Export from Standalone to Open Directory

Similar Messages

• Converting from Standalone to Open Directory Master

  I want to change my server to an Open Directory Master from a standalone server so that mail clients can use Kerberos to send and receive email. I want to do this just to increase security measures on my network. I have been sucessfully running the server for 3 years or so but am not very knowlegable about Open directories.
  My questions is this.
  1. Is there any documentation on makeing the change to Open Directory Master with the sole purpose of being able to Authenticate using Kerberos for mail clients. Step by step would be great.

  Take a look at www.afp548.com for some good tutorials on the subject.
  The admin guide should have step by step instructions as well.
  One thing, you will need to move your users from the local "domain" to the OD "domain" in order for them to use kerberos. e.g. all your current user records have a dir node path of "/Users", and you will need to move them to "LDAPv3/127.0.0.1/Users".
  Hope this gets you started
  - Leland

• What is the impact of destroying and re-creating from scratch the Open Directory Master?

  In order to try and solve some nasty issues hat I have since upgrading to OS X Server 3,0 I am considering completely destroying my OD Master and re-creating the users and groups from scratch. Before doing so (of course I will have multiple backups) I would like to understand:
  1.   When re-creating the users and groups is it sufficient to use the same ‘Unix’ groupid and userid numbers or do I also need to use the original GeneratedUIDs (is that even possible)? Are there any other aspects of the users/groups that I need to be sure to preserve?
  2.   Will there be any impact to services and their data from doing this? Specifically, I have users with data in Mail, Calendar, Contacts and the WiKi. Will they still be able to access their data after the OD destroy/re-create or is that data somehow tied to more than just the username (e.g. does it use the user/group UUID or indeed any other UUID from OD)?
  3.   Will there be any impact to OS X clients bound to the OD? Should I unbind them before destroying and re-bind them afterwards? Will there be any negative impact on the network users who log in via these systems (they all have ‘mobile’ accounts which do *not* sync to the server - all their data is local to the client)?
  Thanks in advance for any advice especially from anyone who has gone through this process.
  Chris

  Hi Rob,
  I have solevd my issue and I did not need to destroy / re-create the Open Directory. See my post here https://discussions.apple.com/thread/5785838 for all the gory details. The long and the short of it was that my problems all came from a point in the past when I changed the hostname of my server after I had created the Open Directory master. Seems like that is a very bad idea! Based on what I found it seems liek any small flaw in DNS forward and reverse name resolution can also cause similar issues. I don't knwo if either of thsoe may apply to your situation?
  As part of troubleshooting my issue I actually created a 'replica' of my server setup on another machine includingthe OD and associated users and groups. What I found was that many services (certainly mail, calendar and contacts) depend completely on the OD users and groups UUIDS. So if you wish to preserve user's data across an OD destroy and re-create it is vital that you carefully note for each group its Unix GID and its OD UUID and for each user their Unix uid, primary group id and UUID. When you are re-creating your OD master, as you create each group, use Directory editor to change its UUID to the original value. Similarly for Users. If you don't then users will no longer have access to any existign Mail, Contacts or Calendar data afterwards!
  HTH,
  Chris

• Unbinding From A Dead Open Directory

  My Mac Server (OD Master) threw its hard drive. I have no backup. I'm trying to unbind my laptop in Directory Services. When I click Unbind, it asks for my directory admin user name and password, and then nothing. The dialog closes and the LDAP entry is still there. Any ideas?

  Greetings!
  I've had to forcibly unbind a few times... if you can't force an unbind in "Directory Access" of the Client machine... try this (at your own risk of course):
  On the client machine
  -Open "NetInfo Manager"
  -Delete "mcx_cache"
  -Delete "mcx_cache" in "config"
  -Quit NetInfo Manager
  -Delete "/Library/Managed Preferences/."
  reboot
  I think at one point I also tried deleting "/Library/Preferences/DirectoryService/."
  I'm no sysadmin and I'm learnin' as I go, but that's how I've unbound a few machines in my "messin' about".
  In case I'm off on the lingo, by "." I mean all files in that folder.
  If anybody knows of additional files that should be deleted, or knows of another method of achieving the unbind manually... please post your thoughts!
  Hope that works for ya. Let us know. Cheers!

