deploy ldap setting to all Mac

Dalmatian
Contributor

Hi All

I'm trying to find a way to deploy our LDAP setting via the JSS to all our users' Macs, so that users can find our LDAP account in Internet Accounts on their Mac, like the attached screenshot.


jvanosten
New Contributor II

I haven't tested this but I believe you could set up the LDAP payload in a Mobile Devices configuration profile. If you go to Mobile Devices -> Configuration Profiles and create a new one, you should see LDAP as an option. Configure all your settings there and then download the configuration profile. Now go back to the Computers configuration profiles section and import the profile you just created. That should be able to deploy the LDAP settings to your Macs. For whatever reason, certain payload options (Mail, Contacts, Calendars, LDAP) that apply to both iOS and OS X can only be set in a Mobile Device configuration profile, which just means you have to create the profile under the mobile device section and then import it into the computer configuration profiles section. This may be obvious, but make sure when you import the configuration profile for LDAP into the computers profile section that it is set to apply to Users and not the computer. I don't believe the profile will work if it's set for computer. Hope this helps.

Dalmatian
Contributor

Thanks @jvanosten. When you said "it is set to apply to Users and not the computer", I checked under both the Mobile Device and Computer configuration profiles; there is no way to define users, only Computer or Mobile Device are available.

Could you let me know more about the setting?

I saw there is a Directory payload under the Computer configuration profile, but I tried to configure it and the deployment failed. No idea why.

davidacland
Honored Contributor II

From the screenshot it looks like you want to add the LDAP server to Mac OS X. If that's the case, a mobile device config profile wouldn't work.

The setting is stored in ~/Library/Preferences/com.apple.AddressBook.plist so you could set it with a custom conf profile or a logon script.

Dalmatian
Contributor

Thanks @davidacland. The preference .plist is under my account folder; if it's deployed, will all my info be copied to others?

Do you have any advice on a logon script?

davidacland
Honored Contributor II

I would recommend trying a configuration profile on the "once" setting first as that's the most Apple approved method. The high level steps are:

  1. Copy the plist to your desktop and convert it to XML with plutil -convert xml1 /path/to/file
  2. Open it in a text editor and delete any of the keys you don't want included in the profile
  3. Use mcxtoprofile (available on github) to convert the plist to a configuration profile, specifically using the --manage Once option
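The three steps above, done programmatically so that only an explicit allow-list of keys leaves the admin's own preferences file (this is an added example, not mcxtoprofile, Jamf or Apple code; it mirrors the "Set-Once" payload layout mcxtoprofile emits for --manage Once, which is an assumption, and the sample plist keys are constructed stand-ins, not the real AddressBook schema):

```python
import plistlib
import uuid
from datetime import datetime, timezone

# Constructed stand-in for the XML produced by step 1 (plutil -convert xml1).
# Key names are illustrative; the real AddressBook schema is not reproduced.
SAMPLE_PREFS = plistlib.dumps({
    "ABLDAPServers": {"ldap.example.com": {
        "host": "ldap.example.com", "port": 389,
        "searchBase": "dc=example,dc=com"}},
    "ABMeCard": "uid-of-the-admin-who-exported-this",      # personal: must not ship
    "NSWindow Frame MainWindow": "0 0 800 600 0 0 1440 877",  # UI noise
})

def filter_keys(prefs, keep):
    """Step 2 done programmatically: keep only keys on the allow-list."""
    return {k: v for k, v in prefs.items() if k in keep}

def build_once_profile(prefs_xml, domain, keep):
    """Step 3: wrap the filtered settings in a com.apple.ManagedClient.preferences
    payload under 'Set-Once' (assumed to match mcxtoprofile --manage Once)."""
    settings = filter_keys(plistlib.loads(prefs_xml), keep)
    if not settings:
        raise ValueError("no allowed keys found; refusing to build an empty profile")
    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadIdentifier": f"{domain}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": {domain: {"Set-Once": [{
            "mcx_preference_settings": settings,
            "mcx_data_timestamp": datetime.now(timezone.utc),
        }]}},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "User",   # user-level profile, as the thread requires
        "PayloadIdentifier": domain,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"{domain} (Set-Once)",
        "PayloadContent": [payload],
    }

def profile_bytes(prefs_xml, domain, keep):
    """Serialised .mobileconfig, ready to upload to the JSS as a custom profile."""
    return plistlib.dumps(build_once_profile(prefs_xml, domain, keep))

if __name__ == "__main__":
    print(profile_bytes(SAMPLE_PREFS, "com.apple.AddressBook", {"ABLDAPServers"}).decode())
```

Diff the generated file against what mcxtoprofile produces from the same plist before relying on it; the allow-list is what keeps the exporting admin's personal keys out of every user's profile.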

Dalmatian
Contributor

@davidacland Thanks, it does distribute the LDAP setting this way, but the account password is missing for some reason. Do you know how to add the password in this part?

davidacland
Honored Contributor II

I would imagine it's a keychain item in that case which you can add in using the security command line tool. I think there are a few threads about it already if you search on here.

Dalmatian
Contributor

@davidacland Hmmm, it seems the password here is not stored in the keychain.

Dalmatian
Contributor

@davidacland Hi, I've been struggling the whole day finding the related thread and getting the missing password back, but no luck. Could you give me a hint about it? It's kind of urgent for this case.

jvanosten
New Contributor II

@Dalmatian I just want to confirm that using the method I described above does in fact work on my machines. I'm using Casper 9.73 and a Mac running 10.10.4. What I am doing is creating an LDAP configuration profile under the Mobile devices section. Once it has the settings I need, I save it and download it. I then go to Computers Configuration Profiles and import that mobileconfig profile. You need to set the "Level at which to apply the profile" setting to User Level. Save the config profile without a scope set. Go back into edit mode and click the lock in the upper section of the screen to remove the signature for the profile. Now edit the scope and save. This resigns the config profile and allows it to work with computers. I have verified that the password does come over into keychain and it adds the account to the internet accounts pane. I am also able to perform lookups in mail and contacts.

Dalmatian
Contributor

Thanks @jvanosten. "Go back into edit mode and click the lock in the upper section of the screen to remove the signature for the profile." Does the lock mean the SCEP part? On my side it's not configured; in the whole profile only General and Custom Settings are configured, so I have nothing to remove. After I added my Mac to the scope, the profile push didn't succeed:

Name       Logs   Completed   Remaining   Failed   Scope
ldap_test  View   0           N/A         0        1 computer

jvanosten
New Contributor II

Let's actually take a step back. Looks like now in 9.73 if you create a new Computer configuration profile and select User Level for the Level at which to provide the page refreshes and shows LDAP as a configuration option. So simply create a new config profile under computers and choose user level. Wait for the page to refresh and then you should see LDAP as a setting to choose from. Fill out the LDAP section and scope the profile. One extra thing to note about user level config profiles is that they only apply to MDM enabled users. So if you were to look at the test machine you have the profile scoped for you should see an MDM capable users section under General Inventory. If you don't have any MDM capable users then the profile will not install. If this is the case, login as a user on that computer and run sudo jamf mdm -userLevelMdm. This will make that user MDM capable on that computer.

bentoms
Release Candidate Programs Tester

@Dalmatian Other than what @jvanosten has advised, have you looked at the dsconfigldap command?

tomgideon2003
Contributor

Hello!

I am having a problem deploying my LDAP settings on Mac computers running 10.11 OS. The server information is no longer stored in the user level ~/Library/Preferences/com.apple.AddressBook.plist file. I have determined that it is user level specific still but I am unsure on which PLIST file now stores this information.

Does anyone have any ideas? Thanks!