# File lib/puppet/provider/nameservice/directoryservice.rb, line 281
281:   def self.set_password(resource_name, guid, password_hash)
282:     password_hash_file = "#{@@password_hash_dir}/#{guid}"
283:     begin
284:       File.open(password_hash_file, 'w') { |f| f.write(password_hash)}
285:     rescue Errno::EACCES => detail
286:       fail("Could not write to password hash file: #{detail}")
287:     end
288: 
289:     # NBK: For shadow hashes, the user AuthenticationAuthority must contain a value of
290:     # ";ShadowHash;". The LKDC in 10.5 makes this more interesting though as it
291:     # will dynamically generate ;Kerberosv5;;username@LKDC:SHA1 attributes if
292:     # missing. Thus we make sure we only set ;ShadowHash; if it is missing, and
293:     # we can do this with the merge command. This allows people to continue to
294:     # use other custom AuthenticationAuthority attributes without stomping on them.
295:     #
296:     # There is a potential problem here in that we're only doing this when setting
297:     # the password, and the attribute could get modified at other times while the
298:     # hash doesn't change and so this doesn't get called at all... but
299:     # without switching all the other attributes to merge instead of create I can't
300:     # see a simple enough solution for this that doesn't modify the user record
301:     # every single time. This should be a rather rare edge case. (famous last words)
302: 
303:     dscl_vector = self.get_exec_preamble("-merge", resource_name)
304:     dscl_vector << "AuthenticationAuthority" << ";ShadowHash;"
305:     begin
306:       dscl_output = execute(dscl_vector)
307:     rescue Puppet::ExecutionFailure => detail
308:       fail("Could not set AuthenticationAuthority.")
309:     end
310:   end