• Initial setup and Open Directory problem

  Hi,
  I'm new to the MAC OS X server system and trying to get one up and running on a G5.
  Unfortunately I can’t get the configuration up and running, and I have the feeling it already goes wrong during the initial setup. I was hoping you guys could help me out.
  The purpose of the server is providing network user accounts (DNS + Open Dir.) and providing sharepoints.
  I go trough following steps while installing from scratch:
  - Install MAC OS X and run the Server install package from the OS X Server DVD (as you know, OSX Server is'n installing directly on G5)
  - Choose keyboard layout, enter license and create an account "admin"
  - Define static IP "192.168.1.1", add this IP as the first in the list of DNS Servers, add "company.local" in the search domain
  - Install as a standalone server (so I can configure dns & other network services after basic setup)
  - Check "network time server" (so time will be synced for Kerberos)
  - Proceed, install and reboot
  OSX Server seems to be installed fine and I can login with "admin". Next step I take is configuring DNS.
  - create a zone "companyname.local.", use my IP as server address (192.168.1.1) and use "server" as the server name.
  - add a machine record for DNS-testing (called "gateway", with the IP of "192.168.1.254")
  Start the DNS service and reboot
  - perform an nslookup with a second MAC with 192.168.1.1 as the nameserver and verify that DNS is resolving correctly.
  DNS seems to be working fine, now I would like to get the Open Directory service to work:
  - change "Standalone" to "Open directory master" in the server configuration panel
  - provide a password for the directory admin
  - use "SERVER.COMPANYNAME.LOCAL" as kerberos realm, and "dc=server,dc=companyname,dc=local" as the search base
  - Save & start the service and perform a reboot to be sure all the new settings are in use
  Unfortunately after this install open directory doesn't seem to work fine and also Kerberos doesn't start.
  Concerning Kerberos: I get following output in the "Slapconfig log" Open Directory log file:
  Starting LDAP server (slapd)
  command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=maggie,dc=interesourcegroup,dc=local -w **
  Hostname server.companyname.local is from Rendezvous
  Skipping Kerberos configuration
  Sorry to bother you with the entire walkthrough of the installation, but I have the feeling that I'm missing something while performing the basic install or DNS setup .. ?
  Regards,
  Seppe
  G5 Mac OS X (10.4.6) /

  We currently have a static IP and a public dns hosted
  by MediaTemple, so I think I can create a subdomain
  on MediaTemple and link it to our fixed IP address
  ("private.companyname.com" >> static ip) instead of
  using dydns.. ?
  Of course.
  I suppose I can then use "private.companyname.com" as
  the zone name on my G5 server and use
  "server.private.companyname.com" for my local DNS?
  Sounds reasonable.
  If using this DNS, what will be the Kerberos REALM
  and Search Base? And do I still need to specify
  private.companyname.com as the Search Base in the
  Network Settings of the clients and server?
  Well, REALM and LDAP Search Base can set to whatever you like. On the other hand I've seen tools contacting kerberos servers break when the REALM is not part of the kerberos server fqdn.
  So I'd stick with the usual recomandations and set kerberos REALM to your domain name (if there is no other kerberos server alread running and using this).
  For the LDAP search domain I'd also follow the road of using domain name space as search base.
  When dns will finally be setup properly, these setting will be autopopulated for you in the GUI. So test, test, test you dns with
  host $ip and host $fqdn and then go on promoting "Standalone Server" to "Open Directory Master".
  HTH
  -Ralph

• Unable to export from the node.

  I need to export from a node in directory server.
  This node contain more than 1 million user.
  I am unable to export the node.
  I have tried running ldap search on the node but i only git the node ldif and then ldapserach hangs.
  From start console also nothing happens.
  I used ldapbrowser to export but that is also hanging.
  Any ideas how to export the node.
  I have seen the
  I am using Sun ds 5.2 patch 4 on solaris sparc

  Try stopping your Directory Server instance and running db2ldif to export the database into an LDIF file.

• Could someone help with question about PNG export from Illustrator?

  I am having issues with PNG exports from Illustrator not opening up once exported.

  ANd exactly sorry, this is useless. You have not provided any details about your export settings, version of AI, system info, how you are trying to view and so on. Just saying that it doesn't work is simply not good enough.
  Mylenium

• Define a remote linux nfs home directory for an open directory's user

  Hi,
  I want to migrate from nis to open directory. Everything but "auto homes" looks good. As I create a user with the workgroup manager, under the 'Home' tab, I'm unable to specify a remotre nfs home directory(linux).
  So, I want client01(linux) to authenticate on macsvr01(mac osX 10.6.2 / opendirectory). When authenticated, I want macsvr01 to tell client01 that it's home directory is hosted nfs on linuxsvr01(linux nfs file server).
  When i look the workgroup manager, the only possibility seems to be 'afp'.
  When I try to specificy nfs entries, I can't validate my setting because the 'Ok' button remains grayed out.
  Any suggestions?
  Thank you,
  Luc

