krypted.com

Tiny Deathstars of Foulness

macOS Server 5.2 running on Sierra can have problems with Open Directory. Sometimes, you just need to reset your directory service. You can demote and restore the server if needed. But buyer beware, you may end up screwing things up while the directory server is being demoted and you’re restoring a backup. Or if you haven’t built out the directory server, you may end up just demoting the server and starting over. In this article, we’ll look at demoting the server.

To get started demoting the Open Directory master, first open the Server app and click on Open Directory.

screen-shot-2016-09-25-at-10-58-00-pm

From the Open Directory screen, click on the minus button in the Servers section. When prompted to Delete the directory service, click on the Delete button.

screen-shot-2016-09-25-at-10-58-41-pm

Once the process is complete, you’ll be able to setup a new directory server, back at the initial Open Directory screen. The process takes awhile, so be patient.

Screen Shot 2015-09-07 at 11.41.58 PM

Note: This process can fail on Open Directory replicas. Make sure you can ssh into the master from the replica, and that you can access all required slurpd services.

The logs will then show the following:

2016-09-08 04:41:24 +0000 slapconfig -destroyldapserver
2016-09-08 04:41:24 +0000 Deleting Cert Authority related data
2016-09-08 04:41:24 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/Krypted Open Directory Certificate Authority.
2016-09-08 04:41:24 +0000 command: /usr/sbin/xscertadmin add –reason 5 –issuer Krypted Open Directory Certificate Authority –serial 2842025604
2016-09-08 04:41:44 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
2016-09-08 04:41:44 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
2016-09-08 04:41:44 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
2016-09-08 04:41:44 +0000 Stopping LDAP server (slapd)
2016-09-08 04:41:46 +0000 Stopping password server
2016-09-08 04:41:51 +0000 Removed all service principals from keytab for realm OSXSERVER.KRYPTED.COM
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/alock.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2016-09-08 04:41:51 +0000 Removed directory at path /var/db/openldap/authdata.
2016-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2016-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd.conf.
2016-09-08 04:41:51 +0000 Removed file at path /etc/openldap/rootDSE.ldif.
2016-09-08 04:41:51 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist.
2016-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2016-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2016-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d.
2016-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2016-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2016-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2016-09-08 04:41:55 +0000 Stopping password server
2016-09-08 04:41:55 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.
Sep 7 23:43:23 osxserver com.apple.WebKit.WebContent[1064]: [23:43:23.061] <<<< VideoMentor >>>> videoMentorThreadForwardPlayback: (0x7fea1d938e40) startCursor PTS 0.033 > target startPTS 0.000; sending timestamp interval for that gap

October 6th, 2016

Posted In: Mac OS X Server

Tags: , , ,

The directory services options in macOS has quietly been going through some slow changes over the past couple of years. Many of the tools we use to manage accounts look similar on the outside but sometimes work a little differently under the hood. Account information is still stored in the /var/db/dslocal/nodes directory. Here, the local directory service pulls files from within directories recursively when accountsd loads. You can still create a second instance of the local directory service by copying the Default directory. For example, here we’ll copy the Default directory node to a directory node called NEW:

sudo cp -prnv /var/db/dslocal/nodes/Default /var/db/dslocal/nodes/NEW

If you killall accountsd then wait (this is slower than doing a killall of DirectoryService was), you’ll then see and be able to use this new directory node:

<code>sudo killall accountsd</code>

This is one way to go about forklifting large collections of accounts from one system to another. The dsmemberutil account can still be used to obtain certain information from accounts. For example, you can check group membership by feeding in a uid with the -u option (here using the uid of 509) and a gid with the -g (here a gid of 10) option:

<code>dsmemberutil checkmembership -u 509 -g 10</code>

Each account still has a uuid. This can be obtained with -u for a user or -g for a group (ids):

<code>dsmemberutil getuuid -u 509</code>

And, you can use dsmemberutil to flush the directory services cache resolver, using the flushcache verb:

<code>dsmemberutil flushcache</code>

The files that comprise accounts can also be viewed and changed manually. Here, we’re going to just look at an account called charles:

<code>sudo defaults read /var/db/dslocal/nodes/Default/users/charles.plist</code>

If we used a tool like defaults, plistbuddy or plutil to manually augment one of these accounts, we’d also need to kill accountsd as we did earlier.

October 3rd, 2016

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , , ,

OS X running the Server app has a lot of scripts used for enabling services, setting states, changing hostnames and the like. Once upon a time there was a script for OS X Server called server setup. It was a beautiful but too simplistic kind of script. Today, much of that logic has been moved out into more granular scripts, kept in /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup, used by the server to perform all kinds of tasks. These scripts are, like a lot of other things in OS X Server. Some of these include the configuration of amavisd, docecot and alerts. These scripts can also be used for migrating services and data. Sometimes the scripts are in bash, sometimes ruby, sometimes perl and other times even python. And the scripts tend to change year over year/release over release. The easiest way to view logs is to use the Server app, clicking on Logs in the sidebar. The dropdown at the bottom of the screen provides quick access to service-based logs.

