2012/09/21
I spent the better part of a day playing with Apple Open Directory on Mountain Lion Server 10.8. The purpose of spending that time was to try to gain a better understanding of Open Directory, LDAP and Kerberos as described in Notes on Kerberos troubleshooting (Kerio).
I've emerged from my testing bloodied and more confused than I was going in.
This isn't the first time that I've been confused by LDAP. The documentation is awful, the implementations vary widely and it's not at all uncommon to find written examples that simply do not work. I've been through this before and have emerged victorious, so I'm sure that will eventually be the case here. It may just be a matter of older documentation that doesn't apply to 10.8 and of course there could be some bugs in there too.
Or it could just be me. This is my first dance with Apple Server, and although I think I have been careful in my testing, I may have fat-fingered or neglected something and helped confuse myself. I think I must have, because my results have thoroughly baffled me!
Methodology
As mentioned in previous articles, I made use of a Parallels Virtual Machine and snapshots for my testing. The snapshots make it easy for me to revert back and start over again, both to fix mistakes and to deliberately create some (the learn-by-destroying approach).
Here are the snapshots I worked with:
The first is just after installation, with Server.app purchased but not yet executed. This lets me branch off from there to multiple configurations, some of which I saved as snapshots themselves.
Let me say this first: the initial configuration was successful. That is, I was able to point a Kerio Connect server at it and get users from Open Directory. However, there were some very odd things that I noted.
Oddities
First, there's a paragraph in Kerio's documentation that talks about a "Settings" section in Open Directory:
To correctly configure Kerberos, you must:
1. Open the Mac OS Server Admin tool on the Kerio MailServer machine.
2. In the OpenDirectory section, go to the "Settings" section and select "Connected to a Directory System".
3. After this, you must go through the necessary steps to be able to join your machine to Kerberos using the "Join Kerberos..." button. For details, see Apple documentation.
I don't believe that applies to Open Directory in 10.8. I found no "Settings" section and therefore did not do this part at all. My configuration worked, so this must not apply.
Kerio docs also mention messing with Kerberos on 10.7. None of that seems to apply to 10.8: I touched no Kerberos at all.
There were other oddities. Next, one of the things Kerio docs seemed rather sure of is that you should be able to do "host `hostname`" in a Terminal window after configuring the Open Directory Master.
I could not. I could "ping `hostname`" from there and could ping that name from my hosting Mac (the Mac running Parallels). Obviously the Kerio directory configuration worked with that hostname also, so not being able to do that didn't actually matter. I checked DNS and found it was not running and that it had no entry for the server. I turned it on and added the entry, but nothing changed: I still could not do "host `hostname`".
So, at that point I was thinking that this is just some oddity of 10.8 Open Directory. Maybe it is, but it gets more strange: when I reverted back to my starting snapshot and went through the same configuration steps again but with a different hostname, it DID add the entry to DNS and I COULD do "host `hostname`"!
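An added diagnostic for the ping-works-but-host-fails case (my script, not from the article, Kerio or Apple). The two commands do not ask the same question: ping, Server.app and Kerio go through the system resolver, which on OS X consults /etc/hosts and Bonjour/mDNS (for .local names) before the DNS servers listed by scutil --dns, whereas host and dig send a query straight to those DNS servers and nothing else. The script resolves a name both ways and says which path answered. It assumes the macOS tools dscacheutil and dig (falling back to getent and host where those are missing); the verdict wording is mine.

```shell
#!/bin/sh
# Added example, not the article's own commands.
# Compares the system resolver (what ping uses) with a direct DNS query
# (what host/dig use) so a "ping works, host fails" name can be explained.
# Assumes macOS dscacheutil/dig; falls back to getent/host elsewhere.

# Bonjour/mDNS names end in .local and are answered by multicast, not by
# the unicast DNS servers that host(1) and dig(1) query.
is_mdns_name() {
  case "$1" in
    *.local|*.local.) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve through the OS resolver, exactly as ping does:
# /etc/hosts, mDNS, Directory Services, then DNS.
resolve_system() {
  if command -v dscacheutil >/dev/null 2>&1; then
    dscacheutil -q host -a name "$1" | awk '/^ip_address:/ {print $2}'
  elif command -v getent >/dev/null 2>&1; then
    getent hosts "$1" | awk '{print $1}'
  fi
}

# Resolve by asking the configured DNS servers directly, as host/dig do.
resolve_dns() {
  if command -v dig >/dev/null 2>&1; then
    dig +short "$1" A
  elif command -v host >/dev/null 2>&1; then
    host "$1" | awk '/has address/ {print $NF}'
  fi
}

# Print both answers and flag the case where only the system resolver knows
# the name. Returns 1 in that case so it can be used in scripts.
check_name() {
  name=$1
  sys=$(resolve_system "$name")
  dns=$(resolve_dns "$name")
  printf 'system resolver: %s\n' "${sys:-<none>}"
  printf 'unicast DNS    : %s\n' "${dns:-<none>}"
  if [ -n "$sys" ] && [ -z "$dns" ]; then
    if is_mdns_name "$name"; then
      echo "verdict: answered by mDNS/Bonjour, not DNS; host(1) will never see it"
    else
      echo "verdict: answered by /etc/hosts or a resolver cache, not by the DNS servers host(1) queries"
    fi
    return 1
  fi
  echo "verdict: both paths agree"
}

# usage: sh resolvecheck.sh server.example.com
case "${1:-}" in
  ?*) check_name "$1" ;;
esac
```

If the verdict says mDNS or /etc/hosts, adding a record to the DNS service on the server is only half the fix: the server itself must also be using that DNS service (check scutil --dns), or host will keep failing while ping keeps succeeding.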
OK, I must have done something differently, right? Yeah, I agree, but it's not like there are fifty steps here: you run Server.app, answer its questions, download Kerio's Open Directory Extension and install that. Reboot and that's all. There aren't very many opportunities to do anything any other way!
And yet something sure as heck is different, because in addition to that little hostname/DNS oddity, I could not get Kerio Connect to talk to any of my subsequent configurations. I'm not going to go through all the kinit and klist testing I did, but rest assured that all worked as it should, and I could even get the domains to test correctly from the Kerio administration, but I never again was able to bring in users.
This COULD be Kerio. There may be some residual stuff gumming up my experimentation. However, I did all this with additional mail domains and deleted each after testing - you'd think that would be sufficient, but it might not be. That's an aspect I haven't yet investigated.
So that's where I am right now: somewhat confused by Open Directory oddities and unsure of why my initial configuration was successful but subsequent attempts were not. Understand that I'm happy they were not: I can't learn anything from things that just simply work as advertised!
My next step is to drop to the command line and look at this as a generic LDAP server. That should tell me much more about what Server.app actually does when you set it up and will also let me see where the Kerio config is getting bamboozled by it (or itself, if that's the case).
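The command-line checks that step implies, as an added example (my commands, not the article's or Kerio's). It treats the Open Directory master as a plain LDAP server and a plain KDC, using Open Directory's defaults: the search base is the server's FQDN split into dc= components, the Kerberos realm is the FQDN in upper case, and anonymous reads of user records are allowed. The hostname od.example.com and the user name are placeholders; ldapsearch, kinit and klist are assumed to be installed.

```shell
#!/bin/sh
# Added example, not the article's own commands: look at an Open Directory
# master as a generic LDAP server and KDC.
# Assumes OD defaults (base DN from FQDN, realm = FQDN upper-cased,
# anonymous reads) and that ldapsearch/kinit/klist are installed.

# Open Directory's default search base is the FQDN split into dc= parts:
# od.example.com -> dc=od,dc=example,dc=com
od_base_dn() {
  printf '%s\n' "$1" | awk -F. '{
    for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    printf "\n"
  }'
}

# Default Kerberos realm is the FQDN in upper case:
# od.example.com -> OD.EXAMPLE.COM
od_realm() {
  printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Ask the rootDSE which base DNs the server actually serves. If this does not
# match od_base_dn, the directory was built under a different hostname.
od_naming_contexts() {
  ldapsearch -x -LLL -H "ldap://$1" -s base -b '' namingContexts
}

# Anonymous search for user records; OD puts objectClass apple-user on users.
od_list_users() {
  ldapsearch -x -LLL -H "ldap://$1" -b "$(od_base_dn "$1")" \
    '(objectClass=apple-user)' uid
}

# Kerberos side: obtain a TGT in the OD realm for a user, then show it.
# usage: od_kerberos_check od.example.com someuser
od_kerberos_check() {
  kinit "$2@$(od_realm "$1")" && klist
}

# usage: sh odcheck.sh od.example.com
case "${1:-}" in
  ?*) od_naming_contexts "$1"; od_list_users "$1" ;;
esac
```

Comparing the namingContexts answer with the base DN the hostname predicts is the quickest way to tell whether a reconfigured server is still carrying a directory built under an earlier name, which is the kind of difference Server.app's wizard does not show you.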
By Anthony Lawrence
Source: http://feedproxy.google.com/~r/aplawrence/ZPYH/~3/z2llk8pvABs/open_directory2.html