Active Directory + Open Directory Integration
If you are running a Windows network and need to integrate Apple desktops and/or laptops into your infrastructure, then you've stumbled across the right article. I've been through this process on our own network and others, and have simplified it into a short set of instructions.
Windows Server Setup
- The only change needed on your Windows network concerns the number of items returned from Active Directory when displaying AD users in Apple Workgroup Manager. By default, Active Directory returns only the first 1000 users when queried over LDAP. To retrieve a result set larger than 1000 users, you must set SizeLimit to its default value (zero) and set PageSize to a value greater than 1000 on your Active Directory server.
- In the Active Directory management tools, delete the computer account that is already there for the Apple server, along with all the DNS entries for that computer.
- Now recreate the Active Directory computer account and the forward/reverse DNS entries for it.
Apple Server Setup
- I recommend starting with a fresh install of the operating system on your Open Directory master, and adding all the services you'll want to use in the process. If you are not certain what services you'll need don't worry, you can always add them later and none of them are necessary for AD OD integration.
- Bind the new server to Active Directory. Once you are finished be sure that Active Directory appears above LDAP in the authentication pane in Directory Access.
- In Terminal, run sudo kerberosautoconfig -u, which regenerates your Kerberos configuration file. If you get a "can't find it" error, remove the LDAP entry from the authentication pane in Directory Access, click Apply, re-run the command, then add the LDAP entry back in Directory Access, making sure that Active Directory is at the top.
- Ignore the "Join Kerberos" message if one appears, since this is an Open Directory Master.
- Open Workgroup Manager and enable "Show All Records" in the preferences, then click the Bullseye tab. Authenticate to LDAP, then pick "config" in the dropdown. Select the KerberosClient item and, in the inspector, change its RecordName to KerberosClient_DONOTUSE. This prevents Open Directory from pushing out a Kerberos record that would conflict with Active Directory's Kerberos. Save all changes.
- From Terminal, enter sudo dsconfigad -enablesso. This forces services on the Open Directory master to use Active Directory for authentication.
Workgroup Manager
- Open Workgroup Manager and pull up the Active Directory users (they should populate in the left column). If you can see only 1000 users and you know your network has more than that, you still need to increase the PageSize in AD.
- You can now add AD users to your Open Directory groups. You can also add Active Directory groups to Open Directory groups - pretty cool, no?
- You can now add MCX policies to groups under preferences.
Client Side
- Now go ahead and bind the clients to both the Open Directory master and Active Directory. On the client side, make sure Active Directory is first in the Authentication pane in Directory Access.
- Run sudo kerberosautoconfig -u on the clients, then restart.
- You should now be able to log into a client with an AD username and password and receive Kerberos tickets, managed profiles, etc.
In most instances, it is best to set up the client with a mobile profile, even on desktops. A mobile profile lets users log in without a network connection while still honoring the MCX preferences set by the server.
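As an added example that is not part of the original article (nor of Apple's own tooling), the POSIX shell script below checks the two client-side conditions the server and client steps above rely on: that the Active Directory node is listed above the LDAPv3 (Open Directory) node in the search policy, and that the logged-in user's ticket-granting ticket was issued by the Active Directory realm rather than by the Open Directory master's own KDC (which is what renaming the KerberosClient record is meant to prevent). The `dscl /Search -read / CSPSearchPath` and `klist` output formats, the node paths and the realm names are assumptions and constructed samples; compare them with the real output on your OS version before relying on the checks.

```shell
#!/bin/sh
# Added example, not part of the original article or of Apple's tools.
# Checks the two client-side conditions the integration steps rely on:
#   1. the Active Directory node is listed before the LDAPv3 (Open Directory)
#      node in the search policy, so AD answers authentication first;
#   2. the logged-in user holds a ticket-granting ticket from the AD realm,
#      not from the Open Directory master's own KDC.
# Output formats, node paths and realm names below are assumptions /
# constructed samples; verify them against the real output on your version.

# ad_before_ldap: reads `dscl /Search -read / CSPSearchPath` output on stdin.
# Exit 0 when the first "Active Directory" node appears above the first
# "LDAPv3" node; exit 1 when the order is wrong or either node is missing.
ad_before_ldap() {
    awk '
        /Active Directory/ && !ad   { ad = NR }
        /LDAPv3/           && !ldap { ldap = NR }
        END { exit !(ad && ldap && ad < ldap) }
    '
}

# has_tgt_for_realm REALM: reads `klist` output on stdin and exits 0 when a
# krbtgt/REALM@REALM entry is present, i.e. the TGT came from that realm's KDC.
has_tgt_for_realm() {
    grep -qF "krbtgt/$1@$1"
}

# Constructed sample: a correctly ordered search path (AD above the OD node).
GOOD_SEARCH_PATH='CSPSearchPath:
 /Local/Default
 /Active Directory/All Domains
 /LDAPv3/odmaster.example.com'

# Constructed sample: the misordering the article warns about.
BAD_SEARCH_PATH='CSPSearchPath:
 /Local/Default
 /LDAPv3/odmaster.example.com
 /Active Directory/All Domains'

# Constructed sample klist output for a user who authenticated against AD.
AD_KLIST='Credentials cache: API:501
        Principal: jdoe@AD.EXAMPLE.COM

  Issued           Expires          Principal
Jan  1 09:00:00  Jan  1 19:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM'

# report_order TEXT: human-readable verdict for one search-path listing.
report_order() {
    if printf '%s\n' "$1" | ad_before_ldap; then
        echo "search order OK: Active Directory precedes the LDAPv3 node"
    else
        echo "WARNING: LDAPv3 node precedes Active Directory, or a node is missing"
    fi
}

report_order "$GOOD_SEARCH_PATH"   # search order OK
report_order "$BAD_SEARCH_PATH"    # WARNING

if printf '%s\n' "$AD_KLIST" | has_tgt_for_realm AD.EXAMPLE.COM; then
    echo "TGT issued by AD.EXAMPLE.COM"
fi
if printf '%s\n' "$AD_KLIST" | has_tgt_for_realm ODMASTER.EXAMPLE.COM; then
    echo "TGT issued by the OD master (is the KerberosClient record still active?)"
fi

# On a bound client, run the same checks against live output.
if command -v dscl >/dev/null 2>&1 && command -v klist >/dev/null 2>&1; then
    if dscl /Search -read / CSPSearchPath | ad_before_ldap; then
        echo "live: search order OK"
    else
        echo "live: WARNING, check the ordering in Directory Access"
    fi
    if klist | has_tgt_for_realm AD.EXAMPLE.COM; then
        echo "live: AD TGT present"
    else
        echo "live: no AD TGT (run kerberosautoconfig -u and log in again)"
    fi
fi
```

Run it on a bound client after the restart; a "WARNING" on the search order means Directory Access still lists the LDAPv3 node above Active Directory, and a missing AD TGT usually means the Kerberos configuration was not regenerated or the user logged in before the change took effect. Replace AD.EXAMPLE.COM with your own Active Directory realm.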