How to access an LDAP user account when disconnected from the work network

Re: LDAP cannot access without network connection


I wanted to add clarity to the steps provided by @paolof.


  1. "Users & Groups" preferences
  2. "Login Options"
  3. "Network Account Server" -> Edit -> add my server
  4. open "Directory Utility" -> "LDAPv3" -> set "Search & Mappings" with the correct "search base" and into "Security" add username and password


Then I go to the login window, enter the LDAP username and password, and the authentication works.

  1. As the LDAP user, go into "Users & Groups"
  2. "Mobile account" -> select "Create...", after which the system reboots.
  3. After the reboot I enter the same LDAP username and password and it works again.


VAGUE:

I switch off the Wi-Fi connection and reboot the system. At the login window I get a message that the LDAP system won't work because I'm off the network. I try anyway to enter the LDAP username and password, but access is denied.

CLARITY:

  1. Log off as the LDAP user (which allows the LDAP user account to sync)
  2. Log in with a local admin account
  3. Turn off the Wi-Fi
  4. Log off the local admin account
  5. Log in with the LDAP username and password, which should work successfully.

Tested with macOS Sierra, High Sierra and Mojave on iMac, MacBook Pro and MacBook Air

MacBook Pro, macOS Mojave (10.14.1)

Posted on Nov 19, 2018 12:23 PM


1 reply

Nov 27, 2018 3:16 AM in response to mm-tech

As far as I can tell from the steps you describe, you appear to have successfully linked a client Mac to an LDAP server, and this is proven by your being able to successfully log in to the Mac using LDAP account credentials.


However, I see nothing listed in your post that shows you have told the client Mac it should create a mobile account on the client Mac when you do an LDAP login. This is an extra step. Historically this was done by adding the computer to a managed group list in Workgroup Manager; this uses an approach called MCX for managed preferences. These days a similar but different method is to enroll the client Mac into an MDM system, and the MDM system would then push out a profile containing the equivalent setting. This setting tells the client Mac to create a matching local account which will be synced in terms of username and password to the LDAP account. (It does not sync the user's home directory.)


Here is what the relevant setting looks like in Apple's Profile Manager. (It is under the heading of Mobility.)


[Screenshot of the Mobility setting in Profile Manager; image not reproduced]


Without the client Mac having created a matching local account, i.e. a mobile account, there is no account available to log in to when you are not connected to the LDAP server.


It would be helpful to know which LDAP server you are using.
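The GUI steps in the original post (bind to the Network Account Server, create the mobile account, then test with Wi-Fi off) and the point made in the reply (a local, cached copy of the account must exist before offline login can succeed) both have command-line equivalents. The script below is an added example, not code from either poster; the server name ldap.example.com, the user jdoe and the interface en0 are placeholder assumptions, and the two sample `dscl` records used by the parser are constructed for illustration. The useful part for troubleshooting is `is_mobile_account_record`, which lets you confirm a cached account is really present before you disconnect from the network:

```shell
#!/bin/sh
# Added example for the thread above; not part of either post.
# Placeholders (assumptions): LDAP_SERVER, LDAP_USER, WIFI_IF.
LDAP_SERVER="${LDAP_SERVER:-ldap.example.com}"
LDAP_USER="${LDAP_USER:-jdoe}"
WIFI_IF="${WIFI_IF:-en0}"

# Equivalent of "Network Account Server -> Edit -> add my server":
# bind the Mac to an LDAPv3 node. Search base and attribute mappings
# still have to be set (Directory Utility, or a template the server
# matches) before logins will resolve. Run as a local admin.
bind_ldap() {
    sudo dsconfigldap -v -a "$LDAP_SERVER" -n "$LDAP_SERVER"
}

# Equivalent of "Mobile account -> Create..." from the CLI. The tool ships
# inside ManagedClient.app; -n names the directory user, -P prompts for
# that user's password so the cached credential can be written.
create_mobile_account() {
    sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount \
        -v -n "$LDAP_USER" -P
}

# Equivalent of "Turn off the Wi-Fi" before the offline login test.
go_offline() {
    sudo networksetup -setairportpower "$WIFI_IF" off
}

# Given the text of a local user record (the two attributes that matter),
# return 0 if it is a cached LDAP account: OriginalNodeName must point at
# the LDAPv3 node and the record must carry a ;LocalCachedUser; authority.
# A plain local account has neither and will not satisfy an offline login
# with the directory credentials.
is_mobile_account_record() {
    record="$1"
    printf '%s\n' "$record" | grep -q '^OriginalNodeName: /LDAPv3/' || return 1
    printf '%s\n' "$record" | grep -q 'AuthenticationAuthority:.*;LocalCachedUser;' || return 1
    return 0
}

# Live check against the local directory node (macOS only). Reading only
# the two attributes avoids dumping the whole record.
check_mobile_account() {
    rec=$(dscl . -read "/Users/$LDAP_USER" OriginalNodeName AuthenticationAuthority 2>/dev/null) || {
        echo "no local record for $LDAP_USER: no mobile account, offline login will fail"
        return 1
    }
    if is_mobile_account_record "$rec"; then
        echo "$LDAP_USER has a cached mobile account; offline login should work"
        return 0
    fi
    echo "$LDAP_USER exists locally but is not a cached LDAP account"
    return 1
}

# Constructed sample records (not captured from a real machine) so the
# parser can be exercised without a directory server.
SAMPLE_MOBILE='OriginalNodeName: /LDAPv3/ldap.example.com
AuthenticationAuthority: ;LocalCachedUser;/LDAPv3/ldap.example.com:jdoe:0A1B2C ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_LOCAL='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;localadmin@LKDC:SHA1.ABC;LKDC:SHA1.ABC'

# Usage on a bound Mac: check_mobile_account
# Usage offline: is_mobile_account_record "$SAMPLE_MOBILE" && echo cached
```

The `;LocalCachedUser;` authority is what the reply means by an account "synced in terms of username and password": macOS keeps a local password hash for the directory user so the login window can verify the credential without reaching the LDAP server. If `check_mobile_account` reports no local record, the GUI "Create..." step did not complete (or the account was created on a different node), and the offline login will fail exactly as the original post describes.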
