Question

Deploy LDAP settings to all Macs



Hi All

I'm trying to find a way to deploy our LDAP settings via the JSS to all our users' Macs, so that users can find our LDAP account under Internet Accounts on their Mac, as in the attached picture below.

14 replies

jvanosten
  • New Contributor
  • 4 replies
  • July 24, 2015

I haven't tested this, but I believe you could set up the LDAP payload in a Mobile Devices configuration profile. If you go to Mobile Devices -> Configuration Profiles and create a new one, you should see LDAP as an option. Configure all your settings there and then download the configuration profile. Now go back to the Computers configuration profiles section and import the profile you just created. That should be able to deploy the LDAP settings to your Macs. For whatever reason, certain payload options (Mail, Contacts, Calendars, LDAP) that apply to both iOS and OS X can only be set in a Mobile Device configuration profile, which just means you have to create the profile under the mobile device section and then import it into the computer configuration profiles section. This may be obvious, but make sure that when you import the configuration profile for LDAP into the computers profile section it is set to apply to Users and not the computer. I don't believe the profile will work if it's set for computer. Hope this helps.


  • Author
  • Contributor
  • 68 replies
  • July 26, 2015

Thanks @jvanosten. When you said "it is set to apply to Users and not the computer", I checked under both Mobile Device and Computer configuration profiles; there is no way to define users there, only Computer or Mobile Device is available.

Could you tell me more about that setting?

I saw there is a Directory payload under Computer configuration profiles, but I tried to configure it and the deployment failed. No idea why.


davidacland
  • Valued Contributor
  • 1811 replies
  • July 26, 2015

From the screenshot it looks like you want to add the LDAP server to Mac OS X. If that's the case, a mobile device config profile wouldn't work.

The setting is stored in ~/Library/Preferences/com.apple.AddressBook.plist, so you could set it with a custom config profile or a login script.


  • Author
  • Contributor
  • 68 replies
  • July 26, 2015

Thanks @davidacland. The preference .plist is under my account folder; if it's deployed, will all my info be copied to the others?

Do you have any advice on a login script?


davidacland
  • Valued Contributor
  • 1811 replies
  • July 26, 2015

I would recommend trying a configuration profile with the "Once" setting first, as that's the most Apple-approved method. The high-level steps are:

  1. Copy the plist to your desktop and convert it to XML with plutil -convert xml1 /path/to/file
  2. Open it in a text editor and delete any of the keys you don't want included in the profile
  3. Use mcxToProfile (available on GitHub) to convert the plist to a configuration profile, specifically using the --manage Once option
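
The three steps above, carried through as an added worked example. This is not code from the thread and not mcxToProfile itself; it builds the same kind of payload (a com.apple.ManagedClient.preferences payload with a "Set-Once" list, or "Forced" for an always-managed value) that the plist-to-profile conversion produces. The sample plist and its key names are constructed for the illustration and are not the real com.apple.AddressBook keys; the list of credential-like key fragments is an assumption you should extend to whatever you find in your own converted plist.

```python
"""
Added illustration: turn a user's preference plist into a user-level
"Set-Once" custom-settings profile, keeping only the keys you choose and
refusing any that look like credentials.  Not mcxToProfile's code; the
payload layout is the MCX-in-profile format such tools emit.
"""
import plistlib
import uuid
from datetime import datetime, timezone

# Constructed sample standing in for the converted com.apple.AddressBook.plist.
# The key names are made up for this example, not the real AddressBook keys.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ExampleLDAPServers</key>
  <array>
    <dict>
      <key>host</key><string>ldap.example.com</string>
      <key>port</key><integer>636</integer>
      <key>searchBase</key><string>dc=example,dc=com</string>
      <key>useSSL</key><true/>
    </dict>
  </array>
  <key>ExampleLDAPAccountPassword</key>
  <string>hunter2</string>
  <key>ExampleWindowFrame</key>
  <string>100,100,800,600</string>
</dict>
</plist>
"""

# Key-name fragments treated as per-user secret material that must not ride
# along in a profile pushed to every scoped Mac (assumed list; extend it).
SENSITIVE_FRAGMENTS = ("password", "secret", "token", "credential")


def prune(settings, keep):
    """Step 2: keep only the listed top-level keys, refusing credential-like ones."""
    kept = {}
    for key in keep:
        if key not in settings:
            raise KeyError(f"{key!r} is not in the source plist")
        if any(frag in key.lower() for frag in SENSITIVE_FRAGMENTS):
            raise ValueError(f"refusing to put credential-like key {key!r} in a profile")
        kept[key] = settings[key]
    return kept


def build_profile(domain, settings, identifier, display_name, manage="Once"):
    """Step 3: wrap settings for preference domain `domain` in a user-level profile.
    manage="Once" seeds the value but lets the user change it afterwards;
    manage="Always" forces (locks) it."""
    if manage == "Once":
        mcx = {"Set-Once": [{
            "mcx_preference_settings": settings,
            # naive UTC timestamp: plistlib's XML writer wants a plain datetime
            "mcx_data_timestamp": datetime.now(timezone.utc).replace(tzinfo=None),
        }]}
    elif manage == "Always":
        mcx = {"Forced": [{"mcx_preference_settings": settings}]}
    else:
        raise ValueError("manage must be 'Once' or 'Always'")
    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.{domain}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadEnabled": True,
        "PayloadContent": {domain: mcx},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadScope": "User",  # user level, as the rest of the thread requires
        "PayloadContent": [payload],
    }


def profile_from_plist(plist_bytes, keep, identifier, display_name, manage="Once"):
    """Steps 1-3 in one call.  plistlib reads binary and XML plists alike, so
    step 1's `plutil -convert xml1` is only needed for reading the file yourself."""
    settings = prune(plistlib.loads(plist_bytes), keep)
    return build_profile("com.apple.AddressBook", settings, identifier, display_name, manage)


def to_mobileconfig(profile):
    """Serialise the profile dict to the XML bytes you upload as a .mobileconfig."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    prof = profile_from_plist(SAMPLE_PLIST, ["ExampleLDAPServers"],
                              "com.example.addressbook-ldap", "Contacts LDAP server")
    print(to_mobileconfig(prof).decode())
```

Two points worth keeping in mind when you use something like this. A Set-Once payload only seeds the preference, so a user can still edit or remove the server afterwards; use "Always" if that is not acceptable. And because the .mobileconfig is delivered as-is to every scoped Mac, any key left in the plist goes to every user, which is exactly the "will my info be copied" concern raised in the thread: prune() answers it by requiring an explicit allow-list and rejecting password-like keys outright instead of shipping them.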

  • Author
  • Contributor
  • 68 replies
  • July 27, 2015

@davidacland Thanks, it does distribute the LDAP settings this way, but the account password is missing for some reason. Do you know how to add the password in this part?


davidacland
  • Valued Contributor
  • 1811 replies
  • July 27, 2015

I would imagine it's a keychain item in that case, which you can add using the security command line tool. I think there are a few threads about it already if you search on here.


  • Author
  • Contributor
  • 68 replies
  • July 27, 2015

@davidacland Hmmm, it seems the password here is not stored in the keychain.


  • Author
  • Contributor
  • 68 replies
  • July 28, 2015

@davidacland Hi, I've been struggling the whole day to find the related thread and get the missing password back, but no luck. Could you give me a hint about it? It's kind of urgent in this case.


jvanosten
  • New Contributor
  • 4 replies
  • July 28, 2015

@Dalmatian I just want to confirm that using the method I described above does in fact work on my machines. I'm using Casper 9.73 and a Mac running 10.10.4. What I am doing is creating an LDAP configuration profile under the Mobile devices section. Once it has the settings I need, I save it and download it. I then go to Computers Configuration Profiles and import that mobileconfig profile. You need to set the "Level at which to apply the profile" setting to User Level. Save the config profile without a scope set. Go back into edit mode and click the lock in the upper section of the screen to remove the signature for the profile. Now edit the scope and save. This resigns the config profile and allows it to work with computers. I have verified that the password does come over into keychain and it adds the account to the internet accounts pane. I am also able to perform lookups in mail and contacts.


  • Author
  • Contributor
  • 68 replies
  • July 28, 2015

Thanks @jvanosten. "Go back into edit mode and click the lock in the upper section of the screen to remove the signature for the profile." Does the lock mean the SCEP part? On my side it's not configured; in the whole profile only General and Custom Settings are configured, so I have nothing to remove. After I added my Mac to the scope, the profile push didn't succeed:

Name        Logs   Completed   Remaining   Failed   Scope
ldap_test   View   0           N/A         0        1 computer


jvanosten
  • New Contributor
  • 4 replies
  • July 28, 2015

Let's actually take a step back. It looks like now, in 9.73, if you create a new Computer configuration profile and select User Level for "Level at which to apply the profile", the page refreshes and shows LDAP as a configuration option. So simply create a new config profile under Computers and choose User Level. Wait for the page to refresh and then you should see LDAP as a setting to choose from. Fill out the LDAP section and scope the profile. One extra thing to note about user-level config profiles is that they only apply to MDM-enabled users. So if you look at the test machine you have the profile scoped to, you should see an "MDM Capable Users" section under General in the inventory. If you don't have any MDM-capable users, the profile will not install. If this is the case, log in as a user on that computer and run sudo jamf mdm -userLevelMdm. This will make that user MDM capable on that computer.


bentoms
  • Legendary Contributor
  • 4331 replies
  • August 9, 2015

@Dalmatian Other than what @jvanosten has advised, have you looked at the dsconfigldap command?



Hello!

I am having a problem deploying my LDAP settings on Mac computers running OS X 10.11. The server information is no longer stored in the user-level ~/Library/Preferences/com.apple.AddressBook.plist file. I have determined that it is still user-specific, but I am unsure which plist file now stores this information.

Does anyone have any ideas? Thanks!



