Local Password Sync

Setting the following defaults key forces local password syncing:

defaults write com.trusourcelabs.NoMAD LocalPasswordSync 1

With this key set, NoMAD checks on Sign In that your AD password is in sync with your local password. If the passwords do not match, NoMAD will attempt to update the local account password to the network password.

Note that this process only runs from network to local. In other words, NoMAD will not take a local password and update AD with it. It works for both AD-bound and unbound systems.

The basic flow is as follows:

1. Take the password supplied by the user and attempt to get Kerberos credentials with it.

2. If that succeeds, check the password against the local user password using the OpenDirectory APIs.

3. If the network password does not match the local password, alert the user and prompt them for their local password.

4. Using the local password, first check to ensure it is the correct local password.

5. If the password is correct, change the local password, the user’s local Keychain password and the user’s FileVault password from the local password to the network password.

This process will also be followed when the user changes their network password. Assuming the local password was already in sync, NoMAD will use the old and new network passwords submitted by the user to change the local password.
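
The local-account part of the flow above (steps 2 to 5), written against Apple's OpenDirectory framework as an added example; it is not NoMAD's own source. The function name, the SyncResult enum and the promptForLocalPassword callback are assumptions, the caller is assumed to have already obtained Kerberos credentials with the network password (step 1), and the Keychain and FileVault changes from step 5 are left out.

```swift
import Foundation
import OpenDirectory

// Hypothetical result type for this example.
enum SyncResult { case inSync, updated, wrongLocalPassword }

// True if the password authenticates the local record. Any verification
// error is treated as "does not match" in this example.
func matches(_ record: ODRecord, _ password: String) -> Bool {
    do { try record.verifyPassword(password); return true } catch { return false }
}

// Call only after the network password has obtained Kerberos credentials,
// so an unverified password can never overwrite the local one.
func syncLocalPassword(user: String,
                       networkPassword: String,
                       promptForLocalPassword: () -> String) throws -> SyncResult {
    // Look the user up in the local directory node, which exists on both
    // AD-bound and unbound Macs.
    let node = try ODNode(session: ODSession.default(),
                          type: ODNodeType(kODNodeTypeLocalNodes))
    let record = try node.record(withRecordType: kODRecordTypeUsers,
                                 name: user, attributes: nil)

    // Step 2: does the network password already authenticate locally?
    if matches(record, networkPassword) { return .inSync }

    // Step 3: mismatch, so ask the user for the current local password.
    let localPassword = promptForLocalPassword()

    // Step 4: verify it before using it as the "old" password.
    guard matches(record, localPassword) else { return .wrongLocalPassword }

    // Step 5 (account password only): local -> network, never the reverse.
    try record.changePassword(localPassword, toPassword: networkPassword)
    return .updated
}
```

Nothing in this path writes to AD: the network password is only ever the source of the change, which matches the one-way behaviour described above.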

© 2017 Orchard & Grove Inc.