Mac OS X v10.5: Active Directory - Name and password considerations when binding with Directory Utility or dsconfigad

Products Affected

Mac OS X 10.5, Mac OS X Server 10.5, Microsoft Active Directory

Symptoms

Mac OS X v10.5 includes two utilities used to bind computers to Microsoft Active Directory. Directory Utility is an application, and dsconfigad is a command-line utility accessed through Terminal. Both may be used to configure the Active Directory connector in Directory Utility.  

When binding a Mac OS X client to Active Directory or changing the password of an Active Directory account, make sure that the computer names and passwords used in the binding process are fewer than 16 characters long and use only characters that are valid in Active Directory computer account names. Entering a longer computer name or invalid characters may cause client binding to Active Directory to fail, or cause Mac OS X to bind to Active Directory with a truncated computer name. Similarly, entering a password longer than 15 characters may cause a different password to be saved than the one entered, requiring a password reset.

Resolution

The dsconfigad utility validates input for computer names and passwords when binding to Active Directory, but Directory Utility does not.

To ensure that the Active Directory connector binds as expected:

  • Use dsconfigad to configure Mac OS X client binding to Active Directory, or to change passwords for Active Directory accounts

or

  • Use computer names and passwords that are fewer than 16 characters long and contain only letters (A–Z, a–z), numbers (0–9), - (dash) and/or _ (underscore) when binding with Directory Utility
     

Note: Although the underscore character is valid in hostnames, it is not a valid component in a DNS domain name.  If the Active Directory domain being bound to contains an underscore in the domain name, binding and services will not function as expected. 
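
Because Directory Utility does not validate its input, the values can be checked in Terminal before they are typed in. The script below is an added example, not Apple's code: it applies the length and character rules listed above to a computer name or password, and the underscore rule from the note to the domain name. The function names and the sample values are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for values entered in Directory Utility,
# which (per this article) does not validate them itself.
# Rules taken from the article: fewer than 16 characters, and only
# A-Z, a-z, 0-9, '-' and '_'. Function names are hypothetical.

LC_ALL=C; export LC_ALL   # make bracket ranges ASCII-only
AD_MAX_LEN=15             # "less than 16 characters"

# Print why VALUE is unsuitable (empty | invalid-chars | too-long) or "ok".
# The exit status is 0 only for "ok". Use for computer names and passwords.
ad_value_problem() {
    _v=$1
    if [ -z "$_v" ]; then echo empty; return 1; fi
    case $_v in
        *[!A-Za-z0-9_-]*) echo invalid-chars; return 1 ;;
    esac
    # Every character is ASCII at this point, so ${#_v} is the true length.
    if [ "${#_v}" -gt "$AD_MAX_LEN" ]; then echo too-long; return 1; fi
    echo ok
}

# The article's note: an underscore in the AD domain name breaks binding.
ad_domain_problem() {
    case $1 in
        '')   echo empty; return 1 ;;
        *_*)  echo underscore-in-domain; return 1 ;;
    esac
    echo ok
}

# Check a computer name and domain together; report each problem on stderr.
# Returns the number of problems found (0 means safe to enter).
ad_bind_preflight() {
    _bad=0
    _r=$(ad_value_problem "$1")  || { echo "computer name: $_r" >&2; _bad=$((_bad + 1)); }
    _r=$(ad_domain_problem "$2") || { echo "domain: $_r" >&2; _bad=$((_bad + 1)); }
    return "$_bad"
}

# Constructed sample values, not taken from the article.
ad_bind_preflight "lab-imac_07" "corp.example.com" && echo "sample values pass"
```
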

Additional Information

For more information about the length and character set requirements for use with Active Directory, see this Microsoft article.

Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.