iChat server authentication via two separate AD domains?
  • #366917
    jdyck
    Participant

    I am setting up an iChat server for my school district, but we are in the (slow) process of migrating to an entirely new domain – this puts me in the awkward position of trying to get my iChat server to accept users from two different domains. I’ve bound my OS X server to one domain and that works great – all my AD users have an iChat account, but I can’t figure out how to bring in the second domain. I thought I might be able to use the LDAPv3 plugin to bring in the second domain, but maybe I’m doing something wrong… I’m entering the IP address of the DC for the second domain, it comes up and auto-selects the AD Server template with the dc= stuff auto-entered, but I can’t click the Continue button to go any further, and I don’t see any option to enter an AD username/password to get the AD info…
    Guess I should ask: first, is this even possible? And second, how do I do it if it is?
    Thanks for any advice offered
    Cheers
    Jeff

    #367005
    jdyck
    Participant

    OK, I’m back – it’s been a hectic couple of weeks getting ready for the start of the school year, and I finally got a chance to get back to this today – think I’m close, but it’s not quite there yet. Any input/ideas/suggestions would be greatly appreciated.
    What I’ve done so far:
    First of all I downloaded LDAPPER and tinkered around to figure out the settings until I was successfully able to browse and search through the AD directory. Essentially just the IP address of the server, the search base = dc=fully,dc=qualified,dc=domain,dc=name kinda thing, and authenticating with an admin account.

    The iChat server is already bound to the first AD domain via the AD plugin, and that is working fine…
    So then I went into Directory Access on the iChat server and created a new LDAPv3 with the following settings:
    Connection: Added server IP, no other changes (i.e. SSL, custom port, server referrals, etc. all off).
    Search & Mappings: Access this LDAPv3 server using Active Directory, edited the “Users” search base to look in the whole directory rather than just Users, since otherwise I don’t see the users in all our OUs. Everything else left as is.
    Security: Turned on “Use authentication when connecting” and added a Distinguished name in the form of “[email protected]” – all other options are left off.
    Then I went to the Authentication tab and added the new LDAPv3 setting so that it is between the first AD domain and 127.0.0.1. I clicked Apply.

    I can now drop into the Terminal and do a dscl localhost and cd to /LDAPv3/IPAddress/Users, and ls will give me a list of users. However, if I try to read the properties of a user I get the following error…
    2006-09-08 14:36:19.376 dscl[1420] *** My Uncaught Exception: ([DSoDataList initWithDir:value:] value is not a valid NSString nor NSData)
    I can go into Workgroup manager and browse both the users and groups of the new domain, I can even drag a user/group from new domain into the Access permissions of a file share… I can even go into Server Admin and find the users as part of the Service ACLs lists… However, if I actually try to login to a fileshare I get an error that “Connection Failed. Unknown user, incorrect password, or login is disabled. Please retype the name and password or contact the server’s administrator.”
    It almost seems to me like the user/group names are coming through, but not the properties, so things like passwords aren’t working…
    Any ideas?

    #368814
    getalong
    Participant

    I know this post is old, and my reply is slightly off-topic, but this is the only place I’ve found this exact dscl error message–however, I’m not trying anything with iChat.

    I just NetBoot/Restored a brand-new MBP 15 C2D, and after binding this MBP to our AD, I get the same results posted: dscl into local machine, cd to /Active\ Directory/All\ Domains/Users/, ls lists all AD users, BUT when I try to read any users, I get…

    dscl[228] *** My Uncaught Exception: ([DSoDataList initWithDir:value:] value is not a valid NSString nor NSData)

    As I said, this is the same error jdyck mentioned. Did you figure it out?

    This is the third machine I’ve bound to AD (from this NetRestore image), and the first one to have this problem. I’ve attempted to Unbind/Bind (again), reinstall 10.4.9 Combo (desperate) with no resolve.

    For the sake of time, I’m gonna NetBoot this puppy again, and hope for the best.
