How to bind to an Open Directory Server - Authenticated + SSL

esl-francois
New Contributor II

Good morning all !

My first post, so let me introduce myself: I'm Francois, I'm the administrator of 350+ Macs, 70+ servers, network, telephony… and a Casper Suite user for two years! It has made my life much easier; I'm very happy about it. My company sells language studies and owns 4 language schools. We have around 40 remote offices worldwide, adding a bit of complexity ;-) I live in Montreux in Switzerland. Everyone should experience the Montreux Jazz Festival some day!

So now, the IT stuff:

I'm setting up a new Open Directory server on 10.7.3 to replace my older 10.6.8 server.

This time, I would like to use SSL and authenticated bindings. It looks like it's not possible to use the built-in tools.

Is there a simple method to do this, or should I script a bit? I found the bindToLDAP.sh script in the Resource Kit, but there's no mention of any authentication.

FYI I checked these options on my ODM :

  • Enable authenticated directory binding
  • Disable clear text passwords
  • Encrypt all packets
  • Digitally sign all packets
  • Block man-in-the-middle attacks
  • Allow users to edit their own contact information

Any help would be very appreciated.

Thanks in advance,

Francois

1 ACCEPTED SOLUTION

esl-francois
New Contributor II

It does work in a payload-free package, in postflight.

If you use luggage, check it out:
https://github.com/ftiff/ftiff-scripts/tree/master/luggage/Bind_to_Opendir_10.7

#!/bin/sh

# Script I use to bind a 10.7 client to Open Directory + SSL
# Use only on startup volume

# Define variables for path to executables
DSCONFIGLDAP="/usr/sbin/dsconfigldap"

# Define variables
ODM="nestor.esl.lan"

# Output variables
echo "We will bind to $ODM"


# Bind to the Open Directory Master
# The here-document answers "y" to the certificate-trust prompt
echo "$DSCONFIGLDAP -vsemgx -a $ODM"
"$DSCONFIGLDAP" -vsemgx -a "$ODM" << EOF
y
EOF

# done ! :)


5 REPLIES 5

esl-francois
New Contributor II

Ok, so after a bit of research, I found I could simply use Casper Admin ;-)

But it doesn't work on 10.7. The script hangs and the computer never gets bound.
The reason is that dsconfigldap expects an answer, whether or not to trust the certificate (see below).

I did the trick of changing ldap.conf to add TLS_CACERT, but it didn't work.

I also tried to create a postinstall script that would do:

dsconfigldap -vsemgx -a nestor.esl.lan << EOF
y
EOF

It works if I launch it from the CLI, but not inside a payload-free package.

I'm sure there's a way to do it cleanly… Any idea ?


gskibum
Contributor III

I've been trying to get this to work. It mostly does work; however, I still see the prompt inside the logs:

Certificates will be automatically added to your system keychain in order to talk to this server. Would you like to continue (y/n)?

Even though the << EOF variable is set.

In spite of this it seems the certificate is set and the box is successfully bound as I am able to log in with directory accounts.

I'm testing this on a Mavericks box. Is there an update for above Lion?

bmodesitt
New Contributor II

Add a -N to the end of the dsconfigldap command. This will assume 'y' when certificates are added.

bughollow
New Contributor III

I am trying on 10.10 machines where the server stopped responding. The built-in directory binding in Casper does not work!

I can manually join the server using System Preferences, but need to do this remotely if possible. I am using Casper 9.82. Do I need to add parameters to the script (full script at the end)?

This is the result. Help!

[STEP 1 of 4]
Executing Policy CAWS - Air 11 - Directory Policy Script
[STEP 2 of 4]
Running script CAWS-SRV1 Directory Binding...
Script exit code: 78
Script result: We will bind to caws-srv1.caws.lan
/usr/sbin/dsconfigldap -vsemgx -a caws-srv1.caws.lan
Computer with the name 'caws-air-11' already exists
dsconfigldap verbose mode
Using suggested computer ID
Options selected by user:
Enforce Secure Authentication is enabled
SSL was chosen
Add server option selected
Server name provided as
Computer ID provided as
Local username determined to be
Enforce man-in-the-middle only policy if server supports it.
Adding new node to search policies
Enforce packet encryption policy if server supports it.
Enforce packet signing policy if server supports it.
Non-interactive.

Error running script: return code was 78.
[STEP 3 of 4]
[STEP 4 of 4]

The Script:

#!/bin/sh

# Define variables for path to executables
DSCONFIGLDAP="/usr/sbin/dsconfigldap"

# Define variables
ODM="caws-srv1.caws.lan"

# Output variables
echo "We will bind to $ODM"

# Bind to the Open Directory Master
# -N answers the certificate prompt non-interactively
echo "$DSCONFIGLDAP -vsemgx -a $ODM -N"
"$DSCONFIGLDAP" -vsemgx -a "$ODM" -N << EOF
y
EOF

# done ! :)
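Editor's note: the thread's scripts bind anonymously over SSL and answer "y" to whatever certificate the server presents, which is trust-on-first-use; the authenticated bind the title asks for (directory admin credentials plus a named computer record) never appears, bmodesitt's -N removes the prompt, and bughollow's exit-78 log shows the "already exists" failure. The script below is an added example, not any poster's code, that ties those three together: it pre-trusts the OD CA from a file shipped with the package so the prompt is never reached, binds with -u/-p and -c, and maps dsconfigldap's exit status and output to a next step for whoever reads the policy log. Everything named is assumed: the host nestor.esl.lan, the CA at /Library/Security/od-ca.pem, the admin account diradmin, the password arriving in the environment variable OD_BIND_PASS, and the computer-ID scheme. Using -f (force) for the already-exists case follows that flag's documented purpose; the page does not show it resolving bughollow's exact error. The sample log lines in the usage are constructed from the thread.

```sh
#!/bin/sh
# Added example, not the thread's own script: authenticated SSL bind of a Mac
# to an Open Directory master, with the OD CA trusted from a pinned file before
# dsconfigldap ever contacts the server, so the "(y/n)?" prompt is never reached
# and we never accept whatever certificate answers on port 636.
# Assumptions (all hypothetical): host nestor.esl.lan, CA exported to
# /Library/Security/od-ca.pem, directory admin "diradmin" whose password is
# supplied in OD_BIND_PASS (never echoed), computer ID derived from ComputerName.
# Must run as root on macOS when invoked with --run.

DSCONFIGLDAP="/usr/sbin/dsconfigldap"
SECURITY="/usr/bin/security"
DSCL="/usr/bin/dscl"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# computer_id_from_name: lowercase the ComputerName and replace spaces with
# dashes, so "CAWS Air 11" becomes caws-air-11 (naming scheme assumed).
computer_id_from_name() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr ' ' '-'
}

# trust_od_ca: install the pinned OD CA as a trusted root in the System
# keychain. Fails closed: no CA file, no bind (instead of trust-on-first-use).
trust_od_ca() {
  ca_file="$1"
  if [ ! -r "$ca_file" ]; then
    echo "CA file $ca_file missing; refusing to bind" >&2
    return 1
  fi
  "$SECURITY" add-trusted-cert -d -r trustRoot -k "$SYSTEM_KEYCHAIN" "$ca_file"
}

# build_bind_args: the dsconfigldap argument list without the password.
#   -vsemgx  the verbose/SSL/secure-auth/signing/encryption/MITM set the
#            thread's script uses, unchanged
#   -N       do not prompt when the server certificate is added
#   -f       force the bind, for the "Computer with the name ... already
#            exists" case (only when force=yes; assumed remedy)
#   -a/-c/-u server, computer record name, directory admin user
# Safe to log: bind_od appends the password separately.
build_bind_args() {
  server="$1"; computer_id="$2"; dir_admin="$3"; force="${4:-no}"
  flags="-vsemgxN"
  [ "$force" = "yes" ] && flags="${flags}f"
  printf '%s -a %s -c %s -u %s' "$flags" "$server" "$computer_id" "$dir_admin"
}

# bind_failure_hint: turn dsconfigldap's exit status and captured output into
# one line for the admin reading the policy log. 78 is sysexits.h EX_CONFIG.
bind_failure_hint() {
  status="$1"; output="$2"
  case "$output" in
    *"already exists"*)
      echo "computer record exists in OD: rerun with force=yes or delete the record on the ODM"; return 0 ;;
    *"Would you like to continue (y/n)?"*)
      echo "certificate prompt reached: -N missing or CA not pre-trusted"; return 0 ;;
  esac
  if [ "$status" -eq 0 ]; then echo "bound"; else echo "bind failed with exit $status"; fi
}

# verify_bind: after a bind the LDAPv3 node must be listed by Directory Services.
verify_bind() {
  "$DSCL" localhost -list /LDAPv3 2>/dev/null | grep -qx "$1"
}

# bind_od: trust the CA, bind, report. Returns 2 when no password was supplied
# so the policy cannot silently fall back to an anonymous bind.
bind_od() {
  server="$1"; computer_id="$2"; dir_admin="$3"; force="$4"; ca_file="$5"
  if [ -z "$OD_BIND_PASS" ]; then
    echo "OD_BIND_PASS not set; refusing to bind anonymously" >&2
    return 2
  fi
  trust_od_ca "$ca_file" || return 1
  args="$(build_bind_args "$server" "$computer_id" "$dir_admin" "$force")"
  echo "$DSCONFIGLDAP $args -p ********"
  # $args is intentionally word-split. -p does expose the password in this
  # process's argv for the lifetime of the bind; -i would prompt, which a
  # policy cannot answer.
  out="$("$DSCONFIGLDAP" $args -p "$OD_BIND_PASS" 2>&1)"; status=$?
  echo "$out"
  bind_failure_hint "$status" "$out"
  [ "$status" -eq 0 ] && verify_bind "$server"
}

# Only bind when invoked explicitly, so the functions can be sourced or tested.
if [ "${1:-}" = "--run" ]; then
  name="$(/usr/sbin/scutil --get ComputerName)"
  bind_od "nestor.esl.lan" "$(computer_id_from_name "$name")" "diradmin" \
          "${2:-no}" "/Library/Security/od-ca.pem"
fi
```

Run it as `OD_BIND_PASS='…' ./bind_od.sh --run` from a postflight or policy, or `--run yes` to force a rebind when the record already exists. Exporting the OD CA once and shipping it in the package is the part worth keeping even if you do nothing else: it turns the blind "y" into a check against a certificate you chose.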