Cant Edit Ldap Search Base in Open Directory

Greetings ,
My ldap search base wrong in my open directory . I have tried converting the server to standalone and back to a directory master and it still retains the old search base. How do i get rid of this, as it is causing problems.
Thanks In Advance

Any resolution to this? I am trying to configure OD and it's NOT using our FQDN for the server as the search base... instead of server.domain.NET it is putting in server.domain.COM - pretty sure that will cause problems.
I ran host <ip address> and checked our DNS settings on the server and everything is configured as .NET - cannot find this .COM anywhere. Am NOT in a position to do an uninstall and re-install as many folks have seemed to have done.
Mike

Similar Messages

  • Change LDAP Search Base:  Is archive/recreate required?

    This is the gist of the message that I'm getting while searching for an answer, but I wanted to ask it here just in case.
    I have a MacOS X server (10.4.9) that I need to join to an Active Directory... it was originally on it's own domain (xserve.mydomain.ca) and will now be on the corporate domain (xserve.myorg.ca).
    I've run changeip to change the IP address and switch over all the domain information. The forward and reverse lookups are happy and working and while I had to recreate home directories for some users, in the end, everything worked fairly well.
    Now I need to take the next step in the integration and get LDAP changed over to reflect the new FQDN. It is current dc=xserve, dc=mydomain, dc=ca ... so it needs to be dc=xserve, dc=myorg, dc=ca
    Is archiving the LDAP database... switching to Standalone... and recreating the OD Master with new LDAP search base the only way to make the change?
    And if so... does it actually work? (Home Directories don't matter too much.. but recereating 200 users, obviously would suck).
    Thank you very much.
    Chris Alemany
    Computer Technician
    Malaspina U-C
    Nanaimo, BC

    I'm hoping for a little detail here.
    The LDAP archive that is created through Server Admin
    is... comprehensive... ie. there are a LOT of
    different files in there.
    Of course as it isn't only a LDAP archive but contains the PasswordServer database, the kerberos database, server settings ...
    Where do I start in terms of "mangling" the data
    (which I assume means redoing all references to the
    old LDAP domain?
    You would need to export only the LDAP database via the appropiate ldapsearch command.
    As you begin to see this task is quite complex and without some decent knowledge about Mac OS X Server in general and specifically LDAP this task is doomed to fail. :o/
    You can start your way with this book:
    http://www.amazon.com/Apple-Training-System-Administration-Reference/dp/03213698 4X/ref=pdbbs_sr1/103-1936572-6371849?ie=UTF8&s=books&qid=1177352316&sr=8-1
    Sorry for the bad news,
    -Ralph

  • DHCP LDAP search base

    Hi,
    What setting should be put in the search base box in the LDAP tab of DHCP? I would like users to be able to access the OD database in tools such as the Address Book.
    (I currently have the dc=<name>,dc=<suffix> where these are the name.suffix of my domain). In this configuration, the users can not see the LDAP database.
    Thanks,
    Dave

    Hi Hiya,
    Thank you for taking the time to look at my question. Here's my problem. We're setting up a VOIP phone system and one of the questionnaire is to provide LDAP Search Base String of my AD. I'm not sure if I need
    to provide all this search base (DC, CN and OU) all I want to know is which of the element I should provide.
    I think my LDAP search base string is "OU=xxx,DC=mydomain,DC=local. (I'm still not sure but if you have an idea please help).
    Thank you.
    Jay
    aja

