Keychain Item Syncing

Another feature introduced with NoMAD v. 1.1 is NoMAD’s ability to synchronize items in a user’s keychain whenever the user changes his or her password. Using this feature should keep users from being flooded with password errors from all of the applications that aren’t Kerberized.

Configuration

NoMAD uses a dictionary that maps keychain item names to account names to find the matching items in the user’s keychain. The account name can use NoMAD’s variable substitution, since it most likely won’t be just the user’s UPN or shortname. All the standard NoMAD variables work here: <<domain>>, <<fullname>>, <<serial>>, <<shortname>>, <<upn>>, and <<email>>.

In the following keychain item example, the keychain item name is “NoMAD Fake App” and the account name is “joel@nomad.test”:

You can create this dictionary via the defaults command in a few ways. If you know all of the items in advance, you can create the dictionary inline:
defaults write com.trusourcelabs.NoMAD KeychainItems '{ "App1" = "User1"; "App2" = "User2"; "App3" = "User3"; }'
(Make sure you take care with all of the single and double quotes: the dictionary literal is single-quoted for the shell, and each key and value is double-quoted inside it.)

You can also build it with the -dict and -dict-add flags. Note that -dict replaces any existing KeychainItems dictionary, while -dict-add adds a key to the one already stored:

defaults write com.trusourcelabs.NoMAD KeychainItems -dict "App1" "User1"

defaults write com.trusourcelabs.NoMAD KeychainItems -dict-add "App2" "User2"
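Before deploying a dictionary, it helps to see what NoMAD will actually look up and to get the shell quoting right. The following is an added example, not NoMAD’s own code: it assumes that the substitution is a plain textual replacement of each <<var>> token listed above, previews the resolved account names for one constructed user, rejects any token that is not a NoMAD variable (so a typo such as <<username>> is caught early), and builds the inline defaults write command with the quoting handled for you.

```python
import re
import shlex

# Variables NoMAD substitutes in account names (the list from this page).
NOMAD_VARIABLES = ("domain", "fullname", "serial", "shortname", "upn", "email")

_TOKEN = re.compile(r"<<([^<>]+)>>")


def substitute(template, user):
    """Expand <<var>> tokens in an account-name template.

    `user` maps variable names to the values the signed-in user would have.
    Unknown tokens raise ValueError, so a misspelled variable is caught
    before the dictionary is deployed. (Assumption: NoMAD's substitution
    is a plain textual replacement of each token.)
    """
    def repl(match):
        name = match.group(1)
        if name not in NOMAD_VARIABLES:
            raise ValueError(f"unknown NoMAD variable <<{name}>> in {template!r}")
        return user[name]
    return _TOKEN.sub(repl, template)


def preview(items, user):
    """Return {keychain item name: resolved account name} for one user."""
    return {item: substitute(account, user) for item, account in items.items()}


def _plist_string(s):
    # Old-style (OpenStep) plist string: double-quoted, with backslash and
    # double quote escaped.
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def defaults_write_command(items, domain="com.trusourcelabs.NoMAD"):
    """Build the inline `defaults write ... KeychainItems '{...}'` command.

    The dictionary literal is single-quoted for the shell with shlex.quote,
    so the double quotes around each key and value survive untouched.
    """
    body = " ".join(f"{_plist_string(k)} = {_plist_string(v)};" for k, v in items.items())
    literal = "{ " + body + " }"
    return f"defaults write {domain} KeychainItems {shlex.quote(literal)}"


# Constructed sample: keychain item names and the account-name templates
# an admin might deploy for them.
SAMPLE_ITEMS = {
    "NoMAD Fake App": "<<upn>>",
    "Mail Archive": "<<shortname>>@mail.example.test",
    "Legacy VPN": "<<domain>>\\<<shortname>>",
}

# Constructed sample user attributes (placeholder values).
SAMPLE_USER = {
    "domain": "NOMAD",
    "fullname": "Joel Test",
    "serial": "C02XXXXXXXXX",
    "shortname": "joel",
    "upn": "joel@nomad.test",
    "email": "joel@nomad.test",
}

if __name__ == "__main__":
    for item, account in preview(SAMPLE_ITEMS, SAMPLE_USER).items():
        print(f"{item!r} -> {account!r}")
    print(defaults_write_command(SAMPLE_ITEMS))
```

Run it as a script to print the resolved item/account pairs and the ready-to-paste command; the previewed account names are the ones to compare against what Keychain Access shows for the real items.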

Troubleshooting

Run NoMAD in verbose mode and you’ll get lots of logs about what’s going on, so that’s the first place to start. Among them, you’ll see whether the keychain item was found and whether there were any errors in changing it.

You can also set the KeychainItemsDebug preference key, which has NoMAD update the keychain items every time the user signs in rather than only when the password is changed. This greatly simplifies testing variable substitution and other functions.

Keep in mind that not all applications store plain-text passwords anymore; many cloud services, for instance, generate a user token and store that in the keychain instead. Use Keychain Access to confirm that the stored item really is the password you think it is before having NoMAD manage it.

Still To Come

Currently, this only changes application passwords and not Internet passwords. Look for that in a future update.