So we just started rolling out Lion to a few machines for testing and came across something that is extremely annoying, as well as related to a previous post I did detailing how to set up Directory Services.
Before Lion, one of the reported TrustInformation levels was Encryption, which identified whether the connection was over SSL. That trust level has been removed in Lion, so your choice is basically all or nothing. You can set your Directory Services binding up with all the Kerberos, two-way, man-in-the-middle protection, authenticated etc. trust, but that requires a lot of manual intervention. The whole point of my process is that I run a single .pkg and it installs the whole computer without me having to manually type in passwords and such (and placing the password in the script file really doesn't gain any security, since anybody can read it).
So, what we have done for now, until we can find a better way, is to lower the MCXScriptTrust setting to Anonymous. As far as security considerations go, here is what that means:
- We use static IP addresses on all our directory clients, so DHCP injection is not an issue.
- If somebody manages to take control of our internal DNS server, they could redirect the ldap.hdcnet.org name to an IP address of a rogue server and use that to run scripts as root on the clients at login.
- If, while we have ldap.hdcnet.org down for maintenance, somebody launches a rogue server on the same IP address, they could use that to run scripts as root on the clients at login.
- If somebody manages to gain root (admin) access to the client machine, they can manually add their own server to the machine.
Our take on this is that yes, it is still a security hole and we don't like the fact that Apple removed the Encryption value for TrustInformation, but the amount of time it will save us is worth the small risk. The only two major security holes are the middle two, and it would be pretty noticeable to us that something had been compromised, as it would affect the ability of users to authenticate.
LDAPSSL Install Script
We also had to make a small change to the post-install script used by the LDAPSSL package. The first change was to the MCXScriptTrust value I already mentioned, changing it from Encryption to Anonymous.
The second change was to add two lines to the top of the script to restart the (new in Lion) opendirectoryd daemon, so that it reloads the new SSL certificates. The top of the script now looks like this:
#!/bin/sh
#
# Restart the (new in Lion) opendirectoryd daemon so it picks up the SSL
# certificates this package just installed.
sudo killall opendirectoryd
sleep 3
# Enable MCX login scripts and accept them from the directory server without
# requiring an authenticated or encrypted trust level (Lion removed "Encryption").
sudo defaults write com.apple.loginwindow EnableMCXLoginScripts -bool true
sudo defaults write com.apple.loginwindow MCXScriptTrust Anonymous
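One way to narrow the rogue-server risk listed above while still avoiding typed passwords: have the post-install script pin the server certificate the package deploys and only write MCXScriptTrust Anonymous after the host answering on ldap.hdcnet.org actually presents it. This is an added example, not the LDAPSSL package's own script; port 636, the placeholder fingerprint and the --install flag are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original LDAPSSL post-install script.
# Before MCXScriptTrust is lowered to Anonymous, confirm that whatever is
# answering on the directory server's name presents the certificate we
# deployed. A rogue host on the DNS name or IP, or an empty answer while
# the real server is down, fails the check and the install stops instead
# of trusting an unauthenticated server with root login scripts.

LDAP_HOST="ldap.hdcnet.org"   # name used in the post
LDAP_PORT="636"               # assumption: LDAP over SSL on the default port
# Constructed placeholder; replace with the fingerprint of the certificate
# the package installs (openssl x509 -noout -fingerprint -sha256 -in cert.pem).
EXPECTED_FP="SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"

# Print the SHA-256 fingerprint line of the certificate the server presents.
# Assumes an OpenSSL that accepts -sha256 for x509 -fingerprint.
fetch_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Succeed only when the observed fingerprint is non-empty and equals the
# expected one (case- and whitespace-insensitive); anything else fails.
fingerprint_matches() {
    observed=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -d ' ')
    expected=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]' | tr -d ' ')
    [ -n "$observed" ] && [ "$observed" = "$expected" ]
}

# MCXScriptTrust value the install may write: Anonymous only after the
# pinned certificate was seen, otherwise "none" (leave scripts disabled).
trust_for_fingerprint() {
    if fingerprint_matches "$1" "$EXPECTED_FP"; then echo "Anonymous"; else echo "none"; fi
}

main() {
    fp=$(fetch_fingerprint "$LDAP_HOST" "$LDAP_PORT")
    if [ "$(trust_for_fingerprint "$fp")" != "Anonymous" ]; then
        echo "certificate check failed for $LDAP_HOST; not enabling MCX login scripts" >&2
        exit 1
    fi
    sudo killall opendirectoryd
    sleep 3
    sudo defaults write com.apple.loginwindow EnableMCXLoginScripts -bool true
    sudo defaults write com.apple.loginwindow MCXScriptTrust Anonymous
}

# Only perform the install when invoked as "sh script.sh --install" (assumed
# convention); sourcing the file without the flag just defines the functions.
if [ "${1:-}" = "--install" ]; then main; fi
```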