TweetFollow Us on Twitter

Directory Service Recipes

Volume Number: 22 (2006)
Issue Number: 11
Column Tag: Mac In The Shell

Directory Service Recipes

More Directory Services manipulation via the Command Line

by Edward Marczak

Introduction

Directory Services: used every day by users of OS X - whether they know it or not. Last month, this column covered the basics of directory services, and gave a few sample ideas. This month, I'll trot out some very practical uses of the command-line directory service tools.

Power Station

As I've alluded to in the past, command-line tools and scripting - shell based or GUI based AppleScript - can be much more powerful than GUI tools. Also, while I pointed out that LDAP is not a database, people still tend to think of it as one. The confusion is understandable: Directory Services protocols allow you to retrieve information via lookups. Depending on the protocol and your access, it may allow you to be the one to store information, too. Like any database, the retrieval of information is key: it would be useless if you could put information into the store without being able to access it. Combined with scripting, not only can we access data, but we can perform actions using the results.

Let's start out with reading and reporting on values. OS X Server using Open Directory stores just about everything for a given user in a record in LDAP. Sometimes, you'll want to know which users have some attribute. I do a lot of work with OS X e-mail systems, and a common request is an easy way to report on which users have mail enabled (or, conversely, which users are not mail enabled). Here's a handy little script that will do just that - show which users are set up for OS X e-mail:

mail-enabled.sh

#!/bin/sh
for user in $(dscl /LDAPv3/127.0.0.1 -list /Users)
do
        me=$(dscl /LDAPv3/127.0.0.1 -read /Users/$user MailAttribute)
        if [ "$me" !=  "No such key: MailAttribute"  ]; then
                echo "$user"
        fi
done

Do notice here that we're relying on the failure to find the attribute as a way to make our determination. If you want to find users who do not have mail enabled, just change the test from not equal ("!=") to equal ("=="). If you're a Kerio Mail Server user, and are using the Open Directory extensions, rather than "MailAttribute", you want to look for "kerio-Mail-Active: 1". Run this right on your OD master or replica to get your results. This can be extended to run from cron every night and produce a report via e-mail. You could even redirect the results to a file and use diff to report on new mail users, and users that have been disabled.

Everything but the Girl

Let's even go easier, but potentially more useful. Hierarchies on a network are useful. People tend to think in that manner, and like to press them into service. If you're using OD based logins, with or without network home directories, you have a handy tool at your disposal: your user list. More than once, I've been asked to create a sharepoint on the network, and then fill it with a directory for each user in the system. On a large system, this could be incredibly tedious. So, you script it. Or, in this case, you can even one-line it:

dscl /LDAPv3/127.0.0.1/ -list /Users | xargs mkdir

Of course, that will create directories at your current place in the structure. This means that you'll want to cd to the location you want them before running this command.

While handy, you probably need a little bit more, like setting the correct permissions, or even copying some default information into each folder. An easy framework for that is:

#!/bin/bash
dscl /LDAPv3/127.0.0.1/ -list /Users | while read user
do
  #Do your work here
done

Quick results from little work!

(Don't Burn the) Midnight Oil

Another really handy scenario crops up with OS X 10.4 in an all OD network. Using a tool like Apple Remote Desktop, you can certainly create local admin users on all machines in your network very easily. However, that can become a small management headache: If you want to change the password for the admin user, then you have to remember to get every box. It also doesn't allow for any fine-grained control. One great solution to this is to create admin groups in OpenDirectory. You can then nest these groups inside of the local NetInfo admin group. From there, simply moving users in and out of the OD admin groups will give them the correct permissions on a given machine. Let's look at an example.

Imagine that a company (or school) has two open labs: one for word processing/presentation development, and another for 3-D graphics. Each lab has a local support team that need admin rights to the Macs. You would create three groups in OpenDirectory: WPLabAdmins, 3DLabAdmins, and UberAdmins - the final group being able to administer both labs. Assign users to the appropriate groups. You'll then need the OD group's UUID, which of course can be scripted. Create the script as update-admin-group.sh:

update-admin-group.sh

#!/bin/bash
theUUID=$(dscl /Search -read /Groups/$1 apple-generateduid | sed 's/apple-generateduid: //g')
dscl /NetInfo/root -create /Groups/admin NestedGroups $theUUID

Then, run it on each group of machines as appropriate:

On all machines:

update-admin-group.sh UberAdmins

On the word processing machines:

update-admin-group.sh WPLabAdmins

Finally, on the 3D machines:

update-admin-group.sh 3DLabAdmins

Now, as people need admin access to a given machine, they can simply use their own OD ID. Very, very cool. Once this is set, you can just move people in and out of OD groups, rather than futz with anything on any local machine. Much better, right?

