Google LDAP Deployment directions Instructions

These instructions follow a Series of Guides by Google on LDAP. The article demonstrates many types of Systems Including PaperCut-MF . The instructions Below are part of the macOS Deployment article Deployment phase which comes after the Preparation Phase  which was completed on a CCA Device beforehand. 

This Deployment phase instructs as follows:

System requirements

• The macOS must be Catalina Version 10.15.4 or later.
• A Google super admin user ID is required to complete step 1 in the preparation phase. (already completed)
• You need local admin permissions to perform this configuration.

1. Copy Files

Copy the Mac Profile file GOOGLE_LDAP_PROFILE2 (1).mobileconfig,  and the XML config ldap.google.com.plist file generated, and the python script ldaps_macos_script.py to the /tmp/ directory on the macOS device.

Files attached in this Document or this Link

2. Install Mobile Profile

This step involves installing the mobile profile, which is crucial for integrating with the Secure LDAP server.

GOOGLE_LDAP_PROFILE2 (1).mobileconfig

3. Install Python 3

Download and install Python 3 from the official Python website.

https://www.python.org/ftp/python/3.13.5/python-3.13.5-macos11.pkg

4. Install Dependencies

Once Python 3 is installed, open a terminal and run the following command to install the required pyobjc-framework-opendirectory dependency:

python3 -m pip install pyobjc-framework-opendirectory

5. Execute Python Script

Run the Python script to configure the Secure LDAP settings:

sudo python3 /tmp/ldaps_macos_script.py /tmp/ldap.google.com.plist

6. Restart your Machine

Restart the macOS machine

7. Connect to Secure LDAP and Create Mobile Account

After the script executes, run the following command to connect to the Secure LDAP server and set up a home path and mobile account(s):

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n $uid -v

Tip: Replace $uid with the username part of the email address associated with the user’s Google account. For example, jsmith is the username part for jsmith@solarmora.com.

When prompted for the SecureToken admin user name, enter your admin username, and enter your password in the next prompt. This will add $uid into the FileVault. This is needed if the macOS disk is encrypted. 

 (Optional) Set the login screen preference

1. Go to System preferences > Users & Groups > Login Options at the bottom left.
2. Unlock the lock by providing admin credentials.
3. Change the Display login window as to Name and password.

8. Limitations and guidelines

• For users signing in to macOS using their Google credentials, their Workspace account username must be different from their macOS user profile user ID, or sign-in is blocked.
  
  
• Once a user starts signing in to macOS using Google credentials, user password management (reset or recovery) must happen on the Google website (for example, at myaccount.google.com or in the Google Admin console). If you choose to do password management using a third-party solution, then make sure the latest password is synchronized with Google.
  
  
• If the admin creates a new user or resets an existing user’s password with the Ask for a password change at the next sign-in setting turned on, the user cannot sign in to Mac using the temporary password set by the admin. 
  Workaround: The user needs to sign in to Google using another device (for example, their mobile device or other desktop device), set a permanent password, and then sign in to macOS using the new password. 
  
  
• The Mac must be connected to a working internet connection so that ldap.google.com is reachable during the first sign-in after the above configuration.  Any subsequent sign-ins won't need Internet access as long as you opted to set up a mobile account.
  
  
• Google Secure LDAP integration with macOS is tested on macOS Catalina, Big Sur, and Monterey.