LDAPv3/127.0.0.1 vs elsewhere for user records

Viewing 2 posts - 1 through 2 (of 2 total)
  • #362279
    baliset
    Participant

    Summary: Confusion over whether users in Workgroup Manager need to be outside the default “LDAPv3/127.0.0.1” location for network visibility. Inability to authenticate to newly created directories.

    We’ve got a new 10.4 Server. My intention was to start over with a brand new installation and export/import users in from our old 10.3 server. The differences in setup between 10.3 and 10.4 have left me a little confused:

    Our 10.3.8 server had a LAN IP of 192.168.9.99. I can’t remember what hoops I jumped through when I set it up, but its WGM points to /LDAPv3/192.168.9.99 and that’s where all my users seem to be. Clients pointed to this IP in Directory Access show a login screen with all the network users created in that directory and all is well.

    The upgrade to 10.3.9 changed the schema for LDAP. I’ve deliberately steered away from 10.3.9 because it breaks our mail, but I note the documentation shows that LDAPv3/127.0.0.1 is forcibly added to several config areas after a 10.3.8 to 10.3.9 upgrade. The only reason I mention this is because my default setup in 10.4 shows some similarities and I’m not sure as to their significance.

    I installed 10.4 Server clean on a new machine and gave it exactly the same machine name/IP settings as our old server (yes, the old one is now off-line). I selected Open Directory Master. I note that WGM logs me into an LDAP domain titled “LDAPv3/127.0.0.1”. I can authenticate against this directory with the “diradmin” login and I can create users.

    Now I’m used to any network path containing the loopback IP (127.0.0.1) as being shorthand for “only on this machine, not necessarily visible elsewhere”, so, considering the config on my old server, am assuming that I need to create a directory which will come up as “LDAPv3/192.168.9.99” like the old server, but am I right? I’ve tried creating such a directory in Directory Access (Services -> LDAPv3 -> Configure -> New). I am unable to log into this domain using WGM at some times but I can at others, with little pattern to the failure! After adding it in D.A, it is “visible” in WGM but I cannot authenticate to it for the purpose of adding users (either with root or diradmin).

    Of course the purpose of the exercise here is to have client machines pointed to the new server boot up and populate the login screen with a long list of network users. I do not know if the presence or absence of a functioning LDAPv3/192.168.9.99 directory is related to this or not. If my users should all be under 127.0.0.1 then set me straight.

    I’ve “captured” the client (lab) machines into the computers list under WGM and “told” them to display the login screen as a list (including network users), as well as going into their D.A settings and pointing their LDAP to 192.168.9.99. No dice.

    Thus: Where should my user records reside?
    Why can I see and only occasionally authenticate to a directory I add as “LDAPv3/192.168.9.99”?
    Why don’t client Macs see this list when pointed there in their own Directory Access app?

    Thanks in advance for anyone who can help here… Yes, I’ve tried the manual, but it’s poor.

    #362389
    andrina
    Participant

    So, your server’s Workgroup Manager should indeed be pointing to 127.0.0.1, as well as Directory Access on your server – only your clients should be pointing to the IP or FQDN. So, to answer your initial question, your user records should be in /LDAPv3/127.0.0.1. As for the client machines seeing the server – how long are you waiting after booting the machine before trying to log in as a network user? Try some troubleshooting techniques on your client systems, like killing the DirectoryService process, or taking a look through ‘dscl localhost’ – you should be able to navigate into your LDAP structure and see your users; if not, it may give you an error message that will point you in the right direction.
    Cheers,
    Andrina
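
A small diagnostic script, added here as an example and not part of either post, that wraps the ‘dscl localhost’ checks Andrina suggests into something you can run on a lab client. It assumes a 10.4-era client where ‘dscl localhost’ and the DirectoryService process exist, and it goes one step beyond the reply by also reading the client’s authentication search path, since a node that is configured in Directory Access but not on the search path will never feed the login window. The server IP is a parameter; the node name it builds (/LDAPv3/<server>) follows the naming seen in the thread.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original thread). Checks, from a
# client Mac, whether the server's shared LDAP node is on the client's
# authentication search path and whether user records can be listed from it.
# Assumes a 10.4-era client: "dscl localhost" and the DirectoryService process.

# Returns 0 if /LDAPv3/<server> appears in the client's search path.
node_on_search_path() {
    server="$1"
    dscl localhost -read /Search SearchPath 2>/dev/null | grep -q "/LDAPv3/$server"
}

# Prints the user record names visible in a node, one per line.
# Exit status is dscl's own, so an unreachable node yields non-zero.
list_node_users() {
    node="$1"
    dscl localhost -list "$node/Users" 2>/dev/null
}

# Prints the number of user records in a node (0 if the node is unreachable).
count_node_users() {
    list_node_users "$1" | grep -c . || true
}

# Full check for one server: search path membership, then user count.
# Returns 0 when the node is on the search path and users are readable,
# 1 when the node is missing from the search path, 2 when no users come back.
check_client_binding() {
    server="$1"
    node="/LDAPv3/$server"
    if node_on_search_path "$server"; then
        echo "search path: $node present"
    else
        echo "search path: $node missing (check Directory Access -> Authentication)"
        return 1
    fi
    n=$(count_node_users "$node")
    if [ "$n" -gt 0 ]; then
        echo "users visible in $node: $n"
    else
        echo "no users readable from $node (try: sudo killall DirectoryService, then retry)"
        return 2
    fi
}

# Run directly as: sh check_binding.sh 192.168.9.99
if [ $# -gt 0 ]; then
    check_client_binding "$1"
fi
```

If the node is on the search path but the user count is zero, that matches the symptom in the first post (clients bound to the IP but an empty login list); the exit codes are separated so the script can be dropped into a loop over a lab's machines and the two failure modes told apart.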
