Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 6 Configuring the Kerberos Server with LDAP

Configuration Files for LDAP Integration

You must configure the LDAP configuration files listed in Table 6-1 “LDAP Configuration Files” before setting up your Kerberos server. This chapter describes these configuration files in detail.

The krbsetup autoconfiguration tool generates these files, based on your input. Alternatively, you can manually edit the sample configuration files available in the /opt/krb5/examples directory. HP recommends that you use the autoconfiguration tool to generate these files.

Table 6-1 LDAP Configuration Files

File               Function
krb5_ldap.conf     Contains the LDAP configuration parameters and values. The Kerberos server uses this file to connect to the Directory server.
krb5_schema.conf   Describes the object and attribute definitions that define the structure of the Kerberos principal entries in the LDAP database.
krb5_map.conf      Defines the mapping from the default Kerberos attributes to the user-defined attributes.

The krb5_ldap.conf File

The krb5_ldap.conf file is the primary configuration file. It contains information about the LDAP configuration parameters and values for the Kerberos server.

If the krb5_ldap.conf file is not present in the /opt/krb5 directory, then the Kerberos Server assumes that C-tree is the backend database.

This file is generated automatically based on the input provided by you while autoconfiguring the Kerberos server. Alternatively, a sample file is available in the /opt/krb5/examples directory. You can copy this file to the /opt/krb5 directory, and manually edit it. HP recommends that you use the autoconfiguration tool to generate this file.

This file must reside in the /opt/krb5 directory and must have the following permissions:

-rw-------      root       3 sys

The krb5_ldap.conf File Format

Following is the format of the krb5_ldap.conf file:

ldap_enabled = 1
directory_servers = fox.bambi.com:389
base_dn_for_search = o=bambi.com
security_mech = password
proxy_user = cn=Directory Manager
proxy_user_password = <#$%^&*0#$0^&@1!$^%#10^0%>
default_object_template = account
default_princ_subtree = ou=People,o=bambi.com
default_objcls_attr = uid

Use the krb5_encrypt tool to set the proxy_user_password field in the /opt/krb5/krb5_ldap.conf file. You must regenerate this field whenever you change the password of the proxy user or the master key. The encryption key type and the master key type must be the same; otherwise, the Kerberos server cannot connect to the LDAP server. Table 6-2 “krb5_ldap.conf File Format” describes each parameter in the krb5_ldap.conf file.

Table 6-2 krb5_ldap.conf File Format

Parameter and description

ldap_enabled

This line indicates whether you have enabled LDAP as the backend database: 1 indicates that LDAP is enabled, and 0 indicates that it is not.

directory_server

This line specifies a space-separated list of LDAP servers.

Example: fox.bambi.com:389 deer.bambi.com

base_dn_for_search

This line specifies the default base DN for search: the root of the directory tree on the Directory server below which the Kerberos server searches for Kerberos principals.

Example: ou=People, o=bambi.com

default_princ_subtree

This line specifies the default principal subtree DN, under which all Kerberos principals are added by default if no LDAP entry is specified when a Kerberos principal is created. The default principal subtree DN must be located under the default base DN for search.

Example: ou=people, o=bambi.com

security_mech

This line specifies the security mechanism used to connect to the LDAP server. Currently, the supported mechanisms are Secure Sockets Layer (SSL) and PASSWORD.

default_object_template

This line specifies the structural object class that is added by default.

Example: posixaccount

default_objcls_attr

This line specifies the mandatory attribute of the default object class.

Example: uid

When the Kerberos server creates a default object, it uses the first attribute specified in this field as the naming attribute. When a principal is added, an error message is displayed if duplicate entries are found.

You can change the naming attribute by changing the order of the entries in this field in the krb5_ldap.conf file. Save the change and restart the Kerberos server.

proxy_user

This line specifies the DN of the proxy user. The Kerberos server binds to the Directory server as the proxy user, so the proxy user must have the privileges required to create, modify, and delete Kerberos principals.

Example: cn=Anne

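The following Python script is an added example, not code from this guide or from the HP Kerberos server or krbsetup. It parses a file in the krb5_ldap.conf layout shown above and checks the rules this section states: ldap_enabled is 0 or 1, security_mech is password or ssl, default_princ_subtree lies under base_dn_for_search, and the file is mode 0600 and owned by root. The sample configuration, the placeholder password value, the key = value splitting rule, and the assumption that default_objcls_attr can list several attributes separated by spaces or commas are all constructed for the example.

```python
"""Added example (not HP's krbsetup or Kerberos server code): parse a
krb5_ldap.conf-style file and check it against the rules this section states.
Assumes the 'parameter = value' layout shown in the guide."""
import os
import stat

# Constructed sample in the layout shown in the guide. The password value is a
# placeholder standing in for the krb5_encrypt output, not a real key.
SAMPLE_CONF = """\
ldap_enabled = 1
directory_servers = fox.bambi.com:389 deer.bambi.com
base_dn_for_search = o=bambi.com
security_mech = password
proxy_user = cn=Directory Manager
proxy_user_password = <ENCRYPTED-PLACEHOLDER>
default_object_template = account
default_princ_subtree = ou=People,o=bambi.com
default_objcls_attr = uid
"""

REQUIRED = ("ldap_enabled", "directory_servers", "base_dn_for_search",
            "security_mech", "proxy_user", "proxy_user_password",
            "default_object_template", "default_princ_subtree",
            "default_objcls_attr")


def parse_conf(text):
    """Return {parameter: value}. Split on the first '=' only, so a DN value
    such as cn=Directory Manager keeps its own '='."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed line: %r" % raw)
        conf[key.strip()] = value.strip()
    return conf


def dn_rdns(dn):
    """Split a DN into normalised RDNs (surrounding spaces dropped, lower-cased).
    Simplification: commas escaped inside an RDN value are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_is_under(child, parent):
    """True when child is parent itself or lies beneath it in the tree, i.e.
    parent's RDN sequence is a suffix of child's."""
    c, p = dn_rdns(child), dn_rdns(parent)
    return len(c) >= len(p) and c[-len(p):] == p


def naming_attribute(conf):
    """The guide says the first attribute listed in default_objcls_attr is the
    naming attribute; assumption: the list is separated by spaces or commas."""
    return conf["default_objcls_attr"].replace(",", " ").split()[0]


def check_conf(conf):
    """Return a list of problems; an empty list means the file passes."""
    problems = ["missing parameter: " + k for k in REQUIRED if k not in conf]
    if problems:
        return problems
    if conf["ldap_enabled"] not in ("0", "1"):
        problems.append("ldap_enabled must be 0 or 1")
    if not conf["directory_servers"].split():
        problems.append("directory_servers is empty")
    if conf["security_mech"].lower() not in ("password", "ssl"):
        problems.append("security_mech must be password or ssl")
    if not dn_is_under(conf["default_princ_subtree"], conf["base_dn_for_search"]):
        problems.append("default_princ_subtree is not under base_dn_for_search")
    return problems


def mode_is_private(st_mode):
    """The guide requires -rw------- on krb5_ldap.conf (it holds the encrypted
    proxy password): exactly 0600, no group or other bits."""
    return stat.S_IMODE(st_mode) == 0o600


def check_file(path):
    """Combine the ownership/permission checks and the content checks for a
    real file on disk."""
    problems = []
    st = os.stat(path)
    if not mode_is_private(st.st_mode):
        problems.append("%s must be mode 0600, found %04o"
                        % (path, stat.S_IMODE(st.st_mode)))
    if st.st_uid != 0:
        problems.append("%s must be owned by root" % path)
    with open(path) as fh:
        problems.extend(check_conf(parse_conf(fh.read())))
    return problems


if __name__ == "__main__":
    print(check_conf(parse_conf(SAMPLE_CONF)))   # [] for the sample above
```

Run check_file("/opt/krb5/krb5_ldap.conf") on a server to get both the permission findings and the content findings in one list; the DN containment check is the one most often missed when the file is edited by hand, because a subtree outside the search base is syntactically valid but makes principals unreachable.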

The krb5_schema.conf File

A schema is a collection of object and attribute definitions that define the structure of the entries in a database. The krb5_schema.conf file is the Kerberos schema file; it contains the object and attribute definitions for the Kerberos principal entries. LDAP objects are standardized to provide interoperability with a variety of directory services. The krb5_schema.conf file defines the following:

  • Type of object classes

  • Attributes of the object classes

  • Optional attributes

  • Syntax of each attribute

For example, a schema can define a person object class. The person schema might require that a person have a surname attribute that is a character string. It also specifies that a person entry can optionally have a telephoneNumber attribute that is a string of numbers with spaces and hyphens.

The krb5_schema.conf file is automatically generated based on the input provided by you while autoconfiguring the Kerberos server. Alternatively, a sample file is available in the /opt/krb5/examples directory. You can copy this file to the /opt/krb5 directory, and manually edit it. HP recommends that you use the autoconfiguration tool to generate this file.

This file must reside in the /opt/krb5 directory and must have the following permissions:

-rw-r--r--      root       3

The krb5_schema.conf File Format

Following is the format of the krb5_schema.conf file:

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( hpKrbPrincipalName-oid NAME 'hpKrbPrincipalName' DESC 'Kerberos principal identity for a user in the form <principal>@<realm>' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( hpKrbMaxTicketAge-oid NAME 'hpKrbMaxTicketAge' DESC 'Value defining the maximum lifetime of a user ticket' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetypes: ( hpKrbMaxRenewAge-oid NAME 'hpKrbMaxRenewAge' DESC 'Value defining the maximum renewable lifetime of a ticket' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetypes: ( hpKrbAccountExpires-oid NAME 'hpKrbAccountExpires' DESC 'Value used to compute date and time when account will expire' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetypes: ( hpKrbPasswordExpireTime-oid NAME 'hpKrbPasswordExpireTime' DESC 'A value indicating the date and time when the password expires' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetypes: ( hpKrbPwdLastSet-oid NAME 'hpKrbPwdLastSet' DESC 'A value that stores the date and time when the password was last set' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetypes: ( hpKrbLastLogon-oid NAME 'hpKrbLastLogon' DESC 'A value used to compute date and time of last successful logon' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetypes: ( hpKrbBadPasswordTime-oid NAME 'hpKrbBadPasswordTime' DESC 'Value used to compute date and time of last unsuccessful logon attempt' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetypes: ( hpKrbBadPwdCount-oid NAME 'hpKrbBadPwdCount' DESC 'Number of unsuccessful attempts to authenticate with this account' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetypes: ( hpKrbModifiersName-oid NAME 'hpKrbModifiersName' DESC 'The last modifier of any attribute associated with a principal entry' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( hpKrbModifyTimestamp-oid NAME 'hpKrbModifyTimestamp' DESC 'The date and time when the identity specified in the hpKrbModifiersName attribute made the last modification' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetypes: ( hpKrbAttributes-oid NAME 'hpKrbAttributes' DESC 'A value containing one or more flags' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetypes: ( hpKrbPolicyName-oid NAME 'hpKrbPolicyName' DESC 'The Kerberos password policy to which this principal subscribes' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( hpKrbKeyVersion-oid NAME 'hpKrbKeyVersion' DESC 'Version of a secret key; a monotonic increasing number beginning with 1' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetypes: ( hpKrbKeyData-oid NAME 'hpKrbKeyData' DESC 'A set of values with each value containing an encrypted key and information about the encrypted key.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributetypes: ( hpkrbAuthzData-oid NAME 'hpkrbAuthzData' DESC 'Other Authorization Data.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
add: objectClasses
objectClasses: ( hpKrbPrincipal-oid NAME 'hpKrbPrincipal' DESC 'An auxiliary class for use in configuring an entry to represent a Kerberos principal.' SUP top AUXILIARY MAY ( hpKrbPrincipalName $ hpKrbMaxTicketAge $ hpKrbMaxRenewAge $ hpKrbAccountExpires $ hpKrbPasswordExpireTime $ hpKrbPwdLastSet $ hpKrbLastLogon $ hpKrbBadPasswordTime $ hpKrbBadPwdCount $ hpKrbModifiersName $ hpKrbModifyTimestamp $ hpKrbAttributes $ hpKrbPolicyName $ hpkrbAuthzData ) )
objectClasses: ( hpKrbKey-oid NAME 'hpKrbKey' DESC 'A structural object class used for configuring the principal name of an associated principal entry.' SUP top STRUCTURAL MUST ( hpKrbPrincipalName ) MAY ( hpKrbKeyVersion $ hpKrbKeyData ) )

The krb5_map.conf File

The krb5_map.conf mapping file defines the mapping of the default Kerberos attributes to user-defined attributes, to support the Kerberos server schema. The Kerberos server uses this map file to translate Kerberos attribute names to LDAP attribute names. Each entry in the mapping file represents the translation for one attribute.

The krb5_map.conf file is automatically generated based on the input provided by you while autoconfiguring the Kerberos server. Alternatively, a sample file is available in the /opt/krb5/examples directory. You can copy this file to the /opt/krb5 directory, and manually edit it. HP recommends that you use the autoconfiguration tool to generate this file.

This file must reside in the /opt/krb5 directory and must have the following permissions:

-rw-r--r--      root       3

The krb5_map.conf File Format

Following is the format of the default mapping file:

hpKrbPrincipalName = hpKrbPrincipalName
hpKrbMaxTicketAge = hpKrbMaxTicketAge
hpKrbMaxRenewAge = hpKrbMaxRenewAge
hpKrbAccountExpires = hpKrbAccountExpires
hpKrbPasswordExpireTime = hpKrbPasswordExpireTime
hpKrbPwdLastSet = hpKrbPwdLastSet
hpKrbLastLogon = hpKrbLastLogon
hpKrbBadPasswordTime = hpKrbBadPasswordTime
hpKrbBadPwdCount = hpKrbBadPwdCount
hpKrbModifiersName = hpKrbModifiersName
hpKrbModifyTimestamp = hpKrbModifyTimestamp
hpKrbAttributes = hpKrbAttributes
hpKrbPolicyName = hpKrbPolicyName
hpKrbAuthzData = hpKrbAuthzData
hpKrbKeyVersion = hpKrbKeyVersion
hpKrbKeyData = hpKrbKeyData
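The following Python script is an added example covering both the krb5_schema.conf and krb5_map.conf sections above; it is not code from this guide or from the HP Kerberos server or krbsetup. It reads the attributetypes and objectClasses definitions out of an LDIF fragment in the layout of the schema file, reads a mapping file in the kerberos-name = ldap-name layout, and checks that every map target is an attribute the schema defines and that every attribute an object class requires (MUST) is reachable through the map. The schema excerpt and the map below are constructed samples, and the continuation-line handling follows the LDIF convention of a leading space rather than anything the guide states about HP's parser.

```python
"""Added example (not HP's Kerberos server or krbsetup code): extract the
attribute and object class definitions from a krb5_schema.conf-style LDIF
fragment and check a krb5_map.conf-style mapping against them.
Assumes the layouts shown in this section; the samples are constructed."""
import re

# Constructed schema excerpt in the shape of the guide's file (three attributes
# and one object class are enough to exercise the checks). Continuation lines
# start with a single space, as in LDIF.
SAMPLE_SCHEMA = """\
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( hpKrbPrincipalName-oid NAME 'hpKrbPrincipalName'
  DESC 'Kerberos principal identity' EQUALITY caseExactMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( hpKrbKeyVersion-oid NAME 'hpKrbKeyVersion'
  DESC 'Version of a secret key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetypes: ( hpKrbKeyData-oid NAME 'hpKrbKeyData'
  DESC 'Encrypted key material' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
add: objectClasses
objectClasses: ( hpKrbKey-oid NAME 'hpKrbKey' SUP top STRUCTURAL
  MUST ( hpKrbPrincipalName ) MAY ( hpKrbKeyVersion $ hpKrbKeyData ) )
"""

# Constructed map in the guide's 'kerberos name = LDAP attribute name' layout.
SAMPLE_MAP = """\
hpKrbPrincipalName = hpKrbPrincipalName
hpKrbKeyVersion    = hpKrbKeyVersion
hpKrbKeyData       = hpKrbKeyData
"""

NAME_RE = re.compile(r"\bNAME\s+'([^']+)'")
SYNTAX_RE = re.compile(r"\bSYNTAX\s+([0-9.]+)")
SINGLE_RE = re.compile(r"\bSINGLE-VALUE\b")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def attr_list(definition, keyword):
    """Attribute names after MUST or MAY: either '( a $ b )' or a bare name."""
    m = re.search(r"\b%s\s+\(([^)]*)\)" % keyword, definition)
    if m:
        return [a.strip() for a in m.group(1).split("$") if a.strip()]
    m = re.search(r"\b%s\s+([A-Za-z][\w-]*)" % keyword, definition)
    return [m.group(1)] if m else []


def parse_schema(text):
    """Return (attrs, classes): attribute name -> syntax and single-value flag,
    object class name -> MUST and MAY attribute lists."""
    attrs, classes = {}, {}
    for line in unfold_ldif(text):
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key not in ("attributetypes", "objectclasses"):
            continue
        name = NAME_RE.search(value)
        if not name:
            raise ValueError("definition without NAME: " + value)
        if key == "attributetypes":
            syntax = SYNTAX_RE.search(value)
            attrs[name.group(1)] = {"syntax": syntax.group(1) if syntax else None,
                                    "single_value": bool(SINGLE_RE.search(value))}
        else:
            classes[name.group(1)] = {"must": attr_list(value, "MUST"),
                                      "may": attr_list(value, "MAY")}
    return attrs, classes


def parse_map(text):
    """Return {Kerberos attribute name: LDAP attribute name}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        krb, sep, ldap = line.partition("=")
        if not sep:
            raise ValueError("malformed map line: %r" % raw)
        mapping[krb.strip()] = ldap.strip()
    return mapping


def check_map(mapping, attrs, classes):
    """Every map target must be a schema attribute, and every attribute an
    object class requires must be reachable through the map."""
    problems = ["%s maps to %s, which the schema does not define" % (k, v)
                for k, v in mapping.items() if v not in attrs]
    for cls, spec in classes.items():
        for attr in spec["must"]:
            if attr not in mapping.values():
                problems.append("%s requires %s but nothing maps to it" % (cls, attr))
    return problems


def translate(entry, mapping):
    """Rename the Kerberos attribute names of an entry to their LDAP names."""
    return {mapping.get(k, k): v for k, v in entry.items()}
```

A mismatch between the two files is silent at the file level (both parse), so checking the map against the schema before restarting the Kerberos server is cheaper than diagnosing a principal whose key attributes cannot be written.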
© 2007 Hewlett-Packard Development Company, L.P.