Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Connecting Mac to Google LDAP

guzhogi

guzhogi

macrumors 68040
Original poster
Aug 31, 2003
3,772
1,891
Wherever my feet take me…
Hi everyone, I'm taking an online course to better familiarize myself with Google G Suite administration. I'm at the point where the class teaches about Googles Identity Provider and LDAP services. I was wondering if & how to set it up so I can use my Google login as my Mac login. The online class pointed to this: https://support.google.com/a/answer/9089736?hl=en I have my own Google domain, did the steps to turn on LDAP in Google, create & install the certificate. When I go to System Preferences -> Users & Groups -> Login Options, the Google LDAP server isn't listed. I'm running macOS Catalina 10.15.4.
 
chrfr

chrfr

macrumors G5
Jul 11, 2009
13,707
7,277
guzhogi said:
Hi everyone, I'm taking an online course to better familiarize myself with Google G Suite administration. I'm at the point where the class teaches about Googles Identity Provider and LDAP services. I was wondering if & how to set it up so I can use my Google login as my Mac login. The online class pointed to this: https://support.google.com/a/answer/9089736?hl=en I have my own Google domain, did the steps to turn on LDAP in Google, create & install the certificate. When I go to System Preferences -> Users & Groups -> Login Options, the Google LDAP server isn't listed. I'm running macOS Catalina 10.15.4.
Click to expand...
You won't see the server name listed there; did you type it in? Also, I'm not sure that Google allows for this without extra software being installed on the Mac, but I've never tried it.

About the Secure LDAP service - Google Workspace Admin Help

Supported editions for this feature: Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Edu
support.google.com
 
guzhogi

guzhogi

macrumors 68040
Original poster
Aug 31, 2003
3,772
1,891
Wherever my feet take me…
chrfr said:
You won't see the server name listed there; did you type it in? Also, I'm not sure that Google allows for this without extra software being installed on the Mac, but I've never tried it.

About the Secure LDAP service - Google Workspace Admin Help

Supported editions for this feature: Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Edu
support.google.com
Click to expand...
Yeah, it looks like it was built for ldap apps, not direct connections. Just thought I'd ask.
 
DJLC

DJLC

macrumors 6502a
Jul 17, 2005
959
404
North Carolina
This was a topic of intense interest for me in my former job (I got a new one back in February, so my info isn't TOO outdated). You are correct you can't bind a Mac directly to GSuite's LDAP service; it's meant for apps, not a device.

I only found two answers to this:
  1. A super expensive cloud directory that could link up to GSuite and allow Macs to "bind." I wanna say it's called JumpCloud. Essentially JumpCloud becomes your LDAP directory but leans on GSuite as the IdP.
  2. The Mosyle Manager MDM has a beta feature that allows this. I ended up going this direction because it was 1000x more cost effective. This actually replaces the stock macOS loginwindow with a Google authentication screen. When a user successfully authenticates with their GSuite account, it matches it up to a local macOS user or creates one on-the-fly if the user doesn't already exist locally. Super slick. LOVED it a lot. I think this feature is priced around $2 / device / year on top of the cost for the MDM.

EDIT: Found the thread where several members and I discussed this in the recent past: https://forums.macrumors.com/thread...older-aka-mobile-account-share-point.2172876/
 
Last edited:
guzhogi

guzhogi

macrumors 68040
Original poster
Aug 31, 2003
3,772
1,891
Wherever my feet take me…
DJLC said:
This was a topic of intense interest for me in my former job (I got a new one back in February, so my info isn't TOO outdated). You are correct you can't bind a Mac directly to GSuite's LDAP service; it's meant for apps, not a device.

I only found two answers to this:
  1. A super expensive cloud directory that could link up to GSuite and allow Macs to "bind." I wanna say it's called JumpCloud. Essentially JumpCloud becomes your LDAP directory but leans on GSuite as the IdP.
  2. The Mosyle Manager MDM has a beta feature that allows this. I ended up going this direction because it was 1000x more cost effective. This actually replaces the stock macOS loginwindow with a Google authentication screen. When a user successfully authenticates with their GSuite account, it matches it up to a local macOS user or creates one on-the-fly if the user doesn't already exist locally. Super slick. LOVED it a lot. I think this feature is priced around $2 / device / year on top of the cost for the MDM.

EDIT: Found the thread where several members and I discussed this in the recent past: https://forums.macrumors.com/thread...older-aka-mobile-account-share-point.2172876/
Click to expand...
I was hoping for a more direct connection, but I'm not surprised. My current job use Jamf Connect. Just thought "Why bother paying $2 / device /year on top of G Suite, if I could use Google directly?" This is especially the case when my job has what seems like dozens of different 3rd party systems, many of which don't sync their user accounts. Many do use Google, but many don't. Just trying to remember all my passwords is a nightmare.
 
Brandon White

Brandon White

macrumors newbie
May 6, 2020
1
2
Boulder, CO
Hey, Brandon with JumpCloud here (not in any sales capacity) — DJLC is right to mention us above, as this sounds like a great use case for JumpCloud. We integrate our cloud-based LDAP directory with G Suite, then run a very lightweight agent on the Mac/Linux/Windows systems, to bind those systems to our LDAP. Pricing is flexible, with steep discounts for EDU, and you can test us for free — your first 10 users are free forever.
 
  • Like
Reactions: hobowankenobi and DJLC
guzhogi

guzhogi

macrumors 68040
Original poster
Aug 31, 2003
3,772
1,891
Wherever my feet take me…
Brandon White said:
Hey, Brandon with JumpCloud here (not in any sales capacity) — DJLC is right to mention us above, as this sounds like a great use case for JumpCloud. We integrate our cloud-based LDAP directory with G Suite, then run a very lightweight agent on the Mac/Linux/Windows systems, to bind those systems to our LDAP. Pricing is flexible, with steep discounts for EDU, and you can test us for free — your first 10 users are free forever.
Click to expand...
Thanks, but at this stage, I'm just running a trial G Suite account so I can train for the certification exam. Like I said in my previous post, my current job use JAMF Connect. If that should change, I'll mention JumpCloud.
 
  • Like
Reactions: hobowankenobi
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom