This article is one part in a multi-part series about how to have centralized logins and home directories with Mac OS 10.6 using an Ubuntu 9.10 server, LDAP & Automounter. You can find the parent article here.
Important Note: Unless stated otherwise, all the commands in this procedure should be run as root. To become root from a typical admin user, just type sudo su and enter your password. You can also just stay the regular user and put the word sudo in front of every command. I’m used to a root prompt and that drives me crazy, so I just su to root.
References. This page told me that the LDAP docs for 9.10 contained errors and that this thread and this doc are what I should use. This procedure is based off of those procedures, but is enhanced a bit.
1. Install slapd, etc. This installs slapd, some tools that will be useful, and the odbc stuff. The odbc might have already been installed, but I found out it was a prerequisite, so I add it to be installed in case it’s not.
# apt-get install slapd ldap-utils migrationtools unixodbc odbcinst1debian1
2. Load some basic schema files that need to be loaded before anything will work. In a terminal enter:
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
3. Pick a password that will become your LDAP admin password. If you lose it, you’re screwed, so pick one you can remember. I’m going to use 1234 in this example.
4. Pick a “domain” name that you’re going to call your LDAP setup. It really doesn’t matter. I just chose home.com. A lot of the examples you see out on the Internet use example.com.
5. From here on out in the procedure, you need to create a file with some stuff in it, then import that file with the ldapadd command. Let’s do the first one. Create the backend configuration by creating a file called /tmp/backend.ldif with the contents shown below.
Note: Remember to change “
Also if you’re not going to use home.com as your domain, then remember to change “home” and “com” to the appropriate strings.
###########################################################
# DATABASE SETUP
###########################################################
# Load modules for database type
# Create directory database
###########################################################
dn: cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={0}config,cn=config
What does all this mean? It basically is the basic config saying that you’re going to have a home.com domain and its super-user password is to be 1234. Other than that, I haven’t a clue. :)
6. Import this configuration information into LDAP using this command:
# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/backend.ldif
Note that this first time we run the ldapadd command we don’t supply a password, because we haven’t set one yet. Once this command has been run, you will always need to authenticate to LDAP with a username and password to run ldapadd again. This will be reflected in the rest of the procedure.
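The admin password (1234 in this walkthrough) is written into backend.ldif as it is and then repeated on every later command line with -w. OpenLDAP accepts the directory's root password and userPassword values in the {SSHA} form that slappasswd -h {SSHA} produces, so the LDIF, its copy in /tmp and any backup of it carry a salted hash instead of the clear-text string. The Python below is an added example, not code from the article: it builds and verifies {SSHA} values and rewrites the password line of a constructed LDIF fragment. The attribute name olcRootPW is an assumption (the article's backend.ldif is not legible on this page), and the sample fragment with its changetype: modify form is constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed attribute name: the article's backend.ldif is not legible on the page, so
# olcRootPW (the cn=config name for a database's root password) is an assumption.
ROOTPW_ATTR = "olcRootPW"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP {SSHA} value: base64(sha1(password || salt) || salt).

    This is the layout slappasswd -h {SSHA} emits, so slapd accepts it in
    olcRootPW and userPassword in place of a clear-text string.
    """
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def hash_rootpw_lines(ldif_text: str, attr: str = ROOTPW_ATTR) -> str:
    """Rewrite clear-text 'attr: value' lines of an LDIF fragment to {SSHA} form.

    Values that already start with '{' (an existing scheme prefix) are left alone,
    as are all other attributes.
    """
    prefix = attr + ": "
    out = []
    for line in ldif_text.splitlines():
        if line.startswith(prefix) and not line[len(prefix):].startswith("{"):
            out.append(prefix + ssha_hash(line[len(prefix):]))
        else:
            out.append(line)
    return "\n".join(out)


# Constructed sample: a fragment that sets the admin password on the {1}hdb database
# (the database name appears in the article's own ldapsearch), using the example password.
SAMPLE_FRAGMENT = """dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: 1234
"""


def demo() -> str:
    """Return the rewritten fragment; the olcRootPW line now carries a salted hash."""
    return hash_rootpw_lines(SAMPLE_FRAGMENT)


if __name__ == "__main__":
    print(demo())
```

The same applies to the command lines: ldapadd and ldapsearch accept -W to prompt for the bind password instead of -w 1234, which keeps it out of shell history and process listings.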
7. Create another temporary file called /tmp/base.ldif with these contents:
# Tree root
dn: dc=home,dc=com
objectClass: dcObject
objectClass: organization
o: home.com
dc: home
description: Tree root

# LDAP admin
8. Then import it into LDAP with this command:
# ldapadd -x -D cn=admin,dc=home,dc=com -w 1234 -f /tmp/base.ldif
Note: The “-D cn=admin,dc=home,dc=com -w 1234” string says that you want to log in as admin to the home.com domain and that your password is 1234.
You now have a fresh OpenLDAP installation in Ubuntu 9.10.
9. Now we need to create an “organizational unit” (ou) called People and one called group. An organizational unit is just a fancy name for a container of entries. The ones that Apple will be looking for are People and group, which give it the username and group (Unix-style concepts) of the user that’s trying to log in.
Create a file called /tmp/ou.ldif with these contents
dn: ou=People,dc=home,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=home,dc=com
objectClass: organizationalUnit
ou: group
Don’t ask me why People is capitalized and group is not. Just do it. :)
10. Import it with this command:
# ldapadd -x -D cn=admin,dc=home,dc=com -w 1234 -f /tmp/ou.ldif
11. Test that everything went OK. The quickest way to confirm that all of your syntax was all right is to restart slapd. It will complain of any typos.
# /etc/init.d/slapd restart
It should restart without errors.
12. Another way to confirm is to run some queries:
# ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -w 1234 olcDatabase={1}hdb
# ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -w 1234
You should see the things in the query that you put in the config files and added with ldapadd.
13. Run another query (substituting the appropriate value for home and com)
# ldapsearch -xLLL -b dc=home,dc=com
This should run without a password and should show you the People and group organizational units (ou’s) that you added. You should see lines that start with “dn: ou=group” & “dn: ou=People”.
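Steps 7 through 13 hand-write two LDIF files and then rely on a slapd restart and an ldapsearch to surface typos. The Python below is an added example (not from the article) that generates the same base.ldif and ou.ldif from a domain name and runs, before anything is imported, the checks slapd applies at import time: exactly one dn per entry, under the suffix, an objectClass, and an attribute matching the RDN (which is why dn: ou=People must carry an ou: value spelled people or People; LDAP compares ou values case-insensitively). The domain home.com and the OUs People and group are the article's; the function names and the minimal parser are mine, and base64 (::) values and multi-valued RDNs are not handled.

```python
from typing import Dict, List, Sequence

Entry = Dict[str, List[str]]  # attribute name (lower-cased) -> values, in file order

# Assumed values, taken from the article: its domain and the two OUs Apple looks for.
DOMAIN = "home.com"
OUS = ("People", "group")


def domain_to_suffix(domain: str) -> str:
    """'home.com' -> 'dc=home,dc=com', the DN the article writes by hand."""
    labels = [part for part in domain.strip(".").split(".") if part]
    if not labels:
        raise ValueError("domain has no labels")
    return ",".join(f"dc={label}" for label in labels)


def render_base_ldif(domain: str) -> str:
    """The tree-root entry of base.ldif (step 7), derived from the domain."""
    suffix = domain_to_suffix(domain)
    first_label = suffix.split(",", 1)[0].split("=", 1)[1]
    return (
        "# Tree root\n"
        f"dn: {suffix}\n"
        "objectClass: dcObject\n"
        "objectClass: organization\n"
        f"o: {domain}\n"
        f"dc: {first_label}\n"
        "description: Tree root\n"
    )


def render_ou_ldif(domain: str, ous: Sequence[str] = OUS) -> str:
    """ou.ldif (step 9): one organizationalUnit entry per OU, blank-line separated."""
    suffix = domain_to_suffix(domain)
    entries = [
        f"dn: ou={ou},{suffix}\nobjectClass: organizationalUnit\nou: {ou}\n" for ou in ous
    ]
    return "\n".join(entries)


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: '#' comments, blank-line separated entries, 'attr: value'
    lines, continuation lines starting with a space. Base64 ('::') values are not
    handled. Attribute names are lower-cased because LDAP treats them case-insensitively."""
    entries: List[Entry] = []
    current: Entry = {}
    last_attr = ""
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                entries.append(current)
            current, last_attr = {}, ""
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]  # folded continuation of the previous value
            continue
        if ":" not in raw:
            raise ValueError(f"not an 'attr: value' line: {raw!r}")
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def lint_entries(entries: List[Entry], suffix: str) -> List[str]:
    """Catch the mistakes slapd rejects at import: each entry needs exactly one dn
    under the suffix, an objectClass, and an attribute whose value matches its RDN."""
    problems: List[str] = []
    for index, entry in enumerate(entries):
        dns = entry.get("dn", [])
        if len(dns) != 1:
            problems.append(f"entry {index}: expected one dn, found {len(dns)}")
            continue
        dn = dns[0]
        if not dn.lower().endswith(suffix.lower()):
            problems.append(f"{dn}: not under suffix {suffix}")
        rdn = dn.split(",", 1)[0]
        rdn_attr, _, rdn_value = rdn.partition("=")
        values = [v.lower() for v in entry.get(rdn_attr.strip().lower(), [])]
        if rdn_value.strip().lower() not in values:
            problems.append(f"{dn}: no '{rdn_attr}' attribute matching the RDN")
        if "objectclass" not in entry:
            problems.append(f"{dn}: missing objectClass")
    return problems


def ou_dns(entries: List[Entry]) -> List[str]:
    """The 'dn: ou=...' values step 13's ldapsearch should list after the import."""
    return [e["dn"][0] for e in entries if e.get("dn") and e["dn"][0].startswith("ou=")]


if __name__ == "__main__":
    suffix = domain_to_suffix(DOMAIN)
    for text in (render_base_ldif(DOMAIN), render_ou_ldif(DOMAIN)):
        print(text)
        print("problems:", lint_entries(parse_ldif(text), suffix) or "none")
    print("expected ou dns:", ou_dns(parse_ldif(render_ou_ldif(DOMAIN))))
```

Run it before step 8 and step 10: an empty problems list means the file will at least load, and the ou dns it prints are the two lines the final ldapsearch in step 13 should return.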
LDAP is now set up and is ready to be further configured. The next step is to import the Apple and Samba schemas into LDAP.
Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at Sullivan Strickler, which helps companies manage their legacy data.
I get the following error on Ubuntu Server 10.04 LTS
Is it safe to just remove those four lines from the backend.ldif?
I don’t see “olcauthzregexp” anywhere in the text, so I’m thinking you have a cut and paste issue.
[quote name=Rob Moggach]I get the following error on Ubuntu Server 10.04 LTS
Is it safe to just remove those four lines from the backend.ldif[/quote]I am getting the same issue as well.
I read through this guide earlier and I’d just like to say thanks for your time and effort compiling all of this, I’ve just started to execute the install commands on the first page so a far way to go yet but the guide seems flawless. I appreciate your time and skill!
The code is not working properly; how can I correct the errors and run this successfully?