TweetFollow Us on Twitter

Strangers in a foreign land

Volume Number: 23 (2007)
Issue Number: 10
Column Tag: MacEnterprise, networking

Strangers in a foreign land

Integrating OS X with Active Directory

By Philip Rinehart, Yale University

Active Directory!

Of the topics that come up on the Macenterprise list, Active Directory and its integration with OS X is discussed frequently. Why? Many environments are using Active Directory for integration for the Windows side of the house, and many Mac administrators don't want to manage the information store separately for Macs alone. This month we will look at some tips for working with the Active Directory plug-in. Let's get started!

Binding

Binding, what is it? Directory Services uses a machine account and "binds" the account to the Active Directory domain. When logging in, the authentication framework is able to use the bound machine's account for non-local users. As a result, a user is granted access to a machine without a local account. With the Active Directory plug-in, there are a number of intricacies that make binding difficult. We will look at one of the most common issues. Before we begin this discussion, though, remember to check forward and reverse DNS, a common binding problem. For more information about testing, check out the article here, http://macenterprise.org/content/view/305/84.

Finding my Organizational Unit

Often, an administrator does not have access to the default Organizational Unit used by the Active Directory plug-in. How does an administrator find their Organizational Unit then? Fortunately, the tools for performing a lookup are built into OS X! Let's look at a rather verbose command.

ldapsearch -LLL -Hldap://yourdomaincontroller.ad.test -x -D "admin@ad.test" -b "dc=ad,dc=test" -W  "cn=activedirectorycomputerobjectname" dn

Looks rather complicated doesn't it? Fortunately, it isn't that hard to understand once we dissect it a little bit. The first option, -LLL is not strictly necessary. However, using it omits comments, restricts the output to LDIFv1 (not important here), and the last L prevents printing of the LDIF version.

Next, the -H option is specified. This option is very important! Enter the URI of a domain controller that has a copy of the Global Catalog. Ldapsearch uses this domain controller to look up information about a computer account.

Next, the -x option is used for simple authentication, not SSL. In some cases, SSL is not used on domain controllers. The -D option is important, as it supplies the Active Directory credentials that are used to authenticate for the LDAP search.

-b provides the search base. The search base is the point in the LDAP tree where the search should begin. If unsure, enter the top level of the forest. -W is similar to using the -x option, telling ldapsearch to prompt for the password, instead of supplying it with the ldapsearch command.

The last two entries are used to get the actual Organizational Unit path. The first option "cn=activedirectorycomputerobjectname" looks for the computer account in Active Directory. The last option tells ldapsearch that only the dn attribute is important. It's o.k. not to specify it, but every attribute is then returned. Sounds like a lot, doesn't it? Try executing the command once. After you have the hang of it, you will find how powerful ldapsearch can be. As a sanity check, here's an example of how the ldapsearch results might appear:

dn: CN=mbp,OU=One,OU=Two,OU=Three,OU=Four,DC=ad,DC=test

With this information, it's easy to determine the OU path for machine binding. Note however that the machine account must exist before this search is executed. The command and its results could also be wrapped in Applescript, an Automator action, or any other scripting language. Once the machine is bound, the fun begins!

Static maps

One of the hidden gems of the Active Directory plug-in is the ability to use "static maps". Usage of static maps was originally conceived for usage with the LDAP plug-in, but it can now be used for mapping any needed attributes. Let's use an example. On the list, a discussion about using NFS shares on Active Directory asked about how to provide an attribute for each user logging in that would be exactly the same. Static maps to the rescue! Here's how to do it:

This will require a little bit of command line magic. Open a terminal, and enter the following command:

dsconfigad -staticmap attributetype attributevalue

Three attributes should not be statically mapped, UID, RecordName and GeneratedUID. As stated in the man page, mapping these attributes may produce "unexpected" results. What is the syntax? It's pretty simple, first the attribute value. Attribute values are preceded by a pound sign "#". If the goal is to have every non-local user use the same value, enter #value to provide each user with that value at login. Another feature, variable mappings, is not available with the Active Directory plug-in. It should also be noted that using static maps is only available from the command line using dsconfigad.

Timeout values

Controlling the timeout values for the Active Directory plug-in involves editing the ActiveDirectory.plist in /Library/Preferences/DirectoryService. First, note that this procedure is completely unsupported by Apple! A very common problem occurs with mobile accounts and Active Directory is extremely slow logins. This problem commonly occurs due to the fact that the Domain Controller is firewalled, and unavailable outside the corporate network. For each Domain Controller, a value of 240 seconds is assigned. Imagine what happens when the laptop user goes home. Login times, and even wake from sleep times can become almost unbearably long. Fortunately, an administrator who knows what values to change in the plist can alter them, reducing the timeout times manually. Open the ActiveDirectory.plist in your favorite editor. Next search for the following entries:

<key>LDAP Connection Timeout</key>
<string>240</string>

This entry usually occurs in multiple places. Depending on your environment, change the value to a lower value. Restart the computer, and the timeout values should be in effect. It has been reported that for some environments the value may get overwritten, but in my experience it has worked.

