FileMaker Server can be set up to authenticate against Active Directory and Open Directory. For those already using a Microsoft server as a domain controller, setup is little more than flipping a switch, while those on Mac-only networks have to do a little more.
FileMaker Server and Open Directory can be integrated on either a single machine or across multiple machines. If you are following FileMaker Server best practices, Open Directory and FileMaker Server should be installed on separate machines. The directions for either deployment are the same, except that for a single-machine deployment you perform all the steps on one machine. This tutorial assumes a two-machine deployment.
Setup may require an advanced understanding of networking and domain name configuration.
FileMaker Server must be installed on a Mac, as Windows-based PCs are not able to bind to an Open Directory domain. Windows clients will still be able to authenticate, as authentication is processed through FileMaker Server.
Each FileMaker database must have a local account with [Full Access], as an Open Directory user with [Full Access] will not be able to change security settings.
- Mac OS X Mountain Lion (other versions may require a slightly different setup).
- OS X Server
- FileMaker Server 12
- Mac OS X Server
- Open Directory Configuration
- FileMaker Server Configuration
- FileMaker Pro Database Configuration
- Troubleshooting
OpenDirectory Server (required)
The Open Directory server must have a static IP and a resolvable hostname.
FileMaker Server (optional)
- Install Mountain Lion and update to the latest version.
- If you are going to be using this machine as an Open Directory server, you will need to assign it a static IP and make sure it is using a reachable domain name.
- Install OS X Server
- Purchase and download Mac OS X Server from the Mac App Store
- Open your Applications folder, and double-click Server to begin setup.
![Screenshot 1.1 - Mac OS X Server - Setup Server ](https://cdn.intergrated.net/FileMaker-OpenDirectory/1.1 - Mac OS X Server - Setup Server.png)
- On the second page of the Server setup wizard, "Accessing your Server", you will be given three options. If the server is not going to be accessible from outside the local network, choose "Local Network" ①.
![1.2 - Mac OS X Server - Network Type](https://cdn.intergrated.net/FileMaker-OpenDirectory/1.2 - Mac OS X Server - Network Type.png)
- Step through the Server setup wizard. In the section "Connecting to your Server", make sure the "Network Address" ① is set to a static IP and "Host Name" ② is set to the domain that resolves to the static IP you configured.
![1.3 - Mac OS X Server - Host Name](https://cdn.intergrated.net/FileMaker-OpenDirectory/1.3 - Mac OS X Server - Host Name.png)
— Static IP (required)
— Resolvable DNS Name (required)
- Open the "Server" application.
- Choose "Open Directory" under the "SERVICES" section.
![Screenshot 2.1 - Open Directory Setup - Select Open Directory](https://cdn.intergrated.net/FileMaker-OpenDirectory/2.1 - Open Directory Setup - Select Open Directory.png)
- Start the Open Directory setup wizard by clicking on the OFF/ON toggle.
- Choose "Create a new Open Directory domain", and click next.
- Enter the information for the Directory Administrator account, click next. If you get an error regarding the hostname being invalid, you need to make sure the Open Directory server has a resolvable domain name. You may need to check the PTR (reverse lookup) record to make sure it is configured correctly. (See troubleshooting section)
![2.2 - Open Directory Setup - Hostname Invalid](https://cdn.intergrated.net/FileMaker-OpenDirectory/2.2 - Open Directory Setup - Hostname Invalid.png)
- Enter the organization name and the email address of the server administrator, click next.
- Click on "Set Up" to configure and enable Open Directory.
- Set up the SSL certificate ①: make sure that "Secure services using:" is set to your SSL certificate and NOT "Custom configuration".
![2.3 - Mac OS X Server - Setup SSL](https://cdn.intergrated.net/FileMaker-OpenDirectory/2.3 - Mac OS X Server - Setup SSL.png)
- Use the existing self-signed certificate ②.
- OR
- Use a third-party certificate by clicking on the plus sign ③ and generating a CSR for use with a trusted SSL provider – [OS X Server: Configuring clients to use SSL for Open Directory binding](http://support.apple.com/kb/HT4183)
Now that you have a working Open Directory server, you will need to set up users and groups to use for authentication.
For more control over Users & Groups you can download [Workgroup Manager](http://support.apple.com/kb/DL1567) directly from Apple.
- Click on "Groups" ① under "ACCOUNTS" and then choose "Local Network Groups" from the drop down menu ②.
![2.4 - Open Directory Setup - Groups](https://cdn.intergrated.net/FileMaker-OpenDirectory/2.4 - Open Directory Setup - Groups.png)
- Click on the plus "+" button to create groups to control access to FileMaker databases.
- Click on "Users" ① under "ACCOUNTS" and then choose "Local Network Users" from the drop down menu ②.
![2.5 - Open Directory Setup - Users](https://cdn.intergrated.net/FileMaker-OpenDirectory/2.5 - Open Directory Setup - Users.png)
- Click on the plus "+" button to create a user, enter the user's information and click "Done".
- Now right-click the newly created user, and select "Edit User…"
- You can assign groups to a user by clicking the plus "+" button (1), and then typing in the blank Groups line to get the option to browse (2), which will open the Groups floating window. To add groups to the user, just drag the group name into the user's Groups list.
These steps only apply if the FileMaker and Open Directory servers are on separate machines.
- Open System Preferences, and select "Users & Groups".
- Click on "Login Options" ①, then click on the lock ②, and enter an administrator's credentials.
![3.1 - FileMaker Server - System Preferences](https://cdn.intergrated.net/FileMaker-OpenDirectory/3.1 - FileMaker Server - System Preferences.png)
- Click on "Join…" ①, then click on the Server drop-down ②. You should see your Open Directory server in the list; if you do not, enter its fully qualified domain name (FQDN). Press enter to bind to the directory server.
![3.2 - FileMaker Server - Bind to Directory](https://cdn.intergrated.net/FileMaker-OpenDirectory/3.2 - FileMaker Server - Bind to Directory.png)
- Open the FileMaker Server Admin Console
- Click on "Database Server" ①, choose "Security" ②, change "Client Authentication" to "FileMaker and external server accounts" ③, then click Save ④
![3.3 - FileMaker Server - Admin Console - Security](https://cdn.intergrated.net/FileMaker-OpenDirectory/3.3 - FileMaker Server - Admin Console - Security.png)
- Open Directory authentication may also be used to configure access to the FileMaker Server Admin Console. Add and configure an administrator group:
- Click on "Administrator Groups" ①
- Click Add ②
- Enter "Group Name" ③
- Enter "Group Password" ④ (required, but unused)
- Check "Use external group" ⑤
- Enter Open Directory Group ⑥ to use for authentication.
- Click "Test External Group" ⑦
- Click "Select Folder" ⑧ and choose a folder, if you would like to limit access to a specific folder.
- Click "Edit Privileges" ⑨, if you would like to allow privileges beyond the default: View Databases, Send Messages and Disconnect Clients.
- Click Save ⑩
![3.4 - FileMaker Server - Admin Console - Admin Groups](https://cdn.intergrated.net/FileMaker-OpenDirectory/3.4 - FileMaker Server - Admin Console - Admin Groups.png)
- Open Directory authentication may also be used to provide full access to the admin console.
- Click on "General Setting" ①
- Check "Use external group" ②
- Enter Open Directory Group ③ to use for authentication.
- Click "Test External Group" ④
- Click Save ⑤
To use Open Directory for authentication, the database must be hosted on a FileMaker Server configured for Open Directory.
Complete the following steps for each FileMaker Pro database you want to authenticate through OpenDirectory.
- Open database.
- Go to the menu File -> Manage -> Security
![4.1 - FileMaker Pro Database - Security](https://cdn.intergrated.net/FileMaker-OpenDirectory/4.1 - FileMaker Pro Database - Security.png)
- Add Open Directory Group Account
- Click "New…" ①
- Select "External Server" from the "Account is authenticated via" menu ②.
- For "Group Name" ③, enter the Open Directory Group you would like to use for authentication.
- Select a "Privilege Set" ④
- Click OK ⑤
![4.2 - FileMaker Pro Database - Add Group](https://cdn.intergrated.net/FileMaker-OpenDirectory/4.2 - FileMaker Pro Database - Add Group.png)
The order matters: if a user has a FileMaker account and an Open Directory account with the same username, the first account or group that accepts the provided username and password will be the one used.
- Legacy local user "localUser" ① [Full Access]
- New OD Group "ODUserGroup" ② [Edit Only]
- "localUser" logs in with his old local password and is given [Full Access] even though he is in the group "ODUserGroup" and was expected to have [Edit Only] access.
![4.3 - FileMaker Pro Database - Authentication Order](https://cdn.intergrated.net/FileMaker-OpenDirectory/4.3 - FileMaker Pro Database - Authentication Order.png)
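The ordering rule above can be modelled to audit an account list for legacy local accounts that shadow an Open Directory group. This is an added example, not FileMaker's code or part of the original tutorial; it assumes only the first-match rule as stated here, and the `Entry` class, passwords and directory contents are constructed for illustration.

```python
# Simplified model (assumption): entries are tried top to bottom and the
# first one that accepts the username and password decides the privilege set.
from dataclasses import dataclass
from hmac import compare_digest

@dataclass
class Entry:
    kind: str           # "local" (FileMaker account) or "external" (OD group)
    name: str           # account name or Open Directory group name
    privilege: str      # privilege set granted by this entry
    password: str = ""  # only used by local accounts

# Constructed sample directory: user -> (OD password, OD group memberships)
DIRECTORY = {"localUser": ("od-secret", {"ODUserGroup"})}

def accepts(entry, directory, user, password):
    if entry.kind == "local":
        return entry.name == user and compare_digest(entry.password, password)
    od_password, groups = directory.get(user, ("", set()))
    return (user in directory and compare_digest(od_password, password)
            and entry.name in groups)

def resolve_privilege(order, directory, user, password):
    """Return the privilege set of the first entry that accepts the login."""
    for entry in order:
        if accepts(entry, directory, user, password):
            return entry.privilege
    return None

def shadowing_local_accounts(order, directory):
    """Local accounts listed above an external group that the directory user
    of the same name belongs to, where the two privilege sets differ."""
    findings = []
    for i, entry in enumerate(order):
        if entry.kind != "local" or entry.name not in directory:
            continue
        groups = directory[entry.name][1]
        for later in order[i + 1:]:
            if (later.kind == "external" and later.name in groups
                    and later.privilege != entry.privilege):
                findings.append((entry.name, entry.privilege,
                                 later.name, later.privilege))
    return findings

# The account list from the example above, in its listed order (constructed passwords).
ORDER = [Entry("local", "localUser", "[Full Access]", "old-local-pw"),
         Entry("external", "ODUserGroup", "[Edit Only]")]
```

A non-empty result from `shadowing_local_accounts` lists each local account whose old password still yields the local privilege set instead of the group's.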
If you are getting an "invalid hostname" error, or are unable to connect to the Open Directory server using SSL:
Run the following command from Terminal to check your configuration: `sudo changeip -checkhostname`. The most common issue is that the domain lookup and reverse lookup (PTR record) do not match; in that case, contact your network administrator or internet provider.
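The forward and reverse lookup comparison behind that mismatch can also be checked directly. This is an added example, not part of the original tutorial or of `changeip`; the hostnames and addresses are constructed, and the `forward` and `reverse` parameters are hypothetical hooks so the check can run against sample data offline.

```python
import socket

def check_hostname(hostname, forward=None, reverse=None):
    """Compare forward (A) and reverse (PTR) lookups for hostname.

    forward(name) -> list of IPv4 addresses, reverse(ip) -> hostname.
    Both default to the system resolver. Returns a list of problems;
    an empty list means every address maps back to the hostname.
    """
    forward = forward or (lambda n: sorted(
        {ai[4][0] for ai in socket.getaddrinfo(n, None, socket.AF_INET)}))
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    want = hostname.rstrip(".").lower()
    try:
        addresses = forward(hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"forward lookup of {want} failed: {exc}"]
    problems = []
    for ip in addresses:
        try:
            name = reverse(ip).rstrip(".").lower()
        except OSError as exc:  # socket.herror: no PTR record
            problems.append(f"no PTR record for {ip}: {exc}")
            continue
        if name != want:
            problems.append(f"{ip} reverse-resolves to {name}, not {want}")
    return problems

# Constructed sample records (documentation address range, reserved TLD).
SAMPLE_FORWARD = {"od.example.test": ["192.0.2.10"]}
SAMPLE_PTR = {"192.0.2.10": "host-10.isp.example.test"}

if __name__ == "__main__":
    for line in check_hostname("od.example.test",
                               forward=SAMPLE_FORWARD.__getitem__,
                               reverse=SAMPLE_PTR.__getitem__):
        print(line)
```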
If you are unable to log in with Open Directory credentials:
On the FileMaker server, unbind and rebind to the Open Directory server in System Preferences -> Users & Groups -> Login Options.
--
- Recommended: Install Mac OS X Server on all the machines used, though it is optional for the FileMaker Server machine.