
CLC Authentication and Authorization for OS X using Penn State's Kerberos and LDAP Services

These steps were tested on macOS 10.12.3, build 16D32.

1) Configure Kerberos for Authentication

Configure and enable Kerberos for Authentication:

    Download:    <>
    Install here:    /etc/
    Move and change the permissions of the krb5.conf file:

Confirm that you can successfully obtain a Kerberos Ticket Granting Ticket (TGT):

Use "kinit" with your username to generate a ticket. Use "klist" to show that your userID has a "krbtgt" ticket, then use "kdestroy" to destroy/invalidate the ticket.

Assuming that you successfully obtained a Kerberos TGT, proceed to the next section to configure LDAP for authorization.
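The check above can be scripted so that it fails loudly when no TGT is present. The following is an added example, not part of the original page: check_tgt reads "klist" output on stdin and succeeds only when a krbtgt ticket for the given realm is listed. The realm name EXAMPLE.REALM, the principal, the dates and the cache identifier in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: confirm that a Kerberos TGT is in the credential cache by
# parsing "klist" output. Returns 0 if a krbtgt/REALM@REALM line is present.
# Usage against a live cache after kinit:  klist | check_tgt EXAMPLE.REALM

check_tgt() {
    realm="$1"
    # klist prints one line per ticket with the service principal in the last
    # column; a TGT is the service principal krbtgt/REALM@REALM.
    # -F matches the literal string so the dots in the realm are not wildcards.
    grep -qF "krbtgt/${realm}@${realm}" && return 0
    return 1
}

# Constructed sample of the output klist prints once kinit has succeeded;
# principal, dates and cache id are placeholders, not real values.
SAMPLE_KLIST='Credentials cache: API:00000000-0000-0000-0000-000000000000
        Principal: user@EXAMPLE.REALM

  Issued                Expires               Principal
Jan  1 09:00:00 2017  Jan  1 19:00:00 2017  krbtgt/EXAMPLE.REALM@EXAMPLE.REALM'

# Constructed sample of an empty cache (no tickets listed at all).
EMPTY_KLIST='klist: No ticket file: /tmp/krb5cc_0'

# Offline demonstration against the constructed samples.
if printf '%s\n' "$SAMPLE_KLIST" | check_tgt EXAMPLE.REALM; then
    echo "TGT present for EXAMPLE.REALM"
fi
if ! printf '%s\n' "$EMPTY_KLIST" | check_tgt EXAMPLE.REALM; then
    echo "no TGT found; run kinit first"
fi
```

The realm is passed explicitly rather than taken from the cache, so a ticket from a different realm (for example a stale cache from another site) does not count as success.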

2) Configure LDAP for Authorization

Enable Directory Services with LDAP for Authorization

- Open /System/Library/CoreServices/Directory\
- Unlock, authenticate as the local admin.
- Select "LDAPv3" then the edit (Pencil) icon button.
- Click the "New …" button
- In the Server Name or IP Address field enter: ""
    - Encrypt using SSL:        NOT CHECKED (We will enable SSL manually in few steps)
    - Use for authentication:    NOT CHECKED
    - Use for contacts:        CHECKED
- Select the "Continue" button and NOT the Manual button! Selecting the "Continue" button appears to force the OS to do additional inspection of the LDAP server, and may help the Users & Groups preference pane recognize that network user logins are enabled.

- On the "" line, change the LDAP Mappings pop-up menu to "Custom", which will display a new window to configure the Search and Mappings.

- CRITICAL: Select the Connection tab and change these settings:

  • Check (enable) the Encrypt using SSL option
  • Change the Use custom port to 636

- Select the "Search & Mappings" tab, if it's not already the active tab.

  • Click the "Add..." button under the left window, Record Types and Attributes.
  • Click the 'Record Types' radio button
  • Scroll down and select (click) 'Users'
  • Click the 'OK' button to add this Attribute Type
  • Select (click) the 'Users' record type you just added
  • Click the 'Add...' button that is located under the right pane (Map to 'any' items in list)
    • In the box that appears, type 'inetOrgPerson' (without the quotes).   Clicking outside of the text area sets the value.
  • Set the Search base for the 'Users' record type:
    • Search base: dc=psu,dc=edu
    • Search In: all subtrees
  • Next, add the required LDAP attributes to the 'Users' Record.
    • Click the 'Add...' button under the left pane (Record Types and Attributes)
      • Click the 'Attribute Types' radio button,
        • Scroll down and select the following attributes (command-click to select multiple):
          • AuthenticationAuthority
          • GeneratedUID
          • NFSHomeDirectory
          • PrimaryGroupID
          • RealName
          • RecordName
          • UniqueID
          • UserShell
          • Set the values of the attributes just added (in the left pane) as follows. All values are CASE SENSITIVE in 10.8, which does not follow the LDAP spec and is considered a bug that Apple needs to fix:

            NOTE: To give every user a unique home folder, set the NFSHomeDirectory value to #/Users/$uid$

            Record Attribute    Value

    • Click "OK" to commit the changes for the LDAP config.
    • Click "OK" to save all changes.

Add to the Search Path:

    - Click "Search Policy"
    - Set the "Search:" drop-down menu to "Custom path"
    - Click the "+" Button
    - Select "/LDAPV3/" and click the "Add" button.
    - Click the "Apply" button.
    - Quit out of Directory Utility.

Enable logins for Network Users at the LoginWindow:

    - Apple Menu -> System Preferences
    - Users & Groups Pref Pane
    - Unlock the Pad Lock and Authenticate as local admin
    - Click "Login Options"
    - Turn OFF Automatic Login
    - Set "Display login window as" to "Name and password"
        - This setting can also be configured with a command. Run the following line in the terminal to set the loginwindow to show username and password fields:

    - Enable "Allow network users to log in at login window",
        - Click "Options…" and set "All Network users", Click DONE.
    - Network Account Server: The server should be listed and showing a green "gum drop" icon.

Confirm that you can identify LDAP users:

Use the "id <userID>" command in the terminal. It should return the user's uid number and groups:

3) Enable Kerberos tickets at login

Applying the configuration changes below will enable the OS to automatically obtain a Kerberos TGT for the logged-in user. This is quite handy when you want the user to be able to mount servers that are "kerberized".

First make a backup copy of /etc/pam.d/authorization, then edit the file and add two additional lines to the top:

Insert these two additional lines:

Use a text editor like 'vi' or 'emacs', use a GUI editor like TextWrangler, BBEdit, or TextMate, or use this terminal command:

Check that /etc/pam.d/authorization looks like the following example:
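Because a mistake in a pam.d file can lock every user out, the backup and the edit are worth doing in one careful step. The following is an added example, not a command from the original page: prepend_pam_lines takes the path of a pam.d file and the lines to insert, writes a timestamped backup next to the file, and prepends only those lines that are not already present, so running it twice does not duplicate them. The two directive lines are whatever this page's "Insert these two additional lines" step specifies; the module names used in the demo are placeholders, and the demo works on a temporary file rather than /etc/pam.d/authorization.

```shell
#!/bin/sh
# Added example: back up a pam.d file and insert lines at its top idempotently.
# Usage (as root, with the real directive lines from the page):
#   prepend_pam_lines /etc/pam.d/authorization "first line" "second line"

prepend_pam_lines() {
    file="$1"
    shift
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Collect only the lines that are not already in the file (exact match).
    header=""
    for line in "$@"; do
        if ! grep -qxF -- "$line" "$file"; then
            header="${header}${line}
"
        fi
    done

    # Every requested line is already present: leave the file untouched.
    [ -n "$header" ] || return 0

    # Timestamped backup beside the original, mode and owner preserved (-p).
    cp -p "$file" "$file.bak.$(date +%Y%m%d-%H%M%S)" || return 2

    # Assemble new header + original content in a temp file, then write it
    # back over the original so the file keeps its mode and ownership.
    tmp="$(mktemp "${file}.XXXXXX")" || return 2
    printf '%s' "$header" > "$tmp"
    cat "$file" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

demo() {
    f="$(mktemp)"
    # Constructed stand-in for /etc/pam.d/authorization; pam_placeholder.so is
    # not a real module name.
    printf '# authorization: auth account\nauth       optional       pam_placeholder.so\n' > "$f"
    prepend_pam_lines "$f" "auth placeholder_line_1" "auth placeholder_line_2"
    # Second run: nothing to add, no duplicate lines, no extra backup.
    prepend_pam_lines "$f" "auth placeholder_line_1" "auth placeholder_line_2"
    echo "--- resulting file ---"
    cat "$f"
    rm -f "$f" "$f".bak.*
}

demo
```

After editing the real file, keep an existing authenticated session open in another terminal until a fresh login has been confirmed to work, so the backup can be restored if the new lines break authorization.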

4) Test Logins

Restart, log in with your Penn State Access ID, open Terminal and verify that you have a ticket with "klist". Open System Preferences and "Accounts" to verify that you are a network user.

If you have some users that can log in and others that can't, it's possible that they are not yet listed in LDAP, OR their LDAP attributes might be missing or have the wrong case. To check for a userid, do the following from the command line (

If any of the attributes do NOT appear, then there might be an issue with the user's LDAP record, with either missing attributes or attributes whose letter case does not match.
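Since the attribute names are case sensitive on this OS version, a check that compares them exactly catches the wrong-case failure mode that "eyeballing" the record can miss. The following is an added example, not part of the original page: check_record reads a directory record on stdin in the "Key: value" form that "dscl . -read /Users/<userID>" prints and reports each of the eight required attributes from the Users mapping that is missing or present only with different letter case. The two records below are constructed test data (the realm EXAMPLE.REALM, the uids and the GUIDs are placeholders), and the assumption that dscl output is one "Key: value" pair per line holds for single-line values only.

```shell
#!/bin/sh
# Added example: verify that a user record carries every attribute the Users
# mapping requires, matching attribute names case-sensitively.
# Live use:  dscl . -read /Users/<userID> | check_record

REQUIRED_ATTRS="AuthenticationAuthority GeneratedUID NFSHomeDirectory PrimaryGroupID RealName RecordName UniqueID UserShell"

# check_record reads one record on stdin, prints each required attribute that
# is missing or has non-matching case, and returns 0 only if all are present.
check_record() {
    record="$(cat)"
    missing=0
    for attr in $REQUIRED_ATTRS; do
        if ! printf '%s\n' "$record" | grep -q "^${attr}:"; then
            # Distinguish a wrong-case key from one that is absent entirely.
            if printf '%s\n' "$record" | grep -qi "^${attr}:"; then
                echo "$attr: present but with non-matching case"
            else
                echo "$attr: missing"
            fi
            missing=1
        fi
    done
    return $missing
}

# Constructed record with every required attribute present.
GOOD_RECORD='AuthenticationAuthority: ;Kerberosv5;;user@EXAMPLE.REALM;EXAMPLE.REALM;
GeneratedUID: 00000000-0000-0000-0000-000000000000
NFSHomeDirectory: /Users/user
PrimaryGroupID: 20
RealName: Example User
RecordName: user
UniqueID: 50001
UserShell: /bin/bash'

# Constructed record where the home directory key has the wrong case and the
# shell attribute is absent: the two problems the troubleshooting note names.
BAD_RECORD='AuthenticationAuthority: ;Kerberosv5;;user2@EXAMPLE.REALM;EXAMPLE.REALM;
GeneratedUID: 00000000-0000-0000-0000-000000000001
nfshomedirectory: /Users/user2
PrimaryGroupID: 20
RealName: Example User Two
RecordName: user2
UniqueID: 50002'

# Offline demonstration against the constructed records.
printf '%s\n' "$GOOD_RECORD" | check_record && echo "good record: complete"
printf '%s\n' "$BAD_RECORD" | check_record || echo "bad record: needs fixing"
```

A user that "id <userID>" resolves but that still cannot log in is the case to run this against; a wrong-case key shows up as a separate finding so the fix (correcting the record in LDAP rather than adding a duplicate attribute) is clear.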

5) Additional System Changes

LoginWindow StartupDelay

To help keep the loginwindow from showing the server status as red, you can use this command to tell it to wait until DNS is ready before starting. Doing this helps keep the "red dot of despair" from appearing after boot.

Screen Saver Authentication

If you plan on using a screen saver with Kerberos users, you will need to edit the /etc/pam.d/screensaver file to allow Kerberos users to dismiss it. Without this change, Kerberos users could be locked out of their machine when the screen saver starts.
