LDAP in Mac OS X Server
Since I'm creating this user to create a Preset, I give him a
user name that is obviously fake, such as a full name of Bugs Bunny
and a short name of bugs_bunny.
Then move on to the Home pane. Click on the plus symbol to add a new item to the list of home folders. Adding a home folder so it can be shared is not well documented, but this is what works for me. In the server/share point URL box enter afp://servername.company.com/Users, as you might expect from the URL. The path, as suggested, should be the short user name. The software insists that something be entered in the Home box, although logic might suggest that the URL and path we specified already carry all the information required. Having tried various possibilities, I've discovered that entering just "/" works best here. Don't bother clicking on Create Home Folder, since 1) it doesn't seem to work for shared home folders, and 2) there is a good script we can run to add them all at once when we have finished all our users.
Set the Print and Windows panes as you desire. Now click on Save
to save your user, and then select Save Preset in the preset popup,
giving it an obvious name such as plain user.
Now you're ready to import your users and groups. Select Import... from the File menu. Once you've selected the file to be imported, choose your preset in the User Preset popup and let the import run.
I've found that every time I import there's a problem or two. The first is that the mail server in the Mail pane is always set to the LDAP server I'm using, not the mail server name. The second is that some of the time the user's home folder is not set properly.
Thankfully, there's an easy fix to both of these, as the Workgroup Manager allows operations on multiple user records at the same time. So select all your imported users and go to the Mail pane. Enter the correct server name in the Mail Server box and click on Save.
Fixing the home folder is almost as
easy. With all the users still selected, go to the Home pane and click on
"None" in the folder list, then click on the proper home folder. You
will notice that the line in the dialog that starts "Home:" will change
to afp://servername.company.com/Users/user_name, and you can then click
Save again. It seems that both these bugs in import are problems with
the Preset system, since you will have the same problems when you use a preset to create a user by hand.
Now we can create those home folders. Apple's documentation says that if
there is no shared home folder when a user first logs in it will be
created, but I've never actually trusted this process, so I create them
using the createhomedir script. Go into the Terminal and enter sudo
createhomedir -a, and you should find that the directories will be created
for you.
The moment of truth is now upon us. Time to connect a Mac OS X client.
Connecting a Client
Go to your client and run Directory Access, which can be found in the Utilities folder. You'll have to start by clicking on the padlock to authenticate yourself, then click on the LDAPv3 box. The configuration dialog will pop up, so click on New... to create a blank entry.
Name the configuration and put in the domain name of your server. Then select Open Directory Server in the LDAP Mappings popup, and another dialog will pop up asking for the Search Base Suffix, which is the same dc=company,dc=com we used back when we were setting up our server. That has connected the client to the server, so now we just have to tell it which services should use the directory.

Go to the Authentication pane and click on Add... and you will see a list of the methods available to you that are currently unused. Click on the LDAP line and click the Add button. Do the same in the Contacts pane. Now you've set up directory access.
To test this, try logging into the client.
LDAP for Mail
We can also use the LDAP directory to build a shared address book for our company. Once again we'll run into some problems due to Apple's poor implementation.
For example, when you add a user into your LDAP directory, the Workgroup Manager will set the sn (surname) attribute to 99 for all users. This means you have to go in and edit all those entries.
Personally I use phpLDAPadmin as
it is easy to install and not only allows you to cruise your entire LDAP
tree, but also allows you to easily examine the schema.
Installing it is as easy as downloading it to the Mac you use for
managing your network, unpacking the tar file somewhere accessible from
the web server (I put it in my Sites folder), and editing the config file.
One note: I set the authtype to form so that I get a login form rather than saving my password in the config file. I do this so that I can easily change the password of the admin user on the server without having to change it in places like this.
To fix the aftermath of Apple's bug you need to change the sn attribute to the user's surname and add the givenName attribute with the user's given name(s). Doing this is a fairly tedious job if you have a number of users, so I find a junior staff member and, after 10 minutes of training, get him or her to do it.
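A way to do that edit in bulk instead of by hand, added here as an example (not the article's or Apple's own tooling): it reads an ldapsearch LDIF export of cn=users, splits each cn into givenName and sn, and writes an ldapmodify changeset, assuming the last word of cn is the surname and that names are ASCII. The sample entries are constructed.

```python
import base64

# Constructed sample of an ldapsearch export of cn=users after a Workgroup
# Manager import: every sn is "99" (one cn is base64-encoded, as ldapsearch does).
SAMPLE_LDIF = """\
dn: uid=bugs_bunny,cn=users,dc=company,dc=com
cn: Bugs Bunny
sn: 99

dn: uid=daffy,cn=users,dc=company,dc=com
cn:: RGFmZnkgRHVjaw==
sn: 99

dn: uid=madonna,cn=users,dc=company,dc=com
cn: Madonna
sn: 99
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.
    Handles folded lines (leading space), '#' comments and base64 ('::') values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]               # continuation line
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:                   # "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def split_full_name(cn):
    """Last word of cn is the surname; return (givenName, sn) or None if unsplittable."""
    parts = cn.split()
    return (" ".join(parts[:-1]), parts[-1]) if len(parts) >= 2 else None

def build_fix_ldif(entries):
    """Return (ldapmodify changeset, dns skipped for manual review). Names are
    assumed ASCII; non-ASCII values would need base64 ('::') encoding on output."""
    changes, skipped = [], []
    for entry in entries:
        dn = entry.get("dn", [None])[0]
        if dn is None or entry.get("sn") != ["99"]:
            continue                               # not a WGM-damaged record
        names = split_full_name(entry.get("cn", [""])[0])
        if names is None:
            skipped.append(dn)                     # single-word cn: a human decides
            continue
        given, sn = names
        changes.append(f"dn: {dn}\nchangetype: modify\nreplace: sn\nsn: {sn}\n-\n"
                       f"replace: givenName\ngivenName: {given}\n-\n")
    return "\n".join(changes), skipped
```

Review the generated changeset, then apply it with ldapmodify -x -D uid=admin_user,cn=users,dc=company,dc=com -W -f fix.ldif; any DN in the skipped list still needs the manual edit.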
After all of this, you now have your local users ready for use in email.
Adding other addresses can be fairly easy. If they are in your Address
book then Alex Hartner has written an excellent tool, AddressBook2LDAP, which allows you to easily shift addresses to your server. The hard part
of configuring this tool is specifying the logon field. You'll find
that the easiest way to set it is
uid=admin_user,cn=users,dc=company_name,dc=com where you replace the
admin_user and company_name with your details. Then just enter the correct password into the password field.
If you have addresses stored in some other system that can export an LDIF (LDAP Data Interchange Format) file, then you can import that using phpLDAPadmin. If they can't export as LDIF, you're out of luck.
One of the shortcomings between Address Book and the LDAP server is that not all fields in the Address Book can be saved on your LDAP server so that Address Book can get them back. Fortunately the most important ones, such as email address, physical address, and phone numbers are supported, but only one of each for a single entry.
In order to use these addresses, you have to make some minor additions in Address Book. At the moment the Address Book can find your users through Directory Services but not the addresses you have added to the server. To allow this, you have to set the Address Book to access the LDAP server directly.
Open the Address Book preferences and click on the LDAP button. Click
on the "+" button at the bottom of the window and a pane will open to
add the details of your LDAP server. The only field not obvious is the
"Search base:" -- set this to cn=people,dc=company_name,dc=com.
You can now search your LDAP server from the Address Book. I've had problems (on some clients) getting auto-completion to work in Mail. The fix for this is to go into Mail preferences and in the Composing pane you'll see a "Configure LDAP..." button. Click on this and you will see a pane identical to the one in Address Book. Enter your server and Mail will auto-complete perfectly, but a little slower than addresses in your local book.
Final Thoughts
As we have seen, Apple's integration with LDAP in Panther is not without problems. We can hope for better in Tiger. Despite these shortcomings however, we can use the LDAP server in Mac OS X to share authentication and addresses around our network easily. Once you've mastered those basics, it's time to think about single sign-on with Kerberos and using your LDAP server with other services such as webmail.
Thanks
A great deal of the information in the introduction of this article was found in LDAP System Administration by Gerald Carter. I would also like to thank the folks at the AFP548 eBBS for their help with getting the best out of LDAP on Mac OS X.
Tony Williams is currently a desktop support consultant at a major Australian university, specializing in Macintosh computers. He describes himself as a "professional Mac geek."
-
LDAP on OS X Client?
2006-01-21 08:07:23 Mladd
Is it possible to install an LDAP server on OSX 10.3 Client? I am currently running an E-Mail and Web server on this desktop and was hoping to set up an LDAP server also. Any ideas as to what packages I could use? I only see information for OS X Server.
-
Answering My Own Question (Well No One Else Would)
2005-11-11 20:59:19 Mickwilli
It seems that Mac OS 10.3 Server needs to be set up a specific way or it throws a hissy fit and leaves town.
To get LDAP to work you need to first install a fresh version of the Server System OS. Then you need to set it as a Standalone Server in the Server Assistant; also tick only AFP to run as default. The next step is to update your server to 10.3.9 and then set up DNS for all the things you need. DON'T START TRYING TO DO ANYTHING ELSE, and don't forget the dot at the end of the "Map From" address. Test your DNS by typing "host server.domain.com" in Terminal (without the quotes) and pressing Enter; it should return the server's IP address, and if you enabled reverse mappings, then if you do the same but replace the server address with the IP address you should get the server name. If and only if that works, move on to setting up DHCP (if you are using DHCP on this server; if not, move on), and to test that, connect a client to this server with DHCP (if you already have a DHCP server then make sure you isolate your new server and client to test). If that works, move on to setting up LDAP.
Before you go any further, RESTART YOUR SERVER and then follow the instructions on this page to set LDAP up, but don't worry if KDC isn't running when you start; it should come up later if you have set up DNS and DHCP properly.
-
HELP!!! (Please)
2005-11-07 12:59:36 Mickwilli
I can't get KDC to run on my Mac OS X 10.3.9 server. It is probably set up in the DNS, as I have tested it with the host command and the full server name returns the correct IP address. I have the Kerberos Realm name as the CAPITALISED name of the server and tried with and without the dot at the end of the name. Is there any idea why KDC doesn't want to stick around?
-
Missing Instruction: AFP must be running
2005-06-14 14:36:18 Celia
Apple file sharing must be turned on in ServerAdmin for remote users to log in to their home directory on the shared server.
Although clues are given in the pictures, it is not expressly stated in the text.
-
Problem with LDAPv3 on OSX Server 10.2.8
2004-07-14 12:44:23 ChHoney
Hi experts!
I'm stuck trying to configure LDAPv3 for remote authentication.
We are running an X-Serve with OSX Server 10.2.8 and about 10 iMac clients with OSX 10.3.4.
The server runs a "Password Server" and was configured with Open Directory Assistant for LDAP use. I used Directory Access on the server to configure the LDAP service and set the server's IP as the LDAP host. I did the same Directory Access setup for a client that can log in to the server (the server is visible in the client).
In Directory Access > Authentication I set the search method to Custom in both the server and the client and added the share points /LDAPv3/IP-of-Server for the client and the server. Those were both available after setting up LDAP in Directory Access.
Then I created a user account on the server in the LDAPv3/IP-of-Server folder. At first I could log in to the client with that account, but first I had to change something in the attribute mapping of either the server's or the client's LDAP setup in Directory Access. Then, when I wanted to create new users, a message popped up that some attributes are not mapped. Which mapping do I have to choose?
A configuration paper from MIT used "Custom" but there is also "Open Directory" and "From Server". I don't know how to deal with this attribute mapping. Maybe I did something wrong there. Anyway, it doesn't work any more and I am sitting here for hours trying to find out what I am doing wrong.
Can you please help me?
Christian
(student from Osnabrück, Germany)
-
10.3 Server Network Home Dir in Home environment?
2004-06-19 11:40:56 uurf
I'm using 10.3 Server in a home environment and would like to enable LDAP Auth and Networked Home Directories.
Since I don't have a static IP (Dyndns points my domains here) I can't get KDC to start (nor LDAP now).
I tried creating an entry in the hosts file for the server
192.168.1.25 servername.domain.org
(where servername and the domain have actual values of course).
...with no luck
Any thoughts on enabling this capability in a home env where there's no explicit domain name server naming the host?
-
10.3 Server Network Home Dir in Home environment?
2004-06-19 12:07:03 tonywilliams
Since you don't have static IP addresses I assume that you have your home network behind a hub/router or switch to share out the net connection and that this router is providing a NAT so that the machines on the inside get IP addresses.
All you need do is get the NAT to not serve out a couple of IP addresses, usually at the bottom of the range, and put a DNS server and KDC on the 'net manually configured to use the addresses rather than ask the NAT for one.
If you don't want to keep a second server just as the DNS then set up the machine that will have the KDC so that it is its own backup DNS. Then when you remove the first DNS it will still work.
Of course you have to have at least one permanent computer on the 'net, but you're going to need that for shared home directories anyway.
If you have any trouble configuring the DNS I suggest you read the Linux Network Administrator's Guide for the section on bind, or the O'Reilly book.
Tony Williams
-
LDAP Authentication (10.3.4 Server & Client)
2004-06-14 20:01:21 Lumenire
I have set up my Xserve 10.3.4 using LDAP Open Directory Master, and set up my client machines to authenticate with LDAP. The clients will login just fine, until I either restart the computer or shutdown and then restart. At that point the client machine can't authenticate the user.
I then hooked up one client machine directly to the server using a dumb hub and it worked fine. When I hook it back into the campus network same problem again.
Suggestions?
-
LDAP Authentication (10.3.4 Server & Client)
2004-06-18 12:27:02 highthoughts
I have seen similar issues with auth to a Mac OS X server running both NetInfo and OpenLDAP when spanning tree is turned on. I would disable spanning tree on your switches and try the auth again.
The reason it works with the dumb hub is simply that it doesn't support spanning tree.
-
how to populate ldap with 10.2 server netinfo users?
2004-06-08 09:54:43 jesushouston
In the past we had OS 10.2 server with networked home folders using NetInfo. Has anyone been able to successfully import this user data into 10.3 server LDAP? Can I use nidump to extract the user information from the NetInfo database in a format that LDAP will import?
-
how to populate ldap with 10.2 server netinfo users?
2004-06-09 14:32:34 danielhembree
I've found it undoable. I've got encrypted passwords and 10.3 seems determined to not let me use them. I've written a script that takes a 10.2 password dump, "nidump passwd . > rawpwfile", and converts it into an import file for the Workgroup Manager. The script also adds what's needed to turn on Apple's Mail since sendmail has been replaced by postfix. This sort of works. It was no problem with a few users, but up past about 100 things become difficult.
You can only import about 100 at a time, and after a few hundred, this takes hours. It took me a week of round-the-clock loading to move 500 users. There is a command line script to load these files but I can only get it to load one at a time.
Once loaded, the only way to maintain password info is through NetInfo. Using the command line passwd or Workgroup Manager will result in your encrypted passwords being converted to something else, somewhere else, that you can't find.
The worst part is that lookupd becomes dysfunctional: any attempt on the part of the OS to translate between a UID and username, such as during login or with an ls -l, will send the CPU to the roof and freeze the machine for several minutes.
These problems arise from needing to use the encrypted passwords. If you don't need them, or changing all your users' passwords manually is feasible, then simply exporting from 10.2 and importing into 10.3 (a few at a time) is simple and avoids the problems mentioned above.
-
OS X and Linux LDAP?
2004-06-07 10:08:58 trekkie
Anyone aware of any 'how-tos' to use a Linux server as your LDAP server? Until I win the lottery or something I'm probably not going to buy a Mac OS X Server for my home (never say never, but Xserves are a bit too high still for my taste). In the interim, I'd love to use the multiple Macs I have in the house with one sign-on, and home directories somewhere so you could check your email from any machine and not have to worry about folder sync.
-
OS X and Linux LDAP?
2004-06-08 02:39:59 tonywilliams
Actually, after doing some checking I've discovered that it is a little easier than I thought. You'll find that Apple's LDAP schema and OpenLDAP are already installed on any OS X machine.
That means that the only thing you need to get it all working well is a copy of Apple's WorkGroup Manager to populate the database for you.
Tony Williams
-
OS X and Linux LDAP?
2004-06-08 00:02:47 tonywilliams
The hard part of doing this is to get the right schema and populate the records properly. You can install OpenLDAP easily on a Linux box (or any OS X Mac for that matter) but getting the right information into it is a huge hurdle.
Of course you don't need an XServe to run OS X Server. You could for your network just get a copy of Panther Server - the 10 client version is still serious money at $499 in the US but it will save you a great deal of time and trouble. Install it on the fastest of your home Macs and you should have no problems.
Once you have OS X Server there are even more facilities you can provide than just single sign on and shared Home folders.
Tony Williams
-
addressbook4ldap
2004-05-26 10:40:32 jurg
addressbook4ldap (follow the link for addressbook2ldap) is even better. It lets you manage your online address book. It even supports SSL. In my situation I use authenticated binds to read and manage the address book in LDAP. The OS X Address Book application has two flaws when you want to use it with authenticated binds. It doesn't work over SSL (so the password you send and the addresses you retrieve are sent in cleartext), and it uses an old authentication method. The latter can be solved by adding a line with 'allow bind_v2' in slapd.conf.
However, now I use addressbook4ldap to search and manage the LDAP address book. It has no problems with authenticated binds and SSL.
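A slapd.conf fragment, added here as an example and not taken from the comment, the article, or Apple's shipped configuration, showing how an OpenLDAP server can be made to refuse the cleartext bind described above rather than accept it; the certificate paths, suffix and admin DN are assumptions.

```conf
# Weak: accepting LDAPv2 binds on a server with no TLS means a simple bind
# from Address Book carries the admin password across the network in cleartext.
#   allow bind_v2

# Hardened: serve TLS and refuse simple binds that arrive unprotected.
# (Certificate paths, suffix and DN below are assumptions for this example.)
TLSCACertificateFile   /etc/openldap/certs/ca.pem
TLSCertificateFile     /etc/openldap/certs/server.pem
TLSCertificateKeyFile  /etc/openldap/certs/server-key.pem

# Simple (password) binds require at least 128-bit transport protection,
# i.e. an ldaps:// connection or a successful STARTTLS first.
security simple_bind=128

# The shared address book: authenticated users may maintain it, everyone may read.
access to dn.subtree="cn=people,dc=company,dc=com"
    by dn.exact="uid=admin_user,cn=users,dc=company,dc=com" write
    by users write
    by * read
```

With this in place an unencrypted authenticated bind from Address Book is refused outright instead of silently leaking the password, while the anonymous reads the article's Address Book setup relies on keep working.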