[Casper] Remotely configure Directory Utility

Miles Leacy miles.leacy at themacadmin.com
Mon Jan 12 12:23:30 PST 2009


On Mon, Jan 12, 2009 at 3:12 PM, Steve Wood <swood at integerdallas.com> wrote:

> Thanks for clarifying what I forgot to clarify.  :-)  I sent that in a rush
> and shouldn't have.
>

No worries.  Thanks for the more comprehensive script.

One item I think that bears mentioning in regard to AD/OD interoperability
is the fact that if you are using the same computer name in both
directories, and your OD Master is bound to AD, all new machine names must
be created in OD first, then AD.  If you do it the other way around, OD,
being bound to AD, will see the AD machine name and not allow you to create
the same name in OD since it already exists.  I am certain that this is an
issue in 10.4.11 with Windows Server 2003.  I am fairly sure it is still an
issue in Leopard through 10.5.3 and with Windows Server 2008.

----------
Miles A. Leacy IV

 Certified System Administrator 10.4
 Certified Technical Coordinator 10.5
 Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com




On Mon, Jan 12, 2009 at 3:12 PM, Steve Wood <swood at integerdallas.com> wrote:

>  Thanks for clarifying what I forgot to clarify.  :-)  I sent that in a
> rush and shouldn't have.
>
> That script was for work at my old company and we did not have the benefit
> of Casper.  I agree with Miles, that you should not be passing credentials
> in the scripts if you can, and let Casper do your AD binding and your
> machine re-naming.
>
> Steve Wood
> Director of IT
> swood at integerdallas.com
>
> The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
> T 214.758.6813 | F 214.758.6901 | C 940.312.2475
>
>
>
> ------------------------------
> From: Miles Leacy <miles.leacy at themacadmin.com>
> Date: Mon, 12 Jan 2009 15:08:03 -0500
> To: Steve Wood <swood at integerdallas.com>
> Cc: Henry Bonath <hbonath at computersitecolumbus.com>, casper at list.jamfsoftware.com
> Subject: Re: [Casper] Remotely configure Directory Utility
>
>
> I let Casper's built-in mechanism handle AD binding to avoid putting
> account credentials in a script.  I hold not putting account credentials in
> a script as a best practice.
>
> Steve's script will get you to the same place, as well as binding to AD,
> but you'll have to do the following:
>
> (Forgive me if my explanations seem simplistic to anyone.  I'm aiming this
> at the new admin who would look at this script and be overwhelmed.)
>
> 1. Specify "yourODServer.name" and "yourADdomain", or pass in the values as
> parameters.
> 2. The following lines set the target machine's name to
> <siteId><serialnumber> and places the previous name in ARD custom data.  If
> you don't want to do this, remove the following lines:
>
> SiteId='NHV'
> OldName=`scutil --get ComputerName`
> SERIALNUM=`system_profiler | grep "Serial Number" | awk '{print $3}'`
> scutil --set ComputerName $SiteId$SERIALNUM
> scutil --set LocalHostName $SiteId$SERIALNUM
> scutil --set HostName $SiteId$SERIALNUM
> /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -computerinfo -set1 -1 $OldName
>
> 3. The script assumes that you want to use the Mac's computer name as the
> AD and LDAP machine name to bind to.  If this is not the case, you'll need
> to change the following line to get the computerid that will match your
> machine account in AD and/or LDAP:
>
> computerid=`scutil --get ComputerName`
>
> 4. In the "dsconfigldap" command, "diradmin" needs to be replaced with an
> LDAP account that has permissions to bind clients and "'pass'" needs to be
> replaced with that account's password.
>
> 5. In the "dsconfigad" command, "swood" should be replaced with an AD
> account ID that has permissions to bind machines to existing computer
> records (if the record already exists in AD) or permissions to create
> computer objects in the target OU (if the record does not exist).  "'pass'"
> needs to be replaced with that account's password.  "CN=Unsorted
> Computers,OU=Locations,DC=yourad,DC=net" needs to be replaced with the AD
> path to the container that contains your computer records (or in which you
> will be creating them).
>
> I prefer the script I provided in my previous message, however it is
> important to note that it assumes that your LDAP server does not require
> authenticated bindings.  I would love to see a Casper feature similar to the
> AD binding feature that would allow authenticated LDAP bindings without
> putting passwords into scripts.
>
> I leave setting computer names and turning on ARD to casper built-in
> functionality and a separate script, respectively.  This is out of an
> overarching management approach of being as modular as possible by breaking
> down actions into their smallest practical parts.
>
> I hope this is useful.
>
> ----------
> Miles A. Leacy IV
>
>  Certified System Administrator 10.4
>  Certified Technical Coordinator 10.5
>  Certified Trainer
> Certified Casper Administrator
> ----------
> voice: 1-347-277-7321
> miles.leacy at themacadmin.com
> www.themacadmin.com <http://www.themacadmin.com>
>
>
>
>
> 2009/1/12 Steve Wood <swood at integerdallas.com>
>
> Unless Miles or someone else has a better way, this is how I've done it in
> the past, using these commands in a script:
>
>
>
> #!/bin/bash
> OD_SERVER='yourODServer.name'
> AD_DOMAIN='yourADdomain'
>
> # Rename the Mac to <SiteId><serial number>, keeping the old name in ARD custom field 1
> SiteId='NHV'
> OldName=`scutil --get ComputerName`
> SERIALNUM=`system_profiler | grep "Serial Number" | awk '{print $3}'`
> scutil --set ComputerName "$SiteId$SERIALNUM"
> scutil --set LocalHostName "$SiteId$SERIALNUM"
> scutil --set HostName "$SiteId$SERIALNUM"
> /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -computerinfo -set1 -1 "$OldName"
>
> # The computer name is used as the machine account name for both OD and AD
> computerid=`scutil --get ComputerName`
>
> # Bind to OD (LDAPv3), then to AD
> dsconfigldap -v -f -a "$OD_SERVER" -n OD_SERVER -c "$computerid" -u diradmin -p 'pass'
> sleep 10
> dsconfigad -f -a "$computerid" -domain "$AD_DOMAIN" -u swood -p 'pass' -ou "CN=Unsorted Computers,OU=Locations,DC=yourad,DC=net"
> sleep 20
>
> # Authentication search path: OD first, then AD
> dscl /Search -create / SearchPolicy CSPSearchPath
> dscl /Search -append / CSPSearchPath "/LDAPv3/$OD_SERVER"
> dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
>
> # Contacts search path, same order
> sleep 10
> dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
> dscl /Search/Contacts -append / CSPSearchPath "/LDAPv3/$OD_SERVER"
> dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"
>
>
>
>
> Steve Wood
> Director of IT
> swood at integerdallas.com
>
> The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
> T 214.758.6813 | F 214.758.6901 | C 940.312.2475
>
>
>
> ------------------------------
> From: Henry Bonath <hbonath at computersitecolumbus.com>
> Date: Mon, 12 Jan 2009 14:27:53 -0500
> To: casper at list.jamfsoftware.com
> Subject: [Casper] Remotely configure Directory Utility
>
> Is there any way out there to remotely configure LDAPv3 plugin for server
> search paths?
> So far, the only way that may be possible that I can see is to push out
> .plist files with directory info to /Library/Preferences/DirectoryService
>
> Thanks in advance!
> -Henry
> ------------------------------
>
> Henry Bonath
> Network Engineer
> Computer Site Columbus
> 6155-N Huntley Road
> Columbus, OH 43229
> computersitecolumbus.com <http://computersitecolumbus.com>
> Tel: 614.786.7100
> Cell: 614.738.0822
> Fax: 614.786.7310
> *Your I.T. Department*
>
> _______________________________________________
> Casper mailing list
> Casper at list.jamfsoftware.com <http://Casper@list.jamfsoftware.com>
> http://list.jamfsoftware.com/mailman/listinfo/casper
>
>
>
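Added example, not code from the thread or from Casper: two checks a practitioner would run after a bind script like the one above, namely verifying that the dscl search path actually ended up with the OD and AD nodes, and scanning the bind lines for passwords left as literals (Miles's point about credentials in scripts). The `dscl /Search -read /` output is a constructed sample whose format is assumed here; the bind-script excerpt is constructed too.

```shell
#!/bin/sh
# Added example (not from the thread).  Two defender-side checks for the
# bind script discussed above: verify the resulting search path, and catch
# passwords left as literals on the dsconfigldap/dsconfigad lines.

OD_SERVER='yourODServer.name'   # placeholder, same as in the thread

# CONSTRUCTED sample of what `dscl /Search -read /` prints after the script
# runs (format assumed); on a real Mac you would capture the live output.
SEARCH_OUT='CSPSearchPath:
 /Local/Default
 /BSD/local
 /LDAPv3/yourODServer.name
 /Active Directory/All Domains
SearchPolicy: dsAttrTypeStandard:CSPSearchPath'

# check_search_path OUTPUT SERVER
# 0 = custom policy active and both nodes present; 1/2/3 say what is missing.
check_search_path() {
    out=$1
    server=$2
    printf '%s\n' "$out" | grep -q 'SearchPolicy: .*CSPSearchPath' || return 1
    printf '%s\n' "$out" | grep -qx " /LDAPv3/$server" || return 2
    printf '%s\n' "$out" | grep -qx ' /Active Directory/All Domains' || return 3
    return 0
}

# CONSTRUCTED two-line excerpt to audit: the first line embeds a literal
# password as in the thread, the second takes it from a script parameter ($4).
BIND_SCRIPT="dsconfigldap -v -f -a \$OD_SERVER -n OD_SERVER -c \$computerid -u diradmin -p 'pass'
dsconfigad -f -a \$computerid -domain \$AD_DOMAIN -u swood -p \$4 -ou \"OU=Macs,DC=example,DC=net\""

# count_literal_passwords SCRIPT_TEXT
# Prints how many dsconfigldap/dsconfigad lines give -p a literal value
# (anything not starting with $), i.e. a credential baked into the script.
count_literal_passwords() {
    printf '%s\n' "$1" | grep -E '^(dsconfigldap|dsconfigad) ' \
        | grep -E -- "-p +['\"]?[^\$'\" ]" | wc -l | tr -d ' '
}

rc=0
check_search_path "$SEARCH_OUT" "$OD_SERVER" || rc=$?
echo "search path check: $rc (0 = OK, 1 = policy, 2 = OD node, 3 = AD node)"
echo "literal passwords found: $(count_literal_passwords "$BIND_SCRIPT")"
```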