Adding Client to open Directory

I am trying to add a client machine to Open Directory but it will not bind. It gives me an error:
Unable to add server
An unexpected error of type -14142 (eDDSchemaError) occurred.
When I try to add the machine it will say the machine is already in OD, but when I look in OD it is not there. It will not let me overwrite the machine in OD either.
Thanks

Is this machine a clone of another machine? My guess is you did not reset the local KDC. This will cause the issue you are describing. You need to do the following on all cloned machines as they will all contain the unique identity of the original master's LKDC. The machine that is the master does not need to be altered.
1: Open Keychain Access.
2: Select the System keychain.
3: Find the three entries labeled com.apple.kerberos.kdc and delete them from the System keychain.
4: Open Terminal
5: Run this command to destroy the local Kerberos DB (you will need to authenticate as initial admin):
sudo rm -R /var/db/krb5kdc
6: Run this command to rebuild a unique LKDC for this machine:
sudo /usr/libexec/configureLocalKDC
7: Repeat this on all cloned machines.
Once complete, you can re-run Directory Utility and perform your bind. You will now be creating a machine record with a unique LKDC value in OD.
PS: You can do these steps 1 through 5 pre-cloning to avoid the issue. Then once cloned, run step 7 as a post-cloning step.
Hope this helps.
Message was edited by: Strontium90 - added the PS
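A small POSIX shell helper, added here as an example and not part of Strontium90's answer, that spots imaged machines still sharing one LKDC realm before you bind them, and wraps steps 3, 5 and 6 for the machine it runs on. It assumes that "dscl /Local/Default -read /Config/KerberosKDC RealName" reports the realm as "RealName: LKDC:SHA1.<hex>", that "security delete-identity" removes the com.apple.kerberos.kdc items from the System keychain, and that the host/realm lines below are constructed sample data.

```shell
#!/bin/sh
# Added example: detect cloned LKDC identities before binding, and reset the
# LKDC on this machine following the steps in the answer above.
set -eu

# Print this machine's LKDC realm (macOS only; prints nothing elsewhere).
# Assumption: dscl reports the realm as "RealName: LKDC:SHA1.<hex>".
local_lkdc_realm() {
    command -v dscl >/dev/null 2>&1 || return 0
    dscl /Local/Default -read /Config/KerberosKDC RealName 2>/dev/null |
        awk '/^RealName:/ { print $2 }'
}

# Read lines "hostname realm" (collected from several machines, e.g. by
# running local_lkdc_realm over ssh) and print "realm host1 host2 ..." for
# every realm seen on more than one host. Those hosts are clones sharing the
# master's LKDC identity and will collide on one OD computer record.
find_shared_realms() {
    sort -k2,2 -k1,1 | awk '
        { hosts[$2] = hosts[$2] " " $1; n[$2]++ }
        END { for (r in n) if (n[r] > 1) print r hosts[r] }' | sort
}

# Steps 3, 5 and 6 of the answer, for the machine this runs on. Needs root.
reset_local_kdc() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    # Step 3: remove the LKDC certificate and key pair from the System keychain
    # (assumption: delete-identity removes the com.apple.kerberos.kdc items).
    security delete-identity -c com.apple.kerberos.kdc \
        /Library/Keychains/System.keychain || true
    # Step 5: destroy the local Kerberos database.
    rm -R /var/db/krb5kdc
    # Step 6: rebuild a unique LKDC for this machine.
    /usr/libexec/configureLocalKDC
}

# Constructed sample: four lab machines imaged from one master; three of them
# still carry the master's realm and would fight over a single OD record.
SAMPLE_REALMS='lab-01 LKDC:SHA1.AAAA
lab-02 LKDC:SHA1.AAAA
lab-03 LKDC:SHA1.BBBB
lab-04 LKDC:SHA1.AAAA'

case "${1:-}" in
    demo)  printf '%s\n' "$SAMPLE_REALMS" | find_shared_realms ;;
    check) find_shared_realms ;;   # feed "host realm" lines on stdin
    realm) local_lkdc_realm ;;
    reset) reset_local_kdc ;;
    *) ;;                          # no argument: just define the functions
esac
```

Run "sh lkdc-check.sh demo" to see the clone report, or pipe your own collected "host realm" lines into "check"; a clean fleet prints nothing.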

Similar Messages

  • Scripts for adding/deleting/modifying Open Directory accounts?

    I think I have searched high and low for an answer to this question, but if I missed it please point me in the right direction. Where can I find information on scripts for adding/deleting/modifying open directory accounts? At the very least, a command line utility with some syntax guidelines! Any help would be greatly appreciated.

    Hi
    I personally don't know of any scripts, although you can use the command line to do pretty much anything you want with Open Directory. Consult the manual: man dscl. If you launch Terminal and issue dscl you should see something like this:
    my-Laptop:~ me$ dscl
    dscl (v20.4)
    usage: dscl [options] [<datasource> [<command>]]
    datasource:
    localhost (default) or
    <hostname> (requires DS proxy support, >= DS-158) or
    <nodename> (Directory Service style node name) or
    <domainname> (NetInfo style domain name)
    options:
    -u <user> authenticate as user (required when using DS Proxy)
    -P <password> authentication password
    -p prompt for password
    -raw don't strip off prefix from DS constants
    -url print record attribute values in URL-style encoding
    -q quiet - no interactive prompt
    commands:
    -read <path> [<key>...]
    -create <record path> [<key> [<val>...]]
    -delete <path> [<key> [<val>...]]
    -list <path> [<key>]
    -append <record path> <key> <val>...
    -merge <record path> <key> <val>...
    -change <record path> <key> <old value> <new value>
    -changei <record path> <key> <value index> <new value>
    -search <path> <key> <val>
    -auth [<user> [<password>]]
    -authonly [<user> [<password>]]
    -passwd <user path> [<new password> | <old password> <new password>]
    Entering interactive mode...
    The above is for 10.4 and should serve equally well for 10.5.
    Hope this helps, Tony

  • How do you bind Vista / XP clients to Open Directory?

    I have an OSX Server OD Master set up in 10.5.6.
    My OSX Clients can bind to it just fine using Directory Utility.
    How do you bind Vista / XP clients to Open Directory masters?
    Thanks

    @ jakelh:
    Make sure Kerberos is working on your server. Without it, PC logins will probably fail at least for Vista clients. Otherwise you'd have to downgrade a client-side setting on the Vista clients,
    http://www.builderau.com.au/blogs/codemonkeybusiness/viewblogpost.htm?p=33927074 6
    DNS is critical here, but Vista can have a problem with things that are correctly configured.
    IE: Vista defaults to a TCP/IP setting that can make it incompatible with existing network hardware
    http://www.tech-recipes.com/rx/1744/vistatcp_cannot_communicate_primary_dnsserve

  • Authenticate windows users accessing os x client using open directory?

    I need to setup an OS X client machine (10.4.6) so that windows users (XP) can access folders based on their open directory credentials. (Using OS X server, open directory, windows PDC). If I turn on windows sharing in system preferences on the mac, it will only share local home folders to users with local accounts - not what I need. Any ideas? thanks.

    Thanks!  So now I see Open Directory, but it seems like it should be listed under the Server app with all the other services...
    Anyhow, I seem to remember a way to administer the users and groups.  This app shows me the status of the services, logs, settings.  The Server app, if I click on Add Users button, then click "connect to it" to supposedly connect to the directory server, it won't take my credentials.  I always get "Cannot authenticate to server.  Please authenticate by entering the name and password of a user account in this server's directory."
    Connect anonymously doesn't seem to do anything, it doesn't even dismiss the dialog.
    So what am I missing?

  • Binding imaged clients to Open Directory?

    We created 10.5.2 image that we are trying to bind to Open Directory.
    The first imaged client binds fine and adds itself to OD. However, additional clients won't bind. They claim that the computer account already exists.
    I assume this is caused by each imaged client having the same "key" somewhere that it is using to bind to OD. Is there a way to regenerate this "key" on our clients once they are imaged?

    The answer is to remove the local KDC on the 10.5 clients. 10.5 uses the LKDC for personal file sharing - not needed for networked clients.
    Run the following commands to kill LKDC before binding the machine to Open Directory:
    sudo dscl /Local/Default delete /Config/KerberosKDC
    sudo rm -rf /var/db/dslocal/nodes/Default/config/KerberosKDC.plist
    See: http://forums.bombich.com/viewtopic.php?t=11834&highlight=lkdc

  • 10.7.5 client shows open directory server not responding

    Hello,
    I am just starting to learn to use OS X Server. I have created an Open Directory Master and want to connect my various Macs around the home to it. My iMac is currently running 10.7.5 client and I have tried to add the server as a Network Account Server (re: below), but it shows it is not responding.
    As I am a real novice, have I missed something and how do I get this to work?
    Thanks,
    Nick

    You are likely having issues because you are not using DNS correctly.  The name "CowShed.local" is a bonjour name.  In order to properly use Open Directory you need DNS set up internally.  The reason is that the Kerberos component of Open Directory is very dependent on DNS.
    Generally, I would discourage the use of bogus top level domain.  However, since you say this is for home use, you can likely get away with the use of one (mac.leedern.int, mac.leederm.private, etc).  However, if you do, then you will not be able to use hosted services (mail, calendar, contacts, etc) transparently between the home and external networks (names will not route).
    If you own a domain name, you can use it internally and set up your DNS on the server. Then distribute the server's LAN IP address to all clients as the first DNS server. This way, all your client devices can resolve the server's host name while on the LAN.
    Your journey starts at DNS.
    R-
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

  • Netboot, diskless clients, and Open Directory users?

    Hi, I've been reading through the System Image pdf & maybe it's me but a couple of things aren't clear.
    I want to set up diskless clients and allow users to log on to their network home folder using their OD login. Is this possible and where would be a good place to start with instructions on setup?
    thanks, Patrick

    Ok, I got it.
    But what if I want the OD user to have some configuration data on the local client?
    Let me explain that a bit better. The configuration I would like for my network and users is as follows: the server works only as an authentication server; I do not want roaming profiles or home directories on the server; I just want the server to authenticate users when they log in to several client machines on the LAN.
    For document sharing, in fact, I much rather prefer using Dropbox, which allows my users to share on a WAN-instead-of-LAN basis.
    But a local home directory is needed for OD users to keep libraries, preferences files and so on.
    Back in the old Windows server (PDC) days, I used the server as a name server for authentication only, and still the client created a local profile for the user of the server.
    Does OD work this way too or am I missing something?
    Thank you.

  • "Send to Color" Not Working in managed clients with Open Directory

    Hello,
    Previously, I tried to do this from a local user: with a finished sequence, I initiated the "Send to Color" command from the pop-up menu, named the project, graded the footage and output the results.
    However, when I log in with a network managed client and click "Send to Color", the dialog box comes up to name the Color project, which I do, but then when I click past that, nothing happens. Color does not open, nothing seems to be exported or "sent". Any ideas?

    Same issue here. Trashed prefs, no effect

  • HT200182 Authentication Error when trying to bind client to Open Directory

    I know the diradmin password, and I've even tried resetting the password just in case and still no luck in getting the client to bind to the server. It keeps telling me authentication error - invalid username or password. I'm 100% sure the admin username is diradmin (default) and I'm 100% sure on the password. Caps Lock is not on, I've tried everything. At this point I'm thinking I found a bug. Any ideas?

    Logs?

  • Open Directory connection for Client inconsistent

    Hi,
    Been working setting up several labs during the summer and have come across a new problem. When joining the computers to Open Directory the computers connect to the Replica and are added to the Open Directory list. However, at the login screen the signal for the status of the directory connection keeps changing from Green to Yellow and never activates my preferences for the computer.
    Anybody run into this before or have seen a solution to this?  Have tried to connect to other replicas as well as the master and have run into the same issue.
    Thanks!

  • How to bind (if possible) Windows 8 clients to OSX Open Directory 10.8?

    I read several articles that say I have to go through the magic triangle (bind the Open Directory to an Active Directory), but almost all of the articles are from 2012 and earlier.
    Is this possible now?
    Thank you.

    Hi mbellido,
    Are you trying to bind a Windows 8 client to Open Directory (OS X 10.8)?
    Thanks
    Dan

  • Use Open Directory for intranet web access

    Is it possible to tap in to Open Directory user information from other services than those built into the server? And that way use the Open Directory authentication for our own home-made service?
    We plan to set up an intranet on our OS X 10.6 server. We're still not sure whether to use one of the popular Open Source cms/portal platforms such as Drupal or maybe even WordPress.
    1. I would like to use the user accounts in our Open Directory to authenticate to the intranet. Is that possible in any way?
    2. Or does anyone know of a way to modify e.g. the built-in blog function and integrate that with another system such as Drupal or WordPress?
    I'm guessing there are blocks of code in the blog that handle user authentication. And if I keep them where they are on the server and include them in other Drupal files, it may be possible? Is the built-in blog built on an open source system like some of the other services on Mac OS X Server? A system I can read about anywhere?
    Note: The built-in blog or wiki service does not match our needs for an intranet. We need to customize it a lot to make it suit our needs.
    3. Plan B could be to export our 100 users and passwords from Open Directory and import them in the intranet system. But as far as I know it's impossible to export the passwords. Right?
    New users would then have to be added to both Open Directory and the separate intranet system in the future. That would be okay for working but not a perfect Plan B.

    ryanowich wrote:
    Is it possible to tap in to Open Directory user information from other services than those built into the server?
    Yes.
    And that way use the Open Directory authentication for our own home-made service?
    Sure. I have HP OpenVMS systems that are authenticating to Mac OS X Server boxes. LDAP has a callable interface for applications written in most any active programming language, and many packages already have LDAP support.
    We plan to set up an intranet on our OS X 10.6 server. We're still not sure whether to use one of the popular Open Source cms/portal platforms such as Drupal or maybe even WordPress.
    You need to narrow your requirements and your ideas somewhat, and work toward a list of features.
    I have some discussions posted of what I went through when I ended up picking Drupal.
    1. I would like to use the user accounts in our Open Directory to authenticate to the intranet. Is that possible in any way?
    Network servers (Apache, DHCP, etc) can authenticate to LDAP, but (once granted access via DHCP and RADIUS, or analogous) clients don't usually further authenticate.
    Within Drupal, the Drupal (http://drupal.org) module ldapauth (http://drupal.org/node/118092) would be worth a test. That's an available connection into LDAP. (Haven't prototyped that module, though.)
    2. Or does anyone know of a way to modify e.g. the built-in blog function and integrate that with another system such as Drupal or WordPress?
    You're apparently not familiar with Drupal. You might want to learn more about it, and particularly its extensibility. Drupal can be connected to some refrigerators, if you were inclined to do so.
    I'm guessing there are blocks of code in the blog that handle user authentication. And if I keep them where they are on the server and include them in other Drupal files, it may be possible? Is the built-in blog built on an open source system like some of the other services on Mac OS X Server? A system I can read about anywhere?
    Including random blocks of code isn't a strategy for success. Understanding the basics of how the pieces fit together tends to be a better strategy. For Drupal, there's always the Drupal documentation (http://drupal.org/documentation), or the available books on the CMS. Or you can call in somebody that's done this stuff.
    Note: The built-in blog or wiki service does not match our needs for an intranet. We need to customize it a lot to make it suit our needs.
    The built-in services are limited, yes. I've been running Drupal on Mac OS X Server for years now.
    3. Plan B could be to export our 100 users and passwords from Open Directory and import them in the intranet system. But as far as I know it's impossible to export the passwords. Right?
    I would sincerely hope you don't get the passwords out of your authentication system. That would be bad. Cleartext passwords are bad news. You don't want that ability.
    New users would then have to be added to both Open Directory and the separate intranet system in the future. That would be okay for working but not a perfect Plan B.
    That would be a hassle.
    And I've tested with Wordpress on Mac OS X Server, but haven't deployed it in production. I'll leave discussions of its features and capabilities to others. That written, you might try the Wordpress web site (http://Wordpress.org), as I'd expect there would be discussions of LDAP there.
    I'd suggest determining your requirements, otherwise you're going to flail around given the number of options and alternatives here. If you have your requirements, then you have a framework to pick your tools. Here is what I looked at when I picked Drupal: http://labs.hoffmanlabs.com/node/100

  • Directory Utility won't connect to Open Directory Server on Xserv 10.5.1

    I am trying to set up the iCal service on the Xserve. I have the server set up as the OD master; when I went into the Directory Utility app it would not locate the server until I changed the search policy to custom, which included LDAPv3. Once I did that the server popped up in the Directory Utility list, but it says "server is not responding".
    Any one else having this issue or know what might be the solution?

    Have you tried adding the server to the client using 'servername.local' instead of its DNS name? I have had flaky problems adding clients to the directory server using the DNS name and found using 'servername.local' to be much more reliable.

  • Open directory server crashing every 30 days / clients unable to connect to calendar, contacts server

    Hello everyone,
    I am running an up to date Mavericks Server which serves exclusively as a calendar and contacts server for about two dozen devices. The server is reachable via DynDNS; however, the public IP hardly ever changes (only once or twice a year maybe). Tried setting the OS X DNS Server to serve "all clients" and "some clients".
    For about 6 months (i.e. also under Mountain Lion), I am having a very strange problem. Roughly every 20-30 days, clients will not be able to connect to the server, instead getting a "wrong password" dialog. Restarting the open directory server will help for the next 30 days.
    I have tried repairing the database as detailed here, however, the issue persists.
    Any help would be highly appreciated!
    I would have tried setting up a clean server installation, migrating calendars/contacts manually and re-adding all users by hand, however, I am not aware of an easy way to do so. The terminal command for calendar backup is broken under mavericks (might work with this workaround) and re-adding users manually would apparently involve correcting user UUIDs afterwards in order to match the migrated calendar data. Do you know of a better approach?
    Thanks a lot!
    DPSG-Scout

    Hi Linc,
    This looks the most relevant to me:
    opendirectory.log
    2014-03-11 11:13:09.460675 CET - 333.2628758.2628759 - Client: Python, UID: 93, EUID: 93, GID: 93, EGID: 93
    2014-03-11 11:13:09.460675 CET - 333.2628758.2628759, Node: /Local/Default, Module: PlistFile - predicates with 'AND' are not supported
    2014-03-11 12:09:00.296514 CET - State information (some requests have been active for extended period):
              Sessions: {
                  28 -- opendirectoryd:
                              Session ID: 7BFBA6FE-A968-4399-A129-E3A5945E2A81
                              Refs: singleton
                              Type: Default
                              Target: localhost
              Nodes: {
                  43 -- authd:
                              Node ID: 6D0E236D-6DBD-4E8C-BC01-B3F50C2C2D8E
                              Nodename: /LDAPv3/127.0.0.1
                              Session ID: <Default>
                              Refs: 1
                              Internal Use: X
    and many more similar ones…
    Thanks for your effort!

  • Open Directory or LDAP Problem with 10.5 Client and 10.4 Server

    Yesterday, the client-server setup we've been using successfully FOR YEARS decided not to work on a v10.5.8 MacBook Pro client. Did not do anything to the v10.5 client recently (other than to boot it up). Not sure if any software was updated on the server recently (where do I check for this?). Curiously, a v10.4.11 client running on a Mac Pro (tower) continues to work fine/as though nothing's changed. It appears as though the only difference is v10.4 client (working) vs. v10.5 client (not working).
    Here is what IS working:
    1) Network Home Directories on dedicated drive partition of Mac running OS X Server v10.4.11. AFP, DNS, and Open Directory are all up and running (normally, I think) as shown in Server Admin application.
    2) Mac Pro (tower) client running v10.4.11 binds to and authenticates at v10.4.11 server. Any valid user can access their home directory on the server seamlessly when logging in at this v10.4.11 client Mac.
    3) That same v10.4.11 client Mac also contains a LOCAL admin user with its home directory on the local hard drive. That LOCAL admin account is used to update software on a per machine basis (and preclude users from adding unauthorized software, needing to use a specific machine, etc.).
    Here is what IS NOT working:
    4) On a MacBook Pro client running v10.5.8, the LOCAL admin account loses access to the partition containing its local home directory. The drive partition literally disappears. The only "solution" I've been able to find (and it's not truly a solution) is to turn off the Open Directory/LDAP binding (using the Directory Utility application). With binding turned off, the LOCAL admin user has no problem accessing their home directory on the local hard drive partition. Turn binding on again (using Directory Utility application), and the LOCAL admin user can no longer see its local home directory.
    Again, binding is necessary to allow regular users to use the v10.5 MacBook Pro with Network Home Directories (as in items 1-3 above). Binding should be turned on for this reason. However, with binding on, the LOCAL admin user cannot manage the computer because the local partition containing the admin home directory disappears/is inaccessible. Turn binding off, and the partition containing the admin home directory reappears.
    Perhaps there's something in the server logs that will help. I don't really know how to read these, so if your help involves the logs, please refer to them explicitly (e.g., "in Server Admin, go to Open Directory->Logs->LDAP log" or similar).
    Any help greatly appreciated.

    Nope. Never used sso_util.
    I try to use Apple's GUI server management tools unless absolutely necessary/at the end of my rope (i.e., last step before re-install etc.). I figure there's just too many things going on under the hood: using the command line may fix one setting, but not re-configure the two or three others that Apple NEEDS in order to have the whole thing working in harmony. Unless you really know what's going on with all the configuration files, it's best to let the GUI manage the settings.
    In my particular circumstance, I've now got ALL Leopard clients, one Leopard v10.5 server, and one Tiger v10.4 server. Everything is working fine now, but it was not a simple matter getting the Tiger v10.4 server re-integrated into the otherwise ALL Leopard environment. OD/Kerberos is on the Leopard v10.5 server. Home directories are still on the Tiger v10.4 server.
    Two keys to getting THIS/MY set-up working:
    1) Tiger v10.4 server needs to have Open Directory set to "Connected to a Directory System" and has to be joined to the Kerberos realm that was set-up on the Leopard v10.5 server (use Server Admin to do all of this).
    2) Sharepoint on Tiger v10.4 server has to have SOME, but NOT ALL, checkboxes for guest access enabled/checked. See:
    http://discussions.apple.com/message.jspa?messageID=10903468#10903468
    Number 2 immediately above is contrary to what Apple manual for User Management reads, but this is what worked for me/my set up, after pulling my hair out following the manual's instructions to the letter and not getting the thing to work!
