MacOS – Authenticate Mac users by LDAP

Tags: ldap, macos, network security

I connected to the LDAP server with a special account and search password using the Directory Utility.

When I set the LDAPv3 Service to RFC2307 LDAP Mappings, with SSL checked, I can move to Directory Editor and authenticate using the username and password for the LDAP directory. I cannot log in to the computer, however.

I did this:

  1. Checked the box in Users & Groups – Allow network users to login ….
  2. Clicked Options
  3. Chose Only these network users
  4. Clicked + and searched for my LDAP username
  5. Selected the user name so it appears in the list.

When I try to log in, the box only shakes and these error messages arrive in system.log.

Aug 31 10:35:58 MacBook-Pro SecurityAgent[1150]: User info context values set for userid
Aug 31 10:35:58 MacBook-Pro authorizationhost[1157]: Failed to authenticate user <userid> (error: 13).

Some guides on the web describe error 13 as follows:

Indicates that the session is not protected by a protocol such as Transport Layer Security (TLS), which provides session confidentiality, and the request will not be handled without confidentiality enabled.

But I chose SSL and do not find a box or method to change this to TLS in the Mac Directory Utility. When I click Security in the setup section (where I put the "use authentication when connecting" information) the Security Policy options are unavailable with the message "Server capabilities and requirements determine the availability of options."

So, I cannot choose to sign all packets or to Encrypt all packets…

When I chose other connection schemes, like Open Directory or Custom, I was unable even to authenticate in the Directory Editor window (errors 500, 2100).

The "authentication when connecting" information is the same that I use for web applications that provide access by LDAP so it surely works in the field. Just not apparently from the Mac when trying to login.

Does anyone have advice on how to allow users to authenticate on this Mac by LDAP to access shared folders?

Best Answer

Here are some settings that are working for now to provide a default kiosk-style account logging in by LDAP authentication.

Fileserver: MacBookPro
Mac OS: El Capitan

This is based on Connecting 10.5 to Stanford's LDAP

With this setup, all ldap users will log in, but have the same home directory and system user id. It is only useful if one ldap user at a time will log in to the machine.

Create the default user home folder contents

Make a standard user from Apple -> System preferences -> Users & Groups

User: ldaptemplate
Pass: randomAnyP@ssKe1

Log in as ldaptemplate. (Customize the desktop if you like.)

Logout

Make a folder with a unique ID as the owner, then copy everything inside ldaptemplate to the new folder.

sudo -s    # become root for the following commands
mkdir /Users/ldap
rsync --quiet --recursive --links --perms --group --delete --extended-attributes /Users/ldaptemplate/ /Users/ldap
chown -R 900 /Users/ldap

Add the home directory reset script to the login hook

mkdir /Library/Management
nano /Library/Management/ldapcleanup.bash

Paste in the script below

#!/bin/bash
# /Library/Management/ldapcleanup.bash
# Copies the template user's home directory to the kiosk user's home directory
# when a kiosk user logs in using LDAP authentication.

templateDir="/Users/ldaptemplate/"
targetDir="/Users/ldap"
targetOwner=900

# This script must be run as root; bail out if it is not.
if [ "$(whoami)" != "root" ]; then
    echo "This script must be run as root!" >&2
    exit 1
fi

# Make sure both directories we are using exist on this system.
if [ ! -d "$templateDir" ] || [ ! -d "$targetDir" ]; then
    echo "Either $templateDir or $targetDir does not exist!" >&2
    exit 1
fi

# Use rsync to make the target mirror the template.
# Note that we are not preserving the owner (no --owner), only permissions and group.
rsync --quiet --recursive --links --perms --group --delete --extended-attributes "$templateDir" "$targetDir"

# Then make sure everything has the correct owner.
chown -R "$targetOwner" "$targetDir"

exit 0

Save the script and close the editor

control + x, then y, then return

Make the script run when a user logs in

defaults write com.apple.loginwindow LoginHook /Library/Management/ldapcleanup.bash

Exit root user terminal mode

exit

Add your ldap.server.tld to the list in Directory Services

command + space -> Directory Utility -> enter

Click lock and authenticate to make changes

Choose LDAPv3 -> Edit -> New

    Server Name or IP Address: ldap2.server.tld
    √ Encrypt using SSL
    √ Use for authentication
    Continue

Select Server -> Click Edit

Set all the parts of each tab as below, so they match your LDAP server's requirements and the information fields it provides. The settings here worked on this particular job.

Connection Tab:

Configuration name: ldap2.server.tld
Server Name or IP Address: ldap2.server.tld
default timeouts
√ Encrypt using SSL
Default port is 636 (your server may need custom)

Search & Mappings Tab

  • This part makes or breaks the login. I needed only a minimal setting in the end. Basically, the things on the left side of the boxes can map to LDAP properties on the right side. They may be information about the person, or account details like the network home folder, and many other things.

    Choose Custom, erase everything from the left box, then add the following.

    > People         (Search base: ou=People,dc=server,dc=edu)
        RecordName   Map to uid
    > UserAuthenticationData (Search base: ou=People,dc=server,dc=edu)
        RecordName  Map to uid
    > Users      (Search base: ou=People,dc=server,dc=edu)
                 Map to inetOrgPerson
        AuthenticationAuthority  Map to uid
        EMailAddress             Map to mail
        FirstName                Map to givenName
        JobTitle                 Map to title
        LastName                 Map to sn
        NFSHomeDirectory         Map to #/Users/ldap
        OrganizationName         Map to serverEduStaffDepartment
                                 (or some existing ldap field)
        PostalAddress            Map to postalAddress
        PrimaryGroupID           Map to #900 
        RealName                 Map to cn (users ldap full name)
        RecordName               Map to aid (users ldap id)
        UniqueID                 Map to #900
                                (Default owner of that folder we made)
        UserShell                #/bin/bash
    

Security tab:

  • This LDAP server requires the group-authorized account to search it. Without this account, the login screen on the Mac showed a red dot, unable to connect to the network. This information is set up and provided by the LDAP admin team in this organization.

    Access to Directory
      √ Use authentication when connecting 
      Distinguished Name: uid=someid,ou=SomeGroup,dc=server,dc=edu
      Password: somelongpasswordstringprovidedbyldapadmins
    
    Click OK, OK
    

Choose Search Policy

Click + 
Add your new LDAP server to the list

Choose Directory Editor and try to use the LDAP search and login.

Select Users in node /LDAPv3/ldap.server.tld
    * Try searching for your ID. If you can't find it, something is wrong
      with the setup.
    * Click the lock to authenticate. If you can't, something did not
      map right. Check that the Mac did not auto-correct 'uid'.

Click lock to de-authenticate

Close Directory Utility

Allow network login from Users & Groups

This part just tells the Mac to check the LDAP directory for user accounts.

Click Apple -> System preferences -> Users & Groups

    Automatic Login: Off
    Display login window as Name and password
    Show fast user switching menu as Full Name
    Click the lock to make changes and authenticate
    √ Allow network users to log in at login window
    Click Edit near Network Account Server: 
    Click + and choose the ldap server created previously

After these changes, the MacBook was rebooted and I could log in as LDAP authenticated users. Log messages now show:

Sep  1 13:40:24 MacBook-Pro SecurityAgent[652]: User info context values set for auser
Sep  1 13:40:44 MacBook-Pro KeyAccess[62]: opened session B8860100, auser (en_US)

After all the setup was done, the answer to the original question, "Have any advice to allow users to authenticate on this mac by LDAP to access share folders?", is to set up everything as above, then share the folder with the network user.

Add network logins to the shared resource

Click Apple -> System preferences -> Sharing
Choose File Sharing
Select the Shared Folder:
Click + in the Users box
Choose Network Users
Search for the ldap ID you want to add
Highlight the user
Click Select

After this, when the backup toy was launched, the network users authenticated and the script ran as well as it did when authenticated against the local user account.
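The login hook registered in the answer above is started by loginwindow as root on every login, so whoever can edit /Library/Management/ldapcleanup.bash, or replace it through a writable /Library/Management, gets root at the next login. The POSIX shell function below is an added example, not part of the original answer: it audits a hook path before it is registered with defaults write, checking that the file and its parent directory are owned by the expected account (root in the answer's setup), that neither is group- or world-writable, and that the script is executable. It reads ownership and mode with ls -ld rather than stat(1), because stat takes different flags on macOS and Linux. The function names check_login_hook, path_owner_and_mode and not_writable_by_others are my own.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a loginwindow LoginHook
# script before enabling it. loginwindow runs the hook as root on every login,
# so the file and its parent directory must be owned by the expected account
# and must not be group- or world-writable.
#
# Usage: check_login_hook /Library/Management/ldapcleanup.bash root
# Returns 0 when the hook is safe to register, 1 otherwise, printing each reason.

# Print "owner mode" for a path, e.g. "root -rwxr-xr-x".
# ls -ld is used because stat(1) takes different flags on macOS and Linux.
path_owner_and_mode() {
    set -- $(ls -ld "$1")
    echo "$3 $1"
}

# Return 1 if the symbolic mode is group- or world-writable
# (a 'w' in position 6 = group write, position 9 = other write).
not_writable_by_others() {
    case "$1" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

check_login_hook() {
    hook="$1"
    expected_owner="$2"
    rc=0

    # loginwindow needs an absolute path, and the target must be a regular file.
    case "$hook" in
        /*) ;;
        *) echo "hook path must be absolute: $hook"; return 1 ;;
    esac
    [ -f "$hook" ] || { echo "hook is not a regular file: $hook"; return 1; }

    # Check the script itself and the directory containing it: a writable
    # directory lets someone swap the file out wholesale.
    for p in "$hook" "$(dirname "$hook")"; do
        set -- $(path_owner_and_mode "$p")
        owner="$1"; mode="$2"
        if [ "$owner" != "$expected_owner" ]; then
            echo "$p is owned by $owner, expected $expected_owner"; rc=1
        fi
        if ! not_writable_by_others "$mode"; then
            echo "$p is group- or world-writable ($mode)"; rc=1
        fi
    done

    # The hook must be executable or loginwindow cannot run it at all.
    [ -x "$hook" ] || { echo "hook is not executable: $hook"; rc=1; }
    return $rc
}

# Stand-alone usage: sh audit_hook.sh /Library/Management/ldapcleanup.bash root
if [ -n "${1:-}" ]; then
    check_login_hook "$1" "${2:-root}"
fi
```

Run it as root after creating the script and before the defaults write step; if it reports a problem, fix ownership with chown root and tighten the mode with chmod 755 on both the file and /Library/Management, then re-run until it returns 0.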