Portable Home Directories with OpenLDAP


When reading this one must remember that I have never had access to, or even seen, a copy of OS X Server. I work on a shoestring budget and can barely get a lab of OS X client machines.

If I had a copy of OS X server, I would not be doing this in the first place

That said, all of the pages I found on the Internet made assumptions about the configuration of the client, the server, the existing LDAP database, the user's access to an OS X server, or other factors that meant that no one who was not working in the author's environment could reproduce the results shown since devil was hiding in all those pesky little details which remained unstated in the article.

The result was that I read scores of articles and took a little away from each one, while throwing away even more since it was either incorrect, missing crucial information or relied on unstated assumptions that, of-course, were not true in my case.

The setting: Openldap on Centos 5.2 and OS X 10.5

Install openldap http://www.linuxmail.info/openldap-setup-howto/

Important steps:

Edit the file /etc/openldap/slapd.conf

suffix "dc=acme,dc=local"

rootdn "cn=manager,dc=acme,dc=local"

rootpw password

Copy the file /etc/openldap/DB_CONFIG.example and put it into /var/lib/ldap as DB_CONFIG.

[fix the acme and local of-course]

dn: dc=acme,dc=local

dc: acme

objectClass: domain

ldapadd -x -D "cn=manager,dc=acme,dc=local" -w password -f ~/base.ldif

Sample ldif file to get started (but wait for below):

dn: ou=People,dc=acme,dc=local

ou: People

objectClass: organizationalUnit

Basic commands:

ldapadd -x -D "cn=Manager,dc=lltl,dc=local" -w password -f ~/user2.ldif

ldapmodify -x -D "cn=Manager,dc=lltl,dc=local" -w password -f ~/user2.ldif

ldapdelete -h localhost -x -W -D "cn=Manager,dc=lltl,dc=local" -c "uid=ashand,ou=People,dc=lltl,dc=local"

ldappasswd -h localhost -x -w password -D "cn=Manager,dc=lltl,dc=local" -S "uid=ashand,ou=People,dc=lltl,dc=local"

ldapsearch -v -x -H ldaps://centos -b "dc=lltl,dc=local"

Don't forget to put some reasonable acl's in slapd.conf:

access to attrs=userPassword

by self write

by * auth

access to * by * read

access to dn.base="dc=lltl,dc=local" by * read

From http://www.spack.org/wiki/AppleOsxIntegrationWithOpenLdap

Get apple.schema


and put it in your schema directory (/etc/openldap/schema)

Install samba or get the samba.schema from the samba project and put that in the schema directory

From http://www.emmes-world.de/mac-afp-homes.html

Insert these lines into your slapd.conf:

include /etc/ldap/schema/samba.schema

include /etc/ldap/schema/apple.schema

include /etc/ldap/schema/netinfo.schema

schemacheck on

change the schema files slightly:


  1. BulletUncomment the definitions for authAuthority, apple-user-homeDirectory and apple-acl-entry.

  2. BulletMove the definition of authAuthority above its first usage, as an attribute has to be defined before it is used.

  3. BulletExtend the object class apple-user with the attribute apple-user-homeDirectory (insert $ apple-user-homeDirectory somewhere in the object class definitions MAY clause)


  1. BulletUncomment the attributes acctFlags, pwdLastSet, logonTime, logoffTime, kickoffTime, homeDrive, scriptPath, profilePath, userWorkstations, smbHome, gid and primaryGroupID, as they are used in the apple-user definition.

Top level object ldif file.

dn: dc=lltl,dc=local

objectClass: dcObject

objectClass: organization

#do I need the next line?

objectClass: domain

dc: lltl

dn: ou=People,dc=lltl,dc=local

ou: People

objectClass: top

objectClass: organizationalUnit

objectClass: domainRelatedObject

associatedDomain: spack.org

dn: ou=Group,dc=lltl,dc=local

ou: Group

objectClass: top

objectClass: organizationalUnit

objectClass: domainRelatedObject

associatedDomain: sack.org

dn: ou=mounts,dc=lltl,dc=local

ou: mounts

objectClass: top

objectClass: organizationalUnit

objectClass: domainRelatedObject

associatedDomain: lltl.local


#Sample Group

dn: cn=ashand,dc=lltl,dc=local

objectClass: posixGroup

objectClass: top

cn: ashand

userPassword: {crypt}x

gidNumber: 1015


#Sample Mount

dn: cn=centos:/data,ou=mounts,dc=lltl,dc=local

objectClass: mount

cn: centos:/data

#The following option goes with 'net' below and is required to fully use PHDs

mountDirectory: /Network/Servers/

#Make sure the nfs server exports with "allow insecure"

#and do not use the option below

#The mount is done in the name of an ordinary user and

#can't use a reserved port!

