MacOS X Administrators from LDAP

I’ve been building an LDAP single sign-on system (for Linux, Mac and PC via Samba PDC) at $dayjob and I hit a wall with my MacOS X clients: it seemed that administrators had to be defined locally on each machine. However, I finally found this solution, which boils down to running the following as root (or via sudo) on each of your MacOS LDAP clients:

niutil -createprop / /groups/admin groupmembers ""
dseditgroup -o edit -a it -t group -n /NetInfo/DefaultLocalNode admin

Now, anyone who is in LDAP group “it” automatically has local administrator rights on the Mac, and thus can change settings and install software requiring authorization. Since I’m also running a Samba PDC out of the same LDAP, I could make that “Domain Admins” as well so the same admin group has admin rights on every Mac or PC client. Or you can fancy it up and create groups of administrative users for different groups of Mac clients, but since I’m the only IT person at $dayjob, I don’t have any use for that.
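Once a directory group is nested into the local admin group, the question a defender asks is “who actually has admin on this Mac now?”. The helper below is an added example, not from the original post; it assumes a later, dscl-based macOS (the post targets the NetInfo node) and parses a constructed `dscl . -read /Groups/admin` record.

```shell
#!/bin/sh
# Added audit helper (not part of the original post). Lists what grants
# local admin on a Mac once a directory group has been nested into
# /Groups/admin. Assumes a dscl-era macOS; attribute names follow dscl.

# Print the space-separated values of one attribute from a dscl record
# read on stdin. $1 = attribute name. Empty output means it is absent.
record_attr() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ /, ""); print }'
}

# Summarise a /Groups/admin record: one "member <name>" line per direct
# member and one "nested <guid>" line per nested group.
admin_grants() {
    rec=$(cat)
    for m in $(printf '%s\n' "$rec" | record_attr GroupMembership); do
        printf 'member %s\n' "$m"
    done
    for g in $(printf '%s\n' "$rec" | record_attr NestedGroups); do
        printf 'nested %s\n' "$g"
    done
}

# Direct yes/no check for one account on a real Mac (exit status 0 = admin).
# Uses dseditgroup's checkmember operation; not exercised offline.
is_local_admin() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Constructed sample of a `dscl . -read /Groups/admin` record; the GUIDs
# are made up. Note NestedGroups stores GeneratedUIDs, not group names,
# so each one still has to be resolved back to a directory group.
SAMPLE_ADMIN_RECORD='AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-CDEF-000000000050
GroupMembership: root localadmin
NestedGroups: 11111111-2222-3333-4444-555555555555
Password: *
PrimaryGroupID: 80
RecordName: admin'

# On a real Mac:  dscl . -read /Groups/admin | admin_grants
# then resolve a GUID with:  dscl /Search -search /Groups GeneratedUID <guid>
```

Multi-line attribute values (dscl indents continuation lines) are not handled here; the admin record normally keeps each attribute on one line.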

Also, I like having the “traffic signal” network status show up by default on the login window:

defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus