
10.9 Changes to PasswordServer External Command

Has anyone noticed any 10.9 changes in regards to passwordserver's external commands?


On 10.8 servers, I have modified the LDAP cn=config,cn=passwordserver apple-xmlplist entry to have it launch /usr/bin/authserver/tools/myscript on each password change. This in turn computes a hash that I can use to sync passwords with Google.


On the 10.9 boxes, however, I've noticed that the apple-xmlplist entry was missing. I've tried re-creating it with the same content as on the 10.8 machines, and then restarting both passwordserver and opendirectory but I'm not seeing the script getting launched.


Anyone have a hint?


- Jon

OS X Mavericks (10.9)

Posted on Feb 10, 2014 11:55 AM


Apr 14, 2014 11:58 AM in response to jonathanserafini

I also have this problem, and I'd like to update our opendirectory server to Mavericks. Any suggestions? Someone must have run into this? I've tried using Google's own "Google apps directory sync" but it requires LDAP to have a password attribute for it to work. Not optimal. Also with the externalcommand hook the password hash could be immediately pushed to Google. Apple has killed our ability to integrate with many enterprise systems by removing this functionality...

Jan 5, 2015 1:30 AM in response to jonathanserafini

It seems that Apple changed from MIT Kerberos to Heimdal Kerberos.

That's why some features, like the external-commands, are not available anymore.

However, the Heimdal Kerberos has a function called "external-check". This function allows you to specify an external program which checks whether the password meets the password requirements (see: http://www.h5l.org/manual/HEAD/info/heimdal/Password-changing.html#Password-changing).

It seems that this feature is also implemented in the OSX Server (see: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/krb5.conf.5.html).


I think it should be possible to define this option and use an external script to get the password in cleartext.
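
Added example, not from any poster in this thread: a minimal program for the Heimdal "external-check" hook mentioned above, following the stdin/stdout convention in the linked Heimdal manual (`key: value` lines ending with `end`, reply `APPROVED`). The function names and the length threshold are assumptions, and whether OS X Server's build honours the setting is not confirmed by this thread.

```python
# Added example: Heimdal "external-check" style password quality program.
# It never writes the cleartext password to disk, logs or error messages.
import sys

MIN_LENGTH = 12  # constructed policy value, not from the thread


def parse_request(text):
    """Parse the 'key: value' lines sent on stdin, stopping at 'end'."""
    fields = {}
    for line in text.splitlines():
        if line.strip() == "end":
            return fields
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError("malformed line")
        fields[key] = value
    raise ValueError("request not terminated by 'end'")


def check_quality(principal, password):
    """Return None if acceptable, else a one-line reason (never the password)."""
    # Strip realm and instance: "jon/admin@EXAMPLE.COM" -> "jon"
    user = principal.split("@", 1)[0].split("/", 1)[0].lower()
    if len(password) < MIN_LENGTH:
        return "password shorter than %d characters" % MIN_LENGTH
    if user and user in password.lower():
        return "password contains the account name"
    return None


def handle(text):
    """Return (stdout, stderr, exit_code) for one request."""
    try:
        fields = parse_request(text)
        principal = fields["principal"]
        password = fields["new-password"]
    except (ValueError, KeyError) as exc:
        # Fatal error: message on stderr, non-zero exit, so the change is refused
        return "", "external-check: bad request (%s)\n" % exc, 1
    reason = check_quality(principal, password)
    if reason is None:
        return "APPROVED\n", "", 0
    return "", reason + "\n", 0  # rejection: reason on stderr, exit code 0


if __name__ == "__main__":
    out, err, code = handle(sys.stdin.read())
    sys.stdout.write(out)
    sys.stderr.write(err)
    sys.exit(code)
```

Because the program receives the new password in cleartext, it should be owned by root, not writable by anyone else, and free of debug logging.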

May 23, 2015 11:56 PM in response to DJEMiVT

I have the same problem running Server 4.0x.


@Cedras: have you found a solution? I tried to change krb5.conf (/etc/krb5.conf and/or /var/db/krb5kdc/kdc.conf) but it does not work.


Next I have entered some weak passwords using "weakpass_edit" but the PasswordServer seems to ignore this. So I think /usr/sbin/authserver/tools/weakpass is not used to check for weak passwords. How can this feature be (re)activated?
