
OpenLDAP on Linux for Apple Clients?

Cliff posted more than 11 years ago | from the interoperability dept.


groovemaneuver asks: "I've managed to get a working OpenLDAP directory running on my network. Linux, Windows, and Apple boxes are all happily authenticating. I have imported the 'apple.schema' file to the LDAP server from one of my Macs, but I cannot seem to find any info on the proper syntax for the various apple schema attributes. Anyone have any idea where one could find this? This is the one obstacle keeping my network from having a single source of authentication, and I'm sure this info would be useful to more than just myself. Thanks!"


I'm in awe before your greatness (-1, Offtopic)

anon mouse-cow-aard (443646) | more than 11 years ago | (#5171050)

nuff said.

Redundant. (-1, Redundant)

tvadakia (314991) | more than 11 years ago | (#5171073)

He's right, I would love to know how to do this. Pray-tell /.ers

Re:Redundant. (2, Informative)

Anonymous Coward | more than 11 years ago | (#5171174)

well, for windows, he's probably using pGina []

for linux ... most likely a pam module

and, for the macs ... i forgot the name of the package, but it's listed in one of the SysAdmin mags from a few months ago (w/screenshots)

Macs and networking (0, Flamebait)

ObviousGuy (578567) | more than 11 years ago | (#5171082)

Stuff like this shows how non-network oriented Apple really is with their products. Despite claims to the contrary, when it comes down to nuts and bolts Apple falls short. Google does not return anything useful in regards to this question, it's definitely the fault of Apple for not supporting their business customers well that there is no web resource available for this Ask Slashdot query.

It's really not that surprising, though. Apple has always been geared towards publishing houses, whether they be print or online publishing, and not geared towards "Fortune 500" businesses. Their lack of developer support outside of the artistic arena is infamous.

Good luck finding stuff.

apple discussions pages have some hits. relevent? (4, Informative)

davidyorke (543505) | more than 11 years ago | (#5171148)

try [] and search on "openldap"

You need to check MacOS X Secrets. (5, Informative)

PorkCharSui (583216) | more than 11 years ago | (#5171154)

Since most users are not using LDAP on Jaguar, Apple does not tend to document the steps necessary to set it up. Jaguar Server on the other hand is a different question though.

Integrating Mac OS X with Active Directory [] BTW this also includes using secure LDAP authentication!

A quick search at Mac OS X Hints turns up some useful sources too. []

Stream of consciousness (-1, Offtopic)

Tuxinatorium (463682) | more than 11 years ago | (#5171171)

angry nun
catholic schoolgirl

Re:Stream of consciousness (2, Informative)

nbvb (32836) | more than 11 years ago | (#5172327)

Wish I had mod points today. Sadly enough, although lines 2-5 are off topic, lines 0 & 1 absolutely are. is one of the best LDAP resources around. Luke Howard's been at this longer than anyone!

try the developers website too... (1)

fl0at (13331) | more than 11 years ago | (#5171186)

few hits on the developers website too. ADC Search results []

Look in NetInfo, or just use RFC 2307 (4, Informative)

plsuh (129598) | more than 11 years ago | (#5171237)

Apple's version of OpenLDAP uses NetInfo as its backing store -- the apple.schema file merely exports the contents. Go to a Mac OS X Server machine and look at the values it puts into NetInfo. This will give you examples of what you need to put into the corresponding LDAP server entries on your Linux server.

Probably easier is to just use the LDAP values you already have in the RFC 2307 schema for your Linux machines, and set the Mac OS X machines to use the RFC 2307 schema by using the Directory Access application.


LDAP warning (3, Interesting)

sofar (317980) | more than 11 years ago | (#5173340)

After 4 years of professional experience in running routers, general multipurpose servers and all the way to full GNU desktops, I decided to try to install a LDAP server so everyone here can keep a joint company address book.

Bad idea

almost a year later this project is still not finished. I've prolly stumped into this once a month and spent days reading and trying to figger out how to get the backend bootstrapped. No such luck.

I've completely dropped the idea of having LDAP as a database server because of this and I'm very disappointed because of it. In the end you can get the software everywhere, the user-howto's are sublimely stupid (open netscape and click "my addressbooK"), but there is no adequate support, help or whatever information about what to do when you have slapd running, but no data in there yet.

I've no time to dig into this deeper, but I think LDAP should be shot dead for this. I hope you don't fall into the same pitfall I did.

Re:LDAP warning (1)

ChrisMWage (158008) | more than 11 years ago | (#5174425)

Let me get this straight -- LDAP sucks because you couldn't figure it out?

Re:LDAP warning (1)

Finni (23475) | more than 11 years ago | (#5174670)

Cut-n-paste below from this Googled .ps file []

7.8 Command Line Utilities

Administration of the data in a directory is a sensitive point. Data administration concerns data management with a directory structure and content. The IBM SecureWay Directory server comes with a set of management utilities to assist an administrator in managing the directory's contents.

There are command line utilities that are used to handle large amounts of data, for example, to import thousands of entries in one single step. These utilities include the following:

* ldif

* ldif2db

* bulkload

* db2ldif

Because they access data in the database directly, the tools listed above must run on a directory server. Note that the ldif2db, bulkload, and the db2ldif utilities support the conversion from a specified local character set to/from UTF-8 (see also 4.3, "UTF-8 Support" on page 83).

Another set of utilities are more geared towards handling of single (or a few) entries at a time. These include:

* ldapsearch

* ldapmodify

* ldapdelete

* ldapmodrdn

* ldapadd

These latter tools use LDAP to communicate to an LDAP server, and they can, therefore, be run on a server or a client. They are, therefore, included in the IBM SecureWay Directory Client SDK. Source code for these utilities is provided, too, to allow application programmers to modify them as required or as sample programs to learn about LDAP programming. A parameter allows to specify whether LDAP Version 2 or Version 3 is to be used (the default is Version 2).

Do not entirely trust above advice. (1)

Ashurbanipal (578639) | more than 11 years ago | (#5175138)

You just inadvertently proved the first guy's point by giving him bad and incomplete advice from Google.

Don't use tools that default to LDAP v2, use v3 only.

Never bulkload with ldapxxxx tools, they are too slow and may run into server limitations on how many LDAP operations can be performed per client connection.

ldif2db and friends are derived from the umich distribution and have been superseded by the slapxxx family of tools. The IBM code fork may still use ldifxxx tools, though, and there are no doubt others in the Sun, HP and Netscape code forks. I recommend not using any of these with linux, use current OpenLDAP. Use Sun and HP tools only on those systems and don't use Netscape LDAP stuff at all if you can avoid it.

Don't use Microsoft or Novell LDAP tools on other platforms either, unless you can't avoid it. You should definitely use their native utilities if you must support AD and NDS, but try to keep from getting strangled by their "embrace and extend" philosophy. NDS is better than AD if you have to choose.

Use the current OpenLDAP doco, such as it is, and experiment, experiment, experiment. That's the ticket.

Re:LDAP warning (2, Informative)

Ashurbanipal (578639) | more than 11 years ago | (#5174969)

I'm sorry you couldn't get LDAP going. I am just finishing up implementation here and it looks pretty sweet - we've got Samba, Apache, and Linux all using the same OpenLDAP database, and we are going to integrate HP-UX as well if possible. This allows us to have digitally signed work orders and help desk trouble tickets without setting up a bunch of crypto stuff that the users would invariably screw up due to lack of crypto knowledge.

Your experience highlights the problem with the technology - it's new, raw, fast-moving, and there is a tremendous amount of conflicting and poorly organized documentation that can be physically painful to try to sort out.

I never found any "how to" that reflected the current state of the art - I found how-tos for the current version of samba and an old version of OpenLDAP, or the current OpenLDAP and older samba, etc. ad nauseam, but nothing totally up-to-date. You have to be a bona-fide hacker to get it going at this point in a real production environment.

A couple of small examples: Red Hat 7.3- doesn't ship LDAP-enabled RPMs, you have to unroll their source and modify the specfile, then roll your own samba-ldap .rpms, or give up the advantages of RPM package management. More subtly, the modified IDEALX script they ship for migration from /etc/group to OpenLDAP has a subtle flaw - it takes the members of the group, adds them to a list that also contains the name of the group itself, then they strip out all duplicates with a CASE-INSENSITIVE uniq function. This means that when you have a group ADMIN that contains a user named admin, the user is silently, secretly removed from the group during your migration process. There are other, similar subtle traps as well, that you really have to be a hacker to catch on to.

As for your conundrum:
no adequate support, help or whatever information about what to do when you have slapd running, but no data in there yet.
You write scripts (using perl (or awk if you have uberhacker chops)) to turn your existing data into LDIF format as defined by your schema files (if slapd runs you have schema files) turn slapd off, and use the slapadd program to batch-load your LDIFs into the database. Then turn slapd back on again, put nss_ldap in your name service switch configuration and pam_ldap in your pluggable authentication modules configuration, and you are up and running.

You don't use ldapadd on the running database because it's insufferably slow. LDAP databases are optimized for READ access not WRITE access which makes sense if you think about it. Use slapadd with the daemon turned off instead.

And don't put your root and daemon accounts into LDAP. Have them in the local /etc/passwd with MD5 shadow passwords enabled, so that you can function temporarily if you somehow hose your LDAP infrastructure (if you never make mistakes, you're not doing anything innovative). This also allows you to have separate root passwords on your machines (which is wise) but requires you to have a slightly more complex PAM and NSS configuration.

Integrating samba gets harder. You have to learn how to protect the database, which is still a "trail of errors" technique even if you know Backus-Naur, but it's essential because the MS-windows password hashes are trivially crackable.
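Putting plsuh's RFC 2307 suggestion and the migration procedure in the reply above together, here is an added Python example (not the IDEALX script, nor code from anyone in this thread) that turns constructed passwd/group data into RFC 2307 posixAccount/posixGroup LDIF for slapadd, keeps the system accounts local as the reply recommends, and reproduces the case-insensitive de-duplication flaw described above next to a correct version. The suffix dc=example,dc=com, the ou=People/ou=Group containers and the id cut-off of 99 are assumptions.

```python
import base64

# Constructed sample input, not a real system's files. The group ADMIN
# containing the user admin is the trap described in the post above.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Site Admin:/home/admin:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
"""
GROUP = """\
root:x:0:
ADMIN:x:1000:admin,alice
users:x:100:alice,admin
"""

BASE_DN = "dc=example,dc=com"  # assumed suffix
SYSTEM_ID_MAX = 99             # assumed cut-off: ids <= 99 stay in /etc/passwd and /etc/group


def ldif_value(attr, value):
    """One LDIF attribute line; base64 (':: ') when RFC 2849 requires it:
    leading space/colon/'<', trailing space, or non-printable/non-ASCII."""
    unsafe = (value[:1] in (" ", ":", "<") or value[-1:] == " "
              or any(not 32 <= ord(c) <= 126 for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def parse_passwd(text):
    users = []
    for line in filter(None, text.splitlines()):
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        users.append(dict(name=name, uid=int(uid), gid=int(gid),
                          gecos=gecos, home=home, shell=shell))
    return users


def parse_group(text):
    groups = []
    for line in filter(None, text.splitlines()):
        name, _pw, gid, members = line.split(":")
        groups.append(dict(name=name, gid=int(gid),
                           members=[m for m in members.split(",") if m]))
    return groups


def member_uids_flawed(group):
    """Reconstruction of the flaw described above: the group's own name is
    pushed onto the member list and duplicates are dropped case-insensitively,
    so user 'admin' vanishes from group 'ADMIN'."""
    seen, kept = set(), []
    for entry in [group["name"]] + group["members"]:
        if entry.lower() not in seen:
            seen.add(entry.lower())
            kept.append(entry)
    return [m for m in kept if m != group["name"]]


def member_uids(group):
    """Correct version: exact-match de-duplication, order preserved."""
    return list(dict.fromkeys(group["members"]))


def user_to_ldif(user):
    lines = [ldif_value("dn", f"uid={user['name']},ou=People,{BASE_DN}"),
             "objectClass: top", "objectClass: account",
             "objectClass: posixAccount", "objectClass: shadowAccount",
             ldif_value("cn", user["gecos"] or user["name"]),
             ldif_value("uid", user["name"]),
             f"uidNumber: {user['uid']}", f"gidNumber: {user['gid']}",
             ldif_value("homeDirectory", user["home"]),
             ldif_value("loginShell", user["shell"])]
    if user["gecos"]:
        lines.append(ldif_value("gecos", user["gecos"]))
    return "\n".join(lines) + "\n"


def group_to_ldif(group):
    lines = [ldif_value("dn", f"cn={group['name']},ou=Group,{BASE_DN}"),
             "objectClass: top", "objectClass: posixGroup",
             ldif_value("cn", group["name"]), f"gidNumber: {group['gid']}"]
    lines += [ldif_value("memberUid", m) for m in member_uids(group)]
    return "\n".join(lines) + "\n"


def migrate(passwd_text, group_text):
    """LDIF for the containers plus every non-system user and group, ready
    for `slapadd -l out.ldif` with slapd stopped (the suffix entry itself
    must already exist or be placed first in the file)."""
    containers = [f"dn: ou={ou},{BASE_DN}\nobjectClass: organizationalUnit\nou: {ou}\n"
                  for ou in ("People", "Group")]
    users = [u for u in parse_passwd(passwd_text) if u["uid"] > SYSTEM_ID_MAX]
    groups = [g for g in parse_group(group_text) if g["gid"] > SYSTEM_ID_MAX]
    return "\n".join(containers + [user_to_ldif(u) for u in users]
                     + [group_to_ldif(g) for g in groups])


if __name__ == "__main__":
    print(migrate(PASSWD, GROUP))
```

Run it, diff the memberUid lines produced by member_uids against what member_uids_flawed would have produced for the same groups before loading anything, and load the result with slapadd while slapd is stopped, as the reply describes; root and daemon never reach the directory because they fall under the id cut-off.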

Re:LDAP warning (1)

JohnFluxx (413620) | more than 11 years ago | (#5177357)

I hate to be the one to ask.. but.. what is openldap?

I had a look at their site, and read both FAQs (Jeez, what a nightmare that is - is there anything worse than that faq-o-matic?).

As far as I understand so far:

* Users authenticate against it.
* It stores user information (So it can be used like a phone book).

Is there anything else it does?

Here you go - OpenLDAP is: (1)

Ashurbanipal (578639) | more than 11 years ago | (#5177532)

but.. what is openldap?
It's a client and server suite that uses the LDAP protocol to talk to a simple database (typically the Berkeley DB) which is usually used to hold user identification and authentication data.

It's intended to be OS-independent free software, but it reportedly runs best on linux at this time.

LDAP stands for Lightweight Directory Access Protocol which is an IETF standard for accessing data stored in a hierarchical directory structure such as that used by Microsoft's Active Directory, Novell's Netware Directory Services, and X.500.

X.500 was an ambitious attempt to create a network-accessible data store that would hold all possible data pertaining to humanity in a hierarchical format. The original DAP protocol the X.500 droogies developed was too big and unwieldy, and posited X.500 as the directory. LDAP was born to serve the functions people actually need in real life, and is a trimmed-down version of the original X.500 DAP that is actually usable by people in the trenches.

Modules are available to integrate LDAP into most user authentication schemes. Google for nss_ldap, pam_ldap, pGina, that sort of thing. Sendmail can use ldap, as can ssh, and OpenLDAP readily integrates with Kerberos and TLS for state-of-the-art security.

OpenLDAP itself doesn't actually do the things you mentioned. It uses whatever backend you select (such as Sleepycat) to store the data, and you need pams or nss_switches or the equivalent to authenticate users. OpenLDAP just provides the protocol glue to bind such LDAP-capable gadgets to the backend database of your choice.

You still have to build the database the old-fashioned way, unless your end-users have plugs in their heads and you can suck their ID information directly out of their brains.

ER No (Re:Here you go - OpenLDAP is:) (1)

MrChuck (14227) | more than 11 years ago | (#5183891)

but.. what is openldap?
It's a client and server suite that uses the LDAP protocol to talk to a simple database (typically the Berkeley DB) which is usually used to hold user identification and authentication data.


But thank you for your information which will likely confuse many admins and get them thinking about LDAP in the wrong way.

X.500 was an ambitious attempt
LDAP a Lighter weight version of the rarely implemented bloat that is X.500 directory brought to us by the ISO (those Euros who wrote OSI, a clean room replacement for TCP/IP without the burdens of actually writing code; specs were available for $$$$ if you wanted to use it).

To the ex-ISO brit who whined about MAIL: being taken over for email use by Netscape's schema and that it was intended to be for postal mail, I've offered that well, X500 was thought up and imposed on the world and it never scaled well or really worked. It took the UMich team (many went to Netscape) to actually fix it to be where it works, where people can use it without a room full of machines and 20 administrators. The UMich goal was to have machines that people actually have (at the time, 4MB machines) be able to get information. X500 required a high end server to even LOOK at the data. Bloat.

It's intended to be OS-independent free software, but it reportedly runs best on linux at this time.
It is intended to be implemented on computers and runs really nicely on machines with lots of RAM and decent disk. Given that you can hit MILLIONS on a modest (by 2002 standards) machine, while it DOES scale really well on an 8 way machine (Sun, SGI), you generally don't need that. OpenLDAP 2.x screams on Solaris, BSD, Linux and AIX.

LDAP directories on Unix are often implemented using Berkeley/Sleepycat DB on the back end. Why? 'Cause it's fast as hell. You can use SQL, you can use flat text files, if you wanted. You can write your own.

ldapman [] has some stuff that the guy wrote for (RIP). Sorta helpful.

A directory entry basically consists of a blob of data lines about a user or machine or whatever. You can then look for those bits of data via structured queries (show me the MAIL entry for the user whose alias is $THIS and whose server is $THAT. Show me the PHOTO entry for the student whose name is $THIS and whose class is $THEN.).

You still have to build the database the old-fashioned way...
You have to feed the server (not the database) the data somehow. This can be done via perl scripts (and web front ends), it's often initially done with some hand work to create LDIF files. A little perl or awk to merge several points of data into directory entries is done ONCE.

The biggest difference is re-thinking about your data.
You don't think about "I have this alias for that user, I have another alias for that user, I have this alias for a list".
Now you have "I have this user. Among his entries are THESE aliases." The user also has other features: An office, a phone, a picture maybe, vacation (email) information, and other attributes.

"I have this list, it contains these USERS (whose mail addresses might change) and these EMAIL addresses on it (for external users who aren't in your realm of control)"


Ashurbanipal (578639) | more than 11 years ago | (#5197729)

But thank you for your information which will likely confuse many admins and get them thinking about LDAP in the wrong way.
If you actually read the two posts preceding your own, you might notice that the question was "but.. what is openldap?"

Despite what you seem to think, the question was NOT "but.. what is LDAP?"

OpenLDAP is a software suite composed of clients and servers that use the LDAP protocol.
As I said.
Your comments pertain to LDAP, which is not what the previous poster was asking about!

But thank you for your display of illiteracy and fatheadedness.

LDAP is hard (1)

MrChuck (14227) | more than 11 years ago | (#5183706)

Like DNS is hard. I worked with it doing rote memorization in the early 90s (DNS, not LDAP). Then this great big light bulb went off. It's basically a Key -> Value lookup.

Hesiod made sense (we put 30k aliases into HESIOD therefore DNS TXT records) to serve a global directory for 500 email SERVERS (and 20k clients).

LDAP is hard to "get". Trying to read really bad documentation, I struggled. By working with someone who used it a lot, and in the context of getting mail (again) running, I suddenly "got it". The tools out there are generally either useless or too abstract to get a grip on what LDAP does.

Sendmail, Inc, has an LDAP tool through their ProServices group. (Not that you could find out from their web site). Not cheap, it's intended for high end sites and offered from the consulting group for that. Cheaper than Active Directory, once you count machines (2 - a master server that few people access and the slave server that people actually use) and software licenses?

A pretty web GUI lets a secretary add/remove/manage users in LDAP.

Linux, Solaris, MacOS and BSD all authenticate to it, mail is routed with it, it can even store student ID pictures for the librarians to see when they scan an ID. With ACLs, you can only let certain users/places see certain fields so administrators can see addresses (home or school), but anyone on campus can see their email address.

Quota information can be kept in it, pretty much any field you want in a directory could be put in there for your own apps to use (i.e. this person can use this door access at this time, but not after midnight). That part's up to you.

As a database, it's not great (though 2.1 and DB 4 are indicating that it's not as bad at writes as previously experienced). As a repository for READING information, in small chunks, with mostly fixed queries, it's great. INFINITELY faster than SQL. I've heard big-shot consultants/ think tanks say that SQL will replace LDAP. These people didn't quite "get" that you can't access SQL server by $COMPANY_of_Choice in a single way. LDAP is a protocol and lets you do that.

LDAP is hard, it's powerful and complex, it scales like a MoFo (2 CPU, 1GB RAM machine handled beating hard on it with several million entries using OpenLDAP 2.0.x and DB3.x. Far more than we expected in tests).

(and I don't know what a GNU desktop is. Been hearing about HURD for several decades. Still waiting. Is someone going to port the BSD userland to Linux just to get stallman to shut up?)
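The per-attribute ACLs the post above refers to (administrators see postal addresses, anyone on campus sees the email address) look like this in an OpenLDAP slapd.conf; this is an added illustration, not MrChuck's configuration, and the suffix dc=example,dc=edu, the registrars group DN and the attribute choices are assumed.

```conf
# slapd.conf access rules: slapd takes the FIRST "access to" clause whose
# target matches, then the FIRST "by" clause that matches the requester,
# so the specific rules must come before the catch-all at the bottom.

# Passwords: the owner may change it, anyone may bind with it, nobody reads it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Postal addresses: only the registrars group (assumed DN) and the person.
access to attrs=homePostalAddress,postalAddress
    by group.exact="cn=registrars,ou=Group,dc=example,dc=edu" read
    by self read
    by * none

# Email address: any authenticated user may look it up, anonymous may not.
access to attrs=mail
    by users read
    by * none

# Everything else (including uidNumber/gidNumber for posixAccount entries)
# is read-only even for the owner: no "by self write" here, or a user could
# rewrite their own uid.
access to *
    by users read
    by * none
```

Check the result with ldapsearch bound as an ordinary user, as the registrar, and anonymously, and confirm that only the expected attributes come back in each case; a catch-all with "by self write" over * is the classic mistake here because it hands posix attributes to the account they describe.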

Hooray! A worthwhile ASK SLASHDOT topic! (0)

Anonymous Coward | more than 11 years ago | (#5175185)

Yo, Cliff baby, more of the same. This is actually something that the questioner could conceivably get a good answer for from the /. crowd.

Unlike the usual "how do I get laid" and "how do I do something that's incredibly easy to find on any Internet search engine" type questions.

Thanks for posting it.

Mapping Macs to LDAP directories (0)

Anonymous Coward | more than 11 years ago | (#5186599)

The best documentation of Apple's LDAP schema I have seen is in Appendix A of the Mac OSX Server admin guide. 4d / _121902.pdf
