Article: More LDAP in Mac OS X Server
Subject: OD login and LDAP query not working
Date: 2004-06-23 16:24:13
From: hakan_kaya

I have set up an OS X 10.3.3 as OD Master with KDC working. Users can access network shares, mail and ssh with single sign-on. But they can only log in to their machines as local users. What I just can't figure out is why it's not possible to log in as an OD user with networked home folders. Also, I can't configure Address Book to query the LDAP server so that other users' info can be retrieved. I tried every possible search base combination. I think the problem is that there are sub-entries like uid=user_name which don't fit into the search base scheme as described in various articles. What does work is this: if I create a new entry with phpLDAPadmin, e.g. "people", and manually add entries for users and their email, phone etc., this information can be retrieved using the search base cn=people,dc=domain,dc=tld
|
Showing messages 1 through 3 of 3.

Re: OD login and LDAP query not working
2004-06-23 17:52:06 tonywilliams

If I understand you correctly, your first problem is that if someone has the same user id on their machine and on the LDAP server they only log on locally, not via LDAP. This is unchangeable, as the search order in Directory Access requires that the local NetInfo directory is searched before anything else.
Therefore the only way to fix this is to never have the same user id in both places. I suggest that you have a fixed user id for the local user on all machines (I use 'local' for an ordinary user and 'admin' for the admin user) or alternatively use a different variation of the user's name for the local id (I have used their first name and last initial for this, i.e. I'm tonyw on the local machine and tony_williams on the LDAP server).
For your second problem it appears that you have run into the problems in Apple's Workgroup Admin application, Address Book and LDAP. As I have said several times in these two articles, the integration of these is seriously flawed. The major problem is that Workgroup Admin doesn't populate the right fields with the right information and, in the case of the 'sn' container, shoves the number '99' into every user.
The first perl script in this second article is designed to fix the information. You need to have the 'givenName', 'sn', 'cn' and 'mail' fields filled in properly in each user record for them to be searched properly in Address Book. Read both articles again while taking a close look at your user records in phpLDAPadmin and you should see where your problem is.
Tony Williams

Re: OD login and LDAP query not working
2004-06-24 01:02:11 hakan_kaya

Dear Tony,
thank you very much for your valued attention. Concerning the first problem regarding users being unable to do networked login, I forgot to state that (on a test machine) there's only a local admin user. The uid and group info for the OD user only exists on the OD Master and is not used locally.
Thank you again for your great effort!
Hakan Kaya

Re: OD login and LDAP query not working
2004-06-24 23:33:51 tonywilliams

Hakan,
Carefully check your users in Workgroup Manager. Then I suggest you use ldapsearch from the command line to check that the LDAP server is responding as you expect. If that is all OK, double check the settings in Directory Access.
Tony
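Added example, not from the thread or from Tony's scripts: a shell function that takes ldapsearch LDIF output and flags user records lacking the givenName, sn, cn or mail attributes Tony names, or carrying the spurious sn=99. The host name, base DN and sample records are constructed placeholders.

```shell
# audit_users: read LDIF (e.g. ldapsearch output) on stdin and print one line
# per user record that lacks givenName, sn, cn or mail, or whose sn is the
# bogus "99". Exit status 0 when every record is clean, 1 otherwise.
# Not handled: folded continuation lines and base64 ("::") values.
audit_users() {
    awk '
    function flush(   k, bad) {
        if (dn == "") return
        bad = ""
        if (!("givenName" in a))  bad = bad " missing-givenName"
        if (!("sn" in a))         bad = bad " missing-sn"
        else if (a["sn"] == "99") bad = bad " sn-is-99"
        if (!("cn" in a))         bad = bad " missing-cn"
        if (!("mail" in a))       bad = bad " missing-mail"
        if (bad != "") { print dn ":" bad; problems++ }
        dn = ""
        for (k in a) delete a[k]
    }
    /^dn: / { flush(); dn = substr($0, 5); next }
    /^$/    { flush(); next }
    /^[^ #:][^:]*: / { i = index($0, ": "); a[substr($0, 1, i - 1)] = substr($0, i + 2) }
    END { flush(); exit (problems > 0) }
    '
}

# Constructed sample LDIF (not real directory data): one clean record and one
# showing the Workgroup Manager symptom (sn=99) plus a missing mail attribute.
SAMPLE_LDIF='dn: uid=tony_williams,cn=users,dc=example,dc=com
uid: tony_williams
cn: Tony Williams
givenName: Tony
sn: Williams
mail: tony@example.com

dn: uid=hkaya,cn=users,dc=example,dc=com
uid: hkaya
cn: hkaya
givenName: Hakan
sn: 99
'

# Against a live OD master the input would come from ldapsearch instead, e.g.
#   ldapsearch -x -H ldap://odmaster.example.com -b cn=users,dc=example,dc=com \
#       "(objectClass=inetOrgPerson)" uid cn givenName sn mail | audit_users
# (host and base DN are placeholders; substitute your own.)
printf '%s\n' "$SAMPLE_LDIF" | audit_users || echo "some user records need fixing"
```

Each flagged line names the record's DN followed by what is wrong with it, so the output can be fed straight into the fix-up work Tony describes.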