ldap_search_ext_s problem: PasswordServer and Directory Utility don't see the same LDAP content.

Originator: yoann.gini
Number: rdar://17566872 Date Originated: 05-Jul-2014 01:43 PM
Status: Open Resolved:
Product: OS X Server Product Version: 3.1.2
Classification: Serious Bug Reproducible: Always
 
Summary:
The PasswordServer private framework, used by PasswordService to read its settings, calls ldap_search_ext_s from the LDAP framework with the attribute list filled in, so that it receives only the content it needs from the LDAP server.

Directory Service, on the other hand, does not use this attribute filter because it needs to display all available data.

This difference breaks the whole configuration when the apple-xmlplist attribute of cn=passwordserver,cn=config,dc=office,dc=inig-services,dc=com is set to a custom value (for example to set an ExternalCommand for the PasswordService).

Indeed, calling ldap_search_ext_s with or without attributes specified in the request does not return the same result.

Steps to Reproduce:
On OS X Server:
— Open Directory Utility and add custom settings for your XMLPlist option in /LDAPv3/127.0.0.1/Config/passwordserver.
--> 1st problem: on a new installation (not a 10.8 update) the XMLPlist field with the default content does not exist; you have to add it.

As custom settings, you can set the ExternalCommand to weakpass or whatever debug script you have in /usr/sbin/authserver/tools.

Or, for simpler troubleshooting, just add a new listening port.

Reload PasswordService and check the open ports, or the behavior on password change.

Expected Results:
PasswordService should use the settings set with Directory Utility.

Actual Results:
PasswordService still uses the default content.

Version:
OS X Server 3.1.2
OS X 10.9.3

Notes:
This bug was not present in 10.8.

Sample code in attachment.

Don't forget to set XMLPlist content via Directory Utility before anything else.

You can find demo custom content in the sample code.

Comments

Staying with 10.8 directory until this is resolved

A school of 700 Apple Laptops can't use 10.9 directory because we can't affiliate with Google for SSO to GAfE.

Sister schools (600 iPads and Mac laptops) can't either.

Want to stay with Apple OS in backend.

Surely Apple doesn't want us to move to AD?

By martin.levins at Oct. 9, 2014, 11:20 p.m.
