Jonathan, Dan,

Thank you for your help. After being sick for a few days I sat down with one of my Apple users. We are still unable to log in to OS X 10.5 after changing /etc/openldap/ldap.conf to the following...

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_REQCERT demand
TLS_REQCERT never

Is there any direction you might offer? I've included a copy of my Template as an attachment. I believe I've kept it quite simple, maybe too simple.

Thanks,
John

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OSX105-LDAP-Template.plist
Type: application/octet-stream
Size: 2112 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20080304/9c935e9d/attachment.obj

On Feb 28, 2008, at 6:00 AM, dandantheitman wrote:

> On 28/02/2008, Jonathan Barber <j.barber at dundee.ac.uk> wrote:
>> On Wed, Feb 27, 2008 at 04:42:12PM -1000, John Call wrote:
>>> Aloha list,
>>>
>>> My university has been authenticating Mac OS X 10.4 clients to FDS 1.04 for about a year now. Things have been working great, as long as we keep an eye on the external SASL mechanisms. However, now that our staff is deploying the new OS X 10.5 things aren't working. To the best of our knowledge we have maintained the same client LDAP configuration from 10.4 to 10.5, but the Apple clients refuse to authenticate. Has anybody else experienced this?
>>
>> Are you doing SSL to the ldap? If so, check the client-side SSL verification. I'm not big on the different Mac OS X versions, so can't say when it occurred, but for one of the revisions we did see the default openldap SSL verification change from "never" to "demand" on the clients.
>>
>> I don't think we found a GUI widget to config this behaviour, but you can via /etc/openldap/ldap.conf like linux.
>
> Jonathan is 100% correct. Starting with OSX Leopard the ldap client was 'locked down' to make it more secure out of the box. The TLS_REQCERT = never was revised to TLS_REQCERT = demand.
>
> You either need to make the change on each client in /etc/openldap/ldap.conf to reset it back to its previous state or you shall need to do the following:
>
> (01) Copy the cert to the client /etc/openldap/certs
> (02) Add the following line to /etc/openldap/ldap.conf:
> TLS_CACERT /etc/openldap/certs/bright.newshinycert.com
>
> Dan
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
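As an added example (not part of the thread or of any project's code), a small Python audit of the two ldap.conf states discussed above: the client file with TLS_REQCERT never, and the hardened form Dan describes (TLS_REQCERT demand plus a pinned TLS_CACERT). It reads ldap.conf the way libldap does (comments skipped, keys case-insensitive, later lines override earlier ones) and flags settings under which the client will not verify the directory server's certificate; the sample configs and the CA file path are constructed, not taken from the thread.

```python
from typing import Dict, List

# Constructed sample: the client file from the thread, verification disabled.
WEAK_CONF = """\
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#TLS_REQCERT demand
TLS_REQCERT never
"""

# Constructed sample: the hardened form Dan's reply describes. The CA file
# path is an assumption, not a path from the thread.
HARDENED_CONF = """\
BASE dc=example,dc=com
URI ldaps://ldap.example.com
TLS_REQCERT demand
TLS_CACERT /etc/openldap/certs/example-ca.pem
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse ldap.conf: one 'KEY value' per line, '#' comments and blank
    lines ignored, keys case-insensitive, later occurrences override."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit_tls(opts: Dict[str, str]) -> List[str]:
    """Return findings describing how the client will (not) verify the
    directory server's certificate. libldap's default for TLS_REQCERT
    is 'demand', which matches the Leopard behaviour Dan describes."""
    findings: List[str] = []
    reqcert = opts.get("TLS_REQCERT", "demand").lower()
    has_ca = bool(opts.get("TLS_CACERT") or opts.get("TLS_CACERTDIR"))
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not "
                        "verified, so a spoofed server can capture binds")
    elif not has_ca:
        findings.append(f"TLS_REQCERT {reqcert} without TLS_CACERT or "
                        "TLS_CACERTDIR: binds fail unless the CA is already "
                        "in the system trust store")
    return findings
```

Running audit_tls(parse_ldap_conf(...)) on the first sample reports the unverified-certificate finding, on the second it reports nothing, and on a file that sets TLS_REQCERT demand without a CA it reports the missing-CA condition that breaks logins the way the thread describes.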