With all the issues related to Sarbanes-Oxley compliance, and contracts being written to cover all losses and lawsuits related to any security breach in network setups these days, along with the desire for system administrators to manage all of their user accounts from one location, I’ve been looking into getting an existing CommuniGate Pro mail setup authenticating to OS X Server’s built-in Open Directory.
Stalker are kind enough to provide a link to an LDAP authentication plugin; however, this script is built for plain/clear-text passwords, which, I might add, also drops the plain-text password into the CommuniGate Pro logs.
I’m looking to hear from anyone who has got Communigate Pro integrated into their LDAP environment, and how they’ve dealt with the password situation.
Also, Kerberos authentication with CommuniGate would be cool to learn more about. Has anyone got this running?
There’s some info on this on their website here: http://www.stalker.com/CommuniGatePro/Security.html#Kerberos but I haven’t tried implementing with this.
Stalker has an article that was a little helpful with this for Active Directory. It was at: http://www.stalker.com/CommuniGatePro/Security.html#KerbAD

There’s also a good page at (note this is on your CGP server): http://Your-servers-IP:8010/Guide/CentralDir.html

CommuniGate can act as the LDAP database or look to another LDAP database for information. When you are looking to another LDAP database, it replaces your account.settings (which stores passwords in clear text by default, by the way; if you haven’t upgraded your encryption to Blowfish, I’d look into that…) with a server-based version of this file. In CommuniGate, if you click on the Domains section and then click on Directory Integration, you can click “Enable” under Directory Based domains. Then you “LOAD” the keytabs for each domain. Personally, I also join the LDAP infrastructure using Directory Access. Once you are a part of the LDAP domain, you can use the Keep In Sync button for each domain under the Directory Integration button of the Domain Settings screen to sync the database.

If you want to do more than just look to LDAP for passwords and such, you may need to extend the schema of your LDAP database. If you do this, look to Directory -> Root -> Schema and scroll down to the section where all of the items start with the word CommuniGate. This is a map for doing so. CommuniGate can also do an LDIF import if you only want a one-time dump of the information.

That should get you started; let me know if you get stuck.

As for the Kerio integration, it is a little more straightforward, but in my opinion a little less flexible with how the schemas can relate to one another.

An interesting note about how CommuniGate is built: they use SASL and LDAP in much the same way (and on the same ports) as Open Directory. Be a little careful if you’re running a default version of CGP, as you can easily publish your database to the web anonymously through the web portal of CGP…
—
Charles Edge, ACSA, MCSE, CCNA, Network+
Author :: Mac Tiger Server Little Black Book
Partner :: Three18 Consulting
http://www.318.com
[email protected]
Caveat: I am no expert, but this is what I did…

I tried the auth_ldap script and was not entirely satisfied, as it would not allow the use of additional short user names in the directory. Generally we use first_last as a user name, but we have some people with VERY long names and I’ve provided them alternate shorter names so they can log into these computers. I also used the shorter name as their email account name. This causes the auth_ldap script to fail.

I use the auth_pam script available from Stalker. I bind my CGP mail server to the directory in Directory Access (configure the LDAP plug-in) and the auth_pam script then seems to go through Directory Access to authenticate the users. I have the CGP log set to log "All Info" and I see no passwords in the log.

I would really love to see something like a "CGP Best Practices for OS X" document that outlines a robust and secure CGP setup for OS X.
I took a guy from Mac Managers by the name of Bob Gendler through this, and this is the summary he put together of how we did it…

1. Set up CPAN.
2. Hop into CPAN’s console by typing "perl -MCPAN -e shell".
3. Then I had to install 3 packages before installing the LDAP stuff:
   - type "install IO::Socket"; when that’s done, "install Net::SSLeay", and finally "install IO::Socket::SSL".
4. We’re ready to install the LDAP component with "install Net::LDAP".
   - For me this failed, strangely enough, so I had to manually build the package.
   - So I had to go to the build directory, which I found by looking at /System/Library/Perl/CPAN/Config.pm.
   - Then into the perl-ldap-0.33 folder, and I followed the directions in the readme: "perl Makefile.PL, make, make test, make install".
5. Now that the pieces are installed, I went and grabbed authLDAP.pl from http://www.stalker.com/CGAUTH/ and did some minor edits.
6. Change my $result=$ldap->bind("uid=$name,cn=$domain",password=>$password) to my $result=$ldap->bind("uid=$name,cn=users,dc=landminesurvivors,dc=org",password=>$password), for example.
7. Put authLDAP.pl into CommuniGate Pro’s folder, which by default is /var/CommuniGate/, and give the script execute permission.
8. In CommuniGate Pro’s web admin interface, in Settings -> General -> Helpers, enable External Authentication and point it to the script.
9. I had to restart CommuniGate Pro and actually do a complete shutdown of the mail server, which you can do in the terminal with /System/Library/StartupItems/CommuniGatePro/CommuniGatePro stop; shut it down for like 30 seconds and then do /System/Library/StartupItems/CommuniGatePro/CommuniGatePro start.
10. Under the CommuniGate Pro web administration, go to Accounts, then for any account, under "CommuniGate Password Allow to Use", set it to No and say Yes to "External Authentication".
I’ve also implemented the Kerberos config. It’s easy on 10.4 Server because you can just choose to "Kerberize the server" in Server Admin, which creates the correct keytab files on the KDC. After that, collect the keytab files from the server and (definitely using SSL HTTP admin) upload the keytab files into the Kerberos section of the CommuniGate web admin. Then enable Kerberos on the domain (or user account) and things are good….
Hope that helps – please don’t hesitate to contact me about this one…!
Cheers
David
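To make the steps above concrete, here is a toy external-authentication helper written for this thread; it is not Stalker’s authLDAP.pl or auth_pam, and nothing in it is CommuniGate’s own code. It assumes the helper talks to CGP over stdin/stdout with lines of the form "ID VRFY account password" and answers "ID OK" or "ID FAILURE", which is the shape I remember from the Stalker scripts but should be checked against the CGP Guide before use. The bind DN "uid=...,cn=users,dc=example,dc=com" is an assumed Open Directory layout standing in for the dc=landminesurvivors,dc=org line in step 6, and the directory itself is replaced by a constructed in-memory dictionary so the block runs offline. The two points it adds beyond the posts are the ones a reviewer would raise about the hand-edited bind line: the short name is escaped per RFC 4514 before being interpolated into the DN, and an empty password is rejected before any bind is attempted, since some LDAP servers treat a bind with an empty password as anonymous and report success. The helper’s own log records the request id, account and outcome, never the password.

```python
"""Toy CommuniGate Pro external-authentication helper backed by a mock directory.

Constructed example for this thread, not Stalker's authLDAP.pl. The request and
reply line format is assumed from the VRFY handshake the Stalker scripts use.
"""
import logging
import sys

LOG = logging.getLogger("cgp-extauth")

# Assumed container for Open Directory user records; substitute your own base DN.
BASE_DN = "cn=users,dc=example,dc=com"

# RFC 4514 section 2.4: characters that must be backslash-escaped in a DN value.
_DN_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it cannot alter the structure of a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(short_name: str, base_dn: str = BASE_DN) -> str:
    """The DN the helper binds as (the hand-edited line in step 6), with the name escaped."""
    return f"uid={escape_dn_value(short_name)},{base_dn}"


def parse_request(line: str):
    """Split 'ID VRFY account password' into its parts; the password may contain spaces."""
    parts = line.rstrip("\r\n").split(" ", 3)
    if len(parts) < 2 or not parts[0]:
        return None
    req_id, command = parts[0], parts[1].upper()
    account = parts[2] if len(parts) > 2 else ""
    password = parts[3] if len(parts) > 3 else ""
    return req_id, command, account, password


def handle_line(line: str, check_bind) -> str:
    """Return the reply line for one request.

    check_bind(dn, password) -> bool stands in for Net::LDAP's bind(): the real
    helper opens an LDAPS connection and attempts a simple bind as that DN.
    """
    parsed = parse_request(line)
    if parsed is None:
        return "ERROR malformed request"
    req_id, command, account, password = parsed
    if command != "VRFY":
        LOG.info("%s unsupported command %s", req_id, command)
        return f"{req_id} ERROR unsupported command"
    # CGP hands over account@domain; Open Directory knows the local part as uid.
    short_name = account.split("@", 1)[0]
    dn = bind_dn(short_name)
    # An empty password must never reach the directory: some servers treat it
    # as an anonymous bind and would report success.
    ok = bool(password) and check_bind(dn, password)
    # Log who asked and what happened, never the credential itself.
    LOG.info("%s VRFY %s as %s -> %s", req_id, account, dn, "OK" if ok else "FAILURE")
    return f"{req_id} {'OK' if ok else 'FAILURE'}"


# Constructed stand-in for the directory so the block runs offline.
MOCK_DIRECTORY = {
    "uid=bgendler,cn=users,dc=example,dc=com": "correct horse battery",
}


def mock_bind(dn: str, password: str) -> bool:
    """Succeeds only when dn exists and password matches, like a simple bind."""
    return MOCK_DIRECTORY.get(dn) == password


def main() -> None:
    """Run as CGP would run a helper: requests on stdin, replies on stdout."""
    logging.basicConfig(level=logging.INFO, stream=sys.stderr)
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, mock_bind) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Piping a line such as "00001 VRFY bgendler@example.com correct horse battery" into the script answers "00001 OK" on stdout while stderr shows only the id, account and DN. Replacing mock_bind with a function that performs a real simple bind over LDAPS is the only change needed to turn this into a working helper, and the "All Info" log level discussed above would then still show no passwords, because the helper never writes one.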
Of course the Kerberos option does get away from the issues with clear-text passwords. I couldn’t really find an "out" using their LDAP scripts from this, bar "lock down the logs".
Did the above and I get a message “EXTAUTH [email protected] created” but I am not allowed to log in. I suspect, as I have not yet been able to extend my Open Directory schema, that this is due to attributes missing. Do you have any pointers for adding the downloaded cgpro schema into Open Directory? My last attempt crashed the Open Directory service.
We’re interested in doing similar with EIMS… Any ideas anyone?
While EIMS can easily act as an LDAP server, and push out directory information over ACAP, I have not been able to find any way to join an existing directory service in 3.2.8. I have been able to query the LDAP database running on EIMS from an external host, but have only found directory information that was plugged into EIMS from the EIMS Admin X utility. Has anyone else been able to get further than this with EIMS?
—
Charles Edge, ACSA, MCSE, CCNA, Network+
Author :: Mac Tiger Server Little Black Book
Partner :: Three18 Consulting
http://www.318.com
[email protected]
How do I save Entourage .pst files to a central server? Thanks.
You could use an Alias. I did this to encrypt my Entourage database (versus using FileVault) by placing the database in a secure disk image and then creating an alias to it and placing said alias in the original location. The principle should work the same as long as the share was mounted.
Is it possible to allow all users in an Open Directory group to be administrators of a client machine when logging in with network home folders, without having to check the box for each individual user in System preferences/Accounts? Something like nesting the OD group in the local admin group.
Thanks,
Alan.
Yes this is possible. I have done it in Tiger, but have not tried it in Leopard.
I did it using Workgroup Manager. You create an “Administration” group on your OD and add all of the users you want to be Local Admins to it.
Then you open the Local Directory in WM.
Then you add the directory group Administration to the local admin group. (you may have to upgrade the legacy group to have nested groups).
The caveat is that the users will only have admin rights as long as they can see the directory. If you disconnect from the network the rights are temporarily lost.
By the way, this solution was found for me by my Apple rep.