{"id":112,"date":"2018-04-01T09:15:28","date_gmt":"2018-04-01T07:15:28","guid":{"rendered":"https:\/\/wp.tntnet.eu\/?p=112"},"modified":"2019-10-22T15:48:38","modified_gmt":"2019-10-22T13:48:38","slug":"part-0-multi-master-kerberos-server-with-openldap-backend-installer","status":"publish","type":"post","link":"https:\/\/wp.tntnet.eu\/?p=112","title":{"rendered":"Part 0: Multi-Master Kerberos Server with OpenLDAP Backend &#8211; Installer"},"content":{"rendered":"<p>Some months ago, I started to play around with <a href=\"http:\/\/www.openldap.org\" target=\"_blank\" rel=\"noopener noreferrer\">OpenLDAP<\/a> and <a href=\"http:\/\/web.mit.edu\/kerberos\" target=\"_blank\" rel=\"noopener noreferrer\">Kerberos<\/a>. At the beginning of my LDAP adventure, I often messed up my installation, so I ended up reinstalling everything and had to start again from scratch.<\/p>\n<p>To make my life a little bit easier, I wrote a simple bash script to do the package installation, so that after a mistake I only had to redo the config file changes from the last &#8216;save&#8217; point. Over time, I added a lot of features and the script kept growing. In retrospect, if I started again from the beginning, I would now use something more appropriate than bash.<\/p>\n<p>Anyway, the script installs a &#8220;Multi-Master Kerberos Server with an LDAP Backend&#8221;.<\/p>\n<p>Please follow the steps to try out the script on a current Ubuntu or Debian system (Ubuntu 17.10 or Debian 8). I would recommend using a fresh system in a virtual machine.<\/p>\n<p>There are some more things I will explain in further posts, once I have the time, which I currently do not. 
Soooo, if you have specific questions about the script or ideas for improvement, please leave me a comment.<\/p>\n<p style=\"text-align: center;\" align=\"center\"><strong>Disclaimer: Feel free to use this script at your own charge, I cannot be held responsible for what YOU do on YOUR administered system.<\/strong><\/p>\n<ol>\n<li>Download the two files:\n<ul>\n<li><a href=\"https:\/\/wp.tntnet.eu\/?ddownload=389\" title=\"LDAPX-0.18.4.tar.gz\" rel=\"nofollow\" class=\"ddownload-link id-389 ext-gz\">LDAPX-0.18.4.tar.gz<\/a><\/li>\n<li><a href=\"https:\/\/wp.tntnet.eu\/?ddownload=390\" title=\"LDAPX-0.18.4.tar.gz.md5\" rel=\"nofollow\" class=\"ddownload-link id-390 ext-md5\">LDAPX-0.18.4.tar.gz.md5<\/a><\/li>\n<\/ul>\n<\/li>\n<li><span id=\"result_box\" class=\"\" lang=\"en\"><span class=\"\">Use md5 to check the data integrity of the downloaded file:<\/span><\/span><br \/>\n<span class=\"theme:kayote lang:sh decode:true crayon-inline\">user@yourbox:~$ md5sum -c LDAPX-0.18.4.tar.gz.md5<\/span><\/li>\n<li>Extract the file with tar:<br \/>\n<span class=\"theme:kayote lang:sh decode:true crayon-inline      \">user@yourbox:~$ tar -zxvf LDAPX-0.18.4.tar.gz<\/span><\/li>\n<li>Change in the directory LDAPX:<br \/>\n<span class=\"theme:kayote lang:sh decode:true crayon-inline \">user@yourbox:~$ cd LDAPX<\/span><\/li>\n<li>Add the fully qualified domain name of the server(s) to the variable &#8216;LIST_OF_ALL_LDAP_MASTERS&#8217; in &#8216;<em>conf\/ldapx.main.conf<\/em>&#8216;. 
