I am an open source developer, who just switched to macOS a few weeks ago. I am basically looking for an alternative to Linux' /etc/nsswitch.conf. Not for custom DNS resolution, that's an easy problem to solve, but for users / groups / hosts resolution via custom network modules. Basically looking for a way how I can hook up into the OS in kind of the same way as an LDAP client would do, and provide my own NSS modules. Just for reference, I am developing rauthy which can do PAM authn / authz in combination with rauthy-pam-nss. It works perfectly fine on Linux systems, and I now want to make it work on macOS as well. I already know that macOS is running its mDNSResponder for DNS instead of having the nsswitch.conf, but I have not found an answer for users, groups and hosts.

Dear Team, We are working on retrieving email address of the user joined to Entra ID from Entra-joined macOS devices, specifically while running in a system context.The sudo dscl . -read /Users/$(whoami) RecordName command give the local user name whose password is synced with the entra ID. We would greatly appreciate guidance on how to retrieve the Entra ID joined user’s email address in a system context from Entra Joined mac devices, especially from those with prior experience in this area. Thank you for your support.

Hi Team, How can we fetch the macOS password requirement(for setting a new password) that are inforce during login for users? Is there a way to get this info in swift programming?

With macOS 15, and DSPlugin support removal we searched for an alternative method to be able to inject users/groups into the system dynamically. We tried to write an OpenDirectory XPC based module based on the documentation and XCode template which can be found here: https://developer.apple.com/library/archive/releasenotes/NetworkingInternetWeb/RN_OpenDirectory/chapters/chapter-1.xhtml.html It is more or less working, until I restart the computer: then macOS kernel panics 90% of the time. When the panic occurs, our code does not seem to get run at all, I only see my logs in the beginning of main() when the machine successfully starts. I have verified this also by logging to file. Also tried replacing the binary with eg a shell script, or a "return 0" empty main function, that also triggers the panic. But, if I remove my executable (from /Library/OpenDirectory/Modules/com.quest.vas.xpc/Contents/MacOS/com.quest.vas), that saves the day always, macOS boots just fine. Do you have an idea what can cause this behavior? I can share the boot logs for the boot loops and/or panic file. Do you have any other way (other than OpenDirectory module) to inject users/groups into the system dynamically nowadays? (MDM does not seem a viable option for us)

What Has Been Implemented Replaced the default loginwindow:login with a custom authorization plugin. The plugin: Performs primary OTP authentication. Displays a custom password prompt. Validates the password using Open Directory (OD) APIs. Next Scenario was handling password change Password change is simulated via: sudo pwpolicy -u robo -setpolicy "newPasswordRequired=1" On next login: Plugin retrieves the old password. OD API returns kODErrorCredentialsPasswordChangeRequired. Triggers a custom change password window to collect and set new password. Issue Observed : After changing password: The user’s login keychain resets. Custom entries under the login keychain are removed. We have tried few solutions Using API, SecKeychainChangePassword(...) Using CLI, security set-keychain-password -o oldpwd -p newpwd ~/Library/Keychains/login.keychain-db These approaches appear to successfully change the keychain password, but: On launching Keychain Access, two password prompts appear, after authentication, Keychain Access window doesn't appear (no app visibility). Question: Is there a reliable way (API or CLI) to reset or update the user’s login keychain password from within the custom authorization plugin, so: The keychain is not reset or lost. Keychain Access works normally post-login. The password update experience is seamless. Thank you for your help and I appreciate your time and consideration

Hello Apple Developer Support and Community, We are currently working on a project that involves developing a custom Open Directory module (ODModule) for macOS. We searched extensively for official Apple documentation on how to develop such modules. Unfortunately, we have only found the following high-level introduction: https://developer.apple.com/library/archive/releasenotes/NetworkingInternetWeb/RN_OpenDirectory/chapters/chapter-1.xhtml.html Aside from this brief overview, we have not been able to locate any detailed technical documentation that would help us understand the structure, lifecycle, APIs, or integration points of ODModules. Could you please advise: Is there any more detailed or internal documentation available regarding ODModule development? If so, is there a formal way to request access to it? We would greatly appreciate any guidance or direction you can provide. Thank you in advance! Best regards,

I have created an OpenDirectory module based on the template and docs here: https://developer.apple.com/library/archive/releasenotes/NetworkingInternetWeb/RN_OpenDirectory/chapters/chapter-1.xhtml.html After I copy my module in place and I set my module's configuration (see Configuration APIs section), my module does not get loaded. Currently the way I am able to start/reload it is sending a TERM signal to "opendirectoryd". (Launchctl refuses to stop it.) Then launchd restarts it, and my module gets started fine. Problem is that on some macOS this leads to system inresponsiveness for long time (even minutes). I have tried HUP signal, odutil reset cache etc, they do not help, my module does not get recognized. Is there a recommended way how to notify opendirectoryd about a new module? Repro: My example module can be found here: https://www.dropbox.com/scl/fi/qb8pa100yy56n5hangad0/MyODModule-250527-131702.tar.gz?rlkey=m96vb1rrxc6hml878jn64ybc8&st=h22tl4cy&dl=0 To reproduce the behaviour, uncomment line 12 in register_odmodule.sh: "/usr/bin/killall opendirectoryd", and compile and install the module with "make && sudo make install". And observe that it does not get loaded. Then "killall opendirectoryd", and observe that it got loaded. (To test for loaded or not, you can read on the node it creates with dscl: "dscl /MyExample -list /", or just see that it is not started as a process with "ps"). Thanks for any help in advance!

