Initial Open Directory Authentication

So weird! Have new 10.3 server installed, configued with Open Dir Master. Put in
custom path based on server IP. Now, can't authenticate to my domain. Instead
of bringing over the Administrator name & Psw, getting error messages of
invalid login info. Stopped in my tracks! Can only access Net/info domain.
Have already tried installing the software again, no luck. Help!!!

If you haven't already reinstalled, here are some things to check:
• Are all of the OD services running? Check in Server Admin -> Open Directory service in the sidebar -> Overview in the toolbar.
• Is there anything suspicious in any of the server logs (Server Admin -> Open Directory -> Logs in the toolbar -> choose various logs from the View menu near the bottom of the window)?
• Are you using Time Machine to back up the server? It apparently shuts down OD services to get a clean backup, and has sometimes had trouble restarting them afterward (although this is supposed to be better in 10.6.5)...

Similar Messages

Open Directory authentication question

I have 2 Apple servers. One is running 10.6 (server), the other is running 10.5 (server). I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication. What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory. Any ideas?

mickey13 wrote:
I have 2 Apple servers. One is running 10.6 (server), the other is running 10.5 (server). I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication. What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory. Any ideas?
This should work the same way as normal.
Define the user accounts in Open Directory as normal via Workgroup Manager
On the 10.5 Server, set up a share point, usually AFP is used as the protocol, this is done in Server Admin
On the 10.5 Server, set up that share point to be an Automounted share for user home directories, this will register that share in Open Directory assuming you have already successfully connected the 10.5 Server to Open Directory system, this is also done in Server Admin
Go back to Workgroup Manager select a user account you want to store on the 10.5 server, click on the Home tab, you should now see the 10.5 share point listed as an available choice for storing home directories.
Click on the 10.5 share point and save the user account.
I normally now click on create Home directory, although this happens automatically when a user logs in for the first time.
It is perfectly ok to mix 10.5 and 10.6 servers in this manner. The client machines can also be a different version e.g. 10.4
What you are doing above even though you are mixing 10.5 and 10.6 servers, is the same as you would do to spread the workload of user home directories across multiple servers. While handling user home directories does not cause a massive amount of CPU activity (or memory use) it does cause a significant amount of disk activity and therefore at a certain level spreading user accounts across multiple servers is recommended.

OSX 10.6 server open directory authentication

I was wondering if there is any issues with allowing one user account to authenicate (login) at the same time on serveral machines?

This is perfectly ok to do but remember that it is possible to set an account in Workgroup Manager to only allow a single login at a time. Also, if you login to the same Network Home Directory (i.e. same account) from more than one machine at the same time then some applications do not allow or cope with two systems trying to access those files at the same time.

Open Directory authentication error

Hi,
I am trying to create a replica with 10.8 server.
Steps:
Create OD on server 1.
Create Replica on server 2. All works fine
Restore OD. Replica stop working. I get an error message saying that I cannot authentificate against diradmin on main OD.
What is the step to either merge the database or create a new diradmin password. This is driving me nuts!
Tks

Get a working master with all your users first.
Make sure DNS (forward and reverse) is correct from both locations.
Then add the replica.
There's a good chance the OD you are restoring has references to an older hostname or IP, this can break your setup.
Depending on the size of your setup.. it may be less painful not to bother restoring your old OD and just create from users/groups scratch (leaving behind the possibility of bringing in issues related to your previous OD config).
Its a hassle.. but looking for a needle in a haystack is also.

Use Open Directory for intranet web acces

Is it possible to tap in to Open Directory user information from other services than those build into the server? And that way use the Open Directory authentication for our own home-made service?
We plan to setup an intranet on our OS X 10.6 server. We're still not sure whether to use one of the popular Open Source cms/portal platforms such as Drupal or maybe even WordPress.
1. I would like to use the users accounts in our Open Directory to authenticate to the intranet. Is that possible in any way?
2. Or does anyone know of a way to modify e.g. the build in blog function and integrate that with another system such as Drupal or WordPress?
I'm guessing there are blocks of code in the blog that handle user authentication. And if I keep them where they are on the server and include them in other Drupal files, it may be possible? Is the build in blog build on an open source system like some of the other services on Mac OS X server? A system I can read about anywhere?
+Note: The build in blog or wiki service does not match our needs for an intranet. We need to customize it a lot to make i suit our needs.+
3. Plan B could be to export our 100 users and passwords from Open Directory and import them in the intranet system. But as far as I know it's impossible to export the passwords. Right?
+New users would then have to be added to both Open Directory and the separate intranet system in the future. That would be okay for working but not perfect Plan B.+

ryanowich wrote:
Is it possible to tap in to Open Directory user information from other services than those build into the server?
Yes.
And that way use the Open Directory authentication for our own home-made service?
Sure. I have HP OpenVMS systems that are authenticating to Mac OS X Server boxes. LDAP has a callable interface for applications written in most any active programming language, and many packages already have LDAP support.
We plan to setup an intranet on our OS X 10.6 server. We're still not sure whether to use one of the popular Open Source cms/portal platforms such as Drupal or maybe even WordPress.
You need to narrow your requirements and your ideas somewhat, and work toward a list of features.
I have some discussions posted of what I went through when I ended up picking Drupal.
1. I would like to use the users accounts in our Open Directory to authenticate to the intranet. Is that possible in any way?
Network servers (Apache, DHCP, etc) can authenticate to LDAP, but (once granted access via DHCP and RADIUS, or analogous) clients don't usually further authenticate.
Within Drupal, the [Drupal|http://drupal.org] module [ldapauth|http://drupal.org/node/118092] would be worth a test. That's an available connection into LDAP. (Haven't prototyped that module, though.)
2. Or does anyone know of a way to modify e.g. the build in blog function and integrate that with another system such as Drupal or WordPress?
You're apparently not familiar with Drupal. You might want to learn more about it, and particularly its extensibility. Drupal can be connected to some refrigerators, if you were inclined to do so.
I'm guessing there are blocks of code in the blog that handle user authentication. And if I keep them where they are on the server and include them in other Drupal files, it may be possible? Is the build in blog build on an open source system like some of the other services on Mac OS X server? A system I can read about anywhere?
Including random blocks of code isn't a strategy for success. Understanding the basics of how the pieces fit together tends to be a better strategy. For Drupal, there's always the [Drupal documentation|http://drupal.org/documentation], or the available books on the CMS. Or you can call in somebody that's done this stuff.
+Note: The build in blog or wiki service does not match our needs for an intranet. We need to customize it a lot to make i suit our needs.+
The built-in services are limited, yes. I've been running Drupal on Mac OS X Server for years now.
3. Plan B could be to export our 100 users and passwords from Open Directory and import them in the intranet system. But as far as I know it's impossible to export the passwords. Right?
I would sincerely hope you don't get the passwords out of your authentication system. That would be bad. Cleartext passwords are bad news. You don't want that ability.
+New users would then have to be added to both Open Directory and the separate intranet system in the future. That would be okay for working but not perfect Plan B.+
That would be a hassle.
And I've tested with Wordpress on Mac OS X Server, but haven't deployed it in production. I'll leave discussions of its features and capabilities to others. That written, you might try the [Wordpress web site|http://Wordpress.org], as I'd expect there would be discussions of LDAP there.
I'd suggest determining your requirements, otherwise you're going to flail around given the numbers of options an alternatives here. If you have your requirements, then you have a framework to pick your tools. [Here is what I looked at when I picked Drupal|http://labs.hoffmanlabs.com/node/100].