(Only necessary if you want more than one master server.)\n<ul>\n<li><strong>Optional step<\/strong>: Change the password of the LDAP admin (_LDAP_ADMIN_PW), the GPG password file (_GPG_FILE_PW) and the GPG user password file (_GPG_FILE_PW_USER)<br \/>\n(Leave them blank to be prompted for them during the installation)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Optional step<\/strong>: In the file &#8216;<em>conf\/ldapx.tls.conf<\/em>&#8217; change the values of <em>TLS_CA_LOCALITY\/TLS_CA_STATE\/TLS_CA_COUNTRYCODE\/<\/em>&#8230;<\/li>\n<li>Become root with the command:<br \/>\n<span class=\"theme:kayote lang:sh decode:true crayon-inline \">user@yourbox:~$ sudo su <\/span><\/li>\n<li><strong>Important:<\/strong> Add the fully qualified domain name of the server(s) to &#8216;<em>\/etc\/hosts<\/em>&#8217;.\n<pre class=\"theme:kayote toolbar:2 toolbar-overlay:false toolbar-hide:false toolbar-delay:false show-title:false striped:false marking:false ranges:false nums:false nums-toggle:false wrap-toggle:false plain:false plain-toggle:false copy:false popup:false expand-toggle:false decode-attributes:false trim-whitespace:false trim-code-tag:false mixed:false show_mixed:false lang:sh decode:true \">127.0.0.1       localhost\n#127.0.1.1       yourbox.domain.name yourbox\n10.0.0.1        yourbox.domain.name yourbox<\/pre>\n<\/li>\n<li>Make the two scripts executable with:<br \/>\n<span class=\"theme:kayote lang:sh decode:true crayon-inline\">root@yourbox:\/home\/user\/LDAPX# chmod +x installLDAPX.sh<\/span><br \/>\nand<br \/>\n<span class=\"theme:kayote lang:sh decode:true crayon-inline\">root@yourbox:\/home\/user\/LDAPX# chmod +x setupLDAPX.sh<\/span><\/li>\n<li>Run the script:<br \/>\n<span class=\"theme:kayote lang:sh decode:true crayon-inline\">root@yourbox:\/home\/user\/LDAPX# .\/setupLDAPX.sh<\/span><\/li>\n<li>Start the installation process with the menu item &#8216;Install first master server&#8217;<\/li>\n<li>You can find some more information in the file: 
&#8216;<strong><em>backup\/ldapx.info<\/em><\/strong>&#8216;<\/li>\n<li><span class=\"st\">Test the setup:<\/span>\n<ul>\n<li>kinit\n<ol>\n<li>Use kinit to request a kerberos ticket:<br \/>\n<span class=\"theme:kayote lang:sh decode:true crayon-inline\">root@yourbox:\/home\/user\/LDAPX# kinit doejo<\/span><\/li>\n<li><span class=\"st\">The default password for user doejo is &#8216;winter2014#&#8217;<\/span><\/li>\n<li>Use <span class=\"theme:kayote lang:sh decode:true crayon-inline\">klist<\/span> to list your cached Kerberos ticket.<\/li>\n<\/ol>\n<\/li>\n<li>ssh\n<ol>\n<li>ssh to yourbox with:<br \/>\n<span class=\"theme:kayote lang:sh decode:true crayon-inline\">ssh doejo@yourbox<\/span><\/li>\n<li>Use your new password or &#8216;winter2014#&#8217; if you did not change it above.<\/li>\n<li>Use <span class=\"theme:kayote lang:sh decode:true crayon-inline \">klist<\/span> to list your cached Kerberos ticket.<\/li>\n<li>Try to become root with <span class=\"theme:kayote lang:sh decode:true crayon-inline\">doejo@yourbox:~# sudo su &#8211;<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Some months ago, I started to play around with OpenLDAP and Kerberos. At the beginning of my LDAP adventure, I often messed up my installation, so I ended up reinstalling everything and had to start again from scratch. 
To make my life a little bit easier, I wrote a simple bash script to do the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,4,2,3,44,45,9,8],"tags":[6,5,41,48,47,28,46],"class_list":["post-112","post","type-post","status-publish","format-standard","hentry","category-debian","category-kerberos","category-ldap","category-linux","category-multi-master","category-replication","category-sssd","category-ubuntu","tag-kerberos","tag-ldap","tag-multi-master","tag-replication","tag-sasl","tag-sssd","tag-syncrepl"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/wp.tntnet.eu\/index.php?rest_route=\/wp\/v2\/posts\/112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wp.tntnet.eu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wp.tntnet.eu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wp.tntnet.eu\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/wp.tntnet.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=112"}],"version-history":[{"count":170,"href":"https:\/\/wp.tntnet.eu\/index.php?rest_route=\/wp\/v2\/posts\/112\/revisions"}],"predecessor-version":[{"id":574,"href":"https:\/\/wp.tntnet.eu\/index.php?rest_route=\/wp\/v2\/posts\/112\/revisions\/574"}],"wp:attachment":[{"href":"https:\/\/wp.tntnet.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wp.tntnet.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wp.tntnet.eu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}