2007-09-15

OS X managed users

Filed under: Geekiness — iain @ 15:18:26

A managed user has certain preferences defined by the administrator (that’s you) which may or may not be editable after being set. The preferences are stored as attributes in LDAP named apple-user-mcxflags and apple-user-mcxsettings, whose values are Base64-encoded XML data.

XML configuration

The correct way to store user preference information on OS X is to write an XML proplist in ~/Library/Preferences. For example, a user’s Terminal preferences are stored in com.apple.Terminal.plist. These can be read with the defaults command:

    $ defaults read com.apple.Terminal TerminalOpaqueness
    0.75

They can also be displayed with the Property List Editor which is installed as part of Xcode Tools.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>TerminalOpaqueness</key>
        <string>0.75</string>
    </dict>
    </plist>

Managed accounts

Managed accounts are configured with certain preferences by the administrator. The managed preferences are stored in the user’s LDAP profile in two fields. The apple-user-mcxflags attribute identifies the user as having managed settings and zero or more apple-user-mcxsettings attributes define the settings; one per application. They need to be mapped to MCXFlags and MCXSettings respectively in the DirectoryService.

The settings take effect at login and persist in one of three ways: Once, where the user’s preferences may subsequently be changed; Often, where any changes last only for the lifetime of the session; and Always, where the preferences may not be overridden at all.

Creating a managed account

The values to set in LDAP for a managed user are Base64-encoded versions of the appropriate XML proplists. apple-user-mcxflags needs to look like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
            <key>has_mcx_settings</key>
            <true/>
    </dict>
    </plist>

Each apple-user-mcxsettings entry looks similar to its original proplist representation, only wrapped inside other dictionaries. An example makes things clear. Our Terminal settings look like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
            <key>mcx_application_data</key>
            <dict>
                    <key>com.apple.Terminal</key>
                    <dict>
                            <key>Forced</key>
                            <array>
                                    <dict>
                                            <key>mcx_preference_settings</key>
                                            <dict>
                                                    <key>TerminalOpaqueness</key>
                                                    <string>0.75</string>
                                            </dict>
                                    </dict>
                            </array>
                    </dict>
            </dict>
    </dict>
    </plist>

The innermost key and string (TerminalOpaqueness and 0.75, shown in bold in the original post) are copied from the original XML. Everything outside that is required to construct a correct MCXSettings entry.

Note the Forced key. This represents a preference that is Always applied. One which is applied Often would appear under Set-Once instead. One which is applied Once appears under Set-Once with an mcx_data_timestamp entry above mcx_preference_settings, viz:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
            <key>mcx_application_data</key>
            <dict>
                    <key>com.apple.Terminal</key>
                    <dict>
                            <key>Set-Once</key>
                            <array>
                                    <dict>
                                            <key>mcx_data_timestamp</key>
                                            <date>2007-09-15T14:35:49Z</date>
                                            <key>mcx_preference_settings</key>
                                            <dict>
                                                    <key>TerminalOpaqueness</key>
                                                    <string>0.75</string>
                                            </dict>
                                    </dict>
                            </array>
                    </dict>
            </dict>
    </dict>
    </plist>

As these preferences are stored as Base64 inside the directory it is necessary to convert them. Luckily OpenLDAP’s ldapmodify tool knows how to do this. All you need do is write the XML to a file and reference it in your LDIF.

    dn: uid=manageduser,ou=users,dc=iain,dc=cx
    apple-user-mcxflags:< file:///home/iain/ldaphacking/manageduser.mcxflags
    apple-user-mcxsettings:< file:///home/iain/ldaphacking/manageduser.mcxsettings

Then run:

    $ ldapmodify -f manageduser.ldif
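
As an added example (not part of the original post), this Python script builds an apple-user-mcxsettings plist in the layout shown above and decodes a Base64 value, as it is stored in the directory, to list which preferences are managed and under which key. The function names and the sample value are constructed for illustration.

```python
import base64
import plistlib
from datetime import datetime


def build_mcxsettings(domain, prefs, level="Forced", timestamp=None):
    """Wrap an application's preferences in the MCXSettings layout from the post.

    level is the key the post shows ("Forced" or "Set-Once"); timestamp, if
    given, is written as mcx_data_timestamp (a naive datetime is taken as UTC).
    """
    entry = {}
    if timestamp is not None:
        entry["mcx_data_timestamp"] = timestamp
    entry["mcx_preference_settings"] = dict(prefs)
    doc = {"mcx_application_data": {domain: {level: [entry]}}}
    # Keys are sorted on output, so the timestamp lands above the settings.
    return plistlib.dumps(doc, fmt=plistlib.FMT_XML)


def summarize_mcxsettings(b64_value):
    """Decode one Base64 apple-user-mcxsettings value into audit rows.

    Each row is (domain, level, preference key, value, timestamp or None).
    """
    doc = plistlib.loads(base64.b64decode(b64_value))
    rows = []
    for domain, levels in doc.get("mcx_application_data", {}).items():
        for level, entries in levels.items():
            for entry in entries:
                stamp = entry.get("mcx_data_timestamp")
                settings = entry.get("mcx_preference_settings", {})
                for key, value in settings.items():
                    rows.append((domain, level, key, value, stamp))
    return sorted(rows, key=lambda r: r[:3])


if __name__ == "__main__":
    # Constructed sample: the Set-Once Terminal entry from the post.
    xml = build_mcxsettings(
        "com.apple.Terminal",
        {"TerminalOpaqueness": "0.75"},
        level="Set-Once",
        timestamp=datetime(2007, 9, 15, 14, 35, 49),
    )
    stored = base64.b64encode(xml).decode("ascii")  # what LDAP would hold
    for row in summarize_mcxsettings(stored):
        print(row)
```

Running the decoder over every apple-user-mcxsettings value in the directory gives a quick inventory of which preferences are locked for which users.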
