Using dscl to set user passwords without interaction

Question

Level 1

19 points

Using dscl to set user passwords without interaction

Hello,

I'm trying to write a script to add users, and I'm stuck on setting the password. If I use:

dscl -u adminuser -P adminpass /LDAPv3/127.0.0.1 -passwd /Users/$username $newpass

It adds a crypt password to the ldap server. Users created in this way cannot login to the iChat server (the script is supposed to add new users for ichat). If I use WGM to manually change their password after creation, then they can. Is there some way to either set the password as an 'OpenDirectory' password from the start, or to change the crypt password to an OpenDirectory password, from the command line, without interaction or using Expect?

Thanks!

MBP 15", Mac OS X (10.5)

Posted on May 3, 2008 7:04 PM

Reply

Answer 1

jaydisc

Level 4

1,464 points

May 3, 2008 10:38 PM in response to Brentk

Perhaps pwpolicy can help you instead:

pwpolicy -a diradmin -u username -setpassword

Reply

Answer 2

Brentk Author

Level 1

19 points

May 9, 2008 12:14 PM in response to wstrucke

You could be right about the missing attributes. I will try a more complete set of them, including a userPassword entry, before running the dscl command with -passwd, and see if that does the trick.

Thanks again

Reply

Answer 3

Brentk Author

Level 1

19 points

May 4, 2008 9:58 AM in response to jaydisc

If I try to change the password with pwpolicy after creating the account with dscl, I get the error message:

[newuser] is not a password server account.

...where [newuser] is the username of the user in question.

Thanks for the idea though.

Reply

Answer 4

jaydisc

Level 4

1,464 points

May 4, 2008 4:45 PM in response to Brentk

Sorry, I misread your post. Thought you were just trying to change existing passwords.

Reply

Answer 5

May 5, 2008 7:27 AM in response to jaydisc

Thanks very much for this thread. I have been trying to solve a similar type problem and misread pwpolicy for only changing password policy. Jaydisc cued me to relook.
Anyway, I found that
dscl localhost -passwd /LDAPv3/127.0.0.1/Users/username oldpassword newpassword
allows a user to change his/her own password without interaction.
using
passwd -i OpenDirectory -l /LDAPv3/127.0.0.1 -u diradmin username
will result in prompting diradmin password and new user password.

Both methods result in a CHANGEPASS entry in Password Server Log of OD. The first is credited to the username and the second is credited to the diradmin. That is if your directory administrator is diradmin. If you use WGM to change the password the same entry is made, e.g. CHANGEPASS by diradmin.

This means the Open Directory is updated and additionally the Kerberos password is updated.

In my situation, pwpolicy and setpassword allows the imposition of a criteria for password such as min length, numeric, etc.

Hope this helps,
Harry

Reply

Answer 6

Brentk Author

Level 1

19 points

May 5, 2008 9:01 AM in response to harry-pmsi

It doesn't help. I need a way to set the password (in the PasswordServer) from the command line *without interaction*, as part of a script that creates user accounts.

Thanks though.

Reply

Answer 7

May 5, 2008 11:45 AM in response to Brentk

Have you tried something like this in your script:
$sudo $dscl . -create /Users/$new_user
$sudo $dscl . -append /Users/$new_user RealName "$fn $ln"
$sudo $dscl . -append /Users/$new_user uid $new_uid
$sudo $dscl . -append /Users/$new_user gid $new_gid
$sudo $dscl . -append /Users/$new_user shell "$sh"
$sudo $dscl . -append /Users/$new_user home "$hd"
$sudo $dscl . -create /Users/$new_user passwd "*"

As long as a value is included no interaction is required.
Each key needs a specific line entry for the values. This is similar to the CLI example.
HTH,
Harry

Reply

Answer 8

Brentk Author

Level 1

19 points

May 5, 2008 1:30 PM in response to harry-pmsi

Thanks Harry,

Yes, I've tried using -create instead of -passwd to set the password. There is no attribute 'passwd' though; you'll get the error:

<main> attribute status: eDSInvalidAttributeType
<dscl_cmd> DS Error: -14131 (eDSInvalidAttributeType)

It does work if you use dscl ... -create /Users/$new_user Password 'any pass' (the attribute name is "Password"). This, however is worse than using -passwd. The problem with using -passwd is that it stores the password in ldap with the crypt cipher. If you use dscl ... -create ... Password ... instead, the password will get stored in ldap in clear text!

In both cases, authentication to Apple's services such as iChat won't work, because the password needs to be stored in the PasswordServer, not in ldap. I'm pretty sure that dscl can't do this, since its a tool for manipulating the directory (ldap), but I'm hoping that there is some other non-interactive way to do it.

Cheers,
Brent

Reply

Answer 9

May 5, 2008 1:48 PM in response to Brentk

Brentk,
I think I understand your post. Between your experience and my using the line entry

dscl localhost -passwd /LDAPv3/127.0.0.1/Users/username oldpassword newpassword

which did update Open Directory, I take it a user can't be created with a password but a password can be subsequently changed.

