No Open Directory under password type pulldown

Similar Messages

• Open Directory and passwords

  Hi, I have come across something really odd someone pointed out to me with Tiger Server, and this is something I've not been able to duplicated on Panther Server, or at least I don't think I have been able to.
  The situation is this: There are three people in my workgroup who have "administrative" privileges for our small server cluster. When logging into one of the servers, it is possible for a person with administrative privileges to log into the server with any user existing user name, and use their own password, or the global administrative password to log into any account. This does seem weird to me. Is there an article somewhere that explains this? I've done a bit of searching, but am not sure on what I am looking for here.
  I am starting to work with Open Directory and LDAP sharing of login information across a series of three servers and am wonder if it might be linked to this, and why/how, etc. Anyone with any good or bad thoughts on this.
  Thanks so much.

  Hi trotter,
  In fact this is a feature called 'masquerading' by Apple which can be very helpful, particularly when when troubleshooting permissions issues on mouted volumes. It allows admins to mount volumes via afp 'as users'.
  It was first implemented for Apple servers back in ASIP 6, and the feature exists in both Panther and Tiger.
  If you don't want this feature you can uncheck Serrver Admin > AFP > Access > Enable Administrator to masquerade... I believe the box is unchecked by default so one of the admins must have checked it.
  IMHO it would also be very useful for admins to be able to have the options to masquerade to user OD/NetInfo accounts also.
  HTH,
  b.

• Open Directory LDAPv3 Password and Diradmin recovery

  Hi Everyone,
  I have just inherited a 10.4.x PPC G5 server from another department and unfortunately the previous sysadmin didn't write down the Open Directory Admin username and password. Is there a way I can recover the username and reset the password?
  I've had to change the ip and I need to run the changeip command and it will ask me for the LDAP admin username and password.
  Regards
  Chris

  Hi
  The Directory Administrator account name and password are not required to run the changeip command. Whoever has given you this information is wrong. Diradmin only has authority over the LDAP Directory node. Either root or the default System Administrator account name and password (UID501) will do this for you.
  Navigate to the Users folder, see the House icon? The name against the house icon will be the short name of the System Administrator account. If you don’t know the password for this account you can boot the G5 from any 10.4 installer disk (or the original installer disks that came with the G5) and use the Reset Password Utility to define a new password for the System Administrator account. Root will also use this password. After the restart run the changeip command and provde the newly defined password.
  Hope this helps – Tony

• HT4641 Is it possible to open files under password?

  Is it possible to open files ms office under the password?

  Trying opening the file from Tracker and then doing a Save As to the new location.

• **want to create a user account from "Crypted Password" to "Open Directory"

  I have create a user account with "user password type: Crypted Password"
  is there any way I can script it to "user password type: open directory"
  I've use perl-ldap to create user account but I don't know how to change user password type to open directory,
  because my script will add a new node in the directory, I just need a way to make the "user password type" to "Open Directory" AT CREATION TIME, not modifing it after a have a user account, the script below will generate a node in the directory with "Crypted Password" as User Password Type,
  is there any attribute I need to add to make it "Open Directory" or perl command, applescript, bash, objective c(hopefully not)....
  thank for reading...
  $res = $c->add(dn => 'uid=testing,cn=users,dc=microsoft,dc=info',
  attr => [
  'cn' => 'testing',
  'gidNumber' => '20',
  'homeDirectory' => '99',
  'objectclass' => 'inetOrgPerson', 'posixAccount', 'shadowAccount', 'apple-user', 'extensibleObject','organizationalPerson','top','person',
  'sn' => 'testing',
  'uid' => 'testing',
  'uidNumber' => '5000',
  1. 'apple-generateduid' => '27318931-B341-4364-91B4-84E4AAAD1234', #026F",
  'givenName' => 'testing',
  1. 'loginShell' => '/bin/bash',
  'userPassword' => 'testing' ,
  1. 'homePhone' => '555-2020',
  2. 'mail' => '[email protected]'
  die "unable to add, errorcode #".$res->code().$res->error if $res->code( );
  thanks

  Since this question isn't Xserve specific a better place to get an answer is probably in the Directory Services forum: http://discussions.apple.com/forum.jspa?forumID=1353
  That being said if you are trying to migrate Crypt accounts to OD accounts then the short answer is no. You need an unencrypted password to put the password into OD via a script do short of cracking the encrypted password, inserting it in plain text into the OD user account creation process then I don't think you can.
  You should be able to dictate the password (and any other settings you can do from the GUI) but the password is the missing piece. Under really old OS X systems I actually suspect you can get passwords to export (hinted at by an Apple engineer I discussed this with) but there is probably a faster and more straightforward solution.
  What I have done is export from NetInfo, clean the accounts via script and then reimport the accounts into the new system. I usually assign a password and dictate "Must change password at next login" and then email people the temporary passwords. It's been a while but I believe you can mass select and then dictate password settings so if that works for you create accounts with all the same password and then you can select by group and make changes - eg Must change password at login.
  Good luck,
  =Tod

• How can I add Adobe Acrobat into my Applications under content type so I can open up pdfs in a firefox window?

  firefox won't open pdf's in a new window. I get a blank page. When viewing my application options, Adobe Acrobat is not listed under content type anywhere. I entered about:plugins in the address bar and it is showing that I do in fact have Adobe acrobat.
  File: nppdf32.dll
  Version: 7.0.8.218
  Adobe Acrobat Plug-In Version 7.00 for Netscape
  I also know I have it, because I have no problem using it in IE.
  What can I do to get pdfs to open in a firefox window?

  Thanks. That worked.
  I went to the profiles directory by putting %APPDATA% in the run window, then in explorer went to mozilla, firefox, profiles, and deleted the mimeTypes.rdf file after making sure firefox was closed. Opened firefox again and mailto links worked. Tried it on my friend's computer and it work on it as well.

• Open Directory users prompted to change password after 10.8 to 10.9 server upgrade

  I just upgraded our 10.8.5 server to 10.9.3. I also upgraded Server.app to the most recent version (3.1.2). I made a complete backup first as a precaution.
  Existing non-admin users are being prompted to change their password when logging in. I've narrowed the problem down to a checkbox in the "Global Password Policy" settings in Server.app, specifically this checkbox: "Passwords must: be reset on first user login". I had that box checked in 10.8 so that new users would be prompted to create a password the first time they logged into a bound computer. It worked great and I'd like to continue using this feature in 10.9.
  If I uncheck this box in Server.app in 10.9.3, existing users can log in just fine with their existing passwords. If I re-check the box, non-admin users are suddenly prompted to change their password when logging in, even though they've logged in countless times in the past.
  Here are some things I've tried:
  * stopping and restarting the Open Directory service in Server.app
  * restarting the server
  * disabling and re-enabling an existing user account
  * inspecting user records in Directory Utility for any peculiar attributes
  * I used the mkpassdb -dump command to verify that the correct "last login time" is present for a particular user, but I'm not enough of an Open Directory expert to know if this is the attribute that the Global Password Policy relies on.
  Does anyone have any other ideas or suggestions?

