4

I've made a setup containing a Mac Mini with OSX Server 3 (Mavericks 10.9.2) using Open Directory and Profile Manager (Mail, etc all set up and working).

Now the thing is, internally on the local network, everything works great. Clients can bind to the OD and the users are able to log in. I can install trust and settings profiles (either custom or group profiles) and all services mentioned in the profiles are being configured correctly. I can log in and out, jump around and do it 100 times on different Macs with different users, and it works.

My goal is to make this service publicly available. The domain is a FQDN which I own; for simplicity let's say server.domain.com. Now the only way for me to bind the clients to the OD is using LDAP mapping RFC2307 (without SSL) and a DN suffix of dc=server,dc=domain,dc=com using the Directory Utility. The From Server or Open Directory options will throw several errors like `Connection failed to node '/LDAPv3/server.domain.com (2100)`.

First of all, I don't really understand why clients can't bind to the OD as they do locally, with and without SSL (all ports are open, literally all ports are open, not just 389, 636 and 1640; I wasn't sure if I was missing any).

When the clients are using LDAP mapping RFC2307 to bind (without SSL only), clients are able to authenticate, log in and even load the Trust profile. But every Settings profile will fail with a debug message `Unable to find GUID in user record OD`, or fails to install, saying `missing user identification`.

Is there any way to get this to work without RFC2307? Because there is quite some stuff missing when using RFC2307 and not pulling the mapping from the server or using Open Directory.

Is this setup even possible? Or should I use VPN to authenticate with the OD?



The network setup is a Modem/Router (DHCP off) with WAN NATted to an Airport Extreme (Using DHCP+NAT). The AE does notify with a double NAT message but I haven't had any problems with it on any other service. So WAN -> 192.168.2.220 (static), AE -> 10.0.1.* (dhcp)

Output of `dig server.domain.com` from the outside:

```
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;server.domain.com.     IN  A
;; ANSWER SECTION:
server.domain.com. 77   IN  A   91.50.*.* (valid WAN IP)
;; SERVER 172.*.*.1#53(172.*.*.1) (iPhone)
```

`dig` locally from a client and from the server (same output):

```
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;server.domain.com. IN  A
;; ANSWER SECTION:
server.domain.com. 10800    IN  A   10.0.1.11
;; AUTHORITY SECTION:
server.domain.com. 10800    IN  NS  domain.com. (used for email send in relay)
server.domain.com. 10800    IN  NS  server.domain.com.
;; SERVER 10.0.1.11#53(10.0.1.11)
```

Are there any things I should check? Only have OSX.

-- Double NAT issue: I plugged the server directly into the Modem/Router with a static IP and the issue remains. Guess that rules out the double NAT thing.

-- `changeip -checkhostname` comes back with `There is nothing to change`, i.e. success.

```
Primary address     = 10.0.1.11
Current HostName    = server.domain.com
DNS HostName        = server.domain.com
```

For now, I've made a workaround by using an admin account that forces a permanent VPN connection on boot. That means before it comes to the login, a connection is already made or underway.

I will continue this post when I have more time, also locating all the necessary .log files of each application involved. I have some suspicions but have to debug a bit more when I have more time on my hands.

dbf
  • This sounds like a DNS and/or firewall/routing issue. Is the server on a private (NATted) network? What does the DNS for server.domain.com look like to local and remote computers? – Gordon Davisson Mar 16 '14 at 05:47
  • @GordonDavisson _my suspicion also_, the server is on a private network. Modem/Router with the (dynamic)WAN address, NATted to an Airport Extreme which again distributes the network using `DHCP and NAT`. I'll update my post with more details. – dbf Mar 16 '14 at 10:50
  • Ok, the DNS setup looks good, but I'm a little worried about the NAT. Double NAT shouldn't be a problem, but you do need to make sure port forwarding is set up properly at both layers. Also, are you forwarding just TCP, or both TCP and UDP? I think the only UDP-based service it uses is Kerberos (port 88), but at least that one does need to be forwarded. – Gordon Davisson Mar 16 '14 at 22:09
  • @GordonDavisson As I mentioned, at some point I have opened every port and forwarded it to `192.168.2.220`, meaning TCP/UDP from 1-65536, because I wanted to be sure that wasn't the problem. These ports are again forwarded to `10.0.1.11`, the server. Can it be so picky that it has to be port specific? I mean literally a NAT entry which says `WAN:88 <> 192.168.2.220:88` and `192.168.2.220:88 <> 10.0.1.11:88`? Currently I'm setting up the profiles with a VPN access to the server, this seems to work .. obviously ;) For the ports, 389 and 636 are Open Directory, 1640 is Profile Manager (SSL). – dbf Mar 17 '14 at 01:16
  • Try this... go to the Directory Utility -> Services -> LDAPv3 click the pen edit button. Inside the new view... delete and recreate the configuration there. – unom Mar 25 '14 at 19:20
  • Reading more into your post... your double NAT is the problem... the Airport is mapping WAN network (192.168.2.x) OD ports to LAN network (10.0.1.x) with the server IP you have, AND is the second router (the one with the internet connection) WAN network (internet IP) mapping the correct ports to your inside router IP? To get over all this, try to set DMZ for your Airport IP in the router with the internet connection. – unom Mar 25 '14 at 19:27
  • @unmircea My edit on `double NAT` -> _plugged in the server directly on the Modem/Router with a static IP and issue remains. Guess that rules out the double NAT thing._. About Directory Utility, I have created a mapping for LDAPv3, it only works with RFC2307, that's the whole problem. – dbf Mar 25 '14 at 21:34

1 Answer

2

To follow along your question's line of thinking, check your modem/router configuration. You need to make sure that WAN->LAN ports are open for both TCP and UDP.

Warning: this may be a real pain to configure and maintain!

It looks like you have VPN configured and working. I'd suggest continuing down that line unless you want to spend a bunch more time with the routers.

atimba
  • I know, that's why I said `all ports are open, literally all ports are open` ;) – dbf Mar 18 '14 at 19:32
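The two things the question and this answer keep circling back to are the split DNS view (LAN clients must get 10.0.1.11, remote clients the WAN address) and whether the OD-related ports are actually reachable through both NAT layers for TCP and UDP. The script below is an added example, not code from the question or the answer: it assumes bash, `dig` and `nc` are installed (the `-w 3` connect timeout is the BSD/OpenBSD `nc` form), that the hostname is `server.domain.com` as in the question, and that the port list is the one mentioned in the thread (389, 636, 1640, plus Kerberos 88). Run it once on the LAN with `inside` and once from a remote network with `outside` and compare the two reports.

```bash
#!/bin/bash
# Added example (not from the original post): sanity checks for exposing an
# OS X Server Open Directory host behind NAT. Assumes bash, dig and nc; the
# hostname and port list below are taken from the question and its comments.
set -u

OD_HOST="${OD_HOST:-server.domain.com}"   # hostname used in the question

# Ports named in the thread: LDAP 389, LDAPS 636, Profile Manager 1640, and
# Kerberos 88, which needs both TCP and UDP forwarded (Gordon Davisson's comment).
od_ports() {
  printf '%s\n' "88/tcp" "88/udp" "389/tcp" "636/tcp" "1640/tcp"
}

# Returns 0 if the IPv4 address is in an RFC1918 private range, 1 otherwise.
is_private_ip() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Given the vantage point ("inside" or "outside") and the A record that was
# returned, print "ok" or "mismatch". Inside the LAN the answer should be the
# private address; from outside it should be the public WAN address.
dns_view_check() {
  vantage="$1"; addr="$2"
  case "$vantage" in
    inside)  if is_private_ip "$addr"; then echo ok; else echo mismatch; fi ;;
    outside) if is_private_ip "$addr"; then echo mismatch; else echo ok; fi ;;
    *) echo "unknown vantage: $vantage" >&2; return 2 ;;
  esac
}

# Resolve the host with dig and classify the first A record for this vantage.
dns_probe() {
  vantage="$1"
  addr=$(dig +short A "$OD_HOST" | head -n 1)
  if [ -z "$addr" ]; then
    echo "$OD_HOST: no A record from this vantage ($vantage)"
    return 1
  fi
  echo "$OD_HOST -> $addr ($vantage): $(dns_view_check "$vantage" "$addr")"
}

# TCP ports: nc -z reports whether the connect succeeded. UDP has no handshake,
# so it cannot be confirmed this way and is flagged for a manual rule check.
port_probe() {
  for entry in $(od_ports); do
    port="${entry%/*}"; proto="${entry#*/}"
    if [ "$proto" = tcp ]; then
      if nc -z -w 3 "$OD_HOST" "$port" 2>/dev/null; then
        echo "$entry open"
      else
        echo "$entry CLOSED or filtered"
      fi
    else
      echo "$entry (udp: verify the forward rule on both routers by hand)"
    fi
  done
}

# Usage: ./od_nat_check.sh inside    (run on the 10.0.1.x LAN)
#        ./od_nat_check.sh outside   (run from a remote network)
if [ "${1:-}" = inside ] || [ "${1:-}" = outside ]; then
  dns_probe "$1"
  port_probe
fi
```

If the `outside` run reports the DNS view as `ok` but every TCP port as closed, the problem is in the port-forward rules rather than in DNS; if a port is open through a single NAT layer (server plugged straight into the modem, as in the edit) but closed through both, the second router's rule is the one to fix.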