Directory Binding Script (Active and Open Directory) 10.7

Hi everyone
I'm reposting this in the right thread. I've written a Directory Binding Script for 10.6 and ported it now to 10.7 as among the things that have changed in the upgraded version is a refurbished directory binding enviroment.
The original thread can be found here: https://discussions.apple.com/thread/3090068. The script is applicable for clients as well and simplifies the binding process considerably.
Be aware that the reformatted script here contains some faulty line breaks. So you'll have to correct them in a proper text editor.
#!/bin/sh
#Uncomment the following line to abort the script on errors
#trap exit ERR
## Script to automate OD and AD Binding of Mac OS X 10.7 Servers
## Script written by Marc Horat, URZ Basel, 11.6.2010
## Updated: 12.08.2011
# With the use of the following sources as inspiration:
# http://www.howtomac.co.uk/?p=247
#Created by Ross Hamilton
#Clock restart / Remove existing settings
#Join to Open Directory and Active Directory
# Bombich's AD-Bind Script:
# This script binds to AD and configures advanced options of the AD plugin
# As this scripts contains a password, be sure to take appropriate security
# precautions
# A good way to run this script is to set it as a login hook on your master machine
# Because it only needs to be run once, the last thing this script does is to delete
# itself. If you have another login script that you typically run, include the
# script on your master machine, and indicate its path in the "newLoginScript"
# variable.
# If running this as a one-time login hook to bind to AD after imaging,
# be sure to enable auto-login (for any local user) before creating your master image
#################CONFIGURATION##########################
#OD
# These variables need to be configured for your env
odAdmin="YOURODADMIN" #enter your OD admin name between the quotes
odPassword="YOURODPW" # Enter your OD admin password between the quotes
oddomain="YOURODDOMAIN" # FQDN of your OD domain
computerGroup="YOURNEWODCOMPGROUP" # Add appropriate computer group you want machines to be added to, case sensitive
oldComputerGroup="YOUROLDODCOMPGROUP" # If the Computer is in a Group already
#AD
# Standard parameters
domain="YOURADDOMAIN"                              # fully qualified DNS name of Active Directory Domain
domainname="YOURADDOMAINNAME"                    #Name of the Domain as specified in the search paths
udn="YOURADADMIN"                              # username of a privileged network user
password="YOURADPW"                                                  # password of a privileged network user
ou="OU=YOUR,OU=OU,OU=URZ,OU=IN,DC=YOUR,DC=AD,DC=DOMAIN"                    # Distinguished name of container for the computer E.G. OU=Macs,OU=Computers,DC=AD,DC=DOMAIN,DC=CH
# Advanced options AD Plugin
alldomains="disable"                              # 'enable' or 'disable' automatic multi-domain authentication
localhome="disable"                              # 'enable' or 'disable' force home directory to local drive
protocol="smb"                                        # 'afp', 'smb' or 'nfs' (since 10.7) change how home is mounted from server
mobile="enable"                              # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="enable"                    # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable"                              # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash"                    # e.g., /bin/bash or "none"
preferred="-preferred $domain"          # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="$domainname\YOURADADMINGROUP" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\macadmins")
packetsign="allow"                              # allow | disable | require
packetencrypt="allow"                    # allow | disable | require
passinterval="14"                              # number of days
namespace="domain"                              # forest | domain
# Login hook setting -- specify the path to a login hook that you want to run instead of this script
newLoginHook=""                    # e.g., "/Library/Management/login.sh"
################################# End of configuration
############ Begin of Script
# Host-specific parameters
# computerid should be set dynamically, this value must be machine-specific
# This value may be restricted to 19 characters! The only error you'll receive upon entering
# an invalid computer id is to the effect of not having appropriate privileges to perform the requested operation
#computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'` # MAC Address
#computerid=`hostname | sed 's/.unibas.ch//'`
#computerid=`/usr/sbin/scutil --get LocalHostName | cut -c 1-19` # Assure that this will produce unique names!
#computerid=`/usr/sbin/scutil --get LocalHostName`
computerid=`scutil --get ComputerName`
adcomputerid=`echo "$computerid" | tr [:lower:] [:upper:]`
# These variables probably don't need to be changed
# Determing if any directory binding exists
nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
          check4ODtmp=`dscl localhost -list /LDAPv3 | grep -n 1 | sed 's/1://' | sed 's/2://'`
          check4OD=${check4ODtmp//[[:space:]]/}
          echo "Found LDAP: "$check4ODtmp
          check4ODaccttmp=`dscl /LDAPv3/"$check4OD" -read Computers/"$computerid" RealName | cut -c 11-`
          check4ODacct=${check4ODaccttmp//[[:space:]]/}
          echo "Found LDAP-Computer-Account: "$check4ODacct
else
          check4OD=""
          check4ODacct=""
          echo "No bound LDAP Server found"
fi
