Jan 2, 2016 3:00 AM, by pvlvsk, in response to pvlvsk:
Is there anyone who can help me with this?
Thank you!
Jan 2, 2016 4:12 AM, by FromOZ, in response to pvlvsk:
Hi - is your server running in German?
The log says "missing externalID" oder "[user] not found" when an ldap user tries to login to mydevices.
Is the 'oder' German for 'or'?
Have you looked at the log of OpenLDAP on the Ubuntu box when you attempt to log in?
You can also look at the system accounts on your OS X Server 5.x install by choosing 'View > Show System Accounts' from the menu. Perhaps there is a specific (system) account that has to speak between the OS X and Ubuntu systems.
HTH
Jan 2, 2016 8:59 AM, by pvlvsk, in response to FromOZ:
FromOZ wrote:
Hi - is your server running in German?
The log says "missing externalID" oder "[user] not found" when an ldap user tries to login to mydevices.
Is the 'oder' German for 'or'?
Have you looked at the log of OpenLDAP on the Ubuntu box when you attempt to log in?
You can also look at the system accounts on your OS X Server 5.x install by choosing 'View > Show System Accounts' from the menu. Perhaps there is a specific (system) account that has to speak between the OS X and Ubuntu systems.
HTH
Yes, it's running in German, sorry.
The problem is, like I said, that the server itself connects to the LDAP directory without problems. I can see users and, for example, I can authenticate users for the SMB service. But in Profile Manager I see only local server accounts and no LDAP users.
I will check the LDAP log soon. Here is the error which appears in system.log of the OS X Server when an LDAP user tries to log in to xxx.local/mydevices:
Jan 2 17:50:59 mdm com.apple.xpc.launchd[1] (com.apple.collabd.preview[46846]): Service exited with abnormal code: 65
Jan 2 17:51:02 mdm collabd[46765]: [CSServiceDispatcher.m:261 21d000 +11ms] Caught exception "Missing externalID" [CSAuthServiceError] executing [http]Request{AuthService.validateUsername:andPassword:remember:(<<scrubbed>>)} :
(
0 CoreFoundation 0x00007fff85e8cae2 __exceptionPreprocess + 178
1 libobjc.A.dylib 0x00007fff9589273c objc_exception_throw + 48
2 CSService 0x0000000108436975 -[CSAuthService updateCurrentSessionWithExternalID:remember:] + 1755
3 CSService 0x0000000108430739 -[CSAuthService sessionForUsername:andPassword:remember:] + 565
4 CSService 0x0000000108430469 -[CSAuthService validateUsername:andPassword:remember:] + 73
5 CoreFoundation 0x00007fff85d5717c __invoking___ + 140
6 CoreFoundation 0x00007fff85d56fce -[NSInvocation invoke] + 286
7 CSService 0x00000001083b008e -[CSServiceDispatcher executeRequest:asPartOfBatch:usingServiceImpl:] + 4567
8 CSService 0x00000001083b0c14 __43-[CSServiceDispatcher executeBatchRequest:]_block_invoke_3 + 83
9 CSService 0x00000001083b58bc -[NSArray(CollabBlockMethods) map:] + 249
10 CSService 0x00000001083b0b6d __43-[CSServiceDispatcher executeBatchRequest:]_block_invoke_2 + 160
11 CSService 0x00000001083b5f99 +[CSExecutionTimer recordTime:ofBlock:] + 76
12 CSService 0x00000001083b5dd2 +[CSExecutionTimer timerNamed:aroundBlock:] + 76
13 CSService 0x00000001083b08bd __43-[CSServiceDispatcher executeBatchRequest:]_block_invoke + 323
14 PostgreSQLClient 0x0000000108306ec4 -[PGCConnection transactionInBlock:onError:] + 157
15 CSService 0x00000001083b06f3 -[CSServiceDispatcher executeBatchRequest:] + 277
16 CSService 0x0000000108424124 +[CSServiceDispatchHTTPRouter routeServiceRequest:response:] + 594
17 CSService 0x00000001083b680f __21-[CSServiceBase init]_block_invoke_6 + 48
18 CSService 0x0000000108421757 __53-[CSRoutingHTTPConnection httpResponseForMethod:URI:]_block_invoke + 110
19 CSService 0x00000001084246c9 -[CSHTTPBackgroundResponse bounce:] + 284
20 Foundation 0x00007fff955b6c6f __NSThread__start__ + 1351
21 libsystem_pthread.dylib 0x00007fff8961bc13 _pthread_body + 131
22 libsystem_pthread.dylib 0x00007fff8961bb90 _pthread_body + 0
23 libsystem_pthread.dylib 0x00007fff89619375 thread_start + 13
Jan 3, 2016 5:05 AM, by Leopardus, in response to pvlvsk:
Good day,
Profile Manager requires that the Mac server running Profile Manager also be an Open Directory server. However it is still possible to bind the Mac running Profile Manager to other directory servers as well. It will then search for user accounts to authenticate in the search order you define in Directory Utility.
(With compliments to John Lockwood)
Kind regards,
Leo
Jan 19, 2016 7:41 AM, by pvlvsk, in response to pvlvsk:
So I assume there is no one who has had success using OS X Server with OpenLDAP accounts for Profile Manager. Sad...
Jan 19, 2016 10:06 AM, by Leopardus, in response to pvlvsk:
Maybe it works with simply 'localhost' in first place? I'm not sure myself, because I had only tried it together with AD. There I had the AD in second place.
Leo
Jan 19, 2016 11:06 PM, by Blaidd Drwg, in response to pvlvsk:
It can be made to work, but not with the default RFC2307 mappings, since there is no GeneratedUID. Profile Manager (and a lot of other stuff in OS X) wants a GeneratedUID for each user and group.
On the Mac side, you need to add a mapping for GeneratedUID in Users and Groups to some attribute in LDAP. On the LDAP server, you need to decide which attribute to use that can store a unique GUID for each user and group. OpenLDAP has an entryUUID operational attribute which you could use pretty easily; it's already populated with a unique GUID for each user and group, but you need to make it readable and indexed. Maybe run that by an OpenLDAP master before you do that. Alternatively, use another attribute or extend your schema with the Apple schema.
Once you decide which attribute to map GeneratedUID to, configure one Mac manually with the custom mappings in Directory Utility, then save a template plist file. Then ldapadd a record in LDAP like this:
dn: ou=macosxodconfig,dc=ldap,dc=example,dc=com
ou: macosxodconfig
objectClass: organizationalUnit
objectClass: top
description:< file:///home/admin/MyTemplate.plist
Edit the search base (dc=ldap...) as needed. "MyTemplate.plist" is the file you saved from Directory Utility. With this record in LDAP, any Macs you bind to LDAP in the future will find this record and automatically configure the custom mappings.
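An added check for the entryUUID route described in this post (example code written for this page, not the poster's): before mapping GeneratedUID, dump the user and group records and confirm that every one of them carries exactly one well-formed, unique entryUUID. The ldapsearch command in the docstring, the base DN dc=ldap,dc=example,dc=com (taken from the post's LDIF) and the embedded sample LDIF are assumptions; the sample is constructed, including a record with no entryUUID (what the Mac sees when the attribute is not readable, and what ends in "Missing externalID") and a duplicated value (impossible with OpenLDAP's own entryUUID, but possible with a hand-maintained attribute or a cloned record).

```python
"""Check that every user/group record in an OpenLDAP export has one unique
entryUUID, i.e. a value OS X can map to GeneratedUID.

Added example for this thread, not code from the original posts. Feed it the
LDIF printed by a command such as (hostname and base DN are assumptions):
  ldapsearch -x -LLL -H ldap://ldap.example.com -b dc=ldap,dc=example,dc=com \
      '(|(objectClass=posixAccount)(objectClass=posixGroup))' '*' entryUUID
entryUUID is an operational attribute: it must be requested by name (or '+'),
and the identity the Mac binds as must have read access to it.
"""
import base64
import re
import sys

UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ACCOUNT_CLASSES = {"posixaccount", "posixgroup", "inetorgperson", "groupofnames"}

# Constructed sample: bob lacks entryUUID, staff duplicates utest's value.
SAMPLE_LDIF = """\
dn: uid=utest,ou=people,dc=ldap,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: utest
cn: User Test
entryUUID: 6c819426-cf47-1031-8a29-0b08975019c1

dn: uid=bob,ou=people,dc=ldap,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
cn:: Qm9iIEV4YW1wbGU=

dn: cn=staff,ou=groups,dc=ldap,dc=example,dc=com
objectClass: posixGroup
cn: staff
memberUid: utest
entryUUID: 6C819426-CF47-1031-8A29-0B08975019C1
"""


def parse_ldif(text):
    """Return a list of {"dn": str, "attrs": {attr_lower: [values]}}.

    Handles folded continuation lines (leading space) and base64 values (::),
    skips comments and the version line; URL values (:<) are kept verbatim.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(attr, []).append(value)
    return entries


def check_guid_source(ldif_text, guid_attr="entryUUID"):
    """Return (problem, dn) tuples for records that cannot yield a usable
    GeneratedUID; an empty list means every record has one unique UUID."""
    guid_attr = guid_attr.lower()
    problems, seen = [], {}
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry["attrs"].get("objectclass", [])}
        if not classes & ACCOUNT_CLASSES:
            continue                       # OUs, config records and the like
        values = entry["attrs"].get(guid_attr, [])
        if not values:
            problems.append(("missing", entry["dn"]))
        elif len(values) > 1:
            problems.append(("multi-valued", entry["dn"]))
        elif not UUID_RE.match(values[0]):
            problems.append(("malformed", entry["dn"]))
        elif values[0].lower() in seen:
            problems.append(("duplicate of " + seen[values[0].lower()], entry["dn"]))
        else:
            seen[values[0].lower()] = entry["dn"]
    return problems


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LDIF
    problems = check_guid_source(text)
    for problem, dn in problems:
        print(f"{problem}: {dn}")
    print(f"{len(problems)} problem(s) found")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real export with `python3 check_guid.py export.ldif`; without an argument it runs on the constructed sample. Pass `guid_attr="someOtherAttribute"` to check_guid_source if you decide to map GeneratedUID to a schema attribute of your own instead of entryUUID.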
Jan 19, 2016 11:11 PM, by pvlvsk, in response to Blaidd Drwg:
YES!!! Blaidd Drwg, thank you! I mapped the GUID to entryUUID in Directory Utility and now an LDAP user can log in to the /mydevices page. But the problem now is that Profile Manager says that this user doesn't have permission to access this page...
profilemanager.log
The logged in user does not have permission to access the user portal ({"succeeded"=>"true", "longName"=>"User Test", "uid"=>"6c819426-cf47-1031-8a29-0b08975019c1", "generated_uid"=>"6c819426-cf47-1031-8a29-0b08975019c1", "shortName"=>"utest", authed_at=>1453273211, auth_token=[FILTERED]>[FILTERED]})
Also the LDAP users are still not there in Profile Manager under "users"...
Jan 20, 2016 12:00 AM, by pvlvsk, in response to pvlvsk:
I know these problems were solved with Workgroup Manager in the past, but there isn't such a tool in the Server 5 app now... And Profile Manager isn't in the "Access to services..." menu when I edit a user in the Server app... I tried to add an LDAP user to the "workgroup", but still no luck.
Jan 20, 2016 1:55 AM, by Leopardus, in response to pvlvsk:
It should be possible to create LDAP groups in OS X Server's Open Directory service and populate these proxy groups with groups/users from your OpenLDAP accounts. Use the LDAP groups that you created to provide access to services and data.
Leo
Jan 20, 2016 2:40 AM, by Leopardus, in response to pvlvsk:
Your server must be bound to the OpenLDAP and the server (OS X) must be promoted to be the master. To create the proxy group in OS X Server:
- Open Server.app
- Select Groups in the left-hand column
- Set the Groups to Local Network Groups. That is the Open Directory groups container.
- Select the + button for the New Group pane.
- Enter the Full Name for the group indicating what OS X group this should be, maybe starting with a unique character so that it will not conflict with an existing group in your OpenLDAP.
- Tab to allow autocomplete in the Group Name
- Click OK
You now have an Open Directory group on a server that is bound to your OpenLDAP server. You only have to populate this group with the respective OpenLDAP users:
- Double-click your new Group Name to select and open it.
- Locate the Members field and click +
- This will create a new entry. Start to type a few characters and names will start to appear so you can select the appropriate user.
- Repeat for each user or group that you want to include in the OS X Server LDAP group that you created.
- Remember to add Keywords if needed, and Notes to remind you some months down the line of why you did what you did.
- Of course, if there are a lot of users to add, select Window => Show Accounts Browser in the menu, select all the users you want, and then drag them to the Members window.
- Press the OK button.
You can define access by selecting Edit Access to Services from the gear menu as required.
Leo
(With Compliments to Reid)
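The same proxy-group procedure driven from the command line with dseditgroup, as an added example written for this page (not the poster's code), for the "a lot of users" case. Group name, user names and the admin name are placeholders; it assumes the Mac is the Open Directory master (whose own LDAP node is /LDAPv3/127.0.0.1), is bound to the OpenLDAP server, and that the OpenLDAP users already resolve with a GeneratedUID, since an OD group records its members by GUID.

```python
"""Create an Open Directory proxy group and add OpenLDAP users to it with
dseditgroup instead of the Server.app GUI.

Added example, not from the thread. Names are placeholders. Assumes this Mac
is the OD master (local node /LDAPv3/127.0.0.1) and is bound to OpenLDAP, so
the members resolve through the Directory Utility search path.
"""
import subprocess

OD_NODE = "/LDAPv3/127.0.0.1"      # the local Open Directory master node


def create_group_cmd(group, admin, realname, node=OD_NODE):
    # "-p" makes dseditgroup prompt for the directory admin password;
    # "-P <password>" would expose it in `ps` output and shell history.
    return ["dseditgroup", "-o", "create", "-n", node, "-u", admin, "-p",
            "-r", realname, group]


def add_member_cmd(group, member, admin, kind="user", node=OD_NODE):
    # kind is "user" or "group"; an OpenLDAP group nests the same way.
    return ["dseditgroup", "-o", "edit", "-n", node, "-u", admin, "-p",
            "-a", member, "-t", kind, group]


def checkmember_cmd(group, member):
    # No authentication needed; prints "yes ..." or "no ..." on stdout.
    return ["dseditgroup", "-o", "checkmember", "-m", member, group]


def provision(group, realname, members, admin="diradmin", dry_run=False):
    """Build (and unless dry_run, execute) the create + add-member commands;
    returns the command lists so they can be reviewed or logged."""
    commands = [create_group_cmd(group, admin, realname)]
    commands += [add_member_cmd(group, m, admin) for m in members]
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=True)
    return commands


def is_member(group, member):
    """True if dseditgroup reports the member as belonging to the group."""
    out = subprocess.run(checkmember_cmd(group, member),
                         capture_output=True, text=True).stdout
    return out.startswith("yes")


if __name__ == "__main__":
    # Leading "_" keeps the OD group name clear of any OpenLDAP group name.
    for cmd in provision("_mdm-ldap-users", "MDM LDAP users",
                         ["utest", "bob"], dry_run=True):
        print(" ".join(cmd))
```

Run with dry_run=False on the server itself; each command prompts for the directory administrator's password. Check the result afterwards with is_member, and only then grant the new group access in Profile Manager.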
Jan 20, 2016 3:25 AM, by Leopardus, in response to pvlvsk:
Just to confirm, did you edit the mdm-users permissions to allow group members access to the portal?
You will find that when you log in as an Admin under About / Uber. There you will have to grant access and login rights to the group.
Leo