I'm going to agree with James that SL's AD support is much more robust than Tiger/Leopard. Specifically, Kerberos referrals finally work, so odd non-hierarchical domains won't cause panics. We also have a fairly unique AD environment, but we've been able to tune things to work very well from Tiger through SL. Even if you had/have issues with authenticating to the domain, you should be able to bind, remove AD from your authentication search path, and keep it in your contacts search path. Login window won't check AD then, and you should be free to continue using whatever other data source you have for user accounts (local, LDAP, whatever).
As for being able to use LDapper, I agree that if you can do an LDAP bind and pull certs, the DS should be able to do the same. If you can't make it work with your environment, I would recommend opening a ticket with Apple. I know that the current Exchange/AD cert lookup leaves much to be desired. I'm glad that cert lookup is finally there, but you should be able to pull certs from the GAL without being bound to AD, and you should still be able to do DS lookup of contacts in AD without setting up an Exchange account in Mail. (Why the heck did they remove that from the GUI?)
--DH
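The direct LDAP certificate pull DH describes (bind, query the GAL, read userCertificate) comes back from ldapsearch as base64 LDIF. As an added example that is not code from this thread, the Python below parses such output into DER blobs and discards any value whose DER length header does not match the bytes actually returned; the domain, names, addresses and certificate bytes are constructed placeholders, not a real directory.

```python
import base64
# Constructed sample in the shape ldapsearch prints for a GAL query such as
#   ldapsearch -x -H ldap://dc.example.gov -D 'jane@example.gov' -W \
#       -b 'DC=example,DC=gov' '(mail=jane@example.gov)' userCertificate
# Values are tiny DER SEQUENCEs, not real certs; the third is truncated on purpose.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Jane Doe,OU=Users,DC=example,DC=gov
mail: jane@example.gov
userCertificate;binary:: MAMCAQA=
userCertificate;binary:: MAYCAQECAQ
 I=
userCertificate;binary:: MAYCAQE=

dn: CN=No Cert,OU=Users,DC=example,DC=gov
mail: nocert@example.gov
"""

def parse_ldif(text):
    """Return {dn: {attribute: [values]}}; '::' values are base64-decoded to bytes."""
    entries, current = {}, {}
    # A line starting with a space continues the previous one, so unfold first.
    for line in text.replace("\n ", "").splitlines() + [""]:   # "" flushes last record
        if not line:
            if "dn" in current:
                entries[current["dn"][0]] = current
            current = {}
        elif not line.startswith("#"):    # LDIF comment
            name, _, value = line.partition(":")
            value = base64.b64decode(value[1:]) if value.startswith(":") else value.strip()
            current.setdefault(name, []).append(value)
    return entries

def der_length(blob):
    """Total length the outer DER SEQUENCE header claims, or None if not a SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    if blob[1] < 0x80:                    # short-form length
        return 2 + blob[1]
    n = blob[1] & 0x7F                    # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def certificates_for(entries, mail):
    """(dn, [DER blobs]) for the entry with this mail; drops length-mismatched values."""
    for dn, attrs in entries.items():
        if mail in attrs.get("mail", []):
            certs = attrs.get("userCertificate;binary", []) + attrs.get("userCertificate", [])
            return dn, [c for c in certs if der_length(c) == len(c)]
    return None, []
```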
On Sep 4, 2009, at 7:03 AM, James Alcasid wrote:

I have seen what you had mentioned in Tiger, we both have. I have not experienced it in testing with Leopard and do not expect such issues in SL. As you know Palo Alto had experienced the issue that you mentioned but a modification to the AD plug-in was made by Rick Lemmon, Apple. These changes were integrated into Leo updates and SL.
--
James Alcasíd, ACSA | VeriSolv Technologies
Department of Veterans Affairs | Enterprise Infrastructure Engineering
470 L’Enfant Plaza Suite 3100, Washington DC 20024
Office (202) 245-4573, Mobile (703) 400-1471
From: Cerniuk William <email@hidden>
Date: Thu, 3 Sep 2009 23:54:07 -0400
To: "Daniel S. Hoit" <email@hidden>
Cc: Fed Talk <email@hidden>
Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 6, Issue 221
That is good intel. The problem with binding to AD for us is that our AD is not structured in a normal way (so said MS).
This structure throws the Mac directory system for a loop and eventually stalls the Mac completely at login and then during some background process when and if the user actually gets logged in.
So from an operational standpoint, it would be very beneficial if the certs could be looked up and pulled over without the Mac being hardware bound (object in the OU) to Active Directory but instead just ad hoc binding while making LDAP data requests.
If (big if) the cert can be found via LDapper drilling into AD (?) then why can't they be pulled over without joining the Mac to the Domain?
V/R,
Wm. Cerniuk
703.594.7616

Daniel S. Hoit
Lawrence Livermore National Laboratory
phone: 925-424-5256