  • Open Directory, third party LDAP search path problem on Snow Leopard

    Happy new year folks,
    I ran into an interesting problem this past week in regards to a third party LDAP directory in the Search path (which used to work on previous versions). The issue brings the server to its knees eventually. I'm still digging through the logs, but here's the general breakdown...
    1. Add third-party LDAP to the OD node list. This has always worked on previous versions, and appears to still work at the most basic level. I can navigate the node with DSCL, read records, etc.
    1. Add third-party LDAP to the OD search path.
    2. Wait a few minutes....
    3. The server begins to slow down. Apache, SSH, ServerAdmin service stop responding. I'm able to run "top" briefly, which shows an increase of threads.
    4. Restart the server and quickly remove the directory from the OD search path
    5. Server goes back to being rock solid with very nice response times for Apache, SSH, ServerAdmin, etc.
    If anyone has any debugging suggestions, or has seen this before, let me know.
    Jaime
    --- Below is some console output leading up to the chaos. Before adding to search path, everything looks good --------------------
    bash-3.2# dscl
    Entering interactive mode... (type "help" for commands)
    read /LDAPv3/ldap.itd.umich.edu/Users/jaimelm cn
    dsAttrTypeNative:cn:
    Jaime Magiera
    Jaime L Magiera 1
    Jaime L Magiera
    --- Add to Search Path, which hangs ------------------------------------------------------------------------------
    bash-3.2# dscl /Search -append / CSPSearchPath /LDAPv3/ldap.itd.umich.edu
    --- DSCL in debug mode contains the following ----------------------------------------------
    2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Client: ipfw, PID: 1097, API: libinfo, Server Used : libinfomig DAR : Procedure = getprotobynumber (13) : Result code = 0
    2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Client: sso_util, PID: 1103, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16779669 : Requested nodename = /Search
    2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Plug-in call "dsDoPlugInCustomCall()" failed with error = -14292.
    2010-01-01 19:26:25 EST - T[0x00000001037A5000] - Port: 27151 Call: dsDoPlugInCustomCall() == -14292
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16779
    707 : Requested nodename = /LDAPv3/ldap.itd.umich.edu
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 2 : Dir Ref = 16779707 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 167797072010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16779707
    : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAC : Dir Ref 16779707 :
    Data buffer size = 1282010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16779
    707 : Requested nodename = ConfigNode2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsFindDirNodes(), Server Used : DAR : 2 : Dir Ref = 16779
    707 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: Requesting dsOpenDirNode with PID = 1114, UID = 0, and EUID = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsOpenDirNode(), Configure Used : DAC : Dir Ref = 16779707 : Node Name = /Configure
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsOpenDirNode(), Configure Used : DAR : Dir Ref = 1677970
    7 : Node Ref = 33556926 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16779707
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16779707 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Configure Used : DAC : Node Ref = 33556926 : Requested Attrs = dsAttrTypeStandard:OperatingSystemVersion : Attr Type Only Flag = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Configure Used : DAR : Node Ref = 33556926 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Search Used : DAC : Node Ref = 33556924 : Requested Attrs = dsAttrTypeStandard:LSPSearchPath : Attr Type Only Flag = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsGetDirNodeInfo(), Search Used : DAR : Node Ref = 33556924 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Client: dscl, PID: 1114, API: dsDoPlugInCustomCall(), Search Used : DAC : Node Ref = 33556924 : Request Code = 444
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Checking for Search Node XML config file:
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - /Library/Preferences/DirectoryService/SearchNodeConfig.plist
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Have written the Search Node XML config file:
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - /Library/Preferences/DirectoryService/SearchNodeConfigBackup.plist
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - Setting search policy to Custom search
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - CSearchPlugin::SwitchSearchPolicy: switch - reachability of node </LDAPv3/127.0.0.1> retained as <true>
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - CSearchPlugin::CheckNodes: checking network node reachability on search policy 0x0000000000002201
    2010-01-01 19:26:36 EST - T[0x00000001037A5000] - CCachePlugin::EmptyCacheEntryType - Request to empty all types - Flushing the cache
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Client: Requesting dsOpenDirNode with PID = 0, UID = 0, and EUID = 0
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsOpenDirNode(), LDAPv3 Used : DAC : Dir Ref = 16777216 : Node Name = /LDAPv3/127.0.0.1
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsOpenDirNode(), LDAPv3 Used : DAR : Dir Ref = 16777216 : Node Ref = 33556929 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - CSearchPlugin::CheckNodes: calling dsOpenDirNode succeeded on node </LDAPv3/127.0.0.1>
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsCloseDirNode(), LDAPv3 Used : DAC : Node Ref = 33556929
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsCloseDirNode(), LDAPv3 Used : DAR : Node Ref = 33556929 : Result code = 0
    2010-01-01 19:26:36 EST - T[0x0000000103181000] - mbr_mig - dsFlushMembershipCache - force cache flush (internally initiated)
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Client: Requesting dsOpenDirNode with PID = 0, UID = 0, and EUID = 0
    2010-01-01 19:26:36 EST - T[0x0000000103181000] - Membership - dsNodeStateChangeOccurred - flagging all entries as expired
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - Internal Dispatch, API: dsOpenDirNode(), LDAPv3 Used : DAC : Dir Ref = 16777216 : Node Name = /LDAPv3/ldap.itd.umich.edu
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - CLDAPNodeConfig::InternalEstablishConnection - Node ldap.itd.umich.edu - Connection requested for read
    2010-01-01 19:26:36 EST - T[0x000000010070A000] - CLDAPNodeConfig::FindSuitableReplica - Node ldap.itd.umich.edu - Attempting Replica connect to 141.211.93.133 for read
    2010-01-01 19:26:36 EST - T[0x0000000102481000] - CCachePlugin::SearchPolicyChange - search policy change notification, looking for NIS
    2010-01-01 19:26:36 EST - T[0x0000000102481000] - Internal Dispatch, API: dsGetDirNodeInfo(), Search Used : DAC : Node Ref = 33554436 : Requested Attrs = dsAttrTypeStandard:SearchPath : Attr Type Only Flag = 0
    ------- From another screen, I do "id jaimelm", which hangs ------------------------------------------------------------------------
    : Requested Rec Names = jaimelm : Rec Name Pattern Match:8449 = eDSiExact : Requested Rec Types = dsRecTypeStandard:Users
    2010-01-01 19:36:55 EST - T[0x00000001082A2000] - Internal Dispatch, API: dsGetRecordList(), Search Used : DAC : 2 : Node Ref = 33554436 : Requested Attrs = dsAttrTypeStandard:AppleMetaNodeLocation;dsAttrTypeStandard:RecordName;dsAttrTy peStandard:Password;dsAttrTypeStandard:UniqueID;dsAttrTypeStandard:GeneratedUID; dsAttrTypeStandard:PrimaryGroupID;dsAttrTypeStandard:NFSHomeDirectory;dsAttrType Standard:UserShell;dsAttrTypeStandard:RealName;dsAttrTypeStandard:Keywords : Attr Type Only Flag = 0 : Record Count Limit = 1 : Continue Data = 0
    2010-01-01 19:37:03 EST - T[0x0000000108325000] - Client: httpd, PID: 157, API: mbr_syscall, Server Used : process kauth result 0x0000000102022B30
    2010-01-01 19:37:03 EST - T[0x00000001083A8000] - Client: httpd, PID: 151, API: mbr_syscall, Server Used : process kauth result 0x0000000102022C50
    2010-01-01 19:37:05 EST - T[0x000000010842B000] - Client: httpd, PID: 203, API: mbr_syscall, Server Used : process kauth result 0x0000000102022D70
    2010-01-01 19:37:15 EST - T[0x00000001084AE000] - Client: httpd, PID: 994, API: mbr_syscall, Server Used : process kauth result 0x0000000102023890
    2010-01-01 19:37:26 EST - T[0x0000000108531000] - Client: httpd, PID: 198, API: mbr_syscall, Server Used : process kauth result 0x0000000102023980
    2010-01-01 19:37:31 EST - T[0x00000001085B4000] - Client: httpd, PID: 161, API: mbr_syscall, Server Used : process kauth result 0x0000000~

