IamOnline

Q: Profile Manager web only management using Active Directory users and groups

Does anyone know how to set Profile Manager up so that under Users or Groups on the myserver.com/profilemanager/ page it just displays "Search for Users" or "Search for Groups" and allows you to search Active Directory through this page?

 

A friend has this set up, though he can't remember how he did it.

 

If the server is set up this way then Profile Manager can be managed completely from the web page and there is no need to manually import users into the Server app. For both Active Directory users and groups you are able to just search for the user or group that you want to apply profile settings to or assign devices to and do it completely from the web page. This is an ideal setup.

 

Thoughts on how to make this work?

Mac mini, Mac OS X (10.7.4)

Posted on May 22, 2012 2:43 PM


  • by Pedro Santos Logica, May 28, 2012 12:21 PM in response to IamOnline

    IamOnline,

    What you need is to use the Directory Utility in the Tools top menu in the Server app, and then bind the AD from your domain.

  • by Pedro Santos Logica, May 28, 2012 2:23 PM in response to Pedro Santos Logica

    Btw, how do you import the AD users to the Users on the Server app?

  • by IamOnline, May 29, 2012 12:29 PM in response to Pedro Santos Logica

    Thank you Pedro,

     

    Here is what I have set up so far.

     

    I updated OS X to 10.7.4.

    I used Directory Utility to join OS X to AD.

    I followed these directions to set up Profile Manager: http://krypted.com/iphone/setting-up-profile-manager-in-lion-server/

    I installed the OS X Server Admin Tools.

    I launched Server Admin to grant access to Profile Manager for Domain Admins and Domain Users. (Adding Domain Admins first allows admins to log in to the /profilemanager page to manage Profile Manager. Domain Users can log in to the /mydevices page.)

    Launched the Server app and under Groups I edited the Workgroup group and added Domain Admins and Domain Users. (Again, Domain Admins first followed by Domain Users. The order seems to matter as far as the server recognizing the admin rights of the Domain Admins group.)

    Followed these directions to change the web authentication to plaintext to work with AD logons: http://support.apple.com/kb/HT4837

    Then launched Profile Manager and checked the box under the About tab for the Workgroup group for "Can Enable Remote Management".

     

    These steps above get me to a functional Profile Manager that works with AD groups and AD logins for the /profilemanager and /mydevices pages.

    I can search for groups under the groups section, but under the users section I can only see local users or users that are imported from Active Directory.

     

    To import users from Active Directory you launch the Server app and under the Users section click the +. There will be a pulldown to import a user from another directory. If you start typing a name you should see names populate in the search window that you can select and choose import.

     

    What I seem to be missing is a piece that allows the Users section of the /profilemanager webpage to do a query search of Active Directory. If this were set up then manually adding users through the Server app wouldn't be necessary. I have tried some extra steps for setting up the Magic Triangle, but have so far had no luck with those, if they are even needed.

     

    This command to stop Kerberos for the Open Directory master fails at the step to remove the logon: http://docs.info.apple.com/article.html?path=ServerAdmin/10.6/en/odfd7bf26f.html

    If that were to succeed then using this command, sudo dsconfigad -enableSSO, would kerberize the AD in the computer.

    Even if that were working I'm not sure that is what is required to get AD queries to work on the webpage.

     

    I get the impression that what I want to do is possible with some hackery, but is outside Apple's supported use design for Profile Manager.

     

    Ian