I can’t get my head around LDAP configuration under OSX (Yosemite).

The thing is that I have received the following parameters from the IT department. I have replaced fields that are internal with somestring, example and myhostname:

binddn cn=somestring,ou=connectors,dc=example,dc=com
bindpw somepassword
nss_base_passwd ou=people,dc=example,dc=com?onehost=myhostname
nss_base_shadow ou=people,dc=example,dc=com?onehost=myhostname
nss_base_group ou=group,dc=example,dc=com?onehost=myhostname

I am not sure how to connect the nss_base information with the OSX config. Also,
is the container with users.

What I did in OSX Sys Preferences/Users & Groups/Login Options is:

  1. I added two Network Account Servers
  2. Once added, I edited them in Open Directory Utility.
  3. I changed LDAPv3 configuration where:
    a. On one server I set LDAP Mappings to “From Server” and on second one to “One Directory”
    b. Then I edited, and on security, I configured authentication with the below. This should ensure that this host first authenticates with LDAP and then executes user authentication:

       • Distinguished name: cn=somestring,ou=connectors,dc=example,dc=com
       • Password: somepassword
    c. None of the options worked

I have no idea why it does not work now. The log file does not say anything about the unsuccessful/successful communication to LDAP, and this command lists the user details:

ldapsearch -h xxx.yyy.zzz.www -p 389 -v -D "cn=somestring,ou=connectors,dc=example,dc=com" -b "dc=example,dc=com" -w somepassword -t "(uid=username)"

Any suggestions?


I managed to figure it out.

The problem was with the LDAP mappings. I have now chosen RFC2307 LDAP mapping on the Search & Mappings config page, together with the server authentication parameters:

Use authentication when connecting: True
Distinguished name: cn=somestring,ou=connectors,dc=example,dc=com
Password: somepassword

Also, the key is that you reboot after every change you make. If OSX reports that it cannot reach the LDAP server (and you validate you can telnet to the LDAP port on the LDAP server) then you need to delete the servers from the configuration and re-add them.
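One check worth doing before and after switching the mapping to RFC2307, as an added example that is not part of the question or the answer above: confirm that the entries under the people container actually carry the posixAccount attributes the RFC2307 mapping reads (uid, uidNumber, gidNumber, homeDirectory, loginShell). The script below runs the same kind of bind as the ldapsearch in the question and then inspects the returned LDIF; the sample LDIF, the bind DN, the host name and the account name are constructed placeholders, and the live-query helpers are only called when you pass a host.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholder values throughout.
BIND_DN='cn=somestring,ou=connectors,dc=example,dc=com'   # connector DN from IT
BIND_PW='somepassword'                                     # its password
BASE_DN='ou=people,dc=example,dc=com'                      # nss_base_passwd container

# Constructed LDIF standing in for what ldapsearch returns for one account.
SAMPLE_LDIF='dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uid: jdoe
uidNumber: 10042
gidNumber: 5000
homeDirectory: /home/jdoe
loginShell: /bin/bash
cn: John Doe'

# Live query: simple bind with the connector DN and fetch one user's entry.
# Same bind as the ldapsearch in the question, using -H/-x instead of -h/-p.
ldap_user_ldif() {
  host=$1; user=$2
  ldapsearch -x -LLL -H "ldap://$host:389" -D "$BIND_DN" -w "$BIND_PW" \
    -b "$BASE_DN" "(uid=$user)"
}

# Inspect LDIF passed as $1 and report which RFC2307 attributes are absent.
# Prints "ok" and returns 0 when all are present, otherwise prints the missing
# names and returns 1. Missing uidNumber/gidNumber/homeDirectory is the usual
# reason an RFC2307-mapped account shows up but cannot log in.
check_rfc2307() {
  ldif=$1
  missing=""
  for attr in uid uidNumber gidNumber homeDirectory loginShell; do
    printf '%s\n' "$ldif" | grep -q "^${attr}: " || missing="$missing $attr"
  done
  if [ -n "$missing" ]; then
    echo "missing:$missing"
    return 1
  fi
  echo "ok"
  return 0
}

# After the Directory Utility change and reboot, this shows what OS X itself
# resolved for the account through the LDAPv3 node (dscl ships with OS X).
osx_resolved_user() {
  host=$1; user=$2
  dscl "/LDAPv3/$host" -read "/Users/$user" UniqueID PrimaryGroupID NFSHomeDirectory
}

# With no arguments, validate the constructed sample; with host and user, go live.
if [ "$#" -eq 2 ]; then
  check_rfc2307 "$(ldap_user_ldif "$1" "$2")" && osx_resolved_user "$1" "$2"
else
  check_rfc2307 "$SAMPLE_LDIF"
fi
```

Run it as `sh check_rfc2307.sh` to exercise the constructed sample, or `sh check_rfc2307.sh ldap.example.com jdoe` against the real server once the bind parameters are filled in; a "missing:" line tells you which attribute to raise with the IT department rather than which mapping to try next.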

