OSX 10.7 Directory Utility – Editing OpenLDAP

mac-osxopenldapubuntu-12.04

I am attempting to get Macs, running os 10.7.5 Lion, to authenticate using OpenLDAP running on Ubuntu 12.0.4 LTS. One of the things that I would love to be able to do is to use Apple's lovely Directory Utility client to physically edit entries on the LDAP server. I have set up my Root DN as cn=admin,dc=example,dc=com. However, I am unable to authenticate using the DU client to edit the entries stored in the LDAP. I tried using "admin" as a username, and "cn=admin,dc=example,dc=com" as well. Has anyone gotten this to work?

Best Answer

OS X Server uses OpenLDAP as it's LDAP server so the DU utility should be able to administer it. Without more information, we can't really troubleshoot this problem. Most importantly can you administer the LDAP server with Linux tools with the credentials you specified? If not see this guide on how to set the OpenLDAP http://www.howtoforge.com/linux_openldap_setup_server_client

Related Solutions

Ldap – Securing userPassword access with OpenLDAP in RHEL

pam_ldap shouldn't be attempting to read the userPassword value to log you in -- It logs you in by doing an LDAP bind with the DN that it retrieves.

It's possible the search parameters pam_ldap uses are over-broad & it tries to pull userPassword as a result, but if your ACL is set up correctly (looks fine to me) it won't get that value in its results.

Just in case your ACLs aren't fine (I've been known to miss stupidly obvious stuff before), here's the working ACL list from my production LDAP environment :)

# Access and Security Restrictions
# (Most restrictive entries first)
access to attrs=userPassword
    by self write
    by dn.sub="ou=sync,dc=mydomain,dc=com" read
    by anonymous auth
by users none

access to * by * read

The trailing access to * by * read is important, I didn't see it in your examples so I'm not sure if it's missing or just omitted from your snippet.

The sync line is for my LDAP synchronization service and isn't necessary if you're not doing replication...

Configuring openldap multimaster replication using cn=config

This thread led me to the idea that the olcMirrorMode definition needs to be placed after the olcSyncrepl lines. I stopped the ldap servers and edited the olcDatabase ldif files manually. This seems to have gotten replication of the data working in both directions now.

Best Answer

Related Solutions

Ldap – Securing userPassword access with OpenLDAP in RHEL

Configuring openldap multimaster replication using cn=config

Related Topic