Today I switched the group membership of one person in Open Directory to change their external authentication account and thus their FileMaker privilege set. The change did not take effect and the user retained their existing privileges. I fixed the problem by using the command line directory service member utility.
The first thing I did was check group membership on the client machine by typing:
sudo dsmemberutil checkmembership -u 1234 -g 5678
You will need to replace 1234 with the user ID of the person you are testing and the 5678 with the group ID of which you are testing membership. If the user is not a member of the group, terminal will respond with
user is not a member of the group.
If the user is a member of the group, then terminal will respond with
user is a member of the group.
Perform this check on both the client machine and the FileMaker Server machine. If either gives information that is contrary to the current configuration of the user in Open Directory then you need to flush the directory cache. This can be accomplished by typing
You can run dsmemberutil checkmembership again to verify all is correct. FileMaker external authentication should work correctly when all machines see proper group membership.