MacEnterprise.org / MacResource.org - Mac OS X enterprise deployment project (http://macenterprise.org)
Open Directory Schema for SunONE E-mail
Written by Sam Agnew   
Wednesday, 09 November 2005
Open Directory schema for Mac OS X 10.3.9/10.4.x, formatted for the SunONE Directory Server:

Ever wanted to host a full-featured OD LDAP domain on a SunONE LDAP server? If your manager insists on turning on schema checking, you're going to have a whale of a time trying to get the schema accepted by SunONE. Luckily for you, I've already been through that pain...

In our environment we have a very diverse server room but an almost exclusively Mac client base. We have standardised on a SunONE directory server for our central user database. Our Active Directory domain syncs (one-way) to the Sun through the Sun IDSync tool. For our Macs, however, the easiest thing was to use the Sun as the Mac domain authority. Not wishing to lose any functionality, I devised a way to load the complete Apple schema onto the Sun, enabling us to use it as if it were an Open Directory server. Password Server and the KDC are hosted on a real Mac OS X Server Open Directory master with no users in its LDAP. We have had no problems with having the users on the Sun and the passwords on the OD master.

This may prove useful to some people, as the Sun is very picky about schema LDIFs and many modifications to formatting were necessary to arrive at the enclosed files. Both files are necessary. Together they allow SunONE to host an Open Directory LDAP domain with schema checking turned on.

I also had to author a custom password-change page that changes the Mac OS password (Crypt for some users, Open Directory for others) and then sets the same password, as a crypt hash, in the user's LDAP record. This ensured all our systems had the same password for each user whether or not that user was an Open Directory password user. I don't know if there would be interest in that.

For SunONE, every space and line break is significant: the slightest change to the following schema files will result in their being rejected.

You will need both the apple schema and the apple_samba schema.
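Apple ships its schema (apple.schema and the Samba schema) in OpenLDAP slapd.conf format, whereas a Netscape-derived server such as SunONE takes new schema as an LDIF modification of cn=schema, so much of the reformatting the author describes is a conversion between those two forms. The script below is an added example, not the author's converted files: it pulls each attributetype and objectclass definition out of OpenLDAP-format text (balancing parentheses across lines and ignoring parentheses inside quoted DESC strings), collapses whitespace to single spaces with one space inside each parenthesis, and emits the attribute types before the object classes that reference them, folded to LDIF line length per RFC 2849. The sample schema at the bottom is constructed for the demonstration and uses placeholder OIDs, not Apple's. The spacing it produces is the usual layout of a Sun 99user.ldif file, but since the page's point is that SunONE rejects the slightest deviation, treat the output as a starting point and compare it with the author's files or load it on a non-production instance first.

```python
"""Convert OpenLDAP slapd.conf-style schema ('attributetype ( ... )' and
'objectclass ( ... )' blocks, the format of Apple's apple.schema) into an LDIF
modify record against cn=schema, which is how a Netscape-derived server such as
SunONE Directory Server takes new schema. Added example, not the author's files;
the exact spacing SunONE accepts must still be checked against the server."""
import re
from typing import List, Tuple

# OpenLDAP keyword (lower-cased) -> operational attribute under cn=schema.
KIND_MAP = {"attributetype": "attributeTypes", "objectclass": "objectClasses"}
KEYWORD = re.compile(r"\b(attributetype|objectclass)\s*\(", re.IGNORECASE)


def strip_comments(text: str) -> str:
    """Drop '#' comment lines, of which Apple's schema files have many."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def extract_definitions(text: str) -> List[Tuple[str, str]]:
    """Return (kind, body) pairs in file order, body keeping its outer parens.
    Parens are balanced across lines and ignored inside single quotes, so a
    DESC 'x (y)' string and a MUST ( a $ b ) list are both handled."""
    text = strip_comments(text)
    out, pos = [], 0
    while (m := KEYWORD.search(text, pos)) is not None:
        kind = KIND_MAP[m.group(1).lower()]
        start = m.end() - 1                      # index of the opening '('
        depth, in_quote, i = 0, False, start
        while i < len(text):
            c = text[i]
            if c == "'":
                in_quote = not in_quote
            elif not in_quote and c == "(":
                depth += 1
            elif not in_quote and c == ")":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        if depth != 0:
            raise ValueError("unbalanced parentheses in %s definition" % kind)
        out.append((kind, text[start:i + 1]))
        pos = i + 1
    return out


def normalise(body: str) -> str:
    """Collapse whitespace outside quotes to single spaces and force exactly one
    space inside every parenthesis: ( 1.2.3 NAME 'x' ), never (1.2.3 NAME 'x').
    Text inside quotes (DESC strings) is left exactly as written."""
    parts = body.split("'")
    for k in range(0, len(parts), 2):            # even indices are outside quotes
        s = re.sub(r"\s+", " ", parts[k])
        s = re.sub(r"\(\s*", "( ", s)
        parts[k] = re.sub(r"\s*\)", " )", s)
    return "'".join(parts).strip()


def fold_ldif(line: str, width: int = 76) -> List[str]:
    """RFC 2849 folding: no line longer than `width`; each continuation line
    starts with one space, which the consumer removes when unfolding."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def unfold_ldif(ldif: str) -> List[str]:
    """Undo the folding, i.e. reconstruct what the server will actually parse."""
    out: List[str] = []
    for l in ldif.splitlines():
        if l.startswith(" ") and out:
            out[-1] += l[1:]
        else:
            out.append(l)
    return out


def to_sunone_ldif(schema_text: str) -> str:
    """One 'changetype: modify' record: all attribute types first (object
    classes refer to them), then all object classes, each 'add:' ended by '-'."""
    defs = extract_definitions(schema_text)
    lines = ["dn: cn=schema", "changetype: modify"]
    for kind in ("attributeTypes", "objectClasses"):
        bodies = [normalise(b) for k, b in defs if k == kind]
        if not bodies:
            continue
        lines.append("add: " + kind)
        for b in bodies:
            lines.extend(fold_ldif("%s: %s" % (kind, b)))
        lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed input, not Apple's apple.schema: attribute names follow Apple's
# conventions but the OIDs are placeholders under a made-up arc.
SAMPLE_SCHEMA = """\
# constructed sample in OpenLDAP format
attributetype (
    1.3.6.1.4.1.99999.1.1
    NAME   'apple-user-homeurl'
    DESC 'home directory URL (as xml)'
    EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'apple-user' SUP top AUXILIARY
    MAY ( apple-user-homeurl $ mail ) )
"""

if __name__ == "__main__":
    print(to_sunone_ldif(SAMPLE_SCHEMA), end="")
```

Feed the output to ldapmodify against the SunONE server as a directory administrator. The attribute types are emitted ahead of the object classes deliberately: the server will reject an object class whose MUST or MAY list names an attribute it has not yet seen, and the same ordering is what makes the two files on this page (the apple schema before the apple_samba schema that depends on it) load cleanly.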

If these load for you, you will find that you can do anything you want in Workgroup Manager to users, groups, computer lists and so on while hosting them on your SunONE LDAP server without violating the schema. You will still need an Open Directory master to host the KDC and Password Server. I have had no problems assigning Open Directory passwords to users on the SunONE LDAP server; in fact, all of my users are on the SunONE.

More recently I have found that if you are running this setup it is beneficial to bind clients to both servers, the OD master first and the SunONE second. In other words, in Directory Access you would set the Authentication tab's custom search path to list the OD server (/LDAPv3/my.od.server/) before the SunONE server (/LDAPv3/my.sunone.server/). This ensures that anything Open Directory writes into its own LDAP server (Kerberos client configuration, replica lists, and so on) is still seen by your clients, while user lookups still resolve against the SunONE because the OD master's LDAP holds no user records.

You will also want to ensure that at least one Directory Administrator user on your OD LDAP has a matching user on the SunONE LDAP server, and that this SunONE user has been given Configuration Administrator privileges by the SunONE server.

Sam Agnew
Weill Cornell Medical College in Qatar

Click here to download schema.

Last Updated ( Thursday, 09 March 2006 )