Open Directory Keychain Question
I have set up open directory on my domain but I am having trouble with Keychain access over the network when users logging into network accounts. Whenever I log in using open directory, I can open all of my applications, however each time I log in to my user account all of my keychain passwords are reset. I can look into the user preferences file and see the keychain file, but for some reason whenever a user logs out the changes to it are lost.
Is Keychain access supported when network mounting user folders? If so, what is the proper way to implement keychain access?
mickey13 wrote:
I have 2 Apple servers. One is running 10.6 (server), the other is running 10.5 (server). I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication. What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory. Any ideas?
This should work the same way as normal.
Define the user accounts in Open Directory as normal via Workgroup Manager
On the 10.5 Server, set up a share point, usually AFP is used as the protocol, this is done in Server Admin
On the 10.5 Server, set up that share point to be an Automounted share for user home directories, this will register that share in Open Directory assuming you have already successfully connected the 10.5 Server to Open Directory system, this is also done in Server Admin
Go back to Workgroup Manager select a user account you want to store on the 10.5 server, click on the Home tab, you should now see the 10.5 share point listed as an available choice for storing home directories.
Click on the 10.5 share point and save the user account.
I normally now click on create Home directory, although this happens automatically when a user logs in for the first time.
It is perfectly ok to mix 10.5 and 10.6 servers in this manner. The client machines can also be a different version e.g. 10.4
What you are doing above even though you are mixing 10.5 and 10.6 servers, is the same as you would do to spread the workload of user home directories across multiple servers. While handling user home directories does not cause a massive amount of CPU activity (or memory use) it does cause a significant amount of disk activity and therefore at a certain level spreading user accounts across multiple servers is recommended.
Similar Messages
-
Open Directory Migration Question
Setup:
My company has two servers, both running 10.5.6. We are migrating from the server Fubar (xserve) as it has had a lot of problems and we want to do a fresh install on it (I was not the admin who initially set it up).
In order to get a 'fresh' OD going, we are recreating all the accounts on the new server Edoras (powerpc mac pro), making sure to preserve UID of the users.
Problem:
User A cannot change his password on Edoras after Directory Utility has been changed to point at it. He can change his password locally, but it does not propagate to Edoras, nor does a password change on Edoras affect his local machine.
The questions I haven't been able to get answers for are:
* Should the OD search string be different on Fubar and Edoras? Currently our search string is 'dc=fubar,dc=domain,dc=com'.
* Are there other attributes that have to be setup in OD besides UID? I noticed when using the Target tab in Workgroup Manager that there is a GeneratedUID attribute, does this need to match?
Thanks for any information/help.I did something like this recently. Unfortunately I couldn't get an answer on the Internet and had to re-configure Directory Access on the client machines manually.
I moved our system from a POwerMac G4 with several upgrades (eSATA card, eSATA Coolgear Enclosure, 7200.11 (yeah I know, bad drives to use) Seagate drives, 1.8 GHz PPC 7447 upgrade, 1.5GB of ram) to a new Mac Pro with a Highpoint RAID controller. The old G4 was very unreliable and couldn't hand
I had to go to each machine with ARD, open Directory Access, delete the LDAP entry and re-enter it. This was really annoying and confusing for me as the old server and the new server had:
The same version of OSX (ok, one was a PPC version and I special ordered the Intel version from Apple Tech Support), but they both were running 10.4.11 with the newest security patches.
The same OD Search Strings
The same IP Address for the Server
The same DNS name for the server
and the same user IDs and group settings
and I still had to re-do Directory Access using the client machines. Before re-doing the Directory Access re-binding I would try to login. The "other" icon would appear on the loging window, but when I would loging with the correct username and password the login windows would "shake it's head" and wouldn't let me login.
The biggest pain was that portable directories didn't sync correct anymore, so I had to manually backup, then delete the account, then re-bind, then re-create and restore the portable directory on each laptop manually.
Unfortunately I do not know the unix command to change directory binding to client computers using ARD. If such a command exists it would make things much easier for you. Does anyone know if a command exists? -
Open Directory Configuration Question
I've got a Mac-Mini based server running Mountain Lion (10.8.3) and Server.app (2.2.1). The server was migrated from Lion some weeks ago, the Server works OK, but seeing odd CPU usage and fairly frequent non-specific error reports which suggests that there are still a few odd gremlins lurking around that I'm trying to track down. So I'm trying to find things that appear odd. I've found one such in the reported configuration for Open Directory.
The server is configured to be an Open Directory master, and is the only Open Directory server we have. The panel for Open Directory in Server.app lists the single entry as follows:
* www.2gc.org (master)
* 10.0.1.2, 10.211.55.2, 10.37.129.2
The first IP address is the IP address of the server on our LAN. I have no idea what the second and third IP addresses are - they do not appear to have anything to do with any network we have configured. They are from the "private" address space - so I'm guessing they are non-functional since we don't have a network using either with these IP ranges within them - but they must have come from somewhere.
It is also not clear where / how these entries are set within ML.
It may be that this is all perfectly normal, or maybe symptomatic of something that can be cleaned up.
Would value any thoughts.
Thanks in advance.Hi Simon
Thanks for the thoughts. There are no other servers on the network - this is an isolated computer parked on a fixed IP with no downstream LAN - the 10.0.1.2 address is the one assigned it by the router that connects it to the outside world - but no other devices are connected to the sub-net the machine sits on: all services are provided through the fixed IP to machines accessing it directly from internet via FQDN.
All of which makes the presence of the other two IPs curious, and apparently unnecessary.
Good housekeeping suggests they could be removed - but unclear how these entries are set. But in the interim good to know that the presence of these IPs is probalby harmless. -
Open Directory authentication question
I have 2 Apple servers. One is running 10.6 (server), the other is running 10.5 (server). I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication. What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory. Any ideas?
mickey13 wrote:
I have 2 Apple servers. One is running 10.6 (server), the other is running 10.5 (server). I have my Open Directory on the 10.6 server, and I have the 10.5 server use it via LDAP for user authentication. What I'd like to do is to assign a home directory on the 10.5 server for users in the 10.6 Open Directory. Any ideas?
This should work the same way as normal.
Define the user accounts in Open Directory as normal via Workgroup Manager
On the 10.5 Server, set up a share point, usually AFP is used as the protocol, this is done in Server Admin
On the 10.5 Server, set up that share point to be an Automounted share for user home directories, this will register that share in Open Directory assuming you have already successfully connected the 10.5 Server to Open Directory system, this is also done in Server Admin
Go back to Workgroup Manager select a user account you want to store on the 10.5 server, click on the Home tab, you should now see the 10.5 share point listed as an available choice for storing home directories.
Click on the 10.5 share point and save the user account.
I normally now click on create Home directory, although this happens automatically when a user logs in for the first time.
It is perfectly ok to mix 10.5 and 10.6 servers in this manner. The client machines can also be a different version e.g. 10.4
What you are doing above even though you are mixing 10.5 and 10.6 servers, is the same as you would do to spread the workload of user home directories across multiple servers. While handling user home directories does not cause a massive amount of CPU activity (or memory use) it does cause a significant amount of disk activity and therefore at a certain level spreading user accounts across multiple servers is recommended. -
After Updating to Server 4.1 Open directory and LPAD gone
Hello,
two days ago I discovered that Open directory was not working on our Server (Mac Mini 2012). I suspect it stopped working after updating to 10.10.3 and OS-X Server 4.1. When I try to start Open directory in the Server App the Server App prompts: Unable to load Replica List. When I try to recreate my Open directory Server I Get: OD Server already exists.
I get the following log entries:
LDAP Log
Apr 11 22:03:02 server.seju.eu slapd[925]: @(#) $OpenLDAP: slapd 2.4.28 (Feb 24 2015 21:45:59) $
[email protected]:/BinaryCache/OpenLDAP/OpenLDAP-499.32.4~1/Objects/servers/slapd
Apr 11 22:03:02 server.seju.eu slapd[925]: daemon: SLAP_SOCK_INIT: dtblsize=8192
Apr 11 22:03:02 server.seju.eu slapd[925]: TLS: OPENDIRECTORY_SSL_IDENTITY identity preference overrode configured olcTLSIdentity "APPLE:server.seju.eu"
Apr 11 22:03:02 server.seju.eu slapd[925]: slap_add_listener: opened additional listener 'ldaps:///'
Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): unable to allocate memory for mutex; resize mutex region
Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_open: database "dc=server,dc=seju,dc=eu" cannot be opened, err 12. Restore from backup!
Apr 11 22:03:02 server.seju.eu slapd[925]: bdb(dc=server,dc=seju,dc=eu): txn_checkpoint interface requires an environment configured for the transaction subsystem
Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_close: database "dc=server,dc=seju,dc=eu": txn_checkpoint failed: Invalid argument (22).
Apr 11 22:03:02 server.seju.eu slapd[925]: backend_startup_one (type=bdb, suffix="dc=server,dc=seju,dc=eu"): bi_db_open failed! (12)
Apr 11 22:03:02 server.seju.eu slapd[925]: bdb_db_close: database "dc=server,dc=seju,dc=eu": alock_close failed
Apr 11 22:03:02 server.seju.eu slapd[925]: slapd stopped.
Open Directory Log
2015-04-11 21:57:10.624284 CEST - AID: 0x0000000000000000 - opendirectoryd (build 382.20.2) launched...
2015-04-11 21:57:10.752590 CEST - AID: 0x0000000000000000 - Logging level limit changed to 'error'
2015-04-11 21:57:10.916732 CEST - AID: 0x0000000000000000 - Initialize trigger support
2015-04-11 21:57:10.951833 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'
2015-04-11 21:57:10.958469 CEST - AID: 0x0000000000000000 - Module: SystemCache - failed to load persistent state - Input/output error
2015-04-11 21:57:10.962533 CEST - AID: 0x0000000000000000 - Registered node with name '/Active Directory' as hidden
2015-04-11 21:57:10.962833 CEST - AID: 0x0000000000000000 - Registered node with name '/Configure' as hidden
2015-04-11 21:57:10.963182 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'
2015-04-11 21:57:10.963194 CEST - AID: 0x0000000000000000 - Registered node with name '/Contacts'
2015-04-11 21:57:10.963438 CEST - AID: 0x0000000000000000 - Registered node with name '/LDAPv3' as hidden
2015-04-11 21:57:10.966901 CEST - AID: 0x0000000000000000 - Registered node with name '/Local' as hidden
2015-04-11 21:57:10.968600 CEST - AID: 0x0000000000000000 - Registered node with name '/NIS' as hidden
2015-04-11 21:57:11.031990 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'
2015-04-11 21:57:11.032007 CEST - AID: 0x0000000000000000 - Registered node with name '/Search'
2015-04-11 21:57:12.343838 CEST - AID: 0x0000000000000000 - Discovered configuration for node name '/LDAPv3/127.0.0.1' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/127.0.0.1.plist'
2015-04-11 21:57:12.343888 CEST - AID: 0x0000000000000000 - Registered subnode with name '/LDAPv3/127.0.0.1'
2015-04-11 21:57:13.549377 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'
2015-04-11 21:57:13.551131 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'
2015-04-11 21:57:13.554053 CEST - AID: 0x0000000000000000 - '/Search' has registered, loading additional services
2015-04-11 21:57:13.554064 CEST - AID: 0x0000000000000000 - Initialize augmentation support
2015-04-11 21:57:13.557920 CEST - AID: 0x0000000000000000 - Successfully registered for Kernel identity service requests
2015-04-11 21:57:13.557940 CEST - AID: 0x0000000000000000 - Adjusting kernel ID cache (100 -> 250) and membership cache (100 -> 500)
2015-04-11 21:57:13.575235 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'
2015-04-11 21:57:13.578418 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'
2015-04-11 21:57:13.583810 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleID.bundle'
2015-04-11 21:57:13.615788 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'
2015-04-11 21:57:13.619666 CEST - AID: 0x0000000000000000 - Registered subnode with name '/Local/Default'
2015-04-11 21:57:13.632498 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'
2015-04-11 21:57:13.845588 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientLDAP.bundle'
2015-04-11 21:57:13.849664 CEST - AID: 0x0000000000000000 - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientPWS.bundle'I had a similar problem. A couple days after upgrading, I encountered OD's "Unable to load replica" problem and had my server's certificate deleted from my system keychain!
