TweetFollow Us on Twitter

Strangers in a foreign land

Volume Number: 23 (2007)
Issue Number: 10
Column Tag: MacEnterprise, networking

Strangers in a foreign land

Integrating OS X with Active Directory

By Philip Rinehart, Yale University

Active Directory!

Of the topics that come up on the Macenterprise list, Active Directory and its integration with OS X is discussed frequently. Why? Many environments are using Active Directory for integration for the Windows side of the house, and many Mac administrators don't want to manage the information store separately for Macs alone. This month we will look at some tips for working with the Active Directory plug-in. Let's get started!

Binding

Binding, what is it? Directory Services uses a machine account and "binds" the account to the Active Directory domain. When logging in, the authentication framework is able to use the bound machine's account for non-local users. As a result, a user is granted access to a machine without a local account. With the Active Directory plug-in, there are a number of intricacies that make binding difficult. We will look at one of the most common issues. Before we begin this discussion, though, remember to check forward and reverse DNS, a common binding problem. For more information about testing, check out the article here, http://macenterprise.org/content/view/305/84.

Finding my Organizational Unit

Often, an administrator does not have access to the default Organizational Unit used by the Active Directory plug-in. How does an administrator find their Organizational Unit then? Fortunately, the tools for performing a lookup are built into OS X! Let's look at a rather verbose command.

ldapsearch -LLL -Hldap://yourdomaincontroller.ad.test -x -D "admin@ad.test" -b "dc=ad,dc=test" -W  "cn=activedirectorycomputerobjectname" dn

Looks rather complicated doesn't it? Fortunately, it isn't that hard to understand once we dissect it a little bit. The first option, -LLL is not strictly necessary. However, using it omits comments, restricts the output to LDIFv1 (not important here), and the last L prevents printing of the LDIF version.

Next, the -H option is specified. This option is very important! Enter the URI of a domain controller that has a copy of the Global Catalog. Ldapsearch uses this domain controller to look up information about a computer account.

Next, the -x option is used for simple authentication, not SSL. In some cases, SSL is not used on domain controllers. The -D option is important, as it supplies the Active Directory credentials that are used to authenticate for the LDAP search.

-b provides the search base. The search base is the point in the LDAP tree where the search should begin. If unsure, enter the top level of the forest. -W is similar to using the -x option, telling ldapsearch to prompt for the password, instead of supplying it with the ldapsearch command.

The last two entries are used to get the actual Organizational Unit path. The first option "cn=activedirectorycomputerobjectname" looks for the computer account in Active Directory. The last option tells ldapsearch that only the dn attribute is important. It's o.k. not to specify it, but every attribute is then returned. Sounds like a lot, doesn't it? Try executing the command once. After you have the hang of it, you will find how powerful ldapsearch can be. As a sanity check, here's an example of how the ldapsearch results might appear:

dn: CN=mbp,OU=One,OU=Two,OU=Three,OU=Four,DC=ad,DC=test

With this information, it's easy to determine the OU path for machine binding. Note however that the machine account must exist before this search is executed. The command and its results could also be wrapped in Applescript, an Automator action, or any other scripting language. Once the machine is bound, the fun begins!

Static maps

One of the hidden gems of the Active Directory plug-in is the ability to use "static maps". Usage of static maps was originally conceived for usage with the LDAP plug-in, but it can now be used for mapping any needed attributes. Let's use an example. On the list, a discussion about using NFS shares on Active Directory asked about how to provide an attribute for each user logging in that would be exactly the same. Static maps to the rescue! Here's how to do it:

This will require a little bit of command line magic. Open a terminal, and enter the following command:

dsconfigad -staticmap attributetype attributevalue

Three attributes should not be statically mapped, UID, RecordName and GeneratedUID. As stated in the man page, mapping these attributes may produce "unexpected" results. What is the syntax? It's pretty simple, first the attribute value. Attribute values are preceded by a pound sign "#". If the goal is to have every non-local user use the same value, enter #value to provide each user with that value at login. Another feature, variable mappings, is not available with the Active Directory plug-in. It should also be noted that using static maps is only available from the command line using dsconfigad.

