Authenticate Mac users by LDAP
I connected to the LDAP server with a special account and search password using the Directory Utility.
When I set the LDAPv3 service to RFC2307 LDAP mappings, with SSL checked, I can move to Directory Editor and authenticate using the username and password for the LDAP directory. I cannot log in to the computer, however.
I did this:
- Checked the box in Users & Groups - Allow network users to login ....
- Clicked Options
- Chose Only these network users
- Clicked + and searched for my LDAP username
- Selected the user name so it appears in the list.
When I try to log in, the box only shakes and these error messages appear in system.log:

```
Aug 31 10:35:58 MacBook-Pro SecurityAgent[1150]: User info context values set for userid
Aug 31 10:35:58 MacBook-Pro authorizationhost[1157]: Failed to authenticate user <userid> (error: 13).
```
Some guides on the web describe error 13 as follows:

> Indicates that the session is not protected by a protocol such as Transport Layer Security (TLS), which provides session confidentiality, and the request will not be handled without confidentiality enabled.
But I chose SSL and cannot find a box or method to change this to TLS in the Mac Directory Utility. When I click Security in the setup section (where I put the "use authentication when connecting" information), the Security Policy options are unavailable, with the message "Server capabilities and requirements determine the availability of options."
So, I cannot choose to sign all packets or to Encrypt all packets...
When I chose other connection schemes, like Open Directory or Custom, I was unable to even authenticate in the Directory Editor window (errors 500, 2100).
The "authentication when connecting" information is the same that I use for web applications that provide access by LDAP so it surely works in the field. Just not apparently from the Mac when trying to login.
Do you have any advice to allow users to authenticate on this Mac by LDAP to access shared folders?
Here are some settings that are working for now to provide a default kiosk-style account logging in by LDAP authentication.
Fileserver: MacBook Pro, Mac OS: El Capitan
This is based on Connecting 10.5 to Stanford's LDAP
With this setup, all LDAP users will log in, but they will share the same home directory and system user id. It is only useful if one LDAP user at a time will log in to the machine.
Create the default user home folder contents
Make a standard user from Apple -> System preferences -> Users & Groups
User: ldaptemplate
Pass: randomAnyP@ssKe1
Login as the ldaptemplate. (Customize the desktop if you like.)
Logout
Make a folder with a unique id as the owner, then copy everything inside ldaptemplate to the new folder (use `sudo -s` to get a root shell; macOS `su` has no `-s` option):

```bash
sudo -s
mkdir /Users/ldap
rsync --quiet --recursive --links --perms --group --delete --extended-attributes /Users/ldaptemplate/ /Users/ldap
chown -R 900 /Users/ldap
```
Add the home directory reset script to the login hook
mkdir /Library/Management
nano /Library/Management/ldapcleanup.bash
Paste in the script below:

```bash
#!/bin/bash
# /Library/Management/ldapcleanup.bash
# Copies the template user's home directory to the kiosk user's home dir
# when a kiosk user logs in using LDAP authentication.
templateDir="/Users/ldaptemplate/"
targetDir="/Users/ldap"
targetOwner=900

# This script must be run as root; bail if it is not.
if [ "$(whoami)" != "root" ]; then
    echo "This script must be run as root!" >&2
    exit 1
fi

# Make sure both directories we are using exist on this system.
if [ ! -d "$templateDir" ] || [ ! -d "$targetDir" ]; then
    echo "Either $templateDir or $targetDir did not exist!" >&2
    exit 1
fi

# Use rsync to make the target mirror the template.
# Note that we are not preserving owner (no --owner); the chown below fixes that.
rsync --quiet --recursive --links --perms --group --delete --extended-attributes "$templateDir" "$targetDir"

# Make sure everything has the correct owner.
chown -R "$targetOwner" "$targetDir"
exit 0
```
Save the script and close the editor
control + x y return
Make the script run when a user logs in
defaults write com.apple.loginwindow LoginHook /Library/Management/ldapcleanup.bash
Exit root user terminal mode
exit
Add your ldap.server.tld to the list in Directory Services
command + space -> Directory Utility -> enter
Click lock and authenticate to make changes
Choose LDAPv3 -> Edit -> New
Server Name or IP Address: ldap2.server.tld
√ Encrypt using SSL
√ Use for authentication
Continue
Select Server -> Click Edit
Set all the parts of each tab like below, so they match your LDAP server's requirements and the information fields it provides. The settings here worked on this particular job.
Connection Tab:
Configuration name: ldap2.server.tld
Server Name or IP Address: ldap2.server.tld
default timeouts
√ Encrypt using SSL
Default port is 636 (your server may need custom)
Search & Mappings Tab:
This part makes or breaks the login. I needed only a minimal setting in the end. Basically, the items on the left side of the boxes map to LDAP properties on the right side. They may be information about the person or account details like the network home folder and many other things.
Choose Custom, erase everything from the left box, then add the following.

- People (Search base: ou=People,dc=server,dc=edu)
  - RecordName: Map to uid
- UserAuthenticationData (Search base: ou=People,dc=server,dc=edu)
  - RecordName: Map to uid
- Users (Search base: ou=People,dc=server,dc=edu): Map to inetOrgPerson
  - AuthenticationAuthority: Map to uid
  - EMailAddress: Map to mail
  - FirstName: Map to givenName
  - JobTitle: Map to title
  - LastName: Map to sn
  - NFSHomeDirectory: Map to #/Users/ldap
  - OrganizationName: Map to serverEduStaffDepartment (or some existing LDAP field)
  - PostalAddress: Map to postalAddress
  - PrimaryGroupID: Map to #900
  - RealName: Map to cn (user's LDAP full name)
  - RecordName: Map to uid (user's LDAP id)
  - UniqueID: Map to #900 (default owner of that folder we made)
  - UserShell: Map to #/bin/bash
Security tab:
This LDAP server requires the group-authorized account to search it. Without this account, the login screen on the Mac showed a red dot, unable to connect to the network. This information is set up and provided by the LDAP admin team in this organization.

Access to Directory:
- √ Use authentication when connecting
- Distinguished Name: uid=someid,ou=SomeGroup,dc=server,dc=edu
- Password: somelongpasswordstringprovidedbyldapadmins

Click OK, OK
Choose Search Policy
Click +
Add your new LDAP server to the list
Choose Directory Editor and try to use the LDAP search and login.
Select Users in node /LDAPv3/ldap.server.tld
* Try searching for your id. If you can't find it, something is wrong with the setup.
* Click the lock to authenticate. If you can't, something did not map right. Check that the Mac did not auto-correct 'uid'.
Click lock to de-authenticate
Close Directory Utility
Allow network login from Users & Groups
This part just tells the Mac to check the LDAP directory for user accounts.
Click Apple -> System preferences -> Users & Groups
Automatic Login: Off
Display login window as Name and password
Show fast user switching menu as Full Name
Click the lock to make changes and authenticate
√ Allow network users to log in at login window
Click Edit near Network Account Server:
Click + and choose the ldap server created previously
After these changes, the MacBook was rebooted and I could log in as LDAP-authenticated users. Log messages now show:

```
Sep 1 13:40:24 MacBook-Pro SecurityAgent[652]: User info context values set for auser
Sep 1 13:40:44 MacBook-Pro KeyAccess[62]: opened session B8860100, auser (en_US)
```
After all the setup was done, the answer to the original question, "Do you have any advice to allow users to authenticate on this Mac by LDAP to access shared folders?", is to set up everything as above, then share the folder with the network user.
Add network logins to the shared resource
Click Apple -> System preferences -> Sharing
Choose File Sharing
Select the Shared Folder:
Click + in the Users box
Choose Network Users
Search for the ldap ID you want to add
Highlight the user
Click Select
After this, when the backup tool was launched, the network users authenticated and the script ran as well as it did when authenticated against the local user account.
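An added check that is not part of the original answer: the LoginHook script installed above runs as root at every login, while every LDAP user shares uid 900, so it is worth verifying that the hook file and its directory cannot be modified by that shared account. `check_login_hook` and `audit_configured_hook` are assumed helper names, not Apple tooling.

```shell
#!/bin/bash
# Audit a loginwindow LoginHook script before relying on it.
# The hook runs as root at every login, so anyone who can edit it
# (e.g. the shared uid 900 kiosk account) effectively has root.

# check_login_hook <path> [expected_owner]
# Succeeds only when <path> is a regular file owned by expected_owner
# (default root), not group- or world-writable, and its directory is
# not world-writable (otherwise the file could simply be replaced).
check_login_hook() {
  hook=$1
  owner=${2:-root}
  if [ ! -f "$hook" ]; then
    echo "FAIL: $hook is not a regular file" >&2; return 1
  fi
  if [ -z "$(find "$hook" -maxdepth 0 -user "$owner" 2>/dev/null)" ]; then
    echo "FAIL: $hook is not owned by $owner" >&2; return 1
  fi
  # -perm -020 / -002: group-writable or other-writable bit is set
  if [ -n "$(find "$hook" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
    echo "FAIL: $hook is group- or world-writable" >&2; return 1
  fi
  dir=$(dirname "$hook")
  if [ -n "$(find "$dir" -maxdepth 0 -perm -002)" ]; then
    echo "FAIL: $dir is world-writable, hook could be replaced" >&2; return 1
  fi
  echo "OK: $hook is owned by $owner and writable only by its owner"
}

# macOS only: audit whatever LoginHook is currently configured, i.e. the
# value set by `defaults write com.apple.loginwindow LoginHook ...` above.
audit_configured_hook() {
  hook=$(defaults read com.apple.loginwindow LoginHook 2>/dev/null) || {
    echo "no LoginHook configured (or not running on macOS)" >&2; return 1
  }
  check_login_hook "$hook" root
}

# Usage: bash audit_loginhook.sh --audit
if [ "${1:-}" = "--audit" ]; then
  audit_configured_hook
fi
```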