More LDAP in Mac OS X Server
Extending the System
Now that the email addresses of all of the staff are available in both Address Book and SquirrelMail, how do we extend that so we can share other mail addresses as well? We can do that easily with a little help.
The secret is that Mail, Address Book, and SquirrelMail can all be set up to query more than one LDAP server, and nothing says those have to be different machines: we can point at the same LDAP server twice with two different search bases. Remember that we used cn=users,dc=example,dc=com as our base, so if we add a reference to the same LDAP server with a base of, say, cn=customers,dc=example,dc=com, we get a separate mail list. In fact, we could have many lists, say one for customers and one for suppliers, if desired.
The easiest way to add the records is to use a small Perl script. I've written one that reads the names from standard input, one person per line, with first name, last name, and address separated by tabs. Write your file like so (those blanks are single tabs):
Tony Williams tonyw@honestpuck.com
Peter Parker spiderman@comics.com
Tim O'Reilly tim@oreilly.com
Then cat address.txt | perl ldap_add.pl at the command line will do the job. Here's the script:
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# the 'cn' container that will hold the addresses
my $container = 'customers';
# DN for a user able to write to the LDAP server
my $bind = 'uid=admin,cn=users,dc=example,dc=com';
# Anyone who can read this file can read the password: keep it mode 0600,
# or prompt for the password instead of storing it here.
my $passwd = 'secret';

my $ldap = Net::LDAP->new('ldap.example.com') or die "$@";
# A simple bind sends the password in the clear unless the connection is
# protected (LDAPS, or $ldap->start_tls before binding), so run this on the
# server itself or over a network you trust.
my $mesg = $ldap->bind($bind, password => $passwd);
$mesg->code && die $mesg->error;

while (<>) {
    chomp;
    next if /^\s*$/;    # skip blank lines
    my ($first, $last, $mail) = split /\t/, $_, 3;
    die "line $.: expected first<TAB>last<TAB>mail\n"
        unless defined $mail && length $mail;
    my $cn = "$last $first";
    # The RDN needs its attribute name. A cn containing , + " \ < > or ;
    # would also need RFC 4514 escaping, which this script does not do.
    my $dn = "cn=$cn,cn=$container,dc=example,dc=com";
    $mesg = $ldap->add($dn,
        attrs => [
            objectClass => 'inetOrgPerson',
            cn          => $cn,
            givenName   => $first,
            sn          => $last,
            mail        => $mail,
        ]
    );
    $mesg->code && die "$dn: " . $mesg->error;
}
$ldap->unbind;    # take down the session
If you don't want to use something like this script, then you can of course do it by hand using phpLDAPadmin or your favorite LDAP editor. Either way, the container entry (cn=customers,dc=example,dc=com) has to exist before you add anything beneath it, or the server will reject the entries with a "no such object" error. You can also extend the script to support more fields for Address Book, if you wish. Just add the fields into the text file and the script.
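The following is an added example, not the article's code: a Python equivalent of the script above that writes LDIF for ldapadd instead of binding itself, so the admin password never has to sit in a file. It writes the RDN out in full (cn= plus an RFC 4514-escaped value, so a surname like "Smith, Jr." does not break the DN), base64-encodes non-ASCII values as LDIF requires, reports malformed input lines instead of silently producing half an entry, and emits the container entry itself, since ldapadd fails if cn=customers does not exist yet. The organizationalRole class used for the container and the two extra sample rows are assumptions; the article does not say how its containers were created.

```python
"""Emit LDIF for a shared address-book container (added example, not the article's code).

Reads the article's tab-separated 'first<TAB>last<TAB>mail' lines and prints LDIF
that ldapadd can load, so no bind password needs to live in a script.
"""
import base64
import sys

BASE_DN = "dc=example,dc=com"   # the article's base

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 s2.4),
# plus '#' at the start and a space at either end.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(attr: str, value: str) -> str:
    """One 'attr: value' line, or 'attr:: base64' when the value is not an RFC 2849
    SAFE-STRING (non-ASCII, NUL/CR/LF, or a leading space, ':' or '<')."""
    plain = all(0x01 <= ord(c) <= 0x7F and c not in "\r\n" for c in value) and (
        value == "" or value[0] not in " :<")
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def parse_addresses(text: str):
    """Return (rows, errors) for the article's input format. Blank lines and '#'
    comments are skipped; malformed lines are reported rather than guessed at."""
    rows, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != 3 or not all(parts) or "@" not in parts[2]:
            errors.append(f"line {lineno}: expected first<TAB>last<TAB>mail, got {line!r}")
            continue
        rows.append(tuple(parts))
    return rows, errors


def build_ldif(text: str, container: str, base_dn: str = BASE_DN,
               create_container: bool = True) -> str:
    """LDIF for the container entry (optional) and one inetOrgPerson per input row."""
    rows, errors = parse_addresses(text)
    if errors:
        raise ValueError("\n".join(errors))
    container_dn = f"cn={escape_dn_value(container)},{base_dn}"
    blocks = []
    if create_container:
        # organizationalRole is an assumption: any standard schema has it and it takes a cn.
        blocks.append("\n".join([ldif_attr("dn", container_dn), "objectClass: top",
                                 "objectClass: organizationalRole", ldif_attr("cn", container)]))
    seen = set()
    for first, last, mail in rows:
        cn = f"{last} {first}"   # the article's 'Last First' naming
        dn = f"cn={escape_dn_value(cn)},{container_dn}"
        if dn.lower() in seen:   # DNs compare case-insensitively; ldapadd would stop here
            raise ValueError(f"duplicate entry: {dn}")
        seen.add(dn.lower())
        blocks.append("\n".join([ldif_attr("dn", dn), "objectClass: top",
                                 "objectClass: inetOrgPerson", ldif_attr("cn", cn),
                                 ldif_attr("givenName", first), ldif_attr("sn", last),
                                 ldif_attr("mail", mail)]))
    return "\n\n".join(blocks) + "\n"


# Constructed sample input: two of the article's rows plus two rows that exercise
# the escaping (non-ASCII -> base64 LDIF line; comma -> escaped inside the DN).
SAMPLE = "\n".join([
    "Tony\tWilliams\ttonyw@honestpuck.com",
    "Tim\tO'Reilly\ttim@oreilly.com",
    "Jürgen\tMüller\tjm@example.net",
    "Sam\tSmith, Jr.\tsam@example.net",
])

if __name__ == "__main__":
    # usage: python3 mk_ldif.py customers < address.txt > customers.ldif
    container = sys.argv[1] if len(sys.argv) > 1 else "customers"
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(build_ldif(text, container))
```

Feed the output to ldapadd with -D uid=admin,cn=users,dc=example,dc=com -W, which prompts for the password rather than storing it, and read the LDIF over first: ldapadd stops at the first entry the server rejects, so a typo in row ten leaves rows one to nine loaded.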
Now just add the "new" LDAP server to Address Book, Mail, and SquirrelMail in exactly the same way as the first one, replacing the base cn=users,dc=example,dc=com with the new one, cn=customers,dc=example,dc=com. I've established a customers container, a suppliers container, and a misc container for each of our three state offices, and then set Mail and Address Book to search only the containers the user requires. This keeps the total list of addresses searched by each user as short as possible. Unfortunately, SquirrelMail does not support a per-user list of LDAP servers, so users have a longer list there, though they can easily select just one server.
In the illustration above, you can see the pop-up menu (right next to the Search button) that allows the user to select where to search. The choices are All, Address Book (which is the list of the user's personal addresses saved in SquirrelMail) followed by the "name" field from each of the LDAP servers you set in the SquirrelMail preferences.
LDAP and Apache
For our next trick, we are going to need some serious mojo. After a lot of research and testing, I've found a module for Apache 1.3.x that lets Basic authentication check usernames and passwords against the LDAP server, though not without problems. There are several (I found five) modules available that should do this, but none works perfectly. So I took one (mod_LDAPauth from Piet Ruyssinck) that worked fairly well, and did some hacking to allow longer user IDs and to support Apple's model of group membership. Go to my web site to grab a copy of the hacked version.
You'll be happy to read that building, installing, and configuring Apache for it are trivial. Download the source file into a folder on your server, and then type sudo apxs -lldap -llber -i -a -c mod_LDAPauth.c at a terminal prompt. This runs the Apache extension tool to compile the module, install it (-i), and add the lines that load it to the configuration (-a). Once you've done that, sudo apachectl restart will get Apache to read the new configuration, and you are good to go. One caveat before you put anything sensitive behind it: Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so a protected area should only be served over HTTPS.
You can secure a directory by adding a <Directory> block to your Apache config in /etc/httpd/httpd.conf, but I prefer to get everything working using a .htaccess file in the directory itself, and then later transfer it to the configuration file. For the .htaccess file to be honored at all, the <Directory> block covering the document root must have AllowOverride AuthConfig (or All); with AllowOverride None, Apache silently ignores the file and the page stays open to everyone.
Create a directory named /Library/WebServer/Documents/test_secure and place a small HTML file in it called index.html. Here's mine:
<html>
<head>
<title>Testing Security</title>
</head>
<body>
<p>
This is a secured page
</p>
</body>
</html>
Then create the .htaccess file to test it, and drop that in the same directory.
AuthName "IT Staff only"
AuthType Basic
LDAP_server ldap://ldap.example.com/
LDAP_base_dn cn=users,dc=example,dc=com
LDAP_scope subtree
# require valid-user
require user admin tony_williams marvin_martian
# LDAP_group_base_dn cn=groups,dc=example,dc=com
# require group Group_Aliens Group_Accounts
All you need to do is replace the list admin tony_williams marvin_martian with your own list of user IDs, and all should work fine. You can instead change the entire line to require valid-user, which lets anyone with an account under the search base log on: the password is then the only check, so make sure that is really what you want for that directory.
The commented-out lines in the example show how to use valid-user and group. Note that if you have a require group line, then you also need to give the distinguished name of the container that holds your groups on an LDAP_group_base_dn line.
Final Thoughts
Now we have completed everything set out in the previous article. After these two tutorials, our users can log onto any machine in the network and get their home folders and preferences; log on automatically to Mail and to any volume on our server thanks to Kerberos single sign-on; look up any email address on our LDAP server in Mail, Address Book, and SquirrelMail; and log onto protected areas of our web server using their login ID and password.
Not bad for a couple of hours of work.
Tony Williams is currently a desktop support consultant at a major Australian university, specializing in Macintosh computers. He describes himself as a "professional Mac geek."
Groups?
2004-11-28 17:26:35 bripakes
I'm at the stage where I've enabled the Directory Inspector and entered user information... but I am missing one last piece... groups!
Any suggestions??
I tried adding email addresses to groups I created in WGM, but always get an error kicked back once I try to save...
I'm trying to get our department to use Apple Mail, but will not make the move until I am able to distribute mail groups to my users... something Eudora makes quite easy...
Brian
Groups?
2004-11-28 18:19:57 tonywilliams
Unfortunately the mail system in OS X doesn't use the groups in the LDAP directory and it is a non-trivial exercise to get it to use them.
However, groups are merely an instance of a mailing list, and there are a few ways you can get mailing lists working: you can use Mailman, built into OS X, or they can be in the alias file.
You can find the alias file at /etc/aliases, and you can either enter the list straight into this file, like so:
group-address: member1@example.com, member2@example.com, member3@example.com
or you can have the addresses in a separate file, included like so:
group-address: :include:/path/to/file
and then put each member of the list on a separate line in the file.
With a little thought you could write a Perl script that wrote the files for you.
Once you have the files done, run
sudo postalias /etc/aliases
so that the mailer can rebuild its internal database, and you are done.
Tony
Groups?
2006-04-25 00:43:07 gkjapan
Can I use the above method if I am not hosting my own mail? Currently just hosting AFP, DNS and OD on 10.4.5 Server, and mail is outsourced. I just want to have the ability to have users send mail to a group of other users. Isn't there a way to do this? Has anything changed since the article was written?
Thanks for any help,
Gary
help with single signon
2004-07-13 09:59:35 GaryBernstein
I am having a bunch of problems setting up single signon. I have read your great articles and they are really helpful. However, in the articles it says you addressed single signon, but I don't see where. I have a machine acting as the directory server and a second machine being the file server. How do I get it so that when the client logs in and authenticates to the directory server that it does not ask for a login and password to the file server? Are there any articles on this?
Thanks,
-Gary
help with single signon
2004-07-13 16:07:12 tonywilliams
Gary,
You have just uncovered the one area that the articles don't cover.
Assuming that both the directory server and the file server are running OS X Server, establish the directory server as an Open Directory Master and set the file server to 'Connected to a directory system', and it should work fine. If it doesn't, or you aren't running Server on both, then you are into territory that is a little harder.
I hope to be writing more about these topics soon and extending Kerberos beyond a single server (and debugging connections) is on my list.
Tony
OD login and LDAP query not working
2004-06-23 16:24:13 hakan_kaya
I have set up an OS X 10.3.3 as OD Master with KDC working. Users can access network shares, mail and ssh with single sign on. But they can only login to their machines as local users.
What I just can't figure out is why it's not possible to login as an OD user with networked home folders. Also, I can't configure Address Book to query the ldap server so that other users info can be retrieved. I tried every possible search base combination. I think the problem is that there are sub entries like uid=user_name which don't fit into the search base scheme as described in various articles.
What does work is, if I create a new entry with phpldapadmin, e.g. "people", and manually add entries for users and their email, phone etc., this information can be retrieved using the search base cn=people,dc=domain,dc=tld.
I have tried configuring Directory Services, both manually and automatic (DHCP delivered OD server entry) to no avail.
What am I supposed to do, to get ldap authentication working? I truly appreciate any helping hand.
Hakan Kaya
Re: OD login and LDAP query not working
2004-06-23 17:52:06 tonywilliams
Hakan,
If I understand you correctly, your first problem is that if someone has the same user ID on their machine and on the LDAP server, they only log on locally, not via LDAP. This is unchangeable, as the search order in Directory Access requires that the local NetInfo directory is searched before anything else.
Therefore the only way to fix this is to never have the same user ID in both places. I suggest that you have a fixed user ID for the local user on all machines (I use 'local' for an ordinary user and 'admin' for the admin user) or, alternatively, use a different variation of the user's name for the local ID (I have used their first name and last initial for this, i.e. I'm tonyw on the local machine and tony_williams on the LDAP server).
For your second problem it appears that you have run into the problems in Apple's Workgroup Admin application, Address Book and LDAP. As I have said several times in these two articles the integration of these is seriously flawed. The major problem is that Workgroup Admin doesn't populate the right fields with the right information and in the case of the 'sn' container shoves the number '99' into every user.
The first perl script in this second article is designed to fix the information. You need to have the 'givenName', 'sn', 'cn' and 'mail' fields filled in properly in each user record for them to be searched properly in Address Book. Read both articles again while taking a close look at your user records in phpLDAPadmin and you should see where your problem is.
Tony Williams
Re: OD login and LDAP query not working
2004-06-24 01:02:11 hakan_kaya
Dear Tony,
thank you very much for your valued attention. Concerning the first problem regarding users being unable to do networked login, I forgot to state that (on a test machine) there's only a local admin user. The uid and group info for the OD user only exists on the OD Master and is not used locally.
Thank you again for your great effort!
Hakan Kaya
Re: OD login and LDAP query not working
2004-06-24 23:33:51 tonywilliams
Hakan,
Carefully check your users in WorkGroup Manager. Then I suggest you use ldapsearch from the command line to check that the LDAP server is responding as you expect. If that is all OK double check the settings in Directory Access.
Tony
Kerberized Apache
2004-06-22 21:26:21 kcrawford
I want to do single sign-on with Safari. I know there is a module for Apache. Anyone have this working with Open Directory? If so, what are the steps?
Re: Kerberized Apache
2004-06-22 22:17:32 tonywilliams
I believe that this is currently impossible with Safari as it doesn't support the 'Negotiate' method.
At this time I'm not aware of any browser on the Mac that does support HTTP Negotiate. Mozilla has a plugin that supports it on Linux and IE 6.0 supports it on Windows.
With a fair amount of work you could compile the plugin for Mozilla on the Mac, but it does require building Mozilla from source. You can get details on the plugin and the matching Apache module from http://negotiateauth.mozdev.org/index.html
Tony Williams
It's a pleasure
2004-06-21 16:41:29 tonywilliams
Adam,
I appreciate the thank you. Glad you liked the articles and found them useful.
Tony
Enterprise related article
2004-06-21 01:12:44 aqsalter
Another very clear article on how to set up OS X in an enterprise environment including the "hiccups" :)
I have been trying to manage this myself and these articles are very timely. (Although the server is likely to be running Debian, the clients are all Macs and the principles are virtually identical)
Thanks heaps,
Adam
==> limits_get: conn=2 op=1 dn="[anonymous]"
Has anyone else seen this? Every other client (Mozilla email/thunderbird, Evolution, Outlook, KMail) all bind correctly but the OS/X addressbook does not seem to.
If you know how to make the addressbook use its username/password please post.