Change the LDAP connection security policy
Using Directory Utility, you can configure a stricter security policy for an LDAPv3 connection than the security policy of the LDAP directory. For example, if the LDAP directory’s security policy permits clear-text passwords, you can set up an LDAPv3 connection so it doesn’t permit clear-text passwords.
Setting a stricter security policy protects your computer from a malicious hacker trying to use a rogue LDAP server to gain control of your computer.
The computer must communicate with the LDAP server to show the state of the security options. Therefore, when you change security options for an LDAPv3 connection, the computer’s authentication search policy should include the LDAPv3 connection.
The permissible settings for an LDAPv3 connection’s security options are subject to the LDAP server’s security capabilities and requirements. For example, if the LDAP server doesn’t support Kerberos authentication, several LDAPv3 connection security options are disabled.
Click Search Policy.
Make sure the LDAPv3 directory you want is listed in the search policy.
For more information about adding an LDAPv3 directory to the authentication search policy, see Define search policies.
Click the lock icon.
Enter an administrator’s user name and password, then click Modify Configuration (or use Touch ID).
Select LDAPv3, then click the Edit button (looks like a pencil).
If the list of server configurations is hidden, click Show Options.
Select the configuration for the directory you want, then click Edit.
Click Security, then change any of the following settings.
Note: The security settings here and on the corresponding LDAP server are determined when the LDAP connection is set up. The settings aren’t updated when server settings are changed.
If any of the last four options are selected but disabled, the LDAP directory requires them. If any of these options are not selected and disabled, the LDAP server doesn’t support them.
Use authentication when connecting: Determines whether the LDAPv3 connection authenticates itself with the LDAP directory by supplying the specified distinguished name and password. This option is not visible if the LDAPv3 connection uses trusted binding with the LDAP directory.
Bound to the directory as: Specifies the credentials the LDAPv3 connection uses for trusted binding with the LDAP directory. This option and the credentials can’t be changed here. Instead, you can unbind and then bind again with different credentials. For more information, see Stop trusted binding with an LDAP directory and Set up authenticated binding for an LDAP directory. This option is not visible unless the LDAPv3 connection uses trusted binding.
Disable clear-text passwords: Determines whether the password is to be sent as clear-text if it can’t be validated using an authentication method that sends an encrypted password.
Digitally sign all packets (requires Kerberos): Certifies that directory data from the LDAP server hasn’t been intercepted and modified by another computer while en route to your computer.
Encrypt all packets (requires SSL or Kerberos): Requires the LDAP server to encrypt directory data using SSL or Kerberos before sending it to your computer. Before you select the “Encrypt all packets (requires SSL or Kerberos)” checkbox, ask your Open Directory administrator if SSL is needed.
Block man-in-the-middle attacks (requires Kerberos): Protects against a rogue server posing as the LDAP server. Best if used with the “Digitally sign all packets” option.