
Binding to Open Directory (MacOS OR Cloud-based service)


This topic is 1571 days old. Please don't post here. Open a new topic instead.


We host FileMaker Server 16 and have around 20-25 users connecting to it using FMPro 16 plus a couple of WebDirect users.

Currently the security structure is quite flat, which is obviously not ideal, and upcoming changes in the business mean a more hierarchical structure is becoming critical. I have been working on how to implement this on and off for a couple of months now, testing various techniques which integrate into our other business systems, but have hit a few brick walls.

The desire to integrate with other systems' user accounts (OS, email, etc.) and several FileMaker databases made me go down the external authentication route as opposed to internal authentication. So I tried:

a) Setting up our own Open Directory server using Apple's Server app. The setup of the server worked fine, but I couldn't get the FileMaker server (or any other machine for that matter) to bind/join the Open Directory server (a separate machine). After clicking 'Join' and entering the server address, it shows an error saying that it could not bind, with error code 2100.

b) Setting up an account with an 'Open Directory as a Service' provider (Jumpcloud.com). This was not a 'second choice'; it was an option I was always keen on exploring due to its 'cloud' nature. MacOS on the FileMaker Server will happily bind to the server but, for some reason, any authentication attempts fail. If I try to auth from the OS login screen it hangs for >30 minutes before I give up. If I try to auth from FM then it just fails (account not recognised). With no definitive, clear 'how to' guide it is quite difficult to troubleshoot. This is made even more difficult by being a newbie at this!

I found a video going through the OAuth providers but would prefer to stay away from them for several reasons. Primarily, it's ANOTHER system to sync account data with, and secondly, Google and Amazon don't allow auth against groups, which puts me off them (I know there is still the MS option, but my primary reason still applies).

Any ideas? Is it even possible to use LDAP like this?

Thanks in advance for any suggestions!

Edited by ian_a_2001

Perhaps take a look at these papers:


https://fmforums.com/files/file/115-how-to-extend-oauth/

https://fmforums.com/files/file/116-addendum-oauth-extensibility/


Open Directory is likely not the best choice for authentication. But it does work. You are correct in believing that a service that supports Group structures is your best avenue.


Steven H. Blackwell

Platinum Member Emeritus


FMS supports the following External Authentication providers:

  1. Open Directory
  2. Active Directory
  3. local accounts and groups on the FMS machine
  4. any OAuth2 OpenID Connect provider (for group-based authentication they need to be able to deliver an id_token that contains the groups)

The first 3 are on-premise only; #4 can be either on-premise or in the cloud.

JumpCloud does not seem to offer #4 (they are limited to LDAP and SAML). You cannot use LDAP for anything that is not OD or AD. I went through long exercises, for instance, to use the OpenLDAP directory service, but you cannot make it work without also involving OD or AD to some extent, and it is a giant time-suck to even try.

In your case:

- the OD setup should work; that's just a matter of troubleshooting it

- if you do want to use a cloud provider, you'll need to pick one that supports OAuth2 OIDC. There are plenty; Steven and I have it working with Ping, Okta, Auth0, OneLogin, MiniOrange, ... Many of them offer delegation/federation to other directories. Or you can just use their own identity store and not bother with a local one.

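The reply above hinges on whether a provider's id_token actually carries a groups claim. As an added example (not code from the thread or from FileMaker), here is a small Python check that verifies a constructed id_token and reports its groups; it uses a constructed HS256 shared secret so it runs offline, whereas a real OIDC provider signs with RS256 and you would verify against its published JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    # Constructed HS256 token standing in for what an OIDC provider would issue.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def groups_from_id_token(token: str, key: bytes, audience: str,
                         now: Optional[float] = None) -> List[str]:
    """Verify signature, audience and expiry, then return the groups claim ([] if absent)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust "alg" from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    groups = claims.get("groups", [])
    return list(groups) if isinstance(groups, list) else []


# Constructed samples: one provider emits groups, the other does not (the JumpCloud-style gap).
KEY = b"constructed-shared-secret"
AUD = "filemaker-server"           # assumed client id registered with the provider
FAR_FUTURE = 4102444800            # 2100-01-01, keeps the sample tokens valid
WITH_GROUPS = make_id_token({"sub": "ian", "aud": AUD, "exp": FAR_FUTURE,
                             "groups": ["fm-admins", "staff"]}, KEY)
WITHOUT_GROUPS = make_id_token({"sub": "ian", "aud": AUD, "exp": FAR_FUTURE}, KEY)
```

An empty list from a provider's real token means FMS has nothing to map privilege sets to, which is exactly the limitation the reply describes.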
