WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
LDAPAccountManager/lam/docs/LDAPv3-HOWTO.html

4235 lines
218 KiB
HTML
Raw Normal View History

Some HowTos for LDAP and Samba
2003-03-13 19:29:17 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"><html><head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=iso-8859-1"><title>OpenLDAP, OpenSSL, SASL and KerberosV HOWTO</title>
<meta name="GENERATOR" content="StarOffice/5.2 (Win32)">
<meta name="AUTHOR" content="Turbo Fredriksson">
<meta name="CREATED" content="20010307;15554400">
<meta name="CHANGEDBY" content="Turbo Fredriksson">
<meta name="CHANGED" content="20021101;12575101">
<meta name="CLASSIFICATION" content="HOWTO">
<meta name="KEYWORDS" content="OpenLDAP OpenSSL SASL KerberosV BerkeleyDB SleepyCAT">
<style>
<!--
H1 { margin-top: 0.99cm; border: 1px solid #000000; padding: 0.05cm; font-family: "Helvetica", sans-serif; font-style: italic; line-height: 100%; text-decoration: none }
TH P { margin-top: 0.2cm; margin-bottom: 0cm; font-family: "Helvetica", sans-serif; font-size: 12pt; text-align: left; text-decoration: underline }
TD P { margin-top: 0.2cm; margin-bottom: 0cm; font-family: "Helvetica", sans-serif; font-size: 12pt }
H2 { margin-top: 0.5cm; margin-bottom: 0cm; border: none; padding: 0cm; font-family: "Helvetica", sans-serif; font-size: 16pt; text-decoration: underline }
H3 { margin-top: 0.4cm; margin-bottom: 0cm; font-family: "Helvetica", sans-serif; font-style: italic; font-weight: medium }
H4 { margin-top: 0.3cm; margin-bottom: 0cm }
H5 { margin-top: 0cm; margin-bottom: 0cm }
H6 { margin-top: 0cm; margin-bottom: 0cm; font-size: 10pt; font-weight: medium; text-decoration: underline }
P { margin-top: 0.2cm; margin-bottom: 0.05cm; font-family: "Helvetica", sans-serif; font-size: 12pt }
PRE { margin-left: 2.03cm; font-size: 8pt }
P.text-body-indent { margin-left: 2cm; margin-top: 0cm; font-size: 14pt }
P.sdfootnote { margin-left: 0.5cm; text-indent: -0.5cm; margin-top: 0cm; margin-bottom: 0cm; font-family: "Times New Roman", serif; font-size: 10pt }
BLOCKQUOTE { margin-left: 3cm; margin-right: 3cm; margin-top: 0.6cm; margin-bottom: 0.6cm; border: 1.10pt double #000000; padding: 0.05cm; font-size: 20pt; text-align: center }
-->
</style></head>
<body>
<center>
<table width="639" border="0" cellpadding="0" cellspacing="0" style="page-break-before: always;">
<col width="212">
<col width="214">
<col width="213">
<tbody><tr>
<td width="212" valign="bottom">
<p align="left" style="margin-top: 0,51cm;"><font size="3">Author</font></p>
</td>
<td width="214" valign="top">
<p align="center" style="margin-top: 0,51cm; text-decoration: none;">
<font face="Times New Roman, serif"><font size="6" style="font-size: 28pt;"><b>LDAPv3</b></font></font></p>
</td>
<td width="213" valign="bottom">
<p align="right" style="margin-top: 0,51cm;"><font size="3">Last
updated</font></p>
</td>
</tr>
<tr valign="top">
<td width="212">
<p align="left" style="margin-top: 0,51cm;">Turbo Fredriksson</p>
</td>
<td width="214">
<p align="center" style="margin-top: 0,51cm;"><br>
</p>
</td>
<td width="213">
<p align="right" style="margin-top: 0,51cm;"><font size="3"><sdfield type="DATETIME" sdnum="1053;0;D MMMM YYYY">1 november 2002</sdfield></font></p>
</td>
</tr>
</tbody></table>
</center>
<p align="center" style="margin-top: 0cm; margin-bottom: 0,51cm; text-decoration: none;">
<font face="Times New Roman, serif"><font size="6" style="font-size: 28pt;"><img src="LDAPv3-HOWTO_dateien/blurulr6" name="Graphic1" align="bottom" width="640" height="5" border="0"></font></font></p>
<p>Over the last year (around May, 2001) I have tried to rewrite this
HOWTO into a book, and get it published. So far my attempts have not
been that successful. No one want's to publish it. My language seems
to be lacking. The major concerns (it seems) is that it's not
"professional" enough. Maybe so, but this is the way <i>I</i><span style=""><span style="font-style: normal;">
want to read about something that's difficult.</span></span></p>
<p><span style=""><span style="font-style: normal;">Is
there any need for a book about this? Have a look at </span></span><a href="http://www.bayour.com/Implementing_LDAPv3/Implementing_LDAPv3.html">Implementing
LDAPv3</a> for the parts I have decided to show in public. It
contains the the Contents at A glance, Table of contents, and chapter
one and three. It is color encoded, to show what's done and what's
not... I'd <a href="mailto:turbo@bayour.com?subject=Comments%20on%20Implementing%20LDAPv3">appreciate
comments</a>. This example is a little old now, I can't be bothered
to update it (it is after all an EXAMPLE :). However, I also managed
to create <a href="http://www.bayour.com/Implementing_LDAPv3-p1_17.pdf">a
PDF of the first seventeen</a> (17) pages, which includes the title
page, Contents at a glance and Table of contents as it would look
like if it was printed. This I'll try to update every now and then.
Watch the bottom on the title page for date of PDF creation. It's
updated automatically.</p>
<p align="center" style="margin-top: 0cm; margin-bottom: 0,51cm; text-decoration: none;">
<font face="Times New Roman, serif"><font size="6" style="font-size: 28pt;"><img src="LDAPv3-HOWTO_dateien/blurulr6" name="Graphic4" align="bottom" width="640" height="5" border="0"></font></font></p>
<p>Quite a number of people (4000 unique web accesses in the first
three months it was up) have had help from this book. There's a
number of companies that got helped with this HOWTO. A lot of them
software companies. How about thanking me (if it actually helped and
saved time/money that is) by sending me something you/your company
makes? One successful company makes a Linux desktop distribution. I
would have liked a copy of that, it would have been nice :). No
requirenments though!</p>
<p align="center" style="margin-top: 0cm; margin-bottom: 0,51cm; text-decoration: none;">
<font face="Times New Roman, serif"><font size="6" style="font-size: 28pt;"><img src="LDAPv3-HOWTO_dateien/blurulr6" name="Graphic2" align="bottom" width="640" height="5" border="0"></font></font></p>
<h1>Preface</h1>
<p style="margin-top: 0,51cm; margin-bottom: 0,51cm;"><font face="Helvetica, sans-serif">These
are my notes about how I got <i>OpenLDAP</i> (v2.0.7), <i>OpenSSL</i>
(v0.9.5a), <i>SASL</i> (v1.5.24) and <i>MIT KerberosV</i> (v1.2.2) to
work together. This combination (according to some RFC I can't
remember the number of) is what's called <b>LDAPv3</b>.</font></p>
<p style="margin-top: 0,51cm; margin-bottom: 0,51cm;"><font face="Helvetica, sans-serif">I
have since I initially wrote this HOWTO, upgraded some packages. The
information about this can be found in the <a href="#5.7.Updates%7Coutline">Updates</a>
section. At the time of this writing (Sunday, August 19, 2001) I <span style="text-decoration: none;"><span style="">have
not successfully compiled and installed OpenLDAP v2.0.11! I'm still
working heavily on this, it is at the top of my todo list, since I
really (!!) need to upgrade because of a resent security alert.</span></span></font></p>
<p style="margin-top: 0,51cm; margin-bottom: 0,51cm;"><font face="Helvetica, sans-serif">You
might want to read the section <a href="#6.6.LDAPv3,%20why%20bother%7Coutline">LDAPv3,
why bother</a> to see the reasoning for this quite complicated issue.
It deals with all the discussed systems, such as SSL/TLS, SASL, LDAP
and Kerberos, and why we should run such a complicated system in the
first place.</font></p>
<h2 style="margin-top: 0cm; margin-bottom: 0,51cm;">Required knowledge</h2>
<p style="margin-top: 0,51cm; margin-bottom: 0,51cm;"><font face="Helvetica, sans-serif">Reading
and following this documentation will require a knowledge of LDAP in
general, knowing how to create and install software 'from scratch'
(i.e. building from source/tar balls) and also how to configure
OpenLDAP and also how to administer it... This issue (LDAPv3) is <u>not</u><span style="text-decoration: none;">
for the beginner, and I will usually <b>not</b><span style="">
answer any questions in the format of 'I get this when i try to
configure/make/install this-or-that-software'! In short, you will be
required to 'read between the lines' of this document, and draw you
own (correct! :) conclutions. That being said, it's not as difficult
as it might seem. If you belong to the group of people that I here
call 'beginner', I recommend installing the software while reading
the OpenLDAP web page on OpenLDAP administration.</span></span></font></p>
<h2 style="margin-top: 0cm; margin-bottom: 0,51cm;">Note about
building software</h2>
<p style="margin-top: 0,51cm; margin-bottom: 0,51cm;"><span style="text-decoration: none;"><font face="Helvetica, sans-serif">I'm
running </font><a href="http://www.debian.org/" target="_top"><span style="text-decoration: none;"><font face="Helvetica, sans-serif">Debian
GNU/Linux</font></span></a></span> on all my machines, both on the
Intel platform and the Sun SPARC<span style="text-decoration: none;"><font face="Helvetica, sans-serif"><span style="text-decoration: none;">,
and prefer to use the Debian package system as much as I can. Since
I'm also a Debian developer, I have a fairly good know-how about
making a Debian package. In my pursuit of getting this to work, I had
to modify some of the default packages since they lacked some
features that is necessary. I will try to guide you through the
process of rebuilding you package, if you to are running Debian
GNU/Linux. If you are not, I will at least tell you which parameters
to configure etc. the Debian package are using, giving you at least
SOME hint on getting all this software compiled and installed :).
Also, the progress and fast moving target that the Internet and the
OpenSource movement are, the versions I have described here are most
likely already out of date. Two weeks after I started with this
HOWTO, Cyrus-SASL had released version 1.5.26, that fixed the problem
described in the section <a href="#4.4.1.1.Bugs%20in%20Cyrus%20SASL,%20v1.5.24%7Coutline">Bugs
in Cyrus SASL, v1.5.24</a></span>. But I'm deploying this any day now
on a live server, so I won't be able to test if it indeed fixes the
problem.</font></span></p>
<h2 style="margin-top: 0cm; margin-bottom: 0,51cm;">Note about text
notation:</h2>
<p style="margin-top: 0,51cm; margin-bottom: 0,51cm;">Wherever you see
the <b>&lt;&gt;</b><span style=""> (in bold) part,
it means that that's where you input your own information. So for
example, when you see </span>
</p>
<pre style="margin-top: 0,51cm; margin-bottom: 0,51cm;"><b>&lt;YOUR KERBEROS REALM&gt;</b></pre><p style="margin-top: 0,51cm; margin-bottom: 0,51cm;">
It means that you should put your realm in there, like this:</p>
<pre style="margin-top: 0,51cm; margin-bottom: 0,51cm;">BAYOUR.COM</pre><p style="margin-top: 0,51cm; margin-bottom: 0,51cm;">
Note, that you should <u>NOT</u><span style="text-decoration: none;">
include the characters &lt; and &gt;!.</span></p>
<p style="margin-top: 0,51cm; margin-bottom: 0,51cm;">Also, I assume
in this document that the configuration for OpenLDAP2 is installed
into <b>/etc./ldap.</b><span style=""> If you
haven't installed it there, please remember to exchange that path to
<u>your</u><span style="text-decoration: none;"> path.</span></span></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">Disclamer</h2>
<p style="margin-top: 0,51cm; margin-bottom: 0,51cm;"><span style="text-decoration: none;"><b><font size="5"><font face="Helvetica, sans-serif">Please
don't send any 'please help me' mails directly to me. Direct it to
the <a href="#6.5.Mailing%20lists%20for%20help%7Coutline">appropriate mailing
lists for help</a> instead, you stand a much better chance of getting
a reply if you do. I just don't have the time (or knowledge) to help
anyone/everyone in private.</font></font></b></span></p>
<p align="center" style="margin-top: 0,51cm; margin-bottom: 0,51cm; text-decoration: none;">
<font face="Helvetica, sans-serif"><font size="5"><b>Any mails sent to
me about <i>any</i><span style="font-style: normal;"> of this <u>will</u>
be replied to on a public list.</span></b></font></font></p>
<h1>Table of Contents &#8211; Core software</h1>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="http://www.sleepycat.com/amfeatures.html" target="_blank">BerkeleyDB</a></h2>
<p style="margin-left: 2,01cm; margin-top: 0cm; margin-bottom: 0,51cm;">
<font face="Helvetica, sans-serif"><font size="2">BerkeleyDB from
SleepyCAT is, from what I have read/tried a better database back-end
than gdbm, ndbm and db. It is used by OpenLDAP to store the database
on disk. Your call, you don't have to use it, but I like it and have
been using it all the time.</font></font></p>
<p class="text-body-indent"><a href="#4.2.1.Building%20and%20installing%20Berkeley%20DB%7Coutline">Building
and installing Berkeley DB</a></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="http://www.openssl.org/" target="_blank">OpenSSL</a></h2>
<p style="margin-left: 2,01cm; margin-top: 0cm; margin-bottom: 0,51cm; text-decoration: none;">
<font face="Helvetica, sans-serif"><font size="2">This is the software
that will give us TLS and SSL enabled LDAP (secure and encrypted
communication). It have nothing to do with AUTHENTICATING a user, it
just gives us a way to encrypt traffic to/from the LDAP server.</font></font></p>
<p class="text-body-indent"><a href="#4.1.OpenSSL%7Coutline">Build
OpenSSL</a></p>
<p class="text-body-indent"><a href="#4.1.4.Creating%20SSL%20certificate%7Coutline">Creating
SSL certificate</a></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="http://web.mit.edu/kerberos/www/" target="_blank">MIT
Kerberos V</a></h2>
<p style="margin-left: 2,01cm; margin-top: 0cm; margin-bottom: 0,51cm; text-decoration: none;">
<font color="#000000"><font face="Helvetica, sans-serif"><font size="2">This
is what we will use to store password in. It will, as a bonus, also
give us a 'single-sign-on' system (that is, you enter your
passphrase/password once, and the 'ticket' that is returned, will be
used for login authentication).</font></font></font></p>
<p class="text-body-indent"><a href="#4.3.1.Building%20MIT%20Kerberos%20V%7Coutline">Building
MIT Kerberos V</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.3.1.1.Bugs%20in%20MIT%20Kerberos%20V,%20v1.2.1%7Coutline">Bugs
in MIT Kerberos V, v1.2.1</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.3.1.2.Bugs%20in%20MIT%20Kerberos%20V,%20v1.2.2%7Coutline">Bugs
in MIT Kerberos V, v1.2.2</a></p>
<p class="text-body-indent"><a href="#4.3.2.Installing%20MIT%20Kerberos%20V%7Coutline">Installing
MIT Kerberos V</a></p>
<p class="text-body-indent"><a href="#4.3.3.Configure%20Kerberos%7Coutline">Configure
Kerberos</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.3.3.1.Preparing%20the%20DNS%20for%20KerberosV%7Coutline">Preparing
the DNS for KerberosV</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.3.3.2.Kerberos%20config%20file%7Coutline">Kerberos
config file</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.3.3.3.Create%20KerberosV%20realm%7Coutline">Create
KerberosV realm</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.3.3.4.Setting%20up%20KerberosV%20access%20rights%7Coutline">Setting
up KerberosV access rights</a></p>
<p class="text-body-indent"><a href="#4.3.4.Testing%20MIT%20Kerberos%20V%7Coutline">Testing
MIT Kerberos V</a></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="http://asg.web.cmu.edu/sasl/" target="_blank">Cyrus
SASL</a></h2>
<p style="margin-left: 2,01cm; margin-top: 0cm; margin-bottom: 0,51cm;">
<font face="Helvetica, sans-serif"><font size="2">This is the layer
<b>between</b><span style=""> OpenLDAP and
Kerberos. It gives you a secure way of AUTHENTICATING access to the
LDAP server. It will not encrypt the actual traffic (even though the
authentication session is encrypted).</span></font></font></p>
<p class="text-body-indent"><a href="#4.4.1.Building%20Cyrus%20SASL%7Coutline">Building
Cyrus SASL</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.4.1.1.Bugs%20in%20Cyrus%20SASL,%20v1.5.24%7Coutline">Bugs
in Cyrus SASL, v1.5.24</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.4.1.2.Build%20the%20Cyrus%20SASL%20packages%7Coutline">Build
the Cyrus SASL packages</a></p>
<p class="text-body-indent"><a href="#4.4.2.Installing%20Cyrus%20SASL%7Coutline">Installing
Cyrus SASL</a></p>
<p class="text-body-indent"><a href="#4.4.3.Testing%20Cyrus%20SASL%7Coutline">Testing
Cyrus SASL</a></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="http://www.openldap.org/" target="_blank">OpenLDAP</a></h2>
<p style="margin-left: 2,01cm; margin-top: 0cm; margin-bottom: 0,51cm;">
<font face="Helvetica, sans-serif"><font size="2">Well, we all know
what this is, don't we? It's a free LDAP server. A very (<b>VERY</b><span style="">)
good one to, in my opinion (even though I don't have much experience
in other LDAP server :).</span></font></font></p>
<p class="text-body-indent"><a href="#4.5.1.Building%20OpenLDAP%20v2%7Coutline">Building
OpenLDAP v2</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.1.1.Bugs%20in%20OpenLDAP,%20v2.0.7%7Coutline">Bugs
in OpenLDAP, v2.0.7</a></p>
<p class="text-body-indent"><a href="#4.5.2.Installing%20OpenLDAP%20v2%7Coutline">Installing
OpenLDAP v2</a></p>
<p class="text-body-indent"><a href="#4.5.3.Configuring%20OpenLDAP%20v2%7Coutline">Configuring
OpenLDAP v2</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.3.1.Configure%20OpenLDAP%20to%20use%20the%20new%20SSL%20certificate%7Coutline">Configure
OpenLDAP to use the new SSL certificate</a></p>
<p class="text-body-indent" style="margin-left: 14cm;"><a href="#4.5.3.1.1.Changes%20to%20the%20OpenLDAP%20config%20file%7Coutline">Changes
to the OpenLDAP config file</a></p>
<p class="text-body-indent" style="margin-left: 14cm;"><a href="#4.5.3.1.2.Changes%20to%20the%20OpenLDAP%20startup%20script%7Coutline">Changes
to the OpenLDAP startup script</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.3.2.The%20OpenLDAP%20config%20file%7Coutline">The
OpenLDAP config file</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.3.3.The%20OpenLDAP%20access%20file%7Coutline">The
OpenLDAP access file</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.3.4.Creating%20a%20LDAP%20service%20key%7Coutline">Creating
a LDAP service key</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.3.5.Populate%20the%20database%20to%20allow%20simple%20bind%20as%20user%7Coutline">Populate
the database to allow simple bind as user</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.3.6.Modify%20the%20LDAP%20database%20to%20allow%20simple%20bind%20as%20user.%7Coutline">Modify
the LDAP database to allow simple bind as user.</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.3.7.Notes%20about%20%27userPassword:%20%7BKERBEROS%7D%27%7Coutline">Notes
about 'userPassword: {KERBEROS}'</a></p>
<p class="text-body-indent"><a href="#4.5.4.Testing%20OpenLDAP%20v2%7Coutline">Testing
OpenLDAP v2</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.4.1.Testing%20OpenLDAP,%20simple/anonymous%20bind%7Coutline">Testing
OpenLDAP, simple/anonymous bind</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.4.2.Testing%20OpenLDAP,%20simple/anonymous%20bind,%20with%20SSL/TLS%7Coutline">Testing
OpenLDAP, simple/anonymous bind, with SSL/TLS</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.4.3.Testing%20OpenLDAP,%20using%20your%20Kerberos%20ticket%7Coutline">Testing
OpenLDAP, using your Kerberos ticket</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.4.4.Testing%20OpenLDAP,%20using%20your%20Kerberos%20ticket,%20with%20SSL/TLS%7Coutline">Testing
OpenLDAP, using your Kerberos ticket, with SSL/TLS</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.4.5.Testing%20OpenLDAP,%20simple%20user%20bind,%20with%20SSL/TLS%7Coutline">Testing
OpenLDAP, simple user bind, with SSL/TLS</a></p>
<p class="text-body-indent"><a href="#4.5.5.Setting%20up%20secure%20replication%7Coutline">Setting
up secure replication</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.5.1.Replication%20configuration,%20slave%20server%7Coutline">Replication
configuration, slave server</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.5.2.Replication%20configuration,%20master%20server%7Coutline">Replication
configuration, master server</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.5.3.Creating%20a%20replication%20principal%7Coutline">Creating
a replication principal</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.5.4.Automatically%20getting%20a%20ticket%20before%20starting%20slurpd%7Coutline">Automatically
getting a ticket before starting slurpd</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.5.5.Keeping%20replication%20ticket%20updated%7Coutline">Keeping
replication ticket updated</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#4.5.5.6.Give%20the%20replicator%20access%20to%20the%20database%7Coutline">Give
the replicator access to the database</a></p>
<h1>Table of Contents &#8211; Miscellaneous software</h1>
<p style="margin-left: 2,01cm; margin-top: 0,51cm; margin-bottom: 0,51cm;">
<font face="Helvetica, sans-serif"><font size="3">S<font size="2">ome
software to ease administration and migration to LDAP/Kerberos are
these softwares. I'm <span style="font-style: normal;">not going to go
in to how to get this configured and installed. That's an exercise
for the reader :). They have no <span style="text-decoration: none;">real
relevance for getting LDAPv3 to work, but I thought I'd plug for them
anyway, because I have found them invaluable in using and
administrating LDAP in general.</span></span></font></font></font></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="http://www.padl.com/nss_ldap.html" target="_blank">LibNSS-LDAP</a>/<a href="http://www.padl.com/pam_ldap.html" target="_blank">LibPAM-LDAP</a></h2>
<p style="margin-left: 2cm;">The LDAP <u>n</u>ame <u>s</u>ervice
<u>s</u>witch (NSS) module is an Open Source project to integrate
LDAP as a native name service under Linux, Solaris, and other
operating systems. The LDAP <u>p</u>luggable <u>a</u>uthentication
<u>m</u>odule (PAM) is an Open Source project to integrate LDAP
authentication into operating systems supporting the PAM API, such as
Linux, Solaris, and HP-UX.</p>
<p class="text-body-indent"><a href="#5.3.1.Building%20and%20installation%7Coutline">Building
and installation</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.3.1.1.Downloading%20source%7Coutline">Downloading
source</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.3.1.2.Building%20packages%7Coutline">Building
packages</a></p>
<p class="text-body-indent"><a href="#5.3.2.Install%20the%20newly%20made%20packages%7Coutline">Install
the newly made packages</a></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="http://www.cvshome.org/" target="_blank">Concurrent
Version System</a></h2>
<p style="margin-left: 2cm;">Not related with OpenLDAP really, but I'm
going to show you a little how to get CVS linked and compiled with
GSSAPI so that we can use our Kerberos key for authentication to the
cvs server.</p>
<p class="text-body-indent"><a href="#5.1.1.Building%20CVS%7Coutline">Building
CVS</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.1.1.1.Configure%20options%7Coutline">Configure
options</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.1.1.2.With%20Krb4%20option%7Coutline">With
Krb4 option</a></p>
<p class="text-body-indent"><a href="#5.1.2.Creating%20a%20CVS%20service%20key%7Coutline">Creating
a CVS service key</a></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="http://asg.web.cmu.edu/cyrus/imapd/" target="_blank">Cyrus
IMAP/POP3</a></h2>
<p style="margin-left: 2cm;">Quite naturally we would like the IMAP
and POP3 server to authenticate directly with SASL to the Kerberos
database as well.</p>
<p class="text-body-indent"><a href="#5.2.1.Building%20Cyrus%20IMAP%20and%20POP3%20server%7Coutline">Building
Cyrus IMAP and POP3 server</a></p>
<p class="text-body-indent"><a href="#5.2.2.Configure%20Cyrus%20IMAP%20and%20POP3%20server%7Coutline">Configure
Cyrus IMAP and POP3 server</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.2.2.1.Creating%20a%20IMAP/POP3%20service%20key%7Coutline">Creating
a IMAP/POP3 service key</a></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="http://www.openafs.org/" target="_blank">OpenAFS</a></h2>
<p style="margin-left: 2cm;">From the project page:</p>
<p style="margin-left: 4cm;">AFS is a distributed filesystem product,
pioneered at Carnegie Mellon University and supported and developed
as a product by Transarc Corporation (now IBM Pittsburgh Labs). It
offers a client-server architecture for file sharing, providing
location independence, scalability and transparent migration
capabilities for data.</p>
<p style="margin-left: 2cm;">Kind'a like NFS with Kerberos
authentication. Although AFS is a (network) file system and have
don't have anything to do with LDAPv3, it is 'essential' for a
distributed (and load balanced) server cluster.</p>
<p class="text-body-indent"><a href="#5.5.1.OpenAFS%7Coutline">OpenAFS</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.1.1.Building%20OpenAFS%7Coutline">Building
OpenAFS</a></p>
<p class="text-body-indent" style="margin-left: 14cm;"><a href="#5.5.1.1.1.Build%20OpenAFS%20kernel%20module%7Coutline">Build
OpenAFS kernel module</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.1.3.Installing%20OpenAFS%7Coutline">Installing
OpenAFS</a></p>
<p class="text-body-indent"><a href="#5.5.2.OpenAFS%20KerberosV%20support%20software%7Coutline">OpenAFS
KerberosV support software</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.2.1.Building%20OpenAFS%20KerberosV%20support%20software%7Coutline">Building
OpenAFS KerberosV support software</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.2.2.Installing%20OpenAFS%20KerberosV%20support%20software%7Coutline">Installing
OpenAFS KerberosV support software</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.2.3.Configure%20OpenAFS%20KerberosV%20support%20software%7Coutline">Configure
OpenAFS KerberosV support software</a></p>
