Leopard LDAP setup for UMOD

Following these steps will cause your Leopard machine to obtain all of its account information from UMOD in addition to any local accounts. After following these steps, you can use your Kerberos password for most things on your machine. The only thing currently known to not accept your Kerberos password is the ARD (Remote Management) service. Note that it accepts your Kerberos PASSWORD - it is not getting a Kerberos TICKET. This is all being done by the fact that UMOD accepts pass-through authentication for Kerberos passwords.

The following services have been tested with this authentication:

SSH (remote login)
sudo
su
AFP
Screen sharing
Preference unlocking
Screen saver unlocking
Server Preferences*
Workgroup Manager*
Server Admin*

* These services require the UMOD user to also be a member of the "admin" (80) group. You can add someone to this group with this command: sudo dseditgroup -o edit -t user -a dpugh admin

The following services have been tested and do NOT work (though there may be yet undiscovered ways to make them work):

ARD (Remote Management)
Wiki Server

SECURITY WARNING: If you have any sharing services (remote login/ssh, file sharing, screen sharing, etc) enabled, following this procedure will allow everyone in the University community to connect to your computer unless you limit the access through other means.

Launch /Applications/Utilities/Directory Utility. Ignore the Looking for Mac OS X Servers message - don't wait for it to complete. If everything is greyed out, click the lock icon to unlock

Click the Show Advanced Settings button.

Click the Services button.

Double-click LDAPv3.

Click the New... button

Click the Manual button.

Set the fields as follows:

Configuration Name: UMOD
Server Name: ldap.itd.umich.edu
LDAP Mappings: RFC 2307 Unix

Search Base Suffix: dc=umich,dc=edu

SSL: Selected

Click OK

Click Search Policy button.

On the Authentication tab, click the Add (+) button. If an Add (+) button is not shown, set the pulldown for Search to Custom path. A dialog will appear.

Choose /LDAPv3/ldap.itd.umich.edu and click the Add button.

Click the Apply button. (this will take about 30 seconds to process)

Close Directory Utility.

(I think the fact that you need to do the next 2 steps are bugs, but it does work, so here they are):

As root (use sudo), use your favorite text editor (vi, nano, pico, emacs, etc) to modify /etc/openldap/ldap.conf. Change the TLS_REQCERT line from demand to never:
TLS_REQCERT never
An explaination of this LDAP issue can be found here, at AFP548

Reboot

If you want to test it, launch /Applications/Utilities/Terminal and type

  id johndoe

(or any other uniqname of a person that does not have an account on your computer). If it comes back with their uid (and some other stuff) you're all set. If you see a 'no such user' result, your LDAP configuration is not working.