Kerberized directory access via openldap

    #368261
    ruckerz
    Participant

    So I followed https://www.afp548.com/article.php?story=20061126220622764 (Linux as a server) and am able to bind to my directory via directory access using a kerberos principal.

    The problem is that when I try to ls my LDAPv3/host/Users dir, I get nothing. I try id ruckerz2k (a real user) and I get no user. I check the slapd log on my Linux server and I see:

    Feb 9 15:51:14 rna slapd[20297]: conn=44 op=0 BIND dn="" method=128
    Feb 9 15:51:14 rna slapd[20297]: conn=44 op=0 RESULT tag=97 err=0 text=
    Feb 9 15:51:14 rna slapd[20297]: conn=44 op=1 SRCH base="cn=users,dc=od1,dc=colorado,dc=edu" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=shadowAccount)(objectClass=apple-user)(objectClass=extensibleObject)(|(|(uid=ruckerz2k))(|(cn=ruckerz2k))))"

    Why is Directory Access still doing anonymous binds? I've already authenticated with my Kerberos principal for this machine!
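Added here as an example, not code from the post or from the AFP548 article it links: a small Python check that walks slapd "stats" log lines like the ones above and flags every search issued on a connection whose bind was anonymous (a simple bind, method=128, with an empty DN) or that never bound at all, while leaving SASL binds (method=163, later logged with mech=GSSAPI and the resolved DN) unflagged. The sample lines, realm and DNs are constructed.

```python
import re

# Bind and search lines as slapd logs them at the "stats" log level.
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"(?: method=(\d+))?(?: mech=(\S+))?')
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="([^"]*)"')

# Constructed sample: conn=44 mirrors the anonymous bind in the post, conn=45 is a
# Kerberos (GSSAPI) bind in slapd's three-line form, conn=46 searches without binding.
SAMPLE_LOG = """\
Feb 9 15:51:14 rna slapd[20297]: conn=44 op=0 BIND dn="" method=128
Feb 9 15:51:14 rna slapd[20297]: conn=44 op=0 RESULT tag=97 err=0 text=
Feb 9 15:51:14 rna slapd[20297]: conn=44 op=1 SRCH base="cn=users,dc=od1,dc=colorado,dc=edu" scope=2 deref=0 filter="(uid=ruckerz2k)"
Feb 9 15:52:01 rna slapd[20297]: conn=45 op=0 BIND dn="" method=163
Feb 9 15:52:01 rna slapd[20297]: conn=45 op=0 BIND authcid="ruckerz2k@EXAMPLE.REALM" authzid="ruckerz2k@EXAMPLE.REALM"
Feb 9 15:52:01 rna slapd[20297]: conn=45 op=0 BIND dn="uid=ruckerz2k,cn=users,dc=od1,dc=colorado,dc=edu" mech=GSSAPI sasl_ssf=56 ssf=56
Feb 9 15:52:01 rna slapd[20297]: conn=45 op=0 RESULT tag=97 err=0 text=
Feb 9 15:52:02 rna slapd[20297]: conn=45 op=1 SRCH base="cn=users,dc=od1,dc=colorado,dc=edu" scope=2 deref=0 filter="(uid=ruckerz2k)"
Feb 9 15:53:10 rna slapd[20297]: conn=46 op=0 SRCH base="cn=users,dc=od1,dc=colorado,dc=edu" scope=2 deref=0 filter="(objectClass=*)"
"""


def find_anonymous_searches(log_text):
    """Return (conn, base) for each SRCH made on an anonymous connection.

    Per-connection state: 'anonymous', 'simple' (DN + password), 'sasl:pending'
    or 'sasl:<mech>'. A connection that never bound is anonymous (LDAPv3).
    Assumption: a bind whose RESULT reports an error is not rolled back here.
    """
    state, hits = {}, []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, dn, method, mech = m.groups()
            if mech:                     # slapd logged the SASL-resolved identity
                state[conn] = f"sasl:{mech}"
            elif method == "163":        # LDAP_AUTH_SASL: handshake in progress
                state[conn] = "sasl:pending"
            elif method == "128":        # LDAP_AUTH_SIMPLE: empty DN is anonymous
                state[conn] = "anonymous" if dn == "" else "simple"
            continue
        m = SRCH_RE.search(line)
        if m and state.get(m.group(1), "anonymous") == "anonymous":
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for conn, base in find_anonymous_searches(SAMPLE_LOG):
        print(f"conn={conn} searched {base} anonymously")
```

Point it at a real slapd log (loglevel stats) to see whether a client that should be using its Kerberos principal is in fact searching anonymously, as conn=44 does above.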

    #368308
    ruckerz
    Participant

    I got it now. I think it was a matter of getting my /Library/Preferences/edu.mit.Kerberos correct.

    Here's a question though: in the link above, there's no mention of 'Writing to server' from Directory Access. This is convenient, since on every machine I set up now to bind to LDAP I must use 'manual'. However, writing to server also writes the machine login/pw, and the description attribute that it writes to is available to anonymous users.

    Should I continue to setup machines to bind to ldap manually?
