WORK IN PROGRESS - This HOWTO is not complete! The client setup section works, however.
1. Introduction
This page describes how to set up network-connected Ubuntu machines to support Single Sign On (SSO). SSO refers to the capability to only enter your logon credentials one time and then have those credentials automatically passed to authenticate you to other services available on your network. You will also have a central location that stores all user, group and password data for the users on your network. This solution uses OpenLDAP to provide authorization and MIT Kerberos to provide authentication. This document is divided in to several sections that describe installation of required server software, testing, and installation of software on the client.
There are two functions that a Single Sign On solution must perform:
- Authentication: Determining if a user or server is who they claim to be and providing a mechanism for passing that information throughout the network.
- Authorization: Information on what privileges are possessed by authenticated entities on the network
This solution uses Keberos 5 for authentication and OpenLDAP for authorization.
2. Target Audience
To properly implement the practical steps found in this guide, the reader should be a user of Ubuntu who is comfortable with the use command-line applications, using the Bourne Again SHell (bash) environment, and editing system configuration files with their preferred text editor application. While previous familiarity with OpenLDAP or Kerberos is not required for this guide, the reader is advised to pursue further learning from the resources listed in the Resources section of this guide in order to broaden understanding of the technologies involved in SSO.
3. Server Installation
3.1. Installing MIT Kerberos 5
3.1.1. Overview of Kerberos
This section describes how to install and configure a Kerberos 5 Key Distribution Center (KDC) and establish a realm for your network. The KDC is used to store password information for all users on your network. Kerberos allows users and services to securly authenticate with each other by passing around encrypted tickets. Tickets allow users and servers to know that each party is who they say they are. At logon, the KDC generates a ticket granting ticket (TGT) that the user can use with subsequent transactions to request access. A more detailed explaination of Kerberos is available at http://web.mit.edu/kerberos.
3.1.2. Pre-installation Decisions
Before you install the KDC, you must decide on the following:
- What machine do you want to use as your KDC? Security of this machine is important, since compromising the KDC could compromise the security of your entire network.
- Determine a name for your realm. The convention for realm names is to use the site's domain name fully capitalized. For instance, the site somerealm.com would use the realm name SOMEREALM.COM.
3.1.3. Software Installation
Once you have decided where to install the KDC, and determined your realm name, install the Kerberos server software on the machine that will be the KDC:
sudo apt-get install krb5-kdc krb5-admin-server sudo dpkg-reconfigure krb5-kdc
The package install will step you through defining the basic Kerberos configuration parameters. Recommended settings are:
- disable Kerberos 4 compatibility mode
- do not run krb524d (daemon to convert Kerberos tickets between versions)
- defaults for the other settings are acceptable
The configuration file for Kerberos is /etc/krb5kdc/kdc.conf. This file provides settings for your Kerberos realm. Important settings here are the locations of the KDC's data files, and the default settings for the durations that tickets are valid. To get it working minimally, you will probably at least have to set the realm name. Here is an example configuration file:
[kdcdefaults]
kdc_ports = 750,88
[realms]
SOMEREALM.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm
default_principal_flags = +preauth
}Kerberos uses an Access Control List (ACL) to specify the access a principal will have to the Kerberos admin deamon. This file is /etc/krb5kdc/kadm5.acl. The default, as shown below will suffice to get started. You may need to add additional ACLs depending on the needs of your network configuration.
# This file Is the access control list for krb5 administration. # When this file is edited run /etc/init.d/krb5-admin-server restart to activate # One common way to set up Kerberos administration is to allow any principal # ending in /admin is given full administrative rights. # To enable this, uncomment the following line: */admin@SOMEREALM.COM *
Edit /etc/krb5.conf with your realm.
[libdefaults]
default_realm = SOMEREALM.COMCreate the Kerberos database:
krb5_newrealm
3.1.4. Creating Principals
Principals are items in the Kerberos database that represent users, hosts, or services on your network. There are two types of principals that you need to create. Obviously, you will need a principal for each user that you want to allow access to your network. You'll also need a host principal for each computer on your network. Finally, you will need to create a service principal for your LDAP server.
