Run shell script on password change

I have a question regarding an issue we are having with our Open Directory server (Mac LDAP server), which is based on OpenLDAP. Our Open Directory server is our main source of authentication for many online services including but not limited to Google Apps. We used Randy Seaks tutorial to sync OD passwords to our Google Apps domain because Open Directory stores passwords in a format that Google Apps doesn’t recognize:

Which is basically attaching a shell script to store users’ passwords in SHA1 (read by Google) in another user’s attribute on password change. It has been working like a charm for us, but we are now moving to Open Directory 10.11, where everything has changed, and I’m stuck on where and how to trigger a shell script on users’ password change. The script is:


```bash
#!/bin/bash
# Get password from stdin. This will be the password change running through password server.
read -r password

# Hash the password using the SHA1 method and store into "password".
# awk keeps only the hex digest, since some openssl versions prefix it with "(stdin)= ".
password=$(printf '%s' "$password" | /usr/bin/openssl dgst -sha1 -hex | awk '{print $NF}')

# LDIFMOD must already hold the path of the temporary LDIF file (its definition is not shown here).
touch "$LDIFMOD"
echo -e "dn: uid=$1,cn=users,dc=domain,dc=domain,dc=org\nchangetype: modify\nreplace: pager\npager: $password" > "$LDIFMOD"

# Change the following fields to match your system
# DIRADMIN - directory admin username
# PASSWORD - Directory admin password
ldapmodify -xD uid=admin,cn=users,dc=domain,dc=domain,dc=org -w adminpassword -f "$LDIFMOD" -v
```

Any idea how something similar can be done in OpenLDAP?

Thank you so much.
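
An added example, not part of the original post or of the tutorial it refers to: the same hash-and-store step written so that the admin password stays out of the process arguments and the hash never lands in a temp file. `BASE_DN`, `BIND_DN`, `BIND_PW_FILE` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. BASE_DN, BIND_DN and BIND_PW_FILE are assumed placeholder values.
BASE_DN="cn=users,dc=example,dc=org"
BIND_DN="uid=admin,$BASE_DN"
BIND_PW_FILE="/etc/od-sync/bind.pw"   # mode 0600, bind password, no trailing newline

# Print the SHA-1 hex digest of $1 (input is hashed without a trailing newline).
sha1_hex() {
    if command -v openssl >/dev/null 2>&1; then
        # Some openssl versions print "(stdin)= <hex>"; keep only the last field.
        printf '%s' "$1" | openssl dgst -sha1 -hex | awk '{print $NF}'
    else
        printf '%s' "$1" | sha1sum | awk '{print $1}'
    fi
}

# Reject user names that could alter the DN or inject extra LDIF lines.
valid_uid() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the LDIF that replaces the pager attribute of user $1 with hash $2.
build_ldif() {
    valid_uid "$1" || return 1
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: pager\npager: %s\n' \
        "$1" "$BASE_DN" "$2"
}

# Read the new password from stdin and send the change to the directory.
main() {
    IFS= read -r password || [ -n "$password" ] || return 1
    ldif=$(build_ldif "$1" "$(sha1_hex "$password")") || return 1
    unset password
    # LDIF goes over a pipe (no temp file); -y reads the bind password from a file.
    printf '%s\n' "$ldif" | ldapmodify -x -D "$BIND_DN" -y "$BIND_PW_FILE"
}

# Only talk to the directory when a user name is passed as the first argument.
if [ "$#" -ge 1 ]; then main "$@"; fi
```

The stored value is an unsalted SHA-1 digest, so read access to the `pager` attribute should be restricted by ACL to the sync account.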