Red Hat Directory Server 8.0 Administrator's Guide
NOTE
On Red Hat Enterprise Linux, the client-side Kerberos configuration is in
/etc/krb5.conf. On Solaris, the client-side Kerberos configuration is in
/etc/krb5/krb5.conf.
On HP-UX, the Kerberos server and client are separate packages, each with its own
configuration. The server stores its configuration files under /opt/krb5. The client is
the classic MIT client and uses /etc/krb5.conf. Both the server and the client must be
configured for a working Kerberos system.
To accept Kerberos (GSSAPI) authentication, the Directory Server needs access to its own
long-term cryptographic key. This key is read by the Kerberos libraries that the server calls
through GSS-API, and exactly how they locate it is implementation-dependent. In current
releases of the supported Kerberos implementations, however, the mechanism is the same: the
key is read from a keytab file, which the Kerberos administrator creates by exporting the key
from the KDC. Either the system default keytab file (typically /etc/krb5.keytab) is used, or
a service-specific keytab file named by the KRB5_KTNAME environment variable. Setting this
variable in the start-slapd script is recommended, because it ensures that the variable is set
correctly each time Directory Server starts. Because the keytab holds the service's secret key,
it must be readable only by the account the server runs as: anyone who can read it can
decrypt service tickets and impersonate the LDAP service to Kerberos clients.
The Directory Server uses the service name ldap, so its Kerberos principal is
ldap/host-fqdn@realm, such as ldap/dap.corp.example.com@EXAMPLE.COM. host-fqdn must be
the fully-qualified host and domain name, and every LDAP and Kerberos client must be able to
resolve it through both forward DNS and reverse DNS lookups. A key with this identity must be
stored in the server's keytab for Kerberos to work.
For information on setting up the service key, see the Kerberos documentation.
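The following pre-flight check is an added example, not code from the Directory Server guide. It tests the two conditions stated above before a GSSAPI bind is attempted: the host name is a fully-qualified name that resolves consistently forward and reverse, and the keytab contains ldap/host-fqdn@REALM. DNS lookups and the `klist -k` listing are injected so the check runs offline against constructed data; the host names, addresses and keytab path in the sample are assumptions.

```python
"""Pre-flight checks for the Directory Server's Kerberos service key.

Added example; not code from the Red Hat Directory Server guide.
In production pass socket-based resolvers and the real output of
`klist -k /path/to/keytab` instead of the constructed samples.
"""
import re

# `klist -k` prints "KVNO Principal" rows; with -e an enctype follows in
# parentheses, which this pattern ignores.
KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+@\S+)")


def service_principal(host_fqdn, realm):
    """Principal the Directory Server presents: ldap/host-fqdn@REALM."""
    if "." not in host_fqdn or host_fqdn != host_fqdn.lower():
        raise ValueError(f"host must be a lower-case FQDN: {host_fqdn!r}")
    if realm != realm.upper():
        raise ValueError(f"realm must be upper case: {realm!r}")
    return f"ldap/{host_fqdn}@{realm}"


def parse_klist_keytab(output):
    """Map each principal in `klist -k` output to its list of KVNOs."""
    keys = {}
    for line in output.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            keys.setdefault(m.group(2), []).append(int(m.group(1)))
    return keys


def check_service_key(host_fqdn, realm, klist_output, forward, reverse):
    """Return a list of problems; an empty list means the checks passed.

    forward(name) -> list of addresses; reverse(addr) -> canonical name.
    Every address the name resolves to must map back to the same name.
    """
    problems = []
    principal = service_principal(host_fqdn, realm)
    addrs = forward(host_fqdn)
    if not addrs:
        problems.append(f"{host_fqdn} does not resolve")
    for addr in addrs:
        name = reverse(addr).rstrip(".").lower()
        if name != host_fqdn:
            problems.append(f"{addr} reverses to {name or '(nothing)'}, "
                            f"not {host_fqdn}")
    if principal not in parse_klist_keytab(klist_output):
        problems.append(f"keytab has no key for {principal}")
    return problems


# Constructed sample data: a fake `klist -k` listing and fake DNS records.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/ldap.corp.example.com@EXAMPLE.COM
   3 ldap/ldap.corp.example.com@EXAMPLE.COM
   1 host/ldap.corp.example.com@EXAMPLE.COM
"""
FAKE_A = {"ldap.corp.example.com": ["192.0.2.10"],
          "ldap2.corp.example.com": ["192.0.2.11"]}
FAKE_PTR = {"192.0.2.10": "ldap.corp.example.com.",
            "192.0.2.11": "oldname.corp.example.com."}


def demo(host_fqdn):
    """Run the checks for one host against the constructed data."""
    return check_service_key(host_fqdn, "EXAMPLE.COM", SAMPLE_KLIST,
                             lambda h: FAKE_A.get(h, []),
                             lambda a: FAKE_PTR.get(a, ""))


if __name__ == "__main__":
    for host in ("ldap.corp.example.com", "ldap2.corp.example.com"):
        print(host, demo(host) or "OK")
```

The second sample host fails both ways: its address reverses to a different name, and the keytab has no ldap/ key for it, which is exactly the pair of faults that produce an opaque "server not found in Kerberos database" or checksum failure at bind time. If the service keytab is not the system default, export the variable in start-slapd (path assumed) with `KRB5_KTNAME=FILE:/etc/dirsrv/ds.keytab; export KRB5_KTNAME`, and give the file to the server's unprivileged account with mode 0600.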
5.3. Example: Configuring an Example KDC Server
This example shows the krb5.conf for a KDC server configured for the COMPANY.EXAMPLE.COM
realm. The enctype lists name the single-DES type des-cbc-crc alongside des3-hmac-sha1; single
DES has since been retired from Kerberos (RFC 6649) and triple DES deprecated (RFC 8429), so on
current Kerberos releases use the AES enctypes and list the DES types only if a legacy client
still requires them.
[libdefaults]
ticket_lifetime = 24000
default_realm = COMPANY.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ccache_type = 1
forwardable = true
proxiable = true
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
permitted_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
COMPANY.EXAMPLE.COM = {
kdc = kdcserver.company.example.com:88
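The linter below is an added example, not code from the Directory Server guide. It parses the [section] / key = value / name = { ... } structure of krb5.conf and flags retired or deprecated enctypes, a default_realm with no [realms] entry, and a realm with no kdc. Its sample input is the KDC example above with the closing brace the page cuts off, plus a constructed AES variant; the truncated fragment is also fed in to show the parser reporting it rather than silently accepting a half-defined realm.

```python
"""Parse and lint a krb5.conf such as the KDC example above.

Added example; not code from the Red Hat Directory Server guide.
"""
import re

SETTING = re.compile(r"^(\S+)\s*=\s*(.*)$")
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes")
# Single DES: retired by RFC 6649. 3DES and RC4: deprecated by RFC 8429.
RETIRED_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw"}
DEPRECATED_ENCTYPES = {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-raw",
                       "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac",
                       "arcfour-hmac-exp"}


def parse_krb5_conf(text):
    """Return {section: {key: [value-or-group, ...]}}.

    A `name = { ... }` group becomes a nested dict; repeated keys
    (for example several kdc lines) accumulate in the list.
    """
    sections = {}
    stack = []  # stack[0] is the current section, innermost group last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            if len(stack) > 1:
                raise ValueError("unterminated '{' group")
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError(f"setting outside any section: {line!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = SETTING.match(line)
        if not m:
            raise ValueError(f"cannot parse: {line!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            group = {}
            stack[-1].setdefault(key, []).append(group)
            stack.append(group)
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' group")
    return sections


def lint_krb5_conf(sections):
    """List problems found in a parsed krb5.conf; empty means clean."""
    problems = []
    lib = sections.get("libdefaults", {})
    for key in ENCTYPE_KEYS:
        for value in lib.get(key, []):
            for enc in value.split():
                if enc in RETIRED_ENCTYPES:
                    problems.append(f"{key}: {enc} is single DES (retired, RFC 6649)")
                elif enc in DEPRECATED_ENCTYPES:
                    problems.append(f"{key}: {enc} is deprecated (RFC 8429)")
    realms = sections.get("realms", {})
    for realm in lib.get("default_realm", []):
        if realm not in realms:
            problems.append(f"default_realm {realm} has no [realms] entry")
    for realm, groups in realms.items():
        for group in groups:
            if isinstance(group, dict) and not group.get("kdc"):
                problems.append(f"realm {realm}: no kdc defined")
    return problems


def lint_text(text):
    """Parse and lint; a parse error is reported as a problem, not raised."""
    try:
        return lint_krb5_conf(parse_krb5_conf(text))
    except ValueError as err:
        return [f"parse error: {err}"]


# Constructed samples. PAGE_CONF is the example above plus the closing
# brace the page cuts off; HARDENED_CONF swaps in the AES enctypes.
PAGE_CONF = """\
[libdefaults]
 ticket_lifetime = 24000
 default_realm = COMPANY.EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ccache_type = 1
 forwardable = true
 proxiable = true
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
 COMPANY.EXAMPLE.COM = {
  kdc = kdcserver.company.example.com:88
 }
"""
HARDENED_CONF = PAGE_CONF.replace(
    "des3-hmac-sha1 des-cbc-crc",
    "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96")
TRUNCATED_CONF = PAGE_CONF.rsplit("}", 1)[0]  # the fragment as printed above
```

Run `lint_text(PAGE_CONF)` and it reports six findings, one per DES type in each of the three enctype lists; the AES variant lints clean, and the truncated fragment comes back as a parse error instead of a realm that appears configured but is not.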
Chapter 12. Managing SASL