Slow Open Directory on OS X Server

Ever since I've been playing with my Mac mini running OS X Server 10.6.4 I have had on-and-off problems in the authentication/Open Directory area.

  • Some accounts authenticate really quickly, while others take minutes to authenticate.
  • Accessing the Open Directory through the Workgroup Manager is as slow as a slow boat to China. Changing users (just by selecting them) takes another boat along the Pacific.

So it was time to start digging into the phenomenon called 'Open Directory'.

The manual from Apple isn't much help in troubleshooting a slow Open Directory, so it was time to search the interwebs and start experimenting. If it didn't work, I could always reinstall the entire server from scratch.

The first hint I found was to back up the configuration (the Archive tab in the Open Directory pane of Server Admin), 'demote' Open Directory to a Standalone instance, reboot, and promote it back to Master. This resulted in nothing but errors. A reboot of the system did start Open Directory as a Master, but the system was still slow.

 Open Directory Archive and Restore pane

After that I found hints that Single Sign-On and/or Kerberos might have something to do with it. That seemed logical, since I got a warning every time I tried to promote the Standalone server to an Open Directory Master.
One tip I found was related to DNS (something Kerberos relies on heavily):

Open Terminal and type:

nslookup <hostname>
(e.g. nslookup server.local)

This should result in output containing the actual IP address of the server. After that type:

nslookup <IP ADDRESS>
(e.g. nslookup 192.168.0.1)

This should return the name of the server, and it has to be the same name you looked up in the first step. If it doesn't, you need to fix your DNS (the magic word here is reverse lookup: the PTR record for the server's address must point back to its hostname). Keep in mind that nslookup asks the DNS server directly rather than going through the system resolver, so make sure it is querying the same DNS server the clients and the server itself use.

An (excellent) alternative is the changeip command, which performs the same forward-and-reverse check in one go:

server:~ administrator$ sudo changeip -checkhostname

Primary address     = 192.168.0.1

Current HostName    = server.local
DNS HostName        = server.local

The names match. There is nothing to change.
dirserv:success = "success"
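The forward/reverse round trip that the nslookup steps and changeip -checkhostname perform by hand, as an added example (not code from the original post or from Apple's tools). It uses the system resolver by default, which is what applications see, and it handles the details the manual check glosses over: several A records for one name, case and trailing-dot differences in the PTR answer, and a PTR record that is missing rather than merely wrong. The lookup tables and the hostname server.example.com in the constructed resolvers are assumptions for offline use only.

```python
"""Forward/reverse DNS consistency check: every address a hostname resolves to
must have a PTR record naming that same hostname (what 'changeip -checkhostname'
reports as 'The names match')."""
import socket


def normalize(name):
    """DNS names compare case-insensitively and a trailing dot is not significant."""
    return name.rstrip(".").lower()


def system_forward(hostname):
    """IPv4 addresses for hostname via the system resolver (applications use this
    path; nslookup instead talks to the DNS server directly)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)})


def system_reverse(ip):
    """Names for ip via the system resolver: canonical name plus any aliases."""
    name, aliases, _ = socket.gethostbyaddr(ip)
    return [name] + aliases


def make_table_resolvers(a_records, ptr_records):
    """Build forward/reverse lookup functions from constructed tables (assumed data
    for offline testing). Missing entries fail the same way real lookups do."""
    def forward(hostname):
        try:
            return list(a_records[normalize(hostname)])
        except KeyError:
            raise socket.gaierror(f"no A record for {hostname}")

    def reverse(ip):
        try:
            return list(ptr_records[ip])
        except KeyError:
            raise socket.herror(f"no PTR record for {ip}")

    return forward, reverse


def check_dns_roundtrip(hostname, forward=system_forward, reverse=system_reverse):
    """Return (ok, problems). ok is True only when the forward lookup succeeds and
    every returned address has a PTR record that names hostname."""
    problems = []
    try:
        addrs = forward(hostname)
    except OSError as e:
        return False, [f"forward lookup of {hostname} failed: {e}"]
    if not addrs:
        return False, [f"{hostname} resolves to no address"]
    for ip in addrs:
        try:
            names = [normalize(n) for n in reverse(ip)]
        except OSError as e:
            problems.append(f"{ip}: reverse lookup failed: {e}")
            continue
        if normalize(hostname) not in names:
            problems.append(f"{ip}: PTR gives {names or 'nothing'}, expected {normalize(hostname)}")
    return not problems, problems


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    ok, problems = check_dns_roundtrip(host)
    print("The names match." if ok else "\n".join(problems))
    sys.exit(0 if ok else 1)
```

Run it as `python3 dnscheck.py server.example.com` on the server and again on a client; a hostname that passes on the server but fails from a client points at the clients using a different DNS server (or at a .local name that only Bonjour can resolve).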

In my case this all worked fine, so DNS wasn't the issue. Having no other real options, I decided to look for the actual configuration files of Open Directory on the file system. A quick Google query revealed that they are located in:

/etc/openldap/

There are several config files in this directory, but the ones that seem to matter are:

  • slapd.conf
  • slapd_macosxserver.conf

Before renaming these files I demoted Open Directory to Standalone, since I didn't know what effect the rename might have on a running master. Demoting removes the server's directory data, so the archive made earlier is what brings the accounts back afterwards. After the demotion I renamed the files:

  • slapd.conf.old
    Terminal command: sudo mv slapd.conf slapd.conf.old
  • slapd_macosxserver.conf.old
    Terminal command: sudo mv slapd_macosxserver.conf slapd_macosxserver.conf.old

*) sudo is needed because /etc/openldap is owned by root; a normal account cannot rename files there.

A reboot of the server makes sure that the Open Directory is no longer running as a Master.

After the reboot, promote Open Directory to Master using the Server Admin tool. This takes a while, and might even throw an error at the end (it did for me). After this the Open Directory wizard had recreated the config files in /etc/openldap/, and you're good to go (at least I was). Then restore the archive you made earlier and everything is as it should be (as shown below). If you want to know what was actually wrong, diff the renamed .old files against the regenerated ones; any stale directive left over in the old files will show up in that diff.
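A directive-level comparison of the old and regenerated files, as an added example (not from the original post or from Apple's tooling). A plain diff of slapd.conf files is noisy because the format allows comments, blank lines and continuation lines (a line starting with whitespace continues the previous one), so the script first unwraps the files into logical directives and then reports what was removed and added. The two sample files embedded below are constructed for illustration only; the directive names are real slapd.conf directives, but the differing values are made up and are not the author's actual configuration.

```python
"""Compare a stale slapd.conf-style file with the regenerated one, directive by
directive, after normalising the slapd.conf syntax (comments, blank lines and
whitespace-led continuation lines)."""
from collections import Counter


def logical_lines(text):
    """Unwrap continuation lines first, then drop blanks and '#' comments.
    slapd.conf unwraps before it looks for comments, so a wrapped comment
    stays a single comment."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and lines:
            lines[-1] = lines[-1] + " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return [line for line in lines if not line.startswith("#")]


def parse_slapd_conf(text):
    """Return (directive, value) pairs. Directive names are case-insensitive;
    runs of whitespace inside a value are collapsed so wrapped values compare
    equal to unwrapped ones."""
    pairs = []
    for line in logical_lines(text):
        parts = line.split(None, 1)
        value = " ".join(parts[1].split()) if len(parts) > 1 else ""
        pairs.append((parts[0].lower(), value))
    return pairs


def diff_directives(old_text, new_text):
    """Directives present in the old file but not the new, and vice versa.
    Counters are used because slapd.conf repeats directives such as 'include'."""
    old = Counter(parse_slapd_conf(old_text))
    new = Counter(parse_slapd_conf(new_text))
    removed = sorted((old - new).elements())
    added = sorted((new - old).elements())
    return removed, added


def report(old_text, new_text):
    """Human-readable summary in '-'/'+' style."""
    removed, added = diff_directives(old_text, new_text)
    lines = [f"- {d} {v}".rstrip() for d, v in removed]
    lines += [f"+ {d} {v}".rstrip() for d, v in added]
    return "\n".join(lines) if lines else "no directive differences"


# Constructed sample files (assumed content, not the author's real configuration;
# the differing values below are invented purely to exercise the comparison).
OLD_CONF = """\
# stale slapd.conf kept as slapd.conf.old
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
idletimeout     0
sizelimit       500
timelimit       300
"""

NEW_CONF = """\
# regenerated by the Open Directory promotion
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
idletimeout
        0
sizelimit       11000
timelimit       3600
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        old_text, new_text = (open(p).read() for p in sys.argv[1:3])
    else:
        old_text, new_text = OLD_CONF, NEW_CONF
    print(report(old_text, new_text))
```

On the server itself it would be run as `sudo python3 confdiff.py /etc/openldap/slapd.conf.old /etc/openldap/slapd.conf` (and again for slapd_macosxserver.conf); the wrapped `idletimeout` in the sample shows why unwrapping matters, since it is reported as unchanged rather than as a spurious difference.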

All is well on the Open Directory front

Posted on July 12, 2010 and filed under Annoying, Apple, Tips'n Tricks.