Ubuntu Karmic authentication against Snow leopard open directory server

Hi,
I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an osx snow leopard server. Currently `getent password` show all users including those from the open directory server when running the command as both root and normal users. However authentication against the open directry users fails with the following messages in the /var/log/auth.log:-
Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
(I've changed the hostname and ldap url)
/etc/ldap.conf has:-
base dc=server,dc=domain,dc=com
ldap_version 3
rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
bind_policy soft
pam_password md5
/etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
/etc/pam.d/common-passwd :-
password sufficient pam_ldap.so md5
password required pam_unix.so nullok obscure md5
password optional pam_smbpass.so nullok use_authtok tryfirstpass missingok
/etc/pam.d/common-auth:-
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so usefirstpass
auth requisite pam_deny.so
auth required pam_permit.so
/etc/pam.d/common-account:-
account [success=2 newauthtokreqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
/etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_ldap.so
session optional pamckconnector.so nox11
Does anyone have any ideas where to go from here?
Message was edited by: zebardy

Hi
It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
Page 55 onwards.
From Page 64:
"The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
HTH?
Tony

Brand new Open Directory server not authenticating 10.9, 3.3.2

I'm hoping somebody here has ran into this as it's driving me up a wall.
I'm on a completely clean install of OS X Mavericks, with the installation from the App Store.
On top of that, a completely clean install of Server.app 3.2.2 is installed.
This server has a FQDN, and when I check to see if the hostname resolves in DNS, it totally does. DNS is not turned on as a service, but DNS server settings are correct and the server can hit the outside internet just fine.
So my steps are as follows: Install Mavericks, clean onto a new partition. Update with all patches. Set Static IP. Install Server 3.2.2 which installs without error. Check hostname settings. All good there. Verify permissions. Create OD Master. I cannot get a single newly created with Server.app Local Network user to log in, even with home folders all 100% local to the client machine. I've unbound and rebound the client machine. I've restarted everything. Nothing.
When attempting to log in, if I set it to reset password at next login, the prompt to reset the password will appear. I know at least initial auth is taking place, or I wouldn't be getting a password reset screen. After attempting to reset the password, neither the original temporary nor reset password will work. Users cannot log in.
Here are the errors generated, with my info edited out:
Jan 14 17:49:35 server slapd[111]: passwd_extop: (null) changed password for uid=test,cn=users,dc=controller,dc=domain,dc=edu
Jan 14 17:49:35 server slapd[111]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
Jan 14 17:49:35 server slapd[111]: conn=1181 op=3: attribute "entryCSN" index delete failure
Jan 14 17:49:41 server slapd[111]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
Jan 14 17:49:41 server slapd[111]: conn=1197 op=3: attribute "entryCSN" index delete failure
I understand this is common for users upgrading from 10.6.8 but this is completely clean. I'm not usually administering an OS X server; I'm completely lost.
Have tried: Recreating master, rekerberizing
Using scutil and host to verify the DNS on the server works perfectly. Am I missing something small with DNS? We are a fairly large org with DNS not being provided by this server. If you think a different log file would help, please let me know which one.

What do you get from this:
sudo /usr/libexec/slapd -Tt
Anything in /Library/Logs/slapconfig.log?
Also, have you tried the suggestion here:
Open Directory - Local Network User/Group - GONE

Authentication Delays / Slow Authentication for Open Directory Users

I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
* On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
* In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
* On a remote computer, sharing the screen using an Open Directory user take several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
* Connecting with AFP takes several seconds when using an Open Directory login
* On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
* Connecting with SSH does NOT exhibit the behavior
In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
The history of the problem:
Used Tiger Server for over a year = no problems
Clean install of Leopard Server 10.5.0 back in October = no problems
Update to Leopard Server 10.5.1 = no problems
Then, all of the sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
So in desperation I backed up and did a clean install today. Here's the process I used:
0. Erase the disk
1. Install Leopard Server 10.5.0 from the install DVD
2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
3. Reboot
4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
5. Reboot
6. Configure DNS (see below for detailed configuration)
7. Reboot
8. Change role to Open Directory Master
9. Reboot
... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
== Basic Configuration ==
OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
Services Enabled:
DNS
Open Directory
(All other services are not yet enabled)
== DNS Setup ==
Primary Zone: mydomain.private.
Allows zone transfer: no
Nameservers: ns.mydomain.private.
myserver (Machine) 10.0.22.201
ns (Alias) myserver.mydomain.private.
Reverse Zone: 22.0.10.in-addr.arpa.
10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
Accept recursive queries from the following networks:
localnets
Forwarder IP Addresses:
208.67.222.222
208.67.220.220
== Open Directory Setup ==
Role: Open Directory Master
LDAP Search Base: dc=myserver,dc=mydomain,dc=private
Kerberos Realm: myserver.mydomain.private
== Network Configuration ==
Configure: Manually
IP Address: 10.0.22.201
Subnet Mask: 255.255.255.0
Router: 10.0.22.1
DNS Server: 127.0.0.1
Search Domains: mydomain.private
== Other Stuff ==
Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
Hopefully one of the gurus out there will be able to help me out.
Thanks,
jeff

I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principles in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
== kdc.log ==
Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
== slapd.log ==
Dec 30 18:21:48 myserver slapd[36]: <= bdbsubstringcandidates: (authAuthority) index_param failed (18)
Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
== sudo klist -k ==
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
3 cifs/[email protected]
3 cifs/[email protected]
3 cifs/[email protected]
3 ldap/[email protected]
3 ldap/[email protected]
3 ldap/[email protected]
3 xgrid/[email protected]
3 xgrid/[email protected]
3 xgrid/[email protected]
3 vpn/[email protected]
3 vpn/[email protected]
3 vpn/[email protected]
3 ipp/[email protected]
3 ipp/[email protected]
3 ipp/[email protected]
3 xmpp/[email protected]
3 xmpp/[email protected]
3 xmpp/[email protected]
3 XMPP/[email protected]
3 XMPP/[email protected]
3 XMPP/[email protected]
3 host/[email protected]
3 host/[email protected]
3 host/[email protected]
3 smtp/[email protected]
3 smtp/[email protected]
3 smtp/[email protected]
3 nfs/[email protected]
3 nfs/[email protected]
3 nfs/[email protected]
3 http/[email protected]
3 http/[email protected]
3 http/[email protected]
3 HTTP/[email protected]
3 HTTP/[email protected]
3 HTTP/[email protected]
3 pop/[email protected]
3 pop/[email protected]
3 pop/[email protected]
3 imap/[email protected]
3 imap/[email protected]
3 imap/[email protected]
3 ftp/[email protected]
3 ftp/[email protected]
3 ftp/[email protected]
3 afpserver/[email protected]
3 afpserver/[email protected]
3 afpserver/[email protected]

