[tech] LDAP authentication

Matt Johnston matt at ucc.gu.uwa.edu.au
Fri Feb 21 19:00:39 WST 2003


Seems that the problem was tangerine doing inet6 lookups to mussel
(specified by hostname), and waiting for lots of timeouts, due to mussel not
listening on inet6 for ldap. I've changed it to mussel by 130.95.13.18, it
seems happy now.

Matt

On Fri, Feb 21, 2003 at 12:10:26AM +0800, Grahame Bowland (UCC) wrote:
> Hi all,
> 
> We now have LDAP authentication. There is an OpenLDAP server 
> running on mussel with all of our users in it. It supports 
> bind operations against user records to verify passwords.
> 
> Tangerine (the iMac) is now doing LDAP authentication, 
> although with an absolutely horrible wait to log in. The 
> delay does not appear to be directly LDAP related; it seems 
> to be doing NetInfo lookups, failing, then doing LDAP and 
> then immediately working.
> 
> Once you have logged in it all works fine - home directory, 
> applications run, it's all good.
> 
> Details for people configuring LDAP authentication on UCC 
> machines:
>   * base DN is: o=The University Computer Club,c=AU
>   * script to generate LDAP config: ~grahame/ldap/run.sh
>   * currently populated from NIS
> 
> If you ssh into tangerine as a normal user it's fine, you'll 
> have a home directory and there won't be timeouts. The problem 
> seems to be with the GUI login application.
> 
> I'm trying to find out how people on campus are getting around
> this, although I suspect most departments are running Apple's 
> 'OpenDirectory' LDAP server which gets around the problem 
> by populating NetInfo too.
> 
> (The reason I did this: NIS is broken in 10.2 and won't be 
>  fixed. And I wanted to get Nautilus onto 10.2 so we can use 
>  the nice new applications, and get a slightly less jelly-bean 
>  based UI experience.)
> 
> For sanity, please email tech if you either play with the LDAP 
> on tangerine or touch the LDAP server config so that we're not 
> working at cross-purposes.
> 
> Cheers,
> Grahame
> 
> PS: I hear rumours that OpenLDAP + Kerberos is a go for Win2K 
>     if you sacrifice enough chickens.
> 
> PPS: I've tried to change the lookupd configuration in NetInfo 
>      although it doesn't seem to have helped.
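A diagnostic in the spirit of what Matt found, added here as an example that is not part of the original thread: it resolves the LDAP host, probes each returned address on the LDAP port in resolver order, and reports how many dead addresses (here an inet6 one) a client will time out on before it reaches one that answers, plus the literal to configure instead of the hostname. The canned resolver, its connect stand-in and the 2001:db8::1 address are constructed; 130.95.13.18 comes from the thread, and port 389 is assumed to be the standard LDAP port.

```python
import socket
from dataclasses import dataclass

LDAP_PORT = 389  # assumed: standard LDAP port, not stated in the thread

@dataclass
class ProbeResult:
    family: str       # "inet" or "inet6"
    address: str
    reachable: bool   # True if a TCP connect to the LDAP port succeeded

def tcp_reachable(family, address, port, timeout=2.0):
    """One TCP connect attempt; a refusal or a timeout both count as unreachable."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((address, port))
        return True
    except OSError:
        return False

def probe_ldap_host(host, port=LDAP_PORT, resolve=socket.getaddrinfo, connect=tcp_reachable):
    """Resolve host and probe each address in resolver order; resolve/connect are
    injectable so the check can also run offline on canned data."""
    results = []
    for family, _, _, _, sockaddr in resolve(host, port, 0, socket.SOCK_STREAM):
        name = "inet6" if family == socket.AF_INET6 else "inet"
        results.append(ProbeResult(name, sockaddr[0], connect(family, sockaddr[0], port)))
    return results

def dead_before_first_live(results):
    """Addresses a client times out on before one answers; each costs a full connect timeout."""
    for n, r in enumerate(results):
        if r.reachable:
            return n
    return len(results)

def first_live_literal(results):
    """Address literal to configure instead of the hostname, or None if nothing answered."""
    return next((r.address for r in results if r.reachable), None)

# Constructed stand-in for DNS and the network, mirroring the thread: the IPv6
# address (documentation prefix, made up) never answers, the IPv4 one does.
def canned_resolve(host, port, family, socktype):
    return [(socket.AF_INET6, socktype, 6, "", ("2001:db8::1", port, 0, 0)),
            (socket.AF_INET, socktype, 6, "", ("130.95.13.18", port))]

def canned_connect(family, address, port):
    return family == socket.AF_INET
```

Run `probe_ldap_host("mussel")` with the defaults against a real resolver to see which address families a client will actually wait on; a non-zero `dead_before_first_live` count multiplied by the connect timeout is the login delay the thread describes.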
