How to add an Open Directory server via a script

imagingmac-osxmac-osx-serverosx-leopardscripting

What is the best method to add an Open Directory server via a shell script on a brandly new imaged computer?

I've created a new image with InstaDMG and I'd like to add the Open Directory Server via a shell script rather than having to do it manually by hand using Directory Utility.

The computer does not have to bind the Open Directory. (Client: 10.5.7, Server: 10.4.11)

Best Answer

I discovered the method (Deploy Studio) I was deploying my images had scripts already to do the Open Directory binding - I've modified the scripts slightly to give the crux of the script for here to answer my question. This example only uses anonymous binding (not explicitly bound to the OD server)

#!/bin/sh

# Used ds_open_directory_binding.sh (v1.6) from Deploy Studio as a base for the explicit question.
# I recommend downloading Deploy Studio (http://deploystudio.com) to see other methods but the crux
# of how it is done can be read here. (eg. no error checking here)

#Enable LDAPv3 Plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "LDAPv3" Active 2>&1
chmod 600 /Library/Preferences/DirectoryService/DirectoryService.plist 2>&1

/usr/sbin/ipconfig waitall

#Configure LDAP
dsconfigldap -a 'server.example.com' 2>&1

#Restart DS
killall DirectoryService
sleep 5

#Create Search Policy
dscl localhost -create /Search SearchPolicy CSPSearchPath 2>&1

#Create Contacts
dscl localhost -create /Contact SearchPolicy CSPSearchPath 2>&1

#Add OD Server to the search path
dscl localhost -append /Search CSPSearchPath '/LDAPv3/server.example.com' 2>&1

#Add OD Server to Contact Search Policy
dscl localhost -append /Contact CSPSearchPath '/LDAPv3/server.example.com' 2>&1

Related Solutions

What commands will change Open Directory passwords

The handiest answer I've come across is to use the passwd command in conjunction with dscl. Here is the output from an interactive session (with the passwords replaced by asterices):

$ dscl -u diradmin -p ces 
Password: 
 > cd /LDAPv3/127.0.0.1/
/LDAPv3/127.0.0.1 > auth diradmin *****
/LDAPv3/127.0.0.1 > passwd Users/Atwo807 *****
/LDAPv3/127.0.0.1 > passwd Users/Atwo249 *****
/LDAPv3/127.0.0.1 > passwd Users/doesnotexist foobar
passwd: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
/LDAPv3/127.0.0.1 > exit
Goodbye

Here is a python script to make the changes. You will need the pexpect module (sudo easy_install pexpect should get it for you; I don't think you need the dev tools installed).

#!/usr/bin/env python

import pexpect

def ChangePasswords(host, path, diradmin, diradmin_password, user_passwords, record_type='Users'):
    """Changes passwords in a Open Directory or similar directory service.

    host = the dns name or IP of the computer hosting the directory
    path = the pathname to the directory (ex. '/LDAPv3/127.0.0.1')
    diradmin = the directory administrator's shortname (ex. 'diradmin')
    diradmin_password = the directory administrator's password
    user_passwords = a dictionary mapping record names (typically, user's short
                     names) onto their new password
    record_type = the sort of records you are updating.  Typically 'Users'

    Returns a tuple.  The first entry is a list of all records (users) who
        failed to update.  The second entry is a list of all records (users)
        who successfully updated.
    """

    failed_list = []
    succeeded_list = []
    prompt = " > "

    child = pexpect.spawn("dscl -u %s -p %s" % (diradmin, host))

    if not (ReplyOnGoodResult(child, "Password:", diradmin_password) and
       ReplyOnGoodResult(child, prompt, "cd %s" % path) and
       ReplyOnGoodResult(child, prompt,
                        "auth %s %s"  % (diradmin, diradmin_password)) and
       ReplyOnGoodResult(child, prompt, None)):
        print "Failed to log in and authenticate"
        failed_list = user_passwords.keys()
        return (failed_list, succeeded_list)

    # We are now logged in, and have a prompt waiting for us
    expected_list = [ pexpect.EOF, pexpect.TIMEOUT,
                     '(?i)error', 'Invalid Path', prompt ]
    desired_index = len(expected_list) - 1
    for record_name in user_passwords:        
        #print "Updating password for %s" % record_name,

        child.sendline("passwd %s/%s %s" % (record_type, record_name,
                                            user_passwords[record_name]))
        if child.expect(expected_list) == desired_index:
            #print ": Succeeded"
            succeeded_list.append(record_name)
        else:
            #print ": Failed"
            failed_list.append(record_name)
            child.expect(prompt)

    child.sendline("exit")
    child.expect(pexpect.EOF)

    return (failed_list, succeeded_list)


def ReplyOnGoodResult(child, desired, reply):
    """Helps analyze the results as we try to set passwords.

    child = a pexpect child process
    desired = The value we hope to see 
    reply = text to send if we get the desired result (or None for no reply)
    If we do get the desired result, we send the reply and return true.
    If not, we return false."""

    expectations = [ pexpect.EOF, pexpect.TIMEOUT, '(?i)error', desired ]
    desired_index = len(expectations) - 1

    index = child.expect(expectations)
    if index == desired_index:
        if reply:
            child.sendline(reply)
        return True
    else:
        return False

You can use it as follows:

# This example assumes that you have named the script given above 'pwchange.py'
# and that it is in the current working directory
import pwchange 

(failed, succeeded) = pwchange.ChangePasswords("ces", "/LDAPv3/127.0.0.1", 
     "diradmin", "******", 
     { 'Atwo807' : '*****', 'Atwo249' : '*****', 
       'Nonexist' : 'foobar', 'Bad' : 'bad' })

print failed, succeeded
['Bad', 'Nonexist'] ['Atwo249', 'Atwo807']

Why is `slapconfig -backupdb` not creating disk image when run from cron on Snow Leopard Server

I experienced the same problem debugged the original script, for me the default expect timeout of 10 seconds was causing the embedded hdiutil command to be aborted. I fixed this by adding:

set timeout 120

In the expect script. Now the script is working fine again. My script:

#!/usr/bin/expect -f

set date [timestamp -format "%Y-%m-%d"]
set archive_path "path/to/you/backup/dir"
set archive_password "password"
set archive_name "opendirectory_backup"
set timeout 120

spawn /usr/sbin/slapconfig -backupdb $archive_path/$archive_name-$date
expect "Enter archive password"
send "$archive_password\r"
expect eof

Best Answer

Related Solutions

What commands will change Open Directory passwords

Why is `slapconfig -backupdb` not creating disk image when run from cron on Snow Leopard Server

Related Topic