Binding eDirectory to Xserve?

Similar Messages

• Change binding port of Xserver rather than 6000

  Hi Sysop,
  Can we change the binding port of Xserver rather than port number 6000 ?
  And how we can make it done ?
  Thanks.

  Hi
  The configuration files for the Xserver on your host should be in
  /etc/dt/config/Xconfig
  /etc/dt/config/Xservers
  If these files have never been customised or don't exist you can copy the default versions of
  these files from
  /usr/dt/config/Xconfig
  /usr/dt/config/Xservers
  to /etc/dt/confi, you can then edit them.
  From your post it's unclear what you are trying to do, however the 2 config files above have
  quite a bit of useful information in them about the various settings for the Xserver.
  regards

• System freezes / crashes once a week

  Hi, I'm having a problem with one of my Xserves where it crashes once at least once a week, always on off hours but never at the same time twice. There doesn't seem to be any consistency as far as errors in the error logs. Here are snippets of the logs leading up to the last two crashes:
  4/16/09 12:09:33 AM /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[716 30] FileSyncAgent (uid=1033, pid=71630) sending greeting: 'com.apple.FileSync-1.0.5 FileSyncAgent-277.18 r? OKAY pid=71630'
  4/16/09 12:09:33 AM /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[716 30] FileSyncAgent (uid=1033, pid=71630) received client greeting: 'clientVersion com.apple.FileSync-1.0.5 FileSyncAgent-277.18 r? pid=215 log=(null)'
  4/16/09 12:10:49 AM com.apple.RemoteDesktop.agent[291] SystemFlippers: didn't consume all data for vers ID 1 (pBase = 0x1765c0, p = 0x1765c8, pEnd = 0x1765c9)
  4/16/09 12:11:40 AM com.apple.RemoteDesktop.agent[291] SystemFlippers: didn't consume all data for vers ID 1 (pBase = 0x1f147c0, p = 0x1f14807, pEnd = 0x1f14808)
  4/16/09 12:11:42 AM com.apple.RemoteDesktop.agent[291] SystemFlippers: didn't consume all data for vers ID 1 (pBase = 0x1f12390, p = 0x1f123aa, pEnd = 0x1f123ab)
  4/16/09 12:19:15 AM /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[716 30] FileSyncAgent (uid=1033, pid=71630) finished
  4/16/09 12:19:15 AM com.apple.syslogd[28] syslogd(28,0xa0588720) malloc: * error for object 0x107ea0: Non-aligned pointer being freed (2)
  4/16/09 12:19:15 AM com.apple.syslogd[28] * set a breakpoint in mallocerrorbreak to debug
  4/20/09 3:44:49 AM mds[62] (Error) Server: Peer checkin failed -- no store for path '/Volumes/Users'
  4/20/09 3:44:49 AM com.apple.AppleFileServer[100] MDSChannelPeerCreate: (os/kern) invalid argument
  4/20/09 3:44:50 AM /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[372 14] FileSyncAgent (uid=1033, pid=37214) sending greeting: 'com.apple.FileSync-1.0.5 FileSyncAgent-277.18 r? OKAY pid=37214'
  4/20/09 3:44:50 AM /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[372 14] FileSyncAgent (uid=1033, pid=37214) received client greeting: 'clientVersion com.apple.FileSync-1.0.5 FileSyncAgent-277.18 r? pid=215 log=(null)'
  4/20/09 3:53:01 AM /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[372 14] FileSyncAgent (uid=1033, pid=37214) finished
  4/20/09 4:14:01 AM mds[62] (Error) Server: Peer checkin failed -- no store for path '/Volumes/Users'
  4/20/09 4:14:01 AM com.apple.AppleFileServer[100] MDSChannelPeerCreate: (os/kern) invalid argument
  4/20/09 4:14:02 AM /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[373 22] FileSyncAgent (uid=1032, pid=37322) sending greeting: 'com.apple.FileSync-1.0.5 FileSyncAgent-277.18 r? OKAY pid=37322'
  4/20/09 4:14:02 AM /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[373 22] FileSyncAgent (uid=1032, pid=37322) received client greeting: 'clientVersion com.apple.FileSync-1.0.5 FileSyncAgent-277.18 r? pid=28098 log=(null)'
  4/20/09 4:14:43 AM /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[373 22] FileSyncAgent (uid=1032, pid=37322) finished
  4/20/09 5:05:21 AM mds[62] (Error) Server: Peer checkin failed -- no store for path '/Volumes/Users'
  4/20/09 5:05:21 AM com.apple.AppleFileServer[100] MDSChannelPeerCreate: (os/kern) invalid argument
  4/20/09 5:05:22 AM /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[374 90] FileSyncAgent (uid=1031, pid=37490) sending greeting: 'com.apple.FileSync-1.0.5 FileSyncAgent-277.18 r? OKAY pid=37490'
  4/20/09 5:05:22 AM /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[374 90] FileSyncAgent (uid=1031, pid=37490) received client greeting: 'clientVersion com.apple.FileSync-1.0.5 FileSyncAgent-277.18 r? pid=164 log=(null)'
  4/20/09 5:05:41 AM /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[374 90] FileSyncAgent (uid=1031, pid=37490) finished
  Another weird thing is every once in a while, after a crash, there will be one OD user who cannot log in to their PHD from their workstation, but can log in at other workstations. I've been able to get these users logged in by unbinding the workstation, deleting /var/db/dslocal/nodes/Default/users/user.plist and then re-binding.
  The Xserve is a dual core Xeon with 5 GB of RAM and serves OD, Jabber, AFP, RADIUS, SMB, and VPN.
  I've tried repairing permissions and upgrading the OS from 10.5.5 to 10.5.6 to no avail. Since the logs never have the same error twice before a crash, I'm left with few ideas on where to go from here. Any input would be greatly appreciated.

