Changing passwords via LDAP modify

  • #360249
    gw1500se
    Participant

    I need to write a script to change users’ passwords. I have everything set up and working (connect and bind) but now need some help formulating the modify string.

    We are using advanced authentication so I take it, it is not a simple matter of just modifying ‘userPassword’ (indeed, already tried that). I am guessing I need to modify ‘AuthAuthority’ which seems to have 2 entries (‘Kerberosv5’ and ‘ApplePasswordServer’).

    Could one of you LDAP experts help me put together the correct string to set user passwords? TIA.

    #360251
    gw1500se
    Participant

    Thanks for the reply.

    Yes, on the OD server.

    #360267
    gw1500se
    Participant

    Thanks for the reply. The ‘dscl’ command was the key. I wish I knew how to find commands when I don’t know what to look for.

    #360279
    Detrius
    Participant

    [quote]Thanks for the reply. The ‘dscl’ command was the key. I wish I knew how to find commands when I don’t know what to look for.[/quote]

    Apple’s Server Admin Guides are very helpful. Surprisingly, the ACSA Skill Assessment Guides also have a lot of information as to which commands you should be aware of.

    #360326
    Anonymous
    Guest

    Can you post an example of how to change the password for a dummy user with UID = test?

    Much appreciated. I have been trying to figure out how to do this with PHP and ldap_modify, but you can’t access the password server as far as I can tell. But, running the shell script against the remote server should work too.

    Thanks,

    #365999
    gadams
    Participant

    Here is an example

    dscl -u directoryAdminsUsername -P dirAdminsPassword /LDAPv3/127.0.0.1 -passwd /Users/test thePasswordToBeSet

    I create a user through LDAP without an authAuthority or password attribute then run the command above which fills in authAuthority and password attributes.

    On 10.4 servers this creates an OpenDirectory password and on 10.3 creates a crypt password.

    10.3 looks like
    AuthenticationAuthority: ;basic;
    Password: f/M20JHIh.gIM

    10.4 looks like
    AuthenticationAuthority: ;ApplePasswordServer;0x444525ea6ca0……
    Password: ********

    Both 10.3 and 10.4 servers create OpenDirectory passwords when creating new users in WorkGroup Manager.
    I would like to know what I would have to do to make OpenDirectory/ApplePasswordServer passwords in 10.3 or have some control over the type of password created.

    #366724
    ak
    Participant

    I have a question closely related to this older thread: is it possible to change a user’s password from a remote machine that is not running OS X, using just an LDAP modify request?

    Our organization has a web interface that is used to change or reset passwords. The passwords are reset on an OpenDirectory server and an ActiveDirectory server — the two need to stay in sync.

    Currently, I’m having a script SSH into the OpenDirectory server and execute an expect script that calls ‘passwd’ for the specified user. This is slow and kludgey. I don’t want to depend on SSH for this.

    I’d really like to be able to use -only- an LDAP modify command triggered from a remote machine (running Linux).

    So: is it possible to issue an LDAP-modify command that succeeds in changing a user’s password on OpenDirectory?

    #366729
    arekdreyer
    Member

    [quote]So: is it possible to issue an LDAP-modify command that succeeds in changing a user’s password on OpenDirectory?[/quote]

    Try asking again. Normally, a user’s password is not stored in Open Directory (if it is stored, it would be stored in a crypted hash, readable by any user who wants to grab it for an offline attack).

    A user’s password [actually various hashes of the password] is stored in the password server database, and in the kerberos principal database.

    So, no, it’s not possible to use LDAP commands to modify pws and kdc info.

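An added example, not posted in the thread and not Apple's code, for the server-side half of the setup ak describes (the command the SSH step runs on the OD server), using the dscl route gadams posted. It exists because the one-line form `dscl -u admin -P pass … -passwd /Users/test newpass` puts both the directory admin's password and the new user password into argv, where `ps` shows them to every local user. Here both secrets are instead fed to dscl on stdin through its interactive `auth` and `passwd` commands, and the short name and password are checked so that whitespace or a newline cannot be parsed by dscl as extra tokens or a second command. Assumptions not stated in the thread: the node path `/LDAPv3/127.0.0.1`, the admin short name `diradmin`, the secret file `/etc/od-setpw.secret` (mode 0600, holding the admin password), that dscl reads commands from a pipe, that it splits them on whitespace, and an 8-character minimum password length.

```sh
#!/bin/sh
# od-setpw.sh: added example, not from the thread or from Apple.
# Sets an Open Directory user's password with dscl on the OD server, which is
# what updates the password server and KDC records. Secrets go to dscl on
# stdin (interactive "auth" and "passwd" commands), never in argv.
# Assumed: node, admin name, secret-file path, and that dscl reads a piped
# command stream and tokenizes it on whitespace.
set -eu

OD_NODE="${OD_NODE:-/LDAPv3/127.0.0.1}"                        # assumed: local OD node
OD_ADMIN="${OD_ADMIN:-diradmin}"                                # assumed: dir admin short name
OD_ADMIN_PW_FILE="${OD_ADMIN_PW_FILE:-/etc/od-setpw.secret}"   # assumed: mode-0600 file
DSCL="${DSCL:-dscl}"                                           # overridable for testing

# A short name must be plain: whitespace or a newline would become extra dscl
# tokens or a new command, and a leading "-" could be taken as an option.
valid_shortname() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Reject passwords that would break the one-line dscl command (any whitespace,
# newline included) and enforce a minimum length (assumed policy: 8 chars).
valid_password() {
    [ "${#1}" -ge 8 ] || return 1
    case "$1" in
        *[[:space:]]*) return 1 ;;
    esac
    return 0
}

# The command stream dscl will read: authenticate as the admin, then set the
# user's password. Arguments: admin password, short name, new password.
dscl_script() {
    printf 'auth %s %s\npasswd /Users/%s %s\n' "$OD_ADMIN" "$1" "$2" "$3"
}

# set_od_password SHORTNAME   (new password on stdin, one line)
# Returns 2 on rejected input, otherwise dscl's own exit status.
set_od_password() {
    user="$1"
    valid_shortname "$user" || { echo "set_od_password: bad short name" >&2; return 2; }
    IFS= read -r newpw || { echo "set_od_password: no password on stdin" >&2; return 2; }
    valid_password "$newpw" || { echo "set_od_password: password rejected" >&2; return 2; }
    adminpw=$(cat "$OD_ADMIN_PW_FILE")
    # Neither secret is an argument of dscl; only the node path is.
    dscl_script "$adminpw" "$user" "$newpw" | "$DSCL" "$OD_NODE"
}

# Stand-alone use on the server:   printf '%s\n' "$NEWPW" | ./od-setpw.sh test
if [ "$#" -eq 1 ]; then
    set_od_password "$1"
fi
```

The remote web host then only needs to run this script over its existing SSH channel with the password on stdin, which removes the expect wrapper around `passwd`; the admin password never leaves the server. The whitespace restriction is the cost of dscl's line-oriented interactive syntax, so loosen it only after confirming how the installed dscl quotes arguments.
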
    #366756
    ak
    Participant

    Thanks for the response! Alas, it’s not the answer I was hoping for.

    Are you aware of any other mechanism — other than an SSH tunnel — which can be used to issue a remote command (after appropriate authentication) which can reset a password? I’m thinking in terms of (shudder) ActiveDirectory, which allows a password change via LDAPS.

    Again, thanks for the reply.
