Lion OD & Authenticated Binding

[saweron]

Hi,

Just installed Lion Server 10.7.2 hoping the LDAP bugs would be squashed but I still run into an issue.

I’ve set up a shiny new master, no SSL and just authenticated directory binding enabled.

I then joined a 10.7.2 client to the directory which works. Afterwards I go the Directory Utility, edit the OD server entry and click Bind… to set up authenticated binding. I enter the directory admin’s credentials and then it just fails

On the client I get ‘invalid credentials supplied’ although I pretty much pasted them from a TextEdit

and in /var/log/system I see

Oct 20 15:54:25 admins-MacBook-Pro Directory Utility[663]: Bind failed with code 5000, error: Error Domain=com.apple.OpenDirectory Code=5000 “Credentials could not be verified, username or password is invalid.” UserInfo=0x7fd1fa22b060 {NSLocalizedDescription=Credentials could not be verified, username or password is invalid., NSLocalizedFailureReason=Credentials could not be verified, username or password is invalid.}

On the server I see this in /var/log/system

Oct 20 15:54:25 server PasswordService[1413]: -[AuthDBFile setPassword:atSlot:obfuscate:setModDate:]: ldap_add_ext_s slot information returned -9 for admins_macbook$ (05544150-fb23-11e0-a8ff-109add60cc67)
Oct 20 15:54:25 server PasswordService[1413]: -[AuthDBFile getPasswordRec:putItHere:unObfuscate:]: no entries found for 05544150-fb23-11e0-a8ff-109add60cc67

Has anyone encountered this? Is this a known issue?

[aaronwyatt]

I’m getting one of those errors just pounding my logs on both my master and replica Lion servers:

2/13/12 10:21:26.573 AM PasswordService: -[AuthDBFile getPasswordRec:putItHere:unObfuscate:]: no entries found for 4e569fbc-740f-551d-0000-025f00000a62

That error is just scrolling past, with the entry guid changing every fourth line.

I’m also seeing servermgrd chew up memory until it reaches about 4GB and then it finally crashes. Been having these symptoms since 10.7.0, hoping each dot release update would fix them. Sadly, no.

[aaronwyatt]

Regarding that error, I did figure out where it was coming form on my OD master. Several of the previously bound client computers have lost their entry in the password server database but keep attempting to change their passwords. In your log it tells you which machine specifically, but in my logs there was no such added info. I wrote the attached script to lookup either a user or computer’s password database entry and find out which computer it belongs to.

Usage
./get_pws_entry.sh -c [i]hexidecimal_computer_entry_id[/i]
./get_pws_entry.sh -u [i]hexidecimal_user_entry_id[/i]

[code]
#!/bin/bash
###
# get_pws_entry.sh
###
# Aaron Wyatt
# aaron [dot] wyatt [at] bc [dot] edu
# 2/14/2012
###
# Resolve a password service entry ID to
# an Open Directory object name.
###

SEARCHNODE=”/LDAPv3/127.0.0.1″
DSPATH=”/Computers”
DSSEARCHKEY=”AuthenticationAuthority”
DSSEARCHVAL=$1

while getopts “:c:u:” opt; do
case $opt in
c)
DSPATH=”/Computers”
DSSEARCHVAL=$OPTARG
;;
u)
DSPATH=”/Users”
DSSEARCHVAL=$OPTARG
;;
\?)
echo “Invalid option: -$OPTARG” >&2
;;
esac
done

# Cleanup the search value to get it in the format we’ll
# see in the OD field
DSSEARCHVAL=${DSSEARCHVAL//-/}
DSSEARCHVAL=${DSSEARCHVAL//0x/}

if [ “$DSSEARCHVAL” == “” ]
then
echo “Please specify an argument”
exit
fi

complist=$(/usr/bin/dscl $SEARCHNODE list $DSPATH 2> /dev/null)

for comp in $complist
do
searchresult=$(/usr/bin/dscl $SEARCHNODE read $DSPATH/$comp $DSSEARCHKEY 2> /dev/null)
if [[ “$searchresult” =~ .*$DSSEARCHVAL.* ]]
then
echo “$comp”
break
fi

done

exit
[/code]

[Author]

Posts