389 directory server
TRANSCRIPT
-
7/24/2019 389 Directory Server
1/24
389 Directory Server:
The 389 directory server is a LDAP (Lightweight directory access protocol) server developed byRed Hat. The name 389 is derived from the LDAP port number. Though 389 server is being built
on top of fedora, it supports many operating system such as CentOS, Scientific Linux, Debian
and solaris etc.
Features:
Multi-Master Replication, to provide fault tolerance and high write performance
Scalability: thousands of operations per second, tens of thousands of concurrent users,
tens of millions of entries, hundreds of gigabytes of data
The codebase has been developed and deployed continuously by the same team for morethan a decade
Extensive documentation, including helpful Installation and Deployment guides
Active Directory user and group synchronization
Secure authentication and transport (SSLv3, TLSv1, and SASL) Support for LDAPv3
On-line, zero downtime, LDAP-based update of schema, configuration, management and
in-tree Access Control Information (ACIs)
Graphical console for all facets of user, group, and server management
Prerequistes:
1. Make sure that your server is properly configured with DNS server with proper FQDN.
Navigate to thislinkto congure your DNS server.
2.
Configure the firewall to allow LDAP ports in your server. To do that open the iptablesconfig file and enter the lines as shown below. Changes which i have made in the config
files are shown in bold letters.
[root@server ~]# nano /etc/sysconfig/iptables# Firewall configuration written by system-config-firewall# Manual customization of this file is not recommended.*filter:INPUT ACCEPT [0:0]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [0:0]-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT-A INPUT -j REJECT --reject-with icmp-host-prohibited-A FORWARD -j REJECT --reject-with icmp-host-prohibited-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPTCOMMIT
http://ostechnix.wordpress.com/2013/01/25/setup-dns-server-step-by-step-in-centos-6-3-rhel-6-3-scientific-linux-6-3-3/http://ostechnix.wordpress.com/2013/01/25/setup-dns-server-step-by-step-in-centos-6-3-rhel-6-3-scientific-linux-6-3-3/http://ostechnix.wordpress.com/2013/01/25/setup-dns-server-step-by-step-in-centos-6-3-rhel-6-3-scientific-linux-6-3-3/http://ostechnix.wordpress.com/2013/01/25/setup-dns-server-step-by-step-in-centos-6-3-rhel-6-3-scientific-linux-6-3-3/ -
7/24/2019 389 Directory Server
2/24
1. Restart iptables to save the changes.
[root@server ~]# service iptables restartiptables: Flushing firewall rules: [ OK ]iptables: Setting chains to policy ACCEPT: filter [ OK ]iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
1. Add and install the EPEL repository to install 389ds package.
[root@server ~]# wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm--2013-02-05 13:00:46-- http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpmResolving dl.fedoraproject.org... 209.132.181.23, 209.132.181.24,209.132.181.25, ...Connecting to dl.fedoraproject.org|209.132.181.23|:80... connected.HTTP request sent, awaiting response... 200 OKLength: 14540 (14K) [application/x-rpm]
Saving to: `epel-release-6-8.noarch.rpm'100%[======================================>] 14,540 30.9K/s in0.5s2013-02-05 13:00:48 (30.9 KB/s) - `epel-release-6-8.noarch.rpm' saved[14540/14540][root@server ~]# rpm -ivh epel-release-6-8.noarch.rpmwarning: epel-release-6-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID0608b895: NOKEYPreparing... ###########################################[100%]
1:epel-release ###########################################[100%]
1.
Before start to install and configure 389 directory server we should adjust someperformance and security settings in the server.
5.1. Open the/etc/sysctl .conffile and add the lines as shown below. Changes which i have made
in the config files are shown in bold letters.
[root@server ~]# nano /etc/sysctl.conf## Kernel sysctl configuration file for Red Hat Linux# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and# sysctl.conf(5) for more details.# Controls IP packet forwarding
net.ipv4.ip_forward = 0# Controls source route verificationnet.ipv4.conf.default.rp_filter = 1# Do not accept source routingnet.ipv4.conf.default.accept_source_route = 0# Controls the System Request debugging functionality of the kernelkernel.sysrq = 0# Controls whether core dumps will append the PID to the core filename.# Useful for debugging multi-threaded applications.kernel.core_uses_pid = 1
-
7/24/2019 389 Directory Server
3/24
# Controls the use of TCP syncookiesnet.ipv4.tcp_syncookies = 1# Disable netfilter on bridges.net.bridge.bridge-nf-call-ip6tables = 0net.bridge.bridge-nf-call-iptables = 0net.bridge.bridge-nf-call-arptables = 0# Controls the default maxmimum size of a mesage queuekernel.msgmnb = 65536# Controls the maximum size of a message, in byteskernel.msgmax = 65536# Controls the maximum shared segment size, in byteskernel.shmmax = 4294967295# Controls the maximum number of shared memory segments, in pageskernel.shmall = 268435456net.ipv4.tcp_keepalive_time = 300net.ipv4.ip_local_port_range = 1024 65000fs.file-max = 64000
Check the changes you have made before.
[root@server ~]# sysctl -pnet.ipv4.ip_forward = 0net.ipv4.conf.default.rp_filter = 1net.ipv4.conf.default.accept_source_route = 0kernel.sysrq = 0kernel.core_uses_pid = 1net.ipv4.tcp_syncookies = 1error: "net.bridge.bridge-nf-call-ip6tables" is an unknown keyerror: "net.bridge.bridge-nf-call-iptables" is an unknown keyerror: "net.bridge.bridge-nf-call-arptables" is an unknown keykernel.msgmnb = 65536kernel.msgmax = 65536kernel.shmmax = 4294967295
kernel.shmall = 268435456net.ipv4.tcp_keepalive_time = 300net.ipv4.ip_local_port_range = 1024 65000fs.file-max = 64000
5.2. Edit the file descriptors in/etc/secur i ty/l imi ts.conffile and add the lines as shown below atthe end. Changes which i have made in the config files are shown in bold letters.
