
Configuring Access to an LDAP Directory Manually

You can manually create a configuration that specifies how Mac OS X accesses an LDAPv3 or LDAPv2 directory. You must know the DNS name or IP address of the LDAP directory server.

If the directory is not hosted by Mac OS X Server, you must know the search base and the template for mapping Mac OS X data to the directory’s data. The supported mapping templates are:

 From Server, for a directory that supplies its own mappings and search base, such as Mac OS X Server

 Open Directory Server, for a directory that uses the Mac OS X Server schema

 Active Directory, for a directory hosted by a Windows 2000, Windows 2003, or later server

 RFC 2307, for most directories hosted by UNIX servers

 Custom, for directories that don’t use any of the above mappings

The LDAPv3 plug-in fully supports Open Directory replication and failover. If the Open Directory master becomes unavailable, the plug-in falls back to a nearby replica.

Important: If your computer name contains a hyphen, you might not be able to join or bind to a Directory Domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.

To manually configure access to an LDAP directory:

1 Open System Preferences and click Accounts.

2 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3 Click Login Options, then click Join or Edit.

4 Click Open Directory Utility.

5 If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6 Click Services.

7 In the list of services, select LDAPv3 and click the Edit (/) button.

You can select LDAPv3 in the list of services without selecting the Enable checkbox for LDAPv3.

8 Click New, then click Manual.

9 Enter a name for the configuration.

10 Press Tab and enter the DNS name or IP address of the server that hosts the LDAP directory you want to access.

11 Next to the DNS name or IP address, click the pop-up menu and choose a mapping template or method:

 If you choose From Server, a search base suffix is not needed. In this case, Open Directory assumes the search base suffix is the first level of the LDAP directory.

 If you choose a template, enter the search base suffix for the LDAP directory and click OK. You must enter a search base suffix or the computer can’t find information in the LDAP directory.

Typically, the search base suffix is derived from the server’s DNS name. For example, the search base suffix could be “dc=ods,dc=example,dc=com” for a server whose DNS name is ods.example.com.

Chapter 8 Advanced Directory Client Settings 139

 If you choose Custom, you must set up mappings between Mac OS X record types and attributes and the classes and attributes of the LDAP directory you’re connecting to. For more information, see “Configuring LDAP Searches and Mappings” on page 146.

12 Before you select the “Encrypt using SSL” checkbox, check with your Open Directory administrator to determine if SSL is needed.

13 To change the following settings for this LDAP configuration, click Edit to display the options for the selected LDAP configuration, make changes, and click OK when you finish editing the LDAP configuration options.

 Click Connection to set timeout options, specify a custom port, ignore server referrals, or force use of the LDAPv2 (read-only) protocol. For more information, see “Changing the Connection Settings for an LDAP Directory” on page 143.

 Click Search & Mappings to set up searches and mappings for an LDAP server. For more information, see “Setting Up Trusted Binding for an LDAP Directory” on page 149.

 Click Security to set up an authenticated connection (instead of trusted binding) and other security policy options. For more information, see “Changing the Security Policy for an LDAP Connection” on page 145.

 Click Bind to set up trusted bindings (if the LDAP directory supports it). For more information, see “Setting Up Trusted Binding for an LDAP Directory” on page 149.

14 Click OK to finish manually creating the configuration to access an LDAP directory.

15 If you want the computer to access the LDAP directory you created a configuration for, add the directory to a custom search policy in the Authentication pane and the Contacts pane of Search Policy in Directory Utility, then make sure LDAPv3 is enabled in the Services pane.

For more information, see “Enabling or Disabling LDAP Directory Services” on page 133 and “Defining Custom Search Policies” on page 129.

Note: Before you can use Workgroup Manager to create users on a non-Apple LDAP server that uses RFC 2307 (UNIX) mappings, you must edit the mapping of the Users record type. For more information, see “Editing RFC 2307 Mapping to Enable Creating Users” on page 155.

Important: If you change your IP address and computer name using changeip while you are connected to a directory server, you must disconnect and reconnect to the directory server to update the directory with the new computer name and IP address.

If you do not disconnect and reconnect to the directory server, the directory will not update and will continue to use the old computer name and IP address.
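As an added example that is not part of this manual, the shell functions below derive the search base suffix from a server’s DNS name (the rule described under step 11), flag a computer name containing a hyphen (the binding problem noted above), and verify the suffix against the server with an OpenLDAP ldapsearch base-scope query before you enter it in Directory Utility. The server name ods.example.com is the manual’s own; the availability of the ldapsearch command is an assumption.

```shell
#!/bin/sh
# Added example, not from the Apple manual: helpers for preparing a manual
# LDAPv3 configuration before typing it into Directory Utility.

# Derive the search base suffix from a DNS name:
#   ods.example.com -> dc=ods,dc=example,dc=com
# Returns 1 for an empty name, a leading/trailing dot, an empty label,
# or characters that are not valid in a DNS name.
search_base_from_dns() {
    fqdn=$1
    case "$fqdn" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    out=
    oldifs=$IFS
    IFS=.
    for label in $fqdn; do
        out="${out:+$out,}dc=$label"
    done
    IFS=$oldifs
    printf '%s\n' "$out"
}

# The manual warns that a computer name containing a hyphen may prevent
# joining or binding to an LDAP or Active Directory domain. Returns 1 if
# the name contains a hyphen so the caller can rename before binding.
computer_name_ok() {
    case "$1" in
        *-*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Verify that the server answers and that the suffix is a real naming
# context: a base-scope search of the suffix itself returns exactly that
# entry when the suffix is correct. Pass "ldaps" as the third argument to
# test the port you will use with the "Encrypt using SSL" checkbox selected.
# Assumes the OpenLDAP ldapsearch client is installed.
check_search_base() {
    server=$1
    base=$2
    scheme=${3:-ldap}
    ldapsearch -LLL -x -H "$scheme://$server" -b "$base" -s base '(objectClass=*)' dn
}

# Usage (run from Terminal; commented out so the file is safe to source):
#   base=$(search_base_from_dns ods.example.com)   # dc=ods,dc=example,dc=com
#   computer_name_ok "$(hostname -s)" || echo "computer name contains a hyphen"
#   check_search_base ods.example.com "$base" ldaps
```

If check_search_base prints the suffix as the entry dn, the value is safe to enter in step 11; an empty result or a "No such object" error means the suffix is wrong and Open Directory would find nothing in the directory.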
