3

I am doing a few tests with OS X Server before I have to do a deploy in a few months. I have configured Open Directory, and created a few users. I've configured Directory Utility on a 10.5 client, but the login authentication doesn't work the way I would expect. I would expect I could use a username/password from any user created in Open Directory and be able to log into the client. Instead, it appears I need to create a local user, which you then sync with a directory user using Directory Utility.

Alternatively, if I add an Active Directory config to the client, I can use any AD user, as I would expect.

Am I hoping for the impossible, or is something likely wrong with the configuration?

Scott Pack
mattdwen
  • Did you join the Mac to the OpenDirectory system or simply add a search entry in Directory Utility? What you're asking for is exactly what OD is designed to do. – Scott Pack Jul 10 '09 at 00:43

4 Answers

5

It sounds more likely that something is wrong with your configuration. How did you add the Open Directory server in Directory Utility? What you want is precisely how it is supposed to work.

Additionally, before too much else, double-check your DNS, as DNS problems will cause all sorts of issues with Open Directory.

For instructions you can check the docs (Open Directory Admin PDF), specifically page 118, quoted here:

To connect to a standard or workgroup configuration server:

1 Open Directory Utility (in /Applications/Utilities/).
2 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3 Click Directory Servers, then click the Add (+) button.
4 From the “Add a new directory of type” pop-up menu, choose Open Directory.
5 In the “Server Name or IP Address” field, enter the server name or IP address.
6 (Conditional) Before you select the “Encrypt using SSL” checkbox, check with your Open Directory administrator to determine if SSL is needed.
7 In the Introduction pane, a list of services offered by the server you are connecting to is displayed; click Begin Setup.
8 Enter the Authentication information for the server you are connecting to.
In the name and password field, enter the administrator name and password for the server you are connecting to.
Enter the password for the user account that appears in “Enter the password for the account username on this computer.”
9 Click Continue.
10 Under Configuration Options, choose to let Directory Utility configure your applications or not.
Select Yes if you want the server to configure your application to use services that it offers.
Select No to bypass this configuration.
11 Click Continue.
12 Click Finish Setup.

Chealion
  • Have followed these steps, and it all appears to work. I see a list of network accounts on the login screen, but as soon as you try to log in as one, after entering the password, it just shakes its head and kicks you back to the login screen. – mattdwen Sep 29 '09 at 01:09
  • Are logins enabled on OS X Server? When debugging why it's not working, check the logs (system.log and console.log), or on the Server check the logs that the authentication succeeds. – Chealion Sep 29 '09 at 01:58
  • I can't find an option to enable or disable logins? I've finally got one to work, after trying many things. I think I've isolated it to creating the user using Workgroup Manager as opposed to Server Preferences. I can only imagine that WM isn't giving access to the 'login' service, even though it's not an option in SPrefs. – mattdwen Sep 29 '09 at 02:33
  • Using Workgroup Manager you can disable logins by either unchecking "Access Account" on the first tab of information when you click on a user, or the second tab (Advanced) setting the login shell to `/usr/bin/false` or something similar. That said with WGM - which directory are you creating users on? `/Local/Default` is local to the server, whereas `/LDAPv3/127.0.0.1` is Open Directory. You can see this in the top left under the Server Admin button. – Chealion Sep 29 '09 at 15:26
1

Here is something you can do to check where things are at on the client.

Open up a Terminal, and run dscl. It allows you to access the directory services from the command line, and when run with no options, it is interactive (and feels rather like navigating a filesystem hierarchy, complete with tab completion).

$ dscl

ls

Your listing will probably include:

  • BSD
  • LDAPv3
  • Local
  • [a blank line]
  • Search
  • Contact

Now, let us see what directories you are bound to through LDAP (which includes Open Directory, as it uses OpenLDAP):

cd LDAPv3
ls

You should see an IP address corresponding to the Open Directory Master/Replica you are bound to. If there is nothing here, you aren't bound to anything.

cd [IP address of ODM/ODR -- tab completion can help]
ls

You should see a bunch of directories. If you get nothing, you either aren't bound, the server isn't responding, or there is a network problem.

cd Users
ls

You should see a list of your users. To get detailed info on one of them:

read [username]

or, for less spew, you can specify which parameters you are interested in, like so:

read [username] UniqueID PrimaryGroupID RecordName RealName NFSHomeDirectory UserShell

or, to see info on all of the users, try:

readall . RealName UniqueID

Lastly, you can query the search path (searched for users to authenticate) and the contacts path (users who show up in Directory.app and Address Book.app), by doing, respectively:

readall /Search/Users RealName UniqueID
readall /Contacts/Users RealName UniqueID

Did this indicate anything regarding the binding status of your client?

One other thing to try is:
ssh username@localhost

This will let you test if authentication is working. (ssh needs to be enabled first. System Preferences -> Sharing -> Remote Login).

Clinton Blackmore
  • Wow it's taken me a long time to get back to this. Have tried all the steps down to using ssh, and they all work as expected. However, ssh will only ever authenticate as the default administrator account, and not as any I've created using workgroup manager. This is from localhost, or a bound client machine. – mattdwen Sep 29 '09 at 01:07
  • I enabled the 'administer this server' option for the account, and the ssh works from the client. – mattdwen Sep 29 '09 at 01:15
  • Hmm... I don't recall ever having a problem sshing as a directory user to a machine. I imagine that ssh is enabled for all users, right? (You can specify SACLs (Service Access Control Lists) for ssh in the same place you enable/disable it). – Clinton Blackmore Sep 29 '09 at 03:40
0

Yeah, I recall adding home directories and then all of a sudden I no longer had a shaking screen when trying to authenticate against Open Directory! Thanks for reminding me.

0

It should work without any problems; just create an OD master on the Server, create your home share and the users, and on the clients, use Directory Utility to point to your OD server under the Directory Servers tab.

Then go to advanced settings: in the Services tab, LDAPv3 must be activated, and under Search Policy/Authentication, your OD server must also be listed. If it is not, it should appear if you click the Plus button.

After that, restart and you should be able to authenticate with your OD users (to avoid confusion, you shouldn't have any local user with the same name as the corresponding OD user).

Sven
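The checks from Clinton Blackmore's dscl walkthrough and Sven's points about the search policy and same-named local users, scripted into one client-side diagnostic. This is an added example, not code from the original page or from any of the answers. The OD master name od.example.com and the user name alice are placeholders (assumptions, not from the page), and the sample dscl outputs shown in the comments are constructed to illustrate the output shape. The live dscl calls only run on a Mac with a user name argument; the three helper functions accept pasted dscl output on stdin and can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the original page): a client-side binding and
# login-readiness check that scripts the dscl walkthrough above.
# Placeholders (assumptions, not from the page): the OD master
# od.example.com and the user name alice. The sample dscl outputs in the
# comments are constructed to show the shape of the real output.

# Count the LDAPv3 nodes the client is bound to.
# Input on stdin: output of   dscl localhost -list /LDAPv3
# (one node name per line, e.g. "od.example.com"; empty if not bound).
ldap_node_count() {
    grep -c '[^[:space:]]' || true     # print "0" instead of failing
}

# Succeed if an LDAPv3 node is on the authentication search path.
# Input on stdin: output of   dscl /Search -read / CSPSearchPath
# which looks like:
#   CSPSearchPath:
#    /Local/Default
#    /BSD/local
#    /LDAPv3/od.example.com
# Without a /LDAPv3/ line, loginwindow never consults the OD server; this is
# the "Search Policy/Authentication" point in Sven's answer.
search_path_has_ldap() {
    grep -q '^[[:space:]]*/LDAPv3/' && return 0
    return 1
}

# Judge whether a user record, as seen through the search path, can log in.
# Input on stdin: output of
#   dscl /Search -read /Users/alice UniqueID NFSHomeDirectory UserShell
# i.e. "Key: value" lines. No UniqueID means the record was not found; a
# missing NFSHomeDirectory matches the "shaking login window until home
# directories were added" report above; UserShell /usr/bin/false is how the
# Workgroup Manager Advanced tab disables login (Chealion's comment).
# /sbin/nologin is treated the same way (assumption, not from the page).
login_record_ok() {
    rec=$(cat)
    uid=$(printf '%s\n' "$rec" | sed -n 's/^UniqueID: *//p')
    home=$(printf '%s\n' "$rec" | sed -n 's/^NFSHomeDirectory: *//p')
    shell=$(printf '%s\n' "$rec" | sed -n 's/^UserShell: *//p')
    if [ -z "$uid" ]; then
        echo "PROBLEM: no UniqueID, the record was not found on the search path"
        return 1
    fi
    if [ -z "$home" ]; then
        echo "PROBLEM: uid $uid has no NFSHomeDirectory"
        return 1
    fi
    case "$shell" in
        ''|/usr/bin/false|/sbin/nologin)
            echo "PROBLEM: uid $uid has login disabled (UserShell '${shell:-unset}')"
            return 1 ;;
    esac
    echo "OK: uid $uid, home $home, shell $shell"
    return 0
}

# Live checks, run only on a Mac (dscl present) with a user name argument.
run_live_checks() {
    user=$1
    echo "== LDAPv3 nodes bound on this client"
    dscl localhost -list /LDAPv3
    echo "== authentication search path"
    if dscl /Search -read / CSPSearchPath | search_path_has_ldap; then
        echo "OK: an LDAPv3 node is on the search path"
    else
        echo "PROBLEM: no LDAPv3 node on the search path (Directory Utility > Search Policy)"
    fi
    echo "== record for $user through the search path"
    dscl /Search -read "/Users/$user" UniqueID NFSHomeDirectory UserShell \
        | login_record_ok
    # Sven's caveat: a local account with the same name is found first.
    if dscl /Local/Default -read "/Users/$user" RecordName >/dev/null 2>&1; then
        echo "WARNING: a local user named $user also exists and shadows the OD one"
    fi
    echo "== password check through the search path (prompts for the password)"
    dscl /Search -authonly "$user"
}

if command -v dscl >/dev/null 2>&1 && [ $# -gt 0 ]; then
    run_live_checks "$1"
fi
```

Run it on the bound client as `sh odcheck.sh alice`. The -authonly step checks the password against whatever node the search path resolves the user to, without needing a login session, so a failure there points at the server (DNS, the password server, or an account with "Access Account" unchecked in Workgroup Manager) rather than at the login window.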