[Network Administration] : OpenLDAP and SASL Passthrough

I needed to get the SASL passthrough working since I have some things that need to bind to the LDAP server. Specifically, I need to be able to authenticate to my Synology NAS with my LDAP account. Till now, I’ve just used NFS permissions to mount the shares to the system (mainly using the automounter getting the information from the LDAP server). If I need to allow clients to bind to the LDAP server as authentication, then I’ll need to have access to the password. I store my passwords in the Kerberos KDC, but I can have LDAP pass the authentication through to a SASL backend instead of storing the passwords locally in the directory.
Continue reading “[Network Administration] : OpenLDAP and SASL Passthrough”


[Network Administration] : Postfix and LDAP recipients

Given that I’ve already put my addresses into the LDAP directory, I’m going to use that to pull my recipients for local delivery. There is information on the Postfix website, here and here.

Appropriate section of /etc/postfix/main.cf

# all main to the domain is slated for local delivery
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
# Set aliases to the postfix configuration directory
alias_maps = hash:${config_directory}/aliases
alias_database = hash:${config_directory}/aliases
# Local recipients are stored in ldap
# Alias maps also needs to be added here to accept mail for aliases locally
local_recipient_maps = ldap:${config_directory}/ldap-recipients.cf $alias_maps

The file ldap-recipients.cf file has the information to connect to the LDAP server.

server_host = <SERVER>
search_base = ou=users,dc=example,dc=com
version = 3
query_filter = mail=%s
result_attribute = uid
start_tls = yes
tls_require_cert = yes
tls_ca_cert_file = <CA certificate chain>

We require the verification of the LDAP certificate, so we need to specify the certificate chain.

[Network Administration] : Kerberized IMAP

To go with the Kerberized Postfix that I’ve put in place, I also added Kerberized IMAP to it as well. This will allow me to authenticate the IMAP server with my Kerberos tickets. This works similarly. I’m using Carnegie Mellon’s Cyrus IMAP server (although CMU has migrated all of it’s accounts over to Google since). The Cyrus server supports GSSAPI natively, and other mechanisms through their SASL implementation. Using GSSAPI, I can now connect from my mail client and access my IMAP mailbox using my already granted ticket.
Continue reading “[Network Administration] : Kerberized IMAP”

[Network Administration] : Kerberized Postfix

I updated my mail server and connected this into the kerberized system that was put in place earlier. Previously I had my mail accounts defined in a MYSQL database, which worked alright, but was really more of a hassle since any password changes needed to be done both in the system, and in the mysql database which was used by postfix. Either I had a single password, and needed to update both databases if it was changed, or I had to let them diverge. I’ll need an authentication mechanism so that I can submit mail from the mail client (MUA) for delivery. This time, I connected postfix, which I use as my MTA, to the Kerberos server to do the authentication. Postfix supports SASL mechanisms for authentication and can use it for both GSSAPI and PLAIN authentication against the Kerberos system. The postfix website has a whole page describing use of SASL with Postfix. I used Cyrus SASL from Carnegie Mellon University to do the authentication.
Continue reading “[Network Administration] : Kerberized Postfix”

[Network Administration] : Ubuntu and encrypted swap space

Installing Ubuntu 14.04LTS, I’ve gotten the following error:
the disk drive for /dev/mapper/cryptswap1 is not ready yet or not present
The message is annoying, but worse, the swap partition is not encrypted.
I was able to get around this by editing the /dev/crypttab to list the /dev/ path to the drive instead of the UUID in the cryptswap1 entry:

cryptswap1 UUID=2f36a43f-0d3e-4c2e-92ad-ac12603c1ff0 /dev/urandom swap,cipher=aes-cbc-essiv:sha256

was changed to:

cryptswap1 /dev/mapper/cerf--vg-swap_1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256

I still get the message, but the swap space is encrypted now.

cerf:~> sudo swapon --summary
Filename				Type		Size	Used	Priority
/dev/mapper/cryptswap1                  partition	8314876	0	-1

[Network Administration]: OS X and Mobile Accounts

I have both Ubuntu and Linux machines. One of the goals is to have access to all of the same information regardless of where I log in, and to have it transparent to the machine that I’m actually using. Continue reading “[Network Administration]: OS X and Mobile Accounts”

[Network Administration]: Kerberized SSH

At this point, most of the infrastructure is in place. Now I could tie some other services together with this infrastructure. For my servers (not the kerberos KDC and LDAP directory), I’ve configured kerberized SSH. It’s a good starting point to see the benefits of single sign-on. Continue reading “[Network Administration]: Kerberized SSH”