Using LDAP’s altServer on OS X Clients

Binding an OS X client to an LDAP server is pretty simple, but when it’s time to scale up, Apple wants us to use proxy servers and load balancers to offer failover and redundancy. This is by far the best approach, but sometimes setting up such a front end for a cluster of servers is time- or cost-prohibitive, depending on the scope of the project and the size of your fleet. In this case, it would be easier to simply have the OS X clients authenticate to a single server, using a list of trusted replica servers as a failover for when that primary server is unreachable for any reason. RFC 4512 defines an LDAP attribute called altServer, and we can use that attribute to configure exactly such a setup.

UUIDs, LDAP and FileVault 2

Many thanks to Rich Trouton and Greg Neagle for helping me figure out why case matters to OS X when dealing with UUIDs. Couldn’t have written it better myself!

Der Flounder

A little-known fact about FileVault 2 is that it uses the GeneratedUID user attribute (also known as a UUID) of an account to help identify enabled accounts. For example, when you run the fdesetup list command, you’ll see the user information appear with both the username and UUID information.


For local accounts, this isn’t an issue as the OS will properly generate a UUID for the local account. Active Directory also generally handles this correctly on Macs, so I haven’t seen UUID problems occur for AD mobile users.

Where I have heard of problems has been with non-Apple LDAP servers. If the LDAP server doesn’t provide the GeneratedUID user attribute for mobile LDAP accounts on Macs, or it does not provide the UUID in the way that FileVault 2 is expecting, you may see one or more of the following behaviors:

1. The LDAP account’s icon disappearing from…

GIMP on OS X

Just pure awesome coming from the GIMP project. September brought version 2.8.2 to OS X, which no longer requires X11 or XQuartz to run. OS X 10.8.0 or higher is required. So far I’m very impressed. Good job to all involved!