Mac OS X v10.6, OS X Lion: Unable to restrict logins to network groups

Symptoms

When editing the list of network users who are allowed to log in at the login window, a network group may not be added to the list.

Products Affected

Mac OS X 10.6, Lion Server, OS X Lion

Resolution

Append the network group's long name (the RealName attribute in Mac OS X Server and Lion Server) to the RecordName attribute. You must make this change for all network groups you would like to add to the list. Note: Make sure that you are appending another value to the RecordName attribute and not replacing or editing the existing value.

Directory Utility (Lion Server)

  1. Open the Users & Groups pane in System Preferences.
  2. If it is locked, click the lock icon to authenticate.
  3. Click the Login Options button.
  4. Next to Network Account Server, click the Edit button.
  5. Click the Open Directory Utility button to launch Directory Utility.
  6. Click Directory Editor in the top toolbar.
  7. From the "In node" pop-up menu, select /LDAPv3/127.0.0.1 if this is an Open Directory group.
  8. From the Viewing pop-up menu, select Groups.
  9. Click the lock to authenticate.
  10. Select the group you would like to edit in the left-hand column.
  11. Locate the RecordName attribute under the Name column. Click the RecordName attribute to select it.
  12. Click the plus button ("+") that appears on the far right to add a new value to this attribute.
  13. In the text field below, enter the long name for this record. The long name is the RealName attribute in Mac OS X Server.
  14. Click Save to save the changes.

The group you selected in step 10 can now be added to the list of network users allowed to log in.

Workgroup Manager (Mac OS X Server v10.6)

  1. In Workgroup Manager, choose Preferences from the Workgroup Manager menu.
  2. Click the checkbox to enable the "Show 'All Records' tab and inspector" option.
  3. Click OK to dismiss the Preferences window.
  4. Click the Inspector tab.
  5. Select Groups from the pop-up menu.
  6. Select the group you would like to edit in the left-hand column.
  7. Locate the RecordName attribute under the Name column. Click the RecordName attribute to select it.
  8. Click the New Value button to add a new value to this attribute.
  9. In the text field that appears, enter the long name for this record. The long name is the RealName attribute in Mac OS X Server.
  10. Click Save to save the changes.

The group you selected in step 6 can now be added to the list of network users allowed to log in.

Terminal (Lion Server or Mac OS X Server v10.6)

You can use the following terminal command to append a new value to a network group's RecordName attribute:

dscl -u diradmin -p /LDAPv3/127.0.0.1 -append /Groups/managedusers RecordName "Managed Users"

  • diradmin is the name of the directory administrator user. Enter this user's password when prompted.
  • managedusers is the short name of the network group record.
  • "Managed Users" is the long name of the network group record.
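
The Terminal method above, scripted for several groups, as an added example that is not part of the original article: it skips a group whose RecordName already holds the long name, and after appending it re-reads the record to confirm the short name is still there (appended, not replaced). The helper names has_value and append_long_name are hypothetical, and the two dscl -read output layouts the parser accepts are assumptions.

```sh
#!/bin/sh
# Added example, not Apple's code. Defaults are the article's sample values.
NODE="${NODE:-/LDAPv3/127.0.0.1}"   # directory node from the article
ADMIN="${ADMIN:-diradmin}"          # directory administrator short name

# has_value VALUE: reads `dscl -read <record> <attr>` output on stdin and
# succeeds if VALUE is one of the attribute's values. Assumed layouts:
#   "RecordName: a b"             (no value contains a space)
#   "RecordName:" then " value"   (one indented value per line)
has_value() {
    WANT="$1" awk '
        NR == 1 { sub(/^[^:]*: ?/, "")
                  n = split($0, v, " ")
                  for (i = 1; i <= n; i++) if (v[i] == ENVIRON["WANT"]) hit = 1
                  next }
        { sub(/^ /, ""); if ($0 == ENVIRON["WANT"]) hit = 1 }
        END { exit !hit }'
}

# append_long_name SHORT LONG
# Returns 0 = appended and verified, 2 = already present, other = failure.
append_long_name() {
    rec="/Groups/$1"
    if dscl "$NODE" -read "$rec" RecordName | has_value "$2"; then
        return 2                      # nothing to do; avoid a duplicate value
    fi
    dscl -u "$ADMIN" -p "$NODE" -append "$rec" RecordName "$2" || return 1
    # Confirm the long name was appended and the short name was not replaced.
    after=$(dscl "$NODE" -read "$rec" RecordName) || return 1
    printf '%s\n' "$after" | has_value "$1" &&
        printf '%s\n' "$after" | has_value "$2"
}

# Usage: sh this-script SHORT "LONG" [SHORT "LONG" ...]
while [ "$#" -ge 2 ]; do
    rc=0; append_long_name "$1" "$2" || rc=$?
    case $rc in
        0) echo "$1: appended \"$2\" to RecordName" ;;
        2) echo "$1: RecordName already contains \"$2\"" ;;
        *) echo "$1: FAILED, inspect RecordName by hand" >&2 ;;
    esac
    shift 2
done
```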

Read more http://support.apple.com/kb/TS4013