Local LDAP with corporate Kerberos?

  • #358413
    Anonymous
    Participant

    I have been trying for quite a while to link my local LDAP directory to our corporate KDC with no luck. I can get console logins working and AFP logins, but what I really need is Samba logins. I worked with an Apple engineer and they have stated that Samba on OSX has been modified to support only the Password Server and Active Directory.

    So what I’ve been looking at is doing a simple bind from LDAP to Kerberos, which is quite simple on most Unix systems, but not so simple with OSX apparently. The theory is when any app tries to authenticate against LDAP, OSX would do a password check against the KDC instead of the local password server. If the passwords are good, LDAP provides the authorization environment for the user (UID, groups, shell, etc). This would mean that the app does not need to be Kerberos aware – any app that authenticates against LDAP would work.

    Here is a link to instructions for doing this, but without knowing how Apple has set up OpenLDAP and SASL, I can’t seem to find the right combination:
    http://www.bayour.com/LDAPv3-HOWTO.html#4.5.3.4.Creating%20a%20LDAP%20service%20key|outline

    Also, there is a long thread on this topic at http://www.openldap.org/lists/openldap-software/200308/msg00114.html. Just click the Thread button at the top and the entire thread will be displayed.

    Anyone have any insight into doing this?
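
In stock OpenLDAP, the delegation described in the post above is set per entry: a `userPassword` value of `{SASL}user@REALM` makes slapd pass the simple-bind password to Cyrus SASL (typically saslauthd, which can check it against a KDC), while any other value is verified locally by slapd. The following is an added example, not part of the thread and not Apple's configuration: an audit of an LDIF export that reports which entries would not reach the KDC. The sample entries, the realm `EXAMPLE.COM` and the function names are constructed for illustration.

```python
import base64

# Constructed sample export (slapcat-style); users and realms are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {SASL}alice@EXAMPLE.COM

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: %s

dn: uid=carol,ou=people,dc=example,dc=com
userPassword:: %s

dn: uid=dave,ou=people,dc=example,dc=com
""" % (base64.b64encode(b"{SSHA}constructed-not-a-real-hash").decode(),
       base64.b64encode(b"{SASL}carol@OTHER.EXAMPLE.COM").decode())

def parse_ldif(text):
    """Yield (dn, attrs) per entry, handling folded lines and base64 ('::') values."""
    for block in text.replace("\n ", "").split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # 'attr:: <base64>'
                rest = base64.b64decode(rest[1:]).decode("utf-8", "replace")
            attrs.setdefault(name.lower(), []).append(rest.strip())
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def audit(text, realm):
    """Return {dn: finding} for entries whose bind password is NOT checked in `realm`."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        values = attrs.get("userpassword", [])
        if not values:
            findings[dn] = "no userPassword: simple bind cannot succeed"
        for v in values:
            if not v.upper().startswith("{SASL}"):
                scheme = v.split("}")[0] + "}" if v.startswith("{") else "cleartext"
                findings[dn] = "local credential %s: verified by slapd, not the KDC" % scheme
            elif v.rpartition("@")[2] != realm:
                findings[dn] = "delegates outside %s: %s" % (realm, v[6:])
    return findings

if __name__ == "__main__":
    for dn, finding in audit(SAMPLE_LDIF, "EXAMPLE.COM").items():
        print(dn, "->", finding)
```

An entry that still carries a local hash keeps working after the KDC password is changed or the principal is disabled, which is why such entries are reported.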

    #358700
    Mark
    Participant

    Any luck with this? I have the same problem.