Hello, I've noticed some unexpected behavior when updating a user's FileVault password. The set up: All actions are performed in virtualized macOS 14 and 15.5 guests on a 15.5 Apple Silicon host. FileVault is enabled. sjsp is a standard user with a Secure Token. The Mac is bound to AD, and the domain is reachable. Reproduction: systemctl -secureTokenStatus sjsp shows it's ENABLED. fdesetup remove -user sjsp fdesetup add -usertoadd sjsp systemctl -secureTokenStatus sjsp shows it's DISABLED. Surprisingly, sjsp is still able to unlock FileVault. Looking at unified logs for opendirectoryd and fdesetup, I see that a password change is being attempted in response to fdesetup add, which is unexpected. default 13:34:41.320883+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) info 13:34:41.321317+0100 opendirectoryd No unlock record exists for E5CC46D7-0C1F-4009-8421-9AA8217CB784 info 13:34:41.321331+0100 opendirectoryd <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) is not a SecureToken user: no unlock record default 13:34:41.321341+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784): user <private> SecureToken, only new password provided, credential <private> default 13:34:41.321454+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) with no existing unlock record info 13:34:41.321857+0100 opendirectoryd No unlock record exists for E5CC46D7-0C1F-4009-8421-9AA8217CB784 default 13:34:41.321873+0100 opendirectoryd Record <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) is eligible for SecureToken default 13:34:41.322637+0100 fdesetup DMAPFS cryptoUserForMacOSUserForVolume DMErr=-69594 retErr=-69594 outAPFSCryptoUser=(null) default 13:34:41.322699+0100 opendirectoryd While changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784): Not adding SecureToken; other unlock records exist, but no existing unlock record provided If I disconnect the network and follow the reproduction steps then the Secure Token is retained. Reconnecting and waiting a while doesn't cause the Secure Token to be lost. There are no log entries about attempting to change the password. Any help or explanation would be appreciated, thanks in advance.

For login purposes, we may want to try automatically checking to see if an email address is set up in certain databases. It looks like the preferred way to do this is via ABAddressBook.shared().me(), then get the right key via in the properties? This, however, is treated as accessing the whole address book and brings up a confirmation dialogue. However, as I thought about it, that might not be the real way we'd want -- we'd want to go through Active Directory, perhaps? Am I making any sense, or just being incoherent? 😄

I am developing a sample authorization plugin to sync the user’s local password to the network password. During the process, I prompt the user to enter both their old and new passwords in custom plugin. After the user enters the information, I use the following code to sync the passwords: try record.changePassword(oldPssword, toPassword: newPassword) However, I have noticed that this is clearing all saved keychain information, such as web passwords and certificates. Is it expected behavior for record.changePassword to clear previously stored keychain data? If so, how can I overcome this issue and ensure the keychain information is preserved while syncing the password? Thank you for your help!

Description: I am attempting to use the OpenDirectory API ODRecord.changePassword to change a user's password without needing the old password, given that I have the appropriate permissions. The goal is to ensure that the password change operation bypasses third-party tools such as EDR or eBPF apps that might otherwise intercept commands, as the operation occurs directly via the API. Problem: When invoking the OpenDirectory API from a launch daemon with root privileges, I receive the following error message: Error Domain=com.apple.OpenDirectory Code=4001 "Operation was denied because the current credentials do not have the appropriate privileges." UserInfo={NSUnderlyingError=0x135907570 {Error Domain=com.apple.OpenDirectory Code=4001 "Credential cannot update user's SecureToken" UserInfo={NSDescription=Credential cannot update user's SecureToken}}, NSLocalizedDescription=Operation was denied because the current credentials do not have the appropriate privileges., NSLocalizedFailureReason=Operation was denied because the current credentials do not have the appropriate privileges.} It seems the error is related to SecureToken, and the underlying issue is that the current credentials (even though they are root-level) do not have the necessary privileges to update the SecureToken status for the user. Steps I’ve Taken: Tested the API via a launch daemon running with root privileges. Ensured that Full Disk Access was granted to the daemon, but this did not resolve the issue. Request: Has anyone encountered this specific issue where root privileges are insufficient to update the user password via the OpenDirectory API ? What additional steps or permissions are required for a user password change? Is there a specific API or method to elevate the privileges for modifying SecureToken, or a workaround to overcome this limitation? Any insights or guidance on this issue would be greatly appreciated! Thank you in advance for your help!

