Apple Training Series: Mac OS X System Administration Reference, Volume 1

Although some LDAP attributes seem similar to Open Directory attributes, their uses are very different. The following definitions refer to a default configuration of the LDAPv3 plug-in on Mac OS X and a default configuration of the LDAP directory on Mac OS X Server:

• uid: This attribute in an LDAP directory refers to the short name of a user account. In Open Directory, this is one of the attributes mapped to RecordName. This attribute should not be confused with the user's ID used in the Mac OS X file system.

• uidNumber: This attribute is mapped to the UniqueID attribute in Open Directory, and the value is the same as the user's ID used in the file system. Much of the process of associating files to user accounts and determining authorization is done using the user's ID.

• apple-generateduid: This attribute is unique to Mac OS X. It maps to the Open Directory attribute GeneratedUID, and its value is a 128-bit value.

For user accounts, there are two available attributes for home folders in LDAP:

• homeDirectory: This LDAP attribute maps to the Open Directory attribute NFSHomeDirectory. The value of this attribute is the local file-system path to the user's home folder (for example, /Users/johnsigna).

• apple-user-homeurl: This attribute maps to the HomeDirectory attribute in Open Directory. The value of this attribute is a tagged entry that specifies the URL and share point for the location of a home folder, regardless of whether it is an Apple Filing Protocol (AFP) or SMB-based home folder.

It is critical that these attribute differences be understood. It's just human nature to see what we want to see, and mistakenly assume that UID stands for a user's ID value rather than the short name for a user account.

Networked User Attributes

LDAP and Open Directory make it possible to use network user accounts to store and administer account information in a remote data store, thus removing the need to handle many local accounts.

Network user accounts offer the following benefits:

• Network home folders enable administrators to provide users with a consistent, controlled interface while providing access to their documents from any computer.

• Administrators can manage clients by controlling permissions on mobile computers and reserve certain resources for specific groups or individuals.

• Administrators can secure computer usage in "open" environments, such as administrative offices, classrooms, kiosks, or computer labs.

In addition to the standard attributes for user accounts, network user accounts make use of the following attributes:

• HomeDirectory: The location of an AFP-based home folder in UTF-8 XML text. The value for this attribute must be accurate for network users to log in.

• MCXSettings: The managed preferences for the user, stored in a multivalued UTF-8 XML plist.

• MCXFlags: Determines whether the MCXSettings attribute is loaded, stored in a single valued UTF-8 XML plist.

Managed Client Attributes

The configurations for managed client and mobile account options are stored in the LDAP directory using the apple-mcxsettings and apple-mcxflags attributes. Each user, group, or computer account that has managed preferences enforced would have a base-64 value assigned to those attributes in the entry. The information is stored as encoded XML code that will be interpreted by the client computer when it binds to the LDAP server. The results are placed on the client based on the type of settings. Depending on the number of preferences managed, the mcxsettings value can be quite large. While this is not a problem, it does permit the administrator to paste the value into any text editor and manually edit any values he or she wants, then paste the string back into the value field.

The managed preferences, when passed down to Mac OS X, can reside in several places:

• Managed preferences for the current user are placed in ~/Library/Preferences and include mobile account settings for the user.

• Managed login preferences are placed in /Library/Managed Preferences/username, where username is the name of the logged in user.

• Managed startup (boot) preferences are placed in /Library/Managed Preferences.

Managed group preferences are applied when the login window appears, and managed computer and mount settings are applied when the computer boots.

The data is also stored in mcx_cache in the local NetInfo database (/var/db/netinfo/ local.nidb) for offline use. This information can be removed from the database using NetInfo Manager or Workgroup Manager running locally.