LDAP Authentication from OSX 10.6.2 Client

[davebez]

I have configured the LDAP in zimbra as per the instructions found in this article

HTML Code:

http://wiki.zimbra.com/index.php?title=UNIX_and_Windows_Accounts_in_Zimbra_LDAP_and_Zimbra_Admin_UI_6.0#Creating_Linux_and_Samba_users_using_Zimbra_Admin_UI

I have also managed to get a fedora 12 client to successfully authenticate against the zimbra LDAP db, but i cannot for the life of me get my mac clients to authenticate... Im not sure if this is snow leopard specific or a general mac problem.

has anyone succeeded at this?

the steps i have looked at so far are

I have edited the /etc/openldap.ldap.conf included the TLS_CACERTDIR /etc/openldap/cacerts/ and have copied over the ca certificate from the zimbra install.

this still does not allow for authentication from the snow leopard client

also when looking at the logging of ldap on the zimbra server it looks as though the search base is incorrect from the osx client. Is there anything specific that should be done in the osx gui "search and mappings" in order to get this to see the LDAP structure correctly?

I have considered adding the apple.schema to the zimbra ldap directory. Would this make any difference in the short term with trying to get the osx clients authenticated. Even so I would eventually like to put this on the LDAP directory for automounts etc...

any experiences or thoughts would be appreciated.

[davebez]

Further reading from this apple mail group seems to be the problems i am experiencing,

Re: Authenticating to LDAP

in Zimbra 6.0 is it possible/advisable to disable SASL in ldap in order for the osx clients to authenticate.

[albanwr]

Did you manage to auth OSX to Zimbra in the end?

[davebez]

Yes. I was successful in the end. All settings are pretty much straight forward. It is important however to make sure you use authentication for the ldap server on zimbra and to then reboot the client machine for ldap to take hold. We now have successful ldap authentication from an osx client.

[chimaster]

Howdy,

I'm struggling to get LDAP authentication going from OSX, we were hoping to use OSX with snow leopard authenticating to the Samba server, but it turns out there are some mdns issues relating to .local domains.

So as a backup I thought I'd bypass samba and auth straight to the Zimbra server then find a way to map drives / authenticate / SSO once connected to LDAP. We've got the server showing up as Green and connecting within Open Directory settings on Mac OS, but can't seem to login.

Any suggestions / comments / configs on how you got yours operational appreciated... :-)

[chimaster]

So... I got it going, about two minutes after posting. We hadn't set the LDAP mappings on the Directory Utility to RFC 2307.

But... Any one have any pointers in delivering Home Directory options, I'm wondering if we can extend the schema, but I'm no LDAP guru, so any thoughts?
(do_search: invalid dn: "automountMapName=auto_master,dc=domain,dc=com " )

Thanks.

[catnipper]

I am not 100% sure if it also applies to your case, but I once started to struggle with POSIX and Samba on ZCS with no luck (not sying the Zimlet is a bad solution!). Secondly I did not like the idea any schema changes (OS X) may disappear or get corrupted upgrading Zimbra (upgrade safe?). Third I still need BlackBerry services (therefore a Windows Server). And forth I do not think it's a good idea to build security groups based on distribution lists in a mail server...

As for above reasons, I decided it would be better to spend money for a regular Windows 2008 server to manage users and authenticate Zimbra off that (building a Golden Triangle). Also it's much more transparent for Unix, OS X and Windows profile services and allows me to run RADIUS services for our WiFi networks which I was not able to use with encrypted LDAP passwords on Zimbra using freeradius.

As said, it depends on your requirements - but I would strongly recommend you think of all features you may implement before taking your final decision.

[chimaster]

Hi Catnipper,

Thanks for the info. I was originally trying to user OS X via SAMBA which is auth via the LDAP but was having issues with with the ".local" extension from the MAC and mDNS. I'm testing this .local issue on another independent samba server today and if I'm having the same issues I'm simply going to re-install Zimbra server with a new domain.

I was hoping I could just the macs to simply auth via LDAP and gather up their home directories etc.. but I'm also not interested in too many schema changes which will fail on any upgrade. Although I'm quickly becoming more of an LDAP man. ARRGGHH. At least it's not eDir.

:-)

Thanks.

[catnipper]

I never tried to link an OS X directory to anything else than AD - but I do not think that this would work without implementing POSIX and Samba (OS X schema if you want to manage OS X users).

Your issue with DNS I do not understand - except I know AD provides specific entries in the DNS to retrieve the domain controller

[chimaster]

Hi Resolved the DNS issues.

Now looking into extending schema for OS X as I'm having a shit of a time (still) getting OS X login to Samba/LDAP, although, it's close and I suspect an auth / SSL issue which I'm hoping to isolate today. Will post results if I have any.

I can login to OpenLDAP and have two other options if Samba fails.
Option 1. Auth LDAP, OSX extensions and attempt to map drives / SSO to samba

Option 2. Auth LDAP, AppleScript drive mappings to Samba Server.

Option 3. Cry. :-)

FYI: I forgot to add Samba Posix Extension for Zimbra works a treat, even with win 7 clients! I'm worried about upgrades to the Zimbra server but managed to upgrade samba from 3.0.28 to 3.5.6 without any issues. It would be great to see further devopment of this Zimlet as it really offers an alternative to Exchange / Active Directory