Jamf Nation Community

ooshnoo · ‎05-05-2014

Hi..

After following intructions by Dan on this page:
https://jamfnation.jamfsoftware.com/discussion.html?id=7292

I've also seen this link and still can't get it to work:
https://jamfnation.jamfsoftware.com/discussion.html?id=6311

I've setup an EA to grab AD group membership. Works great...only on some clients. Other times if fails with the message: No such key: dsAttrTypeNative:memberOf

The trouble is that this attribute does exist for the user..and all users. I can see it in Apache Directory Studio.

the script in my EA is as follows. Anyone know what I'm doing wrong, or is there an easier to way display AD group membership for a user???

currUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' ) Groups=$( dscl /Active Directory/XX/All Domains read /Users/$currUser dsAttrTypeNative:memberOf | awk -F"OU" '{ print $1 }' | sed -e 's/CN=//g;s/,$//g;1d' ) echo "<result>$Groups</result>"

jhbush · ‎05-05-2014

@ooshnoo it works for me. I'm not sure I would put that much data into a field though.

ooshnoo · ‎05-06-2014

I tried a different more reliable command and it worked.

currUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' ) Groups=$( id $currUser | tr "," " " | sed -n 's/^.*(/(/p' | tr -d '()' ) echo "<result>$Groups</result>"

blueice03 · ‎03-24-2015

So I've tried the following:

dscl "/Active Directory/*YOURDOMAIN*/All Domains" -read /Groups/*groupname*
 dsAttrTypeNative:member

And I get the same No such key: dsAttrTypeNative:member error. I can access almost every other key within that group but that one. Here is what that group lists for its keys:
dsAttrTypeNative:member;range=0-1499:
And I can access this key directly through Directory Services.
So I know it exists, why can't Directory Services access it via command line?

Jamf Nation Community

Show AD User Group memberships with extension attribute