
Directory server external commands

How does one get password server to launch external commands in 10.9 ?


In 10.6, you used to be able to configure the passwordserver.plist file to run external commands each time a password was changed. In 10.7 and 10.8, this was also possible; however, the configuration had migrated to an LDAP node under cn=config.


As of 10.9, however, I can't seem to figure out how to get this working. The configuration key wasn't present in the LDAP directory and re-creating it based off of information from a 10.8 directory server hasn't helped.


If anyone has a clue, I'd be most appreciative. Or perhaps some hidden Apple documentation would be awesome as well.


Our use case for this is pretty simple ... We've a Linux box running Google Directory Sync (GADS) which polls OpenDirectory and uses the information contained to create Google accounts or synchronize Google passwords to those we have in OD. To do this, however, the externalcommand is required so that we can add a hashed password in an OpenDirectory LDAP key. Otherwise, the sync tool would have no access to a password hash for the user.


Regards,

- Jonathan.

OS X Mavericks (10.9)

Posted on Feb 25, 2014 10:48 AM

7 replies

Mar 3, 2014 1:24 PM in response to jonathanserafini

Jonathan,


I have been trying to solve this puzzle for a few days now with no luck.


I contacted Apple Enterprise support and made it to a senior advisor who said he would ask some of the engineers. At first they wanted me to create a support contract, but I countered that I just purchased Server 3.0 and this is an undocumented change.


We aren't asking for help on configuring OD to work with 3rd party products - I just need to know if the ExternalCommand functionality has been removed completely or has been migrated (again) to a different area.


I'll let you know if I come up with something in the meantime...


Ron

Apr 14, 2014 12:02 PM in response to jonathanserafini

This is a big deal and we need a work around. We have no way to sync Open Directory to Google at this point. I can't get the password SHA1 hash from LDAP so I can't use Google's own "Google Apps Directory Sync" and the externalcommand was the only way to send hashes to Google. Without this functionality I'm left with very few options. Has anyone been successful in figuring out a way to hook in an external password script?


Thanks

Apr 14, 2014 12:37 PM in response to DJEMiVT

I agree. I'm extremely disappointed by the response I got from Apple Engineering. They acted as if no one in the world is using this ExternalCommand and they would have to really look into what happened to it in Server 3.0. I showed them various blog posts and reputable academic organizations that are using it to sync with Google Apps via GADS and they kept insisting it was a custom third party configuration which required a support contract.


I made it absolutely clear that I did not want their help in setting up or configuring or troubleshooting whatever I did with ExternalCommand, I just wanted to know where it went in 3.0.


I probably wasted 20 hours of work trying to return pre-3.0 functionality but no combination of settings or deep dives into the OD configs would work. I'm open to any suggestions at this point.

Dec 10, 2014 4:40 AM in response to sonicsoul

Anyone get any progress on this?


I had an idea to throw around that may be useless.

If someone knows that this won't work, let me know.


Can we head off /usr/sbin/PasswordService via its Launchctl plist and replace it with our script?


Inside our script, we could have something like

/usr/sbin/PasswordService -n | read password

...

....

or

/usr/sbin/PasswordService -n < /dev/stdin

read password

.....

....

I'll check the correct command piping(/redirecting?) the output to stdin and test and will reply here.
