AD InetOrgPerson Vs User and network mounts

  • #370191
    cperisho
    Participant

    I’ve been bashing my head against a few problems and I’m hoping some awesome person here will help me with one or more of them.

    I have an AD/OD setup arrived at by loosely following the Bombich paper and borrowing a bit from the Rennich paper. I am also working on netbooting all of my lab clients and making them managed clients. Here is my setup:

    Windows Server 2003 SP2 - Active Directory
    Mac OS X 10.4.10 - Open Directory
    In the "Golden Triangle" configuration

    Around 16 client lab Macs, some Intel, some not, all with OS X 10.3 or higher.

    The Mac I am using as a test lab machine is an Intel iMac (one of those flat-panel jobs) with 10.4.10.

    What works:
    Macs authenticate against AD, Single Sign On works, my test Mac does this while netbooting.

    Problem #1

    The Macs will let an AD InetOrgPerson log in and access both AD and OD resources; however, home folders will not automount. Other automounts won't mount either. This problem does not happen for 'Users'. The distinction between Users and InetOrgPerson is lost on me, but for some reason my predecessor decided that certain users should be one and some should be the other. Is there a way to make the Mac treat these two the same?

    Problem #2

    Some of the Macs in the lab will refuse to let a 'User' with a network home log in, with an error saying that the home folder is on a network share. The share is available and other Macs can mount it no problem. I have not been able to track down what configuration is different. Again, my predecessor configured these. I could just wait until I get a working config and netboot them all, but I really want to figure out why this happens.


    #370202
    cperisho
    Participant

    I'm not exactly sure what an InetOrgPerson is either, but from googling around a bit I learned a few things:

    1. An InetOrgPerson is an entity representing a person. It can be used in Active Directory in place of the User type object.

    2. It is an LDAP standard and was added to Active Directory (Ironically in this case) for better compatibility with other LDAP systems.

    I think my problem may have something to do with the mapping of attributes. OD can’t figure out what attribute to use for home directory with this InetOrgPerson type object. I’m not really sure how to tell it where to grab this data from.

    Any ideas?

    #370208
    cperisho
    Participant

    Ah, interesting. So, I think you're saying that the AD plugin is looking for an AD User account and finding an LDAP object. The AD plugin is smart enough to allow authentication against it but not much else.

    Maybe connecting to AD with BOTH the AD and the LDAP plugin would overcome this problem, but maybe not. I'll try it and report back.

    I agree changing them to AD Users is the preferable option. I'll have to do some reading to see what the implications for email accounts and other settings are. I have a feeling this task will be non-trivial.

    I'll also ask my predecessor why he set it up this way. I have his email addy.

    #370229
    cperisho
    Participant

    Okay, I did NOT try the LDAP plugin. I decided changing InetOrgPerson to User was a much better solution, and it turned out to be pretty easy with ADSIedit.msc. I simply edited objectClass and removed the InetOrgPerson designation. This doesn't *seem* to affect anything else and allows the mounts to work properly.

    My predecessor used InetOrgPerson because he had the impression that it would be more compatible with Open Directory, which is sort of true in a sense, I guess, but not with the setup I have here.
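The following PowerShell script is an added example, not code from the thread or from any Apple or Microsoft tool. It reproduces the check and the fix described in the last post against a live domain: it finds accounts whose objectClass contains inetOrgPerson, prints the homeDirectory value (the UNC path the Mac AD plugin derives a network home from) so you can see which of them would fail to automount anyway, and, only when run with -Convert, removes the inetOrgPerson value from objectClass in the same way the ADSIedit.msc edit does, leaving a plain user object. It uses System.DirectoryServices (ADSI), which is present on Windows Server 2003-era hosts as well as current ones. The search base DN is an assumption; replace it with your own OU.

```powershell
# Added example (not from the forum post). Audits, and optionally converts,
# AD accounts whose objectClass includes inetOrgPerson.
# Assumptions: domain-joined Windows host; run as an account permitted to
# modify objectClass (normally Domain Admins); the OU below is a placeholder.
param(
    [string]$SearchBase = "LDAP://OU=Lab Users,DC=example,DC=com",  # assumed DN
    [switch]$Convert   # without -Convert the script only reports
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$SearchBase
$searcher.Filter     = "(objectClass=inetOrgPerson)"
$searcher.PageSize   = 500
foreach ($attr in "sAMAccountName", "objectClass", "homeDirectory",
                  "homeDrive", "distinguishedName") {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
"Found $($results.Count) inetOrgPerson object(s) under $SearchBase"

foreach ($r in $results) {
    $sam  = $r.Properties["samaccountname"][0]
    # homeDirectory is what the AD plugin turns into the network home mount;
    # an inetOrgPerson with no value here will not get a network home even
    # after conversion.
    $home = if ($r.Properties["homedirectory"].Count) {
                $r.Properties["homedirectory"][0]
            } else { "<none>" }
    "{0,-20} home={1,-40} classes={2}" -f $sam, $home,
        ($r.Properties["objectclass"] -join ",")

    if ($Convert) {
        $entry = $r.GetDirectoryEntry()
        # objectClass is multi-valued (top, person, organizationalPerson,
        # user, inetOrgPerson). Removing just the inetOrgPerson value is the
        # same edit ADSIedit.msc performs; the SID, password, group
        # memberships and other attributes are left as they are.
        $entry.Properties["objectClass"].Remove("inetOrgPerson")
        $entry.CommitChanges()
        "  -> converted $sam to a plain user object"
    }
}
$results.Dispose()
```

Run it without -Convert first and read the report; then convert a single lab account and log it in on one client before touching the rest. Because the AD plugin caches directory records, log the client out and back in (or reboot the netbooted test machine) before judging whether the home folder now mounts.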
