Agile Tortoise

Greg Pierce’s blog


Panther Server mail services and Active Directory

Apple’s been making great strides in incorporating Mac OS X into Windows networks, but it’s still not all there. I’ve got a new XServe that will be a file and email server for our organization. The file services setup and integration with Active Directory authentication was a total breeze…not so with Mail services (or other settings that require user settings to be stored in the directory).

I’m posting these instructions because I haven’t seen them clearly laid out elsewhere. If you want to enable the use of Apple’s Workgroup Manager to set properties of Active Directory users, you have to extend your AD schema with Apple’s LDAP attributes. There is an excellent set of VB Scripts to do this available at Shukwit.com. Basically, follow their directions to expand your schema only, running the “autorunschema.vbs” script only. You do not need to run the scripts to set UIDs and GIDs, or follow any of their instructions on the OS X side — all of which are geared toward using the old LDAP Directory Services plugin on Jaguar.

Then go to your OS X Server box, and bind it to the AD using /Applications/Utilities/DirectoryAccess. This article, and Apple’s docs, have a good walk-through of that so I won’t repeat it here.

Assuming you are now properly bound, have added the AD to your authentication path, and have tested logon using AD accounts, you can then go edit the file /Library/Preferences/DirectoryService/ActiveDirectory.plist. You’ll have to “chmod g+rw” it to be able to write to it. The file already has all the mappings set up, but you need to add each attribute you wish to write to under the section “AD Attr Access Control List”. In my case, at this time, I only needed to add the following:

<key>dsAttrTypeStandard:MailAttribute</key>
<integer>1</integer>

This enables storage of the mail attributes for enabling and disabling mail for accounts, setting quotas, etc. All this info is stored in one attribute in XML format. You could repeat this process for other attributes you need.
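The plist edit described above, done programmatically so it is repeatable and can be verified rather than hand-edited. This is an added example, not code from the post or from Apple; it assumes ActiveDirectory.plist is a property list that Python’s plistlib can parse (XML on Panther; plistlib also reads binary plists), and SAMPLE_PLIST is a constructed, trimmed-down stand-in for the real file, which carries many more keys. The file path, the section name and the attribute name are the ones given in the post.

```python
import plistlib
import shutil
import sys

# Section of ActiveDirectory.plist that lists which AD attributes
# Workgroup Manager may write; a value of 1 means writable.
ACL_SECTION = "AD Attr Access Control List"
MAIL_ATTR = "dsAttrTypeStandard:MailAttribute"
DEFAULT_PATH = "/Library/Preferences/DirectoryService/ActiveDirectory.plist"

# Constructed stand-in for the real file: only the ACL section is modelled,
# pre-populated with one unrelated attribute so we can check it survives.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AD Attr Access Control List</key>
    <dict>
        <key>dsAttrTypeStandard:Comment</key>
        <integer>1</integer>
    </dict>
</dict>
</plist>
"""


def writable_attributes(plist_bytes):
    """Return the set of attribute names the ACL section currently marks writable."""
    data = plistlib.loads(plist_bytes)
    acl = data.get(ACL_SECTION, {})
    return {name for name, flag in acl.items() if flag == 1}


def grant_write(plist_bytes, attr=MAIL_ATTR):
    """Return a new plist (as bytes) with `attr` set to 1 under the ACL section.

    Idempotent: running it on a file that already grants `attr` produces
    identical output, so it is safe to call from a repeated setup script.
    """
    data = plistlib.loads(plist_bytes)
    if ACL_SECTION not in data:
        # The real file ships with this section; only a stripped file lacks it.
        data[ACL_SECTION] = {}
    data[ACL_SECTION][attr] = 1
    return plistlib.dumps(data)


def grant_write_file(path, attr=MAIL_ATTR):
    """Edit the plist at `path` in place, keeping a .bak copy of the original.

    Needs write access to the file (the post's chmod g+rw step, or sudo).
    Returns True if the file was changed, False if `attr` was already granted.
    """
    with open(path, "rb") as fh:
        original = fh.read()
    if attr in writable_attributes(original):
        return False
    shutil.copyfile(path, path + ".bak")
    with open(path, "wb") as fh:
        fh.write(grant_write(original, attr))
    return True


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: python thisscript.py /Library/Preferences/DirectoryService/ActiveDirectory.plist
        changed = grant_write_file(sys.argv[1])
        print(("added" if changed else "already present") + ": " + MAIL_ATTR)
    else:
        # Dry run against the constructed sample, showing before and after.
        print("before:", sorted(writable_attributes(SAMPLE_PLIST)))
        print("after: ", sorted(writable_attributes(grant_write(SAMPLE_PLIST))))
```

Run it with the plist path as the only argument to make the change on the server (a .bak copy is left beside the file); with no argument it only exercises the sample. Checking `writable_attributes` afterwards is the quick way to confirm the key landed under the right section, which is the mistake most likely to go unnoticed when editing the XML by hand.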

You can now safely go to the Workgroup Manager and enable mail for AD users. This sounds pretty easy now that I write it out, but I’ve burned a bunch of brain cells putting together all the pieces of the puzzle to get this working. If you can’t change your AD schema, you might look at ADMitMac from Thursby. They have an alternate solution to the problem, but I wasn’t too pleased with the way it worked OMM.

Posted Monday, August 30th, 2004 at 4:01 pm, filed under Technology.

3 Responses to “Panther Server mail services and Active Directory”

  1. Greg Pierce Says:
    August 30th, 2004 at 7:58 pm

    A post didn’t go out in email today. Just testing. g.

  2. Sue Pierce Says:
    August 30th, 2004 at 9:09 pm

    To repeat my earlier messages, I have not received posts from your web
    page for some time - over a week, maybe over two weeks (time has been crazy
    for us lately).  I also no longer get the family page posts, nor can
    I access the family page since you took the link off your web page. 
    I have tried several times to reregister for that or get a new password,
    no response to my requests.
    I miss reading about my grandsons! The web page is my main source
    of information.
    Heard from NIH this afternoon. Although they have not gotten back the
    genetic tests yet, the basic blood work is done and my iron related
    numbers are worse, so they want me to go ahead and start treatment this
    week.  Will be going in on Wednesday afternoon, and they will take
    out 2 pints of blood. They are, however, hooking me up to a system that
    will pull out the red blood cells and they will then put the remaining
    plasma and some additional saline IV back into me, to help prevent
    dehydration.  Think I will not drive myself for this one!  I am
    a little anxious as I have passed out before after minor medical
    procedures.  Hopefully after a few times I will feel more confident
    about being behind the wheel afterward.  They cheerfully admit that
    some folks do pass out, so it is not just me.  They do have a
    "canteen" where you can sit and munch on cookies and juice for
    a while.   Another new adventure in life!
    Love,  Mom

  3. Greg Pierce Says:
    September 13th, 2004 at 8:46 am

    Per my previous post, I’ve been working on getting Active Directory integrated with Panther’s mail services. My prior setup notes work, almost completely…but there’s one hurdle I can’t seem to get past. After puzzling over the exact sequence for awhile, I’ve discovered the problem.

    Cyrus won’t let you login until you have received an email on the server. I knew this. Even though I had enabled email for AD accounts, Cyrus was refusing to accept mail for them. Postfix identified the accounts as local and passed the mail on to Cyrus, but it choked, claiming mail was not enabled for the user.

    It appears that, in my current setup, the AD user has to be a member of an AD group with rights to Administer the Panther box at the time they first receive email. After that, I can remove admin privileges and everything works fine, but I guess Cyrus drops privs to the user level and is unable to create the appropriate mailboxes, or authenticate the user at that level.

    This is an annoyance, though one I can live with since I don’t have to create all that many new email accounts, but it is quite odd to me. Local users on the Panther box don’t need any special rights to be setup with new mail accounts, so I’m not sure what’s different about the AD users.