Screen Shot 2015-09-25 at 8.47.29 PM

One of the things that can can be useful about the scripts scattered throughout the Server app is to learn how the developers of OS X Server intend for certain tasks to occur. However, you can also use the Console app from /Applications/Utilities, as with any other Mac, to look at standard logs.

Screen Shot 2015-09-25 at 8.48.50 PM

Looking At Services

This is also where I learned that Apple had put an Open Directory backup script in /Applications/Server.app/Contents/ServerRoot/usr/libexec/server_backup/opendirectorybackup (that still requires a password). But what I haven’t seen in all of these logs is bumping up the logging level for services before performing tasks, so that you can see a verbose output of what’s going on. To do this, it looks like we’re going service-by-service. So let’s look alphabetically, starting with Address Book:

sudo serveradmin settings addressbook:DefaultLogLevel = “warn”

This by defualt logs to /var/log/caldavd/error.log, which is built based on the following, which sets the base:

sudo serveradmin settings addressbook:LogRoot=/var/log/caldavd

And the following, which sets the file name in that directory:

sudo serveradmin settings addressbook:ErrorLogFile=error.log

You can change either by changing what comes after the = sign. Next is afp. This service logs output to two places. The first is with errors to the service, using /Library/Logs/AppleFileService/AppleFileServiceError.log, the path designated in the following:

sudo serveradmin settings afp:errorLogPath = “/Library/Logs/AppleFileService/AppleFileServiceError.log”

The second location logs activities (open file, delete file, etc) rather than errors and is /Library/Logs/AppleFileService/AppleFileServiceAccess.log, defined using:

sudo serveradmin settings afp:activityLogPath = “/Library/Logs/AppleFileService/AppleFileServiceAccess.log”

The activity log is disabled by default and enabled using the command:

sudo serveradmin settings afp:activityLog = yes

The events that trigger log entries are in the afp:loggingAttributes array and are all enabled by default. There are no further controls for the verbosity of the afp logs. The next service is calendar. Similar to address book, the caldav server uses DefaultLogLevel to set how much data gets placed into logs:

sudo serveradmin settings calendar:DefaultLogLevel = “warn”

This by defualt logs to /var/log/caldavd/error.log, which is built based on the following, which sets the base:

sudo serveradmin settings calendar:LogRoot=/var/log/caldavd

And the following, which sets the file name in that directory:

sudo serveradmin settings calendar:ErrorLogFile=error.log

You can changing either by changing what comes after the = sign.
Profile Manager is called devicemgr in the serveradmin interface and I’ve found no way to augment the logging levels. Nor does its migration script ( /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/MigrationExtras/80-devicemgrmigration.sh ) point to any increased logging during migration.

The dirserv (aka Open Directory) uses the slapconfig back-end, so I use slapconfig to increase logging:

sudo slapconfig -enableslapdlog

The DNS service uses named.conf, located in /etc to set log levels and has no serveradmin settings for doing so. Here, use the logging section and look for both the file setting (by default /Library/Logs/named.log) for where the log is stored as well as the severity setting, which can set the logging levels higher or lower.

By default Messages, or iChat Server, logs a lot. See the following for what is logged:

sudo serveradmin settings jabber:logLevel = “ALL”

Adding the -D option to the LaunchDaemon that invokes jabber will increase the logs. Logging long-term is handled in each of the xml files that make up the features of jabber. See the Logconfiguration section of the c2s file via:

cat /Applications/Server.app/Contents/ServerRoot/private/etc/jabberd/c2s.xml

The mail service has a number of options for logging, much of which has to do with the fact that it’s a patchy solution made up of postfix, etc. Global log locations are controlled using the mail:global:service_data_path key, which indicates a path that logs are stored in (as usual many of these are in /Library/Server):

sudo serveradmin settings mail:global:service_data_path = "/Library/Server/Mail"

To see the virus database logging levels (which should usually be set to warn):

sudo serveradmin settings mail:postfix:virus_db_log_level

To see the spamassassin logging levels:

sudo serveradmin settings mail:postfix:spam_log_level

To see the actual postfix logging level:

sudo serveradmin settings mail:postfix:log_level

To enable timestamps on logs:

sudo serveradmin settings mail:imap:logtimestamps = yes

To set the dovecot logging to info:

sudo serveradmin settings mail:imap:log_level = “info”

To set increased logging per function that dovecot performs, see the config files in /Applications/Server.app/Contents/ServerRoot/private/etc/dovecot/default/conf.d, each of which has a logging section to do so.

The NetBoot service is simple to configure logging for, simply set the netboot:logging_level to HIGH (by default it’s MEDIUM):

sudo serveradmin settings netboot:logging_level = “HIGH”

The Postgres service uses a log directory, configured with postgres:log_directory:

sudo serveradmin settings postgres:log_directory = “/Library/Logs/PostgreSQL”

The /private/etc/raddb/radiusd.conf has a section (log {}) dedicated to configuring how the radius service logs output.

