This discussion is locked
Mavalos88

Q: Can't change user password type to Open Directory

Hi guys,

I'm trying to change all my users to an Open Directory password. The problem is that when I log in to Workgroup Manager and try to do it, I get the following message:

*Cannot set record to Open Directory because you are not an Open Directory password server administrator.*

*In order to select Open Directory, your own password type must be Open Directory. Administrators with other password types cannot set a user’s password type to Open Directory.*

So then I tried to change my own password to Open Directory and it's grayed out.
I tried logging as diradmin, as root, as my own user, and I can't do anything to fix this.
I created a new user under the Open Directory service (which I'd assume would have an Open Directory type password) and no luck.

I have no idea how to fix this.

Any suggestions?

Mac OS X (10.6.1)

Posted on Nov 3, 2009 6:43 PM


  • by Gordon Davisson, Nov 8, 2009 12:10 PM in response to Mavalos88

    Level 3 (520 points)
    I haven't seen this particular problem since (IIRC) v10.3, and the tool I used to fix it back then (NeST) went away in v10.5, so it took a little rooting around to find a repair procedure that'd work under v10.6. Here's what I came up with:

    1) Create an alias for your existing directory admin account by adding a second Short Name for it under the Basic tab in Workgroup Manager. I'll use the name "tempadmin", but you can use whatever you want.

    2) Open a terminal window on the server, and run the command (replacing diradmin and tempadmin with the actual real name and alias for your directory admin account):

      sudo slapconfig -settopasswordserver diradmin tempadmin

    Note that this will prompt for the password for the account you're logged into, then the diradmin and tempadmin passwords. What this does is convert the diradmin account from a crypt-style password to Open Directory-style (and it's the reason you needed to create the alias; if you listed the same admin account twice, it'd gripe and refuse to do anything useful). What it doesn't do is mark the diradmin account as an administrator in the password server's database, so there's a third step to fix that.

    3) Run the command:

      sudo mkpassdb -setadmin diradmin

    At this point, diradmin should be set up as a fully-functional directory administrator; try creating a new directory admin account in Workgroup Manager to make sure.

    If you don't mind my asking, do you have any idea what happened to create this situation? As I said, I haven't seen it in a long time...
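
A way to check the outcome of the procedure above across accounts, as an added example that is not part of the original reply: it classifies each account's AuthenticationAuthority value, where `;ApplePasswordServer;` marks an Open Directory password and `;basic;` or a missing attribute marks crypt. The tab-separated input format, the function names and the sample records are constructed for illustration; producing the records from the directory on a real server (for example with dscl) is assumed and not shown.

```shell
#!/bin/sh
# Classify one AuthenticationAuthority value (it may hold several ;type; entries).
# An empty value means the attribute is missing, which is treated as basic (crypt).
classify_authority() {
    case "$1" in
        *";ApplePasswordServer;"*) echo "opendirectory" ;;
        *";ShadowHash;"*)          echo "shadowhash" ;;
        *";basic;"*|"")            echo "crypt" ;;
        *)                         echo "unknown" ;;
    esac
}

# Read "shortname<TAB>authority" lines on stdin, print every account whose
# password type is not Open Directory, and return non-zero if any was found.
audit_password_types() {
    bad=0
    while IFS="$(printf '\t')" read -r name authority; do
        [ -n "$name" ] || continue
        kind=$(classify_authority "$authority")
        if [ "$kind" != "opendirectory" ]; then
            echo "$name: $kind"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample records (hypothetical accounts, host and slot ID).
sample_records() {
    printf 'diradmin\t;ApplePasswordServer;0x0000000000000001,1024 35 000 root@server.example.com:192.0.2.10 ;Kerberosv5;;diradmin@SERVER.EXAMPLE.COM;SERVER.EXAMPLE.COM;\n'
    printf 'jsmith\t;basic;\n'
    printf 'legacy\t\n'
    printf 'localuser\t;ShadowHash;\n'
}

sample_records | audit_password_types || echo "some accounts are not Open Directory"
```
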