seemed like. Turns out what started it was a configuration change we
made a couple of days ago. We enabled SSL for LDAP via the Server Admin
tool. Turns out SSL auth is broken in OSX server without some fixes.
It also turns out that once you click this button, it appears that
local client apps like Workgroup Manager start using SSL to
communicate and when you turn this back off they don't stop using SSL.
In other words, once you go SSL you can't go back just by shutting it
back off, so you're forced to fix the SSL issue.
Anyway, here's what you need to do if you're having SSL issues with
Open Directory on OSX server (10.5):
Add:
olcDisallows: bind_anon
to:
/etc/openldap/slapd.d/cn\=config.ldif
then: sudo killall slapd
Also see: http://www.afp548.com/article.php?story=20071203011158936
To test on a client:
ldapsearch -v -x -W -D "uid=<auser>,cn=users,dc=<host>,dc=<domain>,dc=<com>" -H ldaps://<host>.<domain>.<com> -b "dc=<host>,dc=<domain>,dc=<com>"
Replace the items in <>'s with your own values. Run the command both with
and without the -W -D "uid=..." part to see whether anonymous access is
still allowed.
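To check (and, if missing, add) the olcDisallows entry from the step above without editing the file by hand, here is an added example script that is not part of the original post. It assumes the cn=config LDIF layout used by OS X Server 10.5's OpenLDAP, where /etc/openldap/slapd.d/cn=config.ldif holds the "dn: cn=config" entry as plain attribute lines; the sample LDIF below is constructed for illustration.

```python
"""Check slapd's cn=config.ldif for 'olcDisallows: bind_anon' and add it if absent.

Added example (not from the original post). Assumes the cn=config LDIF layout
of OpenLDAP on OS X Server 10.5; the path below is the one the post names.
"""
import sys

LDIF_PATH = "/etc/openldap/slapd.d/cn=config.ldif"

# Constructed sample: anonymous binds WITH credentials are refused, but plain
# anonymous binds (bind_anon) are still allowed, so the fix is still needed.
SAMPLE_LDIF = """dn: cn=config
objectClass: olcGlobal
cn: config
olcDisallows: bind_anon_cred
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines


def disallowed_features(text):
    """Return the set of olcDisallows values (the attribute is multi-valued)."""
    values = set()
    for line in unfold_ldif(text):
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "olcdisallows":
            values.add(value.strip())
    return values


def anon_bind_disallowed(text):
    # Exact match: 'bind_anon_cred' or 'bind_anon_dn' alone do not block anonymous binds.
    return "bind_anon" in disallowed_features(text)


def ensure_bind_anon_disallowed(text):
    """Return the LDIF with 'olcDisallows: bind_anon' inserted after 'dn: cn=config' if missing."""
    if anon_bind_disallowed(text):
        return text
    out, inserted = [], False
    for line in text.splitlines():
        out.append(line)
        if not inserted and line.strip().lower() == "dn: cn=config":
            out.append("olcDisallows: bind_anon")
            inserted = True
    if not inserted:
        raise ValueError("no 'dn: cn=config' entry found")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else LDIF_PATH
    with open(path) as fh:
        current = fh.read()
    print("bind_anon disallowed:", anon_bind_disallowed(current))
```

Run it against a copy of the file first; after writing the amended LDIF back, slapd still has to be restarted (the sudo killall slapd step) before the change takes effect.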
If you're using a self-signed cert you may need to do this on the
client:
Edit:
/etc/openldap/ldap.conf
Change:
TLS_REQCERT demand
To:
TLS_REQCERT allow
Note that "allow" makes the client proceed even when it cannot verify the
server certificate; pointing TLS_CACERT at the server's certificate instead
keeps verification on.
From there you should be able to reach your LDAP server (make sure the
traffic is allowed through firewalls etc.).