ManuelD Posted January 21, 2009 Posted January 21, 2009 I have set up my FileMaker Server 9 Advanced IWP to authenticate via an OS X Server. I wanted every user on the OS X Server to have access to the database, so I have made the group "staff" have full access to the database. This is not a security issue as this OS X Server is solely used for users of this database. Now my problem is, I added new users to the OS X Server's LDAP, and they ARE in the staff group; however, none of the new users can access the database. I know that for the previous users the database IS using the LDAP user base for authentication, because those users do NOT exist in the FileMaker database itself. How can some members of the group staff authenticate and some can't? Any help would be appreciated. Manuel
Vaughan Posted January 21, 2009 Posted January 21, 2009 There could be many things causing the problem. Basically I'd start by confirming that things I know to be correct actually are. Check that the EA is actually using the OD and not the server box's accounts. Check there are not duplicate groups on the OD box. Check the authentication order in the database. Disable all other accounts. BTW, externally authenticating the full access account IS a security risk. I can get a copy of your file and reproduce your EA server setup to gain full access without having to hack any passwords or usernames.
Steven H. Blackwell Posted January 22, 2009 Posted January 22, 2009 "Now my problem is, I added new users to the OS X Server's LDAP," And that's the problem. LDAP has nothing whatsoever to do with External Server Authentication. Accounts must be added via Workgroup Manager. LDAP is a yellow pages registration listing for your server, not for Accounts. There is an extensive tech brief on the FMI web site about this and it is covered in FileMaker Security: The Book if you can get past the author's eccentricities. Steven
ManuelD Posted January 22, 2009 Author Posted January 22, 2009 Actually I got it working; the problem was that IWP was reporting the wrong error. It would give me a message saying that the user did not have access to the database. In fact, my script creating the user was broken and would not enter the proper password when creating the user in the LDAP. Took me a while to figure it out; it would have helped if IWP properly reported that the login credentials were wrong instead of pointing to a privilege issue. I don't understand what you are saying, that LDAP is not related to the external authentication. I create my users in LDAP and they authenticate fine to the database. I have always seen LDAP as the user database of OS X Server and Workgroup Manager as a simple GUI sitting on top of it. Manuel
Steven H. Blackwell Posted January 22, 2009 Posted January 22, 2009 "I don't understand what you are saying, that LDAP is not related to the external authentication. I create my users in LDAP and they authenticate fine to the database. I have always seen LDAP as the user database of OS X Server and Workgroup Manager as a simple GUI sitting on top of it." Not really. LDAP (Lightweight Directory Access Protocol) is a communication protocol. FileMaker Server can use Accounts authenticated by itself, by Active Directory, and by Open Directory. The LDAP settings in the Console are for registering the FileMaker Server machine with a network LDAP directory. Novell NetWare is LDAP compliant, but you cannot authenticate a FileMaker client against it, for example. BTW, in your specific instance, both IWP and CWP can authenticate their accounts externally, but they cannot do Single Sign On as FileMaker Windows clients and FileMaker Server Windows servers can. See the Tech Brief. HTH Steven
Wim Decorte Posted January 24, 2009 Posted January 24, 2009 (edited) To emphasize what Steven is saying: LDAP is just a protocol, just like HTTP is. The accounts (and other stuff) are stored in a Directory Service (like Active Directory and Open Directory). LDAP is used to communicate with the Directory just like HTTP is used to communicate with a Web Server. All modern Directory Services are LDAP compliant (meaning they all speak LDAP). A lot of them understand other communication protocols as well, like ADSI for Active Directory. But you don't say "I've updated an account in LDAP", just like you wouldn't say "I've checked my settings in HTTP" (when you mean the web server). Now where it gets truly confusing is that there is one Directory Service out there named "OpenLDAP". HTH Wim Edited January 24, 2009 by Guest
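The protocol-versus-directory distinction Wim and Steven draw, and the credentials-versus-privileges distinction behind Manuel's fix, can both be seen on the wire. The following is an added example, not code from this thread or from FileMaker: it hand-encodes an LDAPv3 simple BindRequest (RFC 4511, BER per X.690) using only the Python standard library, and decodes the BindResponse a directory returns. The same bytes are what a client sends to Open Directory, Active Directory or OpenLDAP; the directory behind the socket is what differs. The DN, password and host name below are placeholders chosen for illustration, and the server reply in the test is constructed locally rather than captured from a real directory.

```python
"""Minimal LDAPv3 simple bind: BER encoder for BindRequest, decoder for BindResponse.

Added example for this thread; standard library only. DN/host/password are placeholders.
"""
import socket

# LDAP result codes a bind can return (RFC 4511 section 4.1.9); the ones a
# "user can't log in" investigation actually needs to tell apart.
RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",            # the DN does not exist in the directory
    48: "inappropriateAuthentication",
    49: "invalidCredentials",      # account exists, password is wrong
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# BER tags used below (X.690)
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED = 0x30, 0x02, 0x04, 0x0A
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61   # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80     # [0] simple OCTET STRING inside AuthenticationChoice


def ber_len(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int, tag: int = TAG_INTEGER) -> bytes:
    """Minimal two's-complement INTEGER/ENUMERATED (n >= 0)."""
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = tlv(TAG_BIND_REQUEST,
               ber_int(3) + tlv(TAG_OCTET_STRING, dn.encode()) + tlv(TAG_SIMPLE_AUTH, password.encode()))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + bind)


def bind_response(message_id: int, result_code: int, diagnostic: str = "", matched_dn: str = "") -> bytes:
    """Encode a BindResponse the way a server would; used here to construct sample replies."""
    result = (ber_int(result_code, TAG_ENUMERATED) + tlv(TAG_OCTET_STRING, matched_dn.encode())
              + tlv(TAG_OCTET_STRING, diagnostic.encode()))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + tlv(TAG_BIND_RESPONSE, result))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindResponse into its result fields."""
    tag, msg, _ = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op, 0)
    _, matched, pos = read_tlv(op, pos)
    _, diag, pos = read_tlv(op, pos)
    rc = int.from_bytes(code, "big", signed=True)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": rc, "result": RESULT_NAMES.get(rc, "other(%d)" % rc),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


def simple_bind(host: str, dn: str, password: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Send one bind over plain TCP and decode the reply (plaintext; use only on a trusted LAN or over TLS)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, password))
        data = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
            _, _, end = read_tlv(data, 0) if len(data) > 2 else (None, None, len(data) + 1)
            if len(data) >= end:
                break
    return parse_bind_response(data)


if __name__ == "__main__":
    # Placeholder host/DN: replace with the directory under test.
    print(simple_bind("od.example.com", "uid=manuel,cn=users,dc=example,dc=com", "s3cret"))
```

A result of `invalidCredentials` (49) from the directory itself means the account's password is the problem, independent of anything the application layered on top decides about privileges; `noSuchObject` (32) means the DN was never created. Checking the bind directly against the directory separates those two from a privilege-set or group-membership problem in the database. The request is sent in clear text, so run it only against a directory reachable over TLS (LDAPS/STARTTLS) or on an isolated test network.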