No finnish version

How to integrate MacOS X with E-directory.

New MacOS 10.1.3 cames with LDAP support. It's posible to use Novell E-directory to authenticate macintosh users. With Native File Access Pack its posible to host macintosh files and home directorys on Netware server. This documen is based information from news://support-forums.novell.com, www.macosxlabc.org , help of other peoples and my own experiences with combination of MacOSX 10.1.3 and Netware 5.1.

This documentation is more like diary, I will add information here when I get some progress on MAC/NW integration project.

3.4.2002 I get finaly get authentication and network homedirectories working. Next I'll try to use SSL between workstations and LDAP-server.

Petri Aikainen

Changes:

12.6.2002

www.macosxlabs.org have good documentation about macosx and novell integration.

19.5.2002

Added one critical bug more to 7. Bugs and features section.

19.4.2001

Added comments to section 2.1.

3.4.2002

Finaly I get network homedirectories working. Lots of updates.

21.3.2002

Get some progress with mount objects. Updated section 6.

19.3.2002

Corrected mistake from attribute mappings. Home diretory was wrongly mapped. After this you can login with local homedirectory.

19.3.2002

Removed apples sample OIDs from section 1.3. as suggested by Jefferey D Sessler. Added new 7. Bugs&Features section to collect addition information of Apples LDAP implementation.

18.3.2002

Initial version.

Content (Quick how to):

1.Prepare server

1.1. Install NFAP for Macintosh to get File connectivity

1.2. Install NFAP for Unix to get standard unix attributes

1.3. Create attributes for Mount-objects

1.4.Create aux-class formount-Object

2. Prepare LDAP-server

2.1. Define LDAP-mappings

3. Create E-directory objects

3.1. Create context for mount-objects

3.2. Create mount object

3.3. Add user attributes

4. MacOS Directory Setup

4.1. Identify:

4.2. Record setup

4.3. Data setup

4.4. Access setup

4.5. Authentication setup

5. Testing setup

5.1. Using lookupd -d

5.2. Using dstrace on server console

6. Current situation

7. Bugs and features

8. References

1. Prepare server

Netware 5.1 server should be patched at least:

Supportpack 4
tcp590n.exe TCPIP patch
nfap1sp1.exe NFAP support pack 1

If you like to host homedirectorys on Netware 5.1 server download also Netware 6 supportpack 1 and take afptcp-modules from it.

1.1. Install NFAP for Macintosh to get File connectivity

Nothing special here, just install it and patch to nfap1sp1 (and modules from netware 6).

1.2. Install NFAP for Unix to get standard unix attributes

Nothing special here, you dont need to create unix NIS-domains. Just install product to get schema extensions. NFAP for mac and NFAP for unix can be installed on same time.

1.3. Create other missing attributes for Mount-objects

To use afpmount-object you will need aux-class for them. Attributes used by afpmount-class have to be created before you can make afpmount-class itself. Use ConsoleOne -> Tools -> Schema Manager to create them. Create attributes as:

vfsdir, Case sensitive string, single valued
vfsopts, Case sensitive string
vfstype, Case sensitive string , single valued

1.4.Create aux-class for mount-object

When attributes are ready, use Schema Manager to create new aux-class "afpmount". Define cn as required and vfsdir, vfsopts and vfstype as optional attributes.

2. Prepare LDAP-server

2.1. Define LDAP-mappings

Comments from Jeffrey Sessler: Also, I was reviewing your page again and I noticed the section on2.1 Define LDAP-mappings. You don't need to do this unless you want to rename the attributes. The eDir LDAP server will automatically strip off illegal characters so that "UNIX:UID" is passed thru as "UNIXUID" without the need for the mappings. I'd also suggest not renaming anything so that the LDAP stays as generic as possible. Better to map the OSX "NFSHomeDirectory" to the edir "uNIXHomeDirectory" then to rename it on every LDAP server you are running.

For LDAP server group-object define attribute mappings as:

Table1: LDAP to NDS-mappings

E-Directory	LDAP
User attributes
uniqueID	UID
UNIX:UID	unixUID
UNIX:GID	unixGID
Full Name	fullName
UNIX:Home Directory	unixHome
Some unused attribute or create new with aux-class	afpHome
Mount attributes
vfsdir	vfsdir
vfstype	vfstype
vfsopts	vfsopts

3. Create and configure e-directory objects

You can skip all moutobject tasks if yo dont try to implement them

3.1. Create context for mount-objects

3.2. Create mount object

In ConsoleOne create new object. I used "AFP-server"-class. Give name in form 172.21.x.x:/FS1.VOL1. It's good idea to create all mount objects on one context. Then right click object on ConsoleOne, select Extensions of this object. Add afpmount-class. Then open object-properties, select "Other" page and add vfs* attributes and values.

Table 2: Example mount-object values

NDS-attribute	Value
cn	172.21.x.x:/FS1.VOL1
vfsdir	/Network/Servers
vfstype	url
vfsopts	net url==afp://;AUTH=NO%20USER%20AUTHENT@172.21.x.x/FS1.VOL1

Notice that vfsopts have 2 values.

