Note: this has been updated as of NoMAD 1.1 build 734 beta to reflect the new dictionary of items.
What are Keychain Updates?
New in the NoMAD 1.1 Beta is the ability to update keychain items when a user changes their password.
Currently this is listed as a dictionary of keychain item names and account pattern pairs. NoMAD will look for these items in your keychain that have an account name that matches a search pattern. It will then update the item with the new password.
We expect there to be a lot of special casing here, so please investigate what items you’d like to change and if you need additional features.
Currently NoMAD can handle 6 different variables that you can use to create the account pattern match. These are domain, fullname, serial, shortname, upn, and email. You can build search patterns from all of these and mix with static characters. The variables are set off by << >>. For example the pattern <<shortname>>@company.com would expand to the AD shortname of the user followed by @company.com.
If an attribute is unavailable for a user it will default to blank. So <<email>> for a user with no e-mail address defined in AD will expand to “”. This may not be ideal, so please let us know if this doesn’t fit your needs.
How to make it work
First you’ll need to add an array of keychain item names
defaults write com.trusourcelabs.NoMAD KeychainItems -dict 'test1' '"<<upn>>"'
Note the single then double quotes to properly escape the <<>> characters in that command.
Now change your password in NoMAD v. 1.1(732) or later.
New in 1.1(732) and later is the
keychainItemsDebug flag that will provide more verbose output to the logs and attempt to update passwords everytime you sign in through the sign in window. This should make it much easier to determine what will be updated. Plus additional logging will be done of what items will be changed.
Keychain item example
In the keychain item below, the “Name” is what you add to the array in the NoMAD defaults. The “Account” field will need to match the substitution pattern for that item.
We know that this current methodology won’t always line up with what you may need, as such we’d love to hear from you as to how to make this better. In particular it’s quite possible that your user’s UPN doesn’t match up with the accounts in the Keychain Item. Please let us know on GitLab or the #nomad Slack channel.