On Dec 19, 2008, at 10:48 PM, Nigel Kersten wrote:

> On Fri, Dec 19, 2008 at 7:23 PM, Crawford Kyle <kcrw...@gmail.com> wrote:
>
> On Dec 19, 2008, at 7:55 PM, Nigel Kersten wrote:
>>
>> On Fri, Dec 19, 2008 at 2:29 PM, Carl Caum <carl.c...@gmail.com> wrote:
>>
>> Does anyone know how to go about joining Mac OS X Leopard to an Active Directory domain with Puppet?
>> Primarily it needs to be broken down into doing LDAP authentication with a few attribute mappings and using Kerberos for the password authentication.
>>
>> You're going to want to push out your DS preferences and then do an exec for the joining of the machine account I imagine, although you could do some of this with templates.....
>>
>> How were you doing this before Puppet?
>>
>> There are no native types now, because those of us doing the Mac stuff with Puppet don't work in AD environments :)
>>
>> I'm more than happy to spend time helping you work through this though Carl. I'm reasonably familiar with AD integration even though we don't do it here.
>>
>> This would be a great recipe to get up on the Puppet wiki.
>
> We are in a large AD environment using Puppet. We currently handle the AD joining outside of Puppet with a python script in a launchd job that runs at first boot, though we will probably be moving this to Puppet.
>
> The typical steps are:
> Make sure time server is set and time is set correctly (ntpd.conf or exec systemsetup)
> Activate AD plugin by enabling it in DirectoryService.plist. (just a simple key value, but I think you need to restart DirectoryService for it to notice)
> Configure AD plugin using dsconfigad options. (this can take a lot of options; all of these just change key values in ActiveDirectory.plist)
> Join to domain using dsconfigad with a limited AD account and password with permissions to add machines to your OU. (this would need to exec the dsconfigad command with username, password, OU, machine join name. Unfortunately the password is passed to dsconfigad in clear text as a parameter)
> Set the authentication search path to Custom, and include your AD domain node using dscl. (dscl exec)
>
> We do manage the time server with Puppet and setting a couple of mapping attributes in the AD plists.
>
> I'm happy to help you get this all working in Puppet as well.
>
> oh cool. I didn't realize you were doing AD integration Kyle.
>
> How are you ensuring that AD continues to be configured on the clients? Does the python launchd job do all of this? Or are you managing some components as Puppet resources?
>
> I've been thinking for a while about how to manage DirectoryService nodes as native Puppet types, but there are so many attributes to think about I'm not sure it actually simplifies matters all that much...

Yes, I've done a lot of AD integration work. The python script I wrote tests the configuration and scenarios related to AD Node status and takes action if necessary. The only part in Puppet so far is management of a couple of AD plist keys.

Agreed, DirectoryService node configuration can get complex. There may be lower hanging fruit like improved plist management that would help in all areas including DirectoryService.

Kyle

You received this message because you are subscribed to the Google Groups "Puppet Users" group.
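The five steps Kyle lists, written as Puppet exec resources with `unless` guards so each step is idempotent and the dsconfigad join (and the cleartext password it takes on the command line) only runs on a machine that is not yet bound. This is an added example, not code from the thread or from Kyle's script; the domain, OU, join account, time server, the DirectoryService.plist key name and the strings grepped for in the `unless` checks are assumptions to verify against your own Leopard build and directory before rolling out.

```puppet
# Added example, not from the thread. Assumed values are marked; check each
# 'unless' command by hand on one machine first so a wrong guard cannot
# re-run the join (and re-expose the password) on every Puppet run.
class ad_join {
  $ad_domain = 'ad.example.com'                     # assumption
  $ad_ou     = 'OU=Macs,DC=ad,DC=example,DC=com'     # assumption
  $ad_user   = 'mac-join'   # limited account: only permitted to add machines to $ad_ou
  $ad_pass   = 'CHANGE-ME'  # passed to dsconfigad as an argument, so visible in ps while it runs
  $ntp_host  = 'time.example.com'                   # assumption

  # Step 1: Kerberos needs the clock in sync; systemsetup manages the time server.
  exec { 'set-ntp-server':
    command => "/usr/sbin/systemsetup -setnetworktimeserver ${ntp_host}",
    unless  => "/usr/sbin/systemsetup -getnetworktimeserver | /usr/bin/grep -q ${ntp_host}",
  }

  # Step 2: enable the AD plugin (assumed key "Active Directory" = Active), then
  # restart DirectoryService so it notices. grep -x avoids matching "Inactive".
  exec { 'enable-ad-plugin':
    command => '/usr/bin/defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" Active',
    unless  => '/usr/bin/defaults read /Library/Preferences/DirectoryService/DirectoryService "Active Directory" | /usr/bin/grep -qx Active',
    notify  => Exec['restart-directoryservice'],
  }
  exec { 'restart-directoryservice':
    command     => '/usr/bin/killall DirectoryService',
    refreshonly => true,
  }

  # Steps 3-4: configure and join in one dsconfigad call; $hostname is the Facter
  # fact. The "Active Directory Domain" line in 'dsconfigad -show' is assumed to
  # appear only once bound.
  exec { 'ad-join':
    command => "/usr/sbin/dsconfigad -a ${hostname} -domain ${ad_domain} -ou '${ad_ou}' -u ${ad_user} -p '${ad_pass}' -f",
    unless  => '/usr/sbin/dsconfigad -show | /usr/bin/grep -q "Active Directory Domain"',
    require => [ Exec['set-ntp-server'], Exec['enable-ad-plugin'] ],
  }

  # Step 5: switch the authentication search path to Custom and add the AD node.
  exec { 'ad-search-policy':
    command => '/usr/bin/dscl /Search -create / SearchPolicy CSPSearchPath',
    unless  => '/usr/bin/dscl /Search -read / SearchPolicy | /usr/bin/grep -q CSPSearchPath',
    require => Exec['ad-join'],
  }
  exec { 'ad-search-path':
    command => '/usr/bin/dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"',
    unless  => '/usr/bin/dscl /Search -read / CSPSearchPath | /usr/bin/grep -q "/Active Directory/All Domains"',
    require => Exec['ad-search-policy'],
  }
}
```

Because the join account's password ends up in the catalog and in the exec's command line, keep that account limited to adding computer objects in the one OU and rotate it like any other service credential.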