
Binding to a Linux-based OpenLDAP server from 10.6.x and 10.7.x

One of the services our IT team occasionally provides is connecting Mac desktops up to our Linux-hosted OpenLDAP server. Our OpenLDAP server doesn’t have any schema support built in for OS X, but historically we’ve gotten around that by using the RFC 2307 template support built into the LDAPv3 directory service plug-in. Then we hit Lion. Then we discovered how many other folks were having problems with Lion and OpenLDAP.

A lot of the problem was centered around the fact that Lion’s LDAP plug-in is now attempting to use the best SASL authentication method advertised by the LDAP server. Even if the server doesn’t require authentication, the Mac’s LDAP plug-in will still try to authenticate. What you’ll wind up with is an LDAP bind that allows lookups, but does not allow LDAP accounts to log in.

Most of the fixes involved going into the GUI and making some changes, then opening the relevant plist and making some more changes. Others recommended setting up the bind on one machine and then copying the relevant files from machine to machine.

Because I’m a lazy admin, I decided to see “How hard is this to script?” As it turned out, harder than you might think. Not all of the GUI buttons and tools have command-line equivalents and dsconfigldap turned out to be completely useless for this purpose.

In the end, I scripted the equivalent of “set up the bind on one machine, then copy the files.” I successfully bound one 10.7.x Mac, then studied the .plist carefully to find just the entries I needed for our OpenLDAP server. Then, I used a trick with /bin/cat that Peter Bukowinski showed me a while ago to feed the complete plist into a new file:

```sh
/bin/cat > /path/to/destination << 'NEW_LDAP_BIND'
plist contents…
NEW_LDAP_BIND
```
Since the technique worked on 10.7.x, I added 10.6.x support to the script using the same model. At this point, the script handles everything about the OpenLDAP binding except for actually adding the LDAP domain to the authentication search path. I kept munging existing Active Directory search path entries in my testing, so it’s still necessary to go into Directory Utility at this point to add the LDAP search path and promote it above our AD search path. For those folks who don’t have to worry about that, scripting the addition of your LDAP server to the authentication search path should be fairly straightforward.

For those interested, I’ve made the script available here. There are some Active Directory values mentioned that currently don’t do anything, but I’m planning to keep working on this script to see if I can fix the search path entry issue mentioned above.

Testing notes:

One difference I found between the 10.6.x and 10.7.x plists was that, on 10.6.x, all the RFC 2307 LDAP mappings are included in the plist and must be included in the script. On Lion, just referencing that RFC 2307 is being used seems to work fine.

Another thing I found in my 10.7.x testing was that you couldn’t send the plist output directly to /Library/Preferences/OpenDirectory/Configurations/LDAPv3. Weird, but there was so much weird going on that I made a note then worked around it by sending the plist first to /tmp, then moving the complete plist over into /Library/Preferences/OpenDirectory/Configurations/LDAPv3.

  1. merouman
    April 1, 2012 at 9:10 am

    very nice job. Works like a charm

    Thanks for all.

  2. May 31, 2012 at 12:54 pm

    I went through this exact same process three weeks ago. I ended up giving up on dsconfigldap and just set up LDAP using the GUI, copied the relevant plist files to my deployment server, scripted the copy of these files down to new 10.7.4 clients, and called it a day. This was after bashing my head against the desk for two weeks trying to get a scripted method working. Apple needs to fix the dsconfigldap tools. The main draw (at least to me) for using OS X in a corporate environment is that everything can be scripted. That is clearly not always the case any longer.

    I actually wrote a quick guide for people who are upgrading from Snow Leopard to Lion (it essentially revolves around disabling unsupported SASL authentication methods): http://blog.smalleycreative.com/administration/fixing-openldap-authentication-on-os-x-lion/

  3. richb
    April 8, 2013 at 8:37 pm

    Have you had any luck with a script that uses an authenticated account rather than trust type anonymous? When using a distinguished name and password, LDAP seems to break until you go into the GUI and re-type the password to the account.

    • denmoff
      August 6, 2015 at 8:10 pm

      Wondering about this too.

      • denmoff
        August 7, 2015 at 1:35 pm

        I found something that works for me. I had to manually set up an LDAPv3 server on the client and put in the authenticated DN and password. Copied the /Library/Preferences/OpenDirectory/Configurations/LDAPv3/my.ldap.server.plist to the appropriate place in Rich’s script. Then packaged the plist that gets created in /Library/Preferences/OpenDirectory/DynamicData/. If I deploy that package to a fresh Mac and then run Rich’s modified script, the authentication is correct.

      • denmoff
        August 7, 2015 at 2:39 pm

        I think I spoke too soon. This doesn’t seem to work.
