
I know this is an odd question, but I hope someone out in the JNation can assist. I am trying to set up a lab station build. On this build people log in against our LDAP to a locked-down profile. When they log out the profile is deleted.

The hiccup I am having is that our LDAP doesn't have a UniqueID to map to. I was hoping to map every user who logs in to #601 or something. What I need to know is how do I flush that record during logout so the next user can log in using the same UniqueID? I assume I have to run some sort of dscl command before I delete the home folder.

Any help would be greatly appreciated!!!

#!/bin/bash
function delete_local_user {
    if [ -z "$1" ]; then return; fi
    # Remove the local directory record, then the home folder if it exists
    dscl . -delete "/Users/$1" &>/dev/null
    if [ -d "/Users/$1" ]; then echo "deleting local account: /Users/$1"; rm -rf "/Users/$1"; fi
}


function create_local_user {
    delete_local_user "$1"
    echo "- Creating local account: $1"

    # Generate a new UniqueID; seed with 99 (nobody), which always exists, so the loop runs at least once
    aUID=99
    while [ -n "$(dscl . -search /Users UniqueID "$aUID")" ]
    do
        aUID=$RANDOM
        aUID=$((aUID % 100)) # Mod 100 keeps the value between 0-99
        aUID=$((aUID + 500)) # Add 500 = 500-599
    done
    # Create the local directory entry
    dscl . -create "/Users/$1"
    dscl . -create "/Users/$1" UniqueID "$aUID"
    dscl . -create "/Users/$1" RealName "$3"
    dscl . -create "/Users/$1" NFSHomeDirectory "/Users/$1"
    dscl . -create "/Users/$1" UserShell /dev/null
    # dscl . -create "/Users/$1" UserShell /bin/bash
    dscl . -create "/Users/$1" PrimaryGroupID 20

    # Create the Home folder from template (the template path contains a space, so quote it)
    cp -a "/System/Library/User Template/English.lproj" /Users
    mv /Users/English.lproj "/Users/$1"

    # Set the password (it is visible in the process list while dscl runs; fine for a throwaway account)
    dscl . -passwd "/Users/$1" "$2"

    # Fix the rights.
    chown -R "$1" "/Users/$1"
    find "/Users/$1/Library" -type f -exec chmod a-x {} \;

}


# Call the function:

create_local_user username userpass "User Name"

Have you tried killing opendirectoryd as part of your logout script?

Or

Perhaps you can change the UID of the account on the fly with some of what Chris has suggested:

aUID=$RANDOM
aUID=$((aUID % 100)) # Mod 100 keeps the value between 0-99
aUID=$((aUID + 500)) # Add 500 = 500-599

# Swap the statically mapped UID on the existing record for the random one
dscl . -change "/Users/$1" UniqueID "$old_static_mapped_UID" "$aUID"
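A logout hook along the lines of the suggestion above, added here as an example and not code from the thread. It assumes the setup in the original question (records in the local `.` node, homes under `/Users/<name>`, the short name passed in as `$1`, which is how a LogoutHook receives it) and refuses to run the `dscl . -delete` and `rm -rf` unless the name is a plain short name, the account is not an administrator and the record's `NFSHomeDirectory` is exactly `/Users/<name>`. It flushes the directory cache with `dscacheutil -flushcache` rather than killing `opendirectoryd`; whether that is enough on a given release is something to verify on the lab image.

```shell
#!/bin/bash
# Added example (not from the thread): a logout hook that flushes a throwaway
# lab account so its UID can be handed to the next login. Assumes the setup
# described in the question: records in the local node, homes under
# /Users/<name>, and the short name arriving in $1 as a LogoutHook passes it.

# lab_name_ok NAME: accept only a plain short name (non-empty, no '/', no
# leading '.' or '-', at most 32 chars) so it is safe to splice into a path.
lab_name_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$'
}

# home_ok NAME HOMEDIR: the record's NFSHomeDirectory must be exactly
# /Users/NAME. Anything else (/, /Users, a shared folder) is refused, never removed.
home_ok() {
    [ "$2" = "/Users/$1" ]
}

# flush_lab_account NAME: delete the local record and its home, then flush the
# directory cache. Every check must pass before anything is touched.
flush_lab_account() {
    local name home
    name=$1
    lab_name_ok "$name" || { echo "refusing: bad short name '$name'" >&2; return 1; }
    # Never wipe an administrator, whatever UID pool the account falls in.
    if dseditgroup -o checkmember -m "$name" admin >/dev/null 2>&1; then
        echo "refusing: $name is an admin" >&2
        return 1
    fi
    home=$(dscl . -read "/Users/$name" NFSHomeDirectory 2>/dev/null | awk '{ print $2 }')
    home_ok "$name" "$home" || { echo "refusing: unexpected home '$home'" >&2; return 1; }
    if [ -L "$home" ]; then
        echo "refusing: $home is a symlink" >&2
        return 1
    fi
    dscl . -delete "/Users/$name" || return 1
    rm -rf -- "$home"
    # The thread suggests restarting opendirectoryd; flushing its cache is the
    # lighter-touch alternative to try first.
    dscacheutil -flushcache
}

# As a logout hook the short name arrives in $1; with no argument, or without
# dscl (i.e. not on a Mac), the script only defines the functions.
if [ -n "${1:-}" ] && command -v dscl >/dev/null 2>&1; then
    flush_lab_account "$1"
fi
```

Install it as the LogoutHook and the name checks cost nothing; the admin check is what keeps a mistyped mapping from deleting the local admin, whose UID 501 sits inside the 500-599 pool used above.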


With Per's LoginScriptPlugin you can run login scripts as root before the home directory is mounted. This might give you a chance to change the UID to a random number for the user logging in, before their home directory is created and mounted.

check out

https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html#//apple_ref/doc/uid/10000172i-SW10-BAJCGEGG

specifically:

Authentication Plug-Ins

Authentication plug-ins are the recommended way to perform tasks during the login process. An authentication plug-in executes while the user is logging in, and is guaranteed to complete before the user is allowed to actually interact with his or her account.

You might write an authentication plug-in if you need to programmatically reset an account to a predetermined state, perform some administrative task such as deleting caches to reduce server utilization, and so on.

To learn more about writing an authentication plug-in, read Running At Login.


@calumhunter & @chris.hotte

Thanks for the scripts I will play with them tomorrow and see what sticks. I appreciate the help.
I have to figure out exactly how your suggestions work, but I will play around.

Thanks!


Ahh the joys of being down under. g/l


All the issues you will encounter repeatedly creating local accounts with randomly generated UIDs are (hopefully) taken into account with the function. It works like this:

  • Expect 3 parameters passed in.

  • Delete the user name passed in from the local directory.

  • Loop the random number generator, testing each generated UID for a conflict.

  • Create the user in the local directory as per the parameters passed in.

  • Copy the user template.

  • Assign ownership of the copied template to the newly created user.

I use this function for generic accounts with a known password for when a user's directory account is unavailable for whatever reason. It's a limited account and counter to policy, but it allows work to continue in a squeeze.
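A bounded version of the UID search in the function above (the "loop the random number generator" step just described), added here as an example and not code from the thread. The original `while` loop retests slots it has already tried and never terminates once every UID in 500-599 is taken; this one walks the pool once from a random start, so it finds a free slot whenever one exists and fails cleanly otherwise. The pool bounds and the `used_uids` helper (which needs `dscl`, so it only runs on a Mac) are assumptions; the picker itself takes the used list as an argument so it can be exercised anywhere.

```shell
#!/bin/bash
# Added example (not from the thread): pick a free UID for a throwaway lab
# account by walking the pool once from a random start, so the search always
# terminates and finds a slot if one exists.

LAB_UID_MIN=500   # assumed pool, matching the 500-599 range used in the thread
LAB_UID_MAX=599

# used_uids: one UniqueID per line from the local node. Needs dscl (macOS).
used_uids() {
    dscl . -list /Users UniqueID | awk '{ print $2 }'
}

# uid_is_free UID USED_LIST: succeeds when UID is not in the newline-separated list.
uid_is_free() {
    ! printf '%s\n' "$2" | grep -qx -- "$1"
}

# pick_free_uid USED_LIST: print an unused UID in [LAB_UID_MIN, LAB_UID_MAX].
# Starts at a random offset and checks each slot exactly once; returns 1 when
# the pool is full instead of spinning forever.
pick_free_uid() {
    local used span start i cand
    used=$1
    span=$(( LAB_UID_MAX - LAB_UID_MIN + 1 ))
    start=$(( ${RANDOM:-$$} % span ))
    i=0
    while [ "$i" -lt "$span" ]; do
        cand=$(( LAB_UID_MIN + (start + i) % span ))
        if uid_is_free "$cand" "$used"; then
            printf '%s\n' "$cand"
            return 0
        fi
        i=$(( i + 1 ))
    done
    echo "pick_free_uid: no free UID in $LAB_UID_MIN-$LAB_UID_MAX" >&2
    return 1
}

# Only query the directory when dscl is present (i.e. on a Mac); elsewhere the
# script just defines the functions.
if command -v dscl >/dev/null 2>&1; then
    pick_free_uid "$(used_uids)"
fi
```

In the create function, `aUID=$(pick_free_uid "$(used_uids)") || return 1` replaces the `while` loop. Note that 501 is normally the first local admin's UID: the used list stops it being reused, but starting the pool above the real local accounts avoids sharing a range with them at all.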


@pblake You might want to find a different approach come 10.11


I've found cached AD mobile accounts very troublesome, since after password change time they do not appear to update correctly and, in my environment at least, this results in consistent/frequent account lockouts. Thus my kludge for this issue has been to clear the cached user account on the logout hook.


Turns out there was a unique field in the LDAP, but I have to obtain a privileged service account to read it. Once I got that, I was able to map it to a unique number.

Thanks all for the help!
Special Shouts to:
@chris.hotte
@nessts
@c0up3
@mm2270
@rhysforrester
@calumhunter