#mountOption: resvport

mountOption: rw

mountOption: nfsv3

mountOption: tcp

#The following option is required to fully use PHDs

mountOption: net

mountOption: url==nfs://centos/data

mountType: url


#sample user

dn: uid=ashand,ou=People,dc=lltl,dc=local

uidNumber: 3646

#emailAddress: billg@hotmail.com

gidNumber: 1015

objectClass: top

#objectClass: person

#objectClass: organizationalPerson

#objectClass: account

objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: apple-user

objectClass: shadowAccount

#objectClass: inetLocalMailRecipient

#objectClass: kerberosSecurityObject

homeDirectory: /home/ashand

#homeDirectory: <home_dir><url>nfs://centos/data</url><path>ashand</path></home_


cn: Adam Shand

displayName: Adam Shand

sn: Shand

givenName: Adam

uid: ashand

gecos: Adam Shand

loginShell: /bin/bash

userPassword: {crypt}e2NZHp2Si4=

mail: joe@hotmail.com

labeledURI: http://msn.com/

telephoneNumber: 800-111-2222

postalAddress: 123 45 Nowhere Ave, Edmonton, AB, T1X 1T1

#apple-user-homeurl: <home_dir><url>nfs://centos/data/</url><path>ashand</path><


apple-user-homeDirectory: /Network/Servers/centos/data/ashand

authAuthority: ;basic;

One can use portable home directories with the nfs mount at any point but if one does not use the –net- option and associated mount path, attempts to change the sync settings by the end user will crash the preferences pane. In some cases this may be a good thing. Note also that the mcx entries are not required but are an example of how to put them into the ldap entry for a user.

To add mcx data to a user (group???) use the following entries:

apple-mcxflags: <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-/

/Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><pli

st version="1.0"><dict><key>has_mcx_settings</key><true/></dict></plist>

apple-mcxsettings: <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC

"-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0"><dict><key>mcx_application_data</key><dict><key>com.apple.f










Add the ldap server to the client via Directory Utility, Select Unix mappings.

Then edit the entry and choose to edit mappings.

  1. BulletUsers

  2. BulletMapping: inetOrgPerson, posixAccount, shadowAccount and apple-user

  3. BulletSearch Base: ou=People,dc=example,dc=com

  4. BulletScope: First level Only

  5. BulletRecordName

  6. BulletMapping: uid,cn

  7. BulletRealName

  8. BulletMapping: displayName,cn

  9. BulletNFSHomeDirectory

  10. BulletMapping: apple-user-homeDirectory

  11. BulletHomeDirectory

  12. BulletMapping: apple-user-homeurl

  1. BulletGroups

  2. BulletMapping: posixGroup, apple-group

  3. BulletSearch Base: Ou=Group,dc=lltl,dc=local

To map mcx entries map mcx-flags to apple-mcxflags and mcx-settings to apple-mcxsetting for the Users and Groups.

To apply this to more machines you can save the template. (It won't show up in the pull down menu until directory utility is restarted since it only scans for templates from the one directory and only once on startup) Then you can copy the temple to the template directory: /Users/eric/Library/Application Support/Directory Access/LDAPv3/Templates for the user who will set up the other machines.

To make an LDAP account into a mobile account. There is a setting to do this automatically via the ldap server but I do not know what it is and I do not have OS X server to use as a guide. Fortunately it is not that hard to do it manually.

For any account you want to be mobile run this command on the client before you try to log into the LDAP account for the first time:

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n <ldap user name> -p <ldap user password> -X -s -v

Once could also try this:

sudo defaults write /Library/Preferences/com.apple.loginwindow mobileAccountActions '{ <ldap user username> = { archiveDeletedHome = 0; createAtLogin = 1; deleteAtLogout = 0; deleteHomeWithAccount = 0; }; }'

from http://managingosx.wordpress.com/2006/03/15/portable-home-directories-without-open-directory/

but it still does not push the directive out from the ldap server so it does not help all that much.

The account will be turned into a mobile account the next time the user logs in.


Create a certificate for the server:

sudo openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650

Add the following to slapd.conf

TLSCACertificateFile /etc/openldap/ssl/server.pem

TLSCertificateFile /etc/openldap/ssl/server.pem

TLSCertificateKeyFile /etc/openldap/ssl/server.pem

TLSVerifyClient never

Using vi /etc/openldap/ldap.conf

On the client lower (some is better than none) the security by changing to:


In directory utility check the ssl box.

Reboot the client.

To create mcx setting, the only way I know how is to install the free OS X server admin tools on a regular OS X machine. Use a dummy account or group created for this purpose, log on to the localhost with the workgroup manager program and set the permissions you want on the dummy account or user.

Then use dscl to read the mcx-settings p-list created for that user or group.

Edit out the white space and put it in an ldif file to add or modify.

Not the most elegant, but it works fine.