Active Directory credential caching issues under OS X 10.5.5 (and 10.5.4)
We are experiencing issues with cached credentials and login delays using the Active Directory DirectoryServices plugin under 10.5. In our case, the plugin works fine as long as the system is on one of our networks, and credential caching works when the system is disconnected. Everything is repeatable, scripted and reasonably well tested. We're pretty happy with how it's working on-site. Once a system leaves our network however, as laptops tend to do, it is not possible to log in without a massive delay. Looking into the issue, I have determined that the following contribute to the problem:
1) There are 9 active directory servers in our "/Library/Preferences/DirectoryServices/ActiveDirectoryDynamicData.plist" file.
2) The timeout appears to be 90 seconds, according to the string value of the LDAP Connection Timeout element in "/Library/Preferences/DirectoryServices/ActiveDirectory.plist".
The login delay does seems to coincide with the value of 90 seconds multiplied by the number of AD servers, about 13 1/2 minutes. Changing the value of the LDAP Connection Timeout does not seem to resolve the issue, even after a reboot. Moving the ActiveDirectoryDynamicData.plist file out of the way (to prevent the system from contacting any AD servers) does not seem to resolve the issue either. I'd like the ability to force cached credentials without the AD delay. Is this possible to change this value without rebooting, or at least without patching the binaries?
I am currently testing on a MacBook Air with 10.5.5, and the following procedure was used from the command line to configure AD (note that you'd need to replace the AD username, OU, and domain values):
dsconfigad -a `hostname -s` -u "ad-admin-user-replaceme" -ou "OU=Whatever, OU=You, OU=Have" -domain=example.com -mobile enable -mobileconfig disable -useuncpath disable
dscl -q localhost -create /Search SearchPolicy ds AttrTypeStandard:CSPSearchPath
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
Reboot and all seems to be working for us, except when the systems leave our network.
Note that the last command (plutil) is not strictly necessary, but the DirectoryService utility seems to write the file in xml1 format, so this makes things consistent with what Apple is doing and hopefully less likely to break anything.
1) There are 9 active directory servers in our "/Library/Preferences/DirectoryServices/ActiveDirectoryDynamicData.plist" file.
2) The timeout appears to be 90 seconds, according to the string value of the LDAP Connection Timeout element in "/Library/Preferences/DirectoryServices/ActiveDirectory.plist".
The login delay does seems to coincide with the value of 90 seconds multiplied by the number of AD servers, about 13 1/2 minutes. Changing the value of the LDAP Connection Timeout does not seem to resolve the issue, even after a reboot. Moving the ActiveDirectoryDynamicData.plist file out of the way (to prevent the system from contacting any AD servers) does not seem to resolve the issue either. I'd like the ability to force cached credentials without the AD delay. Is this possible to change this value without rebooting, or at least without patching the binaries?
I am currently testing on a MacBook Air with 10.5.5, and the following procedure was used from the command line to configure AD (note that you'd need to replace the AD username, OU, and domain values):
dsconfigad -a `hostname -s` -u "ad-admin-user-replaceme" -ou "OU=Whatever, OU=You, OU=Have" -domain=example.com -mobile enable -mobileconfig disable -useuncpath disable
dscl -q localhost -create /Search SearchPolicy ds AttrTypeStandard:CSPSearchPath
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
Reboot and all seems to be working for us, except when the systems leave our network.
Note that the last command (plutil) is not strictly necessary, but the DirectoryService utility seems to write the file in xml1 format, so this makes things consistent with what Apple is doing and hopefully less likely to break anything.
Yes, Mac OS X (10.5.5), Yas, und it is good