How create Cross Domain with Open Directory 4?
May 21, 2008 at 5:48 pm #372839
Rick Gordon
Participant
Hi,
in my company we've just bought some Xserves to create cross-domain authentication… but there isn't any helpful documentation about how to do it: just plenty of marketing news about the OpenDirectory 4 Cross Domain feature!!

We asked our Apple reps and got no answer…
No help from Google…

Has anyone here successfully created Cross-Realm Authentication between Active Directory (2003 SP2) and Open Directory Master 10.5.2?
Any experience, suggestions and tips would be appreciated.

Cheers
Rick

May 22, 2008 at 8:42 am #372856
Rick Gordon
Participant
Well…
we want to use our new Xserve to provide Wiki, Calendar and Mail services to Active Directory (2003 SP2) users, most of them logging in from Windows XP computers under the Active Directory domain.

We see that CalDAV needs an Open Directory Master, maybe because it stores a Service Locator attribute for every user (and some others for groups).
The Mail service needs a Mail attribute on a per-user basis, and rather than extending the Active Directory schema (same issue: there's no documentation about how to do it), we are trying to create cross-realm authentication between the Active Directory domain (AD.COM) and the OpenDirectory one (OD.COM), so that when a Windows user logs in, their Active Directory Kerberos TGT lets them be recognized by the OpenDirectory domain and authenticate to the mail service. (I suppose that we have to duplicate all Active Directory users in the ODM.)

In Windows we have to create a transitive domain trust and then add Kerberos user principal mappings to those we have in the ODM, but in Leopard the official documentation is marketing oriented (for example the latest Open_Directory_Admin.pdf, page 69) and it completely skips a proper step-by-step procedure :(.
We probably also have to configure the Windows clients to know about the ODM domain…

Has anyone created this kind of authentication between domains?

Cheers
Rick

May 30, 2008 at 10:10 pm #372949
nakima731
Participant
Well – it sounds like you are looking for information on “Configuring Cross-Realm Authentication between Mac OS X Server’s Open Directory and Active Directory” (https://www.afp548.com/xrealm/).

However, you will be sorely disappointed by the fact that “When using a Mac OS X Wiki Server that is bound to Active Directory, some configuration may be required in order to allow users to authenticate using their Active Directory credentials. This is required because, by default, the wiki server uses CRAM-MD5 authentication, which is not supported by the Active Directory plugin.” See: “Enabling wiki access for Active Directory or third-party LDAP server users” (http://support.apple.com/kb/TS1619)

June 1, 2008 at 9:00 pm #372964
Rick Gordon
Participant
nakima,
that document, written by the unforgettable Michael Bartosh, was useful under 10.4: we tried to follow the same steps under Leopard, but with no success (maybe it's either a bug or genuinely different behaviour in Leopard).
Apple's official OpenDirectory PDF guide claims Leopard simplifies cross-authorization between an Open Directory Master and Active Directory (see page 69), but it doesn't seem to work at all.

Has anyone been able to create a cross-domain trust, even just a one-way one, under Leopard 10.5.3?

Cheers
Rick