Home > Linux, Mac administration, Mac OS X, Scripting > Migrating Macs from one OpenLDAP domain to another OpenLDAP domain

Migrating Macs from one OpenLDAP domain to another OpenLDAP domain

A while ago, I needed to script a method for binding Macs running 10.6.x and later to our Linux-based OpenLDAP server. Recently, we needed to move our OpenLDAP domain to a different OpenLDAP domain as part of a larger directory service migration project. A small part of that project was moving the LDAP-bound Macs to the new LDAP domain, preferably with as little disruption as possible.

One enormous advantage I had with this LDAP move was the following:

All UIDs, GIDs, usernames, passwords and group names were going to be identical between the two LDAP domains.

As a consequence, I would not need to do any permissions changes, rebuild accounts, make sure people got new passwords or a host of other things normally associated with a directory service change. My task was essentially to tell the Macs “Stop talking to the OpenLDAP service at that address, start talking to this other OpenLDAP service at this address”

As part of the project, I also wanted to accommodate two separate Active Directory domains differently. I wasn’t binding to AD as part of this process, but if a particular Mac was bound to Domain A, I wanted to unbind. If a Mac was bound to Domain B, I didn’t want to unbind but I did want the new LDAP server to be the primary authentication source.

Using my previous OpenLDAP binding script as a starting point, I was able to build a script to handle moving our Macs without downtime or account changes. See below the jump for details.

This script will allow a Mac to connect to an OpenLDAP server using a simple anonymous bind and can be used to migrate a Mac from one LDAP server to another. It has been tested on Mac OS X 10.6.8, 10.7.5, 10.8.5 and 10.9.0.

If you are adapting this for your own use, run a search and replace for the following:

dc=replaceme,dc=org” (no quotes)

You’ll need to replace that with your own LDAP search base

ldap.server.here” (no quotes)

You’ll need to replace that with the fully qualified domain name of your OpenLDAP server.

The script is designed to check for the following:
1. Is the Mac bound to the old LDAP server?
2. Is the Mac bound to one of two AD domains:

Domain A (referred to in the script as OLDDOMAIN or olddomain.com)
Domain B (referred to in the script as NEWDOMAIN or newdomain.com)

The script will then perform the following actions:

If the Mac is bound to the old server and Domain A:
Remove the old LDAP server settings, add the new LDAP server settings, unbind from Domain A, and set the new LDAP server to be the primary authentication source.


If the Mac is bound to the old server and Domain B:
Remove the old LDAP server settings, add the new LDAP server settings, do not unbind from Domain B, and set the new LDAP server to be the primary authentication source


If the Mac is bound to the old server and not bound to AD:
Remove the old LDAP server settings, add the new LDAP server settings, and set the new LDAP server to be the primary authentication source.


If the Mac is bound to neither LDAP or AD:
Add the new LDAP server settings and set the new LDAP server to be the primary authentication source.

For those interested, I’ve made the script available here on my GitHub repo. I’ve also posted the script below.


