Resource Type: dsconfigad
Defined in:
- lib/puppet/type/dsconfigad.rb
Providers:
- default
Overview
Manage OS X Active Directory binding and configuration options.
A custom Puppet type for scripted binding and AD plugin configuration for OS X using the `dsconfigad` utility.
Most of the accepted parameters map directly to supported options in `dsconfigad`, and their descriptions are lifted directly from the man page.
Example:

dsconfigad { 'some.domain':
  ensure        => 'present',
  computer      => 'some_machine',
  username      => 'some_user',
  password      => 'a_password',
  ou            => 'CN=Computers',
  fqdn          => 'some.domain',
  mobile        => 'disable',
  mobileconfirm => 'disable',
  localhome     => 'disable',
  useuncpath    => 'enable',
  protocol      => 'afp',
  shell         => '/bin/false',
  groups        => ['SOME_DOMAIN\some_group','SOME_DOMAIN\another_group'],
  passinterval  => '0',
}

The attribute names follow the parameter list below (computer, fqdn); because fqdn is the namevar, the title already supplies it and the explicit fqdn line may be omitted. Note that this example hard-codes the bind password in the manifest and sets passinterval to 0, which disables rotation of the computer trust-account password; see the password and passinterval entries below.
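A hardened variant of the binding above, added here as an illustration rather than taken from the page or the module's own code. It keeps the same user-experience settings but requires LDAP packet signing and encryption (the packetsign and packetencrypt properties), keeps trust-password rotation on, refuses to take over an existing computer account, and limits local admin rights to one group. It assumes Puppet 4.6 or later (so a Sensitive value is unwrapped for the type and redacted from logs and reports), a Hiera key `ad::join_password`, and the documented parameter names `computer` and `fqdn`; the domain, OU, account and group names are placeholders.

```puppet
# Added example, not the module's own code. Assumes Puppet >= 4.6 for Sensitive
# and a Hiera key 'ad::join_password' holding the join account's password
# (both assumptions made for this example).
$join_password = Sensitive(lookup('ad::join_password'))

dsconfigad { 'ads.example.com':
  ensure        => 'present',
  computer      => $facts['networking']['hostname'],
  # A delegated account that can only create/delete computer objects in the
  # OU below, rather than a Domain Admin.
  username      => 'svc_macjoin',
  password      => $join_password,
  ou            => 'OU=Macs,OU=Workstations,DC=ads,DC=example,DC=com',
  # force defaults to enable, which joins (takes over) a computer account that
  # already exists under this name; disable it so a name collision fails the run.
  force         => 'disable',
  mobile        => 'disable',
  mobileconfirm => 'disable',
  localhome     => 'disable',
  useuncpath    => 'enable',
  protocol      => 'smb',
  shell         => '/bin/false',
  # Require LDAP packet signing and encryption instead of the default 'allow',
  # so directory traffic cannot be read or tampered with on the network.
  packetsign    => 'require',
  packetencrypt => 'require',
  # Rotate the computer trust-account password every 14 days; '0' disables rotation.
  passinterval  => '14',
  # Only a dedicated AD group gets local administrator rights on this Mac.
  groups        => ['ADS\Mac Admins'],
  # Authenticate only against the named domain, not every domain in the forest.
  alldomains    => 'disable',
}
```

Even with a Sensitive value, the provider still has to hand the password to `dsconfigad`; if it does so as a command-line argument, the password is visible in the process list for the duration of the join, so use a dedicated join account whose password is rotated after enrollment rather than a shared administrative credential.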
Properties

- alldomains
This flag determines whether the plugin allows authentication from any domain in the forest. When this is enabled, individual domains will not be visible, only “All Domains”. If it is disabled, you will have the ability to select the specific domains that can authenticate to this computer. Enabled by default.
Supported values:
- enable
- disable

- authority
Enable or disable generation of Kerberos authority. This option is not described in the man page.
Supported values:
- enable
- disable

- ensure
(defaults to: present)
The basic property that the resource should be in.
Supported values:
- present
- absent

- ggid
This specifies the attribute to be used for the GID of the group. By default, a group GID is generated from the Active Directory GUID of the group.

- gid
This specifies the attribute to be used for the GID of the user. By default, a GID is derived from the primaryGroupID of the user (typically Domain Users).

- groups
Use the listed groups to determine who has local administrative privileges on this computer. Every member of every listed group becomes a local administrator, so keep the list to dedicated administrative groups.

- localhome
This flag determines whether the plugin forces all home directories to be local to the computer (i.e. /Users/username).
Supported values:
- enable
- disable

- mobile
This flag determines whether the plugin will enable mobile account support for offline logon.
Supported values:
- enable
- disable

- mobileconfirm
This flag determines whether the plugin will warn the user when a mobile account is going to be created.
Supported values:
- enable
- disable

- namespace
Sets the primary account username naming convention. By default it is set to “domain” naming, which assumes no conflicting user accounts across all domains. If your Active Directory forest has conflicts, setting this to “forest” will prefix all usernames with “DOMAIN\” to ensure unique naming between domains (e.g., “ADDOMAIN\user1”). Warning: this will change the primary name of the user for all logins. Changing this setting on an existing system will cause any existing homes to be unused on the local machine.
Supported values:
- forest
- domain

- packetencrypt
By default packet encryption is allowed but not required, but it can be required or disabled (for example if debugging a problem). Requiring it ensures that the data to/from the server is encrypted and signed, guaranteeing the content was not tampered with and cannot be seen by other computers on the network.
Supported values:
- disable
- allow
- require

- packetsign
By default packet signing is allowed but not required, but it can be required or disabled (for example if debugging a problem). Requiring it ensures that the data to/from the server is not tampered with by another computer before it is received.
Supported values:
- disable
- allow
- require

- passinterval
Set how often (in days) the computer trust account password should be changed (default 14 days). A value of 0 disables rotation of the trust account password.
Supported values:
- /^\d+$/

- preferred
Use the specified server for all Directory lookups and authentications. If the server is no longer available, it will fail over to other servers.

- protocol
This flag determines how a home directory is mounted on the desktop. By default SMB is used, but AFP can be used with Mac OS X Server or third-party AFP solutions on Windows servers.
Supported values:
- smb
- afp

- restrictddns
Restricts Dynamic DNS updates to specific interfaces (e.g., en0, en1, en2, etc.). To disable restrictions pass “” as the list.

- sharepoint
Enable or disable mounting of the network home as a sharepoint.
Supported values:
- enable
- disable

- shell
Use the specified shell (e.g., “/bin/bash”) if a shell attribute does not exist in the directory for the user logging into this computer. Use a shell value of “none” to disable use of a default shell, preserving values that are only specified in the directory.

- uid
This specifies the attribute to be used for the UID of the user. By default, a UID is generated from the Active Directory GUID.

- useuncpath
This flag determines whether the plugin uses the UNC specified in the Active Directory when mounting the network home. If this is disabled, the plugin will look for Apple schema extensions to mount the home directory.
Supported values:
- enable
- disable
Parameters

- computer
The computer ID (the name of the computer account) to use when adding this machine to the specified Domain.

- force
(defaults to: enable)
Force the process (i.e., join the existing account or remove the binding). With the default, a computer account that already exists under the same name is joined rather than treated as an error; set this to disable if a name collision should fail the run instead.
Supported values:
- enable
- disable

- fqdn (namevar)
The fully-qualified DNS name of the Domain to be used when adding the computer to the Directory (e.g. domain.ads.example.com).

- leave
(defaults to: disable)
Leaves the current domain (preserving the computer record in the directory).
Supported values:
- enable
- disable

- ou
The LDAP DN of the container to use for adding the computer. If this is not specified, it will default to the container “CN=Computers” within the domain that was specified (e.g. “CN=Computers,DC=domain,DC=ads,DC=demo,DC=com”).

- password
Password to use in conjunction with the specified username. A literal value here is stored in the manifest and the compiled catalog; prefer supplying it as a Sensitive value (Puppet 4.6 and later) so it is redacted from logs and reports.

- provider
The specific backend to use for this `dsconfigad` resource. You will seldom need to specify this; Puppet will usually discover the appropriate provider for your platform.

- username
Username of a Network account that has administrative privileges to add/remove this computer to/from the specified Domain. A delegated account that can only create and delete computer objects in the target container is sufficient; a Domain Admin account is not required.