Re: Authenticating Mac OSX (El Capitan) sign-ons to an OpenLDAP directory?
- To: Kevin Long <kevin.long@haloprivacy.com>
- Subject: Re: Authenticating Mac OSX (El Capitan) sign-ons to an OpenLDAP directory?
- From: Olivier <Olivier.Nicole@cs.ait.ac.th>
- Date: Mon, 05 Sep 2016 11:19:08 +0700
- Cc: openldap-technical@openldap.org
- In-reply-to: <64E5AD85-1888-414F-8F2B-D086B456B923@haloprivacy.com> (message from Kevin Long on Sat, 3 Sep 2016 20:08:02 +0000)
Kevin Long <kevin.long@haloprivacy.com> writes:
> It’s unclear to me whether I truly need to add the apple/samba schemas
> to OpenLDAP to appease OS X, or whether I can map more standard
> attributes from the cosine etc schema to whatever OS X is looking for.
All my users have samba schema (because I also use samba), but they do
not have apple schema.
They can still authenticate on the iMac.
The last time I reinstalled Mac OS X was El Capitan. I wrote the
following to remember what I needed to do:
https://www.cs.ait.ac.th/~on/technotes/archives/2015/12/02/configuring_mac_os_x_for_csim/index.html
The file mentioned there is below. It contains 3 parts:
- what LDAP server is managing the authentication, how to access it, I
am using LDAPS; you may have to change that for TLS
- what is the attribute mapping between Mac OS X's own version of LDAP and
real OpenLDAP
- the part about SASL disabled authentication: I cannot remember what it
means, but I know it was important (like I wasted way too much time to
figure that out).
I hope the information helps. It's free, but if you are hiring on that
problem, I can pretend I did not tell you and do the job :)
Best regards,
Olivier
Dict {
  mappings = Dict {
    template = LDAPv3
    function = ldap:translate_recordtype
    attributes = Array {
      objectClass
    }
    recordtypes = Dict {
      dsRecTypeStandard:Users = Dict {
        attributetypes = Dict {
          dsAttrTypeStandard:ModificationTimestamp = Dict {
            native = modifyTimestamp
          }
          dsAttrTypeStandard:Expire = Dict {
            native = shadowExpire
          }
          dsAttrTypeStandard:CreationTimestamp = Dict {
            native = createTimestamp
          }
          dsAttrTypeStandard:Change = Dict {
            native = shadowLastChange
          }
          dsAttrTypeStandard:UserShell = Dict {
            native = loginShell
          }
          dsAttrTypeStandard:PrimaryGroupID = Dict {
            native = gidNumber
          }
          dsAttrTypeStandard:RecordName = Dict {
            native = uid
          }
          dsAttrTypeStandard:UniqueID = Dict {
            native = uidNumber
          }
          dsAttrTypeStandard:Password = Dict {
            native = userPassword
          }
          dsAttrTypeStandard:Comment = Dict {
            native = description
          }
          dsAttrTypeStandard:RealName = Dict {
            native = gecos
          }
          dsAttrTypeStandard:NFSHomeDirectory = Dict {
            native = homeDirectory
          }
        }
        info = Dict {
          Group Object Classes = OR
          Object Classes = Array {
            posixAccount
            inetOrgPerson
            shadowAccount
          }
          Search Base = dc=cs,dc=ait,dc=ac,dc=th
        }
      }
      dsRecTypeStandard:People = Dict {
        attributetypes = Dict {
          dsAttrTypeStandard:RealName = Dict {
            native = gecos
          }
          dsAttrTypeStandard:MobileNumber = Dict {
            native = mobile
          }
          dsAttrTypeStandard:State = Dict {
            native = st
          }
          dsAttrTypeStandard:JobTitle = Dict {
            native = title
          }
          dsAttrTypeStandard:UserCertificate = Dict {
            native = userCertificate;binary
          }
          dsAttrTypeStandard:UserPKCS12Data = Dict {
            native = userPKCS12
          }
          dsAttrTypeStandard:Country = Dict {
            native = c
          }
          dsAttrTypeStandard:PagerNumber = Dict {
            native = pager
          }
          dsAttrTypeStandard:PostalCode = Dict {
            native = postalCode
          }
          dsAttrTypeStandard:Street = Dict {
            native = street
          }
          dsAttrTypeStandard:FirstName = Dict {
            native = givenName
          }
          dsAttrTypeStandard:OrganizationName = Dict {
            native = o
          }
          dsAttrTypeStandard:PhoneNumber = Dict {
            native = telephoneNumber
          }
          dsAttrTypeStandard:RecordName = Dict {
            native = cn
          }
          dsAttrTypeStandard:City = Dict {
            native = l
          }
          dsAttrTypeStandard:FAXNumber = Dict {
            native = facsimileTelephoneNumber
          }
          dsAttrTypeStandard:ModificationTimestamp = Dict {
            native = modifyTimestamp
          }
          dsAttrTypeStandard:UserSMIMECertificate = Dict {
            native = userSMIMECertificate
          }
          dsAttrTypeStandard:Building = Dict {
            native = buildingName
          }
          dsAttrTypeStandard:Department = Dict {
            native = departmentNumber
          }
          dsAttrTypeStandard:AddressLine1 = Dict {
            native = street
          }
          dsAttrTypeStandard:HomePhoneNumber = Dict {
            native = homePhone
          }
          dsAttrTypeStandard:LastName = Dict {
            native = sn
          }
          dsAttrTypeStandard:CreationTimestamp = Dict {
            native = createTimestamp
          }
          dsAttrTypeStandard:EMailAddress = Dict {
            native = mail
          }
          dsAttrTypeStandard:PostalAddress = Dict {
            native = postalAddress
          }
        }
        info = Dict {
          Group Object Classes = OR
          Object Classes = Array {
            inetOrgPerson
          }
          Search Base = dc=cs,dc=ait,dc=ac,dc=th
        }
      }
      dsRecTypeStandard:Mounts = Dict {
        attributetypes = Dict {
          dsAttrTypeStandard:VFSDumpFreq = Dict {
            native = mountDumpFrequency
          }
          dsAttrTypeStandard:CreationTimestamp = Dict {
            native = createTimestamp
          }
          dsAttrTypeStandard:VFSType = Dict {
            native = mountType
          }
          dsAttrTypeStandard:VFSLinkDir = Dict {
            native = mountDirectory
          }
          dsAttrTypeStandard:RecordName = Dict {
            native = cn
          }
          dsAttrTypeStandard:VFSPassNo = Dict {
            native = mountPassNo
          }
          dsAttrTypeStandard:VFSOpts = Dict {
            native = mountOption
          }
          dsAttrTypeStandard:ModificationTimestamp = Dict {
            native = modifyTimestamp
          }
        }
        info = Dict {
          Group Object Classes = OR
          Object Classes = Array {
            mount
          }
          Search Base = dc=cs,dc=ait,dc=ac,dc=th
        }
      }
      dsRecTypeStandard:CertificateAuthorities = Dict {
        attributetypes = Dict {
          dsAttrTypeStandard:AuthorityRevocationList = Dict {
            native = authorityRevocationList;binary
          }
          dsAttrTypeStandard:CreationTimestamp = Dict {
            native = createTimestamp
          }
          dsAttrTypeStandard:CertificateRevocationList = Dict {
            native = certificateRevocationList;binary
          }
          dsAttrTypeStandard:CrossCertificatePair = Dict {
            native = crossCertificatePair;binary
          }
          dsAttrTypeStandard:RecordName = Dict {
            native = cn
          }
          dsAttrTypeStandard:ModificationTimestamp = Dict {
            native = modifyTimestamp
          }
          dsAttrTypeStandard:CACertificate = Dict {
            native = cACertificate;binary
          }
        }
        info = Dict {
          Group Object Classes = OR
          Object Classes = Array {
            certificationAuthority
          }
          Search Base = dc=cs,dc=ait,dc=ac,dc=th
        }
      }
      dsRecTypeStandard:Automount = Dict {
        attributetypes = Dict {
          dsAttrTypeStandard:RecordName = Dict {
            native = automountKey
          }
          dsAttrTypeStandard:CreationTimestamp = Dict {
            native = createTimestamp
          }
          dsAttrTypeStandard:AutomountInformation = Dict {
            native = automountInformation
          }
          dsAttrTypeStandard:Comment = Dict {
            native = description
          }
          dsAttrTypeStandard:ModificationTimestamp = Dict {
            native = modifyTimestamp
          }
        }
        info = Dict {
          Group Object Classes = OR
          Object Classes = Array {
            automount
          }
          Search Base = dc=cs,dc=ait,dc=ac,dc=th
        }
      }
      dsRecTypeStandard:Groups = Dict {
        attributetypes = Dict {
          dsAttrTypeStandard:RecordName = Dict {
            native = cn
          }
          dsAttrTypeStandard:PrimaryGroupID = Dict {
            native = gidNumber
          }
          dsAttrTypeStandard:GroupMembership = Dict {
            native = memberUid
          }
          dsAttrTypeStandard:CreationTimestamp = Dict {
            native = createTimestamp
          }
          dsAttrTypeStandard:ModificationTimestamp = Dict {
            native = modifyTimestamp
          }
          dsAttrTypeStandard:Member = Dict {
            native = memberUid
          }
        }
        info = Dict {
          Group Object Classes = OR
          Object Classes = Array {
            posixGroup
          }
          Search Base = dc=XXXXXXXXXXXXXXXXXXXXXXXXXXXX
        }
      }
      dsRecTypeStandard:AutomountMap = Dict {
        attributetypes = Dict {
          dsAttrTypeStandard:RecordName = Dict {
            native = automountMapName
          }
          dsAttrTypeStandard:CreationTimestamp = Dict {
            native = createTimestamp
          }
          dsAttrTypeStandard:ModificationTimestamp = Dict {
            native = modifyTimestamp
          }
          dsAttrTypeStandard:Comment = Dict {
            native = description
          }
        }
        info = Dict {
          Group Object Classes = OR
          Object Classes = Array {
            automountMap
          }
          Search Base = dc=XXXXXXXXXXXX
        }
      }
    }
  }
  trusttype = anonymous
  module options = Dict {
    AppleODClient = Dict {
      Server Mappings = false
    }
    ldap = Dict {
      Use DNS replicas = false
      Denied SASL Methods = Array {
        DIGEST-MD5
        GSSAPI
        CRAM-MD5
        NTLM
      }
      Template Search Base Suffix = dc=XXXXXXXXXXXXXXXXXX
    }
  }
  node name = /LDAPv3/ldap2.cs.ait.ac.th
  description = CSIM
  options = Dict {
    man-in-the-middle = false
    connection setup timeout = 15
    destination = Dict {
      other = ldaps
      host = ldap2.cs.ait.ac.th
      port = 636
    }
    packet encryption = 3
    no cleartext authentication = true
    packet signing = 1
    query timeout = 120
    connection idle disconnect = 120
  }
  template = LDAPv3
  uuid = XXXXXXXXXXXXXXXXXXXXXX
}
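The practical question in the thread is which OpenLDAP attributes a user entry must carry for the mapping above to work without the Apple schema. As an added example (not code from the post or from Apple's tooling), the following parses the `Dict { key = value }` dump format into Python structures and reports which mapped macOS attributes are missing from a given entry; `SAMPLE_DUMP`, `parse_dsdump` and `missing_attrs` are constructed here, and the sample is a cut-down excerpt of the posted mapping.

```python
# Added example, not code from the post: parse the dscl-style dump shown above
# and check which OpenLDAP attributes a user entry needs under that mapping.
# Constructed excerpt of the posted mapping, cut down to two Users attributes.
SAMPLE_DUMP = """Dict {
mappings = Dict {
recordtypes = Dict {
dsRecTypeStandard:Users = Dict {
attributetypes = Dict {
dsAttrTypeStandard:RecordName = Dict {
native = uid
}
dsAttrTypeStandard:NFSHomeDirectory = Dict {
native = homeDirectory
}
}
}
}
}
}"""

def parse_dsdump(text):
    """Turn the brace-delimited dump into nested dicts/lists; indentation is irrelevant."""
    root, stack = None, []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line == "}":                      # close the innermost container
            stack.pop()
        elif line.endswith("{"):             # "key = Dict {", "key = Array {" or bare "Dict {"
            key, _, kind = line[:-1].rpartition("=")
            node = {} if kind.strip() == "Dict" else []
            if not stack:
                root = node
            elif isinstance(stack[-1], list):
                stack[-1].append(node)
            else:
                stack[-1][key.strip()] = node
            stack.append(node)
        elif isinstance(stack[-1], list):    # bare item inside an Array
            stack[-1].append(line)
        else:                                # "key = value" inside a Dict ('=' may recur in value)
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return root

def missing_attrs(cfg, entry, rectype="dsRecTypeStandard:Users"):
    """macOS attributes of `rectype` whose mapped OpenLDAP attribute is absent from
    `entry` (attribute name -> values); options such as ';binary' are ignored."""
    mapping = cfg["mappings"]["recordtypes"][rectype]["attributetypes"]
    present = {name.split(";")[0].lower() for name in entry}
    return sorted(std for std, m in mapping.items()
                  if m["native"].split(";")[0].lower() not in present)
```

Run it against the full dump from the message and an entry pulled with ldapsearch to see at once which of `posixAccount`/`shadowAccount`/`inetOrgPerson` attributes the client will look for and not find.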