Re: OpenLDAP for Mac OS X Login and Authentication

>> According to the OS X docs, I ~should~ be able to have the login sequence
>> check LDAP directories for authentication ~before~ it checks NetInfo.
>Uh, that depends on which OS X docs you were reading. Using the stock
>lookupd (not built from source), LDAPv3 cannot be used, you must use LDAPv2.
>Luke has fixed this, but you must build lookupd from cvs source. I haven't
>successfully done this yet, I've played with building lookupd from source,
>but I haven't any luck.

I would highly recommend that you do attempt to do this. The stock LDAP
support in lookupd is *VERY OLD*. What is the problem? One thing that
I forgot to point out is that you will probably need to rebuild the
NetInfo.framework in Services/netinfo/common to build the lukeh-OpenLDAP
branch of lookupd which unfortunately will require you to rebuild and
reinstall netinfod and nibindd. You may prefer to wait for OS X 10.1.

>> 4. The LoginHook and LogoutHook parameters for customizing loginwindow do
>> not work (official word from Apple) and ~rumor says~ they will be removed
>> from future OS X releases.
>Hmm, I'm new to the hole OS X scene, and I have no idea what LoginHook is,
>maybe someone can enlighten me.

Runs an arbitary executable after logon. Totally irrelevant to authentication.

>Another idea is to use pam_ldap for Mac OS X , by Luke Howard (again).

That will help you with authentication only, not account information. Just
as you would typically use nss_ldap and pam_ldap on a Linux or Solaris box,
you might use LDAPAgent and pam_ldap on an OS X or Darwin machine. Getting
pam_ldap installed on OS X requires building the PAM framework, the PAM
loginwindow authenticator bundle, and rebuildling all the system utilities
that need PAM (such as ftpd and login). Non-trivial, but not too hard if
you really need PAM support :-)

Darwin PAM support is tracking FreeBSD-current, BTW.

If you would like Apple to incorporate PAM into the OS, I suggest you talk
to your Apple rep or use one of the feedback addresses on their website.


-- Luke

Luke Howard | lukehoward.com
PADL Software | www.padl.com