macdevcenter.com
oreilly.comSafari Books Online.Conferences.

advertisement

AddThis Social Bookmark Button

LDAP in Mac OS X Server

by Tony Williams
05/25/2004

When you think of network services and their clients, you don't often think about the information that has to be stored about, or on behalf, of each of those clients. Your mail server and file server, for example, have to know the user name and password of every user. You may also have a web server that requires similar information. You may even want all the computers in your network to be able to use the same login information to authenticate users.

These are typical of the problems that "directory services" were developed to solve. In this article I'm going to explain how we can solve them using Mac OS X.

The granddaddy of directory services was X.500. Unfortunately the X.500 standard proved difficult to implement and overkill for most real-world requirements.

So a simpler version was developed: the Lightweight Directory Access Protocol or LDAP. OS X has the OpenLDAP server and utilities installed. Mac OS X has a number of utilities from Apple that make controlling, configuring, and adding data to your LDAP server easier. These are half the key components (Kerberos and some parts of Samba provide the other half) of what Apple calls Open Directory v2 in OS X 10.3. For more technical information and a copy of Apple's Open Directory Administration Guide, I recommend Apple Support's Open Directory page.

Related Reading

Running Mac OS X Panther
Inside Mac OS X's Core
By James Duncan Davidson

People often confuse an LDAP server with a database, indeed most LDAP servers use a database (in our case Berkeley DB) to store the information, but LDAP uses a different model of the data. LDAP uses a tree model called the Directory Information Tree (DIT) and we can imagine each entry as either a fork or a leaf on the tree (an inner or outer node in geek speak).

An entry contains one or more objectClasses. An objectClass has certain required or optional attributes. Attributes (or more specifically, their types) have a particular encoding and rules that determine things like how they should be searched and the type of data they contain. This is defined in a schema. Open Directory uses both Internet standard schemas and a number of extensions from Apple.

Getting LDAP Running

OpenLDAP is running by default in Mac OS X Server, so we only have to make sure that it came up OK and change the settings for our purposes. Open the Server Admin application and connect to your server. In the list of services in the left-hand pane click on Open Directory and it will open to the Overview pane on the right. This should list all the parts of Open Directory as Running; for our purposes we need the LDAP server and the Kerberos KDC running.

You may discover that the KDC is not running; if so, this is probably due to the base paranoia of Kerberos. If the Kerberos realm name does not return the same IP address as the machine, and if the KDC does a DNS lookup, then the KDC will not run as a daemon and will exit. By default the Kerberos realm name will be the full host name of the computer. For this, and similar reasons, I always give my servers a specific name (such as server1.company.com) and make sure this is properly added to my DNS before I start installing the OS software on a new server. If you have changed something so that this is no longer true, then add the host name of the server to your DNS and reboot to get KDC running.

Once we've done that, it's time to get all the settings correct, so click on the Settings button. We'll now see the General pane. Set the Role to Open Directory Master, making sure that the Kerberos realm is set right and the search base is set to dc=company,dc=com. Click on the Protocols button, and you should see that the search base is the same and everything else has sane settings.

The final pane is Authentication where you set such things as password and account timeout. Set these according to your own institutional paranoia and we are all set. Click the Save button and exit from Server Admin.

Our first task now is to populate our LDAP server with the account information we need to authenticate our users and provide them with a served home directory and mail address.

The easiest way to do this (and that's using "easiest" loosely) is with Apple's Workgroup Manager. Unfortunately this application has a fair number of peculiarities, but we can easily work around them. Open the WorkGroup Manager and connect to your LDAP server.

Before we can add our users we need to make sure they can get to their home folders. Click on the Sharing icon in the top bar. Then in the left pane select the Users folder. In the General pane click on "Share this item and contents." As I can be a little paranoid, I then select the Protocol pane and make sure "Allow AFP guest access" is selected in AppleShare and that none of the other protocols are active.

Now click on the Accounts button. Even if you are importing your users from another computer, you should start by creating a user by hand so that you can create a Preset.

The first decision you have to make is what the "short name" of your users will be. The short name is used for both the users home folder and their email address. If you have existing users that are being imported from AppleShare IP, then the users' "Internet names" will be used by the import process. At my company we use the person's full name with spaces replaced by underscores.

Pages: 1, 2

Next Pagearrow