E.3 Prerequisites for Configuring GSSAPI

To configure GSSAPI, you must first do the following:

  • SASL-GSSAPI method: Install the SASL-GSSAPI method. Refer to the Installing a Login Method section in the NetIQ Modular Authentication Services 3.3 Administration Guide.

    NOTE: The eDirectory SASL-GSSAPI method does not work on installations of Open Enterprise Server versions 2 or 11 that have Domain Services for Windows installed.

    To verify whether SASL-GSSAPI is installed on your machine, enter the following:

    ldapsearch -x -h osg-dt-srv9 -b "" -s base | grep -i sasl

    If SASL-GSSAPI is installed, the output of the command is similar to the following:

    supportedSASLMechanisms: NMAS_LOGIN
    supportedSASLMechanisms: GSSAPI

  • Kerberos plug-in for iManager: Install the Kerberos plug-in for iManager. Refer to Installing the Kerberos Plug-in for iManager for more information.

  • Key distribution center (KDC): Install Kerberos KDC (MIT; Active Directory) on the network.

    For Microsoft KDC (Active Directory), you must have the Kerberos tools installed. These tools are part of the Windows installation and can be installed from \support\tools\setup.exe (Windows XP) and \support\tools\suptools.msi (Windows 2003) on the Windows installation CD.

  • Time Synchronization: Synchronize the time on the NMAS client machine, the NMAS server machine, and the KDC machine for this method to work. For more information on synchronizing network time, refer to Synchronizing Network Time.

  • Kerberos LDAP Extensions: Add the Kerberos LDAP extensions. For more information, see Adding Kerberos LDAP Extensions.

    IMPORTANT:

    • On Open Enterprise Server, do not add the Kerberos LDAP extensions on servers where Domain Services for Windows or DNS services are configured.

    • All Kerberos information collected from your Kerberos administration is case-sensitive and must be specified in exactly the same case.
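The verification step above pipes the root DSE through `grep -i sasl`, which misses values that LDIF folds across lines or encodes in base64. The following script is an added example (not part of the NetIQ documentation or of eDirectory) that parses the LDIF printed by `ldapsearch -x -b "" -s base` and reports whether GSSAPI is among the supportedSASLMechanisms values. SAMPLE_LDIF is a constructed sample, not output captured from a real server.

```python
"""Check a root DSE dump for the SASL mechanisms an LDAP server advertises.

Added example; not part of the NetIQ documentation or of eDirectory. It
parses the LDIF that `ldapsearch -x -b "" -s base` prints and reports whether
GSSAPI is among the supportedSASLMechanisms values. SAMPLE_LDIF below is a
constructed sample, not captured from a real server.
"""
import base64
import sys
from typing import Dict, List

# Constructed sample output. It deliberately includes a folded line (leading
# space continues the previous line) and a base64 value ("::") so the parser
# exercises both LDIF forms, which a plain `grep -i sasl` would not handle.
SAMPLE_LDIF = """\
dn:
supportedSASLMechanisms: NMAS_LOGIN
supportedSASLMechanisms: GSSAPI
supportedLDAPVersion: 3
vendorName:: Tm92ZWxsLCBJbmMu
subschemaSubentry: cn=schema
supportedExtension: 1.3.6.1.4.1.1466.2003
 7
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute_name_lowercased: [values]}.

    Handles folded lines, comment lines and base64-encoded values. Attribute
    names are lower-cased because LDAP attribute names are case-insensitive.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    attrs: Dict[str, List[str]] = {}
    for line in logical:
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue                         # not an attribute line; skip it
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def sasl_mechanisms(ldif_text: str) -> List[str]:
    """Return the advertised SASL mechanisms in the order the server listed them."""
    return parse_ldif_entry(ldif_text).get("supportedsaslmechanisms", [])


def gssapi_available(ldif_text: str) -> bool:
    """True when GSSAPI is advertised; the comparison ignores case."""
    return any(m.upper() == "GSSAPI" for m in sasl_mechanisms(ldif_text))


if __name__ == "__main__":
    # Read real ldapsearch output from a pipe if there is one, else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    mechs = sasl_mechanisms(text)
    print("advertised SASL mechanisms:", ", ".join(mechs) or "(none)")
    print("SASL-GSSAPI present:", "yes" if gssapi_available(text) else "no")
```

Run it on a live server with `ldapsearch -x -h hostname -b "" -s base | python3 check_sasl.py` (file name assumed); the result reflects what the server advertises to anonymous clients, which is the same view the prerequisite check above relies on.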

E.3.1 Assumptions on Network Characteristics

The SASL-GSSAPI mechanism is based on the following assumptions:

  • All the machines in the network have loosely synchronized time. This means that no two machines in the network have their system time differing by more than five minutes.

  • The SASL-GSSAPI mechanism is expected to be used mostly on a LAN, because the time-synchronization requirement above is difficult to meet in MAN or WAN environments. However, the mechanism is not limited to LANs.

  • You trust the Kerberos servers and Kerberos administrators unconditionally and unverifiably.

  • Denial-of-service attacks are not countered. For more information, refer to RFC 1510.
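To make the first assumption checkable, the following added example (not from the NetIQ documentation) takes the time reported by each participant in a SASL-GSSAPI login (NMAS client, NMAS server and KDC), converts every timestamp to UTC, and finds the largest pairwise offset against the five-minute bound stated above. The timestamps are constructed; in practice they would be collected from each host, for example with `date -u --iso-8601=seconds`.

```python
"""Check the loose time-synchronization assumption for SASL-GSSAPI.

Added example; not part of the NetIQ documentation. Given the time each
participant reported, it computes the largest pairwise clock offset and
compares it with the five-minute bound the guide states. SAMPLE_TIMES is
constructed for the example.
"""
from datetime import datetime, timezone
from itertools import combinations
from typing import Dict, Optional, Tuple

MAX_SKEW_SECONDS = 300  # five minutes, per the assumption above

# Constructed samples. The KDC reports local time with a +02:00 offset; comparing
# the wall-clock strings directly would misread that as two hours of skew.
SAMPLE_TIMES = {
    "nmas-client": "2024-05-01T10:00:12+00:00",
    "nmas-server": "2024-05-01T10:00:05+00:00",
    "kdc":         "2024-05-01T12:06:40+02:00",
}


def to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp and normalize it to UTC.

    Timestamps without a UTC offset are rejected rather than guessed, because
    a wrong guess silently hides or invents skew.
    """
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {stamp}")
    return dt.astimezone(timezone.utc)


def max_skew(times: Dict[str, str]) -> Tuple[float, Tuple[str, str]]:
    """Largest pairwise clock difference in seconds, and the pair that produced it."""
    utc = {host: to_utc(stamp) for host, stamp in times.items()}
    worst, pair = 0.0, ("", "")
    for a, b in combinations(sorted(utc), 2):
        diff = abs((utc[a] - utc[b]).total_seconds())
        if diff > worst:
            worst, pair = diff, (a, b)
    return worst, pair


def within_tolerance(times: Dict[str, str], limit: Optional[int] = None) -> bool:
    """True when every pair of hosts is within the Kerberos skew bound."""
    return max_skew(times)[0] <= (MAX_SKEW_SECONDS if limit is None else limit)


if __name__ == "__main__":
    skew, (a, b) = max_skew(SAMPLE_TIMES)
    status = "OK" if within_tolerance(SAMPLE_TIMES) else "EXCEEDS"
    print(f"largest skew {skew:.0f}s between {a} and {b}: {status} {MAX_SKEW_SECONDS}s bound")
```

In the constructed sample the KDC is 395 seconds ahead of the NMAS server, so the check fails even though the client and server agree with each other to within seven seconds; that is the case the assumption is warning about.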

E.3.2 Installing the Kerberos Plug-in for iManager

  1. Open the browser.

  2. Enter the following URL in the address field of the browser window:

    http://hostname/nps/

    where hostname is the server name or IP address of the iManager server where you want to install the iManager plug-in for SASL-GSSAPI.

    NOTE: In case of problems, ensure that the Tomcat and Web server are configured properly. For information, refer to the NetIQ iManager 2.7 Administration Guide.

  3. Specify the user name and password to log in to eDirectory, then click Login.

  4. Click Configure on the iManager toolbar.

  5. In the left pane, click Plug-in Installation > Available NetIQ Plug-in Modules.

  6. Click Add.

  7. Specify the location of the kerberosPlugin.npm file or click Browse to select it.

    The Kerberos Management plug-in is available as part of the eDirectory 88 single NPM (eDir_88_iMan27_Plugins.npm) and can be downloaded from the Novell Download Site.

    If you have moved the kerberosPlugin.npm file to a different location, browse to the location and select it.

  8. Click Open, then click OK.

  9. Click Install.

    This installation will take a few minutes.

  10. Restart the iManager server after the Successfully saved module message appears.

    If you are running iManager in an Unrestricted Access mode (no RBS collection in the tree), skip Step 11 through Step 17.

    NOTE: For information on restarting the iManager server, refer to the NetIQ iManager Administration Guide.

  11. Log in to iManager, then click the Configure button.

  12. In the left pane, click Role Based Services > RBS Configuration.

  13. (Conditional) If you do not have an RBS collection, do the following:

    1. Click New > Collection.

    2. Specify the name you want to use for the collection.

    3. Select the container under which you want to create the Role Based services, then click OK.

    4. Click OK again.

  14. In the iManager 2.x collections tab, click the number in the Modules column for the collection you want to use.

  15. Select Kerberos Module and click Install.

  16. Click OK to continue.

  17. When iManager finishes installing the module, click OK.

  18. In the iManager toolbar, click Roles and Tasks.

    The Kerberos Management role is displayed on the left pane.

    If the Kerberos Management role is not displayed, restart the iManager server.

E.3.3 Adding Kerberos LDAP Extensions

Kerberos LDAP Extensions provide the functionality to manage Kerberos keys.

To use the Kerberos LDAP extensions, you must install the LDAP libraries for C. For more information, refer to LDAP Libraries for C.

To add or remove the Kerberos LDAP extensions, use the krbLdapConfig utility. When the standalone eDirectory package is extracted to a directory, the utility is located at extracted_folder/nmas/NmasMethods/Novell/GSSAPI/Kerberos_ldap_extensions/Linux/krbLdapConfig.

For example, /misc/eDir88/Linux/nmas/NmasMethods/Novell/GSSAPI/Kerberos_ldap_extensions/Linux/krbLdapConfig.

To add the Kerberos LDAP extensions, use the following syntax:

krbldapconfig {-i | -u} -D bind_DN [-w bind_DN_password] [-h ldap_host] [-p ldap_port] [-e trusted_root_cert]

The following table explains the krbldapconfig utility parameters:

Parameter             Description

-i                    Adds the Kerberos LDAP extensions to eDirectory.

-u                    Removes the Kerberos LDAP extensions from eDirectory.

-D bind_fdn           Specifies the FDN of the administrator or the user with administrator-equivalent rights. This must be in the format cn=admin,o=org.

-w bind_fdn_password  Specifies the password of the bind FDN (bind_fdn).

-h ldap_server        Specifies the hostname or IP address of the LDAP server where the Kerberos LDAP extensions must be installed.

-p port               Specifies the port where the LDAP server is running.

-e trusted_root_file  Specifies the trusted root certificate filename for the SSL bind. If you are using an SSL port, specify the -e option. For more information, refer to Exporting the Trusted Root Certificate.

NOTE: If you do not specify the -h option, the name of the local host that krbldapconfig is invoked from is used as the default.

If you specify neither the LDAP server port nor the trusted root certificate, the default port 389 is used.

If you do not specify the LDAP server port but specify the trusted root certificate, the default port 636 is used.

For example, enter the following to add the extensions:

krbldapconfig -i -D cn=admin,o=org -w password -h ldapserver -p 389

Or to remove, enter the following:

krbldapconfig -u -D cn=admin,o=org -w password -h ldapserver -p 389

IMPORTANT: You must manually refresh the LDAP server for the installation changes to take effect. For more information, refer to Refreshing the LDAP Server.
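The port defaults above are easy to get wrong when the utility is driven from a script. The following added example (not part of the NetIQ documentation and not the utility's own code) assembles a krbldapconfig argument vector with those defaults made explicit: the 389/636 rule for -p, the local-host default for -h, and a sanity check on the -D value. The host name and certificate path used in the demonstration are constructed placeholders.

```python
"""Assemble a krbldapconfig command line with the guide's defaults made explicit.

Added example; not part of the NetIQ documentation and not the utility's own
code. It only builds the argument vector: the default rules for -h, -p and -e
are the ones the guide states, and the host and certificate values in the
demonstration are constructed placeholders.
"""
import shlex
from typing import List, Optional

DEFAULT_LDAP_PORT = 389   # used when neither -p nor -e is given
DEFAULT_LDAPS_PORT = 636  # used when -e is given but -p is not


def effective_port(port: Optional[int], trusted_root: Optional[str]) -> int:
    """Port the utility will use, per the documented defaults."""
    if port is not None:
        return port
    return DEFAULT_LDAPS_PORT if trusted_root else DEFAULT_LDAP_PORT


def looks_like_dn(dn: str) -> bool:
    """Cheap sanity check that -D received an LDAP DN such as cn=admin,o=org."""
    parts = [p.strip() for p in dn.split(",")]
    return bool(parts) and all("=" in p and not p.startswith("=") for p in parts)


def build_krbldapconfig(action: str, bind_dn: str, password: Optional[str] = None,
                        host: Optional[str] = None, port: Optional[int] = None,
                        trusted_root: Optional[str] = None) -> List[str]:
    """Return argv for krbldapconfig; action is 'add' (-i) or 'remove' (-u)."""
    flags = {"add": "-i", "remove": "-u"}
    if action not in flags:
        raise ValueError("action must be 'add' or 'remove'")
    if not looks_like_dn(bind_dn):
        raise ValueError(f"bind DN does not look like a DN: {bind_dn!r}")

    argv = ["krbldapconfig", flags[action], "-D", bind_dn]
    if password is not None:
        argv += ["-w", password]
    if host is not None:
        argv += ["-h", host]            # omitted: the utility uses the local host name
    argv += ["-p", str(effective_port(port, trusted_root))]
    if trusted_root is not None:
        argv += ["-e", trusted_root]    # required when binding to an SSL port
    return argv


def as_shell(argv: List[str]) -> str:
    """Quote argv for display or for a shell script."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Same invocation as the guide's add example.
    print(as_shell(build_krbldapconfig("add", "cn=admin,o=org", "password", "ldapserver", 389)))
    # SSL bind with only the certificate given: the port defaults to 636.
    print(as_shell(build_krbldapconfig("remove", "cn=admin,o=org",
                                       trusted_root="/path/to/trusted-root.der")))
```

Because the bind password travels as a command-line argument, it is visible to other local users in process listings and may land in shell history; when scripting this, prefer supplying it from a source that is not exposed that way, and keep the SSL form (-e with port 636) for any bind that crosses the network.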

E.3.4 Exporting the Trusted Root Certificate

  1. In iManager, click Directory Administration > Modify Object to open the Modify Object page.

  2. Use the Object Selector to select the Server Certificate object of the server.

  3. Click OK.

  4. Click the Certificates tab, then select Trusted Root Certificate and view the details of the certificate.

  5. Click Export.

  6. Click the Certificates drop-down menu and select the certificate you want to export.

  7. Specify whether you want to export the private key or not. If you want to export the private key, you might need to specify a password to protect the private key.

  8. Click Next.

  9. Click Save the exported certificate.

  10. Click Save File.

  11. Click Close.