LDAPv3 Authenticating to Active Directory (Part I)


-- Related Links --

  - Active Directory Integration in Three Hours or Less (article on AFP548.com)
  - Mac OS X with Active Directory (Apple's PDF, using LDAPv2)
  - Apple OIDs (for schema modifications)
  - NISSchema Attributes (additional OIDs not covered by Apple)
  - University of Michigan LDAP info
  - Additional docs on LDAP integration from JAMF Software
  - Mac OS X AD Integration Scripts (Shukwit.com)
  - Mac OS X Server: How to Avoid Sending Clear Passwords in a Kerberos Environment With LDAPv3

-- The Story Thus Far --

Since I haven't seen much on this, I thought I'd write up what I've figured out so far, which is far from complete. I don't know if this will work for everyone, but I thought I'd post what I have and the rest of you can tear it apart. Please don't email me for help; I feel that I barely understand this as it is. :-)

-- Gathering the Information --

There are a few things you need to know to LDAP authenticate to an AD server. First, you need the IP address or DNS name of the server you will be LDAP authenticating to. Any Domain Controller running Windows 2000 with Active Directory enabled will do. To test the address, I suggest opening a Terminal window and using ping. So, if your AD server's address is mydepartment.mycompany.com, you should be able to ping that and get a response.

Next up, you need to figure out the LDAP search base path. To get this going I suggest downloading this nifty java based LDAP browser here:

http://www.iit.edu/~gawojar/ldap/

Nab the ZIP file and unzip it. Open the extracted directory and double-click browser.jar. In the session list click NEW to create a new session. Enter the DNS name/IP address of your AD server, the one you checked earlier by pinging it. Leave the PORT on its default setting unless you know your admin has changed it. For Version select 3, since it defaults to 2. Beneath the BASE DN field click the Fetch DNs button. Hopefully this will fill in your Base DN popup field with selectable entries. One of these entries (if you have more than one) is what you want to select. I can't tell you which, since this is dependent on your AD configuration. Hopefully, your admin should know. A Base DN can look something like this:

DC=mydepartment,DC=mycompany,DC=net

Now that you've picked a Base DN fill in the user info section with something like:

cn=myuseraccount,cn=users

Click the append Base DN check box.

Fill in your password. Click Save and use this session to connect. If it works, we now have enough info to set up LDAP authentication. If it doesn't, double-check that your Base DN points to an area which contains a CN=Users. You can use the Anonymous bind to double-check that your Host and Base DN are working. What you'll probably see is a record describing the LDAP server but nothing else. This, I'm told, is a normal security measure.

-- Configuring LDAP to AD Authentication --

Now that we have enough information, it's time to set up OS X 10.2. In the Utilities folder (inside Applications) double-click Directory Access. If you're not authenticated, click the little LOCK in the lower left corner of the window so you can make changes.

  1. Check ENABLE on the LDAPv3 service (in the services pane).
  2. Click LDAPv3 to highlight it and click configure (you may need to auth again).
  3. Uncheck Use DHCP-supplied LDAP Server (you may want this later but we don't push an LDAP using our DHCP. Well, not yet anyway.)
  4. Click on the triangle to Show Options.
  5. Click the NEW button.
  6. Give your configuration a name like AD or such.
  7. Hit TAB and enter the DNS/IP address for your AD server in the "Server Name or IP Address" field.
  8. Select Active Directory from the "LDAP Mappings" field popup.
  9. When prompted for the "Search base suffix" enter in its entirety the Base DN path you got working using the LDAPBrowser java tool (including the DC=, etc. EVERYTHING)
  10. Click on this new entry and click the EDIT button.
  11. Check ON "Use authentication when connecting" and either enter your login account or a generic account created by your admin for LDAP authenticating purposes. This account is needed in order for LDAP to see the user list that will be used for authenticating.
  12. When you fill in the Distinguished Name field you will be using a combination of the user name and Base DN fields that worked during your tests with the LDAPBrowser tool. So, using my example, the Distinguished Name would be: cn=myuseraccount,cn=users,dc=mydepartment,dc=mycompany,dc=net
      Don't forget to fill in the password. Don't worry, it's stored in an encrypted format.
  13. Click Ok and then Click Ok again.
  14. Click on the authentication tab of the Directory Access window.
  15. Select Custom Path from the Search popup.
  16. Click the Add button.
  17. If all went well, you'll see the LDAP entry you created back on the SERVICES pane. Select it and click Add.
  18. Click Apply and close the window.
  19. Reboot (or maybe just logout but I reboot to be sure).
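
As an added check (example code, not from the original article), the Python script below does over LDAPS what the article has you do by hand with the LDAP browser and then type into Directory Access: it reads the anonymous rootDSE to list Base DN candidates, builds the bind DN from the account name and Base DN the way step 12 describes, and confirms the bind account can actually see cn=users. The ldap3 package, the CA bundle, and all host and account names are assumptions.

```python
# Added example (not from the original article): a pre-flight check of the
# settings the article has you gather by hand. Assumes the ldap3 package
# (pip install ldap3); host, account and domain names are placeholders.
import ssl


def base_dn_from_domain(domain: str) -> str:
    """mydepartment.mycompany.net -> DC=mydepartment,DC=mycompany,DC=net"""
    labels = [p for p in domain.strip().strip(".").split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def build_bind_dn(account: str, base_dn: str, container: str = "cn=users") -> str:
    """Build the Distinguished Name Directory Access wants for the bind account."""
    if any(c in account for c in ',=+<>#;"\\'):
        raise ValueError("account must be a bare CN, not a DN fragment")
    return f"cn={account},{container},{base_dn}"


def check_ad_bind(host: str, bind_dn: str, password: str, base_dn: str,
                  ca_certs_file=None) -> dict:
    """Anonymous rootDSE read, then a simple bind and a search under cn=users.

    Uses LDAPS (port 636) so the simple-bind password is not sent in the
    clear, and verifies the DC's certificate against ca_certs_file (or the
    system trust store when none is given).
    """
    from ldap3 import ALL, SIMPLE, Connection, Server, Tls
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_certs_file)
    server = Server(host, port=636, use_ssl=True, tls=tls, get_info=ALL)
    # Anonymous bind: AD answers only with the rootDSE, whose namingContexts
    # are the Base DN candidates the LDAP browser's "Fetch DNs" button shows.
    anon = Connection(server, auto_bind=True)
    naming_contexts = list(server.info.naming_contexts or [])
    anon.unbind()
    conn = Connection(server, user=bind_dn, password=password, authentication=SIMPLE)
    if not conn.bind():
        return {"naming_contexts": naming_contexts, "bound": False,
                "error": conn.result.get("description"), "users": []}
    # The bind account must be able to enumerate users, or logins will fail.
    conn.search(f"cn=users,{base_dn}", "(objectClass=user)",
                attributes=["sAMAccountName"], size_limit=5)
    users = [str(e.sAMAccountName) for e in conn.entries]
    conn.unbind()
    return {"naming_contexts": naming_contexts, "bound": True,
            "error": None, "users": users}
```

Call check_ad_bind("ad.mydepartment.mycompany.net", build_bind_dn("myuseraccount", base_dn_from_domain("mydepartment.mycompany.net")), password, base_dn_from_domain("mydepartment.mycompany.net")) with the real host; a "bound": False result with an invalidCredentials description means the DN or password typed into Directory Access would fail the same way.
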

-- Final Testing --

When the GUI login comes up, enter the name of an AD account (no CN=, just your standard login) and its password. If it works you'll be drop-kicked into the text-mode Darwin login. Enter the name and password again and YOU'RE IN.

One final note: if you have an AD account that has the same login name as a local account on your machine, OS X will ALWAYS use the local account, since it will be first in the authentication path. You CANNOT change this. Instead, come up with different names for local accounts, or simply prepend "l_" to the regular AD account name when you create local accounts so you have a quick formula for accessing local accounts.


Email: Chuck Simciak