Look at using dscl to do this. The authonly flag might fill what you're aiming to do. If nothing is returned then all is well with the password, so just test for ANYTHING generated. The below might be what you're looking for.

outputTest=$(dscl . authonly [accountname] [password])

result="yes"



[ "$outputTest"] && result="no"



echo "<result>$result</result>

Thanks @andrew.nicholas , I created the below script for my EA for that which uses some jamf code for encrypting strings. Not ideal since it can still be reversed, but slightly better then being in plain text and I don't know a better way. I'll probably add some more logic to validate that the account exists first and maybe some more around when errors are returned

#!/bin/sh



function DecryptString() {

    # Usage: ~$ DecryptString "Encrypted String" "Salt" "Passphrase"

    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"

}



AcctName="ACCOUNTNAME"

AcctPWD=$(DecryptString 'STRING' 'SALT' 'PASSPHRASE')



outputTest=$(dscl . authonly $AcctName $AcctPWD)



if [ "$outputTest" = "" ]; then

    echo "<result>Match</result>"

else

    echo "<result>$outputTest</result>"

fi

Regarding other places to store login info, remember that macOS keychains are made for that sort of work, and root has no questions asked access to the System keychain… though so would admin users on the machine. You might want to try the add-generic-password variant of this:

/usr/bin/security add-internet-password -a "acctname" -D "Network Password" -s "printserver.example.com" -r "smb " -l "A Printer" -A -w 'P@$$w0rd' /Library/Keychains/System.keychain

How are you guys dealing with complex passwords (spaces, !, etc) with the dscl command?

You could put the username and password as parameters in the Jamf policy (script) $4 and $5. The username and password would not be in the script, therefore secure...