krypted.com

Tiny Deathstars of Foulness

Open Directory has never been this easy to setup for a basic environment as it is in macOS Server 5.2 (for macOS 10.12 on Sierra). It’s also never been so annoyingly simple to use that to do anything cool requires a bunch of command line foo. And never has removing replicas been so difficult. No offense to the developers, but this whole idea that the screens and concepts that were being continually refined for a decade just need to be thrown out seems to have led to a few babies thrown out along with that OD bathwater. Features mean buttons. Buttons make things a tad bit more complicated to use than an ON/OFF switch… Anyway, rant over. Moving on. As with almost any previous version of macOS Server and Open Directory, once you’ve installed the Server app, run the changeip command along with the -checkhostname option to verify that the IP, DNS and hostname match. If (and only if as it will fail if you try anyway) you get an indication of “Success.” I know, I know, you’ve been told that you didn’t have to do this kind of stuff any more. But really, you should – and if you don’t believe me, check out the contents of the attributes in the OD database… bash-3.2# changeip -checkhostname dirserv:success = "success" To set up the Open Directory Master, open the Server app and click on the Open Directory service (might need to Show under Advanced in the Server app sidebar). From here, click on the ON button. screen-shot-2016-09-25-at-9-58-14-pm For the purposes of this example, we’re setting up an entirely new Open Directory environment. At the “Configure Network Users and Groups” screen, click on “Create a new Open Directory Domain” and click on the Next button. screen-shot-2016-09-25-at-9-58-59-pm Note: If you are restoring an archive of an existing Open Directory domain, you would select the bottom option from this list. At the Directory Administrator screen, enter a username and password for the directory administrator account. The default account is sufficient, although it’s never a bad idea to use something a bit less generic. screen-shot-2016-09-25-at-9-59-34-pm Once you’ve entered the username and password, click on the Next button. Then we’re going to configure the SSL information. screen-shot-2016-09-25-at-10-00-17-pm At the Organization Information screen, enter a name for the organization in the Organization Name field and an Email Address to be used in the SSL certificate in the Admin Email Address field. Click on Next. screen-shot-2016-09-25-at-10-00-40-pm At the Confirm Settings screen, make sure these very few settings are OK with you and then click on the Set Up button to let slapconfig (the command that runs the OD setup in the background, kinda’ like a cooler dcpromo) do its thing. When the Open Directory master has been configured, there’s no need to reboot or anything, the indicator light for the Open Directory service should appear. If the promotion fails then look to the preflight options I wrote up awhile back. screen-shot-2016-09-25-at-10-01-20-pm Clicking on the minus (“-”) button while a server is highlighted runs a slapconfig -destroyldapserver on the server and destroys the Open Directory domain if it is the only server. All domain information is lost when this happens. screen-shot-2016-09-25-at-10-01-55-pm Next, let’s bind a client. Binding clients can be done in a few different ways. You can use a script, a Profile, the Users & Groups System Preference pane or build binding into the imaging process. For the purpose of this example, we’ll use the System Preference pane. To get started, open up the System Preference pane and then click on Users & Groups. From here, click on Login Options and then unlock the lock in the lower left corner of the screen, providing a username and password when prompted. screen-shot-2016-09-25-at-10-02-44-pm Click on the Edit… button and then the plus sign (“+”). screen-shot-2016-09-25-at-10-03-15-pm Then, enter the name of the Open Directory Master (the field