Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Enable a pre-installed LDAP interface to NetInfo UNIX
OK, I'm perhaps too excited about this, but I've just discovered that what appears to be Apple's OpenDirectory (sans GUI, of course) exists in the non-Server version. While poking around, I came across /etc/openldap, which has configs and schema files for, among other things, NetInfo!

WARNING: if you don't have the firewall turned on, others could connect to your LDAP server and view your NetInfo information.

With two simple tweaks, I had LDAP running, and access to it with an LDAP browser:
  1. Modify /etc/openldap/slapd.conf; on line 19, you'll see the line:
    change it to:
  2. Modify /etc/hostconfig by adding the line:
Now run:
 % sudo /System/Library/StartupItems/LDAP/LDAP start
It will start the LDAP server, and you can access it, with a blank base DN and anonymous bind (ie. no User DN/password) This is a flaw, IMO, but if you have the firewall turned on, you're good. I'm looking into how to require authentication, and hopefully will be able to enable SSL, as well. If you're looking for a decent Java-based LDAP browser, check out this one, from Jarek Gawor.

I'm really jazzed about this, because finally I have an easy way to authenticate Tomcat app users against my local user database!

[Editor's note: As this is well beyond what I do with my machine, I'm not 100% certain as to how this hint compares to this one, although they clearly have some similarities. So I thought I'd err on the side of 'too much information' and publish this one as well, just in case.]
  • Currently 3.00 / 5
  You rated: 4 / 5 (3 votes cast)

Enable a pre-installed LDAP interface to NetInfo | 14 comments | Create New Account
Click here to return to the 'Enable a pre-installed LDAP interface to NetInfo' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Authored by: sharumpe on Sep 02, '02 05:32:38PM
This tells you how to access your local netinfo information via LDAP, whereas the other tip tells you how to replace your local (or network) NetInfo database with a network LDAP server.

The reason I am happy about this is that it is relatively easy to work with LDAP via programming languages like Java.

Mr. Sharumpe

[ Reply to This | # ]
Please explain
Authored by: bluehz on Sep 02, '02 11:29:44PM

Would someone be so kind as to offer a quick explanation of the benefits and uses of LDAP. Guess I never really delved into it - I always thought it was a mechanism for finding people e-mail addresses (from my limited exposure to LDAP in Eudora).

[ Reply to This | # ]
Please explain
Authored by: nekura on Sep 03, '02 06:12:18AM

LDAP (Lightweight Directory Access Protocol) is, basically, a protocol to access a tree-like database. It supports either direct access (you want an information and you know where it is in the tree) or search (you know partial information on what you are looking for).
This is, of course, a very restrictive view of this powerful tool.

LDAP can be used to achieve many tasks.
Email address directories is one of the most known of the end-user, but it's also very common to use LDAP as an user database, for authentication purposes.

A more powerful use can be to store and manage resources of a system : accounts, groups, shares, printers, servers... and that's exactly what does NetInfo, the core database of the OS X system. (As a side note, this is also the case with Active Directory, at the core of Win2k servers)
I've not had my hands on a running OS X server, but I would guess it uses LDAP to allow network users to identify themselves against a centralized user database, and allow them access to resources.

[ Reply to This | # ]
LDAP auth hits SSL snag
Authored by: Willfon on Sep 04, '02 08:39:26AM
We have been trying to get our Jaguar macs to authenticate using SSL encrypted LDAP connections to our OpenLDAP v2.1.3 Linux computer. As long as the SSL is switched off things work smothly. The moment we turn SSL encryption on everything stops. For quite some time as well, since timeout is set to a default 120 seconds. I have tried to get help for this on several mailing lists, but have yet to find a fix to this problem.

The error log from the server is here[] for the interested. We have now sendt a question about this to ADC.

[ Reply to This | # ]

It works here...
Authored by: mefoster on Dec 11, '02 06:55:59AM

I have LDAP/SSL authentication working against our openldap servers.

Initially I ran into all of the problems that you have but eventually figured out that the LDAP client needs to be able to verify the server cert (we sign our own).

The solution is to put a copy of the CAcert that signed the server cert somewhere on the client. /System/Library/OpenSSL/certs will do.

Then you need to tell the client where to find it.
Edit /etc/openldap/ldap.conf and add the line:

TLS_CACERT /System/Library/OpenSSL/certs/<caertfile>

where <cacertfile> is the name of the file you copied.

Now... if only I could get it to work with TLS on port 389...


[ Reply to This | # ]
Disabling Anonymous Binding
Authored by: OmegaAtUMD on Jan 02, '03 05:00:22AM

After sniffing around in the OpenLDAP administrator's guide, I've found a way to eliminate anonymous binds to the LDAP/NetInfo bridge. Add the following line to /etc/openldap/slapd.conf

disallow bind_anon

[ Reply to This | # ]
Disabling Anonymous Binding
Authored by: swensnt on May 27, '03 06:00:35PM
I believe that Apple's acquisition of the NetInfo bridge from PADL is what makes this magic happen. PADL also has a nice document posted at their site concerning Advanced Open Directory configuration

[ Reply to This | # ]
Slow SLAPD and "Bad IPREMOTE value" error
Authored by: fletcherpenney on Mar 24, '03 04:14:38PM

I followed the directions and was able to get my ldap server started. Additionally, I enabled at startup by adding LDAPSERVER=-YES- to my /etc/hostconfig.

In NetInfo Manager, I added a /people setting and added some contacts there and configured address book to reference this by adding cn=people to the Search Base.

It works, both in Address Book and in for tracking down the email addresses included here. (I have done this to allow sharing of my contacts to other computers on my local network).

The problem is this: slapd is REALLY slow to respond. I am able to do a search on a local university's ldap infitely faster than on my local server which contains only 3 addresses (plus the netinfo data).

