Quick Start Guide: Integrating eDirectory 8.8 SP8 with MIT Kerberos (Berkeley database)

  • 7015544
  • 15-Aug-2014
  • 17-Aug-2021


SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
MIT Kerberos 5 Release 1.6.3
NetIQ eDirectory 8.8 SP8 (888)
NetIQ Modular Authentication Service (NMAS)
NetIQ iManager 2.7 SP7 (277)


This Kerberos Quick Start Guide has been created so that a working setup can be quickly built in a lab environment, enabling the testing of Kerberos integration with eDirectory. 
It covers the following products:
- SLES 11's MIT implementation of Kerberos 5, which includes the KDC server, the admin server and the Kerberos client
- eDirectory 8.8 SP8 and the LDAP GSSAPI extensions
- iManager Kerberos & NMAS plugins


This Quick Start is for integrating eDirectory and MIT Kerberos using the KDC Berkeley database.  A solution such as this will not keep the passwords in sync.  For that, the Berkeley database cannot be used and instead the NetIQ KPA (Kerberos Password Agent) must be installed.  That said, many do use the solution outlined here, with password changes being made on both servers: eDirectory and the KDC.   
This Quick Start Guide is intended to provide a quick way to get this solution up and running from scratch in a lab environment.  This guide assumes the lab has no DNS SRV or TXT records being served (recommended); therefore this will be a non-DNS installation: only the hosts file will be used.
Important Notes:
- UP (Universal Password) must be enabled.
- Extended characters in the password are not supported.
- Password changes must be made on both systems (eDirectory and the KDC).
- The key type and password selected during creation of the realm in the KDC and in eDirectory must match, or the passwords cannot be unwrapped on the KDC side.

The following is an overview of the major steps involved.
- Install the required Kerberos rpms
- Ensure name resolution and NTP are taken care of
- Install and configure eDirectory, iManager and its plugins
- Populate the keystores read by the Kerberos plugin and the kdb5_ldap_util utility with the tree's Trusted Root
- Install the Kerberos LDAP extensions and extend the schema for eDirectory
- Configure the KDC krb5.conf file
- Create the realm in the KDC and eDirectory
- Create the realm service objects, add their ACLs and stash their passwords
- Set the realm master key in eDirectory
- Start the krb5kdc and kadmind daemons
- Enable UP on the realm in eDirectory
- Create and/or verify that an NMAS UP policy is in place
- Create a user in eDirectory, then on the KDC create both a merged and a linked standalone principal for that user
- "Kerberize" that user object in eDirectory by modifying its krbPrincipalReferences attribute to point to the standalone principal object
- Install the KPA and verify that password changes are synchronizing from NMAS to the KDC service

Realm:                 SAMPLE
DNS:                   hv5.lab.novell.com
Backend:               LDAP
LDAP Server URL:       ldaps://
Kerberos Container:    cn=Kerberos,cn=Security
KDC bind DN:           cn=krb-kdc,o=emg
Kadmin bind DN:        cn=krb-admin,o=emg
Server:                888_Kerb_Svr.emg
Kerberos container:    Kerberos.Security.HV_KRB_TREE
Realm container:       SAMPLE.Kerberos.Security.HV_KRB_TREE
Principal Container:   emg.HV_KRB_TREE
Realm Sub Tree:        emg.HV_KRB_TREE
Subtree Scope:         Subtree
Users Container:       krbusers.emg.HV_KRB_TREE


1. Install SLES 11 SP3 + Kerberos
A. Install a minimal SLES 11 instance (also de-selecting the Print Server and AppArmor selections).
B. Install the three required Kerberos packages:
- krb5-server
- krb5-client
- krb5-plugin-kdb-ldap
2. Set up the hosts file (/etc/hosts).  Replace x.x.x.x with this server's IP address:
    127.0.0.1       localhost
    # special IPv6 addresses
    ::1             localhost ipv6-localhost ipv6-loopback
    fe00::0         ipv6-localnet
    ff00::0         ipv6-mcastprefix
    ff02::1         ipv6-allnodes
    ff02::2         ipv6-allrouters
    ff02::3         ipv6-allhosts
    x.x.x.x         hv5.lab.novell.com
    # Manual Entries - the last four names are optional for this exercise
    x.x.x.x         SAMPLE hv5.SAMPLE hv5 kerberos.SAMPLE kerberos _kerberos._udp.SAMPLE _kerberos._tcp.SAMPLE _kerberos-adm._tcp.SAMPLE
3. Set up DNS resolution in /etc/resolv.conf
  A. Ensure this server's address is first in the list of name servers.
    search SAMPLE
    nameserver x.x.x.x
    nameserver x.x.x.x

  B. Verify that the hosts: line of /etc/nsswitch.conf lists files before dns, so the hosts file entries above win over DNS:
    # group:  files nis
    passwd: compat
    group:  compat
    hosts:          files dns
    networks:       files dns
    services:       files
    protocols:      files
    rpc:            files
    ethers:         files
    netmasks:       files
    netgroup:       files nis
    publickey:      files
4. Set up NTP.
Normally NTP would be set up to get time from a trusted source, as Kerberos is very dependent on a reliable time source.  However, since this is a single-server lab exercise, NTP will be configured to use the hardware clock.  The relevant part of /etc/ntp.conf:
    ## Address:     127.127.8.u
    ## Serial Port: /dev/refclock-u
    ## (create soft link /dev/refclock-0 to the particular ttyS?)
    # server 127.127.8.0 mode 5 prefer
    ## Undisciplined Local Clock. This is a fake driver intended for backup
    ## and when no outside source of synchronized time is available.
    server 127.127.1.0              # local clock (LCL)
    fudge  127.127.1.0 stratum 10   # LCL is unsynchronized
    ## Add external Servers using
    ## # rcntp addserver <yourserver>
5. Install eDirectory 8.8 SP8 and iManager 2.7 SP7 as well as their latest patches.  The latest eDirectory, NMAS and Kerberos plugins will also need to be installed.  At the time of this writing they were:
- eDirectory88 Plugins 2.7.20140406
- NetIQ Kerberos Plugin 2.7.20140406
- NMAS Plug-ins for iManager 8.880.20130826
- Novell iManager Password Management 10.7.20120601

6. Allow iManager to perform non-TLS (cleartext) simple binds, then refresh the LDAP server.  The TLS requirement can be re-enabled after all steps have been completed.
  A. iManager - LDAP - LDAP Options - Group - Information - uncheck "Require TLS for Simple Binds with Password".
  B. iManager - LDAP - LDAP Options - Server - Information - Refresh.
7. Populate the keystores (iManager/Tomcat and kdb5_ldap_util/OpenLDAP)
In order for the Kerberos plugin to work, the tree Root CA's certificate must be trusted, which is done by placing it in the appropriate keystore.
A. iManager Keystore
  The Kerberos plugin does not use the default iManager keystore but the JDK's "system" keystore.
    1. Import the Root CA's exported certificate into the iManager 'system' keystore, using the password 'changeit' when prompted:
    /opt/novell/jdk1.7.0_25/bin/keytool -import -alias "krb" -file /root/hvaughan/cert.der -keystore <path to the JDK system keystore>
    2. Restart Tomcat:
    /etc/init.d/novell-tomcat7 restart
B. OpenLDAP Client Keystore
  The kdb5_ldap_util utility uses the OpenLDAP client configuration files (ldap.conf, .ldaprc).  Once the OpenLDAP client trusts the tree's CA, the kdb5_ldap_util utility shares that trust.
     1. Copy the tree Root CA certificate (example: cp /tmp/krbcert/data/SSCert.pem /etc/ssl/certs)
     2. Run c_rehash against that directory so OpenSSL can find the certificate by its subject hash:
     c_rehash /etc/ssl/certs
     3. Edit ldap.conf (on SLES, the file is under /etc/openldap/) to specify the trusted CA certificate directory:
     TLS_CACERTDIR /etc/ssl/certs
     4. Verify that the OpenLDAP client works with this configuration by performing a secure ldapsearch against eDirectory over LDAPS: 
     /usr/bin/ldapsearch -x -H ldaps://hv5.lab.novell.com:636 -D cn=admin,o=emg -W cn 
     If the following is seen, it is likely due to a problem with reverse name resolution of the address: 
     ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
     In that case, use the server's IP address instead of the DNS name:
     /usr/bin/ldapsearch -x -H ldaps://<server-ip>:636 -D cn=admin,o=emg -W cn 
8. LDAP Extensions
The Kerberos LDAP extensions must be in place for the Kerberos iManager plugin to work.  The GSSAPI method itself is not required for the KPA to function.
   A. Unzip the nmasmethods_8881.zip file within the 8882 patch.
   B. Navigate to the extracted directory: NmasMethods/Novell/GSSAPI/64bit/GSSAPI/Kerberos_ldap_extensions/Linux
   C. Run the following command, supplying the eDirectory server's address to -h:
   ./krbLdapConfig -i -D cn=admin,o=emg -w novell -h <server-ip> -p 389
9. Extend Schema
Now that the plugin should be working, extend schema using the Kerberos plugin.
iManager - Kerberos Management - Extend Schema
10. Customize the /etc/krb5.conf file for the environment.  The sections the lab uses are shown below:
    [libdefaults]
            default_realm = SAMPLE
            clockskew = 3000

    [realms]
            sample.com = {
                    kdc = hvaughan10.SAMPLE
                    default_domain = SAMPLE
                    admin_server = hv5.SAMPLE
            }
            SAMPLE = {
                    kdc = hv5.SAMPLE
                    admin_server = hv5.SAMPLE
            }

    [logging]
            kdc = FILE:/var/log/krb5/krb5kdc.log
            admin_server = FILE:/var/log/krb5/kadmind.log
            default = SYSLOG:NOTICE:DAEMON

    [domain_realm]
            .sample = SAMPLE
            .lab.novell.com = SAMPLE

    [appdefaults]
            pam = {
                    ticket_lifetime = 1d
                    renew_lifetime = 1d
                    forwardable = true
                    proxiable = true
                    minimum_uid = 0
                    clockskew = 3000
                    external = sshd
                    use_shmem = sshd
            }
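As an added illustration of the krb5.conf layout (example code written for this page, not part of the TID or of MIT Kerberos), the following Python parses a constructed krb5.conf that mirrors the lab's values (realm SAMPLE, KDC and admin server hv5.SAMPLE) and checks the realm definition: that the default realm has a kdc and admin_server, that every domain_realm mapping points at a defined realm, and that clockskew has not been widened beyond MIT's 300-second default (the lab's 3000 is workable without NTP, but it widens the window in which replayed authenticators are accepted). The parser's simplification (a repeated key keeps its last value) and the check list are this example's own assumptions.

```python
"""Parse an MIT krb5.conf profile and sanity-check the realm definition.

Added example for the guide, not NetIQ or MIT code.  The sample
configuration is constructed from the lab values used above (realm
SAMPLE, KDC/admin server hv5.SAMPLE); the checks are this example's own
assumptions about what the lab needs, not MIT rules.
"""
import re

# Constructed sample mirroring the structure of the guide's /etc/krb5.conf.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = SAMPLE
    clockskew = 3000

[realms]
    SAMPLE = {
        kdc = hv5.SAMPLE
        admin_server = hv5.SAMPLE
        default_domain = SAMPLE
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]
    .sample = SAMPLE
    .lab.novell.com = SAMPLE

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        forwardable = true
        clockskew = 3000
    }
"""

MIT_DEFAULT_CLOCKSKEW = 300  # seconds; MIT's built-in default


def parse_krb5_conf(text):
    """Return {section: {key: value-or-nested-dict}}.

    Covers the profile features this guide uses: [section] headers,
    'key = value' lines, '#'/';' comment lines and 'key = {' ... '}'
    blocks.  A repeated key keeps its last value (a real krb5.conf may
    list several 'kdc =' lines; that is a simplification of this example).
    """
    sections = {}
    stack = []  # dicts being filled; stack[-1] receives the next key
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            if len(stack) > 1:
                raise ValueError(f"line {lineno}: unclosed '{{' before [{header.group(1)}]")
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: directive outside any [section]")
        if line == "}":
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected 'key = value', got {line!r}")
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' at end of file")
    return sections


def check_realm_config(conf):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    block = realms.get(realm)
    if not isinstance(block, dict):
        return [f"[realms] has no block for default_realm {realm}"]
    for needed in ("kdc", "admin_server"):
        if needed not in block:
            findings.append(f"[realms] {realm} is missing {needed}")
    # Every domain_realm mapping must name a realm that is actually defined.
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped not in realms:
            findings.append(f"[domain_realm] {domain} maps to undefined realm {mapped}")
    # clockskew is in seconds; a large value widens the replay window.
    skew = libdefaults.get("clockskew")
    if skew is not None and int(skew) > MIT_DEFAULT_CLOCKSKEW:
        findings.append(f"[libdefaults] clockskew = {skew}s exceeds MIT's default of "
                        f"{MIT_DEFAULT_CLOCKSKEW}s; acceptable only in a lab without NTP")
    return findings


if __name__ == "__main__":
    for finding in check_realm_config(parse_krb5_conf(SAMPLE_KRB5_CONF)) or ["no findings"]:
        print(finding)
```

Running the script against the constructed sample reports only the clockskew finding, which is exactly the trade-off the NTP step above accepts for a single-server lab; pointing parse_krb5_conf at a real /etc/krb5.conf (read with open()) applies the same checks to a production file.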

11. Copy the trusted root:
cp /var/opt/novell/eDirectory/data/SSCert.der /opt/novell/kerberos/Trustedroot.der
12. Run the command to create the realm on the KDC:
kdb5_util create -r SAMPLE -s
13. Create the Service Objects in eDirectory and add their ACLs.  Also, the Security container must have its krbContainerReference attribute point to the Kerberos realm container (Kerberos.Security).
This is best done from an LDIF file, supplying the eDirectory server's address to -h:
  ldapmodify -x -h <server-ip> -D "cn=admin,o=emg" -w novell -f /root/hv5/krb_services.ldif
Sample krb_services.ldif (the same four ACL values are added to each container that holds Kerberos data; substitute the container DNs):
  dn: <container DN>
  changetype: modify
  add: acl
  acl: 48#subtree#cn=krb-admin,o=emg#[Entry Rights]
  acl: 48#subtree#cn=krb-admin,o=emg#[All Attributes Rights]
  acl: 33#subtree#cn=krb-kdc,o=emg#[Entry Rights]
  acl: 3#subtree#cn=krb-kdc,o=emg#[All Attributes Rights]

  dn: <container DN>
  changetype: modify
  add: acl
  acl: 48#subtree#cn=krb-admin,o=emg#[Entry Rights]
  acl: 48#subtree#cn=krb-admin,o=emg#[All Attributes Rights]
  acl: 33#subtree#cn=krb-kdc,o=emg#[Entry Rights]
  acl: 3#subtree#cn=krb-kdc,o=emg#[All Attributes Rights]
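To make the rights those ACL values grant visible, here is an added Python example (written for this page, not NetIQ code) that decodes eDirectory ACL values using the documented privileges#scope#subjectname#protectedattrname syntax and privilege bits (entry rights: 1 Browse, 2 Add, 4 Delete, 8 Rename, 16 Supervisor, 32 Inheritance control; attribute rights: 1 Compare, 2 Read, 4 Write, 8 Add/Remove Self, 16 Supervisor, 32 Inheritance control). It then checks that the KDC bind object receives only read-type rights while the kadmin object receives Supervisor; treating the KDC object as read-only is this example's least-privilege expectation, not a rule stated by the guide.

```python
"""Decode eDirectory ACL values and check the Kerberos service objects' rights.

Added example for the guide, not NetIQ code.  It uses the eDirectory ACL
value syntax  privileges#scope#subjectname#protectedattrname  and the
documented privilege bits; the ACL lines below are the guide's own
krb_services.ldif values.  Expecting the KDC object to be read-only is
this example's least-privilege assumption.
"""

# Privilege bits when the protected attribute is "[Entry Rights]".
ENTRY_RIGHTS = {1: "Browse", 2: "Add", 4: "Delete", 8: "Rename",
                16: "Supervisor", 32: "Inheritance control"}
# Privilege bits for "[All Attributes Rights]" or a named attribute.
ATTR_RIGHTS = {1: "Compare", 2: "Read", 4: "Write", 8: "Add/Remove Self",
               16: "Supervisor", 32: "Inheritance control"}
# Rights that let the holder change the directory rather than just read it.
WRITE_LIKE = {"Add", "Delete", "Rename", "Write", "Add/Remove Self", "Supervisor"}

# The ACL values from the guide's sample krb_services.ldif.
GUIDE_ACLS = [
    "48#subtree#cn=krb-admin,o=emg#[Entry Rights]",
    "48#subtree#cn=krb-admin,o=emg#[All Attributes Rights]",
    "33#subtree#cn=krb-kdc,o=emg#[Entry Rights]",
    "3#subtree#cn=krb-kdc,o=emg#[All Attributes Rights]",
]


def parse_acl(value):
    """Split one ACL value into its fields and name the privilege bits."""
    parts = value.split("#")
    if len(parts) != 4:
        raise ValueError(f"ACL needs 4 '#'-separated fields: {value!r}")
    privileges, scope, subject, target = parts
    if scope not in ("entry", "subtree"):
        raise ValueError(f"scope must be 'entry' or 'subtree': {scope!r}")
    bits = int(privileges)
    table = ENTRY_RIGHTS if target == "[Entry Rights]" else ATTR_RIGHTS
    if bits & ~sum(table):  # sum of the keys is the mask of all known bits
        raise ValueError(f"unknown privilege bits in {privileges!r}")
    return {
        "subject": subject,
        "scope": scope,
        "target": target,
        "rights": [name for bit, name in table.items() if bits & bit],
    }


def rights_by_subject(acl_values):
    """Map subject DN -> {protected attribute: [right names]}."""
    summary = {}
    for acl in map(parse_acl, acl_values):
        summary.setdefault(acl["subject"], {})[acl["target"]] = acl["rights"]
    return summary


def is_read_only(acl_values, subject):
    """True if the subject is granted something, and nothing write-like."""
    granted = rights_by_subject(acl_values).get(subject, {})
    return bool(granted) and not any(set(r) & WRITE_LIKE for r in granted.values())


def format_acl(value):
    """Render an ACL value as a readable line for a rights review."""
    acl = parse_acl(value)
    return f"{acl['subject']}: {', '.join(acl['rights'])} on {acl['target']} ({acl['scope']})"


if __name__ == "__main__":
    for acl_value in GUIDE_ACLS:
        print(format_acl(acl_value))
    print("KDC object read-only:", is_read_only(GUIDE_ACLS, "cn=krb-kdc,o=emg"))
    print("kadmin object read-only:", is_read_only(GUIDE_ACLS, "cn=krb-admin,o=emg"))
```

The split matters operationally: krb5kdc only needs to read principal keys (Browse plus Compare/Read), while kadmind creates and changes principals and so gets Supervisor. If a review of a live tree's acl values shows the KDC bind object with anything in WRITE_LIKE, the two service objects have been given more than the guide's sample grants.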
15. Ensure that krbContainerReference attribute on the Security container points to the Kerberos.Security container.  iMonitor makes this easy.
17. Fire up the KDC daemons.
A. Start the daemons:
- /etc/init.d/krb5kdc start
- /etc/init.d/kadmind start
B. Run chkconfig against the daemons so they will start when NDSD starts:
- chkconfig --level 235 krb5kdc on
- chkconfig --level 235 kadmind on
- chkconfig krb5kdc --list
- chkconfig kadmind --list

18. Using the Kerberos plugin's "Edit Realm" task, enable UP for the realm:
iManager - Kerberos Management - Edit Realm - SAMPLE.Kerberos.Security - place a check in the check box for Use Universal Password
NOTE: Many of the other fields displayed in the plugin are not applicable when using the KPA and eDirectory as a back end to the KDC, so they are ignored.
19. Ensure a UP password policy is in place and assigned to the user.
- Verify that the "Synchronize Distribution Password while setting Universal Password" option is enabled in the password policy.
- Verify that the policy either does not have the advanced rules enabled or does not allow extended characters, by deselecting the options "Allow non-alphanumeric characters" and "Allow non-US ASCII characters".

  2. iManager - Directory Administration - Modify Object - user1.krbusers.emg - Other tab - Select krbPrincipalReferences - Click on left arrow - use the object selector and select the standalone principal object created earlier: princ2@SAMPLE.emg

KPA documentation in the eDirectory 8.8 SP8 Administration Guide:  https://www.netiq.com/documentation/edir88/edir88/data/bs3o4p9.html