Hello!
I am working with a school district that, until recently, was using Open Directory authentication with Active Directory accounts on two XServes, both running OS X Server 10.4.8. Recently, I helped the Mac administrator there install a new XServe running 10.4.9; this server is meant to replace the other two. We've re-created the same groups from both of the two older servers, and the AD accounts show up as they should.
Unfortunately, we're running into two problems:
1. If a workstation includes LDAP entries for BOTH servers, we can log in, and in fact we see groups from both servers. If it includes LDAP entries only for the new server, we cannot log in at all.
2. Attempting to log in from a workstation as an administrator to either of the old servers allows us to pick the group from which we get our privileges. No such choice comes up for the new one.
I've looked in the LDAP logs for the new server and found a series of errors that look like this:
Jun 15 08:08:36 bcsd-osx slapd[48]: <= bdb_equality_candidates: (apple-computers) index_param failed (18)\n
Jun 15 08:08:37 bcsd-osx slapd[48]: <= bdb_substring_candidates: (apple-mcxflags) index_param failed (18)\n
<snip of repeat entries>
On that last part, see
look for the 2nd reply from Josh Wisenbaker
Surprising for what should be a brand new server, I'd suggest verifying the system drive with diskutil / Disk Utility |
