Open Directory and LDAP questions/difficulties

Hi, my company is about to try out OSX Server to replace our old Irix file server. In order to do this we need to run through a number of tests in order to validate the idea. Basically, the test setup is a PM G5 running OSX Server 10.4 and a connected Mac and/or PC on the G5's second ethernet port as test clients. The first ethernet port is connected to the local subnet (192.168.1.x) and, ideally, the OSX Server should have its own subnet on the second port and serve DHCP, AFP and SMB to that port only, along with an OD shared directory providing both authentication and home directories for users. (later on, if all is successful, it will serve those services on the company subnet). DNS is supplied by a separate server on the subnet (DNS caching server running tinydns)
I've read my way through the OSX Server documentation, and gathered all the information the Worksheet requires. The problems started occurring because we installed OSX Server over an OSX Client and broke off the Server Assistant, because we were worried at the time that turning on a Windows PDC would collide with our current (and very flaky) Samba server running on the Irix machine, and that DHCP might also collide with our current dhcp server.
As a consequence, we tried to set it up via the Server Admin Panel, Network Prefs, and the Workgroup Manager, after having connected the second ethernet port of the G5.
Doing this, and setting the OD service to an OD Master, along with a Search base of dc=hostname, dc=domain, dc=tld has not exactly changed much. The problem is that the info panel says that LDAP is not running. This confuses me no end. I thought OD was based upon LDAP. The server name in the Server Admin panel is hostname.local. And now I get to my real questions (finally):
1. Would it be better to just wipe the machine and start again using the Assistant, and set up the ODMaster that way?
2. When is an ODMaster not a local directory and when is it a shared directory? (the hostname.local worries me)
3. What services exactly need to be running for the ODMaster to function properly?
3. How do I configure the local subnet on the second port (should I use the Gateway Assistant or do it by hand), and how do I only serve those services to that port (do I do it by setting the router/gateway for those services as the IP of the second port or as localhost)?
4. Do I need to simply enable LDAPv3 on the clients and set the search path to automatic to get the clients to authenticate?
5. Do users and groups added to the hostname.local become part of the OD Domain?
I'm sorry if I come across as a total newbie. I'm used to doing most of this on the commandline in Linux (except for LDAP, which is new to me), and the GUI. I have managed to entangle myself quite nicely in all this and could really use some pointers.
Thanks in advance
Theo.
PowerBook G4   Mac OS X (10.4.7)  

1. Starting with a freshly installed OS X Server is recommended, but start no services at first. You need working DNS with a reverse zone for the server IP to run OD Master (and other services). If the server domain is to be different from the existing network domain name, set up DNS in OS X for the test domain.
2. I'm not sure I understand the question. LDAP/OD can be used on the server to "house" the user accounts but you don't have to bind computers to it.
If you don't use the more advanced possibilities with LDAP/OD I don't think the clients even need to have LDAP configured to be able to authenticate.
hostname.local = hostname and the standard Bonjour domainname .local ?
3a. DNS, so that reverse lookup works for the hostname before setting up OD Master. OD needs a "true" domainname; Bonjour isn't sufficient. Set up/use something like mydomain.private.
3b. You don't need to do NAT, you can also route between two subnets (you would need a static route in your Internet router too).
If you want NAT you can use the GW assistant. The interface on the top of the list in Network config (where you can add more/alias interfaces) is the "main" interface used as the "WAN"/"Internet" interface.
4. If the clients are "standalone" (not bound to the OD domain or not using server based homefolders and such) I think you only need LDAP if you want the clients to be able to search for info in OD/LDAP. Not needed for authentication.
You can send out LDAP info with DHCP.
5. If you mean you add/enter users and groups to OD/LDAP directory it just means you can have different servers/clients using a central repository(?) for authentication purposes.
If you add (bind) machines to the domain you can control what clients can do locally (privileges), which applications they can run and so forth.
In /etc/smb.conf you can say which interface to use for samba (don't remember what to enter though). And if using the firewall (you must if you want NAT) you can stop Bonjour (mDNS - multicasts) from entering the "old" network if you like/need.
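The reply above says /etc/smb.conf can pin Samba to one interface but does not give the entries. The fragment below is an added example, not the poster's configuration: the [global] parameters `interfaces`, `bind interfaces only`, `hosts allow` and `hosts deny` are standard Samba settings; the interface name en1 and the test subnet 192.168.2.0/24 with the server at 192.168.2.1 are assumed values for the G5's second port.

```ini
[global]
   ; Default (weak for this test): with "interfaces" unset and
   ; "bind interfaces only = no", smbd/nmbd listen on every interface,
   ; so the company subnet on the first port can reach the test SMB service too.
   ; bind interfaces only = no

   ; Hardened: only answer on loopback and on the test subnet behind en1
   ; (192.168.2.1/24 is an assumed address for the second port).
   interfaces = lo0 192.168.2.1/24
   bind interfaces only = yes

   ; Second layer in case the interface binding is ever reset:
   ; refuse SMB sessions from any address outside the test subnet.
   hosts allow = 127.0.0.1 192.168.2.0/24
   hosts deny = ALL
```

Restart the Windows service after editing, then verify from a client on the company subnet that port 445 is not reachable while a client on 192.168.2.0/24 still is. Server Admin regenerates parts of smb.conf when Windows service settings are saved, so check that these lines survive after any change made in the GUI.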

Similar Messages

  • Open Directory and passwords

Hi, I have come across something really odd someone pointed out to me with Tiger Server, and this is something I've not been able to duplicate on Panther Server, or at least I don't think I have been able to.
    The situation is this: There are three people in my workgroup who have "administrative" privileges for our small server cluster. When logging into one of the servers, it is possible for a person with administrative privileges to log into the server with any user existing user name, and use their own password, or the global administrative password to log into any account. This does seem weird to me. Is there an article somewhere that explains this? I've done a bit of searching, but am not sure on what I am looking for here.
I am starting to work with Open Directory and LDAP sharing of login information across a series of three servers and am wondering if it might be linked to this, and why/how, etc. Anyone with any good or bad thoughts on this.
    Thanks so much.

    Hi trotter,
In fact this is a feature called 'masquerading' by Apple which can be very helpful, particularly when troubleshooting permissions issues on mounted volumes. It allows admins to mount volumes via afp 'as users'.
    It was first implemented for Apple servers back in ASIP 6, and the feature exists in both Panther and Tiger.
If you don't want this feature you can uncheck Server Admin > AFP > Access > Enable Administrator to masquerade... I believe the box is unchecked by default so one of the admins must have checked it.
    IMHO it would also be very useful for admins to be able to have the options to masquerade to user OD/NetInfo accounts also.
    HTH,
    b.

  • Open Directory or LDAP Problem with 10.5 Client and 10.4 Server

    Yesterday, the client-server setup we've been using successfully FOR YEARS decided not to work on a v10.5.8 MacBook Pro client. Did not do anything to the v10.5 client recently (other than to boot it up). Not sure if any software was updated on the server recently (where do I check for this?). Curiously, a v10.4.11 client running on a Mac Pro (tower) continues to work fine/as though nothing's changed. It appears as though the only difference is v10.4 client (working) vs. v10.5 client (not working).
    Here is what IS working:
    1) Network Home Directories on dedicated drive partition of Mac running OS X Server v10.4.11. AFP, DNS, and Open Directory are all up and running (normally, I think) as shown in Server Admin application.
    2) Mac Pro (tower) client running v10.4.11 binds to and authenticates at v10.4.11 server. Any valid user can access their home directory on the server seamlessly when logging in at this v10.4.11 client Mac.
    3) That same v10.4.11 client Mac also contains a LOCAL admin user with its home directory on the local hard drive. That LOCAL admin account is used to update software on a per machine basis (and preclude users from adding unauthorized software, needing to use a specific machine, etc.).
    Here is what IS NOT working:
4) On a MacBook Pro client running v10.5.8, the LOCAL admin account loses access to the partition containing its local home directory. The drive partition literally disappears. The only "solution" I've been able to find (and it's not truly a solution) is to turn off the Open Directory/LDAP binding (using the Directory Utility application). With binding turned off, the LOCAL admin user has no problem accessing their home directory on the local hard drive partition. Turn binding on again (using Directory Utility application), and the LOCAL admin user can no longer see its local home directory.
    Again, binding is necessary to allow regular users to use the v10.5 MacBook Pro with Network Home Directories (as in items 1-3 above). Binding should be turned on for this reason. However, with binding on, the LOCAL admin user cannot manage the computer because the local partition containing the admin home directory disappears/is inaccessible. Turn binding off, and the partition containing the admin home directory reappears.
Perhaps there's something in the server logs that will help. I don't really know how to read these, so if your help involves the logs, please refer to them explicitly (e.g., "in Server Admin, go to Open Directory->Logs->LDAP log" or similar).
Any help greatly appreciated.

    Nope. Never used sso_util.
I try to use Apple's GUI server management tools unless absolutely necessary/at the end of my rope (i.e., last step before re-install etc.). I figure there are just too many things going on under the hood: using the command line may fix one setting, but not re-configure the two or three others that Apple NEEDS in order to have the whole thing working in harmony. Unless you really know what's going on with all the configuration files, it's best to let the GUI manage the settings.
    In my particular circumstance, I've now got ALL Leopard clients, one Leopard v10.5 server, and one Tiger v10.4 server. Everything is working fine now, but it was not a simple matter getting the Tiger v10.4 server re-integrated into the otherwise ALL Leopard environment. OD/Kerberos is on the Leopard v10.5 server. Home directories are still on the Tiger v10.4 server.
    Two keys to getting THIS/MY set-up working:
    1) Tiger v10.4 server needs to have Open Directory set to "Connected to a Directory System" and has to be joined to the Kerberos realm that was set-up on the Leopard v10.5 server (use Server Admin to do all of this).
2) Sharepoint on Tiger v10.4 server has to have SOME, but NOT ALL checkboxes for guest access enabled/checked. See:
    http://discussions.apple.com/message.jspa?messageID=10903468#10903468
    Number 2 immediately above is contrary to what Apple manual for User Management reads, but this is what worked for me/my set up, after pulling my hair out following the manual's instructions to the letter and not getting the thing to work!

  • Open Directory and Mobile Home Folders

    Hi All,
I am a bit confused about Open Directory and Mobile Accounts! Here is our scenario. We have an Open Directory setup and all accounts are set to mobile, accounts are almost 250+. My main problem is the synchronization conflicts: the accounts are automated to sync every 30 mins, and the problem is every now and then a synchronization conflict window pops up, and our users are complaining almost every time. Another problem is all of the users' home folders have a quota of 5GB; the problem is there are users who exceed the quota, some going up to 60GB and 100GB. How do I solve these two problems? I am about to lose my mind. We set it up like this in order for us to have a backup of all files of the users in case a problem arises in the workstation. I have noticed that the syncing file error comes up if you have temporary files used by any applications. The home folder of each user will exclude Library, Trash, Music and the Entourage database. Please do help me.!!! Anyone who knows..?
    Environment
    OD Server - MacOS X Server Tiger 10.4.4
    Workstations - mix MacOS X Tiger 10.4.4 - 10.4.7
    AFP Home Folder - MacOS X Server Tiger 10.4.6 mounted Xsan Volume for home folders
    johnaris
    PLEASE HELP!

    Thanks for the info, by now i will look into that little utility that is very helpful (console!)
Yes, I was thinking of syncing our users at login and logout; the problem here is that users here have bigger home folders, mostly about 3GB, and it will take time to log in a user, about 6-10 mins, depending on the network. We have network users that have slow networks and fast networks on video editing users. What I did is that I excluded the Library in the sync options on each unit here, since we are not using Apple's Mail and iCal; it did minimize the syncing errors but the temp files and date discrepancies are mostly what will generate an error. I am having real problems with this.
    thanks for the info i really appreciate it.

  • OXS server 3 with mavericks, it will not load up the assistant with open directory and will not allow me to use old open directory it was not a clean install just upgrade. any help or advise appreciated as i really need the server.

OXS server 3 with mavericks, it will not load up the assistant with open directory and will not allow me to use old open directory. It was not a clean install, just an upgrade. Any help or advice appreciated as I really need the server.

    I wonder if the disk being referred to is actually your iPod which is not plugged in. Maybe something has stuck thinking the iPod should be there.
    Try completely removing all the iTunes related programs according to this method.
    http://support.apple.com/kb/HT1923
Restart your PC and see if startup improves.
    If it doesn't improve you need to consider the possibility that there is something else going on.
    If The problem goes away, hopefully a fresh install will be OK.

  • Terminal Commands to clean Open Directory and Profile Manager

    Hi,
So I've made the fun decision to move to ML Server as we are just getting services up and we should be on the most recent software to start. I have had intermittent luck with Open Directory and Profile Manager and was looking for a way to wipe the databases and start clean.
I have tried getting to usr/share/devicemgr/backend and running wipDB.sh, however the database does not exist.
It would be nice to clean the databases and settings instead of doing a full reinstall of Mt Lion.
    Thanks!
    ~FSU IT

So just found the fix for Profile Manager.
    http://support.apple.com/kb/HT5349
    Thanks to this post for finding it - https://discussions.apple.com/thread/4142185?tstart=0

  • After Updating to Server 4.1 Open directory and LDAP gone

    Hello,
    two days ago I discovered that Open directory was not working on our Server (Mac Mini 2012). I suspect it stopped working after updating to 10.10.3 and OS-X Server 4.1. When I try to start Open directory in the Server App the Server App prompts: Unable to load Replica List. When I try to recreate my Open directory Server I Get: OD Server already exists.
    I get the following log entries:
    LDAP Log
    Apr 11 22:03:02 server.seju.eu slapd[925]: @(#) $OpenLDAP: slapd 2.4.28 (Feb 24 2015 21:45:59) $
      [email protected]:/BinaryCache/OpenLDAP/OpenLDAP-499.32.4~1/Objects/servers/slapd
    Apr 11 22:03:02 server.seju.eu slapd[925]: daemon: SLAP_SOCK_INIT: dtblsize=8192
    Apr 11 22:03:02 server.seju.eu slapd[925]: TLS: OPENDIRECTORY_SSL_IDENTITY identity preference overrode configured olcTLSIdentity "APPLE:server.seju.eu"
    Apr 11 22:03:02 server.seju.eu slapd[925]: slap_add_listener: opened additional listener 'ldaps:///'
    Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): unable to allocate memory for mutex; resize mutex region
    Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_open: database "dc=server,dc=seju,dc=eu" cannot be opened, err 12. Restore from backup!
    Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): txn_checkpoint interface requires an environment configured for the transaction subsystem
    Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_close: database "dc=server,dc=seju,dc=eu": txn_checkpoint failed: Invalid argument (22).
    Apr 11 22:03:02 server.seju.eu slapd[925]: backend_startup_one (type=bdb, suffix="dc=server,dc=seju,dc=eu"): bi_db_open failed! (12)
    Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_close: database "dc=server,dc=seju,dc=eu": alock_close failed
    Apr 11 22:03:02 server.seju.eu slapd[925]: slapd stopped.
    Open Directory Log
    2015-04-11 21:57:10.624284 CEST - AID: 0x0000000000000000 - opendirectoryd (build 382.20.2) launched...
    2015-04-11 21:57:10.752590 CEST - AID: 0x0000000000000000 - Logging level limit changed to 'error'
    2015-04-11 21:57:10.916732 CEST - AID: 0x0000000000000000 - Initialize trigger support
    2015-04-11 21:57:10.951833 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'
    2015-04-11 21:57:10.958469 CEST - AID: 0x0000000000000000 - Module: SystemCache - failed to load persistent state - Input/output error
    2015-04-11 21:57:10.962533 CEST - AID: 0x0000000000000000 - Registered node with name '/Active Directory' as hidden
    2015-04-11 21:57:10.962833 CEST - AID: 0x0000000000000000 - Registered node with name '/Configure' as hidden
    2015-04-11 21:57:10.963182 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'
    2015-04-11 21:57:10.963194 CEST - AID: 0x0000000000000000 - Registered node with name '/Contacts'
    2015-04-11 21:57:10.963438 CEST - AID: 0x0000000000000000 - Registered node with name '/LDAPv3' as hidden
    2015-04-11 21:57:10.966901 CEST - AID: 0x0000000000000000 - Registered node with name '/Local' as hidden
    2015-04-11 21:57:10.968600 CEST - AID: 0x0000000000000000 - Registered node with name '/NIS' as hidden
    2015-04-11 21:57:11.031990 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'
    2015-04-11 21:57:11.032007 CEST - AID: 0x0000000000000000 - Registered node with name '/Search'
    2015-04-11 21:57:12.343838 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/LDAPv3/127.0.0.1' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/127.0.0.1.plist'
    2015-04-11 21:57:12.343888 CEST - AID: 0x0000000000000000 - Registered subnode with name '/LDAPv3/127.0.0.1'
    2015-04-11 21:57:13.549377 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'
    2015-04-11 21:57:13.551131 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'
    2015-04-11 21:57:13.554053 CEST - AID: 0x0000000000000000 - '/Search' has registered, loading additional services
    2015-04-11 21:57:13.554064 CEST - AID: 0x0000000000000000 - Initialize augmentation support
    2015-04-11 21:57:13.557920 CEST - AID: 0x0000000000000000 - Successfully registered for Kernel identity service requests
    2015-04-11 21:57:13.557940 CEST - AID: 0x0000000000000000 - Adjusting kernel ID cache (100 -> 250) and membership cache (100 -> 500)
    2015-04-11 21:57:13.575235 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'
    2015-04-11 21:57:13.578418 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'
    2015-04-11 21:57:13.583810 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleID.bundle'
    2015-04-11 21:57:13.615788 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'
    2015-04-11 21:57:13.619666 CEST - AID: 0x0000000000000000 - Registered subnode with name '/Local/Default'
    2015-04-11 21:57:13.632498 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'
    2015-04-11 21:57:13.845588 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientLDAP.bundle'
    2015-04-11 21:57:13.849664 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientPWS.bundle'
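The LDAP log above is the part that actually says what is wrong: the bdb backend for the suffix cannot be opened (err 12, ENOMEM from the mutex region allocation), so slapd exits and Server.app can only report that the replica list will not load. The script below is an added example, not from the poster or from Apple: it parses slapd syslog-style lines, skips continuation lines such as the build path, and reports which database suffix failed and whether the daemon stopped. The sample log is constructed from the lines quoted in the post (same host and PID) with the build-banner continuation line replaced by a placeholder.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed sample: the slapd lines quoted in the post above, plus one
# continuation line (placeholder user@host) that a naive parser would choke on.
SAMPLE_LDAP_LOG = """\
Apr 11 22:03:02 server.seju.eu slapd[925]: @(#) $OpenLDAP: slapd 2.4.28 (Feb 24 2015 21:45:59) $
      build-user@build-host:/BinaryCache/OpenLDAP/Objects/servers/slapd
Apr 11 22:03:02 server.seju.eu slapd[925]: daemon: SLAP_SOCK_INIT: dtblsize=8192
Apr 11 22:03:02 server.seju.eu slapd[925]: slap_add_listener: opened additional listener 'ldaps:///'
Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): unable to allocate memory for mutex; resize mutex region
Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_open: database "dc=server,dc=seju,dc=eu" cannot be opened, err 12. Restore from backup!
Apr 11 22:03:02 server.seju.eu slapd[925]: backend_startup_one (type=bdb, suffix="dc=server,dc=seju,dc=eu"): bi_db_open failed! (12)
Apr 11 22:03:02 server.seju.eu slapd[925]: slapd stopped.
"""

# Constructed healthy startup for comparison.
HEALTHY_LDAP_LOG = """\
Apr 12 08:00:00 server.seju.eu slapd[1010]: slap_add_listener: opened additional listener 'ldaps:///'
Apr 12 08:00:01 server.seju.eu slapd[1010]: slapd starting
"""

# "Mon DD HH:MM:SS host prog[pid]: message" as written by syslog for slapd.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Two distinct ways bdb reports a backend that will not open.
OPEN_FAIL_RE = re.compile(r'database "(?P<suffix>[^"]+)" cannot be opened, err (?P<errno>\d+)')
BACKEND_FAIL_RE = re.compile(r'suffix="(?P<suffix>[^"]+)"\): bi_db_open failed! \((?P<errno>\d+)\)')


@dataclass
class Entry:
    ts: str
    host: str
    pid: int
    msg: str


@dataclass
class Triage:
    entries: List[Entry] = field(default_factory=list)
    failed_suffixes: Set[str] = field(default_factory=set)
    errnos: Set[int] = field(default_factory=set)
    warnings: List[str] = field(default_factory=list)
    daemon_stopped: bool = False

    @property
    def verdict(self) -> str:
        if self.failed_suffixes:
            return "backend-open-failure"   # the database itself is unusable: restore it
        if self.daemon_stopped:
            return "stopped"                # slapd exited for some other reason
        return "ok"


def parse_log(text: str) -> List[Entry]:
    """Parse slapd syslog lines; continuation lines and other programs are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("prog") != "slapd":
            continue
        entries.append(Entry(m.group("ts"), m.group("host"), int(m.group("pid")), m.group("msg")))
    return entries


def triage(text: str) -> Triage:
    """Classify a slapd log: which suffixes failed to open, with which errno, and did slapd stop."""
    t = Triage(entries=parse_log(text))
    for e in t.entries:
        m = OPEN_FAIL_RE.search(e.msg) or BACKEND_FAIL_RE.search(e.msg)
        if m:
            t.failed_suffixes.add(m.group("suffix"))
            t.errnos.add(int(m.group("errno")))
        elif "unable to allocate memory for mutex" in e.msg:
            t.warnings.append(e.msg)          # BDB environment problem preceding the open failure
        elif e.msg.strip() == "slapd stopped.":
            t.daemon_stopped = True
    return t


if __name__ == "__main__":
    for label, log in (("post", SAMPLE_LDAP_LOG), ("healthy", HEALTHY_LDAP_LOG)):
        r = triage(log)
        print(label, r.verdict, sorted(r.failed_suffixes), sorted(r.errnos), r.daemon_stopped)
```

A verdict of backend-open-failure for a suffix is the case where restarting slapd or re-kerberizing cannot help, because the on-disk BDB environment itself is the problem; that is the point at which a dirserv or bootable backup becomes the only reliable path, which is what the reply below ends up doing.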

    I had a similar problem. A couple days after upgrading, I encountered OD's "Unable to load replica" problem and had my server's certificate deleted from my system keychain!
    Server.app + OD + LDAP are all extremely fragile and I just don't trust them during transitions, so I always keep an independent bootable backup with Carbon Copy Cloner and this preflight script. I'll post my notes for recovering OD below, but in my case, nothing worked this time, and I couldn't start OD robustly across reboots. Fortunately for me, my 12 hour old bootable backup was working, so I just used CCC to copy my bootable backup back. Not sure what I would have done had that not worked short of rebuilding everything from scratch.
    Pre-steps:
    0. Bootable backups, Time Machine backups, and dirserv backups of everything.
    1. Disk Utility: Fix disk permissions, Fix disk
    2. PRAM reset, Command-Option-P-R at boot
    3. DiskWarrior to rebuild the disk directory
    Possible steps to fix OD:
    # Fix Open Directory "Unable to load replica"
    # Try this first:
    # https://support.apple.com/en-us/HT200018
    # Quit Server.app
    sudo mkdir /var/db/openldap/migration/
    sudo touch /var/db/openldap/migration/.rekerberize
    sudo killall PasswordService
    # Open Server.app
    # Try this second:
# http://apple.stackexchange.com/questions/79141/how-to-fix-failing-open-directory-database-cn-authdata-cannot-be-opened-err
    sudo serveradmin stop dirserv
    sudo launchctl unload -w /System/Library/LaunchDaemons/org.openldap.slapd.plist
    sudo db_recover -h /var/db/openldap/authdata/
    sudo /usr/libexec/slapd -Tt
    sudo launchctl load -w /System/Library/LaunchDaemons/org.openldap.slapd.plist
    sudo serveradmin start dirserv
    # Try this third:
    # https://discussions.apple.com/thread/6018956
    sudo serveradmin stop dirserv
    sudo slapconfig -restoredb /private/var/backups/ServerBackup_OpenDirectoryMaster.sparseimage
    sudo serveradmin start dirserv
    # Try this fourth (assuming ccc_preflight od backup):
    # https://discussions.apple.com/thread/6018956
    sudo serveradmin stop dirserv
    sudo slapconfig -restoredb /private/var/backups/odbackup/od_2015-04-11.sparseimage
    sudo serveradmin start dirserv
    # Try this last:
    sudo rsync -va /your-backup-drive-possibly-TM/private/var/db/openldap/authdata/ /private/var/db/openldap/authdata/
    If your server cert gets deleted from the System keychain, you'll need to boot into the bootable backup and export the certificate+key that looks like hostname.domainname.tld, signed by IntermediateCA_HOSTNAME.DOMAINNAME.TLD_1, copy this to the server drive, import back into the System keychain. The cert should then appear within Server.app again. See here for how to do this if all you have is the System keychain file.
    If anyone has reliable advice how to fix a corrupt OD that would be a huge help.

  • Mac Open Directory and Sun Java DS

    We have Mac Open Directory Servers running on OSX 10.4.x domain. I am thinking about moving this domain by implementing Sun Identity Management solution. However, I am not able to find the Mac Open Directory in the IDM Supported standards. My Sun Directory Server synchronizes with the Windows AD using IDSYNC but I am not sure how a similar environment can be implemented for Open Directory. Is there a product from Sun for synchronizing accounts with Open Directory from the Sun Java DS?

Mac Open Directory supports the LDAPv3 protocol so you could use Sun IdM's LDAP adapter to manage entries in Mac OD. I would probably set up Sun IdM to perform the synchronization. Your configuration would depend on what source was authoritative.
The tough thing is that Active Sync would probably not work for Mac OD so automatically doing a synchronization based on updates in the Mac OD would not be feasible unless you created an Active Sync adapter. I've done it before. It's not too difficult.

  • DNS, Open Directory, and wow my head hurts

    OK, I’m slowly pulling my ear hairs out over this.  My comprehension of the DNS world is modest at best (I know enough to get into trouble). I did not set up most of this (not the DNS parts anyway), and I’m trying to unravel what exactly is going on.  Maybe it’s exactly as it should be; but it seems awfully convoluted to me, so if you’re bored and want to show off your expertise and ability to explain it to a kindergartener, please read on…
    Let’s say my Domain is mydomain.com. (You can probably figure out what it really is, but I’d rather not sprinkle a post with it.)
Our firewall is a Sophos UT320. It obviously supports forwarding of DNS info from our ISP.  While its own documentation says it does not have a full-fledged dns server, it does have something called “Static Entries” which seems to be a bare-bones dns server of sorts. I can set any static domain name (myserver.mydomain.com for example), point it to a server on our lan, and everyone internally can get to that server by using myserver.mydomain.com instead of 192.168.blah.blah.  It also supports reverse DNS, so if I issue a host 192.168.blah.blah command from my computer, I get “blah.blah.168.192.in-addr.arpa domain name pointer myserver.mydomain.com.” My guess is that it’s only serving up A records.  No one from outside our LAN can access these servers or records (unless they’re on a VPN of course).
    Now, in our lan, we have a bunch of Mac Servers.  Our Open Directory server has DNS service enabled on it, and the primary zone is set to od.mydomain.com.  It has some A records pointing to myserver.mydomain.com, myotherserver.mydomain.com, etc.
Another server, located at myserver.mydomain.com, has a DNS service whose primary zone is mydomain.com (yes, it matches our external domain name). It contains A records for itself, the OD Server, and others.
    Reverse lookup works fine throughout the lan.
    All DNS Servers’ Forwarders are our router.
    I did a test where I turned off all these internal DNS servers (yes, there’s more) and pointed all the servers to the router. It seemed fine at first, I could issue HOST commands to and from every server to every other one and resolve both names and addresses.  The router seemed to be doing fine.
    After a day or so (I assume after the TTL elapsed), people started getting permissions errors on the servers, so I turned it all back on.
    This is with 10.6.8 Servers (one is running 10.9 but it doesn't seem to have DNS running).
So here are my questions:
    Why would my OD Server’s DNS Service’s primary zone be “od.mydomain.com” and not just “mydomain.com”?
    Does it make sense (or even matter) to have these DNS entries ending in mydomain.com when that’s our website’s address? (We host our own site and email server, btw.)
    Why would OD not work after all these DNS Servers were turned off, when HOST command shows it can get to every other machine and they can get to it?  What else, besides the A record and reverse lookup, could be included in the full-blown DNS servers that wouldn’t be in the Sophos bare-bones one, but still allow reverse lookups to function?  What else does OD want from DNS??
    Wouldn’t it be better, even if this all was necessary, to set up a single internal DNS Server (ok, maybe plus a backup)?  Why would this service be running, with a variety of A records, on almost every server we have?
    Is there a site that can explain DNS, and actually define every acronym, abbreviation, etc it uses?  Every time I try to learn something I go down a wiki rabbit hole.
    Thanks!
    Jeff

    OK, the answer to this seemed to be to not rely on Sophos' "Static Entries" DNS functionality.  Even though it allows "HOST" commands to work for both reverse and forward lookups, OD and/or Kerberos needs more.  Once I made a zone on our OD Server that listed itself, our replica server, AND our email server (which uses Kerberos), and made what I think is now a proper secondary DNS server on our replica server, and pointed the OD server's DNS to itself, the replica to itself, and kept the email server using the Sophos for DNS, it worked.
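Two passages on this page make the same point: the first reply to the opening question (OD Master needs working DNS with a reverse zone and a real domain rather than .local) and Jeff's answer here (the Sophos static entries satisfied host lookups in both directions, yet OD and Kerberos still needed a proper zone). The script below is an added example, not from either poster: it runs the checks a practitioner would want before promoting an OD Master. The forward/reverse round trip and the .local test come straight from those replies; the SRV check for _ldap._tcp and _kerberos._tcp is this example's addition, based on the general fact that Kerberos clients can locate a KDC through _kerberos._tcp SRV records, and is reported as a warning rather than an error. The zone is constructed in memory so the script runs offline; `mydomain.com` and all addresses are placeholders.

```python
from typing import Callable, Dict, List

# A resolver is any callable (owner name, record type) -> list of rdata strings;
# an empty list stands for NXDOMAIN/NODATA.
Lookup = Callable[[str, str], List[str]]

# Zone constructed for this example; names follow the post's mydomain.com placeholder.
CONSTRUCTED_ZONE: Dict[tuple, List[str]] = {
    ("odserver.mydomain.com.", "A"):        ["192.168.10.5"],
    ("5.10.168.192.in-addr.arpa.", "PTR"):  ["odserver.mydomain.com."],
    ("replica.mydomain.com.", "A"):         ["192.168.10.6"],
    ("6.10.168.192.in-addr.arpa.", "PTR"):  ["replica.mydomain.com."],
    ("_ldap._tcp.mydomain.com.", "SRV"):    ["0 0 389 odserver.mydomain.com.",
                                             "10 0 389 replica.mydomain.com."],
    ("_kerberos._tcp.mydomain.com.", "SRV"): ["0 0 88 odserver.mydomain.com."],
    # forward record whose reverse points at a different host (a stale PTR)
    ("badhost.mydomain.com.", "A"):         ["192.168.10.8"],
    ("8.10.168.192.in-addr.arpa.", "PTR"):  ["otherhost.mydomain.com."],
    # a bare-bones "static entries" style host: forward and reverse only, in a .local domain
    ("fileserver.corp.local.", "A"):        ["192.168.1.20"],
    ("20.1.168.192.in-addr.arpa.", "PTR"):  ["fileserver.corp.local."],
}


def zone_lookup(name: str, rtype: str) -> List[str]:
    """Offline resolver over the constructed zone; swap in a live resolver for real checks."""
    return list(CONSTRUCTED_ZONE.get((name.lower(), rtype), []))


def fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def ptr_owner(ip: str) -> str:
    """192.168.10.5 -> 5.10.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def check_od_dns(host: str, lookup: Lookup = zone_lookup) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]} for a prospective OD Master name.

    errors   : conditions the replies above describe as blocking (bad name, no A,
               no PTR, or PTR that does not round-trip to the same name)
    warnings : missing _ldap/_kerberos SRV records for the host's domain
    """
    name = fqdn(host)
    labels = name.rstrip(".").split(".")
    errors: List[str] = []
    warnings: List[str] = []

    if len(labels) < 2:
        errors.append(f"{name}: not a fully qualified name")
        return {"errors": errors, "warnings": warnings}
    if labels[-1] == "local":
        errors.append(f"{name}: .local is Bonjour's multicast domain, not a DNS zone")

    addrs = lookup(name, "A")
    if not addrs:
        errors.append(f"{name}: no A record")
        return {"errors": errors, "warnings": warnings}

    # Every address must reverse-resolve to exactly the name we started from.
    for ip in addrs:
        ptrs = [fqdn(p) for p in lookup(ptr_owner(ip), "PTR")]
        if not ptrs:
            errors.append(f"{ip}: no PTR record (reverse zone missing)")
        elif name.lower() not in [p.lower() for p in ptrs]:
            errors.append(f"{ip}: PTR is {', '.join(ptrs)}, expected {name}")

    # Service discovery records for the host's domain (example's addition, see lead-in).
    domain = ".".join(labels[1:]) + "."
    for svc in ("_ldap._tcp.", "_kerberos._tcp."):
        if not lookup(svc + domain, "SRV"):
            warnings.append(f"{svc}{domain}: no SRV record")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for h in ("odserver.mydomain.com", "badhost.mydomain.com",
              "fileserver.corp.local", "ghost.mydomain.com"):
        print(h, check_od_dns(h))
```

To run it against real servers, replace `zone_lookup` with a function that queries the resolver each server is configured to use (for instance dnspython's `dns.resolver.resolve(name, rtype)` with the rdata converted to strings); running it once per DNS server is the quickest way to see whether the OD server, its replica and the mail server all get the same answers, which is the consistency Jeff's final setup provides.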

  • Open directory and Active directory

    Hello everyone.
    I am from a school in london. We currently have 8 servers (7 running Server 2003 and a recently installed Mac server running os x server 10.5)
    We have recently installed new macs into our media room and need them to be set up to work with the current domain setup.
what we wish to do is to run the media centers computers through the Mac server but get the existing domain information from the Active directory server running windows. As i have not set up a mac server before I am having certain difficulties doing this. The first time we set up the active directory on the mac server we could log into the mac computers but could not change any of the policies to different groups to allow or deny certain applications from running. Every time i go to save a policy for a certain group we get the error message
    "Error while saving record "Finchley\Level 1@ Error -14140
I'm guessing this is because we are trying to save that to the active directory and not onto the mac server so how can we Map the active directory to the Macs open directory so that we can customize the mac group policies?
Sorry if that didn't make a lot of sense, I'm typing a bit fast
    Thanks

    Have you been here?
    http://docs.info.apple.com/article.html?path=DirectoryAccess/1.8/en/c7od45.html
It should be straightforward, depending on how your AD accounts are setup.
    Unfortunately, I currently see a bug in the system which is often causing the home directory share to fail to mount when I use the AD plug-in in its default configuration. I'm pleading with Apple to fix this soon.
    If you use the plug-in in "true network home" fashion, by unchecking the 'force local home' option, then you should avoid this annoying bug. This method however requires plenty of network bandwidth and space for your entire Mac home folder.

  • Open Directory and AFP

Hello, I have been having some problems setting up Tiger Server to have the clients' home directories hosted on the server. When the client tries to login, it gives them an error saying they are unable to log on at this time because of afp. If anyone could help or point me to a guide it would be appreciated.
    -Bobby

    Hi
    For 10.4 Server you should really post in the 10.4 OD Forum here:
    http://discussions.apple.com/forum.jspa?forumID=713
    However it does not really matter. You may find what follows useful:
    A Simplified Method for Deploying Open Directory Services
    A centralized authentication and authorization service providing automounting home folders for network users and control for service administrators using managed preferences. Ideal for Schools, Colleges, Libraries, Universities and in some cases, Private Companies
    These instructions are for the GUI only with no manual configuration and hardly any recourse for the command line. These instructions also assume that this will be the only server on the network.
    Substitute appropriately the examples given for your situation. The example used is for a pretend school called ‘High School’
    Assuming you have installed the Server Software and on restart the Server Setup Assistant has launched. We’ll use Administrator as the long name and admin as the short name with admin as the password for the default Server Administrator account (UID 501). We’ll assign a fixed IP address of 172.16.16.254, a subnet mask of 255.255.255.0 and the router/gateway IP address offering access to the internet as 172.16.16.1. Key in any ISP supplied DNS Server IP addresses in the DNS Servers field in the Network Preferences Control Panel. The server name will be server. You will see the server name in the Sharing Preferences Pane (server.local) as well as Server Admin > Computers & Services. The Server can be reached either using this name, its IP address, its loopback address and later on, after the DNS Service has been configured, its Fully Qualified Domain Name (FQDN). Don’t start any services apart from Remote Desktop, save the configuration as a text file and restart the Server. After the restart log in using the newly created System Administrator account details. Now would be a good time to test internet connectivity as well as running Software Update and installing all the updates relevant for the server.
    Start simple file services first: AFP and if necessary Windows. If there is more than one PC already on the network switch off Workgroup Master Browser and Domain Master Browser found in Server Admin > Windows > Advanced > Services. Create a test user in the local server directory (NetInfo) and test using a client computer to access the default share points: Users, Groups, Public. Don’t be tempted to delete these folders as the server will complain. If you don’t want to use these you can simply unshare the share points and create new ones. You could for example create share points on a connected XServe RAID and share these instead. Save any changes made.
    The instructions that follow are for simple DNS Settings which will do to successfully deploy an Open Directory Master
    Click on DNS Service Settings > Zones > click the + icon > General. The Server IP address will already be there, key in the Fully Qualified Domain Name (FQDN). This can either be a real world domain name or a pretend domain name. As long as it resembles fully qualified domain names it will do, avoid using .local.
    In this example we will use server.highschool.sch.org.
    Save the changes
    Now click Start Service. You will have to click Start Service twice as Server Admin does not start the service the first time as that is when the config files are written. These are kept in two locations: /etc/host.config and /var/named. The second time you click Start Service you will get the green light. Now set the Logging level to Debug and save the changes again. Launch System Preferences > Network > Configure > TCP/IP > key in the Server’s own IP address 172.16.16.254 in the DNS Servers field and remove any other IP address. Apply and save changes. Launch a web browser and see if you can get on the internet. Inspect the DNS logs in Server Admin and you will see entries starting with createfetch as well as received control command channel status: ready. By this time you should be on the internet using the server’s own IP address instead of ones supplied by your ISP or Router. Test and qualify the DNS Service by launching terminal and issuing the host command:
    host server.highschool.sch.org
    server.highschool.sch.org has address 172.16.16.254
    host 172.16.16.254
    254.16.16.172.in-addr.arpa domain name pointer host172-16-16-254.in-addr.server.highschool.sch.org
    This qualifies the forward and reverse pointers for the DNS Service
    Remember that a properly configured and qualified DNS service is crucial to the more advanced technologies available on OSX Server. Apple themselves recommend using DNS even if the Server is providing simple file services such as AFP.
    If you want the Server to issue IP addresses then consider using the DHCP Service. If your router is already doing this then there is no need to bother just yet. Once you get comfortable and familiar with the Server you could look at this later on.
    Back to Server Admin
    Click on Open Directory > Settings > Select Standalone and now select Open Directory Master. As soon as you do this you will be prompted to create the Directory Administrator account, by default diradmin. You can’t use the standard administrator account. You don’t have to use diradmin as the name; you can use another name, but don’t be tempted to use admin. For this example we will leave it as it is, as well as defining the password as diradmin. If DNS Services are correctly configured you will see the Kerberos Realm field already filled in for you and it will look like this: SERVER.HIGHSCHOOL.SCH.ORG. As you can see it will be the FQDN but in capitalized form. The search base will be automatically filled in also and it will look like this: dc=server,dc=highschool,dc=sch,dc=org.
    Save changes.
    Launch Directory Access (/Applications/Utilities) and click on LDAPv3, authenticate if required to do so. Inspect the configuration setting there and you should see the Server’s loopback address 127.0.0.1 has been entered as a New Configuration. This is normal and gets added upon promotion. Now launch Workgroup Manager and select the appropriate Directory Node LDAPv3/127.0.0.1. Authenticate using the newly created Directory Administrator account: diradmin. If everything has gone well you will see the Directory Administrator user (UID 1000) already there. Create a new user called Andrew Barton, short name: andybarton, UID 1025, password andyb, click Save. Select Sharing and make sure that the default Users folder is set to share, now click on Network Mount and click the lock, authenticate using the diradmin account and set the Users home folder to automount Home Directories. Click Save. Click Accounts, select Andy Barton, click Home, verify that the Home Folder path says afp://server.highschool.sch.org/Users, select this and click Create Home Now followed by Save. Navigate to the Finder, double click the Server hard drive, double click the Users folder and verify that the folder andybarton has been created. Double clicking on this folder will show the usual set of home folders with no-entry signs on all of them apart from Public and Sites. Carry on populating the LDAP Directory Node with desired users. Once you have finished click on the Groups tab and create a group and call it Music Class, populate this group with desired users. We will look at Managed Preferences (MCX) for this group later on.
    In this example Music Class has 30 iMacs. Use the first iMac as a model for all the others. Create an administrator account on the first iMac with a strong password. Avoid using Administrator and admin as these could conflict with the Server admin account. Don’t use a User Account already created on the Server. I will use MC Administrator as the long name and mcadmin as the short name, switch off auto log-in. Install all relevant site license software on this mac. Set the iMac’s name in the Sharing Preferences Pane to iMac01, the .local part will be automatically filled in for you, save all changes. Run all software updates available for the mac, restart the mac. You can now use this mac as the ‘Golden Mac’ – a template for all the other iMacs. You can target disk mode this first mac to the second mac and after cloning change the name of the second mac to iMac02. Or you could image iMac01 to an external firewire drive, connect the drive to the server and use Apple Remote Desktop (ARD) to push out the image to all the other macs. You could also use System Image Utility, PackageMaker and NetInstall. As you can see there are numerous ways of doing this.
    Back to iMac01
    Log in using the mcadmin account, launch Directory Access (Applications/Utilities), click on the lock and authenticate, select LDAPv3, click Configure, deselect ‘Add DHCP-supplied LDAP servers to automatic search policies’, click New and key in either the IP address 172.16.16.254 or better still its FQDN. If you are going to use the Server’s FQDN then make sure the Server’s IP address is in the client’s DNS Servers field. Server discovery should be fairly quick, you will see iMac01.local’s computer in the first field and you will be prompted for a network user name and password, don’t bother with this, just click OK and then continue, you will then see the Server Configuration in the Services window, click OK. Click on Authentication and verify that Custom Path is displayed, you should see /LDAPv3/172.16.16.254 or the server FQDN as the second Directory Domain displayed (the first one will be the local NetInfo node and will be grayed out). Do the same for the Contacts tab, click OK and quit Directory Access, select log out from the Apple menu and you should now see a log in window displaying the local mcadmin account as well as ‘Other’. Click Other, key in andybarton as the name and andyb as the password, you should now be logged into the Home Folder for that user on the server. Launch TextEdit, type a few words and save the Untitled document to the Documents folder, now log out. Go to Workgroup Manager, select Sharing, select Users, select andybarton, select Documents and you should see the Untitled document grayed out.
    Managed Preferences or MCX
    Select the Music Class Group, click on Preferences > Finder > Views > Always > Default View and select the smallest setting for the dock size, click Done, go back to the client and log in again as andybarton and see if the dock size has changed. The order in which managed preferences take precedence are:
    User
    Computer
    Group
    If a setting is defined in Group and also defined differently in Users, the Users setting will take precedence. Managed Preferences can be cumulative also. What can be managed for Users and Groups are the same. Computer Lists are the same with the addition of Energy Saver. Play with these settings as seems appropriate to you. If you decide to manage clients using Computer Lists then create your own (by type and location), try not to use the default lists. The same advice applies to Network Views.
    As time goes by and you become more familiar and comfortable you can start integrating the Software Update Service, NetBoot/NetInstall, Mail Services, Print Services and any other Service that seems appropriate to you.
    Hope this helps, Tony
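    The walkthrough above qualifies DNS by hand with `host` and then lets Server Admin derive the Kerberos realm and LDAP search base from the FQDN. The script below is an added example (not part of Tony's post or of any Apple tool) that automates those pre-promotion checks: the name must not be a Bonjour .local name, the A record must resolve to the server's address, the PTR for that address must point back to the same FQDN, and it shows the realm and search base you should expect to see pre-filled. Note that in the `host` output shown above the reverse lookup returns a generated `host172-16-16-254.in-addr...` name rather than `server.highschool.sch.org`; the KDC and the clients build service principals from these names, so the check below treats that as a finding. The resolver is injected so the checks run offline against constructed records; `LiveResolver` uses the system resolver for a real run.

```python
"""Pre-flight DNS checks before promoting OS X Server to an Open Directory Master.

Added example, not from the original forum post. Names and addresses are the
walkthrough's own (server.highschool.sch.org / 172.16.16.254); the DNS data in
StaticResolver is constructed so the script runs offline.
"""
import socket
from typing import Dict, List, Optional, Protocol


class Resolver(Protocol):
    def forward(self, name: str) -> Optional[str]: ...
    def reverse(self, ip: str) -> Optional[str]: ...


class StaticResolver:
    """Constructed DNS data for offline use: name -> IP (A) and IP -> name (PTR)."""

    def __init__(self, a: Dict[str, str], ptr: Dict[str, str]) -> None:
        self.a = {k.rstrip(".").lower(): v for k, v in a.items()}
        self.ptr = {k: v.rstrip(".").lower() for k, v in ptr.items()}

    def forward(self, name: str) -> Optional[str]:
        return self.a.get(name.rstrip(".").lower())

    def reverse(self, ip: str) -> Optional[str]:
        return self.ptr.get(ip)


class LiveResolver:
    """Real lookups via the system resolver (the server should be pointing at itself)."""

    def forward(self, name: str) -> Optional[str]:
        try:
            return socket.gethostbyname(name)
        except socket.gaierror:
            return None

    def reverse(self, ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0].lower()
        except (socket.herror, socket.gaierror):
            return None


def kerberos_realm(fqdn: str) -> str:
    """Server Admin pre-fills the realm with the FQDN in upper case."""
    return fqdn.rstrip(".").upper()


def ldap_search_base(fqdn: str) -> str:
    """Server Admin pre-fills the search base with one dc= component per label."""
    return ",".join(f"dc={label}" for label in fqdn.rstrip(".").split("."))


def preflight(fqdn: str, ip: str, resolver: Resolver) -> List[str]:
    """Return a list of problems; an empty list means DNS is ready for promotion."""
    problems: List[str] = []
    name = fqdn.rstrip(".").lower()
    labels = name.split(".")
    if name.endswith(".local"):
        problems.append(f"{fqdn}: .local is a Bonjour name, use a real or pretend domain")
    if len(labels) < 2 or not all(labels):
        problems.append(f"{fqdn}: does not look like a fully qualified host name")
    fwd = resolver.forward(name)
    if fwd != ip:
        problems.append(f"A record: {name} -> {fwd!r}, expected {ip}")
    rev = resolver.reverse(ip)
    if rev != name:
        problems.append(f"PTR record: {ip} -> {rev!r}, expected {name}")
    return problems


WALKTHROUGH_FQDN = "server.highschool.sch.org"
WALKTHROUGH_IP = "172.16.16.254"

# Constructed: forward and reverse agree, which is what you want before promotion.
GOOD_DNS = StaticResolver(
    a={WALKTHROUGH_FQDN: WALKTHROUGH_IP},
    ptr={WALKTHROUGH_IP: WALKTHROUGH_FQDN},
)
# Constructed from the reverse answer actually shown in the walkthrough's host output.
AS_POSTED_DNS = StaticResolver(
    a={WALKTHROUGH_FQDN: WALKTHROUGH_IP},
    ptr={WALKTHROUGH_IP: "host172-16-16-254.in-addr.server.highschool.sch.org"},
)

if __name__ == "__main__":
    for label, dns in (("fixed PTR", GOOD_DNS), ("as posted", AS_POSTED_DNS)):
        print(label, preflight(WALKTHROUGH_FQDN, WALKTHROUGH_IP, dns) or "OK")
    print("Kerberos realm:", kerberos_realm(WALKTHROUGH_FQDN))
    print("LDAP search base:", ldap_search_base(WALKTHROUGH_FQDN))
```

    To run it against a real server, replace the StaticResolver instances with `LiveResolver()` on a machine whose DNS Servers field points at the server's own address, as the walkthrough sets up.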

  • Setting up Open Directory and iCal server.

    Hello:
    I'm new to Open Directory - please help or point me in the right direction. I'm trying to set up an OSX Server 10.5 running on a PowerMac G4.
    I need iCal/DNS/FS/VPN/WEB/Open Directory as services enabled.
    For testing purposes I've set up a small network with three machines all running 10.5.6.
    I've tried over and over to do this via an advanced server but have not been able to get everything to work, so I did a basic server allowing the server setup to input all my settings. Everything built and started up without issue but I could not get iCal to work. I let the setup sit overnight and when I returned the next morning the MacMini screen had a window saying that a directory server has been found that offers the following services ...WEB - iCal etc. Do you want to configure your workstation? I did and everything worked as expected. I thought that I finally got it!
    I wanted to see the all of the settings so I converted the server to an advanced server and everything still worked. ( From the one workstation ).
    I imported a users exported file from the server I'm trying to fix then the groups file. Everything still worked from the Mac Mini but I could not connect from the other workstation.
    I never received the Open Directory message about services being offered etc.
    Both machines have identical network settings (fixed IP, pointing the DNS to the server). AFP sees the server from both workstations but I cannot log in from the third workstation using any known good user name and password, not even the admin or the MacMini account and password that works from the Mac mini. I don't really know anything about Open Directory; do you need to register the computer name with the server or something to that effect?
    Why would it take hours for that original service offering to go out to the first workstation?
    Thanks for any help you can offer. All of my OSX server experience has been setting up file servers never any of the other offerings.
    Thanks,
    Rick

    Sorry,
    I posted this to the wrong forum. I re-posted in Open Directory.
    Thanks,
    Rick

  • Open Directory and connection to shared folders fail

    Hi,
    For testing i've setup an Open Directory Master (Leopard server 10.5.2) with shared folders and portable home directories.
    Login and synchronizing works as it should. But once logged in, when I click on the server in Finder I just get "connection failed". When I choose "Connect As" and log in as the same user and password as authenticated at the login to the computer (authenticated to OD) it works.
    I thought it should work like a single sign on?
    Any clues?

    Hi
    If you browse the discussion forum you should find this:
    http://discussions.apple.com/thread.jspa?threadID=1251475&tstart=0
    Basically browsing using the Finder or Side Panel does not work well or breaks easily (as far as I can tell it has been like this since 10.2). In an OD environment trying to connect and getting a ticket using that method will probably fail. The workaround - or the 'fix' - is to use 'Connect to Server' from the Go Menu using the Server's IP address. In my experience it does not seem to matter whether AFP is set to Kerberos, Any or Standard for the authentication method. It also does not seem to matter whether the Server is configured in Standard or Advanced.
    I've not come across anything yet regarding Workgroup. Probably in that configuration it may not be an issue as this mode - as far as I can see - is ideal for AD-OD integration. In that environment OSX Server would not be the KDC and mac clients will be using the AD for SSO.
    Since this has been happening since 10.2 I don't see Apple addressing this anytime soon, however you never know?
    Tony

  • Authentication using Open Directory and NO home folder

    We are looking to set up an Open Directory on a Snow Leopard server in our medium sized company - we would like to use it for Single Sign On authentication but do not want to create home folders on the server. All we want OD to do is authenticate.
    We have been able to authenticate using OD bound and unbound but both need home folders. Is there a way to have no home folder and still authenticate?
    thanks

    What I did was in WGM select a user account. Then select the Home tab. Click the + button to add a home folder. In the sheet that drops down, in the bottom box put /Users/username. Leave the other boxes blank. This will create a home folder locally on whatever machine the user logs into.

  • AR Open Items and Aging question

    Hi
    I have one question on AR Open Items aging. If Doc 100000 is posted on 4/1 with amount 25, suppose it is cleared on 4/8. Now I get two records to BI. One will replace the existing record with the Clearing Doc no and the other one is a new posting for the clearing doc.
    Delta load on 4/1/2011
    Posting Date   Doc no     Amount   Clearing Doc
    4/1/2011       1000000    25       -
    Delta load on 4/8/2011
    Posting Date   Doc no     Amount   Clearing Doc
    4/1/2011       1000000    25       1000025
    4/8/2011       1000025    -25      1000025
    My question is If I run the Aging report on 4/9/2011 with key date value 4/1/2011 will the result show 25 amount as Open item or cleared item?
    If I want to show status of the document as of old date, Should I take daily snapshots of the data?
    Please let me know your thoughts!
    Thank you
    Sree

    Hi Sree,
    That document was open on 4/1/2011 and was cleared on 4/8/2011.
    If you execute the R/3 report FBL5N (Customer Line Item Display) with "Open at key date" 4/1/2011, the report will show the document as an open item.
    What your Aging Report on the BI side will show depends on the design of the report, but as per my understanding, if the query gets executed with key date value 4/1/2011, then the report should show the document as an Open Item.
    In that case the restricted key figure should be designed in such a way that it compares the Clearing Date with the Key Date: if the Key Date < Clearing Date then the document will be treated as an Open Item; if Key Date >= Clearing Date then the Document will be displayed as an Open Item.
    We are also using such a report. In fact we have also designed it in such a way that the report can display how old the document is (90 days, 30 days, etc.) by giving the Offset value.
    But frankly speaking it depends on your requirement and the design of the Query.
    Regards,
    Debjani
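    The exchange above boils down to one rule: a line item is open at a key date if it was posted on or before that date and its clearing date is either blank or later than the key date. Because the clearing date travels with the after-image record, the status at any past key date can be recomputed from the current data, which is why daily snapshots are not needed for this. The script below is an added example (not from either poster and not SAP code) that applies that rule to the two records Sree describes after the 4/8 delta and adds the 30/60/90-day bucketing Debjani mentions. It assumes the clearing date of both records is the posting date of the clearing document (4/8/2011), and it follows the FBL5N convention that an item cleared on the key date itself is no longer open.

```python
"""Open-item status at a key date from after-image delta records.

Added example, not from the original thread. ITEMS is constructed from the
question: after the 4/8 delta the original invoice carries clearing doc
1000025 and the clearing document is a second line with the opposite sign.
Assumption: clearing_date is the posting date of the clearing document.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class LineItem:
    doc_no: str
    posting_date: date
    amount: float
    clearing_doc: Optional[str] = None    # None while the item is uncleared
    clearing_date: Optional[date] = None  # assumed: posting date of clearing_doc


def is_open_at(item: LineItem, key_date: date) -> bool:
    """Open at key date: already posted, and not cleared on or before that date.

    FBL5N convention: an item whose clearing date equals the key date is cleared.
    """
    if item.posting_date > key_date:
        return False  # did not exist yet as of the key date
    return item.clearing_date is None or item.clearing_date > key_date


def open_items_at(items: Iterable[LineItem], key_date: date) -> List[LineItem]:
    return [i for i in items if is_open_at(i, key_date)]


def open_amount_at(items: Iterable[LineItem], key_date: date) -> float:
    return sum(i.amount for i in open_items_at(items, key_date))


def aging_bucket(item: LineItem, key_date: date,
                 offsets: Tuple[int, ...] = (30, 60, 90)) -> str:
    """Bucket by days outstanding at the key date (Debjani's 'offset' idea)."""
    days = (key_date - item.posting_date).days
    lower = 0
    for upper in offsets:
        if days <= upper:
            return f"{lower}-{upper}"
        lower = upper + 1
    return f">{offsets[-1]}"


# Constructed after-image records: the state of the BI data after the 4/8 delta.
ITEMS = [
    LineItem("1000000", date(2011, 4, 1), 25.0, "1000025", date(2011, 4, 8)),
    LineItem("1000025", date(2011, 4, 8), -25.0, "1000025", date(2011, 4, 8)),
]

if __name__ == "__main__":
    # Run on 4/9 with different key dates: the 4/1 key date still shows 25 open.
    for key in (date(2011, 4, 1), date(2011, 4, 7), date(2011, 4, 8), date(2011, 4, 9)):
        open_docs = [i.doc_no for i in open_items_at(ITEMS, key)]
        print(key, "open docs:", open_docs, "open amount:", open_amount_at(ITEMS, key))
    print("aging of 1000000 at 4/9:", aging_bucket(ITEMS[0], date(2011, 4, 9)))
```

    If your report must treat an item cleared on the key date as still open, change the comparison in `is_open_at` to `>=`; that boundary is a design choice, so confirm it against FBL5N before building the restricted key figure.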
