Mailing Lists: Apple Mailing Lists


Re: MacOSX LDAP server Solaris 9 client




On Sep 30, 2004, at 12:47 AM, Robert Frank wrote:

> We are trying to get a Solaris 9 (sparc) client to authenticate from a MacOSX server (10.3.5) using LDAP.
>
> While the Linux clients work just fine, the Solaris client (which doesn't use OpenLDAP) has problems.
> We've narrowed the problem down to some kind of mapping/protocol error.

Solaris's built-in nss_ldap is.. well.. no one uses it. Grab padl's (http://www.padl.com).


> Solaris uses the SASL/CRAM-MD5 protocol, (linux only CRAM-MD5)

Well.. it's hard to speak about Linux as a cohesive whole. But LDAPv3 in general (and OpenLDAP in particular, which most Linux distributions use) certainly does use SASL to implement CRAM-MD5.


> and it is the SASL part that is
> causing problems. According to what we discovered, SASL uses its own (user) database,

SASL is a network protocol; its secrets can be stored in a number of places. In Mac OS X they're stored in Password Server.


> as the error we get,
> is: "user not in database" and when we go through the logs, we can see the SASL message: "no users in database".
> Obviously, the MAC side is not quite correctly set up to tell SASL to get the information from LDAP/password
> server ...

Err.. not sure how that's obvious. Mac OS X cannot support CRAM-MD5 authentication unless it's using at all. The error you are seeing is likely spurious.


> The other minor glitch is the way queries are transformed.
> We get something like uid=uid=xxx, which is definitively wrong (it should just be uid=xxx,).



More likely your Solaris config is sending a bind dn that Mac OS X's SASL regexp is not handling... which would be odd since it's pretty liberal and should interpret almost anything correctly.


This use of LDAP for authentication is silly when we have Kerberos. It's come up; sure, it works, but it's sort of like taking the Yugo when the Porsche is in the garage. LDAP is great for user identification, servicing getpwnam(). That's nss_ldap, and using it is right.

Authentication, though... why not use pam_krb5, get a ticket when logging in, and support single sign-on?

Anyway, yeah, I've set up Solaris clients 5-6 times now. I have generally used PADL's stuff rather than Sun's, on the advice of the Solaris Managers list.


http://www.4am-media.com
Mac OS X Consulting and Training
Michael Bartosh email@hidden 303.517.0272 Denver, CO


"The surest way to corrupt a youth is to instruct him to hold in higher regard those who think alike than those who think differently."

-- Nietzsche
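The exchange the thread is arguing about, as an added illustration that is not part of the original message: a CRAM-MD5 (RFC 2195) challenge/response carried out by both sides, with a server-side lookup that returns a "no such user" status separate from "bad digest". The user names, passwords, hostname and the dictionary standing in for Password Server are all constructed for this example. What it shows is why the SASL secrets have to live somewhere the server can read in recoverable form: the server proves the client knows the password by recomputing HMAC-MD5 keyed with the password itself, so a one-way hashed userPassword attribute cannot serve this mechanism.

```python
"""CRAM-MD5 exchange (RFC 2195), both sides, to show why the server
needs a recoverable copy of the secret.  Added example, not code from
the thread; all names and sample values are constructed."""
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the server's secret store (Password Server in
# the Mac OS X case).  Verification must be keyed with the cleartext
# password, so a hashed userPassword in LDAP is not enough for CRAM-MD5.
SECRET_STORE = {"rfrank": "correct horse battery", "alice": "s3cret"}


def make_challenge(hostname: str) -> str:
    """Server step 1: a fresh, unique challenge in the RFC 2195 shape
    '<random.timestamp@host>'.  Uniqueness is what defeats replay."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>"


def client_response(username: str, password: str, challenge: str) -> str:
    """Client step 2: 'username hex(HMAC-MD5(password, challenge))'.
    The password never crosses the wire, only the keyed digest."""
    digest = hmac.new(password.encode("utf-8"),
                      challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_response(response: str, challenge: str, store=SECRET_STORE) -> str:
    """Server step 3: recompute the digest from the stored secret and
    compare in constant time.  Returns a status string instead of a bool
    so the caller (and the log) can tell 'unknown user' from 'bad digest'."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return "malformed"
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        return "malformed"
    secret = store.get(username)
    if secret is None:
        # The condition behind a "user not in database" log line: the SASL
        # backend has no secret it can key the HMAC with for that name.
        return "no-such-user"
    expected = hmac.new(secret.encode("utf-8"),
                        challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return "ok" if hmac.compare_digest(expected, digest) else "bad-digest"


if __name__ == "__main__":
    chal = make_challenge("ldap.example.test")          # constructed host
    good = client_response("rfrank", "correct horse battery", chal)
    print(chal)
    print(good)
    print("known user, right password :", verify_response(good, chal))
    print("known user, wrong password :",
          verify_response(client_response("rfrank", "wrong", chal), chal))
    print("unknown user               :",
          verify_response(client_response("bob", "x", chal), chal))
    print("replayed against new chal  :",
          verify_response(good, make_challenge("ldap.example.test")))
```

Run it as-is to see the four outcomes; the last one is the replay case, where a captured response is useless against a different challenge. The same structure explains the troubleshooting order in the thread: a "no-such-user" result means the name the client sent found no secret on the server side, which is a mapping or store question, while "bad-digest" means the name mapped but the two sides disagree on the password.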

Macos-x-server mailing list (email@hidden)
References:
- MacOSX LDAP server Solaris 9 client (From: Robert Frank <email@hidden>)
