
Enabling LDAP

Lightweight Directory Access Protocol (LDAP) started as a way to track email contact information and eventually morphed into the way companies manage all their computers and users. While Active Directory, Open Directory, and OpenLDAP are all based on LDAP, for the purposes of this book, LDAP is used only as a contact database.

Most of the settings here are pretty basic (Figure 4.10), with a couple of exceptions. The first exception is the “Account Username” field. Depending on your server type, your account name can look like:

Figure 4.10. LDAP settings

The last example is a full distinguished name and completely specifies the user, who in this case is john, in the users container in the domain. It’s simple, but only if you know how to read LDAP-ese. In that sense, LDAP is kind of like VPN: if you’re running your own LDAP server, you already know this; if you aren’t, schedule some time with your directory administrator and have that person help you set up this information.

The second LDAP setting that might catch you off guard is the Search Settings field, which requires some basic knowledge of LDAP structure. LDAP is, in general, structured like a tree. At the root you have the domain, which would map to something like “dc=company, dc=com”. Everything expands out from there in a variety of containers (generally, although somewhat incorrectly, abbreviated as CN) and organizational units (OU).

When searching an LDAP directory, you obviously want to limit how much data has to be searched, both to keep searches fast and to control the overall load on the server. A hundred devices each searching thousands of entries create far more server load than the same devices searching a few hundred entries. So you limit searches by the scope, or range, of the search and by its starting point. To set your search scope, you have three options:

  • Base, which searches only the defined search base. If the data you want is one level below that base, the search won’t find it.
  • One Level, which searches the base and the level immediately below it.
  • Subtree, which searches the base and everything below the base, regardless of the number of levels.

The next step is to set up your Search Base or starting point. Since you’re really just using LDAP for email contact information, you’ll want to set up the container or OU for your users. If your LDAP directory is Apple’s Open Directory, typically the OU will be the users container, the Open Directory Master computer name, and the domain name. So:


would be a typical search base for a generic Open Directory setup. Other LDAP implementations would be different, but similar to this.

By restricting your starting point to just the users container, you can set the search scope to be “Subtree”, and not worry about every device iterating through every part of the LDAP directory just to find Bob’s email address. When LDAP is set up, both the Email and Contacts apps on the device will automatically use LDAP data for activities such as autofilling email addresses in messages.
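To make the scope and search-base discussion concrete, here is an added example (it is not code from the book) that models a small directory tree in memory and counts how many entries a search has to examine for each combination of search base and scope. The tree, the DNs and the email addresses are constructed for the example; the scope rules follow RFC 4511, where baseObject covers only the base entry, singleLevel covers the immediate subordinates of the base, and wholeSubtree covers the base and everything beneath it. The `lookup_mail` helper and its tuple result are this example's own conventions, not an API of any directory product.

```python
"""Toy LDAP directory with base / one-level / subtree search scopes.

Constructed example: the entries below stand in for a small company
directory so the cost of a search (entries examined) can be measured
for different search bases and scopes.
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    dn: str                                  # e.g. "cn=bob,cn=users,dc=company,dc=com"
    attrs: dict = field(default_factory=dict)


def domain_to_base(domain):
    """Map a DNS domain to its dc= form: 'company.com' -> 'dc=company,dc=com'."""
    return ",".join("dc=" + label for label in domain.split("."))


def _rdns(dn):
    """Split a DN into a normalized list of RDNs (case and spacing ignored)."""
    return [part.strip().lower() for part in dn.split(",")]


def depth_below(base, dn):
    """Number of levels `dn` sits below `base`, or None if it is outside the base."""
    b, d = _rdns(base), _rdns(dn)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return None
    return len(d) - len(b)


def search(entries, base, scope, match):
    """Return (matching entries, entries examined) for a search with the given scope.

    scope is 'base', 'one' or 'sub' (RFC 4511 baseObject, singleLevel, wholeSubtree).
    """
    if scope not in ("base", "one", "sub"):
        raise ValueError("scope must be 'base', 'one' or 'sub'")
    results, examined = [], 0
    for entry in entries:
        depth = depth_below(base, entry.dn)
        if depth is None:                       # not under the search base at all
            continue
        if scope == "base" and depth != 0:      # only the base entry itself
            continue
        if scope == "one" and depth != 1:       # only the base's immediate children
            continue
        examined += 1                           # 'sub' accepts any depth
        if match(entry):
            results.append(entry)
    return results, examined


# Constructed directory: a domain root with users, computers, printers and groups.
ROOT = domain_to_base("company.com")
DIRECTORY = [
    Entry(ROOT, {"objectClass": "domain"}),
    Entry("cn=users," + ROOT, {"objectClass": "container"}),
    Entry("cn=john,cn=users," + ROOT, {"cn": "john", "mail": "john@company.com"}),
    Entry("cn=bob,cn=users," + ROOT, {"cn": "bob", "mail": "bob@company.com"}),
    Entry("cn=computers," + ROOT, {"objectClass": "container"}),
    Entry("cn=mac01,cn=computers," + ROOT, {"cn": "mac01"}),
    Entry("cn=mac02,cn=computers," + ROOT, {"cn": "mac02"}),
    Entry("ou=printers," + ROOT, {"objectClass": "organizationalUnit"}),
    Entry("cn=lobby,ou=printers," + ROOT, {"cn": "lobby"}),
    Entry("cn=groups," + ROOT, {"objectClass": "container"}),
    Entry("cn=staff,cn=groups," + ROOT, {"cn": "staff"}),
]


def lookup_mail(base, scope, name, entries=DIRECTORY):
    """Find a user's mail attribute; returns (mail or None, entries examined)."""
    found, examined = search(
        entries, base, scope,
        lambda e: e.attrs.get("cn") == name and "mail" in e.attrs,
    )
    return (found[0].attrs["mail"] if found else None), examined


if __name__ == "__main__":
    users = "cn=users," + ROOT
    for base, scope in [(ROOT, "base"), (ROOT, "one"), (ROOT, "sub"),
                        (users, "one"), (users, "sub")]:
        mail, examined = lookup_mail(base, scope, "bob")
        print(f"base={base:<28} scope={scope:<4} examined={examined:2d} mail={mail}")
```

Running the block shows the point of the chapter's advice: a subtree search from the domain root examines all 11 entries to find bob's address, while the same subtree search rooted at the users container examines 3. It also shows why scope and base have to be chosen together: a one-level search from the root only looks at the four containers and never finds bob at all.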
