Slashdot Mirror


Integrating Mac OS X With Active Directory

Eric Zelenka writes "Apple has released a new document called 'Integrating Mac OS X with Active Directory.' This document describes how you can use the information stored in Microsoft's Active Directory to authenticate Macintosh users and provide file services and home directories for them on Mac OS X Server. It is available for download from the Mac OS X Server web site." I want my Mac OS X box to self-destruct if it comes into contact with a Microsoft server; does Apple have a document for that?

22 comments

  1. not directly using AD -- using LDAP by teridon · · Score: 3, Informative

    You have to contort your AD server to allow LDAP for this to work.

    --
    I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
  2. Link to article itself by Cire · · Score: 2, Informative

    For those that don't feel like actually looking through Apple's site for the article, here's a direct link to the PDF version of Integrating Mac OS X with Active Directory [apple.com]


    Cire

    1. Re:Link to article itself by Anonymous Coward · · Score: 0

      Thanks - saves me rummaging through apple propaganda. I mean, it's not exactly like they WROTE OSX or anything is it?

      If you ask me, apple sat around and said 'ok, we have an OS (9) that is totally crap if you connect it to a network. Servers need three reboots to change a tiny config option and the thing crashes every 10 minutes - what do we do?

      Enter UNIX...

  3. altering AD schema? by mistermoonlight · · Score: 2, Interesting

    It seems from the instructions that you have to create custom fields in the schema to make this happen (e.g. unixid). Higher-ups are a little nervous about this because changing the schema can severely alter the AD.


    I was under the impression that if you installed Services for Unix on the box hosting the AD, these fields would be automatically added, but would you still have to create unique LDAP IDs for each user? Is there a way you can do this in bulk?

  4. What about Novell eDirectory? by yancey · · Score: 1

    AD. Whatever.

    When are they going to release a lookupd agent for Novell's eDirectory?

    --
    Ouch! The truth hurts!
    1. Re:What about Novell eDirectory? by Wesley+Felter · · Score: 2

      This howto is all about using OS X with LDAP servers. Since eDirectory is an LDAP server, it shouldn't be too hard to modify the instructions to work with it.

    2. Re:What about Novell eDirectory? by yancey · · Score: 1

      Yes, I know eDirectory is available via LDAP. I read the doc and it does explain how to set up authentication to any LDAPv2 enabled directory service. It even goes as far as to tell you how to do this securely over SSL by using third-party tools.

      I give Apple credit for documenting the procedure, but they lose points for not implementing LDAPv3 over SSL.

      --
      Ouch! The truth hurts!
  5. Need Reverse Solution by mwillmore · · Score: 1

    While this is all good and everything, we need a native, built-in solution for the opposite problem: accessing Active Directory servers (Samba, etc.) on OS X. X can do Samba, but not while Active Directories are in place (as far as I can determine.) C'mon, Apple, you're halfway there!

    1. Re:Need Reverse Solution by rliebsch · · Score: 2, Interesting

      How does it not work for you? I have a fully implemented AD schema. I have file sharing for Windows, Mac, and Nix running. I have samba and appleshare IP.

      OSX sees it all. I can mount SMB, mount NFS, mount AFP.

      check yer smb conf.

      --
      Robert Liebsch Systems Psychiatrist, Network Sociologist, Security Criminologist
  6. don't worry by moosesocks · · Score: 2

    Don't worry about self destruct:
    If the OSX box is in close proximity to a microsoft server, the explosion from the microsoft server after it spontaneously combusts (tends to happen on microsoft servers) should engulf the OSX box too
    (unless apple uses some sort of fire-retardant on their imacs :) )

    pun: somehow, this sounds like flamebait

    --
    -- If you try to fail and succeed, which have you done? - Uli's moose
    1. Re:don't worry by PythonOrRuby · · Score: 0

      Actually.....

      PowerMac G4s, and G3s in the blue and white "Yosemite" enclosure have been known to come out of 1000 degree infernos with their internals functional.

    2. Re:don't worry by Anonymous Coward · · Score: 0

      This might be true, however as they are inherently unreliable anyway, how could you tell?

  7. thanks for posting this by Anonymous Coward · · Score: 0

    I couldn't find it though I knew it existed.

  8. Another addition to the evolving Active Directory by fluor2 · · Score: 2, Interesting

    I must say I'm impressed with how Microsoft has made the AD evolve. There is a need in the industry, as networks increase in both size and bandwidth, for bigger and more centralized stuff so people don't have to use separate accounts for each apartment or whatever. There exist programs now for even synchronizing Oracle databases and AD, Novell and AD (password on Novell is unfortunately not possible to sync) and similar.

    A Norwegian company named MetaMerge has started on this big task (synchronizing databases is not that easy).

    I've seen that even Cisco is planning to support Active Directory. Wouldn't it be nice to right click on a user and just select what kind of access the user should have? E.g. "Allow only port 80, or only connections using https, or limit bandwidth of this user .. the solutions are endless".

    Of course, Microsoft did not like the full LDAP specification, so they created another layer (ADSI), but what the heck, it still works.

  9. This topic icon is Apple's copyrighted artwork by Anonymous Coward · · Score: 0

    Something that's been bugging me is, I'm pretty sure this topic icon is Apple's copyrighted artwork. Shouldn't it be altered for use on /. or a new unique icon be made?

  10. LDAPping AD for OS X by mattmacinnis · · Score: 1

    Has anyone gotten this to work without significant modifications to the Win2k server? The document prepares two scenarios -- authenticating via LDAP for access to a file server, and authenticating via LDAP for access to a client which will also mount a user's home directory.

    I want to allow authentication, but I don't want to mount a home directory -- just plop them into a 777 temporary home that will be destroyed when they log out. (It's a lab config.)

    The document doesn't go into this -- anyone have any insight?

    PS: [the following comment applies to only a subset of you] <rant> Stop mindlessly bashing Windows 2000 because you've quit thinking. Win2k is here, it's gonna be here tomorrow, and you're using up my fucking bandwidth and time making me read your useless bantering. Grow up! </rant>

    1. Re:LDAPping AD for OS X by Anonymous Coward · · Score: 0

      Why not just leave their home directory on their local machine? Does vfsdir need to be set up in the schema?

      I'm still working on it, but you could just do the procedure for having the unixid and LDAP id (page 30? of the pdf), secure it (page 42 of the pdf) and that's that.

      perhaps set up cron to perform a regular cleanout of the home directories on the local machines?


      mistermoonlight
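    The cron-driven cleanout of throwaway local lab homes suggested in the reply above, as an added example that is not part of the thread or of Apple's document. It assumes (constructed for this example) that each lab login gets its own directory under a root such as /Users/labtmp, and treats a home as stale when nothing in it has been modified for more than a configurable number of minutes; it refuses to run outside that root and skips symlinks so a planted link cannot redirect the deletion elsewhere.

```shell
#!/bin/sh
# Added example: periodic cleanout of temporary lab home directories.
# Assumed layout (not from the thread): one directory per lab login under
# $LAB_HOME_ROOT; a home is stale when nothing inside it changed for more
# than $MAX_AGE_MIN minutes. Example crontab line, run as root nightly:
#   30 3 * * * /usr/local/sbin/lab-home-cleanout.sh
LAB_HOME_ROOT="${LAB_HOME_ROOT:-/Users/labtmp}"
MAX_AGE_MIN="${MAX_AGE_MIN:-1440}"

# cleanout_lab_homes ROOT MAX_AGE_MIN
# Removes stale lab homes directly below ROOT and prints how many were
# removed. Returns 1 (printing 0) if ROOT is not a safe, real directory.
cleanout_lab_homes() {
  root="$1"; max_age="$2"; removed=0
  # Guard: root must exist, be a real directory (not a symlink) and not be /.
  if [ ! -d "$root" ] || [ -L "$root" ] || [ "$root" = "/" ]; then
    echo 0
    return 1
  fi
  for home in "$root"/*/; do
    home="${home%/}"
    [ -d "$home" ] || continue        # no match: the glob stays literal
    [ -L "$home" ] && continue        # never follow a symlinked "home"
    # Anything (dir itself or a descendant) touched within max_age minutes
    # means the home is still in use; otherwise it is stale.
    recent="$(find "$home" -mmin "-$max_age" -print 2>/dev/null | head -n 1)"
    if [ -z "$recent" ]; then
      rm -rf -- "$home" && removed=$((removed + 1))
    fi
  done
  echo "$removed"
  return 0
}

# Only act on the real root when explicitly enabled, so sourcing the file
# for inspection does not delete anything.
if [ "${LAB_CLEANOUT_RUN:-0}" = "1" ]; then
  cleanout_lab_homes "$LAB_HOME_ROOT" "$MAX_AGE_MIN"
fi
```

    Creating the per-login directory with mode 700 for the authenticated uid, rather than 777, keeps other lab users out of it until this job removes it.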

  11. Re:Apple has what you want by Anonymous Coward · · Score: 0

    Or alternatively, simply attempt to run OS9 with AppleShareIP as a server. The thing will irritate everyone with constant crashing so much that it might have an 'accident'.

    I must say it's the only so-called-network OS that I have seen that when the server crashes, there is at least a 50% chance of all macs connected to said server crashing too. Same thing happens if you repatch the network cables.