OpenLDAP on Linux for Apple Clients?
groovemaneuver asks: "I've managed to get a working OpenLDAP directory running on my network. Linux, Windows, and Apple boxes are all happily authenticating. I have imported the 'apple.schema' file to the LDAP server from one of my Macs, but I cannot seem to find any info on the proper syntax for the various apple schema attributes. Anyone have any idea where one could find this? This is the one obstacle keeping my network from having a single source of authentication, and I'm sure this info would be useful to more than just myself. Thanks!"
Apple discussions pages have some hits. Relevant? (Score:4, Informative)
You need to check MacOS X Secrets. (Score:5, Informative)
Integrating Mac OS X with Active Directory [sc.edu] BTW this also includes using secure LDAP authentication!
A quick search at Mac OS X Hints turns up some useful sources too. [macosxhints.com]
Re:Redundant. (Score:2, Informative)
for Linux
and, for the Macs
Look in NetInfo, or just use RFC 2307 (Score:5, Informative)
Probably easier is to just use the LDAP values you already have in the RFC 2307 schema for your Linux machines, and set the Mac OS X machines to use the RFC 2307 schema by using the Directory Access application.
--Paul
Re:Stream of consciousness (Score:3, Informative)
www.padl.com is one of the best LDAP resources around. Luke Howard's been at this longer than anyone!
Re:LDAP warning (Score:3, Informative)
Your experience highlights the problem with the technology - it's new, raw, fast-moving, and there is a tremendous amount of conflicting and poorly organized documentation that can be physically painful to try to sort out.
I never found any "how to" that reflected the current state of the art - I found how-tos for the current version of samba and an old version of OpenLDAP, or the current OpenLDAP and older samba, etc. ad nauseam, but nothing totally up-to-date. You have to be a bona fide hacker to get it going at this point in a real production environment.
A couple of small examples: Red Hat 7.3 doesn't ship LDAP-enabled RPMs; you have to unroll their source, modify the spec file, then roll your own samba-ldap.
As for your conundrum: you write scripts (using Perl, or awk if you have uberhacker chops) to turn your existing data into LDIF format as defined by your schema files (if slapd runs, you have schema files). Turn slapd off and use the slapadd program to batch-load your LDIFs into the database. Then turn slapd back on again, put nss_ldap in your name service switch configuration and pam_ldap in your pluggable authentication modules configuration, and you are up and running.
You don't use ldapadd on the running database because it's insufferably slow. LDAP databases are optimized for READ access not WRITE access which makes sense if you think about it. Use slapadd with the daemon turned off instead.
And don't put your root and daemon accounts into LDAP. Have them in the local
Integrating samba gets harder. You have to learn how to protect the database, which is still a "trail of errors" technique even if you know Backus-Naur, but it's essential because the MS Windows password hashes are trivially crackable.
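The migration step that post describes (and the RFC 2307 entries the earlier "Look in NetInfo, or just use RFC 2307" reply recommends for sharing one directory between Linux and Mac OS X), as an added example that is not from either post: a Python script that turns passwd/shadow/group records into LDIF for slapadd, leaving root and daemon in the local files. The base DN dc=example,dc=com, the ou=People and ou=Group containers, the 500 cutoff for system ids and the sample records are all assumptions made for the example.

```python
"""
Added example (not from the thread above): convert /etc/passwd, /etc/shadow
and /etc/group records into RFC 2307 LDIF for slapadd, the way the post
describes, skipping the system accounts that should stay in local files.
Assumptions (hypothetical): base DN dc=example,dc=com, users under
ou=People, groups under ou=Group, and uid/gid numbers below 500 are local.
The object classes match what PADL's migrationtools emit
(account + posixAccount + shadowAccount, posixGroup).
"""
import base64

LOCAL_ACCOUNTS = {"root", "daemon"}   # never migrated, per the post above
MIN_ID = 500                          # ids below this stay in local files

# Constructed sample records; the hashes are placeholders, not real credentials.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1001:1001:Alice Liddell,Room 12:/home/alice:/bin/bash
bjorn:x:1002:1001:Björn Example:/home/bjorn:/bin/zsh
"""
SHADOW = """root:$1$rootsalt$rootplaceholderhash:12000:0:99999:7:::
alice:$1$xyzw$WDH3kKqfBlxCVJpKdQ4LS.:12000:0:99999:7:::
bjorn:!$1$lock$lockedplaceholderhash:12000:0:99999:7:::
"""
GROUP = """root:x:0:
staff:x:1001:alice,bjorn
admins:x:1002:alice
"""


def ldif_attr(name, value):
    """One LDIF line; base64 (':: ') when RFC 2849 forbids the raw value."""
    needs_b64 = (not value.isascii() or value[:1] in (" ", ":", "<")
                 or value.endswith(" ") or any(c in value for c in "\0\r\n"))
    if needs_b64:
        return "%s:: %s" % (name, base64.b64encode(value.encode()).decode())
    return "%s: %s" % (name, value)


def records(text, nfields):
    """Split colon-separated file lines into exactly nfields fields."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":", nfields - 1)


def user_entry(fields, shadow, base_dn):
    name, _, uid, gid, gecos, home, shell = fields
    lines = [ldif_attr("dn", "uid=%s,ou=People,%s" % (name, base_dn)),
             "objectClass: top", "objectClass: account",
             "objectClass: posixAccount", "objectClass: shadowAccount",
             ldif_attr("uid", name),
             ldif_attr("cn", gecos.split(",")[0] or name),
             "uidNumber: %s" % uid, "gidNumber: %s" % gid,
             ldif_attr("homeDirectory", home), ldif_attr("loginShell", shell)]
    if gecos:
        lines.append(ldif_attr("gecos", gecos))
    h = shadow.get(name, "")
    # Locked ('!' / '*') or absent hashes get no userPassword at all, so the
    # entry cannot be logged into until an admin sets one with ldappasswd.
    if h and not h.startswith(("!", "*")):
        lines.append(ldif_attr("userPassword", "{CRYPT}" + h))
    return "\n".join(lines) + "\n"


def group_entry(fields, base_dn):
    name, _, gid, members = fields
    lines = [ldif_attr("dn", "cn=%s,ou=Group,%s" % (name, base_dn)),
             "objectClass: top", "objectClass: posixGroup",
             ldif_attr("cn", name), "gidNumber: %s" % gid]
    lines += [ldif_attr("memberUid", m) for m in members.split(",") if m]
    return "\n".join(lines) + "\n"


def convert(passwd, group, shadow, base_dn, min_id=MIN_ID):
    """Return LDIF for slapadd: containers first, then users, then groups."""
    hashes = dict((f[0], f[1]) for f in records(shadow, 9))
    dc = base_dn.split(",")[0].split("=", 1)[1]      # assumes a dc=...,dc=... base
    out = ["dn: %s\nobjectClass: dcObject\nobjectClass: organization\n"
           "dc: %s\no: %s\n" % (base_dn, dc, dc),
           "dn: ou=People,%s\nobjectClass: organizationalUnit\nou: People\n" % base_dn,
           "dn: ou=Group,%s\nobjectClass: organizationalUnit\nou: Group\n" % base_dn]
    for f in records(passwd, 7):
        if f[0] not in LOCAL_ACCOUNTS and int(f[2]) >= min_id:
            out.append(user_entry(f, hashes, base_dn))
    for f in records(group, 4):
        if int(f[2]) >= min_id:
            out.append(group_entry(f, base_dn))
    return "\n".join(out)


if __name__ == "__main__":
    print(convert(PASSWD, GROUP, SHADOW, "dc=example,dc=com"))
```

Write the output to a file and load it with `slapadd -l users.ldif` while slapd is stopped; slapd.conf must already include core, cosine and nis schemas, since posixAccount and posixGroup come from nis.schema. Two things that bite in practice: if you run slapadd as root, the database files it creates are owned by root and a slapd that drops privileges will fail to open them, so chown them to the slapd user afterwards; and values with a leading space, colon or non-ASCII text must be base64 encoded as the script does, or slapadd rejects the LDIF. On the Mac side, Directory Access's RFC 2307 template maps exactly these object classes and attributes, so nothing from apple.schema is needed for login to work.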
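The "protect the database" step in that last paragraph, as an added slapd.conf fragment that is not from the post: an access control list that keeps the Unix and Windows password hashes unreadable by anyone but the directory manager, the Samba service account and the user themself. The attribute names assume Samba 2.2's samba.schema (lmPassword, ntPassword); Samba 3 renamed them sambaLMPassword and sambaNTPassword, and slapd refuses to start if an ACL names an attribute no loaded schema defines, so list whichever pair your schema file actually declares. The Manager and samba DNs are hypothetical.

```conf
# Added example, not from the thread: slapd.conf access control for a
# samba-ldap directory.  Rules are evaluated top to bottom and the first
# "access to" whose target matches wins, so the hash rule must come first.
# Samba 2.2 attribute names; use sambaLMPassword,sambaNTPassword for Samba 3.
access to attrs=userPassword,lmPassword,ntPassword
        by dn="cn=Manager,dc=example,dc=com" write
        by dn="cn=samba,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

# Everything else (uid, uidNumber, homeDirectory ...) must stay readable,
# because nss_ldap and the Mac OS X Directory Access lookups bind anonymously.
access to *
        by dn="cn=Manager,dc=example,dc=com" write
        by * read
```

`by anonymous auth` is what lets a client bind as a user without being able to read the hash, which is all pam_ldap needs. To check the rule took effect, run an anonymous `ldapsearch -x -b dc=example,dc=com '(uid=alice)' userPassword ntPassword` after restarting slapd: the entry should come back with neither attribute.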