[Network Administration] : Using AFP home directories

So far I’ve been using NFS with the automounter to mount my home directories on my OS X machines, and it has worked pretty well. There are a couple of issues I’m hoping to work around. One is that the automounter can unmount the drives, which in this case would be the home directory. I’ve been converting this over to AFP, the native file sharing protocol, for the home directories. Synology’s DSM includes AFP as one of its supported protocols. I don’t have any Windows machines, so I’m not going to worry about SMB support, although it appears that Apple will drop support for AFP in the near future.


[Network Administration] : OpenLDAP and SASL Passthrough

I needed to get SASL passthrough working since I have some things that need to bind to the LDAP server. Specifically, I need to be able to authenticate to my Synology NAS with my LDAP account. Until now, I’ve just used NFS permissions to mount the shares on the system (mainly with the automounter getting its information from the LDAP server). If I need to allow clients to bind to the LDAP server for authentication, then the LDAP server will need access to the password. I store my passwords in the Kerberos KDC, but I can have LDAP pass the authentication through to a SASL backend instead of storing the passwords locally in the directory.

[Network Administration] : Postfix and LDAP recipients

Given that I’ve already put my addresses into the LDAP directory, I’m going to use it to pull my recipients for local delivery. The Postfix website documents this.

The relevant section of /etc/postfix/main.cf:

# DELIVERY CONFIGURATION
#
# all mail to the domain is slated for local delivery
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
# Set aliases to the postfix configuration directory
alias_maps = hash:${config_directory}/aliases
alias_database = hash:${config_directory}/aliases
# Local recipients are stored in LDAP
# Alias maps also need to be added here to accept mail for aliases locally
local_recipient_maps = ldap:${config_directory}/ldap-recipients.cf $alias_maps

The ldap-recipients.cf file has the information needed to connect to the LDAP server:

server_host = <SERVER>
search_base = ou=users,dc=example,dc=com
version = 3
query_filter = mail=%s
result_attribute = uid
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = <CA certificate chain>

Since tls_require_cert = yes makes Postfix verify the LDAP server’s certificate, the CA certificate chain has to be supplied in tls_ca_cert_file.
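As an added example (not from the original post), here is a Python emulation of the lookup Postfix performs for the ldap: table above: it parses a copy of ldap-recipients.cf, expands query_filter with the RFC 4515 escaping Postfix applies to %s, and resolves an address to a uid against a constructed in-memory directory. The host name and directory entries are constructed, and no LDAP server is contacted.

```python
import re
# Constructed sample table shaped like the ldap-recipients.cf above (no network use).
LDAP_RECIPIENTS_CF = """\
server_host = ldap.example.com
search_base = ou=users,dc=example,dc=com
version = 3
query_filter = mail=%s
result_attribute = uid
"""
# Constructed in-memory entries standing in for the LDAP server.
DIRECTORY = [
    {"dn": "uid=alice,ou=users,dc=example,dc=com", "uid": ["alice"],
     "mail": ["alice@example.com", "a.smith@example.com"]},
    {"dn": "uid=bob,ou=users,dc=example,dc=com", "uid": ["bob"], "mail": ["bob@example.com"]},
    {"dn": "uid=svc,ou=services,dc=example,dc=com", "uid": ["svc"],
     "mail": ["svc@example.com"]},  # outside search_base, so never a local recipient
]

def parse_ldap_table(text):
    """Parse a Postfix ldap table file ('key = value' lines) into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def escape_filter_value(value):
    """RFC 4515 escaping, which Postfix applies to %s/%u/%d so that a recipient
    address cannot inject filter metacharacters such as '*' or ')'."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(cfg, address):
    """Expand %s (whole address), %u (local part) and %d (domain) in one pass."""
    local, _, domain = address.partition("@")
    parts = {"s": address, "u": local, "d": domain}
    return re.sub(r"%([sud])", lambda m: escape_filter_value(parts[m.group(1)]),
                  cfg.get("query_filter", "mailacceptinggeneralid=%s"))

def lookup(cfg, directory, address):
    """result_attribute values of entries under search_base matching the filter (single 'attr=value' equality only)."""
    attr, _, raw = build_filter(cfg, address).strip("()").partition("=")
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), raw).lower()
    base, result_attr = cfg.get("search_base", "").lower(), cfg.get("result_attribute", "maildrop")
    hits = []
    for entry in directory:
        if (entry["dn"].lower().endswith(base)
                and wanted in (v.lower() for v in entry.get(attr, []))):
            hits.extend(entry.get(result_attr, []))
    return hits
```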

[Network Administration] : Kerberized IMAP

To go with the Kerberized Postfix that I’ve put in place, I also added Kerberized IMAP. This lets me authenticate to the IMAP server with my Kerberos tickets, and it works similarly. I’m using Carnegie Mellon’s Cyrus IMAP server (although CMU has since migrated all of its accounts to Google). The Cyrus server supports GSSAPI natively, and other mechanisms through its SASL implementation. Using GSSAPI, I can now connect from my mail client and access my IMAP mailbox with my already granted ticket.

[Network Administration] : Kerberized Postfix

I updated my mail server and connected it to the Kerberized system that was put in place earlier. Previously I had my mail accounts defined in a MySQL database, which worked alright but was really more of a hassle, since any password change had to be made both in the system and in the MySQL database used by Postfix. Either I had a single password and needed to update both databases when it changed, or I had to let them diverge. I need an authentication mechanism so that I can submit mail from the mail client (MUA) for delivery. This time I connected Postfix, which I use as my MTA, to the Kerberos server to do the authentication. Postfix supports SASL mechanisms for authentication and can use them for both GSSAPI and PLAIN authentication against the Kerberos system. The Postfix website has a whole page describing the use of SASL with Postfix. I used Cyrus SASL from Carnegie Mellon University to do the authentication.

[Network Administration] : Ubuntu and encrypted swap space

After installing Ubuntu 14.04 LTS, I got the following error:
the disk drive for /dev/mapper/cryptswap1 is not ready yet or not present
The message is annoying, but worse, the swap partition is not encrypted.
I was able to get around this by editing /etc/crypttab to list the /dev/ path to the drive instead of the UUID in the cryptswap1 entry:

# <target name> <source device> <key file> <options>
cryptswap1 UUID=2f36a43f-0d3e-4c2e-92ad-ac12603c1ff0 /dev/urandom swap,cipher=aes-cbc-essiv:sha256

was changed to:

# <target name> <source device> <key file> <options>
cryptswap1 /dev/mapper/cerf--vg-swap_1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256

I still get the message, but the swap space is encrypted now.

cerf:~> sudo swapon --summary
Filename				Type		Size	Used	Priority
/dev/mapper/cryptswap1                  partition	8314876	0	-1
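Added example, not from the original post: a Python check for the two things this post turned up, a random-key swap entry addressed by UUID= and swap running without the dm-crypt mapping in front of it. The crypttab and /proc/swaps contents are constructed from the lines shown above.

```python
# Constructed sample crypttab, as it looked before the fix described above.
CRYPTTAB_BEFORE = """\
# <target name> <source device> <key file> <options>
cryptswap1 UUID=2f36a43f-0d3e-4c2e-92ad-ac12603c1ff0 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
"""
CRYPTTAB_AFTER = """\
# <target name> <source device> <key file> <options>
cryptswap1 /dev/mapper/cerf--vg-swap_1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
"""
# Constructed /proc/swaps contents matching the swapon --summary output above.
PROC_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/mapper/cryptswap1                  partition\t8314876\t0\t-1
"""

def parse_crypttab(text):
    """Return the entries of a crypttab as dicts with name, source, key and options."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        name, source = fields[0], fields[1]
        key = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append({"name": name, "source": source, "key": key, "options": options})
    return entries

def uuid_addressed_random_swap(entries):
    """Names of random-key swap mappings whose source is given as UUID=...
    The plaintext swap signature carrying that UUID lives inside the mapping, not on
    the backing device, so a UUID= source is not a reliable way to find the device."""
    return [e["name"] for e in entries
            if "swap" in e["options"] and e["key"] == "/dev/urandom"
            and e["source"].upper().startswith("UUID=")]

def active_swap_devices(proc_swaps):
    """Device paths currently in use as swap, from /proc/swaps text."""
    return [line.split()[0] for line in proc_swaps.splitlines()[1:] if line.strip()]

def unencrypted_swap(proc_swaps, entries):
    """Active swap devices that are not one of the crypttab swap mappings,
    i.e. swap that is being used without dm-crypt in front of it."""
    mapped = {"/dev/mapper/" + e["name"] for e in entries if "swap" in e["options"]}
    return [dev for dev in active_swap_devices(proc_swaps) if dev not in mapped]
```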

[Network Administration]: OS X and Mobile Accounts

I have both Ubuntu and Linux machines. One of the goals is to have access to all of the same information regardless of where I log in, and to have it transparent to the machine that I’m actually using.