Lion Server and LDAPv2

Two weeks ago I had the task of connecting a Proxy and Webfilter, running on dedicated special hardware, to an Open Directory Master on a Lion Server. The Proxy and Webfilter is used to ensure that the MacBooks and iPads of a school are protected and cannot access inappropriate content on the web, which is required by law for schools in Germany. The school wants to control who can access which content, based on the student's grade. The Proxy offers this functionality and can bind to an LDAP server to pull users and groups. It was not too hard to find the correct settings for the LDAP server and the LDAP search base:

If the Lion OD Master server is mainserver.pretendco.com, the LDAP server is mainserver.pretendco.com and the search base is dc=mainserver,dc=pretendco,dc=com.

I had double-checked those settings with JXplorer, an open source LDAP browser. Still, the Proxy could not connect. After some troubleshooting, I found out that the Proxy only speaks LDAPv2, while Lion Server and its Open Directory Master love to speak LDAPv3. As the LDAP server in Lion is slapd, it should be possible to make it accept LDAPv2, too. Typically this is done by adding the line "allow bind_v2" to slapd.conf. Lion, however, is a bit of a special cat and reads its configuration from inside the LDAP database (the cn=config backend), which is a nice architecture. So instead of adding allow bind_v2 to slapd.conf, I looked inside the LDAP database for the OLCGlobalConfig entry under cn=config, where I found the dsAttrTypeNative:olcAllows key. I added bind_v2 as an additional value and the Proxy could connect. While Snow Leopard used Workgroup Manager's Inspector to manipulate the LDAP database, this functionality has moved to Directory Utility in Lion.
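The same change done from the command line instead of Directory Utility, as an added example that is not code from the original post. It assumes the global config entry is cn=config (Directory Utility shows the attribute as dsAttrTypeNative:olcAllows; over LDAP it is plain olcAllows), that the directory administrator's simple bind may read and write cn=config on your server, and that the host and admin DN in the usage comments are placeholders.

```shell
# Added example, not the original post's code. Assumptions: global config
# entry is "cn=config"; the admin DN in the usage lines is a placeholder.

# LDIF that appends bind_v2 to olcAllows. slapd's bind_v2 only makes it
# accept LDAPv2 bind requests; LDAPv2 has no StartTLS and no SASL, so keep
# the option for the one client that needs it and use v3 everywhere else.
make_bind_v2_ldif() {
  cat <<'EOF'
dn: cn=config
changetype: modify
add: olcAllows
olcAllows: bind_v2
EOF
}

# Reads LDIF (e.g. ldapsearch output) on stdin; returns 0 if some olcAllows
# value is bind_v2. Handles one value per line and space-separated values.
has_bind_v2() {
  awk '
    tolower($1) == "olcallows:" {
      for (i = 2; i <= NF; i++) if (tolower($i) == "bind_v2") found = 1
    }
    END { if (found) exit 0; exit 1 }'
}

# Constructed sample of what the olcAllows query returns after the change
# (not captured from a real server).
SAMPLE_AFTER='dn: cn=config
olcAllows: bind_v2'

# Query the live server's global config for olcAllows (prompts for the
# admin password). Usage:
#   server_allows_bind_v2 mainserver.pretendco.com \
#     "uid=diradmin,cn=users,dc=mainserver,dc=pretendco,dc=com"
server_allows_bind_v2() {
  ldapsearch -x -LLL -H "ldap://$1" -D "$2" -W -b cn=config -s base olcAllows \
    | has_bind_v2
}

# Apply the LDIF with the same admin bind; run server_allows_bind_v2
# afterwards to confirm the value landed.
apply_bind_v2() {
  make_bind_v2_ldif | ldapmodify -x -H "ldap://$1" -D "$2" -W
}
```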

See the screenshot of how it looks in Directory Utility:

[screenshot: Directory Utility, olcAllows with the added bind_v2 value]

So, have fun binding v2!
