Configure LDAP directory access in Directory Utility on Mac
Using Directory Utility, you can specify how your Mac accesses an LDAPv3 directory. You must know the DNS host name or IP address of the LDAP directory server.
If the directory is not hosted by a server that supplies its own mappings, you must know the search base and the template for mapping macOS data to the directory’s data.
Supported mapping templates are:
Open Directory server, for a directory that uses the Server schema
Active Directory, for a directory hosted by a Windows 2000 or later server
RFC 2307, for most directories hosted by UNIX servers
The LDAPv3 plug-in fully supports Open Directory replication and failover. If the Open Directory master becomes unavailable, the plug-in uses a nearby replica.
To specify custom mappings for the directory data, follow the instructions in Configure access to an LDAP directory manually instead of the instructions here.
Important: If your computer name contains a hyphen, you might not be able to bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.
In the Directory Utility app on your Mac, click Services.
Click the lock icon.
Enter an administrator’s username and password, then click Modify Configuration (or use Touch ID).
Select LDAPv3, then click the “Edit settings for the selected service” button .
Click New.
Enter the LDAP server’s DNS host name or IP address in the Server Name or IP Address field.
Select Encrypt using SSL if you want Open Directory to use Secure Sockets Layer (SSL) for connections with the LDAP directory.
Before you select this, ask your Open Directory administrator to determine if SSL is needed.
If Directory Utility can’t contact the LDAP server, you might need to adjust your configuration access settings. See Change connection settings for an LDAP or Open Directory server.
Click Continue.
Select the new LDAP server in the list, then click Edit.
Click Search & Mappings.
Click the “Access this LDAPv3 server using” pop-up menu, choose Open Directory, then enter a search base.
Typically, the search base suffix is derived from the server’s DNS host name. For example, the search base suffix could be “dc=ods,dc=example,dc=com” for a server whose DNS host name is ods.example.com.
If the directory server supports trusted binding, click Bind, then enter the name of the computer and the name and password of a directory administrator.
Binding might be optional.
Trusted binding is mutual. Each time the computer connects to the LDAP directory, they authenticate each other. If trusted binding is set up or the LDAP directory doesn’t support trusted binding, the Bind button does not appear. Make sure you supplied the correct computer name.
If an alert indicates a computer record exists, try again using a different computer name or click Overwrite to replace the existing computer record.
The existing computer record might be abandoned, or it might belong to another computer.
Before you replace an existing computer record, notify the LDAP directory administrator to make sure that replacing the record doesn’t disable another computer. In this case, the LDAP directory administrator must give the disabled computer a different name and add it back to the computer group it belonged to.
Click Security.
If the LDAP directory requires authentication to connect, select “Use authentication when connecting”, then enter the distinguished name and password of a user account in the directory.
An authentication connection is not mutual; the LDAP server authenticates the client but the client doesn’t authenticate the server.
The distinguished name can specify any user account that has permission to see data in the directory. For example, a user account whose short name is dirauth on an LDAP server and whose address is ods.example.com would have the distinguished name uid=dirauth,cn=users,dc=ods,dc=example,dc=com.
Important: If the distinguished name or password is incorrect, you can log in to the computer using user accounts from the LDAP directory.
Click OK to finish creating the LDAP connection.
Click OK to finish configuring LDAPv3 options.
If you want the computer to access this configured LDAP directory, add the directory to a custom search policy in the Authentication and Contacts panes of Search Policy in Directory Utility. For information about creating search policies, see Define search policies.