[OT] OS X Open Directory with linux clients
Shawn L Johnston
sjohnston
Mon Sep 27 16:19:50 PDT 2004
On Thu, 2004-09-23 at 20:15, Kurt Wall wrote:
> On Thu, Sep 23, 2004 at 03:52:57PM -0500, Shawn L Johnston took 31 lines to write:
> > Ok, another stupid mac question for any LDAP experts out there. I gave
> > up trying to use another LDAP directory for my Xserve to authenticate
> > against and went with Apple's Open Directory (which is actually OpenLDAP
> > with their own schema extensions).
>
> Hmm.
>
> > My problem is I now want to authenticate my linux machines against Open
> > Directory, which was easy to set up. Unfortunately Apple has seen in its
> > ultimate wisdom to include the OS X root user in Open Directory (OD)
> > which means any linux box I have using OD for authentication sees two
> > root users which I don't want.
>
> Can you create a different domain for the Linux boxen so that root on the
> Linux boxen won't be the same as root on OS X? The idea is that root
> on each will have their own DNs because they're in "sub-domains" that
> are part of the same One True DIT.
>
Yeah, this would be a possibility however the management tools that come
with OS X don't seem to handle this. It's something I'll try later.
> > I think my options are:
> > 1) Forget having 1 ldap service with one set of logins/passwords
>
> Which rather defeats the purpose of using LDAP at all, at least for
> authentication. Or so it seemeth to my little mind.
>
> > 2) Perhaps there is some sort of filter I can do in my linux ldap.conf
> > file that will "hide" undesirable users such as root?
>
> Yep. But I'm definitely not an LDAP wonk, either.
>
Unfortunately I'm not an LDAP guru either. It seems like I should be able
to do something in ldap.conf on the client like
nss_base_passwd=dc=example,dc=com?sub?uidNumber>=1000
nss_base_shadow=dc=example,dc=com?sub?uidNumber>=1000
but it gives me a "nss_ldap: could not search LDAP server - Bad search
filter" error message. I can do an exact match like uidNumber=1000
though...
What I've done for now to solve this is doing a gidNumber=5000 and
changing the primary group id of everyone who I want to have login
privs to this number. Not a real pretty solution but it works for the
moment.
Thanks,
Shawn
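Added example, not part of the thread: a small Python model of how an nss_ldap `nss_base_passwd` value (`base?scope?filter`) is read, comparing the rejected `uidNumber>=1000` filter, its RFC 4515 form `(uidNumber>=1000)`, and the `gidNumber=5000` workaround from the message. It assumes the "Bad search filter" error came from the filter lacking the enclosing parentheses that RFC 4515 requires, and the directory entries are constructed sample data.

```python
import re

# Constructed sample entries (not real directory data); root is present,
# as the message says Open Directory publishes it alongside ordinary users.
ENTRIES = [
    {"uid": "root",  "uidNumber": 0,    "gidNumber": 0},
    {"uid": "alice", "uidNumber": 1001, "gidNumber": 5000},
    {"uid": "bob",   "uidNumber": 1002, "gidNumber": 20},
    {"uid": "svc",   "uidNumber": 501,  "gidNumber": 5000},
]

# One simple filter item such as (uidNumber>=1000); '>=' is tried before '='.
ITEM = re.compile(r"\((\w+)(>=|<=|=)([^()]+)\)")

def parse_nss_base(value):
    """Split an nss_base_* value of the form base?scope?filter."""
    parts = value.split("?")
    base = parts[0]
    scope = parts[1] if len(parts) > 1 else "sub"
    flt = parts[2] if len(parts) > 2 else ""
    return base, scope, flt

def filter_is_well_formed(flt):
    """RFC 4515: filter = '(' filtercomp ')', so a bare 'a>=b' is rejected."""
    if not flt:
        return True  # no extra filter at all is fine
    if not (flt.startswith("(") and flt.endswith(")")):
        return False
    depth = 0
    for ch in flt:
        depth += ch == "("
        depth -= ch == ")"
        if depth < 0:
            return False
    return depth == 0

def matches(flt, entry):
    """Evaluate a single item or an AND-list of items against one entry."""
    if flt.startswith("(|") or flt.startswith("(!"):
        raise ValueError("only AND filters are modelled in this example")
    for attr, op, val in ITEM.findall(flt):
        have = entry.get(attr)
        if have is None:
            return False
        want = int(val) if isinstance(have, int) else val
        if (op == "=" and have != want) or (op == ">=" and have < want) \
                or (op == "<=" and have > want):
            return False
    return True

def nss_view(nss_base_value, entries=ENTRIES):
    """Return the uids a client would see for this nss_base_passwd setting."""
    base, scope, flt = parse_nss_base(nss_base_value)
    if not filter_is_well_formed(flt):
        raise ValueError("Bad search filter: %r" % flt)  # what nss_ldap reports
    return [e["uid"] for e in entries if matches(flt, e)]
```

Note that the `gidNumber=5000` workaround still lets a low-uid account through if it is given that group, while `(uidNumber>=1000)` hides root regardless of group; on a real client, `getent passwd root` should return only the local entry once the filter is in place.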