iPrism lookups to Open Directory

  • #366488
    Flash
    Participant

    We’re testing an iPrism appliance (content filter) from St Bernard Software. While we have several other systems doing LDAP lookups to OD, we cannot get the iPrism to connect to OD. Our OD master is 10.4.6, clear text passwords allowed, all UAMs enabled. It’s not a context typo, because we can browse our LDAP with various tools, such as LDAP Browser. When attempting an anonymous bind from the iPrism, it returns a nondescript protocol error, with no LDAP log entries on the OD master. While St Bernard Software claims to have many clients doing this, their tech support is stumped. We even set up a brand new OD master, all default configs – the iPrism throws the same protocol error. Any ideas? Could it be that OD is LDAPv3 while the iPrism may only handle LDAPv2?

    #366494
    Flash
    Participant

    Sure enough, St Bernard’s iPrism uses LDAPv2 only. 10.4 Server will allow LDAPv2 requests, but you have to add the following line to slapd.conf.

    allow bind_v2
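What the two posts above describe on the wire, as an added example (not iPrism, St Bernard or Apple code): a minimal BER encoder/decoder for the LDAP BindRequest and BindResponse of RFC 4511, plus a model of the version check slapd performs before it looks at credentials. A v2 bind against a default slapd.conf is answered with resultCode protocolError (2), which is the "nondescript protocol error" the iPrism showed; with `allow bind_v2` the same bind proceeds. The credential check itself is assumed to succeed, and the diagnostic string is the one slapd uses for a refused v2 bind.

```python
"""Added example: LDAP bind round trip in BER, with slapd's LDAPv2 policy
modelled. Constructed for this thread; not iPrism or Apple code."""
from typing import Optional, Tuple

SUCCESS, PROTOCOL_ERROR = 0, 2          # LDAP resultCode values (RFC 4511)
# Wording of slapd's diagnostic for a refused v2 bind (OpenLDAP 2.x bind.c).
V2_REFUSED = "historical protocol version requested, use LDAPv3 instead"

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v: int) -> bytes:
    assert 0 <= v < 128, "one-octet INTEGER is enough for message ids and versions"
    return tlv(0x02, bytes([v]))

def ber_str(s: str) -> bytes:
    return tlv(0x04, s.encode())

def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def bind_request(msg_id: int, version: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name,
    simple [0] OCTET STRING } }. Empty dn and password is an anonymous bind.
    A simple bind carries the password as-is, so it is cleartext on the wire."""
    op = tlv(0x60, ber_int(version) + ber_str(dn) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + op)

def parse_bind_request(msg: bytes) -> Tuple[int, int, str, Optional[bytes]]:
    """Return (messageID, version, dn, simple password or None)."""
    tag, body, _ = read_tlv(msg)
    assert tag == 0x30, "not an LDAPMessage SEQUENCE"
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    assert tag == 0x60, "not a BindRequest"
    _, ver, pos = read_tlv(op)
    _, dn, pos = read_tlv(op, pos)
    tag, auth, _ = read_tlv(op, pos)
    pw = auth if tag == 0x80 else None      # [3] would be SASL credentials
    return int.from_bytes(mid, "big"), int.from_bytes(ver, "big"), dn.decode(), pw

def bind_response(msg_id: int, code: int, diag: str = "") -> bytes:
    """BindResponse [APPLICATION 1] LDAPResult { resultCode ENUMERATED,
    matchedDN, diagnosticMessage }."""
    result = tlv(0x0A, bytes([code])) + ber_str("") + ber_str(diag)
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, result))

def parse_bind_response(msg: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage)."""
    _, body, _ = read_tlv(msg)
    _, mid, pos = read_tlv(body)
    tag, res, _ = read_tlv(body, pos)
    assert tag == 0x61, "not a BindResponse"
    _, code, pos = read_tlv(res)
    _, _matched, pos = read_tlv(res, pos)
    _, diag, _ = read_tlv(res, pos)
    return int.from_bytes(mid, "big"), code[0], diag.decode()

def slapd_bind(msg: bytes, allow_bind_v2: bool = False) -> bytes:
    """Model the version check slapd applies before looking at credentials:
    v3 is always accepted, v2 only with `allow bind_v2` in slapd.conf.
    Credential checking is out of scope here and assumed to succeed."""
    mid, version, _dn, _pw = parse_bind_request(msg)
    if version == 3 or (version == 2 and allow_bind_v2):
        return bind_response(mid, SUCCESS)
    if version == 2:
        return bind_response(mid, PROTOCOL_ERROR, V2_REFUSED)
    return bind_response(mid, PROTOCOL_ERROR, "requested protocol version not supported")

def exchange(version: int, allow_bind_v2: bool, dn: str = "", password: str = "") -> Tuple[int, str]:
    """One bind round trip; returns (resultCode, diagnosticMessage)."""
    reply = slapd_bind(bind_request(1, version, dn, password), allow_bind_v2)
    _, code, diag = parse_bind_response(reply)
    return code, diag

if __name__ == "__main__":
    print("v2 anonymous, default slapd.conf:", exchange(2, False))  # the iPrism's error
    print("v2 anonymous, allow bind_v2:     ", exchange(2, True))
    print("v3 anonymous, default:           ", exchange(3, False))
    print("password visible on the wire:    ", b"s3cret" in bind_request(1, 2, "uid=flash", "s3cret"))
```

The last line of the demo is the point the next post makes: a simple bind, v2 or v3, puts the password in the packet as-is, so `allow bind_v2` buys compatibility, not confidentiality.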

    #366511
    Flash
    Participant

    Just thought you might want to know this in case you decide to do OD integration. iPrism is the best product we tested, but St. Bernard support was disappointing – it would seem they have far less experience and expertise implementing in Mac environments than they will admit. We figured out all of this completely on our own:

    1. iPrism, at present, only supports LDAPv2. It’s not very secure as cleartext passwords are now flying around my network, but you can force Open Directory to honor LDAPv2 requests by including this line in your slapd.conf file:
    allow bind_v2
    In theory, if and when iPrism embraces LDAPv3, single sign-on using Kerberos would be possible.
    2. iPrism filtering policies then have to be mapped to some LDAP attribute. Logically, you would use each user’s Group Membership to determine filtering. However, OpenLDAP has no “MemberOf” User attribute as Active Directory and eDirectory do. So, you can add a new attribute to your schema, if you’re brave enough, or use some other existing attribute to map to your iPrism policies. We chose to use “dsAttrType:apple-keyword”. When a user authenticates, the iPrism looks to OD to find out what Keywords are assigned to that user. The Keyword corresponds to an iPrism filtering policy of the same name. Keywords are fairly easy to maintain from the Advanced tab of WGM or using an LDAP import tool like Passenger.
    Rather than filtering only by IP address, this solution allows filtering and reporting by user.
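The keyword lookup from step 2, as an added example that is not part of the post and not iPrism or Apple code: it parses a constructed LDIF dump of the kind `ldapsearch -x` returns from an OD master, resolves a user's policy from apple-keyword, and, as the alternative the post mentions is missing from OpenLDAP, derives group membership by searching posixGroup entries for memberUid instead of reading a memberOf attribute. The policy names, the precedence order for a user holding several matching keywords, and the default policy are assumptions.

```python
"""Added example: resolve an iPrism-style policy from Open Directory data.
Constructed for this thread; not iPrism or Apple code."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample of what `ldapsearch -x -b dc=example,dc=com` might return.
SAMPLE_LDIF = """\
dn: uid=flash,cn=users,dc=example,dc=com
objectClass: posixAccount
objectClass: apple-user
uid: flash
apple-keyword: Staff

dn: uid=student1,cn=users,dc=example,dc=com
objectClass: posixAccount
objectClass: apple-user
uid: student1
apple-keyword: Students
apple-keyword:: RmlsdGVyZWQ=
# the base64 value above decodes to "Filtered"

dn: uid=contractor,cn=users,dc=example,dc=com
objectClass: posixAccount
uid: contractor
apple-keyword: NotAPolicy

dn: uid=guest,cn=users,dc=example,dc=com
objectClass: posixAccount
uid: guest

dn: cn=staff,cn=groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
memberUid: flash
memberUid: contractor
"""

# Assumed iPrism policy names, most restrictive first: a user holding several
# matching keywords gets the first one in this list.
POLICIES = ["Filtered", "Students", "Staff"]
DEFAULT_POLICY = "Default"   # assumed fallback when no keyword names a policy

def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfold continuation lines, skip comments, decode
    `attr::` base64 values, keep every attribute multi-valued."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.replace("\n ", "").splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries

def find_user(entries: List[Entry], uid: str) -> Entry:
    for e in entries:
        if uid in e.get("uid", []):
            return e
    raise KeyError(uid)

def policy_for(user: Entry) -> str:
    """Keyword-to-policy mapping: the first POLICIES entry present in
    apple-keyword wins; unknown or missing keywords fall to DEFAULT_POLICY."""
    keywords = set(user.get("apple-keyword", []))
    return next((p for p in POLICIES if p in keywords), DEFAULT_POLICY)

def groups_of(entries: List[Entry], uid: str) -> List[str]:
    """OpenLDAP has no memberOf: search the groups for memberUid instead."""
    return sorted(e["cn"][0] for e in entries
                  if "posixGroup" in e.get("objectClass", [])
                  and uid in e.get("memberUid", []))

def resolve(ldif: str, uid: str) -> Dict[str, object]:
    """What the filter needs per authenticated user: policy and groups."""
    entries = parse_ldif(ldif)
    return {"policy": policy_for(find_user(entries, uid)),
            "groups": groups_of(entries, uid)}

if __name__ == "__main__":
    for uid in ("flash", "student1", "contractor", "guest"):
        print(uid, resolve(SAMPLE_LDIF, uid))
```

Two things the post leaves implicit show up in the sample: a user can carry more than one keyword, so the mapping needs a precedence rule, and a keyword that matches no policy (or no keyword at all) needs a defined fallback rather than an unfiltered session.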

    #373039
    stmoddell
    Participant