Setting up a kerberos realm.
This guide will set up a kerberos realm PHYS.ETHZ.CH using ldap as backend to allow multi-master replication of the kerberos db.
Proper DNS hostname resolution (forward and reverse) is required, but will not be covered by this guide.
The hosts and services are as follows (openssl, sshd and ntp will be required on all hosts):
os:
debian9 (stretch)hosts:
phd-aa1phd-aa2phd-aa3services:
krb5-kdckrb5-admin-serveropenldaprequired packages:
ntpkrb5-kdckrb5-admin-serverslapdldap-utilskrb5-kdc-ldaplibsasl2-modules-gssapi-mitcertbotSome terms may be misused and/or misleading in this guide (see below):
Whenever the term ldap is used as the ldap-service/ldap-server/ldap-client/ldap-software-package name, we actually mean OpenLDAP a community developed LDAP software
Whenever the term kerberos is used as the kerberos-service/kerberos-server/kerberos-client/kerberos-software-package name, we actually mean MIT Kerberos, the free implementation of this protocol from the Massachusetts Institute of Technology
it is very critical to generate a secure master password, as the database contains all the encryption keys.
we'll first get mkpw to generate secure passwords:
apt install whois git -y
mkdir /root/git
cd /root/git
git clone https://github.com/rda0/mkpw.git
ln -s /root/git/mkpw/mkpw.sh /usr/sbin/mkpwalternatively you can use the following command to generate a password:
< /dev/urandom tr -dc '[:graph:]' | head -c'40'; echogenerate a secure master password and store it in a secure way (encrypted):
mkpw 40install basic packages (not required, but makes life easier):
apt install vim man less tree psmisc bash-completion -ytime is critical, install ntp:
apt install ntp -y
cat > /etc/ntp.conf << 'EOF'
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# add system clock as fallback
server 127.127.1.0
server time1.phys.ethz.ch minpoll 4 maxpoll 10 iburst
server time2.phys.ethz.ch minpoll 4 maxpoll 10 iburst
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
EOF
systemctl start ntpwe'll be using certbot to get a certificate signed by letsencrypt:
apt install certbot -y
cat > /etc/letsencrypt/cli.conf << EOF
rsa-key-size = 4096
email = isg@phys.ethz.ch
authenticator = standalone
preferred-challenges = tls-sni-01
domains = $(hostname -f)
EOF
/sbin/iptables -I INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -I OUTPUT -p tcp --dport 443 -j ACCEPT
/usr/bin/certbot -n --agree-tos -c /etc/letsencrypt/cli.conf certonly --dry-run
/sbin/iptables -D INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -D OUTPUT -p tcp --dport 443 -j ACCEPT
cat > /etc/cron.monthly/certbot-renew << EOF
/sbin/iptables -I INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -I OUTPUT -p tcp --dport 443 -j ACCEPT
/usr/bin/certbot -n --agree-tos -c /etc/letsencrypt/cli.conf certonly
/sbin/iptables -D INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -D OUTPUT -p tcp --dport 443 -j ACCEPT
EOF
chmod +x /etc/cron.monthly/certbot-renewprepare debconf configuration and install slapd:
cat > /root/debconf-slapd.conf << 'EOF'
slapd slapd/password1 password admin
slapd slapd/internal/adminpw password admin
slapd slapd/internal/generated_adminpw password admin
slapd slapd/password2 password admin
slapd slapd/unsafe_selfwrite_acl note
slapd slapd/purge_database boolean false
slapd slapd/domain string phys.ethz.ch
slapd slapd/ppolicy_schema_needs_update select abort installation
slapd slapd/invalid_config boolean true
slapd slapd/move_old_database boolean false
slapd slapd/backend select MDB
slapd shared/organization string ETH Zurich
slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
slapd slapd/no_configuration boolean false
slapd slapd/dump_database select when needed
slapd slapd/password_mismatch note
EOF
export DEBIAN_FRONTEND=noninteractive
cat /root/debconf-slapd.conf | debconf-set-selections
apt install ldap-utils slapd -ywe will create all our configuration ldif files in /etc/ldap/config:
mkdir /etc/ldap/config
chmod 0700 /etc/ldap/configuse certbot to get a certificate signed by letsencrypt:
cat >> /etc/cron.monthly/certbot-renew << EOF
mkdir -p /etc/ldap/cert/bak
cp /etc/ldap/cert/cacert.pem /etc/ldap/cert/bak/
cp /etc/ldap/cert/cert.pem /etc/ldap/cert/bak/
cp /etc/ldap/cert/privkey.pem /etc/ldap/cert/bak/
cp "/etc/letsencrypt/live/$(hostname -f)/fullchain.pem" /etc/ldap/cert/cacert.pem
cp "/etc/letsencrypt/live/$(hostname -f)/cert.pem" /etc/ldap/cert/cert.pem
cp "/etc/letsencrypt/live/$(hostname -f)/privkey.pem" /etc/ldap/cert/privkey.pem
chmod 0640 /etc/ldap/cert/privkey.pem
chgrp openldap /etc/ldap/cert/privkey.pem
EOF
/bin/bash /etc/cron.monthly/certbot-renewphd-aa1note: ldap server used as kerberos backend is to be installed on phd-aa1.