Server.app + OD + LDAP are all extremely fragile and I just don't trust them during transitions, so I always keep an independent bootable backup with Carbon Copy Cloner and this preflight script. I'll post my notes for recovering OD below, but in my case, nothing worked this time, and I couldn't start OD robustly across reboots. Fortunately for me, my 12 hour old bootable backup was working, so I just used CCC to copy my bootable backup back. Not sure what I would have done had that not worked short of rebuilding everything from scratch.
Pre-steps:
0. Bootable backups, Time Machine backups, and dirserv backups of everything.
1. Disk Utility: Fix disk permissions, Fix disk
2. PRAM reset, Command-Option-P-R at boot
3. DiskWarrior to rebuild the disk directory
Possible steps to fix OD:
# Fix Open Directory "Unable to load replica"
# Try this first:
# https://support.apple.com/en-us/HT200018
# Quit Server.app
sudo mkdir /var/db/openldap/migration/
sudo touch /var/db/openldap/migration/.rekerberize
sudo killall PasswordService
# Open Server.app
# Try this second:
# http://apple.stackexchange.com/questions/79141/how-to-fix-failing-open-directory -database-cn-authdata-cannot-be-opened-err
sudo serveradmin stop dirserv
sudo launchctl unload -w /System/Library/LaunchDaemons/org.openldap.slapd.plist
sudo db_recover -h /var/db/openldap/authdata/
sudo /usr/libexec/slapd -Tt
sudo launchctl load -w /System/Library/LaunchDaemons/org.openldap.slapd.plist
sudo serveradmin start dirserv
# Try this third:
# https://discussions.apple.com/thread/6018956
sudo serveradmin stop dirserv
sudo slapconfig -restoredb /private/var/backups/ServerBackup_OpenDirectoryMaster.sparseimage
sudo serveradmin start dirserv
# Try this fourth (assuming ccc_preflight od backup):
# https://discussions.apple.com/thread/6018956
sudo serveradmin stop dirserv
sudo slapconfig -restoredb /private/var/backups/odbackup/od_2015-04-11.sparseimage
sudo serveradmin start dirserv
# Try this last:
sudo rsync -va /your-backup-drive-possibly-TM/private/var/db/openldap/authdata/ /private/var/db/openldap/authdata/
If your server cert gets deleted from the System keychain, you'll need to boot into the bootable backup and export the certificate+key that looks like hostname.domainname.tld, signed by IntermediateCA_HOSTNAME.DOMAINNAME.TLD_1, copy this to the server drive, import back into the System keychain. The cert should then appear within Server.app again. See here for how to do this if all you have is the System keychain file.
If anyone has reliable advice how to fix a corrupt OD that would be a huge help. -
Server 3 / SSL Certificate / Open Directory - Problem!
We've updated from Server 2 to Server 3 / OS X 10.9.
We have an SSL certificate for server from Comodo.
Under Server 2, all worked just fine, with the SSL certificate being used to secure all services (configure via Server app).
Under Server 3, all works just fine, but Open Directory will not accept certificate - so Certificates / Settings in Server 3 app shows "Custom Configuration" for Settings - and on inspecting this it is because Open Directory set to be not secured but everything else is using SSL.
I've tried setting the Open Directory to use the SSL, but when ever I do it simply bounces back to being unsecured.
Does this matter? Presumably it should be possible (as the standard setting appears to try and set Open Directory to use the SSL certificate), but not sure whether trying to fix is simply a fools errand.
Anyone got any clues as to whether to fix or not, and if to fix, how?
Thanks in advance.Have you check to see that the certificate is indeed "Trusted" by your server?
Above, you stated that they're in the etc/certificates folder, but that doesn't mean that the server likes them. You can create a "Self Signed" Certificate and still have certificates in there. That doesn't mean that anyone else on the planet has to trust them.
Open Keychain Access in your utilities folder. Depending on how you have it configured, you may have to look around to find the certificate in question. It may be under login, or System.
When you select your Certificate, if it's there, does it show as trusted?
Another thing you can check... Often times Certificate authories, use Intermdeiate certificates. Since anyone can sell a certificate, in order to have it trusted, you need to have it signed by someone else. A good example is Godaddy. They sell both SSL and Code signing certificates of all flavours. In order to get them to be trusted, the "Intermediate Certificate" needs to also be installed in the keychain. My Godaddy cert looks to be trusted by Verisign via an intermediate.
Have a look here... https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid =1182
Not sure if it's directly relevant, but there it is.
The point is, I think you need to verify that your certificate is trusted by your server. OD won't use an untrusted certificate.
--an afterthought-- Anything in the logs?
Open up your server window where you try to select the certificate for OD. Also, in another window open up the terminal. In terminal, type:
tail -f /var/log/system.log
In the server window try to select the certificate and click done. See what the output in terminal says. -
Open Directory: "Unable to load replica list"
I'm currently running Mavericks Server 3.1 on my Mac Mini at the home network. I had some issues with the client logins and went for local accounts on the clients instead. Today I finally wanted to fix the problem and go all Open Directory. But the Open Directory service was shut off when I opened the server software. I tried to turn it on but got a message saying "Unable to load replica list". I updated the software to the latest 3.1 but are still having the same issue. I never had any replica list, I only had a standard one from the start, but it seems I can't do anyhing there now.
LDAP log:
Mar 21 22:48:38 xxYY.com slapd[172]: @(#) $OpenLDAP: slapd 2.4.28 (Nov 12 2013 12:02:47) $
[email protected]:/private/var/tmp/OpenLDAP/OpenLDAP-491.1~1/servers/slapd
Mar 21 22:48:38 xxYY.com.com slapd[172]: daemon: SLAP_SOCK_INIT: dtblsize=8192
Mar 21 22:48:39 xxYY.com.com slapd[172]: TLS: found identity in keychain using identity preference.
Mar 21 22:48:42 xxYY.com.com slapd[172]: slap_add_listener: opened additional listener 'ldaps:///'
Mar 21 22:48:42 xxYY.com.com slapd[172]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Mar 21 22:48:44 xxYY.com.com slapd[172]: slapd starting
Mar 21 22:48:44 xxYY.com.com slapd[172]: daemon: posting com.apple.slapd.startup notification
Mar 21 22:48:54 xxYY.com.com slapd[172]: => bdb_idl_delete_key: c_del id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
Mar 21 22:48:54 xxYY.com.com slapd[172]: conn=1022 op=3: attribute "entryCSN" index delete failure
Mar 21 22:50:02 xxYY.com.com slapd[172]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
Mar 21 22:50:02 xxYY.com.com slapd[172]: conn=1042 op=3: attribute "entryCSN" index delete failure
I don't understand any of this other than the obvious failure words. Can anyone understand this and help me here?This procedure is a diagnostic test. It makes no changes to your data. If you have more than one user account, you must be logged in as an administrator to carry out these instructions.
Please triple-click anywhere in the line below on this page to select it:
sudo /usr/libexec/slapd -Tt | pbcopy
Copy the selected text to the Clipboard by pressing the key combination command-C.
Launch the built-in Terminal application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
Paste into the Terminal window by pressing the key combination command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. You'll be prompted for your login password. Nothing will be displayed when you type it. If you don’t have a login password, you’ll need to set one before you can run the command. You may get a one-time warning to be careful. Confirm. You don't need to post the warning.
If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator. Log in as one and start over.
Wait for a new line ending in a dollar sign ($) to appear below what you entered.
The output of the command will be automatically copied to the Clipboard. If the command produced no output, the Clipboard will be empty. Paste into a reply to this message.
The Terminal window doesn't show the output. Please don't copy anything from there. -
Open Directory access from outside of network / internet
Hello all,
Got a question I'd love to get some help on, I have some users who are outside of my network and I'd like them to connect into the open directory on our leopard server so they can use the Shared iCal calendars, addresses, etc.
So my questions are A) Is it possible to connect in from outside the network and get access to the directory without having to have a seperate user account and use our VPN every time you want to connect? - if not is this the only way to do it (would you have to connect via the Mac VPN and then connect to the directory?)
B) is it possible to do this "seamlessly" so that you don't have to change any settings, login details each time you switch between your local user from outside the network and your directory access. (so basically if you are in iCal if you have internet access it will connect you to the directory, without you doing anything extra?)
Hope that makes sense, I can't seem to find the answers I need in the manuals, if I knew how this was meant to work I could probably have a fair go at figuring out how to actually do it (firewall changes etc)
Thanks in advance for the help
MartinSo my questions are A) Is it possible to connect in from outside the network and get access to the directory without having to have a seperate user account and use our VPN every time you want to connect? - if not is this the only way to do it (would you have to connect via the Mac VPN and then connect to the directory?)
If your OD server is visible from the internet -- i.e., it has a public address -- then you can do this without the VPN. However, it's not advisable to have a server exposed in that fashion.
You would be better off doing this through the VPN:
- Remote user connects to internet at hotel, for example.
- Remote user initiates VPN connection.
- Remote user now has access to iCal server and directory information.
Explain to the users that this information is private to the company, and private company resources are only available through the VPN. Allowing access without the VPN would be similar to the company posting its Employee roster and meeting calendars on the face of the building where any person (or competitor) could see them.
B) is it possible to do this "seamlessly" so that you don't have to change any settings, login details each time you switch between your local user from outside the network and your directory access. (so basically if you are in iCal if you have internet access it will connect you to the directory, without you doing anything extra?)
It's just one extra step: Connect to VPN. You're still the same local user on the computer.
If you're talking about laptop users needing directory access to authenticate when logging into their computers, well...That sounds like a whole other situation.
Hopefully this helps.
Bryan Vines -
Open Directory Usefulness for Home Server
I'm using Mountain Lion Server primarily as a web server, but as a retired tech writer/programmer I like to fool around with things in case I ever need to return to work. I set up the Open Directory master as part of the installation process, but I'm not sure how useful it is for me. When my site was hosted on Mobileme I got about 30 visits in a day max, and about 1 comment every year or two. So my questions are:
How useful is the Open Directory for me, and is there any point in keeping it turned on?
Is it useful for people outside of my LAN?
