08-27-2009, 06:39 AM   #1
lschafroth (Untangle Ninja)
Using UT with MAC OS X server (LDAP)

I am currently using UT 6.2 in our school environment. We use an Xserve with LDAP for our entire district, and we have a 2003 server running Active Directory for other services. UT currently does not support LDAP, but I have found a way to make it work using an existing AD server.

AD SERVER SETUP:

I queried our LDAP (xserve) accounts and exported the accounts and passwords using Passport. You can also use Apache Directory Studio which works well with the MAC.

If you have more than 1,000 accounts, follow this LINK to adjust the settings on your AD server.

I found a site that provided me with a script to import the mac accounts into my AD server. http://www.rlmueller.net/CreateUsers.htm

You have two files called CreateUsers.vbs and ExampleUsers.xls.

I loaded the exported files from my Mac into Excel and set the separator as the colon ":" and all the fields were there as needed. Here is an example from my spreadsheet using made-up names:

Code:
Container/OU                     First Name  Initial  Last Name  Password  Common Name  NT Name   Logon Name  Home Folder  Home Drive  Logon Script  Groups
cn=Users,dc=domainname,dc=local  John                 Doe        password  13doejoh     13doejoh  13Doe John                                         HSStudents
cn=Users,dc=domainname,dc=local  Jane                 Doe        password  12doejan     12doejan  12Doe Jane                                         HSStudents

We use the graduation year, 3 digits from their last name and 3 digits from their first name. On the Mac, their long name is "yy last first" all spelled out and the shortname is the one you see above.

Edit the vbs file to reflect the name of your spreadsheet if you change the name of it, then run the vbs file and it will create the users on the AD server. They will show up in the list as the shortname. The script will sometimes throw an error stating it could not create an account but the account is always created. Not sure why but it works. Just keep clicking OK and it will keep going.

Once this is done, make sure to configure your UT box via AD Connector. Once the accounts are created you can list AD accounts in UT. Once you see the accounts you are ready to go.

MAC LOGIN SCRIPT:

Save the following code in a file called adlogon_user.sh

Code:
#!/usr/bin/env bash

# Bash skips errors and resumes by default

# Time in seconds to sleep between requests
SLEEP_PERIOD=300

# Let's define the protocol to be used.
URL_PREFIX="http"

# Determine if a different IP was provided as a command line argument
if [ $# -eq 1 ]; then
  SERVERNAME="$1"
else
  SERVERNAME="192.168.1.1"
fi

# Take out the comments below for testing the script
# echo "ServerName is:"
# echo "$SERVERNAME"

# Report the current user to the UT box, then repeat every SLEEP_PERIOD seconds
while true; do
  strUser="$USER"
  strDomain="$(domainname)"
  strHostname="$(hostname -s)"
  URLCOMMAND="${URL_PREFIX}://${SERVERNAME}/adpb/registration?username=${strUser}&domain=${strDomain}&hostname=${strHostname}&action=login"

  # Take out the comments below for testing the urlcommand
  # echo "$URLCOMMAND"
  # curl arguments: -f fails silently, -s silent mode with no progress status, -m maximum execution time allowed
  # The URL is quoted so a value containing a space cannot split it into extra arguments
  curl -f -s -m 10 "$URLCOMMAND"
  sleep "$SLEEP_PERIOD"
done

NOTE: Change the IP address in the code to the real IP address of your UT internal address.

I set the attributes to executable from the terminal window. You can load Terminal on your Mac. Type in the command chmod 755, then drag the file adlogon_user.sh from your desktop to the Terminal window and it will add the full path of the file to the command line. Press Enter and now the file is executable.

Now create a file called adlogon.plist and paste the following into it:

Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>adlogon</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/adlogon_user.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

You then need to copy the files to all your Mac computers. I did this via Apple Remote Desktop. I selected every computer in my district that was running and sent the files all at once, or you can do it manually. (ick)

Copy the adlogon_user.sh file to "/usr/sbin"
Copy the adlogon.plist file to "/Library/LaunchAgents"

Now when a user logs into their Mac, regardless of whether they used a local account, a network account, or their long name or shortname, the shortname, computer name and IP will be reported to the UT box. I have this running on about 650 Macs and it has no ill effects on the UT box or the machines.

Now you can go to Policy Manager and add the users to any rack of your choosing. If you don't want the users active in AD, you can disable them once you have added them to UT. The AD server is only queried when setting up the policies.

This is a hard way to do it and requires an existing AD server, but you can get AD super cheap with the edu discounts.

This is working awesome on our network and now we can secure internet access via username and not IP. Now when a student tries to login to a staff computer the user access rights follow the user, NOT the computer!

I hope this was as clear as mud.

Lannie

Last edited by lschafroth; 08-27-2009 at 06:55 AM.
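An added example, not code from Lannie's post: the login script above drops the raw username, domain and hostname straight into the query string, so if any of those values ever contained a space, "&" or "=" it would either break the curl command or add its own query parameters. The helper below builds the same /adpb/registration URL (endpoint path and parameter names taken from the script; the percent-encoder itself is my own, ASCII-only) with every value encoded and the URL quoted.

```shell
#!/bin/sh
# Added example (not the original poster's script): build the Untangle
# registration URL with each query value percent-encoded, so a username,
# domain or hostname containing a space, '&' or '=' stays one value
# instead of splitting the curl command or adding query parameters.

# Percent-encode every character outside the RFC 3986 unreserved set.
# ASCII only: the "'c" printf form yields the character's code point.
urlencode() {
  s="$1"
  out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"   # first character of $s
    s="${s#?}"          # the rest of $s
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Arguments: server, username, domain, hostname.
# Endpoint path and parameter names are the ones the script above uses;
# plain http is kept to match it.
build_registration_url() {
  server="$1"
  printf '%s://%s/adpb/registration?username=%s&domain=%s&hostname=%s&action=login' \
    "http" "$server" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
}

# Send one registration the way the script does, but with the URL quoted.
# Usage: register_login 192.168.1.1 "$USER" "$(domainname)" "$(hostname -s)"
register_login() {
  curl -f -s -m 10 "$(build_registration_url "$@")"
}

# Demo with constructed sample values (prints the URL, sends nothing)
build_registration_url 192.168.1.1 13doejoh school.local mac-lab-01
echo
```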
10-15-2009, 07:39 AM   #2
sharrisonUK (Untanglit)

Quote:
... The AD server is only queried when setting up the policies.
Does this mean you have to re-run the policy set up every time there is a new user added to AD?
10-15-2009, 08:45 AM   #3
lschafroth (Untangle Ninja)

Quote:
Originally Posted by sharrisonUK View Post
Does this mean you have to re-run the policy set up every time there is a new user added to AD?
When you add a new user you have to go into the policy and add them to the existing list. Right now UT does NOT support AD Groups, so we have to touch the policy every single time a user is added, etc.

It's not the best way of doing it, but without groups, it's the only way. Works great so far for us. Now we just need the direct LDAP support and we are golden!

Lannie
10-16-2009, 01:06 AM   #4
sharrisonUK (Untanglit)

Quote:
Originally Posted by lschafroth View Post
When you add a new user you have to go into the policy and add them to the existing list. Right now UT does NOT support AD Groups so we have to touch the policy every single time a user is added and etc.
...This must be a bit of a chore with your 1,500 user community; changes in a group of 300 keep me on my toes... Anyway, I guess it keeps us admins in business!

Quote:
Originally Posted by lschafroth View Post
It's not the best way of doing it, but without groups, it's the only way. Works great so far for us. Now we just need the direct LDAP support and we are golden!
...We have a different setup, with AD & OD integrated (all credit to Mike Bombich, http://www.bombich.com/mactips/activedir.html ) where users authenticate against an AD account whether logging onto a PC or a Mac. When set up and application caching tweaked, this works great.

So if I'm on the right track, all I would have to do is add a new user in AD, find them in UT through the AD Connector and add them to the right Rack through Policy Manager.

You are right, UT AD Group awareness would be a very good feature, as would an LDAP connector.

BTW - Thanks for a great post!

- Simon
10-16-2009, 06:10 AM   #5
lschafroth (Untangle Ninja)

It's not fun at all when working with 6.2. It does not sort the usernames at all, so try finding an account when you have 2000+. We've grown to that many once you add all the staff and the students. Not fun at all.

With 7.0.1, they should have the sorting fixed, but still no groups.

Lannie
12-23-2009, 07:22 AM   #6
gliverman (Master Untangler, Carrollton, GA)
Macs bound to AD

lschafroth: I have Macs that authenticate off of AD directly. Would your scripts above make them play nice with Untangle 7.1 so that I could map those users to a rack instead of having to put them on static IPs or DHCP reservations to map them?
12-23-2009, 10:45 AM   #7
lschafroth (Untangle Ninja)

Quote:
Originally Posted by gliverman View Post
lschafroth: I have Macs that authenticate off of AD directly. Would your scripts above make them play nice with Untangle 7.1 so that I could map those users to a rack instead of having to put them on static ip's or dhcp reservations to map them?
Yes, the script doesn't care where the AD comes from. It just talks to the UT box. You would have to edit the script to change the IP of the UT box and that's it.

Lannie
12-23-2009, 12:02 PM   #8
gliverman (Master Untangler)

Sweet, thanks.
12-23-2009, 12:19 PM   #9
gliverman (Master Untangler)

FYI: I posted an enhancement request about getting this script distributed with Untangle for Macs that are already bound to AD. It can be seen at http://bugzilla.untangle.com/show_bug.cgi?id=7216
12-23-2009, 07:23 PM   #10
lschafroth (Untangle Ninja)

Excellent!!

thanks,

Lannie
© 2010 Untangle, Inc. All Rights Reserved.