6 Replies Latest reply: Aug 8, 2014 11:34 PM by Picoscope
EBL Level 1 (10 points)

Trying to add a new user in Server.app (Mountain Lion) but the + button is greyed out.  Why?

  • Peter Jurg2 Level 1 (60 points)

    I had the same problem after doing a backup and restore of Open Directory. When I started Server.app, the system log showed:

    servermgrd: servermgr_accounts: got error 5000 trying to auth to local LDAP node

    I found Open Directory error codes here:

    https://developer.apple.com/library/mac/#documentation/Networking/Reference/OpenDirectoryErrors/Reference/reference.html

    and it turned out that the error code means: "The provided credentials are invalid with the current node". So the userid/password combination was incorrect.

    I did not know which user servermgrd authenticates to Open Directory as (I would think it would be the Directory Admin user), but I figured that the password would be kept in the system keychain (go to the Keychain app and select 'System' in the column on the left). Indeed there were two entries of type 'application password' in the system keychain with the name '/LDAPv3/127.0.0.1', which is Open Directory on the localhost. They had the same password but different userids. One of them had the userid 'P60' and the other 'hostname_of_the_server$' (the DNS name of the server followed by a dollar sign). Using a directory browser I was able to find the latter in Open Directory under cn=computers, but I could not find an entry with the name 'P60' in Open Directory. So I took a shot and deleted the 'P60' entry from the system keychain, and voilà, Server.app could create and delete users and groups and make changes!

    So I would look for bogus application password entries in the system keychain. Hope this helps.

    Where the P60 entry came from I don't know, but it was created shortly after the time at which I changed the IP address of the server. I used Server.app to change it (this was recommended by Apple support). This prompted me to have a look at the 'hostname_of_the_server$' entry in Open Directory. It still contained an attribute ipHostNumber with the old IP address as its value. I changed that to the new IP address. Apparently the Server.app IP migration did not change this value. I'm not sure if this matters though.

  • Belimor Level 1 (0 points)

    I had a similar problem, but simply deleting one of the records didn't help.

    In my case:

    Server.app was unable to connect to the local LDAP (same error: got error 5000 trying to auth to local LDAP node). Just local users.

    Workgroup Manager didn't have any problems.

    I found two /LDAPv3/127.0.0.1 records in the Keychain > System tab:

    the first one with account server.domain.com$

    the second had account just server$

    both had different passwords.

    Steps to fix:

    Go to Server.app > Utilities > Directory Utility > Services > LDAPv3 > edit

    You will probably see two records, 127.0.0.1 or localhost.

    Remove them.

    Go to Keychain > System tab

    Remove the /LDAPv3/127.0.0.1 records.

    Go back to Directory Utility > LDAPv3 and create a new record again:

    server name 127.0.0.1, LDAP Mappings - from Server

    This procedure should recreate the record in the Keychain with the proper account (server.domain.com$) and password.
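Both posts above come down to the same check: look in the System keychain for more than one 'application password' item whose service is /LDAPv3/127.0.0.1 and compare their account names. The script below is an added example, not code from this thread or from Apple. It parses the text that `security dump-keychain` prints (attribute lines of the form "acct"<blob>="…" and "svce"<blob>="…", which I assume here from that tool's output format) and lists the accounts stored under a given service, so the duplicate can be inspected before anything is deleted. The sample dump embedded in the script is constructed; the hostname server.example.com and the stray account P60 are illustrative, the latter borrowed from the post above.

```shell
#!/bin/sh
# Added example, not from this thread. Lists the account names stored under
# one keychain service in `security dump-keychain` text and flags the case
# the posters describe: more than one /LDAPv3/127.0.0.1 item.
#
# Live, read-only use on a server (needs root to read the System keychain):
#   security dump-keychain /Library/Keychains/System.keychain \
#       | keychain_accounts_for_service /LDAPv3/127.0.0.1

keychain_accounts_for_service() {
    # $1 = service ("svce") to match; dump text on stdin; one account per line.
    # Attributes of one item are collected until the next "class:" line (or
    # end of input) so the order of "acct" and "svce" does not matter.
    awk -v want="$1" '
        function flush() {
            if (svce == want && acct != "") print acct
            acct = ""; svce = ""
        }
        /^class:/ { flush() }
        /"acct"<blob>=/ { sub(/.*"acct"<blob>=/, ""); gsub(/"/, ""); acct = $0 }
        /"svce"<blob>=/ { sub(/.*"svce"<blob>=/, ""); gsub(/"/, ""); svce = $0 }
        END { flush() }
    '
}

duplicate_service_items() {
    # Prints how many items exist for service $1; exit status 1 when there is
    # more than one (the symptom in this thread), 0 otherwise.
    n=$(keychain_accounts_for_service "$1" | wc -l | tr -d ' ')
    echo "$n"
    [ "$n" -le 1 ]
}

# Constructed sample in the shape of dump-keychain output (hostname and the
# stray "P60" account are illustrative). Two items share the LDAP service.
SAMPLE_DUMP=$(cat <<'EOF'
keychain: "/Library/Keychains/System.keychain"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="/LDAPv3/127.0.0.1"
    "acct"<blob>="server.example.com$"
    "desc"<blob>="application password"
    "svce"<blob>="/LDAPv3/127.0.0.1"
keychain: "/Library/Keychains/System.keychain"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="/LDAPv3/127.0.0.1"
    "acct"<blob>="P60"
    "desc"<blob>="application password"
    "svce"<blob>="/LDAPv3/127.0.0.1"
keychain: "/Library/Keychains/System.keychain"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="com.example.unrelated"
    "acct"<blob>="someuser"
    "svce"<blob>="com.example.unrelated"
EOF
)

# Run the check against the constructed sample with: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DUMP" | keychain_accounts_for_service /LDAPv3/127.0.0.1
    printf '%s\n' "$SAMPLE_DUMP" | duplicate_service_items /LDAPv3/127.0.0.1 \
        || echo "more than one item for /LDAPv3/127.0.0.1: compare accounts before removing any"
fi
```

On the sample this prints the two accounts (server.example.com$ and P60) and the warning; the one whose account does not match a computer record in Open Directory (the posters found it under cn=computers) is the candidate for removal. The script only reads the dump; deletion stays a manual step in Keychain Access, as in the posts.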

  • Jack Stenner Level 1 (30 points)

    I've been beating my head against the wall for days dealing with this. Deleted the extra keychain entry, and voilà, back in business. Thanks!

  • hughescr Level 1 (0 points)

    What is the password supposed to be though?  Directory Utility won't create the keychain entry for me unless I specify that auth is needed, then I type server.domain.com$ as the auth username, but what's the password?  It's not my diradmin password, I tried that, nor is it the local admin password, nor is it the local root password...

  • Belimor Level 1 (0 points)

    The password is generated by the system somehow. And you don't need to enter the username server.domain.com$

    Actually I don't remember where you can specify auth option.

    I'm out of the office and can help you more on Tuesday.

  • Picoscope Level 1 (5 points)

    Brill. I had the *exact* issue - the multiple keychain passwords were caused by my mistakenly binding to 127.0.0.1 using the FQDN of my machine as the CN in the Bind dialog. I realized my error and rebound using the machine name - but the keychain PW remained. Nice catch, Peter Jurg2!

    -Paul