if [ $oldComputerGroup != "" ] && dscl localhost -list /LDAPv3 | grep . > /dev/null
then
          check4ODgroupMembershiptmp=`dscl /LDAPv3/"$check4OD" -read ComputerGroups/"$oldComputerGroup" | grep "$computerid"`
          check4ODgroupMembership=$check4ODgroupMembershiptmp
          echo "LDAP Group Membership in Group: "$oldComputerGroup
else
          check4ODgroupMembership=""
          echo "No LDAP Group Membership defined or not bound to a server"
fi
if dscl localhost -list "/Active Directory" | grep $domainname > /dev/null
then
          check4ADtmp=`dsconfigad -show | grep "Active Directory Domain" | sed 's/Active Directory Domain//' | sed 's/=//'`
          check4AD=${check4ADtmp//[[:space:]]/}
          echo "Found AD: "$check4AD
          check4ADaccttmp=`dsconfigad -show | grep "Computer Account" | sed 's/Computer Account//' | sed 's/=//'`
          check4ADacct=${check4ADaccttmp//[[:space:]]/}
          echo "Found AD-Account: "$check4ADacct
else
          check4AD=""
          check4ADacct=""
          echo "No AD-Account found"
fi
osversionlong=`sw_vers -productVersion`
osvers=${osversionlong:3:1}
#Time Sync
#Restart ntpdate
StartService ()
if [ "${TIMESYNC:=-YES-}" = "-YES-" ] && ! GetPID ntpd > /dev/null; then
          CheckForNetwork
if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
          touch /var/run/NetworkTime.StartupItem
          echo "Starting network time synchronization"
# Synchronize our clock to the network‚Äôs time,
# then fire off ntpd to keep the clock in sync.
          ntpdate -bvs
          ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
fi
echo ""
echo ""
sleep 5
#### Removing any existing directory bindings
#Clear OD Computer Account and delete entry from Computer group
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
          echo "This computer is bound to the following Open Directory Services:"
          dscl localhost -list /LDAPv3
          echo "With the Search Path entries:"
          dscl /Search -read / CSPSearchPath | grep /LDAP
          sleep 5
          if [ "${check4ODacct}" == "${computerid}" ]
          then
                    echo "This machine already has a computer account on $oddomain."
                    # Set the GUID
                    GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
                    echo "Found GUID: "$GUID
                    if [ "$oldComputerGroup" != "" ] && [ "$check4ODgroupMembership" != "" ]
                    then
                              echo "Removing entry from group $oldComputerGroup"
                              dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembership "${computerid}"
                              dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembers "${GUID}"
                              dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerLists/"$oldComputerGroup" Computers "${computerid}"
                    fi
                    echo "Removing Computer entry $computerid in OD"
                    dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /Computers/"${computerid}"
          fi
          #List existing Directories
          echo "Removing OD-Binding to "$check4OD
          dsconfigldap -r "$check4OD"
          echo "Removing Search Path entries"
          dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
          dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4OD"
          dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
          sleep 5
else
          echo "No LDAP or OD Binding present.";
fi
echo ""
# Check a second time in order to delete any remaining LDAP-Bindings
echo "Scanning for further LDAP servers"
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
          echo "Found:"
          dscl localhost -list /LDAPv3
          echo "Removing OD-Binding to "$check4ODtmp
          dsconfigldap -r "$check4ODtmp"
          dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
          dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
          dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
          sleep 5
else
          echo "No further LDAP or OD Binding present."
fi
echo ""
echo ""
#Remove the Active Directory binding
if [ "$check4AD" != "" ]
then
          echo "This computer is bound to the following Active Directory Services:"
          dscl localhost -list "/Active Directory"
          echo "With the Search Path entries:"
          dscl /Search -read / CSPSearchPath | grep /Active
          sleep 5
          echo "Removing any existing AD-Binding to "$check4AD
    dsconfigad -f -remove -username "$udn" -password "$password"
    echo "Removing Search Path entries"
          if [ "$preferred" != "-nopreferred" ]
          then
                    dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
                    dscl /Search/Contacts -delete / CSPSearchPath /Active Directory/"$domainname"
                    dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
          fi
          dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
          dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
#remove search path entries from 10.6
    if dscl /Search -read / CSPSearchPath | grep /Active > /dev/null
    then
        dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
        dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
    fi
          sleep 5
else
          echo "No Active Directory Binding present."
fi
echo ""
#Remove Existing Directory Services Config
echo "Removing existing DS Config"
if [ -d "/Library/Preferences/edu.mit.Kerberos" ]
then
          rm -R /Library/Preferences/edu.mit.Kerberos
fi
if [ -d "/etc/krb5.keytab" ]
