Server.app Users add button is disabled

I had the same problem after doing a backup and restore of Open Directory. When I started Server.app, the system log showed:

servermgrd: servermgr_accounts: got error 5000 trying to auth to local LDAP node

I found Open Directory error codes here:

https://developer.apple.com/library/mac/#documentation/Networking/Reference/Open DirectoryErrors/Reference/reference.html

and it turned out that the error code means: "The provided credentials are invalid with the current node". So the userid/password combination was incorrect.

I did not know as which user severmgrd is authenticating to Open Directory (I would think it would be the Directory Admin user), but I figured that the password would be kept in the system keychain (go to the keychain app and select 'system' in the column on the left). Indeed there were two entries of type 'application password' in the system keychain with the name '/LDAPv3/127.0.0.1', which is Open Directory on the localhost. They had the same password but different userid's. One of them had the userid 'P60' and the other 'hostname_of_the_server$' (the DNS name of the server followed by a dollar sign). Using a directory browser I was able to find the latter in Open Directory under cn=computers, but I could not find an entry with name 'P60' in Open Directory. So I took a shot and deleted the 'P60' entry from the system keychain and voila Server.app could create, delete users and groups and make changes!

So I would look for bogus application password entries in the system keychain, Hope this helps.

Where the P60 entry came from I don't know, but it was created shortly after the time on which I changed the IP address of the server. I used Server.app to change it (this was recommended by Apple support). This triggered me to have a look at the 'hostname_of_the_server$' entry in Open Directory. It still contained an attribute ipHostNumber with as a value the old IP address. I changed that into the new IP address. Apparently the Server.app IP migration did not change this value. I'm not sure if this matters though.

I had the similar problem but simple deletion one of the record didn't help.

In my case:

Server.app was unable to connect to local LDAP (same error: got error 5000 trying to auth to local LDAP node). Just local users.

Workgroup Manager didn't have any problems.

I found two /LDAPv3/127.0.0.1 records in the Keychain > System tab:

thirst one with account - server.domain.com$

second had account just server$

both had different passwords.

Steps to fix:

Go to Server.app > Utilities > Directory Utility > Services > LDAPv3 > edit

You probably will see two records 127.0.0.1 or localhost.

Remove them.

Go to Keychain > System tab

remove /LDAPv3/127.0.0.1 records.

Come back to Directory Utilities LDAPv3 and create new record again:

server name 127.0.0.1, LDAP Mappings - from Server

This procedure should recreate new record in the Keychain with the proper account (server.domain.com$) and password.

I've been beating my head against the wall for days dealing with this. Deleted the extra keychain entry, and wallah, back in business. Thanks!

What is the password supposed to be though? Directory Utilities won't create the keychain entry for me unless I specify that auth is needed, then I type server.domain.com$ as the auth username, but what's the password? It's not my diradmin password, I tried that, nor is it the local admin password, nor is it the local root password...

The password gererates by the system somehow. And you don't need to enter username server.domain.com$

Actually I don't remember where you can specify auth option.

I'm out of office and can help you more on tuesday.

Brill. I had the *exact* issue - the multiple keychain passwords were caused by my mistakenly binding to 127.0.0.1 using the FQDN of my machine as the CN in the Bind dialog. I realized my error and rebound using the machine name - but the keychain PW remained. Nice catch, Peter Jurg2!

-Paul