[K12OSN] RE SME Server Authentication
Craig White
craig at tobyhouse.com
Tue Nov 20 20:11:07 UTC 2007
On Tue, 2007-11-20 at 12:45 -0700, Craig White wrote:
> On Tue, 2007-11-20 at 11:16 -0500, Jim Kronebusch wrote:
> > On Tue, 20 Nov 2007 04:29:06 -0500, Larry McPherson wrote
> > > Do you authenticate OSX against your SME server, and if so, do you know
> > > of a how-to?
> > >
> > > Great how to on contribs!! With pictures too.
> > >
> > > Larry
> >
> > I put this together a few years ago for authenticating OSX to smb/ldap. I've never
> > tried it against SME Server, but it may be a good start.
> >
> > http://www.1-cs.com/osxldap.html
> >
> > Hope that helps,
> > Jim
> ----
> - I never found the need to 'enable' root user in NetInfo for this
>
> - I did need to add Apple.schema to LDAP configuration and to make that
> work, I had to 'uncomment' some sections of the samba.schema (it was a
> tacky setup)
>
> YMMV ;-)
>
> you can download the apple.schema from Apple
> http://www.info.apple.com
>
> samba.schema changes...
> # diff
> -u /etc/openldap/schema/samba.schema /etc/openldap/schema/samba.schema~
> --- /etc/openldap/schema/samba.schema 2007-05-13 15:58:10.000000000
> -0700
> +++ /etc/openldap/schema/samba.schema~ 2007-05-13 15:57:33.000000000
> -0700
> @@ -133,15 +133,15 @@
> ##
> ## user and group RID
> ##
> -attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid'
> - DESC 'NT rid'
> - EQUALITY integerMatch
> - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> -
> -attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
> - DESC 'NT Group RID'
> - EQUALITY integerMatch
> - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> +#attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid'
> +# DESC 'NT rid'
> +# EQUALITY integerMatch
> +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> +
> +#attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
> +# DESC 'NT Group RID'
> +# EQUALITY integerMatch
> +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
>
>
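Review bot: the two files are passed to diff in reverse order (`diff -u samba.schema samba.schema~` compares the edited file against its `~` backup), so the `-`/`+` signs read backwards: the `+` lines carrying the `#` comments are the original shipped schema and the uncommented `-` lines for `rid` (1.3.6.1.4.1.7165.2.1.14) and `primaryGroupID` (1.3.6.1.4.1.7165.2.1.15) are the result, which is what "I had to 'uncomment' some sections" above describes. Regenerating the hunk as `diff -u samba.schema~ samba.schema`, or saying explicitly that the two attributetypes end up uncommented, would stop a reader who applies it mechanically from commenting them back out; a one-line note on why apple.schema needs these two definitions would also help, since the text only says "to make that work".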
> anyway, my notes for enabling Mac clients to authenticate to my LDAP
> setup (and I have them mounting NFS shares for the user $HOME
> directories) are rather crude but:
>
> Macintosh Systems
> Directory Access - Authentication
> Server srv1.example.com
> LDAP Custom mappings (RFC-2307)
>
> * Users
>     * base ou=People,dc=example,dc=com
>     * NFSHomeDirectory apple-user-homeDirectory
>     * HomeDirectory (new) apple-user-homeurl
> * Groups
>     * base ou=Groups,dc=example,dc=com
> * Mounts
>     * ou=mounts,dc=example,dc=com
>
> Contacts (see above) My LDAP address books
>
> * Employee Directory
>     * base ou=People,dc=example,dc=com
> * Shared Contacts
>     * base ou=AddressBook,dc=example,dc=com
----
one other detail that is really important in case someone is actually
following this and wants to play along, which I should have mentioned...
Part and parcel with this is that I have installed 'Netatalk' on my
primary server
http://netatalk.sourceforge.net
and it shares the users directory as part of netatalk setup as an Apple
shared volume called 'NetUsers'
/home/storage/users NetUsers
and this information is stored in my ldap server which makes it all work
(again, YMMV)...
# ldapsearch -x '(ou=mounts)'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (ou=mounts)
# requesting: ALL
#
# Mounts, example.com
dn: ou=Mounts,dc=example,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@srv1 schema]# ldapsearch -x '(cn=*)' -b 'ou=mounts,dc=example,dc=com'
# extended LDIF
#
# LDAPv3
# base <ou=mounts,dc=example,dc=com> with scope subtree
# filter: (cn=*)
# requesting: ALL
#
# srv1.example.com:/NetUsers, Mounts, example.com
dn: cn=srv1.example.com:/NetUsers,ou=Mounts,dc=example,dc=com
cn: srv1.example.com:/NetUsers
mountDirectory: /Network/Servers
mountOption: net
mountOption: url=="afp://;AUTH=NO%20USER%20AUTHENT@srv1.example.com/NetUsers
mountType: url
objectClass: mount
objectClass: top
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
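As an added example (not part of Craig's message, SME Server or Netatalk), a small Python check that parses ldapsearch LDIF output like the listing above and validates Mac OS X mount records: the url target must agree with the cn (host:/share), and a url that logs in with the AFP guest UAM (No User Authent, the token in the record above) is reported so the volume's guest permissions can be reviewed. SAMPLE_LDIF is constructed to mirror the quoted entry.

```python
import base64
from urllib.parse import unquote
# Constructed sample in the shape of the ldapsearch output quoted in the message; the
# url option is folded the way LDIF folds long lines (continuation starts with a space).
SAMPLE_LDIF = """\
# srv1.example.com:/NetUsers, Mounts, example.com
dn: cn=srv1.example.com:/NetUsers,ou=Mounts,dc=example,dc=com
cn: srv1.example.com:/NetUsers
mountDirectory: /Network/Servers
mountOption: net
mountOption: url==afp://;AUTH=NO%20USER%20AUTHENT@srv1.example.com/
 NetUsers
mountType: url
objectClass: mount
"""

def parse_ldif(text):
    """One {attr(lowercase): [values]} dict per entry; unfolds wrapped lines,
    decodes 'attr:: <base64>' values and skips '#' comment lines."""
    entries, cur = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # "\n " is LDIF folding; "" closes last entry
        if line.startswith("#"):
            continue
        if not line:                       # blank line ends the current entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: base64' form
            value = base64.b64decode(value[1:]).decode()
        cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def check_mount(entry):
    """Findings for one OS X 'mount' record: the url target must match the cn
    (host:/share), and the AFP guest UAM (No User Authent) is reported for review."""
    findings = []
    if "mount" not in entry.get("objectclass", []):
        return findings
    cn = entry.get("cn", [""])[0]
    for opt in entry.get("mountoption", []):
        if not opt.startswith("url=="):
            continue
        creds, _, target = opt[5:].partition("://")[2].rpartition("@")
        if unquote(creds).upper().endswith("AUTH=NO USER AUTHENT"):
            findings.append("guest UAM: volume is mounted unauthenticated")
        if target.replace("/", ":/", 1) != cn:
            findings.append(f"url target {target} does not match cn {cn}")
    return findings
```

Feed it the raw output of `ldapsearch -x -b 'ou=mounts,dc=example,dc=com' '(cn=*)'` and run `check_mount` over each entry returned by `parse_ldif`.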