  UPDATE: It looks like this issue applies to new (post-upgrade) accounts, too, suggesting that this has nothing to do with the upgrade process. Can anyone confirm this behavior? It's easy to test:
  1) Make sure the "Passwords must: be reset on first user login" box is unchecked.
  2) Create a new user in Open Directory.
  3) Log in once. No problem.
  4) Now check the "Passwords must: be reset on first user login" box.
  5) Try to log in again. Were you prompted to change your password? Logically, you shouldn't have been prompted, but users on my server are being prompted.

• Can't log in to Lion Server. Open Directory Log Message says: unable to connect to password server

  I am setting up Lion Server. I can't log in to Lion Server from client.
  Checking the Open Directory Log: says: "unable to connect to password server" or
  "3394.14268, Node: /LDAPv3/127.0.0.1, Module: AppleODClient - unable to read Password Server response - connection to Password Server was closed, socket fd 18 (5205)"
  Thanks for help with this.

  I never discovered the problem, and instead rebuilt the server from the ground up.  I followed instructions at this discussion thread.  Very helpful.
  How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.
  I have had some log-in problems with users.  I have found that restarting the server helps. If this doesn't work, I rebuild permissions on the server, followed by opening up Workgroup Manager, go to the user's password, click on options and require that the user change password on the next log-in. For some reason, this will usually fix the problem.  I then log in as the user, and "change" the password to the original one. Also note, that if you import a user, the password is not brought in.  You must enter it for each user that you imported.  Even so, I have often had to resort to the re-set password procedure to enable a log-in.

• Virtual keyboard does not open when attempting to type in username or password fields

  virtual keyboard does not open when attempting to type in username or password fields. This occurs on multiple websites. HTC Incredible on Verizon network. Current updates on phone. Fennec update dated 9-20-2010. This used to work a couple weeks ago.

  Thanks for the report. We're working on fixing this; you can see the current status here: https://bugzilla.mozilla.org/show_bug.cgi?id=591047
  This bug should be fixed within the next week or so, and will be fixed in the upcoming beta release.

• Open directory administrator's password to manage

  hi.
  i have a mac os x server 10.4 with Open Directory.
  Now I want to add some new users and some new Computer to my domain. When I login into Open Directory I enable to see the tree of my ldap domain but I unable to add new user or computer.
  Why this problem? I see the user that there are. I have just try to login and unlock the Open directory with some other user, but i can't solve. I can't see enable the bottom for "add user" and the "add computer".
  can you help me?
  thanks

  Hi
  have a mac os x server 10.4 with Open Directory
  You should really post this in the relevant Forum as this is for 10.5 Server:
  http://discussions.apple.com/forum.jspa?forumID=713
  Having said that I have to ask the obvious. If you want to add/delete/amend - amongst other things - users to the /LDAPv3/127.0.0.1 node you have to click the lock on the right hand side and authenticate using the Directory Administrator (diradmin) account name and password. Once you've done that you should be able to work within that node.
  Tony

• RoundCube Webmail Authenticating against Open Directory on Mountain Lion 10.8.x

  Hello all,
  I've been battling this issue for over a month with no success. Here is what we got:
  Mac Mini Server running Mountain Lion Server 10.8.2 running Calendar, Contacts, Mail and Web services.
  With there being no webmail present I've gone thru the process of installing RoundCube.
  I'm using Postgres as the database.
  When I test the ability to login I get the following error messages in the console.app
  10/12/12 10:13:27.071 AM log[182]: auth: Error: od(andrew,::1): Authentication server failed to complete the requested operation.
  10/12/12 10:13:27.071 AM log[182]: auth: Error: od(andrew,::1): authentication failed for user=andrew, method=DIGEST-MD5
  The first line I find the most interesting but have had no success determinign exactly what it means.
  I'm using open directory to authenticate and it is working perfectly with every other service so I'm led to believe it's an issue between RoundCube and Open Directory.
  ANY help would be appreciated emmensely!