[root@server ~]# nano /etc/security/limits.conf# /etc/security/limits.conf##Each line describes a limit for a user in the form:## ##Where:# can be:# - an user name# - a group name, with @group syntax# - the wildcard *, for default entry# - the wildcard %, can be also used with %group syntax,# for maxlogin limit
-
7/24/2019 389 Directory Server
4/24
## can have the two values:# - "soft" for enforcing the soft limits# - "hard" for enforcing hard limits## can be one of the following:# - core - limits the core file size (KB)# - data - max data size (KB)# - fsize - maximum filesize (KB)# - memlock - max locked-in-memory address space (KB)# - nofile - max number of open files# - rss - max resident set size (KB)# - stack - max stack size (KB)# - cpu - max CPU time (MIN)# - nproc - max number of processes# - as - address space limit (KB)# - maxlogins - max number of logins for this user# - maxsyslogins - max number of logins on the system# - priority - the priority to run user process with# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals# - msgqueue - max memory used by POSIX message queues (bytes)# - nice - max nice priority allowed to raise to values: [-20, 19]# - rtprio - max realtime priority## ##* soft core 0#* hard rss 10000#@student hard nproc 20#@faculty soft nproc 20#@faculty hard nproc 50#ftp hard nproc 0#@student - maxlogins 4# End of file*softnofile8192*hardnofile8192
5.3. Open the/etc/profi lefile and add the line as shown below. Changes are shown in bold.
[root@server ~]# nano /etc/profile# /etc/profile# System wide environment and startup programs, for login setup# Functions and aliases go in /etc/bashrc# It's NOT a good idea to change this file unless you know what you# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this# will prevent the need for merging in future updates.pathmunge () {
case ":${PATH}:" in*:"$1":*)
;;*)
if [ "$2" = "after" ] ; thenPATH=$PATH:$1
else
-
7/24/2019 389 Directory Server
5/24
PATH=$1:$PATHfi
esac}
if [ -x /usr/bin/id ]; thenif [ -z "$EUID" ]; then
# ksh workaroundEUID=`id -u`UID=`id -ru`
fiUSER="`id -un`"LOGNAME=$USERMAIL="/var/spool/mail/$USER"
fi# Path manipulationif [ "$EUID" = "0" ]; then
pathmunge /sbinpathmunge /usr/sbinpathmunge /usr/local/sbin
elsepathmunge /usr/local/sbin afterpathmunge /usr/sbin afterpathmunge /sbin after
fiHOSTNAME=`/bin/hostname 2>/dev/null`HISTSIZE=1000if [ "$HISTCONTROL" = "ignorespace" ] ; then
export HISTCONTROL=ignorebothelse
export HISTCONTROL=ignoredupsfiexport PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL# By default, we want umask to get set. This sets it for login shell# Current threshold for system reserved uid/gids is 200# You could check uidgid reservation validity in# /usr/share/doc/setup-*/uidgid fileif [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
umask 002else
umask 022fifor i in /etc/profile.d/*.sh ; do
if [ -r "$i" ]; thenif [ "${-#*i}" != "$-" ]; then
. "$i"else
. "$i" >/dev/null 2>&1fi
fidoneunset iunset pathmungeulimit-n8192
-
7/24/2019 389 Directory Server
6/24
5.4. Add the following to the end of your/etc/pam.d/loginfile as shown below. Changes which i
have made in the config files are shown in bold letters.
[root@server ~]# nano /etc/pam.d/login#%PAM-1.0auth [user_unknown=ignore success=ok ignore=ignore default=bad]
pam_securetty.soauth include system-authaccount required pam_nologin.soaccount include system-authpassword include system-auth# pam_selinux.so close should be the first session rulesession required pam_selinux.so closesession required pam_loginuid.sosession optional pam_console.so# pam_selinux.so open should only be followed by sessions to be executed inthe user contextsession required pam_selinux.so opensession required pam_namespace.so
session optional pam_keyinit.so force revokesession include system-auth-session optional pam_ck_connector.sosession required /lib/security/pam_limits.so
1. Add a user called fedora-ds.
[root@server ~]# useradd fedora-ds[root@server ~]# passwd fedora-dsChanging password for user fedora-ds.New password:BAD PASSWORD: it is based on a dictionary wordRetype new password:
passwd: all authentication tokens updated successfully.
Install LDAP server:
[root@server ~]# yum install 389-ds openldap-clients -y
Confiure 389 Directory server
[root@server ~]# setup-ds-admin.pl==============================================================================
This program will set up the 389 Directory and Administration Servers.It is recommended that you have "root" privilege to set up the software.Tips for using this program:
- Press "Enter" to choose the default and go to the next screen- Type "Control-B" then "Enter" to go back to the previous screen- Type "Control-C" to cancel the setup program
Would you like to continue with set up? [yes]: ##press enter##==============================================================================Your system has been scanned for potential problems, missing patches,
-
7/24/2019 389 Directory Server
7/24
etc. The following output is a report of the items found that need tobe addressed before running this software in a productionenvironment.389 Directory Server system tuning analysis version 10-AUGUST-2007.NOTICE : System is i686-unknown-linux2.6.32-279.el6.i686 (1 processor).WARNING: 622MB of physical memory is available on the system. 1024MB isrecommended for best performance on large production system.WARNING: There are only 1024 file descriptors (soft limit) available, whichlimit the number of simultaneous connections.WARNING : The warning messages above should be reviewed before proceeding.Would you like to continue? [no]: yes ##type yes and press enter##==============================================================================Choose a setup type:
1. ExpressAllows you to quickly set up the servers using the mostcommon options and pre-defined defaults. Useful for quickevaluation of the products.