Question marks in the Dock

The last thing that appeared recently is the appearance of a host of question marks in the dock on Intel-based machines when using the Active Directory plug-in with mobile accounts. Credit Mike Yocom and Brian Warsing for this solution. It is a bit involved, but does solve the problem quite nicely.

Step one: Convert com.apple.dock.plist for each user to xml. This task is best accomplished with a loginhook. Here is the command:

plutil -convert xml1 -o /tmp/foo.xml com.apple.dock.plist

Step two: Use a bit of xmlmagic, using xsltproc to filter out "_CFURLAliasData" entries from the plist.

xsltproc -o com.apple.dock.plist /path/to/style-sheet/com-apple-dock-style.xsl /tmp/foo.xml

And the required style sheet:

<?xml version='1.0' encoding='utf-8'?>
<xsl:stylesheet version='1.0'
xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>
<xsl:output method='xml' version='1.0' encoding='utf-8' indent='yes'
doctype-public="-//Apple Computer//DTD PLIST 1.0//EN"
doctype-system="http://www.apple.com/DTDs/PropertyList-1.0.dtd"/>
<!-- This template copies the entire root -->
<xsl:template match="@*|node()">
    <xsl:copy>
        <xsl:apply-templates select="@*|node()"/>
    </xsl:copy>
</xsl:template>
<!-- This template removes the _CFURLAliasData node -->
<xsl:template match="array/dict/dict/dict/key">
    <xsl:variable name="foo">
        <xsl:value-of select="." />
    </xsl:variable>
    <xsl:choose>
        <xsl:when test="$foo = '_CFURLAliasData'">
            <!-- Do nothing. I mean don't print it -->
        </xsl:when>
        <xsl:otherwise>
            <!-- Output a copy of the orig. node -->
            <xsl:copy-of select="." />
        </xsl:otherwise>
    </xsl:choose>
</xsl:template>
<!-- This template dumps the data nodes with the alias data -->
<xsl:template match="array/dict/dict/dict/data">
    <xsl:for-each select="." />
</xsl:template>
</xsl:stylesheet>

Step 3: There is no step 3!

It really is that simple once all of the pieces are in place, and solves the immediate problem so that question marks will not appear in the dock. This month, we've tackled some of the most recent issues with Active Directory. As always, Active Directory integration continues to be a very complex problem, as each environment has unique qualities. Keep sending in feedback to Apple, and keep discussing on the lists, to make the Active Directory plug-in as good as it can be! One last thing, check out the following Best Practices paper about Active Directory integration from Apple: http://images.apple.com/itpro/pdf/AD_Best_Practices_2.0.pdf. It also supplies very useful information about troubleshooting and integration. Until next month, see you on the lists!


Philip Rinehart is co-chair of the steering committee leading the Mac OS X Enterprise Project (macenterprise.org) and is the Lead Mac Analyst at Yale University. He has been using Macintosh Computers since the days of the Macintosh SE, and Mac OS X since its Developer Preview Release. Before coming to Yale, he worked as a Unix system administrator for a dot-com company. He can be reached at: philip.rinehart@yale.edu. The MacEnterprise project is a community of IT professionals sharing information and solutions to support Macs in an enterprise. We collaborate on the deployment, management, and integration of Mac OS X client and server computers into multi-platform computing environments.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Shadow Blade: Reload guide - How to hack...
Shadow Blade: Reload is the kind of action-platformer that would have happily sucked up hours of your time on a console a few years back.Now, you can take it with you wherever you go, and its mobile conversion is not too shabby at all. To help you... | Read more »
Tomb of the Mask guide - How to increase...
Tomb of the Mask is a great endless arcade game from Happymagenta in which quick reflexes and a persistent attitude can go a long way toward earning a top score. Check out these tips to see if you can give yourself an edge on the leaderboards. [... | Read more »
Smooth Operator! (Games)
Smooth Operator! 1.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: Smooth Operator is a weird, weird two-player kissing game. Squeeze in for 2 player fun on a single iPad, creating awkward... | Read more »
Sinless: Remastered (Games)
Sinless: Remastered 1.0 Device: iOS Universal Category: Games Price: $1.99, Version: 1.0 (iTunes) Description: | Read more »
_PRISM Guide - How to solve those puzzle...
_PRISM is a rather delightful puzzle game that’s been tailor made for touch screens. While part of the fun is figuring things out as you go along, we thought we’d offer you a helping hand at getting in the right mindset. Don’t worry about messing... | Read more »
Fractal Space (Games)
Fractal Space 1.3.1 Device: iOS Universal Category: Games Price: $.99, Version: 1.3.1 (iTunes) Description: Live the memorable experience of Fractal Space, a unique first person adventure & puzzle game by Haze Games! Will you... | Read more »
Set off on an adventure through the Cand...
Like match three puzzlers? If so, Jelly Blast, the innovative iOS and Android game which launched last year, is worth a look. Jelly Blast sees you head off on an epic adventure through the Candy Kingdom with your friends Lily, Mr. Hare, and Mr.... | Read more »
Ellipsis - Touch. Explore. Survive. (...
Ellipsis - Touch. Explore. Survive. 1.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: | Read more »
Abzorb (Games)
Abzorb 1 Device: iOS Universal Category: Games Price: $2.99, Version: 1 (iTunes) Description: Abzorb is a tilt game about consuming orbs by getting as close as you can to them without touching. By tilting your mobile device, collect... | Read more »
A Short Tale (Games)
A Short Tale 1.0 Device: iOS Universal Category: Games Price: $3.99, Version: 1.0 (iTunes) Description: It’s been years since I lost Ben, so long yet it doesn’t seem long enough. I never thought I’d return here, to where everything... | Read more »

