Mac OS X: Force LDAP Signing using dsconfigad

dsconfigad did not support signing of LDAP packets in 10.4.x; that capability was introduced in the 10.5 version of the AD Plug-in. Provided that your Active Directory environment uses LDAP signing, a common policy on domain controllers, you can mirror the DC setting in dsconfigad with the -packetsign option followed by one of the values allow, disable or require. To force LDAP signing, just run the following command:

dsconfigad -packetsign require

To disable signing instead, if your environment doesn’t support it, use the following command:

dsconfigad -packetsign disable

The default value is allow, which uses LDAP signing when the domain controller supports it but still falls back to unsigned LDAP otherwise.
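As an added example that is not part of the original post, the following POSIX shell script audits the packet-signing setting of a bound Mac from the output of dsconfigad -show and tells you whether the allow/disable/require value leaves a downgrade to unsigned LDAP open. It assumes the "Packet signing = <value>" line format that dsconfigad -show prints in its Advanced Options section; the sample output embedded in the script is constructed for offline use, and the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit the AD plug-in's
# packet-signing setting parsed from `dsconfigad -show` output and map it
# to a verdict before deciding whether to run `dsconfigad -packetsign require`.
#
# Assumption: `dsconfigad -show` prints a line of the form
#   "  Packet signing                 = allow"
# with one of the values disable, allow or require.

# Extract the packet-signing value from dsconfigad -show text read on stdin.
packet_signing_mode() {
    sed -n 's/^[[:space:]]*Packet signing[[:space:]]*=[[:space:]]*//p' \
        | head -n 1 | tr -d '[:space:]'
}

# Classify the mode. Prints a verdict; returns 0 only for "require".
#   require -> signing enforced; an unsigned LDAP session is refused
#   allow   -> opportunistic; an unsigned bind is still accepted
#              (this is what a DC logs as event 2887 territory)
#   disable -> never signs; binds fail against DCs that require signing
signing_verdict() {
    case "$1" in
        require) echo "OK: LDAP signing is required"; return 0 ;;
        allow)   echo "WARN: signing only when possible; run 'dsconfigad -packetsign require'"; return 1 ;;
        disable) echo "FAIL: signing disabled; run 'dsconfigad -packetsign require'"; return 2 ;;
        *)       echo "UNKNOWN: could not read the Packet signing setting"; return 3 ;;
    esac
}

# Constructed (abridged) sample of dsconfigad -show output for offline use.
SAMPLE_SHOW='Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = mac01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14'

# Audit a captured -show output passed as a string.
audit_signing() {
    mode=$(printf '%s\n' "$1" | packet_signing_mode)
    signing_verdict "$mode"
}

# Live use on a bound Mac (as root):
#   dsconfigad -show | packet_signing_mode
# Remediation, as the post describes:
#   sudo dsconfigad -packetsign require
if [ "${1:-}" = "--demo" ]; then
    audit_signing "$SAMPLE_SHOW"
fi
```

Run it with --demo to see the verdict for the constructed sample, or pipe real dsconfigad -show output into packet_signing_mode on a bound machine. The verdict function deliberately treats allow as a warning rather than a pass: it matches the DC's own view, since a client that only signs "when possible" is exactly the kind of client the DC reports under event 2887.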

One comment

  • April 14, 2012 - 6:52 pm

    Thanks for this very useful information – spent a good half hour researching AD error 2887 problem (client not using LDAP signing) before I found this. Just a small point for clarity, the command is actually:

    dsconfigad -packetsign require
