AD/OD Augmented Records (OS X Server and Client Discussion, Active Directory)

  • #377213
    turnertapes
    Participant

    Hi Everyone,

    I am currently configuring a Mac Lab in a University. They would like user accounts to be centrally managed using the AD network but they also want users to have two separate home directories, one accessed when logging in on a PC and the other accessed when logging in on a Mac.

    I have successfully been able to do this by using Augmented records as described in the excellent Leveraging AD by Mr. Bombich. I have imported several users manually and changed the records.

    The problem I am facing is importing 500+ users into WGM and configuring the Augmented records. I have downloaded a script from bombich.com that should import all users of a specified group into WGM and add the augmented records. Unfortunately, the script returns an error and no users are imported. I have tried entering the network information into the script in as many different ways as I can think of, but I keep getting the same error. The error is below:

    *** Terminating app due to uncaught exception 'NSParseErrorException', reason: 'XML parser error:
    Unexpected character n at line 1
    Old-style plist parser error:
    Unexpected ';' or '=' after key at line 1

    I have seen on the forums many users discussing Augmented records. Has anyone used the Bombich script to import multiple users and change the records?

    I would be grateful for any info or suggestions.

    #377221
    sramdeen
    Participant

    I have had some good and some not so good experiences with this. After failing with Bombich’s script and binary I thought I’d hack something together myself.

    The main problem I have come across is dealing with ADs where the users or even just a couple of users have spaces or special characters in their usernames.
    Most of the sites where I have worked have a great nomenclature for usernames. Usually something like first initial and then surname, or the other way around. In the case of schools & colleges they usually prefix or suffix with the year of enrolment unless it’s a very small school.

    I have had some ‘issues’ with the way that dscl reports group membership. I have found that if there are no usernames with spaces in a given group, the list of members will be returned, each separated by a space. For groups that have usernames with spaces, the usernames are separated by a new line. This isn’t the end of the world and can be adjusted for in the script. Perhaps a better fix would be to output dscl to a plist and then read the plist. I’ll have to try it when I have time.

    However, what I can’t seem to get working properly is augments for users that have a username somewhere in the AD with a space in it.

    For example, if I perform a `dscl /Search read Groups/all\ staff GroupMembership` I might get something like this:

    GroupMembership:
    DOMAIN\shalom cohen
    DOMAIN\richard brown

    However, looking at the user record for these users indicates that their ‘real’ username does not have any spaces in it:

    dscl /Search read Users/shalom\ cohen

    dsAttrTypeNative:sAMAccountName: scohen

    but:

    RecordName:
    scohen
    shalom cohen
    [email protected]
    DOMAIN\scohen
    DOMAIN\shalom cohen
    Shalom Cohen

    I’m not sure why a dscl query of a group is returning members of the group using their second ‘RecordName’ rather than their first or even the sAMAccountName.

    Anyhow, if you can account for that (I have used some ldapsearch routines in this particular version of the script to search for users in a given OU and return the sAMAccountName), you might be able to modify this script for your own usage:

    [code]
    #!/bin/bash
    # Stuart Ramdeen, Toucan Computing Ltd. 2009.
    PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin

    # Open Directory server that holds the augmented records and the Mac home share.
    APPLESERVER="gsxserve01.domain.lea.sch.uk"
    APPLESERVERSHARE="machomes"
    APPLESERVERPATHTOSHARE="/Volumes/data/"
    DIRADMIN="diradmin"
    DIRADMINPW="PASSWORD"

    # AD domain controller, bind account and search base for the ldapsearch lookups.
    # Passing the bind password with -w puts it in the process list; ldapsearch -y <file>
    # reads it from a file instead.
    ADSERVER="ldap://gsdc01.domain.lea.sch.uk"
    ADBINDDN="CN=macadmin,CN=Users,DC=domain,DC=lea,DC=sch,DC=uk"
    ADBINDPW="PASSWORD"
    ADSTUDENTS="OU=Students,DC=domain,DC=lea,DC=sch,DC=uk"

    # Split command substitutions on newlines only, so each line of ldapsearch
    # output (one sAMAccountName per line) becomes one array element.
    IFS=$'\n'

    # Print the sAMAccountName of every user in the named OU under Students, one per line.
    ou_users() {
        ldapsearch -x -LLL -H "$ADSERVER" -b "OU=$1,$ADSTUDENTS" -D "$ADBINDDN" -w "$ADBINDPW" sAMAccountName \
            | grep sAMAccountName | awk '{print $2}'
    }

    y2002="$(ou_users Y2002)"
    y2003="$(ou_users Y2003)"
    y2004="$(ou_users Y2004)"
    y2005="$(ou_users Y2005)"
    y2006="$(ou_users Y2006)"
    y2007="$(ou_users Y2007)"
    y2008="$(ou_users Y2008)"
    y2009="$(ou_users Y2009)"
    media="$(ou_users Media)"

    # A single username given on the command line overrides the OU lookups.
    if [[ -n "$1" ]] ; then
        users=("$1")
    else
        users=($media $y2002 $y2003 $y2004 $y2005 $y2006 $y2007 $y2008 $y2009)
    fi

    #echo "${users[@]}"

    for u in "${users[@]}" ; do
        # Only create an augment if the search path has none for this user yet.
        if [[ $(dscl /Search read "/Augments/Users:$u" 2>/dev/null | grep -c RealName) -eq 0 ]] ; then
            echo "####################################################################"
            echo creating augmented records for user "$u"
            dscl -u "$DIRADMIN" -P "$DIRADMINPW" /LDAPv3/127.0.0.1 create "/Augments/Users:$u"
            dscl -u "$DIRADMIN" -P "$DIRADMINPW" /LDAPv3/127.0.0.1 create "/Augments/Users:$u" RealName "$u"
            dscl -u "$DIRADMIN" -P "$DIRADMINPW" /LDAPv3/127.0.0.1 create "/Augments/Users:$u" PrimaryGroupID 20
            dscl -u "$DIRADMIN" -P "$DIRADMINPW" /LDAPv3/127.0.0.1 create "/Augments/Users:$u" GeneratedUID "$(uuidgen)"
            dscl -u "$DIRADMIN" -P "$DIRADMINPW" /LDAPv3/127.0.0.1 create "/Augments/Users:$u" ServicesLocator "(null):(null):calendar"
            # Reuse the UID the AD record already resolves to, so the home folder stays owned by the same user.
            dscl -u "$DIRADMIN" -P "$DIRADMINPW" /LDAPv3/127.0.0.1 create "/Augments/Users:$u" UniqueID "$(id -u "$u")"
            dscl -u "$DIRADMIN" -P "$DIRADMINPW" /LDAPv3/127.0.0.1 create "/Augments/Users:$u" UserShell /usr/bin/false
            dscl -u "$DIRADMIN" -P "$DIRADMINPW" /LDAPv3/127.0.0.1 create "/Augments/Users:$u" HomeDirectory "afp://$APPLESERVER/$APPLESERVERSHARE/$u"
            dscl -u "$DIRADMIN" -P "$DIRADMINPW" /LDAPv3/127.0.0.1 create "/Augments/Users:$u" NFSHomeDirectory "/Network/Servers/$APPLESERVER$APPLESERVERPATHTOSHARE$APPLESERVERSHARE/$u"
            echo created record for user "$u"
            echo "####################################################################"
        else
            echo augment exists for user "$u", skipping
        fi
    done

    echo "#######################
    #You will need to issue a 'sudo killall DirectoryService' and 'sudo createhomedir -s' if new augments have been created
    #######################"
    exit 0
    [/code]

    Note the createhomedir bit at the end. I have had very mixed results using createhomedir -s after creating the augments. Even after a restart of DS or a complete server reboot, createhomedir doesn’t pick up all augmented users.
    I have also had to knock up a quick script to query the DS for augments and then check the ‘machomes’ folder to see if a home folder for that user exists. If it doesn’t, create it.

    Please feel free to suggest any improvements.

    Stu
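As an added example (not Stu's script and not part of the original thread), here is the plist route he suggests, written in Python: read the `dscl -plist` output with `plistlib`, so each member is one array element whether or not it contains a space, and map the `DOMAIN\first last` form dscl reports back to the sAMAccountName through the user record's RecordName list. The plist strings are constructed to mirror the shapes shown above; the `dsAttrTypeStandard:` / `dsAttrTypeNative:` keys are the attribute names dscl emits in plist mode, and the `rbrown` record and the `example.invalid` mail domain are stand-ins.

```python
import plistlib

# Constructed stand-in for the output of
#   dscl -plist /Search read "Groups/all staff" GroupMembership
# Members appear as in the thread (second RecordName, containing a space).
# The third member matches no user record and exercises the "unknown" path.
GROUP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>dsAttrTypeStandard:GroupMembership</key>
  <array>
    <string>DOMAIN\\shalom cohen</string>
    <string>DOMAIN\\richard brown</string>
    <string>DOMAIN\\no such user</string>
  </array>
</dict>
</plist>
"""


def user_plist(sam, first, last):
    """Constructed stand-in for `dscl -plist /Search read Users/<name>` with the
    six RecordName aliases the thread shows (mail domain is a placeholder)."""
    full = f"{first} {last}"
    aliases = [sam, full, f"{sam}@example.invalid", f"DOMAIN\\{sam}",
               f"DOMAIN\\{full}", full.title()]
    return plistlib.dumps({
        "dsAttrTypeNative:sAMAccountName": [sam],
        "dsAttrTypeStandard:RecordName": aliases,
    })


# Assumed user records: scohen from the thread, rbrown invented to match the group.
USER_PLISTS = [user_plist("scohen", "shalom", "cohen"),
               user_plist("rbrown", "richard", "brown")]


def naive_split(line):
    """What a shell `for u in $(dscl ...)` loop does with the one-line form of the
    output: whitespace splitting, which breaks any name containing a space."""
    return line.split()


def group_members(plist_bytes):
    """Group members from `dscl -plist` output: one array element per member,
    spaces preserved, independent of how dscl would have laid out plain text."""
    record = plistlib.loads(plist_bytes)
    return list(record.get("dsAttrTypeStandard:GroupMembership", []))


def build_alias_index(user_plists):
    """Map every RecordName alias, with and without its DOMAIN\\ prefix,
    to that record's sAMAccountName."""
    index = {}
    for blob in user_plists:
        record = plistlib.loads(blob)
        sam = record["dsAttrTypeNative:sAMAccountName"][0]
        for alias in record.get("dsAttrTypeStandard:RecordName", []):
            index[alias] = sam
            index[alias.rsplit("\\", 1)[-1]] = sam
    return index


def resolve_members(group_plist, user_plists):
    """Return (sAMAccountNames, unresolved member names). Only the resolved names
    are safe to feed to `dscl ... create /Augments/Users:<name>`."""
    index = build_alias_index(user_plists)
    resolved, unknown = [], []
    for member in group_members(group_plist):
        if member in index:
            resolved.append(index[member])
        else:
            unknown.append(member)
    return resolved, unknown


if __name__ == "__main__":
    print("naive split:", naive_split("DOMAIN\\shalom cohen DOMAIN\\richard brown"))
    print("plist members:", group_members(GROUP_PLIST))
    print("resolved / unknown:", resolve_members(GROUP_PLIST, USER_PLISTS))
```

On a real server the two inputs would come from `dscl -plist /Search read "Groups/<group>" GroupMembership` and `dscl -plist /Search read "Users/<member>"` run per member; anything that lands in the unknown list should be checked by hand rather than passed on to the augment-creation loop.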
