os-x integration with FreeIPA

New Contributor

I have "most" of this functioning. When logged in as a local user, users can kinit with LDAP username in terminal and pull a ticket.

BUT - I have two issues (and they appear to actually be the same issue).

User authenticates to LDAP at login screen. Password is accepted, opens to blank desktop. And after that - the user cannot do a thing (my assumption is that we are waiting for the homedirectory to be created.)

My observation is that no home directory is created.

When I run createhomedir, I get errors:

grant@iotrashcan02:/Users[20161214-10:09][#23]% sudo createhomedir -c -a -n /LDAPv3/ef-idm01.production.efilm.com creating home directories for (iotrashcan02.production.efilm.com) Entity: line 1: parser error : Document is empty /Users/hayesl ^ Entity: line 1: parser error : Document is empty /Users/user1 ^ Entity: line 1: parser error : Document is empty /Users/user3 ^ Entity: line 1: parser error : Document is empty /Users/user4 ^ [more lines like this for all users the directory] grant@iotrashcan02:/Users[20161214-10:10][#24]%

I tried again - run after kinit - same results.

Seems like I'm missing an LDAP mapping. Since I pull tickets, I have decent certainty the kerberos configuration is correct.

mappings follow:

grant@iotrashcan02:/Users[20161214-10:25][#29]% sudo odutil show nodenames Nodenames: Name State Refs Type External Locked Hidden
/Active Directory Online 1 X X /Configure Online 1 X X /Contacts Online 3 /LDAPv3 Online 2 X X /LDAPv3/ef-idm01.production.efilm.com Online 7 /Local 2 X X /Local/Default Online 27 X /NIS 1 X X /Search Online 16 grant@iotrashcan02:/Users[20161214-10:26][#30]% sudo odutil show configuration /LDAPv3/ef-idm01.production.efilm.com { description = "ef-idm.production.efilm.com"; mappings = { attributes = ( objectClass ); function = "ldap:translate_recordtype"; recordtypes = { "dsRecTypeStandard:Groups" = { attributetypes = { "dsAttrTypeStandard:PrimaryGroupID" = { native = gidNumber; }; "dsAttrTypeStandard:RecordName" = { native = cn; }; }; info = { "Group Object Classes" = OR; "Object Classes" = ( posixgroup ); "Search Base" = "cn=groups,cn=accounts,dc=production,dc=efilm,dc=com"; }; }; "dsRecTypeStandard:Users" = { attributetypes = { "dsAttrTypeStandard:AuthenticationAuthority" = { native = uid; }; "dsAttrTypeStandard:HomeDirectory" = { native = "#/Users/$uid$"; }; "dsAttrTypeStandard:NFSHomeDirectory" = { native = "#/Users/$uid$"; }; "dsAttrTypeStandard:PrimaryGroupID" = { native = gidNumber; }; "dsAttrTypeStandard:RealName" = { native = cn; }; "dsAttrTypeStandard:RecordName" = { native = uid; }; "dsAttrTypeStandard:UniqueID" = { native = uidNumber; }; "dsAttrTypeStandard:UserShell" = { native = loginShell; }; }; info = { "Group Object Classes" = OR; "Object Classes" = ( inetOrgPerson ); "Search Base" = "dc=production,dc=efilm,dc=com"; }; }; }; template = LDAPv3; }; "module options" = { AppleODClient = { "Server Mappings" = 0; }; ldap = { "Denied SASL Methods" = ( "DIGEST-MD5" ); "LDAP Referrals" = 0; "Use DNS replicas" = 0; }; }; "node name" = "ef-idm01.production.efilm.com"; options = { "connection idle disconnect" = 60; "connection setup timeout" = 10; destination = { host = "ef-idm01.production.efilm.com"; other = ldap; port = 389; }; "man-in-the-middle" = 0; "no cleartext authentication" = 0; "packet encryption" = 1; "packet signing" = 1; "query timeout" = 10; }; template = LDAPv3; trusttype = anonymous; uuid = "7K9D24A2-21CJ-413F-BADE-B795F7EB5912"; } grant@iotrashcan02:/Users[20161214-10:27][#31]%

I looked for breadcrumbs in the syslog and opendirectory logs. These are quiet - nothing.
I did a dscl read comparing a /Local/Default to LDAP. There are of course more items in the LDAP read, but I appear to have mapped each relevant item (those matching the local listing).

I have many linux hosts bound to this, but os-x is giving me a hard time. What did I miss?


New Contributor


It would be nice to see some more response to this issue.

For what its worth I am currently working on a similar issue. However I get the impression @gjanssen was trying to use network home directories. For this not only do you need the mappings to be correct but you need a file server to be setup to host the network home directories. You then need to have the appropriate field in each user account pointing to the network location of their home directory.

In my case I am trying to get it working with mobile accounts only. I have so far got as far as binding and I believe correct mappings and like @gjanssen kinit is working, I also have dscacheutil -q user -a name username working.

However when I try a first login with a network user to trigger creating a mobile account it fails - unlike with real OpenDirectory. If however I do this manually in Terminal it does work. See [https://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12](link URL)

I get the message -

Unable to create mobile account.
There was a problem creating your mobile account.

I found starting off with RFC2307 mappings and then customising as per the above link seemed more successful.

I have to say that both the OpenLDAP project and the FreeIPA projects suck big time from the point of view of supporting Mac clients. Mac clients have -

  • been around for a long time
  • had a stable configuration requirement for a long time
  • represent a significant user base
  • there is a reasonable amount of documentation about how OpenDirectory/LDAP/Kerberos/Password Server all work for Macs and even example code

And yet both projects as mentioned suck big time in how they support Macs leaving admins to do a lot of work themselves.

One could argue justifiably I believe that if your a Windows shop you will use ActiveDirectory and Apple have done the hard work for that, if however you are not a Window shop you are almost certainly going to have a significant number of Macs even if you don't use Apple's toy server software. Hence you would want to use OpenLDAP or FreeIPA both of which sadly have failed to deliver a full solution for Macs.

Some FreeIPA admins have recognised this and started - but not finished some plugins which in theory will help automate configuring FreeIPA for Mac clients. (The FreeIPA team themselves seem to have no interest in improving matters.)

See [https://pagure.io/freeipa/issue/4813](link URL)
and [https://github.com/abbra/freeipa-macosx-support](link URL)
and [https://github.com/d3vi1/freeipa-macosx-support](link URL)


Oops, the

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username'

command works but I cannot login to the resulting account, I get the same error -

Unable to create mobile account.
There was a problem creating your mobile account.

even though the account is created, is listed in both System Preferences and the Login screen and the home directory has been created locally.