Our thinking


Fix a broken Open Directory

Edit: November 2021

People seem to still be hitting this story, and by and large these steps usually work. If you are still relying on macOS Server however, you need to migrate to another platform with some degree of urgency.

This post was originally written six years ago, when Apple were still promoting the use of Server with Open Directory.

Server has been pretty much deprecated since then, with Apple pulling out all the useful features (like DHCP, DNS and even robust File Sharing) and reducing it to nothing more than Xsan and Profile Manager.
Profile Manager is not a suitable MDM solution for production use, so you really should not be relying on Server for anything at all these days.

Synology is a far more suitable platform for file services and directory services (via its built-in file sharing and LDAP server). Synology can also provide many of the other network services that Server previously supplied – DHCP, DNS etc. These network services can likely also be handled via your router/firewall. For a robust and scalable MDM solution, do not use Profile Manager, instead I recommend using something like Mosyle as a good MDM solution.
Long story short however, you need to migrate away from macOS Server.

Back to the original article:

I don’t know why the databases that OpenLDAP uses are so fragile, and therefore why Open Directory looses it’s shit nearly every single time you have to force a server to restart, but they are and it does.

In the majority of cases, it’s pretty straightforward to fix – and again I’ve got no idea why this isn’t part of the startup process for OpenLDAP if something goes wrong…

Anyway, if Open Directory won’t load, or isn’t showing you any users, nine times out of ten, it’s one or the other of the OpenLDAP databases that are corrupt.

Fix them like so:

sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist
sudo /usr/libexec/slapd -Tt
sudo db_recover -cv -h /var/db/openldap/openldap-data/
sudo db_recover -cv -h /var/db/openldap/authdata/
sudo /usr/libexec/slapd -Tt
sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.plist

If this sequence of commands doesn’t fix it, then you will need to restore the LDAP databases from backup, which can generally be done with the following command:

sudo slapconfig -restoredb /private/var/backups/ServerBackup_OpenDirectoryMaster.sparseimage

Edit: September 2018 – I’ve rolled these steps into an AppleScript app that you can download and run to run the db_recover repair automatically.

26 thoughts on “Fix a broken Open Directory

  1. Thanks a million !! Works great now !!
    In fact, I only used the last line of code instead of typing in the top six rows of code.
    Now, I can keep this handy for when the Open Directory disappears again !!

  2. THANK YOU SO MUCH!!!! This scared the crap out of me. The OD issue broke XSAN showing the volumes in Server app, yet they were mounting. However, I was unable to deploy to any more clients without fixing this first.

    1. Thank you!!! After performing an update to macOS 10.12.6 on my Mac Mini Server all my network accounts disappeared. I thought I was hosed. Your instructions worked flawlessly and saved the day. Feeling very appreciative you took the time to make this post.

  3. I’m glad these instructions are helping people. I’ve lost count of the number of times I’ve looked this up to repair a client’s broken OD.
    It’s such a common issue – I don’t know why Apple don’t have something in place to detect this issue and automatically run the repairs…

  4. really saved my skin there. thought i was going to have to manual reentera hundred accounts plus mobility settings in WGM. Onenoted all that. Much props. Any good resources for learning all the server mgmt commands besides the man pages?

  5. I noticed Open Directory after initial configuration or after restoration might stay in high-performance but unsafe state with fullsync mode disabled.

    My database fails very rarely after I make sure fullsync is enabled with this command:
    slapconfig -setfullsyncmode yes

  6. Worked for me also. OD Failed after the latest Sierra Security update. Followed the instructions and voila back in business

  7. I just want to say THANKS! These instructions got our server back up and running without having to restore from a backup. Saving our bacon one view at a time…

  8. This is like the best blog post for mac sysadminns on the internet. Thank you thank you.

    I just know I’ve started our entire OD directory from scratch a couple of times due to this simple problem which stings a bit, but at least these days this is known and fixable so consistently. Did I mention Thank You?

    1. Glad to help – I don’t know why OD is so fragile on some systems. Some servers seem to never have a problem with it all. One or two servers I was looking after seemed to need this done after. every. single. reboot.
      I’m glad it’s sorted things out for you.

    1. I have no idea why it tweaks out like this, but I’m glad this fix worked. You really should consider migrating to something more stable however as Apple have pretty much abandoned Open Directory by now…

    1. I’m glad this has helped you, however as I said to the last poster, you really need to look at migrating away from OD as Apple are pushing everyone towards a more BYOD/MDM style solution… Or, if you need directory services, using Active Directory.

  9. It worked for me. But couple of issues.
    asking Open Directory Admin Password (diradmin) for user account creation.
    No users cant login to their accounts. Saying Password wrong.
    Is any body could help me?

  10. I seemed to have lost my open directory all together after attempting this fix? I know it has worked for me in the past but now when I turn on OD it just asks to start a new, join or recover. I inherited this set up from the previous guy who set this network up. So I’m not sure what to do now? We have just had a ton of problems with apple server.

    1. This post was originally written six years ago, when Apple were still promoting the use of Server with Open Directory.
      Server has been pretty much deprecated since then, with Apple pulling out all the useful features (like DHCP, DNS and even robust File Sharing) and reducing it to nothing more than Xsan and Profile Manager.
      Profile Manager is not a suitable MDM solution for production use, so people really should not be relying on Server these days.
      My recommendation to you is to migrate away from Server app as soon as you possibly can. Synology is a far more suitable platform for file services and directory services (via its built-in LDAP server). For other services that were in Server, I recommend something like Mosyle as a good MDM solution.
      Synology can also provide many of the other network services that Server previously comprised – DHCP, DNS etc, or this can be handled via your router/firewall.
      Long story short however, you need to migrate away from macOS Server.

Leave a Reply