Open Directory Binding Issue

gskibum
Contributor III

Using a policy and a directory binding I am trying to enable authenticated directory bindings to Open Directory servers. On a test Mac I receive the following errors:

Using SSL:

Error: The binding was not successful:
dsconfigldap verbose mode
Using suggested computer ID 
Options selected by user:
Force authenticated (un)binding option selected
SSL was chosen
Add server option selected
Server name provided as 
LDAP Configuration name provided as 
Computer ID provided as 
Network username provided as 
No Local username determined
Adding new node to search policies

Please enter network user password: 
Certificates will be automatically added to your system keychain in order to talk to this server.
Would you like to continue (y/n)? 
Operation cancelled.

Not using SSL:

Error: The binding was not successful:
dsconfigldap verbose mode
Using suggested computer ID 
Options selected by user:
Force authenticated (un)binding option selected
Add server option selected
Server name provided as 
LDAP Configuration name provided as 
Computer ID provided as 
Network username provided as 
No Local username determined
Adding new node to search policies

Please enter network user password: 
Certificates are available for this server.
Would you like to add them to system keychain automatically (y/n)? Error: Authentication server refused operation because the current credentials are not authorized for the requested operation. (5101)

I can bind manually using Directory Utility with and without SSL.

In this case I am using a Mavericks client binding to a Yosemite server.

Any insight?

4 REPLIES

davidacland
Honored Contributor II

It sounds like there are a few things at play. Excluding SSL, do you mean you can do an authenticated bind using the GUI?

We're not really using Open Directory any more but when we did we regularly had to fight authenticated binds. Normally we'd only be using OD for MCX so would do untrusted / unauthenticated binds.

gskibum
Contributor III

Hi David. Yes, I can bind with the GUI & Directory Utility. It's just with the policy and the directory binding.

gachowski
Valued Contributor II

You can see the Jamf binary commands if you prevent the 1st reboot. I usually just boot the machine to target disk mode.

/Library/Application Support/JAMF

I forget the exact file, maybe first run?

C

gskibum
Contributor III

This did the trick.
https://jamfnation.jamfsoftware.com/discussion.html?id=4115

Which makes me wonder if the JSS built-in Directory Binding tool for Open Directory works at all.