XCreds Password Verification with Google Cloud Secure LDAP
XCreds verifies a user’s password either by confirming that the refresh token is still valid or by authenticating with the user’s credentials via ROPG. Google Cloud supports neither of these methods, but it does support password verification via LDAP. If your Google Cloud subscription supports LDAP integration, you can configure XCreds to check for password changes via Secure LDAP on Google Cloud.
The following setup is required:
- Enabling Google LDAP in Google Cloud
- Installing the client credentials into the system keychain
- Configuring a settings key in XCreds to verify password changes with LDAP
This guide provides the information needed to set up XCreds with Secure LDAP on Google Cloud for password change checking.
Enable Google LDAP in Google Cloud
Google Secure LDAP is not enabled by default. To enable it, follow the instructions provided by Google. During setup, an ldap-client certificate and an ldap-client private key are generated. These two files are used in the next step.
Install the Client Credentials into the System Keychain
In order for XCreds to authenticate with Google Cloud over Secure LDAP, a client certificate must be installed in the System keychain and the ldapsearch command line tool (/usr/bin/ldapsearch) must be granted access to its private key. The steps below install the identity manually into the System keychain. You can also use MDM to deploy the identity.
- Convert the certificate and key files to one PKCS12 formatted file. At a command prompt, enter the following:
openssl pkcs12 -inkey ldap-client.key -in ldap-client.crt -export -out ldap-client.p12
- Enter your password to encrypt the output file.
- Click the Spotlight icon in the upper-right corner of the menu bar, and type Keychain Access.
- Open the Keychain Access application, and from the list on the left, click System.
- Click File in the menu bar and select Import Items.
- Browse to the location of the generated ldap-client.p12, select ldap-client.p12, and click Open.
- If prompted, enter your password.
- A certificate with the name LDAP Client should now appear in the list of System keychain certificates.
- Click the arrow next to the LDAP Client certificate. A private key appears below it.
- Double-click the private key.
- In the dialog box, select the Access Control tab and click + in the lower-left corner.
- In the window that opens, press Command+Shift+G to open a new window, and replace the existing text with /usr/bin/ldapsearch.
- Click Go.
- This opens a window with ldapsearch highlighted. Click Add.
- Click Save Changes, and enter your password if prompted.
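The same two install steps as a script suitable for MDM deployment, as an added example that is not part of this guide or of Twocanoes' own tooling. It assumes the file names used above, takes the PKCS12 export passphrase as its first argument, and performs the keychain import only when run as root on macOS; the openssl steps run anywhere.

```shell
#!/bin/sh
# Added example (not Twocanoes' own tooling): scripts the manual steps above.
# Assumes the guide's file names (ldap-client.key/.crt/.p12) and that only
# /usr/bin/ldapsearch needs access to the private key.
set -eu

KEYCHAIN=/Library/Keychains/System.keychain   # the System keychain from the guide
LDAPSEARCH=/usr/bin/ldapsearch                 # the tool granted access above

# Step 1: bundle certificate + key into one passphrase-protected PKCS#12 file.
# Arguments: key file, cert file, output .p12, export passphrase.
bundle_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# Sanity check before touching the keychain: the .p12 must open with the given
# passphrase and actually contain a private key (a cert-only export is useless).
# Arguments: .p12 file, passphrase. Returns 0 only if a private key is present.
p12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# Step 2 (macOS, needs root): import into the System keychain and allow
# ldapsearch to use the private key, which is what the Access Control tab does.
# Arguments: .p12 file, passphrase.
import_identity() {
    security import "$1" -k "$KEYCHAIN" -f pkcs12 -P "$2" -T "$LDAPSEARCH"
}

# Confirm the identity landed: the guide says it shows up as "LDAP Client".
identity_installed() {
    security find-certificate -c "LDAP Client" "$KEYCHAIN" >/dev/null 2>&1
}

if [ "$(uname)" = Darwin ] && [ "$#" -eq 1 ]; then
    bundle_p12 ldap-client.key ldap-client.crt ldap-client.p12 "$1"
    p12_has_key ldap-client.p12 "$1" || { echo "no private key in .p12" >&2; exit 1; }
    import_identity ldap-client.p12 "$1"
    identity_installed && echo "LDAP Client identity installed in $KEYCHAIN"
fi
```

Run it as root with the export passphrase as the only argument, e.g. via an MDM script policy; the passphrase is used only to protect the .p12 in transit and is not stored.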
Configure XCreds Settings to Verify Password Changes with LDAP
To enable LDAP for XCreds, follow the XCreds Admin Guide to edit the XCreds configuration mobileconfig file. Add the preference key shouldUseLDAPForPasswordChangeChecking and set its value to true, then reinstall the configuration file in macOS Settings.
Once enabled, XCreds will be able to use LDAP when verifying the user’s password.