carter.x

Q: OS X Server 10.9.x Client will not bind to LDAP/OD Server 10.9.x

I've done multiple server updates, installs etc. with no luck.

I cannot get OS X Mavericks 10.9.x clients to bind to an OS X Server Mavericks 10.9.x Open Directory LDAP. I've tried client & server installs of 10.9.1, .2, & .3 with no luck. When I go to bind I get the message seen below. I know it's connecting because if I purposely put in a wrong password for the "diradmin" user it tells me that the credentials are wrong. If I put in the correct password I get this message.

The funny thing is that I still have two test servers set up with 10.7 & 10.8 Server, and clients of all versions bind like they should. The issue is only with Mavericks Server 10.9.x.

From searching around in Apple Discussions I've seen articles that talk about changing DNS to the Mac Server, which has not helped me; plus we have a DNS server in our network already, so I do not wish to add more.

Anyone else having this issue?


Thank you!

[Screenshot attachment: Screen Shot 2014-05-29 at 12.26.47 PM.png]

Posted on May 29, 2014 8:27 AM


  • by Linc Davis, Level 10 (207,995 points), Applications
    May 29, 2014 10:03 AM in response to carter.x

    Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.

    1. The OD master must have a static IP address on the local network, not a dynamic address.

    2. You must have a working DNS service, and the master's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. On the Accessing your Server sheet, change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

    3. The primary DNS server used by the master must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

    4. Follow these instructions to rebuild the Kerberos configuration on the master.

    5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases.

    6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.

    7. Reboot the master and the clients.

    8. Don't log in to the server with a network user's account.

    9. Export all OD users, delete them, turn off OD, turn it back on, and import. Ensure that the UIDs are in the 1001+ range.

  • by patiofurn, Level 1 (0 points)
    Aug 8, 2014 1:35 PM in response to carter.x

    I use the golden triangle for my labs. After I updated servers and clients to Mavericks, I am unable to bind Mavericks clients to Open Directory. Mountain Lion and prior OS clients will bind to my Mavericks OD server via authenticated bind.

    I found that if I don't do an authenticated bind, Mavericks clients will connect.

    This is like 10.5 vs 10.6 and 10.7 vs 10.8. Apple seems to be releasing a crappy OS full of poorly implemented features, followed by a solid OS. I am beginning to wonder if Yosemite will solve the Mavericks OS issues.

  • by vdalal, Level 1 (0 points)
    Aug 15, 2014 2:08 PM in response to patiofurn

    Hi all,

    I'm new to the forum, so apologies if I'm repeating anything. I had the same issue, where the Mavericks client bound without authentication. However, after adding the server IP address in System Preferences > Network > Advanced, then clicking DNS: under DNS address, add the server's IP at the top of the list, and make sure it's the same on the server. I simply did a restart of client and server, and binding worked when adding the server in Users and Groups and entering the diradmin password.

    Hope this helps.

  • by John Caradimas, Level 1 (19 points), Servers Enterprise
    Sep 18, 2014 11:59 PM in response to Linc Davis

    I have the same problem here, but I am using real, static IPs. Following Linc Davis's suggestions:


    1. The server has a static IP all right, a real one.

    2. Both server name and computer name show the fully qualified domain name of the server, let's say family.myorg.org.

    3. The DNS server is correctly set in both the clients and the server, and it is also a real IP address. When doing dig and dig -x for the server, returned information is correct.

    4. I rebuilt the Kerberos configuration, as the instructions show.

    5. I am using a real Certificate, in which the computer name matches my server name.

    6. I am not sure what that means. In System Preferences, in the User and Groups pane, on the server, I see only the admin user (local user) and the local groups, not the network users or groups. Can you please elaborate on this?

    7. Rebooted countless times.

    8. I can't log in the server with a network user account, only with admin, a local user.

    9. I have no idea how to do that. Care to elaborate please.


    I've also created a new network user, from Server.app, still the same behavior.


    Many thanks for any help you can provide.

  • by chrisjackson1980, Level 1 (0 points)
    Feb 6, 2015 8:38 AM in response to carter.x

    This ship has probably sailed already, but one thing that was not mentioned is that the clients' time needs to be in sync with the Open Directory server. Kerberos requires no more than a 5-minute deviation. The easiest way to fix this is to point the server to a well-known time server (time.apple.com) and point all the clients to use the server's fully qualified domain name (or IP address) for their time server. Hope that helps someone.
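The prerequisites that Linc Davis's steps 2, 3 and 5 and chrisjackson1980's clock-skew note describe can be checked from a shell before attempting a bind. The script below is an added example written for this page, not code posted in the thread or shipped by Apple; the hostname od.example.org, the address 10.0.0.5 and the certificate subject lines used in its checks are constructed values, and the live mode assumes dig, openssl and ssh access to the master.

```shell
#!/bin/sh
# Pre-bind checks for an Open Directory master, mirroring the thread's advice
# (added example, not from the thread). Each check is a pure function that
# takes its inputs as arguments, so it can be fed live or constructed values.

# Step 2: at least three DNS labels, and never in the Bonjour-reserved .local TLD.
check_hostname() {
    case "$1" in *.local) return 1 ;; esac
    [ "$(printf '%s' "$1" | tr '.' '\n' | grep -c .)" -ge 3 ]
}

# Steps 2/3: the forward lookup must resolve, and the PTR for that address
# must point back at the hostname. Args: hostname, A record, PTR record.
check_dns_roundtrip() {
    [ -n "$2" ] && [ "${3%.}" = "$1" ]
}

# Step 5: the certificate common name must equal the hostname. Args: hostname
# and an `openssl x509 -subject` line (either "/CN=host" or "CN = host" style).
check_cert_cn() {
    cn=$(printf '%s' "$2" | sed -n 's/.*CN *= *\([^/,]*\).*/\1/p')
    [ "$cn" = "$1" ]
}

# Kerberos rejects tickets when client and KDC clocks differ by more than
# 5 minutes (300 s). Args: client epoch seconds, server epoch seconds.
check_clock_skew() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le 300 ]
}

# Live run against a real master (assumed tools: dig, openssl, ssh to the master).
# Usage: sh odcheck.sh --live od.example.org
if [ "${1:-}" = "--live" ]; then
    host=$2
    addr=$(dig +short "$host" | head -n 1)
    ptr=$(dig +short -x "$addr" | head -n 1)
    subj=$(openssl s_client -connect "$host:636" </dev/null 2>/dev/null |
           openssl x509 -noout -subject)
    remote=$(ssh "$host" date +%s)
    check_hostname "$host"                     && echo "hostname ok" || echo "hostname BAD"
    check_dns_roundtrip "$host" "$addr" "$ptr" && echo "dns ok"      || echo "dns BAD"
    check_cert_cn "$host" "$subj"              && echo "cert ok"     || echo "cert BAD"
    check_clock_skew "$(date +%s)" "$remote"   && echo "clock ok"    || echo "clock BAD"
fi
```

A failing "dns BAD" with a correct A record usually means the reverse zone is missing or stale, which is the case vdalal's DNS change above works around.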

  • by theFerret, Level 1 (15 points)
    Feb 21, 2015 7:57 AM in response to carter.x

    To be honest I don't think it's the problem here, but it could still be worth having a look at the server certificate and the server certificate's CA certificate and seeing that they are trusted by the clients (either manually or pushed with Apple MDM or similar).