I integrated Kerberos with LDAP myself, i.e. the Kerberos KDC uses LDAP as its principal database. Running the commands:
# kadmin.local
kadmin.local: addprinc test
reported the following error:
Cause:
A permissions problem. kadmind binds to LDAP as the configured ldap_kadmind_dn (cn=root,dc=example,dc=com), but that DN has no write access to the Kerberos container cn=kerberos,dc=example,dc=com in the LDAP database, so the principal cannot be created.
My /etc/krb5.conf is as follows:
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = EXAMPLE.COM
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
EXAMPLE.COM = {
admin_server = c2bde55
kdc = c2bde55
max_renewable_life = 30m
database_module = openldap_ldapconf
}
[domain_realm]
.example.com = EXAMPLE.COM
[dbdefaults]
ldap_kerberos_container_dn = cn=kerberos,dc=example,dc=com
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_servers = ldapi://
ldap_kerberos_container_dn = cn=kerberos,dc=example,dc=com
ldap_kdc_dn = "cn=root,dc=example,dc=com"
ldap_kadmind_dn = "cn=root,dc=example,dc=com"
ldap_service_password_file = /etc/krb5.ldap
ldap_conns_per_server = 5
}
Solution:
Change the default permissions of the LDAP database.
Go to the /etc/openldap/slapd.d directory and inspect the database configuration:
cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
It shows the stock defaults, for example:
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
Neither matches the dc=example,dc=com tree referenced in krb5.conf. Create a file modify.ldif with the following content:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
# Temporary lines to allow initial setup
olcRootDN: uid=ldapadmin,ou=people,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
# rootDN password; a {SSHA} hash generated with slappasswd is preferable to a cleartext value
olcRootPW: 12345678

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
# Everyone can read the root DSE (empty base DN)
olcAccess: {0}to dn.base="" by * read
# The ldapadmin DN and the cn=root DN that the KDC and kadmind bind as get full write access; everyone else can read
olcAccess: {1}to * by dn="uid=ldapadmin,ou=people,dc=example,dc=com" write by dn="cn=root,dc=example,dc=com" write by * read
Import the updated configuration with the following command (run it as root: SASL EXTERNAL over ldapi:/// authenticates by the local Unix uid, and only uid 0 has write access to cn=config by default):
$ ldapmodify -Y EXTERNAL -H ldapi:/// -f modify.ldif
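As an added example (not part of the original post), here is a small Python pre-flight check that reproduces the diagnosis above offline: it reads the kldap settings from krb5.conf and the olcSuffix, olcRootDN and olcAccess values from the slapd config, and reports when the Kerberos container lies outside the database suffix or when a KDC/kadmind bind DN is neither the rootDN nor explicitly granted write. The sample inputs are constructed from the configs shown on this page, and the ACL check is a simplified string match, not a full slapd access evaluation.

```python
import re

# Constructed samples modelled on the configs in this post (not the author's actual files)
KRB5_CONF = """[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = cn=kerberos,dc=example,dc=com
ldap_kdc_dn = "cn=root,dc=example,dc=com"
ldap_kadmind_dn = "cn=root,dc=example,dc=com"
}"""
# slapd database config as shipped (before the fix): stock suffix and rootDN
SLAPD_BEFORE = """olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com"""
# slapd database config after applying modify.ldif
SLAPD_AFTER = """olcSuffix: dc=example,dc=com
olcRootDN: uid=ldapadmin,ou=people,dc=example,dc=com
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to * by dn="uid=ldapadmin,ou=people,dc=example,dc=com" write by dn="cn=root,dc=example,dc=com" write by * read"""

def norm_dn(dn):
    """Lower-case a DN and drop whitespace around ',' and '=' so DNs compare as plain strings."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().strip('"')).lower()

def krb5_ldap_settings(text):
    """Collect the ldap_* settings of the kldap module from a krb5.conf fragment."""
    settings = {}
    for m in re.finditer(r"^\s*(ldap_\w+)\s*=\s*(.+?)\s*$", text, re.M):
        settings[m.group(1)] = m.group(2).strip('"')
    return settings

def slapd_values(text, attr):
    """Return every value of one attribute from a cn=config LDIF fragment."""
    return [m.group(1) for m in re.finditer(rf"^{attr}:\s*(.+?)\s*$", text, re.M)]

def check_kdc_access(krb5_text, slapd_text):
    """Return the problems that would make 'addprinc' fail with a permission error (empty list = OK)."""
    problems = []
    cfg = krb5_ldap_settings(krb5_text)
    suffix = norm_dn(slapd_values(slapd_text, "olcSuffix")[0])
    rootdn = norm_dn(slapd_values(slapd_text, "olcRootDN")[0])
    container = norm_dn(cfg["ldap_kerberos_container_dn"])
    if not (container == suffix or container.endswith("," + suffix)):
        problems.append(f"container {container} is outside suffix {suffix}")
    # simplified ACL check: a bind DN may write if it is the rootDN or an olcAccess names it with 'write'
    acls = norm_dn(" ".join(slapd_values(slapd_text, "olcAccess")))
    for key in ("ldap_kdc_dn", "ldap_kadmind_dn"):
        dn = norm_dn(cfg[key])
        if dn != rootdn and not re.search(rf'by dn="{re.escape(dn)}" write', acls):
            problems.append(f"{key}={dn} has no write access")
    return problems
```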