The Kerberos and LDAP authentication

Eugenia Kuzina

Kerberos is a protocol for authentication service requests between trusted hosts across an untrusted network. Kerberos manages credentials (authentication), while LDAP holds authoritative information about user accounts and their access rights (authorization).

We create a secure connection between two hosts (OS — CentOS):

  • 10.92.6.36, adpg-host, adpg-host.domain.local;

  • 10.92.6.201, freeipa-host, freeipa-host.domain.local.

ADPG is installed on adpg-host.

Install the FreeIPA server

We use Docker CE to deploy the FreeIPA server on freeipa-host. Follow the steps below to install FreeIPA.

  1. Execute the command below to add host names and their IP addresses to the hosts file:

    sudo tee -a /etc/hosts > /dev/null <<EOT
10.92.6.36  adpg-host.domain.local adpg-host
10.92.6.201 freeipa-host.domain.local freeipa-host
EOT

  2. Use the hostnamectl tool to set the hostname:

    sudo hostnamectl set-hostname freeipa-host.domain.local

  3. Execute the following commands to disable SELinux:

    sudo setenforce 0
sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
sudo reboot

  4. Install Docker CE:

    sudo -i
yum remove docker \
               docker-client \
               docker-client-latest \
               docker-common \
               docker-latest \
               docker-latest-logrotate \
               docker-logrotate \
               docker-engine
yum install -y yum-utils
yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
yum install docker-ce docker-ce-cli containerd.io docker-compose-plugin
systemctl start docker
systemctl enable docker

  5. Create the ipa-data directory for the FreeIPA configuration files, specify FreeIPA installation options, and write them to the ipa-server-install-options file:

    mkdir /var/lib/ipa-data
tee -a /var/lib/ipa-data/ipa-server-install-options > /dev/null <<EOT
--realm=DOMAIN.LOCAL
--ds-password=freeipaDSpass
--admin-password=freeipaADMINpass
EOT

  6. Install the FreeIPA server:

    docker run -ti -h freeipa-host.domain.local --read-only \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    --name freeipa \
    --network host \
    -v /var/lib/ipa-data:/data:Z -v /etc/hosts:/etc/hosts \
    -e PASSWORD=Password123 \
    freeipa/freeipa-server:centos-7 ipa-server-install -U -r DOMAIN.LOCAL --no-ntp

Install the FreeIPA client

Install the FreeIPA client on adpg-host.

  1. Add host names and their IP addresses to the hosts file:

    sudo tee -a /etc/hosts > /dev/null <<EOT
10.92.6.36  adpg-host.domain.local adpg-host
10.92.6.201 freeipa-host.domain.local freeipa-host
EOT

  2. Use the hostnamectl tool to set the hostname:

    sudo hostnamectl set-hostname adpg-host.domain.local

  3. Execute the following commands to disable SELinux:

    sudo setenforce 0
sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
sudo reboot

  4. Install the FreeIPA client:

    sudo -i

yum install freeipa-client

  5. Utilize the ipa-client-install command to configure adpg-host to use IPA:

    ipa-client-install --mkhomedir --domain=domain.local --server=adpg-host.domain.local

    The terminal displays the following notification:

    Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]:

    Type yes to continue with fixed values. The fixed values are displayed:

    Client hostname: adpg-host.domain.local
Realm: DOMAIN.LOCAL
DNS Domain: domain.local
IPA Server: freeipa-host.domain.local
BaseDN: dc=domain,dc=local

Continue to configure the system with these values? [no]:

    Type yes to confirm the settings.

    Specify admin as the authorized user:

    User authorized to enroll computers: admin

    Enter the password that is passed as the PASSWORD parameter of the docker run command (in our example — Password123).

  6. Use the kinit command to obtain a new Kerberos ticket. Execute the klist command to check if a Kerberos ticket is created:

    kinit admin
klist

  7. Add a user and set their password:

    ipa user-add pguser --first=pguser --last=PG --password

    The result:

    -------------------
Added user "pguser"
-------------------
  User login: pguser
  First name: pguser
  Last name: PG
  Full name: pguser PG
  Display name: pguser PG
  Initials: pP
  Home directory: /home/pguser
  GECOS: pguser PG
  Login shell: /bin/sh
  Principal name: pguser@DOMAIN.LOCAL
  Principal alias: pguser@DOMAIN.LOCAL
  User password expiration: 20220804150601Z
  Email address: pguser@domain.local
  UID: 1391600001
  GID: 1391600001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

  8. Services require Service Principal Name (SPN) to perform Kerberos authentication. Register the postgres service to obtain SPN:

    ipa service-add postgres/adpg-host.domain.local@DOMAIN.LOCAL --force

    The result:

    ---------------------------------------------------------------
Added service "postgres/adpg-host.domain.local@DOMAIN.LOCAL"
---------------------------------------------------------------
  Principal name: postgres/adpg-host.domain.local@DOMAIN.LOCAL
  Principal alias: postgres/adpg-host.domain.local@DOMAIN.LOCAL
  Managed by: adpg-host.domain.local

Configure ADPG for Kerberos

Create a keytab on adpg-host :

ipa-getkeytab --principal=postgres/adpg-host.domain.local@DOMAIN.LOCAL --keytab=/etc/krb5.keytab

Use the chown command to change the owner and the group of the krb5.keytab file:

chown postgres:postgres /etc/krb5.keytab

Utilize ADCM to change the ADPG configuration settings. Open Clusters → ADPG cluster → Services → ADPG → Primary configuration and set listen_addresses to *.

Add the following line to the postgresql.conf custom section:

krb_server_keyfile = '/etc/krb5.keytab'

Add the following line to the PG_HBA section:

host all pguser 0.0.0.0/0 gss  include_realm=0 krb_realm=DOMAIN.LOCAL

Click the Save button and execute the Reconfigure & Restart action to apply changes.

Create a user on adpg-host:

sudo su - postgres
psql -c "CREATE USER pguser"

Test the GSSAPI-encrypted connection:

kinit pguser
psql -h adpg-host.domain.local -U pguser postgres

The result:

psql (14.3)
GSSAPI-encrypted connection
Type "help" for help.

postgres=#

Install the openldap-clients package

The openldap-clients package contains command line tools to view and modify directories on an LDAP server. Install openldap-clients on adpg-host:

yum install openldap-clients -y

Execute the klist command to check if a current system user obtains a Kerberos ticket with IPA administrative privilege. If not, run the command kinit admin:

klist
kinit admin

Add a user:

ipa user-add pgldap --first=pgldap --last=PG --password

Test the connection:

ldapsearch -x -h freeipa-host.domain.local  -b dc=domain,dc=local uid=pgldap

Configure ADPG to use LDAP

Create the pgldap user:

sudo su - postgres
psql -c "CREATE USER pgldap"

Add the following line to the PG_HBA section:

host all pgldap 0.0.0.0/0 ldap  ldapserver=freeipa-host.domain.local ldapbasedn="cn=users,cn=compat,dc=domain,dc=local" ldapsearchattribute=uid

Click the Save button and execute the Reconfigure & Reload action to apply changes.

Test the GSSAPI-encrypted connection:

kinit pgldap
psql -h adpg-host.domain.local -U pgldap postgres

The result:

psql (14.3)
GSSAPI-encrypted connection
Type "help" for help.

postgres=#
Found a mistake? Seleсt text and press Ctrl+Enter to report it