Reading Directory Attributes

jafuller
Contributor

Using "dscl" to read a multi-value attribute is causing me some trouble.

I'd like to be able to read "dsAttrTypeNative:otherLoginWorkstations" but due to the multi-value capability, I haven't been successful in doing so.

Example:

dscl "/Active Directory/STARBUCKS/All Domains" -read /Users/<userID> dsAttrTypeNative:otherLoginWorkstations

Any thoughts on this one?

rockpapergoat
Contributor III

what's your problem doing this -- are you trying to parse the output or something? reading multi-value attributes should work fine.

mm2270
Legendary Contributor III

I don't even see an attribute with that name in our AD environment. Can you post what the output looks like? It should be possible to get what you need from it.

jafuller
Contributor

The more I dig into this, the deeper it gets. This attribute, while it exists in the "Attribute Editor" tab in Active Directory Users and Computers on a Windows 7 computer, doesn't show when reading a user object's attributes out to a TXT file.

Are there other types for dsAttrTypeNative (like dsAttrTypeExtended, etc)?

I've never used the "dscl" command, so I'm reading up on all I can at this point.

talkingmoose
Moderator

I don't see this attribute as well when I use dscl against our Active Directory system.

Here are a few quick tips for dscl. This is how I learned to browse and find things.

You can use dscl interactively or as part of a command. To use it interactively, type dscl into a Terminal window. You'll be given a "> " prompt.

**dscl**
 >

You can use the ls (list) command to begin browsing the hierarchy:

**> ls**
*Active Directory
BSD
Local
Contact
Search*

You can use the cd (change directory) command to dive into any of the items you see displayed:

**> cd Active Directory/**
*/Active Directory >*

Keep using ls and cd to list contents in the current location and change to any of those items. Eventually, you'll probably want to dive into the Users area in Active Directory:

10.6 and earlier

*/Active Directory/All Domains/Users >*

10.7 and later

*/Active Directory/DOMAIN/All Domains/Users >*

This is where you'll find user records:

**/Active Directory/All Domains/Users > ls**
*aalia
abeauli
acarrol
acobery
acolon
acrosby
... and more AD user accounts*

If you know the specific user account then use the read command to get information about it:

**/Active Directory/All Domains/Users > read jcool**
*dsAttrTypeNative:accountExpires: 0
dsAttrTypeNative:ADDomain: talkingmoose.pvt
dsAttrTypeNative:adminCount: 0
dsAttrTypeNative:badPasswordTime: 129816807969396730
dsAttrTypeNative:badPwdCount: 0
dsAttrTypeNative:cn:
 Cool, Joe
... and loads more about this user*

You'll see items in the form of "attribute: value" with a space between the items. If you know the specific attribute you want to see for a user then add it to the end of your read statement:

**/Active Directory/All Domains/Users > read jcool FirstName**
*FirstName: Joe*

If you're looking for something specific that you can call in a script then I suggest using dscl as a command rather than interactively. In your script you'd write:

**dscl "/Active Directory/All Domains" -read /Users/jcool FirstName**
*FirstName: Joe*

Use awk to trim off what you don't need:

**dscl "/Active Directory/All Domains" -read /Users/jcool FirstName | awk 'BEGIN {FS=": "} {print $2}'**
*Joe*

To answer your question about seeing "dsAttrTypeNative":

dscl "/Active Directory/All Domains" -read /Users/jcool | grep dsAttrTypeNative

I see plenty of this type of attribute.

dscl "/Active Directory/All Domains" -read /Users/jcool | grep dsAttrTypeExtended

I don't get anything for this. Are you sure this is a user attribute and not something like a domain or computer attribute?
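The read output described above has two shapes: a plain single value prints as "attribute: value" on one line, while a multi-value attribute (or a value containing spaces, like the cn example) prints the attribute name alone and then one value per line, each indented by a single space. The awk one-liner in the post only handles the first shape. The following is an added example, not code from the thread, that handles both shapes and also reports the case where the attribute is not set on the record at all (which produces no output from dscl, so a caller gets an empty string). The sample output is constructed to imitate a dscl read; the otherLoginWorkstations values in it are made up.

```shell
#!/bin/sh
# dscl_values ATTRIBUTE
# Reads "dscl ... -read" output on stdin and prints one value per line for
# ATTRIBUTE. Handles both output shapes:
#   attr: value          (single value on one line)
#   attr:                (multi-value, or value with spaces)
#    value one
#    value two
# Exits 1 when the attribute does not appear at all, so a script can tell
# "attribute empty or missing" apart from a genuinely empty value list.
dscl_values() {
    attr="$1"
    awk -v attr="$attr" '
        # Single value form: "attr: value". index() is a literal match, so
        # attribute names containing ":" (dsAttrTypeNative:cn) are safe.
        index($0, attr ": ") == 1 { print substr($0, length(attr) + 3); found = 1; next }
        # Multi-value form: the bare name, values follow on indented lines.
        $0 == attr ":"            { inblock = 1; found = 1; next }
        inblock && /^ /           { print substr($0, 2); next }
        inblock                   { inblock = 0 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample of what "dscl ... -read /Users/jcool" might print.
# The workstation names are invented for this example.
SAMPLE_OUTPUT='dsAttrTypeNative:accountExpires: 0
dsAttrTypeNative:cn:
 Cool, Joe
dsAttrTypeNative:otherLoginWorkstations:
 MAC001
 MAC002
dsAttrTypeNative:sAMAccountName: jcool'

# Convenience wrapper used by the demo below: values joined with commas.
sample_values() {
    printf '%s\n' "$SAMPLE_OUTPUT" | dscl_values "$1" | tr '\n' ','
}

# Demo. In a real script replace the printf with the dscl call itself, e.g.
#   dscl "/Active Directory/DOMAIN/All Domains" -read /Users/jcool | dscl_values dsAttrTypeNative:otherLoginWorkstations
echo "workstations: $(sample_values dsAttrTypeNative:otherLoginWorkstations)"
echo "cn:           $(sample_values dsAttrTypeNative:cn)"
echo "sAMAccountName: $(sample_values dsAttrTypeNative:sAMAccountName)"
if ! printf '%s\n' "$SAMPLE_OUTPUT" | dscl_values dsAttrTypeNative:notSetOnThisRecord >/dev/null; then
    echo "notSetOnThisRecord: attribute not present on this record"
fi
```

Checking the exit status matters for the original problem in this thread: an attribute with no value on a particular user object simply does not appear in the read output, so a pipeline that only greps for it silently yields nothing. Testing the function's exit status lets a post-imaging script distinguish "the attribute is empty on this account" from a parsing mistake.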

mm2270
Legendary Contributor III

I also see plenty of 'dsAttrTypeNative:' when I run a search against our AD. I just don't see the 'otherLoginWorkstations' one anywhere.

Can you give us some background on what that attribute supposedly is, and why it's important to you? There may be another way to grab the info you're looking for.

jafuller
Contributor

@William Smith: thank you for the thorough post. The dsAttrTypeNative is the only one I see as well. My question was, is that the only type of attribute in that particular format? It sounds like it is.

@Mike: our Networking team uses this field for computer-specific data related to our VPN posture check. I want to write out values to this multi-value field at imaging time to remove a manual step to do so.

rockpapergoat
Contributor III

so are you saying you can't see the value when using dscl for lookups, or you want to parse the output or something? i'm still not clear what your problem is here.

are you trying to add/update the values in AD using dscl? if so, i think that's the wrong approach (and tool) for the job.

if it's an AD attribute unique to your setup, others won't have any luck referencing it in their directories.

if dscl doesn't give you what you want, use ldapsearch instead.

clarify the problem, and someone can help.

jafuller
Contributor

@rockpapergoat: dscl works just fine. My goal was to be able to use a post-image script to write attributes of the computer that was just imaged to the user object in AD. The attribute I was given to write to was "otherLoginWorkstations" and it is a multi-value field. What I was not aware of, that has been made plain, is that it isn't a standard attribute within AD.

I will post my results after discussing this issue with our network / AD team. Thank you all for your interest and support.

jarednichols
Honored Contributor

I'm not entirely sure that dscl can actually write *back* to your directory. Has someone done this before?

otherLoginWorkstations certainly sounds like your AD was extended, though I'm not sure that's the problem. If you use ADSIEdit can you see any of the attributes?

mm2270
Legendary Contributor III

My suspicion is dscl will not work in writing back to your AD directory. The -create and -append options work fine for the local node, but I've never used it to write into AD. I'd be curious to see if that actually works. Something tells me it won't though.

rockpapergoat
Contributor III

writing back to AD via dscl won't work. it may work if you authenticate as a domain admin account, but i still wouldn't do it that way. it's not the right tool for this job.

jafuller
Contributor

Our AD permission set is granular where we have a domain service account with the proper rights to update the attribute we're working to write to.

I have been successful using the -append command to write to the attribute when authenticating with this account. The reason I couldn't read the attribute is that there was no value in the attribute from this particular user object. Once I read from an object that had a value in this attribute, it was successful.

Here is the command via Terminal:

dscl -u <userid> -p "/Active Directory/STARBUCKS/All Domains" -append /Users/jafuller otherLoginWorkstations '"TestValueSurroundedByDoubleQuotes"'

It is in interactive mode to allow for the password to be typed. However, it can run directly from a bash script which we're going to explore putting into a policy to run post imaging at first login.

spotter
New Contributor III

I'm currently working on a login script but instead of looking at the Member Of attribute I need to base it on the user OU within AD.

Has anyone created this with success? If so, can you share?

Thanks in advance...

jarednichols
Honored Contributor

OU or security group? If it's security group you can use id instead.