then
          rm -R /etc/krb5.keytab
fi
# Clean up the DirectoryService configuration files
rm -Rfv /Library/Preferences/DirectoryService/*
#OD
echo ""
echo ""
echo "Binding to OD-Damin "$oddomain
sleep 5
dsconfigldap -v -a "$oddomain" -n "$oddomain" -c "$computerid"
echo "Killing opendirectoryd"
killall opendirectoryd
sleep 5
echo "Adding computer account $computerid to /LDAPv3/${oddomain} on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -create /Computers/"$computerid" ENetAddress "$nicAddress"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /Computers/"$computerid" RealName "$computerid"
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
# Add computer to ComputerList and ComputerGroup
if [ $computerGroup != "" ]
then
          echo "Adding computer $computerid to OD group $computerGroup on $oddomain"
          dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerLists/"$computerGroup" apple-computers "$computerid"
          dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" apple-group-memberguid "${GUID}"
          dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" memberUid "$computerid"
fi
echo "Finished OD Binding."
sleep 5 # Give DS a chance to catch up
echo ""
echo ""
echo "Performing the AD Binding"
#AD
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
#Use the existing AD-Computername or generate a new one
computeridtmp="default"
if [ "$check4ADacct" == "" ]
then
          LEN=$(echo ${#adcomputerid})
          if [ $LEN -lt 15 ]; then
                  echo "ComputerID "$adcomputerid " has 15 characters or less and is therefore suitable for AD-Binding. It is $adcomputerid"
                  computeridtmp=$adcomputerid
          else
                  echo "ComputerID "$adcomputerid " has 16 or more characters and needs to be modified for AD-Binding."
                    echo "Removing any -"
                  computeridtmp=${adcomputerid//-/}
                              LEN=$(echo ${#computeridtmp})
                              if [ $LEN -lt 15 ]; then
                                        echo "ComputerID "$computeridtmp" has now 15 characters or less and is therefore suitable for AD-Binding."
                              else
                                        echo "Only using the last 15 characters of the Computer name to be able to bind to AD."
                                        computeridtmp=${computeridtmp:(-15)}
                              fi
                  echo "Cropped Computername to "$computeridtmp
          fi
else
    computeridtmp=${check4ADacct//$/}
    echo "Found existing AD Account previously, attempting to recreate in the OU: "$computeridtmp
fi
echo ""
# Bind to AD
echo "Binding to AD-Domain "$domain" with computerid "$computeridtmp
dsconfigad -f -add "$domain" -username "$udn" -password "$password" -ou "$ou" -computer "$computeridtmp"
echo ""
echo "Setting the Advanced AD Plugin options"
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]
then
          dsconfigad -nogroups
else
          dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains "$alldomains"
dsconfigad -localhome "$localhome"
dsconfigad -protocol "$protocol"
dsconfigad -mobile "$mobile"
dsconfigad -mobileconfirm "$mobileconfirm"
dsconfigad -useuncpath "$useuncpath"
dsconfigad -shell "$user_shell"
dsconfigad "$preferred"
dsconfigad -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval"
dsconfigad -namespace "$namespace"
sleep 5
echo ""
echo ""
# Add the OD & AD node to the search path
if [ "$alldomains" = "enable" ]
then
          csp="/Active Directory/$domainname/All Domains"
else
          csp="/Active Directory/$domainname"
fi
echo "Finished AD Binding."
echo "Adding Domain /LDAPv3/"$oddomain" and "$csp" to Search Path"
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
echo "Adding OD.."
dscl /Search -append / CSPSearchPath /LDAPv3/"$oddomain"
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/"$oddomain"
echo "Adding AD.."
#Adding all Domains first to improve reliability under 10.7
if [ "$alldomains" != "enable" ]
then
    cspadall="/Active Directory/$domainname/All Domains"
    dscl /Search/Contacts -append / CSPSearchPath "$cspadall"
    dscl /Search -append / CSPSearchPath "$cspadall"
fi
dscl /Search/Contacts -append / CSPSearchPath "$csp"
dscl /Search -append / CSPSearchPath "$csp"
echo "Finished Updating Search Paths."
echo ""
echo ""
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall opendirectoryd
# Destroy the login hook (or change it)
if [ "${newLoginHook}" == "" ]
then
          defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
else
          defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook $newLoginHook
fi
sleep 5
# Customizing the login-Window
#defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
#defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool TRUE
#defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
# This works in a pinch if the above code does not
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
#plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
#killall opendirectoryd
# Disable autologin
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
srm /etc/kcpassword
echo ""
echo ""
echo ""
echo "Now bound to OD Domain:"
dscl localhost -list /LDAPv3
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
echo "Now bound to AD Domain:"
dscl localhost -list "/Active Directory"
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
exit 0                    ## Success
exit 1                    ## Failure
Any inputs, questions and improvement suggestions are, of course, most welcome!
Cheers
See

