Technical Training:
Integration
This document is intended for Apple internal and channel audiences, and is for training purposes only.
Apple Inc.
2013 Apple Inc. All rights reserved.
06-06-2013
Table of Contents
Introduction, page 1
About this series, page 1
Collaboration, page 56
Resources, page 77
Appendix, page 80
Introduction
This guide is designed to help organizations conduct proof-of-concept or broader end-user pilot
testing with Mac computers in their environments. The guide is divided into two sections critical
to successfully deploying Mac computers:
Directory Services
Collaboration
Each section contains examples with step-by-step instructions for a variety of technologies using
different strategies. For example, the Directory Services sections explain Open Directory, Active
Directory, Lightweight Directory Access Protocol (LDAP), and other techniques. Choose the one
that best meets your organization's needs.
Before using this guide, you may want to speak with your Apple sales representative or Apple
Authorized Reseller for assistance in determining the right modules to review for your
environment.
Directory Services
A directory service stores information about users, groups, and network resources for an
organization. OS X maintains local directory services in the form of local accounts or by using
network directory services, which obtain information from a centralized source. On a default
installation of OS X, you can configure directory services to access directory service information
with LDAP (Lightweight Directory Access Protocol) and Active Directory.
When an application, daemon, or utility needs information about a user, group, or computer, it
does a directory service lookup. In OS X, directory information is always retrieved from the local
directory service first. If the information isn't located in local directory services, the query is sent
to other directory services that have been configured. This search path is specified in the
/System/Library/CoreServices/Directory Utility application. Administrators can specify the order to
search the directory services for information such as users and groups.
Directory services in OS X are built using a modular framework. This framework allows directory
services to be extended with third-party directory modules. These modules provide additional
functions as well as other directory services support not included in the default operating system.
The command line utilities and their roles include the following:
odutil: Monitors directory services and manages directory services logging.
dscl: Directory Service command line utility.
dscacheutil: Looks up information, flushes caches, and gathers statistics on directory services.
dseditgroup: Alters group membership information.
dsenableroot: Enables or disables the root account.
dserr: Shows descriptions of directory services error codes.
dsexport: Exports directory services information.
dsimport: Imports directory services information.
To create a local administrator account:
1. Choose System Preferences from the Apple menu and click Users & Groups.
2. Click the lock icon in the lower-left of the pane and authenticate with an administrator's
password.
3.
4. In the new account dialog, choose Administrator from the New Account menu.
5. Enter the new user's full name and account name. (These names should be unique and
different from each other.)
6. Enter the password in both the Password and Verify fields, then click the Create User button.
The new account appears in the Accounts list, under Other Users.
7. To make sure you created the account successfully with the appropriate administrative
privileges, log out and log in again as the new user.
Open Directory
Open Directory is the directory services implementation built into OS X Server.
The Open Directory service in OS X Server includes a shared LDAPv3-based directory domain
along with a number of schema extensions using registered Object Identifier (OID) space through
Internet Assigned Numbers Authority (IANA). It also includes the Apple Password Server and
Kerberos 5. Each component is integrated using the modular Directory Services subsystem.
The Kerberos service running in Open Directory allows users to authenticate to any service
running on any server with their Open Directory credentials. The services must be kerberized and
the server they're running on must be bound to Open Directory.
Before you set up the Open Directory master, make sure that the IP address matches the DNS
records for the server. To do this, use the changeip command:
changeip -checkhostname
This command checks the current DNS information against the server's IP address and makes
sure that the DNS has been set up appropriately. If you receive any errors while running this
command, repair the DNS and run the command again until it returns with success.
mainserver:~ serveradmin$ sudo changeip -checkhostname
Primary address     = 10.10.100.9
Current HostName    = mainserver.pretendco.com
DNS HostName        = mainserver.pretendco.com
The names match. There is nothing to change.
dirserv:success = success
IMPORTANT: The hostname and DNS could match while still being wrong. Before you
continue setting up the Open Directory master, verify the system's HostName is correct.
2. After OS X Server resolves the DNS correctly, open Server.app from the Applications folder.
3. Select your server on the Choose a Mac screen and authenticate to the server.
4.
5.
6. In the Configure Network Users and Groups pane, select Create a new Open Directory
domain and click Next.
7. In the Directory Administrator pane, enter the account information for the new Open
Directory administrator account.
This account is different from a local administrative account because the Directory
Administrator can only edit information within the Open Directory database, and can't
modify local accounts or modify service settings. The default name for the Open Directory
administrator account is Directory Administrator and the default short name is diradmin. You
can change these names. The default User ID is 1000, which can't be changed in the Setup
Assistant.
8.
9. Click Next.
10. In the Organization Information pane, enter your organization's name and an administrator's
email address to be used for creating a certificate authority and some certificates.
14. When the setup process is complete, click Logs in the sidebar and choose the Open Directory
configuration log to review the setup logs.
15. The logs are spread throughout a number of files. Review the other Open Directory logs,
looking for any major errors. Available logs are shown in the screenshot below.
16. Return to the Open Directory area in the sidebar and confirm the service is running and your
master is in the list.
17. If you're using a server for testing, consider removing the Open Directory information you
created in this exercise (for example, if you want to start over using the command line or
review logs more thoroughly to understand what happens if you change various options
during the promotion). To delete an Open Directory master in Server app, select the master in
the Open Directory service area and click the Delete (-) button. In Terminal, run the following
command:
slapconfig -destroyldapserver
IMPORTANT: This command destroys all information in the Open Directory network domain.
Because DNS records are crucial to an Open Directory environment, you must make sure that DNS
is working properly.
To use Network Utility to validate DNS:
Open Network Utility and select the Ping tab. Enter the name of the Open Directory server in the
text field and click the Ping button. The example below uses mainserver.pretendco.com as the
name of the Open Directory master.
When the server responds to your request, your client is ready to be bound to the server.
If the server doesn't respond, it may be because it's configured with security options. To verify
connectivity, use Network Utility to scan any ports in use on that server (for example, 389 for
LDAP). To do this, open Network Utility and click the Port Scan tab at the top of the pane. Enter
the IP address or host name of the server in the Enter an internet or IP address to scan for open
ports field. Then select the Only test ports between checkbox, enter the range of ports you want
to test in the fields, and click Scan.
Binding to Open Directory using the Users & Groups pane in System Preferences
The easiest way to bind a Mac to an Open Directory master is by using the Network Account
Server setup assistant in the Users & Groups pane of System Preferences. The setup assistant is a
simple interface for binding and automatically detects whether you're binding to Active Directory
or Open Directory.
Note: To configure advanced options, open Directory Utility from the Network Accounts Setup
pane or from /System/Library/CoreServices/Directory Utility.
To bind to Open Directory from the Users & Groups pane:
1.
2.
3.
4.
5.
6. Enter the name of the Open Directory master in the Server field.
7. Click OK.
OS X will first attempt to establish an SSL connection and verify that the certificate is trusted
by evaluating the certificate trust chain. If the root certificate isn't already trusted, you'll be
prompted to trust the SSL certificate.
8. Click Trust.
If the LDAP communication isn't encrypted, you're prompted to continue without a secure
connection.
9. Click Continue.
10. If prompted, enter the Client Computer ID (the name of the computer record in Open
Directory is provided), and enter a user name and password if you want to perform a trusted
bind. Then click OK.
This step depends on server configuration, so it may not appear.
If the binding was successful, a green status indicator appears to the right of Network
Account Server, followed by the name of the directory server.
Binding to Open Directory using Directory Utility
1.
2.
3.
4.
5.
6.
7.
8. From the Services pane, select LDAPv3 and click the pencil, or double-click LDAPv3 to edit.
9.
13. Enter a Computer ID and optionally a network name and password to perform an
authenticated bind.
19. If the new connection doesn't appear in the list, choose Custom path in the Search menu.
20. Click the Add (+) button to add the directory service.
21. Select the new LDAP service from the list provided.
22. Click Add.
23. Click Apply on the main Search Policy screen.
Note: If you need to customize further, go back to the Services button in the Directory Utility
toolbar, double-click LDAP, then click the server you want to customize.
25. Click the Connection tab to edit information you entered in the previous window, and
customize time-out settings, custom TCP ports for LDAP, and so on.
26. Use the Search & Mappings pane to map specific records and attributes from the local
system to those on the Open Directory server.
27. When you're finished with your settings, click Save Template to make a copy, or click the
Write to Server button to change your cn=config environment.
IMPORTANT: Be careful when using the Write to Server option because this option means
all clients that are set up will get their settings from the server.
28. In the Security pane, you can add authenticated binding by selecting the checkbox labeled
Use authentication when connecting and entering the distinguished name and password of
the account you'll use for connections. You can also use the Security Policy section of this
pane to enable policies that control how LDAP data is transmitted over your network.
Note: The server that the client computer is connecting to must allow these security policy
settings.
Setting Up an Open Directory Replica
1.
2.
3.
4. In the Configure Network Users and Groups panel, select Join an existing Open Directory
domain as a replica.
5. Click Next.
6. Enter the parent server hostname, and the Directory Admin name and password.
7. Click Next.
8. The Open Directory replica is created and you return to the Open Directory service.
9. Click the disclosure triangle next to the master to see the Open Directory structure.
10. On the Open Directory master, use Server app to view the replica along with the last
replication that was performed. Click Logs in the sidebar to look for errors that may have
occurred during initial replication. (See Setting Up an Open Directory Master earlier in this
document for more information about viewing log files.)
Active Directory
Active Directory is Microsoft's directory services solution. Active Directory provides information
about users, groups, and computers (information stored in LDAP), password management and
encryption (using Kerberos), and the ability to find objects on a network. Information in Active
Directory is used to manage users, computers, groups, printers, and other resources. Within Active
Directory, administrators can also use Group Policy Objects to assign policies to Windows
computers.
Active Directory deployments vary, from smaller environments with a few hundred objects to
larger environments with thousands (or millions) of users and systems distributed across a
number of sites.
You can manually bind Mac computers to Active Directory through the Active Directory Service
plug-in in Directory Utility. From the command line, use dsconfigad to bind and specify Active
Directory-specific options.
Active Directory provides policies to Windows computers and the schema can be extended to
include policies for other operating systems, including OS X. Some environments can't extend
their AD schemas, so third-party solutions can provide policies to Mac computers without
extending the schema.
In this section, you'll learn some administrative tasks for managing OS X with Active Directory.
1. Open Terminal and enter the following command to do a lookup on the service record to
locate the global catalog:
dig -t SRV _gc._tcp.pretendco.com
; <<>> DiG 9.4.1-P1 <<>> -t SRV _gc._tcp.pretendco.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34512
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;_gc._tcp.pretendco.com.        IN      SRV
;; ANSWER SECTION:
_gc._tcp.pretendco.com. 600     IN      SRV
;; ADDITIONAL SECTION:
dc.pretendco.com.       3600    IN      A       192.168.55.47
2. If the response doesn't include an answer section with the name of a domain controller,
check to make sure the OS X network settings are correct and that the DNS specified is one
that will return service record information for your Active Directory forest.
3. To bind OS X to Active Directory, you need credentials of a local administrator on the Mac as
well as of an Active Directory user who has the authority to join computers into the
Organizational Unit (OU) that you'll be leveraging in Active Directory.
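As an added example (not part of the Apple guide), the following shell script parses the answer section of a dig SRV response like the one above and lists the global catalog hosts in the order a client should try them, and reports when no answer section is present. The dig output embedded in the script is constructed for this example; the domain controller names dc, dc2 and dc3 are invented.

```shell
#!/bin/sh
# Added example, not from the Apple guide: parse a `dig -t SRV _gc._tcp.<domain>`
# response and report the global catalog servers it advertises. An SRV record's
# data is "priority weight port target"; clients try the lowest priority first
# and, within the same priority, prefer the highest weight.

# Constructed dig output for this example (hosts dc, dc2 and dc3 are invented).
SAMPLE_DIG_OUTPUT='; <<>> DiG 9.4.1-P1 <<>> -t SRV _gc._tcp.pretendco.com
;; Got answer:
;; QUESTION SECTION:
;_gc._tcp.pretendco.com.    IN  SRV

;; ANSWER SECTION:
_gc._tcp.pretendco.com. 600 IN  SRV 10 100 3268 dc2.pretendco.com.
_gc._tcp.pretendco.com. 600 IN  SRV 0  50  3268 dc3.pretendco.com.
_gc._tcp.pretendco.com. 600 IN  SRV 0  100 3268 dc.pretendco.com.

;; ADDITIONAL SECTION:
dc.pretendco.com.   3600    IN  A   192.168.55.47
'

# A response with no answer section, as seen when the Mac points at a DNS
# server that does not serve the Active Directory zone (also constructed).
SAMPLE_EMPTY_OUTPUT=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; QUESTION SECTION:
;_gc._tcp.pretendco.com.    IN  SRV
'

# srv_targets: read dig output on stdin and print one line per SRV answer as
# "priority weight port target", sorted by priority ascending, then weight
# descending. Lines outside the ANSWER SECTION are ignored.
srv_targets() {
  awk '
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^;;/ || /^$/         { in_answer = 0 }
    in_answer && $4 == "SRV" {
      target = $8
      sub(/\.$/, "", target)            # strip the trailing dot of the FQDN
      printf "%s %s %s %s\n", $5, $6, $7, target
    }' | sort -k1,1n -k2,2nr
}

# gc_count: number of global catalog servers advertised. Zero means the DNS
# server in use is not returning AD service records and binding will fail.
gc_count() {
  srv_targets | wc -l | tr -d ' '
}

# first_gc_host: the host a client should contact first, or "none".
first_gc_host() {
  host=$(srv_targets | head -n 1 | awk '{ print $4 }')
  if [ -n "$host" ]; then echo "$host"; else echo none; fi
}

# Run against the sample when executed directly. On a Mac, replace the sample
# with: dig -t SRV _gc._tcp.<your domain> | srv_targets
printf '%s\n' "$SAMPLE_DIG_OUTPUT" | srv_targets
printf 'first: %s  count: %s\n' \
  "$(printf '%s\n' "$SAMPLE_DIG_OUTPUT" | first_gc_host)" \
  "$(printf '%s\n' "$SAMPLE_DIG_OUTPUT" | gc_count)"
```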
After you have bound the Mac to Active Directory, you can set up the client to allow Active
Directory administrators (or any Active Directory user you choose) to be local administrators on
the local Mac client. During initial setup, you need the local administrative user name and
password for the Mac. This user is the user set up in the Setup Assistant after installation.
1.
2.
3.
4.
5. After you've joined the network account server, you can go back and look at the binding
information and provide more details, if needed.
You can also see the Active Directory options in Directory Utility before binding if more
information is needed to bind. To open Directory Utility, click the Edit button in the Users &
Groups pane in System Preferences (or if the initial attempt at binding failed, click Join).
6.
7. Double-click Active Directory (or click Active Directory and then click the pencil icon).
8.
b.
c. Click OK.
d. Enter the Active Directory user with the delegated authority to bind a machine to the
OU specified for Computer OU. Enter the Active Directory user's password.
e. Click OK.
In the Users & Groups pane, a green light appears next to the domain if provided network
accounts are accessible.
Sample:
Client-1:~ admin$ id jfoster
uid=818406992(jfoster) gid=1450179434(PRETENDCO\domain users) groups=1450179434(PRETENDCO\domain users)
2. If the id command doesn't return information about an Active Directory user, open Directory
Utility and make sure OS X is bound to Active Directory and that Active Directory is listed
under Search Path (the listing is created automatically when the client is bound). Also verify
network connectivity between OS X and the domain controller, and check firewall settings on
the network.
1. Type dscl localhost to enter the dscl runtime environment.
2. Type ls to list the directory service nodes (plug-ins) enabled on the system.
One of the listed nodes should be Active Directory (if not, Active Directory isn't enabled in
Directory Utility).
Active Directory
BSD
Local
Search
Contact
3. Type cd 'Active Directory' to get to the Active Directory node. Then type ls to list the
contents of the node. An example is shown below.
> cd 'Active Directory'
/Active Directory > ls
All Domains
4. Type cd 'All Domains' to get to the All Domains node. Then type ls to show the
contents of the node. An example is shown below.
/Active Directory > cd 'All Domains'
/Active Directory/All Domains > ls
CertificateAuthorities
Computers
FileMakerServers
Groups
Mounts
People
Printers
Users
5. Type cd Users to move into the Users container. The node should contain all of the users in
the forest. If you have a lot of users, don't use ls to list the contents of the Users node. Instead
type read <ad username> to view that user's attributes. An example is shown below:
/Active Directory/All Domains > cd Users
/Active Directory/All Domains/Users > read jfoster
dsAttrTypeNative:accountExpires: 9223372036854775807
dsAttrTypeNative:ADDomain: pretendco.com
dsAttrTypeNative:badPasswordTime: 0
dsAttrTypeNative:badPwdCount: 0
dsAttrTypeNative:cn:
 Tim Lee
dsAttrTypeNative:codePage: 0
dsAttrTypeNative:countryCode: 0
dsAttrTypeNative:displayName:
 Tim Lee
dsAttrTypeNative:distinguishedName:
 CN=Jimmy Foster,CN=Users,DC=pretendco,DC=com
more...
6. If you can't read the attributes for a user, check access controls in Active Directory and make
sure that you've bound to the correct OU.
7. Exit dscl.
/Active Directory/All Domains/Users > exit
Goodbye
1. Type su followed by the Active Directory user's short name. For example:
Client-1:~ Admin$ su jfoster
Password:
2. Enter the Active Directory user's password (nothing will display) and press the Return key.
You should now be in a Terminal session as that user. To check, use the whoami command.
For example:
bash-3.2$ whoami
jfoster
3. To confirm that Active Directory Kerberos is available, type kinit and reenter the
password.
bash-3.2$ kinit
Password for jfoster@PRETENDCO.COM:
4. If there are no errors, type klist to see your ticket. If there are errors, investigate and
remedy them.
bash-3.2$ klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jfoster@PRETENDCO.COM
Valid starting      Expires             Service principal
03/07/13 19:49:21   03/08/13 05:49:19   krbtgt/jfoster@PRETENDCO.COM
Note: If you see warnings about not having a home directory, disregard them at this point.
The home directory is created on initial login.
To verify whether an Active Directory user account is active:
You can log out by choosing Log Out [user name] from the Apple menu, but it's more convenient
to use Fast User Switching to test the login window.
1. To enable Fast User Switching, choose System Preferences from the Apple menu, and click
Users & Groups.
2. In the Users & Groups pane, make sure the lock in the lower-left corner is unlocked. If it's
locked, click the lock icon and authenticate to unlock it.
3.
4. Make sure that the Show fast user switching menu as checkbox is selected.
A user name appears in the menu bar in the upper-right corner of your display.
5.
After a cube transition, the login window appears. The current user session is still active. To
return to it, select the original user in the Fast User Switching menu or at the login window.
6. Click Other, and enter the Active Directory user name and password. You can use the short
name or the user principal name (UPN) (for example JimmyFoster, jfoster, PRETENDCO\jfoster,
or jfoster@pretendco.com).
You should now be logged in as the Active Directory user.
7. If the login window jiggles during authentication, make sure that you have completed the
verify setting section above and validate the password. Or you can try a different Active
Directory user account.
8. If you receive a warning that your home directory wasn't found, open Directory Utility and
check the settings for your Active Directory configuration. If you haven't selected Force local
home directory on startup disk, there's an issue with mounting your network home
directory. For this exercise, make sure the Force local home directory on startup disk option
is selected.
Authority
The Active Directory account you're using to bind also needs the authorization to bind clients. In
many cases, this means having access to a specific OU. Requirements may include having
permission to remove objects from an OU (such as when binding and placing into a new OU)
or full control over the domain. The access required for the account used to bind OS X should
mirror that required to bind Windows clients.
Active Directory verification
When bound, make sure accounts are reachable using dscl and id. To use id, open Terminal and
run id <ad username> to look up an account. This returns the user and group information for
the account. See the procedure above.
If you can't look up a single account, the Active Directory connection isn't working. Another tool
that can isolate where in the directory services tree a problem has occurred is dscl. Run dscl to
see the plug-ins enabled on the system and to enter the dscl runtime environment. See the
procedure above.
If you can't cd into All Domains, you can't communicate with a domain controller. If you can cd
into All Domains, navigate into the Users node by using cd and perform another ls to show
the contents of the node. The node should contain all users in the forest. If you have a large
number of users, don't enter ls to list the contents of the node, but rather use read to read the
attributes of a single user.
If you can't read the attributes of a user, check access controls in Active Directory and make sure
that you have bound to the correct OU.
User password verification
If the user's password doesn't work, make sure that you don't have multiple users with the same
short name in your Active Directory forest. If you do, you must enable namespace support with
dsconfigad. To test this, enter a user name that has a unique short name forest-wide.
1.
2.
3.
4.
5.
6. Authenticate as a local administrator by clicking the lock icon in the lower-left corner, if it's
not already unlocked.
7. Select the Active Directory plug-in and click the pencil, or double-click Active Directory to
edit.
8.
9.
10. Enter the information needed to map to the Active Directory attributes. If you aren't sure
what values to enter, ask your Active Directory administrator.
1.
2.
3.
4. Click the Join button to the right of Network Account Server. This is an Edit button when the
system is already bound to a directory service.
5.
6. Authenticate as a local administrator by clicking the lock icon in the lower-left corner, if it isn't
already unlocked.
7. Select the Active Directory plug-in and click the pencil, or double-click Active Directory to
edit.
8. Click the disclosure triangle to show advanced options, then click User Experience.
This pane includes the Create mobile account at login checkbox. Selecting this option
creates an account on the local system so the user can log in even if the Mac can't contact
the Active Directory servers.
9. To turn on home-folder synchronization, select the checkbox labeled Use UNC path from
Active Directory to derive network home location. If you select this checkbox, additional
settings in the Network protocol to be used menu appear. The Active Directory plug-in
converts the \\server\share\folder that the Active Directory profile provides to /server/share/
folder and places either an afp: or an smb: in front of the request, resulting in afp://server/
share/folder or smb://server/share/folder, respectively.
To change packet signing options in OS X, use the -packetsign flag with dsconfigad.
Available settings with the -packetsign flag are allow, disable, and require. To configure
dsconfigad to require packet signing, use the following command:
dsconfigad -packetsign require
If necessary, set the signing back to the default with the following command:
dsconfigad -packetsign allow
Packet encryption is also available in OS X. Packet signing makes the contents of LDAP traffic
authentic; packet encryption additionally keeps them confidential. To enable packet encryption,
use the -packetencrypt flag along with the same settings available with the -packetsign flag.
As with packet signing, verify that the server supports packet encryption before requiring it.
To require packet encryption, use the following command:
dsconfigad -packetencrypt require
If you need to use TLS to encrypt packets, use the ssl option.
dsconfigad -packetencrypt ssl
The ssl option requires a trusted certificate chain from Active Directory. If the certificate chain
doesn't have a trusted root, you need to install and trust the root certificate in the root keychain.
If the change is successful, the following message appears:
Settings changed successfully
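As an added example (not from the Apple guide), the following shell script audits the text that dsconfigad -show prints on a bound Mac for the two settings just described, flagging a binding that still merely allows signing or encryption rather than requiring it. The dsconfigad -show output embedded in the script is constructed for this example, and the exact field labels (Packet signing, Packet encryption) are an assumption to check against your OS X version.

```shell
#!/bin/sh
# Added example, not from the Apple guide: check `dsconfigad -show` output for
# the LDAP packet signing and packet encryption settings described above.
# "allow" (the default) lets the protection be negotiated away when the domain
# controller does not enforce it; "require" (or "ssl" for encryption) does not.
# The sample output below is constructed and its field labels are assumed.

SAMPLE_SHOW_OUTPUT='Active Directory Forest          = pretendco.com
Active Directory Domain          = pretendco.com
Computer Account                 = client-1$

Advanced Options - User Experience
  Create mobile account at login = Disabled
  Force home to startup disk     = Enabled

Advanced Options - Administrative
  Allowed admin groups           = PRETENDCO\domain admins
  Packet signing                 = allow
  Packet encryption              = allow
  Namespace mode                 = domain
'

# ad_setting NAME: print the value of the "NAME = value" line read on stdin
# (whitespace-trimmed, case-insensitive on NAME); prints nothing if absent.
ad_setting() {
  awk -F'=' -v key="$1" '
    NF >= 2 {
      name = $1; sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name)
      if (tolower(name) == tolower(key)) {
        val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        print val; exit
      }
    }'
}

# signing_hardened VALUE / encryption_hardened VALUE: succeed only when the
# setting rejects unprotected traffic rather than merely allowing protection.
signing_hardened() {
  case "$1" in require) return 0 ;; *) return 1 ;; esac
}
encryption_hardened() {
  case "$1" in require|ssl) return 0 ;; *) return 1 ;; esac
}

# audit_ad_binding: read dsconfigad -show output on stdin, print one finding
# per check, and return the number of failed checks (0 means fully hardened).
audit_ad_binding() {
  show=$(cat)
  fails=0
  sign=$(printf '%s\n' "$show" | ad_setting 'Packet signing')
  if signing_hardened "$sign"; then
    echo "packet signing: $sign (ok)"
  else
    echo "packet signing: ${sign:-missing} (weak; fix: dsconfigad -packetsign require)"
    fails=$((fails + 1))
  fi
  enc=$(printf '%s\n' "$show" | ad_setting 'Packet encryption')
  if encryption_hardened "$enc"; then
    echo "packet encryption: $enc (ok)"
  else
    echo "packet encryption: ${enc:-missing} (weak; fix: dsconfigad -packetencrypt require)"
    fails=$((fails + 1))
  fi
  return $fails
}

# Run against the sample when executed directly. On a bound Mac, replace the
# sample with: dsconfigad -show | audit_ad_binding
if printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | audit_ad_binding; then
  echo "binding is hardened"
else
  echo "binding needs hardening"
fi
```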
1.
2.
3.
4.
5. Browse to the SSL root certificate and select the certificate you want to import.
A trust sheet appears.
6.
LDAP
Lightweight Directory Access Protocol (LDAP) is the protocol used in most modern directory
services systems, including Novell's eDirectory, Microsoft's Active Directory, and Apple's Open
Directory.
LDAP defines how clients create, query, and update information in directory services and supplies
that data, stored in a database, to clients and servers. OS X supports binding to any directory
service that supports LDAP with the LDAPv3 Directory Service plug-in, which you can configure in
the Users & Groups pane in System Preferences, with Directory Utility (located in /System/Library/
CoreServices), or with the dsconfigldap command.
LDAP is flexible and supports different options for connecting, binding, and mapping to and from
the fields of the LDAP database, called attributes. If you use Directory Utility or the
dsconfigldap command, you can customize these options.
In LDAP, a schema is a set of rules about how data is stored in a directory service. Depending on
the schema, you may have to provide custom mappings of directory service data in OS X with
data in your directory service. Directory Utility provides templates (and the ability to create new
templates for easy migration between hosts) to map to commonly used schemas. Directory Utility
also supports mapping attributes via a special record stored in the directory service.
Binding to LDAP
To begin using an LDAP-based directory service, you must first bind OS X to your directory service
with the LDAPv3 plug-in. The LDAPv3 plug-in supports simple binding, trusted binding, and
Kerberos binding. Select a binding option based on your security requirements and settings
configured on your LDAP servers.
Simple binding configures OS X to look up directory service information with minimum
configuration and security.
Trusted binding requires the server to authenticate itself to prevent a man-in-the-middle type
of attack.
Kerberos binding provides digital signing of all packets, packet encryption, and man-in-the-middle
attack prevention.
Note: Communication for all types of bindings can be encrypted with SSL.
Simple binding
Binding a Mac computer to an LDAP server with a simple bind tells the directory services
framework of OS X to use an LDAP server as a potential location to find information, whether for
simple directory lookups or for account information supplied at the login window. A simple bind
tells directory services that a directory domain exists and, if requested specifically by configuring
the Search Policy, that it should pull user and computer information from this directory service.
You'll then add the simple bind configuration to your Search Policy.
To enable a simple bind:
1.
2.
3.
4. Enter either the host name or IP address of your LDAP server in the Server Name or IP
Address field.
5. Click Continue.
6.
7. In the LDAP Mappings menu, choose From Server, and enter the search base of your LDAP
environment.
8.
9. Choose Custom path from the Search menu to tell the system to use the search path you're
about to add.
10. Click the Add (+) button to show the Available Directory Domains.
11. Click the LDAP environment you just added, then click Add. When you get back to the
Directory Utility window, click Apply.
You can now use the dscl command to browse to the domain, authenticate as a user at the
login window, and test other functions.
Trusted binding
Use the Users & Groups pane in System Preferences and/or Directory Utility (from /System/
Library/CoreServices) to set up trusted binding between a Mac and an LDAP directory, if the
directory supports trusted binding.
In a trusted bind scenario, the binding is mutually authenticated between the client and server
with an authenticated computer record created in the directory upon binding (similar to the
process in Active Directory).
A trusted bind setup is a static binding specific to the client hardware it was set up on. This means
every computer must be bound after imaging.
To bind a Mac:
1.
2.
3.
4.
5. Click the Join button (or the Edit button if the system has already been bound into a
directory service).
6.
7.
The dialog expands to include a Computer ID, a user name, and a password.
8.
9. Enter a user name and password with privileges to the LDAP infrastructure.
10. Click OK. The computer will bind to Open Directory and a computer record will be created on
the Open Directory master for this computer.
Note: The computer record might already exist in the directory if it's a duplicate system or is
being rebound after not unbinding properly. If an alert appears saying a computer record
exists, click Overwrite to replace the existing computer record and then click OK.
11. Click the Open Directory Utility button.
13. Make sure that the server is listed in the Authentication Search Policy. Add the server via the
Custom path option if necessary.
14. Click Apply.
49
1.
Open Directory Utility (from the Users & Groups System Preferences pane or from /System/
Library/CoreServices).
2.
3.
4.
If you dont need to map individual attributes, choose one of the templates in the LDAP
Mappings list.
50
5.
To map individual attributes, select the entry for your LDAP server and click the Edit button.
6.
7.
Choose Custom from the Access this LDAPv3 server using menu. A list of record types and
attributes appears.
8.
Click the Add button under the Record Types and Attributes list to show the record selection
dialog.
9.
Enter Users (for this example) for the record type you want to build a map for, select Users
from the list, and then click OK.
51
10. Select Users in the Record Types and Attributes list and click Add again.
11. Select the Attribute Types radio button and search for NFS in the Attributes list.
12. Click OK again to select the NFSHomeDirectory attribute from the list.
The pane should look as shown below.
52
13. While NFSHomeDirectory is selected, click Add under the Map to any items in list option.
Enter the name for the attribute (homeDirectory for this example) that you want to map to in
your LDAP schema into the field that appears.
Now that you've entered a record, you can see that if you have 30 records and 100 systems, it's
labor intensive to map attributes one by one. There are two ways to streamline this process. The
first is RFC 2307, which maps the OS X directory service to an RFC 2307-based LDAP schema. For
more information on RFC 2307, see http://www.ietf.org/rfc/rfc2307.txt.
You can also store mappings on the LDAP server, and they'll be discovered as long as the
organizational unit is called ou=macosxodconfig. Mac OS X clients will perform an LDAP query on
the LDAP server, searching for a record named macosxodconfig which contains the mappings. In
Directory Utility, you can save the mappings to the server's /Config container by clicking the
Write to Server button. If you do this, enter the distinguished name and password for a user who
has permission to write to the /Config object. Then enter the search base to discover the Config
object.
Note: In OS X, templates are, by default, stored in the Documents directory for the user account
that created them, in the property list (.plist) format.
Kerberos
Kerberos is a network authentication protocol that provides a client-server architecture with
mutual authentication: both the user and the server verify each other's identity. This protects
Kerberos against attacks such as eavesdropping, and the resulting potential for replay attacks.
Kerberos uses a Key Distribution Center (KDC) that consists of two parts: the Authentication
Server (AS) and a Ticket Granting Server (TGS), which issues Ticket Granting Tickets (TGTs).
Kerberos works with tickets that prove the identity of users. The KDC maintains a database of
secret keys. All clients on the network share a secret key and use it to acquire a TGT. When the
client has a TGT, it can present it to the KDC to get service tickets, which authenticate to
kerberized services on the network. A kerberized service issues service tickets to clients. These
service tickets are encrypted with the service's private key. If a client presents an invalid or
unverified service ticket to the service, the client's service request is denied.
Note: For communication between two kerberized entities, the KDC generates session keys,
which the KDC uses to secure communications.
In addition to authenticating a host's identity in a Kerberos environment, safeguards are also put
into place to protect the authenticity of each service running on a system in the form of a Service
Principal. For a client to obtain tickets, the client requests a ticket using a TGT. You can view this
information, in the form of Service Principals, with the klist command from the Mac to view
cached service tickets.
A more detailed overview of Kerberos is beyond the scope of this document, but it's important to
know that when a user first authenticates to a KDC (whether it's Active Directory, Open Directory,
or an MIT/Heimdal-based KDC), the client receives a TGT. When the client authenticates to a
kerberized service, the client will have both a TGT and a service ticket for that service. This helps in
troubleshooting authentication issues.
To use a graphical interface to access information regarding Kerberos tickets, open Keychain
Access and choose Ticket Viewer from the Keychain Access menu. You can also manage Kerberos
from the command line using kinit, kswitch, kdestroy, klist, kgetcred, and kpasswd.
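The troubleshooting check described above (a TGT plus a service ticket for the service in question) can be scripted from klist output. The functions below are an added example and not code from the Apple guide: they parse a Heimdal-style klist listing for a TGT and for a service ticket of a named service. The listing is constructed for this example, and the realm PRETENDCO.COM, the user jkaiser and the host server.pretendco.com are assumptions.

```shell
#!/bin/bash
# Added example, not from the Apple guide: inspect a Heimdal-style klist
# listing for a TGT and for service tickets. The listing is constructed for
# this example; the realm PRETENDCO.COM and the host names are assumptions.
# On a real Mac, feed it live output: kerberos_state "$(klist 2>/dev/null)" svc/host

SAMPLE_KLIST='Credentials cache: API:501:1
        Principal: jkaiser@PRETENDCO.COM

  Issued                Expires               Principal
Jun  6 10:00:00 2013  Jun  6 20:00:00 2013  krbtgt/PRETENDCO.COM@PRETENDCO.COM
Jun  6 10:01:00 2013  Jun  6 20:00:00 2013  afpserver/server.pretendco.com@PRETENDCO.COM'

# Print the principal (last column) of every ticket row. Ticket rows start
# with the month of the issue time; the header and cache lines do not.
ticket_principals() {
  printf '%s\n' "$1" |
    awk '$1 ~ /^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)$/ { print $NF }'
}

# Succeeds if the cache holds a ticket-granting ticket (krbtgt/REALM@REALM).
has_tgt() {
  ticket_principals "$1" | grep -q '^krbtgt/'
}

# Succeeds if the cache holds a service ticket for service/host, for example
# afpserver/server.pretendco.com (the realm after @ is not compared).
has_service_ticket() {
  ticket_principals "$1" | awk -v want="$2@" '
    index($0, want) == 1 { found = 1 }
    END { exit !found }'
}

# Print the realm of the TGT, or nothing if there is none.
tgt_realm() {
  ticket_principals "$1" | awk -F@ '/^krbtgt\// { print $2; exit }'
}

# Summarise the state the way a troubleshooter reads it: no TGT means the user
# never authenticated to the KDC; a TGT without a service ticket means the
# service-ticket request (or the service's principal) is the problem.
kerberos_state() {
  if ! has_tgt "$1"; then
    echo "no TGT"
  elif has_service_ticket "$1" "$2"; then
    echo "TGT and service ticket for $2"
  else
    echo "TGT only; no service ticket for $2"
  fi
}

kerberos_state "$SAMPLE_KLIST" afpserver/server.pretendco.com
```

The parser keys on the month abbreviation that starts each ticket row, so it ignores the cache name and principal header lines; anything else in the listing (for example a renewal column on other Kerberos implementations) would need the field test adjusted.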
2 Collaboration
One of the great challenges for IT departments is to optimize the sharing, storage, and retrieval of
institutional knowledge. Apple has a number of innovative features available that promote
collaboration. This chapter examines how you can use Apple tools and technologies to integrate
with an organization's existing collaboration solutions.
In many organizations, collaboration revolves around accessing groupware and corporate micro
sites that are centered around Microsoft servers. In this section you'll learn how to access
Microsoft Exchange, connect to Microsoft SharePoint and DFS shares, and communicate with
instant messaging servers.
1.
2.
3.
4.
Enter the user's name, email address, and password in the appropriate fields.
5.
Click Continue.
Autodiscover should provide the user name, password, and server address for the account. If
not, see Troubleshooting Mail, Calendar, and Contacts with Microsoft Exchange later in this
chapter for more information.
6.
Click Continue.
1.
Open Mail.
2.
If Mail hasn't been configured with any accounts, the Welcome to Mail dialog will prompt
you to add an account.
3.
4.
If an account has already been set up in Mail, you can add additional accounts in Mail
preferences.
5.
6.
Click Accounts.
7.
8.
Enter the user's full name, email address, and password in the Add Account pane.
9.
Click Create.
Mail uses Autodiscover to attempt to look up the account information. If it finds the
appropriate Autodiscover records, Mail will populate the input fields. After this is completed,
check the content in each field, or provide the correct information.
10. If Autodiscover isn't configured, choose Exchange from the Account Type menu and enter the
server address, user name, and password.
11. If you want to automatically configure Contacts and Calendar at this point, select the
Contacts and/or Calendars checkboxes.
1.
Open Mail.
2.
Right-click the name of the account (or Inbox if there is only one account) in the left sidebar.
3.
4.
5.
6.
Set the time during which replies will be sent (or leave the Until disabled option).
7.
Enter reply messages in the Internal and External Reply fields (one for users inside your
domain, the other for users outside your domain).
8.
DNS
Many organizations use Service Connection Points (SCP) to implement Autodiscover. This is
usually sufficient for Windows clients that run Microsoft Outlook. However, if the proper forward
and reverse DNS entries for Autodiscover haven't been configured on the DNS servers, the Mac
client cant find the Exchange Web Services (EWS) service on the Client Access Server (CAS).
To verify SRV DNS record results:
1.
2.
In the Open window, type CMD.
3.
4.
5.
Type _autodiscover._tcp.yourdomain.com
replacing yourdomain.com with the domain of the primary email address.
6.
Press Enter.
192.168.1.100
Non-authoritative answer:
_autodiscover._tcp.yourdomain.com
primary name server = ns2.yourdomain.com
responsible mail addr = mailserver.yourdomain.com
serial = 1
expire
nameserver = ns2.yourdomain.com
_autodiscover._tcp.yourdomain.com
nameserver = ns1.yourdomain.com
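The SRV check above can be done from a Mac as well, and scripted when many users report Autodiscover failures. The functions below are an added example, not code from the Apple guide: one derives the _autodiscover._tcp query name from the user's primary email address, the other picks the target a client should try first from an SRV answer. The answer lines are constructed in the "priority weight port target" form printed by dig +short SRV, and the hosts cas1.pretendco.com and cas2.pretendco.com are assumptions.

```shell
#!/bin/bash
# Added example, not from the Apple guide: derive the Autodiscover SRV name
# from a user's primary e-mail address and choose which SRV target to try
# first. The answer lines are constructed in the "priority weight port target"
# form printed by "dig +short SRV"; cas1/cas2.pretendco.com are assumptions.

# _autodiscover._tcp.<domain> for the domain part of the address.
autodiscover_srv_name() {
  domain=${1##*@}
  # Require an @ and a non-empty domain part.
  if [ -z "$domain" ] || [ "$domain" = "$1" ]; then
    return 1
  fi
  printf '_autodiscover._tcp.%s\n' "$domain"
}

# Constructed answer: two records; the lower priority value is preferred.
SAMPLE_SRV='10 5 443 cas2.pretendco.com.
0 10 443 cas1.pretendco.com.'

# Print "host port" for the record a client should try first: lowest
# priority, then highest weight. The trailing dot of the target is stripped.
best_srv_target() {
  printf '%s\n' "$1" |
    sort -k1,1n -k2,2nr |
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3; exit }'
}

# Live lookup (needs network and dig); not exercised by the tests.
lookup_autodiscover() {
  name=$(autodiscover_srv_name "$1") || return 1
  best_srv_target "$(dig +short SRV "$name")"
}

best_srv_target "$SAMPLE_SRV"
```

If nslookup prints only SOA fields (primary name server, responsible mail addr, serial) and no SRV host and port, as in the listing above, the resolver returned no SRV record for that name, which is exactly the condition under which the Mac client cannot locate the EWS endpoint.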
This opens the Mail app and logs all the traffic generated into a text file on the desktop. This log
file is helpful when you need to troubleshoot connectivity issues.
To trace regular Mail activity beyond EWS Autodiscover, type:
/Applications/Mail.app/Contents/MacOS/Mail -LogHTTPActivity YES >& Desktop/yourmaildebug.log &
To track EWS traffic in Calendar or Contacts instead of Mail, type:
/Applications/Calendar.app/Contents/MacOS/Calendar -LogHTTPActivity YES >& Desktop/yourcalendardebug.log &
or type:
/Applications/Contacts.app/Contents/MacOS/Contacts -LogHTTPActivity YES >& Desktop/yourcontactsdebug.log &
For Exchange 2010, find the Outlook Web App Web.config file on the Client Access server. The
default location is \Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\ews.
1.
2.
3.
4.
Change the value for maxRequestLength to 20000, because the units are kilobytes.
5.
6.
Stop and restart the Default Web Site to make the setting take effect.
If you configure other Exchange settings for message size limits accordingly, changing this setting
means OS X Mail users connected to an Exchange server can send messages as large as 20 MB.
The size of a message is roughly determined by the size of the message body plus the size of any
attached files.
Note: Currently, Microsoft doesn't document the configuration of maxRequestLength in the EWS
Web.config file; they document it for OWA. The steps listed above are subject to change.
For more information, see this Microsoft article on managing message sizes for Exchange 2007
(http://technet.microsoft.com/en-us/library/bb124345(EXCHG.80).aspx) or this Microsoft article on
managing message size for Exchange 2013 (http://technet.microsoft.com/en-us/library/bb124345.aspx).
Making these changes assumes that the incoming email message is scanned at the email
gateway and at the server.
For more information about how to turn logging on or off in Outlook 2011, go to
http://office.microsoft.com/en-us/mac-outlook-help/turn-on-logging-HA102928406.aspx?CTT=1.
1.
2.
3.
4.
Enter the address, user name, and password for the site.
5.
Select the Save password in my Mac OS keychain checkbox to save the credentials in the
user keychain.
6.
7.
8.
Click the button in the top application toolbar that corresponds to the task you want to
perform, for example, Add File.
1.
In the Finder, click the Go menu and choose Connect to Server (or use keyboard shortcut
Command-K).
2.
In the Server Address field, enter the path to the DFS share you want to access. (This may or
may not be the root share.)
You can also click the Browse button to see a list of servers on the network, and choose a
DFS share from the list.
3.
Click Connect.
4.
If you're using Kerberos, and you have permission to connect to the share, a window with the
share's contents appears. If you're not using Kerberos, you're prompted to enter a password.
Enter the user name and password.
5.
Click Connect.
Instant messaging
OS X supports many standard instant messaging platforms. In the following section, you'll learn
about Messages, FaceTime, and integration with Microsoft Office Communications Server as
potential instant messaging clients.
Messages
Messages is based on the XMPP instant messaging protocol commonly known as Jabber and
works with AOL Instant Messenger (AIM), Yahoo, Google, standard Jabber servers, and iMessage.
Jabber can be integrated with any instant messaging platform that also has an XMPP gateway.
To configure Messages as a Jabber client:
1.
2.
3.
Click Accounts, then the Add (+) button to add a new account.
4.
5.
6.
7.
8.
If applicable, select the Use SSL checkbox and the Use Kerberos v5 for authentication
checkbox.
9.
2.
3.
4.
Enter your Apple ID and password, and then click Sign In.
5.
Apple offers a number of tools for troubleshooting Messages connectivity. You can use Network
Utility, an application in the /Applications/Utilities folder, to check whether private Jabber servers
are accessible by name and IP address, and check that ports are accessible.
You can also enable debug logging for Messages. To debug communications with Messages,
enter the following string in Terminal:
/Applications/Messages.app/Contents/MacOS/Messages -errorLogLevel 7
The most common causes of poor connection quality are bandwidth, gateway filters, and antivirus
applications.
iMessage on iOS
Apple's iOS 6 includes the Messages app that can connect to your iMessage account with your
Apple ID. This connection lets you receive messages sent to your email addresses or phone
numbers on your iOS devices and OS X computers.
FaceTime
You can use FaceTime on your Mac to make and receive video calls with users on any device that
supports FaceTime: another Mac computer, iPhone 4 or later, iPad 2 or later, or iPod touch (4th
generation or later).
To participate in FaceTime video calls on your Mac, you need:
An Internet connection. You can use Ethernet or Wi-Fi to connect to the Internet.
A Mac computer running Mac OS X 10.6.4 with all available security updates installed
A built-in FaceTime camera, an iSight camera (built-in or external), a USB video class (UVC)
camera, or a FireWire DV camcorder
A microphone. You can use the built-in microphone, an external microphone attached to your
computer's audio input port, or a Bluetooth or USB microphone or headset.
Contacts. You can call FaceTime users whose contact information is kept in Contacts. To place a
video call to an iPhone, use a phone number. To call a Mac, iPod touch, or iPad, use an email
address.
Signing in to FaceTime
Before making or receiving video calls, you need to sign in to FaceTime with your Apple ID.
If you already have an iTunes Store account or another Apple account, you can use the Apple ID
associated with that account. If you don't have an Apple ID, you can create one in FaceTime.
To sign in to FaceTime:
1.
2.
Enter the email address others can use to call you in FaceTime, and then click Next to sign in.
If this is the first time you've used the email address in FaceTime, check for a new email
message from Apple requesting that you verify that the address is a valid one to associate
with your Apple ID. Simply click the Verify Now link in the message, and then enter your
Apple ID and password.
After signing in, you can add an additional email address and adjust other FaceTime settings.
1.
2.
Click Account.
The Account field identifies the Apple ID you used to sign in to FaceTime.
2.
1.
Open Office Communicator from the Applications > Microsoft Office 2011 folder.
2.
The first time the application opens, it will prompt you to make Communicator the default
application for phone calls. If you want to make Communicator your default telephony
application, click Use Communicator.
3.
4.
Click Account. The account name is listed by email address. Click Change to assign a new
account name.
5.
6.
The default for My Network Settings in the Account pane is set to Automatic configuration. If
you have a private Microsoft Lync server, select Manually configure settings.
7.
8.
Choose whether to use TCP or TLS. (If you don't know which option to use, contact the
Communications Server administrator.)
9.
Resources
Command line help: man pages
For more information on local directory services command line tools, open Terminal in
/Applications/Utilities, and enter man <utility name>.
SharePoint: Working with Documents Stored in a SharePoint Site Using Document Connection:
http://social.technet.microsoft.com/wiki/contents/articles/10527.sharepoint-working-withdocuments-stored-in-a-sharepoint-site-using-document-connection.aspx
Appendix
This appendix contains advanced techniques for managing accounts, directory binds, and
certificates using the command line interface (CLI).
1.
Add the user name to the local directory services information store database using the
following command:
sudo dscl /Local/Default create /Users/pretendcoadmin
2.
Set the login shell to be used. Bash is the standard used in most OS X environments:
sudo dscl /Local/Default create /Users/pretendcoadmin UserShell /bin/bash
3.
Set the full (or long) name of the user account, replacing Pretendco Administrator with the
new users full name:
sudo dscl /Local/Default create /Users/pretendcoadmin RealName "Pretendco Administrator"
4.
Set the User ID (UID) as a unique value. In this example, run the following command to set
the UID to 1100. Subsequent users will need additional unique UIDs.
sudo dscl /Local/Default create /Users/pretendcoadmin UniqueID 1100
5.
Once a UID has been assigned to the account, set the default group ID (GID) using the
following command. Note that the GID must be different than other GIDs but can be the
same as the UID used in the previous step.
sudo dscl /Local/Default create /Users/pretendcoadmin PrimaryGroupID 1100
6.
Now that the user has a GID, set the home directory for the user using the following
command:
sudo dscl /Local/Default create /Users/pretendcoadmin NFSHomeDirectory /Users/pretendcoadmin
7.
Add the user to the existing admin group. If converting an existing user account into an
administrative account, use only the following command:
8.
Set (or change) the user's password (unless it was a pre-existing account) using the following
command:
sudo dscl . -passwd /Users/pretendcoadmin
Optionally, to avoid being prompted for it, the password may be included at the end of the
command, as follows:
sudo dscl . -passwd /Users/pretendcoadmin newpassword
When generating a shell script from these commands, either prompt the user for the password in
the script and use the entered value, or supply a hash/hash file instead. Otherwise the password
would be available to anyone who knows how to edit a script.
Note: If you use this account for anything other than standard administrative purposes, you'll
want to populate the account with more attributes. In this case, you're simply using a skeleton set
of attributes given that the account doesn't need to be fully usable.
Now log in and test that the account doesn't show up in the Users & Groups System Preferences
pane.
Note: When using hidden local administrative accounts, text input at login is allowed by default,
rather than only showing a list of users. This is the default behavior of OS X when there are
accounts able to authenticate but not listed in the login pane.
Additionally, you can change items, such as the home directory or real name, by using dscl
options.
1.
Before nesting the Active Directory group, verify that it resolves correctly on the client. To do
so, use the following dseditgroup command to resolve group membership:
dseditgroup -o read <active directory group name>
The -o read is the command for doing a read operation on the specified group. Therefore,
if you run the command dseditgroup -o read mac_admins, you should receive the
following output:
27 attribute(s) found
...
Attribute[5] is <dsAttrTypeNative:member>
Value[1] <CN=Ken Weaver,CN=Users,DC=pretendco,DC=com>
Value[2] <CN=Gary Dunn,CN=Users,DC=pretendco,DC=com>
...
As you can see from the above output, the member section lists group members. If you don't
receive the desired output, make sure youre bound to a directory service and that the group
exists within Active Directory.
2.
Verify that OS X can resolve group membership for that group. Use the id command to see
in which groups a user is included:
id <short name>
For example, if you run the command id jkaiser (assuming that jkaiser is in an
administrative group), you'll receive the following information:
uid=142413031(jkaiser) gid=63826092(pretendco\domain users) groups=63826092(pretendco\domain users),103(com.apple.sharepoint.group.3),104(com.apple.sharepoint.group.4),98(_lpadmin),1166270692(pretendco\mac_admins),102(com.apple.sharepoint.group.2),101(com.apple.sharepoint.group.1),80(admin),20(staff)
3.
To nest the Active Directory group, use dseditgroup with the -o edit option (edit
operation), the -a option followed by the appropriate group name from Active Directory, the
-t option followed by group (which specifies that the type to add is a group), and the -n
option followed by
/Local/Default, which specifies to add to the local directory service.
sudo dseditgroup -o edit -a <group name> -t group -n /Local/Default admin
Using the above syntax, a sample of the command would appear as follows:
sudo dseditgroup -o edit -a mac_admins -t group -n /Local/Default admin
If you receive a message about the group being upgraded, ignore this message.
Note: You can also add a network user to the admin group by using the same command but
changing the type.
sudo dseditgroup -o edit -a <network user name> -t user -n /Local/Default admin
Note: If you combine this with mobile (cached) accounts, you can give a user administrative
rights to their local computer but allow for password policies managed from within Active
Directory.
4.
To test that the nested user is now a local administrator, open the Users & Groups System
Preferences pane and unlock the pane with a user that is in the nested group. If it unlocks
successfully, the user is now a local administrator.
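Steps 1, 2 and 4 above check the nesting by eye. As an added example (not code from the Apple guide), the functions below do the same checks from a script: they pull the member DNs out of a dseditgroup -o read dump and the group names out of an id line, and confirm that a user resolves to both the Active Directory group and the local admin group. Both listings are constructed here in the formats the guide shows; the user jkaiser, the group mac_admins and the pretendco.com DNs are assumptions.

```shell
#!/bin/bash
# Added example, not from the Apple guide: verify group nesting from the
# output of "id" and "dseditgroup -o read". Both listings are constructed in
# the formats the guide shows; user, group and domain names are assumptions.
# On a real Mac: verify_local_admin "$(id jkaiser)" 'pretendco\mac_admins'

SAMPLE_ID='uid=142413031(jkaiser) gid=63826092(pretendco\domain users) groups=63826092(pretendco\domain users),103(com.apple.sharepoint.group.3),98(_lpadmin),1166270692(pretendco\mac_admins),80(admin),20(staff)'

SAMPLE_DSEDITGROUP='27 attribute(s) found
Attribute[1] is <dsAttrTypeStandard:RecordName>
Value[1] <mac_admins>
Attribute[5] is <dsAttrTypeNative:member>
Value[1] <CN=Ken Weaver,CN=Users,DC=pretendco,DC=com>
Value[2] <CN=Gary Dunn,CN=Users,DC=pretendco,DC=com>
Attribute[6] is <dsAttrTypeNative:objectClass>
Value[1] <top>'

# One group name per line from an "id" line: the names in parentheses after groups=.
id_group_names() {
  printf '%s\n' "$1" |
    sed -n 's/.*groups=//p' |
    tr ',' '\n' |
    sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# Succeeds if the id output lists the given group, matched literally
# (so 'pretendco\mac_admins' keeps its backslash).
id_in_group() {
  id_group_names "$1" | grep -qxF -- "$2"
}

# Print the DNs listed under the member attribute of a dseditgroup -o read dump.
# Value lines belong to the most recent Attribute[...] header.
dseditgroup_members() {
  printf '%s\n' "$1" | awk '
    /^Attribute\[/ { inmember = ($0 ~ /:member>$/); next }
    inmember && /^Value\[/ { sub(/^Value\[[0-9]+\] </, ""); sub(/>$/, ""); print }'
}

# The nesting worked when the user is in the AD group and in the local admin group.
verify_local_admin() {
  id_in_group "$1" "$2" && id_in_group "$1" admin
}

if verify_local_admin "$SAMPLE_ID" 'pretendco\mac_admins'; then
  echo "jkaiser is a local administrator through pretendco\\mac_admins"
fi
dseditgroup_members "$SAMPLE_DSEDITGROUP"
```

Because the id parser matches whole names, a group such as admin is not confused with _lpadmin or a domain group that merely contains the word.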
Note: The command line utility used to run commands as root, sudo, doesn't recognize
nested groups. If you want users in nested administrative accounts to be able to use sudo,
you must edit the /etc/sudoers file. Within that file, find the user privilege specification
section, as follows:
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
Then add %<AD group name> ALL=(ALL) ALL to that section. For example:
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
%mac_admins ALL=(ALL) ALL
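Granting a group full sudo rights is an edit worth auditing across a fleet, and one that should not be applied twice. As an added example (not code from the Apple guide), the functions below list the groups a sudoers file grants in the exact %group ALL=(ALL) ALL form shown above, and append an entry for a group only when it is missing. The file content is constructed in a temporary file, and mac_admins is the guide's example group name; on a real system the file is edited through visudo, which checks the syntax before saving.

```shell
#!/bin/bash
# Added example, not from the Apple guide: audit which groups a sudoers file
# grants "ALL=(ALL) ALL" and add a group entry idempotently. Content is
# constructed in a temporary file; mac_admins is the guide's example group.

# Group names (without the %) from lines of the form "%group ALL=(ALL) ALL".
# Other sudoers forms (for example ALL=(ALL:ALL) ALL) are deliberately not matched.
sudoers_full_groups() {
  awk '$1 ~ /^%/ && $2 == "ALL=(ALL)" && $3 == "ALL" { sub(/^%/, "", $1); print $1 }' "$1"
}

# Succeeds if the named group already has the full entry.
sudoers_group_granted() {
  sudoers_full_groups "$1" | grep -qxF -- "$2"
}

# Append "%group ALL=(ALL) ALL" unless it is already present. The group name
# is restricted to safe characters so nothing else can be smuggled into the file.
sudoers_add_group() {
  file=$1 group=$2
  case "$group" in
    '' | *[!A-Za-z0-9_.-]*) echo "invalid group name: $group" >&2; return 1 ;;
  esac
  if sudoers_group_granted "$file" "$group"; then
    return 0
  fi
  printf '%%%s ALL=(ALL) ALL\n' "$group" >> "$file"
}

# Stand-alone demonstration on a constructed copy of the section shown above.
demo_sudoers=$(mktemp)
printf '# User privilege specification\nroot\tALL=(ALL) ALL\n%%admin\tALL=(ALL) ALL\n' > "$demo_sudoers"
sudoers_add_group "$demo_sudoers" mac_admins
sudoers_add_group "$demo_sudoers" mac_admins   # second call changes nothing
echo "groups with full sudo: $(sudoers_full_groups "$demo_sudoers" | tr '\n' ' ')"
rm -f "$demo_sudoers"
```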
1.
2.
touch createuser.bash
3.
#!/bin/bash
dscl . -create /Users/hidden
dscl . -create /Users/hidden NFSHomeDirectory /Users/hidden
dscl . -create /Users/hidden RealName "Hidden Admin"
dscl . -create /Users/hidden PrimaryGroupID 499
dscl . -create /Users/hidden UserShell /bin/bash
dscl . -create /Users/hidden UniqueID 499
Each line in the script uses dscl (directory services command line) to create the user account
and the user account attributes.
4.
Since a password has not yet been assigned to the account, choose from three ways to
provide a password for the newly created user.
The first way is to simply place the password into the script in clear text. This requires the
directory services daemon to be running when the script runs. To do so, append the
following line to the end of the above script:
dscl . -passwd /Users/hidden 'mypass'
The second, and most secure, way is to pregenerate the SHA1 hash and install it as a file with
your package. This requires you to hard code the GeneratedUID, which is typically
automatically generated when the account is created using dscl using the standard
iteration. The simplest method is to create a user and generate a password as described in
the rest of this script. Then add the user's corresponding plist file and the generated
encrypted password file to a package and push it to the local workstation, also adding the
GeneratedUID attribute in dscl. For example, if the GeneratedUID were 000-000-000 in a
created account, the following would create the GeneratedUID when used as the last line of
the script:
dscl . -create /Users/hidden GeneratedUID 000-000-000
Note: There are also scripts that can be leveraged to generate a SHA1 hash for the password
as needed.
In the above example, diradmin is the user name of the LDAP administrative account with a
password of ldappassword, and admin is the local administrative user name with a password
of localpassword.
2.
To embed other information into the command, use the following options:
-f
-v
-i
-x
-s
-g
-m
-e
-h
The following parameters are necessary when automating the process in later modules:
3.
-a servername
-r servername
-n configname
-c computerid
-u username
-p password
-l username
-q password
The following command binds to the directory service using a user name and a password for
both the local client and the directory service. The server was defined using the -a option
followed by the server name of server.pretendco.com. The server's administrative user that
allows for binding was set using the -u option, followed by diradmin, the user of the server
with said privileges.
dsconfigldap -a server.pretendco.com -l admin -q mypassword -u diradmin -p myODpassword
4.
By default, dsconfigldap adds the client to the search path. This can also be done
manually (which is required in OS X 10.5 and earlier). To do so, add the Open Directory store
to the search path and set the search path to custom for the computer to be able to
authenticate against the bound directory. To set your search path to custom, use the
following command:
sudo dscl /Search -change / SearchPolicy dsAttrTypeStandard:LSPSearchPath dsAttrTypeStandard:CSPSearchPath
5.
To set the third item in the search path, use the following command:
sudo dscl /Search -append / CSPSearchPath /LDAPv3/server.pretendco.com
6.
To specifically bind and not add the new LDAP instance to the search path in OS X,
use the -S operator along with the dsconfigldap command.
Paste the following into the ldapbind.bash file for an authenticated bind. In this example, the user
name for Open Directory is diradmin and the password is mypassword.
#!/bin/bash
dsconfigldap -a server.pretendco.com -n server.pretendco.com -u diradmin -p mypassword
Alternatively, paste the following into the ldapbind.bash file (for an unauthenticated bind).
#!/bin/bash
dsconfigldap -a server.pretendco.com
dscl /Search -change / SearchPolicy dsAttrTypeStandard:LSPSearchPath dsAttrTypeStandard:CSPSearchPath
sudo dscl /Search -append / CSPSearchPath /LDAPv3/server.pretendco.com
Given that some environments are more complicated than the above script, you may need to
further customize the dsconfigldap script using more switches to denote items such as local
administrative user names and passwords, SSL requirements, and packet signing requirements.
When performing a trusted bind with a password in the script, make the script self-destructing for
added security. To do so, add a line at the end of the script that performs an srm (secure erase) of
the script when it's finished running. Alternatively, build a first-run launchd task into an image
and have the launchd task remove itself when finished using the same srm command.
To set up the mobile home directory for the Active Directory account to exist on the local system,
add the -mobile switch to the end of the dsconfigad command with a setting of enable, as
follows:
dsconfigad -f -a mycomputername -u domainadmin -p domainadminspassword -domain mydomain.com -mobile enable
Other options available to the dsconfigad command include the following, broken out by type.
Basic options: commonly used
-computer computerid
-force
-remove
-localuser username
-localpassword password
-username username
-password password
-ou dn
-domain fqdn
-show
-mobileconfirm
-localhome flag
-useuncpath flag
-protocol type
-shell value
Advanced options: mappings
-uid attribute
-nouid
-gid attribute
-nogid
-ggid attribute
-noggid
-authority enable or disable
Advanced options: administrative
-preferred server
-nopreferred
-groups "1,2,..."
-nogroups
-alldomains flag
-packetsign flag
-packetencrypt flag
-namespace flag
-passinterval days
-restrictDDNS
Given that your environment is likely more complicated than the above script, you may need to
further customize the dsconfigldap script using more switches to denote items such as admin
user names and admin passwords.
your deployment scenario. With either option, you can set the script to automatically delete itself.
For the purposes of this module, we will place the script in the /Library/StartupItems directory
and call it adbind.bash.
1.
2.
Open the new empty shell script in your favorite text editor and paste the previously created
script.
3.
Once you have the script inserted, add a line at the bottom to remove the script and
(optionally) provide an exit code. The whole script can be seen as follows:
#!/bin/bash
ipconfig waitall
dsconfigad -a <computername> -u <binduser> -p <binduserpass> -domain <domain>
sleep 15
srm $0 /Library/StartupItems/adbind/adbind.bash
exit 0
For this example, youll map uid to the uidNumber in Active Directory. To do so, run the
following command:
dsconfigad -uid uidNumber
Note: An unbind and rebind isn't required to change these settings. They are global for all users
on a Mac where this command is run.
Once run, use the domain name in front of the user name when authenticating. If you would like
to switch to using domain namespace at a later date, you can specify the -namespace flag with
domain as the setting.
To change namespace back, use the following command:
dsconfigad -namespace forest
Note: When run, the -namespace changes the primary ID for all accounts. Therefore, any user
profiles for accounts from the Active Directory domain on each client computer need to be
copied/moved into the new profile that is created.
The openssl command can be used to test connectivity to a server that requires the certificate,
as follows:
openssl s_client -connect pretendco.com:389
Once you have validated that the certificate is functional, use dsconfigad to set the packetencrypt option to ssl, as follows:
dsconfigad -packetencrypt ssl
Ignoring trust
By default, OS X requires that a certificate received from a domain controller be trusted. To modify
this policy, you can configure ldap.conf. To disable certificate verification, edit
/etc/openldap/ldap.conf and change the TLS_REQCERT setting to read never, rather than demand.
By default, the settings read as follows:
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_REQCERT     demand
After the change, the settings read as follows:
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_REQCERT     never
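A relaxed TLS_REQCERT tends to outlive the troubleshooting session that introduced it, so it is worth checking for and reverting. As an added example (not code from the Apple guide), the functions below report the effective TLS_REQCERT value of an ldap.conf, flag a file that has been set to never, and put the setting back to demand. With never the client accepts whatever certificate the domain controller, or anything between the Mac and it, presents, so demand is the value to restore once the certificate problem is fixed. The two file bodies are constructed from the listing above and written to temporary files, not to /etc/openldap/ldap.conf.

```shell
#!/bin/bash
# Added example, not from the Apple guide: audit and restore TLS_REQCERT in an
# OpenLDAP ldap.conf. Sample files are constructed here in temporary paths;
# on a real Mac pass /etc/openldap/ldap.conf to the functions instead.

# Effective TLS_REQCERT value: the last uncommented directive wins; if the
# directive is absent OpenLDAP behaves as "demand", its default.
tls_reqcert_value() {
  v=$(awk 'toupper($1) == "TLS_REQCERT" { val = $2 } END { print val }' "$1")
  printf '%s\n' "${v:-demand}"
}

# Succeeds when the client still verifies the server certificate.
ldap_tls_strict() {
  case "$(tls_reqcert_value "$1")" in
    demand | hard) return 0 ;;
    *) return 1 ;;
  esac
}

# Rewrite every TLS_REQCERT line to demand, keeping the rest of the file.
harden_ldap_conf() {
  awk 'toupper($1) == "TLS_REQCERT" { $2 = "demand" } { print }' "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

# Write a constructed ldap.conf (the guide's four lines) with the given value.
write_sample_ldap_conf() {
  printf '#SIZELIMIT\t12\n#TIMELIMIT\t15\n#DEREF\t\tnever\nTLS_REQCERT\t%s\n' "$2" > "$1"
}

# Stand-alone demonstration on a temporary file.
demo_file=$(mktemp)
write_sample_ldap_conf "$demo_file" never
echo "before: TLS_REQCERT $(tls_reqcert_value "$demo_file")"
harden_ldap_conf "$demo_file"
echo "after:  TLS_REQCERT $(tls_reqcert_value "$demo_file")"
rm -f "$demo_file"
```

Because the check reads the last uncommented directive, a file that has the default line followed by a later TLS_REQCERT never is reported as never, which is how OpenLDAP itself resolves duplicate directives.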