Replacing Open Directory with Linux and OpenLDAP
This document describes how Apple's Open Directory system works, and how to replace it with one or more Linux servers running LDAP, Kerberos, and Samba in such a way that native Mac clients work with it without changes or special configuration. To the Mac OS X clients, the Linux server appears to be a native OS X server.
What is Open Directory
“Open Directory” is Apple's term for an amalgamation of technologies, some open source and some not, that combine to form a unified directory service for OS X clients. This service provides the following things to clients:
- User and Group mappings
- Client configuration directives for policies, etc
- Authentication system (SASL)
- Kerberos authentication
None of these things is unique to Apple; Linux users have been using technologies like Kerberos and LDAP for years. What makes Apple's solution interesting is how everything is integrated so that administering things like user accounts is very simple, even though the various services require different kinds of password authentication mechanisms: some apps do SASL authentication, others do Kerberos, Samba uses its own NT hashes and challenge/response, and some services, such as IMAP, require a simple plain-text password check (over an encrypted channel, of course).
All of this is provided through several services.
OpenLDAP
The core of Open Directory is LDAP, provided by a slightly modified OpenLDAP daemon. LDAP is how Mac clients perform user and group lookups, and how they find out what Open Directory offers and how to reach those services. For the most part Apple's use of LDAP is standard: the schemas used for Apple users and groups are essentially the same ones you would use for Linux. Apple adds its own schema with an additional set of object classes that carry extra information for Mac clients. For example, an LDAP user will include the “apple-user” object class, which provides attributes telling Mac clients where to mount the user's home directory from (a URL), how to authenticate the user, and so forth. This schema is the key to making a normal OpenLDAP setup start to look like Open Directory to Mac clients.
Besides its normal role in a Unix system, LDAP is also how the OS X server tells Mac clients in the domain how to:
- Talk to Kerberos
- Authenticate users
- Mount network shares
- Mount network home directories
- Set machine policies
PasswordServer
PasswordServer is a proprietary daemon running on OS X Server that acts as a unified password store and as the means of changing and synchronizing passwords. In Open Directory no password hashes whatsoever are stored in LDAP itself, which is different from (and probably better than) most Linux LDAP setups. PasswordServer speaks its own proprietary network protocol, which is not documented anywhere that I'm aware of, except perhaps in the source code of the OpenLDAP and Samba backend plugins that Apple wrote.
PasswordServer provides the following services to clients:
- Authentication via a number of different mechanisms, including but not limited to:
  - SASL
  - NTLM challenge/response (used by Samba)
  - Plain
- Password change
- Keeps the various hashes within the proprietary password database synchronized
- Sets Kerberos passwords
- Allows accounts to be enabled or disabled
- Tells OS X's Samba server whether or not to allow a user to log in to SMB
- Sets Kerberos flags to indicate status
- Sets password policies:
  - Strength
  - Expiry
  - Reuse of old passwords
PasswordServer is what Mac clients normally communicate with when a user logs in, when connected to the Open Directory domain.
As we shall see, this component is not actually necessary for the function of an Open Directory domain.
Kerberos
Kerberos provides trusted third-party authentication, just as it does in any Unix network or in a Microsoft Active Directory domain. Unlike AD, though, Open Directory seems to prefer PasswordServer-based authentication for Mac services, even though Kerberos can be used for many of them, including IMAP and AFP file server access. Most Open Directory domains probably don't use Kerberos for anything. But Kerberos support is there, in both the server and the client, and LDAP can tell a Mac client to use it for primary authentication, which is another key to making a normal Linux OpenLDAP installation function as if it were Open Directory.
Kerberos is an optional part of an Open Directory setup, at least when making OpenLDAP appear to be an Open Directory server. If the Kerberos configuration records and the “authAuthority” attribute in user records are not present, Mac clients fall back to standard LDAP binds for authentication. Keep in mind that a simple LDAP bind sends the user's password to the server, so without TLS on the LDAP connection it crosses the network in the clear; that is one more reason to prefer Kerberos. If you want to do any AFP using netatalk, you will need it anyway. As it is not too complicated to set up and use, I recommend that you configure Kerberos.
By default, when you log in to an OS X client on a normal Open Directory domain, you get a Kerberos ticket that is automatically passed along to many of the services you request. For example, when mounting an AFP share, OS X tries several authentication methods, including the Kerberos ticket. If you have a Netatalk server on Linux that has been properly configured to work with Kerberos, the OS X client will use Kerberos to authenticate securely and mount the share.
Setting up OpenLDAP
This section explains how to set up OpenLDAP with the Apple schema, and then how to populate the minimal amount of entries that an OS X client will expect to see on an Open Directory domain LDAP server. Before doing this, you will have to already have configured the following things, documented elsewhere on the Internet in the various Samba, Kerberos, and LDAP howtos:
- Set up a Kerberos domain controller (KDC)
- Configured Samba to work with LDAP
- Configured and set up LDAP for basic Unix or Linux use
Also recommended, but not required, is to have set up LDAP integration with Kerberos, at least so that LDAP-only clients can do simple binds against LDAP which will in turn authenticate against Kerberos. You could also configure LDAP's SASL binds if you'd like.
OS X clients, once we configure our LDAP to look like Open Directory, will never do anything other than anonymous binds against LDAP. We will need to make sure that certain fields we'll add to LDAP records are readable to anonymously-bound LDAP clients.
Adding Apple's Schema
The first thing we have to do to OpenLDAP is add Apple's schema file. Apple's schema can be found in their OpenLDAP source bundle at OpenLDAP/servers/slapd/schema/apple.schema. Include it in slapd.conf after the standard schemas it builds on (core, cosine, inetorgperson, nis), and run slaptest to confirm that slapd still parses its configuration before restarting it. As of 10.6.3, Apple's schema still refers to obsolete Samba attributes. In our LDAP system we use the modern Samba 3 schema, so we can safely ignore most of the old Samba attributes that Apple's schema refers to and just use the fields we need.
Apple's schema provides the following ObjectClasses and fields:
apple-configuration
This ObjectClass is used to define things in the LDAP tree such as the KerberosKDC address and realm, the Kerberos client configuration (what would be krb5.conf on a Linux machine), and where the client should look for ldap replicas. The fields that are important to us are:
- apple-xmlplist
- apple-kdc-configdata
- apple-ldap-replica
- apple-ldap-writable-replica
apple-user
This object class provides the attributes we add to our user (people) records that Mac OD clients expect to find. They tell the Mac client how the user should authenticate and where the home directory should be mounted from. As on Unix systems, the homeDirectory attribute of a posixAccount specifies where the home directory is physically located in the file system; the apple-user object class additionally lets us specify a URL that the client will mount at the location given by homeDirectory.
We really only use the following fields from apple-user:
- apple-user-homeurl
- authAuthority – optional; only needed if we want to use Kerberos. If not present, Mac clients fall back to a standard LDAP bind.
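As an added example (not code from the original page), here is a small shell function that emits the LDIF for one user record carrying the apple-user additions discussed above. The five object classes are the ones the Users record type is mapped to with “AND” later on this page, so a client only finds entries that carry all of them. The server name, realm and suffix, the /Network/Servers mount-point convention, the authAuthority layout with an empty third field, and the {SASL} userPassword pass-through are assumptions of the example, not something the page states.

```shell
#!/bin/sh
# Added example, not from the original page. Emits the LDIF for one user
# record that a Mac client bound to our OpenLDAP "Open Directory" can log
# in with. Assumed (not from the page): AFP home server name, Kerberos
# realm, LDAP suffix, the /Network/Servers mount point convention, the
# empty third field of authAuthority, and the {SASL} pass-through line.
#
# Usage: od_user_ldif <uid> <uidNumber> <gidNumber> "<Full Name>" <afp-host> <REALM> <suffix>
#   od_user_ldif alice 10001 10000 "Alice Example" fs.example.com EXAMPLE.COM dc=example,dc=com \
#     | ldapadd -x -H ldap://ldap.example.com -D "cn=admin,dc=example,dc=com" -W
od_user_ldif() {
    uid=$1 uidn=$2 gidn=$3 fullname=$4 host=$5 realm=$6 suffix=$7
    sn=${fullname##* }    # surname = last word of the full name; inetOrgPerson requires sn

    # objectClass: all five classes, because the Users record type map uses
    #   "AND" and the client only matches entries carrying every one of them.
    # homeDirectory (NFSHomeDirectory): the path the client mounts the home at.
    # apple-user-homeurl (HomeDirectory): what gets mounted there, here the
    #   AFP share "Users" on $host with the user's own folder as sub-path.
    # authAuthority: tells the client to authenticate with Kerberos; remove
    #   the line and the client falls back to an LDAP simple bind.
    # userPassword: {SASL} makes slapd hand simple-bind passwords to saslauthd
    #   (assumes slapd built with SASL and saslauthd checking Kerberos), so
    #   no hash is stored in LDAP; drop it if you do not run saslauthd.
    cat <<EOF
dn: uid=$uid,ou=People,$suffix
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
uid: $uid
cn: $fullname
sn: $sn
uidNumber: $uidn
gidNumber: $gidn
loginShell: /bin/bash
homeDirectory: /Network/Servers/$host/Users/$uid
apple-user-homeurl: <home_dir><url>afp://$host/Users</url><path>$uid</path></home_dir>
authAuthority: ;Kerberosv5;;$uid@$realm;$realm;
userPassword: {SASL}$uid@$realm
EOF
}
```

The entry deliberately contains no password hash: with authAuthority present the Mac client obtains a Kerberos ticket, and the {SASL} value only tells slapd where to verify simple binds. Whatever you store here is also subject to the ACL excerpt later on this page, which must keep userPassword and the Samba hashes unreadable to anonymous clients.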
Initial LDAP configuration
Follow the standard LDAP howtos to set up your initial LDAP tree, integrate Samba with it, and set up proper access controls. Apple clients expect to be able to read the OD configuration elements and certain user attributes anonymously; attributes containing password hashes obviously must not be readable.
Here is an excerpt from our ACL configuration in slapd.conf. slapd uses the first “access to” clause that matches an attribute, and within it the first matching “by” clause, with an implicit “by * none” at the end of every clause, so the catch-all read rule has to stay last. The Samba 3 schema keeps the LM hash in sambaLMPassword; that attribute needs a clause of its own too, otherwise the catch-all rule makes it world-readable:
# Users can read and change their own password.
# Anyone can authenticate (bind) against userPassword.
# Deny all other password access, including read.
access to attrs=userPassword
        by self write
        by * auth
# Samba hashes, under both the old (Samba 2) and the Samba 3 attribute names.
# The implicit "by * none" at the end of each clause denies everyone else.
# If Samba's "ldap admin dn" is not the rootdn, it needs write access here too.
access to attrs=lmPassword
        by self write
access to attrs=ntPassword
        by self write
access to attrs=sambaLMPassword
        by self write
access to attrs=sambaNTPassword
        by self write
# Allow users to update their own authenticationHint and picture;
# "break" continues to the catch-all rule so everyone else can read them.
access to attrs=apple-user-authenticationHint
        by self write
        by * break
access to attrs=apple-user-picture
        by self write
        by * break
# Default policy: everyone, including anonymous Mac clients, can read everything else.
access to *
        by * read
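Because the Mac clients bind anonymously, the only ACL test that matters is what an anonymous bind can actually see. The following shell functions, an added example rather than anything from the original page, dump the tree as an anonymous client and flag any hash attribute in the result; the server URL and suffix are placeholders, and the two sample dumps are constructed to exercise the check offline.

```shell
#!/bin/sh
# Added example, not from the original page: audit what an anonymous bind
# can read, since Mac clients only ever bind anonymously. Assumes the
# OpenLDAP client tools; the server URL and suffix are placeholders.

# Attributes that must never be readable by an anonymous client.
# lmPassword/ntPassword are the old Samba 2 names the Apple schema still
# refers to; sambaLMPassword/sambaNTPassword are the Samba 3 names.
SENSITIVE_ATTRS='userPassword sambaLMPassword sambaNTPassword lmPassword ntPassword sambaPwdHistory'

# Dump everything an anonymous client can see below a base DN, as LDIF.
# Usage: anon_dump ldap://ldap.example.com dc=example,dc=com > anon.ldif
anon_dump() {
    ldapsearch -x -LLL -H "$1" -b "$2" '(objectClass=*)'
}

# Join LDIF continuation lines (a leading space continues the previous
# line) so that every attribute value sits on one line.
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { print buf }' "$1"
}

# Print the names of sensitive attributes present anywhere in an LDIF
# dump, one per line (attribute names are case-insensitive in LDAP);
# prints nothing if the dump is clean.
ldif_sensitive_attrs() {
    ldif_unfold "$1" | awk -v list="$SENSITIVE_ATTRS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[tolower(a[i])] = a[i] }
        /^[A-Za-z][A-Za-z0-9-]*:/ {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if ((name in want) && !(name in seen)) { seen[name] = 1; print want[name] }
        }'
}

# Does the dump contain attribute $2 at all? Mac clients need the apple-*
# configuration and user fields to be visible anonymously, so this is the
# positive half of the check.
ldif_has_attr() {
    ldif_unfold "$1" | grep -qi "^$2:"
}

# Exit status 0 when no hash attribute is visible, 1 otherwise.
check_anon_exposure() {
    leaked=$(ldif_sensitive_attrs "$1")
    if [ -n "$leaked" ]; then
        printf 'readable by anonymous bind, fix the ACL: %s\n' \
            "$(printf '%s' "$leaked" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Constructed sample dumps (not from any real server) for trying the checks.
# The hash values are made up and the base64 value is a folded userPassword.
sample_leaky_dump() {
    cat > "$1" <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
apple-user-homeurl: <home_dir><url>afp://fs.example.com/Users</url><path>alice</path></home_dir>
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
SAMBALMPASSWORD: FEDCBA9876543210FEDCBA9876543210
userPassword:: e1NBU0x9YWxpY2VARVhBTVBMRS5DT00
 =

EOF
}
sample_clean_dump() {
    cat > "$1" <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
apple-user-homeurl: <home_dir><url>afp://fs.example.com/Users</url><path>alice</path></home_dir>
authAuthority: ;Kerberosv5;;alice@EXAMPLE.COM;EXAMPLE.COM;

EOF
}
```

Run anon_dump against the live server, then check_anon_exposure on the file; also confirm with ldif_has_attr that apple-user-homeurl and the description of ou=macosxodconfig are present, since an ACL that is too tight breaks the clients just as surely as one that is too loose leaks hashes. Repeat the dump after every ACL change, not only once.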
I recommend that you use the IdealX scripts provided with Samba 3 to set up a Samba-compatible LDAP tree. Once you have done this, we just add a few elements to the LDAP tree to provide Apple clients with information.
LDAP OD Config Nodes
In order to appear to be an Open Directory server to a Mac client, we need to set up at least two LDAP records. I'm not sure if they have to be inside a cn=config container or not, but since they are on a real Mac server, I put them in one as well. The LDIF below creates the container and places the records inside it, which is where the Map Search Base of the plist further down (cn=config,YOURLDAPSUFFIX) tells the client to look for them. Replace YOURLDAPSUFFIX and YOUR_LDAP_IPADDR with your own values:
dn: cn=config,YOURLDAPSUFFIX
cn: config
objectclass: container
objectclass: top

dn: cn=ldapreplicas,cn=config,YOURLDAPSUFFIX
cn: ldapreplicas
apple-ldap-replica: YOUR_LDAP_IPADDR
apple-ldap-writable-replica: YOUR_LDAP_IPADDR
objectclass: apple-configuration
objectclass: top

dn: ou=macosxodconfig,cn=config,YOURLDAPSUFFIX
ou: macosxodconfig
objectclass: organizationalUnit
objectclass: top

dn: cn=KerberosClient,cn=config,YOURLDAPSUFFIX
cn: KerberosClient
objectclass: apple-configuration
objectclass: top

dn: cn=KerberosKDC,cn=config,YOURLDAPSUFFIX
cn: KerberosKDC
objectclass: apple-configuration
objectclass: top
These records aren't yet complete, though. We have to add some fields to them. The reason I don't provide the LDIF is that these fields contain XML (a plist file really), and so the LDIF export consists of base64-encoded gibberish. As you need to modify the XML, I'll post the XML snippets separately. As mentioned before, the KerberosClient and KerberosKDC sections are only needed if you have set up a Kerberos server.
ou=macosxodconfig
The ou=macosxodconfig record needs to have a description field added to it. If you're using an LDAP editor to do this, be sure that it knows you're adding a text field that contains line breaks, rather than squishing it all onto one line. For some reason, if the XML is squished and the line breaks removed, the clients don't like it.
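The safest way around the line-break problem is not to paste the plist into an editor at all. The added example below (not from the original page) generates an LDIF change that makes ldapmodify read the description value straight from the plist file, and then decodes the value ldapsearch returns so you can confirm the newlines survived: ldapsearch base64-encodes and folds any multi-line value, so a plain grep cannot tell you. The DN, server and admin DN are placeholders for your own; the sample search output is constructed; GNU base64 (the -d flag) is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Loads the macosxodconfig
# plist into the description attribute without losing its line breaks,
# and decodes what the server hands back so the result can be checked.
# Assumes the OpenLDAP client tools and GNU base64 (-d); DNs are placeholders.

# LDIF that replaces the description with the *contents* of a file.
# The "attr:< URL" form makes ldapmodify read the value from the file, so
# the plist's newlines are stored verbatim, unlike pasting the text into an
# editor's single-line field.
# Usage: odconfig_modify_ldif "ou=macosxodconfig,cn=config,dc=example,dc=com" /tmp/odconfig.plist \
#          | ldapmodify -x -H ldap://ldap.example.com -D "cn=admin,dc=example,dc=com" -W
odconfig_modify_ldif() {    # $1 = DN of your macosxodconfig record, $2 = absolute path of the plist
    printf 'dn: %s\nchangetype: modify\nreplace: description\ndescription:< file://%s\n' "$1" "$2"
}

# Read ldapsearch output on stdin and print the decoded value of attribute $1
# of the first entry. ldapsearch writes "attr:: <base64>" for any value that
# contains newlines and folds long lines with a leading space, so the value
# has to be unfolded and decoded before it can be inspected.
# Usage: ldapsearch -x -LLL -H ldap://ldap.example.com -b "$DN" -s base description \
#          | ldif_decode_attr description
ldif_decode_attr() {
    unfolded=$(awk '/^ / { buf = buf substr($0, 2); next }
                    NR > 1 { print buf }
                    { buf = $0 }
                    END { print buf }')
    b64=$(printf '%s\n' "$unfolded" | grep -i "^$1:: " | head -n 1 | sed 's/^[^:]*:: //')
    if [ -n "$b64" ]; then
        printf '%s' "$b64" | base64 -d          # multi-line value: decode it
    else
        printf '%s\n' "$unfolded" | grep -i "^$1: " | head -n 1 | sed 's/^[^:]*: //'
    fi
}

# Constructed stand-in for ldapsearch output (not from a real server): a
# three-line plist stored with its newlines, encoded and folded the way the
# server would return it.
sample_search_output() {    # $1 = file to write
    plist='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
</plist>'
    b64=$(printf '%s\n' "$plist" | base64 | tr -d '\n')
    {
        printf 'dn: ou=macosxodconfig,cn=config,dc=example,dc=com\n'
        printf 'description:: %s\n' "$b64" | fold -w 78 | sed '2,$s/^/ /'
        printf '\n'
    } > "$1"
}
```

After loading the real plist, pipe a base-scope ldapsearch of the record through ldif_decode_attr and diff the output against the file you loaded; if the two differ only by collapsed whitespace, the value was squashed on the way in and the clients will reject it.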
Here is the XML snippet that should be in the description field. You should replace “YOURLDAPSUFFIX” with your own LDAP suffix. Also change the relevant Search Base fields to match your LDAP setup. For example, if your users are stored in ou=People,YOURLDAPSUFFIX, be sure to set that as the Search Base in the appropriate part of the XML plist document. Another important search base is the one for groups. Others are less important, but since Samba's IdealX scripts already create many equivalent parts of the LDAP tree, it doesn't hurt to set the search base for computers, etc. Note the space in the Search Bases. Not sure if it's needed, but my real OD server always had that.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Attribute Type Map</key>
  <array>
    <dict><key>Native Map</key><array><string>cn</string></array><key>Standard Name</key><string>dsAttrTypeStandard:RecordName</string></dict>
    <dict><key>Native Map</key><array><string>createTimestamp</string></array><key>Standard Name</key><string>dsAttrTypeStandard:CreationTimestamp</string></dict>
    <dict><key>Native Map</key><array><string>modifyTimestamp</string></array><key>Standard Name</key><string>dsAttrTypeStandard:ModificationTimestamp</string></dict>
  </array>
  <key>Enable Use</key>
  <true/>
  <key>LDAP PlugIn Version</key>
  <string>DSLDAPv3PlugIn Version 1.5</string>
  <key>Map Search Base</key>
  <string>cn=config,YOURLDAPSUFFIX</string>
  <key>OpenClose Timeout in seconds</key>
  <integer>15</integer>
  <key>Port Number</key>
  <integer>389</integer>
  <key>Record Type Map</key>
  <array>
    <dict>
      <key>Attribute Type Map</key>
      <array>
        <dict><key>Native Map</key><array><string>uid</string><string>cn</string></array><key>Standard Name</key><string>dsAttrTypeStandard:RecordName</string></dict>
        <dict><key>Native Map</key><array><string>cn</string></array><key>Standard Name</key><string>dsAttrTypeStandard:RealName</string></dict>
        <dict><key>Native Map</key><array><string>uidNumber</string></array><key>Standard Name</key><string>dsAttrTypeStandard:UniqueID</string></dict>
        <dict><key>Native Map</key><array><string>gidNumber</string></array><key>Standard Name</key><string>dsAttrTypeStandard:PrimaryGroupID</string></dict>
        <dict><key>Native Map</key><array><string>homeDirectory</string></array><key>Standard Name</key><string>dsAttrTypeStandard:NFSHomeDirectory</string></dict>
        <dict><key>Native Map</key><array><string>apple-user-homeurl</string></array><key>Standard Name</key><string>dsAttrTypeStandard:HomeDirectory</string></dict>
        <dict><key>Native Map</key><array><string>apple-user-homequota</string></array><key>Standard Name</key><string>dsAttrTypeStandard:HomeDirectoryQuota</string></dict>
        <dict><key>Native Map</key><array><string>apple-user-homesoftquota</string></array><key>Standard Name</key><string>dsAttrTypeStandard:HomeDirectorySoftQuota</string></dict>
        <dict><key>Native Map</key><array><string>apple-user-mailattribute</string></array><key>Standard Name</key><string>dsAttrTypeStandard:MailAttribute</string></dict>
        <dict><key>Native Map</key><array><string>apple-user-printattribute</string></array><key>Standard Name</key><string>dsAttrTypeStandard:PrintServiceUserData</string></dict>
        <dict><key>Native Map</key><array><string>apple-mcxflags</string></array><key>Standard Name</key><string>dsAttrTypeStandard:MCXFlags</string></dict>
        <dict><key>Native Map</key><array><string>apple-mcxsettings</string></array><key>Standard Name</key><string>dsAttrTypeStandard:MCXSettings</string></dict>
        <dict><key>Native Map</key><array><string>apple-user-adminlimits</string></array><key>Standard Name</key><string>dsAttrTypeStandard:AdminLimits</string></dict>
        <dict><key>Native Map</key><array><string>userPassword</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Password</string></dict>
        <dict><key>Native Map</key><array><string>apple-user-picture</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Picture</string></dict>
        <dict><key>Native Map</key><array><string>loginShell</string></array><key>Standard Name</key><string>dsAttrTypeStandard:UserShell</string></dict>
        <dict><key>Native Map</key><array><string>description</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Comment</string></dict>
        <dict><key>Native Map</key><array><string>shadowLastChange</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Change</string></dict>
        <dict><key>Native Map</key><array><string>shadowExpire</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Expire</string></dict>
        <dict><key>Native Map</key><array><string>authAuthority</string></array><key>Standard Name</key><string>dsAttrTypeStandard:AuthenticationAuthority</string></dict>
        <dict><key>Native Map</key><array><string>apple-user-authenticationhint</string></array><key>Standard Name</key><string>dsAttrTypeStandard:AuthenticationHint</string></dict>
        <dict><key>Native Map</key><array><string>apple-user-passwordpolicy</string></array><key>Standard Name</key><string>dsAttrTypeStandard:PasswordPolicyOptions</string></dict>
        <dict><key>Native Map</key><array><string>acctFlags</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBAccountFlags</string></dict>
        <dict><key>Native Map</key><array><string>pwdLastSet</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBPasswordLastSet</string></dict>
        <dict><key>Native Map</key><array><string>logonTime</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBLogonTime</string></dict>
        <dict><key>Native Map</key><array><string>logoffTime</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBLogoffTime</string></dict>
        <dict><key>Native Map</key><array><string>kickoffTime</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBKickoffTime</string></dict>
        <dict><key>Native Map</key><array><string>homeDrive</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBHomeDrive</string></dict>
        <dict><key>Native Map</key><array><string>scriptPath</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBScriptPath</string></dict>
        <dict><key>Native Map</key><array><string>profilePath</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBProfilePath</string></dict>
        <dict><key>Native Map</key><array><string>userWorkstations</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBUserWorkstations</string></dict>
        <dict><key>Native Map</key><array><string>smbHome</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBHome</string></dict>
        <dict><key>Native Map</key><array><string>rid</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBRID</string></dict>
        <dict><key>Native Map</key><array><string>primaryGroupID</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBGroupRID</string></dict>
        <dict><key>Native Map</key><array><string>sambaSID</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBSID</string></dict>
        <dict><key>Native Map</key><array><string>sambaPrimaryGroupSID</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBPrimaryGroupSID</string></dict>
        <dict><key>Native Map</key><array><string>apple-keyword</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Keywords</string></dict>
        <dict><key>Native Map</key><array><string>apple-generateduid</string></array><key>Standard Name</key><string>dsAttrTypeStandard:GeneratedUID</string></dict>
        <dict><key>Native Map</key><array><string>sn</string></array><key>Standard Name</key><string>dsAttrTypeStandard:LastName</string></dict>
        <dict><key>Native Map</key><array><string>givenName</string></array><key>Standard Name</key><string>dsAttrTypeStandard:FirstName</string></dict>
        <dict><key>Native Map</key><array><string>mail</string></array><key>Standard Name</key><string>dsAttrTypeStandard:EMailAddress</string></dict>
        <dict><key>Native Map</key><array><string>apple-imhandle</string></array><key>Standard Name</key><string>dsAttrTypeStandard:IMHandle</string></dict>
        <dict><key>Native Map</key><array><string>labeledURI</string></array><key>Standard Name</key><string>dsAttrTypeStandard:URL</string></dict>
        <dict><key>Native Map</key><array><string>apple-webloguri</string></array><key>Standard Name</key><string>dsAttrTypeStandard:WeblogURI</string></dict>
        <dict><key>Native Map</key><array><string>telephoneNumber</string></array><key>Standard Name</key><string>dsAttrTypeStandard:PhoneNumber</string></dict>
        <dict><key>Native Map</key><array><string>facsimileTelephoneNumber</string></array><key>Standard Name</key><string>dsAttrTypeStandard:FAXNumber</string></dict>
        <dict><key>Native Map</key><array><string>mobile</string></array><key>Standard Name</key><string>dsAttrTypeStandard:MobileNumber</string></dict>
        <dict><key>Native Map</key><array><string>pager</string></array><key>Standard Name</key><string>dsAttrTypeStandard:PagerNumber</string></dict>
        <dict><key>Native Map</key><array><string>street</string></array><key>Standard Name</key><string>dsAttrTypeStandard:AddressLine1</string></dict>
        <dict><key>Native Map</key><array><string>postalAddress</string></array><key>Standard Name</key><string>dsAttrTypeStandard:PostalAddress</string></dict>
        <dict><key>Native Map</key><array><string>street</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Street</string></dict>
        <dict><key>Native Map</key><array><string>l</string></array><key>Standard Name</key><string>dsAttrTypeStandard:City</string></dict>
        <dict><key>Native Map</key><array><string>st</string></array><key>Standard Name</key><string>dsAttrTypeStandard:State</string></dict>
        <dict><key>Native Map</key><array><string>postalCode</string></array><key>Standard Name</key><string>dsAttrTypeStandard:PostalCode</string></dict>
        <dict><key>Native Map</key><array><string>c</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Country</string></dict>
        <dict><key>Native Map</key><array><string>o</string></array><key>Standard Name</key><string>dsAttrTypeStandard:OrganizationName</string></dict>
        <dict><key>Native Map</key><array><string>departmentNumber</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Department</string></dict>
        <dict><key>Native Map</key><array><string>title</string></array><key>Standard Name</key><string>dsAttrTypeStandard:JobTitle</string></dict>
        <dict><key>Native Map</key><array><string>buildingName</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Building</string></dict>
      </array>
      <key>Native Map</key>
      <array>
        <dict>
          <key>Group Object Classes</key>
          <string>AND</string>
          <key>Object Classes</key>
          <array>
            <string>inetOrgPerson</string>
            <string>posixAccount</string>
            <string>shadowAccount</string>
            <string>apple-user</string>
            <string>extensibleObject</string>
          </array>
          <key>Search Base</key>
          <string>ou=People, YOURLDAPSUFFIX</string>
        </dict>
      </array>
      <key>Standard Name</key>
      <string>dsRecTypeStandard:Users</string>
    </dict>
    <dict>
      <key>Attribute Type Map</key>
      <array>
        <dict><key>Native Map</key><array><string>apple-group-memberguid</string></array><key>Standard Name</key><string>dsAttrTypeStandard:GroupMembers</string></dict>
        <dict><key>Native Map</key><array><string>memberUid</string></array><key>Standard Name</key><string>dsAttrTypeStandard:GroupMembership</string></dict>
        <dict><key>Native Map</key><array><string>memberUid</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Member</string></dict>
        <dict><key>Native Map</key><array><string>gidNumber</string></array><key>Standard Name</key><string>dsAttrTypeStandard:PrimaryGroupID</string></dict>
        <dict><key>Native Map</key><array><string>apple-group-homeurl</string></array><key>Standard Name</key><string>dsAttrTypeStandard:HomeDirectory</string></dict>
        <dict><key>Native Map</key><array><string>apple-group-homeowner</string></array><key>Standard Name</key><string>dsAttrTypeStandard:HomeLocOwner</string></dict>
        <dict><key>Native Map</key><array><string>apple-mcxflags</string></array><key>Standard Name</key><string>dsAttrTypeStandard:MCXFlags</string></dict>
        <dict><key>Native Map</key><array><string>apple-mcxsettings</string></array><key>Standard Name</key><string>dsAttrTypeStandard:MCXSettings</string></dict>
        <dict><key>Native Map</key><array><string>apple-group-nestedgroup</string></array><key>Standard Name</key><string>dsAttrTypeStandard:NestedGroups</string></dict>
        <dict><key>Native Map</key><array><string>apple-group-realname</string></array><key>Standard Name</key><string>dsAttrTypeStandard:RealName</string></dict>
        <dict><key>Native Map</key><array><string>description</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Comment</string></dict>
        <dict><key>Native Map</key><array><string>mail</string></array><key>Standard Name</key><string>dsAttrTypeStandard:EMailAddress</string></dict>
        <dict><key>Native Map</key><array><string>apple-user-picture</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Picture</string></dict>
        <dict><key>Native Map</key><array><string>apple-keyword</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Keywords</string></dict>
        <dict><key>Native Map</key><array><string>apple-generateduid</string></array><key>Standard Name</key><string>dsAttrTypeStandard:GeneratedUID</string></dict>
        <dict><key>Native Map</key><array><string>rid</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBRID</string></dict>
        <dict><key>Native Map</key><array><string>primaryGroupID</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBGroupRID</string></dict>
        <dict><key>Native Map</key><array><string>sambaSID</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBSID</string></dict>
        <dict><key>Native Map</key><array><string>ttl</string></array><key>Standard Name</key><string>dsAttrTypeStandard:TimeToLive</string></dict>
      </array>
      <key>Native Map</key>
      <array>
        <dict>
          <key>Group Object Classes</key>
          <string>AND</string>
          <key>Object Classes</key>
          <array>
            <string>posixGroup</string>
            <string>apple-group</string>
            <string>extensibleObject</string>
          </array>
          <key>Search Base</key>
          <string>ou=Groups, YOURLDAPSUFFIX</string>
        </dict>
      </array>
      <key>Standard Name</key>
      <string>dsRecTypeStandard:Groups</string>
    </dict>
    <dict>
      <key>Attribute Type Map</key>
      <array>
        <dict><key>Native Map</key><array><string>mountDirectory</string></array><key>Standard Name</key><string>dsAttrTypeStandard:VFSLinkDir</string></dict>
        <dict><key>Native Map</key><array><string>mountOption</string></array><key>Standard Name</key><string>dsAttrTypeStandard:VFSOpts</string></dict>
        <dict><key>Native Map</key><array><string>mountType</string></array><key>Standard Name</key><string>dsAttrTypeStandard:VFSType</string></dict>
        <dict><key>Native Map</key><array><string>mountDumpFrequency</string></array><key>Standard Name</key><string>dsAttrTypeStandard:VFSDumpFreq</string></dict>
        <dict><key>Native Map</key><array><string>mountPassNo</string></array><key>Standard Name</key><string>dsAttrTypeStandard:VFSPassNo</string></dict>
      </array>
      <key>Native Map</key>
      <array>
        <dict>
          <key>Group Object Classes</key>
          <string>OR</string>
          <key>Object Classes</key>
          <array>
            <string>mount</string>
          </array>
          <key>Search Base</key>
          <string>ou=Mounts, YOURLDAPSUFFIX</string>
        </dict>
      </array>
      <key>Standard Name</key>
      <string>dsRecTypeStandard:Mounts</string>
    </dict>
    <dict>
      <key>Attribute Type Map</key>
      <array>
        <dict><key>Native Map</key><array><string>apple-realname</string></array><key>Standard Name</key><string>dsAttrTypeStandard:RealName</string></dict>
        <dict><key>Native Map</key><array><string>apple-category</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Category</string></dict>
        <dict><key>Native Map</key><array><string>description</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Comment</string></dict>
        <dict><key>Native Map</key><array><string>macAddress</string></array><key>Standard Name</key><string>dsAttrTypeStandard:ENetAddress</string></dict>
        <dict><key>Native Map</key><array><string>apple-keyword</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Keywords</string></dict>
        <dict><key>Native Map</key><array><string>apple-mcxflags</string></array><key>Standard Name</key><string>dsAttrTypeStandard:MCXFlags</string></dict>
        <dict><key>Native Map</key><array><string>apple-mcxsettings</string></array><key>Standard Name</key><string>dsAttrTypeStandard:MCXSettings</string></dict>
        <dict><key>Native Map</key><array><string>apple-networkview</string></array><key>Standard Name</key><string>dsAttrTypeStandard:NetworkView</string></dict>
        <dict><key>Native Map</key><array><string>apple-computer-list-groups</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Group</string></dict>
        <dict><key>Native Map</key><array><string>uidNumber</string></array><key>Standard Name</key><string>dsAttrTypeStandard:UniqueID</string></dict>
        <dict><key>Native Map</key><array><string>gidNumber</string></array><key>Standard Name</key><string>dsAttrTypeStandard:PrimaryGroupID</string></dict>
        <dict><key>Native Map</key><array><string>authAuthority</string></array><key>Standard Name</key><string>dsAttrTypeStandard:AuthenticationAuthority</string></dict>
        <dict><key>Native Map</key><array><string>apple-generateduid</string></array><key>Standard Name</key><string>dsAttrTypeStandard:GeneratedUID</string></dict>
        <dict><key>Native Map</key><array><string>acctFlags</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBAccountFlags</string></dict>
        <dict><key>Native Map</key><array><string>pwdLastSet</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBPasswordLastSet</string></dict>
        <dict><key>Native Map</key><array><string>logonTime</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBLogonTime</string></dict>
        <dict><key>Native Map</key><array><string>logoffTime</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBLogoffTime</string></dict>
        <dict><key>Native Map</key><array><string>kickoffTime</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBKickoffTime</string></dict>
        <dict><key>Native Map</key><array><string>rid</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBRID</string></dict>
        <dict><key>Native Map</key><array><string>primaryGroupID</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBGroupRID</string></dict>
        <dict><key>Native Map</key><array><string>sambaSID</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBSID</string></dict>
        <dict><key>Native Map</key><array><string>sambaPrimaryGroupSID</string></array><key>Standard Name</key><string>dsAttrTypeStandard:SMBPrimaryGroupSID</string></dict>
        <dict><key>Native Map</key><array><string>ttl</string></array><key>Standard Name</key><string>dsAttrTypeStandard:TimeToLive</string></dict>
        <dict><key>Native Map</key><array><string>apple-service-url</string></array><key>Standard Name</key><string>dsAttrTypeStandard:URL</string></dict>
        <dict><key>Native Map</key><array><string>apple-xmlplist</string></array><key>Standard Name</key><string>dsAttrTypeStandard:XMLPlist</string></dict>
      </array>
      <key>Native Map</key>
      <array>
        <dict>
          <key>Group Object Classes</key>
          <string>OR</string>
          <key>Object Classes</key>
          <array>
            <string>apple-computer</string>
          </array>
          <key>Search Base</key>
          <string>ou=Computers, YOURLDAPSUFFIX</string>
        </dict>
      </array>
      <key>Standard Name</key>
      <string>dsRecTypeStandard:Computers</string>
    </dict>
    <dict>
      <key>Attribute Type Map</key>
      <array>
        <dict><key>Native Map</key><array><string>apple-mcxflags</string></array><key>Standard Name</key><string>dsAttrTypeStandard:MCXFlags</string></dict>
        <dict><key>Native Map</key><array><string>apple-mcxsettings</string></array><key>Standard Name</key><string>dsAttrTypeStandard:MCXSettings</string></dict>
        <dict><key>Native Map</key><array><string>apple-computers</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Computers</string></dict>
        <dict><key>Native Map</key><array><string>apple-computer-list-groups</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Group</string></dict>
        <dict><key>Native Map</key><array><string>apple-generateduid</string></array><key>Standard Name</key><string>dsAttrTypeStandard:GeneratedUID</string></dict>
        <dict><key>Native Map</key><array><string>apple-keyword</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Keywords</string></dict>
      </array>
      <key>Native Map</key>
      <array>
        <dict>
          <key>Group Object Classes</key>
          <string>OR</string>
          <key>Object Classes</key>
          <array>
            <string>apple-computer-list</string>
          </array>
          <key>Search Base</key>
          <string>cn=computer_lists, YOURLDAPSUFFIX</string>
        </dict>
      </array>
      <key>Standard Name</key>
      <string>dsRecTypeStandard:ComputerLists</string>
    </dict>
    <dict>
      <key>Attribute Type Map</key>
      <array>
        <dict><key>Native Map</key><array><string>cn</string><string>ou</string></array><key>Standard Name</key><string>dsAttrTypeStandard:RecordName</string></dict>
        <dict><key>Native Map</key><array><string>apple-config-realname</string></array><key>Standard Name</key><string>dsAttrTypeStandard:RealName</string></dict>
        <dict><key>Native Map</key><array><string>description</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Comment</string></dict>
        <dict><key>Native Map</key><array><string>apple-data-stamp</string></array><key>Standard Name</key><string>dsAttrTypeStandard:DataStamp</string></dict>
        <dict><key>Native Map</key><array><string>apple-kdc-authkey</string></array><key>Standard Name</key><string>dsAttrTypeStandard:KDCAuthKey</string></dict>
        <dict><key>Native Map</key><array><string>apple-kdc-configdata</string></array><key>Standard Name</key><string>dsAttrTypeStandard:KDCConfigData</string></dict>
        <dict><key>Native Map</key><array><string>apple-keyword</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Keywords</string></dict>
        <dict><key>Native Map</key><array><string>apple-ldap-replica</string></array><key>Standard Name</key><string>dsAttrTypeStandard:LDAPReadReplicas</string></dict>
        <dict><key>Native Map</key><array><string>apple-ldap-writable-replica</string></array><key>Standard Name</key><string>dsAttrTypeStandard:LDAPWriteReplicas</string></dict>
        <dict><key>Native Map</key><array><string>apple-password-server-list</string></array><key>Standard Name</key><string>dsAttrTypeStandard:PasswordServerList</string></dict>
        <dict><key>Native Map</key><array><string>apple-password-server-location</string></array><key>Standard Name</key><string>dsAttrTypeStandard:PasswordServerLocation</string></dict>
        <dict><key>Native Map</key><array><string>ttl</string></array><key>Standard Name</key><string>dsAttrTypeStandard:TimeToLive</string></dict>
        <dict><key>Native Map</key><array><string>apple-xmlplist</string></array><key>Standard Name</key><string>dsAttrTypeStandard:XMLPlist</string></dict>
      </array>
      <key>Native Map</key>
      <array>
        <dict>
          <key>Group Object Classes</key>
          <string>OR</string>
          <key>Object Classes</key>
          <array>
            <string>apple-configuration</string>
            <string>organizationalUnit</string>
          </array>
          <key>Search Base</key>
          <string>cn=config, YOURLDAPSUFFIX</string>
        </dict>
      </array>
      <key>Standard Name</key>
      <string>dsRecTypeStandard:Config</string>
    </dict>
    <dict>
      <key>Attribute Type Map</key>
      <array>
        <dict><key>Native Map</key><array><string>apple-dns-domain</string></array><key>Standard Name</key><string>dsAttrTypeStandard:DNSDomain</string></dict>
        <dict><key>Native Map</key><array><string>apple-dns-nameserver</string></array><key>Standard Name</key><string>dsAttrTypeStandard:DNSNameServer</string></dict>
      </array>
      <key>Native Map</key>
      <array>
        <dict>
          <key>Group Object Classes</key>
          <string>OR</string>
          <key>Object Classes</key>
          <array>
            <string>apple-location</string>
          </array>
          <key>Search Base</key>
          <string>cn=locations, YOURLDAPSUFFIX</string>
        </dict>
      </array>
      <key>Standard Name</key>
      <string>dsRecTypeStandard:Locations</string>
    </dict>
    <dict>
      <key>Attribute Type Map</key>
      <array>
        <dict><key>Native Map</key><array><string>description</string></array><key>Standard Name</key><string>dsAttrTypeStandard:Comment</string></dict>
        <dict><key>Native Map</key><array><string>ipHostNumber</string></array><key>Standard Name</key><string>dsAttrTypeStandard:IPAddress</string></dict>
        <dict><key>Native Map</key><array><string>macAddress</string></array><key>Standard Name</key><string>dsAttrTypeStandard:ENetAddress</string></dict>
        <dict><key>Native Map</key><array><string>bootFile</string></array><key>Standard Name</key><string>dsAttrTypeStandard:BootFile</string></dict>
        <dict><key>Native Map</key><array><string>bootParameter</string></array><key>Standard Name</key><string>dsAttrTypeStandard:BootParams</string></dict>
        <dict><key>Native Map</key><array><string>apple-machine-contactperson</string></array><key>Standard Name</key><string>dsAttrTypeStandard:ContactPerson</string></dict>
        <dict><key>Native Map</key><array><string>apple-machine-serves</string></array><key>Standard Name</key><string>dsAttrTypeStandard:MachineServes</string></dict>
      </array>
      <key>Native Map</key>
      <array>
        <dict>
          <key>Group Object Classes</key>
          <string>AND</string>
          <key>Object Classes</key>
          <array>
            <string>device</string>
            <string>ipHost</string>
            <string>ieee802Device</string>
            <string>bootableDevice</string>
            <string>apple-machine</string>
          </array>
          <key>Search Base</key>
          <string>cn=machines, YOURLDAPSUFFIX</string>
        </dict>
      </array>
      <key>Standard Name</key>
<string>dsRecTypeStandard:Machines</string> </dict> <dict> <key>Attribute Type Map</key> <array> <dict> <key>Native Map</key> <array> <string>apple-realname</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:RealName</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-generateduid</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:GeneratedUID</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-category</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Category</string> </dict> <dict> <key>Native Map</key> <array> <string>description</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Comment</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-keyword</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Keywords</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-nodepathxml</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:NodePathXMLPlist</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-neighborhoodalias</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:NeighborhoodAlias</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-computeralias</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:ComputerAlias</string> </dict> <dict> <key>Native Map</key> <array> <string>ttl</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:TimeToLive</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-xmlplist</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:XMLPlist</string> </dict> </array> <key>Native Map</key> <array> <dict> <key>Group Object Classes</key> <string>OR</string> <key>Object Classes</key> <array> <string>apple-neighborhood</string> </array> <key>Search Base</key> <string>cn=neighborhoods, YOURLDAPSUFFIX</string> </dict> </array> <key>Standard Name</key> 
<string>dsRecTypeStandard:Neighborhoods</string> </dict> <dict> <key>Attribute Type Map</key> <array> <dict> <key>Native Map</key> <array> <string>cn</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:RecordName</string> </dict> <dict> <key>Native Map</key> <array> <string>cn</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:RealName</string> </dict> <dict> <key>Native Map</key> <array> <string>sn</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:LastName</string> </dict> <dict> <key>Native Map</key> <array> <string>givenName</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:FirstName</string> </dict> <dict> <key>Native Map</key> <array> <string>mail</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:EMailAddress</string> </dict> <dict> <key>Native Map</key> <array> <string>telephoneNumber</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:PhoneNumber</string> </dict> <dict> <key>Native Map</key> <array> <string>facsimileTelephoneNumber</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:FAXNumber</string> </dict> <dict> <key>Native Map</key> <array> <string>mobile</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:MobileNumber</string> </dict> <dict> <key>Native Map</key> <array> <string>pager</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:PagerNumber</string> </dict> <dict> <key>Native Map</key> <array> <string>street</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:AddressLine1</string> </dict> <dict> <key>Native Map</key> <array> <string>postalAddress</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:PostalAddress</string> </dict> <dict> <key>Native Map</key> <array> <string>street</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Street</string> </dict> <dict> <key>Native Map</key> <array> <string>l</string> </array> 
<key>Standard Name</key> <string>dsAttrTypeStandard:City</string> </dict> <dict> <key>Native Map</key> <array> <string>st</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:State</string> </dict> <dict> <key>Native Map</key> <array> <string>postalCode</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:PostalCode</string> </dict> <dict> <key>Native Map</key> <array> <string>c</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Country</string> </dict> <dict> <key>Native Map</key> <array> <string>o</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:OrganizationName</string> </dict> <dict> <key>Native Map</key> <array> <string>departmentNumber</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Department</string> </dict> <dict> <key>Native Map</key> <array> <string>title</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:JobTitle</string> </dict> <dict> <key>Native Map</key> <array> <string>buildingName</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Building</string> </dict> </array> <key>Native Map</key> <array> <dict> <key>Group Object Classes</key> <string>OR</string> <key>Object Classes</key> <array> <string>inetOrgPerson</string> </array> <key>Search Base</key> <string>ou=People, YOURLDAPSUFFIX</string> </dict> </array> <key>Standard Name</key> <string>dsRecTypeStandard:People</string> </dict> <dict> <key>Attribute Type Map</key> <array> <dict> <key>Native Map</key> <array> <string>apple-mcxflags</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:MCXFlags</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-mcxsettings</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:MCXSettings</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-computer-list-groups</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Group</string> </dict> <dict> <key>Native 
Map</key> <array> <string>apple-keyword</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Keywords</string> </dict> </array> <key>Native Map</key> <array> <dict> <key>Group Object Classes</key> <string>OR</string> <key>Object Classes</key> <array> <string>apple-preset-computer-list</string> </array> <key>Search Base</key> <string>cn=presets_computer_lists, YOURLDAPSUFFIX</string> </dict> </array> <key>Standard Name</key> <string>dsRecTypeStandard:PresetComputerLists</string> </dict> <dict> <key>Attribute Type Map</key> <array> <dict> <key>Native Map</key> <array> <string>memberUid</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:GroupMembership</string> </dict> <dict> <key>Native Map</key> <array> <string>gidNumber</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:PrimaryGroupID</string> </dict> <dict> <key>Native Map</key> <array> <string>description</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Comment</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-group-homeurl</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:HomeDirectory</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-group-homeowner</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:HomeLocOwner</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-keyword</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Keywords</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-mcxflags</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:MCXFlags</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-mcxsettings</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:MCXSettings</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-group-nestedgroup</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:NestedGroups</string> </dict> 
<dict> <key>Native Map</key> <array> <string>apple-group-realname</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:RealName</string> </dict> </array> <key>Native Map</key> <array> <dict> <key>Group Object Classes</key> <string>OR</string> <key>Object Classes</key> <array> <string>apple-preset-group</string> </array> <key>Search Base</key> <string>cn=presets_groups, YOURLDAPSUFFIX</string> </dict> </array> <key>Standard Name</key> <string>dsRecTypeStandard:PresetGroups</string> </dict> <dict> <key>Attribute Type Map</key> <array> <dict> <key>Native Map</key> <array> <string>uid</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:RecordName</string> </dict> <dict> <key>Native Map</key> <array> <string>cn</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:RealName</string> </dict> <dict> <key>Native Map</key> <array> <string>memberUid</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:GroupMembership</string> </dict> <dict> <key>Native Map</key> <array> <string>gidNumber</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:PrimaryGroupID</string> </dict> <dict> <key>Native Map</key> <array> <string>homeDirectory</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:NFSHomeDirectory</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-user-homeurl</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:HomeDirectory</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-user-homequota</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:HomeDirectoryQuota</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-user-homesoftquota</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:HomeDirectorySoftQuota</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-user-mailattribute</string> </array> <key>Standard Name</key> 
<string>dsAttrTypeStandard:MailAttribute</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-user-printattribute</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:PrintServiceUserData</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-mcxflags</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:MCXFlags</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-mcxsettings</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:MCXSettings</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-user-adminlimits</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:AdminLimits</string> </dict> <dict> <key>Native Map</key> <array> <string>userPassword</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Password</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-user-picture</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Picture</string> </dict> <dict> <key>Native Map</key> <array> <string>loginShell</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:UserShell</string> </dict> <dict> <key>Native Map</key> <array> <string>description</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Comment</string> </dict> <dict> <key>Native Map</key> <array> <string>shadowLastChange</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Change</string> </dict> <dict> <key>Native Map</key> <array> <string>shadowExpire</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Expire</string> </dict> <dict> <key>Native Map</key> <array> <string>authAuthority</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:AuthenticationAuthority</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-user-passwordpolicy</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:PasswordPolicyOptions</string> </dict> 
<dict> <key>Native Map</key> <array> <string>apple-preset-user-is-admin</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:PresetUserIsAdmin</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-keyword</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Keywords</string> </dict> <dict> <key>Native Map</key> <array> <string>homeDrive</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:SMBHomeDrive</string> </dict> <dict> <key>Native Map</key> <array> <string>scriptPath</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:SMBScriptPath</string> </dict> <dict> <key>Native Map</key> <array> <string>profilePath</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:SMBProfilePath</string> </dict> <dict> <key>Native Map</key> <array> <string>smbHome</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:SMBHome</string> </dict> </array> <key>Native Map</key> <array> <dict> <key>Group Object Classes</key> <string>OR</string> <key>Object Classes</key> <array> <string>apple-preset-user</string> </array> <key>Search Base</key> <string>cn=presets_users, YOURLDAPSUFFIX</string> </dict> </array> <key>Standard Name</key> <string>dsRecTypeStandard:PresetUsers</string> </dict> <dict> <key>Attribute Type Map</key> <array> <dict> <key>Native Map</key> <array> <string>apple-printer-lprhost</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:PrinterLPRHost</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-printer-lprqueue</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:PrinterLPRQueue</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-printer-note</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:Note</string> </dict> <dict> <key>Native Map</key> <array> <string>apple-printer-type</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:PrinterType</string> 
</dict> </array> <key>Native Map</key> <array> <dict> <key>Group Object Classes</key> <string>OR</string> <key>Object Classes</key> <array> <string>apple-printer</string> </array> <key>Search Base</key> <string>cn=printers, YOURLDAPSUFFIX</string> </dict> </array> <key>Standard Name</key> <string>dsRecTypeStandard:Printers</string> </dict> <dict> <key>Attribute Type Map</key> <array> <dict> <key>Native Map</key> <array> <string>apple-xmlplist</string> </array> <key>Standard Name</key> <string>dsAttrTypeStandard:XMLPlist</string> </dict> </array> <key>Native Map</key> <array> <dict> <key>Group Object Classes</key> <string>OR</string> <key>Object Classes</key> <array> <string>apple-serverassistant-config</string> </array> <key>Search Base</key> <string>cn=autoserversetup, YOURLDAPSUFFIX</string> </dict> </array> <key>Standard Name</key> <string>dsRecTypeStandard:AutoServerSetup</string> </dict> </array> <key>SSL</key> <false/> <key>Search Timeout in seconds</key> <integer>120</integer> <key>Server</key> <string>127.0.0.1</string> <key>Server Mappings</key> <false/> <key>Template Name</key> <string>Open Directory Server</string> <key>Template Search Base Suffix</key> <string>YOURLDAPSUFFIX</string> <key>UI Name</key> <string>localhost</string> </dict> </plist>
cn=KerberosClient
This record should also carry the following plist XML, substituting your own values for YOUR_DNS_DOMAIN, YOUR_KERBEROS_DOMAIN (the Kerberos realm, by convention the DNS domain in upper case) and YOUR_KERBEROS_SERVER_ADDRESS. In Apple's own directories this plist lives in the apple-xmlplist attribute of the apple-configuration object, which the mapping above exposes to clients as XMLPlist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>edu.mit.kerberos</key>
    <dict>
        <key>domain_realm</key>
        <dict>
            <key>.YOUR_DNS_DOMAIN</key>
            <string>YOUR_KERBEROS_DOMAIN</string>
            <key>YOUR_DNS_DOMAIN</key>
            <string>YOUR_KERBEROS_DOMAIN</string>
        </dict>
        <key>libdefaults</key>
        <dict>
            <key>default_realm</key>
            <string>YOUR_KERBEROS_DOMAIN</string>
        </dict>
        <key>realms</key>
        <dict>
            <key>YOUR_KERBEROS_DOMAIN</key>
            <dict>
                <key>KADM_List</key>
                <array>
                    <string>YOUR_KERBEROS_SERVER_ADDRESS</string>
                </array>
                <key>KDC_List</key>
                <array>
                    <string>YOUR_KERBEROS_SERVER_ADDRESS</string>
                </array>
            </dict>
        </dict>
    </dict>
    <key>generationID</key>
    <integer>2056141908</integer>
</dict>
</plist>
Note that the realms dictionary is keyed by the realm name, exactly as the [realms] section of krb5.conf is; domain_realm is the part that maps DNS names onto that realm. Keying realms by the DNS domain leaves the realm named in default_realm with no KDC list, and clients then fail to find a KDC.
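As an added example (not code from the original page), the following Python generates that plist from the three placeholder values with plistlib and checks a plist read back out of the directory for the structural mistakes that silently break client Kerberos: a realms dictionary keyed by the DNS domain rather than the realm, a default_realm with no KDC list, or a mixed-case realm. The lab.example domain, LAB.EXAMPLE realm and kdc.lab.example host are made up.

```python
"""Generate and sanity-check the edu.mit.kerberos plist for cn=KerberosClient.

Added example, not from the original page: builds the plist that goes into the
KerberosClient record from a DNS domain, a realm and a KDC host, and checks a
plist read back from LDAP for the mistakes that silently break client Kerberos.
The domain, realm and host used below are made up.
"""
import plistlib


def kerberos_client_plist(dns_domain, realm, kdc_host, generation_id=1):
    """Return the XML plist (bytes) for the record's apple-xmlplist value.

    domain_realm maps DNS names to the realm; realms is keyed by the realm
    name itself, never by the DNS domain, and lists the KDC/kadmin hosts.
    """
    if realm != realm.upper():
        # Realms are case-sensitive and by convention the upper-cased DNS
        # domain; a mixed-case realm here breaks every principal lookup.
        raise ValueError(f"realm should be upper-case: {realm!r}")
    dns_domain = dns_domain.lower().strip(".")
    doc = {
        "edu.mit.kerberos": {
            "domain_realm": {
                "." + dns_domain: realm,   # hosts below the domain
                dns_domain: realm,         # the bare domain name
            },
            "libdefaults": {"default_realm": realm},
            "realms": {realm: {"KADM_List": [kdc_host], "KDC_List": [kdc_host]}},
        },
        "generationID": generation_id,
    }
    return plistlib.dumps(doc, fmt=plistlib.FMT_XML)


def check_kerberos_client_plist(data):
    """Parse a KerberosClient plist and return a list of problems (empty = OK)."""
    problems = []
    krb = plistlib.loads(data).get("edu.mit.kerberos", {})
    realms = krb.get("realms", {})
    default = krb.get("libdefaults", {}).get("default_realm")
    if default not in realms:
        problems.append(f"default_realm {default!r} has no entry under realms")
    for dom, realm in krb.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"domain_realm {dom!r} -> {realm!r} but realms lacks {realm!r}")
    for realm, cfg in realms.items():
        if realm != realm.upper():
            problems.append(f"realms key {realm!r} is not upper-case")
        if not cfg.get("KDC_List"):
            problems.append(f"realm {realm!r} lists no KDC")
    return problems


# Constructed sample values; none of these hosts exist.
SAMPLE_DOMAIN, SAMPLE_REALM, SAMPLE_KDC = "lab.example", "LAB.EXAMPLE", "kdc.lab.example"

# The classic slip: realms keyed by the DNS domain instead of the realm, so the
# realm named in domain_realm and default_realm has no KDC list at all.
BROKEN_SAMPLE = plistlib.dumps({
    "edu.mit.kerberos": {
        "domain_realm": {"." + SAMPLE_DOMAIN: SAMPLE_REALM, SAMPLE_DOMAIN: SAMPLE_REALM},
        "libdefaults": {"default_realm": SAMPLE_REALM},
        "realms": {SAMPLE_DOMAIN: {"KADM_List": [SAMPLE_KDC], "KDC_List": [SAMPLE_KDC]}},
    },
    "generationID": 1,
})

if __name__ == "__main__":
    good = kerberos_client_plist(SAMPLE_DOMAIN, SAMPLE_REALM, SAMPLE_KDC)
    print(good.decode())
    print("good:", check_kerberos_client_plist(good))
    print("broken:", check_kerberos_client_plist(BROKEN_SAMPLE))
```

When you load the generated XML into the apple-xmlplist attribute with ldapadd, remember that the value begins with '<', so strict LDIF (RFC 2849) wants it base64-encoded on an "apple-xmlplist::" line; ldapsearch prints it back in that form as well.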
cn=KerberosKDC
I'm not sure this record is strictly necessary, since it has nothing to do with clients, and on Linux the KDC's configuration lives in an ordinary file. For completeness I include it in my setups anyway: I add an apple-kdc-configdata attribute to the record and put the contents of my KDC's kdc.conf file in it (the default location is /var/kerberos/krb5kdc/kdc.conf on RHEL and /etc/krb5kdc/kdc.conf on Debian-based systems). kdc.conf holds paths, ports and policy but no key material, so exposing it through the directory gives away little; the master key stash file and the kadmin keytab are a different matter and must never be copied into an LDAP record.
Adding Apple Fields to User Records
Only two or three attributes need to be added to an otherwise normal posixAccount/sambaSamAccount user record (together with the apple-user object class that carries them) for Apple clients to work with it.
apple-user-homeurl
The apple-user-homeurl attribute contains a small snippet of XML that describes how to mount the user's home directory. Depending on which protocol you want to use, there are several ways to specify the URL.
One important thing is to make sure that the user's homeDirectory path is not one that the client's automounter already owns. For example, /home/blah is perfectly legitimate on Linux, but on OS X clients the automounter sits on /home (the auto_home map), so a network home under /home will fail to mount at login unless you disable that map. To avoid the problem, put home directories somewhere like /NetUsers or /nethome. If the server, the Mac clients and the Unix clients all share the same LDAP directory, you need a path scheme that all of them can live with. On the Mac the automounter configuration is /etc/auto_master; comment out any line, such as the /home one, that conflicts with your chosen home directory scheme.
Here are examples of the XML for the different mounting protocols. Again, substitute your own values for the parts in capitals.
Samba smb or cifs
<home_dir><url>cifs://SAMBA_SERVER/USERNAME/</url><path></path></home_dir>
Note that the path part is empty and the url has a trailing slash.
AFP
<home_dir><url>afp://AFP_SERVER/AFP_SHARE</url><path>USERNAME</path></home_dir>
NFS
<home_dir><url>nfs://NFS_SERVER/PATH</url><path>USERNAME</path></home_dir>
authAuthority
If you are using Kerberos authentication, you can set the authAuthority field to something like the following, substituting the appropriate information for USERNAME and YOUR_KERBEROS_DOMAIN:
;Kerberosv5;;USERNAME@YOUR_KERBEROS_DOMAIN;YOUR_KERBEROS_DOMAIN;
Complete example of a user record
Here is the LDIF of a complete user record. Two things to keep in mind when loading something like this: sambaNTPassword is the raw NT hash, which NTLM accepts directly as a credential, so your slapd ACLs must restrict reading of sambaNTPassword, sambaLMPassword and userPassword to the Samba admin DN and the user themselves; and strict LDIF (RFC 2849) requires a value that begins with "<", such as apple-user-homeurl, to be written base64-encoded on an "attr::" line, which is how ldapsearch will print it back to you.
dn: uid=testuser,ou=People,YOURLDAPSUFFIX
apple-user-homeurl: <home_dir><url>cifs://myserver/testuser/</url><path></path></home_dir>
authauthority: ;Kerberosv5;;testuser@MYDOMAIN.COM;MYDOMAIN.COM;
cn: Test User
givenname: Test
gidnumber: 1000
homedirectory: /NetUsers/testuser
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
objectclass: top
objectclass: apple-user
objectclass: extensibleObject
objectclass: organizationalPerson
objectclass: person
objectclass: sambaSamAccount
sambaacctflags: [UX]
sambahomedrive: U:
sambahomepath: \\myserver\testuser
sambalogonscript: \scripts\logon.bat
shadowmax: 1000
sambantpassword: E2970763DF217C97EEFFCFC7F53A93E7
sambaprimarygroupsid: S-1-5-21-4014530946-69055226-1538787552-3025
sambaprofilepath: \\myserver\Profiles\testuser
sambapwdlastset: 1251824629
sambapwdmustchange: 1338224629
sambasid: S-1-5-21-4014530946-69055226-1538787552-3024
shadowlastchange: 14488
shadowwarning: 5
sn: User
uid: testuser
uidnumber: 1012
userpassword: {SASL}testuser@MYDOMAIN.COM
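As an added example that is not part of the original page, here is a Python script that assembles a record like the one above from a few inputs. It covers the whole "Adding Apple Fields to User Records" procedure: it produces the apple-user-homeurl XML in the cifs, afp and nfs forms shown earlier, the Kerberos authAuthority string and the {SASL} userPassword, refuses a homeDirectory that an OS X automounter map would shadow (the /home pitfall described above), and writes LDIF that base64-encodes values beginning with "<". The server names, suffix, domain SID and the auto_master text are constructed; the sambaSID uses Samba 3's legacy algorithmic RID (uid*2 + 1000, which is also what the record above shows for uid 1012), an assumption that does not hold for idmap-based Samba setups.

```python
"""Assemble an Open Directory style user record as LDIF.

Added example, not code from the original page. It builds the Apple-specific
pieces described above (apple-user object class, apple-user-homeurl,
authAuthority), refuses a homeDirectory that an OS X automounter map would
shadow, and base64-encodes LDIF values that begin with '<' (RFC 2849).
Server names, suffix, domain SID and the auto_master text are constructed.
"""
import base64
import re

# Constructed copy of a stock OS X /etc/auto_master; the /home line is the one
# that makes a network home under /home/<user> fail to mount at login.
SAMPLE_AUTO_MASTER = """\
# Automounter master map
+auto_master            # Use directory service
/net                    -hosts          -nobrowse,hidefromfinder,nosuid
/home                   auto_home       -nobrowse,hidefromfinder
/Network/Servers        -fstab
/-                      -static
"""


def automount_prefixes(auto_master_text):
    """Mount points automountd owns, parsed from auto_master text.

    Comment and '+map' lines are skipped, as is the direct-map marker '/-',
    which claims no directory prefix of its own.
    """
    prefixes = []
    for line in auto_master_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "+")):
            continue
        mount_point = line.split()[0]
        if mount_point.startswith("/") and mount_point != "/-":
            prefixes.append(mount_point.rstrip("/"))
    return prefixes


def home_conflict(home_directory, prefixes):
    """Return the automount prefix that would shadow home_directory, else None."""
    for prefix in prefixes:
        if home_directory == prefix or home_directory.startswith(prefix + "/"):
            return prefix
    return None


def home_url_xml(protocol, server, share_or_path, user):
    """apple-user-homeurl value in the cifs, afp or nfs form shown on the page."""
    if protocol == "cifs":
        # Samba: a share named after the user, empty <path>, trailing slash
        return f"<home_dir><url>cifs://{server}/{user}/</url><path></path></home_dir>"
    if protocol in ("afp", "nfs"):
        return (f"<home_dir><url>{protocol}://{server}/{share_or_path}</url>"
                f"<path>{user}</path></home_dir>")
    raise ValueError(f"unsupported home protocol {protocol!r}")


def auth_authority(user, realm):
    """Kerberos authAuthority value in the form used on the page."""
    return f";Kerberosv5;;{user}@{realm};{realm};"


def ldif_line(attr, value):
    """One LDIF line; 'attr:: base64' when value is not an RFC 2849 SAFE-STRING.

    A plain value may not start with space, ':' or '<', nor contain NUL, CR,
    LF or non-ASCII, so apple-user-homeurl always lands on a '::' line.
    """
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_char = any(ord(c) > 127 or c in "\0\r\n" for c in value)
    if unsafe_start or unsafe_char or value.endswith(" "):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def user_ldif(user, uid_number, gid_number, realm, suffix, domain_sid,
              home_url, nfs_home, auto_master_text=SAMPLE_AUTO_MASTER):
    """LDIF for one user; raises ValueError if nfs_home would be shadowed."""
    if not re.fullmatch(r"[a-z_][a-z0-9_.-]*", user):
        raise ValueError(f"unusual user name {user!r}")  # goes into a DN and XML
    hit = home_conflict(nfs_home, automount_prefixes(auto_master_text))
    if hit:
        raise ValueError(f"{nfs_home} lies under automounter map {hit}; "
                         f"use another tree (e.g. /NetUsers) or disable that map")
    # Samba 3 legacy algorithmic RID (uid*2 + 1000): an assumption that matches
    # the record above (uid 1012 -> RID 3024) but not idmap-based setups.
    samba_sid = f"{domain_sid}-{2 * uid_number + 1000}"
    attrs = [
        ("dn", f"uid={user},ou=People,{suffix}"),
        ("objectClass", "top"), ("objectClass", "person"),
        ("objectClass", "organizationalPerson"), ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
        ("objectClass", "sambaSamAccount"), ("objectClass", "apple-user"),
        ("uid", user), ("cn", user), ("sn", user),
        ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
        ("homeDirectory", nfs_home), ("loginShell", "/bin/bash"),
        ("sambaSID", samba_sid),          # MUST attribute of sambaSamAccount
        ("apple-user-homeurl", home_url),
        ("authAuthority", auth_authority(user, realm)),
        # {SASL} makes slapd hand the bind to saslauthd, so no hash is stored
        ("userPassword", f"{{SASL}}{user}@{realm}"),
    ]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"


if __name__ == "__main__":
    print(user_ldif("testuser", 1012, 1000, "LAB.EXAMPLE", "dc=lab,dc=example",
                    "S-1-5-21-11-22-33",
                    home_url_xml("cifs", "files.lab.example", "", "testuser"),
                    "/NetUsers/testuser"))
```

Pipe the output into ldapadd as your directory manager, then read the entry back with ldapsearch: the apple-user-homeurl line will come back base64-encoded, which is expected and not a sign that the value was mangled.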
Apple Client Configuration
Now all that's necessary is to configure the OS X client to talk to your LDAP server. Add it as an LDAPv3 node in Directory Utility as you normally would, choosing the Open Directory Server template so the client applies the mappings above and treats the server as Open Directory. Then check from Terminal.app that the client can resolve directory users: id testuser should return the uidNumber and gidNumber from LDAP, and dscl /LDAPv3/your.server -read /Users/testuser should show the HomeDirectory and AuthenticationAuthority values you set.
Now simply try a login. If there are errors about mounting the home directory, the most common cause is that you are trying to mount it onto a path the automounter already owns, such as /home. If so, disable that mount in /etc/auto_master and either reboot or run sudo automount -vc to reload the maps.
That's about it.