How to fix OD diradmin account?

I am unable to add new accounts or delete existing accounts in Open Directory, despite being authenticated as diradmin. I can change existing user passwords, though. I tried rebooting; no change. I was able to create and delete accounts earlier today. The options to create/delete accounts are disabled in the OS X Server Mountain Lion GUI.

Suggestions are appreciated.


Solution 1:

Hope this isn't too late, or that at least it is useful for others.

I tried http://support.apple.com/kb/ht1194 several times to no avail. I was simply unable to authenticate with the diradmin account.

An Apple support person recommended:

  1. Archive the OD from the Server.app → OD panel → action menu → Archive Open Directory Master…
  2. Select the server in the list and click on the minus button. Once the OD has been destroyed, you will see the OD is now Off.
  3. Create the OD again by switching it back to ON, using the same information as before (including the DirAdmin).
  4. Create a BackupDirAdmin account with WGM to have a backdoor, just in case.
  5. In Terminal, restore the archive you saved in step 1 using

    sudo slapconfig -restoredb <archive-path>

  6. Retest the authentication after the directory has been restored.
Try as I might, I couldn't get this to work, and then I noticed that in Mountain Lion Server the slapconfig command had lost the -merge option, so restoring the database was dumping both the new DirAdmin and the backdoor account...

Bizarrely, after a lot of digging around I saw that mkpassdb has a -setadmin flag, so I tried to use this to elevate another slotId to admin rights. This worked, and then I was able to reset the password for the DirAdmin account.

Solution 2:

This worked for me at 10.10 Yosemite:

sudo ldapsearch -LLL -x -H ldap://127.0.0.1 -s base namingContexts

dn:
namingContexts: dc=XXX-Produktion,dc=local

Put your dc=…,dc=… value into this:

sudo ldappasswd -x -H ldapi://%2Fvar%2Frun%2Fldapi -S uid=diradmin,cn=users,dc=XXX-Produktion,dc=local
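Added example, not code from the question or either answer: a small POSIX shell script that automates Solution 2 (read namingContexts from the root DSE, build the diradmin DN, reset the password over ldapi) and then performs the bind check that step 6 of Solution 1 asks for, so you know the reset actually took before relying on it. The ldapi socket path, the cn=users container and the ldapsearch/ldappasswd invocations come from the answers; the sample LDIF, the function names and the assumption that you run it as root on the OD master are mine. The parser also handles folded LDIF lines, which the answer's one-line output does not show.

```sh
#!/bin/sh
# Added example (not from the original question or answers): automate the
# Solution 2 reset and then prove the new diradmin credentials bind.
# From the answers: ldapi socket /var/run/ldapi, users under cn=users,<suffix>,
# the ldapsearch/ldappasswd invocations. Assumptions (mine): the sample LDIF
# below, the function names, and that this runs as root on the OD master.

LDAPI_URI='ldapi://%2Fvar%2Frun%2Fldapi'   # URL-encoded /var/run/ldapi
LDAP_URI='ldap://127.0.0.1'
ADMIN_UID='diradmin'

# Constructed sample of what the namingContexts search prints (not captured
# from a real server). The value is folded across two lines, as LDIF allows.
SAMPLE_LDIF='dn:
namingContexts: dc=XXX-Produk
 tion,dc=local
'

# Read LDIF on stdin and print the first namingContexts value.
# Handles the leading "dn:" line, blank lines and folded continuation lines
# (a leading space). Base64 values ("namingContexts:: ...") are not decoded;
# the function then exits 1, as it does when no context is present at all.
naming_context_from_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }      # continuation: append
        { if (buf != "") lines[n++] = buf; buf = $0 }
        END {
            if (buf != "") lines[n++] = buf
            for (i = 0; i < n; i++)
                if (lines[i] ~ /^namingContexts: /) {
                    print substr(lines[i], 17)     # strip "namingContexts: "
                    exit 0
                }
            exit 1
        }'
}

# DN of a user account: OD keeps users in cn=users under the suffix.
admin_dn() {
    printf 'uid=%s,cn=users,%s\n' "$1" "$2"
}

# Ask the live server (root DSE) for its suffix, as Solution 2 does.
discover_suffix() {
    ldapsearch -LLL -x -H "$LDAP_URI" -s base -b '' namingContexts \
        | naming_context_from_ldif
}

# Simple bind as $1 with password $2; status 0 means the credentials work.
# This is the "retest the authentication" step, done without the GUI.
verify_bind() {
    ldapwhoami -x -H "$LDAPI_URI" -D "$1" -w "$2" >/dev/null 2>&1
}

reset_admin_password() {
    suffix=$(discover_suffix) || { echo "could not read namingContexts" >&2; return 1; }
    dn=$(admin_dn "$ADMIN_UID" "$suffix")
    echo "Resetting password for $dn"
    # -S prompts for the new password so it never appears in `ps`.
    # With -x and no -D this is an anonymous simple bind over the root-owned
    # ldapi socket, exactly as Solution 2 ran it; add -D <admin DN> -W if your
    # ACLs reject that.
    ldappasswd -x -H "$LDAPI_URI" -S "$dn" || return 1
    # Re-enter it once more to check that a real bind succeeds before you
    # rely on the reset.
    printf 'Re-enter the new password to verify the bind: '
    stty -echo; read -r pw; stty echo; echo
    if verify_bind "$dn" "$pw"; then
        echo "bind as $dn OK"
    else
        echo "bind as $dn FAILED; password was not reset or ACLs block it" >&2
        return 1
    fi
}

# Only touch the server when explicitly asked; running the file with no
# arguments just defines the functions (so the parser can be exercised offline).
case "${1:-}" in
    reset) reset_admin_password ;;
esac
```

Run it as `sudo sh od-reset.sh reset` on the OD master. If the final bind fails even though ldappasswd reported success, the account's DN or the directory ACLs are the problem, not the password, which is the situation Solution 1 ran into.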