Mac OS X authentication against OpenLDAP
This was more of pain than I ever anticipated.
account under Mac OS X
Yes you have to enable UNIX root. admin apparently doesn't work. Don't
ask why. Guys from Dixie state wrote it up with screenshots so go to
source to Directory Access
1. Open Directory Access from /Applications/Utilities
2. Click the Lock on the bottom of the window. You will be prompted for
the root password.
3. You should now see something like this
4. Click on LDAPv3 then click Configure
5. Check off "Use DHCP-supplied LDAP server"
6. Select Options then click Add
You should now see something like this
- Enter a configuration name ie: Master LDAP
- Server Name: your Master LDAP server name ie. ldap.domain.com
- Click on LDAP Mappings and select RFC 2307 (Unix)
- A window will pop up that will ask you for a search base. Put ie.
- Check SSL
7. Click Edit just to make sure all looks good
8. Click OK then OK again.
9. Now you'll be back at the Directory Access Window
10. Click on Authentication
at the top of the window
11. Under Search Pull Down choose "Custom
Path" then Click Add. Select
12. Click OK and OK again until Directory Access closes.
13. Restart the machine
14. After the restart you should be able to log in as any valid LDAP
1. If after configuring your LDAP you still can't authenticate and your
/var/log/system.log contains messages like these
DSOpenNode(): dsOpenDirNode("/LDAPv3/ldap.domain.edu") == -14002
problem comes from the Format utility of the Directory
Access which apparently keeps misconfiguration even if it is
corrected. To correct
- Remove all contents of the directory
/Library/Preferences/DirectoryService ie. double click on your Mac HDD
- Open /Applications/Utilities/Netinfo Manager and within it remove
all contents of /config/mcx-mask
Then restart the machine and reconfigure.
Thanks to http://futureshare.lip6.fr/MacOSXServer-Config-a.html
for pointing this out :-).
Vladimir Vuksan (E-mail) with help from Ryan