Ben is not alone; 10.6 does indeed do nothing when you click “write to server”. I have run tcpdump on the client, and it does not even try to make a network connection. So sadly, I don’t think this works for 10.6, so I’ve had to resort to passing around the .plist configuration to the clients, which kinda stinks. For reference, I use SSL with my configuration and the ACL’s are correct, because if I manually update the mappings on the clients, everything works just fine.

apple-user-homeurl: nfs://fas3170.myco.com/vol/homes /users/rajeev
homeDirectory: /home/rajeev

To understand exactly what the client is requesting from the server, my suggestion is to turn up the debug logging on the OSX LDAP server and watch the access logs.

your article help a lot. But I still encounter some problems. I’m trying to use NFS + Kerberos + LDAP. I’m using OS X 10.5. The LDAP users can login, but they won’t get their home directories. It seams as if the mac system isn’t even trying to mount the NFS share. The Kerberos configuration seams to be fine, because the user gets a valid ticket. Perhaps you could explain the apple-user-homeurl, homeDirectory values. I don’t quiet get it if i need the apple-user-homeurl value for nfs. Is it possible that 10.5 changed the way how you mount the home directory?

Best reagrds,

Ulrich

http://images.apple.com/business/solutions/it/docs/Modifying_the_Active_Directory_Schema.pdf

However, a machine that I have upgraded to Snow Leopard (10.6.2) – although able to see the ODS clone – seems to ignore it completely. WGM 10.6.2 won’t let me log in with the credentials which work for Leopard. The shell “id” command doesn’t return any information from the ODS clone.

I presume that Apple has changed the schemas for ODS, though the only change I have been able to identify is the introduction of apple_auxillary.schema. Adding that to my ODS clone has not solved the problem though.

Do you have any insight into what needs to be done to get an ODS clone running for Snow Leopard clients?

Steve

Thanks again
Juan

The link to the apple.schema seems to be broken now. Is there any chance I can still get a copy of that file?

I’m battling with one problem, however;
Users in the ldap belong to multiple groups, but on the OSX only the primary group of an user is visible.

Any ideas or pointers here?

Thanks
Peter

It broke when I upgraded to 10.5. By looking at the protocol messages, I’ve come up with a few extra things that need to be done if you want WGM to play nicely under OS X 10.5.

I can’t figure out how to get the trackback thing to work properly, but my notes here

I would like to use Directory.app for creating contacts (people and groups).
We can already read contacts (also with Mail.app and Address Book.app) but when trying to create a “New Shared Contact” I always get “An error occured during authentication – Unable to verify credentials for server myhost.mydomain.dom”

In system.log I can see (loglevel stats) a search “SRCH attr=authAuthority” which results in “SEARCH RESULT tag=101 err=0 nentries=1 text=” so I assume that there must be something missing in my setup.

I would really appreciate if anyone could give me a hint `cause I´m working an this for weeks now an I´m stuck.

Thanks in advance and best regards
maceis

I can create users just fine, but sharing is the difficult part that doesn’t seem to work at all. Checking off “custom mount” as the location to share anything always returns a “device busy” at the terminal on the other 4 nodes (and I assume I shouldn’t add the master’s IP to the “export to” list), and checking off “use as user home directories” for the home directories on the RAID just created new default home directory folders with owner root and doesn’t share any of the pre-existing content from the RAID to any of the other nodes. Have you ever had this problem before? I have no idea what I’m doing wrong because I think I’ve tried everything.

1. What about any already existing ones, ie: extensibleObject. Should they be removed?

2. What about ‘Map to any/all items in list’? Do they matter, and how if so?

Thanks
:)

You do not have to add this to all users. One advantage of LDAP is that objects are extensible individually. You can extend individual user object to be apple-user objects.

I do have a question about extending the posix users and groups to be apple-user and apple-group objects. Do I have to add that object class to all users and groups in the directory? I only have a few users that need to use OS X and I would like to only extend those users and not every user and group. However, when I browse nfs shares, OS X can’t resolve user IDs to usernames that haven’t been made apple-users. It also can’t resolve any group names. I would have thought the posixAccount and posixGroup mappings would have taken care of this.

Upon closer inspection I see that there is a “Map to [any|all] items in this list” setting in Directory Utility. I also see that I can drag the mappings up and down (perhaps to prioritize?).

Can you shed some light on this? If I can avoid modifying every user and group account in the directory, that would be preferable.
I am running OS X 10.5.4 on the client.

Thanks.

I am sure you have already done this but I had to ask. Once you click “Write to server” and nothing happens, have you checked the LDAP Server and see if the macosxodconfig entry gets changed ? (LDAP debug access logs should also help). Sometimes, changing a specific mapping to a bogus value and looking for that in the XML text of the macosxodconfig entry will also help…

What is not clear is

a) whether the ldap server is receiving the request at all from the client.

b) If it did receive the request, then what did the access log say..?
do you have access to the access logs on the server ?

Running tcpdump on the client will also help …

HTH

It does, and I enter my admin credentials. Then, nada. I’m not certain I have the LDAP server’s ACLs right, though I can create anything with the same credentials under phpLDAPadmin. I’m out of time on this work right now, I hope to get another shot in the next few weeks… (I’d love to find an up to date “from zero to OpenLDAP + OS X” howto – I’ve more or less been stumbling from place to place piecing things together, no doubt I’ve missed something along the way!)
Thanks,
Ben

What I am unsure from your comments is whether or not a dialog box pops up when you click “Write to Server”.. This dialog box should contain fields to enter

Distinguished Name
• Password
• Search Base

If the dialog box does not even show up, then I would start looking at the LDAP client configuration leading up to it.

It it does show up and you are entering values correctly (remember the search base — the client will create a ou=macosxodconfig entry under this suffix and stores its config info.), then I would check

• Read/Write Permissions to the LDAP server with the DN/Pwd pair
• Read/Write ACLs on the suffix being used
• Network tracing may be in order if the above two tests check out..

HTH

(remember the SearchBase is the searchbase where the client can