Open Directory Problem

Similar Messages

• Can't complete initial setup - Open Directory problems

  "Easy to set up, easy to run" my big ***. On initial bootup, the automatic setup failed. "There may be a problem with the Open Directory." A few days later, it was suddenly working. So I set up and enjoyed one, count em, one user account. Then it stopped working again. I can't set up a Group. I can't use Workgroup Manager successfully, either. The whole server has been one big mess of fail.
  Is this a common problem? Is there a fix? A workaround? Do I need to take this thing back??

  Check this site out for starters
  http://www.wazmac.com/serversnetwork/fileservers/osxserversetup/index.htm
  It's not just for schools, and it offers a lot of info on setting up OS X server.
  It is possible that there is some hardware problem, but it's more likely that you need to setup the server correctly. If you're not familiar with OS X Server, it's not necessarily easy.

• Initial setup and Open Directory problem

  Hi,
  I'm new to the MAC OS X server system and trying to get one up and running on a G5.
  Unfortunately I can’t get the configuration up and running, and I have the feeling it already goes wrong during the initial setup. I was hoping you guys could help me out.
  The purpose of the server is providing network user accounts (DNS + Open Dir.) and providing sharepoints.
  I go trough following steps while installing from scratch:
  - Install MAC OS X and run the Server install package from the OS X Server DVD (as you know, OSX Server is'n installing directly on G5)
  - Choose keyboard layout, enter license and create an account "admin"
  - Define static IP "192.168.1.1", add this IP as the first in the list of DNS Servers, add "company.local" in the search domain
  - Install as a standalone server (so I can configure dns & other network services after basic setup)
  - Check "network time server" (so time will be synced for Kerberos)
  - Proceed, install and reboot
  OSX Server seems to be installed fine and I can login with "admin". Next step I take is configuring DNS.
  - create a zone "companyname.local.", use my IP as server address (192.168.1.1) and use "server" as the server name.
  - add a machine record for DNS-testing (called "gateway", with the IP of "192.168.1.254")
  Start the DNS service and reboot
  - perform an nslookup with a second MAC with 192.168.1.1 as the nameserver and verify that DNS is resolving correctly.
  DNS seems to be working fine, now I would like to get the Open Directory service to work:
  - change "Standalone" to "Open directory master" in the server configuration panel
  - provide a password for the directory admin
  - use "SERVER.COMPANYNAME.LOCAL" as kerberos realm, and "dc=server,dc=companyname,dc=local" as the search base
  - Save & start the service and perform a reboot to be sure all the new settings are in use
  Unfortunately after this install open directory doesn't seem to work fine and also Kerberos doesn't start.
  Concerning Kerberos: I get following output in the "Slapconfig log" Open Directory log file:
  Starting LDAP server (slapd)
  command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=maggie,dc=interesourcegroup,dc=local -w **
  Hostname server.companyname.local is from Rendezvous
  Skipping Kerberos configuration
  Sorry to bother you with the entire walkthrough of the installation, but I have the feeling that I'm missing something while performing the basic install or DNS setup .. ?
  Regards,
  Seppe
  G5 Mac OS X (10.4.6) /

  We currently have a static IP and a public dns hosted
  by MediaTemple, so I think I can create a subdomain
  on MediaTemple and link it to our fixed IP address
  ("private.companyname.com" >> static ip) instead of
  using dydns.. ?
  Of course.
  I suppose I can then use "private.companyname.com" as
  the zone name on my G5 server and use
  "server.private.companyname.com" for my local DNS?
  Sounds reasonable.
  If using this DNS, what will be the Kerberos REALM
  and Search Base? And do I still need to specify
  private.companyname.com as the Search Base in the
  Network Settings of the clients and server?
  Well, REALM and LDAP Search Base can set to whatever you like. On the other hand I've seen tools contacting kerberos servers break when the REALM is not part of the kerberos server fqdn.
  So I'd stick with the usual recomandations and set kerberos REALM to your domain name (if there is no other kerberos server alread running and using this).
  For the LDAP search domain I'd also follow the road of using domain name space as search base.
  When dns will finally be setup properly, these setting will be autopopulated for you in the GUI. So test, test, test you dns with
  host $ip and host $fqdn and then go on promoting "Standalone Server" to "Open Directory Master".
  HTH
  -Ralph

• Server 3 / SSL Certificate / Open Directory - Problem!

