Hi there,
I apologise if these questions are more Mac-related than openldap
related, but I haven't been able to find this information out on any
Mac type resources, so I'm hoping somebody here can point me in the
right direction.
- It would appear that the openldap installation that comes supplied
with MacOS X hasn't been compiled with Kerberos/GSSAPI support.
e.g. if I try to connect to our (RH9) ldap server with an
authenticated connection I get a "no worthy mechs found" error
message. So, can I compile my own ldap and use it to replace the
apple-supplied one, or will it break things?
If you want to do this, I would suggest downloading Apple's source
code of their current release (2.1.22 in 10.3.4 server) along with
BerkeleyDB and all the other parts you need. Apple has made some
changes to work better with their APIs and management software, and
if you don't include these changes, some features might not work
right.
I'd suggest against it, unless you really get in a bind. Apple (or
any other company for that matter) will be hesitant to assist you
with problems on a system where you compile your own bits.
- On a similar line, the OSX Directory Access utility has a "Use
authentication when connecting" section, allowing you to specify a
distinguished name and password to use when connecting to the ldap
server. Does anyone know how this is actually used - the 'dscl'
utility seems to get data OK, with a correct and incorrect password
set here, suggesting that it's not being used.
By default, Apple's ACLs don't block much - even the password field
is publicly accessible. Check out /private/etc/openldap/slapd.conf
for the ACL details.
I suppose what I really want is something that tells me how Apple's
system software interacts with openldap beneath, as Apple's docs seem
extremely limited in this respect.
Much of Apple's software goes through an API called OpenDirectory.
OpenDirectory can in turn use LDAP, NetInfo, SMB, or a bunch of
other authentication/directory systems. Check out the "Directory
Access" application in the Utilities for more details.
All the documentation is out there:
http://www.apple.com/server/documentation/
Check out the Open Directory Administration manual, especially.
There is also an OSX Server mailing list, where people discuss the
sorts of things we are discussing.
http://www.lists.apple.com/mailman/listinfo/macos-x-server
Hope this is helpful!
-Matt
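Editor's added example (not part of Matt's reply or Apple's shipped configuration): the two slapd.conf ACL fragments below illustrate the point about the password attribute being readable. The first is a constructed catch-all of the kind that leaves userPassword exposed to anonymous reads; the second restricts it so that an anonymous client can only use it to bind. The directive syntax is that of the OpenLDAP 2.1/2.2 slapd.conf; the specific clauses are assumptions for illustration, not a transcription of Apple's file.

```conf
# --- Permissive (constructed example of the weak pattern) ---
# A single catch-all rule grants read on every attribute, including
# userPassword, to anyone who can reach the server, bound or not.
access to *
    by * read

# --- Hardened (constructed example of the corrected pattern) ---
# slapd evaluates "access to" clauses in order and uses the first one
# whose target matches, so the userPassword rule must come first.
access to attrs=userPassword
    by self write        # a user may change their own password
    by anonymous auth    # unbound clients may only bind against it
    by * none            # nobody else can read or search it

# Everything else stays readable so lookups (e.g. dscl) keep working.
access to *
    by * read
```

A quick check against your own server, after editing and restarting slapd, is an anonymous search that asks for userPassword (for example `ldapsearch -x -H ldap://yourserver -b "dc=example,dc=com" userPassword`, with your own base DN substituted); with the hardened ACL the entries come back without the attribute, while a simple bind with the correct password still succeeds. This also explains the observation above that dscl returns data whether or not the configured password is correct: when the ACL grants anonymous read, the bind credentials make no difference to what the directory returns.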