Creating a Kerberos principal
You need to create at least two principals on the Key Distribution Center (KDC) for use by the IDS server and client in order to support Kerberos bind. The first principal is the LDAP server principal and the second one is the principal used by client systems to bind to the server.
Each principal's key must be placed in a keytab file so that it can be used to start the server process or the client daemon process.
The following example is based on the IBM® Network Authentication Service. If you install Kerberos software from other sources, the actual commands may be different than what is shown here.
- Start the kadmin tool on the KDC server as the root user.
# /usr/krb5/sbin/kadmin.local
kadmin.local:
- Create the ldap/serverhostname principal for the LDAP server. The serverhostname is the fully qualified DNS host name of the system that will run the LDAP server.
kadmin.local: addprinc ldap/plankton.austin.ibm.com
WARNING: no policy specified for "ldap/plankton.austin.ibm.com@ud3a.austin.ibm.com"; defaulting to no policy. Note that policy may be overridden by ACL restrictions.
Enter password for principal "ldap/plankton.austin.ibm.com@ud3a.austin.ibm.com":
Re-enter password for principal "ldap/plankton.austin.ibm.com@ud3a.austin.ibm.com":
Principal "ldap/plankton.austin.ibm.com@ud3a.austin.ibm.com" created.
kadmin.local:
- Create a keytab for the server principal you just created. This key will be used by the LDAP server during server startup. To create a keytab called slapd_krb5.keytab:
kadmin.local: ktadd -k /etc/security/slapd_krb5.keytab ldap/plankton.austin.ibm.com
Entry for principal ldap/plankton.austin.ibm.com with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/security/slapd_krb5.keytab.
Entry for principal ldap/plankton.austin.ibm.com with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/security/slapd_krb5.keytab.
Entry for principal ldap/plankton.austin.ibm.com with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/security/slapd_krb5.keytab.
Entry for principal ldap/plankton.austin.ibm.com with kvno 2, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/security/slapd_krb5.keytab.
kadmin.local:
- Create a principal named ldapadmin for the IDS administrator.
kadmin.local: addprinc ldapadmin
WARNING: no policy specified for ldapadmin@ud3a.austin.ibm.com; defaulting to no policy. Note that policy may be overridden by ACL restrictions.
Enter password for principal "ldapadmin@ud3a.austin.ibm.com":
Re-enter password for principal "ldapadmin@ud3a.austin.ibm.com":
Principal "ldapadmin@ud3a.austin.ibm.com" created.
kadmin.local:
- Create a keytab called ldapadmin.keytab for the bind principal ldapadmin. This key can be used by the secldapclntd client daemon.
kadmin.local: ktadd -k /etc/security/ldapadmin.keytab ldapadmin
Entry for principal ldapadmin with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/security/ldapadmin.keytab.
Entry for principal ldapadmin with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/security/ldapadmin.keytab.
Entry for principal ldapadmin with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/security/ldapadmin.keytab.
Entry for principal ldapadmin with kvno 2, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/security/ldapadmin.keytab.
kadmin.local:
- Create a principal named ldapproxy for clients to bind to the LDAP server.
kadmin.local: addprinc ldapproxy
WARNING: no policy specified for ldapproxy@ud3a.austin.ibm.com; defaulting to no policy. Note that policy may be overridden by ACL restrictions.
Enter password for principal "ldapproxy@ud3a.austin.ibm.com":
Re-enter password for principal "ldapproxy@ud3a.austin.ibm.com":
Principal "ldapproxy@ud3a.austin.ibm.com" created.
kadmin.local:
- Create a keytab called ldapproxy.keytab for the bind principal ldapproxy. This key can be used by the secldapclntd client daemon.
kadmin.local: ktadd -k /etc/security/ldapproxy.keytab ldapproxy
Entry for principal ldapproxy with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/security/ldapproxy.keytab.
Entry for principal ldapproxy with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/security/ldapproxy.keytab.
Entry for principal ldapproxy with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/security/ldapproxy.keytab.
Entry for principal ldapproxy with kvno 2, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/security/ldapproxy.keytab.
kadmin.local:
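The ktadd output above shows four keys per principal, two of which (single DES and ArcFour/RC4) are weak. As an added check that is not part of the IBM procedure, the following Python parser reads a keytab file offline and reports each entry's principal, kvno and encryption type so the contents can be verified and weak keys flagged. It assumes the keytab is in the MIT 0x0502 file format (the WRFILE: keytabs written by MIT-derived Kerberos such as IBM NAS); the sample keytab bytes it parses are constructed inside the block.

```python
import struct

# Standard enctype numbers for the four key types the ktadd output lists.
ENCTYPE_NAMES = {3: "des-cbc-md5", 16: "des3-cbc-sha1",             # DES/RSA-MD5, 3DES/HMAC-sha1
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}  # AES-256 CTS, ArcFour/HMAC-md5
WEAK_ENCTYPES = {3, 23}  # single DES and RC4 keys should be flagged and removed from keytabs

def build_keytab(entries):
    """Write a 0x0502 keytab from (principal, realm, kvno, enctype, key) tuples; sample data only."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:            # realm first, then each name component
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)      # optional 32-bit kvno at the end of the entry
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """List the live entries of a keytab; key material is skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                          # negative size marks a deleted entry: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos, names = pos + 2, []
        for _ in range(ncomp + 1):            # realm, then ncomp name components
            (n,) = struct.unpack_from(">H", data, pos)
            names.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _ntype, _ts, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen                      # step over the key bytes themselves
        if end - pos >= 4:                    # 32-bit kvno, if present and nonzero, wins
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0], "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "weak": enctype in WEAK_ENCTYPES})
    return entries
```

To check a real file, pass its bytes to parse_keytab (for example the contents of /etc/security/slapd_krb5.keytab); entries reported as weak are the DES and RC4 keys.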