ManuelD

External server authentication problem

I have set up my FileMaker Server 9 Advanced IWP setup to authenticate via an OS X Server. I wanted every user on the OS X Server to have access to the database, so I have made the group "staff" have full access to the database. This is not a security issue as this OS X Server is solely used for users of this database.

Now my problem is, I added new users to the OS X Server's LDAP, and they ARE in the staff group; however, none of the new users can access the database.

I know that for the previous users, the database IS using the LDAP's user base for authentication because those users do NOT exist in the FileMaker database itself.

How can some members of the group staff authenticate and some can't?

Any help would be appreciated.

Manuel


There could be many things causing the problem. Basically I'd start by confirming that things I know to be correct actually are.

Check that the EA is actually using the OD and not the server box's accounts.

Check there are not duplicate groups on the OD box.

Check the authentication order in the database. Disable all other accounts.

BTW, externally authenticating the full access account IS a security risk. I can get a copy of your file and reproduce your EA server setup to gain full access without having to hack any passwords or usernames.


Now my problem is, I added new users to the OS X Server's LDAP,

And that's the problem. LDAP has nothing whatsoever to do with External Server Authentication. Accounts must be added via Workgroup Manager. LDAP is a yellow pages registration listing for your server, not for Accounts.

There is an extensive tech brief on the FMI web site about this and it is covered in FileMaker Security: The Book if you can get past the author's eccentricities.

Steven


Actually, I got it working; the problem was that IWP was reporting the wrong error. It would give me a message saying that the user did not have access to the database. In fact, my script creating the user was broken and would not enter the proper password when creating the user in the LDAP.

Took me a while to figure it out; it would have helped if IWP properly reported that the login credentials were wrong instead of pointing to a privilege issue.

I don't understand what you are saying that LDAP is not related to the external authentication. I create my users in LDAP and they authenticate fine to the database. I have always seen LDAP as the user database of OS X server and Workgroup Manager as a simple GUI sitting on top of it.

Manuel

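The two points raised earlier in the thread, the "check the authentication order / disable other accounts" troubleshooting step and the warning about externally authenticating the Full Access account, together with the credential-versus-privilege confusion Manuel hit, can be made concrete with a small model of how external group accounts are resolved. The code below is an added illustration, not FileMaker's or FMI's code; the account list, the directory contents (users alice, bob, carol and groups staff, guests), the privilege-set names and the outcome labels are all constructed for the example, and the resolution logic is a deliberately simplified model of the behaviour the thread describes.

```python
"""Model of external (directory) group accounts in a FileMaker-style account list.

Constructed example: a local account holds [Full Access]; an external account
named after a directory group is resolved by asking the directory to bind the
user and then checking group membership, in authentication order.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    """One account in the file. For external accounts, `name` is the directory
    group name and there is no local password."""
    name: str
    privilege_set: str
    external: bool = False
    password: Optional[str] = None  # local accounts only
    enabled: bool = True


@dataclass
class Directory:
    """Stand-in for an Open Directory server: who can bind, who is in which group."""
    users: Dict[str, str]          # username -> password (constructed sample)
    groups: Dict[str, Set[str]]    # group name -> members

    def bind(self, user: str, password: str) -> bool:
        return user in self.users and self.users[user] == password

    def groups_of(self, user: str) -> Set[str]:
        return {g for g, members in self.groups.items() if user in members}


def resolve(accounts: List[Account], directory: Directory,
            user: str, password: str) -> Tuple[str, Optional[str]]:
    """Walk the account list in authentication order.

    Returns (outcome, privilege set). Outcomes are kept distinct on purpose:
    'bad_credentials' (the directory refused the password) is a different
    problem from 'no_account' (the user is valid but matches no account).
    Unknown users also get 'bad_credentials', so callers cannot enumerate names.
    """
    for acct in accounts:
        if not acct.enabled:
            continue
        if not acct.external:
            if acct.name == user:
                if acct.password == password:
                    return ("ok", acct.privilege_set)
                return ("bad_credentials", None)
            continue
        # External group account: the directory decides the password first.
        if not directory.bind(user, password):
            return ("bad_credentials", None)
        if acct.name in directory.groups_of(user):
            return ("ok", acct.privilege_set)
    return ("no_account", None)


def externally_authenticated_full_access(accounts: List[Account]) -> List[str]:
    """The check from the thread: any enabled external account holding
    [Full Access] means whoever controls a directory that asserts that group
    name opens the file with full privileges."""
    return [a.name for a in accounts
            if a.enabled and a.external and a.privilege_set == "[Full Access]"]


# Constructed directory: alice is fine, bob was created by a broken script that
# stored an empty password, carol exists but is not in 'staff'.
DIRECTORY = Directory(
    users={"alice": "s3cret", "bob": "", "carol": "pw"},
    groups={"staff": {"alice", "bob"}, "guests": {"carol"}},
)

# What the original post described: directory group 'staff' -> [Full Access].
RISKY = [
    Account("Admin", "[Full Access]", password="changeme"),  # placeholder password
    Account("staff", "[Full Access]", external=True),
]

# Safer layout: [Full Access] stays local; the directory group gets a lesser set.
SAFER = [
    Account("Admin", "[Full Access]", password="changeme"),
    Account("staff", "Data Entry Only", external=True),
]


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Three logins against the risky layout, each ending in a different outcome."""
    return {
        "alice": resolve(RISKY, DIRECTORY, "alice", "s3cret"),
        "bob": resolve(RISKY, DIRECTORY, "bob", "bobpass"),
        "carol": resolve(RISKY, DIRECTORY, "carol", "pw"),
    }


if __name__ == "__main__":
    for user, (outcome, privs) in demo().items():
        print(f"{user:6} -> {outcome:15} {privs or ''}")
    print("external Full Access accounts:", externally_authenticated_full_access(RISKY))
    print("after fix:", externally_authenticated_full_access(SAFER))
```

Running it shows bob failing with `bad_credentials` (the broken provisioning script) while carol fails with `no_account` (a genuine group-membership problem); a client that collapses both into "no access to the database" hides exactly the distinction that cost time here. The second function is the audit step for the risk Steven raised: keep at least one [Full Access] account local and give directory groups a narrower privilege set.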

I don't understand what you are saying that LDAP is not related to the external authentication. I create my users in LDAP and they authenticate fine to the database. I have always seen LDAP as the user database of OS X server and Workgroup Manager as a simple GUI sitting on top of it.

Not really. LDAP (Lightweight Directory Access Protocol) is a communication protocol. FileMaker Server can use Accounts authenticated by itself, by Active Directory, and by Open Directory. The LDAP settings in the Console are for registering the FileMaker Server machine with a network LDAP directory.

Novell NetWare is LDAP compliant, but you cannot authenticate a FileMaker client against it, for example.

BTW, in your specific instance, both IWP and CWP can authenticate their accounts externally, but they cannot do Single Sign On as FileMaker Windows clients and FileMaker Server Windows Servers can.

See the Tech Brief.

HTH

Steven


To emphasize what Steven is saying:

LDAP is just a protocol, just like HTTP is. The accounts (and other stuff) are stored in a Directory Service (like Active Directory and Open Directory).

LDAP is used to communicate with the Directory just like HTTP is used to communicate with a Web Server.

All modern Directory Services are LDAP compliant (meaning they all speak LDAP). A lot of them understand other communication protocols as well like ADSI for Active Directory.

But you don't say "I've updated an account in LDAP", just like you wouldn't say "I've checked my settings in HTTP" (when you mean the web server).

Now where it gets truly confusing is that there is one Directory Service out there named "OpenLDAP".

HTH

Wim

