HP UX Red Hat Directory Server Software manual Example Configuring an Example KDC Server, 428


Chapter 12. Managing SASL

NOTE

On Red Hat Enterprise Linux, the client-side Kerberos configuration is in the /etc/krb5.conf. On Solaris, the client-side Kerberos configuration is in the /etc/krb5/krb5.conf.

The HP server and client are separate packages with their own configuration. The server stores config files in /opt/krb5. The client is classic MIT and uses /etc/krb5.conf. Both the server and client must be configured to have a working Kerberos system.

In order to respond to Kerberos operations, the Directory Server requires access to its own cryptographic key. This key is read by the Kerberos libraries that the server calls through GSS-API, and the details of how it is found are implementation-dependent. However, in current releases of the supported Kerberos implementations the mechanism is the same: the key is read from a file called a keytab file. This file is created by the Kerberos administrator by exporting the key from the KDC. Either the system default keytab file (typically /etc/krb5.keytab) is used, or a service-specific keytab file determined by the value of the KRB5_KTNAME environment variable; this environment variable can be set in the start-slapd script, which is recommended because it ensures that the variable is properly set each time Directory Server starts.

The Directory Server uses the service name ldap. Its Kerberos principal is ldap/host-fqdn@realm, like ldap/dap.corp.example.com@EXAMPLE.COM. The host-fqdn must be the fully-qualified host and domain name, which can be resolved by all LDAP and Kerberos clients through both DNS and reverse DNS lookups. A key with this identity must be stored in the server's keytab in order for Kerberos to work.

For information on setting up the service key, see the Kerberos documentation.

5.3. Example: Configuring an Example KDC Server

This example krb5.conf fragment shows a KDC server configured for the COMPANY.EXAMPLE.COM realm (company.example.com domain).

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = COMPANY.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ccache_type = 1
    forwardable = true
    proxiable = true
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc

    [realms]
    COMPANY.EXAMPLE.COM = {
        kdc = kdcserver.company.example.com:88
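Two checks a practitioner would run against a configuration like the one above and against the ldap/host-fqdn@realm principal described earlier, written here as an added example (not code from the manual or from Directory Server): a parser for the [libdefaults] section that flags the DES enctypes this fragment still lists, and a shape check for the service principal. The sample configuration and the weak/deprecated enctype list are constructed for the example.

```python
import re
# Constructed sample modelled on the manual's fragment; not a real site's configuration.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = COMPANY.EXAMPLE.COM
  default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
  default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
  permitted_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
  COMPANY.EXAMPLE.COM = {
    kdc = kdcserver.company.example.com:88
  }
"""
# Single DES is weak (MIT krb5 refuses it unless allow_weak_crypto = true); 3DES and RC4
# are deprecated in current MIT releases. AES enctypes are the expected replacement.
FLAGGED_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                    "des3-cbc-sha1", "des3-hmac-sha1", "arcfour-hmac", "rc4-hmac"}
def parse_libdefaults(text):
    """Return the key = value pairs of the [libdefaults] section (comments stripped)."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values
def flagged_enctypes(libdefaults):
    """Map each enctype setting to the weak or deprecated types it still lists."""
    findings = {}
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        bad = [e for e in libdefaults.get(key, "").split() if e.lower() in FLAGGED_ENCTYPES]
        if bad:
            findings[key] = bad
    return findings
# ldap/host-fqdn@REALM: dotted lower-case FQDN, upper-case realm, '@' (not '/') before it.
PRINCIPAL_RE = re.compile(r"^ldap/(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)@(?P<realm>[A-Z0-9.-]+)$")
def check_ldap_principal(principal, default_realm):
    """Check the principal's shape and realm; forward/reverse DNS is a separate, online check."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return False, "expected ldap/host-fqdn@REALM with a fully qualified host"
    if m.group("realm") != default_realm:
        return False, "realm %s differs from default_realm %s" % (m.group("realm"), default_realm)
    return True, "ok"
```

Run the checks against the real /etc/krb5.conf and the principal you exported into the keytab; a flagged enctype means the key in the keytab may itself be a DES key and should be regenerated with a stronger type.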