will expand with options when you enter the host name. screen-shot-2016-09-25-at-10-03-43-pm It’s probably best not to use the IP address at this point as the master will have an SSL certificate tied to the name. Click OK to accept the certificate (if it’s self-signed) and then the system should finish binding. Once bound, I like to use either id or dscl to verify that directory accounts are properly resolving before I try logging in as an Open Directory user. Provided everything works that’s it. The devil is of course in the details. There is very little data worth having if it isn’t backed up. Notice that you can archive by clicking on the cog wheel icon in the Open Directory service pane, much like you could in Server Admin. Or, because this helps when it comes to automating backups (with a little expect), to run a backup from the command line, run the slapconfig command along with the -backupdb option followed by a path to a folder to back the data up to: sudo slapconfig -backupdb /odbackups The result will be a request for a password then a bunch of information about the backup: bash-3.2# sudo slapconfig -backupdb /odbackups 2016-09-08 04:31:13 +0000 slapconfig -backupdb Enter archive password: 2016-09-08 04:31:17 +0000 1 Backing up LDAP database 2016-09-08 04:31:17 +0000 popen: /usr/sbin/slapcat -l /tmp/slapconfig_backup_stage1769HtaFE7/backup.ldif, "r" 55ee6495 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable 2016-09-08 04:31:17 +0000 popen: /usr/sbin/slapcat -b cn=authdata -l /tmp/slapconfig_backup_stage1769HtaFE7/authdata.ldif, "r" 55ee6495 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable 2016-09-08 04:31:17 +0000 popen: /bin/cp /var/db/openldap/openldap-data/DB_CONFIG /tmp/slapconfig_backup_stage1769HtaFE7/DB_CONFIG, "r" 2016-09-08 04:31:17 +0000 popen: /bin/cp /var/db/openldap/authdata//DB_CONFIG /tmp/slapconfig_backup_stage1769HtaFE7/authdata_DB_CONFIG, "r" 2016-09-08 04:31:17 +0000 popen: /bin/cp -r /etc/openldap /tmp/slapconfig_backup_stage1769HtaFE7/, "r" 2016-09-08 04:31:17 +0000 popen: /bin/hostname > /tmp/slapconfig_backup_stage1769HtaFE7/hostname, "r" 2016-09-08 04:31:17 +0000 popen: /usr/sbin/sso_util info -pr /LDAPv3/127.0.0.1 > /tmp/slapconfig_backup_stage1769HtaFE7/local_odkrb5realm, "r" 2016-09-08 04:31:18 +0000 popen: /usr/bin/tar czpf /tmp/slapconfig_backup_stage1769HtaFE7/krb5backup.tar.gz /var/db/krb5kdc/kdc.conf /var/db/krb5kdc/acl_file.* /var/db/krb5kdc/m_key.* /etc/krb5.keytab , "r" tar: Removing leading '/' from member names 2016-09-08 04:31:18 +0000 2 Backing up Kerberos database 2016-09-08 04:31:18 +0000 popen: /bin/cp /var/db/dslocal/nodes/Default/config/KerberosKDC.plist /tmp/slapconfig_backup_stage1769HtaFE7/KerberosKDC.plist, "r" 2016-09-08 04:31:18 +0000 popen: /bin/cp /Library/Preferences/com.apple.openldap.plist /tmp/slapconfig_backup_stage1769HtaFE7/, "r" 2016-09-08 04:31:18 +0000 3 Backing up configuration files 2016-09-08 04:31:18 +0000 popen: /usr/bin/sw_vers > /tmp/slapconfig_backup_stage1769HtaFE7/version.txt, "r" 2016-09-08 04:31:18 +0000 popen: /bin/cp -r /var/db/dslocal /tmp/slapconfig_backup_stage1769HtaFE7/, "r" 2016-09-08 04:31:18 +0000 Backed Up Keychain 2016-09-08 04:31:18 +0000 4 Backing up CA certificates 2016-09-08 04:31:18 +0000 5 Creating archive 2016-09-08 04:31:18 +0000 command: /usr/bin/hdiutil create -ov -plist -puppetstrings -layout UNIVERSAL CD -fs HFS+ -volname ldap_bk -srcfolder /tmp/slapconfig_backup_stage1769HtaFE7 -format SPARSE -encryption AES-256 -stdinpass /odbackups 2016-09-08 04:31:25 +0000 Removed directory at path /tmp/slapconfig_backup_stage1769HtaFE7. 2016-09-08 04:31:25 +0000 Removed file at path /var/run/slapconfig.lock. To restore a database (such as from a previous version of the operating system where such an important option was actually present) use the following command (which just swaps backupdb with -restoredb) sudo slapconfig -restoredb /odbackups Both commands ask you for a password to encrypt and decrypt the disk image created by them.

