
Re: OpenLDAP for Mac OS X Login and Authentication



Hi,

Has anyone out there got a Mac OS X 10.1 client to authenticate off LDAP?
If you have, please share the process with the community.  Much
appreciated.

Thanks,
Ryan

P.S.
Please cc me as well.

"Chuck Coker (Tyrell)" wrote:

> Hi Ryan,
>
> We were hitting dead ends with the LDAP authentication on OS X 10.0.4.
> We finally quit working on it when OS X 10.1 was released. I haven't
> seen anything on authentication for OS X 10.1, but I haven't been
> looking either.
>
> If you find something that works, I would like to hear about it.
>
> Good luck,
> Chuck
>
> On Wednesday, January 16, 2002, at 06:41 , Ryan Suarez wrote:
>
> > Wow, there are absolutely no docs available online that show how to get
> > OSX to authenticate via ldap.
> > Your posts were probably the only ones that had direction, but I'm
> > running out of ideas.
> >
> > I just wanted to know how far you guys have gotten?
> >
> > I'm trying to authenticate a Mac OS X 10.1 client via OpenLDAP running
> > on a Debian Linux box.
> > OSX 10.1 is supposed to have LDAPv2 support built in but when I
> > configure the lookuporder and LDAPAgent through netinfo, run "lookupd
> > -d", then set the agent attribute to LDAPAgent it crashes with a "Bus
> > error"
> >
> > [indigo:/var/log] root# less system.log
> > Jan 15 16:40:24 indigo netinfod local[189]: setsid failed: Operation not
> > permitted
> > Jan 15 16:40:25 indigo lookupd[196]: _lookup_all(getfsent) failed
> > Jan 15 16:40:25 indigo lookupd[196]: _lookup_all(getfsent) failed
> >
> >
> > So from Luke's post below it says that LDAPv3 is supported if you build
> > the latest source of netinfo from their cvs repository.  So I grabbed
> > their latest build (netinfo-236) from cvs.
> >
> > There's no documentation on how to compile this thing so I just ran
> > their "BUILD" script in the netinfo-236 source directory.  It seems to
> > compile all the binaries with no complaints and I just replaced all the
> > old binaries with the new ones.
> >
> > However, when I reboot, it just pauses at the "Starting Directory
> > Services" screen.
> > I am STUCK
> >
> > Please let me know what progress you have made,
> >
> > Thanks,
> > Ryan
> >
> > <snip>
> >>> According to the OS X docs, I ~should~ be able to have the login
> >>> sequence check LDAP directories for authentication ~before~ it
> >>> checks NetInfo.
> >
> >>
> >> Uh, that depends on which OS X docs you were reading. Using the stock
> >> lookupd (not built from source), LDAPv3 cannot be used, you must use
> >> LDAPv2. Luke has fixed this, but you must build lookupd from cvs
> >> source. I haven't successfully done this yet, I've played with
> >> building lookupd from source, but I haven't had any luck.
> >
> > I would highly recommend that you do attempt to do this. The stock LDAP
> > support in lookupd is *VERY OLD*. What is the problem? One thing that
> > I forgot to point out is that you will probably need to rebuild the
> > NetInfo.framework in Services/netinfo/common to build the lukeh-OpenLDAP
> > branch of lookupd which unfortunately will require you to rebuild and
> > reinstall netinfod and nibindd. You may prefer to wait for OS X 10.1.
> >
> >>> 4. The LoginHook and LogoutHook parameters for customizing
> >>> loginwindow do not work (official word from Apple) and ~rumor says~
> >>> they will be removed from future OS X releases.
> >> Hmm, I'm new to the whole OS X scene, and I have no idea what
> >> LoginHook is, maybe someone can enlighten me.
> >
> > Runs an arbitrary executable after logon. Totally irrelevant to
> > authentication.
> >
> >> Another idea is to use pam_ldap for Mac OS X, by Luke Howard (again).
> >
> > That will help you with authentication only, not account information.
> > Just as you would typically use nss_ldap and pam_ldap on a Linux or
> > Solaris box, you might use LDAPAgent and pam_ldap on an OS X or Darwin
> > machine. Getting pam_ldap installed on OS X requires building the PAM
> > framework, the PAM loginwindow authenticator bundle, and rebuilding
> > all the system utilities that need PAM (such as ftpd and login).
> > Non-trivial, but not too hard if you really need PAM support :-)
> >
> > Darwin PAM support is tracking FreeBSD-current, BTW.
> >
> > If you would like Apple to incorporate PAM into the OS, I suggest you
> > talk to your Apple rep or use one of the feedback addresses on their
> > website.
> >
> > cheers,
> >
> > -- Luke
> >
> > --
> > Luke Howard | lukehoward.com
> > PADL Software | www.padl.com
> > </snip>
> >
> >
> ----------------------------------------------------------------------
> Chuck Coker - <chuckc@tyrell.com>
> Software Developer, Tyrell Software Corporation
> 23151 Verdugo Drive, Suite 204
> Laguna Hills, California 93653 United States
> +1 949 458 1911 ext. 3
> ----------------------------------------------------------------------