  Sorry about taking so long to get back on here working on this. I've switched over to MySQL. I had a hard time because mysql.sock was located under /tmp/ rather than /var/mysql/ but I fixed that by using the following command:
  sudo ln -s /tmp/mysql.sock /var/mysql/mysql.sock
  Then I reinstalled roundcube. Here is my main.inc.php file:
  <?php
  +-----------------------------------------------------------------------+
  | Main configuration file                                               |
  |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
  | Copyright (C) 2005-2011, The Roundcube Dev Team                       |
  |                                                                       |
  | Licensed under the GNU General Public License version 3 or            |
  | any later version with exceptions for skins & plugins.                |
  | See the README file for a full license statement.                     |
  |                                                                       |
  +-----------------------------------------------------------------------+
  $rcmail_config = array();
  // LOGGING/DEBUGGING
  // system error reporting: 1 = log; 2 = report (not implemented yet), 4 = show, 8 = trace
  $rcmail_config['debug_level'] = 1;
  // log driver:  'syslog' or 'file'.
  $rcmail_config['log_driver'] = 'file';
  // date format for log entries
  // (read http://php.net/manual/en/function.date.php for all format characters) 
  $rcmail_config['log_date_format'] = 'd-M-Y H:i:s O';
  // Syslog ident string to use, if using the 'syslog' log driver.
  $rcmail_config['syslog_id'] = 'roundcube';
  // Syslog facility to use, if using the 'syslog' log driver.
  // For possible values see installer or http://php.net/manual/en/function.openlog.php
  $rcmail_config['syslog_facility'] = LOG_USER;
  // Log sent messages to <log_dir>/sendmail or to syslog
  $rcmail_config['smtp_log'] = true;
  // Log successful logins to <log_dir>/userlogins or to syslog
  $rcmail_config['log_logins'] = false;
  // Log session authentication errors to <log_dir>/session or to syslog
  $rcmail_config['log_session'] = false;
  // Log SQL queries to <log_dir>/sql or to syslog
  $rcmail_config['sql_debug'] = false;
  // Log IMAP conversation to <log_dir>/imap or to syslog
  $rcmail_config['imap_debug'] = false;
  // Log LDAP conversation to <log_dir>/ldap or to syslog
  $rcmail_config['ldap_debug'] = false;
  // Log SMTP conversation to <log_dir>/smtp or to syslog
  $rcmail_config['smtp_debug'] = false;
  // IMAP
  // the mail host chosen to perform the log-in
  // leave blank to show a textbox at login, give a list of hosts
  // to display a pulldown menu or set one host as string.
  // To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
  // Supported replacement variables:
  // %n - http hostname ($_SERVER['SERVER_NAME'])
  // %d - domain (http hostname without the first part)
  // %s - domain name after the '@' from e-mail address provided at login screen
  // For example %n = mail.domain.tld, %d = domain.tld
  $rcmail_config['default_host'] = 'localhost';
  // TCP port used for IMAP connections
  $rcmail_config['default_port'] = 143;
  // IMAP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
  // best server supported one)
  $rcmail_config['imap_auth_type'] = null;
  // If you know your imap's folder delimiter, you can specify it here.
  // Otherwise it will be determined automatically
  $rcmail_config['imap_delimiter'] = null;
  // If IMAP server doesn't support NAMESPACE extension, but you're
  // using shared folders or personal root folder is non-empty, you'll need to
  // set these options. All can be strings or arrays of strings.
  // Folders need to be ended with directory separator, e.g. "INBOX."
  // (special directory "~" is an exception to this rule)
  // These can be used also to overwrite server's namespaces
  $rcmail_config['imap_ns_personal'] = null;
  $rcmail_config['imap_ns_other']    = null;
  $rcmail_config['imap_ns_shared']   = null;
  // By default IMAP capabilities are readed after connection to IMAP server
  // In some cases, e.g. when using IMAP proxy, there's a need to refresh the list
  // after login. Set to True if you've got this case.
  $rcmail_config['imap_force_caps'] = false;
  // By default list of subscribed folders is determined using LIST-EXTENDED
  // extension if available. Some servers (dovecot 1.x) returns wrong results
  // for shared namespaces in this case. http://trac.roundcube.net/ticket/1486225
  // Enable this option to force LSUB command usage instead.
  $rcmail_config['imap_force_lsub'] = false;
  // Some server configurations (e.g. Courier) doesn't list folders in all namespaces
  // Enable this option to force listing of folders in all namespaces
  $rcmail_config['imap_force_ns'] = false;
  // IMAP connection timeout, in seconds. Default: 0 (no limit)
  $rcmail_config['imap_timeout'] = 0;
  // Optional IMAP authentication identifier to be used as authorization proxy
  $rcmail_config['imap_auth_cid'] = null;
  // Optional IMAP authentication password to be used for imap_auth_cid
  $rcmail_config['imap_auth_pw'] = null;
  // Type of IMAP indexes cache. Supported values: 'db', 'apc' and 'memcache'.
  $rcmail_config['imap_cache'] = null;
  // Enables messages cache. Only 'db' cache is supported.
  $rcmail_config['messages_cache'] = false;
  // SMTP
  // SMTP server host (for sending mails).
  // To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
  // If left blank, the PHP mail() function is used
  // Supported replacement variables:
  // %h - user's IMAP hostname
  // %n - http hostname ($_SERVER['SERVER_NAME'])
  // %d - domain (http hostname without the first part)
  // %z - IMAP domain (IMAP hostname without the first part)
  // For example %n = mail.domain.tld, %d = domain.tld
  $rcmail_config['smtp_server'] = 'localhost';
  // SMTP port (default is 25; use 587 for STARTTLS or 465 for the
  // deprecated SSL over SMTP (aka SMTPS))
  $rcmail_config['smtp_port'] = 25;
  // SMTP username (if required) if you use %u as the username Roundcube
  // will use the current username for login
  $rcmail_config['smtp_user'] = '';
  // SMTP password (if required) if you use %p as the password Roundcube
  // will use the current user's password for login
  $rcmail_config['smtp_pass'] = '';
  // SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
  // best server supported one)
  $rcmail_config['smtp_auth_type'] = '';
  // Optional SMTP authentication identifier to be used as authorization proxy
  $rcmail_config['smtp_auth_cid'] = null;
  // Optional SMTP authentication password to be used for smtp_auth_cid
  $rcmail_config['smtp_auth_pw'] = null;
  // SMTP HELO host
  // Hostname to give to the remote server for SMTP 'HELO' or 'EHLO' messages
  // Leave this blank and you will get the server variable 'server_name' or
  // localhost if that isn't defined.
  $rcmail_config['smtp_helo_host'] = '';
  // SMTP connection timeout, in seconds. Default: 0 (no limit)
  $rcmail_config['smtp_timeout'] = 0;
  // SYSTEM
  // THIS OPTION WILL ALLOW THE INSTALLER TO RUN AND CAN EXPOSE SENSITIVE CONFIG DATA.
  // ONLY ENABLE IT IF YOU'RE REALLY SURE WHAT YOU'RE DOING!
  $rcmail_config['enable_installer'] = false;
  // provide an URL where a user can get support for this Roundcube installation
  // PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
  $rcmail_config['support_url'] = 'http://www.crawfordworks.ca/contact';
  // replace Roundcube logo with this image
  // specify an URL relative to the document root of this Roundcube installation
  $rcmail_config['skin_logo'] = null;
  // automatically create a new Roundcube user when log-in the first time.
  // a new user will be created once the IMAP login succeeds.
  // set to false if only registered users can use this service
  $rcmail_config['auto_create_user'] = true;
  // use this folder to store log files (must be writeable for apache user)
  // This is used by the 'file' log driver.
  $rcmail_config['log_dir'] = 'logs/';
  // use this folder to store temp files (must be writeable for apache user)
  $rcmail_config['temp_dir'] = 'temp/';
  // lifetime of message cache
  // possible units: s, m, h, d, w
  $rcmail_config['message_cache_lifetime'] = '10d';
  // enforce connections over https
  // with this option enabled, all non-secure connections will be redirected.
  // set the port for the ssl connection as value of this option if it differs from the default 443
  $rcmail_config['force_https'] = false;
  // tell PHP that it should work as under secure connection
  // even if it doesn't recognize it as secure ($_SERVER['HTTPS'] is not set)
  // e.g. when you're running Roundcube behind a https proxy
  // this option is mutually exclusive to 'force_https' and only either one of them should be set to true.
  $rcmail_config['use_https'] = false;
  // Allow browser-autocompletion on login form.
  // 0 - disabled, 1 - username and host only, 2 - username, host, password
  $rcmail_config['login_autocomplete'] = 0;
