Open Directory has never been so easy to set up for a basic environment as it is in OS X Server 5 (for OS X 10.11 El Capitan and OS X 10.10 Yosemite). It’s also never been so annoyingly simple that doing anything cool requires a bunch of command line foo. No offense to the developers, but this whole idea that the screens that were continually refined for a decade just needed to be thrown out and started fresh seems to have led to a few babies thrown out along with the bathwater. Not often, as I’m kinda’ digging most of the new config screens in OS X Server 5, but with Open Directory, it’s just too easy. Features mean buttons. Buttons make things a tad bit more complicated to use than an ON/OFF switch… Anyway, rant over. Moving on.

As with almost any previous version of OS X Server and Open Directory, once you’ve installed the Server app, run the changeip command along with the -checkhostname option to verify that the IP, DNS and hostname match. Proceed only if you get an indication of “Success” (the promotion will fail if you try anyway):

bash-3.2# changeip -checkhostname
dirserv:success = "success"

To set up the Open Directory Master, open the Server app and click on the Open Directory service (you might need to Show it under Advanced in the Server app sidebar). From here, click on the ON button.

For the purposes of this example, we’re setting up an entirely new Open Directory environment. At the “Configure Network Users and Groups” screen, click on “Create a new Open Directory Domain” and click on the Next button.

Note: If you are restoring an archive of an existing Open Directory domain, you would select the bottom option from this list.

At the Directory Administrator screen, enter a username and password for the directory administrator account. The default account is sufficient, although it’s never a bad idea to use something a bit less generic. Once you’ve entered the username and password, click on the Next button. Then we’re going to configure the SSL information.

At the Organization Information screen, enter a name for the organization in the Organization Name field and an email address to be used in the SSL certificate in the Admin Email Address field. Click on Next.

At the Confirm Settings screen, make sure these very few settings are OK with you and then click on the Set Up button to let slapconfig (the command that runs the OD setup in the background, kinda’ like a cooler dcpromo) do its thing. When the Open Directory master has been configured, there’s no need to reboot or anything; the indicator light for the Open Directory service should appear. If the promotion fails, look to the preflight options I wrote up a while back.

Clicking on the minus (“-”) button while a server is highlighted runs slapconfig -destroyldapserver on the server and destroys the Open Directory domain if it is the only server. All domain information is lost when this happens.

Next, let’s bind a client. Binding clients can be done in a few different ways. You can use a script, a profile, the Users & Groups System Preference pane, or build binding into the imaging process. For the purpose of this example, we’ll use the System Preference pane. To get started, open up System Preferences and then click on Users & Groups. From here, click on Login Options and then unlock the lock in the lower left corner of the screen, providing a username and password when prompted. Click on the Edit… button and then the plus sign (“+”). Then, enter the name of the Open Directory Master (the field will expand with options when you enter the host name).

It’s probably best not to use the IP address at this point, as the master will have an SSL certificate tied to the name. Click OK to accept the certificate (if it’s self-signed) and then the system should finish binding. Once bound, I like to use either id or dscl to verify that directory accounts are properly resolving before I try logging in as an Open Directory user. Provided everything works, that’s it. The devil is of course in the details.

There is very little data worth having if it isn’t backed up. Notice that you can archive by clicking on the cog wheel icon in the Open Directory service pane, much like you could in Server Admin. Or, because this helps when it comes to automating backups (with a little expect), to run a backup from the command line, run the slapconfig command along with the -backupdb option followed by a path to a folder to back the data up to:

sudo slapconfig -backupdb /odbackups

The result will be a request for a password, then a bunch of information about the backup:

bash-3.2# sudo slapconfig -backupdb /odbackups
2015-09-08 04:31:13 +0000 slapconfig -backupdb
Enter archive password:
2015-09-08 04:31:17 +0000 1 Backing up LDAP database
2015-09-08 04:31:17 +0000 popen: /usr/sbin/slapcat -l /tmp/slapconfig_backup_stage1769HtaFE7/backup.ldif, "r"
55ee6495 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2015-09-08 04:31:17 +0000 popen: /usr/sbin/slapcat -b cn=authdata -l /tmp/slapconfig_backup_stage1769HtaFE7/authdata.ldif, "r"
55ee6495 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
2015-09-08 04:31:17 +0000 popen: /bin/cp /var/db/openldap/openldap-data/DB_CONFIG /tmp/slapconfig_backup_stage1769HtaFE7/DB_CONFIG, "r"
2015-09-08 04:31:17 +0000 popen: /bin/cp /var/db/openldap/authdata//DB_CONFIG /tmp/slapconfig_backup_stage1769HtaFE7/authdata_DB_CONFIG, "r"
2015-09-08 04:31:17 +0000 popen: /bin/cp -r /etc/openldap /tmp/slapconfig_backup_stage1769HtaFE7/, "r"
2015-09-08 04:31:17 +0000 popen: /bin/hostname > /tmp/slapconfig_backup_stage1769HtaFE7/hostname, "r"
2015-09-08 04:31:17 +0000 popen: /usr/sbin/sso_util info -pr /LDAPv3/127.0.0.1 > /tmp/slapconfig_backup_stage1769HtaFE7/local_odkrb5realm, "r"
2015-09-08 04:31:18 +0000 popen: /usr/bin/tar czpf /tmp/slapconfig_backup_stage1769HtaFE7/krb5backup.tar.gz /var/db/krb5kdc/kdc.conf /var/db/krb5kdc/acl_file.* /var/db/krb5kdc/m_key.* /etc/krb5.keytab , "r"
tar: Removing leading '/' from member names
2015-09-08 04:31:18 +0000 2 Backing up Kerberos database
2015-09-08 04:31:18 +0000 popen: /bin/cp /var/db/dslocal/nodes/Default/config/KerberosKDC.plist /tmp/slapconfig_backup_stage1769HtaFE7/KerberosKDC.plist, "r"
2015-09-08 04:31:18 +0000 popen: /bin/cp /Library/Preferences/com.apple.openldap.plist /tmp/slapconfig_backup_stage1769HtaFE7/, "r"
2015-09-08 04:31:18 +0000 3 Backing up configuration files
2015-09-08 04:31:18 +0000 popen: /usr/bin/sw_vers > /tmp/slapconfig_backup_stage1769HtaFE7/version.txt, "r"
2015-09-08 04:31:18 +0000 popen: /bin/cp -r /var/db/dslocal /tmp/slapconfig_backup_stage1769HtaFE7/, "r"
2015-09-08 04:31:18 +0000 Backed Up Keychain
2015-09-08 04:31:18 +0000 4 Backing up CA certificates
2015-09-08 04:31:18 +0000 5 Creating archive
2015-09-08 04:31:18 +0000 command: /usr/bin/hdiutil create -ov -plist -puppetstrings -layout UNIVERSAL CD -fs HFS+ -volname ldap_bk -srcfolder /tmp/slapconfig_backup_stage1769HtaFE7 -format SPARSE -encryption AES-256 -stdinpass /odbackups
2015-09-08 04:31:25 +0000 Removed directory at path /tmp/slapconfig_backup_stage1769HtaFE7.
2015-09-08 04:31:25 +0000 Removed file at path /var/run/slapconfig.lock.

To restore a database (such as from a previous version of the operating system, where such an important option was actually present), use the following command (which just swaps -backupdb for -restoredb):

sudo slapconfig -restoredb /odbackups

Both commands ask you for a password to encrypt and decrypt the disk image created by them.
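Since slapconfig -backupdb insists on prompting for the archive password, here is the “little expect” mentioned above, wrapped into a script you could hang off launchd. This is an added example, not code from the original post or from Apple: the BACKUP_ROOT, PASSWORD_FILE and KEEP_DAYS settings, the function names and the pruning policy are my choices, and the password-file path is a hypothetical one. The only thing taken from the post is the “Enter archive password:” prompt that appears in the log above. The script refuses to run unless the password file is readable by root alone, checks that the sparse image actually appeared, and then prunes archives older than KEEP_DAYS.

```shell
#!/bin/sh
# Added example, not code from the original post: an unattended wrapper
# around `slapconfig -backupdb` for launchd or cron. The archive password is
# read from a root-only file and fed to slapconfig's interactive prompt with
# expect (as the post suggests), then archives older than KEEP_DAYS are pruned.
# BACKUP_ROOT, PASSWORD_FILE, KEEP_DAYS and the function names are my choices;
# the "Enter archive password:" prompt is the one shown in the post's log.

BACKUP_ROOT="${BACKUP_ROOT:-/odbackups}"              # directory holding the archives
PASSWORD_FILE="${PASSWORD_FILE:-/var/root/.odbackup}"  # hypothetical path; must be mode 600
KEEP_DAYS="${KEEP_DAYS:-30}"

# Build a dated archive name. hdiutil (which slapconfig calls with -format
# SPARSE) appends .sparseimage, so $1/od-$2 ends up as $1/od-$2.sparseimage.
archive_path() {
    printf '%s/od-%s' "$1" "$2"
}

# Succeed only if $1 is a regular file readable by its owner alone (600 or
# 400), so a world-readable password file is never silently used.
password_file_is_private() {
    [ -f "$1" ] || return 1
    case "$(uname)" in
        Darwin) mode=$(stat -f '%Lp' "$1") || return 1 ;;
        *)      mode=$(stat -c '%a' "$1")  || return 1 ;;
    esac
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Remove archives in $1 whose modification time is older than $2 days.
prune_old_archives() {
    find "$1" -maxdepth 1 -name 'od-*.sparseimage' -mtime "+$2" -print -exec rm -f {} \;
}

# Run one backup: drive the password prompt with expect, confirm the image
# exists, then prune. Non-zero on any failure so launchd/cron logs it.
run_backup() {
    target=$(archive_path "$BACKUP_ROOT" "$(date +%Y%m%d-%H%M)")
    password_file_is_private "$PASSWORD_FILE" || {
        echo "refusing to run: $PASSWORD_FILE must exist with mode 600" >&2; return 1; }
    mkdir -p "$BACKUP_ROOT"
    /usr/bin/expect <<EOF
log_user 0
set f [open "$PASSWORD_FILE" r]
set pw [string trim [read \$f]]
close \$f
spawn /usr/sbin/slapconfig -backupdb "$target"
expect "Enter archive password:"
send -- "\$pw\r"
expect eof
EOF
    [ -f "$target.sparseimage" ] || { echo "archive $target.sparseimage was not created" >&2; return 1; }
    prune_old_archives "$BACKUP_ROOT" "$KEEP_DAYS"
}

# Only attempt the real backup as root on a server that has slapconfig;
# the helper functions above can be exercised anywhere.
if [ -x /usr/sbin/slapconfig ] && [ "$(id -u)" -eq 0 ]; then
    run_backup
fi
```

Keep in mind that the archive password protects an AES-256 image containing the LDAP database, the Kerberos master key and keytab, so the password file is as sensitive as the directory itself; the mode check is there so the script stops rather than quietly keep using a file someone opened up.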

Almost wrote this up again and then realized I already did once (sure, it was a few years ago, but luckily not much changes with some of the command line stuff). Check it out here: http://krypted.com/mac-os-x/using-openssl-to-test-connectivity If you want to see more on openssl, check this one out too: http://krypted.com/unix/openssl-and-signatures

A hashing function is used to calculate a hash value. If you feed a file into a hashing function, it should produce a value that is almost certain to be unique (there’s always the remote likelihood that, no matter how good your function, you may end up with a duplicate). The openssl command is used to access a number of functions/ciphers including sha1, base64, md5, rc4/rc5 and of course des/des3. It is a very simple command to use: simply provide the cipher, followed by the path to the file you would like to get a hash value (aka digest) for. So if I have a file called myfile.txt and I would like to get a digest for it, I could just use the following command:

openssl md5 myfile.txt

At its most basic level, we’re just leveraging openssl to grab digests quickly and easily.

When you’re testing connectivity to servers and you’re using SSL on those servers, your traditional ways of testing connectivity may need a little augmentation. For starters, you’re going to use openssl to test connections. For example, if you have a web server you might traditionally attempt to telnet into port 80 and check your banners; however, if you have an SSL certificate on it then you might be better served connecting to port 443 using the openssl command. In the following example we’ll tell openssl to be a generic client (s_client) and connect (-connect) to krypted.com over port 443:
openssl s_client -connect krypted.com:443
The output would then look similar to the following:
CONNECTED(00000003) depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://CERTAUTHORITY.com//
We could test SMTP the same way, whether you’re using port 25 and requiring a certificate or another port. To test with port 25, assuming we can use a generic client again, we’re going to change the port number and, because SSL can work with SMTP directly, we’re going to use STARTTLS to do so:
openssl s_client -connect www.krypted.com:25 -starttls smtp
A valid connection would result in similar output to the following:
CONNECTED(00000003) depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://MYCERTAUTHORITY.com//emailAddress=krypted@mac.com
You could also start a new SSL listener using s_server, or just test the connection timer using s_time. Overall, openssl is a pretty invaluable toolkit that we’ll probably look at more and more on this site.
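The two s_client runs above are fine by hand, but the lines worth reading in that wall of output are the “Verify return code” and the certificate’s expiry. The following script, which is an added example and not code from the original post, wraps the same s_client calls into a repeatable check: it runs s_client (with -servername for SNI, and -starttls for the SMTP case exactly as above), reports whether OpenSSL verified the chain, and pulls the leaf certificate out of the session to ask openssl x509 -checkend whether it expires within MIN_DAYS. The function names and the 30-day default are my choices.

```shell
#!/bin/sh
# Added example, not code from the original post: turns the manual
# `openssl s_client` check into a repeatable endpoint test that reports
# whether OpenSSL verified the certificate chain and whether the leaf
# certificate expires within MIN_DAYS. The function names and the MIN_DAYS
# default are my choices; -servername (SNI) and -starttls are standard
# s_client options, the latter shown in the post's port-25 SMTP test.

MIN_DAYS="${MIN_DAYS:-30}"

# Run s_client against $1:$2, using STARTTLS for protocol $3 when given
# (e.g. smtp). stdin is /dev/null so the session closes instead of hanging.
s_client_output() {
    if [ -n "$3" ]; then
        set -- -connect "$1:$2" -servername "$1" -starttls "$3"
    else
        set -- -connect "$1:$2" -servername "$1"
    fi
    openssl s_client "$@" </dev/null 2>/dev/null
}

# Read saved s_client output on stdin; succeed only if the chain verified.
# Self-signed or untrusted chains report a non-zero "Verify return code".
chain_verified() {
    grep -q 'Verify return code: 0 (ok)'
}

# Print the first PEM block in s_client output on stdin (the leaf certificate).
leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 } p { print } /-----END CERTIFICATE-----/ { exit }'
}

# Succeed if the PEM certificate on stdin is still valid $1 days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# Check one endpoint and print a two-line report; exit 1 if either check fails.
check_endpoint() {
    session=$(s_client_output "$1" "$2" "$3")
    rc=0
    if printf '%s\n' "$session" | chain_verified; then
        echo "VERIFY ok     $1:$2"
    else
        echo "VERIFY FAILED $1:$2"; rc=1
    fi
    if printf '%s\n' "$session" | leaf_cert | cert_valid_for_days "$MIN_DAYS"; then
        echo "EXPIRY ok     $1:$2 (valid for at least $MIN_DAYS days)"
    else
        echo "EXPIRY SOON   $1:$2 (expires within $MIN_DAYS days, or no certificate received)"; rc=1
    fi
    return "$rc"
}

# The post's two manual checks, as calls (run by hand; nothing runs on load):
#   check_endpoint krypted.com 443
#   check_endpoint www.krypted.com 25 smtp
```

Because chain_verified and leaf_cert read from stdin, you can also point them at s_client output you saved earlier, which is handy when comparing what a server presented before and after a certificate swap.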

A checksum can be used to determine if a file has been tampered with at a later date. To run a checksum, use the following command:
openssl dgst -HASHTYPE path_to_file
HASHTYPE would then be md2, md4, md5, mdc2, rmd160, sha or sha1.  Let’s go ahead and do a checksum of our smb.conf file:
openssl dgst -md5 /var/db/smb.conf
You should then see output similar to the following:
MD5(/var/db/smb.conf)= e4b58a63c6682b298aeca3ad40734c1e
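A single digest only tells you something if you kept the earlier value to compare against. The script below, an added example rather than code from the original post, does that bookkeeping with openssl dgst: it records a digest for every file under a directory into a manifest, and a later run reports which files were modified, which went missing and which are new. It uses -sha256 instead of the -md5 shown above (openssl dgst takes either); the “hex  path” manifest layout and the function names are my choices.

```shell
#!/bin/sh
# Added example, not code from the original post: a digest manifest built
# with `openssl dgst -sha256`, so a later run can show exactly which files
# changed. The "hex  path" manifest layout and function names are mine.

# Print "<hex digest>  <path>" for one file.
digest_file() {
    # openssl prints "SHA256(path)= hex"; keep only the last field (the hex).
    hex=$(openssl dgst -sha256 "$1" | awk '{ print $NF }')
    printf '%s  %s\n' "$hex" "$1"
}

# Record digests of every regular file under directory $1 into manifest $2.
create_manifest() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        digest_file "$f"
    done > "$2"
}

# Re-digest every file named in manifest $1. Prints one line per problem
# (MODIFIED or MISSING) and returns 1 if anything changed, 0 if all match.
verify_manifest() {
    status=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
        elif [ "$(digest_file "$path" | awk '{ print $1 }')" != "$expected" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$1"
    return "$status"
}

# List files under $1 that manifest $2 does not know about (added since).
# A sha256 hex digest is 64 characters, so the path starts at column 67.
new_files_since() {
    known=$(mktemp)
    awk '{ print substr($0, 67) }' "$2" | LC_ALL=C sort > "$known"
    find "$1" -type f | LC_ALL=C sort | comm -13 "$known" -
    rm -f "$known"
}

# Typical use (paths are examples):
#   create_manifest /etc/openldap /var/root/openldap.manifest
#   ... later ...
#   verify_manifest /var/root/openldap.manifest
#   new_files_since /etc/openldap /var/root/openldap.manifest
```

Store the manifest somewhere the files it describes cannot reach (a different host, or at least a root-only directory); a manifest sitting next to the files it covers can be rewritten along with them.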