    Hi
    I'm in agreement with harry here but what I'm struggling to understand is why you are seeing this as a problem? I'm also struggling to see this as being a possibility in a single server environment if I understand your post correctly?
    Promotion to OD Master with all that entails absolutely rests on a properly configured and tested internal DNS Service. The Kerberos Realm's foundation (and with that the ability of the server to perform its function as KDC and offer LDAP services) entirely depends on what is configured in the DNS Service. This will include the server name, domain name and tld. The Kerberos Realm automatically configures itself using that information. Likewise the searchbase.
    Its more than possible to change the Realm name and with it the LDAP search base (in certain circumstances) and have an OD Master, however Kerberos won't start it won't need to as the KDC will be elsewhere. You generally see this when augmenting Windows AD with MCX. In that situation Realm name and search base will reflect what is set on the Active Directory. Client computers will use what is set there for contact and authentication information before looking at the OD Master for anything else.
    Does this help? Tony

  • Authentication Delays / Slow Authentication for Open Directory Users

    I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
    The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
    * On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
    * In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
    * On a remote computer, sharing the screen using an Open Directory user take several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
    * Connecting with AFP takes several seconds when using an Open Directory login
    * On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
    * Connecting with SSH does NOT exhibit the behavior
    In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
    The history of the problem:
    Used Tiger Server for over a year = no problems
    Clean install of Leopard Server 10.5.0 back in October = no problems
    Update to Leopard Server 10.5.1 = no problems
    Then, all of the sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
    So in desperation I backed up and did a clean install today. Here's the process I used:
    0. Erase the disk
    1. Install Leopard Server 10.5.0 from the install DVD
    2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
    3. Reboot
    4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
    5. Reboot
    6. Configure DNS (see below for detailed configuration)
    7. Reboot
    8. Change role to Open Directory Master
    9. Reboot
    ... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
    I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
    == Basic Configuration ==
    OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
    Services Enabled:
    DNS
    Open Directory
    (All other services are not yet enabled)
    == DNS Setup ==
    Primary Zone: mydomain.private.
    Allows zone transfer: no
    Nameservers: ns.mydomain.private.
    myserver (Machine) 10.0.22.201
    ns (Alias) myserver.mydomain.private.
    Reverse Zone: 22.0.10.in-addr.arpa.
    10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
    Accept recursive queries from the following networks:
    localnets
    Forwarder IP Addresses:
    208.67.222.222
    208.67.220.220
    == Open Directory Setup ==
    Role: Open Directory Master
    LDAP Search Base: dc=myserver,dc=mydomain,dc=private
    Kerberos Realm: myserver.mydomain.private
    == Network Configuration ==
    Configure: Manually
    IP Address: 10.0.22.201
    Subnet Mask: 255.255.255.0
    Router: 10.0.22.1
    DNS Server: 127.0.0.1
    Search Domains: mydomain.private
    == Other Stuff ==
    Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
    I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
    I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
    Hopefully one of the gurus out there will be able to help me out.
    Thanks,
    jeff

    I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principles in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
    == kdc.log ==
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    == slapd.log ==
    Dec 30 18:21:48 myserver slapd[36]: <= bdbsubstringcandidates: (authAuthority) index_param failed (18)
    Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
    == sudo klist -k ==
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
    3 cifs/[email protected]
    3 cifs/[email protected]
    3 cifs/[email protected]
    3 ldap/[email protected]
    3 ldap/[email protected]
    3 ldap/[email protected]
    3 xgrid/[email protected]
    3 xgrid/[email protected]
    3 xgrid/[email protected]
    3 vpn/[email protected]
    3 vpn/[email protected]
    3 vpn/[email protected]
    3 ipp/[email protected]
    3 ipp/[email protected]
    3 ipp/[email protected]
    3 xmpp/[email protected]
    3 xmpp/[email protected]
    3 xmpp/[email protected]
    3 XMPP/[email protected]
    3 XMPP/[email protected]
    3 XMPP/[email protected]
    3 host/[email protected]
    3 host/[email protected]
    3 host/[email protected]
    3 smtp/[email protected]
    3 smtp/[email protected]
    3 smtp/[email protected]
    3 nfs/[email protected]
    3 nfs/[email protected]
    3 nfs/[email protected]
    3 http/[email protected]
    3 http/[email protected]
    3 http/[email protected]
    3 HTTP/[email protected]
    3 HTTP/[email protected]
    3 HTTP/[email protected]
    3 pop/[email protected]
    3 pop/[email protected]
    3 pop/[email protected]
    3 imap/[email protected]
    3 imap/[email protected]
    3 imap/[email protected]
    3 ftp/[email protected]
    3 ftp/[email protected]
    3 ftp/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]