2. TypicalAllows you to specify common defaults and options.
3. CustomAllows you to specify more advanced options. This isrecommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.Choose a setup type [2]: 2 ##type 2 and press enter##==============================================================================Enter the fully qualified domain name of the computeron which you're setting up server software. Using the form.Example: eros.example.com.To accept the default shown in brackets, press the Enter key.Warning: This step may take a few minutes if your DNS serverscan not be reached or if DNS is not configured correctly. Ifyou would rather not wait, hit Ctrl-C and run this program againwith the following command line option to specify the hostname:
General.FullMachineName=your.hostname.domain.nameComputer name [server.ostechnix.com]: ##press enter##==============================================================================The servers must run as a specific user in a specific group.It is strongly recommended that this user should have no privilegeson the computer (i.e. a non-root user). The setup procedurewill give this user/group some permissions in specific paths/filesto perform server-specific operations.If you have not yet created a user and group for the servers,create this user and group using your native operating
system utilities.System User [nobody]: fedora-ds ##input your yourname which you createdearlier and press enter##System Group [nobody]: fedora-ds==============================================================================Server information is stored in the configuration directory server.This information is used by the console and administration server toconfigure and manage your servers. If you have already set up aconfiguration directory server, you should register any servers you
-
7/24/2019 389 Directory Server
8/24
set up or create with the configuration server. To do so, thefollowing information about the configuration server is required: thefully qualified host name of the form.(e.g. hostname.example.com), the port number(default 389), the suffix, the DN and password of a user havingpermission to write the configuration information, usually theconfiguration directory administrator, and if you are using security(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) portnumber (default 636) instead of the regular LDAP port number, andprovide the CA certificate (in PEM/ASCII format).If you do not yet have a configuration directory server, enter 'No' tobe prompted to set up one.Do you want to register this software with an existingconfiguration directory server? [no]: ##press enter##==============================================================================Please enter the administrator ID for the configuration directoryserver. This is the ID typically used to log in to the console. Youwill also be prompted for the password.Configuration directory server
administrator ID [admin]: ##enter the password and press enter##Password:Password (confirm):==============================================================================The information stored in the configuration directory server can beseparated into different Administration Domains. If you are managingmultiple software releases at the same time, or managing informationabout multiple domains, you may use the Administration Domain to keepthem separate.If you are not using administrative domains, press Enter to select thedefault. Otherwise, enter some descriptive, unique name for theadministration domain, such as the name of the organizationresponsible for managing the domain.Administration Domain [ostechnix.com]: ##press enter##==============================================================================The standard directory server network port number is 389. However, ifyou are not logged as the superuser, or port 389 is in use, thedefault value will be a random unused port number greater than 1024.If you want to use port 389, make sure that you are logged in as thesuperuser, that port 389 is not in use.Directory server network port [389]: ##press enter##==============================================================================Each instance of a directory server requires a unique identifier.This identifier is used to name the various
instance specific files and directories in the file system,as well as for other uses as a server instance identifier.Directory server identifier [server]: ##press enter##==============================================================================The suffix is the root of your directory tree. The suffix must be a validDN.It is recommended that you use the dc=domaincomponent suffix convention.For example, if your domain is example.com,you should use dc=example,dc=com for your suffix.
-
7/24/2019 389 Directory Server
9/24
Setup will create this initial suffix for you,but you may have more than one suffix.Use the directory server utilities to create additional suffixes.Suffix [dc=ostechnix, dc=com]: ##press enter##==============================================================================Certain directory server operations require an administrative user.This user is referred to as the Directory Manager and typically has abind Distinguished Name (DN) of cn=Directory Manager.You will also be prompted for the password for this user. The password mustbe at least 8 characters long, and contain no spaces.Press Control-B or type the word "back", then Enter to back up and startover.Directory Manager DN [cn=Directory Manager]: ##press enter##Password:Password (confirm):==============================================================================The Administration Server is separate from any of your web or applicationservers since it listens to a different port and access to it is
restricted.Pick a port number between 1024 and 65535 to run your AdministrationServer on. You should NOT use a port number which you plan torun a web or application server on, rather, select a number which youwill remember and which will not be used for anything else.Administration port [9830]: ##press enter##==============================================================================The interactive phase is complete. The script will now set up yourservers. Enter No or go Back if you want to change something.Are you ready to set up your servers? [yes]:Creating directory server . . .Your new DS instance 'server' was successfully created.Creating the configuration directory server . . .Beginning Admin Server creation . . .Creating Admin Server files and directories . . .Updating adm.conf . . .Updating admpw . . .Registering admin server with the configuration directory server . . .Updating adm.conf with information from configuration directory server . . .Updating the configuration for the httpd engine . . .Starting admin server . . .output: Starting dirsrv-admin:output: [ OK ]The admin server was successfully started.Admin server was successfully created, configured, and started.Exiting . . .
Log file is '/tmp/setupkmf7gF.log'
Test LDAP server
[root@server ~]# ldapsearch -x -b "dc=ostechnix,dc=com"# extended LDIF## LDAPv3# base with scope subtree
-
7/24/2019 389 Directory Server
10/24
# filter: (objectclass=*)# requesting: ALL## ostechnix.comdn: dc=ostechnix,dc=comobjectClass: topobjectClass: domaindc: ostechnix# Directory Administrators, ostechnix.comdn: cn=Directory Administrators,dc=ostechnix,dc=comobjectClass: topobjectClass: groupofuniquenamescn: Directory AdministratorsuniqueMember: cn=Directory Manager# Groups, ostechnix.comdn: ou=Groups,dc=ostechnix,dc=comobjectClass: topobjectClass: organizationalunitou: Groups# People, ostechnix.com
dn: ou=People,dc=ostechnix,dc=comobjectClass: topobjectClass: organizationalunitou: People# Special Users, ostechnix.comdn: ou=Special Users,dc=ostechnix,dc=comobjectClass: topobjectClass: organizationalUnitou: Special Usersdescription: Special Administrative Accounts# Accounting Managers, Groups, ostechnix.comdn: cn=Accounting Managers,ou=Groups,dc=ostechnix,dc=comobjectClass: topobjectClass: groupOfUniqueNamescn: Accounting Managersou: groupsdescription: People who can manage accounting entriesuniqueMember: cn=Directory Manager# HR Managers, Groups, ostechnix.comdn: cn=HR Managers,ou=Groups,dc=ostechnix,dc=comobjectClass: topobjectClass: groupOfUniqueNamescn: HR Managersou: groupsdescription: People who can manage HR entriesuniqueMember: cn=Directory Manager# QA Managers, Groups, ostechnix.com
dn: cn=QA Managers,ou=Groups,dc=ostechnix,dc=comobjectClass: topobjectClass: groupOfUniqueNamescn: QA Managersou: groupsdescription: People who can manage QA entriesuniqueMember: cn=Directory Manager# PD Managers, Groups, ostechnix.comdn: cn=PD Managers,ou=Groups,dc=ostechnix,dc=comobjectClass: top
-
7/24/2019 389 Directory Server
11/24
objectClass: groupOfUniqueNamescn: PD Managersou: groupsdescription: People who can manage engineer entriesuniqueMember: cn=Directory Manager# search resultsearch: 2result: 0 Success# numResponses: 10# numEntries: 9
If you get search: 2anywhere in the above result youre done. LDAP server is working now.
Make the LDAP server to start automatically on every reboot.
