More LDAP in Mac OS X Server

by Tony Williams
06/18/2004

After the last article in this series, you now have your OpenLDAP server running smoothly, and it's providing authentication to any Mac OS X computer in your network. Kerberos is up and running, so you get single sign-on for file sharing. What next?

First, how about getting all those addresses working properly with Address Book and SquirrelMail? Due to another slew of "features" in Apple's integration of WorkGroup Manager and LDAP, the records it creates in our LDAP server are far from ideal to use in email applications. For starters, they don't have email addresses. While this isn't a problem in Mail (if your user's "short name" and email address are the same and you all live in the one domain), it is a problem with other email clients, including SquirrelMail.

In my last article, I suggested that you could fix the problems in the information Apple's WorkGroup Manager writes to the LDAP server by editing the records by hand and fixing the sn and givenName attributes. Well, you need a little more than that to get it all working well with both SquirrelMail and Address Book. To solve the problem, I delved into my toolbox and wrote a Perl script to give you a hand. In my company, a person's user name is their first name and last name joined by an underscore, so I could do it all in one go with my script. If you have some other system, then you'll need to make some small changes to my script, and perhaps do some editing by hand.

To get the script working, you'll need to use cpan to load the Net::LDAP module. Using sudo cpan -i Net::LDAP at a terminal prompt should get that done. Watch it, though, as it may well ask if you'd like to load one or two other modules on which it depends. If it does then just say yes -- none are terribly large or hard for the Mac OS X Server to digest.


#!/usr/bin/perl

use strict;
use warnings;
use Net::LDAP;

#config here
my $server = "ldap.example.com";
my $base   = "cn=users,dc=example,dc=com";
# server part of mail address (single quotes: in double quotes "@example"
# would be interpolated as an array and the domain would vanish)
my $mail = '@example.com';
# end config

my $ldap = Net::LDAP->new( $server ) or die "$@";
# simple bind: the admin password travels in clear unless you use ldaps
# or start_tls, and it sits in this file, so keep the file readable only by you
my $mesg = $ldap->bind('uid=admin,cn=users,dc=example,dc=com',
					password => 'secret');
$mesg->code && die $mesg->error;
$mesg = $ldap->search( base => $base,
	filter => '(uid=*)',
	);

$mesg->code && die $mesg->error;

foreach my $entry ($mesg->all_entries) {
	my $id = $entry->get_value('uid');
	my ($first, $last);

	# if uid is First_Last use next line
	($first, $last) = split('_', $id);

	# if givenName and sn are set use next line
	# $first = $entry->get_value('givenName'); $last = $entry->get_value('sn');

	# skip anything that did not yield a surname (e.g. uid without an underscore)
	unless (defined $last) { warn "Skipping $id: no last name found\n"; next }

	# edit this according to your desires
	# if you have already fixed sn and givenName then comment out
	# the appropriate lines below
	# I use cn="$last $first" as that sorts properly in SquirrelMail

	$mesg = $ldap->modify( $entry->dn, changes => [
		replace => [
			sn  => $last,
			cn => "$last $first"
		],
		add => [
			givenName => $first,
			mail => "$id$mail"
		]
	]);
	# report a failed modify (e.g. 'add' of an attribute that already exists) and carry on
	if ($mesg->code) { warn "Failed $id: ", $mesg->error, "\n" }
	else             { print "Modified $id\n" }
	}

$mesg = $ldap->unbind;   # take down session

Save the code as ldap.pl, alter to taste, and then enter perl ldap.pl at the terminal prompt. I left in a line to print something to the terminal for each user so you can watch it go.
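As an added example (not from the article), the Perl below works out the modify operations for each uid from the attributes the entry already holds, so an attribute that is already set is replaced rather than added (a plain add of an existing attribute fails with attributeOrValueExists), and uids that do not follow the First_Last convention are skipped instead of getting a half-empty name. The sample records and the rule that the last underscore-separated component is the surname are my assumptions; it runs offline against the constructed records.

```perl
#!/usr/bin/perl
use strict; use warnings;

# Constructed sample records standing in for Net::LDAP entries, as uid =>
# { attribute => [values] }; from a live entry build this with $entry->attributes.
my %sample = (
    'tony_williams'   => { cn => ['tony_williams'], sn => ['tony_williams'] },
    'mary_anne_smith' => { cn => ['mary_anne_smith'], sn => ['mary_anne_smith'],
                           mail => ['mary_anne_smith@example.com'] },
    'admin'           => { cn => ['Directory Administrator'] },
);
my $mail = '@example.com';   # single quotes: "@example" would interpolate an array

# Work out the Net::LDAP 'changes' list for one uid from the attributes it
# already has.  Returns undef for uids that are not First_Last so the caller
# can skip them instead of writing a half-empty name into the directory.
sub plan_changes {
    my ($id, $have, $domain) = @_;
    my @parts = split /_/, $id;
    return if @parts < 2;
    my $last  = pop @parts;              # last component is the surname (assumed)
    my $first = join ' ', @parts;        # "mary_anne_smith" -> "mary anne"
    my %want = (
        givenName => $first,
        sn        => $last,
        cn        => "$last $first",     # sorts by surname in SquirrelMail
        mail      => "$id$domain",
    );
    my (@replace, @add);
    for my $attr (sort keys %want) {
        # 'add' fails with attributeOrValueExists when the attribute is present,
        # so pick the operation from what the entry already holds.
        if (exists $have->{$attr}) { push @replace, $attr => $want{$attr} }
        else                       { push @add,     $attr => $want{$attr} }
    }
    my @changes;
    push @changes, replace => \@replace if @replace;
    push @changes, add     => \@add     if @add;
    return \@changes;
}

for my $id (sort keys %sample) {
    my $changes = plan_changes($id, $sample{$id}, $mail);
    if (!$changes) { print "skip $id: uid is not First_Last\n"; next }
    # against a live server: $ldap->modify($dn, changes => $changes), then check $mesg->code
    for (my $i = 0; $i < @$changes; $i += 2) {
        my ($op, $attrs) = @{$changes}[$i, $i + 1];
        my %kv = @$attrs;
        print "$id: $op ", join(', ', map { "$_=$kv{$_}" } sort keys %kv), "\n";
    }
}
```

Run it with perl plan.pl to see the planned operations before pointing anything at the real server.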

Even once you've done that, though, you still don't have SquirrelMail and Panther Server talking. The default configuration in Panther Server is a little too paranoid for us; it only allows logins using version 3 of the LDAP protocol, and SquirrelMail wants to use version 2.

To fix this, edit /etc/openldap/slapd.conf and add the line allow bind_v2 just under all of the schema include lines. At this point, you can either reboot your server or restart slapd by hand. To restart by hand, enter sudo kill -INT `cat /var/run/slapd.pid` (those are back quotes -- found just under the Esc key) to kill it, then /usr/libexec/slapd to run it again.

Now we just need to get SquirrelMail pointed to our mail server, configured to talk to the LDAP server, and running.

Configuring SquirrelMail

Configuring SquirrelMail is accomplished by using a Perl script that you can find at /etc/squirrelmail/config/conf.pl. This script provides a primitive menu system to change the settings. To set the mail server, select "2" and update the IMAP settings:


IMAP Settings
--------------
4.  IMAP Server            : mail.junpacific.com
5.  IMAP Port              : 143
6.  Authentication type    : login
7.  Secure IMAP (TLS)      : false
8.  Server software        : other
9.  Delimiter              : detect

Then, your SMTP settings:

SMTP Settings
-------------
4.   SMTP Server           : mail.junpacific.com
5.   SMTP Port             : 25
6.   POP before SMTP       : false
7.   SMTP Authentication   : none
8.   Secure SMTP (TLS)     : false

For SMTP authentication, you may have to check what your server supports. If you want, the configure program will attempt to work it out for you.

Then you need to set up the link to your LDAP server. This is done from the main menu selection "6". This brings you to another menu with only two choices. Leave Use Javascript Address Book Search set to false, and select "1" to change the LDAP servers.

This choice runs a small subsystem that allows you to add or delete LDAP servers from the list, but not change the settings on an existing one. To add our server, press "+" and answer the questions as they come up.

hostname: ldap.example.com
base: cn=users,dc=example,dc=com
name: Staff

The default is fine for all other settings. Since we are only searching, we can leave binddn blank, for anonymous bind.

Starting SquirrelMail

Starting SquirrelMail is not difficult. Run Server Admin and select Web. Then select Settings and Sites, which brings up a list of the web sites you have defined. If you edit the main site under Options, you'll see a tick box for WebMail that turns it on and off. Once it is turned on, you can access it as http://www.example.com/webmail.

Log in using your email ID and password, and you will see your mailbox. One caveat: the Addresses link at the top of the page shows your personal address book, and so doesn't reflect all of our work. To get to the addresses from the LDAP server, you need to click on the Addresses button on the Compose form. This allows you to list all of the addresses, search them, and choose the one you want to use. You can see the Addresses button just below "Priority: Normal" in the Compose form below.
