Novell Home

Update: Mac OS X and Novell eDirectory Integration

Novell Cool Solutions: Feature
By Randall R. Saeks

Digg This - Slashdot This

Updated: 12 Jul 2006
 

Mac OS X and Novell eDirectory Integration

Note: To download the latest update to the article, click here.

Randy Saeks, Support Technician
Glenbrook High School District #225, Illinois

Introduction

This document serves as a guide to help you integrate Apple computers into a Novell environment. The same concepts, however, can be applied to any directory service. This document focuses on supplementing various other guides that are already published. It will include the various setups utilized in District 225, as well as challenges, problems and solutions encountered during the process. In addition, this will hopefully aid in building a stronger community where professionals working in a similar environment can correspond to address issues.

Background

School District #225 is comprised of two high schools: Glenbrook North High School and Glenbrook South High School. The schools have a high adoption of technology into the curriculum. Glenbrook North is comprised of 31% Macs (302 machines) while Glenbrook South is roughly 42% Macintosh (410 machines).

Once Apple released OS X.2, a plan was devised to upgrade the machines running OS 9.x to OS X. When Apple introduced 10.3, they incorporated version 3 of the Lightweight Directory Access Protocol (LDAP). This allowed OS X desktops to take better advantage of open standards. One of these advantages is the ability to use the LDAP services built into NetWare. Using the LDAP protocol provided by Novell and read by the OS X desktop, it is possible to have a Macintosh workstation authenticate to eDirectory to provide network services to the end user.

There are three basic elements to integrating Apple computers into a Novell environment:

  • Directory setup
  • Desktop setup
  • Managing preferences

Directory Setup

Before you do the client and server setup, you need to add certain extensions to eDirectory. These attributes can be broken down into several main areas:

  • User
  • Group
  • Computer
  • Mount
  • Printer
  • Machine List
  • Configuration
  • Preset

The user authentication attributes are the Mount and User attributes. The others can be used later on in the Client and Server setup to allow for managed settings to be applied. The Mount attributes tell the operating system where and how to mount the directory that will be the network home for the user. The User attributes are used by the OS X machine to authenticate the user and determine who is using the machine. This includes the user's home directory, password, name, unique ID, Group ID, etc.

The next pages explain the schema extensions and what they are used for. In the LDIF file used to extend the schema, unnecessary items may be commented out. Keep in mind that to ensure the setup will work for you, apply it to a test environment. Additionally, you don't need to apply all the attributes at once - you can add more at a later time. The schema extensions can be obtained from Macenterprise.org. You can find the link to the specific article by Dan Sinema in the Additional Information section at the end of this document.

User Attributes

AttributeDescription
apple-user-homeurlAFP address of the server that has the user's home directory. *Note: This will need to be in the same case as the apple-user-homeDirectory attribute.
apple-user-classUnused
apple-user-homequotaHome Directory quota, in Kilobytes. This cannot be exceeded.
apple-user-mailattributeMail-related settings, in XML
apple-mcxflagsAttribute that alerts the workstation at login that there are Managed Client settings to be applied to the user
apple-mcxsettings and apple-mcxsettings2 Where the plist-formatted preferences (XML) are stored in the directory. If the first attribute (apple-mcxsettings) becomes too large, it will carry over into apple-mcxsettings2.
apple-user-picturePath to the picture the user account will use
apple-user-printattributePrint quota settings
apple-user-adminlimitsUser capabilities, in Workgroup Manager. The settings here have no effect on the workstation.
apple-user-authenticationhintOnce a user types the password incorrectly three times, this text appear in the login window. For example: "If you forgot your password, please contact the Help Desk?.
apple-user-homesoftquotaAllocated disk space. A warning will be issued once this is reached.
apple-user-passwordpolicyPassword settings applied to the user, such as password length, expiration time, etc.
apple-keywordKeywords / Comments on the user account.
apple-user-homeDirectoryUNIX path to the user's home directory, once the AFP object apple-user-homeurl is mounted. This is partially determined by the mount object mountDir.
apple-generateduid Generated Unique ID

