Mac OSX Server Open Directory

L2 Linker

Mac OSX Server Open Directory

We use Open Directory as our primary LDAP service which normally works pretty well.

I'm trying to get LDAP authentication profiles up and running and am only having limited success. By limited I mean I can authenticate a user against a simple config where I am looking for the "uid" login attribute in the users group using cn=users,dc=server,dc=mydomain,dc=com.

If I try to authenticate a user in a group called sslvpn (cn=sslvpn,cn=groups,dc=server,dc=mydomain,dc=com) using "memberUid" as the login attribute the session login fails with an invalid username/password error.

Just wondering if there is a limitation in PANOS when it comes to Open Directory attributes or if I'm doing something simple wrong?

Jason

L3 Networker

Re: Mac OSX Server Open Directory

The login attribute "uid" in the working authentication profile, we assume, would be used in the sslvpn auth profile instead of "memberUid".

On initial review, that could be causing auth attempts to fail.

L2 Linker

Re: Mac OSX Server Open Directory

hello --

Apple OpenDirectory has a custom (i.e. proprietary) schema objectclass to define group membership (i.e. apple-group).

Apple's OpenDirectory does NOT use objectclass=groupofuniquenames which includes the uniquemember attribute to define group membership.

Thus, the OpenLDAP support (a superset of OpenDirectory) provided by LDAP auth of Palo Alto Networks will not likely include any support for apple's group membership.

-GA

L2 Linker

Re: Mac OSX Server Open Directory

This sounds about right to me from other research, bit of a nuisance though.

Would be nice if PAN would do some development to provide support for OpenDirectory.

Jason

L2 Linker

Re: Mac OSX Server Open Directory

hello -- I can't post screenshots to this forum, but I have a screenshot of an OpenDirectory group object and a similar OpenLDAP-based group object.

The membership attribute for "apple-group" is "memberuid" and contains a UID value.

The membership attribute for "groupofuniquenames" is "uniquemember" and contains a user DN value (full user object address).

The value of "uniquemember" can be readily used as part of ldap_simple_bind auth validation, but the "memberuid" value requires one extra step (i.e. look up the user object to get the DN value for ldap_simple_bind).

-GA
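To make the "one extra step" concrete, here is an added example (not code from the thread, from Palo Alto Networks, or from Apple) that models the two group styles the post describes. The directory tree, the user entries, the group names `sslvpn` and `vpnusers`, and the passwords are all constructed stand-ins held in plain dicts, so the logic runs offline without an LDAP server; `simple_bind` is a placeholder for the bind the real server would perform. The point it shows is that a `uniqueMember` value is already the DN needed for the bind, while a `memberUid` value only proves membership by uid string and still has to be resolved to a DN with a second search.

```python
"""Resolve a login name to a bind DN for two LDAP group styles.

Added example, not from the forum thread. Every entry below is a constructed
stand-in for an Open Directory tree, modelled as dicts so it runs offline.
"""

BASE_DN = "dc=server,dc=mydomain,dc=com"
USER_DN = "uid=jason,cn=users," + BASE_DN

# Constructed directory: DN -> attributes (values are lists, as in LDAP).
DIRECTORY = {
    USER_DN: {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["jason"],
        "userPassword": ["constructed-secret"],  # stand-in for the server-side credential
    },
    "uid=alice,cn=users," + BASE_DN: {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"],
        "userPassword": ["another-constructed-secret"],
    },
    # Open Directory style (apple-group): members are listed by uid value only.
    "cn=sslvpn,cn=groups," + BASE_DN: {
        "objectClass": ["apple-group", "posixGroup"],
        "memberUid": ["jason"],
    },
    # OpenLDAP style (groupOfUniqueNames): members are listed by full DN.
    "cn=vpnusers,cn=groups," + BASE_DN: {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": [USER_DN],
    },
}


def search_uid(directory, base_dn, login):
    """Subtree search for (uid=login) under base_dn; returns the DN or None."""
    for dn, attrs in directory.items():
        if dn.endswith(base_dn) and login in attrs.get("uid", []):
            return dn
    return None


def resolve_bind_dn(directory, login, group_dn, base_dn=BASE_DN):
    """Return the DN to bind as if `login` is a member of group_dn, else None."""
    group = directory.get(group_dn)
    if group is None:
        return None
    classes = {c.lower() for c in group.get("objectClass", [])}
    if "groupofuniquenames" in classes:
        # uniqueMember already holds the DN: membership check and bind DN in one read.
        for member_dn in group.get("uniqueMember", []):
            if login in directory.get(member_dn, {}).get("uid", []):
                return member_dn
        return None
    if "memberUid" in group:
        # memberUid holds only the uid string, so membership is a string match
        # and the DN needed for the simple bind requires a second search.
        if login not in group["memberUid"]:
            return None
        return search_uid(directory, base_dn, login)
    return None


def simple_bind(directory, dn, password):
    """Stand-in for ldap_simple_bind: True when dn exists and the password matches."""
    entry = directory.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def authenticate(directory, login, password, group_dn, base_dn=BASE_DN):
    """Group-restricted login: resolve the bind DN, then bind with the password."""
    dn = resolve_bind_dn(directory, login, group_dn, base_dn)
    if dn is None:
        return False
    return simple_bind(directory, dn, password)


if __name__ == "__main__":
    sslvpn = "cn=sslvpn,cn=groups," + BASE_DN
    print("sslvpn bind DN for jason:", resolve_bind_dn(DIRECTORY, "jason", sslvpn))
    print("jason authenticates:", authenticate(DIRECTORY, "jason", "constructed-secret", sslvpn))
    print("alice (not a member):", authenticate(DIRECTORY, "alice", "another-constructed-secret", sslvpn))
```

A profile that only supports the `uniqueMember` path would stop at the membership check for an `apple-group`, because there is no DN in the group entry to bind with; that is consistent with the invalid username/password symptom in the original question, since the bind never reaches the user object.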
