Need to perform lookups on Open Directory from Linux? Need to determine a search base to use an LDAP plug-in for a third party with Active Directory? Determining the layout of a directory service can be important for a number of tasks. Most of these have to do with connecting systems of different platforms with one another. In OS X, there are a number of tools that will look up directory service information. Most are based on ldapsearch. Using ldapsearch, you can determine whether a search base is good, whether a directory service responds to a given request and validate some assumptions you may have about an LDAP environment. Let’s…
Missing Option w/ OD Presets
When you are using a preset with Open Directory, it will copy a number of settings from a template, or preset, that you have created. But the preset will not keep the managed preferences. But you can copy the managed preferences you have defined. I know that this has been covered before by a few different people, but it has mostly been for Local MCX or other types of uses. But if you are using Open Directory and you want to create a template, here’s what I do. Once I’ve configured a group’s managed preferences as I want them, I will save the group in Workgroup Manager and then open…
New GUI Directory Services Debug Tool
DSDebug is a small, quick little tool that just puts a server into Directory Services debug mode, waits for a specified amount of time and then drops a file on your desktop with the logs, placing the server back into a non-Directory Services debug mode. That’s all. It’s mostly designed to send to an Open Directory server’s administrator, tell them to double-click on it and not have to step anyone through typing much. It waits mostly so you can know how long it’s going to wait… Nice, small and compact. In the future I will likely build in a pattern matcher with some known, common errors, color coding, etc (or…
Invitation to Bind in Mac OS X Server
One of the new features introduced in Mac OS X Server is the new invitation to bind. You can send an email to a user once you have created their account. To do so, from Server Preferences, click on the account you would like to send an invitation for and then click on the cog icon below the list of users. Amongst the options will be a choice to “Send Invitation to ” followed by the user’s short name. If you send this then the user will get an HTML-formatted email similar to the following: If the user then clicks on the Automatically Configure My Mac icon they will…
slap overlay
That’s all I really have to say:

database bdb
suffix dc=krypted,dc=com
…
overlay accesslog
logdb cn=log
logops writes reads
logold (objectclass=person)

database bdb
suffix cn=log
…
index reqStart eq
access to * by dn.base="cn=audits,dc=krypted,dc=com" read
Open Directory Populated ARD Computer Lists
In Mac OS X 10.5-based Open Directory (or higher) and Apple Remote Desktop 3.3 (or higher) you can now add directory services objects as computer lists. Simply open Apple Remote Desktop from a bound computer, click on Scanner and then click on the drop-down list for the type of scanner. Here, select Directory Server and you should start to see your Open Directory objects populating the list, obviating a previous article on populating lists at deployment time. BTW, if you’re interested in creating computer lists based on Active Directory, start with cn=computer_lists. Note: Turns out Randy Saeks has also done an article on this topic. Find it here: http://rsaeks.wordpress.com/2009/11/23/using-opendirectory-computer-lists-with-apple-remote-desktop/
Replica Trees & Tuning Open Directory
You have a fairly large Open Directory environment and you go to add the 33rd replica, but you get a funny error that dserr doesn’t have listed. The reason is likely that a single Open Directory Master can only have 32 replicas. However, each replica can in turn have 32 replicas of its own (thus forming a replica tree), allowing for a total of 1,024 replicas and a master. So rather than bind that 33rd replica to the master, move to a replica tree model, placing replicas in as geographically friendly a fashion as possible (thus reducing slap traffic on your WAN links) by repositioning replicas per site. Similar to…
Setting up a Dual Directory with Snow Leopard Server
In Snow Leopard Server it seems that someone at Apple figured out that a bunch of people were building these weird triangle, or dual directory, thingies. So, if you bind a Mac OS X Server to Active Directory and then open Server Admin and then click on Open Directory you’ll see a button to Kerberize Services. Once you’ve Kerberized the services, if you click on the Change… button for Role you’ll see a different option than you normally see when setting an Open Directory Master. In the Choose Directory Role screen you’ll see a new screen that tells you that you’re connected to another directory. It will then ask if…
Snow Leopard & Managed Client Preferences
In Mac OS X 10.6’s Open Directory, when you add ManagedClient to managed preferences you end up with two com.apple.mail entries (one suffixed with .managed). One is called com.apple.mail.managed, which is used for Mail on 10.5 and below and frankly doesn’t seem to be complete, so I’ve manually populated my environment with keys from 10.5 Server. The other is com.apple.mail, which now supports SSL, but only gives the drop-down list for Always, showing no options in Once/Often. One thing that was a bit confusing to me is what Beau and I discovered to be a GUI bug, where when you click on a manifest and then click on Once, Often…
Ticket Viewer: What's in a Name Anyway?
Kerberos.app + Snow Leopard = Ticket Viewer. I’m not sure what the point of this is, but I’m guessing it will become clear some day. Possibly Apple plans on also integrating some other form of tickets? Curious, but easy to figure out quickly since the icon didn’t change…