  A little more info: crashes are happening more frequently now. Always in the middle of the night with no errors reported in the log.
  During a crash, services stop working, but the server will still return a ping. If I physically go to the machine, it looks normal until I move the mouse and get a spinning beach ball.
  The last log entry is always FileSyncAgent trying to sync a home directory (background sync) of someone who has forgotten to log out at night, but the log entries look normal.
  Since, on the surface, it would appear FileSyncAgent is the problem, perhaps I'll start a thread in the PHD forum. Are there any known issues with syncing portable home directories that would explain this behavior in Leopard server 10.5.6?

• Evaluating Xserve to replace Novell eDirectory / Groupwise

  Hello all,
  I just wanted to get a feel for the capabilities of OS X Server. I've recently installed a new Xserve and have it providing DNS / DHCP / NAT / Print / Open Directory and Windows services. Today, I was able to get a Windows machine to authenticate to this machine and set up a roaming profile / home directory (after much research!) We also use Linux clients, and will probably start adding OS X clients to the network as well.
  I am looking to replace our current Novell eDirectory file / print services with OS X Server, and coming from that, I was wondering a couple of things.
  First off, can OS X Server provide automatic drive mapping / mounts to Windows / Linux clients? Currently, when a user logs into our Novell server, they get all their drives mapped automatically as part of a login script. These drives are just shares on the Novell fileserver. I would like to replicate this action for our users with OS X Server. Is this possible?
  Secondly, users logging into Novell get all their printers set up when they connect to the server. They don't have to add them, they just show up. Is there a way to make OS X Server provide the same service to Windows clients?
  Finally, can you set up Open Directory users to only have access to certain printers / drives etc? I know you can set up shares and access lists and all this, but I want to be able to define that by group or by user. For example, I want user X who is a developer to get access only to developer shares and developer printers, so I would think I could set up a group with those privileges and just assign that user to the "group" and they automatically get it. Can this be done is OS X?
  Most of our users are on Windows, and basically I'd love to be able to get away from Novell (particularly license costs) and move to OS X Server, without having to teach 200 users how to add drive mapping and printers and such. I don't want to have to visit 200 workstations either, so I am hoping I can define all this on the server and make it happen per client as they log in. Apple touts OS X Server as a good replacement for Active Directory / Novell eDirectory services so I'm hoping that it lives up to my expectations.
  Anyone care to chime in? Thanks, I look forwarding to making this work!
  Joe Jenkins
  Network Engineer
  Davis Tool Inc
  Xserve   Mac OS X (10.4.10)  

