I was mucking about on the server installing a new version of mysql. At one point I restarted the server. This morning all the client accounts are locked out. Server shows LDAP service is unavailable with the LDAP server stopped. Lookupd, Password Server, and Kerberos are running, and NeiInfo Server is Local only.
About that time I had been in server config and deselected an option to disable login after so many failed attempts at log-in which I thought was an innocuous change.
All this is most bizarre. I fixed the problem thanks to AFP548 and Google. Solution follows.
Continuing from the above, the day the server died my secretary had logged in that morning. I had later changed a policy on password lockout in Server Admin and after that no one could log in. I recall now that the microwave in my office showed evidence of a power loss that morning. Another thing that was going on was I was doing a program install and I restarted the server to check all would work from a reboot. A user had been left logged in at the reboot. I logged off that user after initiating the reboot, and the reboot may have hung until that user was logged out, but I’m a bit fuzzy on the details there.
Anyway, the error that got me to a solution was reported in workgroup manager:
[i]The node /LDAPv3/127.0.0.1 couldn’t be opened because an unexpected error of type -14002 occurred. [/i]
Essentially, I used slapcat to retrieve configuration data from the openldap database, created a new openldap database, then repopulated the openldap database from my corrupted data. All is now fine.
The details:
slapd is not running for this to work. Had it been running and non-functional killing slapd would have been needed, I guess.
[code]
mkdir ~/ldap-rescue # create convenient directory
sudo slapcat -l ldif # create text file from slapd database
cd /var/db/openldap # move to openldap directory
sudo su
mv openldap-data openldap-data-old # srchive old data
mkdir openldap-data # new directory
chmod go-rx openldap-data # fix permissions, don’t know if needed.
/usr/libexec/slapd # test to see if slapd will run. This didn’t work before, with slapd exiting.
cat /var/run/slapd.pid # This resulted in a return value of 18691 on my system, so now slapd will run.
kill -INT `cat /var/run/slapd.pid` # kill slapd anticipating use of slapadd.
exit # get out of root. I’m dangerous.
cd ~/ldap_rescue # back to the rescue directory.
sudo slapadd -l ldif # reload the data. I’m lucky I got away with this.
sudo slapcat -l ldifnew # diff reports no differences in ldif and ldifnew
sudo /usr/libexec/slapd # start up slapd. Now all is well.
[/code]
and all was well. Looking at the two directories, openldap-data and openldap-data-old in /var/db/openldap showed a couple of interesting differences. __db.002 was 20meg in the old directory, and dn2id.bdb shrunk a bit, and
[QUOTE][u]Quote by: MacTroll[/u][p]Glad you were able to fix it. Can’t say this happens often, but if the power does go out the LDAP db could be put away dirty.
Are you now doing nightly OD backups? 😀 [/p][/QUOTE]
Well, that is a fine question. I have just gotten started in the Server world with migration from a peer to peer topology to a server setup. I was pleased to have everything working. I do keep my clinical data backed up, and mysql files are backed up as well. (I own a medical practice.) The crash here shows me I need to get my backup plans in order, pronto, before too much more time goes by.
I have backed up my configuration data by saving the .plist files you get when you drag the icon out of server administrator. Reviewing those files shows they do not constitute a full backup of the server software. I saw that there is a backup script for Open Directory available here at afp548 for doing that, which archives the slap directory, Kerberos, and another servive. These findings beg the question: just what does one do to back up the server?
I always set the following locations to be backed up on Mac servers and sometimes workstations:
* /Users – optional, but most useful on workstations.
* /System
* /Library – the apache document root is contained within this location
* /private – this is the important one on Mac servers as it encompasses most of the system configuration (/etc) and working data (/var)
It’s similar to my linux server backup policy, which is always at least:
* /etc
* /var
* /home
* /opt – if I have any custom software installed.[/list]
[QUOTE][u]Quote by: kd4ttc[/u][p][QUOTE][u]Quote by: MacTroll[/u][p]Glad you were able to fix it. Can’t say this happens often, but if the power does go out the LDAP db could be put away dirty.
Are you now doing nightly OD backups? 😀 [/p][/QUOTE]
Well, that is a fine question. I have just gotten started in the Server world with migration from a peer to peer topology to a server setup. I was pleased to have everything working. I do keep my clinical data backed up, and mysql files are backed up as well. (I own a medical practice.) The crash here shows me I need to get my backup plans in order, pronto, before too much more time goes by.
I have backed up my configuration data by saving the .plist files you get when you drag the icon out of server administrator. Reviewing those files shows they do not constitute a full backup of the server software. I saw that there is a backup script for Open Directory available here at afp548 for doing that, which archives the slap directory, Kerberos, and another servive. These findings beg the question: just what does one do to back up the server?
Steve[/p][/QUOTE]
Well for me I have two raided external disks that backup up my OD Master on alternating days with the application Super Duper! (only cavit is that it can’t backup ACLs, small price to pay for creating a startup disk of my current server on an external disk). I always make sure I create an archive of my OD Master every month and back that up to my portable external disk, just in case of a fire or anything crazie like that (nothing a 128mb flash drive can’t hold).
In the above script I modified the permissions with the line
[code]
chmod go-rx openldap-data
[/code]
Well, this isn’t a good idea. On server restarts the system is unable to read the directory and slapd isn’t running. I thought root was mucking around there, so restrictive permissions were not going to be a problem. I dropped the chmod command and not the server starts. No I can reboot and everything works.
Could someone check their setup and report the user and group ids for the directory and the permissions? What process is reading the openldap-data directory that I excluded with those permissions?
Comments are closed