MacLdapAuthSnowLeopard
Setting up LDAP access to LLL server on a Macintosh client
This page describes how to set up LDAP authentication over SSL (LDAPS) on Mac OS X 10.6 (Snow Leopard) against the LLL server.
Disable SSL certificate verification
Skipping certificate verification is what makes the SSL connection succeed when the server's certificate is not issued by a CA the Mac trusts. Keep in mind what it costs: the traffic is still encrypted, but nothing checks that the host answering on port 636 is the LLL server, so anyone who can redirect your traffic can present their own certificate and read the passwords typed at login. If you have the LLL CA certificate, the safer setting is to keep the check on and point the client at that CA (TLS_CACERT together with TLS_REQCERT demand).
- Open a terminal via Applications/Utilities/Terminal (or through the "Applications" icon in the Dock)
- Edit /etc/openldap/ldap.conf as root (use sudo; this is where Mac OS X keeps the OpenLDAP client configuration, not /etc/ldap/ldap.conf, which is the Debian/Ubuntu location) and add
TLS_REQCERT never
to the end, removing or commenting out any other TLS_REQCERT setting that might be there
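As an added example (not from the original page), a small POSIX shell script that performs the ldap.conf edit described above in a repeatable way, and next to it the hardened variant that keeps certificate checking on. It assumes the Mac OS X config path /etc/openldap/ldap.conf and uses /etc/openldap/lll-ca.pem as a placeholder for wherever you store the LLL CA certificate; adjust both to your setup.

```shell
#!/bin/sh
# Added example, not part of the original page: manage the TLS_REQCERT /
# TLS_CACERT directives in an OpenLDAP client config file.
# Assumptions: the file is /etc/openldap/ldap.conf (Mac OS X's location) and
# /etc/openldap/lll-ca.pem is a placeholder for wherever you keep the LLL CA.

# set_directive FILE NAME VALUE
# Comment out every active "NAME ..." line in FILE and append "NAME VALUE".
# This is the manual edit the page asks for, done through a temporary copy.
set_directive() {
    file=$1 name=$2 value=$3
    tmp=$(mktemp) || return 1
    sed "s/^[[:space:]]*$name[[:space:]]/#&/" "$file" > "$tmp" &&
        printf '%s %s\n' "$name" "$value" >> "$tmp" &&
        cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# effective_value FILE NAME
# The last active occurrence of a directive wins, so print the value of the
# last uncommented NAME line (empty if there is none).
effective_value() {
    awk -v name="$2" '$1 == name { v = $2 } END { print v }' "$1"
}

# What the page does: accept any certificate the server presents. The session
# is still encrypted, but nothing proves the peer is the LLL server.
disable_cert_check() {
    set_directive "$1" TLS_REQCERT never
}

# Hardened alternative: trust the LLL CA explicitly and demand a valid chain.
# The second argument must be a PEM file holding that CA certificate.
require_known_ca() {
    set_directive "$1" TLS_CACERT "$2" &&
        set_directive "$1" TLS_REQCERT demand
}

# Run with "demo" to see both edits applied to a scratch file (nothing under
# /etc is touched); otherwise source the file and call the functions yourself.
if [ "${1:-}" = demo ]; then
    scratch=$(mktemp)
    printf 'BASE dc=lll,dc=lu\nTLS_REQCERT demand\n' > "$scratch"
    disable_cert_check "$scratch"
    echo "page's edit   -> TLS_REQCERT = $(effective_value "$scratch" TLS_REQCERT)"
    require_known_ca "$scratch" /etc/openldap/lll-ca.pem
    echo "hardened edit -> TLS_REQCERT = $(effective_value "$scratch" TLS_REQCERT)"
    cat "$scratch"
    rm -f "$scratch"
fi
```

To apply the page's setting for real, source the file in a root shell and run `disable_cert_check /etc/openldap/ldap.conf`; to apply the hardened one instead, run `require_known_ca /etc/openldap/ldap.conf /path/to/lll-ca.pem`. Either way, `ldapsearch -x -H ldaps://yourserver -b dc=lll,dc=lu` is a quick way to confirm the client library is happy with the result before touching Directory Utility.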
Open Directory access
Click the Apple menu and choose "System Preferences":
Click Accounts:
Click "Login Options" (lower left), and add a "Network Account Server":
Open Directory Utility:
- Double-click the padlock (lower left of the Directory Utility window) and enter an admin user name and password so that the padlock opens
- Select "LDAPv3" in the list
- Click the pencil icon to "Configure"
Click "New" to add a new configuration for connecting to your LDAP server:
Pick a configuration name, enter your server's host name or IP address, tick "Encrypt using SSL", leave the default port (636), and click OK when done:
- Click the "Search and Mappings" tab; the Search and Mappings dialog appears
- Pick the "RFC 2307 (Unix)" template
- Enter
dc=lll,dc=lu
as the search base
- Click Mounts in the left-hand pane
- Enter
ou=Mounts,dc=lll,dc=lu
as the search base and tick "first level only"
N.B. The template setting is expected to change automatically from "RFC 2307 (Unix)" to "Custom" as soon as you change one of the settings.
- Click Users in the left-hand pane
- Enter
ou=People,dc=lll,dc=lu
as the search base and tick "first level only"
- Click Groups in the left-hand pane
- Enter
ou=Groups,dc=lll,dc=lu
as the search base and tick "first level only"
- Click OK
- Click the "Search Policy" icon in the top bar and add the newly defined server with the + icon
On some newer versions of Mac OS X the "Search Policy" icon at the top of the Directory Utility window is only clickable when no service is being edited (click OK or Cancel to close the service editor first); then add the newly defined service to the list.
Testing
Now it is time to test.
- Open a terminal via Applications/Utilities/Terminal in the Finder
- In the terminal, enter
dscl localhost list /Search/Users
This lists every user the Mac can resolve. If everything worked, it includes all users from the server's LDAP database.
- If all users are listed, log out and log back in as one of the server users (click "Other" at the login window, then enter that user's name and password). Expect the login to be slow, as mounting of
/home
has not been set up yet.
- If the login succeeded, remove the temporary home directory the system may have created for that user
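The dscl check above is easy to eyeball for a handful of accounts but not for a whole directory. As an added example (not from the original page), this script compares the uids the LLL server publishes under ou=People with what the Mac resolves through /Search and prints any account that is missing. The host name ldap.lll.lu is a placeholder, the anonymous bind in ldapsearch is an assumption about the server, and only the LDIF parsing and list comparison run offline; the live check needs the server.

```shell
#!/bin/sh
# Added example, not part of the original page: check that every account the
# LLL server publishes is resolvable on this Mac through the /Search node.
# Assumptions: ldap.lll.lu is a placeholder host name, the server allows an
# anonymous simple bind, and ldapsearch/dscl need the real server to answer.

# uids_from_ldif: read LDIF on stdin, print each "uid:" value once, sorted.
uids_from_ldif() {
    awk '$1 == "uid:" { print $2 }' | sort -u
}

# ldap_uids SERVER BASE: uids of all posixAccount entries under ou=People,BASE,
# fetched over LDAPS (the TLS_* settings in ldap.conf apply here too).
ldap_uids() {
    ldapsearch -x -LLL -H "ldaps://$1" -b "ou=People,$2" \
        '(objectClass=posixAccount)' uid | uids_from_ldif
}

# search_users: the same dscl query the page uses, sorted for comparison.
search_users() {
    dscl localhost list /Search/Users | sort -u
}

# missing_users LDAP_FILE SEARCH_FILE: names in the first sorted list that are
# absent from the second. Empty output means the binding is complete.
missing_users() {
    comm -23 "$1" "$2"
}

# check_binding SERVER BASE: fetch both lists and report the difference.
# Returns 1 if any server account is not visible to the Mac.
check_binding() {
    l=$(mktemp) && s=$(mktemp) || return 1
    ldap_uids "$1" "$2" > "$l"
    search_users > "$s"
    m=$(missing_users "$l" "$s")
    rm -f "$l" "$s"
    if [ -n "$m" ]; then
        echo "on the LDAP server but not resolvable on this Mac:" >&2
        echo "$m" >&2
        return 1
    fi
    echo "all LDAP accounts are resolvable through /Search"
}

# Run with the server name to perform the live check, for example:
#   sh check_binding.sh ldap.lll.lu
if [ -n "${1:-}" ]; then
    check_binding "$1" "dc=lll,dc=lu"
fi
```

If the server refuses anonymous searches, add `-D` and `-W` to the ldapsearch call with a bind DN that may read ou=People. For a single account, `dscl /Search -read /Users/alice` shows the attributes the Mac actually mapped (UniqueID, PrimaryGroupID, NFSHomeDirectory), which is the quickest way to spot a wrong mapping before trying to log in as that user.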