Integrating Mac OS X And Novell eDirectory

Contents
Introduction
- Directory services
- Prerequisites
- Terminology
- This document
- Scenarios
Setting up the Mac OS X Client Scenario
• Configuring the Netware Server
- Tools used to configure server
- What the test Netware tree looks like
- Setting the Password options for Netware
- Pre-existing attributes needed for Mac OS X
- Extending the schema for Mac OS X Home Directory and mounts class
- Modify LDAP Group Settings
- Populate the users with the needed values
- Create a mounts object
- Create an LDAP proxy user
- Assure the values are correct
- Finishing up the Netware Server
• Configuring the Mac OS X client
- Using Directory Setup
- Mapping values (table)
- Testing
• Making Secure connections
- Enabling SSL on Netware server
- SSL Enabler
- Mac OS X Client
Setting up the Mac OS 9/Macintosh Manager Client Scenario
Appendix
A – Setting the Simple Password
B – Schema LDIF File
C – User LDIF Template
D – Mounts LDIF Template
E – Options for base64 encoding a value
F – Manually Extending the Schema
Integrating MacOS X and Novell eDirectory
1
Introduction
This document describes how you can use information stored in Novell’s eDirectory to
authenticate Macintosh users and provide file services and home directories for them on
Netware 6. To do so, you’ll take advantage of the Mac OS X directory services
architecture. This setup can be similar to a Windows PC setup with Novell’s Client 32.
Directory Services
A directory service provides a central repository for information about the systems,
applications, and users in an organization. It also defines the relationships and access
privileges between systems, applications and users in an organization. In education and
enterprise environments, a directory service is the ideal way to manage users and
computing resources. Organizations with as few as 10 people can benefit by deploying a
directory service.
Directory services can be doubly beneficial. They centralize system and network
administration, and they simplify a user’s experience on the network. With a directory
service, information about all the users—such as their names, passwords, and
preferences—as well as printers and other resources on a network can be maintained in a
single location rather than on each computer on the network. Using a directory service
can reduce the system administrator’s user management burden. In addition, users can log
in to any authorized computer on the network, with their Desktop customized using their
individual preferences, and easily locate and use authorized network resources. Apple has
built an open, extensible directory services architecture into Mac OS X and Mac OS X
Server. This architecture directs system software and applications to either Apple’s
NetInfo (the directory that ships with Mac OS X Server) or an LDAP (Lightweight
Directory Access Protocol) directory located on the network. NetInfo is an easy-to-deploy, scalable directory service for Macintosh networks. LDAP is an open standard
commonly used in mixed environments. By adding LDAP support, Apple provides
customers with the ability to easily integrate Mac OS X and Mac OS X Server systems
into most managed networks. In addition, it is now possible to integrate Mac OS X
computers into environments based on Novell’s eDirectory. This support lets you
maintain Mac OS X user names and passwords in eDirectory, authenticate Mac OS X
users with eDirectory, and allow users to mount their network home directory based on
information stored in eDirectory.
Today, directory services are an essential part of any computing infrastructure. Directory
services fill a number of critical roles, including managing workgroups, workflows,
employee directories, and hardware and software resources. With Mac OS X’s open
directory services architecture and built-in support for open standards, Mac OS X
desktops and servers can now leverage directory services wherever they reside—in a
Macintosh NetInfo directory, in a Novell eDirectory, or in an enterprise LDAP directory.
Prerequisites
For readers not familiar with Mac OS X directory services, we recommend the
Mac OS X Server Administrator’s Guide and the white paper entitled
Understanding and Using NetInfo. Both are available at www.apple.com/macosx/server
The IETF and various LDAP Directory Service vendors have a number of valuable
resources to help readers not familiar with the LDAP standard and associated schema.
Mac OS X uses the LDAP protocol to connect to Novell’s eDirectory. This paper
assumes that you have in-depth knowledge of eDirectory, especially the ways in which it
needs to be configured to support standard LDAP schema definitions. The instructions
for working with the Netware server and eDirectory in this document assume that you are
familiar with Netware 6 and eDirectory. They do not show every step you use to update
eDirectory. If you need additional assistance, consult an individual with Netware 6 and
eDirectory expertise, refer to the documentation for these products, or go to this Web site:
http://support.novell.com/
NFAP (Native File Access Pack) for Macintosh and UNIX needs to be installed on your
Netware 6 server.
Terminology
There is a difference in terminology between Mac OS X and Netware that is helpful to know
when reading this document. In Mac OS X, as on other UNIX platforms, the UID (user ID) is
a numerical value; in Netware the “UID” of a user is the username. Mac OS X uses the
numerical value to distinguish users, while Novell uses an X.500-style name. Example:

              Mac OS X    Netware
  username    Fred        Fred
  UID         100         Fred

Novell does allow a user to be given a numerical ID as well. In this document, a Novell
UID means the user’s username (Fred) and uidNumber means the numerical ID; a Mac OS X UID
means the numerical ID (100).
This Document
This document describes how information stored in Novell’s eDirectory can be used to
authenticate Mac OS X users and provide these users with network home directories and
file services from a Netware 6 server and the Apple Filing Protocol (AFP).
Scenarios
This paper presents two scenarios for eDirectory integration. In each scenario,
Netware 6 is used to host files for Macintosh computer users:
- In one scenario, Netware 6 is used to authenticate Mac OS X clients. Mac OS X clients
in this scenario can authenticate with their eDirectory account from the Mac OS X login
window. The user’s Netware home directory located on the Netware 6 server will be
mounted as the user’s Mac OS X home directory.
- In another scenario, Netware 6 is used to authenticate Mac OS 9 users through
Macintosh Manager on a Mac OS X Server. This allows Mac OS 9 users to log in through
Macintosh Manager using their eDirectory accounts. The user’s Netware home directory
located on the Netware 6 server will be mounted as the user’s Macintosh Manager home
directory.
Setting up Mac OS X client scenario
Netware 6 Server
Tools used to configure the server
How many tools you use to configure the Netware server depends on your setup. In
most cases ConsoleOne is all you need. If you plan to run ConsoleOne at the server
console, you will also need Netware Remote Manager for setting the simple passwords. If
you run ConsoleOne on a Windows PC, make sure the simple password snap-in is installed
(the snap-in is installed with NMAS) and that client NICI (Novell International
Cryptographic Infrastructure) v2 or greater is installed on the Windows PC.
What the test Netware tree looks like
The tree used in this document is as follows:
The tree name is APPLE-TREE and it has one Organization, O=APPLE. The users are
contained inside O=APPLE. I have also created an Organizational Unit for “mounts”; this
is discussed later in the document.
Setting the Password options for Netware
If you selected “Allow Clear Text Passwords” for LDAP at install you may skip this step.
Otherwise, in ConsoleOne select and open the LDAP Group object for your server (usually
located in the same container as your server) and, on the first screen, select “Allow
Clear Text Passwords”. Be aware of what this enables: the Mac OS X client binds to port
389 with a simple bind, so with this option each user’s password crosses the network
unencrypted at every login. If that is a concern, see “Making Secure connections” at the
end of this document for setting up SSL-encrypted connections to the server.
Preexisting attributes in Netware used by Mac OS X
Novell has done an excellent job of supplying attributes for users in almost any
environment. Many of the attributes needed are exposed in ConsoleOne’s UNIX Profile
screen and General screen. Below is a table of the existing attributes and where in the
GUI the values are configured.

Description          NDS/eDirectory name   LDAP name       GUI location (ConsoleOne)
UID                  User ID               uidNumber*      UNIX Profile
GID                  Group ID              gidNumber*      UNIX Profile
Login Shell          Login Shell           loginShell*     UNIX Profile
Home Directory Path  Home Directory        homeDirectory*  UNIX Profile
Full Name            Full Name             fullName        General
Email Address        E-mail Address        mail            General
Given Name           Given Name            givenName       General
Last Name            Last Name             sn              General

* These attributes are part of the posixAccount objectClass, which must be applied to
each user.
Extending the schema for Mac OS X Home Directories
The user’s home directory on an AFP server is provided to Mac OS X as an XML string, so
an attribute is needed in eDirectory to hold this value. The value has the following
format:
<home_dir>
<url>afp://yourserver.yourcompany.com/Sharepoint</url>
<path>PathToYourHomeDirectory</path>
</home_dir>*
where:
yourserver.yourcompany.com is the DNS name or IP address of your server
Sharepoint is the volume exported by AFPTCP on NetWare. It usually has the format
servername.volumename
PathToYourHomeDirectory is the path of the user’s home directory relative to the
NetWare volume root.
* Because the value starts with “<”, it must be base64 encoded in the LDIF file according
to RFC 2849 (see Appendix E for options for base64 encoding a value).
To extend the schema we use an LDIF file that has all the proper attributes and classes,
including approved names and ASN.1 numbers. The LDIF file is reproduced in Appendix B; a
text file named macosx.ldf can also be found in the “Supporting Files” folder.
To import the LDIF file into eDirectory you can use either of two methods:
1. ldapmodify
This is a command-line tool, available from http://www.openldap.org for DOS and Unix
(the Unix version works well on Mac OS X). Note that the DOS build accepts LDIF files
with CR-LF line endings, whereas the Unix build does not.
Enter the following command on one line:
ldapmodify -v -h <server address> -D 'cn=admin,ou=<YourOU>,o=<YourO>' -W -f <PathToFile>
With an OpenLDAP 2.x client add -x so that a simple bind is used rather than SASL. -W
prompts for the admin password instead of placing it on the command line, where it would
be visible in the process list and in your shell history.
2. ConsoleOne
From ConsoleOne, under the “Wizards” menu, select NDS Import/Export.
1. This brings up a wizard; select “Import LDIF file”. Click “Next”.
2. Navigate to your LDIF file. Click “Next”.
3. Enter the IP address/DNS name of your server and port number 389. (If you have SSL
set up, use the SSL port, 636, instead; you will need to select the server’s DER
certificate file, which is found on all servers in SYS:\PUBLIC\RootCert.der.) Select
“Authenticated” login and enter your admin name (cn=admin,ou=YourOU,o=YourO) and the
admin password. Click “Next”.
4. Click “Finish”.
The file should update the schema. If you received errors on importing, make sure the
file does not contain any illegal characters (specifically invisible characters from
copying off the web). To make sure everything updated properly, open ConsoleOne, go to
“Schema Manager” under the “Tools” menu and look for your classes and attributes. After
you have updated the schema
Modify LDAP Group Settings
There are a few NDS/LDAP attributes mappings that need to be deleted from the LDAP
Group object. These mappings are redundant, so there should not be any concern about
loss of data or functionality.
1. Select your LDAP Group object (usually located in the same container as your
server)
2. Right click and select “Properties”
3. Select the “Attribute Mappings” tab
4. Find the entries for UID/uidNumber and GID/groupID
5. Delete both of these mappings.
Populate the users with the needed values
There are a few ways to populate the users. The easiest is to set the values when the
users are imported, but that may not always be an option. The other ways are as follows.
The first is to manually extend each user object in ConsoleOne:
1. Select the User Object
2. Right click and select “Extensions of this Object…”
3. Click “Add Extension”
4. Select “aplMacOSXUser”
5. Name the auxiliary object EXACTLY the same as your user object
6. Click “Close”
7. Select your user object in ConsoleOne, right click and choose “Properties”
8. Scroll to the “Other” tab
9. With “Attributes” highlighted, click “Add”
10. Select the “aplXMLHomeDirectory” attribute (NOTE: that screen sorts uppercase
first, then lowercase)
11. Select the “aplXMLHomeDirectory” attribute and add the value in the following
format (entered as plain text; base64 encoding is only needed in LDIF files):
<home_dir><url>afp://YourServer.com/SharePoint</url><path>YourPathToHomeDirectory</path></home_dir>
12. Repeat steps 9 and 10 for “aplHomeDirectory”
13. Select the “aplHomeDirectory” attribute and add the value in the following
format:
/Network/Servers/YourServer.com/Sharepoint/YourPathToHomeDirectory
The second method is to create an LDIF file to update all your user objects. A template
LDIF file for a single user object is in the “Supporting Files” folder as userTemp.ldf
(it is also reproduced in Appendix C). NOTE: these files are completely unsupported. DO
NOT call Apple or Novell for support for these files.
Create a mounts object
A mounts object, held in its own organizational unit, now needs to be created to tell
Mac OS X how, where and what to mount for user home directories. You will need to modify
the mounts.ldf file located in the “Supporting Files” directory (see also Appendix D).
You need to modify the following:
1. In the dn of the mounts OU (line 1 of mounts.ldf): place your organization object
name in place of <someO>
2. In the dn of the mounts object (line 5): place your server IP address/DNS name in
place of <YourServer.com>, your share point name in place of <YourSharePoint>, and your
organization object name in place of <someO>
3. In the aplVfsopts url value (line 12): place your server IP address/DNS name in place
of <YourServer.com> and your share point name in place of <YourSharePoint>.
You can also manually create this object and organizational unit (see Appendix F).
Create an LDAP proxy user
You now need to create an LDAP proxy user. Novell’s Support Knowledgebase gives
instructions on how to configure the LDAP proxy account:
TID 10068137
Cannot query the cn attribute using LDAP anonymous queries
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10068137.htm
The Mac OS X client binds as this user without a password (see step 9 of “Using
Directory Setup”), so anyone who learns its DN gets its rights without proving anything.
Grant it only read and browse rights to the user and mounts containers and the
attributes listed in Table 3, and no rights to anything else.
Assure the values are correct
Use an LDAP browser to confirm that the values from Netware via LDAP are correct.
We are now ready to configure the Mac OS X clients.
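As an added check (example code written for this edit, not part of the original paper or of Apple’s or Novell’s tools), the following Python script performs that confirmation offline on LDIF text saved from ldapsearch or an LDAP browser: it decodes each user’s aplXMLHomeDirectory, checks that aplHomeDirectory is the matching /Network/Servers path, and checks that a mounts object named <host>:/<share> exists with the aplVfstype, aplVfsdir and aplVfsopts values from Appendix D. The server, share and user names in the embedded sample are constructed; the attribute and class names are the ones defined in Appendix B.

```python
"""Cross-check Mac OS X home-directory values exported from eDirectory.
Added example (not code from the original paper).  Given LDIF text as printed
by `ldapsearch -LLL`, decode each user's aplXMLHomeDirectory and verify that
the AFP URL, aplHomeDirectory and the matching aplMounts object agree.
Server, share and user names below are constructed sample data."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

def parse_ldif(text):
    """One {attr_lowercase: [values]} dict per record.  Handles RFC 2849
    folding (continuation lines start with a space), '#' comments and '::'."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    records, entry = [], {}
    for line in logical + [""]:             # trailing "" flushes last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                records.append(entry)
            entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.lower(), []).append(value.strip())
    return records

def parse_xml_home(xml):
    """Split the <home_dir> XML string into (afp_url, path)."""
    root = ET.fromstring(xml.strip())
    return root.findtext("url"), root.findtext("path")

def check_user(user, mounts):
    """Return the list of problems for one user record (empty means OK)."""
    first = lambda attr: (user.get(attr) or [""])[0]
    problems = ["%s missing (posixAccount not applied?)" % a
                for a in ("uidnumber", "gidnumber", "homedirectory") if not first(a)]
    if not first("aplxmlhomedirectory"):
        return problems + ["aplXMLHomeDirectory missing"]
    url, path = parse_xml_home(first("aplxmlhomedirectory"))
    u = urlparse(url)
    host, share = u.hostname, u.path.lstrip("/")
    local = "/Network/Servers/%s/%s/%s" % (host, share, path)
    if first("aplhomedirectory") != local:
        problems.append("aplHomeDirectory should be %s" % local)
    mount = mounts.get("%s:/%s" % (host, share))  # the client looks up <host>:/<share>
    if mount is None:
        return problems + ["no mounts object named %s:/%s" % (host, share)]
    want = "url==afp://;AUTH=NO%%20USER%%20AUTHENT@%s/%s" % (host, share)
    if mount.get("aplvfstype") != ["url"] or mount.get("aplvfsdir") != ["/Network/Servers"]:
        problems.append("aplVfstype must be 'url' and aplVfsdir '/Network/Servers'")
    if not {"net", want} <= set(mount.get("aplvfsopts", [])):
        problems.append("aplVfsopts must contain 'net' and %s" % want)
    return problems

def check_ldif(text):
    """Map each aplMacOSXUser cn to its problem list."""
    recs = parse_ldif(text)
    has = lambda r, cls: cls in [c.lower() for c in r.get("objectclass", [])]
    mounts = {r["cn"][0]: r for r in recs if has(r, "aplmounts")}
    return {r["cn"][0]: check_user(r, mounts) for r in recs if has(r, "aplmacosxuser")}

# Constructed sample (Appendix C/D style); testuser is consistent, baduser is not.
SAMPLE_LDIF = """\
dn: cn=testuser,ou=engineering,o=apple
objectClass: posixAccount
objectClass: aplMacOSXUser
cn: testuser
uidNumber: 1010
gidNumber: 20
homeDirectory: /users/testuser
aplXMLHomeDirectory:: PGhvbWVfZGlyPjx1cmw+YWZwOi8vZW5nc2VydmVyMi5hcHBsZS5jb20vRU5HMi5EQVRBPC91cmw+PHB
 hdGg+VVNFUlMvdGVzdHVzZXI8L3BhdGg+PC9ob21lX2Rpcj4K
aplHomeDirectory: /Network/Servers/engserver2.apple.com/ENG2.DATA/USERS/testuser

dn: cn=baduser,ou=engineering,o=apple
objectClass: aplMacOSXUser
cn: baduser
aplXMLHomeDirectory: <home_dir><url>afp://other.apple.com/ENG2.DATA</url><path>USERS/baduser</path></home_dir>

dn: cn=engserver2.apple.com:/ENG2.DATA,ou=mounts,o=apple
objectClass: aplMounts
cn: engserver2.apple.com:/ENG2.DATA
aplVfstype: url
aplVfsdir: /Network/Servers
aplVfsopts: net
aplVfsopts: url==afp://;AUTH=NO%20USER%20AUTHENT@engserver2.apple.com/ENG2.DATA
"""
```

Call check_ldif() with the text of the export; each user maps to an empty list when everything lines up and otherwise to the list of mismatches, which is quicker than clicking through an LDAP browser when there are many users. The sample’s baduser shows the common failure: its URL names a server for which no <host>:/<share> mounts object exists, so the home directory could never be mounted.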
Integrating MacOS X and Novell eDirectory
9
Configuring the Mac OS X client
Using Directory Setup
We will use the Directory Setup application to configure the Mac OS X client to
communicate with the Netware Server via LDAP. The Directory Setup application is
located in /Applications/Utilities/ .
1. Open Directory Setup and authenticate
2. Select LDAPv2 and click Configure
3. From the Configure LDAPv2 screen, click “New”
4. Name the configuration and enter the IP Address or DNS Name
5. Click on the “Records” tab.
6. Select “Users” and enter the proper fully qualified path for your user objects
7. Select “Mounts” and enter the proper fully qualified path for your mounts objects
(HINT: an LDAP browser is handy for finding your paths)
8. Select “Data” and enter the values from Table 3.
9. Select “Access” and enter the LDAP proxy user’s distinguished name in the
“distinguished name” field. NOTE: your LDAP proxy user cannot have a password; the
client binds with this DN and no password, so the proxy user should hold nothing but
read rights to the attributes Mac OS X needs.
10. Click “OK” and select the check box to enable your LDAP configuration. Close the
“Configure” window and Save.
11. Click on the “Authentication” tab of the main Directory Setup window
12. Select “Custom Path” from “Search:”
13. Click “Add” and select the LDAP value
14. Close Directory Setup; you are now ready to test the login
Mapping values (table)
Table 3
Data Type (Mac OS X value)   Maps to (Novell LDAP value)   Comments
RecordName                   cn, fullName                  The values should be entered in this order.
RealName                     fullName
UniqueID                     uidNumber
Password                     Blank value
PrimaryGroupID               gidNumber
NFSHomeDirectory             aplHomeDirectory
HomeDirectory                aplXMLHomeDirectory           This is the attribute we added for AFP home directories.
VFSType                      aplVfstype
VFSLinkDir                   aplVfsdir
VFSOpts                      aplVfsopts
Testing
To test the configuration from the Mac OS X login screen, make sure you have set the
login window to allow the user to enter their username and password. This setting is in
the Login pane of System Preferences. Also make sure you have set up simple passwords
for your users and have enabled the guest user for AFPTCP.NLM (see Appendix A & B).
In some cases we have seen that the Mac OS X client needs to be rebooted after the LDAP
configuration has been changed to ensure it is properly initialized. Also, the Novell
LDAP server may take some time to incorporate the attribute mapping changes. Reboot if
you don’t want to wait.
Making Secure connections
Enabling SSL on Netware server
SSL should already be enabled on the Netware server; if not, select your LDAP Server
object and set the appropriate properties.
SSL Enabler
On the Mac OS X computer, search for and download SSL Enabler at
www.apple.com/downloads/macosx/
Run SSL Enabler, installing the stunnel utility it uses when prompted. Click Add and
enter the Local Port value (usually 389), the Remote Server IP value (the IP address of
the Netware server), and the Remote Port value (usually 636). Click Save. The client then
talks clear text to the tunnel on the loopback interface and stunnel carries it to the
server’s LDAP SSL port encrypted. Note that this protects the password on the wire but,
unless stunnel is also configured to verify the server’s certificate against your tree’s
root certificate, it does not prove that the far end is your Netware server.
Mac OS X Client settings
Run Directory Setup to change the IP address of the LDAP entry for the Netware server.
1. Click the lock to log in as administrator, select LDAPv2, and then click
Configure.
2. Select the LDAP entry you configured earlier (Netware), and click Edit. Change
the Address field value to the loopback address, 127.0.0.1, then click OK
3. Click the Authentication tab to update the search path. Choose “Custom Path”
from the Search pop-up menu. Delete the old LDAP entry by selecting it, then
click Remove. To add the new entry, click Add, select the updated LDAP entry,
close the Add Nodes window, and then click Apply.
Setting up the Mac OS 9/Macintosh Manager Client Scenario
The setup for a Mac OS 9/Macintosh Manager client is very similar to the Mac OS X client
setup, with a couple of differences. First, Mac OS X Server 10.1.3 (the version IS
important) is REQUIRED. Second, the mounts class (see the mounts section) is not needed
if all your clients are Mac OS 9/Macintosh Manager; if you have a mixture of Mac OS X and
Mac OS 9 clients the mounts class is required. Macintosh Manager uses the “all other
users” account for group management and rights, so if “all other users” is disabled you
will need to re-enable it. NOTE: uidNumber and gidNumber in Netware must be populated
for the Mac OS 9 scenario.
Appendix
A – Setting the Simple Password
The Netware password used at a Client 32 login is verified with a public/private key
system based on the RSA algorithm. Because we are using LDAP and Native File Access to
authenticate the user and mount home directories, we cannot use the public/private key
system. Novell has created what is called a simple password for non-Client 32 logins;
this password is generally the same as the NDS pass-phrase. There are a few options for
setting the simple password, briefly explained here. First, you can use Netware Remote
Manager: the NFAP Security option lets you set it for a single user or for multiple
users. You can also use the less secure option of turning on the clear text password
option for AFPTCP.NLM and having all your users log in with the NDS password; be aware
that the NDS password will then cross your network in clear text. Finally, you can use
ConsoleOne from a Windows PC workstation. ConsoleOne requires that NICI v2 or greater be
installed on the Windows PC, and requires the NMAS snap-ins in order to administer and
set the simple password.
B – Schema LDIF File
Notes on LDIF format:
- The version of the LDIF format should be specified at the beginning. All
examples here use version 1 formatting.
- Records in LDIF files are delimited by a blank line.
- A line that begins with a single space continues the previous line. The
definitions below are kept on one line each so that no folding is needed.
- Further additions may be specified to a given record by using the hyphen
character on its own line. This allows one to specify multiple operations to a
given dn: in one record.
- A line that begins with the # character is a comment and is not processed.
The following file is used to extend the eDirectory schema.
version: 1
#
# create MacOS X user and mounts attributes
#
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (2.16.840.1.113719.1.304.4.10 NAME 'aplXMLHomeDirectory' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (2.16.840.1.113719.1.304.4.20 NAME 'aplHomeDirectory' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (2.16.840.1.113719.1.304.4.30 NAME 'aplVfsdir' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (2.16.840.1.113719.1.304.4.40 NAME 'aplVfst' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (2.16.840.1.113719.1.304.4.50 NAME 'aplVfsopts' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)

#
# create User Auxiliary class
#
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: (2.16.840.1.113719.1.304.6.1 NAME 'aplMacOSXUser' MAY (aplXMLHomeDirectory $ aplHomeDirectory) AUXILIARY)

#
# create Mounts Effective class
# Needs to be its own class as MacOS 10.1.3 and later
# make special use of the class's common name when configured.
#
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: (2.16.840.1.113719.1.304.6.2 NAME 'aplMounts' SUP top STRUCTURAL MUST ( commonName ) MAY (aplVfsdir $ aplVfstype $ aplVfsopts) X-NDS_NAMING ( 'CN' ) X-NDS_CONTAINMENT ('domain' 'country' 'locality' 'organization' 'organizationalUnit' ) X-NDS_NOT_CONTAINER '1' )
C – User LDIF Template
This file can be used for updating existing users in eDirectory.
NOTE: the attribute homeDirectory must have a value; if you are not already using this
value, put something like “/home/<username>” in it. Each modify record below contains
two add operations, separated by a hyphen on its own line as the LDIF notes above
describe.
version: 1
#
# Extend user objects
#
dn: cn=<username>,ou=<someou>,o=<someo>
changetype: modify
add: objectClass
objectClass: posixAccount
uidNumber: <some number greater than 100>
gidNumber: <some group number (usually 20 is good)>
homeDirectory: <some value>
-
add: objectClass
objectClass: aplMacOSXUser
aplXMLHomeDirectory:: <base64-encoded XML pointing to the remote server/directory to mount>
aplHomeDirectory: <path for local mount point of remote export>
-
Example:
version: 1
#
# Extend user objects
#
dn: cn=testuser,ou=engineering,o=apple
changetype: modify
add: objectClass
objectClass: posixAccount
uidNumber: 1010
gidNumber: 20
homeDirectory: /users/testuser
-
add: objectClass
objectClass: aplMacOSXUser
aplXMLHomeDirectory:: PGhvbWVfZGlyPjx1cmw+YWZwOi8vZW5nc2VydmVyMi5hcHBsZS5jb20vRU5HMi5EQVRBPC91cmw+PHB
 hdGg+VVNFUlMvdGVzdHVzZXI8L3BhdGg+PC9ob21lX2Rpcj4K
# The attribute above is base64 encoded (note the double colon and the leading
# space on the continuation line). This is the human readable version:
# aplXMLHomeDirectory: <home_dir><url>afp://engserver2.apple.com/ENG2.DATA</url><path>USERS/testuser</path></home_dir>
aplHomeDirectory: /Network/Servers/engserver2.apple.com/ENG2.DATA/USERS/testuser
-
Note: anywhere a DNS name is used in these examples, an IP address could be used
instead, such as:
aplHomeDirectory: /Network/Servers/192.168.1.22/ENG2.DATA/USERS/testuser
D – Mounts LDIF Template
This is the template for adding a mounts organizational unit and mounts object.
version: 1
#
# Creates a mounts OU and mounts object for your server.
# Note: the DNS name or IP address of the server must be in the
# CN of the mounts object for this server
#
dn: ou=mounts,o=<someO>
changetype: add
objectClass: organizationalUnit
ou: mounts

dn: cn=<YourServer.com>:/<YourSharePoint>,ou=mounts,o=<someO>
changetype: add
objectClass: aplMounts
cn: <YourServer.com>:/<YourSharePoint>

dn: cn=<YourServer.com>:/<YourSharePoint>,ou=mounts,o=<someO>
changetype: modify
add: aplVfstype
aplVfstype: url
-
add: aplVfsdir
aplVfsdir: /Network/Servers
-
add: aplVfsopts
aplVfsopts: net
aplVfsopts: url==afp://;AUTH=NO%20USER%20AUTHENT@<YourServer.com>/<YourSharePoint>
-
Where:
YourServer.com can be either the DNS name or the IP address of your server.
YourSharePoint is the NetWare AFPTCP exported volume name. By default, it has the
format SERVERNAME.VOLUMENAME.
E – Options for base64 encoding a value
There are a few options for base64 encoding a value. For Mac OS X and *NIX users, you
can download a command-line application called base64; the syntax is “base64 -e - -”,
then you type in the value, press Enter and then Control-D, and the encoded value is
written to standard output. You may also script this with tools like sed and awk. The
other option is a Perl script: Perl has base64 modules available. The base64
command-line application is available at http://www.fourmilab.ch/webtools/base64 and
the base64 Perl module at http://www.cpan.org/.
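As an added example covering Appendix C, Appendix D and the base64 step above (example code written for this edit, not the paper’s own files), the following Python script produces the same two LDIF records from the host, share point and path values, doing the base64 encoding and RFC 2849 line folding itself so no separate base64 tool is needed. Schema names are those from Appendix B; the host, share and user names in the usage section are constructed. Note that the Appendix C sample value decodes to the XML followed by a newline (it was encoded by a tool that appended one); this generator leaves the newline out.

```python
"""Generate the Appendix C/D LDIF records for a user and its mounts object.

Added example, not code from the original paper.  It builds the <home_dir>
XML for a user, base64-encodes it with the '::' marker RFC 2849 requires
(the value starts with '<', which is not allowed in a plain LDIF value), folds
long lines at 76 columns and emits the '-' separators between change
operations.  Schema names are the paper's; host, share and user names are
constructed.
"""
import base64


def home_dir_xml(host, share, path):
    """The XML Mac OS X expects in aplXMLHomeDirectory, with no trailing newline
    (the paper's Appendix C sample was encoded with one; it is not required)."""
    return "<home_dir><url>afp://%s/%s</url><path>%s</path></home_dir>" % (host, share, path)


def needs_base64(value):
    """RFC 2849 SAFE-STRING test: a plain value may not start with a space,
    ':' or '<' and must be ASCII without NUL, CR or LF."""
    return value[:1] in (" ", ":", "<") or any(ord(c) > 127 or c in "\0\r\n" for c in value)


def ldif_line(attr, value):
    """One attribute as (possibly folded) LDIF text."""
    if needs_base64(value):
        text = "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    else:
        text = "%s: %s" % (attr, value)
    out = []
    while len(text) > 76:                   # fold; continuation lines start with a space
        out.append(text[:76])
        text = " " + text[76:]
    out.append(text)
    return "\n".join(out)


def user_record(dn, uid_number, gid_number, unix_home, host, share, path):
    """Appendix C style modify record: apply posixAccount, then aplMacOSXUser."""
    local = "/Network/Servers/%s/%s/%s" % (host, share, path)
    pairs = [("dn", dn), ("changetype", "modify"),
             ("add", "objectClass"), ("objectClass", "posixAccount"),
             ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
             ("homeDirectory", unix_home),   # posixAccount requires a value here
             None,                           # '-' closes the first add operation
             ("add", "objectClass"), ("objectClass", "aplMacOSXUser"),
             ("aplXMLHomeDirectory", home_dir_xml(host, share, path)),
             ("aplHomeDirectory", local), None]
    return "\n".join("-" if p is None else ldif_line(*p) for p in pairs) + "\n"


def mounts_record(org, host, share):
    """Appendix D style add record for the <host>:/<share> mounts object."""
    cn = "%s:/%s" % (host, share)
    pairs = [("dn", "cn=%s,ou=mounts,o=%s" % (cn, org)), ("changetype", "add"),
             ("objectClass", "aplMounts"), ("cn", cn),
             ("aplVfstype", "url"), ("aplVfsdir", "/Network/Servers"),
             ("aplVfsopts", "net"),           # multi-valued: 'net' plus the AFP url
             ("aplVfsopts", "url==afp://;AUTH=NO%%20USER%%20AUTHENT@%s/%s" % (host, share))]
    return "\n".join(ldif_line(*p) for p in pairs) + "\n"


if __name__ == "__main__":
    # Constructed values; feed the output to ldapmodify -f as described above.
    print("version: 1")
    print(user_record("cn=testuser,ou=engineering,o=apple", 1010, 20,
                      "/users/testuser", "engserver2.apple.com", "ENG2.DATA", "USERS/testuser"))
    print(mounts_record("apple", "engserver2.apple.com", "ENG2.DATA"))
```

Because the same three values (host, share point, path) drive the XML, the /Network/Servers path and the mounts object name, records produced this way cannot disagree with each other, which is the usual cause of a home directory that fails to mount after a successful login.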
F – Manually Extending the Schema
NOTE: This is NOT the suggested method of extending the schema; the suggested
method is to use the LDIF file from Appendix B, which is much easier and faster.
The attribute created here holds the information needed to mount the user’s Netware
home directory. To create the attribute in eDirectory:
1. Open ConsoleOne and authenticate
2. Select “Schema Manager” from the “Tools” menu option in ConsoleOne
3. Click on the Attributes tab
4. Click the “Create”, to create an new attribute for the Mac OS X home directory
path
5. Name the attribute “aplXMLHomeDirectory” (Please use these names as they
have been registered with Novell)
6. Set the ASN.1 value to “2.16.840.1.113719.1.304.4.10”, click “Next”
7. Set syntax to “Case Exact String”, click “Next”
8. Set the flags to “Single valued” and “Public read”, click “Next”
9. Double check your setting in the summary and then click “Finish”
Following the steps above, create another attribute called “aplHomeDirectory” with the
ASN.1 number “2.16.840.1.113719.1.304.4.20”. The syntax is “Case Exact String”; the
flags are “Single valued” and “Public read”.
After the attributes are created we need to create an auxiliary user object class called
aplMacOSXUser.
1. While the Schema Manager is open click on the “Classes” tab
2. Click “Create”
3. Name the class “aplMacOSXUser” with ASN.1 “2.16.840.1.113719.1.304.6.1”
4. Class flags should be “Auxiliary”, click “Next”
5. Click “Next”; DO NOT select any class to inherit from
6. Click “Next”; there are NO mandatory attributes for aplMacOSXUser
7. Select “CN”, “aplXMLHomeDirectory” and “aplHomeDirectory” as optional attributes
8. Click “Next” and “Finish”
Extending the schema for a mounts class and attributes
To mount the home directory in the file system, the Mac OS X machines need a mounts
class with three attributes that specify where to mount the volume, what type of volume
it is, and how to mount it.
Create the attributes for the mounts class
1. Open the Schema Manager
2. Click on the “Attributes” tab.
3. Click “Create”
4. Do this for each of the attributes in Table 1:

Attribute Name   ASN.1                          Syntax             Flags                        Notes
aplVfsdir        2.16.840.1.113719.1.304.4.30   Case Exact String  Single valued, Public read
aplVfstype       2.16.840.1.113719.1.304.4.40   Case Exact String  Single valued, Public read
aplVfsopts       2.16.840.1.113719.1.304.4.50   Case Exact String  Public read                  This is a multi-valued attribute, DO NOT SELECT single valued
Table 1
Creating the mounts class
1. From the “Classes” tab in the Schema Manager, click “Create”
2. Name the class “aplMounts”
3. ASN.1 value should be “2.16.840.1.113719.1.304.6.2”, click “Next”
4. Class flags should be “Effective Class”, click “Next”
5. Find and select “Top” as the class from which mounts will inherit, click “Next”
6. Select “CN” as a mandatory attribute, click “Next”
7. Select “aplVfsdir”, “aplVfstype” and “aplVfsopts” as optional attributes, click “Next”
8. Select “CN” as the naming attribute, click “Next”
9. Select “Country”, “domain”, “Locality”, “Organization” and “Organizational Unit” as
container classes.
10. Double check your settings in the summary and then click “Finish”
Exposing the Mac OS X Home Directory Attribute
To put a value into the aplXMLHomeDirectory attribute we created earlier, you can either
enter it manually or use a bulk load to fill in multiple accounts. We will examine the
manual configuration.
1. Open ConsoleOne
2. Select the user object you wish to modify, right click and select Properties
3. Scroll to the “Other” tab for user configuration
4. Select “Attributes” and click the “Add” button
5. Select “aplXMLHomeDirectory” and click “OK”
6. Select “aplXMLHomeDirectory” in the list and click on the “…” button
7. Enter the value of the user’s Netware home directory. Example: if my home directory
were on the Netware server at 192.168.1.3 (Netware server name HOMER) on the USR volume,
I would enter the following (as plain text; the base64 encoding is only needed in LDIF
files):
<home_dir><url>afp://192.168.1.3/HOMER.USR</url><path>Dan</path></home_dir>
8. Click “OK” and “Apply” (you may receive a warning about ConsoleOne updating the
screen; this is fine)
Creating a mounts class and configuring the attributes
We will now create the mounts object Mac OS X uses. The mounts object basically tells
Mac OS X where the mount is located (aplVfsopts), where to mount the share point in the
local (Mac OS X) file system (aplVfsdir), and how the location string is formatted
(aplVfstype).
1. Open ConsoleOne
2. Select your organization container, or wherever you would like to place the mounts
object. (Tip: keep it in the same container that contains your user container)
3. Create a new Organizational Unit in your search path and name it “mounts” (go to
File and select “Organizational Unit”)
4. Select the “mounts” OU you just created and double click to open it
5. Create a new object, selecting “aplMounts” from the classes
6. Name the object <server IP address or hostname>:/<share point>, using the same host
string that appears in the <url> of the users’ aplXMLHomeDirectory values. Example: if
my Netware server’s IP address was 192.168.1.3, its DNS name was homer.corp.apple.com
and the share point containing the home directories was the USR volume, I would name it
either 192.168.1.3:/HOMER.USR or homer:/HOMER.USR
7. Click “Define other properties”
8. Click “Other” tab
9. Click on “Attributes” and “Add” button
10. Select “aplVfsdir” (do the same for aplVfsopts and aplVfstype), click “OK”
11. Enter the following values from Table 2 for each attribute:

Attribute    Value                                                              Notes
aplVfsdir    /Network/Servers
aplVfsopts   net                                                                This attribute is multi-valued. Add “net”, then select
             url==afp://;AUTH=NO%20USER%20AUTHENT@yourserver.com/sharepoint    “aplVfsopts” again and click “Add” for the url value
aplVfstype   url
Table 2
See Appendix B to set your Netware server so that vfsopts work properly for the guest
account.
See Appendix A for information on setting the simple password for users so that they
may use the AFP share points.