Changing OD password by command line

 

Login to the server running Open Directory and run the following to be prompted to change snoopdog’s password

sudo passwd -i OpenDirectory -l /LDAPv3/127.0.0.1 -u diradmin snoopdog

found here: https://discussions.apple.com/thread/1509269

NAME

     passwd — modify a user’s password

SYNOPSIS

     passwd [-i infosystem [-l location]] [-u authname] [user]

DESCRIPTION

     The passwd utility changes the user’s password.  If the user is not the super-user, passwd first prompts for the current password and will not continue unless the correct password is entered.

     When entering the new password, the characters entered do not echo, in order to avoid the password being seen by a passer-by.  The passwd utility

     prompts for the new password twice in order to detect typing errors.

     The new password should be at least six characters long and not purely alphabetic.  Its total length should be less than _PASSWORD_LEN (currently 128

     characters), although some directory systems allow longer passwords.  Numbers, upper case letters, and meta characters are encouraged.

     Once the password has been verified, passwd communicates the new password to the directory system.

     -i infosystem

           This option specifies where the password update should be applied.  Under Mac OS X 10.5 and later, supported directory systems are:

           PAM   (default) Pluggable Authentication Modules.

           opendirectory

                 A system conforming to Open Directory APIs and supporting updates (including LDAP, etc).  If no -l option is specified, the search node is used.

           file  The local flat-files (included for legacy configurations).

           nis   A remote NIS server containing the user’s password.

     -l location

           This option causes the password to be updated in the given location of the chosen directory system.

           for file,

                 location may be a file name (/etc/master.passwd is the default)

           for nis,

                 location may be a NIS domainname

           for opendirectory,

                 location may be a directory node name

           for PAM,

                 location is not used

     -u authname

           This option specifies the user name to use when authenticating to the directory node.

     user  This optional argument specifies the user account whose password will be changed.  This account’s current password may be required, even when

           run as the super-user, depending on the directory system.

FILES

     /etc/master.passwd  The user database

     /etc/passwd         A Version 7 format password file

     /etc/passwd.XXXXXX  Temporary copy of the password file

SEE ALSO

     chpass(1), login(1), dscl(1), passwd(5), pwd_mkdb(8), vipw(8)

     Robert Morris and Ken Thompson, UNIX password security.

HISTORY

     A passwd command appeared in Version 6 AT&T UNIX.

Mac OS X                        August 18, 2008                       Mac OS X

Open Directory audit log data into Splunk

illustrated Splunk server configuration steps

I put Splunk server scripts for dispersing here

Splunk >> bin >> scripts

sudo nano /Applications/Splunk/bin/scripts/Example_OD.sh

 

Script input:

#!/bin/bash
sudo log stream –level info –style syslog

 

# trying json

sudo log stream –level info –style syslog

 

 

 

 

 

 

Forwarder Management:

Settings >> Forwarder management

Screen Shot 2019-09-21 at 7.59.06 AM.png

Settings >> Forwarder management >> Clients

B2019-09-21 at 8.05.33 AM.pngSettings >> Forwarder management >> Server Classes

Screen Shot 2019-09-21 at 8.00.03 AM.png

 

New Server Class

Screen Shot 2019-09-21 at 8.00.29 AM.png

 

 

Data >> Data Inputs

Screen Shot 2019-09-21 at 8.01.03 AM.png

 

Data >> Data Inputs >> Forwarded Inputs >> Scripts

Screen Shot 2019-09-21 at 8.10.52 AM.png

Change the sourcetype to jsonc2019-09-21 at 8.13.14 AM.png

 

Once everything is in place you should be able to search and find information in this example I created am account “teddyboy” in OPen Directory, the following shows a query from the script which stream the slapd, and opendirectoryd data

D09-21 at 8.41.17 AM.png

 

Change/check the local inputs.conf files from the scripts running on the Open Directory server.

sudo nano /Applications/SplunkForwarder/etc/apps/_server_app_OD_Servers/local/inputs.conf

 

reads:

  GNU nano 2.0.6 File: …ps/_server_app_OD_Servers/local/inputs.conf           

[script://$SPLUNK_HOME/etc/apps/_server_app_OD_Servers/bin/ScriptName_OD.sh]

disabled = 0

index = default

interval = 60.0

sourcetype = linux_messages_syslog

 

Trying this

sourcetype = oracle:audit:xml

or this

sourcetype = _json

Change/check the local inputs.conf files from the forwarder running on the Open Directory server.

sudo nano /Applications/SplunkForwarder/etc/system/local/inputs.conf

 

reads:

[monitor:///var/audit/]

[default]

host = ClientMachineHostName.local

Change/check the local output.conf files from the forwarder running on the Open Directory server.

[tcpout]

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]

server = 10.1.2.3:9997

[tcpout-server://10.1.2.3:9997]

 

 

To search and find OD account creation success, I query from the json sourcetype

ODNodeCreateRecord request

—–

This records barbie account record getting created: dsAttrTypeStandard:RecordName\= (\n barbie\n

{ “category:session“, “processImageUUID:DB3-0037-332C-8D8E-8C7350E88A01“, “processUniqueID: 85, “threadID: 1383910, “timestamp:2019-09-22 06:24:07.668536-0400“, “traceID: 2065501346005252, “messageType:Info“, “activityID: 854237, “processID: 85, “machTimestamp: 394733628137612, “timezoneName: “”, “subsystem:com.apple.opendirectoryd“, “senderProgramCounter: 65579, “eventMessage:ODNodeCreateRecord request, NodeID: 0A1D-30AA-4FA7-B1C1-12E9F78DFF20, RecordType: dsRecTypeStandard:Users, RecordName: <private>, Attributes: {\n \dsAttrTypeStandard:Comment\= (\n );\n \dsAttrTypeStandard:EMailAddress\= (\n );\n \dsAttrTypeStandard:FirstName\= (\n );\n \dsAttrTypeStandard:HomeDirectory\= (\n );\n \dsAttrTypeStandard:HomeDirectoryQuota\= (\n 0\n );\n \dsAttrTypeStandard:Keywords\= (\n );\n \dsAttrTypeStandard:LastName\= (\n barbie\n );\n \dsAttrTypeStandard:NFSHomeDirectory\= (\n \\/Users\/barbie\\n );\n \dsAttrTypeStandard:PrimaryGroupID\= (\n 20\n );\n \dsAttrTypeStandard:RealName\= (\n barbie\n );\n \dsAttrTypeStandard:RecordName\= (\n barbie\n );\n \dsAttrTypeStandard:UniqueID\= (\n 1006\n );\n \dsAttrTypeStandard:UserShell\= (\n \\/bin\/bash\\n );\n}”, “senderImageUUID:D350A9B3-0037-332C-8D8E-8C7350E88A01“, “processImagePath:\/usr\/libexec\/opendirectoryd“, “senderImagePath:\/usr\/libexec\/opendirectoryd” }

____

Delete a record, “eventMessage:Delete a record“, “processImagePath:\/Applications\/Server.app\/Contents\/MacOS\/Server“,

{ “processImageUUID:388D1B12-E930-3D81-AB34-6EFAA44E12EF“, “processUniqueID: 28164, “threadID: 1386945, “timestamp:2019-09-22 06:32:34.581205-0400“, “traceID: 1181143700349387010, “eventType:OSActivityCreateEvent“, “activityID: 857809, “processID: 28164, “machTimestamp: 395240545174841, “timezoneName: “”, “senderProgramCounter: 56111, “eventMessage:Delete a record“, “senderImageUUID:29F55F7B-379F-3053-8FF3-5C6675A3DD4D“, “processImagePath:\/Applications\/Server.app\/Contents\/MacOS\/Server“, “senderImagePath:\/System\/Library\/Frameworks\/OpenDirectory.framework\/Versions\/A\/Frameworks\/CFOpenDirectory.framework\/Versions\/A\/CFOpenDirectory” }

 

 

Screen Shot 2019-09-22 at 6.28.36 AM