Contacts - an LDAP-aware address book application built into Mac OS X. Directory Utility - a utility for configuring access to several types of directory servers, including LDAP; built into Mac OS X. Download JXplorer. Download either the base open source JXplorer, or the larger JXplorer + JXWorkbench package (which includes the reporting engine and JXWorkbench.
Active Directory (AD) is one of the key tools that IT teams use to organize corporate network infrastructures. This includes all their assets and users. It helps manage domains, identities, user groups, and protected content for user accounts. For inconsistent IT environments (ones with both Windows and Mac®), it has the disadvantage of being a Windows solution. Because of this, admins face challenges when working with Mac clients—not all features and instructions work for Mac. Apple® uses its own implementation of the Lightweight Directory Access Protocol (LDAP) standard to connect Mac devices to AD servers or domain controllers: Open Directory. This means that admins lack important features of Active Directory. For example, group policies have no effect on Mac computers. Group Policies are a common feature that allows admins to regulate a range of user rights.
Connecting Mac Devices via Active Directory
However, Mac devices can be connected via Active Directory. Apple offers their Directory Utility to accomplish this. It enables administrators to integrate Mac clients into an existing AD environment. Once the Mac clients are integrated via AD, at least some policies take effect for these clients. Examples include policies for domain passwords and identical user and domain login credentials, along with protected resource authorization. Another alternative for connecting a Mac with a domain controller is to choose the „Users & Groups“ option in the system settings under „Login options“ >„Network account server”. In practice, however, configuring Mac clients manually one by one using Active Directory is not ideal.
Integrating Mac clients into an Active Directory network
Using Microsoft SCCM and Parallels® Mac Management for Microsoft® SCCM is a significantly easier way for administrators to integrate Mac clients into an Active Directory network. The SCCM Active Directory System Discovery tool automatically identifies new Mac devices on the network. And then installs the Parallels Mac client software on them. Check out the “Installing Parallels Mac Client Using Discovery Methods” section of the Administrator’s Guide for a detailed description of how this works.
Learn more about how to manage Mac devices like PCs with Parallels Mac Management in our weekly Webinars. Register now for free!
Links:
Apple Support | Directory Utility User Guide
Stackexchange | Active directory on MacOS
Directory Utility User Guide
You can manually create a configuration that specifies how a Mac accesses an LDAPv3 or LDAPv2 directory. You must know the DNS host name or IP address of the LDAP directory server.
If the directory is not hosted by a Mac with macOS Server installed, you must know the search base and the template for mapping macOS data to the directory’s data. The supported mapping templates are:
From Server, for a directory that supplies its own mappings and search base, such as macOS Server
Open Directory server, for a directory that uses macOS Server for the macOS schema
Active Directory, for a directory hosted by a Windows 2000, Windows 2003, or later server
RFC 2307, for most directories hosted by UNIX servers
Custom, for directories that don’t use any of the above mappings
The LDAPv3 plug-in fully supports Open Directory replication and failover. If the Open Directory master becomes unavailable, the plug-in falls back to a nearby replica.
Important: If your computer name contains a hyphen, you might not be able to bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.
In the Directory Utility app on your Mac, click Services.
Click the lock icon.
Enter an administrator’s user name and password, then click Modify Configuration (or use Touch ID).
Select LDAPv3, then click the “Edit settings for the selected service” button .
Click New.
Enter the LDAP server’s DNS host name or IP address, then click Continue.
In the LDAP Mappings column, click the pop-up menu, then choose a mapping template or method:
If you choose From Server, a search base suffix is not needed. In this case, Open Directory assumes the search base suffix is the first level of the LDAP directory.
Click the Read from Server button to get a list of all record types and attributes. Record types not found in the local macOS directory domain, such as AutoServerSetup or Neighborhoods, are marked red in the Record Types and Attributes window.
If you choose a template such as Open Directory or RFC2307, enter the search base suffix for the LDAP directory, then click OK. You must enter a search base suffix or the computer can’t find information in the LDAP directory. Typically, the search base suffix is derived from the server’s DNS host name. For example, the search base suffix could be “dc=ods,dc=example,dc=com” for a server whose DNS host name is ods.example.com.
If you choose Custom, you must set up mappings between macOS record types and attributes and the classes and attributes of the LDAP directory you’re connecting to. See Configure LDAP Searches & Mappings.
Check with your Open Directory administrator to determine if SSL is required and if so, select SSL.
To change the following settings for this LDAP configuration, click Edit to display the options, make changes, then click OK.
Click Connection to set timeout options, specify a custom port, or ignore server referrals. See Change connection settings for an LDAP or Open Directory server.
Click Search & Mappings to set up searches and mappings for an LDAP server. See Configure LDAP Searches & Mappings.
Click Security to set up an authenticated connection (instead of trusted binding) and other security policy options. See Change the LDAP connection security policy.
Click Bind to set up trusted bindings (if the LDAP directory supports it). See Set up authenticated binding for an LDAP directory.
Click OK to finish manually creating the configuration to access an LDAP directory.
If you want the computer to access the LDAP directory you created a configuration for, add the directory to a custom search policy in the Authentication pane and the Contacts pane of Search Policy in Directory Utility. See Define search policies.
Free Ldap Tool For Mac
Before you can use macOS Server to create users on a non-Apple LDAP server that uses RFC 2307 (UNIX) mappings, you must edit the mapping of the Users record type. See Edit RFC 2307 mapping to enable creating users.
Important: If you change your IP address and computer name using changeip
while you are connected to a directory server, you must disconnect and reconnect to the directory server to update the directory with the new computer name and IP address. If you do not disconnect and reconnect to the directory server, the directory does not update and continues to use the old computer name and IP address.