Configuring LDAP Searches and Mappings


Using Directory Access, you can edit the mappings, search bases, and search scopes that specify how Mac OS X finds specific data items in an LDAP directory. You can edit these settings separately for each LDAP directory configuration listed in Directory Access. Each LDAP directory configuration specifies how Mac OS X accesses data in an LDAPv3 or LDAPv2 directory.

Important: When mapping Mac OS X user attributes to a read/write LDAP directory domain (an LDAP domain that is not read-only), the LDAP attribute mapped to RealName must not be the same as the first attribute in a list of LDAP attributes mapped to RecordName. For example, the cn attribute must not be the first attribute mapped to RecordName if cn is also mapped to RealName. If the LDAP attribute mapped to RealName is the same as the first attribute mapped to RecordName, problems will occur when you try to edit the full (long) name or the first short name in Workgroup Manager.

For detailed specifications of Mac OS X record types and attributes, refer to "Mac OS X Server Open Directory Administration For Version 10.3 or Later" (available at www.apple.com/server/documentation/).

To edit the search bases and mappings for an LDAP server:

  1. In Directory Access, click Services.
  2. If the lock icon is locked, click it and type the name and password of an administrator.
  3. Select LDAPv3 in the list of services, then click Configure.
  4. If the list of server configurations is hidden, click Show Options.
  5. Select a server configuration in the list, then click Edit.
  6. Click Search & Mappings.
  7. Select the mappings that you want to use as a starting point, if any.

    Click the "Access this LDAPv3 server using" pop-up menu and choose a mapping template to use its mappings as a starting point, or choose Custom to begin with no predefined mappings.

    Or click "Read from Server" to edit the mappings currently stored in the LDAP directory server whose configuration you are editing.

  8. Add record types and change their search bases as needed.

    To add record types, click the Add button below the Record Types and Attributes list. In the sheet that appears, select Record Types, select one or more record types from the list, and then click OK.

    To change the search base of a record type, select it in the Record Types and Attributes list. Then click the "Search base" field and edit the search base.

    To remove a record type, select it in the Record Types and Attributes list and click Delete.

    To add a mapping for a record type, select the record type in the Record Types and Attributes list. Then click the Add button below "Map to __ items in list" and enter the name of an object class from the LDAP directory. To add another LDAP object class, you can press Return and enter the name of the object class. Specify whether to use all or any of the listed LDAP object classes by using the pop-up menu above the list.

    To change a mapping for a record type, select the record type in the Record Types and Attributes list. Then double-click the LDAP object class that you want to change in the "Map to __ items in list" and edit it. Specify whether to use all or any of the listed LDAP object classes by using the pop-up menu above the list.

    To remove a mapping for a record type, select the record type in the Record Types and Attributes list. Then click the LDAP object class that you want to remove from the "Map to __ items in list" and click the Delete button below "Map to __ items in list."

  9. Add attributes and change their mappings as needed.

    To add attributes to a record type, select the record type in the Record Types and Attributes list. Then click the Add button below the Record Types and Attributes list. In the sheet that appears, select Attribute Types, select one or more attribute types, and then click OK.

    To add a mapping for an attribute, select the attribute in the Record Types and Attributes list. Then click the Add button below "Map to __ items in list" and enter the name of an attribute from the LDAP directory. To add another LDAP attribute, you can press Return and enter the name of the attribute.

    To change a mapping for an attribute, select the attribute in the Record Types and Attributes list. Then double-click the item that you want to change in the "Map to __ items in list" and edit the item name.

    To remove a mapping for an attribute, select the attribute in the Record Types and Attributes list. Then click the item that you want to remove from the "Map to __ items in list" and click the Delete button below "Map to __ items in list."

    To change the order of attributes displayed in the list on the right, drag the attributes up or down in the list.

  10. Click Write to Server if you want to store the mappings in the LDAP directory so that it can supply them automatically to its clients.

    You must enter a search base where the mappings will be stored, the distinguished name of an administrator (for example, cn=admin,dc=example,dc=com), and a password. If you are writing mappings to an Open Directory LDAP server, the correct search base is "cn=config, <suffix>" (where <suffix> is the server's search base suffix, such as "dc=example,dc=com").

    The LDAP directory supplies its mappings to clients that are configured to use an automatic search policy.

    The LDAP directory also supplies its mappings to clients that have been configured manually to get mappings from the server.
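The following is an added example, not part of the original Apple documentation and not Directory Access code. It models what steps 8 through 10 configure for one record type (search base, LDAP object classes with the all/any setting, and the ordered attribute mappings), derives the LDAP search that such a mapping implies, and applies the RealName/RecordName rule from the Important note above. The record type "Users", the search bases, the object classes posixAccount and inetOrgPerson, and the sample LDAP entry are constructed for illustration; the way values are collected from several mapped LDAP attributes (concatenated in list order) is a simplification and not a statement of Mac OS X's exact behavior.

```python
"""Constructed model of a Directory Access LDAPv3 record-type mapping."""
from dataclasses import dataclass, field
from typing import Dict, List


def escape_filter_value(value: str) -> str:
    """Escape characters that are special inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


@dataclass
class RecordTypeMapping:
    """One record type as shown in the Record Types and Attributes list."""
    record_type: str                   # Mac OS X record type, e.g. "Users"
    search_base: str                   # the "Search base" field for this record type
    object_classes: List[str]          # "Map to __ items in list" for the record type
    match_all: bool = True             # pop-up menu: all (True) or any (False)
    # Mac OS X attribute -> LDAP attributes in the order they appear in the list
    attributes: Dict[str, List[str]] = field(default_factory=dict)


def build_filter(m: RecordTypeMapping) -> str:
    """Turn the object-class list and the all/any setting into an LDAP filter."""
    clauses = ["(objectClass=%s)" % escape_filter_value(oc) for oc in m.object_classes]
    if len(clauses) == 1:
        return clauses[0]
    return "(%s%s)" % ("&" if m.match_all else "|", "".join(clauses))


def build_search(m: RecordTypeMapping) -> Dict[str, object]:
    """Search base, filter and the distinct LDAP attributes the mapping needs."""
    requested: List[str] = []
    for ldap_attrs in m.attributes.values():
        for a in ldap_attrs:
            if a not in requested:
                requested.append(a)
    return {"base": m.search_base, "filter": build_filter(m), "attrs": requested}


def resolve(m: RecordTypeMapping, mac_attr: str, entry: Dict[str, List[str]]) -> List[str]:
    """Collect values for a Mac OS X attribute from the mapped LDAP attributes,
    in list order (simplified; the first mapped attribute supplies the first value)."""
    values: List[str] = []
    for ldap_attr in m.attributes.get(mac_attr, []):
        values.extend(entry.get(ldap_attr, []))
    return values


def check_realname_rule(m: RecordTypeMapping) -> List[str]:
    """The rule from the Important note: no LDAP attribute mapped to RealName may
    also be the first attribute mapped to RecordName (read/write domains)."""
    problems = []
    record = m.attributes.get("RecordName", [])
    for real in m.attributes.get("RealName", []):
        if record and real.lower() == record[0].lower():
            problems.append(
                "%s: %r is mapped to RealName and is also the first attribute "
                "mapped to RecordName" % (m.record_type, real))
    return problems


def open_directory_config_base(suffix: str) -> str:
    """Search base for step 10 on an Open Directory server: cn=config under the suffix."""
    return "cn=config," + suffix


# Constructed sample mappings (not Mac OS X's shipped templates).
USERS = RecordTypeMapping(
    record_type="Users",
    search_base="cn=users,dc=example,dc=com",
    object_classes=["posixAccount", "inetOrgPerson"],
    match_all=True,
    attributes={"RecordName": ["uid"], "RealName": ["cn"], "UniqueID": ["uidNumber"]},
)
# Same mapping, but cn placed first under RecordName: violates the Important note.
BAD_USERS = RecordTypeMapping(
    record_type="Users",
    search_base="cn=users,dc=example,dc=com",
    object_classes=["posixAccount", "inetOrgPerson"],
    attributes={"RecordName": ["cn", "uid"], "RealName": ["cn"]},
)
# Constructed LDAP entry as a client would receive it.
SAMPLE_ENTRY = {"uid": ["jdoe"], "cn": ["Jane Doe"], "uidNumber": ["1001"]}

if __name__ == "__main__":
    print(build_search(USERS))
    print("RecordName ->", resolve(USERS, "RecordName", SAMPLE_ENTRY))
    print("RecordName (bad) ->", resolve(BAD_USERS, "RecordName", SAMPLE_ENTRY))
    for p in check_realname_rule(BAD_USERS):
        print("problem:", p)
    print(open_directory_config_base("dc=example,dc=com"))
```

With the bad mapping, the first short name and the full name both resolve from cn, which is exactly the situation the Important note says breaks editing in Workgroup Manager; running the check before clicking Write to Server catches it. The config base is built without the space shown after the comma in the text; the DN designates the same entry.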