
One of my Mac boot scripts needs to grab a property from AD that is not one of the ones I can see with the built-in tool called dscl, which is pretty much limited to Users, Groups, and Computer searches. Normally I would just do a raw LDAP query, but I need this to happen before there is a user logged in to provide credentials. The built-in dscl obviously can get data out of AD without a user authenticating, so I assume there must be a way to do so in the computer account context or something. Unfortunately my googlefu has completely failed me so far.

1 Answer

I guess I'll answer my own question. For my needs it was in Perl, but it should be pretty obvious how to do the same in a straight shell script. I just needed to grab the machine credentials out of the ActiveDirectory.plist:

use strict;
use warnings;
use Net::LDAP;

sub get_LDAPEntries
{
    my ($LDAPServer, $LDAPPort, $LDAPsearchbase, $LDAPfilter) = @_;

    # Machine account credentials stored by the AD plugin when the Mac was bound
    my $kerbID = `/usr/libexec/PlistBuddy /Library/Preferences/DirectoryService/ActiveDirectory.plist -c "print :'AD Computer Kerberos ID'"`;
    chomp $kerbID;

    my $password = `/usr/libexec/PlistBuddy /Library/Preferences/DirectoryService/ActiveDirectory.plist -c "print :'AD Computer Password'"`;
    chomp $password;

    # new() returns undef on a connection failure, with the reason in $@
    my $LDAPSession = Net::LDAP->new($LDAPServer, port => $LDAPPort)
        or die("Could not connect to LDAP server: $@");

    # bind() returns a Net::LDAP::Message object, which is always true;
    # a failed bind has to be detected through code(), not a false return value
    my $bindResult = $LDAPSession->bind($kerbID, password => $password);
    $bindResult->code && die "Could not bind as $kerbID: " . $bindResult->error;

    my $results = $LDAPSession->search(base => $LDAPsearchbase, filter => $LDAPfilter);

    $results->code && die "There was an error in the LDAP search: " . $results->error;
    $LDAPSession->unbind;

    my @LDAPEntries = $results->entries;

    return @LDAPEntries;
}

Update: This only works on Snow Leopard (10.6). Lion (10.7) stores the AD password in the keychain and you will need to use the "security" command line utility to get to it... which is frankly kind of a pain due to the password being output to stderr while the rest of the query is sent to stdout. I am going to decree Lion support as out of scope :-P
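A shell version of the same approach, added here as an example and not taken from the answer above: it reads the same two plist keys and binds with ldapsearch, but passes the machine password through a 0600 temporary file (`-y`) rather than on the command line, where every local user could read it from `ps`. Assumed: OpenLDAP's ldapsearch with its `-H`, `-D`, `-y` and `-b` options, PlistBuddy at the path the answer uses, and the helper names `ad_plist_value`, `write_passfile`, `file_mode` and `ad_search`, which are chosen here.

```shell
#!/bin/sh
# Nothing runs at load time; call ad_search yourself, e.g.
#   ad_search dc1.example.com 389 'DC=example,DC=com' '(cn=somehost)' description
set -eu

# Same plist the Snow Leopard answer reads (assumed path, from the answer)
AD_PLIST=/Library/Preferences/DirectoryService/ActiveDirectory.plist

# Print one key from the AD plist via PlistBuddy
ad_plist_value() {
    /usr/libexec/PlistBuddy "$AD_PLIST" -c "print :'$1'"
}

# Store a secret in a freshly created 0600 temp file and print its path.
# The umask runs in the command-substitution subshell, so it does not leak
# into the caller's environment.
write_passfile() {
    _pf=$(umask 077 && mktemp "${TMPDIR:-/tmp}/adpw.XXXXXX")
    printf '%s' "$1" > "$_pf"
    echo "$_pf"
}

# Report a file's type and permission bits as the first ls -l column
# (e.g. "-rw-------"), used to verify the password file is private.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# ad_search <server> <port> <searchbase> <filter> [attribute ...]
# Simple bind as the machine account (the answer's bind is also a simple
# bind over plain LDAP), then run the search and print matching entries.
ad_search() {
    _server=$1; _port=$2; _base=$3; _filter=$4; shift 4
    _bind=$(ad_plist_value 'AD Computer Kerberos ID')
    _pass=$(ad_plist_value 'AD Computer Password')
    _pf=$(write_passfile "$_pass")
    # Remove the password file however the function exits
    trap 'rm -f "$_pf"' EXIT INT TERM
    ldapsearch -LLL -x -H "ldap://$_server:$_port" \
        -D "$_bind" -y "$_pf" -b "$_base" "$_filter" "$@"
}
```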