People who have managed Open Directory and will be moving to Synology will note that directory services really aren’t nearly as complicated as we’ve made them out to be for years. This is because Apple was protecting us from doing silly things to break our implementations. It was also because Apple bundled a number of seemingly disparate technologies into LDAP. It’s worth mentioning that LDAP on a Synology is just LDAP. We’re not federating services, we’re not kerberizing services, we’re not augmenting schemas, etc. We can still leverage the directory service to provide attributes, though, and have that central phone book of user and group memberships we’ve come to depend on directory…
Export data from Open Directory for migrating users and groups
Before we have this conversation, I want to give you some bad news. Your passwords aren’t going to migrate. The good news is that you only do directory services migrations every decade or two. The better news is that I’m not actually sure you need a directory service in the traditional sense in which you’ve built directory services. With Apple’s Enterprise Connect and NoMAD, we no longer need to bind in order to get Kerberos functionality. With MCX long dead(ish), you’re now better off doing policies through configuration profiles. So where does that leave us? There are some options. On-prem Active Directory: I can set up Active Directory in about 10 minutes.…
Manage Groups in OS X Server 5
There are a number of ways to create groups in OS X Server 5, running on Yosemite or El Capitan. The first is using the Server app, the second is using Workgroup Manager (which requires a little work to get working in El Capitan), the third is using the Users & Groups System Preference pane and the fourth is using the command line. In this article we will look at creating groups in the Server app. Once a server has been promoted to an Open Directory Master, all user and group accounts created in the Server app will be in the Local Network Group. Before that, all user and group objects…
Demote Open Directory Servers In OS X Server 5 Using The Command Line
The command to create and tear down an Open Directory environment is slapconfig. When you disable Open Directory from the Server app you aren’t actually removing users. To do so, you’d use slapconfig along with the -destroyldapserver option. When run, you get a little insight into what’s happening behind the scenes. This results in the following: bash-3.2# slapconfig -destroyldapserver The logs are as follows: 2015-09-08 04:17:58 +0000 slapconfig -destroyldapserver 2015-09-08 04:17:58 +0000 Deleting Cert Authority related data 2015-09-08 04:17:58 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/Krypted Open Directory Certificate Authority. 2015-09-08 04:17:58 +0000 command: /usr/sbin/xscertadmin add --reason 5 --issuer Krypted Open Directory Certificate Authority --serial 3449505949 2015-09-08 04:18:19 +0000 command:…
Promote an Open Directory Master in OS X Server 5
Open Directory has never been so easy to set up for a basic environment as it is in OS X Server 5 (for OS X 10.11 El Capitan and OS X 10.10 Yosemite). It’s also never been so annoyingly simple that doing anything cool requires a bunch of command line foo. No offense to the developers, but this whole idea that the screens that were being continually refined for a decade just need to be thrown out and started fresh seems to have led to a few babies thrown out along with them. Not often, as I’m kinda’ digging most of the new config screens in OS X Server…
Directory Utility in Yosemite. I’m not Dead Yet… Mapping Attributes 101
The Directory Utility application has moved to /System/Library/CoreServices/Applications. Once open, you can use it to bind to directory services, change search policies and even dink around with NIS if you still rock the flannel with your ripped-up jeans. But the thing I tend to do in Directory Utility the most is look at user and group attributes. To do so, open Directory Utility and click on the Directory Editor tab. In the bar directly below, you’ll see Viewing and In Node. The Viewing option is the type of object you’re going to look at. The In Node option shows the directory domain you’re viewing. Below, we show the local users in…
Setting Up An Open Directory Replica In Yosemite Server
Previously, we looked at setting up an Open Directory Master in OS X Server. An Open Directory Replica keeps a copy of the Open Directory database available for users even when the Master goes offline. But it can also take a part of the load from the Open Directory Master and, when using the new Locales feature, balance network traffic. To get started with an Open Directory Replica, first enable SSH, which is now disabled by default. Next, use changeip to check the host name. While the Server app is cool, it caches stuff and I’ve seen it let things go that shouldn’t be let go. Therefore, in order to make…
Recovering Open Directory Databases
Every now and then I see an Open Directory database that’s gotten corrupt for one reason or another. To be more specific, while I see Kerberos get wonky and password server issues from time to time, every now and then I see the actual LDAP database throw errors like this one when checked with slapd: /usr/libexec/slapd -Tt Corruption usually looks a little something like this: 51890ba0 ldif_read_file: checksum error on "/var/db/openldap/openldap-data/cn.bdb" 51890ba0 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable config file testing succeeded If the bdb (Berkeley DB) files can’t be read in properly, then you can do a sanity check with slaptest to see if there are other…
Querying ldapsearch
Need to perform lookups on Open Directory from Linux? Need to determine a search base to use an LDAP plug-in for a third-party product with Active Directory? Determining the layout of a directory service can be important for a number of tasks. Most of these have to do with connecting systems of different platforms with one another. In OS X, there are a number of tools that will look up directory service information. Most are based on ldapsearch. Using ldapsearch, you can determine whether a search base is good, whether a directory service responds to a given request, and validate some assumptions you may have about an LDAP environment. Let’s…
Installing phpLDAPadmin
phpLDAPadmin is a tool that can be used to walk LDAP trees and view attributes of objects located within them using a web browser. This isn’t to say that it’s the prettiest tool out there, but it works really well and is portable between various flavors of LDAP. Before you can use phpLDAPadmin you will need Apache. In Ubuntu, Apache can be installed using apt-get: apt-get install apache2 Once you have Apache installed, downloading phpLDAPadmin and installing it in Ubuntu Server 10 couldn’t be easier; just apt-get the package: apt-get install phpldapadmin Now that you have the pieces, let’s copy phpLDAPadmin into your web root directory: cp -R /usr/share/phpldapadmin /var/www/myphpldapadmin In that…