Any additional comments, or information are appreciated.<bump>
-
DNS, Open Directory, and wow my head hurts
OK, I’m slowly pulling my ear hairs out over this. My comprehension of the DNS world is modest at best (I know enough to get into trouble). I did not set up most of this (not the DNS parts anyway), and I’m trying to unravel what exactly is going on. Maybe it’s exactly as it should be; but it seems awfully convoluted to me, so if you’re bored and want to show off your expertise and ability to explain it to a kindergartener, please read on…
Let’s say my Domain is mydomain.com. (You can probably figure out what it really is, but I’d rather not sprinkle a post with it.)
Our firewall is a Sophos UT320. It obviously supports forwarding of DNS info from our ISP. While it’s own documentation says it does not have a full-fledged dns server, it does have something called “Static Entries” which seems to be a bare-bones dns server of sorts. I can set any static domain name (myserver.mydomain.com for example), point it to a server on our lan, and everyone internally can get to that server by using myserver.mydomain.com instead of 192.168.blah.blah. It also supports reverse DNS, so if I issue a host 192.168.blah.blah command from my computer, I get “blah.blah.168.192.in-addr.arpa domain name pointer myserver.mydomain.com.” My guess is that it’s only serving up A records. No one from outside our LAN can access these servers or records (unless they’re on a VPN of course).
Now, in our lan, we have a bunch of Mac Servers. Our Open Directory server has DNS service enabled on it, and the primary zone is set to od.mydomain.com. It has some A records pointing to myserver.mydomain.com, myotherserver.mydomain.com, etc.
Another server, located at, myserver.mydomain.com, has a DNS service who’s primary zone is mydomain.com (yes, it matches our external domain name). It contains A records for itself, the OD Server, and others.
Reverse lookup works fine throughout the lan.
All DNS Servers’ Forwarders are our router.
I did a test where I turned off all these internal DNS servers (yes, there’s more) and pointed all the servers to the router. It seemed fine at first, I could issue HOST commands to and from every server to every other one and resolve both names and addresses. The router seemed to be doing fine.
After a day or so (I assume after the TTL elapsed), people started getting permissions errors on the servers, so I turned it all back on.
This is with 10.6.8 Servers (one is running 10.9 but it doesn't seem to have DNS running).
So here’s my questions:
Why would my OD Server’s DNS Service’s primary zone be “od.mydomain.com” and not just “mydomain.com”?
Does it make sense (or even matter) to have these DNS entries ending in mydomain.com when that’s our website’s address? (We host our own site and email server, btw.)
Why would OD not work after all these DNS Servers were turned off, when HOST command shows it can get to every other machine and they can get to it? What else, besides the A record and reverse lookup, could be included in the full-blown DNS servers that wouldn’t be in the Sophos bare-bones one, but still allow reverse lookups to function? What else does OD want from DNS??
Wouldn’t it be better, even if this all was necessary, to set up a single internal DNS Server (ok, maybe plus a backup)? Why would this service be running, with a variety of A records, on almost every server we have?
Is there a site that can explain DNS, and actually define every acronym, abbreviation, etc it uses? Every time I try to learn something I go down a wiki rabbit hole.
Thanks!
JeffOK, the answer to this seemed to be to not rely on Sophos' "Static Entries" DNS functionality. Even though it allows "HOST" commands to work for both reverse and forward lookups, OD and/or Kerberos needs more. Once I made a zone on our OD Server that listed itself, our replica server, AND our email server (which uses Kerberos), and made what I think is now a proper secondary DNS server on our replica server, and pointed the OD server's DNS to itself, the replica to itself, and kept the email server using the Sophos for DNS, it worked.
-
Directory Binding Script (Active and Open Directory) 10.7
Hi everyone
I'm reposting this in the right thread. I've written a Directory Binding Script for 10.6 and ported it now to 10.7 as among the things that have changed in the upgraded version is a refurbished directory binding enviroment.
The original thread can be found here: https://discussions.apple.com/thread/3090068. The script is applicable for clients as well and simplifies the binding process considerably.
Be aware that the reformatted script here contains some faulty line breaks. So you'll have to correct them in a proper text editor.
#!/bin/sh
#Uncomment the following line to abort the script on errors
#trap exit ERR
## Script to automate OD and AD Binding of Mac OS X 10.7 Servers
## Script written by Marc Horat, URZ Basel, 11.6.2010
## Updated: 12.08.2011
# With the use of the following sources as inspiration:
# http://www.howtomac.co.uk/?p=247
#Created by Ross Hamilton
#Clock restart / Remove existing settings
#Join to Open Directory and Active Directory
# Bombich's AD-Bind Script:
# This script binds to AD and configures advanced options of the AD plugin
# As this scripts contains a password, be sure to take appropriate security
# precautions
# A good way to run this script is to set it as a login hook on your master machine
# Because it only needs to be run once, the last thing this script does is to delete
# itself. If you have another login script that you typically run, include the
# script on your master machine, and indicate its path in the "newLoginScript"
# variable.
# If running this as a one-time login hook to bind to AD after imaging,
# be sure to enable auto-login (for any local user) before creating your master image
#################CONFIGURATION##########################
#OD
# These variables need to be configured for your env
odAdmin="YOURODADMIN" #enter your OD admin name between the quotes
odPassword="YOURODPW" # Enter your OD admin password between the quotes
oddomain="YOURODDOMAIN" # FQDN of your OD domain
computerGroup="YOURNEWODCOMPGROUP" # Add appropriate computer group you want machines to be added to, case sensitive
oldComputerGroup="YOUROLDODCOMPGROUP" # If the Computer is in a Group already
#AD
# Standard parameters
domain="YOURADDOMAIN" # fully qualified DNS name of Active Directory Domain
domainname="YOURADDOMAINNAME" #Name of the Domain as specified in the search paths
udn="YOURADADMIN" # username of a privileged network user
password="YOURADPW" # password of a privileged network user
ou="OU=YOUR,OU=OU,OU=URZ,OU=IN,DC=YOUR,DC=AD,DC=DOMAIN" # Distinguished name of container for the computer E.G. OU=Macs,OU=Computers,DC=AD,DC=DOMAIN,DC=CH
# Advanced options AD Plugin
alldomains="disable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="disable" # 'enable' or 'disable' force home directory to local drive
protocol="smb" # 'afp', 'smb' or 'nfs' (since 10.7) change how home is mounted from server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="enable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or "none"
preferred="-preferred $domain" # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="$domainname\YOURADADMINGROUP" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\macadmins")
packetsign="allow" # allow | disable | require
packetencrypt="allow" # allow | disable | require
passinterval="14" # number of days
namespace="domain" # forest | domain
# Login hook setting -- specify the path to a login hook that you want to run instead of this script
newLoginHook="" # e.g., "/Library/Management/login.sh"
################################# End of configuration
############ Begin of Script
# Host-specific parameters
# computerid should be set dynamically, this value must be machine-specific
# This value may be restricted to 19 characters! The only error you'll receive upon entering
# an invalid computer id is to the effect of not having appropriate privileges to perform the requested operation
#computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'` # MAC Address
#computerid=`hostname | sed 's/.unibas.ch//'`
#computerid=`/usr/sbin/scutil --get LocalHostName | cut -c 1-19` # Assure that this will produce unique names!
#computerid=`/usr/sbin/scutil --get LocalHostName`
computerid=`scutil --get ComputerName`
adcomputerid=`echo "$computerid" | tr [:lower:] [:upper:]`
# These variables probably don't need to be changed
# Determing if any directory binding exists
nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODtmp=`dscl localhost -list /LDAPv3 | grep -n 1 | sed 's/1://' | sed 's/2://'`
check4OD=${check4ODtmp//[[:space:]]/}
echo "Found LDAP: "$check4ODtmp
check4ODaccttmp=`dscl /LDAPv3/"$check4OD" -read Computers/"$computerid" RealName | cut -c 11-`
check4ODacct=${check4ODaccttmp//[[:space:]]/}
echo "Found LDAP-Computer-Account: "$check4ODacct
else
check4OD=""
check4ODacct=""
echo "No bound LDAP Server found"
fi
if [ $oldComputerGroup != "" ] && dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODgroupMembershiptmp=`dscl /LDAPv3/"$check4OD" -read ComputerGroups/"$oldComputerGroup" | grep "$computerid"`
check4ODgroupMembership=$check4ODgroupMembershiptmp
echo "LDAP Group Membership in Group: "$oldComputerGroup
else
check4ODgroupMembership=""
echo "No LDAP Group Membership defined or not bound to a server"
fi
if dscl localhost -list "/Active Directory" | grep $domainname > /dev/null
then
check4ADtmp=`dsconfigad -show | grep "Active Directory Domain" | sed 's/Active Directory Domain//' | sed 's/=//'`
check4AD=${check4ADtmp//[[:space:]]/}
echo "Found AD: "$check4AD
check4ADaccttmp=`dsconfigad -show | grep "Computer Account" | sed 's/Computer Account//' | sed 's/=//'`
check4ADacct=${check4ADaccttmp//[[:space:]]/}
echo "Found AD-Account: "$check4ADacct
else
check4AD=""
check4ADacct=""
echo "No AD-Account found"
fi
osversionlong=`sw_vers -productVersion`
osvers=${osversionlong:3:1}
#Time Sync
#Restart ntpdate
StartService ()
if [ "${TIMESYNC:=-YES-}" = "-YES-" ] && ! GetPID ntpd > /dev/null; then
CheckForNetwork
if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
touch /var/run/NetworkTime.StartupItem
echo "Starting network time synchronization"
# Synchronize our clock to the network’s time,
# then fire off ntpd to keep the clock in sync.
ntpdate -bvs
ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
fi
echo ""
echo ""
sleep 5
#### Removing any existing directory bindings
#Clear OD Computer Account and delete entry from Computer group
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "This computer is bound to the following Open Directory Services:"
dscl localhost -list /LDAPv3
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
sleep 5
if [ "${check4ODacct}" == "${computerid}" ]
then
echo "This machine already has a computer account on $oddomain."