  I assume you are creating folders in a file server and its a windows machine , is it ?
  You can install a remote manager on file server or on any other machine in network and execute your scripts remotely using remote manager
  Also you can execute your script like wscript c:\CreateFolder.vbs
  Thanks
  Suren
  Edited by: Suren.Singh on Aug 10, 2010 3:20 PM

• Moving Mail Users from a Local Directory to Open Directory

  Hi,
  We have been running a standalone mail server for a few years. We have recently upgraded to 10.5 for all of our servers. We have also been running an Open Directory server for the last year or so. Now I am trying to move my email users from the Local Directory on the Mail server to the LDAP server. Obviously we do not want to change account names, so I find I need to delete the local user and then enable the user through the LDAP. This works fine, but I need to bring the original IMAP files/folders forward.
  My question is what is the best practice? I thought backing up the Mail folder in each user's Library and reimporting it would work, but it won't take the IMAP mbox (I can see all the .emlx files in the backup of the user's Mail folder).
  So again, I had a user called user1 in my mail server Local directory say server1. I also have an Open Directory server2 with the same username on it. I have bound server1 to server2. I can see the server2 (OD) accounts on the server1 (mail). I then need to delete user1 from Local server1 directory in order to enable mail to user1 from the OD. This does work, but again, I need bring the mail files/folders to the new OD account on server1.
  thanks,
  mike

  Tony,
  Let me check of the migration manual, thank you!
  I really thought this was going to easier than this. The current accounts are IMAP, and therefore when I "hook up" the new OD account, which doesn't really need anything done on the client side because it is the same username and password and server as the current Local account. When it syncs, the old emails on the IMAP account in the user's Mail program clear since the new OD account is empty on the server.
  I just really thought duplicating the Mail folder in the client's home Library would allow me to import the emails back in. I have tried highlighting the mailboxes (Inbox, and personal folders), archiving them, and then reimporting seemed to work, but I need to beat it up before I start working on live accounts. One account I did try lets me read the emails from the user, but when I try dragging them to the IMAP folders from the import folder, I get a NULL character problem on IMAP append error. NOT to chase that, but it was something else that tripped me up.
  You do bring up a good point, I think the accounts were originally setup as POP and IMAP. I'll chase some ideas about that.
  Let me play around, you've been great considering my awful explanation of this different situation.
  thanks again,
  mike

• Creating User Acct's in Open Directory from External Source

  Hello,
  I am trying to find a way to automate the creation of user accounts in OpenDirectory. I have a MS SQL database that has the usernames and passwords in it now, and I'm looking to export those out of there and have an automatic way to create matching accounts in the OpenDirectory service on OSX Server.
  Gary

  It's unfortunate that there's no better way to do this. We're using ssh with a pre-shared key to our Open Directory server to run a script which runs dsimport to create the accounts on the Open Directory.
  This works fine for importing/creating accounts, but it doesn't help us change passwords that we are pushing down to Open Directory from our metadirectory solution.
  Here's the python we use to generate the dsimport entries:
  dsimport_base = '0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 11 dsAttrTypeStandard:RecordName dsAttrTypeStandard:GeneratedUID dsAttrTypeStandard:AuthMethod dsAttrTypeStandard:Password dsAttrTypeStandard:UniqueID dsAttrTypeStan\
  dard:PrimaryGroupID dsAttrTypeStandard:RealName dsAttrTypeStandard:UserShell dsAttrTypeStandard:HomeDirectory dsAttrTypeStandard:EMailAddress dsAttrTypeNative:postOfficeBox'
  dsimport_entry = '%s:%s:dsAuthMethodStandard\\:dsAuthClearText:%s:%s:%s:%s:%s:%s:%s:Ganymede managed [%s]'
  params = (obj.Username,
  obj.Global_UID,
  obj.Password.plaintext,
  obj.UID,
  self.getPrimaryGID(obj),
  obj.Full_Name,
  obj.Login_Shell,
  '/Users/' + obj.Username,
  obj.Username + '@arlut.utexas.edu',
  obj._oid)
  new_entry = dsimport_base + '\n' + dsimport_entry % tuple([str(value).replace(':', '\\:') for value in params]) + '\n' # not handling signature aliases yet
  and here's the Perl that is run on the far end of the ssh pipeline which
  reads the list of 'new_entry' lines generated by our Python:
  #!/usr/bin/perl
  # This script receives files on STDIN and runs dsimport on them.
  # Jonathan Abbey
  # 22 October 2009
  use File::Temp qw/ tempfile tempdir /;
  $adminuser = 'diradmin';
  $adminpass = 'seekret';
  ($fh, $filename) = tempfile();
  @users = ();
  while () {
  if (/^([^0][^:]+):/) {
  push(@users, $1);
  print $_;
  print $fh $_;
  close($fh);
  system('/usr/bin/dsimport', '-g', $filename, '/LDAPv3/127.0.0.1', 'O', '-u', $adminuser, '-p', $adminpass, '-v');
  unlink($filename);
  foreach $user (@users) {
  system('/usr/bin/pwpolicy', '-a', $adminuser, '-p', $adminpass, '-u', $user, '-setpolicy', 'canModifyPasswordforSelf=0');
  We've been trying to use kadmin to change passwords, but it seems flaky, with occasional 'policy reject' complaints breaking the sync.

