Published on MacDevCenter

Discover the Power of Open Directory (Part 3)

by Noah Gift

If you have been following this three-part series on Open Directory, you will have seen in the last article that it is relatively easy to use NFS to host common home directories for Linux and OS X clients. It is also quite simple to use existing NFS file servers of any type for home directories for Open Directory.

Open Directory is possibly the most agile and flexible directory server on the planet. In this final article, we are going to cover two items. First, we will take a look at MCX, or Managed Client for OS X, and see how the OS X-specific schema attributes let us set up Mobility, which caches a user's network home directory on a laptop and keeps it synchronized with the server, and manage Dock settings. Finally, we will travel into the Wacky World of Windows and make Windows use Open Directory for authentication and home directories.

Using MCX for Mobility and Account Configuration

Recall that in the last article our OS X client has an NFS home directory. While it is incredibly cool that OS X and Linux share the same directory, it would be even cooler if your OS X laptop could cache the network home directory locally and synchronize changes when you get back to your home network.

With Mobility it is a snap. Wouldn't it also be great if you could control the look of all new accounts before they are even created? MCX does this as well.

Setting Up Mobility

In Workgroup Manager, highlight our "oduser" from Parts 1 and 2, go to the Preferences section, and select Mobility. Under Rules, set Manage to Always and make sure that ~/ is set for both Login & Logout Sync and Background Sync. These options are fairly intuitive and I will leave it to your best judgment to decide how to configure options like background synchronization. Refer to Figures 1 and 2 to get an idea of what this should look like.

Figure 1. MCX preferences

Figure 2. Enable synchronization

Finally, refer to Figure 3 to make sure that your account has the option Synchronize account for offline use enabled.

Figure 3. Create offline synchronization

Now let's go to our client and test things out. Log out of your oduser account if you're logged in and then log back in. You will immediately be prompted with a dialog asking if you would like to create a mobile account. Approve this request and you now have Mobility. If you see something like Figure 4, Mobility has been set up.

Figure 4. Mobility enabled

Next, let's create a file on your Desktop by taking a screen capture of your desktop (the image is saved to the Desktop). Then select Sync Home Now as shown in Figure 5.

Figure 5. Sync home now

This action synchronizes everything in your home directory with your network home. If you now shell into your Linux box as oduser, you will notice the picture is on your Desktop there too! This just scratches the surface, but will hopefully give you some ideas of how to use Mobility.

Figure 6. The synced picture
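Once the Mobility settings are saved, they live on the user record as MCX data, and it is worth being able to check what policy a record actually carries rather than trusting the GUI. The following is an added example, not code from the original article: it parses a constructed MCXSettings plist in the MCX layout (mcx_application_data, per-domain Forced entries, mcx_preference_settings) and reports whether mobile-account creation is forced and whether ~ is in the sync set. The preference domains and key names inside the sample are assumptions that mirror the Mobility and home-sync settings, not values read from a real server, so adapt them to what your own record shows.

```python
import plistlib

# Constructed sample of the MCXSettings attribute Workgroup Manager stores on
# the oduser record once the Mobility settings are saved. The outer layout
# (mcx_application_data -> preference domain -> Forced ->
# mcx_preference_settings) is the MCX layout; the individual key names inside
# are assumptions mirroring the Mobility and home-sync settings, not values
# read from a real Open Directory server.
SAMPLE_MCX_SETTINGS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>mcx_application_data</key>
  <dict>
    <key>com.apple.MCX</key>
    <dict>
      <key>Forced</key>
      <array>
        <dict>
          <key>mcx_preference_settings</key>
          <dict>
            <key>com.apple.cachedaccounts.CreateAtLogin</key>
            <string>always</string>
            <key>com.apple.cachedaccounts.WarnOnCreate</key>
            <true/>
          </dict>
        </dict>
      </array>
    </dict>
    <key>com.apple.homeSync</key>
    <dict>
      <key>Forced</key>
      <array>
        <dict>
          <key>mcx_preference_settings</key>
          <dict>
            <key>syncedFolders</key>
            <array>
              <dict><key>path</key><string>~</string></dict>
            </array>
            <key>syncPeriodSeconds</key>
            <integer>1200</integer>
          </dict>
        </dict>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def forced_settings(mcx, domain):
    """Merge every Forced mcx_preference_settings dict for one preference domain.

    MCX can carry several Forced entries per domain; later entries win here.
    Entries under other management modes (Once / Set-Once) are deliberately
    ignored: the user can change those afterwards, so they prove nothing
    about what is actually enforced.
    """
    merged = {}
    domain_data = mcx.get("mcx_application_data", {}).get(domain, {})
    for entry in domain_data.get("Forced", []):
        merged.update(entry.get("mcx_preference_settings", {}))
    return merged


def audit_mobility(plist_bytes):
    """Return the effective Mobility policy plus a list of findings."""
    mcx = plistlib.loads(plist_bytes)
    account = forced_settings(mcx, "com.apple.MCX")
    home_sync = forced_settings(mcx, "com.apple.homeSync")
    synced = [f.get("path") for f in home_sync.get("syncedFolders", [])]

    findings = []
    create = account.get("com.apple.cachedaccounts.CreateAtLogin")
    if create != "always":
        findings.append("mobile account creation is not forced (CreateAtLogin=%r)" % (create,))
    if "~" not in synced:
        findings.append("home directory (~) is not in the login/logout sync set")
    return {"create_at_login": create, "synced_folders": synced, "findings": findings}


if __name__ == "__main__":
    # On a bound client the live record could be read with
    # `dscl -plist /LDAPv3/<server> -read /Users/oduser MCXSettings`;
    # here we audit the constructed sample instead.
    report = audit_mobility(SAMPLE_MCX_SETTINGS)
    print("CreateAtLogin:", report["create_at_login"])
    print("Synced folders:", ", ".join(report["synced_folders"]))
    print("Findings:", report["findings"] or "none")
```

Only Forced entries count in this check: a setting the user can change after login tells you nothing about what is enforced, which is the distinction that matters when you are auditing a policy rather than setting one.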

Adding New Items to the Dock

I also wanted to briefly touch on the fact that you can manage many aspects of a user account with Managed Preferences. In Figure 7 you can see that I added Terminal to the Dock for oduser. There are many more things you can manage, which should give you some idea of the power of Open Directory.

Figure 7. Managed preferences

Authenticating Windows and Setting Up Roaming Profiles

The big fireworks show of this article is getting Windows to work with Open Directory. I will be joining a Windows Server 2003 machine to the Open Directory domain as a member, authenticating it against Open Directory, and setting up a roaming profile served from the Open Directory server.

Setting Up Windows Services on Open Directory and Joining the OS X PDC

First, let's set up a PDC, or Primary Domain Controller. In Server Admin, select the Windows service, go to the Settings tab, and set the role to Primary Domain Controller as shown in Figure 8.

Figure 8. Set up a PDC

Now, under the Advanced tab, configure the WINS options to match Figure 9.

Figure 9. Configure WINS

Next, let's join a Windows Server 2003 machine to Open Directory. I set up a virtual machine using the VMware Fusion beta, as shown in Figure 10. I also manually edited the lmhosts file on Windows to hardcode the address of our pretendco server, just as we edited the hosts file on OS X in Part 1 (see Figure 11).

Figure 10. Windows 2003 Virtual Machine

Figure 11. The lmhosts file

Open a command prompt and ping your Open Directory server to make sure you can reach it before you try to join the domain. Once that works, join your machine to the domain as shown in Figure 12.

Figure 12. Join pretendco

If all went as planned, you should now see a dialog (as shown in Figure 13) welcoming you to the pretendco domain. Next, restart the machine and log in as oduser to test that it works.

Figure 13. Pretendco login

If things worked correctly you will see something like what is shown in Figure 14. This logs us in to the pretendco domain with the oduser LDAP credentials we created earlier, but the profile itself is stored locally on the Windows machine. For quite a few situations this will work just fine, but if you want roaming profiles, don't worry, because OS X Server can do that too!

Figure 14. Welcome pretendco

Sharing Out Windows and Using Roaming Profiles

The easiest way to set up roaming profiles with Open Directory is to share out a volume over SMB. I happen to have another volume on my OS X Server called data, which I shared out as shown in Figures 15 and 16.

Figure 15. Windows share

Figure 16. Windows share config

Next, go to Workgroup Manager and configure the Windows settings for oduser as shown in Figure 17. Notice that you need to create two directories on the data share: profiles\oduser, which holds the roaming profile, and oduser, which is the user's Windows home directory.

Figure 17. oduser Windows settings

Make sure that you also give both of these directories the proper permissions as shown in Figure 18. Basically, both profiles\oduser and oduser need to be owned by user oduser and group staff, and nobody else needs access to them, since the profile contains the user's registry hive and everything else Windows keeps per user. When you log in to your Windows account you will be using a roaming profile: Windows copies the profile down from the server at logon and writes changes back at logoff.

Figure 18. The oduser permissions
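Figure 18 shows the ownership being set in the GUI; on the server the same thing is two directories under the share root with owner oduser, group staff, and no group or other access. The script below is an added example, not the article's own, that creates those directories and then audits them, so it can also be run later to catch a profile directory that has drifted to a permissive mode. The share root /Volumes/data and the user and group names are assumptions taken from the article's setup; the parent profiles directory is left traversable (0755) because every user needs to reach their own subdirectory through it.

```python
import grp
import os
import pwd
import stat

# Windows writes the profile to profiles\oduser on the share; on the OS X
# Server side that is the POSIX path profiles/oduser under the share root.
# The second entry is the user's Windows home directory.
PROFILE_DIRS = ("profiles/{user}", "{user}")


def setup_roaming_dirs(share_root, user, uid, gid):
    """Create the roaming-profile and home directories for one user.

    Both directories end up owned by uid:gid with mode 0700: the profile holds
    NTUSER.DAT and everything the user stores in it, so no other user of the
    share should be able to read it. Parent directories (profiles/) are created
    with the default mode so other users can still traverse to their own
    subdirectory. Returns the per-user paths created.
    """
    created = []
    for template in PROFILE_DIRS:
        path = os.path.join(share_root, template.format(user=user))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if not os.path.isdir(path):
            os.mkdir(path, 0o700)
        os.chown(path, uid, gid)   # needs root unless uid/gid are already our own
        os.chmod(path, 0o700)      # mkdir's mode is subject to umask; force it
        created.append(path)
    return created


def audit_roaming_dirs(share_root, user, uid, gid):
    """Return a list of problems with one user's profile and home directories."""
    problems = []
    for template in PROFILE_DIRS:
        path = os.path.join(share_root, template.format(user=user))
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            problems.append("%s: missing" % path)
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append("%s: not a directory (symlink or file in its place)" % path)
            continue
        if (st.st_uid, st.st_gid) != (uid, gid):
            problems.append("%s: owned by %d:%d, expected %d:%d"
                            % (path, st.st_uid, st.st_gid, uid, gid))
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            problems.append("%s: mode %o grants group/other access" % (path, mode))
    return problems


if __name__ == "__main__":
    # Assumed share root and account names from the article's setup.
    root = "/Volumes/data"
    uid = pwd.getpwnam("oduser").pw_uid
    gid = grp.getgrnam("staff").gr_gid
    for p in setup_roaming_dirs(root, "oduser", uid, gid):
        print("created", p)
    for problem in audit_roaming_dirs(root, "oduser", uid, gid):
        print("PROBLEM:", problem)
```

The audit uses lstat and checks that each path is a real directory: a symlink dropped in place of a user's profile directory would otherwise pass an ownership check while pointing somewhere else on the server.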

To verify this, log in to your Open Directory server and take a look at the data directory, as shown in Figure 19. As you can see, it has been populated with the contents of the Windows profile. Congratulations, Windows is now using Open Directory!

Figure 19. A successful roaming profile


You really should not use local hosts or lmhosts files for name resolution. I only did this in this article because it was easier to explain the concepts we covered without adding the complexity of DNS. A hardcoded entry takes precedence over whatever DNS says, has to be maintained by hand on every client, and keeps pointing at the old address after the server moves. If you do want to set up DNS, I recommend doing it on either OS X or Linux. Red Hat has a great article on configuring DNS at home.
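If you did follow the article and hand-edit lmhosts on the Windows client (Figure 11), it is worth having a way to find those entries again and see whether they still agree with DNS. The script below is an added example, not part of the original article: it parses a constructed lmhosts excerpt in the format Windows uses (address, name, then optional #PRE and #DOM: keywords) and reports every mapping that DNS does not confirm. The addresses and the stale OLDSERVER entry are made up for the example, and the resolver is injected so the check runs offline; the real run at the bottom uses the system resolver.

```python
import socket

# Constructed lmhosts excerpt in the style of the file edited in Figure 11.
# Addresses and the stale OLDSERVER entry are invented for this example.
SAMPLE_LMHOSTS = """\
# constructed sample, not a real lmhosts file
192.168.1.10    PRETENDCO               #PRE #DOM:PRETENDCO
192.168.1.10    pretendco.example.com   #PRE
192.168.1.20    OLDSERVER               #PRE
#BEGIN_ALTERNATE
#INCLUDE \\\\PRETENDCO\\public\\lmhosts
#END_ALTERNATE
"""


def parse_lmhosts(text):
    """Return {NAME: (ip, [keywords])} for each mapping line in an lmhosts file.

    lmhosts uses '#' both for comments and for keywords (#PRE, #DOM:,
    #INCLUDE), so a line only counts as a mapping if it starts with an address.
    Directive lines such as #INCLUDE are skipped here, but notice what they do:
    they pull further mappings from a remote share, so whoever controls that
    share controls name resolution on every client that includes it.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, name = parts[0], parts[1].upper()
        keywords = [p for p in parts[2:] if p.startswith("#")]
        entries[name] = (ip, keywords)
    return entries


def find_drift(entries, resolve):
    """Compare each hardcoded mapping with what DNS answers.

    resolve(name) returns an address or None. It is passed in so the check can
    run without network access (and so a test can supply canned answers).
    Returns [(name, lmhosts_ip, dns_answer)] for every disagreement, including
    names DNS does not know at all.
    """
    drift = []
    for name, (ip, _keywords) in sorted(entries.items()):
        answer = resolve(name.lower())
        if answer != ip:
            drift.append((name, ip, answer))
    return drift


def dns_resolve(name):
    """System resolver wrapper; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    entries = parse_lmhosts(SAMPLE_LMHOSTS)
    for name, ip, answer in find_drift(entries, dns_resolve):
        print("%-25s lmhosts=%-15s dns=%s" % (name, ip, answer or "no answer"))
```

Plain NetBIOS names such as PRETENDCO will only match DNS if the client's search suffix fills in the domain, so a bare name showing up as "no answer" usually means the entry belongs in DNS under its fully qualified name rather than in lmhosts at all.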

In this series, we set up Open Directory, bound Linux to Open Directory, created shared NFS home directories for Linux and OS X, set up Mobility and introduced MCX, and, finally, even got Windows to join Open Directory. I hope I gave you the impression that Open Directory is amazing and can do things many other directory servers only dream of. In addition, Open Directory is fairly easy to set up. I would love to hear about how other people are using Open Directory, whether at home, in an education environment, or in a corporate setting.

Noah Gift is the co-author of Python for Unix and Linux System Administration (O'Reilly). He is an author, speaker, consultant, and community leader, writing for publications such as IBM developerWorks, Red Hat Magazine, O'Reilly, MacTech, and Manning.


Copyright © 2009 O'Reilly Media, Inc.