Tuesday, August 11, 2009

Yet another OSX Server'ism

Today our Open Directory service lost its mind. At least that's what it
seemed like. Turns out what started it was a configuration change we
made a couple of days ago: we enabled SSL for LDAP via the Server Admin
tool. Turns out SSL auth is broken in OSX Server without some fixes.
It also turns out that once you click this button, local client apps
like Workgroup Manager start using SSL to communicate, and when you turn
it back off they don't stop using SSL. In other words, once you go SSL
you can't go back just by shutting it off again, so you're forced to fix
the SSL issue.

Anyway, here's what you need to do if you're having SSL issues with
Open Directory on OSX server (10.5):

Add:
olcDisallows: bind_anon
to:
/etc/openldap/slapd.d/cn\=config.ldif

then: sudo killall slapd

Also see: http://www.afp548.com/article.php?story=20071203011158936
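Here's a small shell script, added as an example and not part of the original post, that makes the cn=config.ldif edit above idempotent and lets you check the result before you kill slapd. It assumes the file you pass in holds the single "dn: cn=config" entry, as /etc/openldap/slapd.d/cn=config.ldif does on 10.5 Server; the path is an argument so you can try it on a scratch copy first.

```shell
#!/bin/sh
# Added example, not from the original post: make the cn=config.ldif edit
# idempotent and checkable before you "killall slapd".
# Assumption: the file passed in holds the single "dn: cn=config" entry, as
# /etc/openldap/slapd.d/cn=config.ldif does on 10.5 Server.

# Exit status 0 if "olcDisallows: bind_anon" is already present in FILE.
bind_anon_disallowed() {
    grep -q '^olcDisallows:[[:space:]]*bind_anon[[:space:]]*$' "$1"
}

# Ensure FILE disallows anonymous binds. Prints "present" if nothing was
# needed, "added" after inserting the attribute. The line goes directly
# after the dn: line because a blank line ends an LDIF entry, so simply
# appending to the end of the file is not safe.
ensure_bind_anon_disallowed() {
    ldif="$1"
    if bind_anon_disallowed "$ldif"; then
        echo "present"
        return 0
    fi
    tmp="${ldif}.tmp.$$"
    awk '{ print }
         /^dn:[[:space:]]*cn=config[[:space:]]*$/ && !done {
             print "olcDisallows: bind_anon"; done = 1
         }' "$ldif" > "$tmp" && mv "$tmp" "$ldif"
    echo "added"
}

# Demo on a constructed scratch copy (the real file is root-owned):
scratch=$(mktemp -d)
printf 'dn: cn=config\nobjectClass: olcGlobal\ncn: config\n' > "$scratch/cn=config.ldif"
ensure_bind_anon_disallowed "$scratch/cn=config.ldif"   # added
ensure_bind_anon_disallowed "$scratch/cn=config.ldif"   # present
rm -r "$scratch"
```

To use it for real, source the file in a root shell, call ensure_bind_anon_disallowed on /etc/openldap/slapd.d/cn\=config.ldif, then do the sudo killall slapd as above. bind_anon_disallowed is the quick yes/no check you can run afterwards (or from a monitoring script) to make sure the setting didn't get lost.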

To test on a client:
ldapsearch -v -x -W -D "uid=<auser>,cn=users,dc=<host>,dc=<domain>,dc=<com>" \
  -H ldaps://<host>.<domain>.<com> -b "dc=<host>,dc=<domain>,dc=<com>"

Replace the things in <>'s with your own information. You can run this
with and without the -D/-W user section to see whether anonymous access
is allowed.

If you're using a self-signed cert you may need to do this on the
client:

Edit:
/etc/openldap/ldap.conf

Change:
TLS_REQCERT demand
To:
TLS_REQCERT allow

From there you should be able to ping your LDAP server (make sure you
allow access through firewalls etc).
