Forum Replies Created
honestpuck (Participant)
I don’t actually use Lingon – I hack the launchd items by hand – but yes, I did use a launchd item.
I have a bunch of small things I do in the same launchd item that runs Bootpicker.
// Tony
honestpuck (Participant)
ingenious,
10.5 DOES do a time sync on startup but if the time difference is too great it will not adjust the time.
If your AD server and your clients are pointing to the same time server then the best way of fixing this problem is to run ntpd early in the boot process with the -g and -q parameters. BTW ntpdate is deprecated and will disappear one day – ntpd now does the same thing with the -q param.
So try replacing your ntpdate command with ‘ntpd -g -q’ and see if that fixes it. Works for me.
// Tony
honestpuck (Participant)
Yoshi,
Your problem is almost certainly that the login names are identical. If you check the order in which Open Directory uses the various authentication methods, local will be first.
Either change the account name or change the order and your AD login will work.
# Tony
honestpuck (Participant)
cdowns wrote:
> what do you mean by "keytab" ?
> thanks.
> ~!>D

The keytab is where the KDC stores all the principals and keys for the various machine/service combinations. On OS X it can be found at /etc/krb5.keytab
Joel’s two excellent articles on Kerberos explain it all; you can find them in the ‘Old Articles’ section.
Tony Williams
October 20, 2004 at 6:48 am, in reply to: Authenticating OS X clients against central openldap server via OpenDirectory #359597
honestpuck (Participant)
Hi,
A few things for you to check on the client:
1/ In the Directory Access utility, the client is pointed at the right LDAP server, is using the RFC mappings not the Open Directory mappings, and has the right search base.
2/ If that’s all OK, then at the command line try using ldapsearch:
ldapsearch -h ldap.example.com -b 'dc=example,dc=com' -s sub "(cn=username)" cn sn uid
That should return a record. If it doesn’t, try to figure out why – adding -v could help.
Tony
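Added example, not from Tony's post: the filter above puts a name straight into "(cn=username)". When that name arrives from a user (a login form, a script argument) the LDAP filter metacharacters in it should be escaped first, otherwise a value like "*)(uid=*" turns the lookup into a match-everything query. The functions below (ldap_filter_escape, cn_filter and lookup_user are this example's own names; host and base DN are placeholders) do the RFC 4515 escaping in sed and wrap the post's ldapsearch with it:

```shell
#!/bin/sh
# Added example (not from the original post): escape a user-supplied name
# before splicing it into the "(cn=username)" filter from the post, so that
# characters with special meaning in LDAP filters cannot change the query.

# RFC 4515 escaping: each special byte becomes \XX with its hex value.
# Backslash is handled first so the escapes it produces are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed \
        -e 's/\\/\\5c/g' \
        -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' \
        -e 's/)/\\29/g'
}

# The filter the post uses, with the name escaped.
cn_filter() {
    printf '(cn=%s)\n' "$(ldap_filter_escape "$1")"
}

# Run the post's ldapsearch against host/base with an escaped filter.
# Host and base DN are placeholders; -v is the post's own suggestion.
lookup_user() {
    host=$1; base=$2; name=$3
    ldapsearch -v -h "$host" -b "$base" -s sub "$(cn_filter "$name")" cn sn uid
}

# Constructed input: a name carrying filter metacharacters. Without escaping
# it would become "(cn=*)(uid=*)" and match every entry.
cn_filter '*)(uid=*'
# prints (cn=\2a\29\28uid=\2a)
```

Only the escaping runs stand-alone; lookup_user needs a reachable LDAP server and takes the same host, base and -v the post suggests.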
September 20, 2004 at 12:16 pm, in reply to: find dates within a specific range as root from terminal #359227
honestpuck (Participant)
bossa nova wrote:
> Can anyone tell me how to do a search for files modified within a two or three minute period from the terminal as root?
> Thanks!
> J

sudo find / -mmin -2
will find all files changed in the two minutes prior to the start of find.
Tony Williams
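Added example, not part of the post: a small wrapper around the find invocation above for checking what changed on a machine in the last few minutes, with a constructed directory to show it working (recent_files and recent_files_long are this example's own names). One detail worth knowing: find's -mmin takes a signed argument, and it is the "-N" form that means "less than N minutes ago".

```shell
#!/bin/sh
# Added example (not from the original post): list regular files modified
# within the last N minutes below a directory, the triage use the post's
# "find / -mmin" is aimed at. Function names here are this example's own.
# Note the leading minus: "-mmin -N" means "modified less than N minutes ago";
# a bare "-mmin N" matches only files modified exactly N minutes ago (rounded).
recent_files() {
    dir=$1; minutes=$2
    find "$dir" -type f -mmin "-$minutes" | sort
}

# Same search, with owner, mode, size and mtime for each hit so results can
# be reviewed in one pass; "-exec ... {} +" batches paths into few ls calls.
recent_files_long() {
    dir=$1; minutes=$2
    find "$dir" -type f -mmin "-$minutes" -exec ls -ld {} +
}

# Constructed demo: one file back-dated to 2004 with touch -t (accepted by
# both BSD and GNU touch), one created now. Only the new file is listed.
demo_dir=$(mktemp -d)
touch -t 200401010000 "$demo_dir/old"
touch "$demo_dir/new"
recent_files "$demo_dir" 2
rm -rf "$demo_dir"
```

Run from / with sudo, as in the post, to cover the whole filesystem; on a busy system narrow the directory or raise the minute count rather than paging through the noise.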
honestpuck (Participant)
No, my module won’t work in Apache 2.0, though you could do the same hack to the Apache 2.0 module.
The problem is the difference between the model of group membership used by Netscape’s LDAP server, which most modules are written for, and the one Apple use.
I may eventually write an Apache 2.0 version of my hack, but I don’t know when.
Tony
honestpuck (Participant)
Your problem may be that the clients have cached some information that may not be true with the new install, unless the machine name and IP are perfectly identical, as are a bunch of other things.
First, try using LDAP settings manually rather than “from server”. All you need to know is that the LDAP Mappings are “Open Directory Server” and that the base suffix should be something like “dc=example, dc=com”.
Then if you still have problems try deleting /Library/Preferences/edu.mit.Kerberos
It’s my guess that the server is not supplying the base name suffix properly.
Tony
honestpuck (Participant)
Hi,
If you go 'cat /Library/StartupItems/TimbuktuStartup/TimbuktuStartup', you will see the exact command required.
'/Applications/Utilities/Timbuktu 6/Timbuktu Pro.app/Contents/SharedSupport/Host Relauncher' '/System/Library/Frameworks/Carbon.framework/Versions/A/Support/LaunchCFMApp' '/Applications/Utilities/Timbuktu 6/Timbuktu Pro.app/Contents/SharedSupport/Timbuktu Extension'
and be very careful to keep those quotes in place.
Tony Williams
honestpuck (Participant)
Well, not to beat my own drum, but I wrote a couple of good articles for MacDevCenter on LDAP under 10.3. Look at
http://www.oreillynet.com/pub/a/mac/2004/06/18/ldap.html and
http://www.oreillynet.com/pub/a/mac/2004/05/25/ldap.html
I use it for keeping a company-wide phone and email book and have the phone and email info kept in with the user records. I also have a customer email list kept in ‘cn=customer’ – you can use any cn you like really, just make sure that when you add it you set it to contain the right schema.
As for editing you can’t go past phpLDAPadmin. It edits the entire database and lets you browse your schemas. I have it installed on the server in a protected directory so I get double security.
For getting information into the LDAP directory quickly I use a spreadsheet to build a tab delimited table and then a Perl script to load it into the directory.
Tony Williams
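Added example, not Tony's Perl script (which is not on the page): the same spreadsheet-to-directory step done with sh, sed and base64, converting a tab-delimited table into LDIF that ldapadd can load. The column order (cn, sn, mail, telephoneNumber, all present), the base DN argument and the names dn_escape, ldif_attr and tsv_to_ldif are this example's own assumptions. The part a quick loader usually gets wrong is escaping: a comma in a cn must be escaped in the DN, and values that start with a space or colon, or contain non-ASCII, must be base64-encoded in LDIF.

```shell
#!/bin/sh
# Added example (not the post's own Perl loader): turn a tab-delimited
# table exported from a spreadsheet into LDIF that ldapadd can load.
# Assumed column order: cn, sn, mail, telephoneNumber; every column present.

# RFC 4514: in a DN, a backslash and the characters , + " < > ; must be
# escaped with a backslash, as must a leading '#' and a leading/trailing space.
dn_escape() {
    printf '%s' "$1" | sed \
        -e 's/\\/\\\\/g' \
        -e 's/\([,+"<>;]\)/\\\1/g' \
        -e 's/^#/\\#/' \
        -e 's/^ /\\ /' \
        -e 's/ $/\\ /'
}

# RFC 2849: an attribute value that begins with a space, ':' or '<', or that
# contains a byte outside printable ASCII, must be written base64-encoded
# after a double colon ("attr:: ..."); everything else goes out as-is.
ldif_attr() {
    name=$1; value=$2
    case $value in
        ' '*|':'*|'<'*) plain=0 ;;
        *) plain=1 ;;
    esac
    if [ "$plain" = 1 ] && printf '%s' "$value" | LC_ALL=C grep -q '[^ -~]'; then
        plain=0
    fi
    if [ "$plain" = 1 ]; then
        printf '%s: %s\n' "$name" "$value"
    else
        printf '%s:: %s\n' "$name" "$(printf '%s' "$value" | base64 | tr -d '\n')"
    fi
}

# Read the table from stdin and emit one inetOrgPerson entry per row
# under the given base DN (an argument here; the post's base is not shown).
tsv_to_ldif() {
    base=$1
    tab=$(printf '\t')
    while IFS="$tab" read -r cn sn mail phone; do
        [ -n "$cn" ] || continue
        printf 'dn: cn=%s,%s\n' "$(dn_escape "$cn")" "$base"
        printf 'objectClass: inetOrgPerson\n'
        ldif_attr cn "$cn"
        ldif_attr sn "$sn"
        ldif_attr mail "$mail"
        ldif_attr telephoneNumber "$phone"
        printf '\n'
    done
}

# Constructed sample rows; the second cn needs DN escaping.
printf 'Tony Williams\tWilliams\ttony@example.com\t555-0100\nSmith, Jane\tSmith\tjane@example.com\t555-0101\n' \
    | tsv_to_ldif 'ou=people,dc=example,dc=com'
```

Feed the output to ldapadd -x -D <bind DN> -W -f file.ldif. The entries carry only the attributes from the table, so add whatever else your schema requires before loading.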
honestpuck (Participant)
tlindner@waterma wrote:
> I have several mailman mailing lists which I would like users to be able to find whenever they search for people in the LDAP database.
> How can I add entries for these mailing lists in the LDAP database?

Add them as users into your database but don’t allow login. Have a look at how the system has set up the user ‘Unknown User’ and you can see how to have a useless user in your list. Just make the home directory in /var and the login shell /usr/bin/false.
Tony Williams
honestpuck (Participant)
l008com wrote:
> So I set up internet sharing using natd, dhcp and the most simple, unintrusive set of firewall rules. So now I need port mapping. I wrote up a bunch of rules and stuck them in /etc/natd.conf. The only problem is, after restarting natd, it doesn’t seem to have ‘picked up’ these rules. Is this the right place to put my rules? Or do I need to stick them someplace else?

I think you’ll find that natd.conf.apple or, even better, /etc/nat/natd.plist is the best place to put your rules – /etc/nat/natd.plist says that it is used to create natd.conf.apple and that natd is called using the -f option to get it to read that file.
Tony Williams
honestpuck (Participant)
Have a close look at all your logs. With a problem like this there is almost certainly going to be a clue in your logs that will help you (and us) to figure out the problem and be that much closer to a solution.
Tony
honestpuck (Participant)
Hi,
I think you’ll find that the best place to modify this is in the site config file which you’ll find in /etc/httpd/sites – if you only have the default site set up then it will be ‘0000_any_80_.conf’ and in that file you’ll find that the ‘AllowOverride None’ is not commented out – just change the line.
Tony
honestpuck (Participant)
Hi,
Have you checked out ADDRESS_REWRITING_README? I think you’ll find that you want to use canonical rewriting for your purpose; check out canonical(5) as well.
Tony