Ah Ha!

dscl: incredibly useful. However, I'd be remiss if I didn't mention its counterpart that appeared in 10.4: dseditgroup. dseditgroup appeared to make it easier to work with groups, especially with the new ability to have nested groups.

By default, dseditgroup operates on NetInfo data, but, as the 'ds' suggests, will work with any Directory Service plug-in. This includes anything you can set up in Directory Utility, such as LDAP and Active Directory. So, while we're speaking about admin accounts, let's see examples of dseditgroup in action.

To read all information about a NetInfo group, simply use dseditgroup groupname. So, to see your admin group:

# dseditgroup admin
Recordname <admin>
10 attribute(s) found
Attribute[1] is <dsAttrTypeStandard:AppleMetaNodeLocation>
        Value[1] is </NetInfo/DefaultLocalNode>
Attribute[2] is <dsAttrTypeStandard:RecordType>
        Value[1] is <dsRecTypeStandard:Groups>
Attribute[3] is <dsAttrTypeStandard:RecordName>
        Value[1] is <admin>
Attribute[4] is <dsAttrTypeStandard:PrimaryGroupID>
        Value[1] is <80>
Attribute[5] is <dsAttrTypeStandard:Password>
        Value[1] is <*>
Attribute[6] is <dsAttrTypeStandard:GroupMembership>
        Value[1] is <root>
        Value[2] is <localadmin>
Attribute[7] is <dsAttrTypeStandard:GeneratedUID>
        Value[1] is <ABCEEFAB-CDEF-ABCD-ECAB-CDEF00000050>
Attribute[8] is <dsAttrTypeStandard:SMBSID>
        Value[1] is <S-1-5-32-544>
Attribute[9] is <dsAttrTypeStandard:RealName>
        Value[1] is <Administrators>
Attribute[10] is <dsAttrTypeStandard:GroupMembers>
        Value[1] is <43C93B6A-CFB9-4C24-A464-EA51320B62D2>
        Value[2] is <F047F2F1-F5A9-4B73-BBB4-454550B09CB4>

The same thing can be accomplished for an OD group, using the -n switch:

# dseditgroup -n /LDAPv3/127.0.0.1 admin

dseditgroup also has operations to manipulate groups, either local (NetInfo), or other datastore. To remove a user from an OD admin group, you could handle it this way:

dseditgroup -o edit -n /LDAPv3/127.0.0.1 -u admin-user -p -d user-to-delete -t user admin

Note that sensitive operations against Directory Services will require authentication, as seen here with the -u and -p flag.

Conclusion

Directory services in general are an incredibly powerful way to maintain a central store for objects on a network, easing administration. The usefulness of these services wouldn't be diminished if only GUI tools were available. I do hope, though, that I've illustrated how powerful scripting and command-line tools can be, and what they bring to the process.

Media of the month: Michael Bartosh's posthumously released Mac OS X Tiger Administration. A surprise follow-up to his Panther Server Administration after being told that the Tiger version was cancelled. This PDF-only version of the book was started by Michael, and completed by several of his good friends after Michael passed away. It's available from <http://www.orielly.com>.

Again, it's time to make your plans for MacWorld! Hope to see people on the show floor, or at either of the sessions I'll be presenting (old news to long-time readers of my column, though!). In any case, I'll see you in print next month.

