LDAP Authentication from MAC OSX

etino · February 21, 2015, 3:49pm

Hi guys

I’m trying to add on my MAC OSX a Nethserver as Server account network for permit authentication with the users configurated on the server.

According to this article http://goo.gl/svuilV I’ve add the IP of my Nethserver test and it result active.

I’ve just added the ip address of the server, no other params are me asked and neither other I’ve set. The server seems be active and using dscl tool also queryable, but the users directory is empty.

stefano@iMac:~$ dscl
Entering interactive mode... (type "help" for commands)
 > ls
LDAPv3
Local

Contact
Search
 > cd LDAPv3/
/LDAPv3 > ls
192.168.1.12
/LDAPv3 > cd 192.168.1.12/
/LDAPv3/192.168.1.12 > ls
AccessControls
Augments
Automount
AutomountMap
CertificateAuthorities
ComputerGroups
ComputerLists
Computers
Config
FileMakerServers
Groups
Locations
Machines
Maps
Mounts
OLCBDBConfig
OLCFrontEndConfig
OLCGlobalConfig
OLCLDIFConfig
OLCOverlayDynamicID
OLCSchemaConfig
OrganizationalUnit
People
Places
PresetComputerGroups
PresetComputerLists
PresetComputers
PresetGroups
PresetUsers
Printers
Resources
UserAuthenticationData
Users
/LDAPv3/192.168.1.12 > ls Use
UserAuthenticationData 	Users 	
/LDAPv3/192.168.1.12 > ls Users
/LDAPv3/192.168.1.12 >

In the post, using this tool, the Users folders isn’t empty.

Does someone already made a similar configuration with success or have some ideas to use?

Thank you in advance.

davidep · February 21, 2015, 4:01pm

I’m not sure… If I recall correctly the LDAP requires STARTTLS and user authentication to browse People and Groups subtrees…

davidep · February 21, 2015, 4:03pm

…we could relax this requirement at least for clients in the green and trusted networks. What do you think?

davidep · February 23, 2015, 2:50pm

@Stll0 @etino (ping)

etino · February 23, 2015, 3:34pm

Probably I give up… for now.

I’ve achived the goal to read ldap directory from MAC OsX Directory Utiliy, viewing the Users present on the server.

According to this http://goo.gl/Fx1yD0, its necessary to make some personalization that go head the simple GUI wizard.

Knowing not much Ldap, for me this task is very expensive at this moment. Waiting future development, or on some more explicative how-to, I stay to watch.

However I remain available for testing potentials ideas that come from the community.

Stll0 · February 23, 2015, 5:29pm

What about keeping default like this and allow to change this option? I don’t like to release security policies.

Is it possible to specify an username/address to query LDAP with? If it is, you can use existing libuser account to retrieve data (if you are lazy) with this command:

# perl -e 'use NethServer::Directory; my $password = NethServer::Directory::getUserPassword("libuser", 0) ; printf $password;'

or create another ldap account to read account list (you can copy /etc/e-smith/events/actions/nethserver-ejabberd-conf action from nethserver-ejabberd package)

davidep · February 23, 2015, 5:37pm

Never ever bind to LDAP as libuser: it’s almost root-equivalent. If you’re lazy use your personal credentials!

Lincee · February 23, 2015, 6:57pm

Mind you, i’m not so much a linux man as i am Apple.
If memory serves correctly you need to use certain .schema files, (the OSX Server handles ldap a bit different) they are found on an OSX server, and i believe that makes an OSX Client work with a Linux server… i shall return later to this topic and see if i can provide you with some links

–

http://pig.made-it.com/ldap-mac.html

This is the most recent link i could find, i hope it helps a bit?

capote · May 7, 2020, 12:22pm

Taking up this theme I want to use client authentication against the NS-LDAP on my Macs (High Sierra, Mojave and Catalina)

My NS-Setup:

Start TLS: Disabled
users_groups.ShellOverride:true
Bind password: ########
Base DN: dc=directory,dc=nh
Bind DN: cn=ldapservice,dc=directory,dc=nh
LDAP URI: ldap://127.0.0.1
User DN: ou=People,dc=directory,dc=nh
Group DN: ou=Groups,dc=directory,dc=nh
two defined users (‘admin’ and ‘marko’)

Client side:

empty user directory:

If I try to authenticate me:

Whats I do wrong?

pike · May 7, 2020, 1:51pm

Maybe your OSX would like to use TLS?
http://support.apple.com/kb/TS3958

fausp · May 7, 2020, 2:44pm

Do you know this HowTo? - HowTo join macOS (Mojave) to NethServer 7.6 AD

capote · May 7, 2020, 2:48pm

if I activate SSL

the server goes offline

capote · May 7, 2020, 2:50pm

Do you mean LDAP will not work and I should use AD as Account Provider?
Or what else do you want to say me?

fausp · May 7, 2020, 2:52pm

Sorry, I didnt read the whole… But this (AD) could be a solution?

capote · May 7, 2020, 2:58pm

I’m not really familiar with LDAP an AD but AD seems more complex. Thats why I want to use the LDAP-Server and hope it provides enough functionality, because I don’t need to integrate Windows Systems, only Linux Servers and macOS-Clients.

fausp · May 7, 2020, 3:01pm

I did all my tests, Windows 10, Linux, MacOS, with AD and it was very easy to implement

capote · May 7, 2020, 3:36pm

I switched to AD and got immediate access.
Thanks @fausp

fausp · May 7, 2020, 3:38pm

You are welcome!