<p class="text-body-indent"><a href="#5.5.3.OpenAFS%20PAM%20module%7Coutline">OpenAFS
PAM module</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.3.1.Building%20and%20Installing%20the%20OpenAFS%20PAM%20module%7Coutline">Building
and Installing the OpenAFS PAM module</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.3.2.Configure%20OpenAFS%20PAM%20module%7Coutline">Configure
OpenAFS PAM module</a></p>
<p class="text-body-indent"><a href="#5.5.4.Configure%20OpenAFS%7Coutline">Configure
OpenAFS</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.4.1.Creating%20a%20AFS%20service%20key%7Coutline">Creating
a AFS service key</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.4.2.Putting%20the%20AFS%20service%20key%20into%20the%20AFS%20KeyFile%7Coutline">Putting
the AFS service key into the AFS KeyFile</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.4.3.Mount%20the%20AFS%20volume%7Coutline">Mount
the AFS volume</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.4.4.Create%20the%20new%20cell%7Coutline">Create
the new cell</a></p>
<p class="text-body-indent" style="margin-left: 14cm;"><a href="#5.5.4.4.1.Setup%20the%20cell%20configuration%20files%7Coutline">Setup
the cell configuration files</a></p>
<p class="text-body-indent" style="margin-left: 14cm;"><a href="#5.5.4.4.2.Getting%20a%20Kerberos%20ticket%20and%20a%20AFS%20token%7Coutline">Getting
a Kerberos ticket and a AFS token</a></p>
<p class="text-body-indent" style="margin-left: 14cm;"><a href="#5.5.4.4.3.Setting%20up%20root%20volumes%7Coutline">Setting
up root volumes</a></p>
<p class="text-body-indent"><a href="#5.5.5.Testing%20the%20OpenAFS%20softwares%7Coutline">Testing
the OpenAFS softwares</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.5.1.Testing%20OpenAFS%20KerberosV%20support%20software%7Coutline">Testing
OpenAFS KerberosV support software</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.5.2.Testing%20OpenAFS%20PAM%20module%7Coutline">Testing
OpenAFS PAM module</a></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="http://www.samba.org/samba/development.html" target="_blank">Samba</a></h2>
<p style="margin-left: 2cm;">The idea here is to make a Windows 2000
server out of our Linux/UNIX box. In theory (at least from what I
have understood from mails on the openldap-software list) this should
be possible if using Krb5, SASL, LDAP and Samba. I'm currently
investigating this issue.</p>
<p style="margin-left: 2cm;">Check back every now and then to see how
far I have got with this.</p>
<p class="text-body-indent"><a href="#5.4.1.Building%20Samba/Samba-TNG%7Coutline">Building
Samba/Samba-TNG</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.4.1.2.1.Compile%20options%7Coutline">Compile
options</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.4.1.2.2.Make%20string%7Coutline">Make
string</a></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="http://sourceforge.net/projects/directoryadmin" target="_blank"><font face="Helvetica, sans-serif">Directory
Administrator</font></a></h2>
<p style="margin-left: 2cm;">From the project page:</p>
<p style="margin-left: 4cm;">Designed with the only focus of being a
tool to easily manage UNIX users and groups in an LDAP directory,
corporate information, access controls, and LDAP mail routing.</p>
<p style="margin-left: 2cm;">I'm currently writing a patch for this,
to allow it to add the principal to the KDC as well as adding the
user stuff in the LDAP server. Also in progress are SASL and SSL/TLS
binds to the LDAP server.</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="ftp://ftp.netexpress.net/pub/pam/" target="_blank"><font face="Helvetica, sans-serif">PAM/Kerberos
migration module</font></a></h2>
<p style="margin-left: 2cm;">I haven't gotten this to work yet, but
I'm working on it. From the source code README:</p>
<p style="margin-left: 4cm;">pam_krb5_migrate is a stackable
authentication module (for PAM) that takes a user name and password
from an earlier module (such as pam_ldap or pam_unix) in the stack,
and attempts to transparently add them to a Kerberos realm using the
Kerberos 5 kadmin service. The module can be used to ease the
administrative burdens of migrating a large installed user base from
pre-existing authentication methods to a Kerberos based setup.</p>
<p style="margin-left: 2cm;">Looks nice to me, if I just could get it
to work!</p>
<p style="margin-left: 2cm;">Have a look at <a href="#6.1.Migrating%20existing%20users%7Coutline">Migrating
existing users</a> for more information about migrating existing
users.</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="http://www.lifewithqmail.org/ldap/">QMAIL
with LDAP patches</a></h2>
<p style="margin-left: 2cm;">It is possible to have QMAIL look in a
LDAP database for it's email addresses, and to have QMAIL's pop/imap
server authenticate the users from a LDAP database.</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="http://www.sendmail.org/">Sendmail</a>
and LDAP</h2>
<p style="margin-left: 2cm;">I'm not using Sendmail, in fact, I
dislike sendmail quite heavily. In my opinion it's the most insecure
piece of software you can install on a UNIX (like) platform. But,
granted, it's the only (mail) server that can cope with hundred of
thousands (and above) of mails. I'll see if I can dig up some
information about this, and add this to this HOWTO/FAQ.</p>
<p style="margin-left: 2cm;">In the mean time, have a look at the URL:
<a href="http://www.stanford.edu/%7Ebbense/Inst.html">http://www.stanford.edu/~bbense/Inst.html</a>.</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">Miscellaneous
information</h2>
<p style="margin-left: 2cm;">Here you can find some reference
material, and copies of my configurations discussed in this document</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.7.Updates|outline"></a>
<a href="#6.7.Updates%7Coutline">Updates</a></h2>
<p style="margin-left: 2cm;">Most things in the Open Source movement
change quite fast, and software naturally gets updated. Instead of
adding a 'updates' section under each software product, I have
gathered them here instead, sorted by the latest version at the time
of writing.</p>
<dl><dl><dd>
<table width="587" border="0" cellpadding="0" cellspacing="0">
<col width="144">
<col width="63">
<col width="63">
<col width="63">
<col width="63">
<col width="63">
<col width="63">
<col width="63">
<tbody><tr>
<td width="144" height="20">
<p><a href="#6.7.1.BerkeleyDB%7Coutline">BerkeleyDB</a></p>
</td>
<td width="63">
<p><a href="#6.7.1.1.v3.3.11%7Coutline">v3.3.11</a></p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
</tr>
<tr>
<td width="144" height="20">
<p><a href="#6.7.2.OpenSSL%7Coutline">OpenSSL</a></p>
</td>
<td width="63">
<p><a href="#6.7.2.1.v0.9.6a%7Coutline">v0.9.6a</a></p>
</td>
<td width="63">
<p><a href="#6.7.2.2.v0.9.6b%7Coutline">v0.9.6b</a></p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
</tr>
<tr>
<td width="144" height="20">
<p><a href="#6.7.3.OpenLDAP%7Coutline">OpenLDAP</a></p>
</td>
<td width="63">
<p><a href="#6.7.3.1.v2.0.10%7Coutline">v2.0.10</a></p>
</td>
<td width="63">
<p><a href="#6.7.3.2.v2.0.11%7Coutline">v2.0.11</a></p>
</td>
<td width="63">
<p><a href="#6.7.3.3.v2.0.14%7Coutline">v2.0.14</a></p>
</td>
<td width="63">
<p><a href="#6.7.3.4.v2.0.18%7Coutline">v2.0.18</a></p>
</td>
<td width="63">
<p><a href="#6.7.3.5.v2.0.21%7Coutline">v2.0.21</a></p>
</td>
<td width="63">
<p><a href="#6.7.3.6.v2.0.22%7Coutline">v2.0.22</a></p>
</td>
<td width="63">
<p><a href="#6.7.3.7.v2.0.23%7Coutline">v2.0.23</a></p>
</td>
</tr>
<tr>
<td width="144" height="20">
<p><a href="#6.7.4.CyrusSASL%7Coutline">CyrusSASL</a></p>
</td>
<td width="63">
<p><a href="#6.7.4.1.v1.5.27%7Coutline">v1.5.27</a></p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
</tr>
<tr>
<td width="144" height="20">
<p><a href="#6.7.5.MIT%20KerberosV%7Coutline">MIT KerberosV</a></p>
</td>
<td width="63">
<p><a href="#6.7.5.1.v1.2.4%7Coutline">v1.2.4</a></p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
<td width="63">
<p><br>
</p>
</td>
</tr>
</tbody></table>
</dd></dl></dl>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="#6.8.My%20configuration%20files%7Coutline">My
configuration files</a></h2>
<p style="margin-left: 2cm;">These are copies on all my configuration
files. They are documented here in the document, but just a
preventive measure, I thought that I'd include the actual files as
well.</p>
<p class="text-body-indent"><a href="#6.8.1.Master%20LDAP%20server%7Coutline">Master
LDAP server</a></p>
<p class="text-body-indent"><a href="#6.8.2.Slave%20LDAP%20server%7Coutline">Slave
LDAP server</a></p>
<p class="text-body-indent"><a href="#6.8.3.PAM/LDAP%20files%7Coutline">PAM/LDAP
files</a></p>
<p class="text-body-indent"><a href="#6.8.4.Misc%20files%7Coutline">Misc
files</a></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="#7.Reference%20material%7Coutline">Reference
material</a></h2>
<p style="margin-left: 2cm;">This are some misc information about
where to find more information about RFC's and Internet drafts etc.</p>
<p class="text-body-indent"><a href="#7.1.Patches%7Coutline">Patches</a></p>
<p class="text-body-indent"><a href="#7.2.LDAP%7Coutline">LDAP</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#7.2.1.LDAPv2%7Coutline">LDAPv2</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#7.2.2.LDAPv3%7Coutline">LDAPv3</a></p>
<p class="text-body-indent"><a href="#7.3.Authentication%7Coutline">Authentication</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#7.3.1.SASL%7Coutline">SASL</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#7.3.2.Kerberos%7Coutline">Kerberos</a></p>
<p class="text-body-indent"><a href="#7.4.Other%7Coutline">Other</a></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="#6.3.Problems%20that%20can%20occur%7Coutline">Problems
that can occur</a></h2>
<p style="margin-left: 2cm;">After getting all this software
configured, compiled and installed, it will need to work independent
of the other. That is, each piece needs to work before we can start
gluing them together. There's always something that can go wrong.
Here's examples and solutions for some of (the most common?) ones.</p>
<p class="text-body-indent"><a href="#6.3.1.Problems%20when%20the%20KVNO%20don%27t%20match%20up.%7Coutline">Problems
when the KVNO don't match up.</a></p>
<p class="text-body-indent"><a href="#6.3.2.No%20such%20attribute%20error%7Coutline">No
such attribute error</a></p>
<p class="text-body-indent"><a href="#6.3.3.No%20such%20object%20error%7Coutline">No
such object error</a></p>
<p class="text-body-indent"><a href="#6.3.4.Local%20error%7Coutline">Local
error</a></p>
<p class="text-body-indent"><a href="#6.3.5.Problems%20with%20ACL%27s%7Coutline">Problems
with ACL's</a></p>
<p class="text-body-indent"><a href="#6.3.6.SLAPADD%20problems/messages%7Coutline">SLAPADD
problems/messages</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#6.3.6.1.Attribute%20type%20undefined%7Coutline">Attribute
type undefined</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#6.3.6.2.Attribute%20not%20allowed%7Coutline">Attribute
not allowed</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#6.3.6.3.Missing%20required%20attribute%7Coutline">Missing
required attribute</a></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.4.Shortcuts|outline"></a>
<a href="#6.4.Shortcuts%7Coutline">Shortcuts</a></h2>
<p style="margin-left: 2cm;">For the lazy ones, why not take a look at
this section.</p>
<p class="text-body-indent">No guaranties though!</p>
<p class="text-body-indent"><a href="#6.4.1.APT%20configuration%7Coutline">APT
configuration</a></p>
<p class="text-body-indent"><a href="#6.4.2.These%20are%20the%20packages%20that%20are%20available%20for%20installations%7Coutline">These
are the packages that are available for installations</a></p>
<p class="text-body-indent"><a href="#6.4.2.1.KerberosV%20server%7Coutline">KerberosV
server</a></p>
<p class="text-body-indent"><a href="#6.4.2.2.KerberosV%20client%7Coutline">KerberosV
client</a></p>
<p class="text-body-indent"><a href="#6.4.2.3.KerberosV%20services%7Coutline">KerberosV
services</a></p>
<p class="text-body-indent"><a href="#6.4.2.4.PAM/NSS%7Coutline">PAM/NSS</a></p>
<p class="text-body-indent"><a href="#6.4.2.5.Miscellaneous%7Coutline">Miscellaneous</a></p>
<p class="text-body-indent"><a href="#6.4.2.6.OpenSSL%7Coutline">OpenSSL</a></p>
<p class="text-body-indent"><a href="#6.4.2.7.Cyrus%20SASL%7Coutline">Cyrus
SASL</a></p>
<p class="text-body-indent"><a href="#6.4.2.8.OpenLDAP2%7Coutline">OpenLDAP2</a></p>
<p class="text-body-indent"><a href="#6.4.2.9.OpenAFS%7Coutline">OpenAFS</a></p>
<p class="text-body-indent"><a href="#6.4.2.10.PostgreSQL%7Coutline">PostgreSQL</a></p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a href="#6.1.Migrating%20existing%20users%7Coutline">Migrating
existing users</a></h2>
<p style="margin-left: 2,01cm; margin-top: 0cm; margin-bottom: 0,51cm;">
Some notes about migrating an existing user database, be it the old
fashioned <i>/etc/passwd</i><span style="font-style: normal;">
approach, </span><i>NIS/NIS++</i> etc.</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">Thanx to</h2>
<p style="margin-left: 2,01cm; margin-top: 0cm; margin-bottom: 0,51cm;">
I would like to thank the following people, <u>in no special
order(!)</u><span style="text-decoration: none;">,</span> for giving
me input on this document. I apologize if I forgot someone (I started
this thank you part quite late in the development :).</p>
<dl><dl><dd>
<table width="653" border="0" cellpadding="0" cellspacing="0">
<col width="203">
<col width="450">
<tbody><tr valign="top">
<td width="203">
<p style="margin-top: 0,51cm;"><font face="Times New Roman, serif"><font size="3">Johann
Botha</font></font></p>
</td>
<td width="450">
<p style="margin-top: 0,51cm;"><font face="Times New Roman, serif"><font size="3">For
noting that we have to start the SLAPD server on port 636 aswell</font></font></p>
</td>
</tr>
<tr valign="top">
<td width="203">
<p style="margin-top: 0,51cm; text-decoration: none;"><font face="Times New Roman, serif"><font size="3">Allan
Streib</font></font></p>
</td>
<td width="450">
<p style="margin-top: 0,51cm;"><font face="Times New Roman, serif"><font size="3">For
the patch to Cyrus SASL, v1.5.27</font></font></p>
</td>
</tr>
<tr valign="top">
<td width="203">
<p style="margin-top: 0,51cm;"><font face="Times New Roman, serif"><font size="3">Jorge
Santos</font></font></p>
</td>
<td width="450">
<p style="margin-top: 0,51cm;"><font face="Times New Roman, serif"><font size="3">For
pointing out that Berkeley DB 3.2.9 is in Debian GNU/Linux under
the name <b>libdb3</b><span style="">/</span><b>libdb3-dev</b><span style="">.
Also found a missing '-exec' in a find command (in the Building
Packages subsection of the libpam-ldap and libnss-ldap section).</span></font></font></p>
</td>
</tr>
<tr valign="top">
<td width="203">
<p style="margin-top: 0,51cm;"><font face="Times New Roman, serif"><font size="3">John
Green</font></font></p>
</td>
<td width="450">
<p style="margin-top: 0,51cm;"><font face="Times New Roman, serif"><font size="3">Which
had a one month newer version than the file I had in my backup
when I lost the whole page because of user error :)</font></font></p>
</td>
</tr>
<tr valign="top">
<td width="203">
<p style="margin-top: 0,51cm;"><font face="Times New Roman, serif"><font size="3">Keith
R Lally</font></font></p>
</td>
<td width="450">
<p style="margin-top: 0,51cm;"><font face="Times New Roman, serif"><font size="3">For
finding the latest version of the lost document.</font></font></p>
</td>
</tr>
<tr valign="top">
<td width="203">
<p style="margin-top: 0,51cm;"><font face="Times New Roman, serif"><font size="3">Jasper
M<>ller</font></font></p>
</td>
<td width="450">
<p style="margin-top: 0,51cm;"><font face="Times New Roman, serif"><font size="3">For
some question and remarks about the DNS setup, migration of
existing users, SSL certificates etc.</font></font></p>
</td>
</tr>
</tbody></table>
</dd></dl></dl>
<p style="margin-left: 2cm;">A couple of days ago (around December 12,
2001) I lost this document. I managed to rescue a version from
August, but quite a number of things where missing.</p>
<p style="margin-left: 2cm;">For those other of you that mailed me
about different versions etc, THANX! I wasn't quite sure if this
document made any difference, but it seems like it does... It's
always nice to hear from users (just not TO much :).</p>
<p align="center" style="border-style: none none double; border-width: medium medium 1,1pt; border-bottom: 1,1pt double rgb(128, 128, 128); padding: 0cm 0cm 0,05cm; margin-top: 1cm; margin-bottom: 0,5cm;">
<font face="Matisse ITC, fantasy"><font size="5" style="font-size: 20pt;">Thanx
again for all the support</font></font></p>
<h1>Building required software</h1>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.1.OpenSSL|outline"></a><a name="4.1.OpenSSL|outline"></a><a name="4.1.OpenSSL|outline"></a>
OpenSSL</h2>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">Installing the
Debian GNU/Linux package</h3>
<p>This package I just installed right of the <a href="ftp://non-us.debian.org/debian-non-US/pool/non-US/main/o/openssl/">Debian
GNU/Linux non-US FTP</a> site, using <b>apt-get install libssl09
libssl09-dev openssl</b><span style="">. The
development package are needed later when <a href="#4.5.1.Building%20OpenLDAP%20v2%7Coutline">building
OpenLDAP v2</a>.</span></p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">Building OpenSSL
from scratch</h3>
<p>For those of you that don't use Debian, this are the configure
command line:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">./Configure shared --prefix=/usr --openssldir=/usr/lib/ssl</pre><p>
Then build the package by issuing this command:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">make -f Makefile.ssl all</pre><h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
Install newly built OpenSSL software</h3>
<p>To install OpenSSL after executing make, issue this command:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">make -f Makefile.ssl install.</pre><p>
That's about it about OpenSSL I think, but as I said, I just
installed the Debian packages, and where done with it :)</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.1.4.Creating SSL certificate|outline"></a><a name="4.1.4.Creating SSL certificate|outline"></a><a name="4.1.4.Creating SSL certificate|outline"></a>
Creating SSL certificate</h3>
<p>To create the certificate that OpenLDAP will use, we issue the
command <b>openssl</b> like this:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365</pre><p>
This is what the command will output when I do it. The first line
might be different in your installation, and some of the wordings
might have changed if you are using a different version than me. The
important information you should input is on the last seven lines
(starting with Country Name and ending with Email Address. Parts in
<b>bold</b>+underline is my responses:</p>
<pre>Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.....++++++
.................................................++++++
writing new private key to 'server.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<b>SE</b>
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:<b>Gothenburg</b>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:<b>egeria.bayour.com</b>
Email Address []:<b>turbo@bayour.com</b></pre><p>
It is very important that you don't give <i>localhost</i> for the
Common Name. It should be your hosts FQDN (Fully Qualified Domain
Name). That is, what's your IP address, and what name does the DNS
tell you belong to this IP address?</p>
<p><u>NOTE</u>: I can not stress this enough! 99% of all the "SSL/TLS
don't work" mails on the openldap-software list is due to the
fact that someone have not used a correct Common Name in the SSL
certificate! An IP address won't work either. It can however be used
to get your common name from the DNS. Find your IP address and issue
the command</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><b>host</b> &lt;YOUR IP ADDRESS HERE&gt;</pre><p>
The first line that reads Name: is what you should use as your common
name!</p>
<p>Keep the file <b>server.pem</b> created here handy, we will need
it later when <a href="#4.5.5.Setting%20up%20secure%20replication%7Coutline">setting
up secure replication</a> below.</p>
<p>Also, remember that since you're specifying the host name in the
certificate (which is <b><u><i>required</i></u></b>), you must have
one certificate for each of your LDAP server (if you're doing
replication to other machines).</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">BerkeleyDB</h2>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.2.1.Building and installing Berkeley DB|outline"></a><a name="4.2.1.Building and installing Berkeley DB|outline"></a><a name="4.2.1.Building and installing Berkeley DB|outline"></a>
Building and installing Berkeley DB</h3>
<p>This software don't exists as Debian packages, so I had to make
and install it my self. To do this, I just downloaded the tarball
from the sleepycat website. I got version 3.0.55, and I see that the
version on there site is now 3.2.9. I can't guarantee that that will
work, but be my guest to try it. If it shouldn't work, you can get
<a href="http://www.bayour.com/kerberos/sleepycat_3.0.55.tar.gz">SleepyCAT
v3.0.55</a> at my site. This is how to build the software after
unpacking it in your favourite source directory.</p>
<pre><b>cd</b> build_unix
<b>../dist/configure</b>
<b>make</b>
<b>make</b> install</pre><p>
That's about all I have to say on the issue of installing Berkeley DB
mostly because there's not much more to it! :).</p>
<p><u>UPDATE</u>: With Debian GNU/Linux 2.3 (aka Woody) and later,
BerkeleyDB 3.2.9 is availible in the <b>libdb3</b> and <b>libdb3-dev</b>
packages, so you won't really need to download and install BerkeleyDB
from source. Just execute</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><b>apt-get</b> install libdb3 libdb3-dev</pre><p>
and off you go...</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">MIT Kerberos V</h2>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.3.1.Building MIT Kerberos V|outline"></a>
Building MIT Kerberos V</h3>
<p>Now, as promised I will here give you the configure parameters
that the Debian packages are using:</p>
<pre>--prefix=/usr
--enable-shared
--with-ccopts="-g -O2 -D_REENTRANT"
--localstatedir=/etc
--mandir=/usr/share/man
--without-tcl</pre><p>
Then, just make all is executed.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.3.1.1.Bugs in MIT Kerberos V, v1.2.1|outline"></a>
Bugs in MIT Kerberos V, v1.2.1</h4>
<p><a name="patch-krb5"></a><u>NOTE1</u>: As said above, there is a
bug in all Kerberos implementations deriving from MIT KerberosIV
(yes, that spells out 4, it's a very old bug!). The bug is that it
have a temporary files race condition. For those that have a version
lower than 1.2.2 and don't want to/can't upgrade, there's a patch to
be found at the <a href="http://web.mit.edu/kerberos/www/advisories/krb4tkt_121_patch.txt" target="_blank">MIT
Kerberos advisories</a> site. For you that run Debian, please see the
<a href="#4.4.1.Building%20Cyrus%20SASL%7Coutline">Building Cyrus SASL</a>
example how to make a Debian package with this patch.</p>
<p><u>NOTE2</u>: Also, there have been discovered a buffer overflow
vulnerability in the telnetd that is distributed with Kerberos 5,
v1.2.2. See the URL <a href="http://www.securityfocus.com/bid/3064" target="_blank">http://www.securityfocus.com/bid/3064</a>
for more information about this vulnerability. A patch for this bug
can be found at the URL
<a href="http://web.mit.edu/kerberos/www/advisories/telnetd_122_patch.txt" target="_blank">http://web.mit.edu/kerberos/www/advisories/telnetd_122_patch.txt</a>.</p>
<p><u>NOTE3</u>: Debian are now distributing MIT Kerberos v1.2.2 in
it's unstable distribution, so just execute</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">apt-get update &amp;&amp; apt-get upgrade</pre><p>
(if you are getting your packages from Internet, and not from CD that
is). It should be installed into the testing and then the stable tree
after a couple of weeks (if there isn't any serious bugs against the
packages)...</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.3.1.2.Bugs in MIT Kerberos V, v1.2.2|outline"></a>
Bugs in MIT Kerberos V, v1.2.2</h4>
<p>NOTE1: A buffer overflow bug have been found in wu-ftpd (and
therefor gssftpd which is the origin of part of the wu-ftpd). Have a
look at the advisory at
<a href="http://web.mit.edu/Kerberos/www/advisories/ftpbuf.txt" target="_blank">http://web.mit.edu/Kerberos/www/advisories/ftpbuf.txt</a>.
The patch is also located without the advisory text on the URL:
<a href="http://web.mit.edu/Kerberos/www/advisories/ftpbuf.txt" target="_blank">http://web.mit.edu/Kerberos/www/advisories/ftpbuf_122_patch.txt</a>.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.3.2.Installing MIT Kerberos V|outline"></a>
Installing MIT Kerberos V</h3>
<p>To prepare the Kerberos installation, one should read the <a href="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html" target="_blank">Kerberos
FAQ</a>. This FAQ was a very good guide for me to learn (or at least
give me a rough understanding of Kerberos :). Basically nothing in
there needs to be done when using the Debian GNU/Linux packages. I
just used the default ones, even though the version I installed first
had a <b>/tmp</b> race condition bug. I have now upgraded to version
1.2.2-1 (the -1 is the Debian patch version). The installation is
very straight forward, just answer the questions correctly :).
However, there are some stuff that needs to be done before (or after
if you like) the installation begins. You will need a working DNS
system. And the KDC/KAdmin. server should really be on a separate
machine, but I didn't have that luxury, so I installed it on the main
system (I'll make a separate KDC/KAdmin/LDAP server later, but not
now).
