1. Backing up the OD Master with Bash

#!/bin/sh
 
NOW=$(date +"%m-%d-%Y")
 
# Path to recovery directory (permissions should be 700 -- read-only root or admin)
recover="/Volumes/ODBackup"
 
# Backup Open Directory
day=`date ''+%u''`
 
od_backup="$recover/od_backup - "$NOW""
ts=`date ''+%F''`
echo "dirserv:backupArchiveParams:archivePassword = 908239032" > $od_backup
echo "dirserv:backupArchiveParams:archivePath = $recover/od_$ts" >> $od_backup
echo "dirserv:command = backupArchive" >> $od_backup
 
serveradmin command < $od_backup

The above script when run on a daily basis through CRON or LAUNCHD will create a recoverable sparse disk image of your OD Master that you can use to restore from, it saves each master with a date time stamp so you can see which one is which and the instructions to restore are logged to a separate file. The two variables you must change are

# Path to recovery directory (permissions should be 700 -- read-only root or admin)
recover="/Volumes/ODBackup"

This should be the location you want your OD Master backups to live, and

echo "dirserv:backupArchiveParams:archivePassword = 908239032" > $od_backup

the password must be changed as well in the above example the password is 908239032 you can change it to anything you want, this is required to restore when you attempt to restore your OD Master backup in Server Admin you will be prompted for this password.

2. Create an OD Master Replica

Before you start the firewall on the OD Master, the Firewall on the OD Replica server and the Firewall on your router must all have the following ports open, and or port forwarded to their appropriate destination. Open Ports 389, 636, 625, 22, 3659, 106, and 88.

1. Make sure the master, the prospective replica, and every firewall between them is configured to permit SSH communications (port 22).
   You can enable SSH for Mac OS X Server in Server Admin. Select the server in the Servers list, click Settings, click General, then select the Remote Login (SSH) option.

   Make sure that SSH access is not restricted to certain users or groups (using SACLs) on the prospective master. This will cause Server Admin to not have the necessary permissions during creation of the replica. You can temporarily disable SACLs in Server Admin under Settings > Access.

2. Open Server Admin and connect to the server.
3. Click the triangle to the left of the server.
   The list of services appears.
4. From the expanded Servers list, select Open Directory.
5. Click Settings, then click General.
6. Click Change.
   The Service Configuration Assistant opens.
7. Choose Open Directory Replica, then click Continue.
8. Enter the following requested information:
• IP address or DNS name of Open Directory master: Enter the IP address or DNS name of the server that is the Open Directory master.
• Root password on Open Directory master: Enter the password of the Open Directory master system’s root user (user name system administrator).
• Domain administrator’s short name: Enter the name of an LDAP directory domain administrator account.
• Domain administrator’s password: Enter the password of the administrator account whose name you entered.
9. Click Continue.
10. Confirm the Open Directory configuration settings, then click Continue.
11. Click Close.
12. Make sure the date, time, and time zone are correct on the replica and the master.
    The replica and the master should use the same network time service so their clocks remain in sync.

Again the point here is to have a place for your users to authenticate against that can easily be fixed if any issues arise, in my setup I use the replicas to bind clients to for computer authentication, bind my Mail server to for account information and also use it as the basis for my LDAP environment. Replicas are great because they also reduce the response time, and since each server is synced as the users change their passwords or information its virtually instant. If a client is bound to my replica and the replica has a problem it will search for the next nearest replica, connect and authenticate against that which means almost no downtime as well.

3. Carbon Copy Cloner
I am a huge fan of this software which can be found at Carbon Copy Cloners website. I use this software to do a full, incremental clone of my server, which is great because at any given time I can boot off of the backup drive and or restore directly to my server.

I am not going to write another how to on using Carbon Copy Cloner except to link to their own how to section which goes over it in so much more detail than I could here.

Scheduling Tasks in Carbon Copy Cloner >>
Backup Options for Carbon Copy Cloner >>
A more granular approach to Backup (Must Read!!!) >>

If you find their software useful I urge you to donate.

Wrapping things up a bit, I am a big fan of backups and these three options will keep you covered in the event of an Open Directory nightmare! If you have comments or other solutions I am always happy to hear from you and let me know how you approach backups with your systems!

