Snow Leopard Ubuntu, LDAP & Automounter Step 3: Import apple & samba schemas into LDAP

This article is one part in a multi-part series about how to have centralized logins and home directories with Mac OS 10.6 using an Ubuntu 9.10 server, LDAP & Automounter.  You can find the parent article here.

Important Note: Unless stated otherwise, all the commands in this procedure should be run as root.  To become root from a typical admin user, just type sudo su and enter your password.  You can also just stay the regular user and put the word sudo in front of every command.  I'm used to a root prompt and prefixing every command with sudo drives me crazy, so I just su to root.

Apple looks for certain tables (i.e. schema) in LDAP when it is trying to authenticate a Mac OS user.  If you want to learn all about what these are, this blog entry by Rajeev Karamchedu will tell you more than you ever wanted to know.  The concepts are the same, but the process is now much easier than what Rajeev had to do back in Tiger.

(This one I had to deduce from a similar procedure about how to import the samba.schema file into a Zimbra server, whatever that is.)

1. Log in to the MacOS client running Snow Leopard

2. Copy the schemas to the LDAP server.  Important: Substitute ldapserver with the name or IP address of your ldapserver.

# cd /etc/openldap/schema
# scp apple* samba* root@ldapserver:/etc/ldap/schema

You will be prompted for the root password of the LDAP server.  Enter it and it will copy the three files over there.

For some reason the apple.schema file has one part commented out and in the wrong place.  So you’ll need to move it and uncomment it.  To do this, edit the apple.schema file and uncomment and move the authAuthority section.

3. Log in to the LDAP server

4. vi /etc/ldap/schema/apple.schema

5. Look for a section that looks like this:

#
# Authentication authority attribute 1.3.6.1.4.1.63.1000.1.1.2.16.1
#

#attributetype (
#       1.3.6.1.4.1.63.1000.1.1.2.16.1
#       NAME 'authAuthority'
#       DESC 'password server authentication authority'
#       EQUALITY caseExactIA5Match
#       SUBSTR caseExactIA5SubstringsMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

6. Copy and paste those lines to the top of the file before any other uncommented lines
    (in the current apple.schema that means just before the “time to live” section)

7. Uncomment just the following lines by deleting the ‘#’ sign

attributetype (
        1.3.6.1.4.1.63.1000.1.1.2.16.1
        NAME 'authAuthority'
        DESC 'password server authentication authority'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

8. Create a file called /tmp/test.conf containing the following lines:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/apple_auxillary.schema
include /etc/ldap/schema/apple.schema

9. Use slaptest to convert the .schema files to .ldif files.

# mkdir -p /tmp/ldap
# slaptest -f /tmp/test.conf -F /tmp/ldap

10. This will create the directory /tmp/ldap/cn=config/cn=schema.  You need to cd to that directory, stop slapd, copy some files from it to the production LDAP directory, change ownership on those files and restart slapd.

Please note: This part of the procedure assumes a slapd configuration set up using the procedure outlined in a previous step of this series.  If any other customization has been done (i.e. if you have more than four schema files, numbered 0-3, in /etc/ldap/slapd.d/cn=config/cn=schema), you will have a conflict with how the .ldif files are numbered.  You will need to read what they do about that in this procedure.  Yuck.  Good luck.

Here are the commands to do this if you are dealing with a base configuration:

# cd /tmp/ldap/cn=config/cn=schema
# /etc/init.d/slapd stop
# cp *apple* *samba* /etc/ldap/slapd.d/cn=config/cn=schema
# chown openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema/*
# /etc/init.d/slapd start
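The numbering conflict warned about above is easy to check for before anything is copied. This added script (not from the original post) confirms that authAuthority was really uncommented in step 7 and that none of the generated apple/samba .ldif indexes collide with a file already in the live cn=schema directory; the paths are the ones used on this page and are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for
# steps 7 and 10. slaptest names each generated schema LDIF
# cn={N}name.ldif, so the numbering conflict the text warns about is a
# file already in the live cn=schema directory carrying an index that
# one of the apple/samba LDIFs also uses. Paths default to the ones the
# page uses (assumption; override via SRC/DST in the environment).
SRC=${SRC:-/tmp/ldap/cn=config/cn=schema}
DST=${DST:-/etc/ldap/slapd.d/cn=config/cn=schema}

# index_of FILE: print the {N} index from a name like cn={4}samba.ldif
index_of() {
    basename "$1" | sed -n 's/^cn={\([0-9]*\)}.*\.ldif$/\1/p'
}

# authauthority_active FILE: succeed only if apple.schema defines
# authAuthority as a live (uncommented) attributetype, as step 7 needs.
authauthority_active() {
    grep -v '^[[:space:]]*#' "$1" | grep -q "NAME 'authAuthority'"
}

# check_schema_copy SRC DST: succeed if every apple/samba LDIF in SRC
# has an index not yet used in DST; otherwise list each clash and fail.
check_schema_copy() {
    src=$1; dst=$2; rc=0
    for f in "$src"/cn=*apple*.ldif "$src"/cn=*samba*.ldif; do
        [ -e "$f" ] || continue
        idx=$(index_of "$f")
        for clash in "$dst"/cn="{$idx}"*.ldif; do
            [ -e "$clash" ] || continue
            echo "conflict: $(basename "$f") vs $(basename "$clash")"
            rc=1
        done
    done
    return $rc
}

# Stand-alone use (./check.sh --apply): run the checks, then do the
# step-10 copy only if they pass.
if [ "${1:-}" = "--apply" ]; then
    authauthority_active /etc/ldap/schema/apple.schema \
        || { echo "authAuthority is still commented out"; exit 1; }
    check_schema_copy "$SRC" "$DST" || exit 1
    /etc/init.d/slapd stop
    cp "$SRC"/cn=*apple*.ldif "$SRC"/cn=*samba*.ldif "$DST"/
    chown openldap:openldap "$DST"/*
    /etc/init.d/slapd start
fi
```

Without --apply the script only defines the functions, so it can be sourced and the checks run by hand against any pair of directories.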

You have now converted the .schema files to .ldif files and copied them into the appropriate place.  The next step is to tell the Macs how to talk to LDAP.

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at Sullivan Strickler, which helps companies manage their legacy data

1 comment
  • The schema supplied by Apple is for Samba 2.0.x while newer Ubuntu includes the Samba 3 compliant schema which supports 2.x.
    Instead of copying the samba.schema from my apple server I modified the ubuntu included schema by uncommenting the ‘historical’ entries. This does away with the missing attributes expected by the aging apple.schema file.