
March 20, 2006

Integrating OS X Tiger 10.4 w/LDAP and Kerberos

I recently purchased four Intel Mac Mini Core Duos for the Nord Lab and wanted them set up similar to the PCs on Active Directory. The solution was to have them authenticate to the campus Kerberos servers and use LDAP for the account information. This allows anyone to log into the lab Macs with their Case network ID and password, and doesn't require me to create any accounts. The user is automatically set up with a home directory the first time they log in, based on the template account in /System/Library/User Template/English.lproj.

The solution I used is based on Penn State's detailed instructions here:

http://clc.its.psu.edu/Labs/Mac/resources/authdoc/default.aspx

Below are the necessary changes to make it work on CWRU's campus.

Step 1) Set up the file /Library/Preferences/edu.mit.Kerberos with the following contents:

    [libdefaults]
        default_realm = INS.CWRU.EDU

    [realms]
        INS.CWRU.EDU = {
            kdc = KERBEROS.CWRU.EDU
            kdc = KERBEROS2.CWRU.EDU
            admin_server = KERBEROS.CWRU.EDU
            default_domain = cwru.edu
        }

    [domain_realm]
        .cwru.edu = INS.CWRU.EDU
        cwru.edu = INS.CWRU.EDU

You might also be able to run this from the command line to automatically populate the file:

% kerberosautoconfig -r INS.CWRU.EDU -m kerberos.cwru.edu

You should run 'kinit [cwrunet id]' at this point and try to get a Kerberos ticket to see if it works.
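Before running kinit, it helps to check that the Step 1 file is internally consistent, since a default_realm with no [realms] block, a realm with no kdc, or a domain_realm entry pointing at an undefined realm all make kinit fail in confusing ways. This is an added example, not part of the original post or Penn State's instructions: a small parser for the profile format above with the post's own file contents embedded as constructed input, plus the consistency checks.

```python
EDU_MIT_KERBEROS = """\
[libdefaults]
    default_realm = INS.CWRU.EDU
[realms]
    INS.CWRU.EDU = {
        kdc = KERBEROS.CWRU.EDU
        kdc = KERBEROS2.CWRU.EDU
        admin_server = KERBEROS.CWRU.EDU
        default_domain = cwru.edu
    }
[domain_realm]
    .cwru.edu = INS.CWRU.EDU
    cwru.edu = INS.CWRU.EDU
"""

def parse_krb5(text):  # -> {section: {key: [values]}}; realm blocks nest one level
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):           # start of a "REALM = {" block
            realm = line.split("=")[0].strip()
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            target = conf[section][realm] if realm else conf[section]
            target.setdefault(key, []).append(value)   # kdc may repeat
    return conf

def check_krb5(conf):
    """Return the consistency problems that would make kinit fail or pick the wrong realm."""
    problems = []
    default = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    realms = conf.get("realms", {})
    if default not in realms:
        problems.append("default_realm %s has no [realms] entry" % default)
    for name, body in realms.items():
        if not body.get("kdc"):
            problems.append("realm %s lists no kdc" % name)
    for domain, targets in conf.get("domain_realm", {}).items():
        problems += ["domain_realm %s maps to undefined realm %s" % (domain, t)
                     for t in targets if t not in realms]
    return problems
```

To check the real file, read /Library/Preferences/edu.mit.Kerberos and pass its text to parse_krb5 and check_krb5; an empty list means the three sections agree with each other.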

Next, apply the following diff to the /etc/authorization file. If you don't know how, check out Penn State's instructions, which go into detail about which line to change:

356c356 < builtin:krb5authnoverify,privileged --- > authinternal
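Review bot: the diff reads backwards for the stated goal. In normal diff output the `<` line is the original and the `>` line is the replacement, so applied as written it would turn builtin:krb5authnoverify,privileged back into authinternal, while the surrounding text wants Kerberos logins to work after this step. Read it as: on line 356, replace authinternal with builtin:krb5authnoverify,privileged, and confirm against Penn State's page before editing.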

If you have any local accounts on your Mac that have the same username as your cwrunet ID, you should be able to reboot the computer at this point and log in using your Case Network ID (Kerberos) password. If you reboot and are greeted with a text login: prompt, don't worry. Log in as yourself, run "sudo -s" and edit the "/etc/authorization" file from the command line with nano or some other text editor.

Now, if you run a lab, you certainly don't want to make a whole bunch of local accounts for everyone so that they can log in with their Kerberos Password. This is where the campus LDAP comes into play.

First step, you'll need to email ldap-admin@case.edu and ask for a 'special ldap account'. They will reply with the DN (Distinguished Name) and password you'll need to bind with. When you email them, tell them the only special LDAP attribute you need access to is uidNumber. This attribute contains the UID number for every respective user on campus. Conveniently, we can use the same UIDs for accounts on your Mac.

From here on, please refer to Penn State's instructions:

http://clc.its.psu.edu/Labs/Mac/resources/authdoc/ldapauthorization.aspx

I'll point out the differences below.

Don't be discouraged by the number of steps!! Penn State was very thorough, and took A LOT of screenshots.

Step F) The server name needs to be changed to "ldap.cwru.edu".

Step G) I didn't change any of the timeouts, etc.; it probably doesn't matter either way.

Before proceeding to Step H in Penn State's instructions, click on the Security Tab. Check the box "Use authentication when connecting". Enter the Distinguished Name and Password supplied by ldap-admin. Now go back to following their instructions.

Step O) For the search base, enter "ou=People,o=cwru.edu,o=isp".

Step R1) Set AuthenticationAuthority to "#;Kerberosv5;;$uid$;INS.CWRU.EDU"

Step R2) Penn State has everyone sharing one home directory, /Users/guest. I changed mine to be "#/Users/$uid$", which has the effect of giving everyone their own home directory based on their username. The variable $uid$ is NOT their user ID number, but is instead what OS X calls the short user name. This is the same as your Case Network ID (abc12).

Step R3) I chose to map the PrimaryGroupID to "#20", but you can probably use whatever GID you want. I chose that GID based on a comment in this article: http://www.macdevcenter.com/pub/a/mac/2003/08/26/active_directory.html

Step R6) Set UniqueID to "uidNumber"... This is the UID attribute from the campus LDAP we will be mapping everyone's UID field to. This information is what you need the 'special LDAP account' for.

Step V) Select the "LDAPv3/ldap.cwru.edu" item.

You can now test LDAP connectivity before rebooting the machine to try to log in. From Terminal (as root) run the "dscl" command. At the prompt, type "cd /LDAPv3/ldap.cwru.edu/Users/[Case Network ID]", substituting [Case Network ID] with something in the format "abc12". At the next prompt, type "cat". This should output a bunch of information about that user, including the "uidNumber: ******" line we need!! You can also try running "id [Case Network ID]" at the command prompt to see if it returns a valid UID number and the default GID you mapped in LDAP.
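The mappings in Steps R1-R6 and the dscl check above are easier to reason about when you can see what account record they produce for one LDAP entry. This added example (not part of the post or of Apple's LDAPv3 plugin) applies the post's mappings to a constructed "attribute: value" record like the one dscl's cat prints, and then runs two sanity checks a lab admin would want before opening logins: that uidNumber actually came back (it is missing when the bind account cannot read it) and that it does not land in the local/system UID range. The 500 threshold and the sample values abc12/123456 are assumptions, not campus data.

```python
import re
# Mappings as entered in Directory Access (Steps R1-R6 above): a value beginning with "#"
# is a literal in which $attr$ is replaced by that LDAP attribute's value; any other value
# simply names the LDAP attribute to read.
MAPPINGS = {
    "RecordName": "uid",
    "AuthenticationAuthority": "#;Kerberosv5;;$uid$;INS.CWRU.EDU",
    "NFSHomeDirectory": "#/Users/$uid$",
    "PrimaryGroupID": "#20",
    "UniqueID": "uidNumber",
}

# Constructed sample in the "attribute: value" form that dscl's cat prints;
# abc12 and 123456 are made-up values, not real campus data.
SAMPLE_DSCL_OUTPUT = """\
uid: abc12
cn: Example User
uidNumber: 123456
gidNumber: 100
"""

def parse_dscl(text):
    """Parse 'key: value' lines into a dict (first value wins)."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+):\s*(.*)$", line)
        if m and m.group(1) not in rec:
            rec[m.group(1)] = m.group(2)
    return rec

def resolve(mapping, ldap):
    """Apply one Directory Access mapping to an LDAP record (missing attribute -> "")."""
    if mapping.startswith("#"):
        return re.sub(r"\$(\w+)\$", lambda m: ldap.get(m.group(1), ""), mapping[1:])
    return ldap.get(mapping, "")

def build_user(ldap, mappings=MAPPINGS):
    """Return the OS X user record the mappings produce for one LDAP entry."""
    return {k: resolve(v, ldap) for k, v in mappings.items()}

def check_user(user, min_uid=500):
    """Sanity checks before enabling login; the 500 threshold is an assumption, not the post's."""
    problems = []
    if not user["UniqueID"].isdigit():
        problems.append("UniqueID empty or non-numeric: uidNumber not readable by the bind account?")
    elif int(user["UniqueID"]) < min_uid:
        problems.append("UniqueID %s collides with the local/system account range" % user["UniqueID"])
    if not re.fullmatch(r"/Users/[A-Za-z0-9]+", user["NFSHomeDirectory"]):
        problems.append("home directory %r is not a plain /Users/<shortname> path" % user["NFSHomeDirectory"])
    return problems
```

Paste the real output of dscl's cat into parse_dscl to see the exact AuthenticationAuthority, home directory and UID a given user will get.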

Once you reboot, you should be able to log in as anyone with a Case Network ID & Password!! Say goodbye to account administration!!

Posted by djc6 at March 20, 2006 08:55 PM


Comments

has this resolved the issue with printing mentioned in http://blog.case.edu/djc6/2005/06/22/printing_from_os_x_104_to_windows_printer_on_active_directory by any chance? :)

Posted by: Tom at May 9, 2006 03:52 PM

I am new to integrating LDAP with Tiger. We have our clients set up to authenticate against the LDAP server, and I already customized the default user template in the system folder. Once I create a new user it will apply the custom user template. However, once I logged onto the system using my LDAP account it brought me to the original Apple user template. Please advise.

Posted by: lawrence ho at November 3, 2006 02:33 PM
