Moving from Active Directory (AD) to Open Directory (OD)
Does anyone have some scripts to move my exported LFID data from my Active Directory environment to my working OD environment. I do not want anything except Fullname or First, Last and username (for short name) to import. Passwords would be nice, but I have to get them out of AD first. I just don't want to recreate all the users.
Or the import format for importing to OD would be nice... I can edit the text file myself.
If the name of somain will remain the same then you don't have to do anything from BPC point of view.
You just to make sure that doing ping of "domain name" it will respond the new active directory GAD not the old one.
If the domain name was changed then from BPC point of view we are speaking actually about complete different users.
So the security must to be redone for all users.
domain1\user1 is different by dmain2\user1.
Regards
Sorin Radulescu
Similar Messages
-
Define a remote linux nfs home directory for an open directory's user
Hi,
I want to migrate from nis to open directory. Everything but "auto homes" looks good. As I create a user with the workgroup manager, under the 'Home' tab, I'm unable to specify a remotre nfs home directory(linux).
So, I want client01(linux) to authenticate on macsvr01(mac osX 10.6.2 / opendirectory). When authenticated, I want macsvr01 to tell client01 that it's home directory is hosted nfs on linuxsvr01(linux nfs file server).
When i look the workgroup manager, the only possibility seems to be 'afp'.
When I try to specificy nfs entries, I can't validate my setting because the 'Ok' button remains grayed out.
Any suggestions?
Thank you,
LucI assume you are creating folders in a file server and its a windows machine , is it ?
You can install a remote manager on file server or on any other machine in network and execute your scripts remotely using remote manager
Also you can execute your script like wscript c:\CreateFolder.vbs
Thanks
Suren
Edited by: Suren.Singh on Aug 10, 2010 3:20 PM -
Application launches fail after wake up from sleep when switching from one open directory to another
I take my MacBook Pro back and forth from home to work. Open Directory is set up at both locations running on Snow Leopard server. These two locations are entirely separate domains and IP networks. The only thing that is the same is my username and password, which is the same in both locations.
If I put my machine to sleep in one location and move to the other location and wake it up, I can usually launch one application, then no other applications launch and the machine is pretty much frozen up except for mouse cursor movement. Using command-shift-escape and relaunching the finder doesn't help.
It is as if the launch daemon has been made inoperative. Apps just sit and bounce.
Should one be able to log in one one network with open directory. Close all applications, move to an entirely different network, and wake up from sleep and continue working? The login/password is identical on both open directory setups.
Both home and work are set up so the users can "travel" and the machines are not "bound" to the open directory server.
I've started using the "other" login box to login in which I think keeps the machine more independent of open directory and that seems to work better for moving between networks.
Any ideas and/or comment welcome.
(my DNS seems fine in both environments. running changeip gets "success" in both places)After reading another post that popped up under "More Like This" after I posted this I may have found at least a temporary fix. Unplugging and reseating the MDP adapter in the MacPro didn't accomplish anything but unplugging/reseating the HDMI plug in the Viewsonic brought it back to life.
I guess I can live with this but it would be nice knowing that there's a more permanent fix for this. -
Date and Time Sync at boot for Active Directory/Open Directory Authenticati
All the macs in my school district are set to automatically sync their time with a network time server. They do not do this unless the system preference is opened. This poses a problem as all our users must authenticate against an Active Directory and an Open Directory server. If the time is out of sync they can not login, and therefore can not fix the time. I must then login in with a local admin account set the time and then the network account can login. I have tried using direct IP addresses for the NTP server. That doesn't work either. I have adjusted the tolerance of the AD server to accept a large discrepancy in time (did not work). Set the users to be mobile accounst (local home folders), did not work. The only fix will be to ensure that the time does sync at boot, before login. Is there a way to force the computer to sync at boot to a given NTP server, prior to the login window appearing?
I have come up with my own solution for this issue. It is a two part solution. We found that the computers are experiencing time drift and that after they get out of sync by 5 minutes they can no longer login. One would think that the setting in the Date and Time system preference to automatically synchronize the time would take care of this. That however is not the case that check mark does not affect the ntp service at all. It merely eliminates the need to click a button when entering the system preference. How did we discover this? well that is part of the solution. We used webmin (http://www.webmin.com) to look at the ntp configuration. No matter what changes we made with the Date & Time preferences nothing changed in the system ntp settings. So on to the solution: Install webmin, and configure the ntp protocol manually to sync at your desired interval (I did hourly). This stops time drift. Next create a startup item and associated plist to force time sync at boot (be sure to loop it as different machines initialize their network cards slower). I have made ours available for download (http://www.manheimcentral.org/~getzt/netTime.zip). I hope this helps others. We have found that this works fairly well.
-
Do I need Open Directory for multiple email addresses for Calendar users?
Hey all,
I have a single mac mini which I use simply as a calendar server for +/- 20 users. One day I might use Profile Manager to manage their iOS devices too. On the initial installation, we enabled Open Directory, although I'm not sure that it's required, and we have no plans re using it to manage network logins etc aside from existing calendaring.
I'm working through a migration from a Lion Server.app install to Mavericks, and due to some data corruption issues, we'll probably just rebuild the server and reimport the users calendars.
On my existing Lion Server installation, I can still use workgroup manager to assign multiple email addresses to calendar users, so that when a user invites another user to a calendar event using any of their email addresses (we have several variations), the invitation still gets pushed to the correct calendar user.
On Mavericks, without installing Open Directory, it seems I can't do this (I've downloaded Workgroup Manager for Mavericks, but it obviously can't connect to a local open directory). If Open Directory is optional, I'd rather not install it, to avoid overhead and complexity, but I still need a way to manage these multiple email addresses (aliases doesn't cut it).
Any ideas / suggestions?
Thanks,
DFor Calendar server to send actual email invitations to an attendee, two things must happen:
First, you need to configure Server.app > Calendar > Enable invitations by email. Enabling that will bring up a wizard dialog that will step you through the IMAP and SMTP account settings. The default values in that wizard will tell Calendar server to use the local Mail server (which you then would have to configure to use the appropriate SMTP relay, etc.). Or you can change the wizard settings to refer to an external IMAP and SMTP server. It is wise to use a dedicated IMAP account for Calendar server's use -- don't go using someone's personal IMAP account because there might be some "undesirable interactions", let's say. If you need help configuring this for, say, a Gmail account, I can help with that.
