OS X Server: Configuring clients to use SSL for Open Directory binding
This article explains how to configure an Open Directory server and OS X client to use SSL encryption for Open Directory binding.
First enable SSL encryption for Open Directory on the server and select a certificate to use. Refer to Server Help or the Administration Guide for your version of OS X Server.
Apple strongly recommends that you obtain a trusted certificate to secure your SSL connection, but you can also use a self-signed certificate.
OS X Mountain Lion and Lion clients will automatically use SSL and import the necessary certificate when binding to an Open Directory server that supports it.
- Open System Preferences and select Users and Groups.
- Click the lock to make changes and enter an administrator password, if necessary.
- Click Login Options.
- Next to Network Account Server, click Add or Edit.
- If necessary, click the + button. Enter the name of the Open Directory server, then click OK.
- When prompted to trust the SSL certificates provided by the server, click Trust.
On Mac OS X v10.6 and v10.5 clients, you must manually import the server's SSL certificate before binding.
- On the client computer, open Terminal and use one of the following commands to obtain the certificate from the server:
openssl s_client -connect myServerName:636
openssl s_client -connect myServerName:636 -showcerts
Replace myServerName with the fully qualified domain name of the server. Note: the '-showcerts' argument is only necessary when binding to a Lion Server.
- If necessary, press Control-C to exit the openssl command.
- Copy the lines starting from the first "-----BEGIN CERTIFICATE-----" line up to and including the last "-----END CERTIFICATE-----" line. Important: A Lion Server will contain a chain of certificates. Be sure to include them all.
- Use the following command to create a file called "mycert" containing the text you copied:
pbpaste > ~/Desktop/mycert
- Use the following command to move the new certificate file to the openldap directory:
sudo mv ~/Desktop/mycert /etc/openldap/
- Using the sudo command, edit the /etc/openldap/ldap.conf file in a text editor. For example:
sudo pico /etc/openldap/ldap.conf
- Under the line "TLS_REQCERT demand" add a new line "TLS_CACERT /etc/openldap/mycert".
- Save the changes.
- Restart the client computer.
- Bind the client to the Open Directory server:
- In Mac OS X v10.6.4 to 10.6.8, open the Accounts pane of System Preferences, click Login Options, then click the "Join" or "Edit" button next to Network Account Server. Click the + button, enter the FQDN of the Open Directory master, check the box "Require secure connection (SSL)", then click OK.
- In Mac OS X v10.6 through 10.6.3, open the Directory Utility application (located in /System/Library/CoreServices) and click the lock to make changes. Double-click "LDAPv3", then click the "New..." button. Enter the FQDN of the Open Directory master, check the box "Encrypt using SSL", then click Continue.
- In Mac OS X v10.5.x, open the Directory Utility application (located in /Applications/Utilities) and click the + button. Choose type "Open Directory", enter the FQDN of the Open Directory master, check the box "Encrypt using SSL", then click OK.
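The manual certificate-import steps above (capturing the whole chain from the openssl s_client output, saving it as mycert, and adding TLS_CACERT under TLS_REQCERT demand) as an added shell example; this is not code from the original article. The s_client output and the certificate bodies in it are constructed placeholders, and the scratch directory stands in for /etc/openldap.

```shell
# Print every PEM certificate block found in `openssl s_client -showcerts`
# output read from stdin, in order, so a Lion Server's whole chain is kept.
extract_pem_chain() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {p=0}'
}

# Count the certificates in a PEM file (a Lion Server chain gives more than 1).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Insert "TLS_CACERT <cert-path>" directly under "TLS_REQCERT demand" in an
# ldap.conf file; does nothing if a TLS_CACERT line is already present.
add_tls_cacert() {
    conf="$1"; cert="$2"
    grep -q '^TLS_CACERT' "$conf" && return 0
    awk -v cert="$cert" '{print} /^TLS_REQCERT[[:space:]]+demand/ {print "TLS_CACERT " cert}' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed sample of s_client -showcerts output with a two-certificate
# chain; the base64 bodies are placeholders, not real certificates.
SAMPLE_SCLIENT='CONNECTED(00000003)
 0 s:/CN=od.example.com
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCertificateBody
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediateCertificateBody
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=od.example.com'

# Run the whole flow against the sample in a scratch directory (its files
# stand in for /etc/openldap/mycert and /etc/openldap/ldap.conf).
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_SCLIENT" | extract_pem_chain > "$d/mycert"
    printf 'BASE dc=example,dc=com\nTLS_REQCERT demand\n' > "$d/ldap.conf"
    add_tls_cacert "$d/ldap.conf" "$d/mycert"
    echo "certificates captured: $(count_certs "$d/mycert")"
    cat "$d/ldap.conf"
}

demo
```

Against a real server the input to extract_pem_chain is the output of `openssl s_client -connect myServerName:636 -showcerts </dev/null`, and the count reported by count_certs confirms whether the full chain was captured.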
You may use a different name for the "mycert" file as long as the name of the file matches the reference in ldap.conf.
If SSL is not properly configured on the server, the client will report "Unable to add server. (Server name or IP address) does not support directory connections encrypted with SSL" or "Unable to add server. Operation is not supported by the directory node. (10000)".