February 8, 2016

Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories

Implementation Environment

While this document’s steps are specific to the following products, since all of them are standards-based, only product-specific knowledge would be needed to adopt this methodology to other environments (for e.g. OpenLDAP, Novell etc)

  • Directory Server: Sun ONE Directory Server 5.2
  • Home Directories: Hosted on a central Network Appliance file server, accessible via NFS

Preparing the Directory Server

Preparing the Directory Server for Apple’s use involves two steps: Extending the Schema and Populating the server with objects. Extending the schema, though it is quite simple a Sun ONE Directory Server or an OpenLDAP server, should only be performed by administrators who understand the DS operations very well and know how to back out the schema if necessary.

Extending the Directory Server Schema

In order for a Mac Server or Workstation to use an LDAP server for authentication and authorization services, it needs to find users, groups, computers, access policies and such data in ldap servers. Apple’s OD uses standard objectclasses such as posixAccount, shadowAccount, posixGroup etc to store and find user, group and computer information. In addition, it uses apple’s native (custom) attributes to store apple-specific information (e.g AFP homedir location, user’s icon, apple’s generated UID etc). The table below provides a list of the objects that Apple uses and the objectclasses they comprise of. For a full list of mappings including the objectclasses and attributes, please consult the Mac OS X Server Open Directory Administration Guide

Apple LDAP Mappings
LDAP Object Class Name Schema
inetOrgPerson RFC 2798
posixAccount RFC 2307
shadowAccount RFC 2307
apple-user Apple Extended Schema
posixGroup RFC 2307
apple-group Apple Extended Schema
People inetOrgPerson RFC 2798
Mounts mount Apple Extended Schema
Computer apple-computer Apple Extended Schema
Computer Lists apple-computer-list Apple Extended Schema
Config apple-configuration Apple Extended Schema
Preset Computer Lists apple-preset-computer-list Apple Extended Schema
Preset Groups apple-preset-group Apple Extended Schema
Preset Users apple-preset-user Apple Extended Schema
apple-printer Apple Extended Schema
printerIPP IETF-Draft-IPP-LDAP
AutoServerSetup apple-serverassistant-config Apple Extended Schema
Locations apple-locations Apple Extended Schema

There are couple of ways to get this native apple data into our LDAP server.

  • Using Unused Attributes

    One approach is to employ the unused attributes that are found in LDAP configuration to host this information. However, if the original vendor who is assigned those attributes decides to start using these attributes, then you will risk breaking the implementation and future upgrades can turn messy. Not Recommended

  • Import Apple Specific Schema

    Extending the LDAP Schema to include apple schema will allow us to store all of the Macintosh data in ldap servers in their own objectclasses and attributes. Schema extensions are a lot easier to perform and maintain in Sun ONE LDAP Servers and OpenLDAP servers than Active Directory. Recommended

    In order to realize the full functionality of Work Group Manager, it is best if you extend the LDAP Server with apple schema, which is what we have decided to do.

Note Of Caution: Apple’s schema is a work-in-progress. Apple declares that it may extend the schema to support the future version of Mac OS X and Mac OS X Server. The latest version of the schema can be found in the file


of any Mac OS X Server running the latest version of the OS.

The schema file, as it is, however, needs some formatting before it can be imported into Sun ONE Directory Server. The schema files for Directory Server are stored in


directory. These schema files are read once at start up time by the DS and are stored in

cn=schema entry

during runtime. The schema files are prefixed by a number and are read in alphanumerical order, since the order in which these schema files are read is critical.

The file


contains additional ACIs for the DS that may have been added using the console or via the command line. Also note that in a replicated environment, any changes made on the replicas’


file will be overwritten the next time the schema is replicated from the Master server. Schema modifications must always be made on the master server and they should be stored in separate files. For more information on Extending Sun ONE Directory Server Schema, please consult the Sun ONE Administration Guide.

We will store our apple schema in a file called


on the master server. This will ensure that this file will get read before the


. Also note that on the replica servers, you will NOT find a


after performing a schema replication. Instead, all of the new schema should be found merged in


on the replicas.

Pages: 1 2 3 4 5


  1. Rajeev,

    Ben is not alone; 10.6 does indeed do nothing when you click “write to server”. I have run tcpdump on the client, and it does not even try to make a network connection. So sadly, I don’t think this works for 10.6, so I’ve had to resort to passing around the .plist configuration to the clients, which kinda stinks. For reference, I use SSL with my configuration and the ACL’s are correct, because if I manually update the mappings on the clients, everything works just fine.

  2. I’ve got most of this working but I can’t get a user’s groups to come across. Only the primary group is associated with the user on login. Any ideas?

  3. I can’t for the life of me get Workgroup Manager working with my CentOS openldap server. It just can’t or won’t connect. Logs don’t seem to give any clues. Is there something specific in the ldap setup that identifies an OD master as OD instead of LDAP? Is this the problem? I can’t authenticate at all yet so sticking to Apache Directory Studio.


  1. […] article I had written about integrating Mac OS X with LDAP attracted a bit of attention. While I had […]

  2. […] posted a comment on my Mac OS X article about integrating Linux into a Mac OS X Open Directory Environment. I figured […]

  3. […] about integrating Apple into your exsiting Unix/NFS environment, please read the article Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories. Rant:  Even with Leopard, there is no support for Microsoft DFS. […]

  4. […] First off, Leopard’s autofs DOES work with LDAP.  Second, we are also looking at a little bit of hardcoded application from Apple, ergo not very flexible. Third, the integration of Mac OS X into LDAP is not covered in this particular post, as it was quite heavily covered in this comprehensive article titled “Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories“. […]

  5. […] article will add to Rajeev Karamchedu’s excellent post, “Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories”, only with Leopard Server instead of Tiger. My goals are a bit different from […]

  6. […] because I’m writing as I go, and I don’t know how it will turn out. However, given that others have had success at employing this method to get NFS automounting home directories working from Solaris LDAP, there […]

  7. […] start the Directory Utility application. It is in Applications -> Utilities. I basically followed Rajeev Karamchedu’s instructions, under the “Mapping Remaining Attributes and ObjectClasses” […]

  8. homedir says:

    […] for integrating Mac OS X with Unix LDAP and NFS environment. A must-read for all Unix administratorshttp://rajeev.name/2006/09/09/integrating-mac-os-x-into-unix-ldap-environment-with-nfs-home-dir…suexec homedir – HowtoForge Forums HowtoForge – Linux Howtos and …suexec homedir […]

  9. […] Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories Mac OS X and Mac OS X Server have been designed to fit into existing enterprise directory services. Apple’s extensible Open Directory architecture integrates with standards-based LDAP directory services, including Sun JAVA Enterprise Directory Server and IBM Directory Server, as well as with proprietary ones such as Microsoft’s Active Directory. […] […]

  10. […] I’ve gotten my LDAP directory up and running. It’s serving out the directory information, and I’ve been able to login on my Linux machine. Now, I want to get logins and home directories available on my OS X machines. This is some really good information out there on getting this working. Most of what is here is cobbled together from these sources among others: Mac OS X Server Open Directory Adminstration for Snow Leopard BackupCentral’s LDAPand Austofs for Ubuntu and Snow Leopard Rajeev Karamchedu’s excellent writeup for integrating OS X and LDAP […]

Speak Your Mind