Tiny Deathstars of Foulness

Mac OS X Server uses the slapconfig command to promote Open Directory Masters and Replicas. In Lion there is less and less dependency on slapconfig, as not all aspects of an Open Directory environment are known throughout the system when performing LDAP operations through the command line (e.g. using -createldapmasterandadmin or -create. For example, if you use the tried and true -destroyldapserver option, the will no longer be able to promote a new Master and you’ll need to use Server Admin to create and then destroy that Master again in order for to be OK with your configuration changes.

But there are things we’ll still want to use slapconfig for. One of the more useful ones is checking that the environment is suitable for being an Open Directory server before you promote anything. For starters, let’s check the version of slapconfig:

/usr/sbin/slapconfig -ver

The version should be 1.2 or higher. However, as with Apache and a few other services, Apple has forked the build from the open source community, so let’s also look at the Apple version of slapconfig. This is done using a hidden option, -appleversion:

/usr/sbin/slapconfig -appleversion

Then, let’s run slapconfig to check that the machine is suitable to be a Master. This is another hidden option, -preflightmaster. It uses the same syntax as -createldapmasterandadmin (and should at this point always be run as a sanity check prior to -createldapmasterandadmin). Syntax is as follows, where positions 1, 2 and 3 are the short name, long name and UID of the initial directory admin account:

/usr/sbin/slapconfig -preflightmaster diradmin "Directory Administrator" 1050

The slapconfig command can also be used to preflight a replica prior to promotion. The syntax there is the same as the -createreplica syntax, used as follows, assuming the master has an IP address of

/usr/sbin/slapconfig -preflightreplica diradmin

Additionally, there are other hidden options for handling the certificates that get created, deleted and managed as part of the Open Directory creation process (e.g. -addcaforreplica and -restorerootca), Kerberos (e.g. -cankerberize) and relays (e.g. -getrelayconfig).
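As an added example (not from the original post), here is a small POSIX shell wrapper that runs the checks above in order (slapconfig version at least 1.2, -appleversion, -preflightmaster) and only calls -createldapmasterandadmin when they all pass. It assumes the version number is the first digit-and-dot run in the -ver output, and it lets SLAPCONFIG be pointed at a stub so the gating logic can be exercised off a real server.

```shell
#!/bin/sh
# Added example, not from the original post: gate Open Directory Master
# promotion on the slapconfig checks described above, so that
# -createldapmasterandadmin only runs after the version check and
# -preflightmaster succeed. SLAPCONFIG may be overridden (e.g. with a
# stub) for testing; the default is the real binary.
SLAPCONFIG="${SLAPCONFIG:-/usr/sbin/slapconfig}"

# version_at_least HAVE NEED: succeed if dotted version HAVE >= NEED.
# Components compare numerically; missing ones count as 0 (1.2 >= 1.2.0).
version_at_least() {
  _have=$1; _need=$2
  while [ -n "$_need" ]; do
    _h=${_have%%.*}; _n=${_need%%.*}
    [ -z "$_h" ] && _h=0
    [ "$_h" -gt "$_n" ] && return 0
    [ "$_h" -lt "$_n" ] && return 1
    case $_have in *.*) _have=${_have#*.} ;; *) _have= ;; esac
    case $_need in *.*) _need=${_need#*.} ;; *) _need= ;; esac
  done
  return 0
}

# preflight_master SHORTNAME LONGNAME UID: run the checks from the post.
# A non-zero return means the box is not ready and must not be promoted.
preflight_master() {
  # Assumption: the version is the first digit/dot run printed by -ver.
  _ver=$("$SLAPCONFIG" -ver 2>&1 | grep -o '[0-9][0-9.]*' | head -n 1)
  if ! version_at_least "${_ver:-0}" 1.2; then
    echo "slapconfig version '${_ver:-unknown}' is below 1.2" >&2
    return 1
  fi
  echo "Apple build of slapconfig: $("$SLAPCONFIG" -appleversion 2>&1)"
  if ! "$SLAPCONFIG" -preflightmaster "$1" "$2" "$3"; then
    echo "-preflightmaster failed for $1; not promoting" >&2
    return 1
  fi
}

# promote_master SHORTNAME LONGNAME UID: promote only if preflight passes.
promote_master() {
  preflight_master "$@" || return 1
  "$SLAPCONFIG" -createldapmasterandadmin "$1" "$2" "$3"
}

# Stand-alone use: ./od-preflight.sh diradmin "Directory Administrator" 1050
if [ $# -eq 3 ]; then promote_master "$@"; fi
```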

January 31st, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Network Infrastructure