Leopard Server: Using ACLs with Open Directory

Posted on February 7, 2008. Filed under: Leopard, OSX, Servers, Software, Web Development | Tags: , , , |

In Leopard, Workgroup Manager supports rudimentary ACLs for the LDAP database. We’re all familiar with Access Control Lists by now. Especially in the Mac OS X Server community. However, we might not all be familiar with ACLs as they’re implemented in LDAP. But we should be, because LDAP is being used more and more as an address book, and with the new Directory application being shipped in Leopard it is conceivable that environments aren’t just going to use ACLs to secure LDAP but they’re also going to use them to allow users to self update their information in the directory. So in the interest of security and making the most out of the technologies build into LDAP, let’s cover LDAP ACLs for a bit. So to push beyond what you can do in Workgroup Manager, let’s take a look at building out more finely grained ACLs manually. (more…)

Read Full Post | Make a Comment ( None so far )

Apple Remote Desktop Directory-based Authentication

Posted on February 7, 2008. Filed under: Leopard, OSX, Servers, Software | Tags: , , , , , , |

One of the great gems of Apple Remote Desktop 2, and while it’s not hidden in the documentation, no one seems to have sung its virtues – until now.
You’re going to love how easy this is…

I’m making a couple assumptions here, so before we start, here they are: You already have ARD 2 installed and set up to administer your client machines with a local account. You have LDAP set up, and your client machines are already bound into the domain.

The theory behind this is creating groups in Workgroup Manager, and then adding users who you want to be authorized to use ARD into those groups. There are 4 groups, ard_admin, ard_interact, ard_manage and ard_reports.

ard_admin will have access to all functions of ARD, ard_interact is simply interaction (like you’d get with VNC alone) with the client, ard_manage allows for more advanced features, and ard_reports can only generate reports from the ARD clients. For a clearer idea, check out the Interact, Manage and Reports items in the menubar of ARD.

Create your groups in Workgroup Manager – you don’t need to add all 4, you can pick and choose which you would like, and they can be created with any GID, it’s only the name which must be exact. Then add your ARD administrative users to their appropriate groups.

To set up the clients, you can either create your own Client Installer, or you can change your existing client settings (under the Manage menu bar item). Using the “Change Client Settings” as an example, click through the screens until you get to the “Incoming Access” screen. From here click the “Set authorized groups to:” checkbox. Keep continuing through once you’ve done this, and eventually you’ll be able to set your selecting machines with these settings.

Do check out some of the other options you can apply to your client machines using this tool, it allows you to set up, or remove local admin users, and set up other tools like openWBEM.

Once you’ve pushed out these setting to your clients, set up the computers you wish to manage in ARD, and put yourself into one of the ard_* groups, you can use your own username and password to add the clients to your computer lists. This will also make your administrative life much easier if you want different ARD users to have different abilities.

Read Full Post | Make a Comment ( None so far )

  • Blog Stats

    • 159,565 hits
  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 21 other followers

Liked it here?
Why not try sites on the blogroll...