[root@server ~]# chkconfig dirsrv on
http://sysads.co.uk/2014/05/install-apache-directory-server-2-0-0-m16-ubuntu-14-04/
https://help.ubuntu.com/community/ApacheDS%20-%20LDAP%20-%20Kerberos%20-%20NFS4
https://www.microsoft.com/en-us/download/details.aspx?id=7887
http://www.turnkeylinux.org/domain-controller
Folder Redirection using Group Policy - Samba 4 AD DC
I must give credit where credit is due. I found this excellent article which details configuring the
NTFS share and creating the group policy object for Windows Server 2008:
Configuring Folder Redirection in Windows Server 2008
What You Must Have
http://sysads.co.uk/2014/05/install-apache-directory-server-2-0-0-m16-ubuntu-14-04/http://sysads.co.uk/2014/05/install-apache-directory-server-2-0-0-m16-ubuntu-14-04/https://help.ubuntu.com/community/ApacheDS%20-%20LDAP%20-%20Kerberos%20-%20NFS4https://help.ubuntu.com/community/ApacheDS%20-%20LDAP%20-%20Kerberos%20-%20NFS4https://www.microsoft.com/en-us/download/details.aspx?id=7887https://www.microsoft.com/en-us/download/details.aspx?id=7887http://www.turnkeylinux.org/domain-controllerhttp://www.turnkeylinux.org/domain-controllerhttp://www.itechtalk.com/thread1958.htmlhttp://www.itechtalk.com/thread1958.htmlhttp://www.itechtalk.com/thread1958.htmlhttp://www.turnkeylinux.org/domain-controllerhttps://www.microsoft.com/en-us/download/details.aspx?id=7887https://help.ubuntu.com/community/ApacheDS%20-%20LDAP%20-%20Kerberos%20-%20NFS4http://sysads.co.uk/2014/05/install-apache-directory-server-2-0-0-m16-ubuntu-14-04/ -
7/24/2019 389 Directory Server
12/24
This article assumes you have the following:
Fully functional Samba 4 active directory domain controller installed and operational.(Please
see my Samba 4 howto for further information)
You have attached at least one Windows 7/8 client to the domain.
Remote Server Administration Toolsis installed on your Windows host that will be accessing
your domain controller.
You have a basic understanding of Active Directory and working with group policy.
Basic Rules to Remember
1.
Do not create user folders manually within the server share (i.e. \\server\users\username). You
need to allow the system to create these folders automatically so the correct NTFS permissions
will be applied.
2.
Enable client-side caching to utilize offline file synchronization. This has been tested and works
fine on a Samba 4 domain controller when using Windows clients. Depending on your
organization's security policies, you may want to disable this feature.
3.
You must use fully qualified UNC paths even when accessing your network share via a file
manager such as Windows Explorer.
4.
Depending on your version of Samba 4, your installation path may vary. This howto is using a
samba 4 installation via git and therefore the installation path is/usr/local/samba. Edit your
'smb.conf' file where appropriate.
Create the 'root' Network ShareThis example is using the Samba 4 domain controller itself to host the network shares. If this is
unacceptable to you or you wish to use another file server for your network shares, simply make
the changes necessary where needed. If you are using aSamba 4 domain memberthat is not aDC, you will still need to set the NTFS permissions as outlined below.
To create the network share on the Samba 4 AD DC (or another samba 4 domain member),
simply follow these steps:
1. As root user on your Samba 4 DC, use 'vi' or your favourite text editor and append your
'smb.conf' to contain this:
[Users]path = /data/Userscomment = user folders for redirectionread only = No
Save the file and exit 'vi'.
http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controllerhttp://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controllerhttp://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controllerhttp://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controllerhttp://www.microsoft.com/en-us/download/details.aspx?id=7887http://www.microsoft.com/en-us/download/details.aspx?id=7887https://wiki.samba.org/index.php/Samba4/Domain_Memberhttps://wiki.samba.org/index.php/Samba4/Domain_Memberhttps://wiki.samba.org/index.php/Samba4/Domain_Memberhttps://wiki.samba.org/index.php/Samba4/Domain_Memberhttp://www.microsoft.com/en-us/download/details.aspx?id=7887http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controllerhttp://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller -
7/24/2019 389 Directory Server
13/24
2. Create the directory 'Users' in the path you specified above:
# mkdir -p /data/Users
3. Restart samba or reboot the server.
NOTE: Now for folder redirection to work properly, YOU MUST configure the NTFS as
follows on the Samba4 server.
4. Log on to a Windows 7/8 client computer as a domain administrator that has been bound to
the domain.
5. Using Windows Explorer, use a fully qualified UNC path like this:
\\samba.mydomain.com\
Substitute for your servername and domain above.
6. You should see the following folders:
netlogonsysvolUsers
Do not delete 'netlogon' or 'sysvol' as they are required for your domain controller!
7. Right-click on 'Users' and choose 'Properties', then click on the 'Security' tab. Configureexactly as follows:
Configure the folder to not inherit permissions and remove all existing permissions. This means
removing ALL groups or usernames. You may need to use the 'Advanced' button.
Add the file servers local Administrators group with Full Control of This Folder, Subfolders, and
Files. You will need to click the 'Advanced' button 'For special permissions or advanced settings'
and then 'Change Permissions'.
Add the Domain Admins domain security group with Full Control of This Folder, Subfolders, and
Files.
Add the SYSTEM account with Full Control of This Folder, Subfolders, and Files.
Add the Creator/Owner with Full Control of Subfolders and Files only.
Add the Authenticated Users group with both List Folder/Read Data and Create Folders/Append
DataThis Folder Only rights. The Authenticated Users group can be replaced with the desired
group, but do not choose the Everyone group as a best practice. NOTE: Since I am using Samba4
I also needed to add, 'Traverse folder / execute file', 'Create files / write data', and 'Change
permissions'. This is important or else folder redirection will not work!
Now make sure you 'Apply' all changes and click 'OK'. Double, triple check these permissions as
this is the main cause of the folder redirection failure!
-
7/24/2019 389 Directory Server
14/24
8. Right-click on the 'Users' folder and enable 'Always available offline'. This will allow offline
files to work and then sync any files once the client logs back onto the domain (good for laptop
users). Do not enable this if it violates your company's security policy.
9. As a precaution, restart Samba or reboot the server to make sure settings will stick. Once the
Samba4 server has rebooted, double check all the permissions again and make sure 'Alwaysavailable offline' is still enabled.
If everything appears to be okay, you can now create the GPO for folder redirection.
Create the Folder Redirection GPO
For the following to work it is assumed that you have configured your Samba 4 AD DC and havecreated some Organizational Units for your domain. You should also have a test user created and
RSAT installed on your Windows client.
1. Log on to a Windows 7/8 client computer as a domain administrator that has been bound to
the domain.