Initial setup and Open Directory problem

Hi,
I'm new to the MAC OS X server system and trying to get one up and running on a G5.
Unfortunately I can’t get the configuration up and running, and I have the feeling it already goes wrong during the initial setup. I was hoping you guys could help me out.
The purpose of the server is providing network user accounts (DNS + Open Dir.) and providing sharepoints.
I go trough following steps while installing from scratch:
- Install MAC OS X and run the Server install package from the OS X Server DVD (as you know, OSX Server is'n installing directly on G5)
- Choose keyboard layout, enter license and create an account "admin"
- Define static IP "192.168.1.1", add this IP as the first in the list of DNS Servers, add "company.local" in the search domain
- Install as a standalone server (so I can configure dns & other network services after basic setup)
- Check "network time server" (so time will be synced for Kerberos)
- Proceed, install and reboot
OSX Server seems to be installed fine and I can login with "admin". Next step I take is configuring DNS.
- create a zone "companyname.local.", use my IP as server address (192.168.1.1) and use "server" as the server name.
- add a machine record for DNS-testing (called "gateway", with the IP of "192.168.1.254")
Start the DNS service and reboot
- perform an nslookup with a second MAC with 192.168.1.1 as the nameserver and verify that DNS is resolving correctly.
DNS seems to be working fine, now I would like to get the Open Directory service to work:
- change "Standalone" to "Open directory master" in the server configuration panel
- provide a password for the directory admin
- use "SERVER.COMPANYNAME.LOCAL" as kerberos realm, and "dc=server,dc=companyname,dc=local" as the search base
- Save & start the service and perform a reboot to be sure all the new settings are in use
Unfortunately after this install open directory doesn't seem to work fine and also Kerberos doesn't start.
Concerning Kerberos: I get following output in the "Slapconfig log" Open Directory log file:
Starting LDAP server (slapd)
command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=maggie,dc=interesourcegroup,dc=local -w **
Hostname server.companyname.local is from Rendezvous
Skipping Kerberos configuration
Sorry to bother you with the entire walkthrough of the installation, but I have the feeling that I'm missing something while performing the basic install or DNS setup .. ?
Regards,
Seppe
G5 Mac OS X (10.4.6) /

We currently have a static IP and a public dns hosted
by MediaTemple, so I think I can create a subdomain
on MediaTemple and link it to our fixed IP address
("private.companyname.com" >> static ip) instead of
using dydns.. ?
Of course.
I suppose I can then use "private.companyname.com" as
the zone name on my G5 server and use
"server.private.companyname.com" for my local DNS?
Sounds reasonable.
If using this DNS, what will be the Kerberos REALM
and Search Base? And do I still need to specify
private.companyname.com as the Search Base in the
Network Settings of the clients and server?
Well, REALM and LDAP Search Base can set to whatever you like. On the other hand I've seen tools contacting kerberos servers break when the REALM is not part of the kerberos server fqdn.
So I'd stick with the usual recomandations and set kerberos REALM to your domain name (if there is no other kerberos server alread running and using this).
For the LDAP search domain I'd also follow the road of using domain name space as search base.
When dns will finally be setup properly, these setting will be autopopulated for you in the GUI. So test, test, test you dns with
host $ip and host $fqdn and then go on promoting "Standalone Server" to "Open Directory Master".
HTH
-Ralph

How can I get authentication and authorization through OS X open directory with the Sun ZFS STOR ZS3-2

how can I get authentication and authorization through OS X open directory with the Sun ZFS STOR ZS3-2
I have configure NFS, I need help configuring the share that I created in the Sun ZFS STOR ZS3-2 to connect with the OS X Open Directory

Hi,
You may try checking the help page for ldap configuration :
https://<Appliance_IP>:215/wiki/index.php/Configuration:Services:LDAP
ZFS Storage supports LDAP, NIS, AD as directory service.
Hope Open Directory is also based on LDAP and may work in similar fashion.
Thanks
Nitin

Can't complete initial setup - Open Directory problems

"Easy to set up, easy to run" my big ***. On initial bootup, the automatic setup failed. "There may be a problem with the Open Directory." A few days later, it was suddenly working. So I set up and enjoyed one, count em, one user account. Then it stopped working again. I can't set up a Group. I can't use Workgroup Manager successfully, either. The whole server has been one big mess of fail.
Is this a common problem? Is there a fix? A workaround? Do I need to take this thing back??

Check this site out for starters
http://www.wazmac.com/serversnetwork/fileservers/osxserversetup/index.htm
It's not just for schools, and it offers a lot of info on setting up OS X server.
It is possible that there is some hardware problem, but it's more likely that you need to setup the server correctly. If you're not familiar with OS X Server, it's not necessarily easy.

RoundCube Webmail Authenticating against Open Directory on Mountain Lion 10.8.x

Hello all,
I've been battling this issue for over a month with no success. Here is what we got:
Mac Mini Server running Mountain Lion Server 10.8.2 running Calendar, Contacts, Mail and Web services.
With there being no webmail present I've gone thru the process of installing RoundCube.
I'm using Postgres as the database.
When I test the ability to login I get the following error messages in the console.app
10/12/12 10:13:27.071 AM log[182]: auth: Error: od(andrew,::1): Authentication server failed to complete the requested operation.
10/12/12 10:13:27.071 AM log[182]: auth: Error: od(andrew,::1): authentication failed for user=andrew, method=DIGEST-MD5
The first line I find the most interesting but have had no success determinign exactly what it means.
I'm using open directory to authenticate and it is working perfectly with every other service so I'm led to believe it's an issue between RoundCube and Open Directory.
ANY help would be appreciated emmensely!

