Question

Scripting Live LDAP Lookups

  • November 20, 2010

Greetings,

I've gone through the jamf help un-man page and wasn't able to find anything that would make the JSS do an LDAP lookup against our directory server on the fly. I basically want to script a change when a user logs in, to take the username of the currently logged in user, upload that to the JSS via the jamf recon command line, and one way or another perform an LDAP lookup on that username. This doesn't seem possible given the commands I've found but I'm wondering if there's another way this can be done.

Regards,
-Sean Hansell

8 replies

  • November 20, 2010

Since you're performing this at login (by user 'nobody'), you should
be able to identify the current user by listing the last person who
logged in and was allocated a console:

last | grep -m1 console | awk '{ print $1 }'

Then you can perform a lookup with ldapsearch. The arguments of this
command vary greatly depending on directory server configuration, but
the whole thing will look something like this:

# capture the last console login in a variable, then search for that account
lastuser=$(last | grep -m1 console | awk '{print $1}')
# host, base DN and the attribute in the filter depend on your directory
ldapsearch -x -LLL -h ldap.ad.yourorg.com -b "dc=AD,dc=YOURORG,dc=COM" "cn=${lastuser}"

Brandt

--

J. Brandt Buckley
Systems Architect
IGPP

brandt at ucsd.edu http://igpp.ucsd.edu
P: +1 858 534 8145 F: +1 858 822 1418

Institute of Geophysics and Planetary Physics
Scripps Institution of Oceanography
University of California, San Diego

8785 Biological Grade, Suite 4112
La Jolla, Ca. 92037-0225


  • November 22, 2010

There are a few ways you can detect the currently logged in user. My personal favorite is detecting who the current owner of /dev/console is. Also whenever Casper runs a log in policy the $3 variable will return the current user. If you use the built in apple tools to do login hooks $1 will return the current logged in user. An example of what I use to grab the current user in scripts is as follows:

# the third field of `ls -l /dev/console` is the owner of the console
CurrentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')


ImAMacGuy
  • November 22, 2010

I thought this was all tried several times over the last year (myself
attempting as well), and there was a bug or something that was blocking
the live ldap from working.

John Wojda

Lead System Engineer, DEI

3333 Beverly Rd. B2-338B

Hoffman Estates, IL 60179

Phone: (847)286-7855

Page: (224)532.3447

Team Lead: Matt Beiriger


  • November 22, 2010

Yea, I know how to find the currently logged in user. My problem is finding the equivalent in the command line of pushing the "Check Name" button in the JSS and doing it via policy.

Regards,
-Sean Hansell


  • November 22, 2010

Well you can use that in combination with recon to add the user to the asset in the JSS and I do believe you can use it to look it up and add the user but it requires a bit more configuration work. I know in the past working with Jamf on this it was an option they gave me but I never explored due to us having our own independent inventory system tied into our enrollment system. I would contact Jamf Support and see if they cannot help you with this one.


  • November 22, 2010

That's a very clever method. It returns 'root' when run at login, though.

Brandt


  • November 22, 2010

What inventory fields are you looking to populate based on LDAP
attributes? (or am I misunderstanding what you're trying to
accomplish)

Brandt


  • November 22, 2010

Yup at the loginwindow root owns the console, so a simple test of who owns console will stop the script from running

if [[ $CurrentUser = root ]]; then exit 1; else echo "computer is not at login window, proceeding..."; fi

However, if you have it run as a log in policy, it will always run when a user logs in. All scripts run as root from Casper and from log in/out hooks using the Apple tools as well. Now, if you design your OS image in a certain manner (like all non admin home folders live in /Users) you can always loop through /Users to execute policy.

example

for i in `/bin/ls /Users | /usr/bin/grep -v "Shared"` ; do
    echo "/Users/$i/some/path"   # replace with the Unix commands to run against each home folder
done
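Putting the thread's pieces together, as an added example that is not code from any of the posts: the console-owner check, the loginwindow (root) guard, and an ldapsearch whose filter treats the username as a literal value so stray characters in an account name cannot change the query. The server URI, base DN and attribute names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Server, base DN and attribute names are
# placeholders; adjust them for your directory.

LDAP_URI="ldaps://ldap.ad.yourorg.com"    # assumed; LDAPS so the bind is not in the clear
BASE_DN="dc=AD,dc=YOURORG,dc=COM"          # placeholder borrowed from the thread

# Third field of `ls -l /dev/console` is the owner; the listing is passed in
# as an argument so the function can be exercised without a real console.
console_user() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# At the loginwindow root owns the console, so there is nobody to look up.
at_loginwindow() {
    [ -z "$1" ] || [ "$1" = root ]
}

# RFC 4515 escaping: backslash first, then * ( ) so the value cannot be read
# as filter syntax (e.g. a name containing ")(objectClass=*" stays a literal).
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# On AD the login name lives in sAMAccountName; cn is usually the display name.
user_filter() {
    printf '(sAMAccountName=%s)\n' "$(ldap_escape "$1")"
}

# Run the lookup for whoever owns the console. The filter is handed to
# ldapsearch as a single argument, never spliced into a command string.
lookup_console_user() {
    user=$(console_user "$(ls -l /dev/console)")
    if at_loginwindow "$user"; then
        echo "console owned by root: at loginwindow, skipping" >&2
        return 1
    fi
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" "$(user_filter "$user")" displayName mail
}

# Only perform the live lookup when invoked with --run (e.g. from a login policy).
if [ "${1:-}" = --run ]; then
    lookup_console_user
fi
```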

