
Integrate Open Directory with Active Directory


    What kind of Triangle?

    • Magic Triangle
    • Golden Triangle
    • Dual Directory


    Clients still use Active Directory for user authentication, while Open Directory supplies Managed Preferences only.

    Every Profile Manager instance is an Open Directory Master. Apple has included a local group in Mac OS X Server called Profile Manager ACL. Users and groups from any directory domain that can be viewed in dscl can be added to this group. Adding objects to this group enables them to authenticate to the MyDevices portal but not to administer it. Kerberos isn’t really used here, nor are nested groups. You’ll apply policies directly to Active Directory groups in Profile Manager.

    Start by enabling directory services debug logging:
    odutil set log debug

    When you are finished troubleshooting, return logging to its default level:
    odutil set log default

    Now when you attempt to join Active Directory, you can look at the log at /var/log/opendirectoryd.log to see what’s occurring.

    To disable packet encryption while troubleshooting:
    /usr/sbin/dsconfigad -packetencrypt disable
    To re-enable encryption afterwards:
    /usr/sbin/dsconfigad -packetencrypt allow

    Directory traffic uses the following ports:
    UDP 53 - DNS
    TCP 88 - Kerberos
    TCP 389 - LDAP
    TCP/UDP 464 - Kerberos Password Changes (KPasswd)
    TCP 3268 - Global Catalog (LDAP)

    To capture traffic on these ports over the built-in Ethernet connection to a file called “capture.out”, you could use the following tcpdump syntax:
    tcpdump -K -i en0 -s 0 -w capture.out port 88 or port 464 or port 53 or port 389 or port 3268
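    The two helpers below are an added example, not part of the original page: one reads the "Packet encryption" line from `dsconfigad -show` output so you can confirm encryption was re-enabled after the capture, the other builds the tcpdump port expression from the port list above. The `dsconfigad -show` text used here is a constructed sample whose line layout is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): check the AD bind's packet
# encryption setting and build the tcpdump filter for the directory ports.
# Constructed sample of `dsconfigad -show` output (relevant lines only).
SAMPLE_SHOW='Active Directory Domain      = example.local
Advanced Options - Administrative
  Packet signing               = allow
  Packet encryption            = disable'

# Print the "Packet encryption" value from dsconfigad -show text on stdin.
packet_encrypt_setting() {
    sed -n 's/^[[:space:]]*Packet encryption[[:space:]]*=[[:space:]]*//p'
}

# Return 0 when the value keeps LDAP traffic encrypted (allow, require or
# ssl, the values dsconfigad accepts), 1 when it is "disable" or unknown.
encryption_ok() {
    case "$1" in
        allow|require|ssl) return 0 ;;
        *) return 1 ;;
    esac
}

# Build "port A or port B ..." from the ports given as arguments.
port_filter() {
    filter=""
    for p in "$@"; do
        if [ -z "$filter" ]; then
            filter="port $p"
        else
            filter="$filter or port $p"
        fi
    done
    printf '%s\n' "$filter"
}

# Ports from the page: DNS, Kerberos, LDAP, KPasswd, Global Catalog.
DIRECTORY_PORTS="53 88 389 464 3268"

# Usage against the constructed sample; on a real Mac replace the printf
# with `/usr/sbin/dsconfigad -show`.
setting=$(printf '%s\n' "$SAMPLE_SHOW" | packet_encrypt_setting)
if encryption_ok "$setting"; then
    echo "Packet encryption = $setting (ok)"
else
    echo "WARNING: packet encryption is '$setting'; run dsconfigad -packetencrypt allow"
fi
echo "tcpdump -K -i en0 -s 0 -w capture.out $(port_filter $DIRECTORY_PORTS)"
```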


    Please find the attached PDF MAC_OSX_LDAP_-_OD_golden_triangle.pdf

    Page last modified 13:36, 20 Jan 2014 by Anonymous




    Document details: size 690.21 kB, attached 13:35, 20 Jan 2014 by Anonymous