Mac OS X and OpenLDAP

It is about attributes

© 2014 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later

Index

    1. Introduction
      1. Open Directory
    2. The OpenLDAP additions
      1. Schemas
      2. ACLs
      3. Adding containers
    3. Making the Mac talk LDAP
      1. Connecting to OpenLDAP
      2. Denying SASL Mechanisms
    4. Mapping attributes

Introduction

There are a lot of documents on the Internet about how to tie a Mac OS X client to an OpenLDAP server. This document is my attempt at providing this information.

Open Directory

Open Directory (opendirectoryd) is a wrapper around several information stores, one of which can be an LDAP server. If an application needs to know a user's home directory, it asks Open Directory for that information, so Open Directory needs to know where to fetch it. That is what this document is about: how to configure Open Directory so that it knows where to retrieve the data, and especially how to tell it to obtain the data from our own OpenLDAP server, since we assume you already have an OpenLDAP infrastructure to begin with.

About assumptions, we make a couple more. We assume you have already included the samba.schema or samba.ldif schema file in your LDAP server. We also assume you use Simple Bind (-x) to access your LDAP server.

The OpenLDAP additions

Schemas

We have to extend OpenLDAP with some additional schema files. We will not blindly add the apple.schema file as provided by Apple, but provide our own version instead. The schema files mentioned here can all be downloaded from das.made-it.com. To load them in the correct order, make sure your slapd.conf looks something like this:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/rfc2307bis.schema
include         /etc/openldap/schema/microsoft-ad.schema
include         /etc/openldap/schema/asid-ldap-cache-draft.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/apple-od.schema

If your current slapd.conf includes nis.schema, you can safely replace it with the RFC2307bis schema; it contains the same attributes and classes, and a few more. The version you can download from the DAS Project already has the uidNumber and gidNumber attributes commented out, since these are built into OpenLDAP's slapd.

ACLs

Mac OS X 10.9.2 retrieves the userPassword attribute from the LDAP server, which means that an ACL like this in slapd.conf:

access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=manager,dc=example,dc=com" write
        by anonymous auth
        by * none

will not work. The Macs must be able to read the userPassword attribute, so I ended up doing this:

access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=manager,dc=example,dc=com" write
        by peername.ip=192.168.1.0%255.255.255.0 read
        by anonymous auth
        by * none

This allows every host on the local network to read the values of the password attributes. It is not ideal, but it at least makes it work. Note that sambaNTPassword and sambaLMPassword are unsalted hashes, so keep the peername.ip rule as narrow as you can (for instance, list the addresses of the Mac clients rather than the whole subnet).

Adding containers

Mac OS X searches the LDAP tree from the search base with the filter (&(objectClass=organizationalUnit)(ou=macosxodconfig)). To support serving the LDAP Mappings from the LDAP tree, we add this ou with:

dn: ou=macosxodconfig,ou=apps,dc=example,dc=com
ou: macosxodconfig
objectClass: top
objectClass: organizationalUnit

Later we will fill this container with the correct data.

Making the Mac talk LDAP

Connecting to OpenLDAP

From System Preferences, open the Users & Groups utility. Click Login Options and select the Join... button.

At the Server: prompt provide the FQDN or IP-address of your LDAP-server.

Click Continue if you get the message that no secure (SSL) connection could be found. Once the system has finished detecting the LDAP server, you should see the Network Account Server with a green dot in front of it. Note also the extra checked item that is added under Allow network users to log in.

Running:

sudo ls /Library/Preferences/OpenDirectory/Configurations/LDAPv3/

should show a plist file named after the server (<ldap-server>.plist).

In the Users & Groups utility click Edit... next to the Network Account Server.

Select the server and click Open Directory Utility...

Double-click the LDAPv3 line. Set the LDAP Mappings field to RFC2307 and supply the Search Base Suffix.

To finish this procedure click OK.

To make sure the machine uses our LDAP-server:

dscl localhost -list /LDAPv3

To check the user list:

dscl localhost -list /LDAPv3/<ldap-server>/Users

To make sure the SearchPath is right:

dscl /Search -read / CSPSearchPath

Edit /etc/auto_master and comment out the line that starts with /home, then run:

killall autofsd

Create the home directory of an LDAP user, with the correct access rights, and test with:

su - <LDAP-user>
pwd

If you messed up, delete the Network Account Server from the Users & Groups Utility and run:

sudo rm /Library/Preferences/OpenDirectory/DynamicData/LDAPv3/<ldap-server>.plist

Denying SASL Mechanisms

Since Mac OS X 10.7.2 (Lion), Open Directory attempts to connect to OpenLDAP via SASL mechanisms. If your OpenLDAP server uses Simple Bind, Lion will not fall back to that but will refuse to log you on. Versions before 10.7 only used Simple Bind and thus worked without problems.

Wireshark shows that the first thing a Mac does is connect to the LDAP server and read the root DSE (search base '', scope base, filter (objectClass=*)), requesting the attributes supportedSASLMechanisms, defaultNamingContext, schemaNamingContext and saslRealm.

If we mimic that with ldapsearch, asking only for supportedSASLMechanisms, it looks like this:

# ldapsearch -x -h localhost -b '' -D "cn=manager,dc=example,dc=com" -y /etc/secrets/ldap-manager.secret -s base -LLL "(objectclass=*)" supportedSASLMechanisms

Which results in something like this:

supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM

To make the Mac play nice again, run the following command on the Mac for every mechanism offered by your LDAP server (replace yourldapserver with the name of your LDAP server, and DIGEST-MD5 with each mechanism in turn):

/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string DIGEST-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist

Opendirectoryd.plist?
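An added example (not part of the original article) that chains the two steps above: it takes the mechanism list from the root DSE query and emits, or applies, one PlistBuddy command per mechanism, so none that the server advertises is forgotten. The plist path follows the article (yourldapserver is a placeholder), and it is assumed that the trailing colon in the article's PlistBuddy command appends to an array, which is therefore created first if missing.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: plist path as in the
# article ("yourldapserver" is a placeholder); the trailing colon in the article's
# PlistBuddy command appends to an array, so the array is created if it does not exist.
PLIST=${PLIST:-/Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist}
KEY=':module options:ldap:Denied SASL Methods'

# Read "ldapsearch -LLL" output on stdin; print the mechanism names one per line,
# sorted and de-duplicated.
sasl_mechs() {
    sed -n 's/^supportedSASLMechanisms:[[:space:]]*//p' | sort -u
}

# Print the PlistBuddy command that denies one mechanism ($1), quoted as in the article.
deny_cmd() {
    printf '/usr/libexec/PlistBuddy -c "add %s string %s" %s\n' "'$KEY:'" "$1" "$PLIST"
}

# Apply the change for one mechanism ($1) on this Mac (needs root to write the plist).
apply_deny() {
    # Creating the array fails harmlessly if it already exists.
    /usr/libexec/PlistBuddy -c "add '$KEY' array" "$PLIST" 2>/dev/null || true
    /usr/libexec/PlistBuddy -c "add '$KEY:' string $1" "$PLIST"
}

# Ask the root DSE of server $1 for the mechanisms it advertises. This binds anonymously;
# if your ACLs forbid that, add the -D/-y options from the article's ldapsearch.
query_mechs() {
    ldapsearch -x -h "$1" -b '' -s base -LLL '(objectclass=*)' supportedSASLMechanisms | sasl_mechs
}

# Usage: sh deny-sasl.sh ldap.example.com              print the commands (dry run)
#        sudo sh deny-sasl.sh ldap.example.com --apply  run them on this Mac
if [ $# -ge 1 ]; then
    query_mechs "$1" | while read -r mech; do
        if [ "${2:-}" = "--apply" ]; then apply_deny "$mech"; else deny_cmd "$mech"; fi
    done
fi
```

Run it without --apply first and compare the printed commands with the mechanism list from your own ldapsearch before applying them.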

Mapping attributes

Go back to the Directory Utility and select New...

Click the Search & Mappings tab. Set Access this LDAPv3 server using to Open Directory. For every record type in the left column, correct the Search Base to reflect your LDAP tree.

After that, make sure that Users uses the object classes inetOrgPerson, posixAccount, shadowAccount and apple-user.

Groups should be set to posixGroup and apple-group.

If you want to make more adjustments, go ahead. When you are done, select Save Template...

Create an LDIF-file like this:

dn: ou=macosxodconfig,ou=apps,dc=example,dc=com
changetype: modify
add: description
description:< file:///home/admin/Documents/Template.plist

Adjust the DN and the file path to your local situation.

Use the following command to add the Template.plist to your LDAP tree:

ldapmodify -x -h ldap.example.com -D "cn=manager,dc=example,dc=com" -W -f macosxodconfig.ldif
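An added example (not part of the original article) that builds the same modify-LDIF with the template embedded as base64 (the description:: form) instead of referencing it with description:< file://, so the LDIF is self-contained and can be piped to the LDAP server, and that decodes the attribute back from ldapsearch output to confirm what the clients will fetch. The DN, server name and file names are assumptions taken from the article's examples.

```shell
#!/bin/sh
# Added example, not from the original article. The description:< file:// form makes
# ldapmodify read the file itself; the description:: base64 form built here carries the
# same value but keeps the LDIF self-contained. DN and file names are assumptions.

# Base64-encode a file on a single line (portable across GNU and BSD base64).
b64_file() {
    base64 < "$1" | tr -d '\n'
}

# Emit the LDIF. $1 = DN of the ou=macosxodconfig container, $2 = path to Template.plist.
# The value is left unfolded; RFC 2849 only recommends folding and ldapmodify accepts it.
template_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: description\ndescription:: %s\n' \
        "$1" "$(b64_file "$2")"
}

# Recover the plist from "ldapsearch -LLL" output on stdin (description:: <base64>).
# Folded continuation lines (leading space) are joined before the value is decoded.
template_from_ldif() {
    sed -e ':a' -e 'N' -e '$!ba' -e 's/\n //g' \
        | sed -n 's/^description:: //p' | base64 --decode
}

# Print the ldapsearch that uses the same filter the Mac uses to find the container,
# so the stored description can be checked after the ldapmodify. $1 = server, $2 = base.
verify_cmd() {
    printf "ldapsearch -x -h %s -b %s -LLL '(&(objectClass=organizationalUnit)(ou=macosxodconfig))' description\n" "$1" "$2"
}

# Usage: sh template-ldif.sh 'ou=macosxodconfig,ou=apps,dc=example,dc=com' Template.plist > macosxodconfig.ldif
if [ $# -eq 2 ]; then
    template_ldif "$1" "$2"
fi
```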

On the other clients you can now set the LDAP Mappings setting to From Server instead of RFC2307.

The client will only ask for the Search Base and figure out the rest from the stored template.