Finally. It works. I got Richard's OS X box to authenticate against the OpenLDAP server I set up yesterday (actually, it authenticates against the replica, but this does not make any difference). Here's what I did:
(In my explanations I assume your accounts have the objectClasses inetOrgPerson, posixAccount and shadowAccount.)
- Under “Users”, set the RecordName to “uid”.
- I had to add a record called “Group” to Users and assign “primaryUID” to it, or the group of the user was not recognized (see the prior entry in this blog).
- Under “Group”, add the RecordName attribute and assign cn to it, or the group was not recognized later on.
- Now close the dialog by hitting “OK”, and then close the next dialog with “OK” too.
- Now select the “Authentication” tab and choose a “Custom” search path. Add your newly added LDAP server.
- Do the same on the Contacts tab, although I have not yet figured out how to get this to work.
- Hit “Apply”.
- Reboot.
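The mapping above only works if every account and group actually carries the attributes it points at: uid and gidNumber on the user, cn and gidNumber on the group. Before spending another reboot on a mapping experiment it is worth checking the directory data itself. The script below is an added example, not part of the original post or of OS X; it parses a small constructed LDIF (embedded inline, so it runs offline) using only the standard library and reports users that lack a required posixAccount attribute or whose gidNumber has no matching posixGroup, which is the situation in which the primary group silently ends up as something you did not intend. With real data you would feed it the output of `ldapsearch -LLL` instead of the sample. Attribute names, DNs and the check list are my assumptions, not something the post prescribes.

```python
"""Sanity-check LDAP users/groups against the Directory Access mapping.

Added example (not code from the original post). It uses a constructed
LDIF sample so it can run offline; the simple parser handles plain
"attr: value" lines only (no base64 "::" values, no line continuations).
"""
import re

# Constructed sample data. The second user points at a gidNumber that no
# posixGroup carries, which is exactly the kind of entry that leaves the
# primary group unresolved on the client.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
cn: Alice Example
sn: Example
uidNumber: 1001
gidNumber: 1001
homeDirectory: /Users/alice

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: bob
cn: Bob Example
sn: Example
uidNumber: 1002
gidNumber: 5000
homeDirectory: /Users/bob

dn: cn=alice,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: alice
gidNumber: 1001

dn: cn=staff,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: staff
gidNumber: 2000
memberUid: alice
memberUid: bob
"""

# Attributes the user-side mapping relies on (RecordName <- uid, and the
# POSIX identity OS X needs to build a usable login session).
USER_REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry (blank-line separated)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def check_mapping(entries):
    """Return a list of human-readable problems; empty list means the data is consistent."""
    problems = []
    groups_by_gid = {}

    # Pass 1: index groups by gidNumber and make sure each has a cn,
    # because the Group record's RecordName is mapped to cn.
    for e in entries:
        if "posixGroup" in e.get("objectClass", []):
            if "cn" not in e:
                problems.append(f"group {e['dn'][0]} lacks cn")
            for gid in e.get("gidNumber", []):
                groups_by_gid[gid] = e

    # Pass 2: every posixAccount must carry the mapped attributes and its
    # gidNumber must resolve to a group that exists in the directory.
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        dn = e["dn"][0]
        for attr in USER_REQUIRED:
            if attr not in e:
                problems.append(f"user {dn} lacks {attr}")
        for gid in e.get("gidNumber", []):
            if gid not in groups_by_gid:
                problems.append(
                    f"user {dn} has gidNumber {gid} but no posixGroup carries it; "
                    "the client cannot resolve the primary group"
                )
    return problems


if __name__ == "__main__":
    for p in check_mapping(parse_ldif(SAMPLE_LDIF)):
        print(p)
```

Running it on the sample prints one line for bob, whose gidNumber 5000 matches no group; alice resolves cleanly because a posixGroup with gidNumber 1001 exists.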
The last step is very annoying: I had to experiment quite a bit with the mapping settings to finally get my LDAP groups recognized and the right primary group assigned to LDAP users (it was always 0/wheel, which is not what I wanted, not at all). There is no way to get the OS to recognize changes you make in the Directory Access utility other than rebooting the machine. I'm happy OS X boots that fast. If it had been Windows I'd still be waiting for the reboots to complete ;-)
What have I accomplished?
- I can log in with the LDAP accounts by selecting “Other” in the login screen and then entering username and password.
- I can su to any LDAP account.
What still does not work:
- passwd
- Although I can set a new password in System Preferences, the changes do not get written back to the LDAP server.
Regarding the password-changing problems, I will have a look at PAM. Until then, I'm quite happy that I finally got it to work.
I really hope someone will find this useful…