LDAPtoAD3

LDAPv3 Authenticating to Active Directory (Part V)

Intro	LDAP to AD Part I
LDAP to AD Part II	LDAP to AD Part III
LDAP to AD Part IV	LDAP to AD Part V
Misc	ADmitMac
UserInfoMenu v1.02

Active Directory Integration in Three Hours or Less Article on AFP548.com
Mac OS X with Active Directory (Apple's PDF using LDAPv2)
Apple OIDs (For schema modifications)
NISSchema Attributes (Additional OIDs not covered by Apple)
University of Michigan LDAP info
Additional Docs on LDAP integration from JAMF Software
Mac OS X AD Integration Scripts (Shukwit.com)
Mac OS X Server: How to Avoid Sending Clear Passwords in a Kerberos Environment With LDAPv3

-- Miscellaneous Tidbits --

If you are receiving numerous pauses as the result of not using your LDAP connection within several minutes I'm told this is an issue with the OS X client. Its suppose to have been fixed as of 10.2.4. Alternately, a cron job that runs a script with the command killall DirectoryService will force the DirectoryService daemon to restart before "it goes stupid".
If you want to use AD based accounts to have admin rights on a workstation you need to add them to the Admin group. This can be done by either adding the account to the local Admin group or by deleteing the local Admin group altogether and then recreating it in AD (matching the GID and everything else). At that point, adding an AD account to the AD based Admin group is fairly simple.

To add an AD account to the local admins group login as a local admin, run terminal, and enter:

nicl . append /groups/admin users <username>
where <username> is the short name of the directory account you want to have local admin rights.

In short what the command says is to execute NICL, tell NICL we are working with the local NetInfo(.), we want to add something (append), we want to add this something to the admin group (/groups/admin), we are adding a user (users) and the name of that user is <username>.

To remove the account simply enter:

nicl . delete /groups/admin users <username>
As of 10.2.3 (or thereabouts) OS X can now autocreate a home directory if it has rights and one is not found. The upside of this is if you specify a home directory in AD that points to the local file system one will be created. (Actually, I haven't tested this in AD but I have gotten emails back saying it should.) So, to do this it should be a simple matter of skipping all the schema changes covered in part V and modifying the userSharedFolderOther user attribute in AD to contain a local path that looks something like this: /Users/ricore.As long as the ricore folder is not found OS X will autocreate the directory with the appropriate UID and rights. The big plus of a local home directory is that you don't have to worry about the browser cache trying to span a network connection with a server based home directory. Server access can be handled via Applescripts setup as either icons or entries in the Login Items system preferences.
I got word from Alex Yu that it is possible to do LDAP over SSL. I haven't tested this but here is what he had to say (copied from an Apple discussion thread):

Okay, okay, for those who can't get AD and ldap over ssl to work, check this out!
I have finally solved the puzzle. The connection hostname that you entered in LDAPv3 settings has to be the full hostname of the AD server. For example, my-server.dept.mycompany.com.

Yes, I know that both my-server.dept.mycompany.com and dept.mycompany.com hosts could point to the same machine, but LDAP over SSL will not work unless the connecting hostname matches to the certificate's hostname. If my-server.dept.mycompany.com is not a valid DNS record, just add it to your /etc/hosts file. For example:

# echo "your_ad_server_ip my-server.dept.mycompany.com" >> /etc/hosts

This is how you get the correct and "working" CA certificate. Open up a terminal and enter:

# openssl s_client -connect your_ad_server_ip:636 {a lot of information} type QUIT

Select from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" and copy and paste it into a local file (anywhere you want). For example, /System/Library/OpenSSL/certs/my-server.pem. Edit /etc/openldap/ldap.conf and add "TLS_CACERT /System/Library/OpenSSL/certs/my-server.pem" (without quotes). Reboot.
A follow up on the SSL certificate issue from Ryan Suarez:

On how to get the correct and "working" CA certificate... This information was incorrect and did not work for me. This step actually retrieved the signed certificate, not the CA certificate.
I had my SSL certificate signed by equifax. I had to go to their site and download their CA certificate to put on the OSX client. After which, ldap/ssl started working for me.

Email: Chuck Simciak