Configure access to an LDAP directory manually in Directory Utility on Mac
You can manually create a configuration that specifies how a Mac accesses an LDAPv3 or LDAPv2 directory. You must know the DNS host name or IP address of the LDAP directory server.
If the directory is not hosted by a Mac with macOS Server installed, you must know the search base and the template for mapping macOS data to the directory’s data. The supported mapping templates are:
From Server, for a directory that supplies its own mappings and search base, such as macOS Server
Open Directory server, for a directory that uses macOS Server for the macOS schema
Active Directory, for a directory hosted by a Windows 2000, Windows 2003 or later server
RFC 2307, for most directories hosted by UNIX servers
Custom, for directories that don’t use any of the above mappings
The LDAPv3 plug-in fully supports Open Directory replication and failover. If the Open Directory master becomes unavailable, the plug-in falls back to a nearby replica.
Important: If your computer name contains a hyphen, you might not be able to bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.
In the Directory Utility app on your Mac, click Services.
Click the lock icon.
Enter an administrator’s username and password, then click Modify Configuration (or use Touch ID).
Select LDAPv3, then click the Edit button (looks like a pencil).
Click New.
Enter the LDAP server’s DNS host name or IP address, then click Continue.
In the LDAP Mappings column, click the pop-up menu, then choose a mapping template or method:
If you choose From Server, a search base suffix is not needed. In this case, Open Directory assumes the search base suffix is the first level of the LDAP directory.
Click the Read from Server button to get a list of all record types and attributes. Record types not found in the local macOS directory domain, such as AutoServerSetup or Neighbourhoods, are marked in red in the Record Types and Attributes window.
If you choose a template such as Open Directory or RFC 2307, enter the search base suffix for the LDAP directory, then click OK. You must enter a search base suffix; otherwise the computer can’t find information in the LDAP directory. Typically, the search base suffix is derived from the server’s DNS host name. For example, the search base suffix could be “dc=ods,dc=example,dc=com” for a server whose DNS host name is ods.example.com.
If you choose Custom, you must set up mappings between macOS record types and attributes and the classes and attributes of the LDAP directory you’re connecting to. See Configure LDAP Searches & Mappings.
Check with your Open Directory administrator to determine if SSL is required and if so, select SSL.
To change the following settings for this LDAP configuration, click Edit to display the options, make changes, then click OK.
Click Connection to set timeout options, specify a custom port or ignore server referrals. See Change connection settings for an LDAP or Open Directory server.
Click Search & Mappings to set up searches and mappings for an LDAP server. See Configure LDAP Searches & Mappings.
Click Security to set up an authenticated connection (instead of trusted binding) and other security policy options. See Change the LDAP connection security policy.
Click Bind to set up trusted bindings (if the LDAP directory supports it). See Set up authenticated binding for an LDAP directory.
Click OK to finish manually creating the configuration to access an LDAP directory.
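Before entering a derived search base suffix and selecting SSL in the steps above, it is worth confirming that the server actually publishes that suffix. The following shell snippet is an added example, not part of Apple’s documentation: it derives the suffix from the DNS host name exactly as described above (ods.example.com becomes dc=ods,dc=example,dc=com) and then reads the server’s RootDSE namingContexts over LDAPS with certificate validation enforced. It assumes the OpenLDAP ldapsearch client that ships with macOS; the host name and the sample RootDSE output are constructed.

```shell
#!/bin/sh
# Added example, not from Apple's documentation. Requires the OpenLDAP
# ldapsearch client that ships with macOS.

# Derive the conventional search base suffix from a DNS host name,
# e.g. ods.example.com -> dc=ods,dc=example,dc=com (the page's own example).
derive_search_base() {
  printf 'dc=%s' "$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\./,dc=/g')"
}

# Return 0 when the LDIF text in $1 lists naming context $2
# (DNs compare case-insensitively, hence grep -i).
base_in_contexts() {
  printf '%s\n' "$1" | grep -i "^namingContexts: *$2\$" >/dev/null
}

# Read the server's RootDSE anonymously and confirm the derived suffix is a
# naming context it really serves. With ldaps://, LDAPTLS_REQCERT=demand makes
# the client reject a certificate it cannot validate rather than trust it.
# Exit status: 0 suffix confirmed, 1 suffix not published, 2 connection/TLS failure.
check_search_base() {
  host=$1
  use_ssl=${2:-yes}
  base=$(derive_search_base "$host")
  if [ "$use_ssl" = yes ]; then uri="ldaps://$host"; else uri="ldap://$host"; fi
  out=$(LDAPTLS_REQCERT=demand ldapsearch -x -LLL -H "$uri" -s base -b '' namingContexts) || return 2
  base_in_contexts "$out" "$base"
}

# Constructed RootDSE output for offline use: a data suffix plus the cn=config
# context that OpenLDAP-based servers commonly publish alongside it.
SAMPLE_ROOTDSE='dn:
namingContexts: dc=ods,dc=example,dc=com
namingContexts: cn=config'

# Set LDAP_HOST (and LDAP_SSL=no for plain LDAP) to run the live check.
if [ -n "${LDAP_HOST:-}" ]; then
  if check_search_base "$LDAP_HOST" "${LDAP_SSL:-yes}"; then
    echo "search base $(derive_search_base "$LDAP_HOST") confirmed by server"
  else
    echo "search base not confirmed (status $?)"
  fi
fi
```

A status of 2 means the connection or TLS handshake failed, which is the case to resolve (certificate trust, port, SSL requirement) before relying on the directory for authentication.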
If you want the computer to access the LDAP directory you created a configuration for, add the directory to a custom search policy in the Authentication pane and the Contacts pane of Search Policy in Directory Utility.
Before you can use macOS Server to create users on a non-Apple LDAP server that uses RFC 2307 (UNIX) mappings, you must edit the mapping of the Users record type. See Edit RFC 2307 mapping to enable creating users.
Important: If you change your IP address and computer name using changeip while you are connected to a directory server, you must disconnect and reconnect to the directory server to update the directory with the new computer name and IP address. If you do not disconnect and reconnect to the directory server, the directory does not update and continues to use the old computer name and IP address.