
After upgrade open directory fails to load and server only has local users

I have a server v5.0.4 running on Yosemite and lost all my users after upgrading from the previous version. Open Directory does not stay up. I have fixed the DNS issues that might have caused this (made sure all the pointers and hosts were correct on that end) but still no luck.


I have a backup of the pre-upgrade config offsite and a Time Machine backup.


Here is the system error log:

Sep 26 13:49:03 com.apple.xpc.launchd[1] (org.openldap.slapd[10484]): Service exited with abnormal code: 1

Sep 26 13:49:03 com.apple.xpc.launchd[1] (org.openldap.slapd): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

Sep 26 13:49:08 xscertd-helper[10491]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting

Sep 26 13:49:08 com.apple.xpc.launchd[1] (com.apple.xscertd-helper[10491]): Service exited with abnormal code: 1

Sep 26 13:49:08 com.apple.xpc.launchd[1] (com.apple.xscertd-helper): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

Sep 26 13:49:13 slapd[10494]: unable to open LA file: /usr/lib/sasl2/openldap//libcrammd5.la

Sep 26 13:49:14 com.apple.xpc.launchd[1] (org.openldap.slapd[10494]): Service exited with abnormal code: 1

Sep 26 13:49:14 com.apple.xpc.launchd[1] (org.openldap.slapd): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

Sep 26 13:49:18 xscertd-helper[10498]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting

Sep 26 13:49:18 com.apple.xpc.launchd[1] (com.apple.xscertd-helper[10498]): Service exited with abnormal code: 1

Sep 26 13:49:18 com.apple.xpc.launchd[1] (com.apple.xscertd-helper): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

Sep 26 13:49:22 configd[70]: inet_set_autoaddr(en1, 1) failed, Resource busy (16)

Sep 26 13:49:24 slapd[10503]: unable to open LA file: /usr/lib/sasl2/openldap//libcrammd5.la

Sep 26 13:49:24 com.apple.xpc.launchd[1] (org.openldap.slapd[10503]): Service exited with abnormal code: 1

Sep 26 13:49:24 com.apple.xpc.launchd[1] (org.openldap.slapd): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

Sep 26 13:49:28 xscertd-helper[10507]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting

Sep 26 13:49:28 com.apple.xpc.launchd[1] (com.apple.xscertd-helper[10507]): Service exited with abnormal code: 1

Sep 26 13:49:28 com.apple.xpc.launchd[1] (com.apple.xscertd-helper): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

Sep 26 13:49:34 slapd[10531]: unable to open LA file: /usr/lib/sasl2/openldap//libcrammd5.la

Sep 26 13:49:35 com.apple.xpc.launchd[1] (org.openldap.slapd[10531]): Service exited with abnormal code: 1

Sep 26 13:49:35 com.apple.xpc.launchd[1] (org.openldap.slapd): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

Sep 26 13:49:35 collabd[10506]: [main.m:322 71e44300 +1ms] Configured to exit after about 360 seconds idle

Sep 26 13:49:37 certadmin[10543]: Connected to the Notify Service

Sep 26 13:49:37 servermgr_certs[442]: validating connection from 0 : 100000

Sep 26 13:49:37 certadmin[10545]: Connected to the Notify Service

Sep 26 13:49:37 servermgr_certs[442]: validating connection from 0 : 100000

Sep 26 13:49:38 sandboxd[333] ([302]): clamd(302) deny file-write-create /Library/Logs/Mail/clamav.log-20150926_134938

Sep 26 13:49:39 xscertd-helper[10567]: ldap_search_ext_s returned -1 - Can't contact LDAP server when searching for bdb suffix, exiting

Sep 26 13:49:39 com.apple.xpc.launchd[1] (com.apple.xscertd-helper[10567]): Service exited with abnormal code: 1

Sep 26 13:49:39 com.apple.xpc.launchd[1] (com.apple.xscertd-helper): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

Sep 26 13:49:45 slapd[10577]: unable to open LA file: /usr/lib/sasl2/openldap//libcrammd5.la

Sep 26 13:49:46 com.apple.xpc.launchd[1] (org.openldap.slapd[10577]): Service exited with abnormal code: 1

Sep 26 13:49:46 com.apple.xpc.launchd[1] (org.openldap.slapd): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

Sep 26 13:49:46 servermgr_accounts[10429]: -[AccountsRequestHandler(AccountsOpenDirectoryHelpers) openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error Domain=com.apple.OpenDirectory Code=2100 "Connection failed to node '/LDAPv3/127.0.0.1'" UserInfo=0x7fd069701710 {NSLocalizedDescription=Connection failed to node '/LDAPv3/127.0.0.1', NSLocalizedFailureReason=Connection failed to the directory server.}

Mac mini, OS X Yosemite (10.10.5), Server v5.0.4

Posted on Sep 26, 2015 1:59 PM


Sep 27, 2015 10:07 AM in response to eisenmanj

I have successfully repaired the permissions on the drive. The system log is still very similar, but I have additional info in the ldap.log.

System.log:

Sep 27 08:24:27 slapd[75445]: unable to open LA file: /usr/lib/sasl2/openldap//libcrammd5.la


LDAP.log

Sep 27 09:57:10 slapd[2676]: bdb(cn=authdata): the log files from a database environment

Sep 27 09:57:10 slapd[2676]: bdb(cn=authdata): /var/db/openldap/authdata/id2entry.bdb: unexpected file type or format

Sep 27 09:57:10 slapd[2676]: bdb_db_open: database "cn=authdata": db_open(/var/db/openldap/authdata/id2entry.bdb) failed: Invalid argument (22).

Sep 27 09:57:10 slapd[2676]: backend_startup_one (type=bdb, suffix="cn=authdata"): bi_db_open failed! (22)

Sep 27 09:57:10 slapd[2676]: bdb_db_close: database "cn=authdata": alock_close failed

Sep 27 09:57:10 slapd[2676]: slapd stopped.

Sep 27 09:57:20 slapd[2679]: @(#) $OpenLDAP: slapd 2.4.28 (Feb 24 2015 21:45:59) $


root@osx202.apple.com:/BinaryCache/OpenLDAP/OpenLDAP-499.32.4~1/Objects/servers/slapd

Sep 27 09:57:20 slapd[2679]: daemon: SLAP_SOCK_INIT: dtblsize=8192

Sep 27 09:57:20 slapd[2679]: TLS: OPENDIRECTORY_SSL_IDENTITY identity preference overrode configured olcTLSIdentity "APPLE:"

Sep 27 09:57:20 slapd[2679]: slap_add_listener: opened additional listener 'ldaps:///'

Sep 27 09:57:20 slapd[2679]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable

Sep 27 09:57:20 slapd[2679]: bdb(cn=authdata): file id2entry.bdb has LSN 2818/2185797, past end of log at 2818/829213

Sep 27 09:57:20 slapd[2679]: bdb(cn=authdata): Commonly caused by moving a database from one database environment

Sep 27 09:57:20 slapd[2679]: bdb(cn=authdata): to another without clearing the database LSNs, or by removing all of

Sep 27 09:57:20 slapd[2679]: bdb(cn=authdata): the log files from a database environment

Sep 27 09:57:20 slapd[2679]: bdb(cn=authdata): /var/db/openldap/authdata/id2entry.bdb: unexpected file type or format

Sep 27 09:57:20 slapd[2679]: bdb_db_open: database "cn=authdata": db_open(/var/db/openldap/authdata/id2entry.bdb) failed: Invalid argument (22).

Sep 27 09:57:21 slapd[2679]: backend_startup_one (type=bdb, suffix="cn=authdata"): bi_db_open failed! (22)

Sep 27 09:57:21 slapd[2679]: bdb_db_close: database "cn=authdata": alock_close failed

Sep 27 09:57:21 slapd[2679]: slapd stopped.

Still unable to retrieve users, but with OD down, clients are locally resolving from cache until I update the OS (I suspect).
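
The log patterns quoted above, worked through as an added example that is not part of any post in this thread: a small triage script that separates the launchd crash loop from its cause, the Berkeley DB LSN mismatch that stops the `cn=authdata` backend from opening. The function names and the `loop_threshold` parameter are assumptions made for the example; the sample lines are taken from the excerpts in the thread.

```python
import re
from collections import Counter

# Constructed sample: lines taken from the system.log and LDAP.log excerpts in the thread.
SAMPLE_LOG = """\
Sep 26 13:49:03 com.apple.xpc.launchd[1] (org.openldap.slapd[10484]): Service exited with abnormal code: 1
Sep 26 13:49:03 com.apple.xpc.launchd[1] (org.openldap.slapd): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Sep 26 13:49:08 com.apple.xpc.launchd[1] (com.apple.xscertd-helper): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Sep 26 13:49:14 com.apple.xpc.launchd[1] (org.openldap.slapd): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Sep 27 09:57:20 slapd[2679]: bdb(cn=authdata): file id2entry.bdb has LSN 2818/2185797, past end of log at 2818/829213
Sep 27 09:57:20 slapd[2679]: bdb_db_open: database "cn=authdata": db_open(/var/db/openldap/authdata/id2entry.bdb) failed: Invalid argument (22).
Sep 27 09:57:21 slapd[2679]: backend_startup_one (type=bdb, suffix="cn=authdata"): bi_db_open failed! (22)
Sep 27 09:57:21 slapd[2679]: slapd stopped.
"""

RESPAWN = re.compile(r"\((?P<svc>[\w.-]+)\): Service only ran for (?P<secs>\d+) seconds")
LSN = re.compile(r"bdb\((?P<suffix>[^)]+)\): file (?P<file>\S+) has LSN "
                 r"(?P<lsn>\d+/\d+), past end of log at (?P<end>\d+/\d+)")
OPEN_FAIL = re.compile(r'backend_startup_one \(type=(?P<type>\w+), '
                       r'suffix="(?P<suffix>[^"]+)"\): bi_db_open failed')


def _lsn(text):
    """Turn 'file/offset' into a comparable (file, offset) tuple."""
    log_file, offset = text.split("/")
    return int(log_file), int(offset)


def triage(log_text, loop_threshold=2):
    """Summarise why the directory service is down from syslog-style text."""
    respawns, lsn_gaps, failed = Counter(), [], set()
    for line in log_text.splitlines():
        if m := RESPAWN.search(line):
            if int(m["secs"]) == 0:  # died immediately: counts toward a crash loop
                respawns[m["svc"]] += 1
        elif m := LSN.search(line):
            # Data file references a log position the environment's logs never reached.
            if _lsn(m["lsn"]) > _lsn(m["end"]):
                lsn_gaps.append((m["suffix"], m["file"], m["lsn"], m["end"]))
        elif m := OPEN_FAIL.search(line):
            failed.add((m["type"], m["suffix"]))
    return {
        "crash_loops": sorted(s for s, n in respawns.items() if n >= loop_threshold),
        "lsn_gaps": lsn_gaps,
        "failed_backends": sorted(failed),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
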

Sep 27, 2015 10:38 AM in response to eisenmanj

I misunderstood - I thought you meant you updated to OS X 10.10.5 from an earlier version... Anyway, I've done some checking and /usr/lib/sasl2/openldap//libcrammd5.la seems to be an obsolete library that is missing on my servers, which are running fine. My guess is it contained some last resort function that shouldn't normally be needed.


I have never had much luck restoring Open Directory on OS X server once it's become corrupt. These days I don't usually even bother trying; I keep good backups and export users so that a nuke and pave solution is a relatively quick and easy job. This thread:


Re: Mac OS Server Open Directory Will Not Turn On


has instructions and discussion if you haven't been down this path before.


If you can afford to wait a day or two, someone with stronger OD-fu than me may happen by and have some suggestions.


C.

Oct 4, 2015 11:07 AM in response to eisenmanj

I've never used 'crashplan' but straightforward copying of files is not a reliable way to back up a live OD database.


If you have only got a few users and know what UID/GIDs you want them to end up with then you can create them manually. I'd start by switching off OD, making sure my backups were sound, rebooting in recovery mode and using Disk Utility to verify/repair the disk. Then reboot and nuke OD to start from scratch. Use


Server.app > Accounts > Users


to create your users and then ctrl+mouseDown (i.e. 'right-click') on each user and select 'Advanced Options...' from the contextual menu. This will allow you to set the UID. (I'd leave the GID for now.) Then


Server.app > Accounts > Groups


to create the groups and again ctrl+mouseDown to set the GID number.


Assign the users to their groups or vice versa.


Finally, do some serious Googling and learn how to back up OD in a manner that actually allows you to restore it. 🙂


C.


P.S. migrating user accounts to new UIDs on the clients is not the straightforward process you might hope/imagine. Avoid. It'll be much easier to get the UID/GIDs right on the server.

Sep 28, 2015 8:24 PM in response to cdhw

Right now I can't even get OD to come up. Is there a way to get the UID and GID from the command line? I.e., on the client, is the UID and GID in the ls the same as in OD?


On the second note: how to blow away the messed-up OD and recreate it once I get the UID and GID of my admin users? (I.e., it would be nice to get my other users back; it would really suck recreating my user data from backup.)

Oct 4, 2015 11:18 AM in response to eisenmanj

So, an update. I started down the path suggested in the thread: repairing permissions and following the thread from cdhw to repair Open Directory. Well, I ran out of time before deleting OD and starting over, but that was a good thing. After a few reboots and letting the server sit for a week in a bad state, OD decided to come back online with all the users intact. I will have to figure out a way to export my OD every week so I can just blow it away and start from a good backup. Anyone have suggestions on that? The



cdhw. Thanks for the help.

Oct 5, 2015 7:24 AM in response to eisenmanj

Yes it does, should be 14 days before old backups get deleted, so it does not fill up your drive with 10 MB of data every single day... 🙂


No coding required except the backup time; install it, get that folder in a backup schedule and you are good to go!

There is no documentation, but eh, it just works in this case.

Good luck


Jeffrey
