# File lib/puppet/provider/nameservice/directoryservice.rb, line 291
291:     def self.set_password(resource_name, guid, password_hash)
292:         password_hash_file = "#{@@password_hash_dir}/#{guid}"
293:         begin
294:             File.open(password_hash_file, 'w') { |f| f.write(password_hash)}
295:         rescue Errno::EACCES => detail
296:             fail("Could not write to password hash file: #{detail}")
297:         end
298: 
299:         # NBK: For shadow hashes, the user AuthenticationAuthority must contain a value of
300:         # ";ShadowHash;". The LKDC in 10.5 makes this more interesting though as it
301:         # will dynamically generate ;Kerberosv5;;username@LKDC:SHA1 attributes if
302:         # missing. Thus we make sure we only set ;ShadowHash; if it is missing, and
303:         # we can do this with the merge command. This allows people to continue to
304:         # use other custom AuthenticationAuthority attributes without stomping on them.
305:         #
306:         # There is a potential problem here in that we're only doing this when setting
307:         # the password, and the attribute could get modified at other times while the
308:         # hash doesn't change and so this doesn't get called at all... but
309:         # without switching all the other attributes to merge instead of create I can't
310:         # see a simple enough solution for this that doesn't modify the user record
311:         # every single time. This should be a rather rare edge case. (famous last words)
312: 
313:         dscl_vector = self.get_exec_preamble("-merge", resource_name)
314:         dscl_vector << "AuthenticationAuthority" << ";ShadowHash;"
315:         begin
316:             dscl_output = execute(dscl_vector)
317:         rescue Puppet::ExecutionFailure => detail
318:             fail("Could not set AuthenticationAuthority.")
319:         end
320:     end