Extending the schema
This topic has 11 replies, 3 voices, and was last updated 18 years, 2 months ago by nob.
November 29, 2004 at 8:46 pm #360027
Ender (Participant)
I’m trying to get Server 10.3 to work as an external authentication server for FileMaker Server 7. The documentation for doing this is very thin, but I was told that I would need to “extend the schema” on OS X Server to make this possible. I was even given a schema file and a long list of unix commands I would need to run in order for it to work (install Berkeley DB 4.2, install OpenLDAP, configure OpenLDAP to use the schema file).
But I’m having trouble installing OpenLDAP (the ‘make’ step fails with errors.)
So if anyone has gotten this to work, please let me know:
1. Is OpenLDAP necessary to get this to work?
2. If it is, is there a trick to getting OpenLDAP installed?
–Mike
November 30, 2004 at 10:14 pm #360049
Ender (Participant)
That’s good to know, and I appreciate your help. I’m not sure where the problem is. Perhaps it’s something as simple as the syntax.
I’m using OS 10.3.6’s Open Directory. I have it set up as an Open Directory Master using LDAP. The search base is
dc=mydomain,dc=org
And I have dir.mydomain.org registered with our ISP to point to this server’s IP address (obviously “mydomain” is not actually my domain.) I can see the directory with “LDAP Browser”.
My FileMaker Server is setup for external authentication like this:
Directory server name: dir.mydomain.org
Distinguished name: ou=admin,dc=dir,dc=mydomain,dc=org
Login Settings:
Account: admin
Password: ****
The error I see in FileMaker’s event log is:
Registration with directory service failed. (Invalid DN syntax)
I have tried variations on the DN syntax, but I get the same error.
Thanks,
–Mike
December 1, 2004 at 3:10 pm #360058
Ender (Participant)
Thanks, but I get the same error in the Event Log:
Registration with directory service failed. (Invalid DN syntax)
Any other ideas?
December 1, 2004 at 4:20 pm #360061
Ender (Participant)
I can use ldapbrowser to see the directory anonymously, but FM Server 7 won’t allow an anonymous authentication. The other accounts I tried for User DN fail to connect.
Am I supposed to create an account in Workgroup Manager just for directory authentication?
What setting in OS X Server allows the directory to be authenticated with an account rather than anonymously?
–Mike
December 14, 2004 at 11:49 am #360172
Anonymous (Guest)
Anyone with a solution? I’m running into the same problems. I also get the ‘Invalid DN Syntax’ error when I want to join using the following credentials:
cn=users,dc=example,dc=com
Of course this is just an example.
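The two bind DNs posted above (ou=admin,dc=dir,dc=mydomain,dc=org against a search base of dc=mydomain,dc=org, and cn=users,dc=example,dc=com) raise the same two questions a practitioner would check before blaming the server: is the string a well-formed DN at all, and does it name the place where an Open Directory master actually keeps user entries, which is uid=<short name>,cn=users,<base>? The Python below is an added example, not code from this thread, from FileMaker or from Apple. It splits a DN into RDNs per RFC 4514 (escaped commas handled, multi-valued RDNs left unsplit), checks that the DN ends with the search base, builds the Open Directory user DN for a short name, and classifies a candidate bind DN accordingly. The DNs in it are the constructed placeholders quoted in the posts; the function names are this example’s own.

```python
# Added example (not from the thread, FileMaker or Apple): RFC 4514 DN parsing
# plus a check of a bind DN against the search base and the container layout
# an Open Directory master uses for users. All DNs here are the constructed
# placeholders quoted in the thread; function names are this example's own.
import re

# attribute type "=" value; the type is a descriptor or a dotted OID
_RDN_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=(.+)$')


def split_dn(dn):
    """Split a DN into (type, value) pairs, most specific RDN first.

    Commas separate RDNs unless backslash-escaped; the escape pair stays in
    the value as written. Multi-valued RDNs (a=1+b=2) are not split further.
    Raises ValueError where an LDAP server would answer invalidDNSyntax (34).
    """
    if not dn.strip():
        raise ValueError("empty DN")
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\':
            if i + 1 >= len(dn):
                raise ValueError("dangling escape at end of DN")
            buf.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    rdns = []
    for part in parts:
        m = _RDN_RE.match(part.strip(' '))
        if not m:
            raise ValueError("malformed RDN %r" % part)
        rdns.append((m.group(1).lower(), m.group(2)))   # types are case-insensitive
    return rdns


def is_under_base(dn, base):
    """True when dn ends with every RDN of base (values compared case-insensitively)."""
    d, b = split_dn(dn), split_dn(base)
    if len(b) > len(d):
        return False

    def norm(rdns):
        return [(t, v.lower()) for t, v in rdns]
    return norm(d[len(d) - len(b):]) == norm(b)


def escape_rdn_value(value):
    """Escape a value for use inside an RDN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def od_user_dn(base, short_name):
    """DN an Open Directory master stores a user under: uid=<short name>,cn=users,<base>."""
    return 'uid=%s,cn=users,%s' % (escape_rdn_value(short_name), base)


def classify_bind_dn(dn, base):
    """Say why a candidate bind DN may fail, before a single bind is attempted."""
    try:
        rdns = split_dn(dn)
    except ValueError as exc:
        return 'invalid DN syntax: %s' % exc
    if not is_under_base(dn, base):
        return 'well-formed, but outside the search base %s' % base
    head = rdns[:len(rdns) - len(split_dn(base))]
    if len(head) == 2 and head[0][0] == 'uid' and head[1][0] == 'cn' and head[1][1].lower() == 'users':
        return 'ok: names a user entry under cn=users'
    return ('well-formed and under the base, but not where Open Directory keeps users '
            '(uid=<name>,cn=users,<base>)')


if __name__ == '__main__':
    base = 'dc=mydomain,dc=org'                        # search base from the thread
    for candidate in ('ou=admin,dc=dir,dc=mydomain,dc=org',   # posted DN
                      'cn=users,dc=example,dc=com',            # posted DN
                      'dc=,dc=org',                            # constructed: empty value
                      od_user_dn(base, 'admin')):
        print('%-40s -> %s' % (candidate, classify_bind_dn(candidate, base)))
```

Run as a script it reports, for each candidate, which of the three problems applies. The posted ou=admin,dc=dir,... DN is well-formed and does end with the base, so the classifier flags only that it is not a cn=users entry; a DN with an empty value such as dc=,dc=org is what a server rejects as invalidDNSyntax.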
June 13, 2005 at 1:36 pm #361966
Anonymous (Guest)
After far too much time playing with this on and off I’ve discovered that it doesn’t need to be fixed. FileMaker seems perfectly capable of receiving authentication information without having to register with the LDAP server.
So my solution is: set up the user groups using WGM and the ‘Authenticated by external user’ group names in your FM7 file, and it should work once you’ve specified the LDAP server address in FMP Admin.
I have got FMS7 running on the LDAP server, but I see no reason why that should make a significant difference if port 389 is open.
September 1, 2005 at 7:09 pm #363063
Anonymous (Guest)
Ok, so the documentation on this is terrible, but I finally figured it out and I figured I’d share a few key insights.
FIRST (and this isn’t explicitly stated anywhere) it is VERY important to note that there are TWO pieces to the Filemaker/OD puzzle:
1. Registering your FM server with the OD server
2. Using the OD server’s user lists to authenticate a particular database.
You can do either, or both. #1 is for using OD to DISCOVER the FM server, #2 is for using OD to authenticate to a given database.
#1 is complicated, and can be ignored. You only need it if you have a large network and if you want to use OD to tell clients about the FM server. This would create an entry in the OD server for the filemaker server. it involves DNS and a whole host of other messy issues. If you ignore it, then your Filemaker clients will use another protocol (Rendezvous/Bonjour/AppleTalk/TCPIP) to discover the FM database.
Most people, it seems, only want #2. That is, they want their OD users to be able to log in to a particular FM database. Here’s what you need to do:
1. You must, of course, have Open Directory running on your OS X Server. You then must have users and groups created in the OD domain. Let’s say you have a group called “mystaff,” and this is the group that you want to give access to the FM database.
If your OD server is also your FM server, then you’re more or less done. But if, like most of us, your FM is a separate server, you need to first bind the FM server to the OD domain. This might be obvious to some, but could easily be a sticking point for others. Here’s what to do:
2. On your filemaker server, open Utilities -> Directory Access and register the FM server with the OD domain like so:
a) click on the “Services” tab, enable LDAP, and then set up a new configuration. Enter the Name or IP address of your OD server and choose “From Server” for the LDAP mappings
b) click on the “Authentication” tab and click “Add”. If you have OD running on your network, you should see something like /LDAPv3/xxx, where xxx is your OD server’s IP address. Add that domain to the list.
YOU MUST REBOOT after you do this. Your Filemaker server is now bound to your OD domain.
3. Open your FM database, go to Define Database -> Accounts & Privileges. Create a new account, Authenticated via: External Server. Then when it asks you for the group name, you have to enter your OD group name, in our case, “mystaff.”
So, in sum:
1. Bind your FM server to the OD domain via Directory Access, giving it access to the OD users and groups
2. Add the desired groups to the FM database itself and set access privileges.
This worked for me. HTH.
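Both the June 13 post (name the FM external account after the OD group) and step 3 above rest on the same lookup: the directory user must exist under cn=users, and the name of the “External Server” account in the database must equal the cn of an OD group that lists that user. The Python below is an added example, not code from this thread or from FileMaker, that makes the lookup explicit over constructed sample data. The LDIF is invented in the shape Open Directory uses (users under cn=users, groups under cn=groups as posixGroup/apple-group entries whose memberUid values are user short names), not a dump of any real server; the assumption that FileMaker tries external accounts in its listed authentication order and takes the first group match is this example’s, as is the exact, case-sensitive comparison of group names.

```python
# Added example (not from the thread or FileMaker): which external account a
# directory user lands in, given the Open Directory group layout. SAMPLE_LDIF is
# constructed data, not a dump of any server; the authentication-order rule and
# the exact name comparison are this example's assumptions.

SAMPLE_LDIF = """\
dn: uid=jdoe,cn=users,dc=mydomain,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe

dn: uid=asmith,cn=users,dc=mydomain,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: asmith
cn: Al Smith

dn: cn=mystaff,cn=groups,dc=mydomain,dc=org
objectClass: posixGroup
objectClass: apple-group
cn: mystaff
memberUid: jdoe

dn: cn=admins,cn=groups,dc=mydomain,dc=org
objectClass: posixGroup
objectClass: apple-group
cn: admins
memberUid: asmith
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    repeated attributes collected into lists, keyed by lower-cased DN.
    Base64 (::) values and continuation lines are not handled; the sample
    above does not use them."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries[current['dn'][0].lower()] = current
            current = None
            continue
        attr, _, value = line.partition(':')
        attr, value = attr.strip().lower(), value.strip()
        if attr == 'dn':
            current = {'dn': [value]}
        elif current is None:
            raise ValueError("attribute line before any dn: %r" % line)
        else:
            current.setdefault(attr, []).append(value)
    if current:
        entries[current['dn'][0].lower()] = current
    return entries


def groups_of(entries, short_name):
    """Sorted cn values of posixGroup entries whose memberUid lists short_name."""
    return sorted(e['cn'][0] for e in entries.values()
                  if 'posixgroup' in [o.lower() for o in e.get('objectclass', [])]
                  and short_name in e.get('memberuid', []))


def resolve_fm_account(entries, base, short_name, external_accounts):
    """Model the 'Authenticated via: External Server' lookup.

    The user must exist as uid=<short_name>,cn=users,<base>; then the first
    account in external_accounts (assumed to be FileMaker's authentication
    order) whose name equals one of the user's OD groups wins. Unknown users
    and users in none of the listed groups get None, i.e. no access."""
    user_dn = 'uid=%s,cn=users,%s' % (short_name, base)
    if user_dn.lower() not in entries:
        return None
    member_of = set(groups_of(entries, short_name))
    for account in external_accounts:
        if account in member_of:
            return account
    return None


if __name__ == '__main__':
    directory = parse_ldif(SAMPLE_LDIF)
    accounts = ['admins', 'mystaff']         # external accounts defined in the FM file
    for who in ('jdoe', 'asmith', 'nobody'):
        print(who, '->', resolve_fm_account(directory, 'dc=mydomain,dc=org', who, accounts))
```

The deny-by-default return is the part worth keeping in mind when binding a separate FM server: if the bind in Directory Access is not working, every lookup behaves like the “nobody” case, and the symptom is a login failure rather than a directory error.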
September 28, 2005 at 8:17 am #363381
Anonymous (Guest)
Ok, this is the same way I did it here and it works so far.
All you have to do is name the new account for your database like a group name you have set in your OD scheme.
But now FM sometimes asks for the username/pw again after a few times, even if the user just had the desired database open. FM never did it before when the username authentication was set right in FM.
Example:
We have a solution here at work which is set by 10 different databases. All databases use the same authentication schemes. When the user rights were set in FM directly, FM just authenticates the user on opening the first database. After that never again, unless the user restarts FM.
Now, since FM authenticates the user against OD, FM asks for each database irregularly, meaning it asks for the first database, then opens all the others. Now when the user closes just one database and opens it again, FM wants to have the authentication again. FM only does that against users who are identified through OD and does not if the user is identified through FM directly.
Strange, and I didn’t find a solution yet to fix this.
[QUOTE BY=Here goes]
Ok, so the documentation on this is terrible, but I finally figured it out and I figured I’d share a few key insights.
FIRST (and this isn’t explicitly stated anywhere) it is VERY important to note that there are TWO pieces to the Filemaker/OD puzzle:
1. Registering your FM server with the OD server
2. Using the OD server’s user lists to authenticate a particular database.
You can do either, or both. #1 is for using OD to DISCOVER the FM server, #2 is for using OD to authenticate to a given database.
#1 is complicated, and can be ignored. You only need it if you have a large network and if you want to use OD to tell clients about the FM server. This would create an entry in the OD server for the filemaker server. it involves DNS and a whole host of other messy issues. If you ignore it, then your Filemaker clients will use another protocol (Rendezvous/Bonjour/AppleTalk/TCPIP) to discover the FM database.
Most people, it seems, only want #2. That is, they want their OD users to be able to log in to a particular FM database. Here’s what you need to do:
1. You must, of course, have Open Directory running on your OS X Server. You then must have users and groups created in the OD domain. Let’s say you have a group called “mystaff,” and this is the group that you want to give access to the FM database.
If your OD server is also your FM server, then you’re more or less done. But if, like most of us, your FM is a separate server, you need to first bind the FM server to the OD domain. This might be obvious to some, but could easily be a sticking point for others. Here’s what to do:
2. On your filemaker server, open Utilities -> Directory Access and register the FM server with the OD domain like so:
a) click on the “Services” tab, enable LDAP, and then set up a new configuration. Enter the Name or IP address of your OD server and choose “From Server” for the LDAP mappings
b) click on the “Authentication” tab and click “Add”. If you have OD running on your network, you should see something like /LDAPv3/xxx, where xxx is your OD server’s IP address. Add that domain to the list.
YOU MUST REBOOT after you do this. Your Filemaker server is now bound to your OD domain.
3. Open your FM database, go to Define Database -> Accounts & Privileges. Create a new account, Authenticated via: External Server. Then when it asks you for the group name, you have to enter your OD group name, in our case, “mystaff.”
So, in sum:
1. Bind your FM server to the OD domain via Directory Access, giving it access to the OD users and groups
2. Add the desired groups to the FM database itself and set access privileges.
This worked for me. HTH.
[/QUOTE]
February 6, 2007 at 12:17 pm #368226
nob (Participant)
[QUOTE][u]Quote by: Here goes[/u][p]Ok, so the documentation on this is terrible, but I finally figured it out and I figured I’d share a few key insights.
FIRST (and this isn’t explicitly stated anywhere) it is VERY important to note that there are TWO pieces to the Filemaker/OD puzzle:
1. Registering your FM server with the OD server
2. Using the OD server’s user lists to authenticate a particular database.You can do either, or both. #1 is for using OD to DISCOVER the FM server, #2 is for using OD to authenticate to a given database.
#1 is complicated, and can be ignored. You only need it if you have a large network and if you want to use OD to tell clients about the FM server. This would create an entry in the OD server for the filemaker server. it involves DNS and a whole host of other messy issues. If you ignore it, then your Filemaker clients will use another protocol (Rendezvous/Bonjour/AppleTalk/TCPIP) to discover the FM database.
[/p][/QUOTE]
Part One is what I will need. We have > 15 FM8 Servers, and I didn’t find any help to bind the Servers to the OD in my OSXS 10.4 Servers. If you know how to do this, can you explain please?