LDAP Authentication from MAC OSX

etino · 2015-02-21 15:49:35 UTC

Hi guys

I’m trying to add on my MAC OSX a Nethserver as Server account network for permit authentication with the users configurated on the server.

According to this article http://goo.gl/svuilV I’ve add the IP of my Nethserver test and it result active.

I’ve just added the ip address of the server, no other params are me asked and neither other I’ve set. The server seems be active and using dscl tool also queryable, but the users directory is empty.

stefano@iMac:~$ dscl
Entering interactive mode... (type "help" for commands)
 > ls
LDAPv3
Local

Contact
Search
 > cd LDAPv3/
/LDAPv3 > ls
192.168.1.12
/LDAPv3 > cd 192.168.1.12/
/LDAPv3/192.168.1.12 > ls
AccessControls
Augments
Automount
AutomountMap
CertificateAuthorities
ComputerGroups
ComputerLists
Computers
Config
FileMakerServers
Groups
Locations
Machines
Maps
Mounts
OLCBDBConfig
OLCFrontEndConfig
OLCGlobalConfig
OLCLDIFConfig
OLCOverlayDynamicID
OLCSchemaConfig
OrganizationalUnit
People
Places
PresetComputerGroups
PresetComputerLists
PresetComputers
PresetGroups
PresetUsers
Printers
Resources
UserAuthenticationData
Users
/LDAPv3/192.168.1.12 > ls Use
UserAuthenticationData 	Users 	
/LDAPv3/192.168.1.12 > ls Users
/LDAPv3/192.168.1.12 >

In the post, using this tool, the Users folders isn’t empty.

Does someone already made a similar configuration with success or have some ideas to use?

Thank you in advance.

davidep · 2015-02-21 16:01:38 UTC

I’m not sure… If I recall correctly the LDAP requires STARTTLS and user authentication to browse People and Groups subtrees…

davidep · 2015-02-21 16:03:34 UTC

…we could relax this requirement at least for clients in the green and trusted networks. What do you think?

davidep · 2015-02-23 14:50:43 UTC

@Stll0 @etino (ping)

etino · 2015-02-23 15:34:15 UTC

Probably I give up… for now.

I’ve achived the goal to read ldap directory from MAC OsX Directory Utiliy, viewing the Users present on the server.

According to this http://goo.gl/Fx1yD0, its necessary to make some personalization that go head the simple GUI wizard.

Knowing not much Ldap, for me this task is very expensive at this moment. Waiting future development, or on some more explicative how-to, I stay to watch.

However I remain available for testing potentials ideas that come from the community.

Stll0 · 2015-02-23 17:29:49 UTC

What about keeping default like this and allow to change this option? I don’t like to release security policies.

Is it possible to specify an username/address to query LDAP with? If it is, you can use existing libuser account to retrieve data (if you are lazy) with this command:

# perl -e 'use NethServer::Directory; my $password = NethServer::Directory::getUserPassword("libuser", 0) ; printf $password;'

or create another ldap account to read account list (you can copy /etc/e-smith/events/actions/nethserver-ejabberd-conf action from nethserver-ejabberd package)

davidep · 2015-02-23 17:37:10 UTC

Never ever bind to LDAP as libuser: it’s almost root-equivalent. If you’re lazy use your personal credentials!

Lincee · 2015-02-23 18:57:34 UTC

Mind you, i’m not so much a linux man as i am Apple.
If memory serves correctly you need to use certain .schema files, (the OSX Server handles ldap a bit different) they are found on an OSX server, and i believe that makes an OSX Client work with a Linux server… i shall return later to this topic and see if i can provide you with some links

–

http://pig.made-it.com/ldap-mac.html

This is the most recent link i could find, i hope it helps a bit?