Kerberos/OpenLDAP Administration
This document describes the tasks related to maintaining your own account, and to managing user accounts as an administrator.
Retrieve a Kerberos ticket
$ kinit <user>@TDVENLO.NL
Password for <user>@TDVENLO.NL:
Change your Kerberos password
$ kpasswd
Password for <user>@TDVENLO.NL:
Enter new password:
Enter it again:
Password changed.
Destroy the Kerberos ticket after use
$ kdestroy
Administrative tasks
Managing OpenLDAP requires that you have a valid ticket and are a member of one of the following groups:
- cn=Operators,dc=ald-weishoes,dc=lan
- cn=Administrators,dc=ald-weishoes,dc=lan
Managing Kerberos requires that you have credentials for the <account>/admin@TDVENLO.NL instance of your Kerberos principal. The tools required to administer the Kerberos/OpenLDAP domain are installed on all client PCs.
Commissioning a new account is done in several steps, described below:
- Create account
- Create group
- Create kerberos principal
- Change kerberos password
Note that the following restrictions apply:
- uid/guid: all lowercase, letters only (no digits, no punctuation marks). Must be unique.
- cn: Full name with capitals and spaces. Must be unique.
- givenName: First name only (with capital).
- sn: Last name only (with capital).
Create account
Find highest assigned uidNumber
$ ldapsearch -Q -LLL -H ldap://kadmin.ald-weishoes.lan -b ou=People,dc=ald-weishoes,dc=lan uidNumber | awk '/uidNumber/{print $2}' | sort -n | tail -1
Create the LDAP object
$ echo "dn: uid=<account>,ou=People,dc=ald-weishoes,dc=lan
changetype: add
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
objectClass: top
uid: <account>
cn: <Full Name>
givenName: <First Name>
sn: <Surname>
loginShell: /bin/bash
uidNumber: <uid>
gidNumber: <gid>
homeDirectory: /nethomes/<account>
krbPrincipalName: <account>@TDVENLO.NL
userPassword: {SASL}<account>@TDVENLO.NL
mail: <account>@tdvenlo.nl" | ldapmodify -Q -H ldaps://kadmin.ald-weishoes.lan
Create group
$ echo "dn: cn=<account>,ou=Groups,dc=ald-weishoes,dc=lan
changetype: add
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: <account>
gidNumber: <gid>
member: cn=Nobody,dc=ald-weishoes,dc=lan" | ldapmodify -Q -H ldaps://kadmin.ald-weishoes.lan
Create Kerberos principal
$ kadmin addprinc <account>@TDVENLO.NL
Password for <user>/admin@TDVENLO.NL:
Enter password for principal "<account>@TDVENLO.NL":
Re-enter password for principal "<account>@TDVENLO.NL":
Change password
$ kadmin cpw <account>@TDVENLO.NL
Password for <user>/admin@TDVENLO.NL:
Enter password for principal "<account>@TDVENLO.NL":
Re-enter password for principal "<account>@TDVENLO.NL":
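The commissioning steps above, collected into one script as an added example (not part of this page or of the site's own tooling). It enforces the naming rules, refuses an existing uid or cn before anything is created, derives the next uidNumber the same way as the ldapsearch pipeline above, and assumes each account gets a private group whose gidNumber equals its uidNumber (the page leaves <gid> open).

```shell
# Added example, not from the page. Assumption: each account gets a private
# group whose gidNumber equals its uidNumber; the page leaves <gid> open.
BASE="dc=ald-weishoes,dc=lan"
LDAP_URI="ldaps://kadmin.ald-weishoes.lan"
REALM="TDVENLO.NL"

# uid rule from the page: lowercase letters only, no digits or punctuation
valid_uid() {
  case "$1" in ''|*[!abcdefghijklmnopqrstuvwxyz]*) return 1 ;; esac
}

# reads assigned uidNumbers on stdin, prints the next free one (floor 1000 assumed)
next_uidnumber() {
  max=$(sort -n | tail -1)
  if [ -z "$max" ] || [ "$max" -lt 999 ]; then max=999; fi
  echo $((max + 1))
}

# LDIF for the People entry; args: account uidNumber gidNumber givenName sn
user_ldif() {
  printf 'dn: uid=%s,ou=People,%s\nchangetype: add\n' "$1" "$BASE"
  printf 'objectClass: %s\n' krbPrincipalAux krbTicketPolicyAux posixAccount \
    organizationalPerson inetOrgPerson person top
  printf 'uid: %s\ncn: %s %s\ngivenName: %s\nsn: %s\n' "$1" "$4" "$5" "$4" "$5"
  printf 'loginShell: /bin/bash\nuidNumber: %s\ngidNumber: %s\n' "$2" "$3"
  printf 'homeDirectory: /nethomes/%s\nkrbPrincipalName: %s@%s\n' "$1" "$1" "$REALM"
  printf 'userPassword: {SASL}%s@%s\nmail: %s@tdvenlo.nl\n' "$1" "$REALM" "$1"
}

# LDIF for the matching Groups entry; args: account gidNumber
group_ldif() {
  printf 'dn: cn=%s,ou=Groups,%s\nchangetype: add\n' "$1" "$BASE"
  printf 'objectClass: %s\n' groupOfNames posixGroup top
  printf 'cn: %s\ngidNumber: %s\nmember: cn=Nobody,%s\n' "$1" "$2" "$BASE"
}

# whole procedure; args: account givenName sn (kadmin prompts for <user>/admin)
commission_account() {
  klist -s || { echo "no valid Kerberos ticket, run kinit first" >&2; return 1; }
  valid_uid "$1" || { echo "refusing '$1': lowercase letters only" >&2; return 1; }
  # uid and cn must be unique: stop before creating anything if either exists
  if ldapsearch -Q -LLL -H "$LDAP_URI" -b "ou=People,$BASE" "(|(uid=$1)(cn=$2 $3))" dn |
      grep -q '^dn:'; then
    echo "refusing '$1': uid or cn already in use" >&2; return 1
  fi
  uidnum=$(ldapsearch -Q -LLL -H "$LDAP_URI" -b "ou=People,$BASE" uidNumber |
      awk '/^uidNumber:/{print $2}' | next_uidnumber)
  user_ldif "$1" "$uidnum" "$uidnum" "$2" "$3" | ldapmodify -Q -H "$LDAP_URI" &&
  group_ldif "$1" "$uidnum" | ldapmodify -Q -H "$LDAP_URI" &&
  kadmin addprinc +needchange "$1@$REALM"   # +needchange: password must be changed at first use
}
```

Run it as `commission_account jdoe John Doe` after `kinit`; the new principal gets +needchange so the initial password set at the kadmin prompt has to be replaced with kpasswd before it can be used for anything else.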
Disable account
$ kadmin modprinc -allow_tix +needchange <account>@TDVENLO.NL
Password for <user>/admin@TDVENLO.NL:
$ kadmin cpw -randkey <account>@TDVENLO.NL
Password for <user>/admin@TDVENLO.NL:
Modify uid, gid and groups for <account>
$ echo "dn: uid=<account>,ou=People,dc=ald-weishoes,dc=lan
changetype: modify
replace: uidNumber
uidNumber: <uidNumber>" | ldapmodify -Q -H ldap://kadmin.ald-weishoes.lan
$ echo "dn: uid=<account>,ou=People,dc=ald-weishoes,dc=lan
changetype: modify
replace: gidNumber
gidNumber: <gidNumber>" | ldapmodify -Q -H ldap://kadmin.ald-weishoes.lan
$ echo "dn: cn=<account>,ou=Groups,dc=ald-weishoes,dc=lan
changetype: modify
replace: gidNumber
gidNumber: <gidNumber>" | ldapmodify -Q -H ldap://kadmin.ald-weishoes.lan