[Freeipa-users] Apple OpenDirectory Integration

"Răzvan Corneliu C.R. VILT" razvan.vilt at me.com
Wed Feb 3 21:09:37 UTC 2016


Hi Guys,

I've done a small scale demo of using FreeIPA instead of an Open Directory Server to serve Apple OS X clients. This is based on my experiences from one year ago (Ticket #4813). I've also attached some screenshots.

Here's what works:
Host sees the IPA Server
Host is able to register to the IPA server
Host creates a computer account (needs a bit of help here)
Host sets its own random password (including kerberosPrincipalKey and kerberosExtraData)
Host can see the users and other computers in the LDAP
Host can use TLS registration with FreeIPA's own root certificate as found in cn=CACert,cn=ipa,cn=etc
Host can use just Kerberos for authentication and doesn't need an Apple Password Server

Here's what needs to be done to get there:
Create a cn=config,$baseDN entry (attached example ldif). This can be created automatically based on a template.
Create an ACI that gives anonymous read access to cn=config,$baseDN (SNIP #3)
Modify an existing ACI to give altSecurityIdentities and description to anonymous/public consumption (SNIP #4)
Extend the schema to include apple-configuration (SNIP #1)
Extend the schema to include apple-user (should be renamed to apple-account since it applies also to hosts) (SNIP #2)
Add PLAIN to the supported SASL mechanisms (I don't know why it's missing anyway because it's restricted to TLS by default). For me, without further investigation of the reasons, I had to also disable CRAM-MD5 and DIGEST-MD5 on the 389 DS.
Make sure (if you upgraded from a v3) that you have OCSP and/or CRL working
Add an _ldap._tcp entry in avahi and/or serve the LDAP server via DHCP and/or serve the search domain via DHCP and make the DNS-SD service entries for it.

Here's what's missing from FreeIPA:

A 389 Directory Server plugin that generates altSecurityIdentities and AuthAuthority values automatically for an objectClass=apple-account.
This would automatically present the following entries (user admin used as an example):
--
altSecurityIdentities: Kerberos:admin@EXAMPLE.ORG
AuthAuthority: ;Kerberosv5;;admin@EXAMPLE.ORG;EXAMPLE.ORG;
--
AuthAuthority is interesting because it supports not only basic LDAP authentication, but also Kerberos, Netlogon and Apple Password Server and you can specify multiple authentication authorities (including an Active Directory).


A better way to specify homes for users. Not everyone uses automount and automount maps (although OS X can use them). We need to be able to specify not the assumably mounted home directory, but the protocol (afp, nfs, cifs, etc.), server and share/directory. Furthermore, most Mac Admins will have a heart-attack if they see an auto-mounted /home/$username instead of the usual /Users/$username.

Here's what's missing from OS X:
A way to request OS X to do GSS-TSIG registration to the DNS. We may have an MCX method to do that, but I haven't investigated. NSUpdate is available and has support for gss-tsig. I think that for Active Directory it does this automatically, and if so, we should be able to reproduce it.

A way to specify that the fqdn argument should actually be an FQDN. We might have to write a 389 DS plugin to take the CN without the final "$" and add the domain name after it.

SUDO Map support. Currently, the only way to specify if an account has sudo rights is to make it an admin. This makes it clear that without Password Server support (partly implemented in the LPWS project), the usage scenarios are limited to normal users and SSO to servers. OTOH, OS X only knows admin and non-admin accounts, so it's not that bad.

Steps to produce my demo install before the patches below:
ipa-server-install -r EXAMPLE.ORG -n example.org -p deadbeef -a deadbeef -P deadbeef --hostname=ipa.example.org --ip-address=172.16.23.138 --ssh-trust-dns -U --setup-dns --no-forwarders

Is anyone from Red Hat willing to pick this up? It would be a nice addition. If so, I am offering to do the testing and fine-tuning for all post-Tiger releases. I can also share virtual machines for server and client configuration.
The Apple schemas are included in Apple's GPL code-drops for OpenLDAP if anyone is wondering about licensing. We don't need the full schemas because we can map most stuff to our own schema and it works brilliantly.

Regards,
Răzvan

-------- SNIP #1----------
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (1.3.6.1.4.1.63.1000.1.1.1.12.3 NAME 'apple-config-realname' DESC 'config real name' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: (1.3.6.1.4.1.63.1000.1.1.1.12.7 NAME 'apple-kdc-authkey' DESC 'KDC master key RSA encrypted with realm public key' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: (1.3.6.1.4.1.63.1000.1.1.1.12.8 NAME 'apple-kdc-configdata' DESC 'Contents of the kdc.conf file' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: (1.3.6.1.4.1.63.1000.1.1.1.1.19 NAME 'apple-keyword' DESC 'keywords' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: (1.3.6.1.4.1.63.1000.1.1.1.12.5 NAME 'apple-ldap-replica' DESC 'LDAP replication list' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: (1.3.6.1.4.1.63.1000.1.1.1.12.6 NAME 'apple-ldap-writable-replica' DESC 'LDAP writable replication list' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: (1.3.6.1.4.1.63.1000.1.1.1.12.4 NAME 'apple-password-server-list' DESC 'password server replication plist' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: (1.3.6.1.4.1.63.1000.1.1.1.12.1 NAME 'apple-password-server-location' DESC 'password server location' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: (1.3.6.1.4.1.250.1.60 NAME 'ttl' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: (1.3.6.1.4.1.63.1000.1.1.1.17.1 NAME 'apple-xmlplist' DESC 'XML plist data' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
-
add: objectclasses
objectClasses: (1.3.6.1.4.1.63.1000.1.1.2.12 NAME 'apple-configuration' DESC 'configuration' SUP top STRUCTURAL MAY ( cn $ apple-config-realname $ modifyTimestamp $ apple-password-server-location $ apple-password-server-list $ apple-ldap-replica $ apple-ldap-writable-replica $ apple-keyword $ apple-kdc-authkey $ apple-kdc-configdata $ apple-xmlplist $ ttl ) )
-------- END of SNIP #1-------

-------- SNIP #2----------
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.2.840.113556.1.4.867 NAME 'altSecurityIdentities' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.63.1000.1.1.2.16.2 NAME ( 'authAuthority' 'authAuthority2' ) DESC 'password server authentication authority' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.63.1000.1.1.2.1 NAME 'apple-user' SUP top AUXILIARY DESC 'apple user account'  MAY ( authAuthority $ sambaAcctFlags $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ sambaUserWorkstations $ sambaHomePath $ sambaSID $ sambaPrimaryGroupSID $ userCertificate $ userPKCS12 $ jpegPhoto $ altSecurityIdentities ) )
-------- END of SNIP #2-------

-------- SNIP #3 ----------
(targetattr = "description || cn || objectclass || ou || apple-xmlplist")(targetfilter ="(objectclass=apple-configuration)")(version 3.0;acl "permission:System: Read Mac Profile";allow (compare,read,search) userdn = "ldap:///anyone";)
-------- END of SNIP #3-------

-------- SNIP #4 ----------
(targetattr = "altSecurityIdentities || cn || createtimestamp || description || displayname || entryusn || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || modifytimestamp || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
--------- END of SNIP #4------
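The values the proposed 389 DS plugin would have to generate, as an added example in Python (not code from the post or from FreeIPA). It assumes the entry carries a krbPrincipalName, and that a computer CN may arrive in the "name$" form mentioned above, which it maps to the host principal the way the post suggests:

```python
import re

# Added example, not from the post or from FreeIPA: what the proposed 389 DS
# plugin would compute for an objectClass=apple-account entry, using the
# value formats quoted in the post. Assumes the entry has a krbPrincipalName.
PRINCIPAL_RE = re.compile(r"^(?P<name>[^@\s]+)@(?P<realm>[A-Z0-9.-]+)$")

def split_principal(principal):
    """Return (name, realm) for 'name@REALM'; reject malformed input."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError("not a Kerberos principal: %r" % principal)
    return m.group("name"), m.group("realm")

def alt_security_identity(principal):
    """altSecurityIdentities value: 'Kerberos:<principal>'."""
    split_principal(principal)  # validate before emitting
    return "Kerberos:" + principal

def auth_authority_kerberos(principal):
    """authAuthority value: ';Kerberosv5;;<principal>;<realm>;'."""
    return ";Kerberosv5;;%s;%s;" % (principal, split_principal(principal)[1])

def parse_auth_authority(value):
    """Fields of an authAuthority value, e.g. ['Kerberosv5', '', principal, realm].
    Every authority is ';'-delimited with a leading and a trailing ';'."""
    if not (value.startswith(";") and value.endswith(";")):
        raise ValueError("malformed authAuthority: %r" % value)
    return value[1:-1].split(";")

def host_principal(cn, domain, realm):
    """Map an OS X computer CN such as 'mac01$' to FreeIPA's host principal,
    dropping the trailing '$' and appending the domain as the post suggests."""
    short = cn[:-1] if cn.endswith("$") else cn
    fqdn = short if "." in short else short + "." + domain
    return "host/%s@%s" % (fqdn.lower(), realm)

def ldif_modify(dn, principal):
    """LDIF 'changetype: modify' adding both attributes to the entry at dn."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "add: altSecurityIdentities",
        "altSecurityIdentities: " + alt_security_identity(principal),
        "-",
        "add: authAuthority",
        "authAuthority: " + auth_authority_kerberos(principal),
        "-",
    ]) + "\n"
```

The LDIF it emits is what the plugin would otherwise write into the entry on the fly; feeding it to ldapmodify reproduces the admin example above by hand.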