Intergation of OS X server with external LDAP

You don't say what Directory Server software you are already using on the Linux systems. The most common one is OpenLDAP which Apple's own Open Directory is based on but not identical to.

It should be possible to use the Linux OpenLDAP system for your Mac clients although you will likely need to make some modest changes on the Linux server to fully support the Macs. I have not done this myself although I have worked at an organisation already using OpenLDAP for Mac clients. I found the following articles which discuss this.

http://hermanbanken.nl/2011/01/22/openldap-server-mac-osx-clients/

https://macosxhosting.wordpress.com/2008/02/19/integrating-osx-clients-with-an-o penldap-directory/

https://www.chriscantwell.co.uk/2009/12/mac-osx-authentication-against-openldap/

http://pig.made-it.com/ldap-mac.html

Note: In theory once you have made the modifications to your OpenLDAP setup and 'bound' a Mac to the Linux OpenLDAP server it is then possible to run the old Workgroup Manager 10.9 on a Mac to add user accounts.

I get the impression these articles do not cover Kerberos which is closely related to the topic of Directory Services. When you setup (real) Open Directory, Kerberos gets setup to match all behind the scenes, this is the benefit of using Apple's software. You should therefore try and ensure your Linux setup also has a working Kerberos setup as well before starting this project as it is likely to make life a lot easier in the long run.

Note: There are two main implementations of Kerberos, the original one was from MIT and a newer one is called Heimdal, both are available for Linux. Apple used to use the MIT one and have now switched to the Heimdal one. It seems the reason is that MIT one stopped being updated although personally I found the old MIT one worked better. This article maybe of interest https://www.secure-endpoints.com/heimdal/ The reason I mention this is that if the people who configure your Linux system have not yet set it up it maybe that using the Heimdal might make things slightly easier as it would match what Apple use and you cannot change what Apple use but could make the choice on the Linux server if it has not already been installed and setup.

I had not come across FreeIPA before but as far as I can see if you follow those steps from that article and bind your Macs to FreeIPA then it should allow using FreeIPA to authenticate Mac logins both to login to the client Macs and to login to for example other Linux services like SAMBA for SMB and NetAtalk for AFP.

If you did use some Mac servers as well then they also could be configured and bound to FreeIPA and in theory the Mac services would authenticate to FreeIPA.

The manual steps could be pre-configured as part of your process to build Macs before issuing them, however this is where I believe a correctly configured OpenLDAP and Kerberos setup might be simpler as it needs less to no customising at the Mac end only at the OpenLDAP server end.

In terms of managing Macs, these days the recommendation is to use Profile Manager or similar rather than the old style MCX settings. If you use Profile Manager then it is possible to have the Profile Manager server also bound to a separate directory server although I know people have had problems when this was not a separate Open Directory server. Using some other MDM solution avoids that e.g. JAMF Casper Suite.

I do not see it being necessary to duplicate users in to both Open Directory and say FreeIPA, it maybe that even with FreeIPA you could use a similar approach to that used a lot with Active Directory i.e. a 'Golden Triangle' aka. 'Magic Triangle' setup. See the following articles and even though they will be mainly about Active Directory a similar approach for another Directory Service may be equally possible.

http://krypted.com/tag/magic-triangle/

http://www.techrepublic.com/article/pro-tip-how-to-configure-a-golden-triangle/