Price Scanner via MacPrices.net

Sale! B&H Photo offers 12-inch Retina Mac...
B&H Photo has 12″ Retina MacBooks on sale for $300 off MSRP for a limited time. Shipping is free, and B&H charges NY tax only: - 12″ 1.1GHz Gray Retina MacBook: $999 $300 off MSRP - 12″ 1.... Read more
App Annie Reveals Future of the App Economy:...
App Annie, a San Francisco based mobile app data and insights platform, has launched its first comprehensive app economy forecast. This new offering will provide brands, agencies, investors and app... Read more
Apple restocks Certified Refurbished Mac mini...
Apple has restocked Certified Refurbished 2014 Mac minis, with models available starting at $419. Apple’s one-year warranty is included with each mini, and shipping is free: - 1.4GHz Mac mini: $419 $... Read more
What iPad Pro Still Needs To Make It Truly Pr...
I love my iPad Air 2. So much that I’m grudgingly willing to put up with its compromises and limitations as a production tool in order to take advantage of its virtues. However, since a computer for... Read more
21-inch 3.1GHz 4K on sale for $1399, $100 off...
B&H Photo has the 21″ 3.1GHz 4K iMac on sale $1399 for a limited time. Shipping is free, and B&H charges NY sales tax only. Their price is $100 off MSRP: - 21″ 3.1GHz 4K iMac (MK452LL/A): $... Read more
Apple price trackers, updated continuously
Scan our Apple Price Trackers for the latest information on sales, bundles, and availability on systems from Apple’s authorized internet/catalog resellers. We update the trackers continuously: - 15″... Read more
Save up to $240 with Apple Certified Refurbis...
Apple is now offering Certified Refurbished 12″ Retina MacBooks for up to $240 off the cost of new models. Apple will include a standard one-year warranty with each MacBook, and shipping is free. The... Read more
Apple refurbished 13-inch Retina MacBook Pros...
Apple has Certified Refurbished 13″ Retina MacBook Pros available for up to $270 off the cost of new models. An Apple one-year warranty is included with each model, and shipping is free: - 13″ 2.7GHz... Read more
Apple refurbished Time Capsules available for...
Apple has certified refurbished Time Capsules available for $120 off MSRP. Apple’s one-year warranty is included with each Time Capsule, and shipping is free: - 2TB Time Capsule: $179, $120 off - 3TB... Read more
13-inch 2.5GHz MacBook Pro (refurbished) avai...
Apple has Certified Refurbished 13″ 2.5GHz MacBook Pros available for $829, or $270 off the cost of new models. Apple’s one-year warranty is standard, and shipping is free: - 13″ 2.5GHz MacBook Pros... Read more

Jobs Board

Infrastructure Engineer - *Apple* /Mac - Rem...
…part of a team Requires proven problem solving skills Preferred Additional: Apple Certified System Administrator (ACSA) Apple Certified Technical Coordinator (ACTC) Read more
Lead Engineer - *Apple* OSX & Hardware...
Lead Engineer - Apple OSX & Hardware **Job ID:** 3125919 **Full/Part\-Time:** Full\-time **Regular/Temporary:** Regular **Listed:** 2016\-02\-10 **Location:** Cary, Read more
Simply Mac *Apple* Specialist- Service Repa...
Simply Mac is the largest premier retailer of Apple products in the nation. In order to support our growing customer base, we are currently looking for a driven Read more
Infrastructure Engineer - *Apple* /Mac - Rem...
…part of a team Requires proven problem solving skills Preferred Additional: Apple Certified System Administrator (ACSA) Apple Certified Technical Coordinator (ACTC) Read more
Lead Engineer - *Apple* OSX & Hardware...
Lead Engineer - Apple OSX & Hardware **Job ID:** 3125919 **Full/Part\-Time:** Full\-time **Regular/Temporary:** Regular **Listed:** 2016\-02\-10 **Location:** Cary, Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.