Similar Messages

10.6 home directory mounting with active directory and open directory integration

Hi guys i am having some issues in my new mac environment. I have a windows network with an server 2008 active directory. I have just recentlly created a "magic triangle" setup with active directory and open directory. When my users login via windows their home folders mount perfect. When any user logs in to any iMac in the building it does not work. They login perfectly fine, but their home folders do not mount. When i try mounting them manually with smb, i get a prompt for credentials. I am thinking this is my issue, my Single sign on with kerbos is working but for some reason is not logging in correctly. If i type in my credentials with my domain first then my name it works.
For example DOMAIN\jsmith works, but the way i think the mac and active directory is doing it now is just jsmith without the DOMAIN.
I feel like this is the problem with the home folders not mounting.
Can anyone provide some help with this?
Thanks,
Dani

Hi dani190,
are you using the fully qualified domain name of the network server? ie if your server is bob. and your domain is domain.company.com. then the FQDNS would typically be bob.domain.company.com or bob.company.com.
If the FQDNS works, then have you checked in the AD to make sure the path to the network home folder uses the FQDNS?
For the contact search path, did you put the AD at the top the list? (in directory utility)
Did you set the WINS work group on your client computer to your domain?
ie:Apple Menu, System Preferences, Network, Active Network Port (ethernet and or airport) , Advanced Button, WINS Tab, set workgroup to the name of your domain. ie domain.company.com and or company.com

