Greetings,
I have a directory I set up for a client that uses OpenLDAP for single sign-on for several web applications and email, but I’m hoping to get it to work for their computer lab as well (all OS X El Capitan machines).
It’s unclear to me whether I truly need to add the apple/samba schemas to OpenLDAP to appease OS X, or whether I can map more standard attributes from the cosine etc schema to whatever OS X is looking for.
I’ve read many blog posts and have yet to find documentation that I think covers all the bases, including these:
http://pig.made-it.com/ldap-mac.html
http://vuksan.com/linux/mac-os-x-ldap/openldap-mac-os-x-authentication.html
https://hermanbanken.nl/2011/01/22/openldap-server-mac-osx-clients/
http://www.hawaii.edu/askus/1625
It seems like OS X changes may have rendered some of the existing blogs/documents out there outdated.
We are willing to hire someone to help with getting this set up.
Regards,
Kevin Long
Kevin Long kevin.long@haloprivacy.com writes:
> It’s unclear to me whether I truly need to add the apple/samba schemas to OpenLDAP to appease OS X, or whether I can map more standard attributes from the cosine etc schema to whatever OS X is looking for.
All my users have samba schema (because I also use samba), but they do not have apple schema.
They can still authenticate on the iMac.
The last time I reinstalled Mac OS X was El Capitan. I wrote the following to remember what I needed to do: https://www.cs.ait.ac.th/~on/technotes/archives/2015/12/02/configuring_mac_o...
The file mentioned there is below. It contains 3 parts:
- what LDAP server is managing the authentication and how to access it; I am using LDAPS, you may have to change that for TLS
- what is the attribute mapping between Mac OS X's own version of LDAP and real OpenLDAP
- the part about SASL disabled authentication: I cannot remember what it means, but I know it was important (like I wasted way too much time figuring that out).
I hope the information helps. It's free, but if you are hiring on that problem, I can pretend I did not tell you and do the job :)
Best regards,
Olivier
Dict {
  mappings = Dict {
    template = LDAPv3
    function = ldap:translate_recordtype
    attributes = Array { objectClass }
    recordtypes = Dict {
      dsRecTypeStandard:Users = Dict {
        attributetypes = Dict {
          dsAttrTypeStandard:ModificationTimestamp = Dict { native = modifyTimestamp }
          dsAttrTypeStandard:Expire = Dict { native = shadowExpire }
          dsAttrTypeStandard:CreationTimestamp = Dict { native = createTimestamp }
          dsAttrTypeStandard:Change = Dict { native = shadowLastChange }
          dsAttrTypeStandard:UserShell = Dict { native = loginShell }
          dsAttrTypeStandard:PrimaryGroupID = Dict { native = gidNumber }
          dsAttrTypeStandard:RecordName = Dict { native = uid }
          dsAttrTypeStandard:UniqueID = Dict { native = uidNumber }
          dsAttrTypeStandard:Password = Dict { native = userPassword }
          dsAttrTypeStandard:Comment = Dict { native = description }
          dsAttrTypeStandard:RealName = Dict { native = gecos }
          dsAttrTypeStandard:NFSHomeDirectory = Dict { native = homeDirectory }
        }
        info = Dict {
          Group Object Classes = OR
          Object Classes = Array { posixAccount inetOrgPerson shadowAccount }
          Search Base = dc=cs,dc=ait,dc=ac,dc=th
        }
      }
      dsRecTypeStandard:People = Dict {
        attributetypes = Dict {
          dsAttrTypeStandard:RealName = Dict { native = gecos }
          dsAttrTypeStandard:MobileNumber = Dict { native = mobile }
          dsAttrTypeStandard:State = Dict { native = st }
          dsAttrTypeStandard:JobTitle = Dict { native = title }
          dsAttrTypeStandard:UserCertificate = Dict { native = userCertificate;binary }
          dsAttrTypeStandard:UserPKCS12Data = Dict { native = userPKCS12 }
          dsAttrTypeStandard:Country = Dict { native = c }
          dsAttrTypeStandard:PagerNumber = Dict { native = pager }
          dsAttrTypeStandard:PostalCode = Dict { native = postalCode }
          dsAttrTypeStandard:Street = Dict { native = street }
          dsAttrTypeStandard:FirstName = Dict { native = givenName }
          dsAttrTypeStandard:OrganizationName = Dict { native = o }
          dsAttrTypeStandard:PhoneNumber = Dict { native = telephoneNumber }
          dsAttrTypeStandard:RecordName = Dict { native = cn }
          dsAttrTypeStandard:City = Dict { native = l }
          dsAttrTypeStandard:FAXNumber = Dict { native = facsimileTelephoneNumber }
          dsAttrTypeStandard:ModificationTimestamp = Dict { native = modifyTimestamp }
          dsAttrTypeStandard:UserSMIMECertificate = Dict { native = userSMIMECertificate }
          dsAttrTypeStandard:Building = Dict { native = buildingName }
          dsAttrTypeStandard:Department = Dict { native = departmentNumber }
          dsAttrTypeStandard:AddressLine1 = Dict { native = street }
          dsAttrTypeStandard:HomePhoneNumber = Dict { native = homePhone }
          dsAttrTypeStandard:LastName = Dict { native = sn }
          dsAttrTypeStandard:CreationTimestamp = Dict { native = createTimestamp }
          dsAttrTypeStandard:EMailAddress = Dict { native = mail }
          dsAttrTypeStandard:PostalAddress = Dict { native = postalAddress }
        }
        info = Dict {
          Group Object Classes = OR
          Object Classes = Array { inetOrgPerson }
          Search Base = dc=cs,dc=ait,dc=ac,dc=th
        }
      }
      dsRecTypeStandard:Mounts = Dict {
        attributetypes = Dict {
          dsAttrTypeStandard:VFSDumpFreq = Dict { native = mountDumpFrequency }
          dsAttrTypeStandard:CreationTimestamp = Dict { native = createTimestamp }
          dsAttrTypeStandard:VFSType = Dict { native = mountType }
          dsAttrTypeStandard:VFSLinkDir = Dict { native = mountDirectory }
          dsAttrTypeStandard:RecordName = Dict { native = cn }
          dsAttrTypeStandard:VFSPassNo = Dict { native = mountPassNo }
          dsAttrTypeStandard:VFSOpts = Dict { native = mountOption }
          dsAttrTypeStandard:ModificationTimestamp = Dict { native = modifyTimestamp }
        }
        info = Dict {
          Group Object Classes = OR
          Object Classes = Array { mount }
          Search Base = dc=cs,dc=ait,dc=ac,dc=th
        }
      }
      dsRecTypeStandard:CertificateAuthorities = Dict {
        attributetypes = Dict {
          dsAttrTypeStandard:AuthorityRevocationList = Dict { native = authorityRevocationList;binary }
          dsAttrTypeStandard:CreationTimestamp = Dict { native = createTimestamp }
          dsAttrTypeStandard:CertificateRevocationList = Dict { native = certificateRevocationList;binary }
          dsAttrTypeStandard:CrossCertificatePair = Dict { native = crossCertificatePair;binary }
          dsAttrTypeStandard:RecordName = Dict { native = cn }
          dsAttrTypeStandard:ModificationTimestamp = Dict { native = modifyTimestamp }
          dsAttrTypeStandard:CACertificate = Dict { native = cACertificate;binary }
        }
        info = Dict {
          Group Object Classes = OR
          Object Classes = Array { certificationAuthority }
          Search Base = dc=cs,dc=ait,dc=ac,dc=th
        }
      }
      dsRecTypeStandard:Automount = Dict {
        attributetypes = Dict {
          dsAttrTypeStandard:RecordName = Dict { native = automountKey }
          dsAttrTypeStandard:CreationTimestamp = Dict { native = createTimestamp }
          dsAttrTypeStandard:AutomountInformation = Dict { native = automountInformation }
          dsAttrTypeStandard:Comment = Dict { native = description }
          dsAttrTypeStandard:ModificationTimestamp = Dict { native = modifyTimestamp }
        }
        info = Dict {
          Group Object Classes = OR
          Object Classes = Array { automount }
          Search Base = dc=cs,dc=ait,dc=ac,dc=th
        }
      }
      dsRecTypeStandard:Groups = Dict {
        attributetypes = Dict {
          dsAttrTypeStandard:RecordName = Dict { native = cn }
          dsAttrTypeStandard:PrimaryGroupID = Dict { native = gidNumber }
          dsAttrTypeStandard:GroupMembership = Dict { native = memberUid }
          dsAttrTypeStandard:CreationTimestamp = Dict { native = createTimestamp }
          dsAttrTypeStandard:ModificationTimestamp = Dict { native = modifyTimestamp }
          dsAttrTypeStandard:Member = Dict { native = memberUid }
        }
        info = Dict {
          Group Object Classes = OR
          Object Classes = Array { posixGroup }
          Search Base = dc=XXXXXXXXXXXXXXXXXXXXXXXXXXXX
        }
      }
      dsRecTypeStandard:AutomountMap = Dict {
        attributetypes = Dict {
          dsAttrTypeStandard:RecordName = Dict { native = automountMapName }
          dsAttrTypeStandard:CreationTimestamp = Dict { native = createTimestamp }
          dsAttrTypeStandard:ModificationTimestamp = Dict { native = modifyTimestamp }
          dsAttrTypeStandard:Comment = Dict { native = description }
        }
        info = Dict {
          Group Object Classes = OR
          Object Classes = Array { automountMap }
          Search Base = dc=XXXXXXXXXXXX
        }
      }
    }
  }
  trusttype = anonymous
  module options = Dict {
    AppleODClient = Dict { Server Mappings = false }
    ldap = Dict {
      Use DNS replicas = false
      Denied SASL Methods = Array { DIGEST-MD5 GSSAPI CRAM-MD5 NTLM }
      Template Search Base Suffix = dc=XXXXXXXXXXXXXXXXXX
    }
  }
  node name = /LDAPv3/ldap2.cs.ait.ac.th
  description = CSIM
  options = Dict {
    man-in-the-middle = false
    connection setup timeout = 15
    destination = Dict { other = ldaps host = ldap2.cs.ait.ac.th port = 636 }
    packet encryption = 3
    no cleartext authentication = true
    packet signing = 1
    query timeout = 120
    connection idle disconnect = 120
  }
  template = LDAPv3
  uuid = XXXXXXXXXXXXXXXXXXXXXX
}
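An added example, not code from either poster: a small parser for the "Dict { key = value ... }" dump format shown above, plus a few checks a reviewer would run on the parsed node configuration (LDAPS on 636, cleartext binds refused, anonymous search bind). The sample text is constructed from values in Olivier's dump; the check wording and the `audit` helper are my own assumptions.

```python
# Added example (not from the thread). SAMPLE is a constructed, trimmed copy of
# the posted node configuration; audit() applies my own review checks to it.

SAMPLE = """Dict { node name = /LDAPv3/ldap2.cs.ait.ac.th trusttype = anonymous
module options = Dict { ldap = Dict { Denied SASL Methods = Array { DIGEST-MD5 GSSAPI CRAM-MD5 NTLM } } }
options = Dict { man-in-the-middle = false no cleartext authentication = true
destination = Dict { other = ldaps host = ldap2.cs.ait.ac.th port = 636 } } template = LDAPv3 }"""


def parse_value(tokens, pos):
    """Parse the value at tokens[pos]: a nested Dict, an Array, or one bare token."""
    tok = tokens[pos]
    if tok in ("Dict", "Array") and tokens[pos + 1] == "{":
        if tok == "Dict":
            return parse_dict(tokens, pos + 2)
        items, pos = [], pos + 2
        while tokens[pos] != "}":          # Array members are bare tokens
            items.append(tokens[pos])
            pos += 1
        return items, pos + 1
    return tok, pos + 1


def parse_dict(tokens, pos):
    """Read 'key = value' pairs up to the closing brace; keys may contain spaces."""
    result = {}
    while tokens[pos] != "}":
        key = []
        while tokens[pos] != "=":          # key runs up to the '=' sign
            key.append(tokens[pos])
            pos += 1
        value, pos = parse_value(tokens, pos + 1)
        result[" ".join(key)] = value
    return result, pos + 1


def parse_dump(text):
    """Whitespace-tokenise the dump and parse the top-level Dict."""
    return parse_value(text.split(), 0)[0]


def audit(cfg):
    """Return review findings for the client's connection settings ([] = all passed)."""
    findings = []
    opts = cfg.get("options", {})
    dest = opts.get("destination", {})
    if dest.get("other") != "ldaps" or dest.get("port") != "636":
        findings.append("client is not pinned to LDAPS on port 636")
    if opts.get("no cleartext authentication") != "true":
        findings.append("cleartext binds are permitted")
    if cfg.get("trusttype") == "anonymous":
        findings.append("searches use an anonymous bind: server ACLs must allow reading the mapped attributes")
    return findings
```

The anonymous-bind line is informational rather than a defect: it mirrors the posted `trusttype = anonymous` and reminds you that the OpenLDAP ACLs, not the client, decide which attributes such a bind may read.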
openldap-technical@openldap.org