MacLdapAuthSnowLeopard: Difference between revisions

From LLL
m (Reverted edits by Yxawyjo (Talk) to last version by AlainKnaff)

(4 intermediate revisions by 2 users not shown)

Changes between the compared revisions:

  • Section heading "Disable SSL certificate verification" renamed to "Disable or set up SSL certificate verification".
  • In that section, the file to edit changed from /etc/ldap/ldap.conf to /etc/openldap/ldap.conf, and the TLS_REQCERT never step is now qualified with "if you want to disable SSL certificate verification".
  • New step in that section: "Add TLS_CACERT /path/to/cacert.pem to set it up instead (where cacert.pem is the certificate for the CA, which first must be copied here)".
  • New step in the testing steps: "If the server users are not included, try killing the DirectoryService process (this should cause it to respawn and initialize correctly) and try again".
Latest revision as of 19:47, 26 November 2010

Setting up LDAP access to LLL server on a Macintosh client

This page describes how to set up LDAP authentication with SSL on Mac OS X 10.6 (Snow Leopard).


Disable or set up SSL certificate verification

  • Open a terminal by clicking on the "Applications" icon in the dock (see red arrow in image below)
  • Click Utilities folder
  • Click Terminal
[screenshot: Applications6.png]
  • Do sudo vi /etc/openldap/ldap.conf file and add TLS_REQCERT never to the end (removing or commenting out any other TLS_REQCERT setting that might be there) if you want to disable SSL certificate verification
  • Add TLS_CACERT /path/to/cacert.pem to set it up instead (where cacert.pem is the certificate for the CA, which first must be copied here)
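The two ldap.conf choices above, as an added example that is not part of the original page. It works on a constructed copy of the file so it runs without root; on a real client the file is /etc/openldap/ldap.conf as stated above, and the CA path /etc/openldap/cacert.pem and the server name used in the demo are assumptions. The audit function reports whether the client will verify the server certificate: with TLS_REQCERT never (or allow) the LDAPS session is still encrypted, but any certificate is accepted, so the password typed at login is sent to whatever answers on port 636. The harden function switches the file to the TLS_CACERT variant and sets TLS_REQCERT demand, which is also the OpenLDAP default.

```shell
#!/bin/sh
# Added example, not from the original page: audit and harden the certificate
# verification settings in an OpenLDAP client ldap.conf (ldap.conf(5) syntax:
# one "DIRECTIVE value" per line, '#' starts a comment, last occurrence wins).
# The demo file, server name and CA path below are constructed/assumed.

# Print the effective value of a directive (last uncommented occurrence wins;
# directive names are matched case-insensitively, as ldap.conf(5) does).
ldap_conf_get() {
    awk -v key="$2" '
        substr($1, 1, 1) != "#" && toupper($1) == toupper(key) { val = $2 }
        END { print val }
    ' "$1"
}

# Report how the client will treat the server certificate.
# Prints: disabled | ca:<path> | default
ldap_conf_audit() {
    reqcert=$(ldap_conf_get "$1" TLS_REQCERT | tr '[:upper:]' '[:lower:]')
    cacert=$(ldap_conf_get "$1" TLS_CACERT)
    case "$reqcert" in
        # never/allow: any certificate is accepted, so the session is
        # encrypted but the server's identity is not verified
        never|allow) echo disabled ;;
        *) if [ -n "$cacert" ]; then echo "ca:$cacert"; else echo default; fi ;;
    esac
}

# Turn verification on: comment out existing TLS_REQCERT/TLS_CACERT lines,
# then pin the CA certificate and demand a valid server certificate.
# $1 = ldap.conf path, $2 = CA certificate (PEM) already copied into place.
ldap_conf_harden() {
    tmp="$1.tmp.$$"
    awk '
        substr($1, 1, 1) != "#" &&
        (toupper($1) == "TLS_REQCERT" || toupper($1) == "TLS_CACERT") { print "# " $0; next }
        { print }
    ' "$1" > "$tmp" || return 1
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$2" >> "$tmp"
    mv "$tmp" "$1"
}

# Demo on a constructed copy (the real file is /etc/openldap/ldap.conf; edit
# it with sudo as the page describes). The server name is a placeholder.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/ldap.conf"
printf '#\n# LDAP Defaults\n#\nBASE dc=lll,dc=lu\nURI ldaps://ldap.example.com\nTLS_REQCERT never\n' > "$demo_conf"
echo "before: $(ldap_conf_audit "$demo_conf")"
ldap_conf_harden "$demo_conf" /etc/openldap/cacert.pem
echo "after:  $(ldap_conf_audit "$demo_conf")"
rm -rf "$demo_dir"
```

Once the real file is hardened, ldapsearch -x -H ldaps://SERVER -b dc=lll,dc=lu from the terminal is a quick check: it fails with a certificate error instead of silently connecting if the CA file is wrong.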

Open Directory access

Click on the Apple menu, and choose "System Preferences":

[screenshot]


Click Accounts:

[screenshot]


Click "Login Options" (lower left), and add a "Network Account Server":

[screenshot]


Open Directory Utility:

[screenshot]


  1. Double-click on the padlock (lower left of the directory access window) and enter an admin user name and password until the padlock is open
  2. Select "LDAPv3" in list
  3. Click the pen icon to "Configure"
[screenshot]


Click "New" to add a new configuration for connecting to your LDAP server:

[screenshot]


Pick a configuration name, enter your server's name or IP address, tick "Encrypt using SSL", leave the default port (636), and click OK when done:

[screenshot]
  • Click on the tab "Search and Mappings", and the dialog below should be shown
  • Pick "RFC 2307 (Unix)" template
  • Enter dc=lll,dc=lu as search base
[screenshot]


  • Click Mounts in left hand pane
  • Enter ou=Mounts,dc=lll,dc=lu as a search base
  • Check "first level only"

N.B. It is expected that the template setting automatically changes from RFC 2307 to Custom as soon as you change one of the settings.

[screenshot]
  • Click Users in left hand pane
  • Enter ou=People,dc=lll,dc=lu as a search base
  • Check "first level only"
[screenshot]


  • Click Groups in left hand pane
  • Enter ou=Groups,dc=lll,dc=lu as a search base
  • Check "first level only"
  • Click OK
[screenshot]
  • Click "Search Policy" icon in Top Bar, and add your newly defined server using the + icon
[screenshot]


On some newer versions of MacOS, you may need to click on the "Search Policy" icon at the top of the "Directory Utility" (only clickable if no service is currently being edited: click OK or Cancel to dismiss if you are editing a service), and then add the newly defined service to the list.

Testing

Now it is time for testing.

[screenshot]
  • Open a terminal as described above (Applications button, then Utilities/Terminal)
  • In the terminal, enter dscl localhost list /Search/Users. This displays a list of all users known by the Macintosh. If everything worked, it should include all users from the server's LDAP database.

  • If the server users are not included, try killing the DirectoryService process (this should cause it to respawn and initialize correctly) and try again
  • If all users are included, log out, and log back in as one of the server users (you need to click "Other users" at the login window, then enter its name). It's expected that the login process is slow, as we have not yet set up mounting of /home.
  • If login was successful, clean away its temporary home directory (if the system created one)
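The dscl check above, as an added example that is not part of the original page: it compares the user list dscl prints against the list of accounts the LDAP server is expected to provide (a list you get from whoever administers the server), and names the ones that are missing, which is the case where the page says to kill the DirectoryService process and retry. The sample lists in the demo are constructed; the live wrapper assumes dscl is present, which is only true on Mac OS X.

```shell
#!/bin/sh
# Added example, not from the original page: check the output of
# "dscl localhost list /Search/Users" against the user names the LDAP
# server is expected to provide. The sample lists below are constructed.

# $1 = file with expected server user names (one per line)
# $2 = file with the dscl output (one user name per line)
# Prints the expected users that are missing; returns 0 only if none are.
ldap_users_check() {
    sort -u "$1" > "$1.sorted.$$"
    sort -u "$2" > "$2.sorted.$$"
    # comm -23: lines only in the first (expected) file
    missing=$(comm -23 "$1.sorted.$$" "$2.sorted.$$")
    rm -f "$1.sorted.$$" "$2.sorted.$$"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Live check on a Mac: $1 = file with the expected server user names.
# Returns 0 when every expected user is visible through the Search node.
ldap_users_live() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not available on this system" >&2; return 2; }
    out="/tmp/dscl-users.$$"
    dscl localhost list /Search/Users > "$out" || return 2
    if ldap_users_check "$1" "$out"; then
        echo "all expected server users are visible"
        rc=0
    else
        echo "users above are missing: kill DirectoryService (as the page describes) and retry" >&2
        rc=1
    fi
    rm -f "$out"
    return $rc
}

# Demo on constructed data: local accounts plus two of the three server users.
demo_dir=$(mktemp -d)
printf 'alice\nbob\ncarol\n' > "$demo_dir/expected"          # from the LDAP admin
printf 'daemon\nnobody\nroot\nalice\ncarol\n' > "$demo_dir/dscl"  # constructed dscl output
echo "missing: $(ldap_users_check "$demo_dir/expected" "$demo_dir/dscl")"
rm -rf "$demo_dir"
```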