  We've updated from Server 2 to Server 3 / OS X 10.9.
  We have an SSL certificate for server from Comodo.
  Under Server 2, all worked just fine, with the SSL certificate being used to secure all services (configure via Server app).
  Under Server 3, all works just fine, but Open Directory will not accept certificate - so Certificates / Settings in Server 3 app shows "Custom Configuration" for Settings - and on inspecting this it is because Open Directory set to be not secured but everything else is using SSL.
  I've tried setting the Open Directory to use the SSL, but when ever I do it simply bounces back to being unsecured.
  Does this matter?  Presumably it should be possible (as the standard setting appears to try and set Open Directory to use the SSL certificate), but not sure whether trying to fix is simply a fools errand.
  Anyone got any clues as to whether to fix or not, and if to fix, how?
  Thanks in advance.

  Have you check to see that the certificate is indeed "Trusted" by your server?
  Above, you stated that they're in the etc/certificates folder, but that doesn't mean that the server likes them.  You can create a "Self Signed" Certificate and still have certificates in there.  That doesn't mean that anyone else on the planet has to trust them.
  Open Keychain Access in your utilities folder.  Depending on how you have it configured, you may have to look around to find the certificate in question.  It may be under login, or System. 
  When you select your Certificate, if it's there, does it show as trusted?
  Another thing you can check...  Often times Certificate authories, use Intermdeiate certificates.  Since anyone can sell a certificate, in order to have it trusted, you need to have it signed by someone else.  A good example is Godaddy.  They sell both SSL and Code signing certificates of all flavours.  In order to get them to be trusted, the "Intermediate Certificate" needs to also be installed in the keychain.  My Godaddy cert looks to be trusted by Verisign via an intermediate.
  Have a look here...  https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid =1182
  Not sure if it's directly relevant, but there it is.
  The point is, I think you need to verify that your certificate is trusted by your server.  OD won't use an untrusted certificate. 
  --an afterthought--  Anything in the logs?
  Open up your server window where you try to select the certificate for OD.  Also, in another window open up the terminal.  In terminal, type:
  tail -f /var/log/system.log
  In the server window try to select the certificate and click done.  See what the output in terminal says.

• Reconfigure Open Directory in Yosemite Server

  Is it possible to delete and reconfigure Open Directory in Yosemite server?
  The host name and configuration were modified after Open Directory was activated and I get the message "Unable to load replica list" in the Settings Tab of Open Directory on the Server App (Server 4.0.3 (Build 14S350)). I think the best way would be to start over the automatic configuration.

  Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.
  1. The OD master must have a static IP address on the local network, not a dynamic address. It must not be connected to the same network with more than one interface; e.g., Ethernet and Wi-Fi.
  2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
  3. The primary DNS server used by the server must be itself, unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
  4. Only if you're still running Mavericks server, follow these instructions to rebuild the Kerberos configuration on the server.
  5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.
  6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.
  7. Reboot the master and the clients.
  8. Don't log in to the server with a network user's account.
  9. Disable any internal firewalls in use, including third-party "security" software.
  10. If you've created any replica servers, delete them.
  11. If OD has only recently stopped working when it was working before, you may be able to restore it from the automatic backup in /var/db/backups, or from a Time Machine snapshot of that backup.
  12. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UID's are in the 1001+ range.
  If you get this far without solving the problem, then you'll need to examine the logs in the Open Directory section of the log list in the Server app, and also the system log on the clients.

• 10.9.2 machines having issues connecting to open directory

  So i've set up a new mac mini with 10.9.2 and the most recent Server App.  I managed to bind a 10.8.5 macbook air 11" and have had no issues, but when I started testing on the new machines (brand new iMac 27") with 10.9.2 im having issues, tested on my machine running 10.9.2 and another 10.8.5 machine to replicate,  only the 10.9 machines are having issues.  This is what im seeing in the console when i try to log in (names changed for security)
  4/16/14 7:29:08.266 PM SecurityAgent[1568]: User info context values set for new.user
  4/16/14 7:29:08.337 PM opendirectoryd[22]: GSSAPI Error:  Miscellaneous failure (see text (Server (krbtgt/[email protected]) unknown (negative cache))
  4/16/14 7:29:08.338 PM authorizationhost[1622]: Failed to authenticate user <new.user> (error: 9).
  ive done a permissons check, this mac mini is only running profile manager and open directory, no other services...
  Please Help!

  Many, if not most, Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.
  1. The OD master must have a static IP address on the local network, not a dynamic address.
  2. You must have a working DNS service, and the master's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. On the Accessing your Server sheet, change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
  3. The primary DNS server used by the master must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
  4. Follow these instructions to rebuild the Kerberos configuration on the master.
  5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases.
  6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.
  7. Reboot the master and the clients.
  8. Don't log in to the server with a network user's account.
  9. Export all OD users, delete them, turn off OD, turn it back on, and import. Ensure that the UID's are in the 1001+ range.

