Forum Replies Created
camps
This is possible and I’ve got a working environment in 10.3.x server and client. I would assume that 10.4.x is the same setup.
In regard to your first problem, authentication order: Directory Services uses the list of Authentication Paths to look for the username that you supply when logging in. By default it checks against the local NetInfo database and that can’t be changed (hence the grayed-out listing). If it doesn’t find a matching username there, it moves on to the next listing. Now, if you have an account in AD that matches the username supplied in the loginwindow, then the client will pass on the supplied password to see if it matches the one found in AD. If it does, you’re in; if not, the authentication stops, as it has found a matching username but the password doesn’t match up. It doesn’t even try to move on to the OD listing in Authentication because it found the matching username in AD. Basically, you can’t have the same username in AD as in OD. If you have a username in OD but not in AD, it won’t matter what order the Authentication paths are in, as it will search them all until it finds a match. I’m not sure why you would have the same user account in AD & OD anyway. What’s the purpose of that, since the AD user accounts can’t be migrated into OD user accounts, only added to OD groups?
As for the problem with WGM & browsing LDAP, first check with the ‘dscl’ tool in Terminal on the machine you are using WGM on. This allows you to see what Directory Services sees. Type ‘dscl localhost’ in the terminal so you get a prompt that looks like ‘>’. Use normal commands like cd and ls to move around the structure. ‘ls’ at the first prompt and you should see Active Directory and LDAPv3. If not, then you don’t have Directory Services set up properly. ‘cd’ into LDAPv3 and ‘ls’. You should see the LDAP server name or IP that you set up in Directory Services. If you can see that, then WGM should also. If all that pans out, you can also try using an LDAP tool like Ldapper (check VersionTracker) to check that you have the right settings entered into Directory Services.
Also a note on managing AD users with WGM: you will have to extend the AD schema to include the Mac-specific containers for the WGM settings. You can’t just connect to an AD structure and start managing clients. Talk to your Apple SE for more info on that.
You can start managing clients with OD out of the box, though. The OD group you have will work fine. Also note that the order of override in WGM is User overrides Computer overrides Group. Most settings applied at the Computer level will override Group settings of the same kind.

Hope this helps.
-Eric
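The dscl walk described in the post (listing the top-level nodes, then the servers under LDAPv3), wrapped as a scripted check; this is an added example, not code from the post or from Apple. It assumes `dscl localhost -list /` and `dscl localhost -list /LDAPv3` print one entry per line, and on a host without dscl it runs against a constructed sample listing.

```sh
#!/bin/sh
# Added example: verify that Directory Services exposes the nodes the post says WGM needs.
# Assumption: `dscl localhost -list /` prints node names one per line
# (e.g. "Active Directory", "LDAPv3", "NetInfo", "Search").

# check_nodes: read a node listing on stdin, require every node named in "$@".
# Returns 0 when all are present, 1 (naming the missing ones on stderr) otherwise.
check_nodes() {
    listing=$(cat)
    missing=""
    for node in "$@"; do
        # -x matches the whole line, so "LDAPv3" does not match a look-alike name.
        if ! printf '%s\n' "$listing" | grep -qx -- "$node"; then
            missing="$missing $node;"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing Directory Services node(s):$missing" >&2
        return 1
    fi
    return 0
}

# ldap_servers: read `dscl localhost -list /LDAPv3` output on stdin and print the
# configured server entries; returns 1 when the node is empty (no LDAP server set up).
ldap_servers() {
    servers=$(grep -v '^[[:space:]]*$')
    if [ -z "$servers" ]; then
        echo "no LDAPv3 server configured in Directory Services" >&2
        return 1
    fi
    printf '%s\n' "$servers"
}

if command -v dscl >/dev/null 2>&1; then
    # Real run on a Mac: both nodes must be present and LDAPv3 must list a server.
    dscl localhost -list / | check_nodes "Active Directory" LDAPv3 && echo "nodes OK"
    dscl localhost -list /LDAPv3 | ldap_servers
else
    # Constructed sample listing standing in for dscl output on a non-Mac host.
    printf 'Active Directory\nLDAPv3\nNetInfo\nSearch\n' \
        | check_nodes "Active Directory" LDAPv3 && echo "nodes OK (sample listing)"
fi
```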