13-05-2021


Admin4 - an open source LDAP browser and directory client for Linux, OS X, and Microsoft Windows, implemented in Python. Apache Directory Server/Studio - an LDAP browser and directory client for Linux, OS X, and Microsoft Windows, and as a plug-in for the Eclipse development environment. One of our clients has an SSID that uses an external LDAP server for authentication. And they have asked if it is possible to enable MAC Authentication, before the 802.11x authentication happens.

I have the following commands on MacOS

As Mac OS X Server evolved, Apple replaced NetInfo with a service based on the Lightweight Directory Access Protocol (LDAP) that is often referred to as simply Open Directory.

I am following this tutorial on running an ldap server on MacOS:

seems strange that I don't have a slapd command - anyone know why?

Ldap Client For Mac
user7898461

1 Answer

Since slapd is almost never run 'by hand', it's not in one of the binaries directories that're in the default PATH. Instead, it's in /usr/libexec, which is the usual place for things that're run automatically rather than manually. So run it with sudo /usr/libexec/slapd instead of just as slapd. (BTW, the sudo is needed so it can allocate low-numbered TCP ports, and get full access to its database).

Gordon Davisson
Last Activity: 23 August 2016, 3:33 PM EDT

Mac OS X LDAP client not accepting ssh or console logins (PAM error)
Hi Folks,
I've installed 389 Directory Server on a CentOS 7.0 server. Over the last two days I've been trying to connect a MacBook running 10.10.5 to the server as a client and I'm having only partial success.
I've 'Joined' to my network Account Server, and set my LDAP Mappings to RFC2307.
With these settings, I'm able to look at the 'Directory Editor' (located within the Directory Utility) and see the postfix groups / users I've created on the 389-ds server. (so success!)
Similarly, when using the Mac OS dscl command, and 'cd-ing' into LDAPv3/FQDN_of_server/Users, I see the RecordNames of the users (or the shortname uid). (success again!)
The command
appears to pull up the correct information for the user. For example, the above command yields the following user information:
As root on the Mac system, I can 'su' to an LDAP test user and create files. The ownership and group of the created files look correct. For example:
I can also 'change' the user's password by doing the following from the macbook:
When I then try to login to a ldap client linux box, the user can successfully login with the new password.
However, I have an issue where I apparently can't ssh into the mac as testuser, login to the console, or 'su' to an LDAP user from an unprivileged account. NOTE: I did verify that under 'Users & Groups' I am allowing 'all' network users to login at the login window.
The error I'm seeing in the system.log file when I try to ssh into the localhost as the test user is the following:
I believe the problem is with the authorization, sshd, and login files in the /etc/pam.d directory of the mac, but I've tried several changes to correct for the error, and nothing seems to work. I also tried setting UsePAM yes in the sshd_config file, but that didn't make a difference.
Has anyone else run across this issue? Any suggestions would be appreciated. I've been fighting with this problem for two days now. Slaving into the directory server was easy, but this part has me puzzled.
Thanks,
NOTE1: Error in the system.log file. What I'm seeing from an ldap user login (testuser) compared to a local user (localuser):
NOTE2: I did modify the MacBook's /etc/openldap/ldap.conf file to be:
I added the ssl start_tls line so that I could use the following command from the mac:


jlh