20110629: Mac authentication using UW NetIDs


A meeting to discuss "Macintosh authentication using UW NetID" took place: Wednesday, June 29 2011, 2:00 pm - 3:30 pm.

Notes from the meeting of 6/29 (courtesy of Brian High)

=================================-=-
Dan Sinema, Apple Computer Inc.
Mac OS X Directory Services/AD scenarios
=================================-=-

dsconfigad: to find group membership, to script mounting shares
- static mapping only, no variables. See: https://discussions.apple.com/message/2793427?messageID=2793427
  (Maybe script around this?)

MCX attributes for policies can be stored as XML in LDAP:
- Volume Mounting
- Energy Saver
- Preferences Manifest per Application

Auxiliary classes "overlay" via LDIF schema extensions.
See: http://www.opensource.apple.com/source/OpenLDAP/OpenLDAP-37/AppleExtras/apple.schema
See: /etc/openldap/schema/apple.schema

Magic Triangle: LDAP (groups) <==> Mac <==> AD (users)

Magic Triangle with file services:

    OSX Server <= AD Plugin => AD <= SMB Server
        ^                      ^            ^
        |                  AD Plugin        |
        |                      |            |
        \== SMB ============> MAC <== SMB ==/

Using just AD and an SMB server, scripting mounting from the client end:
- login from AD
- dseditgroup
- launchd and plist to mount from SMB

Lion has Profile Manager for remote management.
OSX has Workgroup Manager for local policies and can push to an LDAP server or OSX Server.

=================================-=-
Brian Arkills
Delegated OUs
=================================-=-

See: Overview/review the UW "Netid" domain and delegated OUs

UW Group Service has hourly sync. Used, for example, for budget groups.

Offers:
- DDNS
- Free (costs paid by UW-IT chargeback fee)
- Domain migration
- Group sync from old DC
- Delegated group of computers

=================================-=-
John Canfield, Stephen Bangs (CIS)
How UW-IT computing labs manage authentication on Macintosh
=================================-=-

DeployStudio
- Free
- Imaging
- Works with UWWI

Had to populate the UW delegated group of computers to get it to work.

=================================-=-
Martin Criminale, Andy Gravano
How the iSchool manages authentication on Macintosh
=================================-=-

- iMacs in labs dual-boot OSX/Windows, both using UWWI, and automatically join UWWI as the image is deployed.
- They also use DeployStudio.
- They use the delegated group of computers, as does CIS.
- Use ARD since it is required by DeepFreeze.
- Can't extend the schema in the delegated UWWI OU.
- The memberOf attribute is locked down, so it cannot be used for assigning, for example, admin rights to users in UW groups; only local groups work. (Group memberships in UW Groups are not recognized.)
- Time management conflicts with Windows (due to the dual-boot configuration).
- 3 hour nightly management window.

Links to other resources:

Outcome

No agreed-upon proposal emerged from this discussion. There are published ways to do Mac authentication integration.
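To illustrate the "script around this" idea from the dsconfigad notes above (static share mapping only, no variables), here is an added example that is not from the meeting or from any UW project: a POSIX shell script that mounts a per-user SMB share at login only when the account is a member of an AD group, plus a function that writes the LaunchAgent plist that runs it. The server name files.example.edu, the share prefix, the group name and all paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the meeting notes): work around dsconfigad's
# static-only share mapping by mounting a per-user SMB share from a
# per-user LaunchAgent at login. Server, share prefix, group and paths
# are assumptions chosen for illustration.

SMB_SERVER="files.example.edu"   # assumed file server name

# Build the mount_smbfs source for a user's share. The share name is
# derived from the account name, which a static dsconfigad mapping cannot do.
smb_source_for_user() {
    # $1 = short account name, $2 = share prefix (e.g. "home-")
    printf '//%s@%s/%s%s' "$1" "$SMB_SERVER" "$2" "$1"
}

# Mount only if the logged-in account is in the AD group that owns the
# share. dseditgroup -o checkmember exits 0 on membership (macOS only),
# so users outside the group never get a mount attempt.
mount_user_share() {
    user=$(id -un)
    group="$1"; prefix="$2"; mnt="/Volumes/$prefix$user"
    dseditgroup -o checkmember -m "$user" "$group" >/dev/null 2>&1 || return 1
    mkdir -p "$mnt"
    mount_smbfs "$(smb_source_for_user "$user" "$prefix")" "$mnt"
}

# Write a LaunchAgent (e.g. into ~/Library/LaunchAgents) that runs this
# script at login. $1 = plist path, $2 = script path, $3 = AD group,
# $4 = share prefix. The label is an assumed reverse-DNS name.
write_launch_agent() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>edu.example.mountshare</string>
    <key>ProgramArguments</key>
    <array><string>/bin/sh</string><string>$2</string><string>$3</string><string>$4</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# Entry point when launchd runs it: /bin/sh mountshare.sh <group> <prefix>.
# With no arguments the file only defines the functions.
case "$1" in
    "") ;;
    *) mount_user_share "$1" "$2" ;;
esac
```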