MacOSX 10.7.2 LDAP authentication 0. Enable root. * Go to a terminal prompt * ~ sudo su - root * type your password * You're root! * # passwd * create a password for root. * Log off * Log on as root. Yes. 1. Add LDAPv3 Directory access * Open Directory Access from /Applications/Utilities or under System Preferences > Users & Groups. * Click the Lock on the bottom of the window. * Click on LDAPv3 then click Configure * Select Options then click Add Enter a configuration name; e.g. myldap Server Name: LDAP server canonical dns or IP address; e.g. myldap.my.com Click on LDAP Mappings and select RFC 2307 (Unix) For search base, put in your LDAP search base; e.g. dc=my,dc=com Don not Check SSL * Click edit and make sure all settings are at either their default or match your environment Under Search and Mappings, if you're using a stock OpenLDAP install, it is safe to have a "Search in" all subtrees set. This is recommended. Check all Record types and attributes. When done, Save Template. Somewhere. Click OK, and OK again. * At the Directory Access windows, Go to "Search Policy" and click on Authentication. You're now going to add a Directory domain. Select Custom Path 2. Add the LDAPv3 server you just added. Click the + and add /LDAPv3/Server Name Keep /Local/Default at the top; if not you'll not be able to logon with a local user account. Once done, test your LDAP configuration by going to Directory Editor (also in Directory Access). In the search box, search for a known account. Did you mess up? Check, /var/log/system.log for -14002 errors. 1. Remove all contents of directory /Library/Preferences/DirectoryService 2. Open /Applications/Utilities/Netinfo Manager and remove contents of directory /config/mcx-mask If not, time to allow logons. There's a bug in OSX 10.7.2 not allowing LDAP users to logon. Nice. Let's fix that. 1. As root... # ldapsearch -x -h myldap.my.com -b "" -s base "(objectclass=*)" supportedSASLMechanisms You should see something akin to: supportedSASLMechanisms: NTLM supportedSASLMechanisms: GSSAPI supportedSASLMechanisms: DIGEST-MD5 supportedSASLMechanisms: CRAM-MD5 This shows you the sort of authentication mechanisms your LDAP server supports. Let's make OSX add the SASL mechanisms - even if your LDAP server isn't using them. 2. Open the Opendirectoryd plist for your LDAPv3 server in /Library/Preferences/OpenDirectory/Configurations/LDAPv3, and add all of the advertised SASL garnered from above to the Denied SASL Methods array in the plist file. Simply browse to the file, double click and use xcode to edit. Add the items here: module options > ldap > Denied SASL Methods add string items. Add the strings exactly as provided by your LDAP server. 3. Reboot the OSX machine and you'll then be able to logon using a LDAP-defined user.