November 9, 2007 at 4:35 pm in reply to: Can’t bind to 10.5 server when SSL is enabled for LDAP #370485
lilmatt (Participant)

@MacTroll:
I’ve enabled the Kerberos-required options on the OD Master, therefore LDAP connections on port 389 are using SASL/GSSAPI/Kerb5. So at least my data isn’t going across the wire in the clear. Of course, now I can’t use the “Edit” function in Directory.app, but that’s a secondary issue.

I couldn’t find any errors in the logs, but perhaps I’m not looking in the right place on 10.5. I’ve checked /var/log/system.log, /var/log/krb5kdc/*.log, /Library/Logs/SingleSignonTools.log, and /Library/Logs/DirectoryService/DirectoryService*.log on the client. I’ve also tried increasing the logging verbosity using “loglevel” in /etc/openldap/slapd.conf to get an idea of what’s up, but no matter which value I choose, the verbosity appears the same, even after SIGHUPping slapd and/or restarting the whole box.

At first I thought the generic self-signed SSL certificate might be to blame, so I replaced it using Server Admin with one signed by my employer’s internal CA. I then thought perhaps that OpenLDAP didn’t like not having the CA’s public certificate, so I scp’d the CA cert onto the box and used a “Custom Configuration” to specify its location. Still no love. Additionally, if I add the Open Directory master to the client’s Directory Utility.app without SSL enabled and then go into the “Services” tab, tick the SSL box, and restart, I can no longer log in to the client box with network accounts.
@netguy45:
Yes, those seem like the same trouble, particularly http://discussions.apple.com/message.jspa?messageID=5781411#5781411
However, I’m not getting errors in my logs or dscl/WM as I can’t even get past adding the server in Directory Utility.app if I have SSL enabled.
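The trust question raised in the post (does the client actually accept the server certificate chain issued by the internal CA?) can be separated from Directory Utility and from slapd's logging entirely by checking it with OpenSSL and the OpenLDAP command-line tools. The script below is an added example, not something posted in the thread or shipped by Apple: it builds a throwaway CA plus a server certificate signed by it (and a second, unrelated CA) so the chain check can be exercised offline, then defines the live probes against an LDAPS/GSSAPI server. The hostname od.example.internal, the port 636 and the file paths are assumptions for illustration; set LDAPS_PROBE_HOST and LDAPS_PROBE_CA to run the live probes against a real server.

```shell
#!/bin/sh
# Added example: verify an LDAP server certificate chain against an internal CA,
# then probe the server the way an OpenLDAP client would. Not from the original post.

# Build a constructed test PKI in $1: internal CA, a server cert it signed,
# and an unrelated CA that must NOT validate the server cert.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/CN=Example Internal CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=od.example.internal" >/dev/null 2>&1          # assumed hostname
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/other.key" -out "$dir/other-ca.pem" \
    -subj "/CN=Unrelated CA" >/dev/null 2>&1
}

# verify_chain CERT CAFILE: exit 0 only if CERT chains to CAFILE.
# This is exactly the check an OpenLDAP client performs when its
# TLS_CACERT / LDAPTLS_CACERT points at CAFILE; a missing or wrong CA
# file fails here with "unable to get local issuer certificate".
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Live probe 1: raw TLS handshake to the LDAPS port, printing the chain the
# server actually presents and OpenSSL's verify result. An incomplete chain
# (server cert without the issuing CA) or a mismatched CA shows up here
# regardless of what slapd logs.
probe_ldaps_handshake() {
  host=$1; cafile=$2
  openssl s_client -connect "$host:636" -showcerts -CAfile "$cafile" </dev/null 2>/dev/null |
    grep -E 'subject=|issuer=|Verify return code'
}

# Live probe 2: anonymous rootDSE read over LDAPS using the OpenLDAP client,
# with the CA pinned via the environment so ldap.conf does not matter.
probe_ldaps_search() {
  host=$1; cafile=$2
  LDAPTLS_CACERT="$cafile" ldapsearch -x -H "ldaps://$host" -b "" -s base \
    namingContexts supportedSASLMechanisms
}

# Live probe 3: the same read on port 389 but bound with SASL/GSSAPI, which is
# the path the post says works once Kerberos is required (needs a ticket from kinit).
probe_gssapi_search() {
  host=$1
  ldapsearch -Y GSSAPI -H "ldap://$host" -b "" -s base supportedSASLMechanisms
}

# Run the live probes only when a real server is named; otherwise the script
# just defines the functions so the offline chain check can be used alone.
if [ -n "${LDAPS_PROBE_HOST:-}" ]; then
  ca=${LDAPS_PROBE_CA:-/etc/openldap/ca.pem}   # assumed default path
  probe_ldaps_handshake "$LDAPS_PROBE_HOST" "$ca"
  probe_ldaps_search "$LDAPS_PROBE_HOST" "$ca"
  probe_gssapi_search "$LDAPS_PROBE_HOST"
fi
```

The offline part is the useful discriminator: if `verify_chain server.pem ca.pem` fails with the CA file that was scp'd to the client, the certificate the server is serving was not issued by that CA (or the CA file holds the wrong certificate), and no amount of slapd loglevel tuning will say so. If it passes but `probe_ldaps_handshake` still reports a non-zero verify return code, the server is presenting a different certificate or an incomplete chain on port 636 than the one configured, which is worth comparing against the Server Admin certificate before suspecting the client.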