[MacTUG] Golden Triangle Woes with 10.5 clients on 10.6 server

Ian Turner iturner at cs.uwaterloo.ca
Thu Apr 29 20:28:34 EDT 2010

ours may be different, because we NEVER "bind" to OD, we just "link"

and it was critical for us that AD be first in the custom search path 
for authentication, because we don't have any user accounts in OD; and 
we ONLY have the AD domain in the contacts custom search path

The issue we had with Leopard and OD (also with Snow Leopard) was the 
POSIX-compliant (I think) change to OpenSSL/OpenLDAP.  We use SSL to 
encrypt traffic between the client and OD server (a tick box when you 
set up the link to OD)

Tiger was "promiscuous" and accepted any cert.  Starting with Leopard, 
they went to the other extreme, by default.  So, if the server is 
"there" the light would go "green", but we couldn't communicate.

I think we "reverted" to the old behaviour (instead of having to have 
each server cert propagated to all the clients), and if I remember, the 
change is in /etc/openldap/ldap.conf  (we found this with Google 
somehow, and I probably have a pointer to the article at the office)

change TLS_REQCERT always  (or somesuch)
to TLS_REQCERT  never

We haven't really tried DeployStudio to "join"  - I seem to have heard 
mixed results, and I know my script works, and by running it in bulk 
through ARD, I can see any problems


On 10-04-29 4:58 PM, Donald Duff-McCracken wrote:
> Hi Guys
> I have been happily deploying my lab image to my new 10.6 machines, and
> getting deploystudio to bind to AD and OD. However when I do the same
> thing on the 10.5 macs I am running into problems. Before going out the
> wider world (but after I googled around) I thought I would see if anyone
> here has some ideas. I totally forgot to try the 10.5 clients. Arrrrgh.
> The weird part of the problem is that it is not AD that appears to be
> giving me the grief, it appears to be OD. I am “blaming” my OD bind
> because if I do not bind to OD and just bind to AD then I can log on. Of
> course none of the nice stuff that OD gives (and is obviously not a
> solution!). I am guessing that OD is trying to do authentication and
> (obviously) failing at it. I have changed the search order so that AD is
> before OD and vice versa, and this did not help.
> To add to the head-scratching, the client thinks everything is hunky
> dory. When bound using deploystudio, the bindings are viewed as
> successful. When I do it by hand, they appear to work. When I check
> their status in Directory Utility, they both get the ‘green light’ all
> systems go status.
> The last frustration in this darned thing is that this was going to be
> the only term when I was using 10.5 in the golden triangle. Over the
> summer I am buying enough new macs that I can migrate to 10.6. Maybe I
> am buying them sooner, haha.
> ------------------------------------
> Donald Duff-McCracken
> Technical Services Manager
> Mapping, Analysis & Design
> Faculty of Environmental Studies
> University of Waterloo
> (519) 888-4567 x32151
> http://www.fes.uwaterloo.ca/computing/people/don.html
> ------------
> To request help from MAD please use Request Tracker. For info see:
> http://www.fes.uwaterloo.ca/computing/faculty_staff/
> ------------
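The /etc/openldap/ldap.conf change Ian describes (TLS_REQCERT set to never) turns off verification of the OD server's certificate on the client. The script below is an added example, not from the thread or from Apple/OpenLDAP: it audits an ldap.conf the way a bulk ARD check might, reporting whether the client verifies the server cert, skips verification, or demands it without any CA configured (the "green light but can't talk" state). The hostnames, file paths and sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example: audit an OpenLDAP client ldap.conf for its TLS_REQCERT setting.
# All sample paths and configs below are constructed for illustration.

# Print the TLS_REQCERT mode (lower-cased) from an ldap.conf, or "unset" if the
# directive is absent. OpenLDAP's default when unset is "demand", i.e. the server
# certificate must validate against a configured CA.
tls_reqcert_mode() {
    mode=$(grep -i '^[[:space:]]*TLS_REQCERT[[:space:]]' "$1" \
        | tail -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${mode:-unset}"
}

# Classify a client config:
#   unverified - TLS_REQCERT never/allow: any server cert is accepted (the workaround)
#   verifying  - verification demanded and a TLS_CACERT/TLS_CACERTDIR is configured
#   no-ca      - verification demanded but no CA configured: the server is reachable,
#                yet its cert is rejected (the failure Ian describes)
classify_ldap_conf() {
    mode=$(tls_reqcert_mode "$1")
    case "$mode" in
        never|allow) echo unverified; return 0 ;;
    esac
    if grep -qiE '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]' "$1"; then
        echo verifying
    else
        echo no-ca
    fi
}

# Constructed sample configs: the thread's workaround, a verifying alternative
# (server CA cert propagated to the client), and a config that leaves the default.
tmp=$(mktemp -d)
printf 'URI ldaps://od.example.internal\nBASE dc=example,dc=internal\nTLS_REQCERT never\n' \
    > "$tmp/workaround.conf"
printf 'URI ldaps://od.example.internal\nBASE dc=example,dc=internal\nTLS_REQCERT demand\nTLS_CACERT /etc/openldap/od-ca.pem\n' \
    > "$tmp/verifying.conf"
printf 'URI ldaps://od.example.internal\nBASE dc=example,dc=internal\n' \
    > "$tmp/default.conf"

for f in "$tmp"/*.conf; do
    printf '%s: %s\n' "$(basename "$f")" "$(classify_ldap_conf "$f")"
done
```

Pointing the script at the real /etc/openldap/ldap.conf on each client lists which machines still carry the no-verification workaround once the server's CA cert has been distributed.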
