Re: [Fed-Talk] Searching AD for certs in 10.6 *without* binding the Mac to AD?
- Subject: Re: [Fed-Talk] Searching AD for certs in 10.6 *without* binding the Mac to AD?
- From: "Levine, Jason (NIH/NCI) [E]" <email@hidden>
- Date: Tue, 1 Sep 2009 15:42:25 -0400
On Sep 1, 2009, at 3:28 PM, Timothy J. Miller wrote:

> On 9/1/2009 1:13 PM, Levine, Jason (NIH/NCI) [E] wrote:
>
>> I saw the thread over the past few days about 10.6 allowing Macs bound
>> to an AD to now search the directory for email certificates -- does
>> anyone know if it's now possible in 10.6 to search an AD for certs
>> *without* binding to the AD?
>
> AD doesn't allow anonymous bind by default. The last version that
> did was Windows 2000.

I'm not binding anonymously -- I'm putting my credentials in on the
LDAP3 pane that asks for them, and I've verified with ldapsearch that
the credentials work fine and I can complete searches with them.

>> I've tried to use Directory Utility to set up the AD as a source (both
>> as an Active Directory source and an LDAP3 source), and I've entered
>> my authentication credentials to allow pre-binding to the AD in order
>> to search it, but I can't seem to get Keychain Utility to ever return
>> anything from the "Directory Services" keychain.
>
> Do you have your Kerberos tickets?

Why would I need Kerberos tickets? I'm using a local account on my
Mac, and explicitly putting my auth creds in to bind the query
connection.

>> Will searching an LDAP data store for certificates only work if the
>> machine itself is authenticated against the store?
>
> LDAP only binds the query connection.

I might have worded that incorrectly -- I'm *trying* to bind the query
connection with the provided creds, and return certs from the query.
I'm specifically NOT trying to bind the machine.

Jason