
Re: A couple of questions about openldap on MacOS X Panther

Hi there,

I apologise if these questions are more Mac-related than openldap
related, but I haven't been able to find this information out on any
Mac type resources, so I'm hoping somebody here can point me in the
right direction.

- It would appear that the openldap installation that comes supplied
  with MacOS X hasn't been compiled with kerberos/gssapi support.
  e.g. if I try to connect to our (RH9) ldap server with an
  authenticated connection I get a "no worthy mechs found" error
  message.  So, can I compile my own ldap and use it to replace the
  apple-supplied one, or will it break things?

If you want to do this, I would suggest downloading Apple's source code of their current release (2.1.22 in 10.3.4 server) along with BerkeleyDB and all the other parts you need. Apple has made some changes to work better with their APIs and management software, and if you don't include these changes, some features might not work right.

I'd suggest against it, unless you really get in a bind. Apple (or any other company for that matter) will be hesitant to assist you with problems on a system where you compile your own bits.

- On a similar line, the OSX Directory Access utility has a "Use
  authentication when connecting" section, allowing you to specify a
  distinguished name and password to use when connecting to the ldap
  server.  Does anyone know how this is actually used - the 'dscl'
  utility seems to get data OK, with a correct and incorrect password
  set here, suggesting that it's not being used.

By default, Apple's ACLs don't block much - even the password field is publicly accessible. Check out /private/etc/openldap/slapd.conf for the ACL details.

I suppose what I really want is something that tells me how Apple's
system software interacts with openldap beneath, as Apple's docs seem
extremely limited in this respect.

Much of Apple's software goes through an API called OpenDirectory. OpenDirectory can in turn use LDAP, NetInfo, SMB, or a bunch of other authentication/directory systems. Check out the "Directory Access" application in the Utilities for more details.

All the documentation is out there:
Check out the Open Directory Administration manual, especially.

There is also an OSX Server mailing list, where people discuss the sorts of things we are discussing.

Hope this is helpful!

Matt Richard
Access and Security Coordinator
Franklin & Marshall College
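To make the ACL remark above concrete, here is an added slapd.conf fragment (example configuration, not Apple's shipped file and not part of the message above) that puts a permissive catch-all rule of the kind described next to a hardened one. The suffix "dc=example,dc=com" is assumed; the directives themselves (access to, attrs=, by self/users/anonymous, the auth/read/write/none privileges) are standard slapd.conf syntax for the OpenLDAP 2.1 line discussed in the thread.

```conf
# Added example, not from Apple's /private/etc/openldap/slapd.conf.
# Assumed suffix: dc=example,dc=com

# Weak: one catch-all rule that lets anyone, including anonymous binds,
# read every attribute. userPassword hashes are then readable by anyone
# who can reach port 389, which hands them straight to an offline cracker.
#
# access to *
#         by * read

# Hardened. slapd evaluates access rules top to bottom and stops at the
# first rule whose "to" clause matches, so the userPassword rule must come
# before the catch-all or it is never reached.
access to attrs=userPassword
        by self write          # a user may change their own password
        by anonymous auth      # needed so simple binds can be verified
        by * none              # nobody else, not even authenticated users, can read the hash

# Everything else: authenticated users read, the entry owner may write,
# anonymous clients may only bind (no directory browsing).
access to *
        by self write
        by users read
        by anonymous auth

# Note: the rootdn bypasses ACLs entirely, so it needs no explicit rule.
```

To check which state a server is in, run an anonymous simple-bind search against it, for example `ldapsearch -x -H ldap://server -b "dc=example,dc=com" "(uid=someone)" userPassword`. With the weak rule the userPassword value comes back; with the hardened rule the attribute is withheld and, because anonymous has only "auth" on other attributes, the search returns no entries at all. That difference is also what makes the "Use authentication when connecting" setting visible: with the weak rule an anonymous search and an authenticated one return the same data, so a wrong DN or password changes nothing a client would show you, while with the hardened rule only a successful bind yields results.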