More LDAP in Mac OS X Server

Extending the System

Now that the email addresses of all of the staff are available in both Address Book and SquirrelMail, how do we extend that so that we can share other mail addresses, such as those of customers or suppliers? We can do that easily with a little help.



The secret is that Mail, Address Book, and SquirrelMail can all be set up to check more than one LDAP server, and nothing stops us pointing two of those entries at the same server with two different search bases. Remember that we used cn=users,dc=example,dc=com as our base; if we add a reference to the same LDAP server but with a base of, say, cn=customers,dc=example,dc=com, we get a separate mail list. In fact, we could have many lists, say one for customers and one for suppliers, if desired. The only thing to watch is that the container (cn=customers here) must exist in the directory before you can add entries beneath it; the add will fail with "no such object" otherwise, so create it first with phpLDAPadmin or another LDAP editor.

The easiest way to add the records is to use a small Perl script. I've written one that reads the names from standard input with the fields separated by tabs. Write your file like so (the gaps between the fields are single tabs):


Tony	Williams	tonyw@honestpuck.com
Peter	Parker	spiderman@comics.com
Tim	O'Reilly	tim@oreilly.com

Then cat address.txt | perl ldap_add.pl at the command line will do the job. Here's the script:


#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value);

# the 'cn' container that will hold the addresses (it must already exist)
my $container = 'customers';
# DN for a user able to write to the LDAP server
my $bind = 'uid=admin,cn=users,dc=example,dc=com';
# the bind password; for anything beyond a quick test, prompt for it or
# read it from a protected file rather than leaving it in the script
my $passwd = 'secret';

my $ldap = Net::LDAP->new('ldap.example.com') or die "$@";
# a simple bind sends the password in clear unless the session is
# protected; call $ldap->start_tls before binding if the server supports it
my $mesg = $ldap->bind($bind, password => $passwd);
$mesg->code && die $mesg->error;

while (<>) {
	chomp;
	next if /^\s*$/;	# skip blank lines
	my ($first, $last, $mail) = split(/\t/, $_);
	my $cn = "$last $first";
	# the RDN needs its attribute type, and the value must be DN-escaped
	# (commas, plus signs, quotes, and so on are special in a DN)
	my $dn = "cn=" . escape_dn_value($cn) . ",cn=$container,dc=example,dc=com";
	$mesg = $ldap->add( $dn,
		attrs => [
			objectClass => 'inetOrgPerson',
			cn => $cn,
			givenName => $first,
			sn => $last,
			mail => $mail
		]
	);
	$mesg->code && die "$dn: " . $mesg->error;
}
$mesg = $ldap->unbind;   # take down session

If you don't want to use something like this script, then you can of course do it by hand using phpLDAPadmin or your favorite LDAP editor. You can also extend the script to support more fields for Address Book, if you wish. Just add the fields into the text file and script.
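As an added example (this is not the article's script, nor part of mod_LDAPauth or Mac OS X Server), here is a small POSIX shell equivalent that turns the same tab-separated file into LDIF, which the stock ldapadd tool can then load over TLS. It assumes the suffix dc=example,dc=com and the container names used in the text; the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: convert "first<TAB>last<TAB>mail" lines into LDIF entries
# under cn=<container>,dc=example,dc=com. Assumed suffix, as in the article.
SUFFIX="dc=example,dc=com"

# Escape the characters that are special in a DN value (RFC 4514):
# backslash, comma, plus, double quote, angle brackets, semicolon,
# and a leading '#' or space. Used for the RDN only; attribute values
# in the LDIF body do not need it.
dn_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' \
                           -e 's/[,+"<>;]/\\&/g' \
                           -e 's/^#/\\#/' \
                           -e 's/^ /\\ /'
}

# Read tab-separated lines on stdin and write one LDIF entry per line to
# stdout. Blank lines are skipped; a last line without a newline still counts.
# Example input line (constructed): Tony<TAB>Williams<TAB>tonyw@honestpuck.com
tsv_to_ldif() {
    container="$1"
    while IFS="$(printf '\t')" read -r first last mail || [ -n "$first" ]; do
        [ -z "$first" ] && continue
        cn="$last $first"
        printf 'dn: cn=%s,cn=%s,%s\n' "$(dn_escape "$cn")" "$container" "$SUFFIX"
        printf 'objectClass: inetOrgPerson\n'
        printf 'cn: %s\n' "$cn"
        printf 'givenName: %s\n' "$first"
        printf 'sn: %s\n' "$last"
        printf 'mail: %s\n\n' "$mail"
    done
}
```

Run it as tsv_to_ldif customers < address.txt | ldapadd -ZZ -H ldap://ldap.example.com/ -D uid=admin,cn=users,dc=example,dc=com -W. The -ZZ flag insists on StartTLS, so neither the admin password nor the new entries cross the wire in the clear, and -W prompts for the password instead of leaving it in a file. Afterwards, ldapsearch -x -H ldap://ldap.example.com/ -b cn=customers,dc=example,dc=com mail lists what was added (add -D and -W if the server does not allow anonymous reads).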

Now just add the "new" LDAP server to Address Book, Mail, and SquirrelMail in exactly the same way as the first one -- just replace the base cn=users,dc=example,dc=com with the new one, cn=customers,dc=example,dc=com. I've established a customers container, a suppliers container, and a misc container for each of our three state offices, and then set Mail and Address Book to search only the containers the user requires. This keeps the total list of addresses searched by the user as short as possible. Unfortunately, SquirrelMail does not support a per-user list of LDAP servers, so users have a longer list there, though they can easily select just one server.

In the illustration above, you can see the pop-up menu (right next to the Search button) that allows the user to select where to search. The choices are All, Address Book (the list of the user's personal addresses saved in SquirrelMail), and then the "name" field from each of the LDAP servers you set in the SquirrelMail preferences.

LDAP and Apache

For our next trick, we are going to need some serious mojo. After doing a lot of research and testing, I've found a module for Apache 1.3.x that will allow us to use the LDAP server for Apache basic authentication, though with some problems. There are several (I found five) modules available that should do this, but none works perfectly. So I took one (mod_LDAPauth from Piet Ruyssinck) that worked fairly well, and did some hacking to lengthen the user ID and make it support Apple's model of group membership. Go to my web site to grab a copy of the hacked version.

You'll be happy to read that building, installing, and configuring Apache for it are trivial. Download the source file into a folder on your server, and then type sudo apxs -lldap -llber -i -a -c mod_LDAPauth.c at a terminal prompt. This runs the Apache extension tool to compile the module against the LDAP client libraries (-lldap -llber), install it (-i), and add the LoadModule and AddModule lines to httpd.conf (-a). Once you've done that, sudo apachectl configtest confirms that Apache accepts the new configuration, sudo apachectl restart gets it to read it, and you are good to go.

You can secure a directory by adding a <Directory> block to your Apache config in /etc/httpd/httpd.conf, but I prefer to get everything working using a .htaccess file in the directory itself, and then later transfer it to the configuration file. One thing to check first: a .htaccess file only takes effect if the AllowOverride setting for that directory in httpd.conf includes AuthConfig (or All); otherwise Apache silently ignores it and the page stays open to everyone. Create a directory named /Library/WebServer/Documents/test_secure and place a small HTML file in it called index.html. Here's mine:


<html>
<head>
        <title>Testing Security</title>
</head>
<body>
<p>
This is a secured page
</p>
</body>
</html>
 

Then create the .htaccess file to test it, and drop that in the same directory.


AuthName "IT Staff only"
AuthType Basic
LDAP_server ldap://ldap.example.com/
LDAP_base_dn cn=users,dc=example,dc=com
LDAP_scope subtree
# require valid-user
require user admin tony_williams marvin_martian
# LDAP_group_base_dn cn=groups,dc=example,dc=com
# require group Group_Aliens Group_Accounts

All you need to do is replace the list admin tony_williams marvin_martian with your own list of users (these are the short names, the uid values of the entries in cn=users), and all should work fine. You can also change the entire line to require valid-user, and then anyone with an entry under the base DN who can bind with their password can log on, so use that only where every directory user should have access. Remember, too, that Basic authentication sends the user's directory password base64-encoded, which is as good as plain text, so serve protected directories over SSL only.

You can see from the commented-out lines in the example above how to use valid-user and group. Note that if you have a require group line, then you also need to specify the distinguished name of the container that holds your groups using the LDAP_group_base_dn line; without it the module has nowhere to look up the membership.
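As an added example (not from the article or from mod_LDAPauth's own documentation), here is what the same protection looks like once it has been moved out of .htaccess and into httpd.conf as a <Directory> block, this time using the group form of the require line. It assumes that mod_ssl is loaded and the site is reachable over https; the group name is the one from the commented line above.

```apache
# Added example: the test_secure directory protected from httpd.conf rather
# than from a .htaccess file. Assumes mod_ssl is loaded (SSLRequireSSL).
<Directory "/Library/WebServer/Documents/test_secure">
    # Nothing is read from .htaccess any more, so turn overrides off here
    AllowOverride None

    # Refuse plain http, so the Basic credentials only travel over SSL
    SSLRequireSSL

    AuthName "IT Staff only"
    AuthType Basic
    LDAP_server ldap://ldap.example.com/
    LDAP_base_dn cn=users,dc=example,dc=com
    LDAP_scope subtree

    # Group membership is resolved under this container
    LDAP_group_base_dn cn=groups,dc=example,dc=com
    require group Group_Accounts
</Directory>
```

After editing httpd.conf, run sudo apachectl configtest before the restart; a typo in a directive name is reported there instead of leaving the directory unprotected. Test from another machine with a browser, and also try plain http to confirm that SSLRequireSSL refuses it.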

Final Thoughts

Now we have completed all of the work from the previous article. After this tutorial, our users can log onto any machine in the network and get their home folders and preferences; log on automatically to Mail and any volume on our server thanks to Kerberos single sign-on; list any email address on our LDAP server in Mail, Address Book, and SquirrelMail; and log onto protected areas of our web server using their login ID and password.

Not bad for a couple of hours of work.

Tony Williams is currently a desktop support consultant at a major Australian university, specializing in Macintosh computers. He describes himself as a "professional Mac geek."

