
Mac. Open Directory bind script with SSL enabled

Old 04 August 2008, 11:11 AM
  #1  
mike1210

Hi All,
Quick Mac question this time. I have an Open Directory bind script, as below, to bind clients via ARD 3.21. I have enabled SSL on the server to test, but I am unsure how to enable SSL binding in the script. The script below is without SSL enabled.

computerid=$(scutil --get ComputerName)

# -a is the LDAP server to bind to, -n the name for the configuration,
# -c the computer record name, -u/-p the directory admin credentials
dsconfigldap -v -f -a cci-macserv.domain.com -n Mac-serv -c "$computerid" -u diradmin -p 'xxxpasswordxxx'
sleep 10

Does anyone know the switch I would have to add?
Old 04 August 2008, 02:52 PM
  #2  
Markus

Add a -x in there? Looking at the man page for dsconfigldap, it states the following:

-x choose SSL connection

-x Connection to the LDAP server will only be made over SSL.
Old 07 August 2008, 08:20 AM
  #3  
mike1210

A big thank you again, Markus.

If anyone is interested, here are the bind scripts I use:

#!/bin/sh

############################ AD_Bind_ARD ###########################
# Patrick Gallagher | patgmac@gmail.com
# Mac Admin Corner | Desktop Management
# This is a script that will bind a Mac to AD from ARD.
# Modified from Mike Bombich's ad-bind-login-tiger.sh script
# which can be found at Bombich.com: Mac OS X Management Custom Shell Script Library
# Needs to be modified for your environment
####################################################################


computerid=$(/usr/sbin/scutil --get LocalHostName)

# Standard parameters
domain="uni.glam.ac.uk" # fully qualified DNS name of Active Directory Domain
udn="username" # username of a privileged network user
password="xxxpasswordxxx" # password of a privileged network user
ou="OU=AppleMac,OU=Resources,DC=Uni,DC=glam,DC=ac,DC=uk" # Distinguished name of container for the computer

# Advanced options
alldomains="enable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="enable" # 'enable' or 'disable' force home directory to local drive
protocol="smb" # 'afp' or 'smb' change how home is mounted from server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="disable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or "none"
preferred="-nopreferred" # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu"); deliberately left unquoted
# where it is used below so a two-word value is passed as two arguments
admingroups="uni\support" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\mac admins")

# Login hook setting -- specify the path to a login hook that you want to run instead of this script


### End of configuration

# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
sleep 5

# Bind to AD (-f forces the bind even if the Mac is already bound)
dsconfigad -f -a "$computerid" -domain "$domain" -u "$udn" -p "$password" -ou "$ou"

# Configure advanced AD plugin options
if [ "$admingroups" = "" ]; then
    dsconfigad -nogroups
else
    dsconfigad -groups "$admingroups"
fi

dsconfigad -alldomains "$alldomains" -localhome "$localhome" -protocol "$protocol" \
    -mobile "$mobile" -mobileconfirm "$mobileconfirm" -useuncpath "$useuncpath" \
    -shell "$user_shell" $preferred

# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall DirectoryService

# Add the AD node to the search path
if [ "$alldomains" = "enable" ]; then
    csp="/Active Directory/All Domains"
else
    csp="/Active Directory/$domain"
fi

#dscl /Search -create / SearchPolicy CSPSearchPath
#dscl /Search -append / CSPSearchPath "$csp"
#dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
#dscl /Search/Contacts -append / CSPSearchPath "$csp"

# This works in a pinch if the above code does not
# (writes the node chosen in $csp; "Search Policy" 3 = custom search path)
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "$csp"
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Node Custom Path Array" -array "$csp"
defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Policy" -int 3

plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist

Above is the Active Directory script; below is the Open Directory one.

computerid=$(scutil --get ComputerName)

# -x: connect to the LDAP server only over SSL (the switch Markus pointed out)
# -a: LDAP server to bind to, -n: name for the configuration, -c: computer record name
dsconfigldap -v -f -x -a cci-macserv.domain.com -n Mac-serv -c "$computerid" -u diradmin -p 'xxxpasswordxxx'
sleep 10

# Custom search path: the AD node first, then the OD (LDAPv3) node
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
dscl /Search -append / CSPSearchPath /LDAPv3/cci-macserv.isd.glam.ac.uk

sleep 10
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/cci-macserv.isd.glam.ac.uk

I know the search paths are actually written twice. I will try to integrate them at some point. I found PPC Macs don't respond as well to scripts (a bit hit and miss, and they take a lot longer) as Intel Macs. Now I bind to AD, restart, bind to OD, restart. All done via ARD.

Please note I did not write either script, just adapted them to suit our needs.
Old 07 August 2008, 02:51 PM
  #4  
Markus

** edit **
I'm guessing here that you're binding against AD and OD as you have both an AD and OD server containing users, and the OD server (probably an OS X Server?) is a standalone server and not configured to be part of the AD domain, and thus you want to check against both authentication sources rather than just AD.

Oh, one other tip for you. If you look in Directory Service/Utility (name depends on OS version) and edit the AD item, have a look under Advanced options, specifically the "mappings" section. You'll see an item for "Map UID to attribute", which will no doubt be unchecked, and even if it is checked it'll probably be set to uniqueID. This may not be a good thing. Why not? Well, if the user doesn't get a good uid, odd things can happen in the OS, such as apps not launching or giving the user more permissions than they should have.

Here's what the AD plugin used to do, and probably still does, to generate the uid for a user:

We looked at the complete record for a user by using the terminal and the dscl utility. This allowed us to see all the information about the user; there is one field in there called GeneratedUID. This is being used to generate the Mac OS UniqueID value. Basically the Active Directory Directory Service Plugin takes the first 32 bits of the value, clears the top two bits (I'll be honest and say that this came from the dev team and not me!), and then uses this as the UniqueID. This explains why some UniqueIDs will be higher than others and possibly why some users see problems and not others.

Why is the Active Directory Directory Service Plugin doing this? It's because there isn't a specific UniqueID field in AD, and you really want a UniqueID, so the plugin has to base it on something, and in theory this method will create a consistent uniqueID.

The problem with this is you can end up with very high value uids, higher than 4294959427, which is the value of unsigned long. The OS seriously does not like uids greater than that value, and we have had users who have ended up with uids over that value and they had odd problems.

So what to do? Well, that's where that mapping option for the uid comes into play: we need to tell the AD plugin to use another value in an AD record, one that will exist and will be unique. The one that seems to be frequently suggested is "uSNCreated", so you'd pop that into the field. This value is the create date for the user, which, as it includes the time, will be unique, plus it won't be a stupidly long number which could upset the OS.

It's possible you could add a line to your script to set the mapping when setting up the bind.

Last edited by Markus; 07 August 2008 at 03:19 PM.
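An added shell example (not code from this thread) that applies the default GeneratedUID-to-uid derivation Markus describes and compares it with an account's actual UniqueID, so an admin can tell whether the default mapping or a custom "Map UID to attribute" setting is in effect. The dscl-style record lines and their values are constructed sample data; the account names are made up.

```shell
#!/bin/sh
# Constructed sample output in the shape of
#   dscl . -read /Users/<name> GeneratedUID UniqueID
# for two made-up accounts (values invented for this example).
SAMPLE_DEFAULT='GeneratedUID: C8A3F1B2-1234-5678-9ABC-DEF012345678
UniqueID: 144961970'
SAMPLE_MAPPED='GeneratedUID: C8A3F1B2-1234-5678-9ABC-DEF012345678
UniqueID: 51234'

# Pull one attribute value out of a dscl-style "Key: value" record.
record_field() {
  printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }'
}

# The uid the AD plugin derives by default, as described in the post:
# take the first 32 bits of GeneratedUID (its first hex group) and
# clear the top two bits.
uid_from_generated_uid() {
  first32=${1%%-*}
  echo $(( 0x$first32 & 0x3FFFFFFF ))
}

# Compare an account's actual UniqueID with the default derivation.
# Returns 0 when they match (default mapping in effect), 1 otherwise
# (a custom "Map UID to attribute" setting such as uSNCreated is likely).
check_uid_mapping() {
  guid=$(record_field GeneratedUID "$1")
  uid=$(record_field UniqueID "$1")
  expected=$(uid_from_generated_uid "$guid")
  if [ "$uid" = "$expected" ]; then
    echo "uid $uid matches the GeneratedUID-derived value"
    return 0
  fi
  echo "uid $uid differs from GeneratedUID-derived $expected (custom UID mapping?)"
  return 1
}

for r in "$SAMPLE_DEFAULT" "$SAMPLE_MAPPED"; do
  check_uid_mapping "$r" || :   # non-zero here only flags a non-default mapping
done
```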
Old 12 August 2008, 08:51 AM
  #5  
mike1210

Thanks Markus. Yeah, Active Directory for student and staff user accounts and Open Directory for computer settings. Open Directory master on one campus, replica on the other. 1 gig link between them though.