ApacheDS server-side configuration
After saving, restart ApacheDS.
Reopen Apache Directory Studio.
Choose File -> New -> LDIF File.
Add the following two LDIF entries (both are required); they create the Kerberos database records (the principals) that the KDC reads from the directory.
dn: ou=servicePrincioals,o=users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: servicePrincioals

dn: uid=krbtgt,ou=servicePrincioals,o=users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: uidObject
objectClass: krb5KDCEntry
objectClass: krb5Principal
objectClass: top
krb5KeyVersionNumber: 1
krb5PrincipalName: krbtgt/SOUCHE.COM@SOUCHE.COM
ou: TGT
uid: krbtgt
userPassword:: e1NTSEF9bkE3Njl4dlZqUkFHZStUZU95bE5xUHJmNC9aTFhHOVdCQm9PWmc9P
Add the user entry:
dn: uid=test,o=users,dc=example,dc=com
objectClass: krb5KDCEntry
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: top
cn: test
krb5KeyVersionNumber: 7
krb5PrincipalName: test@EXAMPLE.COM
sn: test
uid: test
userPassword:: e1NTSEF9bkE3Njl4dlZqUkFHZStUZU95bE5xUHJmNC9aTFhHOVdCQm9PWmc9P

The passwords above can all be changed; when you set them, use the plaintext format. This matters because ApacheDS derives the Kerberos keys of a krb5KDCEntry from its userPassword attribute, so that attribute has to hold the actual password rather than an already-hashed value. Also use one realm name for every principal: the krbtgt entry above names SOUCHE.COM while the user entry names EXAMPLE.COM, and the KDC can only issue tickets for a user whose realm matches its krbtgt principal.
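As an added example (not code from the page or from the ApacheDS project), the Python script below generates the two kinds of entries shown above from a realm and base DN, parses LDIF back (including the "::" base64 form the userPassword lines use), and checks the two things that most often break a fresh ApacheDS KDC: a principal whose realm differs from the krbtgt entry, and a userPassword that is stored as a digest instead of plaintext. The realm, base DN, OU name and passwords are constructed values; the OU is spelled servicePrincipals here, which is this example's own choice, not the page's DN.

```python
import base64
import re

# Constructed values for this example (not the page's deployment). The OU name is this
# example's own spelling; use whatever container your directory layout has.
REALM = "EXAMPLE.COM"
BASE_DN = "o=users,dc=example,dc=com"
SERVICE_OU = "servicePrincipals"


def ldif_line(attr, value):
    """One attribute line. Plain ASCII values use 'attr: value'; a value that is non-ASCII,
    non-printable, starts with space/':'/'<' or ends with a space is written base64 as
    'attr:: <b64>' (RFC 2849), which is the form the page's userPassword lines use."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def krbtgt_entry(realm, base_dn, ou, password, kvno=1):
    """TGT principal: the KDC needs krbtgt/REALM@REALM before it can issue any ticket."""
    lines = [f"dn: uid=krbtgt,ou={ou},{base_dn}",
             "objectClass: top", "objectClass: organizationalUnit", "objectClass: uidObject",
             "objectClass: krb5Principal", "objectClass: krb5KDCEntry",
             "ou: TGT", "uid: krbtgt",
             ldif_line("krb5PrincipalName", f"krbtgt/{realm}@{realm}"),
             f"krb5KeyVersionNumber: {kvno}", ldif_line("userPassword", password)]
    return "\n".join(lines) + "\n"


def user_entry(realm, base_dn, uid, password, kvno=1):
    """User principal: inetOrgPerson plus the krb5Principal/krb5KDCEntry auxiliary classes."""
    lines = [f"dn: uid={uid},{base_dn}",
             "objectClass: top", "objectClass: person", "objectClass: organizationalPerson",
             "objectClass: inetOrgPerson", "objectClass: krb5Principal", "objectClass: krb5KDCEntry",
             f"cn: {uid}", f"sn: {uid}", f"uid: {uid}",
             ldif_line("krb5PrincipalName", f"{uid}@{realm}"),
             f"krb5KeyVersionNumber: {kvno}", ldif_line("userPassword", password)]
    return "\n".join(lines) + "\n"


_ATTR = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts. Folded lines (continuation
    lines start with one space) are joined and '::' values are base64-decoded."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR.match(line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        attr, sep, raw = m.groups()
        value = base64.b64decode(raw).decode("utf-8") if sep == "::" else raw
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


_HASH_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")   # {SSHA}, {SHA}, {MD5}, ...


def check_principals(entries, realm):
    """Problems that stop these entries from working as KDC principals: a principal outside
    the expected realm, a krbtgt name other than krbtgt/REALM@REALM, or a userPassword stored
    as a digest. ApacheDS derives the Kerberos keys of a krb5KDCEntry from userPassword, so
    that attribute has to hold the real password, not an {SSHA} hash."""
    problems = []
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        for principal in entry.get("krb5PrincipalName", []):
            name, _, prealm = principal.rpartition("@")
            if prealm != realm:
                problems.append(f"{dn}: {principal} is not in realm {realm}")
            elif name.startswith("krbtgt/") and name != f"krbtgt/{realm}":
                problems.append(f"{dn}: TGT principal must be krbtgt/{realm}@{realm}")
        if "krb5KDCEntry" in entry.get("objectClass", []):
            for pw in entry.get("userPassword", []):
                if _HASH_PREFIX.match(pw):
                    problems.append(f"{dn}: userPassword is pre-hashed; the KDC cannot derive keys from it")
    return problems


if __name__ == "__main__":
    ldif = krbtgt_entry(REALM, BASE_DN, SERVICE_OU, "tgt-secret") + "\n" \
        + user_entry(REALM, BASE_DN, "test", "pässwörd")
    print(ldif)
    print(check_principals(parse_ldif(ldif), REALM) or "no problems found")
```

Running the script prints an LDIF file you can paste into Directory Studio's LDIF editor and then reports any realm or password-storage problems. Running check_principals over an export of an existing directory (parse_ldif accepts any LDIF text) is a quick way to find why kinit reports a wrong password or an unknown realm after the import.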
Client verification
The following configuration has to be added on the client:
/etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
# The encryption types below must be listed, otherwise kinit fails with a wrong-password error
default_tkt_enctypes = aes128-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-md5 aes128-cts des3-cbc-sha1-kd aes128-cts-hmac-sha1-96
[realms]
SOUCHE.COM = {
# the port is the KDC port, the host is the IP of the machine running ApacheDS
kdc = 172.17.41.20:60088
# the port is the admin port
admin_server = 172.17.41.20:60464
# acl_file = /etc/krb5kdc/store/kadm5.acl
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

Two things to check in this file before testing: the realm named in [realms] (SOUCHE.COM above) must be the same realm as default_realm, the [domain_realm] mappings and the krbtgt principal in the directory, otherwise the client has no KDC address for the realm it requests tickets from; and des-cbc-md5 is a single-DES type that MIT Kerberos has disabled by default since release 1.8 and removed in 1.18, so on a current client list only the AES types the ApacheDS KDC supports.

How to test:
kinit test
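Before running kinit it is worth checking krb5.conf mechanically. The Python checker below is an added example, not code from the page or from MIT Kerberos or ApacheDS: it parses the krb5.conf profile format (sections, key = value lines and the braced realm stanzas), then reports a default_realm without a [realms] stanza, [domain_realm] mappings to undefined realms, kdc/admin_server values that are not host[:port], and enctypes that are single DES, deprecated, or listed twice. The two embedded configurations are constructed samples: the first reproduces the values of the file above, the second is a corrected version using one realm and only AES types.

```python
import re

# Constructed sample reproducing the krb5.conf values shown above (indentation added).
# It mixes two realm names and lists DES enctypes.
PAGE_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = aes128-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-md5 aes128-cts des3-cbc-sha1-kd aes128-cts-hmac-sha1-96
[realms]
SOUCHE.COM = {
  kdc = 172.17.41.20:60088
  admin_server = 172.17.41.20:60464
  # acl_file = /etc/krb5kdc/store/kadm5.acl
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
"""

# Corrected version: one realm name everywhere and only AES encryption types.
FIXED_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
EXAMPLE.COM = {
  kdc = 172.17.41.20:60088
  admin_server = 172.17.41.20:60464
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
"""

SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1"}
DEPRECATED = {"des3-cbc-sha1", "des3-cbc-sha1-kd", "des3-cbc-raw",
              "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "arcfour-hmac-exp"}
ALIASES = {"aes128-cts": "aes128-cts-hmac-sha1-96", "aes256-cts": "aes256-cts-hmac-sha1-96"}
HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format: [section] headers, key = value lines and nested
    'NAME = { ... }' blocks such as the realm stanzas. Comment lines start with # or ;."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if not stack:
            raise ValueError(f"key outside any section: {line!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def check_krb5_conf(conf):
    """Return the problems a Kerberos client would hit with this configuration."""
    problems = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        problems.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] stanza "
                        f"(defined: {', '.join(realms) or 'none'})")
    for name, stanza in realms.items():
        if not isinstance(stanza, dict):
            continue
        for key in ("kdc", "admin_server"):
            value = stanza.get(key)
            if value is None:
                problems.append(f"[realms] {name}: missing {key}")
            elif not HOSTPORT.match(value):
                problems.append(f"[realms] {name}: {key} = {value!r} is not host[:port]")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"[domain_realm] {domain} maps to undefined realm {realm}")
    seen = set()
    for etype in libdefaults.get("default_tkt_enctypes", "").split():
        canonical = ALIASES.get(etype, etype)   # aes128-cts is the same type as aes128-cts-hmac-sha1-96
        if canonical in seen:
            problems.append(f"enctype {etype} is listed more than once (as {canonical})")
        seen.add(canonical)
        if etype in SINGLE_DES:
            problems.append(f"enctype {etype} is single DES: off by default since krb5 1.8, removed in 1.18")
        elif etype in DEPRECATED:
            problems.append(f"enctype {etype} is deprecated (3DES/RC4); prefer the AES types")
    return problems


if __name__ == "__main__":
    for label, text in (("page config", PAGE_KRB5_CONF), ("fixed config", FIXED_KRB5_CONF)):
        print(label + ":")
        for p in check_krb5_conf(parse_krb5_conf(text)) or ["no problems found"]:
            print("  " + p)
```

To check a real client, read /etc/krb5.conf into a string and pass it through parse_krb5_conf and check_krb5_conf; an empty list means the realm names line up and the enctype list contains nothing a current MIT Kerberos build will refuse.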
Notes:
Service overview: the KDC issues Kerberos tickets within a realm and listens on port 88 by default. The Kerberos admin server handles password changes and realm administration; the password-change service defaults to port 464 and the admin service to port 749.
Valid principal formats:
john@APACHE.ORG                              A user
john/admin@APACHE.ORG                        A user who is an admin
host/www.apache.org/apache.org@APACHE.ORG    A host with two hostnames
ldap/www.apache.org@APACHE.ORG               A service (LDAP server)