This article is one part in a multi-part series about how to have centralized logins and home directories with Mac OS 10.6 using an Ubuntu 9.10 server, LDAP & Automounter. You can find the parent article here.
Important Note: Unless stated otherwise, all the commands in this procedure should be run as root. To become root from a typical admin user, just type sudo su and enter your password. You can also just stay the regular user and put the word sudo in front of every command. I'm used to a root prompt and that drives me crazy, so I just su to root.
Apple looks for certain tables (i.e. schema) in LDAP when it is trying to authenticate a Mac OS user. If you want to learn all about what these are, this blog entry by Rajeev Karamchedu will tell you more than you ever wanted to know. The concepts are the same, but the process is now much easier than what Rajeev had to do back in Tiger.
(This one I had to deduce from a similar procedure about how to import the samba.schema file into a Zimbra server, whatever that is.)
1. Log in to the MacOS client running Snow Leopard
2. Copy the schemas to the LDAP server. Important: Substitute ldapserver with the name or IP address of your ldapserver.
# cd /etc/openldap/schema
# scp apple* samba* root@ldapserver:/etc/ldap/schema/
You will be prompted for the root password of the LDAP server. Enter it and it will copy the three files over there.
3. For some reason the authAuthority section of apple.schema is commented out and in the wrong place, so you need to edit the file, move that section to the top and uncomment it:
4. vi /etc/ldap/schema/apple.schema
5. Look for a section that looks like this:
# Authentication authority attribute
# attributetype ( 1.3.6.1.4.1.63.1000.1.1.2.16.1
# NAME 'authAuthority'
# DESC 'password server authentication authority'
# EQUALITY caseExactIA5Match
# SUBSTR caseExactIA5SubstringsMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
6. Copy and paste those lines to the top of the file before any other uncommented lines
(in the current apple.schema that means just before the “time to live” section)
7. Uncomment just the following lines by deleting the '#' sign:
DESC 'password server authentication authority'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
8. Create a file called /tmp/test.conf containing the following lines:
9. Use slaptest to convert the .schema file to .ldif files.
# mkdir -p /tmp/ldap
# slaptest -f /tmp/test.conf -F /tmp/ldap
10. This will create the directory /tmp/ldap/cn=config/cn=schema. You need to cd to this directory, stop slapd, copy the new schema files from it to the production LDAP directory, change ownership on those files and restart slapd.
Please note: This part of the procedure assumes a slapd configuration set up using the procedure outlined in a previous article. If any other customization has been done (for example, if you have more than four schema files, numbered 0-3, in /etc/ldap/slapd.d/cn=config/cn=schema), you will have a conflict with how the .ldif files are numbered, because slaptest numbers its output from 0 and the index in each filename must also match the dn: and cn: lines inside the file. You will need to read what they do about that in this procedure. Yuck. Good luck.
Here are the commands to do this if you are dealing with a base configuration:
# cd /tmp/ldap/cn=config/cn=schema
# /etc/init.d/slapd stop
# cp *apple* *samba* /etc/ldap/slapd.d/cn=config/cn=schema
# chown openldap.openldap /etc/ldap/slapd.d/cn=config/cn=schema/*
# /etc/init.d/slapd start
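The numbering conflict mentioned above is easy to get wrong by hand, because the {N} index appears both in the filename and in the dn:/cn: lines inside each slaptest-generated file. The following helper is an added example, not part of the original post: it takes the filenames already installed under cn=config/cn=schema and the ones slaptest produced, assigns conflict-free indexes, and rewrites the LDIF header to match. The file lists and LDIF text in the demo are constructed for illustration.

```python
import re
from pathlib import Path

# slaptest writes each schema as cn={N}name.ldif; the same index N also
# appears in the "dn: cn={N}name" and "cn: {N}name" lines of the file.
_NAME_RE = re.compile(r"^cn=\{(\d+)\}(.+)\.ldif$")

def parse_schema_name(filename):
    """Return (index, name) for a cn={N}name.ldif filename, else None."""
    m = _NAME_RE.match(filename)
    return (int(m.group(1)), m.group(2)) if m else None

def plan_schema_install(existing, new):
    """Map each new slaptest file to a filename that does not collide.

    existing: filenames already in /etc/ldap/slapd.d/cn=config/cn=schema
    new:      filenames slaptest produced under /tmp/ldap/cn=config/cn=schema
    A new file whose index is already taken is moved to the next free slot;
    a schema whose name is already installed is rejected.
    """
    parsed_existing = [p for p in map(parse_schema_name, existing) if p]
    used = {idx for idx, _ in parsed_existing}
    installed = {name for _, name in parsed_existing}
    next_free = max(used, default=-1) + 1
    plan = {}
    for f in sorted(n for n in new if parse_schema_name(n)):
        idx, name = parse_schema_name(f)
        if name in installed:
            raise ValueError(f"schema {name!r} is already installed")
        if idx in used:
            idx, next_free = next_free, next_free + 1
        used.add(idx)
        plan[f] = f"cn={{{idx}}}{name}.ldif"
    return plan

def renumber_ldif(text, new_index):
    """Rewrite the dn:/cn: header lines so they carry new_index."""
    return re.sub(r"^(dn: cn=|cn: )\{\d+\}",
                  lambda m: f"{m.group(1)}{{{new_index}}}", text, flags=re.M)

def install_schemas(src_dir, dst_dir, plan):
    """Copy each planned file into dst_dir with its header renumbered."""
    for src_name, dst_name in plan.items():
        idx, _ = parse_schema_name(dst_name)
        text = Path(src_dir, src_name).read_text()
        Path(dst_dir, dst_name).write_text(renumber_ldif(text, idx))

if __name__ == "__main__":
    # Constructed example: two extra custom schemas already occupy {4} and {5}.
    have = [f"cn={{{i}}}{n}.ldif" for i, n in enumerate(
        ["core", "cosine", "nis", "inetorgperson", "custom1", "custom2"])]
    print(plan_schema_install(have, ["cn={4}apple.ldif", "cn={5}samba.ldif"]))
```

Run it against the two directories (the stock `cp` in the steps above is only safe when nothing beyond {3} is installed), then fix ownership and restart slapd exactly as shown.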
You have now converted the .schema files to .ldif files and copied them into the appropriate place. The next step is to tell the Macs how to talk to LDAP.
----- Signature and Disclaimer -----
Written by W. Curtis Preston (@wcpreston). For those of you unfamiliar with my work, I've specialized in backup & recovery since 1993. I've written the O'Reilly books on backup and have worked with a number of native and commercial tools. I am now Chief Technical Architect at Druva, the leading provider of cloud-based data protection and data management tools for endpoints, infrastructure, and cloud applications. These posts reflect my own opinion and are not necessarily the opinion of my employer.