The Xsan service logs output per volume to both the System Log and volume-based log files, stored in /Library/Preferences/Xsan/data.

The smb service has a file /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist with a key for log level that can be used for more verbose output of the service.

The PPTP VPN service logs output to the file specified in vpn:Servers, configured with these:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:LogFile = “/var/log/ppp/vpnd.log”
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:LogFile = “/var/log/ppp/vpnd.log”
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:Server:LogFile = “/var/log/ppp/vpnd.log”
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:LogFile = “/var/log/ppp/vpnd.log”

By default, verbose logging is enabled, which you can see with:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging

The last service is web (Apache). The default access logs are per-site, with a key called customLogPath existing for each. The defaultSite uses the following for its logs:

sudo serveradmin settings web:defaultSite:customLogPath

Swap out the defaultSite with another site to see its log paths. There’s also a key for errorLogPath that shows errors. These are per-site so that administrators can provide access to logs for the owners of each site and not fear them having access to logs for other users. Global error logs are stored in /private/var/log/apache2/error_log as defined in /private/etc/apache2/httpd.conf. Find LogLevel in this file and set it to configure how in depth the logs will be, using debug for the most verbose and info, notice, warn, error, crit, alert, and emerg to get incrementally less information.

Additionally the log formats can be set in /private/etc/apache2/httpd.conf, allowing administrators to configure OS X  Server’s built-in web service to conform to the standards of most modern web log analyzers.

Conclusion

Overall, there’s a lot of information in these logs and administrators can spend as much time reviewing logs as they want. But other than standard system logs, the output is typically configured on a service-by-service basis. Some services offer a lot of options and others offering only a few. Some services also offer options within the serveradmin environment while others use their traditional locations in their configuration files. I’ll end this with a warning. There can also be a lot of output in these logs. Therefore, if you set the logging facilities high, make sure to keep a watchful eye on the capacity of the location you’re writing logs out to. The reason I looked at paths to logs where applicable was because you might want to consider redirecting logs to an external volume when debugging so as not to fill up a boot volume and cause even more problems than what you’re likely parsing through logs looking to fix…

October 8th, 2015

Posted In: Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , ,

There are four ways to create users in OS X Server 5, running on El Capitan or Yosemite. The first is using the Server app, the second is using Workgroup Manager (which barely works in OS X El Capitan and won’t install in El Capitan by default), the third is using the Users & Groups System Preference pane and the fourth is using the command line. In this article we will look at creating users in the Server app.

To do so, open the Server app and connect to your server. Then click on the Users entry in the ACCOUNTS list. The list of users is displayed, based on the directory domain(s) being browsed. A directory domain is a repository of account data, which can include local users, local network users and users in a shared directory service such as Open Directory and Active Directory.

Screen Shot 2015-09-07 at 11.51.54 PM

The drop-down list allows you to see objects that are stored locally as well as on a shared directory server. Therefore, clicking All Users will show all of the accounts accessible by the system. Click on the plus sign to create a new account. At this point, if the server has been promoted to an Open Directory Master, the account will be a local network account, with no way of choosing a different location to store the account in the Server app.

Screen Shot 2013-10-05 at 8.52.44 PM

When prompted, provide the following information about the new user:

  • Full Name: Usually the first and last name of the user.
  • Account Name: A shorter representation of that name with no spaces or special characters.
  • Email address: The email address to use if the account is going over quotas, has calendar invitations sent, or used for email hosted on the server, etc.
  • Password: The password the user will use to access services on the server.
  • Verify: The password a second time to make sure there are no spelling errors.
  • Allow user to administer this server: Optional field that grants the user administrative access to the server.
  • Home Folder: Optional field that by default creates local home directories for users that use the account but that also allows you to select a directory shared using the File Sharing service as a location for home folders. Each user in OS X has a home folder, this option defines whether that folder will reside on their computer or on a central server.
  • Limit Disk Usage To: Define the amount of space an account can take up on servers.
  • Keywords: Keywords, or tags, for the user.
  • Notes: Any notes you want to enter into the user record.

Note: Optionally, you can also drag an image onto the image shown in the New User screen if you’d like the user to have an avatar.

Once the account details are as you would like, click on the Done button. The account will then be displayed in the list of available accounts. You can still create local accounts but must do so in the Users & Groups System Preference pane, through Workgroup Manager or through the command line. If the server has not been made an Open Directory server then you would be creating local users through the Server app.

Once the account is created, highlight it and click on the cog wheel icon below the list of accounts. Here, you have the option to edit the account you just created, edit their access to services hosted on the server, configure email information and change their password.

Screen Shot 2015-09-07 at 11.55.01 PM

Click Edit User. Here, you have two new features. You can add the user to groups and use the checkbox for “log in” to disable the account.

