Using MacOS Server like LDAP

We have many iMacs in our school laboratory and there are hundreds of students.

I want to provide login credentials (username, password) so that students will be able to connect from any computer at any time.


Is it technically possible to provide this functionality with MacOS Server?

Thank you.


Posted on Feb 1, 2020 11:14 AM

Question marked as Top-ranking reply

Posted on Feb 1, 2020 8:06 PM

Yes. It is possible through the use of Open Directory. This is available through Apple's Server.app, which can be purchased via the App Store. The setup is relatively easy as you create your users and groups in Open Directory. Then you bind your Mac workstations to the domain and ensure that mobility settings are enabled.


However, you might want to rethink this approach. Do you already have Active Directory in your district? If so, you should use that as your centralized directory system and bind the Macs to AD to allow all users to log in to any device.


Please note, at this time, network home folders are not encouraged. First, there is a lot of infrastructure that is needed and second, most apps do not properly support the feature any more. This will mean that data will not "follow" the student. For example, Johnny Student logs in to iMac003 in Math. This will create a home folder on iMac003. Data that Johnny creates will only be on that iMac. When Johnny moves to English in the afternoon and jumps on another iMac, then he creates another home folder and the data he creates on that machine is only on that machine. You would need to utilize Google Classroom or O365 to use centralized storage to prevent the distributed creation of content (or a local file server).


But yes, it is technically possible.


Reid

10 replies

Feb 2, 2020 3:20 AM in response to tolga130

My guess here is that you are not setting the mobility payload on your Macs. Are the Macs under any type of management system that supports profiles? If so, you want to issue the mobility payload and set the devices to use mobile homes.


To test if your bind to OpenLDAP is working beyond that, you might be able to issue the createmobileaccount command as a one-off to prep a mobile home.


Take this example. You have a user created in OpenLDAP named tolga and the user has a home folder attribute of /Users/tolga. On a Mac bound to the domain, try the following:


sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -vn tolga


Test logging in as the user from the login window.


If this limited test works, then you can look to create a profile to set mobility on all the Macs. In Jamf, the payload looks like this:




If you do not have an MDM for the Macs, you can use Apple Configurator or Profile Manager to create a profile and install it manually.


Reid

Feb 3, 2020 6:54 AM in response to tolga130

Logging in at the login window using network i.e. LDAP credentials has in the past been possible in three slightly different ways.


  1. Portable Home Directory
  2. Mobile Account
  3. Network login with network home directory


Option 1 - Portable Home Directory has been discontinued by Apple for several years. Conspiracy theorists believe this was discontinued because Apple could never get PHD syncing to work reliably.


Option 2 - Mobile Account is what Strontium90 is suggesting and mostly still works. The sole problem is that if you are using OpenLDAP or FreeIPA or really anything other than either Open Directory or Active Directory you will hit a Catch-22 problem. If the account has been set to immediately require the user to change their password during login you get caught in a trap because a) at the point this happens you are not yet logged in and hence do not have a Kerberos ticket and b) OpenLDAP and FreeIPA do not support Apple's Password Server module which might otherwise get round this. It should work reasonably well with Active Directory and no problems with Open Directory.


Note: With a Mobile Account the user name on the local client Mac is identical to what is in the LDAP directory and the password is also kept in sync. However the home directory is only on the local client Mac.


Option 3 - Network Login with Network Home Directory. This has year by year been getting more and more impossible due to Apple changes. It is not even clear if it is possible at all in Catalina even ignoring all the previous many major issues. Basically, do not even bother to try this.

Feb 6, 2020 3:59 AM in response to tolga130

@tolga130

Apple have removed so many functions from Server.app that it is not clear whether this is possible anymore.


However try opening Server.app, going to users, selecting a user account you are using with a Network Login and Network Home Directory. Then see if the dialog looks anything like the first picture in the following thread.


OS X Server 5.X - limit home folder users… - Apple Community


You might want to try this on a temporary test account and then using Directory Utility to 'explore' that account to see the raw LDAP information.

Feb 2, 2020 1:15 AM in response to Strontium90

Thank you.


I also tried to run openldap on one of them. I can successfully search the ldap directory from other computers, no problem.


Other computers recognize the openldap server with no problem


But I still can't login from the login screen. I couldn't resolve the exact reason. I guess Catalina has a problem with OpenLDAP

Might this be because I don't use SSL?

