[tech] LDAP authentication
Grahame Bowland UCC
grahame at ucc.gu.uwa.edu.au
Fri Feb 21 00:10:26 WST 2003
Hi all,
We now have LDAP authentication. There is an OpenLDAP server
running on mussel with all of our users in it. It supports
bind operations against user records to verify passwords.
Tangerine (the iMac) is now doing LDAP authentication,
although with an absolutely horrible wait to log in. The
delay does not appear to be directly LDAP related; it seems
to be doing NetInfo lookups, failing, then doing LDAP and
then immediately working.
Once you have logged in it all works fine - home directory,
applications run, it's all good.
Details for people configuring LDAP authentication on UCC
machines:
* base DN is: o=The University Computer Club,c=AU
* script to generate LDAP config: ~grahame/ldap/run.sh
* currently populated from NIS
If you ssh into tangerine as a normal user it's fine, you'll
have a home directory and there won't be timeouts. The problem
seems to be with the GUI login application.
I'm trying to find out how people on campus are getting around
this, although I suspect most departments are running Apple's
'OpenDirectory' LDAP server which gets around the problem
by populating NetInfo too.
(The reason I did this: NIS is broken in 10.2 and won't be
fixed. And I wanted to get Nautilus onto 10.2 so we can use
the nice new applications, and get a slightly less jelly-bean
based UI experience.)
For sanity, please email tech if you either play with the LDAP
on tangerine or touch the LDAP server config so that we're not
working at cross-purposes.
Cheers,
Grahame
PS: I hear rumours that OpenLDAP + Kerberos is a go for Win2K
if you sacrifice enough chickens.
PPS: I've tried to change the lookupd configuration in NetInfo
although it doesn't seem to have helped.
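The bind-based password check the post describes, as an added example (not the UCC run.sh or any project code). It assumes user entries sit under an ou=People container beneath the stated base DN and are named by uid, and the server on mussel is replaced by a constructed stub so the check runs offline; the two defensive points are escaping the username before it becomes part of a DN and refusing an empty password, which many servers treat as an unauthenticated bind that succeeds.

```python
"""Password verification by LDAP simple bind, with a stubbed directory."""
from typing import Callable

# Base DN as given in the post; ou=People and the uid naming attribute are
# assumptions about how the user records are laid out.
BASE_DN = "o=The University Computer Club,c=AU"
PEOPLE_DN = "ou=People," + BASE_DN

# RFC 4514: characters that must be escaped inside an RDN attribute value.
_DN_ESCAPE = {c: "\\" + c for c in ',+"\\<>;='}


def escape_dn_value(value: str) -> str:
    """Escape a string for use as an RDN value so a crafted username
    cannot add or alter RDNs in the bind DN (DN injection)."""
    out = "".join(_DN_ESCAPE.get(c, c) for c in value)
    if value.startswith((" ", "#")):      # leading space / '#' are special
        out = "\\" + out
    if value.endswith(" ") and len(value) > 1:   # trailing space is special
        out = out[:-1] + "\\ "
    return out


def user_dn(uid: str) -> str:
    """Bind DN for a given uid under the assumed People container."""
    return f"uid={escape_dn_value(uid)},{PEOPLE_DN}"


def verify_password(uid: str, password: str,
                    bind: Callable[[str, str], bool]) -> bool:
    """True only if a simple bind as the user's DN succeeds.
    `bind(dn, password)` is whatever performs the real bind (an LDAP
    client library, a shell-out to ldapwhoami, ...); it is injected so
    this runs offline. An empty password is rejected before binding:
    RFC 4513 lets a server treat DN + empty password as an unauthenticated
    bind and return success, which would log anyone in as anyone."""
    if not uid or not password:
        return False
    return bind(user_dn(uid), password)


# Constructed stand-in for the directory: bind DN -> password.
_FAKE_DIRECTORY = {
    user_dn("grahame"): "correct horse",
    user_dn("o,brien"): "s3cret",   # a comma in the uid must not split the DN
}


def fake_bind(dn: str, password: str) -> bool:
    """Mimics a server that accepts an unauthenticated (empty-password) bind."""
    if password == "":
        return True          # the dangerous case verify_password guards against
    return _FAKE_DIRECTORY.get(dn) == password
```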