Binding Exchange server to Open Directory

So I am setting up an exchange 2010 sandbox machine to see how feasible the install and usage of the software is within the company. When running through the installation it wants the exchange server machine to be bound to an active directory. Well I dont have any active directory servers all I have is our open directory. How can I tie in the exchange binding to the open directory? I have heard about integrating between OD and AD but it seems like it requires yet another AD machine.
Any thoughts? Success Stories?

The answer is to remove the local KDC on the 10.5 clients. 10.5 uses the LKDC for personal file sharing - not needed for networked clients.
Run the following commands to kill LKDC before binding the machine to Open Directory:
sudo dscl /Local/Default delete /Config/KerberosKDC
sudo rm -rf /var/db/dslocal/nodes/Default/config/KerberosKDC.plist
See: http://forums.bombich.com/viewtopic.php?t=11834&highlight=lkdc

Binding imaged clients to Open Directory?

We created 10.5.2 image that we are trying to bind to Open Directory.
The first imaged client binds fine and adds itself to OD. However, additional clients won't bind. They claim that the computer account already exists.
I assume this is caused by each imaged client having the same "key" somewhere that it is using to bind to OD. Is there a way to regenerate this "key" on our clients once they are imaged?

The answer is to remove the local KDC on the 10.5 clients. 10.5 uses the LKDC for personal file sharing - not needed for networked clients.
Run the following commands to kill LKDC before binding the machine to Open Directory:
sudo dscl /Local/Default delete /Config/KerberosKDC
sudo rm -rf /var/db/dslocal/nodes/Default/config/KerberosKDC.plist
See: http://forums.bombich.com/viewtopic.php?t=11834&highlight=lkdc

Screen Sharing and Open Directory (10.8)

I'm trying to allow Open Directory users to login over Screen Sharing to my Mountain Lion servers. I have tried the solution on the page linked below and it isn't working. Maybe I'm missing something:
https://discussions.apple.com/thread/2329389?start=0&tstart=0

From the menu bar on the Screen Sharing server, select
 ▹ System Preferences... ▹ Users & Groups ▹ Login Options
and check the box marked
Allow network users to log in at the login window
If there's a closed padlock icon in the lower left corner of the preference pane, you may need to click it to unlock the settings. Enter your login password when prompted.
Note that this option is only available when the server is bound to a network directory server.

Adobe Premiere CS5 and Open Directory users - Premiere fails to start

We have several class rooms with desktops that are configured for Open Directory.
When a student logs in he's actually working in his home folder on the server and his user is also managed by the server.
This works fine for all the applications that we're using except for Adobe Premiere CS5 and Adobe After Effects CS5. Whenever a student tries to start one of them the application will hang and only a force quit can stop it. It is impossible to start these applications.
However, it is possible to use Premiere and After Effects using a local standard on the desktops. But I don't want to go that route. I want the managed users to be able to use those applications.
Has anyone found a solution for this?
Are you able to use this applications in a same environment?
I've played a lot with the permissions on the library, system and Adobe folders, but the problem doesn't seem to be related to them.
Setup:
AFP Server: Xserve intel running Mac OS X Server 10.6.5
OD Servers: Mac Mini Servers running Mac OS X Server 10.6.5
Clients: iMacs intel running Mac OS X 10.6.6

Safe Mode disables a lot of drivers and services, like networking. That would seem to indicate that something is running on your system that interferes somehow.
I'm just not sure how you'd go about tracking that down.

