Technical:OSXClientToK12LTSPLDAP
From K12LTSP Wiki
The following instructions will authenticate a Mac OS X 10.3+ computer against an LDAP server (such as OpenLDAP set up with the smbldap scripts provided by David Trask and Matt Oquist).
Done incorrectly, these tasks can leave your machine in a state in which you cannot log in. Please DO NOT perform them for the first time on an important machine.
Enable root user
This step may not be needed, but some have had better luck this way.
- Open the NetInfo Manager in /Applications/Utilities.
- Click the lock and authenticate with your admin password.
- Under Security in the menu click Authenticate and enter your admin password.
- Under Security click Enable Root User.
- Close NetInfo Manager and log out. You should now be able to click Other at the login prompt and log in as root with whatever password you set for root.
Configure system to authenticate users from LDAP server
- Open Directory Access in /Applications/Utilities.
- Click the lock and authenticate with your admin password.
- Check LDAPv3 box if it isn't already.
- Highlight LDAPv3 and click Configure.
- Click New.
- Type a configuration name in the Configuration Name field (I used domain-PDC for mine); the name doesn't really matter, as long as it makes sense to you.
- In the Server Name or IP address field enter in the IP or fully qualified domain name of your LDAP server.
- In the LDAP Mappings drop-down select "RFC 2307 (Unix)".
- A window should pop up asking for the Search Base Suffix, enter the search base matching that of your LDAP server (e.g. dc=district,dc=k12,dc=or,dc=us) and click OK.
- Do not check the SSL box.
- Do uncheck the "Allow plaintext passwords" box.
- The defaults should work so click on OK.
- Click Apply in the Services window.
- Click the Authentication tab.
- In the drop-down switch from Automatic to Custom Path.
- Click Add; from the Available Directories select your newly created directory (i.e. LDAPv3/yourdomain), click Add, click Apply and quit Directory Access.
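Before pointing Directory Access at the server, it is worth confirming that the server actually publishes the attributes the "RFC 2307 (Unix)" mapping looks up: an account without uid, uidNumber, gidNumber or homeDirectory cannot be resolved as a Unix user, and a homeDirectory outside /home will not be served by the NFS mount configured further down this page. The shell function below is an added example, not code from the K12LTSP wiki or from the smbldap scripts. It reads LDIF on standard input (for instance the output of ldapsearch) and reports entries missing one of those attributes or with a home directory outside /home. The sample LDIF is constructed, and the server and search base in the ldapsearch comment are placeholders to be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the K12LTSP wiki): check that posixAccount
# entries carry the RFC 2307 attributes the Mac "RFC 2307 (Unix)" mapping
# expects, and that home directories live under the /home mount point.
#
# Against a live server (placeholder host and base, adjust to yours):
#   ldapsearch -x -H ldap://ldap.example.k12.or.us \
#       -b dc=district,dc=k12,dc=or,dc=us '(objectClass=posixAccount)' \
#       | check_rfc2307_ldif
#
# Prints one line per problem entry; exit status 0 means every entry passed.
check_rfc2307_ldif() {
    awk '
    # Report on the entry collected so far, then reset for the next one.
    function flush(    n, i, k, missing) {
        if (dn == "") return
        missing = ""
        n = split("uid uidNumber gidNumber homeDirectory", req, " ")
        for (i = 1; i <= n; i++)
            if (!(req[i] in attrs)) missing = missing " " req[i]
        if (missing != "") {
            printf "%s: missing%s\n", dn, missing; bad++
        } else if (attrs["homeDirectory"] !~ /^\/home\//) {
            printf "%s: homeDirectory %s is outside /home\n", dn, attrs["homeDirectory"]; bad++
        }
        dn = ""
        for (k in attrs) delete attrs[k]
    }
    /^dn: / { flush(); dn = substr($0, 5); next }
    /^$/    { flush(); next }
    # Plain "name: value" lines only; base64 ("name:: ...") and folded
    # continuation lines are not interpreted by this check.
    /^[A-Za-z][A-Za-z0-9-]*: / {
        name = $1; sub(/:$/, "", name)
        val = $0;  sub(/^[^:]*: /, "", val)
        attrs[name] = val
    }
    END { flush(); exit (bad > 0) }
    '
}

# Run the check over an LDIF string and return how many entries were flagged.
count_flagged() {
    printf '%s\n' "$1" | check_rfc2307_ldif | wc -l | tr -d ' '
}

# Constructed sample LDIF (not real directory data): one good account,
# one missing gidNumber, one whose home is outside /home.
SAMPLE_LDIF='dn: uid=jdoe,ou=People,dc=district,dc=k12,dc=or,dc=us
objectClass: posixAccount
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash

dn: uid=asmith,ou=People,dc=district,dc=k12,dc=or,dc=us
objectClass: posixAccount
uid: asmith
uidNumber: 10002
homeDirectory: /home/asmith

dn: uid=bwong,ou=People,dc=district,dc=k12,dc=or,dc=us
objectClass: posixAccount
uid: bwong
uidNumber: 10003
gidNumber: 10003
homeDirectory: /export/home/bwong
'

printf '%s\n' "$SAMPLE_LDIF" | check_rfc2307_ldif || echo "fix these entries before enabling the LDAPv3 plugin"
```

Entries that fail this check are exactly the ones that will show up as "cannot log in" on the Mac after the steps above, so it is cheaper to run it on the server side first.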
Configure system to automount /home and store user data on NFS server
- Open the NetInfo Manager from /Applications/Utilities.
- Click the lock and authenticate with your admin password.
- There should be 3 columns; the leftmost should have "/" and the middle will have an entry called "mounts >". Click on "mounts >", then click the Directory menu and choose New Sub Directory.
- In the pane below, click on "name" under Property and enter the following properties and values.
- To add more fields, go to the "Edit" menu and select "Add" five more times.
| Properties | Values |
|---|---|
| name | hostname:/Users |
| dir | /home |
| vfstype | nfs |
| opts | -P |
| passno | 0 |
| dump_freq | 0 |
Adjust hostname in the "name" property accordingly.
- Save all changes and exit NetInfo Manager by going to "Domain->Save Changes" in the application menu.
- Open System Preferences, click Accounts, click Login Options, on the right side where it says "Display Login Window as:" click the radio button for "List of users". This will allow you to type names and passwords that should reside in the LDAP server; otherwise it will only list local accounts.
Create /home directory for mounting /home via NFS from LDAP server
- Open a terminal as root.
- Dump the current fstab to a file you can edit with this command:
    nidump fstab . > /etc/fstab
- Edit the dumped fstab:
    vi /etc/fstab
- Be sure your dumped fstab has one line that looks like this: "192.168.1.254:/home /home nfs -P 0 0"
- If it does not, add or change it, substituting your server's IP or fully qualified domain name.
- Save and close your /etc/fstab file.
- Reload the dumped fstab with the following command:
    niload -m fstab . < /etc/fstab
- Create the mount point:
    mkdir /home
- Make it writable:
    chmod 777 /home
  Once the NFS export is mounted, the exported file system's own permissions apply; the mode on the local mount point only matters while the mount is not in place.
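The dumped fstab is loaded back into NetInfo exactly as typed, so the /home line is the point where one slip (a comma instead of a dot in the server address, a dropped field) leaves the machine without home directories after the reboot. The shell function below is an added example, not part of the wiki page or of the NetInfo tools: run it between the vi step and niload, and it confirms that the file has exactly one /home line of the shape "server:/home /home nfs -P 0 0" with a server part that is a valid IPv4 address or host name. The sample fstab contents are constructed (not real nidump output) and reuse the server address from the example line above.

```shell
#!/bin/sh
# Added example (not from the K12LTSP wiki): pre-flight check for the
# dumped fstab, meant to run before "niload -m fstab . < /etc/fstab".
#
# Intended use on the client (the how-to sequence, with the check added):
#     nidump fstab . > /etc/fstab
#     vi /etc/fstab
#     check_home_fstab /etc/fstab && niload -m fstab . < /etc/fstab

# check_home_fstab [FILE]: reads FILE (or stdin when no file is given).
# Prints "ok <server>" and returns 0 when the single /home line is well
# formed; otherwise prints what is wrong and returns 1.
check_home_fstab() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }                  # skip comments and blank lines
    $2 == "/home" {
        n++
        if ($3 != "nfs") {
            print "line " NR ": /home is type " $3 ", expected nfs"; bad++; next
        }
        if (NF != 6 || $4 != "-P" || $5 != "0" || $6 != "0") {
            print "line " NR ": expected \"-P 0 0\" after nfs, got " $4 " " $5 " " $6; bad++; next
        }
        if ($1 !~ /:\/home$/) {
            print "line " NR ": device must be <server>:/home, got " $1; bad++; next
        }
        srv = substr($1, 1, length($1) - 6)        # strip the trailing ":/home"
        if (srv ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
            split(srv, o, ".")
            for (i = 1; i <= 4; i++)
                if (o[i] + 0 > 255) { print "line " NR ": octet " o[i] " out of range in " srv; bad++; next }
        } else if (srv !~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$/) {
            print "line " NR ": \"" srv "\" is not an IPv4 address or host name (comma instead of dot?)"; bad++; next
        }
        server = srv
    }
    END {
        if (n == 0)  { print "no /home line found"; exit 1 }
        if (n > 1)   { print n " /home lines found, expected exactly one"; exit 1 }
        if (bad > 0) exit 1
        print "ok " server
    }
    ' "$@"
}

# Constructed samples (not real nidump output): the line the how-to asks
# for, and the same line with the comma-for-dot typo.
GOOD_FSTAB='# constructed sample dump
192.168.1.254:/home /home nfs -P 0 0'
BAD_FSTAB='192,168.1.254:/home /home nfs -P 0 0'

printf '%s\n' "$GOOD_FSTAB" | check_home_fstab
printf '%s\n' "$BAD_FSTAB" | check_home_fstab || echo "fix /etc/fstab before running niload"
```

Because the function reads a file argument as well as standard input, the same check can be pointed at /etc/fstab on the client right before the niload step.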
Restart your machine and log in with an account from your LDAP server. If this doesn't work, save your hair, go home, and try from the beginning tomorrow with a machine that isn't messed up yet. When finished you should have a Mac OS X client set up with full roaming profile abilities. No user data should be stored on the local machine, and all data should also be accessible from LTSP clients and Windows clients.
