If you need to enable logins for macOS Server Open Directory Network Users on a Red Hat Enterprise Linux or derivative system, here’s how to do it. I’ve tested this on Fedora 34 and Oracle Linux 8.5.
Apple Open Directory offers user id information via LDAPv3, and authentication is through Kerberos, so we can set this up in two stages.
Run all commands as root, or prefix them with sudo.
Kerberos Authentication:
dnf install krb5-workstation krb5-libs
vi /etc/krb5.conf
- You need to uncomment and edit the EXAMPLE.COM references to match your server. These are based on the Open Directory server’s domain name levels, so for example the realm is ‘PROFILEMANAGER.MACINTOSH-RESCUE.NET’ and profilemanager.macintosh-rescue.net is used for the kdc and admin_server:
- You can now attempt to obtain a Kerberos ticket with a command like
kinit -P merlin
- Enter the user’s password when prompted, then confirm receipt of the ticket with
klist
You should now have the Kerberos authentication part working.
LDAP Configuration
This part is a bit fiddly, since some settings have to be entered twice. It enables your client system to see the Network User accounts:
dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir
authselect select sssd with-mkhomedir --force
vi /etc/openldap/ldap.conf
- You need to change the ‘BASE’ and ‘URI’ lines to something like the following:
BASE dc=profilemanager,dc=macintosh-rescue,dc=net
URI ldap://profilemanager.macintosh-rescue.net
vi /etc/sssd/sssd.conf
- You need to put something like the following into this new file:
[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://profilemanager.macintosh-rescue.net/
ldap_search_base = dc=profilemanager,dc=macintosh-rescue,dc=net
ldap_id_use_start_tls = False
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow
override_homedir = /home/%u
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /Users
chmod 600 /etc/sssd/sssd.conf
systemctl enable sssd oddjobd
shutdown -r now
Test The Setup
You should now be able to log in as a Network User, and a home directory will be created in /home/USERNAME.
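Before rebooting it is worth checking the two files you edited, because the settings above trade security for convenience: with ldap_uri pointing at ldap:// and ldap_id_use_start_tls = False, user and group lookups cross the network in clear text, and ldap_tls_reqcert = allow means sssd accepts whatever certificate the Open Directory server presents (sssd still insists on TLS for password authentication unless ldap_auth_disable_tls_never_use_in_production is set, so ‘allow’ is what lets the bind succeed against an unverified certificate). The script below is an added example, not part of the original post: it audits a krb5.conf for leftover EXAMPLE.COM placeholders, a missing kdc/admin_server or a lower-case realm, and an sssd.conf for the transport settings and the chmod 600 step. The sample files it creates are constructed copies (the weak ones mirror the post’s settings, the hardened ones are an assumed corrected version whose ldap_tls_cacert path is made up); on a real system run the two audit functions against /etc/krb5.conf and /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example, not from the original post: audit krb5.conf and sssd.conf
# for leftover placeholders and for settings that leave the LDAP channel
# unprotected. Sample files are constructed; real use:
#   audit_krb5_conf /etc/krb5.conf ; audit_sssd_conf /etc/sssd/sssd.conf

# conf_get FILE KEY: value of the first uncommented "KEY = value" line.
# Split on the first "=" only, since a search base (dc=...,dc=...) has "=" in it.
conf_get() {
    awk -v k="$2" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == k) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# audit_krb5_conf FILE: one finding per line, nothing when the file is clean.
audit_krb5_conf() {
    f="$1"
    if grep -v '^[[:space:]]*#' "$f" | grep -qi 'example\.com'; then
        echo "krb5.conf: EXAMPLE.COM placeholder still present"
    fi
    realm=$(conf_get "$f" default_realm)
    if [ -z "$realm" ]; then
        echo "krb5.conf: no default_realm"
    elif [ "$realm" != "$(upper "$realm")" ]; then
        echo "krb5.conf: default_realm '$realm' is not upper-case (realms are case-sensitive)"
    fi
    [ -n "$(conf_get "$f" kdc)" ] || echo "krb5.conf: no kdc entry"
    [ -n "$(conf_get "$f" admin_server)" ] || echo "krb5.conf: no admin_server entry"
    return 0
}

# audit_sssd_conf FILE: LDAP transport settings plus the chmod 600 step.
audit_sssd_conf() {
    f="$1"
    uri=$(lower "$(conf_get "$f" ldap_uri)")
    starttls=$(lower "$(conf_get "$f" ldap_id_use_start_tls)")
    reqcert=$(lower "$(conf_get "$f" ldap_tls_reqcert)")
    notls=$(lower "$(conf_get "$f" ldap_auth_disable_tls_never_use_in_production)")
    case "$uri" in
        ldaps://*) ;;
        ldap://*) [ "$starttls" = "true" ] || \
            echo "sssd.conf: ldap:// without ldap_id_use_start_tls = True: lookups are sent in clear text" ;;
        *) echo "sssd.conf: ldap_uri missing or not ldap(s)://: '$uri'" ;;
    esac
    # sssd's own default is "hard"; only demand/hard make the server prove its identity.
    case "${reqcert:-hard}" in
        demand|hard) ;;
        *) echo "sssd.conf: ldap_tls_reqcert = $reqcert does not verify the server certificate (use demand)" ;;
    esac
    if [ "$notls" = "true" ]; then
        echo "sssd.conf: ldap_auth_disable_tls_never_use_in_production is set: passwords sent without TLS"
    fi
    if [ -e "$f" ]; then
        mode=$(ls -ld "$f" | cut -c1-10)
        [ "x$mode" = "x-rw-------" ] || echo "sssd.conf: mode is $mode, expected -rw------- (chmod 600)"
    fi
    return 0
}
# finding_count FUNC FILE: number of findings; always exits 0 so it is safe under set -e.
finding_count() { "$@" | awk 'END { print NR }'; }

# Constructed sample files (assumptions, not real system files).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
WEAK_KRB5="$WORK/krb5.conf.weak"; GOOD_KRB5="$WORK/krb5.conf.good"
WEAK_SSSD="$WORK/sssd.conf.weak"; GOOD_SSSD="$WORK/sssd.conf.good"
cat > "$WEAK_KRB5" <<'EOF'
[libdefaults]
    default_realm = example.com
[realms]
    example.com = {
        kdc = kerberos.example.com
    }
EOF
cat > "$GOOD_KRB5" <<'EOF'
[libdefaults]
    default_realm = PROFILEMANAGER.MACINTOSH-RESCUE.NET
[realms]
    PROFILEMANAGER.MACINTOSH-RESCUE.NET = {
        kdc = profilemanager.macintosh-rescue.net
        admin_server = profilemanager.macintosh-rescue.net
    }
EOF
cat > "$WEAK_SSSD" <<'EOF'
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://profilemanager.macintosh-rescue.net/
ldap_search_base = dc=profilemanager,dc=macintosh-rescue,dc=net
ldap_id_use_start_tls = False
ldap_tls_reqcert = allow
[sssd]
services = nss, pam
domains = default
EOF
chmod 644 "$WEAK_SSSD"   # simulates a forgotten chmod 600
sed -e 's/^ldap_id_use_start_tls = .*/ldap_id_use_start_tls = True/' \
    -e 's|^ldap_tls_reqcert = .*|ldap_tls_reqcert = demand\nldap_tls_cacert = /etc/openldap/certs/od-ca.pem|' \
    "$WEAK_SSSD" > "$GOOD_SSSD" && chmod 600 "$GOOD_SSSD"   # CA path is an assumption

for f in "$WEAK_KRB5" "$GOOD_KRB5"; do echo "== $f"; audit_krb5_conf "$f"; done
for f in "$WEAK_SSSD" "$GOOD_SSSD"; do echo "== $f"; audit_sssd_conf "$f"; done
```

The hardened sample keeps ldap:// but turns StartTLS on for lookups and switches ldap_tls_reqcert to demand, which only works once the Open Directory server’s CA certificate has been placed where ldap_tls_cacert (or ldap_tls_cacertdir) points; until then sssd will refuse the connection rather than silently trust it, which is the behaviour you want.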