Setup An Open Directory Master In macOS Server 5.2 On Sierra (10.12)

Open Directory has never been this easy to set up for a basic environment as it is in macOS Server 5.2 (for macOS 10.12, Sierra). It’s also never been so annoyingly simple to use that doing anything cool requires a bunch of command line foo. And never has removing replicas been so difficult. No offense to the developers, but this whole idea that the screens and concepts that were being continually refined for a decade just need to be thrown out seems to have led to a few babies thrown out along with that OD bathwater. Features mean buttons. Buttons make things a tad bit more complicated to use than an ON/OFF switch… Anyway, rant over. Moving on.

As with almost any previous version of macOS Server and Open Directory, once you’ve installed the Server app, run the changeip command along with the -checkhostname option to verify that the IP, DNS and hostname match. Proceed only if you get an indication of “Success” (the promotion will fail anyway if you try without it). I know, I know, you’ve been told that you didn’t have to do this kind of stuff any more. But really, you should, and if you don’t believe me, check out the contents of the attributes in the OD database…

bash-3.2# changeip -checkhostname
dirserv:success = "success"

To set up the Open Directory Master, open the Server app and click on the Open Directory service (you might need to Show it under Advanced in the Server app sidebar). From here, click on the ON button.

For the purposes of this example, we’re setting up an entirely new Open Directory environment. At the “Configure Network Users and Groups” screen, click on “Create a new Open Directory Domain” and click on the Next button.

Note: If you are restoring an archive of an existing Open Directory domain, you would select the bottom option from this list.

At the Directory Administrator screen, enter a username and password for the directory administrator account. The default account is sufficient, although it’s never a bad idea to use something a bit less generic. Once you’ve entered the username and password, click on the Next button. Then we’re going to configure the SSL information.

At the Organization Information screen, enter a name for the organization in the Organization Name field and an Email Address to be used in the SSL certificate in the Admin Email Address field. Click on Next.

At the Confirm Settings screen, make sure these very few settings are OK with you and then click on the Set Up button to let slapconfig (the command that runs the OD setup in the background, kinda’ like a cooler dcpromo) do its thing. When the Open Directory master has been configured there’s no need to reboot or anything; the indicator light for the Open Directory service should appear. If the promotion fails then look to the preflight options I wrote up awhile back.

Clicking on the minus (“-”) button while a server is highlighted runs slapconfig -destroyldapserver on the server and destroys the Open Directory domain if it is the only server. All domain information is lost when this happens.

Next, let’s bind a client. Binding clients can be done in a few different ways. You can use a script, a Profile, the Users & Groups System Preference pane or build binding into the imaging process. For the purpose of this example, we’ll use the System Preference pane. To get started, open System Preferences and then click on Users & Groups. From here, click on Login Options and then unlock the lock in the lower left corner of the screen, providing a username and password when prompted. Click on the Edit… button and then the plus sign (“+”). Then, enter the name of the Open Directory Master (the field will expand with options when you enter the host name). It’s probably best not to use the IP address at this point as the master will have an SSL certificate tied to the name. Click OK to accept the certificate (if it’s self-signed) and then the system should finish binding. Once bound, I like to use either id or dscl to verify that directory accounts are properly resolving before I try logging in as an Open Directory user. Provided everything works, that’s it.

The devil is of course in the details. There is very little data worth having if it isn’t backed up. Notice that you can archive by clicking on the cog wheel icon in the Open Directory service pane, much like you could in Server Admin. Or, because this helps when it comes to automating backups (with a little expect), to run a backup from the command line, run the slapconfig command along with the -backupdb option followed by a path to a folder to back the data up to:

sudo slapconfig -backupdb /odbackups

The result will be a request for a password and then a bunch of information about the backup:

bash-3.2# sudo slapconfig -backupdb /odbackups
2016-09-08 04:31:13 +0000 slapconfig -backupdb
Enter archive password:
2016-09-08 04:31:17 +0000 1 Backing up LDAP database
2016-09-08 04:31:17 +0000 popen: /usr/sbin/slapcat -l /tmp/slapconfig_backup_stage1769HtaFE7/backup.ldif, "r"
55ee6495 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2016-09-08 04:31:17 +0000 popen: /usr/sbin/slapcat -b cn=authdata -l /tmp/slapconfig_backup_stage1769HtaFE7/authdata.ldif, "r"
55ee6495 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2016-09-08 04:31:17 +0000 popen: /bin/cp /var/db/openldap/openldap-data/DB_CONFIG /tmp/slapconfig_backup_stage1769HtaFE7/DB_CONFIG, "r"
2016-09-08 04:31:17 +0000 popen: /bin/cp /var/db/openldap/authdata//DB_CONFIG /tmp/slapconfig_backup_stage1769HtaFE7/authdata_DB_CONFIG, "r"
2016-09-08 04:31:17 +0000 popen: /bin/cp -r /etc/openldap /tmp/slapconfig_backup_stage1769HtaFE7/, "r"
2016-09-08 04:31:17 +0000 popen: /bin/hostname > /tmp/slapconfig_backup_stage1769HtaFE7/hostname, "r"
2016-09-08 04:31:17 +0000 popen: /usr/sbin/sso_util info -pr /LDAPv3/127.0.0.1 > /tmp/slapconfig_backup_stage1769HtaFE7/local_odkrb5realm, "r"
2016-09-08 04:31:18 +0000 popen: /usr/bin/tar czpf /tmp/slapconfig_backup_stage1769HtaFE7/krb5backup.tar.gz /var/db/krb5kdc/kdc.conf /var/db/krb5kdc/acl_file.* /var/db/krb5kdc/m_key.* /etc/krb5.keytab , "r"
tar: Removing leading '/' from member names
2016-09-08 04:31:18 +0000 2 Backing up Kerberos database
2016-09-08 04:31:18 +0000 popen: /bin/cp /var/db/dslocal/nodes/Default/config/KerberosKDC.plist /tmp/slapconfig_backup_stage1769HtaFE7/KerberosKDC.plist, "r"
2016-09-08 04:31:18 +0000 popen: /bin/cp /Library/Preferences/com.apple.openldap.plist /tmp/slapconfig_backup_stage1769HtaFE7/, "r"
2016-09-08 04:31:18 +0000 3 Backing up configuration files
2016-09-08 04:31:18 +0000 popen: /usr/bin/sw_vers > /tmp/slapconfig_backup_stage1769HtaFE7/version.txt, "r"
2016-09-08 04:31:18 +0000 popen: /bin/cp -r /var/db/dslocal /tmp/slapconfig_backup_stage1769HtaFE7/, "r"
2016-09-08 04:31:18 +0000 Backed Up Keychain
2016-09-08 04:31:18 +0000 4 Backing up CA certificates
2016-09-08 04:31:18 +0000 5 Creating archive
2016-09-08 04:31:18 +0000 command: /usr/bin/hdiutil create -ov -plist -puppetstrings -layout UNIVERSAL CD -fs HFS+ -volname ldap_bk -srcfolder /tmp/slapconfig_backup_stage1769HtaFE7 -format SPARSE -encryption AES-256 -stdinpass /odbackups
2016-09-08 04:31:25 +0000 Removed directory at path /tmp/slapconfig_backup_stage1769HtaFE7.
2016-09-08 04:31:25 +0000 Removed file at path /var/run/slapconfig.lock.

To restore a database (such as from a previous version of the operating system where such an important option was actually present) use the following command, which just swaps -backupdb for -restoredb:

sudo slapconfig -restoredb /odbackups

Both commands ask you for a password to encrypt and decrypt the disk image created by them.
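Since the whole point of doing this from the command line is to automate it, here is an added example of the kind of wrapper I would put around slapconfig -backupdb (my script, not anything from the original post or from Apple). It does the changeip preflight first, names each archive by timestamp so nothing gets overwritten, feeds the archive password to slapconfig through expect from a root-only file instead of the command line (so it never lands in ps output or shell history), and prunes old images. The password file path /var/root/.odbackup_pass, the od- archive prefix, the 14-archive retention and the script name odbackup.sh are my assumptions; /odbackups and the two slapconfig/changeip invocations come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): unattended Open Directory backup.
# Assumptions, not anything the post states: the archive password sits in a
# root-owned, mode 0600 file (hypothetical path below), expect is installed, and
# this file is saved as odbackup.sh. /odbackups and the commands are from the post.
set -eu

PASS_FILE="${PASS_FILE:-/var/root/.odbackup_pass}"   # hypothetical; chmod 0600, owner root
BACKUP_DIR="${BACKUP_DIR:-/odbackups}"
KEEP="${KEEP:-14}"                                   # archives to retain (assumed value)

# The post runs "changeip -checkhostname" before touching OD; a backup taken from a
# host whose IP, DNS and hostname disagree is not one you want to restore from.
# $1 is the command's output; returns 0 only on the success line the post shows.
hostname_ok() {
    case "$1" in
        *'success = "success"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# One archive per run: $1 is the backup dir, $2 a YYYYmmdd-HHMMSS stamp.
# slapconfig appends .sparseimage itself (hdiutil -format SPARSE in the post's log).
archive_path() {
    printf '%s/od-%s' "$1" "$2"
}

# Drive the interactive password prompt with expect. The password is read inside
# expect from the file, so it is never an argument to any process.
run_backup() {
    target=$(archive_path "$BACKUP_DIR" "$(date +%Y%m%d-%H%M%S)")
    expect <<EOF
set fh [open "$PASS_FILE" r]
set pass [string trim [read \$fh]]
close \$fh
spawn /usr/sbin/slapconfig -backupdb "$target"
expect "Enter archive password:"
send "\$pass\r"
expect eof
EOF
    echo "$target"
}

# Keep only the newest $KEEP images; everything older is deleted.
prune_old() {
    ls -1t "$BACKUP_DIR"/od-*.sparseimage 2>/dev/null | tail -n +"$((KEEP + 1))" |
    while read -r old; do
        rm -f "$old"
    done
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    [ -f "$PASS_FILE" ] || { echo "missing $PASS_FILE" >&2; exit 1; }
    hostname_ok "$(/usr/sbin/changeip -checkhostname 2>&1)" ||
        { echo "changeip -checkhostname did not report success; aborting" >&2; exit 1; }
    run_backup
    prune_old
}

# Only run when invoked as odbackup.sh, so the functions can be sourced and tested.
case "${0##*/}" in
    odbackup.sh) main ;;
esac
```

Hook it up with a launchd job running as root and you get the same encrypted sparse image the Server app's cog-wheel archive produces, minus the typing. The password file is the weak point of this approach, so keep it root-only and back it up somewhere separate from the images; an archive you cannot decrypt is worth exactly as much as no archive.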

Use serverinfo in macOS Server 5.2 for Sierra

macOS Server 5.2 (for Sierra) comes with the /usr/sbin/serverinfo command (introduced in Mountain Lion Server). The serverinfo command is useful when programmatically obtaining information about the very basic state of an Apple Server. The first option indicates whether the Server app has been downloaded from the App Store, which is the --software option:

serverinfo --software

When used, this option reports the following if the Server.app can be found:

This system has server software installed.

Or if the software cannot be found, the following is indicated:

This system does NOT have server software installed.

The --productname option determines the name of the software app:

serverinfo --productname

If you change the name of the app from Server then the serverinfo command won’t work any longer, so the output should always be the following:

Server

The --shortversion option returns the version of the Server app being used:

serverinfo --shortversion

The output will not indicate a build number, but instead the version of the app on the computer the command is run on:

5.2

To see the build number (which should iterate with each update to the Server app from the Mac App Store), use the --buildversion option:

serverinfo --buildversion

The output shows the build of Server, which doesn’t necessarily match the OS X build number:

16S1195

Just because the Server app has been downloaded doesn’t mean the Server setup assistant has been run. To see if it has, use the --configured option:

serverinfo --configured

The output indicates whether the system is running as a server or just has the app installed (e.g. if you’re using it to connect to another server):

This system has server software configured.

You can also output all of the information into a single, easy to script against property list using the --plist option:

serverinfo --plist

The output is a list of each of the other options used:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>IsOSXServerVolume</key>
    <true/>
    <key>IsOSXServerVolumeConfigured</key>
    <true/>
    <key>IsServerHardware</key>
    <false/>
    <key>LocalizedServerProductName</key>
    <string>Server</string>
    <key>MinimumServerVersionAllowed</key>
    <string>5.0.19</string>
    <key>ServerBuildVersion</key>
    <string>16S1195</string>
    <key>ServerPerformanceModeEnabled</key>
    <false/>
    <key>ServerVersion</key>
    <string>5.2</string>
</dict>
</plist>

The Server Root can reside in a number of places. To see the path (useful when scripting commands that are relative to the ServerRoot):

serverinfo --prefix

By default, the output is as follows, which is basically like a dirname of the ServerRoot:
/Applications/Server.app/Contents/ServerRoot
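The --plist output is the one worth scripting against, because a script can check several of those keys in one call instead of parsing the English sentences the other options print. As an added example (mine, not from the original post or from Apple), here is a plain sh/awk reader for that plist that works without PlistBuddy, plus a preflight that only passes when Server.app is both present and has had the setup assistant run, which is the state the slapconfig commands above expect. The embedded plist is a constructed copy of the output shown in the post and is used when /usr/sbin/serverinfo is not on the machine running the script.

```shell
#!/bin/sh
# Added example (not from the original post): read values out of "serverinfo --plist".
# Uses only awk so it also runs on a box without PlistBuddy; the SAMPLE_PLIST below
# is a constructed copy of the post's output, used when serverinfo is absent.

# Print the value for key $1 from a plist on stdin. Booleans print "true"/"false",
# strings print their contents, anything else prints nothing.
plist_value() {
    awk -v want="$1" '
        # Remember the key just seen; the next <true/>, <false/> or <string> belongs to it.
        index($0, "<key>")  { sub(".*<key>", ""); sub("</key>.*", ""); key = $0; next }
        key == want && index($0, "<true/>")  { print "true";  exit }
        key == want && index($0, "<false/>") { print "false"; exit }
        key == want && index($0, "<string>") { sub(".*<string>", ""); sub("</string>.*", ""); print; exit }
    '
}

# Constructed sample (values as shown in the post).
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>IsOSXServerVolume</key>
    <true/>
    <key>IsOSXServerVolumeConfigured</key>
    <true/>
    <key>IsServerHardware</key>
    <false/>
    <key>LocalizedServerProductName</key>
    <string>Server</string>
    <key>MinimumServerVersionAllowed</key>
    <string>5.0.19</string>
    <key>ServerBuildVersion</key>
    <string>16S1195</string>
    <key>ServerPerformanceModeEnabled</key>
    <false/>
    <key>ServerVersion</key>
    <string>5.2</string>
</dict>
</plist>'

# Live output on a Mac with Server.app, the constructed sample everywhere else.
get_plist() {
    if [ -x /usr/sbin/serverinfo ]; then
        /usr/sbin/serverinfo --plist
    else
        printf '%s\n' "$SAMPLE_PLIST"
    fi
}

# Returns 0 only when the app is installed AND the setup assistant has completed;
# "installed but not configured" is exactly the case the --configured option exists for.
server_configured() {
    [ "$(printf '%s\n' "$1" | plist_value IsOSXServerVolume)" = "true" ] &&
    [ "$(printf '%s\n' "$1" | plist_value IsOSXServerVolumeConfigured)" = "true" ]
}

plist=$(get_plist)
if server_configured "$plist"; then
    echo "Server $(printf '%s\n' "$plist" | plist_value ServerVersion)" \
         "(build $(printf '%s\n' "$plist" | plist_value ServerBuildVersion)) is configured"
else
    echo "Server.app is not configured on this host; skipping server-only steps" >&2
fi
```

Dropping server_configured in front of any slapconfig or serveradmin call in a deployment script turns "the command failed halfway through" into a clean refusal on a host that merely has the app copied onto it.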
You can also see whether the system is running on actual hardware designated by Apple for servers using the --hardware option:

serverinfo --hardware

The output simply indicates if the hardware shipped with OS X Server on it from Apple:

This system is NOT running on server hardware.

The --perfmode option indicates whether or not the performance mode has been enabled, dedicating resources to binaries within the Server app:

serverinfo --perfmode

If the performance mode has not been enabled then the output will be as such:

Server performance mode is NOT enabled.

To enable performance mode, you can also use serverinfo. This is the only task the command does that can make any changes to the system and as such is the only time you need to elevate privileges:

sudo serverinfo --setperfmode 1

Or set the boolean value back to 0 to disable:

sudo serverinfo --setperfmode 0

Note: This isn’t really working for me right now, but I filed a radar and guessing it will shortly.

Demote Open Directory Servers Using The Command Line

The command to create and tear down an Open Directory environment is slapconfig. When you disable Open Directory from the Server app you aren’t actually removing users. To do so, you’d use slapconfig along with the -destroyldapserver option. When run, you get a little insight into what’s happening behind the scenes:

bash-3.2# slapconfig -destroyldapserver

Note: Currently the system is not working as intended on replicas. The replica will remove itself, but the Open Directory Master will not remove the replica from the Open Directory list. The process will fail in 10.12 and above. I’ve filed a radar on this. You can archive and restore the master and then rebuild the Open Directory tree. The logs are as follows:

2016-09-08 04:17:58 +0000 slapconfig -destroyldapserver
2016-09-08 04:17:58 +0000 Deleting Cert Authority related data
2016-09-08 04:17:58 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/Krypted Open Directory Certificate Authority.
2016-09-08 04:17:58 +0000 command: /usr/sbin/xscertadmin add --reason 5 --issuer Krypted Open Directory Certificate Authority --serial 3449505949
2016-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
2016-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
2016-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
2016-09-08 04:18:19 +0000 Stopping LDAP server (slapd)
2016-09-08 04:18:20 +0000 Stopping password server
2016-09-08 04:18:24 +0000 Removed all service principals from keytab for realm OSXSERVER.KRYPTED.COM
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/mail.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/alock.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2016-09-08 04:18:24 +0000 Removed directory at path /var/db/openldap/authdata.
2016-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2016-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.conf.
2016-09-08 04:18:24 +0000 Removed file at path /etc/openldap/rootDSE.ldif.
2016-09-08 04:18:24 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist.
2016-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2016-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2016-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.
2016-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2016-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2016-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2016-09-08 04:18:27 +0000 Stopping password server
2016-09-08 04:18:27 +0000 Removed file at path /etc/ntp_opendirectory.conf.
2016-09-08 04:18:27 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.