Mac OS X Server user can't change password

I have non-admin users who need to change their password. The passwd command is apparently limited to administrators.

On the Server website, there's a change password link, but it doesn't work, and users receive an error. Internally, Mac OS X logs the following message:

Jan 21 01:56:02 domain.com collabd[247]: [CSAuthService.m:506 ab93000 +206ms] Could not change password for user 1234 with error Error Domain=com.apple.OpenDirectory Code=4001 "Operation was denied because the current credentials do not have the appropriate privileges." UserInfo=0x1234567890abc {NSLocalizedDescription=Operation was denied because the current credentials do not have the appropriate privileges., NSLocalizedFailureReason=Operation was denied because the current credentials do not have the appropriate privileges.}

I have the option in the website service checked to allow changing passwords. What would be causing this error?

EDIT: Users created with the Server app are fine, but the trouble is with users created with dscl on the command line. Here are the exact commands used to create a test user named "qwer":

sudo dscl . create /Users/qwer UniqueID 507
sudo dscl . create /Users/qwer PrimaryGroupID 20
sudo dscl . create /Users/qwer UserShell /bin/bash
sudo dscl . create /Users/qwer NFSHomeDirectory /Users/qwer
sudo mkdir /Users/qwer
sudo chown qwer:staff /Users/qwer
sudo passwd qwer

I then executed sudo dscl . read /Users/qwer and compared it with sudo dscl . read /Users/uiop for a second test user.

In the records, the following keys are unique to the user created with the Server app:

dsAttrTypeNative:_writers_hint
dsAttrTypeNative:_writers_jpegphoto
dsAttrTypeNative:_writers_passwd
dsAttrTypeNative:_writers_picture
dsAttrTypeNative:_writers_realname
dsAttrTypeNative:_writers_UserCertificate
LastName
RealName

These match:

AppleMetaNodeLocation
PasswordPolicyOptions
PrimaryGroupID
RecordType
UserShell

And these are unique to each user (or in the case of Password are obfuscated):

dsAttrTypeNative:KerberosKeys
dsAttrTypeNative:ShadowHashData
AuthenticationAuthority
GeneratedUID
NFSHomeDirectory
RecordName
UniqueID
Password

I checked AuthenticationAuthority but the only thing different is the username in the string, so that could be considered equivalent as well.

Additionally, groups qwer and groups uiop give exactly the same output.

There doesn't appear to be anything preventing "qwer" from changing their password except for the fact that their user account was created on the command line; however, the dscl method should be perfectly valid.


According to this old article (10.3!), the lack of a _writers_password property in the NetInfo database would prevent users from changing their password. That's really outdated, but it seems like a reasonable place to start.

http://support.apple.com/kb/TA21256

(Edit)

From some other sources (as far back as "Running Mac OS X Tiger" page 136) it looks like _writers_passwd is a list of users who can change that particular user's password. So, setting it to the username should be sufficient.
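The fix this answer proposes, as an added shell example that is not code from the original posts: a check that a user's record lists them in _writers_passwd, exercised here on constructed samples of dscl output, plus a helper that adds the attribute when it is missing. The live `dscl . read` lookup and the `dscl . create ... _writers_passwd` syntax are assumptions, not something the page shows.

```shell
#!/bin/sh
# Added example, not from the original posts. Checks whether a local user
# record lists the user in _writers_passwd (the attribute the answer above
# identifies) and adds it when absent. The record text is passed in as a
# string so the check can be exercised on captured "dscl . read" output.

# has_writers_passwd USER RECORD_TEXT
# Returns 0 when RECORD_TEXT has a _writers_passwd line that names USER
# (a line naming only other users does not count: USER must be listed).
has_writers_passwd() {
    user="$1"
    record="$2"
    printf '%s\n' "$record" | awk -v u="$user" '
        $1 == "dsAttrTypeNative:_writers_passwd:" || $1 == "_writers_passwd:" {
            for (i = 2; i <= NF; i++) if ($i == u) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# ensure_writers_passwd USER
# Live check against the local node ("."). The dscl syntax used to set the
# attribute to the user's own name is assumed, following the answer's advice.
ensure_writers_passwd() {
    user="$1"
    record=$(dscl . read "/Users/$user") || return 1
    if has_writers_passwd "$user" "$record"; then
        echo "$user: _writers_passwd already lists $user"
        return 0
    fi
    sudo dscl . create "/Users/$user" _writers_passwd "$user"
}

# Constructed sample: trimmed record of a Server.app-created user (has the attribute)
SAMPLE_SERVER_USER='RecordName: uiop
UniqueID: 508
dsAttrTypeNative:_writers_passwd: uiop
dsAttrTypeNative:_writers_realname: uiop'

# Constructed sample: the dscl-created user from the question (no _writers_* keys)
SAMPLE_DSCL_USER='RecordName: qwer
UniqueID: 507
UserShell: /bin/bash'

# Usage: sh check_writers.sh qwer   (runs the live check on a real account)
if [ $# -gt 0 ]; then
    ensure_writers_passwd "$1"
fi
```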


First, the passwd command doesn't require any administrator access to change your own password.

I think you have a certificate problem. Have a look in the Certificate pane of the Server app and check that all your certificates are still valid and that there is no warning about a service not using a certificate in the bottom pane. It looks like the web server is not being allowed to make the password change for some reason.

You could also go to /Library/Server/Wiki/Config and run plutil on all the plist files to make sure nothing is too wrong there. I'd also check that all the file permissions look sane.

Do you get the same error for both standard and admin users? Can an admin user successfully check into Profile Manager?