NoMAD Login AD
Hi everyone! You have found your way to the repo for NoMAD Login AD, or NoLoAD for short. This project can be seen as a companion to our other AD authentication product for macOS, NoMAD. You can use either one independently of the other, and both contain all the bits and pieces you need to talk to AD.
NoLoAD is a replacement login window for macOS 10.12 and higher. It allows you to login to a Mac using Active Directory accounts, without the need to bind the Mac to AD and suffer all the foibles that brings.
About this release
The current production version of NoLoAD is 1.3.0.
For those of you that are new to NoLo, the basic features are:
- You can login to a Mac using AD without being bound
- Just-in-time user provisioning to create a local account
- "Demobilization" of previously cached AD accounts
- Local accounts can always login
- Ability to enable FileVault on APFS without a logout
- Choose between a macOS-style loginscreen, or the older loginwindow types
- Customize the login screen with your own art and background
- Display an EULA for users to accept on login
- Create a keychain item for NoMAD
What's new in 1.3.0
New preference keys:
- `BackgroundImageAlpha` an Integer from 0-10 which determines the alpha value for the background image in 10% increments, i.e. a value of `3` would be a 30% alpha. This was broken before and is now fixed.
- `DenyLocal` Boolean that determines if local user accounts are allowed to sign in, or if all auth is forced through AD.
- `DenyLocalExcluded` Array of strings of user shortnames that will be allowed to authenticate locally instead of via AD.
- `DenyLoginUnlessGroupMember` Array of strings of AD group names. When an AD user is authenticating, only allow login if the user is a member of one of these groups.
- `EnableFDERecoveryKeyPath` String of a folder path where the recovery key will be stored. NoLo will create this folder if it does not already exist.
- `EnableFDERekey` Boolean that determines if the FileVault personal recovery key should be rotated when a valid FileVault user signs in.
- `LDAPServers` Array of strings of LDAP servers that you would like to use for AD authentication instead of using SRV record lookup.
- `LoginLogoAlpha` an Integer from 0-10 which determines the alpha value for the logo image in 10% increments, i.e. a value of `3` would be a 30% alpha. This was broken before and is now fixed.
- `LoginLogoData` is working again.
- `NotifyLogStyle` Takes a string naming the log style, or `none`, and will add the appropriate log file to the Notify mechanism.
- `ScriptPath` Path to a script for the RunScript mechanism to run.
- `ScriptArgs` Array of strings of arguments to give the script being run by the RunScript mechanism. The following placeholders are replaced before the script runs:
  - `<<User>>` will be replaced with the current user's shortname,
  - `<<First>>` with the current user's first name,
  - `<<Last>>` with the current user's last name,
  - `<<Principal>>` with the current user's Kerberos principal.
- `UseCNForFullName` Use the user's cn from AD instead of attempting to create the user name from the first and last name attributes of the user's AD record.
- `UsernameFieldPlaceholder` text to place into the user field in the loginwindow to give a hint as to what to enter.
- `UserInputOutputPath` string determining the path where the `userinfo.plist` will be written.
- `UserInputUI` a rather complicated dictionary that contains the settings for up to 4 text fields and 4 pop up buttons that will be shown during the UserInput mechanism. Look in the ConfigSamples folder in the source for an example of this configuration profile.
- `UserInputLogo` path to a logo file to use for the UserInput mechanism.
- `UserInputTitle` string for the UserInput mechanism title.
- `UserInputMainText` string for the UserInput text.
New mechanisms:
- `NoMADLoginAD:RunScript` will run a script of your choosing as set by the preferences. This is typically marked as `privileged` to allow the script to run as root. Because the script runs as root before any user is logged in, keep the script and its parent directories owned by root and not writable by other users, otherwise anyone who can edit it gets root at the next login.
- `NoMADLoginAD:Notify` runs the Notify screen. See the DEPNotify project for more information.
- `NoMADLoginAD:UserInput` displays up to 4 text fields and 4 pull down menus to allow the user to enter information during the login process.
Other changes:
- The Demobilize mechanism will work with mobile accounts from other services than just Apple's AD plugin.
- The Demobilize and Notify mechanisms can be used without the NoMAD Login login window UI.
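The policy keys above interact in ways that are easy to get wrong in a profile (for example, `DenyLocal` with no `DenyLocalExcluded` entry leaves no local break-glass account). The following is an added example, not NoMAD Login AD's own Swift code: a small Python model of the documented `DenyLocal`, `DenyLocalExcluded` and `DenyLoginUnlessGroupMember` semantics plus the `ScriptArgs` placeholder substitution, so a profile can be dry-run against a few test users before it is pushed out. It assumes exact string matching for shortnames and group names and treats an empty `DenyLoginUnlessGroupMember` as "no group restriction"; the project may differ on both points. All sample users, hostnames and paths are constructed.

```python
"""Model of the login-policy keys and ScriptArgs placeholders described above.

Added example, not NoMAD Login AD's own (Swift) code.  Assumptions: shortname
and group comparisons are exact string matches, and an empty
DenyLoginUnlessGroupMember list means "no group restriction".
"""
from dataclasses import dataclass


@dataclass
class User:
    shortname: str
    first: str
    last: str
    principal: str          # Kerberos principal, e.g. user@REALM (constructed)
    is_local: bool          # True: existing local account; False: AD account
    groups: tuple = ()      # AD group memberships (empty for local accounts)


def login_allowed(prefs: dict, user: User) -> tuple:
    """Return (allowed, reason) for one login attempt under these prefs."""
    if user.is_local:
        if not prefs.get("DenyLocal", False):
            return True, "local account and DenyLocal is not set"
        if user.shortname in prefs.get("DenyLocalExcluded", []):
            return True, "local account listed in DenyLocalExcluded"
        return False, "DenyLocal forces authentication through AD"
    required = prefs.get("DenyLoginUnlessGroupMember", [])
    if not required:
        return True, "AD account and no group restriction configured"
    hits = [g for g in user.groups if g in required]
    if hits:
        return True, "AD account is a member of required group " + hits[0]
    return False, "AD account is not in any DenyLoginUnlessGroupMember group"


def expand_script_args(args: list, user: User) -> list:
    """Substitute the documented placeholders in each ScriptArgs entry.

    Each entry stays a separate argv element, so a user attribute containing
    spaces or shell metacharacters is passed through verbatim, not re-parsed.
    """
    mapping = {
        "<<User>>": user.shortname,
        "<<First>>": user.first,
        "<<Last>>": user.last,
        "<<Principal>>": user.principal,
    }
    expanded = []
    for arg in args:
        for placeholder, value in mapping.items():
            arg = arg.replace(placeholder, value)
        expanded.append(arg)
    return expanded


def check_prefs(prefs: dict) -> list:
    """Flag values outside the documented range or that invite a lock-out."""
    problems = []
    for key in ("BackgroundImageAlpha", "LoginLogoAlpha"):
        value = prefs.get(key)
        if value is not None and not (isinstance(value, int) and 0 <= value <= 10):
            problems.append(key + " must be an integer from 0 to 10")
    if prefs.get("DenyLocal") and not prefs.get("DenyLocalExcluded"):
        problems.append("DenyLocal is set with no DenyLocalExcluded break-glass account")
    return problems


# Constructed sample profile values (hosts, script path and groups are made up).
SAMPLE_PREFS = {
    "DenyLocal": True,
    "DenyLocalExcluded": ["ladmin"],
    "DenyLoginUnlessGroupMember": ["Mac Users", "Domain Admins"],
    "LDAPServers": ["dc1.example.com", "dc2.example.com"],
    "ScriptPath": "/usr/local/bin/post-login.sh",
    "ScriptArgs": ["--user", "<<User>>", "--name", "<<First>> <<Last>>",
                   "--principal", "<<Principal>>"],
    "BackgroundImageAlpha": 3,
}

if __name__ == "__main__":
    print("profile problems:", check_prefs(SAMPLE_PREFS) or "none")
    for u in (
        User("jappleseed", "Johnny", "Appleseed", "jappleseed@EXAMPLE.COM", False, ("Mac Users",)),
        User("contractor", "Con", "Tractor", "contractor@EXAMPLE.COM", False, ("Staff",)),
        User("ladmin", "Local", "Admin", "", True),
        User("guest", "Just", "Visiting", "", True),
    ):
        print(u.shortname, login_allowed(SAMPLE_PREFS, u))
    print(expand_script_args(SAMPLE_PREFS["ScriptArgs"], User(
        "jappleseed", "Johnny", "Appleseed", "jappleseed@EXAMPLE.COM", False)))
```

Run it as-is to see the four decisions for the sample profile; swap in your own prefs dictionary (the same keys you would put in the profile) and the users you care about. The `check_prefs` warning about a missing `DenyLocalExcluded` entry is the one worth heeding: with `DenyLocal` on and no excluded local account, losing the domain means losing the login window.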
Please file any issues, or requested features, in the project issue tracker.
How to get started
Getting started with NoLoAD is easy, but currently it takes a few steps. It's also easy to revert to the Apple login window in case you run into any issues.
Installing is easy!
- Download NoMAD Login AD.
- Install the package. This will automatically update your authorization database using the `authchanger` tool included in the package.
Building from source:
Take a look in our Wiki to see how to get started with Carthage and Xcode.
Using NoMAD Login AD is easy. Just enter your AD username in `username@domain` format and your password. If the domain is visible on the network, NoMAD Login AD will discover the domain details and then authenticate your account. Once that is done it will create a local account that matches the AD one and complete the login. You can then use NoMAD as you normally would from the menu bar to keep the accounts synchronized.
Since the created account is a local one, you won't suffer any network delays when logging in or unlocking your Mac. From the login window, NoLoAD will simply defer to the regular local login process for any local accounts. At this point you could even just go back to the Apple Loginwindow, but where is the fun in that?
Enticing you to stay now is the ability to customize the login experience with your own logos and background images. More info, and a gallery of options, can be found in the wiki.
I want to get off this crazy ride!
When you decide that you've had enough it's easy to go back to the standard login window.
- Run `sudo authchanger -reset` to reload the default `system.login.console` mechanisms into the AuthorizationDB.
- If you've had to do this from an SSH session behind the NoLoAD login window you can simply run `sudo killall loginwindow` in order to restart the login window to the defaults.
Alternatively you can reset the authorization database by removing `/var/db/auth.db` from the machine and rebooting. This can be done in single user mode or while booted from the recovery partition and removing this file from the main partition. Note that this rebuilds every right in the database from Apple's defaults, not just `system.login.console`, so any other authorization customizations on the machine are lost as well.
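Whether you installed the package or just ran `authchanger -reset`, it is worth confirming what `system.login.console` actually contains before rebooting or walking away from an SSH session. The following is an added example, not part of the NoLoAD project: a Python script that parses the plist dumped by `security authorizationdb read system.login.console` and reports which `NoMADLoginAD:` mechanisms are wired in and which are marked `privileged`. It assumes that right is an XML plist whose `mechanisms` key is an ordered array of `plugin:mechanism[,privileged]` strings and that `security authorizationdb read` prints it on stdout. The two embedded rights are constructed, not captured from a real Mac, and the list of Apple mechanisms in them is shortened.

```python
"""Report which NoMAD Login AD mechanisms are wired into system.login.console.

Added example, not part of the NoLoAD project.  Assumption: the right is an
XML plist whose "mechanisms" key is an ordered array of
"plugin:mechanism[,privileged]" strings, as printed on stdout by
`security authorizationdb read system.login.console`.
"""
import plistlib
import subprocess

PLIST_HEAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>class</key><string>evaluate-mechanisms</string>
<key>mechanisms</key><array>
"""
PLIST_TAIL = b"</array></dict></plist>\n"


def _right(*mechanisms: str) -> bytes:
    """Build a minimal system.login.console plist for the given mechanism list."""
    body = b"".join(b"<string>%s</string>\n" % m.encode() for m in mechanisms)
    return PLIST_HEAD + body + PLIST_TAIL


# Constructed: a shortened stock list with NoLoAD's 1.3.0 mechanisms inserted.
SAMPLE_NOLO_RIGHT = _right(
    "builtin:policy-banner",
    "NoMADLoginAD:UserInput",
    "NoMADLoginAD:RunScript,privileged",
    "NoMADLoginAD:Notify",
    "loginwindow:done",
)
# Constructed: the same right after `authchanger -reset` put Apple's defaults back.
SAMPLE_RESET_RIGHT = _right("builtin:policy-banner", "loginwindow:login", "loginwindow:done")


def parse_mechanisms(plist_bytes: bytes) -> list:
    """Return [(plugin, mechanism, privileged), ...] in evaluation order."""
    right = plistlib.loads(plist_bytes)
    parsed = []
    for entry in right.get("mechanisms", []):
        name, _, flag = entry.partition(",")
        plugin, _, mechanism = name.partition(":")
        parsed.append((plugin, mechanism, flag == "privileged"))
    return parsed


def nolo_status(plist_bytes: bytes) -> dict:
    """Summarise the NoMADLoginAD entries found in the right."""
    mechs = parse_mechanisms(plist_bytes)
    nolo = [(m, priv) for plugin, m, priv in mechs if plugin == "NoMADLoginAD"]
    return {
        "installed": bool(nolo),
        "mechanisms": [m for m, _ in nolo],
        "privileged": [m for m, priv in nolo if priv],
        "total_mechanisms": len(mechs),
    }


def read_live_right() -> bytes:
    """Dump the live right on a Mac; needs the `security` tool, so macOS only."""
    return subprocess.run(
        ["security", "authorizationdb", "read", "system.login.console"],
        check=True, capture_output=True).stdout


if __name__ == "__main__":
    import sys
    data = read_live_right() if "--live" in sys.argv else SAMPLE_NOLO_RIGHT
    print("current right:", nolo_status(data))
    print("after reset:  ", nolo_status(SAMPLE_RESET_RIGHT))
```

Run it without arguments to see the two constructed states; on a Mac, `sudo python3 check_right.py --live` (a name chosen here for the script) reads the real right. An `installed` value of `False` with only Apple plugins listed is what you want to see after `authchanger -reset`, and the `privileged` list tells you which NoLoAD mechanisms, such as `RunScript`, will run as root.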