How to fix OD diradmin account?

I am unable to add new accounts nor delete existing accounts in Open Directory despite being authenticated as diradmin. I can change existing user passwords though. Tried rebooting, no change. I was able to create and delete accounts earlier today. The options to create/delete accounts are disabled in the OSX Server Mountain Lion GUI.

Suggestions are appreciated.

Solution 1:

Hope this isn't too late, or that at least it is useful for others.

I tried http://support.apple.com/kb/ht1194 several times to no avail. I was simply unable to authenticate with the diradmin account.

An Apple support person recommended:

1. Archive the OD from the Server.app → OD panel → action menu → Archive Open Directory Master…
2. Select the server in the list and click on the minus button Once the OD has been destroyed, You will see the OD is now Off.
3. Create the OD by switching back to ON and create the OD again with the same information as before (including the DirAdmin)
4. Create a BackupDirAdmin account with WGM to have a backdoor, just in case
5. In terminal restore the archive you saved in step 1 using

   sudo slapconfig -restoredb < archive-path >

6. Retest the authentication after the directory has been restored.

Bizarrely, after a lot of digging around I saw that mkpassdb has a -setadmin flag, so I tried to use this to elevate another slotId to admin rights. This worked, and then I was able to reset the password for the DirAdmin account.

Solution 2:

This worked for me at 10.10 Yosemite:

sudo ldapsearch -LLL -x -H ldap://127.0.0.1 -s base namingContexts

dn: namingContexts: dc=XXX-Produktion,dc=local

Put your dc= ,dc= into this:

sudo ldappasswd -x -H ldapi://%2Fvar%2Frun%2Fldapi -S uid=diradmin,cn=users,dc=XXX-Produktion,dc=local