Mac Open Directory/LDAP Configuration

KB Home   |   Mac Open Directory/LDAP Configuration

I’d like some assistance configuring PaperCut to work with my Open Directory/LDAP network

PaperCut version’s 8.4 or higher will now attempt to auto detect Open Directory and LDAP configurations on Mac OS X Server. The default LDAP configuration options detected should work on most sites.

If however the auto configuration option does not work, or you’d like us to verify your LDAP configuration, please send through your Open Directory server’s configuration file using this procedure:

1) Login as an admin on your master Open Directory server and open the Terminal (command prompt).
2) Type:
         sudo cp /private/etc/openldap/slapd_macosxserver.conf ~
         sudo chmod 666 ~/slapd_macosxserver.conf
(Note: carefully type these taking into account the spaces and hitting the return key at the end of each line)
3) Email us the file named slapd_macosxserver.conf in your home directory.

This file contains the information we require to determine the BaseDN and AdminDN.

Limitations with Open Directory/LDAP

Primary Group

In an Open Directory domain, all users have a “Primary Group”, which is used for legacy reasons and for POSIX compliance. By default, the primary group of all all Open Directory users is set to the built-in “Users” group. It is recommended that you leave “Users” as the primary group (Best practice suggested by Microsoft).

Due to a limitation in Open Directory and PaperCut’s LDAP interface, when a user is a member of a group by virtue of it being the user’s primary group, they are not reported as a member of that group.

For example, if a user’s primary group is set to a group called “Staff”, then the user will not appear to be a member of “Staff” inside PaperCut.

This limitation is due to performance considerations. Looking up Primary Group membership on larger networks is very resource intensive as you need to “look” at every user. This contrasts with standard groups where you simply call to the server to retrieve membership.

Work around:

If you need to use a group in PaperCut that is also used as a primary group - that is users are a member of a group by virtue of it being their primary group - then the work around is to create a mirror group. For example, if you have a group called “Staff” and are unable to use this group because of the primary group problem, create a new group called StaffStandard and add staff members to this group. You can take advantage of Open Directory’s query system to quick identify and add the staff users. The new group StaffStandard can then accurately be used in PaperCut.

Nested Groups

The current release does not support Open Directory nested groups. We support nested groups in Microsoft Active Directory (native interface) and also plan on making this available to Open Directory users in a future release. Unfortunately it requires quite a few complex changes. The current LDAP support is very much geared to POSIX standard support and features like nested groups extend on this. We need to introduce support without upsetting many of our large customers running on POSIX based LDAP servers.

Work around:

Create a flattened group non-nested group. Also make sure you email us and put your vote in for this development as all development is prioritized on requests.

Also see


Categories: Implementation / Deployment, Domains / Directories


Keywords: LDAP, OpenDirectory, Apple Mac OSX Server

Comments

Share your findings and experience with other PaperCut users. Feel free to add comments and suggestions about this Knowledge Base article. Please don't use this for support requests.

Article last modified on September 24, 2009, at 06:35 PM
Printable View   |   Article History   |   Edit Article