  // Forces conversion of logins to lower case.
  // 0 - disabled, 1 - only domain part, 2 - domain and local part.
  // If users authentication is not case-sensitive this must be enabled.
  // After enabling it all user records need to be updated, e.g. with query:
  // UPDATE users SET username = LOWER(username);
  $rcmail_config['login_lc'] = 0;
  // Includes should be interpreted as PHP files
  $rcmail_config['skin_include_php'] = false;
  // display software version on login screen
  $rcmail_config['display_version'] = false;
  // Session lifetime in minutes
  // must be greater than 'keep_alive'/60
  $rcmail_config['session_lifetime'] = 10;
  // session domain: .example.org
  $rcmail_config['session_domain'] = '';
  // session name. Default: 'roundcube_sessid'
  $rcmail_config['session_name'] = null;
  // Backend to use for session storage. Can either be 'db' (default) or 'memcache'
  // If set to memcache, a list of servers need to be specified in 'memcache_hosts'
  // Make sure the Memcache extension (http://pecl.php.net/package/memcache) version >= 2.0.0 is installed
  $rcmail_config['session_storage'] = 'db';
  // Use these hosts for accessing memcached
  // Define any number of hosts in the form of hostname:port or unix:///path/to/sock.file
  $rcmail_config['memcache_hosts'] = null; // e.g. array( 'localhost:11211', '192.168.1.12:11211', 'unix:///var/tmp/memcached.sock' );
  // check client IP in session athorization
  $rcmail_config['ip_check'] = false;
  // check referer of incoming requests
  $rcmail_config['referer_check'] = false;
  // X-Frame-Options HTTP header value sent to prevent from Clickjacking.
  // Possible values: sameorigin|deny. Set to false in order to disable sending them
  $rcmail_config['x_frame_options'] = 'sameorigin';
  // this key is used to encrypt the users imap password which is stored
  // in the session record (and the client cookie if remember password is enabled).
  // please provide a string of exactly 24 chars.
  $rcmail_config['des_key'] = 'Qw4jLYQK+MyNLPIRmON7Lq+Z';
  // Automatically add this domain to user names for login
  // Only for IMAP servers that require full e-mail addresses for login
  // Specify an array with 'host' => 'domain' values to support multiple hosts
  // Supported replacement variables:
  // %h - user's IMAP hostname
  // %n - http hostname ($_SERVER['SERVER_NAME'])
  // %d - domain (http hostname without the first part)
  // %z - IMAP domain (IMAP hostname without the first part)
  // For example %n = mail.domain.tld, %d = domain.tld
  $rcmail_config['username_domain'] = '';
  // This domain will be used to form e-mail addresses of new users
  // Specify an array with 'host' => 'domain' values to support multiple hosts
  // Supported replacement variables:
  // %h - user's IMAP hostname
  // %n - http hostname ($_SERVER['SERVER_NAME'])
  // %d - domain (http hostname without the first part)
  // %z - IMAP domain (IMAP hostname without the first part)
  // For example %n = mail.domain.tld, %d = domain.tld
  $rcmail_config['mail_domain'] = '';
  // Password charset.
  // Use it if your authentication backend doesn't support UTF-8.
  // Defaults to ISO-8859-1 for backward compatibility
  $rcmail_config['password_charset'] = 'ISO-8859-1';
  // How many seconds must pass between emails sent by a user
  $rcmail_config['sendmail_delay'] = 0;
  // Maximum number of recipients per message. Default: 0 (no limit)
  $rcmail_config['max_recipients'] = 0;
  // Maximum allowednumber of members of an address group. Default: 0 (no limit)
  // If 'max_recipients' is set this value should be less or equal
  $rcmail_config['max_group_members'] = 0;
  // add this user-agent to message headers when sending
  $rcmail_config['useragent'] = 'Roundcube Webmail/'.RCMAIL_VERSION;
  // use this name to compose page titles
  $rcmail_config['product_name'] = 'Tri Innovations Webmail';
  // try to load host-specific configuration
  // see http://trac.roundcube.net/wiki/Howto_Config for more details
  $rcmail_config['include_host_config'] = false;
  // path to a text file which will be added to each sent message
  // paths are relative to the Roundcube root folder
  $rcmail_config['generic_message_footer'] = '';
  // path to a text file which will be added to each sent HTML message
  // paths are relative to the Roundcube root folder
  $rcmail_config['generic_message_footer_html'] = '';
  // add a received header to outgoing mails containing the creators IP and hostname
  $rcmail_config['http_received_header'] = false;
  // Whether or not to encrypt the IP address and the host name
  // these could, in some circles, be considered as sensitive information;
  // however, for the administrator, these could be invaluable help
  // when tracking down issues.
  $rcmail_config['http_received_header_encrypt'] = false;
  // This string is used as a delimiter for message headers when sending
  // a message via mail() function. Leave empty for auto-detection
  $rcmail_config['mail_header_delimiter'] = NULL;
  // number of chars allowed for line when wrapping text.
  // text wrapping is done when composing/sending messages
  $rcmail_config['line_length'] = 72;
  // send plaintext messages as format=flowed
  $rcmail_config['send_format_flowed'] = true;
  // don't allow these settings to be overriden by the user
  $rcmail_config['dont_override'] = array();
  // Set identities access level:
  // 0 - many identities with possibility to edit all params
  // 1 - many identities with possibility to edit all params but not email address
  // 2 - one identity with possibility to edit all params
  // 3 - one identity with possibility to edit all params but not email address
  $rcmail_config['identities_level'] = 0;
  // Mimetypes supported by the browser.
  // attachments of these types will open in a preview window
  // either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
  $rcmail_config['client_mimetypes'] = null;  # null == default
  // mime magic database
  $rcmail_config['mime_magic'] = '/usr/share/misc/magic';
  // path to imagemagick identify binary
  $rcmail_config['im_identify_path'] = null;
  // path to imagemagick convert binary
  $rcmail_config['im_convert_path'] = null;
  // maximum size of uploaded contact photos in pixel
  $rcmail_config['contact_photo_size'] = 160;
  // Enable DNS checking for e-mail address validation
  $rcmail_config['email_dns_check'] = false;
  // PLUGINS
  // List of active plugins (in plugins/ directory)
  $rcmail_config['plugins'] = array();
  // USER INTERFACE
  // default messages sort column. Use empty value for default server's sorting,
  // or 'arrival', 'date', 'subject', 'from', 'to', 'fromto', 'size', 'cc'
  $rcmail_config['message_sort_col'] = '';
  // default messages sort order
  $rcmail_config['message_sort_order'] = 'DESC';
  // These cols are shown in the message list. Available cols are:
  // subject, from, to, fromto, cc, replyto, date, size, status, flag, attachment, 'priority'
  $rcmail_config['list_cols'] = array('subject', 'status', 'fromto', 'date', 'size', 'flag', 'attachment');
  // the default locale setting (leave empty for auto-detection)
  // RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR
  $rcmail_config['language'] = null;
  // use this format for date display (date or strftime format)
  $rcmail_config['date_format'] = 'Y-m-d';
  // give this choice of date formats to the user to select from
  $rcmail_config['date_formats'] = array('Y-m-d', 'd-m-Y', 'Y/m/d', 'm/d/Y', 'd/m/Y', 'd.m.Y', 'j.n.Y');
  // use this format for time display (date or strftime format)
  $rcmail_config['time_format'] = 'H:i';
  // give this choice of time formats to the user to select from
  $rcmail_config['time_formats'] = array('G:i', 'H:i', 'g:i a', 'h:i A');
  // use this format for short date display (derived from date_format and time_format)
  $rcmail_config['date_short'] = 'D H:i';
  // use this format for detailed date/time formatting (derived from date_format and time_format)
  $rcmail_config['date_long'] = 'Y-m-d H:i';
  // store draft message is this mailbox
  // leave blank if draft messages should not be stored
  // NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
  $rcmail_config['drafts_mbox'] = 'Drafts';
  // store spam messages in this mailbox
  // NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
  $rcmail_config['junk_mbox'] = 'Junk';
  // store sent message is this mailbox
  // leave blank if sent messages should not be stored
  // NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
  $rcmail_config['sent_mbox'] = 'Sent Messages';
  // move messages to this folder when deleting them
  // leave blank if they should be deleted directly
  // NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
  $rcmail_config['trash_mbox'] = 'Trash';
  // display these folders separately in the mailbox list.
  // these folders will also be displayed with localized names
  // NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
  $rcmail_config['default_folders'] = array('INBOX', 'Drafts', 'Sent Messages', 'Junk', 'Trash');