</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.3.3.Configure Kerberos|outline"></a>
Configure Kerberos</h3>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.3.3.1.Preparing the DNS for KerberosV|outline"></a><a name="4.3.3.1.Preparing the DNS for KerberosV|outline"></a><a name="4.3.3.1.Preparing the DNS for KerberosV|outline"></a>
Preparing the DNS for KerberosV</h4>
<p>The DNS should be setup like follows to get full Kerberos network
support. However, it seems like very few programs (OpenLDAP doesn't
seem to) actually use the SRV entries, which is 'Server Location'
entries. So if you don't want to/can't change the DNS, it is not
required...</p>
<p><u>NOTE</u>: I upgraded my Kerberos server (from 1.2.2 to 1.2.4)
the other day, and I got the question if my DNS was listing the
location of my KDC's (which it does) so maybe Kerberos is now using
the SRV entries. I haven't verified what's the case here, it doesn't
matter that much to me at the moment... :)</p>
<pre>; IP addresses to the Kerberos/LDAP servers...
kerberos IN A <b>&lt;IP ADDRESS OF YOUR 1st KERBEROS SERVER&gt;</b>
kerberos-1 IN A <b>&lt;IP ADDRESS OF YOUR 2nd KERBEROS SERVER&gt;</b>
kerberos-2 IN A <b>&lt;IP ADDRESS OF YOUR 3rd KERBEROS SERVER&gt;</b>
ldap IN A <b> &lt;IP ADDRESS OF YOUR 1st LDAP SERVER&gt;</b>
ldap-1 IN A <b>&lt;IP ADDRESS OF YOUR 2nd LDAP SERVER&gt;</b>
ldap-2 IN A <b>&lt;IP ADDRESS OF YOUR 3rd LDAP SERVER&gt;</b>
;
; Master setup
_kerberos IN TXT "<b>&lt;YOUR KERBEROS REALM&gt;</b>"
_kerberos-master._udp IN SRV 0 0 88 kerberos
_kerberos-adm._tcp IN SRV 0 0 749 kerberos
_kpasswd._udp IN SRV 0 0 464 Kerberos
;
; Round-robin setup
_kerberos._udp IN SRV 0 0 88 kerberos
IN SRV 0 0 88 kerberos-1
IN SRV 0 0 88 kerberos-2
_ldap._tcp.<b>&lt;DOMAINNAME&gt;</b> IN SRV 0 0 389 ldap
IN SRV 0 0 389 ldap-1
IN SRV 0 0 389 ldap-2</pre><p>
Don't forget to make sure that the revers look-up works. Much of my
problems where that the KDC couldn't (wouldn't?) find my FQDN (Fully
Qualified Domain Name =&gt; Host name + Domain name) for my IP
address, or the other way around.
</p>
<p>And what's this SRV stuff doing in there? That's kind'a cool
feature in <a href="http://www.isc.org/products/BIND/" target="_blank">the
BIND DNS server</a>. See the page about <a href="http://rfc.net/rfc2052.html" target="_blank">specifying
the location of services</a> RFC for more about this.</p>
<p>The main KerberosV packages we will have to install on the KDC
(Kerberos server), are the following packages.</p>
<pre>krb5-kdc
krb5-admin-server
libkrb5-dev</pre><p>
To do this, all you have to do is execute (as root of course :) the
command line</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><span style="">apt-get </span>install krb5-kdc krb5-admin-server libkrb5-dev</pre><p>
and this will install and configure a KDC and Kerberos admin server.
We will need the development package later on when we build SASL.
Since I'm running Debian GNU/Linux, I just installed these default
Debian packages, which also configured the stuff for me. What is also
good to have is these packages (just add those you want at the end of
the apt-get line. These packages should be installed on the Kerberos
client. In my case, the KDC lives on my main server, so I installed
these packages on the same system as the packages above. This is not
recommended, but I had no choise.</p>
<pre>krb5-doc
krb5-user
krb5-clients</pre><p>
If you like to offer Kerberos secured services like ftp, rsh, telnet
etc, these are the packages you will also need to install (I did):</p>
<pre>krb5-ftpd
krb5-rsh-server
krb5-telnetd</pre><p>
Now, apt is so very clever that it will download and install any
packages that the above packages are dependent on. So, for example,
if you are running with an older libc6 than the krb5 packages needs,
apt will download and install (!) those for you to.
</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.3.3.2.Kerberos config file|outline"></a>
Kerberos config file</h4>
<p><a name="krb5_config-file"></a>Now, there seems to be something
wrong in some install script or other, because sometimes when I
installed Kerberos, the file <b>/etc/krb5.conf</b> wasn't created
correctly. I installed, unistalled back and fourth to try to figure
out how to get this to work. I will here include the file I have, and
it should work for most cases. As said, this seems to be a random
problem, and I have not been able to successfully duplicate the
problem, so double check the file for accuracy first.</p>
<pre>&lt;libdefaults&gt;
default_realm = <b>&lt;YOUR KERBEROS REALM&gt;</b>
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
&lt;realms&gt;
<b>&lt;YOUR KERBEROS REALM&gt;</b> = {
kdc = kerberos.<b>&lt;YOUR DOMAINNAME&gt;</b>:88
admin_server = kerberos.<b>&lt;YOUR DOMAINNAME&gt;</b>:749
default_domain = <b>&lt;YOUR DOMAINNAME&gt;</b>
}
&lt;domain_realm&gt;
.<b>&lt;YOUR DOMAINNAME&gt;</b> = <b>&lt;YOUR KERBEROS REALM&gt;</b>
&lt;logging&gt;
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
&lt;login&gt;
krb4_convert = false
krb4_get_tickets = false</pre><h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="4.3.3.3.Create KerberosV realm|outline"></a><a name="4.3.3.3.Create KerberosV realm|outline"></a>
Create KerberosV realm</h4>
<p>When the <a href="#4.3.3.1.Preparing%20the%20DNS%20for%20KerberosV%7Coutline">DNS
is prepared</a> and the packages installed, we need to create the
realm data in the KDC. You will be notified by this by the Debian
installer scripts. The command that needs to be executed are
<b>krb5_newrealm</b>. It will create the stash file for you, and also
create some service keys. This is what the script does (for those of
you that aren't running Debian):</p>
<pre><a name="krb5_newrealm-command"></a>kdb5_util create -s
kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin"
kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/changepw"
/etc/init.d/krb5-kdc start || true
/etc/init.d/krb5-admin-server start ||true</pre><p>
The last two lines are however a little premature. We need some form
of administrator user in the KDC to, so execute this line</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">kadmin.local -q "addprinc krbadm@<b>&lt;YOUR KERBEROS REALM&gt;</b>"</pre><p>
Also, while we are creating administrators, we will create a LDAP
administrator principal. This principal will have full access to the
LDAP database. For those of you that are migrating from OpenLDAP1 or
OpenLDAP2 without SASL etc (or basically any other LDAP server I
guess) will recognise this as the AdminDN (or rootdn as it's called
sometimes).</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">kadmin.local -q "addprinc ldapadm@&lt;YOUR KERBEROS REALM&gt;"</pre><h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="4.3.3.4.Setting up KerberosV access rights|outline"></a>Setting
up KerberosV access rights</h4>
<p><a name="krb5_acl-file"></a>Also, some access lists should be
installed/configured. In the file /etc/krb5kdc/kadm5.acl you should
enter these lines:</p>
<pre>kadmin/admin@<b>&lt;YOUR KERBEROS REALM&gt;</b> *
<b>&lt;YOUR USERNAME&gt;</b>@<b>&lt;YOUR KERBEROS REALM&gt;</b> *
krbadm@<b>&lt;YOUR KERBEROS REALM&gt;</b> *
*/*@<b>&lt;YOUR KERBEROS REALM&gt;</b> i</pre><p>
For me, the second line reads <b><u><span style="font-style: normal;">turbo@BAYOUR.COM
*</span></u></b> and that gives me full access to the database as my
ordinary login. Might not be a good thing, but then you don't have to
give out the kadmin/admin password to all of those that you want to
have (full or partial) access to your kerberos system. See the
<a href="http://www.bayour.com/doc/krb5-doc/install.html#SEC43" target="_blank">Kerberos
V5 Installation Guide:ACL</a> file for other values you can have
besides * and i.</p>
<p>As you can see in this ACL file, we have not listed the ldapadm
principal we created above, only the krbadm. That's because we will
separate the Kerberos administration from the LDAP administration.
<u>Even</u> if you are running this system on only one machine, and
you are alone in administrating this (and will be in a foreseeable
future), I still recommend that you to separate the functions. Have
you read the section <a href="#5.6.LDAPv3,%20why%20bother%7Coutline">LDAPv3,
why bother</a>. Remember the discussion about security? Let's not
allow things to slip through the cracks in such a minor detail as two
separate principals...</p>
<p>The default keytab depends on your installation, but for Debian
GNU/Linux it is <b>/etc/krb5.keytab</b>. This file have to be
(<b><u><i>securely</i></u></b>) copied to the LDAP server before
being able to authenticate with SASL. I had a number of problems with
a faulty keytab. The kvno didn't matchup for some reason. Most likely
because I'm not (or at least wasn't) very good at Kerberos
administration. See the section about <a href="#6.3.1.Problems%20when%20the%20KVNO%20don%27t%20match%20up.%7Coutline">Problems
when the KVNO don't match up</a> for ways of fixing/preventing this.</p>
<p>This about raps' up the Kerberos installation/configuration, now
we can (re)start the KDC and Kerberos admin server.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.3.4.Testing MIT Kerberos V|outline"></a><a name="4.3.4.Testing MIT Kerberos V|outline"></a>
Testing MIT Kerberos V</h3>
<p>[I haven't written this part yet, please contribute!]</p>
<p>I can't really remember how I tested it, but if
ktelnet/kftp/krsh/ksu works to/from you machine, it works. If not,
take a look at the <a href="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html" target="_blank">Kerberos
FAQ</a>.</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">Cyrus SASL</h2>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.4.1.Building Cyrus SASL|outline"></a><a name="4.4.1.Building Cyrus SASL|outline"></a><a name="4.4.1.Building Cyrus SASL|outline"></a><a name="4.4.1.Building Cyrus SASL|outline"></a>
Building Cyrus SASL</h3>
<p>This is the first package that we will have to modify, since the
default's isn't good enough (we need GSSAPI). To get the full source
code (inclusive the patches applied by the Debian maintainer etc),
there's the tool <b>apt-get</b>. With the parameter <b>source</b>, it
downloads the latest source code and unpacks it in the current
directory. So, the source package for Cyrus-SASL is, you guessed it
<b>cyrus-sasl</b> (Debian have lowercased package names over the
board, that eases things). To double check, the command line is:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">apt-get source cyrus-sasl</pre><p>
This is the second part. This one we need to modify a little from the
default Debian GNU/Linux packages. The changes are the following,
please edit the file <b>debian/rules</b>.</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">--enable-gssapi instead of --disable-gssapi</pre><p>
And all the option, for those of you that aren't running Debian
GNU/Linux, are:</p>
<pre>--prefix=/usr
--enable-static
--enable-login
--without-des
--without-rc4
--enable-gssapi
--disable-krb4
--mandir=/usr/share/man
--infodir=/usr/share/info</pre><h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="4.4.1.1.Bugs in Cyrus SASL, v1.5.24|outline"></a><a name="4.4.1.1.Bugs in Cyrus SASL, v1.5.24|outline"></a><a name="4.4.1.1.Bugs in Cyrus SASL, v1.5.24|outline"></a>
Bugs in Cyrus SASL, v1.5.24</h4>
<p><a name="patch-sasl"></a>There is a bug in the version 1.5.24 that
makes interactive bind from <b>ldapsearch</b> fail if trying to
connect with SSL/TLS. If you execute this command line (exchanging
the <b>&lt;YOUR BASE DN&gt;</b>) after running <b>kinit</b> to get a
Kerberos ticket:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">ldapsearch -I -b "&lt;YOUR BASE DN&gt;" -H ldaps:///</pre><p>
If you then get the following error, you need the patch below.</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">ldap_sasl_interactive_bind_s: Unknown authentication method</pre><p>
<u>NOTE</u>: According to a message on the openldap-software mailing
list, this was fixed some time ago in the CVS version of Cyrus SASL.
So make sure that you need the patch before applying it! The version
of the file <b>plugins/gssapi.c</b> in the cyrus-sasl source
directory should be greater than 1.39, that's when it was fixed. So
if you have a version higher than 1.39 you don't need to patch
Cyrus-SASL. If you got the tarball from the FTP site, then you will
need both these patches. Another thing, if you can't find a version
number in the file noted above, then you're most likely not running
the CVS version, so the patch is needed.</p>
<p>This is the patch you will have to apply:</p>
<pre>diff -ur cyrus-sasl-1.5.24.orig/plugins/gssapi.c cyrus-sasl-1.5.24/plugins/gssapi.c
--- cyrus-sasl-1.5.24.orig/plugins/gssapi.c.orig Wed Mar 7 19:42:31 2001
+++ cyrus-sasl-1.5.24/plugins/gssapi.c Wed Mar 7 19:43:35 2001
@@ -1243,7 +1243,7 @@
/* need bits of layer */
allowed = secprops.max_ssf - external;
- need = secprops.min_ssf - external;
+ need = secprops.min_ssf &lt; external ? 0 : secprops.min_ssf - external;
serverhas = ((char *)output_token-&gt;value)[0];
/* if client didn't set use strongest layer available */</pre><p>
<a name="patch-sasl_realm"></a>Also, there is a problem with the
Debian GNU/Linux (and according to information on the
OpenLDAP-Software list, in any place where you use pre-built
binaries) that makes SASL 'forget' about the realm part in the login.
The way to test this is by running slapd with options <b>-d -1</b>
and try a <a href="#4.5.4.3.Testing%20OpenLDAP,%20using%20your%20Kerberos%20ticket%7Coutline">sasl
bind</a>. Then check the output from <b>slapd</b><span style="">.</span>
To save all the output that <b>slapd</b> is spewing out, use the
command <b>tee</b> like this:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">slapd -d -1 2&gt;&amp;1 | tee /tmp/output.txt</pre><p>
Then search in the file <b>/tmp/output.txt</b> for the parts that
read:</p>
<pre>slap_sasl_bind: username="u:<b>[YOUR USER ID]</b>" realm="<b>[YOUR KERBEROS REALM]</b>" ssf=<b>[SOME NUMBER]</b>
&lt;== slap_sasl_bind: authzdn: "uid=<b>[YOUR USER ID]</b> + realm=<b>[YOUR KERBEROS REALM]</b>"</pre><p>
If you have the text <b>realm=&lt;YOUR KERBEROS REALM&gt;</b> in
there, all is well, and you don't need the patch. If however, the
realm is not listed there, then please apply this patch that I got
from the mailing list:</p>
<pre>diff -ur cyrus-sasl-1.5.24.orig/plugins/gssapi.c cyrus-sasl-1.5.24/plugins/gssapi.c
--- cyrus-sasl-1.5.24.orig/plugins/gssapi.c.orig Fri Jul 21 04:06:52 2000
+++ cyrus-sasl-1.5.24/plugins/gssapi.c Sun Dec 17 15:19:31 2000
@@ -592,6 +594,7 @@
gss_buffer_desc name_without_realm;
gss_name_t without = NULL;
int equal;
+ char *realm = NULL;
name_token.value = NULL;
name_without_realm.value = NULL;
@@ -625,7 +623,8 @@
without the realm and see if it's the same id (i.e.
tmartin == tmartin@ANDREW.CMU.EDU. If this is the case we just want
to return the id (i.e. just "tmartin: */
- if (strchr((char *)name_token.value, (int) '@')!=NULL)
+ realm = strchr((char *)name_token.value, (int) '@');
+ if (realm != NULL)
{
name_without_realm.value = (char *) params-&gt;utils-&gt;malloc(strlen(name_token.value)+1);
if (name_without_realm.value == NULL) return SASL_NOMEM;
@@ -687,6 +686,14 @@
strcpy(oparams-&gt;authid, name_token.value);
}
+ if (realm != NULL)
+ {
+ realm++; /* skip '@' */
+ oparams-&gt;realm = (char *) params-&gt;utils-&gt;malloc(strlen(realm)+1);
+ if (oparams-&gt;realm == NULL) return SASL_NOMEM;
+ strcpy(oparams-&gt;realm, realm);
+ }
+
if (name_token.value)
params-&gt;utils-&gt;free(name_token.value);
if (name_without_realm.value)</pre><p>
Applying this patch(-es) can be done by using patch. For example, the
patch is saved in the file <b>/tmp/gssapi1.patch</b>. You would then
use the following command (in the top directory of the cyrus sasl
source).</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">patch -p1 &lt; /tmp/gssapi1.patch</pre><p>
The patch can also be found at my site, <a href="http://www.bayour.com/kerberos/gssapi1.patch">GSSAPI
patch 1</a> and <a href="http://www.bayour.com/kerberos/gssapi2.patch">GSSAPI
patch 2</a>. The author of the first patch comes originally from
Nalin Dahyabhai &lt;nalin@redhat.com&gt;. Again, only do this if your
<b>plugins/gssapi.c</b> version is lower than 1.39 (or if you're
trying to compile SASL from the official tarball)!</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.4.1.2.Build the Cyrus SASL packages|outline"></a>
Build the Cyrus SASL packages</h4>
<p>Now you can start building the packages by executing the command
line</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">debuild -uc -us -rfakeroot</pre><p>
Debuild is in the package devscripts, so just install that package by
executing the command line</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">apt-get install devscripts</pre><p>
before building the package. To build the packages if you are not
running Debian, you just execute <b>make</b> to build the software.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.4.2.Installing Cyrus SASL|outline"></a>
Installing Cyrus SASL</h3>
<p>To make sure that the packages you just build don't get
automatically upgraded when using the command</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">apt-get update &amp;&amp; apt-get upgrade</pre><p>
etc, make sure to put the packages on hold. Easiest way to do that,
is to go into <b><span style="font-style: normal;">dselect</span></b>
and press <u>=</u> on the line of the package. Another way to do this
is to execute</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">echo <b>&lt;PACKAGENAME&gt;</b> hold | dpkg --set-selections</pre><p>
Do this after you have installed the packages :). Please also see the
section about <a href="#6.2.Bumping%20the%20Debian%20GNU/Linux%20package%20version%7Coutline">Bumping
the Debian GNU/Linux package version</a> on another way to avoid
automatic upgrades of the newly made packages.</p>
<p>But before we install the SASL packages, you have to make sure
that some libraries etc. that these libraries depend on is installed.
To do this, first install these packages</p>
<pre>libgdbmg1
libpam0g
libcomerr2
libkrb53</pre><p>
Then you can continue with installation of the SASL packages below</p>
<pre>libsasl7
libsasl-modules
libsasl-bin</pre><p>
You do this by executing the command</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">dpkg -i libsasl7*.deb libsasl-modules*.deb libsasl-bin*.deb</pre><p>
To install the software if you are not running Debian, you execute
the command <b>make install</b>. See the package <b>libkrb53</b>? Now
you know why I asked you to install the Kerberos development
packages. SASL must find krb5 on the system to allow you to use
Kerberos V!</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.4.3.Testing Cyrus SASL|outline"></a>
Testing Cyrus SASL</h3>
<p>You will need to have a working Kerberos V system running. See the
section <a href="#4.3.4.Testing%20MIT%20Kerberos%20V%7Coutline">Testing MIT
Kerberos V</a> for more about this. What you will have to do is get
yourself two shells. Execute <b>kinit</b> in both and then in shell
number one type</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">su -c ./sample-server -s ldap -p /usr/lib/sasl</pre><p>
And in the other one</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">./sample-client -s ldap -n <b>&lt;FQDN&gt;</b> -u <b>&lt;USERNAME&gt;</b> -p /usr/lib/sasl</pre><p>
Other than that, please follow the information outlined in the file
<b>testing.txt</b> distributed with cyrus-sasl. You can find the file
at this URL to, <a href="http://www.bayour.com/doc/libsasl-dev/testing.txt" target="_blank">Testing
the CMU SASL Library with the included sample applications</a> if you
prefer to have it through you favourite web browser.</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.8.1.Building and installation|outline"></a>
OpenLDAP</h2>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.1.Building OpenLDAP v2|outline"></a><a name="4.5.1.Building OpenLDAP v2|outline"></a><a name="4.5.1.Building OpenLDAP v2|outline"></a>
Building OpenLDAP v2</h3>
<p>This package have also been slightly modified to suite my needs.
First the changes in the configure command line, please edit the file
<b>debian/rules</b>.</p>
<pre>--disable-cleartext instead of --enable-cleartext
--disable-rlookups instead of --enable-rlookups
--with-tls instead of --without-tls
--enable-kpasswd</pre><p>
To build against the <a href="#4.2.1.Building%20and%20installing%20Berkeley%20DB%7Coutline">Berkeley
DB we built before</a>, add these two lines before the configure
line.</p>
<pre>CPPFLAGS="-I/usr/local/BerkeleyDB.3.0/include" \
LDFLAGS="-L/usr/local/BerkeleyDB.3.0/lib" </pre><p>
And all the options, for those of you that aren't running Debian
GNU/Linux, are the following. These are the important ones you should
have</p>
<pre>--with-cyrus-sasl
--enable-slapd
--enable-crypt
--enable-spasswd
--with-tls
--enable-kpasswd</pre><p>
These are also some (optional) values you should add. Remove the
options that you know that you definitely don't want. For example,
the enable-ipv6 might be a bad idea sometimes...</p>
<pre>--enable-debug
--enable-syslog
--enable-proctitle
--enable-cache
--enable-referrals
--enable-ipv6
--enable-local
--with-readline
--with-threads
--disable-cleartext
--enable-multimaster
--enable-phonetic
--disable-rlookups
--enable-wrappers
--enable-dynamic
--enable-dnssrv
--enable-ldap
--enable-ldbm
--enable-passwd
--enable-shell
--enable-sql
--enable-slurpd
--enable-shared</pre><h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="4.5.1.1.Bugs in OpenLDAP, v2.0.7|outline"></a><a name="4.5.1.1.Bugs in OpenLDAP, v2.0.7|outline"></a>
Bugs in OpenLDAP, v2.0.7</h4>
<p><a name="patch-openldap"></a>There might also bee needed to patch
the file <b>libraries/libldap/open.c</b> from the openldap2 source
directory. Read all about the reasoning behind this at the <a href="http://www.openldap.org/its/index.cgi/Software%20Bugs?id=889" target="_blank">OpenLDAP
ITS, bug 889</a>. There's also a patch there for you that don't use
Debian. If you however are using Debian, and you want the changes in
the rules file and the discussed patch, you can apply this patch
instead of doing it all by yourself. To apply this patch, see the
<a href="#4.4.1.1.Bugs%20in%20Cyrus%20SASL,%20v1.5.24%7Coutline">Cyrus SASL
bugs</a> above or read the manual page for patch. This patch might
not be needed on the OpenLDAP source you have, so verify that you
need it before use! One way of doing this, is compile/install without
it, and if <b>ldapsearch</b>, <b>ldapadd</b>, <b>ldapmodify</b>
segfaults when trying to use the parameter <u>-H</u>, then you need
it!</p>
<p><u>NOTE</u>: These bugs have been fixed around 2.0.9 or so. At any
rate, the latest version (at the time of this writing, 2.0.21) have
it fixed, so there is no need to patch the files! Please have a look
at the <a href="#6.7.Updates%7Coutline">Updates</a> section for more
information.</p>
<pre>diff -urN debian.orig/patches/004_libldap-open debian/patches/004_libldap-open
--- debian.orig/patches/004_libldap-open Thu Jan 1 01:00:00 1970
+++ debian/patches/004_libldap-open Wed Mar 14 22:13:52 2001
@@ -0,0 +1,19 @@
+diff -ur OPENLDAP_HEAD/libraries/libldap/open.c libraries/libldap/open.c
+--- OPENLDAP_HEAD/libraries/libldap/open.c Wed Oct 18 11:53:53 2000
++++ ./libraries/libldap/open.c Tue Nov 21 20:37:04 2000
+@@ -329,8 +329,15 @@
+ if (ld-&gt;ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
+ strcmp( srv-&gt;lud_scheme, "ldaps" ) == 0 )
+ {
++ LDAPConn *savedefconn = ld-&gt;ld_defconn;
++ ++conn-&gt;lconn_refcnt; /* avoid premature free */
++ ld-&gt;ld_defconn = conn;
++
+ rc = ldap_pvt_tls_start( ld, conn-&gt;lconn_sb,
+ ld-&gt;ld_options.ldo_tls_ctx );
++
++ ld-&gt;ld_defconn = savedefconn;
++ --conn-&gt;lconn_refcnt;
+
+ if (rc != LDAP_SUCCESS) {
+ return -1;
diff -urN debian.orig/rules debian/rules
--- debian.orig/rules Wed Mar 14 22:10:41 2001
+++ debian/rules Wed Mar 14 22:10:33 2001
@@ -34,11 +34,11 @@
configure_args := --enable-debug --enable-syslog --enable-proctitle \
--enable-cache --enable-referrals --enable-ipv6 --enable-local \
--with-cyrus-sasl --with-readline --with-threads \
---enable-slapd --enable-cleartext --enable-crypt --enable-spasswd \
---enable-multimaster --enable-phonetic --enable-rlookups --enable-wrappers \
+--enable-slapd --disable-cleartext --enable-crypt --enable-spasswd \
+--enable-multimaster --enable-phonetic --disable-rlookups --enable-wrappers \
--enable-dynamic --enable-dnssrv --enable-ldap --enable-ldbm \
--enable-passwd --enable-shell --enable-sql --enable-slurpd --enable-shared \
---without-tls
+--with-tls --enable-kpasswd
# FHS options
configure_args += --prefix=/usr --localstatedir=/var --sysconfdir=/etc \
@@ -52,6 +52,8 @@
$(STAMP_DIR)/pre-build-stamp: $(unpacked) $(patched)
dh_testdir
cd $(BUILD_TREE) &amp;&amp; CFLAGS="$(CFLAGS)" \
+ CPPFLAGS="-I/usr/local/BerkeleyDB.3.0/include" \
+ LDFLAGS="-L/usr/local/BerkeleyDB.3.0/lib" \
./configure $(configure_args) --host=$(DEB_BUILD_GNU_TYPE)
$(MAKE) depend -C $(BUILD_TREE)
touch $(STAMP_DIR)/pre-build-stamp</pre><p>
You can also get the <a href="http://www.bayour.com/kerberos/openldap.patch">OpenLDAP
v2 patch</a> on papadoc.</p>
<p>When the possible patching is done, we will build the packages. Do
this by executing the command</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">debuild -uc -us -rfakeroot</pre><p>
For those that aren't running Debian, execute the commands</p>
<pre>make depend
make</pre><h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="4.5.2.Installing OpenLDAP v2|outline"></a>Installing
OpenLDAP v2</h3>
<p>The packages you should install are the following:</p>
<pre>libldap2
ldap-utils
slapd</pre><p>
You do this by executing the command</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">dpkg -i libldap2*.deb ldap-utils*.deb slapd*.deb</pre><p>
But before you can do this, you have to make sure that some libraries
etc. that these libraries depend on is installed. To do this, execute
the line</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">apt-get install libiodbc2</pre><p>
To install the software if you are not running Debian, you just
execute the command</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">make install</pre><p>
For more information (in case of trouble building and installing
OpenLDAP2 etc.), please see the <a href="http://www.openldap.org/" target="_blank">OpenLDAP
web site</a> and/or the <a href="http://www.openldap.org/faq/data/cache/172.html" target="_blank">OpenLDAP
FAQ-O-Matic:Quick Start Guide</a>.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.3.Configuring OpenLDAP v2|outline"></a>
Configuring OpenLDAP v2</h3>
<p>The Debian GNU/Linux installation script will guide you through
most of the scripts and will also create the administration DN
referred to in these files. This DN is mostly for backward
compatibility with older clients, than can't do SASL/Kerberos binds.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.3.1.Configure OpenLDAP to use the new SSL certificate|outline"></a>
Configure OpenLDAP to use the new SSL certificate</h4>
<h5 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.3.1.1.Changes to the OpenLDAP config file|outline"></a>
Changes to the OpenLDAP config file</h5>
<p>Then it's just a matter of copying this file, <b>server.pem</b> to
<b>/etc/ldap</b> and modify <a href="#4.5.3.2.The%20OpenLDAP%20config%20file%7Coutline">The
OpenLDAP config file</a> with these options:</p>
<pre>TLSCertificateFile /etc/ldap/server.pem
TLSCertificateKeyFile /etc/ldap/server.pem
TLSCACertificateFile /etc/ldap/server.pem</pre><h5 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="4.5.3.1.2.Changes to the OpenLDAP startup script|outline"></a>
Changes to the OpenLDAP startup script</h5>
<p>We have to make sure that <b>slapd</b> (the actual LDAP
daemon/server) listens to port 636 which is the actual LDAP over
SSL/TLS port. In the Debian GNU/Linux original startup script, we
make this change:</p>
<pre>--- slapd.orig Fri Jul 27 08:53:39 2001
+++ slapd Fri Jul 27 08:53:11 2001
@@ -21,7 +21,7 @@
echo -n "Starting ldap server(s):"
echo -n " slapd"
start-stop-daemon --start --quiet --pidfile "$pidfile" \
- --exec $DAEMON
+ --exec $DAEMON -- -h "ldap://0.0.0.0:$PORT/ ldaps://0.0.0.0/"
replicas=`grep ^replica /etc/ldap/slapd.conf`
test -z "$replicas" || (echo -n " slurpd" &amp;&amp; start-stop-daemon --start \
--quiet --name slurpd --exec $SLURPD)</pre><p>
That is, we have to make sure that SLAPD listens to ldaps (which is
port 636). The PORT variable is set earlier in the script (at least
in the Debian GNU/Linux version).You should have a line that read
something like:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">PORT=389</pre><p>
If you don't have this, either replace the <b>$PORT</b> part above
with <b>389</b>, or add the <b>PORT=389</b> line above the slapd
start lines...</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.3.2.The OpenLDAP config file|outline"></a><a name="4.5.3.2.The OpenLDAP config file|outline"></a><a name="4.5.3.2.The OpenLDAP config file|outline"></a><a name="4.5.3.2.The OpenLDAP config file|outline"></a>
The OpenLDAP config file</h4>
<p><a name="slapd_conf-file"></a>This could be a FAQ all on it's own,
let's just include my config file, shall we?</p>
<pre># This is the main ldapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/krb5-kdc.schema
