How do I add LDAP authentication for Mac OS X 10.9 & 10.10?

It is possible to configure your client Mac OS X computer to authenticate against the UH LDAP server. Follow the steps below to set up LDAP authentication. This document is limited in scope to accomplishing the authentication process; it does not go into detail about managing these client computers via a Mac Server. This document was written specifically for Mac OS 10.7, aka "Lion".

Note: You should not do this to your own computer unless you want anyone with a UH username and password to have access to your computer. These instructions are generally meant for computer labs of the UH System. This document will not go into detail about how to limit the scope of the authentication process to a specific department or group of users.
  1. Open System Preferences

  2. Select Users & Groups

  3. Click the lock icon at bottom of the window and authenticate with an administrator account to allow changes to be made
     
  4. Select Login Options
     
  5. For "Display login window as:" Name and password
     
  6. Uncheck Show fast user switching
     
  7. Click the Join… button on Network Account Server
     
  8. Click Open Directory Utility…
     
  9. Click the lock icon at bottom of the window and authenticate with an administrator account to allow changes to be made
     
  10. Select LDAPv3 and then click the pencil button
     
  11. Click the arrow next to Show Options
     
  12. Click the New… button
     
  13. Type ldap.hawaii.edu in the Server Name or IP Address text field
     
  14. Make sure Encrypt using SSL, Use for authentication, and Use custom port 636 are checked
     
  15. Click the Manual button
     
  16. Type UH LDAP for Configuration Name, then press the Return key
     
  17. Change LDAP Mappings to Custom
     
  18. For Search Base Suffix, type dc=Hawaii, dc=edu, then click OK
     
  19. Then click the Edit… button
     
  20. On the Connection tab, uncheck Use custom port
     
  21. On the Search & Mappings tab, click the (+) button and add Users
     
  22. You'll also need to add the following under Users:
    Password
    PrimaryGroupID
    RealName
    RecordName
    UniqueID
    UserShell

     
  23. Select Users from the left pane, and in the right pane add inetOrgPerson
     
  24. Select Password from the left pane, and in the right pane add userPassword
     
  25. Select PrimaryGroupID from the left pane, and in the right pane add #5000 or whatever you set it to
     
  26. Select RealName from the left pane, and in the right pane add cn
     
  27. Select RecordName from the left pane, and in the right pane add uid
     
  28. Select UniqueID from the left pane, and in the right pane add uhuuid
     
  29. Select UserShell from the left pane, and in the right pane add #/bin/bash
     
  30. On the Security tab, check Use authentication when connecting and type your Distinguished Name and Password that was provided by the LDAP administrator
     
  31. Click OK
     
  32. Check to Enable the LDAP connection and then click OK
     
  33. Click on Search Policy
     
  34. On the Authentication tab, select Custom path from the Search drop-down box
     
  35. Click the Plus button
     
  36. Select /LDAPv3/ldap.hawaii.edu and click the Add button
     
  37. Click Apply
     
  38. Open Terminal
     
  39. Type sudo su
     
  40. Enter/create your root password
     
  41. Enter the following lines in Terminal:
    • /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string CRAM-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap.hawaii.edu.plist
    • /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string NTLM" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap.hawaii.edu.plist
    • /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string GSSAPI" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap.hawaii.edu.plist
  42. Restart the computer

You should now be able to authenticate via LDAP once Network accounts become available.
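The following script is an added example and is not part of the original article or of Apple's or UH's own tooling. It models two parts of the procedure above so they can be checked offline: the Search & Mappings step (steps 21 to 29), where a mapping value beginning with "#" is a literal constant such as #5000 or #/bin/bash and any other value names an LDAP attribute to read from the entry, and the PlistBuddy step (step 41), where the three commands append to the "Denied SASL Methods" array and will append duplicates if run a second time. Only the key path ':module options:ldap:Denied SASL Methods:' and the mapping values come from the article; the mapping dictionary layout, the sample LDAP entry and the function names are constructed for this example and do not reproduce the real layout of the OpenDirectory plist.

```python
"""Offline model of the LDAPv3 mapping and 'Denied SASL Methods' steps.

Constructed for illustration; it reads and writes the plist format with
plistlib so the denied-method list can be verified after it is written.
"""
import plistlib

# The three SASL methods the article's PlistBuddy commands deny.
REQUIRED_DENIED_SASL = ("CRAM-MD5", "NTLM", "GSSAPI")

# Record attribute -> LDAP attribute, or '#literal' for a constant (steps 24-29).
USER_MAPPING = {
    "Password": "userPassword",
    "PrimaryGroupID": "#5000",
    "RealName": "cn",
    "RecordName": "uid",
    "UniqueID": "uhuuid",
    "UserShell": "#/bin/bash",
}

# Constructed sample entry; not a real UH account.
SAMPLE_LDAP_ENTRY = {
    "uid": ["jdoe"],
    "cn": ["Jane Doe"],
    "uhuuid": ["123456"],
    "userPassword": ["{SSHA}examplehashvalue"],
}


def resolve_user_record(ldap_entry, mapping=USER_MAPPING):
    """Turn one LDAP entry (attribute -> list of values) into the local user record.

    A '#' prefix means the value is a constant; otherwise the named LDAP
    attribute is copied. A missing attribute raises KeyError, because the
    login window cannot build a usable account from a partial record.
    """
    record = {}
    for local_attr, source in mapping.items():
        if source.startswith("#"):
            record[local_attr] = [source[1:]]  # literal constant, '#' stripped
        else:
            values = ldap_entry.get(source)
            if values is None:
                raise KeyError(f"entry lacks {source!r}, needed for {local_attr}")
            record[local_attr] = list(values)
    return record


def _denied_list(config, create):
    """Walk 'module options' -> 'ldap' -> 'Denied SASL Methods'."""
    if create:
        return (config.setdefault("module options", {})
                      .setdefault("ldap", {})
                      .setdefault("Denied SASL Methods", []))
    return (config.get("module options", {})
                  .get("ldap", {})
                  .get("Denied SASL Methods", []))


def ensure_denied_sasl_methods(config, methods=REQUIRED_DENIED_SASL):
    """Idempotent equivalent of the three PlistBuddy 'add' commands.

    Returns the methods that were actually appended; running it twice
    appends nothing the second time, unlike repeating the raw commands.
    """
    denied = _denied_list(config, create=True)
    added = [m for m in methods if m not in denied]
    denied.extend(added)
    return added


def audit_denied_sasl_methods(config, methods=REQUIRED_DENIED_SASL):
    """Return the required methods still missing; an empty list means all denied."""
    denied = _denied_list(config, create=False)
    return [m for m in methods if m not in denied]


def roundtrip(config):
    """Serialize to XML plist bytes (the format PlistBuddy edits) and parse back."""
    return plistlib.loads(plistlib.dumps(config, fmt=plistlib.FMT_XML))


if __name__ == "__main__":
    print(resolve_user_record(SAMPLE_LDAP_ENTRY))
    cfg = {}
    print(ensure_denied_sasl_methods(cfg))          # first run adds all three
    print(ensure_denied_sasl_methods(cfg))          # second run adds nothing
    print(audit_denied_sasl_methods(roundtrip(cfg)))  # nothing missing
```

The audit function is the useful part after step 42: run against the parsed plist it tells you which of the weaker SASL methods are still permitted, which is what step 41 is meant to prevent before the client falls back to them instead of the SSL-protected bind on port 636.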

Article ID: 1625
Created: Fri, 07 Nov 2014 3:49pm
Modified: Mon, 09 Feb 2015 3:46pm