Kerberos with an LDAP backend still uses db2


I have installed and configured LDAP, and installed and configured Kerberos to use LDAP as its backend, as follows:

[dbdefaults]
    ldap_kerberos_container_dn = dc=voltage,dc=com

[dbmodules]
    openldap_ldapconf = {
            db_library = kldap
            ldap_kdc_dn = "cn=admin,dc=voltage,dc=com"

            # this object needs to have read rights on
            # the realm container, principal container and realm sub-trees
            ldap_kadmind_dn = "cn=admin,dc=voltage,dc=com"

            # this object needs to have read and write rights on
            # the realm container, principal container and realm sub-trees
            ldap_service_password_file = /etc/krb5kdc/service.keyfile
            ldap_servers = ldap://ldap.voltage.com
            ldap_conns_per_server = 5
    }

But when I go into kadmin.local and try:

addprinc -x dn="uid=sam,ou=ssn,dc=voltage,dc=com" sam

I get

add_principal: Unsupported argument "dn=uid=sam,ou=ssn,dc=voltage,dc=com" for db2 while creating "[email protected]".

That means kadmin is trying to add the principal to db2 instead of the LDAP backend, right?

I have also done:

sudo kdb5_ldap_util -D  cn=admin,dc=example,dc=com create -subtrees \
dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com

sudo kdb5_ldap_util -D  cn=admin,dc=example,dc=com stashsrvpw -f \
/etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

Of course, with example renamed to voltage. Both commands ran successfully and reported that the new REALM had been created.

Any help is appreciated.

Answer 1

I kept getting the same error until I updated /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf, adding database_module under the realms section and adding the dbdefaults and dbmodules sections. I am on RHEL 6; below are examples based on my krb5.conf and kdc.conf.

/etc/krb5.conf

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = VOLTAGE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    VOLTAGE.COM = {
        kdc = server1.voltage.com
        admin_server = server1.voltage.com
        default_domain = voltage.com
        database_module = openldap_ldapconf
    }

[domain_realm]
    .voltage.com = VOLTAGE.COM
    voltage.com = VOLTAGE.COM

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

[dbdefaults]
    ldap_kerberos_container_dn = dc=voltage,dc=com

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "cn=admin,dc=voltage,dc=com"
        ldap_kadmind_dn = "cn=admin,dc=voltage,dc=com"
        ldap_service_password_file = /var/kerberos/krb5kdc/service.keyfile
        ldap_servers = ldaps://ldap.voltage.com
        ldap_conns_per_server = 5
    }

/var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    VOLTAGE.COM = {
        database_module = openldap_ldapconf
        master_key_type = aes256-cts
        key_stash_file = /var/kerberos/krb5kdc/.k5.VOLTAGE.COM
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
    }

[dbdefaults]
    ldap_kerberos_container_dn = dc=voltage,dc=com

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "cn=admin,dc=voltage,dc=com"
        ldap_kadmind_dn = "cn=admin,dc=voltage,dc=com"
        ldap_service_password_file = /var/kerberos/krb5kdc/service.keyfile
        ldap_servers = ldaps://ldap.voltage.com
        ldap_conns_per_server = 5
    }

Then restart the Kerberos server processes and add your user principals.

Hope that helps!

Answer 2

Perhaps your realm is missing "database_module = openldap_ldapconf":

[realms]
    BEISPIEL.DE = {
            kdc = kdc01.beispiel.de
            kdc = kdc02.beispiel.de
            admin_server = kdc01.beispiel.de
            admin_server = kdc02.beispiel.de
            default_domain = beispiel.de
            database_module = openldap_ldapconf    # MISSING!?!?!?!
    }
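Both answers point at the same cause: a realm stanza without database_module makes the KDC and kadmin fall back to the built-in db2 backend, no matter what [dbmodules] defines. The following is an added example, not code from either answer or from MIT Kerberos, that parses the krb5.conf stanza format and reports which backend each realm actually resolves to; the two sample configs are constructed from the question's layout.

```python
import re
SECTION_RE = re.compile(r"^\[(\w+)\]$")
KEY_RE = re.compile(r"^([\w.]+)\s*=\s*(.*)$")

def parse_krb5_conf(text):
    """Parse krb5.conf stanzas ([section], key = value, key = { ... }) into nested dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and whitespace
        m = SECTION_RE.match(line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
        elif line == "}":
            stack.pop()  # close the innermost { ... } block
        elif stack and (m := KEY_RE.match(line)):
            key, value = m.group(1), m.group(2).strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))  # open a nested block
            else:
                stack[-1][key] = value.strip('"')
    return root

def check_realm_backends(text):
    """Return realm -> db_library of its module, 'db2-fallback' or 'undefined-module'."""
    conf = parse_krb5_conf(text)
    modules = conf.get("dbmodules", {})
    result = {}
    for realm, settings in conf.get("realms", {}).items():
        module = settings.get("database_module")
        if module is None:
            result[realm] = "db2-fallback"  # no key: KDC and kadmin silently use db2
        elif module not in modules:
            result[realm] = "undefined-module"  # key names a module [dbmodules] lacks
        else:
            result[realm] = modules[module].get("db_library", "unknown")
    return result

# Constructed sample mirroring the question: [realms] carries no database_module.
BROKEN_CONF = """\
[realms]
    VOLTAGE.COM = {
        kdc = server1.voltage.com
    }
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "cn=admin,dc=voltage,dc=com"  # needs read rights on the realm container
    }
"""
FIXED_CONF = BROKEN_CONF.replace(  # add the line both answers say was missing
    "VOLTAGE.COM = {", "VOLTAGE.COM = {\n        database_module = openldap_ldapconf")
```

Run it over both /etc/krb5.conf and kdc.conf, since the realm stanza in each file must name the module.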
