Monday, July 12, 2010

Slow Open Directory on OS X Server

Ever since I started playing with my Mac mini running OS X Server 10.6.4, I have had on-and-off problems in the authentication/Open Directory area.

  • Some accounts authenticate really quickly, while others take minutes to authenticate.
  • Accessing the Open Directory through Workgroup Manager is as slow as a slow boat to China. Changing users (just by selecting them) takes another boat across the Pacific.

So it was time to start digging into the phenomenon called 'Open Directory'.

The manual from Apple isn't much help in troubleshooting a slow Open Directory, so it was time to search the interwebs and start experimenting. If it didn't work, I could always reinstall the entire server from scratch.

The first hint I found was to back up the configuration, 'demote' the Open Directory to a Standalone instance, reboot, and promote the Open Directory to Master again. This resulted in nothing but errors. A reboot of the system did start the Open Directory as a Master, but the system was still slow.

(Screenshot: Open Directory Archive and Restore pane)

After that I found that Single Sign-On and/or Kerberos might have something to do with it. That seemed logical, since I got a warning every time I tried to create a Master Open Directory server from the Standalone edition.
A tip I found was related to DNS (something Kerberos relies on heavily):

Open Terminal and type:

nslookup <hostname>
(e.g. nslookup server.local)

This should result in a piece of output containing the actual IP address of the server. After that, type:

nslookup <IP ADDRESS>
(e.g. nslookup 192.168.0.1)

This should return the name of the server. If it doesn't, you need to fix your DNS (the magic word here is reverse lookup: the PTR record for the address must point back at the same hostname).

An (excellent) alternative is using the changeip command:

server:~ administrator$ sudo changeip -checkhostname

Primary address     = 192.168.0.1

Current HostName    = server.local
DNS HostName        = server.local

The names match. There is nothing to change.
dirserv:success = "success"
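The forward-then-reverse check above, written out as a small script. This is an example added here, not the post's own commands and not Apple's changeip; it assumes `dig` is installed (it ships with OS X) and that an IPv4 A record is what you are checking. The two lookups sit in their own functions so they can be replaced, and the return code tells you which half of the round trip is broken, which is the part the GUI warning never shows you.

```shell
#!/bin/sh
# Forward/reverse DNS consistency check, modelled on what
# `changeip -checkhostname` reports. Added example, not Apple's tooling.
# Assumes `dig` is on the PATH (assumption).

# Normalise a DNS name for comparison: lower-case, no trailing dot.
normalize_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Forward lookup: hostname -> first IPv4 address (empty when none).
forward_lookup() {
    dig +short A "$1" 2>/dev/null \
        | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1
}

# Reverse lookup: IPv4 address -> PTR name (empty when none).
reverse_lookup() {
    dig +short -x "$1" 2>/dev/null | head -n 1
}

# check_hostname NAME
# Exit status: 0 = NAME -> IP -> NAME round-trips,
#              1 = no A record, 2 = no PTR record, 3 = PTR names a different host.
check_hostname() {
    name=$1
    ip=$(forward_lookup "$name")
    if [ -z "$ip" ]; then
        echo "No A record for $name"
        return 1
    fi
    echo "Primary address     = $ip"
    ptr=$(reverse_lookup "$ip")
    if [ -z "$ptr" ]; then
        echo "No PTR record for $ip (reverse lookup is missing)"
        return 2
    fi
    echo "Current HostName    = $name"
    echo "DNS HostName        = $ptr"
    if [ "$(normalize_name "$name")" = "$(normalize_name "$ptr")" ]; then
        echo "The names match. There is nothing to change."
        return 0
    fi
    echo "The names do not match: the PTR record for $ip must name $name"
    return 3
}

# Usage: sh check_hostname.sh server.local
if [ -n "${1:-}" ]; then
    check_hostname "$1"
fi
```

Kerberos does not care whether the names differ only in case or in a trailing dot, which is why the comparison normalises both before deciding; a PTR that points at a completely different name, or none at all, is the case worth fixing in DNS before promoting the server to Master.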

In my case this all worked fine, so DNS wasn't the issue. Having no other real options, I decided to look for the actual configuration files of the Open Directory on the file system. A quick Google query revealed that they are located in:

/etc/openldap/

There are several config files located in this directory, but the ones that seem to matter are:

  • slapd.conf
  • slapd_macosxserver.conf

Before I renamed these files I demoted the Open Directory to Standalone, since I didn't know what effect renaming them might have on a running Master. After the demotion I renamed these files to:

  • slapd.conf.old
    Terminal command: sudo mv slapd.conf slapd.conf.old
  • slapd_macosxserver.conf.old
    Terminal command: sudo mv slapd_macosxserver.conf slapd_macosxserver.conf.old

*) sudo is needed because /etc/openldap/ is owned by root; without it you don't have permission to move or rename files in this directory.

A reboot of the server makes sure that the Open Directory is no longer running as a Master and that nothing still holds the old config files open.
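The rename step as a script, added here as an example rather than anything from the post or from Apple. It takes the directory as a parameter (an assumption, so it can be rehearsed on a copy before being pointed at /etc/openldap under sudo), checks both files before touching either, and refuses to proceed when a file is absent or a .old backup already exists, so you never end up with half a config archived or an earlier backup overwritten.

```shell
#!/bin/sh
# Rename slapd.conf and slapd_macosxserver.conf to *.old, as the post does
# by hand. Added example, not Apple's tooling. DIR is a parameter
# (assumption); on a live server it is /etc/openldap and needs sudo.

# archive_slapd_configs DIR
# Exit status: 0 = both files renamed, 1 = a file is missing (nothing moved),
#              2 = a .old backup already exists (nothing moved), 3 = mv failed.
archive_slapd_configs() {
    dir=$1
    set -- slapd.conf slapd_macosxserver.conf
    # Validate everything first so a failure leaves the directory untouched.
    for f in "$@"; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f (if only slapd.conf.default is present, OD has not written its own config here)"
            return 1
        fi
        if [ -e "$dir/$f.old" ]; then
            echo "refusing to overwrite existing backup: $dir/$f.old"
            return 2
        fi
    done
    for f in "$@"; do
        mv "$dir/$f" "$dir/$f.old" || return 3
        echo "renamed $dir/$f -> $dir/$f.old"
    done
    return 0
}

# Usage: sudo sh archive_slapd_configs.sh /etc/openldap
if [ -n "${1:-}" ]; then
    archive_slapd_configs "$1"
fi
```

Keeping the validation pass separate from the move pass is the whole point: the moment you rename slapd.conf the Master can no longer start, so you want to know before that moment whether the second file is going to cooperate.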

After the reboot, promote the Open Directory to Master using the Server Admin tool. This takes a while, and might even throw an error at the end (it did for me). By then the Open Directory wizard had recreated the config files in /etc/openldap/, and you're good to go (at least I was). Just restore the backup you made earlier and everything is as it should be (as shown below).

(Screenshot: all is well on the Open Directory front)


Reader Comments (7)

Sounds like a similar issue I've had with 10.6 servers running a .local domain. Apparently Bonjour tries to grab all traffic on .local and your domain should be .lan, .private, etc. After a lengthy DNS reset to .lan, I was able to get past these lengthy login and authentication times.

July 13, 2010 | Unregistered Commenter mike

Hi Mike,

My problem was probably the polluted config files. I still run a .local domain at home, and it performs excellently (at the moment).

July 13, 2010 | Registered Commenter Willem

Mike: I wonder if by "moving" your domain from .local to .lan you basically did the same thing as Willem has recommended.

I am having the same issues myself and will most likely pursue the troubleshooting steps you have indicated.

One odd thing though... in my case, ssh logins work just fine? I first noticed the issue when attempting to log in to the Server GUI as an LDAP-based user. It was then validated when I could no longer VPN (L2TP) in to the server. I figured out that I could connect as "root" via VPN with no issue. Also noticed that if I logged into the GUI as my admin user (local account) everything is fine. So, I had come to the conclusion that Open Directory must be the culprit, which led me here ;-)

Thanks for the write-up. I certainly hope this works. As I literally only have 1 share and 2 users on my Mac Mini, I may rebuild the whole thing and avoid using .local - even though this probably isn't necessary, I would rather not confuse the issue in the future (now that I realize the existing dependency)

Thanks again Willem

July 25, 2010 | Unregistered Commenter James Radtke

Can you clarify what you mean by "restore the backup"? I don't see any place in Server Admin to do this.

Thanks.

December 23, 2010 | Unregistered Commenter David

You were probably thinking LDAP module but actually in the DNS or other module.
Make sure you are in the LDAP module and you will see the Archive tab.

December 24, 2010 | Unregistered Commenter googlehead

@David: What googlehead is saying.
Open the Server Admin app, expand the appropriate server and select 'Open Directory'. In the right part of the window you get the options 'Overview', 'Logs', 'Archive', and 'Settings'.
Backup (it's actually called 'Archive') and restore are done through the 'Archive' option.

Hope it helps.

Willem

December 24, 2010 | Registered Commenter Willem

I even have this problem, but I don't have those files in /etc/openldap/, only a slapd.conf.default is there... so I have a lot of question marks... is there another place for them? I'm on 10.6.3.
Thanks and regards,
Michael

April 26, 2011 | Unregistered Commenter Michael Kraft
