Re: [Fed-Talk] Re: Fed-talk Digest, Vol 6, Issue 221
- Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 6, Issue 221
- From: James Alcasid <email@hidden>
- Date: Fri, 04 Sep 2009 10:03:42 -0400
- Thread-topic: [Fed-Talk] Re: Fed-talk Digest, Vol 6, Issue 221
I have seen what you had mentioned in Tiger, we both have. I have not experienced it in testing with Leopard and do not expect such issues in SL. As you know Palo Alto had experienced the issue that you mentioned but a modification to the AD plug-in was made by Rick Lemmon, Apple. These changes were integrated into Leo updates and SL.
--
James Alcasíd, ACSA | VeriSolv Technologies
Department of Veterans Affairs | Enterprise Infrastructure Engineering
470 L’Enfant Plaza Suite 3100, Washington DC 20024
Office (202) 245-4573, Mobile (703) 400-1471
Note:
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.
From: Cerniuk William <email@hidden>
Date: Thu, 3 Sep 2009 23:54:07 -0400
To: "Daniel S. Hoit" <email@hidden>
Cc: Fed Talk <email@hidden>
Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 6, Issue 221
That is good intel. The problem with binding to AD for us is that our AD is not structured in a normal way (so said MS).
This structure throws the Mac directory system for a loop and eventually stalls the Mac completely at login and then during some background process when and if the user actually gets logged in.
So from an operational standpoint, it would be very beneficial if the certs could be looked up and pulled over without the Mac being hardware bound (object in the OU) to Active Directory but instead just ad hoc binding while making LDAP data requests.
If (big if) the cert can be found via LDapper drilling into AD (?) then why can't they be pulled over without joining the Mac to the Domain?
V/R,
Wm. Cerniuk
703.594.7616
(Sent faster from my iPhone 3G)
On Sep 3, 2009, at 6:38 PM, "Daniel S. Hoit" <email@hidden> wrote:
On my 10.6 test box bound to AD, I can select DS in KA, type an email address, and see the cert.
It only works with the complete email address though, and you get no hits for partial matches.
Trying on a machine not bound to AD, setup with an LDAP connection, I couldn't make it work.
It could be the port/security settings need to be fine tuned, or it could be that it just doesn't work.
Can you bind to AD, but not use it for authentication? That should enable you to use the computer account to connect to the DS.
--DH
On Sep 1, 2009, at 12:04 PM, email@hidden wrote:
From: "Levine, Jason (NIH/NCI) [E]" <email@hidden>
Date: September 1, 2009 11:13:30 AM PDT
To: <email@hidden>
Subject: [Fed-Talk] Searching AD for certs in 10.6 *without* binding the Mac to AD?
I saw the thread over the past few days about 10.6 allowing Macs bound to an AD to now search the directory for email certificates -- does anyone know if it's now possible in 10.6 to search an AD for certs *without* binding to the AD?
I've tried to use Directory Utility to set up the AD as a source (both as an Active Directory source and an LDAP3 source), and I've entered my authentication credentials to allow pre-binding to the AD in order to search it, but I can't seem to get Keychain Utility to ever return anything from the "Directory Services" keychain.
Will searching an LDAP data store for certificates only work if the machine itself is authenticated against the store?
Jason
Daniel S. Hoit
Lawrence Livermore National Laboratory
email: email@hidden
phone: 925-424-5256
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
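The thread asks whether a Mac must be bound to AD before the "Directory Services" keychain will return a user's S/MIME certificate, and notes that the lookup only hits on the complete e-mail address. The following is an added example (not code from the list, from Apple, or from any of the posters) showing what such a lookup does underneath: it builds an RFC 4515 search filter on the `mail` attribute, with user input escaped so a typed address cannot turn into a wildcard search, and parses an LDIF result of the kind `ldapsearch -LLL` prints to pull the DER certificate out of `userCertificate;binary`. The LDIF text, the e-mail address and the certificate bytes are constructed sample data; the objectClass `user` is AD's and is an assumption about the directory schema.

```python
"""Look up a user's certificate in an AD/LDAP directory by e-mail address.

Added example with constructed data. It does not open a network connection;
it only shows the filter a client sends and how the LDIF answer is parsed.
"""
import base64
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_mail_filter(email):
    """Exact-match filter on the mail attribute (assumed AD objectClass 'user').

    Like the Directory Services lookup in the thread, this only hits on the
    full address; an unescaped '*' would turn it into a substring search.
    """
    return "(&(objectClass=user)(mail=%s))" % escape_filter_value(email)


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [bytes, ...]} dicts.

    Handles folded lines (a leading space continues the previous line) and
    base64 values ('attr:: ...'), which is how binary certificates arrive.
    """
    entries, current = [], {}
    unfolded = re.sub(r"\r?\n ", "", text)
    for line in unfolded.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def certificates_for(email, ldif_text):
    """Return the DER certificates of entries whose mail attribute equals email.

    Only values that start with the DER SEQUENCE tag (0x30) are returned, since
    every X.509 certificate is a SEQUENCE; anything else is treated as junk.
    """
    wanted = email.lower().encode()
    certs = []
    for entry in parse_ldif(ldif_text):
        if wanted not in [m.lower() for m in entry.get("mail", [])]:
            continue
        for attr in ("userCertificate;binary", "userCertificate"):
            for der in entry.get(attr, []):
                if der[:1] == b"\x30":
                    certs.append(der)
    return certs


# Constructed stand-in for a certificate: a tiny DER SEQUENCE, not a real cert.
FAKE_DER = b"\x30\x03\x02\x01\x01"

# Constructed LDIF, shaped like 'ldapsearch -LLL' output; the dn line is folded.
SAMPLE_LDIF = """dn: CN=Jane Doe,OU=Users,
 DC=example,DC=gov
objectClass: user
mail: jdoe@example.gov
userCertificate;binary:: %s

dn: CN=No Cert,OU=Users,DC=example,DC=gov
objectClass: user
mail: nocert@example.gov
""" % base64.b64encode(FAKE_DER).decode()

if __name__ == "__main__":
    print(build_mail_filter("jdoe@example.gov"))
    print(len(certificates_for("jdoe@example.gov", SAMPLE_LDIF)), "certificate(s) found")
```

A real client would send the filter from `build_mail_filter` over LDAPS (port 636) or LDAP with STARTTLS, authenticating with whatever account the directory grants read access to `userCertificate`, which is the "bind but don't authenticate users with it" arrangement suggested in the thread; the parsing step is the same whichever binding model is used.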