Forum Replies Created

Viewing 9 posts - 46 through 54 (of 54 total)
  • in reply to: AppleShare IP Migration Utility borking on mail data #359239
    fherbert
    Participant

    I have tried this migration tool at several sites we have upgraded to OS X server. The mail import has NEVER worked!! Instead, we use fetchmail on the OS X server to pop the mail off the old ASIP server and store it in local accounts on the OS X server machine. The only downside to this is that we can only get the contents of the users’ inboxes and no other folders they have created themselves. Check the fetchmail man page for details on how to use it.
    There may be some way of also getting the users’ other mail folders, but at this stage I don’t know of any (but I haven’t looked for any either).

    fherbert
    Participant

    On your OS X server VPN setup, did you enter the DNS server and search domain in the “Client Information” tab in the “Settings” section on the VPN server in Server Admin??

    fherbert
    Participant

    I had this issue when I first set up OS X VPN server.

    I was surprised that I didn’t have to do much on the server in order for it to work.

    Essentially the issue was my client machine not routing the traffic to the correct place. If you have a PC, set that up and test it.
    I fixed the issue on my client machine by setting up a new location and, within that location, creating the VPN connection.
    I could then ping the server and mount server share points.

    PS. I also did the steps as suggested by the post above; this may have also been the cause of my issues.

    in reply to: Using Open Directory to authenticate Squid proxy #359001
    fherbert
    Participant

    No worries, I have been keeping documentation of my progress. I have created a new article and submitted it.
    Any chance I could upload the modified pam_ldap.so file to this website for people to download and use if they want??

    in reply to: mount_afp and Open Directory #358982
    fherbert
    Participant

    What does your mount share point script look like??

    in reply to: Using Open Directory to authenticate Squid proxy #358966
    fherbert
    Participant

    Success!!!

    I have had to download and modify the source code of the pam_ldap.so module to make it use the username instead of the user’s DN, then compiled the module.

    in reply to: Using Open Directory to authenticate Squid proxy #358965
    fherbert
    Participant

    Well… I have managed to sort out how to get pam_auth to authenticate using groups… in my /etc/ldap.conf file I have the following lines:

    # Group to enforce membership of
    pam_groupdn cn=internet,cn=groups,dc=test,dc=co,dc=nz

    # Group member attribute
    pam_member_attribute memberUid

    The only trouble is, the pam_auth module looks for the memberUid which matches the user’s FULL DN, i.e. it is looking for uid=validuser,cn=users,dc=test,dc=co,dc=nz
    BUT Apple only has the uid, i.e. validuser.

    I can manually enter the full DN of the user into the OS X LDAP directory, but it would be nice if we can use the data created when you enter a user in a group using Workgroup Manager.

    Any ideas???
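
Added example (not part of fherbert's posts and not the pam_ldap source): the two membership comparisons described in the posts above, a full-DN match versus a short-uid match, run over constructed group entries. The function names and sample entries are hypothetical; the DNs are the ones quoted in the post.

```python
import re

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (simplified parser)."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn) if p.strip()]

def normalize_dn(dn):
    """Lower-case and trim each RDN so equivalent DNs compare equal."""
    return ",".join("=".join(s.strip() for s in rdn.split("=", 1)).lower()
                    for rdn in split_dn(dn))

def uid_from_dn(dn):
    """Return the value of a leading uid= RDN, or None if there is none."""
    rdns = split_dn(dn)
    if not rdns:
        return None
    attr, _, value = rdns[0].partition("=")
    return value.strip() if attr.strip().lower() == "uid" else None

def member_by_dn(group, attr, user_dn):
    """Full-DN comparison: the behaviour the post describes for pam_groupdn."""
    want = normalize_dn(user_dn)
    return any(normalize_dn(v) == want for v in group.get(attr, []))

def member_by_uid(group, attr, user_dn):
    """Short-name comparison: what the modified module is described as doing.
    Only safe if uid values are unique across the whole search base."""
    uid = uid_from_dn(user_dn)
    return uid is not None and uid in group.get(attr, [])

# Constructed entries. GROUP_OD holds short names only, as the post says
# Open Directory stores them; GROUP_MANUAL holds a hand-entered full DN.
USER_DN = "uid=validuser,cn=users,dc=test,dc=co,dc=nz"
GROUP_OD = {"cn": ["internet"], "memberUid": ["validuser", "otheruser"]}
GROUP_MANUAL = {"cn": ["internet"], "memberUid": [USER_DN]}

if __name__ == "__main__":
    for name, grp in (("short uid", GROUP_OD), ("full DN", GROUP_MANUAL)):
        print(name, "| by DN:", member_by_dn(grp, "memberUid", USER_DN),
              "| by uid:", member_by_uid(grp, "memberUid", USER_DN))
```

Matching on the short name ties the access decision to uid uniqueness: if two containers under the search base can hold the same uid, either account passes the group check.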

    in reply to: Using Open Directory to authenticate Squid proxy #358963
    fherbert
    Participant

    Ok. So I have managed to get pam working to authenticate using accounts from the OS X server. The only issue I have now is how to only allow access to the members of the internet group.

    in reply to: Using Open Directory to authenticate Squid proxy #358927
    fherbert
    Participant

    I’m not sure which LDAP CLI you mean – but I have used ldapsearch to authenticate to the OS X server using the following command:

    ldapsearch -x -D uid=validuser,cn=users,dc=my,dc=domain,dc=name -W -b dc=my,dc=domain,dc=name -h osxserver.my.domain.name uid=username

    This prompts me for an LDAP password for username “validuser”; the results of my search are then displayed (indicating that I have successfully authenticated to the OS X LDAP server).

    I have had a quick look at the PAM module for Squid. Ideally I would like to be able to place internet users in an “internet” group on the OS X Open Directory and then only allow users in that group access to the internet through Squid. I can’t see anywhere using the PAM module where I can set this up.

    I am still looking into the PAM module though, and have not managed to get it working yet. I’m not even sure I can use it to authenticate to a remote machine. I have created a file /etc/pamd.d/squid, but am not sure how I tell the module to use a remote server (osxserver.my.domain.name) for authentication. It currently only authenticates against local accounts.
