Mac OS X authentication against OpenLDAP

This was more of a pain than I ever anticipated.

Enable root account under Mac OS X

Yes, you have to enable the UNIX root account; an admin account apparently doesn't work. Don't ask why. The guys from Dixie State wrote it up with screenshots, so go to

http://cs.dixie.edu/ldap/mac/page2.php

Add LDAPv3 source to Directory Access

1. Open Directory Access from /Applications/Utilities.
2. Click the lock at the bottom of the window. You will be prompted for the root password.
3. You should now see something like this (screenshot: Directory Access window).
4. Click on LDAPv3, then click Configure.
5. Check off "Use DHCP-supplied LDAP server".
6. Select Options, then click Add. You should now see something like this (screenshot: Mac OS X LDAP sources).
7. Click Edit just to make sure all looks good (screenshot: LDAP config).
8. Click OK, then OK again.
9. You will now be back at the Directory Access window.
10. Click on Authentication at the top of the window.
11. Under the Search pull-down, choose "Custom Path", then click Add and select the ldap/ldap.domain.com source.
12. Click OK and OK again until Directory Access closes.
13. Restart the machine.
14. After the restart you should be able to log in as any valid LDAP user.

Troubleshooting

1. If, after configuring LDAP, you still can't authenticate and your /var/log/system.log contains messages like this:

/System/Library/LoginPlugins/MCX.loginPlugin/Contents/MacOS/MCXCacher: DSOpenNode(): dsOpenDirNode("/LDAPv3/ldap.domain.edu") == -14002

The problem comes from the Format utility of Directory Access, which apparently keeps the misconfiguration even after it is corrected. To correct it:

  1. Remove all contents of the directory /Library/Preferences/DirectoryService (in the Finder: double-click your Mac HDD, then open Library, Preferences, DirectoryService).
  2. Open /Applications/Utilities/NetInfo Manager and, within it, remove all contents of /config/mcx-mask.

Then restart the machine and reconfigure.
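As an added example (not part of the original write-up), here is a small shell script that triages /var/log/system.log for the dsOpenDirNode() failure quoted above, so you can tell which LDAPv3 node is failing and how often before you start wiping preferences. The log lines embedded in it are constructed samples modelled on the message above, and the mapping of status -14002 to the symbolic name eDSOpenNodeFailed comes from Apple's DirectoryService status codes, not from this page.

```shell
# Added example: triage system.log for DirectoryService node-open failures.
# Assumes the log format quoted in the write-up; -14002 is eDSOpenNodeFailed
# per Apple's DirectoryService status codes (any other code is reported as
# "unknown" rather than guessed).

# Map a DirectoryService status code to its symbolic name.
ds_status_name() {
    case "$1" in
        -14002) echo "eDSOpenNodeFailed" ;;
        *) echo "unknown" ;;
    esac
}

# Read log lines on stdin and print one line per distinct failing node:
#   <node> <status code> <symbolic name> <occurrences>
ds_node_failures() {
    grep 'dsOpenDirNode(' |
    sed -n 's/.*dsOpenDirNode("\([^"]*\)") == \(-\{0,1\}[0-9]*\).*/\1 \2/p' |
    sort | uniq -c |
    while read -r count node code; do
        printf '%s %s %s %s\n' "$node" "$code" "$(ds_status_name "$code")" "$count"
    done
}

# Constructed sample log lines (not real output) so the script runs stand-alone.
SAMPLE_LOG='Jan  1 12:00:01 mac /System/Library/LoginPlugins/MCX.loginPlugin/Contents/MacOS/MCXCacher: DSOpenNode(): dsOpenDirNode("/LDAPv3/ldap.domain.edu") == -14002
Jan  1 12:00:02 mac loginwindow[123]: unrelated line that must be ignored
Jan  1 12:00:03 mac /System/Library/LoginPlugins/MCX.loginPlugin/Contents/MacOS/MCXCacher: DSOpenNode(): dsOpenDirNode("/LDAPv3/ldap.domain.edu") == -14002'

# Against the sample; on a real machine use: ds_node_failures < /var/log/system.log
printf '%s\n' "$SAMPLE_LOG" | ds_node_failures
```

If the node reported here is the LDAPv3 source you just configured and the count keeps climbing across reboots, you are hitting the stale-configuration problem described above; if no lines are reported at all, the failure is somewhere other than opening the directory node and the cleanup steps will not help.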

Thanks to http://futureshare.lip6.fr/MacOSXServer-Config-a.html for pointing this out :-).


Author: Vladimir Vuksan (E-mail) with help from Ryan Chapman.