Apple macOS logins over LDAP

How to get network-based logins working on Apple macOS devices with Foxpass


Note: each user that logs into a macOS machine must be enabled as an Engineering User or Posix User in Foxpass

1. Foxpass setup

  1. Note your Base DN on the dashboard page. Copy/paste it somewhere.
  2. Create an LDAP Binder account with the name 'macOS' on the LDAP binders page. Copy/paste the generated password! It is only displayed once.

2. Enable Network Account server

Open System Preferences
Open Users & Groups
Click the lock to make changes
Click Login Options
Click "Join..." next to Network Account Server

3. Set up LDAP configuration

Click "Open Directory Utility..."
Click the lock to make changes
Choose LDAPv3
Click the tiny pencil icon
Click New...
Server Name or IP Address: ldap.foxpass.com
Tick "Encrypt using SSL"
Tick "Use for authentication"
Tick "Use for contacts"
Click Manual
Set configuration name to "Foxpass"

4. Set up LDAP Mappings

LDAP Mappings should say "Custom"
Click "Edit..."

If you have MFA on, you might want to increase your "Open/Close times out in" value up from 10 seconds. 60 seconds should give your users enough time to respond to the MFA prompt.

Under "Connection":
Use custom port: 636

Under "Search & Mappings":
Click the '+' under "Record Types and Attributes"
Choose "users"
Drop down the arrow for "Users"
Highlight "Users"
Click the '+' and choose each of the following:

  • GeneratedUID
  • NFSHomeDirectory
  • PrimaryGroupID
  • RealName
  • RecordName
  • UniqueID
  • UserShell

Map each to the following on the right-hand side:

  • Users: posixAccount
  • GeneratedUID: apple-generateduid
  • NFSHomeDirectory: #/Users/$uid$
  • PrimaryGroupID: #20
  • RealName: cn
  • RecordName: uid
  • UniqueID: uidNumber
  • UserShell: #/bin/bash

Highlight "Users"
For "Search base" enter "ou=people,dc=example,dc=com" (replace with your domain)

Click the '+' under "Record Types and Attributes"
Choose "Groups"
Drop down the arrow for "Groups"
Highlight "Groups"
Click the '+' and choose each of the following:

  • GroupMembership
  • Member
  • PrimaryGroupID
  • RecordName

Map each to the following on the right-hand side:

  • Groups: posixGroup
  • GroupMembership: memberUid
  • Member: memberUid
  • PrimaryGroupID: gidNumber
  • RecordName: cn

Highlight "Groups"
For "Search base" enter "ou=groups,dc=example,dc=com" (replace with your domain)

Under "Security"
Tick "Use authentication when connecting"
Distinguished Name: "cn=macOS,dc=example,dc=com"
Password:

Click OK
Click OK
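The mapping tables above decide what macOS actually builds for each account: a value beginning with '#' is a literal (so the home directory becomes /Users/<uid> regardless of what LDAP's homeDirectory says), and '$uid$' inside a literal is filled from the entry. The script below is an added example, not code from Foxpass or Apple. It applies the guide's user and group mappings to constructed sample LDAP entries so you can preview the records before rollout and spot accounts that lack the POSIX attributes a login needs (the usual symptom of a user not enabled as a Posix or Engineering user). The DNs, attribute values and the '#'/'$attr$' substitution rules are assumptions for illustration.

```python
"""Preview the macOS records that the Foxpass LDAP mappings produce.

Added example, not Foxpass's or Apple's code. Assumed mapping semantics:
a mapping that starts with '#' is a literal, and '$attr$' inside a literal
is replaced by that LDAP attribute's first value.
"""
import re

# Mapping tables as entered in Directory Utility (left: OD attribute).
USER_MAPPING = {
    "GeneratedUID": "apple-generateduid",
    "NFSHomeDirectory": "#/Users/$uid$",
    "PrimaryGroupID": "#20",
    "RealName": "cn",
    "RecordName": "uid",
    "UniqueID": "uidNumber",
    "UserShell": "#/bin/bash",
}
GROUP_MAPPING = {
    "GroupMembership": "memberUid",
    "Member": "memberUid",
    "PrimaryGroupID": "gidNumber",
    "RecordName": "cn",
}
# Attributes the login window cannot do without; an account that is not a
# Posix/Engineering user in Foxpass usually has no uidNumber (UniqueID).
REQUIRED_USER_ATTRS = ("RecordName", "UniqueID", "NFSHomeDirectory", "UserShell")
VAR = re.compile(r"\$([A-Za-z0-9-]+)\$")


def resolve(mapping, entry):
    """Apply one mapping table to an LDAP entry (attr -> list of values).

    Returns (record, missing): record maps OD attribute -> list of values,
    missing lists the OD attributes that could not be filled.
    """
    record, missing = {}, []
    for od_attr, ldap_attr in mapping.items():
        if ldap_attr.startswith("#"):
            unresolved = []  # $attr$ references with no value in the entry

            def substitute(match):
                values = entry.get(match.group(1), [])
                if not values:
                    unresolved.append(match.group(1))
                    return ""
                return values[0]

            value = VAR.sub(substitute, ldap_attr[1:])
            if unresolved:
                missing.append(od_attr)
            else:
                record[od_attr] = [value]
        else:
            values = entry.get(ldap_attr, [])
            if values:
                record[od_attr] = list(values)
            else:
                missing.append(od_attr)
    return record, missing


def check_user(entry):
    """Resolve a user entry and list the required attributes it lacks."""
    record, missing = resolve(USER_MAPPING, entry)
    problems = [attr for attr in REQUIRED_USER_ATTRS if attr in missing]
    if "UniqueID" in record and not record["UniqueID"][0].isdigit():
        problems.append("UniqueID")  # uidNumber must be numeric
    return record, problems


# Constructed sample entries; DNs and values are placeholders.
SAMPLE_USERS = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"],
        "cn": ["Alice Example"],
        "uidNumber": ["10001"],
        "gidNumber": ["10001"],
        "homeDirectory": ["/home/alice"],  # ignored: mapping is #/Users/$uid$
        "loginShell": ["/bin/zsh"],        # ignored: mapping is #/bin/bash
        "apple-generateduid": ["00000000-0000-0000-0000-00000000A11C"],
    },
    # Not enabled as a Posix user: no uidNumber, so macOS cannot log it in.
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["bob"],
        "cn": ["Bob Example"],
    },
}
SAMPLE_GROUPS = {
    "cn=engineering,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "cn": ["engineering"],
        "gidNumber": ["5000"],
        "memberUid": ["alice", "bob"],
    },
}


def preview(users=SAMPLE_USERS, groups=SAMPLE_GROUPS):
    """Return (user_records, blocked_users, group_records) for a directory."""
    user_records, blocked = {}, {}
    for dn, entry in users.items():
        record, problems = check_user(entry)
        user_records[dn] = record
        if problems:
            blocked[dn] = problems
    group_records = {dn: resolve(GROUP_MAPPING, e)[0] for dn, e in groups.items()}
    return user_records, blocked, group_records


if __name__ == "__main__":
    users, blocked, groups = preview()
    for dn, record in users.items():
        print(dn, record)
    for dn, problems in blocked.items():
        print("cannot log in:", dn, "missing", ", ".join(problems))
    for dn, record in groups.items():
        print(dn, record)
```

Run it as-is to see the sample output, or replace SAMPLE_USERS and SAMPLE_GROUPS with entries exported from your own directory. Note that alice's LDAP homeDirectory and loginShell never reach macOS because the guide maps NFSHomeDirectory and UserShell to literals; if you want the LDAP values instead, change those two mappings to homeDirectory and loginShell.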

5. Set up search policy

Click "Search Policy"
Switch "Automatic" to "Custom path"
Click '+'
Select "/LDAPv3/ldap.foxpass.com"
Click Add
Click Apply
Close the window

6. Let them log in

Tick 'Allow network users to log in at login window'

7. Debug

Here are some handy debug commands:

Flush the directory cache:
dscacheutil -flushcache

Look up a user (replace <username> with the account's uid):
dscacheutil -q user -a name <username>

8. Rollout

Rollout procedure varies, but here are some ways our customers have done it:

Follow instructions in steps 1 through 5, above. This will create the plist files needed.
Copy plist files from the following two locations. These files can be deployed to other macOS workstations.

/Library/Preferences/OpenDirectory/Configurations/LDAPv3/Foxpass.plist
/Library/Preferences/OpenDirectory/Configurations/Search.plist

The bind username and password set in the "Security -> Use authentication when connecting" step are stored in the macOS System Keychain.

To insert this into the System Keychain via command line on a new system use the following command.

sudo /usr/bin/security add-generic-password -a "cn=yourBindAccount,dc=yourDomainHere,dc=com" -w "yourPassword" -s "/LDAPv3/Foxpass" -l "/LDAPv3/Foxpass" -A /Library/Keychains/System.keychain

Be sure to restart opendirectoryd (or restart macOS), otherwise the new config will not be visible in Directory Utility.

sudo /bin/launchctl stop com.apple.opendirectoryd