How to Configure LDAP Authentication for Mac OS and Azure AD

  • Just got this worked out and except for a few Mac OS caveats it works great.  If you’re looking to use Azure AD user accounts to manage local logins to Mac OS devices this will do the trick.  Suggestions for improvements welcome.

    Enjoy!

    -Mark

    Prerequisites

    1. Configure Secure LDAP (LDAPS) for an Azure AD Domain Services managed domain

    Network Account Server Setup

    1. System Preferences > Users & Groups > Login Options > click Lock Icon to allow changes
    2. Network Account Server > Join > Open Directory Utility > click Lock Icon to allow changes
    3. LDAPv3 > edit Pencil > New > Server Name
      • Enter the FQDN of your LDAPS endpoint, i.e. ldaps.mycompany.com
      • Check Encrypt using SSL > Manual
    4. Enter a Configuration Name of your choice > Edit
      • Check Use custom port and enter 636

    Search & Mappings Tab

    1. Click the (+) button and add the Users record type
      1. Enter your Search Base, i.e. dc=mycompany,dc=com
    2. With Users highlighted click (+) and add the following Attribute Types and associated values:
      • NFSHomeDirectory - #/Users/$sAMAccountName$
      • PrimaryGroupID - #20
      • RealName - cn
      • RecordName - sAMAccountName
      • UniqueID - uSNCreated
      • UserShell - #/bin/bash

    Security Tab

    1. Check Use authentication when connecting and enter a Distinguished Name
      1. i.e. cn=username,ou=AADDC Users,dc=mycompany,dc=com
    2. OK > OK when done

    Search Policy Tab

    1. For Authentication and Contacts use the Search dropdown to select Custom path > (+) > ADD
      1. Choose the Directory Domain you just created
    2. Apply and close the Directory Utility
    3. You should now see the Network Account Server you just created with a green dot next to it.  If you see a red dot it either has not connected yet or something is wrong with your setup.  A reboot sometimes helps.
    4. Logout and login as a valid Network user.

    Create mobile account

    GUI

    support.apple.com/kb/PH25671?locale=en_US

    Command Line

    sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username

    Summary Comments

    After the mobile account is created you can make the network user a local admin and give them access to unlock the drive at boot time if using FileVault.

    A mobile account will also be needed if the user needs to log into the Mac while not connected to the Internet.

    Wireless is not available at the Mac OS login screen.  First-time users will have to log in with an Ethernet connection.

    • Edited by Mark Zig Friday, April 14, 2017 2:14 PM
    Thursday, April 6, 2017 2:19 PM
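As an added pre-flight check that is not part of the original post: before entering the values in Directory Utility, this script confirms from the Mac's shell that the LDAPS endpoint answers on 636 with a trusted certificate and that the Security-tab bind DN can read back the attributes the mapping depends on. It uses only the openssl and ldapsearch binaries that ship with macOS; the host name, admin user name and test user passed on the command line are placeholders.

```shell
#!/bin/sh
# Pre-flight check for an Azure AD DS LDAPS endpoint before configuring
# Directory Utility. Added example, not from the original post. Assumes
# openssl and ldapsearch from macOS; all host/user values are placeholders.

# Derive the Search Base "dc=mycompany,dc=com" from a DNS domain name.
search_base_for() {
    printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# Build the Distinguished Name the Security tab expects for an AAD DS user.
bind_dn_for() {
    # $1 = username, $2 = search base
    printf 'cn=%s,ou=AADDC Users,%s' "$1" "$2"
}

# Expand the NFSHomeDirectory mapping "#/Users/$sAMAccountName$" for a user.
home_dir_for() {
    printf '/Users/%s' "$1"
}

# 1) TLS: confirm port 636 answers and the certificate chain verifies against
#    the trust store openssl uses. An untrusted AAD DS certificate is a common
#    reason Directory Utility reports the server as not reachable.
check_tls() {
    host="$1"
    openssl s_client -connect "$host:636" -servername "$host" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# 2) Bind and query: authenticate with the Security-tab DN (password is
#    prompted by -W) and read the attributes used by the mappings.
check_bind() {
    host="$1"; bind_dn="$2"; base="$3"; user="$4"
    ldapsearch -x -H "ldaps://$host:636" -D "$bind_dn" -W -b "$base" \
        -s sub "(sAMAccountName=$user)" sAMAccountName cn uSNCreated
}

# Usage: sh check_ldaps.sh ldaps.mycompany.com adminuser testuser
if [ "$#" -eq 3 ]; then
    host="$1"; admin="$2"; user="$3"
    base="$(search_base_for "${host#*.}")"   # strip the host label, keep the domain
    if check_tls "$host"; then echo "TLS ok on $host:636"; else echo "TLS check FAILED"; fi
    check_bind "$host" "$(bind_dn_for "$admin" "$base")" "$base" "$user"
    echo "expected home directory: $(home_dir_for "$user")"
fi
```

If the TLS step fails but ldapsearch over a VPN works, the problem is certificate trust on the Mac rather than the mapping values.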

All replies

  • Hello Mark,

    Thank you very much for your guide.

    It helped a lot, but I have questions about the mapping values.

    1. Are the Attribute Types you chose the only ones I need for authentication against the Azure ADDC?
    2. The blue values to the right of the attribute types: are they defaults, or do I need to put my AD-specific values there?
    3. The # character in front of some values, what does it actually mean?

    My problem is that no matter how I configure the connection I get the error message "Connection failed to node '/LDAPv3/mycompany.com' (2100)"

    Maybe someone can help me with my problem.

    If you need further information ask for it.

    Thursday, April 13, 2017 3:30 PM
  • Items in RED need to be your values and the GREEN attributes can be entered as is.


    • Edited by Mark Zig Friday, April 14, 2017 2:14 PM
    Friday, April 14, 2017 1:45 PM
  • Hi Mark, 

    Thank you for your reply.

    When I try to connect to my Azure ADDC I get the error 'Server is not reachable', and when I choose the 'Directory Editor' tab I get the error 'Connection failed to node...'.

    I wonder why it behaves like this, because in Apache Directory Studio I can connect and browse the AD with the same credentials and search paths as in the System settings.

    Do you have an idea where my problem is?

    Thank you.

    P.S. Where did you get these parameters from?


    • Edited by gusi1994 Tuesday, April 18, 2017 8:01 AM
    Tuesday, April 18, 2017 7:38 AM
  • Hello everyone, 

    I didn't get it to work over SSL. Maybe I installed the certificate in the wrong place in the Mac Keychain.

    With a VPN connection to Azure it worked perfectly with the values Mark provided in the first post, except the SSL-specific ones.

    Tuesday, June 13, 2017 10:56 AM
  • Hello everyone,

    After one month of not paying attention to the settings and the functionality, I tried it again and it no longer works to connect to the Azure AD over a VPN connection.

    Maybe someone has an update about something that Microsoft changed in the implementation of the Azure ADDS.

    Wednesday, August 30, 2017 1:26 PM