Sorry about taking so long to get back on here working on this. I've switched over to MySQL. I had a hard time because mysql.sock was located under /tmp/ rather than /var/mysql/ but I fixed that by using the following command:
sudo ln -s /tmp/mysql.sock /var/mysql/mysql.sock
Then I reinstalled roundcube. Here is my main.inc.php file:
<?php
+-----------------------------------------------------------------------+
| Main configuration file                                               |
|                                                                       |
| This file is part of the Roundcube Webmail client                     |
| Copyright (C) 2005-2011, The Roundcube Dev Team                       |
|                                                                       |
| Licensed under the GNU General Public License version 3 or            |
| any later version with exceptions for skins & plugins.                |
| See the README file for a full license statement.                     |
|                                                                       |
+-----------------------------------------------------------------------+
$rcmail_config = array();
// LOGGING/DEBUGGING
// system error reporting: 1 = log; 2 = report (not implemented yet), 4 = show, 8 = trace
$rcmail_config['debug_level'] = 1;
// log driver: 'syslog' or 'file'.
$rcmail_config['log_driver'] = 'file';
// date format for log entries
// (read http://php.net/manual/en/function.date.php for all format characters)
$rcmail_config['log_date_format'] = 'd-M-Y H:i:s O';
// Syslog ident string to use, if using the 'syslog' log driver.
$rcmail_config['syslog_id'] = 'roundcube';
// Syslog facility to use, if using the 'syslog' log driver.
// For possible values see installer or http://php.net/manual/en/function.openlog.php
$rcmail_config['syslog_facility'] = LOG_USER;
// Log sent messages to <log_dir>/sendmail or to syslog
$rcmail_config['smtp_log'] = true;
// Log successful logins to <log_dir>/userlogins or to syslog
$rcmail_config['log_logins'] = false;
// Log session authentication errors to <log_dir>/session or to syslog
$rcmail_config['log_session'] = false;
// Log SQL queries to <log_dir>/sql or to syslog
$rcmail_config['sql_debug'] = false;
// Log IMAP conversation to <log_dir>/imap or to syslog
$rcmail_config['imap_debug'] = false;
// Log LDAP conversation to <log_dir>/ldap or to syslog
$rcmail_config['ldap_debug'] = false;
// Log SMTP conversation to <log_dir>/smtp or to syslog
$rcmail_config['smtp_debug'] = false;
// IMAP
// the mail host chosen to perform the log-in
// leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %d = domain.tld
$rcmail_config['default_host'] = 'localhost';
// TCP port used for IMAP connections
$rcmail_config['default_port'] = 143;
// IMAP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
// best server supported one)
$rcmail_config['imap_auth_type'] = null;
// If you know your imap's folder delimiter, you can specify it here.
// Otherwise it will be determined automatically
$rcmail_config['imap_delimiter'] = null;
// If IMAP server doesn't support NAMESPACE extension, but you're
// using shared folders or personal root folder is non-empty, you'll need to
// set these options. All can be strings or arrays of strings.
// Folders need to be ended with directory separator, e.g. "INBOX."
// (special directory "~" is an exception to this rule)
// These can be used also to overwrite server's namespaces
$rcmail_config['imap_ns_personal'] = null;
$rcmail_config['imap_ns_other']    = null;
$rcmail_config['imap_ns_shared']   = null;
// By default IMAP capabilities are readed after connection to IMAP server
// In some cases, e.g. when using IMAP proxy, there's a need to refresh the list
// after login. Set to True if you've got this case.
$rcmail_config['imap_force_caps'] = false;
// By default list of subscribed folders is determined using LIST-EXTENDED
// extension if available. Some servers (dovecot 1.x) returns wrong results
// for shared namespaces in this case. http://trac.roundcube.net/ticket/1486225
// Enable this option to force LSUB command usage instead.
$rcmail_config['imap_force_lsub'] = false;
// Some server configurations (e.g. Courier) doesn't list folders in all namespaces
// Enable this option to force listing of folders in all namespaces
$rcmail_config['imap_force_ns'] = false;
// IMAP connection timeout, in seconds. Default: 0 (no limit)
$rcmail_config['imap_timeout'] = 0;
// Optional IMAP authentication identifier to be used as authorization proxy
$rcmail_config['imap_auth_cid'] = null;
// Optional IMAP authentication password to be used for imap_auth_cid
$rcmail_config['imap_auth_pw'] = null;
// Type of IMAP indexes cache. Supported values: 'db', 'apc' and 'memcache'.
$rcmail_config['imap_cache'] = null;
// Enables messages cache. Only 'db' cache is supported.
$rcmail_config['messages_cache'] = false;
// SMTP
// SMTP server host (for sending mails).
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// If left blank, the PHP mail() function is used
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
$rcmail_config['smtp_server'] = 'localhost';
// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
$rcmail_config['smtp_port'] = 25;
// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$rcmail_config['smtp_user'] = '';
// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$rcmail_config['smtp_pass'] = '';
// SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
// best server supported one)
$rcmail_config['smtp_auth_type'] = '';
// Optional SMTP authentication identifier to be used as authorization proxy
$rcmail_config['smtp_auth_cid'] = null;
// Optional SMTP authentication password to be used for smtp_auth_cid
$rcmail_config['smtp_auth_pw'] = null;
// SMTP HELO host
// Hostname to give to the remote server for SMTP 'HELO' or 'EHLO' messages
// Leave this blank and you will get the server variable 'server_name' or
// localhost if that isn't defined.
$rcmail_config['smtp_helo_host'] = '';
// SMTP connection timeout, in seconds. Default: 0 (no limit)
$rcmail_config['smtp_timeout'] = 0;
// SYSTEM
// THIS OPTION WILL ALLOW THE INSTALLER TO RUN AND CAN EXPOSE SENSITIVE CONFIG DATA.
// ONLY ENABLE IT IF YOU'RE REALLY SURE WHAT YOU'RE DOING!
$rcmail_config['enable_installer'] = false;
// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$rcmail_config['support_url'] = 'http://www.crawfordworks.ca/contact';
// replace Roundcube logo with this image
// specify an URL relative to the document root of this Roundcube installation
$rcmail_config['skin_logo'] = null;
// automatically create a new Roundcube user when log-in the first time.
// a new user will be created once the IMAP login succeeds.
// set to false if only registered users can use this service
$rcmail_config['auto_create_user'] = true;
// use this folder to store log files (must be writeable for apache user)
// This is used by the 'file' log driver.
$rcmail_config['log_dir'] = 'logs/';
// use this folder to store temp files (must be writeable for apache user)
$rcmail_config['temp_dir'] = 'temp/';
// lifetime of message cache
// possible units: s, m, h, d, w
$rcmail_config['message_cache_lifetime'] = '10d';
// enforce connections over https
// with this option enabled, all non-secure connections will be redirected.
// set the port for the ssl connection as value of this option if it differs from the default 443
$rcmail_config['force_https'] = false;
// tell PHP that it should work as under secure connection
// even if it doesn't recognize it as secure ($_SERVER['HTTPS'] is not set)
// e.g. when you're running Roundcube behind a https proxy
// this option is mutually exclusive to 'force_https' and only either one of them should be set to true.
$rcmail_config['use_https'] = false;
// Allow browser-autocompletion on login form.
// 0 - disabled, 1 - username and host only, 2 - username, host, password
$rcmail_config['login_autocomplete'] = 0;
// Forces conversion of logins to lower case.
// 0 - disabled, 1 - only domain part, 2 - domain and local part.
// If users authentication is not case-sensitive this must be enabled.
// After enabling it all user records need to be updated, e.g. with query:
// UPDATE users SET username = LOWER(username);
$rcmail_config['login_lc'] = 0;
// Includes should be interpreted as PHP files
$rcmail_config['skin_include_php'] = false;
// display software version on login screen
$rcmail_config['display_version'] = false;
// Session lifetime in minutes
// must be greater than 'keep_alive'/60
$rcmail_config['session_lifetime'] = 10;
// session domain: .example.org
$rcmail_config['session_domain'] = '';
// session name. Default: 'roundcube_sessid'
$rcmail_config['session_name'] = null;
// Backend to use for session storage. Can either be 'db' (default) or 'memcache'
// If set to memcache, a list of servers need to be specified in 'memcache_hosts'
// Make sure the Memcache extension (http://pecl.php.net/package/memcache) version >= 2.0.0 is installed
$rcmail_config['session_storage'] = 'db';
// Use these hosts for accessing memcached
// Define any number of hosts in the form of hostname:port or unix:///path/to/sock.file
$rcmail_config['memcache_hosts'] = null; // e.g. array( 'localhost:11211', '192.168.1.12:11211', 'unix:///var/tmp/memcached.sock' );
// check client IP in session athorization
$rcmail_config['ip_check'] = false;
// check referer of incoming requests
$rcmail_config['referer_check'] = false;
// X-Frame-Options HTTP header value sent to prevent from Clickjacking.
// Possible values: sameorigin|deny. Set to false in order to disable sending them
$rcmail_config['x_frame_options'] = 'sameorigin';
// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is enabled).
// please provide a string of exactly 24 chars.
$rcmail_config['des_key'] = 'Qw4jLYQK+MyNLPIRmON7Lq+Z';
// Automatically add this domain to user names for login
// Only for IMAP servers that require full e-mail addresses for login
// Specify an array with 'host' => 'domain' values to support multiple hosts
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
$rcmail_config['username_domain'] = '';
// This domain will be used to form e-mail addresses of new users
// Specify an array with 'host' => 'domain' values to support multiple hosts
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
$rcmail_config['mail_domain'] = '';
// Password charset.
// Use it if your authentication backend doesn't support UTF-8.
// Defaults to ISO-8859-1 for backward compatibility
$rcmail_config['password_charset'] = 'ISO-8859-1';
// How many seconds must pass between emails sent by a user
$rcmail_config['sendmail_delay'] = 0;
// Maximum number of recipients per message. Default: 0 (no limit)
$rcmail_config['max_recipients'] = 0;
// Maximum allowednumber of members of an address group. Default: 0 (no limit)
// If 'max_recipients' is set this value should be less or equal
$rcmail_config['max_group_members'] = 0;
// add this user-agent to message headers when sending
$rcmail_config['useragent'] = 'Roundcube Webmail/'.RCMAIL_VERSION;
// use this name to compose page titles
