Anyone doing Live LDAP lookups? - Updated

jarednichols
Honored Contributor

I talked to Jamf support yesterday and we think we may have found why it doesn't work. Basically, in order to do the live LDAP lookup, an initial lookup needs to be performed so that an LDAP ID is populated. This normally shows up in the left bottom portion of the location tab.

The problem lies when information changes and doesn't match against LDAP, specifically (for us anyway) with the Department field. If I pull my information from LDAP and populate my Department, it will be populated as "11-70." (We use our profitCenter attribute in LDAP as Department.) Now, because I have "11-70" defined as a department in the JSS, it matches what LDAP provided and fills it in.

Here's the problem: Let's say I changed departments (precisely the thing I want live LDAP lookup to handle). If my department in the JSS and department on LDAP mismatch, I get a "no results found" when performing the lookup. Support was able to replicate it on their end and is taking it to Dev.

In reality, the JSS shouldn't care – AT ALL – what it has in its record beyond the LDAP ID. I want everything pulled from LDAP, every time. Name, position, telephone number, email…. Everything. There shouldn't be matches.

So, support's aware and is working on it.

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

4 REPLIES 4

jarednichols
Honored Contributor

written the below script.

This will submit information from the user's dscl records to the JSS (real name, e-mail, position & phone number), with it returning "local account" as position if the account is not LDAP supplied.

This seems to work well on the Macs, & the verbs employed will work on PCs too.

BUT I need someone's help to advise how to get the same information on a PC via VBSCRIPT.. Anyone??

You could then have 4 separate extension attributes that will populate these fields at every recon.

I.e. One for phone number (shell script Mac, vbscript PC), position.. Etc...
#!/bin/sh
####################################################################################################
#
# Copyright (c) 2010, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above copyright
#       notice, this list of conditions and the following disclaimer in the
#       documentation and/or other materials provided with the distribution.
#     * Neither the name of the JAMF Software, LLC nor the
#       names of its contributors may be used to endorse or promote products
#       derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# SUPPORT FOR THIS PROGRAM
#
# This program is distributed "as is" by JAMF Software, LLC's Resource Kit team. For more
# information or support for the Resource Kit, please utilize the following resources:
#
# http://list.jamfsoftware.com/mailman/listinfo/resourcekit
#
# http://www.jamfsoftware.com/support/resource-kit
#
# Please reference our SLA for information regarding support of this application:
#
# http://www.jamfsoftware.com/support/resource-kit-sla
#
####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
# 010 Submit User Info.sh -- Submits dscl info for the local user to the jss
#
# SYNOPSIS
#
# If the $accountType parameter is null, then the account is a local account & the position field
# in the JSS is populated with "Local Account"
#
# If the $accountType parameter is not null, then the account's dscl records are queried for
# submission to the JSS.
#
# DESCRIPTION
# This script will check to see if the account is a Directory supplied account, & if so will
# populate the Realname, Email, Position & Phone number from the logged-in user's local dscl record.
#
####################################################################################################
#
# HISTORY
#
# Version: 1
#
# - Created by Ben Toms, June 26th 2010
#
####################################################################################################
#
# DEFINE VARIABLES & READ IN PARAMETERS
#
####################################################################################################

# Owner of /dev/console is the logged-in user. cut -c 15-19 takes characters 15-19 of the
# "ls -l" line, so it assumes a fixed-width listing and a five-character short name.
loggedInUser=$(ls -l /dev/console | cut -c 15-19)

# OriginalNodeName is only present on directory-supplied accounts; empty means a local account.
accountType=$(dscl . -read "/Users/$loggedInUser" | grep -A 1 OriginalNodeName: | tail -1 | cut -c 2-)

if [ -z "$accountType" ]; then
    userPosition="Local Account"

    jamf recon -endUsername "$loggedInUser" -position "$userPosition"
else
    # Each value is on the line after its attribute name; tail/cut drop that name line and the leading space.
    userRealname=$(dscl . -read "/Users/$loggedInUser" | grep -A 1 dsAttrTypeNative:original_realname: | tail -1 | cut -c 2-)
    userEmail=$(dscl . -read "/Users/$loggedInUser" | grep EMailAddress | cut -c 15-)
    userPosition=$(dscl . -read "/Users/$loggedInUser" | grep -A 1 JobTitle: | tail -1 | cut -c 2-)
    userPhone=$(dscl . -read "/Users/$loggedInUser" | grep -A 1 PhoneNumber: | tail -1 | cut -c 2-)

    echo "Submitting dscl information for $loggedInUser..."
    jamf recon -endUsername "$loggedInUser" -realname "$userRealname" -email "$userEmail" -position "$userPosition" -phone "$userPhone"

fi

On 24/06/2010 14:23, "Thomas Larkin" <tlarki at kckps.org> wrote:

I use a login hook recon script that utilizes the dscl command to grab their short name and real name and then add them to the asset in inventory via recon. Otherwise, LDAP groups work fine for me in inventory.

tlarkin
Honored Contributor

I just verified one of my test scripts and it doesn't work for various reasons. First, dscl looks at the local Berkeley database by default. However, when a network/portable user logs in their information is quite different. The records and strings you want to grab are also displayed in a different fashion. I am looking at getting it to work but my code is starting to get a bit convoluted with a grep -A5 here, then an awk to get the string I want and then a grep -v at the end to get rid of the excess stuff I don't want.

I may have to look into the cut command, but I personally am not a fan of it for several reasons. Plus, you have to factor in how long names are. Since I have a high Hispanic user base there are tons of hyphenated last names. Which means lots and lots of characters.

Just log into a network account and then ssh into that same client and run some dscl queries; you will see that when dscl pulls info off the LDAPv3 Berkeley database instead of the local one, it pulls a lot more information.

-Tom


bentoms
Release Candidate Programs Tester

Well this has been working fine for us for a while now.. below are the guts of the script.. we run it at login on ALL managed computers.. we use Active Directory for all our network accounts

The cut commands are merely to remove the beginning of the returned strings, same as tail.

For example:

dscl . -read /Users/btoms | grep -A 1 dsAttrTypeNative:original_realname:

would return

dsAttrTypeNative:original_realname:
 Toms, Ben (Grey Communications Group - IT)

Instead if we do

dscl . -read /Users/btoms | grep -A 1 dsAttrTypeNative:original_realname: | tail -1 | cut -c 2-

it becomes:

Toms, Ben (Grey Communications Group - IT)

i.e. it’s removed the 1st line & the 1st character from the string, giving us the value we want.

So far this is working fine on English, French & Dutch Macs..

# HARDCODED VALUE FOR "loggedInUser" IS SET HERE
loggedInUser=""

# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 3 AND, IF SO, ASSIGN TO "loggedInUser"

if [ "$3" != "" ] && [ "$loggedInUser" = "" ]; then
    loggedInUser=$3
fi

####################################################################################################
#
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
####################################################################################################

# UniqueID of the account; IDs above 1000 are treated as network (directory) accounts.
accountType=$(dscl . -read "/Users/$loggedInUser" | grep UniqueID | cut -c 11-)

# An empty UniqueID is treated as 0, i.e. as a local account.
if [ "${accountType:-0}" -gt 1000 ]; then
    # Each value is on the line after its attribute name; tail/cut drop that name line and the leading space.
    userRealname=$(dscl . -read "/Users/$loggedInUser" | grep -A 1 dsAttrTypeNative:original_realname: | tail -1 | cut -c 2-)
    userEmail=$(dscl . -read "/Users/$loggedInUser" | grep EMailAddress | cut -c 15-)
    userPosition=$(dscl . -read "/Users/$loggedInUser" | grep -A 1 JobTitle: | tail -1 | cut -c 2-)
    userPhone=$(dscl . -read "/Users/$loggedInUser" | grep -A 1 PhoneNumber: | tail -1 | cut -c 2-)

    echo "Submitting information for network account $loggedInUser..."
    jamf recon -endUsername "$loggedInUser" -realname "$userRealname" -email "$userEmail" -position "$userPosition" -phone "$userPhone"

else
    echo "Submitting information for local account $loggedInUser..."
    userPosition="Local Account"
    jamf recon -endUsername "$loggedInUser" -position "$userPosition"
fi

Ben Toms
IT Support Analyst GREY Group
The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
T: +44 (0) 20-3037-3819 |
Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883
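
Added example (not part of any post in this thread, and not Jamf's code): one way to read the attributes discussed above without fixed-column cuts, handling both the "Key: value" and the "Key:" plus indented-next-line forms that the thread's grep/tail/cut pipelines rely on. The function names and the sample records are constructed for illustration; it runs on embedded text rather than calling dscl.

```shell
#!/bin/sh
# Added example: read attributes from `dscl . -read` text without fixed-column cuts.

# dscl_attr KEY: read dscl output on stdin, print the first value of KEY.
# Handles "KEY: value" on one line and "KEY:" followed by an indented value line.
dscl_attr() {
    awk -v key="$1:" '
        pending { if ($0 ~ /^ /) { sub(/^ /, ""); print } exit }
        index($0, key) == 1 {
            val = substr($0, length(key) + 1)
            sub(/^ /, "", val)
            if (val != "") { print val; exit }
            pending = 1          # value is expected on the next line
        }'
}

# account_kind: print "network" when UniqueID is above 1000 (the test used in
# this thread), otherwise "local". Missing or non-numeric IDs count as local.
account_kind() {
    uid=$(dscl_attr UniqueID)
    case $uid in ''|*[!0-9]*) uid=0 ;; esac
    if [ "$uid" -gt 1000 ]; then echo network; else echo local; fi
}

# Constructed sample records (not real directory data).
sample_network() {
    cat <<'EOF'
dsAttrTypeNative:original_realname:
 Lopez-Garcia, Maria-Elena (Example Group - IT)
EMailAddress: mlopezgarcia@example.com
JobTitle:
 Desktop Support Analyst
PhoneNumber:
 +1 555 0100
UniqueID: 1283746
EOF
}
sample_local() {
    printf 'RealName:\n Local Admin\nUniqueID: 501\n'
}

for k in dsAttrTypeNative:original_realname EMailAddress JobTitle PhoneNumber; do
    printf '%s = %s\n' "$k" "$(sample_network | dscl_attr "$k")"
done
printf 'network sample: %s\nlocal sample: %s\n' \
    "$(sample_network | account_kind)" "$(sample_local | account_kind)"
```

On a managed Mac the input would come from `dscl . -read "/Users/$loggedInUser"`, and the values would be passed to `jamf recon` in double quotes as in the scripts above.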

abenedict
New Contributor II

This is exactly what I am looking for as well. I can easily script in
pulling the LDAP ID, but I want the JSS to do all of the lookups on that ID
live so that the info is always current. I hope they can add that
functionality soon. In the meantime I am going to write a script that
populates all of that info at each login, plus it's good scripting practice
for me.
--
Alan Benedict
Macintosh Technician
The Integer Group
O: 515-247-2738
C: 515-770-8234
http://www.integer.com