BTW - I noticed the attribute PasswordPlus in the CLI attribute list on pg 108. Other than that I'm out of ideas today.
Let me know if you find a cure,
Harry

Reply

Answer 10

wstrucke

Level 1

0 points

May 7, 2008 12:34 PM in response to harry-pmsi

I've been using some php scripts i wrote to do this rather successfully. we use it to add single accounts, add batch accounts from our databases, reset passwords, etc...

if you are using a shell script I'm not sure how you would add the account offhand. if you can create the account and get it to the point where the user has a crypt password as you indicated above, use this line to convert it to an open directory password:

dscl -u adminusername -P adminpassword /LDAPv3/serverip -passwd /Users/clientusername newpassword 2>&1 &

Reply

Answer 11

Brentk Author

Level 1

19 points

May 7, 2008 12:59 PM in response to wstrucke

wstrucke wrote:
I've been using some php scripts i wrote to do this rather successfully. we use it to add single accounts, add batch accounts from our databases, reset passwords, etc...

if you are using a shell script I'm not sure how you would add the account offhand. if you can create the account and get it to the point where the user has a crypt password as you indicated above, use this line to convert it to an open directory password:

dscl -u adminusername -P adminpassword /LDAPv3/serverip -passwd /Users/clientusername newpassword 2>&1 &

I'm encouraged to hear that you managed to create working accounts with PHP. I'm actually doing the same thing, but I didn't want to give the webserver direct access to the directory/password servers, so instead the PHP scripts create a template, that are later read by a privileged script.

Anyways -- the dscl command that you posted is exactly the same as the one in my original post. It creates the {crypt} password in OD. So, I wonder what the difference is between what we're doing...

This part of your comment was interesting:

if you are using a shell script I'm not sure how you would add the account offhand.

How are you adding them with PHP? Are you using PHP's LDAP functions to add to the directory? How do you get a password into the PasswordServer?

With my script I'm doing:

dscl -u adminuser -P adminpass /LDAPv3/127.0.0.1 -create /Users/$username

Then I add attributes using the same syntax with "AttributeName $attribute_value" appended. The attributes I add are: UserShell, RealName, FirstName, LastName, UniqueID, PrimaryGroupID, IMHandle, and MailAttribute.

Then I run the -passwd command that you mentioned. This gives me a user with a {crypt} password in LDAP that is unable to authenticate to services.

What are you doing differently?

Many thanks!

Reply

Answer 12

wstrucke

Level 1

0 points

May 7, 2008 2:12 PM in response to Brentk

Brentk wrote:

I'm encouraged to hear that you managed to create working accounts with PHP. I'm actually doing the same thing, but I didn't want to give the webserver direct access to the directory/password servers, so instead the PHP scripts create a template, that are later read by a privileged script.

I'm also cautious about giving the script access to the server directly (with passwords, etc), but I compromised by running it on a box that is only accessible internally on my network and very tightly secured (with lots of logs). The convenience of automating all of our account creation and management is worth the risk in my opinion. It saves me a least a month of work each year.

Anyways -- the dscl command that you posted is exactly the same as the one in my original post. It creates the {crypt} password in OD. So, I wonder what the difference is between what we're doing...

I am creating the account with the php ldap functions by binding to the server and adding the account with all requiring settings (plus some I require for our accounts) all at once. This successfully creates a valid account with a crypt password. I then use a function to does a bunch of checks (including the escape shellcommand for input checking) then essentially just runs that command I posted previously:

dscl -u adminusername -P adminpassword /LDAPv3/serverip -passwd /Users/clientusername newpassword 2>&1 &

Then I add attributes using the same syntax with "AttributeName $attribute_value" appended. The attributes I add are: UserShell, RealName, FirstName, LastName, UniqueID, PrimaryGroupID, IMHandle, and MailAttribute.

What are you doing differently?

Many thanks!

I'm feeling generous, so I will post a PDF of the entirety of my add account script here:

http://ets.osu.edu/ldapuser.class.phpclip.pdf

You will notice that this function calls a lot of other functions in the user object, but it should get the point across.

- ws

Reply

Answer 13

Brentk Author

Level 1

19 points

May 7, 2008 3:18 PM in response to wstrucke

Thanks for the post!

The key function appears to be missing though:

# convert the password to open directory
$this->set_password($pw);

I don't see function set_password() anywhere...

BTW - are your users logging in at workstations? I think WindowManager automatically creates PasswordServer entries at first login for accounts with their passwords in LDAP. My users are only using network services...

Thanks again

Reply

Answer 14

wstrucke

Level 1

0 points

May 7, 2008 3:46 PM in response to Brentk

Brentk wrote:
Thanks for the post!

The key function appears to be missing though:

# convert the password to open directory
$this->set_password($pw);

I don't see function set_password() anywhere...

BTW - are your users logging in at workstations? I think WindowManager automatically creates PasswordServer entries at first login for accounts with their passwords in LDAP. My users are only using network services...

Thanks again

as I indicated, all set password does is essentially run the shell command we discussed previously.

Users are logging in at workstations, but they can also use any network services without doing so.

The key here is that once you create an account with the php ldap functions (giving it a crypt password), calling the dscl command to reset the password automatically converts it to Open Directory.

I suspect your problem might have to do with certain directory entries missing that are required to create a password server entry.

Reply

Answer 15

mrstrand

Level 1

0 points

May 8, 2008 6:38 PM in response to wstrucke

Would you be willing to post the full class? I'm wondering what some of your other functions like getnextid() and get_uuid() are working...

Reply