HT202285: Use Profile Manager or Wiki service with Active Directory or third-party LDAP services

madoser

Q: OSX 10.9 Server - How do I use a 3rd Party LDAP for Authentication for Profile Manager and Mobile Accounts?

I can see the users. I even figured out how to change the directory info in workgroup manager and Directory Utility. I want to bind into my osx server and have it get the password from my LDAP so I can login and use OSX Services like Mobile Accounts and Profile Manager. Does anyone have any tips on this?

OS X Server

Posted on Dec 23, 2014 2:58 PM

  • by datasmith, Level 1 (49 points), Servers Enterprise, Dec 24, 2014 11:03 AM, in response to madoser

    I set up a mail server (Kerio Connect) to authenticate with the LDAP server in 10.9 Server, so I can tell you what works for Kerio.

    The host name is the fully qualified name of the 10.9 server

    The user name is

    uid=diradmin,cn=users,dc={servername},dc={domain},dc=com

    Note that I use diradmin as the master admin for Open Directory. To duplicate my efforts, replace the {} brackets and the data inside with your data.

    The search suffix is a parsing of the fully qualified name.

    If the FQN is server.domain.com, the search suffix would be

    dc=server,dc=domain,dc=com
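    The reply above gives one concrete bind DN and search suffix. As an added example (not code from the thread, Kerio or Apple), the following Python builds both from any fully qualified server name, not just three-label ones, and escapes RDN values per RFC 4514 so that an account name containing a comma or other special character cannot change the shape of the DN. The hostnames, the helper names and the LDAPS port are assumptions for illustration.

```python
"""Build the Open Directory bind DN and search base the way the reply
describes: one dc= component per label of the server's fully qualified name.

Added example, not from the original thread. Hostnames, helper names and the
port are constructed/assumed values.
"""
from typing import List


def dn_escape(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514, so a uid such as
    'dir,admin' cannot inject an extra RDN into the bind DN."""
    # Backslash first, then the other special characters.
    escaped = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        escaped = escaped.replace(ch, "\\" + ch)
    if escaped.startswith(" ") or escaped.startswith("#"):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def search_base(fqdn: str) -> str:
    """dc=server,dc=domain,dc=com for server.domain.com (any label count)."""
    labels: List[str] = [
        lbl for lbl in fqdn.strip().rstrip(".").lower().split(".") if lbl
    ]
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified name: {fqdn!r}")
    return ",".join(f"dc={dn_escape(lbl)}" for lbl in labels)


def bind_dn(fqdn: str, uid: str = "diradmin", container: str = "users") -> str:
    """uid=<uid>,cn=users,<search base>: the Open Directory admin DN form."""
    if not uid:
        raise ValueError("uid must not be empty")
    return f"uid={dn_escape(uid)},cn={dn_escape(container)},{search_base(fqdn)}"


def ldap_settings(fqdn: str, uid: str = "diradmin") -> dict:
    """Settings a third-party service (Kerio in the reply) asks for:
    host, bind DN and search base. Port 636 (LDAPS) is an assumption."""
    return {
        "host": fqdn.strip().rstrip(".").lower(),
        "port": 636,  # assumption: LDAP over TLS, so the bind password is not sent in clear
        "bind_dn": bind_dn(fqdn, uid),
        "search_base": search_base(fqdn),
    }


if __name__ == "__main__":
    # Constructed hostname, matching the reply's example.
    for key, value in ldap_settings("server.domain.com").items():
        print(f"{key}: {value}")
```

    Running it prints the host, port, bind DN and search base for server.domain.com; feeding a bare hostname such as localhost raises ValueError rather than producing a one-component base.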

  • by John Lockwood, Level 6 (9,379 points), Servers Enterprise, Jan 2, 2015 8:48 AM, in response to madoser

    Profile Manager requires that the Mac server running Profile Manager also be an Open Directory server. However it is still possible to bind the Mac running Profile Manager to other directory servers as well. It will then search for user accounts to authenticate in the search order you define in Directory Utility.

    By the way, you cannot 'get' a password from Open Directory. Literally, the password is not stored anywhere. When a user is authenticating against an Open Directory account, the user types in their password; their Mac then encodes the password, and the encoded version is compared against the stored encoded version in the Open Directory server. This encoding, however, is a one-way process: you can encode a password and compare the encoded version, but you cannot decode the encoded version back to the password. To 'crack' a password you would have to try encoding every possible password and compare each until you get a match, and clearly this would take so long as to be impractical.
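    The verify-by-re-encoding scheme the reply describes, as an added example in Python (not code from the thread and not Apple's Open Directory implementation, whose hash formats are not reproduced here). It stores only a random per-user salt and a PBKDF2-HMAC-SHA256 digest, so there is no password string anywhere to 'get', and authentication re-encodes the typed password and compares digests in constant time. The iteration count and the credential record layout are assumptions for illustration.

```python
"""One-way password storage and verification by re-encoding.

Added example, not from the thread or from Open Directory. The work factor
and the StoredCredential layout are constructed for this demonstration.
"""
import hashlib
import hmac
import os
from typing import NamedTuple

ITERATIONS = 200_000  # assumption: work factor chosen for this example


class StoredCredential(NamedTuple):
    """What the directory keeps: never the password, only salt + digest."""
    salt: bytes
    digest: bytes
    iterations: int


def encode_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the stored form. There is deliberately no decode counterpart:
    the only way to check a password is to run this again and compare."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> StoredCredential:
    """Enrol a password: fresh random salt, then encode once."""
    salt = os.urandom(16)
    return StoredCredential(salt, encode_password(password, salt), ITERATIONS)


def verify_password(candidate: str, stored: StoredCredential) -> bool:
    """Authenticate as the reply describes: encode what the user typed with
    the stored salt and compare to the stored digest (constant time, so the
    comparison itself leaks nothing about how many bytes matched)."""
    attempt = encode_password(candidate, stored.salt, stored.iterations)
    return hmac.compare_digest(attempt, stored.digest)


def same_password_same_digest(password: str) -> bool:
    """Show why the per-user salt matters: two enrolments of the same
    password produce different stored digests, so a stolen digest from one
    account says nothing about another account with the same password."""
    first = store_password(password)
    second = store_password(password)
    return first.digest == second.digest


if __name__ == "__main__":
    # Constructed sample password for the demonstration only.
    cred = store_password("correct horse battery staple")
    print("stored salt (hex):  ", cred.salt.hex())
    print("stored digest (hex):", cred.digest.hex())
    print("right password ->", verify_password("correct horse battery staple", cred))
    print("wrong password ->", verify_password("Correct horse battery staple", cred))
    print("same password, same digest? ->", same_password_same_digest("hunter2"))
```

    The StoredCredential holds nothing a service could hand back as the plaintext, which is why binding a third-party LDAP consumer to Open Directory means delegating the comparison to the directory rather than fetching the password from it.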