Actually I am finally getting the Sun diradmin to extend his schema just to test out further. I gave him the 92ldif file but he ran into this issue when trying to extend:

Bootstrap config – conn=-1 op=-1 msgId=-1 – System error The entry cn=schema in file /var/Sun/mps/slapd-vorik_test/config/schema/92apple.ldif is invalid (error 21: Invalid syntax) – object class apple-user: Unknown allowed attribute type “altSecurityIdentities”.

Have you come across this at all?

Thanks,

Don

I will follow up on that and keep you posted. Thanks!

Don

The best way to figure out what is going wrong is probably to increase the logging verbosity on the Sun DS, and watch the query logs as you try to add users to OD. I bet it’s looking for some authentication related attribute which it’s not finding. Possibly something relating to Kerberos.

Brent

Yes I have tried WGM on a client computer as well as the server. I get the same results on both when trying to use the Server menu “New Augmented User Records” where WGM crashes or if I try to use the plus to add LDAP external user to and OD group.

In the testing environment I am connecting to of the Sun Directory there are no groups set for me to test that I can see. Maybe this is part of the problem? I will check with diradmin for the S.D. and see if I don’t have read access to every attribute. Also since we were going to use the external directory to only authenticate and not store data for MCX I did not have him extend his schema.

Is that absolutely necessary if trying to attempt this?

Thanks,

Don

The members tab + globe icon is the right way to do it. You don’t need write privileges on the external LDAP server.

Are you running WGM on a client computer instead of on the OS X Server? That is the recommended way to do it for this purpose. Have you tried dragging a group, instead of user records, from the external LDAP into a group on your OD master? Also, in Workgroup Manager, under the Server menu, there is a new option, “New Augmented User Records”. Try that.

The book is ambiguous about support for augmenting user records from external LDAP servers which are not Active Directory or OD. Surely there is away; what’s so special about AD? Kerberos?

Brent

I have followed the set up per my Sun’s directory admins instructions where I am now able to to see lists of users from the external directory in WGM. This all looks fine and dandy until I either try to add an external user to an OD group, or try to augment a user record and select an external user.

Actually WGM will crash if I try to augment. If I try to add an external user to an OD group by clicking the members tab for the group and hitting the plus icon then using the globe to select the external DS, I see the list of users but when I drag a user over to the group I get a green plus icon while dragging but when I release the mouse in the members pane that user just never shows up at all.

I was wondering, do I need higher privileges to the external DS other than read only when binding to it? I wouldn’t think that the case but as of now that is all I have and thought that might be an issue.

Thanks,

Don

To create an augmented user record:

1. Make sure the directory services of the Mac OS X Server computer you’re using are configured to access the directory domain containing the original accounts and the directory domain where the augmented user records will reside. For instructions, see Open Directory Administration.
2. In Workgroup Manager, connect to the server that you’re importing augmented records to.
3. Click Accounts. Click the globe icon and choose the domain you’re importing augmented records to.
4. To authenticate, click the lock and enter the name and password of a directory administrator of the directory domain you chose in the previous step.
5. Choose Server > New Augmented User Records.
6. Select the user records you want to import. If you select a group, all members of that group are imported.
7. Click Create, and then click Done.