Mac OSX Authentication against OpenLDAP

Configuring a Mac OSX machine to authenticate users against a Linux-based OpenLDAP server can be slightly tricky. This page is intended to document my experiences. The configuration described here provides simple authentication services and may not be suitable for enterprise level scenarios.

Configuring OpenLDAP

Disable SASL

Mac OSX always attempt to authenticate the LDAP session through SASL (Simple Authentication and Security Layer) if at all possible and OpenLDAP will allow it to try. Note that we are referring to authenticating the LDAP session itself, rather than actually authenticating the login request. We prevent OpenLDAP advertising that it supports SASL through the slapd.conf option:

sasl-secprops noplain,noanonymous,noactive

An alternative way to prevent OSX trying to authenticate the session using SASL (works for Leopard, does not work for Tiger) is to use the access control policy:

access to dn.exact="" attrs=supportedSASLMechanisms by * none

Note: After making this ACL change, any OSX workstations configured to use LDAP will require rebooting as OSX caches the value.
Adding the Apple schema

To use many of the features provided by Apple’s own LDAP server, the apple.schema LDAP schema is required. This should be placed in /etc/ldap/schema and included in the slapd.conf:

include /etc/ldap/schema/apple.schema

The version above has been tweaked in relation to the version supplied elsewhere on the internet to actually work. The original version supplied with Tiger is available here. In particular, the tweaked version includes the fields for automounting NFS home directories.

After updating the configuration file, restart the LDAP server

/etc/init.d/slapd restart

Ldapvi is a useful tool for editing LDAP directories.

Populating the Directory

It is first necessary to populate the LDAP tree with core OUs and objects…

Creating a User

We will create a user which contains the necessary data to allow authentication. First create the entry and add the necessary object classes. We add a new entry using ldapvi:

add uid=<username>,ou=People,dc=example,dc=co,dc=uk
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user

Next create the basic user information as for standard Linux PAM authentication:

givenName: John
cn: John Smith
displayName: John Smith
sn: Smith
uid: jsmith
uidNumber: 10001
gidNumber: 10001
mail: *protected email*
loginShell: /bin/bash
homeDirectory: /home/jsmith
userPassword: {SSHA}m2srVSPlnkoYcAa8MjkxpPqiIcpTp2pq

The following are Apple-specific fields.

authAuthority: ;basic;
apple-user-homeDirectory: /Network/Servers/example.co.uk/home/jsmith
apple-user-homeurl:; <home_dir><url>afp://example.co.uk/home</url><path>jsmith</path></home_dir>

If Samba support is required see here.

Once you have created an entry for a user, remember to create their home directory in /home. If you have not already done so, you should export the home directories using NFS.

Configure the Mac OSX Client

This procedure typically differs depending on the version of OSX used. On Leopard, LDAP authentication is configured using the Directory Access utility from the Utilites group.

  • Open the Directory Access box and enter the administrator password to make changes.
  • Enabled the LDAPv3 option.
  • Configure the LDAP authentication, providing the IP address of the LDAP server.
  • From the mappings section, choose the UNIX mappings option (RFC).

You should now be able to authenticate through LDAP. This is most easily tested from a terminal on the client, for example

ssh jsmith@localhost

If your home directory is unavailable, ensure /home is mounted:

mount xxx.xxx.xxx.xxx:/home /home

When SSH login is working correctly, you can try logging into the graphical environment, whereby a default profile should be created automatically in your NFS mounted home directory.

Article last modified on January 26, 2014 at 3:31 pm.

Leave a Reply

Your email address will not be published. Required fields are marked *