Linux System Administration Recipes A Problem-Solution Approach
CHAPTER 2 ■ CENTRALIZING YOUR NETWORK: KERBEROS, LDAP, AND NFS

addprinc ldapadm@EXAMPLE.COM
addprinc -randkey ldap/server.example.com
ktadd -k /etc/ldap/ldap.keytab ldap/server.example.com

The first command creates the admin user. You'll be asked for a password. Call this user whatever you like, but it should match what you set in the access controls. You should extract the server key to a keytab other than the system one at /etc/krb5.keytab (the -k flag specifies this alternate keytab), since the LDAP keytab must be owned by the LDAP user, and you don't want the main keytab to be owned by the LDAP user:

chown openldap:openldap /etc/ldap/ldap.keytab

To ensure that slapd is looking at this keytab, add the following line to /etc/default/slapd:

export KRB5_KTNAME=/etc/ldap/ldap.keytab

Restart slapd:

/etc/init.d/slapd restart

■ Note If there are problems with startup, change the log level in /etc/ldap/slapd.conf to 16383 to get verbose logging in the log file. Change it back before you go into production, though, because it makes the server very slow.

Setting Up the Database

To set up the database, you first use the authentication in the rootdn and rootpw directives to add the root entry, the People group, and an admin user. You should have added the admin user when you set up Kerberos as in recipe 2-1. Here it's ldapadm.

For this you need to create a "setup" LDIF file (setup.ldif). Your base domain will depend on your organization. It is a good idea to use a base domain that is related to your Kerberos domain and also to your IP domain. Here we use dc=example,dc=com (matching example.com).

# setup.ldif
dn: dc=example,dc=com
objectclass: organization
objectclass: dcObject
objectclass: top
o: Example Company
dc: example
description: root entry
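An added pre-flight check, not from the book, for the keytab steps above: it confirms that /etc/default/slapd points slapd at the separate keytab and that the keytab is owned by the LDAP user before you restart slapd. The function names, the argument paths and the extra "not group/world readable" check are assumptions of this example; the recipe itself only requires the ownership and the KRB5_KTNAME line.

```python
import os
import pwd
import re
import stat

# Matches the line the recipe adds to /etc/default/slapd, tolerating
# extra whitespace and an optional "export" keyword.
_KTNAME_RE = re.compile(r'^\s*(?:export\s+)?KRB5_KTNAME\s*=\s*["\']?([^"\'\s]+)')

def _owner_name(uid):
    """Resolve a uid to a user name; fall back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def ktname_from_defaults(defaults_path):
    """Return the keytab path set by KRB5_KTNAME in the slapd defaults file,
    or None if it is not set (the last assignment wins, as in the shell)."""
    found = None
    with open(defaults_path) as fh:
        for line in fh:
            if line.lstrip().startswith("#"):
                continue
            m = _KTNAME_RE.match(line)
            if m:
                found = m.group(1)
    return found

def check_slapd_keytab(keytab_path, defaults_path, expected_owner):
    """Return a list of problems; empty means the setup matches the recipe.
    Checks: defaults file points slapd at keytab_path; keytab exists, is owned by
    expected_owner (openldap in the recipe) and, as an assumed extra check the
    recipe does not require, is not group/world readable."""
    problems = []
    configured = ktname_from_defaults(defaults_path)
    if configured is None:
        problems.append("KRB5_KTNAME is not set in %s" % defaults_path)
    elif configured != keytab_path:
        problems.append("KRB5_KTNAME points at %s, not %s" % (configured, keytab_path))
    try:
        st = os.stat(keytab_path)
    except FileNotFoundError:
        return problems + ["keytab %s does not exist (run ktadd first)" % keytab_path]
    owner = _owner_name(st.st_uid)
    if owner != expected_owner:
        problems.append("keytab owned by %s, expected %s" % (owner, expected_owner))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("keytab is group/world accessible (mode %o)" % stat.S_IMODE(st.st_mode))
    return problems
```

On the server, call check_slapd_keytab('/etc/ldap/ldap.keytab', '/etc/default/slapd', 'openldap'); each entry in the returned list is something to fix before restarting slapd.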