Kerberos + OpenLDAP integration test

I recently looked into integrating Kerberos with OpenLDAP and reached the following conclusions:

1. Kerberos and OpenLDAP are two separate, independent user authentication systems.

2. OpenLDAP is mainly for user management; it can serve as the user-storage database (backend) for Kerberos.

3. OpenLDAP can be integrated with SSSD and SSH to manage remote login users on Linux.

4. A big-data platform such as CDH can integrate with Kerberos and also with OpenLDAP, but even then they remain two independent authentication systems. A backend script or similar mechanism can create a user in both systems at the same time, but fundamentally there are still two systems.

5. In principle a user can be created directly in LDAP and then used with kinit, but I found that a user created this way could not log in with kinit; the following error was reported:

kpasswd [email protected]
kpasswd: KDC has no support for encryption type getting initial ticket

The KDC log shows the following:

12月 18 20:25:41 test-ldap2 krb5kdc[77137](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.116.201: CANT_FIND_CLIENT_KEY: [email protected] for krbtgt/[email protected], KDC has no support for encryption type
12月 18 20:25:41 test-ldap2 krb5kdc[77137](info): closing down fd 15
12月 18 20:27:41 test-ldap2 krb5kdc[77137](info): AS_REQ (11 etypes {18 17 20 19 16 23 25 26 1 3 2}) 192.168.116.201: CANT_FIND_CLIENT_KEY: [email protected] for krbtgt/[email protected], KDC has no support for encryption type
12月 18 20:27:41 test-ldap2 krb5kdc[77137](info): closing down fd 15
12月 18 20:27:45 test-ldap2 krb5kdc[77137](info): AS_REQ (11 etypes {18 17 20 19 16 23 25 26 1 3 2}) 192.168.116.201: CANT_FIND_CLIENT_KEY: [email protected] for krbtgt/[email protected], KDC has no support for encryption type
12月 18 20:27:45 test-ldap2 krb5kdc[77137](info): closing down fd 15
12月 18 20:41:11 test-ldap2 krb5kdc[77137](info): AS_REQ (11 etypes {18 17 20 19 16 23 25 26 1 3 2}) 192.168.116.201: CANT_FIND_CLIENT_KEY: [email protected] for kadmin/[email protected], KDC has no support for encryption type
12月 18 20:41:11 test-ldap2 krb5kdc[77137](info): closing down fd 15
12月 18 20:42:32 test-ldap2 krb5kdc[77137](info): AS_REQ (11 etypes {18 17 20 19 16 23 25 26 1 3 2}) 192.168.116.201: ISSUE: authtime 1545136952, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
12月 18 20:42:32 test-ldap2 krb5kdc[77137](info): closing down fd 15

The error is resolved by changing the principal's password from kadmin; the KDC only reports CANT_FIND_CLIENT_KEY because the principal has no Kerberos keys yet, and setting a password (cpw) generates them:

kadmin.local:  cpw [email protected]
Enter password for principal "[email protected]": 
Re-enter password for principal "[email protected]": 
Password for "[email protected]" changed.
kadmin.local:  exit
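As an added example (not code from the original post), the following Python script scans krb5kdc log lines in the format shown above and flags principals whose AS_REQs keep failing with CANT_FIND_CLIENT_KEY and never reach an ISSUE line, which is exactly the symptom of an LDAP user that was created without Kerberos keys. The sample log lines, principal names, realm and addresses are constructed placeholders, not taken from the post.

```python
"""Flag principals the KDC cannot find keys for (CANT_FIND_CLIENT_KEY)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the krb5kdc log format in the post.
# EXAMPLE.COM, alice and bob are placeholders, not values from the post.
SAMPLE_LOG = """\
Dec 18 20:25:41 test-ldap2 krb5kdc[77137](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.116.201: CANT_FIND_CLIENT_KEY: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, KDC has no support for encryption type
Dec 18 20:25:41 test-ldap2 krb5kdc[77137](info): closing down fd 15
Dec 18 20:27:41 test-ldap2 krb5kdc[77137](info): AS_REQ (11 etypes {18 17 20 19 16 23 25 26 1 3 2}) 192.168.116.201: CANT_FIND_CLIENT_KEY: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, KDC has no support for encryption type
Dec 18 20:41:11 test-ldap2 krb5kdc[77137](info): AS_REQ (11 etypes {18 17 20 19 16 23 25 26 1 3 2}) 192.168.116.201: CANT_FIND_CLIENT_KEY: alice@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, KDC has no support for encryption type
Dec 18 20:42:32 test-ldap2 krb5kdc[77137](info): AS_REQ (11 etypes {18 17 20 19 16 23 25 26 1 3 2}) 192.168.116.201: ISSUE: authtime 1545136952, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Dec 18 20:43:00 test-ldap2 krb5kdc[77137](info): AS_REQ (11 etypes {18 17 20 19 16 23 25 26 1 3 2}) 192.168.116.202: CANT_FIND_CLIENT_KEY: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, KDC has no support for encryption type
"""

# AS_REQ that failed because the KDC holds no key for the client principal.
FAIL_RE = re.compile(
    r"AS_REQ .*?\) (?P<src>\S+): CANT_FIND_CLIENT_KEY: (?P<client>\S+) for (?P<server>\S+),"
)
# AS_REQ that succeeded (a ticket was issued to the client principal).
ISSUE_RE = re.compile(r"AS_REQ .*?\) (?P<src>\S+): ISSUE: .*?, (?P<client>\S+) for (?P<server>\S+)$")


def audit_as_requests(log_text):
    """Per client principal: number of key-lookup failures, whether a ticket was
    ever issued, and the source addresses the requests came from."""
    report = defaultdict(lambda: {"failures": 0, "issued": False, "sources": set()})
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            entry = report[m["client"]]
            entry["failures"] += 1
            entry["sources"].add(m["src"])
            continue
        m = ISSUE_RE.search(line)
        if m:
            report[m["client"]]["issued"] = True
    return dict(report)


def principals_without_keys(log_text):
    """Principals that only ever failed with CANT_FIND_CLIENT_KEY: most likely
    LDAP entries that exist but never had a Kerberos password (keys) set."""
    report = audit_as_requests(log_text)
    return sorted(p for p, e in report.items() if e["failures"] and not e["issued"])


if __name__ == "__main__":
    for principal in principals_without_keys(SAMPLE_LOG):
        print(f"{principal}: no keys in KDC, set a password with kadmin cpw")
```

On the sample above alice shows three failures followed by an ISSUE (the password was set), so only bob is reported.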


References:

https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html.en

https://community.hortonworks.com/articles/199542/configuring-kerberos-with-openldap-back-end.html

http://k5wiki.kerberos.org/wiki/LDAP_on_Kerberos

https://blog.csdn.net/cheng_fangang/article/details/40143261

http://blog.51cto.com/11555417/2065747