2. Launch the 'Group Policy Management' console:
Start -> All Programs -> Administrative Tools -> Group Policy Management
3. Either select an already existing GPO that is applied to an OU or create a new one. Right-click
the GPO and choose 'Edit'. Then go to:
User Configuration -> Policies -> Windows Settings -> Folder Redirection
4. Right-click on 'Documents' and select 'Properties'. On the 'Target' tab configure as follows:
Setting: Basic - Redirect everyone's folder to the same location
Target folder location: Create a folder for each user under the root pathRoot Path: \\samba.mydomain.com\Users
NOTE: You should notice a preview at the bottom showing 'For user Clair, this folder will beredirected to: \\samba.mydomain.com\Users\Clair\Documents'
5. At the top select the 'Settings' tab and uncheck the 'Grant the User Exclusive Rights toDocuments' check box. Leave the remaining check boxes unchanged.
6. Click OK to complete the folder redirection configuration. A pop-up opens that states that thispolicy will not display the Folder Redirection node if an administrator or user attempts to
configure or view this group policy using policy management tools from Windows 2000,
-
7/24/2019 389 Directory Server
15/24
Windows XP, or Windows Server 2003. Click Yes to accept this warning and configure the
folder redirection.
7. Back in the 'Group Policy Management Editor' window, close the GPO.
8. Make sure that the GPO has 'Authenticated Users' (or another security group you're using)listed in 'Security Filtering'.
9. Link the new GPO policy (if not done already) to an OU with a user account that can be used
to test this policy. This user must log on to a Windows Vista/7/8 computer to allow proper
processing of this policy.
10. Log on to a Windows Vista/7/8 system with the test user account. After the profile completes
loading, click the Start button, and locate and right-click the Documents folder and then select
Properties. Select the Location tab and verify the path. For example, for a user named Tom, thepath should be \\samba.mydomain.com\Users\Tom\Documents.
Your folder redirection should now work. If you continue to have your 'Documents' folder pathshowing C:\Users\xxx and not the server share, it is most likely due to permissions on the root
'Users' folder. The NTFS permissions must be set corr ectly on the server share or f older
redirection wil l fail.
Having the correct permissions set on the server share also protects users from accessing anotheruser's files. If you set the permissions correctly as outlined in this howto you should be able to
test this successfully.
Troubleshooting
You may have to run 'gpupdate' as an admin from the command line on the windows 7 client.
However, a reboot should force the GPO to update on the Windows host.
I noticed I had to reboot the Win 7 client twice in a row after logging in as the test user. Once I
did this twice then my redirections worked.
You may need to reboot the Samba 4 AD DC for permissions to stick on the 'Users\username'
folders. This may not be necessary but worth an attempt if you experience problems.
I must give credit where credit is due. I found this excellent article which details configuring the
NTFS share and creating the group policy object for Windows Server 2008:
Configuring Folder Redirection in Windows Server 2008
http://www.itechtalk.com/thread1958.htmlhttp://www.itechtalk.com/thread1958.htmlhttp://www.itechtalk.com/thread1958.html -
7/24/2019 389 Directory Server
16/24
What You Must Have
This article assumes you have the following:
Fully functional Samba 4 active directory domain controller installed and operational.(Please
see my Samba 4 howto for further information) You have attached at least one Windows 7/8 client to the domain.
Remote Server Administration Toolsis installed on your Windows host that will be accessing
your domain controller.
You have a basic understanding of Active Directory and working with group policy.
Basic Rules to Remember
1.
Do not create user folders manually within the server share (i.e. \\server\users\username). You
need to allow the system to create these folders automatically so the correct NTFS permissionswill be applied.
2.
Enable client-side caching to utilize offline file synchronization. This has been tested and works
fine on a Samba 4 domain controller when using Windows clients. Depending on your
organization's security policies, you may want to disable this feature.
3.
You must use fully qualified UNC paths even when accessing your network share via a file
manager such as Windows Explorer.
4.
Depending on your version of Samba 4, your installation path may vary. This howto is using a
samba 4 installation via git and therefore the installation path is/usr/local/samba. Edit your
'smb.conf' file where appropriate.
Create the 'root' Network Share
This example is using the Samba 4 domain controller itself to host the network shares. If this isunacceptable to you or you wish to use another file server for your network shares, simply make
the changes necessary where needed. If you are using aSamba 4 domain memberthat is not a
DC, you will still need to set the NTFS permissions as outlined below.
To create the network share on the Samba 4 AD DC (or another samba 4 domain member),
simply follow these steps:
1. As root user on your Samba 4 DC, use 'vi' or your favourite text editor and append your
'smb.conf' to contain this:
[Users]path = /data/Userscomment = user folders for redirectionread only = No
http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controllerhttp://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controllerhttp://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controllerhttp://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controllerhttp://www.microsoft.com/en-us/download/details.aspx?id=7887http://www.microsoft.com/en-us/download/details.aspx?id=7887https://wiki.samba.org/index.php/Samba4/Domain_Memberhttps://wiki.samba.org/index.php/Samba4/Domain_Memberhttps://wiki.samba.org/index.php/Samba4/Domain_Memberhttps://wiki.samba.org/index.php/Samba4/Domain_Memberhttp://www.microsoft.com/en-us/download/details.aspx?id=7887http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controllerhttp://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller -
7/24/2019 389 Directory Server
17/24
Save the file and exit 'vi'.
2. Create the directory 'Users' in the path you specified above:
# mkdir -p /data/Users
3. Restart samba or reboot the server.
NOTE: Now for folder redirection to work properly, YOU MUST configure the NTFS as
follows on the Samba4 server.
4. Log on to a Windows 7/8 client computer as a domain administrator that has been bound to
the domain.
5. Using Windows Explorer, use a fully qualified UNC path like this:
\\samba.mydomain.com\
Substitute for your servername and domain above.
6. You should see the following folders:
netlogonsysvolUsers
Do not delete 'netlogon' or 'sysvol' as they are required for your domain controller!
7. Right-click on 'Users' and choose 'Properties', then click on the 'Security' tab. Configureexactly as follows:
Configure the folder to not inherit permissions and remove all existing permissions. This means
removing ALL groups or usernames. You may need to use the 'Advanced' button.
Add the file servers local Administrators group with Full Control of This Folder, Subfolders, and
Files. You will need to click the 'Advanced' button 'For special permissions or advanced settings'
and then 'Change Permissions'.
Add the Domain Admins domain security group with Full Control of This Folder, Subfolders, and
Files.
Add the SYSTEM account with Full Control of This Folder, Subfolders, and Files.
Add the Creator/Owner with Full Control of Subfolders and Files only.
Add the Authenticated Users group with both List Folder/Read Data and Create Folders/Append
DataThis Folder Only rights. The Authenticated Users group can be replaced with the desired
group, but do not choose the Everyone group as a best practice. NOTE: Since I am using Samba4
I also needed to add, 'Traverse folder / execute file', 'Create files / write data', and 'Change
permissions'. This is important or else folder redirection will not work!
