9 Replies Latest reply on Jan 10, 2017 6:34 PM by wimdecorte

    Need help with external authentication and Open Directory

    user17152

      Hello everyone,

       

      I'd like to set up an Open Directory server for external authentication but am pretty clueless about how Open Directory works and was hoping someone here might be able to point me in the right direction, perhaps some links to other forum threads or online tutorials?

       

      I have two servers, one running Filemaker 15 Server, the other running OS X Server.  I've enabled Open Directory on the OS X machine and made a few user accounts, but that's about as far as I've gotten.  I've added the OS X Server IP to the Filemaker Server's Directory Service tab, but I didn't know what to enter for Entry Point.  I'm also not sure if my directory server requires me to log on?  I'm also unclear about whether or not DNS needs to be enabled on the OS X Server machine?

       

      When I click the "Test Directory Services Settings" button on the Filemaker Server's Directory Service tab, it reports "successful", but I'm not able to login when I open my test file with an externally authenticated user account.

       

      I'd appreciate any advice or links you external authentication pros have to offer.  Thanks!

        • 1. Re: Need help with external authentication and Open Directory
          bigtom

          Are the groups setup properly in FM? SSL?

           

          Maybe you already have read this link but if not:

          Setting up FileMaker Pro clients and FileMaker Server to use external authentication using the LDAP protocol | FileMaker

          • 2. Re: Need help with external authentication and Open Directory
            user17152

            Thanks for the reply Tom.  For the purposes of setting up the Open Directory server, I created a simple test file.  On the Open Directory machine, I created a user group called Test and assigned two users to the group.  In Filemaker, I created a new permission set and added an external authentication user to the file, entering "Test" for Group Name in the account setup window.  I assigned this external user the new permission set.

             

            SSL was not on.  I just read the document link you provided and it looks like that is required.  I can't see where I'm supposed to turn it on in OS X Server.  When the "Use SSL" checkbox is not checked in Filemaker Server's Directory Service tab, I get a successful test.  When I click "Use SSL", the test fails.

             

            The document link you sent confuses me a bit because it refers to the user accounts being on the same machine as the Filemaker Server.  I assume they are referring to the Open Directory users?  My understanding (from Filemaker) is that Filemaker Server 15 and OS X Server cannot reside on the same machine.  That's why I have two servers, one for Filemaker and one for a PHP web app hosted by OS X server (this is the Open Directory machine).  Also, the linked PDF at the bottom of the support document references Filemaker 9, OS X 10.4, and NetInfo Manager!  In other words, it seems very out of date.

             

            The support doc says to check the following if one cannot login:

            • The external accounts that are defined in FileMaker match the domain or local groups that are setup

             

            There are no local groups (assuming local means the Filemaker server) since OS X server and the Open Directory service are on another machine.  I keep seeing references to domains matching and Domain Controllers, but I don't fully understand what that means.  I'm assuming the Domain Controller is a machine (the Open Directory machine?) on the network and somehow I have to make the Filemaker server part of that "domain"?

             

            The other thing I don't understand is "Entry Point".  Do I need to enter anything here?  How do I figure out what to enter?

             

            I guess I should also note my reasons for wanting to use a directory server and give you a bit of info about the network configuration.  I'd like to break my current solution into several files and don't want to maintain logins across multiple files.  Our Filemaker server is only accessible from the local network or when connected by VPN.  It is not accessible from the Internet.  The Open Directory machine receives a local IP address and our router uses 1:1 NAT to direct a static IP to this machine.  We are using SeedCode Subscribe on this machine to generate read-only calendars, hence the need for a static IP for syncing.  It is running the latest version of OS X server.  I figured it could be the Open Directory server as well.

            • 3. Re: Need help with external authentication and Open Directory
              electon

              So it works when the checkbox "Use SSL" is not enabled and does not when it's enabled.

               

              What SSL certificates are you using and did you set them up beforehand?

              According to FileMaker help:


              Using SSL with an LDAP directory service

              If your organization uses an LDAP directory service, you can enable Use Secure Sockets Layer (SSL) in the Directory Service assistant to encrypt the user names and passwords that FileMaker Server and FileMaker Pro clients use to log in to the LDAP server.

              To use SSL with an LDAP service with FileMaker Server and FileMaker Pro clients, there are several requirements:

              • In each FileMaker Pro client, Use Secure Sockets Layer (SSL) in the Specify LDAP Directory Service dialog box must be enabled.
              • On Windows, the LDAP server must have Active Directory certificate services (AD CS) installed if using the LDAP server as the (CA). For more information, see the documentation on Active Directory.
              • On MacOS, SSL must be enabled in Open Directory. For more information, see the documentation for Open Directory.
              • You cannot use self-signed certificates for a secure SSL connection to an LDAP server. Signed client and server root CA certificates issued by a trusted certificate authority (CA) are required. The server root CA certificate must be installed on the machine where the LDAP server is running. The client root CA certificate must be installed on the FileMaker Server master machine and on FileMaker Pro computers that are using SSL to connect to an LDAP service.

               

              Does this help?

              Thomas.

              • 4. Re: Need help with external authentication and Open Directory
                wimdecorte

                user17152 wrote:


                The support doc says to check the following if one cannot login:

                • The external accounts that are defined in FileMaker match the domain or local groups that are setup

                 

                There are no local groups (assuming local means the Filemaker server) since OS X server and the Open Directory service are on another machine.

                 

                The wording is meant to cover all 3 possible EA scenarios:

                - authenticating against AD

                - authenticating against OD

                - authenticating against local accounts/groups on the FMS machine's OS (when no AD or OD is in play).

                 

For your purpose you can completely ignore any references to local accounts and groups.

                 

                You are fine with having OD on a separate machine, that is the best practice setup.

                One thing to try: log into the FMS machine's OS with an OD account.  If that works then the OS config for the OD is correct (in that the FMS machine's OS is properly bound to the OD).

                 

                Also make sure that the clocks between the FMS machine and the OD machine are in sync.

                • 5. Re: Need help with external authentication and Open Directory
                  wimdecorte

                  user17152 wrote:

                  I'm assuming the Domain Controller is a machine (the Open Directory machine?) on the network and somehow I have to make the Filemaker server part of that "domain"?

                   

                  Yes.  That is the key.  The FMS machine's OS needs to be made to be a member server in the domain.  In OD terms that's often referred to as 'bound to the OD'.

                   

                  'Domain Controller' is an AD term, but the principle holds for OD too. 

                   

                  In FMS' admin console the only config change is to flip to 'FM and external accounts' on the Security tab.

                   

                  user17152 wrote:

                   

                  When the "Use SSL" checkbox is not checked in Filemaker Server's Directory Service tab, I get a successful test. When I click "Use SSL", the test fails.


                  HALT!

                   

                  The 'directory service' tab in the FMS admin console HAS ****NOTHING**** TO DO WITH AUTHENTICATING USERS.  So don't configure it and don't waste another second on it.

                   

                  From the Tower of Babel: FileMaker Server and Directory Services and LDAP - Soliant Consulting

                   

                  That 'directory service' tab is the single biggest misconception around FM's EA.

                  • 6. Re: Need help with external authentication and Open Directory
                    electon

                    wimdecorte wrote:

                     

                    One thing to try: log into the FMS machine's OS with an OD account. If that works then the OS config for the OD is correct (in that the FMS machine's OS is properly bound to the OD).

                     

                    Would it not fail if the OD account is setup with "Services Only" enabled?

From memory, I think it would since there's no Home folder enabled for that account.

                    • 7. Re: Need help with external authentication and Open Directory
                      wimdecorte

It might, but to test you could set up an OD account that is a full user.  The aim here is to verify that the FMS machine's OS is properly bound to the OD.

                      • 8. Re: Need help with external authentication and Open Directory
                        user17152

                        Thank you all for the replies!  It's working!  In the end, I had a few configuration issues...

                         

                        There was an issue with my router and the 1:1 NAT configuration that mapped the public/static IP to the private/local IP.  That's the machine that's providing Open Directory service.

                         

                        I also needed to enable DNS on the OS X server and configure the clients on my network to use it for DNS service.

                         

                        I followed wimdecorte's suggestion (thanks!) of logging in to a network account from the Filemaker server machine to test the directory service.  That's how I figured out the problem wasn't Filemaker, but rather my NAT and DNS configurations.  Once those were fixed, I could login.

                         

And then I discovered...I had made a mistake when configuring the external authentication user account in Filemaker.  I used the OS X Server group's full name, not short name, for the Filemaker external user's Group Name.  I'm not sure how it happened, but the OS X Server's group name was one thing and the short name was "workgroup".  Instead of using "workgroup" for the Filemaker external user group name, I used the group's full name.

                         

                        All's well that ends well.  Thanks especially to wimdecorte for steering me away from the Directory Service tab in Filemaker Server too.  Now that I've set it up, I will say the documentation is rather confusing.  It's actually quite simple to get it up and running, at least using OS X Server's Open Directory service.  Thanks again!

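Added example (not posted by anyone in this thread, and not FileMaker's or Apple's code) illustrating the two things that ended up mattering on the FileMaker side: the account's Group Name must equal the Open Directory group's short name (what `dscl` reports as RecordName), not its full name (RealName), and the user must actually be listed in that group. The script parses a group record in the text format `dscl` prints and reports which name the configured value matches. The sample record, group, user and GUID values are constructed for the example; the assumption that values containing spaces appear on an indented continuation line follows `dscl`'s usual output layout.

```python
"""Check a FileMaker external-authentication Group Name against an Open
Directory group record exported with `dscl`.

FileMaker needs the OD group's short name (RecordName), not its full/display
name (RealName). This parses a dscl group record and reports which of the two
a configured name matches, and whether a user short name is in the group.
"""

# Constructed sample in the shape of
#   dscl /LDAPv3/127.0.0.1 -read /Groups/workgroup
# Group, user and GUID values are invented for this example.  A value that
# contains spaces (RealName here) is printed by dscl on an indented
# continuation line under a bare "Key:" header.
SAMPLE_DSCL_GROUP = """\
AppleMetaNodeLocation: /LDAPv3/127.0.0.1
GeneratedUID: 00000000-0000-0000-0000-000000000001
GroupMembership: alice bob
Password: *
PrimaryGroupID: 1025
RealName:
 Test Group
RecordName: workgroup
RecordType: dsRecTypeStandard:Groups
"""


def parse_dscl_record(text):
    """Turn dscl 'Key: value' lines into {key: [values...]}.

    Multi-valued attributes (RecordName, GroupMembership) are space-separated
    on one line; a value with embedded spaces follows on a continuation line.
    """
    record = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            record[current].append(raw.strip())  # continuation value
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        current = key.strip()
        record[current] = value.split()  # [] for a bare "Key:" header
    return record


def check_group_name(configured, record):
    """Classify a FileMaker Group Name against the OD record.

    Returns 'ok' (matches a short name), 'full-name' (matches only the
    display name, the mistake described in the thread) or 'no-match'.
    Comparison is exact, including case.
    """
    short_names = record.get("RecordName", [])
    full_name = " ".join(record.get("RealName", []))
    if configured in short_names:
        return "ok"
    if full_name and configured == full_name:
        return "full-name"
    return "no-match"


def is_member(user_short_name, record):
    """Direct membership only; nested groups are not expanded here."""
    return user_short_name in record.get("GroupMembership", [])


def diagnose(configured_group, user, record):
    """Return human-readable findings for one FileMaker account setup."""
    findings = []
    short = ", ".join(record.get("RecordName", [])) or "<none>"
    verdict = check_group_name(configured_group, record)
    if verdict == "ok":
        findings.append(f"Group Name '{configured_group}' matches the OD short name.")
    elif verdict == "full-name":
        findings.append(
            f"Group Name '{configured_group}' is the group's full name; "
            f"use the short name '{short}' in FileMaker instead."
        )
    else:
        findings.append(
            f"Group Name '{configured_group}' matches no OD name (short name: {short})."
        )
    if is_member(user, record):
        findings.append(f"User '{user}' is a member of the group.")
    else:
        findings.append(f"User '{user}' is not in GroupMembership; login will fail.")
    return findings


if __name__ == "__main__":
    rec = parse_dscl_record(SAMPLE_DSCL_GROUP)
    for configured in ("Test Group", "workgroup"):
        for line in diagnose(configured, "alice", rec):
            print(line)
```

To use it against a real server, replace SAMPLE_DSCL_GROUP with the output of `dscl <node> -read /Groups/<shortname>` run on a machine bound to the OD, and compare the RecordName it prints with what is typed into the FileMaker account's Group Name field.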
                        • 9. Re: Need help with external authentication and Open Directory
                          wimdecorte

                          Glad you got it working and thanks for posting back with what made it work!