pvlvsk

Q: Third-party LDAP Authentication in Profile Manager

Hello,

We have set up LDAP authentication against our Ubuntu OpenLDAP server, which works fine for all services except Profile Manager. I can't see groups or users in the PM web UI. Login under server.local/mydevices isn't working either.

The log says "missing externalID" or "[user] not found" when an LDAP user tries to log in to mydevices.

Unfortunately this doesn't help either:

OS X Server: Using the Profile Manager or Wiki service with Active Directory or third-party LDAP services - Apple Suppor…

I appreciate your help.

Thank you

OSX Server 5.0.15 on El Capitan 10.11.2

Posted on Dec 22, 2015 5:53 AM

  • by pvlvsk, Jan 20, 2016 3:55 AM in response to Leopardus

    Yes, allow Access to "mydevices" and allow download config profile is activated in the about tab of the group...

  • by Leopardus, Jan 20, 2016 4:51 AM in response to pvlvsk

    pvlvsk wrote:

    Yes, allow Access to "mydevices" and allow download config profile is activated in the about tab of the group...

    Initially, we allow device enrolment as well, but we close it afterwards. Later we do open a window for a certain time again, to allow for changes.

    You could try it. Maybe have a look at your everybody/all users setting as well. This is something small, but I can't lay my finger on it!

    Leo

  • by pvlvsk, Jan 20, 2016 6:44 AM in response to Leopardus

    That is the problem: I can't allow device enrollment, because our OpenLDAP users aren't visible in Profile Manager. All groups including "Everyone" have the enrollment option activated...

    With the help of Blaidd Drwg, the users can now authenticate at the mydevices page, but they get a "no permission" error and are still not visible in Profile Manager. Proxying OpenLDAP users in OD groups doesn't work either. I need another solution....

    I have already thought of wrapping OpenLDAP in another AD, but that is way too much overkill for just wanting users to be able to authenticate at the Profile Manager page of OS X Server. That's a very frustrating experience, Apple!

  • by Leopardus, Jan 23, 2016 10:27 AM in response to pvlvsk

    Could you confirm that you did bind the Mac to your Ubuntu LDAP before creating the Open Directory? If not, you will probably have to start over, at least with the Open Directory.


    Leo

  • by Blaidd Drwg, Jan 28, 2016 3:15 AM in response to pvlvsk

    Sorry, I don't remember having this problem in earlier versions.


    I'm not sure, but it might be that Profile Manager is searching for users with certain attributes that are not present in your LDAP directory. If it doesn't find any matching records, that could explain why you don't see them in Profile Manager.
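One way to test the hypothesis in the reply above, added here as an example and not part of the thread: export the OpenLDAP user entries to LDIF and list every user record that lacks the attributes Profile Manager is assumed to need. The thread does not say which attribute the "missing externalID" message refers to; this script assumes it is the record's GeneratedUID, stored as `apple-generateduid` in Apple's OpenLDAP schema. The required-attribute list, the `posixAccount` object class used to pick out user records, and the sample LDIF are all assumptions to adjust for your directory.

```python
"""Audit an LDIF export for attributes Profile Manager is assumed to need.

Added example, not code from the thread or from Apple. Assumption: PM's
"missing externalID" refers to the GeneratedUID, which Apple's OpenLDAP
schema stores as `apple-generateduid`. Adjust REQUIRED if your mapping differs.
"""
import base64
import sys
from typing import Dict, List

# Attributes every user record is expected to carry (assumption, see above).
REQUIRED = ("uid", "apple-generateduid")

# Constructed sample export: alice has the Apple GUID, bob does not; the group
# entry must be ignored. Also exercises a folded line and a base64 value.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
apple-generateduid: 6B8C3A1E-2B7F-4C3D-9E1A-5F2D3C4B5A69
cn: Alice Example
description: account for demonstrating the Profile Manager
  attribute check

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
cn:: Qm9iIEV4YW1wbGU=
entryUUID: 8f1c9a2e-5d3b-4a7c-9e2f-1b3d5c7a9e01

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
memberUid: alice
memberUid: bob
"""


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into records keyed by lower-cased attribute name.

    Handles blank-line record separators, '#' comments, folded lines and
    base64 ('::') values; '<' URL values are kept verbatim, not fetched.
    """
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in _unfold(text) + [""]:  # the trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if name.lower() == "version" and not current:
            continue  # "version: 1" header is not an attribute
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return records


def missing_attributes(ldif_text: str, required=REQUIRED,
                       user_class: str = "posixAccount") -> Dict[str, List[str]]:
    """Return {dn: [missing attrs]} for user records lacking a required attribute.

    Only records whose objectClass includes `user_class` are checked, so
    groups and other entries are skipped; complete records are not reported.
    """
    problems: Dict[str, List[str]] = {}
    for rec in parse_ldif(ldif_text):
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if user_class.lower() not in classes:
            continue
        missing = [a for a in required
                   if not any(v for v in rec.get(a.lower(), []))]
        if missing:
            problems[rec["dn"][0]] = missing
    return problems


if __name__ == "__main__":
    # Usage: python3 check_ldif.py users.ldif   (no argument runs the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn, attrs in missing_attributes(text).items():
        print(f"{dn}: missing {', '.join(attrs)}")
```

To run it against a real directory, produce the export with something like `ldapsearch -x -LLL -b 'ou=People,dc=example,dc=com' '(objectClass=posixAccount)' > users.ldif` (base DN assumed) and pass the file as the first argument. Any user the script lists would not be resolvable through the GeneratedUID mapping, which matches the symptom of users being absent from the Profile Manager UI; if every user passes, the problem lies elsewhere (for instance in the directory binding order discussed in this thread).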

  • by Leopardus, Jan 28, 2016 6:16 AM in response to pvlvsk

    Which is why the AD/OpenLDAP has to be created before the Open Directory of OS X. We know that PM requires the use of Open Directory, and it will only function correctly with it. But it has to BIND to the OpenLDAP before the creation of the Open Directory. Only then will it function correctly.


    Leo
