It is about attributes
© 2014 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later
There are a lots of documents on the Internet about how to tie a Mac OS X client to an OpenLDAP server. This document is my attempt to providing this information.
Open Directory (opendirectoryd) is a wrapper around several information stores, one of which is can be a LDAP-server. If an application needs to know the users home-directory it asks Open Directory to get that information, so Open Directory needs to know where to fetch that. This is what this document is about. How to cofigure Open Directory in such a way that it knows where to retrieve the data and especially how to tell it to obtain the data from our own OpenLDAP server, since we assume that you already have an OpenLDAP-infrastructure to begin with.
About assumtions, we make a couple more. We assume you have already included the samba.schema or samba.ldif schema-file within your LDAP-server. We also assume you use Simple Bind (-x) to access your LDAP-server.
We have to extend OpenLDAP with some additional schema files. We will not blindly add the Mac OS X apple.schema file as provided by Apple, but we provide our own version. The mentioned schema files can all be downloaded from das.made-it.com. To load them in the correct order make sure your slapd.conf looks something like this:
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/rfc2307bis.schema include /etc/openldap/schema/microsoft-ad.schema include /etc/openldap/schema/asid-ldap-cache-draft.schema include /etc/openldap/schema/samba.schema include /etc/openldap/schema/apple-od.schemaIf your current slapd.conf includes nis.schema you can safely replace that with the RFC2307bis schema, it contains the same attributes and classes, and a bit more. The one you can download from DAS Project has already commented out the uidNumber and gidNumber attributes, since these are OpenLDAP slapd builtins.
Mac OS 10.9.2 retrieves the userPassword from the LDAP-server that means that an ACL in the slapd.conf like this:
access to attrs=userPassword,sambaNTPassword,sambaLMPassword by dn="cn=manager,dc=example,dc=com" write by anonymous auth by * nonewill not work. The Mac's should be able to read the userPassword field so I ended up doing this:
access to attrs=userPassword,sambaNTPassword,sambaLMPassword by dn="cn=manager,dc=example,dc=com" write by peername.ip=192.168.1.0%255.255.255.0 read by anonymous auth by * noneThis allows the entire local network to read the values of the password fields. It's not ideal but it at least makes it work.
Mac OS X searches the LDAP-tree using the base and filtering on: (&(objectClass=organizationalUnit)(ou=macosxodconfig)), to support having the LDAP Mappings in the LDAP-tree we add this ou with:
dn: ou=macosxodconfig,ou=apps,dc=example,dc=com ou: macosxodconfig objectClass: top objectClass: organizationalUnitLater we will fill this with the correct data.
From System Preferences select the Users & Groups utility. Click on Login Options and select the Join... button:
At the Server: prompt provide the FQDN or IP-address of your LDAP-server.
Click Continue if you get the messages that no secure (SSL) connection can be found. After the system is ready detecting the LDAP-server you should see the Network Account Server with a green dot in front of it. Note also the extra checked element that is added to Allow network users to log in.
sudo ls /Library/Preferences/OpenDirectory/Configurations/LDAPv3/should show the server-name.plist file.
In the Users & Groups utility click Edit... behind the Network Account Server.
Select the server and click Open Directory Utility...
Double Click the LDAPv3 line. Set the LDAP Mappings field to RFC2307 and supply the Search Base Suffix.
To finish this procedure click Ok.
To make sure the machine uses our LDAP-server:
dscl localhost -list /LDAPv3
To check the user list:
dscl localhost -list /LDAPv3/<ldap-server>/Users
To make sure the SearchPath is right:
dscl /Search -read / CSPSearchPath
Edit /etc/auto_master and comment the line that starts with /home, then
Create the home directory of an LDAP-user, with the correct access rights, and test with:
su - <LDAP-user> pwd
If you messed up, delete the Network Account Server from the Users & Groups Utility and run:
sudo rm /Library/Preferences/OpenDirectory/DynamicData/LDAPv3/<ldap-server>.plist
Since Mac OS X 10.7.2 (Lion) Open Directory will attempt to connect to OpenLDAP via SASL mechanisms. If your OpenLDAP server uses Simple Bind Lion will not fall back to that, but will refuse to log you on. Versions before 10.7 only used Simple Bind and thus worked without problems.
Wireshark shows that the first thing a Mac does is connecting to the LDAP server and asking the server root to filter on (objectClass=*) and requesting supportedSASLMechanisms, defaultNamingContext, schemaNamingContext and saslRealm.
If we mimick that with ldapsearch for the supportedSASLMechanisms it would look like this:
# ldapsearch -x -h localhost -b '' -D "cn=manager,dc=example,dc=com" -y /etc/secrets/ldap-manager.secret -s base -LLL "(objectclass=*)" supportedSASLMechanismsWhich results in something like this:
supportedSASLMechanisms: DIGEST-MD5 supportedSASLMechanisms: GSSAPI supportedSASLMechanisms: CRAM-MD5 supportedSASLMechanisms: NTLM
To make the Mac play nice again, we have to run the following command on the Mac (replace yourldapserver with the name of of your LDAP server) for every mechanism offered by your LDAP server:
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string DIGEST-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist Opendirectoryd.plist?
Go back to the Directory Utility and at:
Click the Search & Mappings tab. Set the Access this LDAPv3 server using to Open Directory. Per entry in the left column correct the Search Base to reflect the DLAP-tree.
After that make sure that Users uses: inetOrgPerson, posixAccount, shadowAccount and apple-user.
Groups should be set to: posixGroup and apple-group
If you like to make more adjustments go ahead. When you are done select Save Template...
Create an LDIF-file like this:
dn: ou=macosxodconfig,ou=apps,dc=example,dc=com changetype: modify add: description description:< file:///home/admin/Documents/Template.plistAdjust the DN and the file path to your local situation.
ldapmodify -x -h ldap.example.com -D "cn=manager,dc=example,dc=com" -W -f macosxodconfig.ldifTo add the Template.plist to your LDAP-tree.
On the other clients you can now set the LDAP Mappings setting to From Server instead of RFC2307.
The client will request for the Search Base and figures out the rest.