Group Attributes

AttributeDescription
apple-group-homeurlAFP address of the folder of the Group to which the user belongs
apple-group-homeownerOwner of the folder apple-group-homeurl
apple-mcxflagsAttribute that alerts the workstation at login that there are Managed Client settings to be applied to the group
apple-mcxsettingsActual Managed Client settings. These settings will apply to the group the user belongs to.
apple-group-realname'Real Name' of the group. This can be something like "OS X Admins," "Students," or "Marketing."
apple-user-picturePicture for the group
apple-keywordKeywords/comments for the group names, such as "Created on 11/22 by Randy Saeks."
apple-generateduidUniqueID of the group
apple-group-memberUidUniqueID of the members of the group

Computer Attributes

AttributeDescription
apple-realnameName of the workstation
DescriptionDescription of the workstation
macAddressMAC address of the machine (used to identify the machine on the network)
apple-computer-list-groupsGroups that the workstation belongs to.
apple-mcxflagsAttribute that alerts the workstation at login that there are Managed Client settings to be applied to the workstation.
apple-mcxsettingsWhere the plist-formatted preferences (XML) are stored in the directory.
apple-xmlplistXML Plist Data
authAuthorityAuthentication authority
uidNumberUnique ID number of workstation
gidNumberGroup ID number of the workstation
apple-generateduidGenerated unique ID

Computer List Attributes

AttributeDescription
apple-mcxflagsAttribute that alters the workstation at login that there are Managed Client settings to be applied to the workstation.
apple-mcxsettingsWhere the plist-formatted preferences (XML) are stored in the directory.
apple-computer-list-groupsXML Plist Data
apple-computersComputers in the group
apple-keywordNotes / Keyword about the computer
gidNumberGroup ID number of the workstation

Mount Attributes

AttributeDescription
apple-mountDirectoryLocation within the file system where the server will be mounted
apple-mountTypeMount VFS Type
apple-mountOptionMount Options
apple-mountDumpFrequencyMount Dump Frequency
apple-mountPassNoMount Passno

Printer Attributes

AttributeDescription
apple-printer-attributesPrinter attributes (in /etc/printcap format)
apple-printer-lprhostPrinter LPR hostname
apple-printer-lprqueuePrinter LPR queue
apple-printer-typePrinter Type
apple-printer-noteNotes about the printer

Machine Attributes

Attribute Description
apple-machine-softwareInstalled system software
apple-machine-hardwareSystem hardware description
apple-machine-serverNet Info Domain Server Binding
apple-machine-suffixDIT suffix

Configuration Attributes

AttributeDescription
apple-config-realnameReal name of the configuration object
apple-data-stampData Stamp on the configuration
apple-password-server-locationAddress of the password server
apple-password-server-listList of the password servers
apple-ldap-replicainformation regarding the LDAP replica
apple-ldap-writable-replicainformation regarding the writable LDAP directory
apple-keywordKeyword on the configuration
apple-kdc-authkeyKDC authentication key
apple-kdc-configdataKDC configuration data
apple-xmlplistXML Plist of the data

Location Attributes

AttributeDescription
apple-dns-domainDNS Domain
apple-dns-nameserverDNS Name Server List

Authentication Authority Attributes

AttributeDescription
authAuthorityAuthentication Authority

XML Plist Attributes

AttributeDescription
apple-xmlplistXML Plist Data

Preset User Attributes

AttributeDescription
apple-user-homequotaHome Directory quota, in KB. This value cannot be exceeded
apple-user-mailattributeMail-related settings, in XML
apple-mcxflagsAttribute that alerts the workstation at login that there are Managed Client settings to be applied to the user.
apple-mcxsettings and apple-mcxsettings2These two attributes are where the plist-formatted preferences (XML) are stored in the directory. If the first attribute (apple-mcxsettings) becomes too large, it will carry over into apple-mcxsettings2.
apple-user-picturePath to the picture the user account will use
apple-user-printattributePrint quota settings
apple-user-adminlimitsUser capabilities, in Workgroup Manager. These settings have no effect on the workstation.
uidPreset UID of the user
apple-user-homesoftquotaAllocated disk space. A warning will be issued once this is reached.
apple-user-passwordpolicyPassword settings applied to the user, such as password length, expiration time, etc.
apple-keywordKeywords/comments on the user account
memberUidUID of the user in group
apple-generateduidGenerated Unique ID
gidNumberGroup ID Number
homeDirectoryHome Directory
apple-user-printattributePrinter settings for the user
userPasswordPassword for the user
loginShellDefault login shell for the user. In ConsoleOne, you can put in the shell and then the script for the user to run.
DescriptionDescription of the user
shadowLastChangeLast time the shadow password was changed
shadowExpireWhen the shadow password is set to expire
authAuthorityAuthentication authority
apple-preset-user-is-adminDetermines whether preset users should be put into the Admin group
apple-user-homeurlAFP address of the server that has the users home directory. Note: This will need to be in the same case as the apple-user-homeDirectory attribute.
apple-user-classUnused

