[Legacy] Mac Open Directory/LDAP Configuration
PaperCut versions 8.4 or higher will now attempt to auto-detect Open Directory and LDAP configurations on Mac OS X Server. The default LDAP configuration options detected should work on most sites.
If however the auto configuration option does not work, or you’d like us to verify your LDAP configuration, please send through your Open Directory server’s configuration file using this procedure:
admin on your master Open Directory server and open the Terminal (command prompt).

    sudo cp /private/etc/openldap/slapd_macosxserver.conf ~
    sudo chmod 666 ~/slapd_macosxserver.conf

slapd_macosxserver.conf in your home directory.
This file contains the information we require to determine the
In an Open Directory domain, all users have a “Primary Group”, which is used for legacy reasons and for POSIX compliance. By default, the primary group of all Open Directory users is set to the built-in “Users” group. It is recommended that you leave “Users” as the primary group (Best practice suggested by Microsoft).
Due to a limitation in Open Directory and PaperCut’s LDAP interface, when a user is a member of a group by virtue of it being the user’s primary group, they are not reported as a member of that group.
For example, if a user’s primary group is set to a group called “Staff”, then the user will not appear to be a member of “Staff” inside PaperCut.
This limitation is due to performance considerations. Looking up Primary Group membership on larger networks is very resource intensive as you need to “look” at every user. This contrasts with standard groups where you simply call to the server to retrieve membership.
If you need to use a group in PaperCut that is also used as a primary group (that is, users are members of the group by virtue of it being their primary group), then the workaround is to create a mirror group. For example, if you have a group called “Staff” and are unable to use this group because of the primary group problem, create a new group called StaffStandard and add staff members to this group. You can take advantage of Open Directory’s query system to quickly identify and add the staff users. The new group StaffStandard can then accurately be used in PaperCut.
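The difference between the two lookups, and the member list a mirror group needs, shown as an added example (not PaperCut's code). It assumes the directory stores users and groups in the POSIX (RFC 2307) layout with the attributes posixAccount, posixGroup, gidNumber and memberUid; the LDIF records and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export in the POSIX (RFC 2307) layout; names and IDs are made up.
LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=com
objectClass: posixAccount
uid: alice
gidNumber: 1026

dn: uid=carol,cn=users,dc=example,dc=com
objectClass: posixAccount
uid: carol
gidNumber: 20

dn: cn=Staff,cn=groups,dc=example,dc=com
objectClass: posixGroup
cn: Staff
gidNumber: 1026
memberUid: carol
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF (no base64 values or folded lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr].append(value)
        entries.append(entry)
    return entries

def group_entry(entries, name):
    return next(e for e in entries
                if "posixGroup" in e["objectClass"] and name in e["cn"])

def listed_members(entries, name):
    """One read of the group record: what a group-membership lookup reports."""
    return set(group_entry(entries, name)["memberUid"])

def primary_members(entries, name):
    """The costly path: inspect every user for a matching primary gidNumber."""
    gid = group_entry(entries, name)["gidNumber"]
    return {e["uid"][0] for e in entries
            if "posixAccount" in e["objectClass"] and e["gidNumber"] == gid}

def mirror_members(entries, name):
    """Users a mirror group such as StaffStandard has to list explicitly."""
    return sorted(listed_members(entries, name) | primary_members(entries, name))
```

In the sample, alice belongs to Staff only through her primary group, so the group record alone does not report her; the mirror list includes her alongside the explicitly listed carol.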
The current release does not support Open Directory nested groups. We support nested groups in Microsoft Active Directory (native interface) and also plan on making this available to Open Directory users in a future release. Unfortunately it requires quite a few complex changes. The current LDAP support is very much geared to POSIX standard support and features like nested groups extend on this. We need to introduce support without upsetting many of our large customers running on POSIX based LDAP servers.
Create a flattened, non-nested group. Also make sure you email us and put your vote in for this development, as all development is prioritized on requests.
Keywords: LDAP, OpenDirectory, Apple Mac OSX Server