ApacheDS
ApacheDS - LDAP - Kerberos - NFS4 here
STATUS: UNDER WORK
There are many alternatives for LDAP. Most of them are hard to manage and configure, and error-prone. The ApacheDS project is not 100% ready yet, but it offers a solution to get NFS4, Kerberos and LDAP deployed in a timely manner for a small network. More at [pages] and [[2]] packages. Some help can be found on the IRC support channel.
Kindly use the user manuals at the project site. These instructions are Ubuntu specific and give some contextual knowledge of how ApacheDS differs from other LDAP solutions.
Reference materials to read:
[for Rocket Scientist]
Installation 64bit system - current version
prerequisite
To confirm the version of java installed run
java -version
You'll get an output that looks like:
java version "1.7.0_15"
OpenJDK Runtime Environment (IcedTea7 2.3.7) (7u15-2.3.7-0ubuntu1~12.04.1)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)
This one runs JRE version 7 update 15.
If the Java environment is not installed, install it:
sudo apt-get install openjdk-7-jdk
apacheDS - LDAP - Kerberos server code
mkdir -p /mpi3/S4/apacheds
cd /mpi3/S4/apacheds
wget http://www.trieuvan.com/apache//directory/apacheds/dist/2.0.0-M17/apacheds-2.0.0-M17-amd64.deb
sudo dpkg -i apacheds-2.0.0-M17-amd64.deb
After that the server can be found at /opt/apacheds-2.0.0-M17
The LDAP database is located at /var/lib/apacheds-2.0.0-M17/<instance name>
Servers can be started via Apache Directory Studio, by the init script or from the command line:
/opt/apacheds-2.0.0-M17/bin/apacheds <command> <instance name>
Apache Directory Studio - the tool to configure and manage servers
cd /mpi3/S4/apacheds
wget http://apache.spinellicreations.com//directory/studio/dist/2.0.0.v20130628/ApacheDirectoryStudio-linux-x86_64-2.0.0.v20130628.tar.gz
tar xzf ApacheDirectoryStudio-linux-x86_64-2.0.0.v20130628.tar.gz
Get started
Starting Apache Directory Studio
cd /mpi3/S4/apacheds/ApacheDirectoryStudio-linux-x86_64-2.0.0.v20130628
./ApacheDirectoryStudio
ApacheDS is structured in such a way that you can manage several servers. Directory Studio gives an easy way to add, modify and duplicate LDAP directories and Kerberos servers. There are built-in mechanisms for replication setup. With Studio you can import/export *.ldif and *.schema files to and from your installations. See the User's Manuals. In the future there could be NTP, DHCP and DNS; those are already built as experimental servers. This project needs more people to grow.
The created server's configuration and database (<instance name>) are located in /var/lib/apacheds-2.0.0-M17/<instance name>, and the server can be deployed simply by copying that directory.
LDAP for Kerberos / NFS
https://help.ubuntu.com/community/Kerberos
https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
https://directory.apache.org/apacheds/kerberos-user-guide.html
ApacheDS configuration notes (this is what I got working):
1) In Apache Directory Studio, first add a new server and then change its default partition name, e.g. dc=example,dc=com to dc=yourserver,dc=edu. This can be done on the Partitions sheet: select dc=example,dc=com and change the name!
2) Enable both LDAP and KERBEROS.
3) With NFS only ads-krbEncryptionTypes: des-cbc-md5 and ads-krbEncryptionTypes: des3-cbc-sha1-kd could work, see https://bugzilla.redhat.com/show_bug.cgi?id=573968 . Because of this, /etc/krb5.conf must contain:
[libdefaults]
allow_weak_crypto = yes
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
Kerberos clients
I have used the MIT client packages and libraries.
sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
Single Sign-On
https://help.ubuntu.com/community/SingleSignOn
Postfix & LDAP
http://www.postfix.org/LDAP_README.html
PGP server
http://lists.gnupg.org/pipermail/gnupg-users/2006-February/028058.html
Kerberos
NFS4 & Kerberos
https://we.riseup.net/stefani/kerberos-and-nfs4
https://help.ubuntu.com/community/NFSv4Howto
https://help.ubuntu.com/community/Kerberos
https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
https://wiki.debian.org/nfs4-kerberos-ldap
Kerberos client
sudo apt-get install nfs-common krb5-user krb5-config
sudo apt-get install sasl2-bin libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit
sudo apt-get install libnss-ldapd libsasl2-modules-gssapi-mit kstart
sudo apt-get install libpam-ccreds
NFS server
sudo apt-get install nfs-kernel-server
sudo nano /etc/exports:
/export 192.168.0.0/255.255.255.0(rw,no_subtree_check,fsid=0,sync)
#/export/jaettava 192.168.0.40/255.255.255.0(rw,async,insecure,no_subtree_check,fsid=0)
/export/jaettava gss/krb5(rw,async,insecure,no_subtree_check,fsid=0)
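An added audit helper (not part of the original page) that reads an exports file like the one above and, for each client entry, reports whether access requires Kerberos (sec=krb5/krb5i/krb5p or the legacy gss/krb5 client spec), flags options that widen exposure (insecure, async, no_root_squash), and reports a second fsid=0 pseudo-root, which NFSv4 does not allow. The sample exports file is constructed from this page's lines.

```shell
#!/bin/sh
# Audit /etc/exports entries: Kerberos requirement, risky options, duplicate fsid=0.
set -eu

exports_audit() {
    # $1: path to an exports file. Prints one line per path/client pair:
    #   KRB5|NO-KRB5 <path> <client> [RISK: <options>]
    # followed by an ERROR line if more than one export carries fsid=0.
    awk '
        { sub(/#.*/, "") }                      # strip comments, including commented-out exports
        NF < 2 { next }                         # need at least a path and one client spec
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) { # split "client(opt,opt)" into client and opts
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                kerb = (client ~ /^gss\/krb5/ || opts ~ /(^|,)sec=krb5/) ? "KRB5" : "NO-KRB5"
                flags = ""
                if (opts ~ /(^|,)insecure(,|$)/)       flags = flags " insecure"
                if (opts ~ /(^|,)async(,|$)/)          flags = flags " async"
                if (opts ~ /(^|,)no_root_squash(,|$)/) flags = flags " no_root_squash"
                if (opts ~ /(^|,)fsid=0(,|$)/)         roots++
                risk = (flags == "") ? "" : (" RISK:" flags)
                print kerb " " path " " client risk
            }
        }
        END { if (roots > 1) print "ERROR multiple fsid=0 exports (" roots "); NFSv4 allows one pseudo-root" }
    ' "$1"
}

# Constructed sample: the three exports lines shown on this page.
SAMPLE_EXPORTS=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat > "$SAMPLE_EXPORTS" <<'EOF'
/export 192.168.0.0/255.255.255.0(rw,no_subtree_check,fsid=0,sync)
#/export/jaettava 192.168.0.40/255.255.255.0(rw,async,insecure,no_subtree_check,fsid=0)
/export/jaettava gss/krb5(rw,async,insecure,no_subtree_check,fsid=0)
EOF

exports_audit "$SAMPLE_EXPORTS"
```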
sudo nano /etc/krb5.conf
....
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
.....
[realms]
KURROLA.FI = {
kdc = mpi1.kurrola.dy.fi:60088
kdc = mpi2.kurrola.dy.fi:60088
kdc = 192.168.0.41:60088
kdc = 192.168.0.40:60088
admin_server = mpi1.kurrola.dy.fi:60088
}
[domain_realm]
.kurrola.dy.fi = KURROLA.FI
kurrola.dy.fi = KURROLA.FI
[login]
krb4_convert = true
krb4_get_tickets = false
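The [libdefaults] fragments on this page (allow_weak_crypto with des-cbc-md5 earlier, des3-hmac-sha1 here) both ask for enctypes that current MIT Kerberos treats as weak or deprecated. The following audit helper is added here and is not part of the original page: it classifies every enctype named in a krb5.conf and reports whether allow_weak_crypto is set. The sample krb5.conf is constructed from this page's fragments.

```shell
#!/bin/sh
# Classify the enctypes a krb5.conf asks for. Single-DES (des-*) types are "weak" and
# MIT Kerberos only uses them when allow_weak_crypto = yes; des3-* and RC4 are
# deprecated in current MIT releases. Anything else (e.g. aes*) is reported as OK.
set -eu

krb5_enctype_audit() {
    # $1: path to a krb5.conf. Prints one WEAK/DEPRECATED/OK line per enctype listed
    # in [libdefaults], then a SUMMARY line; always returns 0.
    awk '
        /^[[:space:]]*\[/ { section = $0; gsub(/\[|\]|[[:space:]]/, "", section); next }
        section != "libdefaults" { next }
        /_enctypes[[:space:]]*=|allow_weak_crypto/ {
            sub(/#.*/, "")                       # drop trailing comments
            split($0, kv, "=")
            key = kv[1]; gsub(/[[:space:]]/, "", key)
            val = kv[2]; sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            if (key == "allow_weak_crypto") { weak_allowed = (val == "yes" || val == "true"); next }
            n = split(val, types, /[[:space:],]+/)
            for (i = 1; i <= n; i++) {
                t = types[i]
                if (t ~ /^des-/)                     { print "WEAK " key " " t; weak++ }
                else if (t ~ /^des3-|^arcfour|^rc4/) { print "DEPRECATED " key " " t; dep++ }
                else                                 { print "OK " key " " t }
            }
        }
        END { printf "SUMMARY weak=%d deprecated=%d allow_weak_crypto=%s\n", weak, dep, (weak_allowed ? "yes" : "no") }
    ' "$1"
}

# Constructed sample, modelled on the [libdefaults] and [realms] fragments on this page.
SAMPLE_KRB5_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_KRB5_CONF"' EXIT
cat > "$SAMPLE_KRB5_CONF" <<'EOF'
[libdefaults]
    allow_weak_crypto = yes
    default_tkt_enctypes = des-cbc-md5 des3-hmac-sha1
    default_tgs_enctypes = des-cbc-md5 des3-hmac-sha1
    permitted_enctypes = des3-hmac-sha1 aes256-cts-hmac-sha1-96

[realms]
    KURROLA.FI = {
        kdc = mpi1.kurrola.dy.fi:60088
        admin_server = mpi1.kurrola.dy.fi:60088
    }
EOF

krb5_enctype_audit "$SAMPLE_KRB5_CONF"
```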
server:
ktutil
ktutil: addent -password -p nfs/KURROLA.FI@KURROLA.FI -k 1 -e des3-hmac-sha1
<password>
ktutil: wkt /etc/krb5.keytab
ktutil: q
NFS client
sudo apt-get install nfs-common krb5-user krb5-config
client:
ktutil
ktutil: addent -password -p nfs/kaak.kurrola.dy.fi@KURROLA.FI -k 1 -e des3-hmac-sha1
<password>
ktutil: wkt /etc/krb5.keytab
ktutil: q