How do you implement the full OS X schema on a Windows 2003 AD server?

  • #368572
    dusty28
    Participant

    Hello,

    I have been googling and browsing the web for days trying to find “The List” of the approx. 52 schema changes that can be implemented on AD to support OS X network users. I have read several articles on this site that make reference to this magical list, but I have been unable to find it.

    I work for a non-profit that has a vast majority of users running Windows and a significant minority running OS X. I have set up the AD plugin to authenticate to the AD domain and have even written some scripts that run at login to mount shared drives.

    I would like a finer degree of control that I know is possible with the “Magic Triangle” setup. However, my non-profit cannot justify the expense of buying an OS X Server.

    Could someone please point me to the documentation that shows the full schema needed for OS X on AD? Any advice would also be greatly appreciated.

    Thanks.

    #368581
    s_groening
    Participant

    Hi,

    I am at the moment working on an OpenLDAP-based OS X Server replacement running on Linux. Apple’s Open Directory is basically OpenLDAP + MIT Kerberos 5 + Cyrus SASL2 in fancy armour; however, Active Directory is itself pretty standards-compliant (at least at its core), so you should be able to mold the apple.schema onto it…

    However, it is at the same time very dependent on the samba.schema, which in turn resembles a subset of what is to be considered the Active Directory schema, since it emulates the capabilities of the Windows NT4 domain structure.

    I would think that it is possible to load an .ldif of the apple.schema file but I wouldn’t expect it to be easy… OpenLDAP is by far easier, I guess, since it can use the schema files directly.

    There is one project that comes to mind, though. An effort by Gordon Shukwit to port the apple.schema to Active Directory. [url]http://www.shukwit.com/files/ADintregration7-31-03.dmg[/url]

    It has not been updated since sometime in 2003, but you might want to take a look at it anyhow!

    Best regards,
    Søren Grønning

    #368612
    dusty28
    Participant

    Hi s_groening and MacTroll,

    Thanks for the replies.

    [QUOTE][u]Quote by: MacTroll[/u][p]A few things here…
    Point this at an OD Master, it’ll suck all the schema files out and create an import file for AD. This is by far the most painless way to do this.[/p][/QUOTE]
    Unfortunately I do not have an Open Directory server (nor an Xserve, as mentioned) that I can pull a schema from. It sounds like a great solution if I had one. 🙂

    It was actually my apple rep that pointed me to this website. I am still hoping there is someone out there who can tell me where to find the specifics on how to do this.

    I guess I can maybe clarify by starting small. The first thing I would like to implement is to lock down which network logons are allowed to work on each computer. In Windows AD, there is a “Log on to” button under the user object that lets you define a list of which computers that user is allowed to have access to.

    I tried adding only one OS X computer to a test user’s “Log on to” list; however, that user could still log into any machine joined to the domain. I assume that the AD plugin is not looking at the Windows AD schema to determine whether the user has access or not.

    What schema changes would have to be made to implement the AD “Log on to” list?

    Thanks again.
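The “Log on to” list that the last post describes is stored on the user object in the standard AD attribute userWorkstations (a comma-separated list of NetBIOS computer names; an empty or absent value means the user may log on anywhere). The Mac AD plugin of that era does not consult it, which is the behaviour dusty28 observed. The following is an added example, not code from any poster or from Apple: it parses a small constructed LDIF export of two user objects and evaluates the same rule client-side, the way a hypothetical login hook on the Mac could, so that the restriction set in AD is at least enforced consistently. The LDIF content, the user names and the hostnames are constructed for the example.

```python
"""Client-side evaluation of the AD "Log on to" list (userWorkstations).

Added example. Assumes the directory has been exported to LDIF (for
instance with ldapsearch) and that a hypothetical login hook calls
workstation_allowed() with the local hostname before letting the session
continue.  Nothing here talks to a directory server.
"""
import socket

# Constructed sample LDIF export of two user objects.  Not real data.
# The first user is restricted to three workstations (note the folded
# continuation line, which LDIF marks with a leading space); the second
# has no userWorkstations value and is therefore unrestricted.
SAMPLE_LDIF = """\
dn: CN=Test User,OU=Staff,DC=example,DC=org
objectClass: user
sAMAccountName: testuser
userWorkstations: MAC-LAB-01,MAC-LAB-02,
 WIN-FRONTDESK

dn: CN=Open User,OU=Staff,DC=example,DC=org
objectClass: user
sAMAccountName: openuser
"""


def parse_ldif(text):
    """Parse a simple LDIF dump into {dn: {attribute: [values]}}.

    Handles folded continuation lines and comment lines.  Base64 values
    ("attr:: ...") are not decoded; the sample does not use them.
    """
    # First unfold: a line starting with a space continues the previous line.
    logical_lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]
        else:
            logical_lines.append(raw)

    entries = {}
    current = {}
    for line in logical_lines + [""]:  # trailing "" flushes the last entry
        if line == "":
            if current:
                entries[current["dn"][0]] = current
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value.strip())
    return entries


def find_user(entries, sam_account_name):
    """Return the entry whose sAMAccountName matches (case-insensitive), or None."""
    for entry in entries.values():
        if entry.get("sAMAccountName", [""])[0].lower() == sam_account_name.lower():
            return entry
    return None


def allowed_workstations(entry):
    """Return the set of allowed NetBIOS names (upper-cased), or None if unrestricted.

    AD semantics: no userWorkstations value means "all computers".
    """
    names = set()
    for value in entry.get("userWorkstations", []):
        for name in value.split(","):
            name = name.strip().upper()
            if name:
                names.add(name)
    return names or None


def netbios_name(hostname):
    """Reduce an FQDN or Bonjour name (mac-lab-01.example.org) to its first label, upper-cased."""
    return hostname.split(".")[0].upper()


def workstation_allowed(entry, hostname):
    """True if the user may log on to `hostname` under the userWorkstations rule."""
    allowed = allowed_workstations(entry)
    if allowed is None:
        return True
    return netbios_name(hostname) in allowed


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    here = socket.gethostname()
    for name in ("testuser", "openuser"):
        verdict = workstation_allowed(find_user(users, name), here)
        print(f"{name} on {here}: {'allowed' if verdict else 'denied'}")
```

Two design points worth noting: the comparison is done on the first DNS label, upper-cased, because AD stores NetBIOS names and the Mac's hostname is usually an FQDN or a .local name; and an absent attribute deliberately returns True rather than False, matching what the Windows logon path does, so that enforcing this on the Mac side cannot lock out users whom AD itself would admit.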