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
echo "Found GUID: "$GUID
if [ "$oldComputerGroup" != "" ] && [ "$check4ODgroupMembership" != "" ]
then
echo "Removing entry from group $oldComputerGroup"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembership "${computerid}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembers "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerLists/"$oldComputerGroup" Computers "${computerid}"
fi
echo "Removing Computer entry $computerid in OD"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /Computers/"${computerid}"
fi
#List existing Directories
echo "Removing OD-Binding to "$check4OD
dsconfigldap -r "$check4OD"
echo "Removing Search Path entries"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
sleep 5
else
echo "No LDAP or OD Binding present.";
fi
echo ""
# Check a second time in order to delete any remaining LDAP-Bindings
echo "Scanning for further LDAP servers"
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "Found:"
dscl localhost -list /LDAPv3
echo "Removing OD-Binding to "$check4ODtmp
dsconfigldap -r "$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
sleep 5
else
echo "No further LDAP or OD Binding present."
fi
echo ""
echo ""
#Remove the Active Directory binding
if [ "$check4AD" != "" ]
then
echo "This computer is bound to the following Active Directory Services:"
dscl localhost -list "/Active Directory"
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
sleep 5
echo "Removing any existing AD-Binding to "$check4AD
dsconfigad -f -remove -username "$udn" -password "$password"
echo "Removing Search Path entries"
if [ "$preferred" != "-nopreferred" ]
then
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search/Contacts -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
fi
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
#remove search path entries from 10.6
if dscl /Search -read / CSPSearchPath | grep /Active > /dev/null
then
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
fi
sleep 5
else
echo "No Active Directory Binding present."
fi
echo ""
#Remove Existing Directory Services Config
echo "Removing existing DS Config"
if [ -d "/Library/Preferences/edu.mit.Kerberos" ]
then
rm -R /Library/Preferences/edu.mit.Kerberos
fi
if [ -d "/etc/krb5.keytab" ]
then
rm -R /etc/krb5.keytab
fi
# Clean up the DirectoryService configuration files
rm -Rfv /Library/Preferences/DirectoryService/*
#OD
echo ""
echo ""
echo "Binding to OD-Damin "$oddomain
sleep 5
dsconfigldap -v -a "$oddomain" -n "$oddomain" -c "$computerid"
echo "Killing opendirectoryd"
killall opendirectoryd
sleep 5
echo "Adding computer account $computerid to /LDAPv3/${oddomain} on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -create /Computers/"$computerid" ENetAddress "$nicAddress"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /Computers/"$computerid" RealName "$computerid"
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
# Add computer to ComputerList and ComputerGroup
if [ $computerGroup != "" ]
then
echo "Adding computer $computerid to OD group $computerGroup on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerLists/"$computerGroup" apple-computers "$computerid"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" apple-group-memberguid "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" memberUid "$computerid"
fi
echo "Finished OD Binding."
sleep 5 # Give DS a chance to catch up
echo ""
echo ""
echo "Performing the AD Binding"
#AD
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
#Use the existing AD-Computername or generate a new one
computeridtmp="default"
if [ "$check4ADacct" == "" ]
then
LEN=$(echo ${#adcomputerid})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$adcomputerid " has 15 characters or less and is therefore suitable for AD-Binding. It is $adcomputerid"
computeridtmp=$adcomputerid
else
echo "ComputerID "$adcomputerid " has 16 or more characters and needs to be modified for AD-Binding."
echo "Removing any -"
computeridtmp=${adcomputerid//-/}
LEN=$(echo ${#computeridtmp})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$computeridtmp" has now 15 characters or less and is therefore suitable for AD-Binding."
else
echo "Only using the last 15 characters of the Computer name to be able to bind to AD."
computeridtmp=${computeridtmp:(-15)}
fi
echo "Cropped Computername to "$computeridtmp
fi
else
computeridtmp=${check4ADacct//$/}
echo "Found existing AD Account previously, attempting to recreate in the OU: "$computeridtmp
fi
echo ""
# Bind to AD
echo "Binding to AD-Domain "$domain" with computerid "$computeridtmp
dsconfigad -f -add "$domain" -username "$udn" -password "$password" -ou "$ou" -computer "$computeridtmp"
echo ""
echo "Setting the Advanced AD Plugin options"
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]
then
dsconfigad -nogroups
else
dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains "$alldomains"
dsconfigad -localhome "$localhome"
dsconfigad -protocol "$protocol"
dsconfigad -mobile "$mobile"
dsconfigad -mobileconfirm "$mobileconfirm"
dsconfigad -useuncpath "$useuncpath"
dsconfigad -shell "$user_shell"
dsconfigad "$preferred"
dsconfigad -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval"
dsconfigad -namespace "$namespace"
sleep 5
echo ""
echo ""
# Add the OD & AD node to the search path
if [ "$alldomains" = "enable" ]
then
csp="/Active Directory/$domainname/All Domains"
else
csp="/Active Directory/$domainname"
fi
echo "Finished AD Binding."
echo "Adding Domain /LDAPv3/"$oddomain" and "$csp" to Search Path"
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
echo "Adding OD.."
dscl /Search -append / CSPSearchPath /LDAPv3/"$oddomain"
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/"$oddomain"
echo "Adding AD.."
#Adding all Domains first to improve reliability under 10.7
if [ "$alldomains" != "enable" ]
then
cspadall="/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "$cspadall"
dscl /Search -append / CSPSearchPath "$cspadall"
fi
dscl /Search/Contacts -append / CSPSearchPath "$csp"
dscl /Search -append / CSPSearchPath "$csp"
echo "Finished Updating Search Paths."
echo ""
echo ""
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall opendirectoryd
# Destroy the login hook (or change it)
if [ "${newLoginHook}" == "" ]
then
defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
else
defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook $newLoginHook
fi
sleep 5
# Customizing the login-Window
#defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
#defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool TRUE
#defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
# This works in a pinch if the above code does not
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
#plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
#killall opendirectoryd
# Disable autologin
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
srm /etc/kcpassword
echo ""
echo ""
echo ""
echo "Now bound to OD Domain:"
dscl localhost -list /LDAPv3
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
echo "Now bound to AD Domain:"
dscl localhost -list "/Active Directory"
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
exit 0 ## Success
exit 1 ## Failure
Any inputs, questions and improvement suggestions are, of course, most welcome!
Cheers
SeeHi everyone
I'm reposting this in the right thread. I've written a Directory Binding Script for 10.6 and ported it now to 10.7 as among the things that have changed in the upgraded version is a refurbished directory binding enviroment.
The original thread can be found here: https://discussions.apple.com/thread/3090068. The script is applicable for clients as well and simplifies the binding process considerably.
Be aware that the reformatted script here contains some faulty line breaks. So you'll have to correct them in a proper text editor.
#!/bin/sh
#Uncomment the following line to abort the script on errors
#trap exit ERR
## Script to automate OD and AD Binding of Mac OS X 10.7 Servers
## Script written by Marc Horat, URZ Basel, 11.6.2010
## Updated: 12.08.2011
# With the use of the following sources as inspiration:
# http://www.howtomac.co.uk/?p=247
#Created by Ross Hamilton
#Clock restart / Remove existing settings
#Join to Open Directory and Active Directory
# Bombich's AD-Bind Script:
# This script binds to AD and configures advanced options of the AD plugin
# As this scripts contains a password, be sure to take appropriate security
# precautions
# A good way to run this script is to set it as a login hook on your master machine
# Because it only needs to be run once, the last thing this script does is to delete
# itself. If you have another login script that you typically run, include the
# script on your master machine, and indicate its path in the "newLoginScript"
# variable.
# If running this as a one-time login hook to bind to AD after imaging,
# be sure to enable auto-login (for any local user) before creating your master image
#################CONFIGURATION##########################
#OD
# These variables need to be configured for your env
odAdmin="YOURODADMIN" #enter your OD admin name between the quotes
odPassword="YOURODPW" # Enter your OD admin password between the quotes
oddomain="YOURODDOMAIN" # FQDN of your OD domain
computerGroup="YOURNEWODCOMPGROUP" # Add appropriate computer group you want machines to be added to, case sensitive
oldComputerGroup="YOUROLDODCOMPGROUP" # If the Computer is in a Group already
#AD
# Standard parameters
domain="YOURADDOMAIN" # fully qualified DNS name of Active Directory Domain
domainname="YOURADDOMAINNAME" #Name of the Domain as specified in the search paths
udn="YOURADADMIN" # username of a privileged network user
password="YOURADPW" # password of a privileged network user
ou="OU=YOUR,OU=OU,OU=URZ,OU=IN,DC=YOUR,DC=AD,DC=DOMAIN" # Distinguished name of container for the computer E.G. OU=Macs,OU=Computers,DC=AD,DC=DOMAIN,DC=CH
# Advanced options AD Plugin
alldomains="disable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="disable" # 'enable' or 'disable' force home directory to local drive
protocol="smb" # 'afp', 'smb' or 'nfs' (since 10.7) change how home is mounted from server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="enable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or "none"
preferred="-preferred $domain" # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="$domainname\YOURADADMINGROUP" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\macadmins")
packetsign="allow" # allow | disable | require
packetencrypt="allow" # allow | disable | require
passinterval="14" # number of days
namespace="domain" # forest | domain
# Login hook setting -- specify the path to a login hook that you want to run instead of this script
newLoginHook="" # e.g., "/Library/Management/login.sh"
################################# End of configuration
############ Begin of Script
# Host-specific parameters
# computerid should be set dynamically, this value must be machine-specific
# This value may be restricted to 19 characters! The only error you'll receive upon entering
# an invalid computer id is to the effect of not having appropriate privileges to perform the requested operation
#computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }'` # MAC Address
#computerid=`hostname | sed 's/.unibas.ch//'`
#computerid=`/usr/sbin/scutil --get LocalHostName | cut -c 1-19` # Assure that this will produce unique names!
#computerid=`/usr/sbin/scutil --get LocalHostName`
computerid=`scutil --get ComputerName`
adcomputerid=`echo "$computerid" | tr [:lower:] [:upper:]`
# These variables probably don't need to be changed
# Determing if any directory binding exists
nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODtmp=`dscl localhost -list /LDAPv3 | grep -n 1 | sed 's/1://' | sed 's/2://'`
check4OD=${check4ODtmp//[[:space:]]/}
echo "Found LDAP: "$check4ODtmp
check4ODaccttmp=`dscl /LDAPv3/"$check4OD" -read Computers/"$computerid" RealName | cut -c 11-`
check4ODacct=${check4ODaccttmp//[[:space:]]/}
echo "Found LDAP-Computer-Account: "$check4ODacct
else
check4OD=""
check4ODacct=""
echo "No bound LDAP Server found"
fi
if [ $oldComputerGroup != "" ] && dscl localhost -list /LDAPv3 | grep . > /dev/null
then
check4ODgroupMembershiptmp=`dscl /LDAPv3/"$check4OD" -read ComputerGroups/"$oldComputerGroup" | grep "$computerid"`
check4ODgroupMembership=$check4ODgroupMembershiptmp
echo "LDAP Group Membership in Group: "$oldComputerGroup
else
check4ODgroupMembership=""
echo "No LDAP Group Membership defined or not bound to a server"
fi
if dscl localhost -list "/Active Directory" | grep $domainname > /dev/null
then
check4ADtmp=`dsconfigad -show | grep "Active Directory Domain" | sed 's/Active Directory Domain//' | sed 's/=//'`
check4AD=${check4ADtmp//[[:space:]]/}
echo "Found AD: "$check4AD
check4ADaccttmp=`dsconfigad -show | grep "Computer Account" | sed 's/Computer Account//' | sed 's/=//'`
check4ADacct=${check4ADaccttmp//[[:space:]]/}
echo "Found AD-Account: "$check4ADacct
else
check4AD=""
check4ADacct=""
echo "No AD-Account found"
fi
osversionlong=`sw_vers -productVersion`
osvers=${osversionlong:3:1}
#Time Sync
#Restart ntpdate
StartService ()
if [ "${TIMESYNC:=-YES-}" = "-YES-" ] && ! GetPID ntpd > /dev/null; then
CheckForNetwork
if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
touch /var/run/NetworkTime.StartupItem
echo "Starting network time synchronization"
# Synchronize our clock to the network’s time,
# then fire off ntpd to keep the clock in sync.
ntpdate -bvs
ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
fi
echo ""
echo ""
sleep 5
#### Removing any existing directory bindings
#Clear OD Computer Account and delete entry from Computer group
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "This computer is bound to the following Open Directory Services:"
dscl localhost -list /LDAPv3
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
sleep 5
if [ "${check4ODacct}" == "${computerid}" ]
then
echo "This machine already has a computer account on $oddomain."
