Forum Replies Created
-
AuthorPosts
-
slazar
Participant
Yeah, I can confirm that in the AD-OD setup you should not do directory binding with the OD directory. Add the OD server in the LDAPv3 settings, but don’t enter credentials. Just click continue. Been wrestling with this for a while, just broke through.

slazar
Participant
Add the OD server to the LDAPv3 configuration, but don’t enter any credentials when it shows you the computer name. This causes it to be an anonymous connection (unbound) and the preferences will show up more consistently.
slazar
Participant
Totally! I see immediate results. I deleted both the LDAPv3 connection and the account in the server. Then I re-added the LDAPv3 connection but without binding to the directory. Then I logged out and back in, and the settings stuck for every user. Then I changed it back to a bound connection and it barely worked or worked slowly.
little dance
slazar
Participant
AHA! When a group works, it always works, until you reboot…
My users are in only one group. If I hold down option the window shows no groups. I am managing the machines with computer lists. This is what is going on:
I am mistakenly binding my clients to the OD directory. If I do this, then I get huge inconsistencies in whether the managed preferences apply or not. I was doing it with AD users inside the OD group. That was also inconsistent but at least the settings would be cached for that user and they would show up most of the time. With an AD group in the OD group, it appears to be worse and the user does not get cached managed prefs.
So the lesson here is: If you are doing a golden triangle setup, DON’T bind your machines to the OD domain! At the directory binding section don’t type in a username or password. Just click Continue.
slazar
Participant
It is inconsistent when the users log in. I have dock settings on seven different OD groups. Sometimes the dock settings show up, and sometimes the dock settings don’t show up. Each OD group has a corresponding AD group inside of it. There are a lot of AD users and each user is in one of those AD groups.
example:
OD Group         AD Group       AD User
---------------------------------------------
odkinder         kinder         studentk
odfirstgrade     firstgrade     student1
odsecondgrade    secondgrade    student2
odthirdgrade     thirdgrade     student3
odfourthgrade    fourthgrade    student4
odfifthgrade     fifthgrade     student5
odsixthgrade     sixthgrade     student6
Some of the OD groups seem to work, and some don’t. No clue why.
slazar
Participant
Hmm, I made one OD group per AD group and placed only one AD group in each OD group. But it seems to apply inconsistently. Anyone have this type of problem or has gotten it to work with nested groups? What does your setup look like?
slazar
Participant
Hmm okay, seems like the nested groups work best with just one AD group inside the OD group. If I do the dscl command and take a look at the LDAP group, my apple-group-nestedgroup only shows four separate group Generated IDs. I have seven AD groups in the OD group.
slazar
Participant
Never mind, I deleted the OD group and created a new one. It worked after that. I think that group got corrupted.