(optional) set admin passwords to safe values after installation as abofe (passwords see passkeeper.pl): (these modifications will be overridden in the following steps after this section)
cat > /etc/ldap/config/change_admin_pw_config_dit.ldif << 'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {CRYPT}$6$rounds=10000$1jIS2ggyG8a97R4t$gFX5s3hVIvGdHeLWy7VgFUm5W1Bqqj3s4eWAkyFZCqbQkY6QJmThi3tYrXq.bjKv4oIxfgoCmzAOfIL5kEvM7.
EOF
cat > /etc/ldap/config/change_admin_pw_normal_dit.ldif << 'EOF'
dn: cn=admin,dc=phys,dc=ethz,dc=ch
changetype: modify
replace: userPassword
userPassword: {CRYPT}$6$rounds=10000$1jIS2ggyG8a97R4t$gFX5s3hVIvGdHeLWy7VgFUm5W1Bqqj3s4eWAkyFZCqbQkY6QJmThi3tYrXq.bjKv4oIxfgoCmzAOfIL5kEvM7.
EOF
ldapmodify -H ldapi:/// -x -D cn=admin,dc=phys,dc=ethz,dc=ch -w admin -f /etc/ldap/config/change_admin_pw_normal_dit.ldif
ldapmodify -H ldapi:/// -f /etc/ldap/config/change_admin_pw_config_dit.ldif
# verify
ldapsearch -H ldapi:/// -x -D cn=admin,dc=phys,dc=ethz,dc=ch -W -b dc=phys,dc=ethz,dc=ch cn=admin | grep 'userPassword'create database from scratch (truncate normal DIT first) and setup ldap:
remove the initial db, start slapd and test if db is empty using slapcat:
systemctl stop slapd
rm -rf /var/lib/ldap/*
systemctl start slapd
slapcat
# should give no outputschemas cosine, nis, inetorgperson were already loaded by default and do not need to be added (just for reference):
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldifmodify the database configuration DIT:
cat > /etc/ldap/config/config_init_access_rule.ldif << 'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=phys,dc=ethz,dc=ch
-
replace: olcRootDN
olcRootDN: cn=admin,dc=phys,dc=ethz,dc=ch
-
replace: olcRootPW
olcRootPW: {CRYPT}$6$rounds=10000$1jIS2ggyG8a97R4t$gFX5s3hVIvGdHeLWy7VgFUm5W1Bqqj3s4eWAkyFZCqbQkY6QJmThi3tYrXq.bjKv4oIxfgoCmzAOfIL5kEvM7.
-
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=rw,ou=ldap,dc=phys,dc=ethz,dc=ch" write
by group="cn=ro,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by anonymous auth
by self write
by * none
-
add: olcAccess
olcAccess: to attrs=cn,dc,gecos,gidNumber,homeDirectory,loginShell,member,memberUid,objectClass,ou,sn,uid,uidNumber,uniqueMember,entry
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=rw,ou=ldap,dc=phys,dc=ethz,dc=ch" write
by group="cn=ro,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by users read
by anonymous auth
by * none
-
add: olcAccess
olcAccess: to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=rw,ou=ldap,dc=phys,dc=ethz,dc=ch" write
by group="cn=ro,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by * none
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -f /etc/ldap/config/config_init_access_rule.ldifinitialize the ldap db (normal DIT):
cat > /etc/ldap/config/init_ldap_db.ldif << 'EOF'
dn: dc=phys,dc=ethz,dc=ch
objectClass: top
objectClass: domain
objectClass: dcObject
dc: phys
dn: ou=people,dc=phys,dc=ethz,dc=ch
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=phys,dc=ethz,dc=ch
objectClass: organizationalUnit
ou: groups
dn: ou=ldap,dc=phys,dc=ethz,dc=ch
objectClass: organizationalUnit
ou: ldap
dn: cn=admin,ou=ldap,dc=phys,dc=ethz,dc=ch
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
userPassword: {CRYPT}$6$rounds=10000$1jIS2ggyG8a97R4t$gFX5s3hVIvGdHeLWy7VgFUm5W1Bqqj3s4eWAkyFZCqbQkY6QJmThi3tYrXq.bjKv4oIxfgoCmzAOfIL5kEvM7.