include /etc/ldap/schema/qmail.schema
include /etc/ldap/schema/qmailControl.schema
include /etc/ldap/schema/netscape-profile.schema
include /etc/ldap/schema/trust.schema
include /etc/ldap/schema/turbo.schema
# Some are extra schema's that I found on the 'Net...
# Want them? They can be found at <a href="http://www.bayour.com/openldap/schemas/" target="_blank">http://www.bayour.com/openldap/schemas/</a>
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Read slapd.conf(5) for possible values
loglevel 2048 # Only entry parsing errors
<b>sasl-realm &lt;YOUR KERBEROS REALM&gt;</b>
<b>sasl-host &lt;FQDN OF LDAP SERVER&gt;</b>
#sasl-secprops none
#######################################################################
# ldbm database definitions
#######################################################################
# The backend type, ldbm, is the default standard
database ldbm
# The base of your directory
suffix "<b>&lt;YOUR BASEDN&gt;</b>"
# Where the database file are physically stored
directory "/var/lib/ldap"
# Save the time that the entry gets modified
lastmod on
# Indexes
index default pres,eq
index objectClass,uid,uidnumber,gidnumber,cn
index mail,mailalternateaddress,mailforwardingaddress eq
# Include the access lists
include /etc/ldap/slapd.access
# End of ldapd configuration file</pre><p>
In this file you will notice the option <b>sasl-host</b>. Remember
the <a href="#4.3.3.1.Preparing%20the%20DNS%20for%20KerberosV%7Coutline">DNS
setup</a>? This is the host name and domain name of the host that
your LDAP server is running on. It is not the FQDN of the kerberos
server as I've stated in previous versions of this document. Sorry
about that. In my case, this is egeria.bayour.com, because that was
what I was entering into the SSL certificate. Don't forget the
SSL/TLS certificate file options, which I showed you in <a href="#4.1.4.Creating%20SSL%20certificate%7Coutline">Creating
SSL certificate</a>.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.3.3.The OpenLDAP access file|outline"></a><a name="4.5.3.3.The OpenLDAP access file|outline"></a><a name="4.5.3.3.The OpenLDAP access file|outline"></a><a name="4.5.3.3.The OpenLDAP access file|outline"></a><a name="4.5.3.3.The OpenLDAP access file|outline"></a><a name="4.5.3.3.The OpenLDAP access file|outline"></a>
The OpenLDAP access file</h4>
<p><a name="slapd_access-file"></a>I have all my access lists (ACL's)
in a separate file (<b>/etc/ldap/slapd.access</b>). I'm still working
on getting this to work properly so it's not perfect, but there you
go...</p>
<pre># For Netscape Roaming support, each user gets a roaming profile for
# which they have write access to
access to dn=".*,ou=Roaming,dc=.*"
by dn="<b>&lt;YOUR ADMIN DN&gt;</b>" write
by dn="uid=ldapadm.+\+realm=<b>&lt;YOUR KERBEROS REALM&gt;</b>" write
by dnattr=owner write
by * none
# Some things should be editable by the owner, and viewable by anyone...
access to attr=cn,givenName,sn,krbName,krb5PrincipalName,gecos
by dn="<b>&lt;YOUR ADMIN DN&gt;</b>" write
by dn="uid=ldapadm.+\+realm=<b>&lt;YOUR KERBEROS REALM&gt;</b>" write
by self write
by users read
access to attr=loginShell,gecos
by dn="<b>&lt;YOUR ADMIN DN&gt;</b>" write
by dn="uid=ldapadm.+\+realm=&lt;<b>&lt;YOUR KERBEROS REALM&gt;</b>" write
by self write
by * read
# Since we're using {KERBEROS}&lt;PRINCIPAL&gt;, we can't allow the user
# to change the password. They have to use the Kerberos 'kpasswd' to
# do this... But the admin can change (if need be).
# Please see krb5 userPassword attribute
access to attr=userPassword
by dn="cn=admin,ou=People,dc=papadoc,dc=bayour,dc=com" write
by dn="uid=ldapadm.+\+realm=<b>&lt;YOUR KERBEROS REALM&gt;</b>" write
by anonymous auth
by * none
# The mail and mailAlternateAddress should only be readable if you
# authenticate!
access to attr=mail,mailAlternateAddress,mailHost
by dn="<b>&lt;YOUR ADMIN DN&gt;</b>" write
by dn="uid=ldapadm.+\+realm=<b>&lt;YOUR KERBEROS REALM&gt;</b>" write
by users read
by * none
# Should not be readable to anyone, and only editable by admin...
access to attr=mailQuota,trustModel,accessTo
by dn="<b>&lt;YOUR ADMIN DN&gt;</b>" write
by dn="uid=ldapadm.+\+realm=<b>&lt;YOUR KERBEROS REALM&gt;</b>" write
by self read
by * none
# The admin dn has full write access
access to *
by dn="<b>&lt;YOUR ADMIN DN&gt;</b>" write
by dn="uid=ldapadm.+\+realm=<b>&lt;YOUR KERBEROS REALM&gt;</b>" write
by * read</pre><p>
Notice the</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">by dn="uid=ldapadm.+\+realm=<b>&lt;YOUR REALM&gt;</b>" write</pre><p>
That's the Kerberos principal you want write access to the database
as. This principal was created in the <a href="#4.3.3.3.Create%20KerberosV%20realm%7Coutline">Create
KerberosV realm</a> section.</p>
<p>But there seems to be another bug in the Debian SASL packages.
According to information on the openldap-software mailing list, the
problem don't exist in the tarball from Cyrus home page. See the
section about the <a href="#patch-sasl_realm">SASL patch - Realm</a>
for more about this.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.3.4.Creating a LDAP service key|outline"></a><a name="4.5.3.4.Creating a LDAP service key|outline"></a><a name="4.5.3.4.Creating a LDAP service key|outline"></a>
Creating a LDAP service key</h4>
<p><a name="servicekey-saslbind"></a>To let OpenLDAP/SASL connect to
the KDC, we need to add a LDAP service key into the KDC. To do this,
use the command <b>kadmin</b> or <b>kadmin.local</b> like this:</p>
<pre>kadmin.local -q "addprinc -randkey ldap/<b>&lt;FQDN&gt;</b>@<b>&lt;YOUR KERBEROS REALM&gt;</b>"
kadmin.local -q "ktadd ldap/<b>&lt;FQDN&gt;</b>"</pre><h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="4.5.3.5.Populate the database to allow simple bind as user|outline"></a><a name="4.5.3.5.Populate the database to allow simple bind as user|outline"></a>
Populate the database to allow simple bind as user</h4>
<p>If you starting out fresh with this project, you will have to read
up on how to create a database on the openldap <a href="http://www.openldap.org/doc/admin/dbtools.html" target="_blank">database
creation and maintenance tools</a> page. When you understand this,
it's time to specify the special object classes and attributes that
makes this whole LDAPv3 thing tick. The object class <i>krb5Principal</i>
specify that the attribute <i>krb5PrincipalName</i> is a <u>must</u>
and that the <i>cn</i> and <i>krb5PrincipalRealm</i> attributes is
optional. What this means, is that we use the following LDIF snippet
on each of our users:</p>
<pre>objectClass: krb5Principal
krb5PrincipalName: turbo@<b>&lt;MY KERBEROS REALM&gt;</b>
cn: Turbo Fredriksson</pre><p>
The <i>cn</i> means Common Name, and in this case it's my full name
(yes, my name really IS turbo! :).</p>
<p>These attributes and object classes are defined in the
<b>krb5-kdc.schema</b> file distributed with OpenLDAP2. The other
object classes (<i>krb5KDCEntry</i> and <i>krb5Realm</i>) are not
used in this context, so ignore them :).</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.3.6.Modify the LDAP database to allow simple bind as user.|outline"></a><a name="4.5.3.6.Modify the LDAP database to allow simple bind as user.|outline"></a>
Modify the LDAP database to allow simple bind as user.</h4>
<p>If you already have a database, but are using some other means of
storing the passwords, you will have to do some minor modifications
to the database. For example, my production server, which is a
version 1.2.11 have the passwords in the LDAP database as
'{crypt}CRYPTEDPW', and is using libpam-ldap (and for migration
purposes libpam-krb5 which is NOT to recommend in a shared network
environment since it binds in clear text) to authenticate the users
on all services (ssh/imap/pop/ftp etc). Now, Quite naturally I wanted
to use that database, so I first did a dump of the original database
with <b>ldbmcat</b> (to convert it into an LDIF file) and then on the
new server, <b>slapadd</b> to create the database. This was a big
problem, since OpenLDAP2 is much more strict about the existence of a
proper schema for the objectClasses etc. See <a href="http://www.bayour.com/openldap/schemas/" target="_blank">LDAP
schemas on Papadoc</a> for the schema's that I have (I found most of
them on the Internet so don't blame me if they are a little out of
date :).</p>
<p><a name="krb5_userPassword-attrib"></a>Before loading the database
into the new server, I had to change all the <i>userPassword</i>
attributes. This is where <b>the --enable-kpasswd</b> comes into
play. The password should be <b><u>{KERBEROS}&lt;USERS PRINCIPAL&gt;</u></b>
like this (my entry):</p>
<pre>dn: uid=turbo,ou=People,<b>&lt;MY BASEDN&gt;</b>
replace: userPassword
userPassword: {KERBEROS}turbo@<b>&lt;MY KERBEROS REALM&gt;</b></pre><p>
This have to be done for all the users to allow them to authenticate!
This only works if you have compiled OpenLDAP2 with the configure
option <b>--with-kpasswd</b>, and what that do is making <b>slapd</b>
ask the Kerberos server if the password corresponds with the password
for the Kerberos principal <b>turbo@&lt;MY KERBEROS REALM&gt;</b>.
What this do, is it's telling the OpenLDAP2 server (<b>slapd</b>) to
check the password in the Kerberos server. Since there is no password
in the LDAP database any more, we have to make sure that the user
can't change there password with either <b>ldappasswd</b> or via PAM.
Therer for, please have a look at the <a href="#4.5.3.3.The%20OpenLDAP%20access%20file%7Coutline">The
OpenLDAP access file</a> again (especially the '<u>access to
attr=userPassword</u>' section.</p>
<p>Now, just to clarify some things (because it will look a little
strange). If you do the modifications above, and then do a search
(ie, retrieving) the <i>userPassword</i> value from the database, it
will look a little garbled:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">userPassword:: e2NyeXB0fUlNRDR0cmxiaUdFVVU=</pre><p>
This is nothing to worry about. It's simply base 64 encoded (this
reads <b><u>{KERBEROS}turbo@BAYOUR.COM</u></b> after decoding).</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.3.7.Notes about 'userPassword: {KERBEROS}'|outline"></a>
Notes about 'userPassword: {KERBEROS}'</h4>
<p>The reason for using <u>userPassword: {KERBEROS}<b>PRINCIPAL</b></u><span style="text-decoration: none;"><span style=""><span style="font-style: normal;">
is so that we can allow simple binds with the password in the
Kerberos database. This should not really be done, since if we do a
simple bind without SSL/TLS, we're opening up the Kerberos database.
We're using Kerberos so that we get a secure system, remember?!.</span></span></span></p>
<p style="text-decoration: none;"><span style="font-style: normal;"><span style="">So
simple binds would only be allow </span><b>if</b><span style="">
it's protected with SSL or TLS. If you have no interest in allowing
simple binds (note, this is not SASL bind!), then don't use the
</span></span><span style=""><i>userPassword</i><span style="font-style: normal;">
entry at all. If you only have interest in allowing SASL binds, this
entry can be left out completely. If, for some reason, you have
clients that can't do SASL binds (Qmail-LDAP comes to mind), then
don't have the password in the Kerberos database, but in LDAP with
either <b>{CRYPT}</b> or even better </span></span><span style="font-style: normal;"><b>{SSHA}</b><span style="">.
Using the command </span><b>slappasswd</b><span style="">,
you can create a scheme to be inserted into the database. This way,
you won't accidentally compromise your Kerberos database security.</span></span></p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.4.Testing OpenLDAP v2|outline"></a>
Testing OpenLDAP v2</h3>
<p>In the <b>ldapsearch</b> commands below, I use <i>localhost</i>
for the name of the LDAP server. I got one mail from Will Day on the
OpenLDAP-Software mailing list, saying that this didn't work for him.
He had to exchange <i>localhost</i> to the <i>FQDN</i> of the LDAP
server instead. The reason for this is most likely because it can't
get a ticket for <b><u>ldap/localhost@&lt;KERBEROS REALM&gt;</u></b>.
To avoid that, just enter a <b>ldap/localhost<u>@&lt;KERBEROS REALM&gt;</u></b>
service key as well as the <b>ldap/&lt;FQDN&gt;<u>@&lt;KERBEROS
REALM&gt;</u></b>. Have a look at <a href="#4.5.3.4.Creating%20a%20LDAP%20service%20key%7Coutline">Creating
a LDAP service key</a> below how to do that. So, if the commands
don't work as shown here, please try that.</p>
<p>Also, I'm specifying port 389 here. You might not need that at
all, since that's the default port of the LDAP server. I only list
that here, because while setting all this up for the very first time,
I ran a OpenLDAP1 server on port 389, and my new OpenLDAP2 server on
port 3389. This server is now my main LDAP database.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.4.1.Testing OpenLDAP, simple/anonymous bind|outline"></a><a name="4.5.4.1.Testing OpenLDAP, simple/anonymous bind|outline"></a>
Testing OpenLDAP, simple/anonymous bind</h4>
<p><a name="simple_bind"></a>The first thing is probably to check if
a non SASL/SSL/TLS (that is, a simple bind) works</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms</pre><p>
You should get something like this</p>
<pre>supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: GSSAPI</pre><p>
The important stuff here is the last line! If you don't have GSSAPI
listed, something is wrong, and you should go back to <a href="#4.5.1.Building%20OpenLDAP%20v2%7Coutline">Building
OpenLDAP v2</a> (or maybe you need to go back to <a href="#4.4.1.Building%20Cyrus%20SASL%7Coutline">Building
Cyrus SASL</a>) and do it right this time. On my production server, I
have now disabled some of these mechanisms, so the only one <u>I</u><span style="text-decoration: none;">
get is GSSAPI. This is perfectly ok, since I only want/need SASL
(GSSAPI) binds.</span></p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.4.2.Testing OpenLDAP, simple/anonymous bind, with SSL/TLS|outline"></a>
Testing OpenLDAP, simple/anonymous bind, with SSL/TLS</h4>
<p>If the search for supported SASL mechanisms went well, let's
continue with the next step. Let's try to do a simple bind, but with
SSL and TLS. The first command tests TLS, and the second one SSL
(notice the parameter <u>-ZZ</u> in the second and <u>ldaps:///</u>
in the first?).</p>
<pre>ldapsearch -H ldap://<b>&lt;FQDN OF LDAP SERVER&gt;</b>/ -p 389 -x -b "" -s base -LLL -ZZ supportedSASLMechanisms
ldapsearch -H ldaps://<b>&lt;FQDN OF LDAP SERVER&gt;</b>/ -x -b "" -s base -LLL supportedSASLMechanisms</pre><p>
You should get the same stuff as above back, only this time it is
sent to you encrypted from the LDAP server. You can double check this
by using a packet sniffer. The reason we have to enter the full name
of our LDAP server for these two commands (instead of just ldap:///
or ldaps:///) is because in newer OpenLDAP, the certificate
verifications is much stronger. It <b><i>requires</i></b> the FQDN
one connects to matches the one in the certificate. In my example
(see the section about <a href="#4.1.4.Creating%20SSL%20certificate%7Coutline">Creating
SSL certificate</a>) the commands would look like:</p>
<pre>ldapsearch -H ldap://egeria.bayour.com/ -p 389 -x -b "" -s base -LLL -ZZ supportedSASLMechanisms
ldapsearch -H ldaps://egeria.bayour.com/ -x -b "" -s base -LLL supportedSASLMechanisms</pre><h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="4.5.4.3.Testing OpenLDAP, using your Kerberos ticket|outline"></a><a name="4.5.4.3.Testing OpenLDAP, using your Kerberos ticket|outline"></a>
Testing OpenLDAP, using your Kerberos ticket</h4>
<p><a name="sasl_bind"></a>Now let's try out a SASL bind. Exchange
the <u>-x</u> above to <u>-I</u> (uppercase i) like below. Just press
enter when you get the prompt <u>Please enter your authorisation
name</u>:.</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">ldapsearch -H ldaps:/// -I -b "" -s base -LLL supportedSASLMechanisms</pre><p>
Anything? Nope, you should get back:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">ldap_sasl_interactive_bind_s: Local error</pre><p>
This is a bug (or maybe more correctly, 'missing feature' :) in SASL
(it doesn't return the correct error codes). There is no known fix
for this yet. To get around it, execute the command <b>kinit</b> and
try again. The lines above, with <u>-x</u> replaced with <u>-I</u>
should return something like:</p>
<pre>SASL SSF: 56
SASL installing layers
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: GSSAPI</pre><p>
Here DES (56 bit key lengh for symmetric cryptography) is used to
<i>encrypt the data stream</i>. That is, the <u>transfer</u> of the
information to you isn't encrypted, but the actual bind (the password
and user/authorisation name) is. Hmm, wonder if this is true... I've
heard 'rumors' on some lists that SASL actually ARE encrypting all
communication between you and the LDAP server. Ah, well. Better safe
than sorry, use <u>-H</u> or <u>-Z</u>.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.4.4.Testing OpenLDAP, using your Kerberos ticket, with SSL/TLS|outline"></a>
Testing OpenLDAP, using your Kerberos ticket, with SSL/TLS</h4>
<p>Please verify that a SSL and TLS works with SASL to by using <u>-ZZ</u>
and <u>-H</u> parameters to the above <b>ldapsearch</b> command line.
The difference between <u>-Z</u> and <u>-ZZ</u> is that the later
requires the operation to be successful.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.4.5.Testing OpenLDAP, simple user bind, with SSL/TLS|outline"></a>
Testing OpenLDAP, simple user bind, with SSL/TLS</h4>
<p><a name="simple_user-bind"></a>Now, if all the changes to the
database (see how to <a href="#4.5.3.5.Populate%20the%20database%20to%20allow%20simple%20bind%20as%20user%7Coutline">populate
the database</a> and/or <a href="#4.5.3.6.Modify%20the%20LDAP%20database%20to%20allow%20simple%20bind%20as%20user.%7Coutline">modify
the LDAP database</a>) have been done and all the above tests work,
let's try to search the database as yourself again, but this time
doing it with a simple bind (<u>-x</u> to <b>ldapsearch</b>). To make
absolutely sure that it doesn't try to use the Kerberos ticket you
got with <b>kinit</b> above, execute <b>kdestroy</b>. Just to be on
the safe side when testing here, mind you :). Here we go, all in one
line:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">ldapsearch -x -D 'uid=turbo,ou=People,<b>&lt;MY BASEDN&gt;</b>' -W -b "" -s base -LLL -H ldaps://<b>&lt;FQDN OF LDAP SERVER&gt;</b>/ supportedSASLMechanisms</pre><p>
Enter the password when prompted. This command should return the same
thing as the previous commands. Remember, you should enter the
password for your KerberosV principal. If it didn't take the Kerberos
password, you would get this back:</p>
<pre>Enter LDAP Password:
ldap_bind: Invalid credentials</pre><p>
I worked for quite some time (about 4-5 days) to get this part to
work. I had no luck. Then, all of a sudden it worked, and I'm not
quite sure why. I am however <b><u>quite</u></b> sure that it have
something to do with the order the ACL's for <i>userPassword</i> is
arranged. OpenLDAP v2.0 is a LOT more picky about the order of the
ACL's than the 1.3 version(s) where (where my config/access file
originates from). See my <a href="#4.5.3.3.The%20OpenLDAP%20access%20file%7Coutline">OpenLDAP
access file</a> of how it looks when it works. Take a extra look at
the section that starts with:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">access to attr=userPassword</pre><p>
<u>NOTE</u>: The parameters <u>-D</u>, <u>-W</u> and <u>-w</u> is not
used when using SASL (unless you want a simple bind, which you
normally wouldn't). You use <u>-I</u> (uppercase i), <u>-U</u> and <u>-X</u>
to use SASL bind. For anonymous and/or simple binds, one have to use
the option <u>-x</u>.</p>
<p>If all the above searches work, you might want to try searching
for data under your base DN, and also do modifications etc, just to
double check that everything works as it's supposed to. The biggest
problems I had with all this, must be the ACL's! Have a second look
at <a href="#4.5.3.3.The%20OpenLDAP%20access%20file%7Coutline">The OpenLDAP
access file</a>.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.5.Setting up secure replication|outline"></a><a name="4.5.5.Setting up secure replication|outline"></a>
Setting up secure replication</h3>
<p>One of the main points (for me at least) by using SASL, Kerberos
and SSL/TLS is so that we can have a secure/encrypted authentication
and communication between the master and slave LDAP server(s). To try
this out, I will demonstrate how you can (and should?) have a slave
server running on localhost. The reason we want to do this, is so
that when doing backups of the LDAP database, we don't need to take
down the master database, only the read-only replica, which means
that we don't have any downtime on the LDAP server.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.5.1.Replication configuration, slave server|outline"></a><a name="4.5.5.1.Replication configuration, slave server|outline"></a>
Replication configuration, slave server</h4>
<p><a name="slapd_conf-file_slave"></a>The first thing we do, is we
create the config file for the slave server. This is basically the
exact same config file as <a href="#4.5.3.2.The%20OpenLDAP%20config%20file%7Coutline">The
OpenLDAP config file</a>. The differences though, is that the
database is located in another directory. Preferably we should set
the database to read only, but it doesn't seem to work. We will
instead use ACL's to limit the access (as much as I can, with the
limited knowledge of OpenLDAP2's ACL structure :).</p>
<pre>directory "/var/lib/ldap.backup"
updatedn "uid=replicator.\+realm=&lt;YOUR REALM&gt;"
include <a href="#4.5.5.6.Give%20the%20replicator%20access%20to%20the%20database%7Coutline">/etc/ldap/slapd.access.backup</a></pre><p>
Other than that, we will run the slave server on other ports than the
master. That's since we are running both on the same machine, and we
can't bind both of them on the same port (unless you make it bind to
different IP addresses, but that's nothing I will go into here).
