Create and Populate Mount Objects
Mac OS X uses the mount objectClass to look for NFS, SMB and AFP mount information, including user home directories. A detailed discussion of the automount implementation in Mac OS X is outside the scope of this article; automount in Mac OS X has been covered excellently here and here.
Briefly, however, it is important to note that while it is possible to mount a user’s home directory at the traditional location (/home/testuser), doing so will disable some of the end-user features of Portable Home Directories... When using NFS, the only way we were able to fully implement Portable Home Directories is to use the mountOption: net option in the mount object. Consequently, using the “net” option in Mac OS X means that the mount directory will be /Network/Servers, hence the reason to set the apple-user-homeDirectory value to /Network/Servers/path/to/nfs/homedir.
With that, a mount entry for a user’s home directory should look like:
dn: cn=nfsserver:/vol/home/testuser,ou=mount,ou=macosx,dc=example,dc=com
mountOption: rw
mountOption: net
mountOption: intr
mountOption: nfsv3
mountOption: tcp
mountOption: rdirplus
mountOption: bg
mountDirectory: /Network/Servers
objectClass: mount
objectClass: top
mountType: nfs
mountPassNo: 0
mountDumpFrequency: 0
cn: nfsserver:/vol/home/testuser
The mount options nfsv3, tcp, rdirplus, bg and intr are all site-specific and mostly relate to performance and availability; net and mountDirectory are the ones the home directory path depends on.
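The mount entry above and the apple-user-homeDirectory rule from the previous paragraph, as an added example (Python; this is not code from the original article or from Apple): it generates the LDIF for a user's mount entry, parses it back with a small single-entry LDIF reader, and checks that the user's home directory path lies where the “net” automounter will expose the mount. The assumption that the net option mounts server:/export at /Network/Servers/<server>/<export>, the sample user entry, and all function names are mine, not the article's.

```python
# Added example (not from the original article): generate the OD-style NFS
# mount entry for a user's home directory as LDIF and cross-check it against
# the user's apple-user-homeDirectory value.
#
# Assumption (also stated in the lead-in): with "mountOption: net" automount
# exposes server:/export under <mountDirectory>/<server>/<export>, so a home
# directory must live under /Network/Servers/<server>/<export>.

MOUNT_BASE_DN = "ou=mount,ou=macosx,dc=example,dc=com"        # from the article
SITE_OPTIONS = ("rw", "intr", "nfsv3", "tcp", "rdirplus", "bg")  # site-specific


def build_mount_ldif(server, export, options=SITE_OPTIONS, base_dn=MOUNT_BASE_DN):
    """Return the LDIF text of one mount entry for server:/export with the net option."""
    cn = f"{server}:{export}"
    lines = [f"dn: cn={cn},{base_dn}"]
    lines += [f"mountOption: {opt}" for opt in ("net",) + tuple(options)]
    lines += [
        "mountDirectory: /Network/Servers",
        "objectClass: mount",
        "objectClass: top",
        "mountType: nfs",
        "mountPassNo: 0",
        "mountDumpFrequency: 0",
        f"cn: {cn}",
    ]
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text):
    """Minimal single-entry LDIF parser: attribute name -> list of values.

    Handles folded continuation lines (leading space) and comment lines; it is
    enough for the entries on this page, not a general LDIF implementation.
    """
    entry = {}
    last_attr = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr:           # folded continuation
            entry[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        last_attr = attr.strip()
        entry.setdefault(last_attr, []).append(value.strip())
    return entry


def expected_home_prefix(mount):
    """Path under which the net automounter will expose the mount (assumption above)."""
    if "net" not in mount.get("mountOption", []):
        raise ValueError("mount entry lacks 'mountOption: net' (needed for PHD)")
    server, _, export = mount["cn"][0].partition(":")
    return f"{mount['mountDirectory'][0]}/{server}{export}"


def check_user_home(user, mount):
    """Return a list of problems; an empty list means the two entries agree."""
    problems = []
    if mount.get("mountType") != ["nfs"]:
        problems.append("mountType is not nfs")
    home = user.get("apple-user-homeDirectory", [None])[0]
    if home is None:
        problems.append("user has no apple-user-homeDirectory")
        return problems
    if home.startswith("/home/"):
        problems.append("home under /home disables Portable Home Directory features")
    prefix = expected_home_prefix(mount)
    if home != prefix and not home.startswith(prefix + "/"):
        problems.append(f"apple-user-homeDirectory {home!r} is not under {prefix!r}")
    return problems


# Constructed sample user entry (only the attributes relevant to the check).
SAMPLE_USER_LDIF = """\
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: apple-user
uid: testuser
apple-user-homeDirectory: /Network/Servers/nfsserver/vol/home/testuser
"""

if __name__ == "__main__":
    mount_ldif = build_mount_ldif("nfsserver", "/vol/home/testuser")
    print(mount_ldif)
    mount = parse_ldif_entry(mount_ldif)
    user = parse_ldif_entry(SAMPLE_USER_LDIF)
    print("problems:", check_user_home(user, mount) or "none")
```

Running the script prints the mount entry and reports no problems for the sample user; changing the home to /home/testuser reports both the lost PHD features and the mismatch with the automount path, which is the misconfiguration the paragraph warns about.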
Mapping Remaining Attributes and ObjectClasses
Apple stores all of its remaining LDAP mappings and configuration information in LDAP itself, in a container called ou=macosxodconfig. One of the many advantages of this approach is that once these mappings are performed and written to the server, subsequent client configurations will download all of them automatically from the LDAP server. We need a Macintosh client running 10.4.3 or later and admin privileges to perform this operation. We will also need the username and password of the LDAP administrator or, at least, the bind DN and bind password of a user account with read/write privileges to the Mac OS X suffix container (i.e. ou=macosx).
- Log in to the client as an admin and open the Directory Access application (found in /Applications/Utilities/Directory Access).
- Click the lock icon in the bottom-left of the window to authenticate. Check LDAPv3 and click Configure. A new screen will appear.
- Important! – Ensure that the box labeled Add DHCP-supplied LDAP servers to automatic search policies is unchecked. There are several security advisories relating to its use.
- Click New. Enter the FQDN of the master LDAP server in the Server Name field. Make sure that Use for authentication and Use for contacts are selected.
- Click Manual.
- In the resulting screen, give a descriptive name to the configuration and click Edit.
- In the resulting screen, select the second tab, titled Search & Mappings.
- From the drop-down labeled Access this LDAPv3 server using, select Open Directory Server.
- A new window pops up, prompting for the search base suffix. Enter dc=example,dc=com and click OK.
- You will see a list of Record Types and Attributes in a split-screen window. Mapping is done by selecting an object type in the left pane and mapping it to LDAP object classes in the right pane. Use the table below to map the Record Types and Attributes.
For the sake of brevity, I am only listing the attributes that you need to change:
- Users
  - Mapping: inetOrgPerson, posixAccount, shadowAccount and apple-user
  - Search Base: ou=People,dc=example,dc=com
  - Scope: First Level Only
  - RecordName – Mapping: uid
  - RealName – Mapping: displayName
  - NFSHomeDirectory – Mapping: apple-user-homeDirectory
  - HomeDirectory – Mapping: apple-user-homeurl
- Groups
  - Mapping: posixGroup, apple-group
  - Search Base: ou=Group,dc=example,dc=com
  - Scope: First Level Only
- Mounts
  - Mapping: mount
  - Search Base: ou=mount,ou=macosx,dc=example,dc=com
  - Scope: First Level Only
For the remaining object classes (Record Types), the only value that needs to be changed is the Search Base, so that it reflects our directory tree. For example, cn=machines,dc=example,dc=com should be changed to ou=machines,ou=macosx,dc=example,dc=com.
- Once all the changes are done, click Write to Server.
- In the resulting pop-up dialog box, enter the LDAP administrator username and password (or the bind DN and bind password of the user who has read/write access to the ou=macosx container). This will create the object ou=macosxodconfig,ou=config,ou=macosx,dc=example,dc=com. This container will also be used later by Workgroup Manager to store Managed Preferences.
Done! For subsequent client configuration, you only need to know the hostname of the LDAP server.
Configure the clients to pull the Search and Mappings from the server (instead of Open Directory Server, select “From Server” with the Search Base set to ou=config,dc=example,dc=com) and you will be all set!
In the next section, we will configure a macintosh client with ldap so that our testuser can use LDAP logins and configure portable home directories.
Client Configuration
Now that our LDAP server is set up with all the OD schema and objects, it is time to configure the clients. This is the easiest part of the whole process.
- Log in to the Macintosh client as an admin user.
- Open the Directory Access application. Either use Spotlight to bring it up or double-click it in /Applications/Utilities/Directory Access.
- Click the lock icon in the bottom-left corner to unlock the screen. Check LDAPv3 and click Configure. A new screen will appear.
- Important! – Ensure that the box labeled Add DHCP-supplied LDAP servers to automatic search policies is unchecked. There are several security advisories relating to its use.
- Click New. Enter the FQDN of the LDAP server in the Server Name field. Make sure that Use for authentication and Use for contacts are selected.
- Activate the pull-down menu titled LDAP Mappings and select From Server. This will cause the client to perform a sub-scope search under the base DN for the entry ou=macosxodconfig and use that to pull down all of the LDAP configuration information.
Once the configuration is complete, you will see the message “Configuration of new server complete”.
- Click OK, give a descriptive name to the configuration and click OK.
- Click on Authentication and ensure that the newly created LDAP configuration is listed in the Authentication list. It will be listed below /NetInfo/DefaultLocalNode, which appears in gray. This cannot be changed.
- If your contacts are stored in the LDAP server as well, then you can click the Contacts tab and put your LDAP server there too.
All done! For good measure, restart the client. You should be able to log in with your LDAP credentials. Upon successful login, OS X will cache these credentials, so you will still be able to log off and log on when you are not on the corporate network.

Rajeev,
Ben is not alone; 10.6 does indeed do nothing when you click “write to server”. I have run tcpdump on the client, and it does not even try to make a network connection. So sadly, I don’t think this works for 10.6, so I’ve had to resort to passing around the .plist configuration to the clients, which kinda stinks. For reference, I use SSL with my configuration and the ACLs are correct, because if I manually update the mappings on the clients, everything works just fine.
I’ve got most of this working but I can’t get a user’s groups to come across. Only the primary group is associated with the user on login. Any ideas?
I can’t for the life of me get Workgroup Manager working with my CentOS openldap server. It just can’t or won’t connect. Logs don’t seem to give any clues. Is there something specific in the ldap setup that identifies an OD master as OD instead of LDAP? Is this the problem? I can’t authenticate at all yet so sticking to Apache Directory Studio.