February 7, 2016

WGM on LDAP Directory

The article I had written about integrating Mac OS X with LDAP attracted a bit of attention. While I had mentioned in that document that we do manage our [tag]mac[/tag] os x users using WGM, I have not provided information on how I was able to integrate WGM with a non-OD server.

In this post, however, I am attempting to bridge that gap and provide information as to how exactly we were able to get WGM working with our LDAP server. Our LDAP server happens to be a Sun Directory Server, as opposed to a more commonly used [tag]OpenLDAP[/tag] server. Still, it does not matter since they all are standards-based.

In order to get WGM working, we need to get a few things ironed out first:

  1. The computer you are using to run WGM should be configured to use LDAP for authentication. That is done using the Directory Access application.

  2. The computer should also have the Server Admin tools installed. Never mind if the mac is not actually a server. You can simply go the apple download website and download the Server Admin Tools application.
  3. A LDAP account with write privileges. There is more detailed explanation of this below.

When you start up WGM, a dialog box will pop up to enter the Address, username and password.

  • In the address field, enter the hostname of the client machine that you are on (say client.example.com). You could also specify localhost.

  • In the username field, enter a valid username
  • In the password field, enter a valid password

Once you successfully authenticate, the Workgroup manager window will open up. By default, it will query the LDAP server that is configured on the client and will pull all of the apple objects. The configuration of the LDAP server in Directory Access will dictate what objects are queried and shown here.

You will also notice that on the top portion of the window, you will see a text line

Viewing directory: /LDAPv3/<ldap server name>. Not authenticated

If the sidebar is not showing any accounts, then verify the LDAP configuration, specifically the Search & Mappings tab and ensure that you have it configured correctly.

In order to modify an object, you will need to bind with proper credentials. If you click on the lock icon on the right side of the window, you will get a dialog box to enter the logon username and password. Enter your username and password. The user binding is also looked up according to the LDAP configuration you have in place.

If you are not having luck with these instructions, then you probably should re-visit this article and make sure you have followed the steps properly. If all else fails, drop me a note!


  1. thanks for this follow-up. i’ll try it when i’m at home. but things could get complicated because i want to use kerberos for authentication.

  2. Julien Blanchard says:

    I successfully managed to use WGM with OpenLDAP but I can’t use the Windows tab for any user, it’s all grayed. Do you know if it’s possible to create windows users from WGM on an OpenLDAP ? How to set the passord type to OpenDirectory on OpenLDAP (which seems to be the problem in WGM) ?
    Anyway thanks a lot for all your posts on Mac OSX and OpenLDAP integration which helped me a lot.


  3. Lyndon Van Wagner says:

    Hi. Thanks for the information on setting up desktop Mac OS X clients to use OpenLDAP. I’ve got ldap running on a Linux system, but it has no data, just the schemas loaded. How do I get my users, etc into it? I’ve tried following your notes, and did the Schema mappings, got WGM running, but it won’t authenicate. According to my slapd.conf my rootdn is “cn=Manager,dc=my-domain,dc=com” . And I’m using default security & access. I believe I’m running with unix authenication – not kerberos. Any ideas ?

Speak Your Mind