Preset Computer List Attributes

AttributeDescription
apple-mcxflagsDefault managed client flags for machines
apple-mcxsettingsDefault managed client settings for machines
apple-computer-list-groupsDefault group to which new machines belong
apple-keywordDefault comments/keyword about a machine

Preset Group Attributes

AttributeDescription
memberUidUID of member in the group
gidNumberDefault group ID
apple-group-homeurlDefault group AFP address
apple-group-homeownerDefault owner of the group folder
apple-mcxflagsDefault managed flags for the group
apple-mcxsettingsDefault managed settings for the group
apple-group-realnameReal Name of the group
apple-keywordKeyword(s) for the group

Desktop Setup

There currently is a managed desktop for each user. The user who logs in belongs to a group. Workgroup Manager is used to manage preferences for the machine that are retrieved from eDirectory. This is accomplished with the Managed Client settings of OS X Server, where the same LDAP mappings are used on the OS X Server as on the Client. This will tell the server where to store the settings, and the client where to retrieve them. For more details, see the Managing Preferences section.

The file system has some non-manageable preferences and settings. These are set using loginhooks. When a user successfully logs into the system, a hook is run with root privileges. There is a relatively standard desktop for users that appears at first login. The idea was taken from the University of Utah setup with UlabMin. A link to their page is contained in the Additional Information section at the end of this article. The desktop wallpaper, which has tips on using the OS X setup, was modified to fit our setup. A screen shot of the desktop is shown below.

Figure 1: Standard desktop

(Larger image)

Login Scripts

Below is a basic flowchart of how the login process works. It shows the flow of scripts and conditions required for them to run. The best thing to do when setting up loginhooks that perform various actions is to take them one command at a time. This will make troubleshooting much easier. It also is good to logically plan a setup that will work out the best. preferably a modular one. That way, if one script needs to be changed, you can send out one smaller file. Planning and thinking though a hierarchal setup for login scripts will make developing them much easier.

Figure 2: Login process flowchart

(Larger image)

The first script I use is shown below. Line numbers are added for reference.

1 echo "$1 `date`" >> /var/log/login.log 
2 sudo -H -u $1 /Library/Management/desktop.sh 
3 exit 0 

The main purpose of line 1 is to write the login user and the date to the log file stored on the machine. The parameter $1 in bash is the user ID of the current user. Line 2 runs the desktop creation script with the credentials of the user who is logged in. This is needed, because otherwise the script will run as root, and the items will be placed on the root user's desktop. The final line is an exit statement.

As seen on line 2, the login.sh script calls the desktop.sh script. This is what I use for managing the desktop and copying things that cannot be done though Workgroup Manager. The script follows:

1 id_num=`id -u` 

2 if [ $id_num -le 9999 ] 3 then 4 if echo "$HOME" | grep -q '10\.2'; then 5 /Library/Management/GBN/staff.sh 6 elif echo "$HOME" | grep -q '10\.3'; then 7 /Library/Management/GBS/staff.sh 8 elif echo "$HOME" | grep -q '10\.1'; then 9 echo "TEST" 10 fi 11 elif [ $id_num -gt 10000 ]
12 then 13 if echo "$HOME" | grep -q '10\.2'; then 14 /Library/Management/GBN/student.sh 15 ln -shf /Network/Servers/10.2.1.22/GBNCS3.DATA/Data/GBN ~/Desktop/Teacher\ Folders 16 elif echo "$HOME" | grep -q '10\.3'; then 17 /Library/Management/GBS/student.sh 18 ln -shf /Network/Servers/10.3.1.22/GBSCS3.DATA/Data/GBS ~/Desktop/Teacher\ Folders 19 elif echo "$HOME" | grep -q '10\.1'; then 20 echo "TEST" 21 fi 22 fi
23 ln -shf ~/ ~/Desktop/My\ User\ Folder 24 rm -r ~/Library/Caches/MS\ Internet\ Cach 25 ln -shf /Users/Shared/Library/Caches/MS\ Internet\ Cache ~/Library/Caches/
26 rm -r ~/Movies 27 ln -shf /Users/Shared/Movies ~/
28 rm -r ~/Library/Preferences/ByHost 29 ln -shf /Users/Shared/Library/Preferences/ByHost ~/Library/Preferences
30 if echo "$HOME" | grep -q '10\.2'; then 31 ldapsearch -x -h gbnsvc1.glenbrook.k12.il.us -LLL "(uidNumber=`id -u`)" 32 loginGraceRemaining > /var/log/grace_remaining.log 33 lgr=`grep loginGraceRemaining /var/log/grace_remaining.log` 34 lgr_count=${lgr##*loginGraceRemaining:\ } 35 if [ $lgr_count -lt 5 ] 36 then 37 open /Applications/Utilities/Password\ Expire.app 38 fi 39 elif echo "$HOME" | grep -q '10\.3'; then 40 ldapsearch -x -h gbssvc1.glenbrook.k12.il.us -LLL "(uidNumber=`id -u`)" 41 loginGraceRemaining > /var/log/grace_remaining.log 42 lgr=`grep loginGraceRemaining /var/log/grace_remaining.log` 43 lgr_count=${lgr##*loginGraceRemaining:\ } 44 if [ $lgr_count -lt 5 ] 45 then 46 open /Applications/Utilities/Password\ Expire.app 47 fi 48 fi 49 exit 0

The first line will be used throughout the entire script. In bash, it is fairly simple to assign a variable a value. However, using some of the commands can be tricky. In this case, the id --u command is used. The actual command ID has various ways it can return the values. By default, the user ID and primary group ID are returned. By specifying the --u parameter, only the user ID is returned. The two ticks (the non-shifted tilde key) are used to signify the result of the command. In this manner we assign the value of the command id --u to id_num. That way, each time this command is run it must query the network. In saving the value, the network only needs to be queried once, and that value can now be put into memory.

Lines 2 though 11 determine if the user logging in as a student or staff, based on the unique ID of the user. Because all our staff have 4-digit ID's, we set the unique ID of each user in ConsoleOne to the staff ID. That enables us to easily log the user and determine who, student or staff, is logging in. This is done by the command:

if [$id_num --le 9999] 

If the user ID is less than 9999, it is assumed that the person is a staff member, and the next set of IF statements execute. Because the image being used is for two locations, there may be different software setups at each building. To overcome this, we check where the user is located. The UNIX $HOME command is used to print the full path of the user's home directory, based upon the home path in the user's UNIX profile.

The IP scheme we use has different subnets at each location. The following command:

echo ?$HOME? | grep --q ?10\.2'

will print out to the terminal the homepath, and then perform a search of that value for 10.2. The "\" signifies to the terminal that the ?.' should be interpreted as an ASCII value, as opposed to a control character. Nesting this command with an IF will allow requested items to run only when the condition is true.

The same principle applies to student users. This can be seen on lines 12 though 22. With their ID numbers being 5 or more digits, if the value is greater than 10,000 it is assumed the user is a student. The building settings are done with the same comparison as the staff.

The next section of code deals with items pertaining to each and every user that logs into the machine. Lines 23-29 are things that all users will receive. The first,

ln --shf ~/ ~/Desktop/My\ User\ Folder 

will place a link (similar to an alias) on the user's desktop that goes to their user folder. Again, the "\" is used before a non-text character to signify not to break from the script.

Line 24 removes the Internet cache from the user's folder. This cache takes up 10 MB per user, and with a limitation of 100MB of storage on student folders in our setup, it made sense to free up the extra space. To make up for it however, the cache on the machine will be from the same file for all users. A link is made (line 25) to re-direct the file to the one on the machine.

