OS X SERVER OPEN DIRECTORY DATABASE REPAIR
Symptom: Users cannot log into OD accounts.

If DNS, TCP/IP, physical connections, etc. are OK…

Check these items:

1) Go to Directory Utility: see if the OD entry shows “Server Unavailable”.

2) Go to Server Admin > Open Directory > LDAP: see if the server shows STOPPED.

If YES for both, you may have OD database corruption.

———————————

To check the database for corruption:

sudo /usr/libexec/slapd -Tt

If this command returns “config file testing succeeded”, the database is not corrupt and you should troubleshoot elsewhere.

If this command returns an error (e.g., “run recovery”), the database is possibly corrupt.

To repair database corruption:

sudo db_recover -h /var/db/openldap/openldap-data/

If this command returns a ‘succeeded’ status, the repair was successful.
After rebooting the OD master and replicas, Kerberos and LDAP should show RUNNING in Server Admin. Network accounts should be available and clients should be able to log into OD accounts.

———————————

If the commands above do not help, and you continue to get errors like:
“slapd73: bdb(dc=xxx,dc=xxx,dc=com): PANIC: fatal region error detected; run recovery”

You can attempt the following:

1) Get a root shell

sudo -i

2) Shut down the Open Directory (slapd) server

service org.openldap.slapd stop

3) Dump a copy of the Open Directory database to an LDIF-format text file

mkdir /var/root/opendirectory
cd /var/root/opendirectory
slapcat -l dir.ldif

4) Move the old (corrupt) database files out of the way (or remove them)

cd /var/db/openldap/openldap-data
mkdir SAVE
mv *.bdb SAVE/

Be sure you don’t move, rename or delete the file named DB_CONFIG; it holds the Berkeley DB environment settings slapd needs.

5) Recreate the database from the LDIF-format file

cd /var/root/opendirectory
slapadd -l dir.ldif
slapindex

You will see some harmless warnings during slapadd; ignore them.

6) Restart Open Directory

service org.openldap.slapd start
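As an added example (not from the original article), here is the slapd -Tt check from the first section and the rebuild in steps 2 to 6 combined into one POSIX shell script, with the safety checks a practitioner would want: it stops if slapd's test mode reports the database clean, refuses to rebuild from an empty LDIF dump, moves only the *.bdb files aside so DB_CONFIG (and everything else in the data directory) stays put, and only runs the real procedure when invoked with --run. The function names, the SAVE.<timestamp> directory name and the overridable path variables are my assumptions; the commands inside repair_main are the ones the article uses.

```shell
#!/bin/sh
# Added rehearsal of the OD rebuild procedure; not the article's own script.
# Assumes the OS X Server OpenLDAP/BDB layout the article describes and that
# slapd, slapcat, slapadd, slapindex and service are the tools in use.
set -eu

OD_DATA="${OD_DATA:-/var/db/openldap/openldap-data}"   # assumed default from the article
DUMP_DIR="${DUMP_DIR:-/var/root/opendirectory}"
DUMP_FILE="$DUMP_DIR/dir.ldif"

# Classify the output of "slapd -Tt": "clean" when the config/database test
# succeeded, "corrupt" when the BDB backend asks for recovery, else "unknown".
classify_slapd_test() {
    case "$1" in
        *"run recovery"*|*PANIC*)          echo corrupt ;;
        *"config file testing succeeded"*) echo clean ;;
        *)                                 echo unknown ;;
    esac
}

# True only if the LDIF dump is non-empty and contains at least one entry.
# Rebuilding from an empty dump would leave a running but empty directory.
ldif_has_entries() {
    [ -s "$1" ] && grep -q '^dn: ' "$1"
}

# Step 4 as a function: move every *.bdb file into the save directory and
# leave DB_CONFIG (and any other file, e.g. transaction logs) in place.
# Prints the number of files moved.
quarantine_bdb_files() {
    data_dir="$1"
    save_dir="$2"
    mkdir -p "$save_dir"
    moved=0
    for f in "$data_dir"/*.bdb; do
        [ -e "$f" ] || continue            # no *.bdb present: glob stayed literal
        mv "$f" "$save_dir"/
        moved=$((moved + 1))
    done
    [ -f "$data_dir/DB_CONFIG" ] || echo "warning: DB_CONFIG missing in $data_dir" >&2
    echo "$moved"
}

# Steps 2 to 6 from the article, with the checks above in between.
repair_main() {
    verdict=$(classify_slapd_test "$(/usr/libexec/slapd -Tt 2>&1 || true)")
    echo "slapd -Tt verdict: $verdict"
    if [ "$verdict" = "clean" ]; then
        echo "database tests clean; troubleshoot elsewhere" >&2
        return 1
    fi
    service org.openldap.slapd stop                       # step 2
    mkdir -p "$DUMP_DIR"                                  # step 3
    slapcat -l "$DUMP_FILE"
    if ! ldif_has_entries "$DUMP_FILE"; then
        echo "dump $DUMP_FILE has no entries; leaving $OD_DATA untouched" >&2
        return 1
    fi
    n=$(quarantine_bdb_files "$OD_DATA" "$OD_DATA/SAVE.$(date +%Y%m%d%H%M%S)")   # step 4
    echo "moved $n .bdb file(s) aside"
    slapadd -l "$DUMP_FILE"                               # step 5 (harmless warnings expected)
    slapindex
    service org.openldap.slapd start                      # step 6
}

# Only touch the live server when explicitly asked; otherwise just define helpers.
if [ "${1:-}" = "--run" ]; then
    repair_main
fi
```

Run it as root with `sh od-rebuild.sh --run`; the dump is written before anything is moved, so if the script aborts at the empty-dump check the original database files are still exactly where they were.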

- Your OD should be running again.
- Check OD for “stray” objects, as the corruption may have left some fragments behind.