
Changing LDAP Search Base After Updating DNS

After initial setup, I needed to update my DNS domain and server name to prepare for a cutover to our pre-existing domain that is currently remote hosted. So I converted from myserver.private to myserver.mydomain.com. After running changeip to get the server and DNS names fixed, and redoing the Open Directory master setup so that Kerberos now uses the correct Realm (MYSERVER.MYDOMAIN.COM), everything seems to be fine EXCEPT that the LDAP Search Base is still "dc=myserver, dc=private". I have searched all over for an answer on how to change the LDAP Search Base and all I find are other people with my exact same issue.

Does anyone know how to update the LDAP Search Base when you update the DNS domain?

Thanks in advance!

MacBook, Mac Mini with Snow Leopard Server, Mac OS X (10.6.2)

Posted on Mar 27, 2010 8:13 PM

10 replies

Apr 4, 2010 8:51 AM in response to MorrisZwick

A call to Apple support helped solve this problem, especially to deal with a typo in the Apple Snow Leopard Server documentation:

1. Export all of your users, groups, etc. to files. Passwords will be reset but everything else will work.

2. In OD, change the server to be "stand alone" (basically turning off OD).

3. From the command line run the following command, noting that you literally put the string "HostName" in the position specified, not the old host name specified in the documentation:

sudo scutil --set HostName <fully qualified domain name>

4. Reboot

5. Restart Server Admin and recreate the OD master using the fully qualified name.

6. Go to Keychain and look for the entries for system -> com.apple.opendirectory. One should point to your server and one should be blank. Delete the blank entry.

Done!
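As an added illustration (not part of this thread and not one of Apple's tools): a POSIX shell check that derives the search base Open Directory builds from a fully qualified host name, following the convention the thread shows (myserver.private becoming "dc=myserver, dc=private"), and compares it with the search base a server currently reports. The helper names and the sample values are assumptions constructed for the example; on a real server the host name would come from `scutil --get HostName` and the current search base from Server Admin.

```shell
#!/bin/sh
# Added example, not from the thread: check that an Open Directory search base
# still matches the server's fully qualified host name after a rename.
# Function names and the sample values below are constructed for illustration.

# Convert "myserver.mydomain.com" into "dc=myserver,dc=mydomain,dc=com".
fqdn_to_search_base() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s' "$fqdn" | awk -F. '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "") continue
            out = out (out == "" ? "" : ",") "dc=" $i
        }
        print out
    }'
}

# Normalise a search base by lowercasing and dropping spaces around commas,
# so "dc=myserver, dc=private" and "dc=myserver,dc=private" compare equal.
normalize_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# Return 0 when the configured search base matches the host name, 1 otherwise.
search_base_matches() {
    expected=$(fqdn_to_search_base "$1")
    actual=$(normalize_dn "$2")
    [ "$expected" = "$actual" ]
}

# Stand-alone demonstration with constructed values mirroring the thread:
# the host was renamed, but the directory still carries the old search base.
demo_host="myserver.mydomain.com"
demo_search_base="dc=myserver, dc=private"
if search_base_matches "$demo_host" "$demo_search_base"; then
    echo "search base matches $demo_host"
else
    echo "MISMATCH: $demo_host expects $(fqdn_to_search_base "$demo_host"), directory has $(normalize_dn "$demo_search_base")"
fi
```

Run it after changeip and before re-promoting the OD master: a mismatch is the symptom the original poster describes, and the same check passes once the master has been recreated under the new fully qualified name.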

May 27, 2010 9:32 AM in response to Corbywan

Blessed are the pessimists, for they hath made backups.

Yesterday, I accidentally deleted a group. Don't ever do that. Can't be undone, and the permissions on the sharepoints have to be re-built because the group name in the access control list is gone.

If you delete users but still have groups and group permissions, you can re-populate the group with new users and the group permissions in the ACL are fine.

Learned that the hard way. 🙂

Jun 30, 2010 5:27 AM in response to James Nennemann

James

The problem with restoring an Archived LDAP Database is you'll be restoring the previous Domain/Realm with all references to it into a different Domain/Realm. I'm not saying this won't work but if you do you'll in all likelihood introduce potentially major problems.

FWIW restoring a damaged/corrupted LDAP Database is not a good idea either.

Tony

Jun 30, 2010 6:30 AM in response to Antonio Rocco

I have to say if that is the case then it is really f@#$ up. I have run every version of OS X Server since version 1 and the server OS has always seemed a little unfinished with too much margin for error... very un-apple like. They kind of treat it like the red headed stepchild.

I am going to image the SSD before I try so that I can still regress if need be. I will be giving it a shot in about 4 hours and I will try to remember to come back here and report progress.

Jun 30, 2010 7:10 AM in response to James Nennemann

Hi James

I'm not sure I entirely agree with you, but you do have a point. However, making a backup of the server, either as a cloned .dmg or on a bootable external drive, is regarded generally by Apple as "Best Practice". This has been known for some time, as of course you already knew. I make this point because a lot of posters on these boards fail to realise this and invariably end up posting because of some problem they've had after running a major update. It comes as a shock to some of them when they realise there's no 'rollback' or 'undo' as there is in Windows.

Tony

Jun 30, 2010 7:54 PM in response to Antonio Rocco

Yes... I had to export users, groups, computers and computer groups, demote to stand-alone, re-promote, then reimport users, groups, computers and computer groups, losing passwords for the 300+ users. *****, but such is life.

Thanks for the input, Tony; you were right on. BTW - Archive and Restore worked just fine in 10.6. I performed that operation two or three times as I experimented. The only problem was that it brought over EVERYTHING, including the LDAP search base.

****... if Snow Leopard was perfect, who would want to buy 10.7, right? (;-)
