10.4.2, LDAP and Windows 2003 Server Active Directory

I was quite impressed when I finally got 10.4.2 to connect to my AD server using the AD DSPlugin.

However, I'm having a problem getting the LDAPv3 DSPlugin to work against the same server (Windows 2003 SP1 and Active Directory).

I know, I know, I should stay with the AD plugin as it works, but I want to try and get the LDAP plugin setup, simply to see how it's done.

So what is my problem?

OK, I go into DA, enable LDAPv3, and click configure.

I make sure "Add DHCP Supplied LDAP Servers....:" is disabled then I click new.

I enter the server name (have tried the dns name of "ads.myserver-test.com" and the dotted decimal IP address of the server) and do NOT enable "encrypt using SSL". I leave Use for Authentication and Use for Contacts enabled and click "continue".

It performs the initial discovery and I get to select the mapping. Active Directory is auto selected as the template, so that's fine, searchbase is filled in as "DC=ads,DC=myserver-test,DC=com" which looks good to me, and it's certainly what was used for AD and worked.

I then click continue and that's it, nothing more happens.

I thus assume I need to manually configure things. I know when using LDAPBrowser I cannot perform an anonymous bind to the server via LDAP, I have to enter a userid and password, so maybe that's the problem, so I edit the configuration manually and on the "security" tab I enter the same user account I used in LDAPBrowser to connect.

I also manually go into Authentication and Contacts and add in the custom path for the server.

I apply the changes and reboot for good measure and then try and login as a user on the AD server and the login dialog shakes at me.

What am I doing wrong?

I've looked at the logs (System, Console and DirectoryService) and there does not seem to be anything meaningful as to why it's not working.

I can go into Terminal and issue "lookupd -d" and enter "userWithName: username" and it does return valid information for the user.

I've also used dscl and it will show LDAPv3 as a node and I can "ls" through it and -read a users record, so it seems that some form of communication is happening.

Any ideas greatly appreciated.

Posted on Aug 17, 2005 1:34 PM


Oct 6, 2005 11:36 AM in response to Mark Warren4

SOLVED!
I finally had some spare time to dig a little deeper into this, and having done that I feel such a fool!

I now have 10.2.8, 10.3.9 and 10.4.2 clients happily authenticating to my Active Directory via LDAP 🙂

What was I doing wrong? UniqueID, or more specifically, not mapping a uid. I had totally overlooked the fact that I might need to have a uid on the client computer and I foolishly thought that the default "Active Directory" mappings would obtain one for me, in a similar way to how the AD plugin works (by default it generates a uid based on the GeneratedUID field from the AD record, which isn't the best method in the world, but that's a whole other discussion).

Anyway, after reading a few articles here and there I realized I needed to map the UniqueID field to an AD attribute. Most articles said to use the uSNCreated value as that tends to be unique, though if you have multiple domains and servers it might not be totally unique. So I edited the "Users" item in the Mappings and for UniqueID I changed the value from UniqueID to uSNCreated.
I also changed PrimaryGroupID to #20 which tells it to use the static value of 20 for the gid, which is what you'd normally get for a local account.

Once I had done that and rebooted I could login using an AD account with no issues at all.

So, I'm very happy now 🙂
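Added example, not code from the thread or from Apple: a small model of the Directory Services LDAPv3 attribute mapping described in the post above (UniqueID mapped to uSNCreated, PrimaryGroupID set to the static value #20), run over constructed LDIF records. It shows why the default UniqueID -> UniqueID mapping fails (AD has no such attribute) and checks the caveat raised above, that uSNCreated can collide once records from more than one domain or controller are in play. The mapping dictionaries, the parser and the sample records are assumptions made for the example.

```python
"""Model of a Directory Services LDAPv3 user mapping over constructed AD records.

Added example; the mapping tables and sample LDIF are assumptions, not the
DS plugin's own files. A mapping value starting with '#' is a static literal,
which is how the plugin's "#20" for PrimaryGroupID is read in the thread.
"""

# Mapping the poster started with: UniqueID pointed at a non-existent AD attribute.
BROKEN_MAPPING = {
    "RecordName": "sAMAccountName",
    "UniqueID": "UniqueID",          # no such attribute in AD -> no uid on the client
    "PrimaryGroupID": "#20",
}

# Mapping the poster ended up with.
FIXED_MAPPING = {
    "RecordName": "sAMAccountName",
    "UniqueID": "uSNCreated",        # unique per domain controller, not globally
    "PrimaryGroupID": "#20",         # static gid 20, as for a local account
}

# Constructed sample, not real directory data: carol sits in a second domain and
# happens to share a uSNCreated value with alice.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=ads,DC=myserver-test,DC=com
objectClass: user
sAMAccountName: alice
uSNCreated: 12345

dn: CN=bob,CN=Users,DC=ads,DC=myserver-test,DC=com
objectClass: user
sAMAccountName: bob
uSNCreated: 12346

dn: CN=carol,CN=Users,DC=child,DC=ads,DC=myserver-test,DC=com
objectClass: user
sAMAccountName: carol
uSNCreated: 12345
"""


def parse_ldif(text):
    """Parse minimal LDIF: records separated by blank lines, 'attr: value' lines."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def map_record(record, mapping):
    """Apply a DS-style mapping to one AD record.

    '#literal' values are copied as-is; anything else names an AD attribute.
    A missing source attribute raises KeyError, which is the situation the
    poster was in before UniqueID was mapped to something AD actually has.
    """
    out = {}
    for ds_attr, source in mapping.items():
        if source.startswith("#"):
            out[ds_attr] = source[1:]
        elif source in record:
            out[ds_attr] = record[source][0]
        else:
            raise KeyError(f"{record['dn'][0]}: AD attribute {source!r} missing for {ds_attr}")
    return out


def uid_collisions(mapped):
    """Return {UniqueID: [RecordName, ...]} for every uid shared by more than one user."""
    by_uid = {}
    for m in mapped:
        by_uid.setdefault(m["UniqueID"], []).append(m["RecordName"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def check_directory(ldif_text, mapping=FIXED_MAPPING):
    """Map every record; return (mapped records, uid collisions, unmappable records)."""
    mapped, unmappable = [], []
    for rec in parse_ldif(ldif_text):
        try:
            mapped.append(map_record(rec, mapping))
        except KeyError as err:
            unmappable.append(str(err))
    return mapped, uid_collisions(mapped), unmappable


if __name__ == "__main__":
    for name, mapping in (("broken", BROKEN_MAPPING), ("fixed", FIXED_MAPPING)):
        mapped, dupes, bad = check_directory(SAMPLE_LDIF, mapping)
        print(f"{name}: {len(mapped)} mapped, {len(bad)} unmappable, collisions={dupes}")
```

Running it shows the broken mapping yields no usable records at all, while the fixed one maps everyone but flags alice and carol as sharing uid 12345, which is the multi-domain case the post warns about.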

Oct 6, 2005 9:51 PM in response to Mark Warren4

Hi-
We're working on a Win2000Server, planning on joining a new flock of macs to AD in the next few days.
And the DC is a fresh install, too. (The XP machines seem to join perfectly, and users are authenticating from those PC's with no hassle)

Is it critical to have a three-part domain name (you are calling yours "ads.my-test.com"?), if this is just a local domain? We started to name it ISIDORE.local, until we heard of the hassles with the way Tiger calls the computers..."macName.local", so we have called the local domain: ISIDORE.edu...and the DC is named: 'schoolserver'

What I'm wondering is as we map these macs to AD...the "ads" portion of Your AD name...is that simply the servername, as in "schoolserver.isidore.edu"?

Was your "binding" failing, giving 'invalid domain' type error before you did the UniqueID thing?
(it's late...am I making sense with this question?)

Oct 7, 2005 7:28 AM in response to Rick Van Vliet

Hello Rick,
The "bind" button in the LDAP plugin did fail, it said "directory binding not supported" or something like that. I assume this is not what you mean though. I would guess you're asking if the lookup was working, and, from the terminal, yes it was. lookupd -d using the "userWithName: nameofuser" command did return details on the user instead of 'nil' and dscl localhost did allow me to step through into the node, then the items and view a user's record.
This does make sense as I was simply connecting to the node and viewing data on it, I wasn't at that point trying to login to the computer, so mapping the variables wasn't happening. It was only when I tried to login that things failed, and that was due to the mapping being incorrectly setup.

The server's full dns name is ads.my-test.com. "ads" is the domain/workgroup name. You can find out what the OS thinks it is by going to "connect to server" then type in smb://addressofserver/ and click ok, this will display the SMB/CIFS login dialog, the topmost item should be auto filled in with the workgroup/domain that the computer is actually picking up from the server.

The full three part thing is technically needed as what you need to specify is the full dns name (or dotted decimal IP address, but DNS name would be better) of the server.

From the looks of things your full dns name would be schoolserver.isidore.edu, so in search base terms that would be dc=schoolserver,dc=isidore,dc=edu

The real question here is what are you using to get the macs to connect to AD, are you using the AD plugin or the LDAP plugin? If you can use the AD plugin I'd recommend doing that over using LDAP, especially if you have 10.4 clients as the setup is somewhat better for AD than it is for LDAP, also you don't have to mess around so much with the mapping of unique IDs, it will auto generate one if you don't have the "map Unique id to" option enabled, which is something LDAP does not do, and hence my problem.

The reason I was using LDAP over the AD plugin was to see if it could be done and what was involved.

I hope that helps.

Oct 7, 2005 8:02 AM in response to Mark Warren4

OK, Thanks Mark.
I was working on both ldap and AD plug in.
And you know, I can't remember now, but it was the AD binding that was failing with Invalid Forest/Domain combination.
I have demoted this Test 2000Server, and I'm about to reinstall AD.
The real server is running in Michigan, I'm three states West. So I've never actually seen the real machine, and I'm working with a guy over iChat...and he's doing the work. (All macs involved are Tiger)
Servername= schoolserver
DNS name = isidore.edu
DHCP/DNS was running properly here (after fixing and finding a typo in DNS reverse).

Am I going to be "in trouble" by using the edu extension, instead of dot-local? (we are not registered with isidore.edu....can this be causing the AD 'bind' errors?)
"Real Server's" XP's are connecting and authenticating fine. "TestServer's" (here) XP's & 2000's are authenticating just fine. It's my single Mac, here in Test...that's really fighting me.
(I don't want the guy in Michigan to struggle like I have, and he's planning to add the macs into AD in the next day or so..)

I'll wait to reinstall AD/DC on this server til I hear from you.

Thanks for your previous notes, and any help you can provide.

Oct 7, 2005 8:37 AM in response to frodolives

OK, here's my experience of AD.

I had, first of all, simply installed AD and then tried to get the mac to bind to it using the AD Plugin, it would fail with the same message you are seeing.

I got a co-worker to run through things with me and the problem was due to the DNS name I was trying to use not being seen by the client. This made sense as I did not have DNS Server running on the AD server.

I still could not bind. Then I added the DNS servers IP address to my list of DNS servers in my network preference pane and then I could bind. Makes sense really.
