Posted on 03-26-2012 12:26 AM
Good morning all!
My first post, so let me introduce myself: I'm Francois, I'm the administrator of 350+ Macs, 70+ servers, network, telephony… and a Casper Suite user for two years! It made my life much easier, I'm very happy about it. My company sells language studies, and owns 4 language schools. We have around 40 remote offices worldwide, adding a bit of complexity ;-) I live in Montreux in Switzerland. Everyone should experience the Montreux Jazz Festival some day!
So now, the IT stuff:
I'm setting up a new Open Directory server on 10.7.3 to replace my older 10.6.8 server.
This time, I would like to use SSL and authenticated bindings. It looks like it's not possible to use the built-in tools.
Is there a simple method to do this, or should I script a bit? I found the bindToLDAP.sh script in the Resource Kit, but there's no mention of any authentication.
FYI I checked these options on my ODM :
Any help would be very appreciated.
Thanks in advance,
Francois
Posted on 03-29-2012 11:06 PM
Ok so after a bit of research, I found I could simply use Casper Admin ;-)
But it doesn't work on 10.7. The script hangs and the computer never gets bound.
The reason is that dsconfigldap expects an answer, whether or not to trust the certificate (see below).
I did the trick of changing ldap.conf to add TLS_CACERT but it didn't work.
I also tried to create a postinstall script that would do:
dsconfigldap -vsemgx -a nestor.esl.lan << EOF
y
EOF
It works if I launch it from the CLI, but not inside a payload-free package.
I'm sure there's a way to do it cleanly… Any idea?
Posted on 03-30-2012 06:08 AM
It does work in a payload-free package, in postflight.
If you use luggage, check it out:
https://github.com/ftiff/ftiff-scripts/tree/master/luggage/Bind_to_Opendir_10.7
#!/bin/sh
# Script I use to bind a 10.7 client to Open Directory + SSL
# Use only on startup volume
# Define variables for path to executables
DSCONFIGLDAP="/usr/sbin/dsconfigldap"
# Define variables
ODM="nestor.esl.lan"
# Output variables
echo "We will bind to $ODM"
# Bind to the Open Directory Master (SSL, secure auth, signing, encryption, man-in-the-middle policy)
echo "$DSCONFIGLDAP -vsemgx -a $ODM"
# The heredoc answers "y" to the certificate trust prompt
"$DSCONFIGLDAP" -vsemgx -a "$ODM" << EOF
y
EOF
# done ! :)
Posted on 06-19-2015 02:45 PM
I've been trying to get this to work. It mostly does work, however I still see the prompt inside the logs:
Certificates will be automatically added to your system keychain in order to talk to this server. Would you like to continue (y/n)?
Even though the << EOF variable is set.
In spite of this it seems the certificate is set and the box is successfully bound as I am able to log in with directory accounts.
I'm testing this on a Mavericks box. Is there an update for above Lion?
Posted on 07-25-2015 04:51 PM
Add a -N to the end of the dsconfigldap command. This will assume 'y' when certificates are added.
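Putting the accepted script and the -N tip together, here is an added example (not the thread's own script) of a non-interactive SSL bind that skips the work when the node already exists, keeps the directory admin password out of the policy log, and verifies the node after binding. The ODM hostname and the DIRADMIN_USER/DIRADMIN_PASS variables are placeholders supplied through the environment.

```bash
#!/bin/bash
# Added example (not the thread's own script): non-interactive SSL bind to an Open Directory
# master with a skip-if-already-bound check, a redacted log line and post-bind verification.
# ODM and credentials are placeholders, supplied through the environment (e.g. by a Jamf policy).
set -u

DSCONFIGLDAP="/usr/sbin/dsconfigldap"
DSCL="/usr/bin/dscl"
ODM="${ODM:-odm.example.com}"        # placeholder hostname
DIRADMIN_USER="${DIRADMIN_USER:-}"   # optional directory admin for an authenticated bind
DIRADMIN_PASS="${DIRADMIN_PASS:-}"   # never hardcode it; it is visible in ps while dsconfigldap runs

# LDAPv3 nodes already configured on this Mac, one per line (wrapped so a test can stub it).
list_ldap_nodes() { "$DSCL" localhost -list /LDAPv3 2>/dev/null; }

# Succeeds when a node for $1 is already configured.
is_bound_to() { list_ldap_nodes | grep -qx -- "$1"; }

# Build the dsconfigldap argument list and pass it to command $1. -N answers the certificate
# prompt itself (what the heredoc "y" in the thread tried to do); -u/-p make the bind authenticated.
with_bind_args() {
  local cmd="$1" odm="$2" user="${3:-}" pass="${4:-}"
  set -- -v -s -e -m -g -x -N -a "$odm"
  [ -n "$user" ] && set -- "$@" -u "$user" -p "$pass"
  "$cmd" "$@"
}
print_lines() { printf '%s\n' "$@"; }
bind_args() { with_bind_args print_lines "$@"; }

# Arguments joined for logging with the value after -p masked: the thread's script echoes its
# full command line into the policy log, which with -p would record the password.
redacted_cmd() {
  bind_args "$@" | awk '{ l=$0; if (prev=="-p") l="[REDACTED]"
                          out=out (NR>1?" ":"") l; prev=$0 } END { print out }'
}

do_bind() {
  local rc
  if is_bound_to "$ODM"; then echo "Already bound to $ODM, nothing to do"; return 0; fi
  echo "Running: $DSCONFIGLDAP $(redacted_cmd "$ODM" "$DIRADMIN_USER" "$DIRADMIN_PASS")"
  with_bind_args "$DSCONFIGLDAP" "$ODM" "$DIRADMIN_USER" "$DIRADMIN_PASS"; rc=$?
  if [ "$rc" -ne 0 ]; then echo "dsconfigldap failed, exit code $rc" >&2; return "$rc"; fi
  # Do not trust the exit code alone: confirm the node now exists.
  is_bound_to "$ODM" || { echo "No LDAPv3 node for $ODM after binding" >&2; return 1; }
  echo "Bound to $ODM"
}

# Bind only when run as root on a Mac that actually has dsconfigldap; skipped elsewhere.
if [ "$(id -u)" -eq 0 ] && [ -x "$DSCONFIGLDAP" ]; then do_bind; fi
```

Set ODM (and optionally DIRADMIN_USER/DIRADMIN_PASS) in the policy's environment rather than in the script so the credentials never land in version control or the echoed command line.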
Posted on 04-05-2016 09:41 AM
I am trying on 10.10 machines where the server stopped responding. The built-in directory binding in Casper does not work!
I can manually join to the server using System Preferences, but need to do this remotely if possible. I am using Casper 9.82. Do I need to add parameters to the script (full script at the end)?
This is the result. Help!
[STEP 1 of 4]
Executing Policy CAWS - Air 11 - Directory Policy Script
[STEP 2 of 4]
Running script CAWS-SRV1 Directory Binding...
Script exit code: 78
Script result: We will bind to caws-srv1.caws.lan
/usr/sbin/dsconfigldap -vsemgx -a caws-srv1.caws.lan
Computer with the name 'caws-air-11' already exists
dsconfigldap verbose mode
Using suggested computer ID
Options selected by user:
Enforce Secure Authentication is enabled
SSL was chosen
Add server option selected
Server name provided as
Computer ID provided as
Local username determined to be
Enforce man-in-the-middle only policy if server supports it.
Adding new node to search policies
Enforce packet encryption policy if server supports it.
Enforce packet signing policy if server supports it.
Non-interactive.
Error running script: return code was 78.
[STEP 3 of 4]
[STEP 4 of 4]
The Script:
DSCONFIGLDAP="/usr/sbin/dsconfigldap"
ODM="caws-srv1.caws.lan"
echo "We will bind to $ODM"
echo "$DSCONFIGLDAP -vsemgx -a $ODM"
"$DSCONFIGLDAP" -vsemgx -a "$ODM" -N << EOF
y
EOF