HOTFIX: start krb service with service manager, in kadm5.acl set every permission to default admin user from LDAP, bind admin Kerberos principal to LDAP admin at creation, ADDED: readme

This commit is contained in:
nugaon
2020-07-29 22:14:55 +02:00
parent e68a512974
commit 3b2b193a33
2 changed files with 31 additions and 25 deletions


@@ -3,10 +3,9 @@ This image is for testing purposes for Kerberos/LDAP environments.
With this Kerberos image you can initialize an Ubuntu based Kerberos server with LDAP connections. With this Kerberos image you can initialize an Ubuntu based Kerberos server with LDAP connections.
The whole project based on `mrenouf/docker-images` repository, but this codebase is not compatible with that. The whole project based on `mrenouf/docker-images` repository, but this codebase is not compatible with that.
#### Quick start # Quick start
``` > docker run -d --net docker_overlay -v /dev/urandom:/dev/random --name kerberos nugaon/kerberos-with-ldap
docker run -d -v /dev/urandom:/dev/random --name kerberos nugaon/kerberos-with-ldap
```
The containers have a pretty bad entropy level so the KDC won't start because of this. We can overcome this by using `/dev/urandom` which is less secure but does not care about entropy. The containers have a pretty bad entropy level so the KDC won't start because of this. We can overcome this by using `/dev/urandom` which is less secure but does not care about entropy.
Obviously, this Kerberos container has to be run on the same network as the ldap container or make it possible to reach the outsider LDAP server. For the former case, Obviously, this Kerberos container has to be run on the same network as the ldap container or make it possible to reach the outsider LDAP server. For the former case,
I suggest for you to use my compatible LDAP docker with Kerberos image `nugaon/openldap-with-kerberos`, I suggest for you to use my compatible LDAP docker with Kerberos image `nugaon/openldap-with-kerberos`,
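Review bot: The new Quick start command drops `--net docker_overlay`, yet the paragraph right below it still says the container has to be on the same network as the LDAP container; either keep a `--net <network>` placeholder in the example or state explicitly that the reader must add one. The `-v /dev/urandom:/dev/random` mount is explained as a trade-off for low container entropy, which is fine for a test image, but the sentence "which is less secure but does not care about entropy" would be clearer as "which does not block on entropy and is acceptable only for testing", since the README already states the image is for testing purposes.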
@@ -14,20 +13,27 @@ that you can find on [GitHub](https://github.com/nugaon/docker-openldap-with-ker
Useful environment variables: Useful environment variables:
| Environment variables | Description | | Environment variables | Description | Default value |
| --------------------- | ----------------------------- | | --------------------- | ----------------------------- | ------------------------ |
| `REALM` | the Kerberos realm | | `REALM` | the Kerberos realm | EXAMPLE.COM |
| `DOMAIN_REALM` | the DNS domain for the realm | | `DOMAIN_REALM` | the DNS domain for the realm | example.com |
| `KERB_MASTER_KEY` | master key for the KDC | | `KERB_MASTER_KEY` | master key for the KDC | masterkey |
| `KERB_ADMIN_USER` | administrator account name | | `KERB_ADMIN_USER` | administrator account name | admin |
| `KERB_ADMIN_PASS` | administrator's password | | `KERB_ADMIN_PASS` | administrator's password | admin |
| `SEARCH_DOMAINS` | domain suffix search list | | `SEARCH_DOMAINS` | domain suffix search list | example.com |
| `LDAP_DC` | domain suffix search list | | `LDAP_DC` | domain suffix search list | dc=example,dc=com |
| `LDAP_USER` | ldap user | | `LDAP_USER` | ldap service user | admin |
| `LDAP_PASS` | ldap pass | | `LDAP_PASS` | ldap service pass | admin |
| `LDAP_URL` | ldap url | | `LDAP_URL` | ldap url | ldap://ldap |
### Test # Bind LDAP user to Kerberos DB
If you add new users in LDAP you have to register them in Kerberos as well in order to utilize Kerberos authentication. It is possible by the following command:
> docker exec -ti $KERBEROS_CONTAINER kadmin.local -q 'addprinc -x dn=$USER_DN $USER_KERB_NAME'
example
> docker exec -ti kerberos kadmin.local -q 'addprinc -x dn=cn=Teszt" "Elek,cn=users,dc=ldap,dc=hiflylabs,dc=hu telek'
# Test
Once kerberos is enabled you need a `ticket` to execute any job on the cluster. Here's an example to get a ticket: Once kerberos is enabled you need a `ticket` to execute any job on the cluster. Here's an example to get a ticket:
> docker exec -ti kerberos sh -c "kinit admin && klist" > docker exec -ti kerberos sh -c "kinit admin && klist"
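Review bot: The `LDAP_DC` row in the new table reuses the `SEARCH_DOMAINS` description "domain suffix search list", but its default `dc=example,dc=com` is the LDAP base DN, so the description should say "LDAP base DN (suffix) for Kerberos entries". In the same hunk, the template `kadmin.local -q 'addprinc -x dn=$USER_DN $USER_KERB_NAME'` is single-quoted, so `$USER_DN` and `$USER_KERB_NAME` would not expand if pasted literally; use double quotes or mark them as placeholders. The worked example uses `cn=users,dc=ldap,dc=hiflylabs,dc=hu`, which does not match the documented default `LDAP_DC` of `dc=example,dc=com`; an example under the default base DN would be less confusing for readers following the Quick start.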


@@ -4,12 +4,12 @@ sleep 10
[[ "TRACE" ]] && set -x [[ "TRACE" ]] && set -x
: ${REALM:=AMAZON} : ${REALM:=EXAMPLE.COM}
: ${DOMAIN_REALM:=amazon} : ${DOMAIN_REALM:=example.com}
: ${KERB_MASTER_KEY:=masterkey} : ${KERB_MASTER_KEY:=masterkey}
: ${KERB_ADMIN_USER:=admin} : ${KERB_ADMIN_USER:=admin}
: ${KERB_ADMIN_PASS:=admin} : ${KERB_ADMIN_PASS:=admin}
: ${SEARCH_DOMAINS:=krb.amazon} : ${SEARCH_DOMAINS:=example.com}
: ${LDAP_DC:=dc=example,dc=com} : ${LDAP_DC:=dc=example,dc=com}
: ${LDAP_USER:=admin} : ${LDAP_USER:=admin}
: ${LDAP_PASS:=admin} : ${LDAP_PASS:=admin}
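Review bot: The unchanged context line `[[ "TRACE" ]] && set -x` tests a non-empty literal string, so it is always true and `set -x` is always enabled; it was presumably meant to be `[[ "$TRACE" ]] && set -x`. This matters because later in the script `$LDAP_PASS` (and the `KERB_ADMIN_PASS`/`KERB_MASTER_KEY` defaults set here) are expanded into heredocs and commands, and with xtrace on their values are echoed into the container's log output. Fix the test so tracing is opt-in, and consider `set +x` around the lines that handle secrets.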
@@ -91,13 +91,13 @@ EOF
} }
start_kdc() { start_kdc() {
krb5kdc start service krb5-kdc start
kadmind service krb5-admin-server start
} }
restart_kdc() { restart_kdc() {
krb5kdc restart service krb5-kdc restart
kadmind restart service krb5-admin-server restart
} }
create_admin_user() { create_admin_user() {
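Review bot: The new `service krb5-kdc start` and `service krb5-admin-server start` calls in `start_kdc()` (and the `restart` variants) ignore their exit status, so if kadmind fails to come up the script carries on and the container looks healthy while `kadmin` is unreachable. Suggest `service krb5-kdc start || exit 1` and `service krb5-admin-server start || exit 1`, or running the script under `set -e`, so a failed service start is visible in the container's exit code.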
@@ -105,7 +105,7 @@ create_admin_user() {
$LDAP_PASS $LDAP_PASS
$LDAP_PASS $LDAP_PASS
EOF EOF
echo "*/admin@$REALM *" > /etc/krb5kdc/kadm5.acl echo "admin@$REALM *" > /etc/krb5kdc/kadm5.acl
} }
mkdir -p /var/log/kerberos mkdir -p /var/log/kerberos
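Review bot: The new ACL line `echo "admin@$REALM *" > /etc/krb5kdc/kadm5.acl` hard-codes the principal name `admin` while the script (and the README table) document `KERB_ADMIN_USER` as configurable; if a user overrides `KERB_ADMIN_USER`, full `*` privileges are granted to a principal that may not exist and the configured admin gets none. Use `echo "$KERB_ADMIN_USER@$REALM *" > /etc/krb5kdc/kadm5.acl` so the ACL follows the variable. Note also that this narrows the previous `*/admin@$REALM *` rule to a single principal, which is a reasonable tightening for a test image but should be mentioned in the README's admin section.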