opendirectoryd

Using LDAP’s altServer on OS X Clients

Binding an OS X client to an LDAP server is pretty simple, but when it’s time to scale up, Apple wants us to use proxy servers and load balancers to offer failover and redundancy. This is by far the best approach, but sometimes setting up such a front-end for a cluster of servers is time or cost prohibitive depending on the scope of the project and the size of your fleet. In this case, it would be easier to simply have the OS X clients authenticate to a single server, using a list of trusted replica servers as a failover for when that primary server is unreachable for any reason. RFC4512 defines a LDAP attribute called altServer, and we can use that attribute to configure exactly such a setup.
(more…)

Sandboxing vs. LocalMCX

This is a (albeit late) follow up post to a conversation started over on MacEnterprise as well as the MunkiDev list.

If you use LocalMCX to manage machines, this post by Greg Neagle is probably very familiar to you. In it, Greg outlines some of the changes that came with dscl in Mountain Lion and how those changes affect Local MCX management. Basically, the changes were such that you could no longer use dscl or Workgroup Manager to create or modify MCX settings and groups in your custom (non-“Default”) node.

It turns out, we can still use those tools to edit and manage our custom nodes. The problem isn’t a rewrite of dscl to specifically reject custom local MCX nodes, as many of us suspected. It’s sandboxing.

So what changed? Mountain Lion is all about Sandboxing (which is a very good thing). Apple’s goal with its App Sandbox is to split applications into collections of binaries so that each of those binaries can be assigned only the permissions and resources that it needs to do its job. When Apple sandboxed opendirectoryd, they rightly gave it read/write access to /var/db/dslocal/nodes/Default and nothing else. This is actually very good news for us because sandbox permissions can be modified, meaning we can get Workgroup Manager to edit users/groups/etc directly in our custom node. Here’s how:

  1. Open /System/Library/Sandbox/Profiles/com.apple.opendirectoryd.sbin your favorite text editor
  2. Find the line referring to /var/db/dslocal/nodes/Default, should be line 43 (notice how this is under the allow file-write* container?)
  3. Insert a new line after that one with the following contents, making adjustments where needed for your local MCX path:
    #"^(/private)?/var/db/dslocal/nodes/MCX(/|$)"
    
  4. Reload the daemon, effectively forcing sandboxd to reload the permissions:
    killall opendirectoryd

Keep in mind, this only solves the problem of getting our favorite MCX editing tools back in our hands without the need to copy records back and forth between nodes, so it really wouldn’t make sense to push this out to all of your OS X client machines.

That’s it. You should now be able to use Workgroup Manager again to edit your local MCX settings, in place.