Users can’t log in or authenticate – Apple Mac OS X Server (Administrator’s Guide) User Manual

Users and Groups

203

m You must be a domain administrator for any Apple directory domain storing the account.

m The directory domain must be a NetInfo or LDAPv3 directory domain. Only these

domains can be updated using Workgroup Manager.

A Password Server User’s Password Can’t Be Modified

Before you can modify the password of a user whose password is validated using a Password
Server, you must

m be a domain administrator for the directory domain storing the user’s account

m have your own password validated by the same Password Server

Users Can’t Log In or Authenticate

Try these techniques to determine whether the source of the authentication problem is
configuration or the password itself:

m Reset the password to a known value, then determine whether there is still a problem. Try

using a 7-bit ASCII password, which is supported by most clients.

m If a Password Server is being used for the user and it is not set up to support the

authentication protocol needed by the user’s client, you can use Open Directory Assistant
to enable additional Password Server protocols. You may need to reset the user’s
password after changing the Password Server configuration.

m Basic authentication does not support many authentication protocols. To increase the

possibility that a user’s client applications will be supported, use the Password Server or
suggest that the user try a different application.

m For Kerberos troubleshooting tips, see “Kerberos Users Can’t Authenticate” on page 204.

m If a Password Server or non-Apple directory server used for password validation is not

available, reset the user’s password to use a server that is available.

m Make sure that the password contains characters supported by the authentication

protocol. Leading, embedded, and trailing spaces as well as special characters (for
example, option-8) are not supported by some protocols. For example, leading spaces
work over POP or AFP, but not over IMAP.

m Make sure that the keyboard being used by the user supports the characters necessary for

authentication.

m Make sure the client software encodes the password so that it is recognized correctly. For

example, Password Server recognizes UTF-8 encoded strings, which may not be sent by
some clients.

m Make sure that the client being used by the user supports the password length. For

example, LAN Manager only supports 14-character passwords, so passwords longer than
14 characters would cause an authentication failure even though Mac OS X Server’s
Windows service supports longer passwords.