Tiny Deathstars of Foulness

Every now and then I see an Open Directory database that’s gotten corrupt for one reason or another. To be more specific, while I see Kerberos get wonky and password server issues from time to time, every now and then I see the actual LDAP database throw errors like this one, when checked with slapd:

    /usr/libexec/slapd -Tt

Corruption usually looks a little something like this:

    51890ba0 ldif_read_file: checksum error on "/var/db/openldap/openldap-data/cn.bdb"
    51890ba0 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
    config file testing succeeded

If the bdb (Berkeley Database) files can’t be read in properly, then you can do a sanity check with slaptest to see if there are other issues as well:

    slaptest -f /private/etc/openldap/slapd.conf -v

Provided that your problems are with the bdb files and not the ldif files, which can easily be grabbed from another OD box, you can then recover the database using db_recover, along with the -h option to define the directory your bdb files reside in (/var/db/openldap/openldap-data in OS X Server):

    db_recover -h /var/db/openldap/openldap-data/

Note: always back up first. If errors continue, then you can also run db_recover with the -c option, which performs a “catastrophic” recovery.

Also, before you do a db_recover, OD will need to be stopped. Chances are, if you have corruption then the database will already be stopped; however, check first:

    serveradmin fullstatus dirserv

If it’s running, stop it:

    serveradmin stop dirserv

Once you’re done, there’s no longer a need to reboot each time you do this kind of thing, which is actually a huge time saver, so just swap the stop with start and you’re good:

    serveradmin start dirserv
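The steps above can be wrapped so they always run in the safe order (check, stop, back up, recover, re-check, start). This is an added example, not a script from the original post; the function names, the BACKUP_DIR location and the assumed `state = "RUNNING"` line in the fullstatus output are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root on the OD server.
DB_DIR="${DB_DIR:-/var/db/openldap/openldap-data}"  # bdb directory named in the post
BACKUP_DIR="${BACKUP_DIR:-/var/backups/od}"         # assumption: hypothetical backup location
SLAPD="${SLAPD:-/usr/libexec/slapd}"

od_is_running() {
    # Assumption: fullstatus prints a line such as: dirserv:state = "RUNNING"
    serveradmin fullstatus dirserv | grep -q 'state = "RUNNING"'
}

# Usage: recover_od_bdb [catastrophic]; prints the backup archive path on success.
recover_od_bdb() {
    mode="${1:-normal}"
    backup="$BACKUP_DIR/openldap-data-$(date +%Y%m%d-%H%M%S).tar.gz"
    [ -d "$DB_DIR" ] || { echo "missing $DB_DIR" >&2; return 1; }

    # db_recover must not run against a live database.
    if od_is_running; then
        serveradmin stop dirserv >&2 || return 1
    fi

    # Archive the files before anything rewrites them; the archive holds
    # directory data, so keep it readable by root only.
    mkdir -p "$BACKUP_DIR" || return 1
    (umask 077; tar -czf "$backup" -C "$DB_DIR" .) || { echo "backup failed" >&2; return 1; }

    if [ "$mode" = "catastrophic" ]; then
        db_recover -c -h "$DB_DIR" >&2 || return 1
    else
        db_recover -h "$DB_DIR" >&2 || return 1
    fi

    # The post's sample output shows "config file testing succeeded" printed
    # alongside the checksum error, so inspect the text as well as the exit status.
    if ! check=$("$SLAPD" -Tt 2>&1) || printf '%s\n' "$check" | grep -q 'checksum error'; then
        printf '%s\n' "$check" >&2
        echo "still corrupt; dirserv left stopped, backup at $backup" >&2
        return 1
    fi

    serveradmin start dirserv >&2 || return 1
    echo "$backup"
}

# Run only when invoked as: sh od_recover.sh --run [catastrophic]
if [ "${1:-}" = "--run" ]; then recover_od_bdb "${2:-}"; fi
```

If the re-check still reports a checksum error, the function leaves dirserv stopped and keeps the archive so the original files can be restored.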

May 7th, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security
