Rebuilding Xsan Open Directory while keeping Xsan config

17 Oct 2022

In a previous article we covered rebuilding your Xsan completely by saving the /Library/Preferences/Xsan directory and using it to populate rebuilt MDCs. We recently had a situation where a backup MDC would not rejoin Open Directory as a replica after a software update. As this was supposed to be a quick, safe update we really didn't want to erase and reinstall everything, so we found a way to rebuild Open Directory while leaving Xsan in place. This process is only appropriate if your Open Directory hosts nothing but Xsan data: every existing Open Directory record is destroyed, and only the Xsan information is restored from the configuration files on disk.

We ran into this issue after a software update. For a few recent versions of macOS, Open Directory replicas seem to be reset to plain directory clients by a software update and need to be recreated with either xsanctl or slapconfig. If you have another reason to use this procedure, be sure to clean up any leftover replica state first: sudo slapconfig -destroyldapserver should reset the system to standalone (confirm with sudo slapconfig -getstyle). Note that this command is destructive; it removes the local LDAP server and its data, not just the replica binding.

On the backup MDC we also need to clean up the leftover Xsan configuration. First, sudo xsanctl unloadProfile removes the Xsan configuration profile. Then, if anything is left in /Library/Preferences/Xsan/, sudo xsanctl wipeConfig clears it out.

On the Open Directory Master, both Open Directory and Xsan should still be running at this point. Now we are going to destroy the Open Directory Master and rebuild it. Again, sudo slapconfig -destroyldapserver removes the running Open Directory, and again we can confirm with sudo slapconfig -getstyle that the system is now standalone or a directory client. slapconfig does not touch /Library/Preferences/Xsan, so the Xsan configuration files and the running volume are left alone: the volume keeps serving and clients should be unaffected.

Now we can create our new Open Directory with:

sudo slapconfig -createldapmasterandadmin --certAuthName <certAuthName> --certAdminEmail <certAdminEmail> --certOrgName <certOrgName> <new admin> <new fullname> <new uid>

The actual command will look something like this:

sudo slapconfig -createldapmasterandadmin --certAuthName XsanCert --certAdminEmail xsansupport@domain.tld --certOrgName domain diradmin "Directory Administrator" 1000

After that we will see the Open Directory setup output. A GUI prompt asks for local administrator authentication to trust the certificates being generated, and then the CLI prompts for the new diradmin account password (it is never passed on the command line). At the end we should see "Verified /LDAPv3/ node is available".

If we try to push the Xsan configuration into the LDAP directory now, it fails with an error like "ERROR: no UUID in LDAP for IP address in fsnameservers file: <bmdc ip>", where <bmdc ip> is the backup MDC's address. This is because the Xsan configuration files still reference the Open Directory replica that we manually removed. Before editing anything, make a copy of the /Library/Preferences/Xsan directory so you can get back to the starting point if an edit goes wrong. Then remove the references to the replica: using whatever text editor you are comfortable running as root (I use sudo nano /Library/Preferences/Xsan/config.plist), delete the entries in controllerIPMap and sanConfigURLs that reference the replica/backup MDC, and edit /Library/Preferences/Xsan/fsnameservers to remove the backup MDC's line there as well.
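The following is an added example, not part of the original article and not Apple's tooling: a small POSIX shell script that does the mechanical part of this step. It copies the Xsan configuration directory aside, drops the backup MDC's entry from fsnameservers, and then checks whether any file under the directory (config.plist's controllerIPMap and sanConfigURLs in particular) still mentions that address, so you know what is left to edit by hand. It assumes the default path /Library/Preferences/Xsan and the usual one-address-per-line fsnameservers layout; the addresses in the comments are made up.

```shell
#!/bin/sh
# Added example (not from the original article). Clean the departed backup MDC
# out of the on-disk Xsan configuration before running xsanctl pushConfigUpdate.
# Assumptions: Xsan config lives in $XSAN_DIR (default /Library/Preferences/Xsan)
# and fsnameservers holds one address per line, e.g. "10.0.0.2" or "10.0.0.2:port".

XSAN_DIR="${XSAN_DIR:-/Library/Preferences/Xsan}"

# Copy the whole config directory aside and print the backup path, so a bad
# edit can be undone by copying it back.
backup_xsan_config() {
    dir="$1"
    dest="${dir}.bak-$(date +%Y%m%d-%H%M%S)"
    cp -Rp "$dir" "$dest" && printf '%s\n' "$dest"
}

# Remove every fsnameservers line whose address is exactly $2. A line matches
# when it starts with the address and the next character is not part of a
# dotted quad, so 10.0.0.2 does not also remove 10.0.0.20.
strip_nameserver() {
    file="$1"; ip="$2"
    tmp="${file}.tmp.$$"
    awk -v ip="$ip" '
        {
            n = length(ip)
            if (substr($0, 1, n) == ip &&
                (length($0) == n || substr($0, n + 1, 1) !~ /[0-9.]/))
                next
            print
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Return 0 when nothing under the config directory still mentions the address,
# otherwise list the offending files (config.plist needs a manual edit of its
# controllerIPMap and sanConfigURLs entries) and return 1. Whole-word matching
# keeps 10.0.0.20 from being reported as a hit for 10.0.0.2.
check_no_refs() {
    dir="$1"; ip="$2"
    hits=$(grep -rlwF -- "$ip" "$dir" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf 'address %s is still referenced in:\n%s\n' "$ip" "$hits"
        return 1
    fi
    return 0
}

# Intended use on the Open Directory master (run as root), e.g.:
#   backup_xsan_config "$XSAN_DIR"
#   strip_nameserver "$XSAN_DIR/fsnameservers" 10.0.0.2
#   check_no_refs "$XSAN_DIR" 10.0.0.2 || echo "edit config.plist by hand, then re-run"
```

Run check_no_refs again after the manual config.plist edit; only when it returns 0 is it worth trying sudo xsanctl pushConfigUpdate, which otherwise fails with the "no UUID in LDAP" error quoted above.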

Now we are able to push the Xsan configuration up into the directory with sudo xsanctl pushConfigUpdate. The configuration is printed out, followed by a line like xsanctl[7399:1416548] Pushing update change, '009CB70C-30EC-4A15-8ECE-3DFA479C485E' (the process IDs and change UUID will differ on your system).

Finally, the backup MDC can be rejoined to the SAN with something like

sudo xsanctl joinSan TestSan --controller-name xsantest-mdc.testsan.priv --controller-user admin --controller-pass 'password' createReplica --master xsantest-mdc.testsan.priv --account diradmin --pass 'dirpassword'

You will see a GUI prompt to trust the certificates; then look for "create OD replica succeed" and "SAN successfully joined" in the output. Be aware that both passwords in that command are visible to other local processes via ps for as long as it runs and are saved in the shell history; clear the history entry afterwards or run the command from a session that does not record it.

Our SAN is now back to normal with two MDCs and two Open Directory servers. Even better, since the volume never went down, our clients were never interrupted.


Eric Hemmeter