13 Feb 2011

Open Directory Demotion: Just Don't

I've been having this problem recently where I try to use Workgroup Manager and I get authentication errors. It affects all computers bound to my Open Directory, so it's a server issue, except I can still get Kerberos tickets and all other services function as expected. I can even work with Server Admin.

After a good googling I found this little gem (among others).

The two pieces of advice I gleaned from the internet were:

  1. Fiddle around with the security options in the binding pane
  2. Demote and re-promote your Open Directory, effectively restoring to defaults

I have a problem with "solutions" that consist of tossing everything and starting again from system defaults. Yes, it will probably work, but I didn't make computer science my profession to take the easy route and go back to the defaults every time a niggling issue crops up. I couldn't administer the directory, but at least the services were all up.

Anyway, being a bit time poor this week, I fiddled around with the binding options until I could log in again and left it.

This doesn't show the options that worked, but read on to find out why that probably doesn't matter anyway...

The only problem was that the authentication issue kept cropping up over the week and, to top it off, I was annoyed that suddenly the security options that I had been using for ages were apparently no longer usable.

Come the weekend, and with non-critical time to work on the server, I set about trying to solve the problem once and for all. Out of frustration I decided to go with option 2 above. It would mean a lot of work, but I was at the end of my tether. So I backed up the directory and demoted the server to a stand-alone directory. The server was re-promoted to Open Directory Master and I tried to merge the backup back into the directory.

It failed repeatedly. (You know how that feels)

The backup kept failing on merge, so I decided to try importing and replacing the directory, in spite of the fact that this step would probably re-introduce the problem. When you import the directory, however, users that had admin rights have those rights stripped. I assume that's a security thing. I then had a directory with no admin user in it.

So another demotion and re-promotion was required, but this time I gave the diradmin user a different UID and a different short name. The idea is to have an admin user that won't clash with users that are in your directory backup. The hunch paid off and the directory merged this time, and after restoring admin rights to my original diradmin user I was back where I started.

At this point reading the fine manual seemed like a good idea.

Page 87 talks about authenticated binding. While this is a nice idea, it also causes a world of hurt when used with DHCP and...

Important: If you choose “Encrypt all packets (requires SSL or Kerberos)” and “Enable authenticated directory binding,” make sure your users are using one or the other for binding and not both.

I made the decision that authenticated binding wasn't needed on my network and then proceeded to turn on all the other security measures. Also from the manual:

Note: If you change the security policy for the LDAP directory of an Open Directory master, you must disconnect and reconnect (unbind and rebind) every computer connected (bound) to this LDAP directory.

So if you change these settings without rebinding your clients, you may end up with strange issues, perhaps issues such as authentication issues with Workgroup Manager (maybe). I imagine the authentication started to work when I changed the settings back to what they were originally when the directory was first set up and the clients initially bound.

So, with the lesson learned that the Snow Leopard Server manuals are actually pretty good, and sane options chosen, all that's left is to rebind all the clients (!)
