Remotely configure Directory Utility

Not applicable

Is there any way out there to remotely configure the LDAPv3 plugin for server search paths?
So far, the only way that may be possible that I can see is to push out .plist files with directory info to /Library/Preferences/DirectoryService.

Thanks in advance!
-Henry

milesleacy
Valued Contributor

I let Casper's built-in mechanism handle AD binding to avoid putting account
credentials in a script. I hold not putting account credentials in a script
as a best practice.
Steve's script will get you to the same place, as well as binding to AD, but
you'll have to do the following:

(Forgive me if my explanations seem simplistic to anyone. I'm aiming this
at the new admin who would look at this script and be overwhelmed.)

  1. Specify "yourODServer.name" and "yourADdomain", or pass in the values as parameters.
  2. The following lines set the target machine's name to <siteId><serialnumber> and place the previous name in ARD custom data. If you don't want to do this, remove the following lines:

SiteId='NHV'
OldName=$(scutil --get ComputerName)
SERIALNUM=$(system_profiler SPHardwareDataType | grep "Serial Number" | awk '{print $3}')
scutil --set ComputerName $SiteId$SERIALNUM
scutil --set LocalHostName $SiteId$SERIALNUM
scutil --set HostName $SiteId$SERIALNUM
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -computerinfo -set1 -1 "$OldName"

  3. The script assumes that you want to use the Mac's computer name as the AD and LDAP machine name to bind to. If this is not the case, you'll need to change the following line to get the computerid that will match your machine account in AD and/or LDAP:

computerid=$(scutil --get ComputerName)

  4. In the "dsconfigldap" command, "diradmin" needs to be replaced with an
    LDAP account that has permissions to bind clients and "'pass'" needs to be
    replaced with that account's password.

  5. In the "dsconfigad" command, "swood" should be replaced with an AD
    account ID that has permissions to bind machines to existing computer
    records (if the record already exists in AD) or permissions to create
    computer objects in the target OU (if the record does not exist). "'pass'"
    needs to be replaced with that account's password. "CN=Unsorted
    Computers,OU=Locations,DC=yourad,DC=net" needs to be replaced with the AD
    path to the container that contains your computer records (or in which you
    will be creating them).

I prefer the script I provided in my previous message; however, it is
important to note that it assumes that your LDAP server does not require
authenticated bindings. I would love to see a Casper feature similar to the
AD binding feature that would allow authenticated LDAP bindings without
putting passwords into scripts.

I leave setting computer names and turning on ARD to Casper's built-in
functionality and a separate script, respectively. This is out of an
overarching management approach of being as modular as possible by breaking
down actions into their smallest practical parts.

I hope this is useful.

----------
Miles A. Leacy IV

Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

Not applicable

Thanks for clarifying what I forgot to clarify. :-) I sent that in a rush
and shouldn’t have.

That script was for work at my old company and we did not have the benefit
of Casper. I agree with Miles, that you should not be passing credentials
in the scripts if you can, and let Casper do your AD binding and your
machine re-naming.

Steve Wood
Director of IT
swood at integerdallas.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

milesleacy
Valued Contributor
On Mon, Jan 12, 2009 at 3:12 PM, Steve Wood <swood at integerdallas.com> wrote: Thanks for clarifying what I forgot to clarify. :-) I sent that in a rush and shouldn't have.

No worries. Thanks for the more comprehensive script.

One item that I think bears mentioning in regard to AD/OD interoperability
is the fact that if you are using the same computer name in both
directories, and your OD Master is bound to AD, all new machine names must
be created in OD first, then AD. If you do it the other way around, OD,
being bound to AD, will see the AD machine name and not allow you to create
the same name in OD since it already exists. I am certain that this is an
issue in 10.4.11 with Windows Server 2003. I am fairly sure it is still an
issue in Leopard through 10.5.3 and with Windows Server 2008.

Not applicable

Unless Miles or someone else has a better way, this is how I’ve done it in
the past, using these commands in a script:

#!/bin/bash
OD_SERVER='yourODServer.name'
AD_DOMAIN='yourADdomain'
SiteId='NHV'

# rename the machine to <siteId><serial> and keep the old name in ARD custom field 1
OldName=$(scutil --get ComputerName)
SERIALNUM=$(system_profiler SPHardwareDataType | grep "Serial Number" | awk '{print $3}')
scutil --set ComputerName $SiteId$SERIALNUM
scutil --set LocalHostName $SiteId$SERIALNUM
scutil --set HostName $SiteId$SERIALNUM
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -computerinfo -set1 -1 "$OldName"

computerid=$(scutil --get ComputerName)

# bind to Open Directory (LDAPv3), then to Active Directory
dsconfigldap -v -f -a $OD_SERVER -n OD_SERVER -c $computerid -u diradmin -p 'pass'
sleep 10
dsconfigad -f -a $computerid -domain $AD_DOMAIN -u swood -p 'pass' -ou "CN=Unsorted Computers,OU=Locations,DC=yourad,DC=net"
sleep 20

# custom authentication search path: OD first, then AD
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search -append / CSPSearchPath /LDAPv3/$OD_SERVER
dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"

sleep 10
# same order for the contacts search path
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/$OD_SERVER
dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"

Steve Wood

milesleacy
Valued Contributor

#!/bin/bash

##### HEADER BEGINS #####
# scr_sys_dsConfigLDAP.bash
#
# Created 20070212 by Miles A. Leacy IV
# miles.leacy at themacadmin.com
# Modified 20090106 by Miles A. Leacy IV
# Copyright 2009 Miles A. Leacy IV
#
# This script may be copied and distributed freely as long as this header
# remains intact.
#
# This script is provided "as is". The author offers no warranty or
# guarantee of any kind.
# Use of this script is at your own risk. The author takes no
# responsibility for loss of use,
# loss of data, loss of job, loss of socks, the onset of armageddon, or any
# other negative effects.
#
# Test thoroughly in a lab environment before use on production systems.
# When you think it's ok, test again. When you're certain it's ok, test
# twice more.
#
# This script adds an LDAP configuration and sets the custom search path.
# Replace "ldap.server.ext" with your LDAP server's FQDN or use a script
# parameter to pass
# a value from Casper.
#
# If you don't use Active directory, comment out or delete all lines that
# contain "Active Directory".
#
# This script is intended for use as an "At Reboot" script with Casper
# Imaging.
#
##### HEADER ENDS #####

# add LDAP config (unauthenticated bind; no credentials in the script)
dsconfigldap -v -a ldap.server.ext

# set up the custom search paths: AD first, then LDAP
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
dscl /Search -append / CSPSearchPath /LDAPv3/ldap.server.ext
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/ldap.server.ext

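Both scripts in this thread append to the search path and then rely on sleep, with nothing confirming the result. The check below is an added example, not code from the thread or from Casper: it parses dscl-style output for the SearchPolicy and CSPSearchPath values and confirms that the expected nodes are present in the expected order. The sample output and its layout are constructed assumptions.

```shell
#!/bin/bash
# Added example, not from this thread: check the Directory Service search
# path after a binding script like the ones above has run, instead of trusting
# 'sleep'. On a Mac the text comes from: dscl /Search -read / SearchPolicy CSPSearchPath
# The sample below is constructed; its layout (one value per indented line) is
# an assumption about how dscl prints a multi-valued attribute.

SAMPLE_DSCL_OUTPUT='CSPSearchPath:
 /Local/Default
 /BSD/local
 /LDAPv3/yourODServer.name
 /Active Directory/All Domains
SearchPolicy: dsAttrTypeStandard:CSPSearchPath'

# verify_search_path "<dscl output>" node1 [node2 ...]
# Returns 0 when SearchPolicy is the custom path and every node appears in
# CSPSearchPath in the given order (order decides which directory answers
# first, which matters when OD and AD hold the same names), else 1.
verify_search_path() {
  local output="$1"; shift
  local policy node idx last=0
  policy=$(printf '%s\n' "$output" | sed -n 's/^SearchPolicy: *//p')
  if [ "$policy" != "dsAttrTypeStandard:CSPSearchPath" ]; then
    echo "SearchPolicy is '$policy', expected the custom search path" >&2
    return 1
  fi
  for node in "$@"; do
    # whole-line fixed-string match: node names contain spaces and slashes
    idx=$(printf '%s\n' "$output" | sed 's/^ *//' \
          | grep -Fxn -- "$node" | head -n 1 | cut -d: -f1)
    if [ -z "$idx" ]; then
      echo "missing search path node: $node" >&2
      return 1
    fi
    if [ "$idx" -le "$last" ]; then
      echo "search path node out of order: $node" >&2
      return 1
    fi
    last=$idx
  done
  return 0
}

# stand-alone demonstration against the constructed sample
if verify_search_path "$SAMPLE_DSCL_OUTPUT" \
     /LDAPv3/yourODServer.name "/Active Directory/All Domains"; then
  echo "search path OK"
else
  echo "search path needs attention"
fi
```

On a real client, replace the constructed sample with the output of the dscl read shown in the comment and run the check as the last step of the binding script so a failed bind is reported rather than silently left behind.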

Not applicable

Thanks so much!