This article applies to:
Question:
- How do I set up authentication to work with Open Directory?
Procedure:
There are two scenarios that this document will consider when working with Mac Open Directory:
- Enable users to successfully authenticate, and receive filtering based on either a Global profile or Individual user profile
- Enable users to successfully authenticate, and receive filtering based on Global, Individual user or Group Membership profile.
Scenario 1 is easy to accomplish, and requires no additional configuration of the LDAP server. Scenario 2 will require some additional configuration on the LDAP server, in order to store group membership by a user’s Distinguished Name, rather than by only their “uid”.
Scenario 1:
- Choose “Sun One, Sun iPlanet or Netscape Directory Server” as the Server Type when adding an LDAP domain in the R3000 GUI.
- In the Domain Details -> Group tab of the R3000 GUI, add “apple-group” to the Include list.
- In the Domain Details -> User tab of the R3000 GUI, add “apple-user” to the Include list.
At this point, you should be able to browse the directory properly, and authentication will work (assuming the correct Query Base and LDAP server information are configured). What will not work is setting profiles by group membership. The reason for this is that by default, Open Directory will store the attribute of "memberUid" in a group record, for each user that is a member of this group. The R3000, however, is looking for an attribute of "uniqueMember". The name of the attribute is not all that important, but the type of data contained within that attribute is. The "memberUid" attribute is only a record of the user's account name; i.e. jsmith. The "uniqueMember" attribute contains a value that is the user's "Distinguished Name", which is the unique name of that user in the directory, i.e.: "cn=john smith,cn=users,dc=directory,dc=org". In order to achieve this functionality, please see Scenario 2.
Scenario 2:
Some background information on the problem can be found here:
http://explanatorygap.net/2005/08/18/open-directory-pretending-to-use-another-schema-for-opencms/
- Choose “Sun One, Sun iPlanet or Netscape Directory Server” as the Server Type when adding an LDAP domain in the R3000 GUI.
- In the Domain Details -> Group tab of the R3000 GUI, add “posixGroup” to the Include list. NOTE You can also add the value of “apple-group”, but this can be confusing, as you will see duplicates of each group; one will be the original group configured in the directory (apple-group), and the second will be the new group that we will create with the script (posixGroup). Since only the one we create with the script will work for assigning group profiles, the recommended configuration is to only add “posixGroup” to the Include list.
- In the Domain Details -> User tab of the R3000 GUI, add “apple-user” to the Include list.
- Contact Trustwave Technical support to obtain a copy of the Open Directory group recreation script. This script will create a copy of your LDAP tree in a format that the R3000 is capable of reading.
- Run the script against the Open Directory LDAP server. NOTE This script needs to be run any time a change is made to group membership, i.e. new users are added, new groups are added, users are moved from one group to another, etc., so you may want to schedule it to run at specified time intervals in order to automate this procedure. There is no harm in running the script multiple times as it will first delete the 8e6-specific entries, then recreate them.
At this point, you should be finished. Authentication will work properly, and you will be able to configure profiles based on Individual, Group or Global basis.