$rcmail_config['product_name'] = 'Tri Innovations Webmail';
// try to load host-specific configuration
// see http://trac.roundcube.net/wiki/Howto_Config for more details
$rcmail_config['include_host_config'] = false;
// path to a text file which will be added to each sent message
// paths are relative to the Roundcube root folder
$rcmail_config['generic_message_footer'] = '';
// path to a text file which will be added to each sent HTML message
// paths are relative to the Roundcube root folder
$rcmail_config['generic_message_footer_html'] = '';
// add a received header to outgoing mails containing the creators IP and hostname
$rcmail_config['http_received_header'] = false;
// Whether or not to encrypt the IP address and the host name
// these could, in some circles, be considered as sensitive information;
// however, for the administrator, these could be invaluable help
// when tracking down issues.
$rcmail_config['http_received_header_encrypt'] = false;
// This string is used as a delimiter for message headers when sending
// a message via mail() function. Leave empty for auto-detection
$rcmail_config['mail_header_delimiter'] = NULL;
// number of chars allowed for line when wrapping text.
// text wrapping is done when composing/sending messages
$rcmail_config['line_length'] = 72;
// send plaintext messages as format=flowed
$rcmail_config['send_format_flowed'] = true;
// don't allow these settings to be overriden by the user
$rcmail_config['dont_override'] = array();
// Set identities access level:
// 0 - many identities with possibility to edit all params
// 1 - many identities with possibility to edit all params but not email address
// 2 - one identity with possibility to edit all params
// 3 - one identity with possibility to edit all params but not email address
$rcmail_config['identities_level'] = 0;
// Mimetypes supported by the browser.
// attachments of these types will open in a preview window
// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
$rcmail_config['client_mimetypes'] = null; # null == default
// mime magic database
$rcmail_config['mime_magic'] = '/usr/share/misc/magic';
// path to imagemagick identify binary
$rcmail_config['im_identify_path'] = null;
// path to imagemagick convert binary
$rcmail_config['im_convert_path'] = null;
// maximum size of uploaded contact photos in pixel
$rcmail_config['contact_photo_size'] = 160;
// Enable DNS checking for e-mail address validation
$rcmail_config['email_dns_check'] = false;
// PLUGINS
// List of active plugins (in plugins/ directory)
$rcmail_config['plugins'] = array();
// USER INTERFACE
// default messages sort column. Use empty value for default server's sorting,
// or 'arrival', 'date', 'subject', 'from', 'to', 'fromto', 'size', 'cc'
$rcmail_config['message_sort_col'] = '';
// default messages sort order
$rcmail_config['message_sort_order'] = 'DESC';
// These cols are shown in the message list. Available cols are:
// subject, from, to, fromto, cc, replyto, date, size, status, flag, attachment, 'priority'
$rcmail_config['list_cols'] = array('subject', 'status', 'fromto', 'date', 'size', 'flag', 'attachment');
// the default locale setting (leave empty for auto-detection)
// RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR
$rcmail_config['language'] = null;
// use this format for date display (date or strftime format)
$rcmail_config['date_format'] = 'Y-m-d';
// give this choice of date formats to the user to select from
$rcmail_config['date_formats'] = array('Y-m-d', 'd-m-Y', 'Y/m/d', 'm/d/Y', 'd/m/Y', 'd.m.Y', 'j.n.Y');
// use this format for time display (date or strftime format)
$rcmail_config['time_format'] = 'H:i';
// give this choice of time formats to the user to select from
$rcmail_config['time_formats'] = array('G:i', 'H:i', 'g:i a', 'h:i A');
// use this format for short date display (derived from date_format and time_format)
$rcmail_config['date_short'] = 'D H:i';
// use this format for detailed date/time formatting (derived from date_format and time_format)
$rcmail_config['date_long'] = 'Y-m-d H:i';
// store draft message is this mailbox
// leave blank if draft messages should not be stored
// NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
$rcmail_config['drafts_mbox'] = 'Drafts';
// store spam messages in this mailbox
// NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
$rcmail_config['junk_mbox'] = 'Junk';
// store sent message is this mailbox
// leave blank if sent messages should not be stored
// NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
$rcmail_config['sent_mbox'] = 'Sent Messages';
// move messages to this folder when deleting them
// leave blank if they should be deleted directly
// NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
$rcmail_config['trash_mbox'] = 'Trash';
// display these folders separately in the mailbox list.
// these folders will also be displayed with localized names
// NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
$rcmail_config['default_folders'] = array('INBOX', 'Drafts', 'Sent Messages', 'Junk', 'Trash');
// automatically create the above listed default folders on first login
$rcmail_config['create_default_folders'] = false;
// protect the default folders from renames, deletes, and subscription changes
$rcmail_config['protect_default_folders'] = true;
// if in your system 0 quota means no limit set this option to true
$rcmail_config['quota_zero_as_unlimited'] = false;
// Make use of the built-in spell checker. It is based on GoogieSpell.
// Since Google only accepts connections over https your PHP installatation
// requires to be compiled with Open SSL support
$rcmail_config['enable_spellcheck'] = true;
// Enables spellchecker exceptions dictionary.
// Setting it to 'shared' will make the dictionary shared by all users.
$rcmail_config['spellcheck_dictionary'] = false;
// Set the spell checking engine. 'googie' is the default. 'pspell' is also available,
// but requires the Pspell extensions. When using Nox Spell Server, also set 'googie' here.
$rcmail_config['spellcheck_engine'] = 'googie';
// For a locally installed Nox Spell Server, please specify the URI to call it.
// Get Nox Spell Server from http://orangoo.com/labs/?page_id=72
// Leave empty to use the Google spell checking service, what means
// that the message content will be sent to Google in order to check spelling
$rcmail_config['spellcheck_uri'] = '';
// These languages can be selected for spell checking.
// Configure as a PHP style hash array: array('en'=>'English', 'de'=>'Deutsch');
// Leave empty for default set of available language.
$rcmail_config['spellcheck_languages'] = NULL;
// Makes that words with all letters capitalized will be ignored (e.g. GOOGLE)
$rcmail_config['spellcheck_ignore_caps'] = false;
// Makes that words with numbers will be ignored (e.g. g00gle)
$rcmail_config['spellcheck_ignore_nums'] = false;
// Makes that words with symbols will be ignored (e.g. g@@gle)
$rcmail_config['spellcheck_ignore_syms'] = false;
// Use this char/string to separate recipients when composing a new message
$rcmail_config['recipients_separator'] = ',';
// don't let users set pagesize to more than this value if set
$rcmail_config['max_pagesize'] = 200;
// Minimal value of user's 'keep_alive' setting (in seconds)
// Must be less than 'session_lifetime'
$rcmail_config['min_keep_alive'] = 60;
// Enables files upload indicator. Requires APC installed and enabled apc.rfc1867 option.
// By default refresh time is set to 1 second. You can set this value to true
// or any integer value indicating number of seconds.
$rcmail_config['upload_progress'] = false;
// Specifies for how many seconds the Undo button will be available
// after object delete action. Currently used with supporting address book sources.
// Setting it to 0, disables the feature.
$rcmail_config['undo_timeout'] = 0;
// ADDRESSBOOK SETTINGS
// This indicates which type of address book to use. Possible choises:
// 'sql' (default) and 'ldap'.
// If set to 'ldap' then it will look at using the first writable LDAP
// address book as the primary address book and it will not display the
// SQL address book in the 'Address Book' view.
$rcmail_config['address_book_type'] = 'sql';
// In order to enable public ldap search, configure an array like the Verisign
// example further below. if you would like to test, simply uncomment the example.
// Array key must contain only safe characters, ie. a-zA-Z0-9_
$rcmail_config['ldap_public'] = array();
// If you are going to use LDAP for individual address books, you will need to
// set 'user_specific' to true and use the variables to generate the appropriate DNs to access it.
// The recommended directory structure for LDAP is to store all the address book entries
// under the users main entry, e.g.:
// o=root
//   ou=people
//    uid=user@domain
// mail=contact@contactdomain
// So the base_dn would be uid=%fu,ou=people,o=root
// The bind_dn would be the same as based_dn or some super user login.
* example config for Verisign directory
$rcmail_config['ldap_public']['Verisign'] = array(
'name'          => 'Verisign.com',
// Replacement variables supported in host names:
// %h - user's IMAP hostname
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
'hosts'         => array('directory.verisign.com'),
'port'          => 389,
'use_tls'                => false,
'ldap_version' => 3,       // using LDAPv3
'user_specific' => false,   // If true the base_dn, bind_dn and bind_pass default to the user's IMAP login.
// %fu - The full username provided, assumes the username is an email
//       address, uses the username_domain value if not an email address.
// %u - The username prior to the '@'.
// %d - The domain name after the '@'.
// %dc - The domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
// %dn - DN found by ldap search when search_filter/search_base_dn are used
'base_dn'       => '',
'bind_dn'       => '',
'bind_pass'     => '',
// It's possible to bind for an individual address book
// The login name is used to search for the DN to bind with
'search_base_dn' => '',
'search_filter' => '',   // e.g. '(&(objectClass=posixAccount)(uid=%u))'
// DN and password to bind as before searching for bind DN, if anonymous search is not allowed
'search_bind_dn' => '',
'search_bind_pw' => '',
// Default for %dn variable if search doesn't return DN value
'search_dn_default' => '',
// Optional authentication identifier to be used as SASL authorization proxy
// bind_dn need to be empty
'auth_cid'       => '',
// SASL authentication method (for proxy auth), e.g. DIGEST-MD5
'auth_method'    => '',
// Indicates if the addressbook shall be hidden from the list.
// With this option enabled you can still search/view contacts.
'hidden'        => false,
// Indicates if the addressbook shall not list contacts but only allows searching.
'searchonly'    => false,
// Indicates if we can write to the LDAP directory or not.
// If writable is true then these fields need to be populated:
// LDAP_Object_Classes, required_fields, LDAP_rdn
'writable'       => false,
// To create a new contact these are the object classes to specify
