"Error of type eDSAuthFailed (-14090)" when attempting to disable a user in Workgroup Manager

In Workgroup Manager, there are two levels of authentication: first there's the "Workgroup Manager Connect" dialog, then there's the authentication bar just below the main window's toolbar. For the second authentication, I was diradmin, which was failing. I deleted my Keychain entry for that, restarted Workgroup Manager, then, for the second authentication, authenticated as root. Root was able to successfully disable the user account.

This is strange, because diradmin has the "administer this server" permission, which I would have thought would include permission to disable users.

If you want to understand what's happening :

http://support.apple.com/kb/HT3186 will help you understanding what's happening by checking more detailed directory services logs.

First steps would be to unbind / rebind clients if you remote the server access from Workgroup Manager on a client.

If you just want to resolve this :

Open Directory issues are really annoying to resolve, can be related a thousand of things. If your network schema is not too interlinked to third party systems, I would advise you to backup your users/groups/computer.

/Utilities/Workgroup Manager, Export (Password are not saved) Then you set the OD as standalone, and master again, it will recreate the LDAP and Kerberos /Utilities/Workgroup Manager, Import (You have to set new password for users).

note : Promoting a OD to Master then reimporting user account won't reset your collaborative services data such as wiki, web, PosGres, address book, calendars... etc

You can -otherwise- archive the OD(password remain intact for accounts), then restore, but it is probable that you restore the issue in the meantime.