OpenDirectory is a feature included with Mac OS X Server. Wouldn’t it be nice if you could use it without having to spend hundreds of dollars on a server license? Wouldn’t it be great if you could add it into your existing Linux-based OpenLDAP server? It’s actually quite easy because OpenDirectory is a standard OpenLDAP server with a special Apple schema.
0. Prerequisites
– OpenLDAP server with Samba integration (I’m running it on an Ubuntu 8.04 server, using the standard OpenLDAP and Samba packages). I won’t go into the details of how to set this up; there are lots of tutorials around the web on this.
– some kind of LDAP admin tool, I used phpLDAPAdmin
– Mac OS X 10.5 Leopard clients
1. Adding the Apple schema to your OpenDirectory server
It is located in /etc/openldap/schema/apple.schema on any Mac. Copy this file to your OpenLDAP server and add it to your slapd.conf.
You may run into the problem that apple.schema references some samba.schema attributes that were deprecated with Samba 3. Specifically, these are acctFlags, pwdLastSet, logonTime, logoffTime, kickoffTime, homeDrive, scriptPath, profilePath, userWorkstations, smbHome, rid and primaryGroupID, so you’ll need to edit apple.schema and replace these with their Samba 3 counterparts.
Now, restart the OpenLDAP daemon so it recognizes the changes.
2. Adding some Mac-specific attributes to your LDAP server
Add an ou=macosx branch to your LDAP tree, under which you’ll need to create ou=accesscontrols, ou=augments, ou=automountMap, ou=autoserversetup, ou=certificateauthorities, ou=computer_groups, ou=computer_lists, ou=computers, ou=filemakerservers, ou=locations, ou=machines, ou=maps, ou=mount, ou=neighborhoods, ou=places, ou=preset_computer_groups, ou=preset_computer_lists, ou=preset_computers, ou=preset_groups, ou=preset_users, ou=printers, and ou=resources.
To all your LDAP groups, add the apple-group objectClass. To all your LDAP users, add the apple-user objectClass.
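As an added example (not code from the post), here is a small Python script covering steps 1 and 2: it renames the deprecated Samba attribute names in apple.schema as whole tokens only (a plain search-and-replace would also hit "rid" inside words like "override"), and it generates the LDIF for the ou=macosx subtree and for adding apple-user / apple-group to existing entries. The Samba 3 names in the mapping and the dc=example,dc=com base DN are my assumptions; check the mapping against your own samba.schema.

```python
import re

# Step 1: deprecated Samba 2.2 attribute names referenced by apple.schema, mapped to
# the Samba 3 names (my reading of samba.schema; verify against your own copy).
SAMBA3_NAMES = {
    "acctFlags": "sambaAcctFlags",
    "pwdLastSet": "sambaPwdLastSet",
    "logonTime": "sambaLogonTime",
    "logoffTime": "sambaLogoffTime",
    "kickoffTime": "sambaKickoffTime",
    "homeDrive": "sambaHomeDrive",
    "scriptPath": "sambaLogonScript",
    "profilePath": "sambaProfilePath",
    "userWorkstations": "sambaUserWorkstations",
    "smbHome": "sambaHomePath",
    "rid": "sambaSID",
    "primaryGroupID": "sambaPrimaryGroupSID",
}
# \b on both sides: match whole attribute tokens only, case-sensitive like the schema file
_TOKEN = re.compile(r"\b(" + "|".join(map(re.escape, SAMBA3_NAMES)) + r")\b")

def rewrite_apple_schema(text):
    """Return apple.schema text with deprecated names replaced as whole tokens."""
    return _TOKEN.sub(lambda m: SAMBA3_NAMES[m.group(1)], text)

# Step 2: the ou=macosx subtree that Workgroup Manager expects.
MACOSX_OUS = [
    "accesscontrols", "augments", "automountMap", "autoserversetup",
    "certificateauthorities", "computer_groups", "computer_lists", "computers",
    "filemakerservers", "locations", "machines", "maps", "mount", "neighborhoods",
    "places", "preset_computer_groups", "preset_computer_lists", "preset_computers",
    "preset_groups", "preset_users", "printers", "resources",
]

def macosx_tree_ldif(base_dn):
    """LDIF for ldapadd: ou=macosx plus one child ou per entry in MACOSX_OUS."""
    entries = [("macosx", base_dn)] + [(ou, f"ou=macosx,{base_dn}") for ou in MACOSX_OUS]
    return "\n".join(f"dn: ou={ou},{parent}\nobjectClass: organizationalUnit\nou: {ou}\n"
                     for ou, parent in entries)

def add_objectclass_ldif(dns, object_class):
    """LDIF for ldapmodify: add an AUXILIARY class (apple-user / apple-group) to entries."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: {object_class}\n"
                     for dn in dns)

if __name__ == "__main__":
    import sys
    sys.stdout.write(macosx_tree_ldif("dc=example,dc=com"))  # assumed base DN
```

Pipe the output into ldapadd -x -D cn=admin,... -W for the tree, and feed add_objectclass_ldif() output to ldapmodify after listing your user and group DNs.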
3. Connecting your Mac to the LDAP directory
On your Mac, go into Directory Access and add your LDAP server. Choose OpenDirectory as the server type and adjust the Samba mappings to match your changes from step 1. Here is a plist you can import into Directory Access that already has these mappings corrected: LDAPv3_Unix_Samba3_OD.plist.
If you want your other clients to automatically use this mapping, create a cn=config branch in your LDAP tree and use the Write to Server button in Directory Access.
4. Use Workgroup Manager to set network home folders, managed preferences, …
Now, you can use Workgroup Manager to manage network home folders and managed preferences, just like you would on a Mac server. You’ll need to authenticate using an LDAP user who has full write privileges to the directory (as set in slapd.conf). The standard cn=admin,dc=example,dc=com user will NOT work.
5. Conclusion
Almost everything works, except for:
– adding new users and groups through Workgroup Manager
– solution: unknown
– assigning directory admin privileges to users through Workgroup Manager
– solution: using an OpenLDAP server set up to use cn=config instead of slapd.conf. This will also require going into Directory Access again and adding the OLCBDBConfig, OLCFrontEndConfig, OCGlobalConfig, OLCSchemaConfig and OLCOverlayDynamicID record types back in (they are included in the OpenDirectory mapping, but I deleted them from mine because they only cause error messages on an OpenLDAP server with slapd.conf configuration).
Here are all the web sites that helped me in the process of figuring this out:
http://docs.info.apple.com/article.html?path=ServerAdmin/10.4/en/c6od15.html (this one is especially important because it explains what to do if your LDAP server is not set up for SASL authentication)
http://www.emmes-world.de/mac-afp-homes.html (this one describes a similar setup and was my most important resource)
http://rajeev.name/blog/2006/09/09/integrating-mac-os-x-into-unix-ldap-environment-with-nfs-home-directories/
http://www.netmojo.ca/blog/tag/ldap/
http://www.macdevcenter.com/pub/a/mac/2003/08/26/active_directory.html?page=2
7. Further Information
Since you’re not using Kerberos for authentication, you may want to look at securing your LDAP connections with SSL. Here are some links that talk about it:
http://www.novell.com/coolsolutions/feature/19965.html
http://www.afp548.com/article.php?story=20071203011158936
Someone else also wrote a blog post about Setting up a Linux server for OS X clients, in which they also describe how to incorporate Kerberos into the whole equation. That’s certainly something worth considering.
This helps a lot… I’m nearly there it seems.
I have a question about “5. Conclusion”
How can I set a user to have full write privileges to the directory when I’m using a cn=config setup as you describe?
On my config tree I see… olcDatabase={-1}frontend, olcDatabase={0}config & olcDatabase={1}hdb but none of those attributes you list. Where do I enter these and how do I specify a user instead of the cn=admin,dc=example,dc=com for the olcRootDN and also… can I have more than one olcRootDN? Is it a different attribute?
That seems to be the missing link to getting the connection to happen with Workgroup Manager.
Glad to hear that my post helped you and you got this to work.
I have never looked at the cn=config setup because it didn’t really matter in my setup and because I had to use a pre-existing LDAP.
Did you take a look at the slapd documentation? The OLC* objectClasses are normal OpenLDAP stuff, so you should be able to find something on “standard” cn=config setups on Linux.
If you find anything and get it to work, please let me know and I’ll be happy to add it to the post.
Just curious, are you on Leopard or on Snow Leopard? I don’t assume anything big has changed in Snow Leopard (at least apple.schema hasn’t changed).
Supposedly there is some trouble in Lion with this, but some people have found a solution (which I have not tested): http://derflounder.wordpress.com/2012/03/02/binding-to-a-linux-based-openldap-server-from-10-6-x-and-10-7-x/
I could really use your help. I currently have a CentOS OpenLDAP server. I want to connect my MAC clients to this server. Everything is working except the home directories cannot be accessed.
I am using direct maps through auto.master, which mounts the auto_home entries to /home. The /etc/auto_home points to +auto_home.
From the mac client I can see the users, I can run a dscl command that will allow me to see all the user accounts (automountKey) and their respective home directories (AutomountInformation).
For some reason, when I do a su -, it tries to go to the directory, but does not make it.
If I add the account name and respective NFS mount point to the auto_home file on the MAC client, the user’s home directory can be established and I can see all the files.
Do you know why autofs would prevent the account from accessing its home directory via +auto_home?
I could really use your help on this matter. Apple’s automount does not allow for debugging.