OD network users cannot authenticate

Discussion in 'Mac OS X Server, Xserve, and Networking' started by Truffy, Nov 27, 2012.

  1. macrumors 6502a

    Truffy

    Joined:
    May 9, 2005
    Location:
    somewhere outside your window...
    #1
    I recently had a lot of errors on two ML servers acting as OD Master/Replica, so decided to reinstall from scratch. One is running OS X 10.8.2, the other 10.8. Both are vanilla installs (going so far as to recreate the RAID), and both have the latest version of server.app installed.

    Network users cannot authenticate.

    Running slapconfig -ver gives the following errors on both machines:
    Code:
    bubbles:~ administrator$ sudo slapconfig -ver
    2012-11-27 20:17:31 +0000 command: /usr/libexec/slapd -T cat -c -f /etc/openldap/slapd.conf -s ou=macosxodconfig,cn=config,dc=test249,dc=home
    2012-11-27 20:17:31 +0000 Error execing slapcat: 50b51fdb /etc/openldap/slapd_macosxserver.conf: line 303: unknown directive <TLSCertificatePassphrase> inside backend database definition.
              slapcat: bad configuration file!
    LDAP Setup Tool (slapconfig), Apple, Inc.,  Version 1.2
    Obviously ou=macosxodconfig,cn=config,dc=test249,dc=home is wrong, but I don't know where this setting is held to correct it to ou=macosxodconfig,cn=config,dc=server,dc=domain,dc=tld

    Opening slapd_macosxserver.conf shows the last four lines to be:
    Code:
    TLSCertificateFile      /etc/certificates/server.mydomain.LONGHASH.cert.pem
    TLSCACertificateFile    /etc/certificates/server.mydomain.LONGHASH.chain.pem
    TLSCertificateKeyFile   /etc/certificates/server.mydomain.LONGHASH.key.pem
    TLSCertificatePassphrase        "Mac OS X Server certificate management.LONGHASH"
    I can 'fix' the second error by commenting out that last line. But that just results in a new and exciting error:
    Code:
    bubbles:~ administrator$ sudo slapconfig -ver
    2012-11-27 20:43:00 +0000 command: /usr/libexec/slapd -T cat -c -f /etc/openldap/slapd.conf -s ou=macosxodconfig,cn=config,dc=test249,dc=home
    2012-11-27 20:43:00 +0000 Error execing slapcat: slapcat: slap_init no backend for "ou=macosxodconfig,cn=config,dc=test249,dc=home"
    LDAP Setup Tool (slapconfig), Apple, Inc.,  Version 1.2
    Incidentally, all this is being run on the Master, but identical errors on the Replica.
     
  2. macrumors newbie

    Joined:
    Nov 28, 2012
    #2
    Before you go anywhere, is your DNS configured correctly on both boxes?

    Code:
    sudo changeip -checkhostname
    90% of the time it's DNS with authentication problems.

    However, you're showing errors in the LDAP configuration. If you absolutely want to change that yourself, at the command line, you're going to need to delve into LDAP admin. You should hopefully also be able to change it in Server Admin, but you absolutely have to have DNS functioning fully before LDAP or it's just not gonna play ball.
     
  3. thread starter macrumors 6502a

    Truffy

    Joined:
    May 9, 2005
    Location:
    somewhere outside your window...
    #3
    I checked DNS before starting OD, but just to make sure I just double-checked and both hosts resolve correctly.
    I only have server.app installed, and it seems to be pretty rudimentary in what can actually be configured. Unless I've missed something, server.app seems to be limited to switching OD on/off and creating a replica. Actual configuration seems to be hamstrung.

    Which leaves me with the command line. Where should I start looking (I've already tried /etc/openldap/slapd.conf and /etc/openldap/slapd_macosxserver.conf)?
     
  4. macrumors newbie

    Joined:
    Nov 28, 2012
    #4
    Rather than slow you down, it can help to just check DNS before every step. You never know when it might decide to screw itself up and cause you untold pain. It's a sadist on OS X Server.

    LDAP configuration isn't held in flat files, you need to edit via the database connection using the relevant command line tools. Extract and create a backup of your config first!
     
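The two pieces of advice in #2 and #4 (check DNS before every step, and extract a backup of the LDAP config before touching it) as a small shell preflight. This is an added example, not code from the thread or from Apple; it uses only standard `dig`, `slapcat` and `slaptest`, and the hostnames, addresses and backup path it uses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Preflight for an OD master/replica
# rebuild: the forward/reverse DNS check from post #2 (what changeip
# -checkhostname is really testing), then the "extract and back up your
# config first" step from post #4. Hostnames, IPs and the backup directory
# below are constructed assumptions.

# fqdn_consistent NAME FORWARD_IP REVERSE_NAME
# Returns 0 only when NAME is a real FQDN (not a bare short name, not .local),
# it has an A record, and the PTR for that address points back at NAME.
# Case and the trailing dot dig prints on PTR answers are ignored.
fqdn_consistent() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    fwd=$2
    rev=$(printf '%s' "$3" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    case "$name" in
        *.local|*.) return 1 ;;   # mDNS-only or malformed name
        *.*) ;;                   # at least one label separator present
        *) return 1 ;;            # bare short name
    esac
    [ -n "$fwd" ] || return 1     # no forward record at all
    [ "$name" = "$rev" ]
}

# check_live_host [NAME]: run fqdn_consistent against the resolver this box
# actually uses. Defaults to the local hostname.
check_live_host() {
    name=${1:-$(hostname)}
    fwd=$(dig +short A "$name" | head -n 1)
    rev=""
    if [ -n "$fwd" ]; then
        rev=$(dig +short -x "$fwd" | head -n 1)
    fi
    if fqdn_consistent "$name" "$fwd" "$rev"; then
        echo "DNS OK: $name -> $fwd -> ${rev%.}"
    else
        echo "DNS MISMATCH: name=$name forward=${fwd:-none} reverse=${rev:-none}" >&2
        return 1
    fi
}

# backup_od_config [DIR]: dump the LDAP database to LDIF and copy the flat
# config files before changing anything. slapcat reads the database files
# directly, so it works even when slapd itself refuses to start.
backup_od_config() {
    dest=${1:-/var/backups/od-$(date +%Y%m%d-%H%M%S)}   # assumed location
    mkdir -p "$dest" || return 1
    slapcat -f /etc/openldap/slapd.conf -l "$dest/directory.ldif" || return 1
    cp /etc/openldap/slapd.conf /etc/openldap/slapd_macosxserver.conf "$dest/" || return 1
    echo "backup written to $dest"
}

# config_parses [FILE]: dry-run parse of slapd.conf with slaptest. It reports
# the same "unknown directive" / "bad configuration file" errors that slapcat
# shows in post #1, without opening the database.
config_parses() {
    slaptest -u -f "${1:-/etc/openldap/slapd.conf}"
}

# Run the whole preflight only when invoked explicitly (needs root for the
# backup step): sh preflight.sh --run [hostname]
if [ "${1:-}" = "--run" ]; then
    check_live_host "$2" && config_parses && backup_od_config
fi
```

`fqdn_consistent` is kept separate from the live lookup so the decision logic can be exercised without a resolver; `check_live_host` only feeds it what `dig` returns. A reverse record that names a different host, or no reverse record at all, fails the check just as a bare short name or a `.local` name does, which are the usual ways a freshly rebuilt box ends up with a hostname OD will not accept. Run it before every step, as #4 suggests, and keep the LDIF from `backup_od_config` somewhere outside `/etc/openldap` before editing anything by hand.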
  5. thread starter macrumors 6502a

    Truffy

    Joined:
    May 9, 2005
    Location:
    somewhere outside your window...
    #5
    Thanks. Is there a primer on this, or a guide to the CLI tools that I should use (slapconfig?)?
     
  6. macrumors newbie

    Joined:
    Nov 28, 2012
    #6
    There are no specific primers I know of for OS X Server, but I haven't looked. I'd get a book, or at least a trial of Safari Books to get access to their LDAP admin books.
     