

Profile Manager does not see LDAP users

We are a K-12 school district with MacBook Pros on carts for students to use. On the backend, we are running Novell's eDirectory (LDAP) for authentication, and our Profile Manager server is a Mini running Yosemite (10.10.4) and OS X Server 4.1.3.


Goal: Teachers and students should be able to login to a MBP using their LDAP username/password (this works via a bind between the MBPs and the LDAP server). Profile Manager should assign permissions based on the user who logged into the MBP.


What we did: Each MBP and the OS X Server is bound to LDAP (eDirectory), and users can login successfully using LDAP credentials. In the Server app -> Users (and Groups), we can see LDAP users and Groups, and we can assign LDAP users to Local and Local Network Groups.


The Problem: In Profile Manager, we can see Local and Local Network users as well as Local and Local Network Groups. We can see no LDAP users or groups, and we cannot see the LDAP users who were assigned to Local and Local Network Groups. In a nutshell, the Server app sees the LDAP users/groups, but Profile Manager does not.


Does anyone have a hint as to why Profile Manager does not see the LDAP users?


Thanks!

Mike

Mac mini, OS X Yosemite (10.10.4)

Posted on Jul 7, 2015 11:20 AM

3 replies

Jul 9, 2015 5:24 AM in response to Mike Lichtenwalner

Profile Manager runs its own Open Directory system which is separate from any other Open Directory system you might have. (Yes, I know you're not using Open Directory.)


In your case your eDirectory is the equivalent of the other main Open Directory system that would apply. So you have Profile Manager using its own Open Directory database to track devices, and initially it will be unaware of the other directory system. The next step is to make sure the Mac running Profile Manager is configured to connect to (in your case) your eDirectory just like your client Macs. It is perfectly possible for a Mac to be connected to multiple directory systems; this is, after all, how a 'golden triangle' setup is configured, with Macs connected to both Open Directory and Active Directory. In your case the Profile Manager server needs to be connected to its own Open Directory and to your eDirectory.


It may also be necessary to set the priority order of these directories, i.e. maybe you will need to put eDirectory first in the list; this is done using the Directory Utility located at


/System/Library/CoreServices/Applications/Directory Utility.app


Now I have not used eDirectory myself, so I cannot say whether it is going to be compatible enough for this purpose; Apple themselves only talk about Open Directory and Active Directory systems.
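To check the binding and search order John describes from the server's own command line, here is an added diagnostic script (not from this thread or from Apple): it parses the output of `dscl /Search -read / CSPSearchPath`, reports where the eDirectory LDAP node sits relative to the server's own Open Directory node (/LDAPv3/127.0.0.1), and then tries to resolve an LDAP account through that search path. The hostname ldap.example.org and the user jdoe are hypothetical placeholders, and the sample dscl output is constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): inspect the directory search path
# the Profile Manager server uses and confirm an LDAP user resolves through it.
# ldap.example.org and jdoe are hypothetical placeholders.

# parse_search_path: read `dscl /Search -read / CSPSearchPath` output from
# stdin and print the node paths one per line, dropping the header line.
parse_search_path() {
    sed -n 's/^[[:space:]]*\(\/.*\)$/\1/p'
}

# ldap_node_position: 1-based position of the first /LDAPv3/ node other than
# the server's own Open Directory (127.0.0.1) in the search path, 0 if absent.
# /Local/Default is always first, so 2 means the LDAP node is ahead of OD.
ldap_node_position() {
    parse_search_path | awk '
        /^\/LDAPv3\// && $0 !~ /127\.0\.0\.1/ { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# check_live_search_path: run on the server itself; prints the position and
# returns non-zero when the eDirectory/LDAP node is missing from the search path.
check_live_search_path() {
    pos=$(dscl /Search -read / CSPSearchPath | ldap_node_position)
    echo "LDAP node position in search path: $pos"
    [ "$pos" -gt 0 ]
}

# resolve_user: confirm the Profile Manager host can look up an LDAP account
# through the search path, which is what Profile Manager relies on.
resolve_user() {
    dscl /Search -read "/Users/$1" RecordName GeneratedUID && id "$1"
}

# Constructed sample of dscl output: local node, the server's own OD master,
# then the eDirectory LDAP node last (lowest priority).
SAMPLE='CSPSearchPath:
 /Local/Default
 /LDAPv3/127.0.0.1
 /LDAPv3/ldap.example.org'

printf '%s\n' "$SAMPLE" | ldap_node_position    # prints 3

# Only attempt the live checks where dscl exists (i.e. on the OS X Server box).
if command -v dscl >/dev/null 2>&1; then
    check_live_search_path && resolve_user jdoe
fi
```

If the LDAP node is absent the server is not actually bound to eDirectory, and if `resolve_user` fails for an account that logs in fine on the client Macs, the problem is on the server's own binding rather than in Profile Manager.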

Jul 9, 2015 11:25 AM in response to John Lockwood

Thanks for the reply, John!


Open Directory is running on the Profile Manager server (we don't use OD for anything else), and the OD server is successfully bound to eDirectory (an eDir user can login at the server console and the Server app sees the eDir users). We tried changing the order of the directories in the Directory Utility, but that had no effect on Profile Manager seeing LDAP users.


Thanks again for the feedback!

