Lion introduced OpenDirectory as a replacement for DirectoryService. The configuration looks practically identical in the GUI, but the output plist files are different enough that you have to recreate them. I use a custom LDAP mapping, so to help me remember my settings, I had my old DSLDAPv3PlugInConfig.plist open in a text editor while I went through the tedious process of recreating it. Not everyone has to make these mappings and I know a lot of people can get away with using the standard RFC mapping. Lucky me.
If you have to create a custom mapping, but haven’t done it before, it’s straightforward enough, but easy to leave things out by mistake. In the Search & Mappings tab, you are mapping LDAP attributes to OpenDirectory attributes. On the left side of the screen, you must add high level Record Types first, then populate them with Attribute Types. Then, on the right side of the screen, you add the LDAP names, like uid or userPassword. If you have an ldif file of a user on your LDAP server as an example, or use a transparent LDAP editor like phpldapadmin, the LDAP names will be easy to find. Then it just becomes a matter of discovering what Mac OS X calls each thing.
In earlier versions of Mac OS X, I copied DSLDAPv3PlugInConfig.plist and SearchNodeConfig.plist to /Library/Preferences/DirectoryService and told puppet to restart the com.apple.DirectoryServices service. Super straightforward! This left me totally unprepared for a truly horrible snafu when trying to script our LDAP settings in Mac OS X Lion the same way.
So in Lion, I copied the correct files (Search.plist, Contacts.plist, and ldap.domainname.plist) into the correct places, but when I told puppet to restart the com.apple.opendirectoryd service, the service fell over and refused to start back up. Worse, now that OpenDirectory was dead and no longer mapped my user name to my user id, suddenly I couldn’t use sudo anymore or run anything with administrator privileges. Even single user mode couldn’t help me, and deleting the entire contents of /Library/Preferences/OpenDirectory didn’t seem to help. Next I tried reinstalling, but apparently that didn’t overwrite the correct files either. That’s right, I got stuck having to FORMAT my drive just to get a working copy of Lion back.
So where did I go wrong? As it turns out, after reading some online documentation more closely, you are SUPPOSED to run killall opendirectoryd and avoid ever touching its launchctl file at all. I was skeptical, but I tried it and suddenly, it WORKED. From there, it was trivial to script this in puppet:
exec {
  "com.apple.opendirectoryd":
    # Puppet requires a fully qualified command (or a path parameter).
    # refreshonly means it runs only when one of the plists below changes;
    # opendirectoryd is killed and launchd brings it straight back.
    command     => "/usr/bin/killall opendirectoryd",
    refreshonly => true;
}
file {
  "/Library/Preferences/OpenDirectory/Configurations/LDAPv3":
    owner  => root,
    group  => wheel,
    mode   => "0750",
    ensure => directory;
  "/Library/Preferences/OpenDirectory/Configurations/Search.plist":
    owner  => root,
    group  => wheel,
    mode   => "0600",
    ensure => present,
    notify => Exec["com.apple.opendirectoryd"],
    source => "puppet:///modules/ldap/Search.plist";
  "/Library/Preferences/OpenDirectory/Configurations/Contacts.plist":
    owner  => root,
    group  => wheel,
    mode   => "0600",
    ensure => present,
    notify => Exec["com.apple.opendirectoryd"],
    source => "puppet:///modules/ldap/Contacts.plist";
  "/Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap.domainname.plist":
    owner  => root,
    group  => wheel,
    mode   => "0600",
    ensure => present,
    notify => Exec["com.apple.opendirectoryd"],
    source => "puppet:///modules/ldap/ldap.domainname.plist";
}
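The lockout described above happens when opendirectoryd swallows a configuration it cannot read, and at that point sudo is already gone. The safeguard I would put in front of the puppet resources is a pre-flight check: refuse to touch anything under /Library/Preferences/OpenDirectory until every new plist parses, and keep a copy of the previous files so a bad push can be undone without a reinstall. The script below is an added example, not code from the post. It uses Python's plistlib as a stand-in for plutil -lint so it runs anywhere; the staging dictionary, the backup directory and the sample plists are constructed, and the file paths are the three the post uses with its "domainname" placeholder.

```python
import os
import plistlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# Relative paths of the three files the post copies under
# /Library/Preferences/OpenDirectory ("domainname" is the post's placeholder).
CONFIG_FILES = (
    "Configurations/Search.plist",
    "Configurations/Contacts.plist",
    "Configurations/LDAPv3/ldap.domainname.plist",
)

# Same action as the puppet exec: signal the daemon, never unload its launchd job.
RELOAD_COMMAND = ["/usr/bin/killall", "opendirectoryd"]

def parse_plist(data: bytes) -> dict:
    """Parse plist bytes; raise ValueError unless it is a non-empty dict plist."""
    try:
        obj = plistlib.loads(data)
    except Exception as exc:  # plistlib raises ExpatError, ValueError, ...
        raise ValueError(f"malformed plist: {exc}") from exc
    if not isinstance(obj, dict) or not obj:
        raise ValueError("plist top level must be a non-empty dictionary")
    return obj

def is_valid_plist(data: bytes) -> bool:
    """Boolean form of parse_plist, for quick pre-flight checks."""
    try:
        parse_plist(data)
        return True
    except ValueError:
        return False

def deploy(staged: dict, prefs_root: Path, backup_root: Path) -> list:
    """Validate all staged plists ({relpath: bytes}), back up current copies, then write."""
    for data in staged.values():
        parse_plist(data)  # raises before any file under prefs_root is touched
    written = []
    for rel, data in staged.items():
        dest = prefs_root / rel
        if dest.exists():  # keep the last known-good copy for rollback
            bak = backup_root / rel
            bak.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(dest, bak)
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        os.chmod(dest, 0o600)  # matches the mode in the puppet file resources
        written.append(rel)
    return written

def rollback(prefs_root: Path, backup_root: Path) -> list:
    """Restore every backed-up plist; returns the relative paths restored."""
    restored = []
    for rel in CONFIG_FILES:
        bak = backup_root / rel
        if bak.exists():
            shutil.copy2(bak, prefs_root / rel)
            restored.append(rel)
    return restored

def reload_opendirectoryd() -> int:
    """Restart opendirectoryd the way the post does: kill it and let launchd respawn it."""
    return subprocess.run(RELOAD_COMMAND, check=False).returncode

# Constructed sample plists for the dry run; real Lion configs carry many more keys.
GOOD_PLIST = plistlib.dumps({"node name": "/LDAPv3/ldap.domainname", "description": "v1"})
NEWER_PLIST = plistlib.dumps({"node name": "/LDAPv3/ldap.domainname", "description": "v2"})
BAD_PLIST = b"<?xml version='1.0'?><plist version='1.0'><dict><key>node name</key></dict>"

def dry_run() -> dict:
    """Exercise deploy/rollback in temporary directories; touches no system files."""
    prefs = Path(tempfile.mkdtemp(prefix="od-prefs-"))
    backup = Path(tempfile.mkdtemp(prefix="od-backup-"))
    good = {rel: GOOD_PLIST for rel in CONFIG_FILES}
    written = deploy(good, prefs, backup)
    # A push with one corrupt file must be rejected and leave every file as it was.
    corrupt = {**good, CONFIG_FILES[2]: BAD_PLIST}
    try:
        deploy(corrupt, prefs, backup)
        rejected = False
    except ValueError:
        rejected = True
    unchanged = all((prefs / rel).read_bytes() == GOOD_PLIST for rel in CONFIG_FILES)
    # A later good push is backed up first, so it can be undone without a reinstall.
    deploy({rel: NEWER_PLIST for rel in CONFIG_FILES}, prefs, backup)
    restored = rollback(prefs, backup)
    back_to_first = all((prefs / rel).read_bytes() == GOOD_PLIST for rel in CONFIG_FILES)
    return {"written": len(written), "rejected": rejected, "unchanged": unchanged,
            "restored": len(restored), "back_to_first": back_to_first}
```

Run dry_run() to see the three outcomes on scratch directories; on a real Mac you would call deploy() against /Library/Preferences/OpenDirectory as root and only then reload_opendirectoryd(). The syntax check is deliberately weak (it proves the file is a plist, not that the mappings inside are right), but it is exactly the class of mistake that killed the daemon in the story, and it is cheap to do before puppet's notify fires. On macOS itself, plutil -lint does the same check from the shell, and later Puppet versions can run it through the file resource's validate_cmd attribute.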