Second, the email address for the attendee must *not* be known to Calendar server, i.e. it should *not* be in the Directory. As you probably found out, if Calendar server sees that the attendee has an email address that is in the Directory, the attendee is considered to be "local" and the invitation will be delivered directly to the attendee's calendar client. If you simply leave those other email variations out of the Directory, Calendar server will consider that attendee "remote" and will send an actual email with a special attachment that calendar clients can understand.
Hope that helps. -
Authentication Delays / Slow Authentication for Open Directory Users
I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
* On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
* In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
* On a remote computer, sharing the screen using an Open Directory user take several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
* Connecting with AFP takes several seconds when using an Open Directory login
* On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
* Connecting with SSH does NOT exhibit the behavior
In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
The history of the problem:
Used Tiger Server for over a year = no problems
Clean install of Leopard Server 10.5.0 back in October = no problems
Update to Leopard Server 10.5.1 = no problems
Then, all of the sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
So in desperation I backed up and did a clean install today. Here's the process I used:
0. Erase the disk
1. Install Leopard Server 10.5.0 from the install DVD
2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
3. Reboot
4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
5. Reboot
6. Configure DNS (see below for detailed configuration)
7. Reboot
8. Change role to Open Directory Master
9. Reboot
... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
== Basic Configuration ==
OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
Services Enabled:
DNS
Open Directory
(All other services are not yet enabled)
== DNS Setup ==
Primary Zone: mydomain.private.
Allows zone transfer: no
Nameservers: ns.mydomain.private.
myserver (Machine) 10.0.22.201
ns (Alias) myserver.mydomain.private.
Reverse Zone: 22.0.10.in-addr.arpa.
10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
Accept recursive queries from the following networks:
localnets
Forwarder IP Addresses:
208.67.222.222
208.67.220.220
== Open Directory Setup ==
Role: Open Directory Master
LDAP Search Base: dc=myserver,dc=mydomain,dc=private
Kerberos Realm: myserver.mydomain.private
== Network Configuration ==
Configure: Manually
IP Address: 10.0.22.201
Subnet Mask: 255.255.255.0
Router: 10.0.22.1
DNS Server: 127.0.0.1
Search Domains: mydomain.private
== Other Stuff ==
Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
Hopefully one of the gurus out there will be able to help me out.
Thanks,
jeffI gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principles in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
== kdc.log ==
Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
== slapd.log ==
Dec 30 18:21:48 myserver slapd[36]: <= bdbsubstringcandidates: (authAuthority) index_param failed (18)
Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
== sudo klist -k ==
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
3 cifs/[email protected]
3 cifs/[email protected]
3 cifs/[email protected]
3 ldap/[email protected]
3 ldap/[email protected]
3 ldap/[email protected]
3 xgrid/[email protected]
3 xgrid/[email protected]
3 xgrid/[email protected]
3 vpn/[email protected]
3 vpn/[email protected]
3 vpn/[email protected]
3 ipp/[email protected]
3 ipp/[email protected]
3 ipp/[email protected]
3 xmpp/[email protected]
3 xmpp/[email protected]
3 xmpp/[email protected]
3 XMPP/[email protected]
3 XMPP/[email protected]
3 XMPP/[email protected]
3 host/[email protected]
3 host/[email protected]
3 host/[email protected]
3 smtp/[email protected]
3 smtp/[email protected]
3 smtp/[email protected]
3 nfs/[email protected]
3 nfs/[email protected]
3 nfs/[email protected]
3 http/[email protected]
3 http/[email protected]
3 http/[email protected]
3 HTTP/[email protected]
3 HTTP/[email protected]
3 HTTP/[email protected]
3 pop/[email protected]
3 pop/[email protected]
3 pop/[email protected]
3 imap/[email protected]
3 imap/[email protected]
3 imap/[email protected]
3 ftp/[email protected]
3 ftp/[email protected]
3 ftp/[email protected]
3 afpserver/[email protected]
3 afpserver/[email protected]
3 afpserver/[email protected] -
Can't log in to Lion Server. Open Directory Log Message says: unable to connect to password server
I am setting up Lion Server. I can't log in to Lion Server from client.
Checking the Open Directory Log: says: "unable to connect to password server" or
"3394.14268, Node: /LDAPv3/127.0.0.1, Module: AppleODClient - unable to read Password Server response - connection to Password Server was closed, socket fd 18 (5205)"
Thanks for help with this.I never discovered the problem, and instead rebuilt the server from the ground up. I followed instructions at this discussion thread. Very helpful.
How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.
I have had some log-in problems with users. I have found that restarting the server helps. If this doesn't work, I rebuild permissions on the server, followed by opening up Workgroup Manager, go to the user's password, click on options and require that the user change password on the next log-in. For some reason, this will usually fix the problem. I then log in as the user, and "change" the password to the original one. Also note, that if you import a user, the password is not brought in. You must enter it for each user that you imported. Even so, I have often had to resort to the re-set password procedure to enable a log-in. -
Showing Open Directory Groups on XP
Hello,
I want to add an open directory created group (of an open directory master) to a workstations Power Users group in XP.
I have:
Setup open directory as an open directory master.
Setup Samba as a PDC.
Kerberos and dns are setup correctly.
everything shows it's running fine.
added users, and then added groups in Workgroup Manager.
Added the SMBRID of 512 to one created group so it automatically maps to the Domain Admins.
That works great.
Can't figure out for the life of me how to get my groups I created to be selectable in XP so I can add them to the Power Users group. They just don't show up. Other groups that are in the local directory show up. Groups like _amavisd show up. So what is the key?
It would be great if someone somewhere knows the answer to this as I have been banging my head against the wall for two weeks now.
Thanks in advance to anyone who knows.....Hello,
I'm answering my own post here. After a couple weeks of banging my head against the wall I found one solution in the forums, but it may not be easy to find so here is the solution for adding groups you have created in OD to the local power users group.
If you click add user in the user manager window (which pops up after double clicking users in the control panel) and then enter the group name, it can be the full name even with spaces, in the user field, and then put the domain in, and then add the user, select other for group and then pick power users, and finish/ok. Now if you reboot and go look at the groups under user settings advanced you will see that it has added that group to the power users, and is not listed under users.
