# File lib/puppet/provider/nameservice/directoryservice.rb, line 291 291: def self.set_password(resource_name, guid, password_hash) 292: password_hash_file = "#{@@password_hash_dir}/#{guid}" 293: begin 294: File.open(password_hash_file, 'w') { |f| f.write(password_hash)} 295: rescue Errno::EACCES => detail 296: fail("Could not write to password hash file: #{detail}") 297: end 298: 299: # NBK: For shadow hashes, the user AuthenticationAuthority must contain a value of 300: # ";ShadowHash;". The LKDC in 10.5 makes this more interesting though as it 301: # will dynamically generate ;Kerberosv5;;username@LKDC:SHA1 attributes if 302: # missing. Thus we make sure we only set ;ShadowHash; if it is missing, and 303: # we can do this with the merge command. This allows people to continue to 304: # use other custom AuthenticationAuthority attributes without stomping on them. 305: # 306: # There is a potential problem here in that we're only doing this when setting 307: # the password, and the attribute could get modified at other times while the 308: # hash doesn't change and so this doesn't get called at all... but 309: # without switching all the other attributes to merge instead of create I can't 310: # see a simple enough solution for this that doesn't modify the user record 311: # every single time. This should be a rather rare edge case. (famous last words) 312: 313: dscl_vector = self.get_exec_preamble("-merge", resource_name) 314: dscl_vector << "AuthenticationAuthority" << ";ShadowHash;" 315: begin 316: dscl_output = execute(dscl_vector) 317: rescue Puppet::ExecutionFailure => detail 318: fail("Could not set AuthenticationAuthority.") 319: end 320: end