  Hi
  First off, can OS X Server provide automatic drive
  mapping / mounts to Windows / Linux clients?
  Currently, when a user logs into our Novell server,
  they get all their drives mapped automatically as
  part of a login script. These drives are just shares
  on the Novell fileserver. I would like to replicate
  this action for our users with OS X Server. Is this
  possible?
  If you launch WorkGroup Manager and click on the Windows tab there are settings there that should help you achieve what you want in some way.
  Secondly, users logging into Novell get all their
  printers set up when they connect to the server. They
  don't have to add them, they just show up. Is there a
  way to make OS X Server provide the same service to
  Windows clients?
  You can apply managed preferences for users defined in the Open Directory Node can access in terms of printers and quotas etc. There are some good 3rd-Party add-ons that can augment what is available also.
  Finally, can you set up Open Directory users to only
  have access to certain printers / drives etc? I know
  you can set up shares and access lists and all this,
  but I want to be able to define that by group or by
  user. For example, I want user X who is a developer
  to get access only to developer shares and developer
  printers, so I would think I could set up a group
  with those privileges and just assign that user to
  the "group" and they automatically get it. Can this
  be done is OS X?
  See the previous answer.
  Bear in mind that if these are networked printers on the same IP address range and subnet as the clients then anyone who knows how to add a network printer using Printer Setup Utility and/or has access to the local client admin account could bypass this easily. You could really lock things down by either physically connecting the printers to the server usings its second NIC or if they are USB printers use a USB hub.
  If they are all the same printer type you could have a Pool of printers.
  For example two to three Epson R800 Printers could be the Epson Pool. Users would access these printers as if they were just one printer. When a client sends a print job the server will spool it to the first printer. If the first printer runs out of paper or ink it will spool to the second printer and so on. The same thing would apply if more than one user decides to print at the same time. First person to the queue would get the first printer and so on. You could have a series of Printer Pools defined for a particular group that only users from that group can use.
  Hope this helps – Tony

• Binding XServe to Windows 2003 doamin

  We just got our new XServe box today. My question is during setup, do I want to configure to host an Open Directory domain or join an existing domain? Or both. Kind of new to the Mac scene so any help is appreciated. Thanks.

  Since this is actually not an Xserve specific question you'll probably get more eyes on it in an OS X Server forum - there is one dedicated completely to Directory Services for 10.6: http://discussions.apple.com/forum.jspa?forumID=1353
  That being said if you want to bind to AD you should plan to do it from the start and do it early in the server set-up. The ideal way to do it is to configure the server in OD as "Stand Alone", bind to AD in the Directory Utility and then promote the OD status to "Master". The OS should take care of everything else for you.
  NOTES: If you already have an OD Master you can demote it to Stand Alone and then recreate this process but *it will destroy all OD records you've already created* so plan for that and back them up and reimport them. This is one big reason it is easiest to do this early on rather than later.
  Also you need good forward *and reverse* DNS services for OD/AD binding to work as planned.
  There are several other picky little things depending on how you're planning on using OD/AD services so do your homework and test early and often.
  My $.02,
  =Tod

• Binding Panther Client To Intel Xserve

  Is it possible to bind a iBook G4 running panther to a Intel Xserve running Tiger?
  And if so then what is the process?
    Mac OS X (10.4.8)  

  'Bind' in what way?
  The term means different things to different people.
  If you mean for directory services, then the answer is yes - use /Applications/Utilities/Directory Access on the iBook to link the client with the Open Directory server using LDAP. You'll need to know the directory administrator's password to complete the task.

• Using Xserve w/ XRAID, Binding to AD for Windows Filesharing. Issues.

