
Thread: How to authenticate OSX clients from 11.0 LDAP Server

  #1 Drommy (NNTP User)

    How to authenticate OSX clients from 11.0 LDAP Server

    I have been scratching my head at this one for a while.

    Has anybody managed to set up a SuSE openldap server to correctly authenticate logins on OSX clients ?

    I am currently trying to get an 11.0 LDAP server to provide user authentication services to OSX clients (MacBooks running Tiger and Leopard). I am unable to get the MacBooks to authenticate users using the default configuration on the server. Conversely, the LDAP service does not start if I include the commonly advocated schema extensions to support Apple clients (samba.schema and apple.schema, sourced from a Leopard system).

    In its standard configuration, the server happily provides LDAP, IPP and NFS services to other 11.0 clients and responds to ldapsearch queries run on the OSX clients, but does not authenticate login attempts on the latter.

    If I include the above-mentioned schema extensions, the LDAP service then fails to start altogether, with the following notification in /var/log/messages:

    Jul 21 18:30:26 dobby slapd[28068]: @(#) $OpenLDAP: slapd 2.4.9 (Jun 6 2008 22:00:39) $ abuild@klempnerei:/usr/src/packages/BUILD/openldap-2.4.9/servers/slapd
    Jul 21 18:30:26 dobby slapd[28068]: slapd stopped.
    Jul 21 18:30:26 dobby slapd[28068]: connections_destroy: nothing to destroy.
    Jul 21 18:30:26 dobby startproc: startproc: exit status of parent of /usr/lib/openldap/slapd: 1


    Is there any way to make slapd accept these schemas without choking, or alternatively to convince the OSX clients to play straight with the default installation?

  #2 m0 (Join Date: Jun 2010, Posts: 1)

    Re: How to authenticate OSX clients from 11.0 LDAP Server

    Hi,
    The thread is a bit old, but since I have had a running solution with OpenLDAP on openSUSE since 2005, I want to share it anyway.

    As you mentioned, there is a way to get the OS X client to work, by editing the schema in the Directory Access app (pre 10.6) or via the Network Account Server button in the Login Options pane of System Preferences (10.6).

    As you can see from the results of a Google search for "osx ldap setup", there are plenty of universities describing their setup. You can even save these settings by entering your root DN to let the client write ou=macosxodconfig to your LDAP server root. A live view on the directory is recommended; it didn't happen on the first try on my server.

    But when you want to work with a client with all the Apple bells and whistles:
    1. Load the Apple schema. By checking the requirements (in my case by running slapd -d<RTFM slapd.conf(5) loglevel>), I wrote myself a preload.schema, which was a copy-and-paste of the objectclasses and attributes required before the Apple schema. These guys were too lazy or in a hurry; just by getting everything in the right order, it loads (samba.schema et al. required).
    Apple loads the schema files (at least pre 10.5) with schemacheck=off.
    2. Maybe you want to have a look at a working OS X Open Directory server, especially at its slapcat or ldapcat output. When looking at a full tree dump, you can see all the different settings of Apple's dscl(1) client saved in the directory. Even usage restrictions of applications in user profiles can be decoded. Most of the stuff is the application's plist XML file in a string attribute, which I think is a rather disappointing representation. Maybe Apple will add a real key-value representation later.

    Apple uses an unmodified OpenLDAP server in their client and server products. The schema and tree configurations are the base of their Open Directory server. But integration in a Unix login-via-LDAP environment works fine.

    This is my first post here; I hope it helps.
    Last edited by m0; 08-Jun-2010 at 01:02. Reason: added the osx schemacheck=off
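The "get everything in the right order" step above is what the slapd startup failure in post #1 usually comes down to: slapd parses schema files sequentially, and an objectclass whose SUP, MUST or MAY names an attribute type (or superior class) that an earlier include has not yet defined makes it exit, as does a name defined twice (the trap when a hand-made preload.schema overlaps the file included after it). The script below is an added example, not code from either poster: it replays candidate include orders over schema text and reports exactly those two failure classes before you touch slapd.conf. The three schema excerpts are constructed stand-ins: the core attributes use their real RFC 4512/4519 OIDs, everything else lives under 2.999, the arc reserved for examples, and the samba-like and apple-like contents are invented for illustration, not the real samba.schema or apple.schema.

```python
import re
from typing import List, Tuple

# Constructed sample schema files. Only the core attributes carry real OIDs;
# the samba-like and apple-like definitions are placeholders under 2.999.
CORE_SCHEMA = """\
attributetype ( 2.5.4.0 NAME 'objectClass'
    DESC 'RFC4512: object classes of the entity'
    EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
attributetype ( 2.5.4.41 NAME 'name'
    EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
"""
SAMBA_LIKE_SCHEMA = """\
# stand-in for samba.schema
attributetype ( 2.999.1.1 NAME 'x-samba-sid' DESC 'stand-in for a SID attribute'
    EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectclass ( 2.999.1.2 NAME 'x-sambaAccount' SUP top AUXILIARY MUST x-samba-sid )
"""
APPLE_LIKE_SCHEMA = """\
# stand-in for apple.schema: it references an attribute from the samba-like file
attributetype ( 2.999.2.1 NAME 'x-apple-homeurl'
    EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 2.999.2.2 NAME 'x-apple-user' SUP top AUXILIARY
    MAY ( x-apple-homeurl $ x-samba-sid $ cn ) )
"""
CORE = ("core.schema", CORE_SCHEMA)
SAMBA = ("samba-like.schema", SAMBA_LIKE_SCHEMA)
APPLE = ("apple-like.schema", APPLE_LIKE_SCHEMA)

NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))", re.I)
SUP_RE = re.compile(r"\bSUP\s+(?:\(([^)]*)\)|'?([\w.-]+)'?)", re.I)
LIST_RE = re.compile(r"\b(MUST|MAY)\s+(?:\(([^)]*)\)|([\w.-]+))", re.I)
DESC_RE = re.compile(r"\bDESC\s+'[^']*'", re.I)


def logical_definitions(text: str) -> List[str]:
    """One string per definition: like slapd, treat a line starting with
    whitespace as a continuation and skip blank lines and '#' comments."""
    defs: List[str] = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and defs:
            defs[-1] += " " + stripped
        else:
            defs.append(stripped)
    return defs


def _refs(list_group, single_group) -> List[str]:
    """Lower-cased names from a 'SUP top' or 'MAY ( a $ b )' style operand."""
    if single_group:
        return [single_group.lower()]
    return [t.strip().strip("'").lower() for t in (list_group or "").split("$") if t.strip()]


def _defined_names(body: str) -> List[str]:
    m = NAME_RE.search(body)
    if not m:
        return ["<unnamed>"]
    if m.group(1) is not None:
        return [m.group(1).lower()]
    return [n.lower() for n in re.findall(r"'([^']*)'", m.group(2))]


def check_include_order(schemas: List[Tuple[str, str]]) -> List[str]:
    """Replay schema files in slapd.conf include order; report every reference
    to a not-yet-defined name and every name that gets defined a second time."""
    known_attrs: set = set()
    known_classes: set = set()
    problems: List[str] = []
    for filename, text in schemas:
        for definition in logical_definitions(text):
            body = DESC_RE.sub("", definition)  # DESC text may contain keywords
            kind = body.split(None, 1)[0].lower()
            if kind not in ("attributetype", "objectclass"):
                continue
            is_class = kind == "objectclass"
            known = known_classes if is_class else known_attrs
            names = _defined_names(body)
            where = f"{filename}: {kind} '{names[0]}'"
            for m in SUP_RE.finditer(body):  # superior must already exist
                for ref in _refs(m.group(1), m.group(2)):
                    if ref not in known:
                        problems.append(f"{where} has undefined superior '{ref}'")
            if is_class:  # MUST/MAY attribute types must already exist
                for m in LIST_RE.finditer(body):
                    for ref in _refs(m.group(2), m.group(3)):
                        if ref not in known_attrs:
                            problems.append(f"{where} lists undefined attribute '{ref}' in {m.group(1).upper()}")
            for n in names:
                if n in known:
                    problems.append(f"{where} is defined twice")
            known.update(names)
    return problems


if __name__ == "__main__":
    for label, order in (("apple before samba", [CORE, APPLE, SAMBA]),
                         ("samba before apple", [CORE, SAMBA, APPLE])):
        found = check_include_order(order)
        print(f"{label}: {'loads' if not found else 'fails'}")
        for p in found:
            print("  " + p)
```

Run it as-is and the apple-before-samba order is flagged for the x-samba-sid reference while the reverse order is clean; point it at the real files by reading them into the tuples in the order of your `include` lines. It is an approximation of slapd's parser (no OID-only references, no `olc*` cn=config form), so keep `slaptest -f /etc/openldap/slapd.conf` as the authoritative check once the order looks right; the script's value is that it names the offending definition and the missing dependency without restarting the service.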
