E.3 Prerequisites for Configuring GSSAPI

To configure GSSAPI, you must first do the following:

E.3.1 Assumptions on Network Characteristics

The SASL-GSSAPI mechanism is based on the following assumptions:

  • All the machines in the network have loosely synchronized time, meaning that no two machines differ in system time by more than five minutes. This is the clock-skew tolerance Kerberos uses when it checks ticket and authenticator timestamps; a client or server whose clock is outside the window fails authentication.

  • The SASL-GSSAPI mechanism is expected to be used mostly on a LAN, because the time-synchronization requirement above is harder to meet in MAN or WAN environments. The mechanism is not limited to a LAN, however.

  • You trust the Kerberos servers (KDCs) and the Kerberos administrators unconditionally; the mechanism gives you no way to verify them.

  • The mechanism does not counter denial-of-service attacks. For more information, refer to RFC 1510.
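One way to verify the five-minute assumption before enabling the mechanism, as an added example that is not part of this guide: a POSIX shell script that asks each host for its clock over ssh and compares it with the local clock, taking the midpoint of the request window as the local reference so that round-trip delay does not inflate the measured skew. It assumes key-based, non-interactive ssh access to the hosts and that date +%s is available on them; MAX_SKEW, skew_seconds, skew_ok and check_hosts are names chosen here.

```shell
#!/bin/sh
# Added example (not from the eDirectory documentation): check the
# "loosely synchronized time" assumption before enabling SASL-GSSAPI.
MAX_SKEW=300   # seconds; the five-minute bound stated above

# skew_seconds T0 REMOTE T1
# T0/T1: local epoch seconds taken just before and just after asking the
# remote host for its clock; REMOTE: the value it returned. The midpoint of
# T0..T1 is used as the local reference, which removes most of the network
# round-trip from the comparison. Prints the absolute skew in whole seconds.
skew_seconds() {
  t0=$1; remote=$2; t1=$3
  mid=$(( (t0 + t1) / 2 ))
  d=$(( remote - mid ))
  [ "$d" -lt 0 ] && d=$(( -d ))
  echo "$d"
}

# skew_ok T0 REMOTE T1: exit 0 when the skew is within MAX_SKEW
skew_ok() {
  [ "$(skew_seconds "$1" "$2" "$3")" -le "$MAX_SKEW" ]
}

# check_hosts HOST...: query each host over ssh (assumed: key-based,
# non-interactive login already set up) and report its skew. Exit status is
# non-zero if any host is unreachable or outside the window.
check_hosts() {
  rc=0
  for h in "$@"; do
    t0=$(date +%s)
    remote=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$h" date +%s) || {
      echo "$h: unreachable"
      rc=1
      continue
    }
    t1=$(date +%s)
    s=$(skew_seconds "$t0" "$remote" "$t1")
    if [ "$s" -le "$MAX_SKEW" ]; then
      echo "$h: skew ${s}s ok"
    else
      echo "$h: skew ${s}s exceeds ${MAX_SKEW}s; Kerberos authentication will fail"
      rc=1
    fi
  done
  return $rc
}

# Usage: check_hosts kdc1.example.com ldapserver.example.com
```

Run it from the host you intend to manage from, against every KDC and every eDirectory server that will accept SASL-GSSAPI binds; a single host outside the window is enough to break authentication for the principals that use it.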

E.3.2 Installing the Kerberos Plug-in for iManager

  1. Open the browser.

  2. Enter the following URL in the address field of the browser window:

    http://hostname/nps/
    

    where hostname is the server name or IP address of the iManager server where you want to install the iManager plug-in for SASL-GSSAPI.

    NOTE: If you have problems, ensure that Tomcat and the Web server are configured properly. For information, refer to the NetIQ iManager 2.7 Administration Guide.

  3. Specify the user name and password to log in to eDirectory, then click Login.

  4. Click Configure on the iManager toolbar.

  5. In the left pane, click Plug-in Installation > Available NetIQ Plug-in Modules.

  6. Click Add.

  7. Specify the location of the kerberosPlugin.npm file or click Browse to select it.

    The Kerberos Management plug-in is available as part of the eDirectory 8.8 single NPM (eDir_88_iMan27_Plugins.npm) and can be downloaded from the Novell Download Site.

    If you have moved the kerberosPlugin.npm file to a different location, browse to the location and select it.

  8. Click Open, then click OK.

  9. Click Install.

    This installation will take a few minutes.

  10. Restart the iManager server after the Successfully saved module message appears.

    If you are running iManager in an Unrestricted Access mode (no RBS collection in the tree), skip Step 11 through Step 17.

    NOTE: For information on restarting the iManager server, refer to the NetIQ iManager 2.7 Administration Guide.

  11. Log in to iManager, then click the Configure button.

  12. In the left pane, click Role Based Services > RBS Configuration.

  13. (Conditional) If you do not have an RBS collection, do the following:

    1. Click New > Collection.

    2. Specify the name you want to use for the collection.

    3. Select the container under which you want to create the Role Based services, then click OK.

    4. Click OK again.

  14. In the iManager 2.x collections tab, click the number in the Modules column for the collection you want to use.

  15. Select Kerberos Module and click Install.

  16. Click OK to continue.

  17. When iManager finishes installing the module, click OK.

  18. In the iManager toolbar, click Roles and Tasks.

    The Kerberos Management role is displayed on the left pane.

    If the Kerberos Management role is not displayed, restart the iManager server.

E.3.3 Adding Kerberos LDAP Extensions

Kerberos LDAP Extensions provide the functionality to manage Kerberos keys.

To use the Kerberos LDAP extensions, you must install the LDAP libraries for C. For more information, refer to LDAP Libraries for C.

To add or remove the Kerberos LDAP extensions, use the krbLdapConfig utility. When the standalone eDirectory package is extracted to a directory, the utility is located at extracted_folder/nmas/NmasMethods/Novell/GSSAPI/Kerberos_ldap_extensions/Linux/krbLdapConfig.

For example, /misc/eDir88/Linux/nmas/NmasMethods/Novell/GSSAPI/Kerberos_ldap_extensions/Linux/krbLdapConfig.

To add or remove the Kerberos LDAP extensions, use the following syntax:

krbldapconfig {-i | -u} -D bind_fdn [-w bind_fdn_password] [-h ldap_server] [-p port] [-e trusted_root_file]

The following table explains the krbldapconfig utility parameters:

Parameter              Description

-i                     Adds the Kerberos LDAP extensions to eDirectory.

-u                     Removes the Kerberos LDAP extensions from eDirectory.

-D bind_fdn            Specifies the FDN of the administrator, or of a user with administrator-equivalent rights, in the format cn=admin,o=org.

-w bind_fdn_password   Specifies the password of the bind FDN (bind_fdn).

-h ldap_server         Specifies the hostname or IP address of the LDAP server where the Kerberos LDAP extensions must be installed.

-p port                Specifies the port on which the LDAP server is listening.

-e trusted_root_file   Specifies the file containing the trusted root certificate used to validate the server during the SSL bind. If you are using an SSL port, specify the -e option. For more information, refer to Section E.3.4, Exporting the Trusted Root Certificate.

NOTE: If you do not specify the -h option, the local host that krbldapconfig is invoked from is used by default.

If you specify neither the LDAP server port nor the trusted root certificate, the default port 389 is used.

If you do not specify the LDAP server port but do specify the trusted root certificate, the default port 636 is used.

For example, enter the following to add the extensions:

krbldapconfig -i -D cn=admin,o=org -w password -h ldapserver -p 389

Or to remove them, enter the following:

krbldapconfig -u -D cn=admin,o=org -w password -h ldapserver -p 389

Both examples bind on port 389 without -e, so the administrator password crosses the network in clear text; outside a test environment, use the SSL port together with -e. Note also that a password given with -w is visible to other local users in the process list while the utility runs.

IMPORTANT: You must manually refresh the LDAP server for the installation changes to take effect. For more information, refer to Section 16.5, Refreshing the LDAP Server.

E.3.4 Exporting the Trusted Root Certificate

  1. In iManager, click Directory Administration > Modify Object to open the Modify Object page.

  2. Use the Object Selector to select the Server Certificate object of the server.

  3. Click OK.

  4. Click the Certificates tab, then select Trusted Root Certificate and view the details of the certificate.

  5. Click Export.

  6. Click the Certificates drop-down menu and select the certificate you want to export.

  7. Specify whether you want to export the private key. If you do, you might need to specify a password to protect it. For the trusted root certificate that krbldapconfig -e expects, export the certificate only: the private key is not needed for the SSL bind and should not leave the server.

  8. Click Next.

  9. Click Save the exported certificate.

  10. Click Save File.

  11. Click Close.
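The checks a practitioner wants between the export in Section E.3.4 and the krbldapconfig run in Section E.3.3, as an added example that is not part of this guide and not code from the krbldapconfig utility: a POSIX shell script that validates the exported file (DER or Base64, a CA certificate, unexpired, no private key included) and then calls krbldapconfig over the SSL port with it. It requires the openssl command-line tool. make_demo_root builds a constructed self-signed stand-in for the eDirectory trusted root so the checks can be exercised offline; with a real export, call check_trusted_root on the saved file directly. The function names, the KRB_BIND_PW environment variable and the assumption that krbldapconfig is on PATH are choices made here.

```shell
#!/bin/sh
# Added example, not part of the eDirectory documentation: validate the
# trusted root certificate exported in Section E.3.4 before handing it to
# krbldapconfig -e (Section E.3.3), then wrap the LDAPS invocation.

# make_demo_root DIR: constructed test data (self-signed CA standing in for
# the eDirectory trusted root). Writes ca.key, ca.pem and ca.der into DIR.
make_demo_root() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/O=Example Tree/CN=Example Organizational CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
  # iManager can export DER as well as Base64; produce the DER form too.
  openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/ca.der"
}

# check_trusted_root FILE: exit 0 only if FILE is a CA certificate (DER or
# PEM encoded), is not expired, and carries no private key material.
# On success prints subject, expiry and SHA-256 fingerprint for the record.
check_trusted_root() {
  f=$1
  # Step 7 of E.3.4 offers to export the private key; the trusted root used
  # for -e must never include it.
  if grep -q "PRIVATE KEY" "$f" 2>/dev/null; then
    echo "$f: contains private key material, export the certificate only" >&2
    return 1
  fi
  if openssl x509 -in "$f" -inform PEM -noout >/dev/null 2>&1; then
    inform=PEM
  elif openssl x509 -in "$f" -inform DER -noout >/dev/null 2>&1; then
    inform=DER
  else
    echo "$f: not an X.509 certificate" >&2
    return 1
  fi
  # A trusted root must be a CA certificate, otherwise the server certificate
  # presented on port 636 cannot chain to it.
  if ! openssl x509 -in "$f" -inform "$inform" -noout -text | grep -q "CA:TRUE"; then
    echo "$f: not a CA certificate (basicConstraints CA:TRUE missing)" >&2
    return 1
  fi
  if ! openssl x509 -in "$f" -inform "$inform" -noout -checkend 0 >/dev/null; then
    echo "$f: certificate has expired" >&2
    return 1
  fi
  openssl x509 -in "$f" -inform "$inform" -noout -subject -enddate -fingerprint -sha256
}

# krb_ext_add LDAP_HOST BIND_FDN TRUSTED_ROOT: validate the root, then add
# the extensions over the SSL port. Assumptions: krbldapconfig is on PATH,
# and the caller supplies the bind password in KRB_BIND_PW (for example
# KRB_BIND_PW=$(cat pw.txt) from a mode-0600 file). -w still places the
# password in the utility's argument list for the duration of the run.
krb_ext_add() {
  host=$1; binddn=$2; root=$3
  check_trusted_root "$root" || return 1
  : "${KRB_BIND_PW:?KRB_BIND_PW must be set}"
  krbldapconfig -i -D "$binddn" -w "$KRB_BIND_PW" -h "$host" -p 636 -e "$root"
}

# Usage with a real export:
#   check_trusted_root /tmp/TrustedRootCert.der
#   KRB_BIND_PW=... krb_ext_add ldapserver cn=admin,o=org /tmp/TrustedRootCert.der
```

After krb_ext_add returns, the LDAP server still has to be refreshed as Section E.3.3 requires; the wrapper only replaces the clear-text port 389 invocation with one that validates the server certificate against the exported root.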