[Fedora-directory-users] Apple OS X 10.5 question

John Call johnsimcall at gmail.com
Wed Mar 5 02:40:47 UTC 2008 

Jonathan, Dan,

Thank you for your help.  After being sick for a few days I sat down  
with one of my Apple users.  We are still unable to log in to OS X  
10.5 after changing /etc/openldap/ldap.conf to the following...

#BASE	dc=example, dc=com
#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never
#TLS_REQCERT	demand
TLS_REQCERT	never	

Is there any direction you might offer?  I've included a copy of my  
Template as an attachment.  I believe I've kept it quite simple, maybe  
too simple.

Thanks,
John

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OSX105-LDAP-Template.plist
Type: application/octet-stream
Size: 2112 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20080304/9c935e9d/attachment.obj>
-------------- next part --------------



On Feb 28, 2008, at 6:00 AM, dandantheitman wrote:

> On 28/02/2008, Jonathan Barber <j.barber at dundee.ac.uk> wrote:
>> On Wed, Feb 27, 2008 at 04:42:12PM -1000, John Call wrote:
>>> Aloha list,
>>>
>>> My university has been authenticating Mac OS X 10.4 clients to FDS
>>> 1.04 for about a year now.  Things have been working great, as  
>>> long as
>>> we keep an eye on the external SASL mechanisms.  However, now that  
>>> our
>>> staff is deploying the new OS X 10.5 things aren't working.  To the
>>> best of our knowledge we have maintained the same client LDAP
>>> configuration from 10.4 to 10.5, but the Apple clients refuse to
>>> authenticate.  Has anybody else experienced this?
>>
>>
>> Are you doing SSL to the ldap? If so, check the clientside SSL
>> verification. I'm not big on the different Mac OS X versions, so  
>> can't
>> say when it occured, but for one of the revisions we did see the  
>> default
>> openldap SSL verification change from "never" to "demand" on the  
>> clients.
>>
>> I don't think we found a GUI widget to config this behaviour, but you
>> can via /etc/openldap/ldap.conf like linux.
>>
>
> Jonathon is 100% correct. Starting with OSX Leopard the ldap client
> was 'locked down' to make it more secure out of the box.  The
> TLS_REQCERT = never was revised to TLS_REQCERT = demand.
>
> You either need to make the change on each client in
> /etc/openldap/ldap.conf to reset it back to its previous state or you
> shall need to do the following:
>
> (01) Copy the cert to the client /etc/openldap/certs
> (02) Add the following line to /etc/openldap/ldap.conf:
> TLS_CACERT    /etc/openldap/certs/bright.newshinycert.com
>
> Dan
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

More information about the Fedora-directory-users mailing list