Screen Shot 2015-09-07 at 11.55.41 PM

Click Cancel and then using the cog wheel menu again, click on Edit Access to Services. Here, uncheck each service that the user should not have access to. If the service isn’t running then it’s not a big deal. You can highlight multiple accounts concurrently and then use this option to disable services for users en masse.

September 30th, 2015

Posted In: Mac OS X Server

Tags: , , , , , , ,

Previously, we looked at setting up an Open Directory Master in OS X Server. An Open Directory Replica keeps a copy of the Open Directory database available for users even when the Master goes offline. But it can also take a part of the load from the Open Directory Master and when using the new Locales feature, balance network traffic. To get started with an Open Directory Replica, first enable SSH, now disabled by default. If SSH is not enabled, you will not be able to create an Open Directory Replica. SSH is enabled on a server by opening the Server app, clicking on the name of the server and then clicking on the Settings tab. here, check the box for “Secure shell connections (SSH)”.

Screen Shot 2015-09-24 at 10.00.02 PM

Next, use the changeip to check the host name. While the Server app is cool, it caches stuff and I’ve seen it let things go threat shouldn’t be let go. Therefore, in order to make sure that the server has such an address, I still recommend using changeip, but I also recommend using the Server application. In OS X Server, I’ve seen each find things that other misses. Additionally, in Yosemite and above, OS X Server now requires to be able to lookup whatever the hostname is set to in order to actually promote either to a replica or a master. To use changeip to verify the hostname is set appropriately:

sudo changeip -checkhostname

The address and host names should look correct and match what you see in the Server application’s Next Steps drawer.

Primary address = 192.168.0.26
Current HostName = odr.krypted.com
DNS HostName = krypted.com
The names match. There is nothing to change.
dirserv:success = “success”

Provided everything is cool with the hostname, use the slapconfig command to preflight a replica prior to promotion. The syntax there is the same as the -createreplica syntax, used as follows, assuming the master has an IP address of 192.168.0.250:

/usr/sbin/slapconfig -preflightreplica 192.168.0.250 diradmin

Provided that the server is ready, open the Server app on a freshly installed computer you want to be your Open Directory replica.

Screen Shot 2015-09-24 at 9.15.38 PM

Then, click on the Open Directory service.

Screen Shot 2015-09-24 at 9.44.33 PM
Then, use the ON button to start the configuration process. When prompted, click on “Join an existing Open Directory domain as a replica” and click on the Next button.

Screen Shot 2015-09-24 at 9.45.06 PM
When prompted, enter the parent Open Directory server’s host name (likely the name of the Open Directory Master), directory admin user name (the diradmin or custom username provided when Open Directory was configured), and then the directory admin password.

Screen Shot 2015-09-24 at 9.45.35 PM

Then click on the Next button again to setup the services.

Screen Shot 2015-09-24 at 9.56.29 PM

At the Confirm settings screen, click on the Set Up button and the replica is completed provided there are no issues with the configuration. Check Server app on both the Replica and the Master and verify that the server is displayed under the Master.

Screen Shot 2015-09-24 at 9.58.43 PM

Once you’ve created your first replica, you can then start to define replica trees, where each replica looks at one above it, which then looks at another. I’ll do another article later on replica trees.

Note: If there are any problems during promotion, I start over every time using slapconfig along with the -destroyldapserver option to nuke everything in OD:

sudo slapconfig -destroyldapserver

Use the logs to help if you’re having replica creation problems. These can be added using the -enableslapdlog option:

sudo slapconfig -enableslapdlog

You can use the -addreplica option to add replicas manually while running tail on the slapd logs:

sudo tail -f /var/log/slapd.log

Once the replica has been created, you can add more and more until you exceed 32. At that point, you have a fairly large Open Directory environment and you go to add the 33rd replica but you get a funny error that dserr doesn’t have listed. The reason is likely that a single Open Directory Master can only have 32 replicas – and the fact that you’ve made it that far means you get a cookie. Cookie or no, you can have 32 replicas on each replica (thus having a replica tree), ergo allowing for a total of 1,024 replicas and a master. So rather than bind that 33rd replica to a master, move to a replica tree model, trying to offload replicas in as geographically friendly a fashion as possible (thus reducing slap traffic on your WAN links) by repositioning replicas per site. Similar to how Active Directory infrastructures often have a global catalog at each site, if you’ve got a large number of Open Directory Replicas then you should likely try and limit the number that connects back to each master per site to 1.

Assuming that each replica can sustain a good 350 clients on a bad day (and we always plan for bad days), even the largest pure Mac OS X deployments will have plenty of LDAP servers to authenticate to. However, you’re likely going to have issues with clients being able to tell which Open Directory server is the most appropriate to authenticate through. Therefore, cn=config will need to be customized per group that leverages each replica, or divert rules used with ipfw to act as a traffic cop. Overall, the replica trees seem to be working fairly well in Snow Leopard, netting a fairly scalable infrastructure for providing LDAP services.