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
echo "Found GUID: "$GUID
if [ "$oldComputerGroup" != "" ] && [ "$check4ODgroupMembership" != "" ]
then
echo "Removing entry from group $oldComputerGroup"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembership "${computerid}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerGroups/"$oldComputerGroup" GroupMembers "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /ComputerLists/"$oldComputerGroup" Computers "${computerid}"
fi
echo "Removing Computer entry $computerid in OD"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$check4OD" -delete /Computers/"${computerid}"
fi
#List existing Directories
echo "Removing OD-Binding to "$check4OD
dsconfigldap -r "$check4OD"
echo "Removing Search Path entries"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4OD"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4OD"
sleep 5
else
echo "No LDAP or OD Binding present.";
fi
echo ""
# Check a second time in order to delete any remaining LDAP-Bindings
echo "Scanning for further LDAP servers"
if dscl localhost -list /LDAPv3 | grep . > /dev/null
then
echo "Found:"
dscl localhost -list /LDAPv3
echo "Removing OD-Binding to "$check4ODtmp
dsconfigldap -r "$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search/Contacts -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
dscl /Search -delete / CSPSearchPath /LDAPv3/"$check4ODtmp"
sleep 5
else
echo "No further LDAP or OD Binding present."
fi
echo ""
echo ""
#Remove the Active Directory binding
if [ "$check4AD" != "" ]
then
echo "This computer is bound to the following Active Directory Services:"
dscl localhost -list "/Active Directory"
echo "With the Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
sleep 5
echo "Removing any existing AD-Binding to "$check4AD
dsconfigad -f -remove -username "$udn" -password "$password"
echo "Removing Search Path entries"
if [ "$preferred" != "-nopreferred" ]
then
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search/Contacts -delete / CSPSearchPath /Active Directory/"$domainname"
dscl /Search -delete / CSPSearchPath /Active Directory/"$domainname"
fi
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/All Domains"
#remove search path entries from 10.6
if dscl /Search -read / CSPSearchPath | grep /Active > /dev/null
then
dscl /Search -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/$domainname/$domain"
fi
sleep 5
else
echo "No Active Directory Binding present."
fi
echo ""
#Remove Existing Directory Services Config
echo "Removing existing DS Config"
if [ -d "/Library/Preferences/edu.mit.Kerberos" ]
then
rm -R /Library/Preferences/edu.mit.Kerberos
fi
if [ -d "/etc/krb5.keytab" ]
then
rm -R /etc/krb5.keytab
fi
# Clean up the DirectoryService configuration files
rm -Rfv /Library/Preferences/DirectoryService/*
#OD
echo ""
echo ""
echo "Binding to OD-Damin "$oddomain
sleep 5
dsconfigldap -v -a "$oddomain" -n "$oddomain" -c "$computerid"
echo "Killing opendirectoryd"
killall opendirectoryd
sleep 5
echo "Adding computer account $computerid to /LDAPv3/${oddomain} on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -create /Computers/"$computerid" ENetAddress "$nicAddress"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /Computers/"$computerid" RealName "$computerid"
# Set the GUID
GUID="$(dscl /LDAPv3/$oddomain -read /Computers/${computerid} GeneratedUID | awk '{ print $2 }')"
# Add computer to ComputerList and ComputerGroup
if [ $computerGroup != "" ]
then
echo "Adding computer $computerid to OD group $computerGroup on $oddomain"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerLists/"$computerGroup" apple-computers "$computerid"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" apple-group-memberguid "${GUID}"
dscl -u "${odAdmin}" -P "${odPassword}" /LDAPv3/"$oddomain" -merge /ComputerGroups/"$computerGroup" memberUid "$computerid"
fi
echo "Finished OD Binding."
sleep 5 # Give DS a chance to catch up
echo ""
echo ""
echo "Performing the AD Binding"
#AD
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
#Use the existing AD-Computername or generate a new one
computeridtmp="default"
if [ "$check4ADacct" == "" ]
then
LEN=$(echo ${#adcomputerid})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$adcomputerid " has 15 characters or less and is therefore suitable for AD-Binding. It is $adcomputerid"
computeridtmp=$adcomputerid
else
echo "ComputerID "$adcomputerid " has 16 or more characters and needs to be modified for AD-Binding."
echo "Removing any -"
computeridtmp=${adcomputerid//-/}
LEN=$(echo ${#computeridtmp})
if [ $LEN -lt 15 ]; then
echo "ComputerID "$computeridtmp" has now 15 characters or less and is therefore suitable for AD-Binding."
else
echo "Only using the last 15 characters of the Computer name to be able to bind to AD."
computeridtmp=${computeridtmp:(-15)}
fi
echo "Cropped Computername to "$computeridtmp
fi
else
computeridtmp=${check4ADacct//$/}
echo "Found existing AD Account previously, attempting to recreate in the OU: "$computeridtmp
fi
echo ""
# Bind to AD
echo "Binding to AD-Domain "$domain" with computerid "$computeridtmp
dsconfigad -f -add "$domain" -username "$udn" -password "$password" -ou "$ou" -computer "$computeridtmp"
echo ""
echo "Setting the Advanced AD Plugin options"
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]
then
dsconfigad -nogroups
else
dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains "$alldomains"
dsconfigad -localhome "$localhome"
dsconfigad -protocol "$protocol"
dsconfigad -mobile "$mobile"
dsconfigad -mobileconfirm "$mobileconfirm"
dsconfigad -useuncpath "$useuncpath"
dsconfigad -shell "$user_shell"
dsconfigad "$preferred"
dsconfigad -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval"
dsconfigad -namespace "$namespace"
sleep 5
echo ""
echo ""
# Add the OD & AD node to the search path
if [ "$alldomains" = "enable" ]
then
csp="/Active Directory/$domainname/All Domains"
else
csp="/Active Directory/$domainname"
fi
echo "Finished AD Binding."
echo "Adding Domain /LDAPv3/"$oddomain" and "$csp" to Search Path"
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
echo "Adding OD.."
dscl /Search -append / CSPSearchPath /LDAPv3/"$oddomain"
dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/"$oddomain"
echo "Adding AD.."
#Adding all Domains first to improve reliability under 10.7
if [ "$alldomains" != "enable" ]
then
cspadall="/Active Directory/$domainname/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "$cspadall"
dscl /Search -append / CSPSearchPath "$cspadall"
fi
dscl /Search/Contacts -append / CSPSearchPath "$csp"
dscl /Search -append / CSPSearchPath "$csp"
echo "Finished Updating Search Paths."
echo ""
echo ""
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall opendirectoryd
# Destroy the login hook (or change it)
if [ "${newLoginHook}" == "" ]
then
defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
else
defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook $newLoginHook
fi
sleep 5
# Customizing the login-Window
#defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
#defaults write /Library/Preferences/com.apple.loginwindow showInputMenu -bool TRUE
#defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
# This works in a pinch if the above code does not
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
#plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
#killall opendirectoryd
# Disable autologin
defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
srm /etc/kcpassword
echo ""
echo ""
echo ""
echo "Now bound to OD Domain:"
dscl localhost -list /LDAPv3
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /LDAP
echo "Now bound to AD Domain:"
dscl localhost -list "/Active Directory"
echo "With Search Path entries:"
dscl /Search -read / CSPSearchPath | grep /Active
exit 0 ## Success
exit 1 ## Failure
Any inputs, questions and improvement suggestions are, of course, most welcome!
Cheers
See -
Creating Open Directory Replica fails with Server Admin Error Value 1127
Hallo,
I have seen a lot of similar threads here and they were helpful up to a certain point, but in the end, they did not solve my problem.
Currently, it comes down to this. The Server Admin Error message ist really meaningless and I could not find a single for the error value on the whole wide web. As such, I switched to the command line versions of the tools involved to geht more meaningful results. It worked. Specifically, creating a replica of an openldap master means using slapconfig.
When executing
slapconfig -createreplica master.ourdomain.com diradmin
as root on the prospective replica machine, I get the following error message:
ssh command failed with status 127
That command is not allowed with the root account via public key authentication.
That makes perfect sense to me, but how is it meant to work then?
Executing slapconfig as admin tells me that this tool is to be executed as root. On the other hand, root login via ssh is not allowed in Mac OS X by default, which seems fine to me. I even changed /etc/sshd_config on the Open Directory Master machine to "PermitRootLogin yes". However, neither reloading ssh using launchctl nor restarting the whole server made this setting operational. Trying to login from command line as root still tells me:
root login is not permitted to this machine via public key authentication.
While this is the current state where I need help urgently, I changed some other things before. I tell about to exclude these issues as possible reason of failure. I got this message for quite a while:
Replica Setup failed : This machine does not have a valid computer name
I was sure, this machine meant the target machine, the open directory master, because the domain had changed there once before I had taken over responsibility as an admin in this environment. And in fact, changeip disguised an issue there. The command proposed by changeip to fix the situation did not seem appropriate because this machine is multihomed with a public and a private IP adress. Proper name resolution is available for both interfaces including reverse lookup. I dont like this setup, but it was the only way to get mail service running smoothly. Running changeip on the machine itself using these arguments
changeip /LDAPv3/127.0.0.1 internalIP internalIP old.ours.com current.ours.com
reported success in updating password server, open directory, both interfaces, hostconfig (which in fact did not change) and samba. It reported an issue with kadmin which is related to Kerberos (we dont use Kerberos yet).
Changing the hostname of the server using changeip did not solve the issue. I then found the hint to check with scutil. This showed that the Hostname was not set on the prospective replica machine. (A question aside: in how many place is the hostname stored? The traditional /etc/hostname has gone, but seems to be replaces with several other configuration files and databases. I cant see this as an advantage). Setting the hostname using scutil worked fine. However, it did not solve the problem either. At least, slapconfig now started to complain about not being able to log in as root instead of failing from the start.
I also checked all log files on bboth machines that might have to do with openldap, as there are /var/log/slapd.log, /var/log/system.log and /Library/Log/slapconfig.log. I also checked the log of th layer on top of openldap which is /Library/Log/DirectoryService.server.log. None of them revealed anything noticeable beside a lot of of entries that I have googled in the last few hours and which all dont seem to be associated with the problem in question.
I will take a break now, but I have to fix this until tomorrow and I hope to get the ultimate hint from you, dear reader.
Thanks and bye, Christian Völkerssh command failed with status 127
That command is not allowed with the root account via public key authentication.
Initial OD replication takes place via 'ssh'. If you have 'sshd' configured on the OD Master to authenticate with public keys then the OD replica will not be able to communicate with the OD Master via 'ssh'. You must configure the OD Master to use 'ssh' with password authentication and root login enabled.
Demote the replica back to standalone. Stop any services that you may have running on the primary network interface. Then stop any services that you may have running on the secondary network interface. In the 'Network' System Prefpane remove the IP number from the secondary interface then deactivate the secondary network interface.
Assign the private IP address and hostname that you wish to use for the replica to the primary network interface. Assign the 'public' IP number to the secondary interface. Check the DNS to see that the IP address and hostname for the primary network interface resolve both forward and reverse for the hostname of the replica that you have chosen. If it does not, fix your DNS before proceeding.
In the 'Sharing' System Prefpane, change the name of the machine to the hostname (server.domain.tld) of the replica that you have chosen. Then use 'changeip -checkhostname' to see if the IP/hostname matches. Fix it if it doesn't.
