LDAP extension for AFP support?


We want to migrate away from MacOSX Server OpenDirectory as file- and dir-server. As possible file server or NAS we are evaluating linux based DSS v7 from Open-E as this solution does support AFP, SAMBA and NFS protocol. Although AFP is not supported in the future, we still have with AFP the best overall performance and compatibility – admitting that in the meantime MacOSX network user home accounts have to be served by SAMBA for undocumented compatibility reasons.

The DSS v7 system can be bound successfully by LDAP client connection to our existing MacOSX Server OpenDirectory. Unfortunately only AFP client mount connections are working but SAMBA are not, as the samba4 LDAP schema that is used by Apple OpenDirectory is not standard and outdated. Thus the SAMBA service on DSS v7 can not start up successfully at the moment of binding.

We can bind also the DSS v7 system successfully by LDAP to the Univention Server. So we can successfully establish MacOS client connections by SAMBA to the DSS v7 shares. Unfortunately MacOS client connections by AFP to the DSS v7 shares do not work. User authentication on AFP connections are working, but it is reported that there is no share available for AFP connection, although on the DSS v7 AFP is assigned to all shares. In the DSS v7 log I can see:

afpd: nss_ldap: could not search LDAP server - Insufficient access


afpd[27610] {dsi_stream.c:504} (error:DSI): dsi_stream_read: len:0, unexpected EOF

So it seems that AFP-demon on the DSS v7 system is expecting additional (share related) attributes from the LDAP information provided from the Univention Server (seen that LDAP information from the Apple OpenDirectory is providing them).

Thus I would like to ask if it is possible to extend the standard Univention LDAP-schema tree with AFP attributes in order that AFP Client connections are possible on the DSS v7 NAS? And how and where can those AFP specific attributes inserted in the Univention LDAP tree?

Many thanks in advance for any hint. best regards,


P.S. I copied an actuall apple.schema file to the /usr/share/univention-ldap/schema/, restarted the LDAP service, but can not see the apple.schema on the Univention object list.


in order to understand how LDAP schema extensions work on UCS, you should really read the corresponding documentation. Note that this only applies to the OpenLDAP server, not the Samba 4 LDAP.

The UCS LDAP servers (both OpenLDAP on ports 7389/7636 as well as the Samba 4 LDAP on ports 389/636) disallow anonymous binds/searches. If at all possible, you should configure that afpd to bind with a known user account before trying its searches.

If you really cannot do that, you can configure OpenLDAP and Samba to allow anonymous searches. Look at ucr search 'anonymous|strong/auth'

Kind regards


Thank you for your reponse.
Binding of the DSS v7 NAS to the Univention LDAP is done with authenticated user and works for Samba-client connection, but not for the afp-client connection. But I will give try the anonymous search setting.

Best regards,