• Open Directory not Pushing Printer Settings

  When i setup a printer on my 10.6.8 server and apply it to a group the printer gets added to the client fine but any settings on the printer (aka RAM or Duplex) does not get pushed to the 10.6.8 clients.
  This is currently happening with my HP Color Laserjet 9500 with the new drivers that were released today (18.4), but has been a problem for a month or so now.
  The server is on driver version 18.1 im not sure that that is what is causing the problem? But this was working in the past so im not sure what has caused this problem...

  Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.
  1. The OD master must have a static IP address on the local network, not a dynamic address.
  2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
  3. The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
  4. Follow these instructions to rebuild the Kerberos configuration on the master.
  5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases.
  6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.
  7. Reboot the master and the clients.
  8. Don't log in to the server with a network user's account.
  9. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UID's are in the 1001+ range.

• Open directory

  I know that this is discussed in more threads but have not found anything that helped me. I have set up a server name Home.private and managed to connect my macbook air with the server and have a green light. I have set up DNS on client and server so this is right (I have done som reading). When I log in, I see the "network account not available". I've read around and tried everything. The last I found was to look in the password log on OD and sure enough, I see something strange there.
  6 2014 19:08:55 792872us Registration is finished error: (10, -72 000).
  6 Jul 2014 20:51:34 432090us Registration is finished error: (10, -72 000).
  6 Jul 2014 20:51:35 174808us Registration is finished error: (10, -72 000).
  6 Jul 2014 23:42:01 408301us Registration is finished error: (10, -72 000).
  6 Jul 2014 23:42:01 408459us Registration is finished error: (10, -72 000).
  7 Jul 2014 20:01:27 693907us Registration is finished error: (10, -72 000).
  7 Jul 2014 20:01:27 786271us Registration is finished error: (10, -72 000).
  What does this mean and can it be the problem?

  Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.
  1. The OD master must have a static IP address on the local network, not a dynamic address.
  2. You must have a working DNS service, and the master's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. On the Accessing your Server sheet, change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
  3. The primary DNS server used by the master must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
  4. Follow these instructions to rebuild the Kerberos configuration on the master.
  5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases.
  6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.
  7. Reboot the master and the clients.
  8. Don't log in to the server with a network user's account.
  9. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UID's are in the 1001+ range.

• Public Domain Open Directory Help

  We are trying to bind network computers to our OS X Server (3.1.2) open directory and it works correctly when we type in server.local (it also automatically fills in server.local). However, we are looking to be able to bind computers when they aren't in the local network and use a full public domain. When we try to bind to the public domain, it gives us the error,
  "Connection failed to the directory server.
  (2100)"
  Any help would be appreciated.

  Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.
  1. The OD master must have a static IP address on the local network, not a dynamic address.
  2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
  3. The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.
  4. Follow these instructions to rebuild the Kerberos configuration on the master.
  5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases.
  6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.
  7. Reboot the master and the clients.
  8. Don't log in to the server with a network user's account.
  9. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UID's are in the 1001+ range.

• Open Directory or LDAP Problem with 10.5 Client and 10.4 Server

  Yesterday, the client-server setup we've been using successfully FOR YEARS decided not to work on a v10.5.8 MacBook Pro client. Did not do anything to the v10.5 client recently (other than to boot it up). Not sure if any software was updated on the server recently (where do I check for this?). Curiously, a v10.4.11 client running on a Mac Pro (tower) continues to work fine/as though nothing's changed. It appears as though the only difference is v10.4 client (working) vs. v10.5 client (not working).
  Here is what IS working:
  1) Network Home Directories on dedicated drive partition of Mac running OS X Server v10.4.11. AFP, DNS, and Open Directory are all up and running (normally, I think) as shown in Server Admin application.
  2) Mac Pro (tower) client running v10.4.11 binds to and authenticates at v10.4.11 server. Any valid user can access their home directory on the server seamlessly when logging in at this v10.4.11 client Mac.
  3) That same v10.4.11 client Mac also contains a LOCAL admin user with its home directory on the local hard drive. That LOCAL admin account is used to update software on a per machine basis (and preclude users from adding unauthorized software, needing to use a specific machine, etc.).
  Here is what IS NOT working:
  4) On a MacBook Pro client running v10.5.8, the LOCAL admin account looses access to the partition containing its local home directory. The drive partition literally disappears. The only "solution" I've been able to find (and it's not truly a solution) is to turn off the Open Directory/LDAP binding (using the Directory Utility application). With binding turned off, the LOCAL admin user has no problem accessing their home directory on the local hard drive partition. Turn binding on again (using Directory Utility application), and the LOCAL admin user can no longer see its local home directory.
  Again, binding is necessary to allow regular users to use the v10.5 MacBook Pro with Network Home Directories (as in items 1-3 above). Binding should be turned on for this reason. However, with binding on, the LOCAL admin user cannot manage the computer because the local partition containing the admin home directory disappears/is inaccessible. Turn binding off, and the partition containing the admin home directory reappears.
  Perhaps there's something in the sever logs that will help. I don't really know how to read these, so if your help involves the logs, please refer to them explicitly (e.g., "in Server Admin, go to Open Directory->Logs->LDAP log" or similar).
  Any help greatly appreceated.

