
Configure LDAP through command line (NOT Directory Utility) on Ventura and Monterey

2 votes
0 answers
753 views
I can configure Directory Utility to make Mac machines (Monterey and above) authenticate users through my OpenLDAP (Ubuntu-based) server, and everything works perfectly fine. But I need to do it through the terminal because I have to automate the process and hold the machines in the desired state via Puppet. I have three files named Contacts.plist, Search.plist and ldapserver.company.com.plist, and I want to place them (via Puppet) in the following paths respectively:
/Library/Preferences/OpenDirectory/Configurations/Contacts.plist
/Library/Preferences/OpenDirectory/Configurations/Search.plist
/Library/Preferences/OpenDirectory/Configurations/LDAPv3/ldapserver.company.com.plist
I am not allowed to do this even as root, although it used to work before the new Apple filesystem layout (some read-only issue). But now I cannot put these files in there unless I boot up in recovery mode (to get rid of the read-only issue). I do not want to put the system in such a state at all. Apparently there is no way to create/replace such files in those paths, and I have to configure it through some command-line tools (maybe like dsconfigldap or dscl). What I have done so far is run the following command (found here):
dsconfigldap -fa ldapserver.company.com -n "My Company LDAP Server" -N
This creates ldapserver.company.com.plist in a binary format. I converted the file to an XML format and the content is shown below:
description
        ldapserver.company.com
        module options
        
                AppleODClient
                
                        Server Mappings
                        
                
                ldap
                
                        Denied SASL Methods
                        
                                DIGEST-MD5
                        
                        LDAP Referrals
                        
                        Use DNS replicas
                        
                
        
        node name
        /LDAPv3/ldapserver.company.com
        options
        
                connection idle disconnect
                60
                connection setup timeout
                10
                destination
                
                        host
                        ldapserver.company.com
                        other
                        ldap
                        port
                        389
                
                man-in-the-middle
                
                no cleartext authentication
                
                packet encryption
                0
                packet signing
                0
                query timeout
                30
        
        template
        Open Directory Server
This configuration is all default and not what I want (there is no mapping, the port used is 389 but I need 636, etc.). My desired config file is the following:
description
        ldapserver.company.com
                mappings
        
                attributes
                
                        objectClass
                
                function
                ldap:translate_recordtype
                recordtypes
                
                      dsRecTypeStandard:Automount
                        
                                info
                                
                                        Group Object Classes
                                        OR
                                        Object Classes
                                        
                                                automount
                                        
                                        Search Base
                                        ou=automount,dc=company,dc=com
                                
                        
                        dsRecTypeStandard:Users
                        
                                attributetypes
                                
                                        dsAttrTypeStandard:NFSHomeDirectory
                                        
                                                native
                                                homeDirectory
                                        
                                
                                
                                        Group Object Classes
                                        OR
                                        Object Classes
                                        
                                                posixAccount
                                                inetOrgPerson
                                                shadowAccount
                                        
                                        Search Base
                                        ou=current,dc=company,dc=com
                                
                        
                
                template
                LDAPv3
        
        module options
        
                AppleODClient
                
                        Server Mappings
                        
                
                ldap
                
                        Denied SASL Methods
                        
                                DIGEST-MD5
                                NTLM
                                GSSAPI
                                CRAM-MD5
                        
                        LDAP Referrals
                        
                        Use DNS replicas
                        
                
        
        node name
        /LDAPv3/ldapserver.company.com
        options
        
                connection idle disconnect
                60
                connection setup timeout
                10
                destination
                
                        host
                        ldapserver.company.com
                        other
                        ldaps
                        port
                        636
                
                man-in-the-middle
                
                no cleartext authentication
                
                packet encryption
                3
                packet signing
                1
                query timeout
                30
        
        template
        LDAPv3
        trusttype
        anonymous
        uuid
        blah-blah-blah-blah-blah
I do not know how to use command-line tools to tweak that default file and write what I want. I do not want any sort of GUI alternative (like Apple Configurator or Blueprint, etc.). All I want is a way to configure those three files (mentioned above) only through the command line. Please be aware that the desired config file might have some syntax errors because I did not copy the whole file as it was too long; I just copied a portion of it manually, which is prone to syntax errors. But I hope I have communicated what I intended to do. I'm open to any other approaches as long as it can be done through the command line. Any idea?
Asked by Roozbeh (41 rep)
Dec 20, 2022, 04:28 PM
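Whatever tool ends up writing the node plist, a configuration-management run should verify that the result actually matches the desired state shown in the question (ldaps on 636, packet encryption 3, packet signing 1, the weak SASL methods denied). The following is an added example, not code from the question or from Apple; it reads the plist with Python's standard plistlib (binary or XML, so no plutil conversion is needed) and reports deviations, and a second function produces the corrected dictionary. The sample plist is constructed from the default dump above; its key names are taken from that dump, while the boolean values (and the assumption that "no cleartext authentication" should be true) are not stated on the page and are assumptions here.

```python
import plistlib

# Constructed sample modelled on the default ldapserver.company.com.plist shown in the
# question (key names come from that dump; the boolean values are assumptions).
DEFAULT_PLIST = plistlib.dumps({
    "description": "ldapserver.company.com",
    "module options": {"AppleODClient": {"Server Mappings": False},
                       "ldap": {"Denied SASL Methods": ["DIGEST-MD5"],
                                "LDAP Referrals": False, "Use DNS replicas": False}},
    "node name": "/LDAPv3/ldapserver.company.com",
    "options": {"connection idle disconnect": 60, "connection setup timeout": 10,
                "destination": {"host": "ldapserver.company.com", "other": "ldap", "port": 389},
                "man-in-the-middle": False, "no cleartext authentication": False,
                "packet encryption": 0, "packet signing": 0, "query timeout": 30},
    "template": "Open Directory Server",
}, fmt=plistlib.FMT_BINARY)

# Target values from the desired configuration in the question; the boolean for
# "no cleartext authentication" is an assumption (its value is not visible in the dump).
WANT_SASL_DENIED = {"DIGEST-MD5", "NTLM", "GSSAPI", "CRAM-MD5"}
WANT_OPTIONS = {"packet encryption": 3, "packet signing": 1, "no cleartext authentication": True}

def audit_ldap_config(raw: bytes) -> list:
    """Return the deviations of an LDAPv3 node plist (binary or XML) from the desired state."""
    cfg = plistlib.loads(raw)  # plistlib auto-detects binary vs XML plists
    opts = cfg.get("options", {})
    dest = opts.get("destination", {})
    findings = []
    if (dest.get("other"), dest.get("port")) != ("ldaps", 636):
        findings.append(f"transport is {dest.get('other')}:{dest.get('port')}, want ldaps:636")
    for key, want in WANT_OPTIONS.items():
        if opts.get(key) != want:
            findings.append(f"{key} is {opts.get(key)!r}, want {want!r}")
    denied = set(cfg.get("module options", {}).get("ldap", {}).get("Denied SASL Methods", []))
    if WANT_SASL_DENIED - denied:
        findings.append("SASL methods not denied: " + ", ".join(sorted(WANT_SASL_DENIED - denied)))
    return findings

def harden_ldap_config(raw: bytes) -> bytes:
    """Return an XML plist with transport, signing/encryption and SASL settings corrected."""
    cfg = plistlib.loads(raw)
    cfg["options"]["destination"].update({"other": "ldaps", "port": 636})
    cfg["options"].update(WANT_OPTIONS)
    cfg["module options"].setdefault("ldap", {})["Denied SASL Methods"] = sorted(WANT_SASL_DENIED)
    return plistlib.dumps(cfg)  # XML, the same form 'plutil -convert xml1' produces

if __name__ == "__main__":
    for finding in audit_ldap_config(DEFAULT_PLIST):
        print("MISMATCH:", finding)
```

Running the audit against the default plist reports five mismatches; running it against the output of harden_ldap_config reports none.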