There for we add some more options to the command line. You can use
the master's start script, modify it by running <b>slapd</b> like
this:</p>
<pre>PORT=3391 /usr/sbin/slapd \
-h "ldap://0.0.0.0:$PORT/ ldaps://0.0.0.0:`expr $PORT + 1`/" \
-f /etc/ldap/slapd.conf.backup</pre><p>
<a name="slapd_conf-file_master"></a>That will start the non-SSL/TLS
port on 3391, and the SSL/TLS port on 3392.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.5.2.Replication configuration, master server|outline"></a>
Replication configuration, master server</h4>
<p>The modifications to the master database's configuration, is the
location of the slave. This is what we will add to the database
definition in <a href="#4.5.3.2.The%20OpenLDAP%20config%20file%7Coutline">The
OpenLDAP config file</a>:</p>
<pre>replica host=localhost:3391
tls=yes
bindmethod=sasl
saslmech=GSSAPI
replogfile /var/lib/ldap/replog</pre><p>
Please see the <a href="http://www.openldap.org/doc/admin/replication.html" target="_blank">OpenLDAP
2.0 Administrator's Guide:Replication</a> and the manual page for
<b>slapd.conf</b> for more about this.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.5.3.Creating a replication principal|outline"></a><a name="4.5.5.3.Creating a replication principal|outline"></a>
Creating a replication principal</h4>
<p><a name="servicekey-replication"></a>To be able to use
GSSAPI/Kerberos V with replication, we will need to create a service
key that we will use for authentication and extract that into a
keyfile. The principal I have chosen here is replicator, but you can
essentially choose any principal you like, as long as use use the
same principal in the access list on both the master and the slave
server. To create such a principal, we execute the following
commands:</p>
<pre>kadmin.local -q "addprinc -randkey replicator@<b>&lt;YOUR KERBEROS REALM&gt;</b>"
kadmin.local -q "ktadd -k /etc/krb5.keytab.slurpd replicator"</pre><p>
Make sure that the keytab file (<b>/etc/krb5.keytab.slurpd</b> in
this example) is secure. That is, transfer it <b><u><i>safely</i></u></b>
to the slave and master LDAP server (using for example <b>scp</b> or
<b>kscp</b>). Also make sure it is not readable for anyone else than
the user <b>slapd</b> is running as.</p>
<blockquote>If this file is compromised (obtained by any arbitrary
user), then your whole LDAP database will have to be considered
compromised!</blockquote>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.5.4.Automatically getting a ticket before starting slurpd|outline"></a>
Automatically getting a ticket before starting slurpd</h4>
<p>Since we are using SASL/KerberosV to do the replication
authentication, we must ensure that <b>slurpd</b> have a Kerberos
ticket before starting. We must also 'remember' the location of the
ticket file, so that it can be removed when shutting down <b>slurpd</b>.
To do this, we use the <a href="#4.5.3.4.Creating%20a%20LDAP%20service%20key%7Coutline">LDAP
service key</a> we created above, like this:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">kinit -r 7d -k -t /etc/krb5.keytab.slurpd replicator@<b>&lt;YOUR KERBEROS REALM&gt;</b></pre><p>
This line will have to be inserted into the <b>slapd</b><span style="">/</span><b>slurpd</b>
start script, just before <b>slurpd</b> is started. To make sure that
the ticket gets removed/destroyed when no longer needed (ie, when
<b>slurpd</b> is shutdown), we issue the command <b>kdestroy</b> just
after <b>slurpd</b> have been stopped.</p>
<p>This results in the following start scripts (for starting <b>slurpd</b>):</p>
<pre>replicas=`grep ^replica /etc/ldap/slapd.conf`
if [ ! -z "$replicas" ]; then
KRB5CCNAME=FILE:/var/run/slapd.krbenv
echo -n "Getting ticket for replicator: "
kinit -k -t /etc/krb5.keytab.slurpd replicator@<b>&lt;YOUR KERBEROS REALM&gt;</b>
echo "done."
echo -n "Starting LDAP replication daemon: "
/usr/sbin/slurpd
echo "done."
fi</pre><p>
This is the stopping part:</p>
<pre>replicas=`grep ^replica /etc/ldap/slapd.conf`
if [ ! -z "$replicas" ]; then
echo -n "Stopping LDAP replication daemon: "
killall slurpd &gt; /dev/null 2&gt;&amp;1
echo "done."
KRB5CCNAME=FILE:/var/run/slapd.krbenv
echo -n "Removing Kerberos ticket: "
kdestroy &amp;&amp; rm /var/run/slapd.krbenv
echo "done."
fi</pre><h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="4.5.5.5.Keeping replication ticket updated|outline"></a>Keeping
replication ticket updated</h4>
<p>To make sure that there always is a ticket for the replicator, we
will have to execute the <b>kinit</b> line above every now and then
from <b>cron</b>. How often this should happen, depends on how
long-lived the ticket is. To find that out, we issue the command
<b>kadmin</b> (or <b>kadmin.local</b>) like this:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">kadmin.local -q "getprinc replicator" | grep "^Maximum ticket life:"</pre><p>
In my case, it will return:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">Maximum ticket life: 0 days 10:00:00</pre><p>
So I will have to renew the ticket at least every ten hours. To be on
the safe side, I'll do it every nine hours. The entry we will put
into <b>/etc/crontab</b> is:</p>
<pre># Making sure that the LDAP replication have a valid ticket
KRB5CCNAME=FILE:/var/run/slapd.krbenv
0 */9 * * * root test -e /var/run/slapd.krbenv &amp;&amp; kinit -R</pre><p>
You can read more about running and getting tickets in shell scripts
untended at the <a href="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kadmnohuman" target="_blank">Kerberos
FAQ:Shell scripts</a>.</p>
<p>There is a way to specify a longer life time when creating the
principal (<u>-maxlife</u>) but I haven't figured out exactly how to
specify the time. I keep getting <u>Invalid date specification</u>
all the time.</p>
<p><u>UPDATE</u>: The maximum lifetime of a ticket can, in <b>kadmin</b><span style="">
or </span><b>kadmin.local</b><span style=""> be
specified like</span></p>
<pre>-maxlife "4 days"
-maxlife "4 hours"</pre><p>
etc...</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="4.5.5.6.Give the replicator access to the database|outline"></a><a name="4.5.5.6.Give the replicator access to the database|outline"></a>
Give the replicator access to the database</h4>
<p>We must give the replicator principal access to write to the
database. To do this, we create this access file instead of <a href="#4.5.3.3.The%20OpenLDAP%20access%20file%7Coutline">The
OpenLDAP access file</a> we had for the master server (this file is
named <b>/etc/ldap/slapd.access.backup</b> in the <a href="#4.5.5.1.Replication%20configuration,%20slave%20server%7Coutline">slave
server replication configuration</a> above). The reason it's much
simpler is because it's read-only, and should contain a online backup
of the database, therefor there is no need for anyone else than
replicator to be able to read/write to the slave.</p>
<pre>access to attr=cn,givenName,sn,krbName,krb5PrincipalName,loginShell,gecos,mail,mailAlternateAddress,mailHost,mailQuota,uidNumber,gidNumber,homeDirectory
by dn="uid=replicator.+\+realm=<b>&lt;YOUR KERBEROS REALM&gt;</b>" write
by users read
by * none
access to attr=userPassword,ldapPassword,clearTextPassword
by dn="uid=replicator.+\+realm=<b>&lt;YOUR KERBEROS REALM&gt;</b>" write
by * none
access to *
by dn="uid=replicator.+\+realm=<b>&lt;YOUR KERBEROS REALM&gt;</b>" write
by * read</pre><p>
We should really not have read access at all (<u>by users read</u><span style="text-decoration: none;">
and </span><u>by * read</u>), but for some reason (which elude me) it
doesn't work otherwise...</p>
<h1>Building miscellaneous software</h1>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">Concurrent
Version System</h2>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.1.1.Building CVS|outline"></a>
Building CVS</h3>
<p>The version I did this with was v1.11-0.1. One can now
authenticate and encrypt using the GSSAPI network security interface.
For details, see <a href="http://www.cvshome.org/docs/manual/cvs_2.html#IDX88" target="_blank">the
Cederqvist's description</a> of specifying <u>:gserver:</u> in
CVSROOT, and the <u>-a</u> global option.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.1.1.1.Configure options|outline"></a>
Configure options</h4>
<p>To do this, we need to build with the following options to
<b>configure</b>:</p>
<pre>--with-gssapi=value GSSAPI directory
--enable-encryption enable encryption support</pre><p>
For non-Debian systems, these are the full <b>configure</b> opions:</p>
<pre>--prefix=/usr
--mandir=/usr/share/man
--infodir=/usr/share/info
--with-gssapi
--enable-encryption</pre><p>
How to build and install? Haven't you paid attention? :) Please go
back to the <a href="#4.4.1.Building%20Cyrus%20SASL%7Coutline">Building
Cyrus SASL</a> section again...</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.1.1.2.With Krb4 option|outline"></a>
With Krb4 option</h4>
<p>There's the <u>--with-krb4=value</u> to configure in this case,
but as you can see that is for Kerberos IV, and that isn't fully
compatible with MIT Kerberos V. There is however a <b>krb524d</b>
daemon that takes care of converting a Kerberos IV request to a
Kerberos V. But that's quite pointless, since we are already using
GSSAPI with our Kerberos V server. From what I can tell, you should
only run the <b>krb534d</b> daemon if you don't have any other
choice. That is, if there weren't any <u>--with-gssapi</u> option
here, we'd go for the <u>--with-krb4</u>, and made sure that our
converter daemon was running.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.1.2.Creating a CVS service key|outline"></a>
Creating a CVS service key</h3>
<p><a name="servicekey-cvs"></a>To be able to use GSSAPI/Kerberos V
with CVS, you will have to add the appropriate service key into the
Kerberos database:</p>
<pre>kadmin.local -q "addprinc -randkey cvs/<b>&lt;FQDN&gt;</b>@<b>&lt;YOUR KERBEROS REALM&gt;</b>"
kadmin.local -q "ktadd cvs/<b>&lt;FQDN&gt;</b>"</pre><p>
As you can see, the service name for CVS, are... Right, <b>cvs</b>!</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.2.Bumping the Debian GNU/Linux package version|outline"></a>
Cyrus IMAP/POP</h2>
<p class="text-body-indent">This is currently unverified by me, but
this is supposed to be the way it's done...</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.2.1.Building Cyrus IMAP and POP3 server|outline"></a>
Building Cyrus IMAP and POP3 server</h3>
<p><!-- IMAP/POP server compile/configure
options to use SASL for authentication.
-->To
have the Cyrus IMAP and POP3 server use GSSAPI (SASL) to authenticate
the user, we need the source of the Cyrus IMAPd/POP3d package
(<b>apt-get source cyrus-imapd</b>). And to build, these are the
options to <b>configure</b>:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">[I'm currently trying this out, come back in a few days]</pre><p>
For non-Debian systems, these are the full <b>configure</b> options:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">[I'm currently trying this out, come back in a few days]</pre><h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="5.2.2.Configure Cyrus IMAP and POP3 server|outline"></a>Configure
Cyrus IMAP and POP3 server</h3>
<p>See <a href="http://www.linuxdoc.org/HOWTO/Cyrus-IMAP-7.html" target="_blank">Cyrus
IMAP/POP Howto:Cyrus IMAP Configuration</a> and imapd.conf(5) for
more about this.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.2.2.1.Creating a IMAP/POP3 service key|outline"></a>
Creating a IMAP/POP3 service key</h4>
<p><a name="servicekey-imap_pop"></a><!-- IMAP/POP Kerberos service key.
Service principal name?
-->To
be able to use GSSAPI/Kerberos V with IMAPd/POP3d, you will have to
add the appropriate service keys into the Kerberos database:</p>
<pre>kadmin.local -q "addprinc -randkey imap/<b>&lt;FQDN&gt;</b>@<b>&lt;YOUR KERBEROS REALM&gt;</b>"
kadmin.local -q "addprinc -randkey pop/<b>&lt;FQDN&gt;</b>@<b>&lt;YOUR KERBEROS REALM&gt;</b>"
kadmin.local -q "ktadd -k /etc/krb5.keytab.cyrus imap/<b>&lt;FQDN&gt;</b>"
kadmin.local -q "ktadd -k /etc/krb5.keytab.cyrus pop/<b>&lt;FQDN&gt;</b>"
chown cyrus /etc/krb5.keytab.cyrus</pre><p>
The keytab above is used in the wrapper needed for GSSAPI/KerberosV
support:</p>
<pre>#!/bin/sh
KRB5_KTNAME=/etc/krb5.keytab.cyrus
export KRB5_KTNAME
exec /usr/sbin/imapd.real $@</pre><h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
LibPAM-LDAP and LibNSS-LDAP</h2>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.3.1.Building and installation|outline"></a>
Building and installation</h3>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.3.1.1.Downloading source|outline"></a>
Downloading source</h4>
<p>Basicly the only thing that needs to be done with these two
packages are rebuilding (ie, <b>configure</b> and <b>make</b>) them,
to get SSL/TLS support. For those of you that are running Debian
GNU/Linux, execute this command</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">apt-get source libpam-ldap libnss-ldap</pre><p>
and the source of the two packages will be downloaded and unpacked in
the current directory.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.3.1.2.Building packages|outline"></a>
Building packages</h4>
<p>To create the two Debian GNU/Linux packages, execute this command
(we only have to rebuild them to have them recognize that we have the
installed OpenSSL development package files)</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">find -maxdepth 1 -type d -name 'lib*ldap-*' -exec sh -c 'cd {} &amp;&amp; debuild -rfakeroot -uc -us' \;</pre><h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="5.3.2.Install the newly made packages|outline"></a>Install
the newly made packages</h3>
<p>Now it's just a matter of executing the following command to
install them:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">dpkg -i lib*ldap_*.deb</pre><h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
SAMBA</h2>
<p class="text-body-indent">This is currently unverified by me, but
this is supposed to be the way it's done...</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.4.1.Building Samba/Samba-TNG|outline"></a>
Building Samba/Samba-TNG</h3>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">Wed, May 30, 2001</h4>
<p>Have compiled samba-2.2.0.final with the following options. I'm
currently trying to configure samba. Using '<u>security = user</u>'
and '<u>encrypt passwords = no</u>' don't work at all, and using
encrypted password don't either (it bypasses the auth mechanisms).</p>
<pre>--with-krb5
--with-ssl
--with-sslinc=/usr/include/openssl</pre><p>
According on a mail on the kerberos mailinglist, Microsofts
<a href="http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp" target="_blank">Step-by-Step
Guide to Kerberos 5 (krb5 1.0) Interoperability</a> should be
interesting to read... You be the judge, I haven't bothered to read
it fully yet :).</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">Fri, Jun 1, 2001</h4>
<p>It seems that the LDAP support in samba 2.2 isn't working at all.
Have downloaded <a href="http://www.samba-tng.org/cvs.html" target="_blank">samba
TNG via CVS</a>, hopefully that will work...</p>
<h5 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.4.1.2.1.Compile options|outline"></a>
Compile options</h5>
<pre>--with-fhs
--prefix=/usr
--sysconfdir=/etc
--with-privatedir=/etc/samba
--with-lockdir=/var/state/samba
--localstatedir=/var
--with-netatalk
--with-smbmount
--with-pam
--with-syslog
--with-sambabook
--with-utmp
--with-readline
--with-krb5
--with-ssl
--with-sslinc=/usr/include/openssl
--with-ldap
--with-utmp</pre><h5 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="5.4.1.2.2.Make string|outline"></a>Make string</h5>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">make SMBLOGFILE=/var/log/smb NMBLOGFILE=/var/log/nmb all smbtorture rpctorture debug2html</pre><h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="5.7.3.4.v2.0.18|outline"></a><a name="5.6.LDAPv3, why bother|outline"></a>
OpenAFS</h2>
<p>I have this working just fine on my live server, and it have been
working great (better than expected!) for about three months now.
From the occasional glitch when I started to understand what exactly
AFS is, I now have all my users, my web directory and whole of my FTP
support directory on AFS.</p>
<p>There's many good things about AFS, and one that I've started to
like more and more, is that root is no longer almighty! Root have (at
least default) absolutely NO rights in AFS space! It's all about
tickets (Kerberos V) and tokens. The ACL (Access Control List) of the
directory decide who have access to what, not the system UID (User
Identification Number).</p>
<p>AFS also come with 'replication support' as standard, so adding
more servers is a good thing. And easy to, from what it seems.</p>
<p>To get OpenAFS up and running with Kerberos V (OpenAFS only works
with Kerberos IV as standard), there is some additional software's
necessary besides the OpenAFS sources. These are the OpenAFS PAM
module and the the special OpenAFS/KerberosV support software's.</p>
<p>Getting OpenAFS and the associated PAM/KRB5 softwares to compile
under Debian GNU/Linux 2.2 (code name Potato) have been proven to be
very difficult. There's a lot of build dependencies that have to be
fulfilled and very few of the packages required exists for Potato. I
have therefor left out the building of all these packages. If you
really want to build for Potato, you will have to figure out how to
build those yourself.</p>
<p class="text-body-indent"><a href="#5.5.1.OpenAFS%7Coutline">OpenAFS</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.1.1.Building%20OpenAFS%7Coutline">Building
OpenAFS</a></p>
<p class="text-body-indent" style="margin-left: 14cm;"><a href="#5.5.1.1.1.Build%20OpenAFS%20kernel%20module%7Coutline">Build
OpenAFS kernel module</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.1.3.Installing%20OpenAFS%7Coutline">Installing
OpenAFS</a></p>
<p class="text-body-indent"><a href="#5.5.2.OpenAFS%20KerberosV%20support%20software%7Coutline">OpenAFS
KerberosV support software</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.2.1.Building%20OpenAFS%20KerberosV%20support%20software%7Coutline">Building
OpenAFS KerberosV support software</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.2.2.Installing%20OpenAFS%20KerberosV%20support%20software%7Coutline">Installing
OpenAFS KerberosV support software</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.2.3.Configure%20OpenAFS%20KerberosV%20support%20software%7Coutline">Configure
OpenAFS KerberosV support software</a></p>
<p class="text-body-indent"><a href="#5.5.3.OpenAFS%20PAM%20module%7Coutline">OpenAFS
PAM module</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.3.1.Building%20and%20Installing%20the%20OpenAFS%20PAM%20module%7Coutline">Building
and Installing the OpenAFS PAM module</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.3.2.Configure%20OpenAFS%20PAM%20module%7Coutline">Configure
OpenAFS PAM module</a></p>
<p class="text-body-indent"><a href="#5.5.4.Configure%20OpenAFS%7Coutline">Configure
OpenAFS</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.4.1.Creating%20a%20AFS%20service%20key%7Coutline">Creating
a AFS service key</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.4.2.Putting%20the%20AFS%20service%20key%20into%20the%20AFS%20KeyFile%7Coutline">Putting
the AFS service key into the AFS KeyFile</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.4.3.Mount%20the%20AFS%20volume%7Coutline">Mount
the AFS volume</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.4.4.Create%20the%20new%20cell%7Coutline">Create
the new cell</a></p>
<p class="text-body-indent" style="margin-left: 14cm;"><a href="#5.5.4.4.1.Setup%20the%20cell%20configuration%20files%7Coutline">Setup
the cell configuration files</a></p>
<p class="text-body-indent" style="margin-left: 14cm;"><a href="#5.5.4.4.2.Getting%20a%20Kerberos%20ticket%20and%20a%20AFS%20token%7Coutline">Getting
a Kerberos ticket and a AFS token</a></p>
<p class="text-body-indent" style="margin-left: 14cm;"><a href="#5.5.4.4.3.Setting%20up%20root%20volumes%7Coutline">Setting
up root volumes</a></p>
<p class="text-body-indent"><a href="#5.5.5.Testing%20the%20OpenAFS%20softwares%7Coutline">Testing
the OpenAFS softwares</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.5.1.Testing%20OpenAFS%20KerberosV%20support%20software%7Coutline">Testing
OpenAFS KerberosV support software</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#5.5.5.2.Testing%20OpenAFS%20PAM%20module%7Coutline">Testing
OpenAFS PAM module</a></p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.1.OpenAFS|outline"></a><a name="5.5.1.OpenAFS|outline"></a>
OpenAFS</h3>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.1.1.Building OpenAFS|outline"></a><a name="5.5.1.1.Building OpenAFS|outline"></a>
Building OpenAFS</h4>
<p>The source package for OpenAFS is just simply called '<b>openafs</b>'
so download the source, using the command</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">apt-get source openafs</pre><p>
I have not needed to make any modifications to these packages, they
are fine as is. These are the options that the Debian GNU/Linux
package is using to configure the OpenAFS sources:</p>
<pre>afslogsdir=/var/log/openafs
--with-afs-sysname=$(SYS_NAME)
--disable-kernel-module
--prefix=/usr
--sysconfdir=/etc
--libexecdir=/usr/lib
--localstatedir=/var/lib</pre><p>
The variable SYS_NAME is delivered from the output of the <b>/bin/arch</b>
command (in the <b>util-linux</b> package). For my Sun SPARC Station
4, this will equal <i>sparc_linux22</i>. Strangely enough, this seems
to be the system name even if I use a 2.4 kernel. I think I must look
into this more...</p>
<p>To build the package on a Debian GNU/Linux box, the command</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">debuild -uc -us -rfakeroot</pre><p>
is used. If not running a Debian GNU/Linux box, execute the command</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">make dest</pre><h5 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="5.5.1.1.1.Build OpenAFS kernel module|outline"></a><a name="5.5.1.1.1.Build OpenAFS kernel module|outline"></a>
Build OpenAFS kernel module</h5>
<p>When the build of the sofware is done, there will be a
<b>openafs-modules-source</b> package (in my example, for the version
I built, this file will be called
<u><span style="font-style: normal;">openafs-modules-source_1.2.3final2-3_all.deb</span></u>).
This is the source to the kernel module, which is needed to give
OpenAFS support to the kernel. The module for the kernel is built by
unpacking the file <b>openafs.tar.gz</b> which gets installed into
<b>/usr/src</b> when installing this package. This file have to be
unpacked from the <b>/usr/src</b> tree for the <b>make-kpkg</b>
command (which is in the <b>kernel-package</b> package.</p>
<p>To create a Debian GNU/Linux package for the kernel and for the
OpenAFS module, issue the following command <u>inside</u> the kernel
source tree of your choice.</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">make-kpkg -uc -us configure buildpackage modules_image</pre><p>
You will have to have the kernel configured using either <span style=""><u>make
config</u></span>, <span style=""><u>make
menuconfig</u></span> or <u>make xconfig</u> depending on favorite
choice. My personal favorite is the second one, <u>make menuconfig</u>.
Graphically enough for me :)</p>
<p>The <i>buildpackage</i> option creates the kernel packages, so
that can be lefout if you don't want/need a package for your kernel.</p>
<p>When the <i>modules_image</i> have finished, it will leave a</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">openafs-module-KERNELVERSION_OPENAFSVERSION_SPECIALVERSION_ARCH.deb</pre><p>
file in <b>/usr/src</b>. For my Sun SPARC Station 4, trying to build
my first 2.4 kernel on this architecture, this file will be named:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">openafs-modules-2.4.18_1.2.3final2-5+10.00.Custom_sparc.deb</pre><p>
and that is installed using <b>dpkg</b> (with the option <u>-i</u>).
