Usage: systemsetup -getremotelogin
Display whether remote login is on or off.
Usage: systemsetup -setremotelogin
Set remote login to either or . Use “systemsetup -f -setremotelogin off” to suppress prompting when turning remote login off.
and use the correct password, also I note you are accessing your ldap via ssl (ldaps://server.ourdomain.co.uk), is ssl actually enabled on your OD server?
Your user ou should probably be set to something like:
$_LDAP_CONF[‘user_ou’] = “users”
Your group ou:
$_LDAP_CONF[‘group_ou’] = “groups”;
But you also need to change the user_branch to:
$_LDAP_CONF[‘user_branch’] = “cn={$_LDAP_CONF[‘user_ou’]},” . $_LDAP_CONF[‘branch’];
I would use the archive and restore functionality in server admin. That way you will get the entire ldap directory including passwords.
You should test this migration first, make sure you can change users passwords after the migration, move machines etc. There are still some issues with migrating from 10.5 to 10.6 using the archive method.
These may be resolved in future releases of 10.6.
After investigating this more, it would not appear to be very straight forward to achieve this. If you create a new test OD (open Directory) account and make it a limited admin, then have a look at the updated/new olcAccess entries, you will see something similar to :
[code]
olcAccess: {3}to dn.onelevel=”cn=groups,dc=my,dc=od,dc=com” a
ttrs=apple-mcxflags,apple-mcxsettings by dynacl/idattr/APPLYTO:635DF24E-E00A
-4C72-9DFD-BDE9A78F505D.exact=AE04147C-41BD-4B86-99E9-0DC14332ABB0 write by
set=”user/uid & [cn=admin,cn=groups,dc=my,dc=od,dc=com]/memb
erUid” write by sockurl=”ldapi://%2Fvar%2Frun%2Fldapi” write by dn.exact=”c
n=my.od.com$,cn=computers,dc=my,dc=od,dc=com”
write by * read
[/code]
where [b]635DF24E-E00A-4C72-9DFD-BDE9A78F505D[/b] is the apple-generateduid of the group whose attributes that user is allow to change
and [b]AE04147C-41BD-4B86-99E9-0DC14332ABB0[/b] is the apple-generateduid of the user able to write the apple-mcxflags and apple-mcxsettings attributes
So…. I tried to create a new ACL for a computer list so that same user would be able to write the apple-mcxflags and apple-mcxsettings attributes using the following acl:
[code]
olcAccess: {27}to dn.onelevel=”cn=computer_lists,dc=my,dc=od,dc=com” attrs=apple-mcxflags,apple-mcxsettings
by dynacl/idattr/APPLYTO:8F0F2D81-E1B9-4830-B4AB-2F854FA74422.exact=AE04147C-41BD-4B86-99E9-0DC14332ABB0 write
by set=”user/uid & [cn=admin,cn=groups,dc=my,dc=od,dc=com]/memberUid” write
by sockurl=”ldapi://%2Fvar%2Frun%2Fldapi” write
by dn.exact=”cn=its-macmgr.my.od.com$,cn=computers,dc=my,dc=od,dc=com” write
by * read
[/code]
where [b]8F0F2D81-E1B9-4830-B4AB-2F854FA74422[/b] is the apple-generateduid of the computer list I want to user to be able to change the apple-mcxflags and apple-mcxsettings attributes of
and [b]AE04147C-41BD-4B86-99E9-0DC14332ABB0[/b] is the apple-generateduid of the user able to write the apple-mcxflags and apple-mcxsettings attributes of that group
But whenever I try to add this to OD via workgroup manager (using the all records inspector) I get an error (eDSAttributeNotFound -14134) and when I try to use a directory editor (apache directory studio) I get an LDAP error 80.
Anyone else got any suggestions on this??
By the way the 3rd edition of Open_Directory_Admin_v10.5 removes any reference to Configuring Record Privileges.. must have been put in the too hard basket??
The security polices on the client are accessed using the Directory Access Utility in the Utilities folder. If you click on your LDAP config for the required server, and click the Security Tab and you will see your client security policies: Disable clear text passwords, Digitally sign all packets, Encrypt all packets, block man in the middle attacks. No SSL is not required when disabling clear text passwords, to put it simply, SSL just enables encrypted communication between the client and server.
In the end as Josh noted above, Trusted binding is not actually required for most networks, unless you have security issues with non-authorized machines joining your OD. I have many systems in place that run managed login/login scripts that sync from the server at startup, login and logout which means I can have this feature without having to use trusted binding – note it only came into effect with 10.4 – what was every one doing before 10.4 came along if they wanted managed login/logout scripts.
If you want some really good reference material, have a look at the Apple Training Series book “Mac OS X System Administration Reference Vol1” using the link on the left hand side of this page, it’s a really good book and also contains the required study material for ACSA.
Are you getting any errors in /var/log/system.log regarding DirectoryService on the clients? If you are, post the relevant section so we can have a look.
Make sure your security policies match on the client and server. Since you are using trusted binding, I think you will find the client will not try to authenticate using clear text passwords, but the server may not be configured for this (or it might be the other way round).
You may need to check that your security policies on the client and server match. Most likely, your client will have a setup which (since you have used binding) has disabled clear text passwords. If your OD server setup has clear text passwords enabled, then you will see the symptoms you are experiencing. You should see some error messages to this effect on the client machine in /var/log/system.log.
The solution then would be to match up the security policies between the client and server so that they either both allow or not allow clear text passwords.
And that gets ldap binding working from the command line. (note the -v switch just gives me verbose results from the command so are not needed in the “production” environment.
I am assuming you are not running word and quark on the actual server, but running them on a client which is connected to the server via an afp share point or home folder which the files being worked exist??
If so, I would apply the 10.4.7 update on the server (and probably the client as well) which fixes a few issues with the AFP server, and may resolve the issues your are experiencing.
Recent Comments