LDAP directory mappings
Requirements
Mac OS X 10.2 and higher
Notes
Alternatively, you can use Apple’s Active Directory plug-in. This guide was created using Mac OS X 10.2 for our 2003 setup. The process has stayed the same for our 2005 setup, with the addition of the GID being mapped to telephoneNumber.
Apple made it easy to authenticate to other LDAP-based directory servers with a little plug-in called LDAPv3. This is how to get the server (or Mac OS X CLIENT) to grab its user list from Active Directory, which in turn will enable you to add users to Macintosh Manager. Following is a step-by-step guide for setting up the LDAP plug-in.
First open Directory Access which is located in /Applications/Utilities. You may need to click the lock and enter your username and password on the local machine to make changes.
Highlight LDAPv3 and click Configure. This is where you enter the location of the Active Directory server. Name the configuration, put in the AD’s IP address or DNS name, then under “LDAP Mappings” make sure you choose Active Directory from the pull-down menu.
Next, a window will pop up asking for a “Search Base Suffix”. Now what’s this? It’s just the Windows 2000 domain, in full. The domain at our site is simply “WHS”, so I would enter DC=WHS. But most Windows 2000 configurations would have something on the end, such as a .com. Enter your domain name here.
The configuration now needs editing. Click Edit. Under the “Connection” tab, enter a user name and password combination to allow Mac OS X to query AD. Any user will do. I’ve made a normal user called LDAP with a password on my Active Directory. Tick “Use authentication when connecting” and in the “Distinguished Name:” field, enter “CN=USER_NAME,CN=Users,DC=YOURDOMAIN”, USER_NAME being a user in your AD, and YOURDOMAIN being the information you typed in just before under the Search Base Suffix.
Just a quick note: CN=Users is where the user is kept in AD. If it is kept in an Organisational Unit you would need to replace the CN with OU. More discussion a little down the track.
Now on to the “Search & Mappings” tab. This is where you set up how Mac OS X looks for information in Active Directory. Let’s look at the “Users” entry first. Click on it, and you’ll notice under “Search Base” is CN=Users, DC=YOURDOMAIN, DC=com, DC=au. You need to modify this to where all of your users are kept in the AD. If they all live in the container Users, then just leave it as it is; otherwise, input the location where the users are stored in the AD.
Note: the LDAPv3 plug-in will only query one search base per server. This isn’t good if your users are organised in the AD (as was our case) in the organisational units Staff and Students in the root of the AD. To get around this, we created an OU “AllUsers” that contains the OUs Staff and Students.
Now click the arrow next to “Users” to expand it. You need to change the mappings for the following:
RecordName needs sAMAccountName added, and cn removed.
UniqueID needs postalCode added.
RealName needs to have cn removed and sAMAccountName added (this is because when logging on, Mac OS uses the full name, which will cause problems when connecting to the home directory located on the Windows 2000 server).
HomeDirectory needs homeDirectory removed, and replaced with streetAddress.
NFSHomeDirectory needs userSharedFolderOther removed, and “info” added.
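Because the mappings above reuse free-text AD attributes (postalCode, streetAddress, info, and telephoneNumber for the GID mentioned in the notes) as numeric IDs and paths, it is worth checking what each account will actually resolve to before users start logging in. The following is an added example, not part of the original guide or of Apple’s plug-in: it parses a small LDIF dump in the format ldapsearch prints (the three entries below are constructed sample data, not a real directory), applies the guide’s mapping table to each entry, and reports empty fields, non-numeric UniqueIDs, and two accounts sharing a UniqueID, which would let each see the other’s files.

```python
"""Apply the LDAPv3 -> Active Directory attribute mappings from this guide
to sample user entries and sanity-check the result.

Added example, not part of the original guide. The mapping table follows
the guide; the sample entries are constructed, not real directory data.
"""
from collections import Counter

# Mac OS X record attribute -> AD attribute, as set up in the guide.
# PrimaryGroupID <- telephoneNumber is the 2005 addition from the notes.
MAPPINGS = {
    "RecordName": "sAMAccountName",
    "RealName": "sAMAccountName",
    "UniqueID": "postalCode",
    "PrimaryGroupID": "telephoneNumber",
    "HomeDirectory": "streetAddress",
    "NFSHomeDirectory": "info",
}


def parse_ldif(text):
    """Parse a minimal LDIF dump (as printed by ldapsearch) into a list of
    dicts keyed by attribute name. Folded lines (leading space) are joined;
    for multi-valued attributes only the first value is kept, which is what
    matters for a single-valued record attribute."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key and key not in current:
            current[key] = value
    if current:
        entries.append(current)
    return entries


def map_entry(entry):
    """Build the Mac OS X user record the plug-in would see for one AD entry."""
    return {osx: entry.get(ad) for osx, ad in MAPPINGS.items()}


def check_records(records):
    """Return problems a user would hit at login: missing values, a UniqueID
    that is not a number (postalCode is free text in AD), and two accounts
    sharing a UniqueID (each would own the other's files)."""
    problems = []
    for r in records:
        name = r["RecordName"] or "<no RecordName>"
        for attr in ("RecordName", "UniqueID", "HomeDirectory", "NFSHomeDirectory"):
            if not r[attr]:
                problems.append(f"{name}: {attr} is empty ({MAPPINGS[attr]} not set in AD)")
        if r["UniqueID"] and not r["UniqueID"].isdigit():
            problems.append(f"{name}: UniqueID '{r['UniqueID']}' is not numeric")
    counts = Counter(r["UniqueID"] for r in records if r["UniqueID"])
    for uid, n in counts.items():
        if n > 1:
            problems.append(f"UniqueID {uid} is shared by {n} accounts")
    return problems


# Constructed sample in ldapsearch's LDIF output format (not real data).
SAMPLE_LDIF = """\
dn: CN=Jane Smith,OU=Staff,OU=AllUsers,DC=WHS
cn: Jane Smith
sAMAccountName: jsmith
postalCode: 1001
telephoneNumber: 20
streetAddress: /Network/Servers/fileserver/Users/jsmith
info: /Network/Servers/fileserver/Users/jsmith

dn: CN=Bob Jones,OU=Students,OU=AllUsers,DC=WHS
cn: Bob Jones
sAMAccountName: bjones
postalCode: 1001
telephoneNumber: 21
streetAddress: /Network/Servers/fileserver/Users/bjones

dn: CN=Ann Lee,OU=Students,OU=AllUsers,DC=WHS
cn: Ann Lee
sAMAccountName: alee
postalCode: 3000-A
telephoneNumber: 21
streetAddress: /Network/Servers/fileserver/Users/alee
info: /Network/Servers/fileserver/Users/alee
"""


def audit(ldif_text=SAMPLE_LDIF):
    """Map every entry and return (records, problems)."""
    records = [map_entry(e) for e in parse_ldif(ldif_text)]
    return records, check_records(records)


if __name__ == "__main__":
    recs, probs = audit()
    for r in recs:
        print(r)
    for p in probs:
        print("PROBLEM:", p)
```

To run it against your own directory, feed audit() the output of an ldapsearch bound with the same LDAP user and search base you entered in the plug-in; the two sharing a postalCode value and the missing info attribute in the sample are exactly the kind of data-entry slips this catches before they become shared home directories or failed logins.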
Now click OK, and OK again. Next, under the “Authentication” tab, we need to make the computer look at the LDAP server we just configured. Select “Custom Path” from the pull-down, then click Add and select the configuration.
Click Apply and then restart the computer.
On the server you can assign users to groups via Workgroup Manager if you wish.