// (or any other classes you wish to use).
'LDAP_Object_Classes' => array('top', 'inetOrgPerson'),
// The RDN field that is used for new entries, this field needs
// to be one of the search_fields, the base of base_dn is appended
// to the RDN to insert into the LDAP directory.
'LDAP_rdn'       => 'cn',
// The required fields needed to build a new contact as required by
// the object classes (can include additional fields not required by the object classes).
'required_fields' => array('cn', 'sn', 'mail'),
'search_fields'   => array('mail', 'cn'), // fields to search in
// mapping of contact fields to directory attributes
//   for every attribute one can specify the number of values (limit) allowed.
//   default is 1, a wildcard * means unlimited
'fieldmap' => array(
    // Roundcube => LDAP:limit
    'name'        => 'cn',
    'surname'     => 'sn',
    'firstname'   => 'givenName',
    'title'       => 'title',
    'email'       => 'mail:*',
    'phone:home' => 'homePhone',
    'phone:work' => 'telephoneNumber',
    'phone:mobile' => 'mobile',
    'phone:pager' => 'pager',
    'street'      => 'street',
    'zipcode'     => 'postalCode',
    'region'      => 'st',
    'locality'    => 'l',
// if you uncomment country, you need to modify 'sub_fields' above
//    'country'     => 'c',
    'department' => 'departmentNumber',
    'notes'       => 'description',
// these currently don't work:
//    'phone:workfax' => 'facsimileTelephoneNumber',
//    'photo'        => 'jpegPhoto',
//    'organization' => 'o',
//    'manager'      => 'manager',
//    'assistant'    => 'secretary',
// Map of contact sub-objects (attribute name => objectClass(es)), e.g. 'c' => 'country'
'sub_fields' => array(),
'sort'          => 'cn',    // The field to sort the listing by.
'scope'         => 'sub',   // search mode: sub|base|list
'filter'        => '(objectClass=inetOrgPerson)',      // used for basic listing (if not empty) and will be &'d with search queries. example: status=act
'fuzzy_search' => true,    // server allows wildcard search
'vlv'           => false,   // Enable Virtual List View to more efficiently fetch paginated data (if server supports it)
'numsub_filter' => '(objectClass=organizationalUnit)',   // with VLV, we also use numSubOrdinates to query the total number of records. Set this filter to get all numSubOrdinates attributes for counting
'sizelimit'     => '0',     // Enables you to limit the count of entries fetched. Setting this to 0 means no limit.
'timelimit'     => '0',     // Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit.
'referrals'     => true|false, // Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups
// definition for contact groups (uncomment if no groups are supported)
// for the groups base_dn, the user replacements %fu, %u, $d and %dc work as for base_dn (see above)
// if the groups base_dn is empty, the contact base_dn is used for the groups as well
// -> in this case, assure that groups and contacts are separated due to the concernig filters!
'groups'        => array(
    'base_dn'     => '',
    'scope'       => 'sub',   // search mode: sub|base|list
    'filter'      => '(objectClass=groupOfNames)',
    'object_classes' => array("top", "groupOfNames"),
    'member_attr' => 'member',   // name of the member attribute, e.g. uniqueMember
    'name_attr'    => 'cn',       // attribute to be used as group name
// An ordered array of the ids of the addressbooks that should be searched
// when populating address autocomplete fields server-side. ex: array('sql','Verisign');
$rcmail_config['autocomplete_addressbooks'] = array('sql');
// The minimum number of characters required to be typed in an autocomplete field
// before address books will be searched. Most useful for LDAP directories that
// may need to do lengthy results building given overly-broad searches
$rcmail_config['autocomplete_min_length'] = 1;
// Number of parallel autocomplete requests.
// If there's more than one address book, n parallel (async) requests will be created,
// where each request will search in one address book. By default (0), all address
// books are searched in one request.
$rcmail_config['autocomplete_threads'] = 0;
// Max. numer of entries in autocomplete popup. Default: 15.
$rcmail_config['autocomplete_max'] = 15;
// show address fields in this order
// available placeholders: {street}, {locality}, {zipcode}, {country}, {region}
$rcmail_config['address_template'] = '{street}<br/>{locality} {zipcode}<br/>{country} {region}';
// Matching mode for addressbook search (including autocompletion)
// 0 - partial (*abc*), default
// 1 - strict (abc)
// 2 - prefix (abc*)
// Note: For LDAP sources fuzzy_search must be enabled to use 'partial' or 'prefix' mode
$rcmail_config['addressbook_search_mode'] = 0;
// USER PREFERENCES
// Use this charset as fallback for message decoding
$rcmail_config['default_charset'] = 'ISO-8859-1';
// skin name: folder from skins/
$rcmail_config['skin'] = 'larry';
// show up to X items in messages list view
$rcmail_config['mail_pagesize'] = 50;
// show up to X items in contacts list view
$rcmail_config['addressbook_pagesize'] = 50;
// sort contacts by this col (preferably either one of name, firstname, surname)
$rcmail_config['addressbook_sort_col'] = 'surname';
// the way how contact names are displayed in the list
// 0: display name
// 1: (prefix) firstname middlename surname (suffix)
// 2: (prefix) surname firstname middlename (suffix)
// 3: (prefix) surname, firstname middlename (suffix)
$rcmail_config['addressbook_name_listing'] = 0;
// use this timezone to display date/time
// valid timezone identifers are listed here: php.net/manual/en/timezones.php
// 'auto' will use the browser's timezone settings
$rcmail_config['timezone'] = 'auto';
// prefer displaying HTML messages
$rcmail_config['prefer_html'] = true;
// display remote inline images
// 0 - Never, always ask
// 1 - Ask if sender is not in address book
// 2 - Always show inline images
$rcmail_config['show_images'] = 0;
// compose html formatted messages by default
// 0 - never, 1 - always, 2 - on reply to HTML message only
$rcmail_config['htmleditor'] = 0;
// show pretty dates as standard
$rcmail_config['prettydate'] = true;
// save compose message every 300 seconds (5min)
$rcmail_config['draft_autosave'] = 300;
// default setting if preview pane is enabled
$rcmail_config['preview_pane'] = false;
// Mark as read when viewed in preview pane (delay in seconds)
// Set to -1 if messages in preview pane should not be marked as read
$rcmail_config['preview_pane_mark_read'] = 0;
// Clear Trash on logout
$rcmail_config['logout_purge'] = false;
// Compact INBOX on logout
$rcmail_config['logout_expunge'] = false;
// Display attached images below the message body
$rcmail_config['inline_images'] = true;
// Encoding of long/non-ascii attachment names:
// 0 - Full RFC 2231 compatible
// 1 - RFC 2047 for 'name' and RFC 2231 for 'filename' parameter (Thunderbird's default)
// 2 - Full 2047 compatible
$rcmail_config['mime_param_folding'] = 0;
// Set true if deleted messages should not be displayed
// This will make the application run slower
$rcmail_config['skip_deleted'] = false;
// Set true to Mark deleted messages as read as well as deleted
// False means that a message's read status is not affected by marking it as deleted
$rcmail_config['read_when_deleted'] = true;
// Set to true to never delete messages immediately
// Use 'Purge' to remove messages marked as deleted
$rcmail_config['flag_for_deletion'] = false;
// Default interval for keep-alive/check-recent requests (in seconds)
// Must be greater than or equal to 'min_keep_alive' and less than 'session_lifetime'
$rcmail_config['keep_alive'] = 60;
// If true all folders will be checked for recent messages
$rcmail_config['check_all_folders'] = false;
// If true, after message delete/move, the next message will be displayed
$rcmail_config['display_next'] = false;
// 0 - Do not expand threads
// 1 - Expand all threads automatically
// 2 - Expand only threads with unread messages
$rcmail_config['autoexpand_threads'] = 0;
// When replying place cursor above original message (top posting)
$rcmail_config['top_posting'] = false;
// When replying strip original signature from message
$rcmail_config['strip_existing_sig'] = true;
// Show signature:
// 0 - Never
// 1 - Always
// 2 - New messages only
// 3 - Forwards and Replies only
$rcmail_config['show_sig'] = 1;
// When replying or forwarding place sender's signature above existing message
$rcmail_config['sig_above'] = false;
// Use MIME encoding (quoted-printable) for 8bit characters in message body
$rcmail_config['force_7bit'] = false;
// Defaults of the search field configuration.
// The array can contain a per-folder list of header fields which should be considered when searching
// The entry with key '*' stands for all folders which do not have a specific list set.
// Please note that folder names should to be in sync with $rcmail_config['default_folders']
$rcmail_config['search_mods'] = null; // Example: array('*' => array('subject'=>1, 'from'=>1), 'Sent' => array('subject'=>1, 'to'=>1));
// Defaults of the addressbook search field configuration.
$rcmail_config['addressbook_search_mods'] = null; // Example: array('name'=>1, 'firstname'=>1, 'surname'=>1, 'email'=>1, '*'=>1);
// 'Delete always'
// This setting reflects if mail should be always deleted
// when moving to Trash fails. This is necessary in some setups
// when user is over quota and Trash is included in the quota.
$rcmail_config['delete_always'] = false;
// Directly delete messages in Junk instead of moving to Trash
$rcmail_config['delete_junk'] = false;
// Behavior if a received message requests a message delivery notification (read receipt)
// 0 = ask the user, 1 = send automatically, 2 = ignore (never send or ask)
// 3 = send automatically if sender is in addressbook, otherwise ask the user
// 4 = send automatically if sender is in addressbook, otherwise ignore
$rcmail_config['mdn_requests'] = 0;
// Return receipt checkbox default state
$rcmail_config['mdn_default'] = 0;
// Delivery Status Notification checkbox default state
$rcmail_config['dsn_default'] = 0;
// Place replies in the folder of the message being replied to
$rcmail_config['reply_same_folder'] = false;
// Sets default mode of Forward feature to "forward as attachment"
$rcmail_config['forward_attachment'] = false;
// Defines address book (internal index) to which new contacts will be added
// By default it is the first writeable addressbook.
// Note: Use '0' for built-in address book.
$rcmail_config['default_addressbook'] = null;
// Enables spell checking before sending a message.
$rcmail_config['spellcheck_before_send'] = false;
// Skip alternative email addresses in autocompletion (show one address per contact)
$rcmail_config['autocomplete_single'] = false;
// Default font for composed HTML message.
// Supported values: Andale Mono, Arial, Arial Black, Book Antiqua, Courier New,
// Georgia, Helvetica, Impact, Tahoma, Terminal, Times New Roman, Trebuchet MS, Verdana
$rcmail_config['default_font'] = '';
// end of config file

