[Freeipa-users] Apple OpenDirectory Integration

"Răzvan Corneliu C.R. VILT" razvan.vilt at me.com
Thu Feb 4 12:22:55 UTC 2016


>> It is probably best to stick with the Apple schema otherwise there could be pain later if something changes, requiring additional mapping.
> 
> I wouldn't encourage it for two reasons:
> 1) The Apple schema is designed to be remapped to any other schema. That's the point of cn=config. That's what I did. It describes the attribute mappings to internal data structures. I've identified a minimal number of apple-schema items that have no direct mapping to freeIPA datastructures and documented them in the two schema expansions in the email.
> 2) Using the Apple schema without remapping would duplicate most of the data and would make account maintenance and LDAP Browsing more difficult in the future. Since Apple is flexible about the schema, why shouldn't we use that?

If you open up the ldif file from the first email and base64 decode the entries you will see clear configuration directives such as below. These mean that you don't need to stick with Apple's schema and neither does Apple (for forward and backward compatibility):

OD Policy:
==========

	<key>Denied SASL Methods</key>
<!-- works (without cause investigation) ONLY with PLAIN over SSL at registration time -->
	<array>
		<string>DIGEST-MD5</string>
		<string>CRAM-MD5</string>
	</array>
	<key>Configured Security Level</key>
	<dict>
		<key>Advisory Client Caching</key>
		<false/>
<!-- No anonymous searches as the results are incomplete due to ACIs-->
		<key>Binding Required</key>
		<true/>
<!-- KRB5/SSL required -->
		<key>Man In The Middle</key>
		<true/>
<!-- KRB5/SSL required -->
		<key>No ClearText Authentications</key>
		<true/>
<!-- KRB5/SSL required -->
		<key>Packet Encryption</key>
		<true/>
<!-- KRB5 required -->
		<key>Packet Signing</key>
		<true/>
	</dict>
<!-- Computer Account creation mandatory -->
	<key>Directory Binding</key>
	<true/>
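As an added example (mine, not the ldif or any code from the mail), here is the decoding step described above done in Python: a small LDIF reader that unfolds continuation lines and base64-decodes "::" values, followed by a check that the decoded OD policy plist actually enforces the switches listed in the snippet (binding required, no cleartext authentication, packet signing and encryption). The entry name cn=macosxodpolicy and the attribute apple-xmlplist are assumptions about how Open Directory stores the plist; the LDIF and plist contents are constructed to mirror the quoted directives.

```python
import base64
import plistlib

# Constructed plist (not the one from the mail) mirroring the "OD Policy" keys above.
POLICY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Denied SASL Methods</key>
  <array><string>DIGEST-MD5</string><string>CRAM-MD5</string></array>
  <key>Configured Security Level</key>
  <dict>
    <key>Advisory Client Caching</key><false/>
    <key>Binding Required</key><true/>
    <key>Man In The Middle</key><true/>
    <key>No ClearText Authentications</key><true/>
    <key>Packet Encryption</key><true/>
    <key>Packet Signing</key><true/>
  </dict>
  <key>Directory Binding</key><true/>
</dict>
</plist>
"""


def _fold(line, width=76):
    """Fold a long LDIF line; continuation lines start with one space (RFC 2849)."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


# Constructed LDIF entry; cn=macosxodpolicy and apple-xmlplist are assumed names.
SAMPLE_LDIF = (
    "dn: cn=macosxodpolicy,cn=config,dc=example,dc=org\n"
    "objectClass: apple-configuration\n"
    "cn: macosxodpolicy\n"
    + _fold("apple-xmlplist:: " + base64.b64encode(POLICY_PLIST).decode("ascii"))
    + "\n\n"
)


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [bytes, ...]} entries.

    Handles folded lines and the '::' marker that denotes a base64 value."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:     # continuation of previous line
            logical[-1] += line[1:]
        else:
            logical.append(line)
    entries, current = [], {}
    for line in logical:
        if not line.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>"
            decoded = base64.b64decode(value[1:].strip())
        else:                                    # "attr: <plain text>"
            decoded = value.strip().encode("utf-8")
        current.setdefault(attr, []).append(decoded)
    if current:
        entries.append(current)
    return entries


def load_plists(entries, attr="apple-xmlplist"):
    """Decode every plist-valued attribute found in the parsed entries."""
    return [plistlib.loads(v) for e in entries for v in e.get(attr, [])]


# Security-level switches the mail turns on; anything not True is reported.
REQUIRED_TRUE = (
    "Binding Required",
    "Man In The Middle",
    "No ClearText Authentications",
    "Packet Encryption",
    "Packet Signing",
)


def check_policy(policy):
    """Return the policy switches that are not enforced (empty list = all enforced)."""
    level = policy.get("Configured Security Level", {})
    weak = [k for k in REQUIRED_TRUE if level.get(k) is not True]
    if policy.get("Directory Binding") is not True:
        weak.append("Directory Binding")
    return weak


if __name__ == "__main__":
    for plist in load_plists(parse_ldif(SAMPLE_LDIF)):
        print("denied SASL:", plist["Denied SASL Methods"])
        print("unenforced:", check_policy(plist) or "none")
```

Running it against a real export is a matter of reading the ldif file into parse_ldif; check_policy then lists any switch a client would silently fall back from (for instance a policy that still allows cleartext binds).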

LDAP Servers:
=============
Here you list the replicas, read-only or read-write. For registration an r/w replica will be used, preferably the primary master.

	<key>IPaddresses</key>
	<array>
		<string>172.16.23.138</string>
	</array>
	<key>PrimaryMaster</key>
	<string>ipa.example.org</string>
	<key>ReplicaName</key>
	<string>Master</string>
	<key>Replicas</key>
	<array/>

Kerberos KRB5.conf:
===================
Since you can register to multiple realms at once on a Mac, you need to modify (and not replace) the krb5.conf file so that they include the information as opposed to the file.
	<key>edu.mit.kerberos</key>
	<dict>
		<key>domain_realm</key>
		<dict>
			<key>.example.org</key>
			<string>EXAMPLE.ORG</string>
			<key>example.org</key>
			<string>EXAMPLE.ORG</string>
		</dict>
		<key>libdefaults</key>
		<dict>
			<key>default_realm</key>
			<string>EXAMPLE.ORG</string>
		</dict>
		<key>realms</key>
		<dict>
			<key>EXAMPLE.ORG</key>
			<dict>
				<key>KADM_List</key>
				<array>
					<string>ipa.example.org</string>
					<string>172.16.23.138</string>
				</array>
				<key>KDC_List</key>
				<array>
					<string>ipa.example.org</string>
					<string>172.16.23.138</string>
				</array>
			</dict>
		</dict>
	</dict>
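As an added example (mine, not from the mail or from FreeIPA), the following Python takes the edu.mit.kerberos dict above and merges its realm into an existing krb5.conf rather than replacing the file, so a realm the Mac is already registered to keeps its stanza and its default_realm. The KDC_List/KADM_List to kdc/admin_server mapping and the pre-existing CORP.EXAMPLE.COM realm are constructed for illustration.

```python
# Constructed input (not from the mail): the edu.mit.kerberos dict as Python, and
# a krb5.conf that already serves a different realm and must be preserved.
KRB_PLIST = {
    "domain_realm": {".example.org": "EXAMPLE.ORG", "example.org": "EXAMPLE.ORG"},
    "libdefaults": {"default_realm": "EXAMPLE.ORG"},
    "realms": {
        "EXAMPLE.ORG": {
            "KADM_List": ["ipa.example.org", "172.16.23.138"],
            "KDC_List": ["ipa.example.org", "172.16.23.138"],
        }
    },
}

EXISTING_KRB5 = """[libdefaults]
    default_realm = CORP.EXAMPLE.COM

[realms]
    CORP.EXAMPLE.COM = {
        kdc = kdc.corp.example.com
    }

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
"""


def parse_sections(text):
    """Split krb5.conf into {section: [raw lines]} keeping section order."""
    sections, current = {"": []}, ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def render_realm(name, realm):
    """Turn Apple's KDC_List/KADM_List into a standard MIT realm block (assumed mapping)."""
    lines = [f"    {name} = {{"]
    lines += [f"        kdc = {h}" for h in realm.get("KDC_List", [])]
    lines += [f"        admin_server = {h}" for h in realm.get("KADM_List", [])]
    lines.append("    }")
    return "\n".join(lines)


def _has_key(lines, key):
    """True if some line in the section already defines key (as 'key =' or 'key {')."""
    return any(l.strip().startswith((key + " ", key + "=")) for l in lines)


def merge_krb5(existing, plist):
    """Add the plist's realm to krb5.conf without overwriting what is already there."""
    sec = parse_sections(existing)
    libdefaults = sec.setdefault("libdefaults", [])
    if not _has_key(libdefaults, "default_realm"):      # keep an existing default
        libdefaults.append(f"    default_realm = {plist['libdefaults']['default_realm']}")
    realms = sec.setdefault("realms", [])
    for name, realm in plist["realms"].items():
        if not _has_key(realms, name):                   # only add realms not yet present
            realms.append(render_realm(name, realm))
    domain_realm = sec.setdefault("domain_realm", [])
    for domain, realm in plist["domain_realm"].items():
        if not _has_key(domain_realm, domain):
            domain_realm.append(f"    {domain} = {realm}")
    out = []
    for name, lines in sec.items():
        if name:
            out.append(f"[{name}]")
        out.extend(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(merge_krb5(EXISTING_KRB5, KRB_PLIST))
```

The merge is idempotent, so it can be re-run at every registration without duplicating stanzas; the existing default_realm deliberately wins, because changing it would redirect every unqualified principal on the machine to the new realm.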

OD Config snippets:
==================
Server information used for LDAP binding.

	<key>Delay Rebind Try in seconds</key>
	<integer>0</integer>
	<key>Enable Use</key>
	<true/>
	<key>Map Search Base</key>
	<string>cn=config,dc=example,dc=org</string>
	<key>OpenClose Timeout in seconds</key>
	<integer>15</integer>
	<key>Port Number</key>
	<integer>389</integer>
	<key>SSL</key>
	<true/>
	<key>Search Timeout in seconds</key>
	<integer>120</integer>
	<key>Server</key>
	<string>172.16.23.138</string>
	<key>Server Mappings</key>
	<true/>
	<key>Template Name</key>
	<string>FreeIPA Server</string>
	<key>Template Search Base Suffix</key>
	<string>dc=example,dc=org</string>
	<key>Template Version</key>
	<string>1.0</string>
	<key>UI Name</key>
	<string>Example.ORG</string>

OD Config Attribute Type Maps snippet:
======================================
Open Directory also includes them, but they map to different attributes.

<key>Attribute Type Map</key>
<array>
	<dict>
		<key>Native Map</key>
		<array>
			<string>fqdn</string>
		</array>
		<key>Standard Name</key>
		<string>dsAttrTypeStandard:RecordName</string>
	</dict>
	<dict>
		<key>Native Map</key>
		<array>
			<string>ipaUniqueId</string>
		</array>
		<key>Standard Name</key>
		<string>dsAttrTypeStandard:GeneratedUID</string>
	</dict>
	<dict>
		<key>Native Map</key>
		<array>
			<string>sambaSID</string>
		</array>
		<key>Standard Name</key>
		<string>dsAttrTypeStandard:SMBSID</string>
	</dict>
</array>
<key>Native Map</key>
<array>
	<dict>
		<key>Group Object Classes</key>
		<string>OR</string>
		<key>Object Classes</key>
		<array>
<!-- This is how you set the minimal number of object classes required for the Computer Object Type -->
			<string>ipaHost</string>
			<string>krbPrincipal</string>
			<string>krbPrincipalAux</string>
			<string>apple-user</string>
			<string>ieee802Device</string>
		</array>
<!-- This is the LDAP search base for computers -->
		<key>Search Base</key>
		<string>cn=computers,cn=accounts,dc=example,dc=org</string>
	</dict>
</array>
<key>Standard Name</key>
<string>dsRecTypeStandard:Computers</string>