Category: Security

Configuring Dovecot to authenticate FreeIPA users using Kerberos (with Single Sign On)

monitorI have also posted this article on the FreeIPA.org project wiki which is linked here

The below details will walk you through how to add a Red Hat Enterprise Linux 6.2 system to an IPA domain, and then configure Dovecot to allow single sign on to user mailboxes with IMAP/S.

Details of this example are as follows

   Domain name: example.com
   IPA Server: ds01.example.com
   Dovecot Server: mail01.example.com
   IPA Client: workstation01.example.com
   IPA User: user1 and user2

Please Note: This guide describes using SSL combined with Dovecot to deliver IMAPS support. This guide is not designed to cover how to create a valid SSL vertificate. This guide uses the default dovecot generated certificate and it is HIGHLY recommended that if you wish to deploy this into a production environment, that you replace this certificate with your own trusted/validated certificate Read more

Deploying Postfix with LDAP (FreeIPA) virtual aliases and Kerberos Authentication

monitorFor those of you looking for a way to set up Postfix so your client base can login with Single Sign On, this article is for you.

Here we will be walking through configuring postfix for the following criteria:

  1. LDAP based User lookups (In this article I have used FreeIPA 3.0)
  2. Single Sign On authentication for mail sending.
  3. Enabling TLS based connections using FreeIPA as the Certificate Authority.

Please be aware that this article does not cover accessing a user’s mailbox as this is covered in the following article.

Before I continue I’d like to thank Loris Santamaria and Anthony Messina from the freeipa-users@redhat.com mailing list for their assistance in getting this solution working.

Details used in this article are as follows:
FreeIPA Servers: ds01.example.com, ds02.example.com
Postfix Server: mail.example.com
IPA Test user: ipauser1

Read more

Fencing with switch

dbPrerequisites:

  1. A managed switch supporting SNMP
  2. Write access to the switch through SNMP

The idea behind this method is to either isolate the entire node or isolate the node from shared storage. The way this is done is to call the switch using the proper command to disable one or more port(s) on the switch and doing so effectively avoid the node from being able to start a VM or CT on the shared storage since no route will exists to the shared storage from the node. Restoring the access to the shared storage requires operator intervention on the switch or by running the fence command with the option to open the port(s) again. If the nodes are using bonding you need to disable the bridge aggregation on the switch and not the individual ports which is members of the bridge aggregation.

Read more

1 2