Configuring Mac OS X LDAP Authorization for Leopard (Mac OS X 10.5.x) and Snow Leopard (Mac OS X 10.6.x)

This document details the steps required to configure Mac OS X LDAP authorization. It does not describe why you would want to do so, or how to test that you've performed this configuration properly. For that, you should read the document Authenticating and Authorizing Mac OS X Users.

These are the instructions for configuring Mac OS X for LDAP authorization under Leopard (Mac OS X 10.5.x), Snow Leopard (Mac OS X 10.6.x), and Lion (OS X 10.7.2+). If you are running Tiger (Mac OS X 10.4.x), you should use the Mac OS X LDAP Authorization Setup for Tiger (Mac OS X 10.4.x) document.

Steps to configure Mac OS X LDAP Authorization


  1. Launch '/System/Library/CoreServices/Directory Utility.app':


  2. Click the 'Show Advanced Settings' button.


  3. If the padlock in the lower left of the Directory Utility window is locked, click it so you are permitted to make configuration changes. Authenticate with the administrator's username and password. Anytime throughout these instructions, authenticate with the admin username and password if requested to do so.


  4. Click the 'Services' icon.


  5. Activate the LDAPv3 service.
    1. Verify that the LDAPv3 checkbox is checked
    2. Select (click) the LDAPv3 line
    3. Click the Pencil icon


  6. Get ready to manually add an LDAP server:
    1. Uncheck 'Add DHCP-supplied LDAP servers'
    2. Click the 'Show Options' button until it says 'Hide Options'


  7. Add an LDAP server:
    1. Click the 'New...' button


  8. Click the 'Manual' button.


  9. Begin configuration of PSU LDAP entry:
    1. Verify that the 'Enabled' checkbox is checked
    2. Enter the Configuration Name: PSU LDAP
    3. Enter the Server Name: dirapps.aset.psu.edu
    4. Uncheck the 'SSL' checkbox
    5. Click the 'Edit...' button


  10. Click the Connection tab to configure 'Connection' settings as follows:
    1. Open/Close times out in: 10 seconds
    2. Query times out in: 10 seconds
    3. Re-bind attempted in: 10 seconds
    4. Connection idles out in: 2 minutes
    5. Encrypt using SSL: NOT checked for 10.6 and earlier, CHECKED for 10.7 and 10.8
    6. Use custom port (389): NOT checked for 10.6 and earlier, CHECKED for 10.7 and 10.8 and set to "636"
      1. For 10.7 and later read our documentation on the security requirement to configure LDAP for SSL.
    7. Ignore server referrals: NOT checked
    8. Use LDAPv2 (read only): NOT checked


  11. Click the 'Search & Mappings' button.


  12. Configure the 'Search & Mapping' settings:
    NOTE: Adding the "RecordName" attribute (Steps 12-14) does not currently work in OS X Lion (10.7.2) and Mountain Lion (10.8.0). It is not needed for authorization on OS X Lion or OS X Mountain Lion. Directory Utility will allow you to add it, but does not save it when completing the setup.
    1. Access this LDAP server using: CUSTOM
    2. In the left pane, select (click) 'Default Attribute Types'
    3. Click the 'Add...' button that is located under the left pane (Record Types and Attributes)


  13. Add the 'RecordName' attribute:
    1. Click the 'Attribute Types' radio button
    2. Scroll down and select (click) 'RecordName'
    3. Click the 'OK' button to add this Attribute Type


  14. Set the value that 'RecordName' maps to:
    1. Select (click) the 'RecordName' attribute you just added
    2. Click the 'Add...' button that is located under the right pane (Map to 'any' items in list)

    3. In the box that appears, type 'uid' (without the quotes).
      Clicking outside of the text area sets the value.


  15. Prepare to add a 'Users' record.
    Click the 'Add...' button under the left pane (Record Types and Attributes)


  16. Add a 'Users' record:
    1. Click the 'Record Types' radio button
    2. Scroll down and select (click) 'Users'
    3. Click the 'OK' button to add this Record Type


  17. Set the value that the 'Users' record type maps to:
    1. Select (click) the 'Users' record type you just added
    2. Click the 'Add...' button that is located under the right pane (Map to 'any' items in list)

    3. In the box that appears, type 'inetOrgPerson' (without the quotes).
      Clicking outside of the text area sets the value.


  18. Set the Search base for the 'Users' record type:
    1. Search base: dc=PSU,dc=EDU
    2. Search In: all subtrees


  19. Add various attributes to the 'Users' Record.
    Click the 'Add...' button under the left pane (Record Types and Attributes)


  20. Add the various attributes:
    1. Click the 'Attribute Types' radio button
    2. Scroll down and select (click) 'AuthenticationAuthority'

    3. Scroll down and also select (command-click) 'NFSHomeDirectory'

    4. Scroll down and also select (command-click) 'PrimaryGroupID'

    5. Scroll down and also select (command-click) 'RealName' and 'RecordName'

    6. Scroll down and also select (command-click) 'UniqueID' and 'UserShell'
      Click the 'OK' button to add these attributes


  21. Set the values for the seven attributes just added.
    Use the same technique used to set the value for 'RecordName' in step 14.
    1. Set AuthenticationAuthority to: uid

    2. Set NFSHomeDirectory to: #/Users/psuguest

      NOTE: If you would like every user to have their own unique home folder, change the NFSHomeDirectory attribute in step 21.2 to "#/Users/$uid$". This will create a new home folder for every user who logs in. Beware: these home folders will not be removed at login, logout or reboot. You will have to remove the home directories manually or by script.

    3. Set PrimaryGroupID to: #5000

    4. Set RealName to: cn

    5. Set RecordName to: uid

    6. Set UniqueID to: uidNumber
      NOTE: For OS X Mountain Lion (10.8.x), the UniqueID entry is case sensitive to the LDAP attribute. Enter "uidNumber" in the right pane.

    7. Set UserShell to: #/bin/bash

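As an added illustration (not part of the original instructions and not Apple's code), the Python below models how the mappings entered in steps 14-21 turn one LDAP entry into an OS X user record. The literal-value '#' prefix, the '$uid$' substitution and the 10.8 case-sensitivity note are taken from this page; the sample LDAP entry, the simplified lookup rules and the list of required attributes are assumptions.

```python
"""Model of the Directory Utility attribute mappings from steps 14-21.
Assumed semantics (from this page): a mapping value starting with '#'
is a literal; '$attr$' inside a literal is replaced by that LDAP
attribute; any other value names an LDAP attribute to copy."""
import re

USERS_OBJECT_CLASS = "inetOrgPerson"      # step 17: 'Users' maps to this class

# Mapping exactly as entered in steps 14 and 21 of this page.
USERS_MAPPING = {
    "RecordName": "uid",
    "AuthenticationAuthority": "uid",
    "NFSHomeDirectory": "#/Users/psuguest",
    "PrimaryGroupID": "#5000",
    "RealName": "cn",
    "UniqueID": "uidNumber",
    "UserShell": "#/bin/bash",
}

# Constructed sample LDAP entry; not a real directory record.
SAMPLE_ENTRY = {
    "objectClass": ["inetOrgPerson"],
    "uid": ["abc123"],
    "cn": ["Sample User"],
    "uidNumber": ["12345"],
}

def is_users_record(entry):
    """Entry belongs to the 'Users' record type (step 17)."""
    return USERS_OBJECT_CLASS in entry.get("objectClass", [])

def lookup(entry, attr, case_sensitive):
    """First value of an LDAP attribute, or None if absent. 10.8 matches
    names case-sensitively (step 21 note); earlier releases are modelled
    here as case-insensitive (assumption)."""
    if case_sensitive:
        values = entry.get(attr)
    else:
        values = next((v for k, v in entry.items()
                       if k.lower() == attr.lower()), None)
    return values[0] if values else None

def resolve(mapping, entry, case_sensitive=True):
    """Build the OS X user record for one LDAP entry."""
    record = {}
    for od_attr, target in mapping.items():
        if target.startswith("#"):       # literal, with $attr$ substitution
            record[od_attr] = re.sub(
                r"\$(\w+)\$",
                lambda m: lookup(entry, m.group(1), case_sensitive) or "",
                target[1:])
        else:                            # copy the named LDAP attribute
            record[od_attr] = lookup(entry, target, case_sensitive)
    return record

def missing_required(record):
    """Mapped attributes a login needs that resolved to nothing (assumed list)."""
    needed = ("RecordName", "UniqueID", "NFSHomeDirectory", "UserShell")
    return [k for k in needed if not record.get(k)]
```

Running `resolve` with "UniqueID" typed as "uidnumber" shows why the 10.8 note matters: the case-sensitive lookup returns no UniqueID, and `missing_required` flags the record.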

  22. Configure the 'Security' settings:
    1. Click the 'Security' tab
    2. Set the 'Access to Directory' settings:
      • Use authentication when connecting: NOT checked
      • Distinguished Name: BLANK
      • Password: BLANK
    3. Set the 'Security Policy' settings:
      • Disable clear text passwords: NOT checked
      • Digitally sign all packets (requires Kerberos): NOT checked
      • Encrypt all packets (requires SSL or Kerberos): NOT checked
      • Block man-in-the-middle attacks (requires Kerberos): NOT checked

    Note: 'Disable clear text passwords' does not refer to the users' Kerberos passwords being sent in the clear. It refers to the LDAP password (from the 'Access to Directory' section in the top half of this window). We don't use an LDAP password, since we do an unauthenticated bind to LDAP to obtain user credentials. But for at least some versions of 10.5.x and some versions of our LDAP servers, it is critical that you verify that the 'Disable clear text passwords' box is NOT checked.


  23. Click the 'OK' button to save the configuration of the PSU LDAP server.


  24. Click the 'OK' button to save the configuration of the LDAP services.


  25. Add the LDAPv3 service to the locations used to search for user authentication information:
    1. Click the Search Policy icon.


  26. Add the LDAPv3 service to the locations used to search for user authentication information:
    1. Change the 'Search:' popup menu to: Custom Path
    2. Click the '+' icon


  27. Add the PSU LDAP directory domain to the search policy:
    1. Select (click) the /LDAPv3/dirapps.aset.psu.edu item.
    2. Click the 'Add' button.


  28. Click th