On Wed, Nov 26, 2008 at 11:21 AM, Nathan Hruby <[EMAIL PROTECTED]> wrote:
> On Wed, Nov 26, 2008 at 10:12 AM, Gilbert Wilson <[EMAIL PROTECTED]> wrote:
>>
>> I'm having a problem with persistent corruption in Apple's Open
>> Directory. I believe this corruption is related to OpenLDAP and the
>> BerkeleyDB. I was hoping that folks here might be able to help me
>> track down whether this is the problem or not.
>
> Last time I ran OpenDirectory (10.3-ish) passwords were stored in a
> separate facility called PasswordServer, which LDAP, etc. used by way
> of some Apple Magic Smoke. If that's how they still do it, you may
> want to check that password server is operating normally and that its
> databases are fine as well.

10.5 still uses PasswordServer (PasswordService). My understanding is that the passwords aren't *in* PasswordServer; rather, PasswordServer is the *gateway* to where passwords are stored. This lets the administrator store account passwords in a myriad of formats as needed without OpenLDAP needing to know where the passwords are or how to access them.

I've noticed in the logs that OD states that the accounts continue to authenticate successfully, but the client says access refused/denied/wrong. I suppose that's an important piece of information I should have stated in the first email...

> Additionally, enable debugging in slapd,

Thankfully, I saved a copy of OD in its corrupted state. So, it's conceivable to restore it to a different server and bump up logging without having to wait for the live server to screw up again.

> check the expiration of the
> SSL certs and SSL CA certs you're using with OpenDirectory

Certs are good. They don't expire until next year. Or are you referring to something else about the certs?

> as well as
> any replication setups you may have

No replication at this time.

> and/or any kerberos setups that
> you may have created.

I'm no expert when it comes to kerberos. Do you have any suggestions on the kinds of problems I should look for in the kerberos setup?

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
