To create a user account in a directory domain, you must have administrator privileges for the domain.
To create user accounts in an LDAPv3 directory on a non-Apple server, use Directory Utility to map the LDAPv3 directory attributes to Open Directory user and group attributes. For more information about user account elements that might need to be mapped, see “Understanding What You Can Import and Export” on page 273.
To create users in an Active Directory domain, use Active Directory administration tools on a Windows computer. You can’t use Workgroup Manager to create user accounts, group accounts, computer accounts, or computer groups in a standard Active Directory domain. If you extend the schema of the Active Directory domain, you can create computer groups in Active Directory.
To create user accounts for Windows users, create them on a Mac OS X Server PDC, which creates them in the server’s LDAP directory. Windows users with accounts on the PDC server can log in to the Windows domain from a Windows workstation. These user accounts can be used to authenticate to Windows file service and other services, and to Mac OS X computers on the network.
You can create user accounts in the Mac OS X Server PDC LDAP directory but not in a BDC read-only LDAP directory. If you have a BDC, the PDC server replicates the new accounts to the BDC.
If you create user accounts in a server’s local directory domain, you can only authenticate for services provided by that server. You can’t use these accounts to log in to a Mac OS X client computer or to perform Windows domain login. However, Windows users can authenticate with Windows file service, mail service, and other platform-neutral services.
For instructions on mapping LDAPv3 attributes or connecting to Active Directory, see Open Directory Administration.
To create a user account:
1 In Workgroup Manager, click Accounts.
2 Make sure the directory services of the Mac OS X Server computer you’re using are configured to access the directory domain.
For instructions, see Open Directory Administration.
3 Click the globe icon and then choose the domain where you want the user’s account to reside.
For Mac OS X Server v10.5 or later, Local and /Local/Default refer to the local directory domain.
4 To authenticate, click the lock and enter the name and password of a directory administrator.
5 Choose Server > New User or click New User in the toolbar.
6 In the panes provided, specify settings for the user.
For details, see “Working with Basic Settings” on page 65 through “Working with Windows Settings” on page 89.
You can also use a preset or an imported file to create a user account. For details, see “Using Presets to Create Accounts” on page 64 and “Using Workgroup Manager to Import Accounts” on page 275.
From the command line:
1 Identify an unused user ID by using the dscl tool to display lists of assigned user IDs and group IDs:
54 Chapter 4 Setting Up User Accounts
$ dscl /LDAPv3/ipaddress -list /Users UniqueID | awk '{print $2}' | sort -n
Replace /LDAPv3/ipaddress with the location of your directory domain (the way it appears in the search path in Directory Access).
After you enter the command, the dscl tool displays a list of assigned user ID numbers, similar to the following output. These user IDs are for computer accounts that are included with Mac OS X Server:
-2 0 1 99 25 26 27 70 71 75 76 77 78 79 501
Important: Select a user ID that isn’t in the list of assigned user ID numbers created when you install Mac OS X Server.
2 Start the dscl tool in interactive mode, specifying the computer you are using as the source of directory service data, and use the dscl tool to create a nonadministrator user account:
$ dscl localhost
>
In interactive mode, the dscl tool displays the current folder in the directory domain (not the current folder in the file system) and a “>” character as a prompt.
3 Change the current folder to /LDAPv3/ipaddress/Users by entering the path at the prompt:
> cd /LDAPv3/ipaddress/Users
Replace ipaddress with the IP address of your directory server.
4 Authenticate as an administrator by entering the following command, replacing adminusername with your administrator user name, and entering your administrator password when prompted:
> auth adminusername
5 Create a user account, replacing ajohnson with the new user account’s short name and specifying the path to the new user’s home folder in /Users/:
> create ajohnson HomeDirectory "<home_dir><url>afp://sp.apple.com/Users</url><path>ajohnson</path></home_dir>"
> create ajohnson NFSHomeDirectory /Network/Servers/sp.apple.com/Users/ajohnson
Replace sp.apple.com with your home folder server’s location.
6 Specify the new user’s default UNIX shell:
> create ajohnson UserShell /bin/bash
7 Specify the user ID, replacing 1234 with the new user’s ID:
> create ajohnson UniqueID 1234
8 Specify the long name for the new user account, replacing Anne Johnson with the actual long name:
> create ajohnson RealName "Anne Johnson"
9 Review the settings of your new user account by entering the following command, replacing ajohnson with the new user account’s short name as before:
> read ajohnson
10 View settings for your new user account.
Settings for your new user account appear similar to the following output:
dsAttrTypeNative:apple-generateduid: 1B2A3456-E7C8-9EC1-2345-678D912E3456
dsAttrTypeNative:cn: anne johnson
dsAttrTypeNative:gidNumber: 99
dsAttrTypeNative:HomeDirectory: /LDAPv3/ipaddress/Users/ajohnson
dsAttrTypeNative:loginShell: /bin/bash
dsAttrTypeNative:objectClass: inetOrgPerson posixAccount shadowAccount apple-user extensibleObject organizationalPerson top person
dsAttrTypeNative:sn: ajohnson
dsAttrTypeNative:uid: ajohnson
dsAttrTypeNative:uidNumber: 1234
AppleMetaNodeLocation: /LDAPv3/ipaddress
GeneratedUID: 1B2A3456-E7C8-9EC1-2345-678D912E3456
LastName: johnson
NFSHomeDirectory: /LDAPv3/ipaddress/Users/ajohnson
PasswordPlus: ********
PrimaryGroupID: 99
RealName: Anne Johnson
RecordName: ajohnson anne
RecordType: dsRecTypeStandard:Users
UniqueID: 1234
UserShell: /bin/bash
11 Assign a password to the account by entering the following command, replacing ajohnson with the new account’s short name:
> passwd ajohnson
12 Quit dscl by entering:
> quit
The dscl tool displays Goodbye, and then the standard shell prompt appears.
13 Use the ssh tool to connect to the server where you are hosting home folders:
$ ssh -l username server
Replace username with the name of an administrator user on the remote server and replace server with the name or IP address of the server.
14 Create the home folder for the new user.
Use the -s option if you are using a network directory domain or the -c option if you are using a local directory domain. You must run the command to create the home folder with root privileges.
$ sudo createhomedir -s -u ajohnson
The user account is now complete and can be used for logging in. For more information, see the dscl man page.
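The values typed into the dscl session in steps 1 and 5 (an unused user ID, a short name, and the two home-folder attributes) can be prepared and checked before anything is written to the directory. The POSIX shell script below is an added example, not code from this manual or from Apple. It parses a constructed sample listing shaped like the output of dscl -list /Users UniqueID, returns the lowest unassigned UniqueID at or above a floor so a new account never shares a UID (and therefore file ownership) with an existing one, applies a short-name rule, and builds the HomeDirectory and NFSHomeDirectory values from a server name and short name. The floor of 1001 and the short-name rule are local-policy assumptions; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Apple's code). Helpers for the dscl procedure above:
# choose an unused UniqueID, sanity-check a short name, and build the two
# home-folder attribute values. The listing below is constructed to look
# like the output of:  dscl /LDAPv3/ipaddress -list /Users UniqueID
SAMPLE_UID_LISTING='nobody          -2
root            0
daemon          1
unknown         99
www             70
localuser       501
bsmith          1001
csmith          1002
esmith          1004'

# next_free_uid FLOOR  (listing on stdin)
# Prints the smallest integer >= FLOOR that is not present in column 2.
# FLOOR is an assumption for this example; user IDs below 500 are reserved
# for system accounts on Mac OS X Server, so never pick from that range.
next_free_uid() {
    awk -v floor="$1" '
        NF >= 2 { used[$2] = 1 }          # column 2 is the UniqueID
        END {
            uid = floor
            while (uid in used) uid++
            print uid
        }'
}

# uid_in_use UID  (listing on stdin): exit status 0 if UID is already assigned
uid_in_use() {
    awk -v want="$1" 'NF >= 2 && $2 == want { found = 1 } END { exit !found }'
}

# short_name_ok NAME: lowercase letter or underscore first, then lowercase
# letters, digits, underscore or hyphen, 1 to 31 characters (assumed policy).
short_name_ok() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,30}$'
}

# home_dir_attr SERVER NAME: the HomeDirectory value used in step 5
home_dir_attr() {
    printf '<home_dir><url>afp://%s/Users</url><path>%s</path></home_dir>\n' "$1" "$2"
}

# nfs_home_attr SERVER NAME: the NFSHomeDirectory value used in step 5
nfs_home_attr() {
    printf '/Network/Servers/%s/Users/%s\n' "$1" "$2"
}

# Convenience wrappers over the constructed sample listing
pick_uid_from_sample() {
    printf '%s\n' "$SAMPLE_UID_LISTING" | next_free_uid 1001
}
uid_taken_in_sample() {
    printf '%s\n' "$SAMPLE_UID_LISTING" | uid_in_use "$1"
}

# Stand-alone run ("sh script.sh demo"): show the values for the dscl session
if [ "${1:-}" = "demo" ]; then
    uid=$(pick_uid_from_sample)
    short_name_ok ajohnson && echo "short name ok"
    echo "UniqueID: $uid"
    echo "HomeDirectory: $(home_dir_attr sp.apple.com ajohnson)"
    echo "NFSHomeDirectory: $(nfs_home_attr sp.apple.com ajohnson)"
fi
```

On a real server, replace the sample listing with the output of the dscl -list command from step 1 (piped into next_free_uid) and keep the floor above the highest ID that your installation assigns automatically, as the Important note in step 1 requires.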