Tuesday, January 17, 2012

osx 10.7.2 openldap authentication

MacOSX 10.7.2 LDAP authentication

0.  Enable root.
* Go to a terminal prompt
* ~ sudo su - root
* type your password
* You're root!
* # passwd
* create a password for root.
* Log off
* Log on as root.  Yes.

1.  Add LDAPv3 Directory access
* Open Directory Access from /Applications/Utilities or under System Preferences > Users & Groups.

* Click the Lock on the bottom of the window.

* Click on LDAPv3 then click Configure

* Select Options then click Add
    Enter a configuration name; e.g. myldap
    Server Name: LDAP server canonical dns or IP address; e.g. myldap.my.com
    Click on LDAP Mappings and select RFC 2307 (Unix)
    For search base, put in your LDAP search base; e.g.  dc=my,dc=com
    Do not check SSL.

* Click edit and make sure all settings are at either their default or match your environment
    Under Search and Mappings, if you're using a stock OpenLDAP install, it is safe to have "Search in" set to all subtrees.  This is recommended.
    Check all Record types and attributes.
    When done, Save Template.  Somewhere.
    Click OK, and OK again.

* At the Directory Access window, go to "Search Policy" and click on Authentication.
    You're now going to add a Directory domain.
    Select Custom Path

2.  Add the LDAPv3 server you just configured.  Click the + and add /LDAPv3/Server Name
    Keep /Local/Default at the top; if not, you'll not be able to log on with a local user account.
    Once done, test your LDAP configuration by going to Directory Editor (also in Directory Access).  In the search box, search for a known account.

Did you mess up?

Check /var/log/system.log for -14002 errors.

1.  Remove all contents of directory /Library/Preferences/DirectoryService
2.  Open /Applications/Utilities/Netinfo Manager and remove contents of directory /config/mcx-mask

If you didn't mess up, it's time to allow logons.

There's a bug in OSX 10.7.2 that doesn't allow LDAP users to log on.  Nice.  Let's fix that.

1.  As root...
# ldapsearch -x -h myldap.my.com -b "" -s base "(objectclass=*)" supportedSASLMechanisms

You should see something akin to:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

This shows you the sort of authentication mechanisms your LDAP server supports.  
Let's make OSX add the SASL mechanisms - even if your LDAP server isn't using them.

2.  Open the opendirectoryd plist for your LDAPv3 server in /Library/Preferences/OpenDirectory/Configurations/LDAPv3, 
and add all of the SASL mechanisms advertised above to the Denied SASL Methods array in the plist file.  Simply browse 
to the file, double click and use Xcode to edit.

Add the items here:
module options > ldap > Denied SASL Methods
add string items.  Add the strings exactly as provided by your LDAP server.

3.  Reboot the OSX machine and you'll then be able to log on using an LDAP-defined user.
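As an added example (not part of the original post), here is a small POSIX shell script that turns the ldapsearch output from step 1 into the PlistBuddy commands for step 2, so the mechanism strings are copied exactly as the server advertises them rather than retyped into Xcode. The LDIF sample inside it is constructed, and the plist path ending in myldap.plist is an assumed placeholder for the configuration file named after your LDAPv3 entry.

```shell
#!/bin/sh
# Constructed sample of the ldapsearch rootDSE output shown above; not captured from a real server.
SAMPLE_LDIF='dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
'

# Read LDIF on stdin and print the advertised mechanism names, one per line,
# in the order the server lists them. Every other LDIF line is ignored.
sasl_mechs() {
    sed -n 's/^supportedSASLMechanisms: *//p' | sed 's/[[:space:]]*$//'
}

# Read mechanism names on stdin and print one PlistBuddy command per name that
# appends it to "module options > ldap > Denied SASL Methods" in the plist given
# as $1. PlistBuddy separates key path components with ':'; the quoting keeps
# the spaces in the key names intact.
deny_commands() {
    plist="$1"
    i=0
    while IFS= read -r mech; do
        [ -n "$mech" ] || continue
        printf '%s\n' "/usr/libexec/PlistBuddy -c \"Add ':module options:ldap:Denied SASL Methods:$i' string $mech\" '$plist'"
        i=$((i + 1))
    done
}

# Assumed placeholder path: the real file is named after your LDAPv3 configuration.
main() {
    printf '%s' "$SAMPLE_LDIF" | sasl_mechs \
        | deny_commands /Library/Preferences/OpenDirectory/Configurations/LDAPv3/myldap.plist
}

main "$@"
```

On a live system, pipe the real `ldapsearch` command from step 1 into `sasl_mechs` instead of the sample, review the printed commands, and run them as root; if the Denied SASL Methods array is not already present in your plist, create it first with `/usr/libexec/PlistBuddy -c "Add ':module options:ldap:Denied SASL Methods' array" <plist>`. One thing to weigh against the "do not check SSL" choice in step 1: once every advertised mechanism is denied, the client is left with a simple bind, which sends the user's password to the LDAP server in the clear unless the connection is protected by SSL/TLS, so on any network you don't fully trust, enable SSL on the LDAPv3 configuration (and LDAPS on the server) rather than rely on a cleartext bind.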