Then configure the /etc/sshd_config file on the OD master like this:
\# Authentication:
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication no
and the /etc/ssh_config file on the OD replica like this:
PasswordAuthentication yes
PubkeyAuthentication no
Then from the OD replica as the 'root' user issue:
slapconfig -createreplica <ODMasterIPorFQDN> <diradmin user>
Make sure that the 'diradmin' user's password contains only alpha-numeric characters -no 'option-characters' or symbols, change it first if it does. Once the process completes, reactivate the secondary interface for the 'public' IP and check the configuration of services that will be using that IP, then start your other services. Secure the 'ssh' service on both machines to disable password authentication and 'root' logins. -
How to set permissions IN Open Directory USING Open Directory groups?
Hi all,
Apologies if I've missed this but have been searching for two days trying to figure out how to delegate permissions within the OD to a number of different OD groups and i can't seem to find any way to do this either at the command line or with WGM.
Examples: an OD group containing those who will manage the full directory need to have permissions on all containers, child objects, and their attributes in the directory. For this one in particular I seem to be able to nest a group in the default Admin group, but this isn't really what i'm after. I need to create OD groups with the ability only to manipulate objects of class apple-computer and similarly, apple-user (really all inetOrgPerson objects). In a nutshell: how do i set permissions on specific attributes or object classes using OD groups?
thanks for any pointers...
-andrewI think i just answered my own question: Open Directory is OpenLDAP. slapd is all i need.
-
Moving Mail Users from a Local Directory to Open Directory
Hi,
We have been running a standalone mail server for a few years. We have recently upgraded to 10.5 for all of our servers. We have also been running an Open Directory server for the last year or so. Now I am trying to move my email users from the Local Directory on the Mail server to the LDAP server. Obviously we do not want to change account names, so I find I need to delete the local user and then enable the user through the LDAP. This works fine, but I need to bring the original IMAP files/folders forward.
My question is what is the best practice? I thought backing up the Mail folder in each user's Library and reimporting it would work, but it won't take the IMAP mbox (I can see all the .emlx files in the backup of the user's Mail folder).
So again, I had a user called user1 in my mail server Local directory say server1. I also have an Open Directory server2 with the same username on it. I have bound server1 to server2. I can see the server2 (OD) accounts on the server1 (mail). I then need to delete user1 from Local server1 directory in order to enable mail to user1 from the OD. This does work, but again, I need bring the mail files/folders to the new OD account on server1.
thanks,
mikeTony,
Let me check of the migration manual, thank you!
I really thought this was going to easier than this. The current accounts are IMAP, and therefore when I "hook up" the new OD account, which doesn't really need anything done on the client side because it is the same username and password and server as the current Local account. When it syncs, the old emails on the IMAP account in the user's Mail program clear since the new OD account is empty on the server.
I just really thought duplicating the Mail folder in the client's home Library would allow me to import the emails back in. I have tried highlighting the mailboxes (Inbox, and personal folders), archiving them, and then reimporting seemed to work, but I need to beat it up before I start working on live accounts. One account I did try lets me read the emails from the user, but when I try dragging them to the IMAP folders from the import folder, I get a NULL character problem on IMAP append error. NOT to chase that, but it was something else that tripped me up.
You do bring up a good point, I think the accounts were originally setup as POP and IMAP. I'll chase some ideas about that.
Let me play around, you've been great considering my awful explanation of this different situation.
thanks again,
mike -
Open Directory Master creation failure.
I am running into consistent Failures while attempting to setup Open Directory Master on 10.8 server. It seems to fail in creating an Intermidiary CA and suggests there is already one. I have combed Keychain for, and removed any entires that refer to the suggested cert. Yet I am still unable to get this OD Master up and running. Here's the log files:
2012-09-10 18:49:05 +0000 Success. Master creation is possible.
2012-09-10 18:49:12 +0000 Success. Master creation is possible.
2012-09-10 18:49:13 +0000 slapconfig -createldapmasterandadmin
2012-09-10 18:49:13 +0000 command: /usr/bin/sntp -s time.apple.com.
2012-09-10 18:49:29 +0000 Success. Master creation is possible.
2012-09-10 18:49:29 +0000 Starting LDAP server (slapd)
2012-09-10 18:49:29 +0000 Waiting for slapd to start
2012-09-10 18:49:31 +0000 slapd started
2012-09-10 18:49:31 +0000 command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-10 18:49:46 +0000 command: /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
2012-09-10 18:49:46 +0000 Stopping LDAP server (slapd)
2012-09-10 18:49:54 +0000 Starting LDAP server (slapd)
2012-09-10 18:49:54 +0000 Waiting for slapd to start
2012-09-10 18:49:54 +0000 slapd started
2012-09-10 18:49:54 +0000 Save of LDAP configuration failed with error 2100
2012-09-10 18:49:54 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-10 18:49:54 +0000 adding new entry "olcOverlay=unique,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=nestedgroup,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay={0}odusers,olcDatabase={-1}frontend,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}bdb,cn=config"
2012-09-10 18:49:54 +0000 command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-10 18:49:54 +0000 adding new entry "cn={9}customSchema,cn=schema,cn=config"
2012-09-10 18:49:54 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-10 18:49:55 +0000 command: /usr/bin/ldapsearch -x -LLL -H ldapi://%2Fvar%2Frun%2Fldapi -b cn=config -s base olcServerID
2012-09-10 18:49:55 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-10 18:49:55 +0000 Setting SASL realm to <DANDYBOX.NET>
2012-09-10 18:49:55 +0000 command: /usr/sbin/mkpassdb -setrealm DANDYBOX.NET
2012-09-10 18:49:55 +0000 command: /usr/sbin/mkpassdb -o -u diradmin -p -q
2012-09-10 18:49:56 +0000
2012-09-10 18:49:56 +0000 command: /usr/sbin/mkpassdb -setadmin 0x4fff1e36fb7811e1bd063c07545a924d 0
2012-09-10 18:49:57 +0000 Admin's entry UUID is: 77bfb2d2-4884-4303-a9b6-c1d39758ab9b
2012-09-10 18:49:57 +0000 Starting password server
2012-09-10 18:49:58 +0000 Stopping LDAP server (slapd)
2012-09-10 18:50:01 +0000 Starting LDAP server (slapd)
2012-09-10 18:50:01 +0000 Waiting for slapd to start
2012-09-10 18:50:01 +0000 slapd started
2012-09-10 18:50:01 +0000 Configuring Kerberos server, realm is DANDYBOX.NET
2012-09-10 18:50:01 +0000 command: /usr/sbin/kdcsetup -a diradmin -p **** -v 1 DANDYBOX.NET
2012-09-10 18:50:06 +0000 Opening ldapi connection to the LDAP user data
Opening ldapi connection to the LDAP auth data
Creating KDC for OD Master
Creating Kerberos directory
Creating KDC Config File
Creating Kerberos ACL file
Adding KDC config data to the KerberosKDC config record
Adding KDC config data to the KerberosClient config record
Creating KDC database
Using existing master key file
Creating Kerberos principal for 'diradmin'
Creating Kerberos auth authority for 'diradmin'
Creating Kerberos alt security identity for 'diradmin'
Successfully created KDC for OD Master
2012-09-10 18:50:06 +0000 command: /usr/sbin/sso_util configure -x -r DANDYBOX.NET -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -a diradmin -p **** -v 1 all
2012-09-10 18:50:06 +0000 command: /usr/sbin/mkpassdb -kerberize
2012-09-10 18:50:08 +0000 Updating user records and principals
2012-09-10 18:50:25 +0000 Asking OpenDirectoryConfig to bind to server: 127.0.0.1
2012-09-10 18:50:27 +0000 Attempting to open /LDAPv3/127.0.0.1 node
2012-09-10 18:50:27 +0000 Verified /LDAPv3/127.0.0.1 node is available
2012-09-10 18:50:29 +0000 command: /usr/sbin/sso_util info -r /LDAPv3/127.0.0.1 -p
2012-09-10 18:50:30 +0000 Creating root CA with DandyBox Open Directory Certification Authority
2012-09-10 18:50:32 +0000 Creating intermediate CA with IntermediateCA_DANDYBOX.NET_1
2012-09-10 18:50:32 +0000 ***Error creating intermediate CA. Error - The specified item already exists in the keychain.
2012-09-10 18:50:32 +0000 Intermediate CA creation failed with error - -25299
2012-09-10 18:50:32 +0000 Destroying OD master as CA creation failed with error 75
2012-09-10 18:50:32 +0000 Logging slapd container data to /var/run/slapconfig_error_1347303032
2012-09-10 18:50:32 +0000 Stopping LDAP server (slapd)
2012-09-10 18:50:34 +0000 command: /usr/sbin/slapcat -l /var/run/slapconfig_error_1347303032/user.ldif
2012-09-10 18:50:34 +0000 command: /usr/sbin/slapcat -b cn=authdata -l /var/run/slapconfig_error_1347303032/authdata.ldif
2012-09-10 18:50:34 +0000 Error retrieving kerberos realm
2012-09-10 18:50:34 +0000 CopyReplicaArray: ldap_search_ext_s failed
2012-09-10 18:50:34 +0000 Error retrieving replica array
2012-09-10 18:50:34 +0000 Deleting Cert Authority related data
2012-09-10 18:50:34 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/DandyBox Open Directory Certification Authority.
2012-09-10 18:50:35 +0000 No intCAIdentity, not removing int CA from keychain
2012-09-10 18:50:35 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
2012-09-10 18:50:35 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
2012-09-10 18:50:35 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
2012-09-10 18:50:35 +0000 void _destroyLDAPServer(const char *): Failed to find computer record named dandybox.net$: 2100 Connection failed to the directory server.
2012-09-10 18:50:35 +0000 Updating ldapreplicas on primary master
2012-09-10 18:50:35 +0000 CopyPrimaryMaster: CopyLdapReplicas failed
2012-09-10 18:50:35 +0000 Unable to locate primary master
2012-09-10 18:50:35 +0000 Primary master node is nil!
2012-09-10 18:50:35 +0000 Unable to locate ldapreplicas record: 0 (null)
2012-09-10 18:50:35 +0000 Error setting read ldap replicas array: 0 (null)
2012-09-10 18:50:35 +0000 Error setting write ldap replicas array: 0 (null)
2012-09-10 18:50:35 +0000 ODRecord *_getODRecord(ODNode *, NSString *, NSString *, NSArray *): ODNodeRef parameter error
2012-09-10 18:50:35 +0000 int _removeReplicaFromConfigRecord(ODNode *, NSString *): ODRecord not found
2012-09-10 18:50:35 +0000 Error synchronizing ldapreplicas: 0 (null)
2012-09-10 18:50:35 +0000 Removing self from the database
2012-09-10 18:50:35 +0000 Warning: An error occurred while re-enabling GSSAPI.
2012-09-10 18:50:35 +0000 Stopping LDAP server (slapd)
2012-09-10 18:50:35 +0000 Stopping password server
2012-09-10 18:50:36 +0000 cleanKeytab: unable to retrieve default realm
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/alock.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2012-09-10 18:50:36 +0000 Removed directory at path /var/db/openldap/authdata.
