gnegg

OSX and OpenLDAP

Finally. It works. I got Richard's OSX-Box to authenticate against my OpenLDAP server, I set up yesterday (acutually, it authenticates against the replica but this does not make any difference). Here's what I did:

  1. As I have the homeDirectory attribute in the form /home/username, and Mac OS X has the users in /Users/username, I actually have two ways to fix this: a) add another attribute to the LDAP-Server called osxHomeDirecotry or something like that. This was no alternative as I don't have an enterprise number yet so I could not legally create an OID for such an attribute. b) symlink /home to /Users. That's what I did.
  2. Now I started the "Directory Access" Utility in the Application/Utilities folder.
  3. I've removed the checkmark on LDAPv2, selected LDAPv3 and clicked on "configure"
  4. The next step was to remove the checkmark "Use DHCP supplied LDAP-Server" as my DHCP-Server does not supply an LDAP server (and I don't even know which option-code that would be on the DHCP-Server).
  5. Now I've clicked on the "more"-Arrow to display the advanced settings where I've entered the hostname of the internal (replica) LDAP-Server. In LDAP Mappings, I've selected "Custom", the SSL-Checkbox stayed un-checked after my un-successful tries to get OpenLDAP to use my self-signed certificate yesterday. I'll get back to this as before I get productive with my setup.
  6. In the new dialog that popped up, I had to make some adjustments:

    (In my explanations, I assume, your accounts have objectClasses of inetOrgPerson, posixAccount and shadowAccount).

    1. Under "Users", set the RecordName to "uid"
    2. I had to add a Record called "Group" to Users and assign "primaryUID" to it or the group of the user was not recognized (see the prior entry to this blog)
    3. Under "Group" add the RecordName-Attribute and assign cn to it or the Group was not recognized later on.

  7. Now close the dialog by hitting "OK" and then close the Next dialog too with "OK"
  8. Now select the "Authentication"-Tab and chose a "Custom" search path. Add your newly added LDAP-Server.
  9. Do the same with the Contacts-Tab - although I have not yet figured out how to get this to work.
  10. Hit "Apply"
  11. Reboot
The last step is very annoying: I had to experiment quite a bit with the mapping settings to finally get my LDAP-Groups recognized and get the right primary group assigned to LDAP-Users (it was always 0/wheel which is not what I wanted - not at all). There is no way to get the OS to recognize changes you make in the Direcotry Access Utility but to reboot the machine. I'm happy, OSX boots that fast. If it had been windows I'd stell be wating for the reboots to complete ;-)

What have I accomplished?

  • I can login with the LDAP-Accounts be selecting "other" in the Login-Screen and then entering username and password
  • I can su to any LDAP-Account
What still does not work:
  • passwd
  • Although I can set a new password in the system preferences, the changes do not get written back to the LDAP-Server

About the password-changing-problems, I will have a look at pam. Until then, I'm quite happy, I finally got it to work.

I really hope, someone will find this useful...

blog comments powered by Disqus