
Mac OS X & UH LDAP

Overview

It is possible to configure a client Mac OS X computer to authenticate against the UH LDAP server. This document walks through the steps needed to do that. It is limited in scope to the authentication setup itself; it does not cover managing these client computers from a Mac OS X Server. It was written specifically for Mac OS X 10.3.8 (Panther).

Note: do not do this to your own computer unless you want anyone with a UH username and password to be able to log in to it. These instructions are meant for computer labs of the UH System. This document does not cover how to limit logins to a specific department or group of users.

Configuring Client

  1. On the client computer, navigate to the Directory Access application, located in the Utilities folder in the Applications folder.

  2. Double click Directory Access to open the application.

  3. If everything is grayed out, as in the sample below, click on the padlock in the lower left corner and enter the administrator account and password.

  4. After authenticating, on the Services tab make sure the Enable box next to LDAPv3 is checked, click LDAPv3 once to select it, and then click the Configure button.

  5. Make sure the Use DHCP-supplied LDAP Server check box is UNCHECKED. Then click the down arrow next to Show Options.

  6. Click the New button, enter UH LDAP for the Configuration Name and ldap.hawaii.edu for the Server Name or IP Address, check the SSL box (so the connection uses port 636 instead of clear-text LDAP on port 389), and then choose RFC 2307 (Unix) for LDAP Mappings.

  7. After you select RFC 2307 (Unix) for LDAP Mappings, a sheet opens prompting for the Search Base Suffix. Enter ou=People,dc=hawaii,dc=edu and click OK.

  8. Click the Edit button. On the Connection tab there is a check box labelled Use authentication when connecting, which makes the client bind to the directory with a fixed DN and password instead of anonymously. You DO NOT need to enable this UNLESS students must be able to log in against the UH LDAP. If you do need student logins, check the box and enter the special DN and password issued to you by the UH LDAP administrator. That DN and password are stored on the client computer, so treat them as a shared secret: anyone with administrator access to the lab machine can recover them.

  9. Click the Search & Mappings tab at the top right of the window. Click the down arrow next to Users, then click UniqueID once to select it. On the right side of the window, double-click uidNumber, delete it, and enter uhuuid. This maps the Unix UID of each account to the uhuuid attribute of the UH LDAP entry rather than to the RFC 2307 default, uidNumber.

  10. Leave the other fields with their default values. Click on the OK button. Click on the OK button in the next window, and you should be returned to the main Directory Access window.

  11. Click on the Authentication tab located at the top-middle of the window.

  12. In the Search box, change the option from Automatic to Custom.

  13. Click the Add button, choose /LDAPv3/ldap.hawaii.edu from the list, and click Add to put the LDAP directory on your search path. Your window should look similar to the one below when completed.

  14. Click on the Apply button to save your changes, quit Directory Access, and restart the computer for the changes to take effect.

  15. That's it, your client computer should now authenticate against the UH LDAP directory.
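The steps above are all point-and-click, which leaves no way to confirm from a script that a lab machine actually ended up with the right settings. The following is an added example, not a script from the UH ITS page: a small POSIX shell script that checks the three things the procedure depends on, namely that the server returns a numeric uhuuid for a user (step 9), that the search policy is Custom with /LDAPv3/ldap.hawaii.edu on it (steps 12 and 13), and that `id` resolves the user to that UID after the restart. It assumes OpenLDAP's `ldapsearch` and Apple's `dscl` are on the PATH and that `dscl /Search -read /` reports the search policy as a `SearchPolicy`/`CSPSearchPath` pair (both assumptions, not something the page states); the LDIF and dscl samples embedded below are constructed, not real UH data.

```shell
#!/bin/sh
# Check a client's UH LDAP setup from the command line.  Added example, not a
# script from the UH ITS page.  Assumes ldapsearch (OpenLDAP) and dscl (Apple)
# are on the PATH; the sample text below is constructed for the offline demo.

LDAP_URI="ldaps://ldap.hawaii.edu"        # SSL transport, step 6
BASE_DN="ou=People,dc=hawaii,dc=edu"      # search base, step 7
SEARCH_NODE="/LDAPv3/ldap.hawaii.edu"     # node added to the search path, step 13

# Escape a value for use inside an LDAP search filter (RFC 4515), so a
# username such as "jdoe)(uid=*" cannot widen the search to other entries.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Validate one LDIF entry as printed by ldapsearch -LLL.  Directory Access maps
# UniqueID to uhuuid (step 9), so the entry must carry exactly one uhuuid and
# it must be an integer; otherwise the user has no usable Unix UID.
check_uhuuid_entry() {
    uhuuid_count=$(printf '%s\n' "$1" | grep -c '^uhuuid: ' || true)
    if [ "$uhuuid_count" -ne 1 ]; then
        echo "FAIL: expected one uhuuid attribute, found $uhuuid_count" >&2
        return 1
    fi
    uhuuid_value=$(printf '%s\n' "$1" | sed -n 's/^uhuuid: *//p')
    case "$uhuuid_value" in
        ''|*[!0-9]*) echo "FAIL: uhuuid '$uhuuid_value' is not numeric" >&2; return 1 ;;
    esac
    echo "OK: uhuuid=$uhuuid_value"
}

# Validate the search-path text from `dscl /Search -read /` (attribute names
# are an assumption).  The policy must be Custom (step 12) and the UH node must
# be on it (step 13).
check_search_path() {
    printf '%s\n' "$1" | grep -q 'SearchPolicy: *dsAttrTypeStandard:CSPSearchPath' || {
        echo "FAIL: search policy is not Custom (step 12)" >&2; return 1; }
    printf '%s\n' "$1" | grep -q "$SEARCH_NODE" || {
        echo "FAIL: $SEARCH_NODE is not on the search path (step 13)" >&2; return 1; }
    echo "OK: custom search path includes $SEARCH_NODE"
}

# Live check of one user: anonymous simple bind over SSL, then the local
# resolver.  Add -D "<special DN>" -W to ldapsearch if step 8 applies to you.
live_check() {
    safe_user=$(ldap_filter_escape "$1")
    entry=$(ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" "(uid=$safe_user)" uhuuid)
    check_uhuuid_entry "$entry" || return 1
    check_search_path "$(dscl /Search -read /)" || return 1
    expected_uid=$(printf '%s\n' "$entry" | sed -n 's/^uhuuid: *//p')
    actual_uid=$(id -u "$1" 2>/dev/null || true)
    if [ "$actual_uid" != "$expected_uid" ]; then
        echo "FAIL: id -u $1 gives '$actual_uid', LDAP says $expected_uid (restarted yet?)" >&2
        return 1
    fi
    echo "OK: $1 resolves to UID $expected_uid via $SEARCH_NODE"
}

# Constructed samples for the offline demonstration (illustrative values only).
SAMPLE_ENTRY='dn: uid=jdoe,ou=People,dc=hawaii,dc=edu
uid: jdoe
uhuuid: 12345678'
SAMPLE_NO_UID='dn: uid=jdoe,ou=People,dc=hawaii,dc=edu
uid: jdoe'
SAMPLE_BAD_UID='dn: uid=jdoe,ou=People,dc=hawaii,dc=edu
uhuuid: 12ab'
SAMPLE_SEARCH='SearchPolicy: dsAttrTypeStandard:CSPSearchPath
CSPSearchPath: /NetInfo/root /LDAPv3/ldap.hawaii.edu'
SAMPLE_AUTO='SearchPolicy: dsAttrTypeStandard:NSPSearchPath
NSPSearchPath: /NetInfo/root'

if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    live_check "$2"
else
    # Offline demonstration: good samples pass, the broken ones are rejected.
    check_uhuuid_entry "$SAMPLE_ENTRY"
    check_search_path "$SAMPLE_SEARCH"
    if check_uhuuid_entry "$SAMPLE_NO_UID" 2>/dev/null; then echo "unexpected pass"; fi
    if check_uhuuid_entry "$SAMPLE_BAD_UID" 2>/dev/null; then echo "unexpected pass"; fi
    if check_search_path "$SAMPLE_AUTO" 2>/dev/null; then echo "unexpected pass"; fi
fi
```

Run it with no arguments to exercise the constructed samples, or as `sh check-uhldap.sh --live jdoe` on a configured client after the restart in step 14. Note that the SSL box in step 6 only protects the connection from eavesdropping; `ldapsearch` verifies the server's certificate only when `TLS_REQCERT demand` and a `TLS_CACERT` covering the server's issuer are set in ldap.conf, so set those before trusting a passing live check.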

Some Notes

  • With the release of Mac OS X 10.3.9, some users have experienced problems with LDAP authentication. Test the latest Mac OS X release before rolling it out to all of your clients, and test each Apple security update on one machine before applying it to all of them.

  • If you also want to use a Mac OS X Server to manage your clients, you will need to add it to the list of directories on the Authentication tab of Directory Access.

  • Make sure the DHCP-supplied LDAP server option is disabled, as described in step 5. With it enabled, the client trusts whatever LDAP server address it receives in DHCP option 95, so a rogue DHCP server on the lab network could point every client at an attacker-controlled directory and decide who may log in and with what UID.

  • We noticed in testing that if a special DN and password are not entered as stated in step 8, then once the user is authenticated they are shown a console prompt asking for a login. Basically, the user gets only a command-line interface, as opposed to Apple's graphical user interface. In addition, in testing, one cannot use a UH username and password at this second prompt.