Bind to Open Directory Script

I have been trying to come up with a script that I can run in ARD for each computer to bind to Open Directory. It seems like a hassle to log into each machine and bind it through Directory Utility. There are 10.4 and 10.5 machines as well as a few 10.3 on the network. The script I came up with is as follows:
dsconfigldap -u {USERNAME} -p {PASSWORD} -l {LOCAL USERNAME} -q {LOCAL PASSWORD} -f -a {OD SERVER} -c {HOSTNAME} -n {OD SERVER}
sleep 20
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search -append / CSPSearchPath /LDAPv3/fps-curry.wildwood.edu
exit 0
Some computers run the script with no errors, others do not. The error I get is this:
Cannot open remote host, error: DSOpenDirServiceErr
Data source (-l) is not valid.
Cannot open remote host, error: DSOpenDirServiceErr
Data source (-l) is not valid.

I am now getting the following error on some computers:
<main> attribute status: eDSNodeNotFound
This has something to do with adding the search policy. What is weird though is that sometimes if I run just the search policy again it will run without errors.
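
One way to avoid relying on a fixed `sleep 20` before editing the search policy, shown as an added example that is not part of the original post. It assumes the eDSNodeNotFound error is a timing problem (the /LDAPv3 node is not yet registered when the search path is edited); the function names and the server name od.example.com are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumption: eDSNodeNotFound appears because the /LDAPv3 node is not yet
# registered when the search path is edited. Function names are hypothetical.

# wait_for_node NODE [TRIES] [DELAY]
# Poll until NODE is listed under /LDAPv3. Returns 0 once it is listed,
# 1 if it is still missing after TRIES polls.
wait_for_node() {
    node=$1
    tries=${2:-10}
    delay=${3:-3}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dscl localhost -list /LDAPv3 2>/dev/null | grep -Fq -- "$node"; then
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# add_search_path NODE
# Switch the search policy to a custom path and append /LDAPv3/NODE,
# skipping the append when the entry is already present, so the script
# can be re-run from ARD without piling up duplicate entries.
add_search_path() {
    path="/LDAPv3/$1"
    dscl /Search -create / SearchPolicy CSPSearchPath || return 1
    if dscl /Search -read / CSPSearchPath 2>/dev/null | grep -Fq -- "$path"; then
        return 0
    fi
    dscl /Search -append / CSPSearchPath "$path"
}

# bind_search_path NODE [TRIES] [DELAY]
# Returns 2 (and edits nothing) when the node never becomes visible, so the
# caller sees a clear failure instead of a half-applied search policy.
bind_search_path() {
    wait_for_node "$1" "${2:-10}" "${3:-3}" || {
        echo "node /LDAPv3/$1 never appeared; search path left unchanged" >&2
        return 2
    }
    add_search_path "$1"
}

# Usage after dsconfigldap has run (od.example.com is a constructed name):
#   bind_search_path od.example.com || exit 1
```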

Similar Messages

  • How to bind (if possible) Windows 8 clients to OSX Open Directory 10.8?

    I read several articles that I have to go through the magic triangle (bind the Open Directory to an Active Directory), but almost all of the articles are from 2012 and below.
    This is possible now?
    Thank you.

    Hi mbellido,
    Are you trying to bind a Windows 8 client to Open Directory (OS X 10.8)?
    Thanks
    Dan

  • Binding imaged clients to Open Directory?

    We created a 10.5.2 image that we are trying to bind to Open Directory.
    The first imaged client binds fine and adds itself to OD. However, additional clients won't bind. They claim that the computer account already exists.
    I assume this is caused by each imaged client having the same "key" somewhere that it is using to bind to OD. Is there a way to regenerate this "key" on our clients once they are imaged?

    The answer is to remove the local KDC on the 10.5 clients. 10.5 uses the LKDC for personal file sharing - not needed for networked clients.
    Run the following commands to kill LKDC before binding the machine to Open Directory:
    sudo dscl /Local/Default delete /Config/KerberosKDC
    sudo rm -rf /var/db/dslocal/nodes/Default/config/KerberosKDC.plist
    See: http://forums.bombich.com/viewtopic.php?t=11834&highlight=lkdc

  • Directory Binding Script (Active and Open Directory) 10.7

    Hi everyone
    I'm reposting this in the right thread. I've written a Directory Binding Script for 10.6 and ported it now to 10.7 as among the things that have changed in the upgraded version is a refurbished directory binding environment.
    The original thread can be found here: https://discussions.apple.com/thread/3090068. The script is applicable for clients as well and simplifies the binding process considerably.
    Be aware that the reformatted script here contains some faulty line breaks. So you'll have to correct them in a proper text editor.
    #!/bin/bash
    # bash is required: the script uses ${var//pattern/} and ${var:offset:length} expansions
    #Uncomment the following line to abort the script on errors
    #trap exit ERR
    ## Script to automate OD and AD Binding of Mac OS X 10.7 Servers
    ## Script written by Marc Horat, URZ Basel, 11.6.2010
    ## Updated: 12.08.2011
    # With the use of the following sources as inspiration:
    # http://www.howtomac.co.uk/?p=247
    #Created by Ross Hamilton
    #Clock restart / Remove existing settings
    #Join to Open Directory and Active Directory
    # Bombich's AD-Bind Script:
    # This script binds to AD and configures advanced options of the AD plugin
    # As this script contains a password, be sure to take appropriate security
    # precautions
    # A good way to run this script is to set it as a login hook on your master machine
    # Because it only needs to be run once, the last thing this script does is to delete
    # itself. If you have another login script that you typically run, include the
    # script on your master machine, and indicate its path in the "newLoginScript"
    # variable.
    # If running this as a one-time login hook to bind to AD after imaging,
    # be sure to enable auto-login (for any local user) before creating your master image
    #################CONFIGURATION##########################
    #OD
    # These variables need to be configured for your env
    odAdmin="YOURODADMIN" #enter your OD admin name between the quotes
    odPassword="YOURODPW"  # Enter your OD admin password between the quotes
    oddomain="YOURODDOMAIN" # FQDN of your OD domain
    computerGroup="YOURNEWODCOMPGROUP"  # Add appropriate computer group you want machines to be added to, case sensitive
    oldComputerGroup="YOUROLDODCOMPGROUP" # If the Computer is in a Group already
    #AD
    # Standard parameters
    domain="YOURADDOMAIN"                              # fully qualified DNS name of Active Directory Domain
    domainname="YOURADDOMAINNAME"                    #Name of the Domain as specified in the search paths
    udn="YOURADADMIN"                              # username of a privileged network user
    password="YOURADPW"                                                  # password of a privileged network user
    ou="OU=YOUR,OU=OU,OU=URZ,OU=IN,DC=YOUR,DC=AD,DC=DOMAIN"                    # Distinguished name of container for the computer E.G. OU=Macs,OU=Computers,DC=AD,DC=DOMAIN,DC=CH
    # Advanced options AD Plugin
    alldomains="disable"                              # 'enable' or 'disable' automatic multi-domain authentication
    localhome="disable"                              # 'enable' or 'disable' force home directory to local drive
    protocol="smb"                                        # 'afp', 'smb' or 'nfs' (since 10.7) change how home is mounted from server
    mobile="enable"                              # 'enable' or 'disable' mobile account support for offline logon
    mobileconfirm="enable"                    # 'enable' or 'disable' warn the user that a mobile acct will be created
    useuncpath="enable"                              # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
    user_shell="/bin/bash"                    # e.g., /bin/bash or "none"
    preferred="-preferred $domain"          # Use the specified server for all Directory lookups and authentication
    # (e.g. "-nopreferred" or "-preferred ad.server.edu")
    admingroups="$domainname\YOURADADMINGROUP" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\macadmins")
    packetsign="allow"                              # allow | disable | require
    packetencrypt="allow"                    # allow | disable | require
    passinterval="14"                              # number of days
    namespace="domain"                              # forest | domain
    # Login hook setting -- specify the path to a login hook that you want to run instead of this script
    newLoginHook=""                    # e.g., "/Library/Management/login.sh"
    ################################# End of configuration
    ############ Begin of Script
    # Host-specific parameters
    # computerid should be set dynamically, this value must be machine-specific
    # This value may be restricted to 19 characters! The only error you'll receive upon entering
    # an invalid computer id is to the effect of not having appropriate privileges to perform the requested operation
    #computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'` # MAC Address
    #computerid=`hostname | sed 's/.unibas.ch//'`
    #computerid=`/usr/sbin/scutil --get LocalHostName | cut -c 1-19` # Assure that this will produce unique names!
    #computerid=`/usr/sbin/scutil --get LocalHostName`
    computerid=`scutil --get ComputerName`
    adcomputerid=`echo "$computerid" | tr '[:lower:]' '[:upper:]'`
    # These variables probably don't need to be changed
    # Determining if any directory binding exists
    nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
    if dscl localhost -list /LDAPv3 | grep . > /dev/null
    then
              # Take the first configured LDAPv3 node (the node name is needed as a single value below)
              check4ODtmp=`dscl localhost -list /LDAPv3 | head -n 1`
              check4OD=${check4ODtmp//[[:space:]]/}
              echo "Found LDAP: "$check4ODtmp
              check4ODaccttmp=`dscl /LDAPv3/"$check4OD" -read Computers/"$computerid" RealName | cut -c 11-`
              check4ODacct=${check4ODaccttmp//[[:space:]]/}
              echo "Found LDAP-Computer-Account: "$check4ODacct
    else
              check4OD=""
              check4ODacct=""
              echo "No bound LDAP Server found"
    fi
    if [ "$oldComputerGroup" != "" ] && dscl localhost -list /LDAPv3 | grep . > /dev/null
    then
              check4ODgroupMembershiptmp=`dscl /LDAPv3/"$check4OD" -read ComputerGroups/"$oldComputerGroup" | grep "$computerid"`
              check4ODgroupMembership=$check4ODgroupMembershiptmp
              echo "LDAP Group Membership in Group: "$oldComputerGroup
    else
              check4ODgroupMembership=""
              echo "No LDAP Group Membership defined or not bound to a server"
    fi
    if dscl localhost -list "/Active Directory" | grep "$domainname" > /dev/null
    then
              check4ADtmp=`dsconfigad -show | grep "Active Directory Domain" | sed 's/Active Directory Domain//'  | sed 's/=//'`
              check4AD=${check4ADtmp//[[:space:]]/}
              echo "Found AD: "$check4AD
              check4ADaccttmp=`dsconfigad -show | grep "Computer Account" | sed 's/Computer Account//' | sed 's/=//'`
              check4ADacct=${check4ADaccttmp//[[:space:]]/}
              echo "Found AD-Account: "$check4ADacct
    else
              check4AD=""
              check4ADacct=""
              echo "No AD-Account found"
    fi
    osversionlong=`sw_vers -productVersion`
    osvers=${osversionlong:3:1}
    #Time Sync
    #Restart ntpdate
    # NOTE: StartService is only defined here and is never called in this script,
    # so no time sync actually runs. GetPID and CheckForNetwork are helpers from
    # /etc/rc.common, which this script does not source.
    StartService ()
    {
    if [ "${TIMESYNC:=-YES-}" = "-YES-" ] && ! GetPID ntpd > /dev/null; then
              CheckForNetwork
              if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
              touch /var/run/NetworkTime.StartupItem
              echo "Starting network time synchronization"
              # Synchronize our clock to the network's time,
              # then fire off ntpd to keep the clock in sync.
              ntpdate -bvs
              ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
    fi
    }
    echo ""
    echo ""
    sleep 5
    #### Removing any existing directory bindings
    #Clear OD Computer Account and delete entry from Computer group
    if dscl localhost -list /LDAPv3 | grep . > /dev/null
    then
              echo "This computer is bound to the following Open Directory Services:"
              dscl localhost -list /LDAPv3
              echo "With the Search Path entries:"
              dscl /Search -read / CSPSearchPath | grep /LDAP
              sleep 5
              if [ "${check4ODacct}" == "${computerid}" ]
              then
                        echo "This machine already has a computer account on $oddomain."
                        # Set the GUID
                        # Quoted: ComputerName values may contain spaces
                        GUID="$(dscl /LDAPv3/"$oddomain" -read /Computers/"${computerid}" GeneratedUID | awk '{ print $2 }')"
                        echo "Found GUID: "$GUID
                        if [ "$oldComputerGroup" != "" ] && [ "$check4ODgroupMembership" != "" ]
                        then
                                  echo "Removing entry from group $oldComputerGroup"
                                  dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembership "${computerid}"
                                  dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembers "${GUID}"
                                  dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerLists/"$oldComputerGroup" Computers "${computerid}"
                        fi
                        echo "Removing Computer entry $computerid in OD"
                        dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /Computers/"${computerid}"
              fi
              #List existing Directories
              echo "Removing OD-Binding to "$check4OD
              dsconfigldap -r "$check4OD"
              echo "Removing Search Path entries"
              dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
              dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4OD"
              dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
              sleep 5
    else
              echo "No LDAP or OD Binding present.";
    fi
    echo ""
    # Check a second time in order to delete any remaining LDAP-Bindings
    echo "Scanning for further LDAP servers"
    if dscl localhost -list /LDAPv3 | grep . > /dev/null
    then
              echo "Found:"
              dscl localhost -list /LDAPv3
              echo "Removing OD-Binding to "$check4ODtmp
              dsconfigldap -r "$check4ODtmp"
              dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
              dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
              dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
              sleep 5
    else
              echo "No further LDAP or OD Binding present."
    fi
    echo ""
    echo ""
    #Remove the Active Directory binding
    if [ "$check4AD" != "" ]
    then
              echo "This computer is bound to the following Active Directory Services:"
              dscl localhost -list "/Active Directory"
              echo "With the Search Path entries:"
              dscl /Search -read / CSPSearchPath | grep /Active
              sleep 5
              echo "Removing any existing AD-Binding to "$check4AD
        dsconfigad -f -remove -username "$udn" -password "$password"
        echo "Removing Search Path entries"
              if [ "$preferred" != "-nopreferred" ]
              then
                        # The node path contains a space and must be passed as one quoted argument
                        dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname"
                        dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname"
                        dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname"
              fi
              dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
              dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
    #remove search path entries from 10.6
        if dscl /Search -read / CSPSearchPath | grep /Active > /dev/null
        then
            dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
            dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
        fi
              sleep 5
    else
              echo "No Active Directory Binding present."
    fi
    echo ""
    #Remove Existing Directory Services Config
    echo "Removing existing DS Config"
    if [ -d "/Library/Preferences/edu.mit.Kerberos" ]
    then
              rm -R /Library/Preferences/edu.mit.Kerberos
    fi
    # krb5.keytab is a regular file, so test for existence rather than for a directory
    if [ -e "/etc/krb5.keytab" ]
    then
              rm -f /etc/krb5.keytab
    fi
    # Clean up the DirectoryService configuration files
    rm -Rfv /Library/Preferences/DirectoryService/*
    #OD
    echo ""
    echo ""
    echo "Binding to OD-Domain "$oddomain
    sleep 5
    dsconfigldap -v -a "$oddomain" -n "$oddomain" -c "$computerid"
    echo "Killing opendirectoryd"
    killall opendirectoryd
    sleep 5
    echo "Adding computer account $computerid to /LDAPv3/${oddomain} on $oddomain"
    dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -create /Computers/"$computerid" ENetAddress "$nicAddress"
    dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /Computers/"$computerid" RealName "$computerid"
    # Set the GUID
    GUID="$(dscl /LDAPv3/"$oddomain" -read /Computers/"${computerid}" GeneratedUID | awk '{ print $2 }')"
    # Add computer to ComputerList and ComputerGroup
    if [ "$computerGroup" != "" ]
    then
              echo "Adding computer $computerid to OD group $computerGroup on $oddomain"
              dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerLists/"$computerGroup" apple-computers "$computerid"
              dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" apple-group-memberguid "${GUID}"
              dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" memberUid "$computerid"
    fi
    echo "Finished OD Binding."
    sleep 5 # Give DS a chance to catch up
    echo ""
    echo ""
    echo "Performing the AD Binding"
    #AD
    # Activate the AD plugin
    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
    #Use the existing AD-Computername or generate a new one
    computeridtmp="default"
    if [ "$check4ADacct" == "" ]
    then
              LEN=${#adcomputerid}
              # AD computer names are limited to 15 characters, so 15 itself is still valid
              if [ "$LEN" -le 15 ]; then
                      echo "ComputerID $adcomputerid has 15 characters or less and is therefore suitable for AD-Binding. It is $adcomputerid"
                      computeridtmp=$adcomputerid
              else
                      echo "ComputerID $adcomputerid has 16 or more characters and needs to be modified for AD-Binding."
                      echo "Removing any -"
                      computeridtmp=${adcomputerid//-/}
                      LEN=${#computeridtmp}
                      if [ "$LEN" -le 15 ]; then
                              echo "ComputerID $computeridtmp now has 15 characters or less and is therefore suitable for AD-Binding."
                      else
                              echo "Only using the last 15 characters of the Computer name to be able to bind to AD."
                              computeridtmp=${computeridtmp:(-15)}
                      fi
                      echo "Cropped Computername to $computeridtmp"
              fi
    else
        computeridtmp=${check4ADacct//$/}
        echo "Found existing AD Account previously, attempting to recreate in the OU: "$computeridtmp
    fi
    echo ""
    # Bind to AD
    echo "Binding to AD-Domain "$domain" with computerid "$computeridtmp
    dsconfigad -f -add "$domain" -username "$udn" -password "$password" -ou "$ou" -computer "$computeridtmp"
    echo ""
    echo "Setting the Advanced AD Plugin options"
    # Configure advanced AD plugin options
    if [ "$admingroups" = "" ]
    then
              dsconfigad -nogroups
    else
              dsconfigad -groups "$admingroups"
    fi
    dsconfigad -alldomains "$alldomains"
    dsconfigad -localhome "$localhome"
    dsconfigad -protocol "$protocol"
    dsconfigad -mobile "$mobile"
    dsconfigad -mobileconfirm "$mobileconfirm"
    dsconfigad -useuncpath "$useuncpath"
    dsconfigad -shell "$user_shell"
    # Intentionally unquoted: $preferred holds a flag plus its value (e.g. "-preferred server")
    dsconfigad $preferred
    dsconfigad -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval"
    dsconfigad -namespace "$namespace"
    sleep 5
    echo ""
    echo ""
    # Add the OD & AD node to the search path
    if [ "$alldomains" = "enable" ]
    then
              csp="/Active Directory/$domainname/All Domains"
    else
              csp="/Active Directory/$domainname"
    fi
    echo "Finished AD Binding."
    echo "Adding Domain /LDAPv3/"$oddomain" and "$csp" to Search Path"
    dscl /Search -create / SearchPolicy CSPSearchPath
    dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
    echo "Adding OD.."
    dscl /Search -append / CSPSearchPath /LDAPv3/"$oddomain"
    dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/"$oddomain"
    echo "Adding AD.."
    #Adding all Domains first to improve reliability under 10.7
    if [ "$alldomains" != "enable" ]
    then
        cspadall="/Active Directory/$domainname/All Domains"
        dscl /Search/Contacts -append / CSPSearchPath "$cspadall"
        dscl /Search -append / CSPSearchPath "$cspadall"
    fi
    dscl /Search/Contacts -append / CSPSearchPath "$csp"
    dscl /Search -append / CSPSearchPath "$csp"
    echo "Finished Updating Search Paths."
    echo ""
    echo ""
    # Restart DirectoryService (necessary to reload AD plugin activation settings)
    killall opendirectoryd
    # Destroy the login hook (or change it)
    if [ "${newLoginHook}" == "" ]
    then
              defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
    else
              defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook "$newLoginHook"
    fi
    sleep 5
    # Customizing the login-Window
    #defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
    #defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool TRUE
    #defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
    # This works in a pinch if the above code does not
    #defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
    #defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
    #plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
    #killall opendirectoryd
    # Disable autologin
    defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
    srm /etc/kcpassword
    echo ""
    echo ""
    echo ""
    echo "Now bound to OD Domain:"
    dscl localhost -list /LDAPv3
    echo "With Search Path entries:"
    dscl /Search -read / CSPSearchPath | grep /LDAP
    echo "Now bound to AD Domain:"
    dscl localhost -list "/Active Directory"
    echo "With Search Path entries:"
    dscl /Search -read / CSPSearchPath | grep /Active
    exit 0                    ## Success
    Any inputs, questions and improvement suggestions are, of course, most welcome!
    Cheers
    See

    Hi everyone
    I'm reposting this in the right thread. I've written a Directory Binding Script for 10.6 and ported it now to 10.7 as among the things that have changed in the upgraded version is a refurbished directory binding enviroment.
    The original thread can be found here: https://discussions.apple.com/thread/3090068. The script is applicable for clients as well and simplifies the binding process considerably.
    Be aware that the reformatted script here contains some faulty line breaks. So you'll have to correct them in a proper text editor.
    #!/bin/sh
    #Uncomment the following line to abort the script on errors
    #trap exit ERR
    ## Script to automate OD and AD Binding of Mac OS X 10.7 Servers
    ## Script written by Marc Horat, URZ Basel, 11.6.2010
    ## Updated: 12.08.2011
    # With the use of the following sources as inspiration:
    # http://www.howtomac.co.uk/?p=247
    #Created by Ross Hamilton
    #Clock restart / Remove existing settings
    #Join to Open Directory and Active Directory
    # Bombich's AD-Bind Script:
    # This script binds to AD and configures advanced options of the AD plugin
    # As this scripts contains a password, be sure to take appropriate security
    # precautions
    # A good way to run this script is to set it as a login hook on your master machine
    # Because it only needs to be run once, the last thing this script does is to delete
    # itself. If you have another login script that you typically run, include the
    # script on your master machine, and indicate its path in the "newLoginScript"
    # variable.
    # If running this as a one-time login hook to bind to AD after imaging,
    # be sure to enable auto-login (for any local user) before creating your master image
    #################CONFIGURATION##########################
    #OD
    # These variables need to be configured for your env
    odAdmin="YOURODADMIN" #enter your OD admin name between the quotes
    odPassword="YOURODPW"  # Enter your OD admin password between the quotes
    oddomain="YOURODDOMAIN" # FQDN of your OD domain
    computerGroup="YOURNEWODCOMPGROUP"  # Add appropriate computer group you want machines to be added to, case sensitive
    oldComputerGroup="YOUROLDODCOMPGROUP" # If the Computer is in a Group already
    #AD
    # Standard parameters
    domain="YOURADDOMAIN"                              # fully qualified DNS name of Active Directory Domain
    domainname="YOURADDOMAINNAME"                    #Name of the Domain as specified in the search paths
    udn="YOURADADMIN"                              # username of a privileged network user
    password="YOURADPW"                                                  # password of a privileged network user
    ou="OU=YOUR,OU=OU,OU=URZ,OU=IN,DC=YOUR,DC=AD,DC=DOMAIN"                    # Distinguished name of container for the computer E.G. OU=Macs,OU=Computers,DC=AD,DC=DOMAIN,DC=CH
    # Advanced options AD Plugin
    alldomains="disable"                              # 'enable' or 'disable' automatic multi-domain authentication
    localhome="disable"                              # 'enable' or 'disable' force home directory to local drive
    protocol="smb"                                        # 'afp', 'smb' or 'nfs' (since 10.7) change how home is mounted from server
    mobile="enable"                              # 'enable' or 'disable' mobile account support for offline logon
    mobileconfirm="enable"                    # 'enable' or 'disable' warn the user that a mobile acct will be created
    useuncpath="enable"                              # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
    user_shell="/bin/bash"                    # e.g., /bin/bash or "none"
    preferred="-preferred $domain"          # Use the specified server for all Directory lookups and authentication
    # (e.g. "-nopreferred" or "-preferred ad.server.edu")
    admingroups="$domainname\YOURADADMINGROUP" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\macadmins")
    packetsign="allow"                              # allow | disable | require
    packetencrypt="allow"                    # allow | disable | require
    passinterval="14"                              # number of days
    namespace="domain"                              # forest | domain
    # Login hook setting -- specify the path to a login hook that you want to run instead of this script
    newLoginHook=""                    # e.g., "/Library/Management/login.sh"
    ################################# End of configuration
    ############ Begin of Script
    # Host-specific parameters
    # computerid should be set dynamically, this value must be machine-specific
    # This value may be restricted to 19 characters! The only error you'll receive upon entering
    # an invalid computer id is to the effect of not having appropriate privileges to perform the requested operation
    #computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'` # MAC Address
    #computerid=`hostname | sed 's/.unibas.ch//'`
    #computerid=`/usr/sbin/scutil --get LocalHostName | cut -c 1-19` # Assure that this will produce unique names!
    #computerid=`/usr/sbin/scutil --get LocalHostName`
    computerid=`scutil --get ComputerName`
    adcomputerid=`echo "$computerid" | tr [:lower:] [:upper:]`
    # These variables probably don't need to be changed
    # Determing if any directory binding exists
    nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
    if dscl localhost -list /LDAPv3 | grep . > /dev/null
    then
              check4ODtmp=`dscl localhost -list /LDAPv3 | grep -n 1 | sed 's/1://' | sed 's/2://'`
              check4OD=${check4ODtmp//[[:space:]]/}
              echo "Found LDAP: "$check4ODtmp
              check4ODaccttmp=`dscl /LDAPv3/"$check4OD" -read Computers/"$computerid" RealName | cut -c 11-`
              check4ODacct=${check4ODaccttmp//[[:space:]]/}
              echo "Found LDAP-Computer-Account: "$check4ODacct
    else
              check4OD=""
              check4ODacct=""
              echo "No bound LDAP Server found"
    fi
    if [ $oldComputerGroup != "" ] && dscl localhost -list /LDAPv3 | grep . > /dev/null
    then
              check4ODgroupMembershiptmp=`dscl /LDAPv3/"$check4OD" -read ComputerGroups/"$oldComputerGroup" | grep "$computerid"`
              check4ODgroupMembership=$check4ODgroupMembershiptmp
              echo "LDAP Group Membership in Group: "$oldComputerGroup
    else
              check4ODgroupMembership=""
              echo "No LDAP Group Membership defined or not bound to a server"
    fi
    if dscl localhost -list "/Active Directory" | grep $domainname > /dev/null
    then
              check4ADtmp=`dsconfigad -show | grep "Active Directory Domain" | sed 's/Active Directory Domain//'  | sed 's/=//'`
              check4AD=${check4ADtmp//[[:space:]]/}
              echo "Found AD: "$check4AD
              check4ADaccttmp=`dsconfigad -show | grep "Computer Account" | sed 's/Computer Account//' | sed 's/=//'`
              check4ADacct=${check4ADaccttmp//[[:space:]]/}
              echo "Found AD-Account: "$check4ADacct
    else
              check4AD=""
              check4ADacct=""
              echo "No AD-Account found"
    fi
    osversionlong=`sw_vers -productVersion`
    osvers=${osversionlong:3:1}
    #Time Sync
    #Restart ntpdate
    StartService ()
    if [ "${TIMESYNC:=-YES-}" = "-YES-" ] && ! GetPID ntpd > /dev/null; then
              CheckForNetwork
    if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
              touch /var/run/NetworkTime.StartupItem
              echo "Starting network time synchronization"
    # Synchronize our clock to the network’s time,
    # then fire off ntpd to keep the clock in sync.
              ntpdate -bvs
              ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
    fi
    echo ""
    echo ""
    sleep 5
    #### Removing any existing directory bindings
    #Clear OD Computer Account and delete entry from Computer group
    if dscl localhost -list /LDAPv3 | grep . > /dev/null
    then
              echo "This computer is bound to the following Open Directory Services:"
              dscl localhost -list /LDAPv3
              echo "With the Search Path entries:"
              dscl /Search -read / CSPSearchPath | grep /LDAP
              sleep 5
              if [ "${check4ODacct}" == "${computerid}" ]
              then
                        echo "This machine already has a computer account on $oddomain."
                        # Set the GUID
                        GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
                        echo "Found GUID: "$GUID
                        if [ "$oldComputerGroup" != "" ] && [ "$check4ODgroupMembership" != "" ]
                        then
                                  echo "Removing entry from group $oldComputerGroup"
                                  dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembership "${computerid}"
                                  dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembers "${GUID}"
                                  dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerLists/"$oldComputerGroup" Computers "${computerid}"
                        fi
                        echo "Removing Computer entry $computerid in OD"
                        dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /Computers/"${computerid}"
              fi
              #List existing Directories
              echo "Removing OD-Binding to "$check4OD
              dsconfigldap -r "$check4OD"
              echo "Removing Search Path entries"
              dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
              dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4OD"
              dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
              sleep 5
    else
              echo "No LDAP or OD Binding present.";
    fi
    echo ""
    # Check a second time in order to delete any remaining LDAP-Bindings
    echo "Scanning for further LDAP servers"
    if dscl localhost -list /LDAPv3 | grep . > /dev/null
    then
              echo "Found:"
              dscl localhost -list /LDAPv3
              echo "Removing OD-Binding to "$check4ODtmp
              dsconfigldap -r "$check4ODtmp"
              dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
              dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
              dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
              sleep 5
    else
              echo "No further LDAP or OD Binding present."
    fi
    echo ""
    echo ""
    #Remove the Active Directory binding
    if [ "$check4AD" != "" ]
    then
              echo "This computer is bound to the following Active Directory Services:"
              dscl localhost -list "/Active Directory"
              echo "With the Search Path entries:"
              dscl /Search -read / CSPSearchPath | grep /Active
              sleep 5
              echo "Removing any existing AD-Binding to "$check4AD
        dsconfigad -f -remove -username "$udn" -password "$password"
        echo "Removing Search Path entries"
              if [ "$preferred" != "-nopreferred" ]
              then
                        # Quote the node path: it contains a space and would otherwise be split into two arguments
                        dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname"
                        dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname"
                        dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname"
              fi
              dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
              dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
    #remove search path entries from 10.6
        if dscl /Search -read / CSPSearchPath | grep /Active > /dev/null
        then
            dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
            dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
        fi
              sleep 5
    else
              echo "No Active Directory Binding present."
    fi
    echo ""
    #Remove Existing Directory Services Config
    echo "Removing existing DS Config"
    # Both paths are normally plain files, so test for existence rather than for a directory
    if [ -e "/Library/Preferences/edu.mit.Kerberos" ]
    then
              rm -R /Library/Preferences/edu.mit.Kerberos
    fi
    if [ -e "/etc/krb5.keytab" ]
    then
              rm -R /etc/krb5.keytab
    fi
    # Clean up the DirectoryService configuration files
    rm -Rfv /Library/Preferences/DirectoryService/*
    #OD
    echo ""
    echo ""
    echo "Binding to OD-Domain "$oddomain
    sleep 5
    dsconfigldap -v -a "$oddomain" -n "$oddomain" -c "$computerid"
    echo "Killing opendirectoryd"
    killall opendirectoryd
    sleep 5
    echo "Adding computer account $computerid to /LDAPv3/${oddomain} on $oddomain"
    dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -create /Computers/"$computerid" ENetAddress "$nicAddress"
    dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /Computers/"$computerid" RealName "$computerid"
    # Set the GUID
    GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
    # Add computer to ComputerList and ComputerGroup
    if [ "$computerGroup" != "" ]
    then
              echo "Adding computer $computerid to OD group $computerGroup on $oddomain"
              dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerLists/"$computerGroup" apple-computers "$computerid"
              dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" apple-group-memberguid "${GUID}"
              dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" memberUid "$computerid"
    fi
    echo "Finished OD Binding."
    sleep 5 # Give DS a chance to catch up
    echo ""
    echo ""
    echo "Performing the AD Binding"
    #AD
    # Activate the AD plugin
    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
    #Use the existing AD-Computername or generate a new one
    computeridtmp="default"
    if [ "$check4ADacct" == "" ]
    then
              LEN=${#adcomputerid}
              # Names of up to 15 characters are kept unchanged, as the messages below state
              if [ "$LEN" -le 15 ]; then
                      echo "ComputerID "$adcomputerid " has 15 characters or less and is therefore suitable for AD-Binding. It is $adcomputerid"
                      computeridtmp=$adcomputerid
              else
                      echo "ComputerID "$adcomputerid " has 16 or more characters and needs to be modified for AD-Binding."
                        echo "Removing any -"
                      computeridtmp=${adcomputerid//-/}
                                  LEN=${#computeridtmp}
                                  if [ "$LEN" -le 15 ]; then
                                            echo "ComputerID "$computeridtmp" has now 15 characters or less and is therefore suitable for AD-Binding."
                                  else
                                            echo "Only using the last 15 characters of the Computer name to be able to bind to AD."
                                            computeridtmp=${computeridtmp:(-15)}
                                  fi
                      echo "Cropped Computername to "$computeridtmp
              fi
    else
        computeridtmp=${check4ADacct//$/}
        echo "Found existing AD Account previously, attempting to recreate in the OU: "$computeridtmp
    fi
    echo ""
    # Bind to AD
    echo "Binding to AD-Domain "$domain" with computerid "$computeridtmp
    dsconfigad -f -add "$domain" -username "$udn" -password "$password" -ou "$ou" -computer "$computeridtmp"
    echo ""
    echo "Setting the Advanced AD Plugin options"
    # Configure advanced AD plugin options
    if [ "$admingroups" = "" ]
    then
              dsconfigad -nogroups
    else
              dsconfigad -groups "$admingroups"
    fi
    dsconfigad -alldomains "$alldomains"
    dsconfigad -localhome "$localhome"
    dsconfigad -protocol "$protocol"
    dsconfigad -mobile "$mobile"
    dsconfigad -mobileconfirm "$mobileconfirm"
    dsconfigad -useuncpath "$useuncpath"
    dsconfigad -shell "$user_shell"
    dsconfigad "$preferred"
    dsconfigad -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval"
    dsconfigad -namespace "$namespace"
    sleep 5
    echo ""
    echo ""
    # Add the OD & AD node to the search path
    if [ "$alldomains" = "enable" ]
    then
              csp="/Active Directory/$domainname/All Domains"
    else
              csp="/Active Directory/$domainname"
    fi
    echo "Finished AD Binding."
    echo "Adding Domain /LDAPv3/"$oddomain" and "$csp" to Search Path"
    dscl /Search -create / SearchPolicy CSPSearchPath
    dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
    echo "Adding OD.."
    dscl /Search -append / CSPSearchPath /LDAPv3/"$oddomain"
    dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/"$oddomain"
    echo "Adding AD.."
    #Adding all Domains first to improve reliability under 10.7
    if [ "$alldomains" != "enable" ]
    then
        cspadall="/Active Directory/$domainname/All Domains"
        dscl /Search/Contacts -append / CSPSearchPath "$cspadall"
        dscl /Search -append / CSPSearchPath "$cspadall"
    fi
    dscl /Search/Contacts -append / CSPSearchPath "$csp"
    dscl /Search -append / CSPSearchPath "$csp"
    echo "Finished Updating Search Paths."
    echo ""
    echo ""
    # Restart DirectoryService (necessary to reload AD plugin activation settings)
    killall opendirectoryd
    # Destroy the login hook (or change it)
    if [ "${newLoginHook}" == "" ]
    then
              defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
    else
              defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook "$newLoginHook"
    fi
    sleep 5
    # Customizing the login-Window
    #defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
    #defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool TRUE
    #defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
    # This works in a pinch if the above code does not
    #defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
    #defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
    #plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
    #killall opendirectoryd
    # Disable autologin
    defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
    srm /etc/kcpassword
    echo ""
    echo ""
    echo ""
    echo "Now bound to OD Domain:"
    dscl localhost -list /LDAPv3
    echo "With Search Path entries:"
    dscl /Search -read / CSPSearchPath | grep /LDAP
    echo "Now bound to AD Domain:"
    dscl localhost -list "/Active Directory"
    echo "With Search Path entries:"
    dscl /Search -read / CSPSearchPath | grep /Active
    exit 0                    ## Success
    exit 1                    ## Failure
    Any inputs, questions and improvement suggestions are, of course, most welcome!
    Cheers
    See

  • Can't open perl script "/opatch.pl": No such file or directory

    After installing Oracle 9.2.04 and applying patches p3006854, p3948480 and p4188455 on Linux AS4, I found that I cannot start the agent. If I execute "agentctl start", Oracle will throw out an error like:
    Starting Oracle Intelligent Agent.../u01/app/oracle/product/9.2.0/bin/dbsnmpwd: line 156: 1855 Segmentation fault nohup $ORACLE_HOME/bin/dbsnmp $* >>$DBSNMP_WDLOGFILE 2>&1
    /u01/app/oracle/product/9.2.0/bin/dbsnmpwd: line 156: 1868 Segmentation fault nohup $ORACLE_HOME/bin/dbsnmp $* >>$DBSNMP_WDLOGFILE 2>&1
    /u01/app/oracle/product/9.2.0/bin/dbsnmpwd: line 156: 1880 Segmentation fault nohup $ORACLE_HOME/bin/dbsnmp $* >>$DBSNMP_WDLOGFILE 2>&1
    /u01/app/oracle/product/9.2.0/bin/dbsnmpwd: line 156: 1892 Segmentation fault nohup $ORACLE_HOME/bin/dbsnmp $* >>$DBSNMP_WDLOGFILE 2>&1
    I searched the Internet and some articles said p3238244 is needed. So I started to install it. At the very beginning, the error was "Can not find ../oui/OraInstall.jar". I found this file in "../oui/jlib" and copied it to "../oui". Then I ran "opatch apply" and the error is "Can't open perl script "/opatch.pl": No such file or directory". This time I cannot find much similar information from Google.
    Any idea?
    PS: I changed path of inventory during the installation to "/henry/cwdata" ($ORACLE_HOME=/henry/app/oracle/product/9.2). Will this action cause the error below? What is the usage of inventory path exactly?
    Much appreciated!
    Henry

    Below is my env and .bash_profile.
    [oracle@henrylinux lib]$ env
    SSH_AGENT_PID=2814
    HOSTNAME=henrylinux
    SHELL=/bin/bash
    TERM=xterm
    HISTSIZE=1000
    NLS_LANG=AMERICAN_AMERICA.ZHS16GBK
    GTK_RC_FILES=/etc/gtk/gtkrc:/home/oracle/.gtkrc-1.2-gnome2
    WINDOWID=39880874
    OLDPWD=/home/oracle
    ORACLE_OWNER=oracle
    USER=oracle
    LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
    ORACLE_SID=ora92
    GNOME_KEYRING_SOCKET=/tmp/keyring-BckaCh/socket
    ORACLE_BASE=/henry/app/oracle
    SSH_AUTH_SOCK=/tmp/ssh-nsWlKX2762/agent.2762
    KDEDIR=/usr
    SESSION_MANAGER=local/henrylinux:/tmp/.ICE-unix/2762
    GDN_LANG=en_US
    MAIL=/var/spool/mail/oracle
    DESKTOP_SESSION=default
    PATH=/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/home/oracle/bin:/henry/app/oracle/product/9.2/bin:/henry/app/oracle/product/9.2/Apache/Apache/bin:
    INPUTRC=/etc/inputrc
    PWD=/henry/app/oracle/product/9.2/ctx/lib
    THREADS_FLAG=native
    LANG=en_US.UTF-8
    LC=en_US
    ORACLE_TERM=xterm
    GDMSESSION=default
    SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
    HOME=/home/oracle
    SHLVL=2
    LD_ASSUME_KERNEL=2.4.19
    GNOME_DESKTOP_SESSION_ID=Default
    LOGNAME=oracle
    LC_CTYPE=zh_CN.GB2312
    CLASSPATH=/henry/app/oracle/product/9.2/JRE:/henry/app/oracle/product/9.2/jlib:/henry/app/oracle/product/9.2/rdbms/jlib:/henry/app/oracle/product/9.2/network/jlib
    DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-Z7HVMAC8Dh
    LESSOPEN=|/usr/bin/lesspipe.sh %s
    ORA_NLS33=/henry/app/oracle/product/9.2/ocommon/nls/admin/data
    DISPLAY=:0.0
    ORACLE_HOME=/henry/app/oracle/product/9.2
    G_BROKEN_FILENAMES=1
    COLORTERM=gnome-terminal
    XAUTHORITY=/home/oracle/.Xauthority
    _=/usr/bin/env
    # .bash_profile
    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
    . ~/.bashrc
    fi
    # User specific environment and startup programs
    PATH=$PATH:$HOME/bin
    export ORACLE_BASE=/henry/app/oracle
    export ORACLE_HOME=$ORACLE_BASE/product/9.2
    export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin:/sbin
    export ORACLE_OWNER=oracle
    export ORACLE_SID=ora92
    export ORACLE_TERM=xterm
    export LD_ASSUME_KERNEL=2.4.19
    export THREADS_FLAG=native
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
    export NLS_LANG="AMERICAN_AMERICA.ZHS16GBK"
    export ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
    export DISPLAY=:0
    export LANG=en_US
    export GDN_LANG=en_US
    export LC=en_US
    export CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib:$ORACLE_HOME/network/jlib
    export LC_CTYPE=zh_CN.GB2312
    export PATH
    unset USERNAME

  • Scripts for adding/deleting/modifying Open Directory accounts?

    I think I have searched high and low for an answer to this question, but if I missed it please point me in the right direction. Where can I find information on scripts for adding/deleting/modifying open directory accounts? At the very least, a command line utility with some syntax guidelines! Any help would be greatly appreciated.

    Hi
    I personally don't know of any scripts, although you can use the command line to do pretty much anything you want with the Open Directory. Consult the manual: man dscl. If you launch Terminal and issue dscl you should see something like this:
    my-Laptop:~ me$ dscl
    dscl (v20.4)
    usage: dscl [options] [<datasource> [<command>]]
    datasource:
    localhost (default) or
    <hostname> (requires DS proxy support, >= DS-158) or
    <nodename> (Directory Service style node name) or
    <domainname> (NetInfo style domain name)
    options:
    -u <user> authenticate as user (required when using DS Proxy)
    -P <password> authentication password
    -p prompt for password
    -raw don't strip off prefix from DS constants
    -url print record attribute values in URL-style encoding
    -q quiet - no interactive prompt
    commands:
    -read <path> [<key>...]
    -create <record path> [<key> [<val>...]]
    -delete <path> [<key> [<val>...]]
    -list <path> [<key>]
    -append <record path> <key> <val>...
    -merge <record path> <key> <val>...
    -change <record path> <key> <old value> <new value>
    -changei <record path> <key> <value index> <new value>
    -search <path> <key> <val>
    -auth [<user> [<password>]]
    -authonly [<user> [<password>]]
    -passwd <user path> [<new password> | <old password> <new password>]
    Entering interactive mode...
    The above is for 10.4 and should serve equally as well for 10.5.
    Hope this helps, Tony

  • Binding Exchange server to Open Directory

    So I am setting up an Exchange 2010 sandbox machine to see how feasible the install and usage of the software is within the company. When running through the installation it wants the Exchange server machine to be bound to an Active Directory. Well, I don't have any Active Directory servers; all I have is our Open Directory. How can I tie in the Exchange binding to the Open Directory? I have heard about integrating between OD and AD but it seems like it requires yet another AD machine.
    Any thoughts? Success Stories?

    The answer is to remove the local KDC on the 10.5 clients. 10.5 uses the LKDC for personal file sharing - not needed for networked clients.
    Run the following commands to kill LKDC before binding the machine to Open Directory:
    sudo dscl /Local/Default delete /Config/KerberosKDC
    sudo rm -rf /var/db/dslocal/nodes/Default/config/KerberosKDC.plist
    See: http://forums.bombich.com/viewtopic.php?t=11834&highlight=lkdc

  • How do you bind Vista / XP clients to Open Directory?

    I have an OSX Server OD Master set up in 10.5.6.
    My OSX Clients can bind to it just fine using Directory Utility.
    How do you bind Vista / XP clients to Open Directory masters?
    Thanks

    @ jakelh:
    Make sure Kerberos is working on your server. Without it, PC logins will probably fail at least for Vista clients. Otherwise you'd have to downgrade a client-side setting on the Vista clients,
    http://www.builderau.com.au/blogs/codemonkeybusiness/viewblogpost.htm?p=339270746
    DNS is critical here, but Vista can have a problem with things that are correctly configured.
    IE: Vista defaults to a TCP/IP setting that can make it incompatible with existing network hardware
    http://www.tech-recipes.com/rx/1744/vistatcp_cannot_communicate_primary_dnsserve

  • Trouble binding 10.5 Server to 10.6 Open Directory

    After a recent power outage one of my 10.5 Servers lost its connection to the OD Master. I am unable to get this system to re-bind to an Open Directory Master (10.6 Server). I had to force un-bind the 10.5 machine (via Directory Utility) because it could not contact the OD Master. After force unbinding the 10.5 Server system I checked Open Directory settings in Server Admin and the role was "Standalone Server".
    Steps to reproduce problem:
    1) Change role of 10.5 Server to "Connects to a Directory System" and rebooted the system.
    2) Launch Directory Utility, click add server and enter the FQDN for my OD Master. SSL option is not checked.
    3) Directory Utility tries to communicate with the OD Master for a few moments...displaying "verifying server address", then comes back with the error "there was no response from SERVER. Please check that the address you entered is correct".
    (where SERVER = the FQDN for the OD Master)
    I Checked that DNS was working and that the system (10.5 Server) could resolve the FQDN of the OD Master. When the above steps did not solve the problem I went to the OD Master and (from Workgroup Manager) deleted the previous entry for the 10.5 Server. This had no effect on the problem. Not sure what to try next?

    Hi,
    Welcome to the Discussions
    10.5 Server and specifically iChat Server has its own forum
    http://discussions.apple.com/forum.jspa?forumID=1235 (for Export)
    10.6 Server has Forum called Collaboration Services for iChat Server (And a few other bits)
    The Forums are within Categories.
    Technically each is within its own OS Category but Tiger, Leopard and Snow Leopard are all shown in this "Master Category" here
    The reason I am posting these links is that I don't know enough about the Server version of iChat.
    The chances are that someone in the 10.6 Server > Collaboration Services forum knows how to Export the list from 10.5 Server and input it in to 10.6 Server.
    Hope this helps.
    7:53 PM Monday; July 19, 2010
    Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

  • Open Directory Binding doesn't want to activate

    Hi all,
    I have the following problem with binding computers to Open Directory. My setup is as follows: Master on one server, slave on the other, clients running in the network, no firewalls or anything. I took over from another guy and he didn't have binding enabled, I would like to set up a Software Update Service and push the SUS server to the computers using OD.
    When I try to enable binding in the server config tool, it doesn't work (the box unchecks itself) the error message in slapconfig.log is the same as on terminal (running as root) where I have the following:
    # slapconfig -setmacosxodpolicy -binding enabled
    command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    modifying entry "cn=macosxodpolicy,cn=config,dc=try,dc=tohide,dc=this"
    ldapadd command output:
    ldap_modify: No such object (32)
    matched DN: cn=config,dc=try,dc=tohide,dc=this
    ldapadd command failed with status 32
    Does anybody have an idea what this is or where the problem is?
    The ou macosxodpolicy and container config are in the correct location (I think) and seem readable:
    dn: cn=config,dc=try,dc=tohide,dc=this
    cn: config
    objectClass: container
    entryUUID: 0c305f06-85a6-1028-9911-993fd9058318
    creatorsName: uid=root,cn=users,dc=try,dc=tohide,dc=this
    createTimestamp: 20040818210515Z
    entryCSN: 2004081821:05:15Z#0x0002#0#0000
    modifiersName: uid=root,cn=users,dc=try,dc=tohide,dc=this
    modifyTimestamp: 20040818210515Z
    dn: ou=macosxodconfig,cn=config,dc=try,dc=tohide,dc=this
    ou: macosxodconfig
    objectClass: top
    objectClass: organizationalUnit
    entryUUID: 0c335882-85a6-1028-9912-993fd9058318
    creatorsName: uid=root,cn=users,dc=try,dc=tohide,dc=this
    createTimestamp: 20040818210515Z
    ...

    Just a couple thoughts and basic questions:
    Is DNS properly configured? Can you do forward and reverse lookups? If you run changeip checkhostname, what happens? And finally, how have you configured DirectoryAccess on the clients?
    By your post, you've got a handle on this, but just want to cover all the bases.
    I'm guessing it's possible your predecessor didn't have everything setup quite right to begin with. If you've setup a server before, then you know you need to setup DNS while the server is set as a standalone, then promote it to an OD master. If this was not done to begin with, you may be pounding your head against a wall to make it work. If possible, consider re-installing the server to get it right from the get go. You may be able to make a mis-configured server work (if that is the case) but you may see different issues down the road.
    good luck and post back with more info - maybe someone smarter than me can help...
    Jeff

  • Php authenticate to Open Directory

    I have a Mac OS X Server with several realms, including some which require ssl. At present, when attempting to open a file in the secure realms, the default 401 http (or in this case https) authentication browser dialogue is brought up to request ID and password.
    Ideally, I would like to avoid this by inputting the ID and password in a form (which I can customise, e.g. with help tips) which is submitted to a php script. I imagine if the form was in the secure realm, but accessible to all, and the script to which it was directed looked up the ID and password from Open Directory or LDAP(?) then I may be able to achieve this. However, I am at a loss as to how I can access the Open Directory IDs and passwords via php. Does anyone have any experience with this? According to phpinfo(), OpenLDAP 3001 is enabled.
    Alternatively, I would be interested if anyone has some other customisable authentication method for accessing a secure realm.

    The process is basically:
    1. connect to ldap server
    2. search for user by login name given
    3. if user is found, try binding to server with login name and password given
    4. if binding is successful then user supplied correct name and password; else login fails
    Here is a snippet of my login function:
    <pre>function login($name, $pass)
    {
        // connect to ldap
        $ldap_connect = ldap_connect("ldap.domain.com");
        if($ldap_connect == false) {
            return false;
        }
        elseif($ldap_connect == true) {
            // the protocol version is set on the connection handle, so this comes after ldap_connect()
            ldap_set_option($ldap_connect, LDAP_OPT_PROTOCOL_VERSION, 3);
            if( !empty($name) && !empty($pass) ) {
                // search for the user by the login name given
                $dn = 'dc=domain,dc=com';
                $filter = "(&(objectclass=person)(userPassword=*)(|(uid=$name)(cn=$name)))";
                $attributes = array( 'cn', 'userpassword', 'uid');
                $search_result = ldap_search($ldap_connect, $dn, $filter, $attributes);
                $info = ldap_get_entries($ldap_connect, $search_result);
                if( $info['count'] ) {
                    // user found: try binding with the entry's DN and the password given
                    $ldap_bind = ldap_bind($ldap_connect, $info[0]['dn'], $pass);
                    if($ldap_bind == false) {
                        return false;
                    }
                    // bind succeeded: the name and password are correct
                    return true;
                }
                else
                    return false;
            }
            else
                return false;
        }
    }</pre>
    Message was edited by: skrying
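
The four-step search-then-bind flow described above, as an added example that is not part of the original post, with three hardening changes: the login name is escaped before it goes into the filter, the session is upgraded with StartTLS before the password is sent, and exactly one matching entry is required. The function names are hypothetical; the host and base DN are the post's placeholder values, and the code assumes PHP 7 or later with the ldap extension and a server that offers StartTLS and allows anonymous search.

```php
<?php
// Added example, not code from the original post. LDAP_HOST and LDAP_BASE_DN
// reuse the post's placeholder values; the function names are hypothetical.
const LDAP_HOST    = 'ldap://ldap.domain.com';
const LDAP_BASE_DN = 'dc=domain,dc=com';

/**
 * Build the search filter from the post with the login name escaped for
 * filter context (RFC 4515), so * ( ) \ and NUL only ever match literally.
 */
function build_user_filter(string $name): string
{
    $safe = ldap_escape($name, '', LDAP_ESCAPE_FILTER);
    return "(&(objectclass=person)(userPassword=*)(|(uid=$safe)(cn=$safe)))";
}

/** Search-then-bind login: true only if $pass authenticates the single entry matching $name. */
function od_login(string $name, string $pass): bool
{
    // A bind with a DN and an empty password is an "unauthenticated bind"
    // (RFC 4513) that a server may accept, so reject empty input up front.
    if ($name === '' || $pass === '') {
        return false;
    }

    // 1. connect (ldap_connect only prepares the handle; network I/O starts later)
    $conn = ldap_connect(LDAP_HOST);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    try {
        // Upgrade to TLS before any password crosses the network.
        // Assumption: the directory server offers StartTLS on the LDAP port.
        if (!@ldap_start_tls($conn)) {
            return false;
        }

        // 2. search for the user; '1.1' requests no attributes, only the DN.
        //    A size limit of 2 is enough to tell "exactly one" from "several".
        $result = @ldap_search($conn, LDAP_BASE_DN, build_user_filter($name), ['1.1'], 0, 2);
        if ($result === false || ldap_count_entries($conn, $result) !== 1) {
            return false; // not found, or ambiguous: fail closed
        }
        $entry = ldap_first_entry($conn, $result);
        if ($entry === false) {
            return false;
        }
        $userDn = ldap_get_dn($conn, $entry);
        if ($userDn === false) {
            return false;
        }

        // 3. and 4. bind as that DN with the supplied password
        return @ldap_bind($conn, $userDn, $pass);
    } finally {
        ldap_unbind($conn);
    }
}

// Constructed sample input: print the escaped filters when this file is run from the CLI.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    foreach (['jsmith', 'j*', 'smith (ops)'] as $sample) {
        echo build_user_filter($sample), PHP_EOL;
    }
}
```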

  • SAMPLE RECEIVING OPEN INTERFACE SCRIPT (script for ROI users)

    Product: MFG_PO
    Date written: 2006-05-11
    SAMPLE RECEIVING OPEN INTERFACE SCRIPT (script for ROI users)
    ================================================================
    PURPOSE
    This is a tool made to make the Receiving Open Interface (ROI) easier
    to use. With this script, the user enters a PO no, user id and Org id,
    and the script fetches the minimum data from the PO and inserts it into
    the ROI in order to create a receiving transaction.
    The Receiving Transaction Processor then processes the inserted data.
    Explanation
    Instructions:
    1. Copy the script exroi.sql to the local computer, or cut and paste the
    script contents into a text editor in the sqlplus environment.
    2. Decide on a usable PO no, User id and Org id.
    3. At the sqlplus prompt, enter the following.
    SQL> @ezroi.sql
    4. You will see prompts asking you to enter the PO no, User id and Org id.
    5. The exroi.sql script fetches the relevant PO data and inserts it into the
    rcv_headers_interface and rcv_transactions_interface tables.
    If the PO shipment line is closed, cancelled or fully received, no data
    is inserted into the ROI tables.
    Note: This script does not validate the data; only the ROI API's own
    validation is run.
    6. When the script finishes, you can run the Receiving Transaction Processor
    to process the inserted lines. On the Transaction Status Summary screen you
    can check whether a processed line is in pending or error status.
    Notes:
    1. How to find the Org_id parameter value:
    a) Log in to the Application and go to Help> Diagnostics> Examine.
    Select Block:$Profile$, Field: ORG_ID.
    b) Note the ORG_ID value and enter it at the ORG_ID prompt.
    2. How to find the User_Name parameter value:
    a) Log in to the Application and go to Help> Diagnostics> Examine.
    Select Block:$Profile$, Field: USER_NAME.
    b) Note the USER_NAME value and enter it at the USER_NAME prompt.
    Example
    "eZROI.sql" script...
    --*** eZROI ***
    --*** by ***
    --*** Preston D. Davenport ***
    --*** Oracle Premium Applications Support ***
    --*** Oracle Worldwide Global Support Services ***
    --*** Date: 23-JUL-2003 - Beta release ***
    --*** Date: 09-SEP-2003 - Rev A Added multi- ***
    --*** shipment line capability ***
    --*** Parameters: ***
    --*** ORG_ID Organization ID ***
    --*** USER_NAME FND User Name ***
    --*** PO_NUMBER Purchase Order Number ***
    --*** This script intended for a standard Purchase ***
    --*** Order document to be inserted into the Oracle ***
    --*** Receiving Open Interface (ROI) via the standard ***
    --*** Oracle open interface api for a simple Receive ***
    --*** transaction. ***
    --*** Note: This script only considers open Purchase ***
    --*** Orders. This script will not allow over- ***
    --*** receipt, cancelled or closed PO's to be ***
    --*** inserted into the ROI and received ***
    CLEAR BUFFER
    SET VERIFY OFF
    SET LINESIZE 140
    SET PAGESIZE 60
    SET ARRAYSIZE 1
    SET SERVEROUTPUT ON SIZE 100000
    SET FEEDBACK OFF
    SET ECHO OFF
    DECLARE
    X_USER_ID NUMBER;
    X_PO_HEADER_ID NUMBER;
    X_VENDOR_ID NUMBER;
    X_SEGMENT1 NUMBER;
    X_ORG_ID NUMBER;
    X_LINE_NUM NUMBER;
    BEGIN
    DBMS_OUTPUT.PUT_LINE('***ezROI RCV API Insert Script***');
    SELECT PO_HEADER_ID , VENDOR_ID , SEGMENT1 , ORG_ID
    INTO X_PO_HEADER_ID , X_VENDOR_ID , X_SEGMENT1 , X_ORG_ID
    FROM PO_HEADERS_ALL
    WHERE SEGMENT1 = '&PO_NUMBER'
    AND ORG_ID = &ORG_ID;
    SELECT USER_ID INTO X_USER_ID
    FROM FND_USER
    WHERE USER_NAME = UPPER('&USER_NAME');
    INSERT INTO RCV_HEADERS_INTERFACE
    (
    HEADER_INTERFACE_ID ,
    GROUP_ID ,
    PROCESSING_STATUS_CODE ,
    RECEIPT_SOURCE_CODE ,
    TRANSACTION_TYPE ,
    LAST_UPDATE_DATE ,
    LAST_UPDATED_BY ,
    LAST_UPDATE_LOGIN ,
    VENDOR_ID ,
    EXPECTED_RECEIPT_DATE ,
    VALIDATION_FLAG
    )
    SELECT
    RCV_HEADERS_INTERFACE_S.NEXTVAL ,
    RCV_INTERFACE_GROUPS_S.NEXTVAL ,
    'PENDING' ,
    'VENDOR' ,
    'NEW' ,
    SYSDATE ,
    X_USER_ID ,
    0 ,
    X_VENDOR_ID ,
    SYSDATE ,
    'Y'
    FROM DUAL;
    DECLARE
    CURSOR PO_LINE IS
    SELECT PL.ITEM_ID , PL.PO_LINE_ID , PL.LINE_NUM ,
    PLL.QUANTITY , PL.UNIT_MEAS_LOOKUP_CODE ,
    MP.ORGANIZATION_CODE , PLL.LINE_LOCATION_ID ,
    PLL.CLOSED_CODE , PLL.QUANTITY_RECEIVED ,
    PLL.CANCEL_FLAG, PLL.SHIPMENT_NUM
    FROM PO_LINES_ALL PL ,
    PO_LINE_LOCATIONS_ALL PLL ,
    MTL_PARAMETERS MP
    WHERE PL.PO_HEADER_ID = X_PO_HEADER_ID
    AND PL.PO_LINE_ID = PLL.PO_LINE_ID
    AND PLL.SHIP_TO_ORGANIZATION_ID = MP.ORGANIZATION_ID;
    BEGIN
    FOR CURSOR1 IN PO_LINE LOOP
    IF CURSOR1.CLOSED_CODE IN ('APPROVED','OPEN')
    AND CURSOR1.QUANTITY_RECEIVED < CURSOR1.QUANTITY
    AND NVL(CURSOR1.CANCEL_FLAG,'N') = 'N'
    THEN
    INSERT INTO RCV_TRANSACTIONS_INTERFACE
    (
    INTERFACE_TRANSACTION_ID ,
    GROUP_ID ,
    LAST_UPDATE_DATE ,
    LAST_UPDATED_BY ,
    CREATION_DATE ,
    CREATED_BY ,
    LAST_UPDATE_LOGIN ,
    TRANSACTION_TYPE ,
    TRANSACTION_DATE ,
    PROCESSING_STATUS_CODE ,
    PROCESSING_MODE_CODE ,
    TRANSACTION_STATUS_CODE ,
    PO_LINE_ID ,
    ITEM_ID ,
    QUANTITY ,
    UNIT_OF_MEASURE ,
    PO_LINE_LOCATION_ID ,
    AUTO_TRANSACT_CODE ,
    RECEIPT_SOURCE_CODE ,
    TO_ORGANIZATION_CODE ,
    SOURCE_DOCUMENT_CODE ,
    DOCUMENT_NUM ,
    HEADER_INTERFACE_ID ,
    VALIDATION_FLAG
    )
    SELECT
    RCV_TRANSACTIONS_INTERFACE_S.NEXTVAL ,
    RCV_INTERFACE_GROUPS_S.CURRVAL ,
    SYSDATE ,
    X_USER_ID ,
    SYSDATE ,
    X_USER_ID ,
    0 ,
    'RECEIVE' ,
    SYSDATE ,
    'PENDING' ,
    'BATCH' ,
    'PENDING' ,
    CURSOR1.PO_LINE_ID ,
    CURSOR1.ITEM_ID ,
    CURSOR1.QUANTITY ,
    CURSOR1.UNIT_MEAS_LOOKUP_CODE ,
    CURSOR1.LINE_LOCATION_ID ,
    'RECEIVE' ,
    'VENDOR' ,
    CURSOR1.ORGANIZATION_CODE ,
    'PO' ,
    X_SEGMENT1 ,
    RCV_HEADERS_INTERFACE_S.CURRVAL ,
    'Y'
    FROM DUAL;
    DBMS_OUTPUT.PUT_LINE('PO line: '||CURSOR1.LINE_NUM||' Shipment: '||CURSOR1.SHIPMENT_NUM||' has been inserted into ROI.');
    ELSE
    DBMS_OUTPUT.PUT_LINE('PO line '||CURSOR1.LINE_NUM||' is either closed, cancelled, received.');
    END IF;
    END LOOP;
    DBMS_OUTPUT.PUT_LINE('*** ezROI COMPLETE - End ***');
    END;
    COMMIT;
    END;
    /
    SET VERIFY ON
    Reference Documents
    Note 245334.1

    I have the same problem on ESXI 5.5 for over a month now, tried the patches, tried the LTS kernel which others say results in an immediate result without patches, nothing seems to work and nobody seems to be able to offer a solution.
    Did you make any progress?
    Error! Build of vmblock.ko failed for: 3.10.25-1-lts (x86_64)
    Consult the make.log in the build directory
    /var/lib/dkms/open-vm-tools/2013.09.16/build/ for more information.
    make[2]: *** No rule to make target '/var/lib/dkms/open-vm-tools/2013.09.16/build/vmblock/linux/inode', needed by '/var/lib/dkms/open-vm-tools/2013.09.16/build/vmblock/vmblock.o'. Stop.
    Makefile:1224: recipe for target '_module_/var/lib/dkms/open-vm-tools/2013.09.16/build/vmblock' failed
    make[1]: *** [_module_/var/lib/dkms/open-vm-tools/2013.09.16/build/vmblock] Error 2
    make[1]: Leaving directory '/usr/src/linux-3.10.25-1-lts'
    Makefile:120: recipe for target 'vmblock.ko' failed
    Last edited by crankshaft (2014-01-10 11:32:32)

  • Binding to Active Directory Problem. I am a Newb! probably something stupid

    Hey All,
    Trying to get my Apple Xserve to join our Windows domain. I got it to bind and the user accounts show up on the machine, but then it asks me to join it to the Active Directory Kerberos realm. I am confused.
    What I am trying to do is join it to the Windows domain for my admin account on the actual server and then set up local user accounts on the machine so when my Mac users log in they authenticate using the local Mac account and not the Windows domain account. Does this make sense? From what I read, Macs authenticate using the local account before going to the Windows account, which is what I want. I am a total newb to this so forgive me for the stupid questions.
    cheers all,
    jess

    Hi
    set up the xserve as an Open directory Master
    will it play nice on the network
    with the rest of the windows servers that we have.
    There should be no problem in doing this. All you need to do is decide whether you want your Mac Server to run its own DNS Service or to use the existing DNS service being provided by the AD Server. Open Directory Master requires DNS Services running somewhere.
    i just want to have a mac studio of about 35 people be
    kind of an island within a sea of windows users. If
    there can be cross over there then fine.. but really
    i want the mac to work well with the apple server and
    if i can get the windows clients hooked up also then
    fine.
    There should be no problem with this.
    When you say studio do you mean a graphics design studio? Or are you talking about a video production studio? If the answer is yes to either one or both then perhaps a simple file server would do. An Open Directory Master is OK in this environment but your network needs to be up to job. Ideally gigabit ethernet certainly for video production and also if your studio are heavy photoshop users. You could get away with 100Base-T but with 35 heavy users editing files stored on the server as well as Home folders it may be a bit too much. If this is the situation in your studio you would be better placed working locally and saving the files back to the server at the end of the day. You would set up your users with names and passwords in the OD directory node. Your studio can use those account details to log on to the server to access share points but still work locally if they need to. If you start windows services on the mac server then there should be no reason for windows clients to access share points on the mac server as well. Be careful how you configure windows services as you already have existing PC servers on the network.
    As you have already stated your aim is to keep the Macs completely separate from the PCs, consider connecting all your Macs to a separate switch and have them running off a different IP address range and subnet mask. You could then use an intervening router to handle traffic between the two networks; this way you control cross-platform access to shared resources. If you understand networks, routers etc. then you should be able to accomplish this without too much trouble. Again, searching the Server forums should give you plenty of ideas and advice on the best way to achieve what you want. As ever, defining and deciding what you want the server to do is half the problem.

  • Open Directory Migration Question

    Setup:
    My company has two servers, both running 10.5.6. We are migrating from the server Fubar (xserve) as it has had a lot of problems and we want to do a fresh install on it (I was not the admin who initially set it up).
    In order to get a 'fresh' OD going, we are recreating all the accounts on the new server Edoras (powerpc mac pro), making sure to preserve UID of the users.
    Problem:
    User A cannot change his password on Edoras after Directory Utility has been changed to point at it. He can change his password locally, but it does not propagate to Edoras, nor does a password change on Edoras affect his local machine.
    The questions I haven't been able to get answers for are:
    * Should the OD search string be different on Fubar and Edoras? Currently our search string is 'dc=fubar,dc=domain,dc=com'.
    * Are there other attributes that have to be set up in OD besides UID? I noticed when using the Target tab in Workgroup Manager that there is a GeneratedUID attribute, does this need to match?
    Thanks for any information/help.

    I did something like this recently. Unfortunately I couldn't get an answer on the Internet and had to re-configure Directory Access on the client machines manually.
    I moved our system from a PowerMac G4 with several upgrades (eSATA card, eSATA Coolgear Enclosure, 7200.11 (yeah I know, bad drives to use) Seagate drives, 1.8 GHz PPC 7447 upgrade, 1.5GB of RAM) to a new Mac Pro with a Highpoint RAID controller. The old G4 was very unreliable and couldn't hand
    I had to go to each machine with ARD, open Directory Access, delete the LDAP entry and re-enter it. This was really annoying and confusing for me as the old server and the new server had:
    The same version of OSX (ok, one was a PPC version and I special ordered the Intel version from Apple Tech Support), but they both were running 10.4.11 with the newest security patches.
    The same OD Search Strings
    The same IP Address for the Server
    The same DNS name for the server
    and the same user IDs and group settings
    and I still had to re-do Directory Access using the client machines. Before re-doing the Directory Access re-binding I would try to log in. The "other" icon would appear on the login window, but when I would log in with the correct username and password the login window would "shake its head" and wouldn't let me log in.
    The biggest pain was that portable directories didn't sync correctly anymore, so I had to manually back up, then delete the account, then re-bind, then re-create and restore the portable directory on each laptop manually.
    Unfortunately I do not know the unix command to change directory binding to client computers using ARD. If such a command exists it would make things much easier for you. Does anyone know if a command exists?

  • Open directory unable to start up after crash

    Hi everyone,
    Our OS X Server 10.8.4 crashed. After booting up again open directory doesn't want to start up so LDAP isn't running which means nobody can access their mails or do anything.
    When trying to start the Open Directory service in the "Server" app it just says "Unable to load replica list"
    Looking at the Open Directory Log after trying to switch it on this is what I get :
    2013-06-28 15:22:53.830872 SAST - 43.7184, Module: AppleODClientLDAP - unable to create LDAP connection context - no server specified
    2013-06-28 15:22:53.830888 SAST - 43.7184 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
    2013-06-28 15:22:53.830888 SAST - 43.7184, Module: AppleODClientLDAP - unable to open connection to LDAP server - unable to create connection context
    2013-06-28 15:23:23.832473 SAST - 43.7189 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
    2013-06-28 15:23:23.832473 SAST - 43.7189, Module: AppleODClientLDAP - unable to create LDAP connection context - no server specified
    2013-06-28 15:23:23.832488 SAST - 43.7189 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
    2013-06-28 15:23:23.832488 SAST - 43.7189, Module: AppleODClientLDAP - unable to open connection to LDAP server - unable to create connection context
    Does anyone have any advice on how to get it up and running again? I'd hate to lose all my users emails and do the server over. I have a time machine backup of a week ago as well which I guess is the second-to-last resort to restore the entire server from there?
    Please help, I'm desperate here
    Thanks
    J

    I was able to restore the existing server with the automatic OD backup that Server.app creates. When my OD fails to start after a crash and db_recover commands don't work, it's always worked for me to restore the odmaster from a backup using the command:
    sudo slapconfig -restoredb /private/var/backups/ServerBackup_OpenDirectoryMaster.sparseimage
    I'm careful to keep an independent OD backup with Carbon Copy Cloner and this preflight script.
    You can also grab an earlier version of the sparse image ServerBackup_OpenDirectoryMaster.sparseimage from a Time Machine backup. It's also possible to rsync the database files directory from a Time Machine backup.
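
A way to triage the log excerpt quoted in the question above, as an added example that is not part of the original thread: it groups the opendirectoryd records by request id, keeps the first error of each request, and measures the gap between attempts. The record layout is an assumption inferred from the seven quoted lines only, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# The seven opendirectoryd records quoted in the post above, embedded as sample input.
SAMPLE_LOG = """\
2013-06-28 15:22:53.830872 SAST - 43.7184, Module: AppleODClientLDAP - unable to create LDAP connection context - no server specified
2013-06-28 15:22:53.830888 SAST - 43.7184 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
2013-06-28 15:22:53.830888 SAST - 43.7184, Module: AppleODClientLDAP - unable to open connection to LDAP server - unable to create connection context
2013-06-28 15:23:23.832473 SAST - 43.7189 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
2013-06-28 15:23:23.832473 SAST - 43.7189, Module: AppleODClientLDAP - unable to create LDAP connection context - no server specified
2013-06-28 15:23:23.832488 SAST - 43.7189 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
2013-06-28 15:23:23.832488 SAST - 43.7189, Module: AppleODClientLDAP - unable to open connection to LDAP server - unable to create connection context
"""

# Assumed layout: timestamp, zone, request id, optional ", Module: <name>", then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ - "
    r"(?P<req>\d+\.\d+)(?:, Module: (?P<module>\S+))? - (?P<msg>.*)$")

def parse(log_text):
    """Group records by request id: first timestamp, calling client, module errors in file order."""
    requests = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a record in the assumed layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        rec = requests.setdefault(m["req"], {"first": ts, "client": None, "errors": []})
        rec["first"] = min(rec["first"], ts)
        if m["module"]:
            rec["errors"].append((m["module"], m["msg"]))
        elif m["msg"].startswith("Client: "):
            rec["client"] = m["msg"][len("Client: "):].split(",")[0]
    return requests

def summarize(requests):
    """Count each request's first error (the later one cites it) and the seconds between requests."""
    first_errors = Counter(r["errors"][0] for r in requests.values() if r["errors"])
    starts = sorted(r["first"] for r in requests.values())
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return first_errors, gaps

if __name__ == "__main__":
    causes, gaps = summarize(parse(SAMPLE_LOG))
    for (module, msg), n in causes.items():
        print(f"{n} request(s): {module}: {msg}")
    print("seconds between attempts:", [round(g) for g in gaps])
```

On the quoted excerpt this reduces the seven lines to a single repeating cause, the "no server specified" failure in AppleODClientLDAP, retried by opendirectoryd about every 30 seconds.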