I have to use servers ip-addresses on object-name (cn) and vfsopts to make it work. When using dots when renaming objects on ConsoleOne you have to give them in form 172\.21\.x\.x:/FS1\.VOL1

3.3. Add user attributes

Select userobject and modify it on ConsoleOne.

Table 3: Example user attributes

NDS-attribute	Value
UNIX:UID	1001
UNIX:GID	301
UNIX:Home	/Network/Server/172.21.x.x./FS1.VOL1/Homes/Username
Attribute mapped to afpHome	<home_Dir><url>afp://172.21.x.x/FS1.VOL1</url>>path>Homes/Username</path></home_Dir>

Notice that I (and propably you too) have to use server ip-addresses instead of domainnames.

4. MacOS Directory Setup

Open Directory setup on macintosh.

4.1. Identify:

Name: LDAP-NETWARE

Server: my.ldap.server.domain.name

4.2. Record setup

I removed all unneeded record maps , leaving only:

Users: ou=myusers, o= myorganisation

Mounts: ou=afpmounts,o=myorganisation

4.3. Data setup

I removed all unneeded data maps , leaving only:

MacOS X	LDAP
RecordName	cn UID
UniqueID	unixUID
Primary GroupID	unixGUD
RealName	fullName
NFSHomeDirectory	unixHome
HomeDirectory	afpHome

4.4. Access setup

Set up as you like , I use anonymous bind. SSL connection should be done with tunneling-software on mac-side.

4.5. Authentication setup

Open authentication page. Select "Custon path" and add your ldap-service to authentication path.

5. Testing your setup

5.1. Using lookupd -d

On mac, open shell-window. On command prompt give following commands:

[machine] user% lookupd -d

lookupd version 233.2 (root 2002.01.09 02:03:51 UTC)
Enter command name, "help", or "quit" to exit
> userWithName: Asikainen_Petri
Dictionary: "DS: user Asikainen_Petri"
_lookup_DS_timestamp: 1017989925
_lookup_info_system: DirectoryServices
gid: 301
home: /Network/Servers/172.21.x.x/FS1.VOL1/Homes/Asikainen_Petri
home_loc: <home_Dir><url>afp://172.21.x.x/FS1.VOL1</url><path>Homes/Asikainen_Petri</path></home_Dir>
name: Asikainen_Petri asikainp
passwd: ********
uid: 2008
+ Category: user
+ Time to live: 43200
+ Age: 0 (expires in 43200 seconds)
+ Negative: No
+ Cache hits: 0
+ Retain count: 5

5.2. Using dstrace on server console

You can use DSSTACE ON; DSTRACE -ALL; DSTRACE +LDAP to trace LDAP querys on server console.

6. Current situation

6.1. Login with netware homedirectory is working

6.2. SSL connection to LDAP server is work in prograss.

7. Bugs&Features

General LDAPv2 plugin-issue

Right now some users can authenticate and some them cannot. I'm not sure but it looks like LDAPv2-plugin does not handle all search-results correctly. If search-result is "big" more than 2 packects, LDAPv2-plugin gets confused and users cannot authenticate. Right now I know two workarounds,second is untested.

Limit search-responses size by limiting ldapproxy-user rights to only needed attributes. 1. Put ldap-proxy-user to it's own container. 2. IR-filter all rights off from container. 3. Add rights proxy-user to read macos-x related attributes from needed containers.
Update LDAPv2 plugin to version 1.2 or greater. Source is avaible at http://www.opensource.apple.com/cgi-bin/registered/cvs/DSLDAPPlugIn/LDAPv2/ and latest update is about "Implemented the expanded buffer capacity for Attr data blocks and Attr values...". You will need April 2002-MacosX develeloper tools to compile it. They are avaible at same place.

Aliasies

18.3.2002 by Jeffrey D Sessler:I can authenticate all day long to the NetWare LDAP server. I did find an issue where if a user object has an "alias" in the search path OSX would not authenticate. Once you tried to authenticate with this type of user, OS X would never authenticate any users until I restarted it.

Login/ su from command prompt

Right now you cannot use login or su at command prompt to LDAP-account on fly. Thoso tools propably needed some pathes to support LDAP-authentication.

Command prompt

After authentication to LDAP, I can't open terminal window with LDAP-account. But giving local netinfo-account information to login: promp works fine.

NFAP homedirectorys, RecordName

Macintosh Directory setup -> Data mappings -> RecordName . You have to use cn as first mapping attribute if it is different than NDS-UniqueID. Mac will use first attribute on this mapping to authenticate to NFAP-server.

8. References

www.darvin.org Apples open source kernel project. Links to documentation and mailing lists.

www.apple.com Support forums and documentation.

www.macosxlabs.org Lot of information based on real experience. See forums and documentation section.

support-forums.novell.com Novells excelent diccussion forum. See group novell.support.ds.ldap. I prefer use of NNTP-interface over http with reader like Mozilla.