Today I’m hacking together some things I’ve learned during administrating a bunch of Macs that had to use a centralized OpenLDAP-cluster as “OpenDirectory”-backend.
To get authentication as well as authorization to work we had to tweak the mapping of Apples DirectoryService-fields to the LDAP-Attributes of our OPenLDAP.
Luckily it’s not rocket science as Apples own OpenDirectory is based on OpenLDAP as well, so there are some parallels.
NOTE: ALL the things described here apply to MacOS 10.8 clients and an OpenLDAP-backend. They worked out for our settings. If you change any of your settings you are doing so on your own risk!
So first of all: Where can you change those mappings? I’ve put together some screenshots to guide you through the way:
- Open your System Preferences Users & Groups-panel
- Go to the Login Options
- Click onto the Edit-button next to your Network Account Server (you might have to unlock the settings by entering an administrative username and password)
- In the opening modal window click onto Open Directory Utility… – This will open the Directory Utility. There might be different ways to get there as starting the App right from
- In the Directory Utility highlight LDAPv3 and click onto the edit-button below the list (or double click LDAPv3)
- In the opening modal window you see a column LDAP Mappings where you should be able to change the setting for your server. By default it is set to Open Directory but you should also be able to choose Custom from the list.
- Choosing Custom will open a settings window where you can alter the existing LDAP-Mapping.
On the left hand side Record Types and Attributes list you can scroll down to Users and open the Record Type by clicking the triangle. Then you can select the Attribute RealName. This will show the entry cn in the right hand list. That means, that the LDAP-Attribute cn is mapped to the DirectoryService-Attribute RealName. You might now be able to change that to the mail-address by either deleting the cn-entry and adding a new one with the value mail (or whatever is the LDAP-Attribute you store your email-address in) or you can edit the cn-entry by double-clicking it.
Once you are finished you can save the new template by clicking Save Template…. You should store the plist-file in the folder
/Library/Application Support/Directory Access/LDAPv3/Templates. When you do so, your own, new mapping scheme will show up in the select box of step 6 (after a fresh start of the Directory Utility as the list is always read at application start).