[Casper] Remotely configure Directory Utility

Steve Wood swood at integerdallas.com
Mon Jan 12 12:12:51 PST 2009


Thanks for clarifying what I forgot to clarify.  :-)  I sent that in a rush
and shouldn’t have.

That script was for work at my old company and we did not have the benefit
of Casper.  I agree with Miles, that you should not be passing credentials
in the scripts if you can, and let Casper do your AD binding and your
machine re-naming.


Steve Wood
Director of IT
swood at integerdallas.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475




From: Miles Leacy <miles.leacy at themacadmin.com>
Date: Mon, 12 Jan 2009 15:08:03 -0500
To: Steve Wood <swood at integerdallas.com>
Cc: Henry Bonath <hbonath at computersitecolumbus.com>,
"casper at list.jamfsoftware.com" <casper at list.jamfsoftware.com>
Subject: Re: [Casper] Remotely configure Directory Utility

I let Casper's built-in mechanism handle AD binding to avoid putting account
credentials in a script.  I hold not putting account credentials in a script
as a best practice.

Steve's script will get you to the same place, as well as binding to AD, but
you'll have to do the following:

(Forgive me if my explanations seem simplistic to anyone.  I'm aiming this
at the new admin who would look at this script and be overwhelmed.)

1. Specify "yourODServer.name" and "yourADdomain", or pass in the values as
parameters.
2. The following lines set the target machine's name to
<siteId><serialnumber> and places the previous name in ARD custom data.  If
you don't want to do this, remove the following lines:

SiteId='NHV'
OldName=`scutil --get ComputerName`
SERIALNUM=`system_profiler SPHardwareDataType | grep "Serial Number" | awk -F': ' '{print $2}'`
scutil --set ComputerName "$SiteId$SERIALNUM"
scutil --set LocalHostName "$SiteId$SERIALNUM"
scutil --set HostName "$SiteId$SERIALNUM"
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -computerinfo -set1 -1 "$OldName"

3. The script assumes that you want to use the Mac's computer name as the AD
and LDAP machine name to bind to.  If this is not the case, you'll need to
change the following line to get the computerid that will match your machine
account in AD and/or LDAP:

computerid=`scutil --get ComputerName`

4. In the "dsconfigldap" command, "diradmin" needs to be replaced with an
LDAP account that has permissions to bind clients and "'pass'" needs to be
replaced with that account's password.

5. In the "dsconfigad" command, "swood" should be replaced with an AD
account ID that has permissions to bind machines to existing computer
records (if the record already exists in AD) or permissions to create
computer objects in the target OU (if the record does not exist).  "'pass'"
needs to be replaced with that account's password.  "CN=Unsorted
Computers,OU=Locations,DC=yourad,DC=net" needs to be replaced with the AD
path to the container that contains your computer records (or in which you
will be creating them).

I prefer the script I provided in my previous message, however it is
important to note that it assumes that your LDAP server does not require
authenticated bindings.  I would love to see a Casper feature similar to the
AD binding feature that would allow authenticated LDAP bindings without
putting passwords into scripts.

I leave setting computer names and turning on ARD to casper built-in
functionality and a separate script, respectively.  This is out of an
overarching management approach of being as modular as possible by breaking
down actions into their smallest practical parts.

I hope this is useful.

----------
Miles A. Leacy IV

Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com <http://www.themacadmin.com>



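The approach Miles describes above, as an added example script (it is not Steve's script and not Miles's, and not something Casper ships): the Mac is renamed to <siteId><serial> and an LDAPv3 server is added to the search paths, while the AD bind, and therefore every account credential, is left to Casper's built-in binding feature, so no password appears in the file. It assumes Casper's convention of passing policy script parameters in $4 onward (here $4 = site id, $5 = OD server), that the LDAP server accepts unauthenticated client configuration as in Miles's own script, and that Casper's AD bind has already run before the "/Active Directory/All Domains" node is appended. The server name, site id and `system_profiler` sample text are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): rename the Mac and add an LDAPv3 node
# to the search paths, leaving AD binding and its credentials to Casper.
#
# Assumed Casper convention: $1-$3 are Casper's own values, policy script
# parameters start at $4.   $4 = site id (e.g. NHV)   $5 = OD/LDAP server

# Pull the serial number out of `system_profiler SPHardwareDataType` output.
# Reads stdin so it can be checked against captured text; handles both the
# older "Serial Number: X" and newer "Serial Number (system): X" lines.
extract_serial() {
    awk -F': ' '/Serial Number/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# Build <siteId><serial>. Refuse anything that would not make a clean host
# name, so an empty or odd serial cannot rename the machine to nonsense.
compute_name() {
    site="$1"; serial="$2"
    case "$site" in *[!A-Z0-9]*|"") return 1 ;; esac
    case "$serial" in *[!A-Za-z0-9]*|"") return 1 ;; esac
    printf '%s%s\n' "$site" "$serial"
}

# dscl addresses an LDAPv3 server as /LDAPv3/<server address>.
ldap_node() {
    printf '/LDAPv3/%s\n' "$1"
}

# Apply the configuration on the Mac. Only called when run with Casper's
# arguments, so the helper functions can be sourced and tested elsewhere.
apply_config() {
    site="$1"; od_server="$2"
    old_name=$(scutil --get ComputerName)
    serial=$(system_profiler SPHardwareDataType | extract_serial)
    new_name=$(compute_name "$site" "$serial") || {
        echo "refusing to rename: bad site id or serial" >&2; return 1; }

    scutil --set ComputerName "$new_name"
    scutil --set LocalHostName "$new_name"
    scutil --set HostName "$new_name"
    # Keep the previous name in ARD Info field 1, as Steve's script does.
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
        -configure -computerinfo -set1 -1 "$old_name"

    # Unauthenticated LDAP configuration: no -u/-p, so no secret lives here.
    dsconfigldap -v -f -a "$od_server" -n "$od_server"

    # Authentication and Contacts search paths: local, then OD, then AD.
    # The AD node is assumed to exist already (Casper's own bind ran first).
    node=$(ldap_node "$od_server")
    for path in /Search /Search/Contacts; do
        dscl "$path" -create / SearchPolicy CSPSearchPath
        dscl "$path" -append / CSPSearchPath "$node"
        dscl "$path" -append / CSPSearchPath "/Active Directory/All Domains"
    done
}

# Constructed sample of system_profiler output, used for the offline check.
SAMPLE_PROFILER='Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Serial Number (system): C02XYZ123ABC
      Hardware UUID: 00000000-0000-0000-0000-000000000000'

if [ "$#" -ge 5 ]; then
    apply_config "$4" "$5"
fi
```

Run as a Casper policy script with the site id and OD server configured as parameters 4 and 5; run with no arguments it only defines the functions, which is what lets the renaming logic be checked on any machine without touching scutil.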

2009/1/12 Steve Wood <swood at integerdallas.com>
> Unless Miles or someone else has a better way, this is how I've done it in the
> past, using these commands in a script:
> 
> 
> 
> #!/bin/bash
> # Directory servers to configure (set these here or pass them in as parameters)
> OD_SERVER='yourODServer.name'
> AD_DOMAIN='yourADdomain'
> 
> # Rename the Mac to <siteId><serial number>, keeping the old name in ARD Info field 1
> SiteId='NHV'
> OldName=`scutil --get ComputerName`
> SERIALNUM=`system_profiler SPHardwareDataType | grep "Serial Number" | awk -F': ' '{print $2}'`
> scutil --set ComputerName "$SiteId$SERIALNUM"
> scutil --set LocalHostName "$SiteId$SERIALNUM"
> scutil --set HostName "$SiteId$SERIALNUM"
> /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -computerinfo -set1 -1 "$OldName"
> 
> # Use the (new) computer name as the machine account name for both binds
> computerid=`scutil --get ComputerName`
> 
> # Bind to Open Directory (LDAPv3), then to Active Directory
> dsconfigldap -v -f -a "$OD_SERVER" -n "$OD_SERVER" -c "$computerid" -u diradmin -p 'pass'
> sleep 10
> dsconfigad -f -a "$computerid" -domain "$AD_DOMAIN" -u swood -p 'pass' -ou "CN=Unsorted Computers,OU=Locations,DC=yourad,DC=net"
> sleep 20
> 
> # Authentication search path: local, then OD, then AD
> dscl /Search -create / SearchPolicy CSPSearchPath
> dscl /Search -append / CSPSearchPath "/LDAPv3/$OD_SERVER"
> dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
> 
> # Contacts search path, same order
> sleep 10
> dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
> dscl /Search/Contacts -append / CSPSearchPath "/LDAPv3/$OD_SERVER"
> dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"
> 
> 
> 
> 
> 
> Steve Wood
> Director of IT
> swood at integerdallas.com <http://swood@integerdallas.com>
> 
> The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
> T 214.758.6813 | F 214.758.6901 | C 940.312.2475
> 
> 
> 
> 
> From: Henry Bonath <hbonath at computersitecolumbus.com
> <http://hbonath@computersitecolumbus.com> >
> Date: Mon, 12 Jan 2009 14:27:53 -0500
> To: "casper at list.jamfsoftware.com <http://casper@list.jamfsoftware.com> "
> <casper at list.jamfsoftware.com <http://casper@list.jamfsoftware.com> >
> Subject: [Casper] Remotely configure Directory Utility
> 
> Is there any way out there to remotely configure LDAPv3 plugin for server
> search paths?
> So far, the only way that may be possible that I can see is to push out .plist
> files with directory info to /Library/Preferences/DirectoryService
> 
> Thanks in advance!
> -Henry 
> 
>  
> Henry Bonath
> Network Engineer
> Computer Site Columbus
> 6155-N Huntley Road
> Columbus, OH 43229
> computersitecolumbus.com <http://computersitecolumbus.com>
> Tel: 614.786.7100
> Cell: 614.738.0822
> Fax: 614.786.7310 Your I.T. Department
> 
> 14:29:15 Mon 12 Jan 2009
> This message (and any associated files) is intended only for the use of the
> individual or entity to which it is addressed and may contain information that
> is confidential, subject to copyright or constitutes a trade secret. If you
> are not the intended recipient you are hereby notified that any dissemination,
> copying or distribution of this message, or files associated with this
> message, is strictly prohibited. If you have received this message in error,
> please notify us immediately by replying to the message and deleting it from
> your computer. 
> 
> 
> _______________________________________________
> Casper mailing list
> Casper at list.jamfsoftware.com <http://Casper@list.jamfsoftware.com>
> http://list.jamfsoftware.com/mailman/listinfo/casper
> 
> 
> 
> --
> The information contained in this email transmission is solely for the
> addressee(s) named above and is privileged and/or confidential.  If the reader
> of this message is not the intended recipient or the person responsible to
> deliver it to the intended recipient; he or she is prohibited from reading or
> disclosing the information contained in this transmission.  Any examination,
> use, dissemination, distribution, or copying of this communication is strictly
> prohibited.  Please contact us immediately by telephone for instructions if
> you have received this communication in error: (214) 758-6800
> 