You can also get pretty granular with the slurpd (the daemon that manages Open Directory replication) logs by invoking slurpd with a -d option followed by a number from 4 to 65535, with intensity of logs getting more as the number gets higher. You can also use the -r option to indicate a specific log file. If you have more than 32 replicas then it stands to reason that you also have a large number of objects in Open Directory, a fair amount of change occurring to said objects and therefore a fair amount of replication IO. In order to offload this you can move your replication temp directory onto SSD drives, by specifying the -t option when invoking slurpd.

The slurpd replication occurs over port 389 (by default). Therefore, in a larger environment you should be giving priority to network traffic. If you choose to custom make/install slurpd then you’ll also need to go ahead and build your Kerberos principles manually. In this case you would get a srvtab file for the slurpd server and then configure slapd to accept Kerberos Authentication for slaves. Having said this, I haven’t seen an environment where I had to configure slurpd in this fashion.

September 30th, 2015

Posted In: Mac OS X Server

Tags: , , , , ,

The serveradmin command has an option to run commands. I’ve talked about these in past articles, for doing tasks like asking how many concurrent NFS connections are open on a host. Well, here’s another, and it’s a simple command. Here, we’re going to look at whether the Open Directory server has a CA. To do so, we’ll use the serveradmin command, along with the command verb. Then, we’ll add the certs option, followed by command= and then the payload of the command. In this case that’s isODCAPresent:

sudo serveradmin command certs:command = isODCAPresent

This is a simple, informational command, similar to the web:command of getSites or the mail:command of getConnectedUsers. Enjoy!

July 8th, 2015

Posted In: Mac OS X, Mac OS X Server, Mass Deployment

Tags: , , , , , , ,

You can destroy an LDAP server using the Server app (and still using slapconfig -destroyldapserver). To do so, open the Server app and click on Open Directory. Then click on the Open Directory server in the list of servers.

Screen Shot 2015-01-16 at 11.22.15 PM

When prompted to destroy the LDAP Master, click on Next.

Screen Shot 2014-12-15 at 10.09.56 PM

When asked if you’re sure, click Continue.

Screen Shot 2014-12-15 at 10.10.00 PM

When asked if you’re really, really sure, click Destroy.

Screen Shot 2014-12-15 at 10.10.03 PM

Wait.

January 19th, 2015

Posted In: Active Directory, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , ,

The command to create and tear down an Open Directory environment is slapconfig. When you disable Open Directory from the Server app you aren’t actually removing users. To do so, you’d use slapconfig along with the -destroyldapserver. When run, you get a little insight into what’s happening behind the scenes. This results in the following:

bash-3.2# slapconfig -destroyldapserver

The logs are as follows:

2014-09-18 14:42:02 +0000 slapconfig -destroyldapserver
2014-09-18 14:42:02 +0000 CopyReplicaArray: ldap_search_ext_s failed
2014-09-18 14:42:02 +0000 Error retrieving replica array
2014-09-18 14:42:02 +0000 Deleting Cert Authority related data
2014-09-18 14:42:03 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/Take Control Books Open Directory Certification Authority.
2014-09-18 14:42:03 +0000 command: /usr/sbin/xscertadmin add --reason 5 --issuer Take Control Books Open Directory Certification Authority --serial 2127185704
CopyCARecordByName: get ldapi node code = 2100 description = Connection failed to node '/LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi'
No such issuer - failed to revoke certificate
2014-09-18 14:42:23 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
/System/Library/LaunchDaemons/com.apple.xscertd.plist: Could not find specified service
2014-09-18 14:42:23 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
/System/Library/LaunchDaemons/com.apple.xscertd-helper.plist: Could not find specified service
2014-09-18 14:42:23 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
/System/Library/LaunchDaemons/com.apple.xscertadmin.plist: Could not find specified service
2014-09-18 14:42:23 +0000 void _destroyLDAPServer(const char *): Failed to find computer record named YosemiteSam.krypted.com$: 0 (null)
2014-09-18 14:42:23 +0000 Updating ldapreplicas on primary master
2014-09-18 14:42:23 +0000 CopyLdapReplicas: Unable to create DSLDAPContainer: 77014 Can't contact LDAP server (-1)
2014-09-18 14:42:23 +0000 CopyPrimaryMaster: CopyLdapReplicas failed
2014-09-18 14:42:23 +0000 Unable to locate primary master
2014-09-18 14:42:23 +0000 Primary master node is nil!
2014-09-18 14:42:23 +0000 Unable to locate ldapreplicas record: 0 (null)
2014-09-18 14:42:23 +0000 Error setting read ldap replicas array: 0 (null)
2014-09-18 14:42:23 +0000 Error setting write ldap replicas array: 0 (null)
2014-09-18 14:42:23 +0000 ODRecord *_getODRecord(ODNode *, NSString *, NSString *, NSArray *): ODNodeRef parameter error
2014-09-18 14:42:23 +0000 int _removeReplicaFromConfigRecord(ODNode *, NSString *): ODRecord not found
2014-09-18 14:42:23 +0000 Error synchronizing ldapreplicas: 0 (null)
2014-09-18 14:42:23 +0000 Removing self from the database
2014-09-18 14:42:23 +0000 Stopping LDAP server (slapd)
2014-09-18 14:42:23 +0000 Stopping password server
2014-09-18 14:42:23 +0000 Removed all service principals from keytab for realm YOSEMITESAM.KRYPTED.COM
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/mail.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/alock.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2014-09-18 14:42:23 +0000 Removed directory at path /var/db/openldap/authdata.
2014-09-18 14:42:23 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2014-09-18 14:42:23 +0000 Removed file at path /etc/openldap/slapd.conf.
2014-09-18 14:42:23 +0000 Removed file at path /etc/openldap/rootDSE.ldif.
2014-09-18 14:42:23 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2014-09-18 14:42:23 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2014-09-18 14:42:23 +0000 Removed directory at path /etc/openldap/slapd.d.
2014-09-18 14:42:23 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2014-09-18 14:42:23 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2014-09-18 14:42:23 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2014-09-18 14:42:26 +0000 Stopping password server
2014-09-18 14:42:26 +0000 Removed file at path /etc/ntp_opendirectory.conf.
2014-09-18 14:42:26 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.