• 10.7.2: still can't replicate 10.6 Open Directory or restore from backup

  I am trying to migrate my Open Directory (OD) database from an Xserve running 10.6.8 to an iMac running 10.7.2 now. As before the update to 10.7.2, I am unable to make the Lion server an OD replica of the OD database running on Snow Leopard.
  This is what I do (please let me know, if anyting I do is wrong):
  On the Snow Leopard Server (SLS) in the Server Admin utility, I go to the Open Directory service, the "Archive" subsection, choose a target directory for "Archive In", and click on the Archive button. I am then asked to name my archived database and provide a password. Let's say, it is "OD Archive," the file generated will be "OD Archive.sparseimage".
  I copy this Sparseimage to the deskop of my Leopard Server (LS).
  I then open the same place in the Server Admin utility on the LS. In the "Restore from" section I browse to the LS desktop and "Choose" the saved Sparseimage. I click on "Restore," at which point I am asked for the password of the archived OD database. When I supply it, it appears that my OD archive is being imported.
  However, going into the Workgroup Manager on the LS, and logging in as diradmin, into /LDAPv3/127.0.0.1, shows no users from my SLS having been migrated. Why has this still not been fixed?
  Likewise, when I try to make the LS an Open Directory replica of the SLS, I again, even after this updated informed that my OD database admin credentials are incorrect, when they are not. I had surely expeced a fix for this by the time we reached 10.7.2.

  Historically you have not been able to mix versions between an Open Directory Master and Replica, that is both would either have to be Snow Leopard, or both would have to be Lion.
  I have not tried upgrading to Lion this way (I am currently leaving my servers on Snow Leopard) but I can suggest the following based on experiences with Snow Leopard Servers.
  As you already appear to have done, in Snow Leopard Server make an Archive of your Open Directory setup
  Make sure you also have a backup of the entire Snow Leopard Server so you can go back to it if you can't successfully move to Lion
  Setup the hostname, IP address and DNS records (which might mean setting up a DNS server) for the new Lion Server
  Check this using the command line
  sudo changeip -checkhostname
  Make the new Lion Server in to a new empty Open Directory Master
  Test this new Open Directory Master by creating a test user and then deleting afterwards
  Now move on to the restoring of the Open Directory Archive, when I did this last time, I found that I was given two choices, either to completely replace the Open Directory with the one from the Archive, or to merge the two together. I found that trying to replace failed and resulted in an empty Open Directory like you report, I found that chosing merge did work successfully
  If the above still does not work, then you might have to consider the following alternative approach.
  On the Snow Leopard Server in Workgroup Manager export all the user accounts except the Admin and DirAdmin accounts
  Optionally export all the Groups
  Optionally export all the Computer Groups
  Setup the new Lion Server
  Create a new empty Open Directory
  Import the files exported from Workgroup Manager
  This will not keep the original passwords. You will have to set a password for each account.

• How to migrate Open Directory from 10.6 to another server with 10.8?

  Hello all,
  I have a Mac Pro running Mac OS X Server 10.6.8 with Open Directory active. Now I bought a new Mac Pro running MAC OS 10.8 and I also bought the OS X Server app.
  What I want to know is how can I migrate the users and their home folders from old server with Snow Leopard to the new one? The Open Directory Archive does this job?
  Regards,
  Carlos.

  Ok. I did a test and I saw that it exports only the information account. So I suppose that I have to copy the home folder using scp or something similar. Is that correct? 
  I also have to keep the same hostname from the old server in the new server or this can be done in a different way?
  Thanks.

• Open Directory Migration from Mac OSX Server 10.4.11 to 10.8?

