Ask AFP548 February 8, 2006 at 11:00 pm

Communigate Pro with LDAP Authentication

With all the issues related to Sarbanes-Oxley compliance, and contracts being written to cover all losses and lawsuits related to any security breach in network setup these days, along with the desire for System Administrators to manage all of their user accounts from one location, I’ve been looking into getting an existing Communigate Pro mail setup authenticating to OS X Server’s built-in Open Directory.

Stalker are kind enough to provide a link to an LDAP authentication plugin; however, this script is built for plain/clear-text passwords, which, I might add, also drops the plain-text password into the Communigate Pro logs.

I’m looking to hear from anyone who has got Communigate Pro integrated into their LDAP environment, and how they’ve dealt with the password situation.

About

Andrina Kelly is responsible for anything and everything touched by, or connected to, a Mac at Bell Media, Canada's premier multimedia company. You may recognize her name from the end credits of Canada's evening news broadcast. She has previously spoken at MacSysAdmin, JAMF National Users Conference, Apple's WWDC, Macworld IT conferences, Mac Networkers Retreat, and Canada MacExpo.

No Comments

  • Also, Kerberos authentication with Communigate would be cool to learn more
    about.. has anyone got this running?

  • Stalker has an article that was a little helpful with this for Active Directory. It
    was at: http://www.stalker.com/CommuniGatePro/Security.html#KerbAD

    There’s also a good page at (note this is on your CGP Server):
    http://Your-servers-IP:8010/Guide/CentralDir.html

    Communigate can act as the LDAP database or look to another LDAP database
    for information. When you are looking to another LDAP database, it replaces
    your account.settings (which stores passwords in clear text by default, btw – if
    you haven’t upgraded your encryption to blowfish, I’d look into that…) with a
    server based version of this file. In Communigate, if you click on the Domains
    section and then click on Directory Integration, you can click “Enable” under
    Directory Based domains. Then you “LOAD” the keytabs for each domain.
    Personally, I also join the LDAP infrastructure using Directory Access. Once
    you are a part of the LDAP domain, you can use the Keep In Sync button for
    each domain under the Directory Integration button of the Domain Settings
    screen to sync the database.

    If you want to do more than just look to LDAP for passwords and the such,
    you may need to extend the schema of your LDAP database. If you do this,
    look to the Directory->Root->Schema and scroll down to the section where all
    of the items start with the word Communigate. This is a map for doing so.

    Communigate can also do an LDIF import if you only want a one-time dump
    of the information.

    That should get you started, let me know if you get stuck.

    As for the Kerio integration, it is a little more straightforward, but in my
    opinion a little less flexible with how the schemas can relate to one another.

    An interesting note about how Communigate is built: They use SASL and LDAP
    in much the same way (and on the same ports) as Open Directory. Be a little
    careful if you’re running a default version of CGP as you can easily publish
    your database to the web anonymously through the web portal of CGP…


    Charles Edge, ACSA, MCSE, CCNA, Network+
    Author :: Mac Tiger Server Little Black Book
    Partner :: Three18 Consulting
    http://www.318.com
    [email protected]

    • Caveat: I am no expert but this is what I did…

      I tried the auth_ldap script and was not entirely satisfied as it would
      not allow the use of additional short user names in the directory.
      Generally we use first_last as a user name but we have some people
      with VERY long names and I’ve provided them alternate shorter names
      so they can log into these computers. I also used the shorter name as
      their email account name. This causes the auth_ldap script to fail.

      I use the auth_pam script available from Stalker. I bind my CGP mail
      server to the directory in Directory Access (configure the LDAP plug-in)
      and the auth_pam script then seems to go through Directory Access to
      authenticate the users. I have the CGP log set to log "All Info" and I
      see no passwords in the log.

      I would really love to see something like a "CGP Best Practices for OS
      X" document that outlines a robust and secure CGP setup for OS X.

  • I took a guy from Mac Managers by the name of Bob Gendler through this
    and this is the summary he put together of how we did it…

    1. Set up CPAN.
    2. Hop into CPAN’s console by typing "perl -MCPAN -e shell".
    3. Then I had to install 3 packages before installing the LDAP stuff: type
       "install IO::Socket"; when that’s done, "install Net::SSLeay"; and finally
       "install IO::Socket::SSL".
    4. We’re ready to install the LDAP component with "install Net::LDAP".
       – For me this failed, strangely enough, so I had to manually build the
         package.
       – So I had to go to the build directory, which I found by looking at
         /System/Library/Perl/CPAN/Config.pm.
       – Then into the perl-ldap-0.33 folder, and I followed the directions in
         the readme: "perl Makefile.PL, make, make test, make install".
    5. Now that the pieces are installed I went and grabbed authLDAP.pl from
       http://www.stalker.com/CGAUTH/ and did some minor edits.
    6. Change my $result=$ldap->bind("uid=$name,cn=$domain",password=>$password)
       to my $result=$ldap->bind("uid=$name,cn=users,dc=landminesurvivors,dc=org",password=>$password),
       for example.
    7. Put authLDAP.pl into CommuniGate Pro’s folder, which by default is
       /var/CommuniGate/, and give the script execute permission.
    8. In CommuniGate Pro’s web admin interface, in Settings -> General -> Helpers,
       enable External Authentication and point it to the script.
    9. I had to restart CommuniGate Pro and actually do a complete shutdown of
       the mail server, which you can do in the terminal with
       /System/Library/StartupItems/CommuniGatePro/CommuniGatePro stop – shut it
       down for like 30 seconds and then do
       /System/Library/StartupItems/CommuniGatePro/CommuniGatePro start.
    10. Under the CommuniGate Pro web administration go to Accounts, then for any
        account set "CommuniGate Password Allow to Use" to No and say Yes to
        "External Authentication".

    I’ve also implemented the Kerberos config – it’s easy on 10.4 server because
    you can just choose to "Kerberize the server" in server admin, which creates
    the correct keytab files on the KDC. After that collect the keytab files from the
    server and (definitely using SSL HTTP Admin) upload the keytab files into the
    Kerberos section of the CommuniGate web admin. Then enable Kerberos on
    the domain (or user account) and things are good….

    Hope that helps – please don’t hesitate to contact me about this one…!

    Cheers
    David

    • Of course the Kerberos option does get away from the issues with clear-text
      passwords – I couldn’t really find an "out" using their LDAP scripts from this bar
      "lock down the logs" 🙁

    • Did the above and I get a message “EXTAUTH [email protected] created” but I am not allowed to log in. I suspect, as I have not yet been able to extend my Open Directory schema, that this is due to attributes missing. Do you have any pointers for adding the downloaded cgpro schema into Open Directory? My last attempt crashed the Open Directory service.
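An added example, not Stalker's authLDAP.pl or any code posted in this thread, showing a search-then-bind password check that addresses two problems raised above: the fixed bind DN in step 6, which only matches a user's primary short name (the alternate-short-name failure described for auth_ldap), and the clear-text password landing in the logs. It assumes an Open Directory master at od.example.com with users under cn=users,dc=example,dc=com, a CA file at /etc/ssl/od-ca.pem, and that alternate short names are stored as additional values of the multi-valued uid attribute; wiring it into CommuniGate's external-authentication helper protocol is left to the Stalker script.

```perl
#!/usr/bin/perl
# Added example: search-then-bind password check against Open Directory.
# Not Stalker's authLDAP.pl; host, base DN and CA path are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $LDAP_URI = 'ldaps://od.example.com';          # assumed OD master
my $BASE_DN  = 'cn=users,dc=example,dc=com';      # assumed users container
my $CA_FILE  = '/etc/ssl/od-ca.pem';              # assumed CA certificate

# Returns 1 if $name/$password is valid, 0 otherwise. Never logs $password.
sub check_password {
    my ($name, $password) = @_;
    return 0 unless defined $password && length $password;  # refuse empty/anonymous bind

    # Verifying the server certificate keeps the password off the wire in clear text.
    my $ldap = Net::LDAP->new($LDAP_URI, verify => 'require', cafile => $CA_FILE)
        or do { warn "auth: ldap connect failed: $@\n"; return 0 };

    # Anonymous search for the entry. In Open Directory every short name,
    # including alternates, is a value of the multi-valued uid attribute, so
    # this finds the user even when the DN is built from the primary name.
    my $mesg = $ldap->search(
        base   => $BASE_DN,
        scope  => 'one',
        filter => '(uid=' . escape_filter_value($name) . ')',  # no filter injection
        attrs  => ['1.1'],                                     # DN only
    );
    if ($mesg->code || $mesg->count != 1) {
        warn "auth: no unique entry for uid=$name\n";  # name only, never the password
        $ldap->unbind;
        return 0;
    }
    my $dn = $mesg->entry(0)->dn;

    # Simple bind as the user proves the password; only the outcome is logged.
    my $bind = $ldap->bind($dn, password => $password);
    $ldap->unbind;
    warn 'auth: ' . ($bind->code ? 'FAILURE' : 'OK') . " for $dn\n";
    return $bind->code ? 0 : 1;
}

# Shell usage for testing: perl thisscript.pl username < passwordfile
if (!caller) {
    my $name = shift @ARGV or die "usage: $0 username < password\n";
    my $pw = <STDIN>; $pw = '' unless defined $pw; chomp $pw;
    print check_password($name, $pw) ? "OK\n" : "FAILURE\n";
}
```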

  • We’re interested in doing similar with EIMS… Any ideas anyone?

    • While EIMS can easily act as an LDAP server, and push out Directory information
      over ACAP, I have not been able to find any way to join an existing directory
      service in 3.2.8. I have been able to query the LDAP database running on EIMS
      from an external host, but have only found directory information that was
      plugged into EIMS from the EIMS Admin X utility. Has anyone else been able to
      get further than this with EIMS?


      Charles Edge, ACSA, MCSE, CCNA, Network+
      Author :: Mac Tiger Server Little Black Book
      Partner :: Three18 Consulting
      http://www.318.com
      [email protected]

  • How do I save Entourage .pst files to a central server. Thanks.

    • You could use an Alias. I did this to encrypt my Entourage database (versus using FileVault) by placing the database in a secure disk image and then creating an alias to it and placing said alias in the original location. The principle should work the same as long as the share was mounted.

  • Is it possible to allow all users in an Open Directory group to be administrators of a client machine when logging in with network home folders, without having to check the box for each individual user in System preferences/Accounts? Something like nesting the OD group in the local admin group.

    Thanks,

    Alan.

    • Yes this is possible. I have done it in Tiger, but have not tried it in Leopard.

      I did it using Workgroup Manager. You create an “Administration” group on your OD and add all of the users you want to be Local Admins to it.
      Then you open the Local Directory in WM.
      Then you add the directory group Administration to the local admin group. (you may have to upgrade the legacy group to have nested groups).

      The caveat is that the users will only have admin rights as long as they can see the directory. If you disconnect from the network the rights are temporarily lost.

      By the way, this solution was found for me by my Apple rep 🙂
