Directory Service
> dscl . [-u user] [-p | -P password] [-f filepath] [-raw] [-plist] [-url] [-q] [datasource [command]]
(v10.5.3) Don't forget the dot!
Create, read, and manage Directory Service data.
Runs interactively when invoked without a command.
Key-access editor for the datastore. Commands: list, search, create, read, append, merge, change, delete and diff.
It has no knowledge of the datastore, such as which keys are valid or used for a particular path, nor does it have any rules as to which types of values are valid for particular keys or which values are appropriate.
It does seem to be the tool to access the user authorization datastore for Mac OS.
Tab completion: when pathnames are being typed, pressing tab searches to auto-complete the partial name, showing possible matches and attempting to correct capitalization.
Options
-plist
-f filepath    The database located at filepath is added as the local node Local/Target, which points to that database. For the localonly datasource a DirectoryService daemon is activated.
               Example: -f /Volumes/Build100/var/db/dslocal/nodes/Default accesses that database via the node name Local/Target.
-u user, with -P password or -p    With a hostname or IP address as the datasource, use -u and either -P or -p to authenticate to the remote host.
The modes of operation correspond to whether the datasource is a node or a host.
Path example: /Users/alice
On the command line, escape path components containing "/" characters.
To read a mount record with the name "ldapserver:/Users" in the "/Mounts" path, use:
dscl . read /Mounts/ldaphost:\/Users
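As an added example (not part of the dscl man page or of these notes), the helper below builds a dscl record path from its components and backslash-escapes every "/" inside a component, so that a mount record named "ldapserver:/Users" under /Mounts comes out as /Mounts/ldapserver:\/Users. The function names are invented here; the actual dscl invocation is only shown in a comment so the script runs on any POSIX shell, not just on a Mac.

```shell
#!/bin/sh
# Added example, not from the dscl man page. Function names are invented here.

# dscl_escape_component NAME
#   Print NAME with every "/" replaced by "\/", the escaping dscl expects
#   for a path component that itself contains a slash.
dscl_escape_component() {
    printf '%s\n' "$1" | sed 's#/#\\/#g'
}

# dscl_path TYPE NAME [NAME...]
#   Join the components into an absolute dscl path, escaping each one.
#   e.g. dscl_path Mounts 'ldapserver:/Users' -> /Mounts/ldapserver:\/Users
dscl_path() {
    path=""
    for component in "$@"; do
        path="$path/$(dscl_escape_component "$component")"
    done
    printf '%s\n' "$path"
}

# Constructed usage: print the escaped path. On a Mac the record would be
# read with:  dscl . read "$(dscl_path Mounts 'ldapserver:/Users')"
dscl_path Mounts 'ldapserver:/Users'
```

Quoting the substitution in double quotes passes the backslash through unchanged, which is what dscl needs; an unquoted substitution would work here too, but breaks as soon as a record name contains spaces.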
read [path [key …]]    (pipe through cut -c1-100† to avoid dumping the JPEGPhoto data)
mcxread record path [optArgs] [appDomain [keyName]]
record path :: the record in the directory node to be operated on (example: /Users/mcx1); required. In interactive mode use '.' to mean 'current directory' (the directory that was last set using the 'cd' command).
appDomain :: example 'com.apple.dock'
keyName :: example 'tilesize'
keyPath :: path to a sub-plist within an existing key value. Example: mount-controls:dvd:1 is the 2nd† element (index 1) of the array under the key named dvd within the key called mount-controls.
mcxDomain :: type of management applied to the key: none (not managed), always, once, often or unset.
keyValue :: new value to be used for a key. Use the same syntax as the defaults command line tool. When specifying plist or xml values, enclose the parameter in apostrophes. For example:
dscl ... '(authenticate, eject)'
dscl ... '<real>64.0</real>'
The MCX extensions follow the same syntax as other dscl commands, follow the same authentication rules and can be used in both interactive and command-line modes.
Local command-line example
$ dscl . mcxread /Users/mcxtest com.apple.dock tilesize
$ dscl -u admin -P apple . mcxset /Users/mcxtest com.apple.dock tilesize always -float 32
Local interactive example
$ dscl
> cd /NetInfo/Users/mcxtest
> mcxread . com.apple.dock =
** for write-based commands you must first 'cd' to the appropriate node and then issue the 'auth' command **
> cd /NetInfo/Users/mcxtest
> auth admin apple
> mcxset . com.apple.dock tilesize always -float 32
Remote command-line example
$ dscl -u diradmin -P apple 10.0.116.132 mcxread /LDAPv3/127.0.0.1/Users/phd1 = =
To modify values on a node remotely use mcxset.
Remote interactive example
$ dscl -u diradmin -P apple 10.0.116.132
> mcxread /LDAPv3/127.0.0.1/Users/phd1 com.apple.SoftwareUpdate CatalogURL
** for write-based commands you must first 'cd' to the appropriate node and then issue the 'auth' command **
> cd /LDAPv3/127.0.0.1
> auth diradmin apple
> mcxset Users/phd1 com.apple.dock tilesize always -float 62.5
mcxread record path [optArgs] [appDomain [keyName]]
Display existing values for MCX preference key(s).
[optArgs]
  (version)    which version of the key should be retrieved. By default version 1 keys are searched for.
  -o filePath    the output file where results should be written. By default results are written to stdout.
  -format xml|plist|text    how the output should be formatted. Default: text.
appDomain    the application domain you want to retrieve keys from. If omitted or =, all application domains are dumped for the specified record.
keyName    the name of the key you want to retrieve. If omitted or =, all keys are displayed.
Examples:
Display the value of the 'autohide' key in the 'com.apple.dock' application domain:
> mcxread /Users/mcx1 com.apple.dock autohide
Display in XML format all the keys in the 'com.apple.dock' application domain:
> mcxread /Users/mcx1 -format xml com.apple.dock =
Display in plist format all keys for all application domains for the current record:
> mcxread . -format plist = =
mcxset record path [optArgs] appDomain keyName [mcxDomain [keyValue [UPK]]]
[optArgs]
Examples:
Set the 'autohide' key in the com.apple.dock domain to TRUE with 'always' management:
mcxset /Users/mcx1 com.apple.dock autohide always -bool 1
Move the 'autohide' key to 'once' management, preserving the existing value of the key:
mcxset . com.apple.dock autohide once
Remove management of the autohide key in the com.apple.dock domain for the current record:
mcxset . com.apple.dock autohide none
Set the value of autohide to FALSE, preserving the existing management level:
mcxset . com.apple.dock autohide . -bool 0
Set the tilesize key to the floating point number 64.0:
mcxset . com.apple.dock tilesize . '<real>64.0</real>'
Examples specifying UPKs:
mcxset . com.apple.test testkey-Raw always '(1,2,3)' '{ input=testkey-Raw; output=testkey; mcx_remove_duplicates=1; mcx_replace=1; mcx_union_as_dictionary=0; }'
mcxset . com.apple.test testkey-Raw always '{ keya=a; keyb=b; keyc=c; }' '{ output=testkey; mcx_union_as_dictionary=1; }'
mcxedit record path [optArgs] appDomain keyPath [keyValue]
Update the value of an existing MCX preference key.
[optArgs]
Examples:
Set the 'autohide' key to TRUE:
mcxedit . com.apple.dock autohide -bool 1
Set the dvd key within the 'mount-controls' dictionary to the array containing two strings, 'authenticate' and 'eject':
mcxedit . com.apple.systemuiserver mount-controls:dvd '(authenticate, eject)'
Same effect as the previous example, using xml syntax:
mcxedit . com.apple.systemuiserver mount-controls:dvd '<array><string>authenticate</string><string>eject</string></array>'
Change the 2nd array element within the 'dvd' key of the 'mount-controls' dictionary to the string 'deny':
mcxedit . com.apple.systemuiserver mount-controls:dvd:1 deny
Remove the 'dvd' key of the 'mount-controls' dictionary:
mcxedit . com.apple.systemuiserver mount-controls:dvd
mcxdelete record path [optArgs] [appDomain [keyName]]
Remove management of MCX preference key(s). Equivalent to using the mcxset command with an mcxDomain value of none.
[optArgs]
Examples:
No longer manage the 'autohide' Dock key:
mcxdelete . com.apple.dock autohide
Delete management of all Dock-related keys:
mcxdelete . com.apple.dock
Delete management of all keys for the current record:
mcxdelete .
mcxdeleteall record path [optArgs] [appDomain [keyName]]
Works identically to mcxdelete except that this command does not require you to specify a path to a specific record. Instead, the path can point to a node or record type and all records within will be processed.
Examples:
Remove management of all keys for ALL user records:
mcxdeleteall Users
Remove management of all Dock-related keys for ALL computer records:
mcxdeleteall Computers com.apple.dock
Remove management of the 'autohide' Dock key for ALL group records:
mcxdeleteall Groups com.apple.dock autohide
Remove ALL management keys for ALL users, groups, computers, computer groups and computer lists in the node:
mcxdeleteall .
mcxexport -o file record path [optArgs] [appDomain [keyName]]
Same functionality as
Example:
mcxexport . -o /tmp/export.plist com.apple.dock
mcximport record path [optArgs] file
Imports the keys/values exported. Each key/value in file will be processed with mcxset, i.e. the data in the import file is added to the existing data.
[optArgs]
Examples:
mcximport . /tmp/export.plist
mcximport . -d /tmp/export.plist
When run in host mode, the current directory must be within the subdirectories of a node when this command is run.
dscl . read /Users/www | cut -c1-140   # avoid showing all the JPEGPhoto data
AppleMetaNodeLocation: /Local/Default
GeneratedUID: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000046
NFSHomeDirectory: /Library/WebServer
Password: *
PrimaryGroupID: 70
RealName: World Wide Web Server
RecordName: _www www
RecordType: dsRecTypeStandard:Users
UniqueID: 70
UserShell: /usr/bin/false
> dscl
Entering interactive mode... (type "help" for commands)
> ls
Local
Contact
Search
Create or replace the UserShell attribute value for the www user record:
dscl . -create /Users/www UserShell /usr/bin/false
Create or replace the test key of the mcx_application_data:loginwindow plist value for the MCXSettings
attribute of the user1 user record
dscl . -createpl /Users/user1 MCXSettings mcx_application_data:loginwindow:test value
List the uniqueID values for all user records on a given node
dscl /LDAPv3/ldap.company.com -list /Users UniqueID
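The -list output above (record name followed by the requested attribute) is easy to audit with awk. The script below is an added example, not from the man page or these notes: it reads "-list /Users UniqueID" style output and flags any UniqueID shared by more than one record and any record other than root that has UID 0, both standard local-account checks. The sample lines are constructed, and "svc_helper" is a made-up second UID 0 account included so the audit has something to find; the function names are invented here.

```shell
#!/bin/sh
# Added example, not from the dscl man page. The sample output below is
# constructed to resemble "dscl . -list /Users UniqueID" (record name, then
# UniqueID); "svc_helper" is a made-up second UID 0 account.
LIST_OUTPUT='_www          70
daemon        1
dgerman       501
nobody        -2
root          0
rut           502
svc_helper    0'

# dscl_uid_dups: read -list output on stdin and print each UniqueID that is
# assigned to more than one record, followed by the record names.
dscl_uid_dups() {
    awk 'NF >= 2 { count[$2]++; names[$2] = names[$2] " " $1 }
         END { for (uid in count) if (count[uid] > 1) print uid ":" names[uid] }'
}

# dscl_uid0_accounts: print every record whose UniqueID is 0 (root-equivalent).
dscl_uid0_accounts() {
    awk 'NF >= 2 && $2 == 0 { print $1 }'
}

# dscl_uid_audit: run both checks over stdin; return non-zero when any UID is
# shared or anything other than root has UID 0.
dscl_uid_audit() {
    input=$(cat)
    status=0
    dups=$(printf '%s\n' "$input" | dscl_uid_dups)
    if [ -n "$dups" ]; then
        printf 'shared UniqueID: %s\n' "$dups"
        status=1
    fi
    for name in $(printf '%s\n' "$input" | dscl_uid0_accounts); do
        if [ "$name" != root ]; then
            printf 'unexpected UID 0 account: %s\n' "$name"
            status=1
        fi
    done
    return $status
}

# Constructed usage; on a Mac replace the sample with:
#   dscl . -list /Users UniqueID | dscl_uid_audit
if printf '%s\n' "$LIST_OUTPUT" | dscl_uid_audit; then
    echo "UID audit clean"
else
    echo "UID audit found problems (expected for the constructed sample)"
fi
```

The same pattern works for any single-valued attribute -list can return; running it against a directory node such as /LDAPv3/ldap.company.com catches the case where a network account has been given a UID that collides with a local one.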
Attempt to append a value that has spaces in it (note the quoting):
dscl . -append /Users/www Comment "This is a comment"
dscl returns -1 (255) on error.
> read /Users/dgerman
Don't forget the dot!
Cannot open remote host, error: DSOpenDirServiceErr
read . /Users/www
/Users/www: (null)
dscl . read /Groups/staff
AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014
GroupMembership: root rut dgerman _serialnumberd
Password: *
PrimaryGroupID: 20
RealName: Staff
RecordName: staff BUILTIN\Users
RecordType: dsRecTypeStandard:Groups
SMBSID: S-1-5-32-545
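The "Key: value" dump above is the format most scripts end up parsing, for instance to check who is in a group. The following is an added example, not from the man page or these notes: dscl_attr pulls one attribute out of a record dump given on stdin, and dscl_is_member uses it to test GroupMembership. STAFF_RECORD is the /Groups/staff output shown above, copied in as constructed sample data; USER_RECORD is made up, and it assumes (as this site's later dumps suggest) that dscl prints a value containing spaces on its own line, indented by one space, beneath a bare "Key:" line. Function names are invented here.

```shell
#!/bin/sh
# Added example, not from the dscl man page. STAFF_RECORD copies the
# "dscl . read /Groups/staff" output shown above; USER_RECORD is made up and
# assumes dscl prints a value containing spaces as an indented line under "Key:".
STAFF_RECORD='AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014
GroupMembership: root rut dgerman _serialnumberd
Password: *
PrimaryGroupID: 20
RealName: Staff
RecordName: staff BUILTIN\Users
RecordType: dsRecTypeStandard:Groups
SMBSID: S-1-5-32-545'

USER_RECORD='AppleMetaNodeLocation: /Local/Default
RealName:
 Dennis German
RecordName: dgerman
UniqueID: 501
UserShell: /bin/bash'

# dscl_attr ATTRIBUTE
#   Read a dscl record dump on stdin and print the value(s) of ATTRIBUTE.
#   An attribute line is "Key: value" or a bare "Key:" followed by lines
#   indented by one space; keys may themselves contain colons
#   (dsAttrTypeNative:_writers_hint), so only the final ": " ends the key.
dscl_attr() {
    awk -v want="$1" '
        /^[^ ]+:( |$)/ {
            key = $1; sub(/:$/, "", key)
            inkey = (key == want)
            if (inkey) {
                value = $0; sub(/^[^ ]+:( |$)/, "", value)
                if (value != "") print value
            }
            next
        }
        inkey && /^ / { sub(/^ /, ""); print }
    '
}

# dscl_is_member USER
#   Succeed (exit 0) when USER appears in the GroupMembership of the group
#   record given on stdin, e.g. to confirm who sits in admin or staff.
dscl_is_member() {
    for member in $(dscl_attr GroupMembership); do
        [ "$member" = "$1" ] && return 0
    done
    return 1
}

# Constructed usage; on a Mac the record would come from
#   dscl . read /Groups/admin | dscl_is_member "$USER"
printf '%s\n' "$STAFF_RECORD" | dscl_attr GroupMembership
if printf '%s\n' "$STAFF_RECORD" | dscl_is_member dgerman; then
    echo "dgerman is in staff"
fi
```

Because the parser keys on the first "word ending in a colon", the native attribute names such as dsAttrTypeNative:_writers_passwd (which say who may change the password of this record) are selectable by their full name, which makes this the same helper you would use to audit those write permissions.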
dgerman 8/7/12
# dscl . read /Users/dgerman | cut -c1-120   # don't show ALL the JPEGPhoto
dsAttrTypeNative:_writers_hint: dgerman
dsAttrTypeNative:_writers_jpegphoto: dgerman
dsAttrTypeNative:_writers_LinkedIdentity: dgerman
dsAttrTypeNative:_writers_passwd: dgerman
dsAttrTypeNative:_writers_picture: dgerman
dsAttrTypeNative:_writers_realname: dgerman
dsAttrTypeNative:_writers_UserCertificate: dgerman
dsAttrTypeNative:accountPolicyData:
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 <key>creationTime</key>
 <real>1453774461.1459241</real>
 <key>failedLoginCount</key>
 <integer>0</integer>
 <key>failedLoginTimestamp</key>
 <integer>0</integer>
 <key>lastLoginTimestamp</key>
 <real>978307200</real>
 <key>passwordLastSetTime</key>
 <real>1354061376</real>
 </dict>
 </plist>
dsAttrTypeNative:LinkedIdentity:
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 <key>appleid.apple.com</key>
 <dict>
 <key>allows password reset</key>
 <true/>
 <key>linked identities</key>
 <array>
 <dict>
 <key>unverified name</key>
 <string>dgermanapl@real-world-systems.com</string>
 </dict>
 </array>
 </dict>
 </dict>
 </plist>
AppleMetaNodeLocation: /Local/Default
AuthenticationAuthority: ;Kerberosv5; ;dgerman@LKDC:SHA1.E08104A89DD6B9076C3EAFDB36F44C0C27EAB1A3; LKDC:SHA1.E08104A89DD6B9076C3EAFDB36F44C0C27EAB1A3; ;ShadowHash;HASHLIST:
AuthenticationHint: initials 2x hex
Building: Real-world-Systems.com
GeneratedUID: D974AB7E-DDD1-4F89-823F-B65965D43013
HomePhoneNumber: 973/226-6672
JPEGPhoto: ffd8ffe0 00104a46 … (many words of hex) …
NFSHomeDirectory: /Users/dgerman   (link to /Volumes/DATA/dgerman)
Password: ********
Picture: /Library/User Pictures/Animals/Butterfly.tif
PrimaryGroupID: 20
RealName: Dennis German
RecordName: dgerman
RecordType: dsRecTypeStandard:Users
UniqueID: 501
UserShell: /bin/bash
ls xxxxxx (does not report anything). Maybe it's not a directory; try
dscl . read /groups/staff | cut -c1-140
dsAttrTypeNative:record_daemon_version: 4850000
AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014
GroupMembership: root dgerman rut _serialnumberd
Password: *
PrimaryGroupID: 20
RealName: Staff
RecordName: staff BUILTIN\Users
RecordType: dsRecTypeStandard:Groups
SMBSID: S-1-5-32-545
./Default: aliases config groups machines networks users .plist
./Default/aliases: administrator manager nobody operator MAILER-AGENT MAILER-DAEMON postmaster dumper
./Default/config: KerberosKDC SharePoints
./Default/config/SharePoints: Dennis German's Public Folder, admin's Public Folder, rut's Public Folder
./Default/groups: _amavisd _appowner _appserveradm _appserverusr _ard _atsserver _calendar _clamav _cvs _devdocs _guest _installer _jabber _keytabusers _lp _lpadmin _mailman _mcxalr _mdnsresponder _mysql _pcastagent _pcastserver _postdrop _postfix _qtss _sandbox _securityagent _serialnumberd _spotlight _sshd _svn _teamsserver _tokend _unknown _update_sharing _uucp _windowserver _www _xgridagent _xgridcontroller accessibility admin authedusers bin certusers consoleusers daemon dialer everyone group interactusers kmem localaccounts mail netaccounts netusers network nobody nogroup operator owner procmod procview smmsp staff sys tty utmp wheel com.apple.sharepoint.group.1 com.apple.sharepoint.group.2 com.apple.sharepoint.group.3
./Default/machines: broadcasthost localhost
./Default/networks: loopback
./Default/users: _amavisd _appowner _appserver _ard _atsserver _calendar _clamav _cvs _cyrus _devdocs _eppc _installer _jabber _lp _mailman _mcxalr _mdnsresponder _mysql _pcastagent _pcastserver _postfix _qtss _sandbox _securityagent _serialnumberd _spotlight _sshd _svn _teamsserver _tokend _unknown _update_sharing _uucp _windowserver _www _xgridagent _xgridcontroller admin dgerman root rut nobody daemon
dscl . readall /groups RealName RecordName GroupMembership
Seems to insist on listing GroupMembership first. Only the interesting entries are shown here.
GroupMembership: _accessoryupdater
RealName: Accessory Update Daemon
RecordName: _accessoryupdater
-
RealName: SPAM Assassin Group 2
RecordName: _amavisd amavisd
-
GroupMembership: _analyticsd
RealName: Analytics Daemon
RecordName: _analyticsd
…
-
GroupMembership: dgerman rut mgerman
RealName: App Server Admins
RecordName: _appserveradm appserveradm
-
GroupMembership: dgerman rut mgerman
RealName: Application Server
RecordName: _appserverusr appserverusr
-
…
-
GroupMembership: dgerman rut mgerman
RealName: Print Administrators
RecordName: _lpadmin lpadmin BUILTIN\Print Operators
-
…
-
GroupMembership: root rut mgerman dgerman
RealName: Administrators
RecordName: admin BUILTIN\Administrators
-
RealName: Authenticated Users
RecordName: authedusers BUILTIN\Authenticated Users
-
…
-
RealName: Dennis German's Public Folder
RecordName: com.apple.sharepoint.group.1
-
RealName: rut's Public Folder
RecordName: com.apple.sharepoint.group.2
-
RealName: Marilyn German's Public Folder
RecordName: com.apple.sharepoint.group.3
-
RealName: DATA
RecordName: com.apple.sharepoint.group.4
-
RealName: Macintosh HD
RecordName: com.apple.sharepoint.group.5
-
> dscl . read /users/dgerman | cut-c1-90   # cut to minimize JPG output
scl_cmd DS Error: -14009 (eDSUnknownNodeName)
oops: a dscl command typed while already in interactive mode
read xxxxxx
August 25, 2003 Mac OS X
dscl . read /Groups/staff
AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014
GroupMembership: root
Password: *
PrimaryGroupID: 20
RealName: Staff
RecordName: staff BUILTIN\Users
RecordType: dsRecTypeStandard:Groups
SMBSID: S-1-5-32-545
AuthMethod: dsAuthMethodStandard:
 dsAuthChangePasswd   (the dsAuth prefix seems redundant)
 dsAuthClearText
 dsAuthNodeNativeCanUseClearText
 dsAuthNodeNativeCannotUseClearText
 dsAuthReadSecureHash
 dsAuthWriteSecureHash
 dsAuthSetPasswd
 dsAuthSetPasswdAsRoot
 dsAuthWithAuthorizationRef
 dsAuthSetCertificateHashAsRoot
 dsAuthNodeNTLMv2
 dsAuthSMBNTKey
 dsAuthMSCHAP2
NodePath: Local Default
ReadOnlyNode: ReadWrite
RealName: Default
RecordType: dsRecTypeStandard:
 AFPUserAliases
 Aliases
 Automount
 AutomountMap
 ComputerGroups
 ComputerLists
 Computers
 Config
 Ethernets
 Groups
 Hosts
 Mounts
 NetGroups
 Networks
 People
 PresetComputerGroups
 PresetComputerLists
 PresetComputers
 PresetGroups
 PresetUsers
 Protocols
 RPC
 Services
 SharePoints
 Users
TrustInformation: FullTrust Anonymous
Use dscl instead of netinfo
Example of a user plist as displayed by PlistBuddy (OpenDirectory):
sudo plistbuddy /private/var/db/dslocal/nodes/Default/users/dgerman.plist > 0   # some unprintable stuff! jpegphoto
sudo ls -l /private/var/db/dslocal/nodes/Default/users/dgerman.plist
-rw------- 1 root wheel 336094 Mar 17 12:04 /private/var/db/dslocal/nodes/Default/users/dgerman.plist
Files as of Oct 2007: ./Default/groups users aliases config machines networks