Posted on 01-20-2014 01:34 AM
Hi,
I'm in the process of integrating some Macs into our predominately Windows
(AD) environment. For some reason, the HPC guys decided that they'd set up
an LDAP server of their own when they set up their Linux-based systems
rather than work to get Unix extensions into our existing AD environment.
I have next to no knowledge of AD. I'm wondering whether to integrate my
Macs into the existing Windows AD infrastructure, or hook into the
alternative LDAP server. For those that have been through these cycles,
could you tell me what the least painful route would be, and the pros/cons
of each?
I've read through the Apple whitepaper on AD integration and it implies it's a very simplistic process; is that really the case in practice? Can I just plug Macs straight in, or is a third-party plugin like Centrify recommended?
Thanks for any advice.
Posted on 01-20-2014 02:43 AM
Hi, we have not done that, but we have needed to link to both AD and OD for some machines.
(In our case those Macs are connected to Xsan.)
In the end, it depends on what DATA, and specifically WHERE your Network Accounts are defined, as to which LDAP you need to connect to (in order to access those accounts).
In some cases supplemental data can be obtained / utilised by also connecting to a second LDAP.
But in this case the first and second LDAPs also need to be connected together, so that the second LDAP gets its network accounts from the first LDAP.
Otherwise the two LDAP servers aren't talking to each other and are independent.
- In that case the accounts on each are nothing to do with each other!!
Posted on 01-20-2014 02:48 AM
Oh and with AD - yes, Macs can plug straight in.
(You need to use "Directory Utility", which is now located in:
/System/Library/Core Services/Directory Utility -- drag it to the Admin Dock and use it from there.)
Start with manually configuring it; if it works OK, then you can think about automating the settings.
- We have scripted ours. Casper is also able to offer AD binding.
But in a complex case, you will likely have to use a custom configuration, at least to some extent.
Posted on 01-20-2014 02:49 AM
We are using the built in AD functionality in Mavericks and that is very good. You should think through what you are trying to achieve though. It does not really matter what you do if it is just centralised user accounts, but if you are using domain groups for access control to resources it does.
Posted on 01-20-2014 06:35 AM
Essentially we want to use our primary Windows AD server for user accounts i.e. Mac users can log into their systems with the same username and password combination they use for Windows desktops.
Also, we will want to make use of AD-CS and have Macs receive certificates per device so they can log on to our staff wireless network when on campus.
Posted on 01-20-2014 08:44 AM
Just a gotcha, make sure to put the check in the box to make them a Mobile Account, when joining AD, if you want to give them the ability to login to the mac when it is not connected to the Network. As for the AD-CS, you will want to leverage Casper to push a Configuration Profile with the correct settings for Wifi...
Posted on 01-20-2014 10:16 AM
AD 2008 and later and Macs since 10.8 work fine together for basic setups and 802.1X authentication.
While Casper will handle bindings without any problem, you should familiarize yourself with the dsconfigad command, namely `dsconfigad -show` to view current AD binding information - very helpful in troubleshooting.
You may want to also check out Centrify http://www.centrify.com/products/mac-edition.asp for some added functionality.
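As an added example (not part of the thread), here is a small POSIX shell script that turns the advice above into a repeatable check: it parses the `key = value` lines that `dsconfigad -show` prints, confirms the Mac is bound, confirms the mobile-account option the earlier reply calls a gotcha is enabled, and flags packet signing and encryption that are left at `allow` rather than `require`. The sample output embedded below is constructed, not captured from a real host, and the assumed layout (a padded key, `=`, a value) is what dsconfigad printed on 10.8/10.9 at the time of the thread; adjust the key strings if your version labels them differently.

```shell
#!/bin/sh
# Audit a Mac's AD binding from the text of `dsconfigad -show`.
# Assumption: dsconfigad prints one "Key   = value" line per setting, as in
# the constructed sample below (not output from a real machine).

SAMPLE_DSCONFIGAD='You are bound to Active Directory:
                     Active Directory Forest          = corp.example.com
                     Active Directory Domain          = corp.example.com
                     Computer Account                 = mac-lab-01$

Advanced Options - User Experience
                     Create mobile account at login   = Disabled
                     Require confirmation             = Disabled
                     Force home to startup disk       = Enabled

Advanced Options - Administrative
                     Allowed admin groups             = not set
                     Packet signing                   = allow
                     Packet encryption                = allow
                     Password change interval         = 14'

# A second constructed sample with the settings this script wants to see.
SAMPLE_HARDENED=$(printf '%s\n' "$SAMPLE_DSCONFIGAD" \
    | sed -e 's/at login   = Disabled/at login   = Enabled/' \
          -e 's/= allow$/= require/')

# ad_setting KEY TEXT: print the value of KEY from TEXT, or "unbound" if the
# key is absent (which is what an unbound Mac looks like).
ad_setting() {
    printf '%s\n' "$2" | awk -v k="$1" -F' = ' '
        index($0, k " ") {
            gsub(/^[ \t]+|[ \t]+$/, "", $2)   # trim padding around the value
            print $2; found = 1; exit          # END still runs after exit
        }
        END { if (!found) print "unbound" }'
}

# ad_binding_report TEXT: one OK/FAIL/WARN line per check; returns 0 only
# when every check passes.
ad_binding_report() {
    report_text=$1
    report_rc=0
    domain=$(ad_setting "Active Directory Domain" "$report_text")
    if [ "$domain" = "unbound" ]; then
        echo "FAIL not bound to Active Directory"
        return 1
    fi
    echo "OK   bound to $domain"

    # Without a mobile account the user cannot log in off the network.
    mobile=$(ad_setting "Create mobile account at login" "$report_text")
    if [ "$mobile" = "Enabled" ]; then
        echo "OK   mobile accounts enabled"
    else
        echo "FAIL mobile accounts $mobile: offline login will not work"
        report_rc=1
    fi

    # "allow" negotiates down to plaintext LDAP; "require" refuses to.
    for k in "Packet signing" "Packet encryption"; do
        v=$(ad_setting "$k" "$report_text")
        if [ "$v" = "require" ]; then
            echo "OK   $k = require"
        else
            echo "WARN $k = $v (require recommended)"
            report_rc=1
        fi
    done
    return $report_rc
}

ad_binding_report "$SAMPLE_DSCONFIGAD"; echo "weak sample exit status: $?"
ad_binding_report "$SAMPLE_HARDENED";   echo "hardened sample exit status: $?"
```

On a bound Mac you would feed it live output with `ad_binding_report "$(dsconfigad -show)"`; the non-zero exit status makes it easy to run from a Casper policy or a login script and surface machines that were joined without the mobile-account box ticked.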
Posted on 01-22-2014 03:13 PM
Thanks guys. Does anyone know what attributes I'm likely to need in AD to support our Macs?
Any examples most welcome!
Posted on 01-22-2014 06:49 PM
@pete_c this looks like a pseudo replacement for JAMF. Why would you use this and not just use JAMF? What do you use it for mostly?