
Volume Number: 23 (2007)
Issue Number: 10
Column Tag: MacEnterprise, networking

Strangers in a foreign land

Integrating OS X with Active Directory

By Philip Rinehart, Yale University

Active Directory!

Of the topics that come up on the MacEnterprise list, Active Directory and its integration with OS X is discussed frequently. Why? Many environments already use Active Directory for the Windows side of the house, and many Mac administrators don't want to maintain a separate information store for Macs alone. This month we will look at some tips for working with the Active Directory plug-in. Let's get started!

Binding

Binding, what is it? Directory Services uses a machine account and "binds" that account to the Active Directory domain. When a user logs in, the authentication framework can use the bound machine account to look up and authenticate non-local users. As a result, a user is granted access to a machine without a local account. With the Active Directory plug-in, a number of intricacies make binding difficult. We will look at one of the most common issues. Before we begin, though, remember to check forward and reverse DNS, a common cause of binding problems. For more information about testing, check out the article here: http://macenterprise.org/content/view/305/84.

Finding my Organizational Unit

Often, an administrator does not have access to the default Organizational Unit used by the Active Directory plug-in. How does an administrator find their Organizational Unit then? Fortunately, the tools for performing a lookup are built into OS X! Let's look at a rather verbose command.

ldapsearch -LLL -H ldap://yourdomaincontroller.ad.test -x -D "admin@ad.test" -b "dc=ad,dc=test" -W "(cn=activedirectorycomputerobjectname)" dn

Looks rather complicated, doesn't it? Fortunately, it isn't that hard to understand once we dissect it a little. The first option, -LLL, is not strictly necessary. Each L strips something from the output: the first restricts it to LDIFv1 (not important here), the second omits comments, and the third prevents the LDIF version line from being printed.

Next, the -H option is specified. This option is very important! Enter the URI of a domain controller that has a copy of the Global Catalog. ldapsearch uses this domain controller to look up information about the computer account.

Next, the -x option selects simple authentication (a plain bind with the password rather than SASL). This says nothing about encryption: in some cases, SSL is not used on domain controllers, and with a plain ldap:// URI the bind password then crosses the network in clear text. The -D option is important, as it supplies the Active Directory credentials used to authenticate for the LDAP search.

-b provides the search base, the point in the LDAP tree where the search should begin. If unsure, enter the top level of the forest. -W tells ldapsearch to prompt for the password instead of taking it on the command line (where -w would leave it visible in the process list and the shell history).

The last two arguments are used to get the actual Organizational Unit path. The search filter "cn=activedirectorycomputerobjectname" looks for the computer account in Active Directory. The final argument tells ldapsearch that only the dn attribute is wanted. It's OK not to specify it, but every attribute is then returned. Sounds like a lot, doesn't it? Try executing the command once. After you have the hang of it, you will find how powerful ldapsearch can be. As a sanity check, here's an example of how the ldapsearch results might appear:

dn: CN=mbp,OU=One,OU=Two,OU=Three,OU=Four,DC=ad,DC=test

With this information, it's easy to determine the OU path for machine binding. Note, however, that the machine account must exist before this search is executed. The command and its results could also be wrapped in AppleScript, an Automator action, or any other scripting language. Once the machine is bound, the fun begins!
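One way to wrap the lookup in a script, as an added example that is not from the article: it reduces the dn line ldapsearch returns to the container DN that dsconfigad's -ou option expects, and checks that the object found really is the computer asked for. The sample dn is constructed in the shape shown above; the host, account and base names are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: reduce the dn line that ldapsearch
# returns for the computer account to the container DN that dsconfigad's -ou
# option expects. The dn below is a constructed sample in the shape the
# article shows; host, account and base names are placeholders.

SAMPLE_DN='dn: CN=mbp,OU=One,OU=Two,OU=Three,OU=Four,DC=ad,DC=test'

# unfold_ldif: LDIF folds lines longer than 76 characters onto continuation
# lines that start with a space; a long dn comes back that way, so join them.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         { if (NR > 1) print ""; printf "%s", $0 }
         END { print "" }'
}

# cn_from_dn: the computer object's own name (value of the leading CN= RDN).
cn_from_dn() {
    printf '%s\n' "$1" | sed -e 's/^dn: *//' -e 's/^[Cc][Nn]=\([^,]*\),.*/\1/'
}

# ou_from_dn: everything after the leading CN= RDN, i.e. the OU chain plus the
# domain components, which is the value to hand to dsconfigad -ou.
ou_from_dn() {
    printf '%s\n' "$1" | sed -e 's/^dn: *//' -e 's/^[Cc][Nn]=[^,]*,//'
}

# lookup_ou: run the article's ldapsearch against a real domain controller and
# reduce the first dn line to the OU path. Fails (status 1) if no object came
# back, or if the object's CN is not the computer name asked for (compared
# case-insensitively), so a typo in the filter is caught before binding.
#   $1 domain controller host, $2 bind account, $3 search base, $4 computer name
lookup_ou() {
    dn=$(ldapsearch -LLL -H "ldap://$1" -x -D "$2" -b "$3" -W "(cn=$4)" dn \
         | unfold_ldif | grep '^dn:' | head -n 1)
    [ -n "$dn" ] || { echo "no computer object named $4 found" >&2; return 1; }
    found=$(cn_from_dn "$dn" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$4" | tr 'A-Z' 'a-z')
    [ "$found" = "$want" ] || { echo "dn is for $found, not $4" >&2; return 1; }
    ou_from_dn "$dn"
}

# With the constructed sample; against a real domain controller it would be:
#   lookup_ou dc1.ad.test admin@ad.test dc=ad,dc=test mbp
ou_from_dn "$SAMPLE_DN"
```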

Static maps

One of the hidden gems of the Active Directory plug-in is the ability to use "static maps". Static maps were originally conceived for the LDAP plug-in, but they can now be used to map any needed attribute. Let's use an example. On the list, a discussion about using NFS shares with Active Directory asked how to give every user who logs in an attribute with exactly the same value. Static maps to the rescue! Here's how to do it:

This will require a little bit of command line magic. Open a terminal, and enter the following command:

dsconfigad -staticmap attributetype attributevalue

Three attributes should not be statically mapped: UID, RecordName and GeneratedUID. As stated in the man page, mapping these attributes may produce "unexpected" results. What is the syntax? It's pretty simple: the attribute type comes first, then the attribute value. Static values are preceded by a pound sign "#". If the goal is to have every non-local user receive the same value, enter #value to provide each user with that value at login. Another feature, variable mappings, is not available with the Active Directory plug-in. It should also be noted that static maps can only be configured from the command line, using dsconfigad.

Timeout values

Controlling the timeout values for the Active Directory plug-in involves editing ActiveDirectory.plist in /Library/Preferences/DirectoryService. First, note that this procedure is completely unsupported by Apple! A very common problem with mobile accounts and Active Directory is extremely slow logins. It usually occurs because the Domain Controller is firewalled and unavailable outside the corporate network, and each Domain Controller is given a timeout of 240 seconds. Imagine what happens when the laptop user goes home: login times, and even wake-from-sleep times, can become almost unbearably long. Fortunately, an administrator who knows which values to change in the plist can lower the timeouts manually. Open ActiveDirectory.plist in your favorite editor and search for the following entries:

<key>LDAP Connection Timeout</key>
<string>240</string>

This entry usually occurs in multiple places. Depending on your environment, change the value to a lower one. Restart the computer, and the new timeout values should be in effect. It has been reported that for some environments the value may get overwritten, but in my experience it has worked.
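Since the entry occurs in several places, a script that rewrites every occurrence is less error-prone than editing by hand. This is an added example, not from the article: it touches only the string value on the line right after each "LDAP Connection Timeout" key, and the sample plist text is constructed.

```shell
#!/bin/sh
# Added example, not from the article: lower every "LDAP Connection Timeout"
# in ActiveDirectory.plist from the command line. Only the <string> value on
# the line right after the key is rewritten, so other numbers in the plist
# are untouched. Same caveat as the article: the file is Apple-private and
# editing it is unsupported. The sample plist text below is constructed.

PLIST=/Library/Preferences/DirectoryService/ActiveDirectory.plist

# lower_ad_timeout: read plist XML on stdin, write it with the timeout set to $1.
lower_ad_timeout() {
    awk -v secs="$1" '
        # previous line was the key: rewrite this line if it is a numeric string
        hit && /<string>[0-9]+<\/string>/ {
            sub(/<string>[0-9]+<\/string>/, "<string>" secs "</string>")
        }
        { hit = ($0 ~ /<key>LDAP Connection Timeout<\/key>/); print }
    '
}

# timeout_values: print the current timeout value(s), one per line, so the
# change can be verified before and after.
timeout_values() {
    awk '
        hit { if (match($0, /[0-9]+/)) print substr($0, RSTART, RLENGTH) }
        { hit = ($0 ~ /<key>LDAP Connection Timeout<\/key>/) }
    '
}

# Constructed sample: two timeout entries, plus an unrelated 240 that must stay.
SAMPLE_PLIST='<key>LDAP Connection Timeout</key>
<string>240</string>
<key>Something Else</key>
<string>240</string>
<key>LDAP Connection Timeout</key>
<string>240</string>'

# apply_timeout: back up the real file, make sure it is XML (plutil converts a
# binary plist in place), rewrite it, then reboot as the article says.
apply_timeout() {
    cp -p "$PLIST" "$PLIST.bak" || return 1
    plutil -convert xml1 "$PLIST" || return 1
    lower_ad_timeout "$1" < "$PLIST" > "$PLIST.new" && mv "$PLIST.new" "$PLIST"
}

# Dry run on the constructed sample: prints the two rewritten values.
printf '%s\n' "$SAMPLE_PLIST" | lower_ad_timeout 30 | timeout_values
```

Pick a value that still covers your slowest on-network link; a timeout that is too short turns slow logins into failed ones.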

Question marks in the Dock

The last issue, which appeared recently, is a host of question marks in the Dock on Intel-based machines when using the Active Directory plug-in with mobile accounts. Credit Mike Yocom and Brian Warsing for this solution. It is a bit involved, but it does solve the problem quite nicely.

Step one: Convert each user's com.apple.dock.plist (in the user's ~/Library/Preferences) to XML. This task is best accomplished with a loginhook. Here is the command:

plutil -convert xml1 -o /tmp/foo.xml com.apple.dock.plist

Step two: Use a bit of XML magic, namely xsltproc, to filter the "_CFURLAliasData" entries out of the plist.

xsltproc -o com.apple.dock.plist /path/to/style-sheet/com-apple-dock-style.xsl /tmp/foo.xml

And the required style sheet:

<?xml version='1.0' encoding='utf-8'?>
<xsl:stylesheet version='1.0'
    xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>
    <xsl:output method='xml' version='1.0' encoding='utf-8' indent='yes'
        doctype-public="-//Apple Computer//DTD PLIST 1.0//EN"
        doctype-system="http://www.apple.com/DTDs/PropertyList-1.0.dtd"/>

    <!-- Identity template: copies every node and attribute unchanged unless
         one of the more specific templates below matches it -->
    <xsl:template match="@*|node()">
        <xsl:copy>
            <xsl:apply-templates select="@*|node()"/>
        </xsl:copy>
    </xsl:template>

    <!-- Drop the _CFURLAliasData key inside each tile's file-data dict;
         any other key at that depth is copied through unchanged -->
    <xsl:template match="array/dict/dict/dict/key">
        <xsl:if test=". != '_CFURLAliasData'">
            <xsl:copy-of select="."/>
        </xsl:if>
    </xsl:template>

    <!-- Drop the <data> element holding the alias bytes (the only <data> at
         this depth in the Dock plist); the _CFURLString entry remains -->
    <xsl:template match="array/dict/dict/dict/data"/>
</xsl:stylesheet>

Step three: There is no step three!
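Putting steps one and two into the loginhook they are meant to run from, as an added example that is not part of the article: it runs as root with the short user name in $1, locates the user's Dock plist through Directory Services, and only rewrites the file when alias data is actually present. The stylesheet location is an assumption.

```shell
#!/bin/sh
# Added example, not from the article: a loginhook wrapping steps one and two
# for the user who has just logged in. Loginhooks run as root with the short
# user name in $1. The stylesheet location is an assumption; the Dock plist
# path is the standard per-user preferences location.
XSL=/Library/Management/com-apple-dock-style.xsl   # assumed location

# needs_filter: succeeds when the XML plist text on stdin still contains alias
# data, so a Dock plist that is already clean is not rewritten at every login.
needs_filter() {
    grep -q '<key>_CFURLAliasData</key>'
}

# filter_dock_plist: convert one user's Dock plist to XML, run the stylesheet
# over it only if needed, and put the result back with the original ownership.
#   $1 home directory, $2 user name (owner of the plist)
filter_dock_plist() {
    plist="$1/Library/Preferences/com.apple.dock.plist"
    [ -f "$plist" ] || return 0
    tmp=$(mktemp /tmp/dock.XXXXXX) || return 1
    plutil -convert xml1 -o "$tmp" "$plist" || { rm -f "$tmp"; return 1; }
    if needs_filter < "$tmp"; then
        cp -p "$plist" "$plist.bak"
        xsltproc -o "$plist" "$XSL" "$tmp" && chown "$2" "$plist"
    fi
    rm -f "$tmp"
}

# Loginhook entry point: look up the user's home directory in Directory
# Services rather than relying on a relative path or the current directory.
if [ -n "$1" ]; then
    home=$(dscl . -read "/Users/$1" NFSHomeDirectory | awk '{print $2}')
    [ -n "$home" ] && filter_dock_plist "$home" "$1"
fi
```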

It really is that simple once all of the pieces are in place, and it solves the immediate problem so that question marks no longer appear in the Dock. This month, we've tackled some of the most recent issues with Active Directory. As always, Active Directory integration continues to be a very complex problem, as each environment has unique qualities. Keep sending feedback to Apple, and keep discussing on the lists, to make the Active Directory plug-in as good as it can be! One last thing: check out the following Best Practices paper about Active Directory integration from Apple: http://images.apple.com/itpro/pdf/AD_Best_Practices_2.0.pdf. It also supplies very useful information about troubleshooting and integration. Until next month, see you on the lists!


Philip Rinehart is co-chair of the steering committee leading the Mac OS X Enterprise Project (macenterprise.org) and is the Lead Mac Analyst at Yale University. He has been using Macintosh Computers since the days of the Macintosh SE, and Mac OS X since its Developer Preview Release. Before coming to Yale, he worked as a Unix system administrator for a dot-com company. He can be reached at: philip.rinehart@yale.edu. The MacEnterprise project is a community of IT professionals sharing information and solutions to support Macs in an enterprise. We collaborate on the deployment, management, and integration of Mac OS X client and server computers into multi-platform computing environments.

 
