E.5 Managing the SASL-GSSAPI Method

E.5.1 Extending the Kerberos Schema

This task allows you to extend your eDirectory schema with the Kerberos object class and attribute definitions.

  1. In iManager, click Kerberos Management > Extend Schema to open the Extend Schema page.

    If the schema has already been extended, a message is displayed with the status.

  2. If the schema has not already been extended, click OK to extend the schema.

  3. Click Close.

E.5.2 Managing the Kerberos Realm Object

A realm is the logical network served by a set of Key Distribution Centers (KDCs). In other words, a realm is a domain or grouping of principals served by a set of KDCs. By convention, realm names are generally all uppercase letters, to differentiate the realm from the internet domain. For more information, refer to RFC 1510.

Creating a New Realm Object

The supported and the default encryption type is DES-CBC-CRC.

  1. In iManager, click Kerberos Management > New Realm to open the New Realm page.

  2. Specify a name for the Kerberos realm that is to be created.

    The realm name must be the same as the one that you want to configure this Login Method with and must conform to the RFC 1510 conventions.

  3. Specify a master password for the realm, then confirm the password.

    NOTE: Ensure that you use a strong master password.

  4. Specify the subtree and Principal Container Reference that the Kerberos realm is to be configured with, or use the Object Selector icon to select it.

    This is the FDN of the subtree or the container that contains the eDirectory service principals of this realm. This subtree is not applicable to user principals.

  5. Specify the scope of the subtree search:

    • One-level: Searches the immediate subordinates of the realm subtree.

    • Subtree: Searches the entire subtree starting with, and including, the realm subtree.

  6. Click OK.

NOTE: The KDC Services box is not used in SASL-GSSAPI.

NOTE: If a Kerberos realm for LDAP SASL GSSAPI authentication has to be configured in the tree by an eDirectory container administrator, the tree administrator should perform the following:

  1. Ensure that the security container object (cn=security) has the krbContainerRefAux object class and that its krbContainerReference attribute is set to the Kerberos container.

  2. Grant Read access right to the container administrator over the krbContainerReference attribute.

  3. Create a realm container under the Kerberos container. The name of the container must be the same as the name of the new realm being created, and its object class must be krbRealmContainer.

  4. Grant Supervisor right to the container administrator over the realm container.

Then log in to iManager as the container administrator and select Kerberos Management > Set MasterKey to open the Set Master Key page. Select the MIT KDC realm and specify a master password.

Editing a Realm Object

  1. In iManager, click Kerberos Management > Edit Realm to open the Edit Realm page.

  2. Specify a name for the Kerberos realm that is to be edited or use the Object Selector icon to select it.

  3. Click OK.

  4. Specify the subtree you want the Kerberos realm to be configured with or use the Object Selector icon to select it.

    This is the FDN of the subtree or the container that contains the eDirectory service principals of this realm. This subtree is not applicable to user principals.

  5. Specify the scope of the subtree search.

    • One-level: Searches the immediate subordinates of the realm subtree.

    • Subtree: Searches the entire subtree starting with, and including, the realm subtree.

  6. Click OK.

  7. (Optional) To edit another realm, click Repeat Task.

NOTE: The KDC Services box is not used in SASL-GSSAPI.

Deleting a Realm Object

  1. In iManager, click Kerberos Management > Delete Realm to open the Delete Realm page.

  2. Select the realms that are to be deleted.

    To select multiple realms, press Shift and select the realms or press Shift+Arrow keys.

  3. Click OK.

  4. Click OK again to confirm the delete operation or click Cancel to cancel the delete operation.

IMPORTANT: Deleting a Realm object deletes all service principal objects under that Realm.

E.5.3 Managing a Service Principal

Creating a Service Principal for an LDAP Server

Use the Kerberos Administration tool that is available with your KDC to create the eDirectory service principal with the encryption type and salt type as AES256-CTS and Normal, respectively.

The name of the principal must be ldap/MYHOST.MYDNSDOMAIN@REALMNAME.

For example, if you are using MIT KDC, execute the following command:

kadmin: addprinc -randkey -e aes256-cts:normal ldap/server.novell.com@MITREALM

IMPORTANT: The hostname of the service principal you create must be in lowercase. Authentication fails if the hostname is in uppercase. For example, if the hostname is myHost.com, the LDAP service principal must be named ldap/myhost.com@<realmname>.

Best Practice

  • All keys should preferably be of type AES256.

  • Change the LDAP service principal keys regularly. Whenever you change the LDAP service principal keys, ensure that you update the principal object in eDirectory.

Extracting the Key of the Service Principal for eDirectory

Use the Kerberos Administration tool that is available with your KDC to extract the key of the LDAP service principal created in Creating a Service Principal for an LDAP Server, then store it in the local file system. This can be done with the help of your Kerberos administrator.

For example, if you are using an MIT KDC, execute the following command:

kadmin: ktadd -k /directory_path/keytabfilename -e aes256-cts:normal ldap/server.novell.com@MITREALM

For example, if you are using Microsoft KDC, create a user ldapMYHOST in Active Directory and then execute the following command:

ktpass -princ ldap/MYHOST.MYDNSDOMAIN@MYREALM -mapuser ldapMYHOST -pass mypassword -out MYHOST.keytab

This command maps the principal (ldap/MYHOST.MYDNSDOMAIN@MYREALM) to the user account (ldapMYHOST), sets the host principal password to mypassword, and extracts the key into the MYHOST.keytab file.
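Before the keytab extracted above is imported into eDirectory, it is worth checking that it actually satisfies the rules in this section: a single ldap/<lowercase host>@REALM principal and only AES256-CTS keys. The following Python script is an added example, not part of this documentation or of the eDirectory product; it parses the MIT keytab file format (version 0x0502, as written by ktadd and ktpass) and reports violations. The keytab bytes are constructed inline, using the page's own example principal ldap/server.novell.com@MITREALM plus a deliberately wrong second entry.

```python
import struct
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}  # RFC 3961/3962/4757 numbers

def _counted(buf, pos):  # keytab "counted octet string": uint16 length, then the bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (file format 0x0502) into principal/kvno/enctype records, skipping the key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)  # a negative size marks a deleted slot, which is skipped
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, pos)
            parts, pos = [], pos + 2
            for _ in range(ncomp + 1):  # realm first, then the principal's name components
                s, pos = _counted(data, pos)
                parts.append(s.decode())
            _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
            enctype, klen = struct.unpack_from(">HH", data, pos + 9)
            pos += 13 + klen  # step over the key material; only metadata is reported
            vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0  # optional trailing 32-bit kvno
            entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                            "kvno": vno32 or vno8, "enctype": ENCTYPES.get(enctype, str(enctype))})
        pos = end
    return entries

def check_keytab(data, host, realm):
    """Apply this page's rules: only ldap/<lowercase host>@REALM, and only AES256-CTS keys."""
    expected, problems = "ldap/%s@%s" % (host.lower(), realm.upper()), []
    for e in parse_keytab(data):
        if e["principal"] != expected:  # also catches uppercase hostnames, which make authentication fail
            problems.append("principal %s does not match expected %s" % (e["principal"], expected))
        if e["enctype"] != "aes256-cts":
            problems.append("%s kvno %d uses %s, not aes256-cts" % (e["principal"], e["kvno"], e["enctype"]))
    return problems

def build_entry(comps, realm, kvno, enctype, key):
    """Constructed sample data only: encode one keytab v2 entry (name type 1, timestamp 0)."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)  # size covers the trailing kvno

# Constructed keytab: the page's example principal with an AES256 key, plus an entry with an uppercase hostname and an RC4 key.
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry(["ldap", "server.novell.com"], "MITREALM", 3, 18, b"\x11" * 32)
                 + build_entry(["ldap", "Server.novell.com"], "MITREALM", 3, 23, b"\x22" * 16))
```

Running check_keytab(SAMPLE_KEYTAB, "server.novell.com", "MITREALM") reports the second entry twice, once for the hostname and once for the RC4 key, and returns an empty list for a keytab that contains only the AES256 entry.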

Creating a Service Principal Object in eDirectory

You must create a Kerberos service principal with the same name (ldap/MYHOST.MYDNSDOMAIN@MYREALM) as specified in Creating a Service Principal for an LDAP Server.

Best Practice

Service principals for eDirectory must be readily accessible to all servers enabled for the SASL GSSAPI mechanism. If these eDirectory service principals are not created under the Kerberos Realm container inside the Security container, we strongly recommend that you create the container that contains these eDirectory service principals as a separate partition, and that the container be widely replicated.

  1. In iManager, click Kerberos Management > New Principal to open the New Principal page.

  2. Specify the name of the principal to be created.

    The principal name must be in the format ldap/MYHOST.MYDNSDOMAIN@REALMNAME.

  3. Specify the name of the container where the Principal object is to be created or use the Object Selector icon to select it.

  4. Specify the name of the realm.

    If you have already specified the realm name in Step 2, leave this field blank.

  5. Do either of the following:

    • Specify the keytab filename or click Browse to select the location where the keytab file is stored.

      This is the file that contains the key extracted in Extracting the Key of the Service Principal for eDirectory.

    • Specify the password, confirm the password, then select the encryption type and salt type combination.

      The password and encryption type/salt type combination must be the same as those specified while creating the service principal in the KDC database.

  6. Click OK.

Viewing the Kerberos Service Principal Keys

  1. In iManager, click Kerberos Management > View Key Information to open the View Principal Keys page.

  2. Specify the name of the principal whose keys are to be viewed or use the Object Selector icon to select it.

    The following information about the principal's keys is displayed:

    • Principal name

    • Key Information

      • Number: Serial number of the key in the key table

      • Version: Version of the key

      • Key Type: Type of this principal key

      • Salt Type: Salt type of this principal key

  3. Click OK.

Deleting a Kerberos Service Principal Object

You can delete a single object or multiple objects, or perform an advanced selection of the principal objects to be deleted.

To delete a single principal object:

  1. In iManager, click Kerberos Management > Delete Principal to open the Delete Principal page.

  2. Click Select a Single Object.

  3. Specify the name of the Principal object to be deleted or use the Object Selector icon to select it.

  4. Click OK.

  5. Click OK again to confirm the delete operation or click Cancel to cancel the delete operation.

To delete multiple principal objects:

  1. In iManager, click Kerberos Management > Delete Principal to open the Delete Principal page.

  2. Click Select Multiple Objects.

  3. Specify the name of the principal objects that are to be deleted or use the Object Selector icon to select them.

  4. Select the principal to be deleted.

  5. Click OK.

  6. Click OK again to confirm the delete operation or click Cancel to cancel the delete operation.

To delete a principal using advanced selection:

  1. In iManager, click Kerberos Management > Delete Principal to open the Delete Principal page.

  2. Click Advanced Selection.

  3. Select the object class.

  4. Specify the container that contains the Principal object or use the Object Selector icon to select it.

  5. Click Include sub-containers to include the subcontainers of the container specified in Step 4.

  6. Click Enter advanced selection criterion to open the Advanced Selection Criteria window.

  7. Select the type of attribute and the operator from the drop-down list, then provide the corresponding values.

  8. Click Add Row to include more logic groups in the selection.

  9. Click OK to set the filter.

  10. Click Show Preview to display the preview of the advanced selection.

  11. Click OK.

  12. Click OK again to confirm the delete operation or click Cancel to cancel the delete operation.

Setting a Password for the Kerberos Service Principal

If the eDirectory service principal key has been reset in your KDC, you must update the key for this principal in eDirectory also.

For information on extracting the key, refer to Extracting the Key of the Service Principal for eDirectory.

  1. In iManager, click Kerberos Management > Set Principal Password to open the Set Principal Password page.

  2. Specify the name of the Principal object for which an individual password has to be set or use the Object Selector icon to select it.

  3. Specify the keytab filename or click Browse to browse the location where the keytab file is stored.

  4. Do either of the following:

  5. Click OK to set the password.

  6. (Optional) To set the password for another principal, click Repeat Task.

E.5.4 Editing Foreign Principals

You can add Kerberos principal names to the eDirectory users using iManager.

  1. In iManager, click Kerberos Management > Edit Foreign Principals to open the Edit Foreign Principals page.

  2. Specify the FDN of a valid User object or use the Object Selector icon to select the User object reference.

  3. Click OK.

  4. Specify the foreign principal names, then click Add.

    The principal name must be in the format principalname@REALMNAME.

    To delete a foreign principal name, select the name and then click Delete.

  5. Click OK.

    NOTE: Kerberos principal names should be unique in the tree. If eDirectory is configured as an LDAP back end to a KDC realm, foreign principal names should not be configured in eDirectory for that realm. Instead, you can associate an existing Kerberos principal name with an eDirectory user DN using the following command:

    kadmin.local -q 'modprinc -x linkdn=<eDir DN> <principal>@<realm>'

    You can also associate a Kerberos principal name with an eDirectory user DN at the time of principal creation, using one of the following commands:

    kadmin.local -q 'ank -x dn=<eDir DN> <principal>@<realm>'

    kadmin.local -q 'ank -x linkdn=<eDir DN> <principal>@<realm>'

E.5.5 Configuring SASL GSSAPI Authentication if MIT Kerberos KDC Uses eDirectory as Back End

If the MIT Kerberos KDC uses eDirectory as its back end, perform the following procedure after configuring the MIT KDC so that the MIT KDC principals can authenticate to eDirectory using SASL GSSAPI:

  1. In iManager, edit the security container object (cn=security):

    1. Add the objectclass krbContainerRefAux to the security container.

    2. Set the attribute krbContainerReference to point to the Kerberos container.

      For example:

      cn=Kerberos,cn=Security

  2. In iManager, select Kerberos Management > Set MasterKey to open the Set Master Key page.

  3. Select the MIT KDC realm and specify the password. It should be the password that you used as the master password while creating the MIT KDC realm using kdb5_ldap_util.

NOTE: If the Kerberos realm is being created by a user who is not the tree administrator, the tree administrator should grant the Create entry rights to the user over the Kerberos container.