17 Replies Latest reply on May 28, 2012 9:11 AM by taylorsharpe

    FileMaker 12 Server on Mac 10.7.4 Server - External Authentication

    taylorsharpe

      I have a Mac Pro running Server (10.7.4) with FileMaker 12 Advanced Server. I have turned on Open Directory, making it a stand alone Open Directory Master, and set up the certificate and SSL. I've added Users and Groups and they all work fine for services on the Mac. I go to the FileMaker Admin Console, and Configure Directory Service. I put in the Server Address (ns2.mydomain.com) and Entry point (ou=ns2,dc=mydomain,dc=com) (obviously substituting my domain where I say "mydomain"), check the SSL box, and then press the Test Directory Service Button. It tells me the external authentication is successful. So it sure sounds like it is all working for FileMaker Server authenticating to Open Directory.

       

      I go to my FileMaker database. I create a group for external authentication. To keep it simple, I make the group "filemaker" and I give it Full Access and make sure Full Access has access by fmapp in the privilege set. The test user I created on the Mac Mini Server.app is "John Doe" and he belongs to group "filemaker". I try connecting and it fails. I've tried it with several names just to make sure and double checked passwords. I've tried it with the short name "johndoe". I've tried it with SSL turned off. I've tried going to Server.app and opening John Doe and making him able to administer the server. That didn't help. I've made sure that John Doe has the little globe next to his user name to assure he is an LDAP user. I've tried creating another group on another file on the same server, but it still doesn't help. In the FM Admin Console's Configure Directory Service, I've tried changing the Address Point from the domain name to the public IP, then to the local IP, and then to 127.0.0.1. That didn't change anything. I tried it without an Entry Point, and that didn't change. Every time I made these changes, the "Test Directory Service Settings" button said the test was successful, but the FileMaker database still would not let the user in. I've made sure the "filemaker" group is at the top of the authentication list in the FileMaker Security so it is evaluated first.

       

      In the past I have done this on Snow Leopard machines and it just always worked. This is just my development machine, but next week I'm supposed to try to set it up on a production machine and want to figure out why it is not working here first. Anyone else have a Mac Server 10.7.4 with FileMaker Server successfully using Open Directory authentication?

        • 1. Re: FileMaker 12 Server on Mac 10.7.4 Server - External Authentication
          wimdecorte

          taylorsharpe wrote:

           

          I go to the FileMaker Admin Console, and Configure Directory Service.

           

          That configuration option has nothing to do with authenticating users at all.  It's a very common misconception.

           

          All that is required for EA to work is:

          - configure FMS through the admin console to allow "FileMaker and external accounts" on the security tab

          - make the FMS machine itself part of the OD domain.

           

          I'm a little confused where you mention that you have a Mac Pro running OD+FMS but later you mention a Mac Mini.  Can you re-state what is running on what?

          • 2. Re: FileMaker 12 Server on Mac 10.7.4 Server - External Authentication
            taylorsharpe

            The Mac Mini reference was a mistake.  It is a Mac Pro. 

             

            I understand that the FileMaker Admin Console's Configure Directory service is not authenticating, but what it does is verify that FileMaker Server can talk with and exchange credentials with the Open Directory, which is on the same machine.  This is the first step to making sure it is working because it confirms that FileMaker Server and Open Directory are talking.  The next step is what you are talking about, which is making sure the Manage>Security  is set up correctly.  I've actually done this many times at many clients and never had a problem.  So I am familiar with the process, but have not done it with Lion and FileMaker 12.  Have you tried it with Lion and FMS 12?  I actually wiped this machine about a month ago and installed Lion cleanly.  So I would not think it is an OS problem and all the other services on the OS respond just fine to the OD authentications.  Thank you for any additional input or ideas you can give. 

            • 3. Re: FileMaker 12 Server on Mac 10.7.4 Server - External Authentication
              wimdecorte

              It's a good troubleshooting step, but you cannot draw the conclusion that they both communicate properly for FM client authentication purposes. All that it confirms is that the account you specify can log into OD to see data; what you cannot conclude is that FMS is actually asking OD for the authentication.   FMS will always go through the accounts and groups on the local machine first before even looking at the AD.  Double-check that the "filemaker" group does not exist on the local machine (outside of OD).

              • 4. Re: FileMaker 12 Server on Mac 10.7.4 Server - External Authentication
                MartinCrosman

                Doesn't the order in which accounts appear also matter? That is, if I have an active account that is authenticated by FileMaker appearing on the list of accounts before the external group, then the external account will not be used.

                 

                Martin Crossman

                Sent from my iPhone

                • 5. Re: FileMaker 12 Server on Mac 10.7.4 Server - External Authentication
                  taylorsharpe

                  By the way, this is the same machine.  Open Directory is on the Mac OS X 10.7.4 Mac Pro which is also hosting FileMaker Server Advanced.  I have never said that the FM client authenticated.  In fact, it hasn't.  What I have said is that the FileMaker Admin Console has an area under the "Configuration", then click on "Database Server", then click the tab "FileMaker Clients" then look in the bottom right hand corner for the "Configure Directory Service".  That is how you make sure your FileMaker Server is talking to the OD to ask for authentication.  In that configuration, I have run the test to confirm that FileMaker Server is talking on the same port using SSL, etc., to OD and asking for verification of authentication.  We know this works.  We know that when we use a client to authenticate to the database, that the client is denied access.  But I wanted to make it clear that the issue is not a matter of FileMaker Server talking to OD since we have tested it. 

                   

                  The user I created, "John Doe" had one and only one group that I created, "filemaker".  I made sure that FileMaker was at the top of the security list for the database I tried to authenticate to because, as Martin noted, the order does matter.  I have tried this on two different databases with the same result of denied access. 

                   

                  Since I have done this probably a couple dozen times on Snow Leopard and Leopard successfully, I am trying to figure out if this is a Lion issue or a FMS 12 issue.  That is why I was asking if anyone else has done this using Mac OS X Server Lion 10.7.4 and FMS v12.  And if so, do you see any obvious steps I have missed or things you are aware of that are different than using FMS 11 or Snow Leopard. 

                   

                  Thanks for any ideas or input. 

                   

                  [screenshot attachment: fm.jpg]

                  • 6. Re: FileMaker 12 Server on Mac 10.7.4 Server - External Authentication
                    taylorsharpe

                    Here is the Server Admin.app on the left with OD running and on the right is the Server.app with group "filemaker" and user "John Doe" assigned to it.  FYI, short name for "John Doe" is "johndoe" and I have tried that as a logon unsuccessfully too. 

                     

                    [screenshot attachment: fm1.jpg]

                    • 7. Re: FileMaker 12 Server on Mac 10.7.4 Server - External Authentication
                      wimdecorte

                      taylorsharpe wrote:

                       

                      What I have said is that the FileMaker Admin Console has an area under the "Configuration", then click on "Database Server", then click the tab "FileMaker Clients" then look in the bottom right hand corner for the "Configure Directory Service".  That is how you make sure your FileMaker Server is talking to the OD to ask for authentication.

                       

                      That's the part in your reasoning / understanding that is not true.  That does nothing for authentication.  It just establishes that your OD can be contacted for writing data to it (such as the FMS IP address / name / admin contact info); it is not a valid test for FM client authentication.  So the fact that this configuration option works is a red herring, don't dwell on it.

                       

                      EA with OD works with FMS 12 and 10.7.4, I've tested that.  But I don't usually set up the OD and the FMS on the same box, so my guess is that it is something there.  Try creating a local group and local account and test with that.  If that works then it must be the OD configuration.

                       

                      Can you log into the FMS machine itself with the johndoe OD account?

                      • 8. Re: FileMaker 12 Server on Mac 10.7.4 Server - External Authentication
                        taylorsharpe

                        Oh my..... you don't get it.  I know exactly how this works.  The Admin console has to be configured to properly talk to OD.  I am confirming that this part of the process works and that was one of my steps of confirmation.  I know that this is just a tunnel connection between the two services and not the actual authentication.  But it still has to work if there will ever be an authentication.  Goodness!

                         

                        You have not been helpful because you have only restated what I have already confirmed.  OD does the authentication and it is not authenticating.  Back tracking, I made sure that  FMS was properly talking to OD in the same way I went to Server.app to make sure it was configured properly and also Server Admin.app. 

                         

                        I know how to do this and have done it many times in Snow Leopard and FMS 11.  It is NOT working in the situation of Lion 10.7.4 and FMS12 on the same machine.  I need someone to respond that has done this before.  It is the latest version of both the Lion OS and FMS.  I test these things on development machine before rolling them out on production machines and this is the test that has failed. 

                         

                        I am looking for someone to respond that has actually tried this and I hate to say it, but your responses have not been helpful. 

                         

                        Is there someone out there that has actually used these latest versions and tested them to see that they really work together on the same machine.  

                        • 9. Re: FileMaker 12 Server on Mac 10.7.4 Server - External Authentication
                          taylorsharpe

                          FYI, in response to your last paragraph, yes, I did log in with "John Doe" and it worked.  But I didn't just log in.  I tested different services (Mail, AFP, FTP) to see if there were problems with other services not working.  They all worked.  FMS is the only service not authenticating, which is why I kept going back to the tunnel between OD and FMS Admin Console. 

                          • 10. Re: FileMaker 12 Server on Mac 10.7.4 Server - External Authentication
                            ch0c0halic

                            Taylor may be misdirected,

                             

                            Sorry but from what I've read it appears you do not understand how FMS performs authentication.

                             

                            The Directory Service that FMS is referring to is LDAP and it is not the same as AD or OD. FMS does not do Security user authentication against LDAP. Configuring the LDAP part of FMS is only so LDAP users can find databases, which no one I know actually uses. It is not for Security authentication.

                             

                            The LDAP setup only affects this setting.

                            Select the "Open Remote" menu item.

                            At the top of the window is a drop down list called "View:". One of the entries is "Hosts Listed by LDAP". The "Directory Service" settings in FMS are only used to populate that list.

                             

                            It is confusing because some of the same words are used to define each service. If you have the OD Domain controller set up and working then you only have to click the "FileMaker and external server accounts" radio button to make it usable.

                            Both OD and AD authentications are entirely done by the OS. FMS requests Authentication validation from the OS Services which then connects to the Authentication (AD or OD) server to perform the authentication and get a list of Groups associated with that user account. All you have to do is get the OS to authenticate against the AD or OD service and FMS will then be able to authenticate.

                             

                            I suggest you save yourself a lot of headaches and ignore that part of the FMS setup. Unless you have an LDAP Directory Service set up for database discovery. It has nothing to do with FMS User Authentication.

                            • 11. Re: FileMaker 12 Server on Mac 10.7.4 Server - External Authentication
                              taylorsharpe

                              I have been using LDAP and it has been working fine, but my statements above have been incorrect in that what I was referring to was LDAP and not OD because I assumed them to include LDAP (see Wikipedia reference below).

                               

                              When I go to Workgroup Manager, I switch to LDAP and find "John Doe" in the LDAP directory.  So I switch back to the Local directory, which would be the local OD directory (not LDAP.... local is technically "NetInfo").  I create "janesmith" and assign a group "FM".   I put FM at the top of the FileMaker security list for the database to first evaluate.  I log in and it still does not work.  Neither by OD's LDAP or Local (NetInfo) . 

                               

                              FYI, LDAP is frequently used in enterprise setting where you want to control users, but don't want them on the local machine as local users.  Interestingly, when finding servers I have set up this way, I have never had to use the "Host Listed by LDAP".  I had always opened under the normal Open Remote Favorites. 

                               

                              I searched on Google for "open directory domain controller" and the first entry I found is:

                               

                              [screenshot attachment: FM7.jpg]

                               

                              The very first sentence says the Apple Open Directory is the LDAP directory service, which is what I have been using.  I have created an Open Directory Master which is what the 2nd paragraph talks about.  I have gone to Workgroup Manager and changed from Local to LDAP and created the user there. 

                               

                              I actually used to never get FileMaker to authenticate against a local user and that is why I have always used LDAP, plus LDAP is how enterprise systems do it.  And if you didn't use FMS's Directory Service configuration, how would you tell FMS to authenticate against another server that controls User ID's and passwords?  When at a large government installation, we had to do this to get it to seek authentication from the master Active Directory back in Washington DC and not your local machine, and it worked just fine. 

                               

                              Referencing your last paragraph about avoiding a lot of headaches and saying I should quit using the LDAP part of OD, I still cannot authenticate a local OD user with FileMaker.  I'm all for the easy route, but I don't see that working, plus I have production machines that need authenticating to other servers. 

                               

                              You say "It is confusing because some of the same words are used to define each service. If you have the OD Domain controller set up and working then you only have to click the "FileMaker and external server accounts" radio button to make it usable."  I am not sure what you mean.  I go to Server Admin.app and connect to the server and click on Open Directory and it shows I have an Open Directory Master.  I do not see where you would add a FileMaker Service to Open Directory for authentication.  If I go to services on the server, it only lists the Apple available services to turn off and on.  So what do you mean clicking the radio button to make it usable?  That may be what I am not doing and don't know how to do.  Any assistance is appreciated. 

                               

                              [screenshot attachment: FM8.jpg]

                              • 12. Re: FileMaker 12 Server on Mac 10.7.4 Server - External Authentication
                                Vaughan

                                Be aware that there is an authentication order for externally authenticated accounts. When a user authenticates with account name "janedoe" then:

                                 

                                if the database has a user called janedoe then that will be used; if not then:

                                if the FMS host computer has a local user account called janedoe then that will be used; if not then:

                                if the OD/AD has a user called janedoe in the appropriate group then that will be used.

                                 

                                 

                                Disable all user accounts in the FileMaker databases to ensure they are not used.

                                Check the server's local accounts and see if a username exists there.

                                 

                                Open Directory uses LDAP technology, but any old LDAP server cannot be used for external authentication, it must be Open Directory.

                                 

                                The admin console does NOT have to be configured to OD for external authentication to work.

                                • 13. Re: FileMaker 12 Server on Mac 10.7.4 Server - External Authentication
                                  wimdecorte

                                  taylorsharpe wrote:

                                   

                                  And if you didn't use FMS's Directory Service configuration, how would you tell FMS to authenticate against another server that controls User ID's and passwords? 

                                   

                                  The only way you tell FMS to use external accounts is the "FileMaker and External accounts" setting on the security tab.  Just as Jimmy explained, it is the configuration of the OS that FMS runs on that dictates how the authentication will be done: FMS hands off the authentication request to the OS, the OS looks at its own config and asks "who is my authenticator".  If it is a member server of an OD or AD it will ask there.  If it is not a member server of an AD or OD it will look at its own local accounts and groups.

                                   

                                  The fact that it appeared to work for you in other deployments by using the Directory Services configuration is a total red herring.

                                   

                                  For now I would remove the OD role from the FMS machine and test with basic accounts and groups.  That should get you going.

                                  • 14. Re: FileMaker 12 Server on Mac 10.7.4 Server - External Authentication
                                    shearn

                                    Some other things to check that may have been forgotten:

                                     

                                    - as Wim and Jimmy suggest, make sure the FMS Admin Console setting in Security is set to 'FileMaker and External Accounts'

                                    - I believe the security group is case sensitive so check that the case is identical in the Server.app and your EA Group in your fm file

                                    - check that the fm file doesn't have an auto-login defined in the file options
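The resolution order Vaughan describes (file accounts, then the host's local accounts, then the directory groups) together with the case-sensitivity and local-group shadowing points raised above, as an added model in Python. This is not FileMaker's code; the account, host and group data are constructed samples, and treating a same-named local group as shadowing the directory group is an assumption drawn from the advice in this thread.

```python
from dataclasses import dataclass, field

@dataclass
class FileAccount:
    """One entry in the database's account list, kept in list order."""
    name: str                 # account name, or the external group name
    external: bool = False    # True = "External Server" account (a group name)
    active: bool = True

@dataclass
class Host:
    """What the FMS host can see: its own accounts and what the directory answers."""
    local_users: set = field(default_factory=set)
    local_groups: dict = field(default_factory=dict)      # group -> member logins
    directory_groups: dict = field(default_factory=dict)  # login -> groups from OD/AD

def resolve(login: str, accounts: list, host: Host):
    """Return (source, matched_name) on success or (None, reason) on failure."""
    # 1. an active FileMaker account defined in the file wins outright
    for acct in accounts:
        if not acct.external and acct.active and acct.name == login:
            return ("file-account", acct.name)
    # 2. a local user on the FMS host shadows a directory user of the same name
    if login in host.local_users:
        return ("local-user", login)
    # 3. external group entries, walked in the order they appear in the file
    dir_groups = host.directory_groups.get(login, set())
    for acct in accounts:
        if not acct.external or not acct.active:
            continue
        if acct.name in host.local_groups:
            # assumption: a local group of that name is consulted instead of the
            # directory group, so a directory-only user is never a member of it
            if login in host.local_groups[acct.name]:
                return ("local-group", acct.name)
            return (None, f"local group '{acct.name}' shadows the directory group")
        if acct.name in dir_groups:   # exact, case-sensitive comparison
            return ("external-group", acct.name)
    return (None, "no account or external group matched")

# Constructed scenarios mirroring the thread (sample data, not real hosts)
OD_HOST = Host(directory_groups={"johndoe": {"filemaker"}})
SHADOWED_HOST = Host(local_groups={"filemaker": set()},
                     directory_groups={"johndoe": {"filemaker"}})

if __name__ == "__main__":
    accounts = [FileAccount("filemaker", external=True), FileAccount("Admin")]
    print(resolve("johndoe", accounts, OD_HOST))        # external group matches
    print(resolve("johndoe", accounts, SHADOWED_HOST))  # blocked by local group
    # group name typed with different case in the file never matches
    print(resolve("johndoe", [FileAccount("Filemaker", external=True)], OD_HOST))
```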
