Keychain Item Synching

Another feature introduced with NoMAD v. 1.1 is the ability for NoMAD to synchronize item’s in a users keychain whenever the user changes his or her password. Using this feature should keep users from being flooded with password errors for all of those applications that aren’t Kerberized.


NoMAD uses a dictionary of keychain item names and then account names to find the keychain items in the user’s keychain. The account name can use NoMAD’s variable substitution to create the account name since it most likely won’t be just the user’s UPN or shortname. All the standard NoMAD variables work here,
<<domain>>, <<fullname>>, <<serial>>, <<shortname>>, <<upn>>, and <<email>>.

For example, in the following keychain item,  the keychain item name is “NoMAD Fake App” and the account name is “joel@nomad.test”.

You can create this dictionary via the defaults command in a few ways. If you know everything all at once, you can create the dictionary inline.
defaults write com.trusourcelabs.NoMAD KeychainItems '{ "App1" = "User1"; "App2" = "User2"; "App3" = "User3"; }';
Just make sure you take care with all of the single and double quotes.

You can also do this with the -dict and -dict-add flags.

defaults write com.trusourcelabs.NoMAD KeychainItems -dict "App1" "User1"

defaults write com.trusourcelabs.NoMAD KeychainItems -dict-add “App2” “User2”


Run NoMAD in verbose mode and you’ll get lots of logs about what’s going, so that’s the first place to start. Included in this you’ll see if they keychain item was found and if there were any errors in changing it.

You can also set the KeychainItemsDebug pref key which will have NoMAD update the keychain items every time the user signs in instead of just when the password is changed. This should make testing variable substitution and other functions much easier.

Also keep in mind that not all applications use plain text passwords anymore. Many of the cloud services, for instance, will generate a user token and store that in the keychain instead. As such use Keychain Access to ensure that the password is actually what you think it is before attempting to have NoMAD manage it.

Still To Come

Currently this only changes application passwords and not Internet passwords. Look for that in a future update.

© 2017 Orchard & Grove Inc.