
I'm trying to get some client OS X machine to automatically authenticate to a QNAP share using a separate LDAP Open Directory server.

(Note: I'm using example.com below to hide the real server name as it's currently exposed)

The network has:

  1. An OSX Server machine with Open Directory running (e.g. server is master.example.com)

  2. Multiple OSX Client machines connecting and authenticating to the Server using network accounts.

That part so far is working well.

I'm now adding a separate QNAP NAS as a file server (a TVS-871T for reference), e.g. called server.example.com

I've configured the QNAP NAS to use the OSX Server for LDAP authentication in the control panel under Domain Security.

LDAP Config in QNAP

Server: master.example.com
Base DN: dc=master,dc=example,dc=com
Root DN is the Open directory admin: uid=keymaster,dc=master,dc=example,dc=com
Users Base DN is: cn=users,dc=master,dc=example,dc=com
Groups Base DN is: cn=groups,dc=master,dc=example,dc=com

I can see the network users and groups in the QNAP interface and give them access to shares.

I can manually mount the share from an afp client (Cmd + K) and type in the username and password.

So far so good.

Now for the problem. I'm attempting to get all the network accounts to automatically mount the share when they log in.

Normally I would configure this in the OSX server profile manager as an authenticated network mount (which automatically uses the user's network account to authenticate during the mount operation). This is tested and works well if it's a share of the open directory master itself.

(screenshot: authenticated mount)

However, when I try to automatically mount a share on the QNAP drive, the client pops up the authentication window.

(screenshot: login window)

This seems to say it's unable to log in. Even if I re-enter the password, it still doesn't want to log in.

The Console shows an error in NetAuthSysAgent: AFP_OpenSession – Login failed with 80

Now, interestingly, if I try to log in with the user's short username – e.g. joesmith in this instance – then it does log in to the share.

So basically, I can get partial authentication using the username, but I can't get the automated mount to happen because – I'm guessing – the client tries a slightly different method (with the full name displayed in the login box).

Is there a way that I can get this to work? Am I missing a setting in the QNAP LDAP configuration?

Should I configure the LDAP connection differently on the QNAP server to allow the authentication system of the OS X clients to work?

Edit:

I did a bit of digging around using Wireshark on the OD server to see what the QNAP device sends through (I am clearly desperate), and I can see the QNAP device does a (&(objectClass=posixAccount)(uid=Joe Smith)) query to the OD master, which confirms the assumption that it's sending the wrong credential.

Using ldapsearch I can replicate this too. If I change the query from uid to cn then it works on the command line. Not sure if I can change the way QNAP sends its search filter though.

Edit 2:

I can get the QNAP drive to use CN instead of uid by editing:

/mnt/HDA_ROOT/.config/nss_ldap.conf

and adding

nss_map_attribute uid cn

to it.

Then /etc/init.d/ldap.sh restart

This then allows me to log in with the full name.

However, this breaks the group ACLs.

Looking at Wireshark again, the LDAP authentication now uses CN for the group membership test too: (&(objectClass=posixGroup)(memberUid=Joe Smith))

Works if you give individual users share access, but I want to use group ACLs :(

Edit 3:

pam_ldap seems to have an option called pam_login_attribute that would be exactly what I need, but nss_ldap doesn't seem to use it or have a similar alternative.

Ben
  • In your field "ldap security," are you sure that is the best choice to match the defaults on OSX, for example use apple developer and/or http://www.openldap.org/doc/admin24/appendix-common-errors.html, as reference? I can't recall exactly what it is, but there is some intricacy of the way Apple implements this, that often breaks compatibility. Nicely done question, btw! – bourneN5years Aug 04 '16 at 19:07
  • Thanks! I'm not per se getting an "error", it's just authenticating against the wrong OD field. I've added another edit: there is something in `pam` called `pam_login_attribute` which is exactly what I would need, but I can't get that to work with nss_ldap on the device. – Ben Aug 04 '16 at 23:22
  • Not sure what you mean by "best choice to match the defaullts on OSX" too. – Ben Aug 04 '16 at 23:23
  • By "best choice..." I just meant if there were other choices in the LDAP Security field – bourneN5years Aug 05 '16 at 03:28

0 Answers
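The mismatch the question traces in Wireshark (Edit 1 through Edit 3), modelled in an added Python example. This is not QNAP, Apple or nss_ldap code: the directory entries, names and numbers are constructed to mirror the DNs in the question, the small filter parser covers only the filter shapes that appear on the page, and `resolve_then_lookup` is a hypothetical illustration of what a pam_login_attribute-style fix would have to do, not a feature of nss_ldap.

```python
"""Constructed model of the LDAP lookups observed in the question.

It shows why the default nss_ldap filter (uid=<login name>) rejects the full
name the OS X client sends, why `nss_map_attribute uid cn` fixes the user
lookup but breaks the memberUid group test, and what a pam_login_attribute-style
fix has to do: accept uid or cn for login, then canonicalise to uid before
checking groups.  Every entry below is made up to mirror the question's DNs.
"""

BASE = "dc=master,dc=example,dc=com"

# Constructed directory: two posixAccount users and one posixGroup.
DIRECTORY = [
    {"dn": f"uid=joesmith,cn=users,{BASE}",
     "attrs": {"objectClass": ["posixAccount"], "uid": ["joesmith"],
               "cn": ["Joe Smith"], "uidNumber": ["1025"]}},
    {"dn": f"uid=asmith,cn=users,{BASE}",
     "attrs": {"objectClass": ["posixAccount"], "uid": ["asmith"],
               "cn": ["Ann Smith"], "uidNumber": ["1026"]}},
    {"dn": f"cn=staff,cn=groups,{BASE}",
     "attrs": {"objectClass": ["posixGroup"], "cn": ["staff"],
               "gidNumber": ["2000"], "memberUid": ["joesmith", "asmith"]}},
]


def parse_filter(text):
    """Parse the RFC 4515 subset seen in the question: (&..), (|..), (!..), (attr=value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)          # assumption: values contain no ')'
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, attrs):
    """Evaluate a parsed filter against one entry's attributes.
    Case-insensitive equality throughout (a simplification of LDAP matching rules)."""
    op = tree[0]
    if op == "=":
        _, attr, value = tree
        for name, values in attrs.items():
            if name.lower() == attr.lower():
                return any(v.lower() == value.lower() for v in values)
        return False
    if op == "&":
        return all(matches(c, attrs) for c in tree[1])
    if op == "|":
        return any(matches(c, attrs) for c in tree[1])
    return not matches(tree[1][0], attrs)   # "!"


def search(filter_text):
    """Subtree search under BASE, returning the matching entries."""
    tree = parse_filter(filter_text)
    return [e for e in DIRECTORY if e["dn"].endswith(BASE) and matches(tree, e["attrs"])]


def nss_lookup(login_name, login_attr="uid"):
    """Model of nss_ldap getpwnam() followed by initgroups(), as seen in Wireshark.
    login_attr="uid" is the default; "cn" models `nss_map_attribute uid cn`, which
    also makes the mapped attribute the pw_name that initgroups() is later called with."""
    users = search(f"(&(objectClass=posixAccount)({login_attr}={login_name}))")
    if not users:
        return None, []
    pw_name = users[0]["attrs"][login_attr][0]
    groups = search(f"(&(objectClass=posixGroup)(memberUid={pw_name}))")
    return pw_name, sorted(g["attrs"]["cn"][0] for g in groups)


def resolve_then_lookup(login_name):
    """Hypothetical pam_login_attribute-style behaviour (not what nss_ldap does):
    accept uid or cn as the login name, refuse anything ambiguous, and run the
    memberUid test with the canonical uid so group ACLs keep working."""
    users = search(f"(&(objectClass=posixAccount)(|(uid={login_name})(cn={login_name})))")
    if len(users) != 1:   # unknown name, or a cn colliding with someone else's uid
        return None, []
    uid = users[0]["attrs"]["uid"][0]
    groups = search(f"(&(objectClass=posixGroup)(memberUid={uid}))")
    return uid, sorted(g["attrs"]["cn"][0] for g in groups)


if __name__ == "__main__":
    for label, result in [
        ("default, full name", nss_lookup("Joe Smith")),
        ("default, short name", nss_lookup("joesmith")),
        ("uid->cn map, full name", nss_lookup("Joe Smith", "cn")),
        ("resolve first, full name", resolve_then_lookup("Joe Smith")),
    ]:
        print(f"{label:26s} pw_name={result[0]!r:13s} groups={result[1]}")
```

Running it reproduces the three states in the question: the default lookup fails on "Joe Smith" and succeeds on "joesmith"; the uid-to-cn mapping makes "Joe Smith" resolve but returns no groups, because memberUid still holds short names; resolving the login name to its uid first gives both the user and the `staff` group. The ambiguity check in `resolve_then_lookup` is deliberate: once two attributes are accepted for login, a cn that equals another account's uid would otherwise let one name resolve to two accounts.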