Freaking weird that you can add this way, and that the groups still do not show when you do a search for them, but hey, it works. Hope this helps someone. -
How to transfer user accounts from Active Directory to Open Directory
Please help me , want to tranfer user accounts from Active Directory (Windows server 2012 ) to Open Directory (OS X server 10..2.9)
Hi,
Go to the advanced administration for the OSX Server:
https://help.apple.com/advancedserveradmin/mac/3.1/#apd6D7FE39D-32AA-400C-91E1-5 0ABC15655C8
This pretty easy way of connecting your server to the Windows server should give AD users access to OD services. That will be a good start.
Read up on this as well:
http://support.apple.com/kb/PH15469
Do you want to import them all or just the Mac users?
Goodluck!
Jeffrey -
Moving Mail Users from a Local Directory to Open Directory
Hi,
We have been running a standalone mail server for a few years. We have recently upgraded to 10.5 for all of our servers. We have also been running an Open Directory server for the last year or so. Now I am trying to move my email users from the Local Directory on the Mail server to the LDAP server. Obviously we do not want to change account names, so I find I need to delete the local user and then enable the user through the LDAP. This works fine, but I need to bring the original IMAP files/folders forward.
My question is what is the best practice? I thought backing up the Mail folder in each user's Library and reimporting it would work, but it won't take the IMAP mbox (I can see all the .emlx files in the backup of the user's Mail folder).
So again, I had a user called user1 in my mail server Local directory say server1. I also have an Open Directory server2 with the same username on it. I have bound server1 to server2. I can see the server2 (OD) accounts on the server1 (mail). I then need to delete user1 from Local server1 directory in order to enable mail to user1 from the OD. This does work, but again, I need bring the mail files/folders to the new OD account on server1.
thanks,
mikeTony,
Let me check of the migration manual, thank you!
I really thought this was going to easier than this. The current accounts are IMAP, and therefore when I "hook up" the new OD account, which doesn't really need anything done on the client side because it is the same username and password and server as the current Local account. When it syncs, the old emails on the IMAP account in the user's Mail program clear since the new OD account is empty on the server.
I just really thought duplicating the Mail folder in the client's home Library would allow me to import the emails back in. I have tried highlighting the mailboxes (Inbox, and personal folders), archiving them, and then reimporting seemed to work, but I need to beat it up before I start working on live accounts. One account I did try lets me read the emails from the user, but when I try dragging them to the IMAP folders from the import folder, I get a NULL character problem on IMAP append error. NOT to chase that, but it was something else that tripped me up.
You do bring up a good point, I think the accounts were originally setup as POP and IMAP. I'll chase some ideas about that.
Let me play around, you've been great considering my awful explanation of this different situation.
thanks again,
mike -
Directory Binding Script (Active and Open Directory) 10.7
Hi everyone
I'm reposting this in the right thread. I've written a Directory Binding Script for 10.6 and ported it now to 10.7 as among the things that have changed in the upgraded version is a refurbished directory binding enviroment.
The original thread can be found here: https://discussions.apple.com/thread/3090068. The script is applicable for clients as well and simplifies the binding process considerably.
Be aware that the reformatted script here contains some faulty line breaks. So you'll have to correct them in a proper text editor.
#!/bin/sh
#Uncomment the following line to abort the script on errors
#trap exit ERR
## Script to automate OD and AD Binding of Mac OS X 10.7 Servers
## Script written by Marc Horat, URZ Basel, 11.6.2010
## Updated: 12.08.2011
# With the use of the following sources as inspiration:
# http://www.howtomac.co.uk/?p=247
#Created by Ross Hamilton
#Clock restart / Remove existing settings
#Join to Open Directory and Active Directory
# Bombich's AD-Bind Script:
# This script binds to AD and configures advanced options of the AD plugin
# As this scripts contains a password, be sure to take appropriate security
# precautions
# A good way to run this script is to set it as a login hook on your master machine
# Because it only needs to be run once, the last thing this script does is to delete
# itself. If you have another login script that you typically run, include the
# script on your master machine, and indicate its path in the "newLoginScript"
# variable.
# If running this as a one-time login hook to bind to AD after imaging,
# be sure to enable auto-login (for any local user) before creating your master image
#################CONFIGURATION##########################
#OD
# These variables need to be configured for your env
odAdmin="YOURODADMIN" #enter your OD admin name between the quotes
odPassword="YOURODPW" # Enter your OD admin password between the quotes
oddomain="YOURODDOMAIN" # FQDN of your OD domain
computerGroup="YOURNEWODCOMPGROUP" # Add appropriate computer group you want machines to be added to, case sensitive
oldComputerGroup="YOUROLDODCOMPGROUP" # If the Computer is in a Group already
#AD
# Standard parameters
domain="YOURADDOMAIN" # fully qualified DNS name of Active Directory Domain
domainname="YOURADDOMAINNAME" #Name of the Domain as specified in the search paths
udn="YOURADADMIN" # username of a privileged network user
password="YOURADPW" # password of a privileged network user
ou="OU=YOUR,OU=OU,OU=URZ,OU=IN,DC=YOUR,DC=AD,DC=DOMAIN" # Distinguished name of container for the computer E.G. OU=Macs,OU=Computers,DC=AD,DC=DOMAIN,DC=CH
# Advanced options AD Plugin
alldomains="disable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="disable" # 'enable' or 'disable' force home directory to local drive
protocol="smb" # 'afp', 'smb' or 'nfs' (since 10.7) change how home is mounted from server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="enable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or "none"
preferred="-preferred $domain" # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="$domainname\YOURADADMINGROUP" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\macadmins")
packetsign="allow" # allow | disable | require
packetencrypt="allow" # allow | disable | require
passinterval="14" # number of days
namespace="domain" # forest | domain
# Login hook setting -- specify the path to a login hook that you want to run instead of this script
newLoginHook="" # e.g., "/Library/Management/login.sh"
################################# End of configuration
############ Begin of Script
# Host-specific parameters
# computerid should be set dynamically, this value must be machine-specific
# This value may be restricted to 19 characters! The only error you'll receive upon entering
# an invalid computer id is to the effect of not having appropriate privileges to perform the requested operation
#computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'` # MAC Address
#computerid=`hostname | sed 's/.unibas.ch//'`
#computerid=`/usr/sbin/scutil --get LocalHostName | cut -c 1-19` # Assure that this will produce unique names!
