Scripting directory services events is one of the most common ways that the OS X community automates post-imaging tasks. As such, there are about as many flavors of directory services scripts as there are engineers who know directory services and have a little scripting experience. In OS X Lion, many aspects of directory services change and bring with them new techniques for automation. The biggest change is the move from DirectoryService to opendirectoryd.
In Snow Leopard and below, when you performed certain tasks, you restarted the directory services daemon, DirectoryService. The same is true in Lion, except that instead of doing a killall on DirectoryService, you do it on opendirectoryd:
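The restart the post describes, as an added example that is not from the original post: a small sh script that picks the daemon name from the product version, so one post-imaging script works on Lion and on Snow Leopard, and then waits for launchd to bring the daemon back before any later dscl or dsconfigad calls run. The 10.7 threshold and the ten-second wait loop are my assumptions, not something the post states.

```sh
#!/bin/sh
# Added example (not from the original post): restart the directory services
# daemon on Lion (opendirectoryd) or on an earlier release (DirectoryService).

# Map a "major.minor[.patch]" product version to the daemon name.
# Assumption: 10.7 and later run opendirectoryd, 10.6 and earlier DirectoryService.
ds_daemon_for_version() {
    version="$1"
    case "$version" in
        *.*) ;;
        *) version="$version.0" ;;   # "10" alone has no minor component
    esac
    major=$(printf '%s' "$version" | cut -d. -f1)
    minor=$(printf '%s' "$version" | cut -d. -f2)
    if [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 7 ]; }; then
        echo opendirectoryd
    else
        echo DirectoryService
    fi
}

# Restart the daemon for the running system, then wait until launchd has
# relaunched it so that following dscl/dsconfigad calls do not race it.
restart_directory_services() {
    daemon=$(ds_daemon_for_version "$(sw_vers -productVersion)")
    killall "$daemon"
    tries=0
    until pgrep -x "$daemon" >/dev/null 2>&1; do
        tries=$((tries + 1))
        if [ "$tries" -ge 10 ]; then
            echo "$daemon did not come back after killall" >&2
            return 1
        fi
        sleep 1
    done
    echo "$daemon restarted"
}

# Only act when invoked with "restart" on a Mac; defining the functions is
# otherwise side-effect free so the script can be sourced by other scripts.
if [ "$(uname)" = Darwin ] && [ "${1:-}" = restart ]; then
    restart_directory_services
fi
```

Run it as root with the argument restart; sourcing it without arguments just defines the two functions.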
Also, local account passwords in OS X have been moved into attributes within user account property lists and so there is no longer a /var/db/shadow/hash directory. Therefore, copying property lists and their associated password hash file is no longer a necessary process.
dsperfmonitor vs odutil
Next, dsperfmonitor has gone to the great binary place in the sky to join dirt and DirectoryService. It is somewhat replaced with odutil. The odutil command is pretty easy and straightforward. You can see all open sessions, nodes, modules, requests, statistics and nodenames using the show verb (along with those subcommands). You can also set the logging level for directory services to alert, critical, error, warning, notice, info or debug, each trapping more events than the last. This is done with the set log verb followed by the level (which is set to error by default):
odutil set log debug
The odutil command is also used to enable statistics. These are pretty memory intensive (or they were on a mini w/ 4GB of memory in it but might not be with your 32GB of RAM fortified Xserve). This is done using odutil’s set statistics verb w/ an option of either on or off:
odutil set statistics on
Note: It’s worth noting that stats are persistent across restarts, so don’t forget to turn them off.
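An added example (not from the post) that uses the odutil verbs above the way a troubleshooting script should: raise logging to the requested level and switch statistics on only for a bounded window, then put the level back to error and switch statistics off from an EXIT trap, since the statistics setting survives restarts. The level list comes from the post; the syslog -k Sender filter used to pull the trace and the output path are my assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): bounded opendirectoryd tracing
# with odutil, restoring logging level and statistics on exit.

# Levels odutil accepts, least to most verbose (from the post).
OD_LOG_LEVELS="alert critical error warning notice info debug"

# Return 0 if $1 is a level odutil knows, 1 otherwise.
od_log_level_valid() {
    for level in $OD_LOG_LEVELS; do
        [ "$1" = "$level" ] && return 0
    done
    return 1
}

# Restore the default level and switch statistics off. Registered as an EXIT
# trap so it runs even if the capture is interrupted with Ctrl-C.
od_reset() {
    odutil set log error
    odutil set statistics off
}

# od_capture [level] [seconds] [output file]
# Capture a window of opendirectoryd log output at the given level, append
# the statistics snapshot, and reset. Assumption: syslog(1) with a Sender
# filter is how the trace is pulled from the system log on Lion.
od_capture() {
    level="${1:-debug}"
    seconds="${2:-60}"
    out="${3:-/tmp/opendirectoryd-$level.log}"
    if ! od_log_level_valid "$level"; then
        echo "unknown log level: $level (expected one of: $OD_LOG_LEVELS)" >&2
        return 1
    fi
    trap od_reset EXIT
    odutil set log "$level"
    odutil set statistics on
    sleep "$seconds"
    syslog -k Sender opendirectoryd > "$out"
    odutil show statistics >> "$out"
    echo "$out"
}

# Usage on a Lion host (as root), for example a two-minute debug window:
#   od_capture debug 120 /tmp/od-debug.log
```

Because od_reset is attached to EXIT rather than called at the end of od_capture, an interrupted capture still leaves the machine at the error level with statistics off.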
For Open Directory administrators, you’ll be elated to know that your LDAP bind script just got a bit shorter. Now, search policies are updated automatically when binding via dsconfigldap. But, if you have a bunch of scripting that you don’t want to rip apart you can still do search policies manually by using the spiffy new -S option for dsconfigldap (yes, I just insinuated that -S was for spiffy, what’s it to ya’?!?!).
scutil can now be used to view Active Directory Kerberos information. scutil can also be used to query the search node and interface states. klist no longer seems to function properly, so use ktutil with the list verb to see service principals:
Not to be left out, the Active Directory binding tool, dsconfigad, got some new flair as well (yes, I just insinuated that dsconfigad was really Jennifer Aniston’s contribution to OS X and I challenge you to prove me wrong). There is now a -restrictDDNS option, which, as I’m sure you can guess, disables dynamic DNS registration in Active Directory-integrated DNS zones. There’s also the rockin’ new -authority option, which enables or disables Kerberos authority generation. Finally, dsconfigad gets some minor cosmetic changes: -f becomes -force, -r becomes -remove, -lu becomes -localuser, -lp becomes -localpassword, -u becomes -username, -p becomes -password, but the original options still work. Who knows how long the old options will stick around, but my guess is they’ll be around until dsconfigad isn’t…
Most options and settings for the AD plug-in should now be configured after the AD bind process (thanks to @djstarr for that little addition). How does this impact your scripts? Just move the settings to the bottom of the script if they give you gruff… Also, the -enableSSO option has been changed to -enablesso.
Finally, defaults now accepts a file path that includes the .plist extension when you list a file’s contents. This should eliminate the 6 backspaces we often had to type to test certain things after auto-completing file names… 🙂
I published an article up on AFP548 on how directory services plug-ins work. If you’re curious about directory services plug-ins or just unable to sleep and need something to knock you out, this should be an interesting read.
dsconfigad did not support signing of LDAP packets in 10.4.x; that was added with the 10.5 version of the AD plug-in. Provided that your Active Directory environment uses LDAP signing, a standard policy on domain controllers, you can mirror the DC setting in dsconfigad with the -packetsign option followed by one of allow, disable or require. To force LDAP signing, run the following command:
dsconfigad -packetsign require
To disable signing if your environment doesn’t support it, use the following command:
dsconfigad -packetsign disable
The default is allow, which uses LDAP signing when the domain controller offers it.
You can use the AD plug-in to customize how often, in days, the computer’s Active Directory trust account password is changed. It can be done by using the following command:
dsconfigad -passinterval 30
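The bind-then-harden sequence the post describes (bind, then packet signing, packet encryption and the password interval, applied after the bind as the ordering note earlier recommends), plus the check a practitioner wants afterwards: parse the text of dsconfigad -show and flag any setting that drifted from policy. This is an added example, not a script from the post. The domain, OU, account names and the two sample -show outputs are constructed, and the key names matched by ad_findings ("Packet signing", "Packet encryption", "Password change interval") are my assumption about the -show layout rather than something quoted on the page.

```sh
#!/bin/sh
# Added example (not from the original post): bind with dsconfigad, apply
# hardening after the bind, and audit "dsconfigad -show" output for drift.

# Bind first, configure second (Lion applies plug-in options after the bind).
# Short options are the ones from the usage text; the long forms also work.
# All credentials and the default OU here are constructed placeholders.
ad_bind_and_harden() {
    domain="$1"; computer="$2"; admin="$3"; password="$4"
    ou="${5:-CN=Computers,DC=example,DC=com}"
    dsconfigad -f -a "$computer" -domain "$domain" \
        -u "$admin" -p "$password" -ou "$ou"
    dsconfigad -packetsign require        # mirror the DC's LDAP signing policy
    dsconfigad -packetencrypt require
    dsconfigad -passinterval 30           # rotate the trust password every 30 days
    ad_findings "$(dsconfigad -show)"     # empty output means no drift
}

# ad_setting TEXT KEY: value after "=" on the first line of TEXT containing KEY.
ad_setting() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        index($0, key) { sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# ad_findings TEXT: one line per weak setting in the -show text, nothing when
# signing and encryption are required and the interval is 30 days or less.
# Assumption: the key names below match the -show layout.
ad_findings() {
    signing=$(ad_setting "$1" "Packet signing")
    encrypt=$(ad_setting "$1" "Packet encryption")
    interval=$(ad_setting "$1" "Password change interval")
    [ "$signing" = require ] || echo "packet signing is '${signing:-unset}', expected require"
    [ "$encrypt" = require ] || echo "packet encryption is '${encrypt:-unset}', expected require"
    case "$interval" in
        ''|*[!0-9]*) echo "password change interval is '${interval:-unset}', expected a day count" ;;
        *) [ "$interval" -le 30 ] || echo "password change interval is $interval days, expected 30 or fewer" ;;
    esac
}

# Constructed samples of "dsconfigad -show" output (not captured from a real host).
AD_SHOW_WEAK='Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = mac01$

Advanced Options - Administrative
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 90'

AD_SHOW_OK='Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = mac01$

Advanced Options - Administrative
  Packet signing                 = require
  Packet encryption              = require
  Password change interval       = 30'

# Demonstration on the constructed weak sample; prints three findings.
# On a real Lion host (as root): ad_bind_and_harden example.com mac01 adadmin 'p@ss'
ad_findings "$AD_SHOW_WEAK"
```

Running ad_findings against the live -show text at the end of a bind script turns a silent misconfiguration (a domain controller that only allows signing, or an old script still setting -passinterval to a large value) into a visible line in the imaging log.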
To find all the printers you have available through Active Directory:
dscl '/Active Directory/All Domains' -list /Printers PrinterURI
dsconfigad can be used to bind to Active Directory from the command line. Use as follows:
dsconfigad -show [-lu username] [-lp password]
dsconfigad [-f] [-a computerid] -domain fqdn -u username [-p password]
    [-lu username] [-lp password] [-ou dn] [-status]
dsconfigad -r -u username [-p password] [-lu username] [-lp password]
dsconfigad [-lu username] [-lp password] [-mobile enable | disable]
    [-mobileconfirm enable | disable]
    [-localhome enable | disable] [-useuncpath enable | disable]
    [-protocol afp | smb] [-shell value] [-uid attribute | -nouid]
    [-gid attribute | -nogid] [-ggid attribute | -noggid]
    [-preferred server | -nopreferred]
    [-groups "group1,group2,…" | -nogroups] [-alldomains enable | disable]
    [-packetsign allow | disable | require]
    [-packetencrypt allow | disable | require]
    [-passinterval value] [-namespace forest | domain]
dsconfigad -staticmap attribute-type attribute-value [-lu username]
Tiger does not have any namespace support in dsconfigad. So no multi-domain same account name functionality. Hint: Might be in Leopard (might not).