Proper Apple Open Directory Alternative…. Finally

When I first started at my current workplace, in 2007, there was no directory service for the Macs I had to manage. There was an Active Directory, but no Mac OS X machines were bound to it.

When we replaced the production server with a shiny Intel Xserve, I set up an Open Directory, and it saved me an appreciable amount of time when the company began to grow.

After a few years, while I was happy with the choice I had made, I realized that….

  1. Support is scarce, unless you pay ludicrous amounts of money.
  2. Fault tolerance is just not there.
  3. Software upgrades and hardware upgrades basically ask you to bring the whole directory service down. You HAVE to upgrade every machine that is serving the Open Directory. That means you have to upgrade your Open Directory master and every replica at about the same time…
  4. Migrations of your server from one OS version to the next are not without problems.
  5. Various LDAP attributes are not there, which causes problems with third-party hardware and software…..
  6. You can’t virtualize the thing easily.
  7. Xserves are not a viable option anymore, and they were poor virtualization servers…

I began to look elsewhere.

I took a long look at Active Directory, but I realized that besides costing a fortune, doing what I wanted with it would mean modifying the schema, which is kinda iffy. Its virtualization requirements are not nice either.

The deluge of people having problems after migrating Windows Server or Mac OS X Server to a new version was also worrying.

So.

I spoke with a nice integrator I knew. He told me about Novell eDirectory. This was two years ago. I successfully built one myself as a pet project and configured it to authenticate our VPN users. I toyed with it even more afterwards. The product is referenced in the Apple training book “Mac OS X Directory Services v10.6”.

I run it on SUSE Linux Enterprise 11, but I think you can also run it on Red Hat, CentOS or Oracle Linux.

It’s an amazing product. Stable, efficient, standards compliant, full featured. Licensing is also very cheap.

I tried to modify my existing eDirectory to use it as a Mac OS X LDAP server, but it turned out to be kinda time consuming and there are various gotchas… There are lots of attributes to add, as well as object types. I would have been able to do it over the course of several months, but I didn’t want to make mistakes.

My integrator has the knowledge to make it work and he did. We built 2 new virtual servers from scratch. He’s apparently managing several big businesses with a Novell setup for this kind of use.

Now.

My Apple-specific requirements were as follows:

  1. Being able to deal with nested user groups – It works!
  2. Being able to set and modify MCX attributes with Workgroup Manager – It works!
  3. Being able to have replicas – It works!

My machines are able to get their management and authentication information from the directory.

Some things are less intuitive, such as creating computer groups and users, because they can’t be created directly in Workgroup Manager anymore. They have to be created in Novell iManager, Novell’s web management interface for eDirectory. It’s not as easy as clicking in Workgroup Manager anymore, but it’s not as hard as I make it sound.
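Two of the points above are easy to check mechanically before binding a single Mac: whether every user record actually carries the POSIX attributes a Mac client needs (the “missing attributes” problem mentioned earlier), and whether nested group membership resolves the way you expect. The script below is an added example, not code from this post or from Novell; the sample LDIF, the DNs and the attribute names (RFC 2307 `posixAccount`/`posixGroup` with `memberUid`, and a `member` DN attribute for nesting) are constructed assumptions for illustration, and a real export from eDirectory or Open Directory will use whatever mapping you configured on the client.

```python
"""Check an LDIF export for the attributes a Mac OS X client needs, and
resolve nested group membership without looping on a cycle.

Added example (not from the blog post or from eDirectory). The sample
export, DNs and attribute names below are constructed assumptions."""
from collections import defaultdict

# Constructed sample export: two complete users, one user missing its
# POSIX attributes, and two groups that nest each other (a cycle).
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,o=corp
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 2000
homeDirectory: /Users/alice

dn: cn=bob,ou=users,o=corp
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 2000
homeDirectory: /Users/bob

dn: cn=carol,ou=users,o=corp
objectClass: inetOrgPerson
uid: carol

dn: cn=staff,ou=groups,o=corp
objectClass: posixGroup
gidNumber: 2000
memberUid: alice
member: cn=admins,ou=groups,o=corp

dn: cn=admins,ou=groups,o=corp
objectClass: posixGroup
gidNumber: 2001
memberUid: bob
member: cn=staff,ou=groups,o=corp
"""

# Attributes the RFC 2307 mapping on the Mac LDAPv3 plugin relies on to
# build a login session (assumed mapping; adjust to your own).
REQUIRED_USER_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a minimal LDIF.
    Base64 values (attr::) and folded continuation lines are not handled."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends the record
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
            continue
        if current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        current[attr].append(value)
    return entries


def missing_user_attrs(entries):
    """Map each user DN (objectClass inetOrgPerson) to the required attributes it lacks."""
    report = {}
    for dn, attrs in entries.items():
        if "inetOrgPerson" not in attrs.get("objectClass", []):
            continue
        missing = [a for a in REQUIRED_USER_ATTRS if not attrs.get(a)]
        if missing:
            report[dn] = missing
    return report


def resolve_members(entries, group_dn):
    """Return the set of uids in group_dn, following nested 'member' DNs.
    A group is visited once, so a cycle (staff -> admins -> staff) terminates."""
    uids, seen, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        attrs = entries.get(dn, {})
        uids.update(attrs.get("memberUid", []))
        stack.extend(attrs.get("member", []))
    return uids


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("users missing attributes:", missing_user_attrs(directory))
    print("staff members:", sorted(resolve_members(directory, "cn=staff,ou=groups,o=corp")))
```

Run it against a real `ldapsearch -LLL` export (after adding base64 and line-folding support if your data needs it) and the first report tells you which accounts will fail to log in on a Mac before anyone tries; the second shows exactly who ends up in a group once nesting is expanded, which is worth knowing before that group is used to grant MCX settings or file-server permissions.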

Replicas are actually used by simply adding another LDAP server to the client machines’ directory configuration.

Since you end up with a “standards compliant” LDAP server, you can connect various other devices to it painlessly. For example, I successfully configured a FreeRADIUS server against it for our Wi-Fi authentication.

For the time being and in the future, this is the Yellow Brick Road to directory services on Macs. My guess is also that this will become less and less of an issue to support if Apple decides to drop Open Directory altogether and use Profile Manager for MCX properties.

If you want further information or would like the name of my contact who developed this wonderful piece of software, feel free to reach me! He’s able to have it deployed to your requirements remotely.

14 Responses to “Proper Apple Open Directory Alternative…. Finally”

  1. Gonçalo says:

    Hello. TY for your gold time!

    I am (like) a sys admin for a corporate network and we have an Open Directory with several Xserves (10.6.x). I am facing the dark side of not being able to upgrade these servers to something more recent, and I’m considering replacing them in the near future with Mac minis. I am afraid of performance capabilities and integration with old LDAP directory accounts. We have several services running like Email, AFP, VPN, Calendar and so on.

    Do you consider this Novell eDirectory for upgrade?

    TY

  2. Moofo says:

    As far as I can tell, for Mac OS X on the client side, there is NO difference between the Open Directory and a regular LDAP server. Now, on the server side, I guess things become a lot more hairy, as those services require other entries in the LDAP server…

    I know AFP and SMB are working, for the rest, I guess you would have to test.

    To be frank, I’ve been served better by other products to provide Mail/Calendaring/Contacts than the “Collaboration package” in Mac OS X.

    For the VPN, many cheap hardware appliances provide this service in a much more reliable way. Worst case, a VM or PC hardware can make a proper pfSense appliance.

    You’ll get out of your comfort zone, but you’ll gain some comfort as redundancy and fault tolerance will take care of eventual problems.

    If I were still on 10.6 I would definitely upgrade to eDirectory instead of cascading my directory to 10.6, 10.7 (Lots of changes happened there), 10.8 and 10.9. My OpenDirectory is broken. I can’t upgrade it past 10.7.5 nor add any replicas. That’s why I wanted to switch to something else.

    My 4 Xserves are still on 10.6 even though 3 of them would support 10.9. They bastardized the admin too much, and the change of SMB server is making me nervous…

    I’m planning to migrate my file servers to something else. As soon as I can.

  3. John Lockwood says:

    I totally agree with Jean-Sébastien’s comments about Open Directory suitability and while from a technical point of view Active Directory can be considered superior it is too complicated and too expensive.

    However, rather than Novell eDirectory, why not Linux OpenLDAP? Since Open Directory is based on OpenLDAP one would expect there to be fewer issues using it, and I know from personal experience you can virtualise Linux and OpenLDAP and have a real fault-tolerant setup. I did not have the opportunity to fully test the use of computer groups but MCX worked fine, as did Workgroup Manager. In any case the current best practice is not to use computer groups and MCX anymore and instead to use an MDM solution.

  4. Moofo says:

    First of all, eDirectory is not LDAP. It’s X.500. You can set parts of the tree as LDAP entry points. That may allow you to segment your company as you please without using several different directory servers.

    Second, the password system in eDirectory is vastly superior to what’s in OpenLDAP. It doesn’t matter much for the mac, but it does for some other services you may plug into it.

    Third, I would not have been able to sell this to my management without proper commercial support. To be frank, the price is really cheap.

    Fourth, very large corporations are using eDirectory, and they have been for a long time.

    Fifth, I haven’t been able to find a proper web GUI for OpenLDAP. Call me picky. iManager is really old, but the plugin interface brings some nice functions to just several mouse clicks.

    So, choosing to build the same thing with OpenLDAP is a matter of choice.

  5. I have used Novell SBS and later the full suite for my company, as we started off with PCs.
    After moving to Macs I tried to use it a while, but the file handling with network drives and authentication was hard to set up.
    I was however very pleased with security, mail, calendar, contacts, VPN, and the robustness of the entire system.
    And it’s very manageable, from a small company to a very large one.
    The additional services it offers as part of the small business package are good – for example an enterprise Dropbox solution on your own server with superior security and manageability. The Macs connect to the server through a third-party product included in the package – Kanaka. And it’s a dream to set up and manage. ZENworks gives you control over the company’s hardware, from iPads and phones to PCs and Macs.
    I still have a license for it as it’s so cheap and it gets me a very good system, although I use a Mac mini server as file server nowadays as my company is only me.
    The only drawback is a poorly made Mac client for the mail/calendar/contacts system GroupWise compared to what they offer the PC world, but webmail is very good.
    I still consider GroupWise to be the best email system in the world and would use it if I still needed my own mail server.

    Hope this helps someone’s decision-making. At least try it!

    Dominicus

  6. Gonçalo says:

    Let me understand… The mail, VPN, cal, and remaining services run at eDirectory? Or can I keep the actual servers and bind them to “eDirectory like Master”?

  7. Moofo says:

    @Gonçalo
    You can keep your existing Xserves and bind them to the eDirectory.

    I was just telling you that I’m using it on Mac OS X server currently solely for permissions for file service (Mac and Windows). I haven’t tested the compatibility with other services, but my guess is that it would work.

    My mail/calendar/contact is done with Zimbra
    My VPN is done by an appliance.

  8. Moofo says:

    @Dominicus Björkstam

    My service provider’s recipe doesn’t need to use Kanaka. It’s much more compatible and alleviates the need to use this 3rd-party software.

    I wanted to disrupt the Apple ecosystem as little as possible. I’m currently setting MCX attributes through workgroup manager, but I will test through Profile Manager soon.

    I agree GroupWise is very advanced, but for smaller shops, I think it is overkill.

  9. Gonçalo says:

    So,

    Scenario:
    Actual Servers will bind to eDirectory
    New servers (they will be mavericks server) bind also to eDirectory
    What should I do with my actual Directory Master? And the Replicas?

  10. Moofo says:

    You will need a different Mapping file to bind 10.6 and 10.9.

    You will need to turn off slapd and the password server in your existing servers. I would destroy the Open Directory.

  11. @ Moofo

    Yes, I know you only use the directory part from Novell, but the Small Business Suite gives a 5-20 people office much value for the money. It’s overkill with regard to the services if you only have 3 people, but it’s a perfect setup for 5-20 people or more.
    Haven’t used it in about 2 years now as I’m only working single now, BUT it would definitely be my first choice in a medium-sized office. And Kanaka comes with the suite, so it’s not any additional cost.

    Have a happy Easter,

    DB

  12. Moofo says:

    @Dominicus Björkstam

    To be frank, I didn’t know about the Small Business Suite! It seems nice. But I don’t want to go this road with 200+ Macs here!

    Happy easter.

  13. I like reading an article that can make people think.

    Also, many thanks for allowing for me to comment!

  14. Values like recognizability, user trust and model image are also mirrored within the SERPs to a sure extent.