Now make sure you 'Apply' all changes and click 'OK'. Double, triple check these permissions as
this is the main cause of the folder redirection failure!
-
7/24/2019 389 Directory Server
18/24
8. Right-click on the 'Users' folder and enable 'Always available offline'. This will allow offline
files to work and then sync any files once the client logs back onto the domain (good for laptop
users). Do not enable this if it violates your company's security policy.
9. As a precaution, restart Samba or reboot the server to make sure settings will stick. Once the
Samba4 server has rebooted, double check all the permissions again and make sure 'Alwaysavailable offline' is still enabled.
If everything appears to be okay, you can now create the GPO for folder redirection.
Create the Folder Redirection GPO
For the following to work it is assumed that you have configured your Samba 4 AD DC and havecreated some Organizational Units for your domain. You should also have a test user created and
RSAT installed on your Windows client.
1. Log on to a Windows 7/8 client computer as a domain administrator that has been bound to
the domain.
2. Launch the 'Group Policy Management' console:
Start -> All Programs -> Administrative Tools -> Group Policy Management
3. Either select an already existing GPO that is applied to an OU or create a new one. Right-click
the GPO and choose 'Edit'. Then go to:
User Configuration -> Policies -> Windows Settings -> Folder Redirection
4. Right-click on 'Documents' and select 'Properties'. On the 'Target' tab configure as follows:
Setting: Basic - Redirect everyone's folder to the same location
Target folder location: Create a folder for each user under the root pathRoot Path: \\samba.mydomain.com\Users
NOTE: You should notice a preview at the bottom showing 'For user Clair, this folder will beredirected to: \\samba.mydomain.com\Users\Clair\Documents'
5. At the top select the 'Settings' tab and uncheck the 'Grant the User Exclusive Rights toDocuments' check box. Leave the remaining check boxes unchanged.
6. Click OK to complete the folder redirection configuration. A pop-up opens that states that thispolicy will not display the Folder Redirection node if an administrator or user attempts to
configure or view this group policy using policy management tools from Windows 2000,
-
7/24/2019 389 Directory Server
19/24
Windows XP, or Windows Server 2003. Click Yes to accept this warning and configure the
folder redirection.
7. Back in the 'Group Policy Management Editor' window, close the GPO.
8. Make sure that the GPO has 'Authenticated Users' (or another security group you're using)listed in 'Security Filtering'.
9. Link the new GPO policy (if not done already) to an OU with a user account that can be used
to test this policy. This user must log on to a Windows Vista/7/8 computer to allow proper
processing of this policy.
10. Log on to a Windows Vista/7/8 system with the test user account. After the profile completes
loading, click the Start button, and locate and right-click the Documents folder and then select
Properties. Select the Location tab and verify the path. For example, for a user named Tom, thepath should be \\samba.mydomain.com\Users\Tom\Documents.
Your folder redirection should now work. If you continue to have your 'Documents' folder pathshowing C:\Users\xxx and not the server share, it is most likely due to permissions on the root
'Users' folder. The NTFS permissions must be set corr ectly on the server share or f older
redirection wil l fail.
Having the correct permissions set on the server share also protects users from accessing anotheruser's files. If you set the permissions correctly as outlined in this howto you should be able to
test this successfully.
Troubleshooting
You may have to run 'gpupdate' as an admin from the command line on the windows 7 client.
However, a reboot should force the GPO to update on the Windows host.
I noticed I had to reboot the Win 7 client twice in a row after logging in as the test user. Once I
did this twice then my redirections worked.
You may need to reboot the Samba 4 AD DC for permissions to stick on the 'Users\username'
folders. This may not be necessary but worth an attempt if you experience problems.
http://www.linuxscrew.com/2008/07/04/openldap-samba-domain-controller-on-debian-or-ubuntu/
http://www.topbestalternatives.com/2014/top-5-alternatives-to-microsoft-active-directory/
http://www.linuxscrew.com/2008/07/04/openldap-samba-domain-controller-on-debian-or-ubuntu/http://www.linuxscrew.com/2008/07/04/openldap-samba-domain-controller-on-debian-or-ubuntu/http://www.topbestalternatives.com/2014/top-5-alternatives-to-microsoft-active-directory/http://www.topbestalternatives.com/2014/top-5-alternatives-to-microsoft-active-directory/http://www.topbestalternatives.com/2014/top-5-alternatives-to-microsoft-active-directory/http://www.linuxscrew.com/2008/07/04/openldap-samba-domain-controller-on-debian-or-ubuntu/ -
7/24/2019 389 Directory Server
20/24
http://www.mactech.com/articles/mactech/Vol.25/25.01/IntegratingOSXWithOpenLDAPandSamba-
Part2/index.html
http://www.shabangs.net/zentyal/centralizing-usergroup-management-for-mac-osx-with-zentyal/
http://blog.pluralsight.com/join-mac-to-windows-domain
http://macosx.com/threads/join-to-a-samba-pdc.273499/
https://4sysops.com/archives/how-to-join-a-mac-os-x-computer-to-active-directory/
My scenario:My domain controller is on a remote location and I've got my router(Mikrotik) setup to create a PPTP tunnel to the w2k8 server as a domainuser, NAT and routes setup accordingly, not covered here.
Desktop computer running OSX ML 10.8.4 (mine is a custom build)Domain: example.localPDC: samba.example.local (10.10.10.5) Samba4BDC1: bdc.example.local (10.10.10.20) Samba4BDC2: w2k8.example.local (10.10.10.15) W2K8 R2
Now for the exciting part
1. Configure OSX for Kerberos authenticationCopy krb5.conf from your Samba4 Domain controller to your Mac then
from a Terminal:
|$ sudo mv /Path/To/krb5.conf /etc/||$ sudo chown root:wheel /etc/krb5.conf||$ sudo chmod ||644| |/etc/krb5.conf|
Confirm that you can successfully obtain a Kerberos Ticket GrantingTicket (TGT):
Use "kinit" with your username to generate a ticket. Use "kilst" to show
that your userID has a "krbtgt" ticket, then use "kdestroy" todestroy/invalidate the ticket.
