Saturday, 2 February 2013

Fun with Sophos UTM and Mac OS X Lion ldap

Scenario: Sophos UTM 9 gateway needs to authenticate unknown users against a Mac OS X Lion server running Open Directory.  How do we find the right strings to put in the Authentication Server configuration in UTM?

The UTM configuration is reached from the UTM WebAdmin page: in the menu on the left-hand side click on "Definitions & Users", then "Authentication Servers".

Click on "New Authentication Server...".

Set "Backend" to "LDAP".

I set "Position" to "Bottom".

Populate the "Server" field with the address of your Mac OS X server.

The "Bind DN" field is the full distinguished name of the account the UTM binds to the directory as. With Open Directory's default layout it will be uid=diradmin,cn=users,dc=fruit,dc=local if your directory administrator is "diradmin" and your server is "fruit.local": user records live under the "cn=users" container and are keyed by short name as "uid=". Open Directory builds its search base from the server's host name, so you need as many "dc=" parts as there are labels in the host name, e.g. for fruit.tree.com you would need "dc=fruit,dc=tree,dc=com".

(I am a little concerned about using "diradmin" here; perhaps another user can be created for binding?)

In the "Password" and "Repeat" fields enter the password for "diradmin", or for whatever user you are using to bind. If you can't remember the directory administrator password it can be reset; the post originally linked to instructions for doing so.
[You can get to Directory Utility by opening System Preferences, clicking "Users & Groups", then "Login Options", then "Edit..." next to "Network Account Server", and then "Open Directory Utility...".]

The "Base DN" is the search base the UTM looks users up under. It will be what appears as "LDAP Search Base" under "Open Directory" -> "Overview" in Server Admin; for fruit.local that is dc=fruit,dc=local, i.e. the same "dc=" string that ends the Bind DN.
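Before typing the password into the UTM it is worth checking the two strings against the real server. The script below is an added example, not part of the original post: it derives the Bind DN and Base DN from a host name and a bind account using the rule above (one "dc=" per label of the host name, users under "cn=users"), and prints the two ldapsearch commands that verify them. "fruit.local" and "diradmin" are the post's placeholders; nothing here talks to a server until you paste the printed commands into a Terminal (OS X ships the OpenLDAP command-line tools).

```shell
#!/bin/sh
# Added example, not from the original post: build the UTM "Bind DN" and
# "Base DN" strings from the Mac OS X Server host name and the bind
# account, then print the ldapsearch commands that confirm them against
# the real server. Host name and account name are placeholders.

# One "dc=" component per label of the host name:
#   fruit.local    -> dc=fruit,dc=local
#   fruit.tree.com -> dc=fruit,dc=tree,dc=com
host_to_dc() {
    rest=$1
    out=''
    while [ -n "$rest" ]; do
        label=${rest%%.*}              # first remaining label
        case $rest in
            *.*) rest=${rest#*.} ;;    # drop the label and its dot
            *)   rest='' ;;            # that was the last label
        esac
        [ -n "$label" ] || continue    # tolerate "fruit..local" or a trailing dot
        out="${out:+$out,}dc=$label"
    done
    printf '%s\n' "$out"
}

# Open Directory keeps user records under cn=users, keyed by short name (uid).
bind_dn() {          # bind_dn <short name> <server host name>
    printf 'uid=%s,cn=users,%s\n' "$1" "$(host_to_dc "$2")"
}

# Two commands to run from a Mac (or any host with the OpenLDAP tools):
# 1. Unauthenticated: ask the server's rootDSE which naming contexts it
#    serves; the answer should be the Base DN you intend to use.
# 2. Authenticated: bind as the Bind DN (-W prompts for the password) and
#    look the bind account itself up under the Base DN. A failure here is a
#    wrong DN or password on the directory side, not a UTM problem.
check_commands() {   # check_commands <short name> <server host name>
    base=$(host_to_dc "$2")
    bind=$(bind_dn "$1" "$2")
    printf "ldapsearch -x -LLL -H ldap://%s -s base -b '' namingContexts\n" "$2"
    printf "ldapsearch -x -LLL -H ldap://%s -D '%s' -W -b '%s' '(uid=%s)' dn\n" \
        "$2" "$bind" "$base" "$1"
}

check_commands diradmin fruit.local
```

If the UTM is set to talk to the directory over SSL/TLS, test with ldaps:// instead so you exercise the same port and certificate. The second command also shows why a dedicated, read-only bind account is preferable to the directory administrator: a simple bind sends that password to the server, in the clear over plain ldap://, every time the UTM authenticates a user.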