2012-09-10 18:50:36 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2012-09-10 18:50:36 +0000 Removed file at path /etc/openldap/slapd.conf.
2012-09-10 18:50:36 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist.
2012-09-10 18:50:36 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2012-09-10 18:50:36 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2012-09-10 18:50:36 +0000 Removed directory at path /etc/openldap/slapd.d.
2012-09-10 18:50:36 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2012-09-10 18:50:36 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2012-09-10 18:50:36 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2012-09-10 18:50:36 +0000 Stopping password server
2012-09-10 18:50:36 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.
2012-09-10 18:50:36 +0000 Removed file at path /var/run/slapconfig.lock.
2012-09-10 18:53:43 +0000 Success. Master creation is possible.
2012-09-10 18:53:49 +0000 Success. Master creation is possible.
2012-09-10 18:53:51 +0000 slapconfig -createldapmasterandadmin
2012-09-10 18:53:51 +0000 command: /usr/bin/sntp -s time.apple.com.
2012-09-10 18:53:51 +0000 Success. Master creation is possible.
2012-09-10 18:53:51 +0000 Starting LDAP server (slapd)
2012-09-10 18:53:51 +0000 Waiting for slapd to start
2012-09-10 18:53:53 +0000 slapd started
2012-09-10 18:53:53 +0000 command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-10 18:54:06 +0000 command: /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
2012-09-10 18:54:07 +0000 Stopping LDAP server (slapd)
2012-09-10 18:54:16 +0000 Starting LDAP server (slapd)
2012-09-10 18:54:16 +0000 Waiting for slapd to start
2012-09-10 18:54:16 +0000 slapd started
2012-09-10 18:54:16 +0000 Save of LDAP configuration failed with error 2100
2012-09-10 18:54:16 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-10 18:54:16 +0000 adding new entry "olcOverlay=unique,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=nestedgroup,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay={0}odusers,olcDatabase={-1}frontend,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}bdb,cn=config"
2012-09-10 18:54:16 +0000 command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-10 18:54:16 +0000 adding new entry "cn={9}customSchema,cn=schema,cn=config"
2012-09-10 18:54:16 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-10 18:54:16 +0000 command: /usr/bin/ldapsearch -x -LLL -H ldapi://%2Fvar%2Frun%2Fldapi -b cn=config -s base olcServerID
2012-09-10 18:54:16 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-10 18:54:16 +0000 Setting SASL realm to <DANDYBOX.NET>
2012-09-10 18:54:16 +0000 command: /usr/sbin/mkpassdb -setrealm DANDYBOX.NET
2012-09-10 18:54:17 +0000 command: /usr/sbin/mkpassdb -o -u diradmin -p -q
2012-09-10 18:54:18 +0000
2012-09-10 18:54:18 +0000 command: /usr/sbin/mkpassdb -setadmin 0xebf131c6fb7811e188913c07545a924d 0
2012-09-10 18:54:18 +0000 Admin's entry UUID is: dd9b2d61-725e-4e55-9692-844e7d923f90
2012-09-10 18:54:18 +0000 Starting password server
2012-09-10 18:54:19 +0000 Stopping LDAP server (slapd)
2012-09-10 18:54:22 +0000 Starting LDAP server (slapd)
2012-09-10 18:54:22 +0000 Waiting for slapd to start
2012-09-10 18:54:22 +0000 slapd started
2012-09-10 18:54:22 +0000 Configuring Kerberos server, realm is DANDYBOX.NET
2012-09-10 18:54:22 +0000 command: /usr/sbin/kdcsetup -a diradmin -p **** -v 1 DANDYBOX.NET
2012-09-10 18:54:27 +0000 Opening ldapi connection to the LDAP user data
Opening ldapi connection to the LDAP auth data
Creating KDC for OD Master
Creating Kerberos directory
Creating KDC Config File
Creating Kerberos ACL file
Adding KDC config data to the KerberosKDC config record
Adding KDC config data to the KerberosClient config record
Creating KDC database
Using existing master key file
Creating Kerberos principal for 'diradmin'
Creating Kerberos auth authority for 'diradmin'
Creating Kerberos alt security identity for 'diradmin'
Successfully created KDC for OD Master
2012-09-10 18:54:27 +0000 command: /usr/sbin/sso_util configure -x -r DANDYBOX.NET -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -a diradmin -p **** -v 1 all
2012-09-10 18:54:27 +0000 command: /usr/sbin/mkpassdb -kerberize
2012-09-10 18:54:29 +0000 Updating user records and principals
2012-09-10 18:54:52 +0000 Asking OpenDirectoryConfig to bind to server: 127.0.0.1
2012-09-10 18:54:55 +0000 Attempting to open /LDAPv3/127.0.0.1 node
2012-09-10 18:54:55 +0000 Verified /LDAPv3/127.0.0.1 node is available
2012-09-10 18:54:57 +0000 command: /usr/sbin/sso_util info -r /LDAPv3/127.0.0.1 -p
2012-09-10 18:54:58 +0000 Creating root CA with DandyBox Open Directory Certification Authority
2012-09-10 18:55:00 +0000 Creating intermediate CA with IntermediateCA_DANDYBOX.NET_1
2012-09-10 18:55:00 +0000 ***Error creating intermediate CA. Error - The specified item already exists in the keychain.
2012-09-10 18:55:00 +0000 Intermediate CA creation failed with error - -25299
2012-09-10 18:55:00 +0000 Destroying OD master as CA creation failed with error 75
2012-09-10 18:55:00 +0000 Logging slapd container data to /var/run/slapconfig_error_1347303300
2012-09-10 18:55:00 +0000 Stopping LDAP server (slapd)
2012-09-10 18:55:03 +0000 command: /usr/sbin/slapcat -l /var/run/slapconfig_error_1347303300/user.ldif
2012-09-10 18:55:03 +0000 command: /usr/sbin/slapcat -b cn=authdata -l /var/run/slapconfig_error_1347303300/authdata.ldif
2012-09-10 18:55:03 +0000 Error retrieving kerberos realm
2012-09-10 18:55:03 +0000 CopyReplicaArray: ldap_search_ext_s failed
2012-09-10 18:55:03 +0000 Error retrieving replica array
2012-09-10 18:55:03 +0000 Deleting Cert Authority related data
2012-09-10 18:55:03 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/DandyBox Open Directory Certification Authority.
2012-09-10 18:55:03 +0000 No intCAIdentity, not removing int CA from keychain
2012-09-10 18:55:03 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
2012-09-10 18:55:03 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
2012-09-10 18:55:03 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
2012-09-10 18:55:03 +0000 void _destroyLDAPServer(const char *): Failed to find computer record named dandybox.net$: 2100 Connection failed to the directory server.
2012-09-10 18:55:03 +0000 Updating ldapreplicas on primary master
2012-09-10 18:55:03 +0000 CopyPrimaryMaster: CopyLdapReplicas failed
2012-09-10 18:55:03 +0000 Unable to locate primary master
2012-09-10 18:55:03 +0000 Primary master node is nil!
2012-09-10 18:55:03 +0000 Unable to locate ldapreplicas record: 0 (null)
2012-09-10 18:55:03 +0000 Error setting read ldap replicas array: 0 (null)
2012-09-10 18:55:03 +0000 Error setting write ldap replicas array: 0 (null)
2012-09-10 18:55:03 +0000 ODRecord *_getODRecord(ODNode *, NSString *, NSString *, NSArray *): ODNodeRef parameter error
2012-09-10 18:55:03 +0000 int _removeReplicaFromConfigRecord(ODNode *, NSString *): ODRecord not found
2012-09-10 18:55:03 +0000 Error synchronizing ldapreplicas: 0 (null)
2012-09-10 18:55:03 +0000 Removing self from the database
2012-09-10 18:55:03 +0000 Warning: An error occurred while re-enabling GSSAPI.
2012-09-10 18:55:03 +0000 Stopping LDAP server (slapd)
2012-09-10 18:55:03 +0000 Stopping password server
2012-09-10 18:55:04 +0000 cleanKeytab: unable to retrieve default realm
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/alock.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2012-09-10 18:55:04 +0000 Removed directory at path /var/db/openldap/authdata.
2012-09-10 18:55:04 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2012-09-10 18:55:04 +0000 Removed file at path /etc/openldap/slapd.conf.
2012-09-10 18:55:04 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist.
2012-09-10 18:55:04 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2012-09-10 18:55:04 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2012-09-10 18:55:04 +0000 Removed directory at path /etc/openldap/slapd.d.
2012-09-10 18:55:04 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2012-09-10 18:55:04 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2012-09-10 18:55:04 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2012-09-10 18:55:05 +0000 Stopping password server
2012-09-10 18:55:05 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.
2012-09-10 18:55:05 +0000 Removed file at path /var/run/slapconfig.lock.
Any help would be much apreciated!new problem. here's the output of the config log:
2012-09-11 00:21:04 +0000 slapconfig -backupdb
2012-09-11 00:21:04 +0000 command: /usr/sbin/sso_util info -r /LDAPv3/127.0.0.1 -p
2012-09-11 00:21:04 +0000 1 Backing up LDAP database
2012-09-11 00:21:04 +0000 popen: /usr/sbin/slapcat -l /tmp/slapconfig_backup_stage17861ihVwZK/backup.ldif, "r"
2012-09-11 00:21:04 +0000 popen: /usr/sbin/slapcat -b cn=authdata -l /tmp/slapconfig_backup_stage17861ihVwZK/authdata.ldif, "r"
2012-09-11 00:21:04 +0000 popen: /bin/cp /var/db/openldap/openldap-data/DB_CONFIG /tmp/slapconfig_backup_stage17861ihVwZK/DB_CONFIG, "r"
2012-09-11 00:21:04 +0000 popen: /bin/cp /var/db/openldap/authdata//DB_CONFIG /tmp/slapconfig_backup_stage17861ihVwZK/authdata_DB_CONFIG, "r"
2012-09-11 00:21:04 +0000 popen: /bin/cp -r /etc/openldap /tmp/slapconfig_backup_stage17861ihVwZK/, "r"
2012-09-11 00:21:04 +0000 popen: /usr/sbin/mkpassdb -list > /tmp/slapconfig_backup_stage17861ihVwZK/sasl-plugin-list, "r"
2012-09-11 00:21:05 +0000 popen: /bin/hostname > /tmp/slapconfig_backup_stage17861ihVwZK/hostname, "r"
2012-09-11 00:21:05 +0000 popen: /usr/sbin/sso_util info -pr /LDAPv3/127.0.0.1 > /tmp/slapconfig_backup_stage17861ihVwZK/local_odkrb5realm, "r"
2012-09-11 00:21:05 +0000 2 Backing up Kerberos database
2012-09-11 00:21:05 +0000 popen: /usr/bin/tar czpf /tmp/slapconfig_backup_stage17861ihVwZK/krb5backup.tar.gz /var/db/krb5kdc/kdc.conf /var/db/krb5kdc/acl_file.* /var/db/krb5kdc/m_key.* /etc/krb5.keytab , "r"
2012-09-11 00:21:05 +0000 popen: /bin/cp /var/db/dslocal/nodes/Default/config/KerberosKDC.plist /tmp/slapconfig_backup_stage17861ihVwZK/KerberosKDC.plist, "r"
2012-09-11 00:21:05 +0000 3 Backing up configuration files
2012-09-11 00:21:05 +0000 popen: /bin/cp /Library/Preferences/com.apple.openldap.plist /tmp/slapconfig_backup_stage17861ihVwZK/, "r"
2012-09-11 00:21:05 +0000 popen: /usr/bin/sw_vers > /tmp/slapconfig_backup_stage17861ihVwZK/version.txt, "r"
2012-09-11 00:21:05 +0000 popen: /bin/cp -r /var/db/dslocal /tmp/slapconfig_backup_stage17861ihVwZK/, "r"
2012-09-11 00:21:05 +0000 Backed Up Keychain
2012-09-11 00:21:05 +0000 4 Backing up CA certificates
2012-09-11 00:21:05 +0000 Failed to backup CA data as Root/ Intermediate CA were not found
2012-09-11 00:21:05 +0000 5 Creating archive
2012-09-11 00:21:05 +0000 command: /usr/bin/hdiutil create -ov -plist -puppetstrings -layout UNIVERSAL CD -fs HFS+ -volname ldap_bk -srcfolder /tmp/slapconfig_backup_stage17861ihVwZK -format SPARSE /var/backups/ServerBackup_OpenDirectoryMaster
2012-09-11 00:21:14 +0000 Removed directory at path /tmp/slapconfig_backup_stage17861ihVwZK.
