
Re: OpenLDAP for Mac OS X Login and Authentication



Has PAM been ported to OS X?  If so, it's already easily accomplished. 
Otherwise, it's extremely non-trivial.  Basically you have to replace
the entire login mechanism.


On Wed, 2002-01-16 at 14:11, Ryan Suarez wrote:
> Hi,
> 
> Has anyone out there got a mac os x 10.1 client to authenticate off LDAP?
> If you have, please share the process with the community.  Much
> appreciated.
> 
> Thanks,
> Ryan
> 
> ps.
> please cc me as well
> 
> "Chuck Coker (Tyrell)" wrote:
> 
> > Hi Ryan,
> >
> > We were hitting dead ends with the LDAP authentication on OS X 10.0.4.
> > We finally quit working on it when OS X 10.1 was released. I haven't
> > seen anything on authentication for OS X 10.1, but I haven't been
> > looking either.
> >
> > If you find something that works, I would like to hear about it.
> >
> > Good luck,
> > Chuck
> >
> > On Wednesday, January 16, 2002, at 06:41 , Ryan Suarez wrote:
> >
> > > Wow, there are absolutely no docs available online that show how to get
> > > OSX to authenticate via ldap.
> > > Your posts were probably the only ones that had direction, but I'm
> > > running out of ideas.
> > >
> > > I just wanted to know how far you guys have gotten?
> > >
> > > I'm trying to authenticate a Mac OS X 10.1 client via OpenLDAP running
> > > on a debian linux box.
> > > OSX 10.1 is supposed to have LDAPv2 support built in, but when I
> > > configure the lookuporder and LDAPAgent through netinfo, run "lookupd
> > > -d", then set the agent attribute to LDAPAgent, it crashes with a "Bus
> > > error".
> > >
> > > [indigo:/var/log] root# less system.log
> > > Jan 15 16:40:24 indigo netinfod local[189]: setsid failed: Operation not
> > > permitted
> > > Jan 15 16:40:25 indigo lookupd[196]: _lookup_all(getfsent) failed
> > > Jan 15 16:40:25 indigo lookupd[196]: _lookup_all(getfsent) failed
> > >
> > >
> > > So from Luke's post below it says that LDAPv3 is supported if you build
> > > the latest source of netinfo from their cvs repository.  So I grabbed
> > > their latest build (netinfo-236) from cvs.
> > >
> > > There's no documentation on how to compile this thing so I just ran
> > > their "BUILD" script in the netinfo-236 source directory.  It seems to
> > > compile all the binaries with no complaints and I just replaced all the
> > > old binaries with the new ones.
> > >
> > > However, when I reboot, it just pauses at the "Starting Directory
> > > Services" screen.
> > > I am STUCK
> > >
> > > Please let me know what progress you have made,
> > >
> > > Thanks,
> > > Ryan
> > >
> > > <snip>
> > > >> According to the OS X docs, I ~should~ be able to have the login sequence
> > > >> check LDAP directories for authentication ~before~ it checks NetInfo.
> > > >
> > > > Uh, that depends on which OS X docs you were reading. Using the stock
> > > > lookupd (not built from source), LDAPv3 cannot be used, you must use LDAPv2.
> > > > Luke has fixed this, but you must build lookupd from cvs source. I haven't
> > > > successfully done this yet, I've played with building lookupd from source,
> > > > but I haven't any luck.
> > >
> > > I would highly recommend that you do attempt to do this. The stock LDAP
> > > support in lookupd is *VERY OLD*. What is the problem? One thing that
> > > I forgot to point out is that you will probably need to rebuild the
> > > NetInfo.framework in Services/netinfo/common to build the lukeh-OpenLDAP
> > > branch of lookupd which unfortunately will require you to rebuild and
> > > reinstall netinfod and nibindd. You may prefer to wait for OS X 10.1.
> > >
> > > >> 4. The LoginHook and LogoutHook parameters for customizing loginwindow do
> > > >> not work (official word from Apple) and ~rumor says~ they will be removed
> > > >> from future OS X releases.
> > > > Hmm, I'm new to the whole OS X scene, and I have no idea what LoginHook is,
> > > > maybe someone can enlighten me.
> > >
> > > Runs an arbitrary executable after logon. Totally irrelevant to
> > > authentication.
> > >
> > > > Another idea is to use pam_ldap for Mac OS X, by Luke Howard (again).
> > >
> > > That will help you with authentication only, not account information. Just
> > > as you would typically use nss_ldap and pam_ldap on a Linux or Solaris box,
> > > you might use LDAPAgent and pam_ldap on an OS X or Darwin machine. Getting
> > > pam_ldap installed on OS X requires building the PAM framework, the PAM
> > > loginwindow authenticator bundle, and rebuilding all the system utilities
> > > that need PAM (such as ftpd and login). Non-trivial, but not too hard if
> > > you really need PAM support :-)
> > >
> > > Darwin PAM support is tracking FreeBSD-current, BTW.
> > >
> > > If you would like Apple to incorporate PAM into the OS, I suggest you talk
> > > to your Apple rep or use one of the feedback addresses on their website.
> > >
> > > cheers,
> > >
> > > -- Luke
> > >
> > > --
> > > Luke Howard | lukehoward.com
> > > PADL Software | www.padl.com
> > > </snip>
> > >
> > >
> > ----------------------------------------------------------------------
> > Chuck Coker - <chuckc@tyrell.com>
> > Software Developer, Tyrell Software Corporation
> > 23151 Verdugo Drive, Suite 204
> > Laguna Hills, California 93653 United States
> > +1 949 458 1911 ext. 3
> > ----------------------------------------------------------------------
-- 
Blake Barnett (bdb)  <blake.barnett@developonline.com>
Sr. Unix Administrator
DevelopOnline.com                 office: 480-377-6816

Learning is a skill, you get better at it with practice.