Mac OS X Server 10.3 or later: Enabling VPN-PPTP access for users in an LDAP domain
In Mac OS X Server 10.3 or later, you can use a command-line tool to enable PPTP-VPN connections for users who are in an LDAP domain.
This resolves a situation in which users can establish a VPN connection via PPTP to a Mac OS X Server that, once established, is not used by any network traffic.
An error message similar to this may appear in the server's VPN and system logs:
"MPPE required, but keys are not available."
This affects Mac OS X Server versions 10.3 through 10.6.x. You must have Mac OS X Server version 10.3.3 or later before following these steps.
- Run the tool /usr/sbin/vpnaddkeyagentuser as root with the LDAP node (directory in which users are present) name as the argument. For example, if the server that's running the VPN Service is also the LDAP Master, you would enter this command in Terminal:
sudo /usr/sbin/vpnaddkeyagentuser /LDAPv3/127.0.0.1
If the server that's running the VPN Service is not an LDAP Master, and the LDAP directory is on a different computer, use the IP address of the LDAP server in the command. For example, if the LDAP server is at 220.127.116.11, enter this command in Terminal:
sudo /usr/sbin/vpnaddkeyagentuser /LDAPv3/18.104.22.168
- The tool will prompt for username and password.
a. If the VPN Server is the LDAP master, type in the administrator name and password of the server.
b. If the LDAP directory is on a different server, type in the administrator name and password of the server that hosts the LDAP directory (or the administrator name and password that is used to add users to the LDAP directory in Workgroup Manager). The tool will add a user to the LDAP directory and set up additional configuration elements in the VPN Server so that it can support PPTP.
- Configure PPTP in the VPN Service Settings panel of the Server Admin.
- Start VPN Service.