2012-09-11 00:21:14 +0000 Removed file at path /var/run/slapconfig.lock.
2012-09-11 00:26:03 +0000 slapconfig -updateaddresses
2012-09-11 00:26:04 +0000 _updateaddresses: successfully completed
2012-09-11 00:26:54 +0000 slapconfig -updateaddresses
2012-09-11 00:26:55 +0000 _updateaddresses: successfully completed
2012-09-11 00:27:34 +0000 slapconfig -updateaddresses
2012-09-11 00:27:35 +0000 _updateaddresses: successfully completed
2012-09-11 00:29:33 +0000 slapconfig -updateaddresses
2012-09-11 00:29:34 +0000 _updateaddresses: successfully completed
2012-09-11 01:40:20 +0000 Migrating OD master
2012-09-11 01:40:20 +0000 Removed file at path /Volumes/Server HD/var/db/openldap/openldap-data/DB_CONFIG.example.
2012-09-11 01:40:20 +0000 /private/var/db/openldap not preserved from previous system. Nothing to upgrade.
2012-09-11 01:40:20 +0000 Removed file at path /Volumes/Server HD/Library/Preferences/com.apple.openldap.plist.
2012-09-11 16:25:30 +0000 Success. Master creation is possible.
2012-09-11 16:25:36 +0000 Success. Master creation is possible.
2012-09-11 16:25:38 +0000 slapconfig -createldapmasterandadmin
2012-09-11 16:25:38 +0000 command: /usr/bin/sntp -s time.apple.com.
2012-09-11 16:25:38 +0000 Success. Master creation is possible.
2012-09-11 16:25:38 +0000 Starting LDAP server (slapd)
2012-09-11 16:25:38 +0000 Waiting for slapd to start
2012-09-11 16:25:41 +0000 slapd started
2012-09-11 16:25:41 +0000 command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-11 16:25:58 +0000 command: /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
2012-09-11 16:25:58 +0000 Stopping LDAP server (slapd)
2012-09-11 16:26:06 +0000 Starting LDAP server (slapd)
2012-09-11 16:26:06 +0000 Waiting for slapd to start
2012-09-11 16:26:06 +0000 slapd started
2012-09-11 16:26:06 +0000 Save of LDAP configuration failed with error 2100
2012-09-11 16:26:06 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-11 16:26:06 +0000 adding new entry "olcOverlay=unique,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=dynid,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=nestedgroup,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay={0}odusers,olcDatabase={-1}frontend,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={1}bdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}bdb,cn=config"
2012-09-11 16:26:06 +0000 command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-11 16:26:06 +0000 adding new entry "cn={9}customSchema,cn=schema,cn=config"
2012-09-11 16:26:06 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-11 16:26:06 +0000 command: /usr/bin/ldapsearch -x -LLL -H ldapi://%2Fvar%2Frun%2Fldapi -b cn=config -s base olcServerID
2012-09-11 16:26:07 +0000 command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2012-09-11 16:26:07 +0000 Setting SASL realm to <SERVIN.DANDYBOX.NET>
2012-09-11 16:26:07 +0000 command: /usr/sbin/mkpassdb -setrealm SERVIN.DANDYBOX.NET
2012-09-11 16:26:07 +0000 command: /usr/sbin/mkpassdb -o -u diradmin -p -q
2012-09-11 16:26:08 +0000
2012-09-11 16:26:09 +0000 command: /usr/sbin/mkpassdb -setadmin 0x63c3d88efc2d11e1b45a3c07545a924d 0
2012-09-11 16:26:09 +0000 Admin's entry UUID is: d407cf7d-b3df-43bf-bc65-f6a3321fb30f
2012-09-11 16:26:09 +0000 Starting password server
2012-09-11 16:26:10 +0000 Stopping LDAP server (slapd)
2012-09-11 16:26:13 +0000 Starting LDAP server (slapd)
2012-09-11 16:26:13 +0000 Waiting for slapd to start
2012-09-11 16:26:13 +0000 slapd started
2012-09-11 16:26:13 +0000 dsproxy group already exists, reusing
2012-09-11 16:26:13 +0000 Configuring Kerberos server, realm is SERVIN.DANDYBOX.NET
2012-09-11 16:26:13 +0000 command: /usr/sbin/kdcsetup -a diradmin -p **** -v 1 SERVIN.DANDYBOX.NET
2012-09-11 16:26:19 +0000 Opening ldapi connection to the LDAP user data
Opening ldapi connection to the LDAP auth data
Creating KDC for OD Master
Creating Kerberos directory
Creating KDC Config File
Creating Kerberos ACL file
Adding KDC config data to the KerberosKDC config record
Adding KDC config data to the KerberosClient config record
Creating KDC database
Creating new random master key
Creating Kerberos principal for 'diradmin'
Creating Kerberos auth authority for 'diradmin'
Creating Kerberos alt security identity for 'diradmin'
Successfully created KDC for OD Master
2012-09-11 16:26:19 +0000 command: /usr/sbin/sso_util configure -x -r SERVIN.DANDYBOX.NET -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -a diradmin -p **** -v 1 all
2012-09-11 16:26:20 +0000 command: /usr/sbin/mkpassdb -kerberize
2012-09-11 16:26:22 +0000 Updating user records and principals
2012-09-11 16:26:42 +0000 Asking OpenDirectoryConfig to bind to server: 127.0.0.1
2012-09-11 16:26:42 +0000 Could not bind - The operation couldn\u2019t be completed. (com.apple.OpenDirectory error 4102.)
2012-09-11 16:26:42 +0000 Logging slapd container data to /var/run/slapconfig_error_1347380802
2012-09-11 16:26:42 +0000 Stopping LDAP server (slapd)
2012-09-11 16:26:46 +0000 command: /usr/sbin/slapcat -l /var/run/slapconfig_error_1347380802/user.ldif
2012-09-11 16:26:46 +0000 command: /usr/sbin/slapcat -b cn=authdata -l /var/run/slapconfig_error_1347380802/authdata.ldif
2012-09-11 16:26:46 +0000 Error retrieving kerberos realm
2012-09-11 16:26:46 +0000 CopyReplicaArray: ldap_search_ext_s failed
2012-09-11 16:26:46 +0000 Error retrieving replica array
2012-09-11 16:26:46 +0000 Deleting Cert Authority related data
2012-09-11 16:26:46 +0000 No intCAIdentity, not removing int CA from keychain
2012-09-11 16:26:46 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
2012-09-11 16:26:46 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
2012-09-11 16:26:46 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
2012-09-11 16:26:46 +0000 void _destroyLDAPServer(const char *): Failed to find computer record named servin.dandybox.net$: 2100 Connection failed to the directory server.
2012-09-11 16:26:46 +0000 Updating ldapreplicas on primary master
2012-09-11 16:26:46 +0000 CopyPrimaryMaster: CopyLdapReplicas failed
2012-09-11 16:26:46 +0000 Unable to locate primary master
2012-09-11 16:26:46 +0000 Primary master node is nil!
2012-09-11 16:26:46 +0000 Unable to locate ldapreplicas record: 0 (null)
2012-09-11 16:26:46 +0000 Error setting read ldap replicas array: 0 (null)
2012-09-11 16:26:46 +0000 Error setting write ldap replicas array: 0 (null)
2012-09-11 16:26:46 +0000 ODRecord *_getODRecord(ODNode *, NSString *, NSString *, NSArray *): ODNodeRef parameter error
2012-09-11 16:26:46 +0000 int _removeReplicaFromConfigRecord(ODNode *, NSString *): ODRecord not found
2012-09-11 16:26:46 +0000 Error synchronizing ldapreplicas: 0 (null)
2012-09-11 16:26:46 +0000 Removing self from the database
2012-09-11 16:26:46 +0000 Stopping LDAP server (slapd)
2012-09-11 16:26:46 +0000 Stopping password server
2012-09-11 16:26:47 +0000 cleanKeytab: unable to retrieve default realm
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/alock.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2012-09-11 16:26:47 +0000 Removed directory at path /var/db/openldap/authdata.
2012-09-11 16:26:47 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2012-09-11 16:26:47 +0000 Removed file at path /etc/openldap/slapd.conf.
2012-09-11 16:26:47 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist.
2012-09-11 16:26:47 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2012-09-11 16:26:47 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2012-09-11 16:26:47 +0000 Removed directory at path /etc/openldap/slapd.d.
2012-09-11 16:26:47 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2012-09-11 16:26:47 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2012-09-11 16:26:47 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2012-09-11 16:26:47 +0000 Stopping password server
2012-09-11 16:26:48 +0000 Removed file at path /etc/ntp_opendirectory.conf.
2012-09-11 16:26:48 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.
2012-09-11 16:26:48 +0000 Removed file at path /var/run/slapconfig.lock.
Thanks again for any help. DNS is correct, certs are not present, using FQDN.
Maybe you are looking for
-
I keep getting an error message that reads Attempting to copy to the disk "IPOD" failed. The disk could not be read from or written to. can someone help me fix this I only have 40 songs on the Ipod and 353 in my itunes
-
Apple Video Trailers not working/Memory Hog
Hello, When I go to apple.com/trailers, the trailers do not display I keep seeing that grey wheel turn endlessly. When I try to view it in Firefox, it works perfectly fine. Anyone know why Safari would be doing this? Another issue that I have is that
-
Question on service userid - for RFC call
Hi In XI 3.0 SP18 , we are making a RFC call from XI mapping runtime - to XI's ABAP stack - RFC function module . In the RFC receiver communication channel , I tried using service user XIISUSER , XIAPPLUSER for this RFC call - I got short dumps on
-
hello all, I am trying to fix the code below. For some reason the code hangs at "Starting waits...". I have no clue what is going on. I can only see the "Finish lines" after I comment the preceding waitFor();. Obviosly if I remove these waitFor(), th
-
I just installed new updates for Mavericks, not the OS itself, just the automatic updates. Now my airplay won't mirror from my computer. It will not allow me to change from "extend desktop" to "mirror". I am getting sound on my TV from whatever I am