[Network Administration]: OS X Contacts and LDAP

I updated my LDAP accounts with information for OS X to pull into Contacts. My network users in the LDAP directory are already available to OS X, so I can now use the same directory for managing my contacts.

First I need to extend the information that I want to make available in the directory. The inetOrgPerson object class from the inetorgperson schema provides a whole slew of attributes, and the Apple schema for LDAP provides even more. I added two attributes to my accounts in particular:

  • mail — Email address
  • jpegPhoto — Image in JPEG format

The two are pretty basic. I wanted to add mail to the account for other reasons already.

As an aside, the directory can store contact information for more than just users. The same object classes can hold contact entries without any user account information. Such people can be stored in a separate sub-tree such as ou=people,dc=example,dc=com. I don’t have any entries like this, but I don’t see any reason why it wouldn’t work.

To get this to work with OS X, the attribute mapping needs to be extended. I added the following two mappings:

  • EMailAddress -> mail — This is listed as the “work” email in the Contacts app in OS X
  • JPEGPhoto -> jpegPhoto — This is the photo associated with the contact

There are more that can be added such as:

  • RealName -> cn — Doesn’t seem to be used
  • RecordName -> cn
  • FirstName -> givenName — Contact’s first name
  • LastName -> sn — Contact’s last name
  • HomePhoneNumber -> homePhone — Listed as “home” phone number
  • PhoneNumber -> telephoneNumber — Listed as “work” phone number
  • MobileNumber -> mobile — Listed as “mobile” phone number
  • EMailAddress -> mail — Listed as “work” email address
  • AddressLine1 -> street — Doesn’t seem to be used
  • Street -> street — Listed as part of “work” address
  • City -> l — Listed as part of “work” address
  • State -> st — Listed as part of “work” address
  • PostalCode -> postalCode — Listed as part of “work” address
  • PostalAddress -> postalAddress — Doesn’t seem to be used
  • CreationTimestamp -> createTimestamp
  • ModificationTimestamp -> modifyTimestamp

There are more possible attributes to add. When creating the mapping in Directory Utility, there is a list of attributes that can be associated with the different record types; for example, the user’s certificate can be added to their entry. Adding the email address attribute was straightforward, but the image was more involved: the image binary needs to be written straight into the attribute. I used an LDIF like the following with ldapmodify:

# LDIF change record: replace jpegPhoto with the raw bytes of a local file
# (the "<" syntax makes ldapmodify read the value from the given URL)
dn: uid=testuser,ou=users,dc=example,dc=com
changetype: modify
replace: jpegPhoto
jpegPhoto:< file:///tmp/image.jpg

This will write the contents of the file into the attribute.
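As an added example (not code from the original post), the helper below builds the same kind of modify LDIF but embeds the image base64-encoded with the '::' form, so the change record does not depend on a file path on the ldapmodify host, and it checks the input first: JPEG SOI/EOI markers, a size cap, and no line breaks in the DN or mail value that could smuggle extra LDIF lines into the change. MAX_PHOTO_BYTES, MAIL_RE and the sample photo bytes are assumptions of the example.

```python
import base64
import re

# Assumed limits for this example (not from the original post): a size cap so a
# stray upload cannot bloat the directory, and a 76-column fold per RFC 2849.
MAX_PHOTO_BYTES = 256 * 1024
LDIF_LINE_WIDTH = 76
MAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")

def is_jpeg(data: bytes) -> bool:
    """True if data carries the JPEG SOI marker at the start and EOI at the end."""
    return data[:3] == b"\xff\xd8\xff" and data[-2:] == b"\xff\xd9"

def fold_ldif_line(line: str) -> str:
    """Fold a long LDIF line; continuation lines begin with one space (RFC 2849)."""
    if len(line) <= LDIF_LINE_WIDTH:
        return line
    head, rest = line[:LDIF_LINE_WIDTH], line[LDIF_LINE_WIDTH:]
    step = LDIF_LINE_WIDTH - 1  # one column is taken by the leading space
    return "\n".join([head] + [" " + rest[i:i + step] for i in range(0, len(rest), step)])

def jpegphoto_modify_ldif(dn: str, photo: bytes, mail: str = "") -> str:
    """Build a 'changetype: modify' LDIF replacing jpegPhoto (and mail, if given).

    The photo goes in base64 with the '::' syntax after validating the inputs.
    """
    if "\n" in dn or "\r" in dn:
        raise ValueError("dn must not contain line breaks")
    if not is_jpeg(photo):
        raise ValueError("jpegPhoto must be a JPEG (bad SOI/EOI markers)")
    if len(photo) > MAX_PHOTO_BYTES:
        raise ValueError(f"photo too large: {len(photo)} > {MAX_PHOTO_BYTES} bytes")
    lines = [f"dn: {dn}", "changetype: modify"]
    if mail:
        if not MAIL_RE.fullmatch(mail):
            raise ValueError(f"refusing suspicious mail value: {mail!r}")
        lines += ["replace: mail", f"mail: {mail}", "-"]
    b64 = base64.b64encode(photo).decode("ascii")
    lines += ["replace: jpegPhoto", fold_ldif_line(f"jpegPhoto:: {b64}")]
    return "\n".join(lines) + "\n"

def decode_jpegphoto(ldif: str) -> bytes:
    """Unfold the LDIF and decode the jpegPhoto value back (round-trip check)."""
    unfolded = ldif.replace("\n ", "")
    match = re.search(r"^jpegPhoto:: (\S+)$", unfolded, re.MULTILINE)
    if match is None:
        raise ValueError("no base64 jpegPhoto attribute found")
    return base64.b64decode(match.group(1))

# Constructed stand-in for a real photo: minimal bytes framed by JPEG SOI/EOI markers.
SAMPLE_PHOTO = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 2 + b"\xff\xd9"
```

The output can be piped straight into ldapmodify; a wrong attribute type or oversized value is rejected locally before it ever reaches the directory.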

At this point I needed to push this out to a couple of OS X machines to update the mapping. I didn’t really want to load the new template onto each one, so instead I wrote the mapping to the server.

[Network Administration]: OS X and Mobile Accounts

I have both Ubuntu and Linux machines. One of the goals is to have access to all of the same information regardless of where I log in, and to have it transparent to the machine that I’m actually using.

[Network Administration]: Kerberized SSH

At this point, most of the infrastructure is in place, so I could tie some other services together with it. For my servers (other than the Kerberos KDC and LDAP directory), I’ve configured Kerberized SSH. It’s a good starting point to see the benefits of single sign-on.

[Network Administration]: Automounter over LDAP

This is basically an update to the autofs and automounter page that was published earlier, reflecting some changes to how things are set up now. I still have my automount maps in the LDAP directory, but the DN for the maps is updated to the autofs schema that currently ships with the Ubuntu package instead of the rfc2307bis schema, which seems to have languished in draft form. I’ve also unified some of the files across both Linux machines and OS X.

[Network Authentication]: OS X Kerberos Authentication and LDAP Authorization

I’ve also enabled Kerberos authentication and LDAP authorization on my OS X machine in addition to the Linux machines. OS X supports Kerberos out of the box and deploys it for authentication against an OS X server. Also, the native Open Directory implementation is built on OpenLDAP, so we should be able to talk to our LDAP directory. Additionally, we’ve already generated the directory entries with the records that we’ll need for OS X authorization; we just need to enable it.