4 Replies Latest reply on Sep 5, 2012 3:55 PM by gsokolsky

    Client Authentication against multiple OD Masters broken in FMSA 12?

    gsokolsky

      We have two Open Directory Master (10.6.8) servers. One for students and teachers, one for administrative staff. The Filemaker Server is a standalone server that does not hold user accounts. I am using External server accounts to authenticate FM users.

      With FMSA 11 running on 10.6.8 server I was able to add both OD Masters to the Filemaker server's Authentication path (using Directory Utility) which allowed users on both servers to authenticate and use Filemaker client - it worked like a dream!

      [screenshot: Screen Shot 2012-09-04 at 9.13.06 AM.JPG (Directory Utility authentication path)]

      With FMSA 12 running on 10.7.4 or 10.8.1 server, only users hosted on the server that's first in the LDAPv3 authentication path list can authenticate successfully. For example, using the configuration above, users on the server ushome can open a filemaker database. If a user from castlehome tries to open a database they get "The account and password you entered cannot be used to access this file."

      [screenshot: setup2.jpg (Directory Utility authentication path, alternate order)]

      Using this configuration, users on the server castlehome can open filemaker databases. If a user from ushome tries to open a database they get the same error as above.

      I have wiped, reinstalled server more times than I'd like to count - it's not an OS issue. Did they remove the ability to authenticate to more than one OD Master in 12 server or am I missing a checkbox somewhere?

      Any ideas?

        • 1. Re: Client Authentication against multiple OD Masters broken in FMSA 12?
          wimdecorte

          Authentication is handled by the OS: basically FMS asks the OS to validate the credentials, the OS goes through the Directory tree and comes back with a result for FMS (basically a list of groups the user belongs to). So to me it seems that this is something that is broken in going from 10.6.8 to 10.7/10.8, not something that is broken in FMS. FMS doesn't care how many directory tree entries there are, it just waits for the OS to come back from going through them all.

          Can you log into the machine itself with credentials from the ushome OD?

          Are you 100% sure that no user accounts with the same short name exist in castlehome that may have a different pw than in ushome?
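The two checks wimdecorte raises (does the OS itself resolve the account, and does the same short name exist on more than one OD node) can be run from the FileMaker Server host with dscl. The script below is an added example written for this thread, not something posted by either participant or shipped with FileMaker Server. It assumes the LDAPv3 nodes are the ones registered in Directory Utility (the thread's ushome and castlehome), that the host can reach them, and that user records appear under /Users on each node. It reports every node that holds the short name, flags the ambiguous case, and shows which node the search path actually resolves the name from (the first match wins, which matters when the same short name exists on both masters).

```shell
#!/bin/sh
# Added diagnostic (not from the thread): for each short name given on the
# command line, check which LDAPv3 node(s) in the search path hold it and
# which node the OS search path resolves it from. Run on the FMS host.

# Enumerate the LDAPv3 nodes configured in Directory Utility.
list_ldap_nodes() {
    dscl localhost -list /LDAPv3
}

# Print each node that has a user record with this short name, one per line.
# Exit status is 1 when the name exists on more than one node (ambiguous).
nodes_holding_user() {
    user=$1
    count=0
    for node in $(list_ldap_nodes); do
        if dscl "/LDAPv3/$node" -read "/Users/$user" RecordName >/dev/null 2>&1; then
            echo "$node"
            count=$((count + 1))
        fi
    done
    [ "$count" -le 1 ]
}

# The node the /Search path resolves this name from; only the first match is
# returned by the OS, so a duplicate on a later node is never consulted.
resolving_node() {
    dscl /Search -read "/Users/$1" AppleMetaNodeLocation 2>/dev/null \
        | sed -n 's/^AppleMetaNodeLocation: //p'
}

# Human-readable report for one short name.
check_user() {
    user=$1
    echo "== $user =="
    if nodes=$(nodes_holding_user "$user"); then
        echo "found on: $(echo "$nodes" | tr '\n' ' ')"
    else
        echo "WARNING: short name '$user' exists on more than one node:"
        echo "$nodes"
    fi
    echo "search path resolves to: $(resolving_node "$user")"
    # The OS view of the account and its groups, which is what FMS receives.
    echo "OS view: $(id "$user" 2>/dev/null || echo 'not resolvable')"
}

# Usage: sh check_od_user.sh alice bob
if [ $# -gt 0 ]; then
    for u in "$@"; do check_user "$u"; done
fi
```

If a name shows up on both nodes, the search path silently stops at the first one, so a password that is only valid on the second node fails exactly as described in the original post; if each name is on one node only and `id` still resolves it, the OS side is fine and the problem is downstream of the directory lookup.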

          • 2. Re: Client Authentication against multiple OD Masters broken in FMSA 12?
            gsokolsky

            Wimdecorte,

            Thanks for the reply.

            Can you log into the machine itself with credentials from the ushome OD?

            Yes. And from CastleHome OD.

            Are you 100% sure that no user accounts with the same short name exist in castlehome that may have a different pw than in ushome?

            Yes.  I learned about that the hard way in the past!

            It seems that Filemaker server isn't able to see past the first entry in the directory tree, whereas the OS has no problem with it.

            Any other ideas?

            • 3. Re: Client Authentication against multiple OD Masters broken in FMSA 12?
              wimdecorte

              The thing is that FMS doesn't go through the Directory Tree, it's the OS.  Apple has a terrible reputation for messing up AD and OD authentication with every new release.  I would spend some time on the apple forums to see if anyone has reported OD issues.

              Also open a support ticket with FMI to see if they have more info.

              • 4. Re: Client Authentication against multiple OD Masters broken in FMSA 12?
                gsokolsky

                Thanks again for your reply.

                wimdecorte wrote:

                The thing is that FMS doesn't go through the Directory Tree, it's the OS.  Apple has a terrible reputation for messing up AD and OD authentication with every new release.  I would spend some time on the apple forums to see if anyone has reported OD issues.

                I agree and am often baffled by Apple server's ability/inability to handle directory services.  However - since I can log into the Filemaker Server machine with credentials from either of the OD Masters in my directory tree successfully, I don't think the issue lies with the OS.

                Also open a support ticket with FMI to see if they have more info.

                I called FM tech support before I posted here.  They told me that they were very surprised that what I had working with FMSA 11 actually worked as they don't support that kind of thing.  They wouldn't help me with FMSA 12 multiple OD directory authentication because of this. Granted, I could have talked to someone having a bad day or didn't have experience with this kind of thing, but needless to say, I didn't want to hear that so I reached out to the forums.

                This is unacceptable to me.

                Does anyone else out there have multiple directory authentication working with FMSA 12?

                What if your solution spans different companies/locations/departments that use their own unique directory servers? Do I have to go back to Filemaker 5 "land" and give them generic credentials? Or should I give up on Open Directory and delve into Active Directory? Before I do though, I want to make sure FMSA 12 can even do it with Active Directory...

                Help!