
Getting Mac OS X to authenticate off OpenLDAP



Short Version:
Has anyone got a Mac OS X box authenticating users off an OpenLDAP
server? Please tell me how!

Long Version:
I'm running OpenLDAP 2.0.7 under Red Hat Linux, storing passwords
MD5-hashed. I have a bunch of Linux machines authenticating via LDAP
using PAM and nss_ldap.so, and it works fine. Now I have a Mac OS X box.
I got it to get user and group information from my OpenLDAP server, but
it won't successfully authenticate users. It does try. Here's what goes
out over the wire (as sniffed by ethereal) when "mike" tries to log in:

 Mac  -> LDAP  Search Request (62)
               Base DN: uid=mike,ou=people,o=rprc,c=us
               Filter: (objectClass=*)
               Attribute: modifyTimestamp
 LDAP -> Mac   Search Entry
               Distinguished Name: uid=mike,ou=people,o=rprc,c=us
               Attribute: modifyTimestamp
               Value: 20010616194956Z
 LDAP -> Mac   Search Result
               Result Code: Success

I guess it just does this to make sure mike exists before continuing.
Next comes:

 Mac  -> LDAP  Search Request
               Base DN: o=rprc,c=us
               Filter: (&(objectClass=poxixAccount)(uid=mike))
               Attribute: uid
               Attribute: userPassword
               Attribute: uidNumber
               Attribute: gidNumber
               Attribute: cn
               Attribute: homeDirectory
               Attribute: loginShell
               Attribute: gecos
               Attribute: modifyTimestamp
               Attribute: ttl
 LDAP -> Mac   Search Entry
               Distinguished Name: uid=mike,ou=people,o=rprc,c=us
               Attribute: uid
               Value: mike
               Attribute: cn
               Value: Michael Shadlen
               Attribute: uidNumber
               Value: 1003
               Attribute: homeDirectory
               Value: /home/mike
               Attribute: loginShell
               Value: /bin/tcsh
               Attribute: gidNumber
               Value: 100
               Attribute: userPassword
               Value: {MD5}kDz.......EN3w==
               Attribute: modifyTimeStamp
               Value: 20010616194956Z

Then the Mac breaks off and denies the login. I can think of several
possible problems:

1) The Mac can't do MD5 hashes. Can I teach it? If I have to use
something else, what are my choices?

2) The Mac can use MD5 hashes, but doesn't like the {MD5} text before
the password. What can I do about this?

3) The Mac is unhappy that it didn't get gecos and ttl attributes back.
This seems unlikely.

Any help is greatly appreciated! Thanks,
David
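An added example, not from this post or its author: the trace shows the Mac reading the userPassword attribute and deciding locally, rather than asking the server to check the password with an LDAP bind. The script below does that same client-side comparison for the RFC 2307 "{SCHEME}base64" convention the server is using ({MD5}, plus the salted and SHA variants), and separates "wrong password" from "hash scheme the client cannot handle", which is the distinction behind hypotheses 1 and 2. The sample values are constructed in the code; nothing here is the server's data.

```python
import base64
import hashlib
import hmac
import os
import re

# userPassword schemes this example understands, keyed by the text inside
# the braces. Assumption: the directory stores one of these; the post's
# server uses {MD5}. The salted schemes append the salt to the digest inside
# the base64 blob.
_DIGESTS = {"MD5": hashlib.md5, "SMD5": hashlib.md5,
            "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
_DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.+)$", re.DOTALL)


def make_userpassword(scheme, password, salt=None):
    """Build a userPassword value in the {SCHEME}base64 form (constructed
    test data, not something read from a directory)."""
    scheme = scheme.upper()
    if scheme not in _DIGESTS:
        raise ValueError("unsupported scheme: " + scheme)
    salted = scheme.startswith("S")
    if salted and salt is None:
        salt = os.urandom(4)          # a random 4-byte salt, as slapd uses
    elif not salted:
        salt = b""
    digest = _DIGESTS[scheme](password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def parse_userpassword(value):
    """Split a userPassword value into (scheme, digest, salt).

    Returns None when there is no recognised {SCHEME} prefix or the base64
    blob is malformed, i.e. what a client with a fixed list of schemes sees
    when it meets a value it does not know how to compare."""
    m = _SCHEME_RE.match(value)
    if not m:
        return None
    scheme, blob = m.group(1).upper(), m.group(2)
    if scheme not in _DIGESTS:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:                # binascii.Error is a ValueError
        return None
    n = _DIGEST_LEN[scheme]
    if len(raw) < n:
        return None
    return scheme, raw[:n], raw[n:]


def verify_userpassword(value, password):
    """Client-side check of a password against a fetched userPassword value.

    True/False when the value is understood, None when it is not, so a caller
    can tell "wrong password" from "unsupported hash format"."""
    parsed = parse_userpassword(value)
    if parsed is None:
        return None
    scheme, digest, salt = parsed
    candidate = _DIGESTS[scheme](password.encode("utf-8") + salt).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = make_userpassword("MD5", "correct horse")
    print(stored, verify_userpassword(stored, "correct horse"))
    print("{CRYPT}abc", verify_userpassword("{CRYPT}abc", "correct horse"))
```

Two things the trace itself makes worth noticing: because the client compares locally, the hash leaves the server on every login and the directory's ACLs must let that client read userPassword, which any sniffer on the path (as here) also gets to see; and a client that instead performs a simple bind as the user's DN hands the comparison to slapd, which understands whatever scheme it stored, so the {MD5} prefix question would not arise on the client side at all.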