MacOS – LDAP users in Catalina cannot log in – CRAM-MD5 error in opendirectoryd

Tags: catalina, ldap, macos, opendirectoryd

I'm using Catalina 10.15.4 OSX as client and FreeBSD 12-1 with openldap-sasl-server-2.4.48_1 as OpenLDAP server. I've configured the LDAP server using Directory Utility.

  • I can see the LDAP users on Directory Editor tab;
  • I can use "id user" in terminal showing the user, its groups etc;
  • I can use "dscl localhost -read /Search/Users/user" that shows all user info;
  • I can use "dscacheutil -q user -a name user" that shows all user info;
  • I can change to root in terminal and then "su - user" and it works (I've created the home directory and mapped it to #/Users/$uid$);
  • BUT I CAN'T log in using the user.

All network users are enabled to log in. I've tried using "ssh user@localhost" and at the Login Window. It doesn't work.

Setting debug with "odutil set log debug" and taking a look at the Console logs:

opendirectoryd  failed CRAM-MD5 authentication for authzid - '<private>' authcid - '<private>' error 49
opendirectoryd  ODRecordVerifyPassword failed with result ODErrorCredentialsInvalid
opendirectoryd  nw_path_evaluator_start [78C31F06-08D0-4EF9-B584-EB41028A814D IPv6#0d17d740.389 generic, local: IPv6#ef0057ec.49455, indefinite]
    path: unsatisfied (No network route)

On server, CRAM-MD5 is available.

supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: SCRAM-SHA-256
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM

What's going wrong? How to use LDAP users on OSX?

There are some tutorials on the Internet about editing a directory configuration file (plist). However, this had worked in later versions of OSX. For example:

/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string DIGEST-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist 
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string CRAM-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string NTLM" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string GSSAPI" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist

In Catalina we can't edit this file (yourldapserver.plist) anymore. I've tried to use another tool, defaults, but the file can only be altered if we copy it to another place. At the normal system location we can't edit it to test these configurations.

Best Answer

Does it work for you if you try to edit the plist file indirectly with odutil, as follows:

odutil set configuration /LDAPv3/foo.example.com module ldap option "Denied SASL Methods" CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
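The fix above works by taking the legacy challenge-response mechanisms out of the SASL negotiation. As an added example (not code from the question or the answer), the script below parses the rootDSE lines quoted in the question and models which mechanism the client ends up with before and after the denied list is applied; the client preference order it uses is an assumption, not documented behaviour of opendirectoryd.

```python
"""Model of the SASL mechanism choice behind the odutil fix in the answer.
Added example, not the page's code; the client preference order is assumed."""
from typing import Iterable, List, Optional

# rootDSE lines as quoted in the question (constructed copy for offline use).
ROOTDSE = """\
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: SCRAM-SHA-256
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
"""

# Challenge-response mechanisms that only verify if the server can recover the
# cleartext password; with hashed userPassword values they fail with result 49.
NEEDS_CLEARTEXT = {"CRAM-MD5", "DIGEST-MD5", "NTLM"}

# Assumed client preference order (illustrative only). SCRAM is absent on
# purpose: this model assumes the client does not implement it.
CLIENT_PREFERENCE = ["GSSAPI", "CRAM-MD5", "DIGEST-MD5", "NTLM", "LOGIN", "PLAIN"]

# Denied list taken from the accepted answer's odutil command.
DENIED_BY_ANSWER = ["CRAM-MD5", "DIGEST-MD5", "LOGIN", "PLAIN", "NTLM"]

def parse_sasl_mechanisms(rootdse_text: str) -> List[str]:
    """Return the mechanisms advertised in supportedSASLMechanisms lines."""
    mechs = []
    for line in rootdse_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip() == "supportedSASLMechanisms":
            mechs.append(value.strip())
    return mechs

def risky_mechanisms(server_mechs: Iterable[str]) -> List[str]:
    """Advertised mechanisms that break once passwords are stored hashed."""
    return [m for m in server_mechs if m in NEEDS_CLEARTEXT]

def negotiate(server_mechs: Iterable[str], denied: Iterable[str]) -> Optional[str]:
    """Mechanism the modelled client binds with, or None for a simple bind."""
    candidates = set(server_mechs) - set(denied)
    for mech in CLIENT_PREFERENCE:
        if mech in candidates:
            return mech
    return None  # nothing usable left: client falls back to a simple bind

if __name__ == "__main__":
    mechs = parse_sasl_mechanisms(ROOTDSE)
    print("risky:", risky_mechanisms(mechs), "before:", negotiate(mechs, []))
    print("after fix:", negotiate(mechs, DENIED_BY_ANSWER))
```

CRAM-MD5 and DIGEST-MD5 can only succeed when the server can recover the cleartext password, so against hashed userPassword values they fail with result 49 even for a correct password. Once they are denied the client falls back to a simple bind, which should only travel to the server over TLS.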