  // automatically create the above listed default folders on first login
  $rcmail_config['create_default_folders'] = false;
  // protect the default folders from renames, deletes, and subscription changes
  $rcmail_config['protect_default_folders'] = true;
  // if in your system 0 quota means no limit set this option to true
  $rcmail_config['quota_zero_as_unlimited'] = false;
  // Make use of the built-in spell checker. It is based on GoogieSpell.
  // Since Google only accepts connections over https your PHP installatation
  // requires to be compiled with Open SSL support
  $rcmail_config['enable_spellcheck'] = true;
  // Enables spellchecker exceptions dictionary.
  // Setting it to 'shared' will make the dictionary shared by all users.
  $rcmail_config['spellcheck_dictionary'] = false;
  // Set the spell checking engine. 'googie' is the default. 'pspell' is also available,
  // but requires the Pspell extensions. When using Nox Spell Server, also set 'googie' here.
  $rcmail_config['spellcheck_engine'] = 'googie';
  // For a locally installed Nox Spell Server, please specify the URI to call it.
  // Get Nox Spell Server from http://orangoo.com/labs/?page_id=72
  // Leave empty to use the Google spell checking service, what means
  // that the message content will be sent to Google in order to check spelling
  $rcmail_config['spellcheck_uri'] = '';
  // These languages can be selected for spell checking.
  // Configure as a PHP style hash array: array('en'=>'English', 'de'=>'Deutsch');
  // Leave empty for default set of available language.
  $rcmail_config['spellcheck_languages'] = NULL;
  // Makes that words with all letters capitalized will be ignored (e.g. GOOGLE)
  $rcmail_config['spellcheck_ignore_caps'] = false;
  // Makes that words with numbers will be ignored (e.g. g00gle)
  $rcmail_config['spellcheck_ignore_nums'] = false;
  // Makes that words with symbols will be ignored (e.g. g@@gle)
  $rcmail_config['spellcheck_ignore_syms'] = false;
  // Use this char/string to separate recipients when composing a new message
  $rcmail_config['recipients_separator'] = ',';
  // don't let users set pagesize to more than this value if set
  $rcmail_config['max_pagesize'] = 200;
  // Minimal value of user's 'keep_alive' setting (in seconds)
  // Must be less than 'session_lifetime'
  $rcmail_config['min_keep_alive'] = 60;
  // Enables files upload indicator. Requires APC installed and enabled apc.rfc1867 option.
  // By default refresh time is set to 1 second. You can set this value to true
  // or any integer value indicating number of seconds.
  $rcmail_config['upload_progress'] = false;
  // Specifies for how many seconds the Undo button will be available
  // after object delete action. Currently used with supporting address book sources.
  // Setting it to 0, disables the feature.
  $rcmail_config['undo_timeout'] = 0;
  // ADDRESSBOOK SETTINGS
  // This indicates which type of address book to use. Possible choises:
  // 'sql' (default) and 'ldap'.
  // If set to 'ldap' then it will look at using the first writable LDAP
  // address book as the primary address book and it will not display the
  // SQL address book in the 'Address Book' view.
  $rcmail_config['address_book_type'] = 'sql';
  // In order to enable public ldap search, configure an array like the Verisign
  // example further below. if you would like to test, simply uncomment the example.
  // Array key must contain only safe characters, ie. a-zA-Z0-9_
  $rcmail_config['ldap_public'] = array();
  // If you are going to use LDAP for individual address books, you will need to
  // set 'user_specific' to true and use the variables to generate the appropriate DNs to access it.
  // The recommended directory structure for LDAP is to store all the address book entries
  // under the users main entry, e.g.:
  //  o=root
  //   ou=people
  //    uid=user@domain
  //  mail=contact@contactdomain
  // So the base_dn would be uid=%fu,ou=people,o=root
  // The bind_dn would be the same as based_dn or some super user login.
  * example config for Verisign directory
  $rcmail_config['ldap_public']['Verisign'] = array(
    'name'          => 'Verisign.com',
    // Replacement variables supported in host names:
    // %h - user's IMAP hostname
    // %n - http hostname ($_SERVER['SERVER_NAME'])
    // %d - domain (http hostname without the first part)
    // %z - IMAP domain (IMAP hostname without the first part)
    // For example %n = mail.domain.tld, %d = domain.tld
    'hosts'         => array('directory.verisign.com'),
    'port'          => 389,
    'use_tls'                => false,
    'ldap_version'  => 3,       // using LDAPv3
    'user_specific' => false,   // If true the base_dn, bind_dn and bind_pass default to the user's IMAP login.
    // %fu - The full username provided, assumes the username is an email
    //       address, uses the username_domain value if not an email address.
    // %u  - The username prior to the '@'.
    // %d  - The domain name after the '@'.
    // %dc - The domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
    // %dn - DN found by ldap search when search_filter/search_base_dn are used
    'base_dn'       => '',
    'bind_dn'       => '',
    'bind_pass'     => '',
    // It's possible to bind for an individual address book
    // The login name is used to search for the DN to bind with
    'search_base_dn' => '',
    'search_filter'  => '',   // e.g. '(&(objectClass=posixAccount)(uid=%u))'
    // DN and password to bind as before searching for bind DN, if anonymous search is not allowed
    'search_bind_dn' => '',
    'search_bind_pw' => '',
    // Default for %dn variable if search doesn't return DN value
    'search_dn_default' => '',
    // Optional authentication identifier to be used as SASL authorization proxy
    // bind_dn need to be empty
    'auth_cid'       => '',
    // SASL authentication method (for proxy auth), e.g. DIGEST-MD5
    'auth_method'    => '',
    // Indicates if the addressbook shall be hidden from the list.
    // With this option enabled you can still search/view contacts.
    'hidden'        => false,
    // Indicates if the addressbook shall not list contacts but only allows searching.
    'searchonly'    => false,
    // Indicates if we can write to the LDAP directory or not.
    // If writable is true then these fields need to be populated:
    // LDAP_Object_Classes, required_fields, LDAP_rdn
    'writable'       => false,
    // To create a new contact these are the object classes to specify
    // (or any other classes you wish to use).
    'LDAP_Object_Classes' => array('top', 'inetOrgPerson'),
    // The RDN field that is used for new entries, this field needs
    // to be one of the search_fields, the base of base_dn is appended
    // to the RDN to insert into the LDAP directory.
    'LDAP_rdn'       => 'cn',
    // The required fields needed to build a new contact as required by
    // the object classes (can include additional fields not required by the object classes).
    'required_fields' => array('cn', 'sn', 'mail'),
    'search_fields'   => array('mail', 'cn'),  // fields to search in
    // mapping of contact fields to directory attributes
    //   for every attribute one can specify the number of values (limit) allowed.
    //   default is 1, a wildcard * means unlimited
    'fieldmap' => array(
      // Roundcube  => LDAP:limit
      'name'        => 'cn',
      'surname'     => 'sn',
      'firstname'   => 'givenName',
      'title'       => 'title',
      'email'       => 'mail:*',
      'phone:home'  => 'homePhone',
      'phone:work'  => 'telephoneNumber',
      'phone:mobile' => 'mobile',
      'phone:pager' => 'pager',
      'street'      => 'street',
      'zipcode'     => 'postalCode',
      'region'      => 'st',
      'locality'    => 'l',
  // if you uncomment country, you need to modify 'sub_fields' above
  //    'country'     => 'c',
      'department'  => 'departmentNumber',
      'notes'       => 'description',
  // these currently don't work:
  //    'phone:workfax' => 'facsimileTelephoneNumber',
  //    'photo'        => 'jpegPhoto',
  //    'organization' => 'o',
  //    'manager'      => 'manager',
  //    'assistant'    => 'secretary',
    // Map of contact sub-objects (attribute name => objectClass(es)), e.g. 'c' => 'country'
    'sub_fields' => array(),
    'sort'          => 'cn',    // The field to sort the listing by.
    'scope'         => 'sub',   // search mode: sub|base|list
    'filter'        => '(objectClass=inetOrgPerson)',      // used for basic listing (if not empty) and will be &'d with search queries. example: status=act
    'fuzzy_search'  => true,    // server allows wildcard search
    'vlv'           => false,   // Enable Virtual List View to more efficiently fetch paginated data (if server supports it)
    'numsub_filter' => '(objectClass=organizationalUnit)',   // with VLV, we also use numSubOrdinates to query the total number of records. Set this filter to get all numSubOrdinates attributes for counting