Timeout values

Controlling the timeout values for the Active Directory plug-in involves editing the ActiveDirectory.plist in /Library/Preferences/DirectoryService. First, note that this procedure is completely unsupported by Apple! A very common problem occurs with mobile accounts and Active Directory is extremely slow logins. This problem commonly occurs due to the fact that the Domain Controller is firewalled, and unavailable outside the corporate network. For each Domain Controller, a value of 240 seconds is assigned. Imagine what happens when the laptop user goes home. Login times, and even wake from sleep times can become almost unbearably long. Fortunately, an administrator who knows what values to change in the plist can alter them, reducing the timeout times manually. Open the ActiveDirectory.plist in your favorite editor. Next search for the following entries:

<key>LDAP Connection Timeout</key>
<string>240</string>

This entry usually occurs in multiple places. Depending on your environment, change the value to a lower value. Restart the computer, and the timeout values should be in effect. It has been reported that for some environments the value may get overwritten, but in my experience it has worked.

Question marks in the Dock

The last thing that appeared recently is the appearance of a host of question marks in the dock on Intel-based machines when using the Active Directory plug-in with mobile accounts. Credit Mike Yocom and Brian Warsing for this solution. It is a bit involved, but does solve the problem quite nicely.

Step one: Convert com.apple.dock.plist for each user to xml. This task is best accomplished with a loginhook. Here is the command:

plutil -convert xml1 -o /tmp/foo.xml com.apple.dock.plist

Step two: Use a bit of xmlmagic, using xsltproc to filter out "_CFURLAliasData" entries from the plist.

xsltproc -o com.apple.dock.plist /path/to/style-sheet/com-apple-dock-style.xsl /tmp/foo.xml

And the required style sheet:

<?xml version='1.0' encoding='utf-8'?>
<xsl:stylesheet version='1.0'
xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>
<xsl:output method='xml' version='1.0' encoding='utf-8' indent='yes'
doctype-public="-//Apple Computer//DTD PLIST 1.0//EN"
doctype-system="http://www.apple.com/DTDs/PropertyList-1.0.dtd"/>
<!-- This template copies the entire root -->
<xsl:template match="@*|node()">
    <xsl:copy>
        <xsl:apply-templates select="@*|node()"/>
    </xsl:copy>
</xsl:template>
<!-- This template removes the _CFURLAliasData node -->
<xsl:template match="array/dict/dict/dict/key">
    <xsl:variable name="foo">
        <xsl:value-of select="." />
    </xsl:variable>
    <xsl:choose>
        <xsl:when test="$foo = '_CFURLAliasData'">
            <!-- Do nothing. I mean don't print it -->
        </xsl:when>
        <xsl:otherwise>
            <!-- Output a copy of the orig. node -->
            <xsl:copy-of select="." />
        </xsl:otherwise>
    </xsl:choose>
</xsl:template>
<!-- This template dumps the data nodes with the alias data -->
<xsl:template match="array/dict/dict/dict/data">
    <xsl:for-each select="." />
</xsl:template>
</xsl:stylesheet>

Step 3: There is no step 3!

It really is that simple once all of the pieces are in place, and solves the immediate problem so that question marks will not appear in the dock. This month, we've tackled some of the most recent issues with Active Directory. As always, Active Directory integration continues to be a very complex problem, as each environment has unique qualities. Keep sending in feedback to Apple, and keep discussing on the lists, to make the Active Directory plug-in as good as it can be! One last thing, check out the following Best Practices paper about Active Directory integration from Apple: http://images.apple.com/itpro/pdf/AD_Best_Practices_2.0.pdf. It also supplies very useful information about troubleshooting and integration. Until next month, see you on the lists!


