Mailing Lists: Apple Mailing Lists


Re: PAM questions. HELP!



On Tuesday 03 December 2002 22:45, Jason Townsend wrote:

> There is actually reconnect support in the LDAPv3 plug-in. In some
> cases this would not work properly. (The fix is in the Darwin CVS
> version and will be included in a future release of Mac OS X.)

That's interesting. The scenario for me is that I have the LDAP bridge on my
departmental NetInfo server (/Music) which also holds home directories etc.
All client machines are set to bind to this machine for NetInfo, but also
have the LDAPv3 plugin set to query the LDAP bridge after trying NetInfo.

If I restart the LDAP bridge for any reason, client machines are not able to
log users in, and must be restarted. I can't remember off the top of my head
whether they query the LDAP bridge at all or not -- I seem to remember that
some contact was made but I can't remember how much (not to the point of the
BIND, I am fairly certain).

> Configuring both plug-ins will not really address the issue. The first
> one in the list will take precedence. (The search policy is not a
> replication/fail over strategy.)

Oh, that's interesting. It is for NetInfo though - if a user is not found in
NetInfo then it will go on to look in LDAP (search order in Directory
Access.app)... or do you mean that if a user is found in one, but does not
authenticate (wrong password) then it does not go any further?

> As to the startup sequence, you should make sure that the LDAP server
> starts before DirectoryService. This can be done by making the
> DirectoryServices startup item depend on your LDAP server's startup
> item.

Hmmm. Is it possible to simply restart DirectoryService in some way so I can
test this without restarting the machine?

> Alternately, try running ftpd and the passthrough LDAP server on
> different machines.

Yes, good idea. Is the stock ftpd on OSX client machines (10.2.2) supposed to
work in the same way (by authenticating via DirectoryServices)? I suspect
not, having looked at the lukemftpd sources in Darwin... but I could be wrong.

> -Jason

Thanks Jason - I would like to nail this issue.

Cheers,
Stephen Brandon
_______________________________________________
darwin-development mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-development
Do not post admin requests to the list. They will be ignored.

References: 
 >Re: PAM questions. HELP! (From: Jason Townsend <email@hidden>)