dn: cn=manage,ou=ldap,dc=phys,dc=ethz,dc=ch
objectClass: groupOfNames
member: cn=dumb,ou=ldap,dc=phys,dc=ethz,dc=ch
dn: cn=syncrepl,ou=ldap,dc=phys,dc=ethz,dc=ch
objectClass: groupOfNames
member: uid=ldap/phd-aa1.ethz.ch,cn=gssapi,cn=auth
member: uid=ldap/phd-aa2.ethz.ch,cn=gssapi,cn=auth
member: uid=ldap/phd-aa3.ethz.ch,cn=gssapi,cn=auth
dn: cn=rw,ou=ldap,dc=phys,dc=ethz,dc=ch
objectClass: groupOfNames
member: cn=dumb,ou=ldap,dc=phys,dc=ethz,dc=ch
member: cn=admin,ou=ldap,dc=phys,dc=ethz,dc=ch
dn: cn=ro,ou=ldap,dc=phys,dc=ethz,dc=ch
objectClass: groupOfNames
member: cn=dumb,ou=ldap,dc=phys,dc=ethz,dc=ch
EOF
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/init_ldap_db.ldifmake a test:
ldapsearch -x -LLL -H ldapi:/// -b dc=phys,dc=ethz,dc=ch -D cn=admin,ou=ldap,dc=phys,dc=ethz,dc=ch -W '(cn=admin)'modify /etc/default/slapd and add ldaps:/// to the SLAPD_SERVICES variable:
sed -i 's/SLAPD_SERVICES="ldap:\/\/\/ ldapi:\/\/\/"/SLAPD_SERVICES="ldap:\/\/\/ ldaps:\/\/\/ ldapi:\/\/\/"/' /etc/default/slapdenable and enforce TLS or GSSAPI on ldap server:
cat > /etc/ldap/config/config_enable_tls.ldif << 'EOF'
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/privkey.pem
-
# ssf = security strength factor (sets the min. required key length)
add: olcSecurity
olcSecurity: ssf=56
-
# allows access via ldapi:/// (set local ssf value to trust local access)
add: olcLocalSSF
olcLocalSSF: 128
EOF
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/config_enable_tls.ldifadd basic settings to /etc/ldap/ldap.conf:
cat >> /etc/ldap/ldap.conf << EOF
URI ldaps://phd-aa1.ethz.ch ldaps://phd-aa2.ethz.ch ldaps://phd-aa3.ethz.ch
BASE dc=phys,dc=ethz,dc=ch
TLS_REQCERT demand
EOFrestart slapd and make some tests:
systemctl restart slapdunencrypted connecting should not work (ldap_bind: Confidentiality required (13)):
ldapsearch -x -LLL -H "ldap://$(hostname -f)" -b dc=phys,dc=ethz,dc=ch -D cn=admin,ou=ldap,dc=phys,dc=ethz,dc=ch -W '(cn=admin)'connecting using TLS and StartTLS should work:
ldapsearch -x -LLL -H "ldaps://$(hostname -f)" -b dc=phys,dc=ethz,dc=ch -D cn=admin,ou=ldap,dc=phys,dc=ethz,dc=ch -W '(cn=admin)'
ldapsearch -x -LLL -ZZ -H "ldap://$(hostname -f)" -b dc=phys,dc=ethz,dc=ch -D cn=admin,ou=ldap,dc=phys,dc=ethz,dc=ch -W '(cn=admin)'phd-aa1add syncrepl provider to ldap config:
cat > /etc/ldap/config/config_add_syncrepl.ldif << 'EOF'
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la
EOF
ldapmodify -H ldapi:/// -f /etc/ldap/config/config_add_syncrepl.ldifadd syncprov overlay to ldap:
cat > /etc/ldap/config/config_add_syncprov.ldif << 'EOF'
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
EOF
ldapmodify -H ldapi:/// -f /etc/ldap/config/config_add_syncprov.ldifadd serverIDs to ldap config:
cat > /etc/ldap/config/config_add_serverids.ldif << 'EOF'
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 0x001 ldaps://phd-aa1.ethz.ch
olcServerID: 0x002 ldaps://phd-aa2.ethz.ch
olcServerID: 0x003 ldaps://phd-aa3.ethz.ch
EOF
ldapmodify -H ldapi:/// -f /etc/ldap/config/config_add_serverids.ldifgenerate two secure passwords for the dbroot administrative DNs using mkpw 40 2
and add the corresponding sha-512 hashes to the listing below:
cat > /etc/ldap/config/config_add_dbroot_dn.ldif << 'EOF'
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=dbroot,cn=config
-
replace: olcRootPW
olcRootPW: {CRYPT}$6$rounds=10000$O4GehX47tRp9pCGb$u.f3crPZXXjyL29coiAjVhqVe5/3W37O8aNGztPxAqTzaZM5Z9kbdAC48q3irS6U6AIwVfw.rgbU/EqJ/zjBL/
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=dbroot,dc=phys,dc=ethz,dc=ch
-
replace: olcRootPW
olcRootPW: {CRYPT}$6$rounds=10000$QwjWBJk1dKUkvRxW$bf1SLLyCaevImSgbWOZDBpf2DBfTDmOQF/DK58AIr1HczltzW3CDIPSPRNojOUa2biMXUQ3ddmw6C1IAi2acu/
EOF
ldapmodify -H ldapi:/// -f /etc/ldap/config/config_add_dbroot_dn.ldifnow add syncrepl consumer config.
