Mac OS X: Force LDAP Signing using dsconfigad

In Mac OS X 10.4.x, dsconfigad did not support signing of LDAP packets; support was introduced in the 10.5 version of the AD Plug-in. Provided that your Active Directory environment uses LDAP signing, a standard policy with DCs, you can mirror the DC's settings in dsconfigad by using the -packetsigning option followed by one of three values: allow, disable or require. To force LDAP signing, run the following command:

dsconfigad -packetsigning require

To disable signing if your environment doesn’t support it, use the following command:

dsconfigad -packetsigning disable

The default value is allow, which uses LDAP signing when possible.
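
Because the default of allow falls back to unsigned LDAP when signing cannot be negotiated, it is worth auditing deployed Macs for the require setting. The script below is an added example, not part of the original post: it assumes `dsconfigad -show` prints a `Packet signing = <value>` line, and the function names, the `SAMPLE_SHOW` variable and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Audit the AD plug-in's LDAP packet signing policy.
# Assumption: `dsconfigad -show` prints a line of the form
#   "Packet signing = <disable|allow|require>"

# Constructed sample of `dsconfigad -show` output (not captured from a real host).
SAMPLE_SHOW='Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = mac01$

Advanced Options - Security
  Packet signing                 = allow
  Packet encryption              = allow'

# Read `dsconfigad -show` text on stdin and print the packet signing value.
# Prints "unknown" when the line is missing or holds an unexpected value.
packet_signing_state() {
    state=$(sed -n 's/^[[:space:]]*[Pp]acket signing[[:space:]]*=[[:space:]]*\([a-z]*\).*$/\1/p' | head -n 1)
    case "$state" in
        disable|allow|require) printf '%s\n' "$state" ;;
        *) printf 'unknown\n' ;;
    esac
}

# Succeed only when signing is enforced; "allow" is treated as non-compliant
# because it only signs when possible.
signing_enforced() {
    [ "$(packet_signing_state)" = "require" ]
}

# On a Mac with dsconfigad, audit the live setting; elsewhere use the sample.
if command -v dsconfigad >/dev/null 2>&1; then
    show_output=$(dsconfigad -show 2>/dev/null)
else
    show_output=$SAMPLE_SHOW
fi

if printf '%s\n' "$show_output" | signing_enforced; then
    echo "OK: LDAP packet signing is required"
else
    current=$(printf '%s\n' "$show_output" | packet_signing_state)
    echo "WARN: packet signing is '$current'; set with: dsconfigad -packetsigning require"
fi
```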