
open directory problems

OK, I can say I am truly frustrated with open directory under Lion. We were running a Snow Leopard server that was doing a great job of allowing us to configure various settings on our Macs. Then Lion arrives. Getting Lion to bind to our open directory master was an exercise in failure. Unlike Snow Leopard or earlier, you can't just try to connect to open directory and then bind after entering the server; there are additional steps. If you try to join your open directory server from Directory Utility, you end up having to remove your open directory settings completely, as any change you attempt to make just brings up -[__NSCFDictionary setObject:forKey:]: attempt to insert nil key.


So, I thought, hey, we need a new server anyway, let's get a new machine running Lion server. That should solve our problem, right? Wrong! Hoping to not have to rebuild our Workgroup configurations, I migrated from the Snow Leopard server to Lion. Now, any pre-Lion OS that binds adds 3 entries: one for the Computer ID you specify, one for the DNS name, and one for Kerberos. Lion clients do not bind any easier or with any less problem to the Lion server. And the most frustrating part is the way Lion clients ignore the Computer ID and bind using their DNS name instead. Since we use DHCP and configure our machines in a special segment before deployment, the DNS names are totally irrelevant for identifying machines.


So, all that being said, has anyone been able to bind and successfully manage Lion clients on an open directory master? Barring that, anyone have any suggestions? I held out for 10.7.2 because I heard it addressed open directory shortcomings, but this does not seem to be the case. On a positive note, it does seem to have fixed some active directory issues (but not all).

Any Mac running 10.7-OTHER, Mac OS X (10.7.2)

Posted on Oct 26, 2011 10:13 AM

11 replies

Oct 28, 2011 6:51 AM in response to Craig Luis

let me guess


you ran these terminal commands on your OD master


sudo rm /usr/lib/sasl2/openldap/libgssapiv2.2.so

sudo rm /usr/lib/sasl2/openldap/libgssapiv2.la


well I did this after being on the phone with enterprise support... because this is what they told me to do, which did allow me to see my 10.7.2 machine on my OD master, but then on my client I got your error, and my OD server on the client didn't show up as green like my AD server. So I called back Apple Enterprise support and this is what they told me to do...


Remove the OD server from the client and remove it from my workgroup mgr on the OD server, reboot the client, do an easy bind, click yes or continue when you get the SSL pop up; now you should be bound and it should show green. Then on the OD master manually add your client to the workgroup mgr by putting in your machine name and your machine's MAC address; it then should show up in the OD master's workgroup mgr list, which it did, and I was then able to push policies to it just like my 10.5 and 10.6 machines.


Not really as easy as it was with my 10.6 clients, but it worked, and that was my main concern. You can try it and see if it works for you.


Craig Morrison

Kirkwood Community College

Oct 28, 2011 8:07 AM in response to kwood_cmorris

Thanks for the reply.


I did not run those commands, because the support article about those commands http://support.apple.com/kb/TS3861?viewlocale=en_US states the problem is caused by magic triangles. My open directory server is not bound to active directory, because I was never able to get it to work properly, even under 10.6 server.


The ultimate solution has been to create a workflow on our setup room DeployStudio server to bind new machines to Active Directory and Open Directory via their built-in scripts, which works perfectly.


Apparently, the underlying mechanisms for Active Directory and Open Directory work just fine, but the GUI interfaces for both are horribly broken in Lion, even under 10.7.2.

Nov 4, 2011 12:15 PM in response to HBarnes

The easiest way to get the script is to download DeployStudio from http://deploystudio.com/Home.html and once it is installed, you can look at all the scripts they have. All I did was replace placeholders in their script with site-specific items. Since I didn't actually write the script, and don't want to share my site-specific information, I am directing you to the original source.

Nov 4, 2011 1:01 PM in response to Craig Luis

Thanks, that's what I was looking for. I have gotten the GUI to work to the point of obeying computer-level policies (that's via adding it & then clicking bind under the LDAPv3 settings). I use the golden triangle configuration and the weird thing is it actually kind of worked with 7.1, it just took forever for the yellow "some domain accounts not available" to go away. With 7.2 now logins are much faster but the yellow status is always there at login, even though under the account settings all servers are always green. I even tried changing the search paths & attributes manually but it never works. I did notice the attribute for server autoconfiguration is gone, wonder if this is somehow related.


It's extremely frustrating, I've had a lot of bugs in version 1 of Apple OSes but this is the worst I've experienced & that it got worse with 7.2 is just insane. We're looking at AD schema extension but I'm reading tons of horror stories about that all over the web. Apple tells us it's a piece of cake yet I can no longer find their own documentation for it & blogs of people who've tried it would say otherwise.


Now we have new MacBook Pros that can't run Snow Leopard and Lion is utterly broken. Apple really doesn't get enterprise. We don't have the time & money to just upgrade when they tell us we should. They just don't get it, and I say this as an avid Apple user. I guess until it hurts their pocket book they probably never will get it.

Nov 4, 2011 3:13 PM in response to HBarnes

I hear you. It has been the same thing for us, but we have users that ordered systems, and we are tasked with ensuring they work.


Our DeployStudio setup allows us to put in some basic machine identification information, and then it drops the image and binds the machine to active directory, and then open directory, even putting the machine in the correct group under Workgroup Manager.


Turns out the underlying mechanisms for active directory and open directory work just fine, but the GUI under 10.7 is horribly broken. I am guessing the reason why there aren't more complaints is because larger organizations are already using other deployment tools that bypass the need for the GUI interfaces completely.


Apple has definitely gone more consumer oriented lately.
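The two workarounds in this thread, the remove-then-rebind-then-stage-by-MAC steps in Craig Morrison's reply and the scripted bind that the DeployStudio posts rely on, as an added shell example; this is not code from the thread or from DeployStudio's own scripts, and od.example.com, diradmin and the function names are placeholders.

```shell
#!/bin/sh
# Bind a Lion client to an Open Directory master from the shell, bypassing the
# Directory Utility GUI, and prepare the MAC address for a pre-staged computer
# record in Workgroup Manager. Server, admin and function names are placeholders.
set -eu

# macOS ifconfig prints "ether 0:1e:c2:a:b:c" with leading zeros dropped;
# a computer record wants six zero-padded lowercase octets: 00:1e:c2:0a:0b:0c.
# Prints the normalized MAC, or prints nothing and returns 1 if it is not one.
normalize_mac() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'A-F' 'a-f' | awk -F: '
        NF != 6 { exit 1 }
        {
            out = ""
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^[0-9a-f][0-9a-f]?$/) exit 1
                if (length($i) == 1) $i = "0" $i
                out = out (i > 1 ? ":" : "") $i
            }
            print out
        }'
}

# MAC of the primary Ethernet interface (en0), normalized for Workgroup Manager.
local_mac() {
    normalize_mac "$(ifconfig en0 | awk '/ether/ { print $2 }')"
}

# Step from the thread: remove the existing OD configuration from the client.
od_unbind_client() {
    dsconfigldap -v -r "$1"
}

# Authenticated bind under the Computer ID (scutil's ComputerName), passed
# explicitly with -c so the record is not created under the DNS name.
# Usage: od_bind_client od.example.com diradmin 'password'
od_bind_client() {
    od_server=$1; od_admin=$2; od_password=$3
    computer_id=$(scutil --get ComputerName)
    dsconfigldap -v -a "$od_server" -n "$od_server" -c "$computer_id" \
        -u "$od_admin" -p "$od_password"
    # Verify: the LDAPv3 node is configured and the computer record exists
    # with the Ethernet address (ENetAddress) that Workgroup Manager keys on.
    dscl localhost -list /LDAPv3 | grep -qx "$od_server"
    dscl "/LDAPv3/$od_server" -read "/Computers/$computer_id" ENetAddress
}

# Run as: script.sh --bind SERVER ADMIN PASSWORD; sourcing only defines functions.
if [ "${1:-}" = "--bind" ]; then
    od_unbind_client "$2" || true   # a fresh client has nothing to remove
    od_bind_client "$2" "$3" "$4"
    printf 'MAC to stage in Workgroup Manager: %s\n' "$(local_mac)"
fi
```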

Feb 17, 2012 11:22 AM in response to kwood_cmorris

This reply helped me immensely, although the underlying issue at hand does not make too much sense to me. Despite following your statements and yielding a success that persisted after a reboot, for the pre-staging of the computer account I did the following:


Disabled REQUIRE authenticated binding

Allowed authenticated binding

prestaged computer account

removed binding and OD from 10.7 client

reboot

add OD server

reboot

go into Directory Utility and manually bind

However, even though the computer name reflected the prestaged computer account in OD, it went ahead and created a new computer account, with a shortened identifier.

Feb 20, 2012 7:22 AM in response to erikejohnson

There is still something wrong with the OD binding to Snow Leopard. It appears to be something with the authentication as it binds just fine but then authentication later fails. We gave up on authentication and are simply adding the OD server to the client & then manually adding the machine to OD. We use the "golden triangle" config with AD and doing this restored our management of AD user accounts, though it isn't 100% reliable. I find it quite humorous that Apple is already announcing Mountain Lion with so many issues still remaining in Lion. Maybe people are right, maybe Lion is their Vista & Mountain Lion their Win 7.

Feb 20, 2012 1:56 PM in response to Craig Luis

I know quite a few people who use Lion with their Macs at home (we even have someone who uses it in our department). It is a very nice, stable, and usable operating system for consumers (the person using it in our department does not bind it to AD or OD, and only uses a local account). It is great as long as you don't need to use it for small-scale enterprise.


However, I still stand by the method we use for binding. Our authentication and OD management is working great by using Deploystudio to accomplish the binding with scripts and bypassing the GUI. I expect any larger organization that automates this binding rather than trying to use the GUI to accomplish it has a similar experience.


I have yet to test 10.7.3, but I am not holding my breath for a fix.
