Initial setup of Open Directory

I am very new to setting up a server (of any kind), and am trying to set up Snow Leopard server, so please bear with me. At this point I am simply trying to create the users and groups so I can have file sharing and permissions set up. I am sure that I am missing some small, but crucial elements to understand the software, at this point specifically how to create users and groups. My main instructions come from three books (one of which is a "dummies" book to break down what is said in the other ones), and I have come to the realization that I need help that doesn't come from a book.
I paid a technician to help me install the server software, and in the process create the correct settings I needed from what services I told him that I wanted to use. Having a server where I can share files, and eventually applications, is the goal. However, when I try to follow the books on creating/configuring the OD master, I am completely lost, as I show that AFP and OD are already green and therefore set up?
I did not touch anything in those settings. From what I can gather, I need to configure the Kerberos and LDAP names. Still, I am lost, as there is apparently already something set up from the instructions I received from the technician.
If I haven't explained it enough, I'm in dire need of help and guidance. I am sure I am just overlooking a specific setting. But regardless, short of hiring someone (again), I can't move forward.
Thank you in advance,
Lisa

Are you setting something up to use at home or in a business/school?
There are some manuals here. I don't know if it will be more helpful to you than those books you have.
http://support.apple.com/manuals/#serversandenterprisesoftware
I would check out:
-Getting Started
-Installation and Setup
-File Server
-Open Directory
-User Management

Similar Messages

  • Initial setup and Open Directory problem

    Hi,
    I'm new to the Mac OS X server system and trying to get one up and running on a G5.
    Unfortunately I can’t get the configuration up and running, and I have the feeling it already goes wrong during the initial setup. I was hoping you guys could help me out.
    The purpose of the server is providing network user accounts (DNS + Open Dir.) and providing sharepoints.
    I go through the following steps while installing from scratch:
    - Install Mac OS X and run the Server install package from the OS X Server DVD (as you know, OS X Server isn't installing directly on G5)
    - Choose keyboard layout, enter license and create an account "admin"
    - Define static IP "192.168.1.1", add this IP as the first in the list of DNS Servers, add "company.local" in the search domain
    - Install as a standalone server (so I can configure dns & other network services after basic setup)
    - Check "network time server" (so time will be synced for Kerberos)
    - Proceed, install and reboot
    OSX Server seems to be installed fine and I can login with "admin". Next step I take is configuring DNS.
    - create a zone "companyname.local.", use my IP as server address (192.168.1.1) and use "server" as the server name.
    - add a machine record for DNS-testing (called "gateway", with the IP of "192.168.1.254")
    Start the DNS service and reboot
    - perform an nslookup with a second MAC with 192.168.1.1 as the nameserver and verify that DNS is resolving correctly.
    DNS seems to be working fine, now I would like to get the Open Directory service to work:
    - change "Standalone" to "Open directory master" in the server configuration panel
    - provide a password for the directory admin
    - use "SERVER.COMPANYNAME.LOCAL" as kerberos realm, and "dc=server,dc=companyname,dc=local" as the search base
    - Save & start the service and perform a reboot to be sure all the new settings are in use
    Unfortunately after this install open directory doesn't seem to work fine and also Kerberos doesn't start.
    Concerning Kerberos: I get the following output in the "Slapconfig log" Open Directory log file:
    Starting LDAP server (slapd)
    command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=maggie,dc=interesourcegroup,dc=local -w **
    Hostname server.companyname.local is from Rendezvous
    Skipping Kerberos configuration
    Sorry to bother you with the entire walkthrough of the installation, but I have the feeling that I'm missing something while performing the basic install or DNS setup .. ?
    Regards,
    Seppe
    G5 Mac OS X (10.4.6) /

    > We currently have a static IP and a public dns hosted by MediaTemple, so I think I can create a subdomain on MediaTemple and link it to our fixed IP address ("private.companyname.com" >> static ip) instead of using dyndns.. ?

    Of course.

    > I suppose I can then use "private.companyname.com" as the zone name on my G5 server and use "server.private.companyname.com" for my local DNS?

    Sounds reasonable.

    > If using this DNS, what will be the Kerberos REALM and Search Base? And do I still need to specify private.companyname.com as the Search Base in the Network Settings of the clients and server?

    Well, REALM and LDAP Search Base can be set to whatever you like. On the other hand I've seen tools contacting kerberos servers break when the REALM is not part of the kerberos server fqdn.
    So I'd stick with the usual recommendations and set kerberos REALM to your domain name (if there is no other kerberos server already running and using this).
    For the LDAP search domain I'd also follow the road of using domain name space as search base.
    When dns is finally set up properly, these settings will be autopopulated for you in the GUI. So test, test, test your dns with
    host $ip and host $fqdn and then go on promoting "Standalone Server" to "Open Directory Master".
    HTH
    -Ralph

  • Open Directory Server appears as /LDAPv3/127.0.0.1, not as /LDAPv3/FQDN

    I am running Mac OS X Server 10.4.7 and when I set up my Open Directory Master it shows in Directory Access Utility and Workgroup Manager as /LDAPv3/127.0.0.1.
    This does not make sense since an nslookup answers correctly for IP address and hostname. So, I think it should show as /LDAPv3/FQDN.
    If I change the field "Server Name or IP Address" in the LDAPv3 section of Directory Access Utility to the FQDN, Workgroup Manager shows /LDAPv3/FQDN and works perfectly, but if I try to create an Open Directory Replica on another server, I receive a message "Unable to Authenticate on Server as Directory Admin"

    Thanks for your answer Ralph!
    Really I get my other server promoted to an OD Replica when my OD Master appears as /LDAPv3/127.0.0.1, but I was in doubt about this when I go to the Replica's WGM Sharing pane to set the Users folder as an Automount Point in the /LDAPv3 Directory because it shows as /LDAPv3/127.0.0.1
    Maybe I am wrong, but on the Replica server this will point to the localhost directory. Is this assumption correct?

  • Problems with Active Directory Users showing as not found in Open Directory work group manager

    I’m running a golden triangle setup with Open Directory assigning group policy and authentication provided by Active Directory. In Workgroup Manager I can search through the AD and add users or computers to groups in OD Workgroup Manager. However, when I save and refresh, the users or computers appear as ‘not found’. Is there a reason for this?

    Hi Zero
    It's very reassuring to know I'm not the only one having issues with this..
    I'm on my second reinstall of the server.. Like you, I have no wish to do another clean install as everything else is connected and it seems like the answer is probably very simple.
    So today I'm going to re-run the terminal commands as laid out in the online guides.
    However I was kinda hoping someone would be able to supply us with an answer.
    thanks
    J

  • Authentication Delays / Slow Authentication for Open Directory Users

    I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
    The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
    * On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
    * In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
    * On a remote computer, sharing the screen using an Open Directory user takes several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
    * Connecting with AFP takes several seconds when using an Open Directory login
    * On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
    * Connecting with SSH does NOT exhibit the behavior
    In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
    The history of the problem:
    Used Tiger Server for over a year = no problems
    Clean install of Leopard Server 10.5.0 back in October = no problems
    Update to Leopard Server 10.5.1 = no problems
    Then, all of the sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
    So in desperation I backed up and did a clean install today. Here's the process I used:
    0. Erase the disk
    1. Install Leopard Server 10.5.0 from the install DVD
    2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
    3. Reboot
    4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
    5. Reboot
    6. Configure DNS (see below for detailed configuration)
    7. Reboot
    8. Change role to Open Directory Master
    9. Reboot
    ... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
    I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
    == Basic Configuration ==
    OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
    Services Enabled:
    DNS
    Open Directory
    (All other services are not yet enabled)
    == DNS Setup ==
    Primary Zone: mydomain.private.
    Allows zone transfer: no
    Nameservers: ns.mydomain.private.
    myserver (Machine) 10.0.22.201
    ns (Alias) myserver.mydomain.private.
    Reverse Zone: 22.0.10.in-addr.arpa.
    10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
    Accept recursive queries from the following networks:
    localnets
    Forwarder IP Addresses:
    208.67.222.222
    208.67.220.220
    == Open Directory Setup ==
    Role: Open Directory Master
    LDAP Search Base: dc=myserver,dc=mydomain,dc=private
    Kerberos Realm: myserver.mydomain.private
    == Network Configuration ==
    Configure: Manually
    IP Address: 10.0.22.201
    Subnet Mask: 255.255.255.0
    Router: 10.0.22.1
    DNS Server: 127.0.0.1
    Search Domains: mydomain.private
    == Other Stuff ==
    Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
    I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
    I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
    Hopefully one of the gurus out there will be able to help me out.
    Thanks,
    jeff

    I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principals in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
    == kdc.log ==
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    == slapd.log ==
    Dec 30 18:21:48 myserver slapd[36]: <= bdbsubstringcandidates: (authAuthority) index_param failed (18)
    Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)

  • Open Directory and connection to shared folders fail

    Hi,
    For testing I've set up an Open Directory Master (Leopard server 10.5.2) with shared folders and portable home directories.
    Login and synchronizing work as they should. But once logged in, when I click on the server in Finder I just get connection failed. When I choose "connect as" and log in as the same user and password as authenticated at the login to the computer (authenticated to OD) it works.
    I thought it should work like a single sign on?
    Any clues?

    Hi
    If you browse the discussion forum you should find this:
    http://discussions.apple.com/thread.jspa?threadID=1251475&tstart=0
    Basically browsing using the Finder or Side Panel does not work well or breaks easily (as far as I can tell it has been like this since 10.2). In an OD environment trying to connect and getting a ticket using that method will probably fail. The workaround - or the 'fix' - is to use 'Connect to Server' from the Go Menu using the Server's IP address. In my experience it does not seem to matter whether AFP is set to Kerberos, Any or Standard for the authentication method. It also does not seem to matter whether the Server is configured in Standard or Advanced.
    I've not come across anything yet regarding Workgroup. Probably in that configuration it may not be an issue as this mode - as far as I can see - is ideal for AD-OD integration. In that environment OSX Server would not be the KDC and mac clients will be using the AD for SSO.
    Since this has been happening since 10.2 I don't see Apple addressing this anytime soon, however you never know?
    Tony

  • Migrating NIS users to Open Directory

    Was wondering if anyone has any experience with migrating NIS users over to Open Directory? I have setup an Open Directory server (10.6) and am looking to move about 150 users from my NIS server to it.
    I can move the users/GIDs easily enough but want to move passwords also so the move is transparent to the users.
    Any ideas?
    Thanks!

    The answer appears to be that as long as your local pre-existing account password matches your domain account, then once the machine is bound, shared servers managed by Active Directory are automatically authenticated. No migration necessary. Only issues I came across had to do with old keychain entries that needed to be removed.
    Hope someone out there can learn from my confusion.

  • 2 Open Directory masters: will I have Kerberos conflicts?

    In the following scenario, will I create a conflict/problem with kerberos?
    A Faculty Server is faculty.mydomain.org and a separate Student Server is student.mydomain.org (yup, same domain). Both are Open Directory masters (10.4), both have kerberos running. Both are on the same network subnet 255.0.0.0. Both are running DNS.
    Why are they both open directory masters? Because they need not share directory information, and it seems more secure to keep them separate worlds.
    However, I'm reading the Open Directory Administration manual, and it states that if you setup an Open Directory master on a network that has an Active Directory domain, you'll then create a kerberos conflict. It doesn't address if you have 2 Open Directory masters on the same network - but the logic makes sense that you'd create the same conflict - is that true?
    Thank you!

    Jeff - thank you for your reply. I agree - I think I am going about this wrong. I'm stuck in a 6-yr old methodology - and it's time to move on. So, I now have a question about best practices. Would the following be my best scenario - or would you, or others, suggest an alternative setup?
    450 students with 60 desktop client computers employing network home directories, plus another 35 unbound student laptop and old desktop computers not using network or portable home directories. 50 staff members with laptops and desktops that will use a mix of portable home directories, and unbound clients.
    Now, onto a 3 server setup: 1 new xServe providing Open Directory kerberos authentication services to all student and staff. 1 new MacPro running Server 10.4 for faculty home directories and services, and another identical MacPro for student home directories and services. All servers using dual ethernet aggregated links to a 1000/100 network, (servers will be 2 gigabit, wired clients will be a mix of 1000 or 100mbps, and 54mbps for wireless).
    All systems are on the same network in the same building.
    Should I go this route, or would an Open Directory replication server be the better way to go? Or, something else that I haven't thought of?
    Any constructive thoughts appreciated!

  • Open Directory Setup Error

    I attempted to set up the Open Directory on Lion Server.  I entered all the information and clicked the Setup button.  It said it had an error while setting it up and that I should restart the Server to fix it.  I did that and now when I go to connect, I get the message "An error occurred while attempting to bind diradmin to 192.168.1.90.  Please try again."  Now what?  Is there a way to clear the settings and start over?  Mac Mini - Server 10.7.2.

    I just encountered this error: "An error occurred while attempting to bind diradmin to" and my local IP address.
    What fixed it for me was to set the IP address to 127.0.0.1 (which means the current machine) rather than the current machine's actual IP address.  Of course it should be the same thing, but it seems to be picky!

  • Open Directory setup on 10.7.3

    Hi All,
    I am trying to setup test server with following services:
    DHCP
    DNS
    Open Directory
    Profile Manager
    Software Update
    But not having much success. I have installed 10.7.3 on a virtual machine (using Fusion 4) on a Mac Pro and given it 4 GB of RAM. This machine is running in its own bubble; it has no communication even with the host. So I have configured DHCP and DNS services, which seem to be working fine (I have confirmed with another client which can get an IP and DNS server address from this server).
    Now whenever I have tried to run OD setup using both tools (Server App and Admin Tool), it takes forever to configure (more than 1 hour) and then it fails with an error saying "check your network settings". I have checked and the machine has a proper IP address (tried both DHCP and static) and also used the "lookup" utility to resolve the DNS address both ways (forward and reverse).
    Is there anything that is missing in my steps?
    Thanks,

    I don't have the exact message right now because I have deleted that virtual machine after getting that error message. I am going thru the setup again and I will record it if I get that message again.
    Would you be able to tell me anything wrong with my setup? Here is what I have and what I am doing:
    Lion is installed on a virtual machine using VMware Fusion.
    I have added two NICs to that machine so that I can have one with a static IP address and the other with a NAT connection so that the machine can have outside communication for the server install. I have tried to install with one NIC with a static IP address but it won't let me install without an internet connection.
    Then I go through installing the server component of the Lion installation and once that is done I install the brand new Admin tools package.
    Then I disable the network connection and I use the Admin tool to install the DHCP and DNS servers so that it is an isolated environment which is free of any outside changes.
    Under the DHCP scope, I added my server to have a static IP address which was previously configured before installing the server component. And for the DNS service I have added my machine as well.
    After rebooting the machine, I use the Server App to configure the OD service, which asks me a couple of questions and gets started on this setup but takes forever (like an hour or more).
    Do I need to do anything else which might be required for this setup?
    Thanks for your help and sorry for the long and boring post,

  • Can't complete initial setup - Open Directory problems

    "Easy to set up, easy to run" my big ***. On initial bootup, the automatic setup failed. "There may be a problem with the Open Directory." A few days later, it was suddenly working. So I set up and enjoyed one, count em, one user account. Then it stopped working again. I can't set up a Group. I can't use Workgroup Manager successfully, either. The whole server has been one big mess of fail.
    Is this a common problem? Is there a fix? A workaround? Do I need to take this thing back??

    Check this site out for starters
    http://www.wazmac.com/serversnetwork/fileservers/osxserversetup/index.htm
    It's not just for schools, and it offers a lot of info on setting up OS X server.
    It is possible that there is some hardware problem, but it's more likely that you need to setup the server correctly. If you're not familiar with OS X Server, it's not necessarily easy.

  • Help with mail users and setup 10.6 mail server bound to 10.8 Open Directory

    We have a 10.7 Open Directory server which was upgraded from 10.6.  We have had some Open Directory issues since the upgrade.  I am manually creating a 10.8 server as a replacement for the 10.7 server.  All settings for services are running as expected and we are ready to turn over to the new server except for a problem with the ability to receive email.
    Setup in both the original and the replacement has the OD server with DNS running with a correct MX record pointing to our 10.6 mail server.
    In the replacement OD server the mail users were created as network users, with no userhome, with access to the mail service, and email addresses given. 
    The mail server was unbound from the original OD server, bound to the replacement OD server without SSL exactly as with the original, and restarted.
    Initially the mail service said that mail clients had the wrong name or password.  Opened WGM 10.6 on the MAIL server and checked the OD records.  They showed the mail users not having the checkbox saying they were set up to receive mail selected.  Selected the checkbox to receive mail.
    Now the mail client seems to connect to the server correctly but does not show the emails in the system for the users.  It is as though there is no email and the account is brand new.
    Unbind the mail server from the replacement OD server, rebind it to the original OD server, and restart.
    Mail clients connect and receive the mail in the accounts as expected.
    Any ideas?
    Thanks

    I figured out what the mail server is doing.  It has created new email stores for each of the new users.  If we bind to the original OD it uses the original set of email stores.  If we bind to the replacement OD it uses the new set of email stores.
    I have tried to make sure that the userIDs match in each OD but that did not help.
    The server is working for each OD.  Does anyone know if I can tell the 10.6 mail server to use the old emails in the mailstore for the new user in the new OD?
    If nothing else I can solve the problem by archiving the emails and copying them into the new user when running the new OD.

  • Open Directory Migration Question

    Setup:
    My company has two servers, both running 10.5.6. We are migrating from the server Fubar (xserve) as it has had a lot of problems and we want to do a fresh install on it (I was not the admin who initially set it up).
    In order to get a 'fresh' OD going, we are recreating all the accounts on the new server Edoras (powerpc mac pro), making sure to preserve UID of the users.
    Problem:
    User A cannot change his password on Edoras after Directory Utility has been changed to point at it. He can change his password locally, but it does not propagate to Edoras, nor does a password change on Edoras affect his local machine.
    The questions I haven't been able to get answers for are:
    * Should the OD search string be different on Fubar and Edoras? Currently our search string is 'dc=fubar,dc=domain,dc=com'.
    * Are there other attributes that have to be setup in OD besides UID? I noticed when using the Target tab in Workgroup Manager that there is a GeneratedUID attribute, does this need to match?
    Thanks for any information/help.

    I did something like this recently. Unfortunately I couldn't get an answer on the Internet and had to re-configure Directory Access on the client machines manually.
    I moved our system from a PowerMac G4 with several upgrades (eSATA card, eSATA Coolgear Enclosure, 7200.11 (yeah I know, bad drives to use) Seagate drives, 1.8 GHz PPC 7447 upgrade, 1.5GB of ram) to a new Mac Pro with a Highpoint RAID controller. The old G4 was very unreliable and couldn't hand
    I had to go to each machine with ARD, open Directory Access, delete the LDAP entry and re-enter it. This was really annoying and confusing for me as the old server and the new server had:
    The same version of OSX (ok, one was a PPC version and I special ordered the Intel version from Apple Tech Support), but they both were running 10.4.11 with the newest security patches.
    The same OD Search Strings
    The same IP Address for the Server
    The same DNS name for the server
    and the same user IDs and group settings
    and I still had to re-do Directory Access using the client machines. Before re-doing the Directory Access re-binding I would try to log in. The "other" icon would appear on the login window, but when I would log in with the correct username and password the login window would "shake its head" and wouldn't let me log in.
    The biggest pain was that portable directories didn't sync correctly anymore, so I had to manually back up, then delete the account, then re-bind, then re-create and restore the portable directory on each laptop manually.
    Unfortunately I do not know the unix command to change directory binding to client computers using ARD. If such a command exists it would make things much easier for you. Does anyone know if a command exists?

  • Open directory install error

    Hello,
    I have a Mac Mini with OS X 10.8.4 and Server 2.2.1.
    I am trying to configure Profile Manager in Server.app, but after a long time I encountered an error when I create the Open Directory master.
    LDAP log:
    Jul 12 16:17:58 mdm.dom-ad-etandex.fr slapd[1970]: @(#) $OpenLDAP: slapd 2.4.28 (Apr 25 2013 19:11:59) $
                        [email protected]:/private/var/tmp/OpenLDAP/OpenLDAP-208.4~3/servers/slapd
    Jul 12 16:17:58 mdm.dom-ad-etandex.fr slapd[1970]: daemon: SLAP_SOCK_INIT: dtblsize=8192
    Jul 12 16:17:58 mdm.dom-ad-etandex.fr slapd[1970]: /etc/openldap/slapd_macosxserver.conf: line 228: invalid path: No such file or directory
    Jul 12 16:17:58 mdm.dom-ad-etandex.fr slapd[1970]: slapd stopped.
    sudo changeip -checkhostname is successful, and even dig works.
    I tried to reinstall Server.app and rm some directories, but I still have this error...
    Does anyone have any clue?

    I have the exact same issue, same setup.

  • Open Directory won't start after crash no logins

    Server was crashed due to work in the room. OD will not start. I've tried every fix I can find, but the main problem is that this command will not work:
    sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist
    I also have Time Machine backups, but which files should I replace? Thanks

    Hi,
    First thing to check is that DNS is set up correctly.
    In Terminal, type:
    $ sudo changeip -checkhostname
    This should return your server IP address, current hostname and DNS hostname; the hostnames should be the same.
    Finally it should issue a message that says:
    The names match. There is nothing to change.
    dirserv:success = “success”
    If there is a mismatch here, you will need to fix it in the Network tab of the Server app and in the DNS settings.
    It could also be a problem with a remnant of a previous OD setup although you say that you are attempting to set it up, so not sure why there would be a remnant.
    You can "clean out" the old LDAP info by issuing this command but it will wipe out your Open Directory databases on the machine you issue it on; you have been warned....
    Doing this will then let Server app prompt you in the OD settings to 1. set up OD or 2. restore from an archive.
    The command is:
    $ sudo slapconfig -destroyldapserver
    Finally, if you are having problems, turn on logging:
    $ sudo slapconfig -enableslapdlog
    This writes OD logs to /var/log/slapd.log
    Hope that helps. I had that exact issue on a server that was hosting a replica and that stopped working after an update of Server.app.
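
Once slapd logging is on, the failure pattern from the "Open directory install error" thread above (a configuration-file error followed by "slapd stopped.") can be pulled out of the log mechanically. The script below is an added example, not part of any of the posts; the function names are hypothetical and the sample lines are copied from the log quoted in that thread.

```shell
#!/bin/sh
# Added example: triage slapd startup failures in syslog-style log text.
# Function names are hypothetical; sample lines come from the log quoted on this page.

sample_log() {
cat <<'EOF'
Jul 12 16:17:58 mdm.dom-ad-etandex.fr slapd[1970]: daemon: SLAP_SOCK_INIT: dtblsize=8192
Jul 12 16:17:58 mdm.dom-ad-etandex.fr slapd[1970]: /etc/openldap/slapd_macosxserver.conf: line 228: invalid path: No such file or directory
Jul 12 16:17:58 mdm.dom-ad-etandex.fr slapd[1970]: slapd stopped.
EOF
}

# Print "file<TAB>line<TAB>message" for every slapd entry shaped like
# "<config path>: line <N>: <message>". Reads log text on stdin.
slapd_config_errors() {
  awk '
    / slapd\[[0-9]+\]: \/[^ ]*: line [0-9]+: / {
      sub(/^.* slapd\[[0-9]+\]: /, "")          # drop timestamp, host, pid
      i = index($0, ": line ")
      file = substr($0, 1, i - 1)
      rest = substr($0, i + 7)                   # text after ": line "
      j = index(rest, ": ")
      printf "%s\t%s\t%s\n", file, substr(rest, 1, j - 1), substr(rest, j + 2)
    }'
}

# Exit 0 if some slapd process logged a config error and then "slapd stopped."
# under the same pid; exit 1 otherwise. Reads log text on stdin.
slapd_failed_on_config() {
  awk '
    match($0, / slapd\[[0-9]+\]: /) {
      pid = substr($0, RSTART + 7, RLENGTH - 10)
      msg = substr($0, RSTART + RLENGTH)
      if (msg ~ /^\/[^ ]*: line [0-9]+: /) bad[pid] = 1
      else if (msg == "slapd stopped." && (pid in bad)) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Print line N of a config file so the offending directive can be inspected.
show_config_line() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  sed -n "${2}p" "$1"
}

# Demo on the embedded sample; on a server, feed /var/log/slapd.log instead.
sample_log | slapd_config_errors
```

On the affected server, running `show_config_line` with the file and line number reported by `slapd_config_errors` shows which directive names the missing path.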
