Xeda AD-OD Integration

Xeda Active Directory and Apple Open Directory Integration
Technology Overview


Last updated: 7/27/09




NOTE: IET does not currently support Apple Open Directory integration with Xeda Active
Directory. These instructions were developed for a demonstration and do not include
security best practices.

Please refer to
<http://images.apple.com/server/macosx/docs/Leopard_Server_Security_Config_v10.5.pdf>
for Mac OS X Server security practices.

These UCD specific instructions incorporate content from Mike Bombich’s excellent
AD/OD tutorial at <http://www.bombich.com/mactips/activedir.html>.




Overview

These instructions describe how to integrate a Mac OS X Open Directory
server into the UCD Campus Active Directory (Xeda) forest.


Once your Mac OS X Server has been successfully integrated, environments
that are part of the Xeda service and also run Mac OS X Server gain
several benefits. Here are the major ones:
   - Provide Kerberos Single Sign On (SSO) to Mac OS X services such as
     AFP, SMB, and VPN.
   - Simplify account provisioning. Use campus Kerberos accounts
     instead of managing accounts and passwords departmentally in Open
     Directory.
   - Manage users based on Active Directory group membership. Nested
     groups allow you to create an Open Directory group with an Active
     Directory group as a member.
   - Restrict access to Mac OS X Server services based on Active Directory
     group membership.


Here is an overview of the instructions:
   -   Install Mac OS X server in “Advanced Mode”
   -   Bind Mac OS X Server to Active Directory
   -   Kerberize the Mac OS X Services to enable SSO
   -   Promote Mac OS X Server to Open Directory Master
   -   Bind a Mac OS X client to Open Directory Master
   -   Bind Mac OS X client to Active Directory




Step-by-step Instructions

  1. Install Mac OS X Server using “Advanced” Configuration




  2. Install Software Updates

     Be sure to update to the most current version of Mac OS X. The Mac
     OS X Active Directory plug-in did not work as expected before 10.5.5
     (September 2008) in a multi-level Active Directory environment such
     as Xeda.




  3. Bind the Mac OS X Server to Active Directory

      a. Create the computer object in the AD OU from your Windows
         OU admin station.
      b. Launch Directory Utility on the Mac OS X server. Select the
         “Show Advanced Settings” button. Select the “Services” tab,
         enable “Active Directory” and click the pencil icon to edit.
      c. Enter ou.ad3.ucdavis.edu for Active Directory Domain and
         enter the name of the computer object for Computer ID.
      d. Configure the User Experience, Mappings, and Administrative
         tabs as desired and select the Bind button.




4. Authenticate with your Xeda OU Admin account
      a. Enter the appropriate LDAP string for your department in the
         Computer OU field.
      b. A dialog titled “Join Existing Account” will appear when the AD
         plug-in finds the computer object in your OU. Select “OK”.
      c. A dialog titled “Join Kerberos Realm” will appear once you bind
         to AD. Ignore the instructions in this dialog because the “Join
         Kerberos” button is inconsistent in the Server Admin tool.


             LDAP string used for the IET-ATS department:
 CN=ATS-OU-Servers,OU=ATS,OU=IET,OU=DEPARTMENTS,DC=ou,DC=ad3,DC=ucdavis,DC=edu




5. Verify the Mac OS X Server is bound to Active Directory by running
   the following terminal commands from your Mac OS X Server.
      a. % dscl /Active\ Directory/All\ Domains -read /Users/username
      b. % dscl /Active\ Directory/All\ Domains -read /Groups/groupname

   Verify you can read users and groups from both ad3.ucdavis.edu and
   ou.ad3.ucdavis.edu.


6. Kerberize Mac OS X services by issuing the following command from
   the terminal on the Mac OS X Server.
      a. % sudo dsconfigad -enableSSO

   This will kerberize all Mac OS X Server services that support SSO.
   These services do not need to be enabled in order to be kerberized.


7. Verify your keytab has entries by running the following command
   from the terminal.
      a. % sudo klist -ke

   You should see three entries per Kerberos realm for each service
   offered in Mac OS X Server (there should be about a dozen unique
   services).
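   To make the check in step 7 repeatable, the following added script (not
   part of the original instructions) summarizes a `klist -ke` listing per
   service and realm and flags any service with fewer than three entries in
   a realm. The listing embedded in it is constructed sample output in MIT
   klist format with a made-up Computer ID of `server`; on the server itself
   you would feed it `sudo klist -ke` instead.

```shell
#!/bin/sh
# Added example: summarize `klist -ke` output per service and realm and
# flag services that have fewer than the expected three keytab entries.
# SAMPLE_KLIST is CONSTRUCTED data in MIT klist format; replace the
# printf with `sudo klist -ke |` when running on a real Mac OS X Server.

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afpserver/server.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (DES cbc mode with CRC-32)
   3 afpserver/server.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (DES cbc mode with RSA-MD5)
   3 afpserver/server.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (ArcFour with HMAC/md5)
   3 cifs/server.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (DES cbc mode with CRC-32)
   3 cifs/server.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (DES cbc mode with RSA-MD5)
   3 cifs/server.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (ArcFour with HMAC/md5)
   3 vpn/server.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (DES cbc mode with CRC-32)
   3 vpn/server.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU (ArcFour with HMAC/md5)'

# Read a klist -ke listing on stdin and print "<service> <REALM> <entries>"
# per pair. Only rows beginning with a numeric KVNO are keytab entries; the
# header and separator lines are skipped.
keytab_summary() {
    awk '$1 ~ /^[0-9]+$/ {
            split($2, pr, "@")      # principal -> [service/host, REALM]
            split(pr[1], sv, "/")   # service/host -> [service, host]
            n[sv[1] " " pr[2]]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# Exit 0 when every service has at least 3 entries in each realm, 1 otherwise,
# printing the short service/realm pairs on stdout.
keytab_check() {
    keytab_summary | awk '$3 < 3 { print "short: " $0; bad = 1 }
                          END { if (bad) exit 1; exit 0 }'
}

# Wrappers that run the checks against the constructed sample.
summarize_sample() { printf '%s\n' "$SAMPLE_KLIST" | keytab_summary; }
check_sample()     { printf '%s\n' "$SAMPLE_KLIST" | keytab_check; }

if check_sample >/dev/null; then
    echo "keytab looks complete"
else
    echo "keytab has services with fewer than 3 entries in a realm"
fi
```

   In the sample the `vpn` service has only two entries, so the check
   reports it; a complete keytab produces no `short:` lines.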




8. Promote the Mac OS X Server to an Open Directory Master.
      a. Enable the Open Directory service using the Server Admin
         utility.
      b. Select the Open Directory Settings tab, click the “Change…”
         button next to the “Role:” field.




      c. Select “Open Directory Master” as the desired server type.




      d. You will be prompted to create an Open Directory master
         directory admin account.




9. Bind a Mac OS X client to the Open Directory master. Bind the Mac
   OS X client to the Open Directory master first, then bind to Active
   Directory, otherwise MCX settings and augmented records may be
   ignored.
      a. Launch Directory Utility from the Mac OS X Client and select
         the + icon.
      b. Select “Open Directory” and enter the Mac OS X server name
         and select “OK”.




10. Bind a Mac OS X client to Active Directory.
       a. Create the computer object in your Active Directory OU from
          your Windows OU admin station.
       b. In Directory Utility on the Mac OS X client, select the “Show
          Advanced Settings” button. Select the “Services” tab, enable
          “Active Directory” and click the pencil icon to edit.
       c. Enter ou.ad3.ucdavis.edu for the Active Directory Domain and
          enter the computer object name for Computer ID.
       d. Configure the User Experience, Mappings, and Administrative
          tabs as desired and select the Bind button.




11. Authenticate with your Xeda OU Admin account
      a. Enter the appropriate LDAP string for your department in the
         Computer OU field.
      b. A dialog titled “Join Existing Account” will pop up when the AD
         plug-in finds the computer object in your OU. Select “OK”.

             LDAP string used for the IET-ATS department:
 CN=ATS-OU-Computers,OU=ATS,OU=IET,OU=DEPARTMENTS,DC=ou,DC=ad3,DC=ucdavis,DC=edu



   You should now be able to log in to your Mac OS X client using your
   Kerberos account. Once you configure and enable kerberized Mac OS X
   services you will be able to access them with SSO.

   Known Issues:
   When connecting to a Mac OS X service such as AFP or SMB, the Active
   Directory plug-in on the Mac OS X client creates the Kerberos
   principals using the “Computer ID” prepended to the AD domain
   ou.ad3.ucdavis.edu. This prevents SSO from working when
   attempting to connect to servername.ucdavis.edu. If you connect to
   servername.ou.ad3.ucdavis.edu then SSO works as expected.

   A workaround is to create a DNS “A record” for your Mac OS X
   Server’s IP address with the DNS name
   servername.ou.ad3.ucdavis.edu with an alias of
   servername.ucdavis.edu.
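   The following added script (not part of the original instructions)
   models the name mismatch above and why the DNS workaround resolves it.
   It assumes the client canonicalizes the host it connects to through a
   DNS CNAME before asking the KDC for service/host@REALM, which is the
   mechanism the A-record workaround relies on; the Computer ID `server`,
   the CNAME table and the keytab principal list are constructed.

```shell
#!/bin/sh
# Added example: model the SSO principal mismatch from the Known Issues
# section. The server keytab only holds <service>/<ComputerID>.ou.ad3.ucdavis.edu
# names, so a connection to the short ucdavis.edu name only works once DNS
# maps that name (as a CNAME) onto the ou.ad3 name. All data here is CONSTRUCTED.

REALM='OU.AD3.UCDAVIS.EDU'

# Principals present in the server keytab (as `klist -ke` would list them).
KEYTAB_PRINCIPALS='afpserver/server.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU
cifs/server.ou.ad3.ucdavis.edu@OU.AD3.UCDAVIS.EDU'

# CNAME table as "alias canonical" rows: empty before the workaround,
# one row after the A record plus alias from the text is in place.
CNAMES_BEFORE=''
CNAMES_AFTER='server.ucdavis.edu server.ou.ad3.ucdavis.edu'

# canonical_host <host> <cname-table>: follow one CNAME hop if one exists.
canonical_host() {
    target=$(printf '%s\n' "$2" | awk -v h="$1" '$1 == h { print $2 }')
    printf '%s\n' "${target:-$1}"
}

# client_principal <service> <host> <cname-table>: the service principal the
# client will request from the KDC after canonicalizing the host name.
client_principal() {
    printf '%s/%s@%s\n' "$1" "$(canonical_host "$2" "$3")" "$REALM"
}

# sso_works <service> <host> <cname-table>: exit 0 only when the requested
# principal has a matching keytab entry on the server.
sso_works() {
    p=$(client_principal "$1" "$2" "$3")
    printf '%s\n' "$KEYTAB_PRINCIPALS" | grep -qxF "$p"
}

for table in "$CNAMES_BEFORE" "$CNAMES_AFTER"; do
    if sso_works afpserver server.ucdavis.edu "$table"; then
        echo "afp to server.ucdavis.edu: keytab entry found, SSO works"
    else
        echo "afp to server.ucdavis.edu: no keytab entry for $(client_principal afpserver server.ucdavis.edu "$table")"
    fi
done
```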

   Another issue that currently does not have a workaround is
   authentication delays for Mac OS X clients that are bound to Active
   Directory from off campus. Because specific Microsoft ports are
   blocked for off-campus IPs, the Mac OS X client does not
   appropriately utilize its cached credentials when authenticating at
   the login prompt or when waking up from sleep.