Use the program kadmin or kadmin.local to create principals. Running kadmin.local as root will let you authenticate without having an existing principal for yourself.
3.1.5. Configuring DNS
It is somewhat simpler to configure Kerberos clients if some Kerberos records are present in DNS. To do this in a BIND-controlled zone requires entries like the following. Here the DNS domain is example.com, and the Kerberos realm is EXAMPLE.COM.
$ORIGIN example.com. _kerberos TXT "EXAMPLE.COM" $ORIGIN _tcp.example.com. _kerberos SRV 0 0 88 kdc.example.com. _kerberos-adm SRV 0 0 749 kdc.example.com.
3.2. Installing OpenLDAP
3.2.1. Overview of LDAP
LDAP is the Lightweight Directory Access Protocol. It is designed to store data records and allow for easy access to the records via a simple network interface. LDAP can provide access to directory type information such as an address book for your email client, or a list of users and groups that have access to services on your network.
This guide will show you how to install OpenLDAP to use SASL binds with TLS encrypted network sessions.
3.2.2. Software Installation
3.2.2.1. Installing OpenLDAP
To install OpenLDAP execute the following on the machine that will be your server:
sudo apt-get install slapd libsasl2-modules-gssapi-mit
3.2.3. Creating SSL Certificates
Since you will be using OpenLDAP to provide authentication information to your network, you should encrypt all of the traffic between the server and clients. This will be done using SSL encryption. In order to do this, you must create keys for the server.
First, you will need a certification authority to sign your certificates. You can use one of the CAs on the net or create your own.1 See the OpenSSL page for info on how to create a certificate authority and your own certificates. Import your new CA certificate into /usr/share/ca-certificates, as described on the OpenSSL page, so that other software on your system will recognize your CA as trusted. When you create a certificate for your ldap server, make sure the Common Name (CN) matches the hostname of the server where you are running slapd. Copy both the public and private key files to /etc/slapd/certs. In the /etc/slapd/certs directory, do the following:
sudo chown root:ldap *.pem sudo chmod 640 *.pem
3.2.4. Creating self-signed Certificate
Use the following commands to create a self-signed certificate to use with your OpenLDAP server:
Create the cert directory: mkdir /etc/ldap/ssl ; cd /etc/ldap/ssl
Create the certificate: openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
- Answer the questions and make sure to enter the name of your server to answer the 'Common Name' question
3.2.5. Configuring SSL
To use the self-signed certificate:
edit the slapd.conf file and include the following lines:
TLSCipherSuite HIGH:MEDIUM:-SSLv2 TLSCACertificateFile /etc/ldap/ssl/server.pem TLSCertificateFile /etc/ldap/ssl/server.pem TLSCertificateKeyFile /etc/ldap/ssl/server.pem
edit /etc/default/slapd2 and include the following line:
SLAPD_SERVICES="ldaps://SERVER-NAME"
- Note that the above line enables only SSL access to your OpenLDAP server (port 636)
Restart slapd
You may test the SSL response using: openssl s_client -connect SERVER-NAME:636 -showcerts
On the client machine, edit /etc/ldap/ldap.conf and include the following lines:
BASE YOUR-BASE URI ldaps://SERVER-NAME TLS_REQCERT allow
Don't forget to replace the {SERVER-IP} & YOUR-BASE with the correct values.
test using ldapsearch -x
3.2.6. Configuring LDAP
See OpenLDAPServer to set up the directory structure. In addition to the general configuration there, you should have the following lines in your slapd.conf. They will allow you to authenticate as normal LDAP users, except with Kerberos.
