[Network Administration]: More LDAP and OSX

This is a continuation of the last post on LDAP integration with OSX. Since then I’ve become more frustrated with it. I’ve been able to get LDAP-enabled logins to work, along with basic automounted home directories, and I got some of the Apple-specific attributes to be recognized. The one thing I’ve not been able to get working at all is reading the attribute/object mapping from the server. The “write to server” portion of Directory Utility does not work at all on OS X 10.6.8 (Snow Leopard), and by “not working” I mean I don’t even see a connection established at the server. I also tried with Lion and had no success there either. I read a couple of comments here and there about it not working for other people, but beyond that I’ve found no other information on it. What a waste of time… I’m currently resigned to writing out the mappings to a plist that I can copy from machine to machine.

Anyway, on with it! I made a number of changes in Directory Utility (found in /System/Library/CoreServices/ in OSX 10.6.8 – Snow Leopard). To start, I updated the people and group entries in my directory. For the users, I added the apple-user objectClass and the authAuthority and apple-user-homeDirectory attributes. For the groups, I added the apple-group objectClass.

# Within one modify record, each add block is closed by a line holding a single "-";
# a blank line ends the record, so it only appears between the two entries.
dn: uid=user,ou=people,dc=ldap,dc=server,dc=tld
changetype: modify
add: objectClass
objectClass: apple-user
-
add: authAuthority
authAuthority: ;basic;
-
add: apple-user-homeDirectory
apple-user-homeDirectory: /Network/Servers/filer/volume1/accounts/user

dn: cn=users,ou=groups,dc=ldap,dc=server,dc=tld
changetype: modify
add: objectClass
objectClass: apple-group
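To avoid hand-editing one LDIF record per account (and to catch the easy mistake of putting a blank line where the "-" separator belongs, which makes ldapmodify reject everything after it), here is an added Python example, not code from the original post, that generates the user and group modify records above and parses them back to confirm each user entry carries the apple-user objectClass, the ;basic; authAuthority and an Apple home path. The base DN and home prefix mirror the post; the uids (alice, bob, carol) are constructed placeholders.

```python
# Added example: emit the Apple-schema LDIF modify records and verify them.
# BASE_DN and HOME_PREFIX are taken from the post; the uids are made up.

BASE_DN = "dc=ldap,dc=server,dc=tld"
HOME_PREFIX = "/Network/Servers/filer/volume1/accounts"


def user_modify_ldif(uid):
    """LDIF record adding apple-user, authAuthority and the Apple home path.

    Inside a single 'changetype: modify' record every add: block is closed by
    a line holding only '-'; the trailing blank line is what ends the record.
    """
    return "\n".join([
        "dn: uid=%s,ou=people,%s" % (uid, BASE_DN),
        "changetype: modify",
        "add: objectClass",
        "objectClass: apple-user",
        "-",
        "add: authAuthority",
        "authAuthority: ;basic;",  # check the password against LDAP itself
        "-",
        "add: apple-user-homeDirectory",
        "apple-user-homeDirectory: %s/%s" % (HOME_PREFIX, uid),
        "",
    ]) + "\n"


def group_modify_ldif(cn):
    """LDIF record adding the apple-group objectClass to a POSIX group."""
    return "\n".join([
        "dn: cn=%s,ou=groups,%s" % (cn, BASE_DN),
        "changetype: modify",
        "add: objectClass",
        "objectClass: apple-group",
        "",
    ]) + "\n"


def parse_modify_ldif(text):
    """Parse the plain-text LDIF subset written above into a list of records.

    Each record is a dict with 'dn', 'changetype' and 'attrs' (attribute name
    -> list of values gathered across all add: blocks).  An attribute line met
    outside a record means a blank line was used where '-' belonged, which is
    the same thing ldapmodify trips over, so it is reported as an error.
    """
    records, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line == "":
            if current is not None:
                records.append(current)
                current = None
            continue
        if line == "-" or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("line %d: not an LDIF attribute line: %r" % (lineno, raw))
        value = value.strip()
        if name == "dn":
            current = {"dn": value, "changetype": None, "attrs": {}}
        elif current is None:
            raise ValueError("line %d: %r is outside a record; separate changes "
                             "with '-' rather than a blank line" % (lineno, raw))
        elif name == "changetype":
            current["changetype"] = value
        elif name in ("add", "replace", "delete"):
            continue  # operation keyword; the lines that follow hold the values
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        records.append(current)
    return records


def check_user_record(record):
    """Return the problems with a user record; an empty list means it is ready."""
    problems = []
    attrs = record["attrs"]
    if record["changetype"] != "modify":
        problems.append("changetype must be modify")
    if "apple-user" not in attrs.get("objectClass", []):
        problems.append("missing objectClass apple-user")
    if attrs.get("authAuthority") != [";basic;"]:
        problems.append("authAuthority should be exactly ';basic;'")
    homes = attrs.get("apple-user-homeDirectory", [])
    if len(homes) != 1 or not homes[0].startswith(HOME_PREFIX + "/"):
        problems.append("apple-user-homeDirectory missing or outside %s" % HOME_PREFIX)
    return problems


if __name__ == "__main__":
    ldif = "".join(user_modify_ldif(u) for u in ("alice", "bob")) + group_modify_ldif("users")
    for rec in parse_modify_ldif(ldif):
        if "ou=people" in rec["dn"]:
            print(rec["dn"], "->", check_user_record(rec) or "ok")
    print(ldif)
```

Running it prints the generated LDIF, which can be fed to ldapmodify as usual; the parser deliberately handles only the plain "name: value" subset used here (no base64 "::" values or line folding).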

Next, I created an organizationalUnit for the macosx objects, and a sub unit for mount information.


With this setup I can add my mounts for OS X into the mount container. This is similar to the home automounts. Since I’m going to be using my Linux shares for my OS X home directories, I need them to be compatible with OS X as well. The OS X skeleton accounts are in /System/Library/User Template/. One nice thing here is that I can have unified shell rc files for both. Also, both use the "Desktop" directory to hold the desktop items, so anything there will show up on the desktop in both Darwin and Linux. The Mac skeleton account has a lot more directories in it, though.

One change I did make with respect to some of the linked how-tos above was to not use the apple-user-homeDirectory attribute. I left it there pointing at /Network/Servers/filer/volume1/accounts/user, but I’m not mapping it to anything in Directory Utility. I just pointed NFSHomeDirectory at the homeDirectory attribute. It seems to work fine, and I already have the directories mounting with autofs. In this case ~/ points at /home/user, as it would on a normal Unix box.

This all seems to work for the Macs. For my Mac laptop I wanted to use portable home directories, as outlined above, at least for my own personal user account. You can create a mobile account (for using PHDs) at the command line with /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount. There doesn’t seem to be a lot of documentation on it, but a number of pages come up with a Google search. The easiest thing to do is to run it without any arguments, and it will list all of the switches it takes. Note: it needs to be run as root. I ran mine like:

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -u user -X -s -v

This mapped my local home directory to /Users/user from /home/user. The command creates some plists and files:

  • /var/db/dslocal/nodes/Default/users/user.plist – This appears to be the local entry for the user in the machine’s directory service
  • ~/.account – This appears to be a locally cached copy of the user data from the LDAP directory
  • ~/Library/Preferences/com.apple.homeSync.plist – These are the preferences for the home sync