<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Colin.Guthr.ie &#187; apple</title>
	<atom:link href="http://colin.guthr.ie/tag/apple/feed/" rel="self" type="application/rss+xml" />
	<link>http://colin.guthr.ie</link>
	<description>Illegitimi non carborundum</description>
	<lastBuildDate>Thu, 03 Nov 2011 14:04:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Integrating Login and Home Directory on OS X Leopard Clients</title>
		<link>http://colin.guthr.ie/2009/07/integrating-login-and-home-directory-on-os-x-leopard-clients/</link>
		<comments>http://colin.guthr.ie/2009/07/integrating-login-and-home-directory-on-os-x-leopard-clients/#comments</comments>
		<pubDate>Mon, 27 Jul 2009 15:58:01 +0000</pubDate>
		<dc:creator>Colin</dc:creator>
				<category><![CDATA[Development]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[ldap]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[mandriva]]></category>
		<category><![CDATA[nfs]]></category>
		<category><![CDATA[osx]]></category>

		<guid isPermaLink="false">http://colin.guthr.ie/?p=95</guid>
		<description><![CDATA[I've recently been dabbling in OS X related stuff. One of the things that is important to me is ensuring that my login details and users can use the OS X machine just the same as any other. Not that I really have any need for this, seeing as I'm pretty much the only user, [...]]]></description>
			<content:encoded><![CDATA[<p>I've recently been dabbling in OS X related stuff. One of the things that is important to me is ensuring that my login details and users can use the OS X machine just the same as any other. Not that I really have any need for this, seeing as I'm pretty much the only user, but I like to learn these things :) <span id="more-95"></span>So I've been using LDAP for a while (again, just because I can) and so I figured configuring login details would be easy. Well, it's not totally easy, but it's also not too hard. One of the first things to note is that the default LDAP schemas etc. on Mandriva are probably a little old fashioned these days. It seems Apple and others are pushing ahead with the RFC2307 spec for user accounts etc. The good news is that it seems pretty easy to support this with a few minor modifications.</p>
<h2>Configuring OpenLDAP on Mandriva 2009.1</h2>
<p>First up, install the openldap-extra-schemas package. This contains the apple.schema needed to make things work. This schema builds on the outdated samba (2) schema, which has now sadly been replaced with an updated version for samba3. I guess this will change in the future, but for the time being I hacked the necessary attribute definitions into a schema that I include prior to the apple one. Here are the changes I made to the default /etc/openldap/slapd.conf file:</p>
<pre>--- etc/openldap/slapd.conf	2009-07-27 16:22:58.000000000 +0100
+++ /etc/openldap/slapd.conf	2009-07-25 15:58:56.000000000 +0100
@@ -15,11 +15,11 @@
 include	/usr/share/openldap/schema/krb5-kdc.schema
 include /usr/share/openldap/schema/kerberosobject.schema
 include	/usr/share/openldap/schema/misc.schema
-include	/usr/share/openldap/schema/nis.schema
+#include	/usr/share/openldap/schema/nis.schema
 include	/usr/share/openldap/schema/openldap.schema
-include /usr/share/openldap/schema/autofs.schema
+#include /usr/share/openldap/schema/autofs.schema
 include /usr/share/openldap/schema/samba.schema
-include /usr/share/openldap/schema/kolab.schema
+#include /usr/share/openldap/schema/kolab.schema
 include /usr/share/openldap/schema/evolutionperson.schema
 include /usr/share/openldap/schema/calendar.schema
 include /usr/share/openldap/schema/sudo.schema</pre>
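<p>Review bot: the `-include /usr/share/openldap/schema/nis.schema` and `-include /usr/share/openldap/schema/autofs.schema` lines remove the schema files that currently supply the account and automount definitions, but nothing in this hunk adds the rfc2307bis.schema that is meant to replace them; the hunk (or the surrounding text) should show that the include of local.schema, where rfc2307bis.schema is pulled in, sits after these lines, because slapd will refuse to start if a later schema or an existing entry references an object class that is no longer loaded. Also note the file headers: the `+++` copy is timestamped 2009-07-25 while the `---` copy is 2009-07-27, so double-check the diff was generated in the intended direction (the `+`/`-` content does match the prose, so this is cosmetic).</p>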
<p>As you can see, the nis, autofs and kolab schemas have all been disabled. Both nis and autofs are covered by RFC2307. I only disabled kolab because it builds on some of the definitions from those other two and thus caused errors on startup. I don't use kolab so this isn't a problem, and it is no doubt quite simple to fix those errors.</p>
<p>As I like to keep changes to system config files to a minimum, I didn't change things much more than that. There is a file, /etc/openldap/schemas/local.schema, in which I did the real work. Here are the contents of that file:</p>
<pre># This is a good place to put your schema definitions
include /home/setup/ldap/schemas/mozilla.schema

# (cg) This schema is needed for OSX Automount integration.
# In order to activate it, you need to disable the following in slapd.conf:
#  o nis.schema
#  o autofs.schema
#  o kolab.schema
include /usr/share/openldap/schema/rfc2307bis.schema

# pre-apple.schema supplies the samba2 and commented-out apple attributes
# that apple.schema expects, so it must come first.
include /etc/openldap/schema/pre-apple.schema
include /usr/share/openldap/schema/apple.schema</pre>
<p>The rfc2307bis and apple schemas are part of the openldap-extra-schemas package mentioned above. The pre-apple one I crafted myself, based on comments on other blogs and on the fact that our samba schema is now version three. Here is my pre-apple.schema file:</p>
<pre>#ident $Id: apple.schema,v 1.42 2005/01/27 23:40:38 jtownsen Exp $
#
# Preliminary Apple OS X Native LDAP Schema
# This file is subject to change.
#

# (cg) Some definitions needed prior to including the apple.schema
# See: http://mattfleming.com/node/190#comment-656
# Both the below sections are included (but commented) in the official
# apple.schema in the openldap-schemas-extra package.

# ===== From (historical) samba.schema

##
## Account flags in string format ([UWDX     ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags'
 DESC 'Account Flags'
 EQUALITY caseIgnoreIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )

##
## Password timestamps &amp; policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet'
 DESC 'NT pwdLastSet'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime'
 DESC 'NT logonTime'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime'
 DESC 'NT logoffTime'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime'
 DESC 'NT kickoffTime'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange'
 DESC 'NT pwdCanChange'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange'
 DESC 'NT pwdMustChange'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#
# string settings
#
attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive'
 DESC 'NT homeDrive'
 EQUALITY caseIgnoreIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath'
 DESC 'NT scriptPath'
 EQUALITY caseIgnoreIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath'
 DESC 'NT profilePath'
 EQUALITY caseIgnoreIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations'
 DESC 'userWorkstations'
 EQUALITY caseIgnoreIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome'
 DESC 'smbHome'
 EQUALITY caseIgnoreIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

#
# user and group RID
#
attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid'
 DESC 'NT rid'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
 DESC 'NT Group RID'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# ==== From (commented out) apple.schema

#
# Authentication authority attribute 1.3.6.1.4.1.63.1000.1.1.2.16.1
#
attributetype (
 1.3.6.1.4.1.63.1000.1.1.2.16.1
 NAME 'authAuthority'
 DESC 'password server authentication authority'
 EQUALITY caseExactIA5Match
 SUBSTR caseExactIA5SubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

#
# ACL object attributes 1.3.6.1.4.1.63.1000.1.1.1.21
#
attributetype (
 1.3.6.1.4.1.63.1000.1.1.1.21.1
 NAME 'apple-acl-entry'
 DESC 'acl entry'
 EQUALITY caseExactMatch
 SUBSTR caseExactSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )</pre>
<p>So with all that done, I was able to restart my LDAP server without any errors. That is not to say that the data in it is any good, but it seemed to work for me. I've not tried creating new users etc. yet though, so problems could still come out of the woodwork!</p>
<h2>Configuring OS X For LDAP Authentication</h2>
<p>This topic is really rather well <a href="http://mattfleming.com/node/190">covered already</a>, and it's actually very trivial. Just use "Directory Utility" to add the remote server: first show the Advanced controls and create an LDAPv3 definition for your server, selecting the RFC2307 mappings. I didn't do any custom mappings on top of this; I just left everything at the defaults. Once you've done this you can add your server as a new source and everything should work. You can verify this with the "id" command in the terminal: just pass in an LDAP username and it should give you their details.</p>
<p>Quite simple so far, huh? Well, that is only half the story. The second part is mounting the home directory.</p>
<h2>Mounting Home Directory via LDAP Provided AutoFS Information</h2>
<p>Big thanks go to Rajeev Karamchedu for his <a href="http://rajeev.name/blog/2007/12/09/integrating-leopard-autofs-with-ldap/">excellent series of posts</a> on this topic. The information he gives is pretty much bang on. The most important parts are about using the new autofs schema (three options are given in the Mandriva autofs package, but Apple only supports one), and the fact that the definition <strong>must</strong> live at the base dn. This is annoying as I'd rather it lived inside ou=Mounts, but such is life. Hopefully Apple will support this in due course. One important deviation from Rajeev's post (and I'm not sure if this is just due to newer versions of OS X) is that I could not use the automountKey=/ syntax for defining my home directories. I had to use * in place of /. This makes sense, as it is the default wildcard for just about everything, but it's still a deviation.</p>
<p>You should also make sure that the "insecure" option is added to the /etc/exports file on the NFS server. OS X mounts come from a port number &gt; 1024, so this option is needed. In a private network it's not really as insecure as the name suggests (the option only lifts the requirement that client requests come from a privileged port; it doesn't change which hosts the export is visible to), so don't lose too much sleep over it :) I'd recommend testing a manual NFS mount first. In actual fact, I would strongly recommend this, as I found a rather annoying infinite loop in the autofs stuff: it continually tried to mount /home/.DS_Store over and over when I didn't have the insecure option set. I'm not sure why it did this, but I had to kill automountd to stop it.</p>
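<p>To make the layout described above concrete, here is an added LDIF example (not from the post or from Rajeev's series) showing the master map and the wildcard home map placed directly under the base DN, plus a user whose homeDirectory falls under the automounted /home. The base DN dc=example,dc=com, the server name nfs.example.com, the map names and the user are all assumptions; the automountMap and automount object classes are the rfc2307bis ones loaded by the slapd.conf changes earlier in the post.</p>

```ldif
# Constructed example (not the post's own data). Assumed: base DN
# dc=example,dc=com, NFS server nfs.example.com, maps auto_master/auto_home.

# The master map has to sit directly under the base DN (not under
# ou=Mounts) for OS X Leopard to find it.
dn: automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_master

# Mount point /home is served by the auto_home map.
dn: automountKey=/home,automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /home
automountInformation: auto_home

# The per-user map, also at the base DN.
dn: automountMapName=auto_home,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_home

# Wildcard entry: OS X wants '*' here rather than '/'. '&' expands to the
# key that was looked up, so user 'alice' gets nfs.example.com:/home/alice.
dn: automountKey=*,automountMapName=auto_home,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: *
automountInformation: nfs.example.com:/home/&

# A user entry (constructed) whose home lives under the automounted /home.
# posixAccount is auxiliary, so a structural class (person) is required.
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
cn: Alice Example
sn: Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
```

<p>After loading this with ldapadd, "id alice" on the client should resolve the account and the first access to /home/alice should trigger the NFS mount; the server's /etc/exports still needs the host restriction and the "insecure" option discussed above.</p>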
<h2>Conclusion</h2>
<p>So things work. It wasn't all that hard, and now I have login and auth for my network users on OS X. I've not tried getting autofs working again with Linux clients under the new structure imposed by OS X. It does support the structure, but I'm not sure if the location (i.e. not under ou=Mounts) or the wildcard will cause problems (the former is configurable on Linux, so it shouldn't be a problem).</p>
<p>Apple could do better with their LDAP lookup (e.g. support a search base!), but all in all it's pretty good.</p>
<p>Thanks go to Matt Fleming and Rajeev Karamchedu for their excellent writeups. Hope this regurgitation helps some people in similar situations.</p>
]]></content:encoded>
			<wfw:commentRss>http://colin.guthr.ie/2009/07/integrating-login-and-home-directory-on-os-x-leopard-clients/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>