Philip Rinehart is co-chair of the steering committee leading the Mac OS X Enterprise Project (macenterprise.org) and is the Lead Mac Analyst at Yale University. He has been using Macintosh Computers since the days of the Macintosh SE, and Mac OS X since its Developer Preview Release. Before coming to Yale, he worked as a Unix system administrator for a dot-com company. He can be reached at: philip.rinehart@yale.edu. The MacEnterprise project is a community of IT professionals sharing information and solutions to support Macs in an enterprise. We collaborate on the deployment, management, and integration of Mac OS X client and server computers into multi-platform computing environments.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Tor Browser 12.5.5 - Anonymize Web brows...
Using Tor Browser you can protect yourself against tracking, surveillance, and censorship. Tor was originally designed, implemented, and deployed as a third-generation onion-routing project of the U.... Read more
Malwarebytes 4.21.9.5141 - Adware remova...
Malwarebytes (was AdwareMedic) helps you get your Mac experience back. Malwarebytes scans for and removes code that degrades system performance or attacks your system. Making your Mac once again your... Read more
TinkerTool 9.5 - Expanded preference set...
TinkerTool is an application that gives you access to additional preference settings Apple has built into Mac OS X. This allows to activate hidden features in the operating system and in some of the... Read more
Paragon NTFS 15.11.839 - Provides full r...
Paragon NTFS breaks down the barriers between Windows and macOS. Paragon NTFS effectively solves the communication problems between the Mac system and NTFS. Write, edit, copy, move, delete files on... Read more
Apple Safari 17 - Apple's Web brows...
Apple Safari is Apple's web browser that comes bundled with the most recent macOS. Safari is faster and more energy efficient than other browsers, so sites are more responsive and your notebook... Read more
Firefox 118.0 - Fast, safe Web browser.
Firefox offers a fast, safe Web browsing experience. Browse quickly, securely, and effortlessly. With its industry-leading features, Firefox is the choice of Web development professionals and casual... Read more
ClamXAV 3.6.1 - Virus checker based on C...
ClamXAV is a popular virus checker for OS X. Time to take control ClamXAV keeps threats at bay and puts you firmly in charge of your Mac’s security. Scan a specific file or your entire hard drive.... Read more
SuperDuper! 3.8 - Advanced disk cloning/...
SuperDuper! is an advanced, yet easy to use disk copying program. It can, of course, make a straight copy, or "clone" - useful when you want to move all your data from one machine to another, or do a... Read more
Alfred 5.1.3 - Quick launcher for apps a...
Alfred is an award-winning productivity application for OS X. Alfred saves you time when you search for files online or on your Mac. Be more productive with hotkeys, keywords, and file actions at... Read more
Sketch 98.3 - Design app for UX/UI for i...
Sketch is an innovative and fresh look at vector drawing. Its intentionally minimalist design is based upon a drawing space of unlimited size and layers, free of palettes, panels, menus, windows, and... Read more

Latest Forum Discussions

See All

Listener Emails and the iPhone 15! – The...
In this week’s episode of The TouchArcade Show we finally get to a backlog of emails that have been hanging out in our inbox for, oh, about a month or so. We love getting emails as they always lead to interesting discussion about a variety of topics... | Read more »
TouchArcade Game of the Week: ‘Cypher 00...
This doesn’t happen too often, but occasionally there will be an Apple Arcade game that I adore so much I just have to pick it as the Game of the Week. Well, here we are, and Cypher 007 is one of those games. The big key point here is that Cypher... | Read more »
SwitchArcade Round-Up: ‘EA Sports FC 24’...
Hello gentle readers, and welcome to the SwitchArcade Round-Up for September 29th, 2023. In today’s article, we’ve got a ton of news to go over. Just a lot going on today, I suppose. After that, there are quite a few new releases to look at... | Read more »
‘Storyteller’ Mobile Review – Perfect fo...
I first played Daniel Benmergui’s Storyteller (Free) through its Nintendo Switch and Steam releases. Read my original review of it here. Since then, a lot of friends who played the game enjoyed it, but thought it was overpriced given the short... | Read more »
An Interview with the Legendary Yu Suzuk...
One of the cool things about my job is that every once in a while, I get to talk to the people behind the games. It’s always a pleasure. Well, today we have a really special one for you, dear friends. Mr. Yu Suzuki of Ys Net, the force behind such... | Read more »
New ‘Marvel Snap’ Update Has Balance Adj...
As we wait for the information on the new season to drop, we shall have to content ourselves with looking at the latest update to Marvel Snap (Free). It’s just a balance update, but it makes some very big changes that combined with the arrival of... | Read more »
‘Honkai Star Rail’ Version 1.4 Update Re...
At Sony’s recently-aired presentation, HoYoverse announced the Honkai Star Rail (Free) PS5 release date. Most people speculated that the next major update would arrive alongside the PS5 release. | Read more »
‘Omniheroes’ Major Update “Tide’s Cadenc...
What secrets do the depths of the sea hold? Omniheroes is revealing the mysteries of the deep with its latest “Tide’s Cadence" update, where you can look forward to scoring a free Valkyrie and limited skin among other login rewards like the 2nd... | Read more »
Recruit yourself some run-and-gun royalt...
It is always nice to see the return of a series that has lost a bit of its global staying power, and thanks to Lilith Games' latest collaboration, Warpath will be playing host the the run-and-gun legend that is Metal Slug 3. [Read more] | Read more »
‘The Elder Scrolls: Castles’ Is Availabl...
Back when Fallout Shelter (Free) released on mobile, and eventually hit consoles and PC, I didn’t think it would lead to something similar for The Elder Scrolls, but here we are. The Elder Scrolls: Castles is a new simulation game from Bethesda... | Read more »

