What’s Your Backup Plan? (Computer Stuff, Again)

More computer ranting ahead… this just gets better and better…

Dear Apple:

I’d like to offer my gratitude for your organization’s recent push of a new “security patch” for OSX 10.5.x Servers.

With this newly released, long-awaited patch, finally, all of those really annoying traits in that older, unpatched, and less secure operating system have been addressed. Frankly, they were becoming incredibly tiresome: stability, manageability, predictability, and being able to, you know, log in to my computers.

This security patch has also demonstrated a peculiar and rarely used feature of being so secure, in fact, that it dutifully refuses to allow any restoration of my old, unsecure, Open Directory contents into the new directory. Thank you! Thank you so very much for protecting my network from itself!

I do find it most disagreeable that I have, once again, procrastinated patching the OSX Servers at the office for the past several months. I could have, after all, discovered this new “feature” a few months ago.

I really am delighted that you’ve given me something to do over the weekend!
And this really is excellent timing, too. As I’ve only just recently been thinking how wonderful it would be to cultivate a case of Tourette’s.

Again, thank you from the bottom of my cold, dark, skeevy, little black heart for all you’ve done.

I then spent the next six hours trying to rebuild my very simple, but enterprise-class, home network’s directory by hand. User accounts and groups, hardware accounts and groups, permissions and preferences, RADIUS configs for wireless… the lot.

It sucked.

Bad.

But, ultimately, I did get Open Directory running. I just have a few passwords to reset and a couple of minor permissions issues to sort out.

For some strange reason, I had this Chicago song in my head while working on this — and found a video that pretty well describes the rest of what was in my head while I was sorting this mess out… yes, you’ll want to turn this up. It might have a few, uh, minor vulgarities in it.

http://www.youtube.com/watch?v=BqI3xsPrtq0

Actually, this isn’t really a knock against Apple, per se, so much as against complacency around the management of complex systems. My most recent backup of my directory was from February. Unfortunately, on my network, I don’t have a secondary domain controller that I can wipe, restore the directory to, and test. And, all of my testing while attempting the restore indicated that it should’ve worked just fine, but it didn’t. A few lessons learned. Again.

Some large enterprises face the same sort of risk of losing an entire Active Directory database. Instead of, say, 20 network clients like I have at home, they can have tens or hundreds of thousands of objects in their directories.

Many of them don’t have a backup plan run or tested.

“We DO have a backup plan!” they’ll exclaim. “We have multiple sites set up and replication between them!”

Replication isn’t a backup. Replication only guards against the loss of a single server. Every change, including a wrong one, is faithfully copied to every replica, so there is no older copy anywhere to roll back to when something was erroneously changed in the directory.

What’s needed is regular, periodic exports of the entire directory, kept somewhere replication doesn’t touch and restore-tested at least once, in case something more catastrophic happens: say, an accidental deletion of the contents of the entire directory.

“But that’s never happened!”

I think that’s a rather limited view.

Just because somebody hasn’t directly experienced it doesn’t mean that it can’t happen. What matters is that it has happened to others and that it’s technically capable of occurring.

They’ll get defensive, very defensive: “No! It’s never happened! What makes you think that it can?”

It’s quite simple, really: Is it possible for somebody to delete objects out of the directory?

Yes.

Are those deletions replicated immediately across the databases to all other nodes?

Yes.

Is it possible for somebody to make a mistake?

Yes.

Then those accidental deletions are on every replica before anyone notices, and replication has nothing older to offer. So the question is, “How do you get them back?”

“But that’s never happened!”

Repeat ad infinitum.

So, for those who don’t want to go through this wonderful little exercise of madness:

  • The MS Active Directory backup procedure
  • The Apple solution is to use ‘sudo slapconfig -backupdb’ or the ServerBackup utility in conjunction with Time Machine.
  • The straight LDAP solution is to use ‘slapcat’.

For now, I’m going to go find a way to test my own backups so I don’t have to do this again.
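The bullets above give the export command but not the plumbing around it, and the plumbing is where the “deletions replicate instantly” problem bites a backup job: a nightly export that runs a few hours after an accidental mass deletion faithfully records the now-empty directory, and a rotate-by-count scheme then pushes the good copies off the end. The script below is an added example, not code from the original post or from Apple. It wraps slapcat (Open Directory is OpenLDAP underneath, and slapcat is also the “straight LDAP” answer) in a job that keeps a rolling set of exports and refuses to rotate the old ones out when the new export is empty or has lost a large share of its entries. The /usr/sbin/slapcat path, the /var/backups/ldap directory, the 20 percent threshold and all function names are assumptions; the LDIF in demo_check is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): nightly LDIF export of an
# OpenLDAP-backed directory with retention and a sanity check, so that an
# accidental mass deletion does not quietly replace the good copies.
# Assumed: slapcat at /usr/sbin/slapcat (where Mac OS X Server 10.5 keeps
# its OpenLDAP tools), exports under $BACKUP_DIR, run as root from cron.

BACKUP_DIR="${BACKUP_DIR:-/var/backups/ldap}"   # assumed location, off the live DB path
KEEP="${KEEP:-30}"                              # generations to keep
SLAPCAT="${SLAPCAT:-/usr/sbin/slapcat}"         # assumed path

# Number of entries in an LDIF file: one "dn:" line per entry (also matches
# "dn::" for base64 DNs). A missing or empty file counts as zero, not an error.
ldif_entry_count() {
    if [ -f "$1" ]; then
        grep -c '^dn:' "$1" || true     # grep exits 1 on zero matches
    else
        echo 0
    fi
}

# Accept or reject a fresh export by comparing it with the previous one.
# Exit status: 0 = acceptable, 1 = empty export, 2 = entry count fell by more
# than max_drop_pct percent (the export faithfully recorded a mass deletion).
check_export() {
    local new="$1" prev="$2" max_drop_pct="${3:-20}" n p
    n=$(ldif_entry_count "$new")
    [ "$n" -gt 0 ] || return 1
    p=$(ldif_entry_count "$prev")
    [ "$p" -gt 0 ] || return 0          # nothing to compare against yet
    [ $(( n * 100 )) -ge $(( p * (100 - max_drop_pct) )) ] || return 2
    return 0
}

# Delete all but the newest $keep exports. File names embed a sortable
# timestamp, so lexical order is chronological order.
prune_exports() {
    local dir="$1" keep="$2"
    ls -1 "$dir"/dir-*.ldif 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
        while read -r old; do rm -f "$old"; done
}

# Take a new export, check it, and only then rotate the old ones. A rejected
# export is kept for inspection but renamed so it is never mistaken for a backup.
export_directory() {
    local stamp out prev rc
    mkdir -p "$BACKUP_DIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$BACKUP_DIR/dir-$stamp.ldif"
    prev=$(ls -1 "$BACKUP_DIR"/dir-*.ldif 2>/dev/null | sort -r | head -n 1)
    # slapcat reads the database files directly, so it works with slapd stopped.
    "$SLAPCAT" -l "$out" || { echo "slapcat failed" >&2; return 1; }
    if check_export "$out" "${prev:-/nonexistent}"; then
        prune_exports "$BACKUP_DIR" "$KEEP"
        echo "backup OK: $out ($(ldif_entry_count "$out") entries)"
    else
        rc=$?
        mv "$out" "$out.REJECTED"
        echo "backup REJECTED (code $rc), old generations kept: $out.REJECTED" >&2
        return "$rc"
    fi
}

# Self-contained demonstration with constructed LDIF (no slapcat needed):
# last night's export has three entries, tonight's has one. Prints the
# check_export status for tonight's export.
demo_check() {
    local tmp rc
    tmp=$(mktemp -d)
    printf 'dn: uid=alice,cn=users,dc=example,dc=com\nuid: alice\n\n' > "$tmp/dir-20090201-020000.ldif"
    printf 'dn: uid=bob,cn=users,dc=example,dc=com\nuid: bob\n\n' >> "$tmp/dir-20090201-020000.ldif"
    printf 'dn: cn=staff,cn=groups,dc=example,dc=com\ncn: staff\n\n' >> "$tmp/dir-20090201-020000.ldif"
    printf 'dn: uid=alice,cn=users,dc=example,dc=com\nuid: alice\n\n' > "$tmp/dir-20090202-020000.ldif"
    rc=0
    check_export "$tmp/dir-20090202-020000.ldif" "$tmp/dir-20090201-020000.ldif" || rc=$?
    rm -rf "$tmp"
    echo "$rc"
}

case "${1:-}" in
    demo) demo_check ;;          # prints 2: the one-entry export is rejected
    run)  export_directory ;;
esac
```

Invoke it with `run` from a root cron job and with `demo` to see the check fire against the constructed LDIF. It does not test the restore, which is the half the post’s own failure was about: load an export into a scratch slapd with slapadd (Apple’s counterpart to slapconfig -backupdb is slapconfig -restoredb) on a machine that does not replicate with production, then compare the entry count and a handful of known DNs against the live directory.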