  Hi all, first time post im hoping that you guys can lead me in the right direction with the issue that im having. Seems like I have tried everything.
  I installed an Xserver with a backend Xraid. My goal is to use the Server as a Windows file sharing passthrough for the storage on the Xraid. So I went ahead and bound the xsrv to AD, everything went fine. At that point Directory services asked me to go into server admin and click the "Join Kerberos" button. I went there and did that no errors. I went into workgroup manager, and I am authenticating to AD since i see AD groups and users etc. I create a share..,I then try to connect to the share, or even just browes the machine with smb. For example: (on windows) START->RUN->\\xsrv\ <ENTER>
  At this point I am challanged for a username and password. so it seems that AD integration is not working. I have looked over the logs, and I know the issue is with Kerberos....i see this:
  [2006/12/17 09:28:58, 1]
  /SourceCache/samba/samba-100.5/samba/source/smbd/sesssetup.c:replyspnegokerberos(184)
  Failed to verify incoming ticket!
  If i look into my Kerberos application i see that i DO NOT have a ticket either. Im almost sure this is the root cause of the issues..
  Here is another odd thing, I can't tell you how many times I have joined and unjoined the AD domain. Here is the odd thing, after the first time joining, I no longer have the "Join Kerberos" button in the server admin. Its just not there.
  Anyone that can help it would be much appricated.
  Xserver Xeon   Mac OS X (10.4.8)  

  What services was running on this machine prior to binding it to AD?
  If you have OD (master) setup you probably will get kerberos/LDAP problems.
  The server has it's IP/name setup in DNS (A and reverse PTR records - in AD DNS machine - does not always have reverse zone configured if smaller network)?
  What does /Library/Preferences/edu.mit.kerberos look like?
  changeip - checkhostname gives?
  I belive Tiger OS X Server automatically adds spnego=yes and security=ads to /etc/smb.conf when you bind to AD, older versions (Panther) does not.

• Binding Apple Xserver with XSAN 3 to AD

  Have anyone had any issue binding Apple Server 10.8.5 running Xsan 3 to Active Directory?

  We try to bind to an MS Exchange 2013 server and yes OD is setup.
  Thanks

• Any Issues with Binding/Home Directories SnowLeopard Client to Tiger Xserve

  Does anyone know if I can bind a Snow Leopard client to a Tiger Server?
  Can I sync Home Directories of a Snow Leopard client to a Tiger Server?
  Are there any major issues with Snow Leopard clients and Tiger Servers?
  Thanks in advance.

  Hi Ron Yochum;
  You might have more luck if you ask over in the Server Froum instead of here.
  Allan

• SharePoint 2010 with LDAP authentication, using NOVELL eDirectory

  One of my customers needs a SharePoint application that allows people to authenticate with either an Active Directory account (internal staff) or a Novell eDirectory account (external customers).
  Using the following article as a base guide (http://blogs.technet.com/b/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx)
  I configured a claims-based test application that had Windows authentication enabled and Forms based authentication (FBA) enabled (this is on a Windows 2008 server and not a domain controller)
  In the Membership provider name text box I entered "LdapMember"
  In the Role provider name  text box I entered "LdapRole"
  In the web.config for the SharePoint Central Admin, I modified/added the following details right before </system.web>
  <membership>
  <providers>
  <add name="LdapMember"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
  <providers>
  <add name="LdapRole"
  type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="sAMAccountName"
  dnAttribute="distinguishedName"
  groupFilter="((ObjectClass=group)"
  userFilter="((ObjectClass=person)"
  scope="Subtree" />
  </providers>
  </roleManager>
  I modified the SecurityTokenServiceApplication web.config with these details
  <system.web>
  <membership>
  <providers>
  <add name="LdapMemebr"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager enabled="true">
  <providers>
  <add name="LdapRole"
  type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="sAMAccountName"
  dnAttribute="distinguishedName"
  groupFilter="(&amp;(ObjectClass=group))"
  userFilter="(&amp;(ObjectClass=person))"
  scope="Subtree" />
  </providers>
  </roleManager>
  </system.web>
  I modified the web.config of the test application I created with these details
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
  <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  groupContainer="OU=people,O=validobject"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="cn"
  dnAttribute="dn"
  groupFilter="(&amp;(ObjectClass=group))"
  userFilter="(&amp;(ObjectClass=person))"
  scope="Subtree" />
  </providers>
  </roleManager>
  <membership defaultProvider="i">
  <providers>
  <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword= "validpassword"
  useDNAttribute="true"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  With all of this configured, I can go to the new test site, I do see the form where I can choose either Windows authentication or Forms authentication. I can successfully login with Windows authentication, but forms authentication gives me me an error.
  The server could not sign you in. Make sure your user name and password are correct, and then try again.
  I can successfully login to a LDAP management tool, using the same credentials I entered on the form, so I know the username and password being submitted are correct. I get the following items in the event viewer
  8306 - SharePoint Foundation - The security token username and password could not be validated.
  in the SharePoint trace logs - Password check on 'testuser' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. and
  then this:
  Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
  at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
  I monitored the LDAP server and did a packet-trace on the communication happening between the SharePoint server and the LDAP server and it is a bit odd. It goes like this:
  The SharePoint server successfully connects to the LDAP server, binding the ldapserviceid+password
  The LDAP server tells the SharePoint server it is ready to communicate
  the SharePoint server sends an LDAP query to the LDAP server, asking if the name entered in the form authentication page can be found.
  The LDAP server does the query, successfully finds the entered name and sends a success message back to SharePoint
  The LDAP server sends notification that it is done and is closing the connection that was bound to theldapserviceid+password
  The SharePoint server acknowledges the connection is closing
  ... and then nothing happens, except the error on SharePoint
  What I understand is that the SharePoint server, once it gets confirmation that the submitted username exists in LDAP, should attempt to make a new LDAP connection, bound to the username and password submitted in the form (rather than the LDAP service account
  specified in the web.config). That part does not seem to be happening.
  I am at a standstill on this and any help would be greatly appreciated.