Initial setup and Open Directory problem

Hi,
I'm new to the MAC OS X server system and trying to get one up and running on a G5.
Unfortunately I can’t get the configuration up and running, and I have the feeling it already goes wrong during the initial setup. I was hoping you guys could help me out.
The purpose of the server is providing network user accounts (DNS + Open Dir.) and providing sharepoints.
I go trough following steps while installing from scratch:
- Install MAC OS X and run the Server install package from the OS X Server DVD (as you know, OSX Server is'n installing directly on G5)
- Choose keyboard layout, enter license and create an account "admin"
- Define static IP "192.168.1.1", add this IP as the first in the list of DNS Servers, add "company.local" in the search domain
- Install as a standalone server (so I can configure dns & other network services after basic setup)
- Check "network time server" (so time will be synced for Kerberos)
- Proceed, install and reboot
OSX Server seems to be installed fine and I can login with "admin". Next step I take is configuring DNS.
- create a zone "companyname.local.", use my IP as server address (192.168.1.1) and use "server" as the server name.
- add a machine record for DNS-testing (called "gateway", with the IP of "192.168.1.254")
Start the DNS service and reboot
- perform an nslookup with a second MAC with 192.168.1.1 as the nameserver and verify that DNS is resolving correctly.
DNS seems to be working fine, now I would like to get the Open Directory service to work:
- change "Standalone" to "Open directory master" in the server configuration panel
- provide a password for the directory admin
- use "SERVER.COMPANYNAME.LOCAL" as kerberos realm, and "dc=server,dc=companyname,dc=local" as the search base
- Save & start the service and perform a reboot to be sure all the new settings are in use
Unfortunately after this install open directory doesn't seem to work fine and also Kerberos doesn't start.
Concerning Kerberos: I get following output in the "Slapconfig log" Open Directory log file:
Starting LDAP server (slapd)
command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=maggie,dc=interesourcegroup,dc=local -w **
Hostname server.companyname.local is from Rendezvous
Skipping Kerberos configuration
Sorry to bother you with the entire walkthrough of the installation, but I have the feeling that I'm missing something while performing the basic install or DNS setup .. ?
Regards,
Seppe
G5 Mac OS X (10.4.6) /

We currently have a static IP and a public dns hosted
by MediaTemple, so I think I can create a subdomain
on MediaTemple and link it to our fixed IP address
("private.companyname.com" >> static ip) instead of
using dydns.. ?
Of course.
I suppose I can then use "private.companyname.com" as
the zone name on my G5 server and use
"server.private.companyname.com" for my local DNS?
Sounds reasonable.
If using this DNS, what will be the Kerberos REALM
and Search Base? And do I still need to specify
private.companyname.com as the Search Base in the
Network Settings of the clients and server?
Well, REALM and LDAP Search Base can set to whatever you like. On the other hand I've seen tools contacting kerberos servers break when the REALM is not part of the kerberos server fqdn.
So I'd stick with the usual recomandations and set kerberos REALM to your domain name (if there is no other kerberos server alread running and using this).
For the LDAP search domain I'd also follow the road of using domain name space as search base.
When dns will finally be setup properly, these setting will be autopopulated for you in the GUI. So test, test, test you dns with
host $ip and host $fqdn and then go on promoting "Standalone Server" to "Open Directory Master".
HTH
-Ralph

OS X Server and Open Directory

I am trying to use a Mac Mini as an Open Directory domain, however it fails on the Open Directory Setup.
The exact error from the log is a below:
Server[308]: An error occurred while configuring webiken as a directory server:
Error Domain=XSActionErrorDomain Code=78 "Server returned a non-zero status code" UserInfo=0x7fb826114140 {NSLocalizedDescription=Server returned a non-zero status code}
Any ideas to what this may be?
FYI: I think this is due to my network configuration. I connect to the internet via Wifi and I have a switch for LAN traffic, but there's no way to give the switch internet access. Is there anyway I can limit the LAN traffic to only use ethernet (en0) and internet traffic to only use WiFi?

