
Kerberos/OpenLDAP Administration

This document describes the tasks involved in maintaining your own account and, for administrators, managing user accounts.

Changing your password

Obtain a ticket, change the password with kpasswd, then discard the ticket:

$ kinit <user>@TDVENLO.NL
Password for <user>@TDVENLO.NL:
$ kpasswd
Password for <user>@TDVENLO.NL: 
Enter new password: 
Enter it again: 
Password changed.
$ kdestroy

Administrative tasks

Managing OpenLDAP requires that you hold a valid Kerberos ticket and are a member of one of the following groups:

  • cn=Operators,dc=ald-weishoes,dc=lan
  • cn=Administrators,dc=ald-weishoes,dc=lan

Managing Kerberos requires credentials for the admin instance of your own principal, <account>/admin@TDVENLO.NL; kadmin prompts for its password on every command. The tools needed to administer the Kerberos/OpenLDAP domain are installed on all client PCs.

Commissioning a new account takes several steps, described below:

  1. Create account
  2. Create group
  3. Create kerberos principal
  4. Change kerberos password

Note that the following restrictions apply:

  1. uid / gid (account and group name): lowercase letters only (no digits, no punctuation marks). Must be unique.
  2. cn: Full name with capitals and spaces. Must be unique.
  3. givenName: First name only (with capital).
  4. sn: Last name only (with capital).

Find the highest assigned uidNumber

$ ldapsearch -Q -LLL -H ldap://kadmin.ald-weishoes.lan -b ou=People,dc=ald-weishoes,dc=lan uidNumber | awk '/uidNumber/{print $2}' | sort -n | tail -1

Create the LDAP object

$ echo "dn: uid=<account>,ou=People,dc=ald-weishoes,dc=lan
changetype: add
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
objectClass: top
uid: <account>
cn: <Full Name>
givenName: <First Name>
sn: <Surname>
loginShell: /bin/bash
uidNumber: <uid>
gidNumber: <gid>
homeDirectory: /nethomes/<account>
krbPrincipalName: <account>@TDVENLO.NL
userPassword: {SASL}<account>@TDVENLO.NL
mail: <account>@tdvenlo.nl" | ldapmodify -Q -H ldaps://kadmin.ald-weishoes.lan

Create the group

$ echo "dn: cn=<account>,ou=Groups,dc=ald-weishoes,dc=lan
changetype: add
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: <account>
gidNumber: <gid>
member: cn=Nobody,dc=ald-weishoes,dc=lan" | ldapmodify -Q -H ldaps://kadmin.ald-weishoes.lan

Create the Kerberos principal

$ kadmin addprinc <account>@TDVENLO.NL
Password for <user>/admin@TDVENLO.NL: 
Enter password for principal "<account>@TDVENLO.NL": 
Re-enter password for principal "<account>@TDVENLO.NL": 

Change the Kerberos password

$ kadmin cpw <account>@TDVENLO.NL
Password for <user>/admin@TDVENLO.NL: 
Enter password for principal "<account>@TDVENLO.NL": 
Re-enter password for principal "<account>@TDVENLO.NL": 

Lock a principal

The following disallows ticket issuance for the principal, flags it as requiring a password change, and replaces its key with a random one, so the old password no longer works:

$ kadmin modprinc -allow_tix +needchange <account>@TDVENLO.NL
Password for <user>/admin@TDVENLO.NL: 
$ kadmin cpw -randkey <account>@TDVENLO.NL
Password for <user>/admin@TDVENLO.NL: 

Change the uidNumber or gidNumber of an existing account

ldapmodify reads the LDIF from standard input; type it after the command and finish with Ctrl-D. When changing a gidNumber, change it on the account entry and on its group in the same session so the two stay in step:

$ ldapmodify -Q -H ldap://kadmin.ald-weishoes.lan
dn: uid=<account>,ou=People,dc=ald-weishoes,dc=lan
changetype: modify
replace: uidNumber
uidNumber: <uidNumber>
$ ldapmodify -Q -H ldap://kadmin.ald-weishoes.lan
dn: uid=<account>,ou=People,dc=ald-weishoes,dc=lan
changetype: modify
replace: gidNumber
gidNumber: <gidNumber>
$ ldapmodify -Q -H ldap://kadmin.ald-weishoes.lan
dn: cn=<account>,ou=Groups,dc=ald-weishoes,dc=lan
changetype: modify
replace: gidNumber
gidNumber: <gidNumber>
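The commissioning steps above (find the next free uidNumber, create the account entry, create its group) as one script, checking the naming restriction before anything is written. This is an added example, not the wiki's own tooling: the host, base DN, realm and LDIF attributes come from the page; MIN_UID, giving the new group the same number as the uidNumber, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the wiki's own code: builds the LDIF for a new account and
# its group from the commissioning steps. MIN_UID and gid = uid are assumptions.
set -eu
LDAP_URI="ldaps://kadmin.ald-weishoes.lan"
BASE="dc=ald-weishoes,dc=lan"
REALM="TDVENLO.NL"
MIN_UID=1000   # assumed first uidNumber handed out on an empty tree

# Restriction 1: account/group name is lowercase letters only.
valid_account_name() {
    printf '%s' "$1" | grep -Eq '^[a-z]+$'
}

# Next free uidNumber from "ldapsearch ... uidNumber" output on stdin
# (same awk filter as the "find highest assigned uidNumber" command).
next_uid_number() {
    max=$(awk '/^uidNumber:/{print $2}' | sort -n | tail -1)
    if [ -z "$max" ] || [ "$max" -lt "$MIN_UID" ]; then echo "$MIN_UID"
    else echo $((max + 1)); fi
}

# Account entry; the group created below reuses the uidNumber as gidNumber.
user_ldif() {   # <account> "<Full Name>" <First> <Surname> <uid>
    printf 'dn: uid=%s,ou=People,%s\nchangetype: add\n' "$1" "$BASE"
    printf 'objectClass: %s\n' krbPrincipalAux krbTicketPolicyAux posixAccount \
        organizationalPerson inetOrgPerson person top
    printf 'uid: %s\ncn: %s\ngivenName: %s\nsn: %s\n' "$1" "$2" "$3" "$4"
    printf 'loginShell: /bin/bash\nuidNumber: %s\ngidNumber: %s\n' "$5" "$5"
    printf 'homeDirectory: /nethomes/%s\nkrbPrincipalName: %s@%s\n' "$1" "$1" "$REALM"
    printf 'userPassword: {SASL}%s@%s\nmail: %s@tdvenlo.nl\n' "$1" "$REALM" "$1"
}

group_ldif() {  # <account> <gid>
    printf 'dn: cn=%s,ou=Groups,%s\nchangetype: add\n' "$1" "$BASE"
    printf 'objectClass: %s\n' groupOfNames posixGroup top
    printf 'cn: %s\ngidNumber: %s\nmember: cn=Nobody,%s\n' "$1" "$2" "$BASE"
}

# Live run: commission <account> "<Full Name>" <First> <Surname>
# Needs a ticket from kinit; -Q binds with it, and writes go over ldaps.
commission() {
    valid_account_name "$1" || { echo "rejected account name: $1" >&2; return 1; }
    uid=$(ldapsearch -Q -LLL -H "$LDAP_URI" -b "ou=People,$BASE" uidNumber | next_uid_number)
    user_ldif "$1" "$2" "$3" "$4" "$uid" | ldapmodify -Q -H "$LDAP_URI"
    group_ldif "$1" "$uid" | ldapmodify -Q -H "$LDAP_URI"
}
```

The Kerberos principal is still created and its password set with kadmin as shown above; the script only prepares and loads the directory side.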

Last modified: 24/02/2024 16:56 by harm