Forum Replies Created
October 13, 2004 at 3:38 pm in reply to: Can I use Active Directory Groups for my AFP Share? #359515
macdojo
Participant
I have gotten the “bounce back” when using 2 WGM windows. Try expanding the Users & Groups tray on the active AGM window and then using the pull-down menu to select the Active Directory node. Add your groups from there.
macdojo
Participant
OK, Joel! That worked. You’re the King. Where do I send the bottle of Scotch? But wait, there’s more…
Flushed with success, I ran to the IT guys only to have them tell me that they don’t want to manage 2 directories, i.e., adding a user in AD requires adding one in OD. So, we’re talking schema changes, right?
Thanks again
macdojo
Participant
OK, so if I am comfortable doing MCX by group, should I use the AD plugin or the LDAP approach? Based on trial-and-error, it seems like I cannot simultaneously be an OD master and do AD binding because the AD only seems to work if OD has me “connected to a directory system.” Yet, when I am not an OD master, MCX breaks. So I’ve been trying to get my user records into WGM by LDAP, but cannot seem to get it right either. The last is most likely a mappings issue, since LDAPper works fine with my auth and search base. Jeez, any help would be good. Here’s what I want: MCX by group (or computer), which would require the ability to see my AD users & groups.
If I start as an OD master and then configure the AD plug-in, I can bind but cannot add the node in WGM.
If I start as “Connected to” I can bind and see all my records (up to 1000) in WGM, but MCX won’t work. If I try to promote the server to an OD master at this point, I end up breaking the AD node and cannot auth to OD either, unless I create another admin account and auth as that.
Working on some things…
July 28, 2004 at 1:32 pm in reply to: AD for users, OD for client management: client-side config? #358594
macdojo
Participant
Just an update folks – oh, and craigh? I feel your pain –
OK, I now can log in from clients with AD creds, AND get client mgt – the key was to put the AD server policy ahead of the LDAP policy in Directory Access. While mgt by comp is OK, I want more granularity. I am hoping that by doing LDAP in Dir Acc to the AD servers, I can get a user list which I can use to manage the Mac clients by user. Currently I can browse the tree with LDapper, but I haven’t been able to bind with Dir Acc. I get the typical delays when booting the Xserve. When trying to access the new LDAP node in WGM, it allows me to select it, but the OK button will not close and authenticate me to the node. I get: DSOpenNode(): dsOpenDirNode(“/LDAPv3/10.101.0.47”) == -14002… aka… something is up with my credentials. LDapper wants credentials in this form: DOMAIN\Administrator, whereas Dir Access wants the distinguished name. I cannot seem to get it right and I’ve tried every combination of OU, CN, DC that seems correct.
Working through it…
July 27, 2004 at 2:31 pm in reply to: AD for users, OD for client management: client-side config? #358575
macdojo
Participant
Thanks, Joel. For now, here’s what I am trying…
Xserve was bound to AD, unbound it and made it an OD master.
Clients are bound to domain AND bound to Xserve via LDAP. MCX is working (mgmt by computer, of course).
I can log in to AD network shares, so I know my creds are being accepted, but I cannot yet log in at the login pane.
My homedirs are on a Dell NAS, and the Win guys have installed ExtremeZ-IP, but it’s still in default state. That’s where I’m at so far.
BTW, tho I’ve got the AppleCare Premium contract, the Apple guys stated that all Active Directory integration stuff requires an Enterprise Support contract ($6K+/yr).
Thanks!
July 26, 2004 at 8:16 pm in reply to: AD for users, OD for client management: client-side config? #358561
macdojo
Participant
I should describe what I am trying to achieve: single sign-on to the AD domain with client management (e.g., WGM, possible NetBoot) via Xserve. Not sure how to configure Xserve beyond the AD plug-in, or how to configure Directory Access on the client side (LDAP, AD, etc.).
Thanks!