
External Authentication w/ OS X: Invalid DN Syntax



I am trying to get external authentication working with Server 7v2 on Mac OS 10.3.4 with a Mac OS 10.3.6 server set up as an authentication server.

Suggestions from similar posts have not helped me here, so if some of you have been successful at getting this to work, please let me know what the things are that I should be checking.

My OS X Server has a static IP and a DNS name that is registered with our ISP. It is set up as an Open Directory Master with LDAPv3 and an Administrator account.

My FM Server is set up to use Filemaker and external accounts. Under Directory Services, my settings look like this:

Directory service name: dir.mydomain.org

Distinguished name: cn=admin,dc=mydomain,dc=org

LDAP port: 389

Login Settings:

Account name: admin

Password: ******

The error I see in FM Server's Event.log is:

Registration with directory service failed. (Invalid DN syntax)

If I use ldapbrowser to look at the directory, I can get into the directory anonymously, but not with my admin account. But if I try to log in anonymously with FM Server, it shows this error in the Event.log:

Registration with directory service failed. (Strong(er) authentication required)

What am I missing?

  • 3 weeks later...

under Filemaker --> Preferences

you should have

dc HostnameOfLDAPServer

dc DomainOfLDAPServer

dc TLDofldapserver

ou NameFileMakerIsRegisteredAsInLDAP

so, if your ldap server is at ldap.example.com and your server is registered as Filemaker you would have (in Filemaker Preferences under the LDAP Directory Service pull down menu)

server address: ldap.example.com

ldap port 389

Search base:

ou FileMaker

dc ldap

dc example

dc com

Then in Configure --> Directory Service in Filemaker Admin

check Register Filemaker server with a directory service

Directory Server Name: ldap.example.com

Distinguished name: filemaker.example.com

and you can choose to put in the optional information if you would like

make sense?

-rich


I thought the FileMaker Server Admin->Preferences->LDAP Directory Service settings were for getting the server to show up in the hosts list under LDAP. Is this needed to get external authentication to work?


no, it's not necessarily needed to get authentication to work, but it's just to keep everything matching up.

what I forgot to ask (and stupidly assumed that the answer was yes) was do you have your users/groups set up on the LDAP server, and are your databases set to authenticate from a remote server?

for example: to authenticate from a remote (OS X) server using LDAP, you need to have a user "Admin" (which you can create with the Workgroup Manager).

I would recommend keeping the user "Admin" though just authenticated via filemaker, then make a user for yourself, like "Joe Blow", put joe blow in the Filemaker Administrators group (call it whatever you want, but you'll have to make the group), then under Define Database in Filemaker, make a new account, authenticated from the remote server with an access level of Full Access, then type in the group name that you want to have administrator access, then you can just log in to that database with your own username/password of Joe Blow.

-rich


err, not under Define Database. under Define: Accounts & Privileges

I have this working in our office with about 40 databases. all the employees have their own username/password authenticated against the LDAP server, then I defined groups for access levels on each database. the exec on a particular account (and maybe a couple of others) will have full access to their own client's database, then some of the administrative assistant types will only have data entry access. if you're not in a group that has specified access to a specified database, then you have no access.

I hope you can understand these posts. I can hardly make heads or tails out of them and I wrote them.

-rich


Thanks rich. I have setup a Full Access account with FileMaker authentication and some external authenticated accounts. I have users created in Workgroup Manager with the same group name as my external authenticated account. But I see this error even before attempting a login. As soon as I click out of the External Authentication pane of the Server Admin app, the error shows up in the event log.

I have my directory server registered with my ISP, but I have not registered my filemaker server. Perhaps this is the problem. I will try your suggestions when I get back to the office next week.

  • 3 weeks later...

Ender, I almost have the same problem you do - I'm able to force user to authenticate to the database but I cannot register my FileMaker Server to my LDAP server.

Thank you, Rich, for your info. I tried the exact steps you posted but still without any luck. However, I'm a little unclear about what the value of the organizational unit name (ou) should be. I tried putting the name of the machine where FileMaker Server resides but that did not work. I read in the FileMaker Server help that the login name I'm using to register my FileMaker Server needs to be in the ou??!!?? What does that mean??? So far I also tried putting "FileMaker" and my group name as the values for ou. Nothing worked.

Sincerely,

Tang.
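
Added example, not from any poster in this thread: a simplified RFC 4514 syntax check run over the values quoted above for the Distinguished name field, together with the standard LDAP result codes (RFC 4511) behind the two Event.log messages. Whether FileMaker Server applies exactly these rules is an assumption, and the last sample is constructed from the search base components listed earlier.

```python
import re

# LDAP result codes (RFC 4511) behind the two Event.log messages in this thread.
RESULT_CODES = {
    "Invalid DN syntax": (34, "invalidDNSyntax"),
    "Strong(er) authentication required": (8, "strongerAuthRequired"),
}

# Attribute type: short name (cn, dc, ou, uid) or dotted numeric OID.
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")

def split_unescaped(text, sep):
    """Split on sep, skipping separators that are backslash-escaped."""
    parts, buf, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf += text[i:i + 2]      # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append(buf)
            buf = ""
        else:
            buf += text[i]
        i += 1
    parts.append(buf)
    return parts

def parse_dn(dn):
    """Return one list of (type, value) pairs per RDN, or raise ValueError."""
    if dn == "":
        return []                     # the empty DN is valid (zero RDNs)
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):   # '+' joins a multi-valued RDN
            attr, eq, value = ava.strip().partition("=")
            if not eq or not ATTR_TYPE.match(attr):
                raise ValueError(f"{ava!r} is not attributeType=value")
            if re.search(r'(?<!\\)[";<>]', value):
                raise ValueError(f"unescaped special character in {value!r}")
            avas.append((attr.lower(), value))
        rdns.append(avas)
    return rdns

def is_valid_dn(dn):
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for s in ["cn=admin,dc=mydomain,dc=org", "filemaker.example.com",
              "admin", "ou=FileMaker,dc=ldap,dc=example,dc=com"]:
        print(f"{s!r}: {'well-formed' if is_valid_dn(s) else 'not a DN'}")
```

Passing this check only shows that the string is a well-formed DN; it says nothing about whether that entry exists in the directory or may bind.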
