Creating User Accounts and Exploring Directory Services


User and group records are two of the more important types of system data stored using directory services. As you manage directory services, it is important to be able to identify the key components of both record types.

In this exercise, you will create two standard user accounts and then use the command-line utility dscl to explore the types of information in the user and group records in the local directory services database on Mac OS X.

1. On your client computer, log in as Apple Admin.

2. Open the Accounts pane of System Preferences and create a new user account for Warren Peece using the following values:

   Name: Warren Peece
   Short name: warren
   Password: 2bornot2b
   Password hint: Hamlet

   Do not give the account administrative authority.

3. Create a second user account for Isadora Jarr with the following values:

   Name: Isadora Jarr
   Short name: isadora
   Password: ml8ml8
   Password hint: White Rabbit

   Give Isadora's account administrative authority.

4. Quit System Preferences.

Exploring Directory Services With dscl

The dscl utility is very useful for finding out what information is returned when DirectoryService requests are made. Since it is a command-line utility, it can be used remotely with ssh.

1. Open Terminal.

2. Display the manual page for dscl by typing man dscl.

3. Read the Description paragraph and then quit the man page (press Control-Z).

As described in the man page, you use the dscl command-line utility to access and set information in a directory domain. The format of the command is

dscl [options] datasource [command]

Without specifying a command, dscl operates in interactive mode. This is useful for browsing available directory data.

4. Run dscl in interactive mode by typing dscl localhost.

5. At the prompt (/>), type list.

A list of data paths is displayed. For example:

Bonjour NetInfo SLP SMB Search Contact

6. At the prompt, type cd Search.

The prompt changes to indicate that you are now in a path that can be used to search directory services for information.

7. List the categories of records that can be searched by typing ls.

The ls command is the same as the list command. The records in a folder are organized in a hierarchy.

8. Change to the Users folder by typing cd Users.

9. List the records in the Users folder by typing ls.

You will see a record for each user account in the local database on this computer. Information that is normally stored in /etc/master.passwd (or /etc/group) on other UNIX systems is stored in these records.

10. Display Warren's user record by typing read warren.

Read the information for Warren's user record and identify the following fields:

  • RealName (long name)
  • RecordName (short name)
  • UniqueID (UID)
  • GeneratedUID
  • NFSHomeDirectory (home directory path)

The Password attribute is listed, as well as the authentication method (AuthenticationAuthority), but the Password value is displayed as eight asterisks (********).

11. Display the user record for Isadora and compare it to Warren's.

Notice that the two records contain the same attributes, even though Isadora has an admin account. An account's authority is not determined by the account itself; it depends on whether it belongs to the admin group.

12. Navigate to the listing of group records by typing cd ../Groups.

Notice that navigating around in dscl is similar to using the command line to navigate the file system.

13. List the records in the Groups folder by typing ls.

You will see a record for each group in the local data store. This information would normally be stored in /etc/group on other UNIX systems.

14. Display the contents of the admin group record. (The dscl syntax for navigating to and reading records should be familiar by now.)

In the GroupMembership field, you will see the short names of all the users who are members of the admin group (and are therefore administrators of the machine).

15. Quit dscl by typing q and pressing the Return key.

Using dscl to Modify Directory Data

In this scenario, assume that your security policy states that user records should not include a password hint. (Whether to adopt such a policy is, of course, up to the administrator.) You can use dscl to modify the user records and remove the password hint.

1. Using root access (sudo), run the dscl command in interactive mode (sudo dscl localhost).

You don't need root access to view directory data, but you need root access to modify it. You can also modify data using dscl by authenticating in the command itself.

2. Navigate to the listing of user records.

3. Display Warren's user record.

Note the name of the attribute that contains the password hint.

4. Use the delete command to delete the attribute containing the hint.

The format of the delete command is

delete path [key [val...]]
where path is the path to the record that you want to modify, key is the attribute to be modified, and val is the value to be deleted. If you do not specify a value, the entire attribute is deleted.

5. To delete the password hint from Warren's user record, type delete warren AuthenticationHint.

6. Display Warren's user record again.

The AuthenticationHint attribute is now gone.

7. Delete the password hint from Isadora's user account.

8. Quit dscl.

9. Quit Terminal.

10. Log out.

Try logging in several times as Warren and Isadora with incorrect passwords and verify that a password hint is not displayed.
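The two dscl procedures above (reading user and group records, then deleting the AuthenticationHint attribute) can be scripted with dscl's non-interactive form, dscl . -read /Users/NAME and dscl . -delete /Users/NAME AuthenticationHint, where "." is the local directory node. The script below is an added example and is not from the book or from Apple: it audits records for a stored hint and for admin-group membership, prints the delete command it would run for each record that still carries a hint, and runs it only when APPLY=1 is set on a Mac. The record text it parses is constructed here to match the exercise (the UniqueID and GeneratedUID values are invented); it handles only the one-line "Attribute: value" layout, not multi-line attributes such as AuthenticationAuthority.

```shell
#!/bin/sh
# Added example, not from the book: audit local user records for a stored
# password hint and for admin-group membership, then plan (and optionally
# apply) the AuthenticationHint removal that the exercise performs by hand.
#
# Assumptions: records follow the one-line "Attribute: value" layout that
# `dscl . -read /Users/<name>` prints. The samples below are constructed to
# match the exercise; they were not captured from a real machine.

# Constructed user records (UniqueID and GeneratedUID values are invented).
SAMPLE_WARREN='RealName: Warren Peece
RecordName: warren
UniqueID: 502
GeneratedUID: 00000000-0000-0000-0000-000000000000
NFSHomeDirectory: /Users/warren
AuthenticationHint: Hamlet
Password: ********'

SAMPLE_ISADORA='RealName: Isadora Jarr
RecordName: isadora
UniqueID: 503
GeneratedUID: 00000000-0000-0000-0000-000000000001
NFSHomeDirectory: /Users/isadora
Password: ********'

# Constructed admin group record.
SAMPLE_ADMIN='RecordName: admin
PrimaryGroupID: 80
GroupMembership: root apple isadora'

# read_field RECORD ATTRIBUTE: print the attribute's value, or nothing.
read_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p"
}

# has_hint RECORD: succeed when the record still carries an AuthenticationHint.
has_hint() {
    [ -n "$(read_field "$1" AuthenticationHint)" ]
}

# is_admin GROUP_RECORD SHORTNAME: succeed when SHORTNAME is listed in
# GroupMembership; admin authority lives in the group, not in the user record.
is_admin() {
    for member in $(read_field "$1" GroupMembership); do
        [ "$member" = "$2" ] && return 0
    done
    return 1
}

# audit_record RECORD GROUP_RECORD: print one summary line for the user.
audit_record() {
    name=$(read_field "$1" RecordName)
    if has_hint "$1"; then hint=HINT-PRESENT; else hint=no-hint; fi
    if is_admin "$2" "$name"; then role=admin; else role=standard; fi
    printf '%s uid=%s %s %s\n' "$name" "$(read_field "$1" UniqueID)" "$role" "$hint"
}

# plan_hint_removal RECORD: print the non-interactive dscl command that
# removes the hint, or nothing when the record has no hint to remove.
plan_hint_removal() {
    if has_hint "$1"; then
        printf 'dscl . -delete /Users/%s AuthenticationHint\n' "$(read_field "$1" RecordName)"
    fi
}

# apply_hint_removal RECORD: run the planned command as root. Only meaningful
# on a Mac; guarded by APPLY=1 so the default run is a dry run.
apply_hint_removal() {
    cmd=$(plan_hint_removal "$1")
    [ -n "$cmd" ] && [ "${APPLY:-0}" = 1 ] && sudo $cmd
    return 0
}

main() {
    for rec in "$SAMPLE_WARREN" "$SAMPLE_ISADORA"; do
        audit_record "$rec" "$SAMPLE_ADMIN"
        plan_hint_removal "$rec"
        apply_hint_removal "$rec"
    done
}

main
```

On a Mac the constructed samples would be replaced by the output of dscl . -read /Users/NAME and dscl . -read /Groups/admin; the dry-run output lists exactly which records would be changed, which is the record an administrator would want before modifying directory data as root.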




Apple Training Series: Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Author: Schoun Regan
