Server App not seeing external LDAP users & groups

I have a clean 10.8.2 + Server install set up with our standard external LDAP directory (Novell's eDirectory in our case) configuration that is known to support Lion & Mountain Lion client LDAP authentication. With this same configuration on OS X 10.8.2 Server both Directory Utility and WGM can see all the LDAP users and groups as expected.
When I look for the external users & groups in the LDAP domain under the Server App "Accounts" heading I cannot see any entries in either users or groups lists. Should I be able to or is this a Server App quirk?
I can add individual LDAP users to a local group and enable access to individual services. How can I give access to services to all LDAP users without having to build & maintain a massive "All LDAP Users" local group?
Is there a published list of required LDAP attributes for users & groups for Mountain Lion Server? I suspect there are new requirements over and above those for 10.6 server but I have failed to find a good reference. I've noticed I get different behaviours for LDAP templates that include a mapping for GeneratedUID compared to one that does not, for example.
This is all so much more opaque than our superbly reliable Snow Leopard servers!
TIA

Ok, and again:
You want to see users and groups that are stored in a third-party directory service like OpenLDAP in your Server.app? This is what you have to do:
1. Connect the third-party LDAP to your server.
2. Have all your external LDAP entries made so you can see them in the Workgroup Manager and are able to log in with them.
3. When you see your LDAP entry in the Directory Manager, change it from "From Server" to "RFC2307".
4. Edit the entry and add the following mapping to it: GeneratedUUID maps to apple-generateduuid.
5. To your group and user entries in the external LDAP add the following attribute: apple-generateduuid gets the value taken from the output of "uuidgen".
6. Feel lucky.
And there it is; now you are able to use the accounts taken from an external LDAP.
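One way to carry out the "uuidgen" step for many entries at once, added here as an example that is not part of the original answer: the function reads one DN per line and emits an LDIF modify record that adds the attribute with a freshly generated UUID, ready to pipe into ldapmodify. The attribute name follows the answer as written (apple-generateduuid); Apple's own schema spells it apple-generateduid, so confirm which name your template mapping actually uses before loading anything. The sample DNs are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): write an LDIF "modify" record
# per DN that adds apple-generateduuid with a new random UUID. The attribute
# name is copied from the answer above; verify it against your LDAP template.

# new_uuid prints one random UUID, using uuidgen where available and falling
# back to the Linux kernel generator.
new_uuid() {
    if command -v uuidgen >/dev/null 2>&1; then
        uuidgen
    elif [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
    else
        echo "no UUID generator available" >&2
        return 1
    fi
}

# generateduuid_ldif reads one DN per line on stdin and writes LDIF on stdout.
# Records are separated by a blank line, which is what ldapmodify expects.
generateduuid_ldif() {
    while IFS= read -r dn; do
        case "$dn" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        uuid=$(new_uuid) || return 1
        printf 'dn: %s\nchangetype: modify\nadd: apple-generateduuid\napple-generateduuid: %s\n\n' \
            "$dn" "$uuid"
    done
}

# count_records prints how many modify records an LDIF stream on stdin holds.
count_records() {
    grep -c '^changetype: modify$'
}

# Constructed sample DNs (not from the thread); in practice feed the output of
# an ldapsearch over your real user and group containers.
SAMPLE_DNS='cn=alice,ou=People,o=example
cn=staff,ou=Groups,o=example'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DNS" | generateduuid_ldif
fi
```

Run it as `sh script.sh --demo` to see the LDIF, or pipe real DNs through `generateduuid_ldif` and on into `ldapmodify -H ldap://your-server -D "cn=admin,o=example" -W` (placeholder bind DN). Each UUID is generated once and never reused, so an entry that already has the attribute will be rejected by the directory rather than silently given a second value, which is the behaviour you want.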

Similar Messages

  • How do I stop iTunes (10.7) from automatically launching upon restart?  "Open at Login" is NOT checked in the dock and I have removed the app from Login Items under Users/Groups.  I am using a MacBook version 10.7.5.  Thank you!

    Thanks for the response gakker, but I've double-checked the camera / iPhoto / Image Capture scenario, and I'm 100% positive it's got nothing to do with that.
    Plugging in my iPhone has no effect on anything related to this.
    The other thing I should have mentioned is that when iTunes on my Mac is NOT running, then nothing happens on my iPhone screen when I plug it in to my Mac. I only get the "Sync in progress" message when iTunes IS running.
    It's interesting though that you say you also get this "Sync in progress" message, albeit only for a second or two though.
    Can I just double-check something with you however... When you say:
    +"at no time was my iTunes playback interrupted"+
    do you mean the iTunes on your Mac? Because the problem I have is that the iPod-playback on my iPhone is interrupted.
    So can you clarify that for me, please? If you have music playing on your iPhone, and you then plug your iPhone into your Mac when iTunes is running on your Mac, does the music playback on the iPhone get interrupted?

  • Error while configuring external LDAP user store with weblogic

    Hi,
    I have weblogic 10.3 installed and I can access weblogic admin console using weblogic (admin) user. I want to use external ldap user store to access admin console with users present in external ldap.
    To do this, I have configured authentication provider and provided all the required details to connect to ldap.
    For example:
    Base DN: cn=admin,cn=Administrators,cn=dscc (user with which we will connect to LDAP)
    User DN: ou=People,dc=test,dc=com
    Group DN: ou=Groups,dc=test,dc=com
    This authentication provider is set to SUFFICIENT mode. I have deleted the default authentication provider.
    In the boot.properties file I have given the user name and password of the user with which LDAP instance was created something like below.
    password=xxxxxxx
    username=admin
    Now while starting the admin weblogic server, I am getting the below error:
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <Security> <BEA-090402> <Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.>
    <Jul 25, 2012 2:22:28 PM IOT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    Truncated. see log file for complete stacktrace
    Caused By: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User admin javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User admin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:261)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    Truncated. see log file for complete stacktrace
    >
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Jul 25, 2012 2:22:28 PM IOT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Jul 25, 2012 2:22:28 PM IOT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    Can anyone please suggest how to resolve this problem, or the exact steps to configure an external LDAP store so the admin console can be managed via LDAP users?
    Regards,
    Neeraj Tati.

    Hi,
    Please refer the below content that I found for Oracle 11g in the docs.
    "If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
    By default in WebLogic Server, the Admin role includes the Administrators group. Create an Administrators group in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group.
    The Active Directory LDAP directory has a default group called Administrators. Add the user who will be booting WebLogic Server to the Administrators group and define Group Base Distinguished Name (DN) so that the Administrators group is found.
    If you do not want to create an Administrators group in the LDAP directory (for example, because the LDAP directory uses the Administrators group for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the Admin role."
    Now in my LDAP directory, the setup is such that Administrators is a group created under the following hierarchy "cn=Administrators,ou=Groups,dc=test,dc=com" and there is one user added to this Administrators group.
    The problem I am having is, when I modify the Admin role to which the Administrators group should be added, what exactly I should give in the Admin role. Should I give only Administrators or the full DN: cn=Administrators,ou=Groups,dc=test,dc=com ???
    When I give the full DN, it takes every attribute as different, I mean cn=Administrators as different and ou=Groups as different, and shows a message that cn=Administrators does not exist.
    Here not sure what to do.
    Also if external ldap authentication provider is the only provider then I need to give the user information in boot.properties file also for weblogic to boot properly. Now, what should I give there in user? still complete DN ??
    Regards,
    Neeraj Tati.

  • External LDAP user only has search priviledge in UCM

    After I configured external LDAP successfully in the WebLogic console, I can see all users from the external LDAP. External LDAP users can log in to UCM successfully, but these users only have search privilege. I want external LDAP users to have Admin privilege like weblogic (default in the embedded LDAP). How can I solve this? Any help will be appreciated greatly! Otherwise, I refer to Oracle's document,
    51.1.14 LDAP Users Not Receiving Some Administrator Privileges
    UCM inspects for the group "Administrators" on each user's login to grant UCM roles. If a user should have access to the UCM admin server, the UCM server requires that the user be a member in a group named "Administrators."
    How do I add an external LDAP user to the Administrators group?

    Hi ,
    You can use Credential Maps to achieve this:
    Steps for the same are :
    1. Login to UCM - Administration - Credential Maps .
    2. Create the map name and the following mapping :
    <ldap role> , admin
    3. Save the changes
    4. Navigate to <domain_home>/ucm/cs/data/providers/jpsuserprovider/provider.hda
    add the following variable there :
    ProviderCredentialsMap=<map name created in step 2>
    5. Save the changes and restart ucm server .
    After that, log in with the user who has the LDAP role that is mapped in step 2; this user will have the UCM admin role.
    Hope this helps .
    Thanks
    Srinath

  • How to only synchronize one specific LDAP user group with SAP?

    Hi,
    Hopefully this is the correct forum to post this in. I want to have continuous one-way synchronization of users from my LDAP server to my SAP central system. I've started configuring in SAP using transaction SM59 and LDAP. Can I somewhere set that only one specific LDAP user group shall be transferred to SAP (they do not need to be assigned to any specific group, profile, role in SAP) - or should this be done on the LDAP server side (or is it at all possible)?
    Correct me if I'm wrong, but the User Group field in the report RSLDAPSYNC_USER only concerns SAP user groups right? This would therefore not be sufficient since I want to select the users to synchronize based on user groups in the directory.
    Thanks, Oscar

    We've used a repository constant to specify the LDAP filter for reading users / groups from the LDAP target.
    E.g. LDAP_FILTER_USERS (&(objectCategory=person)(objectClass=user))
    Then we also have a constant for the LDAP_STARTING_POINT
    For our AD Group Initial Load we filter according to these settings:
    LDAP_FILTER_GROUPS = (objectclass=group)
    LDAP_STARTING_POINT_GROUPS = ou=IDMManagedGroups,ou=Groups,dc=cfstest,dc=le,dc=ac,dc=uk
    The above example only reads AD groups starting at the specified OU
    Then in a Job From LDAP Pass the LDAP URL looks like this:
    LDAP://%$rep.LDAP_HOST%:%$rep.LDAP_PORT%/%$rep.LDAP_STARTING_POINT_GROUPS%?*?SUB?%$rep.LDAP_FILTER_GROUPS%
    I hope this helps
    Paul

  • Time machine not seeing external hard drive in time line

    can anyone help
    time machine not seeing external hard drive in time line
    before 2013
    information says in 2009 is not accessible to view this
    i must select external drive from finder
    the time machine icon not recognising

    thanks for reply
    when i open time machine the time line on right side of page
    has date ranging from 2014 back to 2010 but only highlight date from 2014 back to 2013
    anything before 2013 is greyed out and cannot be selected
    when i touch the pages they only rush towards me a limited amount then stops
    also why it shows date as 2014 is strange

  • Maps app not working on Network Users

    Maps app not working on network users on client machines? Is everyone having the same issue? Thanks in advance

    Sometimes it does, sometimes it does not. I assume we're talking about network users with home folders on a remote volume…
    The only thing I could do about it was to inform Apple…

  • MBA mid-2012 does not see external display on wakeup

    My mid-2012 MBA does not see external displays on wakeup. VERY annoying
    I have a BenQ 24" HD display connected by HDMI and it is not seen by the Air on wakeup. I have to open the laptop, pull the mini-DV plug out 3 or 4 times before the display is recognised - some of the time. Most of the time requires a reboot with multiple cable/plug inserts.
    What an absolute POS this mid-2012 MBA is! Apple finally fixed the garbage colours on external displays in 10.8.4 but the issue of recognising external displays remains. It's a crock. Totally regret buying this POS.
    Have reset PRAM, SMS, cleared prefs etc. etc. ad nauseam. No solution with any of them. After almost a year of this garbage, the laptop is close to being thrown out as e-waste.

    macbook pro 13" 2012
    osx 10.8.4
    adaptor
    http://www.maplin.co.uk/mini-displayport-to-dvi-adaptor-454323
    display: philips 230c1hsb
    i have reset PRAM but nothing happens

  • Imac does not see external speakers

    Running an iMac with 10.8.2 and it does not see external Bose speakers

    Got the same issue here; it has worked for some time, but then suddenly it stopped.
    : (

  • DBCA did not see the ASM disk group in NODE 2 but see in NODE 1

    Are there anyone who encountered creating a database using DBCA with ASM as file system?
    Our issue before is in both nodes the DBCA did not see the ASM disk group.
    But after setting TNS_ADMIN in both nodes and running the DBCA as administrator in Node 1, the DBCA is now able to see the ASM disk group. Unfortunately, in Node 2 it didn't work out.
    So we don't know why, from Node 2, the DBCA still didn't see the ASM disk group, since both are the same.
    Any ideas? Please advise.
    For you information, we are using Windows 64-bit, Oracle 11g R2
    Thank you in advance for those who will respond.
    Edited by: 822505 on Dec 20, 2010 7:47 PM

    Are the disks given to ASM visible from Node 2?
    Aman....

  • Server name change leads to Server.app not being able to add users/groups

    I changed the name of my server from vanroodewierda.rna.nl to rna.nl. I recreated my DNS setup (only used on the LAN) and everything works. I do have one problem, though: in Server.app, it is impossible to add/delete users and groups. (Yes, I can use Workgroup Manager, but this situation makes the system less robust, certainly, so it should not persist)
    changeip -checkhostname says all is well:
    $ sudo changeip -checkhostname
    Password:
    Primary address     = 192.168.2.66
    Current HostName    = rna.nl
    DNS HostName        = rna.nl
    The names match. There is nothing to change.
    dirserv:success = "success"
    system log says
    Apr  7 12:36:47 rna.nl servermgrd[5046]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Apr  7 12:36:48 rna.nl servermgrd[5046]: flushing dns cache
    Apr  7 12:36:54 rna.nl servermgrd[5046]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Apr  7 12:36:55 rna.nl servermgrd[5046]: --Module servermgr_devicemgr's response has retain count of 3.
    Apr  7 12:36:55 rna.nl servermgrd[5046]: --request was {
    Apr  7 12:36:55 rna.nl servermgrd[5046]: --response was {
    Apr  7 12:36:55 rna.nl servermgrd[5046]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Apr  7 12:37:01 rna.nl servermgrd[5046]: nsc_smb XPC: handle_event error : < Connection invalid >
    Apr  7 12:37:01 rna.nl servermgrd[5046]: nsc_smb XPC: handle_event error : < Connection invalid >
    Apr  7 12:37:27 rna.nl servermgrd[5046]: nsc_smb XPC: handle_event error : < Connection invalid >
    Apr  7 12:37:48 rna.nl servermgrd[5046]: -[AccountsRequestHandler(AccountsSystemConfigurationObservation) registerForKeychainEventNotifications]: SecKeychainAddCallback() status: -25297
    Apr  7 12:37:48 rna.nl servermgrd[5046]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Apr  7 12:38:48 rna.nl servermgrd[5046]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Apr  7 12:41:24 rna.nl servermgrd[5046]: getting service list
    Apr  7 12:46:25 rna.nl servermgrd[5046]: No requests in 300 seconds, shutting down
    Apr  7 12:48:38 rna.nl servermgrd[148]: -[AccountsRequestHandler(AccountsOpenDirectoryHelpers) openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error Domain=com.apple.OpenDirectory Code=2100 "Connection failed to node '/LDAPv3/127.0.0.1'" UserInfo=0x7f9fc501c950 {NSLocalizedDescription=Connection failed to node '/LDAPv3/127.0.0.1', NSLocalizedFailureReason=Connection failed to the directory server.}
    Apr  7 12:48:49 rna.nl servermgrd[148]: servermgr_accounts: noteDirectorySearchPolicyChanged (reopening nodes)
    Apr  7 12:48:50 rna.nl serveradmin[156]: --Module servermgr_devicemgr's response has retain count of 3.
    Apr  7 12:48:52 rna.nl servermgrd[148]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Apr  7 12:48:52 rna.nl serveradmin[156]: servermgr_accounts: noteDirectorySearchPolicyChanged (reopening nodes)
    Apr  7 12:48:53 rna.nl serveradmin[156]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Apr  7 12:49:44 rna.nl servermgrd[148]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Apr  7 12:49:44 rna.nl servermgrd[148]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Apr  7 12:49:44 rna.nl servermgrd[148]: getting service list
    Apr  7 12:50:44 rna.nl servermgrd[148]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Apr  7 12:53:44 rna.nl servermgrd[148]: No requests in 300 seconds, shutting down
    Apr  7 12:56:59 rna.nl servermgrd[422]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Apr  7 12:57:00 rna.nl servermgrd[422]: flushing dns cache
    Apr  7 12:57:03 rna.nl servermgrd[422]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Apr  7 12:57:04 rna.nl servermgrd[422]: --Module servermgr_devicemgr's response has retain count of 3.
    Apr  7 12:57:04 rna.nl servermgrd[422]: --request was {
    Apr  7 12:57:04 rna.nl servermgrd[422]: --response was {
    Apr  7 12:57:04 rna.nl servermgrd[422]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Apr  7 12:57:08 rna.nl servermgrd[422]: nsc_smb XPC: handle_event error : < Connection invalid >
    Apr  7 12:57:59 rna.nl servermgrd[422]: -[AccountsRequestHandler(AccountsSystemConfigurationObservation) registerForKeychainEventNotifications]: SecKeychainAddCallback() status: -25297
    Apr  7 12:58:00 rna.nl servermgrd[422]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Apr  7 12:58:59 rna.nl servermgrd[422]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    In All messages, I see that the name VANROODEWIERDA.RNA.NL is still used (note: vanroodewierda.rna.nl is an alias in DNS for rna.nl)
    4/7/13 1:07:55.037 PM kdc[73]: AS-REQ [email protected] from 192.168.2.86:56402 for krbtgt/[email protected]
    4/7/13 1:07:55.046 PM kdc[73]: AS-REQ [email protected] from 192.168.2.86:56402 for krbtgt/[email protected]
    4/7/13 1:07:55.048 PM kdc[73]: Client sent patypes: REQ-ENC-PA-REP
    4/7/13 1:07:55.048 PM kdc[73]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
    4/7/13 1:07:55.072 PM kdc[73]: AS-REQ [email protected] from 192.168.2.86:56901 for krbtgt/[email protected]
    4/7/13 1:07:55.081 PM kdc[73]: AS-REQ [email protected] from 192.168.2.86:56901 for krbtgt/[email protected]
    4/7/13 1:07:55.082 PM kdc[73]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
    4/7/13 1:07:55.083 PM kdc[73]: ENC-TS pre-authentication succeeded -- [email protected]
    4/7/13 1:07:55.083 PM kdc[73]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
    4/7/13 1:07:55.083 PM kdc[73]: Requested flags: forwardable
    There is one stupid thing I might have done myself that caused this. In WGM in my Machines directory there was a machine called vanroodewierda.rna.nl$, I removed that and replaced it with the same MAC address and the name rna.nl$. Might the following have to do with that?
    4/7/13 2:03:57.457 PM kdc[73]: Server not found in database: ldap/[email protected]: no such entry found in hdb
    4/7/13 2:03:57.457 PM kdc[73]: Failed building TGS-REP to 127.0.0.1:50170
    4/7/13 2:03:57.458 PM opendirectoryd[31]: GSSAPI Error:  Miscellaneous failure (see text (Server (ldap/[email protected]) unknown while looking up 'ldap/[email protected]' (cached result, timeout in 1200 sec))
    What must I do to correct this? It feels like something should change in the Keychain and/or in Kerberos, but what and how?
    Thanks,

    @John & MrHoffMan,
    thanks for replying.
    - I know about the split-horizon DNS, it is by design so that, say, mail.rna.nl on the LAN resolves to the same machine as on the WAN and people can take their laptops anywhere and mail 'just works'.
    I tried this in Server.app (last night also). I now changed from rna.nl to rna.nl to vanroodewierda.rna.nl and back to rna.nl. (I did this because a change to the same might be ignored by some services and I wanted to force them). In the system log I notice (esp. the first 4 lines):
    Apr  7 18:28:21 rna.nl changeip_certs[5029]: found identity for vanroodewierda.rna.nl in keychain
    Apr  7 18:28:21 rna.nl changeip_certs[5029]: certificate for vanroodewierda.rna.nl is not self-signed
    Apr  7 18:28:21 rna.nl changeip_certs[5029]: no self-signed identity for the previous hostname 'vanroodewierda.rna.nl' found in keychain
    Apr  7 18:28:21 rna.nl changeip_certs[5029]: not generating a self-signed certificate for new hostname 'rna.nl'
    Apr  7 18:28:21 rna.nl serveradmin[5034]: servermgr_jabber[N]: Processing changeip request.
    Apr  7 18:28:22 rna.nl changeip_mail.py[5035]: Mail Service change IP: old hostname: "vanroodewierda.rna.nl (192.168.2.66)" to: new hostname: "rna.nl (192.168.2.66)"
    Apr  7 18:28:22 rna.nl changeip_mail.py[5035]: Mail Service new host/domain/IP settings:
                        mail:postfix:submit_cred:rna.nl:username = "submit"
                        mail:postfix:submit_cred:rna.nl:password = "8OOkDnAXKi8bHYHwft1mWs"
                        mail:postfix:mydomain = "rna.nl"
                        mail:imap:postmaster_address = "[email protected]"
                        mail:postfix:submit_cred:nl:username = "submit"
                        mail:postfix:submit_cred:nl:password = "8OOkDnAXKi8bHYHwft1mWs"
                        mail:postfix:add_whitelist_host = "rna.nl"
                        mail:postfix:add_whitelist_domain = "nl"
    Apr  7 18:28:22 rna.nl com.apple.SecurityServer[22]: Succeeded authorizing right 'system.privilege.admin' by client '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [147] for authorization created by '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [147] (2,0)
    Apr  7 18:28:22 rna.nl com.apple.SecurityServer[22]: Succeeded authorizing right 'system.privilege.admin' by client '/Library/PrivilegedHelperTools/com.apple.serverd' [89] for authorization created by '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [147] (100000,0)
    Apr  7 18:28:22 rna.nl serveradmin[5034]: servermgr_jabber[I]: Proxy65 config file successfully created.
    Apr  7 18:28:22 rna.nl kdc[73]: AS-REQ [email protected] from 127.0.0.1:64299 for krbtgt/[email protected]
    Apr  7 18:28:22 --- last message repeated 1 time ---
    Apr  7 18:28:22 rna.nl kdc[73]: Client sent patypes: REQ-ENC-PA-REP
    Apr  7 18:28:22 rna.nl kdc[73]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
    Apr  7 18:28:22 rna.nl kdc[73]: AS-REQ [email protected] from 127.0.0.1:52730 for krbtgt/[email protected]
    Apr  7 18:28:22 --- last message repeated 1 time ---
    Apr  7 18:28:22 rna.nl kdc[73]: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
    Apr  7 18:28:22 rna.nl kdc[73]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
    Apr  7 18:28:23 rna.nl servermgrd[1402]: servermgr_accounts: got error 5000 trying to auth to local LDAP node
    Problem remains, but I wonder: can I remove the identities in Keychain that may be messing things up? And if so, which ones? Some are even duplicated in System and login key chain.
    (never mind the weird whitelist domains Server creates, I'm managing that by hand anyway)

  • LDAP user groups not visible for configuring a Group Portal

    Hi,
    We have created a Custom Security Realm(myRealm) on WebLogic 7.0 SP2 in which
    I've added the Novell LDAP Authentication provider as the authentication provider
    and then set "myRealm" as the default realm for the domain. I am able to start
    the WLS server instance and login to portalAppTools with the "administrator" account.
    We would like to configure a Group Portal. In Portal Administration interfaces,
    when I click on Group Administration, I am unable to see any of my external LDAP
    groups. I know that we cannot create/delete users or groups in the external LDAP
    repository thru the Admin UI but the documentation says that I should be able
    to view the users/groups in the Admin UI. Authentication against the external
    LDAP repository works fine. Can anybody suggest the reason why we are unable to
    view any of the Users or Groups in our external LDAP repository thru the User
    Administration interfaces.
    Appreciate any feedback.
    Thanks
    Vikram

    Hi Jim,
    I've configured a default LDAP V2 Compatibility Realm by modifying the Config.xml
    file. I was able to restart Weblogic and see the LDAP Groups and Users thru the
    WLS console. In our project we've a unique requirement wherein all Application
    Groups and User Accounts would be stored in an LDAP repository and all BEA SERVICE
    level accounts and groups are stored in a Database (groups like AdminEligible,
    Administrators etc.). We need to be able to look at the groups in both the Database
    and LDAP repositories in order to administer and configure a Group Portal. On
    the outset it looks like we will not be able to do what we want to with the current
    portal framework. Please suggest if there are any alternatives in order to implement
    this solution. I am sure there are lot of other Clients who cannot create groups
    like Administrators, AdminEligible etc in their LDAP repositories and will be
    forced to think of alternatives.
    I would appreciate if you can reply back at your earliest convenience.
    Thanks
    Vikram
    Jim Litton <replyto@newsgroup> wrote:
    The Weblogic 7.0 Authentication Providers (new JAAS Framework) is not
    supported with Portal 7.0. You will need to configure the Compatibility
    Security CustomRealm for Novell to try to get Portal working.
    see defaultLDAPRealmForNovellDirectoryServices at
    http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1083149
    In addition, remember to test functionality through the Weblogic
    Console. If you can see groups and users there okay it is very likely
    that Portal will operate.
    -- Jim

  • Enable group mailing list in Server.app not working

    Hello everyone,
    I have been trying to enable a new (?) feature of Server.app : "Enable group mailing list". Until now, it does not work for me. When I try to send an email to the group [email protected], Mail tells me that the smtp server cannot send my message. Here is what I see on the server's /var/log/mail.log file :
    Sep 10 16:55:54 testserver01.pretendco.net postfix/smtpd[2311]: NOQUEUE: reject: RCPT from testclient01.pretendco.net[10.1.101.10]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<testclient01.pretendco.net>
    Sep 10 16:55:54 testserver01.pretendco.net postfix/smtpd[2311]: disconnect from testclient01.pretendco.net[10.1.101.10]
    It is interesting to note that group mailing lists aren't even mentioned in the Mac OS X Server Advanced Administration Guide:
    http://help.apple.com/advancedserveradmin/mac/10.8/#apd9430d30c-5796-4a20-a8f9-120638938942
    Does anyone have any good/bad experience with group mailing lists under Mountain Lion Server? Any advice?
    Thanks a lot!

    Hello Mark23, and thanks for your help!
    The log says nothing particular when I (un)set the "Enable Group Mailing List" option. The only difference I see is a line saying mail_groups[127]: sleeping for: 1 hour(s). I have no idea what this means exactly. Googling it did not help me much either.
    I post the /etc/aliases file below. Interesting: every time I (un)set the "Enable Group Mailing List" option, the /etc/aliases last access time changes. But the md5 hash of the file stays the same.
    I guess that "sudo newaliases" uses /etc/aliases to construct the binary database file /etc/aliases.db? It seems that this script is run every time I (un)check the option, since the access time of *both* /etc/aliases and /etc/aliases.db is changed to the current time.
    Do you have any other option checked ?
    Here is my /etc/aliases (I removed the blocks of comments at the beginning and at the end):
    # Person who should get root's mail. Don't receive mail as root!
    #root:                    you
    # Basic system aliases -- these MUST be present
    MAILER-DAEMON:          postmaster
    postmaster:          root
    # General redirections for pseudo accounts
    bin:                    root
    daemon:                    root
    named:                    root
    nobody:                    root
    uucp:                    root
    www:                    root
    ftp-bugs:          root
    postfix:          root
    # Put your local aliases here.
    # ==== Begin auto-generated section ========================================
    # This section of the aliases file is auto-generated by server admin tools
    # Please do not edit this section or your modifications will be lost
    # === End auto-generated section ===========================================
    # Well-known aliases
    manager:          root
    dumper:                    root
    operator:          root
    abuse:                    postmaster
    # trap decode to catch security attacks
    decode:                    root
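    The rejection in the log above ("User unknown in local recipient table") means Postfix found neither an alias nor a local mailbox for the group address. Parsing the posted /etc/aliases the way aliases(5) is read makes the cause visible: the auto-generated section is empty, so no group alias exists. The parser and resolver below are an added example, not code from the thread or from Apple's server admin tools; the SAMPLE_ALIASES text is a constructed excerpt of the posted file and LOCAL_USERS is an assumed set of accounts with a local mailbox.

```python
"""Parse a Postfix aliases(5) file and explain why a local recipient is
rejected as unknown.

Added example, not from the thread. SAMPLE_ALIASES is constructed from
the posted /etc/aliases; LOCAL_USERS is an assumption for illustration.
"""

# Constructed sample: the auto-generated section is empty, exactly as in
# the posted file, so no "group1"-style alias is ever defined.
SAMPLE_ALIASES = """\
# Person who should get root's mail. Don't receive mail as root!
#root:                    you
# Basic system aliases -- these MUST be present
MAILER-DAEMON:          postmaster
postmaster:          root
bin:                    root
abuse:                    postmaster
# ==== Begin auto-generated section ====
# === End auto-generated section ===
decode:                    root
"""

# Assumed accounts that own a local mailbox on this server.
LOCAL_USERS = {"root"}


def _split_targets(s):
    return [t.strip() for t in s.split(",") if t.strip()]


def parse_aliases(text):
    """Return {name: [targets]} from aliases(5) text.

    Skips '#' comments and blank lines, and joins continuation lines
    (lines starting with whitespace) onto the previous alias, as the
    aliases(5) format allows. Alias names are lower-cased because Postfix
    matches local parts case-insensitively by default.
    """
    aliases = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            aliases[current].extend(_split_targets(raw))  # continuation line
            continue
        name, sep, rhs = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed alias line: {raw!r}")
        current = name.strip().lower()
        aliases[current] = _split_targets(rhs)
    return aliases


def final_destinations(aliases, local_part, _path=()):
    """Expand local_part through the alias map to its final destinations.

    Remote addresses, '|' pipes, ':include:' files and '/' paths are
    returned verbatim; a name with no alias entry is treated as a local
    mailbox. Raises RuntimeError on an alias loop (a -> b -> a).
    """
    key = local_part.lower()
    if key in _path:
        raise RuntimeError(f"alias loop detected at {local_part!r}")
    if key not in aliases:
        return [local_part]
    dests = []
    for target in aliases[key]:
        if "@" in target or target.startswith(("|", ":include:", "/")):
            dests.append(target)
        else:
            dests.extend(final_destinations(aliases, target, _path + (key,)))
    return sorted(set(dests))


def diagnose(aliases, local_part, local_users=LOCAL_USERS):
    """Classify a local part as 'alias', 'local user' or 'unknown'.

    'unknown' is the case that produces Postfix's
    "Recipient address rejected: User unknown in local recipient table".
    """
    if local_part.lower() in aliases:
        return "alias"
    if local_part in local_users:
        return "local user"
    return "unknown"


if __name__ == "__main__":
    table = parse_aliases(SAMPLE_ALIASES)
    for name in ("postmaster", "abuse", "group1"):
        verdict = diagnose(table, name)
        print(f"{name}: {verdict}", end="")
        if verdict == "alias":
            print(" ->", ", ".join(final_destinations(table, name)), end="")
        print()
```

    On the server itself the equivalent check is `postalias -q group1 hash:/etc/aliases`, which queries the compiled aliases.db that newaliases builds; if that returns nothing and the name is not listed by `postconf local_recipient_maps` lookups, the 550 5.1.1 rejection is expected.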

  • Server admin not seeing directory users from workgroup manager

    I am setting up a new Xserve with Snow Leopard (get 'em while we can). We have eight other XServes running Leopard or Snow Leopard server. On those machines we have set up file sharing over AFP. The machines are connected to our Active Directory server and our users authenticate using their domain passwords. All of our other servers were setup in Leopard and were upgraded to Snow Leopard. We have not had any issues authenticating to those boxes.
    This is the first one that we have actually set up new-out-of-the-box in Snow Leopard. I can set Workgroup Manager up to connect to our AD, and can see and search my domain users and groups in Workgroup Manager. When I try to set up my File Shares in Server Admin, none of my domain users show up, only local accounts.
    What have I missed? In Leopard, when I connected to the domain, the users immediately became available in Server Admin. Not so in SL, at least on this box.
    Help?

    Hi
    The first thing to check is whether you've bound the Server to the AD Domain. The second thing is whether /Active Directory/All Domains is in the Search Policy. If you don't do either of these WorkGroup Manager won't display anything coming from the AD Schema.
    In 10.6 Apple moved the Directory Utility from where it used to be in /Applications/Utilities and made it part of the Accounts Preferences Pane. Perhaps it's this change that's confusing you? I would not advise doing this but it's also possible you used the Server Setup Assistant to do most of the configuration? If you did maybe something went wrong at that stage (won't be the first time) and you need to manually bind the Server instead?
    As ever make sure this server is using the same NTP Server as the others.
    Tony
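    The two checks Tony lists (the server is bound to AD, and an Active Directory "All Domains" node is in the search policy) can be read from `dscl /Search -read / CSPSearchPath`, which prints the attribute name followed by one node per line. The parser and check below are an added example, not from the thread or from Apple; the SAMPLE_* strings are constructed to match that output shape, and the `live_search_path` helper is an assumed wrapper that simply runs the command when dscl is available.

```python
"""Check the macOS directory search policy for an Active Directory node.

Added example, not from the thread. SAMPLE_OUTPUT_* are constructed to
match the shape of `dscl /Search -read / CSPSearchPath` output.
"""
import subprocess

# Constructed: search policy on a server that is bound to AD.
SAMPLE_OUTPUT_BOUND = """\
CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/All Domains
"""

# Constructed: search policy on a server that only sees local accounts,
# which is what the original poster's Server Admin symptom looks like.
SAMPLE_OUTPUT_UNBOUND = """\
CSPSearchPath:
 /Local/Default
 /BSD/local
"""


def parse_search_path(text):
    """Return the list of directory nodes from dscl's CSPSearchPath output.

    dscl prints a multi-valued attribute as 'Name:' followed by one value
    per line indented by a single space; a single value may instead sit on
    the same line as the name. Both forms are handled.
    """
    nodes = []
    in_attr = False
    for line in text.splitlines():
        if line.startswith("CSPSearchPath:"):
            in_attr = True
            rest = line[len("CSPSearchPath:"):].strip()
            if rest:
                nodes.append(rest)
            continue
        if in_attr and line.startswith(" "):
            nodes.append(line.strip())
        elif in_attr:
            break  # next attribute starts; stop reading
    return nodes


def ad_node_in_search_path(nodes):
    """True if an Active Directory 'All Domains' node is in the search path.

    Accepts the 10.6 form '/Active Directory/All Domains' and the later
    '/Active Directory/<DOMAIN>/All Domains' form.
    """
    return any(
        n.startswith("/Active Directory/") and n.endswith("All Domains")
        for n in nodes
    )


def search_policy_report(nodes):
    """Summarise the check as one line a reviewer can read at a glance."""
    if ad_node_in_search_path(nodes):
        return "ok: Active Directory node present in search policy"
    return ("missing: no /Active Directory/.../All Domains node; "
            "bind the server (dsconfigad) and add the node to the search policy")


def live_search_path():
    """Run dscl on this machine (macOS only); returns None elsewhere.

    Assumed helper for illustration: it only wraps the documented
    `dscl /Search -read / CSPSearchPath` invocation.
    """
    try:
        out = subprocess.run(
            ["dscl", "/Search", "-read", "/", "CSPSearchPath"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_search_path(out)


if __name__ == "__main__":
    nodes = live_search_path()
    if nodes is None:  # not on macOS: show the constructed samples instead
        for label, sample in (("bound", SAMPLE_OUTPUT_BOUND),
                              ("unbound", SAMPLE_OUTPUT_UNBOUND)):
            print(label, "->", search_policy_report(parse_search_path(sample)))
    else:
        print(search_policy_report(nodes))
```

    `dsconfigad -show` prints the current AD binding (or nothing when the server is not bound), which covers the first of the two checks; the search-policy check above covers the second.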

  • iCloud for Pages app not working on network users having home folder on Mac Mini Lion server

    Does anyone know how to make iCloud for Pages work for network users having their home folder on the server? With the home folder on the local client, iCloud for Pages works fine, but when the home folder is on the server the iCloud for Pages app does not work. My clients are running Mountain Lion 10.8.2; my server is a Mac Mini Lion Server.

    Hi Tim,
    No fix yet. My home folders reside on a Thunderbolt external hard drive; I also tested having home folders on the default server HD and no change. I called Apple Support a while ago, they replicated the issue, it just does not work on network users, and they did not say when it will be fixed.
    The version of Pages I am using is from the Apple Store.
    Hector
