Hi, I am trying to set up LDAP authentication on macOS. I added apple.schema on the LDAP server and filled in several attributes for users and groups:
# id first.last
uid=1537(first.last) gid=3174 groups=3174,1101(SRV0027),12(everyone),62(netaccounts),701(com.apple.sharepoint.group.1),702(com.apple.sharepoint.group.2)
# dscl /LDAPv3/ldap.example.com -read /Users/first.last
dsAttrTypeNative:displayName: last, first
dsAttrTypeNative:mailHost: imap.example.com
dsAttrTypeNative:mailQuota: 1048576
dsAttrTypeNative:objectClass: top inetOrgPerson kolabInetOrgPerson mailRecipient organizationalPerson person posixAccount shadowAccount apple-user extensibleObject
dsAttrTypeNative:ou: ou=People,dc=example,dc=com
dsAttrTypeNative:preferredLanguage: ru_RU
AppleMetaNodeLocation: /LDAPv3/inldap.example.com
AppleMetaRecordName: uid=first.last,ou=People,dc=example,dc=com
Company: My Company
EMailAddress: email@example.com
FirstName: first
GeneratedUID: F8C2ED3B-07E0-4222-83F2-2A58203CF919
HomeDirectory: /Users/first.last
LastName: last
NFSHomeDirectory: /home/first.last
Password:
PrimaryGroupID: 3174
RealName: first last
RecordName: first.last
RecordType: dsRecTypeStandard:Users
UniqueID: 1537
UserShell: /bin/bash
I added the LDAP server, but when I log in, the home dir cannot be created. I edited /etc/auto_master, but that didn't fix it. If I create the home dir manually, then everything is all right.
I have no idea, please, I need help! :(
In your output I see "NFSHomeDirectory: /home/first.last"
On macOS the attribute NFSHomeDirectory: is the local path to your home (which could be a URL for network homes, but usually /Users/first.last). OS X does not use the LDAP homedir attribute, but you can use that attribute to calculate other attributes with mappings.
Change the mapping for NFSHomeDir and try again. I would not be surprised if the home were created at login.
I answered under the assumption you want this:
A local home folder (created from /System/Library/User Template/) for any user from LDAP that logs in to the Mac.
If you want a network home folder (similar to Windows roaming profiles), enter the URL for that in NFSHomeDir (like afp://server.example.com/Users/first.last).
There are a few more details you need to take into account when using a 'plain' LDAP server; please read chapter 3 of this book: Mac OS X Directory Services v10.6: A Guide to Open Directory....
by Arek Dreyer, Ben Greisler, available in the iBooks store, and partly available in Google Books.
Although this book is written for 10.6, this should still work.
I have not edited /etc/auto_master so far; I guess you do not have to edit this to make the network home folder work, but I have not worked with 'plain' LDAP since 10.8, so please investigate.
Network home folders are not promoted by Apple, but they still work. Please stay away from synchronizing a cached local home of a network home (called 'Portable Home Directory' or PHD). It never works without errors, and it is removed from macOS Sierra.
I am using an LDAP server but also running into issues creating home directories on first login. Currently this NFSHomeDirectory attribute is set by default to /home/first.last, similar to above, which causes the login not to work or create a new user home directory based on the local user template folder. If I open Directory Utility and change that attribute to #/Users/$uid$, it works like a charm. How do I set that attribute in a script or at a programmatic level so I don't have to touch every machine?
I have the same question as @bkimelman. We currently have NFSHomeDirectory set to #/Users/$uid$, and when we Screen Share and log in, macOS creates the user's home directory... but we have a fleet of headless Mac Minis and I need to find a way to do this so that anyone in the department can ssh into a machine and get their home directory created. I tried:
sudo /usr/sbin/createhomedir -u <username>
But that seemed to literally do nothing (no home directory created...)
I also tried:
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n <username>
and it appeared to work, but I was unable to use my LDAP password afterwards to log in.
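An added example, not code from the thread or from Apple: it applies the mapping rule the last two comments rely on (a leading '#' makes the NFSHomeDirectory mapping a literal template whose $uid$-style tokens are filled from native LDAP attributes) and then classifies the resulting value as a local path, a network URL as in the answer above, or neither, so a mapping can be checked for a whole set of records before it is rolled out. The node name ldap.example.com and the sample values come from the question; the two helper functions are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread. A mapping beginning with '#' is a
# literal template in which each $name$ token is replaced by the value of the
# native attribute "name"; any other mapping just names a native attribute.

# expand_home_mapping MAPPING name=value...  -> prints the effective
# NFSHomeDirectory for a record whose native attributes are the name=value args.
expand_home_mapping() {
    mapping=$1; shift
    case $mapping in
        '#'*)
            result=${mapping#?}          # drop the leading '#'
            for kv in "$@"; do
                key=${kv%%=*}; val=${kv#*=}
                # replace every "$key$" occurrence with val (POSIX sh only)
                while [ "${result#*"\$$key\$"}" != "$result" ]; do
                    result="${result%%"\$$key\$"*}$val${result#*"\$$key\$"}"
                done
            done
            printf '%s\n' "$result" ;;
        *)
            for kv in "$@"; do
                [ "${kv%%=*}" = "$mapping" ] && { printf '%s\n' "${kv#*=}"; return 0; }
            done
            return 1 ;;
    esac
}

# home_kind VALUE -> "local" (absolute path: created from the user template at
# login), "network" (URL, as for network homes), or "unusable" (anything else,
# e.g. a relative path or an unexpanded template).
home_kind() {
    case $1 in
        /*)                        echo local ;;
        afp://*|smb://*|nfs://*)   echo network ;;
        *)                         echo unusable ;;
    esac
}

# On macOS, audit one LDAP record: pass the short name as the first argument.
# Skipped on other systems and when no argument is given.
if [ -n "${1:-}" ] && command -v dscl >/dev/null 2>&1; then
    home=$(dscl /LDAPv3/ldap.example.com -read "/Users/$1" NFSHomeDirectory | awk '{print $2}')
    echo "$1: NFSHomeDirectory=$home ($(home_kind "$home"))"
fi
```

Run it as `sh check-home.sh first.last` on a Mac bound to the LDAP node to see what value the account will actually get; the two functions can also be sourced and used on their own.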