  OK, our problem was resolved by removing any information about the ASP.NET role manager. Initially, we had information about a role manager defined in three different web.config files, as well as in the SharePoint Central Administration site, where there
  is the checkbox to Enable Forms Based Authentication (you see this when you first create the new SharePoint app, or afterwards by modifying the Authentication Provider for the app.) In either case, you will see two text boxes, underneath the checkbox item
  for enabling Forms Based Authentication:
  "ASP.NET Membership provider name"
  "ASP.NET Role manager name"
  We entered a name for Membership provider, and left Role manager blank.
  In the web.config for the SharePoint Central Administration site, the SecurityTokenServiceApplication app, and the web app we created with FBA enabled, we entered the following:
  <membership>
  <providers>
  <add name="LdapMember"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="ldap.server.address"
  port="389"
  useSSL="false"
  connectionUsername="cn=ldapserviceid,ou=sharepoint,ou=test,ou=location,o=validobject"
  connectionPassword="validpassword"
  useDNAttribute="false"
  userDNAttribute="dn"
  userNameAttribute="cn"
  userContainer="OU=people,O=validobject"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
  </membership>
  <roleManager>
  <providers>
  </providers>
  </roleManager>
  useDNAttribute="false" turned out to be important as well.
  So, for us to get LDAP authentication working between SharePoint 2010 and Novel eDirectory, we had to:
  leave anything related to the role provider blank
  configure the web.config in three different applications, with the proper connection information to reach our Novel eDir
  Ensure that useDNAttribute="false" was used in all three on the modified web.config files.
  Since our eDir is flat and used pretty much exclusively for external users, we had never done any sort of advanced role management configuration in eDir. So, by having role manager details in the web.config files, SharePoint was waiting for information from
  a non-existent role manager.

• Binding to Active Directory Problem. I am a Newb! probably something stupid

  Hey All,
  Trying to get my apple xsever to join our windows domain. I got it to bind and the user accounts show up on the machine but then it askes me to join it to the Active Directory Kerberos realm. I am confused.
  what i am trying to do is joint it to the windows domain for my admin account on the actual server and then set up local user accounts on the machine so when my mac users log in they authenticate using the local mac account and not the windows domain account. Does this make sense? From what i read macs authenticate using the local account before going to the windows account which is what i want. I am a total newb to this so forgive me for the stupid questions.
  cheers all,
  jess

