What kind of Triangle?
Clients still use Active Directory for user authentication, while Open Directory supplies Managed Preferences only.
Every Profile Manager instance is an Open Directory Master. Apple has included a local group in Mac OS X Server called Profile Manager ACL. Users and groups from any directory domain that can be viewed in dscl can be added to this group. Adding objects to this group lets them authenticate to the MyDevices portal, but not administer it. Kerberos isn't really used here, nor are nested groups. You'll apply policies directly to Active Directory groups in Profile Manager.
Start by enabling directory services debug logging:
odutil set log debug
When you are done, disable debug logging again:
odutil set log default
Now when you attempt to join Active Directory, you can look at the log at /var/log/opendirectoryd.log to see what’s occurring.
To disable encryption:
/usr/sbin/dsconfigad -packetencrypt disable
To re-enable encryption:
/usr/sbin/dsconfigad -packetencrypt allow
The ports involved in an Active Directory bind are:
UDP 53 - DNS
TCP 88 - Kerberos
TCP 389 - LDAP
TCP/UDP 464 - Kerberos Password Changes (KPasswd)
TCP 3268 - Global Catalog (LDAP)
To capture traffic on those ports over the built-in Ethernet connection (en0) to a file called "capture.out", you could use the following tcpdump syntax:
tcpdump -K -i en0 -s 0 -w capture.out port 88 or port 464 or port 53 or port 389 or port 3268
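The steps above (turn on debug logging, capture the bind-related ports, turn logging back off) wrapped into one script, as an added example that is not part of the original post. It assumes macOS with odutil and tcpdump on the PATH, root privileges, and builds its filter from the port list above; the function and script names are my own.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes macOS, root, and
# odutil/tcpdump on PATH. Ports are the ones listed above, as proto/port.
AD_PORTS="udp/53 tcp/88 tcp/389 tcp/464 udp/464 tcp/3268"

# Build a BPF filter from AD_PORTS, e.g. "(udp port 53) or (tcp port 88) ...".
# Qualifying each port with its protocol keeps the capture tighter than "port N".
ad_bpf_filter() {
    filter=""
    for entry in $AD_PORTS; do
        proto=${entry%/*}
        port=${entry#*/}
        term="($proto port $port)"
        if [ -z "$filter" ]; then filter=$term; else filter="$filter or $term"; fi
    done
    printf '%s\n' "$filter"
}

# Capture on interface $1 to pcap file $2 while the AD bind is attempted in
# another terminal. Debug logging is enabled for the duration only.
ad_bind_capture() {
    iface=$1; outfile=$2
    # Restore the default log level even on Ctrl-C, so the verbose
    # opendirectoryd.log is not left running after the diagnosis.
    trap 'odutil set log default' EXIT INT TERM
    odutil set log debug
    # If you also ran "dsconfigad -packetencrypt disable" to read LDAP in the
    # clear, remember to set it back to "allow" after the capture.
    # -K: skip checksum checks; -s 0: whole packets; -w: raw pcap output.
    tcpdump -K -i "$iface" -s 0 -w "$outfile" "$(ad_bpf_filter)"
}

# Nothing runs unless a subcommand is given:
#   ad_bind_diag.sh capture [iface] [outfile]   start the capture
#   ad_bind_diag.sh filter                      print the filter only
case "${1:-}" in
    capture) ad_bind_capture "${2:-en0}" "${3:-capture.out}" ;;
    filter)  ad_bpf_filter ;;
esac
```

Open the resulting capture.out in Wireshark alongside /var/log/opendirectoryd.log to correlate each failed step with the packets on the wire.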
Please find the attached PDF MAC_OSX_LDAP_-_OD_golden_triangle.pdf.