docker-kerberos-with-ldap's Introduction

Docker kerberos

This image is intended for testing Kerberos/LDAP environments. It lets you initialize an Ubuntu-based Kerberos server (KDC) that stores its principal database in LDAP. The project is based on the mrenouf/docker-images repository, but this codebase is not compatible with it.

Quick start

docker run -d --net docker_overlay -v /dev/urandom:/dev/random --name kerberos nugaon/kerberos-with-ldap

Containers usually have a very low entropy level, and the KDC will not start because of this. We work around it by mounting /dev/urandom over /dev/random, which is less secure but does not block waiting for entropy. This Kerberos container must run on the same network as the LDAP container, or otherwise be able to reach the external LDAP server. For the former case, I suggest using my compatible LDAP image nugaon/openldap-with-kerberos, which you can also find on GitHub.

Useful environment variables:

Environment variable   Description                     Default value
REALM                  the Kerberos realm              EXAMPLE.COM
DOMAIN_REALM           the DNS domain for the realm    example.com
KERB_MASTER_KEY        master key for the KDC          masterkey
KERB_ADMIN_USER        administrator account name      admin
KERB_ADMIN_PASS        administrator's password        admin
SEARCH_DOMAINS         domain suffix search list       example.com
LDAP_DC                domain suffix search list       dc=example,dc=com
LDAP_USER              LDAP service user               admin
LDAP_PASS              LDAP service password           admin
LDAP_URL               LDAP URL                        ldap://ldap

Bind LDAP user to Kerberos DB

If you add new users in LDAP, you also have to register them in Kerberos in order to use Kerberos authentication. This is done with the following command, where USER_DN is the user's LDAP DN and USER_KERB_NAME the principal name to create:

docker exec -ti $KERBEROS_CONTAINER kadmin.local -q 'addprinc -x dn=$USER_DN $USER_KERB_NAME'

Example (the DN contains a space, which is escaped with a quoted space because kadmin splits its query on whitespace):

docker exec -ti kerberos kadmin.local -q 'addprinc -x dn=cn=Teszt" "Elek,cn=users,dc=ldap,dc=hiflylabs,dc=hu telek'
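The following helper script is an added example and is not part of the nugaon/kerberos-with-ldap project. It generalizes the quoting trick shown above to any DN containing spaces, runs the same kadmin.local call through docker exec, and verifies afterwards with getprinc that the principal really landed in the KDC database. It assumes docker is on PATH and that the container name (kerberos in the README) is passed as the first argument.

```shell
#!/bin/sh
# Added example (not project code): link an existing LDAP entry to a new
# Kerberos principal via kadmin.local, as the README's "Bind LDAP user to
# Kerberos DB" section does, and check that the principal now exists.

# Print the kadmin query for linking DN ($1) to principal name ($2).
# kadmin's query parser splits arguments on whitespace, so every space inside
# the DN is wrapped in double quotes: the README's cn=Teszt" "Elek trick,
# applied mechanically instead of by hand.
kadmin_addprinc_query() {
  _dn=$(printf '%s' "$1" | sed 's/ /" "/g')
  printf 'addprinc -x dn=%s %s' "$_dn" "$2"
}

# Register principal $3 for LDAP DN $2 inside KDC container $1.
# kadmin.local prompts twice for the new principal's password, hence -ti.
register_ldap_principal() {
  _q=$(kadmin_addprinc_query "$2" "$3")
  docker exec -ti "$1" kadmin.local -q "$_q"
}

# Return 0 when principal $2 is present in the KDC database of container $1.
# getprinc prints "Principal: name@REALM" as its first line on success.
principal_exists() {
  docker exec "$1" kadmin.local -q "getprinc $2" 2>/dev/null |
    grep -q "^Principal: $2@"
}

# Example usage (constructed DN, same as the README example):
#   register_ldap_principal kerberos \
#     'cn=Teszt Elek,cn=users,dc=ldap,dc=hiflylabs,dc=hu' telek
#   principal_exists kerberos telek && echo "telek is registered"
```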

Test

Once Kerberos is enabled, you need a ticket to execute any job on the cluster. Here's an example of obtaining one:

docker exec -ti kerberos sh -c "kinit admin && klist"

This authenticates the LDAP-associated admin user against the Kerberos server (kinit) and then lists the resulting ticket (klist).


docker-kerberos-with-ldap's Issues

Unable to read Realm: No such object while initializing kadmin.local interface

Hi,
I had a look at a few of your repos and tried setting up an LDAP & Kerberos dev env, but I didn't succeed. I'm all new to this, so my understanding of all of this is very limited and I'd be very grateful if you could elaborate on what I did wrong.

docker-compose.yml

version: '3'
services:
  ldap:
    image: osixia/openldap:1.4.0
    container_name: ldap
    volumes:
      - ./ldap/database:/var/lib/ldap
      - ./ldap/config:/etc/ldap/slapd.d
    ports:
      # LDAP
      - 389:10389
      # LDAPS
      # - 636:10636

  kerberos:
    image: nugaon/kerberos-with-ldap
    container_name: kerberos
    volumes:
      - /dev/urandom:/dev/random
    environment:
      - REALM=EXAMPLE.ORG
      - DOMAIN_REALM=example.org
      - SEARCH_DOMAINS=example.org
      - LDAP_DC=dc=example,dc=org

  phpldapadmin:
    image: osixia/phpldapadmin:latest
    container_name: phpldapadmin
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: 'ldap'
      PHPLDAPADMIN_HTTPS: 'false'
    ports:
      - '8080:80'
    depends_on:
      - ldap

After executing docker exec -ti kerberos kadmin.local -q 'addprinc -x dn=cn=Teszt" "Elek,cn=users,dc=ldap,dc=hiflylabs,dc=hu telek' which you mentioned in your examples I get the following error:

Authenticating as principal root/admin@EXAMPLE.ORG with password.
kadmin.local: Unable to read Realm: No such object while initializing kadmin.local interface

Also, what would be the correct command to register cn=admin,dc=example,dc=org account with kerberos? Would this docker exec -it kerberos kadmin.local -q 'addprinc -x cn=admin,dc=example,dc=org' be correct?

Thanks in advance for your help.

Kerberos service not working on Macs with M1 processor

Hi, the Kerberos service works without any problems on my older Mac with the Intel processor, but I can't make it work on M1. Any ideas on how to resolve this issue? These are the logs I'm getting. Thanks in advance.

+ : LAB.LOCAL
+ : lab.local
+ : masterkey
+ : admin
+ : admin
+ : lab.local
+ : dc=lab,dc=local
+ : admin
+ : admin
+ : ldap://openldap
+ '[' '!' -f /kerberos_initialized ']'
+ mkdir -p /var/log/kerberos
+ create_config
++ hostname -f
+ KDC_ADDRESS=401a594e078e
+ cat
+ init_ldap
+ kdb5_ldap_util -D cn=admin,dc=lab,dc=local create -subtrees dc=lab,dc=local -r LAB.LOCAL -s -H ldap://openldap
Password for "cn=admin,dc=lab,dc=local": 
Initializing database for realm 'LAB.LOCAL'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
kdb5_ldap_util: Kerberos Container create FAILED: Invalid syntax while creating realm 'LAB.LOCAL'
Re-enter KDC database master key to verify: 
+ kdb5_ldap_util -D cn=admin.,dc=lab,dc=local stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=lab,dc=local
Password for "cn=admin.,dc=lab,dc=local": 
Password for "cn=admin,dc=lab,dc=local": 
Re-enter password for "cn=admin,dc=lab,dc=local": 
+ create_admin_user
+ kadmin.local -q 'addprinc -x dn=cn=admin,dc=lab,dc=local admin'
kadmin.local: Unable to read Realm: No such object while initializing kadmin.local interface
Authenticating as principal root/admin@LAB.LOCAL with password.
+ echo 'admin@LAB.LOCAL *'
+ create_db
+ kdb5_util -P masterkey -r LAB.LOCAL create -s
kdb5_util: Kerberos Container create FAILED: Invalid syntax while creating database '/var/lib/krb5kdc/principal'
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'LAB.LOCAL',
master key name 'K/M@LAB.LOCAL'
+ start_kdc
+ service krb5-kdc start
 * Starting Kerberos KDC krb5kdc
krb5kdc: cannot initialize realm LAB.LOCAL - see log file for details
   ...fail!
+ service krb5-admin-server start
 * Starting Kerberos administrative servers kadmind
kadmind: Unable to read Realm: No such object while initializing, aborting
   ...fail!
+ touch /kerberos_initialized
+ tail -F /var/log/kerberos/krb5kdc.log
Feb 17 06:03:25 401a594e078e krb5kdc[48](Error): Unable to read Realm: No such object - while initializing database for realm LAB.LOCAL
