Google LDAPs Mac OS dscl

I am using Google's method for connecting my Mac fleet to Google's LDAPs service using these instructions:

Connect LDAP clients to the Secure LDAP service

Everything works great when I run the Python script from the terminal, but when I generate a .app file using py2app for deployment, I get eDSNodeNotFound.  I am using localhost for the node.  From what I read, apparently apps do not have access to localhost.  I've seen some mentions of using the hostname or IP address with user authentication, but those credentials are passed in clear text and I'm not willing to take that chance.  We have around 500 Macs to deploy this to.  I am using Python3 on MacOS 14.41. Py2App is version 0.28 (the latest).  I do not want to install the Python framework on my Mac fleet for security reasons.

Here is the exact error:

 /Users/Shared/dcsd_ldap/dist/ldap_python_config.app/Contents/MacOS/ldap_python_config ; exit;

<main> attribute status: eDSNodeNotFound

<dscl_cmd> DS Error: -14008 (eDSNodeNotFound)

 

The script is as follows (works from the terminal, fails when run as the py2app application)

Follow the steps below to connect the macOS client for user account authentication using the Secure LDAP service.

System requirements

  • macOS must be Catalina version 10.15.4 or later.
  • A Google super admin user ID is required to complete step 1 in the preparation phase.
  • You need local admin permissions to perform this configuration.

Contents:

Preparation phase

The instructions in this section focus on how to manually set up and test macOS authentication using the Secure LDAP service.

Step 1: Onboard macOS as an LDAP client in the Google Admin console

For instructions, see Add LDAP clients, or watch this Secure LDAP demo. You will also download an auto-generated TLS client certificate during this process. 

Step 2: Import the certificate into the system keychain

  1. Copy the certificate (the zip file downloaded in step 1) and key to the macOS machine.
    Tip: Unzip the file to find cert and key files.
  2. Import the key pair into the system keychain:
    1. Convert the key and cert into a PKCS 12 (p12) file. Run the following command in the terminal:

      openssl pkcs12 -export -out ldap-client.p12 -in ldap-client.crt -inkey ldap-client.key

      Tip: Write down the name of the .p12 file.

      The system will ask you to enter a password. Enter a password with which to encrypt the p12 file.

    2. Open the Keychain Access application.

    3. Click on the System keychain.

    4. Click File > Import Items.

    5. Select the ldap-client.p12 file created above.

    6. If prompted, enter the admin password to allow modification of the system keychain.

    7. Enter the password you created above to decrypt the .p12 file.

      Note: Expect to see a new cert and associated private key show up in the list of keys. It may be called LDAP Client. Write down the cert’s name for the next step below.
       
    8. Follow step 6 in the ldapsearch (macOS) section in this article to set up Access Control for the private key to add apps specified below. If the private key is not showing under the All Items category, try to switch to the My Certificates category, and locate the correct private key entry by expanding the corresponding certificate.

      The ldapsearch app, as specified in the instructions, is relevant only if troubleshooting is needed, and not for other purposes. It’s typically removed before providing users access to macOS.

      The following three apps must be added to the Access Control list:

      /System/Library/CoreServices/Applications/Directory Utility
      /usr/libexec/opendirectoryd
      /usr/bin/dscl
  3. Add a line to the /etc/openldap/ldap.conf file, ensuring that "LDAP Client" is exactly the same certificate name as shown in the macOS Keychain Access application after importing the .p12 file (the name comes from the X.509 Subject Common Name of the generated certificate):

    sudo bash -c 'echo -e "TLS_IDENTITY\tLDAP Client" >> /etc/openldap/ldap.conf'

Step 3: Point the device to Google directory for authentication

Open the Directory Utility application to create a new LDAP directory node:

  1. Click the lock to make changes and enter your password.
  2. Select LDAPv3 and click the pencil icon to edit settings.
  3. Click New…
  4. For the server name, enter ldap.google.com, select Encrypt using SSL, and click Manual.
  5. Select the new server name and click Edit…
  6. Enter a descriptive name such as Google Secure LDAP for the configuration name.
  7. Select Encrypt using SSL and make sure the port is set to 636.
  8. Go to the Search & Mappings tab.
    1. Choose RFC2307 from the Access this LDAPv3 server using dropdown list.
    2. When prompted, enter the domain-related information into Search Base Suffix. For example, enter dc=zomato,dc=com for a domain name of zomato.com.
    3. Click OK.
    4. Configure attributes under the Users record type:
      1. In the Record Types and Attributes section, select Users and click the “+” button.
      2. In the popup window, choose Attribute Types, select GeneratedUID, and then click OK to close the popup window.

        GeneratedUID should be displayed under Users after it’s expanded.
         
      3. Click on the GeneratedUID, and click the “+” icon in the box on the right.
      4. Enter apple-generateduid in the text box, and press Enter.
      5. Under the Users node, click the NFSHomeDirectory attribute.
      6. In the screen on the right, update the value for this attribute to #/Users/$uid$
      7. Click OK and enter your password to save the changes.
  9. From the Directory Utility window, configure the new LDAP config:
    1. Go to Search Policy tab.
    2. Click the lock icon to make changes, and enter the password of the current user when prompted.
    3. Change the dropdown option from Search Path to Custom path.
    4. Open the Authentication tab and click the “+” icon. 
    5. Choose /LDAPv3/ldap.google.com from the Directory Domains list, and then click Add.
    6. Click the Apply button, and enter your admin password if prompted.
  10. Run the following four commands to disable the DIGEST-MD5, CRAM-MD5, NTLM, and GSSAPI SASL authentication mechanisms. macOS will use Simple Bind to authenticate using the Google Secure LDAP service:

    sudo /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string DIGEST-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap.google.com.plist 

    sudo /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string CRAM-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap.google.com.plist

    sudo /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string NTLM" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap.google.com.plist

    sudo /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string GSSAPI" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap.google.com.plist
     
  11. Reboot to reload the OpenDirectory configuration.

Step 4: Create a mobile account (allows offline login)

Any Google Workspace or Cloud Identity user can log in using a network account (Google account) using their username and password. This login process needs network connectivity. If a user needs to log in with or without connection to the network, a mobile account can be created. A mobile account lets you use your network account (Google account) username and password to sign in, whether or not you’re connected to the network. For more details, see Create and configure mobile accounts on Mac.

To create a mobile account for Secure LDAP users:

  1. Run the following command to connect to the Secure LDAP server and set up a home path and mobile account(s):

    sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n $uid -v 

    Tip: Replace $uid with the username part of the email address associated with the user’s Google account. For example, jsmith is the username part for jsmith@solarmora.com.

  2. When prompted for the SecureToken admin user name, enter your admin username, and enter your password in the next prompt. This adds $uid to FileVault, which is needed if the macOS disk is encrypted.

Step 5: (Optional) Set the login screen preference

  1. Go to System preferences > Users & Groups > Login Options at the bottom left.
  2. Unlock the lock by providing admin credentials.
  3. Change the Display login window as to Name and password.

Step 6: Reboot and log in to your device

  1. Make sure the device is connected to the Internet. If you don’t have an internet connection, the login for the Secure LDAP user will not work.
    Note: Internet connection is needed only for the first login. Any subsequent logins can occur without Internet access. 
  2. Sign in to the device with the user account that's configured to use Secure LDAP for authentication. 

Deployment phase

The instructions in this section focus on automating the device configuration for your users. Perform steps 1 and 2 below on the same macOS device where you completed your manual configuration during the preparation phase. 

Step 1: Create a Mac Profile with certificate using Apple Configurator 2

  1. Install Apple Configurator 2 on the machine where you manually configured macOS authentication with Secure LDAP.
  2. Open Apple Configurator 2, create a new profile and in the Certificate section, click Configure, and import the previously generated .p12 file.
    Note: Make sure this .p12 has a password. Enter this password in the Password section of the Certificate.
  3. Save this Profile. 
  4. Open this profile in any text editor and add the following lines inside the first <dict> tag:

    <key>PayloadScope</key>
    <string>System</string>

    This is added, as Apple Configurator does not support profiles for macOS yet.
     
  5. In the second <dict> tag, alongside the certificate data, add the following lines:

    <key>AllowAllAppsAccess</key>
    <true/>

    This will make sure that this certificate can be accessed by all applications.

Step 2: Convert the Directory config file (plist) to XML

In this step, you are extracting all the manual configuration that you completed during step 3 of the preparation phase into an XML file. You can use this file and the Mac profile created in step 1 above to automatically configure other macOS devices.

  1. Copy /Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldap.google.com.plist to your desktop or elsewhere.
  2. Convert it to XML so that you can inspect it in any text editor. Run the following command in Terminal:

    sudo plutil -convert xml1 <path>/ldap.google.com.plist

    You can access the file as <path>/ldap.google.com.plist.
     
  3. Change the permission of the above file so that you can open the XML file. Make sure it is not empty.

Step 3: Create a Python script to automate the configuration on your end-user devices

Copy the Python script below and save it as a Python file (.py file).

Note: This sample script is provided on an as-is basis. Google support will not provide support for sample scripts. 

Here is the line in the following script that fails.  The localhost nodename is what is failing (I believe).

os.system("dscl -q localhost -append /Search CSPSearchPath /LDAPv3/ldap.google.com")

The full script is below:

ldap_python_config.py

#!/usr/bin/env python3
from OpenDirectory import ODNode, ODSession, kODNodeTypeConfigure
from Foundation import NSMutableData, NSData

import os
import sys

# Read the XML plist exported in deployment step 2 (path given as the first argument).
# Read as bytes: NSData wants a buffer, not a Python str.
if len(sys.argv) != 2:
    sys.exit("usage: ldap_python_config.py <path>/ldap.google.com.plist")
with open(sys.argv[1], "rb") as GOOGLELDAPCONFIGFILE:
    CONFIG = GOOGLELDAPCONFIGFILE.read()

# Write the plist into the OpenDirectory Configure node: custom call 99991 takes
# 32 zero bytes followed by the raw plist.
od_session = ODSession.defaultSession()
od_conf_node, err = ODNode.nodeWithSession_type_error_(od_session, kODNodeTypeConfigure, None)
if err is not None:
    sys.exit(f"could not open the Configure node: {err}")
request = NSMutableData.dataWithBytes_length_(b'\x00' * 32, 32)
request.appendData_(NSData.dataWithBytes_length_(CONFIG, len(CONFIG)))
response, err = od_conf_node.customCall_sendData_error_(99991, request, None)
if err is not None:
    sys.exit(f"custom call 99991 failed: {err}")

# Edit the default search path and append the new node to allow for login
os.system("dscl -q localhost -append /Search CSPSearchPath /LDAPv3/ldap.google.com")
# Point the OpenLDAP library at the client certificate imported into the System keychain
# (the name must match the certificate name shown in Keychain Access)
os.system("bash -c 'echo -e \"TLS_IDENTITY\tLDAP Client\" >> /etc/openldap/ldap.conf' ")

Thank you for any help!  I am super frustrated.

Greg
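The deployment script above pushes the exported plist and appends the search path without checking anything first. The following is an added example, not part of Greg's post or of Google's article, showing the offline pre-flight checks a practitioner would run on the exported ldap.google.com.plist before shipping it to several hundred machines: that the node still points at an ldaps:// URI, that all four SASL mechanisms from step 10 of the preparation phase are denied, that the customCall request is framed the way the script frames it, and that the TLS_IDENTITY line is added to ldap.conf only once. The plist keys "node name" and "destination" -> "uri" are assumptions about the exported file's layout; the "module options:ldap:Denied SASL Methods" path is the one the post's PlistBuddy commands write to, and the sample plist is constructed inline.

```python
#!/usr/bin/env python3
"""Pre-flight checks for the Secure LDAP deployment script (added example).

Assumed, not shown in the post: the exported ldap.google.com.plist keeps the
node name under "node name" and the LDAPS URI under "destination" -> "uri".
The "module options" -> "ldap" -> "Denied SASL Methods" path is the one the
post's PlistBuddy commands write to.
"""
import plistlib
import subprocess
import sys
from pathlib import Path

NODE_NAME = "/LDAPv3/ldap.google.com"
REQUIRED_DENIED_SASL = ("CRAM-MD5", "DIGEST-MD5", "GSSAPI", "NTLM")
CUSTOM_CALL_HEADER = b"\x00" * 32  # framing the post's script puts in front of the plist
DSCL_APPEND = ["dscl", "-q", "localhost", "-append", "/Search", "CSPSearchPath", NODE_NAME]


def sample_config_bytes(denied_sasl=REQUIRED_DENIED_SASL,
                        uri="ldaps://ldap.google.com:636") -> bytes:
    """Constructed stand-in for the plist exported in deployment step 2 (assumed layout)."""
    cfg = {
        "node name": NODE_NAME,
        "destination": {"uri": uri},
        "module options": {"ldap": {"Denied SASL Methods": list(denied_sasl)}},
    }
    return plistlib.dumps(cfg, fmt=plistlib.FMT_XML)


def validate_config(plist_bytes: bytes) -> list:
    """Return the reasons this config must not be pushed; an empty list means it is clean."""
    try:
        cfg = plistlib.loads(plist_bytes)
    except Exception as exc:  # empty or non-plist file: step 2 warns that the export can be empty
        return [f"config does not parse as a plist: {exc}"]
    if not isinstance(cfg, dict):
        return ["config is not a plist dictionary"]
    problems = []
    if cfg.get("node name") != NODE_NAME:
        problems.append(f"node name is {cfg.get('node name')!r}, expected {NODE_NAME!r}")
    uri = cfg.get("destination", {}).get("uri", "")
    if not uri.startswith("ldaps://"):
        problems.append(f"destination {uri!r} is not ldaps://; Simple Bind would go in the clear")
    denied = set(cfg.get("module options", {}).get("ldap", {}).get("Denied SASL Methods", []))
    missing = sorted(set(REQUIRED_DENIED_SASL) - denied)
    if missing:
        problems.append("SASL mechanisms not denied: " + ", ".join(missing))
    return problems


def build_custom_call_request(plist_bytes: bytes) -> bytes:
    """Same framing as the post's script: 32 zero bytes, then the raw plist bytes."""
    return CUSTOM_CALL_HEADER + plist_bytes


def merge_tls_identity(ldap_conf_text: str, identity: str = "LDAP Client"):
    """Return (new_text, changed). Adds one TLS_IDENTITY line and never stacks a second one."""
    for line in ldap_conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "TLS_IDENTITY":
            if parts[1].strip() == identity:
                return ldap_conf_text, False  # already configured, nothing to do
            raise ValueError(f"ldap.conf already names identity {parts[1].strip()!r}")
    text = ldap_conf_text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"TLS_IDENTITY\t{identity}\n", True


def append_search_path() -> str:
    """The post's dscl step with its exit status checked (macOS only, needs root)."""
    # os.system() ignores dscl's status; here a failure such as eDSNodeNotFound raises
    result = subprocess.run(DSCL_APPEND, check=True, capture_output=True, text=True)
    return result.stdout + result.stderr


if __name__ == "__main__":
    # With a path: check a real export. Without one: dry run on the constructed sample.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else sample_config_bytes()
    issues = validate_config(data)
    for issue in issues:
        print("REFUSING TO PUSH:", issue)
    if issues:
        sys.exit(1)
    print(f"config OK: {len(build_custom_call_request(data))}-byte request ready for custom call 99991")
```

Run it with the path of the exported plist on the Mac you configured by hand; it prints each problem and exits non-zero instead of pushing a config that would re-allow a cleartext SASL mechanism or a non-TLS destination. merge_tls_identity() is the idempotent replacement for the blind echo >> /etc/openldap/ldap.conf in the script, and append_search_path() is the same dscl command with its exit status checked, so a failing dscl stops the deployment rather than being ignored by os.system().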

 

3 REPLIES

I can't even get this far. When I try to run the terminal commands to disable digest-md5 etc., I get an operation not allowed error (even after allowing full disk access for Terminal).  The LDAPv3 folder is locked down in Sonoma 14.5.  Does anyone know how to disable these services in Sonoma?

I faced the same problem in Sonoma, too.
I googled a bit and found a solution.
<URL removed by staff>
I executed the following command, and it seems that the ldap.google.com.plist file was updated correctly.

sudo odutil set configuration /LDAPv3/ldap.google.com module ldap option "Denied SASL Methods" CRAM-MD5 DIGEST-MD5 NTLM GSSAPI 

 
