Script to Create userPrincipalName for DSfW Domain Users

  • 7009832
  • 01-Dec-2011
  • 02-Jun-2016

Environment

Novell Open Enterprise Server 11.2 (OES11SP2)
Novell Open Enterprise Server 11.1 (OES11SP1)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSfW

Situation

How to add a userPrincipalName attribute to a user.
Users cannot log in from Windows 7 VMware View linked clones.
Users cannot log in using the userPrincipalName.

With MMC, the User Logon name field populates the userPrincipalName attribute when the user is created.
iManager and ConsoleOne do not populate the userPrincipalName attribute with the standard plugins.

An example of logging in with the userPrincipalName: user@novell.com

Resolution

There are a number of ways to populate the userPrincipalName attribute.

1) Add dnsDomainName=<UPNSuffix> to the domain root container. See TID 7004782 for more information. This populates the userPrincipalName for newly created users, and for existing users the next time they log in (via LDAP, NDS, or using the sAMAccountName).
2) Edit the userPrincipalName using iManager on the Other tab of the user object.
3) Create a custom plugin for iManager (Role Based Services has to be implemented for this option to work).
4) Create a script to populate the userPrincipalName, or run the script shown below to set the userPrincipalName for all users that do not yet have one.

Below is a script that uses the value of the cn attribute of each user to populate the userPrincipalName attribute as cn@<DNS domain name>. Only users without a userPrincipalName are touched. Users whose cn is missing, base64 encoded or multi-valued are skipped and listed in /var/opt/novell/xad/log/multivalued_cns.log; the ldapmodify output is appended to /var/opt/novell/xad/log/userprincipalname.log. Run the script as root on a DSfW domain controller (it binds with SASL EXTERNAL through the DSfW ldap.conf, so no password is needed on the command line).
Before running the script make it executable, and if the script was created in Notepad or WordPad run dos2unix to strip the carriage returns:

example:
dos2unix userprincipalname.sh
chmod +x userprincipalname.sh

####################### userprincipalname script #######################

#!/bin/bash
# Sets userPrincipalName = <cn>@<DNS domain name> on every user object in the
# domain that has no userPrincipalName yet. Run as root on a DSfW domain
# controller: ldapmodify binds with SASL EXTERNAL through the ldap.conf
# referenced by LDAPCONF, so no password is placed on the command line.
# Users whose cn is missing, base64 encoded (non-ASCII) or multi-valued are
# skipped and listed in $MVLOG.

LOGDIR=/var/opt/novell/xad/log
UPNLOG=$LOGDIR/userprincipalname.log
MVLOG=$LOGDIR/multivalued_cns.log

function skip_multivalued_cns ()
{
    echo
    echo "Searching for objects with a missing or multi valued CN"
    echo "Such objects will not be updated"

    rm -f "$MVLOG"

    # One line per entry to skip: "<number of cn values><TAB><dn line>" for
    # every entry that does not have exactly one plain-text cn. Entries are
    # separated by blank lines in LDIF. The whole dn line is kept (not only
    # its second field), so a dn containing spaces is not truncated.
    awk '
    BEGIN   { plain = 0; b64 = 0; dn = "" }
    /^dn:/  { plain = 0; b64 = 0; dn = $0 }
    /^cn: / { ++plain }
    /^cn::/ { ++b64 }
    /^$/    { if ( dn != "" && (plain != 1 || b64 > 0) ) print plain + b64 "\t" dn; dn = "" }
    ' "$tmpfile1" > "$MVLOG"

    if [ ! -s "$MVLOG" ]
    then
        return 0
    fi

    echo
    echo "Objects with a missing or multi valued CN found"

    while IFS=$'\t' read -r cnt dn
    do
        if [ "X$dn" = "X" ]
        then
            continue
        fi
        echo
        case "$cnt" in
            0) echo "Ignoring ${dn#dn:* } as CN attribute is missing" ;;
            1) echo "Ignoring ${dn#dn:* } as CN value is base64 encoded" ;;
            *) echo "Ignoring ${dn#dn:* } as CN attribute is multivalued" ;;
        esac
        # Remove the entry (dn line through the terminating blank line) from
        # the export. The dn is passed through the environment and compared
        # as a literal string, so regex metacharacters and backslashes in the
        # dn cannot break the match as they would in a sed address.
        SKIP_DN="$dn" awk '
        BEGIN      { skip = ENVIRON["SKIP_DN"] }
        $0 == skip { drop = 1 }
        !drop      { print }
        /^$/       { drop = 0 }
        ' "$tmpfile1" > "$tmpfile1.new" && mv "$tmpfile1.new" "$tmpfile1"
    done < "$MVLOG"
}


dnsdomain=$(/usr/bin/ldapsearch -x -b "" -s base dnsdomain | grep -i '^dnsdomain: ' | sed -e 's/^[^:]*: *//')

if [ "X$dnsdomain" = "X" ]
then
    echo "DNS domain information missing"
    exit 1
fi
echo "DNS Domain Name : $dnsdomain"

defaultnamingcontext=$(/usr/bin/ldapsearch -x -b "" -s base defaultnamingcontext | grep -i '^defaultnamingcontext: ' | sed -e 's/^[^:]*: *//')

if [ "X$defaultnamingcontext" = "X" ]
then
    echo "Default Naming Context information missing"
    exit 1
fi
echo "Default Naming Context : $defaultnamingcontext"

export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf

tmpfile1=$(mktemp)
tmpfile2=$(mktemp)
# Remove the temporary export and LDIF however the script exits.
trap 'rm -f "$tmpfile1" "$tmpfile1.new" "$tmpfile2"' EXIT

echo
echo "exporting all the users not having the userprincipalname attribute to $tmpfile1"
/usr/bin/ldapsearch -Q -LLL -Y EXTERNAL -b "${defaultnamingcontext}" '(&(objectclass=user)(!(userprincipalname=*)))' dn cn > "$tmpfile1"
if [ $? -ne 0 ]
then
    echo "Exporting of users not having userprincipalname attribute failed"
    exit 1
fi

# LDIF folds long lines onto continuation lines that start with a space;
# join them back so dn and cn values are matched whole.
sed -i -e ':a' -e 'N' -e '$!ba' -e 's/\n //g' "$tmpfile1"

# skip entries without exactly one plain-text cn
skip_multivalued_cns

grep -i -e '^cn: ' "$tmpfile1" > /dev/null 2>&1
if [ $? -ne 0 ]
then
    echo
    echo "The final object list is empty. Nothing to update."
    exit 0
fi

echo ""
echo "Generating a $tmpfile2 ldif file to populate the userprincipalname attribute"

# Turn every remaining dn/cn pair into one LDIF modify record:
#   dn: <dn>
#   changetype: modify
#   replace: userPrincipalName
#   userPrincipalName: <cn>@<dnsdomain>
DNSDOMAIN="$dnsdomain" awk '
BEGIN   { dom = ENVIRON["DNSDOMAIN"] }
/^dn:/  { print; print "changetype: modify"; next }
/^cn: / { print "replace: userPrincipalName"
          print "userPrincipalName: " substr($0, 5) "@" dom; next }
        { print }
' "$tmpfile1" > "$tmpfile2"

echo "" | tee -a "$UPNLOG"
echo "$(date +'%b %d %Y %H:%M:%S') Starting setting of userprincipalname attribute ..." | tee -a "$UPNLOG"
echo "Executing $tmpfile2 ldif file ..." | tee -a "$UPNLOG"

# ldapmodify stops at the first record the server rejects; add -c to continue
# with the remaining records instead.
/usr/bin/ldapmodify -Y EXTERNAL -f "$tmpfile2" 2>&1 | tee -a "$UPNLOG"
# $? after a pipeline is tee's status; PIPESTATUS[0] is ldapmodify's.
if [ ${PIPESTATUS[0]} -ne 0 ]
then
    echo 'Setting userprincipalname attribute failed'
    echo "Check $UPNLOG file for more details"
    exit 1
fi

unset LDAPCONF

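The script above hands the generated LDIF straight to ldapmodify. A userPrincipalName has to be unique, and a cn copied verbatim can contain a space or a second "@", so it is worth checking the LDIF before applying it. The following bash check is an added example, not part of the TID script or of DSfW. It assumes the LDIF produced by the generation step (one "userPrincipalName: <value>" line per modify record) and the DNS domain name passed as its second argument; its notion of a well-formed UPN (non-empty prefix, exactly one "@", no whitespace, suffix equal to the domain) is a conservative assumption of this example and not the complete set of UPN rules. The sample LDIF at the bottom is constructed for the demonstration.

```shell
#!/bin/bash
# Added pre-flight check for the generated UPN LDIF (example code, not the
# TID's own script). Assumption: the LDIF carries one
# "userPrincipalName: <value>" line per modify record, as generated above.

# Print the userPrincipalName values found in an LDIF file, one per line
# (attribute name matched case-insensitively).
upn_values ()
{
    awk 'tolower($1) == "userprincipalname:" { sub(/^[^:]*: */, ""); print }' "$1"
}

# Return 0 when every UPN in $1 is well-formed, carries the suffix $2 and is
# unique; otherwise print the offenders to stderr and return 1.
# "Well-formed" is a conservative assumption of this example: non-empty
# prefix, exactly one "@", no whitespace. Comparisons are case-insensitive.
check_upn_ldif ()
{
    local ldif="$1" domain="$2" rc=0 upn dom_lc dups list
    dom_lc=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')

    list=$(mktemp)
    upn_values "$ldif" | tr 'A-Z' 'a-z' > "$list"

    # A UPN must be unique: two users with the same cn in different
    # containers would collide on the same user@domain.
    dups=$(sort "$list" | uniq -d)
    if [ -n "$dups" ]
    then
        printf '%s\n' "$dups" | sed 's/^/duplicate UPN: /' >&2
        rc=1
    fi

    while IFS= read -r upn
    do
        case "$upn" in
            *[[:space:]]*|@*|*@|*@*@*)
                echo "malformed UPN: '$upn'" >&2; rc=1 ;;
            *@"$dom_lc")
                ;;
            *)
                echo "unexpected suffix: '$upn'" >&2; rc=1 ;;
        esac
    done < "$list"

    rm -f "$list"
    return $rc
}

# Constructed sample (not real directory data): four modify records, with a
# duplicate pair (jsmith in two OUs) and a cn containing a space.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dn: cn=alice,ou=users,dc=example,dc=com
changetype: modify
replace: userPrincipalName
userPrincipalName: alice@example.com

dn: cn=jsmith,ou=sales,dc=example,dc=com
changetype: modify
replace: userPrincipalName
userPrincipalName: jsmith@example.com

dn: cn=jsmith,ou=hr,dc=example,dc=com
changetype: modify
replace: userPrincipalName
userPrincipalName: JSmith@example.com

dn: cn=Bad Name,ou=users,dc=example,dc=com
changetype: modify
replace: userPrincipalName
userPrincipalName: Bad Name@example.com
EOF

if check_upn_ldif "$sample" example.com
then
    echo "LDIF is safe to hand to ldapmodify"
else
    echo "fix the entries above (or let the script skip them) before running ldapmodify"
fi
rm -f "$sample"
```

To use it against the TID script's output, run the check on the generated $tmpfile2 with the DNS domain name the script printed, and only run ldapmodify when it returns 0; the duplicate case is the one to look at first, since the second modify would otherwise be rejected (or leave two accounts answering to the same logon name).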
Additional Information

Related TIDs:
TID 7008453 Users with more than 20 characters cannot log in to DSfW domain
TID 7004290 VMware View Composer Server cannot authenticate to DSfW