  • Initial setup and Open Directory problem

    Hi,
    I'm new to the MAC OS X server system and trying to get one up and running on a G5.
    Unfortunately I can’t get the configuration up and running, and I have the feeling it already goes wrong during the initial setup. I was hoping you guys could help me out.
    The purpose of the server is providing network user accounts (DNS + Open Dir.) and providing sharepoints.
    I go trough following steps while installing from scratch:
    - Install MAC OS X and run the Server install package from the OS X Server DVD (as you know, OSX Server is'n installing directly on G5)
    - Choose keyboard layout, enter license and create an account "admin"
    - Define static IP "192.168.1.1", add this IP as the first in the list of DNS Servers, add "company.local" in the search domain
    - Install as a standalone server (so I can configure dns & other network services after basic setup)
    - Check "network time server" (so time will be synced for Kerberos)
    - Proceed, install and reboot
    OSX Server seems to be installed fine and I can login with "admin". Next step I take is configuring DNS.
    - create a zone "companyname.local.", use my IP as server address (192.168.1.1) and use "server" as the server name.
    - add a machine record for DNS-testing (called "gateway", with the IP of "192.168.1.254")
    Start the DNS service and reboot
    - perform an nslookup with a second MAC with 192.168.1.1 as the nameserver and verify that DNS is resolving correctly.
    DNS seems to be working fine, now I would like to get the Open Directory service to work:
    - change "Standalone" to "Open directory master" in the server configuration panel
    - provide a password for the directory admin
    - use "SERVER.COMPANYNAME.LOCAL" as kerberos realm, and "dc=server,dc=companyname,dc=local" as the search base
    - Save & start the service and perform a reboot to be sure all the new settings are in use
    Unfortunately after this install open directory doesn't seem to work fine and also Kerberos doesn't start.
    Concerning Kerberos: I get following output in the "Slapconfig log" Open Directory log file:
    Starting LDAP server (slapd)
    command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=maggie,dc=interesourcegroup,dc=local -w **
    Hostname server.companyname.local is from Rendezvous
    Skipping Kerberos configuration
    Sorry to bother you with the entire walkthrough of the installation, but I have the feeling that I'm missing something while performing the basic install or DNS setup .. ?
    Regards,
    Seppe
    G5 Mac OS X (10.4.6) /

    We currently have a static IP and a public dns hosted
    by MediaTemple, so I think I can create a subdomain
    on MediaTemple and link it to our fixed IP address
    ("private.companyname.com" >> static ip) instead of
    using dydns.. ?
    Of course.
    I suppose I can then use "private.companyname.com" as
    the zone name on my G5 server and use
    "server.private.companyname.com" for my local DNS?
    Sounds reasonable.
    If using this DNS, what will be the Kerberos REALM
    and Search Base? And do I still need to specify
    private.companyname.com as the Search Base in the
    Network Settings of the clients and server?
    Well, REALM and LDAP Search Base can set to whatever you like. On the other hand I've seen tools contacting kerberos servers break when the REALM is not part of the kerberos server fqdn.
    So I'd stick with the usual recomandations and set kerberos REALM to your domain name (if there is no other kerberos server alread running and using this).
    For the LDAP search domain I'd also follow the road of using domain name space as search base.
    When dns will finally be setup properly, these setting will be autopopulated for you in the GUI. So test, test, test you dns with
    host $ip and host $fqdn and then go on promoting "Standalone Server" to "Open Directory Master".
    HTH
    -Ralph

  • Open directory Server admin APP, crashes

    HI all.
    ON my 10.7.2 lion server for some reason my server admin app keeps crashing under the Open
    directory Section...
    Here are the screen shots..

    Also I cant make any changes under the Open Directory in server Admin...
    Everything is greyed OUT...

  • ICal and CalDAV issues: Address Panel - Open Directory Lookup? & others.

    An overview of my setup:
    I'm using Google Calendar through CalDAV (set up with Calaboration), and have no problems synchronizing events. These are dealing with attendees.
    Several parts to this one, so to start:
    1) It appears that, likely with any CalDAV calendar, my Address Panel becomes an "Open Directory Lookup" instead of searching my trusty Address Book contacts, which I would prefer. I also cannot type in names/email addresses and have them auto-complete, which I assume is now searching the empty Open Directory.
    Is there a way I can force this to still use my Address Book? Or does anyone know a way to hook my Google contacts (in Gmail) into a directory search that will come up in the new panel?
    2) When people add me as a "guest" in Google Calendar (== attendee in iCal), I see it in my calendar on iCal. I see myself in the list, with my name and email address... but I cannot RSVP. Google recommends that I add my Gmail account hooked to my Calendar to my "me" card in Address Book, which I have done, but it still does not recognize, well, Me.
    I'm stumped. Is there something I'm missing? Something else I need to do in iCal?

    Thanks for the answer.
    I guess because I was deleting the 'local' calendar with some of my test accounts and not others I would sometimes get the local Address Book panel by default and sometimes the Open Directory panel.
    I agree it's pretty confusing.

