Israel Brewster

Q: Restore users and passwords in OD?

Is there a way to back up and restore just the users and passwords for an Open Directory setup? I'm having the issue described in a couple of other threads where I cannot add a replica to my OD setup (running Lion 10.7.4). The "solution" posted in every case I can find is to blow away the directory master and set it up again from scratch. Of course, in any real-world setup this is not an option. Aside from the sheer number of users to deal with setting up again (no, I am not going to force them all to change their passwords), there is the whole issue of getting new GUIDs, which would (presumably) break the link to their mail stores. Doing an archive and restore doesn't fix the issue, aside from also restoring some things that I want to be different from the current setup, such as the Kerberos domain (the hostname of the machine has changed since we first set up the system); apparently whatever is causing the problem is restored from the archive. If there was a way to just back up and restore the user accounts (with GUID) and passwords, then I could set up as a new OD master from scratch without issue. Is this possible?

Posted on Jun 7, 2012 7:50 AM


  • by lylehm, Jun 7, 2012 2:12 PM in response to Israel Brewster
    Level 1 (0 points)

    Hello Israel,

    I can't comment on the cause of your inability to add a replica. Going on the assumption that demoting/promoting your master is the solution, I can offer a possible solution for you. I've used this method to repair problems on a 10.6.x OD master and to clone my OD database to a 10.7.x test server (with a different IP and host name).

    I'm going to just copy/paste this from my internal KB article, so there's going to be some references to our Kerio Connect server - you can just ignore those steps. I highly recommend you read the man pages for slapconfig - especially the portions on -mergedb and -kerberize. If you choose to try this, PLEASE PLEASE back up everything and operate on the assumption that I don't know anything about Open Directory.

    Constructive feedback is absolutely welcome.

    -------------

    This article was written for Mac OS X 10.6.x Server, but should work similarly with other versions (10.5-10.7). We're assuming here that your REALM is NOT changing.

    WARNING: All resources using Open Directory for authentication may be affected.

    Make sure to test bound servers, email, vpn, ssl-vpn, FileMaker, <more?>

    These steps will correct most odd behaviors in Open Directory: problems saving new or edited OD accounts; new accounts not creating proper password/Kerberos entries; deleting users, etc.

    Before starting, take screen shots of the existing Open Directory settings in Server Admin and CLONE all OD members. Also, make sure you have the latest Kerio OD Extensions installer handy.

    1. Check OD:Settings:General and note all listed replica servers.

    2. In Server Admin, go to each replica server OD:Settings:General and change role to stand alone (demote).

    3. Go to any Server Admin and archive Open Directory (OD). This backup will be merged back into the database later.

    4. (optional) From Server Admin, export service settings from the File menu.

    5. In Workgroup Manager, make note of the UIDs for any generic admin accounts (diradmin, etc).

    6. Take a deep breath.

    7. In Server Admin, for the master OD server, go to OD:Settings:General and change the role to stand alone (this will terminate all OD services and delete the directory).

    8. Using your screen shots, change the server's role back to OD master and restore all your settings. Make sure the diradmin account doesn't conflict with an existing account or UID.

    9. Install the Kerio OD extensions.

    10. In the terminal on the OD master, sudo slapconfig -mergedb (archive-path) - it's ok to simply drag the sparseimage file created in step 3 to the terminal to complete "archive-path"

    11. Use Workgroup Manager to clean up admin accounts (re-enable previous admins, delete unneeded admins).

    12. Test pw server and Kerberos (su user, Ticket Viewer app, kinit).

    13. In Workgroup Manager, delete user named _ldap_replicator (299). A new _ldap_replicator is created when restoring the replica servers.

    14. Promote replica servers in Server Admin.

    15. Test/restart/rebind OD member servers/services if needed.

    16. Add bdb equality and bdb substring candidates for Kerio schema if needed (see "slapd.log index_param failed notices" in this KB).

    ------------------

    Regards,

    Lyle Millander
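As an added example (mine, not part of lylehm's article and not anything Apple ships), here is a small shell check for the GUID concern behind the original question. Before step 7 and again after step 12 you would snapshot the user list with `dscl /LDAPv3/127.0.0.1 -list /Users GeneratedUID`; the record path and attribute name are the standard Open Directory ones, and whether the restore preserves the values is exactly what the check verifies rather than assumes. The two snapshots embedded below are constructed, with made-up GUIDs, so the check runs without a directory server.

```bash
#!/bin/sh
# Added example (not from the thread): confirm that GeneratedUIDs survived a
# demote/promote/merge cycle, since mail stores and home folders are tied to them.
#
# On a real OD master the snapshots would come from:
#   dscl /LDAPv3/127.0.0.1 -list /Users GeneratedUID > before.txt   # before step 7
#   dscl /LDAPv3/127.0.0.1 -list /Users GeneratedUID > after.txt    # after step 12
# Each line is "<record name> <GUID>", which is what compare_guids parses.

# compare_guids BEFORE AFTER
# Prints one line per missing or changed account; returns 0 only if there are none.
compare_guids() {
    before="$1"; after="$2"; problems=0
    while read -r name guid; do
        [ -n "$name" ] || continue
        case "$name" in _*) continue ;; esac   # system accounts (e.g. _ldap_replicator) are recreated on purpose
        new=$(awk -v n="$name" '$1 == n { print $2 }' "$after")
        if [ -z "$new" ]; then
            echo "MISSING  $name (absent after restore)"
            problems=$((problems + 1))
        elif [ "$new" != "$guid" ]; then
            echo "CHANGED  $name: $guid -> $new"
            problems=$((problems + 1))
        fi
    done < "$before"
    [ "$problems" -eq 0 ]
}

# Constructed sample snapshots; every GUID below is made up for this demo.
demo_before=$(mktemp); demo_after=$(mktemp)
cat > "$demo_before" <<'EOF'
alice             11111111-2222-3333-4444-555555555555
bob               66666666-7777-8888-9999-000000000000
carol             AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
_ldap_replicator  FFFFFFFF-0000-1111-2222-333333333333
EOF
cat > "$demo_after" <<'EOF'
alice             11111111-2222-3333-4444-555555555555
bob               DEADBEEF-7777-8888-9999-000000000000
_ldap_replicator  12345678-0000-1111-2222-333333333333
EOF

# In the sample, bob's GUID changed and carol is gone, so the check fails.
if compare_guids "$demo_before" "$demo_after"; then
    echo "GUIDs intact"
else
    echo "GUID check FAILED: do not point mail at this directory until fixed"
fi
rm -f "$demo_before" "$demo_after"
```

The skip for accounts starting with an underscore matches step 13 above, where _ldap_replicator is deliberately deleted and recreated; every other account is expected to come back with the same GUID it had before the master was demoted.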

  • by Israel Brewster, Jun 7, 2012 2:25 PM in response to lylehm
    Level 1 (21 points)
    Mac OS X

    Well, that sounds just about perfect. Unfortunately, it would appear the -mergedb command was removed from slapconfig in 10.7. At any rate, I can't find it in the 10.7 man page, and when I try running it on the command line (test machine, of course) it just spits the usage info back at me, which does not mention anything about a mergedb option.

  • by lylehm, Jun 7, 2012 3:07 PM in response to Israel Brewster
    Level 1 (0 points)

    EGAD! It is gone! That choice must have been part of Apple's 'new cruelty.'

    I went over my 10.7 test server setup notes. I indeed started with 10.6, did the -mergedb, then upgraded to 10.7 (after cloning to a single HD as the installer didn't work with mirrored drives). Now I have to research why -mergedb was removed and what is intended to be the alternative (like I have nothing else to do).

    More and more I'm leaning towards staying on 10.6 for our production servers. I dread the release of 10.8 as it will likely mean the end of support for 10.6.

    If I learn anything new, I'll post back.

  • by lylehm, Jun 8, 2012 7:30 AM in response to Israel Brewster
    Level 1 (0 points)

    I'm getting the impression for Lion that importing an archive with Server.app AFTER promoting to a master acts like a slapconfig -mergedb.

    I'm going to read through http://krypted.com/mac-os-x/upgrading-open-directory-from-snow-leopard-server-to-lion-server/ and then try a backup-demote-promote-restore on my Lion test server. I'll change some config options (other than IP and host name) to see if the restore overwrites those options (acting like an import vs a merge).

    Hopefully a glance at slapconfig.log may offer some clues too. That is, if Apple hasn't removed that too.

    I'll try to get to this before the weekend is out.

  • by fkick1, Jul 8, 2013 10:43 AM in response to lylehm
    Level 1 (73 points)
    Servers Enterprise

    Hi Lylehm,

    Did you ever figure out a way to merge open directories? I'm having issues with my Mountain Lion open directory (specifically the self-created OD certificates) and I've got over 200 users that I don't want to have to manually reset a password for. I'd like to create a new OD and then import the users and passwords (or merge them, rather, with the new OD), but using slapconfig -restoredb after creating a new OD just replaces the new OD, rather than merging the old and new.

    Thanks!

  • by lylehm, Jul 8, 2013 2:43 PM in response to fkick1
    Level 1 (0 points)

    Hi Fkick1,

    I never got the chance to try. We decided to stick with 10.6 for our directory servers for now. Fortunately, 10.7 and 10.8 seem to work fine being bound to 10.6 for our purposes. If I didn't have so many open projects right now I'd take another stab at this.

    I prefer to keep my OSes up to date for the latest security patches. However, Apple made so many (seemingly) enterprise-unfriendly changes in 10.7/10.8 that it felt a bit risky to upgrade the OD boxes.

    I'm hoping to squeeze in a 10.8 admin class this year - that is, if we're not forced to eliminate Apple from the server room. If I go, I'll add this question to my hit list.

    So, sorry I can't offer anything more at this time. If you get anywhere, please consider posting back.

    All the best,

    Lyle

  • by lylehm, Jul 25, 2013 6:33 AM in response to fkick1
    Level 1 (0 points)

    It'll be a while before I get to try this, but I wanted to share in case someone else has the time. From what I can tell, slapconfig -mergedb is really a trigger for a bunch of other commands. If you look at the slapconfig.log in /Library/Logs you'll see all the activity that follows a slapconfig -mergedb execution.

    Don't expect to be able to just enter the commands below and have it work. For instance /usr/sbin/kdb5_util doesn't exist after 10.6 as Apple is doing Kerberos differently now. This is likely why the -mergedb and -kerberize mods are no longer present. So, the big question is, are there any Kerberos tools in 10.7/10.8 that can provide similar functionality?

    The bigger question is, what's really the right way to accomplish a clean OD master with imported users that don't lose their passwords? I feel like I'm barking up the wrong tree here.

    From slapconfig.log (each leading "-" is a new line from the log file):

    - slapconfig -mergedb

    - command: /usr/bin/hdiutil attach /Volumes/Archives/odbu-2_071413.sparseimage -readonly

    - Disk name disk4

    - command: /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server SuspendServices -bool YES

    - command: /usr/libexec/samba/synchronize-preferences --force-sync

    - 1 Merging Kerberos database

    -   popen: cd /tmp/slapconfig_restore_stage1393rXXeM6;/usr/bin/tar xzpf /Volumes/ldap_bk/krb5backup.tar.gz, "r"

    - command: /usr/sbin/sso_util info -r /LDAPv3/127.0.0.1 -p

    - command: /usr/sbin/kdb5_util -r OD.MYCOMPANY.LAN dump -new_mkey_file /tmp/slapconfig_restore_stage1393rXXeM6/var/db/krb5kdc/.k5.OD.MYCOMPANY.LAN /tmp/slapconfig_restore_stage1393rXXeM6/kdb5backup.bak

    - Copied directory from /var/db/krb5kdc to /var/db/krb5kdc.pre-merge.

    - command: /bin/cp /tmp/slapconfig_restore_stage1393rXXeM6/var/db/krb5kdc/.k5.OD.MYCOMPANY.LAN /var/db/krb5kdc/

    - command: /usr/sbin/kdb5_util -r OD.MYCOMPANY.LAN load -update /tmp/slapconfig_restore_stage1393rXXeM6/kdb5dump.OD.MYCOMPANY.LAN.bak

    - Error: command failed with exit code 1: /usr/sbin/kdb5_util load /Volumes/ldap_bk/kdb5dump.OD.MYCOMPANY.LAN.bak

    - command: /usr/sbin/kdb5_util -r OD.MYCOMPANY.LAN load -update /tmp/slapconfig_restore_stage1393rXXeM6/kdb5backup.bak

    - 2 Merging Password Server data

    - command: /usr/sbin/mkpassdb -mergeparent /Volumes/ldap_bk/passwordserver_backup/ /Volumes/ldap_bk/id_omitfile

    - 3 Merging LDAP database

    - Stopping LDAP server (slapd)

    -   popen: /usr/sbin/slapadd -c -l /tmp/slapconfig_stage1393eJIK41/backup1393.ldif, "w"

    - Starting LDAP server (slapd)

    -   popen: cd /;/usr/bin/tar xzpf /Volumes/ldap_bk/sambabackup.tar.gz, "w"

    - Error: command failed with exit code 256: /usr/bin/tar xzpf /Volumes/ldap_bk/sambabackup.tar.gz

    - command: /bin/launchctl load /System/Library/LaunchDaemons/smbd.plist

    - command: /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server SuspendServices -bool NO

    - command: /usr/libexec/samba/synchronize-preferences --force-sync

    - Removed directory at path /tmp/slapconfig_restore_stage1393rXXeM6.

    - Removed directory at path /tmp/slapconfig_stage1393eJIK41.

    - command: /usr/bin/hdiutil detach disk4

    - Removed file at path /var/run/slapconfig.lock.
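As an added example (mine, not something from the thread or from Apple), here is a shell function that reads a slapconfig.log and reports which merge phase each "command failed" line fell in, so a restore whose Kerberos or Samba step failed is not mistaken for a clean one. The sample log is built from the lines quoted above with the list markers removed (those were added for the post, not written by slapconfig). The phase names are my own labels taken from the numbered "Merging ..." lines, and attributing the tar error to a "samba" step is inferred from the log's order, not from anything slapconfig states.

```bash
#!/bin/sh
# Added example (not from the thread): summarise a slapconfig -mergedb run from
# /Library/Logs/slapconfig.log. Phase labels are mine, keyed on the log's own
# "Merging ..." markers; the Samba tar step is labelled from its popen line.

# merge_report LOGFILE
# Prints "FAIL [phase] <command>" for every failed command plus a count;
# returns 0 only when no failures were logged.
merge_report() {
    log="$1"; phase="pre-merge"; failures=0
    while IFS= read -r line; do
        case "$line" in
            *"Merging Kerberos database"*)    phase="kerberos" ;;
            *"Merging Password Server data"*) phase="passwordserver" ;;
            *"Merging LDAP database"*)        phase="ldap" ;;
            *"popen: cd /;"*"tar xzpf"*)      phase="samba" ;;   # inferred from log order
            *"Error: command failed"*)
                failures=$((failures + 1))
                echo "FAIL [$phase] ${line##*: }" ;;   # text after the last ": " is the command
        esac
    done < "$log"
    echo "failures=$failures"
    [ "$failures" -eq 0 ]
}

# Sample log built from the lines quoted in the post (list markers removed).
sample=$(mktemp)
cat > "$sample" <<'EOF'
slapconfig -mergedb
1 Merging Kerberos database
command: /usr/sbin/kdb5_util -r OD.MYCOMPANY.LAN load -update /tmp/slapconfig_restore_stage1393rXXeM6/kdb5dump.OD.MYCOMPANY.LAN.bak
Error: command failed with exit code 1: /usr/sbin/kdb5_util load /Volumes/ldap_bk/kdb5dump.OD.MYCOMPANY.LAN.bak
2 Merging Password Server data
command: /usr/sbin/mkpassdb -mergeparent /Volumes/ldap_bk/passwordserver_backup/ /Volumes/ldap_bk/id_omitfile
3 Merging LDAP database
  popen: /usr/sbin/slapadd -c -l /tmp/slapconfig_stage1393eJIK41/backup1393.ldif, "w"
  popen: cd /;/usr/bin/tar xzpf /Volumes/ldap_bk/sambabackup.tar.gz, "w"
Error: command failed with exit code 256: /usr/bin/tar xzpf /Volumes/ldap_bk/sambabackup.tar.gz
EOF

# For the sample this reports one Kerberos failure and one Samba failure.
merge_report "$sample" || echo "merge had failures; verify Kerberos and Samba data before trusting this restore"
rm -f "$sample"
```

Run against the real file with `merge_report /Library/Logs/slapconfig.log` on the master after a merge; a non-zero exit is the cue to go back and test Kerberos (step 12) and file sharing before re-promoting replicas.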