I connected to the LDAP server with a special account and search password using the Directory Utility.
When I set the LDAPv3 Service to RFC2307 LDAP Mappings, with SSL checked, I can move to Directory Editor and authenticate using the username and password for the LDAP directory. I cannot log in to the computer, however.
I did this:
- Checked the box in Users & Groups – Allow network users to log in …
- Clicked Options
- Chose Only these network users
- Clicked + and searched for my LDAP username
- Selected the user name so it appears in the list.
When I try to log in, the box only shakes and these error messages appear in system.log:
Aug 31 10:35:58 MacBook-Pro SecurityAgent[1150]: User info context values set for userid
Aug 31 10:35:58 MacBook-Pro authorizationhost[1157]: Failed to authenticate user <userid> (error: 13).
Some guides on the web describe error 13 like so:
Indicates that the session is not protected by a protocol such as Transport Layer Security (TLS), which provides session confidentiality and the request will not be handled without confidentiality enabled.
But I chose SSL and do not find a box or method to change this to TLS in the Mac Directory Utility. When I click Security in the setup section (where I put the "use authentication when connecting" information) the Security Policy options are unavailable with the message "Server capabilities and requirements determine the availability of options."
So, I cannot choose to sign all packets or to Encrypt all packets…
When I chose other connection schemes, like Open Directory or Custom, I was unable to even authenticate in the Directory Editor window (Error 500, 2100).
The "authentication when connecting" information is the same that I use for web applications that provide access by LDAP so it surely works in the field. Just not apparently from the Mac when trying to login.
Do you have any advice to allow users to authenticate on this Mac by LDAP to access shared folders?
Best Answer
Here are some settings that are working for now to provide a Default Kiosk Style Account logging in by ldap authentication.
Fileserver: MacBookPro Mac OS: El Capitan
This is based on Connecting 10.5 to Stanford's LDAP
With this setup, all ldap users will log in, but have the same home directory and system user id. It is only useful if one ldap user at a time will log in to the machine.
Create the default user home folder contents
Make a standard user from Apple -> System preferences -> Users & Groups
Log in as ldaptemplate. (Customize the desktop if you like.)
Log out
Make a folder with a unique id as the owner, then copy everything inside ldaptemplate to the new folder.
Add the home directory reset script to the login hook
Paste in the script below
Save the script and close the editor
Make the script run when a user logs in
Exit root user terminal mode
Add your ldap.server.tld to the list in Directory Services
command + space -> Directory Utility -> enter
Click lock and authenticate to make changes
Choose LDAPv3 -> Edit -> New
Select Server -> Click Edit
Set all the parts of each tab like below, so they match your LDAP server requirements and the information fields provided. The settings here worked on this particular job.
Connection Tab:
Search & Mappings Tab
This part makes or breaks the login. I needed only a minimal setting in the end. Basically the things on the left side of the boxes can map to LDAP properties on the right side. They may be information about the person or account stuff like network home folder and many other things.
Choose Custom, erase everything from left box then add following.
Security tab:
This ldap server requires the group authorized account to search it. Without this account the login screen on the Mac showed a red dot, unable to connect to the network. This information is setup and provided by the LDAP admin team in this organization.
Choose Search Policy
Choose Directory Editor and try to use the LDAP search and login.
Allow network login from Users & Groups
This part is just telling the Mac to check the LDAP directory for user accounts.
After these changes, the MacBook was rebooted and I could log in as LDAP authenticated users. Log messages now show:
After all the setup was done, the answer to the original question, "Have any advice to allow users to authenticate on this mac by LDAP to access share folders?" is to setup everything like above, then share the folder with the network user.
Add network logins to the shared resource
After this, when the backup toy was launched, the network users authenticated and the script ran as well as it did when authenticated against the local user account.
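The answer above refers to a home directory reset script for the login hook but the script itself is not reproduced on the page. The following is an added example of what such a hook can look like, written here as an illustration and not the answer's own script: it wipes the shared kiosk home and re-copies it from the template so one LDAP user's files do not carry over to the next. The paths `/Users/ldaptemplate`, `/Users/ldapkiosk` and the owner name `ldapkiosk` are assumptions; substitute the template folder and shared home created in the steps above. macOS passes the logging-in user's name to a login hook as `$1`.

```bash
#!/bin/bash
# Added example login hook: reset a shared kiosk home folder from a template at
# every login. Not the original answer's script. Paths/owner below are assumptions.
# Register it (as root) with the legacy login hook mechanism:
#   sudo defaults write com.apple.loginwindow LoginHook /usr/local/bin/reset_home.sh
set -eu

TEMPLATE_DIR="${TEMPLATE_DIR:-/Users/ldaptemplate}"   # assumed template home
KIOSK_HOME="${KIOSK_HOME:-/Users/ldapkiosk}"          # assumed shared home folder
KIOSK_OWNER="${KIOSK_OWNER:-ldapkiosk}"               # assumed owner of the shared home

# reset_home TEMPLATE DEST [OWNER]
# Replace DEST's contents with a fresh copy of TEMPLATE so the previous
# session's files and settings are gone before the next user lands in it.
# Returns non-zero if the template is missing or DEST looks dangerous.
reset_home() {
  template="$1"
  dest="$2"
  owner="${3:-}"

  [ -d "$template" ] || { echo "template $template missing" >&2; return 1; }

  # Refuse to recurse-delete obviously wrong targets (empty, root, /Users).
  case "$dest" in
    ""|"/"|"/Users"|"/Users/") echo "refusing to reset $dest" >&2; return 1 ;;
  esac

  rm -rf "$dest"
  mkdir -p "$dest"
  # "template/." copies the directory contents including dotfiles;
  # -p preserves modes and timestamps from the template.
  cp -Rp "$template/." "$dest/"

  # Give the shared account ownership so the login can write to its home.
  if [ -n "$owner" ]; then
    chown -R "$owner" "$dest" 2>/dev/null || true
  fi
  return 0
}

# When run by loginwindow, $1 is the user who just authenticated.
if [ "${1:-}" != "" ]; then
  logger -t reset_home "resetting $KIOSK_HOME for login by $1"
  reset_home "$TEMPLATE_DIR" "$KIOSK_HOME" "$KIOSK_OWNER"
fi
```

The refusal check in `reset_home` is deliberate: a login hook runs as root, and a misconfigured `KIOSK_HOME` variable would otherwise turn a home reset into a recursive delete of `/Users`.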