Secure binding

Posted on 06-15-2009 02:51 PM
OK, having the same problem I've been having for a little while. I cannot, under any circumstances, get computers to secure bind to my OD master. I just wiped out my OD database, and I just reimaged a computer with the secure bind options in the script from the Resource Kit, and the computer account still doesn't show up in WGM. Any suggestions?
Jeffrey A. Strauss
Department of Educational Technology
Systems Administrator
Loyola High School of Los Angeles
1901 Venice Blvd.
Los Angeles, Ca 90006
(213) 381-5121 x265
- Apple Certified Support Professional
- Apple Certified Technical Coordinator

Posted on 06-15-2009 02:57 PM
Little more detail:
"Unexpected error while attempting to bind. Operation cancelled." Anyone seen/resolved this?

Posted on 06-16-2009 06:19 AM
Can you bind by hand? The script would require the diradmin account credential, the local computer name and have to run as root for an authenticated bind to work for a computer into WGM.
Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351

Posted on 06-16-2009 06:28 AM
I can't bind by hand. I get that unexpected error message. This is after I demoted my ODM to standalone and promoted it back to ODM.

Posted on 06-16-2009 07:08 AM
Are you binding by IP or by FQDN?

Posted on 06-16-2009 07:40 AM
I tried both but neither worked.
Posted on 06-16-2009 07:45 AM
Have you tried putting Directory Service in debug mode to see what the error is you are receiving?
http://krypted.com/mac-os-x/mac-os-x-directory-services-debug-log/
That link will show you how to do it and where the log is.
Steve Wood
Director of IT
swood at integer.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

Posted on 06-16-2009 07:48 AM
Can you give an example of what you are trying? Also, is there anything on your network that would stop a bind? I forget what port Open Directory uses, let me look it up...
Directory services uses port 625 I guess, here is the kbase. Maybe something isn't allowing the traffic?
This is a freshly installed server? You may want to download the combo updater and rerun it.
http://support.apple.com/kb/TS1629

Posted on 06-16-2009 08:29 AM
1) Entered the required data into the Casper bind to OD script. The computer bound, but not securely.
2) Attempted to bind manually the following way:
- opened Directory Utility
- clicked Services
- double-clicked LDAPv3
- highlighted the configuration entry and clicked Edit
- clicked Bind
- entered a computer ID, directory admin username and directory admin password, then clicked OK
- received error
3) Clicked OK on the error dialogue to close it, then clicked the Security tab
- selected "Use authentication when connecting" and entered the distinguished name (I think that's the directory admin username?) and password
- clicked Bind, and proceeded from step two, bullet six
- clicked OK, and got the error again
I tried Steve's recommendation of putting DirectoryService into debug mode, and this is the resulting log:
Jun 16 08:24:30 BaseTest DirectoryService[532]: Ref table dealloc callback, API Call: dsCloseDirNode(), PlugIn Used: LDAPv3, Result: 0, Duration: 32.10 usec
Jun 16 08:24:30 BaseTest DirectoryService[532]: Client: Directory Utilit, PID: 2710, API: dsCloseDirNode(), LDAPv3 Used : Result: 0, Duration: 1.39 usec
Jun 16 08:24:33 BaseTest DirectoryService[532]: Client: Directory Utilit, PID: 2710, API: dsVerifyDirRefNum(), Server Used : Result: 0, Duration: 110.90 usec
Jun 16 08:24:33 BaseTest DirectoryService[532]: Client PID: 2710, has 4 open references.
Jun 16 08:24:33 BaseTest DirectoryService[532]: Client: Directory Utilit, PID: 2710, API: dsOpenDirNode(), LDAPv3 Used : Result: 0, Duration: 13.06 usec
Jun 16 08:24:33 BaseTest DirectoryService[532]: Internal Dispatch, API: dsVerifyDirRefNum(), Server Used : Result: 0, Duration: 41.92 usec
Jun 16 08:24:33 BaseTest DirectoryService[532]: Client: Directory Utilit, PID: 2710, API: dsDoPlugInCustomCall(), LDAPv3 Used : Result: 0, Duration: 106260.11 usec
Jun 16 08:24:33 BaseTest DirectoryService[532]: Client PID: 2710, has 3 open references.
Jun 16 08:24:33 BaseTest DirectoryService[532]: Ref table dealloc callback, API Call: dsCloseDirNode(), PlugIn Used: LDAPv3, Result: 0, Duration: 58.25 usec
Jun 16 08:24:33 BaseTest DirectoryService[532]: Client: Directory Utilit, PID: 2710, API: dsCloseDirNode(), LDAPv3 Used : Result: 0, Duration: 2.07 usec
Thanks for everyone's help on this, btw.

Posted on 06-16-2009 08:48 AM
New issue:
I manually deleted the bind entry and recreated it in Directory Utility by clicking New, entering the FQDN of the server, keeping the default options checked (Use for authentication and Use for contacts) and clicking Continue. I get a drop-down that says "Authenticated directory binding is optional. Enter information to bind." I enter the directory admin username and password, exactly as they are in the Casper script and exactly as they are to actually log into WGM, and I receive the following error: "Invalid credentials supplied. The credentials you supplied were not valid, please try again." But they are valid!

Posted on 06-16-2009 08:51 AM
Are you using the diradmin account or an account you promoted to a directory administrator? I only ask this because I had lots of problems with my account I promoted to directory administrator and went back to using the diradmin account.

Posted on 06-16-2009 08:55 AM
I'm using the diradmin account, but I changed the diradmin username to something else at setup.

Posted on 06-16-2009 08:59 AM
Oh I've seen and had something like this a year or so ago,
Damn let me remember, hmmmm what's ur ssl selected?
Can't quite remember but for secure it's to do with ur security settings on the OD master and the settings on the client,
I'm at home so I can't look for u, but if my memory serves me it's to do with the security settings
Have a look at the options and try a few and let me know if u can help more
Criss

Posted on 06-16-2009 09:01 AM
I will bet you that may be your problem. Try changing it back to the diradmin account and see what happens.
I have no idea why, but when I was setting up the directory last year I didn't want people using the diradmin account so I never had to change the password and just promoted their mobile accounts to directory administrators. Well, I would promote one co-worker's account and it would never work, so I ended up just letting the few people that need access to WGM have the diradmin credentials.
I stopped trying after about 3 weeks of trying to get it to work, Apple had no answer for me.

Posted on 06-16-2009 09:15 AM
That's weird, because when I went through Apple training a few months ago we securely bound machines with minimal prep... I have the book right next to me actually, and nothing out of the ordinary has been changed on either the client or the server, but I'll look through anyway.

Posted on 06-16-2009 09:19 AM
Whaddaya know. Demoted ODM back to Standalone, re-promoted, used the default diradmin account name, and the client binds just fine. That. Is. Really. Annoying.
Thanks for your help, Tom. Thanks everyone!
- Jeff

Posted on 06-16-2009 09:26 AM
Yup, file a bug report and complain with Apple. That is what I did when I found out it wouldn't work for me either.
They need to overhaul their tiered administration in my humble opinion.

Posted on 06-16-2009 10:20 AM
If I don't want to hardcode the values of my server, diradmin username and password into the bindtoOD script in the Resource Kit, where do I put them? I've never entered values into any Casper app before...

Posted on 06-16-2009 10:45 AM
I don't think there is a way around it. However, I am watching the webcast right now of JAMF's Casper version 7. There is a lot of binding tools now built into the JSS you can configure in the JSS GUI and then apply via policy.
The password has to be stored somewhere to authenticate. If you run it over Casper it should be run over ssh, and then you can always wipe all logs if you want to be paranoid after it runs.
I am not sure if you can have the script pull the password off of a remote location and I am not sure that would be any more secure. I say hard code it and let Casper run it over ssh. That way the script stays on your server share with ACLs and such protecting it.

Posted on 06-16-2009 10:49 AM
I just ask because now I can bind securely, but it still won't work via the script at image time.

Posted on 06-16-2009 11:51 AM
Figured it out:
- the OD bind script doesn't actually have the -f flag set to securely bind
- my password has a $ in it, so I switched the "" surrounding it in the script to ''
- the local administrator username and password are not set in the script and they're (apparently) required, so I set them
- it was and always has been set to run at reboot
- the directory admin username (apparently) must be "diradmin"
I found the source code to dsconfigldap and searched for the error I was receiving ("Unable to obtain auth rights to update DirectoryService LDAP configuration") when running the script locally to determine that the local admin username and password are necessary. http://src.gnu-darwin.org/DarwinSourceArchive/expanded/DSTools/DSTools-60.1/dsconfigldap/main.cpp.
OK, that's enough mail from me for one day. Thanks to everyone for their help!
- Jeff
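The fix above (the -f flag, the $ in the password, the required local admin credentials) and the earlier question of where to keep the password instead of hard-coding it, as an added example that is not part of this thread, the Resource Kit's bindtoOD script or Jamf's code: a POSIX-shell wrapper around dsconfigldap(8). The credentials file path, its key names and the DSCONFIGLDAP override are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the Resource Kit's bindtoOD script): a wrapper around
# dsconfigldap(8) that addresses the three causes found in the thread.
#   1. An authenticated ("secure") bind needs -f; without it the client binds
#      anonymously and no computer record appears in WGM.
#   2. A password containing $ must not pass through double-quote expansion,
#      so credentials are read with read -r and handed over as separate words,
#      never interpolated into a command string.
#   3. The local admin username/password (-l/-q) are required, or dsconfigldap
#      fails with "Unable to obtain auth rights to update DirectoryService
#      LDAP configuration".
# Credentials come from a root-only key=value file instead of being hard-coded
# (the file path, key names and the DSCONFIGLDAP override are this example's).

DSCONFIGLDAP="${DSCONFIGLDAP:-/usr/sbin/dsconfigldap}"   # override hook

# True when FILE is readable by its owner only (0600 or 0400). The script
# runs as root, so root ownership is expected; only the mode is checked.
# GNU stat is tried first; on macOS it fails silently and BSD stat is used.
cred_file_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Print the value for KEY from FILE (lines of the form key=value). read -r
# keeps the value verbatim: $, backslashes and later '=' signs survive.
cred_value() {
    while IFS='=' read -r key value; do
        [ "$key" = "$2" ] && { printf '%s' "$value"; return 0; }
    done < "$1"
    return 1
}

# Bind this Mac to the OD master named in FILE; COMPUTERID defaults to the
# machine's ComputerName. Every value is its own argument word, so nothing
# in a password is re-parsed by the shell.
bind_to_od() {
    file="$1"
    cred_file_mode_ok "$file" || { echo "$file must be mode 0600" >&2; return 2; }
    server=$(cred_value "$file" server)         || return 3
    diradmin=$(cred_value "$file" diradmin)     || return 3
    dirpass=$(cred_value "$file" dirpass)       || return 3
    localadmin=$(cred_value "$file" localadmin) || return 3
    localpass=$(cred_value "$file" localpass)   || return 3
    computerid=${2:-$(scutil --get ComputerName 2>/dev/null || hostname -s)}
    # -f forces an authenticated bind, -a adds the server, -n names the
    # configuration, -c sets the computer record name, -u/-p are the
    # directory admin, -l/-q the local admin.
    "$DSCONFIGLDAP" -v -f -a "$server" -n "$server" -c "$computerid" \
        -u "$diradmin" -p "$dirpass" -l "$localadmin" -q "$localpass"
}
```

Run it as root from the Casper policy with the credentials file deployed at mode 0600; the same -f/-l/-q requirements apply whether the script runs at reboot or by hand.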