I get the following error in my system log:

Could this be related to the slowdown?

Any ideas on how to speed up slapd?

I was unable to find anything useful by a net search....

Thanks for the tip, and for any help anyone can offer!

[ Reply to This | # ]
Help needed
Authored by: sebastian on Sep 19, '03 09:20:02PM

Following the description I have access to the LDAP server with the Java application.
Unfortunately I do not get any results with an Address Book search.

I did not set a cn= and searched for the user and realnames, no results. (everything on this machine locally)

I also started LDAP with sudo /usr/libexec/slapd -d 1 and the lines start running whenever I query from Address Book.
When starting the server with this command I get a lot of "Invalid path" errors.

I also get such an error on a query:

==> netinfo_back_op_result dsstatus=2004 rc=32 msg=DSA2004: Invalid Path
send_ldap_result: conn=2 op=1 p=2
send_ldap_response: msgid=2 tag=101 err=32
ber_flush: 35 bytes to sd 7
<== netinfo_back_op_result
connection_get(7): got connid=2
connection_read(7): checking for input on id=2
ber_get_next: tag 0x30 len 5 contents:
ber_get_next on fd 7 failed errno=0 (Undefined error: 0)

Any suggestions?

[ Reply to This | # ]
Slow SLAPD and "Bad IPREMOTE value" error
Authored by: valeriol on Jan 29, '04 03:41:59PM

I know that your's is an old post ....

I have the same problem as you and I was wondering if you ever figured out the solution.


[ Reply to This | # ]
Enable a pre-installed LDAP interface to NetInfo
Authored by: jurg on Jun 14, '03 04:54:44PM

I had some problems trying to use this hint.

The first was that the startupfile /System/Library/StartupItems/LDAP/LDAP had to include the full path to slapd instead of just executing slapd, i.e. /usr/libexec/slapd

The second was that it just didn't work on my jaguar client machine, i.e. slapd started, but gave null response to every ldap request.

I found out that if by default the netinfo db under '/' has a property 'trusted_networks' that has no value. This means only requests from the machine itself will be answered. I inserted a value '10.0.1', being the subnet my machine is on and now the ldap server would answer all requests from within this subnet (only is supported I guess, somewhat primitive).

The last problem was that it now gave null response not only to requests from the machine itself, but alll machines in the subnet. The solution to this problem was to go to the directory /machines/localhost in netinfo (using netinfo manager) and add a property called 'suffix' with an empty value (meaning the ldap basedn for the host localhost is ""). You should search with that basedn when using an ldap client. If you use basedn: cn=users you restrict yourself to the /users directory in netinfo.

Knowing not a thing about netinfo it took me a couple of hours web surfing to find out I had to do this. I think on Jaguar server this hint works sort of 'out of thee box', but on the client I had to add these things.

I also added a directory /people in netinfo under which I now store my contacts. The file /private/etc/openldap/schema/netinfo.schema indicates that for info stored in /users there is special mapping between some netinfo properties and ldap attribute names. However, under /people you can use attribute names as in the inetorgperson objectclass (as in /private/etc/openldap/schema/inetorgperson.schema).

[ Reply to This | # ]
Enable a pre-installed LDAP interface to NetInfo
Authored by: winstonford on Nov 06, '03 10:48:22PM

2 minor but crucial changes for atleast 10.2.8 :

on #2, should be all uppercase ' LDAPSERVER=-YES- '

start command should be uppercase as well ' sudo /System/Library/StartupItems/LDAP/LDAP start '

do ' ps -ax | grep slapd ' to see if it's running.

---' the web to the people.

[ Reply to This | # ]
DSA2004: Invalid Path / this one is WEIRD!!!
Authored by: nick on Dec 05, '03 10:09:15AM

i tried this hint to implement a content-management-system on our x-server with the given users: the php-cms authenticates vs. ldap (as i couldn't figure out to auth vs. netinfo: is there mod_auth_apple for apache2?).

i'm an ldap-beginner, but it worked fine. with all but a few of the users. the users wich didn't work happened to be the top users on the list in the ldap-browser. first i thought it had s.t. to do with the number of users: 128 worked, 9 didn't. hmm... 128... nice binary number... then i added additional users and deleted some... and it behaved incedible weird: 128/9 (working/not working); 128/10; 129/10; 140/17 (!); 141/17; 142/9(!)... the number of working/notworking users altered in a way that i couldn't see a pattern. the error in the logs was "send_ldap_result: err=32 matched="" text="DSA2004: Invalid Path"

the top 9 users where always not working. then the (absurd?) thought came to me, that it had something to do with the case of the user-name. i didn't think it was likely as i had situations in wich users without capital letters didn't work, too. but that did the trick. i had to change "_writers_passwd", "_writers_tim_password" and "name" to attribues without capital letters.

anyone knows, why? i guess it has s.t. to do with apples netinfo-to-ldap bridge (bug or feature?)

[ Reply to This | # ]
Enable a pre-installed LDAP interface to NetInfo
Authored by: admanter on Oct 04, '07 10:24:22AM

Has anyone tried to do this on a regular install of 10.4?
the startup item doesnt exist. I've put alot of time into
trying to make it work, I've found the slapd server on
tiger in /usr/libexec/slapd and the config file in
i can start the server using
su -c /usr/libexec/slapd
but thats as much as i can figure out, i dont know how
to get it to start at boot. I've searched everywhere i can
think of but it seems anyone doing this did it 3 years ago,
and has since bought os x server.
I want to use it for user authentication and mapping
home directories to a few other 10.4 clients, i've only got
6 machines to do this for, so server seems to be way to
much for this.

[ Reply to This | # ]