I occasionally see OS X Server's Open Directory flip out. Sometimes a simple repair of the LDAP databases fixes it; sometimes you need to go deeper.
If repairing the databases doesn't work, the next step is to recover the databases from a recent backup. If that doesn't work either, it's probably time to destroy and recreate Open Directory.
In this particular case, a restore from backup appeared to work, except I couldn’t authenticate as the Directory Administrator, or anyone else in the directory for that matter. This meant I couldn’t reset anyone’s passwords either.
I tried resetting the Directory Administrator password from Terminal, but that didn't work. I was, however, able to use Server.app to export the Users and Groups to text files.
First I destroyed OD and set it up again from scratch. Next I imported all the users, and finally the groups. All that was left was to reset each user's password. Or so I thought.
Even though I imported all the groups from the export file, which preserved their numeric GIDs, the workgroup group did not come back the way it was. Creating an Open Directory master also creates workgroup, so the import merely updated the membership of that freshly created group, and the new group carries a different GeneratedUID from the old one. ACLs reference a group by its GeneratedUID, not by its numeric GID, so none of my ACLs matched up any more.
Fortunately it's not difficult to change a group's GeneratedUID; here's how to do it.
- Find the GeneratedUID the group currently has:
sudo dscl /LDAPv3/127.0.0.1 -read /Groups/workgroup GeneratedUID
- Take note of it. You also need the GeneratedUID the ACLs expect, i.e. the one the group had before the rebuild: it is the value ls -le prints in place of the group name on the affected files, and it should also be in the group export.
- Using dscl, change the group's GeneratedUID from the current value to the original one:
sudo dscl -u diradmin -p /LDAPv3/127.0.0.1 -change /Groups/workgroup GeneratedUID <Old-UID> <New-UID>
Here <Old-UID> is the GeneratedUID the recreated group currently has and <New-UID> is the original GeneratedUID that the ACLs reference. Check first that no other record in the directory already uses that value, since GeneratedUIDs are supposed to be unique.
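The steps above, collected into a small shell script. This is an added example and not code from the original post: it assumes the group is called workgroup, that the node is /LDAPv3/127.0.0.1 as in the post, and that ls -le prints an unresolved group ACL entry as "group:<UUID>" (the sample ls output below is constructed to match that format). With DRY_RUN=1 the dscl command is only echoed, so the logic can be checked on a machine that is not an OD master.

```shell
#!/bin/sh
# Added example (not from the original post): reconcile an Open Directory group's
# GeneratedUID with the GeneratedUID that existing ACLs still reference.

NODE="/LDAPv3/127.0.0.1"   # assumption: local OD master, as in the post

# Constructed sample of `ls -le` output. Entry 0 is a dangling ACL: ls could not
# resolve the group, so it printed the GeneratedUID instead of a group name.
SAMPLE_LS='drwxrwxr-x+ 5 root  wheel  170 Jan  1 12:00 Shared
 0: group:1A2B3C4D-5E6F-4A7B-8C9D-0E1F2A3B4C5D allow list,add_file,search,add_subdirectory
 1: group:admin allow list,add_file,search'

# Read ls -le output on stdin and print each unresolved group UUID, one per line.
# A resolved entry shows a group name, which never looks like a 36-character UUID.
unresolved_acl_guids() {
    sed -n 's/^ *[0-9]*: group:\([0-9A-Fa-f-]\{36\}\) .*/\1/p' | sort -u
}

# GeneratedUID the directory currently holds for a group ("GeneratedUID: <uuid>").
current_guid() {
    dscl "$NODE" -read "/Groups/$1" GeneratedUID | awk '{print $2}'
}

# Change a group's GeneratedUID from $2 (current value) to $3 (value the ACLs
# reference), using the same dscl -change form the post shows. Prints the command
# instead of running it when DRY_RUN=1.
fix_group_guid() {
    grp=$1; from=$2; to=$3
    if [ "$from" = "$to" ]; then
        echo "already $to"
        return 0
    fi
    cmd="dscl -u diradmin -p $NODE -change /Groups/$grp GeneratedUID $from $to"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        sudo $cmd   # -p prompts for the diradmin password
    fi
}

# Typical use on the server:
#   wanted=$(ls -le /path/to/share | unresolved_acl_guids)   # expect exactly one
#   fix_group_guid workgroup "$(current_guid workgroup)" "$wanted"
#   sudo dsmemberutil flushcache && ls -le /path/to/share
```

If unresolved_acl_guids returns more than one UUID, more than one group lost its identity in the rebuild; map each UUID back to a group name from the export before changing anything, rather than guessing.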
I then turned Open Directory off and on again to flush any cached state (sudo dsmemberutil flushcache clears the membership cache without a restart). Checking with ls -ale, which lists ACLs, I could see that the entries now resolved to the group name instead of showing a bare GeneratedUID.