sasl-secprops noanonymous,noplain,noactive sasl-regexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=People,dc=example,dc=com
4. Server Testing
4.1. Testing Kerberos 5
From the KDC, type the following:
$ kinit
Type your password when prompted. If this was successful, you won't receieve any error messages. Next, test that you got a Ticket Granting Ticket (TGT) from the KDC. To do this type the following:
$ klist
The response should look something like this:
Ticket cache: FILE:/tmp/krb5cc_5001_PpRNvF
Default principal: user@SOMEREALM.COM
Valid starting Expires Service principal
05/28/06 08:18:09 05/28/06 18:18:09 krbtgt/SOMEREALM.COM@SOMEREALM.COM
renew until 05/29/06 08:18:06
Kerberos 4 ticket cache: /tmp/tkt5001
klist: You have no tickets cachedTry these same two commands from another machine on your network. If these commands succeed, you have successfully installed the KDC.
4.2. Testing OpenLDAP
- test SASL binds to the OpenLDAP directory
5. Client Installation
LDAPClientAuthentication may well also be of interest, particularly for caching.
5.1. Installing required packages
You need to install these packages on all machines on your network where you want to be able to use SSO. At the command line, type the following:
sudo apt-get install ldap-auth-client libpam-krb5 krb5-user
5.1.1. Configuring LDAP
The ldap-auth-config package (depended upon by ldap-auth-client) has a debconf script to help you create the LDAP configuration file. This script will be run automatically when you install the package.
The first step is to enter the URI for your LDAP server. If you followed this howto's instructions on installing your server, this URI will be ldaps://<your server IP>/.
- Next, you need to enter the DN of your search base. Use the same DN that you used as the base for your user database.
- You will only be using LDAPv3, so choose the default on this screen.
- There's no need for local root to have full privileges over your LDAP server, so answer no here.
- As your LDAP server allows anonymous binds, answer no here too.
5.1.2. Configuring Kerberos
krb5-config has a debconf script to set up client-side Kerberos properly.
sudo dpkg-reconfigure -plow krb5-config
Enter your realm (EXAMPLE.COM, for example) when prompted. If you have set up DNS records to point to your KDC, answer yes to the relevant question. If not, you will be asked to specify the hostname of your KDC and admin server.
5.1.3. Configuring PAM and NSS
auth-client-config gives us an easy way to configure NSS and PAM. It doesn't come with a configuration for LDAP and Kerberos, so put the following in a new file in /etc/auth-client-config/profile.d/:
[krb5ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
pam_auth=auth sufficient pam_krb5.so
auth required pam_unix.so nullok_secure use_first_pass
pam_account=account sufficient pam_krb5.so
account required pam_unix.so
pam_password=password sufficient pam_krb5.so
password required pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_krb5.so
session optional pam_foreground.soNow we can do the actual configuration. It's probably a good idea to have a root shell open while doing this, just in case something breaks.
sudo auth-client-config -a -p krb5ldap
At this stage, everything should work! Try getent passwd and getent group to check that users and groups from LDAP are appearing properly. Log in as one of the LDAP users, and use klist to confirm that you were automatically granted a TGT. Running passwd should change your Kerberos password.
5.1.4. Troubleshooting
If getent passwd doesn't show your users, you have something wrong with your LDAP configuration. Try using ldapsearch or similar to confirm that you are able to query the LDAP server. If that works, check your settings in /etc/ldap.conf.
If getent passwd shows your users but you can't log in, it's probably a Kerberos problem. Try kinit. It should prompt for your Kerberos password. If that works, check that you have a TGT with klist. If there's no TGT at this point, there's your problem - your client can't talk to your KDC properly. DNS issues are a possibility.
If you still can't log in, head over to your lifesaving root shell, and use auth-client-config to revert the settings.
auth-client-config -a -p krb5ldap -r
You may then debug at a later date without the risk of not being able to log into your system.
5.1.5. Further configuration
For configuring SSH servers to accept Kerberos authentication, see AdvancedOpenSSH. For NFS with Kerberos, see NFSv4Howto.
TODO:
- test SASL binds
- information on configuring nss-updatedb and nscd to cache LDAP information