• Mac OS X Server

    Mac OS X: 2 Factor Authentication

    CRYPTOCard can be used to provide two-factor authentication.  It can easily be integrated into the VPN server for Mac OS X, although it will take a little while to get it integrated into Open Directory.  However, it's cost-effective and available for OS X.

  • Mac OS X Server

    Mac OS X Server: Does My Name and Host Name match?

    Two utilities worth noting here: changeip and scutil.  You can check whether your name and hostname match using changeip.  It looks the system up in DNS, compares that with the name the system has for itself, and lets you know if they match: changeip -checkhostname  You can also use scutil to see what the hostname is: scutil --get HostName  If you want to change the hostname: scutil --set HostName <new hostname>  As for DNS, if the name server runs on the system you're sitting at, then you can edit the zone files on that system.  Use dig to check whether the name in DNS (forward and reverse) matches the hostname.  Think FQDN here btw, with Server…
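    As an added example (not part of the original post), here is the same check done by hand with scutil and dig, split so the comparison can be exercised on constructed values without touching DNS: check_match takes the hostname, its forward A record and the PTR name of that address and reports whether they agree and whether the name is an FQDN; live_check gathers those three values from the running system.  The sample names and the 192.0.2.10 address in the usage are assumptions.

```shell
#!/bin/sh
# Added example: does the hostname agree with forward and reverse DNS?
# Not code from the original post. Functions only; run live_check on the server.

# Normalise a DNS name for comparison: lowercase, no trailing dot (dig prints one).
norm_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# check_match HOSTNAME FORWARD_IP REVERSE_NAME
# Prints OK and returns 0 when the hostname is an FQDN, resolves to an address,
# and that address reverses to the same name. Otherwise prints why and returns 1.
check_match() {
    host=$(norm_name "$1"); fwd="$2"; rev=$(norm_name "$3")
    [ -n "$fwd" ] || { echo "no A record for $host" >&2; return 1; }
    [ -n "$rev" ] || { echo "no PTR record for $fwd" >&2; return 1; }
    case "$host" in
        *.*) ;;
        *) echo "not an FQDN: $host" >&2; return 1 ;;
    esac
    if [ "$host" = "$rev" ]; then
        echo "OK"
    else
        echo "MISMATCH: $host -> $fwd -> $rev"
        return 1
    fi
}

# Gather the three values from the live system (HostName, then A, then PTR).
live_check() {
    host=$(scutil --get HostName)
    fwd=$(dig +short "$host" A | head -n 1)
    rev=$(dig +short -x "$fwd" | head -n 1)
    check_match "$host" "$fwd" "$rev"
}

# Usage on the server: . ./hostcheck.sh && live_check
# Usage on constructed values (assumed names and address):
#   check_match server.example.com 192.0.2.10 server.example.com.
```

    If changeip -checkhostname and this script disagree, trust neither until you have looked at the zone: changeip only reports on the first A record, and a host with several addresses needs a PTR for each.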

  • Mac OS X,  Mac OS X Server,  Mac Security,  Mass Deployment

    Mac OS X Server 10.5: Managed Preferences Update

    I originally posted this at http://www.318.com/TechJournal If you're familiar with Managed Preferences in Tiger then you're basically already familiar with Managed Preferences in Leopard Server. But there are some great new features that Apple has provided us with by popular demand. These include the following: Applications: There are now more features in the Applications Managed Preference. You can allow or disallow applications by selecting them individually or by folder. This means that you can allow access to applications located in the /Applications folder but disallow all applications located in the /Applications/Utilities folder. There are also now controls for allowing specific widgets and for disabling Front Row. Finder: There are new options…

  • Mac OS X Server

    Mac OS X Server 10.5: LDAP ACLs

    I originally posted this at http://www.318.com/TechJournal In Leopard, Workgroup Manager supports rudimentary ACLs for the LDAP database. We're all familiar with Access Control Lists by now, especially in the Mac OS X Server community. However, we might not all be familiar with ACLs as they're implemented in LDAP. But we should be, because LDAP is being used more and more as an address book, and with the new Directory application shipping in Leopard it is conceivable that environments aren't just going to use ACLs to secure LDAP but are also going to use them to allow users to self-update their information in the directory. So in the interest…

  • Mac OS X Server

    Mac OS X Server 10.5: Self Updating Directory Entries

    I originally posted this at http://www.318.com/TechJournal If you're migrating to Leopard and Leopard Server then you've likely noticed the welcome addition of a new program in /Applications/Utilities called Directory. Directory allows users bound into an Open Directory environment to update LDAP records, provided they have access to do so. Using LDAP ACLs it's possible to give users access to update their own directory information through an LDAP directory browser such as Directory. When you open Directory you should see a listing of all of the directory information that has been created. From here you can create Shared Contacts, Groups, Locations and Resources. Each of these can be connected to a…
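    As an added example of the LDAP ACL both the "LDAP ACLs" and "Self Updating Directory Entries" entries above are describing (not from the original posts, and not Apple's shipped configuration): an OpenLDAP slapd.conf access directive that lets a user edit a few contact attributes on their own entry while other authenticated users can only read them.  The attribute list is an assumption; on OS X Server the directives usually live in /etc/openldap/slapd.conf or the slapd_macosxserver.conf it includes, but check your own server before editing.

```conf
# Added example (assumed slapd.conf fragment). slapd uses the first "access to"
# clause whose "to" part matches the attribute, so put this before the
# catch-all "access to *" or it will never be reached.

# Contact details a user may keep current on their own record (assumed list).
# "self" is the entry the user bound as, so this only works when Directory.app
# authenticates as that user rather than anonymously.
access to attrs=telephoneNumber,mobile,street,l,postalCode,jpegPhoto
    by self write
    by users read
    by * none

# Everything else: authenticated users read, nobody else sees anything.
access to *
    by users read
    by * none
```

    Keep "self write" limited to contact attributes.  Granting it on attributes the system trusts, such as uidNumber, gidNumber, homeDirectory or group membership, would let a user change their own identity rather than their phone number.  The directory administrator does not need a clause here: the rootdn bypasses access directives.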

  • Mac OS X

    Mac OS X: Trusted Binding

    In Directory Access, click Services and authenticate.  Then select LDAPv3 in the list of services and click Configure.  Next, select the server configuration of interest and click Edit, or click the plus icon, type in the name of the server and click Bind.  When prompted, enter the name of the computer and the name and password of an LDAP directory domain admin account.  Then click OK to bind.
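    For more than a handful of machines you would script the same trusted bind rather than click through Directory Access.  As an added example (not from the original post), here is the dsconfigldap equivalent: -f forces an authenticated bind, which is what creates the computer record on the Open Directory master.  The server name od.example.com, the admin account name and the DIRADMIN_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Added example: scripted trusted (authenticated) LDAPv3 bind with dsconfigldap.
# Not code from the original post. Assumes od.example.com is the OD master and
# that the directory admin password is supplied in DIRADMIN_PASS.
set -u

# Computer record name for the bind: the short, left-most label of the host's
# name in lowercase, which is what you would type in the computer name field.
computer_id_from_hostname() {
    printf '%s' "$1" | cut -d. -f1 | tr 'A-Z' 'a-z'
}

# trusted_bind SERVER ADMIN COMPUTER_ID
# -f force an authenticated bind, -a add the server, -n name the configuration,
# -c the computer ID, -u/-p the directory admin credentials.
trusted_bind() {
    server="$1"; admin="$2"; cid="$3"
    [ -n "${DIRADMIN_PASS:-}" ] || { echo "DIRADMIN_PASS not set" >&2; return 1; }
    dsconfigldap -f -v -a "$server" -n "$server" -c "$cid" \
        -u "$admin" -p "$DIRADMIN_PASS"
}

# verify_bind SERVER COMPUTER_ID
# After a trusted bind the computer record should be readable in the LDAP node.
verify_bind() {
    server="$1"; cid="$2"
    dscl "/LDAPv3/$server" -read "/Computers/$cid" RecordName
}

# Usage: DIRADMIN_PASS='...' sh trustedbind.sh bind od.example.com diradmin
case "${1:-}" in
    bind)
        cid=$(computer_id_from_hostname "$(scutil --get HostName)")
        trusted_bind "${2:?server}" "${3:?admin}" "$cid" && verify_bind "$2" "$cid"
        ;;
esac
```

    dsconfigldap takes the password as an argument, so it is visible in the process list for as long as the command runs; run it from the console or a deployment tool that does not leave shell history behind, not from a shared login session.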

  • Mac OS X Server

    Kerberos Keys

    Kerberos uses keys to protect what it transmits between hosts.  There are two kinds: session keys, which the KDC generates for each ticket, and long-term service keys, which are stored in a keytab file on each host that runs a Kerberized service (the KDC keeps the keys of every principal in its own database).  The KDC (Key Distribution Center) then hands out session keys as needed.  To see the service keys on a host (the keytab is readable only by root, so use sudo): klist -k /etc/krb5.keytab

  • Active Directory,  Mac OS X Server,  Mac Security

    What is a Kerberos Realm

    A realm is the administrative domain served by one Kerberos database.  That database lives on one computer (the KDC) and can be replicated to read-only slave KDCs (kinda' like a cluster).  Each realm has entries in the following files under /private/var/db/krb5kdc/:
      .k5.FQDN.OF.REALM (the stash file holding the master key that encrypts the database)
      kdc.conf (configuration file for the KDC)
      kadm5.acl (access control list for the kadmin administration service)