October 4th, 2016

Posted In: Mac OS X Server

Tags: , , , , ,

You’ve got Open Directory running and humming beautifully in OS X Server 5 (running on OS X Yosemite or OS X El Capitan). You show up to work and the hard drive has died on that perfectly configured Open Directory Master. Luckily, you have a replica and you have an archive of your Master. You can restore or you can promote your Replica to a Master. What to do? Well, I can’t tell you what you should do, but I can tell you that Apple has planned for this. Here, we’re going to look at promoting that Replica to a Master. Because after all, hard drives fail. Let’s look at what all this looks like.

Create An Open Directory Archive
In order to properly restore an Open Directory Master or promote a Replica to a Master, you’ll need the SSL keys. You should also just keep archives of your Open Directory environment around (albeit in a secure location) because you really never know. To create an Open Directory Archive, which has the keys in it as well as data needed to restore a Master, first open the Server app. From within the Server app, click on the Open Directory service.
Screen Shot 2015-09-24 at 10.28.01 PM
Towards the bottom of the screen, click on the cog wheel icon.
Screen Shot 2015-09-24 at 10.28.22 PM
At the menu, click Archive Open Directory Master…
Screen Shot 2015-09-24 at 10.28.49 PM
When prompted, provide the username and password to the Open Directory environment shown in the Server field and then click on the Connect button. At the Archive Open Directory Master screen, choose a location to create your archive. Also, provide a password for the archive. Click the Archive button when you’re ready to proceed. At the Confirm Settings screen, click Archive. The archive is then created. Keep this safe as it has all your base are belong to us in it. You have to do this proactively. Once the hard drive in that Open Directory Master craps out, you’ll need the Archive to put the pieces of Humpty Dumpty back together again.

Promote A Replica To A Master Provided you have a Replica and an Archive, promoting a Replica to a Master couldn’t be easier in OS X Server. To do so, open the Server app from the Replica and then use the cog wheel icon to bring up the menu.
Screen Shot 2015-09-24 at 10.29.40 PM
Here, click Promote Replica to Master.
Screen Shot 2015-09-24 at 10.29.19 PM
At the “Promote Open Directory replica to master” screen, provide an Open Directory username and password (e.g. diradmin with the appropriate password). Also, choose the archive you created previously. Then click Next. The Replica will become an archive. Once finished, remove any other replicas and repromote them.

Stop Open Directory
Another option is to stop Open Directory on the replicas until you can get your Master back up and running. To stop Open Directory, open the Server app and click on the Open Directory service. Click on the OFF button. You’ll then be prompted to verify that you really want to stop directory services on the server. Click OK (which should probably read a bit more ominous, like “OMG, OK”. The server is then stopped. To completely remove Open Directory from the old server, run the slapconfig command, followed by -destroyldapserver:

slapconfig -destroyldapserver

Also, don’t forget to go to the Master and remove any servers from there as well, once they’ve been fully demoted. View the logs using cat for any other weirdness:

cat /Library/Logs/slapconfig.log

October 1st, 2015

Posted In: Mac OS X Server

Tags: , , , , , , ,

There are a number of ways to create groups in OS X Mavericks Server (Server 3). The first is using the Server app, the second is using Workgroup Manager (which could be running on an older operating system and connecting to the Mavericks Server in question), the third is using the Users & Groups System Preference pane and the fourth is using the command line. In this article we will look at creating groups in the Server app. Once a server has been an Open Directory Master all user and group accounts created will be in the Local Network Group when created in Server app. Before that, all user and group objects are stored locally when created in Server app. Once promoted to an Open Directory server, local groups must be created in Workgroup Manager, the Users & Groups System Preference pane or using a command line tool appropriate for group management.
 To create a new group, open the Server app and then click on Groups in the ACCOUNTS list of the Server app sidebar. From here, you can switch between the various directory domains accessible to the server using the drop-down list available. Click on the plus sign to create a local network group.
Screen Shot 2013-10-05 at 8.40.26 PM
At the New Group screen, provide a name for the group in the Full Name field. This can have spaces. Then create a short name for the group in the Group Name field. This should not have spaces.
Screen Shot 2013-10-05 at 8.41.54 PM
Click Done when you have supplied the appropriate information and the group is created. Once done, double-click on the group to see more options.
Screen Shot 2013-10-05 at 8.47.05 PM
Here, use the plus sign (“+”) to add members to the group or highlight members and use the minus sign (“-“) to remove users from the group. You can also choose to use the following options:
  • Give this group a shared folder: Creates a shared directory for the group, or a group with an ACL that grants all group members access.
  • Make group members Messages buddies: Adds each group member to each other group members buddy list in the Messages client.
  • Enable group mailing list: Enables a list using the short name of the group where all members receive emails to that address.
  • Create Group Wiki: Opens the Wiki interface for creating a wiki for the group.
  • Keywords: Keywords/tags to help locate users.
  • Notes: Notes about users.
Once changes have been made, click Done to commit the changes.

