pvlvsk

Q: Third-party LDAP Authentication in Profile Manager

Hello,

we have set up LDAP Authentication against our Ubuntu OpenLDAP Server, which works fine for all services except Profile Manager. I can't see groups or users in the PM web UI. Login under server.local/mydevices isn't working either.

The log says "missing externalID" oder "[user] not found" when an LDAP user tries to log in to mydevices.

Unfortunately this doesn't help either:

OS X Server: Using the Profile Manager or Wiki service with Active Directory or third-party LDAP services - Apple Suppor…

I appreciate your help.

Thank you

OSX Server 5.0.15 on El Capitan 10.11.2

Posted on Dec 22, 2015 5:53 AM

  • by pvlvsk, Level 1 (4 points)
    Jan 2, 2016 3:00 AM in response to pvlvsk

    Is there anyone who can help me with this?

    Thank you!

  • by FromOZ, Level 3 (545 points)
    Jan 2, 2016 4:12 AM in response to pvlvsk

    Hi - is your server running in German?

    The log says "missing externalID" oder "[user] not found" when an LDAP user tries to log in to mydevices.

    Is the 'oder' German for 'or'?

    Have you looked at the log of OpenLDAP on the Ubuntu box when you attempt to log in?

    You can also look at the system accounts on your OS X Server 5.x install by choosing 'View > Show System Accounts' from the menu. Perhaps there is a specific (system) account that has to speak between the OS X and Ubuntu systems.

    HTH

  • by pvlvsk, Level 1 (4 points)
    Jan 2, 2016 8:59 AM in response to FromOZ

    FromOZ wrote:

    Hi - is your server running in German?

    The log says "missing externalID" oder "[user] not found" when an LDAP user tries to log in to mydevices.

    Is the 'oder' German for 'or'?

    Have you looked at the log of OpenLDAP on the Ubuntu box when you attempt to log in?

    You can also look at the system accounts on your OS X Server 5.x install by choosing 'View > Show System Accounts' from the menu. Perhaps there is a specific (system) account that has to speak between the OS X and Ubuntu systems.

    HTH

    Yes, it's running in German, sorry.

    The problem is, as I said, that the server itself connects to the LDAP directory without problems. I can see users and, for example, I can authenticate users for the SMB service. But in Profile Manager I see only local server accounts and no LDAP users.

    I will check the LDAP log soon. Here is the error which comes in system.log of the OS X Server when an LDAP user tries to log in to xxx.local/mydevices:


    Jan  2 17:50:59 mdm com.apple.xpc.launchd[1] (com.apple.collabd.preview[46846]): Service exited with abnormal code: 65
    Jan  2 17:51:02 mdm collabd[46765]: [CSServiceDispatcher.m:261 21d000 +11ms] Caught exception "Missing externalID" [CSAuthServiceError] executing [http]Request{AuthService.validateUsername:andPassword:remember:(<<scrubbed>>)} :
      (
      0   CoreFoundation                      0x00007fff85e8cae2 __exceptionPreprocess + 178
      1   libobjc.A.dylib                     0x00007fff9589273c objc_exception_throw + 48
      2   CSService                           0x0000000108436975 -[CSAuthService updateCurrentSessionWithExternalID:remember:] + 1755
      3   CSService                           0x0000000108430739 -[CSAuthService sessionForUsername:andPassword:remember:] + 565
      4   CSService                           0x0000000108430469 -[CSAuthService validateUsername:andPassword:remember:] + 73
      5   CoreFoundation                      0x00007fff85d5717c __invoking___ + 140
      6   CoreFoundation                      0x00007fff85d56fce -[NSInvocation invoke] + 286
      7   CSService                           0x00000001083b008e -[CSServiceDispatcher executeRequest:asPartOfBatch:usingServiceImpl:] + 4567
      8   CSService                           0x00000001083b0c14 __43-[CSServiceDispatcher executeBatchRequest:]_block_invoke_3 + 83
      9   CSService                           0x00000001083b58bc -[NSArray(CollabBlockMethods) map:] + 249
      10  CSService                           0x00000001083b0b6d __43-[CSServiceDispatcher executeBatchRequest:]_block_invoke_2 + 160
      11  CSService                           0x00000001083b5f99 +[CSExecutionTimer recordTime:ofBlock:] + 76
      12  CSService                           0x00000001083b5dd2 +[CSExecutionTimer timerNamed:aroundBlock:] + 76
      13  CSService                           0x00000001083b08bd __43-[CSServiceDispatcher executeBatchRequest:]_block_invoke + 323
      14  PostgreSQLClient                    0x0000000108306ec4 -[PGCConnection transactionInBlock:onError:] + 157
      15  CSService                           0x00000001083b06f3 -[CSServiceDispatcher executeBatchRequest:] + 277
      16  CSService                           0x0000000108424124 +[CSServiceDispatchHTTPRouter routeServiceRequest:response:] + 594
      17  CSService                           0x00000001083b680f __21-[CSServiceBase init]_block_invoke_6 + 48
      18  CSService                           0x0000000108421757 __53-[CSRoutingHTTPConnection httpResponseForMethod:URI:]_block_invoke + 110
      19  CSService                           0x00000001084246c9 -[CSHTTPBackgroundResponse bounce:] + 284
      20  Foundation                          0x00007fff955b6c6f __NSThread__start__ + 1351
      21  libsystem_pthread.dylib             0x00007fff8961bc13 _pthread_body + 131
      22  libsystem_pthread.dylib             0x00007fff8961bb90 _pthread_body + 0
      23  libsystem_pthread.dylib             0x00007fff89619375 thread_start + 13

  • by Leopardus, Level 4 (1,122 points), Desktops
    Jan 3, 2016 5:05 AM in response to pvlvsk

    Good day,

    Profile Manager requires that the Mac server running Profile Manager also be an Open Directory server. However it is still possible to bind the Mac running Profile Manager to other directory servers as well. It will then search for user accounts to authenticate in the search order you define in Directory Utility.

    (With compliments to John Lockwood)

    Kind regards

    Leo

  • by pvlvsk, Level 1 (4 points)
    Jan 4, 2016 5:29 AM in response to Leopardus

    Yes, the Mac server is running Open Directory (with just one user); all other users are fetched from our OpenLDAP. In Directory Utility the OpenLDAP server is on top of the search paths.

    So all is working fine except Profile Manager...

    (Attached screenshots: Bildschirmfoto 2016-01-02 um 17.49.31.png, Bildschirmfoto 2016-01-02 um 17.49.57.png, Bildschirmfoto 2016-01-04 um 14.27.42.png)

  • by pvlvsk, Level 1 (4 points)
    Jan 19, 2016 7:41 AM in response to pvlvsk

    So I assume there is no one who has had success using OSX Server with OpenLDAP accounts for Profile Manager. Sad...

  • by Leopardus, Level 4 (1,122 points), Desktops
    Jan 19, 2016 10:06 AM in response to pvlvsk

    Maybe it works with simply 'localhost' in first place? I'm not sure myself, because I had only tried it together with AD. There I had the AD in second place.

    Leo

  • by Blaidd Drwg, Level 1 (109 points), marked Helpful
    Jan 19, 2016 11:06 PM in response to pvlvsk

    It can be made to work, but not with the default RFC2307 mappings, since there is no GeneratedUID. Profile Manager (and a lot of other stuff in OS X) wants a GeneratedUID for each user and group.

    On the Mac side, you need to add a mapping for GeneratedUID in Users and Groups to some attribute in LDAP. On the LDAP server, you need to decide which attribute to use that can store a unique GUID for each user and group. OpenLDAP has an entryUUID operational attribute which you could use pretty easily; it's already populated with a unique GUID for each user and group, but you need to make it readable and indexed. Maybe run that by an OpenLDAP master before you do that. Alternatively, use another attribute or extend your schema with the Apple schema.

    Once you decide what attribute to map GeneratedUID to, configure one Mac manually with the custom mappings with Directory Utility, then save a template file plist. Then ldapadd a record in LDAP like this:

    dn: ou=macosxodconfig,dc=ldap,dc=example,dc=com
    ou: macosxodconfig
    objectClass: organizationalUnit
    objectClass: top
    description:< file:///home/admin/MyTemplate.plist

    Edit the search base (dc=ldap...) as needed. "MyTemplate.plist" is the file you saved from Directory Utility. With this record in LDAP, any Macs you bind to LDAP in the future will find this record and automatically configure the custom mappings.
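    Blaidd Drwg's point that every user and group needs a readable, well-formed and unique GUID can be verified before the GeneratedUID mapping is changed in Directory Utility. The script below is an added example, not code from this thread, Apple or OpenLDAP: it parses an `ldapsearch -LLL ... entryUUID` LDIF export (a constructed sample with assumed DNs under `dc=example,dc=com` is embedded) and reports entries whose entryUUID is missing, malformed, or shared with another entry.

```python
# Added example, not from the thread: audit an `ldapsearch -LLL ... entryUUID` export for
# the GeneratedUID prerequisite (each user/group needs a readable, well-formed, unique UUID).
import base64
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

SAMPLE_LDIF = """\
dn: uid=utest,ou=people,dc=example,dc=com
entryUUID: 6c819426-cf47-1031-8a29-
 0b08975019c1

dn: uid=nouuid,ou=people,dc=example,dc=com
objectClass: posixAccount

dn: cn=mdm-users,ou=groups,dc=example,dc=com
cn:: bWRtLXVzZXJz
entryUUID: 6c819426-cf47-1031-8a29-0b08975019c1

dn: cn=bad,ou=groups,dc=example,dc=com
entryUUID: not-a-uuid
"""  # constructed sample; a real run feeds the ldapsearch output instead


def parse_ldif(text):
    """One {attr: [values]} dict per entry; unfolds folded lines, decodes `attr::` base64."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def check_entry_uuids(ldif_text):
    """Report DNs whose entryUUID is missing, malformed, or shared with another DN."""
    missing, malformed, dupes, seen = [], [], [], {}
    for e in parse_ldif(ldif_text):
        dn, vals = e.get("dn", ["?"])[0], e.get("entryuuid", [])
        if not vals:
            missing.append(dn)
        elif not UUID_RE.match(vals[0]):
            malformed.append(dn)
        elif vals[0].lower() in seen:  # same GUID on two entries breaks identity
            dupes.append((dn, seen[vals[0].lower()]))
        else:
            seen[vals[0].lower()] = dn
    return {"missing": missing, "malformed": malformed, "duplicates": dupes}
```

    An empty "missing" list from a real export also confirms that the bind identity the Mac uses can actually read entryUUID, which is the readability requirement mentioned above.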

  • by pvlvsk, Level 1 (4 points)
    Jan 19, 2016 11:11 PM in response to Blaidd Drwg

    YES!!! Blaidd Drwg, thank you! I mapped the GUID to entryUUID in Directory Utility and now an LDAP user can log in to the /mydevices page. But the problem now is that Profile Manager says that this user doesn't have permission to access this page...

    profilemanager.log

    The logged in user does not have permission to access the user portal ({"succeeded"=>"true", "longName"=>"User Test", "uid"=>"6c819426-cf47-1031-8a29-0b08975019c1", "generated_uid"=>"6c819426-cf47-1031-8a29-0b08975019c1", "shortName"=>"utest", authed_at=>1453273211, auth_token=[FILTERED]>[FILTERED]})

    Also the LDAP users are still not there in Profile Manager under "users"...

  • by pvlvsk, Level 1 (4 points)
    Jan 20, 2016 12:00 AM in response to pvlvsk

    I know these problems were solved with Workgroup Manager in the past, but there isn't such a tool now in the Server 5 app... And Profile Manager isn't in the "Access to services..." menu when I edit a user in Server App... I tried to add an LDAP user to the "workgroup", but still no luck.

  • by Leopardus, Level 4 (1,122 points), Desktops
    Jan 20, 2016 1:55 AM in response to pvlvsk

    It should be possible to create LDAP groups in OS X Server's Open Directory Service and populate these proxy groups with Groups/Users from your OpenLDAP accounts. Use the LDAP groups that you created to provide access to services and data.

    Leo

  • by Leopardus, Level 4 (1,122 points), Desktops
    Jan 20, 2016 2:40 AM in response to pvlvsk

    Your server must be bound to the OpenLDAP and the server (OS X) must be promoted to be the master. To create the proxy group in OS X Server:

    1. Open Server.app
    2. Select Groups in the left side column
    3. Set the Groups to Local Network Groups. It is the Open Directory groups container.
    4. Select the + button for the New Group pane.
    5. Enter the Full Name for the group indicating what OS X Group this should be, maybe starting with a unique character so that this will not conflict with an existing group in your OpenLDAP
    6. Tab to allow autocomplete in the Group Name
    7. Click OK

    You now have an Open Directory group on a server that is bound to your OpenLDAP server. You only have to populate this group with the respective OpenLDAP users:

    1. Double click on your new Group Name to select and open it.
    2. Locate the Members field and click on +
    3. This will create a new entry. Start to type a few characters and the names will start to appear so you can select the appropriate user.
    4. Repeat for each user or group that you want to include in the OS X Server LDAP group that you created.
    5. Remember to add Keywords if needed, and Notes to remind you some months down the line of why you did what.
    6. Of course, if there are a lot of users to add, select Window => Show Accounts Browser in the menu, select all the users you want, and then drag them to the Members window.
    7. Press the OK button.

    You can define access by selecting Edit Access to Services on the Gear selection as required.

    Leo

    (With Compliments to Reid)

  • by pvlvsk, Level 1 (4 points)
    Jan 20, 2016 2:58 AM in response to Leopardus

    Leo,

    yes, I created a proxy group named mdm-users and put an OpenLDAP user within. Unfortunately the group membership is only shown in the Server app, but not in Profile Manager. The user can't log in either, or rather gets this permission error...

    (Attached screenshots: Bildschirmfoto 2016-01-20 um 11.50.59.png, Bildschirmfoto 2016-01-20 um 11.50.32.png)

  • by Leopardus, Level 4 (1,122 points), Desktops
    Jan 20, 2016 3:25 AM in response to pvlvsk

    Just to confirm, did you edit the mdm-users permissions to allow group members access to the portal?

    You will find that when you log in as an Admin under About / Uber. There you will have to grant access and login rights to the group.

    Leo
