Demote Open Directory Servers Using The Command Line in macOS Server

The command to create and tear down an Open Directory environment is slapconfig. When you disable Open Directory from the Server app you aren’t actually removing users. To do so, you’d use slapconfig along with the -destroyldapserver. When run, you get a little insight into what’s happening behind the scenes. This results in the following:

bash-3.2# sudo slapconfig -destroyldapserver

The logs are as follows:

2017-09-09 20:59:31 +0000 slapconfig -destroyldapserver 2017-09-09 20:59:31 +0000 Deleting Cert Authority related data 2017-09-09 20:59:31 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/krypted Open Directory Certificate Authority. 2017-09-09 20:59:31 +0000 command: /usr/sbin/xscertadmin add –reason 5 –issuer krypted Open Directory Certificate Authority –serial 1339109282 2017-09-09 20:59:51 +0000 Could not find matching identity in system keychain 2017-09-09 20:59:51 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist 2017-09-09 20:59:51 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist 2017-09-09 20:59:51 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist 2017-09-09 20:59:51 +0000 Stopping LDAP server (slapd) 2017-09-09 20:59:53 +0000 Stopping password server 2017-09-09 20:59:56 +0000 Removed all service principals from keytab for realm MACOSSERVER.KRYPTED.COM 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/mail.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.004. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.003. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.002. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.005. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.006. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.001. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/alock. 2017-09-09 20:59:56 +0000 Removed directory at path /var/db/openldap/authdata. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/slapd.conf. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/rootDSE.ldif. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist. 2017-09-09 20:59:56 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif. 2017-09-09 20:59:56 +0000 Removed directory at path /etc/openldap/slapd.d. 2017-09-09 20:59:56 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif. 2017-09-09 20:59:56 +0000 Removed directory at path /etc/openldap/slapd.d.backup. 2017-09-09 20:59:59 +0000 Stopping password server 2017-09-09 20:59:59 +0000 Removed file at path /etc/ntp_opendirectory.conf. 2017-09-09 20:59:59 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.

Server.app and Open Directory Rebuilds in Lion

Server.app in Lion is a pretty good app for most tasks. But I find myself frequently doing things that I don’t think developers intended me to do. One such item is setting up and tearing down Open Directory to test various iterations of enabling a master. I frequently use slapconfig to destroyldapserver: slapconfig -destroyldapserver Doing so almost immediately allows me to demote an Open Directory master to a stand-alone server and then repromote the server to a master or replica for testing purposes. If you do this, then Open Directory  cannot be set back up using Server.app. The fix is to use Server Admin to repromote your server back to an Open Directory master and then use Server Admin to more graciously demote the server back to stand-alone. Until you do this, the Server.app will error out on Open Directory promotions that the server is already an Open Directory master. A change I’ve made to my workflow when nukin’ and pavin’ OD is to just use Server Admin for the paving part. If you demote with Server Admin you won’t have these issues. Hope this helps someone who finds similar wonkiness.