Mac OS X Server: How to reset the Open Directory administrator password

Summary

If you ever get into a situation where an Open Directory administrator leaves without handing over the password, this article details how to recover from this situation without touching the user data.

Products Affected

Mac OS X Server 10.3, Mac OS X Server 10.4, Mac OS X Server 10.4.x (PowerPC), Mac OS X Server 10.4.x (Universal), Mac OS X Server 10.5

This will require the slot ID of the Open Directory administrator user, so the first goal is to extract the slot ID from the directory. The second part deals with changing the administrator password; for this you will need local administrator privileges on the server and access to the server via an interactive shell, such as Terminal or ssh.

Extracting the slot ID

  1. Open Workgroup Manager using your administrator username and password, and navigate to the Open Directory Master node. (Note: Your Workgroup Manager connection can be to either the master or a replica, just so long as you navigate to the Master node once connected.)
  2. In Workgroup Manager Preferences select the option to "Show 'All Records' tab and inspector."
  3. Select the directory administrator account, and click the Inspector tab.
  4. In the list of attributes that appears, click the disclosure triangle next to AuthenticationAuthority to display all associated values.
  5. Select the value within the AuthenticationAuthority attribute which begins with ";ApplePasswordServer;" and click View.
  6. The value after ";ApplePasswordServer;" until the comma is the slot ID, as shown below. Copy this value for later use.

Extracting the slot ID using Terminal

  1. Log into the server using a local administrator user account, and open Terminal.
  2. Execute this command:

    sudo mkpassdb -dump

  3. Enter your administrator password when prompted.
  4. A list of user shortnames with their corresponding slot IDs will be displayed.
  5. Find the <slot ID>, which is located to the left of the directory administrator's shortname. The ID starts with 0x and ends just before the shortname, for example:

    "slot 002: 0x479e48fe68b4567000000002000000002 diradmin 03/11/2008 02:12:30 PM"
  6. Copy the value for later use.
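The two extraction procedures above (the Inspector's AuthenticationAuthority value and the `mkpassdb -dump` listing) both come down to pulling one token out of a line of text. The following shell helpers are an added example, not part of the Apple article, that do that parsing and validate the result before it is handed to `mkpassdb -setpassword`. The sample AuthenticationAuthority value and dump lines are constructed for the example (the slot ID is the article's own example value), and the line layout is assumed to match the example shown in step 5.

```shell
#!/bin/sh
# Added example (not from the Apple article): helpers for pulling the
# Password Server slot ID out of the two places the article describes.
# Sample data below is constructed; the line formats are assumed from
# the article's own examples.

# Given one AuthenticationAuthority value on stdin, print the slot ID:
# the text between ";ApplePasswordServer;" and the next comma.
slot_from_authauth() {
    sed -n 's/^;ApplePasswordServer;\([^,]*\),.*/\1/p'
}

# Given `mkpassdb -dump` output on stdin and a shortname as $1, print the
# 0x... token that sits directly to the left of that shortname.
# Prints nothing if the user is not found.
slot_from_dump() {
    awk -v user="$1" '
        $1 == "slot" {
            for (i = 1; i < NF; i++) {
                if ($i ~ /^0x[0-9a-fA-F]+$/ && $(i + 1) == user) {
                    print $i
                    exit
                }
            }
        }'
}

# Sanity check before running mkpassdb -setpassword against a slot:
# the value must be a single hex token starting with 0x.
# Returns 0 when well-formed, 1 otherwise.
check_slot_format() {
    case "$1" in
        0x[0-9a-fA-F]*) printf '%s' "$1" | grep -Eq '^0x[0-9a-fA-F]+$' ;;
        *) return 1 ;;
    esac
}

# --- constructed sample inputs ---
SAMPLE_AUTHAUTH=';ApplePasswordServer;0x479e48fe68b4567000000002000000002,1024 35 1234567 root@od.example.com:192.0.2.10'
SAMPLE_DUMP='slot 001: 0x479e48fe68b4567000000001000000001 testuser 03/10/2008 09:00:00 AM
slot 002: 0x479e48fe68b4567000000002000000002 diradmin 03/11/2008 02:12:30 PM'

# Demo: derive the slot ID both ways and confirm they agree before use.
demo() {
    a=$(printf '%s\n' "$SAMPLE_AUTHAUTH" | slot_from_authauth)
    b=$(printf '%s\n' "$SAMPLE_DUMP" | slot_from_dump diradmin)
    if [ "$a" = "$b" ] && check_slot_format "$a"; then
        printf 'slot ID for diradmin: %s (both sources agree)\n' "$a"
        printf 'next step (as root): mkpassdb -setpassword %s\n' "$a"
    else
        printf 'slot IDs disagree or are malformed: "%s" vs "%s"\n' "$a" "$b" >&2
        return 1
    fi
}
```

On a live server you would replace the constructed samples with `sudo mkpassdb -dump | slot_from_dump diradmin` and the value copied from the Inspector; the cross-check matters because `mkpassdb -setpassword` will happily reset whatever slot it is given.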


Resetting the Open Directory administrator password

  1. Log into the server using a local administrator user account, and open the Terminal.
  2. Enter this command:
    sudo su
  3. Enter your administrator password when prompted.
  4. Enter the following command:
    mkpassdb -setpassword <slot ID>

    Replace <slot ID> with the value obtained in the first part (extracting the slot ID). You will be prompted for the new directory administrator password. If you are unable to obtain the <slot ID> using Workgroup Manager, you can use the "Extracting the slot ID using Terminal" directions.

  5. IMPORTANT: At this point, you have root privileges in this session. To avoid potential damage to the system in case of a mistake, be sure to quit the Terminal application now.