Set up LDAP access to Active Directory domains
Using Directory Utility, you can set up an LDAPv3 configuration to access an Active Directory domain on a Windows server. An LDAPv3 configuration gives you full control over mapping macOS record types and attributes to Active Directory object classes, search bases, and attributes.
Mapping some important macOS record types and attributes, such as the unique user ID (UID), requires that you extend the Active Directory schema.
An LDAPv3 configuration does not include the following features of the Active Directory connector listed in Directory Utility:
Dynamic generation of unique user ID and primary group ID
Creation of a local macOS home folder
Automatic mounting of the Windows home folder
Mobile user accounts with cached authentication credentials
Discovery of all domains in an Active Directory forest
Support for Active Directory replication and failover
For more information, see Active Directory integration.
Click Services.
Click the lock icon.
Enter an administrator’s user name and password, then click Modify Configuration (or use Touch ID).
Select LDAPv3, then click the Edit button (looks like a pencil).
Click New, then click Edit.
Enter a name in the Configuration Name field.
Enter the DNS name or IP address of the Active Directory server in the Server Name or IP Address field.
If you want Open Directory to use SSL for connections with the Active Directory server, select Encrypt using SSL.
Before you select SSL, ask your Open Directory administrator if SSL is needed.
If Directory Utility can’t contact the Active Directory server, you might need to adjust your configuration access settings. For more information, see Change the connection settings for an LDAP or Open Directory server.
Click Search & Mappings.
Click the “Access this LDAPv3 server using” pop-up menu, choose Open Directory, then enter a search base.
Typically, the search base suffix is derived from the server’s DNS host name. For example, the search base suffix could be “dc=ods,dc=example,dc=com” for a server whose DNS host name is ods.example.com.
The Active Directory mapping template for an LDAPv3 configuration maps some macOS record types and attributes to object classes and attributes that are not part of a standard Active Directory schema. You can change the mappings defined by the template, or you can extend the Active Directory schema.
Alternatively, you might be able to access your Active Directory domain through the Active Directory connector instead of LDAPv3. For more information, see Configure domain access.
Click Security.
If Active Directory requires authentication to connect, select “Use authentication when connecting,” then enter the distinguished name and password of an Active Directory user account.
Click OK to finish creating the LDAP connection.
Click OK to finish configuring LDAPv3.
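The following shell script is an added example and is not part of Apple's documentation or of Directory Utility. It derives the search base suffix from a DNS name in the way the page describes (ods.example.com becomes dc=ods,dc=example,dc=com), builds the LDAP URI that corresponds to the Encrypt using SSL setting, and verifies the bind DN and password from the Security step with ldapsearch (the OpenLDAP client shipped with macOS) before the same values are entered in Directory Utility. The host name, bind DN and password-file path are constructed placeholders; the function names are the example's own.

```shell
#!/bin/sh
# Added example: preflight the LDAPv3 settings before saving them in
# Directory Utility. Nothing here is Apple's code; host names and the
# bind DN are placeholders.

# Build the dc=... suffix from a DNS name, label by label:
#   ods.example.com -> dc=ods,dc=example,dc=com
# In Active Directory the domain's DNS name maps to the default naming
# context, so pass the domain name if the server host name has an extra
# host label in front of it.
search_base_from_fqdn() {
    fqdn=$1
    base=""
    old_ifs=$IFS
    IFS=.
    for label in $fqdn; do
        [ -n "$label" ] || continue
        base="${base:+$base,}dc=$label"
    done
    IFS=$old_ifs
    printf '%s\n' "$base"
}

# "Encrypt using SSL" in Directory Utility corresponds to ldaps:// on
# port 636; a plain connection is ldap:// on port 389.
ldap_uri() {
    host=$1
    use_ssl=${2:-no}
    if [ "$use_ssl" = yes ]; then
        printf 'ldaps://%s:636\n' "$host"
    else
        printf 'ldap://%s:389\n' "$host"
    fi
}

# Authenticated probe matching "Use authentication when connecting":
# bind with the user's distinguished name and fetch one user object.
# The password is read from a file (ldapsearch -y) so it never appears
# on the command line or in process listings.
ldap_probe() {
    host=$1
    use_ssl=$2
    bind_dn=$3
    pw_file=$4
    uri=$(ldap_uri "$host" "$use_ssl")
    base=$(search_base_from_fqdn "$host")
    ldapsearch -LLL -H "$uri" -b "$base" -D "$bind_dn" -y "$pw_file" \
        -s sub -z 1 '(objectClass=user)' sAMAccountName
}

# Show the derived values for the page's example host (no network access).
# To run the probe against a real server, for example:
#   ldap_probe ods.example.com yes 'CN=ldapreader,CN=Users,DC=example,DC=com' /path/to/pwfile
echo "Search base: $(search_base_from_fqdn ods.example.com)"
echo "LDAP URI (SSL): $(ldap_uri ods.example.com yes)"
echo "LDAP URI (plain): $(ldap_uri ods.example.com no)"
```

If the probe returns one entry, the server address, search base, SSL choice and bind credentials are consistent and can be entered in Directory Utility as-is; a TLS or bind failure here is the same failure Directory Utility would report after you click OK, only with ldapsearch's diagnostic text attached.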