References:

dscl man page

dseditgroup man page


Ed Marczak owns and operates Radiotope, a technology consulting practice with a focus on business process enhancement, network and system integration, and, more generally, all things Mac.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Mellel 3.5.5 - The word processor for sc...
Mellel is the leading word processor for OS X and has been widely considered the industry standard since its inception. Mellel focuses on writers and scholars for technical writing and multilingual... Read more
Bookends 12.8.3 - Reference management a...
Bookends is a full-featured bibliography/reference and information-management system for students and professionals. Bookends uses the cloud to sync reference libraries on all the Macs you use.... Read more
Carbon Copy Cloner 4.1.18 - Easy-to-use...
Carbon Copy Cloner backups are better than ordinary backups. Suppose the unthinkable happens while you're under deadline to finish a project: your Mac is unresponsive and all you hear is an ominous,... Read more
Hopper Disassembler 4.2.14- - Binary dis...
Hopper Disassembler is a binary disassembler, decompiler, and debugger for 32- and 64-bit executables. It will let you disassemble any binary you want, and provide you all the information about its... Read more
BetterTouchTool 2.291 - Customize Multi-...
BetterTouchTool adds many new, fully customizable gestures to the Magic Mouse, Multi-Touch MacBook trackpad, and Magic Trackpad. These gestures are customizable: Magic Mouse: Pinch in / out (zoom... Read more
Sound Studio 4.8.11 - Robust audio recor...
Sound Studio lets you easily record and professionally edit audio on your Mac. Easily rip vinyls and digitize cassette tapes, or record lectures and voice memos. Prepare for live shows with live... Read more
Sound Studio 4.8.11 - Robust audio recor...
Sound Studio lets you easily record and professionally edit audio on your Mac. Easily rip vinyls and digitize cassette tapes, or record lectures and voice memos. Prepare for live shows with live... Read more
BetterTouchTool 2.291 - Customize Multi-...
BetterTouchTool adds many new, fully customizable gestures to the Magic Mouse, Multi-Touch MacBook trackpad, and Magic Trackpad. These gestures are customizable: Magic Mouse: Pinch in / out (zoom... Read more
Carbon Copy Cloner 4.1.18 - Easy-to-use...
Carbon Copy Cloner backups are better than ordinary backups. Suppose the unthinkable happens while you're under deadline to finish a project: your Mac is unresponsive and all you hear is an ominous,... Read more
Hopper Disassembler 4.2.14- - Binary dis...
Hopper Disassembler is a binary disassembler, decompiler, and debugger for 32- and 64-bit executables. It will let you disassemble any binary you want, and provide you all the information about its... Read more

The best 2v2 card combos in Clash Royale
2v2 is making it's grand return toClash Royalequite soon. 2v2 has quickly become one of the game's most popular gameplay modes, though they still have yet to make it a permanent fixture in the game. 2v2 is exciting and adds some new flavor to... | Read more »
The best games we played this week - Aug...
Another busy week has come to a close. We played a lot of excellent games this week and now it's time to look back and reflect on some our favorites. Here are our picks for the week of August 18. [Read more] | Read more »
War Wings beginner's guide - how to...
War Wings is the newest project from well-established game maker Miniclip. It's a World War II aerial dogfighting game with loads of different airplane models to unlock and battle. The game offers plenty of single player and multiplayer action. We... | Read more »
How to win every 2v2 battle in Clash Roy...
2v2 is coming back to Clash Royale in a big way. Although it's only been available for temporary periods of time, 2v2 has seen a hugely positive fan response, with players clamoring for more team-based gameplay. Soon we'll get yet another taste of... | Read more »
Roll to Win with Game of Dice’s new upda...
Joycity’s hit Game of Dice gets a big new update this week, introducing new maps, mechanics, and even costumes. The update sets players loose on an exciting new map, The Cursed Tower, that allows folks to use special Runes mid-match. If you feel... | Read more »
Bottom of the 9th (Games)
Bottom of the 9th 1.0.1 Device: iOS iPhone Category: Games Price: $4.99, Version: 1.0.1 (iTunes) Description: Play the most exciting moment of baseball in this fast-paced dice and card game! | Read more »
The best apps for viewing the solar ecli...
If you somehow missed the news, many parts of the United States will be witness to a total solar eclipse on August 21 for the first time in over 90 years. It'll be possible to see the eclipse in at least some capacity throughout the continental U... | Read more »
The 5 best mobile survival games
Games like ARK: Survival Evolved and Conan Exiles have taken the world of gaming by storm. The market is now flooded with hardcore survival games that send players off into the game's world with nothing but maybe the clothes on their back. Never... | Read more »
Portal Walk (Games)
Portal Walk 1.0 Device: iOS Universal Category: Games Price: $1.99, Version: 1.0 (iTunes) Description: Portal Walk is adventure and relaxing platform game about Eugene. Eugene stuck between worlds and trying to find way back home.... | Read more »
Technobabylon (Games)
Technobabylon 1.0 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0 (iTunes) Description: City of Newton, 2087. Genetic engineering is the norm, the addictive Trance has replaced almost any need for human interaction,... | Read more »

