Today was another heavy day.
We dealt a lot with encryption and security issues, then moved on to OpenDirectory.
We used openssl to generate a self-signed certificate for testing purposes, and used it to encrypt LDAP-based OpenDirectory network logins. We manually walked through the self-signing process rather than using /System/Library/OpenSSL/misc/CA.pl, I guess to make sure we knew how painful a process this is.
We then generated a happy DSA keypair for automated authentication over SSH, which is very nice for scripting remote servers. We talked extensively about SSH and preventing network attacks. We covered network security in general, but only briefly, as that would be the subject of another class.
We then set up the OpenDirectory server and imported 15000 users. Don't use Workgroup Manager to do this. It will take your entire life to complete. Workgroup Manager can handle about 1000 users at a time without bogging down, so if you want to do it that way you can, but ldapadd is your happy friend here.
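An added example, not code from the class or from Apple: a small Python script that writes the LDIF file such a bulk ldapadd import reads, applying the RFC 2849 rule for when a value must be base64-encoded and refusing uid values that are unsafe to place in a DN. The base DN, object classes and attribute set are assumptions.

```python
"""Generate LDIF for a bulk ldapadd import (added example, not the class's code).

Assumptions (not from the post): container ou=people,dc=example,dc=com and the
standard inetOrgPerson/posixAccount object classes. No userPassword attribute
is written: on Open Directory the password lives in the Password Server, not
in the LDAP record.
"""
import base64
import re

BASE_DN = "ou=people,dc=example,dc=com"  # assumed
PRIMARY_GID = 20                          # assumed (macOS 'staff')

# RFC 2849: a value must be base64-encoded ("attr:: ...") if it starts with a
# space, ':' or '<', or contains NUL, CR, LF or any non-ASCII character.
_UNSAFE_START = re.compile(r"^[ :<]")
_UNSAFE_BODY = re.compile(r"[\x00\r\n\x80-\U0010FFFF]")
# Only these characters go into the uid RDN; anything else (',', '+', '=',
# '"', '\\', '<', '>', ';', '#', ...) would need RFC 4514 escaping.
_SAFE_UID = re.compile(r"[A-Za-z0-9._-]+")


def ldif_attr(name: str, value: str) -> str:
    """Render one 'name: value' line, switching to 'name:: base64' when needed."""
    if _UNSAFE_START.search(value) or _UNSAFE_BODY.search(value):
        b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {b64}"
    return f"{name}: {value}"


def safe_uid(uid: str) -> bool:
    """True when uid can be embedded in a DN without escaping."""
    return _SAFE_UID.fullmatch(uid) is not None


def user_entry(uid: str, cn: str, sn: str, uid_number: int) -> str:
    """One user as an LDIF entry: DN line, object classes, then attributes."""
    if not safe_uid(uid):
        raise ValueError(f"uid {uid!r} is not safe to place in a DN")
    lines = [
        f"dn: uid={uid},{BASE_DN}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        ldif_attr("uid", uid),
        ldif_attr("cn", cn),
        ldif_attr("sn", sn),
        ldif_attr("uidNumber", str(uid_number)),
        ldif_attr("gidNumber", str(PRIMARY_GID)),
        ldif_attr("homeDirectory", f"/Users/{uid}"),
    ]
    return "\n".join(lines) + "\n"


def build_ldif(users, first_uid_number: int = 1001) -> str:
    """users: iterable of (uid, cn, sn). Entries are separated by a blank line."""
    return "\n".join(user_entry(uid, cn, sn, first_uid_number + i)
                     for i, (uid, cn, sn) in enumerate(users))
```

Write the result to a file and load it with `ldapadd -x -D <admin DN> -W -f users.ldif`; constructed names like "Zoë" show up as `cn:: Wm/Dqw==` rather than raw UTF-8 in the file.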
Apple in 10.2 was using NetInfo for directory services, which while it handled things adequately, was not very good for controlling access to the domain records. In 10.2 any user authenticated into the domain could dump all the records from the root domain. You could then run dictionary attacks against the password hashes and gather user IDs and other fun info. 10.3 does not allow this any more. Now directory information is held by OpenDirectory, which is basically OpenLDAP with some Apple object extensions. LDAP has a ton of options for securing its information, and is more standard in the industry. Passwords are kept in the password server, and are unretrievable even by the admin. This is a good thing.
We then started on the Single Sign-on chapter, but it really was about Kerberos and understanding how it works. We set up AFP and Mail to authorize using Kerberos and then used Ethereal to packet-sniff the network for clear-text passwords. This encouraged me to get SSL working on my mail servers again. While Kerberos will protect your login information, it won't encrypt mail contents, so SSL is necessary.
Tomorrow we delve even deeper into Kerberos, and discuss replication of our LDAP server and disk quotas. Fun stuff. See you tomorrow.