

Authentication Issues For Mac

Uncategorized

by marloripvi1976 2020. 1. 30. 19:17



This issue happens only on my Mac and not on my PC (same account). Build: 16.5.185. As you can see below, I get a popup that should normally populate with my authentication page, but this doesn't happen and all I get is a blank screen. I have a user using a Mac G4 (OS 10) with the IE 5.2 client who cannot log on to a SharePoint Services site over the Internet. Both Basic and Windows Authentication are set in IIS 6.0.

How to Authenticate Mac OSX Against Active Directory

This paper will explain how to authenticate a Mac OS X 10.2 computer against Active Directory via LDAP without modifying any schema.

Part I: Getting your Schema Attributes

As an MCSE, the thought of making irreversible schema changes to our Active Directory to authenticate our Macs ranks up there with intentionally contracting scurvy. To make matters worse, all of the documentation available for OSX authentication either called for massive schema changes, buying expensive third-party software, or buying OSX servers, none of which was an acceptable solution. Another option which was reported to work was to statically map and script some of the settings. The only problem with this is that nobody actually had complete documentation on the process, which is the scope of this paper.

The first step in authenticating against Active Directory (AD for short) is to be able to actually see the directory. For testing purposes, it is much easier to use an LDAP viewer to home in on your settings than to try to authenticate against AD without knowing the exact settings you need. Get an LDAP viewer: Download the Java-based LDAP browser from here: Now unzip and open the lbe.jar file inside the “ldapbrowser” folder. Once the program has finished loading, select “New” and enter a name for this connection. Click on the Connection tab and enter the Fully Qualified Domain Name (FQDN for short, e.g. server.foo.bar) or the IP address of one of your Active Directory domain controllers into the host field. Port should be set to 389, and version should be set to 3.

Enter your network’s Base Suffix into the Base DN field. (A Base suffix is a collection of domain component (dc for short) items in your domain separated by commas. For example, for the domain “store.apple.com”, the Base suffix will be “dc=store,dc=apple,dc=com”. Note the lack of spaces between the dc’s.) Initially you should be able to connect anonymously and at least see the base DSE, although some admins have locked this down. To be able to connect and browse the directory you’ll have to supply credentials of a user that has been granted this permission. By default, all users have this permission unless your admin has changed something. If you’re the only user of a machine you can use your own account, but if you’re setting up a lab you should set up a user specifically for this purpose and deny this user any rights to anything important, because this user will be going on every OSX box as part of the setup. Let’s create this user and we’ll call him macviewer.


Uncheck the Anonymous bind checkbox. Enter “cn=yourusername,ou=yourou” into the User DN field, where yourusername is a username of any user in the domain (like the “macviewer” account), and yourou is the ou to which the user belongs (in a standard configuration, the OU is Users). Enter the password for that user, and check the “append base DN” check box. Click Save, and then click Connect. If everything that you entered was correct, then a list of items should appear on the left of the window. Select the OU that you entered, and select one user in that OU. On the right side of the window the Attributes belonging to that user will appear.
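The Base DN, bind (User) DN and a user lookup from the steps above, as an added Python example that is not part of the original paper. The domain “store.apple.com” and the “macviewer” account follow the paper’s own examples; the container RDN and the attribute names are assumptions. The bind DN defaults to cn=Users because Active Directory’s built-in Users is a container (CN), not an organizational unit; pass an “ou=…” RDN when your users live in a real OU. DN values are escaped per RFC 4514 and filter values per RFC 4515, so a record name containing LDAP metacharacters is treated as a literal and cannot change the meaning of the query.

```python
"""LDAP parameters for the Directory Access setup: Base DN, bind DN, lookup filter.

Added example, not the paper's code. 'store.apple.com' and 'macviewer' follow
the paper's examples; container RDN and attribute names are assumptions.
"""
import re

_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")   # one DNS label
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")             # LDAP attribute name


def base_dn_from_domain(domain: str) -> str:
    """'store.apple.com' -> 'dc=store,dc=apple,dc=com' (no spaces, as the paper notes)."""
    labels = domain.strip().lower().rstrip(".").split(".")
    if not labels or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"not a valid DNS domain: {domain!r}")
    return ",".join(f"dc={l}" for l in labels)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\\":
            out.append("\\\\")
        elif ch in ',+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:              # leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(username: str, base_dn: str, container_rdn: str = "cn=Users") -> str:
    """The 'User DN' the browser dialog wants, with the base suffix appended.
    Assumption for this example: AD's built-in Users is a container (cn=Users),
    not an OU; pass 'ou=...' when the account lives in a real OU."""
    return f"cn={escape_dn_value(username)},{container_rdn},{base_dn}"


_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(record_attr: str, record_name: str) -> str:
    """Filter that finds one user by the record-name attribute chosen in Part I."""
    if not _ATTR.fullmatch(record_attr):
        raise ValueError(f"not an attribute name: {record_attr!r}")
    return f"({record_attr}={escape_filter_value(record_name)})"


if __name__ == "__main__":
    base = base_dn_from_domain("store.apple.com")
    print("Base DN :", base)
    print("User DN :", build_bind_dn("macviewer", base))
    print("Filter  :", user_lookup_filter("sAMAccountName", "jdoe"))
    # Metacharacters in a record name stay literal instead of altering the filter.
    print("Escaped :", user_lookup_filter("sAMAccountName", "*)(objectClass=*"))
```

The values printed by the block are what goes into the browser’s Base DN and User DN fields; the filter is what the same lookup looks like on the wire once the record-name attribute from Part I has been chosen.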

From that list of attributes you should choose one to be the user ID for all your users. It could be something like uid, userID, or uSNCreated (we used uSNCreated in our network). You will also need to choose a Record Name for your users. Acceptable options would be sAMAccountName or cn (we used sAMAccountName in our network). Write these names down somewhere, as you will need them later in the setup.

Part II: Configuring Directory Access

Open the “Directory Access” application (located in /Applications/Utilities/).

Authenticate by clicking on the lock in the lower left corner of the screen if you have to. Uncheck all boxes except AppleTalk, LDAPv3, and SMB (that’s what we had, although LDAPv3 alone should be enough). Click on LDAPv3, and click on the “Configure” button. Uncheck the “Use DHCP-supplied LDAP Server” box. Click on Show Options. Click on the New button.

Enter a configuration name of your choice, the FQDN or IP of your Windows domain controller, uncheck the SSL check box, and select “Active Directory” from the LDAP Mappings pop-up menu. Enter your Search Base Suffix (see above) into the dialog that will pop-up, and press “OK”.

Click the Edit button. Set the “Open/close times out” and “Connection times out” fields to 10 seconds. Check the “Use authentication when connecting” box. Enter the following into the Distinguished Name field: “cn=yourusername, ou=yourou, yourbasesuffix” (see the top of this paper if you don’t know what these are). Enter the password for that user. Make sure that “Encrypt using SSL” and “Use custom port” are not checked. Click on the “Search & Mappings” tab.

Click on “Users”. The Search base field of the window should get automatically filled in.

The OU will be automatically set to Users. If your OU is not Users, then type in your OU instead. Make sure that the “all subtrees” radio button is selected. Click on the triangle to the left of “Users”. You will have to click on each attribute under the User type and map it to something using the box on the right. Map RecordName to the record name that you wrote down earlier (in our case it was sAMAccountName).

Map UniqueID to the unique ID that you wrote down earlier (in our case it was uSNCreated). Map RealName to “cn” (without the quotes). Don’t map the Password to anything. Map the PrimaryGroupID to “#20” (without quotes). This will make any network user that logs on to your Mac have the same privileges as the local non-administrator users. You may change this if you know what you’re doing. Don’t map the HomeDirectory to anything (delete the item that it was mapped to by default).

Map NFSHomeDirectory to “#/Users/localUser/” (without quotes), where localUser is the name of a local user on the machine whose home directory you want the network users to use when they log on to your Mac. Delete the following attributes (unless you really need them and know how to map them): EMailAddress, PhoneNumber, Comment. Press the “OK” button. Press “OK” again (you might have to enter your local admin password).
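The mapping steps above, as an added Python example (not the paper’s code). It applies the paper’s Directory Access mappings to a constructed AD record, treating a leading “#” as a literal value the way the dialog does, and then checks the result the way a practitioner would before rebooting into the new configuration: UniqueID must be a number that fits a 32-bit uid and stays above the range OS X uses for system accounts (below 500), PrimaryGroupID must be 20 (staff) rather than 80 (admin), and NFSHomeDirectory must point under /Users. The sample record and the field names are constructed for this example; uSNCreated is a per-domain-controller update sequence number and can differ between controllers, which is why the attribute choice is kept in a table rather than hard-coded.

```python
"""Apply Directory Access-style attribute mappings to an Active Directory record.

Added example, not from the original paper. The mapping table mirrors the
paper's Part II; the AD record below is constructed sample data.
"""
from typing import Dict, List

# The paper's mappings: a leading '#' means a literal value rather than an
# AD attribute name, exactly as the Directory Access dialog treats it.
PAPER_MAPPINGS: Dict[str, str] = {
    "RecordName": "sAMAccountName",            # record name chosen in Part I
    "UniqueID": "uSNCreated",                  # unique ID chosen in Part I
    "RealName": "cn",
    "PrimaryGroupID": "#20",                   # literal: group 20 = staff (non-admin)
    "NFSHomeDirectory": "#/Users/localUser/",  # literal shared local home directory
}

# Constructed sample of what the LDAP browser shows for one user.
SAMPLE_AD_RECORD: Dict[str, str] = {
    "sAMAccountName": "jdoe",
    "cn": "John Doe",
    "uSNCreated": "15204",
    "mail": "jdoe@example.invalid",
}


def resolve_mapping(mapping: Dict[str, str], ad_record: Dict[str, str]) -> Dict[str, str]:
    """Build the OS X user record; fail loudly if a mapped AD attribute is missing.
    A silently blank RecordName or UniqueID is what makes the lookupd test show
    only local users, so this refuses to produce such a record."""
    resolved: Dict[str, str] = {}
    for osx_attr, source in mapping.items():
        if source.startswith("#"):
            resolved[osx_attr] = source[1:]          # literal value
        elif source in ad_record and ad_record[source] != "":
            resolved[osx_attr] = ad_record[source]   # copied from AD
        else:
            raise KeyError(f"{osx_attr}: AD record has no usable attribute {source!r}")
    return resolved


def check_user_record(rec: Dict[str, str]) -> List[str]:
    """Sanity checks to run on the resolved record before rebooting."""
    problems: List[str] = []
    if not rec.get("RecordName"):
        problems.append("RecordName is empty")
    uid = rec.get("UniqueID", "")
    if not uid.isdigit():
        problems.append("UniqueID is not a number")
    elif int(uid) < 500:
        problems.append("UniqueID is below 500, the range OS X uses for system accounts")
    elif int(uid) >= 2 ** 32:
        problems.append("UniqueID does not fit a 32-bit uid")
    if rec.get("PrimaryGroupID") != "20":
        problems.append("PrimaryGroupID is not 20 (staff); 80 would grant admin rights")
    if not rec.get("NFSHomeDirectory", "").startswith("/Users/"):
        problems.append("NFSHomeDirectory is not under /Users")
    return problems


if __name__ == "__main__":
    record = resolve_mapping(PAPER_MAPPINGS, SAMPLE_AD_RECORD)
    for key, value in record.items():
        print(f"{key:18} {value}")
    print("problems:", check_user_record(record) or "none")
```

Running the block prints the record a network user would get under the paper’s mappings and an empty problem list; change the PrimaryGroupID literal to “#80” and the check reports it, which is the case the paper warns about with “you may change this if you know what you’re doing”.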

Click on the Authentication tab. Choose Custom path from the Search pop-up menu, then click on the Add button, and click Add in the dialog box that pops up. Do the same for the Contacts tab, and press Apply. Now you need to check whether your Mac can receive the user information from the Active Directory server by using the lookupd program: Open the Terminal, type in “lookupd -d” (without quotes, of course), and press Enter. At the prompt type in allUsers and press Enter. Information for all the users should appear, with the number of users at the bottom. If the number of users is between 18 and about 25 (the number of local users on your machine + system users), then it didn’t work.

Try to figure out what you have done wrong. If the number of users is much higher, congratulations!


You have done most of the work! Now you are ready to test to see if everything works. Restart the computer, and try to log in as a network user. NOTE: If your Mac freezes up after you made some changes in Directory Access, or it stalls on boot before the login screen comes up, then you will have to boot in single-user mode (hold Command-S during startup) and type in the following at the prompt, pressing Enter after each line:

mount -uw /
rm -r /Library/Preferences/DirectoryService
exit

Once the Mac has finished booting, log in and configure Directory Access all over again. If the login screen appears but you can’t log in as a network user, then log in as a local user, open Terminal, and enter the following, pressing Enter after each line:

lookupd -d
userWithName yourusername

This shows whether the Mac even gets the logon information for that user.

If so, then the problem is a password-encryption incompatibility. You’ll need to troubleshoot it a bit.
