OD network users cannot authenticate

[Truffy]

I recently had a lot of errors on two ML servers acting as OD Master/Replica, so decided to reinstall from scratch. One is running OS X 10.8.2, the other 10.8. Both are vanilla installs (going so far as to recreate the RAID), and both have the latest version of server.app installed.

Network users cannot authenticate.

Running slapconfig -ver gives the following errors on both machines:

bubbles:~ administrator$ sudo slapconfig -ver
2012-11-27 20:17:31 +0000 command: /usr/libexec/slapd -T cat -c -f /etc/openldap/slapd.conf -s ou=macosxodconfig,cn=config,dc=test249,dc=home
2012-11-27 20:17:31 +0000 Error execing slapcat: 50b51fdb /etc/openldap/slapd_macosxserver.conf: line 303: unknown directive <TLSCertificatePassphrase> inside backend database definition.
          slapcat: bad configuration file!
LDAP Setup Tool (slapconfig), Apple, Inc.,  Version 1.2

Obviously ou=macosxodconfig,cn=config,dc=test249,dc=home is wrong, but I don't know where this setting is held to correct it to ou=macosxodconfig,cn=config,dc=server,dc=domain,dc=tld

Opening slapd_macosxserver.conf shows the last four lines to be:

TLSCertificateFile      /etc/certificates/server.mydomain.LONGHASH.cert.pem
TLSCACertificateFile    /etc/certificates/server.mydomain.LONGHASH.chain.pem
TLSCertificateKeyFile   /etc/certificates/server.mydomain.LONGHASH.key.pem
TLSCertificatePassphrase        "Mac OS X Server certificate management.LONGHASH"

I can 'fix' the second error by commenting out that last line. But that just results in a new and exciting error:

bubbles:~ administrator$ sudo slapconfig -ver
2012-11-27 20:43:00 +0000 command: /usr/libexec/slapd -T cat -c -f /etc/openldap/slapd.conf -s ou=macosxodconfig,cn=config,dc=test249,dc=home
2012-11-27 20:43:00 +0000 Error execing slapcat: slapcat: slap_init no backend for "ou=macosxodconfig,cn=config,dc=test249,dc=home"
LDAP Setup Tool (slapconfig), Apple, Inc.,  Version 1.2

Incidentally, all this is being run on the Master, but identical errors on the Replica.

 

[motorboating]

Before you go anywhere, is your DNS configured correctly on both boxes?

sudo changeip -checkhostname

90% of the time it's DNS with authentication problems.

However, you're showing errors in the LDAP configuration. If you absolutely want to change that yourself, at the command line, you're going to need to delve in to LDAP admin. You should hopefully also be able to change it in Server Admin, but you absolutely have to have DNS functioning fully before LDAP or it's just not gonna play ball.

 

[Truffy]

Before you go anywhere, is your DNS configured correctly on both boxes?

sudo changeip -checkhostname

90% of the time it's DNS with authentication problems.

I checked DNS before starting OD, but just to make sure I just double-checked and both hosts resolve correctly.

However, you're showing errors in the LDAP configuration. If you absolutely want to change that yourself, at the command line, you're going to need to delve in to LDAP admin. You should hopefully also be able to change it in Server Admin, but you absolutely have to have DNS functioning fully before LDAP or it's just not gonna play ball.

I only have server.app installed, and it seems to be pretty rudimentary in what can actually be configured. Unless I've missed something, server.app seems to be limited to switching OD on/off and creating a replica. Actual configuration seems to be hamstrung.

Which leaves me with the command line. Where should I start looking (I've already tried /etc/openldap/slapd.conf and /etc/openldap/slapd_macosxserver.conf)?

 

[motorboating]

I checked DNS before starting OD, but just to make sure I just double-checked and both hosts resolve correctly.

Rather than slow you down, it can help to just check DNS before every step. You never know when it might decide to screw itself up and cause you untold pain. It's a sadist on OS X Server.

I only have server.app installed, and it seems to be pretty rudimentary in what can actually be configured. Unless I've missed something, server.app seems to be limited to switching OD on/off and creating a replica. Actual configuration seems to be hamstrung.

Which leaves me with the command line. Where should I start looking (I've already tried /etc/openldap/slapd.conf and /etc/openldap/slapd_macosxserver.conf)?

LDAP configuration isn't held in flat files, you need to edit via the database connection using the relevant command line tools. Extract and create a backup of your config first!

 

[Truffy]

LDAP configuration isn't held in flat files, you need to edit via the database connection using the relevant command line tools. Extract and create a backup of your config first!

Thanks. Is there a primer on this, or a guide to the CLI tools that I should use (slapconfig?)?

 

[motorboating]

Thanks. Is there a primer on this, or a guide to the CLI tools that I should use (slapconfig?)?

There's no specific primers I know for OS X Server, but I haven't looked. I'd get a book, or at least a trial of Safari Books to get access to their LDAP admin books.