PADL has contributed over 14,000 lines of code to Heimdal, including:
Kerberos Credentials Manager (KCM)
Port of MIT Kerberos mechanism glue (mechglue)
GSS-API CFX and protected mechanism negotiation
RFC 2478bis (SPNEGO) mechanism
NetInfo configuration support
Dynamic loading of database backends
RFC 3244 (set password) server-side support
Windows 2000 interoperability fixes for public key initial authentication (PKINIT)
This document describes how to install the LDAP backend for Heimdal. Before attempting to configure such an installation, you should be aware of the implications of storing private information (such as users' keys) in a directory service primarily designed for public information. Nonetheless, with a suitable authorization policy, it is possible to set this up in a secure fashion. Knowledge of LDAP, Kerberos, and C is necessary to install this backend. The HDB schema was devised by Leif Johansson.
A current release of Heimdal, configured with --with-openldap=/usr/local (adjust according to where you have installed OpenLDAP).
OpenLDAP 2.0.x, configured with --enable-local to enable the local transport (ldapi://, a Unix-domain socket). (A patch to support SASL EXTERNAL authentication is necessary in order to use OpenLDAP 2.1.x.)
The KDC LDAP schema, which is distributed with OpenLDAP.
Configure the LDAP server ACLs to accept writes from clients over the local transport. For example:
access to * by sockurl="^ldapi:///$" write
Two things to keep in mind about this clause. slapd evaluates access clauses in order and stops at the first "access to" that matches the entry, so it must appear before any broader clause covering the same entries. It also grants write access to every process that can open the Unix-domain socket, while connections that do not match any "by" clause (including TCP clients on port 389) fall through to the implicit deny and get no access at all. The filesystem permissions on the socket, and the umask slapd is started with, are therefore what stands between local users and the key material.
Make sure you include the schema:
Start the slapd with the local listener (as well as the default TCP/IP listener on port 389) as follows:
slapd -h "ldapi:/// ldap:///"
Note: There is a bug in slapd where it appears to corrupt the krb5Key binary attribute on shutdown. This may be related to our use of the V3 schema definition syntax instead of the old UMich-style V2 syntax.
You should specify in krb5.conf the distinguished name under which your principals will be stored:
Once you have built Heimdal and started the LDAP server, run kadmin (as usual) to initialize the database. Note that the instructions for stashing a master key are as per any Heimdal installation; you are encouraged to read the Heimdal documentation for further information.
kdc# kadmin -l
kadmin> init PADL.COM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> ank lukeh
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes :
lukeh@PADL.COM's Password:
Verifying password - lukeh@PADL.COM's Password:
kadmin> exit
Verify that the principal database has indeed been stored in the directory with the following command:
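The steps above collected into one configuration, as an added example that is not taken from PADL's page or from the Heimdal or OpenLDAP sources: a slapd.conf fragment (OpenLDAP 2.0.x syntax) and the matching krb5.conf [kdc] stanza. The realm PADL.COM and the base dc=padl,dc=com follow the kadmin session above; the schema file path, the container ou=KerberosPrincipals, the database directory and the master key and ACL file locations are assumptions and must be adjusted to your installation. Unlike the single ACL line above, this version splits the policy in two so that krb5Key is never readable off the local socket even when the rest of the directory is published read-only over TCP; if the directory holds nothing but KDC data, replace the final "by * read" with "by * none".

```conf
# slapd.conf fragment (OpenLDAP 2.0.x syntax).

# The KDC schema shipped with OpenLDAP. The path is an assumption; adjust
# it to wherever your OpenLDAP schema files live.
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/krb5-kdc.schema

# ACLs are first-match: keep these two clauses ahead of any other
# "access to" clause. Key material is writable only over the local
# socket and invisible to everyone else (explicit deny, no fall-through).
access to attrs=krb5Key
        by sockurl="^ldapi:///$" write
        by * none

# Everything else: writable over the local socket (the KDC, kadmind and
# the ldapadd that creates the container all arrive this way), read-only
# for clients on the TCP listener.
access to *
        by sockurl="^ldapi:///$" write
        by * read

database        ldbm
suffix          "dc=padl,dc=com"
directory       /usr/local/var/openldap-ldbm
# The backend looks principals up by objectClass and name; index both
# for equality so lookups do not scan the whole container.
index           objectClass,krb5PrincipalName eq

# krb5.conf fragment (Heimdal): point the KDC and kadmin at the container
# holding the principals. mkey_file is the stashed master key, acl_file
# the kadmind ACL; both paths are assumptions.
[libdefaults]
        default_realm = PADL.COM

[kdc]
        database = {
                dbname = ldap:ou=KerberosPrincipals,dc=padl,dc=com
                mkey_file = /var/heimdal/m-key
                acl_file = /var/heimdal/kadmind.acl
        }
```

Start slapd with the local listener as shown above, create the container if it does not already exist (an ldapadd over ldapi:/// of an organizationalUnit entry with dn ou=KerberosPrincipals,dc=padl,dc=com is enough, since the local socket is writable), then run the kadmin session above. To check that the principal landed in the directory, search over the local socket: ldapsearch -x -H ldapi:/// -b ou=KerberosPrincipals,dc=padl,dc=com '(krb5PrincipalName=lukeh@PADL.COM)' should return a krb5KDCEntry whose krb5Key attribute is shown base64-encoded. Repeat the same search with -H ldap://localhost/ as a negative check: the entry should come back, but without krb5Key. If the key is visible over TCP, the attrs=krb5Key clause is missing or has been placed after a broader clause.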