Tuning the Open Directory Server


Part of configuring a directory server is tuning the server to provide secure yet responsive transactions.

LDAP Security Concerns

An LDAP database holds a lot of potentially sensitive account information. Mac OS X no longer requires that password hashes be stored in the directory; however, depending on your organization, you may still store contact information that should be restricted to legitimate members of your organization. For example, you probably wouldn't want a visitor on your network to get a list of all your employees or students. As you've seen with ldapsearch, it's a fairly straightforward task to query an LDAP server and dump the output to an LDIF file.

Another security concern is the vulnerability of the traffic on the network. You wouldn't want others to see your LDAP queries and results as they pass along the network.

Disallow Anonymous Binding

A standard install of Mac OS X Server allows anyone to browse the contents of your LDAP database, making it easy for client computers to connect, especially when using DHCP to configure the clients.

To secure your LDAP server, there are two ways to control binding (disallowing anonymous binding and using trusted binding), as shown in the following figure.

For better security, you can disable anonymous binding and limit access to authenticated users, requiring any connection to supply a valid user name and password for one of the users in the LDAP database. To disallow anonymous binding, add this line to /etc/openldap/slapd.conf:

disallow bind_anon


Then restart the LDAP process, slapd, or reboot the server.
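As an added example (not code from the book), the following POSIX shell script adds the disallow bind_anon directive to a slapd.conf-style file only if an uncommented copy is not already there, so it can be rerun safely. The text names /etc/openldap/slapd.conf; the helpers take the path as an argument so you can try them on a constructed copy first, and the function names and the sample configuration fragment are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the book: idempotently add "disallow bind_anon" to a
# slapd.conf-style file and confirm it took. The text names /etc/openldap/slapd.conf;
# the helpers take the path as $1 so they can be exercised on a constructed copy first.

# Return 0 if an uncommented "disallow" directive lists bind_anon. A commented-out
# "#disallow bind_anon" does not count: slapd would still accept anonymous binds.
anon_bind_disallowed() {
    grep -Eq '^[[:space:]]*disallow[[:space:]]+([^#]*[[:space:]])?bind_anon([[:space:]]|$)' "$1"
}

# Append the directive unless it is already present, keeping a backup copy.
ensure_anon_bind_disallowed() {
    if anon_bind_disallowed "$1"; then
        return 0
    fi
    cp "$1" "$1.bak" || return 1
    printf '\n# refuse anonymous binds\ndisallow bind_anon\n' >> "$1"
    anon_bind_disallowed "$1"
}

# Demonstration on a constructed slapd.conf fragment (sample content, not a real server file).
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
include         /etc/openldap/schema/core.schema
# disallow bind_anon      <- commented out, so anonymous binds are still allowed
database        bdb
suffix          "dc=example,dc=com"
EOF
    if anon_bind_disallowed "$tmp"; then echo "before: anonymous binds refused"; else echo "before: anonymous binds allowed"; fi
    ensure_anon_bind_disallowed "$tmp"
    if anon_bind_disallowed "$tmp"; then echo "after:  anonymous binds refused"; else echo "after:  anonymous binds allowed"; fi
    rm -f "$tmp" "$tmp.bak"
}
demo
```

After running it against the real file, restart slapd as the text says; an anonymous ldapsearch -x against the server should then be refused instead of returning entries, which is the check that the change actually took effect.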

Using Trusted Binding

Using Server Admin, you can configure an Open Directory master to allow or require trusted binding between the LDAP directory and the computers that access it. Replicas of the Open Directory master automatically inherit its binding policy.

Trusted LDAP binding is mutually authenticated. When you set up trusted binding, an authenticated computer record is created in the directory using an LDAP directory administrator's name and password; the computer then uses that record to prove its identity to the LDAP directory.

Where authenticated binding proves the identity of the client computer only, trusted binding proves the identity of both the client computer and the LDAP directory. Trusted binding is configured from the client computer using Directory Access.

Note

Clients need version 10.4 or later of Mac OS X or Mac OS X Server to use trusted LDAP binding. Clients using v10.3 or earlier won't be able to set up trusted binding.


Controlling Access to the Database

Access control lists (ACLs) are another way to secure your LDAP server. ACLs are specified in the AccessControls container in the LDAP directory. Each ACL specifies what a user can do to a specified container or object class in the LDAP database. Here's an example of a directory-service ACL:

access to attr=userPassword
    by self write
    by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
    by group/posixGroup/memberUid="<DN of your admin group>" write
    by * read


Write access to the userPassword attribute is limited to the owner of the entry (self), connections arriving over the local ldapi socket, and any user in the admin group. The last line allows any user to read the value. (Remember, in this case this is not the password but the password attribute.)
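As an added example (not code from the book), this POSIX shell script reads the userPassword ACL out of a slapd.conf-style file and reports what the catch-all "by *" clause grants, so you can confirm that anonymous clients get at most read access. The helper names are made up for this example; the sample ACL mirrors the one shown above with a constructed admin-group DN.

```shell
#!/bin/sh
# Added example, not code from the book: audit the userPassword ACL in a slapd.conf-style
# file and report what the catch-all "by *" clause grants. Function names are made up for
# this example; the sample ACL mirrors the text's, with a constructed admin-group DN.

# Print the "access to attr=userPassword" clause of $1 joined onto one line.
# slapd treats a line that starts with whitespace as a continuation of the previous
# directive, so the awk program reassembles the ACL the same way.
userpassword_acl() {
    awk '
        /^[ \t]/ { if (collecting) { sub(/^[ \t]+/, " "); buf = buf $0 }; next }
        {
            if (collecting) { print buf; collecting = 0 }
            if ($0 ~ /^access[ \t]+to[ \t]+attr=userPassword/) { buf = $0; collecting = 1 }
        }
        END { if (collecting) print buf }
    ' "$1"
}

# Print the access level the "by *" clause (everyone, anonymous included) grants on
# userPassword: "none" if there is no such clause (slapd then denies by default), or
# "missing" with a failure status if the ACL itself is absent.
anon_userpassword_access() {
    clause=$(userpassword_acl "$1")
    [ -n "$clause" ] || { echo missing; return 1; }
    level=$(printf '%s\n' "$clause" | sed -n 's/.*by \* \([a-z]*\).*/\1/p')
    echo "${level:-none}"
}

# Succeed only when everyone-else access is read or weaker; write (or manage) for "*"
# would let any client, anonymous ones included, overwrite the attribute.
anon_cannot_write_userpassword() {
    case "$(anon_userpassword_access "$1")" in
        none|disclose|auth|compare|search|read) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on a constructed configuration fragment.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
access to attr=userPassword
    by self write
    by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
    by group/posixGroup/memberUid="cn=admin,cn=groups,dc=example,dc=com" write
    by * read
access to *
    by * read
EOF
    echo "anonymous access to userPassword: $(anon_userpassword_access "$tmp")"
    rm -f "$tmp"
}
demo
```

Because slapd stops at the first "by" clause that matches a connection, the order matters: the self, ldapi and admin-group clauses must come before "by * read", which is the order the ACL above uses.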

Alternatively, you can use Workgroup Manager to assign directory domain administrator privileges for an account stored in the LDAP directory of an Open Directory master or a NetInfo domain. A user with administrator privileges for a directory domain can make changes to user accounts, group accounts, and computer list accounts stored in that domain using Workgroup Manager. After enabling the domain administration option for the user account, you can specify the editing capabilities for each account type.

Preventing Eavesdropping With SSL

In Server Admin, you can enable SSL to provide encrypted communications between the Open Directory server and the client computers. SSL uses a digital certificate to provide a certified identity for the server. You can use a self-signed certificate or one obtained from a certificate authority, such as VeriSign or Thawte.

Once you have the certificate, you can store it anywhere you want, but it's best to put it somewhere accessible only by the root user. Also, remove any passphrase from the certificate's private key, since OpenLDAP does not support passphrase-protected keys.

Enable SSL through Server Admin by choosing Enable Secure Sockets Layer (SSL) in the Protocols pane. After it has been enabled, choose the SSL certificate from the Certificate pop-up menu. To use a certificate not listed, choose Custom Configuration from the pop-up menu and supply the full path to the server's certificate and private key. If you created your own certificate, supply the one from the certificate authority.

To configure the LDAP server to listen only for SSL connections, you edit the launch arguments for slapd. The launch arguments are specified in /System/Library/LaunchDaemons/org.openldap.slapd.xml. Delete the ldap:/// entry under ProgramArguments, but leave the ldaps:/// entry.
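As an added example (not code from the book), this POSIX shell script removes the ldap:/// listener from a launchd property list while keeping ldaps:///, and refuses to make the change if no ldaps:/// listener is present, since that would leave slapd unreachable. The text names /System/Library/LaunchDaemons/org.openldap.slapd.xml; the helpers take the path as an argument so you can test them on a constructed copy. The sample plist and the function names are made up for this example, and the helper handles both layouts a plist might use: both URLs in one string after -h, or each URL in its own string.

```shell
#!/bin/sh
# Added example, not code from the book: make slapd listen for ldaps:// only by removing
# the "ldap:///" program argument from a launchd plist. The text names
# /System/Library/LaunchDaemons/org.openldap.slapd.xml; helpers take the path as $1.

# Print the LDAP listener URLs (ldap:/// and ldaps:///) found in <string> elements of $1,
# one per line. A <string> holding several space-separated URLs is split up.
listener_urls() {
    sed -n 's/^[[:space:]]*<string>\([^<]*ldaps\{0,1\}:\/\/\/[^<]*\)<\/string>[[:space:]]*$/\1/p' "$1" \
        | tr -s ' \t' '\n' | sed '/^$/d'
}

# Drop the plaintext ldap:/// argument, keeping ldaps:/// (and any ldapi:/// socket URL).
# Refuses to proceed if the result would leave no ldaps:/// listener at all.
remove_plaintext_listener() {
    listener_urls "$1" | grep -qx 'ldaps:///' \
        || { echo "refusing: no ldaps:/// listener in $1" >&2; return 1; }
    cp "$1" "$1.bak" || return 1
    # First expression: delete a <string> that holds only ldap:///.
    # Second: inside a <string> listing several URLs, remove just the ldap:/// token.
    sed -i.tmp \
        -e '/^[[:space:]]*<string>ldap:\/\/\/<\/string>[[:space:]]*$/d' \
        -e '/ldap:\/\/\//{s/\([[:space:]]\)ldap:\/\/\/[[:space:]]*/\1/;s/<string>ldap:\/\/\/[[:space:]]*/<string>/;s/[[:space:]]*<\/string>/<\/string>/;}' \
        "$1" && rm -f "$1.tmp"
    # Succeed only if no plaintext listener remains.
    ! listener_urls "$1" | grep -qx 'ldap:///'
}

# Demonstration on a constructed plist (sample content, not the real file).
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.openldap.slapd</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/slapd</string>
        <string>-h</string>
        <string>ldap:/// ldaps:///</string>
    </array>
</dict>
</plist>
EOF
    echo "before: $(listener_urls "$tmp" | tr '\n' ' ')"
    remove_plaintext_listener "$tmp"
    echo "after:  $(listener_urls "$tmp" | tr '\n' ' ')"
    rm -f "$tmp" "$tmp.bak"
}
demo
```

Restart slapd (or reboot, as the text says) after editing the real file, and keep the backup copy until clients have been switched to SSL in Directory Access; an ldapi:/// socket URL, if the plist lists one, is left alone because the ACL example earlier on this page relies on it.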

Once the server has been secured with SSL, you'll need to enable SSL on the client. In Directory Access on the client, choose SSL next to the LDAP entry for your server.

LDAP Indexing and Caching

Indexing increases the speed of queries by creating an indexed lookup table of attribute values, but it also increases the size of the LDAP database files on the server as well as the time of write operations.

The slapd_macosxserver.conf file specifies which attributes the server indexes. By default, only a few attributes, such as user name and user ID, are indexed. However, if you have the space and need better responsiveness, you can index other attributes by editing the configuration file. The more attributes you index on, the slower the performance during writes, since the index needs to be updated for the added attributes.

Changing the Default BerkeleyDB Cache Size

In Mac OS X Server v10.4, the BerkeleyDB cache size depends on the amount of RAM installed on your computer when the LDAP master is created.

If your computer has 256 MB of RAM, the default BerkeleyDB cache size will be 16 MB. If your computer has more than 256 MB of RAM up to 512 MB, the cache size will be 32 MB. If your computer has more than 512 MB of RAM, the default cache size will be 64 MB.

If you've added more RAM to the server, you can manually increase the BerkeleyDB cache size, using the RAM to cache ratios described above as your guideline. This helps improve overall LDAP performance.

To change the BerkeleyDB cache size, edit the file /var/db/openldap/openldap-data/DB_CONFIG and change the set_cachesize entry to one of the following:

  • For 4 MB: set_cachesize 0 4194304 1

  • For 16 MB: set_cachesize 0 16777216 1

  • For 32 MB: set_cachesize 0 33554432 1

  • For 64 MB: set_cachesize 0 67108864 1

Save the file and restart the server to apply your change.
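As an added example (not code from the book), this POSIX shell script turns the RAM-to-cache tiers above into a function and rewrites the set_cachesize line in a DB_CONFIG file accordingly. It assumes 256 MB of RAM or less maps to the 16 MB tier (the text states the 256 MB case exactly). The text names /var/db/openldap/openldap-data/DB_CONFIG; the helpers take the path as an argument so you can try them on a constructed copy, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the book: choose the BerkeleyDB cache size from installed
# RAM using the text's tiers (<=256 MB RAM -> 16 MB, <=512 MB -> 32 MB, more -> 64 MB)
# and write the matching set_cachesize line to a DB_CONFIG file. The text names
# /var/db/openldap/openldap-data/DB_CONFIG; the helpers take the path as an argument.

# Print the cache size in bytes for a machine with $1 MB of RAM.
cache_bytes_for_ram_mb() {
    if [ "$1" -le 256 ]; then
        echo 16777216      # 16 MB
    elif [ "$1" -le 512 ]; then
        echo 33554432      # 32 MB
    else
        echo 67108864      # 64 MB
    fi
}

# Replace (or add) the set_cachesize line in DB_CONFIG $1 with a cache of $2 bytes.
# The directive's fields are gigabytes, bytes and number of cache segments; the entries
# in the text use 0 GB, the byte count, and 1 segment.
set_db_cachesize() {
    file=$1; bytes=$2
    line="set_cachesize 0 $bytes 1"
    if grep -q '^set_cachesize' "$file" 2>/dev/null; then
        sed -i.bak "s/^set_cachesize.*/$line/" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# Print the byte value currently configured in DB_CONFIG $1 (empty if none).
configured_cache_bytes() {
    awk '$1 == "set_cachesize" { print $3 }' "$1"
}

# Demonstration on a constructed DB_CONFIG (sample content, not the real file).
demo() {
    tmp=$(mktemp) || return 1
    printf 'set_cachesize 0 16777216 1\n' > "$tmp"
    for ram in 256 512 1024; do
        set_db_cachesize "$tmp" "$(cache_bytes_for_ram_mb "$ram")"
        echo "$ram MB RAM -> set_cachesize bytes: $(configured_cache_bytes "$tmp")"
    done
    rm -f "$tmp" "$tmp.bak"
}
demo
```

As the text says, slapd must be restarted after DB_CONFIG changes; the backup the script leaves beside the file makes it easy to revert if the larger cache turns out to exceed what the server can spare.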

Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan