Tiny Deathstars of Foulness

Open Directory has never been so easy to set up for a basic environment as it is in OS X Mountain Lion Server. It’s also never been so annoyingly simple that doing anything cool requires a bunch of command line foo. No offense to the developers, but this whole idea that the screens that were being continually refined for a decade just need to be thrown out and started fresh seems to have led to a few babies thrown out along with them. Not often, as I’m kinda’ digging most of the new config screens in OS X Mountain Lion Server, but with Open Directory, it’s just too easy. Features mean buttons. Buttons make things a tad bit more complicated to use than an ON/OFF switch…

Anyway, rant over. Moving on. As with almost any previous version of OS X Server and Open Directory, once you’ve installed the Server app, run the changeip command along with the -checkhostname option to verify that the IP, DNS and hostname match. If (and only if, as the setup will fail if you try anyway) you get the indication “The names match. There is nothing to change.” then you can move on to setting up the service.

Note: There’s this thing called the Next Steps Drawer. No matter what it says, I still won’t proceed until changeip checks clean.

To set up the Open Directory Master, open the Server app and click on the Open Directory service. From here, click on the ON button.

For the purposes of this example, we’re setting up an entirely new Open Directory environment. At the “Configure Network Users and Groups” screen, click on “Create a new Open Directory Domain” and click on the Next button.

At the Directory Administrator screen, enter a username and password for the directory administrator account. The default account is sufficient, although it’s never a bad idea to use something a bit less generic.

Once you’ve entered the username and password, click on the Next button. Then we’re going to configure the SSL information.

At the Organization Information screen, enter a name for the organization in the Organization Name field and an Email Address to be used in the SSL certificate in the Admin Email Address field. Click on Next.

At the Confirm Settings screen, make sure these very few settings are OK with you and then click on the Set Up button to let slapconfig (the command that runs the OD setup in the background, kinda’ like a cooler dcpromo) do its thing. When the Open Directory master has been configured there’s no need to reboot or anything; the indicator light for the Open Directory service should simply appear. If the promotion fails, look to the preflight options I wrote up a while back.

Once the promotion is complete, you’ll also see the server listed in the Servers list. Here, click on the server and click on the Global Password Policy option in the cog-wheel menu. This is where you can configure the parameters that passwords must meet in order to be usable on the system.

Clicking on the minus (“-”) button while a server is highlighted runs a slapconfig -destroyldapserver on the server and destroys the Open Directory domain if it is the only server. All domain information is lost when this happens.

Next, let’s bind a client. Binding clients can be done in a few different ways. You can use a script, a Profile, the Users & Groups System Preference pane or build binding into the imaging process. For the purpose of this example, we’ll use the System Preference pane.

To get started, open up the System Preference pane and then click on Users & Groups. From here, click on Login Options and then unlock the lock in the lower left corner of the screen, providing a username and password when prompted.

Click on the Edit… button and then the plus sign (“+”). Then, enter the name of the Open Directory Master (the field will expand with options when you enter the host name).

It’s probably best not to use the IP address at this point as the master will have an SSL certificate tied to the name. Click OK to accept the certificate (if it’s self-signed) and then the system should finish binding. Once bound, I like to use either id or dscl to verify that directory accounts are properly resolving before I try logging in as an Open Directory user.

Provided everything works, that’s it. The devil is of course in the details. There is very little data worth having if it isn’t backed up. Notice that the old Archive and Restore options are gone. To run a backup, run the slapconfig command along with the -backupdb option followed by a path to a folder to back the data up to:

sudo slapconfig -backupdb /odbackups

To restore a database (such as from a previous version of the operating system where such an important option was actually present) use the following command (which just swaps -backupdb with -restoredb):

sudo slapconfig -restoredb /odbackups

Both commands ask you for a password to encrypt and decrypt the disk image created by them.
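The two pieces of command line work in this post, the changeip -checkhostname preflight and the slapconfig -backupdb backup, tend to get run together, so here is a small sh script that strings them up. This is an added example, not code from the original post; it assumes changeip and slapconfig are in the PATH on the server, matches the exact “The names match. There is nothing to change.” line quoted above, and writes each backup into a timestamped subfolder (a choice of this example, not of slapconfig) under the /odbackups base used in the post:

```shell
#!/bin/sh
# Preflight and backup helper for an OS X Mountain Lion Server Open Directory master.
# Added example: assumes `changeip` and `slapconfig` are available on the server.

# Returns 0 only when changeip's output carries the success line the post quotes.
# Takes the output as an argument so the check can be exercised without changeip.
names_match() {
  case "$1" in
    *"The names match. There is nothing to change."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Builds a timestamped backup folder path under a base directory (default /odbackups).
# The timestamp can be passed in explicitly, otherwise the current time is used.
backup_path() {
  base="${1:-/odbackups}"
  stamp="${2:-$(date +%Y%m%d-%H%M%S)}"
  printf '%s/od-%s\n' "$base" "$stamp"
}

# Runs the hostname preflight and, only if it passes, the slapconfig backup.
# slapconfig still prompts for the passphrase that encrypts the backup disk image.
od_preflight_and_backup() {
  out=$(changeip -checkhostname 2>&1)
  if ! names_match "$out"; then
    printf 'changeip reports an IP/DNS/hostname mismatch; fix DNS first:\n%s\n' "$out" >&2
    return 1
  fi
  dest=$(backup_path "${1:-/odbackups}")
  mkdir -p "$dest" || return 1
  chmod 700 "$dest"   # the backup holds the whole directory; keep it root-only
  sudo slapconfig -backupdb "$dest"
}

# Usage: sh od-backup.sh run [/path/to/backup/base]
if [ "${1:-}" = "run" ]; then
  od_preflight_and_backup "${2:-}"
fi
```

Restoring is the same path handed to slapconfig -restoredb, so the timestamped folder name tells you which backup you are restoring.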

August 10th, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


  • As always, great stuff!

  • Jay

    Do you have a recommended strategy for automating the backup of OD with:

    slapconfig -backupdb /odbackups

    Obviously, that’s an interactive prompt, and the old method of serveradmin command dirserv etc. doesn’t seem to work any more.

  • hydro

    > Click OK to accept the certificate (if it’s self-signed)
    > and then the system should finish binding.

    I have a MacBook Air running Mountain Lion, on the same LAN. A user account is capable of binding to my Mountain Lion Server. However, in doing so, even after electing to trust the server when it presents the client with the cert, the client soon after presents another alert panel to the effect of “This server does not provide a secure (SSL) connection”. I’m able to select Continue and then bind. However, I don’t understand why this panel appears. On my Mountain Lion Server I’ve got a self signed cert (whose CN is the host name of the server along with an email address which is the same that I used when first instantiating a new OD Master). My system is a clean build (not an upgrade). Any suggestions?

    • Are you choosing to permanently accept the certificate?

  • hb

    You have a substantial omission (and I don’t know if your omission was intentional or unintentional). Case in point:

    For a relatively simple 10.8 OS X Server config for those who desire to initialize the server to provision on a private LAN with VPN (the middle radio button option on one of the first panels to appear in Server app when inaugurating it, titled “Accessing your Server”) … when instantiating a new Open Directory Master in this context, and using the default self-signed SSL cert that Server app creates upon its inauguration, the default self-signed SSL cert changes its name to include “OD Intermediate CA” (apparently by adding the org name and email address in the OD Master creation process, this requires a modification of the default SSL cert), so its details then toggle to “This certificate was signed by an untrusted issuer”.

    Upon searching the PDF version of your O’Reilly book on OS X Lion Server, for the word “intermediate” (hoping to find a suggestion as to how to resolve this), I get zero search results.


    • Other than trusting the cert on clients before using it, I have been manually generating a CSR (the stock cert doesn’t have enough details), installing the publicly signed cert and then choosing that with slapconfig to set up the Master. Been meaning to do a post on that…


  • Kim has some of the best Mac OS X docs I’ve found. Thank you for sharing!

    I have a question about something that’s been bugging me:

    When OS X Server is installed and/or DNS is set up, it creates a primary zone named after the hostname (e.g., rather than the domain name (e.g. When one creates an Open Directory Server, the open directory is named after the host name, rather than the domain–same story.

    Wouldn’t it make more sense to have the OD be with a primary DNS zone to match?

    Presently, I end up creating a second primary zone for along with to get stuff working.

    How do you do it for krypted?



    • Jay

      I, too, have always found it annoying. In the Server Admin days, you could specify the REALM and LDAP base when creating the OD master (after fixing the DNS). This isn’t possible with, and in Lion, while you could still use Server to create an OD Master / realm, it seemed to miss some of the secret sauce needed to make Profile Manager work correctly. I even tried using to initially create the OD / realm, then used sso_util to destroy and rebuild the realm with the correct REALM name, but it never quite worked out well for me, so I conceded, and just deal with a realm of HOST.EXAMPLE.COM, and a base of dc=host, dc=example, dc=com.

  • Darryl

    What if the DNS hostname check indicates “not available, you must repair DNS and rerun the tool”? How exactly is that repaired?