How to enable DIGEST-MD5 SASL mechanism in Open Directory?

Question

We've created an Open Directory master on OSX 10.10 Yosemite + Server.app v4:

$ sudo slapconfig -createldapmasterandadmin admin Administrator 1000

But it doesn't support DIGEST-MD5:

$ ldapsearch -x -LLL -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: CRAM-MD5

Which is a problem because users can't authenticate against collabd (for Profile/Device manager, or Wiki):

<Error>: [CSAuthService.m:326 667e000 +86ms] Digest did not validate
<Error>: [CSServiceDispatcher.m:261 667e000 +0ms] Caught exception "Invalid Credentials" [CSAuthBadDigest] executing [http]Request{AuthService.validateUsernameAndPasswordDigest:remember:(<<scrubbed>>)}:
(
    0   CoreFoundation                      0x00007fff8d35c64c __exceptionPreprocess + 172
    1   libobjc.A.dylib                     0x00007fff92ec76de objc_exception_throw + 43
    2   CSService                           0x000000010425fc90 -[CSAuthService sessionForDigest:remember:] + 1681
    3   CSService                           0x000000010425f5a7 -[CSAuthService validateUsernameAndPasswordDigest:remember:] + 65
    4   CoreFoundation                      0x00007fff8d23533c __invoking___ + 140
    5   CoreFoundation                      0x00007fff8d235192 -[NSInvocation invoke] + 290
    6   CSService                           0x00000001041dce3d -[CSServiceDispatcher executeRequest:asPartOfBatch:usingServiceImpl:] + 4774
    7   CSService                           0x00000001041dd91e __43-[CSServiceDispatcher executeBatchRequest:]_block_invoke_3 + 83
    8   CSService                           0x00000001041e2a22 -[NSArray(CollabBlockMethods) map:] + 249
    9   CSService                           0x00000001041dd877 __43-[CSServiceDispatcher executeBatchRequest:]_block_invoke_2 + 160
    10  CSService                           0x00000001041e3100 +[CSExecutionTimer recordTime:ofBlock:] + 74
    11  CSService                           0x00000001041e2f3b +[CSExecutionTimer timerNamed:aroundBlock:] + 76
    12  CSService                           0x00000001041dd5c4 __43-[CSServiceDispatcher executeBatchRequest:]_block_invoke + 323
    13  PostgreSQLClient                    0x00000001041400b3 -[PGCConnection transactionInBlock:onError:] + 149
    14  CSService                           0x00000001041dd3fa -[CSServiceDispatcher executeBatchRequest:] + 277
    15  CSService                           0x0000000104253aab +[CSServiceDispatchHTTPRouter routeServiceRequest:response:] + 1024
    16  CSService                           0x00000001041e399e __21-[CSServiceBase init]_block_invoke_6 + 48
    17  CSService                           0x0000000104250af4 __53-[CSRoutingHTTPConnection httpResponseForMethod:URI:]_block_invoke + 92
    18  CSService                           0x00000001042540ea -[CSHTTPBackgroundResponse bounce:] + 284
    19  Foundation                          0x00007fff8e14cb7a __NSThread__main__ + 1345
    20  libsystem_pthread.dylib             0x00007fff9ad2f2fc _pthread_body + 131
    21  libsystem_pthread.dylib             0x00007fff9ad2f279 _pthread_body + 0
    22  libsystem_pthread.dylib             0x00007fff9ad2d4b1 thread_start + 13
)

How does one enable DIGEST-MD5?

Answer 1

Try listing the password server's supported hash types with

pwpolicy -n /LDAPv3/127.0.0.1 -getglobalhashtypes

...and see if it includes RECOVERABLE (which I believe is needed for both DIGEST-MD5 and WEBDAV-DIGEST) (note that this won't list GSSAPI/Kerberos, since this is handled by a separate service). Unfortunately I don't have a way to test this right not, but if it's missing, try:

pwpolicy -n /LDAPv3/127.0.0.1 -a admin -setglobalhashtypes RECOVERABLE on

...and see if that adds the needed auth mechanisms. Note that this won't apply to individual users until the next time their password is changed.

