Kerberos and LDAP Client on OpenBSD 7.3

From Unixcat.net Wiki
Revision as of 21:05, 14 April 2023 by ToroidalCore (talk | contribs)

Kerberos and LDAP are often used to centralize authentication and authorization, respectively, on Unix-like systems. Kerberos lets users and applications authenticate against a network database (the key distribution center, or KDC), and LDAP stores information about users, groups and more. With one or more (hopefully more, for redundancy) Kerberos and LDAP servers, it should be possible to set up client hosts so that a user created on the server can log into the client host without a local user account. (Local users can still be used if needed, e.g. as a backup or for system services.)

This guide describes setting up OpenBSD, specifically OpenBSD 7.3, to authenticate in this way. Note that because Kerberos has been removed from the OpenBSD base system, integration is not as tight as it is in some other operating systems, such as Linux distributions or FreeBSD. Note also that while this authentication scheme is similar to the one used by Microsoft's Active Directory, this guide is not specifically about integrating OpenBSD with Active Directory. If you are trying to do that, however, this may still be helpful.

Prerequisites

In addition to an OpenBSD 7.3 host you want to actually set this up on, we will assume you have a few things available:

  • A working Kerberos KDC and LDAP directory server you can make changes to, e.g. creating users and principals.
  • An up-to-date OpenBSD system, with root access.

You should already be familiar with Kerberos and LDAP; setting them up is the subject of another guide. Knowledge of OpenBSD itself is helpful too. :)

Overview

There are three primary goals:

  1. Configure Kerberos on OpenBSD to point to a KDC, so a user can request and destroy a ticket.
  2. Configure BSD auth so that users can log in with the password for their Kerberos principal.
  3. Configure ypldap so that the system can look up information about network users, i.e. what their user ID and group ID numbers are.

A user should be able to log into the system with the password set for their Kerberos principal. The system should be able to look up user information in LDAP, and the user, authenticating to the directory with Kerberos via GSSAPI, should be able to search the LDAP directory and change the entries they have permission to change.
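As an added illustration of goals 1 and 3 (this is example code written for this page, not configuration taken from the wiki or from OpenBSD itself), the script below renders a client krb5.conf pointing at a KDC and a ypldap.conf that maps posixAccount/posixGroup entries to the passwd and group maps. The realm EXAMPLE.COM, the hosts kdc.example.com and ldap.example.com and the base DN dc=example,dc=com are constructed placeholders; the paths /etc/heimdal/krb5.conf and /etc/ypldap.conf are assumptions about where the heimdal package and ypldap(8) read their configuration, so check them against the installed package before writing to the real root.

```shell
#!/bin/sh
# Added example, not from the wiki page: render client-side configuration for
# Kerberos (goal 1) and ypldap (goal 3) into a destination tree so it can be
# reviewed before it is copied to /. All names below are constructed
# placeholders; the file paths are assumptions about the heimdal package and
# ypldap(8) defaults.
set -eu

# Goal 1: krb5.conf so kinit(1) and kdestroy(1) can find the KDC.
gen_krb5_conf() {
    realm=$1 kdc=$2 domain=$3
    cat <<EOF
[libdefaults]
    default_realm = $realm
    # Name the KDC explicitly instead of trusting DNS SRV records.
    dns_lookup_kdc = no

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Goal 3: ypldap.conf mapping directory entries to the passwd and group maps
# that ypbind(8) hands to getpwnam(3) and getgrnam(3).
gen_ypldap_conf() {
    ldaphost=$1 basedn=$2 domain=$3
    cat <<EOF
domain "$domain"
interval 60
provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"

# "tls" upgrades the connection with STARTTLS so account data does not cross
# the network in clear text (assumed keyword; see ypldap.conf(5)).
directory "$ldaphost" tls {
    basedn "$basedn"

    passwd filter "(objectClass=posixAccount)"
    attribute name maps to "uid"
    # Password hashes stay out of the map; Kerberos handles authentication.
    fixed attribute passwd "*"
    attribute uid maps to "uidNumber"
    attribute gid maps to "gidNumber"
    attribute gecos maps to "cn"
    attribute home maps to "homeDirectory"
    attribute shell maps to "loginShell"
    fixed attribute change "0"
    fixed attribute expire "0"
    fixed attribute class ""

    group filter "(objectClass=posixGroup)"
    attribute groupname maps to "cn"
    fixed attribute grouppasswd "*"
    attribute groupgid maps to "gidNumber"
    list groupmembers maps to "memberUid"
}
EOF
}

# Write both files plus /etc/defaultdomain under $destdir.
write_client_config() {
    destdir=$1 realm=$2 kdc=$3 domain=$4 ldaphost=$5 basedn=$6
    mkdir -p "$destdir/etc/heimdal"
    gen_krb5_conf "$realm" "$kdc" "$domain" > "$destdir/etc/heimdal/krb5.conf"
    gen_ypldap_conf "$ldaphost" "$basedn" "$domain" > "$destdir/etc/ypldap.conf"
    # ypldap.conf may later carry bind credentials; keep it root-only.
    chmod 600 "$destdir/etc/ypldap.conf"
    # ypbind(8) takes the YP domain name from /etc/defaultdomain at boot.
    printf '%s\n' "$domain" > "$destdir/etc/defaultdomain"
}

# Usage (review in a scratch tree first):
# write_client_config /tmp/review EXAMPLE.COM kdc.example.com example.com \
#     ldap.example.com "dc=example,dc=com"
```

Goal 2 is a login.conf change rather than a generated file: with the login_krb5 package installed, adding the krb5-or-pwd style ahead of passwd in the `auth` capability of the class your users inherit from makes a Kerberos password acceptable at login while keeping local accounts working. After the ypldap.conf is in place, the remaining steps are the usual ypldap ones: enable portmap, ypldap and ypbind with rcctl, and append the `+:*::::::::` line to master.passwd via vipw and `+:*::` to /etc/group so lookups fall through to the maps.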

Limitations

There are some things to be aware of in this configuration. OpenBSD removed Kerberos (the heimdal package) from the base system years ago, but you can still install it with pkg_add. System integration with Kerberos is not very strong, and presently I haven't been able to acquire a ticket automatically on login; this is something I'm looking into. Additionally, OpenSSH is compiled without GSSAPI support, so single sign-on is not possible. This is unfortunate,