
Binding 10.7 client to 10.7 OD server

1336 Views 7 Replies Latest reply: Oct 19, 2012 6:46 AM by simen
kr2008
Jun 28, 2012 12:26 PM

Hi,

Previously I was able to bind my clients via script to AD & OD servers.  Recently, we just set up our 10.7.4 OD server to enable Profile Manager, with a self-signed SSL certificate.  Since we've made that change, during the binding process we receive a new prompt:

Certificates are available for this server.

Would you like to add them to system keychain automatically (y/n)?

Is there a way to answer this prompt from within our script?  Or is there an option we can throw in the dsconfigldap command to address this question?

I've tried binding the client from Terminal with just this command:

dsconfigldap -v -a myserver.edu -n myserver.edu -c computername

I still get the prompt to add the certificates.  This one prompt is throwing a huge wrinkle into our deployment workflow.  Any help would be greatly appreciated!

Thanks,

- Keith

Mac OS X (10.7.4)
  • Strontium90 Level 4 (2,895 points)
    Jun 28, 2012 3:17 PM (in response to kr2008)

    Fast thought as I am running.  Did you try with the -x switch?  I apologize for not testing before posting.

  • Strontium90 Level 4 (2,895 points)
    Jun 28, 2012 9:01 PM (in response to kr2008)

    How about prefixing it with yes:

    yes | dsconfigldap ....

    Not in the lab.  Still did not test.
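Piping `yes` into dsconfigldap answers the prompt, but it also means the script accepts whatever certificate the server happens to present at bind time (here the self-signed Profile Manager certificate the question mentions). The following is an added example, not code from any post in this thread or from Apple: a POSIX sh wrapper that fetches the certificate the OD server presents on its LDAPS port, compares its SHA-256 fingerprint with a pinned value, and only then lets `yes` answer the keychain prompt. The server name, port 636, the `-n`/`-c` values and the placeholder `PINNED_SHA256` are assumptions to be replaced with your own.

```shell
#!/bin/sh
# Added example, not from the thread: pin the OD server's certificate
# before letting `yes |` answer the "add them to system keychain" prompt.
# Assumed values: server name, LDAPS port 636 and PINNED_SHA256 below.

PINNED_SHA256="REPLACE_WITH_SHA256_FINGERPRINT_OF_YOUR_OD_CERT"   # assumption

# Turn the "SHA256 Fingerprint=AB:CD:..." line printed by
# `openssl x509 -fingerprint -sha256 -noout` into lowercase hex with no
# colons. Prints nothing if the line is absent (e.g. the fetch failed).
normalize_fingerprint() {
    printf '%s\n' "$1" \
        | sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p' \
        | head -n 1 \
        | tr -d ':' \
        | tr '[:upper:]' '[:lower:]'
}

# Return 0 when the fingerprint in raw openssl output ($2) equals the
# pinned value ($1); colons and case in the pinned value are ignored.
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr -d ':' | tr '[:upper:]' '[:lower:]')
    actual=$(normalize_fingerprint "$2")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Fetch the leaf certificate the server presents on the given port and
# print its SHA-256 fingerprint line.
fetch_fingerprint() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -fingerprint -sha256 -noout
}

# Bind this client, but only after the pin check passes. On a match the
# keychain prompt is answered with `yes`, exactly as in the thread.
bind_pinned() {
    # $1 server, $2 LDAP config name, $3 computer id
    raw=$(fetch_fingerprint "$1" 636)
    if ! fingerprint_matches "$PINNED_SHA256" "$raw"; then
        echo "refusing to bind: certificate on $1:636 does not match the pin" >&2
        return 1
    fi
    yes | dsconfigldap -v -a "$1" -n "$2" -c "$3"
}

# Usage (runs only when given three arguments, so the file can also be sourced):
#   ./bind-pinned.sh myserver.edu myserver.edu "$(scutil --get ComputerName)"
if [ "$#" -eq 3 ]; then
    bind_pinned "$1" "$2" "$3"
fi
```

Record the pinned value once, from a machine you trust, with the same `openssl` pipeline used in `fetch_fingerprint`; when the server's certificate is renewed the pin changes and the script refuses to bind until it is updated, which is the behaviour you want from a deployment tool that otherwise runs unattended.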

  • Strontium90 Level 4 (2,895 points)
    Jun 29, 2012 5:07 PM (in response to kr2008)

    Whoa!  If I knew you were from Hawaii I would have flown out to solve it.

    Glad to help.

  • wilsonad1
    Aug 22, 2012 7:45 AM (in response to kr2008)

    I am going to add this for what it's worth.  Our ARD script is similar, but it pulls the computer name first, and I had to answer the question after the fact or else it wouldn't work.  So here is how my code worked out for me.

    # Read the computer name first (command substitution, not a quoted string)
    computerid=$(scutil --get ComputerName)

    dsconfigldap -vf -a 'servername' -n 'configname' -c "$computerid" -u 'diradmin' -p 'diradminpass' -l 'localadmin' -q 'localadminpass'

    sleep 1

    # The answer to the certificate prompt, sent as its own line after the bind command
    yes

    Mountain Lion Server, OS X Server
  • simen
    Oct 19, 2012 6:46 AM (in response to kr2008)

    Using information from this site and my own scripting experience, I present to you a more secure way to do it which supports munki and other deployment tools without having the password to the ODM or client in clear text on the client or in packages easily accessible on an HTTP server:

     

    On server:

    ssh-keygen

    Save the output of ~/.ssh/id_rsa.pub to your clipboard.

    Then create a launchd job or something so that this runs at startup:

    nc -kl 1337 | xargs -n 1 -I host ssh -q -o StrictHostKeyChecking=no root@host /usr/local/bin/setupLDAP diradminpassword localadminpassword > /dev/null 2>&1

     

     

    On client:

    Create script (to use in a package as postinstall or something):

    #!/bin/bash
    # Turns on ssh
    systemsetup -f -setremotelogin On

    # Sets up passwordless login to root account from server
    # (root's .ssh directory does not exist on a fresh client, and sshd
    # ignores authorized_keys unless the permissions are tight)
    mkdir -p /var/root/.ssh
    chmod 700 /var/root/.ssh
    echo "ssh-rsa FROM_YOUR_CLIPBOARD_A_VERYLONGOUTPUTOFCHARACTERS admin@server.domain.no" >> /var/root/.ssh/authorized_keys
    chmod 600 /var/root/.ssh/authorized_keys

    # installs setupLDAP
    mkdir -p /usr/local/bin
    cat > /usr/local/bin/setupLDAP <<'EOF'
    #!/bin/sh
    PATH=/bin:/sbin:/usr/bin:/usr/sbin
    export PATH

    # $1 = directory admin password, $2 = local admin password,
    # both supplied by the server when it runs this script over ssh
    computerid=$(scutil --get ComputerName)
    yes | dsconfigldap -vfs -a 'server.domain.no' -n 'server' -c "$computerid" -u 'diradmin' -p "$1" -l 'l' -q "$2"
    EOF
    chmod +x /usr/local/bin/setupLDAP

    # Send this client's hostname to the listener on the server so it
    # connects back and runs setupLDAP (the step described in the end note)
    hostname | nc server.domain.no 1337

     

    End note

    That was the code; now you just add the skeleton.  And to clarify what this does: first we let the server connect to the client as root even though root access is "disabled" (it has no password and therefore you can't log in as root by default).  Then we create a small script to set up OD binding (/usr/local/bin/setupLDAP), but this script doesn't contain the passwords.  Then the client sends a request to the small socket server on the server with its hostname, then the server connects to that hostname and executes /usr/local/bin/setupLDAP with the needed passwords.

    Mac mini, OS X Mountain Lion (10.8.2)
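The listener in the post above has three properties worth noticing before copying it: whatever text arrives on port 1337 is handed to `ssh` unchanged, so it can become an ssh option or a second shell word rather than a hostname; `StrictHostKeyChecking=no` means the server will hand the two passwords to any machine that answers to that name; and the passwords are on the `ssh` command line, so they are visible in `ps` on the server and on the client's remote login shell. The following is an added example, not code from simen's post or from any Apple tool: a POSIX sh version of the same design that validates the received name as a DNS hostname inside an allowed zone, pins client host keys to a known_hosts file, and passes the passwords over ssh's stdin. `PORT`, `ALLOWED_SUFFIX`, `KNOWN_HOSTS`, the two credential file paths and the client-side `setupLDAP` variant in the trailing comment are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a hardened replacement for the
# "nc -kl 1337 | xargs ... ssh -o StrictHostKeyChecking=no root@host
# setupLDAP pw pw" listener. Three changes:
#  1. the name read from the socket is validated before it becomes an ssh
#     argument (anything else could become an ssh option or a shell word);
#  2. the client's host key is checked against a pinned known_hosts file
#     instead of being accepted blindly;
#  3. the two passwords travel on ssh's stdin, not in argv, so they are not
#     in `ps` output on the server or in the remote login shell's command line.
# Assumed: PORT, ALLOWED_SUFFIX, KNOWN_HOSTS and the two credential files.

PORT=1337
ALLOWED_SUFFIX=".domain.no"                    # clients must be in this zone
KNOWN_HOSTS=/var/root/.ssh/client_known_hosts  # host keys gathered at enrolment
DIRADMIN_PW_FILE=/var/root/.diradmin.pw        # mode 0600, root only
LOCALADMIN_PW_FILE=/var/root/.localadmin.pw

# Accept a bare hostname or an FQDN under ALLOWED_SUFFIX: DNS labels of
# letters, digits and hyphens (no leading/trailing hyphen), dot-separated,
# at most 253 characters. Returns 0 if the name is acceptable.
valid_hostname() {
    h=$1
    [ "${#h}" -le 253 ] || return 1
    printf '%s\n' "$h" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$' \
        || return 1
    case "$h" in
        *.*) case "$h" in *"$ALLOWED_SUFFIX") return 0 ;; *) return 1 ;; esac ;;
        *)   return 0 ;;   # bare name, resolved through the search domain
    esac
}

# Connect back to one validated client and run setupLDAP, feeding the
# passwords on stdin; the remote script reads them with `read -r`.
bind_client() {
    # $1 hostname, $2 directory admin password, $3 local admin password
    printf '%s\n%s\n' "$2" "$3" | ssh -q -o BatchMode=yes \
        -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
        "root@$1" /usr/local/bin/setupLDAP
}

# Listener: one connection at a time, one hostname per line, rejects logged.
serve() {
    diradmin_pw=$(cat "$DIRADMIN_PW_FILE")
    localadmin_pw=$(cat "$LOCALADMIN_PW_FILE")
    while :; do
        nc -l "$PORT" | while IFS= read -r name; do
            if valid_hostname "$name"; then
                bind_client "$name" "$diradmin_pw" "$localadmin_pw"
            else
                logger -t setupLDAP "rejected bind request for '$name'"
            fi
        done
    done
}

# The matching client-side /usr/local/bin/setupLDAP (assumed variant) reads
# its two passwords from stdin instead of $1 and $2:
#   IFS= read -r DIRPW; IFS= read -r LOCALPW
#   yes | dsconfigldap -vfs -a 'server.domain.no' -n 'server' \
#       -c "$(scutil --get ComputerName)" -u 'diradmin' -p "$DIRPW" -l 'l' -q "$LOCALPW"

# Start the loop only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "serve" ]; then
    serve
fi
```

Note what this does not change: `dsconfigldap` itself still takes the passwords as arguments on the client, so they are briefly visible in `ps` there for the duration of the bind; what the stdin hand-off removes is their exposure on the server and in the remote shell that ssh spawns. Populating `KNOWN_HOSTS` is the enrolment step that replaces `StrictHostKeyChecking=no`: run `ssh-keyscan` against each client once, from the server, at the time you install its authorized_keys entry.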
