Every now and then I see an Open Directory database that’s gotten corrupt for one reason or another. To be more specific, while I see Kerberos get wonky and password server issues from time to time, every now and then I see the actual LDAP database throw errors like this one, when checked with slapd:
/usr/libexec/slapd -Tt
Corruption usually looks a little something like this:
51890ba0 ldif_read_file: checksum error on "/var/db/openldap/openldap-data/cn.bdb"
51890ba0 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
If the bdb (Berkeley Database) files can’t be read in properly then you can do a sanity check with slaptest to see if there are other issues as well:
slaptest -f /private/etc/openldap/slapd.conf -v
Provided that your problems are with the bdb files and not ldif files, which can easily be grabbed from another OD box, you can then recover the database using db_recover, along with the -h option to define the directory your bdb files reside in (/var/db/openldap/openldap-data in OS X Server):
db_recover -h /var/db/openldap/openldap-data/
Note, always backup. If errors continue then you can also run with a -c option, which performs a “catastrophic” recovery. Also, before you do a db_recover OD will need to be stopped. Chances are, if you have corruption then the database will be stopped; however, check first:
serveradmin fullstatus dirserv
If it’s running, stop it:
serveradmin stop dirserv
Once you’re done, there’s no longer the need to reboot each time you do this kind of thing, which is actually a huge time saver, so just swap the stop with start and you’re good:
serveradmin start dirserv
