Mac OS X Server: How to reset the Open Directory administrator password

Posted in Apple Mac OS

Summary

Learn how to reset the Open Directory administrator password.

Products Affected

Lion Server, Mac OS X Server 10.3, Mac OS X Server 10.4, Mac OS X Server 10.4.x (PowerPC), Mac OS X Server 10.4.x (Universal), Mac OS X Server 10.5, OS X Server (Mountain Lion)

You can reset the Open Directory administrator password without touching the user data. You might need to do this, for example, if an Open Directory administrator departs without providing the password.

You will need the slot ID of the Open Directory administrator user, so the first part of this procedure extracts the slot ID from the directory. The second part changes the administrator password; for that you need local administrator privileges on the server as well as access to the server through an interactive shell, such as Terminal or SSH.

Extracting the slot ID (Lion and Mountain Lion Server)

  1. Open Directory Editor with your administrator username and password.
  2. Navigate to the Open Directory Master node. 
  3. Select the directory administrator account.
  4. In the list of attributes that appears, click the disclosure triangle next to AuthenticationAuthority to display all associated values.
  5. Select the value within the AuthenticationAuthority attribute which begins with ";ApplePasswordServer;".
  6. Click the "Text" pane below.
  7. The value between ";ApplePasswordServer;" and the comma is the slot ID, as shown highlighted below. Copy this value for later use.

Extracting the slot ID (Mac OS X Server v10.3 through v10.6)

  1. Open Workgroup Manager with your administrator username and password.
  2. Navigate to the Open Directory Master node. (Note: Your Workgroup Manager connection can be to either the master or a replica, just so long as you navigate to the Master node once connected.)
  3. In Workgroup Manager Preferences select the option to "Show 'All Records' tab and inspector."
  4. Select the directory administrator account, and click the Inspector tab.
  5. In the list of attributes that appears, click the disclosure triangle next to AuthenticationAuthority to display all associated values.
  6. Select the value within the AuthenticationAuthority attribute that begins with ";ApplePasswordServer;".
  7. Click View.
  8. The value after ";ApplePasswordServer;" until the comma is the slot ID, as shown below. Copy this value for later use. 

[Figure: Attribute name panel]

Extracting the slot ID using Terminal (Mac OS X Server v10.3 through Mountain Lion Server)

  1. Log into the server using a local administrator user account, and open Terminal.
  2. Execute this command:
    sudo mkpassdb -dump
    
  3. Enter your administrator password when prompted. A list of user shortnames with their corresponding slot IDs is displayed.
  4. Find the slot ID, which is located to the left of the directory administrator's shortname. The ID starts with 0x and ends before the user's shortname. For example:

    "slot 002: 0x479e48fe68b4567000000002000000002 diradmin 03/11/2008 02:12:30 PM"

  5. Copy the value for later use.
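As an added example (not part of the Apple article), the shell functions below automate the two slot-ID lookups described above: picking the ID out of `mkpassdb -dump` output by exact shortname, and pulling it out of an AuthenticationAuthority value between ";ApplePasswordServer;" and the comma. The dump text and the AuthenticationAuthority value are constructed samples, and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of `sudo mkpassdb -dump` output (not captured from a real
# server). Note the second admin whose shortname starts with "diradmin": a
# naive substring grep for "diradmin" would return two IDs.
MKPASSDB_DUMP='slot 001: 0x479e48fe68b4567000000001000000001 localadmin 03/11/2008 02:10:00 PM
slot 002: 0x479e48fe68b4567000000002000000002 diradmin 03/11/2008 02:12:30 PM
slot 003: 0x479e48fe68b4567000000003000000003 diradmin2 03/12/2008 09:00:00 AM'

# Constructed sample AuthenticationAuthority value; the public-key portion
# after the comma is abbreviated and the host/IP are documentation values.
AUTH_AUTHORITY=';ApplePasswordServer;0x479e48fe68b4567000000002000000002,1024 35 1234567890 root@od.example.com:192.0.2.10'

# slot_id_from_dump SHORTNAME
# Reads mkpassdb -dump output on stdin and prints the slot ID of exactly that
# shortname. Fields: "slot" "NNN:" "0x<id>" "<shortname>" <date> <time> AM/PM.
# The shortname is compared as a whole field, so "diradmin" never matches
# "diradmin2"; prints nothing if the user is not in the dump.
slot_id_from_dump() {
  awk -v user="$1" '
    $1 == "slot" && $3 ~ /^0x[0-9a-fA-F]+$/ && $4 == user { print $3 }
  '
}

# slot_id_from_authority AUTH_AUTHORITY_VALUE
# Prints the slot ID embedded in an ";ApplePasswordServer;<id>,<pubkey>" value,
# i.e. the text between the ";ApplePasswordServer;" prefix and the first comma.
# Prints nothing for values of another authority type (e.g. ";ShadowHash;").
slot_id_from_authority() {
  printf '%s\n' "$1" | sed -n 's/^;ApplePasswordServer;\(0x[0-9a-fA-F]*\),.*/\1/p'
}

# Stand-alone run: both lookups should yield the same ID for diradmin.
printf '%s\n' "$MKPASSDB_DUMP" | slot_id_from_dump diradmin
slot_id_from_authority "$AUTH_AUTHORITY"
```

On a real server the first function would be fed by `sudo mkpassdb -dump | slot_id_from_dump diradmin`; the output is the argument to `mkpassdb -setpassword` in the next section.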

Resetting the Open Directory administrator password (Mac OS X Server v10.3 through Mountain Lion Server)

  1. Log into the server using a local administrator user account, and open the Terminal.
  2. Enter this command:
    sudo su
  3. Enter your administrator password when prompted.
  4. Enter the following command:
    mkpassdb -setpassword slot-ID

    Replace slot-ID with the value obtained above. You will be prompted for the new directory administrator password. If you are unable to obtain the slot ID using Workgroup Manager, you can use the "Extracting the slot ID using Terminal" directions above.

  5. Important: At this point you have root privileges in this session. To avoid accidentally damaging the system, be sure to quit Terminal now.

Read more http://support.apple.com/kb/HT1194