1

In the school division I work for, we have an Open Directory Master in each of a dozen schools. There are settings I'd like to manage in multiple directories for multiple work or computer groups.

The brain-dead way to do this is to bring up each directory in turn (with Workgroup Manager), select all the groups I want to manage, and tweak all the preferences, and repeat for each server, hoping that I do it right and get identical results.

Is there a better way?

I thought there was some sort of way to copy and paste settings from Workgroup Manager. I know there is some sort of command that can be issued to export and import settings. It really seems like there ought to be a tool that does this. (Granted, Workgroup Manager would work more nicely if we were using a single master and multiple replicas, but we aren't going to try that again any time soon.)

Clinton Blackmore

2 Answers

2

Well, I'll start answering my own question.

To get a listing of which nodes have managed preferences on a remote Open Directory Master, you can do something like this:

dscl -u DIRADMINUSER -p -url HOST \
     list /LDAPv3/127.0.0.1/TYPE MCXSettings \
     | cut -d " " -f 1

Substitute in correct values for words in all caps. HOST is an IP or DNS name of your Open Directory Master. The -url setting exports the values in URL encoding, which, handily enough, means that they all stay on one line and we can apply the cut command. Note that if you want to specify the password on the command line instead of being securely prompted for it, replace -p with -P 'PASSWORD'.

For the TYPE, you most likely want to use:

  • Groups (for a workgroup/group of users)
  • ComputerGroups
  • Computers
  • Users

Let's say we have a user group (TYPE=Groups) called Grade5 (ITEMNAME=Grade5). To copy the data remotely, we could substitute into this command:

dscl -u DIRADMINUSER -p HOST \
    mcxexport /LDAPv3/127.0.0.1/TYPE/ITEMNAME \
    -format plist \
    -o EXPORTFILE.plist

Now, you cannot (easily) import the file remotely due to Radar 4122565. So, copy the EXPORTFILE.plist to the Open Directory Master where you want to duplicate settings, and, on that box, import it as follows:

dscl -u DIRADMINUSER -p \
    /LDAPv3/127.0.0.1 mcximport /TYPE/NEWITEMNAME \
    EXPORTFILE.plist

Note that several "application domains" (think preference files) can be managed. To see which ones are, use:

dscl -u DIRADMINUSER -p HOST \
    mcxread /LDAPv3/127.0.0.1/TYPE/ITEMNAME \
    -format text \
    | grep "App domain" | uniq | cut -d " " -f3-

You can then export just one application domain, or even an application domain and a specific key.

dscl -u DIRADMINUSER -p HOST \
    mcxexport /LDAPv3/127.0.0.1/TYPE/ITEMNAME \
    -format plist \
    -o EXPORTFILE.plist APP_DOMAIN KEYNAME

I might use "com.apple.dock" for the APP_DOMAIN and omit the KEYNAME if I wanted all the settings for the dock, and I might use an APP_DOMAIN of com.apple.mcxprinting with a KEYNAME of PrintFooter if I wanted just the print footer setting for printing.

After exporting the setting, you can import it as usual. (I haven't tested yet to see if it overwrites things or not.)

Lastly, note that it is possible to use mcxread and mcxset instead of mcxexport and mcximport.

Clinton Blackmore
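A way to check that two servers really ended up with identical settings after the export and import described above, as an added example that is not part of the original answer: it compares two exported plist files leaf by leaf. The sample data is constructed, its layout (application domain, then a management level such as Forced, then mcx_preference_settings) is an assumption about what the export contains, and the function names are hypothetical.

```python
import plistlib

# Constructed sample standing in for EXPORTFILE.plist from one server (not real
# data). The layout (application domain -> management level -> settings) is an
# assumption; the comparison below walks any plist structure.
EXPORT_A = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>com.apple.dock</key><dict><key>Forced</key><array><dict>
  <key>mcx_preference_settings</key><dict>
   <key>autohide</key><true/><key>tilesize</key><integer>48</integer>
  </dict></dict></array></dict>
 <key>com.apple.mcxprinting</key><dict><key>Forced</key><array><dict>
  <key>mcx_preference_settings</key><dict><key>PrintFooter</key><true/></dict>
 </dict></array></dict>
</dict></plist>"""

# Constructed second server: one value drifted and one domain never imported.
_b = plistlib.loads(EXPORT_A)
_b["com.apple.dock"]["Forced"][0]["mcx_preference_settings"]["tilesize"] = 64
del _b["com.apple.mcxprinting"]
EXPORT_B = plistlib.dumps(_b)


def flatten(node, path=()):
    """Yield (path, value) for every leaf; empty containers count as leaves."""
    if isinstance(node, dict) and node:
        for key in sorted(node):
            yield from flatten(node[key], path + (key,))
    elif isinstance(node, list) and node:
        for index, item in enumerate(node):
            yield from flatten(item, path + (f"[{index}]",))
    else:
        yield path, node


def diff_exports(a_bytes, b_bytes):
    """Return human-readable differences between two exported plists."""
    a = dict(flatten(plistlib.loads(a_bytes)))
    b = dict(flatten(plistlib.loads(b_bytes)))
    report = []
    for path in sorted(a.keys() | b.keys()):
        name = "/".join(path)
        if path not in b:
            report.append(f"only in A: {name} = {a[path]!r}")
        elif path not in a:
            report.append(f"only in B: {name} = {b[path]!r}")
        # Compare types too: plist <true/> and <integer>1</integer> are == in Python.
        elif type(a[path]) is not type(b[path]) or a[path] != b[path]:
            report.append(f"differs: {name}: A={a[path]!r} B={b[path]!r}")
    return report


if __name__ == "__main__":
    print("\n".join(diff_exports(EXPORT_A, EXPORT_B)) or "exports match")
```

To compare real exports, read each file in binary mode and pass the two byte strings to diff_exports.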
0

You can export and import JUST the workgroups (based on your purposes) via the menu bar -> Server -> Export (or Import). I definitely bow respectfully to the shell scripting in your follow-up post, but it might be more high end than you're comfortable using.

Also, you can have remote-building servers simply "Connect To" an Open Directory Master instead of making them Replicas. You get most of the same advantages. I've personally run both Connected and Replica servers for years. I've even done both of those over heavily utilized T-1 connections. (In fact, there are only two reasons to use a Replica instead of a Connected setting. One is for performance when in a remote, latency-heavy site. The other is for redundancy -- the master can go down and users can still log in.)

Maybe that would give you your ideal solution? What kinds of problems did you have with Replicas? Maybe I could help, if you're interested.

Data Scavenger