If not using Debian GNU/Linux, the package is installed when you
issued the command <b>make dest</b>.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.1.3.Installing OpenAFS|outline"></a><a name="5.5.1.3.Installing OpenAFS|outline"></a>
Installing OpenAFS</h4>
<p>The packages that have to be installed are:</p>
<dl><dl><dd>
<table width="622" border="0" cellpadding="0" cellspacing="0">
<col width="207">
<col width="207">
<col width="207">
<thead>
<tr valign="top">
<th width="207">
<p align="left">All hosts</p>
</th>
<th width="207">
<p align="left">Development Host</p>
</th>
<th width="207">
<p align="left">Server Host(s)</p>
</th>
</tr>
</thead>
<tbody>
<tr valign="top">
<td width="207">
<p>openafs-client</p>
</td>
<td width="207">
<p>libopenafs-dev</p>
</td>
<td width="207">
<p>openafs-dbserver</p>
</td>
</tr>
<tr valign="top">
<td width="207">
<p>openafs-modules-XX-YY</p>
</td>
<td width="207">
<p>openafs-modules-source</p>
</td>
<td width="207">
<p>openafs-fileserver</p>
</td>
</tr>
<tr valign="top">
<td width="207">
<p><br>
</p>
</td>
<td width="207">
<p><br>
</p>
</td>
<td width="207">
<p>openafs-kpasswd</p>
</td>
</tr>
</tbody>
</table>
</dd></dl></dl>
<p>The development packages only have to be installed on the host
where all the packages are built, not on the client/server hosts
themselves. The <b>libopenafs-dev</b> package is needed by all
software's that is going to be compiled to use some functionality
that OpenAFS provides. That include the <a href="#5.5.2.OpenAFS%20KerberosV%20support%20software%7Coutline">OpenAFS
KerberosV support software</a> and the <a href="#5.5.3.OpenAFS%20PAM%20module%7Coutline">OpenAFS
PAM module</a> below.</p>
<p>Before we continue with configuring OpenAFS, we need some
supplementary commands since we're using Kerberos V. So these have to
be built first.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.2.OpenAFS KerberosV support software|outline"></a><a name="5.5.2.OpenAFS KerberosV support software|outline"></a><a name="5.5.2.OpenAFS KerberosV support software|outline"></a><a name="5.5.2.OpenAFS KerberosV support software|outline"></a>
OpenAFS KerberosV support software</h3>
<p>OpenAFS only comes with Kerberos IV (four) support. We need this
software to be able to use the Kerberos V (five) database, which was
the very first thing we did, and not have to have <i>two</i>
databases (the Transarc KA server which comes with OpenAFS and the
Kerberos V server) for user authentication/authorization.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.2.1.Building OpenAFS KerberosV support software|outline"></a><a name="5.5.2.1.Building OpenAFS KerberosV support software|outline"></a>
Building OpenAFS KerberosV support software</h4>
<p>The source package for this is called <b>openafs-krb5</b>, and are
configured using the following configure options:</p>
<pre>--prefix=/usr
--with-krb5=/usr/
--with-afs=/usr</pre><p>
Building the <b>openafs-krb5</b> package is done with <b>debuild</b>
as always (see above for more information). The software is built
using <b>make</b> on a non Debian GNU/Linux box...</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.2.2.Installing OpenAFS KerberosV support software|outline"></a><a name="5.5.2.2.Installing OpenAFS KerberosV support software|outline"></a>
Installing OpenAFS KerberosV support software</h4>
<p>The build process will create the <b>openafs-krb5</b> package, and
is installed using <b>dpkg</b>. On a non Debian GNU/Linux box, issue
the command <b>make install</b>.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.2.3.Configure OpenAFS KerberosV support software|outline"></a><a name="5.5.2.3.Configure OpenAFS KerberosV support software|outline"></a>
Configure OpenAFS KerberosV support software</h4>
<p>No configuration of the OpenAFS Kerberos V migration kit have to
be done. Instead of using <b>klog</b> to get a AFS token, one uses
<b>aklog</b> instead. This is (usually) done by the OpenAFS PAM
module, but not always, so use <b>aklog</b> after getting a Kerberos
V ticket.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.3.OpenAFS PAM module|outline"></a><a name="5.5.3.OpenAFS PAM module|outline"></a><a name="5.5.3.OpenAFS PAM module|outline"></a>
OpenAFS PAM module</h3>
<p>This package is intended to be used by PAM aware programs getting
a AFS token, and requires <b>aklog</b> which is in the <a href="#5.5.2.OpenAFS%20KerberosV%20support%20software%7Coutline">OpenAFS
KerberosV support software</a>. Use it as any other PAM module.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="_1"></a><a name="5.5.3.1.Building and Installing the OpenAFS PAM module|outline"></a><a name="5.5.3.1.Building and Installing the OpenAFS PAM module|outline"></a>
Building and Installing the OpenAFS PAM module</h4>
<p>The source for this is called <b>libpam-openafs-session</b>, so a</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">apt-get source libpam-openafs-session</pre><p>
is needed to get source for the package. Using the same command as
when we were building OpenAFS, we will end up with the package
<b>libpam-openafs-session</b>. This package is installed using the
command <u>dpkg -i</u> (as ANY package is installed on a Debian
GNU/Linux box is :).</p>
<p>Building and installing this software on a non Debian GNU/Linux
box, issue the command make and then make install.</p>
<p>The installation of this software will result in a file called</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">/lib/security/pam_openafs_session.so</pre><p>
on a Debian GNU/Linux box, and</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">/lib/security/pam_openafs-krb5.so</pre><p>
on a non Debian GNU/Linux machine. Why the files are named
differently, is something you will have to ask the maintainer for the
Debian GNU/Linux package about. I have not bothered with this, so be
my guest asking him :)</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.3.2.Configure OpenAFS PAM module|outline"></a><a name="5.5.3.2.Configure OpenAFS PAM module|outline"></a><a name="5.5.3.2.Configure OpenAFS PAM module|outline"></a>
Configure OpenAFS PAM module</h4>
<p>The is no configuration that needs to be done for this package,
it's just a matter of using it. This is done in the service file,
located under /etc/pam.d. For example, using the pam_openafs_session
module with ssh, this is what my /etc/pam.d/ssh file looks like (use
as directed :)</p>
<pre>auth required pam_nologin.so
auth required pam_env.so
auth sufficient pam_krb5.so forwardable
auth required pam_unix.so try_first_pass shadow
auth required pam_issue.so issue=/etc/issue.net
account sufficient pam_krb5.so forwardable
account required pam_unix.so try_first_pass shadow
password required pam_krb5.so forwardable
session sufficient pam_krb5.so forwardable
<b>session optional pam_openafs_session.so</b>
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so</pre><p>
How much of this that's actually needed, is up to you to decide and
verify, but this works for me. What this file do, is verify the
password against the Kerberos V database, OR if that fails, against
the <b>/etc/shadow</b> file (the <i>shadow</i> option). When that is
done, it will obtain a AFS token when the session starts.</p>
<p>We should really only add this module to services that have an
interactive session, such as <b>ssh</b>, <b>login</b>, <b>ftp</b>
etc. NOT something like the IMAP and POP services (unless you deliver
mail to the users home directory that is).</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.4.Configure OpenAFS|outline"></a><a name="5.5.4.Configure OpenAFS|outline"></a>
Configure OpenAFS</h3>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.4.1.Creating a AFS service key|outline"></a><a name="5.5.4.1.Creating a AFS service key|outline"></a><a name="5.5.4.1.Creating a AFS service key|outline"></a>
Creating a AFS service key</h4>
<p>There is some things that needs to be setup before we can use AFS.
One such thing is to create a service principal for AFS. This is in
the form <u>afs@REALM</u>. Usually your AFS cell is the same as your
Kerberos realm, just in lower case. So since my Kerberos realm is
<b>BAYOUR.COM</b><span style="">, I decided to use
the AFS cell name of </span><b>bayour.com</b><span style="">.
If your AFS cell name don't match your Kerberos realm like this, you
will have to use the AFS principal form </span>afs/CELL@REALM (like:
<b>afs/google.com@BAYOUR.COM</b>). Creating the service principal,
and putting it in a keytab is done like this:</p>
<pre>kadmin.local -q "ank -randkey afs"
kadmin.local -q "ktadd -k /etc/krb5.keytab.afs afs"</pre><h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="5.5.4.2.Putting the AFS service key into the AFS KeyFile|outline"></a><a name="5.5.4.2.Putting the AFS service key into the AFS KeyFile|outline"></a>
Putting the AFS service key into the AFS KeyFile</h4>
<p>We need AFS to recognize the service principal, and that is done
by putting the service key into the AFS KeyFile. This is done with
the command <b>asetkey</b><span style=""> like
this:</span></p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">asetkey add 4 /etc/krb5.keytab.afs afs</pre><p>
The number <b>4</b><span style=""> here is the
keynumber that got created in <a href="#5.5.4.1.Creating%20a%20AFS%20service%20key%7Coutline">Creating
a AFS service key</a> so make sure you took note about this. If you
forgot which number it is, you can use the following command line to
find that out:</span></p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">kadmin.local -q 'getprinc afs' | grep ^Key</pre><h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="5.5.4.3.Mount the AFS volume|outline"></a><a name="5.5.4.3.Mount the AFS volume|outline"></a>
Mount the AFS volume</h4>
<p>AFS uses a special directory and file structure, very different
from the ordinary UN*X way of storing files. We need a special
partition to be mounted on <b>/vicepX</b><span style="">
where X is a letter from a to z (and from aa to zz &#8211; see the
<a href="http://www.openafs.org/pages/doc/AdminGuide/auagd007.htm#Header_62">OpenAFS
documentation</a> for more about this). There have been indications
that this partition can not be on a journaling file system (such as
JFS, XFS and Ext3) on Linux.</span></p>
<p style="">If you don't have a free partition,
you can settle for a file that is mounted using the <b>loop</b>
module. Create such a file like this:</p>
<pre>dd if=/dev/zero of=/var/lib/openafs/vicepa bs=1024k count=32
mke2fs /var/lib/openafs/vicepa
mount -oloop /var/lib/openafs/vicepa /vicepa</pre><h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="5.5.4.4.Create the new cell|outline"></a><a name="5.5.4.4.Create the new cell|outline"></a>
Create the new cell</h4>
<h5 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.4.4.1.Setup the cell configuration files|outline"></a><a name="5.5.4.4.1.Setup the cell configuration files|outline"></a>
Setup the cell configuration files</h5>
<p>We need to have our IP address and cell name in both the file
server cell configuration file <i>and</i><span style="font-style: normal;">
in the Client configuration file. If this is to be both a client and
server, that is. Usually the very first machine is both, but does not
need to be. In Debian GNU/Linux, the configuration files is
<b>/etc/openafs/server/CellServDB</b><span style="">
for the file server, and </span><b>/etc/openafs/CellServDB</b><span style="">
for the client. Make sure our IP address and cell name is located <u>at
the top</u><span style="text-decoration: none;"> of these files. The
format of this file is:</span></span></span></p>
<pre>&gt;<b>CELLNAME</b>
<b>IPADDRESS</b></pre><p style="font-style: normal; text-decoration: none;">
So for my test environment, these files begin like this:</p>
<pre>&gt;bayour.com
192.168.1.4 # tuzjfi.bayour.com</pre><p>
We also need to specify which cell this is and the configuration file
for this is <b>/etc/openafs/ThisCell</b><span style="">.
In my example, my AFS cell name is </span><b>bayour.com</b><span style="">,
so I enter this into this file.</span></p>
<h6 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">Setup AFS
services</h6>
<p>When this is done, we can start the fileserver with the command</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">/etc/init.d/openafs-fileserver start</pre><p style="">
Now it's time to setup and start the other services that we need for
this to be a proper file and database server for AFS. I will only
list them right of, no explanation.</p>
<pre>bos addhost tuzjfi tuzjfi -localauth ||true
bos adduser tuzjfi turbo -localauth
bos create tuzjfi ptserver simple /usr/lib/openafs/ptserver -localauth
bos create tuzjfi vlserver simple /usr/lib/openafs/vlserver -localauth
bos create tuzjfi fs fs -cmd /usr/lib/openafs/fileserver -cmd /usr/lib/openafs/volserver -cmd /usr/lib/openafs/salvager -localauth
vos create tuzjfi a root.afs -localauth</pre><p>
In these examples, I have specified <b>tuzjfi</b><span style="">
which is my test platform's hostname. Replace with </span><b>your</b><span style="">
hostname! Also, the paths to the commands (</span><b>/usr/lib/openafs/</b><span style="">)
might differ from your installation, so take note!</span></p>
<p style="">Also, <b>turbo</b> in these commands
is my principal name which is to be the administration user for my
AFS cell. Exchange with <b>your</b> principal name!</p>
<p style="">When this is done, we can start the
AFS client which mounts the <b>/afs</b> tree which is where we access
our AFS file system. This is done with the command</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">/etc/init.d/openafs-client force-start</pre><blockquote>
<b>Do not under any any circumstances access anything under /vicepX!
It is in special AFS format, and any changes might render your AFS
system unusable!</b></blockquote>
<h5 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.4.4.2.Getting a Kerberos ticket and a AFS token|outline"></a><a name="5.5.4.4.2.Getting a Kerberos ticket and a AFS token|outline"></a>
Getting a Kerberos ticket and a AFS token</h5>
<p>To be able to create volumes (which can roughly be translated to
partitions &#8211; storage space in AFS), we need a token for the
administration user (which we created above). This is done by issuing
the command (exchange with <b>your</b><span style="">
principal name):</span></p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">kinit turbo &amp;&amp; aklog</pre><h5 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="5.5.4.4.3.Setting up root volumes|outline"></a><a name="5.5.4.4.3.Setting up root volumes|outline"></a>
Setting up root volumes</h5>
<p>The following command sequences will create the necessary volumes
with the proper access control. Don't forget to change all
occurrences of '<b>tuzjfi'</b><span style=""> to
your hostname, and all references to '</span><b>bayour.com</b><span style="">'
to your cell name. The '</span><b>bayour'</b><span style="">
entries is quick access links to the cell mount point, and it's up to
you if you want/need them...</span></p>
<pre>fs sa /afs system:anyuser rl
vos create <b>tuzjfi</b> a root.cell -localauth
fs sa /afs/<b>bayour.com</b> system:anyuser rl
fs mkm /afs/.<b>bayour.com</b> root.cell -cell <b>bayour.com</b> -rw
fs mkm /afs/.root.afs root.afs -rw
ln -s /afs/<b>bayour.com</b> /afs/<b>bayour</b>
ln -s /afs/.<b>bayour.com</b> /afs/.<b>bayour</b>
vos addsite <b>tuzjfi</b> a root.afs -localauth
vos addsite <b>tuzjfi</b> a root.cell -localauth
vos release root.afs -localauth
vos release root.cell -localauth</pre><h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="5.5.5.Testing the OpenAFS softwares|outline"></a><a name="5.5.5.Testing the OpenAFS softwares|outline"></a>
Testing the OpenAFS softwares</h3>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.5.1.Testing OpenAFS KerberosV support software|outline"></a><a name="5.5.5.1.Testing OpenAFS KerberosV support software|outline"></a><a name="5.5.5.1.Testing OpenAFS KerberosV support software|outline"></a>
Testing OpenAFS KerberosV support software</h4>
<p>To verify that it is possible to get a AFS token from the OpenAFS
server(s), you must have a Kerberos V ticket. This is done using the
command <b>kinit</b>. If <b>kinit</b> where successful in getting a
ticket, it will look something like this when looking at the ticket.
Viewing what tickets you have is done with the command <b>klist</b>
without parameters, like this:</p>
<pre>[papadoc.pts/1]$ kinit
Password for turbo@<b>&lt;MY_KERBEROS_REALM&gt;</b>:
[papadoc.pts/1]$ klist
Ticket cache: FILE:/tmp/krb5cc_turbo
Default principal: turbo@<b>&lt;MY_KERBEROS_REALM&gt;</b>
Valid starting Expires Service principal
05/31/02 09:59:23 05/31/02 19:59:19 krbtgt/<b>&lt;MY_KERBEROS_REALM&gt;</b>@<b>&lt;MY_KERBEROS_REALM&gt;</b>
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
[papadoc.pts/1]$ </pre><p>
Now it's time to get the AFS token:</p>
<pre>[papadoc.pts/1]$ aklog
[papadoc.pts/1]$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 1) tokens for afs@<b>&lt;MY_AFS_CELL&gt;</b> [Expires May 31 19:59]
--End of list--
[papadoc.pts/1]$ </pre><p>
As you can see, if everything goes well, <b>aklog</b> won't output
anything. This is in good old UNIX style. If it's okay, why say
anything :)</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="5.5.5.2.Testing OpenAFS PAM module|outline"></a><a name="5.5.5.2.Testing OpenAFS PAM module|outline"></a>
Testing OpenAFS PAM module</h4>
<p>When the <a href="#5.5.5.1.Testing%20OpenAFS%20KerberosV%20support%20software%7Coutline">Testing
OpenAFS KerberosV support software</a> have been successful, it is
time to verify that the PAM module works. This is done by trying to
login with a service that is OpenAFS aware. In <a href="#5.5.3.2.Configure%20OpenAFS%20PAM%20module%7Coutline">Configure
OpenAFS PAM module</a> we enabled the <b>ssh</b> service to use
OpenAFS, so we try to login through ssh.</p>
<h1>Miscellaneous information</h1>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.1.Migrating existing users|outline"></a><a name="6.1.Migrating existing users|outline"></a>
Migrating existing users</h2>
<p>For those that are converting an existing setup (be it users
located in <span style=""><i>/etc/passwd</i></span>,
<i>NIS</i>/<i>NIS++</i>, <i>NDS</i> etc) it would be nice if there
where a 'execute and continue' solution to on the fly convert the
current database while keeping the users passwords. But there is no
such thing, and never will (in most cases anyway). This is because
most, if ALL 'password storage systems' have some means of encrypting
the password. And most of them is a one-way encryption, meaning that
it's not possible to decrypt it (only force a check, trying out
random password to see if it's a match).</p>
<p>It is therefor necessary to either write a program that inserts
the users password into Kerberos (after a successful authorization)
or you can ask each and every user to come to you to receive/change
their password. On a big system, this is just not possible, so there
you have to go with option one.</p>
<p>There is however a third alternative, although in my eyes not the
perfect one... It is to only include the NEW users in this new
system, and slowly migrate (forcing a password change) the existing
ones.</p>
<p>I went for the first alternative, because my users are very spread
geographically, so it was not possible for them to come to me for a
new password, and I don't like to talk passwords over the phone. Some
of my users I never meet. So what I did was I modified the <b>pam_ldap</b>
module to insert the users clear text password into the
clearTextPassword attribute in the LDAP database, then after three
months I did a search for users with a <i>clearTextPassword</i>
entry, and use that when changing the users password in the Kerberos
server. Something like this:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">ldapsearch -LLL 'cleartextpassword=*' clearTextPassword krb5PrincipalName</pre><p>
This will give us something like this</p>
<pre>dn: uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
krb5PrincipalName: turbo@<b>&lt;MY KERBEROS REALM&gt;</b>
clearTextPassword: ThisIsMySecretPasswordInClearTextFormat</pre><p>
This will however also give us the passwords that are set to 0 or *.
We must initially set it to some value, because OpenLDAP does not
allow us to insert a NULL value. You either use an attribute (which
requires a value) or you don't. So you'll have to write a script that
parses the information, filtering out those that don't make sense.</p>
<p>Then, for each value retrieved, modify the <i>krb5PrincipalName</i>
with the value of <i>clearTextPassword</i>. If you're paranoid, or
don't want this information in the database, just modify each LDAP
object, removing the <i>clearTextPassword</i> attribute <u>and</u>
the corresponding object class.</p>
<p>To change a password in the Kerberos database in a script, this is
how to do it</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">kadmin.local -q "cpw -pw <b>&lt;USER PASSWORD&gt;</b> <b>&lt;USER PRINCIPAL&gt;</b>"</pre><p>
The magic here is the <u>-pw</u> option.</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.2.Bumping the Debian GNU/Linux package version|outline"></a>
Bumping the Debian GNU/Linux package version</h2>
<p>Instead of putting the packages on hold, one can increase the
version number in a 'secure' way. That is, one makes the version
number such that it will always be higher than the default Debian
package number, that way it won't be upgraded/overwritten by a
<u>default</u> Debian version. To do this, one edits the file
<b>debian/changelog</b>. If we take the entry I made for the
cyrus-sasl packages as an example, the top of the changes file will
look like this:</p>
<pre>cyrus-sasl (2:1.5.24-5.TF.3) unstable; urgency=low
* --without-des. It seems that's part of the Krb4 packages, not Krb5...
-- Turbo Fredriksson &lt;turbo@debian.org&gt; Sun, 1 Apr 2001 19:10:58 +0200
cyrus-sasl (2:1.5.24-5.TF.1) unstable; urgency=low
* Can't do search with '-H ldaps:///', but to the non-ssl works.
Norbert Klasen &lt;klasen@zdv.uni-tuebingen.de&gt; say:
Seems to be some signend/unsigned arithmetic mismatch.
=&gt; Patched plugins/gssapi.c
-- Turbo Fredriksson &lt;turbo@debian.org&gt; Wed, 7 Mar 2001 15:30:00 +0100
cyrus-sasl (2:1.5.24-5.TF) unstable; urgency=low
* Build with the following parameters to configure:
--enable-gssapi Needed to have kerberos auth
--with-des Even better to have I guess
-- Turbo Fredriksson &lt;turbo@debian.org&gt; Tue, 27 Feb 2001 17:34:33 +0100</pre><p>
The important number here is <u>2:</u> before the actual number
(1.5.24-5). This number will not be seen when doing a</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm; text-decoration: none;">dpkg -l libsasl-modules</pre><p>
but only when doing</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">dpkg -s libsasl-modules | grep '^Version: '</pre><p>
The <u>.TF</u> is added just to make sure that I remember that it's a
home made packages. It will however work just fine without it. If I
remove the <u>2:</u> and just have <u>.TF</u>, the package will be
upgraded by any package with a version number higher than <span style=""><u>1.5.24-5</u></span>.
That can be, for example <span style=""><u>1.5.24-5.1</u></span>
which would indicate the first Non Maintainer upload. A fix for this
package, by the maintainer, would have the number <span style=""><u>1.5.24-6</u></span>
which would also overwrite my package (if I didn't have the <u>2:</u>).
By setting myself (the <u><i>Turbo Fredriksson &lt;turbo@debian.org&gt;</i></u>
entry) I will be listed as the maintainer when viewing the status of
the package (<b>dpkg -s libsasl7</b> for example). That is also a
indication that it is a home made package. To make this a 'fully
fledged Debian package', instead of issuing the command <b><u>debuild
-uc -us -rfakeroot</u></b> i will remove the <u>-uc -us</u> (which is
unsigned source and changelog. Without those two parameters, the
package will be signed with my PGP (or GPG) signature. In emacs,
there's the <b>debian-changelog-mode</b> command, that will give you
a proper editing mode for changelogs. The mode is in the emacs
package.</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.3.Problems that can occur|outline"></a>
Problems that can occur</h2>
<p>Nothing works right out of the box. Sad to say, but that's the way
it is. I have tried to list as many of the most common problems here,
but I'm still working on this, so please contribute!</p>
<p class="text-body-indent"><a href="#6.3.1.Problems%20when%20the%20KVNO%20don%27t%20match%20up.%7Coutline">Problems
when the KVNO don't match up.</a></p>
<p class="text-body-indent"><a href="#6.3.2.No%20such%20attribute%20error%7Coutline">No
such attribute error</a></p>
<p class="text-body-indent"><a href="#6.3.3.No%20such%20object%20error%7Coutline">No
such object error</a></p>
<p class="text-body-indent"><a href="#6.3.4.Local%20error%7Coutline">Local
error</a></p>
<p class="text-body-indent"><a href="#6.3.5.Problems%20with%20ACL%27s%7Coutline">Problems
with ACL's</a></p>
<p class="text-body-indent"><a href="#6.3.6.SLAPADD%20problems/messages%7Coutline">SLAPADD
problems/messages</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#6.3.6.1.Attribute%20type%20undefined%7Coutline">Attribute
type undefined</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#6.3.6.2.Attribute%20not%20allowed%7Coutline">Attribute
not allowed</a></p>
<p class="text-body-indent" style="margin-left: 12cm;"><a href="#6.3.6.3.Missing%20required%20attribute%7Coutline">Missing
required attribute</a></p>
<p class="text-body-indent" style="margin-left: 16cm;"><br><br>
</p>
<p class="text-body-indent">If you can't have pam_ldap to
authenticate you, this is most likely a <a href="#6.3.5.Problems%20with%20ACL%27s%7Coutline">problems
with ACL's</a></p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="kvno-problems"></a><a name="6.3.1.Problems when the KVNO don't match up.|outline"></a><a name="6.3.1.Problems when the KVNO don't match up.|outline"></a><a name="6.3.1.Problems when the KVNO don't match up.|outline"></a>
Problems when the KVNO don't match up.</h3>
<p>A problem with the kvno can be verified by executing the <u>klist
-k</u> command. If I do it on my machine, I will get this output:</p>
<pre>Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 kadmin/admin@<b>&lt;MY KERBEROS REALM&gt;</b>
4 kadmin/admin@<b>&lt;MY KERBEROS REALM&gt;</b>
4 kadmin/changepw@<b>&lt;MY KERBEROS REALM&gt;</b>
4 kadmin/changepw@<b>&lt;MY KERBEROS REALM&gt;</b>
5 ftp/<b>&lt;MY FQDN&gt;</b>@<b>&lt;MY KERBEROS REALM&gt;</b>
3 host/<b>&lt;MY FQDN&gt;</b>@<b>&lt;MY KERBEROS REALM&gt;</b>
3 host/<b>&lt;MY FQDN&gt;</b>@<b>&lt;MY KERBEROS REALM&gt;</b>
4 ldap/<b>&lt;MY FQDN&gt;</b>@<b>&lt;MY KERBEROS REALM&gt;</b>
5 ftp/<b>&lt;MY FQDN&gt;</b>@<b>&lt;MY KERBEROS REALM&gt;</b>
4 ldap/<b>&lt;MY FQDN&gt;</b>@<b>&lt;MY KERBEROS REALM&gt;</b></pre><p>
The reason there are two of a kind, is because they use different
crypto algorithms. To check this, use the command</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">klist -keK | grep ldap</pre><p>
(we're only interested in the ldap service key at this point), it
will return something like this:</p>
<pre> 4 ldap/<b>&lt;MY FQDN&gt;</b>@<b>&lt;MY KERBEROS REALM&gt;</b> (DES cbc mode with CRC-32) (0x<b>&lt;A HEX NUMBER&gt;</b>)
4 ldap/<b>&lt;MY FQDN&gt;</b>@<b>&lt;MY KERBEROS REALM&gt;</b> (Triple DES cbc mode with HMAC/sha1) (0x<b>&lt;A HEX NUMBER&gt;</b>)</pre><p>
To verify that the kvno for the ldap service key is correct, issue
the command</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">kvno ldap/<b>&lt;MY FQDN&gt;</b>@<b>&lt;MY KERBEROS REALM&gt;</b></pre><p>
This is what I get back:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">ldap/<b>&lt;MY FQDN&gt;</b>@<b>&lt;MY KERBEROS REALM&gt;</b>: kvno = 4</pre><p>
As you can see, they match up now. However, I wasted two whole days
on looking for a problem with OpenLDAP/SASL, when it was in fact a
problem with this number.</p>
<p>If the number received from <span style="">kvno</span>
is <u>lower</u> than the number received from <b>klist</b>, one have
to remove all the service keys and principal of that service and then
add them again. I doubt that this is the correct/best way to do it,
but it works for me (probably since this is a fresh install, without
a big DB etc.).</p>
<pre>kadmin.local -q "ktrem ldap/<b>&lt;FQDN&gt;</b> all"
kadmin.local -q "delprinc ldap/<b>&lt;FQDN&gt;</b>"
kadmin.local -q "addprinc -randkey ldap/<b>&lt;FQDN&gt;</b>"
kadmin.local -q "ktadd -k /etc/krb5.keytab ldap/<b>&lt;FQDN&gt;</b>"</pre><p>
If the number from <span style="">kvno</span> is
<u>higher</u> than the one from <b>klist</b>, just add the service
key to the keytab, removing (?) all the old ones. Use <b>ktadd</b>
below until the numbers from both <b>klist</b> and <b>kvno</b> match
up.</p>
<pre>kadmin.local -q "ktadd -k /etc/krb5.keytab ldap/<b>&lt;FQDN&gt;</b>"
kadmin.local -q "ktrem ldap/<b>&lt;FQDN&gt;</b> old"</pre><p>
Update, <sdfield type="DATETIME" sdval="36994,7177488426" sdnum="1053;0;YYYY-MM-DD">2001-04-13</sdfield>:
When doing all this for a company I'm doing some consulting for, I
noticed that this might not be necessary (removing and then adding
the principal, that is). I'm not sure what happened, but I'll tell
you what I did.</p>
<p>The company have three machines, <i>dns1</i>, <i>dns2</i> and
<i>kattla</i> (the dragon from Astrid Lindgren's Lionheart). <i>Kattla</i>
is the LDAP/Kerberos server, and <i>dns1</i> and <i>dns2</i> is the
DNS servers.</p>
<p>I added the host/<b>&lt;FQDN&gt;</b> principals for the three
machines in <i>kattla</i>'s keytab. When trying <b>krsh</b>/<b>ktelnet</b>
to <i>dns1</i>, the machine complained about 'no such file'. Using
<b>strace</b> I found that <b>kshd</b>/<b>ktelnetd</b> where looking
for the keyfile <b>/etc/krb5.keytab</b>. I had hoped that I wouldn't
need that (since I thought/had hoped that all that would be in the
KDC). Now, I wouldn't want to copy the whole keytab from <i>kattla</i>
(since that included ALL server's host keys). So I executed</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">ktadd -k /etc/krb5.keytab.dns1</pre><p>
on <i>kattla</i> and copied that file to <i>dns1</i> as file
<b>/etc/krb5.keytab</b>. Logical conclusion? I thought so. But that's
where I got the same problem as before. The keytab on <i>dns1</i> had
version 4, but I had tried connecting and got version 3 in my ticket
(that is, doing <b><u>kvno host/dns1.DOMAINNAME</u></b> on my own
server, revealed version 3). This was a real nuisance. I couldn't
figure out a way to have the same version in the two files.</p>
<p>Doing some testing, I tried executing <b>kdestroy</b> and then
<b>kinit</b> again. That helped!</p>
<p>Now, I'm not sure if I really need all the host keys in <i>kattla</i>
but as said, I'm not very good at Kerberos administration yet...</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="supportedSASLMechanisms"></a><a name="6.3.2.No such attribute error|outline"></a><a name="6.3.2.No such attribute error|outline"></a>
No such attribute error</h3>
<p>You get this error when SASL isn't configured/working properly.
