Jonathan, Dan,

Thank you for your help. After being sick for a few days I sat down with one of my Apple users. We are still unable to log in to OS X 10.5 after changing /etc/openldap/ldap.conf to the following...

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
#TLS_REQCERT    demand
TLS_REQCERT     never

Is there any direction you might offer? I've included a copy of my Template as an attachment. I believe I've kept it quite simple, maybe too simple.

Thanks,
John

Attachment: OSX105-LDAP-Template.plist
Description: Binary data

On Feb 28, 2008, at 6:00 AM, dandantheitman wrote:

On 28/02/2008, Jonathan Barber <[EMAIL PROTECTED]> wrote:
On Wed, Feb 27, 2008 at 04:42:12PM -1000, John Call wrote:
Aloha list,

My university has been authenticating Mac OS X 10.4 clients to FDS 1.04
for about a year now. Things have been working great, as long as we keep
an eye on the external SASL mechanisms. However, now that our staff is
deploying the new OS X 10.5, things aren't working. To the best of our
knowledge we have maintained the same client LDAP configuration from
10.4 to 10.5, but the Apple clients refuse to authenticate. Has anybody
else experienced this?


Are you doing SSL to the ldap? If so, check the client-side SSL
verification. I'm not big on the different Mac OS X versions, so can't
say when it occurred, but for one of the revisions we did see the default
openldap SSL verification change from "never" to "demand" on the clients.

I don't think we found a GUI widget to config this behaviour, but you
can via /etc/openldap/ldap.conf like linux.


Jonathan is 100% correct. Starting with OSX Leopard the ldap client
was 'locked down' to make it more secure out of the box.  The
TLS_REQCERT = never was revised to TLS_REQCERT = demand.

You either need to make the change on each client in
/etc/openldap/ldap.conf to reset it back to its previous state or you
shall need to do the following:

(01) Copy the cert to the client /etc/openldap/certs
(02) Add the following line to /etc/openldap/ldap.conf:
TLS_CACERT    /etc/openldap/certs/bright.newshinycert.com

Dan

--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
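The two ldap.conf routes Dan lists above (and the never/demand change Jonathan describes), as an added shell example that is not part of this thread or of Apple's or OpenLDAP's own tooling: it audits a client ldap.conf for the weakened TLS_REQCERT setting and writes the hardened form with the CA certificate installed. All paths, the CA file name, the ldaps:// URI and the base DN are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a client ldap.conf for the
# TLS_REQCERT weakening discussed above and write the hardened form
# (Dan's option 02: CA cert installed, "demand" kept). Paths are assumed.

# ldap_tls_mode FILE: print the effective TLS_REQCERT value. Commented-out
# lines (#TLS_REQCERT ...) are ignored, as OpenLDAP ignores them; when the
# directive is absent, OpenLDAP's own default, "demand", applies.
ldap_tls_mode() {
    awk 'toupper($1)=="TLS_REQCERT" {mode=tolower($2)}
         END {print (mode=="" ? "demand" : mode)}' "$1"
}

# ldap_conf_status FILE: return 0 only if the client will actually verify
# the server certificate: TLS_REQCERT not never/allow, and TLS_CACERT readable.
ldap_conf_status() {
    mode=$(ldap_tls_mode "$1")
    cacert=$(awk 'toupper($1)=="TLS_CACERT" {f=$2} END {print f}' "$1")
    case "$mode" in
        never|allow) echo "weak: TLS_REQCERT $mode skips server cert checks"; return 1 ;;
    esac
    if [ -z "$cacert" ] || [ ! -r "$cacert" ]; then
        echo "broken: TLS_REQCERT $mode but no readable TLS_CACERT"; return 1
    fi
    echo "ok: TLS_REQCERT $mode, CA file $cacert"
}

# write_hardened_conf OUT CAFILE URI BASE: the configuration Dan describes.
write_hardened_conf() {
    cat > "$1" <<EOF
BASE        $4
URI         $3
# CA certificate copied to the client (step 01); verification stays on
TLS_CACERT  $2
TLS_REQCERT demand
EOF
}

# --- demo on constructed files (placeholder values, not a real site) ---
tmp=${TMPDIR:-/tmp}/ldapconf.$$; mkdir -p "$tmp/certs"
trap 'rm -rf "$tmp"' EXIT
printf 'constructed placeholder, not a real PEM certificate\n' > "$tmp/certs/ca.pem"
printf '#TLS_REQCERT    demand\nTLS_REQCERT     never\n' > "$tmp/weak.conf"
printf 'BASE dc=example,dc=com\n' > "$tmp/noreq.conf"   # directive absent
write_hardened_conf "$tmp/hardened.conf" "$tmp/certs/ca.pem" \
    ldaps://ldap.example.com dc=example,dc=com
ldap_conf_status "$tmp/weak.conf" || true      # weak: never skips checks
ldap_conf_status "$tmp/noreq.conf" || true     # broken: demand but no CA
ldap_conf_status "$tmp/hardened.conf"          # ok: demand with CA file
```

Run it against a real /etc/openldap/ldap.conf with `ldap_conf_status /etc/openldap/ldap.conf` to see which of the three states a client is in.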
