MacLdapAuthSnowLeopard: Difference between revisions

From LLL

Revision as of 04:55, 24 November 2010


Setting up LDAP access to LLL server on a Macintosh client

This page describes how to set up LDAP authentication over SSL on Mac OS X 10.6 (Snow Leopard).


Disable or set up SSL certificate verification

  • Open a terminal by clicking on the "Applications" icon in the dock (see red arrow in image below)
  • Click Utilities folder
  • Click Terminal

Applications

  • Edit the OpenLDAP client configuration with <code>sudo vi /etc/openldap/ldap.conf</code> and add <code>TLS_REQCERT never</code> at the end (removing or commenting out any other <code>TLS_REQCERT</code> setting that might be there) if you want to disable SSL certificate verification. With this setting the client accepts whatever certificate the server presents, so it no longer proves it is talking to the real LLL server.
  • To keep verification instead, add <code>TLS_CACERT /path/to/cacert.pem</code> (where cacert.pem is the certificate of the CA that signed the server certificate, which must first be copied to the Mac).

Open Directory access

Click on the Apple menu and choose "System Preferences":

Accessing the System Preferences


Click Accounts:

System Preferences


Click "Login Options" (lower left), and add a "Network Account Server":

Accounts configuration


Open Directory Utility:

Opening Directory Utility


  1. Double-click the padlock (lower left of the directory access window) and enter an admin user name and password until the padlock is open
  2. Select "LDAPv3" in list
  3. Click the pen icon to "Configure"

Choose LDAPv3


Click "New" to add a new configuration for connecting to your LDAP server:

Add a new connection configuration


Pick a configuration name, enter your server's name or IP address, tick "Encrypt using SSL", leave the default port (636), and click OK when done:

Configuring your connection to LDAP

  • Click on the tab "Search and Mappings", and the dialog below should be shown
  • Pick "RFC 2307 (Unix)" template
  • Enter <code>dc=lll,dc=lu</code> as the search base

Configuring your connection to LDAP


  • Click Mounts in the left-hand pane
  • Enter <code>ou=Mounts,dc=lll,dc=lu</code> as the search base
  • Tick "first level only"

N.B. It is expected that the template setting changes automatically from <code>RFC 2307</code> to <code>Custom</code> as soon as you change any of the settings.

Mounts configuration

  • Click Users in the left-hand pane
  • Enter <code>ou=People,dc=lll,dc=lu</code> as the search base
  • Tick "first level only"

Users configuration


  • Click Groups in the left-hand pane
  • Enter <code>ou=Groups,dc=lll,dc=lu</code> as the search base
  • Tick "first level only"
  • Click OK

Groups configuration

  • Click "Search Policy" icon in Top Bar, and add your newly defined server using the + icon

Adding your new connection to the search policy


On some newer versions of Mac OS, you may need to click the "Search Policy" icon at the top of the "Directory Utility" window (it is only clickable when no service is currently being edited: click OK or Cancel to dismiss the service editor first), and then add the newly defined service to the list.

Testing

Now it is time for testing.

opening a terminal

  • Open a terminal as described above (Applications button, then Utilities/Terminal)
  • In the terminal, enter <code>dscl localhost list /Search/Users</code>. This displays a list of all users known to the Macintosh. If everything worked, it should include all users from the server's LDAP database.
  • If the server users are not included, try killing the DirectoryService process (it should respawn and initialize correctly) and try again
  • If all users are included, log out, and log back in as one of the server users (click "Other users" at the login window, then enter that user's name). The login is expected to be slow, as we have not yet set up mounting of <code>/home</code>.
  • If the login was successful, remove the temporary home directory the system may have created for that user
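An added check script covering both the ldap.conf step and the dscl test above; it is written for this page and is not the LLL wiki's own code. It classifies a client ldap.conf by whether an active TLS_REQCERT never is present or TLS_CACERT points at a readable CA file, and, on a Mac, confirms that one server account appears in the merged search path. The constructed sample files, the CA placeholder and the account name alice are assumptions.

```shell
#!/bin/sh
# Added example, not from the LLL wiki page. Audits an OpenLDAP client ldap.conf
# for the two directives discussed above, then (on a Mac) checks that one
# server account shows up in the merged search path.
# Verdicts: INSECURE   - an active "TLS_REQCERT never": any server cert is accepted
#           VERIFIED   - TLS_CACERT names a readable CA file and REQCERT is not "never"
#           MISSING_CA - TLS_CACERT is set but the file is not readable
#           DEFAULT    - neither directive present; the library default applies
audit_ldap_conf() {
    conf="$1"
    # Directives are "KEY value"; a leading '#' comments the line out. The last
    # active occurrence is reported, matching the page's advice to put the wanted
    # setting at the end and remove older ones (duplicates get a warning).
    n=$(grep -ciE '^[[:space:]]*TLS_REQCERT[[:space:]]' "$conf" || true)
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{v=$2} END{print v}' "$conf")
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{v=$2} END{print v}' "$conf")
    [ "$n" -gt 1 ] && echo "warning: TLS_REQCERT set $n times in $conf" >&2
    if [ "$(echo "$reqcert" | tr 'A-Z' 'a-z')" = "never" ]; then
        echo INSECURE; return 1
    fi
    if [ -n "$cacert" ]; then
        if [ -r "$cacert" ]; then echo VERIFIED; return 0; fi
        echo MISSING_CA; return 1
    fi
    echo DEFAULT; return 0
}

# macOS only: exact-match one expected user in "dscl localhost list /Search/Users".
check_ldap_user() {
    if ! command -v dscl >/dev/null 2>&1; then echo SKIPPED; return 2; fi
    if dscl localhost list /Search/Users | grep -qx "$1"; then
        echo "FOUND $1"; return 0
    fi
    echo "NOT_FOUND $1"; return 1
}

# Demo on constructed files (the real /etc/openldap/ldap.conf is never edited).
demo=$(mktemp -d)
printf 'BASE dc=lll,dc=lu\nTLS_REQCERT never\n' > "$demo/weak.conf"
printf 'placeholder, not a real CA certificate\n' > "$demo/cacert.pem"
printf '#TLS_REQCERT never\nTLS_CACERT %s\n' "$demo/cacert.pem" > "$demo/good.conf"
for f in weak good; do echo "$f.conf: $(audit_ldap_conf "$demo/$f.conf")"; done
rm -rf "$demo"
# Then the live file, if this machine has one, and a placeholder account name.
if [ -r /etc/openldap/ldap.conf ]; then
    audit_ldap_conf /etc/openldap/ldap.conf || echo "fix ldap.conf before testing logins"
fi
check_ldap_user "${1:-alice}" || true   # "alice" stands in for a real server user
```

Run it on the Mac after the Directory Utility steps, passing a real server user name as the first argument; a NOT_FOUND result is the same symptom the page addresses by restarting DirectoryService.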