OSX Server 3, Mac clients binding to OD and Profile Manager failing
- by dbf
I've made a setup containing a Mac Mini with OSX Server 3 (Mavericks 10.9.2) using Open Directory and Profile Manager (Mail, etc all set up and working).
Now the thing is, internally on the local network, everything works great. Clients can bind to the OD and the users are able to login. I can install trust and settings profiles (either custom or group profiles) and all services in the profiles mentioned are being configured correctly. I can log in and out, hump around and do it a 100 times on different macs with different users, it works.
My goal is to make this service publicly. The domain is with a FQDN which I own, for simplicity let's say server.domain.com. Now the only way for me to bind the clients to the OD is using LDAP mapping RCF2307 (without SSL) and a DN suffix of dc=server,dc=domain,dc=com using the Directory Utility. The options from server, or open directory will throw several errors like Connection failed to node '/LDAPv3/server.domain.com (2100).
First of all I don't really understand the problem why clients can't bind to the OD like it does locally, with and without SSL (all ports are open, literally all ports are open, not just 389,636 and 1640, wasn't sure if I was missing any).
When the clients are using LDAP mapping RFC2307 to bind (without SSL only), clients are able to authenticate, login and even load the Trust profile. But every Settings profile will fail with a Debug Message: Unable to find GUID in user record OD or fail to install saying missing user identification.
Is there any way to get this to work without RFC2307? Because there is quite some stuff missing when using RFC2307 and not pull the mapping from the server or use open directory.
Is this setup even possible? Or should I use VPN to authenticate with the OD?
The network setup is a Modem/Router (DHCP off) with WAN NATted to an Airport Extreme (Using DHCP+NAT). The AE does notify with a double NAT message but I haven't had any problems with it on any other service. So WAN - 192.168.2.220 (static), AE - 10.0.1.* (dhcp)
Output of DIG from the outside using dig server.domain.com
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;server.domain.com. IN A
;; ANSWER SECTION:
server.domain.com. 77 IN A 91.50.*.* (valid WAN IP)
;; SERVER 172.*.*.1#53(172.*.*.1) (iPhone)
DIG locally from a client and server (same output)
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;server.domain.com. IN A
;; ANSWER SECTION:
server.domain.com. 10800 IN A 10.0.1.11
;; AUTHORITY SECTION:
server.domain.com. 10800 IN NS domain.com. (used for email send in relay)
server.domain.com. 10800 IN NS server.domain.com.
;; SERVER 10.0.1.11#53(10.0.1.11)
Are there any things I should check? Only have OSX.
--
double NAT issue, plugged in the server directly on the Modem/Router with a static IP and issue remains. Guess that rules out the double NAT thing.
--
changeip -checkhostname comes with There is nothing to change, e.g. success.
Primary address = 10.0.1.11
Current HostName = server.domain.com
DNS HostName = server.domain.com
For now, I've made a workaround by using an admin account that forces a permanent VPN connection on boot. That means before it comes to the login, a connection is already made or underway.
I will continue this post when I have more time, also locating all the necessary .log files of each application involved. I have some suspicions but have to debug a bit more when I have more time on my hands ..
Unless, of course, I get sidetracked with having a life. Which is arguably
not very likely.
krypted.com