  • Server 3.1.2: Unable to locate search base: -1 Can't contact LDAP server

    Hello all—
    I've been getting repeated errors below in my system.log.  I'm running OS X 10.9.3 with Server version 3.1.2.  I've replaced my actual server name with "my.servername.net" in the log entries. Thanks for any advice!  —michael
    May 30 17:47:03 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
    May 30 17:47:04 my.servername.net PasswordService[1345]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
    May 30 17:47:04 leo com.apple.launchd[1] (com.apple.PasswordService[1345]): Exited with code: 1
    May 30 17:47:04 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
    May 30 17:47:06 my.servername.net xscertd-helper[1351]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
    May 30 17:47:06 leo com.apple.launchd[1] (com.apple.xscertd-helper[1351]): Exited with code: 1
    May 30 17:47:06 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
    May 30 17:47:09 my.servername.net xscertd[335]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)
    May 30 17:47:14 my.servername.net PasswordService[1363]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    May 30 17:47:14 my.servername.net PasswordService[1363]: -[PasswordServerPrefsObject loadXMLData]: Unable to locate passwordserver config record's plist attribute: -1 Can't contact LDAP server
    May 30 17:47:14 my.servername.net PasswordService[1363]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    May 30 17:47:14 my.servername.net PasswordService[1363]: -[PasswordServerPrefsObject saveXMLData]: ldap_modify_ext_s of the passwordserver config record's plist attribute: -1 Can't contact LDAP server
    May 30 17:47:14 leo com.apple.launchd[1] (org.openldap.slapd[1359]): Exited with code: 1
    May 30 17:47:14 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
    May 30 17:47:14 my.servername.net PasswordService[1363]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
    May 30 17:47:14 leo com.apple.launchd[1] (com.apple.PasswordService[1363]): Exited with code: 1
    May 30 17:47:14 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
    May 30 17:47:16 my.servername.net xscertd-helper[1365]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
    May 30 17:47:16 leo com.apple.launchd[1] (com.apple.xscertd-helper[1365]): Exited with code: 1
    May 30 17:47:16 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
    May 30 17:47:20 my.servername.net xscertd[335]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)
    May 30 17:47:24 my.servername.net PasswordService[1375]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    May 30 17:47:24 my.servername.net PasswordService[1375]: -[PasswordServerPrefsObject loadXMLData]: Unable to locate passwordserver config record's plist attribute: -1 Can't contact LDAP server
    May 30 17:47:24 my.servername.net PasswordService[1375]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    May 30 17:47:24 my.servername.net PasswordService[1375]: -[PasswordServerPrefsObject saveXMLData]: ldap_modify_ext_s of the passwordserver config record's plist attribute: -1 Can't contact LDAP server
    May 30 17:47:25 leo com.apple.launchd[1] (org.openldap.slapd[1371]): Exited with code: 1
    May 30 17:47:25 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
    May 30 17:47:25 my.servername.net PasswordService[1375]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
    May 30 17:47:25 leo com.apple.launchd[1] (com.apple.PasswordService[1375]): Exited with code: 1
    May 30 17:47:25 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
    May 30 17:47:26 my.servername.net xscertd-helper[1377]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
    May 30 17:47:26 leo com.apple.launchd[1] (com.apple.xscertd-helper[1377]): Exited with code: 1
    May 30 17:47:26 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
    May 30 17:47:30 my.servername.net xscertd[335]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)

    Unfortunately this problem wasn't solved this way.  After dragging the Server.app to the trash and then retrieving it ("Put Back") and launching it, and re-starting services, my problem still persists.
    Here are relevant system.log file entries. (Note the hostname is "leo"—I've changed the FQDN to leo.myservername.net):
    Jun  6 22:57:31 leo.myservername.net PasswordService[1011]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
    Jun  6 22:57:31 leo com.apple.launchd[1] (com.apple.PasswordService[1011]): Exited with code: 1
    Jun  6 22:57:31 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
    Jun  6 22:57:32 leo.myservername.net xscertd-helper[1014]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
    Jun  6 22:57:32 leo com.apple.launchd[1] (com.apple.xscertd-helper[1014]): Exited with code: 1
    Jun  6 22:57:32 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
    Jun  6 22:57:34 leo.myservername.net xscertd[333]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)
    Jun  6 22:57:40 leo com.apple.launchd[1] (org.openldap.slapd[1016]): Exited with code: 1
    Jun  6 22:57:40 leo com.apple.launchd[1] (org.openldap.slapd): Throttling respawn: Will start in 7 seconds
    Jun  6 22:57:40 leo.myservername.net com.apple.SecurityServer[22]: Session 100004 created
    Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: -[PasswordServerPrefsObject loadXMLData]: Unable to locate passwordserver config record's plist attribute: -1 Can't contact LDAP server
    Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: -[PasswordServerPrefsObject getSearchBase]: Unable to locate search base: -1 Can't contact LDAP server
    Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: -[PasswordServerPrefsObject saveXMLData]: ldap_modify_ext_s of the passwordserver config record's plist attribute: -1 Can't contact LDAP server
    Jun  6 22:57:41 leo.myservername.net PasswordService[1024]: int pwsf_GetPublicKey(char *): ldap_search_ext_s cn=authdata for Public Key returned -1
    Jun  6 22:57:41 leo com.apple.launchd[1] (com.apple.PasswordService[1024]): Exited with code: 1
    Jun  6 22:57:41 leo com.apple.launchd[1] (com.apple.PasswordService): Throttling respawn: Will start in 10 seconds
    Jun  6 22:57:42 leo.myservername.net xscertd-helper[1028]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting
    Jun  6 22:57:42 leo com.apple.launchd[1] (com.apple.xscertd-helper[1028]): Exited with code: 1
    Jun  6 22:57:42 leo com.apple.launchd[1] (com.apple.xscertd-helper): Throttling respawn: Will start in 10 seconds
    Jun  6 22:57:45 leo.myservername.net xscertd[333]: Failed sending LookupCRLByCARecordName command to com.apple.xscertd.helper: The operation couldn’t be completed. (com.apple.certificateserver error 42005.)
    Also, for what it's worth, "Open Directory" in the Server.app has no settings within it. Nor will it stay "on." I'm not using OD per se, and am happy to leave it off, but it's possible the errors above are preventing it from running.
    Thanks for any other solutions. —michael

