Skip to main content
Question

Anyone doing Live LDAP lookups? - Updated

  • July 21, 2010
  • 4 replies
  • 33 views
J
Forum|alt.badge.img+24

I talked to Jamf support yesterday and we think we may have found why it doesn't work. Basically, in order to do the live LDAP lookup, an initial lookup needs to be performed so that an LDAP ID is populated. This normally shows up in the left bottom portion of the location tab.

The problem lies when information changes and doesn't match against LDAP, specifically (for us anyway) with the Department field. If I pull my information from LDAP and populate my Department, it will be populated as "11-70." (We use our profitCenter attribute in LDAP as Department.) Now, because I have "11-70" defined as a department in the JSS, it matches what LDAP provided and fills it in.

Here's the problem: Let's say I changed departments (precicely the thing I want live LDAP lookup to handle). If my department in the JSS and department on LDAP mismatch, I get a "no results found" when performing the lookup. Support was able to replicate it on their end and is taking it to Dev.

In reality, the JSS shoudn't care – AT ALL – what it has in its record beyond the LDAP ID. I want everything pulled from LDAP, every time. Name, position, telephone number, email…. Everything. There shouldn't be matches.

So, support's aware and is working on it.

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

    4 replies

    J
    Forum|alt.badge.img+24
    • jarednichols
    • Author
    • Valued Contributor
    • July 21, 2010

    en the below script.

    This will submit information from the users dscl records to the JSS (real n
    ame, e-mail, position & phone number).. With it returning =93local account
    =94 as position if the account is not ldap supplied.

    This seems to work well on the macs, & the verbs employed will work on pc
    =92s too.

    BUT I need someone help to advise how to get the same information on a pc v
    ia VBSCRIPT.. Anyone??

    You could then have 4 separate extension attributes that will populate thes
    e fields at every recon.

    I.e. One for phone number (shell script mac, vbscript pc), position.. Etc..
    .

    #!/bin/sh
    ###########################################################################
    #########################
    #
    # Copyright (c) 2010, JAMF Software, LLC. All rights reserved.
    #
    # Redistribution and use in source and binary forms, with or without
    # modification, are permitted provided that the following conditions are met:
    # Redistributions of source code must retain the above copy
    right
    # notice, this list of conditions and the following disclai
    mer.
    #     Redistributions in binary form must reproduce the above c
    opyright
    # notice, this list of conditions and the following disclai
    mer in the
    # documentation and/or other materials provided with the di
    stribution.
    # * Neither the name of the JAMF Software, LLC nor the
    # names of its contributors may be used to endorse or promo
    te products
    # derived from this software without specific prior written permission.
    #
    # THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
    # EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE I
    MPLIED
    # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
    # DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
    # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
    # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
    # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CA
    USED AND
    # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
    # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE U
    SE OF THIS
    # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    ###########################################################################
    #########################
    #
    # SUPPORT FOR THIS PROGRAM
    #
    # This program is distributed "as is" by JAMF Software, LLC's Resourc
    e Kit team. For more
    # information or support for the Resource Kit, please utilize the fol
    lowing resources:
    #
    # http://list.jamfsoftware.com/mailman/listinfo/resourcekit
    #
    # http://www.jamfsoftware.com/support/resource-kit
    #
    # Please reference our SLA for information regarding support of this application:
    #
    # http://www.jamfsoftware.com/support/resource-kit-sla
    #
    ###########################################################################
    #########################
    #
    # ABOUT THIS PROGRAM
    #
    # NAME
    # 010 Submit User Info.sh -- Submits dscl info for the local user to the jss
    #
    # SYNOPSIS
    #
    # If the $accountType parameter is null, then the account is a local ac
    count & the position field
    # in the JSS is populated with "Local Account"
    #
    # if the $accountType parameter is not null, then the accounts dscl reco
    rds are queried for
    # submition to the JSS.
    #
    # DESCRIPTION
    # This script will check to see if the account is a Directory supplied a
    ccount, & if so will
    # populate the Realname, Email, Position & Phone number from the loggedi
    n users local dscl record.
    #
    ###########################################################################
    #########################
    #
    # HISTORY
    #
    # Version: 1
    #
    # - Created by Ben Toms, June 26th 2010
    #
    ###########################################################################
    #########################
    #
    # DEFINE VARIABLES & READ IN PARAMETERS
    #
    ###########################################################################
    #########################

    loggedInUserls -l /dev/console | cut -c 15-19
    accountType`dscl . -read /Users/$loggedInUser | grep -A 1 OriginalNodeNa
    me: | tail -1 | cut -c 2-`

    if [[ "$accountType" "" ]]; then userPosition"Local Account"

