
I am trying to configure the Mac clients to use LDAP to connect to their sessions (using OpenLDAP).

I have created PosixAccounts with PosixGroups and tried them on Ubuntu systems: I can log in with my users.

But on macOS (tried with Mojave and Sierra) I simply cannot log in.

I see my users in the Directory Utility, and I can even see them when I use the id command:

bash-3.2$ id -p hlarget
uid hlarget
groups  sysadmin everyone netaccounts com.apple.sharepoint.group.1

I can even use the user with the command ldapsearch -H ldap://example.com -D "cn=hlarget,dc=example,dc=com" -W.

I get a "49" error code (and, just after, a 5000 error):

failed CRAM-MD5 authentication for authzid - 'dn:cn=hlarget+o=example+ou=users,ou=users,dc=example,dc=com' authcid - 'hlarget' error 49

And I cannot edit my directory using Directory Editor with cn=admin,dc=example,dc=com (error code 2100).

I'm pretty sure the problem is encryption, but I tried different password encryption schemes and nothing changed, and I can still log in on Linux configurations.

How can I figure out what the problem is and how do I solve it?

d3cima
I am in the process of incorporating MacOSX clients to my OpenLDAP Directory. I am still in the research phase. I don't know how I'll create the users so that the client will successfully authenticate, but I'm impressed you managed with ordinary POSIX users. I'll get back to this question if I am successful – hanzo2001 Nov 22 '18 at 00:00

1 Answer

I solved my problem using this script:

# Append each mechanism to the 'Denied SASL Methods' array of the LDAPv3 node's
# configuration so the Open Directory LDAP plugin stops trying it and uses a simple bind instead.
for m in CRAM-MD5 DIGEST-MD5 LOGIN NTLM PLAIN; do
    /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string $m" \
        /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap.foo.fr.plist
done

I'm pretty sure it's not the best answer, but still, it does the trick and now I can log in.

d3cima
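As an added example (not part of the answer above), here is a Python alternative to the PlistBuddy loop using the standard-library plistlib: it adds the same mechanisms to 'Denied SASL Methods' only if they are missing (a second run of the posted loop appends duplicate strings) and reads the list back for verification. The plist bytes are a constructed stand-in holding only the keys the answer touches; the node name and the real file path are assumptions.

```python
import plistlib

# Mechanisms the macOS LDAP plugin otherwise negotiates with the server. They are
# challenge-response schemes that need the server to know the cleartext password,
# which hashed userPassword values (e.g. {SSHA}) cannot satisfy, hence LDAP error 49.
CHALLENGE_RESPONSE_MECHS = ["CRAM-MD5", "DIGEST-MD5", "LOGIN", "NTLM", "PLAIN"]

# Constructed sample standing in for
# /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap.foo.fr.plist.
# Only the keys used here are present; a real file holds many more.
SAMPLE_PLIST = plistlib.dumps({
    "node name": "/LDAPv3/ldap.foo.fr",          # assumed value
    "module options": {
        "ldap": {
            "Denied SASL Methods": ["CRAM-MD5"],  # one entry already present
        }
    },
})


def deny_sasl_methods(plist_bytes, mechs=CHALLENGE_RESPONSE_MECHS):
    """Return (new_plist_bytes, added) with every mechanism in `mechs` listed
    exactly once under 'module options' -> 'ldap' -> 'Denied SASL Methods'.

    With all SASL mechanisms denied the plugin falls back to a simple bind, which
    sends the password itself, so the node should be reachable over LDAPS or
    StartTLS only (not checked here)."""
    data = plistlib.loads(plist_bytes)
    ldap_opts = data.setdefault("module options", {}).setdefault("ldap", {})
    denied = ldap_opts.setdefault("Denied SASL Methods", [])
    added = [m for m in mechs if m not in denied]
    denied.extend(added)
    return plistlib.dumps(data), added


def denied_methods(plist_bytes):
    """Read the list back, the way you would verify the file after editing it."""
    return plistlib.loads(plist_bytes)["module options"]["ldap"]["Denied SASL Methods"]


if __name__ == "__main__":
    updated, added = deny_sasl_methods(SAMPLE_PLIST)
    print("added:", added)                       # the four mechanisms that were missing
    print("now denied:", denied_methods(updated))
    # Idempotent: a second run changes nothing.
    assert deny_sasl_methods(updated)[1] == []
```

To apply it to the real file, read the plist with open(path, "rb"), write the returned bytes back with open(path, "wb") as root, and restart opendirectoryd or reboot as with the PlistBuddy version.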