  1. #1

    Join Date
    May 2006
    Location
    West Bromwich
    Posts
    2,192
    Thank Post
    300
    Thanked 215 Times in 185 Posts
    Rep Power
    57

    dsconfigldap and ARD

    dsconfigldap apparently has a problem where the -c switch is required as opposed to being optional as stated in the man page.

    This leaves me with a bit of a problem as I was trying to use it via ARD.

    How can I get around this without visiting all the clients manually?

    Is there a way I can populate a variable with the computerid and use it in the dsconfigldap command through ARD?

    Thanks for any help.

  2. #2

    Join Date
    May 2006
    Location
    West Bromwich
    Posts
    2,192
    Thank Post
    300
    Thanked 215 Times in 185 Posts
    Rep Power
    57

    Re: dsconfigldap and ARD

    How does anyone else bind to the AD and OD after the re-image process?

  3. #3
    Rozzer's Avatar
    Join Date
    Aug 2005
    Location
    South West
    Posts
    720
    Thank Post
    21
    Thanked 81 Times in 61 Posts
    Rep Power
    33

    Re: dsconfigldap and ARD

    I have used a script before by sending it over ARD.

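    # Values in capitals are placeholders for your own servers and accounts.
    # Note: -p passes each password as a command-line argument, so it is
    # visible in the process list while the command runs.

    # Read this Mac's computer name into a variable
    computerid=`scutil --get ComputerName`

    # Bind to Open Directory (variable quoted in case the name contains spaces)
    dsconfigldap -v -f -a OD_SERVER -n OD_SERVER -c "$computerid" -u ADMIN_USERNAME -p 'ADMIN_PASSWORD'
    sleep 10
    # Bind to Active Directory
    dsconfigad -f -a "$computerid" -domain AD_DOMAIN -u OU_ADMIN -p 'OU_ADMIN_PASSWORD' -ou "CN=Computers,OU=Engineering,DC=ads,DC=demo,DC=com"
    sleep 20

    # Custom search path for authentication
    dscl /Search -create / SearchPolicy CSPSearchPath
    dscl /Search -append / CSPSearchPath /LDAPv3/OD_SERVER
    dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"

    sleep 10
    # Same search path for contacts
    dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
    dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/OD_SERVER
    dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"

    # You will notice that in our environment, we have listed our OD server first, then AD. Depending upon your
    # environment, you may need to reverse the order.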


    Works most of the time; can be a little flaky. Make sure you run it as root from ARD.
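
Added example (not part of the original post): the script above hands whatever `scutil --get ComputerName` returns straight to `-c`, so the following normalises the name first and refuses to continue when nothing usable is left. The `make_computer_id` helper, the lower-casing and the 15-character cut (the NetBIOS name limit, relevant if the same ID is reused for the AD bind) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Derives a directory-safe computer ID
# from the Mac's ComputerName before it is handed to dsconfigldap -c.
LC_ALL=C; export LC_ALL

# make_computer_id NAME
# Lower-cases NAME, maps every byte outside [a-z0-9-] to '-', collapses
# runs of '-', trims one from each end and cuts the result to 15
# characters (assumed limit, see above).
make_computer_id() {
    printf '%s\n' "$1" \
        | tr '[:upper:]' '[:lower:]' \
        | sed -e 's/[^a-z0-9-]/-/g' -e 's/--*/-/g' -e 's/^-//' \
        | cut -c1-15 \
        | sed -e 's/-$//'
}

# Only on a Mac (scutil present): show the ID that would be passed to -c.
# Quoting "$computerid" keeps it a single argument whatever it contains.
if command -v scutil >/dev/null 2>&1; then
    computerid=$(make_computer_id "$(scutil --get ComputerName)")
    if [ -z "$computerid" ]; then
        echo "ComputerName yields no usable ID; not binding" >&2
        exit 1
    fi
    echo "would run: dsconfigldap -v -f -a OD_SERVER -n OD_SERVER -c \"$computerid\" ..."
fi
```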

  4. #4

    Join Date
    May 2006
    Location
    West Bromwich
    Posts
    2,192
    Thank Post
    300
    Thanked 215 Times in 185 Posts
    Rep Power
    57

    Re: dsconfigldap and ARD

    How does this work?

    Is the $ set by the computerid = 'scutil'?

    Is this the case when creating any .sh file when setting and using variables? I would like to get better at writing scripts. Any good sites you know of to get learning?

  5. #5
    manxdan's Avatar
    Join Date
    May 2007
    Location
    Isle of Man
    Posts
    43
    Thank Post
    5
    Thanked 3 Times in 3 Posts
    Rep Power
    16

    Re: dsconfigldap and ARD

    Neatly avoided the issue here by not binding the clients.
    I don't know if bind is necessary with AD, but we don't lose any of the functionality of OD by not binding. Benefits include:
    Using netrestore with Bombich's post-restore scripting means imaging is literally command N and walk away.
    Teacher laptops (and they all have 'em) acquire all internet, printing and file sharing services as soon as they enter almost any School on the Island.
    IMHO
    BIND just introduces an unnecessary two-way server/client authentication, who needs it?

  6. #6

    Join Date
    May 2006
    Location
    West Bromwich
    Posts
    2,192
    Thank Post
    300
    Thanked 215 Times in 185 Posts
    Rep Power
    57

    Re: dsconfigldap and ARD

    I used to bind to just the AD and manually create the OD authentication configuration and leave them unbound but have since moved away from that to trial other methods.

    I have moved to an OD only bind-required setup. The OD has the same kerberos realm as the AD and so far no problems.

    It even seems to authenticate across the AD with the users name and password (they are in both AD and OD as the same anyway) using kerberos.

    I moved away from AD as it seemed unreliable when pulling down the managed prefs for the computers. Some machines didn't pick them up.

    After binding to the OD I have found that this no longer happens.

    What post-restore script have you used?

    I tried to get the XP installation post-restore script to work but couldn't.

    I think I put it in the right place.

  7. #7
    manxdan's Avatar
    Join Date
    May 2007
    Location
    Isle of Man
    Posts
    43
    Thank Post
    5
    Thanked 3 Times in 3 Posts
    Rep Power
    16

    Re: dsconfigldap and ARD

    set-names: just saves the hassle of re-naming the computers. The names are looked up in the "machine_specific_data.csv" file which holds names and other info against HW addresses. You do have to maintain this file of course. The file needs to be just so (I find that I have to run it through BBEdit and save it as a generic OSX file with UNIX line endings) or all the clients pick up the first name in the list.
    And set-ARD-data:
    allows you to populate the four info fields in ARD.
    I generally use: serial number, WGM computer list, MAC address, and model.
    Not essential, but is helpful in ARD.

  8. #8

    Join Date
    May 2006
    Location
    West Bromwich
    Posts
    2,192
    Thank Post
    300
    Thanked 215 Times in 185 Posts
    Rep Power
    57

    Re: dsconfigldap and ARD

    Have you tried setting up the direct connection to the ARD database which then allows the net-restore to pull the name direct from the ARD database?

    I tried setting this up and followed the relatively simple guidelines only to get an error on the PostgreSQL connection to the ARD db. If I used the MySQL db connection instead all seemed to be OK.

    I would like to get this working. If you have managed to set this up previously I would be interested to know how you overcame this error, that is indeed if you encountered it.

    How do you populate the ARD info fields with serial number and such things?

    You can also get this directly in ARD in the column fields and also reports as well. I must admit the ARD tool is really pretty neat.

  9. #9
    manxdan's Avatar
    Join Date
    May 2007
    Location
    Isle of Man
    Posts
    43
    Thank Post
    5
    Thanked 3 Times in 3 Posts
    Rep Power
    16

    Re: dsconfigldap and ARD

    No, I haven't played with the ARD server yet, although the user and application use tracking could be very useful.
    I do this by using slightly modified copies of the script examples that come with netrestore <Netrestore/Resources/Example Scripts/Post-Actions>.
    In the set-ARD-data script, the instances of "'{ print $5 }" etc. refer to the columns in your machine_specific_data.csv file so you can put what you like in them. Though for the serial number I use the script in the example that reads the number straight off the machine.
    BTW if the script fails to find a record with the machine's MAC address, it names the machine with its MAC address which makes any that fall through the net dead easy to find. Good init?
    Also, machines which have had replacement motherboards apparently have no serial number!
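
Added example (not NetRestore's own script and not from the posts above): a lookup of the kind described in posts #7 and #9, which normalises line endings before matching and falls back to the MAC address when no row matches. The column layout (MAC address first, name second), the `lookup_name` function and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed layout of machine_specific_data.csv:
# column 1 = MAC address, column 2 = computer name, further columns free.

# lookup_name CSV MAC
# Prints the name recorded for MAC (case-insensitive match), or the
# lower-cased MAC itself when no row matches, so unlisted machines
# stand out after imaging.
lookup_name() {
    # CR -> LF lets CRLF and CR-only files parse as one record per
    # line; the blank lines this can create are skipped by the NF test.
    tr '\r' '\n' < "$1" | awk -F, -v mac="$2" '
        BEGIN { mac = tolower(mac) }
        NF && tolower($1) == mac { print $2; found = 1; exit }
        END { if (!found) print mac }'
}

# Constructed sample saved with CR-only line endings, the kind of file
# that a line-by-line match would treat as a single record.
sample=$(mktemp)
printf '00:16:cb:aa:bb:01,lab-01,suite-a\r00:16:cb:aa:bb:02,lab-02,suite-a\r' > "$sample"

lookup_name "$sample" "00:16:CB:AA:BB:02"   # matches the second row
lookup_name "$sample" "00:16:cb:ff:ff:ff"   # no row: prints the MAC
rm -f "$sample"
```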

  10. #10

    Join Date
    May 2006
    Location
    West Bromwich
    Posts
    2,192
    Thank Post
    300
    Thanked 215 Times in 185 Posts
    Rep Power
    57

    Re: dsconfigldap and ARD

    Mmm, that serial number thing is interesting. How do you audit your hardware then? I mean would still be eligible to use the old serial number?

    One of ARD's key features is its ability to audit hardware. You could add internal asset numbers to the csv file as well I suppose for the ARD info boxes.

    As you can probably tell I haven't had the chance to really play with Net-restore at all.

    I have to create a master image (if any changes made since last one) and re-image entire ICT suite and laptops (40 in total) in one afternoon which incidentally is a dual boot environment.

    Having the ability to completely deploy both of these unattended would be a godsend.

  11. #11
    manxdan's Avatar
    Join Date
    May 2007
    Location
    Isle of Man
    Posts
    43
    Thank Post
    5
    Thanked 3 Times in 3 Posts
    Rep Power
    16

    Re: dsconfigldap and ARD

    I guess so, I just take the serial from the casing or inside the battery compartment and use that.
    Are you net-booting PPC and Intel machines? I haven't had any joy yet creating a universal netboot. I have the necessary kit etc. but it resolutely refuses to boot either one or the other so I'm reduced to tinkering with Server Admin to switch between PPC or Intel netboots.
    Netrestoring 40 machines in a day is do-able, I tend to set them off 10 at a time, or set off a whole suite of 30 or more overnight.
    The chaps at our LEA who have on occasion had hundreds of laptops to do managed to get the multicast netrestore running to great effect.

  12. #12

    Join Date
    May 2006
    Location
    West Bromwich
    Posts
    2,192
    Thank Post
    300
    Thanked 215 Times in 185 Posts
    Rep Power
    57

    Re: dsconfigldap and ARD

    See, this is the problem I have: I cannot start them and leave them since I have to start the XP partition going after the Mac side has finished. If they take longer than expected it throws me out time-wise. I have been looking into multicasting and will probably look into it more soon.

    I only work term-time and only have the Friday afternoon between 12-4pm for maintenance. I have to start the re-image process on last Friday afternoon of the term. Give me 4 hours to re-image 40 machines twice and then re-join both images to each domain and rename them beforehand.
    To make it worse some of the Macs are running on 10-100mb (1gb hardware connected to 100mb switch) and so seems to slow down the whole process. These can take up to an hour to re-image, whereas the 1gb switch machines take around 15-20 minutes. connections.

    Nightmare.

    Leopard is your friend when creating universal images. Universal images can be deployed apparently from Tiger server once created in Leopard.

    http://forums.bombich.com/viewtopic.php?t=11060

  13. #13
    manxdan's Avatar
    Join Date
    May 2007
    Location
    Isle of Man
    Posts
    43
    Thank Post
    5
    Thanked 3 Times in 3 Posts
    Rep Power
    16

    Re: dsconfigldap and ARD

    Multicast is a good deal quicker.

    I can only sympathise, I am indeed fortunate that I am not obliged to use AD and that my superiors have not felt it necessary to expose our students to the misery of XP.

    Slower processors hold up the process also, I still have some 600MHz kit which takes three times longer to restore than the new whizzy Intel machines.

    Yaay for Leopard.
    It'll be a few months before we roll out large scale, I'd have been happy with a universal netboot... for now.

  14. #14

    Join Date
    May 2006
    Location
    West Bromwich
    Posts
    2,192
    Thank Post
    300
    Thanked 215 Times in 185 Posts
    Rep Power
    57

    Re: dsconfigldap and ARD

    So how do you run your accounts?

    I have just moved over to networked accounts and am currently off ill. But my missus works in the same place and apparently staff are moaning that the log in process is now getting slower.

    I obviously cannot confirm yet but am interested in finding out.

    If it does turn out to be the case, what would you suggest? I have started looking into a clear caches script for log out.

  15. #15
    manxdan's Avatar
    Join Date
    May 2007
    Location
    Isle of Man
    Posts
    43
    Thank Post
    5
    Thanked 3 Times in 3 Posts
    Rep Power
    16

    Re: dsconfigldap and ARD

    Just the out of the box Mac stuff: XServe, OSX Server, Workgroup Manager, etc.

    The login process is fairly intensive network wise, but I only really find it an issue when logging in a class on wireless laptops. Apple base stations don't load share (neither do most others I think) and this can be painfully slow.
    In the Primary schools here they've moved to mobile accounts to speed things up, but mobile accounts don't help much with our users as they can end up synch'ing Gbs of stuff.
    Works well with one to one scheme though (kids taking MacBooks home).
