(Note: carefully type these taking into account the spaces and hitting the return key at the end of each line)
3) Email us the file named slapd_macosxserver.conf in your home directory.
This file contains the information we require to determine the BaseDN and AdminDN.
Limitations with Open Directory/LDAP
In an Open Directory domain, all users have a “Primary Group”, which is used for legacy reasons and for POSIX compliance. By default, the primary group of all all Open Directory users is set to the built-in “Users” group. It is recommended that you leave “Users” as the primary group (Best practice suggested by Microsoft).
Due to a limitation in Open Directory and PaperCut’s LDAP interface, when a user is a member of a group by virtue of it being the user’s primary group, they are not reported as a member of that group.
For example, if a user’s primary group is set to a group called “Staff”, then the user will not appear to be a member of “Staff” inside PaperCut.
This limitation is due to performance considerations. Looking up Primary Group membership on larger networks is very resource intensive as you need to “look” at every user. This contrasts with standard groups where you simply call to the server to retrieve membership.
If you need to use a group in PaperCut that is also used as a primary group - that is users are a member of a group by virtue of it being their primary group - then the work around is to create a mirror group. For example, if you have a group called “Staff” and are unable to use this group because of the primary group problem, create a new group called StaffStandard and add staff members to this group. You can take advantage of Open Directory’s query system to quick identify and add the staff users. The new group StaffStandard can then accurately be used in PaperCut.
The current release does not support Open Directory nested groups. We support nested groups in Microsoft Active Directory (native interface) and also plan on making this available to Open Directory users in a future release. Unfortunately it requires quite a few complex changes. The current LDAP support is very much geared to POSIX standard support and features like nested groups extend on this. We need to introduce support without upsetting many of our large customers running on POSIX based LDAP servers.
Create a flattened group non-nested group. Also make sure you email us and put your vote in for this development as all development is prioritized on requests.