  Nope. Never used sso_util.
  I try to use Apple's GUI server management tools unless absolutely necessary/at the end of my rope (i.e., last step before re-install etc.). I figure there's just too many things going on under the hood: using the command line may fix one setting, but not re-configure the two or three others that Apple NEEDS in order to have the whole thing working in harmony. Unless you really know what's going on with all the configuration files, it's best to let the GUI manage the settings.
  In my particular circumstance, I've now got ALL Leopard clients, one Leopard v10.5 server, and one Tiger v10.4 server. Everything is working fine now, but it was not a simple matter getting the Tiger v10.4 server re-integrated into the otherwise ALL Leopard environment. OD/Kerberos is on the Leopard v10.5 server. Home directories are still on the Tiger v10.4 server.
  Two keys to getting THIS/MY set-up working:
  1) Tiger v10.4 server needs to have Open Directory set to "Connected to a Directory System" and has to be joined to the Kerberos realm that was set-up on the Leopard v10.5 server (use Server Admin to do all of this).
  2) Sharepoint on Tiger v10.4 server has to have SOME, but NOT ALL checkboxes for guest access enables/checked. See:
  http://discussions.apple.com/message.jspa?messageID=10903468#10903468
  Number 2 immediately above is contrary to what Apple manual for User Management reads, but this is what worked for me/my set up, after pulling my hair out following the manual's instructions to the letter and not getting the thing to work!

• Strange login problem with Open Directory

  Hi,
  I created a web tool that calls dscl to create users in Open Directory from a bound web server.
  Most of the accounts work fine. A couple do not. The particular account in question could login to machines in one computer group, but not on others, using the login window. But it could login on the command-line via su.
  Now here's the kicker. I deleted the user completely and re-created the user account with the same login name, and assigned it to the same groups as other new accounts that work fine. The problem persists.
  The only thing I've found that indicates a problem is the following from the ldap log:
  Sep 17 10:36:14 poseidon slapd[61]: Entry (uid=<username changed>,cn=users,dc=<redacted>,dc=<redacted>,dc=<redacted>): object class 'posixAccount' requires attribute 'homeDirectory'
  (note the redactions and username were put in by me...paranoia etc)
  I used 'Inspector' in Workgroup Manager and verified that the account does in fact have the required homeDirectory attribute, and the account is not unlike other accounts that work fine, save the username and unique ID.
  I hope this provides enough info for someone to give some guidance...this is certainly a strange problem.
  Thanks ahead of time!
  -Matt

  Hi,
  I created a web tool that calls dscl to create users in Open Directory from a bound web server.
  Most of the accounts work fine. A couple do not. The particular account in question could login to machines in one computer group, but not on others, using the login window. But it could login on the command-line via su.
  Now here's the kicker. I deleted the user completely and re-created the user account with the same login name, and assigned it to the same groups as other new accounts that work fine. The problem persists.
  The only thing I've found that indicates a problem is the following from the ldap log:
  Sep 17 10:36:14 poseidon slapd[61]: Entry (uid=<username changed>,cn=users,dc=<redacted>,dc=<redacted>,dc=<redacted>): object class 'posixAccount' requires attribute 'homeDirectory'
  (note the redactions and username were put in by me...paranoia etc)
  I used 'Inspector' in Workgroup Manager and verified that the account does in fact have the required homeDirectory attribute, and the account is not unlike other accounts that work fine, save the username and unique ID.
  I hope this provides enough info for someone to give some guidance...this is certainly a strange problem.
  Thanks ahead of time!
  -Matt

• Problems with Active Directory Users showing as not found in Open Directory work group manager

  I’m running a golden triangle setup with Open directory assigning group policy and authentication provide by active directory. In workgroup manager I can search through the AD and add users or computers to groups in OD workgroup manager. However when I save and refresh the users or computer appear as ‘not found’. Is there a reason for this?

