The Lightweight Directory Access Protocol (LDAP) is a protocol for
accessing online directory services. It runs directly over TCP and
gives applications and services a centralized way to retrieve
information stored in directories. Often the information being sought
is configuration information.
Iowa State runs an LDAP server that contains user Net-ID configuration
information. Using this information together with the Kerberos
authentication that you have previously enabled, a lab computer can be
set up to let a lab user log in without a local Mac OS X user account
being created on each lab computer: the LDAP server supplies the
account information, and the password check itself is done by Kerberos.
Configuring LDAP
Mac OS X and applications that use Mac OS X directory services get
information about users, servers and other objects from directories
listed in the "Directory Utility" application.
Follow these steps to configure the local LDAP client to access Iowa
State's LDAP server:
Open "Directory Utility" (/Applications/Utilities/Directory Utility).
Authenticate by clicking on the padlock.
Click on the "Show Advanced Settings" button.
Click on the "Services" tab.
Click on the "Enable" checkbox for "LDAPv3" if it is not checked and select
"LDAPv3" if it is not selected.
Click on the button.
Uncheck the "Add DHCP-supplied LDAP Servers to automatic search
policies" box if it is checked.
Click the "New" button.
Click the "Manual" button.
Enter "LDAP-Iowa State" in the "Configuration Name" field.
Enter "ldap.iastate.edu" in the "Server Name or IP Address" field.
Click on the "Edit..." button.
Click on the "Connection" tab.
Optionally change these values:
Open/close times out in 10 seconds
Query times out in 10 seconds
Re-bind attempted in 10 seconds
Connection idles out in 2 minutes
Click on the "Search & Mappings" tab.
Select "Custom" from the "Access this LDAPv3 server using" pull-down menu.
Click the "Add..." button.
Click on "Attribute Types".
Scroll down and select "RecordName".
Click the "OK" button.
Click on the "Add..." button.
Type in "uid".
Click the "Add..." button.
Click on "Record Types".
Scroll down and select "Users".
Click the "OK" button.
Select "Users".
Click the "Add..." button.
Type in "inetOrgPerson".
Type in "dc=iastate,dc=edu" into the "Search Base:" field.
Click on "all subtrees" for "Search in:".
Click on the "Add..." button.
Select "Attribute Types".
Scroll down and select "AuthenticationAuthority".
Scroll down more and "command-click" select the following:
Select "Custom path" from the "Search:" pull-down menu.
Click on the "+" button.
Select "/LDAPv3/ldap.iastate.edu" if it is not selected.
Click the "Add" button.
Click the "Apply" button to apply changes.
Quit the "Directory Utility" application.
Restart the system for the LDAP changes to take effect.
Setting up a Common Login Directory
A common login directory (in the text and examples below we used
"labuser", but you may use any local account name you choose) can be
used by all lab users when they log in. There are several different
methods you can use to setup a common login directory for your lab. The
information shown below is just one of those methods. Use this method
or implement your own.
Follow these steps to create a common login directory and to set
preferences, etc. for this directory.
Login as an administrator
Create labuser Account and users Group
Open "System Preferences".
Click on the "Accounts" tab.
Authenticate by clicking on the padlock.
Click on the "+" button to create the "labuser" account.
Select "Administrator" from the "New Account:" pull-down menu. The
"labuser" account needs to be an administrator in order to install
software. Choose a strong password for it: this local administrator
account stays on every lab machine, and its home directory is what
every lab user starts from.
Type in "labuser" in the "Name:" and "Short Name:" fields and a password
in the "Password:" and "Verify:" fields.
Click "Create Account" to create the "labuser" account.
Click on the "+" button to create the "users" group.
Select "Group" from the "New Account:" pull-down menu.
Type in "users" in the "Name" field.
Click "Create Group" to create the "users" group.
Click on "labuser" under "Membership:" to add the "labuser" account to
the "users" group.
Command-Click on "users" and select "Advanced Options...".
Change "Group ID:" to "101".
Click the "OK" button to save the change.
Click on "labuser" to select it.
Command-Click on "labuser" and select "Advanced Options...".
Change the "Group ID" to "101".
Click the "OK" button.
Because of a bug in Mac OS X 10.5, users whose isuPersonUidNumber is
less than 500 will not be able to log in via the login window (Mac OS X
reserves uids below 500 for system accounts). As of August 14, 2008, no
students have a uid less than 500. However, some faculty or staff may.
If you have faculty or staff who can't log in to your lab because they
have a uid less than 500, contact the Solution Center and ITS can change
that person's uid to one greater than 500.
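The two things the steps above leave you to verify by hand, that the custom mapping in "Configuring LDAP" turns an LDAP entry into a Users record, and that the uid limitation just described will not block a given person, can be exercised offline. The following Python script is an added example, not code from this page or from ITS: it parses an LDIF entry of the kind ldapsearch returns, applies the mapping from the page (record type Users from inetOrgPerson, RecordName from uid, search base dc=iastate,dc=edu over all subtrees) and reports whether the 10.5 login window will accept the account. The mapping of UniqueID to isuPersonUidNumber is an assumption drawn from the page's statement that this attribute is the user's uid, and the sample entries are constructed; only the server name, the search base, the attribute name isuPersonUidNumber and the 500 limit come from the page.

```python
# Added example (not from the ITS page): replay the Directory Utility
# LDAPv3 mapping against LDIF and check the 10.5 login-window uid limit.
import base64
import shlex

LDAP_HOST = "ldap.iastate.edu"      # from the page
SEARCH_BASE = "dc=iastate,dc=edu"   # from the page
MIN_LOGIN_UID = 500                 # 10.5 login window rejects uids below this

# Custom mapping from "Search & Mappings": Open Directory name -> LDAP name.
# Users/RecordName are on the page; the UniqueID line is an ASSUMPTION based
# on the page calling isuPersonUidNumber the user's uid.
RECORD_TYPE_MAP = {"Users": "inetOrgPerson"}
ATTRIBUTE_MAP = {"RecordName": "uid", "UniqueID": "isuPersonUidNumber"}


def parse_ldif(text):
    """Parse LDIF into a list of dicts (attribute -> list of values).

    Handles comment lines, folded continuation lines (leading space) and
    base64 values ("attr:: ...") so real ldapsearch output works too.
    """
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]      # folded line: drop one space
            continue
        if not line.strip():                         # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        if value.startswith(":"):                    # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def map_user(entry):
    """Apply the mapping; None when the entry is not a Users record."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if RECORD_TYPE_MAP["Users"].lower() not in classes:
        return None
    return {od: entry[ldap] for od, ldap in ATTRIBUTE_MAP.items() if ldap in entry}


def login_status(record):
    """Return (accepted, reason) as the 10.5 login window would decide it."""
    if not record or not record.get("RecordName"):
        return False, "no RecordName: the login window cannot find this account"
    if not record.get("UniqueID"):
        return False, "no UniqueID: the account has no POSIX uid"
    try:
        uid = int(record["UniqueID"][0])
    except ValueError:
        return False, "UniqueID is not numeric: %r" % record["UniqueID"][0]
    if uid < MIN_LOGIN_UID:
        return False, ("uid %d is below %d: blocked by the 10.5 login window "
                       "bug, ask the Solution Center to renumber" % (uid, MIN_LOGIN_UID))
    return True, "uid %d: ok" % uid


def check_ldif(text):
    """Map every Users entry in an LDIF dump to {RecordName: (accepted, reason)}."""
    results = {}
    for entry in parse_ldif(text):
        record = map_user(entry)
        if record is not None:
            results[record.get("RecordName", ["?"])[0]] = login_status(record)
    return results


def ldapsearch_command(netid):
    """ldapsearch equivalent of the configured search ("all subtrees" = -s sub)."""
    args = ["ldapsearch", "-x", "-H", "ldap://%s" % LDAP_HOST, "-b", SEARCH_BASE,
            "-s", "sub", "(uid=%s)" % netid, "uid", "objectClass", "isuPersonUidNumber"]
    return " ".join(shlex.quote(a) for a in args)


# Constructed sample output, not real directory data.
SAMPLE_LDIF = """\
# search result (constructed)
dn: uid=jdoe,ou=people,dc=iastate,dc=edu
objectClass: inetOrgPerson
objectClass: person
uid: jdoe
cn: Jane
  Doe
isuPersonUidNumber: 12345

dn: uid=oldstaff,ou=people,dc=iastate,dc=edu
objectClass: inetOrgPerson
uid: oldstaff
isuPersonUidNumber: 321

dn: cn=labs,ou=groups,dc=iastate,dc=edu
objectClass: groupOfNames
cn: labs
"""

if __name__ == "__main__":
    print(ldapsearch_command("jdoe"))
    for name, (ok, why) in check_ldif(SAMPLE_LDIF).items():
        print("%-10s %s" % (name, why))
```

To check a real account, paste the output of the printed ldapsearch command in place of SAMPLE_LDIF; the group entry in the sample shows that objects without the inetOrgPerson class are ignored by the Users mapping, which is why they never appear as login candidates.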
Install LoginHook and LogoutHook scripts
Download the loginhook and logouthook scripts from
here. Then run the LoginoutHook.pkg package installer to install
the loginhook and logouthook scripts into the /usr/athena/etc directory
and to register these scripts with the system:
This installer will also install the "detach" script if it does not exist
in the /usr/athena/etc directory.
If you use an administrator account other than "admin", you
will need to edit the loginhook script to specify what the
administrator account is named. If you use a local account other than
"labuser", you need to edit both the loginhook and logouthook scripts
to specify what the local account is named.
Login as Labuser
If you want to use the "attach" application, then
download and install
attach.
If you want to use the "NetPrint" application, then
download, install and configure
NetPrint.
Install and configure any other application that you want the lab user
to run when they log in.
Set any other preference that you want to apply to all lab users
logging into this machine. Examples are:
If you want to change the appearance and behavior of the Dock and
what items appear in the Dock, make these changes now.
Many applications, such as iTunes, QuickTime, etc., set up one-time
preferences the first time they are run. For these cases, you should
run these applications to create these preferences so that the lab user
does not have to do it each time they log in and run one of these
applications.
Many applications, such as QuickTime, check for updates automatically.
You should turn this feature off for these applications.
The system itself will check for updates automatically. You should
turn this feature off as well; lab users should not be prompted to
install updates, so the administrator must apply system and security
updates on a regular schedule instead.
Whenever the "labuser" account logs in, any changes you make during this
login will be automatically saved by the logouthook script when the
"labuser" account logs out.
Clear all Caches, Bookmarks, Recent Items menus and anything else you
may have set while logged in as "labuser" before you logout -- whatever
is left under "labuser", the user will see when he or she logs in.
If everything was set up correctly, you should be able to log into the
Mac OS X client machine with the Kerberos username and password without
having to have a local Mac OS X user account by that name.
Fast User Switching
We strongly recommend that you do not use fast user switching in a
lab environment. The only way to switch between network users is to go
to the login window, and logging in there will re-join the running session
rather than starting a new one. If you need to restart or shut down the
machine while other users are logged in, you will need a local admin
username and password. We have verified that everything works as it
should; however, the results are not what subsequent users will
expect.