Install and Configure an Open Source Identity Server Lab


Install and Configure an Open Source Identity Server Lab
SUS05/SUS06
Novell Training Services
ATT LIVE 2012 LAS VEGAS

Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page ( for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page ( and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA
U.S.A.

Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (

Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (

Third-Party Materials
All third-party trademarks are the property of their respective owners.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES.

Contents

SUS05 & 06: Open Source Identity Server & Secure Access to Linux Services

Section 1  Configure an Open Source Identity Server ... 11
  Exercise 1.1  Configure an NTP Server on the LDAP Servers ... 12
    Task I: Configure the NTP Server on DS1
    Task II: Configure the NTP Server on DS2
  Exercise 1.2  Configure csync2 for the CA/LDAP/Kerberos Servers (Optional) ... 14
    Task I: Configure csync2
  Exercise 1.3  Configure a Certificate Authority with YaST ... 16
    Task I: Create a Root CA ... 16
    Task II: Replicate the Root CA to another Server ... 17
  Exercise 1.4  Generate a Common Server Certificate with YaST ... 18
    Task I: Generate a Server Certificate ... 18
    Task II: Set a Certificate as the Common Server Certificate ... 19
    Task III: Replicate the Changes to the CA to another Server ... 19
  Exercise 1.5  Generate an SSL Server Certificate for the 2nd LDAP Server (Optional) ... 20
    Task I: Generate a Server Certificate ... 20
    Task II: Replicate the Changes to the CA to the other Server ... 21
    Task III: Set a Certificate as the Common Server Certificate ... 21
  Exercise 1.6  Create a Synchronized Exported Key Store ... 23
    Task I: Create a Synchronized Exported Key Store ... 23
    Task II: Replicate the Changes to the CA to another Server ... 23
  Exercise 1.7  Configure an OpenLDAP Master Server ... 24
    Task I: Configure the LDAP Server ... 24
    Task II: Configure the LDAP Client on the LDAP Server ... 25
    Task III: Browse the LDAP Database ... 26
  Exercise 1.8  Configure an OpenLDAP Slave Server (Optional) ... 27
    Task I: Configure the LDAP Slave Server ... 27
    Task II: Configure the LDAP Client on the LDAP Server ... 27
    Task III: Browse the LDAP Database ... 28
  Exercise 1.9  Configure a Multi-master LDAP Replication (Optional) ... 29
    Task I: Configure LDAP Multi-master Database Replication ... 29
  Exercise 1.10  Configure a Kerberos Server with a LDAP Back End ... 31
    Task I: Configure LDAP to Store the Kerberos Database ... 31
    Task II: Configure a Kerberos Server ... 31
  Exercise 1.11  Configure a Secondary Kerberos with a LDAP Back End (Optional) ... 33
    Task I: Configure LDAP to Store the Kerberos Database ... 33
    Task II: Configure a Kerberos Server ... 33
    Task III: Configure the Kerberos Client ... 34

Section 2  Configure a LDAP Client ... 37
  Exercise 2.1  Generate an SSL Server Certificate for Another Server ... 38
    Task I: Generate a Server Certificate ... 38
    Task II: Export the Server Certificate in PKCS12 Format ... 39
    Task III: Export the Server Certificate in PEM Format ... 39
    Task IV: Copy the Cert and Key Files to the Other Server ... 40
    Task V: Replicate the Changes to the CA to another Server ... 40
  Exercise 2.2  Import a Common Server Certificate for a Server ... 42
    Task I: Generate a Server Certificate ... 42
  Exercise 2.3  Create LDAP Groups and Users ... 43
    Task I: Create LDAP Groups ... 43
    Task II: Create LDAP Users ... 43
  Exercise 2.4  Configure an LDAP Client with YaST ... 45
    Task I: Configure an LDAP Client ... 45

Section 3  Configure a Kerberos Client ... 47
  Exercise 3.1  Configure an NTP Client ... 48
    Task I: Configure the NTP Clients ... 48
  Exercise 3.2  Create LDAP Group and Users for Kerberos ... 49
    Task I: Create an LDAP Group for Kerberos Users ... 49
    Task II: Create LDAP Users for Kerberos ... 49
  Exercise 3.3  Create Kerberos User Principals ... 51
    Task I: Create Kerberos User Principals ... 51
  Exercise 3.4  Configure a Kerberos Client with YaST ... 52
    Task I: Configure the Kerberos Client ... 52
  Exercise 3.5  Configure pam to Use Both Kerberos and LDAP ... 53
    Option I: Configure pam with pam-config ... 53
    Option II: Edit the pam Configuration Files ... 53

Section 4  Configure SSH to Use Kerberos ... 55
  Exercise 4.1  Generate Host Principals and Keytabs for the Kerberos Servers ... 56
    Task I: Create the Kerberos Host Principals ... 56
    Task II: Generate the Kerberos Keytabs ... 56
  Exercise 4.2  Generate Host Principals and Keytabs for a SSH Server ... 58
    Task I: Generate the Kerberos Host Principal ... 58
    Task II: Generate the Kerberos Keytabs ... 58
    Task III: Copy the Keytab to the SSH Server ... 58
  Exercise 4.3  Configure a SSH on the Kerberos Server to Use Kerberos Authentication ... 60
    Task I: Configure the SSH Daemon for Kerberos ... 60
    Task II: Test SSH Kerberos Authentication ... 60
  Exercise 4.4  Configure SSH to Use Kerberos Authentication ... 61
    Task I: Configure the SSH Daemon for Kerberos ... 61
    Task II: Test SSH Kerberos Authentication ... 61

Section 5  Configure NFSv4
  Exercise 5.1  Configure an NTP Client on the NFS Server ... 64
    Task I: Configure the NTP Clients ... 64
  Exercise 5.2  Generate an SSL Server Certificate for Another Server ... 65
    Task I: Generate a Server Certificate
    Task II: Export the Server Certificate in PKCS12 Format ... 66
    Task III: Export the Server Certificate in PEM Format ... 66
    Task IV: Copy the Cert and Key Files to the Other Server ... 67
    Task V: Replicate the Changes to the CA to another Server ... 67
  Exercise 5.3  Import a Common Server Certificate for a Server ... 69
    Task I: Generate a Server Certificate ... 69
  Exercise 5.4  Configure an LDAP Client with YaST ... 70
    Task I: Configure an LDAP Client ... 70
  Exercise 5.5  Configure a Kerberos Client with YaST ... 72
    Task I: Configure the Kerberos Client ... 72
  Exercise 5.6  Configure pam to Use Both Kerberos and LDAP ... 73
    Option I: Configure pam with pam-config ... 73
    Option II: Edit the pam Configuration Files ... 73
  Exercise 5.7  Generate a Host Principal and Keytab for a NFS Server ... 75
    Task I: Generate the Kerberos Keytabs ... 75
  Exercise 5.8  Configure SSH to Use Kerberos Authentication ... 77
    Task I: Configure the SSH Daemon for Kerberos on the NFS Server ... 77
    Task II: Test SSH Kerberos Authentication ... 77
  Exercise 5.9  Configure an NFSv4 Server with GSSAPI ... 78
    Task I: Configure the NFS Server ... 78
  Exercise 5.10  Configure an NFSv4 Client with GSSAPI Security ... 80
    Task I: Configure an NFS Client for GSSAPI Security ... 80
    Task II: Enable GSS Security for the NFS Client ... 81
  Exercise 5.11  Export Home Directories with NFSv4 and GSSAPI Security ... 82
    Task I: Export /home via NFSv4
    Task II: Verify the Exported File System ... 83
    Task III: Configure a NFS Client to Mount the /home Share ... 83

List of Figures
  Lab Network Environment ... 7
  Machine Roles ... 7
  Node1 Network Configuration ... 8
  Node2 Network Configuration ... 8
  Node3 Network Configuration ... 9
  Storage1 Network Configuration ... 9
  DS1 Network Configuration ... 10
  DS2 Network Configuration


Section 1  Configure an Open Source Identity Server

In this section you configure OpenSSL, OpenLDAP and Kerberos to create an identity server based on open source software.

1.1 Configure an NTP Server on the LDAP Servers

In this exercise, you use the YaST NTP module to configure an NTP server.

Objectives:
  Task I: Configure the NTP Server on DS1
  Task II: Configure the NTP Server on DS2

Special Instructions and Notes:
  You may need to turn off or modify the firewall rules on the NTP server if its firewall is enabled.
  NTP_SERVER_IP=

Task I: Configure the NTP Server on DS1

1. On the DS1 server, launch the NTP YaST module on the NTP server:
     YaST > Network Services > NTP Configuration
2. Select Start NTP Daemon: Now and On Boot. Click Continue if a warning window appears.
3. Ensure that Undisciplined Local Clock (LOCAL) is listed.
4. Highlight Undisciplined Local Clock (LOCAL) and click Edit.
5. Click Driver Calibration.
6. Change the Stratum to 5.
7. Click Next, then OK and then OK.
8. Restart the NTP daemon on the NTP server by entering the following at the command line of that server:
     killall ntpd
     rcntp restart

Task II: Configure the NTP Server on DS2

1. On the DS2 server, launch the NTP YaST module on the NTP server:
     YaST > Network Services > NTP Configuration
2. Select Start NTP Daemon: Now and On Boot. Click Continue if a warning window appears.
3. Ensure that Undisciplined Local Clock (LOCAL) is listed.
4. Click Add and then Next.
5. On the New Synchronization screen, select Server and then click Next.
6. On the NTP Server screen, enter the following values in the corresponding fields:
     Address: NTP_SERVER_IP
     Options: iburst
7. Click the Test button. If the test is unsuccessful, the NTP server on DS1 may not be finished starting. Wait a minute or two and try again. When the test is successful, click OK.
8. Click Next, then OK and then OK.
9. Restart the NTP daemon on the NTP server by entering the following at the command line of that server:
     killall ntpd
     rcntp restart

(End of Exercise)

1.2 Configure csync2 for the CA/LDAP/Kerberos Servers (Optional)

In this exercise you configure csync2 to keep the common certificate authority, LDAP and Kerberos configuration files in sync.

Objectives:
  Task I: Configure csync2

Special Instructions and Notes:
  The csync2 package must be installed for this exercise to be performed successfully. The csync2 package can be found in the SLE-HA Extension and on

Task I: Configure csync2

1. On the first LDAP server (DS1), open a terminal window and, if not already logged in as the root user, enter su to become root.
2. Enter the following command to create the csync2 key for the CA/LDAP/Kerberos servers:
     csync2 -k /etc/csync2/key_cagroup
3. In the text editor of your choice (as root), open the /etc/csync2/csync2.cfg file to be edited.
4. Add the following to the end of the file:
     group ca_group {
         host ds1 ds2;
         key /etc/csync2/key_cagroup;
         include /etc/csync2/csync2.cfg;
         include /var/lib/cam;
         include /etc/ldap/ldap-pw;
         include /var/lib/kerberos/krb5kdc/.k5.site;
         include /var/lib/kerberos/krb5kdc/kadm5.keytab;
     }
5. Save the file and close the text editor.
6. Enter the following commands to copy the key and the initial configuration file to the other LDAP server(s):
     scp /etc/csync2/key_cagroup ds2:/etc/csync2/
     scp /etc/csync2/csync2.cfg ds2:/etc/csync2/
7. Enter the following commands to enable csync2:
     chkconfig csync2 on
     insserv xinetd
     rcxinetd restart
8. Repeat the previous step on the other LDAP servers.
9. On the first LDAP server (DS1), enter the following command to perform the initial file synchronization:
     csync2 -xv

(End of Exercise)
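The ca_group above replicates the CA private keys, the LDAP admin password file, the Kerberos master key stash and the kadmin keytab between DS1 and DS2, so a mode slip on any of them is copied to every host. The following audit script is an added example, not part of the lab manual: it reads the key and include paths of a group out of csync2.cfg and reports every regular file under them that group or other users can read. It assumes the group/include/key syntax shown in step 4 and paths without whitespace.

```shell
#!/bin/sh
# Added example, not part of the Novell lab: audit the paths a csync2 group
# replicates. The lab's ca_group carries CA private keys (/var/lib/cam), the
# LDAP admin password file, the Kerberos master key stash and the kadmin
# keytab, so every regular file under those paths should be root-only.
# Assumes the "group NAME { ... }", "include PATH;" and "key PATH;" syntax of
# the exercise; paths containing whitespace are not supported.

# Print the key and include paths of one group in a csync2.cfg file.
# $1 = config file, $2 = group name
csync2_group_paths() {
    awk -v want="$2" '
        /^[[:space:]]*group[[:space:]]/ { ingroup = ($2 == want); next }
        /^[[:space:]]*}/                { ingroup = 0; next }
        ingroup && /^[[:space:]]*(include|key)[[:space:]]/ {
            sub(/^[[:space:]]*(include|key)[[:space:]]+/, "")
            sub(/[[:space:]]*;.*$/, "")
            print
        }
    ' "$1"
}

# Walk every regular file under the group's paths and flag any that the
# group or other permission bits allow to be read. Prints one line per file
# (OK / INSECURE / MISSING) and returns 1 if anything was flagged.
# $1 = config file, $2 = group name
csync2_check_secret_modes() {
    bad=0
    for p in $(csync2_group_paths "$1" "$2"); do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            continue
        fi
        for f in $(find "$p" -type f); do
            # characters 5-10 of "ls -l" output are the group and other rwx bits
            perms=$(ls -ld "$f" | cut -c5-10)
            case "$perms" in
                *r*) echo "INSECURE $f $perms"; bad=1 ;;
                *)   echo "OK $f" ;;
            esac
        done
    done
    return $bad
}

# Run against the lab's configuration when executed as: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    csync2_check_secret_modes /etc/csync2/csync2.cfg ca_group
fi
```

csync2.cfg itself is included in the group and is normally world-readable, so an INSECURE line for it is expected; every other path in ca_group should report OK.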

1.3 Configure a Certificate Authority with YaST

In this exercise, you use the YaST CA Management module to configure an SSL certificate authority.

Objectives:
  Task I: Create a Root CA
  Task II: Replicate the Root CA to another Server

Special Instructions and Notes:
  This is a special instruction needed to complete the exercise.
  CA_NAME=
  CA_COMMON_NAME=
  CA_ =
  CA_PASSWD=
  DS2_IP=

Task I: Create a Root CA

1. On the first LDAP server (DS1), launch the YaST CA module:
     YaST > Security and Users > CA Management
2. On the CA Selection screen, click Create Root CA.
3. Use the following values to fill in the fields on the Create Root CA (step 1/3) screen. If a value is not provided for a field, leave the default value in the field.
     CA Name = CA_NAME
     Common Name = CA_COMMON_NAME
     Addresses = CA_
   TIP: For the address, enter the value in the field below the addresses list and click Add.
4. When the values have been entered, click Next.
5. On the Create New Root CA (step 2/3) screen, fill in the fields using the following values:
     Password = CA_PASSWD
     Key Length (bit) = 2048
     Valid Period (days) =
6. When the values have been entered, click Next.
7. On the Create New CA (step 3/3) screen, verify that all values are correct and then click Create.
   You should see your newly created CA in the CA Tree list on the CA Selection screen. If the YaST CA Management module is closed, launch it again.
8. To view the contents of the CA, select the CA from the CA Tree list and click Enter CA.
9. When prompted for the CA password, enter the CA password used above and click OK.
   You should see information about your CA.

Task II: Replicate the Root CA to another Server

1. On the first LDAP server (DS1), while logged in as the root user, open a terminal window and enter one of the following commands:
   - If csync2 IS configured:
       csync2 -xv
   - If csync2 is NOT configured:
       rsync -a /var/lib/cam/ root@ds2_ip:/var/lib/cam/
     When prompted, enter the root password.
2. On the second LDAP server (DS2), verify that the CA directory was copied to /var/lib/cam/.
3. On the second LDAP server (DS2), launch the YaST CA module:
     YaST > Security and Users > CA Management
   You should see the new CA listed here as well.

(End of Exercise)

1.4 Generate a Common Server Certificate with YaST

In this exercise, you use the YaST CA Management module to generate an SSL server certificate. You then set that certificate as the common server certificate for the machine.

Objectives:
  Task I: Generate a Server Certificate
  Task II: Set a Certificate as the Common Server Certificate
  Task III: Replicate the Changes to the CA to another Server

Special Instructions and Notes:
  A Certificate Authority must be configured to perform this exercise.
  CA_PASSWD=
  CRT_COMMON_NAME=
  CRT_ =
  DS2_IP=

Task I: Generate a Server Certificate

1. On the first LDAP server (DS1), launch the YaST CA Management module:
     YaST > Security and Users > CA Management
2. From the CA Tree list, select your CA and click Enter CA.
3. When prompted for the CA password, enter CA_PASSWD.
4. On the Certificate Authority (CA) screen, select the Certificates tab.
5. On the Certificates tab, from the Add drop-down list, select Add Server Certificate.
6. Use the following values to fill in the fields on the Create New Server Certificate (step 1/3) screen. If a value is not provided, leave the default value in the field.
   NOTE: The common name should be the fully qualified domain name that will be used to access the server.
     Common Name = CRT_COMMON_NAME
     Addresses = CRT_
   TIP: For the address, enter the value in the field below the Addresses list and click Add.
7. When the values have been entered, click Next.
8. On the Create New Server Certificate (step 2/3) screen, select the Use CA Password as Certificate Password check box.
9. Fill in the rest of the fields using the following values:
     Key Length (bit) = 2048
     Valid Period (days) =
10. When the values have been entered, click Next.
11. On the Create New Server Certificate (step 3/3) screen, verify that the values are correct and then click Create.
   You should see the newly created server certificate in the certificates list and it should be listed as valid.

Task II: Set a Certificate as the Common Server Certificate

1. On the Certificates tab of the Certificate Authority (CA) screen, select the newly generated certificate from the list of certificates.
2. From the Export drop-down list, select Export as Common Server Certificate.
3. When prompted for the certificate password, enter CA_PASSWD and click OK.
4. When the export confirmation window appears, click OK.
5. To verify that the certificate was exported, open a terminal window and enter the following command:
     ls -l /etc/ssl/servercerts/
   You should see two files named servercert.pem and serverkey.pem. These are the files that were created when the certificate was exported as the common server certificate.

Task III: Replicate the Changes to the CA to another Server

1. On the first LDAP server (DS1), while logged in as the root user, open a terminal window and enter one of the following commands:
   - If csync2 IS configured:
       csync2 -xv
   - If csync2 is NOT configured:
       rsync -a /var/lib/cam/ root@ds2_ip:/var/lib/cam/
     When prompted, enter the root password.
2. (Optional) On the DS2 server, verify that the CA updates were copied to /var/lib/cam/.

(End of Exercise)

1.5 Generate an SSL Server Certificate for the 2nd LDAP Server (Optional)

In this exercise, you use YaST to generate a server certificate for the 2nd LDAP server. You then import the certificate on the DS2 server as the common server certificate.

Objectives:
  Task I: Generate a Server Certificate
  Task II: Replicate the Changes to the CA to the other Server
  Task III: Set a Certificate as the Common Server Certificate

Special Instructions and Notes:
  A Certificate Authority must be configured to perform this exercise.
  CA_PASSWD=
  DS2_FQDN=
  DS2_IP=
  CRT_ =

Task I: Generate a Server Certificate

1. On the first LDAP server (DS1), launch the YaST CA Management module:
     YaST > Security and Users > CA Management
   If prompted for the root user's password, enter novell.
2. From the CA Tree list, select your CA and click Enter CA.
3. When prompted for the CA password, enter CA_PASSWD.
4. On the Certificate Authority (CA) screen, select the Certificates tab.
5. On the Certificates tab, from the Add drop-down list, select Add Server Certificate.
6. Use the following values to fill in the fields on the Create New Server Certificate (step 1/3) screen. If a value is not provided, leave the default value in the field.
   NOTE: The common name should be the fully qualified domain name that will be used to access the server.
     Common Name = DS2_FQDN
     Addresses = CRT_
   TIP: For the address, enter the value in the field below the Addresses list and click Add.
7. When the values have been entered, click Next.
8. On the Create New Server Certificate (step 2/3) screen, select the Use CA Password as Certificate Password check box.
9. Fill in the rest of the fields using the following values:
     Key Length (bit) = 2048
     Valid Period (days) =
10. When the values have been entered, click Next.
11. On the Create New Server Certificate (step 3/3) screen, verify that the values are correct and then click Create.
   You should see the newly created server certificate in the certificates list and it should be listed as valid.

Task II: Replicate the Changes to the CA to the other Server

1. On the DS1 server, while logged in as the root user, open a terminal window and enter one of the following commands:
   - If csync2 IS configured:
       csync2 -xv
   - If csync2 is NOT configured:
       rsync -a /var/lib/cam/ root@ds2_ip:/var/lib/cam/
     When prompted, enter the root password.
2. (Optional) On the DS2 server, verify that the CA updates were copied to /var/lib/cam/.

Task III: Set a Certificate as the Common Server Certificate

1. On the DS2 server, launch the YaST CA Management module:
     YaST > Security and Users > CA Management
   If prompted for the root user's password, enter novell.
2. From the CA Tree list, select your CA and click Enter CA.
3. When prompted for the CA password, enter CA_PASSWD.
4. On the Certificates tab of the Certificate Authority (CA) screen, select the ds2 certificate from the list of certificates.
5. From the Export drop-down list, select Export as Common Server Certificate.
6. When prompted for the certificate password, enter CA_PASSWD and click OK.
7. When the export confirmation window appears, click OK.
8. To verify that the certificate was exported, open a terminal window and enter the following command:
     ls -l /etc/ssl/servercerts/
   You should see two files named servercert.pem and serverkey.pem. These are the files that were created when the certificate was exported as the common server certificate.

(End of Exercise)
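Exercises 1.3 to 1.5 end with ls -l showing that servercert.pem and serverkey.pem exist, which says nothing about whether they are usable. The script below is an added example, not part of the lab manual: servercert_check confirms that the exported certificate chains to the lab CA, that the key file matches it, that its CN is the FQDN clients will use, that it is unexpired, and that the key is root-only; make_demo_pki builds a throwaway CA and server certificate with the openssl CLI so the check can be tried offline. It assumes openssl is installed and that, with CA_NAME=site, the YaST CA certificate is /var/lib/cam/site/cacert.pem, the path Exercise 1.8 names.

```shell
#!/bin/sh
# Added example, not part of the Novell lab: check an exported common server
# certificate before slapd or any client is pointed at it.
# Assumptions: openssl CLI installed; CA certificate at /var/lib/cam/site/
# cacert.pem (CA_NAME=site); export in /etc/ssl/servercerts/.

# servercert_check CA_PEM CERT_PEM KEY_PEM FQDN  -> 0 if every check passes
servercert_check() {
    ca=$1; cert=$2; key=$3; fqdn=$4
    command -v openssl >/dev/null 2>&1 || { echo "FAIL: openssl not found"; return 2; }

    # 1. the server certificate must be issued by the lab CA
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not chain to $ca"; return 1; }

    # 2. the private key must belong to the certificate (identical public key)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $cert"; return 1; }

    # 3. the subject CN must be the FQDN clients will connect to
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
        | grep -Eq "CN=$fqdn(,|\$)" \
        || { echo "FAIL: subject CN is not $fqdn"; return 1; }

    # 4. the certificate must still be inside its validity period
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: $cert has expired"; return 1; }

    # 5. the exported key must not be readable by group or others
    case "$(ls -ld "$key" | cut -c5-10)" in
        *r*) echo "FAIL: $key is readable by group or others"; return 1 ;;
    esac

    echo "OK: $cert is valid for $fqdn and matches $key"
    return 0
}

# make_demo_pki DIR FQDN: constructed test material, not the YaST CA. Builds
# a throwaway root CA and a server certificate it signed, laid out like the
# lab's files (cacert.pem, servercert.pem, serverkey.pem).
make_demo_pki() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab Root CA" \
        -keyout "$dir/cacert.key" -out "$dir/cacert.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cacert.key" -CAcreateserial \
        -out "$dir/servercert.pem" >/dev/null 2>&1
    chmod 600 "$dir/cacert.key" "$dir/serverkey.pem"
}

# Check the lab's exported files when run as: sh check.sh --run ds1.example.com
if [ "${1:-}" = "--run" ]; then
    servercert_check /var/lib/cam/site/cacert.pem \
        /etc/ssl/servercerts/servercert.pem /etc/ssl/servercerts/serverkey.pem "$2"
fi
```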

1.6 Create a Synchronized Exported Key Store

In this exercise, you create a directory to hold the exported certificates and keys that can be replicated to the other CA server.

Objectives:
  Task I: Create a Synchronized Exported Key Store
  Task II: Replicate the Changes to the CA to another Server

Special Instructions and Notes:
  (none)

Task I: Create a Synchronized Exported Key Store

1. On the first CA server (DS1), enter the following command to create a directory to store exported server certificates:
     mkdir -p /var/lib/serverkeys/
2. If you have not configured csync2, skip to the next task. If you have configured csync2, open the /etc/csync2/csync2.cfg file in the text editor of your choice, as the root user.
3. Add the following to the end of the group ca_group section, before its closing }:
     include /var/lib/serverkeys;
4. Save the file and close the text editor.

Task II: Replicate the Changes to the CA to another Server

1. On the first CA server (DS1), while logged in as the root user, open a terminal window and enter one of the following commands:
   - If csync2 IS configured:
       csync2 -xv
   - If csync2 is NOT configured:
       rsync -a /var/lib/serverkeys/ root@ds2_ip:/var/lib/serverkeys/
     When prompted, enter the root password.

(End of Exercise)

1.7 Configure an OpenLDAP Master Server

In this exercise, you use the YaST LDAP Server module to configure a master LDAP server. You then use the YaST LDAP Client module to create the default objects in the directory and then use the YaST LDAP Browser to browse the LDAP database.

Objectives:
  Task I: Configure the LDAP Server
  Task II: Configure the LDAP Client on the LDAP Server
  Task III: Browse the LDAP Database

Special Instructions and Notes:
  Use the following value(s) in this exercise:
  BASE_DN=
  ADMIN_DN=
  ADMIN_DN_PASSWD=

Task I: Configure the LDAP Server

1. On the first LDAP server (DS1), launch the YaST LDAP Server module:
     YaST > Network Services > LDAP Server
2. On the General Settings screen, under Start LDAP Server, select Yes. If the Open Port in Firewall check box is enabled, select it as well and click Next.
3. On the Please Select Server Type screen, select This server can act as a master server in a replication setup and click Next.
4. On the TLS Settings screen, under Basic Settings, ensure that all of the check boxes are selected and click Next.
   NOTE: If a common server certificate has not been generated, you will need to specify the paths to the CA certificate, server certificate, and server key files. If these have not been generated, you can click the Launch CA Management Module button and use YaST to generate these certificates.
5. On the Basic Database Settings screen, fill in the fields using the following values. If a value is not provided, leave the default value in the field:
     Database Type = hdb
     Base DN = BASE_DN
     Administrator DN = ADMIN_DN
     Append Base DN = (checked)
     LDAP Administrator Password = ADMIN_DN_PASSWD
     Database Directory = /var/lib/ldap
     Use this database as the default = (checked)
6. When the values have been entered, click Next.
7. On the Replication Master Setup screen, enter the following for the password and then click Next:
     Password = linux
     Prepare for MirrorMode replication = (unchecked)
   Note: MirrorMode will optionally be configured in a later exercise.
8. On the LDAP Server Configuration Summary screen, verify that the values are correct and click Finish.
9. Open a terminal window and, if not already logged in as the root user, enter su to become root.
10. Enter the following commands to copy the Kerberos schema files into the OpenLDAP schema directory:
     cd /usr/share/doc/packages/krb5/
     cp kerberos.* /etc/openldap/schema/
11. Launch the YaST LDAP Server module again:
     YaST > Network Services > LDAP Server
12. In the left pane, select Schema Files.
13. In the right pane, click Add, select kerberos.schema and then click Open.
14. Click Add again, select samba3.schema and then click Open.
15. Click Add again, select dhcp.schema and then click Open.
16. Click Add again, select dnszone.schema and then click Open.
17. If this is the first LDAP server, make a list of the schema files listed here (the order doesn't matter):
18. Click OK to close the YaST module.

Task II: Configure the LDAP Client on the LDAP Server

1. On the first LDAP server, launch the YaST LDAP Client module:
     YaST > Network Services > LDAP Client
2. Under User Authentication, select Use LDAP.
3. In the LDAP Client section, in the Addresses of LDAP Servers field, enter ds1 and click Fetch DN.
4. In the pop-up window showing the available DNs, select the Base DN created above and click OK.
5. Ensure that only the following check box(es) are selected:
     Create Home Directory on Login
6. Click Advanced Configuration.
7. Select the Administration Settings tab.
8. In the Administrator DN field, enter ADMIN_DN and select the following check boxes:
     Append Base DN
     Create Default Configuration Objects
     Home Directories on This Machine
9. When the values have been entered, click OK.
10. Back on the LDAP Client Configuration screen, click OK to finish.
11. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and click OK.
12. Click OK to finish.
13. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and click OK.

Task III: Browse the LDAP Database

1. On the first LDAP server, launch the YaST LDAP Browser module:
     YaST > Network Services > LDAP Browser
2. On the pop-up window, select/enter the following:
     LDAP Connections: Current LDAP Client settings
     LDAP Server:
     Administrator DN: ADMIN_DN
     LDAP Server Password: ADMIN_DN_PASSWD
     LDAP TLS: (checked)
3. In the left pane, select BASE_DN.
   You should see the currently configured objects in the directory.

(End of Exercise)

27 Configure an Open Source Identity Server 1.8 Configure an OpenLDAP Slave Server (Optional) In this exercise, you use the YaST LDAP Server module to configure a LDAP slave server. You then use the YaST LDAP Browser module to view the objects in the directory. Objectives: Task I: Configure the LDAP Slave Server Task II: Configure the LDAP Client on the LDAP Server Task III: Browse the LDAP Database Special Instructions and Notes: Use the following value(s) in this exercise: BASE_DN= ADMIN_DN= ADMIN_DN_PASSWD= Task I: Configure the LDAP Slave Server 1. On the second LDAP server (DS2), launch the YaST LDAP Server module: YaST > Network Services > LDAP Server 2. On the General Settings screen, under Start LDAP Server, select Yes. If the Open Port in Firewall check box is enabled, select it as well and click Next 3. On the Please Select Server Type screen, select This will be a replica (slave)server.... and click Next 4. On the Slave server setup screen, enter/select the following values. Protocol: ldap Provider Hostname = ds1 Port: 389 Administrator Password... = ADMIN_DN_PASSWD Note: On SLES11-SP2 you must also change the following value: CA Certificate = /var/lib/cam/site/cacert.pem 5. When the values have been entered, click Next 6. If you get a TLS error due to a self signed certificate, just clisk Continue Task II: Configure the LDAP Client on the LDAP Server 1. On the second LDAP server (DS2), launch the YaST LDAP Client module: YaST > Network Services > LDAP Client 2. Under User Authentication, select Use LDAP Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 27

3. In the LDAP Client section, in the Addresses of LDAP Servers field, enter and click Fetch DN
4. In the pop-up window showing the available DNs, select the Base DN created above and click OK
5. Ensure that only the following check box(es) are selected:
   Create Home Directory on Login
6. Click Advanced Configuration
7. Select the Administration Settings tab
8. In the Administrator DN field, enter ADMIN_DN and select the following check boxes:
   Append Base DN
   Home Directories on This Machine
9. When the values have been entered, click OK
10. Back on the LDAP Client Configuration screen, click OK to finish
11. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and click OK
12. Click OK to finish
13. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and click OK

Task III: Browse the LDAP Database

1. On the second LDAP server (DS2), launch the YaST LDAP Browser module:
   YaST > Network Services > LDAP Browser
2. On the pop-up window, select/enter the following:
   LDAP Connections: Current LDAP Client settings
   LDAP Server:
   Administrator DN: ADMIN_DN
   LDAP Server Password: ADMIN_DN_PASSWD
   LDAP TLS: (checked)
3. In the left pane, select BASE_DN
   You should see the currently configured objects in the directory

(End of Exercise)

1.9 Configure a Multi-master LDAP Replication (Optional)

In this exercise, you configure two LDAP servers for multi-master database replication.

Objectives:
Task I: Configure LDAP Multi-master Database Replication

Special Instructions and Notes:
Use the following value(s) in this exercise:
BASE_DN=

Task I: Configure LDAP Multi-master Database Replication

1. On the first LDAP server (DS1), enter the following command to retrieve the syncrepl user credentials:
   ldapsearch -Y external -H ldapi:/// -b cn=config | grep credentials
   Record the value in credentials="*******" here: SYNCREPL_CREDS=
2. In the text editor of your choice, create and open the /tmp/add_mm.ldif file to be edited
3. Enter the following in the file:
   dn: cn=config
   changetype: modify
   replace: olcServerID
   olcServerID: 1 ldap://ds1
   olcServerID: 2 ldap://ds2

   dn: olcDatabase={1}hdb,cn=config
   changetype: modify
   replace: olcSyncrepl
   olcSyncrepl: rid=2 provider="ldap://ds1" searchbase="dc=site" type="refreshAndPersist" retry= starttls=critical tls_reqcert=demand

     bindmethod="simple" binddn="uid=syncrepl,ou=system,BASE_DN" credentials="SYNCREPL_CREDS"
   olcSyncrepl: rid=4 provider="ldap://ds2" searchbase="dc=site" type="refreshAndPersist" retry= starttls=critical tls_reqcert=demand bindmethod="simple" binddn="uid=syncrepl,ou=system,BASE_DN" credentials="SYNCREPL_CREDS"

   dn: olcDatabase={1}hdb,cn=config
   changetype: modify
   add: olcMirrorMode
   olcMirrorMode: TRUE
4. Save the file and close the text editor
5. Enter the following command to update the LDAP server configuration with the new LDIF file (as one command with no line breaks):
   ldapmodify -v -Y external -H ldapi:/// -f /tmp/add_mm.ldif
6. Enter the following command to verify that it worked:
   ldapsearch -LLL -Y external -H ldapi:/// -b cn=config olcDatabase=*
   Look for the section beginning with olcDatabase={1}hdb,cn=config. You should see olcMirrorMode: TRUE

(End of Exercise)
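As an added example (not part of the lab manual), the following POSIX shell functions generate the add_mm.ldif content from the values recorded above and check ldapsearch output for the olcMirrorMode and olcSyncrepl attributes on the {1}hdb database, including unfolding of the continuation lines ldapsearch emits. The function names are mine; the retry interval "60 +" is an assumed value because the lab leaves it unspecified, and the provider URLs default to the ds1/ds2 hosts used in the exercise.

```shell
#!/bin/sh
# Added example, not from the lab manual.

# gen_mirrormode_ldif BASE_DN SYNCREPL_CREDS [PROVIDER1_URL] [PROVIDER2_URL]
#   Prints the LDIF that makes both servers replicate from each other.
#   StartTLS is mandatory and the provider certificate must verify
#   (tls_reqcert=demand), so the syncrepl bind password never travels in
#   the clear. Both changes to the {1}hdb entry go in one record, separated
#   by "-", which is how LDIF expresses several modifications of one entry.
gen_mirrormode_ldif() {
    base_dn="$1"
    creds="$2"
    p1="${3:-ldap://ds1}"
    p2="${4:-ldap://ds2}"
    retry="60 +"    # assumed value: retry every 60 seconds, forever
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 $p1
olcServerID: 2 $p2

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=2 provider="$p1" searchbase="$base_dn" type="refreshAndPersist" retry="$retry" starttls=critical tls_reqcert=demand bindmethod="simple" binddn="uid=syncrepl,ou=system,$base_dn" credentials="$creds"
olcSyncrepl: rid=4 provider="$p2" searchbase="$base_dn" type="refreshAndPersist" retry="$retry" starttls=critical tls_reqcert=demand bindmethod="simple" binddn="uid=syncrepl,ou=system,$base_dn" credentials="$creds"
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
}

# check_mirrormode
#   Reads the output of
#     ldapsearch -LLL -Y external -H ldapi:/// -b cn=config olcDatabase=*
#   on stdin and returns 0 only if the {1}hdb database carries
#   olcMirrorMode: TRUE and at least two olcSyncrepl values with distinct
#   rids. Attribute names are compared case-insensitively, as LDAP does, and
#   the "{n}" ordering prefix slapd adds to the values is ignored.
check_mirrormode() {
    awk '
        BEGIN { RS = ""; FS = "\n" }      # one blank-line separated entry per record
        {
            # Unfold LDIF: a line starting with a space continues the previous one.
            n = 0
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 1) == " " && n > 0) line[n] = line[n] substr($i, 2)
                else line[++n] = $i
            }
            if (tolower(line[1]) != "dn: olcdatabase={1}hdb,cn=config") next
            found = 1; mirror = 0; rids = 0; split("", seen)
            for (i = 2; i <= n; i++) {
                if (tolower(line[i]) == "olcmirrormode: true") mirror = 1
                if (tolower(line[i]) ~ /^olcsyncrepl: /) {
                    split(line[i], f, " ")        # f[2] is "{0}rid=002" or "rid=2"
                    sub(/^\{[0-9]+\}/, "", f[2])
                    if (!(f[2] in seen)) { seen[f[2]] = 1; rids++ }
                }
            }
        }
        END { exit !(found && mirror && rids >= 2) }
    '
}
```

Typical use on DS1 is `gen_mirrormode_ldif "$BASE_DN" "$SYNCREPL_CREDS" > /tmp/add_mm.ldif` followed by the ldapmodify from step 5, then piping the ldapsearch from step 6 into `check_mirrormode`.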

1.10 Configure a Kerberos Server with an LDAP Back End

In this exercise, you use the YaST Kerberos Server module to configure a Kerberos KDC that uses LDAP as the back-end database.

Objectives:
Task I: Configure LDAP to Store the Kerberos Database
Task II: Configure a Kerberos Server

Special Instructions and Notes:
An LDAP server must be configured before performing the exercise.
The kerberos.ldif and kerberos.schema files must be copied from the /usr/share/doc/packages/krb5/ directory into the /etc/openldap/schema/ directory before performing this exercise.
Use the following value(s) in this exercise:
KRB5_REALM=
KRB5_PASSWD=
BASE_DN=
ADMIN_DN=
ADMIN_DN_PASSWD=

Task I: Configure LDAP to Store the Kerberos Database

1. On the DS1 server, launch the YaST LDAP Server module:
   YaST > Network Services > LDAP Server
   If prompted for the root user's password, enter novell
2. In the left pane, select Schema Files
3. Verify that the kerberos schema is listed. If not, click Add, browse to and select /etc/openldap/schema/kerberos.schema, and then click Open
4. Click OK to close the LDAP Server YaST module

Task II: Configure a Kerberos Server

1. Launch the YaST Kerberos Server module:
   YaST > Network Services > Kerberos Server
   If prompted for the root user's password, enter novell
2. On the Select the Database Back-End screen, select Use Existing LDAP server as database back-end and click Next
3. On the Basic Kerberos Settings screen, fill in the fields using the following values:
   Realm = KRB5_REALM

   Password = KRB5_PASSWD
4. If the Open Port in Firewall check box is enabled, select it
5. When all of the values have been entered, click Next
6. Under LDAP Settings, use the following values to fill in the fields. If a value is not provided, leave the default value in the field.
   LDAP Server URI = ldap://
   LDAP base DN = BASE_DN
   KDC Bind DN = ADMIN_DN,BASE_DN
   Kadmin Bind DN = ADMIN_DN,BASE_DN
   (all password fields) = ADMIN_DN_PASSWD
7. When the values are entered, click Next

(End of Exercise)

1.11 Configure a Secondary Kerberos with an LDAP Back End (Optional)

In this exercise, you use the YaST Kerberos Server module to configure a secondary Kerberos KDC that uses LDAP as the back-end database.

Objectives:
Task I: Configure LDAP to Store the Kerberos Database
Task II: Configure a Kerberos Server
Task III: Configure the Kerberos Client

Special Instructions and Notes:
An LDAP server must be configured before performing the exercise.
The kerberos.ldif and kerberos.schema files must be copied from the /usr/share/doc/packages/krb5/ directory into the /etc/openldap/schema/ directory before performing this exercise.
Use the following value(s) in this exercise:
KRB5_REALM=
KRB5_PASSWD=
BASE_DN=
ADMIN_DN=
ADMIN_DN_PASSWD=
DNS_DOMAIN=
DS2_IP=

Task I: Configure LDAP to Store the Kerberos Database

1. On the second LDAP server (DS2), launch the YaST LDAP Server module:
   YaST > Network Services > LDAP Server
   If prompted for the root user's password, enter novell
2. In the left pane, select Schema Files
3. Verify that the kerberos schema is listed. If not, click Add, browse to and select /etc/openldap/schema/kerberos.schema, and then click Open
4. Click OK to close the LDAP Server YaST module

Task II: Configure a Kerberos Server

1. Launch the YaST Kerberos Server module:
   YaST > Network Services > Kerberos Server
2. On the Select the Database Back-End screen, select Use Existing LDAP server as database back-end and click Next

3. On the Basic Kerberos Settings screen, fill in the fields using the following values:
   Realm = KRB5_REALM
   Password = KRB5_PASSWD
4. If the Open Port in Firewall check box is enabled, select it
5. When all of the values have been entered, click Next
6. Under LDAP Settings, use the following values to fill in the fields. If a value is not provided, leave the default value in the field.
   LDAP Server URI = ldap://
   LDAP base DN = BASE_DN
   KDC Bind DN = ADMIN_DN,BASE_DN
   Kadmin Bind DN = ADMIN_DN,BASE_DN
   (all password fields) = ADMIN_DN_PASSWD
7. When the values are entered, click Next
8. When you get an error creating the Kerberos database (because the realm is already in LDAP), click Cancel and then OK. If asked whether you want to change the configuration, click No
9. Relaunch the Kerberos Server YaST module
10. When prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and then click OK
11. Select Enable Kerberos and then click Finish
12. Enter one of the following sets of commands on the second Kerberos server (DS2) to copy the missing files from the first Kerberos server (DS1):
    - If csync2 IS configured:
      csync2 -xv
    - If csync2 is NOT configured:
      cd /etc/openldap/
      scp ds1:/etc/openldap/ldap-pw ./
      cd /var/lib/kerberos/krb5kdc/
      scp ds1:/var/lib/kerberos/krb5kdc/.k5.KRB5_REALM ./
      scp ds1:/var/lib/kerberos/krb5kdc/kadm5.keytab ./
13. Enter the following command to start the Kerberos server:
    rckrb5kdc start

Task III: Configure the Kerberos Client

1. Launch the YaST Kerberos Client module:
   YaST > Network Services > Kerberos Client

2. Select Use Kerberos
3. Under Basic Kerberos Settings, enter the following values in the fields. If a value is not provided, leave the default value in the field.
   Default Domain = DNS_DOMAIN
   Default Realm = KRB5_REALM
   KDC Server Address = DS2_IP
4. Click Advanced Settings
5. On the Advanced Kerberos Client Configuration screen, on the PAM Settings tab, select Kerberos Support for OpenSSH Client and then click OK
6. Back on the Kerberos Client Configuration screen, click OK
7. To verify the configuration, enter the following command at the command line:
   less /etc/krb5.conf
   You should see a section named KRB5_REALM that contains all of the Kerberos configuration from above.

(End of Exercise)


Section 2 Configure a LDAP Client

In this section you configure an LDAP client.

2.1 Generate an SSL Server Certificate for Another Server

In this exercise, you use YaST to generate a server certificate for another server. You then export the certificate and key to a text file and split the certificate and key into separate files.

Objectives:
Task I: Generate a Server Certificate
Task II: Export the Server Certificate in PKCS12 Format
Task III: Export the Server Certificate in PEM Format
Task IV: Copy the Cert and Key Files to the Other Server
Task V: Replicate the Changes to the CA to Another Server

Special Instructions and Notes:
A Certificate Authority must be configured to perform this exercise.
CA_PASSWD=
SERVER_FQDN=
SERVER_IP=
CRT_ =
CRT_FILENAME=
DS2_IP=

Task I: Generate a Server Certificate

1. On the first LDAP server (DS1), launch the YaST CA Management module:
   YaST > Security and Users > CA Management
2. From the CA Tree list, select your CA and click Enter CA
3. When prompted for the CA password, enter CA_PASSWD
4. On the Certificate Authority (CA) screen, select the Certificates tab
5. On the Certificates tab, from the Add drop-down list, select Add Server Certificate
6. Use the following values to fill in the fields on the Create New Server Certificate (step 1/3) screen. If a value is not provided, leave the default value in the field.
   NOTE: The common name should be the fully qualified domain name that will be used to access the server.
   Common Name = SERVER_FQDN
   Addresses = CRT_
   TIP: For the address, enter the value in the field below the Addresses list and click Add

7. When the values have been entered, click Next
8. On the Create New Server Certificate (step 2/3) screen, select the Use CA Password as Certificate Password check box
9. Fill in the rest of the fields using the following values:
   Key Length (bit) = 2048
   Valid Period (days) =
10. When the values have been entered, click Next
11. On the Create New Server Certificate (step 3/3) screen, verify that the values are correct and then click Create
    You should see the newly created server certificate in the certificates list, and it should be listed as valid.

Task II: Export the Server Certificate in PKCS12 Format

1. On the Certificates tab of the Certificate Authority (CA) screen, select the newly generated certificate from the list of certificates
2. From the Export drop-down list, select Export to File
3. On the Export to File pop-up window, select Certificate and the Key Unencrypted in PKCS12 Format
4. In the Certificate Password field, type CA_PASSWD
5. In the New Password and Verify Password fields, enter CA_PASSWD
6. In the File Name field, type /var/lib/serverkeys/SERVER_FQDN.p12
7. Click OK to export the certificate to a file
   You should have a new file named SERVER_FQDN.p12 in /var/lib/serverkeys that contains both the certificate and the key.

Task III: Export the Server Certificate in PEM Format

1. On the Certificates tab of the Certificate Authority (CA) screen, select the newly generated certificate from the list of certificates
2. From the Export drop-down list, select Export to File
3. On the Export to File pop-up window, select Certificate and the Key Unencrypted in PEM Format
4. In the Certificate Password field, type CA_PASSWD
5. In the File Name field, type /var/lib/serverkeys/CRT_FILENAME
6. Click OK to export the certificate to a file
   You should have a new text file named CRT_FILENAME in /var/lib/serverkeys that contains both the certificate and the key.

7. Often applications want the certificate and key in different files. To do this, in the text editor of your choice, open the /var/lib/serverkeys/CRT_FILENAME file.
8. Select the section of the file beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----
9. Copy this section and paste it into another empty file named /var/lib/serverkeys/SERVER_FQDN.crt
10. Save the SERVER_FQDN.crt file
11. Select the section of the file beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----
12. Copy this section and paste it into another empty file named /var/lib/serverkeys/SERVER_FQDN.key
13. Save the SERVER_FQDN.key file.
14. Close the text editor.
15. You should now have a file named CRT_FILENAME that ends in a .pem extension and contains both the certificate and the key, a second file named SERVER_FQDN.crt that contains only the certificate, and a third file named SERVER_FQDN.key that contains only the key.

Task IV: Copy the Cert and Key Files to the Other Server

1. Copy the server cert and key to the other server:
   scp /var/lib/serverkeys/SERVER_FQDN.* root@SERVER_IP:/tmp/
2. Log into the other server as root and verify that the files were copied into /tmp/

Task V: Replicate the Changes to the CA to Another Server

1. On the first LDAP server (DS1), while logged in as the root user, open a terminal window and enter one of the following commands:
   - If csync2 IS configured:
     csync2 -xv
   - If csync2 is NOT configured:
     rsync -a /var/lib/CAM/ root@DS2_IP:/var/lib/CAM/
     rsync -a /var/lib/serverkeys/ root@DS2_IP:/var/lib/serverkeys/
   When prompted, enter the root password
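An added example, not from the lab manual, that does steps 7 through 15 above in POSIX shell: it splits the combined PEM export into a certificate file and a key file, creates the key file with mode 0600 because it holds the unencrypted private key, and (where openssl is installed) confirms that the two files belong together. The function names are mine; the splitter accepts both the RSA PRIVATE KEY header shown above and the PKCS#8 PRIVATE KEY header that newer OpenSSL versions write.

```shell
#!/bin/sh
# Added example, not part of the lab manual.

# split_pem COMBINED_PEM OUTPUT_BASENAME
#   Writes OUTPUT_BASENAME.crt (certificate only) and OUTPUT_BASENAME.key
#   (private key only) from a PEM file that contains both, for example
#   split_pem /var/lib/serverkeys/CRT_FILENAME /var/lib/serverkeys/SERVER_FQDN
#   Returns 1 if the input is unreadable, 2 if either block is missing
#   (in which case no partial output files are left behind).
split_pem() {
    in="$1"
    base="$2"
    [ -r "$in" ] || { echo "split_pem: cannot read $in" >&2; return 1; }
    # Keep only the lines from the BEGIN marker to the END marker of each block.
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        "$in" > "$base.crt"
    # The key file is created under a restrictive umask, so it is never
    # readable by other users, not even between creation and the chmod.
    ( umask 077
      sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' \
          "$in" > "$base.key" )
    chmod 600 "$base.key"
    # A missing END marker makes sed copy to end of file; a missing BEGIN
    # marker yields an empty file. Both are rejected here.
    if ! grep -q '^-----END CERTIFICATE-----$' "$base.crt" \
       || ! grep -q '^-----END .*PRIVATE KEY-----$' "$base.key"; then
        echo "split_pem: $in does not contain both a certificate and a private key" >&2
        rm -f "$base.crt" "$base.key"
        return 2
    fi
}

# key_matches_cert CERT_FILE KEY_FILE
#   Returns 0 when the RSA modulus in the key equals the one in the
#   certificate, i.e. the key being deployed really belongs to the
#   certificate. Requires the openssl command line tool.
key_matches_cert() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2") || return 1
    [ "$crt_mod" = "$key_mod" ]
}
```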

(End of Exercise)

2.2 Import a Common Server Certificate for a Server

In this exercise, you use YaST to import a common server certificate for a server.

Objectives:
Task I: Generate a Server Certificate

Special Instructions and Notes:
A Certificate Authority must be configured to perform this exercise.
CA_PASSWD=
SERVER_FQDN=

Task I: Generate a Server Certificate

1. On the server, launch the YaST Common Server Certificate module:
   YaST > Security and Users > Common Server Certificate
2. In the File Name field, browse to or enter /tmp/SERVER_FQDN.p12
3. In the Password field, enter CA_PASSWD and then click Next
4. On the Certificate Has Been Imported pop-up window, click OK
5. Back on the Common Server Certificate screen, click Finish

(End of Exercise)

2.3 Create LDAP Groups and Users

In this exercise, you use the standard useradd/groupadd commands to create user and group accounts for the LDAP and Kerberos users in the LDAP directory. Because authentication for the Kerberos users will be handled by Kerberos, those users' passwords will be set to a non-valid password string in the LDAP directory. The LDAP users' passwords will be stored in the LDAP directory.

Objectives:
Task I: Create LDAP Groups
Task II: Create LDAP Users

Special Instructions and Notes:
The LDAP server must be configured before performing this exercise.
ADMIN_DN=
BASE_DN=

Task I: Create LDAP Groups

1. On the first LDAP server (DS1), if not already logged in as the root user, open a terminal window and enter su to become root.
2. Enter the following command to create the required LDAP group(s) in the LDAP directory:
   groupadd --service ldap --binddn ADMIN_DN,BASE_DN \
       -g 2000 ldapusers
3. To see that the group(s) were successfully created, enter the following command:
   getent group
   You should see the newly created group(s) in the list

Task II: Create LDAP Users

1. Enter the following commands to create the LDAP users:
   useradd --service ldap --binddn ADMIN_DN,BASE_DN \
       -m -d /home/ldapuser1 -g ldapusers -u 2001 ldapuser1
   useradd --service ldap --binddn ADMIN_DN,BASE_DN \
       -m -d /home/ldapuser2 -g ldapusers -u 2002 ldapuser2
   yast users edit type=ldap username=ldapuser1 password=linux

   yast users edit type=ldap username=ldapuser2 password=linux
2. To see that the user(s) were successfully created, enter the following command:
   getent passwd
   You should see the newly created user(s) in the list

(End of Exercise)

2.4 Configure an LDAP Client with YaST

In this exercise, you use the YaST LDAP Client module to configure Linux to authenticate against an OpenLDAP server.

Objectives:
Task I: Configure an LDAP Client

Special Instructions and Notes:
This is a special instruction needed to complete the exercise.
LDAP_SRVR_LIST=
BASE_DN=
ADMIN_DN=
ADMIN_DN_PASSWD=

Task I: Configure an LDAP Client

1. On Node1, launch the YaST LDAP Client module:
   YaST > Network Services > LDAP Client
2. Under User Authentication, select Use LDAP
3. In the LDAP Client section, in the Addresses of LDAP Servers field, enter LDAP_SRVR_LIST and then click Fetch DN
4. In the pop-up window showing the available DNs, select the Base DN created above and click OK
   Note: If you get a TLS error, click Advanced Configuration and in the Certificate Directory field enter: /etc/ssl/certs
   Click OK and then try clicking Fetch DN again
5. Ensure that only the following check boxes are selected:
   LDAP TLS/SSL
   Create Home Directory on Login
6. Click Advanced Configuration
7. Select the Administration Settings tab
8. In the Administrator DN field, enter ADMIN_DN and select the following check boxes:
   Append Base DN
   Home Directories on This Machine

9. When the values have been entered, click OK
10. Back on the LDAP Client Configuration screen, click OK to finish
11. If prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and click OK
12. (Optional) Log out and then try logging in with an LDAP user account

(End of Exercise)

Section 3 Configure a Kerberos Client

In this section you configure a Kerberos client.

3.1 Configure an NTP Client

In this exercise, you use the YaST NTP module to configure an NTP client.

Objectives:
Task I: Configure the NTP Clients

Special Instructions and Notes:
You may need to turn off or modify the firewall rules on the NTP server if its firewall is enabled.
NTP_SERVER_IP=

Task I: Configure the NTP Clients

1. On Node1, launch the NTP YaST module on the NTP clients:
   YaST > Network Services > NTP Configuration
2. Select Automatically Start NTP Daemon: During boot
   Click Continue if a warning window appears
3. Click Add, select Server as the type and then click Next
4. In the Address field, enter NTP_SERVER_IP and click Test
   A window stating "Server is reachable and responds properly." should appear. Click OK to dismiss the window.
   (If the server does not respond, don't worry at this point, because we will set the clock manually.)
5. Click OK and then OK to finish
6. Ensure the clocks are in sync manually by running the following:
   sntp -P no -r NTP_SERVER_IP
   Note: Running the following command displays information about the local clock relative to all NTP sources and can aid in troubleshooting NTP-related problems (Ctrl+C terminates the command):
   ntpq -p

(End of Exercise)

3.2 Create LDAP Group and Users for Kerberos

In this exercise, you use the standard useradd/groupadd commands to create user and group accounts for the Kerberos users in the LDAP directory. Because authentication for the Kerberos users will be handled by Kerberos, those users' passwords will be set to a non-valid password string in the LDAP directory.

Objectives:
Task I: Create an LDAP Group for Kerberos Users
Task II: Create LDAP Users for Kerberos

Special Instructions and Notes:
The LDAP server must be configured before performing this exercise.
ADMIN_DN=
BASE_DN=

Task I: Create an LDAP Group for Kerberos Users

1. On the first LDAP server (DS1), if not already logged in as the root user, open a terminal window and enter su to become root.
2. Enter the following command to create the required LDAP group(s) in the LDAP directory:
   groupadd --service ldap --binddn ADMIN_DN,BASE_DN \
       -g 3000 krb5users
3. To see that the group(s) were successfully created, enter the following command:
   getent group
   You should see the newly created group(s) in the list

Task II: Create LDAP Users for Kerberos

1. On the first LDAP server (DS1), enter the following commands to create the Kerberos users:
   useradd --service ldap --binddn ADMIN_DN,BASE_DN \
       -m -d /home/krb5user1 -p '!KRB5' \
       -g krb5users -u 3001 krb5user1
   useradd --service ldap --binddn ADMIN_DN,BASE_DN \
       -m -d /home/krb5user2 -p '!KRB5' \
       -g krb5users -u 3002 krb5user2

2. To see that the user(s) were successfully created, enter the following command:
   getent passwd
   You should see the newly created user(s) in the list

(End of Exercise)

3.3 Create Kerberos User Principals

In this exercise, you create user principals.

Objectives:
Task I: Create Kerberos User Principals

Special Instructions and Notes:
The Kerberos server must be configured before performing this exercise.
If you have more than one Kerberos server, you only need to do this on one of the servers.

Task I: Create Kerberos User Principals

1. On the first LDAP server (DS1), open a terminal window and, if not already logged in as the root user, enter su to become root.
2. Enter the following commands to create user principals for the Kerberos users:
   kadmin.local -q "addprinc -pw linux krb5user1"
   kadmin.local -q "addprinc -pw linux krb5user2"
3. Enter the following command to see that the user principals were created:
   kadmin.local -q listprincs
   You should see the newly added user principals in the list

(End of Exercise)

3.4 Configure a Kerberos Client with YaST

In this exercise, you use the YaST Kerberos Client module to configure a Kerberos client.

Objectives:
Task I: Configure the Kerberos Client

Special Instructions and Notes:
A Kerberos server must be configured before performing the exercise.
Use the following value(s) in this exercise:
KRB5_REALM=
BASE_DN=
DNS_DOMAIN=
KRB5_SRVR_LIST=

Task I: Configure the Kerberos Client

1. On Node1, launch the YaST Kerberos Client module:
   YaST > Network Services > Kerberos Client
2. Select Use Kerberos
3. Under Basic Kerberos Settings, enter the following values in the fields. If a value is not provided, leave the default value in the field.
   Default Domain = DNS_DOMAIN
   Default Realm = KRB5_REALM
   KDC Server Address = KRB5_SRVR_LIST
4. Click Advanced Settings
5. On the Advanced Kerberos Client Configuration screen, on the PAM Settings tab, select Kerberos Support for OpenSSH Client and then click OK
6. Back on the Kerberos Client Configuration screen, click OK
7. To verify the configuration, enter the following command at the command line:
   less /etc/krb5.conf
   You should see a section named KRB5_REALM that contains all of the Kerberos configuration from above.
8. (Optional) Log out and then try logging in with a Kerberos user account

(End of Exercise)

3.5 Configure pam to Use Both Kerberos and LDAP

In this exercise, you edit the common-* pam configuration files to allow both Kerberos and LDAP authentication.

Objectives:
Option I: Configure pam with pam-config
Option II: Edit the pam Configuration Files

Special Instructions and Notes:
(none)

Option I: Configure pam with pam-config

1. On Node1, log in as the root user and open a terminal window
2. Enter the following command to view the current pam common-* files:
   cat /etc/pam.d/common-{auth,password,session}
   You should see the three files concatenated together on the screen (each file begins with #%PAM-1.0)
3. Enter the following command to add ldap as an authentication source:
   pam-config --add --ldap
4. Enter the following command again to view the modified files:
   cat /etc/pam.d/common-{auth,password,session}
   Compare the previous output with the current output to see the changes
5. Repeat this task on any other machines on which you wish to use both LDAP and Kerberos authentication

Option II: Edit the pam Configuration Files

WARNING: It is always a good idea to leave yourself logged in as the root user on some other terminal when editing and testing pam configuration!

1. On Node1, log in as the root user and, in the text editor of your choice, open the /etc/pam.d/common-auth file to be edited
2. Add the following line after the pam_krb5.so line:
   auth sufficient pam_ldap.so use_first_pass
3. Save the file
4. Open the /etc/pam.d/common-password file to be edited

5. Add the following line after the pam_krb5.so line:
   password sufficient pam_ldap.so use_authtok nullok
6. Save the file
7. Open the /etc/pam.d/common-session file to be edited
8. Add the following line after the pam_krb5.so line:
   session optional pam_ldap.so
9. Save the file and close the text editor
10. Repeat this task on any other machines on which you wish to use both LDAP and Kerberos authentication

(End of Exercise)
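Added example, not from the manual: POSIX shell functions that make the three edits of Option II idempotently. Each pam_ldap.so line is inserted directly after the pam_krb5.so line of the same module type, only once, a file with no pam_krb5.so line to anchor on is refused rather than guessed at, and a .pre-ldap copy of each file is kept for rollback from the root shell the WARNING above tells you to keep open. The directory argument exists so the functions can be tried on a copy of /etc/pam.d first; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the lab manual.

# add_pam_ldap_line FILE "TYPE CONTROL pam_ldap.so [ARGS]"
#   Inserts the line after the first pam_krb5.so line of the same module type
#   (auth, password or session) in FILE, once only.
#   Returns 0 if the line is present afterwards (inserted now or already
#   there), 1 if FILE is unreadable, 2 if FILE has no matching pam_krb5.so line.
add_pam_ldap_line() {
    file="$1"
    line="$2"
    mtype="${line%% *}"       # first word of the line is the module type
    [ -r "$file" ] || { echo "add_pam_ldap_line: cannot read $file" >&2; return 1; }
    # Already configured for this module type: nothing to do (idempotent).
    if grep -Eq "^[[:space:]]*$mtype[[:space:]].*pam_ldap\.so" "$file"; then
        return 0
    fi
    if ! grep -Eq "^[[:space:]]*$mtype[[:space:]].*pam_krb5\.so" "$file"; then
        echo "add_pam_ldap_line: no $mtype pam_krb5.so line in $file, not editing" >&2
        return 2
    fi
    # Keep an untouched copy the first time the file is changed.
    [ -e "$file.pre-ldap" ] || cp -p "$file" "$file.pre-ldap"
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v add="$line" -v mtype="$mtype" '
        { print }
        !done && $1 == mtype && /pam_krb5\.so/ { print add; done = 1 }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy the content back into the original file so its owner and mode
    # (which PAM relies on) are preserved, then drop the temporary file.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# configure_pam_ldap [PAM_DIR]
#   Applies the three lines from Option II to PAM_DIR (default /etc/pam.d).
#   Stops at the first file that cannot be edited and returns its status.
configure_pam_ldap() {
    dir="${1:-/etc/pam.d}"
    add_pam_ldap_line "$dir/common-auth" \
        "auth sufficient pam_ldap.so use_first_pass" || return $?
    add_pam_ldap_line "$dir/common-password" \
        "password sufficient pam_ldap.so use_authtok nullok" || return $?
    add_pam_ldap_line "$dir/common-session" \
        "session optional pam_ldap.so"
}
```

To rehearse before touching the live stack: `cp -a /etc/pam.d /tmp/pam.d && configure_pam_ldap /tmp/pam.d && diff -r /etc/pam.d /tmp/pam.d`.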

Section 4 Configure SSH to Use Kerberos

In this section you configure SSH to use Kerberos tickets for authentication.

4.1 Generate Host Principals and Keytabs for the Kerberos Servers

In this exercise, you generate host principals and keytabs for the Kerberos servers.

Objectives:
Task I: Create the Kerberos Host Principals
Task II: Generate the Kerberos Keytabs

Special Instructions and Notes:
(none)

Task I: Create the Kerberos Host Principals

In order to support Kerberos authentication for services such as SSH, Kerberos host and service principals must be generated for, and stored in a keytab file on, each machine.

1. Log into the first Kerberos server (DS1) as the root user and enter the following commands to create a host principal for each of the Kerberos servers:
   kadmin.local -q "addprinc -randkey host/ds1"
   kadmin.local -q "addprinc -randkey host/ds2"

Task II: Generate the Kerberos Keytabs

1. On the first Kerberos server (DS1), enter the following command to create a keytab file for that server and add its host principal to that keytab:
   kadmin.local -q "ktadd -k /etc/krb5.keytab host/ds1"
2. On the first Kerberos server (DS1), enter the following command to set the proper permissions on the keytab:
   chmod 600 /etc/krb5.keytab
3. On the first Kerberos server (DS1), enter the following command to see that the host principal was added to the keytab:
   echo -e "rkt /etc/krb5.keytab\nlist" | ktutil
   You should see the principal listed at least once in the list
4. Log into the second Kerberos server (DS2) and enter the following command to create a keytab file for that server and add its host principal to that keytab:
5. kadmin.local -q "ktadd -k /etc/krb5.keytab host/ds2"
6. On the second Kerberos server (DS2), enter the following command to set the

57 Configure SSH to Use Kerberos proper permissions on the copied keytab: chmod 600 /etc/krb5.keytab 7. On the second Kerberos server (DS2) enter the following command to see that the host principal was added to the keytab: echo -e rkt /etc/krb5.keytab \n list ktutil You should see the principal listed at least once in the list (End of Exercise) Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call PIRATES 57

4.2 Generate Host Principals and Keytabs for an SSH Server

In this exercise, you generate a host principal and keytab for an SSH server.

Objectives:
  Task I: Generate the Kerberos Host Principal
  Task II: Generate the Kerberos Keytabs
  Task III: Copy the Keytab to the SSH Server

Special Instructions and Notes:
Use the following values in this exercise:
  SSH_HOSTNAME=

Task I: Generate the Kerberos Host Principal

In order to support Kerberos authentication using services such as SSH, Kerberos host and service principals must be generated for each machine and stored in a keytab file on that machine.

1. Log into the first Kerberos server (DS1) as the root user and enter the following command to create a host principal for the SSH server:

   kadmin.local -q "addprinc -randkey host/SSH_HOSTNAME"

Task II: Generate the Kerberos Keytabs

1. Enter the following command to create a keytab file for the SSH server and add the host principal to that keytab:

   kadmin.local -q "ktadd -k /var/lib/serverkeys/SSH_HOSTNAME.keytab host/SSH_HOSTNAME"

Task III: Copy the Keytab to the SSH Server

1. Enter the following command to copy the new keytab to the SSH server (the command is a single line with no line wraps):

   scp /var/lib/serverkeys/SSH_HOSTNAME.keytab SSH_HOSTNAME:/etc/krb5.keytab

2. Enter the following command to set the proper permissions on the copied keytab:

   ssh SSH_HOSTNAME chmod 600 /etc/krb5.keytab

3. On the SSH server, enter the following command to see that the host principal was added to the keytab:

   echo -e "rkt /etc/krb5.keytab \n list" | ktutil

   You should see the principal listed at least once in the list.

(End of Exercise)

4.3 Configure SSH on the Kerberos Servers to Use Kerberos Authentication

In this exercise, you configure the SSH daemon on the Kerberos servers to use Kerberos authentication.

Objectives:
  Task I: Configure the SSH Daemon for Kerberos
  Task II: Test SSH Kerberos Authentication

Special Instructions and Notes:
A Kerberos server and the Kerberos client must be configured before performing the exercise.

Task I: Configure the SSH Daemon for Kerberos

1. On the first Kerberos server (DS1), while logged in as the root user, open the /etc/ssh/sshd_config file in the text editor of your choice
2. Locate, uncomment and edit the following two GSSAPI lines as follows:

   GSSAPIAuthentication yes
   GSSAPICleanupCredentials yes

3. Save the file and close the text editor
4. Enter the following command to restart the SSH daemon:

   rcsshd restart

5. Repeat this task on the second Kerberos server (DS2)

Task II: Test SSH Kerberos Authentication

1. Log into the first Kerberos server (DS1) as the krb5user1 user
2. Enter the following command to connect to the other Kerberos server (DS2) via ssh:

   ssh ds2

   If prompted to accept the other server's host key, enter yes
   You should be connected without being asked to provide a password

(End of Exercise)

4.4 Configure SSH to Use Kerberos Authentication

In this exercise, you configure the SSH daemon to use Kerberos authentication.

Objectives:
  Task I: Configure the SSH Daemon for Kerberos
  Task II: Test SSH Kerberos Authentication

Special Instructions and Notes:
A Kerberos server and the Kerberos client must be configured before performing the exercise.
Use the following value(s) in this exercise:
  SSH_HOSTNAME=

Task I: Configure the SSH Daemon for Kerberos

1. On the SSH server, while logged in as the root user, open the /etc/ssh/sshd_config file in the text editor of your choice
2. Locate, uncomment and edit the following two GSSAPI lines as follows:

   GSSAPIAuthentication yes
   GSSAPICleanupCredentials yes

3. Save the file and close the text editor
4. Enter the following command to restart the SSH daemon:

   rcsshd restart

5. If you created keytabs for other servers, repeat this task on those servers

Task II: Test SSH Kerberos Authentication

1. Log into one of the other machines that has been configured as a Kerberos client as the krb5user1 user
2. Enter the following command to connect to the SSH server via ssh:

   ssh SSH_HOSTNAME

   If prompted to accept the other server's host key, enter yes
   You should be connected without being asked to provide a password

(End of Exercise)


Section 5: Configure NFSv4

Section Description goes here.

5.1 Configure an NTP Client on the NFS Server

In this exercise you use the YaST NTP module to configure an NTP client.

Objectives:
  Task I: Configure the NTP Client

Special Instructions and Notes:
You may need to turn off or modify the firewall rules on the NTP server if its firewall is enabled.
  NTP_SERVER_IP=

Task I: Configure the NTP Client

1. On the NFS server (storage1), launch the YaST NTP module:
   YaST > Network Services > NTP Configuration
2. For Automatically Start NTP Daemon, select During boot
   Click Continue if a warning window appears
3. Click Add, select Server as the type and then click Next
4. In the Address field, enter NTP_SERVER_IP and click Test
   A window stating "Server is reachable and responds properly." should appear. Click OK to dismiss the window. (If the server does not respond, don't worry at this point, because you will set the clock manually.)
5. Click OK and then OK again to finish
6. Make sure the clocks are in sync by running the following command manually:

   sntp -P no -r NTP_SERVER_IP

   Note: The following command displays information about the local clock relative to all NTP sources and can aid in troubleshooting NTP-related problems (Ctrl+C terminates the command):

   ntpq -p

(End of Exercise)

5.2 Generate an SSL Server Certificate for Another Server

In this exercise, you use YaST to generate a server certificate for another server. You then export the certificate and key to a text file and split the certificate and key into separate files.

Objectives:
  Task I: Generate a Server Certificate
  Task II: Export the Server Certificate in PKCS12 Format
  Task III: Export the Server Certificate in PEM Format
  Task IV: Copy the Cert and Key Files to the Other Server
  Task V: Replicate the Changes to the CA to Another Server

Special Instructions and Notes:
A Certificate Authority must be configured to perform this exercise.
  CA_PASSWD=
  SERVER_FQDN=
  SERVER_IP=
  CRT_ =
  CRT_FILENAME=
  DS2_IP=

Task I: Generate a Server Certificate

1. On the first LDAP server (DS1), launch the YaST CA Management module:
   YaST > Security and Users > CA Management
2. From the CA Tree list, select your CA and click Enter CA
3. When prompted for the CA password, enter CA_PASSWD
4. On the Certificate Authority (CA) screen, select the Certificates tab
5. On the Certificates tab, from the Add drop-down list, select Add Server Certificate
6. Use the following values to fill in the fields on the Create New Server Certificate (step 1/3) screen. If a value is not provided, leave the default value in the field.
   NOTE: The common name should be the fully qualified domain name that will be used to access the server.
     Common Name = SERVER_FQDN
     E-Mail Addresses = CRT_
   TIP: For the e-mail address, enter the value in the field below the E-Mail Addresses list and click Add
7. When the values have been entered, click Next
8. On the Create New Server Certificate (step 2/3) screen, select the Use CA Password as Certificate Password check box
9. Fill in the rest of the fields using the following values:
     Key Length (bit) = 2048
     Valid Period (days) =
10. When the values have been entered, click Next
11. On the Create New Server Certificate (step 3/3) screen, verify that the values are correct and then click Create
    You should see the newly created server certificate in the certificates list, and it should be listed as valid.

Task II: Export the Server Certificate in PKCS12 Format

1. On the Certificates tab of the Certificate Authority (CA) screen, select the newly generated certificate from the list of certificates
2. From the Export drop-down list, select Export to File
3. On the Export to File pop-up window, select Certificate and the Key Unencrypted in PKCS12 Format
4. In the Certificate Password field, type CA_PASSWD
5. In the New Password and Verify Password fields, enter CA_PASSWD
6. In the File Name field, type /var/lib/serverkeys/SERVER_FQDN.p12
7. Click OK to export the certificate to a file
   You should have a new file named SERVER_FQDN.p12 in /var/lib/serverkeys that contains both the certificate and the key.

Task III: Export the Server Certificate in PEM Format

1. On the Certificates tab of the Certificate Authority (CA) screen, select the newly generated certificate from the list of certificates
2. From the Export drop-down list, select Export to File
3. On the Export to File pop-up window, select Certificate and the Key Unencrypted in PEM Format
4. In the Certificate Password field, type CA_PASSWD
5. In the File Name field, type /var/lib/serverkeys/CRT_FILENAME
6. Click OK to export the certificate to a file
   You should have a new text file named CRT_FILENAME in /var/lib/serverkeys that contains both the certificate and the key.
7. Applications often want the certificate and key in different files. To split them, open the /var/lib/serverkeys/CRT_FILENAME file in the text editor of your choice.
8. Select the section of the file beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----
9. Copy this section and paste it into another, empty file named /var/lib/serverkeys/SERVER_FQDN.crt
10. Save the SERVER_FQDN.crt file
11. Select the section of the file beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----
12. Copy this section and paste it into another, empty file named /var/lib/serverkeys/SERVER_FQDN.key
13. Save the SERVER_FQDN.key file.
14. Close the text editor.
15. You should now have a file named CRT_FILENAME, ending in a .pem extension, that contains both the certificate and the key; a second file named SERVER_FQDN.crt that contains only the certificate; and a third file named SERVER_FQDN.key that contains only the key.

Task IV: Copy the Cert and Key Files to the Other Server

1. Copy the server cert and key to the other server:

   scp /var/lib/serverkeys/SERVER_FQDN.* root@SERVER_IP:/tmp/

2. Log into the other server as root and verify that the files were copied into /tmp/

Task V: Replicate the Changes to the CA to Another Server

1. On the first LDAP server (DS1), while logged in as the root user, open a terminal window and enter one of the following commands:
   If csync2 IS configured:

     csync2 -xv

   If csync2 is NOT configured:

     rsync -a /var/lib/cam/ root@DS2_IP:/var/lib/cam/
     rsync -a /var/lib/serverkeys/ root@DS2_IP:/var/lib/serverkeys/

   When prompted, enter the root password

(End of Exercise)
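Steps 7 to 14 of Task III split the PEM export by hand. The following shell script is an added example, not part of the Novell lab manual: it performs the same split with awk, and creates the .key file with mode 0600 so the private key is never left world-readable in /var/lib/serverkeys. It accepts the "RSA PRIVATE KEY" header shown in the lab as well as the PKCS#8 "PRIVATE KEY" and "EC PRIVATE KEY" headers (a generalisation of the lab's case), and it collects every certificate block it finds, so a file that also carries the CA chain yields a complete .crt. The sample PEM in the usage note is constructed (its body lines are not real base64).

```shell
#!/bin/sh
# Added example (not from the lab manual): split a PEM file that holds the
# certificate and private key into SERVER.crt and SERVER.key.

# pem_count FILE TYPE: number of "-----BEGIN ...TYPE-----" blocks in FILE
pem_count() {
    grep -c "^-----BEGIN .*$2-----$" "$1" || true   # grep exits 1 on zero matches
}

# split_pem IN OUTCRT OUTKEY
split_pem() {
    in=$1; crt=$2; key=$3
    [ -r "$in" ] || { echo "split_pem: cannot read $in" >&2; return 1; }
    : > "$crt"
    # Create the key file with restrictive permissions before any key bytes land in it
    (umask 077; : > "$key") && chmod 600 "$key"
    awk -v crt="$crt" -v key="$key" '
        /^-----BEGIN CERTIFICATE-----$/            { out = crt }
        /^-----BEGIN (RSA |EC )?PRIVATE KEY-----$/ { out = key }
        out != ""                                  { print >> out }
        /^-----END /                               { out = "" }
    ' "$in"
    # Sanity checks: exactly one private key and at least one certificate
    [ "$(pem_count "$key" 'PRIVATE KEY')" -eq 1 ] ||
        { echo "split_pem: expected exactly one private key in $in" >&2; return 1; }
    [ "$(pem_count "$crt" CERTIFICATE)" -ge 1 ] ||
        { echo "split_pem: no certificate found in $in" >&2; return 1; }
}

# Usage, with the lab's placeholder names (SERVER_FQDN, CRT_FILENAME):
#   split_pem /var/lib/serverkeys/CRT_FILENAME \
#             /var/lib/serverkeys/SERVER_FQDN.crt /var/lib/serverkeys/SERVER_FQDN.key
```

To try it without a real export, write a constructed PEM such as a `-----BEGIN CERTIFICATE-----` block followed by a `-----BEGIN RSA PRIVATE KEY-----` block into a temporary file and run `split_pem` on it; `ls -l` on the .key output should show `-rw-------`.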

5.3 Import a Common Server Certificate for a Server

In this exercise, you use YaST to import a common server certificate for a server.

Objectives:
  Task I: Generate a Server Certificate

Special Instructions and Notes:
A Certificate Authority must be configured to perform this exercise.
  CA_PASSWD=
  SERVER_FQDN=

Task I: Generate a Server Certificate

1. On the server, launch the YaST Common Server Certificate module:
   YaST > Security and Users > Common Server Certificate
2. In the File Name field, browse to or enter /tmp/SERVER_FQDN.p12
3. In the Password field, enter CA_PASSWD and then click Next
4. On the Certificate Has Been Imported pop-up window, click OK
5. Back on the Common Server Certificate screen, click Finish

(End of Exercise)

5.4 Configure an LDAP Client with YaST

In this exercise, you use the YaST LDAP Client module to configure Linux to authenticate against an OpenLDAP server.

Objectives:
  Task I: Configure an LDAP Client

Special Instructions and Notes:
This is a special instruction needed to complete the exercise.
  DS1_IP=
  BASE_DN=
  ADMIN_DN=
  ADMIN_DN_PASSWD=

Task I: Configure an LDAP Client

1. On the NFS server (storage1), launch the YaST LDAP Client module:
   YaST > Network Services > LDAP Client
2. Under User Authentication, select Use LDAP
3. In the LDAP Client section, in the Addresses of LDAP Servers field, enter DS1_IP and click Fetch DN
4. In the pop-up window showing the available DNs, select the Base DN created above and click OK
5. Ensure that only the following check boxes are selected:
     LDAP TLS/SSL
     Create Home Directory on Login
6. Click Advanced Configuration
7. Select the Administration Settings tab
8. In the Administrator DN field, enter ADMIN_DN and select the following check boxes:
     Append Base DN
     Home Directories on This Machine
9. When the values have been entered, click OK
10. Back on the LDAP Client Configuration screen, click OK to finish
11. If prompted for the LDAP Server Password, enter ADMIN_DN_PASSWD and click OK
12. (Optional) Log out and then try logging in with an LDAP user account

(End of Exercise)

5.5 Configure a Kerberos Client with YaST

In this exercise, you use the YaST Kerberos Client module to configure a Kerberos client.

Objectives:
  Task I: Configure the Kerberos Client

Special Instructions and Notes:
A Kerberos server must be configured before performing the exercise.
Use the following value(s) in this exercise:
  KRB5_REALM=
  BASE_DN=
  DNS_DOMAIN=
  DS1_IP=

Task I: Configure the Kerberos Client

1. On the NFS server (storage1), launch the YaST Kerberos Client module:
   YaST > Network Services > Kerberos Client
2. Select Use Kerberos
3. Under Basic Kerberos Settings, enter the following values in the fields. If a value is not provided, leave the default value in the field.
     Default Domain = DNS_DOMAIN
     Default Realm = KRB5_REALM
     KDC Server Address = DS1_IP
4. Click Advanced Settings
5. On the Advanced Kerberos Client Configuration screen, on the PAM Settings tab, select Kerberos Support for OpenSSH Client and then click OK
6. Back on the Kerberos Client Configuration screen, click OK
7. To verify the configuration, enter the following command at the command line:

   less /etc/krb5.conf

   You should see a section named KRB5_REALM that contains all of the Kerberos configuration from above.
8. (Optional) Log out and then try logging in with a Kerberos user account

(End of Exercise)

5.6 Configure PAM to Use Both Kerberos and LDAP

In this exercise you edit the common-* PAM configuration files to allow both Kerberos and LDAP authentication.

Objectives:
  Option I: Configure PAM with pam-config
  Option II: Edit the PAM Configuration Files

Special Instructions and Notes: (none)

Option I: Configure PAM with pam-config

1. On Node1, log in as the root user and open a terminal window
2. Enter the following command to view the current PAM common-* files:

   cat /etc/pam.d/common-{auth,password,session}

   You should see the three files concatenated together on the screen (each file begins with #%PAM-1.0)
3. Enter the following command to add LDAP as an authentication source:

   pam-config --add --ldap

4. Enter the following command again to view the modified files:

   cat /etc/pam.d/common-{auth,password,session}

   Compare the previous output with the current output to see the changes
5. Repeat this task on any other machines on which you wish to use both LDAP and Kerberos authentication

Option II: Edit the PAM Configuration Files

WARNING: It is always a good idea to leave yourself logged in as the root user on some other terminal when editing and testing PAM configuration!

1. On Node1, log in as the root user and open the /etc/pam.d/common-auth file in the text editor of your choice
2. Add the following line after the pam_krb5.so line:

   auth sufficient pam_ldap.so use_first_pass

3. Save the file
4. Open the /etc/pam.d/common-password file to be edited
5. Add the following line after the pam_krb5.so line:

   password sufficient pam_ldap.so use_authtok nullok

6. Save the file
7. Open the /etc/pam.d/common-session file to be edited
8. Add the following line after the pam_krb5.so line:

   session optional pam_ldap.so

9. Save the file and close the text editor
10. Repeat this task on any other machines on which you wish to use both LDAP and Kerberos authentication

(End of Exercise)
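Option II places each pam_ldap.so line directly after the pam_krb5.so line of the same stack; where that line ends up matters, because PAM evaluates the stack in order. The following shell script is an added example, not part of the Novell lab manual: it makes the three edits of Option II idempotently, refuses to touch a file that has no pam_krb5.so line in the stack (so no LDAP line is ever added in an unreviewed position), and prints the resulting module order so it can be checked from the root shell you kept open before logging out. The directory argument defaults to /etc/pam.d; the common-* contents used in the test are constructed and only resemble a SUSE layout.

```shell
#!/bin/sh
# Added example (not from the lab manual): insert pam_ldap.so after pam_krb5.so
# in the common-* files and show the resulting stack order.

# pam_stack FILE TYPE: modules for TYPE (auth/password/session) in stack order
pam_stack() {
    awk -v t="$2" '
        !/^[[:space:]]*#/ && $1 == t { printf "%s%s", sep, $3; sep = " " }
        END { print "" }' "$1"
}

# pam_add_after_krb5 FILE TYPE CONTROL MODULE [ARGS]
# Adds "TYPE CONTROL MODULE ARGS" after the first live TYPE line using pam_krb5.so.
# Idempotent: if MODULE is already in the TYPE stack the file is left alone.
# Returns 1 and leaves the file untouched when no pam_krb5.so line exists.
pam_add_after_krb5() {
    f=$1; t=$2; ctl=$3; mod=$4; args=${5:-}
    if pam_stack "$f" "$t" | tr ' ' '\n' | grep -Fqx "$mod"; then
        return 0                                    # already configured
    fi
    awk -v t="$t" '!/^[[:space:]]*#/ && $1 == t && $3 == "pam_krb5.so" { ok = 1 }
                   END { exit ok ? 0 : 1 }' "$f" ||
        { echo "pam_add_after_krb5: no $t pam_krb5.so line in $f" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v t="$t" -v line="$t    $ctl    $mod${args:+ $args}" '
        { print }
        !done && !/^[[:space:]]*#/ && $1 == t && $3 == "pam_krb5.so" { print line; done = 1 }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# pam_enable_ldap_after_krb5 [DIR]: the three edits of Option II against DIR/common-*
pam_enable_ldap_after_krb5() {
    d=${1:-/etc/pam.d}
    pam_add_after_krb5 "$d/common-auth"     auth     sufficient pam_ldap.so use_first_pass &&
    pam_add_after_krb5 "$d/common-password" password sufficient pam_ldap.so "use_authtok nullok" &&
    pam_add_after_krb5 "$d/common-session"  session  optional   pam_ldap.so
}

# Show the resulting order, e.g.: pam_stack /etc/pam.d/common-auth auth
```

Running `pam_stack /etc/pam.d/common-auth auth` before and after the edit gives the same comparison as the two `cat` commands in Option I, reduced to the module names in the order PAM will try them.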

5.7 Generate a Host Principal and Keytab for an NFS Server

In this exercise, you generate a host principal and keytab for an NFS server.

Objectives:
  Task I: Generate the Kerberos Keytabs

Special Instructions and Notes:
Use the following values in this exercise:
  NFS_HOSTNAME=

Task I: Generate the Kerberos Keytabs

In order to support Kerberos authentication using services such as SSH and NFSv4, Kerberos host and service principals must be generated for each node and stored in a keytab file on that node.

1. Log into the first Kerberos server (DS1) as the root user and enter the following commands to create a host principal and an NFS service principal for the NFS server:

   kadmin.local -q "addprinc -randkey host/NFS_HOSTNAME"
   kadmin.local -q "addprinc -randkey nfs/NFS_HOSTNAME"

2. Enter the following commands to create a keytab file for the NFS server and add both principals to that keytab:

   kadmin.local -q "ktadd -k /var/lib/serverkeys/NFS_HOSTNAME.keytab host/NFS_HOSTNAME"
   kadmin.local -q "ktadd -k /var/lib/serverkeys/NFS_HOSTNAME.keytab nfs/NFS_HOSTNAME"

3. Enter the following command to copy the new keytab to the NFS server (the command is a single line with no line wraps):

   scp /var/lib/serverkeys/NFS_HOSTNAME.keytab NFS_HOSTNAME:/etc/krb5.keytab

4. Enter the following command to set the proper permissions on the copied keytab:

   ssh NFS_HOSTNAME chmod 600 /etc/krb5.keytab

5. On the NFS server (storage1), enter the following command to see that the host principal was added to the keytab:

   echo -e "rkt /etc/krb5.keytab \n list" | ktutil

   You should see the principal listed at least once in the list.

(End of Exercise)
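Exercises 4.1, 4.2 and 5.7 all end the same way: a keytab is placed in /etc/krb5.keytab, made mode 600, and listed to confirm the expected principal is present. The following shell script is an added example, not part of the Novell lab manual: it turns that final check into two functions that can be run after the copy step, one for the permissions and one that searches a keytab listing (the output of either `klist -k` or ktutil's `list`) for a principal, with or without the @REALM suffix. The sample listings embedded below are constructed; the realm EXAMPLE.COM and the host names are made up to match the lab's ds1 and storage1 principals.

```shell
#!/bin/sh
# Added example (not from the lab manual): verify a host keytab's permissions
# and check that a given principal was added to it.

# keytab_perms_ok FILE: 0 if FILE is mode 0600 (readable only by its owner, which should be root)
keytab_perms_ok() {
    perm=$(ls -ld "$1" | cut -c1-10)
    [ "$perm" = "-rw-------" ]
}

# keytab_has_principal LISTING PRINCIPAL
# LISTING is the text of a keytab listing. Data rows of both "klist -k" and
# ktutil's "list" start with an integer (KVNO or slot number) and end with the
# principal, so only those rows are examined. If PRINCIPAL carries no @REALM
# the realm is ignored in the comparison.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ {
            name = $NF
            if (index(want, "@") == 0) sub(/@.*$/, "", name)
            if (name == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_host_keytab FILE PRINCIPAL: the combined check for the target machine
# (needs a real keytab and the klist command on that host).
check_host_keytab() {
    keytab_perms_ok "$1" || { echo "$1: permissions are not 0600" >&2; return 1; }
    listing=$(klist -k "$1") || return 1
    keytab_has_principal "$listing" "$2" || { echo "$1: $2 not in keytab" >&2; return 1; }
    echo "$1: ok ($2 present, mode 0600)"
}

# Constructed sample of "klist -k /etc/krb5.keytab" output (realm and hosts made up):
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ds1@EXAMPLE.COM
   2 nfs/storage1@EXAMPLE.COM'

# Constructed sample of ktutil output for "rkt /etc/krb5.keytab" followed by "list":
SAMPLE_KTUTIL='ktutil:  slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2             host/ds1@EXAMPLE.COM
ktutil:  '

# On a machine that has the lab keytab, check it for this host's principal:
if [ -r /etc/krb5.keytab ] && command -v klist >/dev/null 2>&1; then
    check_host_keytab /etc/krb5.keytab "host/$(hostname)"
fi
```

On the NFS server the same check should be repeated for the `nfs/NFS_HOSTNAME` principal, since the NFSv4 GSS exports in exercise 5.9 rely on that service principal rather than the host principal.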

5.8 Configure SSH to Use Kerberos Authentication

In this exercise, you configure the SSH daemon to use Kerberos authentication.

Objectives:
  Task I: Configure the SSH Daemon for Kerberos
  Task II: Test SSH Kerberos Authentication

Special Instructions and Notes:
A Kerberos server and the Kerberos client must be configured before performing the exercise.

Task I: Configure the SSH Daemon for Kerberos on the NFS Server

1. On the NFS server (storage1), while logged in as the root user, open the /etc/ssh/sshd_config file in the text editor of your choice
2. Locate, uncomment and edit the following two GSSAPI lines as follows:

   GSSAPIAuthentication yes
   GSSAPICleanupCredentials yes

3. Save the file and close the text editor
4. Enter the following command to restart the SSH daemon:

   rcsshd restart

Task II: Test SSH Kerberos Authentication

1. Log into one of the other machines that has been configured as a Kerberos client as the krb5user1 user
2. Enter the following command to connect to the storage1 server via ssh:

   ssh storage1

   If prompted to accept the other server's host key, enter yes
   You should be connected without being asked to provide a password

(End of Exercise)
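Exercises 4.3, 4.4 and 5.8 each uncomment and set the same two GSSAPI lines in sshd_config. One detail the manual edit can miss is that sshd uses the first uncommented occurrence of a keyword, so a live "GSSAPIAuthentication no" left higher in the file would quietly override the line you edited. The following shell script is an added example, not part of the Novell lab manual: it sets both keywords to yes in place (rewriting the first commented template line or live setting, dropping later live duplicates, appending if the keyword is absent) and reads back the value sshd will actually use. The sshd_config excerpt in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the lab manual): enable the GSSAPI settings in an
# sshd_config file and report the effective value of a keyword.

# sshd_effective CONFIG KEYWORD: value sshd uses (first uncommented match, case-insensitive)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# sshd_set_yes CONFIG KEYWORD: force "KEYWORD yes".
# The first line carrying "KEYWORD yes|no" (commented out or live) becomes
# "KEYWORD yes"; later live duplicates are dropped so nothing else can win;
# later commented copies are kept; if the keyword is absent it is appended.
sshd_set_yes() {
    cfg=$1; key=$2
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v lkey="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            commented = (line ~ /^[[:space:]]*#/)
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
            if (tolower(line) ~ "^" lkey "[[:space:]]+(yes|no)[[:space:]]*$") {
                if (!done) { print key " yes"; done = 1 }
                else if (commented) print
                next
            }
            print
        }
        END { if (!done) print key " yes" }' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# enable_sshd_gssapi CONFIG: the two settings the exercise asks for
enable_sshd_gssapi() {
    sshd_set_yes "$1" GSSAPIAuthentication &&
    sshd_set_yes "$1" GSSAPICleanupCredentials
}

# Usage on the server (as root):
#   enable_sshd_gssapi /etc/ssh/sshd_config && sshd -t && rcsshd restart
```

The `sshd -t` in the usage line is OpenSSH's configuration test mode; running it before `rcsshd restart` avoids restarting into a broken configuration and losing the session you are editing from.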

5.9 Configure an NFSv4 Server with GSSAPI

In this exercise, you configure an NFSv4 server with GSSAPI security.

Objectives:
  Task I: Configure the NFS Server

Special Instructions and Notes:
Use the following value(s) in this exercise:
  DNS_DOMAIN=

Task I: Configure the NFS Server

1. On the NFS server (storage1), as the root user, enter the following command to create the directory to export via NFS:

   mkdir -p /export

2. Launch the YaST NFS Server module:
   YaST > Network Services > NFS Server
3. On the NFS Server Configuration screen, in the NFS Server section, select Start; in the Enable NFSv4 section, select the Enable NFSv4 check box and enter DNS_DOMAIN as the NFSv4 domain; select the Enable GSS Security check box; then click Next
4. On the Directories to Export screen, add a directory using the following values and then click OK:
     Directory: /export
     Host Wild Card: *
     Options: fsid=0,crossmnt,rw,no_root_squash,sync,no_subtree_check,insecure
   Note: This exports the directory with no security
5. While still on the Directories to Export screen, click Add Host, use the following values and then click OK:
     Directory: /export
     Host Wild Card: gss/krb5
     Options: fsid=0,crossmnt,rw,no_root_squash,sync,no_subtree_check,insecure
   Note: This exports the directory with krb5 (authentication only) security
6. On the Directories to Export screen, add a directory using the following values and then click OK:
     Directory: /export
     Host Wild Card: gss/krb5i
     Options: fsid=0,crossmnt,rw,no_root_squash,sync,no_subtree_check,insecure
   Note: This exports the directory with krb5 integrity protection
7. On the Directories to Export screen, add a directory using the following values and then click OK:
     Directory: /export
     Host Wild Card: gss/krb5p
     Options: fsid=0,crossmnt,rw,no_root_squash,sync,no_subtree_check,insecure
   Note: This exports the directory with krb5 privacy protection
8. When finished adding the directories, click Finish
   If you get an error about the nfsserver not being able to restart until a reboot, click OK and then reboot the NFS server

(End of Exercise)

5.10 Configure an NFSv4 Client with GSSAPI Security

In this exercise you configure an NFSv4 client to connect to an NFSv4 server using GSSAPI security.

Objectives:
  Task I: Configure an NFS Client for GSSAPI Security
  Task II: Enable GSS Security for the NFS Client

Special Instructions and Notes:
The NFS client machine must have the Kerberos client and NTP time synchronization configured before performing this exercise.
Use the following value(s) in this exercise:
  DNS_DOMAIN=
  NFS_SERVER=

Task I: Configure an NFS Client for GSSAPI Security

1. On the NFS client (Node1), launch the YaST NFS Client module:
   YaST > Network Services > NFS Client
2. On the NFS Settings tab, enter/select the following:
     Enable NFSv4: (checked)
     NFSv4 Domain Name: DNS_DOMAIN
3. On the NFS Shares tab, click Add
4. On the pop-up window for adding an NFS share, enter/select the following and then click OK:
     NFS Server Hostname: NFS_SERVER
     Remote Directory: /
     NFSv4 Share: (checked)
     Mount Point (local): /nfs
     Options: defaults,sec=krb5p
5. Back on the NFS Client Configuration screen, click OK to save and apply the changes
   If you get an error pop-up stating that it is Unable to mount the NFS entries from the /etc/fstab, click OK to dismiss the error. This error occurs because GSS security has not yet been enabled for the NFS client.

Task II: Enable GSS Security for the NFS Client

Before the NFS client can mount an NFSv4 share with security enabled, GSS security must be enabled for the client.

1. In the text editor of your choice, open the /etc/sysconfig/nfs file to be edited
2. Locate and modify the NFS_SECURITY_GSS variable as follows:

   NFS_SECURITY_GSS="yes"

3. Save the file and close the text editor
4. Enter the following command to restart the NFS client with GSS security enabled:

   rcnfs restart

   The NFS client should restart successfully
5. Enter the following command to verify that the new NFS share is mounted:

   mount

   The NFS share should be listed with the appropriate NFS mount options (i.e. sec=krb5p)

(End of Exercise)
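Step 5 of Task II has you read the `sec=` option out of the `mount` listing by eye. The following shell script is an added example, not part of the Novell lab manual: it extracts the security flavour in effect for a given mount point from `mount` output, reports `sys` when an NFS mount shows no `sec=` option at all (AUTH_SYS is the NFS default, so such a mount carries no Kerberos protection), and provides a yes/no check that can be placed in a post-boot script so a share that silently came up without krb5p is noticed. The `mount` output embedded below is constructed; the host names and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the lab manual): read the NFS security flavour of a
# mount point from "mount" output.

# nfs_mount_sec MOUNT_OUTPUT MOUNTPOINT
# Prints the sec= flavour of the NFS mount at MOUNTPOINT, "sys" for an NFS
# mount listed without a sec= option, and nothing if MOUNTPOINT is not an NFS mount.
# "mount" prints:  SOURCE on MOUNTPOINT type FSTYPE (opt1,opt2,...)
nfs_mount_sec() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == "on" && $3 == mp && $5 ~ /^nfs/ {
            opts = $6
            gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            sec = "sys"                      # NFS default when no sec= is given
            for (i = 1; i <= n; i++) if (o[i] ~ /^sec=/) sec = substr(o[i], 5)
            print sec
            exit
        }'
}

# nfs_mount_requires MOUNT_OUTPUT MOUNTPOINT FLAVOUR: 0 only if the mount is
# present and uses exactly FLAVOUR (e.g. krb5p)
nfs_mount_requires() {
    [ "$(nfs_mount_sec "$1" "$2")" = "$3" ]
}

# Constructed sample of "mount" output on an NFS client (names and addresses made up):
SAMPLE_MOUNT='/dev/sda2 on / type ext3 (rw,acl,user_xattr)
storage1:/ on /nfs type nfs4 (rw,sec=krb5p,addr=192.0.2.10,clientaddr=192.0.2.20)
oldnas:/export on /mnt/old type nfs (rw,vers=3,addr=192.0.2.11)'

# Live check of the lab mount point; prints nothing when /nfs is not mounted
nfs_mount_sec "$(mount 2>/dev/null || true)" /nfs
```

Usage after Task II: `nfs_mount_requires "$(mount)" /nfs krb5p || echo "/nfs is not mounted with krb5p"` gives a non-zero exit status that a boot-time or monitoring script can act on.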

5.11 Export Home Directories with NFSv4 and GSSAPI Security

In this exercise you export /home via NFSv4 with GSS security enabled.

Objectives:
  Task I: Export /home via NFSv4
  Task II: Verify the Exported File System

Special Instructions and Notes: (none)

Task I: Export /home via NFSv4

1. On the NFS server (storage1), while logged in as the root user, open the /etc/exports file in the text editor of your choice
2. At the end of the file, add the following (add it as a single line with no line wraps):

   /export/home *(bind=/home,crossmnt,rw,no_root_squash,sync,no_subtree_check,insecure) gss/krb5(bind=/home,crossmnt,rw,no_root_squash,sync,no_subtree_check,insecure) gss/krb5i(bind=/home,crossmnt,rw,no_root_squash,sync,no_subtree_check,insecure) gss/krb5p(bind=/home,crossmnt,rw,no_root_squash,sync,no_subtree_check,insecure)

3. Save the file and close the text editor
4. Enter the following commands to see that /home is not currently bind mounted and that /export/home is empty:

   mount

   You should see that /home is NOT bind mounted yet

   ls -l /export/home

   You should see that there are no files or directories in /export/home
5. Enter the following command to activate the changes to the /etc/exports file:

   rcnfsserver restart

Task II: Verify the Exported File System

1. Enter the following command to verify that /home is being exported:

   exportfs

   You should see that /export/home is being exported to the world and to the special gss/krb5p group
2. Enter the following commands to see that /home was automatically bind mounted under /export:

   mount
   ls -l /export

   You should see that /home is mounted on /export/home, and that /export/home now exists where it didn't before

Task III: Configure an NFS Client to Mount the /home Share

This is a challenge task. You are not given step-by-step instructions to perform the task. Rather, you must use knowledge previously gained to successfully complete the task.

1. Your challenge is to configure the NFS client (Node2) to mount the home directory inside of the pseudo NFS root on /home. First do this without NFS security and then do it with krb5p NFS security.

(End of Exercise)
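Exercises 5.9 and 5.11 both produce /etc/exports entries that offer the same directory under four client specifications: the plain `*` entry, which accepts AUTH_SYS (no Kerberos at all), and `gss/krb5`, `gss/krb5i` and `gss/krb5p`. The following shell script is an added example, not part of the Novell lab manual: it builds such a line from a directory and an option string, adds the world `*` entry only when explicitly asked for, and audits an exports file for directories still reachable with sec=sys, which is the entry to remove once the Kerberos mounts are known to work. The option string and file contents in the test are constructed from the lab's own values; the newer `*(sec=krb5p,...)` syntax is recognised by the audit so that it is not reported as an unprotected export.

```shell
#!/bin/sh
# Added example (not from the lab manual): generate and audit /etc/exports
# lines that offer a directory under the gss/krb5* security flavours.

# gss_export_line DIR OPTS [WORLD]
# Prints one /etc/exports line exporting DIR with krb5, krb5i and krb5p.
# A plain "*" entry (AUTH_SYS, no Kerberos) is added only when WORLD is "yes".
gss_export_line() {
    dir=$1; opts=$2; world=${3:-no}
    line=$dir
    if [ "$world" = yes ]; then
        line="$line *($opts)"
    fi
    for flavor in krb5 krb5i krb5p; do
        line="$line gss/$flavor($opts)"
    done
    printf '%s\n' "$line"
}

# sys_exports FILE
# Prints each directory FILE exports to every host ("*" or "*(...)") without a
# Kerberos flavour, i.e. still mountable with sec=sys. Comments and blank lines
# are skipped; "*(sec=krb5...)" entries are not reported.
sys_exports() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i == "*" || ($i ~ /^\*\(/ && $i !~ /sec=krb5/)) { print $1; break }
        }' "$1"
}

# Usage on the NFS server, e.g. to print the 5.11 line without the "*" entry:
#   gss_export_line /export/home bind=/home,crossmnt,rw,no_root_squash,sync,no_subtree_check,insecure
# and to list what is still open to AUTH_SYS clients:
#   sys_exports /etc/exports
```

The audit is the check to run after the challenge in Task III succeeds with krb5p: once every client mounts with a Kerberos flavour, a directory reported by `sys_exports` is an export that no longer needs the `*` entry.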



More information

Mobile App Quick Start

Mobile App Quick Start www.novell.com/documentation Mobile App Quick Start Service Desk Mobile App 1.0 November 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this

More information

NetIQ Sentinel 7.0.1 Quick Start Guide

NetIQ Sentinel 7.0.1 Quick Start Guide NetIQ Sentinel 7.0.1 Quick Start Guide April 2012 Getting Started Use the following information to get Sentinel installed and running quickly. Meeting System Requirements on page 1 Installing Sentinel

More information

Certificate Management

Certificate Management www.novell.com/documentation Certificate Management ZENworks Mobile Management 3.1.x August 2015 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of

More information

How To Manage Storage With Novell Storage Manager 3.X For Active Directory

How To Manage Storage With Novell Storage Manager 3.X For Active Directory www.novell.com/documentation Installation Guide Novell Storage Manager 4.1 for Active Directory September 10, 2015 Legal Notices Condrey Corporation makes no representations or warranties with respect

More information

Installation and Configuration Guide

Installation and Configuration Guide www.novell.com/documentation Installation and Configuration Guide GroupWise Coexistence Solution for Exchange November 2015 Legal Notices Novell, Inc., makes no representations or warranties with respect

More information

Password Management Guide

Password Management Guide www.novell.com/documentation Management Guide Identity Manager 4.0.2 June 2012 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation,

More information

Novell Access Manager

Novell Access Manager J2EE Agent Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP3 February 02, 2011 www.novell.com Novell Access Manager 3.1 SP3 J2EE Agent Guide Legal Notices Novell, Inc., makes no representations

More information

Novell LDAP Proxy Server

Novell LDAP Proxy Server AUTHORIZED DOCUMENTATION Best Features Guide Novell LDAP Proxy Server 1.0 October 2011 www.novell.com Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use

More information

Novell Identity Manager Driver for Remedy Action Request System (ARS)

Novell Identity Manager Driver for Remedy Action Request System (ARS) Novell Identity Manager Driver for Remedy Action Request System (ARS) 1.1 www.novell.com June 05, 2009 DRIVER GUIDE 1/18 Legal Notices Novell, Inc. makes no representations or warranties with respect to

More information

For Active Directory Installation Guide

For Active Directory Installation Guide For Active Directory Installation Guide Version 2.5.2 April 2010 Copyright 2010 Legal Notices makes no representations or warranties with respect to the contents or use of this documentation, and specifically

More information

Migration Tool Administration Guide

Migration Tool Administration Guide www.novell.com/documentation Migration Tool Administration Guide Open Enterprise Server 11 SP2 January 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents

More information

2 Configuring GroupWise Mobility Service to Support Microsoft Outlook Clients

2 Configuring GroupWise Mobility Service to Support Microsoft Outlook Clients GroupWise Mobility Service 2.1 for Microsoft Outlook 2013 First Look - February 2015 GroupWise Mobility Service 2.1 allows the Microsoft Outlook 2013 client for Windows and the Microsoft Outlook app to

More information

www.novell.com/documentation Server Installation ZENworks Mobile Management 2.7.x August 2013

www.novell.com/documentation Server Installation ZENworks Mobile Management 2.7.x August 2013 www.novell.com/documentation Server Installation ZENworks Mobile Management 2.7.x August 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this

More information

Migration Tool Administration Guide

Migration Tool Administration Guide www.novell.com/documentation Migration Tool Administration Guide Open Enterprise Server 2015 August 2015 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents

More information

www.novell.com/documentation Administration Guide Messenger 2.2 July 30, 2013

www.novell.com/documentation Administration Guide Messenger 2.2 July 30, 2013 www.novell.com/documentation Administration Guide Messenger 2.2 July 30, 2013 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation,

More information

Administration Quick Start

Administration Quick Start www.novell.com/documentation Administration Quick Start ZENworks 11 Support Pack 3 February 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of

More information

2 Downloading Access Manager 3.1 SP4 IR1

2 Downloading Access Manager 3.1 SP4 IR1 Novell Access Manager 3.1 SP4 IR1 Readme May 2012 Novell This Readme describes the Novell Access Manager 3.1 SP4 IR1 release. Section 1, Documentation, on page 1 Section 2, Downloading Access Manager 3.1

More information

www.novell.com/documentation Database Maintenance ZENworks Mobile Management 2.7.x August 2013

www.novell.com/documentation Database Maintenance ZENworks Mobile Management 2.7.x August 2013 www.novell.com/documentation Database Maintenance ZENworks Mobile Management 2.7.x August 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of

More information

2 Installing Privileged User Manager 2.3

2 Installing Privileged User Manager 2.3 NetIQ Privileged User Manager 2.3.2 Release Notes January, 2013 1 Documentation The following sources provide information about Privileged User Manager: Privileged User Manager 2.3 Documentation Site (http://www.novell.com/documentation/

More information

www.novell.com/documentation Administration Guide Messenger 3.0 February 2015

www.novell.com/documentation Administration Guide Messenger 3.0 February 2015 www.novell.com/documentation Administration Guide Messenger 3.0 February 2015 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation,

More information

Service Desk: You Own it Why Aren't You Using it? Lab

Service Desk: You Own it Why Aren't You Using it? Lab Service Desk: You Own it Why Aren't You Using it? Lab ZEN20 Novell Training Services ATT LIVE 2012 LAS VEGAS www.novell.com Legal Notices Novell, Inc., makes no representations or warranties with respect

More information

Database Management Reference

Database Management Reference www.novell.com/documentation Database Management Reference ZENworks 11 October 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,

More information

www.novell.com/documentation Administration Guide GroupWise Mobility Service 2.1 February 2015

www.novell.com/documentation Administration Guide GroupWise Mobility Service 2.1 February 2015 www.novell.com/documentation Administration Guide GroupWise Mobility Service 2.1 February 2015 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this

More information

User Source and Authentication Reference

User Source and Authentication Reference User Source and Authentication Reference ZENworks 11 www.novell.com/documentation Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,

More information

Novell Open Workgroup Suite Small Business Edition Helpdesk

Novell Open Workgroup Suite Small Business Edition Helpdesk Administration Guide AUTHORIZED DOCUMENTATION Novell Open Workgroup Suite Small Business Edition Helpdesk 2.5 June 1, 2009 www.novell.com Helpdesk Administration Guide Legal Notices Novell, Inc. makes

More information

Novell Identity Manager

Novell Identity Manager AUTHORIZED DOCUMENTATION Manual Task Service Driver Implementation Guide Novell Identity Manager 4.0.1 April 15, 2011 www.novell.com Legal Notices Novell, Inc. makes no representations or warranties with

More information

www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012

www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012 www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation,

More information

Android App User Guide

Android App User Guide www.novell.com/documentation Android App User Guide ZENworks Mobile Management 2.7.x August 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of

More information

www.novell.com/documentation Administration Guide Modular Authentication Services (NMAS) 3.3.4 April 2013

www.novell.com/documentation Administration Guide Modular Authentication Services (NMAS) 3.3.4 April 2013 www.novell.com/documentation Administration Guide Modular Authentication Services (NMAS) 3.3.4 April 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents

More information

Novell ZENworks 10 Configuration Management SP3

Novell ZENworks 10 Configuration Management SP3 AUTHORIZED DOCUMENTATION Software Distribution Reference Novell ZENworks 10 Configuration Management SP3 10.3 November 17, 2011 www.novell.com Legal Notices Novell, Inc., makes no representations or warranties

More information

System Administration Guide

System Administration Guide www.novell.com/documentation System Administration Guide Data Synchronizer 1.2 August 22, 2012 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this

More information

Managing Macintosh OS-X with Novell ZCM 11.2 Lecture

Managing Macintosh OS-X with Novell ZCM 11.2 Lecture Managing Macintosh OS-X with Novell ZCM 11.2 Lecture ZEN15 Novell Training Services ATT LIVE 2012 LAS VEGAS www.novell.com Legal Notices Novell, Inc., makes no representations or warranties with respect

More information

Integration Guide. SafeNet Authentication Service. Integrating Active Directory Lightweight Services

Integration Guide. SafeNet Authentication Service. Integrating Active Directory Lightweight Services SafeNet Authentication Service Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

Audit Management Reference

Audit Management Reference www.novell.com/documentation Audit Management Reference ZENworks 11 Support Pack 3 February 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of

More information

Novell Identity Manager

Novell Identity Manager AUTHORIZED DOCUMENTATION Driver for LDAP Implementation Guide Novell Identity Manager 3.6.1 December 04, 2009 www.novell.com Legal Notices Novell, Inc. makes no representations or warranties with respect

More information

www.novell.com/documentation User Guide Novell iprint 1.1 March 2015

www.novell.com/documentation User Guide Novell iprint 1.1 March 2015 www.novell.com/documentation User Guide Novell iprint 1.1 March 2015 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically

More information

Novell Sentinel Log Manager 1.2 Release Notes. 1 What s New. 1.1 Enhancements to Licenses. Novell. February 2011

Novell Sentinel Log Manager 1.2 Release Notes. 1 What s New. 1.1 Enhancements to Licenses. Novell. February 2011 Novell Sentinel Log Manager 1.2 Release Notes February 2011 Novell Novell Sentinel Log Manager collects data from a wide variety of devices and applications, including intrusion detection systems, firewalls,

More information

Synchronization Agent Configuration Guide

Synchronization Agent Configuration Guide SafeNet Authentication Service Synchronization Agent Configuration Guide 1 Document Information Document Part Number 007-012476-001, Revision A Release Date July 2014 Trademarks All intellectual property

More information

Installation and Configuration Guide

Installation and Configuration Guide www.novell.com/documentation Installation and Configuration Guide GroupWise Coexistence Solution for Exchange August 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect

More information

www.novell.com/documentation Administration Guide Novell Filr 1.0.1 May 2014

www.novell.com/documentation Administration Guide Novell Filr 1.0.1 May 2014 www.novell.com/documentation Administration Guide Novell Filr 1.0.1 May 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,

More information

Novell Linux Management Pack for System Center Operations Manager

Novell Linux Management Pack for System Center Operations Manager User Guide AUTHORIZED DOCUMENTATION Novell Linux Management Pack for System Center Operations Manager 1.0.1 December 8, 2009 www.novell.com Novell Linux Management Pack 1.0.1 for System Center Operations

More information

Installation Guide. SafeNet Authentication Service

Installation Guide. SafeNet Authentication Service SafeNet Authentication Service Installation Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

Novell Distributed File Services Administration Guide

Novell Distributed File Services Administration Guide www.novell.com/documentation Novell Distributed File Services Administration Guide Open Enterprise Server 11 SP2 January 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect

More information

Full Disk Encryption Agent Reference

Full Disk Encryption Agent Reference www.novell.com/documentation Full Disk Encryption Agent Reference ZENworks 11 Support Pack 3 May 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or

More information

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2015 Update Rollup 2

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2015 Update Rollup 2 White Paper Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System Fabasoft Folio 2015 Update Rollup 2 Copyright Fabasoft R&D GmbH, Linz, Austria, 2015. All rights reserved. All

More information

Secure IIS Web Server with SSL

Secure IIS Web Server with SSL Secure IIS Web Server with SSL EventTracker v7.x Publication Date: Sep 30, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract The purpose of this document is to help

More information

Remote Management Reference

Remote Management Reference www.novell.com/documentation Remote Management Reference ZENworks 11 Support Pack 2 October 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of

More information

User Self-Administration

User Self-Administration www.novell.com/documentation User Self-Administration ZENworks Mobile Management 2.6.x January 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use

More information

Administration Guide. Novell Storage Manager 3.1.1 for Active Directory. Novell Storage Manager 3.1.1 for Active Directory Administration Guide

Administration Guide. Novell Storage Manager 3.1.1 for Active Directory. Novell Storage Manager 3.1.1 for Active Directory Administration Guide Novell Storage Manager 3.1.1 for Active Directory Administration Guide www.novell.com/documentation Administration Guide Novell Storage Manager 3.1.1 for Active Directory October 17, 2013 Legal Notices

More information

Microsoft IIS Integration Guide

Microsoft IIS Integration Guide Microsoft IIS Integration Guide Preface Preface 2015 SafeNet, Inc. All rights reserved. Part Number: 007-011955-001 (Rev E, 12/2015) All intellectual property is protected by copyright. All trademarks

More information

www.novell.com/documentation Policy Guide Access Manager 3.1 SP5 January 2013

www.novell.com/documentation Policy Guide Access Manager 3.1 SP5 January 2013 www.novell.com/documentation Policy Guide Access Manager 3.1 SP5 January 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,

More information

www.novell.com/documentation Administration Guide Certificate Server 3.3.8 May 2013

www.novell.com/documentation Administration Guide Certificate Server 3.3.8 May 2013 www.novell.com/documentation Administration Guide Certificate Server 3.3.8 May 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,

More information

Setup Guide Access Manager 3.2 SP3

Setup Guide Access Manager 3.2 SP3 Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE

More information

Software Distribution Reference

Software Distribution Reference www.novell.com/documentation Software Distribution Reference ZENworks 11 Support Pack 3 July 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use

More information

User Application: Design Guide

User Application: Design Guide www.novell.com/documentation User Application: Design Guide Designer for Identity Manager Roles Based Provisioning Tools 4.0.2 June 15, 2012 Legal Notices Novell, Inc. makes no representations or warranties

More information

Table 1 shows the LDAP server configuration required for configuring the federated repositories in the Tivoli Integrated Portal server.

Table 1 shows the LDAP server configuration required for configuring the federated repositories in the Tivoli Integrated Portal server. Configuring IBM Tivoli Integrated Portal server for single sign-on using Simple and Protected GSSAPI Negotiation Mechanism, and Microsoft Active Directory services Document version 1.0 Copyright International

More information

NDK: Novell edirectory Core Services. novdocx (en) 24 April 2008. Novell Developer Kit. www.novell.com NOVELL EDIRECTORY TM CORE SERVICES.

NDK: Novell edirectory Core Services. novdocx (en) 24 April 2008. Novell Developer Kit. www.novell.com NOVELL EDIRECTORY TM CORE SERVICES. NDK: Novell edirectory Core Services Novell Developer Kit www.novell.com June 2008 NOVELL EDIRECTORY TM CORE SERVICES Legal Notices Novell, Inc. makes no representations or warranties with respect to the

More information

www.novell.com/documentation Administration Guide Integrating Novell edirectory with FreeRADIUS 1.1 January 02, 2011

www.novell.com/documentation Administration Guide Integrating Novell edirectory with FreeRADIUS 1.1 January 02, 2011 www.novell.com/documentation Administration Guide Integrating Novell edirectory with FreeRADIUS 1.1 January 02, 2011 Legal Notices Novell, Inc. makes no representations or warranties with respect to the

More information

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates Entrust Managed Services Entrust Managed Services PKI Configuring secure LDAP with Domain Controller digital certificates Document issue: 1.0 Date of issue: October 2009 Copyright 2009 Entrust. All rights

More information

EventTracker Windows syslog User Guide

EventTracker Windows syslog User Guide EventTracker Windows syslog User Guide Publication Date: September 16, 2011 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Introduction This document is prepared to help user(s)

More information

Full Disk Encryption Pre-Boot Authentication Reference

Full Disk Encryption Pre-Boot Authentication Reference www.novell.com/documentation Full Disk Encryption Pre-Boot Authentication Reference ZENworks 11 Support Pack 4 Beta April 2015 Legal Notices Novell, Inc., makes no representations or warranties with respect

More information

Advanced Bundle Management Concepts with ZCM 11 Lab

Advanced Bundle Management Concepts with ZCM 11 Lab Advanced Bundle Management Concepts with ZCM 11 Lab ZEN16 Novell Training Services ATT LIVE 2012 LAS VEGAS www.novell.com Legal Notices Novell, Inc., makes no representations or warranties with respect

More information

Remote Management Reference

Remote Management Reference www.novell.com/documentation Remote Management Reference ZENworks 11 Support Pack 3 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,

More information

NOVELL ZENWORKS ENDPOINT SECURITY MANAGEMENT

NOVELL ZENWORKS ENDPOINT SECURITY MANAGEMENT You can read the recommendations in the user, the technical or the installation for NOVELL ZENWORKS ENDPOINT SECURITY MANAGEMENT 4.0. You'll find the answers to all your questions on the NOVELL ZENWORKS

More information

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway Unifying Information Security Implementing TLS on the CLEARSWIFT SECURE Email Gateway Contents 1 Introduction... 3 2 Understanding TLS... 4 3 Clearswift s Application of TLS... 5 3.1 Opportunistic TLS...

More information

ZENworks Mobile Management 3.0.x Deployment Quick Start

ZENworks Mobile Management 3.0.x Deployment Quick Start ZENworks Mobile Management 3.0.x Deployment Quick Start September 2014 This Quick Start helps you deploy ZENworks Mobile Management in your environment. It includes the following sections: Install Your

More information

Out-of-Band Management Reference

Out-of-Band Management Reference www.novell.com/documentation Out-of-Band Management Reference ZENworks 11 Support Pack 3 Beta February 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents

More information

Novell Remote Manager Administration Guide

Novell Remote Manager Administration Guide www.novell.com/documentation Novell Remote Manager Administration Guide Open Enterprise Server 11 SP2 January 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the

More information

Security Provider Integration Kerberos Authentication

Security Provider Integration Kerberos Authentication Security Provider Integration Kerberos Authentication 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are

More information

ZENworks Virtual Appliance Deployment and Administration Reference

ZENworks Virtual Appliance Deployment and Administration Reference www.novell.com/documentation ZENworks Virtual Appliance Deployment and Administration Reference ZENworks 11 Support Pack 3 February 2014 Legal Notices Novell, Inc. makes no representations or warranties

More information

800-782-3762 www.stbernard.com. Active Directory 2008 Implementation. Version 6.410

800-782-3762 www.stbernard.com. Active Directory 2008 Implementation. Version 6.410 800-782-3762 www.stbernard.com Active Directory 2008 Implementation Version 6.410 Contents 1 INTRODUCTION...2 1.1 Scope... 2 1.2 Definition of Terms... 2 2 SERVER CONFIGURATION...3 2.1 Supported Deployment

More information

Active Directory and Linux Identity Management

Active Directory and Linux Identity Management Active Directory and Linux Identity Management Published by the Open Source Software Lab at Microsoft. December 2007. Special thanks to Chris Travers, Contributing Author to the Open Source Software Lab.

More information

Reconfiguring VMware vsphere Update Manager

Reconfiguring VMware vsphere Update Manager Reconfiguring VMware vsphere Update Manager vsphere Update Manager 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

StoneGate SSL VPN Technical Note 2068. Adding Bundled Certificates

StoneGate SSL VPN Technical Note 2068. Adding Bundled Certificates StoneGate SSL VPN Technical Note 2068 Adding Bundled Certificates Table of Contents Introduction................................... page 3 Overview..................................... page 3 Splitting

More information

Dell Statistica 13.0. Statistica Enterprise Installation Instructions

Dell Statistica 13.0. Statistica Enterprise Installation Instructions Dell Statistica 13.0 2015 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or

More information

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V Connection Broker Managing User Connections to Workstations, Blades, VDI, and More Quick Start with Microsoft Hyper-V Version 8.1 October 21, 2015 Contacting Leostream Leostream Corporation http://www.leostream.com

More information

Novell PlateSpin Portability Suite

Novell PlateSpin Portability Suite Installation Guide AUTHORIZED DOCUMENTATION Novell PlateSpin Portability Suite 8.1 August 3, 2009 www.novell.com PlateSpin Portability Suite 8.1 Installation Guide Legal Notices Novell, Inc., makes no

More information

NSi Mobile Installation Guide. Version 6.2

NSi Mobile Installation Guide. Version 6.2 NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...

More information

Novell PlateSpin Orchestrate

Novell PlateSpin Orchestrate High Availability Configuration Guide AUTHORIZED DOCUMENTATION Novell PlateSpin Orchestrate 2.6 December 8, 2010 www.novell.com PlateSpin Orchestrate 2.6 High Availability Configuration Guide Legal Notices

More information

Active Directory Rights Management Service Integration Guide

Active Directory Rights Management Service Integration Guide Active Directory Rights Management Service Integration Guide Preface Preface 2013 SafeNet, Inc. All rights reserved. Part Number: 007-011230-001 (Rev F, 07/2013) All intellectual property is protected

More information

Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008

Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008 Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008 Nature of Document: Guideline Product(s): IBM Cognos Express Area of Interest: Infrastructure 2 Copyright and Trademarks Licensed Materials

More information

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide Digipass Plug-In for IAS IAS Plug-In IAS Microsoft's Internet Authentication Service Installation Guide Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations

More information

ZENworks Adaptive Agent Reference

ZENworks Adaptive Agent Reference www.novell.com/documentation ZENworks Adaptive Agent Reference ZENworks 11 Support Pack 2 March 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use

More information

Patch Management Reference

Patch Management Reference www.novell.com/documentation Patch Management Reference ZENworks 11 SP4 November 2015 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation,

More information

Active Directory integration with CloudByte ElastiStor

Active Directory integration with CloudByte ElastiStor Active Directory integration with CloudByte ElastiStor Prerequisite Change the time and the time zone of the Active Directory Server to the VSM time and time zone. Enabling Active Directory at VSM level

More information

Novell Access Manager

Novell Access Manager Access Gateway Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP2 November 16, 2010 www.novell.com Novell Access Manager 3.1 SP2 Access Gateway Guide Legal Notices Novell, Inc., makes no representations

More information