April 17, 2014

Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories

Create and Populate Mount Objects

Mac OS X uses the mount objectclass to look for NFS, SMB and AFP mount information, including user home directories. Detailed discussion of the automount implementation in Mac OS X is outside the scope of this article; automount in Mac OS X has been covered excellently elsewhere.

Briefly, however, it is important to note that while it is possible to mount a user's home directory at the traditional location (/home/testuser), doing so will disable some of the end-user features of Portable Home Directories. When using NFS, the only way we were able to fully implement Portable Home Directories was to use the mountOption=net option in the mount object.

Consequently, using the "net" option in Mac OS X means that the mount directory will be /Network/Servers, which is why the apple-user-homeDirectory value is set to /Network/Servers/path/to/nfs/homedir.

With that, a mount entry for a user’s home directory should look like:

dn: cn=nfsserver:/vol/home/testuser,ou=mount,ou=macosx,dc=example,dc=com
mountOption: rw
mountOption: net
mountOption: intr
mountOption: nfsv3
mountOption: tcp
mountOption: rdirplus
mountOption: bg
mountDirectory: /Network/Servers
objectClass: mount
objectClass: top
mountType: nfs
mountPassNo: 0
mountDumpFrequency: 0
cn: nfsserver:/vol/home/testuser

The mount options nfsv3, tcp, rdirplus, bg and intr are site-specific and mostly relate to performance and availability.
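To make the structure of the mount object concrete, here is an added Python example (not code from the original article) that generates such an entry and the matching apple-user-homeDirectory value. The function names, the SITE_OPTIONS tuple and the exact layout under /Network/Servers (server hostname followed by the exported path) are this example's assumptions; the attribute names and the requirement for the net option come from the text above.

```python
# Added example, not part of the original article: build the LDIF for a
# Mac OS X "mount" object and derive the apple-user-homeDirectory value.
# Function names and constants are this example's own.

SITE_OPTIONS = ("rw", "net", "intr", "nfsv3", "tcp", "rdirplus", "bg")
MOUNT_BASE = "ou=mount,ou=macosx,dc=example,dc=com"
NET_ROOT = "/Network/Servers"
# Characters that would need RFC 4514 escaping inside an RDN value.
DN_SPECIAL = set(',+"\\<>;')


def mount_name(server: str, export: str) -> str:
    """The cn (and RDN) of a mount object is 'server:/exported/path'."""
    if not export.startswith("/"):
        raise ValueError("export must be an absolute path")
    cn = f"{server}:{export}"
    # Refuse values that would need escaping rather than emit a DN the
    # server may reject or misparse; every client reads this entry.
    if DN_SPECIAL & set(cn):
        raise ValueError(f"unescaped DN special character in {cn!r}")
    return cn


def build_mount_entry(server: str, export: str, options=SITE_OPTIONS) -> str:
    """Return one LDIF entry in the shape the article shows."""
    if "net" not in options:
        # Portable Home Directories over NFS depend on the "net" option;
        # a site-specific option list must not silently drop it.
        raise ValueError("mountOption=net is required for /Network/Servers")
    cn = mount_name(server, export)
    lines = [f"dn: cn={cn},{MOUNT_BASE}"]
    lines += [f"mountOption: {opt}" for opt in options]
    lines += [
        f"mountDirectory: {NET_ROOT}",
        "objectClass: mount",
        "objectClass: top",
        "mountType: nfs",
        "mountPassNo: 0",
        "mountDumpFrequency: 0",
        f"cn: {cn}",
    ]
    return "\n".join(lines) + "\n"


def home_directory_for(server: str, export: str) -> str:
    """apple-user-homeDirectory for a "net" mount.

    ASSUMPTION: the automounter exposes the export as
    /Network/Servers/<server>/<export>; the article only gives the form
    /Network/Servers/path/to/nfs/homedir.
    """
    mount_name(server, export)  # same validation as the mount object
    return f"{NET_ROOT}/{server}{export}"


if __name__ == "__main__":
    print(build_mount_entry("nfsserver", "/vol/home/testuser"))
    print(home_directory_for("nfsserver", "/vol/home/testuser"))
```

Keeping "net" mandatory in the generator means a per-site option list cannot quietly break Portable Home Directories, and the DN check catches export paths that would produce an invalid RDN before the entry reaches the server.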

Mapping Remaining Attributes and ObjectClasses

Apple stores all of its remaining LDAP mappings and configuration information in LDAP itself, in a container called ou=macosxodconfig. One of the many advantages of this approach is that once these mappings are performed and written to the server, subsequent client configurations will download all of them automatically from the LDAP server. We need a Macintosh client machine running 10.4.3 or later, with admin privileges, to perform this operation. We will also need the username and password of the LDAP administrator or, at least, the bind DN and bind password of a user account with read/write privileges to the Mac OS X suffix container (i.e. ou=macosx).

  • Login to the client as an admin and open up Directory Access application. (Found in /Applications/Utilities/Directory Access)
  • Click the lock icon in the bottom-left of the window to authenticate. Check LDAPv3 and click Configure. A new screen will appear
  • Important! – Ensure that the box labeled Add DHCP-supplied LDAP servers to automatic search policies is unchecked. There are several security advisories relating to its use
  • Click New. Enter the FQDN of the master LDAP server in the Server Name field. Make sure that Use for authentication and Use for contacts is selected
  • Click Manual
  • In the resulting screen, give a descriptive name to the configuration and click Edit
  • In the resulting screen, select the second tab titled Search & Mappings
  • From the drop-down labeled Access this LDAPv3 server using, Select Open Directory Server
  • A new window pops up, prompting for the Search base suffix. Enter dc=example,dc=com and click OK
  • You will see a list of Record Types and Attributes in a split-screen window. Mapping is done by selecting an object type in the left screen and mapping it to LDAP object classes in the screen on the right. Use the table below to map the Record Types and Attributes.

    For the sake of brevity, I am only listing the attributes that you need to change

    • Users
      • Mapping: inetOrgPerson, posixAccount, shadowAccount and apple-user
        Search Base: ou=People,dc=example,dc=com
        Scope: First level Only
      • RecordName
        • Mapping: uid
      • RealName
        • Mapping: displayName
      • NFSHomeDirectory
        • Mapping: apple-user-homeDirectory
      • homeDirectory
        • Mapping: apple-user-homeurl
    • Groups
      • Mapping: posixGroup, apple-group
        Search Base: ou=Group,dc=example,dc=com
        Scope: First Level Only
    • Mounts
      • Mapping: mount
        Search Base: ou=mount,ou=macosx,dc=example,dc=com
        Scope: First Level Only

    For the remaining objectclasses (Record Types), the only value that needs to be changed is the Search Base, so that it reflects our directory tree. For example, cn=machines,dc=example,dc=com should be changed to ou=machines,ou=macosx,dc=example,dc=com

  • Once all the changes are done, click Write to Server
  • In the resulting pop-up dialog box, enter the LDAP administrator username and password (or the bind DN and bind password of the user who has read/write access to the ou=macosx container). This will create an object ou=macosxodconfig,ou=config,ou=macosx,dc=example,dc=com. This container will also be used later by Workgroup Manager to store Managed Preferences
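Before clicking Write to Server it is worth confirming that the entries under ou=People actually carry the object classes and attributes the Users mapping above expects, since a user missing apple-user-homeDirectory will simply fail to get a network home. The following is an added Python example, not code from the original article or from Apple: the minimal LDIF reader, the function names and the sample entries are constructed here; the object classes and attribute names are those of the mapping table.

```python
# Added example, not part of the original article: check LDIF exports of
# ou=People against the Users mapping. Parser and function names are this
# example's own; sample entries below are constructed.
from collections import defaultdict

# Object classes and record->attribute mappings from the Users table.
USER_CLASSES = ("inetOrgPerson", "posixAccount", "shadowAccount", "apple-user")
USER_ATTRS = {
    "RecordName": "uid",
    "RealName": "displayName",
    "NFSHomeDirectory": "apple-user-homeDirectory",
    "homeDirectory": "apple-user-homeurl",
}
NET_ROOT = "/Network/Servers"


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value'
    lines, attribute names lower-cased, values collected into lists.
    (No base64 '::' or continuation-line support; enough for exports like
    the samples below.)"""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            if current:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_user(entry):
    """Return a list of problems for one user entry (empty when it is fine)."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for cls in USER_CLASSES:
        if cls.lower() not in classes:
            problems.append(f"missing objectClass {cls}")
    for record, attr in USER_ATTRS.items():
        if not entry.get(attr.lower()):
            problems.append(f"missing {attr} (mapped from {record})")
    home = entry.get("apple-user-homedirectory", [""])[0]
    # With mountOption=net the home must live under /Network/Servers.
    if home and not home.startswith(NET_ROOT + "/"):
        problems.append(f"apple-user-homeDirectory {home!r} is not under {NET_ROOT}")
    return problems


def check_people(text):
    """Map DN -> problems for every entry that does not satisfy the mapping."""
    report = {}
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        problems = check_user(entry)
        if problems:
            report[dn] = problems
    return report


# Constructed sample: one complete user and one legacy user that was never
# given the apple-user class. The apple-user-homeurl value is a made-up
# sample, not a documented format.
SAMPLE_PEOPLE = """\
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
uid: testuser
displayName: Test User
apple-user-homeDirectory: /Network/Servers/nfsserver/vol/home/testuser
apple-user-homeurl: nfs://nfsserver/vol/home/testuser

dn: uid=olduser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: olduser
displayName: Old User
homeDirectory: /home/olduser
"""

if __name__ == "__main__":
    for dn, problems in check_people(SAMPLE_PEOPLE).items():
        print(dn)
        for problem in problems:
            print("  -", problem)
```

Run it against an ldapsearch export of ou=People (in LDIF form) and fix every reported DN before writing the mappings; the second sample entry shows the typical legacy account that still has a local homeDirectory but none of the Apple attributes.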

Done! For subsequent client configuration, you only need to know the hostname of the LDAP server.

Configure the clients to pull the Search and Mappings from the server (instead of Open Directory Server, select "From Server" with the Search Base ou=config,dc=example,dc=com) and you will be all set!

In the next section, we will configure a Macintosh client with LDAP so that our testuser can use LDAP logins, and configure Portable Home Directories.

Client Configuration

Now that our LDAP server is set up with all the OD schema and objects, it is time to configure the clients. This is the easiest part of the whole process.

  • Login to the Macintosh Client as an admin user
  • Open Directory Access application. Either use Spotlight to bring it up or double-click it in /Applications/Utilities/Directory Access.
  • Click the lock icon on the bottom-left corner to unlock the screen. Check LDAPv3 and click Configure. A new screen will appear
  • Important! – Ensure that the box labeled Add DHCP-supplied LDAP servers to automatic search policies is unchecked. There are several security advisories relating to its use
  • Click New. Enter the FQDN of the LDAP server in the Server Name field. Make sure that Use for authentication and Use for contacts is selected
  • Activate the pull-down menu titled LDAP Mappings and select From Server. This will cause the client to perform a sub-scope search under the base DN for the entry ou=macosxodconfig and use that to pull down all of the LDAP configuration information. Once the configuration is complete, you will see the message "Configuration of new server complete"

  • Click OK and give a descriptive name to the Configuration and click OK
  • Click on Authentication and ensure that the newly created LDAP configuration is listed in the Authentication list. It will be listed below NetInfo/DefaultLocalNode, which appears in gray. This cannot be changed.
  • If your contacts are stored in the LDAP server as well, you can click the Contacts tab and add your LDAP server there too.

All done! For good measure, restart the client. You should be able to log in with your LDAP credentials. Upon a successful login, OS X will cache these credentials, and you will still be able to log off and log on when you are not on the corporate network.


Comments

  1. Rajeev,

    Ben is not alone; 10.6 does indeed do nothing when you click “write to server”. I have run tcpdump on the client, and it does not even try to make a network connection. So sadly, I don’t think this works for 10.6, so I’ve had to resort to passing around the .plist configuration to the clients, which kinda stinks. For reference, I use SSL with my configuration and the ACL’s are correct, because if I manually update the mappings on the clients, everything works just fine.

  2. I’ve got most of this working but I can’t get a user’s groups to come across. Only the primary group is associated with the user on login. Any ideas?

  3. I can’t for the life of me get Workgroup Manager working with my CentOS openldap server. It just can’t or won’t connect. Logs don’t seem to give any clues. Is there something specific in the ldap setup that identifies an OD master as OD instead of LDAP? Is this the problem? I can’t authenticate at all yet so sticking to Apache Directory Studio.

  4. Christophe says:

    You say:

    “Fortunately, the apple schema also includes an alternative attribute called [apple-user-homeDirectory] to be used in such cases.”

    What do you mean by “in such cases”, which case is meant?

    Many thanks in advance!

Trackbacks

  1. [...] article I had written about integrating Mac OS X with LDAP attracted a bit of attention. While I had [...]

  2. [...] posted a comment on my Mac OS X article about integrating Linux into a Mac OS X Open Directory Environment. I figured [...]

  3. [...] about integrating Apple into your existing Unix/NFS environment, please read the article Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories. Rant: Even with Leopard, there is no support for Microsoft DFS. [...]

  4. [...] First off, Leopard’s autofs DOES work with LDAP.  Second, we are also looking at a little bit of hardcoded application from Apple, ergo not very flexible. Third, the integration of Mac OS X into LDAP is not covered in this particular post, as it was quite heavily covered in this comprehensive article titled “Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories“. [...]

  5. [...] article will add to Rajeev Karamchedu’s excellent post, “Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories”, only with Leopard Server instead of Tiger. My goals are a bit different from [...]

  6. [...] because I’m writing as I go, and I don’t know how it will turn out. However, given that others have had success at employing this method to get NFS automounting home directories working from Solaris LDAP, there [...]

  7. [...] start the Directory Utility application. It is in Applications -> Utilities. I basically followed Rajeev Karamchedu’s instructions, under the “Mapping Remaining Attributes and ObjectClasses” [...]

  8. homedir says:

    [...] for integrating Mac OS X with Unix LDAP and NFS environment. A must-read for all Unix administrators http://rajeev.name/2006/09/09/integrating-mac-os-x-into-unix-ldap-environment-with-nfs-home-dir… [...]

  9. [...] Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories Mac OS X and Mac OS X Server have been designed to fit into existing enterprise directory services. Apple’s extensible Open Directory architecture integrates with standards-based LDAP directory services, including Sun JAVA Enterprise Directory Server and IBM Directory Server, as well as with proprietary ones such as Microsoft’s Active Directory. [...] [...]

  10. [...] I’ve gotten my LDAP directory up and running. It’s serving out the directory information, and I’ve been able to login on my Linux machine. Now, I want to get logins and home directories available on my OS X machines. There is some really good information out there on getting this working. Most of what is here is cobbled together from these sources among others: Mac OS X Server Open Directory Administration for Snow Leopard, BackupCentral’s LDAP and Autofs for Ubuntu and Snow Leopard, Rajeev Karamchedu’s excellent writeup for integrating OS X and LDAP [...]

  11. […] Guide to integrating Mac OS X with LDAP and Unix Home Directories · Rajeev Karamchedu […]