add config for olcDatabase={0}config,cn=config (replace <passwd> with password of cn=dbroot,cn=config):
cat > /etc/ldap/config/config_add_syncrepl_config_config.ldif << 'EOF'
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldaps://phd-aa1.ethz.ch
binddn="cn=dbroot,cn=config" bindmethod=simple
credentials=<passwd>
searchbase="cn=config" type=refreshAndPersist
retry="5 +" timeout=1
olcSyncRepl: rid=002 provider=ldaps://phd-aa2.ethz.ch
binddn="cn=dbroot,cn=config" bindmethod=simple
credentials=<passwd>
searchbase="cn=config" type=refreshAndPersist
retry="5 +" timeout=1
olcSyncRepl: rid=003 provider=ldaps://phd-aa3.ethz.ch
binddn="cn=dbroot,cn=config" bindmethod=simple
credentials=<passwd>
searchbase="cn=config" type=refreshAndPersist
retry="5 +" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
ldapmodify -H ldapi:/// -f /etc/ldap/config/config_add_syncrepl_config_config.ldifadd config for olcDatabase={1}mdb,cn=config (replace <passwd> with password of cn=dbroot,dc=phys,dc=ethz,dc=ch):
cat > /etc/ldap/config/config_add_syncrepl_config_mdb.ldif << 'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=004 provider=ldaps://phd-aa1.ethz.ch
binddn="cn=dbroot,dc=phys,dc=ethz,dc=ch" bindmethod=simple
credentials=<passwd>
searchbase="dc=phys,dc=ethz,dc=ch" type=refreshAndPersist
interval=00:00:00:10 retry="5 +" timeout=1
olcSyncRepl: rid=005 provider=ldaps://phd-aa2.ethz.ch
binddn="cn=dbroot,dc=phys,dc=ethz,dc=ch" bindmethod=simple
credentials=<passwd>
searchbase="dc=phys,dc=ethz,dc=ch" type=refreshAndPersist
interval=00:00:00:10 retry="5 +" timeout=1
olcSyncRepl: rid=006 provider=ldaps://phd-aa3.ethz.ch
binddn="cn=dbroot,dc=phys,dc=ethz,dc=ch" bindmethod=simple
credentials=<passwd>
searchbase="dc=phys,dc=ethz,dc=ch" type=refreshAndPersist
interval=00:00:00:10 retry="5 +" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
ldapmodify -H ldapi:/// -f /etc/ldap/config/config_add_syncrepl_config_mdb.ldifadd config for db indexing:
cat > /etc/ldap/config/config_add_syncrepl_indexing.ldif << 'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
EOF
ldapmodify -H ldapi:/// -f /etc/ldap/config/config_add_syncrepl_indexing.ldifcreate a dump of the config:
slapcat -n 0 -l /etc/ldap/config/config.ldifphd-aa2, phd-aa3listen on port 636 and configure the ldap client:
sed -i 's/SLAPD_SERVICES="ldap:\/\/\/ ldapi:\/\/\/"/SLAPD_SERVICES="ldap:\/\/\/ ldaps:\/\/\/ ldapi:\/\/\/"/' /etc/default/slapd
scp phd-aa1:/etc/ldap/ldap.conf /etc/ldap/ldap.confinject the config from phd-aa1:
mkdir -p /etc/ldap/config
scp phd-aa1:/etc/ldap/config/config.ldif /etc/ldap/config/config.ldif
systemctl stop slapd
mv /etc/ldap/slapd.d/ /etc/ldap/slapd.d.old/
mkdir /etc/ldap/slapd.d/
slapadd -F /etc/ldap/slapd.d/ -n 0 -l /etc/ldap/config/config.ldif
chown -R openldap:openldap /etc/ldap/slapd.d/
systemctl start slapdphd-aa1generating debconf parameters (not required, just for reference)
apt install krb5-user krb5-doc krb5-kdc krb5-admin-server
dpkg-reconfigure krb5-kdc
dpkg-reconfigure krb5-config
dpkg-reconfigure krb5-admin-server
debconf-get-selections | grep ^krb5 | sed 's/\t/ /g' > /root/debconf-krb5.conf
apt remove --purge krb5-user krb5-doc krb5-kdc krb5-admin-server -y
rm /etc/krb5kdc -r
rm /etc/krb5.confprepare debconf parameters:
cat > /root/debconf-krb5.conf << 'EOF'
krb5-config krb5-config/read_conf boolean true
krb5-kdc krb5-kdc/debconf boolean true
krb5-config krb5-config/kerberos_servers string
krb5-kdc krb5-kdc/purge_data_too boolean false
krb5-config krb5-config/add_servers boolean false
krb5-admin-server krb5-admin-server/newrealm note
krb5-config krb5-config/default_realm string PHYS.ETHZ.CH
krb5-config krb5-config/add_servers_realm string PHYS.ETHZ.CH
krb5-config krb5-config/admin_server string
EOF
export DEBIAN_FRONTEND=noninteractive
cat /root/debconf-krb5.conf | debconf-set-selections
# not required
# dpkg-reconfigure -f noninteractive krb5-user krb5-kdc krb5-admin-serverinstall the kerberos packages:
apt install krb5-user krb5-doc krb5-kdc krb5-admin-server -y
systemctl stop krb5-kdc
systemctl stop krb5-admin-server
cd /etc/
if [ -e /etc/krb5.conf ]; then rm /etc/krb5.conf; fi
if [ -e /etc/krb5kdc/kdc.conf ]; then rm /etc/krb5kdc/kdc.conf; ficreate the KDC config file using default parameters, except for:
master_key_type: use strongest encryption type (available from version >= 1.15)supported_enctypes: use new encryption types with sha2 hashing, and restrict to aes onlyaes256-sha2: short for aes256-cts-hmac-sha384-192, implicit salting (:normal) enabled by defaultaes128-sha2: short for aes128-cts-hmac-sha256-128, implicit salting (:normal) enabled by defaultaes256-cts: short for aes256-cts-hmac-sha1-96, implicit salting (:normal) enabled by defaultaes128-cts: short for aes128-cts-hmac-sha1-96, implicit salting (:normal) enabled by defaultmax_life: set max ticket lifetime to 10hmax_renewable_life: set max ticket renenwal time to 7d/var/log/auth.log)cat > /etc/krb5kdc/kdc.conf << 'EOF'
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
PHYS.ETHZ.CH = {
kadmind_port = 749
database_name = /var/lib/krb5kdc/principal
# admin_keytab optional, remove for highest security
#admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
# key stash optional, remove for highest security
key_stash_file = /etc/krb5kdc/stash
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = aes256-sha2
supported_enctypes = aes256-sha2 aes128-sha2 aes256-cts aes128-cts
default_principal_flags = +preauth
database_module = openldap_ldapconf
dict_file = /etc/krb5kdc/dict
}
[logging]
kdc = SYSLOG:DEBUG:AUTH
admin_server = SYSLOG:DEBUG:AUTH
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = "cn=krbContainer,ou=mit-kerberos,dc=phys,dc=ethz,dc=ch"
ldap_kdc_dn = "cn=mit-kdc,ou=mit-kerberos,dc=phys,dc=ethz,dc=ch"
ldap_kadmind_dn = "cn=mit-kadmind,ou=mit-kerberos,dc=phys,dc=ethz,dc=ch"
ldap_service_password_file = "/etc/krb5kdc/service.keyfile"
ldap_servers = "ldapi:/// ldaps://phd-aa2.ethz.ch ldaps://phd-aa3.ethz.ch"
ldap_conns_per_server = 5
}
EOFset default daemon args, the default realm to use (here PHYS.ETHZ.CH):
echo 'DAEMON_ARGS="-r PHYS.ETHZ.CH"' >> /etc/default/krb5-kdc
echo 'DAEMON_ARGS="-r PHYS.ETHZ.CH"' >> /etc/default/krb5-admin-serverwe only want to use aes encryption with key length of 256 bit on our llinux clients.
