Services won't allow users to authenticate via Open Directory

Greetings! I have been pulling my hair out for a long time over this and wondering if anyone has seen something similar or has anything I can try.
It's a bit confusing so I'll try to lay it out so it's not too crazy.
*The setup:*
Leopard server hosting services including Podcast Producer, AFP, SMB and iCal
External OpenLDAP directory server
*The problem:*
I have set up our test Leopard server and got all services working. While this server is set up as an OD master I can authenticate and use the services without problem. However, we have an external LDAP server running OpenLDAP. If I try to authenticate with any of the users from the external LDAP server, they are not able to log in to any service except AFP!!!
*What I've Done:*
I've set up the server trying two methods: magic triangle and augmented records. Both seem to yield the same result. I can see the LDAP users in Workgroup Manager and I can even nest them into groups on the local Leopard LDAP server. Some other possibly useful info:
A log entry in the Podcast Producer log dealing with authentication:
[error] [client xxx.xxx.11.122] moddigestapple: Unable to authenticate for URI "/podcastproducer/workflows" from user "testuser" for realm "PodcastProducer" at location "/LDAPv3/ldap.ourschool.edu" from the directory because user's password type is not compatible with digest authentication.
If I edit /etc/smb.conf and delete the line "passdb backend = opendirectorysam guest", Windows users can successfully authenticate via SMB.
On our old Tiger server, we had a magic triangle setup. That machine only ran SMB and AFP, and it experienced the same problem with SMB and needing to delete that line.
I think these things may be related, but I'm not sure where to look next. Any help would be greatly appreciated! Thank you for any suggestions you can provide.
Steve

I've followed the Apple KB articles for enabling Wiki access and Podcast Producer access. Users can now authenticate.

Similar Messages

  • HELP: Can't get iMac users to authenticate via OpenLDAP on external server

    Faculty policies require only registered students may use our iMacs. So I need to set up 20+ machines to allow login after authentication via OpenLDAP (directory replica stored on a remote server at ldapdir.myorg.com).
    (1) Is it possible to configure the login window to automatically redirect login attempts with username&passwd to the remote directory? How?
    (2) How do users reach this server when fast user switching is ON?
    Thx
    - HM -

    Hi
    Is it possible to configure the login window to automatically redirect login attempts with username&passwd to the remote directory? How?
    Yes. System Preferences > Accounts > Log in Options > Switch off automatic login
    (2) How do users reach this server when fast user switching is ON?
    MCX supports fast user switching at the Machines level (Computer lists); just enable the feature by clicking the appropriate button. Of course you would have to bind the clients to the LDAP Server first. Applications > Utilities > Directory Access. Select the LDAPv3 plug-in and click Configure, click Show Options and click New. Add the IP Address of the LDAP Server in the address field and click Continue. For the FQDN to work, the IP address of the LDAP Server would have to be configured in the DNS Servers field of the client’s Network preference pane. You can either do this manually or configure the DHCP Server/Service to do this for you. If the DHCP Server/Service is already doing this then you might find the LDAP Server details are automatically configured in Directory Access. By default Directory Access looks for DHCP-supplied LDAP Servers.
    You may find downloading the Open Directory Admin Manual of benefit:
    http://images.apple.com/server/pdfs/OpenDirectoryv10.4.pdf
    Tony

  • iTunes now won't allow users to categorise videos, i.e. move from Film to Podcast

    iTunes now won't allow users to categorise videos, i.e. move from Film to Podcast. Why not? Infuriating.
    Respect your customers or you'll lose us! Android/Windows are flexible.

    Just to add, iTunes needs to allow users to define their own file hierarchy.

  • OS X Server 3 with Mavericks: it will not load the assistant with Open Directory and will not allow me to use the old Open Directory. It was not a clean install, just an upgrade. Any help or advice appreciated as I really need the server.

    OS X Server 3 with Mavericks: it will not load the assistant with Open Directory and will not allow me to use the old Open Directory. It was not a clean install, just an upgrade. Any help or advice appreciated as I really need the server.

    I wonder if the disk being referred to is actually your iPod which is not plugged in. Maybe something has stuck thinking the iPod should be there.
    Try completely removing all the iTunes related programs according to this method.
    http://support.apple.com/kb/HT1923
    Restart your PC and see if startup improves.
    If it doesn't improve you need to consider the possibility that there is something else going on.
    If the problem goes away, hopefully a fresh install will be OK.

  • Tomcat 5.5 service won't start with jmxremote.authenticate=true

    The Tomcat5 service (5.5.17) starts fine on XP if I set com.sun.management.jmxremote.authenticate=false in the Tomcat5W.exe (gui for setting properties of the service). However, when I set authenticate=true (or omit it), I get the error:
    "Could not start the Apache Tomcat Tomcat5 service on Local Computer. Error 1067: The process terminated unexpectedly." I have created a jmx.remote.password file from the jmx.remote.password.template. I left it in the default location in %JRE_HOME%\lib\management. I also set the file properties so that I am the only user on the security tab, and I have full control. Any ideas?

    Does using Tomcat5W.exe require uninstalling and then re-installing the service to take effect?
    I had a similar issue recently, but had the requirement that I could not uninstall and re-install the service. So I had to use the Tomcat5 service updater via the command line. The main problem I ran into was getting the security set properly on the password file. Also, I did not use the default location for the files, but put them in the Tomcat directory. Here's a summary of what I did:
    1. Stop the service.
    2. Run the command "service.bat remove" from the Tomcat bin directory.
    3. Add the following Java options to service.bat:
    -Dcom.sun.management.jmxremote
    -Dcom.sun.management.jmxremote.port=1092
    -Dcom.sun.management.jmxremote.ssl=false
    -Dcom.sun.management.jmxremote.authenticate=true
    -Dcom.sun.management.jmxremote.password.file=c:\tomcat\Tomcat 5.5\conf\jmxremote.password
    -Dcom.sun.management.jmxremote.access.file=c:\tomcat\Tomcat 5.5\conf\jmxremote.access
    4. Follow the instructions to secure the password file: http://java.sun.com/j2se/1.5.0/docs/guide/management/security-windows.html
    5. Start the service.
    I was not able to remove the service, so I actually did this:
    The following will update the windows service named Tomcat5 and add the jvm options to enable jmx remote monitoring with password authentication. Replace Tomcat5 with your service name, and also, you can change the listen port to your desired port.
    C:\>tomcat5 //US//Tomcat5 --JvmOptions="-Dcom.sun.management.jmxremote;-Dcom.sun.management.jmxremote.port=1092;-Dcom.sun.management.jmxremote.ssl=false;-Dcom.sun.management.jmxremote.authenticate=true;-Dcom.sun.management.jmxremote.password.file=c:\tomcat\Tomcat 5.5\conf\jmxremote.password;-Dcom.sun.management.jmxremote.access.file=c:\tomcat\Tomcat 5.5\conf\jmxremote.access"
    Lastly, I followed exactly these steps to secure the password file (which it seems you did).
    http://java.sun.com/j2se/1.5.0/docs/guide/management/security-windows.html
    - Alper

  • IWeb Blogging:  Allowing Users to Subscribe Via Email?

    I just created a blog and website in iWeb. Is there a way to allow users to subscribe to my blog via email so they are notified of new blog entries over email? Currently, all I have on my website is an RSS feed.

    Create a form in an HTML snippet that sends info to your email, or place an email link on your page where visitors send an email to you with their address and desire to subscribe. There are many form services available and you can find countless email form tutorials in Google search results. Compile the subscription email addresses into a database or Mail group and BCC or MailChimp your updates to the group. Also... users can subscribe through RSS to their email.

  • SSH user, via Open Directory, can't SUDO...

    On three of my Xserves I have SSH access restricted to a handful of users and these users are Open Directory-based users. Aside from the fact that these users don't have a home directory on the servers they connect to (as they're not local users to those machines), I'm having an issue where, when they try and run a command via SUDO, they get an error stating they are not in the sudoers file and thus can't complete the command.
    I'm wondering if anyone has a solution for this? Should I not be using OD-based users for SSH?
    Thanks,
    Kristin.

    Sure, you can use OD-based users and sudo.
    Maybe add your users to the domain's Administrators group, which, by default, would grant sudo on the member machines. Careful, though, as that's the _domain_ administration group. If you need to restrict access so they can't make domain admin level changes but so they can do just about anything on your member servers and workstations, you could just create a new sudo group, maybe called "sudo-admins" then append an appropriate line to the sudoers files on all of your machines... maybe a line that reads:
    %sudo-admins  ALL=(ALL) ALL
    (standard warning about using caution while editing sudoers goes here -- be careful)

  • Users cannot connect to Open Directory Leopard server

    Just testing Leopard server and running into all sorts of problems...
    Clean install of Leopard Server running DNS, AFP and Open Directory.
    Set up DNS first and checked both forward and reverse look-up was correct.
    Promoted to Open Directory master from Standalone.
    Created two test user accounts (without Home directories) and gave them access to a specific sharepoint.
    Setup LDAP on the client machine (Leopard client) and could see the user accounts in the Directory app.
    Try to log in.....'username or password incorrect'.
    Check the OD logs and cannot find any reference to the attempted log-in.
    I understand that it appears that user accounts require a Home Directory in Leopard, regardless of whether you actually want one (I don't). I tried creating a home directory using Workgroup Manager but as noted in other threads, the 'create home directory' button doesn't work.
    I then created a home directory via the command line for one of the user accounts but am still unable to log in.
    Any ideas?
    Thanks.

    This may be a stupid question but have you run sudo chown on the user's home directory after creating it?
    I had the same problem and my solution is posted here: http://discussions.apple.com/thread.jspa?threadID=1290158&tstart=0
    Let me know if that works. If not, we'll work on it together.

  • Creating User Acct's in Open Directory from External Source

    Hello,
    I am trying to find a way to automate the creation of user accounts in OpenDirectory. I have a MS SQL database that has the usernames and passwords in it now, and I'm looking to export those out of there and have an automatic way to create matching accounts in the OpenDirectory service on OSX Server.
    Gary

    It's unfortunate that there's no better way to do this. We're using ssh with a pre-shared key to our Open Directory server to run a script which runs dsimport to create the accounts on the Open Directory.
    This works fine for importing/creating accounts, but it doesn't help us change passwords that we are pushing down to Open Directory from our metadirectory solution.
    Here's the Python we use to generate the dsimport entries (the header's four hex values declare the record, escape, field and value delimiters: newline, backslash, colon and comma):
    <pre>dsimport_base = '0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 11 dsAttrTypeStandard:RecordName dsAttrTypeStandard:GeneratedUID dsAttrTypeStandard:AuthMethod dsAttrTypeStandard:Password dsAttrTypeStandard:UniqueID dsAttrTypeStan\
    dard:PrimaryGroupID dsAttrTypeStandard:RealName dsAttrTypeStandard:UserShell dsAttrTypeStandard:HomeDirectory dsAttrTypeStandard:EMailAddress dsAttrTypeNative:postOfficeBox'
    dsimport_entry = '%s:%s:dsAuthMethodStandard\\:dsAuthClearText:%s:%s:%s:%s:%s:%s:%s:Ganymede managed [%s]'
    params = (obj.Username,
              obj.Global_UID,
              obj.Password.plaintext,
              obj.UID,
              self.getPrimaryGID(obj),
              obj.Full_Name,
              obj.Login_Shell,
              '/Users/' + obj.Username,
              obj.Username + '@arlut.utexas.edu',
              obj._oid)
    # escape the field delimiter in every value so a ':' in a name cannot shift the columns
    new_entry = dsimport_base + '\n' + dsimport_entry % tuple([str(value).replace(':', '\\:') for value in params]) + '\n' # not handling signature aliases yet</pre>
    and here's the Perl that is run on the far end of the ssh pipeline, which reads the list of 'new_entry' lines generated by our Python:
    <pre>#!/usr/bin/perl
    # This script receives files on STDIN and runs dsimport on them.
    # Jonathan Abbey
    # 22 October 2009
    use File::Temp qw/ tempfile tempdir /;
    $adminuser = 'diradmin';
    $adminpass = 'seekret';
    ($fh, $filename) = tempfile();
    @users = ();
    while (<STDIN>) {
        # data lines start with the record name; the header line starts with "0x0A"
        if (/^([^0][^:]+):/) {
            push(@users, $1);
        }
        print $_;
        print $fh $_;
    }
    close($fh);
    system('/usr/bin/dsimport', '-g', $filename, '/LDAPv3/127.0.0.1', 'O', '-u', $adminuser, '-p', $adminpass, '-v');
    unlink($filename);
    # stop the imported users from changing the password we manage for them
    foreach $user (@users) {
        system('/usr/bin/pwpolicy', '-a', $adminuser, '-p', $adminpass, '-u', $user, '-setpolicy', 'canModifyPasswordforSelf=0');
    }</pre>
    We've been trying to use kadmin to change passwords, but it seems flaky, with occasional 'policy reject' complaints breaking the sync.
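    The record builder above escapes only ':'. The following is an added example (not the poster's script, and not part of the original thread) that generates the same dsimport record with every reserved delimiter escaped and then parses the line back to prove a ':' or ',' in a display name cannot shift the password column; the user dict and the mail domain are constructed assumptions.

```python
"""Generate a dsimport record for an Open Directory user with full delimiter
escaping.  Added example, not the poster's script: it uses the same header the
post shows, but escapes backslash and ',' as well as ':' and refuses newlines."""

# Delimiters declared by the "0x0A 0x5C 0x3A 0x2C" header in the post:
# record end = newline, escape = backslash, field = colon, value = comma.
RECORD_DELIM, ESCAPE, FIELD_DELIM, VALUE_DELIM = "\n", "\\", ":", ","

ATTRIBUTES = [
    "dsAttrTypeStandard:RecordName", "dsAttrTypeStandard:GeneratedUID",
    "dsAttrTypeStandard:AuthMethod", "dsAttrTypeStandard:Password",
    "dsAttrTypeStandard:UniqueID", "dsAttrTypeStandard:PrimaryGroupID",
    "dsAttrTypeStandard:RealName", "dsAttrTypeStandard:UserShell",
    "dsAttrTypeStandard:HomeDirectory", "dsAttrTypeStandard:EMailAddress",
    "dsAttrTypeNative:postOfficeBox",
]
HEADER = "0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users %d %s" % (
    len(ATTRIBUTES), " ".join(ATTRIBUTES))

# Constructed sample user; the poster's code pulls these from a metadirectory.
SAMPLE_USER = {
    "username": "jdoe", "generated_uid": "00000000-0000-0000-0000-000000000001",
    "password": "pa:ss,word\\x", "uid": 1042, "gid": 20,
    "real_name": "Doe, Jane: Admin", "shell": "/bin/bash", "oid": "4711",
}


def dsimport_escape(value):
    """Escape one field value.  Backslash is handled first so the escapes
    added for ':' and ',' are not themselves doubled.  A newline cannot be
    escaped (it is the record terminator), so it is rejected outright."""
    value = str(value)
    if "\n" in value or "\r" in value:
        raise ValueError("newline not allowed in dsimport value: %r" % value)
    for ch in (ESCAPE, FIELD_DELIM, VALUE_DELIM):
        value = value.replace(ch, ESCAPE + ch)
    return value


def build_record(user):
    """Return header plus one record line, ready for 'dsimport -g'."""
    fields = [
        user["username"], user["generated_uid"],
        "dsAuthMethodStandard:dsAuthClearText", user["password"],
        user["uid"], user["gid"], user["real_name"], user["shell"],
        "/Users/" + user["username"],
        user["username"] + "@example.edu",          # assumed mail domain
        "Ganymede managed [%s]" % user["oid"],
    ]
    line = FIELD_DELIM.join(dsimport_escape(f) for f in fields)
    return HEADER + RECORD_DELIM + line + RECORD_DELIM


def split_fields(line):
    """Split a record line back into unescaped values, honouring the escape
    character, so an escaped ':' inside a value does not start a new field."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == ESCAPE and i + 1 < len(line):
            current.append(line[i + 1])
            i += 2
            continue
        if ch == FIELD_DELIM:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def record_fields(user):
    """Build a record and parse its data line back: the field count must
    equal the attribute count and every value must round-trip unchanged."""
    data_line = build_record(user).split(RECORD_DELIM)[1]
    return split_fields(data_line)


if __name__ == "__main__":
    print(build_record(SAMPLE_USER))
    print(record_fields(SAMPLE_USER))
```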

  • Php authenticate to Open Directory

    I have a Mac OS X Server with several realms, including some which require ssl. At present, when attempting to open a file in the secure realms, the default 401 http (or in this case https) authentication browser dialogue is brought up to request ID and password.
    Ideally, I would like to avoid this by inputting the ID and password in a form (which I can customise, e.g. with help tips) which is submitted to a php script. I imagine if the form was in the secure realm, but accessible to all, and the script to which it was directed looked up the ID and password from Open Directory or LDAP(?) then I may be able to achieve this. However, I am at a loss as to how I can access the Open Directory IDs and passwords via php. Does anyone have any experience with this? According to phpinfo(), OpenLDAP 3001 is enabled.
    Alternatively, I would be interested if anyone has some other customisable authentication method for accessing a secure realm.

    The process is basically:
    1. connect to ldap server
    2. search for user by login name given
    3. if user is found, try binding to server with login name and password given
    4. if binding is successful then user supplied correct name and password; else login fails
    Here is a snippet of my login function:
    <pre>function login($name, $pass)
    {
        // Refuse empty credentials up front: binding with an empty password is
        // an anonymous bind on most servers and would "succeed" for any name.
        if (empty($name) || empty($pass)) {
            return false;
        }
        // connect to ldap
        $ldap_connect = ldap_connect("ldap.domain.com");
        if ($ldap_connect === false) {
            return false;
        }
        ldap_set_option($ldap_connect, LDAP_OPT_PROTOCOL_VERSION, 3);
        $dn = 'dc=domain,dc=com';
        // escape the user-supplied name so it cannot change the filter's structure
        $safe_name = ldap_escape($name, '', LDAP_ESCAPE_FILTER);
        $filter = "(&(objectclass=person)(userPassword=*)(|(uid=$safe_name)(cn=$safe_name)))";
        $attributes = array('cn', 'userpassword', 'uid');
        $search_result = ldap_search($ldap_connect, $dn, $filter, $attributes);
        if ($search_result === false) {
            return false;
        }
        $info = ldap_get_entries($ldap_connect, $search_result);
        // exactly one match: no user, or an ambiguous uid/cn match, is a failed login
        if ($info['count'] != 1) {
            return false;
        }
        // bind as the entry found; a successful bind proves the password
        $ldap_bind = @ldap_bind($ldap_connect, $info[0]['dn'], $pass);
        return $ldap_bind !== false;
    }</pre>

  • Local Admin Doesn't Authenticate on Open Directory 10.9

    Running 10.9.4.  I exported my open directory database from my old 10.6 server and imported into my new 10.9.4 server.  Everything worked without a hitch, except that the local admin can't administer the database, only the old directory admin (which works, but after every action, it tells me I'm not authenticated... even though it still works).
    I double checked, and sure enough, all the admins are in the directory administer group:
    GroupMembership: root diradmin rfinn
    Member: root diradmin rfinn
    NestedGroups: 9B953861-B2D1-43A2-BC57-F53C0C33F236
    PrimaryGroupID: 80
    RealName:
    Open Directory Administrators
    RecordName: admin
    RecordType: dsRecTypeStandard:Groups
    But... it still doesn't authenticate in Workgroup Manager.  Just to be sure, I re-added the LDAP admin GUID to the local admin's nested group list, but that didn't fix the issue either.  Suggestions?
    Thanks,
    -Rob

  • OSX 10.8.2 won't allow Mail (v6.2) to open.  Any ideas what to do?

    I just ran the latest update to 10.8.2 and now Mail won't open.  I get an error message saying that the version 6.2 I have is not compatible with the 10.8.2 OSX.
    Any ideas what to do...I depend on Mail for work!

    Straight away.
    Last night I tried to restore the system from the Time Machine to just before the problem and then update the OS again.  This worked fine, although it took a long time to optimize the Mailboxes and even then quite a lot of previously read email was showing as unread.
    Anyway, since I've now solved the problem myself with no loss of data I think I should close this thread.
    Thank you for your interest...

  • My mac won't allow youtube or google to open

    Macbook air completely updated
    Get the following error even though I can get to any other website.
    In FIREFOX I get a connection was reset error. Chrome is the same thing.
    I also noticed over the last few weeks that many times I would have to reload webpages a couple of times. Then if I hit "back" there would be my webpage.
    Help please.

    Please read this whole message before doing anything.
    This procedure is a diagnostic test. It’s unlikely to solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.
    The purpose of the test is to determine whether the problem is caused by third-party software that loads automatically at startup or login, by a peripheral device, by a font conflict, or by corruption of the file system or of certain system caches.
    Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards, if applicable. Start up in safe mode and log in to the account with the problem. You must hold down the shift key twice: once when you turn on the computer, and again when you log in.
    Note: If FileVault is enabled, or if a firmware password is set, or if the startup volume is a Fusion Drive or a software RAID, you can’t do this. Ask for further instructions.
    Safe mode is much slower to start up and run than normal, with limited graphics performance, and some things won’t work at all, including sound output and Wi-Fi on certain models. The next normal startup may also be somewhat slow.
    The login screen appears even if you usually login automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.
    Test while in safe mode. Same problem?
    After testing, restart as usual (not in safe mode) and verify that you still have the problem. Post the results of the test.

  • Password service won't start

    Following an unplanned hard restart of our server (Mac OS X 10.9.5, Server 3.2.2), the password service won't start, so our staff can't log into mail, calendars or file sharing.
    When I launch Open Directory, the main window has the message "Unable to load replica list", then it switches itself off after a minute or so.
    I've looked at the certificates in Server and they have the green tick so presumably are OK.
    DNS is working OK and running the command "sudo changeip -checkhostname" reports success.
    Here's the section of log that repeats every few seconds as PasswordService repeatedly starts up and exits:
    13/03/2015 20:55:00.617 com.apple.launchd[1]: (com.apple.PasswordService[5890]) Exited with code: 1
    13/03/2015 20:55:00.617 com.apple.launchd[1]: (com.apple.PasswordService) Throttling respawn: Will start in 10 seconds
    13/03/2015 20:55:02.540 xscertd[249]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)
    13/03/2015 20:55:08.708 com.apple.launchd[1]: (org.openldap.slapd[5894]) Exited with code: 1
    13/03/2015 20:55:08.708 com.apple.launchd[1]: (org.openldap.slapd) Throttling respawn: Will start in 7 seconds
    13/03/2015 20:55:10.206 xscertd-helper[5897]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
    13/03/2015 20:55:10.207 com.apple.launchd[1]: (com.apple.xscertd-helper[5897]) Exited with code: 1
    13/03/2015 20:55:10.207 com.apple.launchd[1]: (com.apple.xscertd-helper) Throttling respawn: Will start in 10 seconds
    13/03/2015 20:55:10.639 PasswordService[5901]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    13/03/2015 20:55:10.639 PasswordService[5901]: -[PasswordServerPrefsObject loadXMLData]: Unable to locate passwordserver config record's plist attribute: -1 Can't contact LDAP server
    13/03/2015 20:55:10.640 PasswordService[5901]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    13/03/2015 20:55:10.640 PasswordService[5901]: -[PasswordServerPrefsObject saveXMLData]: ldap_modify_ext_s of the passwordserver config record's plist attribute: -1 Can't contact LDAP server
    13/03/2015 20:55:10.684 PasswordService[5901]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
    13/03/2015 20:55:10.687 com.apple.launchd[1]: (com.apple.PasswordService[5901]) Exited with code: 1
    I have backups (both Time Machine and clones of the hard drive) that I could use to restore the corrupted bit of the configuration, if necessary, but I don't know what to restore.

    Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.
    1. The OD master must have a static IP address on the local network, not a dynamic address. It must not be connected to the same network with more than one interface; e.g., Ethernet and Wi-Fi.
    2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
    3. The primary DNS server used by the server must be itself, unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
    4. If you have accounts with network home directories, make sure the URL's are correct in the user settings. A return status of 45 from the authorizationhost daemon in the log may mean that the URL for mounting the home directory was not updated after a change in the hostname.
    5. Only if you're still running Mavericks server, follow these instructions to rebuild the Kerberos configuration on the server.
    6. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.
    7. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.
    8. Reboot the master and the clients.
    9. Don't log in to the server with a network user's account.
    10. Disable any internal firewalls in use, including third-party "security" software.
    11. If you've created any replica servers, delete them.
    12. If OD has only recently stopped working when it was working before, you may be able to restore it from the automatic backup in /var/db/backups, or from a Time Machine snapshot of that backup.
    13. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UID's are in the 1001+ range.
    If you get this far without solving the problem, then you'll need to examine the logs in the Open Directory section of the log list in the Server app, and also the system log on the clients.

  • My iPhone 4S has got stuck somehow. It won't allow me to swipe but tells me which button I am pressing! How do I get out of this? Tried the usual, on/off and holding both to reset, but still stuck

    My iPhone 4S has got stuck and won't allow me to swipe it open! It talks to me and tells me which button I'm pressing. Tried to reset etc. but not working.

    Sounds like you've switched on something under accessibility, I have an iPhone 5s & there it's under settings>General>accessibility.
    To swipe you could try using two fingers.
    Hth,