    jamf recon -endUsername $loggedInUser -position "$userPosition"
    else userRealname`dscl . -read /Users/$loggedInUser | grep -A 1 dsAttrType
    Native:original_realname: | tail -1 | cut -c 2-` userEmail`dscl . -read /Users/$loggedInUser | grep EMailAddress | cu
    t -c 15-` userPosition`dscl . -read /Users/$loggedInUser | grep -A 1 JobTitle: | tail -1 | cut -c 2-` userPhone`dscl . -read /Users/$loggedInUser | grep -A 1 PhoneNumber: | tail -1 | cut -c 2-`

    echo "Submitting dscl information for $loggedInUser..." jamf recon -endUsername "$loggedInUser" -realname "$userRealname" -email "$userEmail" -position "$userPosition" -phone "$userPhone"

    fi

    On 24/06/2010 14:23, "Thomas Larkin" <tlarki at kckps.org> wrote:

    I use a login hook recon script that utilizes the dscl command to grab the
    ir short name and real name and then add them to the asset in inventory via recon. Otherwise, LDAP groups workfine for me in inventory.

    T
    Forum|alt.badge.img+31
    • tlarkin
    • Honored Contributor
    • July 22, 2010

    I just verified one of my test scripts and it doesn't work for various
    reasons. First, dscl looks at the local berkley database by default. However, when a network/portable user logs in their information is quite
    different. The records and strings you want to grab are also displayed
    in a different fashion. I am looking at getting it to work but my code
    is starting to get a bit convulted with a grep -A5 here, then an awk to
    get the string I want and then a grep -v at the end to get rid of the
    excess stuff I don't want.

    I may have to look into the cut command, but I personally am not a fan
    of it for several reasons. Plus, you have to factor in how long names
    our. Since I have a high hispanic user base there are tons of
    hyphenated last names. Which means lots and lots of characters.

    Just log into a network account and then ssh into that same client and
    run some dscl queries you will see that when dscl pulls info off the
    LDAPv3 Berkley database instead of the local one, it pulls a lot more
    information.

    -Tom

    --missing content--

    written the below script.

    This will submit information from the users dscl records to the JSS
    (real name, e-mail, position & phone number).. With it returning “local
    account” as position if the account is not ldap supplied.

    This seems to work well on the macs, & the verbs employed will work on
    pc’s too.

    BUT I need someone help to advise how to get the same information on a
    pc via VBSCRIPT.. Anyone??

    You could then have 4 separate extension attributes that will populate
    these fields at every recon.

    I.e. One for phone number (shell script mac, vbscript pc), position..
    Etc...

    #!/bin/sh
    ####################################################################################################
    #
    # Copyright (c) 2010, JAMF Software, LLC. All rights reserved.
    #
    # Redistribution and use in source and binary forms, with or
    without
    # modification, are permitted provided that the following
    conditions are met:
    # Redistributions of source code must retain the above
    copyright
    # notice, this list of conditions and the following
    disclaimer.
    #     Redistributions in binary form must reproduce the
    above copyright
    # notice, this list of conditions and the following
    disclaimer in the
    # documentation and/or other materials provided with
    the distribution.
    # * Neither the name of the JAMF Software, LLC nor the
    # names of its contributors may be used to endorse or
    promote products
    # derived from this software without specific prior
    written permission.
    #
    # THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND
    ANY
    # EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    THE IMPLIED
    # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    PURPOSE ARE
    # DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR
    ANY
    # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
    CONSEQUENTIAL DAMAGES
    # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    OR SERVICES;
    # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    HOWEVER CAUSED AND
    # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    LIABILITY, OR TORT
    # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
    THE USE OF THIS
    # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    ####################################################################################################
    #
    # SUPPORT FOR THIS PROGRAM
    #
    # This program is distributed "as is" by JAMF Software, LLC's
    Resource Kit team. For more
    # information or support for the Resource Kit, please utilize the
    following resources:
    #
    # http://list.jamfsoftware.com/mailman/listinfo/resourcekit
    #
    # http://www.jamfsoftware.com/support/resource-kit
    #
    # Please reference our SLA for information regarding support of
    this application:
    #
    # http://www.jamfsoftware.com/support/resource-kit-sla
    #
    ####################################################################################################
    #
    # ABOUT THIS PROGRAM
    #
    # NAME
    # 010 Submit User Info.sh -- Submits dscl info for the local user to
    the jss
    #
    # SYNOPSIS
    #
    # If the $accountType parameter is null, then the account is a
    local account & the position field
    # in the JSS is populated with "Local Account"
    #
    # if the $accountType parameter is not null, then the accounts dscl
    records are queried for
    # submition to the JSS.
    #
    # DESCRIPTION
    # This script will check to see if the account is a Directory
    supplied account, & if so will
    # populate the Realname, Email, Position & Phone number from the
    loggedin users local dscl record.
    #
    ####################################################################################################
    #
    # HISTORY
    #
    # Version: 1
    #
    # - Created by Ben Toms, June 26th 2010
    #
    ####################################################################################################
    #
    # DEFINE VARIABLES & READ IN PARAMETERS
    #
    ####################################################################################################

