[sunnyape]

Unfortunately, I don’t know of a way to do it with the GUI.

I tried a couple of LDAP browsing tools and couldn’t find a solution either. If the worst comes to the worst, I’ll make a little app to do it.

[sunnyape]

ARGGG! I’ve worked it out.

SUS [i]is[/i] downloading all the updates, but it is now showing some updates as being a single item. For example, the entry ‘Mac OS X Update’ contains two entries: one for OS X 10.5.8, one for 10.6.2.

You now have to open each and every item to find out if it contains multiple versions inside since there is no external indication that the item contains multiple entries! And, since only one version can be active in each item at once, if you run a mixed 10.5 / 10.6 network, only half the Mac clients will find anything to update!

Sheesh. This is a big leap backwards for SUS. They need to dramatically revise the SUS interface to show which items contain multiple entries and also allow ALL the entries to be available, if required.

[sunnyape]

Using dscl might help. You could make a script or app that asks for their password then resets it. Something like :

[code]#!/bin/bash

userName=”/usr/bin/whoami”

echo “Please enter your new password”
read thePassword

/usr/bin/dscl /LDAPv3/yourdomain.com passwd /Users/$userName “$thePassword”[/code]

[sunnyape]

It looks like your issue is to do with the configuration of your OD server.

In the Settings / Policies / Binding, check you have ‘Enable authenticated directory binding’ turned on and you don’t have the ‘Disable clear text passwords’ turned on. Using the ‘Require authenticated binding between directories and clients’ is optional, but leave it off while you are testing.

[sunnyape]

I think I’ve worked it out.

When I prep the image, prior to deployment, I use a cleanup script that also regenerates the KDC. This has always been fine for 10.5 and 10.5 server.

With 10.6, you need to delete and re-generate the system keychain as well as the KDC before making an image for deployment.

For those with similar issues, do this in your image prep script and your binds should be OK.

[code]# Delete and re-generate the System keychain
rm -rf /Library/Keychains/System.keychain
/usr/sbin/systemkeychain -C

# Delete and re-generate the KDC database
rm -rf /var/db/krb5kdc
/usr/libexec/configureLocalKDC
[/code]

[sunnyape]

I just read the man pages on DirectoryService and can see that the error -14278 converts to ‘ePlugInNotActive’

I know the plug-in is active, as I write the pref file first and restart the service, thus:

[code]defaults write /Library/Preferences/DirectoryService/DirectoryService “LDAPv3” “Active”
killall DirectoryService[/code]

If I manually use the Directory Utility app to do the OD bind, all works well. Any ideas why the OD plug-in sometimes reports that it is not active when doing a bind via dsconfigldap

[sunnyape]

Can you supply the dsconfigldap code you’re using to do the bind?

To reset the KDC database on an SOE image before deploying it, use something like :

[code]rm -rf /var/db/krb5kdc
/usr/libexec/configureLocalKDC[/code]

[Author]

Posts