
Fix a broken Open Directory

I don’t know why the databases that OpenLDAP uses are so fragile, and therefore why Open Directory loses its shit nearly every single time you have to force a server to restart, but they are and it does.

In the majority of cases, it’s pretty straightforward to fix – and again I’ve got no idea why this isn’t part of the startup process for OpenLDAP if something goes wrong…

Anyway, if Open Directory won’t load, or isn’t showing you any users, nine times out of ten it’s one or the other of the OpenLDAP databases that is corrupt.

Fix them like so:

# Stop slapd first: db_recover needs exclusive access to the database environment
sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist
# Test the config and databases; the output tells you which database is broken
sudo /usr/libexec/slapd -Tt
# Run Berkeley DB catastrophic recovery on both Open Directory database environments
sudo db_recover -cv -h /var/db/openldap/openldap-data/
sudo db_recover -cv -h /var/db/openldap/authdata/
# Test again; this should now pass cleanly, then start slapd back up
sudo /usr/libexec/slapd -Tt
sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.plist

If this sequence of commands doesn’t fix it, then you will need to restore the LDAP databases from backup, which can generally be done with the following command:

sudo slapconfig -restoredb /private/var/backups/ServerBackup_OpenDirectoryMaster.sparseimage
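The same sequence wrapped in a script, as an added example that is not the post’s own code nor the AppleScript app mentioned below. It copies both database directories aside before db_recover rewrites them in place, re-runs the slapd test afterwards, and checks that users are listed again; if the test still fails it prints the slapconfig restore command instead of starting a broken slapd. The paths are the ones quoted in the post; BACKUP_ROOT and the DRY_RUN switch (the default, which only prints the commands) are this example’s own assumptions.

```shell
#!/bin/sh
# Added example, not the post's code: the post's db_recover sequence with a
# backup step, a post-repair consistency check and a user-list verification.
# Assumptions: macOS Server paths as in the post; BACKUP_ROOT and DRY_RUN are
# this script's own. Without --run it only prints what it would do.
set -eu

SLAPD_PLIST=/System/Library/LaunchDaemons/org.openldap.slapd.plist
OD_DBS="/var/db/openldap/openldap-data /var/db/openldap/authdata"
BACKUP_ROOT=${BACKUP_ROOT:-/var/backups/od-repair}   # assumed location
DRY_RUN=${DRY_RUN:-1}                                # safe default: print only
case "${1:-}" in --run) DRY_RUN=0 ;; esac

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# slapd -Tt checks the config and opens the databases; it exits non-zero
# when one of the BDB environments is broken.
check_slapd() {
  run sudo /usr/libexec/slapd -Tt
}

# db_recover -c (catastrophic recovery) rewrites the environment in place,
# so keep a copy of each directory before touching it.
backup_dbs() {
  dest="$BACKUP_ROOT/$(date +%Y%m%d-%H%M%S)"
  run sudo mkdir -p "$dest"
  for db in $OD_DBS; do
    run sudo cp -a "$db" "$dest/"
  done
}

recover_dbs() {
  for db in $OD_DBS; do
    run sudo db_recover -cv -h "$db/"
  done
}

od_repair() {
  # slapd must be stopped: db_recover needs exclusive access to the environment.
  run sudo launchctl unload "$SLAPD_PLIST"
  check_slapd || echo "pre-check failed, recovering databases" >&2
  backup_dbs
  recover_dbs
  if check_slapd; then
    run sudo launchctl load "$SLAPD_PLIST"
    # A healthy directory lists its users again; an empty list means more work.
    run dscl /LDAPv3/127.0.0.1 -list /Users
  else
    echo "slapd -Tt still fails after db_recover; restore from backup with:" >&2
    echo "  sudo slapconfig -restoredb /private/var/backups/ServerBackup_OpenDirectoryMaster.sparseimage" >&2
    return 1
  fi
}

od_repair
```

Run it with no arguments to see the plan; run it with `--run` to perform the repair. Keeping the copies under BACKUP_ROOT matters because the sparseimage used by slapconfig -restoredb may be older than the accounts you are trying to save.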

Edit: September 2018 – I’ve rolled these steps into an AppleScript app that you can download and run to perform the db_recover repair automatically.

24 thoughts on “Fix a broken Open Directory”

  1. Thanks a million!! Works great now!!
    In fact, I only used the last line of code instead of typing in the top six rows of code.
    Now, I can keep this handy for when the Open Directory disappears again !!

  2. THANK YOU SO MUCH!!!! This scared the crap out of me. The OD issue broke XSAN showing the volumes in Server app, yet they were mounting. However, I was unable to deploy to any more clients without fixing this first.

    1. Thank you!!! After performing an update to macOS 10.12.6 on my Mac Mini Server all my network accounts disappeared. I thought I was hosed. Your instructions worked flawlessly and saved the day. Feeling very appreciative you took the time to make this post.

  3. I’m glad these instructions are helping people. I’ve lost count of the number of times I’ve looked this up to repair a client’s broken OD.
    It’s such a common issue – I don’t know why Apple don’t have something in place to detect this issue and automatically run the repairs…

  4. Really saved my skin there. Thought I was going to have to manually reenter a hundred accounts plus mobility settings in WGM. Onenoted all that. Much props. Any good resources for learning all the server mgmt commands besides the man pages?

  5. I noticed Open Directory after initial configuration or after restoration might stay in high-performance but unsafe state with fullsync mode disabled.

    My database fails very rarely after I make sure fullsync is enabled with this command:
    slapconfig -setfullsyncmode yes

  6. Worked for me also. OD Failed after the latest Sierra Security update. Followed the instructions and voila back in business

  7. I just want to say THANKS! These instructions got our server back up and running without having to restore from a backup. Saving our bacon one view at a time…

  8. This is like the best blog post for mac sysadmins on the internet. Thank you thank you.

    I just know I’ve started our entire OD directory from scratch a couple of times due to this simple problem which stings a bit, but at least these days this is known and fixable so consistently. Did I mention Thank You?

    1. Glad to help – I don’t know why OD is so fragile on some systems. Some servers seem to never have a problem with it all. One or two servers I was looking after seemed to need this done after. every. single. reboot.
      I’m glad it’s sorted things out for you.

    1. I have no idea why it tweaks out like this, but I’m glad this fix worked. You really should consider migrating to something more stable however as Apple have pretty much abandoned Open Directory by now…

    1. I’m glad this has helped you, however as I said to the last poster, you really need to look at migrating away from OD as Apple are pushing everyone towards a more BYOD/MDM style solution… Or, if you need directory services, using Active Directory.

  9. It worked for me. But a couple of issues.
    Asking for the Open Directory Admin Password (diradmin) for user account creation.
    No users can log in to their accounts. Saying password wrong.
    Could anybody help me?
