Integrating Leopard Server With UNIX LDAP
This article builds on Rajeev Karamchedu's excellent post, "Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories", but with Leopard Server instead of Tiger. My goals are a bit different from Rajeev's: I am not interested in automounting home directories over NFS, but in augmenting the UNIX accounts in Sun's LDAP directory so that they can be used with Apple's collaboration services. Most of this is still relevant, however, if auto-mounted home directories are what you are after.
Rajeev used Tiger Server, whose apple.schema file differs from Leopard's. It looks like he upgraded his Tiger server to Leopard rather than starting from a clean Leopard install, so he may not have hit the obstacles that those of us starting from a non-upgraded Leopard server run into. The procedure is basically the same, but we need a new schema file (Leopard's LDAP schema has an additional 400+ lines!), and we will have to add some missing attributes to it. Conveniently, I am also integrating with Sun ONE Directory Server 5.2. The same approach should work with any LDAPv3-compliant directory server that loads its schema as LDIF; OpenLDAP reads the .schema file format directly, so for it the conversion step below is unnecessary.
Create the LDAP Schema File
The first step towards integration with the Sun Directory Server is to add the LDAP schema from Leopard. You will find this schema on your Leopard server in
You will note that the script adds five attributes and an objectclass to the top of the file. The first three objects,
Apple accounts support integration with Windows, which is why the Apple server asks for the 'sambaSID' attribute when it searches your LDAP server for user records. To accommodate this, convert the samba.schema file the same way and append it to the .ldif file before importing.
Assuming that you copied my
$ cd ~
$ chmod +x apple2ldif
$ ./apple2ldif /etc/openldap/schema/apple.schema 92apple.ldif
$ ./apple2ldif /etc/openldap/schema/samba.schema samba.ldif
$ cat samba.ldif >> 92apple.ldif
Import the Schema File
To import the schema file, copy it onto your Solaris (I assume) server, and put it into — as Rajeev pointed out —
It is a good idea to keep a root shell or two open on the server while you are working with the naming service (if the directory stops answering, LDAP-backed logins may stop working too), so switch to the root user. It also helps to watch the error log while you do this, so in another window or shell run:
$ sudo bash
# tail -f /var/opt/mps/serverroot/slapd-myserver/logs/errors
Substituting, of course, the path to the error log of your own instance (slapd-myserver above is a placeholder).
Now, restart the LDAP server and cross your fingers:
# /usr/sbin/directoryserver stop
(wait until it is fully stopped)
# /usr/sbin/directoryserver start
If the schema import works, you won't see any errors on start-up. Assuming schema checking is enabled, as it should be and as it is by default, then if there is a problem with the schema file the server will report what it is and refuse to start. If that happens, remove 92apple.ldif from the schema directory so the server can come back up, fix the problem in the LDIF file, let others know about it by posting a comment below, and try again. Good luck!
One problem I encountered was with a replica server that was running Sun DS6 instead of 5.x. This server already had one of the object classes in the 92apple.ldif file; I think it was the sambaAccount objectclass, but I didn't write it down (whoops). The result was that replication stopped working on this server. Removing the offending object class from the 92apple.ldif file for that server fixed the problem.
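As an added illustration of both steps above (turning an OpenLDAP-style .schema file into the cn=schema LDIF that Sun DS loads, and catching definitions the target server already has before they break start-up or replication), here is a small Python script. It is my own example, not the author's apple2ldif script, and the schema excerpts, names and OIDs in it are constructed for the example; the server-side excerpt stands in for the saved output of an ldapsearch of cn=schema (base scope, attributes objectClasses and attributeTypes) on the server you are about to import into.

```python
"""Convert OpenLDAP *.schema text into the 'cn=schema' LDIF that Sun DS loads
from its schema directory, then flag definitions the target server already has.
Illustration added to this article, not the author's apple2ldif script; every
OID, name and excerpt below is constructed for the example."""
import re

# Constructed excerpt in OpenLDAP schema syntax (placeholder OIDs).
OPENLDAP_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'sambaSID'
    DESC 'Security ID (placeholder OID)'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'exampleHomeURL'
    DESC 'home directory URL (parentheses inside quotes are fine)'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'sambaAccount'
    SUP top AUXILIARY DESC 'Samba account'
    MUST ( uid $ sambaSID ) MAY ( exampleHomeURL ) )
"""
# Constructed excerpt of what the target server already serves from cn=schema.
SERVER_SCHEMA_LDIF = """\
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'sambaSID' DESC 'Security ID' EQ
 UALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'sambaAccount' SUP top AUXILIARY
  MUST ( uid $ sambaSID ) )
"""
KINDS = {'attributetype': 'attributeTypes', 'objectclass': 'objectClasses'}

def parse_openldap_schema(text):
    """Return [(kind, '( OID NAME ... )')], each definition joined onto one line."""
    defs, kind, buf, depth, quoted = [], None, [], 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if kind is None:
            m = re.match(r'(attributetype|objectclass)\s+(\(.*)$', line, re.I)
            if not m:
                raise ValueError('unsupported directive: ' + line)
            kind, line = KINDS[m.group(1).lower()], m.group(2)
        buf.append(line)
        for ch in line:  # balance parentheses, ignoring any inside 'quotes'
            if ch == "'":
                quoted = not quoted
            elif not quoted and ch in '()':
                depth += 1 if ch == '(' else -1
        if depth == 0:
            defs.append((kind, ' '.join(buf)))
            kind, buf = None, []
    if kind is not None:
        raise ValueError('unterminated definition')
    return defs

def identity(body):
    """(oid, [names]) of one definition; NAME may be 'x' or ( 'x' 'y' )."""
    oid = body.lstrip('( ').split()[0]
    m = re.search(r"\bNAME\s+(\(\s*(?:'[^']*'\s*)+\)|'[^']*')", body)
    return oid, (re.findall(r"'([^']*)'", m.group(1)) if m else [])

def unfold_ldif(text):
    """Undo LDIF line folding: a newline followed by one space joins lines."""
    return re.sub(r'\r?\n ', '', text).splitlines()

def to_sun_ldif(defs):
    """Render definitions as a Sun DS schema file such as 92apple.ldif."""
    head = ['dn: cn=schema', 'objectClass: top', 'objectClass: ldapSubentry',
            'objectClass: subschema']
    return '\n'.join(head + [f'{k}: {v}' for k, v in defs]) + '\n'

def collisions(defs, server_ldif):
    """New definitions whose OID or NAME (same kind) already exists on the server."""
    have = set()
    for line in unfold_ldif(server_ldif):
        key, _, value = line.partition(':')
        kind = next((k for k in KINDS.values() if k.lower() == key.lower()), None)
        if kind:
            oid, names = identity(value.strip())
            have.add((kind, oid))
            have.update((kind, n.lower()) for n in names)
    hits = []
    for kind, body in defs:
        oid, names = identity(body)
        why = ['OID ' + oid] if (kind, oid) in have else []
        why += ['NAME ' + n for n in names if (kind, n.lower()) in have]
        if why:
            hits.append((kind, names[0] if names else oid, ', '.join(why)))
    return hits

if __name__ == '__main__':
    defs = parse_openldap_schema(OPENLDAP_SCHEMA)
    print(to_sun_ldif(defs))
    for kind, name, why in collisions(defs, SERVER_SCHEMA_LDIF):
        print(f'drop {kind} {name} before importing: server already has {why}')
```

Run against a real apple.schema and samba.schema, the output is the file you copy into the schema directory; run the collision check once per server (replicas included, since a DS6 replica may ship object classes a 5.2 master does not), and drop or reconcile every hit for that server before restarting it. The check only compares names and OIDs, so a class with the same name but different content still counts as a hit, which is the case the replica above needed.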
In my next post on this topic, I will describe the addition of a new LDAP partition to SunDS, ou=macox (as Rajeev recommends), and the addition of the necessary objects from Leopard server.
Tags: apple.schema, LDAP, LDIF, Leopard, Linux, Mac OSX Server, OpenLDAP, osx-ldap-integration, Solaris, Sun ONE Directory Server, SunDS, Sysadmin, UNIX, UNIX LDAP
