Many of you are aware that you can open Directory Access, click on the Server menu item, click Connect, and fill in the address, username, and password of an OS X Server and then make changes to the server’s authentication settings as if you are at the console.
I needed to remote control Directory Access the other day on a plain OS X box that I was using for some server functions, but unlike a full OS X Server, Remote Directory Access would not work.
Read on for how to potentially solve this…
Then I remembered a great tip from “Essential Mac OS X Panther Server Administration” by Michael Bartosh. On pages 116-117, he discusses Directory Access, and mentions in a tip:
DirectoryService knows whether to listen on port 625 according to the existence of the /Library/Preferences/DirectoryService/.DSTCPListening file. By creating this file and restarting the DirectoryService daemon, it is feasible to access Mac OS X client directory data and configuration remotely.
So I did it, and it worked perfectly. This could be quite useful to incorporate into a deployed image if you occasionally have computers that forget their directory data. Security implications are an exercise for the reader.
Ed. Note: You should probably be more than a bit careful with this since it’s an open port on your client systems, any breach of which would cause some serious ramifications. I typically use ssh and dscl and friends to manage this.
On the other hand, this is also a handy tip to use in reverse. You have an OS X Server but it’s a standalone and you really don’t want it listening on the DS port. Remove the file and restart DS.
About Dave Provine
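The post ties remote Directory Access to two observable facts: the flag file and a listener on TCP port 625, with a daemon restart needed before the two agree. As an added example (not code from the original post or from Apple), this script classifies a host from those two facts so unexpected listeners can be found in an audit; the function names, state labels and sample `netstat -an` text are constructed for illustration, and the parser assumes the macOS `netstat -an` column layout.

```shell
#!/bin/sh
# Added example: classify a host by the flag file and TCP port named in the post.
FLAG_REL="Library/Preferences/DirectoryService/.DSTCPListening"  # path from the post
DS_PORT=625                                                       # port from the post

# Exit 0 if the flag file exists under ROOT ("/" on a live system).
flag_present() {
    [ -e "${1%/}/$FLAG_REL" ]
}

# Read `netstat -an` text on stdin (macOS layout: local address in field 4,
# port after the last dot); exit 0 if a TCP socket is in LISTEN on DS_PORT.
port_listening() {
    awk -v p="$DS_PORT" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, "[.]")
            if (a[n] == p) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# ds_remote_state ROOT NETSTAT_FILE -> prints one of four (hypothetical) labels.
ds_remote_state() {
    f=no; l=no
    if flag_present "$1"; then f=yes; fi
    if port_listening < "$2"; then l=yes; fi
    case "$f/$l" in
        yes/yes) echo "ENABLED" ;;
        no/no)   echo "DISABLED" ;;
        yes/no)  echo "FLAG-ONLY" ;;       # file present, no listener: restart likely pending
        no/yes)  echo "STALE-LISTENER" ;;  # file gone, still listening: restart likely pending
    esac
}

# Constructed sample of `netstat -an` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
tcp4       0      0  *.625                  *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  10.0.0.5.49152         10.0.0.9.625           ESTABLISHED
EOF
}

# Demo on a scratch tree: flag absent but port open -> STALE-LISTENER.
demo() {
    root=$(mktemp -d) && sample_netstat > "$root/ns.txt"
    ds_remote_state "$root" "$root/ns.txt"
    rm -rf "$root"
}
demo
```

On a live system, save `netstat -an` to a file and call `ds_remote_state / that-file`; anything other than DISABLED on a machine that is not meant to be managed remotely deserves a look.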
Wow, thank you for this awesome tip!
This will make it easier for me to change the LDAP plug-in options to get LDAP settings from a DHCP server on a number of machines without having to go to each one. All I need to do is push out the file to all of these machines, and then send a Unix command to restart DS, and then connect to each machine one by one and change the setting.
Now, is there a way to take the repetition out of this task? Can I somehow make this change on a number of machines simultaneously? I don’t want to affect other plugins’ settings (e.g. I don’t want to change settings for the AD plugin – just for LDAP).
Please excuse my idiocy. I forgot there are separate .plists for each DS plugin. I shall go hang my head in shame now, and then push out the .plist using ARD. 🙂
You can also easily manipulate the Directory Access settings using the DSCL command line tool as well as simply pushing out plists.
Dean Shavit
Author of Mac HelpMate
http://www.machelpmate.com