#!/bin/sh
# Determine OS version
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')
# Environment settings
LDAPdomain="new_ldap_server_here" # Fully qualified DNS of new LDAP server
oldLDAPdomain="old_ldap_server_here" # Fully qualified DNS of old LDAP server
oldADdomain="olddomain.com" # Fully qualified DNS name of the old Active Directory Domain
oldADdomainname="OLDDOMAIN" # Name of the old AD Domain as specified in the search paths
newADdomain="newdomain.com" # Fully qualified DNS name of the new Active Directory Domain
newADdomainname="NEWDOMAIN" # Name of the new AD Domain as specified in the search paths
# These variables probably don't need to be changed
# Determining if any directory binding exists
if dscl localhost -list /LDAPv3 | grep . > /dev/null; then
check4OD=$(dscl localhost -list /LDAPv3 | awk 'NR<2{print $NF}')
echo "Found LDAP: "$check4OD
else
echo "No LDAP binding found"
fi
# Check if bound to the old LDAP server
# and remove the old LDAP server settings
if [[ "${check4OD}" == "${oldLDAPdomain}" ]]; then
/bin/echo "This machine is joined to ${oldLDAPdomain}"
/bin/echo "Removing from ${oldLDAPdomain}"
dsconfigldap -r "${oldLDAPdomain}"
/usr/bin/dscl localhost -delete Search CSPSearchPath /LDAPv3/"${oldLDAPdomain}"
/usr/bin/dscl localhost -delete Contact CSPSearchPath /LDAPv3/"${oldLDAPdomain}"
fi
if [[ ${osvers} -lt 7 ]]; then
if [[ `dsconfigad -show | awk '/Active Directory Domain/{print $NF}'` == "$oldADdomain" ]]; then
check4oldAD=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
echo "Found AD: "$check4oldAD
check4newAD=""
else
echo "No olddomain.com AD binding found"
fi
if [[ $check4oldAD == "${oldADdomain}" ]]; then
dsconfigad -f -r -u nousernamehere -p nopasswordhere
fi
if [[ `dsconfigad -show | awk '/Active Directory Domain/{print $NF}'` == "$newADdomain" ]]; then
check4newAD=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
echo "Found AD: "$check4newAD
check4oldAD=""
else
echo "No newdomain.com AD binding found"
fi
fi
if [[ ${osvers} -ge 7 ]]; then
if [[ `dsconfigad -show | awk '/Active Directory Domain/{print $NF}'` == "$oldADdomain" ]]; then
check4oldAD=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
echo "Found AD: "$check4oldAD
check4newAD=""
else
echo "No olddomain.com AD binding found"
fi
if [[ $check4oldAD == "${oldADdomain}" ]]; then
dsconfigad -force -remove -u nousernamehere -p nopasswordhere
fi
if [[ `dsconfigad -show | awk '/Active Directory Domain/{print $NF}'` == "$newADdomain" ]]; then
check4newAD=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
echo "Found AD: "$check4newAD
check4oldAD=""
else
echo "No newdomain.com AD binding found"
fi
fi
echo ""
echo ""
echo "Binding to LDAP Domain "$LDAPdomain
if [[ ${osvers} -lt 7 ]]; then
if [[ ! -d '/Library/Preferences/DirectoryService' ]]; then
echo "mkdir /Library/Preferences/DirectoryService"
fi
if [[ -f /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist ]]; then
echo "rm /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist"
fi
fi
if [[ ${osvers} -lt 7 ]]; then
/bin/cat > /tmp/$LDAPdomain.plist << 'NEW_LDAP_BIND'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt;
<plist version="1.0">
<dict>
<key>LDAP PlugIn Version</key>
<string>DSLDAPv3PlugIn Version 1.5</string>
<key>LDAP Server Configs</key>
<array>
<dict>
<key>Attribute Type Map</key>
<array>
<dict>
<key>Native Map</key>
<array>
<string>cn</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:RecordName</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>createTimestamp</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:CreationTimestamp</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>modifyTimestamp</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:ModificationTimestamp</string>
</dict>
</array>
<key>Delay Rebind Try in seconds</key>
<integer>120</integer>
<key>Denied SASL Methods</key>
<array>
<string>DIGEST-MD5</string>
</array>
<key>Enable Use</key>
<true/>
<key>Idle Timeout in minutes</key>
<integer>2</integer>
<key>LDAP Referrals</key>
<true/>
<key>Local Security Level</key>
<dict>
<key>No ClearText Authentications</key>
<false/>
</dict>
<key>OpenClose Timeout in seconds</key>
<integer>15</integer>
<key>Port Number</key>
<integer>389</integer>
<key>Record Type Map</key>
<array>
<dict>
<key>Attribute Type Map</key>
<array>
<dict>
<key>Native Map</key>
<array>
<string>uid</string>
<string>cn</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:RecordName</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>cn</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:RealName</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>uidNumber</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:UniqueID</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>gidNumber</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:PrimaryGroupID</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>homeDirectory</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:NFSHomeDirectory</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>userPassword</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:Password</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>loginShell</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:UserShell</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>description</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:Comment</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>shadowLastChange</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:Change</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>shadowExpire</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:Expire</string>