  Hi
  set up the xserve as an Open directory Master
  will it place nice on the network
  with the rest of the windows servers that we have.
  There should be no problem in doing this. All you need to do is decide whether you want your Mac Server to run its own DNS Service or to use the existing DNS service being provided by the AD Server. Open Directory Master requires DNS Services running somewhere.
  i just want to have a mac studio of about 35 people be
  kind of an island within a sea of windows users. If
  there can be cross over there then fine.. but really
  i want the mac to work well with the apple server and
  if i can get the windows clients hooked up also then
  fine.
  There should be no problem with this.
  When you say studio do you mean a graphics design studio? Or are you talking about a video production studio? If the answer is yes to either one or both then perhaps a simple file server would do. An Open Directory Master is OK in this environment but your network needs to be up to job. Ideally gigabit ethernet certainly for video production and also if your studio are heavy photoshop users. You could get away with 100Base-T but with 35 heavy users editing files stored on the server as well as Home folders it may be a bit too much. If this is the situation in your studio you would be better placed working locally and saving the files back to the server at the end of the day. You would set up your users with names and passwords in the OD directory node. Your studio can use those account details to log on to the server to access share points but still work locally if they need to. If you start windows services on the mac server then there should be no reason for windows clients to access share points on the mac server as well. Be careful how you configure windows services as you already have existing PC servers on the network.
  As you have already stated your aim is to keep the macs completely separate from the PCs then consider connecting all your macs to a separate switch and have them running of a different IP address range and subnet mask. You could then use an intervening router to handle traffic between the two networks, this way you control cross platform access to shared resources. If you understand networks, routers etc then you should be able to accomplish this without too much trouble. Again searching the Server forums should give you plenty of ideas and advice on the best way to achieve what you want. As ever defining and deciding what you want you want the server to do is half the problem.

• Binding Snow Leopard Clients to 10.5.8 server

  We have just purchased three new iMacs to add into our current network. We are using Network Home Directories hosted on an Intel Xserve running 10.5.8 server. The iMacs are all loaded with Snow Leopard (10.6.1).
  I cannot bind the computers to the server to allow login using network accounts. I attempt this via System Preferences-> Accounts -> Login Options -> Join Network Account Server.
  The error message is "Authentication failed. Please check the name and password and try again."
  I have attempted to add the computer using both the first authentication window (when clicking Join), and the Open Directory Utility.
  I can add computers using 10.5.8 client. I was also able to install Snow Leopard (10.6) as an upgrade to one of the 10.5.8 machines and maintain the network login functionality.
  Thanks for any help or advice.

  I am not sure I am doing what you suggest correctly.
  From the directory utility i was able to pull down the File menu
  and connect to the xserve using the diradmin account. This caused
  a new path to appear in the search policy tab.
  However, i still cannot bind to the server and still get the
  authentication error when I try.
  After rereading your post, I realized that you had added the path
  a different way. So I deleted the one I had added via File -->
  Connect and just went to the Search Policy tab and added a custom
  path the way you said. Same results in the end. I could not bind.
  I may just install 10.5 on these computers and be done with it.
  My method was a little different. In Directory Utility, I went
  to Advanced Settings, hit the '+' and added the open directory
  server. Then I went to the Services tab, selected LDAPv3, and
  hit the little pencil to edit. Then I selected the open
  directory server, hit Edit, and tried to bind, but it wouldn't
  work at first. Back in the Directory Servers tab, I noticed that
  the little status light was grey instead of green. Then I went
  to the Search Policy tab and noticed that the open directory
  server wasn't in the path, so I went to Custom Path and manually
  added it. After that, I was able to bind and the little status
  light went green.
  However, in this process I also did some other messing around on
  the command line. After the first time I tried to bind and
  couldn't, I quit the Directory Utility and opened a Terminal
  window. As root, I wiped out the /private/etc/krb5.keytab file
  and the contents of the /private/var/db/krb5kdc directory, and
  then rebooted. That is:
  cd /private/etc
  sudo mv krb5.keytab krb5.keytab.orig
  cd /private/var/db/krb5kdc
  sudo rm -rf *
  (Be careful with the last command!)

