
Unable to add LDAP server in Mac OS 10.11

I must be missing something simple, since this is a feature that has been available in Mac OS for years and years, but I am unable to add an LDAP account in Mac OS 10.11 El Capitan.


Actually, I can add a new account (which uses Internet Accounts), but when I choose Simple Authentication I am not presented with a place to enter the user name and password. I did find a bit later that I can add the account without the credentials, then go into the Contacts application's preference panel and add the user name and password there, but even after doing that I am unable to search the LDAP server.


I have also verified that if I use the migration tool to move an account from a machine running an older system to 10.11, the LDAP account is marked as inactive, and adding the username and password in that case also does not work for me.


Can anyone tell me how to add authenticated LDAP accounts to 10.11 El Capitan? This feature is very important to us because we use it to allow our Mac users to access our shared address book.


Thanks in advance.

iMac, OS X Yosemite (10.10)

Posted on Oct 13, 2015 10:44 AM

15 replies

Nov 1, 2015 7:10 PM in response to roarkh

Same problem here since the upgrade to 10.11. I was hoping 10.11.1 would solve this problem, but in vain.

it shows in console:

-----------

Contacts[1451]: Could not get password: Error Domain=SecKeychain Code=-25300 "Password for youname@ldap.domain.com:0 not found" UserInfo={NSLocalizedDescription=Password for yourname@ldap.domain.com:0 not found} Password for yourname@ldap.domain.com:0 not found

-------

but I have filled in the password in the Contacts application's preference panel.

Dec 23, 2015 6:28 AM in response to roarkh

Same here as well; I had LDAP configured under my Contacts app for lookups against our corporate LDAP server. It was working just fine in all previous versions of OS X, but since the upgrade to El Capitan it's been broken. No output to the console either when querying through the Contacts app for a known contact; it just returns no result. I haven't gone so far as running Wireshark to see if anything is even being sent, but a quick trawl of other forums confirms that this behaviour isn't isolated to my machine alone (see http://apple.stackexchange.com/questions/210081/contacts-ldap-account-on-10-11-el-capitan).


Somebody from Apple needs to fix this as it was clearly broken by the update.

Dec 28, 2015 8:00 AM in response to roarkh

Hi

You may be interested in my own experience with the LDAP migration to El Capitan. Here's what I have posted:

Following my migration to El Capitan 10.11.2 last week, the LDAP service with my enterprise directory was not working anymore.

Looking at the console when I was performing a contact search, it was telling me that the password was not available:

"28/12/2015 16:12:35,773 Contacts[479]: Could not get password: Error Domain=SecKeychain Code=-25300 "Password for xxxxxx@yyyyyy not found" UserInfo={NSLocalizedDescription=Password for xxxxxxxxx@yyyyyyy not found} Password for xxxxxx@yyyyyy not found"

It took a couple of days to find the clue!

a- go into the Keychain Access app

b- search for the user id of your LDAP server among the passwords

c- in my case it gave me a line in the results giving me the LDAP server address as an internet account

d- looking in the info, the "where" field said ldap://yyyyy (address of the server)

e- what I did was modify the line to remove "ldap://", giving yyyy

f- I saved the modification, which in fact resulted in a new "where" definition: ldap://yyyyy/yyyyy (strange, isn't it?)

But now my ldap service works again !

This is the good part !

The bad part is that during my investigations I used a fresh OS X user profile to make tests!

As it was fresh, I had no LDAP server defined for this user,

and the behaviour I observed was that, on configuring the LDAP account and then the Contacts preferences to set the password,

the Console was telling me repeatedly that it was not possible to save the access password I had entered!

I tried to create the password manually in the keychain, but that did not solve the problem...

Hope it will help

Regards

Feb 18, 2016 1:37 AM in response to roarkh

Hi,


I am also unable to add a working LDAP server, either via Contacts or via system setup, on Mac OS El Capitan 10.11.3. However, when I do ldapsearch via the command line it works. So if I try:


ldapsearch -H "ldap://ldap1.fh-augsburg.de/" -x -b "ou=People,dc=FH-Augsburg,dc=DE" "(sn=Smith)"


then it works on the command line. But I was not able to do this via account configuration in Contacts or System Preferences -> Internet Accounts. This all worked on the previous Mac OS version. The test above with the mentioned LDAP server only works in my intranet, because the server is only reachable from my intranet.


a) Is there some manual configuration possibility via some configuration file (maybe /etc/...) ?

b) How should I configure the ldap server via the GUI to have it working like in ldapsearch?

c) Will ldap.conf settings be honored by Contacts and Email?


Friedrich
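The post above shows the command-line check that still works when the GUI does not. As an added example (not code from the thread, from Apple or from OpenLDAP), the script below builds the same ldapsearch query two ways, once as the anonymous simple bind (`-x` alone) and once as an authenticated simple bind (`-D` plus a password prompt or file), so the two can be compared against the same directory. It goes one step beyond the post by escaping the surname per RFC 4515 before it is placed in the `(sn=...)` filter, which matters whenever the value comes from a user: unescaped `*`, `(` and `)` rewrite the filter. The URI and base DN are the ones from the post and only resolve on that intranet; the bind DN is a placeholder. ldapsearch is executed only if it is installed, so the helpers can be run anywhere.

```python
"""Anonymous vs. authenticated ldapsearch, with a safely escaped filter.

Added example for this thread, not code from the original posts.  The URI,
base DN and bind DN are placeholders modelled on the post above; replace
them with your own.  ldapsearch only runs when it is installed.
"""
import shutil
import subprocess
from typing import List, Optional, Tuple

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value, otherwise "Smi*)(uid=*" rewrites the whole filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value for use in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def surname_filter(surname: str) -> str:
    """The "(sn=Smith)" filter from the post, built from untrusted input."""
    return "(sn=%s)" % escape_filter_value(surname)


def ldapsearch_argv(uri: str, base: str, filt: str,
                    bind_dn: Optional[str] = None,
                    password_file: Optional[str] = None) -> List[str]:
    """Build an ldapsearch command line.

    With no bind_dn this is the anonymous simple bind (-x alone), which is
    what the thread says Contacts now does.  With a bind_dn it is an
    authenticated simple bind; the password is read from a file (-y) or
    prompted for (-W) rather than passed with -w, which would expose it in
    the process list.
    """
    argv = ["ldapsearch", "-LLL", "-H", uri, "-x", "-b", base]
    if bind_dn is not None:
        argv += ["-D", bind_dn]
        argv += ["-y", password_file] if password_file else ["-W"]
    argv.append(filt)
    return argv


def run_if_available(argv: List[str]) -> Optional[Tuple[int, str]]:
    """Run ldapsearch when present; return (exit status, stdout) or None."""
    if shutil.which("ldapsearch") is None:
        return None
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    uri = "ldap://ldap1.fh-augsburg.de/"                    # from the post
    base = "ou=People,dc=FH-Augsburg,dc=DE"
    bind_dn = "uid=fred,ou=People,dc=FH-Augsburg,dc=DE"     # placeholder DN
    filt = surname_filter("Smith")
    for label, argv in (("anonymous", ldapsearch_argv(uri, base, filt)),
                        ("authenticated", ldapsearch_argv(uri, base, filt, bind_dn))):
        print(label, " ".join(argv))
        result = run_if_available(argv)
        if result is None:
            print("  ldapsearch not installed; command shown only")
        else:
            status, out = result
            # exit 0 with no "dn:" lines means the bind was accepted but the
            # directory returned nothing, which is the symptom in this thread
            print("  exit", status, "entries:",
                  sum(1 for line in out.splitlines() if line.startswith("dn:")))
```

If the anonymous variant returns zero entries and the authenticated one returns the expected person, the directory is behaving correctly and the client is the problem, which is the conclusion the thread reaches further down.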

Feb 18, 2016 3:20 AM in response to roarkh

Yep I see this as well, the Contacts app is not presenting any boxes to allow you to enter the user name and password. To me this is clearly a bug and I know the Contacts app has had various others for other types of accounts.


No, you cannot use an ldap.conf file to fix this; however, you could try using Profile Manager, i.e. a mobileconfig file, to configure an account while waiting for Apple to fix this.


What is the LDAP server? Perhaps that server can also support CardDav or something else instead.


Another option would be to use Directory Utility to add an LDAP server and also to add it to the Contacts search path. You can define an authenticated bind in Directory Utility.


Note: For LDAP binding in Directory Utility you need to use the full distinguished name e.g. uid=fred,cn=users,dc=server,dc=domain,dc=com

Feb 18, 2016 4:41 AM in response to roarkh

Hi,


For whatever reason it now works. I left the entry in Accounts, and now: magic. Maybe it takes some time until Contacts recognizes that there is a new LDAP server? Then I removed the LDAP entry and tried it again. The steps are:


1. System Settings -> Internet Accounts -> Add LDAP Server


2. These are my settings:

[screenshot of the account settings; not preserved in this copy]

3. Then it looks like this


[screenshot of the resulting account; not preserved in this copy]

For whatever reason it works now, i.e. I can go to contacts and search in the ldap database for names.


Friedrich

May 25, 2016 2:28 AM in response to Thomas_fr

Thomas_fr wrote:


This solution works fine. Like this, Mail & Contacts can use the LDAP contacts search account.


🙂


BUT...


Why doesn't Apple fix this issue?? For pro users, it's a dramatic regression!!!

This particular bug does not affect my site, as we use CardDAV, but I have just checked the latest El Capitan build and it is still broken. 😢


I have reported so many bugs in El Capitan that it is now becoming quite a task to retest them all each time a new build is issued and update my bug report tickets. However, Apple have fixed some, but obviously not all of them. 😢


The more people report this as a bug the greater the chance Apple will do something about it.


You can sign up for free for the Public Beta and report bugs to Apple via that. See https://beta.apple.com/sp/betaprogram/

Oct 8, 2016 1:15 AM in response to roarkh

The change introduced in El Capitan is that the LDAP bind is done anonymously; it no longer uses the credentials of the user to do the bind. As a result, in most cases the LDAP address book returns no results, because (for a good reason) an address book should not return contact details to anonymous users.


The question is why was this changed and how can it be fixed. I see the same behavior in Sierra.


And why isn't there at least an official response from Apple why this change was introduced?
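The post above pins the symptom on the bind: an anonymous simple bind is accepted by most directories but is not allowed to read people entries, so the search comes back empty rather than failing. As an added example (not Apple's, not OpenLDAP's, and not from the thread), the stdlib-only code below encodes an LDAPv3 BindRequest in BER exactly as it goes on the wire, for both the anonymous form (empty name and password, RFC 4513 section 5.1.1) and the authenticated form, and decodes the BindResponse so a capture or a test connection can distinguish "bind refused" (non-zero result code) from "bind accepted, directory returned nothing". The two response byte strings at the bottom are constructed for offline use; the `bind()` helper talks to a real server over plain TCP and is meant for a lab, since simple bind carries the password in clear unless the socket is wrapped in TLS first (ldaps:// or StartTLS).

```python
"""Minimal LDAPv3 simple-bind encoder/decoder (BER, RFC 4511 section 4.2).

Added example for this thread, not Apple's or OpenLDAP's code.  Response
bytes below are constructed; the host in bind() is whatever you pass in.
"""
import socket
from typing import Tuple

# LDAP result codes (RFC 4511 appendix A) worth recognising in a bind reply
SUCCESS, STRONGER_AUTH_REQUIRED, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 8, 49, 53


class Truncated(ValueError):
    """Raised when the buffer ends before the BER element does."""


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, otherwise 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Minimal two's-complement INTEGER (ENUMERATED when tag=0x0A)."""
    length = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(length, "big", signed=True))


def bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.

    Empty name and empty password is the anonymous simple bind, which is the
    request the thread says Contacts now sends instead of the user's own.
    """
    auth = tlv(0x80, password.encode("utf-8"))            # [0] simple
    body = ber_int(3) + tlv(0x04, bind_dn.encode("utf-8")) + auth
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, body))   # [APPLICATION 0]


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after the element), bounds-checked."""
    if pos + 2 > len(buf):
        raise Truncated("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length form")
        if pos + nbytes > len(buf):
            raise Truncated("truncated BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise Truncated("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> Tuple[int, int, str]:
    """Decode a BindResponse into (messageID, resultCode, diagnosticMessage)."""
    tag, body, end = _read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, raw_id, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID missing")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:                                        # [APPLICATION 1]
        raise ValueError("protocolOp is not a BindResponse")
    tag, raw_code, pos = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("resultCode missing")
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return (int.from_bytes(raw_id, "big", signed=True),
            int.from_bytes(raw_code, "big", signed=True),
            diag.decode("utf-8", "replace"))


def bind(host: str, port: int, bind_dn: str, password: str) -> Tuple[int, str]:
    """Send one bind over plain TCP and return (resultCode, diagnostic).

    Lab use only: wrap the socket with ssl (ldaps:// or StartTLS) before
    sending a real password, because simple bind puts it on the wire in clear.
    """
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(bind_request(1, bind_dn, password))
        data = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed connection during bind")
            data += chunk
            try:
                _, code, diag = parse_bind_response(data)
                return code, diag
            except Truncated:
                continue                                   # need more bytes


# Constructed replies for offline use: success, and invalidCredentials (49)
RESPONSE_OK = bytes.fromhex("300c02010161070a010004000400")
RESPONSE_BAD_PW = bytes.fromhex("300c02010161070a013104000400")
```

Reading a capture with this in mind: a BindRequest whose name and `[0] simple` fields are both zero-length, followed by a BindResponse with resultCode 0 and then a SearchResultDone with no entries, is the anonymous-bind behaviour described above; a directory that refuses anonymous access outright answers the bind with 53 (unwillingToPerform) or 8 (strongerAuthRequired) instead.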