Please see the <a href="#simple_bind">simple bind</a> examples on
when to know if SASL works or not.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.3.3.No such object error|outline"></a><a name="6.3.3.No such object error|outline"></a>
No such object error</h3>
<p>This is most likely because you are trying to do a
<a href="#4.5.4.1.Testing%20OpenLDAP,%20simple/anonymous%20bind%7Coutline">simple/anonymous
bind</a>, but aren't using the correct parameters to
<b>ldapsearch</b>/<b>ldapadd</b>/<b>ldapmodify</b>. Try adding <u>-x</u>
to the command line. If you are using <u>-x</u>, but still get this
error, it might be that your ACL's don't allow viewing the base dn
(where the <i>supportedSASLMechanisms</i> attributes are).
</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="error-local"></a><a name="6.3.4.Local error|outline"></a><a name="6.3.4.Local error|outline"></a>
Local error</h3>
<p>This error messages will look like this</p>
<pre># ldapsearch -h localhost -p 389 -I -b "" -s base -LLL supportedSASLMechanisms
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name:
ldap_sasl_interactive_bind_s: Local error</pre><p>
This is because you don't have a Kerberos TGT (<u>T</u>icket <u>G</u>ranting
<u>T</u>icket). Just execute <b>kinit</b> to get a ticket.</p>
<p>Will Day (on the OpenLDAP-Software list) also reported that he got
this problem because he hadn't specified the FQDN host name of the
LDAP server, which led it to default to localhost, for which it
couldn't get a Kerberos ticket.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="prob-acl"></a><a name="6.3.5.Problems with ACL's|outline"></a><a name="6.3.5.Problems with ACL's|outline"></a><a name="6.3.5.Problems with ACL's|outline"></a>
Problems with ACL's</h3>
<p>I migrated from OpenLDAP1 to OpenLDAP2. Having used OpenLDAP1 for
over a year on a number of production servers, going to OpenLDAP2 was
quite a nuisance. The first problem I got was that the old database
wouldn't load at all (which was a problem with the non-existence of
proper schemas). The other, and the one that gave me the most grief
was the ACL's. It seems like OpenLDAP2 is much more strict about the
correctness and order of the ACL's. So it's important to have all the
stuff in the right order and in the right place. By a lot of trial
and error, I came up with <a href="#4.5.3.3.The%20OpenLDAP%20access%20file%7Coutline">The
OpenLDAP access file</a> you see in this document. It might be the
most perfect, but at least it works. If all other fails, try my ACL
and see if that work. If it does, start modifying that to get the
restrictions you want. I'm still working on perfecting this list, so
come back every now and then to see if I have any updates...
</p>
<p>Otherwise, don't hesitate to ask on the <a href="http://openldap.org/?subject=subscribe?body=subscribe/">OpenLDAP-Software
mailing list</a> or if you need to make your own schemas, have a look
at the <a href="http://www.openldap.org/doc/admin/schema.html" target="_blank">OpenLDAP2
Admin Guide:Schema Specification</a>.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.3.6.SLAPADD problems/messages|outline"></a><a name="6.3.6.SLAPADD problems/messages|outline"></a>
SLAPADD problems/messages</h3>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.3.6.1.Attribute type undefined|outline"></a><a name="6.3.6.1.Attribute type undefined|outline"></a>
Attribute type undefined</h4>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">slapadd: could not parse entry (line=<b>&lt;SOME LINE NR&gt;</b>)</pre><p>
This (usually ?) means that one (or more) of the attribute you are
trying to use, don't exist in any schema. For example, I kept getting
this when trying to use the objectclass <i>krb5Principal</i>. The
attribute I <u>meant</u> to use where <span style="font-style: normal;">krb5Principal</span><b><u><i>Name</i></u></b>
but a typo slipped in the LDIF, so it was named <i>krb5Principal</i>
instead...</p>
<p><u>NOTE</u>: The line it complains about, is the first empty line
<i>after</i> the object (that is, the empty line <u><span style="font-style: normal;">between</span></u>
the two adjacent objects) in the LDIF file. There is no problem on
the line itself, but the object <u>above</u> the empty line. To find
exactly what attribute it complains about, copy the whole (and ONLY
the) troublesome object to a separate LDIF file, and try to just add
that object. Then use <u>-d -1</u> when executing <b>slapadd</b>.</p>
<p class="text-body-indent">Solution: Correct attribute name</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.3.6.2.Attribute not allowed|outline"></a><a name="6.3.6.2.Attribute not allowed|outline"></a>
Attribute not allowed</h4>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">slapadd: dn="<b>&lt;SOME DN&gt;</b>" (line=<b>&lt;SOME LINE NR&gt;</b>): attribute not allowed</pre><p>
This (usually ?) means that you have attribute which is not a <i>MUST</i>
or <i>MAY</i> attribute in the objectclasses you are using.</p>
<p class="text-body-indent">Solution: Find the objectclass this
attribute belong to, and add that to the LDIF.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.3.6.3.Missing required attribute|outline"></a><a name="6.3.6.3.Missing required attribute|outline"></a>
Missing required attribute</h4>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">slapadd: dn="<b>&lt;SOME DN&gt;</b>" (line=<b>&lt;SOME LINE NR&gt;</b>): missing required attribute</pre><p>
This should be quite obvious. You are trying to use a objectclass,
but you have not specified one (or more) of the <i>MUST</i>
attributes. For example, when trying to modify my old DB (replacing
the attribute <i>userPassword</i>), I wrote a perl script that parsed
the old LDIF, and replaced all the <b><u>userPassword: {crypt}...</u></b>
values with <b>userPassword: {KERBEROS}user@&lt;MY KERBEROS REALM&gt;</b>.
Some of the objects (especially the AdminDN object) should not be
replaced, it should retain the crypted value. But my script was
buggy, so the attribute where totaly removed. Those DN's used the
objectclass <i>simpleSecurityObject</i> which <i>MUST</i> have the
attribute <i>userPassword</i>.</p>
<p class="text-body-indent">Solution: Add the missing REQUIRED (<i>MUST</i>)
attributes to the LDIF.</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.4.Shortcuts|outline"></a>
Shortcuts</h2>
<p>For those of you running Debian GNU/Linux which thinks all this
about making your own package are daunting, or if you're just to lazy
to do it your self, you can always get the pre-compiled binaries from
me. <b><u><i>I make no promises</i></u></b> to keeping them up to
date, I'm deploying this on a live server, without access to a
development platform. Because of this, it's difficult to keep
downloading packages, remake them and then doing a install. IF
something breaks, it will break my live server!</p>
<p>HOWEVER, if you thing it's about time I upgraded (ie, these
packages are WAY out of date) don't hesitate to send me a <a href="http://bayour.com/?subject=LDAPv3%20HOWTO.%20Packages%20_WAY_%20out%20of%20date%21&amp;body=It%27s%20about%20time%20you%20upgraded,%20the%20package%20%5BPLEASE%20FILL%20IN%20PACKAGE%20NAME%5D%20is%20out%20of%20date./">simple
and friendly 'nudge' mail</a>, telling me to get my acts together! :)</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.4.1.APT configuration|outline"></a>
APT configuration</h3>
<p>If you use Debian GNU/Linux and would like to use the packages
I've created, here's the line you should add one of the following
lines to the <b>/etc/apt/sources.list</b> file, and run the command
apt-get update to update the list of available packages.</p>
<pre>deb <a href="ftp://ftp.bayour.com/pub/debian">ftp://ftp.bayour.com/pub/debian</a> local .
deb-src <a href="ftp://ftp.bayour.com/pub/debian/dists/local/binary-i386/">ftp://ftp.bayour.com/pub/debian</a> local .</pre><p>
These packages have such a higher version number, that they won't be
upgraded by the packages from the official Debian GNU/Linux FTP
sites. See the section about <a href="#5.2.Bumping%20the%20Debian%20GNU/Linux%20package%20version%7Coutline">Bumping
the Debian GNU/Linux package version</a> section of what I mean.</p>
<p>Packages are available for the Intel processors and for Sun SPARC
only. Unfortunately I don't have any Alpha, PPC, m68k machines, so I
can't currently support these architectures. Using my source
packages, all you have to do is download them yourself, and compile
using <b>debuild</b> as directed elsewhere in this document...</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.4.2.These are the packages that are available for installations|outline"></a>
These are the packages that are available for installations</h3>
<dl><dd>
<table width="811" border="0" cellpadding="0" cellspacing="0">
<col width="153">
<col width="147">
<col width="163">
<col width="181">
<col width="167">
<tbody><tr valign="top">
<td width="153">
<h4><a name="6.4.2.1.KerberosV server|outline"></a>KerberosV
server</h4>
</td>
<td width="147">
<h4><a name="6.4.2.2.KerberosV client|outline"></a>KerberosV
client</h4>
</td>
<td width="163">
<h4><a name="6.4.2.3.KerberosV services|outline"></a>KerberosV
services</h4>
</td>
<td width="181">
<h4><a name="6.4.2.4.PAM/NSS|outline"></a>PAM/NSS</h4>
</td>
<td width="167">
<h4><a name="6.4.2.5.Miscellaneous|outline"></a>Miscellaneous</h4>
</td>
</tr>
<tr valign="top">
<td width="153">
<p>krb5-kdc</p>
</td>
<td width="147">
<p>krb5-doc</p>
</td>
<td width="163">
<p>krb5-ftpd</p>
</td>
<td width="181">
<p>libnss-ldap</p>
</td>
<td width="167">
<p>cvs</p>
</td>
</tr>
<tr valign="top">
<td width="153">
<p>krb5-admin-server</p>
</td>
<td width="147">
<p>krb5-user</p>
</td>
<td width="163">
<p>krb5-rsh-server</p>
</td>
<td width="181">
<p>libpam-ldap</p>
</td>
<td width="167">
<p>ssh</p>
</td>
</tr>
<tr valign="top">
<td width="153">
<p>krb5-dev</p>
</td>
<td width="147">
<p>krb5-clients</p>
</td>
<td width="163">
<p>krb5-telnetd</p>
</td>
<td width="181">
<p>libpam-krb5</p>
</td>
<td width="167">
<p>sudo</p>
</td>
</tr>
<tr valign="top">
<td width="153">
<p><br>
</p>
</td>
<td width="147">
<p><br>
</p>
</td>
<td width="163">
<p><br>
</p>
</td>
<td width="181">
<p><br>
</p>
</td>
<td width="167">
<p><br>
</p>
</td>
</tr>
<tr valign="top">
<td width="153">
<h4><a name="6.4.2.6.OpenSSL|outline"></a>OpenSSL</h4>
</td>
<td width="147">
<h4><a name="6.4.2.7.Cyrus SASL|outline"></a>Cyrus SASL</h4>
</td>
<td width="163">
<h4><a name="6.4.2.8.OpenLDAP2|outline"></a>OpenLDAP2</h4>
</td>
<td width="181">
<h4><a name="6.4.2.9.OpenAFS|outline"></a>OpenAFS</h4>
</td>
<td width="167">
<h4><a name="6.4.2.10.PostgreSQL|outline"></a>PostgreSQL</h4>
</td>
</tr>
<tr valign="top">
<td width="153">
<p>libssl0.9.6a</p>
</td>
<td width="147">
<p>libgdbmg1</p>
</td>
<td width="163">
<p>libiodbc2</p>
</td>
<td width="181">
<p>openafs-dbserver</p>
</td>
<td width="167">
<p>libecpg3</p>
</td>
</tr>
<tr valign="top">
<td width="153">
<p>openssl</p>
</td>
<td width="147">
<p>libpam0g</p>
</td>
<td width="163">
<p>libldap2</p>
</td>
<td width="181">
<p>openafs-fileserver</p>
</td>
<td width="167">
<p>libpgsql2.1</p>
</td>
</tr>
<tr valign="top">
<td width="153">
<p><i>libssl0.9.6a-dev</i></p>
</td>
<td width="147">
<p>libcommerr2</p>
</td>
<td width="163">
<p>ldap-utils</p>
</td>
<td width="181">
<p>openafs-modules-source</p>
</td>
<td width="167">
<p>odbc-postgresql</p>
</td>
</tr>
<tr valign="top">
<td width="153">
<p><br>
</p>
</td>
<td width="147">
<p>libkrb53</p>
</td>
<td width="163">
<p>slapd</p>
</td>
<td width="181">
<p>openafs-client</p>
</td>
<td width="167">
<p>postgresql</p>
</td>
</tr>
<tr valign="top">
<td width="153">
<p><br>
</p>
</td>
<td width="147">
<p>libsasl7</p>
</td>
<td width="163">
<p><i>libldap2-dev</i></p>
</td>
<td width="181">
<p><i>libopenafs-dev</i></p>
</td>
<td width="167">
<p>postgresql-client</p>
</td>
</tr>
<tr valign="top">
<td width="153">
<p><br>
</p>
</td>
<td width="147">
<p>libsasl-modules</p>
</td>
<td width="163">
<p><br>
</p>
</td>
<td width="181">
<p>libpam-openafs-session</p>
</td>
<td width="167">
<p><i>postgresql-dev</i></p>
</td>
</tr>
<tr valign="top">
<td width="153">
<p><br>
</p>
</td>
<td width="147">
<p>libsasl-bin</p>
</td>
<td width="163">
<p><br>
</p>
</td>
<td width="181">
<p><br>
</p>
</td>
<td width="167">
<p><br>
</p>
</td>
</tr>
</tbody></table>
</dd></dl>
<p class="sdfootnote" style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<b>Table 1</b>: Packages to install. Packages in italic is for
development only...</p>
<p>The PAM/NSS modules above will come with <a href="#4.8.1.Building%20and%20installation%7Coutline">SSL
and TLS</a> enabled, if downloaded from me. CVS, SSH, sudo and
PostgreSQL is compiled with GSSAPI/Kerberos support (which the
original packages are not).</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.5.Mailing lists for help|outline"></a>
Mailing lists for help</h2>
<dl><dl><dd>
<table width="612" border="0" cellpadding="0" cellspacing="0">
<col width="153">
<col width="153">
<col width="153">
<col width="153">
<tbody><tr valign="top">
<td width="153">
<p><a href="http://www.debian.org/MailingLists/subscribe">Debian
GNU/Linux</a></p>
</td>
<td width="153">
<p><a href="http://web.mit.edu/kerberos/www/mail-lists.html">MIT
Kerberos V</a></p>
</td>
<td width="153">
<p><a href="http://padl.com/?body=subscribe/">NSS/LDAP</a></p>
</td>
<td width="153">
<p><a href="https://lists.openafs.org/mailman/listinfo/openafs-info">OpenAFS-Info</a></p>
</td>
</tr>
<tr valign="top">
<td width="153">
<p><a href="http://www.openssl.org/support/">OpenSSL</a></p>
</td>
<td width="153">
<p><a href="http://asg.web.cmu.edu/sasl/#mailinglists">Cyrus
SASL</a></p>
</td>
<td width="153">
<p><a href="http://padl.com/?body=subscirbe/">PAM/LDAP</a></p>
</td>
<td width="153">
<p><br>
</p>
</td>
</tr>
<tr valign="top">
<td width="153">
<p>Berkeley DB</p>
</td>
<td width="153">
<p><a href="http://www.openldap.org/lists/">OpenLDAP</a></p>
</td>
<td width="153">
<p><a href="http://www.samba.org/samba/archives.html">Samba TNG</a></p>
</td>
<td width="153">
<p><br>
</p>
</td>
</tr>
</tbody></table>
</dd></dl></dl>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.6.LDAPv3, why bother|outline"></a>
LDAPv3, why bother</h2>
<p class="text-body-indent"><a href="#6.6.1.Foreword%7Coutline">Foreword</a></p>
<p class="text-body-indent"><a href="#6.6.2.Papadoc,%20before%20conversion%7Coutline">Papadoc,
before conversion</a></p>
<p class="text-body-indent"><a href="#6.6.3.Why%20SSL/TLS?%7Coutline">Why
SSL/TLS?</a></p>
<p class="text-body-indent"><a href="#6.6.4.Why%20Kerberos?%7Coutline">Why
Kerberos?</a></p>
<p class="text-body-indent"><a href="#6.6.5.Kerberos%20replacement%20software%7Coutline">Kerberos
replacement software</a></p>
<p class="text-body-indent"><a href="#6.6.6.Why%20SASL?%7Coutline">Why
SASL?</a></p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.6.1.Foreword|outline"></a>
Foreword</h3>
<p><a name="why-foreword"></a>Why should we use so much encryption
and such a complicated setup, when user information (inclusive the
password) works so great together with libpam-ldap? Well, basicly the
keyword here is growth (and maybe security, even though many isn't
that paranoid as me :). To illustrate what I mean by growth, I will
show you the system I use, and the (small) differences to a system I
did for the company I worked for.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.6.2.Papadoc, before conversion|outline"></a>
Papadoc, before conversion</h3>
<p><a name="why-description_papadoc"></a>I only have one machine
(called papadoc for 'historical' reasons). This system 'only' hosts
five domains, with about 50 users (most of them family and friends).
Having users (and all there relevant information, such as UID/GID
number, home directory, passwords, mail address, mail aliases etc,
etc) in an LDAP database, using libpam-ldap to help authentication,
was my main reason for LDAP. Be able to structure users in a
tree-like fashion, with the possibility to have a fail-over system
(an extra LDAP database, a so called 'replica') is a very nice
feature. But I'm not going to tell you much about the reasoning for
LDAP in the first place, there are other, better HOWTOs/FAQs etc out
there.</p>
<p><a name="why-description_air2net"></a>At my previous job, we had
the exact same system, but with a lot more domains, a lot more users
and finally, a lot more machines. Since this was an ISP, redundancy
is vital. So a replica was quickly setup (so that we could have an
online backup of the user/mail database). Using round-robin (poor
mans load-balancer) reduced the load of the master database.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.6.3.Why SSL/TLS?|outline"></a>
Why SSL/TLS?</h3>
<p><a name="why-ssl_tls"></a>Here came (and comes for me to when, not
if, I add a second DB or a second machine, be it shell, mail server
or other type of system) the first big gripe I had with OpenLDAP1 (at
the time of this writing, I'm still running OpenLDAP v1.2.11 on my
system, but are slowly migrating to OpenLDAP2 according to this
document). Since OpenLDAP1 don't have built in support for SSL/TLS
(or any other secure authentication mechanism), all communication
between the master and slave (or by any of the other servers on the
network, about 50 or so at last count) is done in clear text! It's
quite easy for someone on the same network segment (yes, EVEN if it's
a switched network!) to listen on the communication and retrieving
all the passwords etc. This can be avoided to some extent by using
external programs to do the SSL tunnelling, such as <a href="http://stunnel.mirt.net/">stunnel</a>.
My experience with this is that it isn't that reliable. Stunnel dies
every now and then, and it's difficult to automate the process.
Another big gripe I had, was the fact that the replication DN and
password (options <b>replica</b> and <b>bindmethod</b>) have to be
stored in clear text in the configuration file. And the third thing
is that libpam-ldap is doing the authentication in clear text as
well. This isn't true any more (latest version, v99), since it can be
compiled with SSL support.
</p>
<p><a name="flow-libpam_ldap"></a>Using only PAM/LDAP, an
authentication happens something like this:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><i>login</i> -&gt; PAM -&gt; PAM/LDAP -&gt; LDAPServer</pre><p>
Everything between <i>login</i> and the LDAP server is clear text
communication.</p>
<p>Also imagine adding a second system, or putting the LDAP serveri
on it's own machine. All logins (be it login/imap/pop/ssh/ftp etc) is
verified in clear text between the system and the machine where the
LDAP database is residing. Now we have tree machines, the actual
server, the master LDAP database and the slave database (or a second
<i>login</i> system). Login in this text does refer to a <i>software
that does some kind of user authentication</i>, not the program
<b>login</b>. All communication back and forth is done in clear text,
giving anyone (basically) the chance to discover any password.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.6.4.Why Kerberos?|outline"></a>
Why Kerberos?</h3>
<p><a name="why-kerberos"></a>But why store the user passwords in the
Kerberos database in the first place? Why not just use it for/when we
need a replica (or replicas)? We only really need Kerberos to have a
service key, right? Nope, not quite true. The answer is quite simple
actually. Kerberos is designed solely as a secure password storage
database (with a secure authentication protocol) on an insecure
network. And contrary to popular belief, a local network <u>IS NOT</u>
to be considered a secure environment! LDAP, on the other hand, is
designed to be a database for distributed, public information.
</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.6.5.Kerberos replacement software|outline"></a><a name="6.6.5.Kerberos replacement software|outline"></a>
Kerberos replacement software</h3>
<p><a name="krb5_replacements"></a>Put simply, passwords are more
secure in a Kerberos database, than in a LDAP ditto. Besides, with at
least MIT Kerberos, there are special, kerberised binaries that
replace the original ones. This will give you a more secure way of
authentication (you don't have to go through PAM etc). The software
to let this be possible, is <b>libnss-ldap</b>. It will get all the
public information (such as UID/GID numbers, home directory etc, etc)
from LDAP, but look at the Kerberos server fo the password. Thus, all
sensitive information is encrypted, even before leaving the binary.
