
Q: Profile Manger and external LDAP

Hello everybody,

I have a strange problem with 10.11 and Server 5.0.15.

- I have bound the server to an external OpenLDAP server.
- After making changes in Directory Utility (mapping GeneratedUID to uidNumber) I can also see the users in Server.app.
- I can also browse the users in Directory Utility.
- I can run "id testuser" in Terminal.
- I can log in with a user on the Wiki page.
- But I don't see the users in the Profile Manager admin web page (http://<fqdn>/profilemanager).
- When logging in on MyDevices (http://<fqdn>/mydevices) the authentication passes, but a message appears that the user doesn't have the rights to access this page > it first has to be activated in Profile Manager.

I have compared the LDAP entries and the output of "dscl read" in Terminal between a working local account and a not-working LDAP account, but couldn't resolve it.

Any ideas how to configure Profile Manager to see and use the LDAP accounts?

Posted on Dec 22, 2015 1:46 PM


  • Blaidd Drwg (Level 1, 109 points), Dec 22, 2015 2:52 PM, in response to testetstsst [Helpful]

    Profile Manager wants a unique GeneratedUID for each user and group. The GeneratedUID must be a GUID. UniqueID (usually mapped to uidNumber) is not a GUID, so it is unsurprising that mapping GeneratedUID to uidNumber failed.

    Each user and group should have an attribute that is populated with a unique GUID (in string form). That attribute should be indexed on the LDAP server. The attribute should be visible to bound clients. The clients should have their GeneratedUID mapped to that attribute.

    OpenLDAP has an entryUUID operational attribute that is a GUID. You could potentially use that. Or use some other unused attribute that can store a GUID. Or extend your schema and add the apple-generateduid attribute.

  • testetstsst (Level 1, 0 points), Dec 22, 2015 2:59 PM, in response to Blaidd Drwg

    Thanks a lot for that tip. I have read about that in another forum.

    I have also tried it with a generatedUID like "#12345678-1234-1234-1234567$uidNumber$" in Directory Utility, which gives me a unique ID for every user when checking with dscl.

    But with this setting the authentication itself failed on MyDevices with "username or password false", which was not the case when mapping it to uidNumber itself.

    I will have a look at the LDAP server to see whether it sends an entryUUID.

    I have found one entry like smbUID (or something like that; no access to the server right now), but the format was like 1-123-1234-1-1234-12,

    so not like the Mac UID format. Does the format for that generatedUID have to be like the Mac blocks, or could it also be formatted completely differently?

  • testetstsst (Level 1, 0 points), Dec 28, 2015 4:40 AM, in response to testetstsst

    So, further information:

    - The field the LDAP server provides is called "sambaSID" and is in the format: S-1-1-12-1234567890-1234567890-1234567890-12345
    - Mapped that sambaSID to the GeneratedUID, switched LogLevel to debug and tested, but it didn't work
    - In the log file this line appears:

    SQL State = 22P02;
    errorMessage = "Error: invalid input syntax for uuid: S-1-1-12-1234567890-1234567890-1234567890-12345

    Any ideas how to find out the correct format for the UUID? I will be looking with Postgres to find out the right syntax.

  • pvlvsk (Level 1, 4 points), May 18, 2016 1:13 AM, in response to testetstsst

    Hello testetstsst,

    did you find a solution for this problem? I have the same problem with Server El Capitan and an external Ubuntu OpenLDAP server.

    Thank you!

  • testetstsst (Level 1, 0 points), May 18, 2016 2:19 AM, in response to pvlvsk

    Unfortunately not.

    Most progress was with "#12345678-1234-1234-1234567$uidNumber$" mapped as GeneratedUID, but with this too "wrong format" appeared in the logs.

    I have created the users (not so many) in the Open Directory on the server itself again ... maybe I'll try again in a few months.

    Maybe someone struggling with the same problem has a solution for it.

    Maybe you can extend the schema on your Ubuntu OpenLDAP to provide the generatedUID directly. Unfortunately I have no admin access to the LDAP server in my case, so I can't try this.

    https://tools.ietf.org/html/rfc4530

  • pvlvsk (Level 1, 4 points), May 18, 2016 2:30 AM, in response to testetstsst

    YES!!! Blaidd Drwg, thank you! I mapped the GUID to entryUUID in Directory Utility and now an LDAP user can log in to the /mydevices page. But the problem now is that Profile Manager says this user doesn't have permission to access this page...

    profilemanager.log

    The logged in user does not have permission to access the user portal ({"succeeded"=>"true", "longName"=>"User Test", "uid"=>"6c819426-cf47-1031-8a29-0b08975019c1", "generated_uid"=>"6c819426-cf47-1031-8a29-0b08975019c1", "shortName"=>"utest", authed_at=>1453273211, auth_token=[FILTERED]>[FILTERED]})

    Also the LDAP users are still not there in Profile Manager under "Users"...

    I'm stuck on this (my thread from last year)... when I map the GUID to entryUUID, I can "successfully" log in to the /mydevices page, at least in the logs, though the user has no rights to display the page. In Profile Manager I can't see any of the LDAP users; in the Server app they are there...

    Frustrating...

  • testetstsst (Level 1, 0 points), May 18, 2016 2:45 AM, in response to pvlvsk

    There must be another issue. Maybe search the logs more deeply.

    The same thing happened in my situation: in Server.app the users were shown, in Profile Manager not.

    Looking further in the logs, the "wrong format" message showed up ...

    What you can test:

    Create a "local" group in the OD of the server and put a local OD user in it.
    Have a look in Profile Manager to see whether the group and user appear.
    Then put in a user from the remote LDAP server. In my situation the group disappeared from Profile Manager, with an error in the log again ...

  • pvlvsk (Level 1, 4 points), May 19, 2016 1:08 AM, in response to testetstsst

    Hello,

    thank you for the help. In my case the group stays in Profile Manager, but shows only the local OD users, not the ones from LDAP...

    These are outputs from the logs:

    Starting sync of user query <DMODQueries 0x7fa752e60590> search_type = 1, attribute = 'dsAttrTypeStandard:GeneratedUID', match_type = 8193, query_values = [0B5CB2A0-86F7-40B1-A580-D0BD121E4E0E]

    0:: [217] [2016/05/19 09:52:59.372] Unable to sync user records: *** -[__NSArrayM insertObject:atIndex:]: object cannot be nil

  • pvlvsk (Level 1, 4 points), May 19, 2016 1:17 AM, in response to pvlvsk

    1:: [217] [2016/05/19 09:52:58.929] Active authentication node: /Local/Default

    1:: [217] [2016/05/19 09:52:58.929] Active authentication node: /LDAPv3/127.0.0.1

    1:: [217] [2016/05/19 09:52:58.929] Active authentication node: /LDAPv3/10.2.20.251

    1:: [217] [2016/05/19 09:52:58.931] Preparing to sync required users and groups

    1:: [217] [2016/05/19 09:52:58.994] -[DMODSyncRunner _syncGroupODRecords:syncMode:createActive:state:]: Processed 1 group records (synced 1)

    1:: [217] [2016/05/19 09:52:59.002] -[DMODSyncRunner _syncGroupODRecord:createActive:syncMode:syncState:]: Querying OD for 2 new users and groups

    1:: [217] [2016/05/19 09:52:59.063] -[DMODSyncRunner _syncGroupODRecords:syncMode:createActive:state:]: Processed 2 group records (synced 2)

    1:: [217] [2016/05/19 09:52:59.064] Preparing to sync OD subset

    1:: [217] [2016/05/19 09:52:59.130] -[DMODSyncRunner _syncODUserSubset]: Processed 137 users from OD subset

    1:: [217] [2016/05/19 09:52:59.307] -[DMODSyncRunner _syncGroupODRecords:syncMode:createActive:state:]: Processed 122 group records (synced 2)

    1:: [217] [2016/05/19 09:52:59.308] -[DMODSyncRunner _syncODGroupSubset]: Processed 0 already active groups from OD subset

    1:: [217] [2016/05/19 09:52:59.308] -[DMODSyncRunner _syncODGroupSubset]: Processed 125 non-active groups from OD subset

    1:: [217] [2016/05/19 09:52:59.308] Preparing to sync active users and groups

    1:: [217] [2016/05/19 09:52:59.336] -[DMODSyncRunner _syncGroupODRecord:createActive:syncMode:syncState:]: Querying OD for 1 new users and groups

    0:: [217] [2016/05/19 09:52:59.346] Caught unhandled exception *** -[__NSArrayM insertObject:atIndex:]: object cannot be nil

    0:: [217] [2016/05/19 09:52:59.346] EXCEPTION: NSInvalidArgumentException: *** -[__NSArrayM insertObject:atIndex:]: object cannot be nil

    What is interesting is:

    1:: [217] [2016/05/19 09:52:59.130] -[DMODSyncRunner _syncODUserSubset]: Processed 137 users from OD subset

    These are users from LDAP. But none of them is showing in Profile Manager.

  • testetstsst (Level 1, 0 points), May 19, 2016 1:57 AM, in response to pvlvsk

    Interesting.

    I would guess that Profile Manager is looking for an LDAP key that isn't present.

    Can you give the output of an LDAP search with "dscl" for a user on the LDAP server?

  • pvlvsk (Level 1, 4 points), May 19, 2016 6:31 AM, in response to testetstsst

    Here is the output for a test user:

     

    mdm:~ sysop$ dscl /LDAPv3/10.2.20.251 read /Users/utest

    dsAttrTypeNative:displayName:

    User Test

    dsAttrTypeNative:givenName: User

    dsAttrTypeNative:mail: utest@company.de

    dsAttrTypeNative:objectClass: inetLocalMailRecipient ldapPublicKey sambaSamAccount posixAccount inetOrgPerson organizationalPerson person

    dsAttrTypeNative:sambaAcctFlags:

    [XU         ]

    dsAttrTypeNative:sambaDomainName: Company

    dsAttrTypeNative:sambaHomeDrive: U:

    dsAttrTypeNative:sambaNTPassword: A50EB48E5BE7FA6BB54BA364E46CC08E

    dsAttrTypeNative:sambaPrimaryGroupSID: S-1-5-21-1492413247-2473295210-1746723797-21005

    dsAttrTypeNative:sambaPwdLastSet: 1463563977

    dsAttrTypeNative:sambaSID: S-1-5-21-1492413247-2473295210-1746723797-21502

    dsAttrTypeNative:sn: Test

    AppleMetaNodeLocation: /LDAPv3/10.2.20.251

    AppleMetaRecordName:

    cn=User Test,ou=users,dc=company,dc=de

    Comment: f8c9ffd6-a234-4729-bd2a-68379df315fb

    NFSHomeDirectory: /home/utest

    Password: ********

    PrimaryGroupID: 10002

    RealName:

    Alena Hering

    RecordName: utest

    RecordType: dsRecTypeStandard:Users

    UniqueID: 10251

    UserShell: /bin/bash
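    Two points made in this thread can be checked mechanically against output like the above: GeneratedUID must hold a canonical GUID (Blaidd Drwg's reply, and the Postgres "invalid input syntax for uuid" error when a sambaSID was mapped there), and the GUID-shaped value in this record sits in Comment, not GeneratedUID. The script below is an added example, not code from the thread or from Apple; it assumes dscl's habit of printing values that contain spaces on the line after the key, and the sample record is constructed, modelled on the posted output.

```python
import re
from typing import Dict, List, Optional

# Canonical hyphenated GUID (8-4-4-4-12 hex) as Open Directory stores GeneratedUID;
# a sambaSID mapped there triggers Postgres' "invalid input syntax for uuid" error.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# 'Key: value' line; keys may carry a dsAttrTypeNative:/dsAttrTypeStandard: prefix.
KEY_RE = re.compile(r"^((?:dsAttrType\w+:)?\w+):(.*)$")

def is_guid(value: str) -> bool:
    return GUID_RE.match(value.strip()) is not None

def parse_dscl(output: str) -> Dict[str, str]:
    """Parse 'dscl <node> read <record>' output into {attribute: value}. dscl prints
    values containing spaces on the line after 'Key:', so an empty value is kept as
    a pending key that the next line fills (assumption about dscl's output layout)."""
    attrs: Dict[str, str] = {}
    pending: Optional[str] = None
    for line in output.splitlines():
        m = KEY_RE.match(line)
        if m:
            key, rest = m.group(1), m.group(2).strip()
            if rest:
                attrs[key], pending = rest, None
            else:
                pending = key
        elif pending and line.strip():
            attrs[pending], pending = line.strip(), None
    return attrs

def guid_candidates(attrs: Dict[str, str]) -> List[str]:
    """Attributes already holding a well-formed GUID: candidates for GeneratedUID."""
    return sorted(k for k, v in attrs.items() if is_guid(v))

def check_record(attrs: Dict[str, str]) -> Dict[str, object]:
    gen = attrs.get("GeneratedUID")
    return {"has_generated_uid": gen is not None,
            "generated_uid_valid": None if gen is None else is_guid(gen),
            "guid_candidates": guid_candidates(attrs)}

# Constructed sample modelled on the dscl output in the thread (values invented).
SAMPLE = """\
dsAttrTypeNative:displayName:
 User Test
dsAttrTypeNative:sambaHomeDrive: U:
dsAttrTypeNative:sambaSID: S-1-5-21-1111111111-2222222222-3333333333-21502
AppleMetaRecordName:
 cn=User Test,ou=users,dc=example,dc=com
Comment: f8c9ffd6-a234-4729-bd2a-68379df315fb
"""
```

    Running check_record(parse_dscl(SAMPLE)) reports no GeneratedUID and names Comment as the only attribute with a GUID-shaped value, which is the mapping fix suggested later in this thread.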

  • John Lockwood (Level 6, 9,309 points, Servers Enterprise), May 19, 2016 7:39 AM, in response to pvlvsk

    I did, a couple of years ago, successfully use Profile Manager with an OpenLDAP server; however, I had not set up the OpenLDAP server myself and I believe it had already been fully tweaked to make it support Mac schema extensions and Kerberos before I was involved. However, I have the following suggestions.

    1. See OS X Server: Using the Profile Manager or Wiki service with Active Directory or third-party LDAP services - Apple Suppor…
    2. Also check the search order in Directory Utility. Remember Profile Manager creates its own Open Directory Master, so even if you bind it to another server, i.e. OpenLDAP, it will be bound to two servers; you want to make the OpenLDAP server the first choice listed.
    3. See http://blog.smalleycreative.com/administration/fixing-openldap-authentication-on-os-x-lion/
    4. Also, OpenLDAP by itself does not, I believe, include Kerberos support, unlike Open Directory which includes both LDAP and Kerberos. It is possible to set up a Linux server to do both OpenLDAP and Kerberos, so double-check this. This may help a little: https://www.novell.com/documentation/suse91/suselinux-adminguide/html/ch19s04.html and also http://deepport.net/archives/setting-up-a-linux-server-for-os-x-clients/

    Note: OS X now uses the Heimdal version of Kerberos; Mac OS X originally used the MIT version. Personally I feel this is a huge step backwards by Apple: even though supposedly the Heimdal version is newer code and has better support, it is more that Apple's Heimdal version seems castrated. This should in theory not prevent a Mac client connecting to another Kerberos server, e.g. a Linux one, but might make it difficult to impossible to connect a Linux client to a Mac Kerberos server.

  • testetstsst (Level 1, 0 points), May 19, 2016 8:31 AM, in response to pvlvsk

    You have the UniqueID as "Comment" in the output.
    That won't work. It has to be a "GeneratedUID" entry.

    Have you mapped the "comment" in Directory Utility manually? Then you can change the name of the entry to "GeneratedUID" and try again.
    Otherwise you can map the "comment" output of your OpenLDAP to a "GeneratedUID" entry within Directory Utility.

    It should look like this (with more data types on the left side).
    You can add the GeneratedUID by selecting "Users", hitting the "+" sign under the left table, then clicking "+" and mapping to "comment".

    [Screenshot: Bildschirmfoto 2016-05-19 um 17.18.44.png]