Nov 29, 2009
LDAP is included and installed by default on every copy of Mac OS X. On Mac OS X Server it is easiest to get LDAP up and running, given that you have a handy graphical means of manipulating LDAP in the Open Directory features of Server Admin and Workgroup Manager. But what about Mac OS X (excerpt from "Starting OpenLDAP on Mac OS X Client").

Mac OS X (Intel and PPC, 64-bit architecture) installation instructions: the Mac OS X version is supplied as an installer executable. To perform the installation, simply launch the installer once the download is completed. Ldap Admin Tool has been tested on Mountain Lion on an Intel Core i7 processor.
Directory Utility User Guide
Using Directory Utility, you can configure a stricter security policy for an LDAPv3 connection than the security policy of the LDAP directory. For example, if the LDAP directory’s security policy permits clear-text passwords, you can set up an LDAPv3 connection so it doesn’t permit clear-text passwords.
Setting a stricter security policy protects your computer from a malicious hacker trying to use a rogue LDAP server to gain control of your computer.
The computer must communicate with the LDAP server to show the state of the security options. Therefore, when you change security options for an LDAPv3 connection, the computer’s authentication search policy should include the LDAPv3 connection.
The permissible settings for an LDAPv3 connection’s security options are subject to the LDAP server’s security capabilities and requirements. For example, if the LDAP server doesn’t support Kerberos authentication, several LDAPv3 connection security options are disabled.
In the Directory Utility app on your Mac, click Search Policy.
Make sure the LDAPv3 directory you want is listed in the search policy.
See Define search policies.
Click the lock icon.
Enter an administrator’s user name and password, then click Modify Configuration (or use Touch ID).
Click Services.
Select LDAPv3, then click the Edit button (looks like a pencil).
If the list of server configurations is hidden, click Show Options.
Select the configuration for the directory you want, then click Edit.
Click Security, then change any of the following settings.
Note: The security settings here and on the corresponding LDAP server are determined when the LDAP connection is set up. The settings aren’t updated when server settings are changed.
If any of the last four options are selected but disabled, the LDAP directory requires them. If any of these options are not selected and disabled, the LDAP server doesn’t support them.
Use authentication when connecting: Determines whether the LDAPv3 connection authenticates itself with the LDAP directory by supplying the specified distinguished name and password. This option is not visible if the LDAPv3 connection uses trusted binding with the LDAP directory.
Bound to the directory as: Specifies the credentials the LDAPv3 connection uses for trusted binding with the LDAP directory. This option and the credentials can’t be changed here. Instead, you can unbind and then bind again with different credentials. See Stop trusted binding with an LDAP directory and Set up authenticated binding for an LDAP directory. This option is not visible unless the LDAPv3 connection uses trusted binding.
Disable clear-text passwords: Determines whether the password is to be sent as clear-text if it can’t be validated using an authentication method that sends an encrypted password.
Digitally sign all packets (requires Kerberos): Certifies that directory data from the LDAP server hasn’t been intercepted and modified by another computer while en route to your computer.
Encrypt all packets (requires SSL or Kerberos): Requires the LDAP server to encrypt directory data using SSL or Kerberos before sending it to your computer. Before you select the “Encrypt all packets (requires SSL or Kerberos)” checkbox, ask your Open Directory administrator if SSL is needed.
Block man-in-the-middle attacks (requires Kerberos): Protects against a rogue server posing as the LDAP server. Best if used with the “Digitally sign all packets” option.
Click OK.
Open Directory uses a signed certificate and has all the required CA and intermediate certificates correctly installed. SSL, package encryption and no clear-text passwords have been enabled in the 'macosxodpolicy', and the 'macosxodconfig' residing in the 'cn=config' container of our Open Directory LDAP structure has been appropriately configured to explicitly request SSL connections on port 636 (StartTLS does NOT seem to work at all, though OpenLDAP seems to regard explicit LDAPS:// as deprecated as opposed to StartTLS on port 389).
With this setup I now have THREE out of eight computers successfully retrieving the 'macosxodpolicy' at bind to the directory - the rest of my test subjects all hang at step one of the binding process. After a while I then receive the error:
Step 1 - Server Information Discovery
Error -14292 from DirectoryService
The three computers that actually work as they're supposed to, one Mac OS X 10.5.8 client and two 10.6.4 clients (10.6.0 installed, then updated to 10.6.2 through the combo update, then updated to 10.6.3 and 10.6.4), all bind correctly within seconds! No complaining at all ... It Just Works™!
Now, I have tried all the same 'openssl s_client -connect <server>:<port>' exercises as you mention and everything seems fine - no matter which computer I use ... The computers that are unable to connect through DirectoryService connect just fine with the openssl commands from the command line ...
I can even use Apache Directory Studio to connect to the server on port 636 using LDAPS:// and - again - everything just works ...
I have tried copying my issuer's CA certificate to /etc/openldap/cert and adding the 'TLS_CACERT /etc/openldap/cert/<certificate>' line to the client's /etc/openldap/ldap.conf file as well as changing the line 'TLS_REQCERT demand' to 'TLS_REQCERT never' with no greater success ...
Mysteriously enough, something seems to work differently with the two Snow Leopard Macs that are able to bind correctly. I wonder if it has anything at all to do with Apple's OpenSSL port, since I have MacPorts installed on the two working setups - and at least one of these responds to the 'openssl version -d' command by stating 'OPENSSLDIR:'/opt/local/etc/openssl' ...
Could we be experiencing some weird bug somewhere in Apple's OpenSSL port that only affects DirectoryService configuration, since the sample client seems to work along with the supplied OpenLDAP command line tools?
Thanks
Sep 4, 2010 2:39 AM
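As an added example (not from Apple's guide or the thread above), the following Python script audits a client-side /etc/openldap/ldap.conf for the weaknesses the Directory Utility options guard against and that the 'TLS_REQCERT never' workaround tried above reintroduces: an unverified server certificate, a plain ldap:// URI that sends the bind in clear text unless StartTLS is enforced, and a missing or absent TLS_CACERT trust anchor. The config text and paths are constructed, and the cacert_exists callback is an assumed hook so the file check runs offline.

```python
import re

# Constructed sample config (not from any real host): the weakened file a
# troubleshooter might end up with after trying 'TLS_REQCERT never'.
SAMPLE_LDAP_CONF = """\
# /etc/openldap/ldap.conf (constructed example)
BASE   dc=example,dc=com
URI    ldap://ldap.example.com ldaps://ldap.example.com:636
TLS_CACERT /etc/openldap/cert/issuer-ca.pem
TLS_REQCERT never
"""

def parse_ldap_conf(text):
    """Map each directive (upper-cased) to its last value; comments ignored."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings

def audit_ldap_conf(text, cacert_exists=None):
    """Return a list of findings (empty means nothing weak was found).
    cacert_exists is an assumed hook, callable(path) -> bool, so the file
    check can run offline or against a test fixture."""
    s = parse_ldap_conf(text)
    findings = []
    # OpenLDAP defaults TLS_REQCERT to 'demand'; 'never' and 'allow' accept
    # any certificate, so a rogue server can pose as the directory.
    reqcert = s.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not "
                        "verified; a rogue server could impersonate the directory")
    for uri in s.get("URI", "").split():
        m = re.match(r"^(ldaps?)://", uri)
        if not m:
            findings.append(f"URI {uri}: unrecognised scheme")
            continue
        # ldap:// is encrypted only if StartTLS is negotiated; otherwise the
        # simple-bind password crosses the wire in clear text.
        if m.group(1) == "ldap":
            findings.append(f"URI {uri}: plain ldap://, bind is clear-text "
                            "unless StartTLS is enforced")
    cacert = s.get("TLS_CACERT")
    if cacert is None:
        findings.append("TLS_CACERT missing: no trust anchor for the server cert")
    elif cacert_exists is not None and not cacert_exists(cacert):
        findings.append(f"TLS_CACERT {cacert}: file not found")
    return findings
```

Run it against the real file with `audit_ldap_conf(open("/etc/openldap/ldap.conf").read(), cacert_exists=os.path.isfile)`; an empty list means the client insists on a verified certificate over ldaps:// or enforced StartTLS.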