Open Directory: Authentication via LDAP, Authorization via NetInfo

  • #357388
    jprince
    Participant

    Hi all,

    I’m trying to set up Mac OS X Server 10.3 to authenticate users via the company LDAP server, but pull all other info from the NetInfo database.

    It seems that this should be possible. There’s a statement in the Active Directory Integration for the Risk Averse article that both techniques mentioned there will work with any Kerberos or LDAP connection you have.

    So, I have my server able to authenticate users (logged in on the console or via ssh, afp and smb connections don’t seem to work yet) via the LDAP server. However, when I try to create “shadow” users in Workgroup Manager with the same uid and username with a password of “*” it won’t do it and complains that the user I’m trying to create already exists. It won’t let me create a local account if the same username already exists in the LDAP.

    Any ideas?

    Thanks,
    Jim

    #357414
    jprince
    Participant

    Ok, I thought that it was implying that it could be done with Kerberos or LDAP, not just with Kerberos and LDAP, or really, just with Kerberos (if Kerberos could work with other user/pass repositories on the other end, it wouldn’t matter what it was).

    So is there just no way to use the existing LDAP server if all that it contains is usernames, passwords and userids (employee numbers)?

    Ultimately the setup that I’d like to have is that anyone with a uid in the LDAP server (all employees) has some sort of generic access to the server, but subsets (various development groups) have additional abilities and more advanced use of the server.

    I can already do that by adding users in the LDAP to various groups that I create on the server and give rights to the groups, but there doesn’t seem to be any reliable way to give individual users home directories. I don’t maintain the LDAP server and can’t get any other access to it than just using it to authenticate users. I’ve looked at the LDAPv3 plug-in that Dan Sinema modified, but that’s not really what I want; I don’t want everyone to have a home directory, plus, it doesn’t work on Panther Server.

    It really seems as if there should be a way to “augment” the data from the LDAP server with additional data defined in the local NetInfo database, but it looks like that just isn’t possible yet, or no one has figured out how to do it yet.

    I’ll post whatever solution I eventually come up with here for others and for comment when I finally get it worked out.
