On 28/02/2008, Jonathan Barber <j.barber@xxxxxxxxxxxx> wrote:
> On Wed, Feb 27, 2008 at 04:42:12PM -1000, John Call wrote:
> > Aloha list,
> >
> > My university has been authenticating Mac OS X 10.4 clients to FDS
> > 1.04 for about a year now. Things have been working great, as long as
> > we keep an eye on the external SASL mechanisms. However, now that our
> > staff is deploying the new OS X 10.5 things aren't working. To the
> > best of our knowledge we have maintained the same client LDAP
> > configuration from 10.4 to 10.5, but the Apple clients refuse to
> > authenticate. Has anybody else experienced this?
>
> Are you doing SSL to the ldap? If so, check the client-side SSL
> verification. I'm not big on the different Mac OS X versions, so can't
> say when it occurred, but for one of the revisions we did see the default
> openldap SSL verification change from "never" to "demand" on the clients.
>
> I don't think we found a GUI widget to config this behaviour, but you
> can via /etc/openldap/ldap.conf like linux.

Jonathan is 100% correct. Starting with OSX Leopard the ldap client was
'locked down' to make it more secure out of the box. The TLS_REQCERT = never
was revised to TLS_REQCERT = demand.

You either need to make the change on each client in /etc/openldap/ldap.conf
to reset it back to its previous state, or you shall need to do the following:

(01) Copy the cert to the client /etc/openldap/certs
(02) Add the following line to /etc/openldap/ldap.conf:
     TLS_CACERT /etc/openldap/certs/bright.newshinycert.com

Dan

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
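The two fixes Dan describes differ a lot in what they leave the client trusting: TLS_REQCERT never makes the bind work by skipping server certificate verification entirely, while TLS_CACERT keeps the Leopard default of demand and gives the client a CA to verify against. The following is an added example, not code from the thread or from Fedora Directory Server: a small audit function that reads an OpenLDAP client ldap.conf and reports which of the two states it is in, run over constructed sample files (the hostnames and paths in them are placeholders).

```bash
#!/bin/sh
# Added example (not from the thread). Classify an OpenLDAP client ldap.conf:
#   weak            - TLS_REQCERT is never/allow: the server cert is not enforced
#   ok              - verification is demanded and TLS_CACERT names a readable file
#   missing-cacert  - verification is demanded but no usable TLS_CACERT, so TLS
#                     binds will fail (the 10.5 symptom described in the thread)
audit_ldap_conf() {
    conf="$1"
    # Drop comments; if a directive appears more than once, the last one wins.
    reqcert=$(sed -e 's/#.*//' "$conf" | awk 'toupper($1)=="TLS_REQCERT"{v=$2} END{print v}')
    cacert=$(sed -e 's/#.*//' "$conf" | awk 'toupper($1)=="TLS_CACERT"{v=$2} END{print v}')
    # OpenLDAP's default when TLS_REQCERT is unset is "demand" (what Leopard ships).
    [ -z "$reqcert" ] && reqcert=demand
    case $(printf '%s' "$reqcert" | tr 'A-Z' 'a-z') in
        never|allow)
            echo weak ;;
        *)
            if [ -n "$cacert" ] && [ -r "$cacert" ]; then
                echo ok
            else
                echo missing-cacert
            fi ;;
    esac
}

# Constructed sample configs illustrating the three states (placeholder names).
demo() {
    d=$(mktemp -d)
    # Option 1 from the thread: put verification back to the pre-Leopard "never".
    printf 'BASE dc=example,dc=edu\nURI ldaps://ldap.example.edu\nTLS_REQCERT never\n' > "$d/weak.conf"
    # Option 2 from the thread: keep "demand" and point TLS_CACERT at the copied CA cert.
    printf 'BASE dc=example,dc=edu\nTLS_REQCERT demand\nTLS_CACERT %s/ca.pem\n' "$d" > "$d/ok.conf"
    : > "$d/ca.pem"
    # Leopard default with the CA cert never copied over: binds fail.
    printf 'BASE dc=example,dc=edu\nTLS_CACERT /etc/openldap/certs/missing.pem\n' > "$d/missing.conf"
    for f in weak ok missing; do
        printf '%s: %s\n' "$f" "$(audit_ldap_conf "$d/$f.conf")"
    done
    rm -rf "$d"
}

demo
```

Pointing it at a real client's /etc/openldap/ldap.conf shows at a glance whether the "fix" applied there was the weak one or the one that keeps verification on.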