
OS X Client LDAP setup.

This section will help you get your Mac OS X clients ready to work with the LDAP server you already have up and running. These instructions assume OUR setup, as documented in the Server-LDAP section of this site. As stated there, our LDAP server is running Debian Linux and OpenLDAP. If you are using another system, you will have to adjust these instructions accordingly to work with your system.

So, on your Mac, as the admin user, open up /Applications/Utilities/Directory Access. This is the program that sets up your Mac to work with some sort of authentication server, be it an OS X server, a Windows server, or an LDAP server as we have done. The first screen you will see looks like this one.

1) Click the lock at the bottom of the window to authenticate. Then disable LDAPv2. The reason we disable LDAPv2 is because we want to specifically use LDAPv3, so we decided to manually disable LDAPv2 to make sure we don't have any problems. It would probably be OK to disable the other services you are not using, but we didn't bother with that.



2) Select LDAPv3 and click the Configure button at the bottom. This pulls up the screen below. Configure an LDAP setup like we show below. Uncheck DHCP-supplied server. Show the options if they are not shown. Then click the New button to create a new LDAP entry.

Click the Enable check box if it is not already checked. Select the Configuration Name field and name it accordingly for your server. Select the Server Name or IP Address field and change it to match your server accordingly.



3) Select the LDAP Mappings drop-down menu and choose RFC 2307 (Unix). These are the default Unix search mappings for LDAP. When you choose this, the following window will open. Configure the search base accordingly for your server. The syntax is the same as a DNS server name, except that each section is preceded by dc=. So, for our server, its DNS name is ldap.cs.dixie.edu, so for the search base we put dc=ldap, dc=cs, dc=dixie, dc=edu. Click OK to continue.



4) Now you are back at the previous screen with your new LDAP configuration. Now, click Edit... to edit that configuration. The Configuration Name and Server Name or IP Address fields should have values from the previous steps. Everything else stays at the defaults, except that you should check the Use authentication when connecting checkbox.

For the Distinguished Name field, use the following syntax. First, put cn= followed by the name the machine will connect as. For our system all machines connect as "admin". We are looking into changing this, and you may need to based on your LDAP setup. So, if the machine were to connect as admin, you would start the entry as cn=admin. The rest of the entry uses the same format as the above step, using the DNS name. So, continuing with our example, the entry would be cn=admin, dc=ldap, dc=cs, dc=dixie, dc=edu. Then, enter the password for the LDAP user you are connecting as (admin in our example).

NOTE:
So far, everything I have read says that the current LDAP implementation in OS X does not work with SSL (Secure Sockets Layer). The option for SSL is there, but from what I have read it does not work. There is a security risk involved with not using SSL, as the password is not encrypted when sent to the server.



5) Everything in the Search & Mappings tab should be OK to leave at the default as long as you chose the RFC 2307 (Unix) option in the previous step. If you did not do that, do it here. Click OK to continue.



6) For the final step, you should now be back at the original Directory Access window. Click the Authentication tab. In the drop-down menu, choose Custom path. At the bottom, choose Add. A window will open showing you all of your available connection configurations (which will ONLY be the LDAP setting we just made, unless you have done other settings here previously).

You can change the order of the entries in this list, but the default /NetInfo/root must always be at the top. When authenticating, the Mac will ALWAYS check the local users first. If no local user is found that matches the one trying to log in, then it goes to the next level in this search path. You can add as many LDAP servers, or other authentication services, as you wish here. The Mac will check them one by one down the list until it finds a user that matches the one logging in. Click the Apply button, save and exit, and you are finished. Restart the Mac to use the new settings.



LDAP is not nearly as touchy as NFS on the Mac. When you are finished, and after you have restarted, you can test it in the following way (assuming your LDAP server is up and running correctly and has users added to it). Open up the Terminal and type id username, where username is the username of a user in the LDAP database. If the LDAP configuration is working correctly, it will return various information about that user. If it is not working, it will return "no such user".
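The steps above and this test, as an added shell example that is not from the original site: it derives the search base and Distinguished Name of steps 3 and 4 from a DNS name, runs the same RFC 2307 lookup with OpenLDAP's ldapsearch, and wraps the id check from this paragraph. The server name, bind user and user name are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the original site). Assumes the client has been
# configured and restarted as described above and that ldapsearch from
# OpenLDAP is installed. All names passed in are placeholders.

# Step 3 syntax: ldap.cs.dixie.edu -> dc=ldap,dc=cs,dc=dixie,dc=edu
# (the page writes a space after each comma; LDAP accepts both forms)
dn_from_fqdn() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    dn=""
    for part; do
        dn="${dn:+$dn,}dc=$part"
    done
    printf '%s\n' "$dn"
}

# Step 4 syntax: cn=<bind user>,<search base>
bind_dn() {
    printf 'cn=%s,%s\n' "$1" "$(dn_from_fqdn "$2")"
}

# What Directory Access does under the hood: a simple bind (-x) as the
# admin DN over plain LDAP and a posixAccount lookup with RFC 2307
# attributes. The page's SSL note applies: the bind password crosses the
# wire unencrypted. -W prompts for it instead of putting it on the
# command line, where ps would show it to other users of the machine.
# usage: ldap_lookup server_fqdn bind_user username
ldap_lookup() {
    ldapsearch -x -H "ldap://$1" -b "$(dn_from_fqdn "$1")" \
        -D "$(bind_dn "$2" "$1")" -W \
        "(&(objectClass=posixAccount)(uid=$3))" \
        uid uidNumber gidNumber homeDirectory loginShell
}

# The page's own test after the restart: "id username".
# Exit status 0 when the user resolves (locally or via the search path),
# non-zero when id reports "no such user".
user_resolves() {
    id "$1" >/dev/null 2>&1
}

# Demo with the page's own server name: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    dn_from_fqdn ldap.cs.dixie.edu
    bind_dn admin ldap.cs.dixie.edu
fi
```

Run ldap_lookup from a client that cannot resolve a user with id: an empty result means the entry is missing or not a posixAccount, while a bind error points at the Distinguished Name or password from step 4.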

If LDAP is not working correctly, the rest of the machine will function normally for local users. At this point, even if you do not have the NFS mounts working, a user from the LDAP database can log in and use the machine. They will be given a default home directory which they do NOT have write privileges to.