We found that we could get everything working with an OS X LDAP server except password changes. The OpenDirectory wasn't storing passwords the normal way. The 'official' way to change passwords was to run /usr/bin/dscl.

So here's the code we inserted to get it working. Perhaps this could be made into a patch that added a proper "OS X" checkbox to the ldap preference pane.

There are some limitations in our code. We are using the alt_login module to store a separate username for ldap and a more human-friendly real name in drupal. Replace $user->alt_login with $user->name or whatever to get the regular username.

This code may also be limited in that it assumes the ldap server and the drupal server are on the same machine. Maybe the 127.0.0.1 part could be changed to the server address if they are on different machines, but I can't test that myself.

Also, the password probably needs to be checked that it is clean, since this code does pass it to a shell command.

Insert this around line 651 of ldapdata.module. Comment out the line that says $writeout[$ldap_attr] = $pw; (or if making a proper patch, wrap it with an if conditional). Then add the lines below:

    //CHANGES FOR MAC OS X SERVER BELOW:
    //$writeout[$ldap_attr] = $pw; //this has no effect on OS X

    // Look up the bind DN and bind password configured for this LDAP server.
    $result = db_fetch_array(db_query("SELECT ldapdata_binddn, ldapdata_bindpw FROM {ldapauth} WHERE name = '%s'", $ldap_config_name));
    $dn = $result['ldapdata_binddn'];
    // We need just the uid= username part of the DN (e.g. "diradmin" from "uid=diradmin,cn=users,..."):
    $diradmin = preg_replace('/.*uid=([a-zA-Z0-9]+)(,.*|$)/', '$1', $dn);
    $pass = $result['ldapdata_bindpw'];

    // Every variable goes through escapeshellarg() so that a login name or a
    // password containing shell metacharacters cannot alter the command.
    $cmd = "/usr/bin/dscl -u " . escapeshellarg($diradmin) .
           " -P " . escapeshellarg($pass) .
           " /LDAPv3/127.0.0.1 -passwd " . escapeshellarg("/Users/" . $user->alt_login) .
           " " . escapeshellarg($pw);
    $shelloutput = shell_exec($cmd);
    //for debugging:
    msg_r("Changing password for: " . $user->alt_login);
    //msg_r($cmd); //would write the admin password and the new password to the log
    if ($shelloutput) {
        msg_r("dscl error changing password: " . $shelloutput);
    } else {
        msg_r("dscl command to change password was successful");
    }
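As an added example, not the snippet above and not ldapdata.module's own code: a PHP helper that builds the same dscl command with every argument escaped and refuses to build it when the bind DN has no uid= component or the login name is not a plain short name. The function names, the allowed-character check on the login, and the sample inputs are assumptions.

```php
<?php
// Added example: build the dscl password-change command safely.
// Argument layout and the /Users/ path prefix follow the snippet above.

/**
 * Extract the uid= component of a bind DN such as
 * "uid=diradmin,cn=users,dc=example,dc=com". Returns NULL if absent.
 */
function osx_dscl_admin_from_dn($dn) {
  if (preg_match('/(?:^|,)\s*uid=([^,]+)/i', $dn, $m)) {
    return $m[1];
  }
  return NULL;
}

/**
 * Build the command string, or return NULL when an input is unusable.
 * Each caller-controlled value is wrapped by escapeshellarg(), so a new
 * password such as "x'; rm -rf /" becomes one single-quoted argument.
 */
function osx_dscl_passwd_command($bind_dn, $bind_pw, $login, $new_pw, $node = '/LDAPv3/127.0.0.1') {
  $admin = osx_dscl_admin_from_dn($bind_dn);
  // Record names should be plain short names (assumed allowlist); reject anything else early.
  if ($admin === NULL || !preg_match('/^[A-Za-z0-9._-]+$/', $login)) {
    return NULL;
  }
  return '/usr/bin/dscl -u ' . escapeshellarg($admin) .
         ' -P ' . escapeshellarg($bind_pw) .
         ' ' . escapeshellarg($node) .
         ' -passwd ' . escapeshellarg('/Users/' . $login) .
         ' ' . escapeshellarg($new_pw);
}

// Constructed sample inputs.
$cmd = osx_dscl_passwd_command('uid=diradmin,cn=users,dc=example,dc=com', 'S3cret', 'jsmith', "new pa'ss");
// $cmd is a single string whose arguments are individually quoted; hand it to
// shell_exec() as the snippet above does. The -P value is still visible in the
// process list for as long as dscl runs, so keep the bind account's rights minimal.
$rejected = osx_dscl_passwd_command('cn=admin,dc=example,dc=com', 'S3cret', 'jsmith', 'x'); // NULL: no uid=
```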

Comments

dugh

Status: Active » Needs work

You can replace $user->alt_login with $user->name or whatever if not using alt_login. We required it because we wanted drupal usernames to be real full names (like "First Last") which were invalid usernames for the OS X ldap server though. The ldap server uses the alternative login name instead.

I also added a call to escapeshellarg() around the user name and $pw variables just in case.

itux_2009

Status: Needs work » Postponed (maintainer needs more info)

1. Does not work if the domain administrator password is not specified explicitly.
2. I specified a password to make it work, but now it writes "incorrect digest response" when I want to log in.

How do I configure it for MacOS Server, or please give me a sample config if it is no trouble for you.
And second, I want to get a registration that writes all the data into LDAP. How is that done, or which module does it?

johnbarclay

Status: Postponed (maintainer needs more info) » Closed (won't fix)

Closing 5.x issues to clean out issue queue.