Introduction
Mac OS X and Mac OS X Server have been designed to fit into existing enterprise directory services. Apple's extensible Open Directory architecture integrates with standards-based LDAP directory services, including Sun Java Enterprise Directory Server and IBM Directory Server, as well as with proprietary ones such as Microsoft's Active Directory.
In Mac OS X 10.4 (Tiger), Apple introduced a feature called Portable Home Directories, which allows Macintosh laptop users to maintain synchronized copies of their home directories on the laptop and on the network. When a user goes offline with the laptop, her home directory goes with her, so she can continue to work just as if she were back at the office. When she reconnects to the network, Mac OS X automatically syncs selected content in her local home directory with the copy on the server.
The following options are available to any systems administrator or architect looking to integrate Mac OS X into their IT environment. Depending on what is already installed and available, the choices are:
- Use the existing Active Directory environment to authenticate Macintosh users.
- Use the existing Open Directory server on Mac OS X Server to authenticate Mac users.
- Use the existing LDAP environment (Novell, Sun ONE, OpenLDAP, etc.) to extend authentication services.
- Install one of the above, if a centralized solution is not already implemented.
In this article we discuss in detail the steps required to integrate Mac OS X with Sun ONE Directory Server for authentication, and also how to configure and manage Portable Home Directories over NFS. There is adequate documentation on the internet about Active Directory integration and about synchronizing home directories using Windows file sharing protocols (SMB) and Samba. When it comes to non-Apple and non-Microsoft directory services and NFS, however, there is a dearth of case studies and documentation. We hope to address that with this article.
In addition to achieving full integration, this approach also allows the use of Apple's Workgroup Manager to manage Apple users, groups and computers and their associated policies. Apple stores all policy and preference settings in plists (property lists). Unless you have another method of making changes to these plists and managing them, I strongly recommend that you use Workgroup Manager.
Assumptions
It is assumed that the implementation environment is a Unix environment with a standards-based LDAP server deployed for authentication and home directories served from a central NFS server. The goal is to extend the LDAP authentication services and NFS home directories to Macintosh systems.

Extremely handy! Thanks a bunch for posting this!
Exactly what I needed to get my Macintoshes integrated into a larger system. Thank you very much!
No problem! I am glad you found it useful. With Leopard out for the developers, I hope to write up a similar article on Leopard’s integration with NFS and AD!
Hi,
thanks for your article.
Reading the introduction I thought: ‘Wow, exactly what I was looking for’. But it seems this article only covers the integration of the mac os scheme with a directory server. Or did I miss a link to a followup?
I would really like to know details on how you setup PHD with NFS.
Thanks,
Christoph
I think I am missing the link for the follow-up. I initially wrote the article as separate pages that covered all of the implementation (including home directories over NFS using the automounter). Let me check for those posts and link them properly. Sorry about that.
=rajeev
I found some HTML code from the page templates that was causing the rest of the output to be hidden. The full article is online now. Hope you find it useful.
I am testing Leopard and hope to write up some info on that as well.
How did you convert the apple.schema to an ldif file? May I have a copy of your apple.ldif?
Hi Brian
The page has the link to the formatted apple schema.
HTH
Your site was very helpful. Two additional things. Can you detail more of your experiences with Workgroup Manager? I find that I'm unable to connect WGM to my directory (after all the other changes) because it requires the Apple DirectoryService listener on port 625.
Your site is great.
I cannot mount the home directory during the login process, so I cannot log in.
How should the apple-user-homeurl look like?
Something like this?
nfs://server.tld/Volumes/homes/username
Thanks a lot
Pirmin
Thanks much for your note. The settings really depend on your configuration and on your mappings.
The OSX code looks for these two attributes for setting up the home directories:
If using NFS, you should at least map NFSHomeDirectory to the LDAP attribute apple-user-homeDirectory.
Technically I did not see the need to map the HomeDirectory attribute at all. If you are using AFP home dirs, you may need to map it to apple-user-homeurl. The thing with apple-user-homeurl is that its value is actually an XML spec like this:
<home_dir>
<url>yourserver.com/SharePoint</url>
<path>YourPathToHomeDirectory</path>
</home_dir>
For NFS, OSX uses the attribute NFSHomeDirectory. The above document talks about setting it. Basically it is /Network/Servers/path/to/nfs/homedir. So using your example, the string should be /Network/Servers/$SERVERNAME/Volumes/homes/$USERNAME
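As an added example (not code from the article or from the reply above), the following Python applies the mapping just described: it derives the NFSHomeDirectory path under /Network/Servers from an nfs:// home URL of the kind Pirmin proposed, and it builds and parses the <home_dir> XML value that apple-user-homeurl carries. The /Network/Servers/<host>/<path> layout and the requirement that the URL be an absolute nfs:// URL are assumptions taken from the reply; nothing here talks to a directory server.

```python
"""Added example, not from the original post or the comment thread: derive the
NFSHomeDirectory value Mac OS X expects from an nfs:// home URL, and build and
parse the <home_dir> XML that apple-user-homeurl carries."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Assumption: the client mounts NFS homes under /Network/Servers/<host>/<path>,
# which is the convention the reply above describes.
NETWORK_SERVERS_PREFIX = "/Network/Servers"


def nfs_home_directory(home_url):
    """Map nfs://host/export/path/user to /Network/Servers/host/export/path/user.

    Rejects anything that is not an absolute nfs:// URL so a typo in the
    directory entry fails loudly instead of producing a bogus mount path.
    """
    u = urlparse(home_url)
    if u.scheme != "nfs" or not u.hostname or not u.path.startswith("/"):
        raise ValueError("expected nfs://host/absolute/path, got %r" % (home_url,))
    path = u.path.rstrip("/")
    return "%s/%s%s" % (NETWORK_SERVERS_PREFIX, u.hostname, path)


def home_dir_xml(share_url, path):
    """Build the <home_dir><url>...</url><path>...</path></home_dir> value.

    ElementTree escapes &, < and > so a share name containing them cannot break
    the XML the client parses.
    """
    root = ET.Element("home_dir")
    ET.SubElement(root, "url").text = share_url
    ET.SubElement(root, "path").text = path
    return ET.tostring(root, encoding="unicode")


def parse_home_dir_xml(blob):
    """Return (url, path) from a home_dir XML value, or raise ValueError."""
    try:
        root = ET.fromstring(blob)
    except ET.ParseError as exc:
        raise ValueError("malformed home_dir XML: %s" % exc)
    if root.tag != "home_dir":
        raise ValueError("expected <home_dir> root, got <%s>" % root.tag)
    url, path = root.findtext("url"), root.findtext("path")
    if url is None or path is None:
        raise ValueError("home_dir is missing <url> or <path>")
    return url, path


if __name__ == "__main__":
    print(nfs_home_directory("nfs://server.tld/Volumes/homes/username"))
    blob = home_dir_xml("yourserver.com/SharePoint", "YourPathToHomeDirectory")
    print(blob)
    print(parse_home_dir_xml(blob))
```

Run it directly to see the three values; the hostname is normalized to lower case by urlparse, which is also what you want when comparing against the mount table.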
Sorry to be a bother, but I'm very interested in whether you've been able to get Workgroup Manager working with your configuration. How did you do so without having someone/something listening on the DirectoryListener port? What steps, after your configuration, did it take to get WGM working?
Patrick
Thanks for your writing.
But I also would be interested how you managed to connect Workgroup Manager to LDAP. Mine says something like server not found.
Ernst
I have detailed that on a separate post here at
http://rajeev.name/2007/05/15/wgm-on-ldap-directory/
Hi it’s me again :-)
I couldn't use SMB for the synced mobile homes, because it did not work steadily. Sometimes the sync process worked and sometimes not. Maybe some problems with the automounter?
I use NFS now. I am happier with NFS, but not 100%. Sometimes the share doesn't get mounted and the sync process isn't working during this time. What is wrong with the mount?
There is another strange thing. When I log in with a newly created user the NFS mount is not mounted. When I log in the second time the NFS mount is mounted.
Do you have an idea what could be wrong? Do you have any suggestions?
Thanks a lot for your great support :-)
Can you clarify what the client actually uses for self-configuration?
You say “Client will self-configure itself by searching for ou=macosxconfig entry in the basedn.” except the listing for the root DN here and on my real OSX server shows ou=Config at base.
Does MacOS X client do subtree search for ou=Config in the entire base DN ?? How does the client know to look for ou=Config, ou=macosx,dc=foo,dc=bar without a mapping (we are trying to deliver a mapping for self config) ? Confused…
Hi Ega
That is a typo that I have since corrected. It is not macosxconfig but rather macosxodconfig. Sorry about that.
Earlier on in the page, I have mentioned
In the earlier step under the section Mapping Remaining Attributes and ObjectClasses, we had set up the mappings and written all the mappings to ou=macosx,dc=example,dc=com. What actually happens there is that a container called "config" is created under the suffix that we enter, and underneath that an ou=macosxodconfig is created where an XML blob containing all LDAP info is stored.
In the later step, when we go to configure the client, all you have to do is specify the suffix base DN and it will do a sub-scope search for ou=macosxodconfig and pull all LDAP info out of it!
I am trying to set this up using an OpenLDAP server and Mac OS X clients, but for some reason, the client does not let me login as an LDAP user.
The server gets the request and it can find the relevant user in its tree, but somehow the password does not get passed on from the client to the server, and the server keeps denying auth access to the "userPassword" attribute for the client. Finally the server fails saying
Jul 20 19:00:51 headnode slapd[7804]: do_sasl_bind: dn () mech CRAM-MD5
Jul 20 19:00:51 headnode slapd[7804]: conn=38 op=1 BIND dn="" method=163
Jul 20 19:00:51 headnode slapd[7804]: ==> sasl_bind: dn="" mech= datalen=42
Jul 20 19:00:51 headnode slapd[7804]: SASL Canonicalize [conn=38]: authcid="user"
Jul 20 19:00:51 headnode slapd[7804]: slap_sasl_getdn: conn 38 id=user [len=9]
Jul 20 19:00:51 headnode slapd[7804]: slap_sasl_getdn: u:id converted to uid=user,cn=CRAM-MD5,cn=auth
Jul 20 19:00:51 headnode slapd[7804]: >>> dnNormalize:
Jul 20 19:00:51 headnode slapd[7804]:
Jul 20 19:00:51 headnode slapd[7804]: ==>slap_sasl2dn: converting SASL name uid=user,cn=cram-md5,cn=auth to a DN
Jul 20 19:00:51 headnode slapd[7804]: slap_authz_regexp: converting SASL name uid=user,cn=cram-md5,cn=auth
Jul 20 19:00:51 headnode slapd[7804]:
Jul 20 19:00:51 headnode slapd[7804]: SASL Canonicalize [conn=38]: slapAuthcDN="uid=user,cn=cram-md5,cn=auth"
Jul 20 19:00:51 headnode slapd[7804]: SASL [conn=38] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 20 19:00:51 headnode slapd[7804]: SASL [conn=38] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 20 19:00:51 headnode slapd[7804]: SASL [conn=38] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 20 19:00:51 headnode slapd[7804]: SASL [conn=38] Failure: no secret in database
Jul 20 19:00:51 headnode slapd[7804]: send_ldap_result: conn=38 op=1 p=3
Jul 20 19:00:51 headnode slapd[7804]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: no secret in database"
Jul 20 19:00:51 headnode slapd[7804]: send_ldap_response: msgid=2 tag=97 err=49
Jul 20 19:00:51 headnode slapd[7804]: conn=38 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
Any help appreciated,
Prakash
Looks like you have some setup issues to work out, mainly SASL stuff.
looky here:
Jul 20 19:00:51 headnode slapd[7804]: do_sasl_bind: dn () mech CRAM-MD5
Obviously doing a SASL bind..
However
Jul 20 19:00:51 headnode slapd[7804]: SASL [conn=38] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 20 19:00:51 headnode slapd[7804]: SASL [conn=38] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 20 19:00:51 headnode slapd[7804]: SASL [conn=38] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
you may want to resolve them first…
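The slapd excerpt above shows a SASL CRAM-MD5 bind that ends in err=49 because the server went looking for the secret in /etc/sasldb2. The following Python is an added example (not code from the article or from anyone in this thread) that triages bind attempts in slapd access-log lines: it pairs each BIND with its RESULT by conn/op, attaches the SASL error lines logged on that connection, and classifies the outcome so that "slapd consulted sasldb instead of the directory" is distinguishable from an ordinary wrong password. The sample log is constructed from the lines quoted above plus one made-up successful simple bind (conn=39) for contrast; the regular expressions assume the default slapd "stats" log format shown above.

```python
"""Added example, not from the comment thread: triage LDAP bind attempts in
slapd access-log lines and flag SASL binds that failed because slapd looked up
the secret in /etc/sasldb2 instead of the directory."""
import re

# Constructed sample: the lines quoted in the comment above, plus a made-up
# successful simple bind (conn=39) for contrast.
SAMPLE_LOG = """\
Jul 20 19:00:51 headnode slapd[7804]: do_sasl_bind: dn () mech CRAM-MD5
Jul 20 19:00:51 headnode slapd[7804]: conn=38 op=1 BIND dn="" method=163
Jul 20 19:00:51 headnode slapd[7804]: SASL Canonicalize [conn=38]: authcid="user"
Jul 20 19:00:51 headnode slapd[7804]: SASL [conn=38] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 20 19:00:51 headnode slapd[7804]: SASL [conn=38] Failure: no secret in database
Jul 20 19:00:51 headnode slapd[7804]: conn=38 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
Jul 20 19:00:52 headnode slapd[7804]: conn=39 op=1 BIND dn="uid=user,ou=People,dc=example,dc=com" method=128
Jul 20 19:00:52 headnode slapd[7804]: conn=39 op=1 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+) text=(.*)$")
SASL_RE = re.compile(r"SASL \[conn=(\d+)\] (?:Error|Failure): (.*)$")

# slapd logs the BER tag of the bind choice: 128 (0x80) simple, 163 (0xA3) SASL.
METHOD_NAMES = {128: "simple", 163: "sasl"}


def parse_binds(log_text):
    """Return {(conn, op): record} pairing each BIND with its RESULT (tag=97)
    and with the SASL error lines logged on the same connection."""
    binds, sasl_errors = {}, {}
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            binds[(int(conn), int(op))] = {
                "dn": dn,
                "method": METHOD_NAMES.get(int(method), "unknown(%s)" % method),
                "err": None,
                "text": "",
                "sasl_errors": [],
            }
            continue
        m = SASL_RE.search(line)
        if m:
            sasl_errors.setdefault(int(m.group(1)), []).append(m.group(2).strip())
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, text = m.groups()
            rec = binds.get((int(conn), int(op)))
            if rec is not None:
                rec["err"], rec["text"] = int(err), text.strip()
    for (conn, _op), rec in binds.items():
        rec["sasl_errors"] = sasl_errors.get(conn, [])
    return binds


def diagnose(rec):
    """Classify one bind record.

    sasl-no-sasldb: a SASL bind that failed with "no secret in database", i.e.
    slapd consulted the SASL secrets database rather than the user's entry.
    invalid-credentials: any other err=49 (wrong password, unknown DN).
    """
    if rec["err"] == 0:
        return "ok"
    if rec["method"] == "sasl" and "no secret in database" in rec["text"]:
        return "sasl-no-sasldb"
    if rec["err"] == 49:
        return "invalid-credentials"
    if rec["err"] is None:
        return "no-result"
    return "other"


if __name__ == "__main__":
    for key, rec in sorted(parse_binds(SAMPLE_LOG).items()):
        print(key, rec["method"], rec["dn"] or "(anonymous/SASL)", diagnose(rec))
```

Feed it the real access log (slapd loglevel stats) and look first at the method column: a client you believed was doing a simple bind over TLS but which shows up as method=163 is the configuration problem to fix before touching the server's SASL setup.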
How do I enable simple binds from Mac client in this case? What should be the server-side configuration so that SASL binds from the client fall back to simple.
My OpenLDAP version is 2.3.27-25
Mac OS X Client – 10.4.10
Thanks,
Prakash
Thanks for this article. I'm in the process of setting up an LDAP server @ home, so that I can centralize user accounts. It's my first use of LDAP, so what confused me was how to get 92apple.schema into the LDAP DB. Finally, I found out that we include it in slapd.conf. You might want to add that for other novices. ;-)
Hi,
first of all, thanks for your great article ^^
I’m running several macs with Tiger using PHD without issues.
BUT
I tested Leopard these days, and everything works great (i.e. logon with network users, working with "normal" network users straight on the server), but using PHD doesn't work.
It's simply not syncing anything; login, creating the home dir, etc. work without problems, but it's not syncing a single file.
I’m totally lost :-(
Tried to create an new User with the new Workgroup Manager (works without problems) but still no syncing.
Maybe you could help me. ^^
I don't want to lose my PHDs.
Ohh, I’m using Freebsd-6.2 just in case ;-)
Thanks
Thank you very much for your article. I followed your instructions completely and also used the apple_schema.ldif from the link. When I added the apple-user object, apple-user-homeDirectory was not available. Two questions: 1. How do I modify the apple_schema.ldif to give apple-user this attribute? I do not know how to convert a schema file to an ldif file. 2. With a new .ldif file, what should I do to remove the previous one that I have added to the schema?
I am totally new with ldap, but your instructions took me through amazing work, thanks again.
How about the other way around? Integrating Linux into OS X Open Directory Environment with Home Directories.
Has anyone run across account management issues with the NS schema versus shadowAccount? E.g., SunONE likes to store stuff in passwordExpirationTime and passwordHistory-like attributes instead of shadowExpire. Do your Mac OS X clients respect those attributes, or how did you map them? What about filters for users? How did you say these people or groups can log in but no one else?
Have you tried integrating any Mac OS X 10.5 Leopard Servers with your iPlanet Directory Server yet? If you import the newer Apple schema file from Leopard Server, can the older 10.4 machines still continue to use the same instance of the directory server (with the data present in the Tiger schema fields)? Are the new fields/objects in the Leopard schema just an extension of the Tiger schema, or did anything get re-mapped? Thanks for any info.
Great write-up!
Ok, I’ve searched for awhile and I’m not finding what I need to make this happen.
We have an OpenLDAP server running on a Linux machine. I am trying to get the Apple Leopard client to understand the automount maps we have in the LDAP tree on the server. I have successfully configured the Apple client's user and group settings simply by appending ou=People, to the search bases of the User and People records and appending ou=Group, for the Groups record on the client. The automount part is much trickier apparently. Like Sun, Apple uses the auto_foo syntax with autofs, but unlike Sun I can't figure out what the equivalent of the ldapclient command is on the Apple. Basically we slurped the NIS maps over from NIS into LDAP, so now at the root level of the LDAP structure on the LDAP server we have:
# LDIF Export for: dc=foo,dc=bar,dc=bla
# Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on December 6, 2007 12:33 pm
# Server: Master LDAP Server (ldap.foo.bar.bla)
# Search Scope: one
# Search Filter: (objectClass=*)
# Total Entries: 8
dn: nisMapName=auto.foo,dc=foo,dc=bar,dc=bla
objectClass: top
objectClass: nisMap
nisMapName: auto.foo
dn: nisMapName=auto.master,dc=foo,dc=bar,dc=bla
objectClass: top
objectClass: nisMap
nisMapName: auto.master
dn: nisMapName=auto.mirror,dc=foo,dc=bar,dc=bla
objectClass: top
objectClass: nisMap
nisMapName: auto.mirror
dn: nisMapName=auto.notbackedup,dc=foo,dc=bar,dc=bla
objectClass: top
objectClass: nisMap
nisMapName: auto.notbackedup
dn: nisMapName=auto.projects,dc=foo,dc=bar,dc=bla
objectClass: top
objectClass: nisMap
nisMapName: auto.projects
dn: nisMapName=auto.test,dc=foo,dc=bar,dc=bla
objectClass: top
objectClass: nisMap
nisMapName: auto.test
dn: ou=Group,dc=foo,dc=bar,dc=bla
ou: Group
objectClass: top
objectClass: organizationalUnit
dn: ou=People,dc=foo,dc=bar,dc=bla
ou: People
objectClass: top
objectClass: organizationalUnit
below is the contents of the local ldap config file that the ldapclient command generates on Solaris machines:
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap.foo.bar.bla, ldap2.foo.bar.bla
NS_LDAP_SEARCH_BASEDN= dc=foo,dc=bar,dc=bla
NS_LDAP_CACHETTL= 0
NS_LDAP_SERVICE_SEARCH_DESC= auto_foo:nisMapName=auto.foo,dc=foo,dc=bar,dc=bla
NS_LDAP_SERVICE_SEARCH_DESC= auto_projects:nisMapName=auto.projects,dc=foo,dc=bar,dc=bla
NS_LDAP_SERVICE_SEARCH_DESC= auto_test:nisMapName=auto.test,dc=foo,dc=ucsc,dc=edu
NS_LDAP_SERVICE_SEARCH_DESC= auto_notbackedup:nisMapName=auto.notbackedup,dc=foo,dc=ucsc,dc=edu
NS_LDAP_SERVICE_SEARCH_DESC= auto_mirror:nisMapName=auto.mirror,dc=foo,dc=bar,dc=bla
NS_LDAP_ATTRIBUTEMAP= automount:automountInformation=nisMapEntry
NS_LDAP_ATTRIBUTEMAP= automount:automountKey=cn
NS_LDAP_ATTRIBUTEMAP= automount:automountMapName=nisMapName
NS_LDAP_OBJECTCLASSMAP= automount:automount=nisObject
NS_LDAP_OBJECTCLASSMAP= automount:automountMap=nisMap
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple
NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:tls:simple
Basically I would like to set +auto_master in the auto_master in /etc and with the correct translations like the suns have, just get my mount info from the ldap server as needed.
Any info would be greatly appreciated
Guys
I have posted some Leopard specific info here
http://rajeev.name/2007/12/09/integrating-leopard-autofs-with-ldap/
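The ldapclient profile quoted above spells out, in its NS_LDAP_ATTRIBUTEMAP and NS_LDAP_OBJECTCLASSMAP lines, how the automount schema names (automountMap, automount, automountMapName, automountKey, automountInformation) map onto the RFC 2307 nisMap/nisObject attributes that a NIS import produces. The following Python is an added example (not code from the article, from the commenter, from Sun or from Apple) that applies that same translation offline: it parses a small LDIF export, collects the maps, and renders them in the key/location format automounter map files use, so you can check what a client should end up with before fighting the client's own mapping UI. The LDIF sample is constructed: it reuses two of the nisMap containers shown above and adds two nisObject entries (a master-map line and one NFS location) that the comment does not include; the server name nfs.foo.bar.bla and the mount options are invented.

```python
"""Added example, not from the comment thread, Sun or Apple: translate RFC 2307
nisMap/nisObject automount data (as imported from NIS) into automounter map
files using the same attribute/objectclass mapping the Solaris ldapclient
profile above expresses."""

# Constructed sample LDIF: two of the nisMap containers from the comment plus
# two invented nisObject entries (server name and options are made up).
SAMPLE_LDIF = """\
# LDIF Export for: dc=foo,dc=bar,dc=bla (constructed sample)
dn: nisMapName=auto.master,dc=foo,dc=bar,dc=bla
objectClass: top
objectClass: nisMap
nisMapName: auto.master

dn: cn=/projects,nisMapName=auto.master,dc=foo,dc=bar,dc=bla
objectClass: top
objectClass: nisObject
cn: /projects
nisMapName: auto.master
nisMapEntry: auto.projects

dn: nisMapName=auto.projects,dc=foo,dc=bar,dc=bla
objectClass: top
objectClass: nisMap
nisMapName: auto.projects

dn: cn=alpha,nisMapName=auto.projects,dc=foo,dc=bar,dc=bla
objectClass: top
objectClass: nisObject
cn: alpha
nisMapName: auto.projects
nisMapEntry: -rw,intr nfs.foo.bar.bla:/export/projects/alpha
"""

# automount-schema name -> attribute/objectclass actually present in the tree,
# mirroring NS_LDAP_ATTRIBUTEMAP / NS_LDAP_OBJECTCLASSMAP in the profile above.
ATTR_MAP = {
    "automountInformation": "nisMapEntry",
    "automountKey": "cn",
    "automountMapName": "nisMapName",
}
OC_MAP = {"automount": "nisObject", "automountMap": "nisMap"}


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, one attr: value
    per line, folded lines (leading space) rejoined, comments skipped.
    Base64 values (attr:: value) are not handled; none appear here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            cur = {"dn": value}
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries


def automount_maps(entries):
    """Return {map name: {key: location}} by reading the nisMap/nisObject
    entries through ATTR_MAP/OC_MAP, so the rest of the code only ever sees
    automount-schema names."""
    def has_oc(entry, automount_oc):
        wanted = OC_MAP[automount_oc].lower()
        return any(oc.lower() == wanted for oc in entry.get("objectClass", []))

    def attr(entry, automount_attr):
        return entry[ATTR_MAP[automount_attr]][0]

    maps = {}
    for e in entries:
        if has_oc(e, "automountMap"):
            maps.setdefault(attr(e, "automountMapName"), {})
    for e in entries:
        if has_oc(e, "automount"):
            name = attr(e, "automountMapName")
            maps.setdefault(name, {})[attr(e, "automountKey")] = attr(e, "automountInformation")
    return maps


def render_map(maps, name):
    """Render one map as the key<TAB>location lines an automounter map file holds."""
    return "".join("%s\t%s\n" % (k, v) for k, v in sorted(maps[name].items()))


if __name__ == "__main__":
    maps = automount_maps(parse_ldif(SAMPLE_LDIF))
    for name in sorted(maps):
        print("# %s" % name)
        print(render_map(maps, name), end="")
```

Pointing parse_ldif at a real ldapsearch -LLL dump of the nisMapName=auto.* subtrees gives you the map files a Solaris ldapclient host would effectively be using; diffing those against what the Mac mounts is a quicker check than reading the client's XML mapping blob.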
Great article, although I've come across a few problems while following it.
My scenario:
SLES10 server and OSX 10.5 machines.
I’ve added apple.schema to LDAP and it’s visible.
The problem:
Nothing happens when I try to write attributes and objectclasses modifications to the server.
Nothing gets written, the window just closes on OK.
Any ideas?
I’m with Peter (April 10, 2008, 10:26 am), with an OpenLDAP 2.3 server (Debian etch) and 10.5.2 client: “Nothing happens when I try to write attributes and objectclasses modifications to the server.”
Nothing in the logs to suggest what’s up.
Thanks for the writeup though, it’s been helpful in understanding how OD differs from plain RFC2307 (which I’m now using).
@Peter and @Ben
What I am unsure from your comments is whether or not a dialog box pops up when you click “Write to Server”.. This dialog box should contain fields to enter
- Distinguished Name
- Password
- Search Base
If the dialog box does not even show up, then I would start looking at the LDAP client configuration leading up to it.
If it does show up and you are entering values correctly (remember the search base: the client will create an ou=macosxodconfig entry under this suffix and store its config info there), then I would check
HTH
(remember the SearchBase is the searchbase where the client can
>If the dialog box does not even show up…
It does, and I enter my admin credentials. Then, nada. I’m not certain I have the LDAP server’s ACLs right, though I can create anything with the same credentials under phpLDAPadmin. I’m out of time on this work right now, I hope to get another shot in the next few weeks… (I’d love to find an up to date “from zero to OpenLDAP + OS X” howto – I’ve more or less been stumbling from place to place piecing things together, no doubt I’ve missed something along the way!)
Thanks,
Ben
@Ben
I am sure you have already done this, but I had to ask. Once you click "Write to server" and nothing happens, have you checked the LDAP server to see if the macosxodconfig entry gets changed? (LDAP debug access logs should also help.) Sometimes changing a specific mapping to a bogus value and looking for that in the XML text of the macosxodconfig entry will also help...
What is not clear is
a) whether the ldap server is receiving the request at all from the client.
b) If it did receive the request, then what did the access log say..?
do you have access to the access logs on the server ?
Running tcpdump on the client will also help …
HTH
Hi, Thanks for your great writeup on this topic. This definitely is the most complete and helpful article I’ve found so far.
I do have a question about extending the posix users and groups to be apple-user and apple-group objects. Do I have to add that object class to all users and groups in the directory? I only have a few users that need to use OS X and I would like to only extend those users and not every user and group. However, when I browse nfs shares, OS X can’t resolve user IDs to usernames that haven’t been made apple-users. It also can’t resolve any group names. I would have thought the posixAccount and posixGroup mappings would have taken care of this.
Upon closer inspection I see that there is a “Map to [any|all] items in this list” setting in Directory Utility. I also see that I can drag the mappings up and down (perhaps to prioritize?).
Can you shed some light on this? If I can avoid modifying every user and group account in the directory, that would be preferable.
I am running OS X 10.5.4 on the client.
Thanks.
Zach
You do not have to add this to all users. One advantage of LDAP is that objects are extensible individually. You can extend individual user object to be apple-user objects.
Hi,
in ‘Mapping Remaining Attributes and ObjectClasses’ part you’ve listed attributes that should be changed.
1. What about any already existing ones, ie: extensibleObject. Should they be removed?
2. What about 'Map to any/all items in list'? Does it matter, and how, if so?
Thanks
:)
I’ve been working on setting up a five machine G5 10.3.9 Cluster using LDAP to NFS mount a RAID as user home directories, and NFS mount a directory existing on the LDAP master (with some programs that need to be shared) to the same location as on the master on the other 4 replica nodes. I’m trying to do this using only the Server Admin GUI and the Workgroup Manager GUI, for the users to easily be able to replicate the process should anything go down in the future.
I can create users just fine, but sharing is the difficult part that doesn’t seem to work at all. Checking off “custom mount” as the location to share anything always returns a “device busy” at the terminal on the other 4 nodes (and I assume I shouldn’t add the master’s IP to the “export to” list), and checking off “use as user home directories” for the home directories on the RAID just created new default home directory folders with owner root and doesn’t share any of the pre-existing content from the RAID to any of the other nodes. Have you ever had this problem before? I have no idea what I’m doing wrong because I think I’ve tried everything.
I am trying to set up an LDAP environment on a Mac OS X 10.5 Client machine and also on a Mac OS X 10.4 Server machine to use it mainly for sharing contacts in a small office network. This works already but I have to create contacts on the command line which is fine for me but not acceptable for the staff.
I would like to use Directory.app for creating contacts (people and groups).
We can already read contacts (also with Mail.app and Address Book.app) but when trying to create a "New Shared Contact" I always get "An error occurred during authentication – Unable to verify credentials for server myhost.mydomain.dom"
In system.log I can see (loglevel stats) a search “SRCH attr=authAuthority” which results in “SEARCH RESULT tag=101 err=0 nentries=1 text=” so I assume that there must be something missing in my setup.
I would really appreciate it if anyone could give me a hint, 'cause I'm working on this for weeks now and I'm stuck.
Thanks in advance and best regards
maceis
Rajeev this was extremely helpful to me. Thanks!
It broke when I upgraded to 10.5. By looking at the protocol messages, I’ve come up with a few extra things that need to be done if you want WGM to play nicely under OS X 10.5.
I can’t figure out how to get the trackback thing to work properly, but my notes here
Following these instructions I’ve got my OSX clients authenticating against openldap on Linux box, plus nicely working PHDs.
Thanks for the instructions!
I’m battling with one problem, however;
Users in the LDAP belong to multiple groups, but on the OSX only the primary group of a user is visible.
Any ideas or pointers here?
Thanks
Peter
This is very interesting information. I just bookmarked it now.
This is great! Thanks for writing it up. Have you tried doing this with OpenDS 1.2 at all? I am trying to get that set up and am hoping that the schema adjustments that you made, are the same for OpenDS.
The link to the apple.schema seems to be broken now. Is there any chance I can still get a copy of that file?
Hi Rajeev
Thanks for this tutorial.
I'm very new in the MacOS world and we are trying to integrate a couple of iMacs into our network.
We are running Sun ONE Directory Server 5.2 and I want to authenticate Mac users against our LDAP servers. Is there anything on the Mac side that can map information from the Solaris schema to apple.schema? Something like "NS_LDAP_SERVICE_SEARCH_DESC" in Solaris or "nss_map_attribute" in Linux? I'm a bit afraid to change anything in the schema.
Another thing is I can’t access to this link “http://www.tigr.org/%7Erajeev/92apple_schema.html”
Thanks again
Juan
I used this information to set up an ODS clone on Ubuntu 9.04 using OpenLDAP and was able to access it without problem from my Leopard clients up to 10.5.8. Thanks!
However, a machine that I have upgraded to Snow Leopard (10.6.2) – although able to see the ODS clone – seems to ignore it completely. WGM 10.6.2 won’t let me log in with the credentials which work for Leopard. The shell “id” command doesn’t return any information from the ODS clone.
I presume that Apple has changed the schemas for ODS, though the only change I have been able to identify is the introduction of apple_auxillary.schema. Adding that to my ODS clone has not solved the problem though.
Do you have any insight into what needs to be done to get an ODS clone running for Snow Leopard clients?
Steve
Have not had a chance to experiment with 10.6 for a while, but maybe this link might be of help.
http://images.apple.com/business/solutions/it/docs/Modifying_the_Active_Directory_Schema.pdf
The link to apple.schema ldif is broken. does anyone have a copy?
Hi,
your article helps a lot. But I still encounter some problems. I'm trying to use NFS + Kerberos + LDAP. I'm using OS X 10.5. The LDAP users can log in, but they won't get their home directories. It seems as if the Mac system isn't even trying to mount the NFS share. The Kerberos configuration seems to be fine, because the user gets a valid ticket. Perhaps you could explain the apple-user-homeurl and homeDirectory values. I don't quite get whether I need the apple-user-homeurl value for NFS. Is it possible that 10.5 changed the way the home directory is mounted?
Best regards,
Ulrich
Greetings. I found this article very informative. The article mentions: “On an OS X Server, we started the Open Directory Server and created one admin user. We then dumped the directory tree contents to a file…”. Would you please email me this file, or post a link to it?
I don't have access to those files anymore, but it is something you can do quite easily if you have access to an Open Directory server: just issue an ldapsearch command at the root of the suffix as an admin user.
Here are some example entries that might help you..
apple-user-homeurl: nfs://fas3170.myco.com/vol/homes/users/rajeev
homeDirectory: /home/rajeev
To understand exactly what the client is requesting from the server, my suggestion is to turn up the debug logging on the OSX LDAP server and watch the access logs.