The binaries/services that can be replaced right-out-of-the-box is
<b>login</b>, <b>ftpd</b>, <b>ftp</b>, <b>rlogind</b>, <b>rlogin</b>,
<b>rshd</b>, <b>rsh</b>, <b>telnetd</b>, <b>telnet</b> and <b>passwd</b>.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.6.6.Why SASL?|outline"></a>
Why SASL?</h3>
<p><a name="why-sasl"></a>Oki, I guess I have convinced you why it is
imperative to use SSL/TLS, and we have discussed some of the nice
things about Kerberos. But why use SASL? Where does that come into
play? Well, when using the combination SASL and KerberosV (SASL can
use other means of storing password, Kerberos is just my choice), we
can use a KerberosV keytab to authenticate the master database with
the slave with. Thus, no need for any passwords etc in the <b>slapd</b>
configuration file. See <a href="#4.5.5.3.Creating%20a%20replication%20principal%7Coutline">Creating
a replication principal</a> for more about this. The reason we use
SASL, is because SASL is designed as a <i>middle-layer</i>. That is,
it sits between the LDAP server and the authentication system (in
this case, Kerberos). As mentioned, SASL could just as well use any
other authentication system, such as the default UNIX way
(/etc/passwd, /etc/group etc), it's own database file (usually
/etc/sasldb) etc. In theory, it can even use a LDAP database (which
might be a little redundant, and difficult do obtain, with out
creating authentication loops). With a little code writing, it's even
possible to use a KerberosIV server. Some use <b>libpam-smb</b> to
look-up the user/password on a Windows PDC. <i>Simply, SASL is
designed as a modular authentication protocol, and it's usage is as a
middle-layer</i>. The difference between SASL and PAM (which in many
ways resembles each other) is that SASL have integrity and
confidentiality protection, while PAM don't have anything like that.</p>
<p><a name="flow-ssl_sasl_kerb"></a>With all this stuff we have
discussed (LDAP, SSL/TLS, SASL and Kerberos), we get this flow of
authentication (remember the <a href="#flow-libpam_ldap">flow,
libpam_ldap</a>?):</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><i>login</i> -&gt; PAM -&gt; PAM/LDAP -&gt; SSL/TLS -&gt; SASL -&gt; LDAP -&gt; KerberosV</pre><p>
If we only want the UID/GID number etc (like when doing <b><u>ls -l</u></b>
etc), the communication stops at the LDAP server, and don't continue
with SASL/Kerberos.</p>
<p><a name="flow-kerberised"></a>There are still many hops the
information have to travel, many of them not that very secure (like
PAM). So to minimise that, we could replace many (preferably all) of
the programs with proper Kerberised binaries, see the section about
<a href="#6.6.5.Kerberos%20replacement%20software%7Coutline">Kerberos
replacement software</a>. That will create the following
authentication flow.</p>
<p>For public information:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><i>login</i> -&gt; NSS -&gt; NSS/LDAP -&gt; LDAP</pre><p>
and for password authentication:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><i>login</i> -&gt; Kerberos</pre><p>
Much cleaner, don't you think? A nice feature would be to have
SSL/TLS to the <b>libnss-ldap</b> software, but I'm not quite that
paranoid yet :). It might already have that option, I just haven't
bothered to check...</p>
<p><u>UPDATE</u>: I just recompiled the <b>libnss-ldap</b> package,
and if the OpenSSL development package are installed, <b>libnss-ldap</b>
will come with SSL/TLS.</p>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.Updates|outline"></a><a name="6.7.Updates|outline"></a>
Updates</h2>
<p>In the package listings below, the package names in <b>bold</b> is
the one you need if installing the rest of my packages (ie, just
using the packages, not building anyting yourself) and the ones in
<i>italic</i> is needed for building you own packages of the other
software. If you are very daring, have a look at the <a href="#5.4.Shortcuts%7Coutline">Shortcuts</a>
section.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.1.BerkeleyDB|outline"></a>
BerkeleyDB</h3>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.1.1.v3.3.11|outline"></a>
v3.3.11</h4>
<p><b><u>15/8 2001</u></b>: Build and install exactly like you did on
<a href="#4.2.1.Building%20and%20installing%20Berkeley%20DB%7Coutline">Building
and installing Berkeley DB</a>.</p>
<p>Unfortunately, Sleepycat have changed some of the interface, so
that OpenLDAP will have to be rewritten slightly to use the new
version of BerkeleyDB.</p>
<blockquote>THAT IS, OPENLDAP WILL NOT WORK WITH THIS VERSION OF
BERKELEYDB!</blockquote>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.2.OpenSSL|outline"></a>
OpenSSL</h3>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.2.1.v0.9.6a|outline"></a>
v0.9.6a</h4>
<p><b><u>28/5 2001</u></b>: Built v0.9.6a from the Debian GNU/Linux
sources. See <a href="#4.1.OpenSSL%7Coutline">OpenSSL</a>.</p>
<ul>
<li><p>These are the packages that got built:</p>
</li></ul>
<pre>openssl
libssl0.9.6
libssl-dev
ssleay</pre><h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="6.7.2.2.v0.9.6b|outline"></a>v0.9.6b</h4>
<p><b><u>15/8 2001</u></b>: Built v0.9.6b from the Debian GNU/Linux
sources. See <a href="#4.1.OpenSSL%7Coutline">OpenSSL</a>.</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.3.OpenLDAP|outline"></a>
OpenLDAP</h3>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.3.1.v2.0.10|outline"></a>
v2.0.10</h4>
<p><b><u>28/5 2001</u></b>: According to a mail on the
OpenLDAP-Software mailinglist:</p>
<pre>At 05:17 PM 5/22/01, Mark Whitehouse wrote:
I am experiencing some database corruption problems with back-ldbm using
Berkeley DB 3.2.9. Any advances over this configuration would especially
interest me.</pre>
<ul>
<li><p>This means that I will wait a while longer to upgrade...</p>
</li><li><p>Also, OpenLDAP2 v2.0.10 and .11 depends on libdb3 (which is
only availible in unstable). Unfortunatly, many packages depend on
libdb2, and they have to be upgraded as well...</p>
</li></ul>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.3.2.v2.0.11|outline"></a>
v2.0.11</h4>
<p><b><u>12/8 2001</u></b>: I'm currently testing this version, and
it works fine in a CHROOT jail.</p>
<p>I'll try to upgrade my machine the next couple of hours/days and
let you know...</p>
<ul>
<li><p>What I can say right away is, that I tried to compile this
yesterday, and when I installed the package, I got segfault from
slapd. My thoughts is that it linked against TWO different versions
of OpenSSL. I've been fiddling with upgrading OpenSSL due to some
security alerts, and somehow the old developer packages was left
behind.</p>
<p>This is what dpkg show me now:</p>
</li></ul>
<pre>[papadoc.pts/4]$ dpkg -l | grep ssl
ii libssl0.9.6 0.9.6b-1 SSL shared libraries
ii libssl09 0.9.4-5 SSL shared libraries
ii libssl09-dev 0.9.4-5 SSL development libraries
ii libssl095a 0.9.5a-5 SSL shared libraries
ii openssl 0.9.6b-1 Secure Socket Layer (SSL) binary and related</pre>
<ul>
<p>The troublesome package where:</p>
</ul>
<pre>[papadoc.pts/4]$ dpkg -l | grep ssl
ii libssl-dev 0.9.6b-1 SSL shared libraries</pre>
<ul>
<p>So after I replaced the libssl-dev package with libssl09-dev, it
seems to work (at least OpenSSL isn't compiled in twice as before).</p>
</ul>
<p>16/8 2001: I just don't seem to get this to work. I'm still
working on it though, since I <b><u><i>REALLY</i></u></b> need it!</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.3.3.v2.0.14|outline"></a>
v2.0.14</h4>
<p><b><u>21/11 2001</u></b>: I finally got this version to work! You
will have to patch <a href="http://www.bayour.com/kerberos/openldap-config.c.patch" target="_blank">servers/slurpd/config.c</a>.
This is what it looks like:</p>
<pre>diff -urN openldap-2.0.10/servers/slurpd/slurp.h openldap-2.0.10.new/servers/slurpd/slurp.h
--- openldap-2.0.10/servers/slurpd/config.c Mon Sep 18 18:08:08 2000
+++ openldap-2.0.10.new/servers/slurpd/config.c Thu May 24 15:29:17 2001
@@ -34,7 +34,7 @@
#include "slurp.h"
#include "globals.h"
-#define MAXARGS 100
+#define MAXARGS 500
/* Forward declarations */
static void add_replica LDAP_P(( char **, int ));</pre><p>
The patches you see in the <a href="#4.5.1.1.Bugs%20in%20OpenLDAP,%20v2.0.7%7Coutline">Bugs
in OpenLDAP, v2.0.7</a> section is <b><u><i>NOT</i></u></b> needed
with this version. The only patch necessary is the one above
(servers/slurpd/config.c). Also, this patch is <b><u><i>NOT</i></u></b>
needed with OpenLDAP <a href="#5.7.3.4.v2.0.18%7Coutline">v2.0.18</a>
and later! I'm currently trying to install that, I'll let you know...</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.3.4.v2.0.18|outline"></a>
v2.0.18</h4>
<p><b><u>21/11 2001</u></b>: This worked right out of the box! Weird!
No patches had to be applied, I just compiled it according to the
section Building OpenLDAP v2.</p>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.3.5.v2.0.21|outline"></a>
v2.0.21</h4>
<p><b><u>24/01 2002</u></b>: This worked out perfectly! No need for
any patches etc. Just compile and install!</p>
<blockquote>Note that you should really install this, and not
anything earlier. There is a bug in version 2.0.19 (and earlier I
assume).</blockquote>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.3.6.v2.0.22|outline"></a>
v2.0.22</h4>
<p><b><u>06/02 2002</u></b>: This worked out perfectly! No need for
any patches etc. Just compile and install!</p>
<p>Just for the record, these are the changed files in the Debian
GNU/Linux package. Other than this, I made no changes...</p>
<ol>
<li><pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">The <a href="http://www.bayour.com/kerberos/openldap2-2.0.22_debian_rules.patch.txt" target="_blank">debian/rules</a></pre>
</li><li><pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">The <a href="http://www.bayour.com/kerberos/openldap2-2.0.22_debian_changelog.patch.txt" target="_blank">debian/changelog</a></pre>
</li></ol>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.3.7.v2.0.23|outline"></a>
v2.0.23</h4>
<p><b><u>26/03 2003</u></b>: Same as previous version. Works great!
Same modifications as v2.0.22.</p>
<ol>
<li><pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">The <a href="http://www.bayour.com/kerberos/openldap2-2.0.23_debian_rules.patch.txt" target="_blank">debian/rules</a></pre>
</li><li><pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">The <a href="http://www.bayour.com/kerberos/openldap2-2.0.23_debian_changelog.patch.txt" target="_blank">debian/changelog</a></pre>
</li></ol>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.4.CyrusSASL|outline"></a>
CyrusSASL</h3>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.4.1.v1.5.27|outline"></a>
v1.5.27</h4>
<p><b><u>20/11 2001</u></b>: Thanx to Allan Streib, I got some
updates on the new CurysSASL software:</p>
<ol>
<li><pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">There is a potential security vulnerability in cyrus-sasl versions prior to 1.5.27. It is described at: <a href="http://xforce.iss.net/static/7443.php" target="_blank">http://xforce.iss.net/static/7443.php</a></pre>
</li><li><pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">To close the vulnerability above, I downloaded version 1.5.27 from the cyrus FTP site. I found that the problem corrected by your patch 1 has been corrected in this version of gssapi.c. However the second problem (REALM being dropped in a GSSAPI SASL bind) is still there. But your second patch file could not be applied, as there are enough other changes to gssapi.c that patch(1) could not resolve the context. I created the attached patch which corrects the problem in the 1.5.27 release. To apply it, change to the plugins directory and enter:</pre>
<ol>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">$ patch &lt; <a href="http://www.bayour.com/kerberos/cyrus-sasl-1.5.27-gssapi.patch" target="_blank">cyrus-sasl-1.5.27-gssapi.patch</a></pre>
</ol>
</li></ol>
<p><b><u>26/03 2002</u></b>: Rein Tollevik found a problem with
chain-crashing postfix-tls using SASL LDAP authentication. Without
this patch, all applications that both link to OpenLDAP and use SASL
(maybe through PAM) will segfault. Apply this patch by issuing the
command:</p>
<pre style="margin-top: 0,2cm; margin-bottom: 0,5cm;">patch -p1 &lt; <a href="http://www.bayour.com/kerberos/cyrus-sasl-1.5.27-sasl_allocation_locked.patch" target="_blank">cyrus-sasl-1.5.27-sasl_allocation_locked.patch</a></pre><h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="6.7.5.MIT KerberosV|outline"></a>MIT KerberosV</h3>
<h4 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.7.5.1.v1.2.4|outline"></a>
v1.2.4</h4>
<p>04/03 2002: I'm currently looking into compiling this. These are
the changes between the 1.2.2 and 1.2.4 releases:</p>
<pre><a href="http://web.mit.edu/kerberos/www/krb5-1.2/README-1.2.3.txt" target="_blank">Changes between 1.2.2 and 1.2.3</a>
<a href="http://web.mit.edu/kerberos/www/krb5-1.2/README-1.2.4.txt" target="_blank">Changes between 1.2.3 and 1.2.4</a></pre><h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;">
<a name="6.8.My configuration files|outline"></a>My configuration
files</h2>
<p>Just to make sure that there are no typos or that you haven't
misunderstood etc anything in my configuration examples, these are my
configuration files (they are however censored). With these files,
everything works like a charm. Replication, Secure searches and
updates, simple binds etc, etc... They might not be absolutely
optimised, but they work...</p>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.8.1.Master LDAP server|outline"></a>
Master LDAP server</h3>
<dl><dl><dd>
<table width="614" border="0" cellpadding="0" cellspacing="0">
<col width="286">
<col width="328">
<tbody><tr valign="top">
<td width="286">
<p>Start script</p>
</td>
<td width="328">
<p><a href="http://www.bayour.com/openldap/slapd.txt" target="_blank">/etc/init.d/slapd</a></p>
</td>
</tr>
<tr valign="top">
<td width="286">
<p>Configuration file</p>
</td>
<td width="328">
<p><a href="http://www.bayour.com/openldap/slapd.conf.txt" target="_blank">/etc/ldap/slapd.conf</a></p>
</td>
</tr>
<tr valign="top">
<td width="286">
<p>Access Control Lists file</p>
</td>
<td width="328">
<p><a href="http://www.bayour.com/openldap/slapd.access.txt" target="_blank">/etc/ldap/slapd.access</a></p>
</td>
</tr>
</tbody></table>
</dd></dl></dl>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.8.2.Slave LDAP server|outline"></a>
Slave LDAP server</h3>
<dl><dl><dd>
<table width="614" border="0" cellpadding="0" cellspacing="0">
<col width="287">
<col width="327">
<tbody><tr valign="top">
<td width="287">
<p>Start script</p>
</td>
<td width="327">
<p><a href="http://www.bayour.com/openldap/slapd.backup.txt" target="_blank">/etc/init.d/slapd.backup</a></p>
</td>
</tr>
<tr valign="top">
<td width="287">
<p>Configuration file</p>
</td>
<td width="327">
<p><a href="http://www.bayour.com/openldap/slapd.conf.backup.txt" target="_blank">/etc/ldap/slapd.conf.backup</a></p>
</td>
</tr>
<tr valign="top">
<td width="287">
<p>Access Control Lists file</p>
</td>
<td width="327">
<p><a href="http://www.bayour.com/openldap/slapd.access.backup.txt" target="_blank">/etc/ldap/slapd.access.backup</a></p>
</td>
</tr>
</tbody></table>
</dd></dl></dl>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.8.3.PAM/LDAP files|outline"></a>
PAM/LDAP files</h3>
<dl><dl><dd>
<table width="614" border="0" cellpadding="0" cellspacing="0">
<col width="288">
<col width="326">
<tbody><tr valign="top">
<td width="288">
<p>Name Service Switch configuration file</p>
</td>
<td width="326">
<p><a href="http://www.bayour.com/openldap/nsswitch.conf.txt" target="_blank">/etc/nsswitch.conf</a></p>
</td>
</tr>
<tr valign="top">
<td width="288">
<p>Configuration file for LDAP NSS library</p>
</td>
<td width="326">
<p><a href="http://www.bayour.com/openldap/libnss-ldap.conf.txt" target="_blank">/etc/libnss-ldap.conf</a></p>
</td>
</tr>
<tr valign="top">
<td width="288">
<p>Configuration file for LDAP PAM library</p>
</td>
<td width="326">
<p><a href="http://www.bayour.com/openldap/pam_ldap.conf.txt" target="_blank">/etc/pam_ldap.conf</a></p>
</td>
</tr>
</tbody></table>
</dd></dl></dl>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="6.8.4.Misc files|outline"></a>
Misc files</h3>
<dl><dl><dd>
<table width="615" border="0" cellpadding="0" cellspacing="0">
<col width="288">
<col width="327">
<tbody><tr valign="top">
<td width="288">
<p>LDAP configuration file</p>
</td>
<td width="327">
<p><a href="http://www.bayour.com/openldap/ldap.conf.txt" target="_blank">/etc/ldap/ldap.conf</a></p>
</td>
</tr>
<tr valign="top">
<td width="288">
<p>KerberosV configuration file</p>
</td>
<td width="327">
<p><a href="http://www.bayour.com/openldap/krb5.conf.txt" target="_blank">/etc/krb5.conf</a></p>
</td>
</tr>
<tr valign="top">
<td width="288">
<p>Tables for driving cron</p>
</td>
<td width="327">
<p><a href="http://www.bayour.com/openldap/crontab.txt" target="_blank">/etc/crontab</a></p>
</td>
</tr>
</tbody></table>
</dd></dl></dl>
<h1><a name="7.Reference material|outline"></a>Reference material</h1>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="7.1.Patches|outline"></a>
Patches</h2>
<dl><dl><dd>
<table width="615" border="0" cellpadding="0" cellspacing="0">
<col width="615">
<tbody><tr>
<td width="615" valign="top">
<p style="margin-top: 0,51cm;"><a href="http://www.sxw.org.uk/computing/patches/openssh.html">OpenSSH+Kerberos</a></p>
</td>
</tr>
</tbody></table>
</dd></dl></dl>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="7.2.LDAP|outline"></a>
LDAP</h2>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="7.2.1.LDAPv2|outline"></a>
LDAPv2</h3>
<dl><dl><dd>
<table width="726" border="0" cellpadding="0" cellspacing="0">
<col width="149">
<col width="577">
<tbody><tr valign="top">
<td width="149">
<p style="margin-top: 0,51cm;">RFC1777</p>
</td>
<td width="577">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc1777.html">Lightweight
Directory Access Protocol</a></p>
</td>
</tr>
<tr valign="top">
<td width="149">
<p style="margin-top: 0,51cm;">RFC1778</p>
</td>
<td width="577">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc1778.html">The
String Representation of Standard Attribute Syntaxes</a></p>
</td>
</tr>
<tr valign="top">
<td width="149">
<p style="margin-top: 0,51cm;">RFC1779</p>
</td>
<td width="577">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc1779.html">A
String Representation of Distinguished Names</a></p>
</td>
</tr>
<tr valign="top">
<td width="149">
<p style="margin-top: 0,51cm;">RFC1959</p>
</td>
<td width="577">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc1959.html">An
LDAP URL format</a></p>
</td>
</tr>
<tr valign="top">
<td width="149">
<p style="margin-top: 0,51cm;">RFC1960</p>
</td>
<td width="577">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc1960.html">A
String Representation of LDAP Search Filters</a></p>
</td>
</tr>
<tr valign="top">
<td width="149">
<p style="margin-top: 0,51cm;">RFC1823</p>
</td>
<td width="577">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc1823.html"><font face="Helvetica, sans-serif">The
LDAP Application Program Interface (C language API)</font></a></p>
</td>
</tr>
<tr valign="top">
<td width="149">
<p style="margin-top: 0,51cm;">RFC 2596</p>
</td>
<td width="577">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc2596.html"><font face="Helvetica, sans-serif">Use
of Language Codes in LDAP</font></a></p>
</td>
</tr>
</tbody></table>
</dd></dl></dl>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="7.2.2.LDAPv3|outline"></a>
LDAPv3</h3>
<dl><dl><dd>
<table width="727" border="0" cellpadding="0" cellspacing="0">
<col width="148">
<col width="579">
<tbody><tr valign="top">
<td width="148">
<p style="margin-top: 0,51cm;">RFC 2251</p>
</td>
<td width="579">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc2251.html">Lightweight
Directory Access protocol</a></p>
</td>
</tr>
<tr valign="top">
<td width="148">
<p style="margin-top: 0,51cm;">RFC 2252</p>
</td>
<td width="579">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc2252.html">LDAPv3:
Attribute Syntax Definitions</a></p>
</td>
</tr>
<tr valign="top">
<td width="148">
<p style="margin-top: 0,51cm;">RFC 2253</p>
</td>
<td width="579">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc2253.html">LDAPv3:
UTF-8 String representation of Distiguished Names</a></p>
</td>
</tr>
<tr valign="top">
<td width="148">
<p style="margin-top: 0,51cm;">RFC 2254</p>
</td>
<td width="579">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc2254.html">The
string representation of LDAP search filters</a></p>
</td>
</tr>
<tr valign="top">
<td width="148">
<p style="margin-top: 0,51cm;">RFC 2255</p>
</td>
<td width="579">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc2255.html">The
LDAP URL format</a></p>
</td>
</tr>
<tr valign="top">
<td width="148">
<p style="margin-top: 0,51cm;">RFC 2256</p>
</td>
<td width="579">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc2256.html">A
summary of the X.500(96) User Schema for use with LDAPv3</a></p>
</td>
</tr>
<tr valign="top">
<td width="148">
<p style="margin-top: 0,51cm;">RFC 2830</p>
</td>
<td width="579">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc2830.html">LDAPv3:
Extension for Transport Layer Security</a></p>
</td>
</tr>
<tr valign="top">
<td width="148">
<p style="margin-top: 0,51cm;"><br>
</p>
</td>
<td width="579">
<p style="margin-top: 0,51cm;"><br>
</p>
</td>
</tr>
<tr valign="top">
<td width="148">
<p style="margin-top: 0,51cm;">Readme</p>
</td>
<td width="579">
<p style="margin-top: 0,51cm;"><a href="http://java.sun.com/products/jndi/tutorial/ldap/models/v3.html">Some
differences between LDAPv2 and LDAPv3</a></p>
</td>
</tr>
</tbody></table>
</dd></dl></dl>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="7.3.Authentication|outline"></a>
Authentication</h2>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="7.3.1.SASL|outline"></a>
SASL</h3>
<dl><dl><dd>
<table width="728" border="0" cellpadding="0" cellspacing="0">
<col width="147">
<col width="581">
<tbody><tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">RFC 2222</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="http://www.ietf.org/rfc/rfc2222.txt">Simple
Authentication and Security Layer (SASL)</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">RFC 2245</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="http://www.ietf.org/rfc/rfc2245.txt">Anonymous
SASL Mechanism</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">RFC 2444</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="http://www.ietf.org/rfc/rfc2444.txt">The
One-Time-Password SASL Mechanism</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">RFC 2829</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc2829.html">Strong
Authentication Methods for LDAP (SASL)</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;"><br>
</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><br>
</p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">Draft</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="ftp://ietf.org/internet-drafts/draft-leach-digest-sasl-03.txt">Using
Digest Authentication as a SASL Mechanism</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">Draft</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="ftp://ietf.org/internet-drafts/draft-ietf-cat-sasl-gssapi-00.txt">SASL
GSSAPI Mechanisms</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">Draft</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="ftp://ietf.org/internet-drafts/draft-nystrom-securid-sasl-00.txt">The
SecurID(r) SASL Mechanism</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">Draft</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="ftp://ietf.org/internet-drafts/draft-ietf-ldapext-x509-sasl-01.txt">X.509
Authentication SASL Mechanism</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">Draft</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="ftp://ietf.org/internet-drafts/draft-newman-telnet-sasl-01.txt">Telnet
SASL Option</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">Draft</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="ftp://ietf.org/internet-drafts/draft-weltman-java-sasl-01.txt">The
Java SASL Application Program Interface</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">Draft</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="ftp://ietf.org/internet-drafts/draft-myers-sasl-pop3-05.txt">POP3
AUTHentication command</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">Draft</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="ftp://ietf.org/internet-drafts/draft-newman-sasl-passdss-01.txt">DSS
Secured Password Authentication Mechanism</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">Draft</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="ftp://ietf.org/internet-drafts/draft-overell-roaming-elgamal-sasl-00.txt">ROAMING-ELGAMAL
SASL Authentication Mechanism</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">Draft</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="http://asg.web.cmu.edu/cyrus/download/sasl/doc/draft-newman-auth-scram-03.txt">Salted
Challenge Response Authentication Mechanism (SCRAM)</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;"><br>
</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><br>
</p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">Documentation</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="http://asg.web.cmu.edu/cyrus/download/sasl/doc/">Cyrus
SASL library for System Administrators</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">Documentation</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="http://asg.web.cmu.edu/cyrus/download/sasl/doc/gssapi.html">Configuring
GSSAPI and Cyrus SASL</a></p>
</td>
</tr>
<tr valign="top">
<td width="147">
<p style="margin-top: 0,51cm;">Documentation</p>
</td>
<td width="581">
<p style="margin-top: 0,51cm;"><a href="http://asg.web.cmu.edu/cyrus/download/sasl/doc/programming.html">SASL
Programmer's Guide</a></p>
</td>
</tr>
</tbody></table>
</dd></dl></dl>
<h3 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="7.3.2.Kerberos|outline"></a>
Kerberos</h3>
<dl><dl><dd>
<table width="728" border="0" cellpadding="0" cellspacing="0">
<col width="146">
<col width="582">
<tbody><tr valign="top">
<td width="146">
<p style="margin-top: 0,51cm;">RFC 1510</p>
</td>
<td width="582">
<p style="margin-top: 0,51cm;"><a href="http://www.ietf.org/rfc/rfc1510.txt">Kerberos
v5</a></p>
</td>
</tr>
<tr valign="top">
<td width="146">
<p style="margin-top: 0,51cm;"><br>
</p>
</td>
<td width="582">
<p style="margin-top: 0,51cm;"><br>
</p>
</td>
</tr>
<tr valign="top">
<td width="146">
<p style="margin-top: 0,51cm;">HOWTO</p>
</td>
<td width="582">
<p style="margin-top: 0,51cm;"><a href="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">Frequently
Asked Questions about Kerberos v5</a></p>
</td>
</tr>
<tr valign="top">
<td width="146">
<p style="margin-top: 0,51cm;">HOWTO</p>
</td>
<td width="582">
<p style="margin-top: 0,51cm;"><a href="http://www.ornl.gov/%7Ejar/HowToKerb.html">How
to Kerberize your site</a></p>
</td>
</tr>
<tr valign="top">
<td width="146">
<p style="margin-top: 0,51cm;">Readme</p>
</td>
<td width="582">
<p style="margin-top: 0,51cm;"><a href="http://web.mit.edu/Kerberos/www/dialogue.html">Designing
an Authentication System: a Dialogue in Four Scenes</a></p>
</td>
</tr>
</tbody></table>
</dd></dl></dl>
<h2 style="margin-top: 0,2cm; margin-bottom: 0,5cm;"><a name="7.4.Other|outline"></a>
Other</h2>
<dl><dl><dd>
<table width="728" border="0" cellpadding="0" cellspacing="0">
<col width="146">
<col width="582">
<tbody><tr valign="top">
<td width="146">
<p style="margin-top: 0,51cm;">RFC 1321</p>
</td>
<td width="582">
<p style="margin-top: 0,51cm;"><a href="http://www.ietf.org/rfc/rfc1321.txt">The
MD5 Message-Digest Algorithm</a></p>
</td>
</tr>
<tr valign="top">
<td width="146">
<p style="margin-top: 0,51cm;">RFC 2052</p>
</td>
<td width="582">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc2052.html">A
DNS RR for specifying the location of services (DNS SRV)</a></p>
</td>
</tr>
<tr valign="top">
<td width="146">
<p style="margin-top: 0,51cm;">RFC 2104</p>
</td>
<td width="582">
<p style="margin-top: 0,51cm;"><a href="http://www.ietf.org/rfc/rfc2104.txt">HMAC:
Keyed-Hashing for Message Authentication</a></p>
</td>
</tr>
<tr valign="top">
<td width="146">
<p style="margin-top: 0,51cm;">RFC 2247</p>
</td>
<td width="582">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc2247.html">Using
Domains in LDAP/X.500 Distinguished Names</a></p>
</td>
</tr>
<tr valign="top">
<td width="146">
<p style="margin-top: 0,51cm;">RFC 2849</p>
</td>
<td width="582">
<p style="margin-top: 0,51cm;"><a href="http://rfc.net/rfc2849.html">The
LDAP Data Interchange Format (LDIF)</a></p>
</td>
</tr>
<tr valign="top">
<td width="146">
<p style="margin-top: 0,51cm;"><br>
</p>
</td>
<td width="582">
<p style="margin-top: 0,51cm;"><br>
</p>
</td>
</tr>
<tr valign="top">
<td width="146">
<p style="margin-top: 0,51cm;">IBM Redbook</p>
</td>
<td width="582">
<p style="margin-top: 0,51cm;"><a href="http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/sg244986.html?Open">Understanding
LDAP</a></p>
</td>
</tr>
</tbody></table>
</dd></dl></dl>
<p><EFBFBD> <sdfield type="DATETIME" sdval="36958,5288020833" sdnum="1053;1053;D MMM YYYY">8 mar 2001</sdfield>,
Turbo Fredriksson &lt;turbo@bayour.com&gt;. Last changed: <sdfield type="DATETIME" sdnum="1053;1053;D MMM YYYY">1 nov 2002</sdfield>
</p>
<p>Total number of access:
</p>
</body></html>