Posted on 10-12-2011 01:19 PM
I am looking for a way to query my AD server so that I can populate the email address field during a Casper Inventory with the last user's email address. Our Macs stay with one user for the life of the machine for the most part…
I can only imagine that somebody else has done this in the past.
Ideas?
-- Kevin
Posted on 10-12-2011 01:39 PM
Dscl is your friend, will send you code tomorrow, tis pub time in London town
Posted on 10-12-2011 01:44 PM
Search the archives for the last month or so for an e-mail from me..
There's a script called 'submit user info.sh' I posted.
Regards,
Ben.
Posted on 10-12-2011 01:49 PM
as long as OS X directory services can read the email attribute it
should be as simple as grabbing it via a log in script and then running
a recon adding the email to the asset. I don't run AD so I am not sure
how dscl reads the AD schema
Posted on 10-12-2011 01:59 PM
From: Ben Toms <bentoms at btopenworld.com>
Date: 29 September 2011 13:48:36 GMT+01:00
To: "Anselmi, Carlo (MLN-IPG)" <carlo.anselmi at interpublic.com>, "Casper List(casper at list.jamfsoftware.com)" <casper at list.jamfsoftware.com>
Subject: Re: [Casper] LDAP lookups to populate "Location" in JSS
Reply-To: Ben Toms <bentoms at btopenworld.com>
Try this version.. works for me (but you may need to customise what dscl fields it uses to populate the data).. It's my Sept 2011 version... I've not posted it on my blog yet :)
#!/bin/bash
# bash rather than sh: the script relies on (( )) and [[ ]]
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
# a UniqueID above 1000 is treated as a network (AD) account, anything lower as local
accountType=$(dscl . -read /Users/"$loggedInUser" | grep UniqueID | cut -c 11-)
if (( "${accountType:-0}" > 1000 )); then
    # AD sometimes puts the value on the same line as the attribute name and sometimes
    # on the next line; each field is read the first way, with an awk range as fallback
    userRealname=$(dscl . -read /Users/"$loggedInUser" | awk '/^dsAttrTypeNative:original_realname:/,/^dsAttrTypeNative:original_shell:/' | head -2 | tail -1 | cut -c 2-)
    userEmail=$(dscl . -read /Users/"$loggedInUser" | grep EMailAddress: | cut -c 15-)
    userPosition=$(dscl . -read /Users/"$loggedInUser" | grep JobTitle: | cut -c 11-)
    if [[ -z $userPosition ]]; then
        userPosition=$(dscl . -read /Users/"$loggedInUser" | awk '/^JobTitle:/,/^JPEGPhoto:/' | head -2 | tail -1 | cut -c 2-)
    fi
    userPhone=$(dscl . -read /Users/"$loggedInUser" | grep -A 1 PhoneNumber: | tail -1 | cut -c 2-)
    userDepartment=$(dscl . -read /Users/"$loggedInUser" | grep "Company:" | cut -c 10-)
    if [[ -z $userDepartment ]]; then
        userDepartment=$(dscl . -read /Users/"$loggedInUser" | awk '/^Company:/,/^CopyTimestamp:/' | head -2 | tail -1 | cut -c 2-)
    fi
    # site-specific: for this one company the Department attribute is used instead
    if [[ $userDepartment == *entland* ]]; then
        userDepartment=$(dscl . -read /Users/"$loggedInUser" | grep "Department:" | cut -c 12-)
        if [[ -z $userDepartment ]]; then
            userDepartment=$(dscl . -read /Users/"$loggedInUser" | awk '/^Department:/,/^EMailAddress:/' | head -2 | tail -1 | cut -c 2-)
        fi
    fi
    echo "Submitting information for network account $loggedInUser..."
    jamf recon -endUsername "$loggedInUser" -realname "$userRealname" -email "$userEmail" -position "$userPosition" -phone "$userPhone" -department "$userDepartment"
else
    echo "Submitting information for local account $loggedInUser..."
    userPosition="Local Account"
    jamf recon -endUsername "$loggedInUser" -position "$userPosition"
fi
Regards,
Ben.
On 12 Oct 2011, at 21:49, "Thomas Larkin" <tlarki at kckps.org> wrote:
Posted on 10-12-2011 02:01 PM
It's in there somewhere :)
I run the below as a script once per day, the script then triggers a recon with the values found passed to recon.
YMMV as it depends on your AD setup.
Hope it helps.
Regards,
Ben.
Posted on 10-12-2011 02:06 PM
You should post that on the casper admin site script repository!
-Tom
Posted on 10-12-2011 02:30 PM
I would, but... I'd like to tidy the text manipulation a bit first.
AD only seems to create attributes in some cases where they have values.
& sometimes those values are on 1 line, others 2...
Regards,
Ben.
Posted on 10-12-2011 08:51 PM
This works for us to populate email addresses in a script.
--------------
# grab the current user and query AD for the email address
CurrentUser=$(ls -l /dev/console | awk '{ print $3 }')
email=$(dscl "/Active Directory/All Domains/" -read /Users/"$CurrentUser" | grep EMailAddress | awk '{ print $2 }')
Posted on 10-13-2011 11:07 AM
That works great. Even on our slow, old AD.
Is there a way to populate the JSS with this information? Running Recon is
the only way I know how to set the Location information.
Posted on 10-13-2011 01:33 PM
To actually make use of this in Casper, you will have to do more than just get the e-mail address. I'm assuming you are trying to populate Inventory > "SomeComputer" > Details > Location > "Email Address:"? If so I believe you will have to write to the database using the API. I'm not extremely familiar with this. Jamf may be of more assistance. However, since it grabs the e-mail address correctly, you can make this into an extension attribute.
Settings > Inventory Options > Inventory Collection Preferences > Extension Attributes > Add extension attribute. Change it to script and paste the following into the script field.
#!/bin/sh
# console owner; root means nobody is logged in at the login window
CurrentUser=$(ls -l /dev/console | awk '{ print $3 }')
if [ "$CurrentUser" = "root" ]; then
    echo "Running as root which means no logged in user. Exit now" 1>&2
    echo "<result>NA</result>"
    exit 1
else
    # look the console user up in AD and take the second field of "EMailAddress: user@domain"
    email=$(dscl "/Active Directory/All Domains/" -read /Users/"$CurrentUser" | grep EMailAddress | awk '{ print $2 }')
    echo "<result>$email</result>"
fi
exit 0
That should set the extension attribute to the e-mail address of the logged in user as long as it is not "root". If an AD user is logged in and the e-mail address is there it will return that. You can see/search the field by using the advanced inventory search.
Aaron
Posted on 10-13-2011 02:33 PM
Wow,
That's what you get for reading. I tested this and it works. Rather than use an extension attribute, this could be a login script or similar with the following command: jamf recon -email yourname at e-mail.com. I'd be curious to know if there's a way to recon just the options specified and not do a full recon. It takes a machine quite a while to do a full recon. Also note that the following has no sanity check. It would be smart to make sure the result fits the format of an e-mail address...
#!/bin/sh
CurrentUser=$(ls -l /dev/console | awk '{ print $3 }')
if [ "$CurrentUser" = "root" ]; then
    echo "Running as root which means no logged in user. Exit now" 1>&2
else
    # no format check on the value before it is submitted (see above)
    email=$(dscl "/Active Directory/All Domains/" -read /Users/"$CurrentUser" | grep EMailAddress | awk '{ print $2 }')
    jamf recon -email "$email"
fi
exit 0
Posted on 10-13-2011 10:07 PM
Back in v5 or 6 you could run a recon with just specified parameters.
Something like the below used to work:
recon -skipapps -skipplugins -emailaddress <some at email.fqdn>
But this behaviour has been 'corrected' & I've had a feature request since to have it reinvoked.
Regards,
Ben.
Posted on 10-14-2011 08:29 AM
Aaron, this script worked perfectly. THANK YOU!
Followup question:
While this script works on (most of) my machines, I have several (50-ish) that show up in inventory with a "Last User" of "Reboot". On these machines, of course the script fails because that is not a valid user account name and cannot be looked up in AD.
The machines have current users (with valid AD accounts), the Macs are current in inventory and are actively checking into the JSS every 15 minutes.
Has anyone else seen this behavior? What would cause the last user to be "reboot?"
Kevin
Posted on 10-14-2011 10:38 PM
Not sure why it wouldn't work. I would try running the ls and dscl commands directly on the machine and see what happens.
Posted on 10-17-2011 04:07 AM
John,
If one user generally stays with a machine then you shouldn't need to keep updating each machine, so you can just let AD add the details through the JSS. If you have AD configured successfully in the JSS, then adding a user to the 'Location' for the machine should successfully update any of the fields that the JSS is told to collect.
Have a look at
Settings > LDAP Server Connections > Edit > Mappings
and check that Email Address is mapped correctly for your AD. We actually don't want email address, so I map this to our Project field and then in
Settings > Inventory Options > Inventory Display Preferences > Location
I Custom Label the Email Address to Project. Of course, this is automated and doesn't allow for changes.
-------------
However, if you still wish to script it, then you can shave down the commands to make them more efficient. You say that your recon is taking ages, so if you have a lot of scripts trying to run for EA or otherwise, it is worth doing the following:
You don't need awk, just use stat instead to get the console user
stat -f%Su /dev/console
Directory Services can directly query any key. Eg.
dscl -q localhost read "/Active Directory/All Domains/Users/$CurrentUser" EMailAddress
Use cut not awk!
dscl -q localhost read "/Active Directory/All Domains/Users/$CurrentUser" EMailAddress | cut -d " " -f 2
You could also add another check. If user is root, then:
LastUser=$(defaults read /Library/Preferences/com.apple.loginwindow lastUserName)
The more pipes you use and the more instances of awk and grep you are running, the slower the scripts will run. Although we have all got used to very powerful machines where it doesn't seem to matter how lazy we can be with these 'little' scripts, the more instances of these that you are trying to run at the same time, the more the impact will actually start to show.
So something like:
#!/bin/bash
# owner of the console device: root when nobody is logged in
currentUser=$(stat -f%Su /dev/console)
if [[ "$currentUser" == "root" ]]
then
    # fall back to the last account the login window recorded
    lastUser=$(defaults read /Library/Preferences/com.apple.loginwindow lastUserName 2>/dev/null)
    if [[ "$lastUser" != "" ]]
    then
        eMail=$(dscl -q localhost read "/Active Directory/All Domains/Users/$lastUser" EMailAddress | cut -d " " -f 2)
    else
        logger -t "$0" "Running as root which means no logged in user. Unable to update email address"
    fi
else
    eMail=$(dscl -q localhost read "/Active Directory/All Domains/Users/$currentUser" EMailAddress | cut -d " " -f 2)
fi
# submit whichever lookup produced a value; skip the recon when neither did
if [[ -n "$eMail" ]]
then
    jamf recon -email "$eMail"
fi
exit 0
Of course, this script is currently assuming that the user is an AD user and not a local user. Ideally there should be a section to allow for this.
As Thomas mentioned, the jamf recon will allow you to populate these fields, but I am unaware (glad to hear if someone does know if this is possible) of a way to get the JSS to redo a query on a user, without logging into the web page, edit the location of the machine and hit the search button.
In an ideal world, the process would be something like:
jamf recon -endUsername sholden -query
Then you wouldn't need to be grabbing all of the different fields, ldap could do it for you.
Sean
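Two gaps come up in this thread: John's point that the value dscl returns gets no sanity check before it reaches "jamf recon -email", and Sean's point that the scripts assume an AD user rather than a local one. The script below is an added example written for this page, not code from the thread, from Ben, Aaron or Sean, or from Jamf. It assumes the AD attribute is really named EMailAddress, reuses Ben's heuristic that a UniqueID below 1000 marks a local account, and takes the dscl record as a string so the decision logic can be exercised with constructed sample records instead of a live directory; the sample records are made up for the example.

```shell
#!/bin/bash
# Added example (editor's, not code from the thread or from Jamf). It covers
# two gaps raised above: John's note that the dscl result gets no sanity
# check before it reaches "jamf recon -email", and Sean's note that the
# scripts assume an AD user rather than a local one.
#
# Assumptions, none of them from the page: the AD attribute is really named
# EMailAddress; a UniqueID below 1000 means a local account (Ben's heuristic
# above); the record is the text "dscl ... -read /Users/<name>" prints, fed
# in as a string so the logic can be exercised here with constructed samples
# instead of a live directory.

# Print the value of one single-line "Key: value" attribute from a dscl record on stdin.
attr() {
    awk -v key="$1" -F': ' '$1 == key { print $2; exit }'
}

# 0 if $1 is one plausible address: no whitespace, one @, a dotted domain.
# Anything else is refused rather than stored as the machine's e-mail field.
is_email() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# Classify the record on stdin as local, network or unknown from its UniqueID.
account_kind() {
    local uid
    uid=$(attr UniqueID)
    case "$uid" in
        ''|*[!0-9]*) echo unknown ;;
        *) [ "$uid" -lt 1000 ] && echo local || echo network ;;
    esac
}

# Turn a record ($1) into the arguments for "jamf recon", one per line.
# Local accounts get the "Local Account" position as in Ben's script; network
# accounts get their address only if it passes is_email. Returns 1 when there
# is nothing safe to submit.
recon_args() {
    local record="$1" user email
    user=$(printf '%s\n' "$record" | attr RecordName)
    [ -n "$user" ] || return 1
    case "$(printf '%s\n' "$record" | account_kind)" in
        local)
            printf '%s\n' -endUsername "$user" -position "Local Account" ;;
        network)
            email=$(printf '%s\n' "$record" | attr EMailAddress)
            is_email "$email" || return 1
            printf '%s\n' -endUsername "$user" -email "$email" ;;
        *)
            return 1 ;;
    esac
}

# Constructed sample records; not real dscl output.
SAMPLE_AD='RecordName: jdoe
EMailAddress: jdoe@corp.example.com
UniqueID: 1234567'
SAMPLE_LOCAL='RecordName: admin
UniqueID: 501'
SAMPLE_MALFORMED='RecordName: mallory
EMailAddress: mallory@corp.example.com extra junk
UniqueID: 1234568'
SAMPLE_NOMAIL='RecordName: reboot
UniqueID: 1234569'

# On a Mac, as root, the live equivalent of the loop below would be:
#   record=$(dscl "/Active Directory/All Domains" -read "/Users/$user")
#   args=(); while IFS= read -r a; do args+=("$a"); done < <(recon_args "$record")
#   [ "${#args[@]}" -gt 0 ] && jamf recon "${args[@]}"
for record in "$SAMPLE_AD" "$SAMPLE_LOCAL" "$SAMPLE_MALFORMED" "$SAMPLE_NOMAIL"; do
    name=$(printf '%s\n' "$record" | attr RecordName)
    if args=$(recon_args "$record"); then
        printf '%s: jamf recon %s\n' "$name" "$(printf '%s\n' "$args" | paste -s -d ' ' -)"
    else
        printf '%s: nothing safe to submit\n' "$name"
    fi
done
```

The malformed sample and the "reboot" record from Kevin's follow-up both end in the "nothing safe to submit" branch, so the recon is skipped instead of writing junk into the Location fields. Note that attr only reads attributes whose value sits on the same line as the name; Ben observed above that AD sometimes puts the value on the following line, and a record in that shape would need the awk-range fallback his script uses.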
--missing content--
The following options allow you to specify inventory information for the computer:
-assetTag The Asset Tag of the computer
-endUsername The username of the primary user
-realname The Real Name of the primary user
-email The email address of the primary user
-position The Position (Job Title) of the primary user
-building The text representation of a Building in the JSS
-department The text representation of a Department in the JSS
-phone The Phone number of the primary user
-room The Room that the computer is in
-ldapServerID The JSS ID of the LDAP Server that the user belongs to
-userID The User ID of the account in the LDAP Server
You can just use recon with the -email switch to add the email address to that asset in inventory
Posted on 10-19-2011 10:18 AM
For anyone else who may be interested, I already have a feature request with Jamf for the ability to use the jamf recon to tell the JSS to query the username and repopulate the Location details; email, phone, etc.
FR-0975
eg.
jamf recon -endUsername sholden -query
If you feel it would be useful then please jump on the bandwagon.
Sean