Creating an Open Directory Replica

Today we had the need to set up an OS X 10.5 server outside our LAN that needed to authenticate users - the same users that have accounts inside our LAN. We decided the best way to achieve this was to replicate the master Open Directory onto this new server.

The tools to do this are built into Apple’s Server Admin GUI tool, so it should be easy. Right? Wrong!

To be fair it is actually really easy if you know about a couple of gotchas.

The first time we tried to create the replica it would get partway through and then Server Admin would hang at the following step:

Establishing Replica
Enabling password server replication

We found the solution to this the hard way, so hopefully this blog post will help others avoid these pitfalls in the future.

The first thing to think about is DNS. Although we had no problems, there are numerous posts on the internet that say that DNS must be working 100% for Open Directory to function correctly. This means both forward and reverse DNS lookups need to resolve correctly. You can check using this command on both the master and replica servers:

changeip -checkhostname

Replication happens via SSH. You can think of creating the replica as pulling down a copy of the directory from the master. Once the replica has been created it works the other way round - changes are pushed from the master to the replica.

During the creation of the replica SSH must be allowed in both directions. This means opening port 22 in both directions on any firewalls between the two servers. Once the replica has been created the incoming SSH port to the master can be closed to help protect the master if required.

The crucial point to note is that the replica server needs root access via SSH to the master. This is NOT enabled by default on OS X 10.5 server, so you’ll have to temporarily enable it. Add the following three lines to the bottom of the /etc/ssh_config file:

PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication no

These lines can be removed once the replica has been created.
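As an added example (not from the original post), the script below audits an SSH daemon configuration file for the three temporary directives so you can confirm they are gone once the replica exists. Two points worth knowing: these three keywords are sshd daemon options, and sshd uses the first occurrence of a keyword it finds, so a line appended at the bottom has no effect if the same keyword already appears higher up. The file path and the sample configuration are constructed for the example.

```shell
#!/bin/sh
# Added example: audit an sshd configuration file for the temporary
# replica-creation directives. Assumes the plain "Keyword value" or
# "Keyword=value" forms; Match blocks are not handled.

# Print the effective value of keyword $2 in file $1: the first
# non-comment occurrence wins, keyword matching is case-insensitive.
effective_value() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { n = split($0, f, /[ \t=]+/) }
        n >= 2 && tolower(f[1]) == kw { print f[2]; exit }
    ' "$1"
}

# Return 0 (and list the offenders) if any of the three temporary
# settings is still in effect in file $1, 1 if the file is clean.
temp_root_access_active() {
    cfg="$1"; active=1
    for pair in PermitRootLogin=yes PasswordAuthentication=yes PubkeyAuthentication=no; do
        kw=${pair%%=*}; want=${pair#*=}
        have=$(effective_value "$cfg" "$kw" | tr 'A-Z' 'a-z')
        if [ "$have" = "$want" ]; then
            echo "$kw is $have: temporary replica setting still in effect"
            active=0
        fi
    done
    return $active
}

# Constructed sample: a hardened PermitRootLogin line already present,
# followed by the three lines the post says to append at the bottom.
sample_config() {
    cat <<'EOF'
# constructed sshd configuration for the example
Protocol 2
PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication no
EOF
}
```

Run `temp_root_access_active /path/to/sshd_config` after the replica is built; in the sample above only the password and public-key lines are reported, because the earlier `PermitRootLogin no` wins over the appended `yes`.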

(Thanks to this post on Apple Discussions for pointing this out)

From here it really is just a case of following these instructions from Apple.