When I first came in at my current workplace, in 2007, there was no directory service for all the Macs I had to manage. There was an Active Directory, but no Mac OS X machines were bound to it.
When we replaced the production server with a shiny Intel Xserve, I set up an Open Directory, and it saved me an appreciable amount of time when the company began to grow.
After a few years, while I was happy with the choice I had made, I realized that…
- Support is not so present, unless you pay ludicrous amounts of money.
- Fault tolerance is just not there.
- Software upgrades and hardware upgrades basically ask you to bring the whole directory service down. You HAVE to upgrade every machine that is serving the Open Directory. That means that you have to upgrade your Open Directory master and every replica at about the same time…
- Migrations of your server from one OS version to the next are not without problems.
- Various LDAP attributes are not there, which causes problems with third-party hardware and software…
- You can’t virtualize the thing easily.
- Xserves are not a viable option anymore, and they were poor virtualization servers…
I began to look elsewhere.
I gave a long look to Active Directory, but I realized that besides costing a fortune, being able to do what I want with it would mean modifying the schema, which is kinda iffy. Its virtualization requirements are not nice either.
The deluge of people having problems after a migration of Windows Server or of a version of Mac OS X was worrying as well.
I spoke with one nice integrator I knew. He told me about Novell eDirectory. This was two years ago. I successfully built one myself as a pet project and configured it to authenticate our VPN users. I toyed with it even more afterwards. The product is referenced in the Apple training book “Mac OS X Directory Services v10.6”.
I run it on SuSE Linux Enterprise 11, but I think you can run it on RedHat, CentOS or Oracle Linux.
It’s an amazing product. Stable, efficient, standards compliant, full featured. Licensing is also very cheap.
I tried to modify my existing eDirectory to use it as a Mac OS LDAP server, but it turned out to be kinda time consuming, and there are various gotchas… There are lots of attributes to add, as well as object types. I would have been able to do it over the course of several months, but I didn’t want to make mistakes.
My integrator has the knowledge to make it work, and he did. We built 2 new virtual servers from scratch. He’s apparently managing several big businesses with a Novell setup for this kind of use.
My Apple-specific requirements were as follows:
- Being able to deal with nested user groups. It works!
- Being able to set and modify MCX attributes with Workgroup Manager. It works!
- Being able to have replicas. Working!
My machines are able to get their management and authentication information from the directory.
Some things are less intuitive to set up, such as computer groups and users, because they can’t be created directly in Workgroup Manager anymore. They have to be created in Novell iManager, Novell’s web management interface for eDirectory. It’s not as easy as clicking in Workgroup Manager anymore, but it’s not as hard as I make it sound.
Replicas are actually bound to the machine by adding another LDAP server to the client machines.
Since you end up with a “standards compliant” LDAP server, you can connect various other devices to it painlessly. For example, I successfully configured a FreeRADIUS server for our WiFi authentication.
For the time being and in the future, this is the Yellow Brick Road to directory services on Macs. My guess is also that this will become less and less of an issue to support if Apple decides to drop Open Directory altogether and use “Profile Manager” for MCX properties.
If you want further information or would like the name of my contact who developed this wonderful piece of software, feel free to reach me! He’s able to have it deployed to your requirements remotely.
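The schema work mentioned above (the Apple attributes and object types that have to be added before Workgroup Manager and MCX will function) is the part most likely to be incomplete on a hand-extended directory, so a practitioner wants a quick way to verify it. The following check is an added example, not code from the original post or from the integrator: it parses an LDIF dump of the server’s subschema entry and reports which Apple object classes and attributes are absent. The names it looks for are taken from Apple’s published LDAP schema (an assumption, not something the post lists); the sample subschema is constructed, and its OIDs are placeholders.

```python
"""Verify that an LDAP subschema exposes the Apple object classes and
attributes that Workgroup Manager / MCX depend on.

Added example, not part of the original post.  Obtain a real dump with,
for instance:
    ldapsearch -x -H ldap://dir.example.com -s base -b '' subschemaSubentry
    ldapsearch -x -H ldap://dir.example.com -s base -b '<that DN>' \
        '(objectClass=subschema)' objectClasses attributeTypes
"""
import re

# Assumed from Apple's published LDAP schema (apple.schema); a subset only.
REQUIRED_OBJECT_CLASSES = {
    "apple-user", "apple-group", "apple-computer", "apple-computer-list",
}
REQUIRED_ATTRIBUTES = {
    "apple-mcxsettings", "apple-mcxflags", "apple-generateduid", "apple-user-homeurl",
}

# NAME is either one quoted string or a parenthesised list of quoted aliases.
NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    return lines


def names_in_definition(definition):
    """Return every NAME declared in one objectClasses/attributeTypes value."""
    m = NAME_RE.search(definition)
    if not m:
        return set()
    if m.group(1):
        return {m.group(1)}
    return set(re.findall(r"'([^']+)'", m.group(2)))


def parse_subschema(ldif_text):
    """Collect lower-cased object class and attribute type names from LDIF."""
    classes, attrs = set(), set()
    for line in unfold_ldif(ldif_text):
        key, _, value = line.partition(":")
        if value.startswith(":"):
            continue  # base64-encoded value ("::"); schema dumps are normally plain
        key = key.strip().lower()
        if key == "objectclasses":
            classes |= {n.lower() for n in names_in_definition(value)}
        elif key == "attributetypes":
            attrs |= {n.lower() for n in names_in_definition(value)}
    return classes, attrs


def missing_apple_schema(ldif_text):
    """Return (missing object classes, missing attributes), each sorted."""
    classes, attrs = parse_subschema(ldif_text)
    return (sorted(REQUIRED_OBJECT_CLASSES - classes),
            sorted(REQUIRED_ATTRIBUTES - attrs))


# Constructed sample: a partially extended directory.  OIDs are placeholders.
SAMPLE_SUBSCHEMA = """\
# constructed sample subschema dump
dn: cn=schema
objectClasses: ( 0.9.9.1 NAME 'apple-user' SUP top AUXILIARY
  MAY ( apple-user-homeurl $ apple-mcxflags $ apple-mcxsettings ) )
objectClasses: ( 0.9.9.2 NAME 'apple-group' SUP top AUXILIARY )
objectClasses: ( 0.9.9.3 NAME 'apple-computer' SUP top AUXILIARY )
attributeTypes: ( 0.9.8.1 NAME 'apple-mcxsettings' )
attributeTypes: ( 0.9.8.2 NAME 'apple-mcxflags' )
attributeTypes: ( 0.9.8.3 NAME 'apple-user-homeurl' )
"""

if __name__ == "__main__":
    missing_classes, missing_attrs = missing_apple_schema(SAMPLE_SUBSCHEMA)
    print("missing object classes:", missing_classes)
    print("missing attributes:    ", missing_attrs)
```

Running it against the constructed sample reports `apple-computer-list` and `apple-generateduid` as missing, which is exactly the sort of gap that surfaces later as a computer group that cannot be created or a user that Workgroup Manager refuses to manage. Feed it a real dump from the eDirectory server and an empty result is the sign the schema extension is complete for these names.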