    'sizelimit'     => '0',     // Enables you to limit the count of entries fetched. Setting this to 0 means no limit.
    'timelimit'     => '0',     // Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit.
    'referrals'     => true|false,  // Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups
    // definition for contact groups (uncomment if no groups are supported)
    // for the groups base_dn, the user replacements %fu, %u, $d and %dc work as for base_dn (see above)
    // if the groups base_dn is empty, the contact base_dn is used for the groups as well
    // -> in this case, assure that groups and contacts are separated due to the concernig filters!
    'groups'        => array(
      'base_dn'     => '',
      'scope'       => 'sub',   // search mode: sub|base|list
      'filter'      => '(objectClass=groupOfNames)',
      'object_classes' => array("top", "groupOfNames"),
      'member_attr'  => 'member',   // name of the member attribute, e.g. uniqueMember
      'name_attr'    => 'cn',       // attribute to be used as group name
  // An ordered array of the ids of the addressbooks that should be searched
  // when populating address autocomplete fields server-side. ex: array('sql','Verisign');
  $rcmail_config['autocomplete_addressbooks'] = array('sql');
  // The minimum number of characters required to be typed in an autocomplete field
  // before address books will be searched. Most useful for LDAP directories that
  // may need to do lengthy results building given overly-broad searches
  $rcmail_config['autocomplete_min_length'] = 1;
  // Number of parallel autocomplete requests.
  // If there's more than one address book, n parallel (async) requests will be created,
  // where each request will search in one address book. By default (0), all address
  // books are searched in one request.
  $rcmail_config['autocomplete_threads'] = 0;
  // Max. numer of entries in autocomplete popup. Default: 15.
  $rcmail_config['autocomplete_max'] = 15;
  // show address fields in this order
  // available placeholders: {street}, {locality}, {zipcode}, {country}, {region}
  $rcmail_config['address_template'] = '{street}<br/>{locality} {zipcode}<br/>{country} {region}';
  // Matching mode for addressbook search (including autocompletion)
  // 0 - partial (*abc*), default
  // 1 - strict (abc)
  // 2 - prefix (abc*)
  // Note: For LDAP sources fuzzy_search must be enabled to use 'partial' or 'prefix' mode
  $rcmail_config['addressbook_search_mode'] = 0;
  // USER PREFERENCES
  // Use this charset as fallback for message decoding
  $rcmail_config['default_charset'] = 'ISO-8859-1';
  // skin name: folder from skins/
  $rcmail_config['skin'] = 'larry';
  // show up to X items in messages list view
  $rcmail_config['mail_pagesize'] = 50;
  // show up to X items in contacts list view
  $rcmail_config['addressbook_pagesize'] = 50;
  // sort contacts by this col (preferably either one of name, firstname, surname)
  $rcmail_config['addressbook_sort_col'] = 'surname';
  // the way how contact names are displayed in the list
  // 0: display name
  // 1: (prefix) firstname middlename surname (suffix)
  // 2: (prefix) surname firstname middlename (suffix)
  // 3: (prefix) surname, firstname middlename (suffix)
  $rcmail_config['addressbook_name_listing'] = 0;
  // use this timezone to display date/time
  // valid timezone identifers are listed here: php.net/manual/en/timezones.php
  // 'auto' will use the browser's timezone settings
  $rcmail_config['timezone'] = 'auto';
  // prefer displaying HTML messages
  $rcmail_config['prefer_html'] = true;
  // display remote inline images
  // 0 - Never, always ask
  // 1 - Ask if sender is not in address book
  // 2 - Always show inline images
  $rcmail_config['show_images'] = 0;
  // compose html formatted messages by default
  // 0 - never, 1 - always, 2 - on reply to HTML message only
  $rcmail_config['htmleditor'] = 0;
  // show pretty dates as standard
  $rcmail_config['prettydate'] = true;
  // save compose message every 300 seconds (5min)
  $rcmail_config['draft_autosave'] = 300;
  // default setting if preview pane is enabled
  $rcmail_config['preview_pane'] = false;
  // Mark as read when viewed in preview pane (delay in seconds)
  // Set to -1 if messages in preview pane should not be marked as read
  $rcmail_config['preview_pane_mark_read'] = 0;
  // Clear Trash on logout
  $rcmail_config['logout_purge'] = false;
  // Compact INBOX on logout
  $rcmail_config['logout_expunge'] = false;
  // Display attached images below the message body
  $rcmail_config['inline_images'] = true;
  // Encoding of long/non-ascii attachment names:
  // 0 - Full RFC 2231 compatible
  // 1 - RFC 2047 for 'name' and RFC 2231 for 'filename' parameter (Thunderbird's default)
  // 2 - Full 2047 compatible
  $rcmail_config['mime_param_folding'] = 0;
  // Set true if deleted messages should not be displayed
  // This will make the application run slower
  $rcmail_config['skip_deleted'] = false;
  // Set true to Mark deleted messages as read as well as deleted
  // False means that a message's read status is not affected by marking it as deleted
  $rcmail_config['read_when_deleted'] = true;
  // Set to true to never delete messages immediately
  // Use 'Purge' to remove messages marked as deleted
  $rcmail_config['flag_for_deletion'] = false;
  // Default interval for keep-alive/check-recent requests (in seconds)
  // Must be greater than or equal to 'min_keep_alive' and less than 'session_lifetime'
  $rcmail_config['keep_alive'] = 60;
  // If true all folders will be checked for recent messages
  $rcmail_config['check_all_folders'] = false;
  // If true, after message delete/move, the next message will be displayed
  $rcmail_config['display_next'] = false;
  // 0 - Do not expand threads
  // 1 - Expand all threads automatically
  // 2 - Expand only threads with unread messages
  $rcmail_config['autoexpand_threads'] = 0;
  // When replying place cursor above original message (top posting)
  $rcmail_config['top_posting'] = false;
  // When replying strip original signature from message
  $rcmail_config['strip_existing_sig'] = true;
  // Show signature:
  // 0 - Never
  // 1 - Always
  // 2 - New messages only
  // 3 - Forwards and Replies only
  $rcmail_config['show_sig'] = 1;
  // When replying or forwarding place sender's signature above existing message
  $rcmail_config['sig_above'] = false;
  // Use MIME encoding (quoted-printable) for 8bit characters in message body
  $rcmail_config['force_7bit'] = false;
  // Defaults of the search field configuration.
  // The array can contain a per-folder list of header fields which should be considered when searching
  // The entry with key '*' stands for all folders which do not have a specific list set.
  // Please note that folder names should to be in sync with $rcmail_config['default_folders']
  $rcmail_config['search_mods'] = null;  // Example: array('*' => array('subject'=>1, 'from'=>1), 'Sent' => array('subject'=>1, 'to'=>1));
  // Defaults of the addressbook search field configuration.
  $rcmail_config['addressbook_search_mods'] = null;  // Example: array('name'=>1, 'firstname'=>1, 'surname'=>1, 'email'=>1, '*'=>1);
  // 'Delete always'
  // This setting reflects if mail should be always deleted
  // when moving to Trash fails. This is necessary in some setups
  // when user is over quota and Trash is included in the quota.
  $rcmail_config['delete_always'] = false;
  // Directly delete messages in Junk instead of moving to Trash
  $rcmail_config['delete_junk'] = false;
  // Behavior if a received message requests a message delivery notification (read receipt)
  // 0 = ask the user, 1 = send automatically, 2 = ignore (never send or ask)
  // 3 = send automatically if sender is in addressbook, otherwise ask the user
  // 4 = send automatically if sender is in addressbook, otherwise ignore
  $rcmail_config['mdn_requests'] = 0;
  // Return receipt checkbox default state
  $rcmail_config['mdn_default'] = 0;
  // Delivery Status Notification checkbox default state
  $rcmail_config['dsn_default'] = 0;
  // Place replies in the folder of the message being replied to
  $rcmail_config['reply_same_folder'] = false;
  // Sets default mode of Forward feature to "forward as attachment"
  $rcmail_config['forward_attachment'] = false;
  // Defines address book (internal index) to which new contacts will be added
  // By default it is the first writeable addressbook.
  // Note: Use '0' for built-in address book.
  $rcmail_config['default_addressbook'] = null;
  // Enables spell checking before sending a message.
  $rcmail_config['spellcheck_before_send'] = false;
  // Skip alternative email addresses in autocompletion (show one address per contact)
  $rcmail_config['autocomplete_single'] = false;
  // Default font for composed HTML message.
  // Supported values: Andale Mono, Arial, Arial Black, Book Antiqua, Courier New,
  // Georgia, Helvetica, Impact, Tahoma, Terminal, Times New Roman, Trebuchet MS, Verdana
  $rcmail_config['default_font'] = '';
  // end of config file

