[K12OSN] RE SME Server Authentication

Craig White craig at tobyhouse.com
Tue Nov 20 20:11:07 UTC 2007


On Tue, 2007-11-20 at 12:45 -0700, Craig White wrote:
> On Tue, 2007-11-20 at 11:16 -0500, Jim Kronebusch wrote:
> > On Tue, 20 Nov 2007 04:29:06 -0500, Larry McPherson wrote
> > > Do you authenticate OSX against your SME server, and if so, do you know 
> > > of a how-to?
> > > 
> > > Great how to on contribs!! With pictures too.
> > > 
> > > Larry
> > 
> > I put this together a few years ago for authenticating OSX to smb/ldap.  I've never
> > tried it against SME Server, but it may be a good start.
> > 
> > http://www.1-cs.com/osxldap.html
> > 
> > Hope that helps,
> > Jim
> ----
> - I never found the need to 'enable' root user in NetInfo for this
> 
> - I did need to add Apple.schema to the LDAP configuration and, to make that
> work, I had to 'uncomment' some sections of the samba.schema (it was a
> tacky setup)
> 
> YMMV ;-)
> 
> you can download the apple.schema from Apple
> http://www.info.apple.com
> 
> samba.schema changes...
> # diff -u /etc/openldap/schema/samba.schema /etc/openldap/schema/samba.schema~
> --- /etc/openldap/schema/samba.schema   2007-05-13 15:58:10.000000000
> -0700
> +++ /etc/openldap/schema/samba.schema~  2007-05-13 15:57:33.000000000
> -0700
> @@ -133,15 +133,15 @@
>  ##
>  ## user and group RID
>  ##
> -attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid'
> -       DESC 'NT rid'
> -       EQUALITY integerMatch
> -       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> -
> -attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
> -       DESC 'NT Group RID'
> -       EQUALITY integerMatch
> -       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> +#attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid'
> +#      DESC 'NT rid'
> +#      EQUALITY integerMatch
> +#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> +
> +#attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
> +#      DESC 'NT Group RID'
> +#      EQUALITY integerMatch
> +#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> 
> 
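Review bot: the hunk reads backwards relative to the prose. `diff -u /etc/openldap/schema/samba.schema /etc/openldap/schema/samba.schema~` puts the edited file first and the `~` backup second, so the `-` lines (`attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid'` and `... NAME 'primaryGroupID'`) are the current, uncommented definitions and the `+` lines are the shipped, commented-out state; anyone who feeds this to `patch` as-is will re-comment the two attributes instead of enabling them. Swap the arguments (old file first) or apply with `patch -R`. It would also help to say why the shipped schema has them commented out, and to run `slaptest -u` after the edit to confirm slapd still loads the schema set, since a second definition of the same attribute name or OID from apple.schema is a fatal configuration error.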
> anyway, my notes for enabling Mac clients to authenticate to my LDAP
> setup (and I have them mounting NFS shares for the user $HOME
> directories) are rather crude but:
> 
> Macintosh Systems
> Directory Access - Authentication
> Server srv1.example.com
> LDAP Custom mappings (RFC-2307)
> 
>       * Users
>               * base ou=People,dc=example,dc=com
>               * NFSHomeDirectory apple-user-homeDirectory
>               * HomeDirectory (new) apple-user-homeurl
>       * Groups
>               * base ou=Groups,dc=example,dc=com
>       * Mounts
>               * ou=mounts,dc=example,dc=com
> 
> Contacts (see above) My LDAP address books
> 
>       * Employee Directory
>               * base ou=People,dc=example,dc=com
>       * Shared Contacts
>               * base ou=AddressBook,dc=example,dc=com
----
one other detail that is really important, in case someone is actually
following this and wants to play along, which I should have mentioned...

Part and parcel with this is that I have installed 'Netatalk' on my
primary server
http://netatalk.sourceforge.net

and it shares the users directory as part of netatalk setup as an Apple
shared volume called 'NetUsers'
/home/storage/users     NetUsers

and this information is stored in my LDAP server, which makes it all work
(again, YMMV)...

# ldapsearch -x '(ou=mounts)'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (ou=mounts)
# requesting: ALL
#

# Mounts, example.com
dn: ou=Mounts,dc=example,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@srv1 schema]# ldapsearch -x '(cn=*)' -b 'ou=mounts,dc=example,dc=com'
# extended LDIF
#
# LDAPv3
# base <ou=mounts,dc=example,dc=com> with scope subtree
# filter: (cn=*)
# requesting: ALL
#

# srv1.example.com:/NetUsers, Mounts, example.com
dn: cn=srv1.example.com:/NetUsers,ou=Mounts,dc=example,dc=com
cn: srv1.example.com:/NetUsers
mountDirectory: /Network/Servers
mountOption: net
mountOption: url=="afp://;AUTH=NO%20USER%20AUTHENT@srv1.example.com/NetUsers
mountType: url
objectClass: mount
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
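As an added example (not code from the original post, nor from Netatalk or SME Server): the mount record above attaches `NetUsers` with `;AUTH=NO%20USER%20AUTHENT`, which is the AFP guest UAM (`No User Authent`), so the volume holding every user's home directory is mounted without credentials and access control rests entirely on the file permissions underneath it. The Python below builds the same kind of `mount` record and the two `apple-user-*` home attributes that the Directory Access mapping refers to, unfolds `ldapsearch` output (RFC 2849 folds long values onto continuation lines that begin with a single space), and reports which UAM a stored mount record will use, flagging the guest case. The `<home_dir><url>...</url><path>...</path></home_dir>` form of `apple-user-homeurl` is the one Apple's Open Directory documentation uses; the server, share and user names are constructed to match the post.

```python
"""Build and audit Apple network-home mount records for an OpenLDAP directory.

Added example, not code from the original post. Host, share and user names are
constructed to match srv1.example.com/NetUsers; nothing here contacts a server.
"""
from urllib.parse import quote, unquote, urlsplit

# AFP User Authentication Method (UAM) name that appears after ";AUTH=" in an
# afp:// URL. "No User Authent" is the guest UAM: the client mounts the volume
# without presenting any credentials at all.
GUEST_UAM = "No User Authent"


def afp_url(server, share, uam=GUEST_UAM):
    """afp:// URL that pins a UAM, e.g. afp://;AUTH=NO%20USER%20AUTHENT@host/share."""
    # Apple upper-cases the UAM name in mount records and %20-encodes the spaces.
    return "afp://;AUTH=%s@%s/%s" % (quote(uam.upper()), server, share)


def mount_record_ldif(server, share, base="dc=example,dc=com",
                      mount_dir="/Network/Servers", uam=GUEST_UAM):
    """LDIF for an Apple 'mount' record under ou=Mounts, shaped like the post's entry."""
    cn = "%s:/%s" % (server, share)
    lines = [
        "dn: cn=%s,ou=Mounts,%s" % (cn, base),
        "cn: %s" % cn,
        "mountDirectory: %s" % mount_dir,
        "mountOption: net",
        "mountOption: url==%s" % afp_url(server, share, uam),
        "mountType: url",
        "objectClass: mount",
        "objectClass: top",
    ]
    return "\n".join(lines) + "\n"


def home_attributes(user, server, share, mount_dir="/Network/Servers"):
    """Values for the two attributes the post maps in Directory Access:
    NFSHomeDirectory -> apple-user-homeDirectory (path under the automount point)
    HomeDirectory    -> apple-user-homeurl (Apple's <home_dir> XML form)."""
    url = "afp://%s/%s" % (server, share)
    return {
        "apple-user-homeDirectory": "%s/%s/%s/%s" % (mount_dir, server, share, user),
        "apple-user-homeurl": "<home_dir><url>%s</url><path>%s</path></home_dir>" % (url, user),
    }


def unfold_ldif(text):
    """Undo RFC 2849 line folding: a continuation line starts with one space."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def audit_mount_record(ldif_text):
    """Parse a mount record and report how the volume will be authenticated.

    Returns the AFP host, the share, the UAM named in the URL (None if the URL
    names none) and guest=True when the mount uses the No User Authent UAM.
    """
    report = {"host": None, "share": None, "uam": None, "guest": False}
    for line in unfold_ldif(ldif_text):
        if not line.startswith("mountOption: url=="):
            continue
        url = line[len("mountOption: url=="):].strip('"')
        parts = urlsplit(url)
        # Everything before '@' is the userinfo, which Apple uses for ';AUTH=...'.
        userinfo = parts.username or ""
        if userinfo.startswith(";AUTH="):
            report["uam"] = unquote(userinfo[len(";AUTH="):])
        report["host"] = parts.hostname
        report["share"] = parts.path.lstrip("/")
        report["guest"] = (report["uam"] or "").lower() == GUEST_UAM.lower()
    return report


# Constructed sample in the form `ldapsearch -LLL` prints it: long values are
# folded at 76 columns onto a continuation line that begins with a single space.
SAMPLE_LDIF = """\
dn: cn=srv1.example.com:/NetUsers,ou=Mounts,dc=example,dc=com
cn: srv1.example.com:/NetUsers
mountDirectory: /Network/Servers
mountOption: net
mountOption: url==afp://;AUTH=NO%20USER%20AUTHENT@srv1.example.com/Ne
 tUsers
mountType: url
objectClass: mount
objectClass: top
"""

if __name__ == "__main__":
    print(audit_mount_record(SAMPLE_LDIF))
    print(mount_record_ldif("srv1.example.com", "NetUsers", uam="DHX2"))
    print(home_attributes("craig", "srv1.example.com", "NetUsers"))
```

On a live directory, pipe the output of `ldapsearch -x -LLL -b 'ou=Mounts,dc=example,dc=com' '(objectClass=mount)'` into `audit_mount_record`; `-LLL` drops the comment lines so only the entries remain. A record that passes `guest=False` only means the client will have to authenticate to mount the volume; per-user access to the home directories underneath still depends on the permissions Netatalk enforces on the share.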
