Paranoid Penguin - Single Sign-On and the Corporate Directory, Part II

Ti Leggett continues his series on building a secure corporate directory.

Once you've set these, make sure to restart sshd.

Unfortunately, RHEL v3's sshd supports an older GSSAPI mechanism, called simply gssapi, which is susceptible to a man-in-the-middle attack: the client proves it holds a Kerberos ticket, but nothing ties that proof to the particular SSH session, so an attacker in the middle can relay it. It has been replaced by the gssapi-with-mic mechanism, in which the client also sends a MIC (message integrity code) over the session identifier, and that is what both RHEL v4 and Gentoo use. If you're unsure which mechanism your sshd supports, enable GSSAPI authentication in sshd_config, restart sshd, and then attempt to ssh in with the verbose flag (ssh -v). The client prints the list of authentication methods the server offers (the "Authentications that can continue" line), which shows you which GSSAPI mechanism it supports. If you ssh from a client that uses one mechanism to a server that uses the other, the GSSAPI exchange fails and you'll be prompted for your password instead. This is because credentials are passed slightly differently, and incompatibly, under each mechanism.
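Here is an added example, not from the article, of doing that check from a script: it parses the "Authentications that can continue" line that ssh -v prints and reports whether the server advertises gssapi-with-mic, only the older gssapi method, or no GSSAPI method at all. The sample transcripts inside it are constructed, not captured from a real host, so the parser can be exercised without a Kerberized sshd.

```shell
#!/bin/sh
# Added example (not from the article): classify an sshd's GSSAPI offer from
# `ssh -v` output. OpenSSH prints the server's offer as
#   "debug1: Authentications that can continue: method1,method2,..."

# gssapi_methods: read ssh -v output on stdin, print one GSSAPI method per line.
gssapi_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' \
        | tr ',' '\n' | grep '^gssapi' | sort -u
}

# classify_gssapi: read ssh -v output on stdin and print one of
#   with-mic  server offers gssapi-with-mic (session ID is MIC-protected)
#   legacy    server offers only the old "gssapi" method (MITM-susceptible)
#   none      no GSSAPI method offered (GSSAPIAuthentication off, or no GSSAPI support)
classify_gssapi() {
    methods=$(gssapi_methods)
    if printf '%s\n' "$methods" | grep -qx 'gssapi-with-mic'; then
        echo with-mic
    elif printf '%s\n' "$methods" | grep -qx 'gssapi'; then
        echo legacy
    else
        echo none
    fi
}

# probe_host HOST: run the check against a live server. BatchMode suppresses
# any password prompt; we only need the server's authentication offer, which
# ssh prints right after the initial "none" attempt, whether or not we get in.
probe_host() {
    ssh -v -o BatchMode=yes "$1" true 2>&1 | classify_gssapi
}

# Constructed sample transcripts (not captured from real hosts).
SAMPLE_NEW='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic'
SAMPLE_OLD='debug1: Authentications that can continue: publickey,gssapi,password
debug1: Next authentication method: gssapi'
SAMPLE_OFF='debug1: Authentications that can continue: publickey,password'

# Stand-alone demo: prints with-mic, legacy, none (one per sample).
for s in "$SAMPLE_NEW" "$SAMPLE_OLD" "$SAMPLE_OFF"; do
    printf '%s\n' "$s" | classify_gssapi
done
```

Against a real server, `probe_host client.example.com` gives the same one-word verdict; anything other than with-mic means that host should not be relied on for GSSAPI single sign-on until its sshd is upgraded.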

Our ultimate goal is for users to type their password only once per day and never have that password go across the wire. So why go through all this trouble if your users send their password over the wire every time they check e-mail? Fortunately, more e-mail clients are starting to support the GSSAPI mechanism. Unfortunately, if you're a Mozilla Thunderbird user, you're out of luck (as of this writing). A few other options exist, however; for example, both KDE's KMail v1.8 and Ximian Evolution v2.2 have GSSAPI support. I've never used KMail, so I'll stick to what I know. Configuring Evolution to use GSSAPI is simple. Just select GSSAPI as the authentication type under both the Receiving and Sending Email tabs (Figure 1). If you set the Use Secure Connection option to Whenever Possible, Evolution uses StartTLS to secure the data transport. Note that Whenever Possible is opportunistic: if the server doesn't advertise STARTTLS, or something in the middle strips the advertisement, Evolution falls back to a cleartext connection. GSSAPI keeps the password itself off the wire either way, but the mail traffic gets no such protection, so choose Always if your IMAP and SMTP servers support TLS.

Figure 1. Evolution 2.2 Account Preferences

Mac OS X Clients

Starting with Tiger (v10.4), Apple has Kerberized almost all portions of the operating system. If you need to incorporate Panther (v10.3) clients into your infrastructure, contact me for information; a good deal more work is required. Tiger, however, is relatively easy.

Start by editing the Kerberos configuration file in /Library/Preferences/. This file is quite similar to its Linux counterpart, /etc/krb5.conf, with some very minor changes. Ours looks like Listing 3.

With Kerberos configured, the next step is to create a keytab for the host and place it in /etc/krb5.keytab. You can run kadmin from the OS X client, but because the version that ships with v10.4 is slightly buggy, you need to append the -O option, which forces kadmin to use the older AUTH_GSSAPI RPC authentication flavor:

# /usr/sbin/kadmin -p <admin princ> -O
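As an added example (not the article's own procedure), the following script wraps that kadmin step and adds the two checks a practitioner wants afterwards: that the keytab is mode 0600, since anyone who can read it holds the host's long-term key, and that it actually contains a host/<fqdn> principal. The keytab path, the host/<fqdn>@REALM principal form and the klist -k sample are assumptions; the sample is constructed so the parsing can be exercised off the client.

```shell
#!/bin/sh
# Added example (not from the article): create and verify the OS X client's
# host keytab. KEYTAB and the host/<fqdn> principal form are assumptions.
KEYTAB=/etc/krb5.keytab

# make_host_keytab ADMIN_PRINC: extract a fresh host key into KEYTAB, using
# the -O flag the article calls for on 10.4. ktadd randomizes the host key
# and bumps its kvno, so any other copy of this host's keytab becomes stale.
make_host_keytab() {
    admin=$1
    fqdn=$(hostname -f 2>/dev/null || hostname)
    /usr/sbin/kadmin -p "$admin" -O -q "ktadd -k $KEYTAB host/$fqdn"
    chmod 600 "$KEYTAB"
}

# keytab_principals: read `klist -k` output on stdin, print unique principals.
# Entry lines look like "   3 host/client.example.com@EXAMPLE.COM" (kvno, principal).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# keytab_mode_ok FILE: true if FILE is a regular file with mode exactly 0600.
# The keytab is the host's long-term key; it must not be group/world readable.
keytab_mode_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm 600 -print)" ]
}

# check_keytab FILE FQDN: run both checks against a live keytab.
check_keytab() {
    keytab_mode_ok "$1" || { echo "bad mode on $1 (want 0600)" >&2; return 1; }
    klist -k "$1" | keytab_principals | grep -q "^host/$2@" \
        || { echo "no host/$2 principal in $1" >&2; return 1; }
    echo "$1 ok"
}

# Constructed `klist -k` output (not from a real keytab) to exercise the parser.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/client.example.com@EXAMPLE.COM
   3 host/client.example.com@EXAMPLE.COM'

# Stand-alone demo: prints host/client.example.com@EXAMPLE.COM
printf '%s\n' "$SAMPLE_KLIST" | keytab_principals
```

On the client itself the sequence is `make_host_keytab admin/admin` followed by `check_keytab /etc/krb5.keytab "$(hostname -f)"`; if the mode check fails, the keytab was readable by more than root and should be regenerated, not just chmod'ed, since its key may already have been copied.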

That's it for Kerberos authentication with Tiger.

Unfortunately, at the time of this writing, a bug causes the machine's authentication subsystem to hang when a network user attempts to use sudo while having valid Kerberos credentials. I'm working with Apple to resolve this issue, so check back with me to find the solution.

Mac OS X does not use nsswitch for name-service resolution. Instead, it uses what it calls Directory Services. I explain how to modify Directory Services via a GUI called Directory Access, but ultimately the GUI makes its modifications to two files: /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist and /Library/Preferences/DirectoryService/SearchNodeConfig.plist.

The GUI utility can be found in /Applications/Utilities. First, enable the LDAPv3 plugin, then select it and click the Configure button. Once inside, click the Show Options drop-down, and then click New to define a new LDAP server. Enter your LDAP server's name, make sure all three check boxes are checked (Figure 2), and click Continue. Next, choose RFC 2307 (Unix) as the template, enter your LDAP base, click Continue and define a Configuration Name. That's it!

You can refine how Directory Services searches the directory, much as you can with /etc/ldap.conf under Linux. If you highlight the directory service and click Edit, it brings up some more advanced options. Click on the Search & Mappings tab. There you'll see a list labeled Record Types and Attributes. For each of those you can select and then define a more specific search base (Figure 3). Click OK twice, and then Apply to save your changes.

Figure 2. Creating a New OS X LDAP Directory Connection

Figure 3. Refining OS X LDAP Searches

Of course, you'll want to verify that your directory changes are correct and working. OS X has a command-line utility, dscl, that is used to query not only an LDAP directory but also a NetInfo directory, NIS directory or any other directory listed in Directory Access. First, we should make sure we can query our LDAP server directly:

# dscl localhost list \

If you run dscl without any options, you are given usage instructions and left at an interactive prompt. Here are two more examples of using dscl:

# dscl localhost list /Search/Users
# dscl localhost read /Search/Users/leggett

Here we use the /Search directory, which acts on all enabled directories. So, if you have local users in a NetInfo directory and also LDAP users, /Search acts on both of those directories, merging the results for display. The second example uses the read action to show the detailed information for the leaf specified, /Search/Users/leggett in this case. The dscl utility can be helpful when all you have is console access to your OS X machine.

Having verified that our LDAP users are available, we need to create local home directories for the LDAP users we've just enabled:

# install -d -o leggett /Users/leggett
# ln -sf /Users /home

Two caveats: pass -g with the user's LDAP primary group as well, or the directory ends up group-owned by whatever group install runs under; and ln -sf only does what you want if /home does not already exist. If /home is already a directory, ln silently creates the link as /home/Users instead, so check for it first.
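Here is an added example, not from the article, that performs those two steps for every directory user and handles the cases the one-liners don't: it passes the LDAP primary group to install, skips homes that already exist, and refuses to link /home when /home is already a real directory. The LDAP node name and the sample user list are assumptions; the sample is constructed so the script can be run in a scratch directory on any Unix, not just the OS X client.

```shell
#!/bin/sh
# Added example (not from the article): provision home directories for
# directory users on an OS X client and link /home to /Users safely.
# ROOT is a path prefix (normally "") so the functions can run in a scratch tree.

# make_home ROOT USER UID GID: create ROOT/Users/USER owned by UID:GID,
# mode 0700. Without -g, install(1) would give the directory the invoking
# process's group (wheel when run as root), not the user's LDAP primary group.
make_home() {
    root=$1 user=$2 uid=$3 gid=$4
    home="$root/Users/$user"
    if [ -d "$home" ]; then
        echo "exists: $home"
        return 0
    fi
    if [ "$(id -u)" -eq 0 ]; then
        install -d -m 0700 -o "$uid" -g "$gid" "$home"
    else
        install -d -m 0700 "$home"   # chown needs root; skipped in a dry run
    fi
}

# link_home ROOT: make ROOT/home a symlink to ROOT/Users. `ln -sf /Users /home`
# is only right if /home does not exist yet; if /home is already a directory,
# ln silently creates /home/Users inside it instead, so refuse that case.
link_home() {
    root=$1
    if [ -e "$root/home" ] && [ ! -L "$root/home" ]; then
        echo "refusing: $root/home exists and is not a symlink" >&2
        return 1
    fi
    ln -sfn "$root/Users" "$root/home"   # -n: replace an existing link, don't descend into it
}

# provision_homes ROOT: one make_home per "user:uid:gid" line read on stdin.
provision_homes() {
    while IFS=: read -r user uid gid; do
        [ -n "$user" ] && make_home "$1" "$user" "$uid" "$gid"
    done
}

# list_ldap_users [NODE]: on the OS X client, emit "user:uid:gid" lines from the
# LDAP node. The default node name is a placeholder (assumption). Listing
# /Search/Users instead would also return local NetInfo users, whose homes exist.
list_ldap_users() {
    node=${1:-/LDAPv3/ldap.example.com}
    for u in $(dscl localhost list "$node/Users"); do
        uid=$(dscl localhost read "$node/Users/$u" UniqueID | awk '{print $2}')
        gid=$(dscl localhost read "$node/Users/$u" PrimaryGroupID | awk '{print $2}')
        echo "$u:$uid:$gid"
    done
}

# Constructed sample (not real directory data) standing in for list_ldap_users.
SAMPLE_USERS='leggett:1001:1001
alice:1002:1001'

# Stand-alone demo in a scratch tree; on the real client run
#   list_ldap_users | provision_homes "" && link_home ""
demo_root=$(mktemp -d)
printf '%s\n' "$SAMPLE_USERS" | provision_homes "$demo_root"
link_home "$demo_root" && ls -l "$demo_root/home/"
rm -rf "$demo_root"
```

The script is idempotent: rerunning it reports the homes that already exist and changes nothing, which is what you want from something run after each batch of new LDAP accounts.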

OS X v10.4 has finer-grained policies than standard POSIX permissions for controlling access to certain aspects of the OS. By default, members of the group admin have administrator privileges. However, this group is stored locally in each machine's NetInfo directory, and I've been told it's very bad to remove or rename it. You also can't override this group with an LDAP group named admin, because the search order for directories always consults the local NetInfo directory first. To use an LDAP group in place of the local group's role, you need to edit the file /etc/authorization. This is a standard Apple plist-formatted file, and it defines roles for different aspects of the system. If you change lines that look like: