Q: Open Directory, problem enabling users and diradmin password
Hello.
I have a clean install of the Server app (5.0.15) on El Capitan (10.11.3).
On this system I enabled a new DNS server (and created records for my new server and new clients). Then I created a new Open Directory service.
After creating the new OD I set password policies. After this action my diradmin account became disabled, although the password for my diradmin meets the newly created policies. So I had to reset the diradmin password using:
sudo ldappasswd -x -H ldapi://%2Fvar%2Frun%2Fldapi -S uid=diradmin,cn=users,dc=ldap1,dc=example,dc=com
Next I wanted to check what happens when an account expires after the inactivity period. I set this period to 3 days. After 3 days, when I try to log in on the client (10.10.5), I see the message "Your account has been disabled. Contact your system administrator for more information." OK. I launch the Server app and authenticate as diradmin (the first time I forgot that this password had expired too, so only after another password reset could I authenticate) and try to enable the account. So I edit the expired user and tick the "log in" check box. Then the Server app asks me for a new password for this account. I create a new password. Then I try to log in on the client, and I see the same message as before: "Your account has been disabled. Contact your system administrator for more information." So I check what happened in the Server app, and I see that the "log in" check box is disabled. So I repeat enabling the user, but this time I watch the edit user window: the "log in" check box becomes disabled after the password change. Same situation.
What happened with this new server? I have the feeling that SL Server had fewer problems, and that the new software isn't well elaborated and tested.
So, am I doing something wrong with my server? Why must I reset the diradmin password after setting policies? Why can't I enable the user? In the past, information about a disabled user was in LDAP; now I can't see where this information exists. Kerberos shows that the user is enabled. So I think the last option is Apple Password Server? Correct? Is it possible to enable a user from the terminal? Why can't I enable a user without changing his password? Maybe this is possible from the terminal?
Przemek Tomala
Mac Pro, OS X El Capitan (10.11.3)
Posted on Mar 7, 2016 6:00 AM
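The post above asks where the "disabled" state of an Open Directory user lives and whether it can be inspected and cleared from the terminal. The script below is an added example, not part of the original post and not Apple's own tooling; it walks the three places the poster names (the LDAP record via dscl, the Kerberos principal via kadmin.local, and Password Server via the legacy pwpolicy policy view) and parses the pwpolicy key=value output to decide whether the account is flagged disabled. It assumes it runs as root on the OD master itself, that the directory administrator is called diradmin, that the LDAP node is /LDAPv3/127.0.0.1, and that pwpolicy -getpolicy still prints the legacy space-separated key=value list on this Server version; the -enableuser step at the end is the legacy pwpolicy verb and is offered as something to try, not as a confirmed fix for the Server app behaviour described. The sample policy text used by the test is constructed, with maxMinutesOfNonUse=4320 (3 days) to mirror the post.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post). Assumes: run as
# root on the OD master, diradmin is the directory admin, LDAP node is
# /LDAPv3/127.0.0.1, and `pwpolicy -getpolicy` prints legacy key=value text.
set -u

# Print the value of one key from pwpolicy's space-separated key=value
# output. Returns 1 (prints nothing) if the key is absent.
#   $1 = policy text, $2 = key name
od_policy_value() {
  for kv in $1; do
    case "$kv" in
      "$2"=*) printf '%s\n' "${kv#*=}"; return 0 ;;
    esac
  done
  return 1
}

# Return 0 if the policy text marks the account disabled (isDisabled=1),
# 1 otherwise (including when the key is missing).
od_policy_is_disabled() {
  v=$(od_policy_value "$1" isDisabled) || return 1
  [ "$v" = "1" ]
}

# Summarise the policy keys that explain a lockout: disabled flag,
# inactivity limit, and whether a password change is being forced.
od_policy_summary() {
  d=$(od_policy_value "$1" isDisabled || echo "?")
  n=$(od_policy_value "$1" maxMinutesOfNonUse || echo "?")
  p=$(od_policy_value "$1" newPasswordRequired || echo "?")
  printf 'disabled=%s nonuse_minutes=%s new_password_required=%s\n' "$d" "$n" "$p"
}

# Look at all three stores for one user. Requires the live server; the
# directory admin password is prompted for by pwpolicy.
od_inspect_user() {
  user="$1"
  echo "== LDAP record (dscl) =="
  dscl /LDAPv3/127.0.0.1 -read "/Users/$user" AuthenticationAuthority RecordName
  echo "== Kerberos principal (kadmin.local) =="
  kadmin.local -q "getprinc $user" | grep -E 'Principal|Expiration|Attributes'
  echo "== Password Server policy (pwpolicy) =="
  policy=$(pwpolicy -a diradmin -u "$user" -getpolicy)
  echo "$policy"
  od_policy_summary "$policy"
  if od_policy_is_disabled "$policy"; then
    echo "Account is flagged disabled in Password Server; legacy enable verb:"
    echo "  pwpolicy -a diradmin -u $user -enableuser"
  fi
}

# Only touch the live directory when a user name is given on the command line.
if [ $# -gt 0 ]; then
  od_inspect_user "$1"
fi
```

Usage: `sudo sh od_inspect.sh username` on the OD master. The parser functions are separated from the live lookups so the key=value handling can be checked offline; the final pwpolicy line is printed rather than executed so that nothing is changed without an explicit decision.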