#computerid=`/usr/sbin/scutil --get LocalHostName`
computerid=`scutil --get ComputerName`
adcomputerid=`echo "$computerid" | tr [:lower:] [:upper:]`
# These variables probably don't need to be changed
# Determing if any directory binding exists
nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODtmp=`dscl localhost -list /LDAPv3 | grep -n 1 | sed 's/1://' | sed 's/2://'`
check4OD=${check4ODtmp//[[:space:]]/}
echo "Found LDAP: "$check4ODtmp
check4ODaccttmp=`dscl /LDAPv3/"$check4OD" -read Computers/"$computerid" RealName | cut -c 11-`
check4ODacct=${check4ODaccttmp//[[:space:]]/}
echo "Found LDAP-Computer-Account: "$check4ODacct
else
check4OD=""
check4ODacct=""
echo "No bound LDAP Server found"
fi
if [ $oldComputerGroup != "" ] && dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODgroupMembershiptmp=`dscl /LDAPv3/"$check4OD" -read ComputerGroups/"$oldComputerGroup" | grep "$computerid"`
check4ODgroupMembership=$check4ODgroupMembershiptmp
echo "LDAP Group Membership in Group: "$oldComputerGroup
else
check4ODgroupMembership=""
echo "No LDAP Group Membership defined or not bound to a server"
fi
if dscl localhost -list "/Active Directory" | grep $domainname > /dev/null
then
check4ADtmp=`dsconfigad -show | grep "Active Directory Domain" | sed 's/Active Directory Domain//' | sed 's/=//'`
check4AD=${check4ADtmp//[[:space:]]/}
echo "Found AD: "$check4AD
check4ADaccttmp=`dsconfigad -show | grep "Computer Account" | sed 's/Computer Account//' | sed 's/=//'`
check4ADacct=${check4ADaccttmp//[[:space:]]/}
echo "Found AD-Account: "$check4ADacct
else
check4AD=""
check4ADacct=""
echo "No AD-Account found"
fi
osversionlong=`sw_vers -productVersion`
osvers=${osversionlong:3:1}
#Time Sync
#Restart ntpdate
StartService ()
if [ "${TIMESYNC:=-YES-}" = "-YES-" ] && ! GetPID ntpd > /dev/null; then
CheckForNetwork
if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
touch /var/run/NetworkTime.StartupItem
echo "Starting network time synchronization"
# Synchronize our clock to the network’s time,
# then fire off ntpd to keep the clock in sync.
ntpdate -bvs
ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
fi
echo ""
echo ""
sleep 5
#### Removing any existing directory bindings
#Clear OD Computer Account and delete entry from Computer group
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "This computer is bound to the following Open Directory Services:"
dscl localhost -list /LDAPv3
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
sleep 5
if [ "${check4ODacct}" == "${computerid}" ]
then
echo "This machine already has a computer account on $oddomain."
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
echo "Found GUID: "$GUID
if [ "$oldComputerGroup" != "" ] && [ "$check4ODgroupMembership" != "" ]
then
echo "Removing entry from group $oldComputerGroup"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembership "${computerid}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembers "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerLists/"$oldComputerGroup" Computers "${computerid}"
fi
echo "Removing Computer entry $computerid in OD"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /Computers/"${computerid}"
fi
#List existing Directories
echo "Removing OD-Binding to "$check4OD
dsconfigldap -r "$check4OD"
echo "Removing Search Path entries"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
sleep 5
else
echo "No LDAP or OD Binding present.";
fi
echo ""
# Check a second time in order to delete any remaining LDAP-Bindings
echo "Scanning for further LDAP servers"
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "Found:"
dscl localhost -list /LDAPv3
echo "Removing OD-Binding to "$check4ODtmp
dsconfigldap -r "$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
sleep 5
else
echo "No further LDAP or OD Binding present."
fi
echo ""
echo ""
#Remove the Active Directory binding
if [ "$check4AD" != "" ]
then
echo "This computer is bound to the following Active Directory Services:"
dscl localhost -list "/Active Directory"
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
sleep 5
echo "Removing any existing AD-Binding to "$check4AD
dsconfigad -f -remove -username "$udn" -password "$password"
echo "Removing Search Path entries"
if [ "$preferred" != "-nopreferred" ]
then
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search/Contacts -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
fi
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
#remove search path entries from 10.6
if dscl /Search -read / CSPSearchPath | grep /Active > /dev/null
then
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
fi
sleep 5
else
echo "No Active Directory Binding present."
fi
echo ""
#Remove Existing Directory Services Config
echo "Removing existing DS Config"
if [ -d "/Library/Preferences/edu.mit.Kerberos" ]
then
rm -R /Library/Preferences/edu.mit.Kerberos
fi
if [ -d "/etc/krb5.keytab" ]
then
rm -R /etc/krb5.keytab
fi
# Clean up the DirectoryService configuration files
rm -Rfv /Library/Preferences/DirectoryService/*
#OD
echo ""
echo ""
echo "Binding to OD-Damin "$oddomain
sleep 5
dsconfigldap -v -a "$oddomain" -n "$oddomain" -c "$computerid"
echo "Killing opendirectoryd"
killall opendirectoryd
sleep 5
echo "Adding computer account $computerid to /LDAPv3/${oddomain} on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -create /Computers/"$computerid" ENetAddress "$nicAddress"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /Computers/"$computerid" RealName "$computerid"
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
# Add computer to ComputerList and ComputerGroup
if [ $computerGroup != "" ]
then
echo "Adding computer $computerid to OD group $computerGroup on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerLists/"$computerGroup" apple-computers "$computerid"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" apple-group-memberguid "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" memberUid "$computerid"
fi
echo "Finished OD Binding."
sleep 5 # Give DS a chance to catch up
echo ""
echo ""
echo "Performing the AD Binding"
#AD
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
#Use the existing AD-Computername or generate a new one
computeridtmp="default"
if [ "$check4ADacct" == "" ]
then
LEN=$(echo ${#adcomputerid})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$adcomputerid " has 15 characters or less and is therefore suitable for AD-Binding. It is $adcomputerid"
computeridtmp=$adcomputerid
else
echo "ComputerID "$adcomputerid " has 16 or more characters and needs to be modified for AD-Binding."
