Publishers of technology books, eBooks, and videos for creative people

Home > Articles > Apple > Operating Systems

  • Print
  • + Share This
This chapter is from the book


Because Open Directory includes several services, there are several log files used for tracking status and errors. You can use Server Admin to view status information and logs for Open Directory services. For example, you can use the password-service logs to monitor failed login attempts for suspicious activity, or use the Open Directory logs for all failed authentication attempts, including IP addresses that generate them. Periodically review the logs to determine whether there are numerous failed trials for the same password ID, indicating that somebody might be generating login guesses. It is therefore imperative that you understand where to look first when troubleshooting Open Directory issues.

Accessing Open Directory Log Files

Generally, the first place to look when Open Directory issues arise is log files. Recall that Open Directory comprises three main components: the OpenLDAP database, the Password Server database, and the Kerberos Key Distribution Center. Mac OS X Server’s Server Admin tool allows for easy viewing of all server-related Open Directory log files with respect to these three components.

The main log files are:

  • Directory Service Server Log
  • Directory Service Error Log
  • Configuration Log
  • Kerberos Administration Log
  • Kerberos Server Log
  • LDAP Log
  • Password Service Server Log
  • Password Service Error Log
  • Password Service Replication Log

To access these log files:

  1. Open the Server Admin tool and select Open Directory in the service list on the left.
  2. Select the Logs icon from the toolbar, then choose the Password Service Server Log in the pop-up menu at the bottom of the window.
  3. Type the word john in the search box at the upper right of the window to confirm that john’s password was changed in the earlier exercise.

Interpreting log files can be a difficult task, and you may need the help of a more experienced system administrator. You can email the appropriate log file to the administrator. To find out where in the system the log file is stored, choose the log file from the View pop-up menu in Server Admin. The path to the log file will be displayed below the toobar.

Troubleshooting Directory Services

If Mac OS X or Mac OS X Server experiences a startup delay and a message about LDAP or directory services appears above the progress bar, the computer could be trying to access an LDAP directory that is not available on your network.

There are several ways to begin troubleshooting when you are unable to connect to a directory service. These include the following:

  • Use Directory Utility to make sure the LDAP and other configurations are correct.
  • Use the Network pane of System Preferences to make sure the computer’s network location and other network settings are correct.
  • Inspect the physical network connection for faults.

If you can’t modify the password of a user whose password is authenticated by Open Directory, or if you can’t modify a user account to use Open Directory authentication, one of two things might be wrong:

  • Check to make sure you are authenticated as that particular directory administrator.
  • Your administrator user account might not be configured for Open Directory authentication. If you have upgraded from an earlier version of Mac OS X Server, the account might have a crypt or shadow password rather than an Open Directory password.

Troubleshooting Kerberos

When a user or service that uses Kerberos experiences authentication failures, try these techniques:

  • Ensure that DNS is resolving addresses correctly. This is especially important at the time you are promoting a server to Open Directory master. If the DNS doesn’t resolve addresses correctly, the incorrect address will be written to the Kerberos configuration files. Kerberos tickets won’t be usable.
  • Kerberos authentication is based on encrypted timestamps. If there’s more than a five-minute difference between the KDC, client, and service computers, authentication may fail. Make sure that the clocks for all computers are synchronized using the NTP service of Mac OS X Server or another network time server.
  • Make sure that Kerberos authentication is enabled for the service in question.
  • Refer to the password service and password error logs for information that can help you solve problems. You can sometimes detect incorrect setup information, such as wrong configuration filenames, using the logs.
  • View the user’s Kerberos ticket. The Kerberos tickets are visible in the Kerberos application, which is found in /System/Library/CoreServices.
  • + Share This
  • 🔖 Save To Your Account