[Fedora-directory-users] Apple OS X 10.5 question

[dandantheitman]

On 28/02/2008, Jonathan Barber <j.barber at dundee.ac.uk> wrote:
> On Wed, Feb 27, 2008 at 04:42:12PM -1000, John Call wrote:
>  > Aloha list,
>  >
>  > My university has been authenticating Mac OS X 10.4 clients to FDS
>  > 1.04 for about a year now.  Things have been working great, as long as
>  > we keep an eye on the external SASL mechanisms.  However, now that our
>  > staff is deploying the new OS X 10.5 things aren't working.  To the
>  > best of our knowledge we have maintained the same client LDAP
>  > configuration from 10.4 to 10.5, but the Apple clients refuse to
>  > authenticate.  Has anybody else experienced this?
>
>
> Are you doing SSL to the ldap? If so, check the clientside SSL
>  verification. I'm not big on the different Mac OS X versions, so can't
>  say when it occured, but for one of the revisions we did see the default
>  openldap SSL verification change from "never" to "demand" on the clients.
>
>  I don't think we found a GUI widget to config this behaviour, but you
>  can via /etc/openldap/ldap.conf like linux.
>

Jonathon is 100% correct. Starting with OSX Leopard the ldap client
was 'locked down' to make it more secure out of the box.  The
TLS_REQCERT = never was revised to TLS_REQCERT = demand.

You either need to make the change on each client in
/etc/openldap/ldap.conf to reset it back to its previous state or you
shall need to do the following:

(01) Copy the cert to the client /etc/openldap/certs
(02) Add the following line to /etc/openldap/ldap.conf:
TLS_CACERT    /etc/openldap/certs/bright.newshinycert.com

Dan