Sunday, May 29, 2011

Mac and OpenLDAP: Local homes for network users

I wanted a Mac to authenticate users against our Debian OpenLDAP server, but to create a local home directory on the Mac (see here for more details). The usual configuration for network users on the Mac is to mount their homes from the server over NFS. There are many excellent instructions on the net on how to do that. But finding help on how to have them use a local home instead was much more difficult.

It turns out it can be done very simply, by disabling one line in /etc/auto_master on the Mac. By default, it contains +auto_master, which tells the Mac's automounter to look for an automount map in LDAP. If this line is disabled, the Mac will create a local home for network users the first time they log in. Since our userHomes in LDAP are defined as /home/username, the Mac home is created under /home instead of /Users, which is fine.

So for such a setup, you do NOT need to import an Apple schema into your LDAP directory. (That was quite a hassle because you need to tweak the original schema which is not quite kosher; but it was unnecessary).

All you need to do is comment out this single line in /etc/auto_master so that it reads:

#+auto_master  # Use directory service

Or copy/paste this:

sudo perl -i.orig -pe 's/^(\+auto_master.*)/## $1/' /etc/auto_master
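As an added example (not part of the original post), here is the same edit as a small POSIX shell script with a check function, so you can confirm before and after whether the automounter will still consult the directory service for its maps; it runs against a file path you pass in rather than /etc/auto_master directly. The sample auto_master content below is constructed from a default macOS file, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent version of the
# auto_master edit, plus a check so the state can be verified. FILE is a
# parameter so it can be tried on a copy before touching /etc/auto_master.

# Return 0 if FILE still has an active "+auto_master" line, i.e. the
# automounter will look for automount maps in the directory service (LDAP).
ldap_automount_enabled() {
    grep -q '^+auto_master' "$1"
}

# Comment out the "+auto_master" line in FILE, keeping a FILE.orig backup the
# first time, so network users get a local home instead of an NFS automount.
# Does nothing if the line is already disabled.
disable_ldap_automount() {
    file="$1"
    ldap_automount_enabled "$file" || return 0
    [ -e "$file.orig" ] || cp "$file" "$file.orig"
    # Write via a temp file rather than "sed -i", whose syntax differs
    # between macOS (BSD) sed and GNU sed.
    sed 's/^\(+auto_master.*\)/## \1/' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demo on a constructed copy of a default macOS auto_master (sample content,
# not read from the running system).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
#
# Automounter master map
#
+auto_master		# Use directory service
/net			-hosts		-nobrowse,hidefromfinder,nosuid
/home			auto_home	-nobrowse,hidefromfinder
/Network/Servers	-fstab
/-			-static
EOF

if ldap_automount_enabled "$demo_file"; then
    echo "before: LDAP automount map lookup is active"
fi
disable_ldap_automount "$demo_file"
if ldap_automount_enabled "$demo_file"; then
    echo "after: still active"
else
    echo "after: disabled (backup in $demo_file.orig)"
fi
cat "$demo_file"
rm -f "$demo_file" "$demo_file.orig"
```

Run `disable_ldap_automount /etc/auto_master` with sudo on the real file once you are happy with the result on a copy; a second run is a no-op, and `ldap_automount_enabled /etc/auto_master` tells you which state a given Mac is in.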


3 Comments:

Anonymous rm said...

I have been fighting Snow Leopard for a week trying to let network authenticated users log in and get a local account. I tried your solution with no success. Is there anything else related to your setup that might make this work? The LDAP server I authenticate against does store NFS directory info - only user credentials.

15 June, 2011 04:52  
Anonymous rm said...

I should have previewed! I meant to say that our ldap server does NOT share NFS directory information.

15 June, 2011 04:53  
Blogger Milivoj said...

Do you have a /home directory on your Mac? I can't remember if it was there, if it was created by the Mac or if I created it manually.

My local dirs for net users are under /home on the Mac, probably because LDAP has that in its homeDirectory attribute.

Here is the full list of the attributes defined for my users:

dn: uid=[...],ou=People,[...]
uid: [...]
cn: [...]
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
loginShell: /bin/bash
uidNumber: 1014
homeDirectory: /home/[USERNAME]
gecos: [...]
structuralObjectClass: account
entryUUID: [...]
creatorsName:
createTimestamp: [...]
sambaSID: [...]
displayName: [...]
sambaLogonTime: 0
sambaLogoffTime: [...]
sambaKickoffTime: [...]
sambaPwdCanChange: [...]
sambaPwdMustChange: [...]
sambaPasswordHistory: [...]
sambaLogonHours: [...]
sambaAcctFlags: [U ]
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
gidNumber: 513
sambaNTPassword: [...]
sambaPwdLastSet: [...]
userPassword:: [...]
entryCSN: [...]
modifiersName: [...]
modifyTimestamp: [...]

21 June, 2011 16:03  
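As an added example (not from the post or from either commenter), the following shell function reads one LDIF entry like the one listed above and reports which of the attributes a posixAccount must carry (uid, cn, uidNumber, gidNumber, homeDirectory, plus the posixAccount object class itself) are missing, and whether homeDirectory is an absolute path. That is one concrete way to check "is there anything else in the setup" for a given user on the directory side. The sample entry, its values and the function name are constructed; only the attribute names come from the entry above and the posixAccount schema.

```shell
#!/bin/sh
# Added example (not from the original post or comments): check that an LDAP
# user entry exported as LDIF has the posixAccount attributes the Mac needs
# to resolve the user and choose a home directory path. Reads one entry on
# stdin, prints the missing pieces one per line, returns 0 if complete.
ldif_posix_check() {
    awk '
        # Match "attr: value" and "attr:: base64value" lines. Continuation
        # lines (leading space) are ignored; that is enough for this check.
        /^[A-Za-z][A-Za-z0-9-]*::? / {
            name = $1; sub(/::?$/, "", name)
            value = $0; sub(/^[^:]*::? */, "", value)
            seen[name] = value
            if (name == "objectClass") oc[value] = 1
        }
        END {
            bad = 0
            if (!("posixAccount" in oc)) { print "objectClass: posixAccount"; bad = 1 }
            # MUST attributes of posixAccount (RFC 2307)
            n = split("uid cn uidNumber gidNumber homeDirectory", req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen)) { print req[i]; bad = 1 }
            if (("homeDirectory" in seen) && seen["homeDirectory"] !~ /^\//) {
                print "homeDirectory (not an absolute path)"; bad = 1
            }
            exit bad
        }'
}

# Demo on a constructed entry modelled on the one above (values made up;
# the base64 userPassword is just the word "placeholder").
demo_entry='dn: uid=jdoe,ou=People,dc=example,dc=org
uid: jdoe
cn: Jane Doe
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 1014
gidNumber: 513
homeDirectory: /home/jdoe
userPassword:: cGxhY2Vob2xkZXI='

if printf '%s\n' "$demo_entry" | ldif_posix_check; then
    echo "entry is a complete posixAccount"
else
    echo "entry is missing the attributes listed above"
fi
```

Usage against a live directory would be something like `ldapsearch -x -LLL -b ou=People,dc=example,dc=org uid=jdoe | ldif_posix_check` (base and filter are placeholders for your own); a non-zero exit with a list of names tells you what the entry lacks before you go looking at the Mac side.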