Similarly, some students will be using iMovie to make movies, and folders can fill up rather quickly. Using the same method as the Internet cache, the Movies folder that appears in a user folder is re-directed to the local machine. This frees up the file size issue; however, users will need to remember that their data is only on that machine.

One of the most important links for functionality is in lines 28 and 29. If you are using NetWare 6, there is a limitation of 31 characters based on the AFP module that Novell uses. There are per-user settings (Classic is one) that are stored in the user folder on the network that violate this limitation. Therefore, Classic will not function. The preferences from a local account are copied into a shared folder on the machine. The Preferences in the user's folder are recursively deleted, and a link is made to the ones on the local hard drive. This way, when OS X looks in the usual location for these preferences (the network), it will find the link, resolve it to the machine, and then use the preferences on the local drive. The link is seen below.

Figure 3: Standard desktop

Figure:

Since the machine can handle the longer file names, the issue is resolved.

Finally, lines 30-49 notify users when passwords have expired. There is no built-in mechanism for users to be notified of expired LDAP passwords in OS X. Some locations force users to change their Novell password periodically. It is entirely possible that a user can login to OS X and never be notified the password has expired, and thus lock themselves out.

The lines 30 and 39 are used so that the LDAP server in the building where the user is from can be determined. This prevents users having to go across buildings to one single server to check for expiration.

Lines 31 and 32 go out to the LDAP server specified with an anonymous bind. With the unique ID of the user logging in, a query is made to the LDAP server for the value of the LDAP attribute loginGraceRemaining. This attribute is then placed it into a text file, overwriting what is already there. Most likely, a LDAP mapping will have to be created on the LDAP group in ConsoleOne to map the eDirectory attribute of loginGraceRemaining to an LDAP value of your choice.

Line 33 sets the value of lgr to the result of searching the file for the LDAP attribute. Once that is completed, the actual numeric value is placed into lgr_count. This is done by setting the value to the text after loginGraceRemaining, then a colon, backslash, and a space (":\ "). That value is then compared on line 35 to the value of how many grace logins users receive. If is below that, it will open a program on the local machine.

Script Resources

The program and scripts I wrote to accomplish this are available under the GPL and are listed at the end of this document. That is a basic outline on what processes on our workstations after a successful authentication. However, there are still a few customizations that can be made. These are the scripts that are opened based on the location, and user type (see lines 5, 7, 14, and 17). The first two scripts (ending in staff.sh) and the last two (ending in student.sh) do very similar tasks.

/Library/Management/GBN/staff.sh

1 ln -shf /Library/Management/GBN/FS\ Only/Glenbrook\ Applications ~/Desktop/Glenbrook\ Applications

2 ln -shf /Network/Servers/10.2.1.21/gbncs2.data/Data/FacStaff ~/Desktop/FacStaff

/Library/Management/GBS/staff.sh

1 ln -shf /Library/Management/GBS/FS\ Only/Glenbrook\ Applications ~/Desktop/Glenbrook\ Applications

2 ln -shf /Network/Servers/10.3.1.21/gbscs2.data/Data/FacStaff ~/Desktop/FacStaff

/Library/Management/GBN/student.sh

1 ln -sfh /Library/Management/GBN/profiles/studentuser/Desktop/Glenbrook\ Applications ~/Desktop/Glenbrook\ Applications

2 cp /Library/Management/GBN/profiles/studentuser/com.apple.desktop.plist ~/Library/Preferences

/Library/Management/GBS/student.sh 1 ln -shf

/Library/Management/GBS/profiles/studentuser/Desktop/Glenbrook\ Applications ~/Desktop/Glenbrook\ Applications

Deploying the Scripts

In building one image that is going to be used at two locations with various different software setups, it was necessary to present the staff at each building with the different folder of Applications. To do this, the Application setup on our Windows machines was mimicked. For all users, there are shortcuts to commonly used programs on their desktop, in a folder called Glenbrook Applications. A location was created based on building to create the profiles of applications and settings to be copied.

