An OS X Login Hook for Novell Networks


Managing OS X workstations on a Novell network is easier than it was, but nowhere near as easy as it should be. Although solutions such as Kanaka and the modified eDirectory schema for OS X can facilitate login and management of MCX settings, there are some areas where it is much easier to manage a Windows workstation than a Mac. This script attempts to address a few of those areas.

The script attached to this post is a "login hook" -- a special shell script that runs as root when a user logs into an OS X workstation. Login hooks can be written in any scripting languages that OS X supports, and this one is written in perl. For more information on login hooks, please see

The login hook attached does three things to help level the playing field between user login to OS X and Windows workstations on a Novell-based network.

  1. It adds the current user to the Staff group (gid 20). Many OS X integration solutions populate this value anyway, but in many environments (such as mine) another group is used instead. However, the user must still belong to Staff in order to use the workstation at a basic level (to run applications, for example).

  • It adds certain users to the local administrators group based on eDirectory group membership. Local admins are essentially part of the sudoers group on OS X, and this feature basically acts as a Dynamic Local User surrogate. In an academic environment, you will often want teachers and other "adults" to be local administrators so that they can change settings, add printers, etc. The script does not provide for the removal of a user, once added, but the user is added to the local administrators on a machine-by-machine rather than a global basis.

  • It autopopulates GroupWise information. On OS X, GroupWise does not have a mechanism for guessing what credentials a user will need to log in. This script does a lookup to eDirectory via LDAP and retrieves GW username, post office IP, and port. It then rewrite the master GroupWise preferences file with this information, and then rewrites it whenever another user logs in. If the user does not have a GroupWise account, the preferences file has blank information.

The purpose of this script is to provide smoother integration between eDirectory and OS X. You will probably want to chop it up and use bits of it in your own login hook. Please note that since you have eDirectory groups in a convenient array, it is easy to extend the script's functionality.

This script has been tested with OS X 10.3 - 10.5 and should work with 10.6. It targets GroupWise 7.x - 8.x. It supports any login scheme where OS X workstations are using eDirectory usernames (i.e. Kanaka, modified LDAP, local login with the same username as eDirectory). An eDirectory LDAP server that allows port 389 lookups is required.


Comment List