Here are some settings that are working for now to provide a default kiosk-style account that logs in by LDAP authentication.
Fileserver: MacBookPro
Mac OS: El Capitan
This is based on "Connecting 10.5 to Stanford's LDAP".
With this setup, all LDAP users can log in, but they share the same home directory and system user ID. It is only useful if one LDAP user at a time will log in to the machine.
Create the default user home folder contents
Make a standard user from Apple -> System preferences -> Users & Groups
User: ldaptemplate
Pass: randomAnyP@ssKe1
Log in as ldaptemplate. (Customize the desktop if you like.)
Log out.
Make a folder with a unique ID as the owner, then copy everything inside ldaptemplate to the new folder.
sudo -s
mkdir /Users/ldap
rsync --quiet --recursive --links --perms --group --delete --extended-attributes /Users/ldaptemplate/ /Users/ldap
chown -R 900 /Users/ldap
Add the home directory reset script to the login hook
mkdir /Library/Management
nano /Library/Management/ldapcleanup.bash
Paste in the script below
#!/bin/bash
# /Library/Management/ldapcleanup.bash
# Copies the template user's home directory to the kiosk user home dir
# when a kiosk user logs in using LDAP authentication.
# loginwindow runs the login hook as root and passes the short name in $1.
templateDir="/Users/ldaptemplate/"
targetDir="/Users/ldap"
targetOwner=900

# This script must be run as root; bail if it is not.
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root!" >&2
    exit 1
fi

# Make sure both directories we are using exist on this system.
if [ ! -d "$templateDir" ] || [ ! -d "$targetDir" ]; then
    echo "Either $templateDir or $targetDir did not exist!" >&2
    exit 1
fi

# Use rsync to make the target mirror the template; --delete removes
# whatever the previous kiosk session left behind. Note that we are
# not preserving owner.
rsync --quiet --recursive --links --perms --group --delete --extended-attributes "$templateDir" "$targetDir"

# Then make sure everything has the correct owner.
chown -R "$targetOwner" "$targetDir"
exit 0
Save the script and close the editor
Control-X, then Y, then Return
Make the script run when a user logs in
chmod 755 /Library/Management/ldapcleanup.bash
defaults write com.apple.loginwindow LoginHook /Library/Management/ldapcleanup.bash
Exit root user terminal mode
exit
Add your ldap.server.tld to the list in Directory Services
command + space -> Directory Utility -> enter
Click lock and authenticate to make changes
Choose LDAPv3 -> Edit -> New
Server Name or IP Address: ldap2.server.tld
√ Encrypt using SSL
√ Use for authentication
Continue
Select Server -> Click Edit
Set all the parts of each tab as below, so they match your LDAP server's requirements and the information fields it provides. The settings here worked on this particular job.
Connection Tab:
Configuration name: ldap2.server.tld
Server Name or IP Address: ldap2.server.tld
default timeouts
√ Encrypt using SSL
Default port is 636 (your server may need custom)
Search & Mappings Tab
This part makes or breaks the login. I needed only a minimal setting in the end. Basically, the things on the left side of the boxes map to LDAP properties on the right side. They may be information about the person, or account details such as the network home folder, and many other things.
Choose Custom, erase everything from the left box, then add the following.
> People (Search base: ou=People,dc=server,dc=edu)
    RecordName Map to uid
> UserAuthenticationData (Search base: ou=People,dc=server,dc=edu)
    RecordName Map to uid
> Users (Search base: ou=People,dc=server,dc=edu)
    Map to inetOrgPerson
    AuthenticationAuthority Map to uid
    EMailAddress Map to mail
    FirstName Map to givenName
    JobTitle Map to title
    LastName Map to sn
    NFSHomeDirectory Map to #/Users/ldap
    OrganizationName Map to serverEduStaffDepartment (or some existing LDAP field)
    PostalAddress Map to postalAddress
    PrimaryGroupID Map to #900
    RealName Map to cn (user's LDAP full name)
    RecordName Map to uid (user's LDAP ID)
    UniqueID Map to #900 (default owner of the folder we made)
    UserShell Map to #/bin/bash
Security tab:
This LDAP server requires the group-authorized account to search it. Without this account, the login screen on the Mac showed a red dot: unable to connect to the network. This information is set up and provided by the LDAP admin team in this organization.
Access to Directory
√ Use authentication when connecting
Distinguished Name: uid=someid,ou=SomeGroup,dc=server,dc=edu
Password: somelongpasswordstringprovidedbyldapadmins
Click OK, OK
Choose Search Policy
Click +
Add your new LDAP server to the list
Choose Directory Editor and try to use the LDAP search and login.
Select Users in node /LDAPv3/ldap.server.tld
* Try searching for your ID. If you can't find it, something is wrong with the setup.
* Click the lock to authenticate. If you can't, something did not map right. Check that the Mac did not auto-correct 'uid'.
Click lock to de-authenticate
Close Directory Utility
Allow network login from Users & Groups
This part is just telling the Mac to check the LDAP directory for user accounts.
Click Apple -> System preferences -> Users & Groups
Automatic Login: Off
Display login window as Name and password
Show fast user switching menu as Full Name
Click the lock to make changes and authenticate
√ Allow network users to log in at login window
Click Edit near Network Account Server:
Click + and choose the ldap server created previously
After these changes, the MacBook was rebooted and I could log in as LDAP-authenticated users. Log messages now show:
Sep 1 13:40:24 MacBook-Pro SecurityAgent[652]: User info context values set for auser
Sep 1 13:40:44 MacBook-Pro KeyAccess[62]: opened session B8860100, auser (en_US)
After all the setup was done, the answer to the original question, "Have any advice to allow users to authenticate on this Mac by LDAP to access shared folders?", is to set up everything as above, then share the folder with the network user.
Add network logins to the shared resource
Click Apple -> System preferences -> Sharing
Choose File Sharing
Select the Shared Folder:
Click + in the Users box
Choose Network Users
Search for the ldap ID you want to add
Highlight the user
Click Select
After this, when the backup toy was launched, the network users authenticated and the script ran as well as it did when authenticated against the local user account.
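The login-hook procedure above (template copy, login hook, shared UID 900) as an added example, not the poster's script: it keeps the page's paths and UID but adds two guards a practitioner would want. First, it only resets the shared home when the account that just logged in actually resolves to the kiosk UniqueID (loginwindow passes the short name as $1), so a local admin logging in does not get /Users/ldap wiped under them. Second, it refuses to mirror into anything that is not a real directory, or into "/" or the template itself, before any delete runs as root. It uses find and a tar pipe instead of the page's rsync so it also runs where rsync is not installed; the directory and UID names are assumptions taken from the page, and the functions take them as parameters so they can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example: guarded kiosk home reset for a loginwindow LoginHook.
# Assumed from the page: template /Users/ldaptemplate, target /Users/ldap,
# kiosk UniqueID 900. Not the original poster's script.
TEMPLATE_DIR="/Users/ldaptemplate"
TARGET_DIR="/Users/ldap"
KIOSK_UID=900

# is_kiosk_user NAME UID: succeed only if the short name NAME resolves to
# numeric uid UID. Unknown names (id fails) and other uids return 1, so
# local admins with their own uid are left alone.
is_kiosk_user() {
    name="$1"; want="$2"
    have="$(id -u "$name" 2>/dev/null)" || return 1
    [ "$have" = "$want" ]
}

# reset_kiosk_home TEMPLATE TARGET OWNER: make TARGET mirror TEMPLATE and
# hand every file to OWNER. Refuses symlinks, missing dirs, "/", and any
# TARGET that is the template or lives inside it, because the delete that
# follows runs with root privileges in the real hook.
reset_kiosk_home() {
    template="${1%/}"; target="${2%/}"; owner="$3"
    [ -n "$target" ] || target="/"
    if [ -L "$template" ] || [ ! -d "$template" ]; then
        echo "template $template missing or is a symlink" >&2; return 1
    fi
    if [ -L "$target" ] || [ ! -d "$target" ]; then
        echo "target $target missing or is a symlink" >&2; return 1
    fi
    case "$target" in
        /|"$template"|"$template"/*)
            echo "refusing to mirror into $target" >&2; return 1 ;;
    esac
    # Equivalent of rsync --delete: drop whatever the last session left.
    find "$target" -mindepth 1 -delete || return 1
    # Copy contents (dotfiles included) preserving modes; tar as non-root
    # simply does not preserve owner, which chown fixes next.
    ( cd "$template" && tar -cf - . ) | ( cd "$target" && tar -xf - ) || return 1
    chown -R "$owner" "$target"
}

# Hook entry point: loginwindow runs this as root with the short name in $1.
main() {
    user="${1:?login hook needs the user short name}"
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root" >&2; exit 1
    fi
    if is_kiosk_user "$user" "$KIOSK_UID"; then
        reset_kiosk_home "$TEMPLATE_DIR" "$TARGET_DIR" "$KIOSK_UID"
    fi
}

# Run the hook only when invoked with a user name; sourcing or running with
# no arguments just defines the functions above.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Install it the same way as the page's script (chmod 755, then set it as the LoginHook). Because ownership is reset to 900 on every kiosk login, anything one LDAP user leaves in /Users/ldap is readable by the next one until the hook runs; the guard on the uid is what keeps that reset from touching any other account's home.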
Best Answer
Samba no more; for Lion Server, mount.cifs needs extra options: "nounix,sec=ntlmssp".
Apologies for the delay!