October 23rd, 2013

Posted In: Mac OS X Server

Tags: , , , , , , , , , , , , , ,

You’ve got Open Directory running and humming beautifully in Mavericks Server (Server 10.9). You show up to work and the hard drive has died on that perfectly configured Open Directory Master. Luckily, you have a replica and you have an archive of your Master. You can restore or you can promote your Replica to a Master. What to do? Well, I can’t tell you what you should do, but I can tell you that Apple has planned for this. Here, we’re going to look at promoting that Replica to a Master. Because after all, hard drives fail. Let’s look at what all this looks like. Create An Open Directory Archive In order to properly restore an Open Directory Master or promote a Replica to a Master, you’ll need the SSL keys. You should also just keep archives of your Open Directory environment around (albeit in a secure location) because you really never know. To create an Open Directory Archive, which has the keys in it as well as data needed to restore a Master, first open the Server app. From within the Server app, click on the Open Directory service. Screen Shot 2013-10-08 at 10.28.11 PM Towards the bottom of the screen, click on the cog wheel icon. At the menu, click Archive Open Directory Master… Screen Shot 2013-10-08 at 10.28.23 PMWhen prompted, provide the username and password to the Open Directory environment shown in the Server field and then click on the Connect button. Screen Shot 2013-10-08 at 10.29.03 PMAt the Archive Open Directory Master screen, choose a location to create your archive. Also, provide a password for the archive. Click the Next button when you’re ready to proceed. Screen Shot 2013-10-08 at 10.29.06 PM At the Confirm Settings screen, click Archive. The archive is then created. Keep this safe as it has all your base are belong to us in it. You have to do this proactively. Once the hard drive in that Open Directory Master craps out, you’ll need the Archive to put the pieces of Humpty Dumpty back together again. Promote A Replica To A Master Provided you have a Replica and an Archive, promoting a Replica to a Master couldn’t be easier in Mavericks Server. To do so, open the Server app from the Replica and then use the cog wheel icon to bring up the menu. Screen Shot 2013-10-08 at 10.28.11 PM Here, click Promote Replica to Master. Screen Shot 2013-10-08 at 10.29.37 PMAt the “Promote Open Directory replica to master” screen, provide an Open Directory username and password (e.g. diradmin with the appropriate password). Also, choose the archive you created previously. Then click Next. The Replica will become an archive. Once finished, remove any other replicas and repromote them. Stop Open Directory Another option is to stop Open Directory on the replicas until you can get your Master back up and running. To stop Open Directory, open the Server app and click on the Open Directory service. Screen Shot 2013-10-08 at 10.29.57 PMClick on the OFF button. You’ll then be prompted to verify that you really want to stop directory services on the server. Click OK (which should probably read a bit more ominous, like “OMG, OK”. Screen Shot 2013-10-08 at 10.30.00 PMThe server is then stopped. To completely remove Open Directory from the server, run the slapconfig command, followed by -destroyldapserver: slapconfig -destroyldapserver Also, don’t forget to go to the Master and remove any servers from there as well, once they’ve been fully demoted.

October 22nd, 2013

Posted In: Mac OS X Server

Tags: , , , , , , , , , , , ,