echo "Removing any -"
computeridtmp=${adcomputerid//-/}
LEN=$(echo ${#computeridtmp})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$computeridtmp" has now 15 characters or less and is therefore suitable for AD-Binding."
else
echo "Only using the last 15 characters of the Computer name to be able to bind to AD."
computeridtmp=${computeridtmp:(-15)}
fi
echo "Cropped Computername to "$computeridtmp
fi
else
computeridtmp=${check4ADacct//$/}
echo "Found existing AD Account previously, attempting to recreate in the OU: "$computeridtmp
fi
echo ""
# Bind to AD
echo "Binding to AD-Domain "$domain" with computerid "$computeridtmp
dsconfigad -f -add "$domain" -username "$udn" -password "$password" -ou "$ou" -computer "$computeridtmp"
echo ""
echo "Setting the Advanced AD Plugin options"
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]
then
dsconfigad -nogroups
else
dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains "$alldomains"
dsconfigad -localhome "$localhome"
dsconfigad -protocol "$protocol"
dsconfigad -mobile "$mobile"
dsconfigad -mobileconfirm "$mobileconfirm"
dsconfigad -useuncpath "$useuncpath"
dsconfigad -shell "$user_shell"
dsconfigad "$preferred"
dsconfigad -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval"
dsconfigad -namespace "$namespace"
sleep 5
echo ""
echo ""
# Add the OD & AD node to the search path
if [ "$alldomains" = "enable" ]
then
csp="/Active Directory/$domainname/All Domains"
else
csp="/Active Directory/$domainname"
fi
echo "Finished AD Binding."
echo "Adding Domain /LDAPv3/"$oddomain" and "$csp" to Search Path"
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
echo "Adding OD.."
dscl /Search -append / CSPSearchPath /LDAPv3/"$oddomain"
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/"$oddomain"
echo "Adding AD.."
#Adding all Domains first to improve reliability under 10.7
if [ "$alldomains" != "enable" ]
then
cspadall="/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "$cspadall"
dscl /Search -append / CSPSearchPath "$cspadall"
fi
dscl /Search/Contacts -append / CSPSearchPath "$csp"
dscl /Search -append / CSPSearchPath "$csp"
echo "Finished Updating Search Paths."
echo ""
echo ""
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall opendirectoryd
# Destroy the login hook (or change it)
if [ "${newLoginHook}" == "" ]
then
defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
else
defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook $newLoginHook
fi
sleep 5
# Customizing the login-Window
#defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
#defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool TRUE
#defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
# This works in a pinch if the above code does not
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
#plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
#killall opendirectoryd
# Disable autologin
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
srm /etc/kcpassword
echo ""
echo ""
echo ""
echo "Now bound to OD Domain:"
dscl localhost -list /LDAPv3
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
echo "Now bound to AD Domain:"
dscl localhost -list "/Active Directory"
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
exit 0 ## Success
exit 1 ## Failure
Any inputs, questions and improvement suggestions are, of course, most welcome!
Cheers
SeeHi everyone
I'm reposting this in the right thread. I've written a Directory Binding Script for 10.6 and ported it now to 10.7 as among the things that have changed in the upgraded version is a refurbished directory binding enviroment.
The original thread can be found here: https://discussions.apple.com/thread/3090068. The script is applicable for clients as well and simplifies the binding process considerably.
Be aware that the reformatted script here contains some faulty line breaks. So you'll have to correct them in a proper text editor.
#!/bin/sh
#Uncomment the following line to abort the script on errors
#trap exit ERR
## Script to automate OD and AD Binding of Mac OS X 10.7 Servers
## Script written by Marc Horat, URZ Basel, 11.6.2010
## Updated: 12.08.2011
# With the use of the following sources as inspiration:
# http://www.howtomac.co.uk/?p=247
#Created by Ross Hamilton
#Clock restart / Remove existing settings
#Join to Open Directory and Active Directory
# Bombich's AD-Bind Script:
# This script binds to AD and configures advanced options of the AD plugin
# As this scripts contains a password, be sure to take appropriate security
# precautions
# A good way to run this script is to set it as a login hook on your master machine
# Because it only needs to be run once, the last thing this script does is to delete
# itself. If you have another login script that you typically run, include the
# script on your master machine, and indicate its path in the "newLoginScript"
# variable.
# If running this as a one-time login hook to bind to AD after imaging,
# be sure to enable auto-login (for any local user) before creating your master image
#################CONFIGURATION##########################
#OD
# These variables need to be configured for your env
odAdmin="YOURODADMIN" #enter your OD admin name between the quotes
odPassword="YOURODPW" # Enter your OD admin password between the quotes
oddomain="YOURODDOMAIN" # FQDN of your OD domain
computerGroup="YOURNEWODCOMPGROUP" # Add appropriate computer group you want machines to be added to, case sensitive
oldComputerGroup="YOUROLDODCOMPGROUP" # If the Computer is in a Group already
#AD
# Standard parameters
domain="YOURADDOMAIN" # fully qualified DNS name of Active Directory Domain
domainname="YOURADDOMAINNAME" #Name of the Domain as specified in the search paths
udn="YOURADADMIN" # username of a privileged network user
password="YOURADPW" # password of a privileged network user
ou="OU=YOUR,OU=OU,OU=URZ,OU=IN,DC=YOUR,DC=AD,DC=DOMAIN" # Distinguished name of container for the computer E.G. OU=Macs,OU=Computers,DC=AD,DC=DOMAIN,DC=CH
# Advanced options AD Plugin
alldomains="disable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="disable" # 'enable' or 'disable' force home directory to local drive
protocol="smb" # 'afp', 'smb' or 'nfs' (since 10.7) change how home is mounted from server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="enable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or "none"
preferred="-preferred $domain" # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="$domainname\YOURADADMINGROUP" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\macadmins")
packetsign="allow" # allow | disable | require
packetencrypt="allow" # allow | disable | require
passinterval="14" # number of days
namespace="domain" # forest | domain
# Login hook setting -- specify the path to a login hook that you want to run instead of this script
newLoginHook="" # e.g., "/Library/Management/login.sh"
################################# End of configuration
############ Begin of Script
# Host-specific parameters
# computerid should be set dynamically, this value must be machine-specific
# This value may be restricted to 19 characters! The only error you'll receive upon entering
# an invalid computer id is to the effect of not having appropriate privileges to perform the requested operation
#computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'` # MAC Address
#computerid=`hostname | sed 's/.unibas.ch//'`
#computerid=`/usr/sbin/scutil --get LocalHostName | cut -c 1-19` # Assure that this will produce unique names!
