Please note this was originally written in 2004 and I haven't had a sysadmin job since 2009. It has been updated a number of times but is now quite out of date, hopefully it is still useful as a starting point. Also please note that it has recently been converted from MoinMoin to Dokuwiki syntax, if you find any mistakes please let me know. — Adam, August 2015
Where I work is primarily a Redhat Linux shop, with a smattering of Microsoft Windows, SGI Irix and Apple OSX. While we will remain primarily a Linux house for cost reasons, OSX is becoming an increasingly important part of our corporate workflow due to our dependence on QuickTime, the increasing number of applications available and the increasing preference of both our artists and IT staff.
Because we already had a huge Linux infrastructure built I didn't want to mess about with NetInfo or using an OSX Server as a bridge between our Macs and our LDAP authentication infrastructure. I wanted our Macs to play nicely in our existing world, which meant that authentication, naming (users, groups etc.) and automount all had to work with as little fuss or difference as possible.
See also: AppleOsx, AppleSoftware, LdapClient, AppleOsxIntegration
To keep this howto as simple as possible I had to make some assumptions:
You may or may not have good luck following these directions with older or newer versions.
There are plenty of articles out there on setting up an OpenLDAP server, so I won't go into that here. If you haven't done this before the best article I've found is the Mandrake Secure article (a slightly more evolved version is available on the author's wiki). If you are unfamiliar with LDAP and still want to tackle this, probably the single most useful thing you can do is install a good LdapClient and start browsing around to get a feel for how it works. I recommend PHP LDAP Admin as by far the best client I've used.
OSX can access normal user and group data so long as you configure it correctly. The hard part, and the almost completely undocumented part, is getting OSX automount to work. OSX comes with two options for automounting directories, AMD and the Apple proprietary automount. I only discuss the automount option because all our attempts at configuring AMD resulted in a horrible unstable mess.

On the LDAP server:

* Add apple.schema to your LDAP directory's schema directory (normally /etc/openldap/schema).
* In slapd.conf: schemacheck off
* Your directory needs ou=people, ou=group and ou=mounts. If you haven't populated it I've included a sample LDIF file which you can use to get started.

Note: I have not yet followed the above steps to make sure they are correct and that I haven't left anything out. If you encounter problems please let me know.
These instructions were written for OSX 10.3 (Panther), however they are still approximately correct for anything from 10.2 to 10.4. Once you understand how it works just follow your nose and it should be fairly straightforward.
1. Open “Directory Access”, select the LDAPv3 Plugin and click “Configure”.
2. Click “New” and enter the name of your LDAP server (ldap01.spack.org).
3. Choose the RFC 2307 (Unix) template and enter the search base dc=spack,dc=org.
4. Click “Edit” and set the two timeout values to 10.
5. On the “Search & Mappings” tab:
   * For “Users”, in the “Search base” box enter ou=people,dc=spack,dc=org and select “first level only”.
   * For “Groups”, in the “Search base” box enter ou=group,dc=spack,dc=org and select “first level only”.
   * For “Mounts”, in the “Search base” box enter ou=mounts,dc=spack,dc=org and select “first level only”.
6. Return to the “Directory Access” screen and select the “Authentication” tab. Choose “Custom” from the “Search:” drop down menu, click “Add” at the bottom of the screen and pick the “LDAPv3 …” option from the “Available Directories” screen.
7. Exit “Directory Access” and save all changes.
Depending on the exact order you exit “Directory Access”, you may need to reboot for the changes to become live. It can be a bit quirky and I haven't figured out exactly which things make a difference yet.
The best program to test your new directory service with is an OSX tool called dscl for “Domain Service command line utility”.
You can use dscl to either search all of the available sources for information (via the /Search/Users path) or you can manually specify which particular directory you wish to query (eg. /LDAPv3/ldap.spack.org/Users). The difference between Users and People seems to be based on whether the data is keyed on username (uid) or full name (cn/gecos).
Hopefully some examples will make it clear:

```
## to list only LDAP users
# dscl localhost list /LDAPv3/ldap.spack.org/Users
adam
ben
bill
paul
...<snip>...

## to list all available users (local, LDAP, NIS, whatever)
# dscl localhost list /Search/Users
adam
ben
bill
paul
...<snip>...

# dscl localhost list /LDAPv3/ldap.spack.org/People
Adam Shand
Ben Foo
Bill Bar
Paul Gaz
...<snip>...

# dscl localhost read /LDAPv3/ldap.spack.org/Groups/staff
cn: staff
gidNumber: 10
memberUid: adam ben bill paul
objectClass: posixGroup top
AppleMetaNodeLocation: /LDAPv3/ldap.spack.org
GroupMembership: adam ben bill paul
Member: adam ben bill paul
PasswordPlus: ********
PrimaryGroupID: 10
RecordName: staff

# dscl localhost read /Search/Users/adam
cn: Adam Shand
gecos: Adam Shand
gidNumber: 105
givenName: Adam
homeDirectory: /home/adam
loginShell: /bin/bash
objectClass: top person organizationalPerson inetOrgPerson account posixAccount shadowAccount inetLocalMailRecipient kerberosSecurityObject
sn: Shand
uid: adam
uidNumber: 364
AppleMetaNodeLocation: /LDAPv3/ldap.spack.org
NFSHomeDirectory: /home/adam
PasswordPlus: ********
PrimaryGroupID: 101
RealName: Adam Shand
RecordName: adam
UniqueID: 364
UserShell: /bin/bash

# dscl localhost read /LDAPv3/ldap.spack.org/Mounts/netapp\\:\\/vol\\/vol0\\/home
cn: rhun:/vol/vol0/home
mountDirectory: /home
mountOption: nodev intr hard nfsv3 resvport wsize=8192 rsize=8192
mountType: nfs
objectClass: mount
AppleMetaNodeLocation: /LDAPv3/ldap.spack.org
PasswordPlus: ********
RecordName: rhun:/vol/vol0/home
VFSLinkDir: /home
VFSOpts: nodev intr hard nfsv3 resvport wsize=8192 rsize=8192
VFSType: nfs
```
If the above works as expected then you should be able to:

* Look up an LDAP user (eg. finger -m <username>).
* Change into an automounted directory (eg. cd /home/adam). This works for home directories as well.
* Run ls -l on a file owned by an LDAP user and group and have the uid/gid resolve into proper names.

Debugging tips:

* Add the following to /etc/syslog.conf and then restart syslog:
  *.* /var/log/debug.log
* Run the LDAP server in debug mode with slapd -d 255.
* Turn off NFS locking by editing /etc/hostconfig and changing the NFS locking line to look like NFSLOCKS=-NO- (you have to reboot for the change to take effect).
* Automount Quirks: The Apple automount doesn't support a few standard automount features; we've worked around them in various ways.
  * /net (or /hosts in Irix land) allows you to mount any available share by simply changing into a /net/<hostname>/<share> style directory. While not ideal, the best solution I've found is to reshare /net from a Linux server via Samba. OSX clients can then get similar functionality by manually mounting the Samba share.
    * mkdir /net and add -m /net -host to the second automount line in /System/Library/StartupItems/NFS to get the /net behavior, or better yet, copy that item to /Library/StartupItems before modifying it so your changes don't get overwritten. – Anonymous Comment
  * Wildcard mapping with the * and & characters is typically used by autofs for home directories. The work around is to simply mount all of your home directories rather than rely on the wildcard mapping to mount just the required user home directories. This works fine, but it means that an accidental ls /home can be quite slow.
  * Nested mounts: if you mount /foo/bar, you must make sure that the /foo directory exists when automount starts.
* Tell “Directory Access” exactly where it can find the information it's looking for (as opposed to the default of it searching from the top of the tree down for matching entries).
* Send a kill -HUP to the automount process (there are two automount processes; you want the one with all the “-m” options and the one without the “-nsl”).
* Put the OSX mount entries in the ou=mounts container of your LDAP directory. There does not seem to be any problem with the Linux mount entries coexisting with the OSX mount entries in the same ou.
* There are scripts to convert auto.master and auto_* files into OSX automount format on an LDAP directory. If I get permission, I will post them here.
* The way “Directory Access” does its pathing seems to require that you know the name of the LDAP server the client will use. Here's a snippet from a /etc/dhcpd.conf, though I still wonder how to specify two LDAP servers:

```
option ldap-server code 95 = text;
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.200 192.168.1.250;
  option routers 192.168.1.1;
  option domain-name "spack.org";
  option domain-name-servers 192.168.1.2,192.168.1.3;
  option ldap-server "ldap://192.168.1.2/dc=spack,dc=org";
}
```
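The conversion of auto.master and auto_* maps into OSX mount records mentioned above, as an added example that is not the page's or any project's own code: it emits LDIF for the ou=mounts container using the attributes visible in the dscl output (objectClass mount, mountDirectory, mountOption, mountType), applies the page's wildcard work around by mounting the whole export, and assumes NFS throughout. The autofs maps are constructed samples.

```python
# Added example (not the page's or any project's own code): convert Linux autofs
# maps into LDIF for the OSX "mount" records shown in the dscl output above.
# Attribute names come from that output (objectClass mount, mountDirectory,
# mountOption, mountType); the autofs maps below are constructed samples and
# mountType is assumed to be nfs, as in every example on the page.
from typing import Dict, List

AUTO_MASTER = """\
# constructed sample auto.master: mount point, map name, autofs options
/home   auto_home   --timeout=60
/proj   auto_proj
"""
AUTO_MAPS: Dict[str, str] = {
    "auto_home": "*      -nodev,intr,hard,nfsv3,resvport,wsize=8192,rsize=8192  rhun:/vol/vol0/home/&\n",
    "auto_proj": "tools  -ro,intr  rhun:/vol/vol0/tools\nscenes  rhun:/vol/vol1/scenes\n",
}

def _fields(text: str) -> List[List[str]]:
    """Split a map into whitespace-separated fields, skipping comments and blanks."""
    return [l.split() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def autofs_to_mounts(master: str, maps: Dict[str, str]) -> List[Dict[str, str]]:
    """One record per map key; a wildcard map becomes a single whole-directory mount."""
    mounts = []
    for mount_point, map_name, *_ in _fields(master):
        for key, *rest in _fields(maps[map_name]):
            opts = rest[0][1:] if len(rest) == 2 else ""   # drop autofs's leading "-"
            location = rest[-1]
            if key == "*":
                # OSX automount has no wildcard/& support (see "Automount Quirks"),
                # so mount the parent export on the map's mount point instead.
                directory = mount_point
                location = location[:-2] if location.endswith("/&") else location
            else:
                directory = f"{mount_point}/{key}"
            mounts.append({"cn": location, "mountDirectory": directory,
                           "mountOption": opts.replace(",", " "), "mountType": "nfs"})
    return mounts

def to_ldif(mounts: List[Dict[str, str]], base: str = "ou=mounts,dc=spack,dc=org") -> str:
    """Serialise the records as LDIF entries under the ou=mounts container."""
    entries = []
    for m in mounts:
        lines = [f"dn: cn={m['cn']},{base}", "objectClass: mount", f"cn: {m['cn']}",
                 f"mountDirectory: {m['mountDirectory']}", f"mountType: {m['mountType']}"]
        if m["mountOption"]:            # skip the attribute when a map gave no options
            lines.append(f"mountOption: {m['mountOption']}")
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"
```

Feed the output to ldapadd against your server; the first entry reproduces the rhun:/vol/vol0/home record shown in the dscl output.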
From: Zhi-Wei Lu <zwlu AT ucdavis DOT edu>
Subject: Re: OSX tiger fails to bind to OpenLDAP server with SSL
Date: February 16, 2006 6:53:26 PM GMT+13:00

Hi Adam,

Thank you for your quick response and encouragement. I did figure out the problem. I think that it might be a BUG for tiger (10.4.4 and 10.4.5, upgraded today).

If I turn off the certificate checking in /etc/openldap/ldap.conf with

TLS_REQCERT never

LDAPv3 with SSL works just fine. If I turn on the certificate checking in /etc/openldap/ldap.conf with

TLS_CACERT /Users/certificate_file

then LDAPv3 with SSL fails miserably. This is in stark contrast to this Apple instruction: http://docs.info.apple.com/article.html?artnum=107178

I can verify the server key using my own CA public certificate with "openssl s_client" and "ldapsearch" commands. I am wondering where I can submit the BUG report to APPLE.

Thanks again.
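The mail above gets a working bind by turning certificate checking off. As an added example, not part of the original page or the mail, here is a small audit of an OpenLDAP client ldap.conf that flags that state; the two configurations are constructed samples modelled on the mail, and TLS_REQCERT demand (OpenLDAP's default) is assumed as the verifying setting.

```python
# Added example (not from the original page or the mail): audit an OpenLDAP
# client ldap.conf for the TLS_REQCERT never workaround described above. The
# two configs are constructed samples; directive names are OpenLDAP's own.

WORKAROUND_CONF = """\
# constructed sample: the setting the mail reports as "working"
URI ldaps://ldap01.spack.org/
BASE dc=spack,dc=org
TLS_REQCERT never
"""

VERIFYING_CONF = """\
# constructed sample: certificate checking against the site CA
URI ldaps://ldap01.spack.org/
BASE dc=spack,dc=org
TLS_CACERT /Users/certificate_file
TLS_REQCERT demand
"""

def parse_ldap_conf(text: str) -> dict:
    """Return {DIRECTIVE: value}; the last occurrence wins and keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        conf[parts[0].upper()] = parts[1].strip() if len(parts) == 2 else ""
    return conf

def audit_tls(text: str) -> list:
    """List the ways this client config weakens verification of the ldaps:// server."""
    conf = parse_ldap_conf(text)
    reqcert = conf.get("TLS_REQCERT", "demand").lower()   # OpenLDAP's default is demand
    findings = []
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: the server certificate is not verified, so "
                        "credentials go to whichever host answers at the LDAP address")
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a bad certificate is rejected but a missing one is accepted")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: nothing to verify the server certificate against")
    return findings
```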