Jan 13, 2014 3:46 AM in response to MacAttack8888, by Antonio Rocco
Hi
"is this the OS X Server Directory Administrator Account?"
Yes.
The diradmin name should never be the same as the local admin account. You can use the same password if you wish. The account is created when starting the Profile Manager service which also configures and starts the Open Directory service.
It makes no sense to start the Open Directory service without the Profile Manager service. Just my opinion but I would never use the diradmin account to administer anything other than the LDAP directory. I would not log into the server with it nor would I configure shares with it.
HTH?
Tony
-
Jan 13, 2014 5:26 AM in response to MacAttack8888, by MrHoffman
There seems to be some general confusion around authentication on OS X lately; you're not the only one that's been wondering about this recently.
There are two separate login systems available within OS X. These are the local authentication database and the distributed authentication database. These can coexist. Local authentication is basically LDAP, but just for your local OS X host. Distributed authentication is full-on network distributed authentication; it's the same authentication database, but shared across multiple computers.
An OS X client uses local authentication for the root account, and for other accounts created in the local authentication directory.
An OS X client can use distributed authentication when it has been "bound" to a distributed authentication system. The distributed authentication system that the client is "bound" to might be OS X Server or Linux running Open Directory and LDAP and Kerberos, or it might be Microsoft Windows Server and a distributed authentication configuration comprised of Active Directory and related pieces.
With Open Directory on OS X Server, the diradmin user is the default user that can administer the distributed authentication database, but it's certainly not the only such user that can be created in the database. Consider when there's a larger deployment of OS X systems. You might have folks that can administer a local system, but the folks that administer all systems are usually different. In some other installations, the local admin user is only a backup, and only used should the Open Directory configuration require maintenance or reconfiguration. You don't want to run around to all your Mac or Windows systems and add a new user or disable a user that leaves the organization, for instance, or that needs to have their password reset. You want to do that in one spot. That's what a distributed directory provides.
The OS X Server 10.6 Open Directory Administration manual might provide an introduction to the environment, and the Workgroup Manager tool is still a common way to manage Open Directory on OS X and OS X Server. (While it was once integrated with the server administration tools, Workgroup Manager is now a separate download.)
To reset and recreate the diradmin user here, I'd probably trash Server.app, reset the Server.app environment, and reinstall Server.app and reconfigure the local setup. That's if you've not accumulated a whole lot of configuration details within the local server configuration. Here are the closest I've seen to official reset instructions. This will nuke your Server.app configuration. (I'd also encourage having a full-disk backup or two, but that's generally recommended, general good practice and generally appropriate management paranoia.)
FWIW, also have a look at your backup strategy, too. Even the most skilled folks can and do occasionally make a mistake, and disks and computers do fail, and databases do get corrupted, and computers do occasionally get dropped or stolen. Have a backup. Or two.
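Two points in the replies above invite a quick check on a real server: Tony's rule that the diradmin name should never match the local admin account, and MrHoffman's description of the local node and the Open Directory (LDAP) node as separate databases that coexist. The script below is an added example written for this thread, not code from either poster or from Apple. It parses the plain-text output that the macOS `dscl` tool prints for `dscl . -list /Users`, `dscl /LDAPv3/127.0.0.1 -list /Users` and `dscl . -read /Groups/admin GroupMembership`, and reports names that appear in both nodes or a directory administrator that is also a member of the local admin group. The sample outputs embedded in it are constructed so the script runs offline; on a real server you would capture the three commands' output instead. The name `diradmin` is the default from the thread; anything else is an assumption of this example.

```python
"""Audit local-node vs. directory-node accounts for name collisions.

Added example, not part of the original thread. The three strings below
are CONSTRUCTED stand-ins for the output of these macOS commands:

    dscl . -list /Users                     # local node
    dscl /LDAPv3/127.0.0.1 -list /Users     # Open Directory (LDAP) node
    dscl . -read /Groups/admin GroupMembership
"""

# Constructed sample of `dscl . -list /Users` (local node). It deliberately
# contains a local "diradmin" record, the misconfiguration the thread warns
# against, so the audit has something to find.
LOCAL_USERS_OUTPUT = """\
_www
daemon
nobody
root
serveradmin
diradmin
"""

# Constructed sample of `dscl /LDAPv3/127.0.0.1 -list /Users` (directory node).
LDAP_USERS_OUTPUT = """\
diradmin
alice
bob
"""

# Constructed sample of `dscl . -read /Groups/admin GroupMembership`.
LOCAL_ADMIN_GROUP_OUTPUT = "GroupMembership: root serveradmin diradmin\n"


def parse_user_list(text):
    """`dscl -list` prints one record name per line; ignore blank lines."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_group_membership(text):
    """Turn a 'GroupMembership: a b c' line into the set {'a', 'b', 'c'}."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "GroupMembership":
            return set(value.split())
    return set()


def find_collisions(local_users, ldap_users):
    """Names defined in both nodes. The default search policy consults the
    local node first, so a local record with the same name takes precedence
    over (shadows) the directory record, which makes such names ambiguous."""
    return sorted(local_users & ldap_users)


def audit(local_list, ldap_list, admin_group, diradmin_name="diradmin"):
    """Return a list of human-readable findings (empty when clean)."""
    local = parse_user_list(local_list)
    ldap = parse_user_list(ldap_list)
    local_admins = parse_group_membership(admin_group)
    findings = []
    for name in find_collisions(local, ldap):
        findings.append(f"'{name}' exists in both the local and LDAP nodes")
    if diradmin_name in local_admins:
        findings.append(
            f"directory administrator '{diradmin_name}' is also a local admin"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(LOCAL_USERS_OUTPUT, LDAP_USERS_OUTPUT,
                         LOCAL_ADMIN_GROUP_OUTPUT) or ["no findings"]:
        print(finding)
```

Run it as-is to see the two findings produced by the constructed data; swap the three strings for captured `dscl` output to audit a real server. A clean setup, where the directory administrator lives only in the LDAP node and is not in the local admin group, yields an empty list.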
