Open Directory Password Permissions

I was wondering if anyone can shed any light or recommend how I can do this, but basically I have an Xserve running in a mixed Mac/Windows environment (mainly XP but 1 or 2 Vista machines).
The clients are not bound to the OD, though each user has a network account that they use to access the server via AFP/SMB. This is done simply in the Finder (on Mac) and a mapped network drive (on PCs).
However, I wish to enforce a password policy so that users are required to change their passwords every 30 days. Now this works well for Mac clients as they get a prompt to change their passwords. But there doesn't seem to be the same option given for the Windows clients.
Do I need to bind them to the OD, or is there something very simple I am overlooking?
Any help on this is much appreciated

Unless you are willing to go the AD/OD ('Magic/Golden Triangle') route, your options will be limited to making your OS X server a NT-style PDC -many issues have cropped up of late with changes that have been implemented in security updates from Microsoft affecting XP clients with no guarantee that it won't happen again- or employing something on the order of 'pGina' -currently no longer in development, with the last update in Sept. '08. Some have reported that it still works, but, there's no assurance of continued functionality in the future and it does require that you modify your Win client installations.
It's a tough call -if you only have a few users to support given the amount of work you'd have to do to get where you wish to be. If you don't have to make a large investment in new equipment, you just might want to go AD/OD, as it gives greater management control over your Win clients that you won't get with an NT-style PDC setup.

Similar Messages

  • How to repair Open Directory Master after Changing Hostname

    Summary:
    How to repair Open Directory after Changing your Server's Hostname (see separate post)
    Problem:
    I had to change our server's hostname from a private hostname (server.name.private) to a public hostname (name.dyndns.org).
    Procedure:
    1. Precautions:
    Since I was anticipating major dramas I tested the change of hostname on a clone (I used Super Duper, and I very strongly advise everybody to heed this warning because a change of hostname will corrupt your server services, in particular Open Directory).
    Second, I exported the network users from Server Admin and copied the archive to the Drop Folder of the server's local account (because the network accounts will be unavailable after demoting the OD Master.)
    2. Change hostname and demote OD Master
    a) I re-booted the server from the clone
    b) I changed the hostname in Server App and I noticed that the Open Directory Password and the Kerberos database were still stuck with the old hostname.
    c) I then demoted to a standalone directory (Server Admin) and I tried to promote the server to an OD Master using the Server App (Manage Network Accounts). Server App always returned an error saying I should check my network settings.
    3. List of 'fixes'
    I tried the following fixes to no avail (which does not mean that you can skip them)
    a) I checked the DNS entries, forward and reverse were working fine (sudo checkip -changehostname)
    b) Checked with Lookup in Network Utility, all was fine
    c) I deleted all system certificates (Keychain) which showed the name of the previous hostname
    ( N.B. you need not delete email certificate and private/public keys)
    d) I tried to assign a new static IP in Networking Preferences (had no visible result)
    e) I re-booted from the working drive and I re-paired permissions on the clone; I ran disk repairs.
    Despite all this I could not re-create an OD Master.
    I then looked for this dubious folder /var/root/Library/Application Support/Certificate Authority.
    I could not find this folder when using the Finder's Go To Folder, nor did "Easy Find" see this folder.
    I was about to give up when I read the posts on this page and I entered the Terminal commands
    sudo rm -R /var/root/Library/Application\ Support/Certificate\ Authority/
    I had not much hope when I set about to re-create the OD Master from the Server App.
    But lo and behold !!! I did not trust my eyes when Server App claimed that the OD Master had been successfully created. And indeed, Server admin showed a running OD Master, LDAP, Kerberos and Password Server all running again !
    Final touch: re-import the user accounts.
    Epilogue:
    I would not have been able to fix this issue had not so many others shared their experience and the working solution.
    (Refer : https://discussions.apple.com/thread/3219325?start=0&tstart=0 )
    Thank you all !
    Let's hope that Apple will fix this annoying issue in the next server update.
    Regards,
    Twistan

    Hi Rhyan,
    Please try clearing the security cache
    http://www.sharepointanalysthq.com/2014/05/active-directory-groups-and-sharepoint-security/
    https://sergeluca.wordpress.com/2013/07/06/sharepoint-2013-use-ag-groups-yes-butdont-forget-the-security-token-caching-logontokencacheexpirationwindow-and-windowstokenlifetime/
    http://webactivedirectory.com/active-directory/windows-active-directory-cached-user-credentials/
    Please remember to click 'Mark as Answer' on the answer if it helps you

  • Open Directory and passwords

    Hi, I have come across something really odd someone pointed out to me with Tiger Server, and this is something I've not been able to duplicate on Panther Server, or at least I don't think I have been able to.
    The situation is this: There are three people in my workgroup who have "administrative" privileges for our small server cluster. When logging into one of the servers, it is possible for a person with administrative privileges to log into the server with any existing user name, and use their own password, or the global administrative password, to log into any account. This does seem weird to me. Is there an article somewhere that explains this? I've done a bit of searching, but am not sure what I am looking for here.
    I am starting to work with Open Directory and LDAP sharing of login information across a series of three servers and am wondering if it might be linked to this, and why/how, etc. Anyone with any good or bad thoughts on this?
    Thanks so much.

    Hi trotter,
    In fact this is a feature called 'masquerading' by Apple which can be very helpful, particularly when troubleshooting permissions issues on mounted volumes. It allows admins to mount volumes via AFP 'as users'.
    It was first implemented for Apple servers back in ASIP 6, and the feature exists in both Panther and Tiger.
    If you don't want this feature you can uncheck Server Admin > AFP > Access > Enable Administrator to masquerade... I believe the box is unchecked by default so one of the admins must have checked it.
    IMHO it would also be very useful for admins to be able to have the options to masquerade to user OD/NetInfo accounts also.
    HTH,
    b.

  • Can't log in to Lion Server. Open Directory Log Message says: unable to connect to password server

    I am setting up Lion Server. I can't log in to Lion Server from client.
    Checking the Open Directory Log: says: "unable to connect to password server" or
    "3394.14268, Node: /LDAPv3/127.0.0.1, Module: AppleODClient - unable to read Password Server response - connection to Password Server was closed, socket fd 18 (5205)"
    Thanks for help with this.

    I never discovered the problem, and instead rebuilt the server from the ground up.  I followed instructions at this discussion thread.  Very helpful.
    How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.
    I have had some log-in problems with users.  I have found that restarting the server helps. If this doesn't work, I rebuild permissions on the server, followed by opening up Workgroup Manager, go to the user's password, click on options and require that the user change password on the next log-in. For some reason, this will usually fix the problem.  I then log in as the user, and "change" the password to the original one. Also note, that if you import a user, the password is not brought in.  You must enter it for each user that you imported.  Even so, I have often had to resort to the re-set password procedure to enable a log-in.

  • Open Directory users prompted to change password after 10.8 to 10.9 server upgrade

    I just upgraded our 10.8.5 server to 10.9.3. I also upgraded Server.app to the most recent version (3.1.2). I made a complete backup first as a precaution.
    Existing non-admin users are being prompted to change their password when logging in. I've narrowed the problem down to a checkbox in the "Global Password Policy" settings in Server.app, specifically this checkbox: "Passwords must: be reset on first user login". I had that box checked in 10.8 so that new users would be prompted to create a password the first time they logged into a bound computer. It worked great and I'd like to continue using this feature in 10.9.
    If I uncheck this box in Server.app in 10.9.3, existing users can log in just fine with their existing passwords. If I re-check the box, non-admin users are suddenly prompted to change their password when logging in, even though they've logged in countless times in the past.
    Here are some things I've tried:
    * stopping and restarting the Open Directory service in Server.app
    * restarting the server
    * disabling and re-enabling an existing user account
    * inspecting user records in Directory Utility for any peculiar attributes
    * I used the mkpassdb -dump command to verify that the correct "last login time" is present for a particular user, but I'm not enough of an Open Directory expert to know if this is the attribute that the Global Password Policy relies on.
    Does anyone have any other ideas or suggestions?

    UPDATE: It looks like this issue applies to new (post-upgrade) accounts, too, suggesting that this has nothing to do with the upgrade process. Can anyone confirm this behavior? It's easy to test:
    1) Make sure the "Passwords must: be reset on first user login" box is unchecked.
    2) Create a new user in Open Directory.
    3) Log in once. No problem.
    4) Now check the "Passwords must: be reset on first user login" box.
    5) Try to log in again. Were you prompted to change your password? Logically, you shouldn't have been prompted, but users on my server are being prompted.

  • How to set permissions IN Open Directory USING Open Directory groups?

    Hi all,
    Apologies if I've missed this but have been searching for two days trying to figure out how to delegate permissions within the OD to a number of different OD groups and i can't seem to find any way to do this either at the command line or with WGM.
    Examples: an OD group containing those who will manage the full directory need to have permissions on all containers, child objects, and their attributes in the directory. For this one in particular I seem to be able to nest a group in the default Admin group, but this isn't really what i'm after. I need to create OD groups with the ability only to manipulate objects of class apple-computer and similarly, apple-user (really all inetOrgPerson objects). In a nutshell: how do i set permissions on specific attributes or object classes using OD groups?
    thanks for any pointers...
    -andrew

    I think i just answered my own question: Open Directory is OpenLDAP. slapd is all i need.

  • Linked PDF with Open Doc password- false, Edit Permissions- true, requires password to open AI doc

    I would like to password protect editing of a placed PDF. I have set the PDF Open Doc password to false and the Edit permissions to true. Illustrator still requires the permissions password to OPEN the Illustrator document. This would defeat the purpose, no?

    Well, it does seem to work, sort of. The Illustrator document with a placed, protected PDF asks for the password when opening. The password is also required when attempting to embed (edit) the linked PDF, as expected.
    I would think the correct behavior should be for the Open Document password protection (or lack of) to control opening the Illustrator document and the Edit Permissions password to be applied when embedding or flattening the linked PDF, making it accessible to editing. Acrobat seems to be able to make this distinction.
    This would be a significant feature for users who need to restrict editing of sensitive portions of their layouts while allowing necessary prepress work downstream.

  • Open Directory LDAPv3 Password and Diradmin recovery

    Hi Everyone,
    I have just inherited a 10.4.x PPC G5 server from another department and unfortunately the previous sysadmin didn't write down the Open Directory Admin username and password. Is there a way I can recover the username and reset the password?
    I've had to change the ip and I need to run the changeip command and it will ask me for the LDAP admin username and password.
    Regards
    Chris

    Hi
    The Directory Administrator account name and password are not required to run the changeip command. Whoever has given you this information is wrong. Diradmin only has authority over the LDAP Directory node. Either root or the default System Administrator account name and password (UID501) will do this for you.
    Navigate to the Users folder, see the House icon? The name against the house icon will be the short name of the System Administrator account. If you don’t know the password for this account you can boot the G5 from any 10.4 installer disk (or the original installer disks that came with the G5) and use the Reset Password Utility to define a new password for the System Administrator account. Root will also use this password. After the restart run the changeip command and provide the newly defined password.
    Hope this helps – Tony

  • No Open Directory under password type pulldown

    When creating a new user. I need to select a password type of "Open Directory" but it is not there. There is only "Shadow Password".
    I have gone to Server admin and changed the Open Directory from "Standalone Server" to "Open Directory Master" but no luck.
    What am I doing wrong ?

    This is the start of me trying to unlock the screensaver as a PHD user, off the network, internet on.
    Oct 8 23:11:57 DL-MBP authorizationhost[737]: k5_authenticate(): got -1765328228 (Cannot contact any KDC for requested realm) on plugins/krb5/krb5_operations.c:54
    Oct 8 23:11:58 DL-MBP authorizationhost[737]: -[SFBuiltinAuthenticate performDSPasswordAuth](): got -1765328228 (Cannot contact any KDC for requested realm) on authhostbuiltins.m:845
    Oct 8 23:11:58 DL-MBP com.apple.SecurityServer[22]: Engine::authorize: Rule::evaluate returned -60008 returning errAuthorizationInternal
    This is me now unlocking the screensaver using a local admin login.
    Oct 8 23:12:03 DL-MBP com.apple.SecurityServer[22]: uid 1045 succeeded authenticating as user admin (uid 502) for right system.login.screensaver.
    Oct 8 23:12:03 DL-MBP com.apple.SecurityServer[22]: Succeeded authorizing right system.login.screensaver by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.
    This is me now unlocking the screensaver with off the network with internet off, a successful local cache result.
    Oct 8 23:13:57 DL-MBP authorizationhost[737]: k5_authenticate(): got -1765328228 (Cannot contact any KDC for requested realm) on plugins/krb5/krb5_operations.c:54
    Oct 8 23:13:57 DL-MBP authorizationhost[737]: -[SFBuiltinAuthenticate performDSPasswordAuth](): got -1765328228 (Cannot contact any KDC for requested realm) on authhostbuiltins.m:845
    Oct 8 23:13:57 DL-MBP com.apple.SecurityServer[22]: uid 1045 succeeded authenticating as user terrywest (uid 1045) for right system.login.screensaver.
    Oct 8 23:13:57 DL-MBP com.apple.SecurityServer[22]: Succeeded authorizing right system.login.screensaver by client /System/Library/CoreServices/loginwindow.app for authorization created by /System/Library/CoreServices/loginwindow.app.

  • want to create a user account from "Crypted Password" to "Open Directory"

    I have created a user account with "user password type: Crypted Password".
    Is there any way I can script it to "user password type: open directory"?
    I've used perl-ldap to create user accounts but I don't know how to change the user password type to Open Directory,
    because my script will add a new node in the directory. I just need a way to make the "user password type" "Open Directory" AT CREATION TIME, not modifying it after I have a user account; the script below will generate a node in the directory with "Crypted Password" as User Password Type.
    Is there any attribute I need to add to make it "Open Directory", or a perl command, applescript, bash, objective c (hopefully not)....
    thanks for reading...
    use Net::LDAP;

    # $c is assumed to be a Net::LDAP connection already bound as the directory
    # administrator (created earlier in the script, not shown in the post).
    # Multi-valued attributes such as objectclass must be passed as an array ref.
    my $res = $c->add(
        dn   => 'uid=testing,cn=users,dc=microsoft,dc=info',
        attr => [
            'cn'            => 'testing',
            'gidNumber'     => '20',
            'homeDirectory' => '99',
            'objectclass'   => [ 'inetOrgPerson', 'posixAccount', 'shadowAccount', 'apple-user',
                                 'extensibleObject', 'organizationalPerson', 'top', 'person' ],
            'sn'            => 'testing',
            'uid'           => 'testing',
            'uidNumber'     => '5000',
            'apple-generateduid' => '27318931-B341-4364-91B4-84E4AAAD1234',
            'givenName'     => 'testing',
            'loginShell'    => '/bin/bash',
            'userPassword'  => 'testing',   # stored as a crypt hash, hence "Crypted Password"
            'homePhone'     => '555-2020',
            'mail'          => '[email protected]',
        ],
    );
    die "unable to add, errorcode #" . $res->code() . ' ' . $res->error if $res->code();
    thanks

    Since this question isn't Xserve specific a better place to get an answer is probably in the Directory Services forum: http://discussions.apple.com/forum.jspa?forumID=1353
    That being said, if you are trying to migrate Crypt accounts to OD accounts then the short answer is no. You need an unencrypted password to put the password into OD via a script, so short of cracking the encrypted password and inserting it in plain text into the OD user account creation process, I don't think you can.
    You should be able to dictate the password (and any other settings you can do from the GUI) but the password is the missing piece. Under really old OS X systems I actually suspect you can get passwords to export (hinted at by an Apple engineer I discussed this with) but there is probably a faster and more straightforward solution.
    What I have done is export from NetInfo, clean the accounts via script and then reimport the accounts into the new system. I usually assign a password and dictate "Must change password at next login" and then email people the temporary passwords. It's been a while but I believe you can mass select and then dictate password settings so if that works for you create accounts with all the same password and then you can select by group and make changes - eg Must change password at login.
    Good luck,
    =Tod

  • Open directory administrator's password to manage

    hi.
    i have a mac os x server 10.4 with Open Directory.
    Now I want to add some new users and some new computers to my domain. When I log in to Open Directory I am able to see the tree of my LDAP domain, but I am unable to add a new user or computer.
    Why is this happening? I can see the users that are there. I have tried to log in and unlock Open Directory with some other users, but I can't solve it. I can't see or enable the buttons for "add user" and "add computer".
    can you help me?
    thanks

    Hi
    have a mac os x server 10.4 with Open Directory
    You should really post this in the relevant Forum as this is for 10.5 Server:
    http://discussions.apple.com/forum.jspa?forumID=713
    Having said that I have to ask the obvious. If you want to add/delete/amend - amongst other things - users to the /LDAPv3/127.0.0.1 node you have to click the lock on the right hand side and authenticate using the Directory Administrator (diradmin) account name and password. Once you've done that you should be able to work within that node.
    Tony

  • My user's permissions are gone, open directory service was set to off

    Mac Mini running OSX 10.9.2.  OSX Server version 3.1.1.
    I already repaired the disk permissions via Disk Utility; there was a lot that was wrong. I did not personally turn the Open Directory service off. I am able to turn the Open Directory service back on, but now it says "Unable to load replica list" and then promptly turns itself back off. It's almost like the service just lost all of its settings, although the status is green saying it is available at *******.******. before it switches off. Any ideas?

    You can attempt a recovery.  Follow these steps:
    1:  Stop Open Directory if it happens to still be running.  This must be done using the command line.
         sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist
    2:  Run the db_recover tool and attempt to repair the damage.
         sudo db_recover -v -h /var/db/openldap/openldap-data/
    3:Reboot the server.  Cross fingers.
    R-
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
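    db_recover rewrites the database directory it is pointed at, so the check worth adding to steps 1 and 2 above is a copy of /var/db/openldap/openldap-data taken while slapd is stopped, before any repair runs. The script below is an added example, not the reply author's procedure or an Apple tool: it wraps the two commands from the reply with that snapshot and a dry-run switch. The plist and data directory paths are the ones given in the reply; the backup location under /var/backups is an assumption.

```sh
#!/bin/sh
# Added example, not from the original reply: snapshot the OpenLDAP BDB data
# directory before running db_recover on it. The launchd plist and data paths
# are the ones given in the reply above; BACKUP_ROOT is an assumed location.
BACKUP_ROOT=${BACKUP_ROOT:-/var/backups/openldap}

# snapshot_dir SRC DEST_ROOT: copy SRC (preserving modes and times) into a
# timestamped directory under DEST_ROOT and print the copy's path. Fails if
# SRC is missing or the copy does not contain the same number of entries.
snapshot_dir() {
    src=$1
    dest_root=$2
    [ -d "$src" ] || { echo "error: $src is not a directory" >&2; return 1; }
    dest="$dest_root/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest" || return 1
    cp -Rp "$src/." "$dest/" || return 1
    src_n=$(find "$src" | wc -l | tr -d ' ')
    dest_n=$(find "$dest" | wc -l | tr -d ' ')
    [ "$src_n" = "$dest_n" ] || { echo "error: copy incomplete ($dest_n of $src_n entries)" >&2; return 1; }
    echo "$dest"
}

# repair_openldap DATA_DIR [dry]: stop slapd, snapshot DATA_DIR, run db_recover.
# With a second argument of "dry" the privileged commands are printed, not run;
# the snapshot is still taken so the copy step itself can be rehearsed.
repair_openldap() {
    data_dir=$1
    mode=${2:-run}
    run() { if [ "$mode" = dry ]; then echo "would run: $*"; else "$@"; fi; }

    run sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist || return 1
    snap=$(snapshot_dir "$data_dir" "$BACKUP_ROOT") || return 1
    echo "snapshot of $data_dir saved in $snap"
    run sudo db_recover -v -h "$data_dir" || return 1
    echo "db_recover finished; reboot the server (step 3) and check Server.app"
}

# Usage on the server:
#   repair_openldap /var/db/openldap/openldap-data dry   # rehearse
#   repair_openldap /var/db/openldap/openldap-data       # do it
```

    If the snapshot step fails, nothing has been changed yet and slapd can simply be loaded again; if db_recover leaves the directory in a worse state, the timestamped copy is what gets restored.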

  • Strange Permissions problem when creating new Open Directory user

    I just set up a mac lab to authenticate to an Open Directory server which also stores home folders. All of the initial users I created work fine, there were about 50 users that I set up. When I added a new user this morning though, it would not allow him to access anything within his home folder (i.e. nothing worked)
    I went back to the server and took a look at the Users share and noticed that when his account was created, instead of setting the owner of the folder to his username (xxx123) it was set to his userid number (1024). I did a chown on his directory to his username and he was then able to access his home directory from the clients.
    I realize I found a fix, but I would prefer to not have to do this every time I create a new user. Why is this happening?

    Have you used the "Role" drop-down to "SYSDBA"? - if not, you get the ORA-01017 error.

  • Brand new Open Directory server not authenticating 10.9, 3.3.2

    I'm hoping somebody here has run into this as it's driving me up a wall.
    I'm on a completely clean install of OS X Mavericks, with the installation from the App Store.
    On top of that, a completely clean install of Server.app 3.2.2 is installed.
    This server has a FQDN, and when I check to see if the hostname resolves in DNS, it totally does. DNS is not turned on as a service, but DNS server settings are correct and the server can hit the outside internet just fine.
    So my steps are as follows: Install Mavericks, clean onto a new partition. Update with all patches. Set Static IP. Install Server 3.2.2 which installs without error. Check hostname settings. All good there. Verify permissions. Create OD Master. I cannot get a single newly created with Server.app Local Network user to log in, even with home folders all 100% local to the client machine. I've unbound and rebound the client machine. I've restarted everything. Nothing.
    When attempting to log in, if I set it to reset password at next login, the prompt to reset the password will appear. I know at least initial auth is taking place, or I wouldn't be getting a password reset screen. After attempting to reset the password, neither the original temporary nor reset password will work. Users cannot log in.
    Here are the errors generated, with my info edited out:
    Jan 14 17:49:35 server slapd[111]: passwd_extop: (null) changed password for uid=test,cn=users,dc=controller,dc=domain,dc=edu
    Jan 14 17:49:35 server slapd[111]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
    Jan 14 17:49:35 server slapd[111]: conn=1181 op=3: attribute "entryCSN" index delete failure
    Jan 14 17:49:41 server slapd[111]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
    Jan 14 17:49:41 server slapd[111]: conn=1197 op=3: attribute "entryCSN" index delete failure
    I understand this is common for users upgrading from 10.6.8 but this is completely clean. I'm not usually administering an OS X server; I'm completely lost.
    Have tried: Recreating master, rekerberizing
    Using scutil and host to verify the DNS on the server works perfectly. Am I missing something small with DNS? We are a fairly large org with DNS not being provided by this server. If you think a different log file would help, please let me know which one.

    What do you get from this:
    sudo /usr/libexec/slapd -Tt
    Anything in /Library/Logs/slapconfig.log?
    Also, have you tried the suggestion here:
    Open Directory - Local Network User/Group - GONE

  • Migrate existing users from local domains to Open Directory.

    Here is the environment I'm working with:
    Small local environment (8-10) users. Everyone is on their own laptop, everyone is authenticating to their local directories. Network files are stored on a server, with everyone using a single shared user ID to authenticate and access the files.
    I have just installed a Xserve, and it is now serving DNS, DHCP, NTP, WWW. I want to setup Open Directory in Master mode, create user IDs for everyone, and then assign permissions to the shared files area.
    The one part that I'm not sure how to approach is the local laptops. If user "John Doe" has a local ID "jdoe" that he has been using on his local laptop, how does he migrate over to being "jdoe" in the OD domain, while retaining his "local" home directory and files? The problem I think I'll have is that when I create "jdoe" on the domain, he will have a UID of (say) 10001, but his local UID is 501 (as is the UID of all the other employees since they are all the first user on each of their respective laptops), so when he logs back into his laptop after it has been attached to the OD domain, I assume that the laptop will see "jdoe" from the OD domain as a new user and create a new home for him (with the UID 10001), so now John cannot see any of his old files and such.
    Also, as a side question: I've worked with Windows ID before, and I know once you join a windows computer to a domain and then login to it, it creates a new user and caches the authentication info, so that when the laptop is not connected to the corporate network, the user can still login and work. Does Open Directory do the same on the laptops?
    Thanks for any help.

    Retaining password is a manual process of asking the user what his or her password is and then creating it in OD.
    As for migration of account, it is rather simple, provided the short name of the user remains consistent across directory systems. For example, if you have a user named Joe User and his short name is juser with a home folder in /Users/juser. And you create the same account in OD. You can do these few short actions.
    1: Bind system to the domain
    2: From the Admin account, and using Terminal from root, navigate to /var/db/dslocal/nodes/Default/users and find the plist file for the user (in our example, juser.plist).
    3: Delete the file using rm
    4: Restart the machine or restart Open Directory
    5: Log in as the admin user and change ownership of the user's home folder. Recall that when the user is in the local domain, the UID was likely 502, 503, etc (you do have a standard local admin at 501 right?) Now that the user is in OD, the UID will be 4 digits, something like 1027. So understanding that user attributes and user data are independent, you now have a folder in /Users titled juser and owned by uid 50x. You need to make it owned by juser from the OD domain. Use this:
    sudo chown -R juser /Users/juser
    6: Log out of the admin account
    7: Log in as the user after choosing Other at login window.
    Assuming you have your OD account set up properly, you will likely be asked to confirm the caching of the user's credentials. This will path you right back into the user's home folder and all will be right with the world.
    This is simple and quick. If the shortnames are different, throw an mv into the mix to rename the home folder to match the domain shortname. If you have no local admin, then you will need to reset DSLocal and start again.
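    The ownership change in step 5 is the step most worth checking before it runs: if the short name still resolves to the old local UID (the plist from step 2 was not removed, or the bind did not take), chown -R changes nothing useful, and if it resolves to the wrong account the whole home folder is handed to someone else. The pre-flight script below is an added example, not part of the reply above or an Apple tool. It confirms that the name resolves to a directory UID, shows which UID currently owns the home folder and counts the entries the chown would touch. It assumes that id -u resolves the account through the bound Open Directory node and that find(1) accepts -uid, which both GNU and BSD find do.

```sh
#!/bin/sh
# Added example, not from the original post: pre-flight for step 5,
#   sudo chown -R juser /Users/juser
# Assumes "id -u NAME" resolves NAME through the bound directory node and that
# find(1) accepts -uid (true for GNU find and the BSD find shipped with macOS).

# resolve_uid NAME: print the numeric UID of NAME; fail if no directory
# (local or Open Directory) knows the account.
resolve_uid() {
    id -u "$1" 2>/dev/null
}

# owner_uid PATH: print the numeric UID that owns PATH. Uses ls -n rather than
# stat(1), whose flags differ between macOS and GNU coreutils.
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# count_not_owned_by DIR UID: number of entries under DIR (DIR itself included)
# whose owner is not UID. Zero means the chown would change nothing.
count_not_owned_by() {
    find "$1" ! -uid "$2" 2>/dev/null | wc -l | tr -d ' '
}

# preflight_home_migration NAME HOME: report what "chown -R NAME HOME" would
# do. Returns 0 when NAME resolves to a UID (safe to proceed), 1 otherwise.
preflight_home_migration() {
    name=$1
    home=$2
    new_uid=$(resolve_uid "$name") || {
        echo "error: '$name' does not resolve; is this system bound to the OD node?" >&2
        return 1
    }
    old_uid=$(owner_uid "$home")
    pending=$(count_not_owned_by "$home" "$new_uid")
    if [ "$old_uid" = "$new_uid" ]; then
        echo "$home is already owned by $name (uid $new_uid); $pending entries still differ"
    else
        echo "$home is owned by uid $old_uid; $name now resolves to uid $new_uid; $pending entries to chown"
    fi
    return 0
}

# Usage, from the admin account after the restart in step 4:
#   preflight_home_migration juser /Users/juser && sudo chown -R juser /Users/juser
```

    The report is also the quickest way to notice the shortname mismatch mentioned at the end of the reply: a name that does not resolve at all points at a differing OD short name (or a plist that was not removed) rather than at a permissions problem.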