    loggedInUser=ls -l /dev/console | cut -c 15-19
    accountType=`dscl . -read /Users/$loggedInUser | grep -A 1
    OriginalNodeName: | tail -1 | cut -c 2-`

    if [[ "$accountType" == "" ]]; then userPosition="Local Account"

    jamf recon -endUsername $loggedInUser -position "$userPosition"
    else userRealname=`dscl . -read /Users/$loggedInUser | grep -A 1
    dsAttrTypeNative:original_realname: | tail -1 | cut -c 2-` userEmail=`dscl . -read /Users/$loggedInUser | grep EMailAddress |
    cut -c 15-` userPosition=`dscl . -read /Users/$loggedInUser | grep -A 1
    JobTitle: | tail -1 | cut -c 2-` userPhone=`dscl . -read /Users/$loggedInUser | grep -A 1
    PhoneNumber: | tail -1 | cut -c 2-`

    echo "Submitting dscl information for $loggedInUser..." jamf recon -endUsername "$loggedInUser" -realname "$userRealname"
    -email "$userEmail" -position "$userPosition" -phone "$userPhone"

    fi

    On 24/06/2010 14:23, "Thomas Larkin" <tlarki at kckps.org> wrote:

    I use a login hook recon script that utilizes the dscl command to grab
    their short name and real name and then add them to the asset in
    inventory via recon. Otherwise, LDAP groups workfine for me in
    inventory.

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Hall of Fame
    • July 23, 2010

    Well this has been working fine for use for a while now.. below are the guts of the script.. we run it at login on ALL managed computers.. we use Active Directory for all our network accounts

    The cut commands are mererly to remove the beginning of the returned strings, same as tail.

    For example:

    dscl . -read /Users/btoms | grep -A 1 dsAttrTypeNative:original_realname:

    would return

    dsAttrTypeNative:original_realname: Toms, Ben (Grey Communications Group - IT)

    Instead if we do

    dscl . -read /Users/btoms | grep -A 1 dsAttrTypeNative:original_realname: | tail -1 | cut -c 2-

    it becomes:

    Toms, Ben (Grey Communications Group - IT)

    i.e. it’s removed the 1st line & the 1st character from the string, giving us the value we want.

    So far this is working fine on English, French & dutch macs..

    # HARDCODED VALUE FOR "loggedInUser" IS SET HERE
    loggedInUser=""

    # CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 4 AND, IF SO, ASSIGN TO "loggedInUser"

    if [ "$3" != "" ] && [ "$loggedInUser" == "" ]; then
    loggedInUser=$3
    fi

    ####################################################################################################
    #
    # SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
    #
    ####################################################################################################

    accountType=dscl . -read /Users/$loggedInUser | ?grep UniqueID | cut -c 11-

    if [["$accountType" ?-gt "1000"]];then userRealname=dscl . -read /Users/$loggedInUser | grep -A 1 dsAttrTypeNative:original_realname: | tail -1 | cut -c 2- userEmail=dscl . -read /Users/$loggedInUser | grep EMailAddress | cut -c 15- userPosition=dscl . -read /Users/$loggedInUser | grep -A 1 JobTitle: | tail -1 | cut -c 2- userPhone=dscl . -read /Users/$loggedInUser | grep -A 1 PhoneNumber: | tail -1 | cut -c 2-

    echo "Submitting information for network account $loggedInUser..." jamf recon -endUsername "$loggedInUser" -realname "$userRealname" -email "$userEmail" -position "$userPosition" -phone "$userPhone"

    else echo "Submitting information for local account $loggedInUser..." userPosition="Local Account" jamf recon -endUsername $loggedInUser -position "$userPosition"
    fi

    Ben Toms
    IT Support Analyst GREY Group
    The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
    T: +44 (0) 20-3037-3819 |
    Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883

    A
    Forum|alt.badge.img+5
    • abenedict
    • Contributor
    • August 4, 2010

    This is exactly what I am looking for as well. I can easily script in
    pulling the LDAP ID, but I want the JSS to do all of the lookups on that ID
    live so that the info is always current. I hope they can add that
    functionality soon. In the meantime I am going to write a script that
    populates all of that info at each login, plus its good scripting practice
    for me.
    --
    Alan Benedict
    ?
    Macintosh Technician
    The Integer Group
    O: 515-247-2738
    C: 515-770-8234
    http://www.integer.com

    Terms & ConditionsCookie settingsAccessibility statement