Leopard & AD @UK

Posted on May 11, 2008 by

During the summer of 08, we’re replacing most of the OSX servers and upgrading the rest to 10.5. As part of the overall set of summer updates, we are also going to utilize AD for authentication where ever possible.

Currently we run two 10.4 servers bound to AD (only, no local OD or MT) which provide web/unix services to all students (and some faculty/staff), and file services (aka ‘Locker’) to all users in our WinXX based labs. Our Mac based labs, however, use a private OD so they can manage user preference and other attributes. This has become difficult to manage, as virtually all other student services are using AD (or link blue as we call it) for authentication — plus our labs are ‘merging’ over the summer as well, so all labs will have WinXX and Mac systems…oh, and we’re moving a significant number of winXX machines to Vista, so we’ll probably also see a lot of switchers in the fall.

Our AD environment is a little unusual. We have a forest called ‘uky.edu’, and two subdomains ‘ad.uky.edu’ and ‘mc.uky.edu’. Our users may be in either domains, and there is not standard user container in either. One set of administrators maintains ad.uky.edu and another maintains mc.uky.edu. Our Acad Tech group does not have domain admin access in either, though we do have various containers and groups that we own. There’s at least one rouge DC in the MC side at any one time, but that’s another story.

We tried a few experiements with Leopard in workgroup mode, and it pretty much doesn’t work. Only a small fraction of the user base is listed in the GUI for import. Trying to import all users from a gorup, appears to finish in 5 secs — which seems pretty fast for a groups with 30,000 entries. And of course it was since nothing was imported. I suspect that maybe some of these tools don’t know how to deal with ‘Ranged’ results coming back form AD, but it could be something else.

We’re currenty messing with Advanced mode and building our own Augment records — what Joel R calls the ‘Cylinder of Destiny’. However, documentation is a bit sparse, and Workgroup manager still doesn’t seem to behave well, occasionally dropping core, often not finding something that is clearly there, and sometimes getting disconnected and will not reconnect without a restart. For the most part that’s just as well, since given the scale of our user base ( approx 28,000 students, 4500 faculty, and 10,000+ staff ), most things need to be done in bulk.

In addition to wondering what the best way to activate the use of Augment records on each server and, of course, what exactly should/must we be building into these augment records some other questions might be:

  • automatic detection of changes — how do we know when users are added/removed from the AD, It looks like there is an API for requesting that, or we could write our own via perl or php and ldap, but…
  • bulk augments / group augments — could we apply an augment like Group:WikiAccess for example?
This entry was posted in AD, IT, OS X, sysadm

Leave a Reply