Last login: Sat Jun 22 20:59:53 on consolelocalhost:~ dave$ kinit david [PRESS ENTER]david at EXAMPLE.LOCAL's Password: [ENTER USER'S PASSWORD]localhost:~ dave$ klist [PRESS ENTER]Credentials cache: API:501:5
Principal:david at EXAMPLE.LOCAL
http://www.mactech.com/articles/mactech/Vol.25/25.01/IntegratingOSXWithOpenLDAPandSamba-Part2/index.htmlhttp://www.mactech.com/articles/mactech/Vol.25/25.01/IntegratingOSXWithOpenLDAPandSamba-Part2/index.htmlhttp://www.mactech.com/articles/mactech/Vol.25/25.01/IntegratingOSXWithOpenLDAPandSamba-Part2/index.htmlhttp://www.shabangs.net/zentyal/centralizing-usergroup-management-for-mac-osx-with-zentyal/http://www.shabangs.net/zentyal/centralizing-usergroup-management-for-mac-osx-with-zentyal/http://blog.pluralsight.com/join-mac-to-windows-domainhttp://blog.pluralsight.com/join-mac-to-windows-domainhttp://macosx.com/threads/join-to-a-samba-pdc.273499/http://macosx.com/threads/join-to-a-samba-pdc.273499/https://4sysops.com/archives/how-to-join-a-mac-os-x-computer-to-active-directory/https://4sysops.com/archives/how-to-join-a-mac-os-x-computer-to-active-directory/https://lists.samba.org/mailman/listinfo/sambahttps://lists.samba.org/mailman/listinfo/sambahttps://lists.samba.org/mailman/listinfo/sambahttps://lists.samba.org/mailman/listinfo/sambahttps://lists.samba.org/mailman/listinfo/sambahttps://4sysops.com/archives/how-to-join-a-mac-os-x-computer-to-active-directory/http://macosx.com/threads/join-to-a-samba-pdc.273499/http://blog.pluralsight.com/join-mac-to-windows-domainhttp://www.shabangs.net/zentyal/centralizing-usergroup-management-for-mac-osx-with-zentyal/http://www.mactech.com/articles/mactech/Vol.25/25.01/IntegratingOSXWithOpenLDAPandSamba-Part2/index.htmlhttp://www.mactech.com/articles/mactech/Vol.25/25.01/IntegratingOSXWithOpenLDAPandSamba-Part2/index.html -
7/24/2019 389 Directory Server
21/24
Issued Expires PrincipalJun 23 15:02:28 2013 Jun 24 01:02:20 2013krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL
localhost:~ dave$ kdestroy [PRESS ENTER]localhost:~ dave$
If everything goes as expected you've got Kerberos working on your OSX ML
2) Configure Active Directory for AuthorizationEnable Directory Services with Active Directory for Authorization
From a Finder window- open /System/Library/CoreServices/Directory\ Utility.app- Unlock, authenticate as the local admin.- Select Active Directory- On active directory forest nothing, it'll automatocally be filled- On active directory domain input your domain name in our caseexample.local- On computerID input your computer's name
- Optional: check create mobile account at login (roaming profile-likeaccount I guess)- Hit Bind button- You'll be prompted for the administrator credentials, so input them- Computer OU leave as default CN=Computers,DC=example,DC=local- Check Use for authentication- Check Use for Contacts (optional)
You'll see the litle thing spinning and if you've got your samba runningon another terminal you'll see how the computer account is created andthe workstation is joined to the domain and the Bind button will changeto Unbind, so if no errors showed you've just joined your Mac OSX 10.8.4to your Samba 4 domain.
Enable logins for Network Users at OSX's Login Window:- Apple Menu -> System Preferences- Users & Groups Pref Pane- Unlock the Pad Lock and Authenticate as local admin- Click "Login Options"- Turn OFF Automatic Login- Set "Display login window as" to "Name and password"- This setting can also be configured with a command. Run the followingline in the terminal to set the login window to show username andpassword fields:
/usr/bin/defaults write /Library/Preferences/com.apple.loginwindowSHOWFULLNAME -bool "TRUE"
- Enable "Allow network users to log in at login window",- Click "Options..." and set "All Network users", Click DONE.- Network Account Server: EXAMPLE server should be listed and showing agreen "gum drop" icon.
Confirm that you can identify Active Directory users:
localhost:~ dave$ id daviduid=2002409141(david) gid=2125881087(EXAPLE\Domain Users)
https://lists.samba.org/mailman/listinfo/sambahttps://lists.samba.org/mailman/listinfo/sambahttps://lists.samba.org/mailman/listinfo/samba -
7/24/2019 389 Directory Server
22/24
groups=2125881087(EXAPLE\Domain Users),704058724(EXAPLE\Group PolicyCreator Owners),1845177527(EXAPLE\Denied RODC Password ReplicationGroup),2097499953(EXAPLE\RAS and IAS Servers),316274987(EXAPLE\VPNUsers),620839770(EXAPLE\EXAPLE),12(everyone),62(netaccounts),863062263(EXAPLE\EnterpriseAdmins)localhost:~ dave$
3) Enable Kerberos tickets at loginApplying the below configuration changes will enable OSX toautomatically obtain a Kerberos TGT for the logged in user. This isquite handy when you want the user to be able to mount servers that are"kerberized".
First make a backup copy of the file, edit the /etc/pam.d/authorizationfile and add two additional lines to the top:
Insert these two additional lines:
auth optional pam_krb5.so use_first_pass use_kcminit
default_principalauth sufficient pam_krb5.so use_first_pass default_principal
Use a Terminal.app text editor like 'vi' or 'nano', use a GUI editorlike TextWrangler, BBEdit, or TextMate, or use this terminal command:
/usr/bin/perl -pi -e 's/auth optional pam_krb5.souse_first_pass use_kcminit/auth optional pam_krb5.souse_first_pass use_kcminit default_principalauth sufficient pam_krb5.so use_first_passdefault_principal/g' "/etc/pam.d/authorization"
Check the /etc/pam.d/authorization looks like the following example:
$ cat /etc/pam.d/authorization# authorization: auth accountauth optional pam_krb5.so use_first_pass use_kcminitdefault_principalauth sufficient pam_krb5.so use_first_pass default_principalauth optional pam_ntlm.so use_first_passauth required pam_opendirectory.so use_first_pass nullokaccount required pam_opendirectory.so4) Test LoginsRestart, login with your Penn State Access ID, open terminal and verifythat you have a ticket with "klist". Open System Preferences and"Accounts" to verify you are a network user.
