Articles August 25, 2004 at 12:12 am

AD/OD Group Synchronization

This script synchronizes AD group membership with OD group membership.

Use this to better manage MCX settings for AD groups. You can download it here. This script will grab the membership of an AD group and insert that list into an OD group. While you can’t apply MCX preferences to an AD group without schema modification, you can now manage the OD group and end up with a similar effect when using an OS X Server to add MCX settings.

Run this as often as you need to keep your OD group synched with your AD group.

To work, the script requires that it be run on a machine that is joined to the AD domain and has the OD server at least configured in the LDAPv3 plugin in Directory Access.

The OD system does not have to be in the machine’s authentication path. This means that you could run this script on your OS X Server that’s hosting your network home folders if you have that extensive of a setup.

Once you have it added, you’ll need to find out the “path” to the OD domain as used by Directory Services, such as /LDAPv3/10.0.1.10 for an OD server whose IP was set to 10.0.1.10 in Directory Access. Use dscl to find this.

You will also need to feed the script the group id of an AD group. Use Workgroup Manager or any of the command line directory service utilities to find this out. Also supply the shortname of the OD group that you want to synchronize with.

This script can potentially be a bit of a security nightmare, since it requires a plaintext copy of your OD admin password somewhere. As such I’d advise you to run this on an admin-only machine or a machine that does not allow non-admin shell access.

An ideal setup would be to hard code your admin user name and password into the defaults at the beginning of the script. Then you can call the script from cron and only need to pass in the AD group’s gid and the OD group’s short name.

Again, if this is all set up on an admin machine with a leg in both the AD domain and the OD domain, then security is not a big issue. Hard code the password into the script in the definitions section and then set the rest up in the cron tab.

For example, after hardcoding the OD domain’s admin username and password into the script and the Directory Service path to it, you could call the script like this:

adodgroupsynch -a 98347749 -o adusers

This would synchronize the membership of the AD group with group id “98347749” with the OD group adusers.
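As an added illustration of the flow the post describes (look up the AD group by gid, read its membership with dscl, push the difference into the OD group as the OD admin), here is a small sh sketch written for this page; it is not the original adodgroupsynch script. The AD node name, OD admin name, password file and the way dscl -search output is parsed are assumptions; the membership helpers are plain text handling and run without dscl.

```shell
#!/bin/sh
# Added sketch of the AD -> OD group sync the post describes, not the original
# adodgroupsynch script; node paths, admin name and password file are assumptions.
AD_NODE="/Active Directory/All Domains"   # assumed AD node name as dscl shows it
OD_NODE="/LDAPv3/10.0.1.10"               # OD node path found via dscl
OD_ADMIN="diradmin"                       # assumed OD directory admin
OD_PASS_FILE="/var/root/.odsync.pass"     # assumed: root-owned, mode 0600

# "GroupMembership: alice bob" dscl record -> one name per line, sorted, unique.
members_from_record() {
    printf '%s\n' "$1" | awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) print $i }' | sort -u
}

# Names in newline-separated list $1 that are absent from list $2.
missing_members() {
    have=" $(printf '%s' "$2" | tr '\n' ' ') "
    for name in $1; do
        case "$have" in *" $name "*) ;; *) echo "$name" ;; esac
    done
}

# Record name of the AD group whose numeric gid is $1 (the -a argument).
ad_group_name_for_gid() {
    dscl "$AD_NODE" -search /Groups PrimaryGroupID "$1" | sed -n '1s/[[:space:]]\{1,\}PrimaryGroupID.*//p'
}

# Make OD group $2 carry exactly the members of the AD group with gid $1.
# -P shows the password in the process list while dscl runs, so the file it is
# read from must stay root-only and the script itself does not embed it.
sync_group() {
    ad_name=$(ad_group_name_for_gid "$1")
    [ -n "$ad_name" ] || { echo "no AD group with gid $1" >&2; return 1; }
    ad=$(members_from_record "$(dscl "$AD_NODE" -read "/Groups/$ad_name" GroupMembership)")
    od=$(members_from_record "$(dscl "$OD_NODE" -read "/Groups/$2" GroupMembership)")
    pass=$(cat "$OD_PASS_FILE")
    for u in $(missing_members "$ad" "$od"); do
        dscl -u "$OD_ADMIN" -P "$pass" "$OD_NODE" -append "/Groups/$2" GroupMembership "$u"
    done
    for u in $(missing_members "$od" "$ad"); do   # gone from AD: drop from OD too
        dscl -u "$OD_ADMIN" -P "$pass" "$OD_NODE" -delete "/Groups/$2" GroupMembership "$u"
    done
}

# Same interface as the post's example: -a <AD gid> -o <OD group short name>
main() {
    while getopts 'a:o:' opt; do
        case "$opt" in a) ad_gid=$OPTARG ;; o) od_group=$OPTARG ;; *) return 2 ;; esac
    done
    [ -n "$ad_gid" ] && [ -n "$od_group" ] || { echo "usage: $0 -a gid -o group" >&2; return 2; }
    sync_group "$ad_gid" "$od_group"
}
if [ $# -gt 0 ]; then main "$@"; fi   # only runs when invoked with arguments
```

Run from cron as `adodgroupsynch -a 98347749 -o adusers` just as in the post, with the password file created separately rather than typed into the script.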
