
Setting Up LDAP Access to Active Directory Domains
Using Directory Access, you can set up an LDAPv3 configuration to access an Active Directory domain on a Windows server. An LDAPv3 configuration gives you full control over mapping of Mac OS X record types and attributes to Active Directory object classes, search bases, and attributes. Mapping of some important Mac OS X record types and attributes, such as the unique user ID (UID), requires extending the Active Directory schema.
An LDAPv3 configuration does not include many features of the Active Directory plug-in listed in Directory Access. These include dynamic generation of unique user ID and primary group ID; creation of a local Mac OS X home directory; automatic mounting of the Windows home directory; cached authentication credentials; discovery of all domains in an Active Directory forest; and support for Active Directory replication and failover. You can learn more about the Active Directory plug-in in another help topic.
You can use Directory Access to create a configuration that specifies how Mac OS X accesses a particular LDAPv3 or LDAPv2 directory.
- In Directory Access, click Services.
- If the lock icon is locked, click it and type the name and password of an administrator.
- Select LDAPv3 in the list of services, then click Configure.
- If the list of server configurations is hidden, click Show Options.
- Click New and enter a name for the configuration.
- Press Tab and enter the Active Directory server's DNS name or IP address.
- Click the pop-up menu next to the DNS name or IP address and choose Active Directory.
- Enter the search base for the Active Directory domain, then click OK.
- Select the SSL checkbox if you want Open Directory to use Secure Sockets Layer (SSL) for connections with the Active Directory server.
The Active Directory mapping template for an LDAPv3 configuration maps some Mac OS X record types and attributes to object classes and attributes that are not part of a standard Active Directory schema. You can change the mappings defined by the template or extend the Active Directory schema. (Alternatively, you may be able to access your Active Directory domain via the Active Directory plug-in instead of LDAPv3.)
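The search base entered in the steps above and the schema-extension caveat in this paragraph can be checked before the configuration is enabled. The following is an added example, not Directory Access code or Apple's template; the attribute mapping, the two Active Directory attribute sets, and the `check_config` helper are constructed for illustration.

```python
# Added example: sanity checks for an LDAPv3-to-Active-Directory configuration.
# Not Apple's code; the mapping and attribute sets below are constructed.
import re

def search_base_from_domain(dns_domain: str) -> str:
    """Derive the default LDAP search base of an AD domain from its DNS name
    (ad.example.com -> DC=ad,DC=example,DC=com)."""
    labels = [p for p in dns_domain.strip().rstrip(".").lower().split(".") if p]
    if not labels or not all(re.fullmatch(r"[a-z0-9-]+", p) for p in labels):
        raise ValueError(f"not a DNS domain name: {dns_domain!r}")
    return ",".join(f"DC={p}" for p in labels)

# Mac OS X standard user attributes mapped to AD attributes (constructed
# mapping in the spirit of the Active Directory template described above).
USER_MAPPING = {
    "RecordName": "sAMAccountName",
    "RealName": "displayName",
    "UniqueID": "uidNumber",
    "PrimaryGroupID": "gidNumber",
    "NFSHomeDirectory": "unixHomeDirectory",
    "UserShell": "loginShell",
}

# Assumed attribute sets: a base AD user schema without the RFC 2307
# attributes, and the attributes a schema extension would add.
BASE_AD_USER_ATTRS = {"sAMAccountName", "cn", "displayName", "primaryGroupID",
                      "homeDirectory", "userPrincipalName"}
RFC2307_EXTENSION = {"uidNumber", "gidNumber", "unixHomeDirectory", "loginShell"}

def unmapped_attributes(mapping, schema_attrs):
    """Mac OS X attributes whose AD target attribute is absent from the schema."""
    return sorted(k for k, v in mapping.items() if v not in schema_attrs)

def check_config(server, search_base, use_ssl, mapping, schema_attrs):
    """Collect the problems worth flagging before enabling the configuration:
    a malformed search base, plaintext LDAP (bind credentials and directory
    data unprotected on the wire), and mappings that need a schema extension."""
    problems = []
    if not re.fullmatch(r"(DC=[^,]+)(,DC=[^,]+)*", search_base, re.I):
        problems.append(f"search base {search_base!r} is not a domain DN")
    if not use_ssl:
        problems.append(f"SSL is off: credentials to {server} travel in the clear")
    for attr in unmapped_attributes(mapping, schema_attrs):
        problems.append(f"{attr} -> {mapping[attr]} needs a schema extension")
    return problems
```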
If you want the computer to access the Active Directory domain for which you just created an LDAPv3 configuration, you must add the directory to a custom search policy in the Authentication or Contacts pane of Directory Access. You must also make sure LDAPv3 is enabled in the Services pane. Other help topics have instructions for these tasks.