Enable Kerberos on Apache Directory Server

In the last post I configured single sign on for users in the Apache Directory Server. Now we modify the server to supply Kerberos tickets to users at log on. There is a corresponding video here.

In this guide I presume that you have:

  • Followed my previous guide and installed the apacheds
  • Followed my previous guide and configured LDAP on apacheds

Let's get on with configuring the Kerberos service.

  • Open Directory Studio
  • Right click your connection and select ‘Open Configuration’
  • Open the ‘Kerberos Server’ tab in the configuration pane
  • Check the enable Kerberos Server checkbox
  • Set the ‘port’ to 88
  • Set the ‘Primary KDC Realm’ to your capitalized domain suffix, i.e. everything after the hostname, e.g. FUKR.ORG.UK or UBUNTU.COM. Mine is just LAN
  • Set the search base to the partition that you set in the previous guide. Mine for example is ou=potato
  • Click ‘File’->‘Save’
  • Exit Apache Directory Server
  • Restart the ApacheDS service:
    sudo /etc/init.d/apacheds-2.0.0-M23-default restart
  • Start Directory Studio

Now we create an organizational unit to hold our service principals.

  • Open your connection
  • Right click our partition and select ‘New’->‘New entry’
  • Select ‘Create entry from scratch’
  • Click ‘next’ then add ‘organizationalUnit’ from the list of available objectClasses
  • Click ‘Next’ and in the ‘RDN’ field, select ‘ou’
  • Set its value to ‘servicePrincipals’
  • Click ‘Next’ then ‘Finish’

Next we create a service principal for the ticket granting service.

  • Right click our new servicePrincipals ou and select ‘New’->‘New entry’
  • Select ‘Create entry from scratch’
  • Click ‘next’ then add the following objectClasses:
    organizationalUnit
    krb5KDCEntry
    uidObject
  • Click ‘Next’ then in the ‘RDN’ field, select ‘uid’
  • Set its value to ‘krbtgt’
  • Click ‘Next’ and then set the ‘krb5keyVersionNumber’ to 1
  • Set the ‘krb5PrincipalName’ to ‘krbtgt/YOUR.REALM.NAME@DOMAIN.SUFFIX’ (case is important)
  • Set the ‘ou’ to TGT. I think this can be anything; I presume the ‘ou’ attribute is only needed because it is a structural requirement
  • Click ‘Finish’
  • Select the newly created user object in the DIT and right click in the blank space in the pane to the right of the DIT and select ‘New Attribute’
  • Set ‘Attribute Type’ to userPassword
  • Click ‘Finish’
  • In the ‘Password Editor’, set a really good password, as you will not need to remember it. You’ll also see a set of keys created

Now we need to enable Kerberos for our test user.

  • Navigate the DIT and click on the user we created in an earlier guide
  • Right click in the blank space in the pane to the right of the DIT and select ‘New Attribute’
  • Set the ‘Attribute type’ to ‘objectClass’ and then click ‘Finish’
  • Add ‘krb5KDCEntry’ to the list of selected object classes
  • Click ‘Next’
  • Enter 1 in the ‘Integer Editor’ window and click ‘OK’
  • Set the ‘krb5PrincipalName’ to user@REALM. In my case it is set to testuser@LAN (CASE is ImPorTaNT)
  • Set a new password for this user to create the necessary keys
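The two entry-building sections above (the servicePrincipals ou with its krbtgt principal, and the krb5KDCEntry additions to the test user) can also be expressed as LDIF and applied with ldapmodify instead of clicking through Directory Studio. The following is an added example written for this post, not code from the post or from the ApacheDS project. It assumes the partition ou=potato and the realm LAN used above, a hypothetical user DN of uid=testuser,ou=users,ou=potato for the earlier test user, and that ApacheDS derives the Kerberos keys itself when userPassword is written, which is the behaviour the post describes for the password editor. It also checks the one thing the post keeps stressing: the realm must be upper case and the principal's realm must match it exactly.

```python
"""Generate the LDIF for the Kerberos entries described in the post.

Added example (not from the original post). Assumed values: partition
"ou=potato", realm "LAN", and a hypothetical test-user DN. Apply the output
with, for example:
    ldapmodify -H ldap://localhost:10389 -D uid=admin,ou=system -W -f kerberos.ldif
"""
import base64
import re
import secrets

# Kerberos realm names are case-sensitive; the post uses upper case throughout.
_REALM_RE = re.compile(r"^[A-Z0-9][A-Z0-9.-]*$")


def check_principal(principal: str, realm: str) -> bool:
    """True if principal is 'name@REALM' or 'svc/inst@REALM' for exactly this realm."""
    if not _REALM_RE.match(realm):
        return False
    name, sep, prin_realm = principal.rpartition("@")
    return bool(sep) and bool(name) and prin_realm == realm


def _ldif_value(attr: str, value: str) -> str:
    """Base64-encode values LDIF cannot carry literally (non-ASCII, leading space/colon)."""
    if value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<")):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def random_krbtgt_password() -> str:
    """The post says nobody needs to remember this password, so generate a long random one."""
    return secrets.token_urlsafe(32)


def service_principals_ou(partition: str) -> str:
    """The organizationalUnit that holds the service principals."""
    return "\n".join([
        f"dn: ou=servicePrincipals,{partition}",
        "objectClass: top",
        "objectClass: organizationalUnit",
        "ou: servicePrincipals",
        "",
    ])


def krbtgt_entry(partition: str, realm: str, password: str) -> str:
    """The ticket-granting-service principal, with the same objectClasses the post lists."""
    principal = f"krbtgt/{realm}@{realm}"  # with the post's realm this is krbtgt/LAN@LAN
    if not check_principal(principal, realm):
        raise ValueError(f"realm {realm!r} must be upper case, e.g. LAN or FUKR.ORG.UK")
    return "\n".join([
        f"dn: uid=krbtgt,ou=servicePrincipals,{partition}",
        "objectClass: top",
        "objectClass: organizationalUnit",
        "objectClass: krb5KDCEntry",
        "objectClass: uidObject",
        "uid: krbtgt",
        "ou: TGT",
        "krb5KeyVersionNumber: 1",
        f"krb5PrincipalName: {principal}",
        _ldif_value("userPassword", password),  # ApacheDS derives the keys from this
        "",
    ])


def enable_user(user_dn: str, uid: str, realm: str, password: str) -> str:
    """A changetype: modify record that adds krb5KDCEntry to an existing user entry."""
    principal = f"{uid}@{realm}"
    if not check_principal(principal, realm):
        raise ValueError(f"principal {principal!r} is not valid for realm {realm!r}")
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "add: objectClass",
        "objectClass: krb5KDCEntry",
        "-",
        "add: krb5KeyVersionNumber",
        "krb5KeyVersionNumber: 1",
        "-",
        "add: krb5PrincipalName",
        f"krb5PrincipalName: {principal}",
        "-",
        "replace: userPassword",  # a fresh password is what triggers key generation
        _ldif_value("userPassword", password),
        "-",
        "",
    ])


if __name__ == "__main__":
    partition, realm = "ou=potato", "LAN"           # values from the post
    user_dn = "uid=testuser,ou=users,ou=potato"     # hypothetical DN for the earlier test user
    print(service_principals_ou(partition))
    print(krbtgt_entry(partition, realm, random_krbtgt_password()))
    print(enable_user(user_dn, "testuser", realm, "change-me-on-first-logon"))
```

Running the script prints three LDIF records; redirect them to a file and feed it to ldapmodify against the LDAP port (10389 by default on ApacheDS). Mistyping the realm in lower case raises immediately rather than producing an entry the KDC will silently fail to match against client requests.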

That’s it. In the next post I’ll configure Kerberos on the Ubuntu 16.04 client.