Answer 2

Here's what worked for me solving this login issue on OS X 10.11.6 with Server 5.1.7. These steps also resolved several other problems like not being able to install profiles due to trust issues, user permissions issues, or the inability to contact the server, etc.

From https://support.apple.com/en-us/HT200018 :

Check DNS:

1. Open Terminal and type hostname to verify the name of your server.

2. Open Server.app and select your server in the sidebar.

3. Select the Overview tab. Your server's fully qualified domain name should be displayed in the Host Name field.

   If the qualified domain name in the Server window doesn't match the results of the hostname command, you need to correct this before proceeding with the next steps in this article. If you are certain the Fully Qualified Domain Name assigned to your server's IP address is correct, use the change hostname assistant in Server to set the correct hostname for your server.

4. Open System Preferences and click the Network icon.

5. Select the network interface that has been configured for your server. Your server's IP address is listed here.

6. Note the DNS Servers listed.

   If you have configured the DNS server on your server and DNS records have been created for this server, your server should be listed as 127.0.0.1 (not the server's IP address).

   If another server on your network is hosting DNS records for your server, that server's IP Address should be listed in the DNS Servers field.

   If this information is not correct, click the “Advanced…” button and then the DNS tab. The correct DNS server address(es) can be set here.

Testing your DNS settings

You can use the Terminal to test your name to IP address resolution. Open Terminal (/Applications/Utilities/Terminal.app) and use the following commands:

Use the “host” command to test name to ip address resolution:

host <your server's fully qualified domain name>

The expected output is has address You can also use the "host" command to test IP address to name resolution:

host <your ip address> 

The expected output is .in-addr.arpa domain name pointer

In addition to this, Default Network Access should be set to All Networks and I am not sure if it helps, but turning on Apple Push Notifications in Settings was another step I took (MDM relies on Push to a degree).

Further, if you are hosting at a .local domain name, it is also important that the certificate assigned to your server be signed by the Open Directory Certificate Authority on your computer (otherwise of course you'd want to use one signed by an actual certificate authority). OS X server version 5 has some annoying bugs when it comes to how it automatically assigns certificates to various services including websites. What I had to do was manually create a new certificate like this, prior to the rekerberize step below, I did the following steps to reset certificates for the system:

1. (Optionally) After freshly backing up your system, start fresh by turning off all server services and deleting the Master from Open Directory. Then go to Certificates and delete any certificates except for special ones for any custom websites. Also go to /etc/certificates and make sure there are not any rogue certificates there that do not show up in Server app (if there are, move to a temp folder or delete).

2. Next, in OS X Server app, if you did not already, then TURN OFF ALL SERVICES. Then go to OS X Server app and do Certificates > + > Create a Certificate Identity...

3. For the name, I put my hostname, but you can put anything here. Identity type: Leaf. Certificate type: SSL Server. Check "let me override defaults." Click "Continue."

4. For Serial Number, pick something you haven't already used. Click continue.

5. For Name (Common Name) make sure it matches your hostname. The rest does not matter. Press Continue.

6. For Certificate Authority, select the one that includes the text, "Open Directory Certificate Authority", which should have been created when you first set up Open Directory. Press Continue.

7. Set the bit size of the cert (2048 RSA is fine).

8. In Key Usage Extension, make sure to select Key Encipherment and Key Agreement. Press Continue.

9. In Key Usage Extension, make sure to select SSL Client Authentication and PKINIT Client Authentication (this may not matter but I did see an error in the iPad log that indicated the client needed a cert and the time I reset everything and checked this, it started working.) Press continue.

10. Go past Basic Constraint Extension. Press continue there.

11. In Subject Alternate Name Extension, make sure the dDNSName is set to your hostname verified in the Check DNS step from Apple above. Make sure the IP Address includes the actual IP of your server. Press continue.

12. Authenticate and press OK. Now the new cert should show up in OS X server's Certificates area. Select Secure services using: > Custom. In the Server Certificates box that pops up, set the certificate for ALL of your services (except any custom websites that need their own cert) to your new cert.

13. (Optional.) If you deleted your Open Directory master in step 0, then make a new one here. At least make sure Open Directory has a locale with your local IP range, e.g. 10.1.10.0/24 etc.

