4

Is there a way to identify whether the logged in account is local account or active directory account on OS X? If yes, how can we retrieve the domain name?

Seema Kadavan

2 Answers

3

You can create a CBUserIdentity for the user from their username:

```objc
#import <Collaboration/Collaboration.h>

CBUserIdentity* identity = [CBUserIdentity identityWithName:NSUserName() authority:[CBIdentityAuthority defaultIdentityAuthority]];
```

Then, you can obtain that user identity's authority:

```objc
CBIdentityAuthority* authority = identity.authority;
```

Then, you can see if that is the local authority (the alternative is the managed authority):

```objc
if ([authority isEqual:[CBIdentityAuthority localIdentityAuthority]])
{
    // user is local
}
else
{
    // user is managed
}
```

The authority has a localizedName property, but that's not likely to include the domain name, I don't think. I don't know how to get that.


Update:

This is an approach using the Open Directory API:

```objc
#import <OpenDirectory/OpenDirectory.h>

ODSession* session = [ODSession defaultSession];
// The authentication node searches every directory used for login.
ODNode* node = [ODNode nodeWithSession:session type:kODNodeTypeAuthentication error:NULL];
// Find the user record whose record name equals the current user name.
ODQuery* query = [ODQuery queryWithNode:node forRecordTypes:kODRecordTypeUsers attribute:kODAttributeTypeRecordName matchType:kODMatchEqualTo queryValues:NSUserName() returnAttributes:kODAttributeTypeStandardOnly maximumResults:0 error:NULL];
NSArray* results = [query resultsAllowingPartial:NO error:NULL];
ODRecord* record = results.firstObject;
```

At this point, you can query the record for some of its attributes. One that may be of interest might be kODAttributeTypeMetaNodeLocation:

```objc
NSArray* attributes = [record valuesForAttribute:kODAttributeTypeMetaNodeLocation error:NULL];
NSString* attribute = attributes.firstObject;
```

For a local account, the meta node location should be "/Local/Default". I tested with an LDAP account and that gave "/LDAPv3/my.ldap.server.example.com". I don't have an Active Directory account to test with.

Alternatively, you can try kODAttributeTypeMetaRecordName. For a local account, that returned nil. For an LDAP account, it gave the fully distinguished name: "uid=ken,ou=People,dc=example,dc=com". Again, I don't know what it would do for an Active Directory account.

You can log the record to see other attributes that are available. That will show the attribute keys as string values. You can look here to try to find a symbolic constant for the one(s) of interest, or check /System/Library/Frameworks/OpenDirectory.framework/Frameworks/CFOpenDirectory.framework/Headers/CFOpenDirectoryConstants.h for some which aren't documented.

Once you find what you really care about, you can maybe simplify the query by requesting just those instead of kODAttributeTypeStandardOnly. Also, you should consider running the query asynchronously rather than synchronously as I did in my example code.

Ken Thomases
  • This should be chosen as the answer. And one more question: I'm going to use the Open Directory API right now, but the official documents from Apple are really poor :( Where did you learn these APIs? How could I query the 'memberOf' attribute by using Open Directory? Thanks in advance – Bill Hoo Jul 20 '18 at 02:57
  • I don't remember where I learned them, exactly. I'm pretty sure I looked them up just because of this question, although I had known of their existence before then. I had a little previous experience with the `dscl` command. That's useful for interactive exploration. Apple's docs have been going steadily downhill. On the theory that the docs used to be better, I searched their legacy documentation archive and found [a programming guide](https://developer.apple.com/library/archive/documentation/Networking/Conceptual/Open_Directory/Introduction/Introduction.html). – Ken Thomases Jul 20 '18 at 03:47
  • Not sure about memberOf. Perhaps `kODAttributeTypeGroup` or `kODAttributeTypeNetGroups`. However, poking around with `dscl`, I didn't find an attribute that seemed to show secondary groups. (Primary, yes.) – Ken Thomases Jul 20 '18 at 03:49
  • Thanks for the timely reply. I think that programming guide is still not as clear as yours. And thank you for leading me to dscl. I can query the 'memberOf' attribute from Windows by using its API IDirectorySearch, so I'm wondering if it's the same on Mac. I'll try it and feed back here soon. – Bill Hoo Jul 20 '18 at 05:14
  • Finally it worked. I still haven't found an official kODAttributeTypeMemberOf type, so I hard-coded the "memberOf" string: `[record valuesForAttribute:@"memberOf" error:NULL]` and it worked like a charm. Thanks for guiding me here. :) – Bill Hoo Jul 20 '18 at 09:53
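
The Open Directory steps from the answer above, combined into one program as an added example (not code from the original post): it requests only `kODAttributeTypeMetaNodeLocation`, as the answer suggests, and checks each step for failure instead of passing `NULL` for the error. The helper name `MetaNodeLocationForUser` is hypothetical; the node paths mentioned in the comments are the ones the answer reports.

```objc
#import <Foundation/Foundation.h>
#import <OpenDirectory/OpenDirectory.h>

// Hypothetical helper: returns the node that holds the user's record
// (e.g. "/Local/Default"). Returns nil when a step fails (with *error set
// if Open Directory reported one) or when no record matches.
static NSString *MetaNodeLocationForUser(NSString *user, NSError **error) {
    ODNode *node = [ODNode nodeWithSession:[ODSession defaultSession]
                                      type:kODNodeTypeAuthentication
                                     error:error];
    if (node == nil) return nil;
    // Ask only for the one attribute that is needed.
    ODQuery *query = [ODQuery queryWithNode:node
                             forRecordTypes:kODRecordTypeUsers
                                  attribute:kODAttributeTypeRecordName
                                  matchType:kODMatchEqualTo
                                queryValues:user
                           returnAttributes:kODAttributeTypeMetaNodeLocation
                             maximumResults:1
                                      error:error];
    if (query == nil) return nil;
    NSArray *results = [query resultsAllowingPartial:NO error:error];
    ODRecord *record = results.firstObject;  // nil: query failed or no match
    if (record == nil) return nil;
    return [[record valuesForAttribute:kODAttributeTypeMetaNodeLocation
                                 error:error] firstObject];
}

int main(void) {
    @autoreleasepool {
        NSError *error = nil;
        NSString *location = MetaNodeLocationForUser(NSUserName(), &error);
        if (location == nil) {
            NSLog(@"Lookup failed or no record found: %@", error);
            return 1;
        }
        if ([location isEqualToString:@"/Local/Default"]) {
            NSLog(@"Local account");
        } else {
            // "/LDAPv3/host" splits into "/", "LDAPv3", "host": the second
            // component names the directory type.
            NSArray<NSString *> *parts = location.pathComponents;
            NSString *kind = parts.count > 1 ? parts[1] : location;
            NSLog(@"Directory account, type %@, node %@", kind, location);
        }
    }
    return 0;
}
```

Build with `clang -fobjc-arc example.m -framework Foundation -framework OpenDirectory`. The query still runs synchronously here.
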
0

For me the code:

```objc
NSMutableString *userDataDirectory = [[NSMutableString alloc] initWithString:NSHomeDirectory()];
NSLog(@"%@", userDataDirectory);
```

prints: /Users/jwlaughton

Is this what you're looking for?

jwlaughton