8 Replies Latest reply: Jun 24, 2012 1:56 PM by Tenn_Surety
Tenn_Surety Level 1 (0 points)

10.7.3, bound to AD


Several questions that I can't seem to find the answer to on apple's KB.


1. When setting up an iPhone to sync with the Lion Server, why does it only present Mail and Notes for sync? Is this just how it works, you have to set up the different services separately for mail, contacts, and calendar? I can't believe that when an iPhone has built-in support for Exchange.


2. I followed http://support.apple.com/kb/HT3660 to get iCal working for AD users. I also followed http://support.apple.com/kb/HT5276 to get push notifications in iCal and Address Book working for AD users. It was initially working after following this doc, however now it's not. Even after restarting I just get "invalid username or password". The log file shows something about an OD crash which seems to coincide with an attempt to log in to iCal using AD credentials.


3. I cannot edit users' shortnames via WGM. Even so, it wouldn't accomplish what I need. So I'm fine with just manually creating aliases. I tried to edit the postfix aliases file for a test alias

group:     user1, user2


Doesn't work; even after restarting mail it says it's an unknown user. Mailman doesn't work the way I expected. I need to create distribution groups, not a mailing list.


Anyone know how I can fix these issues?

Mac mini, Mac OS X (10.7.3), Lion Server
  • Tenn_Surety Level 1 (0 points)

    Anyone have any thoughts on these? I've resolved most everything or found it was Outlook's fault (mail folders).


    Another big one is the spam filtering blocking EVERYTHING. I turned it off and subscribed to Spamhaus, but I'd like to turn it on if there's a way to allow legit mail through.

  • Tenn_Surety Level 1 (0 points)

    Fixed #2, iCal authentication.


    Anyone know why #1 and #3 don't happen?


    For WGM to edit AD accounts, I'm assuming the best thing is to set up an OD replication instead of just binding to AD.


    Should I switch to OD Replica or Master?


    Will this break anything? I believe I tried it once before and it broke authentication to AD completely... but I can't say I was already bound to AD.

  • Antonio Rocco Level 6 (10,400 points)



    For the two sub-questions in 1 - yes and yes. Just an opinion, but Apple have no interest in 'aping' something that Microsoft have been doing very well for many years. As long as iOS devices (iPhones, iPads) can 'work' in a Windows environment (mainly because EAS support is built-in), that is all that matters.


    As for 3 - unless you're prepared to 'hack' the AD Schema in a major way, you only have read-only access to its LDAP database from another platform. You could make changes to user accounts in a 'stub' database (Augmented Records) if you wanted to, but that's another story and for what you want, probably not necessary?


    For your other post, and if I've understood you correctly, you have to have two OS X Servers if you want OD Replication: one as the Master and the other as the Replica. As far as I know you can't make OS X Server a Replica of your DC. Neither can you make OS X Server a BDC of your DC.





  • Tenn_Surety Level 1 (0 points)

    Thanks for the reply! I've really got two huge issues.


    I didn't fix iCal authentication for AD users. I found it had several system certs, one for each time I tried to set it up via the Server app. So I deleted those and set it up again and applied our certificate to the iCal service, bingo. That seemed to fix it, temporarily. I can get logged in once with an AD account; however, I log out and then it doesn't log back in. It's almost as if it's bouncing. The log file confuses me because I can see where it says dovecot: auth od(username,ip) and that the account was found. Then it seems to connect again.


    The other huge issue is that spam filtering doesn't let anything through, set as low as the slider will allow. I can't find documentation about how it really works.


    I know it's SpamAssassin, but that's it. I also see that when I turn it off, messages I saw get greylisted come through. I'm just worried about leaving it on, going to bed and getting a call that no one has gotten emails. Is it normal to learn in the beginning and then to start working correctly? I subscribed to ZEN from Spamhaus, but it blocks quite a bit of legit email, even though the sender's domain and IP aren't blocked according to the check utility they have, which I found odd, so I took it off.
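
The "required score" the slider sets is what SpamAssassin compares each message's score against, and that comparison is recorded in the X-Spam-Status header it adds. The following is an added example (not code from this thread or from Apple): it parses X-Spam-Status headers from a constructed sample of messages and reports what fraction would be tagged at several candidate thresholds, plus which rules fire most, so a threshold can be chosen from real mail rather than by sliding blind. The header format is SpamAssassin's own; the sample scores and rule names are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample of X-Spam-Status headers (scores are invented; the
# format matches what SpamAssassin writes). Folded headers should be unfolded
# before being fed in; each entry here is already a single line.
SAMPLE_HEADERS = [
    "X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIM_VALID autolearn=ham",
    "X-Spam-Status: Yes, score=4.1 required=1.0 tests=RDNS_NONE,MISSING_MID autolearn=no",
    "X-Spam-Status: Yes, score=2.3 required=1.0 tests=HTML_MESSAGE autolearn=no",
    "X-Spam-Status: Yes, score=12.7 required=1.0 tests=URIBL_BLACK,BAYES_99 autolearn=spam",
    "X-Spam-Status: Yes, score=6.8 required=1.0 tests=RCVD_IN_ZEN,BAYES_80 autolearn=spam",
    "X-Spam-Status: Yes, score=1.4 required=1.0 tests=HTML_MESSAGE autolearn=no",
]

_STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(Yes|No),\s*score=(-?\d+(?:\.\d+)?)"
    r"\s+required=(-?\d+(?:\.\d+)?)(?:\s+tests=(\S*))?"
)


def parse_status(header):
    """Return the flagged/score/required/tests fields of one header, or None."""
    m = _STATUS_RE.search(header)
    if not m:
        return None
    flagged, score, required, tests = m.groups()
    return {
        "flagged": flagged == "Yes",
        "score": float(score),
        "required": float(required),
        "tests": tests.split(",") if tests else [],
    }


def flagged_fraction(headers, required):
    """Fraction of parsable messages whose score meets the given required score."""
    parsed = [p for p in map(parse_status, headers) if p]
    if not parsed:
        return 0.0
    return sum(1 for p in parsed if p["score"] >= required) / len(parsed)


def threshold_table(headers, candidates=(1.0, 3.0, 5.0, 8.0)):
    """Map each candidate required score to the fraction of mail it would tag."""
    return {t: flagged_fraction(headers, t) for t in candidates}


def top_tests(headers, n=3):
    """Most frequently firing rules, to see what is driving the scores."""
    counts = Counter()
    for p in map(parse_status, headers):
        if p:
            counts.update(p["tests"])
    return counts.most_common(n)
```

Run it over headers pulled from a day's worth of messages (including known-good ones) to see which required score separates the two; a threshold that tags nearly everything in the table is too low for that mail flow.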

  • Antonio Rocco Level 6 (10,400 points)



    "Is it normal to learn in the beginning and then to start working correctly?"


    In essence, yes.


    Greylisting is on by default when you configure and enable the Mail Service, and it's actually a good thing if you're prepared to be patient. However, you may decide you don't actually need it and resort to other methods of filtering mail to your domain. There are many tools available for any enterprise wishing to run its own private mail server, and greylisting is just one option. There are lots of resources explaining greylisting which you can google for yourself.


    However these might help?






    A good resource for all things OS X Mail Server is here:




    Your iCal Service issue for Active Directory Users may be answered here:




    However, the problem you're describing with certificates is not good and you should really clear this up as soon as you can. There are some 'golden rules' regarding servers in general and OS X Server in particular. In no particular order these are:


    1 - Start at the end to begin at the beginning (a bit odd but it does make sense if you think about it)

    2 - DNS. Get this bit right and everything else will follow

    3 - If you mess up the initial configuration right at the beginning it's best to start again

    4 - DNS. Get this bit right and everything else will follow

    5 - A lot of features you'd expect from a Mail Server for Enterprise use are not in the GUI. You will have to use Terminal sooner rather than later. This is also true to a lesser degree with other services.

    6 - DNS. Get this bit right and everything else will follow


    The above is only my opinion.


    If you've not already done so, you may want to start again (wipe and reinstall); otherwise you may find as time goes on that the instability the server is suffering from at the moment will only get worse, and usually when you least want it.





  • Tenn_Surety Level 1 (0 points)

    Ok, thanks again for the reply!


    One last question.


    If I make the current Mac server an OD Master, even though it's already bound to AD, will this break anything?


    This is only to enable CardDAV access.




    Can I set up a bind to AD using RFC2307 and link the UID to AD accounts?

  • Tenn_Surety Level 1 (0 points)

    Ok, figured out my iCal issue. My account had the callback set to TRUE. I had to use ADSI Edit and compare mine to another account, which worked. Turned that off and bingo.


    However, I assumed once set up I would be able to send email invitations via Thunderbird + Lightning, or is this also going to require Address Book functioning?

  • Tenn_Surety Level 1 (0 points)

    Meeting requests, etc. are working. Now I'm just trying to decipher Apple's instructions for training the spam filter. I've created the two accounts. What I'm confused about is I keep reading that Apple has a script that runs every 24 hours that pulls information from ALL users' junk folders and uses that information to train the filter.