</dict>
</array>
<key>Native Map</key>
<array>
<dict>
<key>Group Object Classes</key>
<string>OR</string>
<key>Object Classes</key>
<array>
<string>posixAccount</string>
<string>inetOrgPerson</string>
<string>shadowAccount</string>
</array>
<key>Search Base</key>
<string>dc=replaceme,dc=org</string>
</dict>
</array>
<key>Standard Name</key>
<string>dsRecTypeStandard:Users</string>
</dict>
<dict>
<key>Attribute Type Map</key>
<array>
<dict>
<key>Native Map</key>
<array>
<string>memberUid</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:GroupMembership</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>memberUid</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:Member</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>gidNumber</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:PrimaryGroupID</string>
</dict>
</array>
<key>Native Map</key>
<array>
<dict>
<key>Group Object Classes</key>
<string>OR</string>
<key>Object Classes</key>
<array>
<string>posixGroup</string>
</array>
<key>Search Base</key>
<string>dc=replaceme,dc=org</string>
</dict>
</array>
<key>Standard Name</key>
<string>dsRecTypeStandard:Groups</string>
</dict>
<dict>
<key>Attribute Type Map</key>
<array>
<dict>
<key>Native Map</key>
<array>
<string>mountDirectory</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:VFSLinkDir</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>mountOption</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:VFSOpts</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>mountType</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:VFSType</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>mountDumpFrequency</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:VFSDumpFreq</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>mountPassNo</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:VFSPassNo</string>
</dict>
</array>
<key>Native Map</key>
<array>
<dict>
<key>Group Object Classes</key>
<string>OR</string>
<key>Object Classes</key>
<array>
<string>mount</string>
</array>
<key>Search Base</key>
<string>dc=replaceme,dc=org</string>
</dict>
</array>
<key>Standard Name</key>
<string>dsRecTypeStandard:Mounts</string>
</dict>
<dict>
<key>Attribute Type Map</key>
<array>
<dict>
<key>Native Map</key>
<array>
<string>cn</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:RecordName</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>cn</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:RealName</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>sn</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:LastName</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>givenName</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:FirstName</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>mail</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:EMailAddress</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>telephoneNumber</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:PhoneNumber</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>homePhone</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:HomePhoneNumber</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>facsimileTelephoneNumber</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:FAXNumber</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>mobile</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:MobileNumber</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>pager</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:PagerNumber</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>street</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:AddressLine1</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>postalAddress</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:PostalAddress</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>street</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:Street</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>l</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:City</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>st</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:State</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>postalCode</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:PostalCode</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>c</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:Country</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>o</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:OrganizationName</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>departmentNumber</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:Department</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>title</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:JobTitle</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>buildingName</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:Building</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>userCertificate;binary</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:UserCertificate</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>userSMIMECertificate</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:UserSMIMECertificate</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>userPKCS12</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:UserPKCS12Data</string>
