17 Replies. Latest reply: Jul 1, 2008 2:32 PM by damacus
Brentk Level 1 (15 points)
Hello,

I'm trying to write a script to add users, and I'm stuck on setting the password. If I use:

dscl -u adminuser -P adminpass /LDAPv3/127.0.0.1 -passwd /Users/$username $newpass

It adds a crypt password to the ldap server. Users created in this way cannot login to the iChat server (the script is supposed to add new users for ichat). If I use WGM to manually change their password after creation, then they can. Is there some way to either set the password as an 'OpenDirectory' password from the start, or to change the crypt password to an OpenDirectory password, from the command line, without interaction or using Expect?

Thanks!

MBP 15", Mac OS X (10.5)
  • jaydisc Level 4 (1,400 points)
    Perhaps pwpolicy can help you instead:

    pwpolicy -a diradmin -u username -setpassword
  • Brentk Level 1 (15 points)
    If I try to change the password with pwpolicy after creating the account with dscl, I get the error message:

    [newuser] is not a password server account.

    ...where [newuser] is the username of the user in question.

    Thanks for the idea though.
  • jaydisc Level 4 (1,400 points)
    Sorry, I misread your post. Thought you were just trying to change existing passwords.
  • harry @ pmsi Level 3 (535 points)
    Thanks very much for this thread. I have been trying to solve a similar type of problem and misread pwpolicy as only changing password policy. Jaydisc cued me to relook.
    Anyway, I found that
    dscl localhost -passwd /LDAPv3/127.0.0.1/Users/username oldpassword newpassword
    allows a user to change his/her own password without interaction.
    Using
    passwd -i OpenDirectory -l /LDAPv3/127.0.0.1 -u diradmin username
    will result in prompting for the diradmin password and the new user password.

    Both methods result in a CHANGEPASS entry in Password Server Log of OD. The first is credited to the username and the second is credited to the diradmin. That is if your directory administrator is diradmin. If you use WGM to change the password the same entry is made, e.g. CHANGEPASS by diradmin.

    This means the Open Directory is updated and additionally the Kerberos password is updated.

    In my situation, pwpolicy and setpassword allow the imposition of criteria for passwords such as min length, numeric, etc.

    Hope this helps,
    Harry
  • Brentk Level 1 (15 points)
    It doesn't help. I need a way to set the password (in the PasswordServer) from the command line *without interaction*, as part of a script that creates user accounts.

    Thanks though.
  • harry @ pmsi Level 3 (535 points)
    Have you tried something like this in your script:
    $sudo $dscl . -create /Users/$new_user
    $sudo $dscl . -append /Users/$new_user RealName "$fn $ln"
    $sudo $dscl . -append /Users/$new_user uid $new_uid
    $sudo $dscl . -append /Users/$new_user gid $new_gid
    $sudo $dscl . -append /Users/$new_user shell "$sh"
    $sudo $dscl . -append /Users/$new_user home "$hd"
    $sudo $dscl . -create /Users/$new_user passwd "*"

    As long as a value is included no interaction is required.
    Each key needs a specific line entry for the values. This is similar to the CLI example.
    HTH,
    Harry
  • Brentk Level 1 (15 points)
    Thanks Harry,

    Yes, I've tried using -create instead of -passwd to set the password. There is no attribute 'passwd' though; you'll get the error:

    <main> attribute status: eDSInvalidAttributeType
    <dscl_cmd> DS Error: -14131 (eDSInvalidAttributeType)

    It does work if you use dscl ... -create /Users/$new_user Password 'any pass' (the attribute name is "Password"). This, however, is worse than using -passwd. The problem with using -passwd is that it stores the password in ldap with the crypt cipher. If you use dscl ... -create ... Password ... instead, the password will get stored in ldap in clear text!

    In both cases, authentication to Apple's services such as iChat won't work, because the password needs to be stored in the PasswordServer, not in ldap. I'm pretty sure that dscl can't do this, since it's a tool for manipulating the directory (ldap), but I'm hoping that there is some other non-interactive way to do it.

    Cheers,
    Brent
  • harry @ pmsi Level 3 (535 points)
    Brentk,
    I think I understand your post. Between your experience and my using the line entry

    dscl localhost -passwd /LDAPv3/127.0.0.1/Users/username oldpassword newpassword

    which did update Open Directory, I take it a user can't be created with a password but a password can be subsequently changed.

    BTW - I noticed the attribute PasswordPlus in the CLI attribute list on pg 108. Other than that I'm out of ideas today.
    Let me know if you find a cure,
    Harry
  • wstrucke Level 1 (0 points)
    I've been using some PHP scripts I wrote to do this rather successfully. We use it to add single accounts, add batch accounts from our databases, reset passwords, etc...

    If you are using a shell script I'm not sure how you would add the account offhand. If you can create the account and get it to the point where the user has a crypt password as you indicated above, use this line to convert it to an open directory password:

    dscl -u adminusername -P adminpassword /LDAPv3/serverip -passwd /Users/clientusername newpassword 2>&1 &
  • Brentk Level 1 (15 points)
    wstrucke wrote:
    I've been using some PHP scripts I wrote to do this rather successfully. We use it to add single accounts, add batch accounts from our databases, reset passwords, etc...

    If you are using a shell script I'm not sure how you would add the account offhand. If you can create the account and get it to the point where the user has a crypt password as you indicated above, use this line to convert it to an open directory password:

    dscl -u adminusername -P adminpassword /LDAPv3/serverip -passwd /Users/clientusername newpassword 2>&1 &


    I'm encouraged to hear that you managed to create working accounts with PHP. I'm actually doing the same thing, but I didn't want to give the webserver direct access to the directory/password servers, so instead the PHP scripts create a template, that are later read by a privileged script.

    Anyways -- the dscl command that you posted is exactly the same as the one in my original post. It creates the {crypt} password in OD. So, I wonder what the difference is between what we're doing...

    This part of your comment was interesting:

    If you are using a shell script I'm not sure how you would add the account offhand.


    How are you adding them with PHP? Are you using PHP's LDAP functions to add to the directory? How do you get a password into the PasswordServer?

    With my script I'm doing:

    dscl -u adminuser -P adminpass /LDAPv3/127.0.0.1 -create /Users/$username

    Then I add attributes using the same syntax with "AttributeName $attribute_value" appended. The attributes I add are: UserShell, RealName, FirstName, LastName, UniqueID, PrimaryGroupID, IMHandle, and MailAttribute.

    Then I run the -passwd command that you mentioned. This gives me a user with a {crypt} password in LDAP that is unable to authenticate to services.

    What are you doing differently?

    Many thanks!
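    The create-then-passwd sequence Brentk describes above, wrapped in a POSIX shell function with input validation, as an added example that is not code from anyone in this thread. It keeps the dscl invocations, node path and attribute names from the posts (UserShell, RealName, FirstName, LastName, UniqueID, PrimaryGroupID, then -passwd) and assumes the template handed over by the unprivileged web script arrives as separate fields. The username, UID and name checks, the /bin/bash shell, the primary group 20 and the DSCL and OD_NODE variables are assumptions made for the example. It does not claim to fix the {crypt} result the thread is about; its point is that a privileged script consuming web-supplied templates should validate every field and pass each one as a single argument rather than interpolate it into a shell string.

```shell
#!/bin/sh
# Added example: wraps the dscl sequence described in the thread in a function
# that validates every template field before it reaches the privileged step.
# DSCL and OD_NODE are overridable so the script can be dry-run (DSCL=echo)
# or exercised with a stub; both variables are this example's own assumptions.
DSCL="${DSCL:-dscl}"
OD_NODE="${OD_NODE:-/LDAPv3/127.0.0.1}"

# Short names: 1-31 chars, lowercase letters/digits/underscore, letter first.
# (Length and character set are conservative assumptions, not OD's rules.)
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_]*|[!a-z]*) return 1 ;;
    esac
    [ "${#1}" -le 31 ]
}

# UIDs: decimal digits only, above 500 so no system or local admin UID is hit.
valid_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 500 ] && [ "$1" -le 2147483647 ]
}

# Names: non-empty, no leading dash (could be mistaken for a dscl option) and
# no control characters that could end up inside the directory record.
valid_name() {
    case "$1" in
        ''|-*|*[[:cntrl:]]*) return 1 ;;
    esac
    return 0
}

# Create the record, add the attributes named in the thread, then set the
# password with -passwd exactly as the original post does. Every value is one
# argv element; nothing is re-parsed by a shell.
# Note: -P puts the admin password in dscl's argument list, which other local
# users can read from the process list while each call runs.
create_od_user() {
    user="$1" uid="$2" first="$3" last="$4" newpass="$5"
    valid_username "$user" || { echo "rejected username" >&2; return 2; }
    valid_uid "$uid"       || { echo "rejected uid" >&2; return 2; }
    valid_name "$first"    || { echo "rejected first name" >&2; return 2; }
    valid_name "$last"     || { echo "rejected last name" >&2; return 2; }
    [ -n "$newpass" ]      || { echo "empty password" >&2; return 2; }

    # Common options for every dscl call; ADMIN_USER/ADMIN_PASS must be set.
    set -- -u "${ADMIN_USER:?}" -P "${ADMIN_PASS:?}" "$OD_NODE"
    rec="/Users/$user"
    "$DSCL" "$@" -create "$rec"                         || return 1
    "$DSCL" "$@" -create "$rec" UserShell /bin/bash     || return 1
    "$DSCL" "$@" -create "$rec" RealName "$first $last" || return 1
    "$DSCL" "$@" -create "$rec" FirstName "$first"      || return 1
    "$DSCL" "$@" -create "$rec" LastName "$last"        || return 1
    "$DSCL" "$@" -create "$rec" UniqueID "$uid"         || return 1
    "$DSCL" "$@" -create "$rec" PrimaryGroupID 20       || return 1
    "$DSCL" "$@" -passwd "$rec" "$newpass"              || return 1
}

# Usage: ADMIN_USER=diradmin ADMIN_PASS=... ./add_od_user.sh jdoe 1101 Jane Doe 'newpass'
if [ "$#" -ge 5 ]; then
    create_od_user "$@"
fi
```

    Running it with DSCL=echo prints the eight dscl invocations instead of executing them (including the admin password, so do that only in a private terminal). A rejected field stops the function before the first dscl call, so a template with a bad username never creates a half-populated record.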
  • wstrucke Level 1 (0 points)
    Brentk wrote:

    I'm encouraged to hear that you managed to create working accounts with PHP. I'm actually doing the same thing, but I didn't want to give the webserver direct access to the directory/password servers, so instead the PHP scripts create a template, that are later read by a privileged script.


    I'm also cautious about giving the script access to the server directly (with passwords, etc), but I compromised by running it on a box that is only accessible internally on my network and very tightly secured (with lots of logs). The convenience of automating all of our account creation and management is worth the risk in my opinion. It saves me at least a month of work each year.


    Anyways -- the dscl command that you posted is exactly the same as the one in my original post. It creates the {crypt} password in OD. So, I wonder what the difference is between what we're doing...


    I am creating the account with the PHP LDAP functions by binding to the server and adding the account with all required settings (plus some I require for our accounts) all at once. This successfully creates a valid account with a crypt password. I then use a function that does a bunch of checks (including the escapeshellcommand for input checking) and then essentially just runs that command I posted previously:

    dscl -u adminusername -P adminpassword /LDAPv3/serverip -passwd /Users/clientusername newpassword 2>&1 &



    Then I add attributes using the same syntax with "AttributeName $attribute_value" appended. The attributes I add are: UserShell, RealName, FirstName, LastName, UniqueID, PrimaryGroupID, IMHandle, and MailAttribute.

    What are you doing differently?

    Many thanks!


    I'm feeling generous, so I will post a PDF of the entirety of my add account script here:

    http://ets.osu.edu/ldapuser.class.phpclip.pdf



    You will notice that this function calls a lot of other functions in the user object, but it should get the point across.

    - ws
  • Brentk Level 1 (15 points)
    Thanks for the post!

    The key function appears to be missing though:

    # convert the password to open directory
    $this->set_password($pw);


    I don't see function set_password() anywhere...

    BTW - are your users logging in at workstations? I think WindowManager automatically creates PasswordServer entries at first login for accounts with their passwords in LDAP. My users are only using network services...

    Thanks again
  • wstrucke Level 1 (0 points)
    Brentk wrote:
    Thanks for the post!

    The key function appears to be missing though:

    # convert the password to open directory
    $this->set_password($pw);


    I don't see function set_password() anywhere...

    BTW - are your users logging in at workstations? I think WindowManager automatically creates PasswordServer entries at first login for accounts with their passwords in LDAP. My users are only using network services...

    Thanks again


    As I indicated, all set_password does is essentially run the shell command we discussed previously.

    Users are logging in at workstations, but they can also use any network services without doing so.

    The key here is that once you create an account with the PHP LDAP functions (giving it a crypt password), calling the dscl command to reset the password automatically converts it to Open Directory.

    I suspect your problem might have to do with certain directory entries missing that are required to create a password server entry.
  • mrstrand Level 1 (0 points)
    Would you be willing to post the full class? I'm wondering how some of your other functions like getnextid() and get_uuid() are working...