Tiny Deathstars of Foulness

dsconfigad did not support signing of LDAP packets in 10.4.x; that support arrived with the 10.5 version of the AD Plug-in. Provided that your Active Directory environment uses LDAP signing, a common policy on domain controllers, you can mirror the DC setting in dsconfigad with the -packetsign option followed by one of allow, disable or require. To force LDAP signing, run the following command:

    dsconfigad -packetsign require

To disable signing if your environment doesn't support it, use the following command:

    dsconfigad -packetsign disable

The default is allow, which uses LDAP signing when possible.
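As an added example that is not part of the original post, the following shell script audits a bound Mac's packet-signing mode and prints the dsconfigad command needed to bring it in line with a required-signing policy. It assumes that dsconfigad -show prints a "Packet signing = <mode>" line under its Advanced Options; the sample -show output embedded in the script is constructed, and the --live switch is a name chosen here for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the AD plug-in's LDAP packet-signing
# mode and print the dsconfigad invocation needed to reach the desired mode.
# Assumes the "Packet signing = <mode>" line that `dsconfigad -show` prints; the
# sample output below is constructed for offline use.

SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = example.internal
  Active Directory Domain          = example.internal
  Computer Account                 = mac01$
Advanced Options - Administrative
  Packet signing                   = allow
  Packet encryption                = allow'

# Read dsconfigad -show text on stdin and print the packet-signing mode
# (allow, disable or require); prints "unknown" if the line is absent,
# e.g. when the machine is not bound to a domain.
packet_signing_mode() {
    mode=$(sed -n 's/^[[:space:]]*Packet signing[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1)
    [ -n "$mode" ] && printf '%s\n' "$mode" || printf 'unknown\n'
}

# Given the current mode and the desired mode, print "ok" when they already
# match, otherwise the exact dsconfigad command that would change the setting.
remediation() {
    current=$1
    desired=$2
    case "$desired" in
        allow|disable|require) ;;
        *) printf 'invalid desired mode: %s\n' "$desired" >&2; return 2 ;;
    esac
    if [ "$current" = "$desired" ]; then
        printf 'ok\n'
    else
        printf 'dsconfigad -packetsign %s\n' "$desired"
    fi
}

# Combine the two steps: $1 is dsconfigad -show output, $2 the policy's desired mode.
audit() {
    current=$(printf '%s\n' "$1" | packet_signing_mode)
    remediation "$current" "$2"
}

if [ "${1:-}" = "--live" ]; then
    # On a real bound Mac, read the actual plug-in state (requires the AD plug-in).
    audit "$(dsconfigad -show)" "${2:-require}"
else
    # Offline run against the constructed sample: the sample is at "allow", so
    # this prints the command that would enforce signing.
    audit "$SAMPLE_SHOW" require
fi
```

Run it with no arguments to see the check against the constructed sample, or with --live (and optionally a desired mode) on a bound Mac. The script only reports; applying the printed command is left to the administrator so that a change to the binding is a deliberate step rather than a side effect of an audit.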

September 27th, 2008

Posted In: Active Directory, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Windows Server


  • Thanks for this very useful information – spent a good half hour researching AD error 2887 problem (client not using LDAP signing) before I found this. Just a small point for clarity, the command is actually:

    dsconfigad -packetsign require