With macOS Server, all account information must be in a specific delimited format with descriptive headers before it can be imported. Although producing files in the right format is not particularly hard, Passenger lets you use pieces of imported data to form user- and group-specific data and to concatenate names, short names, and reproducible passwords.
Some good uses for Passenger:
Passenger accepts comma- or tab-delimited text, including exports from all versions of macOS Server sans passwords. It can also import names of folders and Local Network Users on the same server Passenger is running on.
Many people do the work of creating their short names before bringing them into Passenger. But Passenger can do this work for you very easily for names and short names.
Passwords can be generated by a tough algorithm that takes a combination of the master password and the username. Passwords created this way can be regenerated with the same master password and username. There are a few styles of passwords to choose from which use a word-word or word-number combination for security and easy memorization.
Passwords can also be formulated like names or simply passed through.
Exports for macOS Server, user-defined customized text export, Master Key, and Master Spell
Using the usernames or short names you imported or concatenated from imported data, you can generate folders with those names, including nesting user folders in group folders. You may also put folders with names of your choice, such as "Documents", inside these folders.
If your short names are changing from one server to another, you can concatenate a relationship between the two so that you can move the contents of home folders from one naming convention to another.
Set file level permissions in batch for macOS. Keep your own permission sets. There's a default home directory preset for macOS Server. Export permission sets as shell scripts.
The process for creating accounts is
Importing Local Network Users
Press Import on the toolbar and select "Local Network Users". After importing, you may want to sort by User ID using the column header and select and remove rows of special users.
Any tab-delimited or comma-delimited text file can be imported--a format almost all database and spreadsheet applications can export. No need to worry about the order of your data fields or unneeded fields. Passenger allows you to match the correct fields and ignore unneeded fields.
Press Import on the toolbar, choose to import users from file, choose the text file and you will be presented with a dialog box that allows you to specify whether you are importing tab, colon, or comma-delimited text. Add field elements from the left list box to the right by dragging or double-clicking and order them as necessary by dragging. Select and use the delete key to remove items from the Importing Fields list. Use the <ignore> element to ignore any particular fields.
Use the "ignore first line" checkbox to keep a header from being imported as a row when one exists, as in exports from macOS Server. Also use the "Match importing fields to header" button to automatically set up the importing fields for server exports.
The full name field is used if the field you are importing contains the first and last name. Passenger will figure out the first and last names from this imported field and apply them to first and last name components when it comes time to formulate names.
The group field can import one group per user to later be used to set groups for macOS Server. All fields can be exported with the custom export.
Presets
Presets can be created and named to maintain the lineup of data between imports that use the same lineup. Presets are automatically saved with every change if they are named and not None. Presets are kept in the Passenger folder in /Preferences/Import Presets so they can be easily moved with Passenger.
Importing names and groups from folders
Choose Import from the File menu, then choose "Use folder name to create list of user names". The folder names inside the folder you choose will be imported as usernames.
There is an option "Import first level as groups, second as users". This reads the first-level folders as groups and the folders inside them as the user names that belong to those groups.
Usernames (Real Names in macOS Server) can be derived in many different ways from the names imported. The two major components that can be used to formulate usernames are first and last names. If you imported full names, Passenger will break the full name into first and last. See filtering below for more details.
Imported groups and user ids can also be used as components to build Usernames.
You construct the Real Name/Username using the tags shown at the top of the window shown above.
Repeating Real Name/Username
Another formula component is the ability to append numbers to create a multitude of usernames based on each name imported. A good example of how this can be used is if you have a group of students and you would like their usernames to be based on the teacher's last name. The teacher's name could be Andrews and the student usernames would be and001, and002, etc. Repeating can be done for up to 999 users. You can choose to have leading zeros by selecting a value for "Fixed digits for repeating numbers". Repeating digits are automatically appended to short names when this is used for Real Name/Usernames.
Constants in formulas
Constants such as a dash or period or some other constant can be used by typing it in the formula field. The sample field at the top left of the window shows you how the name will be concatenated.
Overwrite imported usernames
With this box unchecked, usernames are concatenated to fill in where usernames were not imported.
With this box checked, usernames are always concatenated regardless of what usernames were imported.
Short name concatenation has many of the same components with the addition of basing the short name on the Username. Short Names are more restricted in what characters are allowed.
Filtering Usernames and Short Names
Passenger does the following to create usernames from imported names:
More about names
If you choose to export full name, last name, or first name using custom text export, whatever was imported will remain intact and anything that was missing will be filled in by Passenger.
Overview of Passenger passwords
Good passwords should be secure and easy to remember.
Passwords can be concatenated from portions of Usernames, User IDs, Groups and first and last names, just like name concatenation.
Passwords by algorithm using internal word list
For generation by algorithm, Passenger generates words and numbers or two-word passwords. The words are easy to remember and when combined with numbers or other words, they are difficult to guess. By default the word list Passenger uses is internally-encrypted inside of Passenger and unavailable.
They are generated by using an algorithm based on two components:
(username or short name) + (master password (known only to the administrator)) = password.
A fair analogy is lockers at a school. Whether combination or key, the students all have separate locker keys or combinations but the principal may have a single key to open all locks. Passenger similarly uses the master password in combination with the username to create a unique password and thus they can be regenerated by the administrator easily.
Users can't use Passenger to create the matching passwords without the master password. Additionally, having the username and password cannot get someone the master password.
Passwords by algorithm using custom word list
You can supply your own word list. Look in Passenger's Preferences folder for a file named "Passenger Word List". When words are found in the file, Passenger will use your words to create passwords by algorithm. The usage will appear statistically random for both words and numbers but is always reproducible given the same word list, master password, and username or short name.
Security of passwords by algorithm
Probably nothing is impossible to crack but certain measures have been taken to ensure some level of security against discovering a master password. A long list of the usernames or short names and the resultant passwords would be necessary to try to figure out the master password that was used to create them. Ten years of widespread use hasn't resulted in any reports of a problem. Also, to deter this possibility, the default word list is encrypted in Passenger.
Probably an even higher level of security can be obtained using your own word list. In this case you should protect both your word list and your master password as if they are two keys. A different algorithm is used for custom word lists than for internal word lists to help protect the original algorithm.
If security is extremely critical, consider not using an algorithm except perhaps only for initial passwords.
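An added illustration of the master-password scheme described in this section, not Passenger's own algorithm (which the page does not publish): each password is derived from the master password and username with PBKDF2, so it can be regenerated while every guess at the master password stays slow. The word list, work factor, separator, username normalisation and three-digit number format are assumptions.

```python
import hashlib
import math

# Constructed sample list (assumption); the page says the real list holds thousands of words.
WORDS = ["amber", "birch", "cedar", "delta", "ember", "fjord", "grove", "heron",
         "inlet", "jetty", "knoll", "lotus", "maple", "north", "otter", "pearl"]
ITERATIONS = 100_000  # PBKDF2 work factor (assumption): makes master-password guessing slow


def _draws(master, username):
    """Yield 32-bit integers that depend only on the master password and username."""
    # Assumption: usernames are treated case-insensitively, so normalise them first.
    salt = b"example-v1:" + username.strip().lower().encode("utf-8")
    counter = 0
    while True:
        block = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                                    salt + counter.to_bytes(4, "big"), ITERATIONS)
        for i in range(0, len(block), 4):
            yield int.from_bytes(block[i:i + 4], "big")
        counter += 1


def _pick(draws, n):
    """Map the stream to an index in range(n) without modulo bias (rejection sampling)."""
    limit = (2**32 // n) * n
    while True:
        value = next(draws)
        if value < limit:
            return value % n


def derive_password(master, username, words=WORDS, style="word-number"):
    """Reproducible password: same master + username + word list gives the same result."""
    if not master:
        raise ValueError("master password must not be empty")
    draws = _draws(master, username)
    first = words[_pick(draws, len(words))]
    if style == "word-word":
        return first + "-" + words[_pick(draws, len(words))]
    if style == "word-number":
        return first + str(_pick(draws, 1000)).zfill(3)
    raise ValueError("unknown style: " + style)


def entropy_bits(word_count, style="word-number"):
    """Upper bound, in bits, on the guessing resistance of one issued password."""
    space = word_count * (word_count if style == "word-word" else 1000)
    return math.log2(space)


if __name__ == "__main__":
    for user in ("jandrews", "mlopez"):  # constructed usernames
        print(user, derive_password("constructed master phrase", user))
    print(round(entropy_bits(4096), 1), "bits for word-number with 4096 words")
```

`entropy_bits` measures the space a guesser faces for a single issued password, which does not depend on the master password at all; with a 4096-word list the word-number style gives about 22 bits.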
Formulas for passwords
On the Accounts pane, choose the Concatenation tab, then the Passwords tab.
Here you have the ability to assemble the formulation yourself from the tags referenced in the top of the window shown below.
<fw0> is first word and <sw0> is second word. <aw0> is first word but limited to real words 6 characters or less suitable for younger people. Tags that have two characters like <fw0>, <sw0>, <fn0>, <ln0>, can have their case set by changing the case of the tag. For <fn0>, changing to <Fn0> gets Title Case and <FN0> gets UPPERCASE. Each replacement can be set to full length such as <fw0> or truncated to the number of characters you want such as <fw3> for the first 3 characters. For <fn0> and <ln0> it is also possible to truncate to the last n characters of a name; for example, for the last 2 characters of the last name use <2ln>.
Minimum fw/sw lengths ensure that the words selected as first and second words are whole words of at least 3 to 6 characters, as you choose. The "Passwords based on" menu allows you to determine whether the username or the short name is used in the algorithm. Short names are only used for macOS and Delimited Text exports. Other exports will always use usernames.
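The tag rules above, together with the repeating-number feature described earlier, as an added Python sketch (not Passenger's code). It covers only the fn, ln, fw and sw tags; the function names are hypothetical, and treating an all-lowercase tag as "output lowercase" is an assumption.

```python
import re

# Tags handled here: fn/ln (first/last name) and fw/sw (first/second word).
# An optional leading number means "last n characters", a trailing one "first n".
TAG = re.compile(r"<(\d*)(fn|ln|fw|sw)(\d*)>", re.IGNORECASE)


def expand(formula, first="", last="", first_word="", second_word=""):
    """Expand replacement tags in `formula`; all other text is kept as a constant."""
    values = {"fn": first, "ln": last, "fw": first_word, "sw": second_word}

    def replace(match):
        tail, name, head = match.groups()
        value = values[name.lower()]
        if tail and int(tail) > 0:      # <2ln>: last 2 characters
            value = value[-int(tail):]
        elif head and int(head) > 0:    # <fw3>: first 3 characters; <fw0>: full length
            value = value[:int(head)]
        if name.isupper():              # <FN0>: UPPERCASE
            return value.upper()
        if name[0].isupper():           # <Fn0>: Title Case
            return value.capitalize()
        return value.lower()            # assumption: lowercase tag gives lowercase text

    return TAG.sub(replace, formula)


def repeating(formula, first, last, count, fixed_digits=0):
    """Append 1..count to the expanded formula, zero-padded to `fixed_digits`."""
    if not 1 <= count <= 999:           # the page states a limit of 999 repeats
        raise ValueError("count must be between 1 and 999")
    base = expand(formula, first, last)
    return [base + str(n).zfill(fixed_digits) for n in range(1, count + 1)]


if __name__ == "__main__":
    # Constructed sample data.
    print(expand("<Fn0>.<ln0>", "maria", "ANDREWS"))
    print(expand("<fw3>-<sw0>", first_word="harbor", second_word="lantern"))
    print(repeating("<ln3>", "Pat", "Andrews", 3, fixed_digits=3))
```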
There are thousands of words that Passenger draws from to create passwords. All the words should be fairly safe but because there are so many combinations possible there is a chance that two-word passwords might give an unanticipated meaning or message. It might be a good idea to glance over the passwords before issuing them, and in particular, the one for your boss. Any resemblance between your users and their passwords is coincidental--remember, you choose the master password that creates their passwords.
You can select to check for duplicates against the current directory of users on the Mac on which Passenger is running. Passenger does two different duplicate checks:
Adding users to macOS servers
Once you have users imported and you have chosen how names and passwords are concatenated and you have decided how duplicates should be handled, you can move to the export tab to choose the macOS Server Export and press the setup button.
If you choose to have Passenger create the User ID numbering, any imported User IDs won't be used for User IDs but imported User IDs will still be used if you specified their use in any concatenations.
If you do not select for Passenger to create User IDs starting with a specific number, imported User IDs will be used instead. If no User IDs were imported, none will be exported and MOSXS will create the User IDs.
Choose whether to use Basic 'crypt' passwords (Local) or Password Server (Open Directory). If you choose Basic, Passenger will encrypt the passwords. If you choose Password Server, make sure you are running a password server (Open Directory for instance) and test it in Workgroup Manager (or optionally Server in Lion 10.7 and up) to make sure that manually created users can have passwords created this way.
If you leave the fields blank and did not import Server URL or NFS Path, the home directories will be the default on the server. In most cases you don't have to set anything on this tab if you have the Server set up to have a sharepoint be used for home directories. If home directories are not set up properly after import into server, you can select all users in Server or Workgroup Manager and set them all at once.
Server URL (the afp://servername), URL Path, and NFS Path can be imported formatted exactly as they would successfully be typed in the MOSXS setup in Passenger. Passenger will do the colon translation automatically to any path imported or entered in the interface since colons are used as delimiters in the MOSXS import/export format.
You can create custom paths for home directories here using replacement tags shown on the left part of the window.
Group settings can be set on the Groups tab. Passenger will export the groups you enter and any groups you imported. Multiple groups can be imported per user by using the "Group(s)" field. Multiple groups can be comma separated in one Group(s) field or you can use as many Group(s) fields as you need. You will need to set a separate file name for the group export file which you will later import into Workgroup Manager to set the group assignments after you've imported your users into Workgroup Manager.
Incrementing the Group ID number is only used for groups that were imported into Passenger.
The group name used in Passenger will be either matched to an existing Group Short Name or, if that Group Short Name doesn't exist, a new group will be created with a Group Short Name but no Group Name. You may need to add the Group Name manually in Workgroup Manager. To assign users to existing groups on the server, use the Group Short Name and leave the Group ID blank.
To import groups into macOS Server you must first have imported the users into the server with Workgroup Manager. Groups are assigned by importing a separate file after importing the users, so exporting groups requires that you set a file location for your groups file when everything is exported.
When importing the group file, in most cases you will also want to select append to existing for duplicate handling when importing into Workgroup Manager since the group may already exist and you are just adding users to the group.
The mail tab resembles that of the server. Imported forward addresses will be exported unless you decide to use the LDAP email address in which case it will be the email address you imported or the email address that is concatenated using the option on the Passenger window in the concatenation area.
Given the base paths for the different Windows paths, Passenger will add short names to those paths and export them. The only difference between this and home directories is that currently base Windows paths cannot be imported so only what you set in this setup dialog can be used.
There are 4 replacement tags that you can use inside any path: <igroup> = imported group, <dept> = imported department, <org> = imported organization, and <building> = imported building.
Send to server
Import to server
Export from Passenger and name the file that you will import into Server.app or Workgroup Manager
On server versions before Yosemite, open Workgroup Manager, select the proper domain and select import from the File menu and choose the file you exported from Passenger. If you also exported groups, import the group file after the users' file. Workgroup Manager is a separate download, with versions for 10.7 Lion, 10.8 and 10.9.
In Lion 10.7 and higher you can use the application Server to import using "Import Accounts from File" from the Manager menu.
An important difference between importing with Server vs. Workgroup Manager: When importing with Server, services will be enabled for the users. When importing with Workgroup Manager, services will be disabled. Services can be turned on and off in batch in Server.
If you would like a copy of the data for other purposes, see Custom Text Export below.
Migrating from an older version of macOS Server
Apple provides directions for migrating in their own documentation. In some cases you may find for some reason that Passenger is a better choice for your situation such as when Apple no longer supports a proper migration because your server version is too old or on PowerPC. Here are directions for using Passenger.
The best recommendation for this is to do a clean install of the new version of the server. The drawback is that passwords cannot be preserved through this process. If you apply the upgrade to an existing older version of MOSXS, the passwords will be preserved and there is no need for Passenger.
If you've used Passenger before to create accounts and used an algorithm or other concatenation to create the passwords or imported them and they haven't been changed by the users since, or you use Passenger's passwords as initial passwords that your users can be ready to use, you can use Passenger.
Exporting and Previewing are available on the main window once an export has been chosen and the setup for that export has been confirmed. Preview is not available for all exports. Preview allows you to see how the formulations are applying to your data so you can more easily modify the formulations or the source text in case there is a problem.
The export format Custom Text is provided to export tab or comma-delimited text for any export not specifically covered by Passenger. A good use for this might be to send information such as passwords back to a database or spreadsheet program to mail merge letters to deliver the users' passwords. But there are enough options to create your own custom export for macOS Server. You can even use the export fields to add constants to what is actually exported. For instance "jabber\:<E-mail Address>".
The interface for exporting is similar to importing. You may choose which fields you want to export, in which order and whether the file be tab or comma-delimited. In addition, if you have the Auto-construct checkbox on, it will automatically create the macOS Server export header as you choose which fields to export.
If you are not creating an export for macOS Server, you don't have to do anything with the two rightmost columns.
Unlike the import, there are a few extra fields which you can export such as "Passenger Password" and <empty> and you can include a header which is any text you place in that field. All fields use replacement tags so they can be further customized with constants.
The Passenger password is always the password generated by Passenger. The Imported Password is always the imported password unless the imported password is blank, in which case the Passenger password is used. In the case that the Passenger Password is used, it is based on the Passenger Username. If you want this password to remain blank, adjust the password formulation to suit. "Imported Username" and "Passenger Username" behave the same way.
The <empty> field is one that can be filled as a constant for all your users. Custom constant fields are denoted in the list box with "<" and ">" wrapped around the text. Once the field is in the Exported Fields column, the Edit Field button is enabled and you can press this to bring up a dialog where you can add the text for your constant. That field then changes to better represent your custom constant. There is no hard limit to how many custom constant fields you can export.
It's generally a good idea to try (or at least examine) your custom export and make adjustments before you quit Passenger so that you don't have to do all the setup over again. You can also do presets to keep the setup between launches of Passenger.
Presets can be created and named to maintain the setup for delimited text export. Presets are automatically saved with every change if they are named and not None. Presets are kept in the Passenger folder in /Preferences/Export Presets so they can be easily moved with Passenger.
Folders are created and named according to the short name or name/username formulation you choose. You have the ability to create folders such as "Documents" and "Preferences" inside each one of these folders.
Group and User folders
Folders are created from usernames and placed in the directory you set. If you choose to create parent folders from groups from the Folders setup, user folders will be created in the group folders of which they are members.
You may also create standard folders for each group or user folder. For instance you might want to put a "Documents" folder in each user folder. Use "Also create these folders inside the account/group folders" to do so.
See Permissions for setting permissions in macOS.
You can drag your source file to the left column to start a new distribution item or press the + button to add one. Choose to copy, or delete first, or just delete.
You can limit your distribution to just those short names or usernames you have imported and concatenated in Accounts. Press Start and Distributor will ask for admin authorization to copy files into home directories. To set the permissions correctly you can then use Permissions.
You can also save your distribution set as a shell script if you'd like to make it into a daily maintenance script for your home directories. Use a utility like Cronnix to do this.
Mover moves folders and files from one set of account folders to another. It requires a relationship be known of the account folder names. It can use imported or formulated usernames and short names. It can move files from the root of each account folder or a subfolder of it. Import users either from a file or folders, set the formulations for username and short name as needed and select Mover from the Utilities menu.
Set up your migration instructions. Copy makes a copy, leaving the source account folders completely intact. This is safer but less informative. Move moves the contents of the folders whether or not they are on the same volume or another. This is riskier but will show you which files were moved and which were left behind. Any files that were matched will be removed from the source.
If a match is made, but there is a conflict because something in the destination folder has the same name as what is in the source folder, that part of the copy or move will not be made. There is no reporting of this. But the benefit of using move is it will leave the unmoved files or folders so that you can see which didn't make it. The migration is generally intended for new account folders that have nothing put in them yet.
Matches are case insensitive.
When a match is made, both the source account folders and the destination account folders which were matched, are touched meaning their modification date is set to present. I might have used labels or comments instead but neither is working or consistent in both Classic and macOS.
Let's say we want to move preferences from one folder to another. In one account folder structure, the Preferences folder is located right in the account folder. On the destination, it is located in the Library folder. To do this, put "Preferences" in the field for copy the contents of and put "Library/Preferences" in the to field. In this example, if the Preferences folder doesn't exist on the source side, the match isn't made and the copy or move is not done. However, if the Preferences folder doesn't exist on the destination side, it will be created.
Using the relationship for folder names, it is possible to move the contents from one folder to another even though the names are different such as below where the username is used for the old account folders and the short name is used for the new.
Mistakes to permissions made as root can be very harmful if you stray out of the "Users" folder. This utility is a power-user utility that can easily be misused and careful attention and understanding is needed before proceeding to set permissions. MacinMind Software cannot assume any liability for misuse of this module.
Purpose and Uses
Permissions is a module in Passenger to set file level permissions in macOS on a group of user folders. It is able to set the owner of a folder to the name of that user's home folder. It can set different privileges for different subfolders and set them recursively or not.
You can also export these Permissions Set instructions as a shell script for automatic daily maintenance.
In order to set most permissions, it is necessary to be logged in as root. Passenger will use ssh to log in to the local or remote computer as the user you specify. In order for this to work, Remote Login must be turned on in the System Preferences Sharing panel. The root login on macOS Server takes the same password it was given for the first administrator account created when the server was set up.
When you open the Permissions window using the menu item in the Utilities menu, the setup for permissions is macOS Server's default permissions for home directories.
If you are running Passenger right on the server and the users' home folders are in their default location--"Users" on the root of the volume--then Permissions is ready to apply default permissions to all folders and files in the Users folder.
To set permissions on a different volume, you may use "/Volumes/[name of drive]" as the beginning of your path. You can use the Choose base path button to alter all base paths in the permission set that have <username> already in the path. Otherwise, to ensure the path name is correct, check this name in the shell. This name can actually be different than the name of the drive that shows on the desktop. To do this, open the terminal and type:
The drive names will be in the right column. Use these drive names when entering the path in Permissions.
There is one tag replacement used in Permissions, "<username>". This tag has no direct relationship to any imported or formulated data in Passenger.
This tag has two purposes: In the path, the <username> tag simply means all folders in the preceding path. The second purpose is to remember that folder name to be used in setting owners.
You may add and remove different permission tasks using the lower "Add" and "Remove" buttons. The permissions are changed in the order of top to bottom. For instance, the home folder and all its contents are set to read only for the staff group. A later permission set gives read/write access to the "Public" folder and then write-only access to the "Drop Box" folder.
The first two permission sets cannot be edited and represent the default permissions given to shipping macOS Server. Create other sets for yourself and they will be kept between launches.
If there are errors, they will be reported in the details.
Save As Shell Script
You can also save a Permission Set you've designed in Permissions as a Shell Script which you can add to your System crontab so that it can run automatically on a schedule you choose on your server to correct permissions. Use a utility like Cronnix to do this.
The unregistered version of Passenger has all features enabled but for demonstration purposes allows for only 20 users to be imported and processed at a time. The Professional Edition has successfully imported and exported over 70,000 users at a time. Having Passenger as shareware allows you to try it as long as you like before you buy. Passenger is not an expiring demo.
Passenger can be registered in two Editions, Standard and Professional, and with options for larger licenses for education and large businesses:
When you register you will receive a unique registration code by email which will unlock the Edition you chose. For credit card orders online you can receive your code in moments. Checks and purchase orders are also accepted.
To purchase visit http://macinmind.com/Passenger/Purchase
Passenger is shareware. If you use it regularly, please register and pay the shareware fee.
You can make copies of this software and distribute them as long as the software is not modified in any way and the registration information does not accompany the software.
You may not sell copies of this software. You may not rent, lease, or distribute this software as part of a shareware sampling package without the permission of the author. You may not decompile, disassemble, reverse engineer, copy, or create a derivative work from this software.
You are permitted to make a backup copy of this software. The Professional Edition is licensed as a Site License. If you use this software at more than one site, you should purchase the district-wide or world-wide license. You may make archival copies of the software for each License obtained under this Agreement. You may make copies of the written documentation which accompanies the software in support of your authorized use of the software.
Limited Warranty/Limitation of Liability
This software is licensed as is with the removal of shareware reminders for Standard Edition and Professional Edition registrations. This software is licensed with the removal of shareware reminders and the ability to process up to 150 users at once for Standard Edition and no hard limit (limited by RAM and hard disk space) for Professional Edition. Shareware allows you to "try before you buy" and I operate on the understanding that you are satisfied with the software before you register.
This warranty is in lieu of any other warranties, express or implied, including the implied warranties of merchantability and fitness for a particular purpose. In no event will the author be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of your use of or inability to use the software.
I will attempt to answer technical support requests from registered users, but this service is offered on a reasonable efforts basis only, and I may not be able to resolve every support request. I can support the software only if it is used under conditions and on operating systems for which it is designed.
If any provision of this Agreement is found to be unlawful, void, or unenforceable, then that provision shall be severed from this Agreement and will not affect the validity and enforceability of any of the remaining provisions. This Agreement shall be governed by the laws of the State of Illinois.