Change attribute in AD via script

ocla__09
Contributor

We are in the process of piloting a new IM solution for the company, and part of that involves changing an attribute in AD, namely the one that lists the user's SIP address (msRTCSIP-PrimaryUserAddress).

I have been able to successfully read this value from AD:

dscl "/Active Directory/MYDOMAIN/All Domains" read /Users/USERNAME dsAttrTypeNative:msRTCSIP-PrimaryUserAddress

However, I am running into difficulties writing the new sip address value:

dscl "/Active Directory/DOMAIN/All Domains" create /Users/USER dsAttrTypeNative:msRTCSIP-PrimaryUserAddress "NEWSIPADDRESS" -u "SERVICEACCOUNT" -P "PASSWORD"
<main> attribute status: eDSPermissionError
<dscl_cmd> DS Error: -14120 (eDSPermissionError)

The aim is to be able to run this script in concert with the new IM app install.

Is there something clearly wrong with the command (I have not done a lot of writing to AD from Terminal), or should I be looking deeper into the rights for that service account?


mm2270
Legendary Contributor III

I'm really not certain, but I think you may need to drop the dsAttrTypeNative from the lines. I was able to run this against my account and got my SIP address back in the results.

dscl "/Active Directory/MYDOMAIN/All Domains" read /Users/USERNAME msRTCSIP-PrimaryUserAddress

Maybe try doing the update in the same way, using just msRTCSIP-PrimaryUserAddress? I'm not willing to test this on my own AD record, so you'll need to try it out.

davidacland
Honored Contributor II

Have you tried change instead of create? -change record_path key old_val new_val

I think create assumes a new attribute is being added.

mm2270
Legendary Contributor III

Ooh, good point @davidacland! I didn't even think of that, but you're right. You need to use -change to update an existing entry. -create should only be for creating a new entry in the record.

ocla__09
Contributor

I think part of the problem was that the service account credentials needed to be in front rather than at the end of the script.

Changing that allowed me to change the sip address.

davidacland
Honored Contributor II

@ocla__09 Out of interest, what was the full command in the end?

ocla__09
Contributor

dscl -u serviceaccount -P password "/Active Directory/domain/All Domains" -change /Users/username msRTCSIP-PrimaryUserAddress sip:oldaddress sip:newaddress
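The working command above puts -u/-P before the node path, which matters because dscl only parses its global options ahead of the datasource; anything after the path is read as part of the dscl command itself, so the original "create ... -u ... -P" form was effectively run unauthenticated and failed with eDSPermissionError. The following wrapper script is an added example, not code from the thread or from Jamf: it reads the current value, skips the write if it is already correct, uses -change when the attribute exists and -create when it does not, and prompts for the service-account password with -p instead of passing it on the command line. The node path, account names and the sample read output are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): set a user's msRTCSIP-PrimaryUserAddress
# in AD with dscl. Global options (-u, -p/-P) must come BEFORE the datasource
# path; options placed after it are treated as part of the command, which is
# what produced eDSPermissionError in the original "create ... -u ... -P" form.
# NODE, the service account and the sample read output are placeholders.

NODE="/Active Directory/MYDOMAIN/All Domains"   # placeholder AD node
ATTR="msRTCSIP-PrimaryUserAddress"
DSCL="${DSCL:-dscl}"   # override with a stub or "echo dscl" for a dry run

# Pull the attribute value out of 'dscl ... read' output, which looks like:
#   msRTCSIP-PrimaryUserAddress: sip:user@example.com
# Prints nothing when the attribute is absent from the record.
parse_attr_value() {   # $1 = raw read output, $2 = attribute name
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

current_sip() {        # $1 = username; reads need no write rights on the node
    parse_attr_value "$("$DSCL" "$NODE" read "/Users/$1" "$ATTR" 2>/dev/null)" "$ATTR"
}

# Set the SIP address. -change requires the old value and fails if the
# attribute is absent, so fall back to -create in that case, and do nothing
# when the value is already correct. -p prompts for the service-account
# password so it never appears in argv (ps output) or shell history; swap in
# -P only for a run that must be unattended.
set_sip() {            # $1 = username, $2 = new sip address, $3 = service account
    user="$1"; new="$2"; svc="$3"
    case "$new" in
        sip:*) ;;
        *) echo "refusing: '$new' is not a sip: URI" >&2; return 2 ;;
    esac
    old="$(current_sip "$user")"
    if [ "$old" = "$new" ]; then
        echo "unchanged"
        return 0
    fi
    if [ -z "$old" ]; then
        "$DSCL" -u "$svc" -p "$NODE" -create "/Users/$user" "$ATTR" "$new"
    else
        "$DSCL" -u "$svc" -p "$NODE" -change "/Users/$user" "$ATTR" "$old" "$new"
    fi
}

# Usage (interactive; prompts once for the service-account password):
#   set_sip USERNAME sip:newaddress SERVICEACCOUNT
```

The service account only needs write permission on msRTCSIP-PrimaryUserAddress for the target users; if a -change still returns eDSPermissionError with the options in front, that attribute-level right on the AD side is the next thing to check.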

davidacland
Honored Contributor II

Thanks

ocla__09
Contributor

No problem.