LDAPv3

The HOWTO I originally wrote (called Kerberos-MiniHOWTO) wasn't so 'mini', and it wasn't really about Kerberos. If you are looking for the original HOWTO I wrote about LDAPv3, with all the steps involved in getting LDAPv3 to work, you should check out the LDAPv3-HOWTO URL instead.

This document will instead be the 'mini' HOWTO (very rudimentary) about getting LDAPv3 to work. It's intended for those of you who have already done this once, but want a very condensed document on doing it again (on another system). I will not go into what to do if things don't work; check the original LDAPv3 HOWTO for that.


The Quick and Dirty order

To make it a little easier for me the next time I implement this (for a customer etc), I thought I'd write a very quick HOWTO describing in short what needs to be done.

On the build system

Downloading all the source code

Patch broken software

Build all the software

Install all the software

Kerberos (KDC/KAdmin) server

LDAP server

Usage server

Configure/Setup all the software

Kerberos

SASL

OpenLDAP

SSH, Login, Ftp, etc

Security

On the build system

Usually one doesn't want a lot of development going on on the actual servers, so compilers etc. should not be installed. In this micro-HOWTO, I assume that all the building etc. is done on a totally separate machine. This isn't true in real life, but...

Downloading all the source code

Running Debian GNU/Linux, these are the packages you will need to get the source for (unless you opt to get the packages from me; see the shortcuts section in the original document). To do this, execute the following command in an empty source directory:

apt-get source cvs cyrus-sasl libnss-ldap libpam-ldap openldap2

On top of that, you will need to install the following development packages, by executing the following command line (as root):

apt-get install libc6-dev libkrb5-dev libpam0g-dev zlib1g-dev libdb2-dev libwrap0-dev libiodbc2-dev dpkg-dev autoconf automake libtool patch debhelper


I think those are all, but I might have missed some...

Patch broken software

Some of the software described in the original document (especially the specific versions described there) has bugs (or missing features). To fix this, download the following patches and patch the appropriate source.


cyrus-sasl-1.5.24/plugins/gssapi.c (patch 1)
cyrus-sasl-1.5.24/plugins/gssapi.c (patch 2)
openldap2-2.0.7/libraries/libldap/open.c
openldap2-2.0.7/debian/patches/{004_libldap-open|rules}

Build all the software

If using a special build platform/machine, build the packages in this order:


1. Berkeley DB

2. OpenSSL

3. MIT Kerberos V

4. Cyrus SASL

5. OpenLDAP2

6. CVS

7. LibNSS/LDAP

8. LibPAM/LDAP

Install all the software

Install all the software on its own separate machine. I recommend having one Kerberos (KDC) server, one LDAP server and one (or more) 'usage servers' (ie, the servers that will actually USE this system :). Berkeley DB does NOT need to be installed on these (neither do the development packages). These are the packages that need to be installed:

Kerberos (KDC/KAdmin) server

apt-get install libcomerr2 libkrb53 libkadm54 krb5-user krb5-kdc krb5-admin-server

LDAP server

apt-get install libcomerr2 libkrb53 libgdbmg1 libpam0g libsasl7 libssl09 libwrap0 libiodbc2 slapd

Usage server

apt-get install libcomerr2 libdb2 libkrb53 libgdbmg1 libpam0g libsasl7 libssl09 libldap2 libncurses5 krb5-clients krb5-doc netbase krb5-ftpd krb5-rsh-server krb5-telnetd libkadm54 krb5-user ldap-utils libnss-ldap libpam-krb5 libpam-ldap

As you might have seen, there is no libnss-ldap/libpam-ldap stuff on the first two servers. That's because they are supposed to have 'maximum security'. The MIT Kerberos V people don't recommend remote login on the KDC/KAdmin server, only via the terminal.

Configure/Setup all the software

To make sure everything works, test the system one piece at a time. This seems like a good order...

Kerberos

We need to be able to get a ticket. To do this, try kinit.

SASL

Make sure that the sample client/server distributed with Cyrus-SASL work.

OpenLDAP

Make sure that simple binds (with and without SSL and TLS) work.
Make sure that SASL binds (with and without SSL and TLS) work.
Make sure that it's possible to bind as a user (with a UserDN and with a principal).

SSH, Login, Ftp, etc

Make sure it's possible to log in to the system using ssh, ftp and login.
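The checklist above (Kerberos ticket, then the LDAP bind combinations, then a remote login), as an added shell script that is not part of the original HOWTO. It runs each step in the order given and reports PASS, FAIL or SKIP (skip when the tool is not installed on the machine it runs on). The host names, realm, base DN, user DN and principal are assumed placeholders and can be overridden from the environment; the SASL sample client/server step is interactive and is left to be run by hand. The SASL binds use GSSAPI, so they depend on the ticket that the kinit step obtains, which is why Kerberos is checked first.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): run the verification steps in
# the order given above and report PASS/FAIL/SKIP for each.  Every host name,
# realm, DN and principal below is an assumed placeholder; override them in
# the environment.  Invoke as:  sh check-setup.sh run
KDC_PRINCIPAL="${KDC_PRINCIPAL:-testuser@EXAMPLE.COM}"   # assumed
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"          # assumed
LDAPS_URI="${LDAPS_URI:-ldaps://ldap.example.com}"       # assumed
BASE_DN="${BASE_DN:-dc=example,dc=com}"                  # assumed
USER_DN="${USER_DN:-uid=testuser,ou=People,$BASE_DN}"    # assumed
USAGE_HOST="${USAGE_HOST:-usage.example.com}"            # assumed

# ldap_args MODE TRANSPORT: print the ldapsearch switches for one combination
# of bind method (simple | sasl | userdn) and transport (plain | tls | ssl).
# Each combination is one line of the checklist above.
ldap_args() {
    case "$1" in
        simple) args="-x" ;;                      # anonymous simple bind
        sasl)   args="-Y GSSAPI" ;;               # SASL bind with the principal kinit got a ticket for
        userdn) args="-x -D $USER_DN -W" ;;       # simple bind as a user; password is prompted for
        *) echo "unknown bind mode: $1" >&2; return 1 ;;
    esac
    case "$2" in
        plain) args="$args -H $LDAP_URI" ;;
        tls)   args="$args -H $LDAP_URI -ZZ" ;;   # StartTLS; -ZZ fails if TLS cannot be negotiated
        ssl)   args="$args -H $LDAPS_URI" ;;
        *) echo "unknown transport: $2" >&2; return 1 ;;
    esac
    echo "$args -b $BASE_DN -s base"              # read the base entry only
}

# run_check NAME TOOL COMMAND...: run COMMAND; return 0 for PASS, 1 for FAIL,
# or 2 for SKIP when TOOL is not installed on this machine.
run_check() {
    name=$1; tool=$2; shift 2
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "SKIP  $name ($tool not installed)"; return 2
    fi
    if "$@"; then echo "PASS  $name"; return 0; fi
    echo "FAIL  $name"; return 1
}

# tally STATUS: count FAILs only; a SKIP is reported but does not fail the run.
tally() {
    [ "$1" -eq 1 ] && failed=$((failed + 1))
    return 0
}

run_all() {
    failed=0
    # Kerberos first: the SASL/GSSAPI binds below need the ticket kinit obtains.
    run_check "kerberos: kinit $KDC_PRINCIPAL" kinit kinit "$KDC_PRINCIPAL"; tally $?
    run_check "kerberos: valid ticket in cache" klist klist -s; tally $?
    for transport in plain tls ssl; do
        for mode in simple sasl; do
            # $(ldap_args ...) is deliberately unquoted so the switches word-split
            run_check "ldap: $mode bind, $transport" ldapsearch ldapsearch $(ldap_args "$mode" "$transport"); tally $?
        done
    done
    run_check "ldap: bind as $USER_DN" ldapsearch ldapsearch $(ldap_args userdn tls); tally $?
    run_check "login: ssh to $USAGE_HOST" ssh ssh -o BatchMode=yes "$USAGE_HOST" true; tally $?
    echo "$failed check(s) failed"
    return "$failed"
}

case "${1:-}" in run) run_all ;; esac
```

Run it as `sh check-setup.sh run` on the usage server after kinit's password prompt is answered; a SKIP means the tool is missing from that machine (compare the package lists above), while a FAIL on one transport but not another usually points at the SSL/TLS configuration rather than at the directory itself.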


Security

When I build a separate system for my Kerberos KDC, I will most likely implement both the Kerberos server and the LDAP server on the same machine. That's because only MY machines are supposed to have access to the LDAP database. To make sure it's as secure as I can make it, I'll have some ipchains/iptables rules that will limit access to the ports the LDAP and Kerberos servers are running on. One example of such a script would probably be:

#!/bin/sh
# ETHR is the address of the external interface (used with -d); EXTIF is the
# interface name (used with -i), since ipchains -i takes a name such as eth0,
# not an address.
ETHR=[IP OF EXTERNAL INTERFACE]
EXTIF=[NAME OF EXTERNAL INTERFACE]

TCP_PORTS="$TCP_PORTS    88"    # Kerberos `kdc' (v5)
TCP_PORTS="$TCP_PORTS   389"    # ldap
TCP_PORTS="$TCP_PORTS   636"    # LDAP over SSL
TCP_PORTS="$TCP_PORTS   749"    # Kerberos `kadmin' (v5)
TCP_PORTS="$TCP_PORTS   760"    # Kerberos registration

UDP_PORTS="$UDP_PORTS    88"    # Kerberos `kdc' (v5)
UDP_PORTS="$UDP_PORTS   389"    # ldap
UDP_PORTS="$UDP_PORTS   636"    # LDAP over SSL

# For each port: accept from the two trusted networks, reject from anyone
# else.  Ports not listed here are left to the input chain's policy.
echo -n "Setting up TCP accepts/rejects: "
for port in $TCP_PORTS; do
    echo -n "$port "
    /sbin/ipchains -A input -s [EXTERNAL NETWORK] -d $ETHR $port -p tcp -i $EXTIF -j ACCEPT
    /sbin/ipchains -A input -s [INTERNAL NETWORK] -d $ETHR $port -p tcp -i $EXTIF -j ACCEPT
    /sbin/ipchains -A input -s 0/0 -d $ETHR $port -p tcp -i $EXTIF -j REJECT
done
echo ""

echo -n "Setting up UDP accepts/rejects: "
for port in $UDP_PORTS; do
    echo -n "$port "
    /sbin/ipchains -A input -s [EXTERNAL NETWORK] -d $ETHR $port -p udp -i $EXTIF -j ACCEPT
    /sbin/ipchains -A input -s [INTERNAL NETWORK] -d $ETHR $port -p udp -i $EXTIF -j ACCEPT
    /sbin/ipchains -A input -s 0/0 -d $ETHR $port -p udp -i $EXTIF -j REJECT
done
echo ""
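The same port policy expressed with iptables (the other tool the section names), as an added example that is not part of the original HOWTO. Two things are added beyond the ipchains script: attempts that get rejected are first logged (rate-limited, so a scan cannot flood the log), and the rules are produced by a function so they can be printed and reviewed before anything is applied. The interface name, its address and the two allowed networks are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: the port policy of the ipchains
# script above as iptables rules, with logging of rejected attempts.  The
# interface, its address and the allowed networks are assumed placeholders.
EXTIF="${EXTIF:-eth0}"                                   # assumed external interface name
EXTADDR="${EXTADDR:-192.0.2.10}"                         # assumed address of that interface
ALLOWED_NETS="${ALLOWED_NETS:-192.0.2.0/24 10.0.0.0/8}"  # assumed: external net, internal net
TCP_PORTS="88 389 636 749 760"   # kdc, ldap, ldaps, kadmin, kerberos registration
UDP_PORTS="88 389"               # kdc and ldap over udp

# emit_rules: print one iptables command per line.  For each port: accept
# from every allowed network, then log (rate-limited) and reject the rest.
# Ports not listed are left to the INPUT chain's policy, as in the original.
emit_rules() {
    for proto in tcp udp; do
        if [ "$proto" = tcp ]; then
            ports=$TCP_PORTS; reject="--reject-with tcp-reset"
        else
            ports=$UDP_PORTS; reject="--reject-with icmp-port-unreachable"
        fi
        for port in $ports; do
            for net in $ALLOWED_NETS; do
                echo "iptables -A INPUT -i $EXTIF -s $net -d $EXTADDR -p $proto --dport $port -j ACCEPT"
            done
            # denied attempts show up in the kernel log, at most 5 per minute per rule
            echo "iptables -A INPUT -i $EXTIF -d $EXTADDR -p $proto --dport $port -m limit --limit 5/min -j LOG --log-prefix \"$proto/$port denied: \""
            echo "iptables -A INPUT -i $EXTIF -d $EXTADDR -p $proto --dport $port -j REJECT $reject"
        done
    done
}

# count_rules ACTION: number of emitted rules whose target is ACTION; handy
# for checking the generated rule set before applying it.
count_rules() {
    emit_rules | grep -c -- "-j $1"
}

# "sh firewall.sh" prints the rules for review; "sh firewall.sh apply" runs
# them (as root), stopping at the first iptables error.
case "${1:-}" in
    apply) emit_rules | sh -e ;;
    *)     emit_rules ;;
esac
```

With the placeholder values the generator emits 14 ACCEPT, 7 LOG and 7 REJECT rules (five TCP and two UDP ports, two allowed networks). A denied attempt appears in the kernel log with the `tcp/389 denied:` style prefix, which is the quickest way to notice a machine outside the allowed networks probing the directory.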

© Mar 31, 2001, Turbo Fredriksson <turbo@bayour.com>. Last changed: Sep 20, 2001