- Jamf Nation Community
- Products
- Jamf Pro
- Re: Nested Groups in Open Directory
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Nested Groups in Open Directory
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-14-2012 03:55 PM
We are new to JAMF and are in the middle of setting things up. Need to know if it's possible for the JSS to see users in nested groups. it's working just fine seeing users in groups but we are running OS X Server 10.7 and are utilizing group nesting.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-25-2015 01:03 PM
I have the same question.
Did you ever find a resolution?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-25-2015 01:30 PM
Hi @ben.coumerilh and @monogrant,
If you look at your Open Directory settings in the JSS, and go to the Mappings tab, and then look under User Group Membership Mappings, there should be a checkbox called Use recursive group searches. Give that a try. If that's already turned on, and the JSS still isn't recognizing nested groups, we may need to dig a little deeper.
Hope that helps!
-Kitzy
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-25-2015 01:43 PM
Haha! Thanks @kitzy ! I never got back to this. When I go to my settings under that tab I have Member Location drop down set to "Group Object" The only way that checkbox that you talk of appears is if I change that setting to "User Object" I sure wouldn't want to change that setting without absolutely knowing what it will do as all of our iPads have things scoped to them based on group memberships. I wouldn't want them to fall out of scope. What do you think?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-25-2015 01:48 PM
Oh wow, I didn't realize how old this thread was!
Unfortunately, I don't know of a good way to test the group membership changes without actually changing it. You may want to spin up a secondary test JSS (ask your TAM about getting a development key) and point it at your OD and mkae the changes so you can see what happens without affecting your production systems. That's the approach I'd take if I were in your shoes.
Hope that helps!
-Kitzy
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-26-2015 02:05 PM
I've confirmed with my TAM and my own testing - adding a second OD mapping is just fine. Just make sure you rename the correct one!
I cannot for the life of me get my mappings correct.
If you do a user level object, you then need to specify WHERE on the user object the group mappings are.
Using jxplorer, I can't find any mapping for groups on users...this is a puzzler.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-26-2015 02:43 PM
Using jxplorer it appears that Apple puts the User membership in a few fields that the JSS isn't reading.
It appears that user records don't contain much group info. The group info lives on group objects and "group object" doesn't have the "nested" button. I'm also seeing the JSS doesn't ID groups by "apple-generateduid" and doesn't look at the "apple-group-memberguid" or "apple-group-nestedgroup". It's using the usual gidNumber and cn name. Apple has a few extra flags in their OD organization and since the JSS isn't looking for those it doesn't understand the way things are nested.
Right now I'm running a stock OD server on 10.9 - totally out of the box, server app only, no workgroup manager tweaks.
