
Re: Not able to authenticate Windows and MAC client



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Have a look at the shadow* attributes from the shadowAccount class.
Those should help you enforce password-related stuff. For self
changes of passwords use an ACL like:
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

Greetings,

Dennis

On 02/26/2014 11:50 AM, Saurabh Ohri wrote:
> Thanks Dennis. You are right, the problem is not related to LDAP,
> but I was looking for help with it.
> 
> I am able to have successful authentication from LDAP on both Mac
> and Windows after trying 50 combinations of configuration.
> 
> But finally it worked and our effort paid off.
> 
> Thanks again and will share the information/ document soon.
> 
> Also it would be of great help if you could share some details on
> enforcing password policies like self-service user password change,
> forced password change after first login, etc. I did some config but
> it is not working even for Linux.
> 
> Thanks Sam
> 
> Sent from my iPhone
> 
>> On 26 Feb 2014, at 4:40 pm, Dennis Leeuw <D.Leeuw@umcutrecht.nl> 
>> wrote:
>> 
>>>> On 02/26/2014 05:26 AM, saurabh ohri wrote:
>>>> Hi all,
>>>> 
>>>> I am new to OpenLDAP and I managed to install and configure
>>>> it. My Linux client is working well, but I am not able to
>>>> authenticate Windows and Mac clients.
>>>> 
>>>> I have been trying for the past 2 days via Google and other posts
>>>> but am still facing the issue. Any help would be highly
>>>> appreciated.
>>>> 
>>>> Details: using openldap-2.4.23-34 on RHEL 6.5
>>>> Client details:
>>>> Mac 10.8.5 -- tried configuring the network account server, but it
>>>> is showing RED. Error: "This server is not responding."
>>>> Windows 7 -- tried installing GINA, but it is giving me an
>>>> "invalid credentials" error.
>>>> 
>>>> Configuration file on server:
>>>> Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <dc=j,dc=example,dc=com> (default) with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>> 
>>>> # j.example.com
>>>> dn: dc=j,dc=example,dc=com
>>>> objectClass: top
>>>> objectClass: dcObject
>>>> objectClass: organization
>>>> o: example Organization
>>>> description: example Inc DIT
>>>> dc: j
>>>> 
>>>> # Users, j.example.com
>>>> dn: ou=Users,dc=j,dc=example,dc=com
>>>> objectClass: organizationalUnit
>>>> ou: Users
>>>> 
>>>> # Groups, j.example.com
>>>> dn: ou=Groups,dc=j,dc=example,dc=com
>>>> objectClass: organizationalUnit
>>>> ou: Groups
>>>> 
>>>> # Admins, j.example.com
>>>> dn: ou=Admins,dc=j,dc=example,dc=com
>>>> objectClass: organizationalUnit
>>>> ou: Admins
>>>> 
>>>> # sohri, Users, j.example.com
>>>> dn: uid=sohri,ou=Users,dc=j,dc=example,dc=com
>>>> uid: sohri
>>>> cn: sohri
>>>> sn: 1
>>>> objectClass: top
>>>> objectClass: posixAccount
>>>> objectClass: inetOrgPerson
>>>> loginShell: /bin/bash
>>>> homeDirectory: /home/sohri
>>>> uidNumber: 15000
>>>> gidNumber: 10000
>>>> userPassword:: e1NTSEF9eWdkWExpZUdIT01YRytRM3ZmZWdNY3QwSmd2bFNqSkcg
>>>> mail: sam.ohri@example.com
>>>> gecos: Local User
>>>> 
>>>> # tpearce, Users, j.example.com
>>>> dn: uid=tpearce,ou=Users,dc=j,dc=example,dc=com
>>>> uid: tpearce
>>>> cn: tpearce
>>>> sn: 2
>>>> objectClass: top
>>>> objectClass: posixAccount
>>>> objectClass: inetOrgPerson
>>>> loginShell: /bin/bash
>>>> homeDirectory: /home/tpearce
>>>> uidNumber: 15001
>>>> gidNumber: 10000
>>>> userPassword:: e1NTSEF9eWdkWExpZUdIT01YRytRM3ZmZWdNY3QwSmd2bFNqSkc=
>>>> mail: tony.pearce@example.com
>>>> gecos: local User
>>>> 
>>>> # ldapusers, Groups, j.example.com
>>>> dn: cn=ldapusers,ou=Groups,dc=j,dc=example,dc=com
>>>> objectClass: posixGroup
>>>> objectClass: top
>>>> cn: ldapusers
>>>> userPassword:: e2NyeXB0fXg=
>>>> gidNumber: 10000
>>>> memberUid: uid=sohri
>>>> memberUid: uid=tpearce
>>>> 
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>> 
>>>> # numResponses: 8
>>>> # numEntries: 7
>>>> 
>>>> 
>>>> Regards,
>>>> Sam
> 
> Windows is created to work against an Active Directory system,
> meaning you have LDAP authorization and Kerberos
> authentication. Connecting Windows to an LDAP server for both is
> problematic, to say the least. The easiest solution is using Samba
> against LDAP and making the Windows systems log in against the Samba
> server. If you would like to make it work with GINA, contact them, and
> to understand what is going on you might want to read:
> http://pig.made-it.com/win-boot-test.html No guarantees, I did my
> best to document what is happening. Hope I did it right.
> 
> Mac OS X did once work against LDAP; I have no idea what the
> current state is. On 10.6.5 go to Preferences, Accounts. Click
> Login Options, go to Account Server and click Join. Select
> OpenDirectory utility. Click LDAPv3 and click the edit button.
> Click show options, click New, type the address of your LDAP
> server. Give your account credentials, pick template RFC 2307, set
> search base. And you're done...
> 
> And finally: none of your problems is OpenLDAP related, since it
> works on your Linux machine.
> 
> Greetings,
> 
> Dennis
>> 
>> ------------------------------------------------------------------------------
>> 
>> This message may contain confidential information and is intended
>> exclusively for the addressee. If you receive this message
>> unintentionally, please do not use the contents but notify the sender
>> immediately by return e-mail. University Medical Center Utrecht is a
>> legal person by public law within the meaning of the W.H.W. (Higher
>> Education and Research Act) and is registered at the Chamber of
>> Commerce for Midden-Nederland under no. 30244197.
>> 
>> Please consider the environment before printing this e-mail.
>> 
>> ------------------------------------------------------------------------------
>> 

-- 
ICT Medewerker
Divisie Biomedische Genetica
UMC Utrecht
Heidelberglaan 100 STR2.126
3584 CX  Utrecht
The Netherlands
06 27744048
intern: 64048
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTDczPAAoJEMVYYpdbQscom+AH/j3irlTH6Fh5hM0yncYXJ8dk
0jhwMdNRTl1TXwGm1Bl+30Vff/WGzGElPtZ9ob/UnhRmHvyhZXihm7WbOv5t9lYv
fiKEJUB2zp0jdigIvLPFI7ScGtXuBuSmndiuPVGDkaeELhIHyvTNAXxNnZ0SXal6
PZVNxP0qzMaYAGpO9V5m/GJuvFta/z7M1p5id6NYSzsrzfWbcJJNCkMLoYjIGRBo
eoUUFTVRxZLSdnUu5UPrxSj76F537KIx1x5s7OVhlj7mZpI4bCr9Tk/hdd3+TRJS
kQpkeKdrCc/A/fKXTaLl2SLu48ELkwdZHLwmc0O8/ZEaECLyIAsDduGfY+wNm4E=
=fYo2
-----END PGP SIGNATURE-----
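The three password-related pieces this thread touches, the {SSHA} userPassword values visible in the posted LDIF, the shadowAccount ageing attributes Dennis recommends for a forced change after first login, and the userPassword ACL he gives, worked through offline as an added example. This is not code from the mail, from OpenLDAP or from any of the participants. It assumes the user DN from the thread, that clients resolve the shadow map from LDAP (pam_unix then follows the shadow(5) rule that shadowLastChange 0 forces a change at next login; slapd itself does not enforce shadow* values), and it models slapd's "first matching by clause wins" evaluation for that single directive only.

```python
"""Added example, not code from the thread or from OpenLDAP.
Assumptions: the DN below is the user from the posted LDIF; clients
read shadow* from LDAP; the ACL model covers one directive only."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import time

USER_DN = "uid=sohri,ou=Users,dc=j,dc=example,dc=com"  # from the thread


# --- {SSHA} userPassword, the scheme used by the entries in the thread ------
# OpenLDAP stores {SSHA} as base64( SHA1(password || salt) || salt ).

def ssha_hash(password: str, salt: bytes | None = None) -> str:
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Strict check: wrong prefix, bad base64 or a short blob fail closed."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[6:], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= 20:  # need a 20-byte SHA-1 digest plus a salt
        return False
    digest, salt = raw[:20], raw[20:]
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def decode_ldif_value(line: str) -> tuple[str, str]:
    """Split one LDIF line; 'attr:: value' carries base64 (RFC 2849), which is
    how ldapsearch printed userPassword in the thread."""
    attr, _, value = line.partition(":")
    if value.startswith(":"):
        return attr, base64.b64decode(value[1:].strip()).decode("utf-8")
    return attr, value.strip()


# --- shadowAccount attributes for password ageing ---------------------------

def shadow_policy_ldif(dn: str, max_days: int = 90, min_days: int = 1,
                       warn_days: int = 7, force_change: bool = True,
                       today: int | None = None) -> str:
    """LDIF modify that adds shadowAccount and sets the ageing attributes.
    shadowLastChange counts days since the epoch; 0 means 'must change at
    next login' under the shadow(5) convention that pam_unix follows."""
    if today is None:
        today = int(time.time() // 86400)
    mods = [
        ("add", "objectClass", "shadowAccount"),
        ("replace", "shadowLastChange", str(0 if force_change else today)),
        ("replace", "shadowMax", str(max_days)),
        ("replace", "shadowMin", str(min_days)),
        ("replace", "shadowWarning", str(warn_days)),
    ]
    out = [f"dn: {dn}", "changetype: modify"]
    for op, attr, value in mods:
        out += [f"{op}: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(out) + "\n"


# --- who gets what under 'access to attrs=userPassword' ---------------------
# Simplified model of slapd evaluation: 'by' clauses are tried in order and
# the first one that matches decides the access level.

ACL = [("self", "write"), ("anonymous", "auth"), ("*", "none")]
LEVELS = ["none", "disclose", "auth", "compare", "search", "read",
          "write", "manage"]  # each level implies the ones before it


def userpassword_access(bind_dn: str | None, target_dn: str) -> str:
    for who, level in ACL:
        if who == "self" and bind_dn and bind_dn.lower() == target_dn.lower():
            return level
        if who == "anonymous" and bind_dn is None:
            return level
        if who == "*":
            return level
    return "none"


def allows(level: str, wanted: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(wanted)


if __name__ == "__main__":
    h = ssha_hash("correct horse")
    print(h, ssha_verify("correct horse", h), ssha_verify("wrong", h))
    print(shadow_policy_ldif(USER_DN))
    print(userpassword_access(USER_DN, USER_DN),
          userpassword_access(None, USER_DN))
```

Feed the output of shadow_policy_ldif to ldapmodify with an account that has write access to the entry; with the ACL above only the user (by self write) and whatever rootdn or other directive you grant can touch userPassword, an anonymous bind may only authenticate against it (by anonymous auth), and every other bound user gets nothing (by * none), so tpearce cannot read sohri's hash.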