Open Directory/Client Login question

hayesm
Hello,
I'm trying to do something fairly simple, but it's just not working. I'm trying to get an iMac workstation (10.4.4) to authenticate to our new server (also 10.4.4 server), but I haven't had any luck.

So far, I've been able to figure out the following stuff:
-DNS seems to be working. If I type "host serverName" in Terminal, it shows me the IP address. Typing "host ipaddress" in Terminal shows me the server's name. This makes me think DNS is working.
-The server is an Open Directory Master.
-Using Directory Access, I configured LDAPv3 with the server's name.
-On the server, I created both a computer account and a user account using Workgroup Manager and making sure to create them in the Open Directory location.
-I can log in directly to the server using the Open Directory user.

Here's where I think I've figured out what's going on, but I don't know how to fix it.
-Using Terminal on the server, "dscl localhost" lets me navigate through LDAPv3>servername>Users. From there I can use "read username" to view user information.

-Using Terminal on the client, "dscl localhost" lets me get through LDAPv3>servername>Users. When I "ls" the Users folder, there is nothing listed.

-I tried setting up authentication in Directory Access, but nothing changed.

Does anyone know what I might be missing? Has this already been answered on another thread? Does anyone know of a good place for how-tos on setting up Mac servers? (The Apple documentation is a bit wordy, though it does a good job of explaining what's going on.)

Thanks in advance for any help.
Hayes
 
OK, I made it almost work. I deleted and re-created the LDAP configuration on the client. I also made it bind to the directory. This made the login screen change according to the settings I set on the server, which means it's actually talking to the Open Directory server. In addition, dscl now shows me the same configuration as on the server.

HOWEVER, when I try to log in, it just sits there for a few seconds, then shakes, even though I'm sure I'm entering the right password and I'm selecting the user from the list.

Any ideas what I might try?

Thanks for any help.
Hayes
 
Now I've figured out what my problem is: Open Directory passwords. If I change the password type to Crypt, then it works fine. But, according to Apple, the Crypt passwords aren't very secure. Does anyone have any suggestions about what I might try to fix it?

Thanks in advance.

Hayes
 
A couple of quick things... I responded to your PM as well.

Are you using authenticated binding to the directory? I've seen some issues with that, so possibly try binding without.

Open Directory passwords are shadow type passwords, as opposed to Crypt. The difference? Crypt is stored in the actual user account and can be read fairly easily. Shadow passwords are not stored in the user account, but rather in several hash files, securely. Much better! Crypt support is still around for legacy applications and use.

Have you statically assigned the hostname into the server? You should use scutil in the command line to do this. If there's any issue with the server resolving itself, that could come back to bite you in the directoryservice realm, such as authentication and such.

Michael
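As an added example that is not part of this thread and not an Apple tool: the quickest way to see which password type a record actually carries is its AuthenticationAuthority attribute, which you can pull on the server with `dscl localhost -read /LDAPv3/<servername>/Users/<username> AuthenticationAuthority` (and the same path from a bound client, to confirm the client sees the same thing). A value starting with ";ApplePasswordServer;" means an Open Directory password, ";basic;" means Crypt, and ";ShadowHash;" is the local-node shadow form. The Python 3 script below parses that output, classifies each user, and, for Open Directory users, pulls out the address after `root@` in the password server value so you can compare it with what `host <servername>` returns, which is the self-resolution check Michael raises above. The dscl output it reads is constructed sample data embedded in the script (the user names, key slot IDs, modulus digits and the 192.168.1.10 address are made up), and the exact line layout and the reading of the `root@host:addr` suffix as the address clients contact are assumptions about the 10.4 record format, not something this thread states.

```python
import re
from typing import Dict, List, Optional

# Constructed sample output, as if captured from
#   dscl localhost -read /LDAPv3/<servername>/Users/<user> AuthenticationAuthority
# for three hypothetical users. Names, key slot IDs, modulus digits and the
# 192.168.1.10 address are made up for this example; they are not records from
# the thread. dscl prints values containing spaces one per indented line and a
# single-token value on the attribute line itself; both forms appear here.
SAMPLE_DSCL_OUTPUT = {
    "hayes": (
        "AuthenticationAuthority:\n"
        " ;ApplePasswordServer;0x43a04b7216e7b3270000000200000002,"
        "1024 35 1234567890123456789 root@192.168.1.10:192.168.1.10\n"
        " ;Kerberosv5;0x43a04b7216e7b3270000000200000002;hayes@EXAMPLE.COM;"
        "EXAMPLE.COM;1024 35 1234567890123456789 root@192.168.1.10:192.168.1.10\n"
        "RecordName: hayes\n"
    ),
    "legacy": "AuthenticationAuthority: ;basic;\nRecordName: legacy\n",
    "localadmin": "AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA1>\nRecordName: localadmin\n",
}

# One AuthenticationAuthority value looks like ';Tag;payload'. For the password
# server tag the payload is '<slot-id>,<public key> root@<host>:<addr>'; the part
# after root@ is taken here as where clients reach the password server (assumption).
PASSWORD_SERVER_RE = re.compile(
    r"^;ApplePasswordServer;(?P<slot>0x[0-9a-fA-F]+),(?P<key>.+?)"
    r"\s+root@(?P<host>[^:\s]+):(?P<addr>\S+)$"
)


def parse_authorities(dscl_output: str) -> List[str]:
    """Return every AuthenticationAuthority value from one user's dscl -read output."""
    values: List[str] = []
    capturing = False
    for line in dscl_output.splitlines():
        if line.startswith("AuthenticationAuthority:"):
            rest = line[len("AuthenticationAuthority:"):].strip()
            if rest:
                values.append(rest)
            capturing = True
        elif capturing and line[:1].isspace() and line.strip():
            values.append(line.strip())      # continuation line of the same attribute
        else:
            capturing = False                # next attribute or end of record
    # Values may also have been printed on one line; a new value always starts with ';Tag;'.
    return [v for v in re.split(r"\s+(?=;[A-Za-z0-9]+;)", " ".join(values)) if v]


def classify(values: List[str]) -> str:
    """Map the authority tags to the password type Workgroup Manager would show."""
    tags = {v.split(";")[1] for v in values if v.startswith(";") and v.count(";") >= 2}
    if "ApplePasswordServer" in tags:
        return "open-directory"   # password held by the Password Server, not in the record
    if "ShadowHash" in tags:
        return "shadow"           # local-node hash file, not in the record
    if "basic" in tags:
        return "crypt"            # crypt hash stored in the user record itself
    return "unknown"


def password_server_address(values: List[str]) -> Optional[str]:
    """Address the client will contact for an Open Directory password, or None."""
    for v in values:
        m = PASSWORD_SERVER_RE.match(v)
        if m:
            return m.group("addr")
    return None


def audit(records: Dict[str, str], expected_server_addr: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Classify every user and flag the two problems discussed in the thread: a Crypt
    password, and a password server address that differs from what the server name
    resolves to (pass the result of `host <servername>` as expected_server_addr)."""
    report: Dict[str, Dict[str, Optional[str]]] = {}
    for user, output in records.items():
        values = parse_authorities(output)
        ptype = classify(values)
        addr = password_server_address(values)
        issue: Optional[str] = None
        if ptype == "crypt":
            issue = "crypt password stored in the record; reset the user to the Open Directory password type"
        elif ptype == "open-directory" and addr != expected_server_addr:
            issue = f"password server address mismatch: record says {addr}, DNS says {expected_server_addr}"
        elif ptype == "unknown":
            issue = "no recognisable AuthenticationAuthority value"
        report[user] = {"type": ptype, "password_server": addr, "issue": issue}
    return report


if __name__ == "__main__":
    for user, row in audit(SAMPLE_DSCL_OUTPUT, "192.168.1.10").items():
        print(f"{user:12} {row['type']:15} {row['password_server'] or '-':15} {row['issue'] or 'ok'}")
```

To use it on a real server, replace the sample dictionary with the output of the dscl command for each user (one entry per user) and pass the address that `host <servername>` returns; any user reported as "crypt" is one whose hash sits in the LDAP record, and an address mismatch on an "open-directory" user is the self-resolution problem to chase with scutil before touching the password type.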
 
hayesm said:
Now I've figured out what my problem is: Open Directory passwords. If I change the password type to Crypt, then it works fine. But, according to Apple, the Crypt passwords aren't very secure. Does anyone have any suggestions about what I might try to fix it?

Thanks in advance.

Hayes

If you can only set CRYPT or SHADOW passwords, it means your LDAP configuration is not properly set up. I had the problem also and ended up reinstalling OS X (as no real important stuff would get lost during the reinstallation). I made 2 partitions, one for OS X Server and one for my data, which eases reinstallation enormously, as you have to format to reinstall.

So check your LDAP configuration, as the problem lies there. If security is not too important, leave it with crypt passwords, but if sharing your passwords between servers, fix the problem before making the passwords public.

Good luck, Kees
 
Kees Buijs said:
If you can only set CRYPT or SHADOW passwords, it means your LDAP configuration is not properly set up. I had the problem also and ended up reinstalling OS X (as no real important stuff would get lost during the reinstallation). I made 2 partitions, one for OS X Server and one for my data, which eases reinstallation enormously, as you have to format to reinstall.

So check your LDAP configuration, as the problem lies there. If security is not too important, leave it with crypt passwords, but if sharing your passwords between servers, fix the problem before making the passwords public.

Good luck, Kees

I wouldn't suggest that any improperly built Open Directory be allowed to continue running. Sure, if this is a test environment and you're playing around, no big deal, but if this server is being built to be reliable and to be used over a period of time, getting this done right is critical. You never know when a software update may end the viability of an improper installation, and you'll always wonder, day to day, if it'll still work.

Unless the installation itself is corrupted, meaning the source didn't replicate properly from the original media, the entire server should not need to be erased. Moving the OD to Standalone will destroy all directory information. If you have a lot of created users, you could export out the users, demote the OD, promote it again, import the users and update the user records to use the OD hash passwords, as importing the users in this fashion will use Crypt by default. I'd assume if you have directory issues and password server issues, you probably wouldn't want to migrate that data across. :)

Look through the logs, though. Let's find out why exactly the OD installation was askew to begin with.
 