krypted.com

Tiny Deathstars of Foulness

People who have managed Open Directory and will be moving to Synology will note that directory services really aren’t nearly as complicated as we’ve made them out to be for years. This is because Apple was protecting us from doing silly things to break our implementations. It was also because Apple bundled a number of seemingly disparate technologies into LDAP. It’s worth mentioning that LDAP on a Synology is just LDAP. We’re not federating services, we’re not Kerberizing services, we’re not augmenting schemas, etc. We can still leverage the directory service to provide attributes, though, and have that central phone book of users and group memberships we’ve come to depend on directory services to provide.

To get started, open the Package Center and search for Directory. Click Install for the Directory Server and the package will be installed on the Synology.

When the setup is complete, open the Directory Server from the launcher available in the upper right hand corner of the screen. 

The LDAP server isn’t yet running as you need to configure a few settings before starting. At the Settings screen, you can enable the LDAP service by checking the box to “Enable LDAP Service” and providing the hostname (FQDN) of the service along with a password.


Once the service is configured, you’ll have a base DN and a bind DN. These are generated from the name provided in the FQDN field. For example, if the FQDN is “synology.krypted.com”, its Base DN will be “dc=synology,dc=krypted,dc=com”. The Bind DN adds a lookup starting at the root account, then moving into the users container and then the domain components taken from the hostname: uid=root,cn=users,dc=synology,dc=krypted,dc=com

If this is for internal use only, then it’s all set up. If you’ll be binding external services to this LDAP instance, make sure to open port 389 (for LDAP) and/or 636 (for LDAP over SSL) as well.

Once you have information in the service, you’ll want to back it up. Click on Backup and Restore. Then click on Configure.

At the Configure screen, choose a destination.

I prefer using a directory I can then back up with another tool. Once you have defined a place to store your backups using the Destination field, choose a maximum number of backups and configure a schedule for the backups to run (by default backups run at midnight). Then click OK. You now have a functional LDAP service. To create Groups, click on Group in the left sidebar.

Here, you can easily create groups by clicking on the Create button. At the wizard, provide a name for the group (accounting in this example).

Click Next, then Apply to finish creating the group. Once you have created your groups, click on User to start entering your users. Click Create. At the User Information screen, enter the name, a description if needed, and the password for a user. You can also restrict password changes and set an expiration for accounts. Click Next to create the user.

At the next screen, choose what groups the new user will be in and click Next.

Enter any extended attributes at the next screen, if you so choose (useful for directories).

Click Next and then Apply.

For smaller workgroups, you now have a functional LDAP service! If you’d like a nice GUI to access more options, look at FUM ( https://github.com/futurice/futurice-ldap-user-manager ), LAM ( https://www.ldap-account-manager.org/lamcms/ ), LinID ( http://www.linid.org/welcome/index.html ) or other tools. I wrote an article on LDAP SACLs a while back, so I’ll try and track that down and update it for Synology soon!

April 5th, 2018

Posted In: Mac OS X Server, Synology



Before we have this conversation, I want to give you some bad news. Your passwords aren’t going to migrate. The good news is that you only do directory services migrations every decade or two. The better news is that I’m not actually sure you need a directory service in the traditional sense that you’ve built directory services. With Apple’s Enterprise Connect and Nomad, we no longer need to bind in order to get Kerberos functionality. With MCX long-dead(ish) you’re now better off doing policies through configuration profiles. 

So where does that leave us? There are some options.
  • On Prem Active Directory. I can set up Active Directory in about 10 minutes. And I can be binding Mac clients to it. They’ll get their Kerberos TGTs and authenticate into services and the 90s will be as alive on your server as they are in Portland. Here’s the thing, and I kinda’ hate to say it, but no one ever got fired for doing things the old reliable way.
  • OpenLDAP. There are some easy builds of OpenLDAP to deploy. You can build a new instance from scratch on a Mac (probably a bad idea) or on a very small Linux box. This is pretty easy, but to get all the cool stuff working, you might need some tweaking.
  • Appliances. I’m already working on an article for installing OpenLDAP on a Synology.
  • Microsoft Azure Active Directory. If you’re a primarily Microsoft shop, and one that is trying to go server-less, then this is probably for you. Problem is, I can’t guide you through binding a client to Active Directory in Azure just yet. 
  • Okta/Ping/other IAMs. Some of these can act as a directory service of sorts ( https://help.okta.com/en/prod/Content/Topics/Directory/About_Universal_Directory.htm ). As with Azure, you’re likely not going to bind to them (although Nomad has some interesting stuff if you feel like digging into that).
  • A hosted directory service provider (Directory as a Service) like Jumpcloud.
There are probably dozens of other options as well (please feel free to add them in the comments section of this article). No matter what you do, if you have more than a dozen or two users and groups, you’re going to want to export them. So let’s check out what that process looks like. The easy way to export data is to dump all of the services out with one quick command:

sudo slapconfig -backupdb ~/Desktop/slapexport/

This process produces the exact same results as exporting Open Directory from the Server App. To do so, open the Server app and click on the Open Directory entry. From there, click on the cog-wheel icon and choose the option to Archive Open Directory Master. 

When prompted, enter your directory administrator (e.g. diradmin) credentials.

Once you have authenticated, provide a path and a password to export the data.

Now you’ll see a sparse image in your export path. Open it to see the backup.ldif file.

That’s the main thing you’re looking for. The LDIF file can be imported into another OpenLDAP system, or, once you have an LDIF file, you can also convert it to CSV. To help with this, I wrote a little LDIF to CSV converter and posted it here.
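As an added example (my own code, not the converter the post links to), here is an LDIF-to-CSV converter that handles the parts of the format a line-by-line split gets wrong: folded continuation lines, base64-encoded values written with `::`, multi-valued attributes such as objectClass, comments and blank-line record separators. The LDIF below is a constructed sample in the shape slapcat writes, not data from a real export. Because directory attributes are user-supplied text, values beginning with =, +, - or @ are prefixed with a quote so they do not run as formulas when the CSV is opened in a spreadsheet.

```python
"""LDIF-to-CSV converter: an added example, not the converter the post links to.

It copes with the LDIF details that break naive line splitting: folded
continuation lines (a leading space), base64 values ("attr:: ..."),
multi-valued attributes, comments and blank-line record separators.
"""
import base64
import csv
import io

# Constructed sample in the shape slapcat writes; not data from a real export.
SAMPLE_LDIF = """\
# backup.ldif (constructed sample)
dn: uid=diradmin,cn=users,dc=odm,dc=krypted,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: diradmin
cn: Directory Administrator
uidNumber: 1000
description:: RGlyZWN0b3J5IGFkbWlu
mail: diradmin@krypted.com

dn: uid=alice,cn=users,dc=odm,dc=krypted,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Exa
 mple
uidNumber: 1001
description: =HYPERLINK("http://example.invalid")
"""


def unfold(text):
    """Join LDIF continuation lines (those starting with one space) onto the line above."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """Return a list of records, each mapping attribute name -> list of values.
    The dn is kept as an ordinary attribute so it lands in the CSV too."""
    records, current = [], {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                      # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):                    # "attr:< file:///..." reference
            value = rest[1:].strip()                  # keep the URL itself
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def neutralize_formula(value):
    """A cell starting with = + - @ executes as a formula in most spreadsheet
    apps; directory attributes are user-supplied, so prefix such values."""
    return "'" + value if value.startswith(("=", "+", "-", "@")) else value


def ldif_to_csv(records, columns=None, multi_sep="|"):
    """Flatten records to CSV text. Multi-valued attributes are joined with
    multi_sep; columns default to dn followed by attributes in first-seen order."""
    if columns is None:
        columns = ["dn"]
        for rec in records:
            for attr in rec:
                if attr not in columns:
                    columns.append(attr)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(columns)
    for rec in records:
        writer.writerow([neutralize_formula(multi_sep.join(rec.get(col, [])))
                         for col in columns])
    return out.getvalue()


if __name__ == "__main__":
    print(ldif_to_csv(parse_ldif(SAMPLE_LDIF)))
```

Run it against the backup.ldif pulled out of the sparse image and redirect the output to a file; pass `columns=["dn", "uid", "cn", "mail"]` if you only want the fields a spreadsheet import needs.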

Finally, you could export just users or groups, or specific objects from the Server App.

That option is more built for importing into other macOS servers, but if you’d like to try, click on Users in the left sidebar and then click on Export Users from the cog wheel icon towards the bottom of the screen.

Then select what to export and where to export the file to. 

You can also repeat this process for Groups, if needed.

April 4th, 2018

Posted In: Mac OS X, Mac OS X Server, Mac Security


There are a number of ways to create groups in OS X Server 5, running on Yosemite or El Capitan. The first is using the Server app, the second is using Workgroup Manager (which requires a little work to get working in El Capitan), the third is using the Users & Groups System Preference pane and the fourth is using the command line. In this article we will look at creating groups in the Server app. Once a server has been an Open Directory Master all user and group accounts created will be in the Local Network Group when created in Server app. Before that, all user and group objects are stored locally when created in Server app. Once promoted to an Open Directory server, local groups must be created in Workgroup Manager, the Users & Groups System Preference pane or using a command line tool appropriate for group management.
To create a new group, open the Server app and then click on Groups in the ACCOUNTS list of the Server app sidebar. From here, you can switch between the various directory domains accessible to the server using the drop-down list available. Click on the plus sign to create a local network group.

At the New Group screen, provide a name for the group in the Full Name field. This can have spaces. Then create a short name for the group in the Group Name field. This should not have spaces.

Click Done when you have supplied the appropriate information and the group is created. Once done, double-click on the group to see more options.

Here, use the plus sign (“+”) to add members to the group or highlight members and use the minus sign (“-”) to remove users from the group. You can also choose to use the following options:
  • Mailing Lists: Lists that are connected to the group.
  • Members: The users that are part of the group.
  • Give this group a shared folder: Creates a shared directory for the group, or a group with an ACL that grants all group members access.
  • Make group members Messages buddies: Adds each group member to each other group member’s buddy list in the Messages client.
  • Enable group mailing list: Enables a list using the short name of the group where all members receive emails to that address.
  • Create Group Wiki: Opens the Wiki interface for creating a wiki for the group.
  • Keywords: Keywords/tags to help locate users.
  • Notes: Notes about users.
Once changes have been made, click Done to commit the changes.

October 3rd, 2015

Posted In: Mac OS X Server


The command to create and tear down an Open Directory environment is slapconfig. When you disable Open Directory from the Server app you aren’t actually removing users. To do so, you’d use slapconfig along with the -destroyldapserver option. When run, you get a little insight into what’s happening behind the scenes:

bash-3.2# slapconfig -destroyldapserver

The logs are as follows:

2015-09-08 04:17:58 +0000 slapconfig -destroyldapserver
2015-09-08 04:17:58 +0000 Deleting Cert Authority related data
2015-09-08 04:17:58 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/Krypted Open Directory Certificate Authority.
2015-09-08 04:17:58 +0000 command: /usr/sbin/xscertadmin add --reason 5 --issuer Krypted Open Directory Certificate Authority --serial 3449505949
2015-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
2015-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
2015-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
2015-09-08 04:18:19 +0000 Stopping LDAP server (slapd)
2015-09-08 04:18:20 +0000 Stopping password server
2015-09-08 04:18:24 +0000 Removed all service principals from keytab for realm OSXSERVER.KRYPTED.COM
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/mail.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/alock.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2015-09-08 04:18:24 +0000 Removed directory at path /var/db/openldap/authdata.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.conf.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/rootDSE.ldif.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2015-09-08 04:18:27 +0000 Stopping password server
2015-09-08 04:18:27 +0000 Removed file at path /etc/ntp_opendirectory.conf.
2015-09-08 04:18:27 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.

September 28th, 2015

Posted In: Mac OS X Server


Open Directory has never been so easy to set up for a basic environment as it is in OS X Server 5 (for OS X 10.11 El Capitan and OS X 10.10 Yosemite). It’s also never been so annoyingly simple to use that doing anything cool requires a bunch of command line foo. No offense to the developers, but this whole idea that the screens that were being continually refined for a decade just need to be thrown out and started fresh seems to have led to a few babies thrown out along with them. Not often, as I’m kinda’ digging most of the new config screens in OS X Server 5, but with Open Directory, it’s just too easy. Features mean buttons. Buttons make things a tad bit more complicated to use than an ON/OFF switch… Anyway, rant over. Moving on.

As with almost any previous version of OS X Server and Open Directory, once you’ve installed the Server app, run the changeip command along with the -checkhostname option to verify that the IP, DNS and hostname match. Only proceed once you get an indication of “Success” (promotion will fail if you try anyway):

bash-3.2# changeip -checkhostname
dirserv:success = "success"

To set up the Open Directory Master, open the Server app and click on the Open Directory service (you might need to Show it under Advanced in the Server app sidebar). From here, click on the ON button.

For the purposes of this example, we’re setting up an entirely new Open Directory environment. At the “Configure Network Users and Groups” screen, click on “Create a new Open Directory Domain” and click on the Next button.

Note: If you are restoring an archive of an existing Open Directory domain, you would select the bottom option from this list.

At the Directory Administrator screen, enter a username and password for the directory administrator account. The default account is sufficient, although it’s never a bad idea to use something a bit less generic.

Once you’ve entered the username and password, click on the Next button. Then we’re going to configure the SSL information. At the Organization Information screen, enter a name for the organization in the Organization Name field and an email address to be used in the SSL certificate in the Admin Email Address field. Click on Next.

At the Confirm Settings screen, make sure these very few settings are OK with you and then click on the Set Up button to let slapconfig (the command that runs the OD setup in the background, kinda’ like a cooler dcpromo) do its thing. When the Open Directory master has been configured, there’s no need to reboot or anything; the indicator light for the Open Directory service should appear. If the promotion fails then look to the preflight options I wrote up a while back.

Clicking on the minus (“-”) button while a server is highlighted runs slapconfig -destroyldapserver on the server and destroys the Open Directory domain if it is the only server. All domain information is lost when this happens.

Next, let’s bind a client. Binding clients can be done in a few different ways. You can use a script, a Profile, the Users & Groups System Preference pane or build binding into the imaging process. For the purpose of this example, we’ll use the System Preference pane. To get started, open up System Preferences and then click on Users & Groups. From here, click on Login Options and then unlock the lock in the lower left corner of the screen, providing a username and password when prompted. Click on the Edit… button and then the plus sign (“+”). Then, enter the name of the Open Directory Master (the field will expand with options when you enter the host name). It’s probably best not to use the IP address at this point as the master will have an SSL certificate tied to the name. Click OK to accept the certificate (if it’s self-signed) and then the system should finish binding. Once bound, I like to use either id or dscl to verify that directory accounts are properly resolving before I try logging in as an Open Directory user.

Provided everything works, that’s it. The devil is of course in the details. There is very little data worth having if it isn’t backed up. Notice that you can archive by clicking on the cog wheel icon in the Open Directory service pane, much like you could in Server Admin. Or, because this helps when it comes to automating backups (with a little expect), to run a backup from the command line, run the slapconfig command along with the -backupdb option followed by a path to a folder to back the data up to:

sudo slapconfig -backupdb /odbackups

The result will be a request for a password, then a bunch of information about the backup:

bash-3.2# sudo slapconfig -backupdb /odbackups
2015-09-08 04:31:13 +0000 slapconfig -backupdb
Enter archive password:
2015-09-08 04:31:17 +0000 1 Backing up LDAP database
2015-09-08 04:31:17 +0000 popen: /usr/sbin/slapcat -l /tmp/slapconfig_backup_stage1769HtaFE7/backup.ldif, "r"
55ee6495 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2015-09-08 04:31:17 +0000 popen: /usr/sbin/slapcat -b cn=authdata -l /tmp/slapconfig_backup_stage1769HtaFE7/authdata.ldif, "r"
55ee6495 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2015-09-08 04:31:17 +0000 popen: /bin/cp /var/db/openldap/openldap-data/DB_CONFIG /tmp/slapconfig_backup_stage1769HtaFE7/DB_CONFIG, "r"
2015-09-08 04:31:17 +0000 popen: /bin/cp /var/db/openldap/authdata//DB_CONFIG /tmp/slapconfig_backup_stage1769HtaFE7/authdata_DB_CONFIG, "r"
2015-09-08 04:31:17 +0000 popen: /bin/cp -r /etc/openldap /tmp/slapconfig_backup_stage1769HtaFE7/, "r"
2015-09-08 04:31:17 +0000 popen: /bin/hostname > /tmp/slapconfig_backup_stage1769HtaFE7/hostname, "r"
2015-09-08 04:31:17 +0000 popen: /usr/sbin/sso_util info -pr /LDAPv3/127.0.0.1 > /tmp/slapconfig_backup_stage1769HtaFE7/local_odkrb5realm, "r"
2015-09-08 04:31:18 +0000 popen: /usr/bin/tar czpf /tmp/slapconfig_backup_stage1769HtaFE7/krb5backup.tar.gz /var/db/krb5kdc/kdc.conf /var/db/krb5kdc/acl_file.* /var/db/krb5kdc/m_key.* /etc/krb5.keytab , "r"
tar: Removing leading '/' from member names
2015-09-08 04:31:18 +0000 2 Backing up Kerberos database
2015-09-08 04:31:18 +0000 popen: /bin/cp /var/db/dslocal/nodes/Default/config/KerberosKDC.plist /tmp/slapconfig_backup_stage1769HtaFE7/KerberosKDC.plist, "r"
2015-09-08 04:31:18 +0000 popen: /bin/cp /Library/Preferences/com.apple.openldap.plist /tmp/slapconfig_backup_stage1769HtaFE7/, "r"
2015-09-08 04:31:18 +0000 3 Backing up configuration files
2015-09-08 04:31:18 +0000 popen: /usr/bin/sw_vers > /tmp/slapconfig_backup_stage1769HtaFE7/version.txt, "r"
2015-09-08 04:31:18 +0000 popen: /bin/cp -r /var/db/dslocal /tmp/slapconfig_backup_stage1769HtaFE7/, "r"
2015-09-08 04:31:18 +0000 Backed Up Keychain
2015-09-08 04:31:18 +0000 4 Backing up CA certificates
2015-09-08 04:31:18 +0000 5 Creating archive
2015-09-08 04:31:18 +0000 command: /usr/bin/hdiutil create -ov -plist -puppetstrings -layout UNIVERSAL CD -fs HFS+ -volname ldap_bk -srcfolder /tmp/slapconfig_backup_stage1769HtaFE7 -format SPARSE -encryption AES-256 -stdinpass /odbackups
2015-09-08 04:31:25 +0000 Removed directory at path /tmp/slapconfig_backup_stage1769HtaFE7.
2015-09-08 04:31:25 +0000 Removed file at path /var/run/slapconfig.lock.

To restore a database (such as from a previous version of the operating system where such an important option was actually present) use the following command (which just swaps -backupdb with -restoredb):

sudo slapconfig -restoredb /odbackups

Both commands ask you for a password to encrypt and decrypt the disk image created by them.
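The -destroyldapserver and -backupdb output above is the only record of what slapconfig did to the box, so it is worth being able to read it mechanically: after a teardown you want to know which directories were emptied, that the CA was revoked and the keytab cleared; after a backup you want to confirm the archive was actually built with AES-256. The parser below is an added example (my own code, not Apple's or the author's); the two log excerpts are constructed, abridged copies of the lines shown in these posts.

```python
"""Audit helper for slapconfig output: an added example, not part of the posts.

It parses the timestamped lines that slapconfig prints during -destroyldapserver
and -backupdb, so you can see from a log what the run removed, which helper
commands it ran, and whether a backup archive was actually encrypted.
"""
import re
from collections import Counter

# Lines slapconfig prints itself carry a timestamp; slapd/tar chatter does not.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) (.*)$")

# Constructed excerpts modelled on the output shown in the posts (abridged).
DESTROY_LOG = """\
2015-09-08 04:17:58 +0000 slapconfig -destroyldapserver
2015-09-08 04:17:58 +0000 Deleting Cert Authority related data
2015-09-08 04:17:58 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/Krypted Open Directory Certificate Authority.
2015-09-08 04:17:58 +0000 command: /usr/sbin/xscertadmin add --reason 5 --issuer Krypted Open Directory Certificate Authority --serial 3449505949
2015-09-08 04:18:19 +0000 Stopping LDAP server (slapd)
2015-09-08 04:18:24 +0000 Removed all service principals from keytab for realm OSXSERVER.KRYPTED.COM
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.conf.
2015-09-08 04:18:27 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.
"""

BACKUP_LOG = """\
2015-09-08 04:31:13 +0000 slapconfig -backupdb
Enter archive password:
2015-09-08 04:31:17 +0000 1 Backing up LDAP database
2015-09-08 04:31:17 +0000 popen: /usr/sbin/slapcat -l /tmp/slapconfig_backup_stage1769HtaFE7/backup.ldif, "r"
55ee6495 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2015-09-08 04:31:18 +0000 5 Creating archive
2015-09-08 04:31:18 +0000 command: /usr/bin/hdiutil create -ov -plist -puppetstrings -layout UNIVERSAL CD -fs HFS+ -volname ldap_bk -srcfolder /tmp/slapconfig_backup_stage1769HtaFE7 -format SPARSE -encryption AES-256 -stdinpass /odbackups
2015-09-08 04:31:25 +0000 Removed directory at path /tmp/slapconfig_backup_stage1769HtaFE7.
"""

PREFIXES = (
    ("Removed file at path ", "removed_file"),
    ("Removed directory at path ", "removed_dir"),
    ("command: ", "command"),
    ("popen: ", "popen"),
)


def parse_slapconfig_log(text):
    """Return (timestamp, kind, detail) tuples for every timestamped line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompts and slapd/tar output: no timestamp, not slapconfig's own
        ts, msg = m.groups()
        for prefix, kind in PREFIXES:
            if msg.startswith(prefix):
                detail = msg[len(prefix):]
                if kind.startswith("removed"):
                    detail = detail.rstrip(".")  # slapconfig ends path lines with a period
                events.append((ts, kind, detail))
                break
        else:
            kind = "step" if re.match(r"^\d+ ", msg) else "message"
            events.append((ts, kind, msg))
    return events


def summarize(events):
    """Roll the events up into the facts an auditor wants from the run."""
    removed = [d for _, k, d in events if k in ("removed_file", "removed_dir")]
    commands = [d for _, k, d in events if k in ("command", "popen")]
    messages = [d for _, k, d in events if k == "message"]
    return {
        "first": events[0][0] if events else None,
        "last": events[-1][0] if events else None,
        "removed_by_dir": dict(Counter(p.rsplit("/", 1)[0] for p in removed)),
        "commands": commands,
        "steps": [d for _, k, d in events if k == "step"],
        "flags": {
            "ca_revocation": any("xscertadmin" in c for c in commands),
            "keytab_cleared": any("service principals from keytab" in m for m in messages),
            "ldap_config_removed": any(p.startswith("/etc/openldap") for p in removed),
            "archive_encrypted": any("hdiutil" in c and "-encryption AES-256" in c
                                     for c in commands),
        },
    }


if __name__ == "__main__":
    for name, log in (("destroy", DESTROY_LOG), ("backup", BACKUP_LOG)):
        print(name, summarize(parse_slapconfig_log(log)))
```

Feed it the captured terminal output (or a log you shipped off the box) and compare `removed_by_dir` against what you expected the run to touch; a teardown that did not clear the keytab or revoke the CA, or a backup whose hdiutil line lacks the encryption flag, is worth a second look before you trust the result.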

September 22nd, 2015

Posted In: Mac OS X Server


The Directory Utility application has moved to /System/Library/CoreServices/Applications. Once open, you can use it to bind to directory services, change search policies and even dink around with NIS if you still rock the flannel with your ripped up jeans. But the thing that I tend to do in Directory Utility the most is look at user and group attributes. To do so, open Directory Utility and click on the Directory Editor tab. In the bar directly below, you’ll see Viewing and In Node. The Viewing option is what type of object you’re going to look at. The In Node option shows the directory domain you’re viewing. Below, we show the local users in /Local/Default.

Click on a user and you will see all of the attributes that exist for that user. Not all users are created equal when it comes to attributes, so if you’re looking for a specific attribute then you can go through different users to see what they have.

Change the In Node option to /LDAPv3/127.0.0.1 (or the name of your directory service, such as your Active Directory) to see all the attributes available there. You can then note the names and use them in scripts, etc.

You can also access this information via dscl, but I’ve covered that enough times in the past to be bored with myself for even making the reference. Enjoy.

November 6th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Network Infrastructure


Previously, we looked at setting up an Open Directory Master in OS X Server. An Open Directory Replica keeps a copy of the Open Directory database available for users even when the Master goes offline. But it can also take a part of the load from the Open Directory Master and, when using the new Locales feature, balance network traffic.

To get started with an Open Directory Replica, first enable SSH, now disabled by default. Next, use changeip to check the host name. While the Server app is cool, it caches stuff and I’ve seen it let things go that shouldn’t be let go. Therefore, in order to make sure that the server has such an address, I still recommend using changeip, but I also recommend using the Server application. In OS X Server, I’ve seen each find things that the other misses. Additionally, in Yosemite and above, OS X Server needs to be able to look up whatever the hostname is set to in order to actually promote either to a replica or a master. To use changeip to verify the hostname is set appropriately:

sudo changeip -checkhostname

The address and host names should look correct and match what you see in the Server application’s Next Steps drawer.

Primary address = 10.0.0.1
Current HostName = odr.krypted.com
DNS HostName = krypted.com
The names match. There is nothing to change.
dirserv:success = "success"

Provided everything is cool with the hostname, use the slapconfig command to preflight a replica prior to promotion. The syntax there is the same as the -createreplica syntax, used as follows, assuming the master has an IP address of 172.16.2.23:

/usr/sbin/slapconfig -preflightreplica 172.16.2.23 diradmin

Provided that the server is ready, open the Server app on a freshly installed computer you want to be your Open Directory replica. Then, click on the Open Directory service. Then, use the ON button to start the configuration process. When prompted, click on “Join an existing Open Directory domain as a replica” and click on the Next button.

When prompted, enter the parent Open Directory server’s host name (likely the name of the Open Directory Master), the directory admin user name (the diradmin or custom username provided when Open Directory was configured), and then the directory admin password. Then click on the Next button again to set up the services.


At the Confirm settings screen, click on the Set Up button and the replica is completed provided there are no issues with the configuration. Check Server app on both the Replica and the Master and verify that the server is displayed under the Master.

Once you’ve created your first replica, you can then start to define replica trees, where each replica looks at one above it, which then looks at another. I’ll do another article later on replica trees.

Note: If there are any problems during promotion, I start over every time using slapconfig along with the -destroyldapserver option to nuke everything in OD:

sudo slapconfig -destroyldapserver

Use the logs to help if you’re having replica creation problems. These can be enabled using the -enableslapdlog option:

sudo slapconfig -enableslapdlog

You can use the -addreplica option to add replicas manually while running tail on the slapd logs:

sudo tail -f /var/log/slapd.log

Once the replica has been created, you can add more and more until you exceed 32. At that point, you have a fairly large Open Directory environment, and when you go to add the 33rd replica you get a funny error that dserr doesn’t have listed. The reason is likely that a single Open Directory Master can only have 32 replicas – and the fact that you’ve made it that far means you get a cookie. Cookie or no, you can have 32 replicas on each replica (thus having a replica tree), ergo allowing for a total of 1,024 replicas and a master. So rather than bind that 33rd replica to a master, move to a replica tree model, trying to offload replicas in as geographically friendly a fashion as possible (thus reducing slap traffic on your WAN links) by repositioning replicas per site. Similar to how Active Directory infrastructures often have a global catalog at each site, if you’ve got a large number of Open Directory Replicas then you should likely try and limit the number that connect back to each master per site to 1. Assuming that each replica can sustain a good 350 clients on a bad day (and we always plan for bad days), even the largest pure Mac OS X deployments will have plenty of LDAP servers to authenticate to.

However, you’re likely going to have issues with clients being able to tell which Open Directory server is the most appropriate to authenticate through. Therefore, cn=config will need to be customized per group that leverages each replica, or divert rules used with ipfw to act as a traffic cop. Overall, the replica trees seem to be working fairly well in Snow Leopard, netting a fairly scalable infrastructure for providing LDAP services. You can also get pretty granular with the slurpd (the daemon that manages Open Directory replication) logs by invoking slurpd with a -d option followed by a number from 4 to 65535, with the intensity of logging increasing as the number gets higher. You can also use the -r option to indicate a specific log file. If you have more than 32 replicas then it stands to reason that you also have a large number of objects in Open Directory, a fair amount of change occurring to said objects and therefore a fair amount of replication IO. In order to offload this you can move your replication temp directory onto SSD drives by specifying the -t option when invoking slurpd. The slurpd replication occurs over port 389 (by default). Therefore, in a larger environment you should be giving priority to that network traffic. If you choose to custom make/install slurpd then you’ll also need to go ahead and build your Kerberos principals manually. In this case you would get a srvtab file for the slurpd server and then configure slapd to accept Kerberos Authentication for slaves. Having said this, I haven’t seen an environment where I had to configure slurpd in this fashion.
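The sizing rules in the paragraphs above (32 replicas per master or replica, roughly 350 clients per replica on a bad day, and one replica per site binding back to the master) are easy to get wrong by hand once you have more than a handful of sites. The planner below is an added example, my own code rather than anything Apple or the author shipped; the site list is constructed. It places one site-head replica per site under the master and hangs any further replicas the site needs under that head, so WAN links carry a single replication stream per site. The tier counts it reports are 32 under the master and 32 × 32 = 1,024 beneath those, the figure the post quotes for the second tier.

```python
"""Replica-tree capacity planner: an added example built on the sizing rules
the post gives (32 replicas per server, about 350 clients per replica on a bad
day, one replica per site bound back to the master). Not Apple's or the
author's code; the site list below is constructed.
"""
MAX_REPLICAS_PER_SERVER = 32   # a master or a replica can carry 32 replicas beneath it
CLIENTS_PER_REPLICA = 350      # the post's bad-day planning figure

# Constructed example: client counts per site.
SITES = {"minneapolis": 1200, "portland": 300, "london": 700}


def replicas_needed(clients, per_replica=CLIENTS_PER_REPLICA):
    """Ceiling of clients / per_replica, never less than one per site."""
    return max(1, -(-clients // per_replica))


def plan_replica_tree(site_clients, fanout=MAX_REPLICAS_PER_SERVER,
                      per_replica=CLIENTS_PER_REPLICA):
    """One site-head replica per site binds to the master; any further replicas
    a site needs bind to that site head, so the master never sees more than one
    replica per site and each WAN link carries one replication stream."""
    if len(site_clients) > fanout:
        raise ValueError(f"{len(site_clients)} sites exceed the {fanout} replicas a master can carry")
    plan = {}
    for site, clients in site_clients.items():
        needed = replicas_needed(clients, per_replica)
        beneath_head = needed - 1
        if beneath_head > fanout:
            raise ValueError(f"{site} needs {needed} replicas; a site head carries at most {fanout}")
        plan[site] = {
            "site_head": 1,
            "second_tier": beneath_head,
            "capacity": needed * per_replica,
            "headroom": needed * per_replica - clients,
        }
    return plan


def tree_levels(fanout=MAX_REPLICAS_PER_SERVER, depth=2):
    """Replica count per tier of a full tree: 32 under the master, 32*32 under those."""
    return {level: fanout ** level for level in range(1, depth + 1)}


def master_bound_replicas(plan):
    """How many replicas bind directly to the master under this plan."""
    return sum(p["site_head"] for p in plan.values())


if __name__ == "__main__":
    plan = plan_replica_tree(SITES)
    for site, p in plan.items():
        print(f"{site:12} head=1 second_tier={p['second_tier']} "
              f"capacity={p['capacity']} headroom={p['headroom']}")
    print("replicas bound to master:", master_bound_replicas(plan))
    print("full-tree tiers:", tree_levels())
```

A site whose `headroom` is zero (london above, at exactly 700 clients) has no slack for the bad day the post plans for, so treat that as a prompt to add one more second-tier replica there rather than a pass.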

October 16th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


Every now and then I see an Open Directory database that’s gotten corrupt for one reason or another. To be more specific, while I see Kerberos get wonky and password server issues from time to time, every now and then I see the actual LDAP database throw errors like this one when checked with slapd:
/usr/libexec/slapd -Tt
Corruption usually looks a little something like this:
51890ba0 ldif_read_file: checksum error on "/var/db/openldap/openldap-data/cn.bdb"
51890ba0 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
If the bdb (Berkeley Database) files can’t be read in properly then you can do a sanity check with slaptest to see if there are other issues as well:
slaptest -f /private/etc/openldap/slapd.conf -v
Provided that your problems are with the bdb files and not ldif files, which can easily be grabbed from another OD box, you can then recover the database using db_recover, along with the -h option to define the directory your bdb files reside in (/var/db/openldap/openldap-data in OS X Server):
db_recover -h /var/db/openldap/openldap-data/
Note: always back up first. If errors continue then you can also run with the -c option, which performs a “catastrophic” recovery. Also, OD will need to be stopped before you run db_recover. Chances are, if you have corruption then the database will already be stopped; however, check first:
serveradmin fullstatus dirserv
If it’s running, stop it:
serveradmin stop dirserv
Once you’re done, there’s no longer any need to reboot each time you do this kind of thing, which is a huge time saver, so just swap stop for start and you’re good:
serveradmin start dirserv
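The check-stop-recover-start sequence above, wrapped into a script, as an added example that is not from the original post. The parsing helpers work on captured command output so they can be exercised offline; `recover_od` runs the real OS X Server commands and assumes it is invoked as root, and the `dirserv:state = "RUNNING"` line it looks for is the form serveradmin uses for its status output.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the OD bdb recovery steps.
OD_DB=/var/db/openldap/openldap-data

# slapd_db_corrupt <slapd -Tt output>: exit 0 if the bdb checksum error appears
slapd_db_corrupt() {
    printf '%s\n' "$1" | grep -q 'ldif_read_file: checksum error'
}

# dirserv_running <serveradmin fullstatus dirserv output>: exit 0 if RUNNING
# (serveradmin prints the service state as dirserv:state = "RUNNING"/"STOPPED")
dirserv_running() {
    printf '%s\n' "$1" | grep -q '^dirserv:state = "RUNNING"'
}

# recover_od [-c]: stop dirserv if it is up, copy the bdb directory aside,
# run db_recover (-c for a catastrophic recovery), re-check the config with
# slaptest and start dirserv again. Must run as root on the OD master.
recover_od() {
    mode=$1
    if dirserv_running "$(serveradmin fullstatus dirserv)"; then
        serveradmin stop dirserv
    fi
    # always back up before touching the database files
    cp -Rp "$OD_DB" "$OD_DB.bak.$(date +%Y%m%d%H%M%S)" || return 1
    if [ "$mode" = "-c" ]; then
        db_recover -c -h "$OD_DB/"
    else
        db_recover -h "$OD_DB/"
    fi
    slaptest -f /private/etc/openldap/slapd.conf -v || return 1
    serveradmin start dirserv
}

# Only act when asked explicitly:  sh od_recover.sh check   or   sh od_recover.sh recover -c
case "${1:-}" in
    check)
        if slapd_db_corrupt "$(/usr/libexec/slapd -Tt 2>&1)"; then
            echo "bdb checksum error found: run 'recover' (add -c if plain recovery fails)"
        else
            echo "slapd config test clean"
        fi ;;
    recover) recover_od "$2" ;;
esac
```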

May 7th, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security


Need to perform lookups on Open Directory from Linux? Need to determine a search base to use an LDAP plug-in for a third party with Active Directory? Determining the layout of a directory service can be important for a number of tasks. Most of these have to do with connecting systems of different platforms with one another. In OS X, there are a number of tools that will look up directory service information. Most are based on ldapsearch. Using ldapsearch, you can determine whether a search base is good, whether a directory service responds to a given request and validate some assumptions you may have about an LDAP environment. Let’s take a basic task: searching Open Directory for the diradmin account; the attribute would be uid. Then let’s say that odm.krypted.com is your Open Directory master (the hostname of your server is defined using the -h option) and that the search base uses the default setting (the base is defined using the -b option), which would be dc=odm,dc=krypted,dc=com. Your query using ldapsearch would be:
ldapsearch -h odm.krypted.com -x -b "dc=odm,dc=krypted,dc=com" "uid=diradmin"
The response is going to let you know that uid diradmin exists in cn=users. The final option for the above command is the attribute within Open Directory that you are searching for. Let’s say you wanted to limit your search to users in the users cn:
ldapsearch -h odm.krypted.com -x -b "cn=users,dc=odm,dc=krypted,dc=com" "uid=diradmin"
You can also search for items in a different cn.
Let’s look in computers for any computer with a specific MAC address:
ldapsearch -h odm.krypted.com -x -b "cn=computers,dc=odm,dc=krypted,dc=com" "macAddress=00:00:00:00:00:00"
Or hostname:
ldapsearch -h odm.krypted.com -x -b "cn=computers,dc=odm,dc=krypted,dc=com" "Hostname=someclient.krypted.com"
When I’m troubleshooting latency issues, I’ll often automate a query for a known element from within a directory service and use the -l option, specifying as its parameter the number of seconds a search is allowed to take to complete. It’s a quick and dirty latency check (you could also time a query). Also, if you aren’t running LDAP on the default port (389) then you can specify a port using the -p option. The -x option sorts results on servers. If the server is fairly taxed it might be better to have a client sort the results, but if not then it’s always going to be faster to sort server-side. You can use the -z option to limit the number of results to a finite set. Finally, you can choose to export results into LDIF. Using one -L uses LDIF v1, two (-LL) uses LDIF and disables comments, while three (-LLL) also disables printing the LDIF version, meaning the results can be piped into an actual LDIF file:
ldapsearch -LLL -x -H ldap://odm.krypted.com -b "cn=users,dc=odm,dc=krypted,dc=com" > kryptedusers.ldif
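The latency check and LDIF export described above, as an added example that is not from the original post: a timed lookup of a known account with the -l time limit, plus a helper that unfolds -LLL output so each entry’s dn can be pulled out of an export. The host and base DN are the post’s; the 5-second limit, the port and the sample LDIF fed to the helper are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): ldapsearch latency probe and
# LDIF helpers for Open Directory.
OD_HOST=odm.krypted.com
OD_BASE="dc=odm,dc=krypted,dc=com"
PORT=389      # assumed: change with -p if LDAP is not on the default port
TIMEOUT=5     # assumed: seconds passed to -l; the search must finish within this

# od_search <container cn> <filter>: search one container of the OD master
od_search() {
    ldapsearch -LLL -x -h "$OD_HOST" -p "$PORT" -l "$TIMEOUT" \
        -b "cn=$1,$OD_BASE" "$2"
}

# od_latency_probe <uid>: time a lookup of a known account; prints
# "ok <n>s" or "FAIL <n>s" and returns ldapsearch's exit status, so a cron
# job can alert when the directory stops answering within TIMEOUT seconds.
od_latency_probe() {
    start=$(date +%s)
    od_search users "uid=$1" >/dev/null 2>&1
    rc=$?
    took=$(( $(date +%s) - start ))
    if [ $rc -eq 0 ]; then echo "ok ${took}s"; else echo "FAIL ${took}s"; fi
    return $rc
}

# ldif_unfold <ldif text>: join LDIF continuation lines (those starting with a
# space) onto the attribute line they belong to, so each attribute is one line
ldif_unfold() {
    printf '%s\n' "$1" | awk '
        /^ /    { printf "%s", substr($0, 2); next }
        NR > 1  { printf "\n" }
                { printf "%s", $0 }
        END     { printf "\n" }'
}

# ldif_dns <ldif text>: print the dn of every entry in an -LLL export
ldif_dns() {
    ldif_unfold "$1" | sed -n 's/^dn: //p'
}
```

`od_latency_probe diradmin` exercises the live server; `ldif_dns "$(cat kryptedusers.ldif)"` lists the DNs in an export made with the -LLL command above.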

July 18th, 2011

Posted In: Mac OS X Server


phpLDAPadmin is a tool that can be used to walk LDAP trees and view attributes of objects located within them using a web browser. This isn’t to say that it’s the prettiest tool out there but it works really well and is portable between various flavors of LDAP. Before you can use phpLDAPadmin you will need Apache. In Ubuntu, Apache can be installed using apt-get:
apt-get install apache2
Once you have Apache installed, downloading phpLDAPadmin and installing it in Ubuntu Server 10 couldn’t be easier, just apt-get the package:
apt-get install phpldapadmin
Now you have the pieces, let’s copy phpLDAPadmin into your web root directory:
cp -R /usr/share/phpldapadmin /var/www/myphpldapadmin
In that new directory you will see a config file. Here, you’ll see some lines that appear as follows:
$ldapservers->SetValue($i,'server','name','My LDAP Server');  // The name to display
$ldapservers->SetValue($i,'server','host','127.0.0.1');  // Address of the LDAP server
$ldapservers->SetValue($i,'server','port','389');   // Port number
$ldapservers->SetValue($i,'server','base',array('dc=example,dc=com'));  // Base dn
$ldapservers->SetValue($i,'login','string','uid=<username>,ou=People,dc=example,dc=com');
You’ll want to provide the address, port number (if the port isn’t 389) and DN information of your server and then connect by visiting the website created via Apache (if the server name were ldapserver.local, this might be http://ldapserver.local/phpLDAPadmin). Provide the username and password and you should be able to use phpLDAPadmin. Happy LDAP’ing!

November 17th, 2010

Posted In: Active Directory, Ubuntu

