[Network Administration]: LDAP and OS X

I’ve gotten my LDAP directory up and running. It’s serving out the directory information, and I’ve been able to log in on my Linux machine. Now I want to get logins and home directories available on my OS X machines. There is some really good information out there on getting this working. Most of what is here is cobbled together from these sources, among others:
Mac OS X Server Open Directory Administration for Snow Leopard
BackupCentral’s LDAP and Autofs for Ubuntu and Snow Leopard
Rajeev Karamchedu’s excellent writeup for integrating OS X and LDAP

At its most basic, the current LDAP entries will work with the following information (which is what gets generated for the Linux accounts set up by default on Ubuntu):

objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid:
cn:
uidNumber:
gidNumber:
homeDirectory:
password:
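The list above is the shape of a working entry, but the server only accepts it if every attribute the object classes mark as MUST is present. The script below is an added example (not from the original post): it parses one LDIF entry and lists the required attributes it is missing, using the MUST lists of the standard core, inetorgperson and nis schemas. The sample entry, the uid jdoe and the dc=example,dc=org suffix are constructed for illustration; the password is stored in userPassword, the core-schema attribute that holds the hash.

```python
"""Sanity-check a user entry against the MUST lists of its object classes.

Added example, not from the original post. The sample entry is constructed.
"""
import base64

# MUST attribute lists as defined in OpenLDAP's core.schema, inetorgperson.schema
# and nis.schema. The superior class is recorded so inherited MUSTs are checked
# too (inetOrgPerson inherits 'sn' and 'cn' from person).
OBJECT_CLASSES = {
    "top": ("", {"objectClass"}),
    "person": ("top", {"sn", "cn"}),
    "organizationalPerson": ("person", set()),
    "inetOrgPerson": ("organizationalPerson", set()),
    "posixAccount": ("top", {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}),
    "shadowAccount": ("top", {"uid"}),
}

# Constructed sample entry; the suffix and the password hash are placeholders.
SAMPLE_ENTRY = """\
# constructed sample user entry
dn: uid=jdoe,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: Jane Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
userPassword: {SSHA}placeholder-hash-not-a-real-credential
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Handles comment lines, folded continuation lines (leading space) and the
    'attr:: base64' value form. The dn line is kept as an ordinary key.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # folded line: append to the previous one
        else:
            logical.append(raw)
    entry = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    return entry


def required_attributes(object_classes):
    """Union of the MUST lists of the given classes and all their superiors."""
    required = set()
    for oc in object_classes:
        while oc:
            if oc not in OBJECT_CLASSES:
                raise KeyError("objectClass %s is not in the local schema table" % oc)
            sup, must = OBJECT_CLASSES[oc]
            required |= must
            oc = sup
    return required


def missing_attributes(entry):
    """Required attributes (by the entry's objectClass values) that are absent."""
    present = {name.lower() for name in entry}  # LDAP attribute names are case-insensitive
    required = required_attributes(entry.get("objectClass", []))
    return sorted(attr for attr in required if attr.lower() not in present)


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_ENTRY)
    print("missing:", missing_attributes(entry))  # reports ['sn']
```

Run against the sample, the checker reports that sn is missing: inetOrgPerson inherits person, which requires sn as well as cn, so an entry built only from the attribute list above is rejected by slapd with an object class violation until an sn value is added.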

However, there are a number of extended attributes that Apple uses which are included in the Apple schema. I followed this writeup to get the additional Apple attributes working.

I did have to make some changes to the apple.schema from my Snow Leopard schema file. First, I uncommented the apple-user-homeDirectory attribute type. I also needed to add it to the apple-user object class so that it could use it. Secondly, I needed to move the authAuthority attribute above the apple-user object class so that it could use it (this one is pointed out in some other blog posts). And lastly, I needed to comment out the automount attributes and object classes, since they are already present in the rfc2307bis schema. Once the changes were made, I was able to convert the schema to LDIF files.

This Perl script should be able to do the LDIF conversion. (I have only checked it superficially. I had used slapcat to convert the schema to LDIF and did the rest by hand, but felt that was too roundabout.)

#!/usr/bin/perl
# Convert an OpenLDAP .schema file into an LDIF entry for cn=config (olc* attributes).
# Usage: ./schema2ldif.pl apple.schema > apple.ldif

use strict;
use warnings;

my $file = $ARGV[0] or die "usage: $0 file.schema\n";
open(my $fh, '<', $file) or die "cannot open $file: $!\n";

# The schema name is the file's basename without the .schema extension
(my $schema = $file) =~ s{^.*/}{};
$schema =~ s/\.schema$//;

print "dn: cn=${schema},cn=schema,cn=config\n";
print "objectClass: olcSchemaConfig\n";
print "cn: ${schema}\n";

while (my $line = <$fh>) {
    if ($line =~ /^#/) {
        # Leave comments as is
        print $line;
    }
    elsif ($line =~ /^\s*$/) {
        # Convert blank lines into comments (a blank line would end the LDIF entry)
        print "#\n";
    }
    # Convert to olc naming
    elsif ($line =~ /^\s*object[iI]dentifier(.*)/) {
        print "olcObjectIdentifier: ${1}\n";
    }
    elsif ($line =~ /^\s*object[cC]lass(.*)/) {
        print "olcObjectClasses: ${1}\n";
    }
    elsif ($line =~ /^\s*attribute[tT]ype(.*)/) {
        print "olcAttributeTypes: ${1}\n";
    }
    # Continuation lines: replace leading TABs/spaces with the single space LDIF folding needs
    elsif ($line =~ /^[\t ]+(.*)/) {
        print " ${1}\n";
    }
    # Otherwise pass the line through unchanged
    else {
        print $line;
    }
}
close($fh);

One frustration that I did encounter was that all logins after the first login would fail for LDAP accounts.
From /var/log/secure.log I got this:

Jan 7 15:45:57 mac SecurityAgent[8866]: Could not get the user record for user from DirectoryServices.
Jan 7 15:45:57 mac SecurityAgent[8866]: Will sleep 1 seconds and try again (retryCount = 4)
Jan 7 15:45:58 mac SecurityAgent[8866]: Could not get the user record for user from DirectoryServices.
Jan 7 15:45:58 mac SecurityAgent[8866]: Will sleep 2 seconds and try again (retryCount = 3)
Jan 7 15:46:00 mac SecurityAgent[8866]: Could not get the user record for user from DirectoryServices.
Jan 7 15:46:00 mac SecurityAgent[8866]: Will sleep 4 seconds and try again (retryCount = 2)
Jan 7 15:46:04 mac SecurityAgent[8866]: Could not get the user record for user from DirectoryServices.
Jan 7 15:46:04 mac SecurityAgent[8866]: Will sleep 8 seconds and try again (retryCount = 1)
Jan 7 15:46:12 mac SecurityAgent[8866]: User info context values set for user
Jan 7 15:46:12 mac SecurityAgent[8866]: unknown-user (user) login attempt PASSED for auditing

Anyway, it turned out that AirPort was set up to turn off on logout, so the machine had no network connection to the LDAP server when the next login was attempted.
BTW, to enable debug logging for DirectoryServices, the following needs to be executed:

sudo killall -USR1 DirectoryService
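The secure.log excerpt above has a recognisable shape: a run of "Could not get the user record" failures with doubling sleeps, ending in a PASSED login. Seen in bulk, that shape separates "directory server unreachable at the login window" from bad credentials or a schema problem. The script below is an added example (not from the original post) that runs over lines constructed to match the excerpt and produces a per-process summary and diagnosis; the log format and message strings are taken from the excerpt, and the host name mac and PID 8866 are the sample's own values.

```python
"""Detect the DirectoryServices retry pattern in OS X secure.log lines.

Added example, not from the original post. SAMPLE_LOG is constructed to match
the excerpt shown above.
"""
import re
from datetime import datetime

# Constructed sample, same format as the secure.log excerpt in the post.
SAMPLE_LOG = """\
Jan 7 15:45:57 mac SecurityAgent[8866]: Could not get the user record for user from DirectoryServices.
Jan 7 15:45:57 mac SecurityAgent[8866]: Will sleep 1 seconds and try again (retryCount = 4)
Jan 7 15:45:58 mac SecurityAgent[8866]: Could not get the user record for user from DirectoryServices.
Jan 7 15:45:58 mac SecurityAgent[8866]: Will sleep 2 seconds and try again (retryCount = 3)
Jan 7 15:46:00 mac SecurityAgent[8866]: Could not get the user record for user from DirectoryServices.
Jan 7 15:46:00 mac SecurityAgent[8866]: Will sleep 4 seconds and try again (retryCount = 2)
Jan 7 15:46:04 mac SecurityAgent[8866]: Could not get the user record for user from DirectoryServices.
Jan 7 15:46:04 mac SecurityAgent[8866]: Will sleep 8 seconds and try again (retryCount = 1)
Jan 7 15:46:12 mac SecurityAgent[8866]: User info context values set for user
Jan 7 15:46:12 mac SecurityAgent[8866]: unknown-user (user) login attempt PASSED for auditing
"""

# syslog-style line: "<Mon> <day> <HH:MM:SS> <host> <process[pid]>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\S+): (?P<msg>.*)$"
)
SLEEP_RE = re.compile(r"Will sleep (\d+) seconds and try again \(retryCount = (\d+)\)")


def analyze_secure_log(log_text):
    """Summarise DirectoryServices lookup failures per logging process (e.g. SecurityAgent[8866])."""
    reports = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line in the expected format
        # syslog timestamps carry no year; the default year is fine for elapsed time
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        rep = reports.setdefault(m.group("proc"), {
            "first_seen": ts, "last_seen": ts, "lookup_failures": 0,
            "backoff_seconds": 0, "outcome": None,
        })
        rep["last_seen"] = ts
        msg = m.group("msg")
        if "Could not get the user record" in msg:
            rep["lookup_failures"] += 1
        sleep = SLEEP_RE.search(msg)
        if sleep:
            rep["backoff_seconds"] += int(sleep.group(1))
        if "login attempt PASSED" in msg:
            rep["outcome"] = "PASSED"
    for rep in reports.values():
        rep["elapsed_seconds"] = int((rep["last_seen"] - rep["first_seen"]).total_seconds())
    return reports


def diagnose(report):
    """Turn one process report into a one-line diagnosis."""
    if report["lookup_failures"] == 0:
        return "no DirectoryServices lookup failures"
    if report["outcome"] == "PASSED":
        return ("%d lookup failures over %d s of back-off, then login passed: "
                "directory server unreachable at login time (check network / LDAP connectivity)"
                % (report["lookup_failures"], report["backoff_seconds"]))
    return "%d lookup failures and no successful login recorded" % report["lookup_failures"]


if __name__ == "__main__":
    for proc, rep in analyze_secure_log(SAMPLE_LOG).items():
        print(proc, "->", diagnose(rep))
```

On the sample this reports four failed lookups, 15 seconds of back-off (1+2+4+8) and a login that passed once the retries got through, which is exactly what a network interface that comes up late at the login window looks like.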
