Special:Badtitle/NS100:SingleSignOn: difference between revisions
Line 1: | Line 1: | ||
{{From|https://help.ubuntu.com/community/SingleSignOn}} | {{From|https://help.ubuntu.com/community/SingleSignOn}} | ||
{{Languages|UbuntuHelp:SingleSignOn}} | {{Languages|UbuntuHelp:SingleSignOn}} | ||
<!> '''WORK IN PROGRESS - This HOWTO is not complete!''' <!> | <!> '''WORK IN PROGRESS - This HOWTO is not complete! The client setup section works, however.''' <!> | ||
== Introduction == | == Introduction == | ||
This page describes how to set up network-connected Ubuntu machines to support '''Single Sign On''' (SSO). SSO refers to the capability to only enter your logon credentials one time and then have those | This page describes how to set up network-connected Ubuntu machines to support '''Single Sign On''' (SSO). SSO refers to the capability to only enter your logon credentials one time and then have those credentials automatically passed to authenticate you to other services available on your network. You will also have a central location that stores all user, group and password data for the users on your network. This solution uses OpenLDAP to provide authorization and MIT Kerberos to provide authentication. This document is divided in to several sections that describe installation of required server software, testing, and installation of software on the client. | ||
There are two functions that a Single Sign On solution must perform: | There are two functions that a Single Sign On solution must perform: | ||
* Authentication: Determining if a user or server is who they claim to be and providing a mechanism for passing that information throughout the network. | * Authentication: Determining if a user or server is who they claim to be and providing a mechanism for passing that information throughout the network. | ||
* Authorization: Information on what | * Authorization: Information on what privileges are possessed by authenticated entities on the network | ||
This solution uses Keberos 5 for authentication and OpenLDAP for authorization. | This solution uses Keberos 5 for authentication and OpenLDAP for authorization. | ||
== Target Audience == | == Target Audience == | ||
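Review bot: "Keberos 5" in the unchanged closing line `This solution uses Keberos 5 for authentication and OpenLDAP for authorization.` is a typo for Kerberos 5 that this revision carries forward; fix it while the paragraph is being edited. The new Authorization bullet also lacks the terminating period that the Authentication bullet has, and since the reworked Introduction now already states which component provides authentication and which provides authorization, the closing sentence repeats it and could be dropped.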
Line 15: | Line 13: | ||
=== Installing MIT Kerberos 5 === | === Installing MIT Kerberos 5 === | ||
==== Overview of Kerberos ==== | ==== Overview of Kerberos ==== | ||
This section describes how to install and configure a Kerberos 5 Key Distribution Center (KDC) and establish a realm for your network. The KDC is used to store password information for all users on your network. Kerberos allows users and services to securly authenticate with each other by passing around encrypted tickets. Tickets allow users and servers to know that each party is who they say they are. At logon, the KDC generates a ticket granting ticket (TGT) that the user can use with subsequent transactions to request access. A more detailed explaination of Kerberos is available at [http://web.mit.edu/kerberos]. | This section describes how to install and configure a Kerberos 5 Key Distribution Center (KDC) and establish a realm for your network. The KDC is used to store password information for all users on your network. Kerberos allows users and services to securly authenticate with each other by passing around encrypted tickets. Tickets allow users and servers to know that each party is who they say they are. At logon, the KDC generates a ticket granting ticket (TGT) that the user can use with subsequent transactions to request access. A more detailed explaination of Kerberos is available at [[http://web.mit.edu/kerberos]]. | ||
==== Pre-installation Decisions ==== | ==== Pre-installation Decisions ==== | ||
Before you install the KDC, you must decide on the following: | Before you install the KDC, you must decide on the following: | ||
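Review bot: the change from `[http://web.mit.edu/kerberos]` to `[[http://web.mit.edu/kerberos]]` breaks the link: in MediaWiki double square brackets denote internal page links, so an external URL inside them is not linked and shows up as literal bracketed text. Revert to single brackets, ideally with link text, e.g. `[http://web.mit.edu/kerberos MIT Kerberos]`. The same paragraph still contains the misspellings "securly" and "explaination".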
Line 24: | Line 22: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo apt-get install krb5-kdc krb5-admin-server | sudo apt-get install krb5-kdc krb5-admin-server | ||
sudo dpkg-reconfigure krb5-kdc | |||
</nowiki></pre> | </nowiki></pre> | ||
The package install will step you through defining the basic Kerberos configuration parameters. Recommended settings are: | The package install will step you through defining the basic Kerberos configuration parameters. Recommended settings are: | ||
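Review bot: the added `sudo dpkg-reconfigure krb5-kdc` duplicates the debconf prompts that the very next sentence says the package install already walks you through. If the intent is to surface questions that the install skipped at the default priority, pass `-plow` as the client section's `sudo dpkg-reconfigure -plow krb5-config` does, and say so in the text; otherwise the line is redundant and will confuse readers who just answered the same questions.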
Line 29: | Line 28: | ||
* do not run krb524d (daemon to convert Kerberos tickets between versions) | * do not run krb524d (daemon to convert Kerberos tickets between versions) | ||
* defaults for the other settings are acceptable | * defaults for the other settings are acceptable | ||
The configuration file for Kerberos is /etc/krb5kdc/kdc.conf. This file provides settings for your Kerberos realm. Important settings here are the locations of the KDC's data files, and the default settings for the durations that tickets are valid. To get it working minimally, you will probably at least have to set the realm name. Here is an example configuration file: | |||
The configuration file for Kerberos is /etc/krb5kdc/kdc.conf. This file provides settings for your Kerberos realm. Important settings here are the locations of the KDC's data files, and the default settings for the durations that tickets are valid. Here is an example configuration file: | |||
<pre><nowiki> | <pre><nowiki> | ||
[kdcdefaults] | [kdcdefaults] | ||
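Review bot: this hunk shows two near-identical versions of the kdc.conf paragraph, one with the added sentence "To get it working minimally, you will probably at least have to set the realm name." and one without; make sure only the longer one survives in the final text, otherwise the page repeats itself immediately before the example file.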
Line 57: | Line 55: | ||
# To enable this, uncomment the following line: | # To enable this, uncomment the following line: | ||
</nowiki></pre> | |||
Edit /etc/krb5.conf with your realm. | |||
<pre><nowiki> | |||
[libdefaults] | |||
default_realm = SOMEREALM.COM | |||
</nowiki></pre> | |||
Create the Kerberos database: | |||
<pre><nowiki> | |||
krb5_newrealm | |||
</nowiki></pre> | </nowiki></pre> | ||
==== Creating Principals ==== | ==== Creating Principals ==== | ||
Principals are items in the Kerberos database that represent users, hosts, or services on your network. There are two types of principals that you need to create. Obviously, you will need a principal for each user that you want to allow access to your network. You'll also need a host principal for each computer on your network. Finally, you will need to create a service principal for your LDAP server. | |||
Use the program `kadmin` or `kadmin.local` to create principals. Running `kadmin.local` as root will let you authenticate without having an existing principal for yourself. | |||
Principals are items in the Kerberos database that represent users, hosts, or services on your network. There are two types of | ==== Configuring DNS ==== | ||
Use the program `kadmin` or `kadmin.local` to create principals. | It is somewhat simpler to configure Kerberos clients if some Kerberos records are present in DNS. To do this in a BIND-controlled zone requires entries like the following. Here the DNS domain is `example.com`, and the Kerberos realm is `EXAMPLE.COM`. | ||
<pre><nowiki> | |||
$ORIGIN example.com. | |||
_kerberos TXT "EXAMPLE.COM" | |||
$ORIGIN _tcp.example.com. | |||
_kerberos SRV 0 0 88 kdc.example.com. | |||
_kerberos-adm SRV 0 0 749 kdc.example.com. | |||
</nowiki></pre> | |||
=== Installing OpenLDAP === | === Installing OpenLDAP === | ||
==== Overview of LDAP ==== | ==== Overview of LDAP ==== | ||
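Review bot: `krb5_newrealm` is the only command in this section given without `sudo`; it creates the KDC database and stash file, which needs root just like the `sudo apt-get install krb5-kdc krb5-admin-server` line above. In the Creating Principals paragraph, "There are two types of principals that you need to create" is followed by three kinds (user principals, host principals, and the LDAP service principal), so the count should be corrected. One caveat worth adding to the Configuring DNS section: the `_kerberos TXT "EXAMPLE.COM"` record lets clients discover the realm from unauthenticated DNS, which is why MIT Kerberos ships with `dns_lookup_realm` disabled by default; the SRV records for locating the KDC are the low-risk part, and clients should still pin `default_realm` in krb5.conf as the earlier edit does.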
Line 71: | Line 85: | ||
To install OpenLDAP execute the following on the machine that will be your server: | To install OpenLDAP execute the following on the machine that will be your server: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo apt-get install slapd libsasl2-gssapi-mit | sudo apt-get install slapd libsasl2-modules-gssapi-mit | ||
</nowiki></pre> | </nowiki></pre> | ||
==== Creating SSL Certificates ==== | ==== Creating SSL Certificates ==== | ||
Since you will be using OpenLDAP to provide authentication information to your network, you should encrypt all of the traffic between the server and clients. This will be done using SSL encryption. In order to do this, you must create keys for the server. | Since you will be using OpenLDAP to provide authentication information to your network, you should encrypt all of the traffic between the server and clients. This will be done using SSL encryption. In order to do this, you must create keys for the server. | ||
First, you will need a certification authority to sign your certificates. You can use one of the CAs on the net or create your own. | First, you will need a certification authority to sign your certificates. You can use one of the CAs on the net or create your own.<<FootNote(Fedora: cd /etc/pki/tls/certs && make slapd.pem)>> See the [[UbuntuHelp:OpenSSL]] page for info on how to create a certificate authority and your own certificates. Import your new CA certificate into /usr/share/ca-certificates, as described on the [[UbuntuHelp:OpenSSL|OpenSSL]] page, so that other software on your system will recognize your CA as trusted. When you create a certificate for your ldap server, make sure the Common Name (CN) matches the hostname of the server where you are running slapd. Copy both the public and private key files to `/etc/slapd/certs`. In the `/etc/slapd/certs` directory, do the following: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo chown root:ldap *.pem | sudo chown root:ldap *.pem | ||
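Review bot: `<<FootNote(Fedora: cd /etc/pki/tls/certs && make slapd.pem)>>` is MoinMoin macro syntax from the original help.ubuntu.com page and has no meaning on MediaWiki, so the Fedora footnote will appear as literal text; use `<ref>...</ref>` or drop it. The package rename to `libsasl2-modules-gssapi-mit` is correct. Two consistency problems remain in the long paragraph: it says to copy the key files to `/etc/slapd/certs`, while the Configuring SSL section below points `TLSCertificateFile` and `TLSCertificateKeyFile` at `/etc/ldap/ssl/server.pem`; and the following `sudo chown root:ldap *.pem` assumes an `ldap` group, whereas Ubuntu's slapd package runs as the `openldap` user and group. Whichever path is chosen, the private key must end up readable by that service account and nobody else.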
Line 86: | Line 100: | ||
</li><li>Answer the questions and make sure to enter the name of your server to answer the 'Common Name' question</li></ol> | </li><li>Answer the questions and make sure to enter the name of your server to answer the 'Common Name' question</li></ol> | ||
==== Configuring | ==== Configuring SSL ==== | ||
To use the self-signed certificate: | To use the self-signed certificate: | ||
<ol><li>edit the `slapd.conf` file and include the following lines: <pre><nowiki> | <ol><li>edit the `slapd.conf` file and include the following lines: <pre><nowiki> | ||
Line 93: | Line 107: | ||
TLSCertificateFile /etc/ldap/ssl/server.pem | TLSCertificateFile /etc/ldap/ssl/server.pem | ||
TLSCertificateKeyFile /etc/ldap/ssl/server.pem </nowiki></pre> | TLSCertificateKeyFile /etc/ldap/ssl/server.pem </nowiki></pre> | ||
</li><li>edit `/etc/default/slapd` | </li><li>edit `/etc/default/slapd`<<FootNote(Fedora: follow the instructions in /etc/sysconfig/ldap)>> and include the following line: <pre><nowiki> | ||
SLAPD_SERVICES="ldaps://SERVER-NAME" </nowiki></pre></li></ol> | SLAPD_SERVICES="ldaps://SERVER-NAME" </nowiki></pre></li></ol> | ||
Note that the above line enables only SSL access to your OpenLDAP server (port 636) | Note that the above line enables only SSL access to your OpenLDAP server (port 636) | ||
<ol><li>Restart `slapd` | <ol><li>Restart `slapd` | ||
</li><li>You may test the SSL response using: `openssl s_client -connect SERVER-NAME:636 -showcerts` | </li><li>You may test the SSL response using: `openssl s_client -connect SERVER-NAME:636 -showcerts` | ||
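Review bot: same MoinMoin `<<FootNote(...)>>` issue as the previous hunk. On the configuration itself: `SLAPD_SERVICES="ldaps://SERVER-NAME"` drops the `ldapi:///` Unix socket that Ubuntu enables by default, so local tools can no longer bind without going through TLS; `SLAPD_SERVICES="ldaps://SERVER-NAME ldapi:///"` keeps local access without exposing plaintext port 389. Also note that `TLSCertificateFile` and `TLSCertificateKeyFile` both point at the same `server.pem`, so that one file holds the private key and the chown/chmod step above must make it unreadable to anyone but the slapd account.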
Line 110: | Line 118: | ||
TLS_REQCERT allow </nowiki></pre></li></ol> | TLS_REQCERT allow </nowiki></pre></li></ol> | ||
Don't forget to replace the | Don't forget to replace the SERVER-NAME & YOUR-BASE with the correct values. | ||
<ol><li>test using `ldapsearch -x`</li></ol> | <ol><li>test using `ldapsearch -x`</li></ol> | ||
* | ==== Configuring LDAP ==== | ||
===== Authenticated-only mode ===== | |||
See [[UbuntuHelp:OpenLDAPServer]] to set up the directory structure. In addition to the general configuration there, you should have the following lines in your slapd.conf. They will allow you to authenticate as normal LDAP users, except with Kerberos. | |||
<pre><nowiki> | |||
sasl-secprops noanonymous,noplain,noactive | |||
sasl-regexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=People,dc=example,dc=com | |||
</nowiki></pre> | |||
This approach isn't without difficulties, however - you'll have to have either an admin password for the database, or a Kerberos principal that allows you to browse the directory in order to log in! | |||
Not all sites will want to have an admin password for the database in the clear in a file on clients. Of course, anyone with root access to the client can then obtain your LDAP admin password. It's contrary to the Kerberos assumption that the KDC is trusted, but clients are not. For such sites, it ''is'' possible to have a 'Kerberized' way of accessing the directory that doesn't require passwords, but it's a bit of extra work. [XXX that isn't documented here yet.] | |||
===== Anonymous access mode ===== | |||
As an alternative approach to requiring Kerberos or an admin password to read the directory, you could make the directory readable to all. This is an option you might want to explore on LANs, where having people able to list the directory without authentication probably isn't the end of the world, and the extra effort required to setting up and renewing directory access tickets isn't really necessary. This is a more NIS-like approach to using LDAP as the directory service, but without some of NIS's more serious security problems. | |||
A small change to the above `slapd.conf` extract allows this. | |||
<pre><nowiki> | |||
sasl-secprops none,noplain,noactive | |||
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=People,dc=example,dc=com | |||
</nowiki></pre> | |||
As you'll find in `slapd.conf(5)`, the '`none`' option turns off the defaults ('`noanonymous,noplain`', forbidding anonymous and plaintext logins respectively), and then '`noplain`' of course turns plaintext authentication back off again. We want anonymous mode. | |||
We'll not be publishing crypt'ed (or otherwise hashed) passwords to everyone. The default `slapd.conf` has this stanza: | |||
<pre><nowiki> | |||
access to attrs=userPassword,shadowLastChange | |||
by dn="cn=admin,dc=home,dc=ae-35,dc=com" write | |||
by anonymous auth | |||
by self write | |||
by * none | |||
</nowiki></pre> | |||
This means that the attribute simply won't be shown to anonymous logins. We don't have to worry about other permissions; because the LDAP-stored password isn't being used, we don't have to worry about letting users write to it in order to change their password. | |||
[XXX This argument doesn't apply to changing the shell...] | |||
== Server Testing == | == Server Testing == | ||
=== Testing Kerberos 5 === | === Testing Kerberos 5 === | ||
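Review bot: `TLS_REQCERT allow` in the client ldap.conf tells libldap to continue even when the server certificate cannot be verified, which nullifies the CA work done in the certificates section; since the CA certificate was imported into the system trust store, keep the default `TLS_REQCERT demand` with `TLS_CACERT` pointing at the CA file and use `allow` only while debugging. Other points in this hunk: the ACL example uses `cn=admin,dc=home,dc=ae-35,dc=com`, a DN apparently pasted from a real installation, while every other example uses `dc=example,dc=com`; the two slapd.conf extracts spell the same directive `sasl-regexp` and `saslRegexp`, both of which are older aliases of `authz-regexp`, so one spelling should be used throughout; and the `[XXX ...]` placeholders show that the 'Kerberized' directory access and the shell-change caveat are still undocumented, which the WORK IN PROGRESS banner at the top should mention.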
Line 141: | Line 175: | ||
* test SASL binds to the OpenLDAP directory | * test SASL binds to the OpenLDAP directory | ||
== Client Installation == | == Client Installation == | ||
[[UbuntuHelp:LDAPClientAuthentication]] may well also be of interest, particularly for caching. | |||
=== Installing required packages === | === Installing required packages === | ||
You need to install these packages on all machines on your network where you want to be able to use SSO. At the command line, type the following: | You need to install these packages on all machines on your network where you want to be able to use SSO. At the command line, type the following: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo apt-get install ldap- | sudo apt-get install ldap-auth-client libpam-krb5 krb5-user libpam-foreground libsasl2-modules-gssapi-mit | ||
</nowiki></pre> | </nowiki></pre> | ||
==== Configuring | ==== Configuring LDAP ==== | ||
The | The ldap-auth-config package (depended upon by ldap-auth-client) has a debconf script to help you create the LDAP configuration file. This script will be run automatically when you install the package. | ||
* The first step is to enter the URI for your LDAP server. If you followed this howto's instructions on installing your server, this URI will be '''ldaps://<your server IP>/'''. | * The first step is to enter the URI for your LDAP server. If you followed this howto's instructions on installing your server, this URI will be '''ldaps://<your server IP>/'''. | ||
https://help.ubuntu.com/community/SingleSignOn?action=AttachFile&do=get&target= | {{https://help.ubuntu.com/community/SingleSignOn?action=AttachFile&do=get&target=ldap-1-uri.png%7D%7D | ||
* Next, you need to enter the DN of your search base. Use the same DN that you used as the base for your user database. | * Next, you need to enter the DN of your search base. Use the same DN that you used as the base for your user database. | ||
https://help.ubuntu.com/community/SingleSignOn?action=AttachFile&do=get&target= | {{https://help.ubuntu.com/community/SingleSignOn?action=AttachFile&do=get&target=ldap-2-base-dn.png%7D%7D | ||
* You will only be using LDAPv3, so choose the default on this screen. | * You will only be using LDAPv3, so choose the default on this screen. | ||
https://help.ubuntu.com/community/SingleSignOn?action=AttachFile&do=get&target= | {{https://help.ubuntu.com/community/SingleSignOn?action=AttachFile&do=get&target=ldap-3-version.png%7D%7D | ||
* | * There's no need for local root to have full privileges over your LDAP server, so answer no here. | ||
https://help.ubuntu.com/community/SingleSignOn?action=AttachFile&do=get&target= | {{https://help.ubuntu.com/community/SingleSignOn?action=AttachFile&do=get&target=ldap-4-local-root.png%7D%7D | ||
* | * If your LDAP server allows anonymous binds, you can answer 'no' here too. If you're ok with the script dropping a plaintext password in `/etc/ldap.secret`, then you can enter the password here. Otherwise, you answer 'no', but you have some work to do [XXX which is not documented here yet]. | ||
https://help.ubuntu.com/community/SingleSignOn?action=AttachFile&do=get&target= | {{https://help.ubuntu.com/community/SingleSignOn?action=AttachFile&do=get&target=ldap-5-require-login.png%7D%7D | ||
==== Configuring Kerberos ==== | |||
krb5-config has a debconf script to set up client-side Kerberos properly. | |||
<pre><nowiki> | |||
sudo dpkg-reconfigure -plow krb5-config | |||
</nowiki></pre> | |||
Enter your realm (EXAMPLE.COM, for example) when prompted. If you have set up DNS records to point to your KDC, answer yes to the relevant question. If not, you will be asked to specify the hostname of your KDC and admin server. | |||
edit `/etc/ldap/ldap.conf` and include the following lines: | |||
<pre><nowiki> | |||
BASE YOUR-BASE | |||
URI ldaps://SERVER-NAME | |||
TLS_REQCERT allow | |||
</nowiki></pre> | |||
Replace the SERVER-NAME & YOUR-BASE with the correct values. | |||
edit `/etc/ldap.conf` and include the following lines: | |||
<pre><nowiki> | |||
bind_policy soft | |||
</nowiki></pre> | |||
==== Configuring PAM and NSS ==== | |||
auth-client-config gives us an easy way to configure NSS and PAM. It doesn't come with a configuration for LDAP and Kerberos. | |||
edit `/etc/auth-client-config/profile.d/krb-auth-config` and include the following lines: | |||
<pre><nowiki> | |||
[krb5ldap] | |||
nss_passwd=passwd: files ldap | |||
nss_group=group: files ldap | |||
nss_shadow=shadow: files ldap | |||
pam_auth=auth sufficient pam_krb5.so | |||
auth required pam_unix.so nullok_secure use_first_pass | |||
pam_account=account sufficient pam_krb5.so | |||
account required pam_unix.so | |||
pam_password=password sufficient pam_krb5.so | |||
password required pam_unix.so nullok obscure min=4 max=8 md5 | |||
pam_session=session required pam_unix.so | |||
session required pam_mkhomedir.so skel=/etc/skel/ | |||
session optional pam_krb5.so | |||
session optional pam_foreground.so | |||
[krb5ldap.cached] | |||
nss_passwd=passwd: files ldap [NOTFOUND=return] db | |||
nss_group=group: files ldap [NOTFOUND=return] db | |||
nss_shadow=shadow: files ldap | |||
pam_auth=auth required pam_env.so | |||
auth sufficient pam_unix.so likeauth nullok | |||
auth [default=ignore success=1 service_err=reset] pam_krb5.so use_first_pass | |||
auth [default=die success=done] pam_ccreds.so action=validate use_first_pass | |||
auth sufficient pam_ccreds.so action=store use_first_pass | |||
auth required pam_deny.so | |||
pam_account=account sufficient pam_krb5.so | |||
account required pam_unix.so | |||
pam_password=password sufficient pam_krb5.so | |||
password required pam_unix.so nullok obscure min=4 max=8 md5 | |||
pam_session=session required pam_unix.so | |||
session required pam_mkhomedir.so skel=/etc/skel/ | |||
session optional pam_krb5.so | |||
session optional pam_foreground.so | |||
</nowiki></pre> | |||
Now we can do the actual configuration. It's probably a good idea to have a root shell open while doing this, just in case something breaks. | |||
<pre><nowiki> | |||
sudo auth-client-config -a -p krb5ldap | |||
</nowiki></pre> | |||
At this stage, everything should work! Try `getent passwd` and `getent group` to check that users and groups from LDAP are appearing properly. Log in as one of the LDAP users, and use `klist` to confirm that you were automatically granted a TGT. Running `passwd` should change your Kerberos password. | |||
===== Cached Credentials ===== | |||
<pre><nowiki> | |||
sudo apt-get install nss-updatedb libnss-db libpam-cracklib libpam-ccreds | |||
</nowiki></pre> | |||
<pre><nowiki> | |||
sudo nss_updatedb ldap | |||
</nowiki></pre> | |||
<pre><nowiki> | |||
sudo auth-client-config -a -p krb5ldap.cached | |||
</nowiki></pre> | |||
==== Troubleshooting ==== | |||
If `getent passwd` doesn't show your users, you have something wrong with your LDAP configuration. Try using `ldapsearch` or similar to confirm that you are able to query the LDAP server. If that works, check your settings in `/etc/ldap.conf`. | |||
If `getent passwd` shows your users but you can't log in, it's probably a Kerberos problem. Try `kinit`. It should prompt for your Kerberos password. If that works, check that you have a TGT with `klist`. If there's no TGT at this point, there's your problem - your client can't talk to your KDC properly. DNS issues are a possibility. | |||
If you still can't log in, head over to your lifesaving root shell, and use auth-client-config to revert the settings. | |||
<pre><nowiki> | |||
auth-client-config -a -p krb5ldap -r | |||
</nowiki></pre> | |||
You may then debug at a later date without the risk of not being able to log into your system. | |||
== Application Installation == | |||
=== Apache2 === | |||
First of all you need to create a principal and keytab for the webserver: | |||
<pre><nowiki> | |||
# sudo kadmin.local | |||
kadmin> addprinc -randkey HTTP/wiki.example.com | |||
kadmin> ktadd -k /etc/apache2/auth/apache2.keytab HTTP/webserver.example.com | |||
kadmin> quit | |||
</nowiki></pre> | |||
Make sure the keytab has the right permissions and ownership: | |||
<pre><nowiki> | |||
# sudo chowm www-data:www-data /etc/apache2/auth/apache2.keytab | |||
# sudo chmod 400 /etc/apache2/auth/apache2.keytab | |||
</nowiki></pre> | |||
Install mod_auth_kerb in your linux installation. | |||
<pre><nowiki> | |||
# sudo apt-get install libapache2-mod-auth-kerb | |||
</nowiki></pre> | |||
Update your http.conf file: | |||
<pre><nowiki> | |||
<Directory /var/www/> | |||
Options Indexes FollowSymLinks MultiViews | |||
AllowOverride None | |||
Order allow,deny | |||
allow from all | |||
AuthType Kerberos | |||
AuthName "Kerberos Login" | |||
KrbAuthRealm EXAMPLE.COM | |||
Krb5Keytab /etc/apache2/auth/apache2.keytab | |||
require valid-user | |||
</Directory> | |||
</nowiki></pre> | |||
==== Further configuration ==== | |||
For configuring SSH servers to accept Kerberos authentication, see [[UbuntuHelp:AdvancedOpenSSH]]. For NFS with Kerberos, see [[UbuntuHelp:NFSv4Howto]]. | |||
TODO: | |||
* test SASL binds | * test SASL binds | ||
* information on configuring nss-updatedb and nscd to cache LDAP information | * information on configuring nss-updatedb and nscd to cache LDAP information | ||
---- | ---- | ||
[[category:CategoryDocumentation]] [[category:CategorySecurity]] | [[category:CategoryDocumentation]] [[category:CategorySecurity]] [[category:CategoryAudio]] | ||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] |
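Review bot: the Apache keytab steps create the principal `HTTP/wiki.example.com` but export `HTTP/webserver.example.com`; `ktadd` will fail because the second principal does not exist, and mod_auth_kerb will have no key for the first, so use one name, the real FQDN of the web server, in both commands. In the same block `chowm` is a typo for `chown`, `/etc/apache2/auth/` must exist before `ktadd -k` can write into it, and "http.conf" should name an actual Apache file (apache2.conf or a site file under sites-available). Elsewhere in the hunk: `TLS_REQCERT allow` in `/etc/ldap/ldap.conf` again disables certificate verification on every client; `nullok` and `nullok_secure` on the pam_unix auth and password lines permit empty local passwords and should be dropped on SSO clients; the `/etc/ldap.secret` option stores the bind password in clear on each client, which the server section already warns is readable by anyone with local root. Finally, `[[category:CategoryAudio]]` looks like a misplaced category for an SSO page.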
Revision as of 17:17, 19 October 2008 (Sun)
<!> WORK IN PROGRESS - This HOWTO is not complete! The client setup section works, however. <!>
Introduction
This page describes how to set up network-connected Ubuntu machines to support Single Sign On (SSO). SSO refers to the capability to enter your logon credentials only once and then have those credentials automatically passed on to authenticate you to other services available on your network. You will also have a central location that stores all user, group and password data for the users on your network. This solution uses OpenLDAP to provide authorization and MIT Kerberos to provide authentication. This document is divided into several sections that describe installation of the required server software, testing, and installation of software on the client. There are two functions that a Single Sign On solution must perform:
- Authentication: Determining if a user or server is who they claim to be and providing a mechanism for passing that information throughout the network.
- Authorization: Information on what privileges are possessed by authenticated entities on the network
This solution uses Keberos 5 for authentication and OpenLDAP for authorization.
Target Audience
To properly implement the practical steps found in this guide, the reader should be a user of Ubuntu who is comfortable using command-line applications in the Bourne Again SHell (bash) environment and editing system configuration files with their preferred text editor. Previous familiarity with OpenLDAP or Kerberos is not required, but the reader is advised to pursue further learning from the resources listed in the Resources section of this guide in order to broaden their understanding of the technologies involved in SSO.
Server Installation
Installing MIT Kerberos 5
Overview of Kerberos
This section describes how to install and configure a Kerberos 5 Key Distribution Center (KDC) and establish a realm for your network. The KDC holds the long-term key of every principal in the realm; a user's key is derived from the password, so this is where password data lives. Kerberos allows users and services to authenticate each other securely by exchanging encrypted tickets, so that each party can verify the other is who it claims to be. At logon the KDC issues a ticket-granting ticket (TGT); for subsequent requests the client presents the TGT to obtain service tickets without entering the password again. A more detailed explanation of Kerberos is available in the MIT Kerberos documentation.
Pre-installation Decisions
Before you install the KDC, you must decide on the following:
- What machine do you want to use as your KDC? Security of this machine is critical: whoever controls the KDC holds every principal's key and can issue tickets as any user, so it should run nothing else, accept logins only from administrators, and have its database and stash file backed up with the same care as the keys themselves.
- Determine a name for your realm. The convention is the site's DNS domain name in upper case: the site somerealm.com would use the realm name SOMEREALM.COM.
- Make sure the KDC and every client keep synchronized time (run an NTP client on all of them). Kerberos rejects requests whose timestamps differ by more than the clock-skew limit, five minutes by default, so clock drift shows up as mysterious authentication failures.
Software Installation
Once you have decided where to install the KDC, and determined your realm name, install the Kerberos server software on the machine that will be the KDC:
sudo apt-get install krb5-kdc krb5-admin-server
sudo dpkg-reconfigure krb5-kdc
The package install will step you through defining the basic Kerberos configuration parameters. Recommended settings are:
- disable Kerberos 4 compatibility mode
- do not run krb524d (daemon to convert Kerberos tickets between versions)
- defaults for the other settings are acceptable (current releases no longer ship Kerberos 4 support, so the first two questions do not appear)
The configuration file for the KDC is /etc/krb5kdc/kdc.conf. This file provides the settings for your Kerberos realm: the locations of the KDC's data files, the ports it listens on, and the default maximum lifetimes of tickets. To get it working minimally you will at least have to set the realm name. Here is an example configuration file:

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    SOMEREALM.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm
        default_principal_flags = +preauth
    }

A note on the encryption types in this example: it dates from when DES was still common. Single DES has been broken for years and is not supported at all by MIT Kerberos 1.18 and later, and triple DES has been deprecated since 1.17. For a new realm set master_key_type to aes256-cts-hmac-sha1-96 and list only AES types in supported_enctypes, for example aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal. Keep default_principal_flags = +preauth: without pre-authentication anyone can request an AS-REP for any user and crack the password offline. Port 750 is the legacy Kerberos 4 port; 88 is all that modern clients need.
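As an added example, not part of the original page: a small Python linter for the profile syntax that kdc.conf uses. It parses the sample above, flags the DES and triple-DES entries and the missing AES types, and passes once the realm stanza is rewritten for AES. The AES-only variant assumes every client in the realm runs a Kerberos library that supports AES (any MIT release since 1.3).

```python
import re

# Constructed sample: the page's kdc.conf, verbatim.
PAGE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    SOMEREALM.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm
        default_principal_flags = +preauth
    }
"""

# The same stanza with the cipher settings a current MIT KDC should use
# (assumption: all clients support AES).
HARDENED_KDC_CONF = PAGE_KDC_CONF.replace(
    "master_key_type = des3-hmac-sha1",
    "master_key_type = aes256-cts-hmac-sha1-96").replace(
    "supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm",
    "supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal")


def parse_profile(text):
    """Parse the krb5 profile syntax: [section], key = value, key = { nested }."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return root


def enctype_family(enctype):
    """Map a 'des-cbc-crc:normal' style entry to a cipher family (the ':salt' part is ignored)."""
    base = enctype.split(":", 1)[0].lower()
    if base.startswith("aes"):
        return "aes"
    if base.startswith("des3"):
        return "des3"
    if base.startswith("des"):
        return "des"
    if base.startswith(("rc4", "arcfour")):
        return "rc4"
    return "other"


WEAK = {
    "des": "single DES (56-bit key): broken; MIT krb5 1.18 and later do not support it",
    "des3": "triple DES: deprecated since MIT krb5 1.17",
    "rc4": "RC4-HMAC: deprecated since MIT krb5 1.17; key is an unsalted MD4 of the password",
}


def lint_kdc_conf(text):
    """Return (realm, finding) pairs for weak enctypes and missing hardening."""
    findings = []
    for realm, cfg in parse_profile(text).get("realms", {}).items():
        enctypes = cfg.get("supported_enctypes", "").split()
        for e in enctypes:
            fam = enctype_family(e)
            if fam in WEAK:
                findings.append((realm, f"supported_enctypes offers {e}: {WEAK[fam]}"))
        if not any(enctype_family(e) == "aes" for e in enctypes):
            findings.append((realm, "supported_enctypes has no AES entry; new keys will be weak"))
        if enctype_family(cfg.get("master_key_type", "")) != "aes":
            findings.append((realm, "master_key_type should be an AES enctype; it protects the whole database"))
        if "+preauth" not in cfg.get("default_principal_flags", ""):
            findings.append((realm, "default_principal_flags lacks +preauth (allows offline guessing via AS-REQ)"))
    return findings


if __name__ == "__main__":
    for realm, msg in lint_kdc_conf(PAGE_KDC_CONF):
        print(f"{realm}: {msg}")
    print("hardened config findings:", lint_kdc_conf(HARDENED_KDC_CONF))
```

Run it against your own kdc.conf by reading the file into `lint_kdc_conf`; an empty result is what you want before creating the realm, because keys created under weak enctypes stay weak until each principal's password is changed or `change_password -randkey` is run.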
Kerberos uses an Access Control List (ACL) to specify the access a principal has to the Kerberos admin daemon (kadmind). This file is /etc/krb5kdc/kadm5.acl. The default, shown below with the administrative rule uncommented, will suffice to get started; it gives every principal whose instance is /admin full rights over the database, so create /admin principals only for people who should administer the realm. You may need to add further ACLs depending on the needs of your network configuration.

# This file Is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to give any principal
# ending in /admin full administrative rights.
# To enable this, uncomment the following line:
*/admin@SOMEREALM.COM *
Edit /etc/krb5.conf and set your realm as the default:

[libdefaults]
    default_realm = SOMEREALM.COM

Create the Kerberos database:

sudo krb5_newrealm

You will be prompted for a master password. It is used to derive the master key that encrypts the database, and a copy of that key is written to the stash file named by key_stash_file so that the KDC can start unattended; treat the stash file with the same care as the database itself.
Creating Principals
Principals are entries in the Kerberos database that represent users, hosts, or services on your network. You will need three kinds: a user principal for each person you want to allow on the network, a host principal (host/fqdn) for each computer, and a service principal (ldap/fqdn) for your LDAP server. User principals get a password; host and service principals get a random key (`addprinc -randkey`) that is then exported with `ktadd` into a keytab on the machine that owns it (`/etc/krb5.keytab` for host principals). Use the program `kadmin` or `kadmin.local` to create principals. Running `kadmin.local` as root on the KDC lets you authenticate without having an existing principal for yourself.
Configuring DNS
It is somewhat simpler to configure Kerberos clients if some Kerberos records are present in DNS. To do this in a BIND-controlled zone requires entries like the following. Here the DNS domain is `example.com`, and the Kerberos realm is `EXAMPLE.COM`.

$ORIGIN example.com.
_kerberos       TXT "EXAMPLE.COM"
$ORIGIN _tcp.example.com.
_kerberos       SRV 0 0 88  kdc.example.com.
_kerberos-adm   SRV 0 0 749 kdc.example.com.

MIT clients look up `_kerberos._udp` before `_kerberos._tcp`, so add a matching record under `_udp.example.com.` unless you force TCP. Keep in mind that DNS is unauthenticated. Relying on the SRV lookup (dns_lookup_kdc) is generally accepted, because a rogue KDC cannot issue tickets that your services would accept; the TXT realm mapping (dns_lookup_realm), on the other hand, lets a spoofed record steer a client into a different realm and is therefore off by default in current MIT releases, so put the realm in krb5.conf instead.
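The following Python is an added example, not part of the original page. It parses the zone fragment above (extended with two constructed KDC records so that there is something to choose between) and orders the KDC candidates the way an RFC 2782 client does: lowest priority first, then weighted random choice within a priority.

```python
import random
from collections import defaultdict

# Constructed zone: the page's records plus two extra KDCs (kdc2 and backup-kdc).
ZONE = """\
$ORIGIN example.com.
_kerberos      TXT "EXAMPLE.COM"
$ORIGIN _tcp.example.com.
_kerberos      SRV 0 0 88  kdc.example.com.
_kerberos      SRV 0 0 88  kdc2.example.com.
_kerberos      SRV 10 0 88 backup-kdc.example.com.
_kerberos-adm  SRV 0 0 749 kdc.example.com.
"""


def parse_zone(text):
    """Minimal zone-file parser: honours $ORIGIN, skips ';' comments and blank lines.
    Returns (owner_fqdn, rtype, rdata_tokens); TTL and class fields are not handled."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, rtype, *rdata = line.split()
        if not owner.endswith("."):
            owner = f"{owner}.{origin}"          # relative owner -> absolute, under $ORIGIN
        records.append((owner.rstrip("."), rtype.upper(), rdata))
    return records


def realm_for_domain(records, domain):
    """The _kerberos TXT lookup a client performs when dns_lookup_realm is enabled."""
    for owner, rtype, rdata in records:
        if rtype == "TXT" and owner == f"_kerberos.{domain}":
            return rdata[0].strip('"')
    return None


def srv_records(records, service, domain, proto="tcp"):
    """All SRV records for e.g. _kerberos._tcp.example.com as (prio, weight, port, target)."""
    name = f"{service}._{proto}.{domain}"
    out = []
    for owner, rtype, rdata in records:
        if rtype == "SRV" and owner == name:
            prio, weight, port, target = rdata
            out.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return out


def order_srv(srv, rng=random):
    """RFC 2782 client ordering: ascending priority; within a priority, draw repeatedly
    with probability proportional to weight (all-zero weights degrade to list order)."""
    by_prio = defaultdict(list)
    for rec in srv:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(weight for _, weight, _, _ in pool)
            r = rng.randint(0, total)            # inclusive range, as the RFC specifies
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= r:
                    break
            ordered.append(rec)
            pool.remove(rec)
    return ordered


def kdc_candidates(zone_text, realm, rng=random):
    """What a client with dns_lookup_kdc=true tries, in order, as (host, port)."""
    records = parse_zone(zone_text)
    srv = srv_records(records, "_kerberos", realm.lower())
    return [(target, port) for _, _, port, target in order_srv(srv, rng)]


if __name__ == "__main__":
    print(realm_for_domain(parse_zone(ZONE), "example.com"))
    print(kdc_candidates(ZONE, "EXAMPLE.COM"))
```

With the weights all zero, as in the page's records, the two priority-0 KDCs are tried in zone order and backup-kdc only when both fail; give kdc2 a higher weight than kdc to shift most of the load onto it.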
Installing OpenLDAP
Overview of LDAP
LDAP is the Lightweight Directory Access Protocol. It is designed to store data records and allow for easy access to the records via a simple network interface. LDAP can provide access to directory type information such as an address book for your email client, or a list of users and groups that have access to services on your network. This guide will show you how to install OpenLDAP to use SASL binds with TLS encrypted network sessions.
Software Installation
Installing OpenLDAP
To install OpenLDAP execute the following on the machine that will be your server:
sudo apt-get install slapd libsasl2-modules-gssapi-mit
Creating SSL Certificates
Since you will be using OpenLDAP to provide authentication information to your network, you should encrypt all traffic between the server and clients with TLS. To do this you must create a key and certificate for the server. First you need a certification authority (CA) to sign the certificate: either a public CA or your own (on Fedora, `cd /etc/pki/tls/certs && make slapd.pem` does the whole job). See the UbuntuHelp:OpenSSL page for how to create a certificate authority and your own certificates. Install your CA certificate on every machine so that other software recognizes your CA as trusted; on Ubuntu, copy it to /usr/local/share/ca-certificates/ and run `sudo update-ca-certificates`. When you create the certificate for your LDAP server, make sure the Common Name (CN) matches the hostname clients will use to reach slapd, and put the same name in a subjectAltName as well, since many newer TLS clients ignore the CN. Copy both the public and private key files to `/etc/slapd/certs` (the self-signed variant below uses `/etc/ldap/ssl`; either is fine as long as slapd.conf points at it). In that directory, do the following (the slapd user and group are openldap on Ubuntu and ldap on Fedora):

sudo chown root:openldap *.pem
sudo chmod 640 *.pem
Creating self-signed Certificate
Use the following commands to create a self-signed certificate to use with your OpenLDAP server:
- Create the cert directory: `sudo mkdir -p /etc/ldap/ssl ; cd /etc/ldap/ssl`
- Create the certificate: `sudo openssl req -newkey rsa:2048 -x509 -nodes -out server.pem -keyout server.pem -days 3650`
- Answer the questions and make sure to enter the name of your server to answer the 'Common Name' question
Use at least a 2048-bit key; 1024-bit RSA is below current minimums. `-nodes` leaves the private key unencrypted (slapd has to read it at boot without a passphrase), so restrict the file to root and the openldap group as shown above. Because the certificate is self-signed, every client must be given a copy of the certificate part of server.pem (the block between BEGIN CERTIFICATE and END CERTIFICATE, never the private key) as its trusted CA certificate, or it cannot verify the server.
Configuring SSL
To use the self-signed certificate:
- edit the `slapd.conf` file and include the following lines:

TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /etc/ldap/ssl/server.pem
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.pem

The TLSCipherSuite value is OpenSSL syntax. Ubuntu's slapd is built against GnuTLS, which takes priority strings such as `SECURE256:-VERS-SSL3.0` instead. Recent releases also replace slapd.conf with the cn=config database, where the same settings are the olcTLSCipherSuite, olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile attributes of `cn=config`.
- edit `/etc/default/slapd` (on Fedora, follow the instructions in /etc/sysconfig/ldap) and include the following line:

SLAPD_SERVICES="ldaps://SERVER-NAME"

Note that the above line enables only SSL access to your OpenLDAP server (port 636): plain ldap:// on port 389 is switched off entirely, which is the simplest safe choice. The alternative is to keep ldap:// and force StartTLS on it with a `security ssf=128` directive in slapd.conf.
- Restart `slapd`
- You may test the SSL response using: `openssl s_client -connect SERVER-NAME:636 -showcerts`
- On the client machine, edit `/etc/ldap/ldap.conf` and include the following lines:

BASE YOUR-BASE
URI ldaps://SERVER-NAME
TLS_CACERT /etc/ldap/ssl/ldap-ca.pem
TLS_REQCERT demand

Replace SERVER-NAME and YOUR-BASE with the correct values, and copy the certificate part of the server's server.pem (or your CA certificate) to the path given in TLS_CACERT; the path shown is only an example. Do not be tempted to set `TLS_REQCERT allow` to get ldapsearch working without distributing the certificate: `allow` (like `never`) makes the client accept any certificate, including one presented by an attacker in the middle, which defeats the purpose of TLS for a directory that feeds NSS and PAM. `demand` is also the default, so a failing lookup at this point means the certificate or its name does not check out, not that the setting is missing.
- test using `ldapsearch -x`
Configuring LDAP
Authenticated-only mode
See UbuntuHelp:OpenLDAPServer to set up the directory structure. In addition to the general configuration there, you should have the following lines in your slapd.conf. They let Kerberos-authenticated users bind as their normal LDAP identities:

sasl-secprops noanonymous,noplain,noactive
sasl-regexp
    uid=([^/]*),cn=GSSAPI,cn=auth
    uid=$1,ou=People,dc=example,dc=com

The regexp maps the SASL identity slapd derives from a GSSAPI bind (uid=alice,cn=GSSAPI,cn=auth for the principal alice@REALM) to the entry uid=alice,ou=People,dc=example,dc=com. The `[^/]*` stops instance principals such as alice/admin from being mapped onto alice's entry. This approach isn't without difficulties, however: to log in, a client needs either an admin password for the database or a Kerberos principal that is allowed to browse the directory. Not all sites will want the LDAP admin password stored in the clear in a file on clients, since anyone with root access to a client can then read it; that is contrary to the Kerberos assumption that the KDC is trusted but clients are not. For such sites it is possible to have a 'Kerberized' way of accessing the directory that doesn't require passwords, but it's a bit of extra work. [XXX that isn't documented here yet.]
Anonymous access mode
As an alternative to requiring Kerberos or an admin password to read the directory, you could make the directory readable to all. This is an option you might want to explore on LANs, where having people able to list the directory without authentication probably isn't the end of the world, and the extra effort required to set up and renew directory-access tickets isn't really necessary. This is a more NIS-like approach to using LDAP as the directory service, but without some of NIS's more serious security problems. A small change to the above `slapd.conf` extract allows this.
sasl-secprops none,noplain,noactive
saslRegexp
    uid=([^/]*),cn=GSSAPI,cn=auth
    uid=$1,ou=People,dc=example,dc=com

As you'll find in `slapd.conf(5)`, the '`none`' option turns off the defaults ('`noanonymous,noplain`', forbidding anonymous and plaintext logins respectively), and then '`noplain`' turns plaintext authentication back off again. We want anonymous mode. We'll not be publishing crypt'ed (or otherwise hashed) passwords to everyone, though. The default `slapd.conf` has this stanza:

access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=home,dc=ae-35,dc=com" write
    by anonymous auth
    by self write
    by * none

This means that the attribute simply won't be shown to anonymous logins. We don't have to worry about other permissions; because the LDAP-stored password isn't being used, we don't have to let users write to it in order to change their password. Anonymous read access still exposes the full user and group list, home directories and login shells, which is acceptable on a trusted LAN but not for a directory reachable from the internet. [XXX This argument doesn't apply to changing the shell...]
Server Testing
Testing Kerberos 5
From the KDC, type the following, substituting one of the user principals you created:

$ kinit username

Type your password when prompted. If this was successful, you won't receive any error messages. Next, test that you got a Ticket Granting Ticket (TGT) from the KDC. To do this type the following:

$ klist

The response should look something like this (shown for the realm SOMEREALM.COM; the Kerberos 4 lines only appear on old releases):

Ticket cache: FILE:/tmp/krb5cc_5001_PpRNvF
Default principal: username@SOMEREALM.COM

Valid starting     Expires            Service principal
05/28/06 08:18:09  05/28/06 18:18:09  krbtgt/SOMEREALM.COM@SOMEREALM.COM
        renew until 05/29/06 08:18:06

Kerberos 4 ticket cache: /tmp/tkt5001
klist: You have no tickets cached

The ten-hour gap between "Valid starting" and "Expires" is the max_life from kdc.conf. Try these same two commands from another machine on your network. If these commands succeed, you have successfully installed the KDC.
Testing OpenLDAP
- test SASL binds to the OpenLDAP directory: after `kinit`, run `ldapwhoami -Y GSSAPI -H ldaps://SERVER-NAME`. It should print the DN the sasl-regexp mapped you to (for example dn:uid=username,ou=People,dc=example,dc=com). If it prints an identity ending in cn=auth instead, the bind itself worked but the regexp did not match your principal.
Client Installation
UbuntuHelp:LDAPClientAuthentication may well also be of interest, particularly for caching.
Installing required packages
You need to install these packages on all machines on your network where you want to be able to use SSO. The package names date from the 2006-era releases this page was written for; `libpam-foreground` in particular no longer exists, so drop any name apt cannot find. At the command line, type the following:

sudo apt-get install ldap-auth-client libpam-krb5 krb5-user libpam-foreground libsasl2-modules-gssapi-mit
Configuring LDAP
The ldap-auth-config package (depended upon by ldap-auth-client) has a debconf script to help you create the LDAP configuration file. This script will be run automatically when you install the package.
- The first step is to enter the URI for your LDAP server. If you followed this howto's instructions on installing your server, this URI will be ldaps://SERVER-NAME/, where SERVER-NAME is the hostname in the server certificate's Common Name. Do not use the IP address here: it would not match the certificate and verification would fail.
- Next, you need to enter the DN of your search base. Use the same DN that you used as the base for your user database.
- You will only be using LDAPv3, so choose the default on this screen.
- There's no need for local root to have full privileges over your LDAP server, so answer no here.
- If your LDAP server allows anonymous binds, you can answer 'no' here too. If you're ok with the script dropping a plaintext password in `/etc/ldap.secret`, then you can enter the password here. Otherwise, you answer 'no', but you have some work to do [XXX which is not documented here yet].
Configuring Kerberos
krb5-config has a debconf script to set up client-side Kerberos properly.
sudo dpkg-reconfigure -plow krb5-config

Enter your realm (EXAMPLE.COM, for example) when prompted. If you have set up DNS records to point to your KDC, answer yes to the relevant question. If not, you will be asked to specify the hostname of your KDC and admin server. Then edit `/etc/ldap/ldap.conf` and include the following lines:

BASE YOUR-BASE
URI ldaps://SERVER-NAME
TLS_CACERT /etc/ldap/ssl/ldap-ca.pem
TLS_REQCERT demand

Replace SERVER-NAME and YOUR-BASE with the correct values and put your CA certificate (or the server's self-signed certificate) at the TLS_CACERT path, which is only an example. Do not use `TLS_REQCERT allow`: it disables certificate checking on the client. Next edit `/etc/ldap.conf` (the nss_ldap/pam_ldap file, a different file from /etc/ldap/ldap.conf) and include the following line:

bind_policy soft

With the default `bind_policy hard`, nss_ldap keeps retrying an unreachable server with increasing back-off, so every `getent`, `ls -l` or login on a machine away from the LDAP server hangs for a long time; `soft` makes lookups fail immediately and fall through to the next NSS source instead.
Configuring PAM and NSS
auth-client-config gives us an easy way to configure NSS and PAM, but it doesn't ship a profile for LDAP plus Kerberos. Create `/etc/auth-client-config/profile.d/krb-auth-config` with the following contents (continuation lines of a multi-line value begin with a tab):

[krb5ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
pam_auth=auth sufficient pam_krb5.so
	auth required pam_unix.so nullok_secure use_first_pass
pam_account=account sufficient pam_krb5.so
	account required pam_unix.so
pam_password=password sufficient pam_krb5.so
	password required pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session required pam_unix.so
	session required pam_mkhomedir.so skel=/etc/skel/
	session optional pam_krb5.so
	session optional pam_foreground.so

[krb5ldap.cached]
nss_passwd=passwd: files ldap [NOTFOUND=return] db
nss_group=group: files ldap [NOTFOUND=return] db
nss_shadow=shadow: files ldap
pam_auth=auth required pam_env.so
	auth sufficient pam_unix.so likeauth nullok
	auth [default=ignore success=1 service_err=reset] pam_krb5.so use_first_pass
	auth [default=die success=done] pam_ccreds.so action=validate use_first_pass
	auth sufficient pam_ccreds.so action=store use_first_pass
	auth required pam_deny.so
pam_account=account sufficient pam_krb5.so
	account required pam_unix.so
pam_password=password sufficient pam_krb5.so
	password required pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session required pam_unix.so
	session required pam_mkhomedir.so skel=/etc/skel/
	session optional pam_krb5.so
	session optional pam_foreground.so

In the krb5ldap auth stack pam_krb5 comes first and is sufficient, so a correct Kerberos password grants access on its own; pam_unix with use_first_pass then lets local accounts such as root log in at the same prompt. The cached profile adds pam_ccreds: after a Kerberos success, `success=1` jumps over the validate step and the store step records a hash of the password; if the KDC is unreachable (`service_err`) the stack state is reset and the cached hash is validated instead. The `min=4 max=8 md5` options on pam_unix are legacy settings for local passwords and have no effect on Kerberos passwords.
Now we can do the actual configuration. It's probably a good idea to have a root shell open while doing this, just in case something breaks.
sudo auth-client-config -a -p krb5ldap
At this stage, everything should work! Try `getent passwd` and `getent group` to check that users and groups from LDAP are appearing properly. Log in as one of the LDAP users, and use `klist` to confirm that you were automatically granted a TGT. Running `passwd` should change your Kerberos password.
Cached Credentials
To let users log in while the KDC and LDAP server are unreachable (laptops, for instance), cache both the directory data and a hash of the last password that authenticated successfully:

sudo apt-get install nss-updatedb libnss-db libpam-cracklib libpam-ccreds
sudo nss_updatedb ldap
sudo auth-client-config -a -p krb5ldap.cached

`nss_updatedb ldap` copies the passwd and group maps into the Berkeley DB files that the `db` NSS source reads; re-run it (from cron, say) to pick up directory changes. pam_ccreds stores a hash of the password on every successful Kerberos login and validates against it when pam_krb5 cannot reach the KDC. That cached hash is an offline-crackable copy of the user's password, so make sure /var/cache/.security.db stays readable by root only.
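To see why the krb5ldap.cached auth stack behaves as it does, here is an added Python example (not from the page, auth-client-config or Linux-PAM) that implements the control-flag rules from pam.conf(5) and walks the stack for several scenarios. The module return values in each scenario are assumptions chosen to illustrate that scenario (pam_unix returning user_unknown for a directory user, pam_krb5 returning service_err when the KDC is down); nothing here talks to a real KDC.

```python
# Control-flag rules from pam.conf(5). Actions: ok, done, bad, die, ignore, reset, N (jump).
SHORTHAND = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# The pam_auth stack of the krb5ldap.cached profile, copied from the page.
CACHED_AUTH_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth [default=ignore success=1 service_err=reset] pam_krb5.so use_first_pass
auth [default=die success=done] pam_ccreds.so action=validate use_first_pass
auth sufficient pam_ccreds.so action=store use_first_pass
auth required pam_deny.so
"""


def parse_stack(text):
    """Turn 'auth <control> <module> [args]' lines into (control_map, module_spec)."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _type, rest = line.split(None, 1)
        if rest.startswith("["):                   # explicit [value=action ...] syntax
            ctrl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=", 1) for kv in ctrl.split())
        else:
            ctrl, rest = rest.split(None, 1)
            control = SHORTHAND[ctrl]
        stack.append((control, rest.strip()))
    return stack


def run_stack(stack, outcomes):
    """Dispatch like Linux-PAM: 'impression' is the first decisive verdict so far and
    'status' the return code that produced it. outcomes maps module spec -> return value;
    modules not listed are assumed to return success."""
    impression, status, skip = None, "perm_denied", 0
    for control, spec in stack:
        if skip:                                   # jumped over by an earlier 'success=N'
            skip -= 1
            continue
        retval = outcomes.get(spec, "success")
        action = control.get(retval, control.get("default", "bad"))
        if action.isdigit():                       # N: behave like 'ok', then skip N modules
            skip, action = int(action), "ok"
        if action == "ignore":
            continue
        if action == "reset":                      # forget everything decided so far
            impression, status = None, "perm_denied"
        elif action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break                              # the 'sufficient' short-circuit
        elif action in ("bad", "die"):
            if impression != "neg":                # the first failure is what gets reported
                impression, status = "neg", retval
            if action == "die":
                break
    return status


STACK = parse_stack(CACHED_AUTH_STACK)
UNIX = "pam_unix.so likeauth nullok"
KRB5 = "pam_krb5.so use_first_pass"
VALIDATE = "pam_ccreds.so action=validate use_first_pass"
STORE = "pam_ccreds.so action=store use_first_pass"
DENY = "pam_deny.so"


# Scenarios for a directory user: pam_unix does not know them, pam_deny always fails.
def online_good_password():
    return run_stack(STACK, {UNIX: "user_unknown", DENY: "auth_err"})

def offline_with_cached_creds():          # KDC unreachable, cached hash matches
    return run_stack(STACK, {UNIX: "user_unknown", KRB5: "service_err", DENY: "auth_err"})

def offline_wrong_password():
    return run_stack(STACK, {UNIX: "user_unknown", KRB5: "service_err",
                             VALIDATE: "auth_err", DENY: "auth_err"})

def online_wrong_password():
    return run_stack(STACK, {UNIX: "user_unknown", KRB5: "auth_err",
                             VALIDATE: "auth_err", DENY: "auth_err"})

def online_good_password_store_fails():   # e.g. the ccreds database is not writable
    return run_stack(STACK, {UNIX: "user_unknown", STORE: "system_err", DENY: "auth_err"})

def local_root():                          # pam_unix succeeds, the KDC is never consulted
    return run_stack(STACK, {KRB5: "service_err", DENY: "auth_err"})


if __name__ == "__main__":
    for scenario in (online_good_password, offline_with_cached_creds, offline_wrong_password,
                     online_wrong_password, online_good_password_store_fails, local_root):
        print(f"{scenario.__name__}: {scenario()}")
```

Two results are worth noticing. A wrong password is rejected by the validate step (`default=die`) whether or not the KDC is reachable, so the cache never weakens the check. And because the store step is only `sufficient`, a Kerberos success that cannot be cached falls through to pam_deny and the login fails; if the ccreds database is unwritable, good passwords stop working, which is the first thing to check when a freshly deployed cached profile locks everyone out.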
Troubleshooting
If `getent passwd` doesn't show your users, you have something wrong with your LDAP configuration. Try using `ldapsearch` or similar to confirm that you are able to query the LDAP server. If that works, check your settings in `/etc/ldap.conf`. If `getent passwd` shows your users but you can't log in, it's probably a Kerberos problem. Try `kinit`. It should prompt for your Kerberos password. If that works, check that you have a TGT with `klist`. If there's no TGT at this point, there's your problem: your client can't talk to your KDC properly. DNS issues and clock skew (compare `date` on the client and the KDC) are the usual causes. If you still can't log in, head over to your lifesaving root shell, and use auth-client-config to revert the settings.
auth-client-config -a -p krb5ldap -r
You may then debug at a later date without the risk of not being able to log into your system.
Application Installation
Apache2
First of all you need to create a principal and keytab for the webserver. The service name is always HTTP, and the host part must be the fully qualified name that appears in the URLs users visit, because the browser builds the service principal HTTP/<hostname> from the URL; here the server is webserver.example.com. Create the directory for the keytab first, then run kadmin:

sudo mkdir -p /etc/apache2/auth
sudo kadmin.local
kadmin.local:  addprinc -randkey HTTP/webserver.example.com
kadmin.local:  ktadd -k /etc/apache2/auth/apache2.keytab HTTP/webserver.example.com
kadmin.local:  quit

If the web server is not the KDC, run these on the KDC and copy the keytab over a secure channel, or use `kadmin` remotely with an /admin principal that the ACL allows to add principals and extract keys. Make sure the keytab has the right permissions and ownership; the Apache worker process needs only to read it and should not own it:

sudo chown root:www-data /etc/apache2/auth/apache2.keytab
sudo chmod 440 /etc/apache2/auth/apache2.keytab

Install mod_auth_kerb:

sudo apt-get install libapache2-mod-auth-kerb

Then protect the directory in your Apache configuration (on Ubuntu, the site file under /etc/apache2/sites-available/):

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealm EXAMPLE.COM
    Krb5Keytab /etc/apache2/auth/apache2.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    require valid-user
</Directory>

KrbMethodK5Passwd defaults to On, which makes mod_auth_kerb fall back to HTTP Basic authentication and verify the password itself; that sends the user's Kerberos password to the web server on every request, which is exactly what SSO is meant to avoid, so turn it off unless you must support clients without Negotiate support (and then only over HTTPS). The `Order` and `allow` lines are Apache 2.2 syntax; on 2.4 drop them and let `require valid-user` be the only access rule (adding `Require all granted` alongside it would let anyone in). Note also that mod_auth_kerb has been superseded by mod_auth_gssapi (libapache2-mod-auth-gssapi) on current releases.
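Added example, not from the page or from MIT Kerberos: a Python writer and parser for the keytab file format (version 0x0502) that ktadd produces, plus the two checks worth running on /etc/apache2/auth/apache2.keytab before debugging Apache: whether the principal the browser will ask for is actually present, and whether any key uses a weak encryption type. The sample keytab is constructed in the code with zero-filled keys for the webserver.example.com principal above; the second audit call shows what the check reports when addprinc and ktadd were given different hostnames.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 16, 23}
KRB5_NT_PRINCIPAL = 1                     # name type kadmin records for ordinary principals


def _counted(b):
    """Keytab 'counted octet string': 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """entries: dicts with principal ('HTTP/host@REALM'), kvno, enctype, key, timestamp."""
    out = bytearray(b"\x05\x02")         # format version 2: all integers big-endian
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.get("name_type", KRB5_NT_PRINCIPAL), e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">H", e["enctype"]) + _counted(e["key"])
        body += struct.pack(">I", e["kvno"])   # 32-bit kvno; modern writers always append it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of entry dicts. A negative length prefix marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 (0x0502) is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def _parse_entry(b):
    off = 0

    def take(fmt):
        nonlocal off
        vals = struct.unpack_from(fmt, b, off)
        off += struct.calcsize(fmt)
        return vals

    def counted():
        nonlocal off
        (n,) = take(">H")
        s = b[off:off + n]
        off += n
        return s

    (ncomp,) = take(">H")                 # in version 2 the count excludes the realm
    realm = counted().decode()
    comps = [counted().decode() for _ in range(ncomp)]
    name_type, timestamp, vno8 = take(">IIB")
    (enctype,) = take(">H")
    key = counted()
    kvno = vno8
    if off + 4 <= len(b):                 # optional 32-bit kvno wins when present and non-zero
        (vno32,) = take(">I")
        if vno32:
            kvno = vno32
    return {"principal": "/".join(comps) + "@" + realm, "kvno": kvno, "enctype": enctype,
            "enctype_name": ENCTYPES.get(enctype, f"enctype-{enctype}"), "key": key,
            "timestamp": timestamp, "name_type": name_type}


def audit_keytab(data, expected_principal):
    """Is the principal the client will request present, and is every key a strong enctype?"""
    entries = parse_keytab(data)
    findings = []
    if not any(e["principal"] == expected_principal for e in entries):
        findings.append(f"missing {expected_principal}; clients will get a Kerberos error")
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"{e['principal']} kvno {e['kvno']}: weak enctype {e['enctype_name']}")
    return findings


# Constructed sample: an AES key plus, for illustration, a single-DES key, both kvno 2.
# Keys are zero-filled placeholders; the timestamp is 2006-05-28, matching the page's era.
SAMPLE = build_keytab([
    {"principal": "HTTP/webserver.example.com@EXAMPLE.COM", "kvno": 2, "enctype": 18,
     "key": b"\0" * 32, "timestamp": 1148800000},
    {"principal": "HTTP/webserver.example.com@EXAMPLE.COM", "kvno": 2, "enctype": 1,
     "key": b"\0" * 8, "timestamp": 1148800000},
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        print(e["kvno"], e["enctype_name"], e["principal"])
    print(audit_keytab(SAMPLE, "HTTP/webserver.example.com@EXAMPLE.COM"))
    print(audit_keytab(SAMPLE, "HTTP/wiki.example.com@EXAMPLE.COM"))
```

To check the real file, read `/etc/apache2/auth/apache2.keytab` in binary mode and pass the bytes to `audit_keytab` with the principal for your hostname; the kvno it prints must match the one `kvno HTTP/webserver.example.com` reports from a client, since a keytab left behind after `addprinc -randkey` was re-run will have a stale kvno and every Negotiate attempt will fail.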
Further configuration
For configuring SSH servers to accept Kerberos authentication, see UbuntuHelp:AdvancedOpenSSH. For NFS with Kerberos, see UbuntuHelp:NFSv4Howto. TODO:
- test SASL binds
- information on configuring nss-updatedb and nscd to cache LDAP information