Given the same remote LDAP server, why does Directory Utility work on one machine but not on the other?

macos ldap directory-utility

Solution 1:

I learnt the following whilst fixing this problem. Perhaps it will help someone else in the future.

A MacOS LDAP client configured with Directory Utility stores the configuration data for LDAP servers that it knows about in /Library/Preferences/OpenDirectory/Configurations/LDAPv3 in plists named <servername>.plist. These files can be manipulated with odutil (see man odutil).

Directory Utility can be used to upload those plists from the local file system or from the LDAP server itself.

To access the plist from the local file system, copy it to ~/Library/Application Support/Directory Access/LDAPv3/Templates and ensure that it is called <anything>.plist (i.e. it must have the filetype .plist). After that has been done, if you edit the server data in Directory Utility under the 'Search & Mappings' tab, in the drop-down labelled 'Access this LDAPv3 server using' you will see the text '<anything>' from the filename of the plist. If you select this, the settings from your plist will be applied to the client.

Similarly, it is possible to create an entry in the LDAP server itself that contains exactly the same text and use that instead. The following shows what I see in ldapvi when I look at the entry I created:

13 ou=macosxodconfig,<local RDN>,<LDAP base DN>
objectClass: top
objectClass: organizationalUnit
ou: macosxodconfig
description:; <?xml version="1.0" encoding="UTF-8"?>\
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\
<plist version="1.0">\
<dict>\
    ...the rest of the plist comes here ...
</dict>\
</plist>

Note: everything from the ";" to the end of the definition is the contents of our plist - without the "\"s, which are an artefact of ldapvi. How you get the plist into your server is up to you: I use Apache Directory Studio. The only apparent restriction is that the entry must be an organizationalUnit called ou=macosxodconfig. After that has been done, if you edit the server data in Directory Utility under the 'Search & Mappings' tab, in the drop-down labelled 'Access this LDAPv3 server using' you will see the option 'From Server'. If you select this, you will be prompted for a search base (I suggest you choose '<local RDN>,<LDAP base DN>', replacing the stuff in angle brackets with something that makes sense on your context. The settings from your plist will then be applied to your client.

Just in case you forgot, you have to tell MacOS that your are using an LDAP server. You do this in System Preferences -> 'Users & Groups' -> 'Login Options': to the right you will see the label 'Network Account Server' with an 'Edit...' button next to it. Authenticate yourself by clicking on the lock at the bottom of the window, click on the 'Edit...' button and add your server(s) to the list here.

You may also need to go back to Directory Utility and add your LDAP server(s) to its 'Search Policy' (tab on the home window).

Steve

Related

How to change the system folders (Pictures, Movies etc)
If a photo is imported to Aperture via Photo Stream, is it safe to delete it from iCloud?
Apache config resetting after every OS update
How can I use rEFInd boot manager without an enter key?
Is my Mac compatible with Big Sur?
Lock fullscreen app positions
Photos missing in iCloud, only thumbnails available locally - can I extract the thumbnails?
How to quote a path variable "$1" that contains spaces?
Airdrop Cancels Transfers with no error message
AppleScript to add URL to Pi-hole whitelisting
Black line appears below screenshot when I paste it into Word
Can I directly record a video in iCloud Drive (/Google Drive)?