HT4183: OS X Server: Configuring clients to use SSL for Open Directory binding
Apr 9, 2013 7:09 AM (in response to francisgomes)
I just found that when the OD is stopped and started, the SSL setting is unchecked.
Any command-line utility that I can use?
Apr 10, 2013 6:31 AM (in response to francisgomes)
You'll need to use the camera icon to get the picture loaded to the forums; I don't see anything shown.
To get the certificate accepted by the client, you can choose to enable trust for the certificate when each client first connects (that trust setting is available in the SSL/TLS connection pop-ups), or you can establish your own certificate chain and load the root public key into each client (via provisioning or various other means) or you can purchase a certificate that already has the root public certificate in the keychains of your various devices.
The first — trusting the cert — is the easiest. On a local network with local servers, granting that trust is not usually an issue. With remote servers, you might not be connected to the server you think you're connected to, so this can be subverted.
Setting up a certificate authority (CA) is entirely feasible, but takes a little rummaging in the certificate tools, and you're then responsible for maintaining the root certificate private keys and any intermediate certificate private keys securely. You do need a trusted way to get the root certificate public key onto each client, as that root cert is a form of a "master key" for secured network connections.
Buying the cert is cheap and easy, though you're outsourcing your security to the root certificate authority. You're already outsourcing a whole lot of that to the root certificate authorities, so... There's no encryption-level difference between a private certificate chain and a public (purchased) certificate chain.
As for Open Directory and SSL, if Open Directory is doing something wonky, I'd first check the certificate involved to ensure it's still valid and correct, and I'd then check DNS. (DNS services and digital certificates are two sides of the same coin. SSL/TLS and certificates require correct and functional DNS.) To verify the OS X Server DNS settings, launch Terminal.app from the Applications > Utilities folder and issue the non-destructive, no-changes-made, diagnostic command:
sudo changeip -checkhostname
which will display some information and then an indication that DNS is correct and valid and no changes are needed, or some information on the problem(s) it may have detected.
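The second option above (establishing your own certificate chain) in working form, as an added example that is not part of the original post and not Apple's or OS X Server's own tooling: a POSIX shell script that builds a private root CA with OpenSSL, issues a server certificate whose subject alternative name is the Open Directory server's DNS name, and then verifies the chain and the hostname the way a client would. The hostname od.example.internal and the temporary directory are constructed for the example; `openssl verify -verify_hostname` needs OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example: private CA -> server cert -> chain + hostname verification.
# Assumption: the OD server's forward/reverse-consistent DNS name (the one
# `changeip -checkhostname` reports) is passed as $2; "od.example.internal"
# below is a made-up name for the demo.
set -eu

# build_chain DIR HOSTNAME: creates ca.key/ca.crt and server.key/server.crt in DIR.
build_chain() {
  dir=$1; host=$2
  mkdir -p "$dir"
  # Explicit config so the system openssl.cnf plays no part in which
  # extensions end up in the root certificate.
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Leaf profile: not a CA, TLS server usage, SAN = the server's DNS name.
  # Clients match the name they connected to against the SAN, so it must be
  # the exact name the clients bind to.
  cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  # Self-signed root (this private key is the "master key" to protect).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  # Server key + CSR, then sign the CSR with the root, applying v3_server.
  openssl req -newkey rsa:2048 -nodes -config "$dir/server.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 730 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.cnf" -extensions v3_server \
    -out "$dir/server.crt" >/dev/null 2>&1
}

# verify_server CA_CERT SERVER_CERT HOSTNAME: prints "ok" when the certificate
# chains to CA_CERT and its SAN matches HOSTNAME, "fail" otherwise. This is the
# same two checks a client performs when it binds over SSL/TLS.
verify_server() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Demo: run as `sh thisscript.sh demo`.
if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  build_chain "$work" od.example.internal
  verify_server "$work/ca.crt" "$work/server.crt" od.example.internal     # ok
  verify_server "$work/ca.crt" "$work/server.crt" wrong.example.internal  # fail
  echo "root to distribute to clients: $work/ca.crt"
fi
```

Only ca.crt (the public root) goes to the clients; on a Mac that is done by adding it to the System keychain as a trusted root (for example with `security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt`), or via a profile. The hostname mismatch case is the one worth noticing: a certificate that is perfectly valid for the name in its SAN still fails when clients bind to a different name or to a bare IP, which is why the DNS check belongs in the same troubleshooting pass as the certificate check.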
Apr 16, 2013 9:35 AM (in response to MrHoffman)
MrHoffman, thank you for taking the time to write a detailed reply. My primary issue was that I was unable to use a secured connection to the Open Directory server.
My DNS setting was correct; I had checked with the changeip command as well as the Network Utility app. I could resolve the local domain name to my IP as well as the reverse (IP to name). My certificate (self-signed) was valid for two years in the Server app. I had assigned all apps to use the same certificate.
I was able to connect to the server from my Mac Pro (with the expected notification that the certificate is not trusted), but I also got a second notification saying that the connection is not secured and is a potential harm to my computer. So I went to my server and, in Directory Utility on the server, I set SSL to on. When I have this setting on, I am unable to log in from the Mac Pro (client). On the server side, in Directory Utility, I was unable to browse the LDAP records either, if I remember right.
The reason I am using the past tense in replying to you is that I have since reverted to Lion and decided not to use the iMac as a server. I re-installed all the software fresh.