#computerid=`/usr/sbin/scutil --get LocalHostName`
computerid=`scutil --get ComputerName`
adcomputerid=`echo "$computerid" | tr [:lower:] [:upper:]`
# These variables probably don't need to be changed
# Determing if any directory binding exists
nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODtmp=`dscl localhost -list /LDAPv3 | grep -n 1 | sed 's/1://' | sed 's/2://'`
check4OD=${check4ODtmp//[[:space:]]/}
echo "Found LDAP: "$check4ODtmp
check4ODaccttmp=`dscl /LDAPv3/"$check4OD" -read Computers/"$computerid" RealName | cut -c 11-`
check4ODacct=${check4ODaccttmp//[[:space:]]/}
echo "Found LDAP-Computer-Account: "$check4ODacct
else
check4OD=""
check4ODacct=""
echo "No bound LDAP Server found"
fi
if [ $oldComputerGroup != "" ] && dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODgroupMembershiptmp=`dscl /LDAPv3/"$check4OD" -read ComputerGroups/"$oldComputerGroup" | grep "$computerid"`
check4ODgroupMembership=$check4ODgroupMembershiptmp
echo "LDAP Group Membership in Group: "$oldComputerGroup
else
check4ODgroupMembership=""
echo "No LDAP Group Membership defined or not bound to a server"
fi
if dscl localhost -list "/Active Directory" | grep $domainname > /dev/null
then
check4ADtmp=`dsconfigad -show | grep "Active Directory Domain" | sed 's/Active Directory Domain//' | sed 's/=//'`
check4AD=${check4ADtmp//[[:space:]]/}
echo "Found AD: "$check4AD
check4ADaccttmp=`dsconfigad -show | grep "Computer Account" | sed 's/Computer Account//' | sed 's/=//'`
check4ADacct=${check4ADaccttmp//[[:space:]]/}
echo "Found AD-Account: "$check4ADacct
else
check4AD=""
check4ADacct=""
echo "No AD-Account found"
fi
osversionlong=`sw_vers -productVersion`
osvers=${osversionlong:3:1}
#Time Sync
#Restart ntpdate
StartService ()
if [ "${TIMESYNC:=-YES-}" = "-YES-" ] && ! GetPID ntpd > /dev/null; then
CheckForNetwork
if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
touch /var/run/NetworkTime.StartupItem
echo "Starting network time synchronization"
# Synchronize our clock to the network’s time,
# then fire off ntpd to keep the clock in sync.
ntpdate -bvs
ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
fi
echo ""
echo ""
sleep 5
#### Removing any existing directory bindings
#Clear OD Computer Account and delete entry from Computer group
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "This computer is bound to the following Open Directory Services:"
dscl localhost -list /LDAPv3
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
sleep 5
if [ "${check4ODacct}" == "${computerid}" ]
then
echo "This machine already has a computer account on $oddomain."
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
echo "Found GUID: "$GUID
if [ "$oldComputerGroup" != "" ] && [ "$check4ODgroupMembership" != "" ]
then
echo "Removing entry from group $oldComputerGroup"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembership "${computerid}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembers "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerLists/"$oldComputerGroup" Computers "${computerid}"
fi
echo "Removing Computer entry $computerid in OD"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /Computers/"${computerid}"
fi
#List existing Directories
echo "Removing OD-Binding to "$check4OD
dsconfigldap -r "$check4OD"
echo "Removing Search Path entries"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
sleep 5
else
echo "No LDAP or OD Binding present.";
fi
echo ""
# Check a second time in order to delete any remaining LDAP-Bindings
echo "Scanning for further LDAP servers"
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "Found:"
dscl localhost -list /LDAPv3
echo "Removing OD-Binding to "$check4ODtmp
dsconfigldap -r "$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
sleep 5
else
echo "No further LDAP or OD Binding present."
fi
echo ""
echo ""
#Remove the Active Directory binding
if [ "$check4AD" != "" ]
then
echo "This computer is bound to the following Active Directory Services:"
dscl localhost -list "/Active Directory"
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
sleep 5
echo "Removing any existing AD-Binding to "$check4AD
dsconfigad -f -remove -username "$udn" -password "$password"
echo "Removing Search Path entries"
if [ "$preferred" != "-nopreferred" ]
then
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search/Contacts -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
fi
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
#remove search path entries from 10.6
if dscl /Search -read / CSPSearchPath | grep /Active > /dev/null
then
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
fi
sleep 5
else
echo "No Active Directory Binding present."
fi
echo ""
#Remove Existing Directory Services Config
echo "Removing existing DS Config"
if [ -d "/Library/Preferences/edu.mit.Kerberos" ]
then
rm -R /Library/Preferences/edu.mit.Kerberos
fi
if [ -d "/etc/krb5.keytab" ]
then
rm -R /etc/krb5.keytab
fi
# Clean up the DirectoryService configuration files
rm -Rfv /Library/Preferences/DirectoryService/*
#OD
echo ""
echo ""
echo "Binding to OD-Damin "$oddomain
sleep 5
dsconfigldap -v -a "$oddomain" -n "$oddomain" -c "$computerid"
echo "Killing opendirectoryd"
killall opendirectoryd
sleep 5
echo "Adding computer account $computerid to /LDAPv3/${oddomain} on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -create /Computers/"$computerid" ENetAddress "$nicAddress"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /Computers/"$computerid" RealName "$computerid"
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
# Add computer to ComputerList and ComputerGroup
if [ $computerGroup != "" ]
then
echo "Adding computer $computerid to OD group $computerGroup on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerLists/"$computerGroup" apple-computers "$computerid"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" apple-group-memberguid "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" memberUid "$computerid"
fi
echo "Finished OD Binding."