</dict>
</array>
<key>Native Map</key>
<array>
<dict>
<key>Group Object Classes</key>
<string>OR</string>
<key>Object Classes</key>
<array>
<string>inetOrgPerson</string>
</array>
<key>Search Base</key>
<string>dc=replaceme,dc=org</string>
</dict>
</array>
<key>Standard Name</key>
<string>dsRecTypeStandard:People</string>
</dict>
<dict>
<key>Attribute Type Map</key>
<array>
<dict>
<key>Native Map</key>
<array>
<string>cn</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:RecordName</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>authorityRevocationList;binary</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:AuthorityRevocationList</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>certificateRevocationList;binary</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:CertificateRevocationList</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>crossCertificatePair;binary</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:CrossCertificatePair</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>cACertificate;binary</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:CACertificate</string>
</dict>
</array>
<key>Native Map</key>
<array>
<dict>
<key>Group Object Classes</key>
<string>OR</string>
<key>Object Classes</key>
<array>
<string>certificationAuthority</string>
</array>
<key>Search Base</key>
<string>dc=replaceme,dc=org</string>
</dict>
</array>
<key>Standard Name</key>
<string>dsRecTypeStandard:CertificateAuthorities</string>
</dict>
<dict>
<key>Attribute Type Map</key>
<array>
<dict>
<key>Native Map</key>
<array>
<string>description</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:Comment</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>automountMapName</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:RecordName</string>
</dict>
</array>
<key>Native Map</key>
<array>
<dict>
<key>Group Object Classes</key>
<string>OR</string>
<key>Object Classes</key>
<array>
<string>automountMap</string>
</array>
<key>Search Base</key>
<string>dc=replaceme,dc=org</string>
</dict>
</array>
<key>Standard Name</key>
<string>dsRecTypeStandard:AutomountMap</string>
</dict>
<dict>
<key>Attribute Type Map</key>
<array>
<dict>
<key>Native Map</key>
<array>
<string>description</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:Comment</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>automountInformation</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:AutomountInformation</string>
</dict>
<dict>
<key>Native Map</key>
<array>
<string>automountKey</string>
</array>
<key>Standard Name</key>
<string>dsAttrTypeStandard:RecordName</string>
</dict>
</array>
<key>Native Map</key>
<array>
<dict>
<key>Group Object Classes</key>
<string>OR</string>
<key>Object Classes</key>
<array>
<string>automount</string>
</array>
<key>Search Base</key>
<string>dc=replaceme,dc=org</string>
</dict>
</array>
<key>Standard Name</key>
<string>dsRecTypeStandard:Automount</string>
</dict>
</array>
<key>SSL</key>
<false/>
<key>Search Timeout in seconds</key>
<integer>120</integer>
<key>Server</key>
<string>ldap.server.goes.here</string>
<key>Server Mappings</key>
<false/>
<key>Supported Security Level</key>
<dict>
<key>Man In The Middle</key>
<true/>
<key>No ClearText Authentications</key>
<true/>
<key>Packet Encryption</key>
<true/>
<key>Packet Signing</key>
<true/>
</dict>
<key>Template Name</key>
<string>RFC 2307 (Unix)</string>
<key>Template Search Base Suffix</key>
<string>dc=replaceme,dc=org</string>
<key>Template Version</key>
<string>10.4</string>
<key>UI Name</key>
<string>ldap.server.goes.here</string>
<key>Use DNS replicas</key>
<false/>
</dict>
</array>
<key>Service Principals to Create</key>
<string>host,afpserver,cifs,vnc</string>
</dict>
</plist>
NEW_LDAP_BIND
if [[ -f /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist ]]; then
rm /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist
mv /tmp/$LDAPdomain.plist /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist
fi
echo "Killing DirectoryService"
killall DirectoryService
echo "Giving Directory Services some time to reload…"
sleep 10
echo "Killing DirectoryService"
killall DirectoryService
fi
if [[ ${osvers} -ge 7 ]]; then
if [[ ! -d /Library/Preferences/OpenDirectory/Configurations/LDAPv3 ]]; then
mkdir /Library/Preferences/OpenDirectory/Configurations/LDAPv3
fi
if [[ -f /Library/Preferences/OpenDirectory/Configurations/LDAPv3/$LDAPdomain.plist ]]; then
mv /Library/Preferences/OpenDirectory/Configurations/LDAPv3/$LDAPdomain.plist /tmp/config_$LDAPdomain.plist
