Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

Purpose:

This how-to is for the users who want to setup an environment with CAS in front and OpenLDAP, GSSAPI, Kerberos as the authorization engine.

Environment: 

Server: Fedora Core 6 + CAS 3.1 + Tomcat 5.5.20 + OpenLDAP 2.3.30 + Cyrus SASL 2.1.22 + Kerboeros 1.5-23

Client: Fedora Core 6 + Firefox 2

      Windows XP + IE6 SP2

Config DNS:

To make SSL and Kerberos work, I have to config DNS at the very beginning.

1. Edit /etc/named.conf, add langhua zone:

/etc/named.conf
zone "1.168.192.IN-ADDR.ARPA." IN {
        type master;
        file "192.168.1.db";
};

zone "langhua." IN {
        type master;
        file "named.langhua";
};

2. Create /var/named/named.langhua

/var/named/named.langhua
$TTL 1H
@	SOA	localhost.	root.localhost. (	2
						3H
						1H
						1W
						1H )
	NS	localhost.

auth.langhua.                          IN 1H A 192.168.1.110

_kerberos                              IN TXT "AUTH.LANGHUA"
_kerberos._udp.auth.langhua.           IN SRV 0 0 88  auth.langhua.
_kerberos-master._udp.auth.langhua.    IN SRV 0 0 88  auth.langhua.
_kerberos-adm._tcp.auth.langhua.       IN SRV 0 0 749 auth.langhua.
_kpasswd._udp.auth.langhua.            IN SRV 0 0 464 auth.langhua.

_ldap._tcp.auth.langhua.               IN SRV 0 0 389 auth.langhua.
_ldap._tcp.dc._msdcs.auth.langhua.     IN SRV 0 0 389 auth.langhua.
_kerberos._tcp.dc._msdcs.auth.langhua. IN SRV 0 0 88  auth.langhua.

3. Create /var/name/192.168.1.db

/var/name/192.168.1.db
$TTL 1H
@	SOA	localhost.	root.localhost. (	2
						3H
						1H
						1W
						1H )
	NS	localhost.
110	PTR	auth.langhua.

4. nslookup auth.langhua

Server: 192.168.1.110
Address: 192.168.1.110#53

Name: auth.langhua
Address: 192.168.1.110

5. dig -x 192.168.1.110

; <<>> DiG 9.3.4-P1 <<>> -x 192.168.1.110
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3829
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;110.1.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
110.1.168.192.in-addr.arpa. 3600 IN PTR auth.langhua.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 3600 IN NS localhost.

;; ADDITIONAL SECTION:
localhost. 86400 IN A 127.0.0.1
localhost. 86400 IN AAAA ::1

;; Query time: 1 msec
;; SERVER: 192.168.1.110#53(192.168.1.110)
;; WHEN: Thu Nov 29 04:53:02 2007
;; MSG SIZE rcvd: 137

Config Kerberos:

1. Config /etc/krb5.conf

/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AUTH.LANGHUA
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = true

[realms]
 AUTH.LANGHUA = {
  kdc = auth.langhua:88
  admin_server = auth.langhua:749
  default_domain = langhua
 }

[domain_realm]
.langhua = AUTH.LANGHUA

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

2. kdb5_util create -s

3. Add users to Kerberos

kadmin.local -q "addprinc krbadm@AUTH.LANGHUA"
kadmin.local -q "addprinc ldapadm@AUTH.LANGHUA"
kadmin.local -q "addprinc host/auth.langhua@AUTH.LANGHUA"
kadmin.local -q "addprinc ldap/auth.langhua@AUTH.LANGHUA"

If you face this error in this step, delete the files under /var/kerberos/krb5kdc/ and redo the above step 2 and 3:
kadmin.local: Cannot find/read stored master key while initializing kadmin.local interface

4. Edit /var/kerberos/krb5kdc/kdc.conf

This file is configed in /etc/krb5.conf.

/var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

[realms]
  AUTH.LANGHUA = {
  master_key_type = des3-hmac-sha1
  supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
 }

5. Edit /var/kerberos/krb5kdc/kadm5.acl

This file is configed in /var/kerberos/krb5kdc/kdc.conf.

/var/kerberos/krb5kdc/kadm5.acl
kadmin/admin@AUTH.LANGHUA              *
ldap/auth.langhua@AUTH.LANGHUA         *
krbadm@AUTH.LANGHUA                    *
*/*@AUTH.LANGHUA                       i
host/auth.langhua@AUTH.LANGHUA         *

6. Config /var/kerberos/krb5kdc/kadm5.keytab

This file is configed in /var/kerberos/krb5kdc/kdc.conf.
kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin"
kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw"

  • No labels