|Jul 3, 2008, 12:54 PM||#1|
Pulling account status en masse (CLI or LDAP) -- apple-user-passwordpolicy?
I've written a rather nice and comprehensive PHP-based frontend for OSX server, however one issue I have is that I can only check whether a user is enabled or disabled one at a time, and only by calling into the server as root and issuing the below command (in this example to check mdavid) and then parsing the line to check if isDisabled=1 (locked) or =0 (unlocked).
pwpolicy -a diradmin -p <diradmin pw> -u mdavid -getpolicy
However, this means in my web user list, I will always list everyone (we have over 2,000 disabled users on our mail server) and on top of that won't be able to show status at least without doing many, many commands.
In best case, I'd be able to get this information from LDAP. I saw in the Apple Open Directory Admin 10.5 2nd Edition manual that there's some attribute called apple-user-passwordpolicy ... but I can't find it anywhere in LDAP! Do I have to do something special to enable this?
Failing that, under linux, the command "passwd -a -S" prints a list of all users and a code P/L (L is locked) as well as pwd expiration data. This style of using one command to get the status for everyone would also be sufficient.
Anyone have any ideas? Any help would be greatly appreciated.
|Jul 3, 2008, 12:57 PM||#2|
Off the top of my head, I would expect "dscl" (directory service command line utility) to be able to get this info.. though I don't know the particulars. Check the man page on it.
|Jul 3, 2008, 01:09 PM||#3|
pwpolicy -a diradmin -u mdavid -setpolicy "isDisabled=0"
dscl /LDAPv3/127.0.0.1 -read /Users/mdavid > mdavid1
pwpolicy -a diradmin -u mdavid -setpolicy "isDisabled=1"
dscl /LDAPv3/127.0.0.1 -read /Users/mdavid > mdavid2
diff mdavid1 mdavid2
This shows no difference (at least in /Users/) between accounts that are locked and unlocked. As for the rest of the directory, I didn't see any information in the other paths that would seem to relate to user status.
|Thread Tools||Search this Thread|
|thread||Thread Starter||Forum||Replies||Last Post|
|Apple Address Book LDAP port question||Jalopy||Mac OS X Server, Xserve, and Networking||0||Nov 19, 2013 04:57 PM|
|Sys Pref crashes with ldap network account||matt0001||OS X||2||Apr 5, 2013 07:39 AM|
|Network Account Status lights at login window||cam6280||OS X 10.8 Mountain Lion||1||Apr 2, 2013 02:00 AM|
|Get CPU/GPU temperature on Apple TV 2 from CLI||kraades||Apple TV and Home Theater||2||Jul 9, 2012 09:13 AM|
|iMac User Account isn't working - other user account are||Bottness||iMac||1||Jun 2, 2012 07:48 PM|
All times are GMT -5. The time now is 09:43 PM.