• Open directory server crashing every 30 days / clients unable to connect to calendar, contacts server

  Hello everyone,
  I am running an up to date Mavericks Server which serves exclusively as a calendar and contacts server for about two dozens devices. The server is reachable via DynDNS, however, the public IP hardly ever changes (only once or twice a year maybe). Tried setting the OS X DNS Server to serve "all clients" and "some clients".
  For about 6 months (i.e. also under Mountain Lion), I am having a very strange problem. Roughly every 20-30 days, clients will not be able to connect to the server, instead getting a "wrong password" dialog. Restarting the open directory server will help for the next 30 days.
  I have tried repairing the database as detailed here, however, the issue persists.
  Any help would be highly appreciated!
  I would have tried setting up a clean server installation, migrating calendars/contacts manually and re-adding all users by hand, however, I am not aware of an easy way to do so. The terminal command for calendar backup is broken under mavericks (might work with this workaround) and re-adding users manually would apparently involve correcting user UUIDs afterwards in order to match the migrated calendar data. Do you know of a better approach?
  Thanks a lot!
  DPSG-Scout

  Hi Linc,
  This looks the most relevant to me:
  opendirectory.log
  2014-03-11 11:13:09.460675 CET - 333.2628758.2628759 - Client: Python, UID: 93, EUID: 93, GID: 93, EGID: 93
  2014-03-11 11:13:09.460675 CET - 333.2628758.2628759, Node: /Local/Default, Module: PlistFile - predicates with 'AND' are not supported
  2014-03-11 12:09:00.296514 CET - State information (some requests have been active for extended period):
            Sessions: {
                28 -- opendirectoryd:
                            Session ID: 7BFBA6FE-A968-4399-A129-E3A5945E2A81
                            Refs: singleton
                            Type: Default
                            Target: localhost
            Nodes: {
                43 -- authd:
                            Node ID: 6D0E236D-6DBD-4E8C-BC01-B3F50C2C2D8E
                            Nodename: /LDAPv3/127.0.0.1
                            Session ID: <Default>
                            Refs: 1
                            Internal Use: X
  an many more similar ones…
  Thanks for your effort!

