1. Use iManager to modify the LDAP server SSL/TLS configuration.

    Change Client Certificate from Not requested to Requested as described in Section 14.6 Authentication and Security in the Novell eDirectory 8.8 Administration Guide.

  2. Check whether the SASL EXTERNAL mechanism is installed as follows:

    ldapsearch -x -h ldaphost -b "" -s base | grep 'supportedSASLMechanisms'

    The SASL mechanisms supported by eDirectory are listed. Check if the EXTERNAL mechanism is in the list. If not, the mechanism must be installed as described in Section 14.6 Authentication and Security in Novell eDirectory 8.8 Administration Guide.