How do I remove authenticated Open Directory binding to itself?

In attempts to solve my file sharing issues I have at some point on macOS Mojave + Server, using Directory Utility, bound the Open Directory server to itself using Directory Utility (I was quite desperate). Now, with all the changes I made I was able to get the client machine use authenticated binding to the server machine and now SMB file sharing works. So far so good, but I cannot change the passwords of users anymore. When I try, I get the following error:

existing connection is not authenticated and the old password is not present: password change denied

DNS is ok. What I can find is that in the past one could 'rekerberize' the server but that information is old (Mavericks) so I don't want to try.

I was looking at removing the local authenticated binding on macOS Mojave Server. But in Directory Utility that is greyed out. And I do not dare to remove/recreate the LDAP server with Directory Utility on a production server yet (very scared).


Solution 1:

While trying to get this done I accidentally found a way to do this:

  1. On the server, in Directory Utility, in Services/LDAPv3 I tried to add another copy of the local server (127.0.0.1). The same name was not accepted so I went manual, created it with the name localhost This was created, but then it turned out that it had overwritten the previous OD. All my users, everything was gone. Panic.
  2. I stopped OD in Server.app
  3. Ran "sudo slapconfig -destroyldapserver" in Terminal
  4. Ran "sudo slapconfig -restoredb 20200112-albus-odbackup.sparseimage" (I did make a backup before I went mucking about)

My OD is now up and running again, the users are back it took Server.app a while to sync with reality) and the authenticated binding between the server and itself is gone. /LDAPv3/127.0.0.1 only shows one computer, so I'll need to reauthenticate the client machine.

Probably not the way to do it and certainly not for the faint of heart.