• Password Types Change Unexpectedly

  I have recently rebuilt an xServe, installing 10.4 via clean install, and recreating users from scratch. I am having difficulty configuring access for Windows users. So far I have narrowed it down to password types. I understand that Windows users should have "Shadow Password" set for the User Password Type. This is how I configured each of the created users. Now when I review created users, most revert back to "Crypt Password" types. When I change the password type to Shadow, leave that record, then return, the password shows as Crypt again.
  Some users do have Shadow Passwords, but I can't determine why some stick and others don't.
  The server is configured as a stand alone server, without connections to Open Directory or any other servers.
  Any suggestions will be greatly appreciated.
  PowerBook G4 17   Mac OS X (10.4)  

  Firstly you need to be running the server as an Open Directory master in order to run it as a Primary Domain Controller so that it can authenticate Windows users. Check the link for Windows Services Administration under http://www.apple.com/server/documentation/
  I hope that helps if not give some more info about what you are trying to do.
  "Mac OS X Server can host a PDC only if the server is an Open Directory master, and can
  host a BDC only if the server is an Open Directory replica"

• Open Directory: "Unable to load replica list"

  I'm currently running Mavericks Server 3.1 on my Mac Mini at the home network. I had some issues with the client logins and went for local accounts on the clients instead. Today I finally wanted to fix the problem and go all Open Directory. But the Open Directory service was shut off when I opened the server software. I tried to turn it on but got a message saying "Unable to load replica list". I updated the software to the latest 3.1 but are still having the same issue. I never had any replica list, I only had a standard one from the start, but it seems I can't do anyhing there now.
  LDAP log:
  Mar 21 22:48:38 xxYY.com slapd[172]: @(#) $OpenLDAP: slapd 2.4.28 (Nov 12 2013 12:02:47) $
  [email protected]:/private/var/tmp/OpenLDAP/OpenLDAP-491.1~1/servers/slapd
  Mar 21 22:48:38 xxYY.com.com slapd[172]: daemon: SLAP_SOCK_INIT: dtblsize=8192
  Mar 21 22:48:39 xxYY.com.com slapd[172]: TLS: found identity in keychain using identity preference.
  Mar 21 22:48:42 xxYY.com.com slapd[172]: slap_add_listener: opened additional listener 'ldaps:///'
  Mar 21 22:48:42 xxYY.com.com slapd[172]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
  Mar 21 22:48:44 xxYY.com.com slapd[172]: slapd starting
  Mar 21 22:48:44 xxYY.com.com slapd[172]: daemon: posting com.apple.slapd.startup notification
  Mar 21 22:48:54 xxYY.com.com slapd[172]: => bdb_idl_delete_key: c_del id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
  Mar 21 22:48:54 xxYY.com.com slapd[172]: conn=1022 op=3: attribute "entryCSN" index delete failure
  Mar 21 22:50:02 xxYY.com.com slapd[172]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
  Mar 21 22:50:02 xxYY.com.com slapd[172]: conn=1042 op=3: attribute "entryCSN" index delete failure
  I don't understand any of this other than the obvious failure words. Can anyone understand this and help me here?

  This procedure is a diagnostic test. It makes no changes to your data. If you have more than one user account, you must be logged in as an administrator to carry out these instructions.
  Please triple-click anywhere in the line below on this page to select it:
  sudo /usr/libexec/slapd -Tt | pbcopy
  Copy the selected text to the Clipboard by pressing the key combination command-C.
  Launch the built-in Terminal application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
  Paste into the Terminal window by pressing the key combination command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. You'll be prompted for your login password. Nothing will be displayed when you type it. If you don’t have a login password, you’ll need to set one before you can run the command. You may get a one-time warning to be careful. Confirm. You don't need to post the warning.
  If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator. Log in as one and start over.
  Wait for a new line ending in a dollar sign ($) to appear below what you entered.
  The output of the command will be automatically copied to the Clipboard. If the command produced no output, the Clipboard will be empty. Paste into a reply to this message.
  The Terminal window doesn't show the output. Please don't copy anything from there.

• Open Directory setState error

  Hi,
  I had an Open Directory system working fine, rebooted my (Mac Mini 2011) server and now it refuses to start. I get:
  "An error occurred on the server while processing a command. The error occurred while processing a command of type 'setState' in plug-in 'servermgr_dirserv'"
  I had this error before on an old installation of OS X which I have since reinstalled.
  What's going on? Open Directory seems to me to be completely and utterly unstable, and not fit for purpose. All of a sudden it's stopped working and therefore I can't login using my normal username and password. What gives?!

  Looking at the logs I'm getting these errors:
  [email protected]:/private/var/tmp/OpenLDAP/OpenLDAP-208.1~6/servers/slapd
  Sep 30 19:48:32 woz.private slapd[1629]: slap_add_listener: opened additional listener 'ldaps:///'
  Sep 30 19:48:32 woz.private slapd[1629]: bdb(dc=woz,dc=private): file id2entry.bdb has LSN 1/1837404, past end of log at 1/1693634
  Sep 30 19:48:32 woz.private slapd[1629]: bdb(dc=woz,dc=private): Commonly caused by moving a database from one database environment
  Sep 30 19:48:32 woz.private slapd[1629]: bdb(dc=woz,dc=private): to another without clearing the database LSNs, or by removing all of
  Sep 30 19:48:32 woz.private slapd[1629]: bdb(dc=woz,dc=private): the log files from a database environment
  Sep 30 19:48:32 woz.private slapd[1629]: bdb(dc=woz,dc=private): /var/db/openldap/openldap-data/id2entry.bdb: unexpected file type or format
  Sep 30 19:48:32 woz.private slapd[1629]: bdb_db_open: database "dc=woz,dc=private": db_open(/var/db/openldap/openldap-data/id2entry.bdb) failed: Invalid argument (22).
  Sep 30 19:48:32 woz.private slapd[1629]: backend_startup_one (type=bdb, suffix="dc=woz,dc=private"): bi_db_open failed! (22)
  Sep 30 19:48:32 woz.private slapd[1629]: bdb_db_close: database "dc=woz,dc=private": alock_close failed
  Sep 30 19:48:32 woz.private slapd[1629]: slapd stopped.