Next do the "rekerberize" step below, from Apple:

Rekerberize your server:

sudo mkdir /var/db/openldap/migration
sudo touch /var/db/openldap/migration/.rekerberize
sudo slapconfig -firstboot

The last terminal command above will have turned on the Open Directory server. Go back to server app and make sure Open Directory is on. Then do the following steps (first few steps I believe are just to ensure it can work with a .local server):

1. Make sure your server's DNS server is configured with an entry for your machine's hostname, and set to forward all other DNS requests to a normal DNS server. (This is especially important if you're using a .local domain for your machine.) Add the entry for your hostname and your IP, then turn on the DNS server.

2. Now turn on Websites. If you're still in your testing phase and your server is still on a .local domain name, then Double-click on Server Website (SSL) and verify its SSL certificate is set up as the new one that we created above.

3. Turn on Profile Manager. Set it to Sign configuration profiles. The cert shown ought to say it's been signed by an intermediary authority.

4. In Users, create a user to use with Profile Manager. All users used with Profile Manager MUST be in the "Local Directory" and NOT in the "Local Network Directory"... this is VERY important... ! The reason is because when you log out from OS X Server (even the Profile Manager) it may cause the un-mounting of the volume containing that user's data, preventing further logins by them. See this Apple support site: https://support.apple.com/en-us/HT203325

5. In Safari, login to your server's Profile Manager. If you are intending to have devices auto-setup from the Welcome screen, you'll need to check the box in the Everyone group for "Allow enrollment during Setup Assistant for devices configured using Apple Configurator". (See this Spiceworks post & replies.). If this is turned off then the user's login will fail without explanation during the Welcome screen process on a "prepared" device.

Now, if you're using a .local server, then to get an iPad to download and install profiles you'll need to do the following steps:

1. Turn off the iPad's Cellular Data and go to WiFi and make sure it's on the same subnet as your server.

2. If the iPad is already set up past the Welcome screen, set the iPad's DNS server to exactly match the hostname determined in the Check DNS steps above (e.g., mycomputer.local).

   OR

3. If the iPad is on the Welcome screen and it is a Supervised device set up with Configurator to download the profile at setup time from your .local MDM server, then you'll need to turn on Internet Sharing on the server to create a hotspot, and use that for the initial WIFI connection. Note that this requires the server to have its DNS server setup properly as described in the Check DNS section quoted from Apple's support site above.

---

Please note:

• Technically speaking, a .local address is a fully qualified domain name. If your clients are on the same LAN and subnet as the server then things will work if the server has a .local address as long as Apple Push Notification service is activated on the server. If you set up Profile Manager and then later turn off APN in OS X Server, then you won't be prompted to re-enable it and things will start failing.

• In the device logs if you get the following type of error:

Desc   : The server certificate for “https://my-macbook-pro.local/devicemanagement/api/device/mdm_checkin” is invalid.

Then it's because your iPad's not trusting the certificate. This could mean one of several things:

1. It could mean a certificate issue. Make sure profile signing is turned on in Profile Manager in OS X Server app. If it's not, and you don't want it on, then you may need to install and trust the root certificate onto your device by either e-mailing it to the Device, or putting it up on a website and then downloading it from that website onto the device. BTW, "the root certificate" means the one that signed the intermediary root that signed the code signing profile used to sign the Remote Management Profile; you can see which cert signed which by going into Keychain Access and looking at the details of the certificates (roots are not accessible from within OS X Server app itself as far as I'm aware). (You can install a certificate onto an iOS device by exporting it from Keychain Access as a .cer file, then placing it in /Library/Server/Web/Data/Sites/Default/, then sudo chown _www:_www CertName.cer, then on the iPad, navigate to myserver.local/CertName.cer.) However I did not need to do this if I just signed the cert. If all that fails then repeat all the above steps because you probably have the wrong IP or hostname or settings on the certs in question, or Kerberos needs a reset, etc.

2. It could mean your client does not have the server's hostname as its DNS server. Either set it to have it, or set it to use the server's Internet Sharing hotspot, both described above.

---

This Apple Discussions thread, particularly Linc Davis's post, was also very helpful: https://discussions.apple.com/message/30689429#30689429