September 3, 2010 at 8:12 pm in reply to: how can I enable remote login with a shell script? #379398
fherbert
Participant
Use systemsetup (man systemsetup for more info)
Usage: systemsetup -getremotelogin
Display whether remote login is on or off.
Usage: systemsetup -setremotelogin <on off>
Set remote login to either <on> or <off>. Use "systemsetup -f -setremotelogin off" to suppress prompting when turning remote login off.
September 3, 2010 at 1:46 am in reply to: Can’t Connect to OS X Server 10.6.4 using AFP – but can via SMB #379384
fherbert
Participant
I am having the same problem (Mac mini server running 10.6.4). However my problems only started after applying the Security Update 2010-005.
A 10.6.4 client was unable to connect via afp until I installed the 2010-005 security update on the client as well.
The 10.5.8 clients are not able to connect via afp, even after the 2010-005 security update has been installed on them.
I have had to change all my afp shares to smb as a temporary workaround.
I also have no service access restrictions.
Did your problems start after applying the 2010-005 security update?
fherbert
Participant
I would try setting your bind dn to a user that can query your OD, and don’t forget the password, unless you can do anonymous queries on your OD.
i.e.:
$_LDAP_CONF['servers'][0]['bind_dn'] = "cn=adminuser,cn=users,dc=server,dc=ourdomain,dc=co,dc=uk";
and use the correct password. Also, I note you are accessing your ldap via ssl (ldaps://server.ourdomain.co.uk); is ssl actually enabled on your OD server?
Your user ou should probably be set to something like:
$_LDAP_CONF['user_ou'] = "users";
Your group ou:
$_LDAP_CONF['group_ou'] = "groups";
But you also need to change the user_branch to:
$_LDAP_CONF['user_branch'] = "cn={$_LDAP_CONF['user_ou']}," . $_LDAP_CONF['branch'];
fherbert
Participant
I would use the archive and restore functionality in Server Admin. That way you will get the entire ldap directory including passwords.
You should test this migration first: make sure you can change users’ passwords after the migration, move machines etc. There are still some issues with migrating from 10.5 to 10.6 using the archive method.
These may be resolved in future releases of 10.6.
fherbert
Participant
After investigating this more, it would not appear to be very straightforward to achieve this. If you create a new test OD (Open Directory) account and make it a limited admin, then have a look at the updated/new olcAccess entries, you will see something similar to:
[code]
olcAccess: {3}to dn.onelevel="cn=groups,dc=my,dc=od,dc=com" attrs=apple-mcxflags,apple-mcxsettings
by dynacl/idattr/APPLYTO:635DF24E-E00A-4C72-9DFD-BDE9A78F505D.exact=AE04147C-41BD-4B86-99E9-0DC14332ABB0 write
by set="user/uid & [cn=admin,cn=groups,dc=my,dc=od,dc=com]/memberUid" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dn.exact="cn=my.od.com$,cn=computers,dc=my,dc=od,dc=com" write
by * read
[/code]
where [b]635DF24E-E00A-4C72-9DFD-BDE9A78F505D[/b] is the apple-generateduid of the group whose attributes that user is allowed to change
and [b]AE04147C-41BD-4B86-99E9-0DC14332ABB0[/b] is the apple-generateduid of the user able to write the apple-mcxflags and apple-mcxsettings attributes.
So…. I tried to create a new ACL for a computer list so that the same user would be able to write the apple-mcxflags and apple-mcxsettings attributes, using the following acl:
[code]
olcAccess: {27}to dn.onelevel="cn=computer_lists,dc=my,dc=od,dc=com" attrs=apple-mcxflags,apple-mcxsettings
by dynacl/idattr/APPLYTO:8F0F2D81-E1B9-4830-B4AB-2F854FA74422.exact=AE04147C-41BD-4B86-99E9-0DC14332ABB0 write
by set="user/uid & [cn=admin,cn=groups,dc=my,dc=od,dc=com]/memberUid" write
by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
by dn.exact="cn=its-macmgr.my.od.com$,cn=computers,dc=my,dc=od,dc=com" write
by * read
[/code]
where [b]8F0F2D81-E1B9-4830-B4AB-2F854FA74422[/b] is the apple-generateduid of the computer list whose apple-mcxflags and apple-mcxsettings attributes I want the user to be able to change
and [b]AE04147C-41BD-4B86-99E9-0DC14332ABB0[/b] is the apple-generateduid of the user able to write the apple-mcxflags and apple-mcxsettings attributes of that group.
But whenever I try to add this to OD via Workgroup Manager (using the All Records inspector) I get an error (eDSAttributeNotFound -14134), and when I try to use a directory editor (Apache Directory Studio) I get an LDAP error 80.
Anyone else got any suggestions on this??
By the way the 3rd edition of Open_Directory_Admin_v10.5 removes any reference to Configuring Record Privileges.. must have been put in the too hard basket??
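As an added example (not code from the post, from Apple or from OpenLDAP), a small Python audit for olcAccess values like the ones above: it unfolds LDIF continuation lines (the wrapped form the first ACL was pasted in), splits each value into its target and "by" clauses, and flags any clause that grants "*" or anonymous more than read, or whose access level it cannot recognise. The sample LDIF is constructed, with GROUP-UUID and USER-UUID standing in for the apple-generateduid values.

```python
import re
# Access levels in increasing privilege order (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# A token is a bare word or a word carrying a quoted string (dn.exact="...", set="...").
TOKEN = re.compile(r'(?:[^\s"]*"[^"]*"[^\s"]*)+|\S+')

# Constructed sample: the post's group ACL, LDIF-folded, with GROUP-UUID/USER-UUID as
# placeholders for the apple-generateduid values, plus a deliberately too-open second ACL.
SAMPLE = """\
olcAccess: {3}to dn.onelevel="cn=groups,dc=my,dc=od,dc=com" attrs=apple-mcxflags,appl
 e-mcxsettings by dynacl/idattr/APPLYTO:GROUP-UUID.exact=USER-UUID write by set="user
 /uid & [cn=admin,cn=groups,dc=my,dc=od,dc=com]/memberUid" write by sockurl="ldapi://%
 2Fvar%2Frun%2Fldapi" write by * read
olcAccess: {4}to dn.onelevel="cn=computer_lists,dc=my,dc=od,dc=com" by * write
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def parse_olcaccess(value):
    """Return (order, target, [(who, level), ...]); level is None when unrecognised."""
    m = re.match(r"olcAccess:\s*\{(\d+)\}\s*to\s+(.*)$", value)
    if not m:
        raise ValueError("not an ordered olcAccess value: %r" % value[:40])
    toks = TOKEN.findall(m.group(2))
    cuts = [i for i, t in enumerate(toks) if t == "by"] + [len(toks)]
    clauses = [(toks[a + 1], toks[a + 2] if a + 2 < b and toks[a + 2] in LEVELS else None)
               for a, b in zip(cuts, cuts[1:]) if a + 1 < b]
    return int(m.group(1)), " ".join(toks[:cuts[0]]), clauses

def audit(ldif_text):
    """Flag clauses with no recognised level, and grants above read to '*' or anonymous."""
    findings = []
    for line in unfold_ldif(ldif_text):
        if not line.startswith("olcAccess:"):
            continue
        order, _target, clauses = parse_olcaccess(line)
        for who, level in clauses:
            too_open = who in ("*", "anonymous") and level in ("write", "manage")
            if level is None or too_open:
                findings.append((order, who, level or "unrecognised"))
    return findings
```

Running audit() over the output of a cn=config search (e.g. the olcAccess values of the database entry) gives a quick review of which ACLs hand out write access to anyone, which is what to check before adding a new {n} entry like the one above.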
fherbert
Participant
What is the current problem with your DNS? i.e. what are the errors in the logs?
March 6, 2007 at 10:35 pm in reply to: Clients Open Directory binding and access to Software Update Server #368484
fherbert
Participant
I have found you need to edit the software update preference in Workgroup Manager and put in the full URL of the software update server:
[b]http://your.software.updateserver:8088/index.sucatalog[/b]
You can also put this address into a web browser and double check software update is in fact running correctly.
Also, you may want to check the managed preferences on the client to make sure they are getting the software update settings:
[code]defaults read "/Library/Managed Preferences/{username}/com.apple.SoftwareUpdate"[/code]
And see what this displays….. it should be something along the lines of:
[code]{CatalogURL = "http://your.software.updateserver:8088/index.sucatalog"; }[/code]
March 6, 2007 at 10:21 pm in reply to: Force certain services to use specific network interface? #368483
fherbert
Participant
Why not do away with the Linksys router and make the OS X server the LAN gateway?
February 20, 2007 at 1:52 am in reply to: Netatalk running on FC6 problems mounting volumes on OSX 10.4.8 #368351
fherbert
Participant
Is there anything in your netatalk logs on the FC6 box? Usually in /var/log/netatalk.log, I think.
January 15, 2007 at 7:08 pm in reply to: Computers not managed when bound, only when unbound #368002
fherbert
Participant
The security policies on the client are accessed using the Directory Access utility in the Utilities folder. If you click on your LDAP config for the required server and click the Security tab, you will see your client security policies: Disable clear text passwords, Digitally sign all packets, Encrypt all packets, Block man-in-the-middle attacks. No, SSL is not required when disabling clear text passwords; to put it simply, SSL just enables encrypted communication between the client and server.
In the end, as Josh noted above, trusted binding is not actually required for most networks, unless you have security issues with non-authorized machines joining your OD. I have many systems in place that run managed login/logout scripts that sync from the server at startup, login and logout, which means I can have this feature without having to use trusted binding – note it only came into effect with 10.4 – what was everyone doing before 10.4 came along if they wanted managed login/logout scripts?
If you want some really good reference material, have a look at the Apple Training Series book “Mac OS X System Administration Reference Vol1” using the link on the left hand side of this page; it’s a really good book and also contains the required study material for ACSA.
January 15, 2007 at 6:32 am in reply to: Computers not managed when bound, only when unbound #367999
fherbert
Participant
Hi guys
Are you getting any errors in /var/log/system.log regarding DirectoryService on the clients? If you are, post the relevant section so we can have a look.
Cheers
January 10, 2007 at 3:09 am in reply to: Computers not managed when bound, only when unbound #367969
fherbert
Participant
Make sure your security policies match on the client and server. Since you are using trusted binding, I think you will find the client will not try to authenticate using clear text passwords, but the server may not be configured for this (or it might be the other way round).
fherbert
Participant
You may need to check that your security policies on the client and server match. Most likely, your client will have a setup which (since you have used binding) has disabled clear text passwords. If your OD server setup has clear text passwords enabled, then you will see the symptoms you are experiencing. You should see some error messages to this effect on the client machine in /var/log/system.log.
The solution then would be to match up the security policies between the client and server so that they either both allow or both disallow clear text passwords.
fherbert
Participant
Well, I’ll answer my own post for others’ info.
It turns out (makes sense when you think about it) that when binding to ldap, you need to pass the computer name of the computer you are binding as.
So… if my client computer name is ibook01 then the command from the above post will turn into something like:
[quote]dsconfigldap -f -a my.od.server [b]-c ibook01[/b] -u odadminname -p odadminpassword -v[/quote]
And that gets ldap binding working from the command line. (Note the -v switch just gives me verbose results from the command, so it is not needed in the “production” environment.)
August 18, 2006 at 10:06 pm in reply to: Programs failing to save to AFP share on OS X server 10.4.6 #366851
fherbert
Participant
I am assuming you are not running Word and Quark on the actual server, but running them on a client which is connected to the server via an AFP share point or home folder where the files being worked on exist?
If so, I would apply the 10.4.7 update on the server (and probably the client as well), which fixes a few issues with the AFP server and may resolve the issues you are experiencing.