Does Open Directory Archive/Restore or slapconfig backupdb/restoredb reconstruct the OD databases?

I am having an occasional issue where I can't do a network login because OD / Password Service complains:


-[AuthDBFile getPasswordRec:putItHere:unObfuscate:]: user with slot XXXXX not found. Result: -5 Timed out

pwsf_CopySearchBase: ldap_search_ext_s returned -5 Timed out

pwsf_isMember: searchbase not found


If I wait for anywhere from a few minutes to less than half an hour, it will resolve itself, or if I am impatient, I just toggle the Directory services off and then on. I have tried "db_recover" on both the "authdata" and "openldap-data" directories, but it doesn't seem to work. Also, slapd -Tt doesn't report any data corruption in the databases.


So I am thinking of doing an Open Directory Archive/Restore or slapconfig backupdb/restoredb on the OD databases. My question is: during the Restore phase, do the OD databases get reconstructed record by record, or is it simply a whole-file restore? Also, do I need to do a slapconfig destroyldapserver before the Restore? Will the Restore completely restore all the settings correctly for all server services (e.g. Certificates, Mail, Web, etc.) to function normally, assuming of course there is no data corruption?

Mac mini, OS X Server, OS X 10.10.5 / OS X Server 4.1.5

Posted on Sep 30, 2015 9:04 PM

3 replies

Mar 27, 2016 3:18 AM in response to victorp_sg

It seems that I may have solved my issue of having daily authentication errors in "/var/log/opendirectoryd.log", "/Library/Logs/PasswordService/ApplePasswordServer.Server.log" and "/Library/Logs/PasswordService/ApplePasswordServer.Error.log". My symptom is that Apple Mail or services using Open Directory cannot log in a few days after turning Directory Services off and on to reset it. Also, I am using IP aliases on my system ethernet interface--one IP for the actual interface and two virtuals (xxx.xxx.xxx.66, xxx.xxx.xxx.67, xxx.xxx.xxx.68)--but in the Open Directory service panel, my Master was listing xxx.xxx.xxx.68, xxx.xxx.xxx.66, xxx.xxx.xxx.67, which was out of sequence.


The steps I took to solve the problem are the following (I am not sure if all the steps are necessary):


(1) Use Server.app to archive Open Directory Master

(2) Delete / destroy the Open Directory Master via Server.app

(3) In Terminal, "sudo slapconfig -destroyldapserver" to make sure all related files and folders are cleared

(4) Reboot system, wait a while for the system to stabilise and continue to next step

(5) Use Server.app to restore Open Directory Master from the archive done in Step (1) above

(6) In my System keychain, my MACHINE_IDENTITY identity preference wasn't pointing to the correct SSL file; so I corrected it

(7) Reboot system


So far, all the related Open Directory logs do not have any errors reported and my Open Directory service Master is listing the correct ...66, ...67, ...68 IP addresses in sequence.

Mar 27, 2016 4:31 AM in response to victorp_sg

I forgot to add some additional steps...


Step 1.5: Disable all services except DNS in Server.app, as well as any launchd scripts you may have for daemons requiring Directory services


Step 8: Enable your launchd scripts disabled in Step (1.5)


Step 9: Enable the Server.app services disabled in Step (1.5); check that each service's settings are correct, especially those that use SSL Certificates--use the Server.app Certificates panel to check them

Mar 29, 2016 11:41 PM in response to victorp_sg

I spoke too soon...after over 2 days of blissful absence of error messages in the Directory Service logs, they came back with a vengeance. The error is always a "Policy test failed for ..." in /var/log/opendirectoryd.log and at the exact same time a "pws_policyEval: Cannot create container" and/or "pws_policyEval: Cannot create authdata container" in /Library/Logs/PasswordService/ApplePasswordServer.Error.log.


I had used "pwpolicy" to clear global and user account policies, and to reimplement global account policies on the structure and format of the password, but without any policy affecting the age and expiry of the password. So some passwords are pretty old (some over 2 years or more)...could it be this problem? On the other hand, why does it choose to complain about the password age only after 2 days of blissful quiet?


The other possibility is that my Open Directory Master is on a Mac mini Server with two IP address aliases besides the "real" one on a physical ethernet interface. Is it possible Open Directory does not like IP address aliases? But again, why does it complain now?


So maybe I need to write a script to restart Directory Service after the above error messages appear in the log...
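The log-watching script the last reply contemplates, written out as an added example. This is not code from the thread, and nothing in the thread confirms that restarting is the right fix; it only automates the workaround the poster already uses by hand. Assumptions of mine: the two log paths are the ones named in the thread; OD_RESTART_CMD defaults to a placeholder, 'killall opendirectoryd', which relies on launchd relaunching the daemon and must be replaced with the restart method you have verified on your own server (the poster toggles Directory services in Server.app, which may restart more than opendirectoryd); the state directory and offset files are my own choice. The error signatures are the strings quoted in the first and last posts.

```shell
#!/bin/sh
# od_watch.sh - restart Directory Services when the OD / Password Service
# errors quoted in this thread show up in the logs.
# Added example, not a script from the thread. ASSUMPTIONS:
#  - OD_RESTART_CMD is a placeholder: 'killall opendirectoryd' relies on
#    launchd relaunching the daemon. Confirm the restart method you need.
#  - STATE_DIR and the *.off/last files are my own bookkeeping, not Apple's.

OD_LOG=${OD_LOG:-/var/log/opendirectoryd.log}
PWS_LOG=${PWS_LOG:-/Library/Logs/PasswordService/ApplePasswordServer.Error.log}
STATE_DIR=${STATE_DIR:-/var/run/od_watch}   # read offsets + last restart time
COOLDOWN=${COOLDOWN:-600}                    # minimum seconds between restarts
INTERVAL=${INTERVAL:-60}                     # poll period in "run" mode
OD_RESTART_CMD=${OD_RESTART_CMD:-'killall opendirectoryd'}

# Signatures taken from the thread: "-5 Timed out" and "slot ... not found"
# from the first post, "Policy test failed" / "Cannot create ... container"
# from the last one. Extend as needed.
OD_ERROR_RE='Policy test failed|pws_policyEval: Cannot create( authdata)? container|ldap_search_ext_s returned -5 Timed out|user with slot [^ ]+ not found'

# od_error_count: count matching lines on stdin; prints 0 when none match.
od_error_count() {
  grep -c -E "$OD_ERROR_RE" || true
}

# new_lines FILE NAME: print only what was appended to FILE since the last
# call, remembering the byte offset in $STATE_DIR/NAME.off. If the file
# shrank (log rotated), start from the beginning. This keeps an error that
# was already acted on from being counted again on the next poll.
new_lines() {
  f=$1; off_file=$STATE_DIR/$2.off
  [ -f "$f" ] || return 0
  size=$(($(wc -c < "$f")))
  off=0; [ -f "$off_file" ] && off=$(($(cat "$off_file")))
  [ "$size" -lt "$off" ] && off=0
  tail -c +$((off + 1)) "$f"
  echo "$size" > "$off_file"
}

# should_restart NOW: true when COOLDOWN seconds have passed since the last
# restart this script triggered. Without this, persistent errors would put
# the server into a restart loop and knock out logins entirely.
should_restart() {
  last=0
  [ -f "$STATE_DIR/last" ] && last=$(($(cat "$STATE_DIR/last")))
  [ $(($1 - last)) -ge "$COOLDOWN" ]
}

# check_once: look at the new log lines; if any error signature appears and
# the cooldown has elapsed, run OD_RESTART_CMD and record the time.
# Returns 0 when a restart was triggered, 1 otherwise.
check_once() {
  mkdir -p "$STATE_DIR"
  n=$( { new_lines "$OD_LOG" od; new_lines "$PWS_LOG" pws; } | od_error_count )
  [ "$n" -gt 0 ] || return 1
  now=$(date +%s)
  should_restart "$now" || return 1
  logger -t od_watch "$n OD/PasswordService error(s) seen, running: $OD_RESTART_CMD" 2>/dev/null || true
  sh -c "$OD_RESTART_CMD" && echo "$now" > "$STATE_DIR/last"
}

# "od_watch.sh run" polls forever (run it as root, e.g. from a launchd job).
if [ "${1:-}" = run ]; then
  while :; do
    check_once || true
    sleep "$INTERVAL"
  done
fi
```

Each restart is also written to the system log via logger, so the frequency of restarts stays visible; a watcher like this hides the symptom, not the cause, and the count of how often it fires is the thing worth keeping for the real diagnosis.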