** Note
I was not able to get the above script to run properly with Cron, but it does however with LaunchD. Here is my LaunchD script, I named it com.odbackup.plist and placed it in the /Library/LaunchDaemons/ folder on my server, the script is set to run the backup every morning at 7:45am

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC -//Apple Computer//DTD PLIST 1.0//EN http://www.apple.com/DTDs/PropertyList-1.0.dtd >
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.odbackup</string>
        <key>ProgramArguments</key>
	<array>
	<string>/bin/sh</string> 
        <string>/path/to/backup/script/backup.sh</string>
        </array>
        <key>StartCalendarInterval</key>
        <dict>
            <key>Hour</key>
            <integer>7</integer>
            <key>Minute</key>
            <integer>45</integer>
        </dict>
    </dict>
</plist>

then you start the proceess by running load ctl /Library/LaunchDaemons/com.odbackup.plist or whatever you named it to see if its in the list run launchctl list.

To start with you must enable Sieve on your server to do this, start Server Admin, Mail > Settings > Advanced: Tick “PLAIN” on IMAP/POP and save it. Mail > Settings > Filters: Tick “Enable Server Side mail rules”, save it and restart the mail service. once your done here you will be able to use the built in web based interface for handling server side rules. However you can also install your own!

SquirrelMail is the default webmailer in SLS. You can use the plugin avelsieve to manage server side mail rules. Download avelsieve (I recommend version 1.9.9) and unpack in directory /usr/share/squirrelmail/plugins (so that directory avelsieve is within the plugins dir).

Note that you also need to download javascript_libs plugin, if you use a recent version (>=1.9.8) of avelsieve. If you need the javascript_libs plugin, also unpack it in squirrelmail’s plugins dir. Then edit the file plugins/avelsieve/config/config.php (copy config_sample.php to config.php if not exisiting).

Change the authentication mechanism to

$sieve_preferred_sasl_mech = 'PLAIN';

Edit file /usr/share/squirrelmail/config/config.php and register the plugin(s)

$plugins[0] = 'avelsieve'; $plugins[1] = 'javascript_libs'; //

 
only if using a newer version of avelsieve. See avelsieve page Access the Webmailer (http://<SLS_server_name>/webmail/ and check the filter connection.

SquirrelMail is the default webmailer in SLS. You can use the plugin avelsieve to manage server side mail rules. Download avelsieve (I recommend version 1.9.9) and unpack in directory /usr/share/squirrelmail/plugins (so that directory avelsieve is within the plugins dir).Note that you also need to download javascript_libs plugin, if you use a recent version (>=1.9.8) of avelsieve.If you need the javascript_libs plugin, also unpack it in squirrelmail’s plugins dir.

Then edit the file plugins/avelsieve/config/config.php (copy config_sample.php to config.php if not exisiting).Change the authentication mechanism to

$sieve_preferred_sasl_mech = 'PLAIN';

Edit file /usr/share/squirrelmail/config/config.php and register the

plugin(s):$plugins[0] = 'avelsieve';$plugins[1] = 'javascript_libs'; //

only if using a newer version of avelsieve. See avelsieve page Access the Webmailer (http://<SLS_server_name>/webmail/ and check the filter connection.

Roundcube: Sorrily Apple decided to use the old-fashioned, ugly SquirrelMail webmailer and not RoundCube. RoundCube is much nicer and also the “managesieve” plugin available for it is much better than avelsieve in SquirrelMail. Luckily you can install RoundCube on your SLS without harming the default installation.

Enable managesieve plugin ManageSieve plugin comes with RoundCube. To enable it, edit file roundcube/config/main.inc.php:

$rcmail_config['plugins'] = array('managesieve');

Then edit file plugins/managesieve/lib/Net/Sieve.php comment line

var $supportedAuthMethods=.... (comment with //)

uncomment line

var $supportedAuthMethods=array( 'PLAIN' , 'Login' );

Set timezone:

date.timezone = Europe/Berlin

Now test roundcube by accessing http:///roundcube/ Login as a user you like to change server side rules for. Click on “Settings” in the upper right corner, then on Filter. If you see the page and no error occurs, you are successfully connected to the sieve backend of IMAP! You now can create your rules.

The good thing is, that every rule managing application (Apple web rule management, SquirrelMail, RoundCube) you use, store its own file. So one app is not overwriting the others config file. This is of importance if you enable the apple built-in crippled rule management and store the rules, there. This creates an own file “wiki_server_rules.sieve” in your sieve script dir and enables it by the link dovecot.sieve -> wiki_server_rules.sieve

I found Roundcube to be extremely easy to setup, however sort of hard to configure and tweak for use on an OSX Server. The biggest drawback to the old mail system was that while everyone had email accounts they were local accounts meaning their was no LDAP database at work so there was no way to have an auto complete or global LDAP address book that most of the people at our organization really craved. I decided that when moving to 10.6.2 we would have to get this feature established and I am documenting this here clearly as I found there was limited documentation for and I know there are many people using 10.6.2 and Roundcube together.