In this example, on line 1 of both staff.sh scripts, a link is made in the current users desktop to the folder Glenbrook Applications, in the /Library/Management/building folder. In this case, all applications that users at GBN will need are to be placed in the Glenbrook Applications folder in the GBN folder; likewise for GBS users to the GBS folder.

Line 2 in the staff.sh script places a shortcut to the shared space on the network that all Staff members have access to. On our Windows machines, this is accomplished with a drive mapping in my computer as well as shortcut on the desktop.

The last 2 scripts (student.sh) on line 1 have the same functionality as the staff scripts. The only difference is the path from where they are copied. In the GBN student.sh script there is one difference from the GBS script. This deals with the plist file that controls the appearance of the desktop for the students. Since the desktop appearance cannot be set with WorkGroup Manager, I had to set the wallpaper for an account and find which file was changed. In doing so, that file is copied to each students profile at login. Although they may set a wallpaper for themselves at login, the default one will be there the next time they log in.

Managing Preferences

Once all the login items that pertain to the machine are set, the next task is managing preferences. They can be broken into four areas; user, group, computer, and computer list. Preferences apply in this order: Computer, Group, User.

These settings are set on the OS X Server itself. It will need to have the same LDAP mappings as the clients, so you will want to apply the same package of eDirectory attributes to the server as the workstation and set up the LDAP profile in Directory Access. It is important to first plan out the user structure - what settings you want groups to have, how to make it easy to get that done, etc.

The nice thing about using the UNIX settings for groups is that the users merely have to have a group ID, and not actually be in the eDirectory group. For example, putting all students in a default GroupID of 20 allows every student within the defined search base to receive the same settings, without adding each person into the group with that Unix ID.

We currently have a base setup with students in a Primary Group ID of 20. A dummy group is created to hold the preferences for Group ID 20, so the preferences are organized. We also added all staff members into a Primary Group ID of 40. The same setup was used. A dummy group was created with Group ID 40, and the preferences applied to that group. We had to change the primary group ID of the users to 40 for this to work. Finally, we created another group with Group ID of 80. This group will allow users to be admins on the machines. There currently are no preferences set to this group, but login items will be added so the users connect to the same servers as the other staff members.

Note: If everyone has a primary group ID of 20, no matter whom they are, they will receive the preferences for the group number. If there are additional groups that you want to apply settings to, you can simply create a group, give it a unique group ID, and assign members into that group. This will make it easier to create special groups with access. Keep in mind that it is much easier to track settings when done on a group level than a user level.

Every preference that appears on the server can be managed, so if there are additional programs that install preference panes, it might be a good idea to install them on the server. Each preference can either be enabled or disabled to the user. Some, such as the dock, login items, printers, can be managed for the user. This is where the "manage once" preference setting may be beneficial.

Manage Once allows for the preference to be set on the machine, but be modifiable. Giving the users a simple dock at login with common items, then allowing them to change it is a good setup. There is a Cool Solution talks about using Workgroup Manager to connect to other servers automatically, with the user logging in credentials.

Additional Information

This section contains links to other sites and guides that you may find useful. If there are any comments or concerts, feel free to contact me via email, at rsaeks@gmail.com.

Novell

Multiple Mac Connections without Additional Logins
http://www.novell.com/coolsolutions/nds/features/a_mac_ldap_connections_edir.html

Leveraging eDirectory with Apple Workgroup Manager
http://www.novell.com/coolsolutions/nds/features/tips/t_apple_workgroup_edir.html

Student Login Versus Staff Login http://www.novell.com/coolsolutions/nnlsmag/features/trenches/tr_staff_vs_students_nls.html</p>

LDAP Expired Password
http://www.novell.com/coolsolutions/tools/1969.html

Integrating Mac OS X and Novell eDirectory White Paper
http://whitepapers.zdnet.co.uk/0,39025945,60045021p-39000512q,00.htm

MacEnterprise.org

Integrating Mac OS X 10.3 and Novell eDirectory
http://macenterprise.org/content/view/80/77/

Resources
http://macenterprise.org/component/option,com_weblinks/Itemid,88/

University of Utah University of Utah Mac OS Support http://www.macos.utah.edu/Documentation/ulabmin/ulabmin.html


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell