Home Forums OS X Server and Client Discussion Open Directory Lion OD & Authenticated Binding

This topic contains 2 replies, has 2 voices, and was last updated by  aaronwyatt 7 years, 9 months ago.

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • #381336

    saweron
    Participant

    Hi,

    Just installed Lion Server 10.7.2 hoping the LDAP bugs would be squashed but I still run into an issue.

    I’ve set up a shiny new master, no SSL and just authenticated directory binding enabled.

    I then joined a 10.7.2 client to the directory which works. Afterwards I go the Directory Utility, edit the OD server entry and click Bind… to set up authenticated binding. I enter the directory admin’s credentials and then it just fails

    On the client I get ‘invalid credentials supplied’ although I pretty much pasted them from a TextEdit

    and in /var/log/system I see

    Oct 20 15:54:25 admins-MacBook-Pro Directory Utility[663]: Bind failed with code 5000, error: Error Domain=com.apple.OpenDirectory Code=5000 “Credentials could not be verified, username or password is invalid.” UserInfo=0x7fd1fa22b060 {NSLocalizedDescription=Credentials could not be verified, username or password is invalid., NSLocalizedFailureReason=Credentials could not be verified, username or password is invalid.}

    On the server I see this in /var/log/system

    Oct 20 15:54:25 server PasswordService[1413]: -[AuthDBFile setPassword:atSlot:obfuscate:setModDate:]: ldap_add_ext_s slot information returned -9 for admins_macbook$ (05544150-fb23-11e0-a8ff-109add60cc67)
    Oct 20 15:54:25 server PasswordService[1413]: -[AuthDBFile getPasswordRec:putItHere:unObfuscate:]: no entries found for 05544150-fb23-11e0-a8ff-109add60cc67

    Has anyone encountered this? Is this a known issue?

    #381629

    aaronwyatt
    Participant

    I’m getting one of those errors just pounding my logs on both my master and replica Lion servers:

    2/13/12 10:21:26.573 AM PasswordService: -[AuthDBFile getPasswordRec:putItHere:unObfuscate:]: no entries found for 4e569fbc-740f-551d-0000-025f00000a62

    That error is just scrolling past, with the entry guid changing every fourth line.

    I’m also seeing servermgrd chew up memory until it reaches about 4GB and then it finally crashes. Been having these symptoms since 10.7.0, hoping each dot release update would fix them. Sadly, no.

    #381631

    aaronwyatt
    Participant

    Regarding that error, I did figure out where it was coming form on my OD master. Several of the previously bound client computers have lost their entry in the password server database but keep attempting to change their passwords. In your log it tells you which machine specifically, but in my logs there was no such added info. I wrote the attached script to lookup either a user or computer’s password database entry and find out which computer it belongs to.

    Usage
    ./get_pws_entry.sh -c [i]hexidecimal_computer_entry_id[/i]
    ./get_pws_entry.sh -u [i]hexidecimal_user_entry_id[/i]

    [code]
    #!/bin/bash
    ###
    # get_pws_entry.sh
    ###
    # Aaron Wyatt
    # aaron [dot] wyatt [at] bc [dot] edu
    # 2/14/2012
    ###
    # Resolve a password service entry ID to
    # an Open Directory object name.
    ###

    SEARCHNODE=”/LDAPv3/127.0.0.1″
    DSPATH=”/Computers”
    DSSEARCHKEY=”AuthenticationAuthority”
    DSSEARCHVAL=$1

    while getopts “:c:u:” opt; do
    case $opt in
    c)
    DSPATH=”/Computers”
    DSSEARCHVAL=$OPTARG
    ;;
    u)
    DSPATH=”/Users”
    DSSEARCHVAL=$OPTARG
    ;;
    \?)
    echo “Invalid option: -$OPTARG” >&2
    ;;
    esac
    done

    # Cleanup the search value to get it in the format we’ll
    # see in the OD field
    DSSEARCHVAL=${DSSEARCHVAL//-/}
    DSSEARCHVAL=${DSSEARCHVAL//0x/}

    if [ “$DSSEARCHVAL” == “” ]
    then
    echo “Please specify an argument”
    exit
    fi

    complist=$(/usr/bin/dscl $SEARCHNODE list $DSPATH 2> /dev/null)

    for comp in $complist
    do
    searchresult=$(/usr/bin/dscl $SEARCHNODE read $DSPATH/$comp $DSSEARCHKEY 2> /dev/null)
    if [[ “$searchresult” =~ .*$DSSEARCHVAL.* ]]
    then
    echo “$comp”
    break
    fi

    done

    exit
    [/code]

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.

Comments are closed