Six hours of my life. That's about how much time I spent chasing this solution.
My Goal
Automatically back up my OS X 10.6 Snow Leopard Server's Open Directory database weekly, using launchd.
The Problem
I found an excellent script that does exactly what I needed. But when I ran it and looked at the backup folder it created, I noticed the OD archive didn't exist. At first I thought this was a Leopard vs Snow Leopard issue (the directions were a couple years old), but then after I tried archiving through the Server Admin GUI, I found the archive still wasn't created (even though no error gets presented to the user).
Problem-Solving
Googling somehow led me to this command line:
sudo slapconfig -backupdb /path/to/backup
which, as far as I can tell, is what the Server Admin.app GUI (and also the serveradmin CLI used in the awesome script) calls under the hood.
Well, that still failed with this error (which also appears in the
Error in backing up keychain -25300
Error: Unable to create archive image as keychain could not be read
It was another clue to the puzzle, but not a solution.
I found this page: http://armagons-isles.blogspot.com/2009/03/od-archive-fails-due-to-keychain-25300.html and tried some of the steps he suggested. My com.apple.opendirectory keychain item wasn't missing, though, so instead I tried renaming it and creating a new one with identical settings. No go.
Found this page, built a test server (twice!) exactly like my production server, tried copying the keychain item over but couldn't get the system keychain unlocked.
Finally went back to Armagon's Isles site and re-read some of the comments, remembering there were other ideas there I hadn't fully tried. A combination of these two solved the problem for me:
MAY 17, 2010 7:39 AM
Same issue, finally resolved. In 10.6.3 I got the same problem as listed above. All efforts to use the above directions failed. After much mind bending, I realized that the server was referring to itself as "blankety-blank.local" in the Server Admin and "blankety-blank.blah.com" in the LDAP reference. Poking into the com.apple.opendirectory keychain showed that it was pointed to the blah.com$ name in Account Name, not the .local$. I changed the Account Name to point to .local$, allowed all programs access, fired it up, and BAM, worked as expected. Yay.
MAY 18, 2010 1:47 PM
Thomas Orona said...
My server already had the keychain entry and was already set to allow all programs.
I ran hostname and compared entries. In my case the case was wrong in the keychain entry.
Once I changed the keychain to SERVERone.company.com everything worked.
The Solution
In Terminal I ran
hostname
and confirmed my server is named with a capital letter, so I needed to rename the keychain item's Account from
Servername.local$.
Then I ran the
sudo slapconfig -backupdb /path/to/backup
line and IT WORKED!!! Now I'm documenting it all in case this can help anyone else.
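Since slapconfig gives no useful hint when the keychain Account Name and the hostname disagree, here is an added pre-flight check for the weekly backup script (my own example, not code from the original post or from Apple). It assumes the keychain item is a generic password with service "com.apple.opendirectory" in the System keychain, that `security find-generic-password` prints the account in an "acct" attribute line, and that the Account Name should equal the output of hostname followed by "$", matching case exactly.

```shell
#!/bin/sh
# Added example: check the OD keychain Account Name against `hostname`
# before running slapconfig, so the backup fails loudly instead of with
# the silent error -25300. Service name and output format are assumptions.

# Compare the keychain Account Name with the expected "<hostname>$".
# Returns 0 on match, 1 on a case-only mismatch (this post's problem),
# 2 on any other mismatch (e.g. server.local vs. server.blah.com).
check_od_account() {
    acct="$1"      # Account Name read from the keychain item
    host="$2"      # output of `hostname`
    want="${host}\$"
    if [ "$acct" = "$want" ]; then
        echo "OK: keychain Account Name matches $want"
        return 0
    fi
    lower_acct=$(printf '%s' "$acct" | tr '[:upper:]' '[:lower:]')
    lower_want=$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')
    if [ "$lower_acct" = "$lower_want" ]; then
        echo "MISMATCH (case only): keychain has '$acct', hostname gives '$want'"
        return 1
    fi
    echo "MISMATCH: keychain has '$acct', hostname gives '$want'"
    return 2
}

# Read the Account Name ("acct" attribute) of the OD keychain item.
# Assumed service name and attribute format; adjust if yours differs.
od_keychain_account() {
    security find-generic-password -s com.apple.opendirectory \
        /Library/Keychains/System.keychain 2>/dev/null |
        sed -n 's/^ *"acct"<blob>="\(.*\)"$/\1/p'
}

# Run the backup only when the pre-flight check passes.
# Usage (from the launchd job): od_backup /path/to/backup
od_backup() {
    dest="$1"
    check_od_account "$(od_keychain_account)" "$(hostname)" || return $?
    mkdir -p "$dest" || return 3
    sudo slapconfig -backupdb "$dest"
}
```

A case-only mismatch (return code 1) is exactly the situation in the comments above, so the message tells you which direction to rename the Account Name.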
Of course, it'll probably all change when Lion lands. Now to go pack for WWDC :)