Open Directory fails upon setup

Hi, my name is Alan and I'm using a 2012 Mac mini running 10.9.2. I was having problems with my Open Directory service, so I made an archive of the master, then deleted it and tried to restore it. When I try to restore it or create a new Open Directory master I receive an error stating my server was successfully configured as a directory server, but an error occurred. I have tried restarting the server and rebooting the device to fix the issue, with no luck. I have other services that are working, like Time Machine and Caching. Any thoughts? Thanks.

Hi Alan, same config as you, and curiously the same issue. Can't figure out how to get this to work; any thoughts on what they found in the logs?
Here is what I do as root:
# slapconfig -destroyldapserver
Then I remove /var/db/openldap.
But it just seems that I added a bunch of new problems to the one that I already had.
# changeip -checkhostname states no issues, since it has a primary address and the current hostname equals the DNS hostname (which is, by the way, my FQDN), so the names match and dirserv:success = "success".
But if we fire this one
penelope:~ root# serveradmin fullstatus dirserv
dirserv:logPaths:opendirectorydLog = "/var/log/opendirectoryd.log"
dirserv:logPaths:ldapLog = "/var/log/slapd.log"
dirserv:logPaths:passwordServiceServerLog = "/Library/Logs/PasswordService/ApplePasswordServer.Server.log"
dirserv:logPaths:passwordServiceErrorLog = "/Library/Logs/PasswordService/ApplePasswordServer.Error.log"
dirserv:logPaths:kdcLog = "/var/log/krb5kdc/kdc.log"
dirserv:logPaths:slapconfigLog = "/Library/Logs/slapconfig.log"
dirserv:LDAPServerType = "standalone"
dirserv:state = "STOPPED"
dirserv:readWriteSettingsVersion = 1
Then try a manual start-up from the terminal:
penelope:~ root# serveradmin start dirserv
2014-05-01 18:55:28.221 serveradmin[53764:507] servermgr_dirserv: received request to start the Directory Server
2014-05-01 18:55:28.236 serveradmin[53764:507] servermgr_dirserv: an error occurred when starting the Directory Server: Directory Server is not configured - nothing to start
dirserv:error = "Directory Server is not configured - nothing to start"
penelope:~ root#
uh oh ??
What was logged in /var/log/slapd.log?
May  1 19:00:33 penelope.alliancejr.eu slapd[53941]: @(#) $OpenLDAP: slapd 2.4.28 (Nov 12 2013 12:02:47) $
                    [email protected]:/private/var/tmp/OpenLDAP/OpenLDAP-491.1~1/servers/slapd
May  1 19:00:33 penelope.alliancejr.eu slapd[53941]: daemon: SLAP_SOCK_INIT: dtblsize=8192
May  1 19:00:33 penelope.alliancejr.eu slapd[53941]: /etc/openldap/slapd_macosxserver.conf: line 229: invalid path: No such file or directory
May  1 19:00:33 penelope.alliancejr.eu slapd[53941]: slapd stopped.
So what does this line tell us?
227 # The database directory MUST exist prior to running slapd AND
228 # should only be accessible by the slapd/tools. Mode 700 recommended.
229 directory       "/var/db/openldap/openldap-data"
So I guess I will Time Machine this directory back at once and see if it does the trick.
Got back right after restoring the missing directory ... Got almost a bit farther, but ...
May  1 19:11:50 penelope.alliancejr.eu slapd[54425]: main: Enabling TLS failed; continuing with TLS disabled.
May  1 19:11:51 penelope.alliancejr.eu slapd[54425]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
May  1 19:11:52 penelope.alliancejr.eu slapd[54425]: slapd starting
May  1 19:11:52 penelope.alliancejr.eu slapd[54425]: daemon: posting com.apple.slapd.startup notification
May  1 19:12:04 penelope.alliancejr.eu slapd[54425]: daemon: shutdown requested and initiated.
May  1 19:12:04 penelope.alliancejr.eu slapd[54425]: slapd shutdown: waiting for 4 operations/tasks to finish
May  1 19:12:05 penelope.alliancejr.eu slapd[54425]: daemon: posting daemon shutdown notification.
May  1 19:12:10 penelope.alliancejr.eu slapd[54425]: slapd stopped.
May  1 19:12:11 penelope.alliancejr.eu slapd[54436]: @(#) $OpenLDAP: slapd 2.4.28 (Nov 12 2013 12:02:47) $
                    [email protected]:/private/var/tmp/OpenLDAP/OpenLDAP-491.1~1/servers/slapd
May  1 19:12:11 penelope.alliancejr.eu slapd[54436]: daemon: SLAP_SOCK_INIT: dtblsize=8192
May  1 19:12:11 penelope.alliancejr.eu slapd[54436]: main: Enabling TLS failed; continuing with TLS disabled.
May  1 19:12:11 penelope.alliancejr.eu slapd[54436]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
May  1 19:12:11 penelope.alliancejr.eu slapd[54436]: slapd starting
May  1 19:12:11 penelope.alliancejr.eu slapd[54436]: daemon: posting com.apple.slapd.startup notification
May  1 19:12:14 penelope.alliancejr.eu slapd[54436]: daemon: shutdown requested and initiated.
May  1 19:12:14 penelope.alliancejr.eu slapd[54436]: slapd shutdown: waiting for 0 operations/tasks to finish
May  1 19:12:14 penelope.alliancejr.eu slapd[54436]: daemon: posting daemon shutdown notification.
May  1 19:12:17 penelope.alliancejr.eu slapd[54436]: slapd stopped.
May  1 19:12:17 penelope.alliancejr.eu slapd[54455]: @(#) $OpenLDAP: slapd 2.4.28 (Nov 12 2013 12:02:47) $
                    [email protected]:/private/var/tmp/OpenLDAP/OpenLDAP-491.1~1/servers/slapd
May  1 19:12:17 penelope.alliancejr.eu slapd[54455]: daemon: SLAP_SOCK_INIT: dtblsize=8192
May  1 19:12:17 penelope.alliancejr.eu slapd[54455]: main: Enabling TLS failed; continuing with TLS disabled.
May  1 19:12:17 penelope.alliancejr.eu slapd[54455]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
May  1 19:12:17 penelope.alliancejr.eu slapd[54455]: slapd starting
May  1 19:12:17 penelope.alliancejr.eu slapd[54455]: daemon: posting com.apple.slapd.startup notification
May  1 19:12:18 penelope.alliancejr.eu slapd[54455]: odusers_copy_primarymasterip: Could not locate apple-password-server-location attribute
May  1 19:12:18 penelope.alliancejr.eu slapd[54455]: odusers_add_aa: could not locate Primary Master's IP address; trying System Configuration
May  1 19:12:20 penelope.alliancejr.eu slapd[54455]: odusers_response: processing response to add of uid=diradmin,cn=users,dc=penelope,dc=alliancejr,dc=eu
May  1 19:12:20 penelope.alliancejr.eu slapd[54455]: odusers_response: entryUUID 80ec9b6c-dcf6-4d9c-977c-079ec4727a0b
May  1 19:12:20 penelope.alliancejr.eu slapd[54455]: odusers_response: Found uuid: c01067c2-d153-11e3-bd19-406c8f0281a2
May  1 19:12:20 penelope.alliancejr.eu slapd[54455]: passwd_extop: (null) changed password for uid=diradmin,cn=users,dc=penelope,dc=alliancejr,dc=eu
May  1 19:12:20 penelope.alliancejr.eu slapd[54455]: => bdb_idl_insert_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
May  1 19:12:20 penelope.alliancejr.eu slapd[54455]: conn=1003 op=8: attribute "entryCSN" index add failure
May  1 19:12:20 penelope.alliancejr.eu slapd[54455]: odusers_copy_primarymasterip: Could not locate apple-password-server-location attribute
May  1 19:12:20 penelope.alliancejr.eu slapd[54455]: odusers_add_aa: could not locate Primary Master's IP address; trying System Configuration
May  1 19:12:21 penelope.alliancejr.eu slapd[54455]: odusers_response: processing response to add of cn=penelope.alliancejr.eu$,cn=computers,dc=penelope,dc=alliancejr,dc=eu
May  1 19:12:21 penelope.alliancejr.eu slapd[54455]: odusers_response: entryUUID 49fbd148-ca73-4d0d-9772-ae20a5f0de6a
May  1 19:12:21 penelope.alliancejr.eu slapd[54455]: odusers_response: Found uuid: c16239f2-d153-11e3-bd19-406c8f0281a2
May  1 19:12:21 penelope.alliancejr.eu slapd[54455]: passwd_extop: (null) changed password for cn=penelope.alliancejr.eu$,cn=computers,dc=penelope,dc=alliancejr,dc=eu
May  1 19:12:21 penelope.alliancejr.eu slapd[54455]: conn=1004 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
May  1 19:12:23 penelope.alliancejr.eu slapd[54455]: daemon: shutdown requested and initiated.
May  1 19:12:23 penelope.alliancejr.eu slapd[54455]: slapd shutdown: waiting for 0 operations/tasks to finish
May  1 19:12:23 penelope.alliancejr.eu slapd[54455]: daemon: posting daemon shutdown notification.
May  1 19:12:27 penelope.alliancejr.eu slapd[54455]: slapd stopped.
Still stuck ...
Message was edited by: Stephane JOUVE
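As an added example that is not part of this thread: a small POSIX sh pre-flight check for the exact failure the slapd.log above reports (line 229, the "directory" directive, pointing at a path that no longer exists). It parses the directive out of an slapd.conf-style file and verifies that the path is present and mode 700, as the comment on lines 227-228 asks; the config file and directory it runs against are constructed scratch copies, not /var/db/openldap.

```shell
#!/bin/sh
# Added example, not from the thread above: a pre-flight check for the failure the slapd.log
# shows ("line 229: invalid path: No such file or directory"). It reads the "directory"
# directive out of an slapd.conf-style file and verifies the path exists and is mode 700,
# which is what the comment on lines 227-228 of the stock config asks for.
# Assumptions: plain slapd.conf syntax (not cn=config); POSIX sh with sed, ls and cut.

# Print the value of the first active "directory" directive in the config file $1
# (comment lines start with '#' and therefore never match; surrounding quotes are stripped).
slapd_db_dir() {
    sed -n 's/^[[:space:]]*directory[[:space:]]\{1,\}"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Group/other permission bits of $1 as printed by ls -ld (six characters; "------" for mode 700).
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Exit status: 0 = directory present and private, 1 = directive missing or path absent,
# 2 = path present but readable/writable/searchable by group or others.
check_slapd_db_dir() {
    cfg=$1
    dir=$(slapd_db_dir "$cfg")
    if [ -z "$dir" ]; then
        echo "$cfg: no 'directory' directive found" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$cfg: database directory $dir does not exist; slapd would stop with 'invalid path'" >&2
        return 1
    fi
    if [ "$(group_other_bits "$dir")" != "------" ]; then
        echo "$cfg: $dir is accessible by group/others (mode should be 700)" >&2
        return 2
    fi
    echo "$cfg: $dir exists and is mode 700"
    return 0
}

# Constructed sample (a scratch directory, not the real /var/db/openldap) that reproduces
# the thread's situation: the directive is present but the path has been removed.
make_sample_config() {
    root=$1
    cat > "$root/slapd.conf" <<EOF
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       "$root/openldap-data"
EOF
    echo "$root/slapd.conf"
}

# Stand-alone run: show the missing, too-permissive and fixed states in turn.
scratch=$(mktemp -d)
cfg=$(make_sample_config "$scratch")
check_slapd_db_dir "$cfg" || echo "-> status $?"
mkdir -m 755 "$scratch/openldap-data"
check_slapd_db_dir "$cfg" || echo "-> status $?"
chmod 700 "$scratch/openldap-data"
check_slapd_db_dir "$cfg"
rm -rf "$scratch"
```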

Similar Messages

  • Open directory fail

    Cannot change any parameter on Open Directory
    and cannot create a new user.
    An unexpected error of type 14120 occurred; all other settings were saved.

    Hi
    If you browse the discussion forum you should find this:
    http://discussions.apple.com/thread.jspa?threadID=1251475&tstart=0
    Basically browsing using the Finder or Side Panel does not work well or breaks easily (as far as I can tell it has been like this since 10.2). In an OD environment trying to connect and getting a ticket using that method will probably fail. The workaround - or the 'fix' - is to use 'Connect to Server' from the Go Menu using the Server's IP address. In my experience it does not seem to matter whether AFP is set to Kerberos, Any or Standard for the authentication method. It also does not seem to matter whether the Server is configured in Standard or Advanced.
    I've not come across anything yet regarding Workgroup. Probably in that configuration it may not be an issue as this mode - as far as I can see - is ideal for AD-OD integration. In that environment OSX Server would not be the KDC and mac clients will be using the AD for SSO.
    Since this has been happening since 10.2 I don't see Apple addressing this anytime soon, however you never know?
    Tony

  • My user's permissions are gone, open directory service was set to off

    Mac Mini running OS X 10.9.2.  OS X Server version 3.1.1.
    I already repaired the disk permissions via Disk Utility; there was a lot that was wrong.  I did not personally turn the Open Directory service off.  I am able to turn the Open Directory service back on, but now it says "Unable to load replica list" and then promptly turns itself back off.  It's almost like the service just lost all of its settings, although the status is green saying it is available at *******.******. before it switches off.  Any ideas?

    You can attempt a recovery.  Follow these steps:
    1:  Stop Open Directory if it happens to still be running.  This must be done using the command line.
         sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist
    2:  Run the db_recover tool and attempt to repair the damage.
         sudo db_recover -v -h /var/db/openldap/openldap-data/
    3:  Reboot the server.  Cross fingers.
    R-
    Apple Consultants Network
    Apple Professional Services
    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

  • Open Directory startup error

    Hi,
    10.8.2 / Server 2.2
    Attempting to turn on Open Directory fails with the message:
    An error occurred on the server while processing a command.
    The error occurred while processing a command of type 'setState' in plug-in 'servermgr_dirserv'
    How can I resolve this?
    Thanks.

    Thanks for replying. It's a new install, and it worked for about 2 days before it stopped working. I'm not sure what changes I made to break OD.
    I'm probably not knowledgeable enough to understand the log file, even if I knew where to look. Apple did position this as "server for the rest of us" with a low price, so I'm using it to learn. And since I'm using this to learn, I don't mind starting over. But as far as I can see there is no option for creating a new master database, only a replica record.
    Again, thanks for replying.

  • Unable to replicate Open Directory server

    I have a Master OD server that is currently being replicated to an offsite OD.
    But I'm looking to run a dedicated Mini for the offsite, and I cannot get the new Mini to replicate.
    The slapconfig log says the credentials are invalid and exits with error code=69.
    I have reset the directory admin password, made sure the network settings were all correct and that the hostname and DNS name are correct.
    The OS and Server versions are identical between the two servers.
    Anyone have any thoughts???

  • Configure DNS on Snow Leopard for private NAT with Open Directory

    I need to set up DNS on Snow Leopard Server 10.6.4 for use with Snow Leopard clients only. On the server, I have two IPs: one public, for connections outside the network, and one private, within the NAT range. DNS was not originally set up on the server, but Open Directory was (sort of). I've demoted the server from OD master to standalone, but still can't get this to work.
    This server is only for setting up and using Open Directory + NetInstall services inside the network. In effect, it isn't serving web pages and isn't registered with our upstream DNS. What I am assigned to do is get Open Directory to set up user profiles and network shares and home directories. So, what I need is this -
    a basic DNS config I can do in Server Admin that will set up DNS to resolve to the local server NAT IP for Open Directory purposes;
    and provide DNS for outside the OS X server for the specified Snow Leopard clients.
    DHCP is running (but the clients were configured with static IPs in the NAT range). This serves as the DHCP server for the entire network (Windows + Mac clients that aren't in the static NAT range).

    Thanks for your replies. I realize I'm not making clear the way this network is configured . Also, the only services running on the Snow Leopard server are (at this time):
    dhcpd - in the 10.136.31.x range;
    dns - same as before;
    planned to add are:
    Open Directory (for network logins)
    Software update;
    Web (only on the 10.136.31.x Ethernet);
    mySQL (localhost only - for moodle);
    NAT is not set up on the Snow Leopard server itself. We have an outside router, a Cisco 2811. This router provides routing for both the public IP range, and the NAT range is configured in this router. The forwarding dns is located in LR and Fayetteville. So what I need is dns on Snow Leopard to forward outside queries to the state DNS servers, and resolve the local NAT IP only for Open Directory and a set of Snow Leopard clients.
    Is this going to be possible?

  • How to configure Open Directory base DN

    Hi,
    I have been using OpenLDAP on a Synology NAS drive, but this has some serious shortcomings with Mac clients (e.g. roaming profiles simply don't work).
    So I have bought a MacMini which among other things will replace my existing LDAP server with Open Directory.
    As a dry run, I enabled the Open Directory and went through the simple set up and I had a basic system up in no time.  However I have come up against an annoying issue with the base DN used by Open Directory and I hope someone will be able to help me.
    My existing LDAP has a base DN that looks like this: dc=myorg, dc=local
    So when users log in, they can use a username which conforms to the following format: [email protected]
    The problem is that Open Directory likes to set the base DN to: dc=macservername, dc=myorg, dc=local
    meaning that a fully qualified user account name now becomes: [email protected]
    This seems bonkers to me.  For example, what would happen if I introduce a second Mac server into the mix and failover to it - the servername element of the DN becomes redundant or if it changes, I need to communicate with all users.
    I must be missing something obvious - but there doesn't seem to be much in the way of configuration that I can see through the Server application.
    So, my question is, how can I configure my base dn without the servername so that my existing username context remains the same?
    Many thanks - I look forward to any responses.

    I agree with Dal78: Apple using a base DN of servername.example.com rather than just example.com is illogical. In fact, originally they did seem to use just example.com as the format, but in recent years they use server.example.com as the format. When I first encountered this change it was still possible to override the use of servername.example.com and force it to use just example.com as the format. In more recent times I have decided to leave things the way Apple do it.
    I don't know if there is an official answer as to why, but a possible guess is that you can now have multiple Open Directory servers for a single domain. This is the 'Locales' option in Server.app. It may be that including the servername makes it possible/easier to implement this.
    I also agree with Strontium90: do not use a .local root domain for Open Directory. In theory there are hacks to (sort of) get this to work, but Apple engineers will typically run screaming for the woods when they encounter this.
    PS. Briefly, Apple also did the same illogical thing with DNS zones, whereby the zone name for a domain was servername.example.com instead of example.com; this, at least, they have stopped doing.

  • Open Directory refusing to use the server's certificate

    We have an SSL certificate signed by a 3rd party (DigiCert) and our Mavericks server refuses to accept it for use with Open Directory (though other services appear to be using it).
    Here is a related thread discussing the problem.
    We need SSL to work with Open Directory in our environment, so I'd like to try wiping out the Open Directory data and setting up our Mavericks Server as an OD master from scratch now that the certificate has been added to the server (it wasn't there when OD was originally turned on). What I don't want to do is re-install the entire OS.
    Any tips on how to do this?

    I am having this exact same problem, and just noticed it. The certs we use here (Office of Information Technology at University of Massachusetts Amherst) are most often issued by InCommon.org so there shouldn't be a problem with this.
    I am now wondering if this is causing a related problem with Profile Manager.
    This is happening on Server v3.0.3.

  • Creating Open Directory Replica fails with Server Admin Error Value 1127

    Hallo,
    I have seen a lot of similar threads here and they were helpful up to a certain point, but in the end, they did not solve my problem.
    Currently, it comes down to this. The Server Admin error message is really meaningless and I could not find a single reference for the error value on the whole wide web. As such, I switched to the command line versions of the tools involved to get more meaningful results. It worked. Specifically, creating a replica of an OpenLDAP master means using slapconfig.
    When executing
    slapconfig -createreplica master.ourdomain.com diradmin
    as root on the prospective replica machine, I get the following error message:
    ssh command failed with status 127
    That command is not allowed with the root account via public key authentication.
    That makes perfect sense to me, but how is it meant to work then?
    Executing slapconfig as admin tells me that this tool is to be executed as root. On the other hand, root login via ssh is not allowed in Mac OS X by default, which seems fine to me. I even changed /etc/sshd_config on the Open Directory Master machine to "PermitRootLogin yes". However, neither reloading ssh using launchctl nor restarting the whole server made this setting operational. Trying to log in from the command line as root still tells me:
    root login is not permitted to this machine via public key authentication.
    While this is the current state where I need help urgently, I changed some other things before. I tell about them to exclude these issues as a possible reason for the failure. I got this message for quite a while:
    Replica Setup failed : This machine does not have a valid computer name
    I was sure this machine meant the target machine, the Open Directory master, because the domain had changed there once before I had taken over responsibility as an admin in this environment. And in fact, changeip disguised an issue there. The command proposed by changeip to fix the situation did not seem appropriate because this machine is multihomed with a public and a private IP address. Proper name resolution is available for both interfaces, including reverse lookup. I don't like this setup, but it was the only way to get mail service running smoothly. Running changeip on the machine itself using these arguments
    changeip /LDAPv3/127.0.0.1 internalIP internalIP old.ours.com current.ours.com
    reported success in updating password server, Open Directory, both interfaces, hostconfig (which in fact did not change) and Samba. It reported an issue with kadmin, which is related to Kerberos (we don't use Kerberos yet).
    Changing the hostname of the server using changeip did not solve the issue. I then found the hint to check with scutil. This showed that the hostname was not set on the prospective replica machine. (A question aside: in how many places is the hostname stored? The traditional /etc/hostname has gone, but seems to be replaced with several other configuration files and databases. I can't see this as an advantage.) Setting the hostname using scutil worked fine. However, it did not solve the problem either. At least, slapconfig now started to complain about not being able to log in as root instead of failing from the start.
    I also checked all log files on both machines that might have to do with OpenLDAP, as there are /var/log/slapd.log, /var/log/system.log and /Library/Log/slapconfig.log. I also checked the log of the layer on top of OpenLDAP, which is /Library/Log/DirectoryService.server.log. None of them revealed anything noticeable beside a lot of entries that I have googled in the last few hours and which all don't seem to be associated with the problem in question.
    I will take a break now, but I have to fix this until tomorrow and I hope to get the ultimate hint from you, dear reader.
    Thanks and bye, Christian Völker

    ssh command failed with status 127
    That command is not allowed with the root account via public key authentication.
    Initial OD replication takes place via 'ssh'. If you have 'sshd' configured on the OD Master to authenticate with public keys then the OD replica will not be able to communicate with the OD Master via 'ssh'. You must configure the OD Master to use 'ssh' with password authentication and root login enabled.
    Demote the replica back to standalone. Stop any services that you may have running on the primary network interface. Then stop any services that you may have running on the secondary network interface. In the 'Network' System Prefpane remove the IP number from the secondary interface then deactivate the secondary network interface.
    Assign the private IP address and hostname that you wish to use for the replica to the primary network interface. Assign the 'public' IP number to the secondary interface. Check the DNS to see that the IP address and hostname for the primary network interface resolve both forward and reverse for the hostname of the replica that you have chosen. If it does not, fix your DNS before proceeding.
    In the 'Sharing' System Prefpane, change the name of the machine to the hostname (server.domain.tld) of the replica that you have chosen. Then use 'changeip -checkhostname' to see if the IP/hostname matches. Fix it if it doesn't.
    Then configure the /etc/sshd_config file on the OD master like this:
    # Authentication:
    PermitRootLogin yes
    PasswordAuthentication yes
    PubkeyAuthentication no
    and the /etc/ssh_config file on the OD replica like this:
    PasswordAuthentication yes
    PubkeyAuthentication no
    Then from the OD replica as the 'root' user issue:
    slapconfig -createreplica <ODMasterIPorFQDN> <diradmin user>
    Make sure that the 'diradmin' user's password contains only alpha-numeric characters - no 'option-characters' or symbols; change it first if it does. Once the process completes, reactivate the secondary interface for the 'public' IP and check the configuration of services that will be using that IP, then start your other services. Secure the 'ssh' service on both machines to disable password authentication and 'root' logins.
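As an added example, not part of the reply above: an audit in POSIX sh for the three sshd_config keys the procedure relaxes on the OD master, to confirm they are back in the hardened state the last step calls for once the replica is up. The two config files are constructed samples; only plain sshd_config syntax without Match blocks is handled (an assumption), and "hardened" here means PermitRootLogin and PasswordAuthentication explicitly set to no, with PubkeyAuthentication yes or left at its default.

```shell
#!/bin/sh
# Added example, not from the thread: audit the sshd_config keys the reply above relaxes on the
# OD master for the replica hand-off (PermitRootLogin yes, PasswordAuthentication yes,
# PubkeyAuthentication no) and confirm they are back in a hardened state afterwards.
# sshd honours the FIRST occurrence of each keyword, so that is what the audit reports.
# Assumptions: plain sshd_config syntax, no Match blocks; POSIX sh with awk.

# Print the effective value of keyword $2 in config file $1 (first active line whose
# keyword matches case-insensitively), or "(unset)" when the file does not mention it.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        !found && tolower($1) == key { print $2; found = 1 }
        END { if (!found) print "(unset)" }
    ' "$1"
}

# Return 0 when $1 is hardened the way the reply asks for after replication:
# PermitRootLogin and PasswordAuthentication explicitly "no", PubkeyAuthentication "yes"
# (or unset, its compiled-in default). Otherwise list the offending keys on stderr, return 1.
sshd_is_hardened() {
    cfg=$1; rc=0
    root=$(sshd_effective "$cfg" PermitRootLogin)
    pass=$(sshd_effective "$cfg" PasswordAuthentication)
    pub=$(sshd_effective "$cfg" PubkeyAuthentication)
    [ "$root" = no ] || { echo "$cfg: PermitRootLogin is '$root', want no" >&2; rc=1; }
    [ "$pass" = no ] || { echo "$cfg: PasswordAuthentication is '$pass', want no" >&2; rc=1; }
    case $pub in
        yes|"(unset)") ;;
        *) echo "$cfg: PubkeyAuthentication is '$pub', want yes" >&2; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (scratch copies, not the live /etc/sshd_config).
write_samples() {
    dir=$1
    # Exactly the relaxed block the reply gives for the OD master during replication.
    cat > "$dir/sshd_config.replicating" <<'EOF'
# Authentication:
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication no
EOF
    # The state to return to afterwards. The keyword case varies and a stale duplicate
    # "PasswordAuthentication yes" sits further down; sshd ignores it, and so does the audit.
    cat > "$dir/sshd_config.hardened" <<'EOF'
permitrootlogin no
PasswordAuthentication no
PubkeyAuthentication yes
# leftover from the replication window, never read because the first value wins:
PasswordAuthentication yes
EOF
}

# Stand-alone run over both samples.
scratch=$(mktemp -d)
write_samples "$scratch"
for f in "$scratch"/sshd_config.*; do
    if sshd_is_hardened "$f"; then
        echo "$f: hardened"
    else
        echo "$f: still in replication state"
    fi
done
rm -rf "$scratch"
```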

  • Open Directory and connection to shared folders fail

    Hi,
    For testing I've set up an Open Directory Master (Leopard Server 10.5.2) with shared folders and portable home directories.
    Login and synchronizing work as they should. But once logged in, when I click on the server in Finder I just get "connection failed". When I choose "Connect As" and log in with the same user and password as authenticated at login to the computer (authenticated to OD), it works.
    I thought it should work like a single sign on?
    Any clues?

  • Setting up Open Directory and iCal server.

    Hello:
    I'm new to Open Directory - please help or point me in the right direction. I'm trying to set up an OS X Server 10.5 running on a PowerMac G4.
    I need iCal/DNS/FS/VPN/WEB/Open Directory as services enabled.
    For testing purposes I've set up a small network with three machines all running 10.5.6.
    I've tried over and over to do this via an advanced server but have not been able to get everything to work, so I did a basic server, allowing the server setup to input all my settings. Everything built and started up without issue, but I could not get iCal to work. I let the setup sit overnight and when I returned the next morning the Mac Mini screen had a window saying that a directory server has been found that offers the following services ... WEB - iCal etc. Do you want to configure your workstation? I did and everything worked as expected. I thought that I finally got it!
    I wanted to see all of the settings, so I converted the server to an advanced server and everything still worked (from the one workstation).
    I imported a users export file from the server I'm trying to fix, then the groups file. Everything still worked from the Mac Mini, but I could not connect from the other workstation.
    I never received the Open Directory message about services being offered etc.
    Both machines have identical network settings (fixed IP, pointing the DNS to the server). AFP sees the server from both workstations, but I cannot log in from the third workstation using any known good user name and password, not even the admin or the Mac Mini account and password that works from the Mac Mini. I don't really know anything about Open Directory; do you need to register the computer name with the server or something to that effect?
    Why would it take hours for that original service offering to go out to the first workstation?
    Thanks for any help you can offer. All of my OSX server experience has been setting up file servers never any of the other offerings.
    Thanks,
    Rick

    Sorry,
    I posted this to the wrong forum. I re-posted in Open Directory.
    Thanks,
    Rick

  • How to set permissions IN Open Directory USING Open Directory groups?

    Hi all,
    Apologies if I've missed this, but I have been searching for two days trying to figure out how to delegate permissions within the OD to a number of different OD groups and I can't seem to find any way to do this, either at the command line or with WGM.
    Examples: an OD group containing those who will manage the full directory needs to have permissions on all containers, child objects, and their attributes in the directory. For this one in particular I seem to be able to nest a group in the default Admin group, but this isn't really what I'm after. I need to create OD groups with the ability only to manipulate objects of class apple-computer and similarly apple-user (really all inetOrgPerson objects). In a nutshell: how do I set permissions on specific attributes or object classes using OD groups?
    thanks for any pointers...
    -andrew

    I think I just answered my own question: Open Directory is OpenLDAP. slapd is all I need.

  • Application launches fail after wake up from sleep when switching from one open directory to another

    I take my MacBook Pro back and forth from home to work.  Open Directory is set up at both locations running on Snow Leopard server.  These two locations are entirely separate domains and IP networks.  The only thing that is the same is my username and password, which is the same in both locations.
    If I put my machine to sleep in one location and move to the other location and wake it up, I can usually launch one application, then no other applications launch and the machine is pretty much frozen up except for mouse cursor movement.  Using command-shift-escape and relaunching the finder doesn't help.
    It is as if the launch daemon has been made inoperative.  Apps just sit and bounce.
    Should one be able to log in on one network with Open Directory, close all applications, move to an entirely different network, wake up from sleep and continue working? The login/password is identical on both Open Directory setups.
    Both home and work are set up so the users can "travel" and the machines are not "bound" to the open directory server.
    I've started using the "other" login box to login in which I think keeps the machine more independent of open directory and that seems to work better for moving between networks.
    Any ideas and/or comment welcome.
    (my DNS seems fine in both environments.  running changeip gets "success" in both places)

    After reading another post that popped up under "More Like This" after I posted this I may have found at least a temporary fix.  Unplugging and reseating the MDP adapter in the MacPro didn't accomplish anything but unplugging/reseating the HDMI plug in the Viewsonic brought it back to life.
    I guess I can live with this but it would be nice knowing that there's a more permanent fix for this.

  • Disabling Kerberos After Setting Up an Open Directory Master - Mavericks

    I am attempting to set up the "magic triangle" and one of the steps is to follow KB: Mac OS X 10.6 Server Admin: Disabling Kerberos After Setting Up an Open Directory Master.
    However, the command mentioned to disable Kerberos does not work on Mavericks, as I get "remove parameter not found". What is the proper way to disable Kerberos on a Mavericks Open Directory master server so that Active Directory takes over Kerberos properly?
    The article for the magic triangle configuration that I am following is: https://it.uoregon.edu/Magic-Triangle-setup
    Also, is Apple's best practice in a "magic triangle" situation to join the client computers to OD and AD?

    Mavericks server seems to be smart enough to disable its Kerberos for you if you bind the server to AD before you create your OD Master.
    If you want to use Workgroup Manager in Mavericks to manage preferences, then yes, you need to bind clients to AD and OD. We are doing this with Mavericks. It works.
    However, Apple has now deprecated Workgroup Manager in favor of Profile Manager. If you switch to Profile Manager then you enroll clients to the server instead of binding them to OD.
    pick yer poison. :-)

  • Unable to set Open Directory master on brand new server

    I have a brand new Mac Mini server running 10.6.2 which I am unable to set as an OD master, receiving the error "There was a configuration error when configuring your server as an Open Directory Master. See the Configuration Log for more information about the failure."
    The log reads as follows...
    2010-01-10 10:34:31 +1100 - slapconfig -createldapmasterandadmin
    2010-01-10 10:34:31 +1100 - Creating password server slot
    2010-01-10 10:34:31 +1100 - command: /usr/sbin/mkpassdb -a -u diradmin -p -q
    2010-01-10 10:34:32 +1100 - command: /usr/sbin/mkpassdb -a -u root -p -q
    2010-01-10 10:34:32 +1100 - command: /usr/sbin/mkpassdb -a -u paisleypark.local$ -p -q
    2010-01-10 10:34:32 +1100 - command: /usr/sbin/mkpassdb -setcomputeraccount 0x4b4912886b8b45670000001b0000001b
    2010-01-10 10:34:32 +1100 - Setting SASL realm to <OpenDirectory.pIxrV9>
    2010-01-10 10:34:32 +1100 - command: /usr/sbin/mkpassdb -setrealm OpenDirectory.pIxrV9
    2010-01-10 10:34:32 +1100 - Copied file from /etc/openldap/slapd.conf to /etc/openldap/slapd.conf.backup.
    2010-01-10 10:34:34 +1100 - command: /usr/bin/net getlocalsid
    2010-01-10 10:34:34 +1100 - Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
    2010-01-10 10:34:34 +1100 - Starting LDAP server (slapd)
    2010-01-10 10:34:54 +1100 - Error: The slapd process did not start.
    2010-01-10 10:34:54 +1100 - Stopping LDAP server (slapd)
    2010-01-10 10:34:54 +1100 - Removed file at path /var/run/slapconfig.lock.
    ... but I am unable to locate any reference to the specific error in these forums or via my friendly neighbourhood Google.
    Any ideas greatly appreciated.

    Well, like I mentioned, if DNS is not properly configured, all bets are off. And again, if you start services before making it an OD master, you could be asking for trouble. You may be able to fix the installation, but I'd seriously consider starting over.
    You might be able to fix what you have well enough to make it work, but what happens in 6 months when it gets flaky about something? You may end up wondering if there was something wrong to begin with.
    So yes, I'd start over.
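As an added example (not from the thread), a small shell helper that reads a slapconfig log in the format quoted in the question above and reports the first "Error:" step together with the last command slapconfig ran before it, which is the step to investigate first (here, slapd failing to start right after the SASL realm and local SID steps). The sample log is a constructed, trimmed copy of the one posted.

```shell
#!/bin/sh
# Added example: summarise a slapconfig log (format: "<date> <time> <tz> - <message>").
# Reads the log on stdin, prints one line with the error timestamp, the error
# text and the last "command:" entry logged before it.
slapconfig_failed_step() {
    awk '
        # Split the timestamp prefix from the message body.
        match($0, /^[0-9-]+ [0-9:]+ [+-][0-9]+/) {
            ts = substr($0, 1, RLENGTH)
            $0 = substr($0, RLENGTH + 4)   # skip the " - " separator
        }
        /^command: / { last_cmd = substr($0, 10); next }
        /^Error: / {
            found = 1
            print "error_at=" ts "; error=" substr($0, 8) "; last_command=" last_cmd
            exit
        }
        END { if (!found) print "no Error: line found" }
    '
}

# Constructed sample log (trimmed copy of the format quoted in the thread).
SAMPLE_LOG='2010-01-10 10:34:31 +1100 - slapconfig -createldapmasterandadmin
2010-01-10 10:34:32 +1100 - command: /usr/sbin/mkpassdb -setrealm OpenDirectory.pIxrV9
2010-01-10 10:34:34 +1100 - command: /usr/bin/net getlocalsid
2010-01-10 10:34:34 +1100 - Starting LDAP server (slapd)
2010-01-10 10:34:54 +1100 - Error: The slapd process did not start.
2010-01-10 10:34:54 +1100 - Stopping LDAP server (slapd)'

printf '%s\n' "$SAMPLE_LOG" | slapconfig_failed_step
```

On a real server run it as `slapconfig_failed_step < /Library/Logs/slapconfig.log`; a log with no "Error:" line reports that explicitly.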
