Gilbert Wilson wrote:
> Has anyone else had this kind of persistent corruption of their LDAP
> system? What was causing it? How did you find it?
>
> Any leads or words of wisdom would be greatly appreciated.

For debugging purposes, I'd try to see if I could authenticate through LDAP and through Kerberos. ldapsearch using a bind DN and password, and kinit are your friends here.

As others have indicated, OpenDirectory is a three-way marriage between OpenLDAP, Kerberos, and Apple's own PasswordServer or Service.

I've managed to screw up accounts in OpenDirectory by resetting what password hash mechanisms OD is allowed to use. Every account created or that did not have a password reset before changing the password mechanisms couldn't log in, even though LDAP and KRB auth both succeeded. Every account created or that had the password changed after changing the mechanisms could.

The only way to fix that was to go back and re-enable all the password mechanisms, which would unbreak the older accounts and break the newer ones. :-(

--
-- John E. Jasen ([EMAIL PROTECTED])
-- No one will sorrow for me when I die, because those who would
-- are dead already.
-- Lan Mandragoran, The Wheel of Time, New Spring

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
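
The two-sided check described in the message above, as an added example that is not part of the original post: it tests the LDAP bind and the Kerberos ticket request separately for one account and reports which side rejects the password. It assumes the OpenLDAP `ldapsearch` client and `kinit` are installed; `od.example.com` is a constructed placeholder, and the bind DN and principal are supplied as arguments.

```shell
#!/bin/sh
# Added example: check LDAP and Kerberos separately for one account.
# The LDAP_URI default is a constructed placeholder, not a real server.
LDAP_URI="${LDAP_URI:-ldap://od.example.com}"
# Overridable so the decision logic can be exercised without a directory.
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"
KINIT="${KINIT:-kinit}"

# Simple bind as the user's own DN and read that entry back.
# -W prompts for the password so it never lands in shell history.
check_ldap() {  # $1 = bind DN
    "$LDAPSEARCH" -x -H "$LDAP_URI" -D "$1" -W -b "$1" -s base dn >/dev/null
}

# Ask the KDC for a ticket; kinit prompts for the password itself.
check_krb() {   # $1 = Kerberos principal
    "$KINIT" "$1"
}

# Run both checks and print one line naming the side that failed.
triage() {      # $1 = bind DN, $2 = Kerberos principal
    ldap=fail; krb=fail
    if check_ldap "$1"; then ldap=ok; fi
    if check_krb "$2"; then krb=ok; fi
    case "$ldap/$krb" in
        ok/ok)     hint="both accept the password; if login still fails, check whether the password predates a change to the allowed hash mechanisms" ;;
        ok/fail)   hint="LDAP bind works, Kerberos does not; look at the KDC side" ;;
        fail/ok)   hint="Kerberos works, LDAP bind does not; look at the LDAP side" ;;
        fail/fail) hint="neither accepts the password; confirm the password and the account first" ;;
    esac
    echo "ldap=$ldap krb=$krb: $hint"
}

# Usage: script 'uid=USER,cn=users,dc=example,dc=com' 'USER@EXAMPLE.COM'
if [ $# -eq 2 ]; then
    triage "$1" "$2"
fi
```

Run it once for an account that can log in and once for one that cannot; identical `ldap=ok krb=ok` results for both point away from LDAP and Kerberos and toward the password mechanisms described in the message.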
