August 23, 2014

Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories

Adjusting the Apple Schema
Some Notes about Apple Schema and Sun ONE Directory Server:

  • The apple.schema needs to be converted to ldif format before it can be imported. A formatted apple.schema can be downloaded here. Note that this file includes both the native apple schema and also the samba scheme that is used by apple objects. Sun ONE Directory Server does not include samba schema so I have included it here.

  • The standard unix nfs clients use the ldap attribute


    to mount the NFS home directory from the server. In almost all the cases, the value for this attribute is


    . This is also the attribute that apple by default uses, to mount its home directory. However, in order to implement Apple’s Portable Home Directories fully, apple expects a different value for this attribute (i.e.


    ). Fortunately, the apple schema also includes an alternative attribute called


    to be used in such cases. This attribute comes commented out and needs to be uncommented before importing.

Populating with Data

Once the schema has been successfully extended, it is now time to create the various containers and objects that Mac OS X expects to find in the directory server. Since the LDAP Servers are already in service to authenticate Unix users and provide NFS home directory locations, the LDAP tree may look like the following:


  • dc=example,dc=com
    • ou=People – BaseDN location for Unix User Accounts, Address Book entries
    • ou=Group – Base DN location for Unix, Netscape and Other Groups
    • ou=Hosts – Base DN location for Computers
    • ou=Protocols
    • ou=Services

For populating the Macintosh Objects and Entries, we have decided to organize the our tree in the following fashion. Proper organization of objects in a directory tree can save the IT Staff a lot of headaches in future as more and more services are integrated into the LDAP environment. An optimal directory tree structure is also site-specific. You do not want to send your IT Staff running around changing the LDAP configurations on all machines because the directory tree structure has changed. This will not only add delay and implementation costs on the IT side, but will also result in downtime to your users – who may not be very happy as a result.


  • dc=example,dc=com
    • ou=PeopleThese entries will be extended to become apple-user objects
    • ou=GroupThese entries will be extended to become apple-group objects
    • ou=HostsBase DN location for Computers
    • ou=Protocols
    • ou=Services
    • ou=macosx – New OU created to hold all other Mac Objects for easier management
      • ou=accesscontrols
      • ou=autoserversetup
      • ou=certificateauthorities
      • ou=computer_lists
      • ou=computers
      • ou=config
      • ou=filemakerservers
      • ou=locations
      • ou=machines
      • ou=mount
      • ou=neighborhoods
      • ou=preset_computer_lists
      • ou=preset_groups
      • ou=preset_users

How did we know that these containers are needed by Apple ?

On an OS X Server, we started the Open Directory Server and created one admin user. We then dumped the directory tree contents to a file to see what containers Apple is looking for. This approach guarantees that Apple Work Group Manager will work with our LDAP server without any problems.

In our existing LDAP directory, a standard unix user account object looks something like this:

% ldapsearch -h ldapmaster  -b "ou=people,dc=example,dc=com" -L uid=testuser
dn: uid=testuser,ou=People,dc=example,dc=com
homeDirectory: /home/testuser
sn: User
givenName: testuser
cn: TEST
loginShell: /bin/tcsh
gidNumber: 400
uid: testuser
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uidNumber: 8000
gecos: Test User Account

The following attributes and objectclasses need to be added to this user object in order to make it into an apple-user object.

objectclass: apple-user
attribute: authAuthority
attribute: apple-user-homeDirectory

  • authAuthority: authAuthority attribute contains information about how the user’s password needs to be verified. Since the authentication requests are not going to an Open Directory server, the value of authAuthority should be set to



  • apple-user-homeDirectory: This is the location of your NFS home directory in this format
    • /Network/Servers/path/to/nfs/home/directory

