AFP548

LDAP, NetInfo, seems they’ve been “split” please help

OS X Server 10.3.9. First, this thread seems to be describing the symptoms I'm seeing: http://www.macintouch.com/readerreports/macosx10_3_9/topic2797.html

Basically, Workgroup Manager "appears" to be all hunky dory. But LDAP-created admins can no longer auth to the NetInfo domain, and NetInfo-domain-created admins can no longer auth to the LDAP domain. In both cases, the admin user is a member of admin (80) and has "Administer this server" and "Administer this directory domain" checked. Now, as far as logging in, access to files, groups listed in "groups" or id, all these look and act fine (as far as I can tell).

The dichotomy runs deeper too:

-) LDAP admin can't add users to NetInfo groups EXCEPT as the primary gid (wtf).
-) LDAP admin cannot toggle the "Administer this server" check box.
-) NetInfo admin cannot toggle the "Administer this domain" check box.
-) Users created by the local admin cannot be set as domain admin.
-) Users created by the LDAP admin cannot be set as local admin.

I could go on, but you get the picture. It's as if there's a wall between these two domains. I suspect (could be wrong, feel free to toss in your theories) that messing with user Password and Account expiry policies may have brought out the bug in the link above. FYI, this machine has not been patched in approx 10 months, nor am I at liberty to do so at the moment.

*edit* I thought I'd add that I can browse the NetInfo directory by doing:

    $ nicl /
    / > read groups/admin
    name: admin
    gid: 80
    passwd: *
    users: root admin ldapadmin

Where ldapadmin is the admin created in LDAP. Also, I can auth to the local domain with a local admin and at the same time auth to the LDAP domain with the LDAP admin. This gives the appearance of having full authority. But even though this allows me to toggle fields like "Administer this server" again, it doesn't seem to have any actual effect (though the entries in nicl are updated).

And finally, when using two accounts to auth like this I can add and remove users to local groups, but it throws an error on save when adding (no error when removing the group):

    Error of type eDSInvalidAttributeType (-14131) on line 295 of /SourceCache/ServerManagerUserGeneral/ServerManagerUserGeneral-193.3.2/UserGroupPluginView.mm

I was unable to google any info regarding this, but at least it's some error output, however cryptic (I wasn't even getting auth errors in my system.log).