sleep 5 # Give DS a chance to catch up
echo ""
echo ""
echo "Performing the AD Binding"
#AD
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
#Use the existing AD-Computername or generate a new one
computeridtmp="default"
if [ "$check4ADacct" == "" ]
then
LEN=$(echo ${#adcomputerid})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$adcomputerid " has 15 characters or less and is therefore suitable for AD-Binding. It is $adcomputerid"
computeridtmp=$adcomputerid
else
echo "ComputerID "$adcomputerid " has 16 or more characters and needs to be modified for AD-Binding."
echo "Removing any -"
computeridtmp=${adcomputerid//-/}
LEN=$(echo ${#computeridtmp})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$computeridtmp" has now 15 characters or less and is therefore suitable for AD-Binding."
else
echo "Only using the last 15 characters of the Computer name to be able to bind to AD."
computeridtmp=${computeridtmp:(-15)}
fi
echo "Cropped Computername to "$computeridtmp
fi
else
computeridtmp=${check4ADacct//$/}
echo "Found existing AD Account previously, attempting to recreate in the OU: "$computeridtmp
fi
echo ""
# Bind to AD
echo "Binding to AD-Domain "$domain" with computerid "$computeridtmp
dsconfigad -f -add "$domain" -username "$udn" -password "$password" -ou "$ou" -computer "$computeridtmp"
echo ""
echo "Setting the Advanced AD Plugin options"
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]
then
dsconfigad -nogroups
else
dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains "$alldomains"
dsconfigad -localhome "$localhome"
dsconfigad -protocol "$protocol"
dsconfigad -mobile "$mobile"
dsconfigad -mobileconfirm "$mobileconfirm"
dsconfigad -useuncpath "$useuncpath"
dsconfigad -shell "$user_shell"
dsconfigad "$preferred"
dsconfigad -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval"
dsconfigad -namespace "$namespace"
sleep 5
echo ""
echo ""
# Add the OD & AD node to the search path
if [ "$alldomains" = "enable" ]
then
csp="/Active Directory/$domainname/All Domains"
else
csp="/Active Directory/$domainname"
fi
echo "Finished AD Binding."
echo "Adding Domain /LDAPv3/"$oddomain" and "$csp" to Search Path"
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
echo "Adding OD.."
dscl /Search -append / CSPSearchPath /LDAPv3/"$oddomain"
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/"$oddomain"
echo "Adding AD.."
#Adding all Domains first to improve reliability under 10.7
if [ "$alldomains" != "enable" ]
then
cspadall="/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "$cspadall"
dscl /Search -append / CSPSearchPath "$cspadall"
fi
dscl /Search/Contacts -append / CSPSearchPath "$csp"
dscl /Search -append / CSPSearchPath "$csp"
echo "Finished Updating Search Paths."
echo ""
echo ""
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall opendirectoryd
# Destroy the login hook (or change it)
if [ "${newLoginHook}" == "" ]
then
defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
else
defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook $newLoginHook
fi
sleep 5
# Customizing the login-Window
#defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
#defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool TRUE
#defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
# This works in a pinch if the above code does not
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
#plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
#killall opendirectoryd
# Disable autologin
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
srm /etc/kcpassword
echo ""
echo ""
echo ""
echo "Now bound to OD Domain:"
dscl localhost -list /LDAPv3
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
echo "Now bound to AD Domain:"
dscl localhost -list "/Active Directory"
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
exit 0 ## Success
exit 1 ## Failure
Any inputs, questions and improvement suggestions are, of course, most welcome!
Cheers
See -
Convert Open Directory mobile accounts to Active Directory mobile accounts
We have 200 or so Macs using OD mobile accounts.
Implementing Active Directory, getting rid of Open Directory.
How do I change the mobile accounts from OD accounts to AD accounts so that it authenticates against the AD Domain Controller and thus change compter login password when it's changed in AD?
I can convert accounts this way:
a. Delete users’ user account in User preferences pane of System Preferences, but choose to not change the home directory.
b. Log into users’ account by choosing the other option, thus creating a mobile account.
c. Log out, log into admin account, delete the newly created home directory, rename the home directory from the deleted users account to match the name of the deleted home directory and do a chown –R on the directory for that user.
Obviously doing above 200x times is tedious and I'd like to avoid this if possible!
Any other ideas? Preferably a script I can deploy to all computers?I am also testing Leopard in my Active Directory domain and here is what I have found so far. The wireless networks in Leopard seem to be a combination of Panther and Tiger. Each 'Location' that you set has its own list of preferred networks. I have one location for when I am locally on the domain network and others for my bench network and all others under 'Automatic'. The one problem with what you are talking about is that if people change locations and forget to change it back before they log in, it will not find the network, however, adding the other networks all in one location is fine as long as the AD network is on top. You also have to wait about 20 - 30 seconds after you reach the login prompt before proceeding or it will log in without being connected and the AD resources will not be available. I am also finding that Panther knew when it was not on the AD network and did not give any errors, however Leopard squawks when I log in on a different network.
Cheers,
Rob -
How to create an embedded link with VBScript that references user website from Active Directory?
I have scoured the web for days and have not been able to quite come up with exactly what I need for this. I have created an Outlook signature deployment using VBScript which sets information in an already formatted Word doc using placeholders. (Ex. [Displayname],
[Initial], [City])
All of that works as expected, but now marketing would like to have an embedded link reference some of our users personal web pages. So the link would display some kind of standard text like "Click Here". Once clicked on the user would be redirected
to the personal web page of the person who sent the email. My problem is, I have no idea how to get the hyperlink to pull in the information from Active Directory...another problem is I know only enough coding to be dangerous so I am stuck.
Here is a sample of what I am working with, I am hoping someone can point me in the right direction. Thanks!
