Ok, first a quick thumbnail of my environment. K-12 school system, around 500 devices, almost 50/50 Windows and Mac (was 100% Windows just over a year ago). Using eDirectory 8.8 running on OES 11 for user authentication. Currently using Kanaka 2.81 to authenticate the Macs, but wondering if I wouldn't be better off going straight LDAP or LDAP+Kerberos instead.

At this point, all we are using Kanaka for is authentication. We use Jamf Casper Suite for general Mac management, and using any of Kanaka's Managed Client settings seems to cause problems with that. Wish I knew the guts of Kanaka's MCX bits for home directory mounting and icons so I could try to duplicate them in Casper profiles, but that's another question. Anyway, for straight authentication, Kanaka works well enough (except for the times the engine quits responding on all three of my eDir servers and no Macs can log in until I fix that), but I'd just as soon streamline things and eliminate one client from the mix in favor of OSXs baked in LDAP modules if I can. And if I can find a method that will minimize the interaction users have to have with their Login keychain after changing their eDirectory password, more's the better.

I've messed with LDAP authentication some, but haven't been able to get it working. I do have LDAP auth working with several other systems (GroupWise and Filr among them) so am not a total stranger to it, but also far from an expert. All three eDirectory servers show a green light in Directory Utility on my testing Mac, so I'm thinking the problem lies someplace in my mappings, but not sure where.

I've read most everything I can find online on eDirectory and OSX, but haven't gotten very far. Part of the problem is knowing for sure which bits actually apply to what I'm trying to do. Most of the guides I can find seem to be 10 plus years old and based on using pure network accounts. We're looking seriously at 1:1 MacBooks in the next couple of years, which means Mobile Accounts with local home directories (anybody who can tell me how to make Home Sync work dependably will be my friend forever) are the way to go. So, like with Randy Saeks' guide, which seems to be the gold standard but was written in a time of Netware 6.5 and Panther/Tiger, a lot of it seems not to apply to me running Yosemite with Mobile Accounts trying to talk to OES 11 servers. Or maybe it does and I just don't realize it. So, anyone who can offer a guide, or just some guidance or, heck, ask me a question which makes me feel a little foolish but points me in the right direction, I would be most appreciative. I know I can't be the only one out there trying to make Macs and eDirectory/OES play nice.

