bash-3.2# changeip -checkhostname dirserv:success = "success"To set up the Open Directory Master, open the Server app and click on the Open Directory service (might need to Show under Advanced in the Server app sidebar). From here, click on the ON button. For the purposes of this example, we’re setting up an entirely new Open Directory environment. At the “Configure Network Users and Groups” screen, click on “Create a new Open Directory Domain” and click on the Next button. Note: If you are restoring an archive of an existing Open Directory domain, you would select the bottom option from this list. At the Directory Administrator screen, enter a username and password for the directory administrator account. The default account is sufficient, although it’s never a bad idea to use something a bit less generic. Once you’ve entered the username and password, click on the Next button. Then we’re going to configure the SSL information. At the Organization Information screen, enter a name for the organization in the Organization Name field and an Email Address to be used in the SSL certificate in the Admin Email Address field. Click on Next. At the Confirm Settings screen, make sure these very few settings are OK with you and then click on the Set Up button to let slapconfig (the command that runs the OD setup in the background, kinda’ like a cooler dcpromo) do its thing. When the Open Directory master has been configured, there’s no need to reboot or anything, the indicator light for the Open Directory service should appear. If the promotion fails then look to the preflight options I wrote up awhile back. Clicking on the minus (“-”) button while a server is highlighted runs a slapconfig -destroyldapserver on the server and destroys the Open Directory domain if it is the only server. All domain information is lost when this happens. Click on the Edit… button and then the plus sign (“+”). It’s probably best not to use the IP address at this point as the master will have an SSL certificate tied to the name. Click OK to accept the certificate (if it’s self-signed) and then the system should finish binding. Once bound, I like to use either id or dscl to verify that directory accounts are properly resolving before I try logging in as an Open Directory user. Provided everything works that’s it. The devil is of course in the details. There is very little data worth having if it isn’t backed up. Notice that you can archive by clicking on the cog wheel icon in the Open Directory service pane, much like you could in Server Admin. Or, because this helps when it comes to automating backups (with a little expect), to run a backup from the command line, run the slapconfig command along with the -backupdb option followed by a path to a folder to back the data up to:
sudo slapconfig -backupdb /odbackupsThe result will be a request for a password then a bunch of information about the backup:
bash-3.2# sudo slapconfig -backupdb /odbackups 2014-09-23 00:26:01 +0000 slapconfig -backupdb Enter archive password: 2014-09-23 00:26:06 +0000 1 Backing up LDAP database 2014-09-23 00:26:06 +0000 popen: /usr/sbin/slapcat -l /tmp/slapconfig_backup_stage57244NLmNnX/backup.ldif, "r" 5420be1e bdb_monitor_db_open: monitoring disabled; configure monitor database to enable 2014-09-23 00:26:06 +0000 popen: /usr/sbin/slapcat -b cn=authdata -l /tmp/slapconfig_backup_stage57244NLmNnX/authdata.ldif, "r" 5420be1e bdb_monitor_db_open: monitoring disabled; configure monitor database to enable 2014-09-23 00:26:06 +0000 popen: /bin/cp /var/db/openldap/openldap-data/DB_CONFIG /tmp/slapconfig_backup_stage57244NLmNnX/DB_CONFIG, "r" 2014-09-23 00:26:06 +0000 popen: /bin/cp /var/db/openldap/authdata//DB_CONFIG /tmp/slapconfig_backup_stage57244NLmNnX/authdata_DB_CONFIG, "r" 2014-09-23 00:26:06 +0000 popen: /bin/cp -r /etc/openldap /tmp/slapconfig_backup_stage57244NLmNnX/, "r" 2014-09-23 00:26:06 +0000 popen: /bin/hostname > /tmp/slapconfig_backup_stage57244NLmNnX/hostname, "r" 2014-09-23 00:26:06 +0000 popen: /usr/sbin/sso_util info -pr /LDAPv3/127.0.0.1 > /tmp/slapconfig_backup_stage57244NLmNnX/local_odkrb5realm, "r" 2014-09-23 00:26:06 +0000 popen: /usr/bin/tar czpf /tmp/slapconfig_backup_stage57244NLmNnX/krb5backup.tar.gz /var/db/krb5kdc/kdc.conf /var/db/krb5kdc/acl_file.* /var/db/krb5kdc/m_key.* /etc/krb5.keytab , "r" tar: Removing leading '/' from member names 2014-09-23 00:26:06 +0000 2 Backing up Kerberos database 2014-09-23 00:26:06 +0000 popen: /bin/cp /var/db/dslocal/nodes/Default/config/KerberosKDC.plist /tmp/slapconfig_backup_stage57244NLmNnX/KerberosKDC.plist, "r" 2014-09-23 00:26:06 +0000 popen: /bin/cp /Library/Preferences/com.apple.openldap.plist /tmp/slapconfig_backup_stage57244NLmNnX/, "r" 2014-09-23 00:26:06 +0000 3 Backing up configuration files 2014-09-23 00:26:06 +0000 popen: /usr/bin/sw_vers > /tmp/slapconfig_backup_stage57244NLmNnX/version.txt, "r" 2014-09-23 00:26:06 +0000 popen: /bin/cp -r /var/db/dslocal /tmp/slapconfig_backup_stage57244NLmNnX/, "r" 2014-09-23 00:26:06 +0000 Backed Up Keychain 2014-09-23 00:26:06 +0000 4 Backing up CA certificates 2014-09-23 00:26:06 +0000 5 Creating archive 2014-09-23 00:26:06 +0000 command: /usr/bin/hdiutil create -ov -plist -puppetstrings -layout UNIVERSAL CD -fs HFS+ -volname ldap_bk -srcfolder /tmp/slapconfig_backup_stage57244NLmNnX -format SPARSE -encryption AES-256 -stdinpass /odbackups 2014-09-23 00:26:12 +0000 Removed directory at path /tmp/slapconfig_backup_stage57244NLmNnX. 2014-09-23 00:26:12 +0000 Removed file at path /var/run/slapconfig.lock.To restore a database (such as from a previous version of the operating system where such an important option was actually present) use the following command (which just swaps backupdb with -restoredb)
sudo slapconfig -restoredb /odbackupsBoth commands ask you for a password to encrypt and decrypt the disk image created by them.
krypted October 16th, 2014