this has to be specified in the encryption type parameters in `/etc/krb5.conf,
kerberos will negotiate the strongest possible key type between client and KDC.
(possible bug in v1.15, where not the strongest encryption type is used for session key,
probably due to the defaults, which according doc are still max. aes256-cts.
so use permitted_enctypes, default_tgs_enctypes, default_tkt_enctypes as below)
create kerberos client configuration /etc/krb5.conf:
cat > /etc/krb5.conf << 'EOF'
[libdefaults]
default_realm = PHYS.ETHZ.CH
permitted_enctypes = aes256-sha2 aes128-sha2 aes256-cts aes128-cts
default_tgs_enctypes = aes256-sha2 aes128-sha2 aes256-cts aes128-cts
default_tkt_enctypes = aes256-sha2 aes128-sha2 aes256-cts aes128-cts
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
canonicalize = true
[realms]
PHYS.ETHZ.CH = {
kdc = phd-aa1.ethz.ch:88
kdc = phd-aa2.ethz.ch:88
kdc = phd-aa3.ethz.ch:88
admin_server = phd-aa1.ethz.ch:749
kpasswd_server = phd-aa1.ethz.ch:464
kpasswd_server = phd-aa2.ethz.ch:464
kpasswd_server = phd-aa3.ethz.ch:464
}
[domain_realm]
.ethz.ch = PHYS.ETHZ.CH
.phys.ethz.ch = PHYS.ETHZ.CH
phys.ethz.ch = PHYS.ETHZ.CH
[logging]
default = SYSLOG:INFO:AUTH
EOFcreate access control list /etc/krb5kdc/kadm5.acl and grant full access to */admin principals:
cat > /etc/krb5kdc/kadm5.acl << 'EOF'
# */admin principals have full access
*/admin@PHYS.ETHZ.CH *
EOF
systemctl restart krb5-admin-server.servicephd-aa1install krb5-kdc-ldap:
apt install krb5-kdc-ldapcreate the kerberos schema ldif:
cd /root
zcat /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > kerberos.schema
echo 'include kerberos.schema' > slapd.conf
mkdir slapd.conf.d
slaptest -f slapd.conf -F slapd.conf.d
cp 'slapd.conf.d/cn=config/cn=schema/cn={0}kerberos.ldif' kerberos.ldif
rm -r kerberos.schema slapd.conf slapd.conf.d
sed -i 's/^dn: cn={0}kerberos/dn: cn=kerberos,cn=schema,cn=config/' kerberos.ldif
sed -i 's/^cn: {0}kerberos/cn: kerberos/' kerberos.ldif
sed -i '/^structuralObjectClass:/d' kerberos.ldif
sed -i '/^entryUUID:/d' kerberos.ldif
sed -i '/^creatorsName:/d' kerberos.ldif
sed -i '/^createTimestamp:/d' kerberos.ldif
sed -i '/^entryCSN:/d' kerberos.ldif
sed -i '/^modifiersName:/d' kerberos.ldif
sed -i '/^modifyTimestamp:/d' kerberos.ldif
mv kerberos.ldif /etc/ldap/schema/add the kerberos schema to ldap:
ldapadd -H ldapi:/// -f /etc/ldap/schema/kerberos.ldifadd indexing to some attributes to increase performance:
cat > /etc/ldap/config/config_add_krb_indexing.ldif << 'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: krbPrincipalName eq
olcDbIndex: krbPwdPolicyReference eq
EOF
ldapmodify -H ldapi:/// -f /etc/ldap/config/config_add_krb_indexing.ldifcreate the kerberos admin users:
cat > /etc/ldap/config/add_krb_admins.ldif << 'EOF'
dn: ou=mit-kerberos,dc=phys,dc=ethz,dc=ch
objectClass: organizationalUnit
ou: mit-kerberos
dn: cn=mit-kdc,ou=mit-kerberos,dc=phys,dc=ethz,dc=ch
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: mit-kdc
userPassword: {CRYPT}$6$rounds=10000$sC2Q4vxbWp8cxmjB$UWWhHsERB0WQLr8KLkr07wFB/87fGEES9OOg62oV2XweU5WG.Vd444znYqLCoTg.stCIf29DZEE5.bXJGBLdA.
