Ask Different (Apple)

Q&A for power users of Apple hardware and software

Latest Questions

1 votes
0 answers
88 views
Configuring iMac 2023 to use Google LDAP Configuration but cannot connect
I am setting up a series of new iMacs 24 inch 2023 models to use Google LDAP in a classroom setting. I have gone through the directions that Google provide as well as Apple on adding LDAP to the users and groups but have run into a very confusing problem: On the screen where network servers is listed it shows a red icon indicating it cannot connect to ldap.google.com. When I look further at the settings, and open the Directory Utility and click edit on the Google LDAP configuration, it shows the custom option is unchecked. ![Google Secure LDAP dialog ][1] I will click ok and then do the mandatory reboot and when I come back it is changed again or the option is unselected. ![Users & Groups - Login Options ][2] Has anyone run into this issue or have a way to get around it?
Michael Rodgers (11 rep)
Mar 27, 2024, 04:49 AM • Last activity: Mar 27, 2024, 11:06 PM
2 votes
0 answers
753 views
Configure LDAP through command line (NOT Directory Utility) on Ventura and Monterey
I can configure Directory Utility to make Mac machines (Monterey and above) authenticate users through my OpenLDAP (Ubuntu-based) server and everything works perfectly fine. But I need to do it through the terminal because I have to automate the process and hold the machines in the desired state via Puppet. I have three files named Contacts.plist, Search.plist and ldapserver.company.com.plist and I want to place them (via Puppet) in the following paths respectively:
```
/Library/Preferences/OpenDirectory/Configurations/Contacts.plist
/Library/Preferences/OpenDirectory/Configurations/Search.plist
/Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldapserver.company.com.plist
```
I am not allowed to do this even as root, although it used to work before the new Apple filesystem layout (some read-only issue). But now I cannot put these files in there unless I boot up in recovery mode (to get rid of the read-only issue). I do not want to put the system in such a state at all. Apparently there is no way to create/replace such files in those paths and I have to configure it through some command-line tools (maybe like dsconfigldap or dscl). What I have done so far is running the following command (found here):
```
dsconfigldap -fa ldapserver.company.com -n "My Company LDAP Server" -N
```
This creates ldapserver.company.com.plist in a binary format. I converted the file to an XML format and the content is shown below:
```
description
        ldapserver.company.com
        module options

                AppleODClient

                        Server Mappings


                ldap

                        Denied SASL Methods

                                DIGEST-MD5

                        LDAP Referrals

                        Use DNS replicas



        node name
        /LDAPv3/ldapserver.company.com
        options

                connection idle disconnect
                60
                connection setup timeout
                10
                destination

                        host
                        ldapserver.company.com
                        other
                        ldap
                        port
                        389

                man-in-the-middle

                no cleartext authentication

                packet encryption
                0
                packet signing
                0
                query timeout
                30

        template
        Open Directory Server
```
This configuration is all default and not what I want (there is no mapping, the port used is 389 but I need 636, etc.). My desired config file is the following:
```
description
        ldapserver.company.com
                mappings

                attributes

                        objectClass

                function
                ldap:translate_recordtype
                recordtypes

                      dsRecTypeStandard:Automount

                                info

                                        Group Object Classes
                                        OR
                                        Object Classes

                                                automount

                                        Search Base
                                        ou=automount,dc=company,dc=com


                        dsRecTypeStandard:Users

                                attributetypes

                                        dsAttrTypeStandard:NFSHomeDirectory

                                                native
                                                homeDirectory



                                        Group Object Classes
                                        OR
                                        Object Classes

                                                posixAccount
                                                inetOrgPerson
                                                shadowAccount

                                        Search Base
                                        ou=current,dc=company,dc=com



                template
                LDAPv3

        module options

                AppleODClient

                        Server Mappings


                ldap

                        Denied SASL Methods

                                DIGEST-MD5
                                NTLM
                                GSSAPI
                                CRAM-MD5

                        LDAP Referrals

                        Use DNS replicas



        node name
        /LDAPv3/ldapserver.company.com
        options

                connection idle disconnect
                60
                connection setup timeout
                10
                destination

                        host
                        ldapserver.company.com
                        other
                        ldaps
                        port
                        636

                man-in-the-middle

                no cleartext authentication

                packet encryption
                3
                packet signing
                1
                query timeout
                30

        template
        LDAPv3
        trusttype
        anonymous
        uuid
        blah-blah-blah-blah-blah
```
I do not know how to use command-line tools to tweak that default file and write what I want. I do not want any sort of GUI alternative (like Apple Configurator or Blueprint etc.). All I want is a way to configure those three files (mentioned hereinabove) only through the command line. Please be aware that the desired config file might have some syntax errors because I did not copy the whole file as it was too long; I just copied a portion of it manually, which is prone to syntax errors. But I hope I have communicated what I intend to do. I'm open to any other approaches as long as it can be done through the command line. Any idea?
Roozbeh (41 rep)
Dec 20, 2022, 04:28 PM
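One way to do that rewrite from the command line, as an added example (not code from the original post or from Apple): a Python script using plistlib that reads the dsconfigldap default (XML or binary), rewrites the transport and authentication options to the values in the desired config above, and reports what still differs. The boolean values that are not visible in the two dumps, and the "no cleartext authentication" setting, are assumptions; record-type mappings are not covered, and installing the result still needs a writable configuration directory, which is the open problem in the question.

```python
"""Produce the hardened LDAPv3 node plist from the dsconfigldap default.

Added example, not code from the original post or from Apple. It assumes the
key names shown in the question's two plist dumps (the dsconfigldap default and
the desired file) and that the booleans whose values are not visible in those
dumps (Server Mappings, LDAP Referrals, Use DNS replicas, man-in-the-middle,
no cleartext authentication) start out False. Record-type mappings are not
covered; only the transport and authentication options are rewritten.
"""
import plistlib
from copy import deepcopy

# Constructed stand-in for the default file dsconfigldap writes, with the values
# taken from the question's XML dump of ldapserver.company.com.plist.
DEFAULT_NODE = {
    "description": "ldapserver.company.com",
    "module options": {
        "AppleODClient": {"Server Mappings": False},        # value assumed
        "ldap": {
            "Denied SASL Methods": ["DIGEST-MD5"],
            "LDAP Referrals": False,                        # value assumed
            "Use DNS replicas": False,                      # value assumed
        },
    },
    "node name": "/LDAPv3/ldapserver.company.com",
    "options": {
        "connection idle disconnect": 60,
        "connection setup timeout": 10,
        "destination": {"host": "ldapserver.company.com", "other": "ldap", "port": 389},
        "man-in-the-middle": False,                          # value assumed
        "no cleartext authentication": False,                # value assumed
        "packet encryption": 0,
        "packet signing": 0,
        "query timeout": 30,
    },
    "template": "Open Directory Server",
}

# SASL mechanisms the desired config in the question denies.
DENIED_SASL = ("DIGEST-MD5", "NTLM", "GSSAPI", "CRAM-MD5")


def harden_node(node: dict) -> dict:
    """Return a copy of `node` rewritten to the desired (ldaps/636) settings."""
    hardened = deepcopy(node)
    opts = hardened["options"]
    opts["destination"].update({"other": "ldaps", "port": 636})
    opts["packet encryption"] = 3      # value from the desired config
    opts["packet signing"] = 1         # value from the desired config
    opts["no cleartext authentication"] = True  # assumption: boolean hidden in the dump
    denied = hardened["module options"]["ldap"]["Denied SASL Methods"]
    for mech in DENIED_SASL:
        if mech not in denied:
            denied.append(mech)
    hardened["template"] = "LDAPv3"
    return hardened


def audit_node(node: dict) -> list:
    """List the settings that still differ from the hardened form (empty = clean)."""
    findings = []
    opts = node["options"]
    dest = opts["destination"]
    if dest.get("other") != "ldaps" or dest.get("port") != 636:
        findings.append(f"destination is {dest.get('other')}/{dest.get('port')}, not ldaps/636")
    if not opts.get("packet encryption"):
        findings.append("packet encryption is 0")
    if not opts.get("packet signing"):
        findings.append("packet signing is 0")
    if not opts.get("no cleartext authentication"):
        findings.append("cleartext authentication is still allowed")
    denied = set(node["module options"]["ldap"]["Denied SASL Methods"])
    missing = [m for m in DENIED_SASL if m not in denied]
    if missing:
        findings.append("SASL methods not denied: " + ", ".join(missing))
    return findings


def to_binary_plist(node: dict) -> bytes:
    """Serialise in the binary format dsconfigldap itself writes."""
    return plistlib.dumps(node, fmt=plistlib.FMT_BINARY)


def from_plist(data: bytes) -> dict:
    """Parse either XML or binary plist bytes (plistlib detects the format)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    import sys
    # Usage: harden_ldap_node.py default.plist hardened.plist
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        node = from_plist(f.read())
    print("before:", audit_node(node) or "clean")
    hardened = harden_node(node)
    print("after: ", audit_node(hardened) or "clean")
    with open(dst, "wb") as f:
        f.write(to_binary_plist(hardened))
```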
2 votes
1 answers
1334 views
OpenLDAP configuration via terminal on MacOS 12 and above (Monterey and Ventura)
I want to make Mac machines, in my network, use my LDAP Server to authenticate users. To do so, I tried the GUI tool "Directory Utility" and configured everything as desired and took a copy of following files which were created/modified after the attributes mappings and LDAP configuration:
```
/Library/Preferences/OpenDirectory/Configurations/Contacts.plist
/Library/Preferences/OpenDirectory/Configurations/Search.plist
/Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldapserver.mycompany.com.plist
```
Now I want to deploy these files to the other Mac machines through Puppet to configure all of the Mac machines to do the authentication process via the LDAP server. But the problem is I do not have permission to write into those paths (even as root). Apparently (I guess) the paths can be written through tools like Directory Utility (and maybe
). I used to use this approach before Big Sur and it was working perfectly fine but now I can't get it to work. I need a way to configure this through the terminal so I can automate (puppetise) the process. I googled it a lot but the only useful thing was
command which does not sound like it can be used to configure an LDAP node. I'm completely open to any other way to configure this and the only requirement is that it should be done through the terminal. In other words, is there any equivalent command-line utility for the Directory Utility GUI?
Roozbeh (41 rep)
Dec 15, 2022, 03:41 PM • Last activity: Dec 15, 2022, 04:03 PM
1 votes
0 answers
89 views
How do I stop Safari from marking password "reused" on all sites using same LDAP
I have a few resources that are in different domains, but all use the same LDAP authentication. So I have company.com, sceretCompanyDomain.com, companyDomainForDevTools.com, etc., which all use the same me@company.com/password LDAP login and password. All that is saved in Safari password storage. The problem is that Safari doesn't know those are all the same account. So it puts up some annoying warnings and exclamation marks to tell me that it thinks I'm reckless. Is there a way to tell it that certain domains use the same account and not just the same password?
Alissa (111 rep)
Oct 11, 2021, 03:05 PM • Last activity: Oct 11, 2021, 09:10 PM
1 votes
0 answers
189 views
Why does user authentication via OpenLDAP work everywhere except for MacOS 11 login and Time Machine?
I have an OpenLDAP directory on an Ubuntu server that I am trying to use for user management, authentication and various other goodies. I can use this directory and its authentication information to:

- log in to Ubuntu machines
- mount NFS volumes from Synology on Ubuntu machines
- mount NFS volumes from Synology on MacOS 11 machines
- authenticate iOS and iPadOS devices with Radius
- authenticate on MacOS in Directory Utility's Directory Editor
- ...

So I have done something right. However, the following are things that I cannot do, and I would be grateful for any wise words or advice that would help me:

- on MacOS use an SMB/APFS disk exported from another Mac as a Time Machine backup disk
- log in to a MacOS machine

**(Edited below after a weekend of trial and error.)** When I try to select the SMB disk from another Mac to use for TM backup, I select the disk, put in the user's name and password, and hit "Connect". After a couple of seconds the window wobbles to indicate that the authentication has failed. In my logs I see the following:
```
default	02:03:58.332679+0200	digest-service	digest-request: uid=0
default	02:03:58.332710+0200	digest-service	digest-request: init request
default	02:03:58.340797+0200	digest-service	digest-request: have no nodes with signing
default	02:03:58.342099+0200	digest-service	digest-request: init return domain: S-MAC-CW server: S-FMAC-CW indomain was: 
default	02:03:59.323723+0200	digest-service	digest-request: uid=0
default	02:03:59.334501+0200	digest-service	digest-request: authentication failed
default	02:03:59.334522+0200	digest-service	digest-request: od failed with -1561745586 proto=ntlmv2
default	02:03:59.334815+0200	digest-service	digest-request: user=S-MAC-CW\steve
default	02:03:59.335592+0200	digest-service	digest-request: kdc failed with 36150275 proto=unknown
default	02:03:59.335618+0200	digest-service	digest-request: guest failed with -1561745590 proto=ntlmv2
```
"steve" is the login name and the associated data is stored in the LDAP directory. "s-mac-cw" is the name of the machine I'm trying to log in to. The crux of the matter seems to me to be that the Mac is trying to authenticate the user S-MAC-CW\steve. _There is no such user._ S-MAC-CW is the MacMini, the domain is HOME so the Mac should be trying to authenticate HOME\steve. Noting the reference to NTLMv2, I have ensured that NTLM is one of the supportedSASLMechanisms recognised by OpenLDAP. I have also switched off SMB signing on the server and on the client. The LDAP logs simply show a successful lookup of the user "steve":
```
May  3 02:37:08 s-hrt0-cw slapd: conn=1208 op=2 SRCH base="dc=home,dc=arpa" scope=2 deref=3 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=steve)(cn=steve)))"
May  3 02:37:08 s-hrt0-cw slapd: conn=1208 op=2 SRCH attr=uid
May  3 02:37:08 s-hrt0-cw slapd: conn=1208 op=2 ENTRY dn="uid=steve,cn=users,dc=family,dc=home,dc=arpa"
May  3 02:37:08 s-hrt0-cw slapd: conn=1208 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
May  3 02:37:08 s-hrt0-cw slapd: conn=1208 op=3 SRCH base="dc=home,dc=arpa" scope=2 deref=3 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=steve)(cn=steve)))"
May  3 02:37:08 s-hrt0-cw slapd: conn=1208 op=3 SRCH attr=uidNumber uid userPassword
May  3 02:37:08 s-hrt0-cw slapd: conn=1208 op=3 ENTRY dn="uid=steve,cn=users,dc=family,dc=home,dc=arpa"
May  3 02:37:08 s-hrt0-cw slapd: conn=1208 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
May  3 02:37:10 s-hrt0-cw slapd: conn=1208 op=4 SRCH base="dc=home,dc=arpa" scope=2 deref=3 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=steve)(cn=steve)))"
May  3 02:37:10 s-hrt0-cw slapd: conn=1208 op=4 SRCH attr=uid
May  3 02:37:10 s-hrt0-cw slapd: conn=1208 op=4 ENTRY dn="uid=steve,cn=users,dc=family,dc=home,dc=arpa"
May  3 02:37:10 s-hrt0-cw slapd: conn=1208 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
May  3 02:37:10 s-hrt0-cw slapd: conn=1208 op=5 SRCH base="dc=home,dc=arpa" scope=2 deref=3 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=steve)(cn=steve)))"
May  3 02:37:10 s-hrt0-cw slapd: conn=1208 op=5 SRCH attr=uidNumber uid userPassword
May  3 02:37:10 s-hrt0-cw slapd: conn=1208 op=5 ENTRY dn="uid=steve,cn=users,dc=family,dc=home,dc=arpa"
May  3 02:37:10 s-hrt0-cw slapd: conn=1208 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
```
Note there is no mention of sambaNTPassword, which I would have expected if SMB was invoking NTLM. After this sequence the user name/password window does its wobble. I am flummoxed and would appreciate some help in interpreting these error messages and solving the underlying problem. Steve
Stephen Winnall (255 rep)
Apr 30, 2021, 12:05 AM • Last activity: May 3, 2021, 12:47 AM
1 votes
1 answers
949 views
Authenticate SMB file sharing on MacOS 10.15 bound to openldap
We're running a file-sharing server running MacOS 10.15 that is bound (for reasons outside of my control) to a bare openldap (slapd) server running on Ubuntu Server 18.04. The LDAP server is using a "self-signed" cert on its SSL interface, as the organization I'm at has their own CA. After working some magic to load the apple.schema and backfill apple guids for each user/group, every service that we offer for our mac clients bound to LDAP (AFP, screen sharing, ssh, etc) will successfully authenticate authorized network users/groups, *except for SMB*. Right now I am just trying to get smb sharing from a mac client to the file share. Some notes:

- SMB was initially not working for non-admin local accounts. I manually added the SMB SACL group, com.apple.access_smb, as it wasn't there by default. That resolves access issues for local accounts, but not network accounts. Not sure why it doesn't ship with that group since the PAM module specifically references it:
```
% cat /etc/pam.d/smbd
# smbd: service ACL account management support
account required    pam_sacl.so sacl_service=smb allow_trustacct
session required    pam_permit.so
```
I can confirm that my network user is a member,
```
% dseditgroup -o checkmember -m $USER com.apple.access_smb
yes $USER is a member of com.apple.access_smb
```
- Following the instructions in https://support.apple.com/en-us/HT204021 , I have disallowed validate negotiate requests from the client and only allowed SMB v2 on the server. There are no options for "authenticated binds" or Open Directory replica, as also referenced in the link.
- The config for the LDAP binding in Directory Utility uses custom mappings and authentication as a read-only user. I've added some custom mappings for apple-y and other things, and included the output of odutil at the bottom in case there are any obvious mappings I am missing.
- The tail-end of the debug logs when trying to mount shared drives using SMB as a network user shows some ocspd errors, so for the time being I've added 127.0.0.1 ocsp.apple.com to my /etc/hosts.

Long story short, I *still* cannot get network users to mount shared drives over SMB. From the client, the login box errors with the invalid request "shake". From the fileshare server, I pull the following using smbdiagnose - note we still have the ocspd error, and the smbd: transact: gss_accept_sec_context: major_status: 0xd0000, minor_status: 0xa2e9a74a doesn't seem to go anywhere...
```
smbd: (Security) [com.apple.securityd:security_exception] mach error: 1100
smbd: (Security) [com.apple.securityd:ocspdError] ocspdGlobals: error contacting server
smbd: (Security) [com.apple.securityd:ocspdError] ocspdTrustSettingsRead: OCSPD server error
smbd: (Security) [com.apple.securityd:trustSettings] TrustSettings: record not found for domain 1
smbd: (Security) [com.apple.securityd:trustSettings] TrustSettings(domain 1) destructor
smbd: (Security) [com.apple.securityd:trustSettings] tsGetGlobalTrustSettings: could not connect to ocspd for domain (1)
smbd: (Security) [com.apple.securityd:trustSettingsEval] evaluateCert: no trust settings
smbd: (Security) [com.apple.securityd:trustSettings] SecTrustSettingsEvaluateCert: found in domain 2
smbd: (Security) [com.apple.securityd:codedir] 0x7fb400437110 validating slot -2
smbd: (Security) [com.apple.securityd:unixio] open(/System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/Info.plist,0x0,0x1b6) = 7
smbd: (Security) [com.apple.securityd:unixio] close(7) err: 0
smbd: (Security) [com.apple.securityd:codedir] 0x7fb400437110 validating slot -1
smbd: (Security) [com.apple.securityd:cfloadfile] failed to fetch /System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/_CodeSignature/CodeTopDirectory error=-10
smbd: (Security) [com.apple.securityd:unixio] open(/System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/MacOS/SCKerberosConfig,0x0,0x1b6) = 7
smbd: (Security) [com.apple.securityd:unixio] 7 fcntl(48,0x1) = 0
smbd: (Security) [com.apple.securityd:unixio] close(7) err: 0
smbd: (Security) [com.apple.securityd:codedir] 0x7fb400437110 validating slot -1
smbd: (Security) [com.apple.securityd:staticCode] 0x7fb40041c908 loaded InfoDict 0x7fb401a14790
smbd: (Security) [com.apple.securityd:cfloadfile] failed to fetch /System/Library/KerberosPlugins/KerberosFrameworkPlugins/SCKerberosConfig.bundle/Contents/_CodeSignature/CodeEntitlements error=-10
smbd: (Security) [com.apple.securityd:handleobj] create 0x7fb401a0fd1d for 0x7fb401a0fd00
smbd: (Security) [com.apple.securityd:cssm] 0x7fb401a0fd00 attached module 0x7fb40052ee50(AppleX509CL) (ssid 0 type 8)
smbd: (Security) [com.apple.securityd:cssm] 0x7fb401a0fd00 detach module 0x7fb40052ee50(AppleX509CL)
smbd: (Security) [com.apple.securityd:unixio] close(8) err: 0
smbd: logoff_dequeue_session: Processing session id: 0xc86e29a600000001
smbd: handle_logoff_event: Session not in active state, sessid: 0xc86e29a600000001, state: 1
smbd: transact: gss_accept_sec_context: major_status: 0xd0000, minor_status: 0xa2e9a74a
```
Does anyone have any suggestions on other routes to try re: samba authenticated against an openldap server? Is it even possible? If not, is there an alternative filesharing protocol that would allow mounting shared drives to both macos and windows clients? Thanks for any help you're able to give! The OD configuration for the LDAP server, as mentioned:
% sudo odutil show configuration /LDAPv3/$LDAP_SERVER
{
    description = "$LDAP_SERVER";
    mappings =     {
        attributes =         (
            objectClass
        );
        function = "ldap:translate_recordtype";
        recordtypes =         {
            "dsRecTypeStandard:Groups" =             {
                attributetypes =                 {
                    "dsAttrTypeStandard:CreationTimestamp" =                     {
                        native = createTimestamp;
                    };
                    "dsAttrTypeStandard:GeneratedUID" =                     {
                        native = "apple-generateduid";
                    };
                    "dsAttrTypeStandard:GroupMembers" =                     {
                        native = "apple-group-memberguid";
                    };
                    "dsAttrTypeStandard:GroupMembership" =                     {
                        native = memberUid;
                    };
                    "dsAttrTypeStandard:Member" =                     {
                        native = memberUid;
                    };
                    "dsAttrTypeStandard:ModificationTimestamp" =                     {
                        native = modifyTimestamp;
                    };
                    "dsAttrTypeStandard:PrimaryGroupID" =                     {
                        native = gidNumber;
                    };
                    "dsAttrTypeStandard:RealName" =                     {
                        native = cn;
                    };
                    "dsAttrTypeStandard:RecordName" =                     {
                        native = cn;
                    };
                };
                info =                 {
                    "Group Object Classes" = OR;
                    "Object Classes" =                     (
                        posixGroup,
                        "apple-group"
                    );
                    "Search Base" = "...";
                };
            };
            "dsRecTypeStandard:Mounts" =             {
                attributetypes =                 {
                    "dsAttrTypeStandard:CreationTimestamp" =                     {
                        native = createTimestamp;
                    };
                    "dsAttrTypeStandard:ModificationTimestamp" =                     {
                        native = modifyTimestamp;
                    };
                    "dsAttrTypeStandard:RecordName" =                     {
                        native = cn;
                    };
                    "dsAttrTypeStandard:VFSDumpFreq" =                     {
                        native = mountDumpFrequency;
                    };
                    "dsAttrTypeStandard:VFSLinkDir" =                     {
                        native = mountDirectory;
                    };
                    "dsAttrTypeStandard:VFSOpts" =                     {
                        native = mountOption;
                    };
                    "dsAttrTypeStandard:VFSPassNo" =                     {
                        native = mountPassNo;
                    };
                    "dsAttrTypeStandard:VFSType" =                     {
                        native = mountType;
                    };
                };
                info =                 {
                    "Group Object Classes" = OR;
                    "Object Classes" =                     (
                        mount
                    );
                    "Search Base" = "...";
                };
            };
            "dsRecTypeStandard:OrganizationalUnit" =             {
                attributetypes =                 {
                    "dsAttrTypeStandard:AddressLine1" =                     {
                        native = street;
                    };
                    "dsAttrTypeStandard:City" =                     {
                        native = l;
                    };
                    "dsAttrTypeStandard:Comment" =                     {
                        native = description;
                    };
                    "dsAttrTypeStandard:Country" =                     {
                        native = c;
                    };
                    "dsAttrTypeStandard:FAXNumber" =                     {
                        native = facsimileTelephoneNumber;
                    };
                    "dsAttrTypeStandard:Password" =                     {
                        native = userPassword;
                    };
                    "dsAttrTypeStandard:PhoneNumber" =                     {
                        native = telephoneNumber;
                    };
                    "dsAttrTypeStandard:PostalAddress" =                     {
                        native = postalAddress;
                    };
                    "dsAttrTypeStandard:PostalCode" =                     {
                        native = postalCode;
                    };
                    "dsAttrTypeStandard:RealName" =                     {
                        native = cn;
                    };
                    "dsAttrTypeStandard:RecordName" =                     {
                        native = ou;
                    };
                    "dsAttrTypeStandard:State" =                     {
                        native = st;
                    };
                    "dsAttrTypeStandard:Street" =                     {
                        native = street;
                    };
                };
                info =                 {
                    "Group Object Classes" = OR;
                    "Object Classes" =                     (
                        organizationalUnit
                    );
                    "Search Base" = "...";
                };
            };
            "dsRecTypeStandard:People" =             {
                attributetypes =                 {
                    "dsAttrTypeStandard:AddressLine1" =                     {
                        native = street;
                    };
                    "dsAttrTypeStandard:Building" =                     {
                        native = buildingName;
                    };
                    "dsAttrTypeStandard:City" =                     {
                        native = l;
                    };
                    "dsAttrTypeStandard:Country" =                     {
                        native = c;
                    };
                    "dsAttrTypeStandard:CreationTimestamp" =                     {
                        native = createTimestamp;
                    };
                    "dsAttrTypeStandard:Department" =                     {
                        native = departmentNumber;
                    };
                    "dsAttrTypeStandard:EMailAddress" =                     {
                        native = mail;
                    };
                    "dsAttrTypeStandard:FAXNumber" =                     {
                        native = facsimileTelephoneNumber;
                    };
                    "dsAttrTypeStandard:FirstName" =                     {
                        native = givenName;
                    };
                    "dsAttrTypeStandard:HomePhoneNumber" =                     {
                        native = homePhone;
                    };
                    "dsAttrTypeStandard:JobTitle" =                     {
                        native = title;
                    };
                    "dsAttrTypeStandard:LastName" =                     {
                        native = sn;
                    };
                    "dsAttrTypeStandard:MobileNumber" =                     {
                        native = mobile;
                    };
                    "dsAttrTypeStandard:ModificationTimestamp" =                     {
                        native = modifyTimestamp;
                    };
                    "dsAttrTypeStandard:OrganizationName" =                     {
                        native = o;
                    };
                    "dsAttrTypeStandard:PagerNumber" =                     {
                        native = pager;
                    };
                    "dsAttrTypeStandard:PhoneNumber" =                     {
                        native = telephoneNumber;
                    };
                    "dsAttrTypeStandard:PostalAddress" =                     {
                        native = postalAddress;
                    };
                    "dsAttrTypeStandard:PostalCode" =                     {
                        native = postalCode;
                    };
                    "dsAttrTypeStandard:RealName" =                     {
                        native = cn;
                    };
                    "dsAttrTypeStandard:RecordName" =                     {
                        native = cn;
                    };
                    "dsAttrTypeStandard:State" =                     {
                        native = st;
                    };
                    "dsAttrTypeStandard:Street" =                     {
                        native = street;
                    };
                    "dsAttrTypeStandard:UserCertificate" =                     {
                        native = "userCertificate;binary";
                    };
                    "dsAttrTypeStandard:UserPKCS12Data" =                     {
                        native = userPKCS12;
                    };
                    "dsAttrTypeStandard:UserSMIMECertificate" =                     {
                        native = userSMIMECertificate;
                    };
                };
                info =                 {
                    "Group Object Classes" = OR;
                    "Object Classes" =                     (
                        inetOrgPerson
                    );
                    "Search Base" = "...";
                };
            };
            "dsRecTypeStandard:Users" =             {
                attributetypes =                 {
                    "dsAttrTypeStandard:Change" =                     {
                        native = shadowLastChange;
                    };
                    "dsAttrTypeStandard:Comment" =                     {
                        native = description;
                    };
                    "dsAttrTypeStandard:CreationTimestamp" =                     {
                        native = createTimestamp;
                    };
                    "dsAttrTypeStandard:Expire" =                     {
                        native = shadowExpire;
                    };
                    "dsAttrTypeStandard:GeneratedUID" =                     {
                        native = "apple-generateduid";
                    };
                    "dsAttrTypeStandard:ModificationTimestamp" =                     {
                        native = modifyTimestamp;
                    };
                    "dsAttrTypeStandard:NFSHomeDirectory" =                     {
                        native = "#/System/Volumes/Data/Users/$uid$";
                    };
                    "dsAttrTypeStandard:Password" =                     {
                        native = userPassword;
                    };
                    "dsAttrTypeStandard:PrimaryGroupID" =                     {
                        native = gidNumber;
                    };
                    "dsAttrTypeStandard:RealName" =                     {
                        native = cn;
                    };
                    "dsAttrTypeStandard:RecordName" =                     {
                        native = uid;
                    };
                    "dsAttrTypeStandard:UniqueID" =                     {
                        native = uidNumber;
                    };
                    "dsAttrTypeStandard:UserShell" =                     {
                        native = loginShell;
                    };
                };
                info =                 {
                    "Group Object Classes" = OR;
                    "Object Classes" =                     (
                        posixAccount,
                        inetOrgPerson,
                        shadowAccount,
                        "apple-user"
                    );
                    "Search Base" = "...";
                };
            };
        };
    };
    "module options" =     {
        AppleODClient =         {
            "Server Mappings" = 0;
        };
        ldap =         {
            "Denied SASL Methods" =             (
                "DIGEST-MD5",
                "CRAM-MD5",
                NTLM,
                GSSAPI
            );
            "LDAP Referrals" = 0;
            "Template Search Base Suffix" = "...";
            "Use DNS replicas" = 0;
        };
    };
    "node name" = "$LDAP_SERVER";
    options =     {
        "connection idle disconnect" = 60;
        "connection setup timeout" = 30;
        destination =         {
            host = "LDAP_HOST";
            other = ldaps;
            port = 636;
        };
        "man-in-the-middle" = 0;
        "no cleartext authentication" = 0;
        "packet encryption" = 3;
        "packet signing" = 1;
        "query timeout" = 60;
    };
    template = LDAPv3;
    trustaccount = "$TRUSTED_ACCOUNT";
    trustoptions =     (
        "system keychain"
    );
    trusttype = authenticated;
    uuid = "...";
}
doggie_breath (71 rep)
Mar 24, 2021, 02:46 PM • Last activity: Apr 29, 2021, 08:04 PM
1 votes
1 answers
5421 views
How can I verify if a group exists in Active Directory on a certain domain
In Windows you can use the "net" command to do this quite easily:
net group /domain groupName
Which checks if **groupName** exists in your current domain. Is there something equivalent in Mac?
brianrobt (121 rep)
Jun 18, 2020, 12:34 PM • Last activity: Mar 15, 2021, 02:03 PM
2 votes
1 answers
3155 views
Given the same remote LDAP server, why does Directory Utility work on one machine but not on the other?
I have an LDAP server (OpenLDAP) running under Ubuntu 20.04 that I use for user authentication in my network, which consists of Linux servers and MacOS 11 clients. On my desktop, which runs MacOS 11.1, I can use Directory Utility to access the LDAP database without any problems. I have a MacMini that I upgraded last week to MacOS 11.2. When I try to use Directory Utility on that machine, I get the error "Connection failed to the directory server (2100)" as soon as I select the LDAP server (as "/LDAPv3/*servername*") and before any prompt for username and password. There is a known problem with logging in to remote LDAP servers that can be resolved by executing the following script:
#!/bin/bash

for f in /Library/Preferences/OpenDirectory/Configurations/LDAPv3/*
do
  # the node name is the plist file name without its extension
  LDAP_SERVER=$(/usr/bin/basename "$f" ".plist")
  echo "$LDAP_SERVER"

  # ask the server's RootDSE which SASL mechanisms it advertises
  SASL_MECHANISMS=$(/usr/bin/ldapsearch -x -h "$LDAP_SERVER" -b '' -s base -LLL "(objectclass=*)" supportedSASLMechanisms | awk '{if($2 != "") printf "%s ",$2}')
  echo "  $SASL_MECHANISMS"

  # deny every advertised mechanism; $SASL_MECHANISMS is left unquoted on purpose so each mechanism becomes its own argument
  /usr/bin/odutil set configuration /LDAPv3/$LDAP_SERVER module ldap option "Denied SASL Methods" $SASL_MECHANISMS

done
I have executed this on both the desktop and the MacMini. So it seems that I have a different problem. I looked at the log file of the LDAP server to see what happened when I selected /LDAPv3/servername and got the following:
Feb  7 01:42:17 s-tow-00 slapd: conn=1266 fd=16 ACCEPT from IP=192.168.1.32:54621 (IP=0.0.0.0:389)
Feb  7 01:42:17 s-tow-00 slapd: conn=1266 fd=16 closed (connection lost)

Feb  7 01:42:28 s-tow-00 slapd: conn=1267 fd=16 ACCEPT from IP=192.168.2.127:65230 (IP=0.0.0.0:389)
Feb  7 01:42:28 s-tow-00 slapd: conn=1267 fd=16 closed (connection lost)
Feb  7 01:42:28 s-tow-00 slapd: conn=1268 fd=16 ACCEPT from IP=192.168.2.127:65231 (IP=0.0.0.0:389)
Feb  7 01:42:28 s-tow-00 slapd: conn=1268 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Feb  7 01:42:28 s-tow-00 slapd: conn=1268 op=0 SRCH attr=supportedSASLMechanisms defaultNamingContext namingContexts schemaNamingContext saslRealm
Feb  7 01:42:28 s-tow-00 slapd: conn=1268 op=0 ENTRY dn=""
Feb  7 01:42:28 s-tow-00 slapd: conn=1268 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
The MacMini (conn=1266, IP=192.168.1.32) returns immediately, whereas the desktop (1267, 1268, 192.168.2.127) proceeds to initiate a query. I looked at the files in /Library/Preferences/OpenDirectory/Configurations/LDAPv3 on both machines to see if there was any difference there. Both contain entries for my LDAP servers (let's call them *server1* and *server2*). On the desktop, their permissions were 0644, whereas on the MacMini they were 0600. I cannot change the permissions with chmod (thank you, SIP), so I started Directory Utility with sudo, but the problem still persisted, so I conclude that it has nothing to do with permissions. I then experimented with dscl in interactive mode. On the desktop I got the following:
> ls /LDAPv3/server1
Automount
AutomountMap
CertificateAuthorities
Groups
Mounts
OrganizationalUnit
People
Users
whereas all the MacMini could manage was
> ls /LDAPv3/server1
ls: Invalid Path
 DS Error: -14009 (eDSUnknownNodeName)
I'm at a bit of a loss knowing how to proceed. I thought about exporting the configuration from the desktop using Directory Utility's "Write to Server" and then importing it on the MacMini, but I get "Operation is not supported by the directory node.", which I guess means that I have configured something incorrectly. I *can* "Save Template...", but the directory that I was told was intended for templates (~/Library/Application Support/Directory Access/LDAPv3/Templates) is stubbornly ignored on the MacMini. Does anyone have any suggestions, please, as to how to proceed? Steve
Stephen Winnall (255 rep)
Feb 7, 2021, 01:51 AM • Last activity: Mar 13, 2021, 08:05 PM
1 votes
0 answers
285 views
MacOS Catalina ldap browser supporting certificate authentication?
I’m looking for an GUI based ldap browser here that supports certificate authentication I previously used softerra on windows. I’ve looked into: PhpLdap admin, Jxplorer, Ldapadmin tool. - I checked into LdapSofts ldap browser but their product doesn’t support cert auth - I am aware of the Directory Utility on the Mac but I don’t need a full directory and also don’t know if it can be configured as just a client with cert auth - I have Apache Directory Studio but It doesn’t support cert auth I’m specifically using certs from a smart card. I need the GUI to look at specific attributes of user accounts without having to convert them; which is why I’d prefer not to use CLI. Does anyone have a GUI tool they know works with certs?
Staci (11 rep)
Jan 30, 2021, 04:13 PM • Last activity: Jan 30, 2021, 08:21 PM
0 votes
1 answers
294 views
How to kerberize services on Mac bound to Kerberos KDC on Linux?
I'm trying to kerberize services on an iMac that is bound to an external Kerberos KDC on a Linux computer. I assume that I have to use sso_util and do it like this: sso_util configure -v 7 -r EXAMPLE.COM -f /LDAPv3/kdc.example.com -a diradmin/admin all where EXAMPLE.COM is the name of the realm and kdc.example.com is the Linux computer which hosts LDAP and Kerberos. I get the following error message:
GetRealmFromDir: looking up the realm name in the KerberosKDC config record in node
/LDAPv3/ldap.keps.de
GetRealmFromDir: Couldn't get attributes of kerberoskdc record
GetRealmFromDir: didn't find a KerberosKDC record, looking in the KerberosClient record
GetConfigFromDir: failed to find the KerberosClient config record in the directory error = 4101
GetRealmFromDir: didn't find a KerberosClient record either, returning NULL
GetRealmFromDir: realm is :(null)
Invalid Realm Name
It looks like I must put some configuration data in the LDAP database but what data according to what schema?
blaschep (1 rep)
Jun 7, 2020, 07:54 PM • Last activity: Nov 4, 2020, 09:00 PM
1 votes
0 answers
208 views
Import and export LDAP settings from Directory utility
Is there a way to import and export LDAP settings in macOS Catalina? In previous OS versions, when installing a new laptop, we will connect it to our LDAP server simply by copying some files with our settings like: /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap_server_fqdn.plist /Library/Preferences/OpenDirectory/Configurations/Search.plist Since Catalina, this solution doesn't work anymore. We always have to register the configuration/bindings manually.
Kevin Lemaire (300 rep)
Sep 3, 2020, 09:05 AM
3 votes
1 answers
1148 views
LDAP users in Catalina cannot log in - CRAM-MD5 error in opendirectoryd
I'm using Catalina 10.15.4 OSX as client and FreeBSD 12-1 with openldap-sasl-server-2.4.48_1 as Openldap server. I've configured the LDAP server using Directory Utility.
- I can see the LDAP users on Directory Editor tab;
- I can use "id user" in terminal showing the user, its groups etc;
- I can use "dscl localhost -read /Search/Users/user" that shows all user info;
- I can use "dscacheutil -q user -a name user" that shows all user info;
- I can change to root in terminal and then "su - user" and it works (I've created the home directory and mapped to #/Users/$uid$);
- BUT I CAN'T login using user. All network users are enabled to login. I've tried using "ssh user@localhost" and at Login Window. It doesn't work.
Setting debug with "odutil set log debug" and taking a look in Console logs:
opendirectoryd failed CRAM-MD5 authentication for authzid - '' authcid - '' error 49
opendirectoryd ODRecordVerifyPassword failed with result ODErrorCredentialsInvalid
opendirectoryd nw_path_evaluator_start [78C31F06-08D0-4EF9-B584-EB41028A814D IPv6#0d17d740.389 generic, local: IPv6#ef0057ec.49455, indefinite] path: unsatisfied (No network route)
On server, CRAM-MD5 is available.
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: SCRAM-SHA-256
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
What's going wrong? How to use LDAP users on OSX? There are some tutorials on the Internet about editing a directory configuration file (plist). However, this had worked in later versions of OSX.
For example:
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string DIGEST-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string CRAM-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string NTLM" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
/usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string GSSAPI" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
In Catalina we can't edit this file (yourldapserver.plist) anymore. I've tried to use another tool, **defaults**, but the file can only be altered if we copy it to another place. At the normal system location we can't edit it to test these configurations.
Jorge (281 rep)
Apr 5, 2020, 07:12 PM • Last activity: May 3, 2020, 12:12 AM
4 votes
1 answers
709 views
Automated LDAP and Search setup on Catalina
I'm looking for an automated way to set up LDAPv3 on OSx Catalina. There is an additional level of complexity as we need to set a custom search base for the Automount, Groups, and Users. Prior to catalina:
/Library/Preferences/OpenDirectory/Configurations/Search.plist
/Library/Preferences/OpenDirectory/Configurations/LDAPv3/my_ldap_server.plist
These files are now write-protected, yet the OS is still capable of writing to them it seems (or rather the /System/Volumes/Data/Library/... variant). I can't understand why sudo/root can't write to these files, as I can't find a firmlink that would limit this in /usr/share/firmlinks. I'm also open to other automated ways of setting up LDAP connections by the way :)
EDIT: Please note that I'm not looking to edit the files mentioned above. I'm trying to automate LDAP setup! It can be done in the system preferences, and I'm just looking for a terminal way to do the same.
maartend (41 rep)
Dec 20, 2019, 03:14 PM • Last activity: Feb 5, 2020, 04:03 PM
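The two automation questions above (Kevin Lemaire's copy-the-plists approach that stopped working in Catalina, and maartend's request for a terminal equivalent of the System Preferences bind) can be served by dsconfigldap(8), which creates the LDAPv3 node for you instead of writing into the protected plists. The script below is an added example and not code from either post or from Apple; the flags are as documented in dsconfigldap's man page (-a add server, -n configuration name, -u directory admin, -p its password, -s force SSL, -e require packet encryption, -v verbose) and should be checked against `man dsconfigldap` on the release being provisioned. Server name, configuration name, admin account and the test user are placeholders, and DSCONFIGLDAP is a hook of this example (not a dsconfigldap feature) for dry runs.

```bash
#!/bin/bash
# Added example: unattended LDAPv3 bind with dsconfigldap(8) for a freshly
# provisioned Mac. Assumptions: dsconfigldap flags as listed in the lead-in;
# the server has a TLS certificate issued to the name passed as $1.
set -eu

# Bind to a name, never a bare IP (compare the /LDAPv3/10.0.1.57 node in the
# log lines elsewhere on this page): certificates are issued to names, and
# forcing SSL with -s only helps when the name you bind to is one the
# certificate can be checked against.
valid_fqdn() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Create the node. The directory admin password is read from stdin so it is
# not embedded in the script; it is still visible to ps(1) on this host while
# dsconfigldap runs, which is tolerable during first-boot provisioning but not
# on a shared machine that is already in use.
# -g (packet signing) and -m (man-in-the-middle protection) are left out: in
# Directory Utility's Security tab they are labelled as requiring Kerberos,
# which the OpenLDAP servers discussed on this page do not provide.
bind_ldap() {  # $1 server FQDN, $2 configuration name, $3 directory admin
  local tool="${DSCONFIGLDAP:-/usr/sbin/dsconfigldap}"   # example hook for dry runs
  local pass
  valid_fqdn "$1" || { echo "refusing to bind to a non-FQDN: $1" >&2; return 1; }
  IFS= read -r pass
  "$tool" -v -a "$1" -n "$2" -u "$3" -p "$pass" -s -e
}

# After the bind, confirm the node answers and is on the search policy by
# resolving a known directory user both directly and through /Search.
verify_bind() {  # $1 server FQDN, $2 a user that exists in the directory
  dscl "/LDAPv3/$1" -read "/Users/$2" RecordName >/dev/null &&
  dscl /Search -read "/Users/$2" RecordName >/dev/null
}

# usage: printf '%s\n' "$ADMIN_PASS" | ./bind-ldap.sh ldap.example.com "LDAP Server" diradmin testuser
if [ "$#" -ge 4 ]; then
  bind_ldap "$1" "$2" "$3"
  verify_bind "$1" "$4"
fi
```

Run it once on a scratch machine with `DSCONFIGLDAP=echo` to see the exact command line before letting a provisioning tool run it for real; a failed `verify_bind` after a successful `bind_ldap` usually means the node was created but not added to the search policy, or that the user is outside the configured search base.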
2 votes
2 answers
1488 views
Can't remove LDAP account from Internet Accounts
The goal: Remove LDAP Contacts account from list of the Internet Accounts.
The problem: Removed LDAP account reappears in the Accounts list in 5 seconds after deletion.
Current OS: macOS 10.13 High Sierra
Steps:
1. System Preferences -> Internet Accounts
2. Select the LDAP Account
3. Press "-" button
4. Press "Remove From All" button on the pop-up dialog window "Do you want to remove the LDAP account “ldap.hostname.com” from all your computers using iCloud Keychain?"
5. Account removed from the list
6. After 5 seconds it appears in the list again.
Alexander Borisov (21 rep)
May 25, 2018, 08:28 AM • Last activity: Mar 31, 2019, 05:43 PM
1 votes
1 answers
340 views
Connecting to Ubuntu 16.04 LDAPv3 server from macOS clients
I've been working on an Ubuntu 16.04 server that has LDAPv3 active via OpenLDAP; my client machines are all macOS from El Capitan up to High Sierra. On the server I have the samba schema implemented, along with the apple schema implemented:
serveradmin@Magic:~$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}ppolicy,cn=schema,cn=config
dn: cn={5}samba,cn=schema,cn=config
dn: cn={6}apple,cn=schema,cn=config
serveradmin@Magic:~$
On my client machine I am able to connect to the LDAPv3 server from the Directory Utility by changing the connection type to RFC2307 and editing the base to be ou=People,dc=salty,dc=domain,dc=com. I can see my users in the Directory Editor. I can connect to my file share over smb://. However, when I try to log in as one of my users it will not allow me to log in. The log files show something like the following:
CDT - AID 0x000..26 93.7657.7246, Node: /LDAPv3/10.0.1.57, Module ldap __odnode_copy_record_block_invoke: 4101: No predicates provided
or
CDT - AID 0x000..1042 394.3858, Node: /LDAPv3/10.0.1.57, Module: ldap - failed to retrieve password for credential
No matter what I do it seems like I keep getting the same error message. What is causing this problem, and how can I fix it?
CertifcateJunky (241 rep)
Jun 6, 2018, 08:23 PM • Last activity: Jan 23, 2019, 12:02 AM
1 votes
1 answers
929 views
How to store and retrieve S/MIME certificates in Open Directory (LDAP) of macOS Server?
Is it possible to use the Open Directory of the macOS Server app to store and retrieve S/MIME (X.509) certificates with the user data? *Background:* I would like to share our public S/MIME certificates over our LDAP, so they can automatically be retrieved from any (supporting) client without having to import them manually. I have found articles that claim it is possible in general with OpenLDAP, but how can it be done with Open Directory? I understand there are the attributes userCertificate and userSMIMECertificate for this. Are they available in Open Directory, and if not, can they be added? And once they are added, can they be updated through the Server app or just from the command line? The server is on Sierra in case that matters. I'd appreciate any reply or comment or link to a howto that could help.
not2savvy (2070 rep)
Mar 20, 2018, 05:32 PM • Last activity: Jan 22, 2019, 12:42 PM
3 votes
1 answers
12230 views
Authenticate Mac users by LDAP
I connected to the LDAP server with a special account and searching password using the Directory Utility. When I set the LDAPv3 Service to RFC2307 LDAP Mappings, with SSL checked, I can move to Directory Editor and authenticate using the username and password for the LDAP directory. I cannot login to the computer however. I did this:
1. Checked the box in Users & Groups - Allow network users to login ....
2. Clicked Options
3. Chose Only these network users
4. Clicked + and searched for my LDAP username
5. Selected the user name so it appears in the list.
When I try to login, the box only shakes and these log error messages arrive in the system.log.
Aug 31 10:35:58 MacBook-Pro SecurityAgent: User info context values set for userid
Aug 31 10:35:58 MacBook-Pro authorizationhost: Failed to authenticate user (error: 13).
Some guides on the web indicate error 13 to be so: Indicates that the session is not protected by a protocol such as Transport Layer Security (TLS), which provides session confidentiality and the request will not be handled without confidentiality enabled. But I chose SSL and do not find a box or method to change this to TLS in the Mac Directory Utility. When I click Security in the setup section (where I put the "use authentication when connecting" information) the Security Policy options are unavailable with the message "Server capabilities and requirements determine the availability of options." So, I cannot choose to sign all packets or to Encrypt all packets... When I choose other connection schemes, like Open Directory or Custom, I was unable to even authenticate in the Directory Editor window. (Error 500, 2100) The "authentication when connecting" information is the same that I use for web applications that provide access by LDAP so it surely works in the field. Just not apparently from the Mac when trying to login. Have any advice to allow users to authenticate on this mac by LDAP to access share folders?
ndasusers (557 rep)
Aug 31, 2016, 03:21 PM • Last activity: Oct 7, 2018, 02:00 PM
0 votes
2 answers
2938 views
how do I enable the root user from the Directory Utility?
How do I enable the root account? I don't see any options related to the system user. Do I enter the server as "localhost"? What do I select here?
System Software Overview:
System Version: OS X 10.10.2 (14C1510)
Kernel Version: Darwin 14.1.0
Boot Volume: Mac OSx
Boot Mode: Normal
Computer Name: A MacBook Pro
User Name: thufir (thufir)
Secure Virtual Memory: Enabled
Time since boot: 1:03
Hardware Overview:
Model Name: MacBook Pro
Model Identifier: MacBookPro9,1
Processor Name: Intel Core i7
Processor Speed: 2.3 GHz
Number of Processors: 1
Total Number of Cores: 4
L2 Cache (per Core): 256 KB
L3 Cache: 6 MB
Memory: 4 GB
Boot ROM Version: MBP91.00D3.B08
SMC Version (system): 2.1f175
Serial Number (system): C02HH5JQDV33
Hardware UUID: FBB1FF0A-6EAC-5423-9E8F-405B181EF5F3
Sudden Motion Sensor:
State: Enabled
Thufir (241 rep)
Mar 15, 2015, 08:31 PM • Last activity: Sep 11, 2018, 05:00 PM
1 votes
1 answers
783 views
ldap users cannot log in
I have created an ldap server (hosted externally with a domain name) on a ubuntu 18.04 machine with openLDAP. I configured linux machines to allow my users to connect using ldap and it works as expected (the user can log-in on the machine, and it creates a new home directory). However on mac, I can list my users in the Directory Utility, and I can get my user information (with his group declared in ldap):
bash$ id -p hlarget
uid hlarget
groups sysadmin everyone netaccounts com.apple.sharepoint.group.1
But when I try to login as the admin user to edit my directory, I have a 2100 error. And when I try to log using ssh hlarget@localhost, or even in session manager, I cannot:
failed CRAM-MD5 authentication for authzid - 'dn:cn=hlarget+o=example+ou=users,ou=users,dc=example,dc=com' authcid - 'hlarget' error 49
I'm pretty sure it's an encryption error (I use ssha encryption for my UserPassword). How can I figure out what the problem is? And how to fix it?
d3cima (121 rep)
Aug 29, 2018, 01:50 PM • Last activity: Sep 4, 2018, 07:12 AM
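The CRAM-MD5 "error 49" in Stephen Winnall's, Jorge's and d3cima's posts above is one failure with one cause. CRAM-MD5 and DIGEST-MD5 are challenge-response mechanisms: the server must hold the password in a form it can compute the response from, and an OpenLDAP server that stores userPassword as an {SSHA} hash cannot, so the bind fails with invalidCredentials (49) even though the password is right. opendirectoryd tries such a mechanism only because the RootDSE advertises it; putting it on the node's "Denied SASL Methods" list makes the client fall back to a simple bind, which carries the password in the clear unless the node is reached over ldaps://. The script below is an added example, not code from any of the posts: it recomputes the deny list from the RootDSE the way the workaround script does, lets you keep mechanisms that do work for you (for instance GSSAPI where the Macs hold Kerberos tickets), and refuses to apply the list over a non-TLS URI. It assumes the `odutil set configuration ... module ldap option "Denied SASL Methods"` invocation used in the posts; the node path and server URI are placeholders passed on the command line.

```bash
#!/bin/bash
# Added example: rebuild the "Denied SASL Methods" list of an OpenDirectory
# LDAPv3 node from what the server advertises, but only over ldaps://.
# Assumed: the odutil invocation from the posts on this page; node and URI
# are placeholders. Run with no arguments it only defines the functions.
set -eu

# Print the SASL mechanisms named in RootDSE LDIF read from stdin, one per
# line, sorted and de-duplicated (ldapsearch -LLL prints "attr: value").
sasl_mechanisms_from_ldif() {
  awk -F': ' '$1 == "supportedSASLMechanisms" { print $2 }' | sort -u
}

# Read mechanisms (one per line) from stdin and print the ones to deny: all of
# them except those listed, space separated, in $1. Denying everything is what
# the posts do; pass "GSSAPI" to keep Kerberos binds working.
deny_list() {
  local keep=" ${1:-} " mech
  while IFS= read -r mech; do
    if [ -n "$mech" ]; then
      case "$keep" in
        *" $mech "*) ;;                 # explicitly kept
        *) printf '%s\n' "$mech" ;;
      esac
    fi
  done
}

# The deny list forces a simple bind, so refuse to apply it without TLS.
require_ldaps_uri() {
  case "$1" in
    ldaps://*) return 0 ;;
    *) echo "refusing to deny SASL methods over a non-TLS URI: $1" >&2; return 1 ;;
  esac
}

# RootDSE query: anonymous simple bind (-x), empty base, base scope, plain LDIF.
fetch_rootdse() {
  /usr/bin/ldapsearch -x -H "$1" -b '' -s base -LLL '(objectClass=*)' supportedSASLMechanisms
}

# Apply with odutil exactly as the posts do; $1 is the node (for example
# /LDAPv3/ldap.example.com), the remaining arguments are the mechanisms.
apply_deny_list() {
  local node=$1; shift
  /usr/bin/odutil set configuration "$node" module ldap option "Denied SASL Methods" "$@"
}

main() {  # $1 node path, $2 server URI, $3 optional mechanisms to keep
  local node=$1 uri=$2 keep=${3:-} ldif mechs
  require_ldaps_uri "$uri"
  # Fetch first, then parse: an unreachable server must abort (set -e), not
  # be mistaken for a server that advertises no SASL mechanisms.
  ldif=$(fetch_rootdse "$uri")
  mechs=$(printf '%s\n' "$ldif" | sasl_mechanisms_from_ldif | deny_list "$keep")
  if [ -z "$mechs" ]; then
    echo "nothing to deny on $uri" >&2
    return 0
  fi
  # shellcheck disable=SC2086 -- one argument per mechanism is intended
  apply_deny_list "$node" $mechs
}

# usage: harden-sasl.sh /LDAPv3/ldap.example.com ldaps://ldap.example.com:636 [mechanisms to keep]
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

If ldapsearch rejects the ldaps:// connection because the server certificate does not validate, fix the trust (install the issuing CA, or bind to the name on the certificate) rather than relaxing the URI check: a client that falls back to a simple bind over plain LDAP is exactly what the deny list must not produce.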
0 votes
1 answers
1465 views
How to autocomplete with LDAP directory in Mail.app?
Is it possible to have Mail pull matches from an LDAP directory as I type them in the To/Cc/Bcc fields?
Louis Waweru (2596 rep)
Sep 9, 2014, 09:36 PM • Last activity: Jun 10, 2018, 12:02 AM
Showing page 1 of 20 total questions