Previously, I used to have the below code to get workgroup / domain name of the active directory service provider. SCDynamicStoreRef storeRef = SCDynamicStoreCreate(NULL, (CFStringRef)@"GetWorkgroup", NULL, NULL); CFPropertyListRef global = SCDynamicStoreCopyValue (storeRef,CFSTR("State:/Network/Global/SMB")); id workgroup = [(__bridge NSDictionary *)global valueForKey:@"Workgroup"]; On few Macs (probably starting from Sonoma), the workgroup property is not set. What is the alternative to get this information programatically?

Is there any conceptual information for using the Open Directory Framework. The current documentation just lists function names, constants, etc. with nothing on how to use. I looked in the Apple archived documentation, but nothing. Seems like macOS developer documentation has been getting worse over time. Thanks, Richard

I have used functionality of changing user's password programmatically using the OpenDirectory framework. Once the password is updated successfully, can be use this password for Login sessions and authentication wherever required. But the same password is failing authenticate with Local Authentication Framework that is with LAContext and prefers always older password. Even restarting machine won't work. Changing current user's password using below method - do { let node = try ODNode(session: ODSession.default(), type: ODNodeType(kODNodeTypeLocalNodes)) let user = try node.record(withRecordType: kODRecordTypeUsers, name: NSUserName(), attributes: nil) try user.changePassword(currentPassword, toPassword: newPassword) print("Password changed successfully") } catch var error { print(error) } Once password is updated, then trying to authenticate password with LAContext using, let context = LAContext() context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "AuthenticationMessage".localized()) { success, error in DispatchQueue.main.async { completion(success, error) } print("authentication error = (String(describing: error?.localizedDescription))") } It won't accept the updated password. Any idea how to solve this problem?

I want to get the network-name (domain-name) on my Mac-Machine. Where iin the Settings does this domain name gets configured. I refer to this page which talks about computer name and host name, I could find where my hostname is present (Settings-&amp;gt;General-&amp;gt;Sharing-&amp;gt;local host name) but not anything related to the network-name (local -domain) . Even try to fetch this info using the linux api to getdomainname, api call succeeded but it returns Nothing. #include &amp;lt;iostream&amp;gt; #include &amp;lt;unistd.h&amp;gt; #include &amp;lt;limits.h&amp;gt; #include &amp;lt;cstring&amp;gt; int main() { char domainname[255]; // Get the domain name if (getdomainname(domainname, 255) != 0) { std::cout &amp;lt;&amp;lt; "Error getting domain name" &amp;lt;&amp;lt; std::endl; return 1; } std::cout &amp;lt;&amp;lt; "Domain name: " &amp;lt;&amp;lt; domainname &amp;lt;&amp;lt; std::endl; return 0; } Output Domain name: I even came across Search-Domains, Does it have anything to do with the network-name (domain name of the machine)?

I would like to know how to programmatically get, set, and display the password hint for a user in the login screen. Thanks

I had a need to display and search for contacts from my LDAP server. Seems the most efficient solution is to connect my Device (Application Contact) with my LDAP server. And with the Contacts framework I will be able to fetch all Local contacts including my LDAP contacts. Is there a solution to know from the CNContact if this contact is among my LDAP Contacts or other (Local, iCloud,..) If you have another solution how to search on my LDAP contacts do not hesitate to suggest me. OpenDirectory is not available on iOS Thanks

[Q] If the Active Directory a Mac is bound to changes, will there be a kNotifyDSCacheInvalidation* notification posted? e.g. The Mac starts, there are no Network Account Server set up. An admin user sets up an Active Directory Domain Controller as a Network Account Server. => kNotifyDSCacheInvalidation posted? or An Active Directory Domain Controller was set up as a Network Account Server. Another Active Directory Domain Controller is set up instead. => kNotifyDSCacheInvalidation posted? Ref. https://opensource.apple.com/source/Libnotify/Libnotify-80/notify_keys.h

We've been working with VMWare on a ticket related to slow upload/download transfers using the VMWare API/SDK on Mac. They believe the root cause is below.  The slow performance is caused by Apple's authentication subsystem (PAM/opendrectoryd) being slow and using a lot of CPU. The security for guestOps file transfer requires an authn check for every packet, packets are limited to ~60k bytes due to the underlying arch; hence every 60k bytes of data has a ~.2 second overhead for the authn. (We see no such delays for Linux or Windows.) Does anyone have any experience with PAM/opendirectoryd who might be able be help me?

i'm tying to create a custom LDAP configuration in a swift script, something similar to this without using python: https://github.com/Yohan460/Programmatic-OD-Python-Binding my script fails at the custom call - not sure if the issue is my data types or that the functions used in the python example don't exactly translate. any help is appreciated, thanks in advance! p.s - i'm a total swift n00b #!/usr/bin/swift import Foundation import OpenDirectory let fileName = "ldap.plist" let configData = try String(contentsOfFile: fileName) let config = Data(configData.utf8) let odSesh = ODSession.default() let configNode = try! ODNode(session: odSesh,type: ODNodeType(kODNodeTypeConfigure)) let outNode = try! configNode.customCall(99991, send: config)