Mac OS X 10.6 Snow Leopard
Setting up your Mac to use the MPG CA LDAP server (in fact, the LDAP server of the DFN-Verein) enables Apple Mail to send encrypted messages to colleagues, and to verify signed messages you receive from them. Here is what you have to do:
Open Directory Utility. To do that, open System Preferences, click the Accounts icon, select Login Options, click Edit… or Add… next to Network Account Server:, then click Open Directory Utility…
In the Services pane, authenticate as an admin, select LDAPv3, click the pencil icon below the list. Click New… in the sheet that opens, then Manual in the modal dialog which appears. Enter “o=Max-Planck-Gesellschaft,ou=DFN-PKI,o=DFN-Verein,c=de” into the search base suffix field of the resulting dialog and click OK.
(Note that in the image above the first component of the search base suffix is missing.) Enter a name for the new configuration, enter “ldap.pca.dfn.de” into the Server Name field, choose RFC 2307 as the mapping scheme, and click OK.
In the Search Policy pane, add the new configuration to the Contacts tab. Make sure that Custom Path is selected in the Search popup menu.
Go back to the Services pane, select the new configuration, click Edit… and choose the Search & Mappings tab. In the left list of the dialog that opens, choose the Users record type and click Add… underneath the list.
In the resulting sheet, select the two attribute types UserCertificate and EMailAddress and click OK.
Select UserCertificate in the left list, double-click the empty right list, and type “userCertificate;binary”.
Select EMailAddress in the left list, double-click the empty right list, type “mail”, and finally click OK.
Close Directory Utility and open Activity Monitor. Choose All Processes in the popup menu at the top right. Select the process named DirectoryService and click Quit Process.
Authenticate as an admin, and click Quit in the dialog sheet that comes up. Close Activity Monitor.
Open Keychain Access and choose Preferences…
Enable Search Directory Services For Certificates and quit Keychain Access.
As a test, open Address Book, select the Directory Services group, and type the name of a person you’d like to send mail to, for example Rainer Kleinrensing.
In the list of names, choose one record and click the little hook icon to the left of the e-mail address of the record. This should bring up a dialog displaying the certificate for that address, including the complete chain.
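The same lookup can be reproduced from Terminal to check that the server really publishes a certificate under the mail attribute mapped above, before blaming the Directory Utility configuration. This is an added example, not part of the original page; it assumes ldapsearch and openssl are on the PATH, and the address passed in is a placeholder you replace.

```sh
#!/bin/sh
# Command-line check of the lookup Apple Mail performs once the mapping above is
# in place: search the DFN LDAP server by mail address and inspect the returned
# userCertificate;binary values. Added example; assumes ldapsearch and openssl.
LDAP_URI="ldap://ldap.pca.dfn.de"
SEARCH_BASE="o=Max-Planck-Gesellschaft,ou=DFN-PKI,o=DFN-Verein,c=de"

# Escape a value for use inside an LDAP search filter (RFC 4515), so an
# address containing ( ) * or \ cannot change the meaning of the filter.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/(/\\28/g' -e 's/)/\\29/g' -e 's/\*/\\2a/g'
}

# The filter corresponding to the EMailAddress -> mail mapping configured above.
mail_filter() {
  printf '(mail=%s)' "$(ldap_filter_escape "$1")"
}

# LDIF folds long values onto continuation lines that start with one space;
# join them back so each attribute sits on a single line.
ldif_unwrap() {
  awk '/^ / { line = line substr($0, 2); next }
       { if (line != "") print line; line = $0 }
       END { if (line != "") print line }'
}

# Query the server for one address and print subject, issuer and validity of
# every certificate published for it (needs network access to ldap.pca.dfn.de).
fetch_certs() {
  ldapsearch -x -LLL -H "$LDAP_URI" -b "$SEARCH_BASE" \
      "$(mail_filter "$1")" 'userCertificate;binary' \
  | ldif_unwrap \
  | sed -n 's/^userCertificate;binary:: //p' \
  | while read -r b64; do
      printf '%s' "$b64" | openssl base64 -d -A \
        | openssl x509 -inform DER -noout -subject -issuer -dates
      echo
    done
}

# Usage: sh check_cert.sh someone@example-placeholder.mpg.de
if [ "$#" -gt 0 ]; then
  fetch_certs "$1"
fi
```

If the query returns no userCertificate;binary line, Mail has nothing to find either; if it returns one but Mail still cannot encrypt, the problem is on the Directory Utility or Keychain Access side.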