  I manage an old (2004) G5 Xserve still successfully running OS X 10.4.11 with about 450 users in the Open Directory. I just purchased a Mac mini Server which will run OSX Server 10.8. I want to migrate all the user accounts from the old G5 Xserve to the new Mac Mini server. Can someone spell out the step-by-step process or point me to a document that can help me. I have searched through many of the apple discussion forum threads and Apple Server migration docs, but have not found a clear path to follow to get the old OSX 10.4.11 user accounts onto the new OSX 10.8 Mac Mini server. 
  The G5 server does not serve mail, print, or any other services other than the user accounts (home directories) for the users.
  Help!!!  Thanks.
  John

  If you don't mind clearing ser passwords, then I would export users from 10.4 and import into 10.8
  There are some issues with service ACLs in doing this, but its still the fastest process.
  If users are allowed to set their own PW, the you give provide preset pw's (either unique or common) and a URL to allow users to reset their PW.
  If you need to retain passwords, what I would do is clone the 10.4 server, then upgrade it all the way to 10.8 then archive OD from that and import into a clean-install of 10.8 server.
  Whataver you do, don't rely on a 10.4 to 10.8 migration, you'll want a clean 10.8 install.
  The offline 10.4 -> 10.8 would allow you to retain PWs, but it creates alot of extra work for you.

• HT3801 How do I remove Open directory services from primary MDC?

  I configured my xSAN mdc as an open directory master but I don't need to manage users from the MDC. How do I turn off Open directory on my master mdc and replicas?
  Thanks,
  Tom

  Hi
  Launch Server Admin on your Replica. Select the server's name in the sidebar on the left. Select the Open Directory Service. Click on Settings and change the Role to Standalone.
  Treat any other Replica you may have the same way.
  Launch Server Admin on your Master. Select the server's name in the sidebar on the left. Select the Open Directory Service. Click on Settings and change the Role to Standalone.
  Once you've demoted your OD Master to Standalone you will delete everything to do with the LDAP Database - users, groups, passwords etc but not home folders. If you have local users these won't be affected.
  If for some reason you may want to revert back to users etc that were stored in the LDAP Database then back them up first using the usual methods available on the platform.
  HTH?
  Tony

• **want to create a user account from "Crypted Password" to "Open Directory"

  I have create a user account with "user password type: Crypted Password"
  is there any way I can script it to "user password type: open directory"
  I've use perl-ldap to create user account but I don't know how to change user password type to open directory,
  because my script will add a new node in the directory, I just need a way to make the "user password type" to "Open Directory" AT CREATION TIME, not modifing it after a have a user account, the script below will generate a node in the directory with "Crypted Password" as User Password Type,
  is there any attribute I need to add to make it "Open Directory" or perl command, applescript, bash, objective c(hopefully not)....
  thank for reading...
  $res = $c->add(dn => 'uid=testing,cn=users,dc=microsoft,dc=info',
  attr => [
  'cn' => 'testing',
  'gidNumber' => '20',
  'homeDirectory' => '99',
  'objectclass' => 'inetOrgPerson', 'posixAccount', 'shadowAccount', 'apple-user', 'extensibleObject','organizationalPerson','top','person',
  'sn' => 'testing',
  'uid' => 'testing',
  'uidNumber' => '5000',
  1. 'apple-generateduid' => '27318931-B341-4364-91B4-84E4AAAD1234', #026F",
  'givenName' => 'testing',
  1. 'loginShell' => '/bin/bash',
  'userPassword' => 'testing' ,
  1. 'homePhone' => '555-2020',
  2. 'mail' => '[email protected]'
  die "unable to add, errorcode #".$res->code().$res->error if $res->code( );
  thanks

  Since this question isn't Xserve specific a better place to get an answer is probably in the Directory Services forum: http://discussions.apple.com/forum.jspa?forumID=1353
  That being said if you are trying to migrate Crypt accounts to OD accounts then the short answer is no. You need an unencrypted password to put the password into OD via a script do short of cracking the encrypted password, inserting it in plain text into the OD user account creation process then I don't think you can.
  You should be able to dictate the password (and any other settings you can do from the GUI) but the password is the missing piece. Under really old OS X systems I actually suspect you can get passwords to export (hinted at by an Apple engineer I discussed this with) but there is probably a faster and more straightforward solution.
  What I have done is export from NetInfo, clean the accounts via script and then reimport the accounts into the new system. I usually assign a password and dictate "Must change password at next login" and then email people the temporary passwords. It's been a while but I believe you can mass select and then dictate password settings so if that works for you create accounts with all the same password and then you can select by group and make changes - eg Must change password at login.
  Good luck,
  =Tod