  • LDAP External Authentication Multiple Search Base DNs question

    hi,
    im trying two add two LDAP search DNs to a portal 6.2 organisation.
    with one search base dn it works fine.
    when i add another, all ldap auth for that org stops working.
    the docs confusingly state that if you have multiple search dns (not talking about multiple ldap servers here - just the search base dns) that you should prefix each entry with the local server name. the docs however provide no examples of the syntax.
    can anyone provide an example for multiple search dns? e.g. is it <server:port>:o=<etc> (doesn't seem to work).
    thanks

    hi,
    yes i have.. but when you enter more than one it stop working... with only one entry in the gui it will work for that entry but when you add another it stops working...
    i had to use a manual workaround like this to get the second going... :(
    External ldap authentication
    register the LDAP authentication service in the gui and setup the first DN as normal.
    create the first set of entries for the ldap host and the base dn in the gui as normal etc.
    the gui in the admin console is not working (depending on your point of view), so you need to add the second ldap config manually -
    All commands are run from the /apps/jes/SUNWam/bin directory
    1. Get an encrypted value for the bind dns (cn=Directory Manager) password you want to bind to the ldap directory as by using the ampassword utility shipped with Identity Server.
    ./ampassword -e directory_manager password
    More information on this utility can be found in the Sun ONE Identity Server Administration Guide.
    2. Copy the encrypted password as the value for the iplanet-am-auth-ldap-bind-passwd in the XML file (serviceAddMultipleLDAPConfigurationRequests.xml) created in Step 1. The XML file contains a template for creating the second LDAP DN.
    3. Modify the data XML file accordingly so that the relevant details are provided for the 2nd ldap server (bind dn search base etc) and load this into the portal directory using the amadmin command line tool as follows from the /opt/SUNWam/bin directory
    ./amadmin -u amadmin -w administrator_password -v -t serviceAddMultipleLDAPConfigurationRequests.xml
    If the imported xml values are incorrect delete and reload the imported xml data using amadmin command tool. Alternatively you can modify the ldap data directly on the primary identity server (ldap server) using a client browser though this method is not supported .
    You should be able to see new imported values for the second ldap server at dn:ou=subconfig1,ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAP
    Service,ou=services,ou=ORG,o=lgaq.qld.gov.au on the primary ldap server (where ORG is the organisation you wanted to add the second DN).

  • Open Directory and LDAP questions/difficulties

    Hi, my company is about to try out OSX Server to replace our old Irix file server. In order to do this we need to run through a number of tests in order to validate the idea. Basically, the test setup is a PM G5 running OSX Server 10.4 and a connected Mac and/or PC on the G5's second ethernet port as test clients. The first ethernet port is connected to the local subnet (192.168.1.x) and, ideally, the OSX Server should have its own subnet on the second port and serve DHCP, AFP and SMB to that port only, along with an OD shared directory providing both authentication and home directories for users. (later on, if all is successful, it will serve those services on the company subnet). DNS is supplied by a separate server on the subnet (DNS caching server running tinydns)
    I've read my way through the OSX Server documentation, and gathered all the information the Worksheet requires. The problems started occuring because we installed OSX Server over an OSX Client and broke off the Server Assistent, because we were worried at the time that turning on a Windows PDC would collide with our current (and very flaky) Samba server running on the Irix machine, and that DHCP might also collide with our current dhcp server.
    As a consequence, we tried to set it up via the Server Admin Panel, Network Prefs, and the Workgroup Manager, after having connected the second ethernet port of the G5.
    Doing this, and setting the OD service to an OD Master, along with a Search base of dc=hostname, dc=domain, dc=tld has not exactly changed much. The problem is that the info panel says that LDAP is not running. This confuses me no end. I thought OD was based upon LDAP. The server name in the Server Admin panel is hostname.local. And now I get to my real questions (finally):
    1.Would it be better to just wipe the machine and start again using the Assistent, and set up the ODMaster that way?
    2.When is an ODMaster not a local directory and when is it a shared directory (the hostname.local worries me)
    3.What services exactly need to be running for the ODMaster to function properly
    3.How do I configure the local subnet on the second port (should I use the Gateway Assistent or do it by hand), and how do I only serve those services to that port (do I do it by setting the router/gateway for those services as the IP of the second port or as localhost).
    4.Do I need to simply enable LDAPv3 on the clients and set the search path to automatic to get the clients to Autheticate?
    5.Do user and groups added to the hostname.local become part of the OD Domain?
    I'm sorry if I come across as a total newbie. I'm used to doing most of this on the commandline in Linux (except for LDAP, which is new to me), and the GUI. I have managed to entangle myself quite nicely in all this and could really use some pointers.
    Thanks in advance
    Theo.
    PowerBook G4   Mac OS X (10.4.7)  