Use Open Directory on Mac OS X Server for Airport authentication?

Is it possible to set up an Airport Extreme network so that only people with user names and passwords in the Open Directory on my Mac OS X Server can access it?
I'm picturing a scenario where users would be prompted for the same user name and password they use for other network services when they attempt to join the wireless network.
Our Airport Extreme access point is connected to the second Ethernet port on an original-model XServe that's running Mac OS X Server 10.3.9 (soon to be upgraded to 10.4.x).

Is it possible to set up an Airport Extreme network
so that only people with user names and passwords in
the Open Directory on my Mac OS X Server can access
it?
I'm picturing a scenario where users would be
prompted for the same user name and password they use
for other network services when they attempt to join
the wireless network.
Our Airport Extreme access point is connected to the
second Ethernet port on an original-model XServe
that's running Mac OS X Server 10.3.9 (soon to be
upgraded to 10.4.x).
What you seem to be describing, is WPA2/Enterprise level security. This would require you to run some type of Radius Server on your XServe, and you would simply duplicate the name & password they use on the XServe on the Radius Server. BTW, this is considered one of the most secure methods of running a wireless network in the corporate world.
You will however, have to research Radius & it's requirements, as I have not yet implemented that on my own system. HTH.
Regards,
Albert
G4 QuickSilver01 OWC 1.47Ghz CPU 1.5GB RAM 740GB HDD Mac OS X (10.4.3) 17" Aluminum PowerBook G4 1.33Ghz CPU 1.5GB RAM 80GB HD

