9 Replies Latest reply: Jul 11, 2013 5:24 AM by Chuck Gentry
Erich Wetzel Level 2 (315 points)

Open Directory Master with 1 replica, both on 10.6.7 server on Mac Pros.


I cannot get an archive created.  I did the usual Server Admin > appropriate server > Open Directory > Archive > Choose location for archive to be saved > Name archive and create.


I am not getting a datafile created after Server Admin indicates the process is finished.


I have rebooted.  I have changed to a variety of locations for placement of the archive.  I have used Server Admin on the server itself.  I have used Server Admin on a remote client.  I have decommissioned the replica and tried Server Admin both on and off of the server itself.  All attempts resulted in no change and no database archive file.


We have some new users and our database is getting away from the last backup we made.  I am assuming some type of corruption.  I cannot find anything relevant in the logs but I bet I am looking in the wrong place.




Thanks - Erich

Mac Pro, Mac OS X (10.6.7)
  • Erich Wetzel Level 2 (315 points)

    Any ideas?  I am hoping not to have to redo the entire directory from scratch.

  • Erich Wetzel Level 2 (315 points)

    Found a log item in Open Directory > Configuration Log saying:

    Error: Unable to create archive image as keychain could not be read



    Will try to reset passwords in keychains on the server itself and try again.

  • Erich Wetzel Level 2 (315 points)

    No luck with playing around in the system and admin user keychains.  Anyone have any idea what keychain the system might be having trouble with during the Archive process and how I might go about fixing it?

  • Antonio Rocco Level 6 (10,400 points)



    In my experience - and opinion - the archiving tools available in Server Admin don't work. Even if you managed to actually save an archive and wanted to restore from it you'll either find it won't restore properly or, if it does, the database will be mangled. This has been the case since 10.6 and up to 10.6.5. I've not tried it since because it became clear it was a waste of time. Seeing as you're at 10.6.7 it does not look like Apple have made any real efforts at fixing this 'feature' - that worked perfectly well in previous versions - yet.


    Who knows perhaps in 10.7 this facility might start working again? I would not hold your breath though.


    In my experience exporting relevant files using the command line has been the most reliable.


    The most reliable way I've found of 'backing' up LDAP data, using the Interface, is via WorkGroup Manager's Export feature. I don't mind losing the ability to export passwords as I can export and re-import those using the command line or not depending on what I want to achieve.


    As ever YMMV.





  • Erich Wetzel Level 2 (315 points)



    Thanks for looking at this.


    I have had Server Admin actually do pretty well with all of this in the past.  I believe that the problem started when I moved the server to another IP.  I assume I did the damage then.  I have been able to get users in and out using export; I'd like to avoid losing the passwords.


    We have less than 20 users but I would still like to avoid the work of manually recreating the entire database from scratch.


    Clearly I'd like to do what Server Admin did automatically, save users, groups, computers, passwords, sharing privileges, and user and computer preferences.


    I have always depended on Server Admin.  My Unix is modest at best.  Do you have suggestions or know of a tutorial somewhere?



  • Antonio Rocco Level 6 (10,400 points)

    Hi Erich


    Changing the IP address or Hostname on a mature OD Master is always going to have repercussions one way or another. Especially if you've archived the Database first, made the change and then restored it again. There is no easy and quick way of knowing how many references to the old IP address or hostname you need to change before restoring the database. I tried it once, it took ages and I would have spent less time in getting the Server operational again if I'd rebuilt from scratch. By that I mean reformatting, reinstalling and keying in all the Users etc again. However YMMV?


    I've learnt over the years to not depend too much on Server Admin for anything! It has to be one of the flakiest applications Apple have ever offered, although - to be fair - it has improved a little recently.


    Is 20 Users all you have? I've not bothered with passwords for databases containing hundreds of Users. A Password Policy prompting users to change their passwords at next login achieves a reliable result IMO. However it's your Server and you do what you feel is best.


    Apart from the Passwords, all of the database that is of any use is preserved when exporting from WorkGroup Manager. If you want to go down the command line, AFP548.com had an article that worked (I used to use it years ago) that went through how to export passwords using relevant command line tools. They may still have it available if you care to look?





  • Erich Wetzel Level 2 (315 points)


    That helps thanks.  I know 20 users is no big deal, but I do the IT work here after my full time job is finished so it can be a real challenge to find the time to get these things done properly.



  • Erich Wetzel Level 2 (315 points)

    The correction for this problem is simple and can be found in a link posted by Dave_Tech in this discussion https://discussions.apple.com/message/16013583#16013583


    The solution in the linked page solved this problem for me.

  • Chuck Gentry Level 1 (0 points)

    Hi, I know this is an old thread but I feel the need to update for anyone else unfortunate enough to waste their time with such a silly error.


    The above hints to fix the issue are correct but the entry that needs to be changed in Keychain Access is different for 10.7+. What you want to make sure is correct is the entry "/LDAPv3/" not com.apple.opendirectory as this isn't created in 10.7 on.


    Hope this saves someone's time if they stumble upon this!