October 21st, 2014

Posted In: Mac OS X Server

Tags: , , , , ,

Getting started with Messages Server couldn’t really be easier. Messages Server in the OS X Yosemite version of the Server app uses the open source jabber project as their back-end code base (and going back, OS X has used jabber since the inception of iChat Server all the way through Server 3). The sqlite setup file is located at /Applications/Server.app/Contents/ServerRoot/private/var/jabberd directory and the autobuddy binary is at /Applications/Server.app/Contents/ServerRoot/usr/bin/jabber_autobuddy. The actual jabberd binary is also stored at /Applications/Server.app/Contents/ServerRoot/usr/libexec/jabberd, where there are a couple of perl scripts used to migrate the service between various versions as well.

Setting up the Messages service is simple. Open the Server app and click on Messages in the Server app sidebar.

Messages1

Click on the Edit… button for the Permissions. Here, define which users and interfaces are allowed to use the service.

Once open, click on the checkbox for “Enable server-to-server federation” if you have multiple iChat, er, I mean, Messages servers and then click on the checkbox for “Archive all chat messages” if you’d like transcripts of all Messages sessions that route through the server to be saved on the server. You should use an SSL certificate with the Messages service. If enabling federation so you can have multiple Messages servers, you have to. Before enabling the service, click on the name of the server in the sidebar of Server app and then click on the Settings tab. From here, click on Edit for the SSL Certificate (which should be plural btw) entry to bring up a screen to select SSL Certificates.

Messages2

At the SSL Certificates screen (here it’s plural!), select the certificate the Messages service should use from the available list supplied beside that entry and click on the OK button. If you need to setup federation, click back on the Messages service in the sidebar of Server app and then click on the Edit button. Then, click on the checkbox for Require server-to-server federation (making sure each server has the other’s SSL certificate installed) and then choose whether to allow any server to federate with yours or to restrict which servers are allowed. I have always restricted unless I was specifically setting up a server I wanted to be public (like public as in everyone in the world can federate to it, including the gorram reavers that want to wear your skin).

Messages3

To restrict the service, then provide a list of each server address capable of communicating with your server. Once all the servers are entered, click the OK button.
Obviously, if you only have one server, you can skip that. Once the settings are as you wish them to be, click on the ON/OFF switch to light up the service. To see the status of the service, once started, use the fullstatus option with serveradmin followed by the jabber indicator:

sudo serveradmin fullstatus jabber

The output includes whether the service is running, the location of jabber log files, the name of the server as well as the time the service was started, as can be seen here:

jabber:state = "RUNNING"
jabber:roomsState = "RUNNING"
jabber:logPaths:PROXY_LOG = "/private/var/jabberd/log/proxy65.log"
jabber:logPaths:MUC_STD_LOG = "/var/log/system.log"
jabber:logPaths:JABBER_LOG = "/var/log/system.log"
jabber:proxyState = "RUNNING"
jabber:currentConnections = "0"
jabber:currentConnectionsPort1 = "0"
jabber:currentConnectionsPort2 = "0"
jabber:pluginVersion = "10.8.211"
jabber:servicePortsAreRestricted = "NO"
jabber:servicePortsRestrictionInfo = _empty_array
jabber:hostsCommaDelimitedString = "mavserver.pretendco.lan"
jabber:hosts:_array_index:0 = "mavserver.pretendco.lan"
jabber:setStateVersion = 1
jabber:startedTime = ""
jabber:readWriteSettingsVersion = 1