fi
fi
if [[ ${osvers} -ge 7 ]]; then
/bin/cat > /tmp/$LDAPdomain.plist << 'NEW_LDAP_BIND'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt;
<plist version="1.0">
<dict>
<key>description</key>
<string>ldap.server.goes.here</string>
<key>mappings</key>
<dict>
<key>template</key>
<string>RFC2307</string>
</dict>
<key>module options</key>
<dict>
<key>AppleODClient</key>
<dict>
<key>Server Mappings</key>
<false/>
</dict>
<key>ldap</key>
<dict>
<key>Denied SASL Methods</key>
<array>
<string>DIGEST-MD5</string>
<string>NTLM</string>
<string>GSSAPI</string>
<string>CRAM-MD5</string>
<string>DIGEST-MD5</string>
</array>
<key>LDAP Referrals</key>
<true/>
<key>Template Search Base Suffix</key>
<string>dc=replaceme,dc=org</string>
<key>Use DNS replicas</key>
<false/>
</dict>
</dict>
<key>node name</key>
<string>/LDAPv3/new_ldap_server_here</string>
<key>options</key>
<dict>
<key>connection idle disconnect</key>
<integer>60</integer>
<key>connection setup timeout</key>
<integer>10</integer>
<key>destination</key>
<dict>
<key>host</key>
<string>ldap.server.goes.here</string>
<key>other</key>
<string>ldap</string>
<key>port</key>
<integer>389</integer>
</dict>
<key>man-in-the-middle</key>
<false/>
<key>no cleartext authentication</key>
<true/>
<key>packet encryption</key>
<integer>1</integer>
<key>packet signing</key>
<integer>1</integer>
<key>query timeout</key>
<integer>30</integer>
</dict>
<key>template</key>
<string>LDAPv3</string>
<key>trusttype</key>
<string>anonymous</string>
</dict>
</plist>
NEW_LDAP_BIND
if [[ ! -f /Library/Preferences/OpenDirectory/Configurations/LDAPv3/$LDAPdomain.plist ]]; then
mv /tmp/$LDAPdomain.plist /Library/Preferences/OpenDirectory/Configurations/LDAPv3/$LDAPdomain.plist
fi
sleep 5
echo "Killing opendirectoryd"
killall opendirectoryd
fi
echo "Finished OD Binding."
# Give DS a chance to catch up
sleep 5
if [[ -n "$check4oldAD" ]]; then
if [[ $check4oldAD == "${oldADdomain}" ]]; then
if [[ ${osvers} -ge 7 ]]; then
echo "Removing previous bindings"
dscl localhost -delete Search CSPSearchPath /Active\ Directory/"${oldADdomainname}"/All\ Domains
dscl localhost -delete Contact CSPSearchPath /Active\ Directory/"${oldADdomainname}"/All\ Domains
echo "Adding new LDAP binding"
dscl localhost -merge Search CSPSearchPath /LDAPv3/"${LDAPdomain}"
echo "Killing opendirectoryd"
killall opendirectoryd
fi
if [[ ${osvers} -lt 7 ]]; then
echo "Removing remaining AD entries"
dscl localhost -delete Search CSPSearchPath '/Active Directory/All Domains'
dscl localhost -delete Contact CSPSearchPath '/Active Directory/All Domains'
echo "Adding new LDAP binding"
dscl localhost -merge Search CSPSearchPath /LDAPv3/"${LDAPdomain}"
echo "Killing DirectoryService"
killall DirectoryService
fi
echo -n "Now bound to OD Domain: "
dscl localhost -list /LDAPv3
echo -n "With Search Path entries: "
dscl /Search -read / CSPSearchPath | grep /LDAP
fi
fi
if [[ -n "$check4newAD" ]]; then
if [[ $check4newAD == "${newADdomain}" ]]; then
if [[ ${osvers} -ge 7 ]]; then
echo "Removing previous bindings"
dscl localhost -delete Search CSPSearchPath /Active\ Directory/"${newADdomainname}"/All\ Domains
echo "Adding new LDAP binding"
dscl localhost -merge Search CSPSearchPath /LDAPv3/"${LDAPdomain}"
# Even if using All Domains, you need to add '/Active Directory/DOMAIN'
# to the authentication search path
dscl localhost -merge Search CSPSearchPath /Active\ Directory/"${newADdomainname}"
dscl localhost -merge Search CSPSearchPath /Active\ Directory/"${newADdomainname}"/All\ Domains
# If you're planning to use All Domains, remove '/Active Directory/DOMAIN'
# from the search path
dscl localhost -delete Search CSPSearchPath /Active\ Directory/"${newADdomainname}"
echo "Killing opendirectoryd"
killall opendirectoryd
fi
if [[ ${osvers} -lt 7 ]]; then
echo "Removing AD binding"
dscl localhost -delete Search CSPSearchPath '/Active Directory/All Domains'
echo "Adding new LDAP binding"
dscl localhost -merge Search CSPSearchPath /LDAPv3/"${LDAPdomain}"
dscl localhost -merge Search CSPSearchPath '/Active Directory/All Domains'
echo "Killing DirectoryService"
killall DirectoryService
fi
echo -n "Now bound to OD Domain: "
dscl localhost -list /LDAPv3
echo -n "With Search Path entries: "
dscl /Search -read / CSPSearchPath | grep /LDAP
echo -n "Now bound to AD Domain: "
dscl localhost -list "/Active Directory"
echo -n "With Search Path entries: "
dscl /Search -read / CSPSearchPath | grep /Active
fi
fi
if [[ $check4oldAD == "" ]] && [[ $check4newAD == "" ]]; then
if [[ ${osvers} -ge 7 ]]; then
echo "Adding new LDAP binding"
dscl localhost -merge Search CSPSearchPath /LDAPv3/"${LDAPdomain}"
echo "Killing opendirectoryd"
killall opendirectoryd
fi
if [[ ${osvers} -lt 7 ]]; then
echo "Adding new LDAP binding"
dscl localhost -merge Search CSPSearchPath /LDAPv3/"${LDAPdomain}"
echo "Killing DirectoryService"
killall DirectoryService
fi
echo -n "Now bound to OD Domain: "
dscl localhost -list /LDAPv3
echo -n "With Search Path entries: "
dscl /Search -read / CSPSearchPath | grep /LDAP
fi
exit 0 ## Success

view raw

gistfile1.txt

hosted with ❤ by GitHub

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: