Leave a reply

Part 0: Multi-Master Kerberos Server with OpenLDAP Backend – Installer

Some months ago, I started to play around with OpenLDAP and Kerberos. At the beginning of my LDAP adventure, I often messed up my installation, so I ended up reinstalling everything and had to start again from scratch.

To make my life a little bit easier, I wrote a simple bash script to do the package installing in order to make the necessary changes to the config files only to the last ‘save’ point. Over the time, I added a lot of stuff and features and so the script started to accumulate. In retrospect, if I started again from the beginning, I would now use something more appropriated than bash.

Anyway, the script installs a “Multi-Master Kerberos Server with a LDAP Backend”.

Please follow the steps to try out the script on a current ubuntu or debian system (ubuntu 17.10 or debian 8). I would recommend to use a fresh system in a virtual machine.

There are some more things I will explain in further posts, once I will have the time which I do not have currently. Soooo, if you have specific questions about the script or ideas for improvement, please leave me a comment.

Disclaimer: Feel free to use this script at your own charge, I cannot be held responsible for what YOU do on YOUR administered system.

  1. Download the two files:
  2. Use md5 to check the data integrity of the downloaded file:
    user@yourbox:~$ md5sum -c LDAPX-0.7.7.tar.gz.md5
  3. Extract the file with tar:
    user@yourbox:~$ tar -zxvf LDAPX-0.7.7.tar.gz
  4. Change in the directory LDAPX:
    user@yourbox:~$ cd LDAPX
  5. Add the fully qualified domain name of the server(s) to the variable ‘LIST_OF_ALL_LDAP_MASTERS’ in ‘conf/LDAPX.conf‘. (Only necessary if you want more then one master server.)
    • Optional step: Change the password of the ldap admin (_LDAP_ADMIN_PW), the gpg password file (_GPG_FILE_PW) and the gpg user password file (_GPG_FILE_PW_USER)
      (Leave it blank to enter them during the installation)
  6. Optional step: In the file ‘conf/LDAPX.tls.conf’ change the values of TLS_CA_LOCALITY/TLS_CA_STATE/TLS_CA_COUNTRYCODE/
  7. Become root with the command:
    user@yourbox:~$ sudo su
  8. Important: Add the fully qualified domain name of the server(s) to ‘/etc/hosts‘.
  9. Make the two scripts executable with:
    root@yourbox:/home/user/LDAPX# chmod +x installLDAPX.sh
    root@yourbox:/home/user/LDAPX# chmod +x setupLDAPX.sh
  10. Run the script:
    root@yourbox:/home/user/LDAPX# ./installLDAPX.sh
  11. Start the installation process with the menu item ‘Install first master server’
  12. You can find some more information in the file: ‘backup/LDAPX.info
  13. Test the setup:
    • kinit
      1. Use kinit to request a kerberos ticket:
        root@yourbox:/home/user/LDAPX# kinit doejo
      2. The default password for user doejo is ‘winter2014#’
      3. Use klist to list your cached Kerberos ticket.
    • ssh
      1. ssh to yourbox with:
        ssh doejo@yourbox
      2. Use your new password or ‘winter2014#’ if you did not change it above.
      3. Use klist to list your cached Kerberos ticket.
      4. Try to become root with doejo@yourbox:~# sudo su -

Leave a reply

Xen LDAP Schema

For a small project I needed an ldap schema to map the structure of virtual machines in an LDAP directory tree. As far as I know, there is no xen-ldap-scheme out there, so I created one myself. Although it is at an early stage, someone may be interested in using and improving it.

xenX.schema (0.4.4)