There are also a few settings not available in the Server app. One of these that can be important is the port used to communicate between the Messages client and the Messages service on the server. For example, to customize this to 8080, use serveradmin followed by settings and then jabber:jabberdClientPortSSL = 8080, as follows:

sudo serveradmin settings jabber:jabberdClientPortSSL = 8080

To change the location of the saved Messages transcripts (here, we’ll set it to /Volumes/Pegasus/Book:

sudo serveradmin settings jabber:savedChatsLocation = “/Volumes/Pegasus/Book”

To see a full listing of the options, just run settings with the jabber service:

sudo serveradmin settings jabber

The output lists each setting configurable:

jabber:dataLocation = "/Library/Server/Messages"
jabber:s2sRestrictDomains = no
jabber:jabberdDatabasePath = "/Library/Server/Messages/Data/sqlite/jabberd2.db"
jabber:sslCAFile = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.chain.pem"
jabber:jabberdClientPortTLS = 5222
jabber:sslKeyFile = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.concat.pem"
jabber:initialized = yes
jabber:enableXMPP = no
jabber:savedChatsArchiveInterval = 7
jabber:authLevel = "STANDARD"
jabber:hostsCommaDelimitedString = "mavserver.pretendco.lan"
jabber:jabberdClientPortSSL = 5223
jabber:requireSecureS2S = no
jabber:savedChatsLocation = "/Library/Server/Messages/Data/message_archives"
jabber:enableSavedChats = no
jabber:enableAutoBuddy = no
jabber:s2sAllowedDomains = _empty_array
jabber:logLevel = "ALL"
jabber:hosts:_array_index:0 = "mavserver.pretendco.lan"
jabber:eventLogArchiveInterval = 7
jabber:jabberdS2SPort = 0

To stop the service:

sudo serveradmin stop jabber

And to start it back up:

sudo serveradmin start jabber

It’s also worth noting something that’s completely missing in this whole thing: Apple Push Notifications… Why is that important? Well, you use the Messages application to communicate not only with Mac OS X and other jabber clients, but you can also use Messages to send text messages. Given that there’s nothing in the server that has anything to do with texts, push or anything of the sort, it’s worth noting that these messages don’t route through the server and therefore still require an iCloud account. Not a huge deal, but worth mentioning that Messages server doesn’t have the same updates built into the Messages app. Because messages don’t traverse the server, there’s no transcripts.

October 19th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , ,

Open Directory has never been so easy to setup for a basic environment as it is in OS X Yosemite Server (OS X 10.10, Server app 4). It’s also never been so annoyingly simple to use that to do anything cool requires a bunch of command line foo. No offense to the developers, but this whole idea that the screens that were being continually refined for a decade just need to be thrown out and started fresh seems to have led to a few babies thrown out along with them. Not often as I’m kinda’ digging most of the new config screens in OS X Yosemite Server, but with Open Directory, it’s just too easy. Features mean buttons. Buttons make things a tad bit more complicated to use than an ON/OFF switch…

Anyway, rant over. Moving on. As with almost any previous version of OS X Server and Open Directory, once you’ve installed the Server app, run the changeip command along with the -checkhostname option to verify that the IP, DNS and hostname match. If (and only if as it will fail if you try anyway) you get an indication of “Success.”

bash-3.2# changeip -checkhostname
dirserv:success = "success"

To set up the Open Directory Master, open the Server app and click on the Open Directory service (might need to Show under Advanced in the Server app sidebar). From here, click on the ON button.

ODM1

For the purposes of this example, we’re setting up an entirely new Open Directory environment. At the “Configure Network Users and Groups” screen, click on “Create a new Open Directory Domain” and click on the Next button.

ODM2

Note: If you are restoring an archive of an existing Open Directory domain, you would select the bottom option from this list.

At the Directory Administrator screen, enter a username and password for the directory administrator account. The default account is sufficient, although it’s never a bad idea to use something a bit less generic.

ODM3

Once you’ve entered the username and password, click on the Next button. Then we’re going to configure the SSL information.

ODM4

At the Organization Information screen, enter a name for the organization in the Organization Name field and an Email Address to be used in the SSL certificate in the Admin Email Address field. Click on Next.

ODM5

At the Confirm Settings screen, make sure these very few settings are OK with you and then click on the Set Up button to let slapconfig (the command that runs the OD setup in the background, kinda’ like a cooler dcpromo) do its thing. When the Open Directory master has been configured, there’s no need to reboot or anything, the indicator light for the Open Directory service should appear. If the promotion fails then look to the preflight options I wrote up awhile back.

ODM6

Clicking on the minus (“-”) button while a server is highlighted runs a slapconfig -destroyldapserver on the server and destroys the Open Directory domain if it is the only server. All domain information is lost when this happens.

ODM7

Next, let’s bind a client. Binding clients can be done in a few different ways. You can use a script, a Profile, the Users & Groups System Preference pane or build binding into the imaging process. For the purpose of this example, we’ll use the System Preference pane.

To get started, open up the System Preference pane and then click on Users & Groups. From here, click on Login Options and then unlock the lock in the lower left corner of the screen, providing a username and password when prompted.

