MOSXSWebPassword 1.0 and Some More Plone Sites
Mac OS X Server Web Password 1.0
I've updated my Mac OS X Server Web Password application so that the installer package now works properly, and added a page where an administrator can reset a user's password. If you're already using version 0.9, the upgrade should just go on top of the existing package seamlessly.
The application is written in WebObjects, which is in turn based on Java. This is nice from a number of points of view, but for changing passwords it has one serious downside: you can't make any system calls directly. One of the key points behind Java is that it runs the same anywhere -- on a Mac, on a Windows server, on a Linux box, on a Solaris box; but this means that you can't make operating-system-specific calls from your Java code directly. You need to use the Java Native Interface (JNI) to make operating system calls, which is what I did in the files OpenDirJNI.c and OpenDirJNI.java.
An alternative approach would be to call the passwd binary from within the WebObjects application. However, this has a serious security hole -- if someone is in a position to run /bin/ps on your server at the right time, they might be able to see the user's new password being passed as a command line argument to passwd. I use direct Open Directory API calls instead, which don't have this vulnerability.
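The difference described above, as an added example that is not part of the original post or of MOSXSWebPassword: a shell script that hands a secret to a child process first as a command-line argument and then over standard input, and checks which one the process listing exposes. The function names and the sample password are constructed for the illustration.

```shell
#!/bin/sh
# Added example: how a secret handed to a child process shows up to `ps`.
SECRET='Constructed-Pw-123'   # constructed sample value, not a real credential

# Print the argument list that is readable for PID $1.
# Falls back to /proc on Linux systems that ship without a usable ps.
args_of() {
    out=$(ps -o args= -p "$1" 2>/dev/null)
    if [ -z "$out" ] && [ -r "/proc/$1/cmdline" ]; then
        out=$(tr '\0' ' ' < "/proc/$1/cmdline")
    fi
    printf '%s\n' "$out"
}

# Succeeds (status 0) if the secret appears in the argument list of PID $1.
secret_visible() {
    sleep 1                       # let the child finish exec before sampling
    args_of "$1" | grep -qF -- "$SECRET"
}

# Weak pattern: the secret is an argument, as it would be when calling passwd.
secret_in_argv_is_visible() {
    sh -c 'sleep 3; exit 0' argv-demo "$SECRET" >/dev/null 2>&1 &
    pid=$!
    secret_visible "$pid"; rc=$?
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
    return "$rc"
}

# Safer pattern: the secret travels over a pipe and never enters any argv.
secret_on_stdin_is_visible() {
    printf '%s\n' "$SECRET" |
        sh -c 'read -r pw; sleep 3; exit 0' stdin-demo >/dev/null 2>&1 &
    pid=$!
    secret_visible "$pid"; rc=$?
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
    return "$rc"
}

secret_in_argv_is_visible  && echo "argv:  secret visible in process listing"
secret_on_stdin_is_visible || echo "stdin: secret not in process listing"
```

The same check can be pointed at any helper a web application spawns: if the credential appears in the output of `args_of`, it is readable by every local account for as long as that process lives.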
Using the Open Directory APIs also opens up a set of tricks that you couldn't do using passwd. If your Mac OS X Server is bound to an Active Directory domain, you can let Mac and Windows users change their AD passwords through the web page by editing the file
/Library/WebObjects/Applications/MOSXSWebPassword.woa/Contents/Resources/Properties.
Change the line that reads:
directoryNodeList=("/NetInfo/root","/LDAPv3/127.0.0.1")
to read:
directoryNodeList=("/NetInfo/root","/ActiveDirectory/AllDomains")
then stop and restart the WebObjects service in Server Admin.
If your web server is not your Open Directory master, change the LDAPv3 entry so that it points at the correct LDAP server. E.g., if your OD master is at 192.168.17.33, then change the directoryNodeList to be:
directoryNodeList=("/NetInfo/root","/LDAPv3/192.168.17.33")
then stop and restart the WebObjects service.
It's free, released under the GNU GPL, and source code is available. Give it a try and let me know how it works for you. You can download it from my website at:
Plone Sites
Just to give you an idea of what you can do with Plone, here are a few Plone sites that I've set up recently:
The ccespta.org website is the closest to the basic Plone appearance, with only a change to the logo graphic and some re-ordering of the portlets in the left and right columns. The ncac-cubscoutspack8.org website is a more radical makeover, with some serious CSS work to change the color scheme and some workflow security work to hide some folders. In particular, there are members-only folders that don't appear to people who are not logged into the website. The btrcapitalgroup.com website is a full appearance makeover, with heavy CSS modifications and graphic design work.
The cub scouts website is hosted on a Mac Mini, with another Mac Mini serving as a caching front end. The other two websites are hosted at highspeedrails.com, using their Starter service at $340 per year. It's a pretty affordable way to set up a website where all you need is the ability to use Word in order to maintain the content on the website.
--Paul