We are new to JAMF and are in the middle of setting things up. Need to know if it's possible for the JSS to see users in nested groups. it's working just fine seeing users in groups but we are running OS X Server 10.7 and are utilizing group nesting.
+14Hi @ben.coumerilh and @monogrant,
If you look at your Open Directory settings in the JSS, and go to the Mappings tab, and then look under User Group Membership Mappings, there should be a checkbox called Use recursive group searches. Give that a try. If that's already turned on, and the JSS still isn't recognizing nested groups, we may need to dig a little deeper.
Hope that helps!
-Kitzy
+2Haha! Thanks @kitzy ! I never got back to this. When I go to my settings under that tab I have Member Location drop down set to "Group Object" The only way that checkbox that you talk of appears is if I change that setting to "User Object" I sure wouldn't want to change that setting without absolutely knowing what it will do as all of our iPads have things scoped to them based on group memberships. I wouldn't want them to fall out of scope. What do you think?
+14Oh wow, I didn't realize how old this thread was!
Unfortunately, I don't know of a good way to test the group membership changes without actually changing it. You may want to spin up a secondary test JSS (ask your TAM about getting a development key) and point it at your OD and mkae the changes so you can see what happens without affecting your production systems. That's the approach I'd take if I were in your shoes.
Hope that helps!
-Kitzy
+14I've confirmed with my TAM and my own testing - adding a second OD mapping is just fine. Just make sure you rename the correct one!
I cannot for the life of me get my mappings correct.
If you do a user level object, you then need to specify WHERE on the user object the group mappings are.
Using jxplorer, I can't find any mapping for groups on users...this is a puzzler.
+14Using jxplorer it appears that Apple puts the User membership in a few fields that the JSS isn't reading.
It appears that user records don't contain much group info. The group info lives on group objects and "group object" doesn't have the "nested" button. I'm also seeing the JSS doesn't ID groups by "apple-generateduid" and doesn't look at the "apple-group-memberguid" or "apple-group-nestedgroup". It's using the usual gidNumber and cn name. Apple has a few extra flags in their OD organization and since the JSS isn't looking for those it doesn't understand the way things are nested.
Right now I'm running a stock OD server on 10.9 - totally out of the box, server app only, no workgroup manager tweaks.
Reply
Most helpful members this week
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.