Integrating OS X and AD
Right, I'm getting a little confused now with integrating OS X and Active Directory.
I have an OS X server (10.5) and half a dozen or so OS X clients. My intention is to have the server get its users from the AD, the clients get their prefs and authentication via the OS X server and everything lives happily ever after.
I have got the OS X server bound to the AD domain and can see the users (only 1000, even though there are more objects than that in the AD??), and a client which has the OD server and the AD server as its servers. So, an AD user can log in just fine.
The problem is the use of the Workgroup Manager to restrict privileges etc... How do I do this? Everywhere I look, it points to 'it can't be done unless you buy a third party program or extend the AD schema' - without explaining what extensions to the schema need doing.
And also talks about Mappings. I can understand the mappings issue, but what ID should I assign to the UID?
Can someone provide me with some info on how to do what I want, without spending more money on software?
Your users authenticate directly to the AD, not the OS X server (OD). You will lose the ability to manage prefs on a per-user basis though. You need to set up your client machines to point to both AD and OD. (Edit: sorry, just realised you already have this set up. If you have problems, change the order in Directory Access.)
In OD, create a new group for each group you want managed. I just add an 'M' to the corresponding AD group I want to manage so things don't get confusing.
Then, within Workgroup Manager, just drag the AD group into the new OD group.
Hope that helps a bit. Sorry for the lack of info, just realised I need to be somewhere :P
The 1000 objects is the default limit AD returns for searches. You need to increase it; I forget where at the moment, as I've only done it once.
Yes, you will be unable to have per-user settings when you use AD while OD is hosting the preferences. As gaz350 mentioned, you can use groups (you create a group on OD with a different name and then add the AD group to it). Machine-level management will also work.
As far as schema and mappings go, you don't need to do anything unless you really need user-level preferences.
Extending the AD is not for the faint of heart. There is no documentation that I can find, only the schema files from OD itself. There is no support, and additional schema changes can break the installation, uninstallation and operation of Exchange (and other things).
If you do extend the schema, then all those preferences can be stored in AD. I've not found any examples where this has been done.
"One caveat: There is a 1,000-user per page display limit built into AD.
To alter that limit (and display all of your users up to the 19,999 WGM limit), go to the AD Master and do the following:
1. Open ADSI Edit and navigate to Expand the Configuration Container>Expand Services>Expand Windows NT>Expand Directory Service>Expand Query-Policies;
2. Pull up properties on "Default Query Policy";
3. Select "lDAPAdminLimits";
4. Set "MaxPageSize" to the number of records you want returned."
I should add a big WARNING to that ADSI Edit information, as you can kill AD from there.
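The same change the ADSI Edit steps above make, done from PowerShell so that the current value is recorded before it is touched and the result is read back afterwards. This is an added example, not code posted in the thread. It assumes a domain-joined Windows machine, an account that may write to the Configuration partition (Enterprise Admins), and a target of 5000 and a backup path that are placeholders; lDAPAdminLimits is the real multi-valued attribute on the Default Query Policy object, and the PutEx control codes used are the documented ADSI ones.

```powershell
# Added example (not from the thread): read and raise MaxPageSize on the Default Query Policy.
# Assumptions: run as an Enterprise Admin on a domain-joined box with the ADSI COM
# interfaces available (any Windows PowerShell). $NewMaxPageSize and the backup path are
# placeholders. This edits the same forest-wide object the ADSI Edit steps touch, so the
# warning above applies: every DC in the forest picks the new limit up.

$NewMaxPageSize = 5000

# Find the Configuration naming context rather than hard-coding the forest DN.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext
$policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$policy   = [ADSI]"LDAP://$policyDn"

# lDAPAdminLimits is multi-valued; each value is a "Name=Value" string.
$limits  = @($policy.lDAPAdminLimits)
$current = $limits | Where-Object { $_ -like 'MaxPageSize=*' } | Select-Object -First 1
Write-Host "Current: $current"

# Keep a copy of the whole attribute so the change can be reverted by hand.
$limits | Out-File -FilePath "$env:TEMP\lDAPAdminLimits-backup.txt"

# ADSI PutEx control codes: 4 = ADS_PROPERTY_DELETE, 3 = ADS_PROPERTY_APPEND.
# Remove the old MaxPageSize value, append the new one, then commit with SetInfo().
if ($current) {
    $policy.PutEx(4, 'lDAPAdminLimits', @([string]$current))
}
$policy.PutEx(3, 'lDAPAdminLimits', @("MaxPageSize=$NewMaxPageSize"))
$policy.SetInfo()

# Re-read from the directory to confirm what was actually stored, not what we sent.
$policy.RefreshCache()
$after = @($policy.lDAPAdminLimits) | Where-Object { $_ -like 'MaxPageSize=*' }
Write-Host "After:   $after"
```

The same value can be changed interactively with the built-in `ntdsutil` tool (`ntdsutil`, then `LDAP policies`, `connections`, `connect to server <dc>`, `q`, `Show Values`, `Set MaxPageSize to 5000`, `Commit Changes`), which is a little safer than browsing the Configuration container in ADSI Edit. Two caveats worth knowing before raising it: MaxPageSize caps the size of one page, so any LDAP client that uses paged results (RFC 2696) already sees every object without the change, and a larger page lets a single unauthenticated-looking query pull correspondingly more from a DC in one round trip.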
Updating the Schema
Everyone frowns upon the extension of the AD schema. Well, on all the posts I have read, anyway.
If it's the way you want to go, there is a free set of batch files that will extend the AD schema for you:
If you have the option of a VM, then you could perhaps try it in there. :)
Well, I've now figured out most of it, and have the client getting prefs for users.
I've now bumped into another problem. This problem is to do with network shares.
Originally all our pupil shares were on a DFS tree, but I've changed this to a direct path for now, so I am getting something mounted in OS X. However, as the home directories are a subdirectory of a share, how do I get it to not place the entire share on the desktop, but just the subdirectory?