Once Roundcube is installed head over to main.inc.php in the Roundcube config directory. I wanted the user to have access to the LDAP address book and also have the ability to have their own so on this line make sure that SQL is chosen as the primarty type of address book if this is your intent.

1

$rcmail_config['address_book_type'] = 'sql';

in the main.inc.php file the LDAP settings are kind of tricky. It gives you an example of a functional LDAP setup below for an organization named Verisign locate these lines in the main.inc.php file

1
2
3

// In order to enable public ldap search, configure an array like the Verisign
// example further below. if you would like to test, simply uncomment the example.
$rcmail_config['ldap_public'] = array(Verisign);

Notice that the third line is un-commented meaning that it is an active setting. Which means that what we are about to do below will not register until we comment out this line otherwise there will be two active configurations and neither will work this really tripped me up and had me stumped for days until I realized that I had two

1

 $rcmail_config['ldap_public']

attributes at work at the same time so next comment this out as below.

1
2
3

// In order to enable public ldap search, configure an array like the Verisign
// example further below. if you would like to test, simply uncomment the example.
// $rcmail_config['ldap_public'] = array(Verisign);

Once this is done go down to the example below and start uncommenting the LDAP configuration lines one by one and filling out the information as you go here is an example of my configuration for the Name use whatever name you want the address book to show up as in the roundcube address book area. Your host name should be the fully qualified domain name of your directory server. Your default port on an ODM is 389. Only use TLS if you are using a secure SSL connection and always use User Specific so that the user is what is causing the OD Bind during lookups rather than the Directory Admin.

1
2
3
4
5
6

$rcmail_config['ldap_public']['Verisign'] = array(
  'name'          => 'Company Name',
  'hosts'         => array('fullyqualified.domainofdirectoryserver.com'),
  'port'          => 389,
  'use_tls'	    => false,
  'user_specific' => true,

Next you must define the Base Search DN which is always your fully qualified domain name split up using dc= so if your directory name was directory.verisign.com then your base dn would be dc=directory, dc=verisign, dc=com. Here is what is not documented in many places it took me a long time to figure out that the Bind DN must have an active user or the directory admins UID here as well as cn=users, so that it knows how to find that user. I also configured mine to be non writable because I was unsure how safe this would be with the ODM.

1
2
3
4

  'base_dn'       => 'dc=fullyqualified,dc=domainofdirectoryserver,dc=com',
  'bind_dn'       => 'uid=DirAdmin,cn=users,dc=fullyqualified,dc=domainofdirectoryserver,dc=com',
  'bind_pass'     => 'DirAdmin_Password',
  'writable'      => false,

In order to get an actual accurate listing in the address book you must tweak the settings to include the specific user settings int he ODM LDAP directory.

1
2
3
4
5
6
7
8
9
10
11
12
13

  'LDAP_Object_Classes' => array("top","person","inetOrgPerson","abxldapPerson"), 
  'required_fields'     => array("givenName", "cn", "sn", "mail"),    
  'LDAP_rdn'      => 'mail', 
  'ldap_version'  => 3,      
  'search_fields' => array('givenName', 'cn', 'sn', 'mail'),  // fields to search in
  'name_field'    => 'cn',    
  'email_field'   => 'mail',  
  'surname_field' => 'sn',   
  'firstname_field' => 'givenName', 
  'sort'          => 'givenName',    
  'scope'         => 'sub',  
  'filter'        => 'givenName=*',     
  'fuzzy_search'  => true);

These settings will help you establish the correct mappings to Last Name, First Name, Email Address and Full Name or Given Name. These settings were very hard to find as there was limited documentation on both Apples part and on the Roundcube forums. Once done here I set it up to auto complete from the sql address book first and then to default over to the LDAP address book.

1
2
3

// An ordered array of the ids of the addressbooks that should be searched
// when populating address autocomplete fields server-side. ex: array('sql','Verisign');
$rcmail_config['autocomplete_addressbooks'] = array('sql','Verisign');

In parting my only piece of advice is to use the configuration here and remove the term Verisign and replace that variable with one that makes sense for you and your organization. Lastly if this does not work make sure that you have the correct domain name of the server and also ensure that you have enabled users to access the LDAP directory in Workgroup Manager.