
Using Mac OS X 10.4 in a Computer Lab

Complete the following before continuing:

About LDAP

The Lightweight Directory Access Protocol (LDAP) is a protocol for accessing online directory services. It runs directly over TCP and gives applications and services a centralized way to retrieve information stored in directories. Often, the information being sought is configuration information.

Iowa State runs an LDAP server that contains user Net-ID configuration information. Using this information along with the Kerberos authentication that you have previously enabled, a lab computer can be set up to allow a lab user to log in without having to create a local Mac OS X user account on each lab computer.

Configuring LDAP

Mac OS X and applications that use Mac OS X directory services get information about users, servers and other objects from directories listed in the "Directory Access" application.

Follow these steps to configure the local LDAP client to access Iowa State's LDAP server:

  • Open "Directory Access" (/Applications/Utilities/Directory Access).

  • Authenticate by clicking on the padlock if necessary.

  • Click on the "Services" tab.

  • Uncheck all "Enable" checkboxes, except for "Bonjour".

  • Check the "Enable" checkbox for "LDAPv3". Select "LDAPv3" to highlight it.

  • Click the "Configure..." button.

  • Uncheck the "Add DHCP-supplied LDAP Servers to automatic search policies" box if it is checked.

  • Click the "New..." button.

  • Click the "Manual" button on the "New LDAP Connection" window that pops up.

  • Enter "LDAP-Iowa State" in the "Configuration Name" field.

  • Enter "ldap.iastate.edu" in the "Server Name or IP Address" field.

  • Click the "Edit..." button.

  • Click on the "Search & Mappings" tab.

  • Select "RFC 2307 (Unix)" from the "Access this LDAPv3 server using" pull down menu.

  • Enter "dc=iastate,dc=edu" in the "Search Base Suffix" window that pops up.

  • Click the "OK" button.

  • Under "Default Attribute Types":

    • Change the "RecordName" mapping to "uid".
      Note: Once you do this, the setting will change from "RFC 2307" to "Custom". This is not a problem.

  • Under "Users":

    • Check that the RealName mapping is "cn".

    • Change the "Unique ID" mapping to "isupersonuidnumber".

    • Change the "PrimaryGroupID" mapping to "isupersongidnumber".

    • Change the "NFSHomeDirectory" mapping to "isupersonmacosxlabpath".

    • Change the "UserShell" mapping to "#/bin/bash" (the leading "#" tells Directory Access to use the literal value rather than look up an LDAP attribute).

    • Click the "OK" button.

  • Check the "Enable" checkbox for "LDAP-Iowa State" if it is not checked.

  • Click the "OK" button to save the changes. Authenticate if necessary.

  • Click on the "Authentication" tab.

  • Select "Custom path" on the "Search:" pull-down menu.

  • Click the "Add..." button.

  • Click the "/LDAPv3/ldap.iastate.edu" line if it is not highlighted.

  • Click the "Add" button.

  • Click the "Apply" button to apply changes.

  • Quit the application.
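Before enabling the LDAP-Iowa State configuration on every lab machine, it is worth confirming that the directory actually returns the attributes the mapping above depends on, and that the values make sense on a client. The script below is an added example, not part of the original page or of Iowa State's tooling: it reads one user record in the LDIF form printed by ldapsearch and checks the attributes named in the mapping steps (uid, cn, isupersonuidnumber, isupersongidnumber, isupersonmacosxlabpath). The DN layout, the sample values, the 500 UID floor and the "no userPassword in LDAP" expectation (taken from the page's note that authentication is delegated to Kerberos) are assumptions made for this example.

```shell
#!/bin/sh
# check_ldap_entry.sh: offline sanity check of one user record from the
# Iowa State LDAP server against the Directory Access mapping on this page.
# Added example, not from the original page. Attribute names come from the
# mapping steps; the DN layout and sample values below are constructed.
# To fetch a real record (anonymous bind, one user):
#   ldapsearch -x -H ldap://ldap.iastate.edu -b dc=iastate,dc=edu uid=NETID > entry.ldif

# Assumption: UIDs below 500 are reserved for system and local accounts on
# Mac OS X, so a directory UID in that range would collide on the client.
MIN_UID="${MIN_UID:-500}"

# ldif_get FILE ATTR: print the first value of ATTR (case-insensitive),
# unfolding LDIF continuation lines (lines that start with a space).
# Base64 values ("attr:: ...") are not decoded.
ldif_get() {
    awk -v attr="$2" '
        function flush() {
            i = index(buf, ":")
            if (i > 0 && tolower(substr(buf, 1, i - 1)) == tolower(attr)) {
                val = substr(buf, i + 1); sub(/^[ \t]+/, "", val)
                print val; found = 1
            }
        }
        /^ / { buf = buf substr($0, 2); next }
        { if (!found && buf != "") flush(); buf = $0 }
        END { if (!found && buf != "") flush() }
    ' "$1"
}

# check_lab_entry FILE: return 0 if the record carries every attribute the
# mapping needs with sane values, 1 otherwise (problems are written to stderr).
check_lab_entry() {
    file="$1"; rc=0
    for attr in uid cn isupersonuidnumber isupersongidnumber isupersonmacosxlabpath; do
        [ -n "$(ldif_get "$file" "$attr")" ] || { echo "missing attribute: $attr" >&2; rc=1; }
    done
    for attr in isupersonuidnumber isupersongidnumber; do
        n=$(ldif_get "$file" "$attr")
        case "$n" in
            ''|*[!0-9]*) echo "$attr is not numeric: '$n'" >&2; rc=1 ;;
        esac
    done
    uidn=$(ldif_get "$file" isupersonuidnumber)
    case "$uidn" in
        *[!0-9]*|'') ;;   # already reported above
        *) [ "$uidn" -ge "$MIN_UID" ] || { echo "uid $uidn is below $MIN_UID (reserved locally)" >&2; rc=1; } ;;
    esac
    # NFSHomeDirectory comes from isupersonmacosxlabpath: require an absolute path without '..'
    home=$(ldif_get "$file" isupersonmacosxlabpath)
    case "$home" in
        /*) case "/$home/" in */../*) echo "home path contains '..': $home" >&2; rc=1 ;; esac ;;
        *)  echo "home path is not absolute: '$home'" >&2; rc=1 ;;
    esac
    # This setup relies on no password being stored in LDAP (authentication is
    # delegated to Kerberos); flag a populated userPassword for review.
    [ -z "$(ldif_get "$file" userPassword)" ] || { echo "userPassword present; review" >&2; rc=1; }
    return $rc
}

# write_sample_ldif FILE good|bad: write a constructed record (not real
# Iowa State data) in the shape ldapsearch prints, for offline testing.
write_sample_ldif() {
    if [ "$2" = good ]; then
        printf '%s\n' \
            '# constructed sample, not a real directory record' \
            'dn: uid=jdoe,ou=people,dc=iastate,dc=edu' \
            'uid: jdoe' \
            'cn: Jane Doe' \
            'isupersonuidnumber: 12345' \
            'isupersongidnumber: 1000' \
            'isupersonmacosxlabpath: /Users/labusers/jd' \
            ' oe' > "$1"
    else
        printf '%s\n' \
            'dn: uid=baduser,ou=people,dc=iastate,dc=edu' \
            'uid: baduser' \
            'cn: Bad User' \
            'isupersonuidnumber: 0' \
            'isupersongidnumber: 1000' \
            'isupersonmacosxlabpath: ../Library' \
            'userPassword: {crypt}xx' > "$1"
    fi
}

# Usage: sh check_ldap_entry.sh entry.ldif
[ $# -eq 0 ] || check_lab_entry "$1"
```

Run it against the ldapsearch output for your own Net-ID on one machine before rolling the configuration out; a missing attribute here shows up on the client as a user with no home directory or no shell, which is much harder to diagnose from the login window.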

Setting up Common Login Directory

A common login directory (called "labuser") can be used by all lab users when they log in. There are several different methods you can use to set up a common login directory for your lab. The information shown below is just one of those methods. Use this method or implement your own.

Follow these steps to create a common login directory and to set preferences, etc. for this directory.

  • Create a new user ("labuser") that you will use to create the initial common login directory. Choose a secure password for this new account.

  • Login as "labuser".

  • Optional: If you want to use the "attach" application described under "How to Mount an AFS Directory at Login":

    • Download and install attach.

    • Open System Preferences and select the Accounts pane.

    • Under the Startup Items tab, add the attach application to your login items:

      • Click the "Add" button.

      • Browse to the Applications folder and open the "attach" application.

  • Optionally add any other application that you want the lab user to run when they log in.

  • Set any other preference that you want to apply to all lab users logging into this machine.
    Examples are:

    • If you want to change the appearance and behavior of the Dock and what items appear in the Dock, make these changes now.

    • Many applications, such as iTunes, QuickTime, etc., set up one-time preferences the first time they are run. For these cases, you should run these applications to create these preferences so that the lab user does not have to do this each time they log in and run one of these applications.

    • Many applications, such as QuickTime, check for updates automatically. You should turn this feature off for these applications.

    • The system itself will check for updates automatically. You should turn this feature off.

  • Clear all caches and bookmarks you have set while logged in as "labuser". Whatever is left set for "labuser" is what the lab user will see when he or she logs in.

  • Log out of "labuser" and log back in with your administrator account.

  • Open a Terminal session (/Applications/Utilities/Terminal) to create the "users" group:

    echo 'users:*:101:root' | sudo niload -m group .

  • Download the LoginHook and LogoutHook scripts from here and then run the "LoginoutHooks.pkg" installer. This installer will install the LoginHook and LogoutHook scripts in /usr/athena/etc and register them with the login window:

    sudo defaults write com.apple.loginwindow LoginHook \
    /usr/athena/etc/LoginHook
    sudo defaults write com.apple.loginwindow LogoutHook \
    /usr/athena/etc/LogoutHook

    If you use an administrator account other than "admin", you will need to edit these scripts to specify what the administrator account is named.

  • Login again as "labuser". This is necessary so that the LogoutHook script can copy the /Users/labuser directory to a safe location to be used as a fresh copy when a lab user logs in.

If everything was set up correctly, you should be able to log into the Mac OS X client machine with the Kerberos username and password without having a local Mac OS X user account by that name. The LDAP server will be consulted and the user found, but since no password exists on the LDAP server, authentication will be delegated to Kerberos.

When the "labuser" account logs in, any changes you make during this login will be saved by the LogoutHook when the "labuser" account logs out.
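The two hooks do the real work of the common-login-directory scheme: the LogoutHook snapshots /Users/labuser when "labuser" logs out, and the LoginHook gives every lab user a fresh copy of that snapshot. The script below is an added example written to illustrate that behaviour; it is not the /usr/athena/etc script from the LoginoutHooks.pkg installer, whose contents the page does not show. It assumes the login window runs hooks as root with the short user name in $1, that lab users' homes live under /Users/<name>, that the snapshot lives in /var/lab/labuser-template (a made-up location), and that the local administrator is named "admin" as the page states. Because the hooks run as root and remove directories, the user name is validated before it is used in any path.

```shell
#!/bin/sh
# Hypothetical LoginHook/LogoutHook pair illustrating the behaviour described
# on this page. Added example; not the /usr/athena/etc scripts. loginwindow
# runs hooks as root with the short user name as $1.

TEMPLATE_USER="${TEMPLATE_USER:-labuser}"                   # account whose home is the template
ADMIN_USER="${ADMIN_USER:-admin}"                           # page: edit if your admin account differs
USERS_DIR="${USERS_DIR:-/Users}"                            # assumption: lab homes are /Users/<name>
TEMPLATE_DIR="${TEMPLATE_DIR:-/var/lab/labuser-template}"   # assumption: the "safe location"

# valid_user NAME: accept only a plain short name so a hostile or malformed $1
# (e.g. "../Library") can never turn the rm -rf below into a path escape.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*|.*) return 1 ;;
    esac
    return 0
}

# logout_hook NAME: when the template account logs out, snapshot its home
# into TEMPLATE_DIR ("copy /Users/labuser to a safe location"). Other users
# are ignored so their session leftovers never become the template.
logout_hook() {
    valid_user "$1" || return 1
    [ "$1" = "$TEMPLATE_USER" ] || return 0
    rm -rf "$TEMPLATE_DIR" && mkdir -p "$TEMPLATE_DIR" \
        && cp -Rp "$USERS_DIR/$1/." "$TEMPLATE_DIR/"
}

# login_hook NAME: for a lab (network) user, replace whatever is in the home
# directory with a fresh copy of the template. The template account, the
# local admin and root are left untouched.
login_hook() {
    valid_user "$1" || return 1
    case "$1" in "$TEMPLATE_USER"|"$ADMIN_USER"|root) return 0 ;; esac
    [ -d "$TEMPLATE_DIR" ] || return 1
    home="$USERS_DIR/$1"
    rm -rf "$home" && mkdir -p "$home" && cp -Rp "$TEMPLATE_DIR/." "$home/" || return 1
    # hand the copy to the user; skipped when the account is not resolvable here (offline test)
    if id "$1" >/dev/null 2>&1; then chown -R "$1" "$home"; fi
    chmod 700 "$home"
}

# Install one copy as LoginHook and one as LogoutHook; dispatch on the script's own name.
case "$(basename "$0")" in
    LoginHook)  login_hook "$1" ;;
    LogoutHook) logout_hook "$1" ;;
esac
```

The exclusion list in login_hook is what keeps an administrator's own home from being wiped on login, which is also why the page says to rename the admin account in the scripts if it is not "admin".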

Fast User Switching

We strongly recommend that you do not use fast user switching in a lab environment. The only way to switch between network users is to go to the login window, and logging in there re-joins the running session rather than starting a new one. If you need to restart or shut down the machine while other users are logged in, you will need a local admin username and password. We have verified that everything works as it should; however, the results are not what subsequent users will expect.

Last updated August 31, 2009