Hi,
Not sure this will help, but OSX uses the top Interface for Internet...
10.5.x/10.6.x/10.7.x instructions...
System Preferences>Network, click on the little gear at the bottom next to the + & - icons, (unlock lock first if locked), choose Set Service Order.
The interface that connects to the Internet should be dragged to the top of the list.

Windows users and open directory

Since Server for 10.7 I've found I've had to create Windows users as local users rather than local network users to give them access to shares via SMB. Is this correct, or am I missing something? I was aware that you can't bind a Windows PC to Open Directory, but can it not authenticate at all through OD?
thanks

If I understand your question, then you are looking for a tool like Centrify. This will put all management on one platform.

SuPhp and Open Directory Administration

Hello,
I am trying to install suPhp and mod_suphp working on OS X Server 10.6.7
Everything seemed to compile and install just fine, but am getting an error in the apache log:
terminate called after throwing an instance of 'suPHP::LookupException'
My guess is that suPhp cannot find the user ID in /etc/passwd because OS X Server is using Open Directory Administration
My searches have not turned up anything.
Thank you!
~ Jeremy

Hello,
I am trying to install suPhp and mod_suphp working on OS X Server 10.6.7
Everything seemed to compile and install just fine, but am getting an error in the apache log:
terminate called after throwing an instance of 'suPHP::LookupException'
My guess is that suPhp cannot find the user ID in /etc/passwd because OS X Server is using Open Directory Administration
My searches have not turned up anything.
Thank you!
~ Jeremy

Active Directory and Open Directory not working

I am experiencing an issue, or several issues that I can't figure out how to resolve.
I have an Active Directory domain set up (running 2003 server R2) and it is humming along quite nicely.
A few weeks ago I got a new XServe running 10.5.4. Booted it up, bound it to AD, and then set up and OD Master on it so that I could manage some new Macs that we have.
The Macs are bound to both directories.
The issue I have comes in when using Workgroup Manager, and trying to add AD user to OD groups. The groups drawer is open, but the little directory menu at the top of the drawer does not include the entry for Active Directory. I see Local, Search Policy, and /LDAPv3/127.0.0.1...
If I try to pull down the directory menu above the user list, I see the following: Loca, Search Policy, Other..., /Active Directory/All Domains, and /LDAPv3/127.0.0.1.
If I select /Active Directory/All Domains from that list I get the following error.
+Unable to open the requested node.+
+The node /Active Directory/All Domains couldn’t be opened because an unexpected error of type -14002 occurred.+
I think these issues are related, but I can find no help on the first item (AD not showing up in the groups menu)
and a search for the second item only reveals the following page form Apple, which means absolutely nothing to me.
http://developer.apple.com/documentation/Networking/Reference/OpenDirectoryRef/Reference/reference.html
The killer is that this all worked at one point. I had an Apple Tech out here and he helped me set up this 'Golden Triangle" method of authenticating against both directories. And it works... sort of... I can create groups in OD and add OD machine accounts to the group to enforce some settings. But I can't bring in AD users, cause I can't see the AD user list.
I hear that this is supposed to work... I can't figure it out.
Any help would be appreciated.
Thanks for your time.
Bill

Hi
Can you access Active Directory from the command line using dscl?
In what order are the LDAP directories listed in Directory Utility on the Server?
Is Kerberos running on the OD Master?
If you issue klist from the command line on the server itself - what is the result?
Or don't bother with any of the above and start again. You've nothing to lose anyway apart from some managed preferences which you can redo in little time. Scrub the configuration in the AD plug-in and demote to Standalone. Restart and go for an AD rebind. Make sure the edu.mit.Kerberos file is created in /Library/Preferences. Launch WGM and you should see AD Users and Groups this time, If you do go for promotion again. What you want to see in the OD Overview pane is everything running apart from Kerberos and the search base reflecting the FQDN of the OD Master. Make sure there is the loopback entry (127.0.0.1) in the LDAPv3 plug in. Finally make sure the OD Master lists itself first in the Directory Search Order.
I'm assuming the Server is configured as Advanced and is updated to 10.5.4.
Tony

Netboot, diskless clients, and Open Directory users?

