Archive for February 11th, 2005

More LDAP documentation

There really is something broken about OS X's use of LDAP as a directory server.
I don't have an OS X Server. That's probably a good thing, because I think it must do something to the OOB NetInfo that basically invalidates it.

For more information, see my page, which has more extensive documentation of my experiences…

I don't know how they do that.
What needs to happen is this: at system startup, after the network is enabled, I need to see some kind of attempt to read information from the directory.
But I don't see any until AFTER a user logs in.
This means that valid LDAP users cannot log in to a machine until AFTER a NetInfo user has logged in and some of the LDAP information is known to the system.
Once that happens, any user with an LDAP entry can log in.
Again, the first login has to be from a user with valid local NetInfo credentials, otherwise no dice. Once a local NetInfo user has logged in, all is fine.

This only applies to environments where all the machines have local NetInfo databases, which is pretty par for the course in small environments. If you have an Xserve and everyone is migrated, then you are fine.
But this leads me to wonder what happens to the 50% of other businesses that are not configured right, where profiles are not migrated to the server… There's got to be trouble there.

Open Directory is very half-baked right now; most of the work needs to be done on the client side. I've been trying a lot of things. I've customized my lookupd prefs so that the default search order is Cache DS NI. This did not work. Does anyone know how to override the search order in Directory Access?