May 1, 2013 1:17 AM (in response to RCuller)
The LDAP client doesn't use the keychain. It's based on the standard OpenLDAP system and it works the way OpenLDAP works.
For SSL connections, you'll have to install certificates manually, by using a shell script for example.
Here is what I do on each client (with a bash script), assuming you have the correct certificate format:
1) download the certificate
$> cd /path/to/cert/dir/ # for example /etc/openldap/Certs, that you should create
$> sudo curl -o OD_ca.pem http://server.ici.ch/ca.pem
(where http://server.ici.ch/ca.pem is the address of your certificate)
2) obtain the hash
$> sudo openssl x509 -hash -noout -in OD_ca.pem
3) create a symlink of the certificate
$> sudo ln -s OD_ca.pem 12345678.0
(where 12345678.0 is the result of the previous command)
4) modify the ldap.conf
$> sudo vim /etc/openldap/ldap.conf
ldapsearch -v -x -H ldaps://server.ici.ch
For more info, google the different parts and check the Apple KB:
Have fun!
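The four steps above collected into one script, as an added example (not nicolas michel's own script): it assumes the CA file is already on disk with its fingerprint checked out of band, that the OpenSSL CLI is present, and that ldap.conf takes OpenLDAP's TLS_CACERTDIR directive (the post's ldap.conf change is not shown, so that is an assumption). It goes a little beyond the post by also creating the old-style hash link that OpenSSL 0.9.8 clients (Mac OS X 10.6) look for.

```shell
#!/bin/sh
# Added example: installs a PEM CA cert the way the post describes
# (<hash>.0 symlink in a cert dir) and points ldap.conf at that dir.
set -eu

# Copy the CA into cert_dir and create the hashed symlink OpenLDAP looks
# up when TLS_CACERTDIR is set. Prints the link name it created.
install_ldap_ca() {
  ca_pem="$1"; cert_dir="$2"
  mkdir -p "$cert_dir"
  # Refuse anything that does not parse as an X.509 certificate.
  openssl x509 -noout -in "$ca_pem" >/dev/null
  base=$(basename "$ca_pem")
  cp "$ca_pem" "$cert_dir/$base"
  h=$(openssl x509 -hash -noout -in "$ca_pem")      # step 2 of the post
  ln -sf "$base" "$cert_dir/$h.0"                    # step 3 of the post
  # OpenSSL 0.9.8 (Mac OS X 10.6) hashes subjects differently; add that
  # link too when this openssl can compute it, so either client works.
  if old=$(openssl x509 -subject_hash_old -noout -in "$ca_pem" 2>/dev/null) \
     && [ "$old" != "$h" ]; then
    ln -sf "$base" "$cert_dir/$old.0"
  fi
  echo "$h.0"
}

# Step 4: set TLS_CACERTDIR in ldap.conf (idempotent, replaces an old line).
set_tls_cacertdir() {
  conf="$1"; cert_dir="$2"
  touch "$conf"
  grep -v '^TLS_CACERTDIR' "$conf" > "$conf.tmp" || true
  printf 'TLS_CACERTDIR %s\n' "$cert_dir" >> "$conf.tmp"
  mv "$conf.tmp" "$conf"
}

# Check: the link must resolve and the file behind it must hash back to
# the link's own name, which is what OpenLDAP relies on at connect time.
verify_ldap_ca() {
  cert_dir="$1"; link="$2"
  [ -L "$cert_dir/$link" ] || return 1
  [ "$(openssl x509 -hash -noout -in "$cert_dir/$link")" = "${link%.0}" ]
}
```

After running it, the same `ldapsearch -v -x -H ldaps://...` from the post is the end-to-end check that the client now trusts the server's chain.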
May 2, 2013 2:08 PM (in response to nicolas michel)
Thanks for the detailed reply. However, I followed those steps to no avail. That shouldn't be necessary according to the documentation referenced, "OS X Lion clients will automatically use SSL and import the necessary certificate when binding to an Open Directory server that supports it." And my client is also 10.8.3. But I did try anyway.
I'm incredibly frustrated at this point. I deleted all the self signed certificates and changed the host name so I could start with a clean slate. Then I broke down and paid for a trusted certificate and it is behaving the exact same way.
From the client, openssl s_client -connect myServerName:636 -showcerts shows the correct certificate.
I can connect using ldapsearch -v -x -H ldaps://server, but when I go to User Preferences, Login Options and try to bind to the Open Directory I get the same response. "This server does not provide a secure(SSL) connection. Do you want to continue?" And netstat shows the connection as ldap, not ldaps.
May 3, 2013 12:05 AM (in response to RCuller)
Sorry, my OD is 10.6; I'm not aware of the new changes.
What I suppose is that your certificate is correctly set, as ldapsearch works.
I have no idea where the problem is at this step.
Try to increase the log level of the OD server with odutil
( Usage: odutil set log [default | alert | critical | error | warning | notice | info | debug] )
Then try to bind your client with the command line, as in some cases the error message is more explicit:
sudo dsconfigldap -fsx -a $serverName -n $serverName -u $adminName -p "$adminPWD" -c "$computerName"
$serverName is the OD FQDN, $adminName is an OD full admin username, the password is in clear text and $computerName is the name of the client (scutil --get ComputerName)
Then fix the authentication search policy in Directory Utility (the command line is not really explicit and it doesn't concern your point).
As your client has presumably been used for multiple tests, you should try to bind another Mac, or try to delete the /Library/Preferences/OpenDirectory folder on the client and then restart, to avoid config conflicts.