“Update” Cached User Information from Apple's OpenDirectory

TLDR

There is no way to update cached information. You have to delete the cached user and recreate it.

The Story

The other day we had a problem with an OpenDirectory user who was working on a mobile account on a laptop running MacOS 10.7. The user got a new laptop, and to configure everything for him we had to change his password to one we knew. So the password was changed in OpenDirectory. We configured everything, and the user then changed his password to a new one.

Everything fine – we thought.

Until the user went back home with his shiny new laptop, opened it up and tried to log in with the new password. The login dialog shook and denied access. The user was clever and tried the intermediate password we also knew, and voilà, access was granted.

What happened?

The mobile account on the laptop had cached the user's password locally. As we had changed the password on a different machine and not on the laptop, the laptop's cache was never told that there was new password information, so the old password was still lurking around there.

The situation was not dramatic, as it was clear when to use which password, but it was far from nice.

So what to do?

There seems to be no mechanism to tell the Mac client that the cached information is no longer valid, other than deleting that information. So we had to delete the cached user record while keeping the user's home directory.

Nothing easier than that. Fire up your terminal and run the following command:

sudo dscl . -delete /Users/[username]

This deletes the local record for [username] from the user list (dscl's subcommand for deleting a record is -delete) but leaves the home directory as it is.

Note: You should only do this with a cached mobile user! To find out which users are cached, run this snippet:

dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}'

This only lists users whose AuthenticationAuthority marks them as cached. Do not touch other users unless you know exactly what you are doing!

After removing the user's entry, connect to the network and log in as [username]. You will be asked whether you want to create a mobile account or not. When you select “yes” the user is created as a cached user again, this time with the correct password!

Oh, and don't worry about the home directory. Everything stays as it is: the machine notices that the directory already exists and simply synchronizes its contents with the server.
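The whole procedure above, as an added script that is not part of the original post: it wraps the two dscl commands so that a record is only ever deleted when the AuthenticationAuthority check from the note says it is a cached mobile user. It assumes macOS dscl on the local node ("."), as the post does; the parsing helpers read dscl output from stdin, so they can be exercised with the constructed sample below on any machine. The usernames and hash values in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes macOS dscl on the
# local directory node "." as used in the post. The parsing functions take
# dscl output on stdin so they can be tested offline with constructed data.

# Constructed sample of `dscl . -list /Users AuthenticationAuthority` output.
# Names, realm and hash placeholders are made up; real values are longer.
SAMPLE_DSCL_OUTPUT='_mbsetupuser ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
admin        ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;admin@LKDC:SHA1.DEADBEEF;LKDC:SHA1.DEADBEEF;
jdoe         ;LocalCachedUser;/LDAPv3/od.example.com:jdoe:00000000-0000-0000-0000-000000000001 ;Kerberosv5;;jdoe@EXAMPLE.COM;EXAMPLE.COM;
msmith       ;LocalCachedUser;/LDAPv3/od.example.com:msmith:00000000-0000-0000-0000-000000000002'

# Print the names of records whose AuthenticationAuthority contains
# LocalCachedUser, i.e. cached mobile (OpenDirectory) users.
# Reads `dscl . -list /Users AuthenticationAuthority` output from stdin.
cached_users_from() {
    grep 'LocalCachedUser' | awk '{print $1}'
}

# Succeed (exit 0) only if "$1" is listed as a cached user in the
# dscl output on stdin; -x requires a whole-line match on the name.
is_cached_user_in() {
    cached_users_from | grep -qx -- "$1"
}

# Live wrapper (macOS only): list the cached users on this machine.
list_cached_users() {
    dscl . -list /Users AuthenticationAuthority | cached_users_from
}

# Live wrapper (macOS only): delete the local record of a cached mobile
# user and refuse anything else. The home directory under /Users is left
# untouched; logging in again while on the network recreates the record
# with the current password, as described in the post.
remove_cached_user() {
    user=$1
    if dscl . -list /Users AuthenticationAuthority | is_cached_user_in "$user"; then
        sudo dscl . -delete "/Users/$user"
    else
        echo "refusing: $user is not a cached (mobile) user" >&2
        return 1
    fi
}
```

On the laptop itself, `list_cached_users` shows what the note's one-liner shows, and `remove_cached_user jdoe` performs the deletion only for a name that appears in that list, so a typo in the username cannot remove a local admin account.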

Kudos to infusiontechsolutions.