Price Scanner via MacPrices.net

15-inch 2.2GHz Retina MacBook Pro, Apple refu...
Apple has Certified Refurbished 2015 15″ 2.2GHz Retina MacBook Pros available for $1699. That’s $300 off MSRP, and it’s the lowest price available for a 15″ MacBook Pro. An Apple one-year warranty is... Read more
Apple refurbished Mac minis available startin...
Apple has Certified Refurbished Mac minis available starting at $419. Apple’s one-year warranty is included with each mini, and shipping is free: – 1.4GHz Mac mini: $419 $80 off MSRP – 2.6GHz Mac... Read more
Apple refurbished iPad Pros available startin...
Apple has Certified Refurbished 2016 12″ WiFi iPad Pros available starting at $589. An Apple one-year warranty is included with each model, and shipping is free: – 32GB 12″ iPad Pro WiFi: $589... Read more
Weekend sale: 13-inch MacBook Pros for up to...
Amazon has new 2017 13″ MacBook Pros on sale today for up to $200 off MSRP, each including free shipping: – 13″ 3.1GHz/256GB Space Gray MacBook Pro (MPXV2LL/A): $1599.99 $200 off MSRP – 13″ 3.1GHz/... Read more
Back To School With The Edge Desk All-in-one...
Back to school is just around the corner, and the ergonomically correct Edge Desk all-in-one portable kneeling desk is ideal for students living in dorms and small apartments, Edge Desk features:... Read more
Norton Core Secure Wi-Fi Router Now Available...
First introduced at the 2017 Consumer Electronics Show (CES), Norton Core, a secure, high-performance Wi-Fi router, fundamentally changed the concept of Wi-Fi routers by making security the primary... Read more
ViewSonic Adds New 27-inch 4K UHD Monitor to...
ViewSonic Corp. has introduced the VP2785-4K, a 27-inch 4K UHD (3840×2160) monitor that delivers precise and consistent color representation and performance to ensure incredible image quality. Built... Read more
Apple now offering Certified Refurbished 2017...
Apple is now offering Certified Refurbished 2017 27″ iMacs for up to $350 off original MSRP. Apple’s one-year warranty is standard, and shipping is free. The following models are available: – 27″ 3.... Read more
13-inch 2.3GHz MacBook Pros on sale for $100...
Amazon has the new 2017 13″ 2.3GHz MacBook Pros on sale today for $100 off MSRP, each including free shipping: – 13″ 2.3GHz/128GB Space Gray MacBook Pro (MPXQ2LL/A): $1199.99 $100 off MSRP – 13″ 2.... Read more
Clearance 2016 13-inch MacBook Airs available...
B&H Photo has clearance 2016 13″ MacBook Airs available for up to $200 off original MSRP. Shipping is free, and B&H charges NY & NJ sales tax only: – 13″ 1.6GHz/128GB MacBook Air (MMGF2LL... Read more

Jobs Board

Development Operations and Site Reliability E...
Development Operations and Site Reliability Engineer, Apple Payment Gateway Job Number: 57572631 Santa Clara Valley, California, United States Posted: Jul. 27, 2017 Read more
Frameworks Engineering Manager, *Apple* Wat...
Frameworks Engineering Manager, Apple Watch Job Number: 41632321 Santa Clara Valley, California, United States Posted: Jun. 15, 2017 Weekly Hours: 40.00 Job Summary Read more
Map Quality Analyst Lead, *Apple* Maps Eval...
…a team of subject matter experts measuring the quality of a range of Apple Maps algorithms, such as Map search, recommendations, and routing. Our group works with Read more
Business Development Manager, *Apple* Pay -...
Job Summary Apple Pay is seeking an experienced Business Development professional to join the Apple Pay team to develop partnerships and strategic alliances with Read more
Information Systems Engineer, *Apple* Retai...
Job Summary Do you have a passion for the technology and systems that make Apple amazing? Are you interested in joining IS&T Retail on what they do best? This is an Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.