Autentisering via LDAP och Kerberos i CentOS 7: Difference between revisions

Created page with "authconfig --savebackup=original authconfig --enableldap --ldapserver="ldap://ns1.kerwien.se/" --ldapbasedn="dc=kerwien,dc=se" --enableldapstarttls --enablekrb5 --krb5kdc="ns..."
 
mNo edit summary
 
(56 intermediate revisions by the same user not shown)
Line 1: Line 1:
authconfig --savebackup=original
__NOTOC__
Denna guide visar hur man sätter upp autentisering via LDAP/Kerberos i CentOS 7. Vi kommer använda SSSD och i guiden heter Kerberos realm EXAMPLE.COM och servern med Kerberos och LDAP heter ns.example.com. Klienten vi sätter upp heter client.example.com.
__TOC__


authconfig --enableldap --ldapserver="ldap://ns1.kerwien.se/" --ldapbasedn="dc=kerwien,dc=se" --enableldapstarttls --enablekrb5 --krb5kdc="ns1.kerwien.se" --krb5adminserver="ns1.kerwien.se" --krb5realm="KERWIEN.SE" --enablecache --update
=== Kerberos ===
Installera följande:
{{RootCmd|yum install krb5-workstation sssd}}


{{Category:Guide}}
Spara undan befintlig settings:
{{RootCmd|<nowiki>authconfig --savebackup=original</nowiki>}}
 
Enable:a autentisering via Kerberos:
{{RootCmd|<nowiki>authconfig --krb5kdc=ns.example.com --krb5adminserver=ns.example.com --krb5realm=EXAMPLE.COM --update</nowiki>}}
Testa att du kan skaffa en Kerberos ticket.
 
Skapa en keytab fil för klienten. Logga in mot din KDC med admin-konto som har rättighet att skapa Kerberos principals:
{{RootCmd|kadmin -p kadmin/admin}}
Kör kadmin kommandot:
{{bc|kadmin: addprinc -randkey host/client.example.com@EXAMPLE.COM}}
Spara sen nycklarna i filen /etc/krb5.keytab:
{{bc|kadmin: ktadd -k /etc/krb5.keytab host/client.example.com@EXAMPLE.COM}}
Logga ut från kadmin.
 
=== SSSD ===
 
Editera filen /etc/sssd/sssd.conf:
{{bc|1=
[sssd]
config_file_version = 2
services = nss, pam
domains = LOCAL, EXAMPLE.COM
 
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
 
[pam]
reconnection_retries = 3
 
[domain/LOCAL]
id_provider = local
auth_provider = local
access_provider = permit
 
[domain/EXAMPLE.COM]
debug_level = 0
enumerate = false
min_id = 5000
cache_credentials = true
 
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = simple
sudo_provider = none
 
ldap_uri = ldap://ns.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/openldap/cacerts/example.com-ca.crt
 
krb5_realm = EXAMPLE.COM
krb5_server = ns.example.com
krb5_kpasswd = ns.example.com
}}
 
{{RootCmd|chmod 600 /etc/sssd/sssd.conf}}
 
Kopiera ditt CA certifikat till filen /etc/openldap/cacerts/example.com-ca.crt, kör sedan kommandot:
{{RootCmd|cacertdir_rehash /etc/openldap/cacerts}}
 
Starta sssd:
{{RootCmd|systemctl enable sssd
|systemctl start sssd}}
 
Enable:a användarinformation via SSSD:
{{RootCmd|authconfig --enablesssd --enablesssdauth --update}}
 
Kontrollera med:
{{RootCmd|getent passwd <user>
|getent group <group>
}}
 
== LDAP ==
 
Installera:
{{RootCmd|yum install openldap-client}}
 
{{RootCmd|<nowiki>authconfig --ldapserver=ns.example.com --ldapbasedn="dc=example,dc=com" --enableldapstarttls --update</nowiki>}}
 
Kontrollera med:
{{RootCmd|kinit anna
|ldapwhoami
|kdestroy
|<nowiki>ldapwhoami -D uid=anna,ou=people,dc=example,dc=com -W</nowiki>}}
 
[[Category:GammalGuide]]
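Review bot: The `[domain/EXAMPLE.COM]` block sets `access_provider = simple` but defines no `simple_allow_users` or `simple_allow_groups` list, and the simple provider grants access to everyone when all of its lists are empty, so any account in the directory can log in on this client; add a line such as `simple_allow_groups = <placeholder: group permitted on this client>` (constructed example) or explain in the text that this is intended. The keytab step would also benefit from a verification sentence after the `ktadd` command, e.g. "Kontrollera med `klist -k /etc/krb5.keytab` och att filen bara är läsbar för root", since the host key is the client's long-term credential. Note that `cache_credentials = true` stores password hashes locally for offline login, which the guide could state as a deliberate trade-off next to the `chmod 600` step.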

Latest revision as of 13:59, 12 August 2023

Denna guide visar hur man sätter upp autentisering via LDAP/Kerberos i CentOS 7. Vi kommer använda SSSD och i guiden heter Kerberos realm EXAMPLE.COM och servern med Kerberos och LDAP heter ns.example.com. Klienten vi sätter upp heter client.example.com.

Kerberos

Installera följande:

root # yum install krb5-workstation sssd

Spara undan befintlig settings:

root # authconfig --savebackup=original

Enable:a autentisering via Kerberos:

root # authconfig --krb5kdc=ns.example.com --krb5adminserver=ns.example.com --krb5realm=EXAMPLE.COM --update

Testa att du kan skaffa en Kerberos ticket.

Skapa en keytab fil för klienten. Logga in mot din KDC med admin-konto som har rättighet att skapa Kerberos principals:

root # kadmin -p kadmin/admin

Kör kadmin kommandot:

kadmin: addprinc -randkey host/client.example.com@EXAMPLE.COM

Spara sen nycklarna i filen /etc/krb5.keytab:

kadmin: ktadd -k /etc/krb5.keytab host/client.example.com@EXAMPLE.COM

Logga ut från kadmin.

SSSD

Editera filen /etc/sssd/sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam
domains = LOCAL, EXAMPLE.COM

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3

[domain/LOCAL]
id_provider = local
auth_provider = local
access_provider = permit

[domain/EXAMPLE.COM]
debug_level = 0
enumerate = false
min_id = 5000
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = simple
sudo_provider = none

ldap_uri = ldap://ns.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/openldap/cacerts/example.com-ca.crt

krb5_realm = EXAMPLE.COM
krb5_server = ns.example.com
krb5_kpasswd = ns.example.com
root # chmod 600 /etc/sssd/sssd.conf

Kopiera ditt CA certifikat till filen /etc/openldap/cacerts/example.com-ca.crt, kör sedan kommandot:

root # cacertdir_rehash /etc/openldap/cacerts

Starta sssd:

root # systemctl enable sssd
root # systemctl start sssd

Enable:a användarinformation via SSSD:

root # authconfig --enablesssd --enablesssdauth --update

Kontrollera med:

root # getent passwd <user>
root # getent group <group>

LDAP

Installera:

root # yum install openldap-client
root # authconfig --ldapserver=ns.example.com --ldapbasedn="dc=example,dc=com" --enableldapstarttls --update

Kontrollera med:

root # kinit anna
root # ldapwhoami
root # kdestroy
root # ldapwhoami -D uid=anna,ou=people,dc=example,dc=com -W