Using AFP Network Home Directories for LDAP Users

This page explains a network setup using a HELIOS server for file server, and a separate LDAP server for authentication. It also describes the required steps to get a network based home directory for LDAP based users after logging on to a Mac client.

HELIOS server setup
Volume setup

The network home support for a Mac client requires a special setup on the HELIOS server. In this example, we assume vmsuse114.dyn.helios.de as the HELIOS server name.

As a first step, remove the HELIOS home directory entry (“~”) from the volume definition in HELIOS Admin. Then create a new volume “Users” at path “/Users”, with the option Guest Access enabled. In addition, set the AFP server preference enableguest via the command:

HELDIR/bin/prefvalue -k Programs/afpsrv/enableguest -t bool TRUE

For existing users, copy the old home directory with “dt” to the “/Users” directory and preserve the ownership and permissions by using the -p option.

HELDIR/bin/dt cp -Rp /home/USERNAME /Users

For new users, create a home directory for each user and make sure that the permissions are set properly, e.g.

HELDIR/bin/dt mkdir /Users/USERNAME
HELDIR/bin/dt chmod 700 /Users/USERNAME
HELDIR/bin/dt chown USERNAME /Users/USERNAME

These permissions make sure that only the user has access to their home directory.

Note: You cannot use an existing home directory structure because each home directory is a separate volume. If the old home directory is e.g. “/home/USERNAME”, it is not possible to define a volume “/home” because it would lead to a nested desktop setup, which is not supported.

Authentication setup

Authenticate the HELIOS server against LDAP as shown on our HELIOS Authentication Server LDAP web page. This example uses a Mac OS X Server (“Open Directory”/Password Server) setup.

Mac OS X Server setup

This example setup was performed on a freshly installed Mac OS X 10.7.2 Server.

  • Install and configure a Mac OS X 10.7.2 Server as Open Directory master (in this example, the host macsupport.helios.de is used)
  • Use the following “Home” setup for the user “odhelios”:
  • Add a “Mounts” record to the server in the LDAP database using the “Directory Utility”. It can be called from the “Tools” menu of the “Server.app”. The following entries must be added (some more entries are added automatically):
    • RecordName
      vmsuse114.dyn.helios.de:/Users
    • VFSLinkDir
      /Network/Servers
    • VFSOpts
      net
      url==afp://;AUTH=NO%20USER%20AUTHENT@vmsuse114.dyn.helios.de/Users
    • VFSType
      url
Mac client setup

To authenticate a Mac client against the LDAP server authenticate as admin user in “System Preferences > Users & Groups > Login Options” and click the Network Account Server button. Add the server macsupport.helios.de to enable the LDAP based authentication.

Verify the setup

(In this example the client "iMac" is used.)

ssh login as LDAP user on the client:
$ ssh odhelios@iMac
Password:
Last login: Thu Dec 1 11:11:22 2011
iMac:~ odhelios$ pwd
/Network/Servers/vmsuse114.dyn.helios.de/Users/odhelios

Finder login as LDAP user :

Logout and login again as user "odhelios".

Note: Do not use fast user switching on the Mac client for this test unless Mac OS X 10.7.2 is installed. Older versions may be buggy so that this won't work properly for an OD user in case a local user is also logged-in.