Introduction
Mac OS X and Mac OS X Server have been designed to fit into existing enterprise directory services. Apple’s extensible Open Directory architecture integrates with standards-based LDAP directory services, including Sun JAVA Enterprise Directory Server and IBM Directory Server, as well as with proprietary ones such as Microsoft’s Active Directory.
In Mac OS X 10.4 (Tiger), Apple released a new feature called Portable Home Directories, which allows Macintosh laptop users to maintain synchronized copies of their home directories on their laptop and on the network. When a user goes offline with the laptop, her home directory goes with her, so she can continue to work just as if she were back at the office. When she reconnects to the network, Mac OS X automatically syncs up selected content in her local home directory with the one on the server.
The following possibilities are available to any Systems Administrator or Architect who is looking to integrate Mac OS X into their IT Environment. Depending upon what’s already installed and available, the choices are:
- Use the existing Active Directory environment to authenticate Macintosh users.
- Use the existing Open Directory server on a Mac OS X Server to authenticate Mac users.
- Use the existing LDAP environment (Novell, Sun ONE, OpenLDAP, etc.) to extend authentication services.
- Install one of the above, if a centralized solution is not already implemented.
In this article, we will discuss in detail the steps required to integrate Mac OS X with Sun ONE Directory Server for authentication, and also configure and manage Portable Home Directories using NFS. There is adequate documentation on the internet with regards to Active Directory integration and synchronizing home directories using Windows file sharing protocols and Samba. However, when it comes to non-Apple and non-Microsoft directory services and NFS, there is a dearth of case studies and documentation. We hope to resolve that with this article.
In addition to achieving full integration, this approach also allows the use of the Macintosh Workgroup Manager to manage Apple users, groups and computers and their associated policies. Apple stores all policy and preference settings in plists. Unless you have another method to make changes to these plists and manage them, I strongly recommend that you use Workgroup Manager.
Assumptions
It is assumed that the implementation environment is a Unix environment with a standards-based LDAP server deployed for authentication and home directories being served from a central NFS server. It is desired to extend the LDAP authentication services and NFS home directories to Macintosh systems.
Hi Rajeev
Thanks for this tutorial.
I’m very new in the MacOS world and we are trying to integrate a couple of iMacs into our network.
We are running Sun ONE Directory Server 5.2 and I want to authenticate Mac users against our LDAP servers. Is there anything on the Mac side that can map information from the Solaris schema to apple.schema? Something like “NS_LDAP_SERVICE_SEARCH_DESC” in Solaris or “nss_map_attribute” in Linux? I’m a bit afraid to change anything in the schema.
Another thing is I can’t access to this link “http://www.tigr.org/%7Erajeev/92apple_schema.html”
Thanks again
Juan
I used this information to set up an ODS clone on Ubuntu 9.04 using OpenLDAP and was able to access it without problem from my Leopard clients up to 10.5.8. Thanks!
However, a machine that I have upgraded to Snow Leopard (10.6.2) – although able to see the ODS clone – seems to ignore it completely. WGM 10.6.2 won’t let me log in with the credentials which work for Leopard. The shell “id” command doesn’t return any information from the ODS clone.
I presume that Apple has changed the schemas for ODS, though the only change I have been able to identify is the introduction of apple_auxillary.schema. Adding that to my ODS clone has not solved the problem though.
Do you have any insight into what needs to be done to get an ODS clone running for Snow Leopard clients?
Steve
Have not had a chance to experiment with 10.6 for a while, but maybe this link might be of help.
http://images.apple.com/business/solutions/it/docs/Modifying_the_Active_Directory_Schema.pdf
The link to the apple.schema LDIF is broken. Does anyone have a copy?
Hi,
Your article helped a lot. But I still encounter some problems. I’m trying to use NFS + Kerberos + LDAP. I’m using OS X 10.5. The LDAP users can log in, but they won’t get their home directories. It seems as if the Mac system isn’t even trying to mount the NFS share. The Kerberos configuration seems to be fine, because the user gets a valid ticket. Perhaps you could explain the apple-user-homeurl and homeDirectory values. I don’t quite get it if I need the apple-user-homeurl value for NFS. Is it possible that 10.5 changed the way you mount the home directory?
Best regards,
Ulrich
Greetings. I found this article very informative. The article mentions: “On an OS X Server, we started the Open Directory Server and created one admin user. We then dumped the directory tree contents to a file…”. Would you please email me this file, or post a link to it?
I don’t have access to those files anymore, but this is something you can do quite easily if you have access to an Open Directory server. Just issue an ldapsearch command at the root of the suffix as an admin user.
Here are some example entries that might help you:
apple-user-homeurl:nfs://fas3170.myco.com/vol/homes
/users/rajeev
homeDirectory: /home/rajeev
To understand exactly what the client is requesting from the server, my suggestion is to turn up the debug logging on the OSX LDAP server and watch the access logs.
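As an added example (not code from the article or its commenters), the following Python audits an LDIF dump such as the ldapsearch above produces for the two home attributes discussed in these replies, reporting entries a Mac client could log in with but not mount a home for. The sample LDIF is constructed: it reuses the reply's example host and user alongside invented entries, and the folded URL line is joined as an LDIF continuation line.

```python
# Added example, not from the article: audit an LDIF dump of user entries
# for the home attributes a Mac client needs. Sample data is constructed.
from urllib.parse import urlparse

SAMPLE_LDIF = """\
dn: uid=rajeev,cn=users,dc=myco,dc=com
apple-user-homeurl: nfs://fas3170.myco.com/vol/homes
 /users/rajeev
homeDirectory: /home/rajeev

dn: uid=juan,cn=users,dc=myco,dc=com
homeDirectory: /home/juan

dn: uid=steve,cn=users,dc=myco,dc=com
apple-user-homeurl: afp://fas3170.myco.com/homes/steve
homeDirectory: /home/ulrich
"""

def parse_ldif(text):
    # Returns a list of {attr: [values]} dicts, one per blank-line-separated entry.
    entries, cur, last = [], {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            cur[last][-1] += line[1:]  # RFC 2849 folded line continues last value
        elif line == "":
            if cur: entries.append(cur)
            cur, last = {}, None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")  # split at first colon only
            cur.setdefault(attr, []).append(value.strip())
            last = attr
    if cur: entries.append(cur)
    return entries

def audit_home(entry, scheme="nfs"):
    problems = []  # issues that leave a login without a mounted home
    url = entry.get("apple-user-homeurl", [None])[0]
    home = entry.get("homeDirectory", [None])[0]
    if not url: problems.append("missing apple-user-homeurl")
    if not home: problems.append("missing homeDirectory")
    if url and home:
        u = urlparse(url)
        if u.scheme != scheme:
            problems.append(f"home URL scheme is {u.scheme}, expected {scheme}")
        if u.path.rstrip("/").rsplit("/", 1)[-1] != home.rstrip("/").rsplit("/", 1)[-1]:
            problems.append("last path component of URL and homeDirectory differ")
    return problems

def audit_ldif(text, scheme="nfs"):
    return {e["dn"][0]: audit_home(e, scheme) for e in parse_ldif(text)}
```

The last-path-component check assumes the NFS export is automounted so that the URL's final directory becomes the local homeDirectory name, as in the reply's pair of values.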
Rajeev,
Ben is not alone; 10.6 does indeed do nothing when you click “write to server”. I have run tcpdump on the client, and it does not even try to make a network connection. So sadly, I don’t think this works for 10.6, so I’ve had to resort to passing around the .plist configuration to the clients, which kinda stinks. For reference, I use SSL with my configuration and the ACLs are correct, because if I manually update the mappings on the clients, everything works just fine.