Solved

Xserve and Apple Macs not included in the LDAP auth process . . . Active Directory used for PCs

Posted on 2010-01-07
Last Modified: 2013-11-11
We have a mixed environment Linux Win Mac;
We are using LDAP via the LDAP Browser\Editor version 2.8.2 to manage auths.
As stated, the Macs do not use LDAP for network auths. We thought OpenLDAP may be a solution.
What are the best of breed solutions for this?


Question by:Bradley Haynes

Expert Comment

by:nappy_d
ID: 26205444
Well, you could use Active Directory and a third-party app called Centrify (www.centrify.com).

I currently use it for authenticating Macs in my AD infrastructure. The Windows clients natively function and Centrify has a Linux client.

Author Comment

by:Bradley Haynes
ID: 26205530
I have requested an evaluation copy. Are there open source solutions as well?

Expert Comment

by:nappy_d
ID: 26205664
none others I know of besides openldap

Author Comment

by:Bradley Haynes
ID: 26205777
Is there a way to use Open Directory on the X Server to connect to Active Directory?

Expert Comment

by:nappy_d
ID: 26205803
Yes and no.  The xServe would have read access to the users and groups in AD.  You would then create groups in OD on the xServe and you can then link objects in AD to groups created in OD for xServe Access.

This is known as the golden triangle.

To start this process, you have to bind the xServe to AD using the Active Directory plugin in Directory Utility, which is located in the Utilities folder.

Author Comment

by:Bradley Haynes
ID: 26205898
This (the golden triangle) looks like the road to travel. I have a meeting now. I will revisit this early tomorrow morning.

thx

Author Comment

by:Bradley Haynes
ID: 26212496
Status update - I need to hack the server to reset the root password. I do not have the installation DVD, so I hope restarting in single-user mode will be the way.

Expert Comment

by:nappy_d
ID: 26212767
Actually you don't need to. If you run sudo from the command line and enter the password of the user you are logged on as, and this user has full admin privileges, then they are automatically part of the sudoers group.

Author Comment

by:Bradley Haynes
ID: 26212804
No access whatsoever. The former owner/system admin of this left "abruptly".

Expert Comment

by:nappy_d
ID: 26213010
Then yes, single user mode will do it for you :)
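
Added example, not part of the thread and not Apple's code: the single-user-mode reset that the last two comments agree on, written out for OS X Server 10.5 as a script so the sequence is explicit, together with the admin-group check behind nappy_d's earlier point that a full admin user is already a sudoer. The account name "ladmin" and the password are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple. Boot holding Command-S and
# you land in a root shell with / mounted read-only and no directory services
# running, so those two things have to be dealt with before dscl can work.
# Assumed local admin account: "ladmin" (placeholder).

PATH=/bin:/sbin:/usr/bin:/usr/sbin; export PATH

# Repair the volume, remount it read-write and start DirectoryServices so that
# dscl can write to the local node (10.5 uses this launchd job; 10.4 needed
# "sh /etc/rc" instead).
prepare_volume() {
    fsck -fy
    mount -uw /
    launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
}

# Set a new password for a local account. As root no old password is asked for,
# which is exactly why this works without the install DVD. Returns dscl's status.
reset_local_password() {   # usage: reset_local_password ladmin 'N3w-Passw0rd'
    dscl . -passwd "/Users/$1" "$2"
}

# /etc/sudoers on OS X grants "%admin ALL=(ALL) ALL", so only members of the
# local admin group can sudo. dscl prints "GroupMembership: root ladmin ...";
# parse_group_members turns that line into one name per line.
parse_group_members() {
    awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) print $i }'
}

local_admins() {
    dscl . -read /Groups/admin GroupMembership | parse_group_members
}

# Anyone with physical access to the Xserve can repeat this. A firmware
# password (set with Firmware Password Utility; off by default) blocks
# single-user mode and booting from another device. After taking over a box
# whose admin left, reset every local admin listed by local_admins.
if [ "${1:-}" = "reset" ]; then
    prepare_volume
    reset_local_password "$2" "$3"
    echo "members of the local admin group:"
    local_admins
    reboot
fi
```

In practice you type the three commands in prepare_volume and the dscl line at the single-user prompt; the script form exists so the sequence can be read and checked as one unit. The caveat at the end of the block is the security point: this procedure is available to anyone who can reboot the machine, so set a firmware password once you are back in, and treat every credential the previous admin held as compromised.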

Author Comment

by:Bradley Haynes
ID: 26213258
I now have access and I found this "guide" for setting up Open Dir to work with Active Dir.

http://macdevcenter.com/pub/a/mac/2003/08/05/active_directory.html?page=2

Author Comment

by:Bradley Haynes
ID: 26214261
I have followed these instructions and I am unable to bind to the fqdn of my AD box.

http://www.makemacwork.com/bind-to-active-directory.htm

Expert Comment

by:nappy_d
ID: 26279899
Did you set a preferred DC for connection?

Author Comment

by:Bradley Haynes
ID: 26286420
I have set the preferred DC to the Active Domain server.
Still I get the invalid domain message.
I have attempted to use the administrative log in and passwd.

I have also connected from the Shared Devices to the server successfully with my account info which is a domain admin account.

Author Comment

by:Bradley Haynes
ID: 26288929
I went into AD and added the xserve manually and attempted to bind to it with the same error message. I checked the logs on the AD server and found nothing related to the current issue. I did find the connection I made from the shared devices. So the two nodes are talking.

?????

Expert Comment

by:nappy_d
ID: 26289201
Is this Leopard server 10.6?

Do you have multiple DCs spread across your corporate network, local and WAN?

If you've answered yes to both questions above, I don't think you will get this working with the native AD plugin.

Here is why: for some reason, when the OS X client is trying to join AD, it is not always communicating with the same DC throughout the binding process. It seems to bounce from dc1 to dc3 or to dc7, etc. (This was my company's experience as we monitored traffic during the process.)

Apple had no answer or fix for this.

We have since moved away from the native AD plugin to www.centrify.com and have been happy since.

Author Comment

by:Bradley Haynes
ID: 26293886
This Server is 10.5; a PDC and a backup/failover DC on a LAN.
I checked the logs on AD and saw the connection from the Shared devices but not from the Bind attempts. I also created the object(computer) in AD attempted to Bind without success with or without the object. The Bind from OD to AD is supposed to create the object in AD if I am understanding this correctly.

Author Comment

by:Bradley Haynes
ID: 26296739
re: version 10.6 .  .  . we do not have licensing for this. The primary SME for macs wants to wait six months for the "dust" to settle before going forward with this upgrade.

I have searched high and low [Google and the like] and found nada.

Expert Comment

by:nappy_d
ID: 26296895
Sorry not sure what you mean by "wants six month for the "dust" to settle......."

Author Comment

by:Bradley Haynes
ID: 26297943
The person responsible for the Macs and their apps does not want to do the upgrade until after another six months. Also we do not have licensing for it.

Author Comment

by:Bradley Haynes
ID: 26327854
It looks like a third party solution will have to be the way to go.
Too much time spent on this. I went commando line on this and found I could do an nslookup on the AD server but got no ping response, after I set the DNS in the named file to explicitly resolve to the assigned IP. Still this did not resolve the issue of binding the OD to AD.

My head hurts :(
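
Added example, not part of the thread and not Apple's code: the bind step of the "golden triangle" nappy_d describes earlier, done from Terminal with dsconfigad instead of Directory Utility, preceded by the two checks a practitioner runs before blaming the plugin. The AD plugin finds domain controllers through the domain's DNS SRV records and authenticates with Kerberos, so an nslookup of the DC's A record succeeding, or an SMB connection from Shared Devices working, says nothing about either; missing SRV records and clock skew are the usual reasons a bind is refused while the two hosts clearly talk. Domain, DC, computer name, OU and the admin account "adjoin" are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple. Placeholders:
# corp.example.com, dc1.corp.example.com, xserve01, the admin "adjoin" and
# the OU in bind_ad.

# Turn "dig +short SRV" output ("prio weight port target.") into hostnames,
# lowest priority first, without the trailing dot.
parse_srv() {
    sort -n | awk '{ sub(/\.$/, "", $4); print $4 }'
}

ad_dc_hosts() {             # usage: ad_dc_hosts corp.example.com
    dig +short SRV "_ldap._tcp.dc._msdcs.$1" | parse_srv
}

# Kerberos refuses tickets when clocks differ by more than 5 minutes.
# skew_ok takes the offset in seconds as printed by "ntpdate -q <dc>".
skew_ok() {                 # usage: skew_ok -12.5
    awk -v o="$1" 'BEGIN { if (o < 0) o = -o; exit ((o <= 300) ? 0 : 1) }'
}

dc_offset() {               # usage: dc_offset dc1.corp.example.com
    ntpdate -q "$1" | awk -F'[ ,]+' '/^server/ {
        for (i = 1; i <= NF; i++) if ($i == "offset") { print $(i+1); exit } }'
}

# LDAP, Kerberos, SMB (machine account) and global catalog must all be
# reachable from the Xserve; ICMP being blocked (no ping reply) is irrelevant.
ports_reachable() {         # usage: ports_reachable dc1.corp.example.com
    for p in 88 389 445 3268; do
        nc -z -w 3 "$1" "$p" >/dev/null 2>&1 \
            || { echo "port $p on $1 unreachable"; return 1; }
    done
}

preflight() {               # usage: preflight corp.example.com dc1.corp.example.com
    hosts=$(ad_dc_hosts "$1")
    [ -n "$hosts" ] \
        || { echo "no _ldap._tcp.dc._msdcs SRV records for $1; fix DNS before binding"; return 1; }
    echo "domain controllers from DNS:"; echo "$hosts"
    off=$(dc_offset "$2")
    skew_ok "$off" || { echo "clock is ${off}s off $2; run ntpdate $2 first"; return 1; }
    ports_reachable "$2"
}

# -f forces the join even when a computer object of that name already exists;
# the plugin creates (or resets) the object itself, so nothing has to be made
# in AD by hand. Without -p, dsconfigad prompts for the admin's password.
# -preferred pins the bind to one DC, which is the same setting as the
# "preferred server" field in Directory Utility.
bind_ad() {                 # usage: bind_ad corp.example.com dc1.corp.example.com xserve01 adjoin
    dsconfigad -f -a "$3" -u "$4" \
        -ou "CN=Computers,DC=corp,DC=example,DC=com" \
        -domain "$1" -preferred "$2" \
    && dsconfigad -show
}

if [ "${1:-}" = "bind" ]; then
    preflight "$2" "$3" && bind_ad "$2" "$3" "$4" "$5"
fi
```

Run it as `sh adbind.sh bind corp.example.com dc1.corp.example.com xserve01 adjoin` on the Xserve. If preflight prints no SRV records, the "named file" edit described above is the problem: an A record for the DC is not enough, the forwarder or zone the Xserve uses has to serve the `_msdcs` SRV records that AD registers on the DC's own DNS. After a successful bind, `dsconfigad -show` lists the forest and domain, and the computer object appears in the OU given.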

Accepted Solution

by:nappy_d (earned 2000 total points)
ID: 26328903
My points exactly.  Since 10.5, Apple broke all the rules of how to implement AD integration and probably don't care...

Use my recommendation. I do this and you will be happy. See this solution of mine for some additional info: http://www.experts-exchange.com/Apple/Operating_Systems/OS_X/Snow_Leopard_OS_10.6/Q_24930218.html

Author Closing Comment

by:Bradley Haynes
ID: 31674313
Thank you, as always EE like totally ROCKS IT.   wooooo hoooo