Configure OpenLDAP Authentication on MacOS X
Published 2019-06-09, modified 2021-06-08. https://kifarunix.com/configure-openldap-authentication-on-macos-x/

Welcome to our tutorial on how to configure OpenLDAP authentication on MacOS X. MacOS X ships with a utility called Directory Utility. According to Apple Support, Directory Utility can be used to add and configure advanced connections to directory servers. Once configured, your Mac can query those directory servers for user information and other administrative data stored in their directory domains. The directory servers that can be configured include Open Directory, Active Directory and LDAP directory servers.

Follow through this guide to join your MacOS X system to an OpenLDAP directory to facilitate user authentication.

NOTE: This guide is based on Mac OS Sierra.

Configure OpenLDAP Authentication on MacOS X

Configure Access to the OpenLDAP Directory

To begin with, you need to configure access to an OpenLDAP directory server on your MacOS X using the Directory Utility app.

To open the Directory Utility app, click the search icon at the top right corner and type `Directory Utility`. Press Enter to open the app.

You can as well open Directory Utility from `Users and Groups preferences > Login Options > Network Account Server > Join > Open Directory Utility`.

When the app opens, click the lock at the bottom left and authenticate as an administrative user so that you can modify the directory services configuration.

In this demo, we are using OpenLDAP as our directory server. As such, select LDAPv3 from the list and click the pen-like Edit button to configure the selected plugin.

On the setup wizard that opens, click New to add a new OpenLDAP directory server. Enter the resolvable hostname or IP address of the OpenLDAP server.

If you are using LDAP with SSL, be sure to check the SSL box, so that the bind credentials and user passwords are not sent to the server in the clear.

Click Manual to configure your OpenLDAP directory settings by hand. Next, click Edit to edit the connection.

Under the Connection tab, set the name of the connection, change the address if need be, choose whether to use SSL and a custom port, and leave the other settings at their defaults.

Under Search and Mappings, select RFC2307 as the mapping template for LDAPv3 and enter your OpenLDAP directory search base suffix.

Under Security, tick the check box Use Authentication when connecting, and enter your OpenLDAP BIND DN and its password.

Click OK when done with the settings.

Click OK to close the configuration wizard. This takes you back to the Directory Utility app.

Click on the Search Policy tab and choose where to search for user information. In this case, we select Custom Path and click the + (plus) sign to add the LDAP directory domain. Select the domain connection and click Add.

You can do the same for Contacts.

Verify MacOS OpenLDAP User Authentication

You can now verify user authentication by clicking the Directory Editor tab in the Directory Utility app.

Select Viewing Users in the node /LDAPv3/yourLDAPaddress. To verify user authentication, click the padlock (Not authenticated) and enter the LDAP username and password. If authentication succeeds, you should now be able to see your LDAP users and their details.

Next, save the settings by clicking on the Services tab and then clicking Apply. If you want, click the lock to prevent further changes.

You can as well verify user information using the `id` command on the terminal. For example, we have the user janedoe in our LDAP directory. To verify its details:

```
id janedoe
```

```
uid=10010(janedoe) gid=10010(janedoe) groups=10010(janedoe),223(com.apple.access_loginwindow),702(com.apple.sharepoint.group.2),12(everyone),62(netaccounts),701(com.apple.sharepoint.group.1)
```

Login as OpenLDAP User on MacOS

Before you can login as an LDAP (directory) user, you need to enable network users to login.

Note that you also need to create a home directory for the user on the system, as specified by the LDAP entry. Below is our sample LDAP user information, queried on the OpenLDAP server itself over the local ldapi socket:

```
ldapsearch -Y EXTERNAL -H ldapi:/// -b "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" uid=janedoe -LLL -Q
```

```
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: extensibleObject
uid: janedoe
cn: jane
sn: Doe
loginShell: /bin/bash
uidNumber: 10010
gidNumber: 10010
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0
homeDirectory: /Users/janedoe
userPassword:: e1NTSEF9Rmpjb0VzRE8rRlFBcEp1UWNFclVhWGdmNFYyNGdxdkI=
```

Therefore, the home directory we will create for the user `janedoe` is `/Users/janedoe`.

```
mkdir /Users/janedoe
chown -R janedoe:janedoe /Users/janedoe
```

Now, log out and try to login as an LDAP user.

If the login fails, reboot your machine and retry. Ensure that your system is connected to the LDAP directory server.

Upon successful authentication, go through the new account setup and there you go, logged in to your Mac OS X via your OpenLDAP directory server.

You have successfully configured OpenLDAP authentication on MacOS X. One thing to note is that any network user provided by the OpenLDAP directory can login to your system. In our next guide, we will learn how to restrict OpenLDAP authentication on MacOS X to specific users.

Configure Offline Authentication by following the link below:

Configure Offline Authentication via OpenLDAP on MacOS X

That brings us to the end of our tutorial on how to configure OpenLDAP authentication on MacOS X.

Reference

About Directory Utility

Related Tutorials

Install and Setup OpenLDAP Server on Ubuntu 20.04
Install and Setup phpLDAPadmin on Ubuntu 20.04
Configure SSSD for LDAP Authentication on Ubuntu 20.04
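As an added example (not part of the tutorial), here is a Python pre-flight check for the steps above: it parses the ldapsearch LDIF entry and the `id` line shown on this page (embedded as constructed sample input), confirms the entry carries the posixAccount attributes the RFC2307 mapping needs and a hashed userPassword, compares the ids the Mac resolved with the directory values, and derives the mkdir/chown commands for the home directory. The function names are my own.

```python
import base64, re

# Constructed sample input: the ldapsearch -LLL entry and the id(1) line from the tutorial.
SAMPLE_LDIF = """dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: posixAccount
uid: janedoe
loginShell: /bin/bash
uidNumber: 10010
gidNumber: 10010
homeDirectory: /Users/janedoe
userPassword:: e1NTSEF9Rmpjb0VzRE8rRlFBcEp1UWNFclVhWGdmNFYyNGdxdkI=
"""
SAMPLE_ID = "uid=10010(janedoe) gid=10010(janedoe) groups=10010(janedoe),62(netaccounts)"
# Attributes the RFC2307 mapping template needs to resolve a macOS login
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}; '::' marks base64, a leading space folds."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr, []).append(value.strip())
    return entry

def check_entry(entry, id_output):
    """Return the problems that would break or weaken this user's macOS login."""
    problems = [f"missing {a}" for a in REQUIRED if a not in entry]
    if "posixAccount" not in entry.get("objectClass", []):
        problems.append("missing objectClass posixAccount")
    # userPassword must be a hashed value such as {SSHA}..., never clear text
    if not entry.get("userPassword", ["{"])[0].startswith("{"):
        problems.append("userPassword is stored in clear text")
    # What the Mac resolved through id(1) must match the directory entry
    seen = dict(re.findall(r"\b(uid|gid)=(\d+)", id_output))
    for key, attr in (("uid", "uidNumber"), ("gid", "gidNumber")):
        if attr in entry and seen.get(key) != entry[attr][0]:
            problems.append(f"{attr}={entry[attr][0]} but id(1) reports {key}={seen.get(key)}")
    return problems

def home_dir_commands(entry):  # the mkdir/chown step from the page, with numeric gid
    uid, gid, home = entry["uid"][0], entry["gidNumber"][0], entry["homeDirectory"][0]
    return [f"mkdir {home}", f"chown -R {uid}:{gid} {home}"]
```

Run `check_entry(parse_ldif(SAMPLE_LDIF), SAMPLE_ID)` with the real ldapsearch and `id janedoe` output substituted; an empty list means the entry is ready for the login step.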