dn: cn=mit-kadmind,ou=mit-kerberos,dc=phys,dc=ethz,dc=ch
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: mit-kadmind
userPassword: {CRYPT}$6$rounds=10000$sz5ZVm1xKkz0sJo0$wsc0RNERXl96JY7UKZKzb72v.KLbV03u7JaaBrFO/Xn7PtgL1vyQYg1bKZ2yVXWAVDHT09xYW9zI2ipr92iIW1
EOF
ldapadd -H ldapi:/// -f /etc/ldap/config/add_krb_admins.ldifremove limits from those two accounts:
cat > /etc/ldap/config/config_unlimit_krb_admins.ldif << 'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=mit-kdc,ou=mit-kerberos,dc=phys,dc=ethz,dc=ch" size=unlimited
olcLimits: dn.exact="cn=mit-kadmind,ou=mit-kerberos,dc=phys,dc=ethz,dc=ch" size=unlimited
EOF
ldapmodify -H ldapi:/// -f /etc/ldap/config/config_unlimit_krb_admins.ldifadd kerberos admins to the required ldap group (ldaprw):
cat > /etc/ldap/config/add_krb_admins_to_group.ldif << 'EOF'
dn: cn=rw,ou=ldap,dc=phys,dc=ethz,dc=ch
changetype: modify
add: member
member: cn=mit-kdc,ou=mit-kerberos,dc=phys,dc=ethz,dc=ch
member: cn=mit-kadmind,ou=mit-kerberos,dc=phys,dc=ethz,dc=ch
EOF
ldapmodify -H ldapi:/// -f /etc/ldap/config/add_krb_admins_to_group.ldifstop the KDC and kadmind services:
systemctl daemon-reload
systemctl stop krb5-kdc
systemctl stop krb5-admin-server(optional) dump the kdc db and destroy it:
kdb5_util dump /root/kdc.dump
kdb5_util destroyinitialize the kdc database in ldap (enter the respective passwords defined earlier) and
add tree ou=people,dc=phys,dc=ethz,dc=ch to the search list of kerberos:
kdb5_ldap_util create -D cn=admin,ou=ldap,dc=phys,dc=ethz,dc=ch -r PHYS.ETHZ.CH -s -sscope sub
kdb5_ldap_util stashsrvpw -D cn=admin,ou=ldap,dc=phys,dc=ethz,dc=ch -r PHYS.ETHZ.CH -f /etc/krb5kdc/service.keyfile cn=mit-kdc,ou=mit-kerberos,dc=phys,dc=ethz,dc=ch
kdb5_ldap_util stashsrvpw -D cn=admin,ou=ldap,dc=phys,dc=ethz,dc=ch -r PHYS.ETHZ.CH -f /etc/krb5kdc/service.keyfile cn=mit-kadmind,ou=mit-kerberos,dc=phys,dc=ethz,dc=ch
kdb5_ldap_util modify -D cn=admin,ou=ldap,dc=phys,dc=ethz,dc=ch -r PHYS.ETHZ.CH -subtrees ou=people,dc=phys,dc=ethz,dc=chsome initial principals have been created, check them with:
kadmin.local listprincscreate password policies:
kadmin.local addpol -maxlife 0 -minlife 0 -minlength 32 -minclasses 4 -history 10 -maxfailure 3 -failurecountinterval 0 -lockoutduration 0 root
kadmin.local addpol -maxlife 30d -minlife 0 -minlength 20 -minclasses 4 -history 10 -maxfailure 3 -failurecountinterval 0 -lockoutduration 0 admin
kadmin.local addpol -maxlife 0 -minlife 1d -minlength 12 -minclasses 3 -history 3 -maxfailure 6 -failurecountinterval 6m -lockoutduration 30m defaultcreate principal root/admin:
kadmin.local ank -policy root root/admin
kadmin.local modprinc -allow_svr root/adminstash passwords for kadmin/admin, kadmin/changepw:
/usr/sbin/kadmin.local ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepwsync stash files to phd-aa2, phd-aa3
scp /etc/krb5kdc/stash /etc/krb5kdc/service.keyfile /etc/krb5kdc/kadm5.keytab phd-aa2:/etc/krb5kdc/
scp /etc/krb5kdc/stash /etc/krb5kdc/service.keyfile /etc/krb5kdc/kadm5.keytab phd-aa3:/etc/krb5kdc/phd-aa1, phd-aa2, phd-aa3start the services and check if it works:
systemctl daemon-reload
systemctl start krb5-kdc
systemctl start krb5-admin-server
systemctl status krb5-kdc
systemctl status krb5-admin-servercheck the supported SASL mechanisms:
ldapsearch -LLL -H ldapi:/// -b "" -s base supportedSASLMechanisms
ldapsearch -LLL -H ldapi:/// -x -b "" -s base supportedSASLMechanisms
ldapsearch -LLL -H ldaps://phd-aa1.ethz.ch -b "" -s base supportedSASLMechanisms
ldapsearch -LLL -H ldaps://phd-aa1.ethz.ch -x -b "" -s base supportedSASLMechanismsinstall SASL module GSS-API on all KDCs:
apt install libsasl2-modules-gssapi-mit -y
cat > /etc/ldap/sasl2/slapd.conf << 'EOF'
mech_list: GSSAPI EXTERNAL
EOF
systemctl restart slapdcheck the supported SASL mechanisms:
ldapsearch -LLL -H ldapi:/// -x -b "" -s base supportedSASLMechanisms
# dn:
# supportedSASLMechanisms: GSSAPI
# supportedSASLMechanisms: EXTERNAL
ldapsearch -LLL -H ldaps://phd-aa1.ethz.ch -x -b "" -s base supportedSASLMechanisms
# dn:
# supportedSASLMechanisms: GSSAPIkerberize ldap (use these commands on the respective KDCs):
kadmin.local ank -clearpolicy -randkey ldap/phd-aa1.ethz.ch
kadmin.local ank -clearpolicy -randkey ldap/phd-aa2.ethz.ch
kadmin.local ank -clearpolicy -randkey ldap/phd-aa3.ethz.ch
kadmin.local ktadd -k /etc/ldap/krb5.keytab ldap/phd-aa1.ethz.ch
kadmin.local ktadd -k /etc/ldap/krb5.keytab ldap/phd-aa2.ethz.ch
kadmin.local ktadd -k /etc/ldap/krb5.keytab ldap/phd-aa3.ethz.ch
