Wed Dec 2 13:19:05 ICT 2015

Configuring Mac OS X for CSIM

Quite some work is needed to make Mac OS X behave in CSIM environment. The default configuration of Apple system is not much stadard. In this note, I tried to list all I had to do to configure our iMac.

When installing Mac OS X, a local account is created on the machine, with root. privileges. The account name is toor and the password is the administrator password of the PCs.

Host name

Set the hot name at command line with:

sudo scutil --set Hostname name

Then set the host name in the Sharing panel in the Preferences. Also selet Remote Login, for All Users to allo sshd.

Mounting /home

To mount CSIM home directories automatically, create the directory /home then add:

oak.cs.ait.ac.th:/home /home nfs -P,-i, -b 0 0

in /etc/fstab

The mount(8) must be automatically executed at boot time, this is done by adding ~on/MacOSX/fstab.plist into /Library/LaunchDaemon.

Mail service

postfix must be configured to send all email to CSIM mail server, you must configure the fle /etc/postfix/main.cf and add the lines:

masquerade_domains = cs.ait.ac.th
relayhost = mail.cs.ait.ac.th
mydomain = cs.ait.ac.th
myorigin = $mydomain

Printers

Printers are configured with he service lpr on the remote host banyan.cs.ait.ac.th.

Install AIT root certificates

Install http://cs.ait.ac.th/ait-itserv.crt and http://cs.ait.ac.th/ait-new.crt.

With Mac OS X 10.11, only the second one is necessary, the system will not allow self signed root CA with MD5 algorithm.

Root certificates must be installed to be allways trusted.

User authentication with OpenLDAP

In the control panel for Users, in Account login option, select Allow net user to login at login window

In Open Directory, add one entry for ldap2.cs.ait.ac.th. The exact configuration for LDAP is obtained by copying ~on/MacOSX/ldap2.cs.ait.ac.th.plist into /Library/preferences/OpenDirectory/Configuration/LDAPv3.

This .plist file contains all the configuration the LDAP server, including the mapping of Apple Open Diretory attributes into OpenLDAP attributes.

It also contains an important section that disable SASL authentication for DIGEST-MDS, GSSAPI, CRAM-MD5 and NTLM. In Mac OS X 10.6, there were not such a problem as authentication was only basend on Simple Bind. But 10.7 and later introduced SASL authentication; it must be disabled.

            Denied SASL Methods = Array {
                DIGEST-MD5
                GSSAPI
                CRAM-MD5
                NTLM
            }

The .plist file is read and edited with /usr/libexec/PlistBuddy.

In the Directory Utility, you must add LDAP to the Search Policy for both Authentication and Contacts. Authorisation should read:

/local/default
/LDAPv3/ldap2.cs.ait.ac.th

and Contacts should read:

/LDAPv3/ldap2.cs.ait.ac.th
/local/default

Users that are members of LDAP Group admin have administrator and privileges on the machine.

Configure the screen saver

In the Preference, change the Energy saving to never turn the system to sleep: the system is not really clever at recognizing when it is active and would turn to sleep in the middle of a file transfer!

Set a screen saver and in the Security and Privacy panel set the Require password immediately after sleep or screen saver.


Posted by Olivier | Permanent link | File under: administration, mac_os_x, ldap
/\