Specifications
Using Directory Service Tools
The following are miscellaneous directory service tools that you can use to configure
directory services and to troubleshoot problems.
Operating on Directory Service Domains
Use dscl, a general-purpose tool, for operating on directory domains. You can create,
read, and manage directory data. If invoked without commands, dscl runs in an
interactive mode, reading commands from standard input.
The following example shows a basic use of the dscl tool:
To verify access to an LDAPv3 directory:
To verify that you can access an LDAPv3 directory:
$ dscl localhost
> cd /LDAPv3/directory.example.com/Users
> ls
You should see a list of the server’s network user accounts.
For more information, see the dscl man page.
Manipulating a Single Named Group Record
Use dseditgroup to manipulate a single named group record on the default local
directory domain or on the specified directory domain. The following examples show
uses for dseditgroup.
To manipulate a group record:
To view the attributes of a group in the local directory domain:
$ dseditgroup -o read groupname
To create a group in a domain:
$ dseditgroup -o create -n /LDAPv3/ldap.example.com -u diradmin_name \
    -P diradmin_password -r "Group Name" -c "comment" -s 1234 \
    -k "some keyword" groupname
To create a Windows group in a domain and set the domain group relative
identifier (RID):
$ dseditgroup -o create -n /LDAPv3/ldap.example.com -u diradmin_name \
    -P diradmin_password -r "Group Name" groupname
$ dscl -u diradmin_name -P diradmin_password /LDAPv3/ldap.example.com \
    -create /Groups/groupname SMBRID RID
To delete a group from a domain:
$ dseditgroup -o delete -n /LDAPv3/ldap.example.com -u diradmin_name \
    -P diradmin_password groupname
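The commands above pass the directory administrator password as a -P argument, which leaves it in shell history and visible in the process list while the command runs. The following script is an added example, not part of the original guide: it audits a history file for dscl and dseditgroup invocations with an inline -P value and redacts the password in its report. The function names, the history format, and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): find dscl/dseditgroup
# commands in a shell history file that carry a password inline (-P value).

# Print "line_number: command" for each hit, with the password token
# redacted so the report does not repeat the secret.
# Limitation: a quoted password containing spaces is only partly redacted.
find_inline_passwords() {
    awk '
    {
        tool = 0; hit = 0
        for (i = 1; i <= NF; i++) {
            # Match bare names, full paths, and zsh extended-history prefixes.
            if ($i ~ "(^|[/;])(dscl|dseditgroup)$") tool = 1
            # -P is case-sensitive; the token after it is the password.
            if (tool && $i == "-P" && i < NF) {
                $(i + 1) = "[REDACTED]"; hit = 1; i++
            }
        }
        if (hit) print NR ": " $0
    }' "$1"
}

# Number of history lines that expose a password.
count_inline_passwords() {
    find_inline_passwords "$1" | wc -l | tr -d ' '
}

# Constructed sample history (hypothetical account name and password).
sample_history() {
    cat <<'EOF'
dseditgroup -o read staff
dseditgroup -o create -n /LDAPv3/ldap.example.com -u diradmin -P S3cret groupname
sudo /usr/bin/dscl -u diradmin -P S3cret /LDAPv3/ldap.example.com -create /Groups/groupname SMBRID 1234
dscl -u diradmin -p /LDAPv3/ldap.example.com -read /Groups/groupname
ls -P /tmp
: 1700000000:0;dseditgroup -o delete -n /LDAPv3/ldap.example.com -u diradmin -P S3cret groupname
EOF
}

hist=$(mktemp)
sample_history > "$hist"
find_inline_passwords "$hist"
rm -f "$hist"
```

Any password the audit finds should be treated as exposed and rotated. Both tools also accept -p to prompt for the password, which keeps it out of the command line.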
208 Chapter 9 Maintaining Open Directory Services