(This Howto is based on the instructions at http://www.spack.org/wiki/AppleOsxIntegrationWithOpenLdap)

Setting up LDAP access to LLL server on a Macintosh client

This page describes how to set up LDAP authentication with SSL on Mac OSX 4.

Open Directory access

1. Doubleclick on hard disk icon (red circle 1)
2. In the filebrowser window, chose application on the left (2)
3. click on the "3 pane view" icon (3)
4. Open /Application/Utilities/DirectoryAccess (by first single-clicking on Utilities in left pane, then doubleclick "Directory Access" in middle pane)

On some versions of MacOS, you may instead need to do the following:

1. go into Apple->SystemSettings->Accounts instead
2. click on Login Options (lower left)
3. add a "Network Account Server"
4. Open Directory Utility

Enable and configure LDAPv3 plugin

1. Doubleclick on the padlock (lower left of directory acess window) and enter admin user and password until padlock is open
2. Select "LDAPv3" in list
3. Click "Configure"

Create a new directory server entry

• Click "New"

• Enter LDAP server's host name (in this example, <code>ldap.lgl.lu</code>
• Check "Encrypt using SSL"
• Click "Manual"

• Pick "RFC 2307 (Unix)" template
• Enter <code>dc=lgl,dc=lu</code> as search base
• Click ok

Configure LDAPv3 server entry

• If you want, assign a meaningful Configuration Name to entry by entering it in place of <code>Untitled 0</code>
• Select configuration (<code>Untitled 0</code> or whatever name you gave it)
• Click Edit

• Click "Search and Mappings" in tab bar
• Click Users in left hand pane
• Enter <code>ou=People,dc=lgl,dc=lu</code> as a search base
• Check check "first level only"
• Click Groups in left hand pane
• Enter <code>ou=Groups,dc=lgl,dc=lu</code> as a search base
• Check check "first level only"
• Click Mounts in left hand pane
• Enter <code>ou=Mounts,dc=lgl,dc=lu</code> as a search base
• Check check "first level only"

• Click ok

N.B. It is normal that the template setting automatically changes from <code>RFC 2307</code> to <code>Custom</code> as soon as you change one of the setting.

Add new LDAPv3 server entry as an authentication provider

In the Directory access window, click the Authentication tab.

Then, click the add button to add service /LDAPv3/ldap.lgl.lu (you can pick it from a list).

On some newer version of MacOS, you may need to proceed as follows instead: click on the "Search Policy" Icon at the top of the "Directory Utility" (only clickable if currently no service is being edited: click Ok or Cancel to dismiss if you are editing a service), and then add the newly defined service to the list.

Testing

Now is time for testing.

• Open a terminal by calling Applications/Utilities/Terminal in file manager
• In terminal, enter <code>dscl localhost list /Search/Users

</code>. This displays a list of all users known by the macintosh. If everything worked, it should include all users from the server's LDAP database.

• If all users are included, log out, and log back in as one of the server users (you need to click "Other users" at the login window, then enter its name). It's expected that the login process is slow, as we have not yet set up mounting of <code>/home</code>.
• If login was successful, clean away its temporary home directory (if the system created one)