This discussion is archived

Using dscl to set user passwords without interaction

9708 Views 17 Replies Latest reply: Jul 1, 2008 2:32 PM by damacus
Brentk Level 1 (15 points)
May 3, 2008 7:04 PM
Hello,

I'm trying to write a script to add users, and I'm stuck on setting the password. If I use:

dscl -u adminuser -P adminpass /LDAPv3/127.0.0.1 -passwd /Users/$username $newpass

It adds a crypt password to the LDAP server. Users created in this way cannot log in to the iChat server (the script is supposed to add new users for iChat). If I use WGM to manually change their password after creation, then they can. Is there some way to either set the password as an 'OpenDirectory' password from the start, or to change the crypt password to an OpenDirectory password, from the command line, without interaction or using Expect?

Thanks!
MBP 15", Mac OS X (10.5)
  • jaydisc Level 4 (1,400 points)
    May 3, 2008 10:38 PM (in response to Brentk)
    Perhaps pwpolicy can help you instead:

    pwpolicy -a diradmin -u username -setpassword
    MacBook, Mac OS X (10.4.9)
  • jaydisc Level 4 (1,400 points)
    Sorry, I misread your post. Thought you were just trying to change existing passwords.
    MacBook, Mac OS X (10.4.9)
  • harry @ pmsi Level 3 (535 points)
    Thanks very much for this thread. I have been trying to solve a similar type problem and misread pwpolicy for only changing password policy. Jaydisc cued me to relook.
    Anyway, I found that
    dscl localhost -passwd /LDAPv3/127.0.0.1/Users/username oldpassword newpassword
    allows a user to change his/her own password without interaction.
    using
    passwd -i OpenDirectory -l /LDAPv3/127.0.0.1 -u diradmin username
    will result in prompting diradmin password and new user password.

    Both methods result in a CHANGEPASS entry in Password Server Log of OD. The first is credited to the username and the second is credited to the diradmin. That is if your directory administrator is diradmin. If you use WGM to change the password the same entry is made, e.g. CHANGEPASS by diradmin.

    This means the Open Directory is updated and additionally the Kerberos password is updated.

    In my situation, pwpolicy and setpassword allow the imposition of criteria for the password such as min length, numeric, etc.

    Hope this helps,
    Harry
    mini 1.83 core 2 duo 2GB RAM + 500GB ext drive, Mac OS X (10.5.1), iMac G5, PB G4 (3)
  • harry @ pmsi Level 3 (535 points)
    May 5, 2008 11:45 AM (in response to Brentk)
    Have you tried something like this in your script:
    $sudo $dscl . -create /Users/$new_user
    $sudo $dscl . -append /Users/$new_user RealName "$fn $ln"
    $sudo $dscl . -append /Users/$new_user uid $new_uid
    $sudo $dscl . -append /Users/$new_user gid $new_gid
    $sudo $dscl . -append /Users/$new_user shell "$sh"
    $sudo $dscl . -append /Users/$new_user home "$hd"
    $sudo $dscl . -create /Users/$new_user passwd "*"

    As long as a value is included no interaction is required.
    Each key needs a specific line entry for the values. This is similar to the CLI example.
    HTH,
    Harry
    mini 1.83 core 2 duo 2GB RAM + 500GB ext drive, Mac OS X (10.5.1), iMac G5, PB G4 (3)
  • harry @ pmsi Level 3 (535 points)
    Brentk,
    I think I understand your post. Between your experience and my using the line entry

    dscl localhost -passwd /LDAPv3/127.0.0.1/Users/username oldpassword newpassword

    which did update Open Directory, I take it a user can't be created with a password but a password can be subsequently changed.

    BTW - I noticed the attribute PasswordPlus in the CLI attribute list on pg 108. Other than that I'm out of ideas today.
    Let me know if you find a cure,
    Harry
    mini 1.83 core 2 duo 2GB RAM + 500GB ext drive, Mac OS X (10.5.1), iMac G5, PB G4 (3)
  • wstrucke
    I've been using some PHP scripts I wrote to do this rather successfully. We use them to add single accounts, add batch accounts from our databases, reset passwords, etc...

    If you are using a shell script I'm not sure how you would add the account offhand. If you can create the account and get it to the point where the user has a crypt password as you indicated above, use this line to convert it to an Open Directory password:

    dscl -u adminusername -P adminpassword /LDAPv3/serverip -passwd /Users/clientusername newpassword 2>&1 &
    Mac OS X (10.4.11)
  • wstrucke Level 1 (0 points)
    Brentk wrote:

    I'm encouraged to hear that you managed to create working accounts with PHP. I'm actually doing the same thing, but I didn't want to give the webserver direct access to the directory/password servers, so instead the PHP scripts create templates that are later read by a privileged script.


    I'm also cautious about giving the script access to the server directly (with passwords, etc.), but I compromised by running it on a box that is only accessible internally on my network and very tightly secured (with lots of logs). The convenience of automating all of our account creation and management is worth the risk in my opinion. It saves me at least a month of work each year.


    Anyways -- the dscl command that you posted is exactly the same as the one in my original post. It creates the {crypt} password in OD. So, I wonder what the difference is between what we're doing...


    I am creating the account with the PHP LDAP functions by binding to the server and adding the account with all required settings (plus some I require for our accounts) all at once. This successfully creates a valid account with a crypt password. I then use a function that does a bunch of checks (including escapeshellcmd for input checking) and then essentially just runs that command I posted previously:

    dscl -u adminusername -P adminpassword /LDAPv3/serverip -passwd /Users/clientusername newpassword 2>&1 &



    Then I add attributes using the same syntax with "AttributeName $attribute_value" appended. The attributes I add are: UserShell, RealName, FirstName, LastName, UniqueID, PrimaryGroupID, IMHandle, and MailAttribute.

    What are you doing differently?

    Many thanks!


    I'm feeling generous, so I will post a PDF of the entirety of my add account script here:

    http://ets.osu.edu/ldapuser.class.phpclip.pdf



    You will notice that this function calls a lot of other functions in the user object, but it should get the point across.

    - ws
    Mac OS X (10.4.11)
  • wstrucke Level 1 (0 points)
    Brentk wrote:
    Thanks for the post!

    The key function appears to be missing though:

    # convert the password to open directory
    $this->set_password($pw);


    I don't see function set_password() anywhere...

    BTW - are your users logging in at workstations? I think WindowManager automatically creates PasswordServer entries at first login for accounts with their passwords in LDAP. My users are only using network services...

    Thanks again


    As I indicated, all set_password does is essentially run the shell command we discussed previously.

    Users are logging in at workstations, but they can also use any network services without doing so.

    The key here is that once you create an account with the php ldap functions (giving it a crypt password), calling the dscl command to reset the password automatically converts it to Open Directory.

    I suspect your problem might have to do with certain directory entries missing that are required to create a password server entry.
    Mac OS X (10.5.2)
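    The following is an added example, not code from this thread or from any of its posters. It puts together the two steps the thread describes, Harry's per-attribute dscl creation script and wstrucke's `dscl -u ... -P ... -passwd` call that, according to wstrucke, converts the crypt password into an Open Directory one, into one non-interactive bash script. The node path /LDAPv3/127.0.0.1 is taken from the thread; the attribute name NFSHomeDirectory, the admin password file /etc/od-admin.pass, the local password policy and the overridable DSCL variable (so the logic can be exercised against a stub without a directory server) are assumptions of this example.

```bash
#!/bin/bash
# Added example, not code from the thread: create an Open Directory account
# non-interactively with dscl and then set its password with `dscl ... -passwd`,
# the step the thread says replaces the initial {crypt} hash with a Password
# Server (Open Directory) password. The admin-password file, the policy and the
# NFSHomeDirectory attribute are assumptions, not values from the thread.
set -eu

DSCL=${DSCL:-dscl}                  # overridable so the logic can be exercised with a stub
NODE=${NODE:-/LDAPv3/127.0.0.1}     # directory node, as written in the thread
ADMIN=${ADMIN:-diradmin}            # directory administrator short name
ADMIN_PASS=${ADMIN_PASS:-}          # filled from a 0600 file in main, never from this script's argv

# Accept only plain POSIX account names. Values reach dscl as separate argv
# entries (no shell re-parsing), but a name with spaces, slashes or a leading
# dash would still yield a bogus record path or be read as an option.
valid_username() {
    case "$1" in
        ''|-*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,30}$'
}

# Local password policy (assumed): at least 8 characters and one digit. The
# server can enforce equivalent rules with pwpolicy, as mentioned in the thread.
valid_password() {
    [ "${#1}" -ge 8 ] || return 1
    printf '%s' "$1" | grep -q '[0-9]'
}

# Random 16-character password from [A-Za-z0-9], regenerated until it passes
# the local policy.
gen_password() {
    local pw
    while :; do
        pw=$(head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 16)
        if valid_password "$pw"; then printf '%s' "$pw"; return 0; fi
    done
}

# Run one dscl command as the directory administrator. -P puts the admin
# password on the command line, where any local user can read it with ps, so
# run this only on a locked-down host, as wstrucke describes doing.
od() {
    "$DSCL" -u "$ADMIN" -P "$ADMIN_PASS" "$NODE" "$@"
}

# Create the record and its required attributes, one attribute per call, as in
# Harry's script. RealName, UniqueID, PrimaryGroupID and UserShell are the names
# wstrucke lists; NFSHomeDirectory is the standard home-directory attribute.
od_create_user() {
    [ $# -eq 6 ] || return 2
    local user=$1 uid=$2 gid=$3 realname=$4 shell=$5 home=$6
    valid_username "$user" || { echo "rejected username: $user" >&2; return 1; }
    od -create "/Users/$user"
    od -create "/Users/$user" RealName "$realname"
    od -create "/Users/$user" UniqueID "$uid"
    od -create "/Users/$user" PrimaryGroupID "$gid"
    od -create "/Users/$user" UserShell "$shell"
    od -create "/Users/$user" NFSHomeDirectory "$home"
}

# Set (or convert) the password: per wstrucke, this is the call that turns a
# crypt password into an Open Directory one.
od_set_password() {
    valid_username "$1" || return 1
    valid_password "$2" || { echo "password fails local policy" >&2; return 1; }
    od -passwd "/Users/$1" "$2"
}

main() {
    [ $# -eq 6 ] || { echo "usage: $0 user uid gid 'Real Name' shell home" >&2; return 2; }
    # Assumed location: a root-only (0600) file holding the diradmin password.
    [ -n "$ADMIN_PASS" ] || ADMIN_PASS=$(cat "${ADMIN_PASS_FILE:-/etc/od-admin.pass}")
    local pw
    pw=$(gen_password)
    od_create_user "$@"
    od_set_password "$1" "$pw"
    echo "created $1; initial password: $pw"
}

# With no arguments (or when sourced) only the functions are defined.
if [ $# -gt 0 ]; then main "$@"; fi
```

    Run it as root on the server, e.g. `./od_adduser.sh jsmith 1001 20 'J Smith' /bin/bash /Users/jsmith` with the diradmin password in /etc/od-admin.pass. Setting `DSCL=some_stub_function` before sourcing the file lets the argument handling be checked without touching a directory. The script does not itself confirm that the account ended up with an Open Directory password; the check Harry describes, a CHANGEPASS entry credited to diradmin in the Password Server log, still applies after running it.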
  • mrstrand
    Would you be willing to post the full class? I'm wondering how some of your other functions like getnextid() and get_uuid() are working...
    Macbook, Mac OS X (10.4.11)