  Hi Zero
  It's very reassuring to know im not the only one having issues with this..
  Im on my second re install of the server.. I like you have no wish to do another clean install as everything else is connected and it seems like the answer is probably very simple.
  So today im going to re- run the terminal commands as layed out in the online guides.
  However i was kinda hoping someone would be able to supply us with an answer.
  thanks
  J

• "My Page" login problem, open directory issue I think

  I'm able to log into the My Page web portal for a local server account user, but not any of the user's in the Open Directory (LDAP) node. Anyone know what might be causing that? Thanks in advance.

  Is there a specific group that gets access to the web portal tools (wiki, blog, etc) that the users in the network node need to be in?

• Strange Permissions problem when creating new Open Directory user

  I just set up a mac lab to authenticate to an Open Directory server which also stores home folders. All of the initial users I created work fine, there were about 50 users that I set up. When I added a new user this morning though, it would not allow him to access anything within his home folder (i.e. nothing worked)
  I went back to the server and took a look at the Users share and noticed that when his accound was created, instead of setting the owner of the folder to his username (xxx123) it was set to his userid number (1024). I did a chown on his directory to his username and he was then able to access his home directory from the clients.
  I realize I found a fix, but I would prefer to not have to do this every time I create a new user. Why is this happening?

  Have you used the "Role" drop-down to "SYSDBA"? - if not, you get the ORA-01017 error.

• Open Directory: "Unable to load replica list"

  I'm currently running Mavericks Server 3.1 on my Mac Mini at the home network. I had some issues with the client logins and went for local accounts on the clients instead. Today I finally wanted to fix the problem and go all Open Directory. But the Open Directory service was shut off when I opened the server software. I tried to turn it on but got a message saying "Unable to load replica list". I updated the software to the latest 3.1 but are still having the same issue. I never had any replica list, I only had a standard one from the start, but it seems I can't do anyhing there now.
  LDAP log:
  Mar 21 22:48:38 xxYY.com slapd[172]: @(#) $OpenLDAP: slapd 2.4.28 (Nov 12 2013 12:02:47) $
  [email protected]:/private/var/tmp/OpenLDAP/OpenLDAP-491.1~1/servers/slapd
  Mar 21 22:48:38 xxYY.com.com slapd[172]: daemon: SLAP_SOCK_INIT: dtblsize=8192
  Mar 21 22:48:39 xxYY.com.com slapd[172]: TLS: found identity in keychain using identity preference.
  Mar 21 22:48:42 xxYY.com.com slapd[172]: slap_add_listener: opened additional listener 'ldaps:///'
  Mar 21 22:48:42 xxYY.com.com slapd[172]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
  Mar 21 22:48:44 xxYY.com.com slapd[172]: slapd starting
  Mar 21 22:48:44 xxYY.com.com slapd[172]: daemon: posting com.apple.slapd.startup notification
  Mar 21 22:48:54 xxYY.com.com slapd[172]: => bdb_idl_delete_key: c_del id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
  Mar 21 22:48:54 xxYY.com.com slapd[172]: conn=1022 op=3: attribute "entryCSN" index delete failure
  Mar 21 22:50:02 xxYY.com.com slapd[172]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
  Mar 21 22:50:02 xxYY.com.com slapd[172]: conn=1042 op=3: attribute "entryCSN" index delete failure
  I don't understand any of this other than the obvious failure words. Can anyone understand this and help me here?

  This procedure is a diagnostic test. It makes no changes to your data. If you have more than one user account, you must be logged in as an administrator to carry out these instructions.
  Please triple-click anywhere in the line below on this page to select it:
  sudo /usr/libexec/slapd -Tt | pbcopy
  Copy the selected text to the Clipboard by pressing the key combination command-C.
  Launch the built-in Terminal application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
  Paste into the Terminal window by pressing the key combination command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. You'll be prompted for your login password. Nothing will be displayed when you type it. If you don’t have a login password, you’ll need to set one before you can run the command. You may get a one-time warning to be careful. Confirm. You don't need to post the warning.
  If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator. Log in as one and start over.
  Wait for a new line ending in a dollar sign ($) to appear below what you entered.
  The output of the command will be automatically copied to the Clipboard. If the command produced no output, the Clipboard will be empty. Paste into a reply to this message.
  The Terminal window doesn't show the output. Please don't copy anything from there.