Price Scanner via MacPrices.net

Clearance M1 Max Mac Studio available today a...
Apple has clearance M1 Max Mac Studios available in their Certified Refurbished store for $270 off original MSRP. Each Mac Studio comes with Apple’s one-year warranty, and shipping is free: – Mac... Read more
Apple continues to offer 24-inch iMacs for up...
Apple has a full range of 24-inch M1 iMacs available today in their Certified Refurbished store. Models are available starting at only $1099 and range up to $260 off original MSRP. Each iMac is in... Read more
Final weekend for Apple’s 2023 Back to School...
This is the final weekend for Apple’s Back to School Promotion 2023. It remains active until Monday, October 2nd. Education customers receive a free $150 Apple Gift Card with the purchase of a new... Read more
Apple drops prices on refurbished 13-inch M2...
Apple has dropped prices on standard-configuration 13″ M2 MacBook Pros, Certified Refurbished, to as low as $1099 and ranging up to $230 off MSRP. These are the cheapest 13″ M2 MacBook Pros for sale... Read more
14-inch M2 Max MacBook Pro on sale for $300 o...
B&H Photo has the Space Gray 14″ 30-Core GPU M2 Max MacBook Pro in stock and on sale today for $2799 including free 1-2 day shipping. Their price is $300 off Apple’s MSRP, and it’s the lowest... Read more
Apple is now selling Certified Refurbished M2...
Apple has added a full line of standard-configuration M2 Max and M2 Ultra Mac Studios available in their Certified Refurbished section starting at only $1699 and ranging up to $600 off MSRP. Each Mac... Read more
New sale: 13-inch M2 MacBook Airs starting at...
B&H Photo has 13″ MacBook Airs with M2 CPUs in stock today and on sale for $200 off Apple’s MSRP with prices available starting at only $899. Free 1-2 day delivery is available to most US... Read more
Apple has all 15-inch M2 MacBook Airs in stoc...
Apple has Certified Refurbished 15″ M2 MacBook Airs in stock today starting at only $1099 and ranging up to $230 off MSRP. These are the cheapest M2-powered 15″ MacBook Airs for sale today at Apple.... Read more
In stock: Clearance M1 Ultra Mac Studios for...
Apple has clearance M1 Ultra Mac Studios available in their Certified Refurbished store for $540 off original MSRP. Each Mac Studio comes with Apple’s one-year warranty, and shipping is free: – Mac... Read more
Back on sale: Apple’s M2 Mac minis for $100 o...
B&H Photo has Apple’s M2-powered Mac minis back in stock and on sale today for $100 off MSRP. Free 1-2 day shipping is available for most US addresses: – Mac mini M2/256GB SSD: $499, save $100 –... Read more

Jobs Board

Licensed Dental Hygienist - *Apple* River -...
Park Dental Apple River in Somerset, WI is seeking a compassionate, professional Dental Hygienist to join our team-oriented practice. COMPETITIVE PAY AND SIGN-ON Read more
Sublease Associate Optometrist- *Apple* Val...
Sublease Associate Optometrist- Apple Valley, CA- Target Optical Date: Sep 30, 2023 Brand: Target Optical Location: Apple Valley, CA, US, 92307 **Requisition Read more
*Apple* / Mac Administrator - JAMF - Amentum...
Amentum is seeking an ** Apple / Mac Administrator - JAMF** to provide support with the Apple Ecosystem to include hardware and software to join our team and Read more
Child Care Teacher - Glenda Drive/ *Apple* V...
Child Care Teacher - Glenda Drive/ Apple ValleyTeacher Share by Email Share on LinkedIn Share on Twitter Read more
Cashier - *Apple* Blossom Mall - JCPenney (...
Cashier - Apple Blossom Mall Location:Winchester, VA, United States (https://jobs.jcp.com/jobs/location/191170/winchester-va-united-states) - Apple Blossom Mall Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.