Using OpenDirectory Without Binding?

Is there any way to connect to a remote OpenDirectory without binding the system to it first? I tried the remote/proxy API in OpenDirectory.framework, but it looks like that assumes administrator credentials, which would be inappropriate in this context (macOS GUI app, untrusted user until authentication, etc).

I really don't want to require binding because of the deployment difficulty, and we don't require authenticated binding at the OD master. On both sides (client: query/authentication only, no system reconfiguration) (server: no authenticated binding requirement) it looks like no root/administrator permissions should be necessary for this task. Is there a way forward?

The last mention I saw was https://forums.developer.apple.com/message/158790, but that was some time ago, perhaps not the same exact issue.

Replies

What sort of queries do you want to run?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I'd like to look up a user (the user trying to authenticate), and extract some attributes. The equivalent of:

ODNode *n = [ODNode nodeWithSession:<REMOTE> type:kODNodeTypeAuthentication error:&error];
ODRecord *r = [n recordWithRecordType:kODRecordTypeUsers name:<USER> attributes:nil error:&err2];

After that I might use -setCredentialsWithRecordType:recordName:password:error:

Under the covers OD uses LDAP, so you might be able to query attributes using an LDAP query directly. That won’t help you changing the password though. Then again, you’d need to authenticate in order to change the password anyway.

Are you sure that the OD proxy support requires administrator credentials? If not, you could set up a dummy account and use it as proxy authentication (until such time as you need to authenticate properly in order to change the password).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
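Quinn's suggestion above (a dedicated low-privilege account for the OD proxy session, with the end user's own password checked afterwards), as an added Objective-C example that is not code from this thread or from Apple. It assumes the OD master accepts that proxy account for Connect, which the thread leaves open; `od.example.com`, `odproxy`, `jappleseed` and the helper name are placeholders.

```objective-c
#import <Foundation/Foundation.h>
#import <OpenDirectory/OpenDirectory.h>

// Look up a user through an OD proxy session opened with a dedicated,
// low-privilege proxy account, then verify the password the user typed.
// Nothing here binds or reconfigures the client machine.
static BOOL ODVerifyUserOverProxy(NSString *host, NSString *proxyUser,
                                  NSString *proxyPassword, NSString *userName,
                                  NSString *candidatePassword,
                                  NSDictionary **detailsOut, NSError **error)
{
    NSDictionary *options = @{
        ODSessionProxyAddress:  host,       // remote OD master
        ODSessionProxyUsername: proxyUser,  // proxy account, not the end user
        ODSessionProxyPassword: proxyPassword,
    };
    ODSession *session = [ODSession sessionWithOptions:options error:error];
    if (session == nil) return NO;
    ODNode *node = [ODNode nodeWithSession:session
                                      type:kODNodeTypeAuthentication
                                     error:error];
    if (node == nil) return NO;
    NSArray *wanted = @[kODAttributeTypeRecordName, kODAttributeTypeFullName,
                        kODAttributeTypeEMailAddress];
    ODRecord *record = [node recordWithRecordType:kODRecordTypeUsers
                                             name:userName
                                       attributes:wanted
                                            error:error];
    if (record == nil) return NO;  // unknown user; *error says why
    // -verifyPassword: has the server check the candidate without making it
    // session state, unlike -setCredentialsWithRecordType:recordName:password:error:.
    if (![record verifyPassword:candidatePassword error:error]) return NO;
    if (detailsOut != NULL) *detailsOut = [record recordDetailsForAttributes:wanted error:error];
    return YES;
}

int main(void)
{
    @autoreleasepool {
        // Placeholder values; in a real app the proxy password comes from the keychain.
        NSError *error = nil; NSDictionary *details = nil;
        BOOL ok = ODVerifyUserOverProxy(@"od.example.com", @"odproxy",
                                        @"PROXY_PASSWORD_PLACEHOLDER", @"jappleseed",
                                        @"USER_PASSWORD_PLACEHOLDER", &details, &error);
        NSLog(@"authenticated=%d details=%@ error=%@", ok, details, error);
    }
    return 0;
}
```

Build with `clang -framework Foundation -framework OpenDirectory`; the proxy account only needs enough rights to read the user record, so it should not be an administrator.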

I’d be thrilled to be proved wrong about the proxy credentials, but can’t find any documentation or reference either in the framework or Directory Utility. I tried the source too, but it didn’t turn up much. Authenticating against the proxy would be fine upfront, I could live with the whole thing as one transaction. However I did try Connect from Directory Utility and it seems pretty clear it’s administrators only out of the box. Hope it’s configurable.