Add these two index directives for the uid and krbPrincipalName attributes:

    index objectClass eq
    index uid eq
    index krbPrincipalName eq,pres,sub

The first eq index will facilitate searches for uid entries, while the second will do the same for Kerberos principal entries.

Specify the keytab filename or click Browse to browse to the location where the keytab file is stored.

Do either of the following: specify the name of the keytab file that contains the principal key, or click Browse to select the location where the keytab file is stored.

First try a simple unauthenticated (-x) LDAP query:

    ~# ldapsearch -xLLL ou=people
    No such object (32)
    ~# _

This does not work, because the default ACL has been set to "allow access to * by none" in slapd.conf.

Your site should now be happily Kerberized and LDAP-ized.

Unfortunately, this flexibility comes at a price, since it is slower than direct mapping, and it will not map GSSAPI names if no matching LDAP counterparts are found.

The man page says that lacking -s the password will be read from a pre-existing stash file, but the program seems to prompt for a password unconditionally. [-sf] — [Don't] override the default filename where the password goes.
Set up SSL on the OpenLDAP server and client to ensure secure communication when the KDC service and LDAP server are on different machines. ldapi:// can be used if the LDAP server and KDC service are running on the same machine.

    Enter KDC database master key: parviocula
    Re-enter KDC database master key to verify: parviocula
    ~# _

Use the slapcat command to verify the creation of the new database.

However, it is recommended to add an eq index for uid entries, because these are used for storing user account names and, later on, as the DIT grows in size, this index can significantly decrease the time it takes for users to log in.
The commands and their responses should look like this:

    kadmin.local: modprinc -maxlife "1 day" -maxrenewlife "90 day" \
        krbtgt/
    Principal "krbtgt/ " modified.
    kadmin.local: q
    ~# _

The values entered above are instead of 10 hours and 1 day respectively, which are the default values.

Also, the admin guide ends the ACL with by * none, but I'm putting the user records for the KDC and kadmind in the Kerberos container, so the users before authentication need permission to enter the subtree to authenticate.

Perform a quick test by generating an LDIF dump of the contents of the database:

    ~# slapcat
    hdb_db_open: database "dc=example,dc=com": unclean shutdown detected; attempting recovery.
    hdb_db_open: database "dc=example,dc=com": recovery skipped in read-only mode.

Configure the LDAP server ACLs to enable the KDC and kadmin server DNs to read and write the Kerberos data. If disable_last_success and disable_lockout are both set to true in the [dbmodules] subsection for the realm, then the KDC DN only requires read access to the Kerberos data.

When using Kerberos, one way to distribute the user information (such as user ID, groups, and home directory) in your local network is to use LDAP. This requires a strong authentication mechanism that prevents packet spoofing and other attacks.

Specify the container that contains the Principal object, or use the Object Selector icon to select it.