If you have some users that can login and others that can't, it'spossible that they are not yet listed in LDAP, OR their LDAP attributesmight be missing or have the wrong case. To check for a userid, do thefollow from the command line (terminal.app):
$ ldapsearch -h example.local -x -b "dc=example,dc=local" "uid=david" >/tmp/ldap-data.txt
$ grep "uid:" /tmp/ldap-data.txt ; grep "psDirIDN:" /tmp/ldap-data.txt ;
-
7/24/2019 389 Directory Server
23/24
grep "cn:" /tmp/ldap-data.txt ; grep "psUidNumber:" /tmp/ldap-data.txtuid: davidpsDirIDN: 367777cn: JUSTIN DAVID GONZALEZpsUidNumber: 493417
If any of the attributes do NOT appear, then there might be an issuewith the user's Active Directory record, with either missing attributesor attributes with non matching case of letters.
5) Additional System Changes
LoginWindow StartupDelay
To help curb the loginwindow from showing the status of the EXAMPLEserver as red, you can use this command to tell the it to wait until DNSis ready before starting. Doing this helps keep the "red dot of despair"from appearing after boot.
sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow
StartupDelay -int 60
Voila, you can now have your Mac joined to your shinny samba4 DC and youcan login with any domain user and use your mac as usual with the addedbenefit of the network shares and the thrill and pride that you made ityourself.
I changed some of the steps to work on Samba / Active Directory as thesesteps were all for LDAP.Source:https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2)ConfigureLDAPforAuthorization
Note: This was also on the PSU site but I haven't tried it yet as Idon't use scrren saver and Ialso hate it when I have to type a passwordto get out of it.
I hope this comes in handy for someone out there.
Note 2: This is on a production environment for the company I do IT forand it's been working like a charm.
http://apple.stackexchange.com/questions/21246/mac-os-binding-to-samba-pdc
https://hermanbanken.nl/2011/01/22/openldap-server-mac-osx-clients/
https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2%29ConfigureLDAPforAuthorizationhttps://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2%29ConfigureLDAPforAuthorizationhttps://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2%29ConfigureLDAPforAuthorizationhttps://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2%29ConfigureLDAPforAuthorizationhttp://apple.stackexchange.com/questions/21246/mac-os-binding-to-samba-pdchttp://apple.stackexchange.com/questions/21246/mac-os-binding-to-samba-pdchttps://hermanbanken.nl/2011/01/22/openldap-server-mac-osx-clients/https://hermanbanken.nl/2011/01/22/openldap-server-mac-osx-clients/https://hermanbanken.nl/2011/01/22/openldap-server-mac-osx-clients/http://apple.stackexchange.com/questions/21246/mac-os-binding-to-samba-pdchttps://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2%29ConfigureLDAPforAuthorizationhttps://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2%29ConfigureLDAPforAuthorizationhttps://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2%29ConfigureLDAPforAuthorizationhttps://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2 -
7/24/2019 389 Directory Server
24/24
https://derflounder.wordpress.com/2012/03/02/binding-to-a-linux-based-openldap-server-from-10-6-x-
and-10-7-x/
http://vuksan.com/linux/mac-os-x-ldap/openldap-mac-os-x-authentication.html
http://hermanbanken.nl/2011/01/22/openldap-server-mac-osx-clients/#script
http://www.dummies.com/how-to/content/how-to-bind-mac-os-x-clients-to-a-shared-domain.html
https://www.hawaii.edu/bwiki/display/UHIAM/LDAP+authentication+for+Mac+OS+X+10.7
http://www.drchaos.com/configuring-apple-os-x-with-active-directory/
http://rajeev.name/2006/09/09/integrating-mac-os-x-into-unix-ldap-environment-with-nfs-home-
directories/
http://blog.michael.kuron-germany.de/2009/04/building-your-own-opendirectory-server-on-linux/
https://derflounder.wordpress.com/2012/03/02/binding-to-a-linux-based-openldap-server-from-10-6-x-and-10-7-x/https://derflounder.wordpress.com/2012/03/02/binding-to-a-linux-based-openldap-server-from-10-6-x-and-10-7-x/https://derflounder.wordpress.com/2012/03/02/binding-to-a-linux-based-openldap-server-from-10-6-x-and-10-7-x/http://vuksan.com/linux/mac-os-x-ldap/openldap-mac-os-x-authentication.htmlhttp://vuksan.com/linux/mac-os-x-ldap/openldap-mac-os-x-authentication.htmlhttp://hermanbanken.nl/2011/01/22/openldap-server-mac-osx-clients/#scripthttp://hermanbanken.nl/2011/01/22/openldap-server-mac-osx-clients/#scripthttp://www.dummies.com/how-to/content/how-to-bind-mac-os-x-clients-to-a-shared-domain.htmlhttp://www.dummies.com/how-to/content/how-to-bind-mac-os-x-clients-to-a-shared-domain.htmlhttps://www.hawaii.edu/bwiki/display/UHIAM/LDAP+authentication+for+Mac+OS+X+10.7https://www.hawaii.edu/bwiki/display/UHIAM/LDAP+authentication+for+Mac+OS+X+10.7http://www.drchaos.com/configuring-apple-os-x-with-active-directory/http://www.drchaos.com/configuring-apple-os-x-with-active-directory/http://rajeev.name/2006/09/09/integrating-mac-os-x-into-unix-ldap-environment-with-nfs-home-directories/http://rajeev.name/2006/09/09/integrating-mac-os-x-into-unix-ldap-environment-with-nfs-home-directories/http://rajeev.name/2006/09/09/integrating-mac-os-x-into-unix-ldap-environment-with-nfs-home-directories/http://blog.michael.kuron-germany.de/2009/04/building-your-own-opendirectory-server-on-linux/http://blog.michael.kuron-germany.de/2009/04/building-your-own-opendirectory-server-on-linux/http://blog.michael.kuron-germany.de/2009/04/building-your-own-opendirectory-server-on-linux/http://rajeev.name/2006/09/09/integrating-mac-os-x-into-unix-ldap-environment-with-nfs-home-directories/http://rajeev.name/2006/09/09/integrating-mac-os-x-into-unix-ldap-environment-with-nfs-home-directories/http://www.drchaos.com/configuring-apple-os-x-with-active-directory/https://www.hawaii.edu/bwiki/display/UHIAM/LDAP+authentication+for+Mac+OS+X+10.7http://www.dummies.com/how-to/content/how-to-bind-mac-os-x-clients-to-a-shared-domain.htmlhttp://hermanbanken.nl/2011/01/22/openldap-server-mac-osx-clients/#scripthttp://vuksan.com/linux/mac-os-x-ldap/openldap-mac-os-x-authentication.htmlhttps://derflounder.wordpress.com/2012/03/02/binding-to-a-linux-based-openldap-server-from-10-6-x-and-10-7-x/https://derflounder.wordpress.com/2012/03/02/binding-to-a-linux-based-openldap-server-from-10-6-x-and-10-7-x/