    1. Starting with a freshly installed OS X Server is recommended, but start no services at first, you need working DNS with reverse zone for the server IP to run OD Master (and other services). If the server domain is to be different from the existing network domain name setup DNS in OS X for the test domain.
    2. I'm not sure I understand the question. LDAP/OD can be used on the server to "house" the user accounts but you don't have to bind computers to it.
    If you don't use the more advanced possibilities with LDAP/OD I don't think the clients even need to have LDAP configured to be able to authenticate.
    hostname.local = hostname and the standard Bonjour domainname .local ?
    3a. DNS, so that reverse lookup works for the hostname before setting up OD Master. OD needs a "true" domainname Bonjour isn't sufficient. Setup/use something like mydomain.private.
    3b. You don't need to do NAT, you can also route between two subnets (you would need a static route in your Internet router too).
    If you want NAT you can use the GW assistant. The interface on the top of the list in Network config (where you can add more/alias interfaces) is the "main" interface used as the "WAN"/"Internet" interface.
    4. If the clients are "standalone" (not bound to the OD domain or not using server based homefolders and such) I think you only need LDAP if you want the clients to be able to search for info in OD/LDAP. Not needed for authentication.
    You can send out LDAP info with DHCP.
    5. If you mean you add/enter users and groups to OD/LDAP directory it just means you can have different servers/clients using a central repository(?) for authentication purposes.
    If you add (bind) machines to the domain you can to control what clients can do locally (priviledges), which applications they can run and so forth.
    In /etc/smb.conf you can say which interface to use för samba (don't remember what to enter though). And if using the firewall (you must if you want NAT) you can stop Bonjour (mDNS - multicasts) from entering the "old" network if you like/need.

  • Open Directory or LDAP Problem with 10.5 Client and 10.4 Server

    Yesterday, the client-server setup we've been using successfully FOR YEARS decided not to work on a v10.5.8 MacBook Pro client. Did not do anything to the v10.5 client recently (other than to boot it up). Not sure if any software was updated on the server recently (where do I check for this?). Curiously, a v10.4.11 client running on a Mac Pro (tower) continues to work fine/as though nothing's changed. It appears as though the only difference is v10.4 client (working) vs. v10.5 client (not working).
    Here is what IS working:
    1) Network Home Directories on dedicated drive partition of Mac running OS X Server v10.4.11. AFP, DNS, and Open Directory are all up and running (normally, I think) as shown in Server Admin application.
    2) Mac Pro (tower) client running v10.4.11 binds to and authenticates at v10.4.11 server. Any valid user can access their home directory on the server seamlessly when logging in at this v10.4.11 client Mac.
    3) That same v10.4.11 client Mac also contains a LOCAL admin user with its home directory on the local hard drive. That LOCAL admin account is used to update software on a per machine basis (and preclude users from adding unauthorized software, needing to use a specific machine, etc.).
    Here is what IS NOT working:
    4) On a MacBook Pro client running v10.5.8, the LOCAL admin account looses access to the partition containing its local home directory. The drive partition literally disappears. The only "solution" I've been able to find (and it's not truly a solution) is to turn off the Open Directory/LDAP binding (using the Directory Utility application). With binding turned off, the LOCAL admin user has no problem accessing their home directory on the local hard drive partition. Turn binding on again (using Directory Utility application), and the LOCAL admin user can no longer see its local home directory.
    Again, binding is necessary to allow regular users to use the v10.5 MacBook Pro with Network Home Directories (as in items 1-3 above). Binding should be turned on for this reason. However, with binding on, the LOCAL admin user cannot manage the computer because the local partition containing the admin home directory disappears/is inaccessible. Turn binding off, and the partition containing the admin home directory reappears.
    Perhaps there's something in the sever logs that will help. I don't really know how to read these, so if your help involves the logs, please refer to them explicitly (e.g., "in Server Admin, go to Open Directory->Logs->LDAP log" or similar).
    Any help greatly appreceated.

    Nope. Never used sso_util.
    I try to use Apple's GUI server management tools unless absolutely necessary/at the end of my rope (i.e., last step before re-install etc.). I figure there's just too many things going on under the hood: using the command line may fix one setting, but not re-configure the two or three others that Apple NEEDS in order to have the whole thing working in harmony. Unless you really know what's going on with all the configuration files, it's best to let the GUI manage the settings.
    In my particular circumstance, I've now got ALL Leopard clients, one Leopard v10.5 server, and one Tiger v10.4 server. Everything is working fine now, but it was not a simple matter getting the Tiger v10.4 server re-integrated into the otherwise ALL Leopard environment. OD/Kerberos is on the Leopard v10.5 server. Home directories are still on the Tiger v10.4 server.
    Two keys to getting THIS/MY set-up working:
    1) Tiger v10.4 server needs to have Open Directory set to "Connected to a Directory System" and has to be joined to the Kerberos realm that was set-up on the Leopard v10.5 server (use Server Admin to do all of this).
    2) Sharepoint on Tiger v10.4 server has to have SOME, but NOT ALL checkboxes for guest access enables/checked. See:
    http://discussions.apple.com/message.jspa?messageID=10903468#10903468
    Number 2 immediately above is contrary to what Apple manual for User Management reads, but this is what worked for me/my set up, after pulling my hair out following the manual's instructions to the letter and not getting the thing to work!