chown openldap:openldap /etc/ldap/krb5.keytab
cat >> /etc/default/slapd << 'EOF'
KRB5_KTNAME=/etc/ldap/krb5.keytab
export KRB5_KTNAME
EOF
systemctl restart slapdtest a kerberized ldapsearch using gssapi:
from now on the TLS-security-layer could be deactivated and accessed via ldap:// (using SASL/GSS-API)
instead of ldaps://. using SASL/GSS-API we have strong encryption (256 bit), if kerberos is configured
as described in this tutorial using AES-256. although openldap does only recognize, that a security
layer using SASL/GSS-API is at hand but not the encryption algorithm used. in the worst case, kerberos
could use simple DES encryption, which has 56 bit keys. therefore we need to change the expected security
strength factor (SSF) down to 56.
man slapd.conf -> /olcSec, olcSasl: EXTERNAL vs. GSSAPI vs ldap:// vs ldapi:// vs ldaps://ldapwhoami:
ldapwhoami -Y GSSAPIdn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" in ldaprw?modify access rules:
cat > /etc/ldap/config/config_update_access_rule_to_krbPrincipalName.ldif << 'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=rw,ou=ldap,dc=phys,dc=ethz,dc=ch" write
by group="cn=ro,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by anonymous auth
by self write
by * none
-
add: olcAccess
olcAccess: to attrs=cn,dc,gecos,gidNumber,homeDirectory,loginShell,member,memberUid,objectClass,ou,sn,uid,uidNumber,uniqueMember,krbPrincipalName,entry
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=rw,ou=ldap,dc=phys,dc=ethz,dc=ch" write
by group="cn=ro,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by users read
by anonymous auth
by * none
-
add: olcAccess
olcAccess: to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=rw,ou=ldap,dc=phys,dc=ethz,dc=ch" write
by group="cn=ro,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by * none
EOF
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/config_update_access_rule_to_krbPrincipalName.ldifupdate authz mapping rule:
cat > /etc/ldap/config/config_update_mapping_rule.ldif << 'EOF'
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: "uid=(.*),cn=gssapi,cn=auth"
ldap:///dc=phys,dc=ethz,dc=ch??sub?(uid=$1)
EOF
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/config_update_mapping_rule.ldifat this point you should create pricipal aliases for all hosts using the short hostname
this should be done already for host foo, here an example for host bar, enter cmds on KDC:
cat > /usr/local/bin/addhostalias << 'EOF'
#!/bin/bash
domain="ethz.ch"
base="dc=phys,dc=ethz,dc=ch"
realm="PHYS.ETHZ.CH"
for hostname in "$@"
do
echo "dn: krbPrincipalName=host/${hostname}.${domain}@${realm},cn=${realm},cn=krbContainer,ou=mit-kerberos,${base}"
echo "changetype: modify"
echo "add: krbPrincipalName"
echo "krbPrincipalName: host/${hostname}@${realm}"
echo "-"
echo "add: krbCanonicalName"
echo "krbCanonicalName: host/${hostname}.${domain}@${realm}"
echo
done
EOF
chmod +x /usr/local/bin/addhostalias
addhostalias bar > /etc/ldap/config/add_host_principal_alias_bar.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/add_host_principal_alias_bar.ldifuse k5start to obtain TGT for ldap automatically on all phd-aa* hosts:
apt install kstart
cat > /etc/systemd/system/k5start-slapd.service << 'EOF'
[Unit]
Description=Initializes Keytab for slapd
After=network.target
Before=slapd.service
[Service]
Type=oneshot
RemainAfterExit=yes
#ExecStartPre=/bin/rm -f /PATH/TO/KEYTAB
ExecStart=/usr/bin/k5start -b -U -f /etc/ldap/krb5.keytab -K 10
#ExecStop=/bin/rm -f /PATH/TO/KEYTAB
User=openldap
[Install]
WantedBy=multi-user.target
EOF
usermod -s /bin/sh openldap
systemctl enable k5start-slapd
systemctl start k5start-slapd.service
# or:
su -c "/usr/bin/k5start -b -U -f /etc/ldap/krb5.keytab -K 10" -l openldapcreate slapd configuration modification ldifs:
cat > /etc/ldap/config/config_update_access_rule_syncrepl_by_syncrepl_group.ldif << 'EOF'
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: to *
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
by group="cn=manage,ou=ldap,dc=phys,dc=ethz,dc=ch" manage
by group="cn=syncrepl,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by * break
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.subtree="ou=automount,dc=phys,dc=ethz,dc=ch"
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=manage,ou=ldap,dc=phys,dc=ethz,dc=ch" manage
by group="cn=syncrepl,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by group="cn=rw,ou=ldap,dc=phys,dc=ethz,dc=ch" write
by group="cn=ro,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by * read