Open Directory not working for AFP authentication

Scenario:
- Running OS X Server (10.9) using FileSharing with AFP to share to multiple users.
- Currently the users login with local user accounts to gain access. I'd like to use our Open Directory server to authenticate instead (save me maintaining local users).
Issue:
- I added the OD server to Apple > System Prefs > Users > Login Options but when users attempt to login with their OD name/password, it doesn't recognize their credentials. Their local user accounts work fine and I've added their OD names to the access list for the various directories on the server.
I'm assuming I need to add the OD server somewhere else on the computer to get OS X to bind to it. Appreciate any input here.

Logs?

Creating Open Directory Replica fails with Server Admin Error Value 1127

Hallo,
I have seen a lot of similar threads here and they were helpful up to a certain point, but in the end, they did not solve my problem.
Currently, it comes down to this. The Server Admin Error message ist really meaningless and I could not find a single for the error value on the whole wide web. As such, I switched to the command line versions of the tools involved to geht more meaningful results. It worked. Specifically, creating a replica of an openldap master means using slapconfig.
When executing
slapconfig -createreplica master.ourdomain.com diradmin
as root on the prospective replica machine, I get the following error message:
ssh command failed with status 127
That command is not allowed with the root account via public key authentication.
That makes perfect sense to me, but how is it meant to work then?
Executing slapconfig as admin tells me that this tool is to be executed as root. On the other hand, root login via ssh is not allowed in Mac OS X by default, which seems fine to me. I even changed /etc/sshd_config on the Open Directory Master machine to "PermitRootLogin yes". However, neither reloading ssh using launchctl nor restarting the whole server made this setting operational. Trying to login from command line as root still tells me:
root login is not permitted to this machine via public key authentication.
While this is the current state where I need help urgently, I changed some other things before. I tell about to exclude these issues as possible reason of failure. I got this message for quite a while:
Replica Setup failed : This machine does not have a valid computer name
I was sure, this machine meant the target machine, the open directory master, because the domain had changed there once before I had taken over responsibility as an admin in this environment. And in fact, changeip disguised an issue there. The command proposed by changeip to fix the situation did not seem appropriate because this machine is multihomed with a public and a private IP adress. Proper name resolution is available for both interfaces including reverse lookup. I dont like this setup, but it was the only way to get mail service running smoothly. Running changeip on the machine itself using these arguments
changeip /LDAPv3/127.0.0.1 internalIP internalIP old.ours.com current.ours.com
reported success in updating password server, open directory, both interfaces, hostconfig (which in fact did not change) and samba. It reported an issue with kadmin which is related to Kerberos (we dont use Kerberos yet).
Changing the hostname of the server using changeip did not solve the issue. I then found the hint to check with scutil. This showed that the Hostname was not set on the prospective replica machine. (A question aside: in how many place is the hostname stored? The traditional /etc/hostname has gone, but seems to be replaces with several other configuration files and databases. I cant see this as an advantage). Setting the hostname using scutil worked fine. However, it did not solve the problem either. At least, slapconfig now started to complain about not being able to log in as root instead of failing from the start.
I also checked all log files on bboth machines that might have to do with openldap, as there are /var/log/slapd.log, /var/log/system.log and /Library/Log/slapconfig.log. I also checked the log of th layer on top of openldap which is /Library/Log/DirectoryService.server.log. None of them revealed anything noticeable beside a lot of of entries that I have googled in the last few hours and which all dont seem to be associated with the problem in question.
I will take a break now, but I have to fix this until tomorrow and I hope to get the ultimate hint from you, dear reader.
Thanks and bye, Christian Völker

ssh command failed with status 127
That command is not allowed with the root account via public key authentication.
Initial OD replication takes place via 'ssh'. If you have 'sshd' configured on the OD Master to authenticate with public keys then the OD replica will not be able to communicate with the OD Master via 'ssh'. You must configure the OD Master to use 'ssh' with password authentication and root login enabled.
Demote the replica back to standalone. Stop any services that you may have running on the primary network interface. Then stop any services that you may have running on the secondary network interface. In the 'Network' System Prefpane remove the IP number from the secondary interface then deactivate the secondary network interface.
Assign the private IP address and hostname that you wish to use for the replica to the primary network interface. Assign the 'public' IP number to the secondary interface. Check the DNS to see that the IP address and hostname for the primary network interface resolve both forward and reverse for the hostname of the replica that you have chosen. If it does not, fix your DNS before proceeding.
In the 'Sharing' System Prefpane, change the name of the machine to the hostname (server.domain.tld) of the replica that you have chosen. Then use 'changeip -checkhostname' to see if the IP/hostname matches. Fix it if it doesn't.
Then configure the /etc/sshd_config file on the OD master like this:
\# Authentication:
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication no
and the /etc/ssh_config file on the OD replica like this:
PasswordAuthentication yes
PubkeyAuthentication no
Then from the OD replica as the 'root' user issue:
slapconfig -createreplica <ODMasterIPorFQDN> <diradmin user>
Make sure that the 'diradmin' user's password contains only alpha-numeric characters -no 'option-characters' or symbols, change it first if it does. Once the process completes, reactivate the secondary interface for the 'public' IP and check the configuration of services that will be using that IP, then start your other services. Secure the 'ssh' service on both machines to disable password authentication and 'root' logins.

Initial Open Directory Authentication

Similar Messages

Maybe you are looking for