If you’ve ever worked with an OS X Server you will have come across the Directory Administrator. The Directory Administrator is essentially the all-powerful user in an Open Directory (OD). This user is created when promoting a Mac server from a standalone machine, with only a dslocal directory, to an Open Directory Master (ODM).
Once promoted, the server has an OD created on it with a mandatory Directory Administrator. The password for this mandatory user is set when promoting the server and can only be changed by a directory administrator. If you forget the passwords of all directory administrators you can no longer modify directory information and have to reset the password from the command line.
You require local administrator access to the server to reset the Directory Administrator’s password. Without local admin access you’ll need to dump your OD and start over. Not nice when you have several hundred users plus in your OD!
First off we need to get the slot ID for the Directory Administrator. This is done as follows…
$ sudo mkpassdb -dump | awk '/diradmin/ { print $3 }'
If your Directory Administrator does not have a shortname of diradmin you will need to change the string between the forward slashes. For example, if your directory administrator has a shortname of “doug” you’d use the following command…
$ sudo mkpassdb -dump | awk '/doug/ { print $3 }'
Returns: 0x00000000000000000000000000000001
This command will return a hexadecimal number similar to the one shown above. A hexadecimal string will often start with 0x and will contain only the digits 0 to 9 and the letters A to F.
We need this slot ID in order to reset the password using mkpassdb, rather than the shortname à la passwd. For our slot ID of 0x0…1 we would use the following command…
$ sudo su
Enter your local administrator password. We do this rather than sudoing the next command directly to avoid any confusion with which password to enter.
$ mkpassdb -setpassword 0x00000000000000000000000000000001
At this point you’ll be asked to set a new password for the directory administrator. You could also use this method to reset the passwords of other users, but most system administrators are happy working with GUI applications most of the time.
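The lookup and reset steps above, wrapped into a small shell script as an added example (not the post’s own code). It assumes, as the awk commands above do, that each record line of `mkpassdb -dump` carries the slot ID as its third whitespace-separated field, and it matches the shortname as a whole field so that looking up “doug” cannot also pick up a user such as “douglas”; the dump text is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the original post. It assumes (as the post's
# awk does) that `mkpassdb -dump` prints one record per line with the slot ID
# as the third whitespace-separated field and the shortname on the same line.

# Constructed sample standing in for `sudo mkpassdb -dump` output so the
# lookup can be exercised offline; the real layout may differ, check it first.
SAMPLE_DUMP='slot: 1 0x00000000000000000000000000000001 diradmin
slot: 2 0x00000000000000000000000000000002 doug
slot: 3 0x00000000000000000000000000000003 douglas'

# The post's approach: a regex match, so "doug" also hits "douglas" and
# two slot IDs come back with no indication of which one is right.
naive_slot_ids() {
    awk "/$1/ { print \$3 }"
}

# Safer lookup: the shortname must equal a whole field, and exactly one record
# may match; otherwise print nothing and fail so nothing is reset by mistake.
slot_id_for_user() {
    awk -v name="$1" '
        { for (i = 1; i <= NF; i++) if ($i == name) { ids[n++] = $3; break } }
        END { if (n != 1) exit 1; print ids[0] }'
}

# Wrapper for the actual reset; run as root on the ODM. Only the shortname is
# interpolated, never the password, which mkpassdb prompts for interactively.
reset_od_password() {
    slot=$(mkpassdb -dump | slot_id_for_user "$1") || {
        echo "no unique record for '$1'; refusing to reset" >&2
        return 1
    }
    mkpassdb -setpassword "$slot"
}

# Offline demonstration against the constructed dump (no root needed).
echo "naive match for doug:"
printf '%s\n' "$SAMPLE_DUMP" | naive_slot_ids doug
echo "exact match for doug:"
printf '%s\n' "$SAMPLE_DUMP" | slot_id_for_user doug
```

On a real server, replace the sample with `sudo mkpassdb -dump` and compare its first lines against the assumed layout before trusting the lookup.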
I’m in the process of setting up a Ruby script to search for the slot ID using the corresponding short name and then initiate the password reset. The script will take another day or so tops and then I’ll replace this paragraph with the code.