ODM8

Click on the Edit… button and then the plus sign (“+”).

ODM9

Then, enter the name of the Open Directory Master (the field will expand with options when you enter the host name.

ODM10

It’s probably best not to use the IP address at this point as the master will have an SSL certificate tied to the name. Click OK to accept the certificate (if it’s self-signed) and then the system should finish binding. Once bound, I like to use either id or dscl to verify that directory accounts are properly resolving before I try logging in as an Open Directory user.
Provided everything works that’s it. The devil is of course in the details. There is very little data worth having if it isn’t backed up. Notice that you can archive by clicking on the cog wheel icon in the Open Directory service pane, much like you could in Server Admin. Or, because this helps when it comes to automating backups (with a little expect), to run a backup from the command line, run the slapconfig command along with the -backupdb option followed by a path to a folder to back the data up to:

sudo slapconfig -backupdb /odbackups

The result will be a request for a password then a bunch of information about the backup:

bash-3.2# sudo slapconfig -backupdb /odbackups
2014-09-23 00:26:01 +0000 slapconfig -backupdb
Enter archive password:
2014-09-23 00:26:06 +0000 1 Backing up LDAP database
2014-09-23 00:26:06 +0000 popen: /usr/sbin/slapcat -l /tmp/slapconfig_backup_stage57244NLmNnX/backup.ldif, "r"
5420be1e bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2014-09-23 00:26:06 +0000 popen: /usr/sbin/slapcat -b cn=authdata -l /tmp/slapconfig_backup_stage57244NLmNnX/authdata.ldif, "r"
5420be1e bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2014-09-23 00:26:06 +0000 popen: /bin/cp /var/db/openldap/openldap-data/DB_CONFIG /tmp/slapconfig_backup_stage57244NLmNnX/DB_CONFIG, "r"
2014-09-23 00:26:06 +0000 popen: /bin/cp /var/db/openldap/authdata//DB_CONFIG /tmp/slapconfig_backup_stage57244NLmNnX/authdata_DB_CONFIG, "r"
2014-09-23 00:26:06 +0000 popen: /bin/cp -r /etc/openldap /tmp/slapconfig_backup_stage57244NLmNnX/, "r"
2014-09-23 00:26:06 +0000 popen: /bin/hostname > /tmp/slapconfig_backup_stage57244NLmNnX/hostname, "r"
2014-09-23 00:26:06 +0000 popen: /usr/sbin/sso_util info -pr /LDAPv3/127.0.0.1 > /tmp/slapconfig_backup_stage57244NLmNnX/local_odkrb5realm, "r"
2014-09-23 00:26:06 +0000 popen: /usr/bin/tar czpf /tmp/slapconfig_backup_stage57244NLmNnX/krb5backup.tar.gz /var/db/krb5kdc/kdc.conf /var/db/krb5kdc/acl_file.* /var/db/krb5kdc/m_key.* /etc/krb5.keytab , "r"
tar: Removing leading '/' from member names
2014-09-23 00:26:06 +0000 2 Backing up Kerberos database
2014-09-23 00:26:06 +0000 popen: /bin/cp /var/db/dslocal/nodes/Default/config/KerberosKDC.plist /tmp/slapconfig_backup_stage57244NLmNnX/KerberosKDC.plist, "r"
2014-09-23 00:26:06 +0000 popen: /bin/cp /Library/Preferences/com.apple.openldap.plist /tmp/slapconfig_backup_stage57244NLmNnX/, "r"
2014-09-23 00:26:06 +0000 3 Backing up configuration files
2014-09-23 00:26:06 +0000 popen: /usr/bin/sw_vers > /tmp/slapconfig_backup_stage57244NLmNnX/version.txt, "r"
2014-09-23 00:26:06 +0000 popen: /bin/cp -r /var/db/dslocal /tmp/slapconfig_backup_stage57244NLmNnX/, "r"
2014-09-23 00:26:06 +0000 Backed Up Keychain
2014-09-23 00:26:06 +0000 4 Backing up CA certificates
2014-09-23 00:26:06 +0000 5 Creating archive
2014-09-23 00:26:06 +0000 command: /usr/bin/hdiutil create -ov -plist -puppetstrings -layout UNIVERSAL CD -fs HFS+ -volname ldap_bk -srcfolder /tmp/slapconfig_backup_stage57244NLmNnX -format SPARSE -encryption AES-256 -stdinpass /odbackups
2014-09-23 00:26:12 +0000 Removed directory at path /tmp/slapconfig_backup_stage57244NLmNnX.
2014-09-23 00:26:12 +0000 Removed file at path /var/run/slapconfig.lock.

To restore a database (such as from a previous version of the operating system where such an important option was actually present) use the following command (which just swaps backupdb with -restoredb)

sudo slapconfig -restoredb /odbackups

Both commands ask you for a password to encrypt and decrypt the disk image created by them.

October 16th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , ,

Next Page »