
Use LDAP instead of NetInfo on Jaguar Network
OK, this is very cool (IMHO). I am excited, because I have waited for this moment since the first release of OS X: I finally got everything working to replace my network NetInfo domain with LDAP. The new Jaguar LDAP support is great. I just replaced my NetInfo network domain with a central LDAP server running OpenLDAP on Gentoo Linux.

Additionally, I set up a DHCP server to serve the LDAP URL. With this setup, a Jaguar client hooks up to the network without any further work required on the client. All the network users, groups and shares are available.
This is a very nice out-of-the-box experience. Getting there on the server side was a little harder, but with OS X Server it should be no pain at all.

Read the rest of the article for a short summary of what was done on the server side to get this working...

Server work:
  • install openldap-2.0.25
  • install dhcpcd-1.3.20
  • set up your openldap server; either start with the stuff from or use the openldap installation on a Jaguar machine with the NetInfo db as backend (haven't tried this) and export the contents as ldif.
  • set up dhcpd to provide the ldap information; in dhcp.conf:
    option ldap-server code 95 = text;
    option ldap-server "ldap://,dc=com";
  • set up the mapping between DirectoryService and your LDAP schema. This can be done with Directory Access:
    • on just one Jaguar client machine, add the ldap server manually
    • edit the server and go to the mappings. Map to your liking
    • now write the mapping to your ldap server
    • disable the ldap server entry on the client, as it was only needed to write the mapping to the ldap server
Essentially that's it!

There is an OpenServer schema, which Apple is using, under /etc/openldap/schema/apple.schema. I had to modify it and remove all references to authAuthority to get it running. If you start a new ldap server, you might want to use this as a starting point.
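The client side of the setup above trusts whatever LDAP URL arrives in DHCP option 95 (the `option ldap-server code 95 = text;` line). As an added example that is not part of the original hint, this parses the option area of a DHCP reply, extracts option 95 and accepts the URL only if it is a well-formed ldap/ldaps URL with a base DN and an allow-listed host; the packet bytes and the allow list are constructed here.

```python
"""Parse DHCP option 95 (LDAP URL) and check it before trusting it.
Added example: the option-95 text encoding matches the hint's dhcp.conf,
the packet bytes and host allow list are constructed for illustration."""
from urllib.parse import urlsplit

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 options magic cookie
OPT_LDAP_URL = 95                    # option code used in the hint's dhcp.conf
OPT_PAD, OPT_END = 0, 255


def parse_dhcp_options(options: bytes) -> dict:
    """Walk the TLV option area after the magic cookie; returns {code: value}."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    out, i = {}, len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte pad, no length field
            i += 1
            continue
        length = options[i + 1]
        out[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return out


def ldap_url_from_dhcp(options: bytes, allowed_hosts: set) -> str:
    """Return the option-95 URL only if scheme, host and base DN pass policy."""
    raw = parse_dhcp_options(options).get(OPT_LDAP_URL)
    if raw is None:
        raise ValueError("no LDAP URL option in reply")
    url = raw.decode("ascii")
    parts = urlsplit(url)            # ldap://host[:port]/base-dn[?attrs?scope?filter]
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unexpected URL scheme: %r" % parts.scheme)
    if parts.hostname not in allowed_hosts:
        raise ValueError("LDAP host not on allow list: %r" % parts.hostname)
    if not parts.path.lstrip("/").startswith("dc="):
        raise ValueError("missing base DN in LDAP URL")
    return url


def build_option_95(url: str) -> bytes:
    """Constructed option area: magic cookie + option 95 (text) + end marker."""
    body = url.encode("ascii")
    return MAGIC_COOKIE + bytes([OPT_LDAP_URL, len(body)]) + body + bytes([OPT_END])
```

Option 95 carries the URL as plain text, so any DHCP answer on the segment can name an LDAP server; the allow-list check is what stops a client from binding to an unexpected one.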

This doesn't work for me
Authored by: kesmit on Oct 03, '02 08:00:41PM

This is really cool...if I could get it to work. I have DHCP and OpenLDAP running and apparently working, but the information doesn't seem to be getting accessed. I can get it to work if I go into "Directory Access", manually configure an LDAP server, and add it to the configuration in "Authentication", but that doesn't seem right. It should "just work" from the information from the DHCP server, right?

Authored by: kesmit on Oct 04, '02 10:45:19AM

After I rebooted everything worked fine. I thought that just switching to another location and back again would trigger it. This is great!

Authored by: gfoyle on Nov 10, '03 10:40:59PM

If you log out and log back in, then the new bindings take effect (at least in 10.2.8). I use this all the time when traveling between my school Location and my home Location.

Use LDAP instead of NetInfo on Jaguar
Authored by: robleach on Feb 20, '03 04:10:26PM

First off, I'm a newbie to this kind of sysadmin stuff. I'm not sure if this is what I'm looking for, but it might be, so let me ask a couple questions...

I'm on a network that's behind a firewall. I can ssh in and out of my computer to others on the network, but my account on my machine is different from my account on the network. I can't su to my network account from my machine. Other people on my network can't ssh into my machine unless I set them up a local account. I have disks on the network mounted, but I can't change files on them because I don't belong to the same group. So I always have to ssh over even though I've got a mount that allows me access to the files.

What I want to do is make it so anyone on my network can ssh in and so that I can log into my machine using my network account. Will this procedure enable these things?

Second, some of those last steps appear somewhat vague, for example: "set up the mapping between DirectoryService and your LDAP schema". I don't know what that means. Could someone post a more detailed set of instructions for less experienced users? I'd greatly appreciate it. (Maybe if I'd tried it, those last steps would make more sense - if that's the case, then please ignore this last comment. I just haven't tried it because I don't know if it'll do what I'm thinking it'll do yet.)

Use LDAP instead of NetInfo on Jaguar
Authored by: adamshand on Jan 20, '04 10:43:12PM

FYI in case anyone else is trying to do this. Don't use a copy of apple.schema from a Panther box as it doesn't work, even after removing references to authAuthority.
