Does anyone know if it is possible to control the altServer and
namingcontexts attributes, or possibly control which users (i.e. via ACL)
can query for those attributes?

I have a customer where I implemented OS X integration by extending the
schema a couple of years ago. Everything was working fine (including
Workgroup Manager for management of the preferences on user, computer,
and user and computer group objects) until Lion came along.

I spent days analysing the network traces, and it is clear that Lion
ignores the LDAP configuration, but as soon as it cannot get something
from the configured server, it queries that server for the
namingcontexts and altServer attributes, and then it's a free-for-all from
what I can see.

It keeps hitting different servers randomly, but it looks like it tries
the servers with lowest IP address first.

There are a couple of issues with this:

1) The load balancer became totally useless. While initially a connection
is made through it (when the computer is configured to connect to eDir),
later on it is hitting the real servers.
2) The customer has many replicas, and unfortunately each replica is a
separate naming context. So when Lion queries the DSE Root, it gets all
these responses it needs to go through and query individually until it
finds the naming context that has the OS X part of the eDir. Sometimes it
gives up after a while, so managed preferences do not get loaded on the
3) DSfW has also been implemented recently, and this adds further
complexity, as the AD naming context returned by DSfW is also completely
different, and even forcing everything to go to port 1389 does not work,
as good old Apple is shipping out beta-quality software all the time,
and irrespective of the configuration it is still trying port 389 like

So, one idea for the resolution of this problem is either to not
respond to those queries unless you're authenticated with appropriate
credentials, which could force Lion to behave like previous versions and
just use the configured LDAP server or the ldapreplicas record in
eDirectory. Another would be to provide options in the LDAP
server object, so that we can respond with the load balancer's virtual IP
when altServer is requested (or only with the servers that do not have DSfW),
and also be able to define the namingcontexts that will be returned
to the LDAP client. Either way, I need to be able to control these
options if possible, and the question is whether someone has done it before,
or whether Novell/NetIQ are looking at providing this functionality to
make eDir more usable (I understand AD and OD have some of this

This is the first time I have come across an application that actually uses
this method of finding out more about the LDAP directory in order to
enhance its ability, so I don't think it would matter much if we can
define those attributes to the values we find appropriate in different


lpavic's Profile:
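As an added example (not part of the original post, and not Novell/NetIQ code), the following script shows how an administrator can audit what the root DSE of an eDirectory LDAP server hands to an unauthenticated client: it parses the LDIF that an anonymous base-scope search for altServer and namingContexts prints, orders the altServer entries the way the post observes Lion trying them (lowest IP first), and flags every altServer that does not point at the load balancer's VIP, plus whether the OS X container's naming context is advertised. The LDIF sample, hostnames, addresses, the VIP 10.0.0.100 and the container ou=osx,o=acme are all constructed assumptions for the example.

```python
"""
Added example (not from the original post): parse the LDIF that an anonymous
root DSE query such as

    ldapsearch -x -H ldap://<server> -s base -b "" altServer namingContexts

prints, and report what a client like the one described in the post would see.
The sample answer, hostnames and addresses below are constructed; the VIP
address and the OS X container name are assumptions for the example.
"""
import base64
import ipaddress
from urllib.parse import urlsplit

# Constructed root DSE answer. It includes an LDIF folded line (leading space)
# and a base64 value ("attr::") because real ldapsearch output contains both.
SAMPLE_LDIF = """\
dn:
namingContexts: o=acme
namingContexts: ou=osx,o=acme
namingContexts: dc=dsfw,dc=acme,
 dc=example
altServer: ldap://10.0.0.20:389/
altServer: ldap://10.0.0.5:389/
altServer: ldaps://10.0.0.7:636/
altServer:: bGRhcDovLzEwLjAuMC4zOjM4OS8=
"""


def parse_ldif_entry(text):
    """Return {attribute_lowercase: [values]} for one LDIF entry.

    Handles folded continuation lines (a leading space joins the line to the
    previous one) and base64-encoded values ("attr:: <base64>")."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entry = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":          # root DSE has an empty DN; skip it
            continue
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def altserver_fallback_order(entry):
    """Order altServer URLs the way the post observes Lion trying them:
    lowest literal IP address first. Non-IP hostnames sort after IPs."""
    def sort_key(url):
        host = urlsplit(url).hostname or ""
        try:
            return (0, int(ipaddress.ip_address(host)), url)
        except ValueError:
            return (1, 0, host)
    return sorted(entry.get("altserver", []), key=sort_key)


def audit_root_dse(entry, allowed_hosts, osx_context):
    """Report what an unauthenticated client learns from the root DSE:
    altServer entries that bypass the load balancer (hosts not in
    allowed_hosts), how many naming contexts a client must walk, and whether
    the OS X container's context is advertised at all."""
    stray = [u for u in entry.get("altserver", [])
             if (urlsplit(u).hostname or "") not in allowed_hosts]
    contexts = [c.lower() for c in entry.get("namingcontexts", [])]
    return {
        "stray_altservers": stray,
        "naming_context_count": len(contexts),
        "osx_context_advertised": osx_context.lower() in contexts,
    }


if __name__ == "__main__":
    dse = parse_ldif_entry(SAMPLE_LDIF)
    print("fallback order:", altserver_fallback_order(dse))
    # Assumed VIP 10.0.0.100 and OS X container ou=osx,o=acme (example values).
    print(audit_root_dse(dse, {"10.0.0.100"}, "ou=osx,o=acme"))
```

Run against a real server's output by piping the ldapsearch result into parse_ldif_entry instead of SAMPLE_LDIF; a non-empty stray_altservers list is exactly the situation the post describes, where clients walk around the load balancer to individual replicas, and a high naming_context_count shows how many contexts a client has to probe before it finds the OS X one.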