    For e.g. if your NFS server path to your home directory is nfsserver:/vol/home/testuser. On all unix/linux clients, it is (usually) mounted at /home/testuser. On a Mac, however, for portable home directories to work, the apple-user-homeDirectory should be set to :

    apple-user-homeDirectory: /Network/Servers/nfsserver/vol/home/testuser

Modify the user object to include these attributes

% ldapmodify -h ldapmaster -D FakeDirAdminUserName -w FakeDirAdminPassword
dn: uid=testuser, ou=people,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: apple-user
add: authAuthority
authAuthority: ;basic;
add: apple-user-homeDirectory
apple-user-homeDirectory: /Network/Servers/nfsserver/vol/home/testuser
modifying entry "uid=testuser,ou=people,dc=example,dc=com"

Pages: 1 2 3 4 5


  1. Rajeev,

    Ben is not alone; 10.6 does indeed do nothing when you click “write to server”. I have run tcpdump on the client, and it does not even try to make a network connection. So sadly, I don’t think this works for 10.6, so I’ve had to resort to passing around the .plist configuration to the clients, which kinda stinks. For reference, I use SSL with my configuration and the ACL’s are correct, because if I manually update the mappings on the clients, everything works just fine.

  2. I’ve got most of this working but I can’t get a user’s groups to come across. Only the primary group is associated with the user on login. Any ideas?

  3. I can’t for the life of me get Workgroup Manager working with my CentOS openldap server. It just can’t or won’t connect. Logs don’t seem to give any clues. Is there something specific in the ldap setup that identifies an OD master as OD instead of LDAP? Is this the problem? I can’t authenticate at all yet so sticking to Apache Directory Studio.


  1. [...] article I had written about integrating Mac OS X with LDAP attracted a bit of attention. While I had [...]

  2. [...] posted a comment on my Mac OS X article about integrating Linux into a Mac OS X Open Directory Environment. I figured [...]

  3. [...] about integrating Apple into your exsiting Unix/NFS environment, please read the article Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories. Rant:  Even with Leopard, there is no support for Microsoft DFS. [...]

  4. [...] First off, Leopard’s autofs DOES work with LDAP.  Second, we are also looking at a little bit of hardcoded application from Apple, ergo not very flexible. Third, the integration of Mac OS X into LDAP is not covered in this particular post, as it was quite heavily covered in this comprehensive article titled “Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories“. [...]

  5. [...] article will add to Rajeev Karamchedu’s excellent post, “Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories”, only with Leopard Server instead of Tiger. My goals are a bit different from [...]

  6. [...] because I’m writing as I go, and I don’t know how it will turn out. However, given that others have had success at employing this method to get NFS automounting home directories working from Solaris LDAP, there [...]

  7. [...] start the Directory Utility application. It is in Applications -> Utilities. I basically followed Rajeev Karamchedu’s instructions, under the “Mapping Remaining Attributes and ObjectClasses” [...]

  8. homedir says:

    [...] for integrating Mac OS X with Unix LDAP and NFS environment. A must-read for all Unix administrators…suexec homedir – HowtoForge Forums HowtoForge – Linux Howtos and …suexec homedir [...]

  9. [...] Integrating Mac OS X into Unix LDAP Environment with NFS Home Directories Mac OS X and Mac OS X Server have been designed to fit into existing enterprise directory services. Apple’s extensible Open Directory architecture integrates with standards-based LDAP directory services, including Sun JAVA Enterprise Directory Server and IBM Directory Server, as well as with proprietary ones such as Microsoft’s Active Directory. [...] [...]

  10. [...] I’ve gotten my LDAP directory up and running. It’s serving out the directory information, and I’ve been able to login on my Linux machine. Now, I want to get logins and home directories available on my OS X machines. This is some really good information out there on getting this working. Most of what is here is cobbled together from these sources among others: Mac OS X Server Open Directory Adminstration for Snow Leopard BackupCentral’s LDAPand Austofs for Ubuntu and Snow Leopard Rajeev Karamchedu’s excellent writeup for integrating OS X and LDAP [...]

  11. […] Guide to integrating Mac OS X with LDAP and Unix Home Directories · Rajeev Karamchedu […]

Speak Your Mind