Open directory administrator's password to manage

Hi.
I have a Mac OS X Server 10.4 with Open Directory.
Now I want to add some new users and some new computers to my domain. When I log in to Open Directory I am able to see the tree of my LDAP domain, but I am unable to add a new user or computer.
Why this problem? I can see the users that are there. I have just tried to log in and unlock Open Directory with some other users, but I can't solve it. I can't see the buttons for "add user" and "add computer" enabled.
Can you help me?
Thanks

Hi
have a mac os x server 10.4 with Open Directory
You should really post this in the relevant Forum as this is for 10.5 Server:
http://discussions.apple.com/forum.jspa?forumID=713
Having said that, I have to ask the obvious. If you want to add/delete/amend - amongst other things - users in the /LDAPv3/127.0.0.1 node you have to click the lock on the right-hand side and authenticate using the Directory Administrator (diradmin) account name and password. Once you've done that you should be able to work within that node.
Tony

Similar Messages

  • SuPhp and Open Directory Administration

    Hello,
    I am trying to get suPhp and mod_suphp working on OS X Server 10.6.7.
    Everything seemed to compile and install just fine, but I am getting an error in the Apache log:
    terminate called after throwing an instance of 'suPHP::LookupException'
    My guess is that suPhp cannot find the user ID in /etc/passwd because OS X Server is using Open Directory Administration
    My searches have not turned up anything.
    Thank you!
    ~ Jeremy

  • Open Directory - Unable to login Workgroup Manager

    I am unable to login to Workgroup Manager with my diradmin account.
    I know the password is correct.
    This is on Mac OS X Lion 10.7.2
    Everything was working fine last night, but then it stopped functioning.  I am able to see all the users, but they are greyed out.  When I try to login, I get "The login information is not valid for this server" 
    The LDAP log shows a bunch of the same errors that it did not show before.
    slapd[76]: SASL Failure: GSSAPI Error: Miscellaneous failure.
    Please advise.  Thank you.
    Samson

    Try logging in to Workgroup Manager using the local admin account not the diradmin account. If this works, then try accessing the /LDAPv3/127.0.0.1 choice using the diradmin account.

  • Is this the OS X Server Directory Administrator Account?

    Hello,
    I have enabled root access on my local user, but I accidentally deleted the Directory Administrator account in the Server App that was under the Users tab. Now when I try to gain root access to /LDAPv3/127.0.0.1, the username and password to authenticate it are not the same as my local computer administrator account. If anyone can explain to me what the account is that I can't get root on and how to edit it, I would appreciate it. Thanks.

    There seems to be some general confusion around authentication on OS X lately; you're not the only one that's been wondering about this recently.
    There are two separate login systems available within OS X.  These are the local authentication database, and distributed authentication database.  These can coexist.  Local authentication is basically LDAP, but just for your local OS X host.  Distributed authentication is full-on network distributed authentication; it's the same authentication database, but shared across multiple computers.  
    An OS X client uses local authentication for the root account, and for other accounts created in the local authentication directory.
    An OS X client can use distributed authentication when it has been "bound" to a distributed authentication system.  The distributed authentication system that the client is "bound" to might be OS X Server or Linux running Open Directory and LDAP and Kerberos, or it might be Microsoft Windows Server and a distributed authentication configuration comprised of Active Directory and related pieces.
    With Open Directory on OS X Server, the diradmin user is the default user that can administer the distributed authentication database, but it's certainly not the only such user that can be created in the database.  Consider when there's a larger deployment of OS X systems.  You might have folks that can administer a local system, but the folks that administer all systems are usually different.    In some other installations, the local admin user is only a backup, and only used should the Open Directory configuration require maintenance or reconfiguration.  You don't want to run around to all your Mac or Windows systems and add a new user or disable a user that leaves the organization, for instance, or that needs to have their password reset.  You want to do that in one spot.  That's what a distributed directory provides.
    The OS X Server 10.6 Open Directory Administration manual might provide an introduction to the environment, and the Workgroup Manager tool is still a common way to manage Open Directory on OS X and OS X Server. (While it was once integrated with the server administration tools, Workgroup Manager is now a separate download.)
    To reset and recreate the diradmin user here, I'd probably trash Server.app, reset the Server.app environment, and reinstall Server.app and reconfigure the local setup.  This if you've not accumulated a whole lot of configuration details within the local server configuration.  Here are the closest I've seen to official reset instructions.  This will nuke your Server.app configuration.  (I'd also encourage having a full-disk backup or two, but that's generally recommended, general good practice and generally appropriate management paranoia.)
    FWIW, also have a look at your backup strategy, too.  Even the most skilled folks can and do occasionally make a mistake, and disks and computers do fail, and databases do get corrupted, and computers do occasionally get dropped or stolen.  Have a backup.  Or two.

  • Open Directory Keychain Question

    I have set up Open Directory on my domain, but I am having trouble with Keychain access over the network when users log into network accounts. Whenever I log in using Open Directory, I can open all of my applications; however, each time I log in to my user account all of my keychain passwords are reset. I can look into the user preferences folder and see the keychain file, but for some reason whenever a user logs out the changes to it are lost.
    Is Keychain access supported when network mounting user folders? If so, what is the proper way to implement keychain access?

  • When i integrate Mac client to the domain open directory, he don't ask me account DirAdmin, Why ?

    When I integrate a Mac client into the Open Directory domain, it doesn't ask me for the DirAdmin account. Why?
    I don't want everyone to be able to integrate a Mac client into Open Directory without authentication.
    I want it to ask me for the diradmin account to integrate a Mac OS X client into the Open Directory domain of Lion Server.
    I have made a magic triangle
    Thanks

    Malik-O wrote:
    When I integrate a Mac client into the Open Directory domain, it doesn't ask me for the DirAdmin account. Why?
    I don't want everyone to be able to integrate a Mac client into Open Directory without authentication.
    1) I want it to ask me for the diradmin account to integrate a Mac OS X client into the Open Directory domain of Lion Server.
    Authentication (with open directory admin username & password) is off by default. In Mountain Lion there is no longer a GUI to manage that and some of the other binding options. In Lion, I think you could use Server Admin (or was it Workgroup Manager) -- I can't remember, but there were little checkboxes.
    To make authentication mandatory in Mountain Lion, you can use this on the Server:
    sudo slapconfig -setmacosxodpolicy -binding required
    Use the following to check the binding policies:
    slapconfig -getmacosxodpolicy
    You might want to check the slapconfig man page, you'll find some of the other options that were in Server Admin in Lion, e.g. disable cleartext, block man-in-middle, etc.
    Edit: I just saw you're still using Lion Server, not Mountain Lion. I'm pretty sure the above commands will work on Lion Server as well.

  • Unable to set up Kerberos when creating Open Directory Master-beginner!

    I'm trying to promote a standalone server to an Open Directory master.
    In the Kerberos section I am typing my FQDN into the Realm field
    which is studioserver.example.com.
    However the searchbase is already filled with dc=studioserver,dc=local
    I've tried every different permutation but when I save the settings, the overview shows that Kerberos is stopped and therefore no KDC is created.
    I've used Lookup to confirm that DNS is ok...could this still be the problem?
    Any help much appreciated.

    Hi
    If DNS is configured correctly then the Kerberos Realm and search base fields will both be filled in automatically. The only difficult thing you have to do is decide on the Directory Administrator name and password and click OK.
    The only way out of this is to demote back to Standalone. This will trash the LDAP configuration and database effectively allowing you to start again. Export any users and groups first. Home folders (if you have created any) will not be affected.
    Go back and stop the DNS Service and delete the configuration you have in there, stop any other service you have running as well as deleting any configuration that depends on DNS. If you have configured DHCP, stop this and delete the configuration. Restart the server. Start simple file services first, AFP etc and then move onto DNS. Make sure this is resolving correctly. Avoid .local.
    Follow the instructions given in the first thread.
    You could also download the Open Directory Administration Manual from here:
    http://www.apple.com/support/manuals/macosxserver/
    Tony

  • Open Directory authentication question

    I have 2 Apple servers.  One is running 10.6 (server), the other is running 10.5 (server).  I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication.  What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory.  Any ideas?

    mickey13 wrote:
    I have 2 Apple servers.  One is running 10.6 (server), the other is running 10.5 (server).  I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication.  What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory.  Any ideas?
    This should work the same way as normal.
    1. Define the user accounts in Open Directory as normal via Workgroup Manager.
    2. On the 10.5 Server, set up a share point (usually AFP is used as the protocol); this is done in Server Admin.
    3. On the 10.5 Server, set up that share point to be an automounted share for user home directories; this will register that share in Open Directory, assuming you have already successfully connected the 10.5 Server to the Open Directory system. This is also done in Server Admin.
    4. Go back to Workgroup Manager, select a user account you want to store on the 10.5 server, and click on the Home tab; you should now see the 10.5 share point listed as an available choice for storing home directories.
    5. Click on the 10.5 share point and save the user account.
    6. I normally now click on Create Home Directory, although this happens automatically when a user logs in for the first time.
    It is perfectly ok to mix 10.5 and 10.6 servers in this manner. The client machines can also be a different version e.g. 10.4
    What you are doing above even though you are mixing 10.5 and 10.6 servers, is the same as you would do to spread the workload of user home directories across multiple servers. While handling user home directories does not cause a massive amount of CPU activity (or memory use) it does cause a significant amount of disk activity and therefore at a certain level spreading user accounts across multiple servers is recommended.

  • Do I need to use open directory on Yosemite Server, I'm only looking to use file sharing and VPN

    I'm setting up a new mac mini server with Yosemite and I was wondering if there are any advantages or disadvantages to not using the open directory service? The only services I'm planning on using are File Sharing and VPN.

    You don't need Open Directory unless you want to manage user accounts centrally on the server.

  • Php authenticate to Open Directory

    I have a Mac OS X Server with several realms, including some which require ssl. At present, when attempting to open a file in the secure realms, the default 401 http (or in this case https) authentication browser dialogue is brought up to request ID and password.
    Ideally, I would like to avoid this by inputting the ID and password in a form (which I can customise, e.g. with help tips) which is submitted to a php script. I imagine if the form was in the secure realm, but accessible to all, and the script to which it was directed looked up the ID and password from Open Directory or LDAP(?) then I may be able to achieve this. However, I am at a loss as to how I can access the Open Directory IDs and passwords via php. Does anyone have any experience with this? According to phpinfo(), OpenLDAP 3001 is enabled.
    Alternatively, I would be interested if anyone has some other customisable authentication method for accessing a secure realm.

    The process is basically:
    1. connect to ldap server
    2. search for user by login name given
    3. if user is found, try binding to server with login name and password given
    4. if binding is successful then user supplied correct name and password; else login fails
    Here is a snippet of my login function:
    <pre>function login($name, $pass)
    {
        // connect to ldap
        $ldap_connect = ldap_connect("ldap.domain.com");
        if ($ldap_connect === false) {
            return false;
        }
        ldap_set_option($ldap_connect, LDAP_OPT_PROTOCOL_VERSION, 3);
        if (empty($name) || empty($pass)) {
            return false;
        }
        // search for the user by login name; escape it so it cannot alter the filter
        // (ldap_escape needs PHP 5.6 or later)
        $dn = 'dc=domain,dc=com';
        $safe = ldap_escape($name, '', LDAP_ESCAPE_FILTER);
        $filter = "(&(objectclass=person)(userPassword=*)(|(uid=$safe)(cn=$safe)))";
        $attributes = array('cn', 'userpassword', 'uid');
        $search_result = ldap_search($ldap_connect, $dn, $filter, $attributes);
        if ($search_result === false) {
            return false;
        }
        $info = ldap_get_entries($ldap_connect, $search_result);
        if ($info === false || $info['count'] < 1) {
            return false;
        }
        // bind as the user found; the bind succeeds only with the correct password
        $ldap_bind = @ldap_bind($ldap_connect, $info[0]['dn'], $pass);
        ldap_unbind($ldap_connect);
        return $ldap_bind === true;
    }</pre>
    Message was edited by: skrying
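    The four steps in the answer above, written out in Python as an added example (this is not code from skrying's post, nor Apple's). The directory calls are passed in as two callables so the flow runs offline against a small constructed directory; `BASE_DN`, `FAKE_DIRECTORY`, `fake_search` and `fake_bind` are all assumptions for illustration, and in production the two callables would wrap a real client such as PHP's `ldap_search`/`ldap_bind`. Beyond the post's snippet it also escapes the login name per RFC 4515 before it goes into the filter, and refuses to bind unless exactly one entry matched.

```python
import re

# Assumed base DN, matching the PHP snippet above (constructed value).
BASE_DN = "dc=domain,dc=com"

# RFC 4515 escapes for characters that carry meaning inside a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a user-supplied value before interpolating it into a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(name):
    """Same filter shape as the PHP snippet, with the login name escaped so
    that input such as '*' or 'x)(uid=other' cannot change what it matches."""
    safe = escape_filter_value(name)
    return "(&(objectclass=person)(userPassword=*)(|(uid=%s)(cn=%s)))" % (safe, safe)


def ldap_login(name, password, search, bind):
    """Steps 1-4 of the answer: look the user up, then prove the password
    by binding as the entry found.

    search(base_dn, filter_str) -> list of matching DNs
    bind(dn, password)          -> True if the directory accepts the bind
    Refuses unless exactly one entry matched: zero means unknown user,
    more than one means the lookup was ambiguous.
    """
    if not name or not password:
        return False
    matches = search(BASE_DN, build_login_filter(name))
    if len(matches) != 1:
        return False
    return bool(bind(matches[0], password))


# --- Constructed fake directory so the flow can be exercised offline. ---
# In production, search/bind would wrap a real client (PHP's ldap_search and
# ldap_bind, or a Python LDAP library); these names are hypothetical.
FAKE_DIRECTORY = {
    "uid=alice,cn=users,dc=domain,dc=com": {"uid": "alice", "cn": "Alice Example", "pw": "correct horse"},
    "uid=bob,cn=users,dc=domain,dc=com": {"uid": "bob", "cn": "Bob Example", "pw": "battery staple"},
}


def _assertion_value_to_regex(value):
    """Interpret a filter assertion value the way a server does: '*' is a
    wildcard, '\\XX' is an escaped byte, everything else is literal."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "*":
            out.append(".*")
            i += 1
        elif ch == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
            out.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        else:
            out.append(re.escape(ch))
            i += 1
    return "^" + "".join(out) + "$"


def fake_search(base_dn, filter_str):
    """Toy server that evaluates only the (uid=...) assertion of our filter
    against uid and cn, case-insensitively like a real directory."""
    m = re.search(r"\(uid=([^)]*)\)", filter_str)
    if base_dn != BASE_DN or m is None:
        return []
    pattern = re.compile(_assertion_value_to_regex(m.group(1)), re.IGNORECASE)
    return [dn for dn, attrs in FAKE_DIRECTORY.items()
            if pattern.match(attrs["uid"]) or pattern.match(attrs["cn"])]


def fake_bind(dn, password):
    """Toy bind: succeeds only for a known DN with its own password."""
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and entry["pw"] == password


if __name__ == "__main__":
    print(ldap_login("alice", "correct horse", fake_search, fake_bind))  # True
    print(ldap_login("alice", "wrong", fake_search, fake_bind))          # False
    # With escaping, a login name of "*" is a literal asterisk and matches nobody.
    print(ldap_login("*", "correct horse", fake_search, fake_bind))      # False
    # Without escaping, the same name would match every person, which the
    # exactly-one check also refuses.
    print(len(fake_search(BASE_DN, "(&(objectclass=person)(|(uid=*)(cn=*)))")))  # 2
```

    The bind is what actually proves the password; the search only finds the DN to bind as. Reading the `userPassword` attribute back, as the snippet's attribute list does, is never needed for that and is usually denied by the server anyway.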

  • 2 Open Directory masters: will I have Kerberos conflicts?

    In the following scenario, will I create a conflict/problem with Kerberos?
    A Faculty Server is faculty.mydomain.org and a separate Student Server is student.mydomain.org (yup, same domain). Both are Open Directory masters (10.4), both have kerberos running. Both are on the same network subnet 255.0.0.0. Both are running DNS.
    Why are they both open directory masters? Because they need not share directory information, and it seems more secure to keep them separate worlds.
    However, I'm reading the Open Directory Administration manual, and it states that if you setup an Open Directory master on a network that has an Active Directory domain, you'll then create a kerberos conflict. It doesn't address if you have 2 Open Directory masters on the same network - but the logic makes sense that you'd create the same conflict - is that true?
    Thank you!

    Jeff - thank you for your reply. I agree - I think I am going about this wrong. I'm stuck in a 6-year-old methodology - and it's time to move on. So, I now have a question about best practices. Would the following be my best scenario - or would you, or others, suggest an alternative setup?
    450 students with 60 desktop client computers employing network home directories, plus another 35 unbound student laptop and old desktop computers not using network or portable home directories. 50 staff members with laptops and desktops that will use a mix of portable home directories, and unbound clients.
    Now, onto a 3 server setup: 1 new xServe providing Open Directory kerberos authentication services to all student and staff. 1 new MacPro running Server 10.4 for faculty home directories and services, and another identical MacPro for student home directories and services. All servers using dual ethernet aggregated links to a 1000/100 network, (servers will be 2 gigabit, wired clients will be a mix of 1000 or 100mbps, and 54mbps for wireless).
    All systems are on the same network in the same building.
    Should I go this route, or would an Open Directory replication server be the better way to go? Or, something else that I haven't thought of?
    Any constructive thoughts appreciated!
    Message was edited by: Nova

  • Open Directory and passwords

    Hi, I have come across something really odd someone pointed out to me with Tiger Server, and this is something I've not been able to duplicate on Panther Server, or at least I don't think I have been able to.
    The situation is this: There are three people in my workgroup who have "administrative" privileges for our small server cluster. When logging into one of the servers, it is possible for a person with administrative privileges to log into the server with any existing user name, and use their own password, or the global administrative password, to log into any account. This does seem weird to me. Is there an article somewhere that explains this? I've done a bit of searching, but am not sure what I am looking for here.
    I am starting to work with Open Directory and LDAP sharing of login information across a series of three servers and am wondering if it might be linked to this, and why/how, etc. Anyone with any good or bad thoughts on this?
    Thanks so much.

    Hi trotter,
    In fact this is a feature called 'masquerading' by Apple which can be very helpful, particularly when troubleshooting permissions issues on mounted volumes. It allows admins to mount volumes via AFP 'as users'.
    It was first implemented for Apple servers back in ASIP 6, and the feature exists in both Panther and Tiger.
    If you don't want this feature you can uncheck Server Admin > AFP > Access > Enable Administrator to masquerade... I believe the box is unchecked by default, so one of the admins must have checked it.
    IMHO it would also be very useful for admins to be able to have the options to masquerade to user OD/NetInfo accounts also.
    HTH,
    b.

  • Open Directory LDAPv3 Password and Diradmin recovery

    Hi Everyone,
    I have just inherited a 10.4.x PPC G5 server from another department and unfortunately the previous sysadmin didn't write down the Open Directory Admin username and password. Is there a way I can recover the username and reset the password?
    I've had to change the ip and I need to run the changeip command and it will ask me for the LDAP admin username and password.
    Regards
    Chris

    Hi
    The Directory Administrator account name and password are not required to run the changeip command. Whoever has given you this information is wrong. Diradmin only has authority over the LDAP Directory node. Either root or the default System Administrator account name and password (UID 501) will do this for you.
    Navigate to the Users folder, see the House icon? The name against the house icon will be the short name of the System Administrator account. If you don't know the password for this account you can boot the G5 from any 10.4 installer disk (or the original installer disks that came with the G5) and use the Reset Password Utility to define a new password for the System Administrator account. Root will also use this password. After the restart run the changeip command and provide the newly defined password.
    Hope this helps – Tony

  • Can't log in to Lion Server. Open Directory Log Message says: unable to connect to password server

    I am setting up Lion Server. I can't log in to Lion Server from client.
    Checking the Open Directory Log: says: "unable to connect to password server" or
    "3394.14268, Node: /LDAPv3/127.0.0.1, Module: AppleODClient - unable to read Password Server response - connection to Password Server was closed, socket fd 18 (5205)"
    Thanks for help with this.

    I never discovered the problem, and instead rebuilt the server from the ground up.  I followed instructions at this discussion thread.  Very helpful.
    How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.
    I have had some log-in problems with users.  I have found that restarting the server helps. If this doesn't work, I rebuild permissions on the server, followed by opening up Workgroup Manager, go to the user's password, click on options and require that the user change password on the next log-in. For some reason, this will usually fix the problem.  I then log in as the user, and "change" the password to the original one. Also note, that if you import a user, the password is not brought in.  You must enter it for each user that you imported.  Even so, I have often had to resort to the re-set password procedure to enable a log-in.

  • Open Directory users prompted to change password after 10.8 to 10.9 server upgrade

    I just upgraded our 10.8.5 server to 10.9.3. I also upgraded Server.app to the most recent version (3.1.2). I made a complete backup first as a precaution.
    Existing non-admin users are being prompted to change their password when logging in. I've narrowed the problem down to a checkbox in the "Global Password Policy" settings in Server.app, specifically this checkbox: "Passwords must: be reset on first user login". I had that box checked in 10.8 so that new users would be prompted to create a password the first time they logged into a bound computer. It worked great and I'd like to continue using this feature in 10.9.
    If I uncheck this box in Server.app in 10.9.3, existing users can log in just fine with their existing passwords. If I re-check the box, non-admin users are suddenly prompted to change their password when logging in, even though they've logged in countless times in the past.
    Here are some things I've tried:
    * stopping and restarting the Open Directory service in Server.app
    * restarting the server
    * disabling and re-enabling an existing user account
    * inspecting user records in Directory Utility for any peculiar attributes
    * I used the mkpassdb -dump command to verify that the correct "last login time" is present for a particular user, but I'm not enough of an Open Directory expert to know if this is the attribute that the Global Password Policy relies on.
    Does anyone have any other ideas or suggestions?

    UPDATE: It looks like this issue applies to new (post-upgrade) accounts, too, suggesting that this has nothing to do with the upgrade process. Can anyone confirm this behavior? It's easy to test:
    1) Make sure the "Passwords must: be reset on first user login" box is unchecked.
    2) Create a new user in Open Directory.
    3) Log in once. No problem.
    4) Now check the "Passwords must: be reset on first user login" box.
    5) Try to log in again. Were you prompted to change your password? Logically, you shouldn't have been prompted, but users on my server are being prompted.
