Group Synchronizing Issues with the Directory Utility and the Active Directory Plugin

After we implemented ILM to sync our PeopleSoft data and Active Directory accounts, I was informed by one of our Mac techs that Active Directory groups were no longer syncing with our Mac clients and servers. Accounts created under our old process would have their group memberships updated when they were updated; however, the new accounts would not have their group memberships updated.

While I can neither confirm nor deny that ILM was responsible for this, I believe this was a non sequitur. On a clean installation of Active Directory I continued to have this problem before using ILM to sync any accounts. In our production environment we are also running OpenLDAP to complete the “Golden Triangle” (a special setup that Macs use to make things more complicated for the rest of us). I shut down the OpenLDAP service in order to reduce complexity on that end as well.

In the end this meant the problem was isolated to two servers:

  1. Active Directory, running on Windows Server 2003
  2. Mac OS X 10.5.8, using the Active Directory Plugin (version 1.6.5)

Throughout the rest of this article I will assume you have already bound the Mac to Active Directory (instructions on how to do that), and I will reference one group and one account for troubleshooting this issue, aptly named testuser and testgroup.

At the command line on our Mac server, if you type in this command:

id testuser

You might expect to see something like this:

uid=2098570484(testuser) gid=185005768({domain}\domain users)

If you add testuser to testgroup in Active Directory, you might expect to see a return like this:

uid=2098570484(testuser) gid=185005768({domain}\domain users), 12345({domain}\testgroup)

In practice, though, the user does not show up in the new group we added them to. However, if we look in the Directory Services data store using the dscl command, with something along the lines of:

dscl /Search -read /Users/testuser

we would see that the user is a member of the group in Active Directory. Somewhere between the id command and the Directory Services data store there is a cache of users that is not getting updated. One thing I noticed, however, was that the cached data was updated when Active Directory was rebound or the Active Directory Plugin had its settings changed. This means that you can run a command-line update nightly using dsconfigad with a benign setting change to refresh your groups.

An example switch might be something like:

dsconfigad -nopreferred

After running this command, your groups should be updated. You can validate this by running the id command again.
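The check-then-refresh routine described above, written out as a small sh script. This is an added example, not a script from the original post: it parses id(1) output to decide whether the group is already visible, runs the benign dsconfigad setting change only when the cache is stale, and re-checks afterwards. The user and group names, the cron line in the trailing comment, and the script path are placeholders; the sample id output used in comments is constructed.

```shell
#!/bin/sh
# Added example (not the post's own script): refresh the AD plugin's cached
# group memberships only when id(1) disagrees with what Active Directory holds.
# Assumes Mac OS X 10.5 tools (/usr/bin/id, /usr/sbin/dsconfigad) and root,
# since dsconfigad needs it. USER/GROUP names below are placeholders.

# user_in_group ID_OUTPUT GROUP
# Returns 0 when GROUP appears as a whole "(DOMAIN\group)" or "(group)" token
# in the id output, e.g. "12345(EXAMPLE\testgroup)" (constructed sample).
# A case pattern is used because the domain separator is a literal backslash.
user_in_group() {
    id_output=$1
    group=$2
    case "$id_output" in
        *"\\$group)"*|*"($group)"*) return 0 ;;
    esac
    return 1
}

# check_and_refresh USER GROUP
# Exit 0 if USER shows GROUP (refreshing the cache first if needed),
# 2 if the group is still missing after the refresh.
check_and_refresh() {
    user=$1
    group=$2
    before=$(/usr/bin/id "$user")
    if user_in_group "$before" "$group"; then
        echo "ok: $user already shows $group"
        return 0
    fi
    echo "stale: $user is missing $group; nudging the AD plugin"
    # Benign setting change from the post; it makes the plugin rebuild its cache.
    /usr/sbin/dsconfigad -nopreferred
    sleep 5   # give DirectoryService a moment before re-reading
    after=$(/usr/bin/id "$user")
    if user_in_group "$after" "$group"; then
        echo "ok: $group now visible for $user"
        return 0
    fi
    echo "still stale: compare with dscl /Search -read /Users/$user" >&2
    return 2
}

# Only act when invoked with a user and a group, e.g. from a nightly cron entry
# (path and schedule are placeholders):
#   0 3 * * * /usr/local/sbin/ad-group-refresh.sh testuser testgroup
if [ "$#" -ge 2 ]; then
    check_and_refresh "$1" "$2"
fi
```

Running it against a user that is known to be in a freshly assigned group turns the nightly refresh into a check: the dsconfigad call only fires when the cache is actually stale, and a non-zero exit after the refresh tells you the problem is upstream of the cache rather than in it.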


October 29, 2009 • Posted in: Technology