I needed to get the SASL passthrough working since I have some things that need to bind to the LDAP server. Specifically, I need to be able to authenticate to my Synology NAS with my LDAP account. Till now, I’ve just used NFS permissions to mount the shares to the system (mainly using the automounter getting the information from the LDAP server). If I need to allow clients to bind to the LDAP server as authentication, then I’ll need to have access to the password. I store my passwords in the Kerberos KDC, but I can have LDAP pass the authentication through to a SASL backend instead of storing the passwords locally in the directory.
Continue reading “[Network Administration] : OpenLDAP and SASL Passthrough”
To go with the Kerberized Postfix that I’ve put in place, I also added Kerberized IMAP to it as well. This will allow me to authenticate the IMAP server with my Kerberos tickets. This works similarly. I’m using Carnegie Mellon’s Cyrus IMAP server (although CMU has migrated all of it’s accounts over to Google since). The Cyrus server supports GSSAPI natively, and other mechanisms through their SASL implementation. Using GSSAPI, I can now connect from my mail client and access my IMAP mailbox using my already granted ticket.
Continue reading “[Network Administration] : Kerberized IMAP”
I updated my mail server and connected this into the kerberized system that was put in place earlier. Previously I had my mail accounts defined in a MYSQL database, which worked alright, but was really more of a hassle since any password changes needed to be done both in the system, and in the mysql database which was used by postfix. Either I had a single password, and needed to update both databases if it was changed, or I had to let them diverge. I’ll need an authentication mechanism so that I can submit mail from the mail client (MUA) for delivery. This time, I connected postfix, which I use as my MTA, to the Kerberos server to do the authentication. Postfix supports SASL mechanisms for authentication and can use it for both GSSAPI and PLAIN authentication against the Kerberos system. The postfix website has a whole page describing use of SASL with Postfix. I used Cyrus SASL from Carnegie Mellon University to do the authentication.
Continue reading “[Network Administration] : Kerberized Postfix”
At this point, most of the infrastructure is in place. Now I could tie some other services together with this infrastructure. For my servers (not the kerberos KDC and LDAP directory), I’ve configured kerberized SSH. It’s a good starting point to see the benefits of single sign-on. Continue reading “[Network Administration]: Kerberized SSH”
I’ve also enabled Kerberos authentication and LDAP authorization on my OSX machine in addition to Linux machines. OSX supports Kerberos out of the box and deploys it for authentication against an OSX server. Also, the native OpenDirectory implementation is OpenLDAP, so we should be able to talk with our LDAP directory. Additionally, we’ve generated the directory entries with the records that we’ll need for OSX authorization, we just need to enable it. Continue reading “[Network Authentication]: OS X Kerberos Authentication and LDAP Authorization”
Once principals are added to the Keberos Database, and the account information is added to the LDAP directory, then the client Linux machines can be configured to access the information and allow for network accounts to be used. Continue reading “[Network Administration]: Linux Kerberos Authentication and LDAP Authorization”
First thing that I need is a system for authentication. This means a method where systems can verify the identity of anything that wants to access services. This is different than authorization, which will determine what services are granted access. I’m just saying services instead of machines since being able to log into a machine does not necessarily mean that the user would have access to every service that a machine can provide. I’ll be using a system developed at MIT called Kerberos. Continue reading “[Network Administration]: Kerberos Authentication Service”