• Mac OS X 10.5 Leopard and eDirectory

  Hello, all! I am trying to set up a Mac to authenticate against eDirectory running atop a Netware 6.5. So far, I have been successful in binding the Mac to eDirectory, and I am able to browse the directory as well as read object attributes without problem. However, I am not able to authenticate against the server for login. I have verified that usernames and passwords are correct, and am able to authenticate against the directory on windows clients, but authentication still fails on the Mac. Running DSTrace, I consistently see the following error: " BIO ctrl called with unknown cmd 7 ". If anyone has any ideas, please help! Thanks.

  Are you tracing with +LDAP, +AUTH and +NMAS on?
  > I have tried both authenticated bind and anonymous
  bind with the same result: I am able to read objects and their
  attributes in the directory, but unable to sign on as a user from the
  directory.
  I'm not sure what you mean by that last phrase. Having bound to eDir via
  LDAP, that's as logged on as LDAP gets. The DA in LDAP stands for
  Directory Access, and that's all it gets you - access to the directory,
  not the the server's other resources.
  If you are trying to authenticate to eDir to get access to the file
  system on NW you need to attach via CIFS or AFPTCP.
  Andrew C Taubman
  Novell Support Forums Volunteer SysOp
  http://support.novell.com/forums
  (Sorry, support is not provided via e-mail)
  Opinions expressed above are not
  necessarily those of Novell Inc.

• How do I get OS X Lion workstation to bind to OS X Leopard Server?

  I encounter insurmountable error when trying to get my new mac mini to bind to my network server.
  Mac Mini running Mac OS X 10.7.2
  XServer running Mac OS X Server 10.5.8
  On the mini, when in System Preferences > Users & Groups and clicking Join... I type in the IP of my Server.  It firstly returns the message, "This server does not provide a secure (SSL) connection.  Do you want to continue?".
  After I click Continue it prompts for Client Computer ID (which I leave as the default).
  For User Name and Password I enter the Directory Admin details.
  It then returns the error, "Unable to add server.  Your account on the server does not have privileges to overwrite the computer record <computername>.  Please inform the server administrator.
  Any help would be gratefully received.

  Hi Tony,
  Thank you for your tip.
  Using Server Admin > OD > Settings > Policies > Binding, I have ensured that the 'Enable authenticated directory binding' option in unchecked.  Still no luck.
  I then used Directory Utility to add the server to the search path etc.  In System Preferences > Accounts > Login Options on the mini it now shows the correct address for the Network Acccount Server and a green light.  However, when I then try to login using a network account it simply pauses for a minute, then returns to the login prompt.
  I shall continue to try...

• Binding WinXP Machines to SMB Domain on Mac OS X Server

  I've got an Xserve running OS X Server 10.5.6 acting as a Primary Domain Controller (PDC) in SMB using the domain name "DOMAIN". I have set up DNS on the Xserve as well with a primary zone for the domain "domain.lcl" and a machine entry for the server "server" with a reverse mapping to it's IP address 192.168.1.10.
  Open Directory is running as a Master and has users in it.
  I am trying to bind my Windows XP boxes to the domain so that they can use the logins/profiles from the Xserve. I go to Control Panel -> System -> Computer Name and click Change. I enter the domain as "DOMAIN" and the computer name as "winxp1".
  However, I end up getting an error message when I attempt the bind. Here's what I get:
  ~~~~~
  The domain name domain might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.
  If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.
  The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain domain:
  The error was: "DNS name does not exist."
  (error code 0x0000232B RCODENAMEERROR)
  The query was for the SRV record for ldap._tcp.dc.msdcs.domain
  Common causes of this error include the following:
  - The DNS SRV record is not registered in DNS.
  - One or more of the following zones do not include delegation to its child zone:
  domain
  . (the root zone)
  ~~~~~
  I added the appropriate SRV entry in DNS and I still get the same error.
  Any suggestions on how to make this work?
  OR
  Is there an alternative to using Open Directory user logins and roaming profiles on Windows machines other than this method?
  Thanks!

  Yeah, WINS server ended up being the solution. However, I believe WINS is being phased out in favor of DNS, especially in the world of Active Directories, so there must be a way to do this in DNS as well.