
Setting Up Open Directory Replicas With Lion Server

In Lion Server, Open Directory can be managed in one of three ways: using the Server application, using the Server Admin application, or using the command line utilities. Configuring Open Directory has never been easier than it is in the Server application, though. As we looked at in a previous article, setting up an Open Directory master should be done using the Server application. But setting up an Open Directory replica should be done using the Server Admin application. The Server Admin application is not installed when you buy OS X Server on the App Store, so it must be downloaded separately.

But first (or while that’s downloading, even), open the Server application. If this is the first time that you’ve opened the Server application then you’re in for a bit of a wait. This is a nice time to grab yourself the first shot of Jäger of the day. Depending on your internet speed, you could end up with 3 or 4 of these. That’s fine though, the new Open Directory makes much more sense afterwards.

When you first open and start using the Server application, you’re creating local users. The Server application automatically creates local users until you set up Open Directory. Before you set up Open Directory as a Replica on the system, it should have a static IP address and a name in the DNS servers that the server uses (both forward and reverse lookups for that address must resolve). The Server application has a Next Steps drawer. Clicking on the drawer and then the Configure Network button brings up a screen that will complain if your DNS has any problems. If DNS is working correctly, then the Configure Network section of the Next Steps drawer will appear as follows:

Not to get off topic on the hostname/DNS/etc. thing, but if you decide to change names before you promote to an Open Directory Master/Replica: click on Network, click on Edit for the Host Name, and you should almost always choose the third option, Host Name for Internet…

While the Server app is cool, it caches stuff and I’ve seen it let things go that shouldn’t be let go. Therefore, in order to make sure that the server has such an address, I still recommend using changeip, but I also recommend using the Server application. In Lion, I’ve seen each find things that the other misses. To use changeip:

sudo changeip -checkhostname

The address and host names should look correct and match what you see in the Server application’s Next Steps drawer.

Primary address = 10.0.0.1

Current HostName = mdm.krypted.com
DNS HostName = mdm.krypted.com

The names match. There is nothing to change.
dirserv:success = "success"

Provided everything is cool with the hostname, open the Server Admin application from /Applications/Server. Then click on Settings in the application’s toolbar. At the Settings screen, click on Services. Click on the checkbox for the Open Directory Service and click Save to see the Open Directory service appear in the Server Admin sidebar. Then, click on Open Directory in the Server Admin sidebar and then click on the Change… button to bring up the Open Directory Assistant.

At the Choose Directory Role screen, click on Set up an Open Directory replica and then click on the Continue button.

At the Replica and Certificate Authority screen, provide the name or IP address of the Open Directory master in the IP address or DNS name of master field. Actually, just use the name. If you can’t find the Open Directory Master by name, then you should really fix that before moving forward. Also provide the Open Directory administrative user name in the Domain administrator’s short name field and that account’s password in the Domain administrator’s password field. If you have any problems, make sure you can ssh into the Open Directory master using this account.

Also, new in Lion, there’s a CA administrator’s email address field. Put in here what you put into the Organization Information field back when you promoted the master (screen shown for posterity).

If you’ve lost track of the email address you used, keep in mind that the SSL certificate can be used to grab that information. Open Keychain Access, click on Certificates, search for the host name of the Master (this is all from the master, btw) and then do a Get Info and you’ll see the Email Address used.

Anyway, back to the Open Directory Assistant on the new Replica. Click on the Continue button and finish the wizard to complete promoting the replica. That’s it. Don’t forget to check your logs when the promotion is complete.

I’ve been finding that there are a lot of issues with promoting Replicas in Lion so far. This has meant bad directory data (import + export), bad DNS, security policies, using a bad username and password combination (not the system’s fault) and other issues. To fix the bad directory data, you have to export and import (in my experience not an archive and restore but an actual export and import, losing all passwords in the process). The Next Steps drawer can guide you through the host name/DNS issues. For security policies, I’ve found the following command to work for me (run on the master):

slapconfig -setmacosxodpolicy -binding enabled

For the username and password issues (the errors don’t always tell you what is or is not a password problem) I have found using dscl or even Workgroup Manager to test the login is an important step.

You can also still use slapconfig for Open Directory replicas, a great way to get a lot of detailed information. For example, one time the replica promotion was failing because the server was a member server in a domain; however, using slapconfig -getstyle the server simply reported as Standalone. To promote a replica, you will definitely want to make sure to include the new --certAdminEmail option, followed by the email address on the master’s certificate. This is then followed by the address and the admin username of the master. For example:

slapconfig -createreplica --certAdminEmail krypted@me.com odm.pretendco.com diradmin

When slapconfig runs, it will give you a detailed account of where it failed and why.

Finally, I have noticed that some machines fail in the Server Admin GUI and Server Admin simply doesn’t show that the machine failed, but instead just makes the system a member server of the master. When this happens, I have always had to clean install the system in order to get it to promote to a replica again, properly. To make sure a replica is indeed a replica, consult slapconfig:

slapconfig -getstyle
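Since both the changeip check and the slapconfig -getstyle check above are things you want to run before and after every promotion, here is a small script that ties them together. It is an added example, not code from the original post or from Apple: it refuses to run slapconfig -createreplica unless changeip reports matching names and a dirserv success, and afterwards confirms that -getstyle reports the role you expect. The parsing functions work on the command output as text, so the constructed sample outputs at the bottom let you exercise them offline; the exact word "Replica" from -getstyle and the mismatch wording in the bad sample are assumptions, not something taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight and post-promotion
# checks around an Open Directory replica promotion on Lion Server.

# Read `changeip -checkhostname` output on stdin; succeed only when the
# names match and the directory-services check reports success.
hostname_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'The names match' || return 1
    printf '%s\n' "$out" | grep -q 'dirserv:success' || return 1
    return 0
}

# Read `slapconfig -getstyle` output on stdin and print the reported role,
# i.e. the first non-blank line with surrounding whitespace removed
# (assumed format: a single word such as Standalone, Master or Replica).
od_style() {
    awk 'NF { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# Run the real hostname check on the server being promoted.
preflight() {
    sudo changeip -checkhostname | hostname_ok
}

# promote_replica MASTER ADMIN EMAIL
# Check DNS first, promote, then confirm the server really became a replica
# (the post notes the GUI can silently leave the box as a mere member server).
promote_replica() {
    master=$1; admin=$2; email=$3
    preflight || { echo "hostname/DNS check failed; fix DNS before promoting" >&2; return 1; }
    sudo slapconfig -createreplica --certAdminEmail "$email" "$master" "$admin" || return 1
    style=$(sudo slapconfig -getstyle | od_style)
    [ "$style" = "Replica" ] || { echo "server reports '$style', not Replica" >&2; return 1; }
    echo "replica promotion confirmed"
}

# Constructed sample outputs for offline use. SAMPLE_GOOD mirrors the healthy
# changeip output shown in the post; SAMPLE_BAD is an invented mismatch case.
SAMPLE_GOOD='Primary address = 10.0.0.1

Current HostName = mdm.krypted.com
DNS HostName = mdm.krypted.com

The names match. There is nothing to change.
dirserv:success = "success"'

SAMPLE_BAD='Primary address = 10.0.0.1

Current HostName = mdm.local
DNS HostName = mdm.krypted.com

The names do not match.'

# Usage on a real server (uncomment):
# promote_replica odm.pretendco.com diradmin krypted@me.com
```

The parsers deliberately only look for the two success markers rather than trying to interpret every line changeip can print, so a new warning line in a future release fails closed instead of being mistaken for success.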

Now is when you get to have a little more Jäger. This whole process hopefully only took about 5 to 10 minutes, so it’s about time anyways. If the process took longer, then I hope you didn’t wait until now for round 2. Later, we’ll discuss directory trees and using those as a means of building sites. For that, you might want to move onto something a bit stronger, like mescaline.