Volume Number: 23 (2007)
Issue Number: 11
Column Tag: MacEnterprise
New ways of manipulating Directory Services
By Philip Rinehart, Yale University
User Account Changes
Occasionally, questions about user accounts and how to maintain them appear on the Macenterprise list. Leopard changes the landscape, as NetInfo no longer exists. What does this mean practically? All user account information is now stored as flat text files. No more messing around with command line utilities like nicl, nidump, etc. All access is now accomplished using the command line directory service utility, dscl. Let's take a look at how it works.
Dscl, Directory Service Command Line, utility was originally introduced in Tiger. With the death of NetInfo, it is the new way of manipulating user accounts. Also, astute users may note that NetInfo Manager is now completely gone, so any manipulation of NetInfo attributes must be accomplished by using dscl. Directory Service attributes can be changed, appended or deleted. Let's take a very basic example.
dscl . -read /Users/myuser
This example operates on the local node by using the period, and returns all of the attributes for myuser. The command returns a list of all of the values that would have been seen in NetInfo Manager. They are printed out as a single line for each value. While interesting, it only begins to tap dscl for its true power. Here's a second example, listing all the users on the local system, as well as their UniqueID values (UID).
dscl /Local/Default -list /Users UniqueID
This command is a really quick way to list any attribute of any user that is stored in the local Directory Services store. Notice a slight difference in this command? Instead of using a period, the full node is specified, in this case, the local database, /Local/Default. Let's step back just a second. Since NetInfo is gone, where is all the information? Here is the complete path:
Explore the contents of the directory, notice how everything is a plist? One of the decisions made when moving away from NetInfo is that all of the information is now stored in xml plist format in the above directory. As an interesting side effect, any properly formatted plist that is added to the user will now appear on the system as a valid user. Returning to our UID example, now that the UID is known for any user, it is a pretty simple operation to change a UID on the fly. Back to dscl:
dscl /Local/Default -create /Users/myuser UniqueID 503
This command takes the current UniqueID value for myuser and overwrites or it with the new value. Instead of the user's previous value for UniqueID, a new one has now been put in place. Note that use of the create option will completely overwrite any current value. If the value does not exist, it creates it in the plist.
PUMP IT UP
All of our example dscl commands will work in Tiger. Dscl in Leopard has been beefed up considerably. It now has the ability to read subkeys through the use of additional command line options. If you ever looked at a NetInfo record that contained mcx information, you know that mcx settings are typically sent to the client as a plist. Now that this information is stored in a flat plist with nested values, dscl needs a way to manipulate the data. New options have been added, readpl, readpli, and createpl, createpli. Unfortunately the syntax is difficult to master, as it requires a very specific format. Here's a somewhat simplified example for managed preferences.
dscl . -readpl /Users/myuser MCXSettings mcx_application_data:com.apple.finder
Note the syntax of the key, colons separate nested values. In this particular case, the managed preference key for the Finder is read. This example should give you a taste of how the command works, but getting the path exactly right can be a bit tricky. Fortunately, there is a way out of the weeds, with a new mcx options for dscl..
One of the major complaints in previous versions of OS X was the inability to easily understand and manipulate managed preferences. Leopard is the first version of OS X that has options to help manage via script, or the command line. It has also been quite difficult to troubleshoot managed client preferences, and to truly understand what is going on when managed preferences are applied. Let's look at our friend dscl again, this time with an eye toward the options that were added to dscl. Here's a very simple example:
dscl . -readmcx /User/myuser
Note how the information is returned. Each managed preference is returned as a set of values with a consistent format. So for example, if a Finder preference was managed, the value might look like this:
App domain: com.apple.finder
Cool! The mcxread option is useful, but even more useful is the ability to set, import and export keys with dscl and its associated mcx commands. Imagine being able to set preferences from the command line from a client! A sample process could be:
dscl . -mcxexport /Users/myuser -o /tmp/export.plist com.apple.finder
This command exports the managed client settings for myuser. The settings can then be altered in the exported file, export.plist with any text editor. Once finished editing, use this command to import the changed values:
dscl . -mcximport /Users/myuser -d /tmp/export.plist
One note about this command, the -d option deletes any keys that existed previously. It is equivalent to calling mcxdelete for every key found in the import file. There are many options available for command line managed preference manipulation of preferences, which are not documented in the manual page. So how can you find the proper options? Use the flag -mcxhelp.
dscl . -mcxhelp
This short command returns all of the options available, and is quite thorough in its description of how to use the command line options.
What if you only want to see what managed preferences are being applied? A new command for Leopard, mcxquery has been added. It can be called directly to present all of the options for any known user, group or machine. Here's how:
mcxquery -user myuser -group mygroup -computer mycomputer
This command returns a list of all managed preferences for all three options. Additionally, it specifies exactly which domain the management is being applied from. If it is a user management preference, it indicates the managed preference. Very useful! Now that Leopard is finally out, a whole new world of discovery awaits us. As always, see you on the lists!
Philip Rinehart is co-chair of the steering committee leading the Mac OS X Enterprise Project (macenterprise.org) and is the Lead Mac Analyst at Yale University. He has been using Macintosh Computers since the days of the Macintosh SE, and Mac OS X since its Developer Preview Release. Before coming to Yale, he worked as a Unix system administrator for a dot-com company. He can be reached at: email@example.com.
The MacEnterprise project is a community of IT professionals sharing information and solutions to support Macs in an enterprise. We collaborate on the deployment, management, and integration of Mac OS X client and server computers into multi-platform computing environments.