ccsimply

Q: How to kill an Open Directory - Password be reset on first user login

Hi all,


I've been running into this issue for quite some time now, however, I've finally grown tired of it. I want to set a password policy, but the option to "reset password on first user login" completely kills OpenDirectory.


Running OS X Server 10.11.3 and 5.0.15, though this has also occurred in Yosemite versions. This particular scenario is a brand new, clean install in a VM. Only OpenDirectory, and proper DNS are enabled. DNS was configured completely by the Server app when setting the host name and checks out good in Terminal.


I've created a few test OpenDirectory users and confirmed I am able to log in with them. I can set any other option in the Password Policy just fine, however, the minute I enable "reset password on first user login", my OpenDirectory is ruined.


I'm unable to add new users, I'm unable to change passwords, and the previous password policies I had set no longer work, i.e. the user cannot change their password when logging in for the first time. The proper password is entered, but the login window shakes when attempting to configure the new password.


Error received after the OpenDirectory gets hosed is "Operation is not supported by the directory node." Not only is the directory hosed, but it becomes hella difficult to even remove or disable the service.


Does anyone have any thoughts? I'd really like to enable this function so I'm not creating a temporary password for users, then relying on them to change it themselves.


Thanks,

MacBook Pro, OS X El Capitan (10.11.3), 8GB RAM, SSD, 4GB allotted to VM

Posted on Mar 15, 2016 2:03 PM

Replies

  • eibbor, Level 1 (14 points), Sep 21, 2016 12:25 PM in response to ccsimply (marked Helpful)

    This still seems to be happening - The diradmin account gets borked. Did you ever find a way to set this policy successfully?


    This command will unlock the global policy and restore the account so you can use OD again, but it is just a fix, not a solution.


    sudo pwpolicy -n /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi clearaccountpolicies


    see Apple Doc here...

    OS X Server (Yosemite): Global policies can lock out Admin accounts - Apple Support


    I can't believe there is a document like that but still no fix from Apple?? Really? I must have missed something. I really need this password policy to work...

  • eibbor, Level 1 (14 points), Sep 21, 2016 12:46 PM in response to eibbor (marked Helpful)

    ...ok, I missed something...


    You need to open Terminal and type `su diradmin`.

    That will let you change the diradmin password and after that the policy works.


    credit to 'cszymanski' on this other thread for that idea...

    Password policy "change password at first login" errors!


    So basically diradmin is included in the policy and needs a password reset too (even though this is plainly a mistake, as it locks you out of the GUI).


    Also I don't know what would happen if you set the policy to change every n-months? Presumably your OD bindings etc will break every n-months? Admins should have a separate policy and not be included in global policy (though nothing wrong with encouraging change of admin passwords generally - just not when it breaks stuff).
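The two replies above describe a manual recovery: clear the global account policy on the LDAP node so diradmin can bind again, then have diradmin satisfy the "change password at first login" requirement itself. The script below is an added example and is not code from the thread or from Apple; it wraps those same steps with a pre-check and a policy backup. It assumes an Open Directory master whose LDAP socket is at /var/run/ldapi, a directory administrator named "diradmin", and that dscl can reach the node as /LDAPv3/127.0.0.1 (all three are assumptions to adjust for your server). The ldapi_node helper also shows why the node path in the thread contains %2F: an ldapi:// URL carries the socket path with every "/" percent-encoded.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the recovery steps posted above
# (clear global account policies, then reset diradmin's password) with a
# readiness check and a backup of the current policy. Assumed values:
# socket /var/run/ldapi, admin "diradmin", dscl node /LDAPv3/127.0.0.1.
set -u

LDAPI_SOCKET=/var/run/ldapi        # assumption: default OD master socket
OD_ADMIN=diradmin                  # assumption: directory administrator name
DSCL_NODE=/LDAPv3/127.0.0.1        # assumption: node name dscl uses locally

# Build the pwpolicy node path for an ldapi:// socket. OpenLDAP ldapi URLs
# percent-encode the socket path, so /var/run/ldapi becomes
# %2Fvar%2Frun%2Fldapi, which is exactly the node used in the thread.
ldapi_node() {
    printf '/LDAPv3/ldapi://%s\n' "$(printf '%s' "$1" | sed 's|/|%2F|g')"
}

# Exit 0 if the admin can still authenticate against the node, 1 if it is
# locked out (the symptom of enabling "reset password on first login").
admin_can_authenticate() {
    dscl "$DSCL_NODE" -authonly "$1" >/dev/null 2>&1
}

# Recovery as described in the replies: keep a copy of the global policy,
# clear it so diradmin can bind, then let diradmin change its own password
# interactively via su (su prompts for the required change, as the thread
# notes). Re-apply the policy from the backup afterwards if needed.
recover_od_admin() {
    node="$1"; admin="$2"; backup="${3:-/var/root/od-policy-backup.plist}"
    pwpolicy -n "$node" -getaccountpolicies > "$backup" 2>/dev/null || true
    echo "Global account policy saved to $backup"
    pwpolicy -n "$node" clearaccountpolicies
    echo "Policies cleared; now set a new password for $admin"
    su "$admin"
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
case "${1:-}" in
    --check)
        if admin_can_authenticate "$OD_ADMIN"; then
            echo "$OD_ADMIN can authenticate; no recovery needed"
        else
            echo "$OD_ADMIN is locked out; run with --recover"
        fi
        ;;
    --recover)
        recover_od_admin "$(ldapi_node "$LDAPI_SOCKET")" "$OD_ADMIN"
        ;;
esac
```

Run `--check` first; it reports without changing anything. Only `--recover` touches the policy, and it leaves a copy of the cleared policy so that, once diradmin has a fresh password, the same settings can be reviewed and restored deliberately rather than re-enabled blind.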

  • ccsimply, Level 1 (5 points), Sep 21, 2016 12:47 PM in response to eibbor

    Thanks for the info, eibbor. I had not come across any solutions; your workarounds will be very helpful.