A meeting to discuss “Macintosh authentication using UW NetID” took place:
Wednesday, June 29 2011
2:00 pm – 3:30 pm
Notes from the meeting of 6/29 (courtesy of Brian High)
=================================-=-
Dan Sinema, Apple Computer Inc.
Mac OS X Directory Services/AD scenarios
=================================-=-
dsconfigad: to find group membership, to script mounting shares
– static mapping only, no variables. See:
https://discussions.apple.com/message/2793427?messageID=2793427
(Maybe script around this?)
MCX Attributes for policies can be stored as XML in LDAP
– Volume Mounting
– Energy Saver
– Preferences Manifest per Application
Auxiliary Classes “overlay” via LDIF Schema extensions
See: http://www.opensource.apple.com/source/OpenLDAP/OpenLDAP-37/AppleExtras/apple.schema
See: /etc/openldap/schema/apple.schema
Magic Triangle:
LDAP (groups) <==> Mac <==> AD (users)
Magic Triangle with file services:
OSX Server <== AD Plugin ==> AD <== SMB Server
    ^                        ^           ^
    |                    AD Plugin       |
    |                        |           |
    \== SMB ===============> MAC <== SMB ==/
Using just AD and SMB server:
Scripting mounting from client-end:
– login from AD
– dseditgroup (check group membership)
– launchd and plist to mount from SMB
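The "script around this" idea from the dsconfigad item and the client-end mounting steps above (AD login, dseditgroup, launchd plist, SMB mount), as one added example that is not from the meeting or from Apple. It assumes a Mac already bound to AD, a user who logged in with AD credentials so a Kerberos ticket exists and mount_smbfs needs no stored password, and constructed placeholder group names, server name, share names, script path and LaunchAgent label:

```sh
#!/bin/sh
# Added example (not from the meeting notes): a per-user LaunchAgent script
# that mounts SMB shares at login based on AD group membership, working
# around dsconfigad's static share mapping. Assumed: Mac bound to AD, user
# logged in via AD (Kerberos ticket present), placeholder names throughout.

MOUNT_ROOT="${HOME:-/tmp}/Shares"

# Constructed mapping, one entry per line: ADgroup:server/share:folder
SHARE_MAP='
labstaff:fileserver.example.edu/staff:staff
students:fileserver.example.edu/classes:classes
'

# Exit 0 if the logged-in user is a member of the named AD group.
# dseditgroup queries through the AD plugin, so nested groups resolve.
is_member() {
    dseditgroup -o checkmember -m "${USER:-$(id -un)}" "$1" >/dev/null 2>&1
}

# Print "//server/share mountpoint" for each share the user is entitled to.
shares_to_mount() {
    printf '%s\n' "$SHARE_MAP" | while IFS=: read -r group share folder; do
        [ -n "$group" ] || continue
        if is_member "$group"; then
            printf '//%s %s\n' "$share" "$MOUNT_ROOT/$folder"
        fi
    done
}

# Mount each entitled share under the user's home, skipping ones already mounted.
mount_shares() {
    shares_to_mount | while read -r url mnt; do
        mkdir -p "$mnt"
        if mount | grep -q " on $mnt "; then
            continue
        fi
        # -N: never prompt; the Kerberos ticket from the AD login is used,
        # so no password is stored in the script or the plist.
        mount_smbfs -N "$url" "$mnt" || echo "mount failed: $url" >&2
    done
}

# LaunchAgent that runs this script at every login. Install it as
# ~/Library/LaunchAgents/edu.example.mountshares.plist (placeholder label/path).
print_launchagent() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>edu.example.mountshares</string>
    <key>ProgramArguments</key>
    <array><string>/usr/local/bin/mount-shares.sh</string><string>mount</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# Usage: mount-shares.sh mount | dry-run | plist
case "${1:-}" in
    mount)   mount_shares ;;
    dry-run) shares_to_mount ;;
    plist)   print_launchagent ;;
esac
```

Running `sh mount-shares.sh dry-run` as the logged-in user lists what would be mounted without touching anything; `plist` prints the LaunchAgent to install. Because the group check and the mount both run as the user with the user's own Kerberos ticket, the script carries no credentials, and a user who is not in a group simply gets no mount rather than a prompt.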
Lion has Profile Manager for remote management
OSX has Workgroup Manager for local policies
and can push to LDAP server or OSX Server
=================================-=-
Brian Arkills
Delegated OUs
=================================-=-
See: Overview/review the UW “Netid” domain and delegated OUs
UW Group Service has Hourly Sync
Used for example: budget groups
Offers:
– DDNS
– Free (costs paid by UWIT chargeback fee)
– Domain Migration
– Group Sync from old DC
– delegated group of computers
=================================-=-
John Canfield, Stephen Bangs (CIS)
How UW-IT computing labs manage authentication on Macintosh
=================================-=-
DeployStudio
– Free
– Imaging
– works with UWWI
Had to populate UW delegated group of computers to get it to work
=================================-=-
Martin Criminale, Andy Gravano
How the ISchool manages authentication on Macintosh
=================================-=-
iMacs in labs dual-boot OSX/Windows, both using UWWI and automatically join UWWI as image is deployed
They also use DeployStudio
They use delegated group of computers as does CIS
Use ARD since it is required by DeepFreeze
Can’t extend schema in delegated UWWI OU
memberOf attribute is locked down, so it cannot be used for assigning, for example, admin rights to users in UW groups; this works only with local groups.
(Group membership in UW Groups is not recognized)
Time Mgmt. conflicts with Windows (due to dual boot configuration)
3 hour nightly management window.
Links to other resources:
- Apple’s AD integration doc https://support.apple.com/guide/directory-utility/integrate-active-directory-diru39a25fa2/mac
Outcome
No agreed-upon proposal has emerged from this discussion. There are published ways to do Mac authentication integration.