2008-03-14

The weather hates me

Filed under: Lotus — iain @ 12:38:51

Monday: Cycled to work. Sunny.

Tuesday: Cycled to work. Sunny.

Wednesday: Cycled to work. Sunny.

Thursday: Drove to work with the roof down. Rain.

Friday: Cycled to work. Sunny.

2008-03-04

Scripting Leopard LDAP

Filed under: Geekiness — iain @ 20:31:15

I already knew how to save the LDAP config back to the LDAP server and initialise a client using Directory Utility.app. That works well and is easy to understand. Unfortunately it requires using the GUI. It’s hard to script GUIs. I also already knew which files were changed when configuring DirectoryService so it shouldn’t be too hard to automate the process.

Configuring LDAP requires two steps. First you tell the DirectoryService LDAPv3 plugin about your server then you add LDAP to the search node list.

The first file edited is /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist. It’s created whether you use the Advanced section of the GUI to configure the server manually or just pull everything from ou=macosxodconfig. Read the linked articles if the above makes no sense.

Simply copying a working configuration file from somewhere else is possible and in an environment with lots of identically-configured machines it may even be desirable. You may not necessarily want to do it, however, if you have other LDAP servers, NIS server, OpenDirectory servers, Active Directory servers etc already configured on a particular machine. This was the case for my OS X Server machine, for example. Luckily we can script the addition of the LDAP profile.

    # dsconfigldap -a ldap.iain.cx

If you’ve already written the configuration back to the LDAP server, the above is all that’s needed to tell the workstation about it.

The second file, which determines whether or not the LDAP service is consulted for authentication, is /Library/Preferences/DirectoryService/SearchNodeConfig.plist. Because it’s a small file it’s easy to use Perl, cfengine or $YOUR_FAVOURITE_SCRIPTING_TOOL to add the correct lines viz:

            <key>Search Node Custom Path Array</key>
            <array>
                    <string>/LDAPv3/ldap.iain.cx</string>
            </array>

    ...

            <key>Search Policy</key>
            <integer>3</integer>

Exercise for the reader: you could use defaults to do it.

It seems Search Policy must be set to 3 for the Custom search path to take effect (i.e. for the node we’ve just added actually to be consulted).

Aside: If your LDAP schema includes contact details you can also configure ContactsNodeConfig.plist in the same way.

Once the plists have been edited you simply kill DirectoryService and wait for it to be automagically restarted. Everything should then Just Work!

To confirm this:

    # dscacheutil -configuration
    DirectoryService Cache search policy:
        /Local/Default
        /BSD/local
        /LDAPv3/ldap.iain.cx
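Since the post leaves the plist editing to $YOUR_FAVOURITE_SCRIPTING_TOOL, here is an added example of the second step done in Python with the standard plistlib module (this is my illustration, not the post’s own script and not an Apple tool). It takes the SearchNodeConfig.plist contents, appends the LDAPv3 node to the Search Node Custom Path Array and sets Search Policy to 3, and is idempotent, so re-running it on a machine that already has the node does not add a duplicate entry. The sample plist embedded below is constructed with only the two keys the post names; the real file carries more.

```python
"""Add a directory node to a DirectoryService SearchNodeConfig.plist.

Added example for the 'Scripting Leopard LDAP' post; not the post's own
code. The only plist keys it touches are the two the post names.
"""
import plistlib
import shutil
import sys

# Constructed minimal SearchNodeConfig.plist: the policy is left at 1 and
# no custom path array exists yet. A real file has further keys, which the
# function below leaves untouched.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
\t<key>Search Policy</key>
\t<integer>1</integer>
</dict>
</plist>
"""

CUSTOM_PATH_KEY = "Search Node Custom Path Array"
POLICY_KEY = "Search Policy"
CUSTOM_SEARCH_POLICY = 3  # the value the post identifies as "custom search path"


def add_search_node(plist_bytes: bytes, node: str) -> bytes:
    """Return the plist with `node` in the custom search path and the search
    policy switched to custom.

    Idempotent: a node that is already listed is not added again, and the
    existing order of nodes is preserved (the node is only ever appended,
    never moved ahead of nodes that are already consulted first).
    """
    if not node.startswith("/"):
        raise ValueError(f"directory node must be an absolute path, got {node!r}")
    config = plistlib.loads(plist_bytes)
    paths = config.get(CUSTOM_PATH_KEY, [])
    if not isinstance(paths, list):
        raise ValueError(f"{CUSTOM_PATH_KEY!r} is present but is not an array")
    if node not in paths:
        paths.append(node)
    config[CUSTOM_PATH_KEY] = paths
    config[POLICY_KEY] = CUSTOM_SEARCH_POLICY
    return plistlib.dumps(config)


def search_nodes(plist_bytes: bytes):
    """Return (search policy, list of custom path nodes) for inspection."""
    config = plistlib.loads(plist_bytes)
    return config.get(POLICY_KEY), list(config.get(CUSTOM_PATH_KEY, []))


def main(argv):
    # Usage: python3 thisfile.py /Library/Preferences/DirectoryService/SearchNodeConfig.plist /LDAPv3/ldap.iain.cx
    if len(argv) != 3:
        sys.stderr.write("usage: %s <SearchNodeConfig.plist> </LDAPv3/host>\n" % argv[0])
        return 2
    path, node = argv[1], argv[2]
    shutil.copy2(path, path + ".bak")  # keep a copy of the pre-edit file
    with open(path, "rb") as fh:
        before = fh.read()
    after = add_search_node(before, node)
    with open(path, "wb") as fh:
        fh.write(after)
    print("search policy, nodes:", search_nodes(after))
    # As the post says, DirectoryService then needs to be killed so it is
    # restarted with the new config; verify with: dscacheutil -configuration
    print("now run: killall DirectoryService; dscacheutil -configuration")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The node must be registered with dsconfigldap first, exactly as the post describes; this script only handles the search node file, and the dscacheutil check at the end is what confirms the node is actually on the search path.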
