Jul 3, 2008, 12:54 PM   #1
damacus
Pulling account status en masse (CLI or LDAP) -- apple-user-passwordpolicy?

Hello,

I've written a rather nice and comprehensive PHP-based frontend for OS X Server; however, one issue I have is that I can only check whether a user is enabled or disabled one at a time, and only by calling into the server as root and issuing the below command (in this example to check mdavid) and then parsing the line to check if isDisabled=1 (locked) or =0 (unlocked).

pwpolicy -a diradmin -p <diradmin pw> -u mdavid -getpolicy

However, this means in my web user list, I will always list everyone (we have over 2,000 disabled users on our mail server) and on top of that won't be able to show status at least without doing many, many commands.

In the best case, I'd be able to get this information from LDAP. I saw in the Apple Open Directory Admin 10.5 2nd Edition manual that there's some attribute called apple-user-passwordpolicy ... but I can't find it anywhere in LDAP! Do I have to do something special to enable this?

Failing that, under Linux, the command "passwd -a -S" prints a list of all users and a code P/L (L is locked) as well as pwd expiration data. This style of using one command to get the status for everyone would also be sufficient.

Anyone have any ideas? Any help would be greatly appreciated.

Thanks,
Michael

Jul 3, 2008, 12:57 PM   #2
yellow
Off the top of my head, I would expect "dscl" (directory service command line utility) to be able to get this info... though I don't know the particulars. Check the man page on it.

Jul 3, 2008, 01:09 PM   #3
damacus
Quote:
Originally Posted by yellow
Off the top of my head, I would expect "dscl" (directory service command line utility) to be able to get this info... though I don't know the particulars. Check the man page on it.

Thanks for your response. Unfortunately, I've spent a bit of time in dscl already and I see no difference between the data before or after locking.

pwpolicy -a diradmin -u mdavid -setpolicy "isDisabled=0"
dscl /LDAPv3/127.0.0.1 -read /Users/mdavid > mdavid1
pwpolicy -a diradmin -u mdavid -setpolicy "isDisabled=1"
dscl /LDAPv3/127.0.0.1 -read /Users/mdavid > mdavid2
diff mdavid1 mdavid2

This shows no difference (at least in /Users/) between accounts that are locked and unlocked. As for the rest of the directory, I didn't see any information in the other paths that would seem to relate to user status.

Any thoughts?
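The per-user isDisabled check described in the posts above, applied to a batch of saved policy lines; this is an added example, not code from the thread. It assumes each `pwpolicy -getpolicy` line is a set of space-separated key=value pairs that includes isDisabled, as the first post describes; the function names, the tab-separated record layout and every sample record are constructed. Names are validated first because the frontend hands them to a command run as root.

```shell
#!/bin/sh
# Added example: classify accounts from saved `pwpolicy -getpolicy` lines.
# Assumption: a policy line is space-separated key=value pairs.
set -f  # policy lines are split unquoted below, so disable globbing

# Accept only conservative account names before they reach a root shell.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the value of one key from a policy line; fail if the key is absent.
policy_value() {
    key=$1; line=$2
    for pair in $line; do
        case "$pair" in
            "$key"=*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Map a policy line to locked / unlocked / unknown (missing or odd value).
account_state() {
    case "$(policy_value isDisabled "$1")" in
        1) echo locked ;;
        0) echo unlocked ;;
        *) echo unknown ;;
    esac
}

# Read "user<TAB>policy line" records on stdin, print "user<TAB>state".
classify() {
    while IFS="$(printf '\t')" read -r user line; do
        if valid_user "$user"; then
            printf '%s\t%s\n' "$user" "$(account_state "$line")"
        else
            printf 'skipped: invalid account name\n' >&2
        fi
    done
}

# Constructed sample records (not real server output).
sample() {
    printf 'mdavid\tisDisabled=1 isAdminUser=0 newPasswordRequired=0\n'
    printf 'jsmith\tisDisabled=0 isAdminUser=0 newPasswordRequired=0\n'
    printf 'broken\tisAdminUser=0\n'
    printf 'x;id\tisDisabled=0\n'
}
sample | classify
```

A record whose policy line lacks isDisabled is reported as unknown rather than treated as unlocked, and a name containing shell metacharacters is skipped instead of being classified.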