Part of my post imaging process requires me to manually adjust the custom authentication search policy in Directory Utility. Since all of my users and groups live in Active Directory, we want the machine to look first in AD for a user when they enter their log in credentials by having a custom search policy for authentication where AD is above LDAP. I’ve always wanted a way to either script this out, or use ARD to send a command to do this, instead of manually logging in to each machine after it’s been restored and adjusting this via drag and drop.
When I started using DeployStudio a few years ago, I was hopeful this would find its way in to their AD Bind task. Since I’m still waiting for this to happen, I decided I would beat them to it.
What I found is a way to leverage the dscl command to first remove the incorrect search policy, and then add it back in the order I want. Use the ‘Send Unix Command’ feature of ARD to send these two commands to your target machines. You’ll need to adjust accordingly for your directories and your preferred order. In my case, I needed Active Directory first, followed by OD. I used the IP address of my Xserve for the OD entry.
First, send this command to remove the directories in your authentication search policy:
dscl /Search -delete / CSPSearchPath “/Active Directory/All Domains” /LDAPv3/10.20.0.90
Unix Command to Delete Your Existing Search Path
Next, send this command to add your directories, in the order you prefer:
dscl /Search -append / CSPSearchPath “/Active Directory/All Domains” /LDAPv3/10.20.0.90
Unix Command to Add Your New Custom Search Path
You can see the only difference is that the first command uses the -delete switch and the second one uses the the -append switch to add to your custom search policy. One caveat, if you’re not already using a custom search policy for authentication, you can enable it first with the command “dscl /Search -create / SearchPolicy CSPSearchPath”
If you’d like to do all of this to your contacts search policy too, just change every instance of “/Search” to be “/Search/Contacts”. If anyone wants to wrap this inside of package installer, or create a script to use with DeployStudio be my guest. I just ask that you strongly consider sharing it in the comments below.
