
Re: OpenLDAP for Mac OS X Login and Authentication

I am having some difficulties authenticating my OS X machines to LDAP. I
will try to give you (and the list) the information that I know. Well, I
guess I'm not *giving* it, I'm just relaying it; I picked up most of what I
know from Luke Howard's posts on several lists and forums.

> This is a little bit off-topic, but I'm running out of ideas and places to
> look. In other words, I'm stuck.
I'm stuck too =).

> Has anyone successfully used OpenLDAP for login and authentication on Mac
I haven't, not yet.

> According to the OS X docs, I ~should~ be able to have the login sequence
> check LDAP directories for authentication ~before~ it checks NetInfo.

Uh, that depends on which OS X docs you were reading. Using the stock
lookupd (not built from source), LDAPv3 cannot be used; you must use LDAPv2.
Luke has fixed this, but you must build lookupd from CVS source. I haven't
successfully done this yet; I've played with building lookupd from source,
but I haven't had any luck.

> 1. OpenLDAP's slurpd will not work due to the OS X threading scheme. (I
> don't need slurpd, so I haven't spent any time trying to figure out how to
> make it work yet.)
You shouldn't need to build the OpenLDAP client or slurpd on an OS X client;
lookupd will do all the LDAP stuff for you.

> 4. The LoginHook and LogoutHook parameters for customizing loginwindow do
> not work (official word from Apple) and ~rumor says~ they will be removed
> from future OS X releases.
Hmm, I'm new to the whole OS X scene, and I have no idea what LoginHook is;
maybe someone can enlighten me.

> 5. lookupd is supposed to allow you to change the order of lookups for
> authentication. It doesn't. On a Mac OS X Development list, it has been
> suggested that looking at, and modifying, lookupd's source might be the
> way to go, but I haven't done this yet.
No, you can change the order of lookups. I'll give you a hint:
http://www.bresink.de/osx/nis.html#Lookupd, you just need to modify it for
LDAPAgent. I think Luke has some info on this on a dev list somewhere. I
would give you the file that I used to import it, but I

> Any suggestions, ideas, places to look or people to ask for more info would
> be greatly appreciated.
Another idea is to use pam_ldap for Mac OS X, by Luke Howard (again).
Geesh, Luke has done a lot with LDAP and Mac OS X.

Maybe Luke can comment or share some notes :)
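As an added example (not part of this thread, and not lookupd's or Apple's own code), here is a POSIX shell script that applies the lookup-order change discussed above for the `users` category, with LDAPAgent substituted for NISAgent in the bresink.de recipe. The agent names, the `/locations/lookupd/users` NetInfo path, the `niutil` invocations and the `/var/run/lookupd.pid` file are assumptions taken from that recipe and from early Mac OS X; check them against `lookupd -configuration` on your own client. The point a practitioner cares about is the ordering: a local agent (NIAgent) listed before LDAPAgent keeps local NetInfo accounts, including the admin account, usable when the directory server is down, so the script refuses an order that would make every login depend on the remote LDAP server.

```shell
#!/bin/sh
# Added example: set lookupd's LookupOrder for the "users" category so that
# LDAPAgent is consulted, following the bresink.de NIS recipe with LDAPAgent
# in place of NISAgent. niutil(8)/lookupd(8) usage, the NetInfo path and the
# pid file are assumptions from that recipe, not verified against this page.
set -e

# Agents are tried left to right. CacheAgent first keeps lookups fast;
# NIAgent before LDAPAgent keeps local accounts usable if LDAP is unreachable.
DEFAULT_ORDER="CacheAgent NIAgent LDAPAgent"

# Sanity-check an order string: LDAPAgent must be present, and a local agent
# (NIAgent or FFAgent) must precede it so a directory outage cannot lock out
# every account on the machine. Returns 0 if acceptable, 1 otherwise.
check_order() {
    seen_local=0
    for agent in $1; do
        case "$agent" in
            NIAgent|FFAgent) seen_local=1 ;;
            LDAPAgent)
                [ "$seen_local" -eq 1 ] || return 1
                ;;
        esac
    done
    case " $1 " in
        *" LDAPAgent "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the commands that would apply the order, one per line, so they can
# be reviewed before being run as root. The two -create lines tolerate the
# directory already existing so the script can be re-run.
users_order_cmds() {
    printf 'niutil -create . /locations/lookupd 2>/dev/null || true\n'
    printf 'niutil -create . /locations/lookupd/users 2>/dev/null || true\n'
    printf 'niutil -createprop . /locations/lookupd/users LookupOrder %s\n' "$1"
    printf "kill -HUP \"\$(cat /var/run/lookupd.pid)\"\n"
}

# Apply the order (run as root). Refuses anything check_order rejects.
apply_users_order() {
    check_order "$1" || { echo "refusing unsafe LookupOrder: $1" >&2; return 1; }
    users_order_cmds "$1" | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
}

# Usage: script.sh            -> print the commands for the default order
#        script.sh --apply    -> apply the default order (root)
#        script.sh --apply "CacheAgent FFAgent NIAgent LDAPAgent"
case "${1:-}" in
    --apply) apply_users_order "${2:-$DEFAULT_ORDER}" ;;
    *)       users_order_cmds "${2:-$DEFAULT_ORDER}" ;;
esac
```

Run it without arguments first to see the exact `niutil` lines it would execute; only then run it with `--apply` as root. After the HUP, `lookupd -configuration` should show the new LookupOrder for `users`, and a login test should still succeed for a local NetInfo account with the LDAP server unreachable.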