Logging into OSX

Lee David Painter

Introduction

This article shows you how you can configure the OSX operating system so that you can log into your Mac computer using LogonBox Directory credentials.

If you have not installed LogonBox Directory, now is the time to do so. This discussion assumes you have a server installed, configured, and ready to go with users waiting to log into OSX.

Before you configure OSX to connect to your directory, there are a few values you will need to note down. These are:

Directory Hostname

This is the FQDN of your LogonBox Directory server. It must be resolvable from every client you want to log in from. If your users will be reaching the directory over the Internet, make sure the directory is firewalled and that only the LDAPS port (636 by default) is forwarded from your public hostname/IP address, so that credentials never cross the Internet on an unencrypted LDAP connection.

Directory LDAP DN

The LDAP Distinguished Name (DN) is the formatted string that uniquely identifies an entry in the directory tree. You will need to know the root (base) DN of your server, which is where OSX will start its searches. If you have not changed it, this will be DC=System,DC=local.

Directory LDAP Port

Unless you have changed the default LDAPS interface, the port will be 636, the standard port for the ldaps:// protocol.

Service Account

You will need an account that has permission to bind to and search the LDAP directory. We recommend creating a dedicated user with a minimal set of permissions (read access to users and groups only) rather than an administrator account, because its credentials will be stored on every Mac you configure. See our Creating a Service Account article for more information.


System Configuration

Navigate to the Users & Groups pane in System Preferences and click the lock icon so that you can make changes.

You will be asked to authenticate as an administrator.

Once that is done, the lock icon shows as unlocked.

Click on Login Options and then the Join button next to Network Account Server.

At the prompt, click Open Directory Utility (there is no need to enter anything in the server field).

Directory Utility has its own lock; go through the same unlock procedure described above before you can edit anything on this page.

Select LDAPv3 and click the edit button just above the unlock icon.

After clicking edit, the following popup shows. Click on New to create a new configuration.

Enter the FQDN of your LogonBox Directory in the Server Name or IP Address field and check the Encrypt using SSL option. For the SSL connection to succeed, the Mac must trust the certificate the directory presents; if LogonBox is using a certificate issued by your own CA, add that CA to the System keychain first.

Now click the Manual button. Another popup appears showing the new directory entry; highlight the entry and click Edit.

Yet another popup appears with some configuration details.

Here you can enter a name for your configuration; I have called it LogonBox.

I have also increased the timeouts to 60 seconds. You may find this useful later if you decide to add 2FA to the LDAP authentication flow, because the bind then has to wait for the user to complete the second factor.

Finally, I have also changed the port number to 636, the default SSL port for LDAP.

We now have to configure the Search & Mappings tab. This is a little tricky in the UI, so I have created an animated gif to show you how to do it.

In Record Types and Attributes, click + under the left-hand box. From the popup select Users and also Groups, then click OK.

Select Users.

In the right-hand box, click the + icon to create a new mapping and enter "posixAccount".

Ensuring Users is still highlighted in the left-hand box and the arrow next to Users is pointing down, click the + icon below it again and select all of the attributes in the left-hand column of the following table.

OSX attribute      Map to
GeneratedUID       local-guid
HomeDirectory      #/Users/Shared
NFSHomeDirectory   #/Users/Shared
PrimaryGroupID     gidNumber
RealName           description
RecordName         uid
UniqueID           uidNumber
UserShell          #/bin/bash

A value beginning with # is a fixed value rather than the name of an LDAP attribute, so every network user gets /Users/Shared as their home directory and /bin/bash as their shell. Bear in mind that /Users/Shared is readable by every local user; if your users need private home directories, map HomeDirectory and NFSHomeDirectory to a per-user attribute instead (posixAccount's homeDirectory, if your directory populates it).

Once all of the attributes are showing beneath the Users entry, click on each attribute in turn and enter the value from the right-hand column of the table into the Map to box.

Now, repeating the same process, select Groups in the left-hand box and, in the right-hand box, give it a new mapping of "posixGroup".

Repeat the attribute mapping process for Groups using the table below.

OSX attribute      Map to
GroupMembership    uniqueMember
Member             uniqueMember
PrimaryGroupID     gidNumber
RecordName         cn

Here PrimaryGroupID is the group's own gidNumber; each user's gidNumber should match a group that exists under this mapping so that the user's primary group resolves at login.

You can see the above in action with the animated gif below.
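Before clicking through the mappings, it is worth checking from a shell that the four values from the Introduction actually work and that the directory entries carry every attribute the two tables above map; a user without a uidNumber, or a group without a gidNumber, will not log in no matter how carefully the mapping is entered. The script below is an added example written for this article, not part of LogonBox or of the original page. It assumes the OpenLDAP ldapsearch client (macOS ships one), and the host, base DN, bind DN and password-file path are placeholders you supply through environment variables. The check_posix_ldif function works offline on any LDIF, so it can also be run over a saved export.

```shell
#!/bin/sh
# Added example, not from the article or from LogonBox: pre-flight check of the
# Directory Hostname, LDAP DN, LDAP Port and Service Account before configuring
# OSX. Requires the OpenLDAP ldapsearch client. All values are placeholders.
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"     # Directory Hostname (placeholder)
LDAP_PORT="${LDAP_PORT:-636}"                  # Directory LDAP Port (ldaps)
BASE_DN="${BASE_DN:-DC=System,DC=local}"       # Directory LDAP DN (article default)
BIND_DN="${BIND_DN:-}"                         # full DN of the service account
BIND_PW_FILE="${BIND_PW_FILE:-}"               # file holding its password (keeps it off argv)

# check_posix_ldif reads LDIF on stdin and prints "<dn>: missing <attr>" for every
# posixAccount lacking uid, uidNumber or gidNumber and every posixGroup lacking cn,
# gidNumber or uniqueMember (the attributes the Users and Groups mappings need).
# Returns 1 if anything is missing, 0 otherwise.
check_posix_ldif() {
  awk '
    BEGIN { bad = 0 }
    function flush(   need, parts, n, i) {
      if (dn == "") return
      if ("posixAccount" in oc)    need = "uid uidNumber gidNumber"
      else if ("posixGroup" in oc) need = "cn gidNumber uniqueMember"
      else                         need = ""
      n = split(need, parts, " ")
      for (i = 1; i <= n; i++)
        if (!(parts[i] in have)) { print dn ": missing " parts[i]; bad = 1 }
      dn = ""; delete oc; delete have
    }
    /^#/    { next }                           # ldapsearch comment lines
    /^dn: / { flush(); dn = substr($0, 5); next }
    /^$/    { flush(); next }                  # a blank line ends an entry
    /^[^ ]+:/ {                                # "attr: value" (continuations ignored)
      attr = $0; sub(/:.*/, "", attr)
      val  = $0; sub(/^[^:]+:+ */, "", val)
      have[attr] = 1
      if (attr == "objectClass") oc[val] = 1
    }
    END { flush(); exit bad }
  '
}

# live_check resolves the host, binds over LDAPS with the service account and
# validates every posixAccount/posixGroup under the base DN. It is skipped unless
# BIND_DN and BIND_PW_FILE are set, so the script is harmless to run elsewhere.
live_check() {
  if [ -z "$BIND_DN" ] || [ -z "$BIND_PW_FILE" ]; then
    echo "BIND_DN / BIND_PW_FILE not set, skipping live check"; return 0
  fi
  # an unresolvable hostname is the commonest reason the Directory Utility bind fails
  nslookup "$LDAP_HOST" >/dev/null 2>&1 || { echo "cannot resolve $LDAP_HOST"; return 1; }
  # -x simple bind, -y password from file, ldaps:// so the bind never travels in clear
  ldapsearch -x -LLL -H "ldaps://$LDAP_HOST:$LDAP_PORT" -D "$BIND_DN" -y "$BIND_PW_FILE" \
      -b "$BASE_DN" '(|(objectClass=posixAccount)(objectClass=posixGroup))' \
      objectClass uid cn uidNumber gidNumber uniqueMember description \
    | check_posix_ldif && echo "all entries carry the mapped attributes"
}

live_check
```

Create the password file with printf '%s' rather than echo, because ldapsearch treats a trailing newline as part of the password, and chmod 600 it. If ldapsearch reports a TLS error, the client does not trust the certificate LogonBox presents; point it at your CA with the LDAPTLS_CACERT environment variable rather than disabling verification, since an unverified LDAPS connection gives an attacker on the path the service account's password. Directory Utility needs the same trust for its Encrypt using SSL option.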

Finally, click on the Security tab and provide the service account the operating system will use to bind to LDAP. Here I have created a user called serviceAccount; you can find instructions for how to do this in the Creating a Service Account article. These credentials are stored on the Mac, which is why the account should have no more than read access to the directory.

Click OK. You are returned to the services popup; click OK again to return to the services listing of the Directory Utility. You will likely be prompted for your password here to save the configuration.

Next, open the Search Policy tab of Directory Utility. Select Custom Path under Search Path, then click the + icon to add the configuration you just created. OSX only consults nodes on its search path, so without this step the login window will not see your LogonBox users.

Testing Configuration

You have now configured OSX to access your LogonBox Directory LDAP server. While still in Directory Utility, click the Directory Editor tab and select the new node you created to check that it lists your users.

Back in the Users & Groups preferences pane, under Login Options, ensure that "Allow network users to log in at login window" is checked. Its Options button lets you restrict this to particular network users or groups rather than everyone in the directory.

And now you are ready to log in to OSX with your LogonBox Directory accounts.
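The Directory Editor check is visual; from a Terminal on the Mac you can prove the mappings end to end through the same search path the login window uses, and catch a problem the GUI does not flag: a network user whose uidNumber collides with a local account's UID. The script below is an added example for this article, not LogonBox's or Apple's code. The hostname and user name are placeholders, and the /LDAPv3/<hostname> node name is the one Directory Utility creates for an LDAPv3 configuration. Its parsing and validation functions run offline on captured dscl output; the live part runs only where dscl exists.

```shell
#!/bin/sh
# Added example, not from the article, LogonBox or Apple: verify the new LDAPv3
# node from the Mac's command line. LDAP_HOST and the user name are placeholders;
# Directory Utility names an LDAPv3 node /LDAPv3/<server address>.
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"
NODE="/LDAPv3/$LDAP_HOST"

# dscl_field prints the value(s) of one key from `dscl ... -read` output on stdin.
# dscl prints "Key: value" on one line, or "Key:" followed by one indented line
# per value when a value contains spaces (RealName usually does); both are handled.
dscl_field() {
  awk -v key="$1:" '
    $1 == key {
      if (NF > 1) { sub(/^[^:]+: */, ""); print; exit }
      grab = 1; next
    }
    grab && /^ / { sub(/^ +/, ""); print; next }
    grab { exit }
  '
}

# check_user_record reads a dscl user record on stdin and confirms every attribute
# the article maps is present and usable for a login: a RecordName, numeric
# UniqueID and PrimaryGroupID, a home directory and a shell. Prints one problem
# per line and returns 1 if there were any, 0 otherwise.
check_user_record() {
  rec=$(cat)
  bad=0
  for key in RecordName UniqueID PrimaryGroupID NFSHomeDirectory UserShell; do
    val=$(printf '%s\n' "$rec" | dscl_field "$key")
    if [ -z "$val" ]; then
      echo "missing $key"; bad=1
      continue
    fi
    case "$key" in
      UniqueID|PrimaryGroupID)
        case "$val" in
          *[!0-9]*) echo "$key is not numeric: $val"; bad=1 ;;
        esac ;;
    esac
  done
  return "$bad"
}

# live_check runs the real thing on a Mac: lists the node, reads the user via the
# /Search path (what the login window uses), validates the record, and fails if
# the UniqueID is also held by a local account, which confuses file ownership and
# name lookups. Usage: sh verify.sh <username>
live_check() {
  command -v dscl >/dev/null 2>&1 || { echo "dscl not found (not OSX), skipping live check"; return 0; }
  [ -n "$1" ] || { echo "usage: $0 <username>"; return 0; }
  dscl "$NODE" -list /Users >/dev/null || { echo "node $NODE does not answer"; return 1; }
  dscl /Search -read "/Users/$1" | check_user_record || return 1
  uid=$(dscl /Search -read "/Users/$1" UniqueID | dscl_field UniqueID)
  if dscl /Local/Default -search /Users UniqueID "$uid" | grep -q UniqueID; then
    echo "UniqueID $uid collides with a local account"; return 1
  fi
  id "$1"   # resolved by the OS through the same path the login window uses
}

live_check "$1"
```

If `id` prints the network user's uid and gid but the group shows only as a number, the Groups mapping or the user's gidNumber is wrong; if dscl lists the node but `id` fails, the node is not on the custom search path.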