'----- Connect to AD and get user info -----'
Set objSysInfo = CreateObject("ADSystemInfo")
Set WshShell = CreateObject("WScript.Shell")
strUser = objSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUser)
strDisplayName = objUser.displayName
strFirstname = objUser.FirstName
strLastName = objUser.givenName
strInitials = objUser.initials
strName = objUser.FullName
strTitle = objUser.Title
strDescription = objUser.Description
strOffice = objUser.physicalDeliveryOfficeName
strCred = objUser.info
strPOBox = objUser.postOfficeBox
strStreet = objUser.StreetAddress
strCity = objUser.l
strPostCode = objUser.PostalCode
strPhone = objUser.TelephoneNumber
strMobile = objUser.Mobile
strFax = objUser.FacsimileTelephoneNumber
strEmail = objUser.mail
strWeb = objuser.wWWHomePage
'----- Apply any modifications to Active Directory fields -----
'Use company info page if user does not have a Linked-In account specified
if strweb = "" Then strweb = "http://www.linkedin.com/company/58654"
'----- Open Word template in read-only mode {..Open(filename,conversion,readonly)} -----
Set objWord = CreateObject("Word.Application")
Set objDoc = objWord.Documents.Open(strTemplatePath & strTemplateName,,True)
Set objEmailOptions = objWord.EmailOptions
Set objSignatureObject = objEmailOptions.EmailSignature
Set objSignatureEntries = objSignatureObject.EmailSignatureEntries
'----- Replace template text placeholders with user specific info -----
SearchAndRep "[DisplayName]", strDisplayName, objWord
SearchAndRep "[Name]", strName, objWord
SearchAndRep "[Description]", strDescription, objWord
SearchAndRep "[Title]", strTitle, objWord
SearchAndRep "[Street]", strStreet, objWord
SearchAndRep "[POBox]", strPOBox, objword
SearchAndRep "[City]", strCity, objWord
SearchAndRep "[State]", strState, objWord
SearchAndRep "[PostCode]", strPostCode, objWord
SearchAndRep "[Phone]", strPhone, objWord
SearchAndRep "[Mobile]", strMobile, objWord
SearchAndRep "[Fax]", strFax, objWord
SearchAndRep "[Email]", strEmail, objWord
'SearchAndRep "[Web]", strWeb, objWord
'----- Replace template hyperlink placeholders with user specific info -----
'SearchAndRepHyperlink "[email]", strWeb, objDoc
SearchAndRepHyperlink "[Web]", strWeb, objDoc
'----- Set signature in Outlook -----
Set objSelection = objDoc.Range()
objSignatureEntries.Add "NewCBSig", objSelection
objSignatureObject.NewMessageSignature = "NewCBSig"
'see note below if a different reply signature is desired
'objSignatureObject.ReplyMessageSignature = "Full Signature"
'----- Close signature template document -----
objDoc.Saved = TRUE
objDoc.Close
objWord.QuitCan you ask a specific question? You have posted a script and noted you need a link but there is no question.
¯\_(ツ)_/¯ -
Open Directory / Active Directory SSH access
I have recently bound all of our web and database servers on our active directory and open directory realms. I am able to augment the AD records for my account and the accounts of the other admins, give them NFS home directories and all is great. We can login to any machine with our AD password and get our homes. Problem is 9 times out of 10 we all prefer using SSH and the CLI for most of what we do. I can login to any of these machines with an OD user and get their home directory, but when I try with an AD user I cannot authenticate.
So to recap:
* Login works for both OD / AD users at the login window
* SSH login works for OD users
* SSH login does not work for AD users.
I don't even know where to begin with debugging this one. Any help would be greatly appreciated.
Message was edited by: Coleman NitroyOkay adding even more information to this (maybe this topic needs to be moved to a different sub forum)
Instead of assuming SSH would automatically work via AD/OD binds like the Login window does (apparently magically) I went thru and setup the SSHd on a test box to work via kerberos logins.
On the client side I enabled GSSAPIAuthentication as well and here is the error I get for (ssh -v [email protected]):
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database.
Then it kicks over to the next authentication method. To enable AD login via the login window I didn't have to do anything special. Kerberos tickets are generated and all is well. I am not certain as to why or how SSH works via OD automagically but still no luck getting it to work with AD. Not getting this working would be a large loss for our lab.
Anyone....?
Message was edited by: Coleman Nitroy -
Open directory and Active directory
Hello everyone.
I am from a school in london. We currently have 8 servers (7 running Server 2003 and a recently installed Mac server running os x server 10.5)
We have recently installed new macs into our media room and need them to be set up to work with the current domain setup.
what we wish to do is to run the media centers computers through the Mac server but get the existing domain information from the Active directory server running windows. As i have not set up a mac server before I am having certain difficulties doing this. The first time we set up the active directory on the mac server we could log into the mac computers but could not change any of the policies to different groups to allow or deny certain applications from running. Everytime i go to save a policy for a certain group we get the error message
"Error while saving record "Finchley\Level 1@ Error -14140
Im guessing this is because we are trying to save that to the active directory and not onto the mac server so how can we Map the active directory to the Macs open directory so that we can customize the mac group policies?
Sorry if that didnt make alot of sense im typing abit fast
ThanksHave you been here?
http://docs.info.apple.com/article.html?path=DirectoryAccess/1.8/en/c7od45.html
It should be straight forward, depending on how your AD accounts are setup.
Unfortunately, I currently see a bug in the system which is often causing the home directory share to fail to mount when I use the AD plug-in in its default configuration. I'm pleading with Apple to fix this soon.
If you use the plug-in in "true network home" fashion, by unchecking the 'force local home' option, then you should avoid this annoying bug. This method however requires plenty of network bandwidth and space for your entire Mac home folder.
Maybe you are looking for
-
When trying to export a Shared Mailbox folder in Outlook 2007 to PDF, messages are failing consistently. We are using the latest and greatest Adobe Acrobat XI. It will export a little bit of the folder and then fail the rest of the items. There are a
-
Checkout - modify record fails
Hi all, I am facing a strange problem with Java API SP06. I am checking out the main table records and I am setting field values for a record. When i execute modifyrecords command for the checkedout maintable record, I am getting a server exception..
-
Purchase Order / GR Document / MIRO Document in CJI3
Hi All, Would like to ask why above document(Purchase Order / GR Document / MIRO Document in CJI3) not able show in the Report CJI3. Check Point : My Purchase Order and GR Document is contain WBS Element that to Project ID. Thank in advance for the
-
Can files for older versions of Photoshop Elements be deleted
I am running Windows 8.1 (64-bit Version). I recently purchased and successfully downloaded and installed Adobe Photoshop Elements 13. Prior to installation, I de-installed Photoshop Elements 12. I had previously owned Version 10 and 11 which have be
-
Skip minutes from date and time field
Hi, i have a date time column in my table. for example the value is '2014-10-16 12:10:00.000' i need to select only the value '2014-10-16 12:10'. means without minutes. how to achieve this? Thanks Kasim