Hi, I've been reading through the System Image pdf & maybe it's me but a couple of things aren't clear.
I want to set up diskless clients and allow users to log on to their network home folder using their OD login. Is this possible and where would be a good place to start with instructions on setup?
thanks, Patrick

Ok, I got it.
But what if I want the OD user to have some configuration data on the local client?
Let me explain that a bit better. The configuration I would like for my network and users is as follows: the server works only as an authentication server, I do not want roaming profiles or homes directory on the server; I just want the server to authenticate users when they log in to several client machines amongst the lan.
For documents sharing, in fact, I much rather prefer using Dropbox, which allows my users to share on a WAN-instead-of-LAN basis.
But a home local directory is needed for OD users to keep libraries, preferences files and so on.
Back to the old Windows server (PDC) time, I used the server as a name server authentication only, still the client created a local profile for the user of the server.
Does OD works this way too or am I missing something?
Thank you.

OS 10.4 and Open Directory intergration

Dear All,
first of all, I would like to say Hello to all users!
I have a MBPro with OS 10.4.10.
As this is also my office computer, I need to integrate it into Corporate network.
As I browse through network neighborhood, Finder displays 2030-2050 elements in the current domain (alphabetically). The whole network is around 3500 elements.
Can I do anything about that.
The second problem I have is actually the whole subject - printing.
I have a XEROX DOC machine, connected to the network with IP address.
Whatever I do or configure, I'm getting always "client-error-bad-request"
I can ping the IP succesfully.
When I want to connect to a windows 2000 shared printer, I get Error-50 or Error-43.
Can anybody help me?
I will supply any other details if necessary.
Maartinez

I still use Classic in 10.4.11 on a PPC Mac with all the current OS updates.
10.5 drops support for Classic on all Macs. However, even if you lose Classic environment within OS X 10.5, should you upgrade, your G4 Tower still has the option to boot into OS 9, if your model is one of the earlier ones before FW800 was introduced. OS 9 and OS X can be installed on the same hard drive partition.
Different versions of OS X can be installed on different partitions, so you could even have a bootable 10.4 system with Classic support and try out 10.5 on another drive/partition if you needed to run 10.5 for some reason.
"Upgrading" the OS is always a consideration of your investment in all your apps, the hardware, and third-party devices (printer/scanner/camera/etc) and all those drivers. When you upgrade the OS sometimes you need to upgrade everything else, and often the more cost-effective solution is to keep the old machine running the old stuff, and get a new machine to run new stuff. Rather than upgrading an old machine to still support the old stuff but can't quite run all the new stuff very well if at all.
640 MB RAM is really barely enough for doing any serious work in OS X, you should consider at least 1GB or max it out to 1.5GB or 2GB, whatever the limit is for that G4 tower model. The older RAM for those models is fairly cheap now.

Roundcube and Open Directory

Hi,
I use Roundcube instead of Squirrelmail. Everything is ok but I would like to use LDAP to fill the Adresses Book of Roundcube.
How to configure it ?

Hi,
I use Roundcube instead of Squirrelmail. Everything is ok but I would like to use LDAP to fill the Adresses Book of Roundcube.
How to configure it ?

Directory Utility wont connect to Open Directory Server on Xserv 10.5.1

I am trying to set up the ical service on the xserve, I have the server set up as the OD master when I went into the directory utility app it would not located the server until I changed the search policy to custom which included LDAPv3. Once I did that the server popped up in the directory utility list but it says "server is not responding"
Any one else having this issue or know what might be the solution?

Have you tried adding the server to the client using 'servername.local' instead of its DNS name? I have had flaky problems adding clients to the directory server using the DNS name and found using 'servername.local' to be much more reliable.

Directory Binding Script (Active and Open Directory) 10.7

Similar Messages

Maybe you are looking for