-
add: olcAccess
olcAccess: to dn.subtree="ou=netgroup,dc=phys,dc=ethz,dc=ch"
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=manage,ou=ldap,dc=phys,dc=ethz,dc=ch" manage
by group="cn=syncrepl,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by group="cn=rw,ou=ldap,dc=phys,dc=ethz,dc=ch" write
by group="cn=ro,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by * read
-
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=manage,ou=ldap,dc=phys,dc=ethz,dc=ch" manage
by group="cn=syncrepl,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by group="cn=rw,ou=ldap,dc=phys,dc=ethz,dc=ch" write
by group="cn=ro,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by anonymous auth
by self write
by * none
-
add: olcAccess
olcAccess: to attrs=cn,dc,gecos,gidNumber,homeDirectory,loginShell,member,memberUid,objectClass,ou,sn,uid,uidNumber,uniqueMember,krbPrincipalName,entry
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=manage,ou=ldap,dc=phys,dc=ethz,dc=ch" manage
by group="cn=syncrepl,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by group="cn=rw,ou=ldap,dc=phys,dc=ethz,dc=ch" write
by group="cn=ro,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by users read
by anonymous auth
by * none
-
add: olcAccess
olcAccess: to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=manage,ou=ldap,dc=phys,dc=ethz,dc=ch" manage
by group="cn=syncrepl,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by group="cn=rw,ou=ldap,dc=phys,dc=ethz,dc=ch" write
by group="cn=ro,ou=ldap,dc=phys,dc=ethz,dc=ch" read
by * none
EOF
cat > /etc/ldap/config/config_update_syncrepl_krb.ldif << 'EOF'
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 0x001 ldap://phd-aa1.ethz.ch
olcServerID: 0x002 ldap://phd-aa2.ethz.ch
olcServerID: 0x003 ldap://phd-aa3.ethz.ch
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001
provider=ldap://phd-aa1.ethz.ch
bindmethod=sasl
saslmech=gssapi
searchbase="cn=config"
type=refreshAndPersist
retry="5 +"
timeout=1
olcSyncRepl: rid=002
provider=ldap://phd-aa2.ethz.ch
bindmethod=sasl
saslmech=gssapi
searchbase="cn=config"
type=refreshAndPersist
retry="5 +"
timeout=1
olcSyncRepl: rid=003
provider=ldap://phd-aa3.ethz.ch
bindmethod=sasl
saslmech=gssapi
searchbase="cn=config"
type=refreshAndPersist
retry="5 +"
timeout=1
-
replace: olcMirrorMode
olcMirrorMode: TRUE
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=004
provider=ldap://phd-aa1.ethz.ch
bindmethod=sasl
saslmech=gssapi
searchbase="dc=phys,dc=ethz,dc=ch"
type=refreshAndPersist
interval=00:00:00:10
retry="5 +"
timeout=1
olcSyncRepl: rid=005
provider=ldap://phd-aa2.ethz.ch
bindmethod=sasl
saslmech=gssapi
searchbase="dc=phys,dc=ethz,dc=ch"
type=refreshAndPersist
interval=00:00:00:10
retry="5 +"
timeout=1
olcSyncRepl: rid=006
provider=ldap://phd-aa3.ethz.ch
bindmethod=sasl
saslmech=gssapi
searchbase="dc=phys,dc=ethz,dc=ch"
type=refreshAndPersist
interval=00:00:00:10
retry="5 +"
timeout=1
-
replace: olcMirrorMode
olcMirrorMode: TRUE
EOF
ldapmodify -Y EXTERNAL -H ldapi:// -f /etc/ldap/config/config_update_access_rule_syncrepl_by_syncrepl_group.ldif
ldapmodify -Y EXTERNAL -H ldapi:// -f /etc/ldap/config/config_update_syncrepl_krb.ldifrestart all slapds
disable simple bind for rootDN:
cat > /etc/ldap/config/config_disable_rootdn_simple_bind.ldif << 'EOF'
dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcRootPW
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcRootPW
EOF
ldapmodify -Y EXTERNAL -H ldapi:// -f /etc/ldap/config/config_disable_rootdn_simple_bind.ldifrestart all slapds
import the ldap schema:
cat > /etc/ldap/schema/dphys.ldif << 'EOF'
# todo
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/dphys.ldif/root/dump.ldifprepare the dump (remove some entries) and
add the dphys ldap data from dump file using ldapadd:
sed -i '/^createTimestamp/d' /root/dump.ldif
sed -i '/^creatorsName/d' /root/dump.ldif
sed -i '/^structuralObjectClass/d' /root/dump.ldif
sed -i '/^entryUUID/d' /root/dump.ldif
sed -i '/^entryCSN/d' /root/dump.ldif
sed -i '/^modifiersName/d' /root/dump.ldif
sed -i '/^modifyTimestamp/d' /root/dump.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /root/dump.ldifclean up:
shred -n10 /root/dump.ldif
rm /root/dump.ldifinsert ldap data:
cat > /etc/ldap/config/add_autofs.ldif << 'EOF'
# todo
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/add_autofs.ldifadd netgroup ldap data:
cat > /etc/ldap/config/add_netgroup.ldif << 'EOF'
# todo
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/config/add_netgroup.ldif