Xerox Accounting in an Open Directory

Hi there,
I have a small network running with about 30 workstations (iMac 10.8.3) connecting to an Open Directory (OS X 10.8.2, Server 2.2.1) and I'm completely stumped trying to get accounting working on our Xerox Workstation (5775)..
I previously had an HP laser printer that I managed with Workgroup Manager, which worked great. I used the PKG installer for the Xerox and installed the driver on all machines. As administrator I logged into a couple of sample machines and configured accounting (which is a silly process, I must say) and the settings aren't retained when I log in as an OD user. I logged in as an OD user and again configured accounting, and the settings still aren't saving.
Can someone suggest what steps I need to take to successfully integrate the Xerox with accounting on my Open Directory network?
Regards,

This is for anyone who has ever had a problem like this between his/her local and network accounts. Apparently, when Mac OS X SL Server creates the network account, it tries to duplicate the basic file structures one would find in an independent (i.e. non-networked) machine. My goal was to be able to use my network account, at home, as my standard so that I would be able to take advantage of the networked file services. I succeeded in this and was able to transfer successfully my iTunes library as well. However, the iSync Manager did not duplicate in the new Open Directory account. Upon reading past posts to Apple Discussion groups I determined that there are two files that the iSync Manager uses in order to function. They are as follows:
~/Library/Application Support/SyncServices/Local/
and
~/Library/Application Support/iSync/
Copy these two files from your local account to the Open Directory account in their same relative places in the file structure and your iSync Manager will start and you will be able to sync your iPhone calendars and contacts with iTunes.

Similar Messages

  • Help needed to log into an Open Directory account which has the same username as the local account

    Hello,
    I have successfully set up a Mac OS X Lion Server and it is an Open Directory Master. On the server I have created an account with the name 'Connor'. I have numerous Macs (all running OS X 10.7 Lion) connected to this server but on one of the Macs there is a local account with the name 'Connor' too (the local and networked accounts have different passwords). I want to log into the Open Directory account on that Mac. So, I have done an authenticated bind to the server, but when I go to log in the password box shakes. I think the computer thinks I am trying to log into the local account and not the Open Directory account. On Windows, I can log into either the local accounts or the networked accounts by typing \LOCAL-COMPUTER-NAME\Connor. So, I was wondering if there was a similar command to do this on Mac.
    I don't think I have worded this very well, so if someone doesn't understand please ask me some questions about the problem and I will try and explain it better.
    Any help would be greatly appreciated,
    Connor

    Maybe I didn't make myself clear. I have used directory utility to do an authenticated bind to my server. I also have no problem logging into other accounts in the Open Directory. But, I just can't log into the account which has the same name both in the Open Directory and locally.
    Was there something I missed in Directory Utility? Could you please help me if this is so.
    Thanks for replying so quickly

  • Creating User Acct's in Open Directory from External Source

    Hello,
    I am trying to find a way to automate the creation of user accounts in OpenDirectory. I have a MS SQL database that has the usernames and passwords in it now, and I'm looking to export those out of there and have an automatic way to create matching accounts in the OpenDirectory service on OSX Server.
    Gary

    It's unfortunate that there's no better way to do this. We're using ssh with a pre-shared key to our Open Directory server to run a script which runs dsimport to create the accounts on the Open Directory.
    This works fine for importing/creating accounts, but it doesn't help us change passwords that we are pushing down to Open Directory from our metadirectory solution.
    Here's the python we use to generate the dsimport entries:
    # obj is a user record from the metadirectory (Ganymede); self.getPrimaryGID resolves its primary group.
    # Header: 0x0A 0x5C 0x3A 0x2C are the end-of-record, escape, field-separator and value-separator characters,
    # followed by the record type, the field count and the attribute for each field.
    dsimport_base = '0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 11 dsAttrTypeStandard:RecordName dsAttrTypeStandard:GeneratedUID dsAttrTypeStandard:AuthMethod dsAttrTypeStandard:Password dsAttrTypeStandard:UniqueID dsAttrTypeStandard:PrimaryGroupID dsAttrTypeStandard:RealName dsAttrTypeStandard:UserShell dsAttrTypeStandard:HomeDirectory dsAttrTypeStandard:EMailAddress dsAttrTypeNative:postOfficeBox'
    # the colon inside the AuthMethod value is escaped so dsimport does not read it as a field separator
    dsimport_entry = '%s:%s:dsAuthMethodStandard\\:dsAuthClearText:%s:%s:%s:%s:%s:%s:%s:Ganymede managed [%s]'
    params = (obj.Username,
              obj.Global_UID,
              obj.Password.plaintext,
              obj.UID,
              self.getPrimaryGID(obj),
              obj.Full_Name,
              obj.Login_Shell,
              '/Users/' + obj.Username,
              obj.Username + '@arlut.utexas.edu',
              obj._oid)
    # escape any ':' inside the values themselves, then append one record line to the header
    new_entry = dsimport_base + '\n' + dsimport_entry % tuple([str(value).replace(':', '\\:') for value in params]) + '\n' # not handling signature aliases yet
    and here's the Perl that is run on the far end of the ssh pipeline which
    reads the list of 'new_entry' lines generated by our Python:
    #!/usr/bin/perl
    # This script receives files on STDIN and runs dsimport on them.
    # Jonathan Abbey
    # 22 October 2009
    use strict;
    use warnings;
    use File::Temp qw/ tempfile tempdir /;
    my $adminuser = 'diradmin';
    # passed to dsimport and pwpolicy with -p, so it is visible in the process list while they run
    my $adminpass = 'seekret';
    my ($fh, $filename) = tempfile();
    my @users = ();
    while (<STDIN>) {
        # record lines start with the RecordName field; the header line starts with 0x0A and is skipped
        if (/^([^0][^:]+):/) {
            push(@users, $1);
        }
        print $_;
        print $fh $_;
    }
    close($fh);
    system('/usr/bin/dsimport', '-g', $filename, '/LDAPv3/127.0.0.1', 'O', '-u', $adminuser, '-p', $adminpass, '-v');
    unlink($filename);
    # stop the imported users from changing the password the metadirectory pushes down
    foreach my $user (@users) {
        system('/usr/bin/pwpolicy', '-a', $adminuser, '-p', $adminpass, '-u', $user, '-setpolicy', 'canModifyPasswordforSelf=0');
    }
    We've been trying to use kadmin to change passwords, but it seems flaky, with occasional 'policy reject' complaints breaking the sync.
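As an added example (not code from the post or from Ganymede), here is a Python builder for the same dsimport record layout, generalised to escape every control character declared in the header rather than only ':', with a parser that reverses it so a generated file can be checked before it reaches dsimport. The attribute list is the post's; the sample user values are constructed.

```python
# Added example: build and check dsimport "standard" records for the header
# used in the post. 0x0A 0x5C 0x3A 0x2C declare the end-of-record, escape,
# field-separator and value-separator characters; the field count in the
# header is derived from ATTRIBUTES so it can never drift out of sync.
from typing import List

END_OF_RECORD = "\n"   # 0x0A
ESCAPE = "\\"          # 0x5C
FIELD_SEP = ":"        # 0x3A
VALUE_SEP = ","        # 0x2C

# attribute names from the post, one per field, in order
ATTRIBUTES = [
    "dsAttrTypeStandard:RecordName",
    "dsAttrTypeStandard:GeneratedUID",
    "dsAttrTypeStandard:AuthMethod",
    "dsAttrTypeStandard:Password",
    "dsAttrTypeStandard:UniqueID",
    "dsAttrTypeStandard:PrimaryGroupID",
    "dsAttrTypeStandard:RealName",
    "dsAttrTypeStandard:UserShell",
    "dsAttrTypeStandard:HomeDirectory",
    "dsAttrTypeStandard:EMailAddress",
    "dsAttrTypeNative:postOfficeBox",
]

# constructed sample user; real name and password contain both separators on purpose
SAMPLE_USER = [
    "jdoe",
    "00000000-0000-4000-8000-000000000001",
    "dsAuthMethodStandard:dsAuthClearText",
    "pass:word,1",
    "1001",
    "20",
    "Doe, Jane",
    "/bin/bash",
    "/Users/jdoe",
    "jdoe@example.com",
    "managed [placeholder-oid]",
]


def header_line() -> str:
    """Header line; the field count is taken from ATTRIBUTES (11 here)."""
    return "0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users %d %s" % (
        len(ATTRIBUTES), " ".join(ATTRIBUTES))


def escape_value(value: str) -> str:
    """Escape the escape character and both separators inside one field value.

    A record terminator inside a value would start a second record (a second
    user) on import, and the post does not say whether dsimport honours an
    escaped newline, so such values are refused rather than escaped.
    """
    if END_OF_RECORD in value:
        raise ValueError("record terminator inside value: %r" % value)
    out = []
    for ch in value:
        if ch in (ESCAPE, FIELD_SEP, VALUE_SEP):
            out.append(ESCAPE)
        out.append(ch)
    return "".join(out)


def build_record(values: List[str]) -> str:
    """One record line with exactly len(ATTRIBUTES) escaped fields."""
    if len(values) != len(ATTRIBUTES):
        raise ValueError("expected %d fields, got %d" % (len(ATTRIBUTES), len(values)))
    return FIELD_SEP.join(escape_value(v) for v in values) + END_OF_RECORD


def parse_record(line: str) -> List[str]:
    """Split one record line on unescaped FIELD_SEP, undoing escape_value."""
    fields, cur, i = [], [], 0
    line = line.rstrip(END_OF_RECORD)
    while i < len(line):
        ch = line[i]
        if ch == ESCAPE and i + 1 < len(line):
            cur.append(line[i + 1])      # escaped character is taken literally
            i += 2
            continue
        if ch == FIELD_SEP:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def build_file(users: List[List[str]]) -> str:
    """Header followed by one record per user, ready for dsimport -g."""
    return header_line() + END_OF_RECORD + "".join(build_record(u) for u in users)


if __name__ == "__main__":
    print(build_file([SAMPLE_USER]), end="")
```

Because the AuthMethod field is dsAuthClearText, the generated file carries cleartext passwords, which is why the Perl side above writes it to a temp file and unlinks it immediately after the import.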

  • Use Open Directory for intranet web access

    Is it possible to tap into Open Directory user information from other services than those built into the server? And that way use the Open Directory authentication for our own home-made service?
    We plan to set up an intranet on our OS X 10.6 server. We're still not sure whether to use one of the popular Open Source cms/portal platforms such as Drupal or maybe even WordPress.
    1. I would like to use the user accounts in our Open Directory to authenticate to the intranet. Is that possible in any way?
    2. Or does anyone know of a way to modify e.g. the built-in blog function and integrate that with another system such as Drupal or WordPress?
    I'm guessing there are blocks of code in the blog that handle user authentication. And if I keep them where they are on the server and include them in other Drupal files, it may be possible? Is the built-in blog built on an open source system like some of the other services on Mac OS X server? A system I can read about anywhere?
    +Note: The built-in blog or wiki service does not match our needs for an intranet. We need to customize it a lot to make it suit our needs.+
    3. Plan B could be to export our 100 users and passwords from Open Directory and import them in the intranet system. But as far as I know it's impossible to export the passwords. Right?
    +New users would then have to be added to both Open Directory and the separate intranet system in the future. That would be okay for working but not perfect Plan B.+

    ryanowich wrote:
    Is it possible to tap into Open Directory user information from other services than those built into the server?
    Yes.
    And that way use the Open Directory authentication for our own home-made service?
    Sure. I have HP OpenVMS systems that are authenticating to Mac OS X Server boxes. LDAP has a callable interface for applications written in most any active programming language, and many packages already have LDAP support.
    We plan to set up an intranet on our OS X 10.6 server. We're still not sure whether to use one of the popular Open Source cms/portal platforms such as Drupal or maybe even WordPress.
    You need to narrow your requirements and your ideas somewhat, and work toward a list of features.
    I have some discussions posted of what I went through when I ended up picking Drupal.
    1. I would like to use the user accounts in our Open Directory to authenticate to the intranet. Is that possible in any way?
    Network servers (Apache, DHCP, etc) can authenticate to LDAP, but (once granted access via DHCP and RADIUS, or analogous) clients don't usually further authenticate.
    Within Drupal, the [Drupal|http://drupal.org] module [ldapauth|http://drupal.org/node/118092] would be worth a test. That's an available connection into LDAP. (Haven't prototyped that module, though.)
    2. Or does anyone know of a way to modify e.g. the built-in blog function and integrate that with another system such as Drupal or WordPress?
    You're apparently not familiar with Drupal. You might want to learn more about it, and particularly its extensibility. Drupal can be connected to some refrigerators, if you were inclined to do so.
    I'm guessing there are blocks of code in the blog that handle user authentication. And if I keep them where they are on the server and include them in other Drupal files, it may be possible? Is the built-in blog built on an open source system like some of the other services on Mac OS X server? A system I can read about anywhere?
    Including random blocks of code isn't a strategy for success. Understanding the basics of how the pieces fit together tends to be a better strategy. For Drupal, there's always the [Drupal documentation|http://drupal.org/documentation], or the available books on the CMS. Or you can call in somebody that's done this stuff.
    +Note: The built-in blog or wiki service does not match our needs for an intranet. We need to customize it a lot to make it suit our needs.+
    The built-in services are limited, yes. I've been running Drupal on Mac OS X Server for years now.
    3. Plan B could be to export our 100 users and passwords from Open Directory and import them in the intranet system. But as far as I know it's impossible to export the passwords. Right?
    I would sincerely hope you don't get the passwords out of your authentication system. That would be bad. Cleartext passwords are bad news. You don't want that ability.
    +New users would then have to be added to both Open Directory and the separate intranet system in the future. That would be okay for working but not perfect Plan B.+
    That would be a hassle.
    And I've tested with Wordpress on Mac OS X Server, but haven't deployed it in production. I'll leave discussions of its features and capabilities to others. That written, you might try the [Wordpress web site|http://Wordpress.org], as I'd expect there would be discussions of LDAP there.
    I'd suggest determining your requirements, otherwise you're going to flail around given the number of options and alternatives here. If you have your requirements, then you have a framework to pick your tools. [Here is what I looked at when I picked Drupal|http://labs.hoffmanlabs.com/node/100].

  • New open directory account doesn't create mail account

    Hi All
         I have a Mac Mini with Lion Server. Fresh out of the box I messed with it a few times to learn and then I did a clean (internet) install and started with the settings I wanted (hostname, etc) with no mistakes. (It seems Lion doesn't like applying most changes)
    When I set it up I created one local admin user that won't be in the Open Directory.
    Anyway, I've set up the following :
    * Address Book
    * File Sharing
    * iCal
    * Mail
    * Profile Manager
    * and VPN
    The first Open Directory user I added was myself and that user managed to get assigned an email account.
    Subsequent users I've added have not been registered with the mail subsystem.
    I've checked this using the "Server Admin" additional download management tool. (Mail service on the left, Maintenance up the top and then Accounts under that)
    There is only one mail account and that's the first one I've added.
    I haven't played with the settings so other than switching things on it should "just work" but it doesn't.
    I've previously set up vmail servers using MySQL to store the accounts with Postfix and Courier IMAP but that was in some ways simpler as nothing was under the covers. I haven't dug too much into the Dovecot config files, etc. as I believe there is an all-knowing server configuration engine at work here that isn't doing its job (which I haven't dug into)
    Has anyone had this issue of the mail accounts not being created?
    Or can anyone point me to a fix?

    It seems to have something to do with profile manager.
    I get stack traces in the "system messages" logs for the "Server" application, grrrr.
    I'll get that info and attempt to submit a bug report tonight.

  • Convert Open Directory mobile accounts to Active Directory mobile accounts

    We have 200 or so Macs using OD mobile accounts.
    Implementing Active Directory, getting rid of Open Directory.
    How do I change the mobile accounts from OD accounts to AD accounts so that they authenticate against the AD Domain Controller and thus change the computer login password when it's changed in AD?
    I can convert accounts this way:
    a.    Delete users’ user account in User preferences pane of System Preferences, but choose to not change the home directory.
    b.    Log into users’ account by choosing the other option, thus creating a mobile account.
    c.    Log out, log into admin account, delete the newly created home directory, rename the home directory from the deleted user's account to match the name of the deleted home directory and do a chown -R on the directory for that user.
    Obviously doing above 200x times is tedious and I'd like to avoid this if possible!
    Any other ideas?  Preferably a script I can deploy to all computers?

    I am also testing Leopard in my Active Directory domain and here is what I have found so far. The wireless networks in Leopard seem to be a combination of Panther and Tiger. Each 'Location' that you set has its own list of preferred networks. I have one location for when I am locally on the domain network and others for my bench network and all others under 'Automatic'. The one problem with what you are talking about is that if people change locations and forget to change it back before they log in, it will not find the network, however, adding the other networks all in one location is fine as long as the AD network is on top. You also have to wait about 20 - 30 seconds after you reach the login prompt before proceeding or it will log in without being connected and the AD resources will not be available. I am also finding that Panther knew when it was not on the AD network and did not give any errors, however Leopard squawks when I log in on a different network.
    Cheers,
    Rob

  • Can't login to open directory accounts unless using server machine

    I cannot log in to any network accounts from my MacBook on my local network. I have tried binding the machine to the Open Directory with local IP, local address and domain and all appear to be working but I can't log in to any of the accounts although the passwords are correct.

    Hi Salda,
    I'm currently experiencing a similar problem to yours.
    My situation is that I have just created a new user account which is part of our media users group.
    This group is in the list of allowed users for our mac pro client host, but when I attempt to login using their credentials I get the same error you had, namely that their home directory is located on a afp or smb server (which is of course the case).
    I hope you can tell me a resolution that doesn't require a re-installation of the OS.
    Thanks for your help.
    Rich

  • When I integrate a Mac client into the Open Directory domain, it doesn't ask me for the DirAdmin account. Why?

    When I integrate a Mac client into the Open Directory domain, it doesn't ask me for the DirAdmin account. Why?
    I don't want everyone to be able to integrate a Mac client into the Open Directory without authentication.
    I want it to ask me for the diradmin account when integrating a Mac OS X client into the Open Directory domain of Lion Server.
    I have made a magic triangle
    Thanks

    Malik-O wrote:
    When I integrate a Mac client into the Open Directory domain, it doesn't ask me for the DirAdmin account. Why?
    I don't want everyone to be able to integrate a Mac client into the Open Directory without authentication.
    1 ) I want it to ask me for the diradmin account when integrating a Mac OS X client into the Open Directory domain of Lion Server.
    Authentication (with open directory admin username & password) is off by default. In Mountain Lion there is no longer a GUI to manage that and some of the other binding options. In Lion, I think you could use Server Admin (or was it Workgroup Manager) -- I can't remember, but there were little checkboxes.
    To make authentication mandatory in Mountain Lion, you can use this on the Server:
    sudo slapconfig -setmacosxodpolicy -binding required
    Use the following to check the binding policies:
    slapconfig -getmacosxodpolicy
    You might want to check the slapconfig man page, you'll find some of the other options that were in Server Admin in Lion, e.g. disable cleartext, block man-in-middle, etc.
    Edit, I just saw you're still using Lion Server, not Mountain Lion. I'm pretty sure the above commands will work on Lion Server as well.

  • How to transfer user accounts from Active Directory to Open Directory

    Please help me, I want to transfer user accounts from Active Directory (Windows Server 2012) to Open Directory (OS X Server 10..2.9)

    Hi,
    Go to the advanced administration for the OSX Server:
    https://help.apple.com/advancedserveradmin/mac/3.1/#apd6D7FE39D-32AA-400C-91E1-50ABC15655C8
    This pretty easy way of connecting your server to the Windows server should give AD users access to OD services. That will be a good start.
    Read up on this as well:
    http://support.apple.com/kb/PH15469
    Do you want to import them all or just the Mac users?
    Good luck!
    Jeffrey

  • Possible to convert ordinary accounts to Open Directory accounts?

    This might be a naive question. But I need to set up accounts for users on this Mac Pro configured with Leopard Server and they may need to be Open Directory accounts, i.e. we may decide to create portable accounts for the whole cluster and have them hosted on this server. I won't know for sure until we have fully discussed the intended uses of the machine, which could take some time. So I am wondering if I can just give users ordinary accounts using System Preferences and then convert them at a later date to Open Directory accounts. I tried to do this with the first account I created for myself on the system and found that the name spaces of the two kinds of accounts conflict, and it's especially hard/dangerous to change a short name (is this really true??)
    It would be confusing for users and a headache for me if everyone has two distinct and unrelated accounts. Thanks in advance for any help.

    Hi Liz
    +I do get a warning if I launch Server Preferences: it says "Server Preferences can't be used with advanced configurations of Mac OS X Server." Doesn't that confirm that I chose Advanced?+
    I guess it does?
    I'm thinking you might be getting System Preferences and Server Preferences confused? Your original post was about converting ordinary accounts to Open Directory ones? Provided you've configured the Server as an Open Directory Master with all that that entails then you can install a clean OS on your clients. Provided the DHCP Server is handing out the correct information then after the OS has been installed and at the point the Setup Assistant asks you to create the initial account you should be given a choice to either create one locally or use one that is from Open Directory. If you choose the latter option then a generic local admin account gets created anyway. This is how its supposed to work. However you could forego all of this and simply create a secure local admin account. Join the client to the ODM using the well established method. The same result is achieved.
    If you had chosen Standard instead of Advanced a lot of the auto-discovery bit comes into play. To be honest I don't really know although judging by the documentation and what some have posted here this is what happens.
    You might find this useful?
    http://discussions.apple.com/message.jspa?messageID=8940512#8940512
    Tony

  • Scripts for adding/deleting/modifying Open Directory accounts?

    I think I have searched high and low for an answer to this question, but if I missed it please point me in the right direction. Where can I find information on scripts for adding/deleting/modifying open directory accounts? At the very least, a command line utility with some syntax guidelines! Any help would be greatly appreciated.

    Hi
    I personally don't know of any scripts, although you can use the command line to do pretty much anything you want with the Open Directory. Consult the manual: man dscl. If you launch Terminal and issue dscl you should see something like this:
    my-Laptop:~ me$ dscl
    dscl (v20.4)
    usage: dscl [options] [<datasource> [<command>]]
    datasource:
    localhost (default) or
    <hostname> (requires DS proxy support, >= DS-158) or
    <nodename> (Directory Service style node name) or
    <domainname> (NetInfo style domain name)
    options:
    -u <user> authenticate as user (required when using DS Proxy)
    -P <password> authentication password
    -p prompt for password
    -raw don't strip off prefix from DS constants
    -url print record attribute values in URL-style encoding
    -q quiet - no interactive prompt
    commands:
    -read <path> [<key>...]
    -create <record path> [<key> [<val>...]]
    -delete <path> [<key> [<val>...]]
    -list <path> [<key>]
    -append <record path> <key> <val>...
    -merge <record path> <key> <val>...
    -change <record path> <key> <old value> <new value>
    -changei <record path> <key> <value index> <new value>
    -search <path> <key> <val>
    -auth [<user> [<password>]]
    -authonly [<user> [<password>]]
    -passwd <user path> [<new password> | <old password> <new password>]
    Entering interactive mode...
    The above is for 10.4 and should serve equally well for 10.5.
    Hope this helps, Tony

  • want to create a user account from "Crypted Password" to "Open Directory"

    I have created a user account with "user password type: Crypted Password".
    Is there any way I can script it to "user password type: Open Directory"?
    I've used perl-ldap to create the user account but I don't know how to change the user password type to Open Directory,
    because my script will add a new node in the directory. I just need a way to make the "user password type" "Open Directory" AT CREATION TIME, not modifying it after I have a user account. The script below will generate a node in the directory with "Crypted Password" as User Password Type.
    Is there any attribute I need to add to make it "Open Directory", or a perl command, applescript, bash, objective c (hopefully not)....
    thanks for reading...
    use Net::LDAP;
    # $c is assumed to be a Net::LDAP handle already bound as a directory administrator
    $res = $c->add(dn => 'uid=testing,cn=users,dc=microsoft,dc=info',
        attr => [
            'cn' => 'testing',
            'gidNumber' => '20',
            'homeDirectory' => '99',
            # a multi-valued attribute must be an array reference; as a flat list the
            # extra values would be read as further attribute/value pairs
            'objectclass' => ['inetOrgPerson', 'posixAccount', 'shadowAccount', 'apple-user',
                              'extensibleObject', 'organizationalPerson', 'top', 'person'],
            'sn' => 'testing',
            'uid' => 'testing',
            'uidNumber' => '5000',
            # 'apple-generateduid' => '27318931-B341-4364-91B4-84E4AAAD1234', #026F",
            'givenName' => 'testing',
            # 'loginShell' => '/bin/bash',
            'userPassword' => 'testing',
            # 'homePhone' => '555-2020',
            # 'mail' => '[email protected]'
        ]
    );
    die "unable to add, errorcode #".$res->code().$res->error if $res->code();
    thanks

    Since this question isn't Xserve specific a better place to get an answer is probably in the Directory Services forum: http://discussions.apple.com/forum.jspa?forumID=1353
    That being said, if you are trying to migrate Crypt accounts to OD accounts then the short answer is no. You need an unencrypted password to put the password into OD via a script, so short of cracking the encrypted password and inserting it in plain text into the OD user account creation process, I don't think you can.
    You should be able to dictate the password (and any other settings you can do from the GUI) but the password is the missing piece. Under really old OS X systems I actually suspect you can get passwords to export (hinted at by an Apple engineer I discussed this with) but there is probably a faster and more straightforward solution.
    What I have done is export from NetInfo, clean the accounts via script and then reimport the accounts into the new system. I usually assign a password and dictate "Must change password at next login" and then email people the temporary passwords. It's been a while but I believe you can mass select and then dictate password settings so if that works for you create accounts with all the same password and then you can select by group and make changes - eg Must change password at login.
    Good luck,
    =Tod

  • Some Open Directory accounts will not log in

    At the school where I work, the Open Directory master is running 10.6.8 Server and the clients are running 10.7.4. I am preparing images to update all the clients to 10.8.3, and I've run into a curious issue.
    In our setup, we have a single Open Directory account for each classroom. They are set up for simultaneous login, and their home folders are created in /Users rather than on a network share. We have 20 or so unique room accounts, and the test boxes I'm working with now can log into almost all of them. However, there are a few that simply refuse.
    When I attempt to log into one of those accounts, the login window immediately shakes as if I've put in the wrong password. However, I've confirmed that the password is correct. I've also checked through the settings of those accounts to make sure they're in line with all the rest of them. I know that they work because our lab Macs, which are currently running 10.7.4 are able to log into them just fine.
    I've tried unbinding and rebinding the clients to the OD server, as well as manually creating a home folder in /Users, neither of which works. I have found a little bit of voodoo that seems to work sometimes. I have to bind to the OD server, then check "Allow Network Users at Login Window", then select "Only These Users", then add all of the available network users to the list. Then, I delete them all, restart the computer, and sometimes that works. Not always though.
    Has anybody run into this before?

    As far as I can tell, the server isn't logging much with regard to the passwords being refused. I have tried attempting to log in to the accounts that don't work and then checking the Open Directory logs within Server Admin, but I don't see anything either relating to that user or with a timestamp that's close to the time to log in.
    On the client side, the log entry I see that relates to that user trying to log in is:
    5/30/13 10:03:28.001 AM SecurityAgent[147]: User info context values set for r364epson
    Which log in the Server Admin app would errors like this be likely to be logged in?

  • Recently created Open Directory user accounts not able to login.

    Hello Everyone,
    I recently updated our company's Mavericks server to version 3.2.1 and now some of my users are unable to log in to our Open Directory server. Our server is currently running OS X 10.9.5 Build 13F34. The server log output is the following when a user attempts to log in to Open Directory.
    12/8/14 11:35:46.995 AM kdc[3049]: AS-REQ [email protected] from 192.168.15.95:59274 for krbtgt/[email protected]
    12/8/14 11:35:47.003 AM kdc[3049]: AS-REQ [email protected] from 192.168.15.95:59274 for krbtgt/[email protected]
    12/8/14 11:35:47.004 AM kdc[3049]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
    12/8/14 11:35:47.011 AM kdc[3049]: AS-REQ [email protected] from 192.168.15.95:50783 for krbtgt/[email protected]
    12/8/14 11:35:47.016 AM kdc[3049]: AS-REQ [email protected] from 192.168.15.95:50783 for krbtgt/[email protected]
    12/8/14 11:35:47.017 AM kdc[3049]: Client sent patypes: ENC-TS
    12/8/14 11:35:47.017 AM kdc[3049]: ENC-TS pre-authentication succeeded -- [email protected]
    12/8/14 11:35:47.019 AM kdc[3049]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
    12/8/14 11:35:47.019 AM kdc[3049]: Requested flags: forwardable
    12/8/14 11:35:47.282 AM kdc[3049]: TGS-REQ [email protected] from 192.168.15.95:50911 for host/[email protected] [canonicalize, forwardable]
    12/8/14 11:35:47.283 AM kdc[3049]: Searching referral for mbpe-0c4de9abba49.local
    12/8/14 11:35:47.284 AM kdc[3049]: Server not found in database: krbtgt/[email protected]: no such entry found in hdb
    12/8/14 11:35:47.285 AM kdc[3049]: Failed building TGS-REP to 192.168.15.95:50911
    12/8/14 11:35:47.289 AM kdc[3049]: TGS-REQ [email protected] from 192.168.15.95:64376 for krbtgt/[email protected] [forwardable]
    12/8/14 11:35:47.290 AM kdc[3049]: Server not found in database: krbtgt/[email protected]: no such entry found in hdb
    12/8/14 11:35:47.290 AM kdc[3049]: Failed building TGS-REP to 192.168.15.95:64376
    Note: I have rebuild Open Directory and still see the message above when users attempt to login. Also, I have not changed the name of the server, all server certificates are valid and for some reason time machine restores is not working. I have tried to restore the server back to June and it made the issue worse.
    Any help would be appreciated.

    Thank you for your reply Linc. Unfortunately I tried this already and it did not fix my issue. I checked the Open Directory startup log and found a possible issue with the domain name in the startup file and the signing certificate. The domain name has a $ and it can find the signing certificate with a public key. Please take a look below and let me know what you think?
    12/8/14 11:02:42.961 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:63580 for krbtgt/[email protected]
    12/8/14 11:02:42.975 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:43.082 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:52257 for krbtgt/[email protected]
    12/8/14 11:02:43.093 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:43.621 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:64357 for krbtgt/[email protected]
    12/8/14 11:02:43.633 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:43.893 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:64619 for krbtgt/[email protected]
    12/8/14 11:02:43.904 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:44.191 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:61095 for krbtgt/[email protected]
    12/8/14 11:02:44.210 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:44.560 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:52115 for krbtgt/[email protected]
    12/8/14 11:02:44.576 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:45.016 PM UserEventAgent[18]: Registered Workstation service - wdpmosx [68:5b:35:ca:f7:4b]._workstation._tcp.
    12/8/14 11:02:45.193 PM kdc[13708]: AS-REQ [email protected] from 127.0.0.1:54745 for krbtgt/[email protected]
    12/8/14 11:02:45.208 PM kdc[13708]: UNKNOWN -- [email protected]: no such entry found in hdb
    12/8/14 11:02:45.554 PM kdc[13723]: label: WDPMOSX.XYZ.ORG
    12/8/14 11:02:45.554 PM kdc[13723]: dbname: od:/LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi
    12/8/14 11:02:45.554 PM kdc[13723]: mkey_file: /var/db/krb5kdc/m_key.WDPMOSX.XYZ.ORG
    12/8/14 11:02:45.555 PM kdc[13723]: acl_file: /var/db/krb5kdc/acl_file.WDPMOSX.XYZ.ORG
    12/8/14 11:02:45.568 PM kdc[13723]: PKINIT: failed to find a signing certifiate with a public key
    12/8/14 11:02:45.618 PM kdc[13723]: KDC started
    Thanks again.
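    The kdc[...] lines quoted above follow a fixed pattern, so they can be triaged mechanically. The script below is an added example and is not code from this thread or from Apple: it reads a KDC log, separates "no such entry found in hdb" rejections of client principals (AS-REQ) from rejections of the krbtgt service principal (TGS-REP), and compares the realm clients are asking for with the realm named in the KDC's own "label:" startup line. The realm, user, host and address values in the embedded sample are constructed placeholders; the message formats are those of the quoted log.

```python
"""Triage of Open Directory KDC log lines (added example, not from the thread).

Realm, user, host and address values in SAMPLE_KDC_LOG are constructed
placeholders; the message formats follow the kdc[...] lines in the thread.
"""
import re
from collections import Counter

# Constructed sample: password logons (AS-REQ) and a later service-ticket
# request (TGS-REP) all fail with "no such entry found in hdb", while the KDC's
# startup banner ("label:") names a different realm than the clients request.
SAMPLE_KDC_LOG = """\
12/8/14 11:02:42.961 PM kdc[13708]: AS-REQ alice@OLD.EXAMPLE.ORG from 127.0.0.1:63580 for krbtgt/OLD.EXAMPLE.ORG@OLD.EXAMPLE.ORG
12/8/14 11:02:42.975 PM kdc[13708]: UNKNOWN -- alice@OLD.EXAMPLE.ORG: no such entry found in hdb
12/8/14 11:02:43.082 PM kdc[13708]: AS-REQ alice@OLD.EXAMPLE.ORG from 127.0.0.1:52257 for krbtgt/OLD.EXAMPLE.ORG@OLD.EXAMPLE.ORG
12/8/14 11:02:43.093 PM kdc[13708]: UNKNOWN -- alice@OLD.EXAMPLE.ORG: no such entry found in hdb
12/8/14 11:02:45.016 PM UserEventAgent[18]: Registered Workstation service - odserver [00:11:22:33:44:55]._workstation._tcp.
12/8/14 11:02:45.554 PM kdc[13723]: label: ODSERVER.EXAMPLE.ORG
12/8/14 11:02:45.554 PM kdc[13723]: dbname: od:/LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi
12/8/14 11:02:45.568 PM kdc[13723]: PKINIT: failed to find a signing certifiate with a public key
12/8/14 11:02:45.618 PM kdc[13723]: KDC started
12/8/14 11:35:47.290 AM kdc[3049]: Server not found in database: krbtgt/OLD.EXAMPLE.ORG@OLD.EXAMPLE.ORG: no such entry found in hdb
12/8/14 11:35:47.290 AM kdc[3049]: Failed building TGS-REP to 192.0.2.10:64376
"""

AS_REQ_RE = re.compile(r"kdc\[\d+\]: AS-REQ (?P<client>\S+) from (?P<addr>\S+) for (?P<server>\S+)")
# Both rejection flavours end the same way; the prefix tells client from server lookup.
HDB_MISS_RE = re.compile(r"kdc\[\d+\]: (?:UNKNOWN -- |Server not found in database: )"
                         r"(?P<principal>\S+): no such entry found in hdb")
# The "label:" startup line names the realm this KDC serves (the mkey_file suffix
# in the thread shows the same realm).
LABEL_RE = re.compile(r"kdc\[\d+\]: label: (?P<realm>\S+)")
# Matched on the stable prefix so the KDC's own spelling of "certificate" does not matter.
PKINIT_RE = re.compile(r"kdc\[\d+\]: PKINIT: failed to find a signing certif")
TGS_FAIL_RE = re.compile(r"kdc\[\d+\]: Failed building TGS-REP")


def realm_of(principal):
    """'krbtgt/R@R' or 'user@R' -> 'R' (the text after the last '@')."""
    return principal.rsplit("@", 1)[-1]


def triage_kdc_log(text):
    as_req = 0
    requested_realms = Counter()   # realm of the krbtgt/... service each AS-REQ asks for
    missing = Counter()            # principal -> number of hdb misses
    kdc_realm = None
    pkinit_warning = False
    tgs_rep_failures = 0
    for line in text.splitlines():
        m = AS_REQ_RE.search(line)
        if m:
            as_req += 1
            requested_realms[realm_of(m["server"])] += 1
            continue
        m = HDB_MISS_RE.search(line)
        if m:
            missing[m["principal"]] += 1
            continue
        m = LABEL_RE.search(line)
        if m:
            kdc_realm = m["realm"]
            continue
        if PKINIT_RE.search(line):
            pkinit_warning = True
        elif TGS_FAIL_RE.search(line):
            tgs_rep_failures += 1

    missing_tgs = {p: n for p, n in missing.items() if p.startswith("krbtgt/")}
    missing_clients = {p: n for p, n in missing.items() if not p.startswith("krbtgt/")}
    findings = []
    if missing_clients:
        findings.append("%d AS-REQ(s) rejected, client principal not in hdb: %s"
                        % (sum(missing_clients.values()), ", ".join(sorted(missing_clients))))
    if missing_tgs:
        findings.append("TGS principal missing from hdb, no service tickets can be issued: %s"
                        % ", ".join(sorted(missing_tgs)))
    foreign = sorted(set(requested_realms) - {kdc_realm}) if kdc_realm else []
    if foreign:
        findings.append("realm mismatch: clients ask for %s but this KDC is labelled %s"
                        % (", ".join(foreign), kdc_realm))
    elif kdc_realm and missing:
        findings.append("realm matches KDC label %s; the backing store named by dbname holds no "
                        "record for these principals" % kdc_realm)
    if pkinit_warning:
        findings.append("PKINIT has no signing certificate: certificate-based logon is unavailable; "
                        "password AS-REQs are unaffected by this warning")
    return {"as_req": as_req, "kdc_realm": kdc_realm, "requested_realms": dict(requested_realms),
            "missing_clients": missing_clients, "missing_tgs": missing_tgs,
            "pkinit_warning": pkinit_warning, "tgs_rep_failures": tgs_rep_failures,
            "findings": findings}


if __name__ == "__main__":
    for finding in triage_kdc_log(SAMPLE_KDC_LOG)["findings"]:
        print("-", finding)
```

    On a real server, feed it the kdc lines from the system log (for instance the Console export the thread is quoting) instead of the embedded sample. If the realm in the AS-REQs matches the KDC label, the mismatch finding is replaced by one saying the backing store itself lacks the principals, which points at the Open Directory LDAP data rather than at Kerberos configuration.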

  • Open Directory: "Unable to load replica list"

    I'm currently running Mavericks Server 3.1 on my Mac Mini at the home network. I had some issues with the client logins and went for local accounts on the clients instead. Today I finally wanted to fix the problem and go all Open Directory. But the Open Directory service was shut off when I opened the server software. I tried to turn it on but got a message saying "Unable to load replica list". I updated the software to the latest 3.1 but am still having the same issue. I never had any replica list, I only had a standard one from the start, but it seems I can't do anything there now.
    LDAP log:
    Mar 21 22:48:38 xxYY.com slapd[172]: @(#) $OpenLDAP: slapd 2.4.28 (Nov 12 2013 12:02:47) $
    [email protected]:/private/var/tmp/OpenLDAP/OpenLDAP-491.1~1/servers/slapd
    Mar 21 22:48:38 xxYY.com.com slapd[172]: daemon: SLAP_SOCK_INIT: dtblsize=8192
    Mar 21 22:48:39 xxYY.com.com slapd[172]: TLS: found identity in keychain using identity preference.
    Mar 21 22:48:42 xxYY.com.com slapd[172]: slap_add_listener: opened additional listener 'ldaps:///'
    Mar 21 22:48:42 xxYY.com.com slapd[172]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
    Mar 21 22:48:44 xxYY.com.com slapd[172]: slapd starting
    Mar 21 22:48:44 xxYY.com.com slapd[172]: daemon: posting com.apple.slapd.startup notification
    Mar 21 22:48:54 xxYY.com.com slapd[172]: => bdb_idl_delete_key: c_del id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
    Mar 21 22:48:54 xxYY.com.com slapd[172]: conn=1022 op=3: attribute "entryCSN" index delete failure
    Mar 21 22:50:02 xxYY.com.com slapd[172]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
    Mar 21 22:50:02 xxYY.com.com slapd[172]: conn=1042 op=3: attribute "entryCSN" index delete failure
    I don't understand any of this other than the obvious failure words. Can anyone understand this and help me here?
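    The slapd lines in the post above carry more information than the "failure" words: the startup messages say the directory came up with a TLS identity and an ldaps listener, and each "DB_LOCK_DEADLOCK" error is immediately followed by the write operation (conn/op) and the attribute index it broke. The script below is an added example, not code from this thread or from Apple: it parses such a log, pairs each BDB error with the index failure that follows it in the same second, and summarises which indexes are affected. The hostname, build user and timestamps in the embedded sample are constructed; the message formats are those quoted above.

```python
"""Triage of Open Directory slapd log lines (added example, not from the thread).

Host, build-user and timestamp values in SAMPLE_SLAPD_LOG are constructed;
the message formats follow the slapd[...] lines in the thread.
"""
import re
from collections import Counter

# Constructed sample: a normal startup, then two write operations whose
# entryCSN index delete fails after a BerkeleyDB deadlock.
SAMPLE_SLAPD_LOG = """\
Mar 21 22:48:38 od.example.com slapd[172]: @(#) $OpenLDAP: slapd 2.4.28 (Nov 12 2013 12:02:47) $
    builder@build.example.com:/private/var/tmp/OpenLDAP/OpenLDAP-491.1~1/servers/slapd
Mar 21 22:48:39 od.example.com slapd[172]: TLS: found identity in keychain using identity preference.
Mar 21 22:48:42 od.example.com slapd[172]: slap_add_listener: opened additional listener 'ldaps:///'
Mar 21 22:48:44 od.example.com slapd[172]: slapd starting
Mar 21 22:48:54 od.example.com slapd[172]: => bdb_idl_delete_key: c_del id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
Mar 21 22:48:54 od.example.com slapd[172]: conn=1022 op=3: attribute "entryCSN" index delete failure
Mar 21 22:50:02 od.example.com slapd[172]: => bdb_idl_delete_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
Mar 21 22:50:02 od.example.com slapd[172]: conn=1042 op=3: attribute "entryCSN" index delete failure
"""

# syslog prefix; continuation lines (e.g. the build path under the version banner) do not match
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "=> bdb_idl_delete_key: c_del id failed: DB_LOCK_DEADLOCK: ... (-30994)"
BDB_ERR_RE = re.compile(r"=> (?P<func>\w+): (?P<call>\w+) (?:id )?failed: (?P<err>[A-Z_]+): .*\((?P<code>-?\d+)\)")
# 'conn=1022 op=3: attribute "entryCSN" index delete failure'
INDEX_FAIL_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+): attribute "(?P<attr>[^"]+)" index (?P<what>\w+) failure')


def triage_slapd_log(text):
    state = {"started": False, "tls_ok": False, "listeners": [], "version": None}
    pending = None      # last BDB error, waiting for the index-failure line that reports its victim
    incidents = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("@(#) $OpenLDAP: "):
            state["version"] = msg.split("slapd ", 1)[1].split(" ", 1)[0]
        elif msg == "slapd starting":
            state["started"] = True
        elif msg.startswith("TLS: found identity"):
            state["tls_ok"] = True
        elif msg.startswith("slap_add_listener:"):
            state["listeners"].append(msg.split("'")[1])
        else:
            e = BDB_ERR_RE.search(msg)
            if e:
                pending = {"ts": m["ts"], "func": e["func"], "call": e["call"],
                           "err": e["err"], "code": int(e["code"])}
                continue
            f = INDEX_FAIL_RE.search(msg)
            if f:
                # Only attribute the error if it was logged in the same second.
                cause = pending if pending and pending["ts"] == m["ts"] else None
                incidents.append({"ts": m["ts"], "conn": int(f["conn"]), "op": int(f["op"]),
                                  "attr": f["attr"], "what": f["what"], "cause": cause})
                pending = None

    by_attr = Counter(i["attr"] for i in incidents)
    findings = []
    if state["started"] and state["tls_ok"]:
        findings.append("slapd %s started with a TLS identity and listeners %s; the failures are "
                        "runtime write errors, not startup errors" % (state["version"], state["listeners"]))
    for attr, n in sorted(by_attr.items()):
        deadlocks = sum(1 for i in incidents
                        if i["attr"] == attr and i["cause"] and i["cause"]["err"] == "DB_LOCK_DEADLOCK")
        findings.append('%d write op(s) failed on the "%s" index, %d right after a BerkeleyDB deadlock'
                        % (n, attr, deadlocks))
    if "entryCSN" in by_attr:
        findings.append("entryCSN is the change-sequence attribute that syncrepl replication tracks, "
                        "so replication-related features depend on this index being writable")
    return {**state, "incidents": incidents, "by_attr": dict(by_attr), "findings": findings}


if __name__ == "__main__":
    for finding in triage_slapd_log(SAMPLE_SLAPD_LOG)["findings"]:
        print("-", finding)
```

    The pairing rule is deliberately narrow (same second, error first): a BDB error with no index-failure line after it is dropped rather than attributed to the next unrelated write. Run it over the slapd lines from the server's system log instead of the embedded sample to see which connections and attributes are affected on a live system.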

    This procedure is a diagnostic test. It makes no changes to your data. If you have more than one user account, you must be logged in as an administrator to carry out these instructions.
    Please triple-click anywhere in the line below on this page to select it:
    sudo /usr/libexec/slapd -Tt | pbcopy
    Copy the selected text to the Clipboard by pressing the key combination command-C.
    Launch the built-in Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Paste into the Terminal window by pressing the key combination command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. You'll be prompted for your login password. Nothing will be displayed when you type it. If you don’t have a login password, you’ll need to set one before you can run the command. You may get a one-time warning to be careful. Confirm. You don't need to post the warning.
    If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator. Log in as one and start over.
    Wait for a new line ending in a dollar sign ($) to appear below what you entered.
    The output of the command will be automatically copied to the Clipboard. If the command produced no output, the Clipboard will be empty. Paste into a reply to this message.
    The Terminal window doesn't show the output. Please don't copy anything from there.
