How do I add LDAP authentication for Mac OS X 10.11 & newer?

It is possible to configure your client Mac OS X computer to authenticate against the UH LDAP server. Follow the steps below to set up LDAP authentication. This document is limited in scope to accomplishing the authentication process. It does not go into detail about managing these client computers via a Mac Server.

Note: You should not do this to your own computer unless you want anyone with a UH username and password to have access to your computer. These instructions are generally meant for computer labs of the UH System. This document will not go into detail about how to limit the scope of the authentication process to a specific department or group of users.

Before proceeding, make sure that your Users & Groups are configured in System Preferences.

  1. Open System Preferences
  2. Select Users & Groups
  3. Click the lock icon at bottom of the window and authenticate with an administrator account to allow changes to be made
  4. Select Login Options
  5. For "Display login window as:", select Name and password
  6. Uncheck Show fast user switching
  7. Click the Join… button on Network Account Server
  8. Click Open Directory Utility…
  9. Click the lock icon at bottom of the window and authenticate with an administrator account to allow changes to be made
  10. Select LDAPv3 and then click the pencil button
  11. Click the arrow next to Show Options
  12. Click the New… button
  13. Type ldap.hawaii.edu in the Server Name or IP Address text field
  14. Make sure Encrypt using SSL and Use for authentication are checked
  15. Click the Manual button
  16. Click Edit
  17. Type ldap.hawaii.edu for Configuration Name
  18. Uncheck Use custom port
  19. Click Search & Mappings
  20. On the Search & Mappings tab, click the (+) button and add Users
  21. For Search Base Suffix, type dc=Hawaii, dc=edu
  22. You'll also need to add the following under Users:
    • Password
    • PrimaryGroupID
    • RealName
    • RecordName
    • UniqueID
    • UserShell
  23. Select Users from the left pane, and in the right pane add inetOrgPerson
  24. Select Password from the left pane, and in the right pane add userPassword
  25. Select PrimaryGroupID from the left pane, and in the right pane add #YourGroupIDNum. This should be the same as your MacOS Group ID number.
  26. Select RealName from the left pane, and in the right pane add cn
  27. Select RecordName from the left pane, and in the right pane add uid
  28. Select UniqueID from the left pane, and in the right pane add uhuuid
  29. Select UserShell from the left pane, and in the right pane add #/bin/bash
  30. On the Security tab, check Use authentication when connecting and type the Distinguished Name and Password that were provided by the LDAP administrator
  31. Click OK
  32. On the Directory Utility click OK
  33. Click on Search Policy
  34. Click the (+) button on the Authentication tab
  35. Select /LDAPv3/ldap.hawaii.edu and click the Add button
  36. Click Apply
  37. Open Terminal
  38. Type sudo su
  39. Enter/create your root password
  40. Type vi /etc/openldap/ldap.conf
  41. Change "TLS_REQCERT    demand" to "TLS_REQCERT   never" and save the file.
  42. Type vi /etc/openldap/ldap.conf.default
  43. Change "TLS_REQCERT    demand" to "TLS_REQCERT   never" and save the file.
  44. Enter the following lines in Terminal:
    • /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string CRAM-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap.hawaii.edu.plist
    • /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string NTLM" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap.hawaii.edu.plist
    • /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string GSSAPI" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap.hawaii.edu.plist
  45. Make sure that your ldap.hawaii.edu.plist is in XML format.
  46. Restart the computer


You should now be able to authenticate via LDAP once Network accounts become available.
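As an added check that is not part of the original article: a small Python audit of the end state of steps 41 to 45, run against constructed sample data standing in for the real ldap.conf and ldap.hawaii.edu.plist. It confirms the plist is in XML format and denies all three SASL methods from step 44, and it also flags TLS_REQCERT never, since that value stops the OpenLDAP client from verifying the server's TLS certificate (OpenLDAP's default is demand).

```python
import plistlib
import re

# Constructed sample standing in for the real OpenDirectory plist: the nested
# dict that step 44's key path ':module options:ldap:Denied SASL Methods' refers to.
def sample_plist(methods, binary=False) -> bytes:
    fmt = plistlib.FMT_BINARY if binary else plistlib.FMT_XML
    tree = {"module options": {"ldap": {"Denied SASL Methods": list(methods)}}}
    return plistlib.dumps(tree, fmt=fmt)

REQUIRED_DENIED = {"CRAM-MD5", "NTLM", "GSSAPI"}  # the three methods from step 44

def is_xml_plist(raw: bytes) -> bool:
    """Step 45 check: an XML plist opens with an XML declaration, a binary one with 'bplist'."""
    return raw.lstrip().startswith(b"<?xml")

def denied_sasl_methods(raw: bytes) -> set:
    """Walk the same key path PlistBuddy wrote; plistlib autodetects XML vs binary."""
    data = plistlib.loads(raw)
    return set(data.get("module options", {}).get("ldap", {}).get("Denied SASL Methods", []))

def missing_denied_methods(raw: bytes) -> set:
    return REQUIRED_DENIED - denied_sasl_methods(raw)

def tls_reqcert(conf_text: str) -> str:
    """Return the effective TLS_REQCERT value from ldap.conf text ('demand' when unset)."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*TLS_REQCERT\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return "demand"

def audit(plist_raw: bytes, conf_text: str) -> list:
    """Findings against the article's end state; an empty list means the plist is XML,
    all three SASL methods are denied, and ldap.conf still verifies the server certificate."""
    findings = []
    if not is_xml_plist(plist_raw):
        findings.append("plist is not XML; convert it with: plutil -convert xml1 <file>")
    missing = missing_denied_methods(plist_raw)
    if missing:
        findings.append("Denied SASL Methods is missing: " + ", ".join(sorted(missing)))
    value = tls_reqcert(conf_text)
    if value != "demand":
        findings.append(f"TLS_REQCERT is '{value}': the server's TLS certificate is not verified")
    return findings

if __name__ == "__main__":
    conf = "# OpenLDAP client defaults\nTLS_REQCERT   never\n"  # constructed, as after step 41
    for finding in audit(sample_plist(["CRAM-MD5", "NTLM"], binary=True), conf):
        print("FINDING:", finding)
```

On a lab machine, pass the bytes of the real plist and the text of /etc/openldap/ldap.conf to audit() instead of the constructed samples.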

Article ID: 1731
Created: Wed, 29 Mar 2017 3:08pm
Modified: Thu, 30 Mar 2017 11:17am