Configuring Mac OS X LDAP Authorization for Tiger (Mac OS X 10.4.x)

This document details the steps required to configure Mac OS X LDAP authorization. It does not describe why you would want to do so, or how to test that you've performed this configuration properly. For that, you should read the document Authenticating and Authorizing Mac OS X Users.

These are the instructions for configuring Mac OS X for LDAP authorization under Tiger (Mac OS X 10.4.x). If you are running Leopard (Mac OS X 10.5.x), you should use the Mac OS X LDAP Authorization Setup for Leopard (Mac OS X 10.5.x) document.

Steps to configure Mac OS X LDAP Authorization

Launch '/Applications/Utilities/Directory Access'.

If the padlock in the lower left of the Directory Access window is locked, click it so you are permitted to make configuration changes. Authenticate with the administrator's username and password. Anytime throughout these instructions, authenticate with the admin username and password if requested to do so.
Deactivate all services except LDAPv3 and Bonjour (which can't be turned off):
1. Click the Services tab
2. Uncheck all checkboxes EXCEPT LDAPv3
3. Select (click) the LDAPv3 line
4. Click the Configure... button
Get ready to manually add an LDAP server:
1. Uncheck 'Add DHCP-supplied LDAP servers'
2. Click the 'Show Options' button until it says 'hide options'
3. Click the 'New...' button
Click the 'Manual' button.
Begin configuration of PSU LDAP entry:
1. Verify that the Enabled checkbox in checked on
2. Enter the Configuration Name: PSU LDAP
3. Enter the Server Name: ldap.psu.edu
4. Uncheck the 'SSL' checkbox
5. Click the 'Edit...' button
Click the Connection tab to configure 'Connection' settings as follows:
1. Open/Close times out in: 10 seconds
2. Query times out in: 10 seconds
3. Re-bind attempted in: 10 seconds
4. Connection idles out in: 2 minutes
5. Encrypt using SSL: NOT checked
6. Use custom port (389): NOT checked
7. Ignore server referrals: NOT checked
8. Use LDAPv2 (read Only): NOT checked
Click the 'Search & Mappings' button.
Configure the 'Search & Mapping' settings:
1. Access this LDAP server using: CUSTOM
2. In the left pane, select (click) 'Default Attribute Types'
3. Click the 'Add...' button that is located under the left pane (Record Types and Attributes)
Add the 'RecordName' attribute:
1. Click the 'Attribute Types' radio button
2. Scroll down and select (click) 'RecordName'
3. Click the 'OK' button to add this Attribute Type
Set the value that 'RecordName' maps to:
1. Select (click) the 'RecordName' attribute you just added
2. Click the 'Add...' button that is located under the right pane (Map to 'any' items in list)
3. In the box that appears, type 'uid' (without the quotes).
  Clicking outside of the text area sets the value.
Prepare to add a 'Users' record.
Click the 'Add...' button under the left pane (Record Types and Attributes)
Add a 'Users' record:
1. Click the 'Record Types' radio button
2. Scroll down and select (click) 'Users'
3. Click the 'OK' button to add this Record Type
Set the value that 'Users' maps to:
1. Select (click) the 'Users' record type you just added
2. Click the 'Add...' button that is located under the right pane (Map to 'any' items in list)
3. In the box that appears, type 'inetOrgPerson'
Set the Search base for the 'Users' record type:
1. Search base: dc=PSU,dc=EDU
2. Search In: all subtrees
Add various attributes to the 'Users' Record.
Click the 'Add...' button under the left pane (Record Types and Attributes)
Add the various attributes:
1. Click the 'Attribute Types' radio button
2. Scroll down and select (click) 'AuthenticationAuthority'
3. Scroll down and also select (command-click) 'NFSHomeDirectory'
4. Scroll down and also select (command-click) 'PrimaryGroupID'
5. Scroll down and also select (command-click) 'RealName' and 'RecordName'
6. Scroll down and also select (command-click) 'UniqueID' and 'UserShell'
7. Click the 'OK' button to add these attributes
Set the values for the seven attributes just added.
Use the same technique used to set the value for 'RecordName' in Section K.
1. Set AuthenticationAuthority to: #;Kerberosv5;;$uid$;DCE.PSU.EDU
  Note: the image below chops off the right side of the AuthenticationAuthority value.
2. Set NFSHomeDirectory to: #/Users/guest
3. Set PrimaryGroupID to: #5000
4. Set RealName to: cn
5. Set RecordName to: uid
6. Set UniqueID to: psuidnumber
7. Set UserShell to: #/bin/bash
Click the 'OK' button to save the configuration of the PSU LDAP server.
Click the 'OK' button to save the configuration of the LDAPv3 service.
Add the LDAPv3 service to the locations used to search for user authentication information:
1. Click the Authentication Tab
2. Change the 'Search:' popup menu to: Custom Path
3. Click the 'Add...' button
Select (click) the /LDAPv3/ldap.psu.edu item.
Click the 'Add' button.
Click the Apply button to save the changes you've made to Directory Access.
Quit Directory Access.
Restart the Mac to activate the LDAP changes.

As stated above, please refer to the document Authenticating and Authorizing Mac OS X Users to see how you might take advantage of LDAP authorization under Mac OS X.

© 2009, The Pennsylvania State University. All rights reserved.
This site maintained by the Classroom and Lab Computing group of Information Technology Services.
Suggestions and comments about this web site: CLC Webmasters; Other contacts here.

This page was last modified: 11/28/2007 6:54:58 PM.