How To Add Active Directory Authentication Painlessly

About 2 months ago we decided to rewrite our client application for Mac OS. One of the new features we had to add was active directory authentication. It took us more time than we anticipated to implement this feature.

Client application for Windows already had active directory integrated. We knew that it worked with no issues based on customers’ reports. But some customers started asking for active directory for the Mac application as well. So here are things we learned while implementing it. There were two steps to implementing active directory:

1 – How to test if our implementation worked? When we implemented the Windows app, an active directory server hosted on the cloud was used for testing. We needed a testing environment for Mac.

2 – What APIs to use? Should we use Mac’s OpenDirectory API for it? Or should we be using openldap API that is cross platform and supports active directory?

Testing is really important part of software development. You have to know how to test each feature of your application. We thought we should set up our own active directory server and create user accounts and use it to test our Mac application. So we setup an Active Directory 2012 R2 on a machine and used it for testing, we had an active directory running. We tried to bind one of Windows laptops to it but the laptop could not find the server. The problem was that DNS server could not find the AD domain name so we had to add AD server IP address as a DNS server. That worked well and the Windows laptop was bound to the AD server. Now, it was Mac’s turn. We did the same thing for Mac, adding IP address of the AD server as a DNS server. We faced another problem with Mac. It was complaining that timeservers did not match. We finally figured out that we had to point the timeserver in Mac to the AD server IP address. Still, the binding process was failing due to a plugin error, which we could never solve. However, when we tried binding, from the status messages of binding process, we could tell that it was able to find the AD server and authenticate the user but fail after those steps. So we thought we do not need to bind the Mac to the AD server. If Mac can do authentication then we can do it as well. We were right!

After dabbling with this issue for more than we should have to get active directory set up on Mac and start implementation. We tried to use OpenDirectory API in Mac to implement active directory authentication but it proved to be very frustrating and had to abandon that route due to limited support and plugin issues Mac OS had. So what should we have done? Python! Believe us, python has API for everything! So indeed, there was one called ldap. We used it to do active directory authentication in Mac. It worked! We looked at its source code and it was C code that was doing most of the core part. We were able to trace the code and saw relevant includes such as #include which grabbed our attention. After researching further, we found out there is actually an API called openldap that is cross platform and supports AD. Why not use that? Ldap python module already has a code that does active directory authentication. So we just learned the function names that should have been used and implemented active directory authentication using openldap C API. At the end of the day, we had around 10 lines of code that took us around 5 days.

All in all, that was a different experience we had. Even though it took us so long to write 10 lines of code, now we support active directory in both Mac and Windows apps and our customers are happy about it. So it was worth it.
Contact Us!

Share on Facebook0Share on LinkedIn3Tweet about this on Twitter


You may also like

×