  • MMP using wrong search base when doing LDAP query.

    Hi all,
    I installed a new MMP (sun java communication suite v5 on Redhat linux x86).
    When an imap user connects to MMP, the MMP does an ldap query for attributes "MailHostAttrs mailHost".
    This query fails because the search base is
    SRCH base="dc=my,dc=domain,dc=com,o=my.domain.com"
    instead of simply "o=my.domain.com"
    When I ran 'configure' I specified the Organization DN to be o=my.domain.com
    And I've specified the following in the ImapProxyAService.cfg file:
    LdapUrl "ldap://ldap1.my.domain.com:389/o=my.domain.com"
    UserGroupDN "o=my.domain.com"
    DefaultDomain my.domain.com
    So why does it use "dc=my,dc=domain,dc=com,o=my.domain.com"?
    I must be missing something but I can't find it.

    Hi,
    kevin_sysadmin wrote:
    So why does it use "dc=my,dc=domain,dc=com,o=my.domain.com"?
    I must be missing something but I can't find it.The first step the MMP will do to resolve the base DN for a hosted domain is a directory search along the lines of (this is for schema 2 which is the default for a new install):
    [26/Oct/2007:16:46:23 +1000] conn=3152 op=1 msgId=2 - SRCH base="dc=aus,dc=sun,dc=com" scope=2 filter="(&(objectClass=sunManagedOrganization)(|(associatedDomain=aus.sun.com)(sunPreferredDomain=aus.sun.com)))" attrs=ALL
    So in my case I have default:LdapUrl "ldap://server.aus.sun.com/dc=aus,dc=sun,dc=com" and default:DefaultDomain aus.sun.com
    So you will probably find that you have a hosted domain configured under "dc=my,dc=domain,dc=com,o=my.domain.com" which got created during installation but not propagated with users.
    Regards,
    Shane.

  • How to configure Open Directory base DN

    Hi,
    I have been using OpenLDAP on a Synology NAS drive, but this has some serious shortcomings with Mac clients (eg. roaming profiles simply doesn't work).
    So I have bought a MacMini which among other things will replace my existing LDAP server with Open Directory.
    As a dry run, I enabled the Open Directory and went through the simple set up and I had a basic system up in no time.  However I have come up against an annoying issue with the base DN used by Open Directory and I hope someone will be able to help me.
    My existing LDAP has a base DN that looks like this: dc=myorg, dc=local
    So when users log in, they can use a username which conforms to the following format: [email protected]
    The problem is that Open Directory likes to set the base DN to: dc=macservername, dc=myorg, dc=local
    meaning that a fully qualified user account name now becomes: [email protected]
    This seems bonkers to me.  For example, what would happen if I introduce a second Mac server into the mix and failover to it - the servername element of the DN becomes redundant or if it changes, I need to communicate with all users.
    I must be missing something obvious - but there doesn't seem to be much in the way of configuration that I can see through the Server application.
    So, my question is, how can I configure my base dn without the servername so that my existing username context remains the same?
    Many thanks - I look forward to any responses.

    I agree with Dal78 Apple using a base DN of servername.example.com rather than just example.com is illogical. In fact originally they did seem to use just example.com as the format but in recent years now use server.example.com as the format. When I first encountered this change it was still possible to overridge the use of servername.example.com and force it to use just example.com as the format. In more recent times I have decided to leave things the way Apple do it.
    I don't know if there is an official answer as to why, but a possible guess is that you can now have multiple Open Directory servers for a single domain. This is the 'Locales' option in Server.app. It maybe that including the servername makes it possible/easier to implement this.
    I also agree Strontium90 do not use a .local root domain for Open Directory. In theory there are hacks to (sort of) get this to work, but Apple engineers will typically run screaming for the woods when they encounter this.
    PS. Briefly Apple also did the same illogical thing with DNS zones, whereby the zone name for a domain was servername.example.com instead of example.com this at least they have stopped doing.

  • I cant edit an CS4 file open in CS6. Colours, Most of the tools are in-active

    I cant edit an CS4 file open in CS6. Colours, Most of the tools are in-activeC

    once is enough to ask. Editing problemCS6

Maybe you are looking for

  • Automated report email notification using SCCM 2012

    For SCCM mail notification using Office365 exchange. Is smtp rely required.. Please suggest and provide link 

  • How do I add a search field to "Find on this page?"

    Hi, I have a topic that contains 2 frames. The first frame (frame 1) is a topic that I want to add a search field to. The second frame (frame 2) displays external content (a directory listing of files). I'd like users to be able to enter all or part

  • IPhone 5

    Hello. I have a problem with activation my iPhone 5. I have bought the iPhone one month ago and update iOS 8.1.3 yesterday. After update iPhone has an activation screen and asks previous owner's Apple ID and Password. I don't know Apple ID and Passwo

  • Packet writing on Mac

    I have finally figured out how to use packet writing on Mac OS X. This information had to be shared. The software needed for writing to a DVD like a floppy disk is already in Mac OS 10.6. I think the main problem is trying to format a DVD in the UDF

  • Deleted iPhoto events download to iPhone

    I sync my photos on my iPad and iPhone through iTunes.  I select to sync the last 20 events but I have old events from iPhoto showing up in iTunes that I cannot delete.  These are random photos that I do not have an event for in iPhoto, they are grou