Using LDAP & Autofs to centralize logins & home directories w/Snow Leopard & Ubuntu 9.10

Avid readers of the Mr. Backup blog may be wondering what this has to do with backup, so let me get that out of the way right now.  I have three Macs (including one MacBook) at home and everyone in my family logs into each one of them.  I’d like the Macs to just be images and not have any files that I need to back up on them.  I want all those files in a central place — mainly my Ubuntu 9.10 Linux server.  I also want to be able to centrally maintain user files, passwords, etc. without having to re-enter them when I re-image a box.  So that’s what this has to do with backup.

In addition, I spent way too much effort trying to do this, and the docs that are out there are collectively a mess.  They’re either outdated, not outdated but wrong, assume you know something that you don’t, or just non-existent.  What should have taken me an evening took about a week of hand wringing, head banging, and coffee slamming. So I’m hoping that this set of web pages will keep some poor soul from having to do the same.

Many thanks to all those web pages out there (referenced in this procedure where appropriate), and to my new Twitter buddies @tcom, @ericsiebert, @ibps & @ewantoo for their help in figuring this all out.  I couldn’t have done it without you.

For those of you that are new to my blog let me say this right now:  I am not an LDAP, automounter/autofs, MacOS, or Linux expert.  In fact, I’m very new to Macs and I didn’t know SQUAT about LDAP or automounter prior to starting this project.  But this works to your advantage: I’m going to fill in all the blanks, because I’m not going to assume that you know all this stuff either.

Instead of doing this all in one web page, I’m going to put each major set of steps in its own web page and link to it.  Otherwise this page will get way too big.  I hope you find it useful.

Important note:  Ubuntu really updated its LDAP & automounter setup sometime recently, so a lot of the web pages you find (including some on Ubuntu’s web site) will be flat out wrong.  If you start seeing references to a slapd.conf file, then you’re looking at docs that won’t help you at all.  For example, the most common step you’ll find out there is to copy the apple.schema file to /etc/ldap/schema, then add “include /etc/ldap/schema/apple.schema” to your slapd.conf file.  (It’s OK if you don’t know what these files are yet, I’m just trying to illustrate my point.) Guess what?  slapd.conf is gone!  If a web page starts talking about the slapd.d directory, or importing schemas by using .ldif files and the ldapadd command, then you’re onto something.

I also thought I could do this without LDAP and without automounter, but trust me when I say that this is it.  If you want centralized home directories and logins, this is the only way you’re going to do it without buying a Mac OS server.  So let’s get on with it.

First let’s explain the pieces/parts that go into this whole process, and the terminology that I’ll be using:

  • SMB/CIFS
    • This is short for the Server Message Block or Common Internet File System, which are two names for the same thing.  This is the protocol that Windows servers use to share files with other Windows servers.  Apple computers can mount SMB/CIFS shares, but it is not their native file sharing protocol.
  • AFP
    • Once upon a time, the Apple Filing Protocol was the only way you could share files between Macs.  Macs didn’t do SMB/CIFS and Windows computers didn’t do AFP and that was that.  It is still the “native” file sharing protocol in Mac OS, but Macs also speak NFS natively. AFP is also much more proprietary and requires a bit of maneuvering to support it on a Linux server.
  • NFS
    • The Network File System.  This has been the Unix way of sharing filesystems with other computers.  I chose to use NFS for my setup for a few reasons.  The biggest reason is that while Apple also supports SMB/CIFS and AFP, they seem to be migrating to NFS.  It’s also the native file sharing protocol for Linux, which is what I’m using as my server.  My experience has been that it outperforms SMB and AFP.
  • Server
    • The computer sharing its files with another computer or storing the usernames and passwords for the centralized login process.
  • Client
    • The computer mounting the server’s files and authenticating its users against the server.
  • LDAP
    • Borrowed from Wikipedia: The Lightweight Directory Access Protocol, or LDAP (pronounced /ˈɛl dæp/), is an application protocol for querying and modifying data using directory services running over TCP/IP.  A directory is a set of objects with attributes organized in a logical and hierarchical manner.

    • We will use LDAP to store a directory of users and the filesystems they store their data in. The LDAP server will be the Ubuntu server.  When someone attempts to log into a Mac, the Mac will query the LDAP directory to see if their username and password matches those stored in the LDAP directory. If it matches, the LDAP service then communicates back to the Mac that it’s OK to login. It also tells the client what the home directory of the user is.
  • slapd
    • Slapd is just the name for the process/service (called a daemon in Linux) that does the job of responding to LDAP requests — just like nfsd responds to NFS requests.  I don’t know why it’s not called ldapd.  I wasn’t in the meetings. 😉
  • Home directory
    • Where all of the user’s files and configuration settings are stored.  When you’re on a Mac, and you login, you’ll see in the Finder that you have directories called Documents, Music, Pictures, etc.  These directories are all stored in your home directory.  In addition, when you make a Bookmark in Safari or Firefox, it stores the fact that you did that in a file somewhere in your home directory. By default in Mac OS, this directory is /Users/. Using LDAP we’re going to change that location to something like /home/, where /home/ is really a directory found on an NFS share on the Ubuntu server. That way, you’ll have the same files, Bookmarks, etc, no matter what computer you log into in your network.
  • Automounter
    • The automounter automatically mounts (and unmounts) filesystems — hence the name. The Ubuntu NFS server will be using NFS to share something like /blahblah/home1 (in my case server:/biglun/smbhome).  Underneath server:/biglun/smbhome is the directory curtis, which is my home directory.  When I log into the Mac, LDAP will tell the Mac that my home directory is /home/curtis.  We need something to tell the Mac that server:/biglun/smbhome/curtis should be mounted as /home/curtis, and to mount it for us.  That will be the job of the automounter.  Then if I’m logged out, /home/curtis will eventually unmount (based on a timeout value).
  • Ubuntu
    • Ubuntu is yet another Linux distribution based on Debian.  I switched from RedHat to Ubuntu a few years ago for a lot of reasons.  One is that it’s still free and easy to get free.  The other is that its focus is on making administration easy for the average person.  They do much more than RedHat at making packages to do the things you need to do.  Need to configure automounter?  Just load the autofs package.  Nice.  It also seems very popular with other people out there, which always helps when you’re trying to do something.
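
As an added illustration of what the LDAP, home directory and automounter pieces above actually store (this is my own example, not code from the original post), here is a shell script that writes the LDIF for one user plus the matching automounter map entry, which is what the later "create a test user" step feeds to ldapadd. The suffix dc=example,dc=com, the ou=People container, the map name auto_home and the uid/gid numbers are assumptions; the NFS export server:/biglun/smbhome is the one named above.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the LDIF that ldapadd
# would load: a posixAccount for the user (what the Mac asks LDAP for at
# login) and an automount entry (what the Mac's automounter asks for when
# /home/NAME is first touched). BASE_DN, ou=People and auto_home are
# constructed assumptions; adjust them to your own directory.

BASE_DN="dc=example,dc=com"          # assumption: your suffix will differ
NFS_EXPORT="server:/biglun/smbhome"  # export from the post; one directory per user below it

# posixAccount entry. homeDirectory is the path the Mac will try to use,
# which the automounter then has to satisfy.
user_ldif() {
    name=$1; uidnum=$2; gidnum=$3
    cat <<EOF
dn: uid=${name},ou=People,${BASE_DN}
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: ${name}
cn: ${name}
sn: ${name}
uidNumber: ${uidnum}
gidNumber: ${gidnum}
homeDirectory: /home/${name}
loginShell: /bin/bash

EOF
}

# Indirect map entry: key NAME under /home mounts NFS_EXPORT/NAME over NFS.
automount_ldif() {
    name=$1
    cat <<EOF
dn: automountKey=${name},automountMapName=auto_home,${BASE_DN}
objectClass: automount
automountKey: ${name}
automountInformation: -fstype=nfs ${NFS_EXPORT}/${name}

EOF
}

# The map container itself; add this once, before any user entries.
map_ldif() {
    cat <<EOF
dn: automountMapName=auto_home,${BASE_DN}
objectClass: automountMap
automountMapName: auto_home

EOF
}

# Usage on the Ubuntu server, as root:
#   sh mkuser.sh --map > auto_home.ldif            (once)
#   sh mkuser.sh testuser1 1001 1001 > testuser1.ldif
#   ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f testuser1.ldif
case "$1" in
    --map) map_ldif ;;
    "")    ;;   # no arguments: nothing to emit
    *)     [ "$#" -eq 3 ] || { echo "usage: $0 --map | NAME UIDNUMBER GIDNUMBER" >&2; exit 1; }
           user_ldif "$1" "$2" "$3"
           automount_ldif "$1" ;;
esac
```

The map name auto_home is assumed because the Mac's default /etc/auto_master already attaches a map of that name to /home; the attribute names automountMapName, automountKey and automountInformation come from the autofs LDAP schema that the "add automounter schemas" step imports, and uidNumber/gidNumber/homeDirectory from the standard posixAccount class.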

If there’s something else that’s unclear, just let me know and I’ll update this page.

Important Note: Unless stated otherwise, all the commands in this procedure should be run as root.  To become root from a typical admin user, just type sudo su and enter your password.  You can also just stay the regular user and put the word sudo in front of every command.  I’m used to a root prompt and that drives me crazy, so I just su to root.

The steps as I see them in this process are as follows:

  1. Remove any vestiges of LDAP & automounter that you have around
  2. Install and configure slapd & related utilities
  3. Import apple & samba schemas into LDAP
  4. Configure Mac OS to authenticate to LDAP & test it
  5. Setup NFS server and test basic (non-LDAP) automounter setup
  6. Add automounter schemas into LDAP
  7. Create a test user

Gee, it sounds so simple.  😉

Once you’ve done all that, you should be able to login as testuser1 and have it automatically mount the appropriate directory as /home/testuser1.  Once you’ve done that, you should open a Terminal window on the Mac client and run the df -k command. You should see that /home/testuser1 is actually an nfs-mounted directory.

The only thing left then is to import your real users and their home directories.  What I did is use the same procedure that I used for making a test user.  Then I logged into the Mac that user predominantly uses and copied the entire contents of their old home directory (/Users/) to their new home directory.  One thing to be careful of here is to make sure that the automount uid is the same as the one they were using on the local Mac.
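
The two checks described in the last two paragraphs, the df -k look at /home/testuser1 and the uid comparison before you copy a real user's old /Users home onto the share, as an added example script of my own (not code from the original post). The df, ldapsearch and dscl output it parses is constructed sample data embedded in the script so it runs offline; on a real Mac you would capture the same three outputs with the commands named in the comments. The user curtis with local uid 501 and directory uid 1002 is a constructed case showing the mismatch the post warns about.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies, for a user, that
# /home/NAME is an NFS automount and that the uidNumber in LDAP equals the
# uid the account had on the local Mac. All command output below is
# constructed; capture the real thing with:
#   df -k                                   (mount table)
#   ldapsearch -x -LLL "(uid=NAME)" uidNumber   (directory uid)
#   dscl . -read /Users/NAME UniqueID       (old local uid)

# constructed df -k output from a Mac client with the automount working
DF_OUTPUT='Filesystem                          1024-blocks      Used  Available Capacity  Mounted on
/dev/disk0s2                              244277768 102398604  141623164    42%    /
devfs                                           114       114          0   100%    /dev
map auto_home                                     0         0          0   100%    /home
server:/biglun/smbhome/testuser1          488254080  62914560  425339520    13%    /home/testuser1
server:/biglun/smbhome/curtis             488254080  62914560  425339520    13%    /home/curtis'

# constructed ldapsearch -LLL output for the two users
LDAP_OUTPUT='dn: uid=testuser1,ou=People,dc=example,dc=com
uidNumber: 1001

dn: uid=curtis,ou=People,dc=example,dc=com
uidNumber: 1002'

# stand-in for: dscl . -read /Users/$1 UniqueID (constructed values)
local_uid() {
    case $1 in
        testuser1) out='UniqueID: 1001' ;;
        curtis)    out='UniqueID: 501' ;;   # typical first local Mac account
        *)         return 1 ;;              # no such local account
    esac
    printf '%s\n' "$out" | awk '{print $2}'
}

# Filesystem column df shows for mount point $1, or empty if nothing is mounted there.
mount_source() {
    printf '%s\n' "$DF_OUTPUT" | awk -v mp="$1" '$NF == mp {print $1}'
}

# 0 if $1 is backed by an NFS server (host:/path form), 1 otherwise.
# "map auto_home" on /home itself is the autofs placeholder, not a real mount.
is_nfs_mounted() {
    case $(mount_source "$1") in
        *:/*) return 0 ;;
        *)    return 1 ;;
    esac
}

# uidNumber that LDAP holds for user $1.
ldap_uid() {
    printf '%s\n' "$LDAP_OUTPUT" | awk -v u="$1" '
        $1 == "dn:" { want = ($2 ~ ("^uid=" u ",")) }
        want && $1 == "uidNumber:" { print $2; exit }'
}

# Both checks for one user: 0 when the home is NFS-mounted and the
# directory uid matches the old local uid, 1 (with the reason) otherwise.
check_user() {
    name=$1
    if ! is_nfs_mounted "/home/$name"; then
        echo "$name: /home/$name is not an NFS mount (df shows '$(mount_source "/home/$name")')"
        return 1
    fi
    l=$(ldap_uid "$name")
    m=$(local_uid "$name") || m=""
    if [ -z "$m" ]; then
        echo "$name: no local account to compare against; ok (nfs-mounted, uid $l)"
        return 0
    fi
    if [ "$l" != "$m" ]; then
        echo "$name: uid mismatch, LDAP says $l but the Mac used $m; files copied from /Users/$name would be owned by the wrong uid"
        return 1
    fi
    echo "$name: ok (nfs-mounted, uid $l)"
}

# Usage: sh checkhome.sh testuser1 curtis
for u in "$@"; do check_user "$u"; done
```

With the constructed data, testuser1 passes and curtis fails with the uid mismatch message, which is the case to catch before copying a home directory: fix it by giving the LDAP entry the old local uid (or chown'ing the copied files on the server) rather than by copying first.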

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at Sullivan Strickler, which helps companies manage their legacy data

3 comments
  • Hello… and Thank-you for your informative article!!

    Have you noticed that when using automount for user home folders, the timeout before failing to mount is 120 seconds? (Try it!.. on the afp server set up a firewall shielding requests from a potential afp client… then ssh into that client).

    Do you know of any way to reduce that to 10 seconds?

    I’ve looked in autofs.conf, and /Library/Preferences/com.apple.AppleFileserver.plist with no success 🙁

    Any ideas?

  • Curtis – thanks a ton for this article. I was trying to figure out how to take advantage of my Ubuntu server to authenticate my family on the various machines we have (four macs, three OSX 10.7, one OSX 10.8). There were a few minor changes I had to make to your instructions to get it to work with Ubuntu 12.04, but after reading a bit on OpenLDAP and with this as a guide, it was pretty easy. One thing for OSX 10.7 and 10.8 – I had to add the steps found here

    http://blog.smalleycreative.com/administration/fixing-openldap-authentication-on-os-x-lion/

    to get the Mac client to authenticate. Also, I think I used Chown instead of Chmod for the one step.

    Hats off to you!

  • Great article. I am familiar with openLDAP and have integrated LDAP auth for Linux and Windows workstations and a few OS X workstations.

    Still, I found the blog a good read. Thanks for your time and effort to put the content in a logical manner.

    However, the links for each of the 7 steps result in 404 – Component not found.

    To read the contents of each step, you have to click on the “” link; sort of counter intuitive.

    Please fix the links, so that they can be read in the order it is listed under “Steps”; to make the reading easier.

    Thanks