Re: Apple OS X 10.5 question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Jonathan, Dan,
Thank you for your help. After being sick for a few days I sat down with one of my Apple users. We are still unable to log in to OS X 10.5 after changing /etc/openldap/ldap.conf to the following... 

#BASE	dc=example, dc=com
#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never
#TLS_REQCERT	demand
TLS_REQCERT	never
Is there any direction you might offer? I've included a copy of my Template as an attachment. I believe I've kept it quite simple, maybe too simple. 

Thanks,
John

Attachment: OSX105-LDAP-Template.plist
Description: Binary data




On Feb 28, 2008, at 6:00 AM, dandantheitman wrote:


On 28/02/2008, Jonathan Barber <j.barber@xxxxxxxxxxxx> wrote:

On Wed, Feb 27, 2008 at 04:42:12PM -1000, John Call wrote:

Aloha list,

My university has been authenticating Mac OS X 10.4 clients to FDS
1.04 for about a year now. Things have been working great, as long as we keep an eye on the external SASL mechanisms. However, now that our 
staff is deploying the new OS X 10.5 things aren't working.  To the
best of our knowledge we have maintained the same client LDAP
configuration from 10.4 to 10.5, but the Apple clients refuse to
authenticate.  Has anybody else experienced this?



Are you doing SSL to the ldap? If so, check the clientside SSL
verification. I'm not big on the different Mac OS X versions, so can't say when it occured, but for one of the revisions we did see the default openldap SSL verification change from "never" to "demand" on the clients. 

I don't think we found a GUI widget to config this behaviour, but you
can via /etc/openldap/ldap.conf like linux.



Jonathon is 100% correct. Starting with OSX Leopard the ldap client
was 'locked down' to make it more secure out of the box.  The
TLS_REQCERT = never was revised to TLS_REQCERT = demand.

You either need to make the change on each client in
/etc/openldap/ldap.conf to reset it back to its previous state or you
shall need to do the following:

(01) Copy the cert to the client /etc/openldap/certs
(02) Add the following line to /etc/openldap/ldap.conf:
TLS_CACERT    /etc/openldap/certs/bright.newshinycert.com

Dan

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users



--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux