LDAP

  • OS X Lion accepts any LDAP password, creates enterprise network nightmare

    by Steve Sande
    08.29.2011

    There's nothing more frightening to a network administrator than a security hole that can open a network to attacks from outside. Unfortunately, the latest incarnation of Mac OS X, Lion, reportedly has a major security issue related to the Lightweight Directory Access Protocol (LDAP). LDAP directories often hold sensitive enterprise data, so a successful attack on one of these servers is a bonanza for attackers.

    For reasons that have not yet been explained, Macs running Lion that use LDAP to authenticate users to shared resources work just fine for the initial login. After that point, a Lion user can enter any password and still log in. Macs running older versions of OS X, Windows PCs, and Linux machines authenticate properly against the same LDAP servers; only the Lion machines exhibit the bad behavior. No such problem has been reported for Lion Macs logging into networks that authenticate with protocols other than LDAP.

    This issue is likely to worry network administrators who are already being pressured to add more Macs to their networks. Alex Stamos, a researcher at iSec Partners, recently argued that large corporate customers should think twice before deploying large numbers of Macs in enterprises. Speaking at the Black Hat security conference earlier this month, Stamos said that iSec Partners had found an easy way to steal hundreds of passwords from enterprise servers simply by connecting a Mac to the network. Network admins who see Macs as an open gate to their data are not going to be amenable to connecting the devices to their enterprise networks.
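    The failure mode described above, a client that validates the password once and then accepts anything, is exactly what a negative test catches: bind with the right password, then bind again with a wrong one and confirm the second attempt is refused. The following harness is an added example, not code from the article or from Apple. It takes any `bind(dn, password) -> bool` callable so it can be pointed at a real client or server; the two simulated clients, the test DN and the passwords are constructed for illustration only. The empty-password probe is a general LDAP caveat (an empty simple bind is an unauthenticated bind and can appear to succeed), not something the article reports.

```python
"""Negative-test harness for an LDAP authentication path (added example)."""
from typing import Callable, Dict, List, Tuple

BindFn = Callable[[str, str], bool]

# Constructed test identity: replace with a throwaway account in your directory.
TEST_DN = "uid=probe,ou=people,dc=example,dc=com"
GOOD_PW = "correct horse battery staple"
BAD_PW = "not-the-password"


def audit_bind(bind: BindFn, dn: str = TEST_DN, good_pw: str = GOOD_PW,
               bad_pw: str = BAD_PW) -> List[Tuple[str, bool, bool]]:
    """Run a fixed sequence of binds and return (label, expected, actual).

    Order matters: the correct password goes first so that a client which
    only validates once and then trusts cached state is exposed by the
    wrong-password attempts that follow.
    """
    steps = [
        ("correct password", good_pw, True),
        ("wrong password after success", bad_pw, False),
        ("correct password again", good_pw, True),
        ("wrong password again", bad_pw, False),
        ("empty password", "", False),  # general LDAP caveat, see lead-in
    ]
    return [(label, expected, bool(bind(dn, pw))) for label, pw, expected in steps]


def failures(results: List[Tuple[str, bool, bool]]) -> List[str]:
    """Labels of the steps whose outcome did not match the expectation."""
    return [label for label, expected, actual in results if expected != actual]


class StrictClient:
    """Simulated correct client: every bind is checked against stored credentials."""

    def __init__(self, creds: Dict[str, str]) -> None:
        self._creds = creds

    def bind(self, dn: str, pw: str) -> bool:
        # Refuse empty passwords outright so an unauthenticated bind cannot pass.
        return bool(pw) and self._creds.get(dn) == pw


class SessionCachingClient:
    """Simulates the reported misbehaviour: after one good bind, any password passes."""

    def __init__(self, creds: Dict[str, str]) -> None:
        self._creds = creds
        self._already_ok: set = set()

    def bind(self, dn: str, pw: str) -> bool:
        if dn in self._already_ok:
            return True  # the bug: cached success short-circuits the check
        if self._creds.get(dn) == pw:
            self._already_ok.add(dn)
            return True
        return False


if __name__ == "__main__":
    creds = {TEST_DN: GOOD_PW}  # constructed directory contents
    for name, client in (("strict", StrictClient(creds)),
                         ("session-caching", SessionCachingClient(creds))):
        bad = failures(audit_bind(client.bind))
        print(f"{name}: {'OK' if not bad else 'FAILED ' + ', '.join(bad)}")
```

    To run the same sequence against a real directory, pass a bind function that performs an actual simple bind, for example one wrapping ldap3's `Connection(server, user=dn, password=pw).bind()`, or reproduce the steps from a shell with `ldapwhoami -x -D "<dn>" -w "<password>"` and check the exit status of each attempt. Whatever the transport, the property to verify is that the second and fourth steps are refused every time, not just once.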

  • Why your school doesn't want boot camp

    by Jay Savage
    04.07.2006

    A trend I'd like to see go the way of the dodo: every time Apple introduces something new that doesn't seem to appeal to the average home user, the net lights up with wild speculation that it's for the education market. Most of the time it's not, and Boot Camp is no exception. The reaction to Boot Camp from MacEnterprise and other education and business Mac communities has not been positive. It's ranged from "wait and see" to "why me?" with most of the responses at the "why me?" end. Boot Camp is, in the words of University sysadmin and TUAW reader Jason Young, quite possibly "any IT staff member’s worst nightmare come true." And here are just a few of the reasons I think he's right:

    First, we live in a very imperfect world. Heterogeneous networks are messy, messy things. Sure, there are protocols for Active Directory, Open Directory, LDAP, DHCP, etc., but vendors do one of two things: fail to implement the spec properly, or add a bunch of proprietary bells and whistles that aren't part of the spec, are technically add-ons, but still seem to mysteriously cause hardware or software to fail when they aren't present. Throw a couple of DNS forwarding issues, some Cisco equipment and maybe a RADIUS server into the mix, and things get ugly fast. What's the admin's final line of defense against complete network chaos? Hardware addressing. Figure out what hardware is sitting at which MAC address, and build policies based on that. It's not ideal, but it's the way the real world works. If you can't predict the OS type from the MAC, your job becomes 10 times harder in a flash.

    Second, nobody actually wants to reboot. It's time consuming, stressful on the hardware, and just generally not too much fun. It also means getting users in the habit of interacting with the firmware, which is something sane sysadmins want to avoid at all costs. What admins, and others, want is real virtualization. Not dual booting. Not emulation and compatibility layers. Real virtualization. When Apple delivers that, there will be partying in the streets.

    Third, there's no support and it doesn't look like there's ever going to be. Unlike the rest of us peons, large education and enterprise clients spend a lot of money on premium AppleCare services. They have reps who know them by name, and part of what makes Macs appealing is that you call one number and get integrated hardware and OS support. If Apple won't support Windows, dual booting will mean buying a second support contract for the same machine. That more than negates the cost benefit of a single-machine solution. Beige boxes are cheap and procurement already has contracts with HP and Dell. There is, of course, a potential for third parties here to step up and become Apple Authorized Resellers offering pre-configured machines with support, but that's a niche market. Most organizations that buy Macs want to deal directly with Apple.

    And then for education tech support, there's the added fun of personal machines that people use to connect to the network...

    Individual admins, of course, are thrilled. Being able to dual-boot, say, a MacBook Pro means only needing one machine to administer everything. But supporting it for users? That's a different story.