Tips December 13, 2006 at 9:10 am

Remote Control of Directory Access

Many of you are aware that you can open Directory Access, click on the Server menu item, click Connect, and fill in the address, username, and password of an OS X Server and then make changes to the server’s authentication settings as if you are at the console.

I needed to remote control Directory Access the other day on a plain OS X box that I was using for some server functions, but unlike a full OS X Server, Remote Directory Access would not work.

Then I remembered a great tip from “Essential Mac OS X Panther Server Administration” by Michael Bartosh. On pages 116-117, he discusses Directory Access, and mentions in a tip:

DirectoryService knows whether to listen on port 625 according to the existence of the /Library/Preferences/DirectoryService/.DSTCPListening file. By creating this file and restarting the DirectoryService daemon, it is feasible to access Mac OS X client directory data and configuration remotely.

So I did it, and it worked perfectly. This could be quite useful to incorporate into a deployed image if you occasionally have computers that forget their directory data. Security implications are an exercise for the reader.

Ed. Note: You should probably be more than a bit careful with this, since it leaves an open port on your client systems, and a compromise of that service would have serious ramifications. I typically use ssh and dscl and friends to manage this.

On the other hand, this is also a handy tip to use in reverse. You have an OS X Server but it’s standalone and you really don’t want it listening on the DS port. Remove the file and restart DS.
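Putting the create-or-remove step and the restart together, as an added shell example (not from the original post or from Bartosh’s book). The flag file path is the one named above; the `killall DirectoryService` restart and the `netstat` check of port 625/tcp are assumptions about how the daemon is restarted and observed, and the prefs directory is a parameter so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: inspect and toggle the DirectoryService TCP listener flag.
# Assumptions (not stated in the post): restarting is done with
# `killall DirectoryService` (the daemon is respawned), and `netstat -an`
# shows the real state of port 625/tcp.

DS_DEFAULT_PREFS=/Library/Preferences/DirectoryService

# ds_flag_path [prefs_dir]: full path of the flag file (dir overridable for testing)
ds_flag_path() {
    printf '%s/.DSTCPListening\n' "${1:-$DS_DEFAULT_PREFS}"
}

# ds_listen_status [prefs_dir]: "enabled" when the flag file exists, else "disabled"
ds_listen_status() {
    if [ -e "$(ds_flag_path "$1")" ]; then echo enabled; else echo disabled; fi
}

# ds_set_listening enable|disable [prefs_dir]: create or remove the flag file.
# Returns 0 on success, 2 on bad usage. Does not restart the daemon itself.
ds_set_listening() {
    flag=$(ds_flag_path "$2")
    case "$1" in
        enable)  mkdir -p "$(dirname "$flag")" && : > "$flag" ;;
        disable) rm -f "$flag" ;;
        *)       echo "usage: ds_set_listening enable|disable [prefs_dir]" >&2; return 2 ;;
    esac
}

# ds_restart: make DirectoryService re-read the flag (Darwin only; assumption)
ds_restart() {
    [ "$(uname)" = Darwin ] || { echo "ds_restart: not macOS, skipping" >&2; return 1; }
    killall DirectoryService
}

# ds_port_check: independent check of whether anything listens on 625/tcp,
# so an audit does not rely on the flag file alone.
ds_port_check() {
    if netstat -an 2>/dev/null | grep -q '[.:]625 .*LISTEN'; then
        echo listening
    else
        echo closed
    fi
}
```

Source the file, then `ds_set_listening disable && ds_restart` closes the port on a standalone machine and `ds_port_check` confirms it; `ds_listen_status` alone is enough for a read-only audit over ssh.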

3 Comments

  • Wow, thank you for this awesome tip!

    This will make it easier for me to change the LDAP plug-in options to get LDAP settings from a DHCP server on a number of machines without having to go to each one. All I need to do is push out the file to all of these machines, and then send a Unix command to restart DS, and then connect to each machine one by one and change the setting.

    Now, is there a way to take the repetition out of this task? can i somehow make this change on a number of machines simultaneously? I don’t want to affect other plugins’ settings (e.g. i don’t want to change settings for the AD plugin – just for LDAP).

    • Please excuse my idiocy. I forgot there are separate .plists for each DS plugin. I shall go hang my head in shame now, and then push out the .plist using ARD. 🙂

    • You can also easily manipulate the Directory Access settings using the DSCL command line tool as well as simply pushing out plists.

      Dean Shavit
      Author of Mac HelpMate
      http://www.machelpmate.com
