[Fedora-directory-users] Apple OS X 10.5 question
John Call
johnsimcall at gmail.com
Wed Mar 5 02:40:47 UTC 2008
Jonathan, Dan,
Thank you for your help. After being sick for a few days I sat down
with one of my Apple users. We are still unable to log in to OS X
10.5 after changing /etc/openldap/ldap.conf to the following...
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_REQCERT demand
TLS_REQCERT never
Is there any direction you might offer? I've included a copy of my
Template as an attachment. I believe I've kept it quite simple, maybe
too simple.
Thanks,
John
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OSX105-LDAP-Template.plist
Type: application/octet-stream
Size: 2112 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20080304/9c935e9d/attachment.obj>
-------------- next part --------------
On Feb 28, 2008, at 6:00 AM, dandantheitman wrote:
> On 28/02/2008, Jonathan Barber <j.barber at dundee.ac.uk> wrote:
>> On Wed, Feb 27, 2008 at 04:42:12PM -1000, John Call wrote:
>>> Aloha list,
>>>
>>> My university has been authenticating Mac OS X 10.4 clients to FDS
>>> 1.04 for about a year now. Things have been working great, as
>>> long as
>>> we keep an eye on the external SASL mechanisms. However, now that
>>> our
>>> staff is deploying the new OS X 10.5 things aren't working. To the
>>> best of our knowledge we have maintained the same client LDAP
>>> configuration from 10.4 to 10.5, but the Apple clients refuse to
>>> authenticate. Has anybody else experienced this?
>>
>>
>> Are you doing SSL to the ldap? If so, check the clientside SSL
>> verification. I'm not big on the different Mac OS X versions, so
>> can't
>> say when it occured, but for one of the revisions we did see the
>> default
>> openldap SSL verification change from "never" to "demand" on the
>> clients.
>>
>> I don't think we found a GUI widget to config this behaviour, but you
>> can via /etc/openldap/ldap.conf like linux.
>>
>
> Jonathon is 100% correct. Starting with OSX Leopard the ldap client
> was 'locked down' to make it more secure out of the box. The
> TLS_REQCERT = never was revised to TLS_REQCERT = demand.
>
> You either need to make the change on each client in
> /etc/openldap/ldap.conf to reset it back to its previous state or you
> shall need to do the following:
>
> (01) Copy the cert to the client /etc/openldap/certs
> (02) Add the following line to /etc/openldap/ldap.conf:
> TLS_CACERT /etc/openldap/certs/bright.newshinycert.com
>
> Dan
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
More information about the Fedora-directory-users
mailing list