Tiny Deathstars of Foulness

Mac OS X Server uses the slapconfig command to promote Open Directory Masters and Replicas. In Lion, there is less and less dependency on slapconfig as not all of the aspects of an Open Directory environment are known throughout the system when performing LDAP operations through the command line (e.g. using -createldapmasterandadmin or -create). For example, if you use the tried and true -destroyldapserver option, the will no longer be able to promote a new Master and you’ll need to use Server Admin to create and then destroy that Master again in order for to be OK with your configuration changes.

But there are things we’ll still want to use slapconfig for. One of the better things is to actually check the environment to make sure that it is suitable for being an Open Directory server. For starters, let’s check the version of slapconfig:

/usr/sbin/slapconfig -ver

The version should be 1.2 or higher. However, as with Apache and a few other services, Apple has forked the build from the open source community, so let’s also look at the Apple Version of slapconfig. This is done using a hidden option: -appleversion. To run this, just run the option with slapconfig as follows:

/usr/sbin/slapconfig -appleversion

Then, let’s look at running slapconfig to check that the machine is suitable to be a Master. The command to do so is another hidden option, -preflightmaster. The -preflightmaster option uses the same syntax as -createldapmasterandadmin (and should at this point always be used as a sanity check prior to running -createldapmasterandadmin). Syntax as follows, where positions 1, 2 and 3 are the short name, long name and UID of the initial directory admin account:

/usr/sbin/slapconfig -preflightmaster diradmin "Directory Administrator" 1050

The slapconfig command can also be used to preflight a replica prior to promotion. The syntax there is the same as the -createreplica syntax, used as follows, assuming the master has an IP address of

/usr/sbin/slapconfig -preflightreplica diradmin

Additionally, there are other hidden options for handling all of the certificates that get created, deleted and managed as part of the Open Directory creation process (e.g. -addcaforreplica and -restorerootca), Kerberos (e.g. -cankerberize) as well as handling relays (e.g. -getrelayconfig).

January 31st, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Network Infrastructure

There aren’t any options in Lion Server’s Profile Manager to remove applications. There are a number of environments where this can be annoying, for example if you are upgrading, or if you accidentally upload an app that you don’t want people to see for the rest of the existence of the Profile Manager server. To see which applications have been installed and the id of each:

psql -U krypted -d device_management -c "select * from public.ios_applications limit 1000 offset 0;"

The above command is a standard psql command, as shown in a previous post. But this time I’m injecting the SQL query into the psql command using the -c option. This outputs a list of each row in the ios_applications table. Once you see which apps have which unique ids, you can then remove entries using their identifiers (this time we’re throwing in a delete instead of a select using the -c):

psql -U krypted -d device_management -c "delete from public.ios_applications where id=2;"

Simply re-run without any constraints around your SQL query to clear out all of the applications. For example:

psql -U krypted -d device_management -c "delete from public.ios_applications;"

This works for most of the tables within Profile Manager. This allows you to clear out any information stored in its own table, such as printers, tasks, sessions, widgets, etc.

Note: you’re not going to remove apps from devices just because you cleared them from the table.
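
A guarded version of the single-row delete, added here as an example and not part of the original post: it validates the id before it reaches the -c string and dumps the table first so the row can be restored. The function names, the PM_* variables and the backup location are assumptions, as is pg_dump being on the PATH.

```bash
#!/bin/bash
# Added example (not from the original post): guarded removal of one row
# from Profile Manager's ios_applications table.
# Assumptions: the user and database default to the values used in the post;
# pm_delete_sql, pm_delete_app and PM_BACKUP_DIR are hypothetical names.

PM_USER="${PM_USER:-krypted}"
PM_DB="${PM_DB:-device_management}"
PM_TABLE="public.ios_applications"

# Build the SQL that deletes exactly one application row.
# Anything other than a plain run of digits is refused, so a typo or a
# pasted string can never widen the WHERE clause or drop it entirely.
pm_delete_sql() {
    local id="$1"
    case "$id" in
        ''|*[!0-9]*)
            echo "refusing non-numeric id: '$id'" >&2
            return 1
            ;;
    esac
    # RETURNING echoes the deleted row, leaving a record of what was removed.
    printf 'DELETE FROM %s WHERE id = %s RETURNING *;' "$PM_TABLE" "$id"
}

# Dump the table, then run the delete. Nothing is deleted if the id is
# rejected or the backup fails.
pm_delete_app() {
    local sql backup
    sql="$(pm_delete_sql "$1")" || return 1
    backup="${PM_BACKUP_DIR:-$HOME}/ios_applications.$(date +%Y%m%d%H%M%S).sql"
    pg_dump -U "$PM_USER" -t "$PM_TABLE" "$PM_DB" > "$backup" || return 1
    echo "table backed up to $backup" >&2
    psql -U "$PM_USER" -d "$PM_DB" -v ON_ERROR_STOP=1 -c "$sql"
}

# Usage: pm_delete_app 2
```
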

January 29th, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


Watching this trailer the past week makes me very happy, so I thought I’d share!

January 15th, 2012

Posted In: personal

January 14th, 2012

Posted In: Articles and Books, Mac OS X, Mac OS X Server, Mac Security


As usual, there are a lot of great events going on at MacWorld | iWorld. If you’re interested in joining us in a couple of weeks in San Francisco for what I’m sure will be a great conference, then you can use my speaker codes to do so. During the registration process, enter a PRIORITY CODE of: BNB35106

This will give 100 FREE Exhibit Only Passes OR $15.00 OFF an iFan Pass. This code is unique to me, so other speakers have codes as well. The code will stop offering free exhibit passes once the 100th person registers for this. The $15.00 savings off an iFan pass will continue through the show.

I hope to see you there!

January 12th, 2012

Posted In: public speaking


Strunk & White’s Elements of Style is one of the best works explaining the rules of writing in the English language that has ever existed (and I’m pretty sure that sentence broke at least five of those rules). I’ve given this book to many a budding writer over the years. I’ve also recently noticed that it’s now all over the Internet, for free. For example, Bartleby has posted the 1918 edition of Elements of Style here.

XKCD's Elements of Style

If you haven’t read Elements of Style then I strongly recommend it. It’s short, concise and explains why that apostrophe goes in that one spot as opposed to the other. If you want to be a writer, this is one of your first stops on your journey.

January 11th, 2012

Posted In: Articles and Books


When you are searching Google, you can restrict your search to a specific domain. For example, if you would like to find a page with the pattern “man touch” on then you can constrain a Google search using the site: operator. The search dialog box would then read:

"man touch"

But if you don’t find my posts helpful then you can remove the domain name from your Google searches, done by running the same, but with a “-” in front of the domain name, which given the above search inverted would be:

"man touch"

The resultant URL is then: To take this a step further, you could also use this awesome application called glims from to actually change your default search site from the standard search to the above URL and eliminate a given domain name from all future searches.

For more on the available operators:

January 10th, 2012

Posted In: sites


The lsregister command is used to query and manage the Launch Services database, or the database that is used to determine the default application used to open files of various types. lsregister is part of Core Services, and stored in /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support. To see the options available to lsregister, run the command with no operators:


You can dump the database to the screen using the -dump option:

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump

You can then grep the database or redirect the output into a text file for parsing:

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump > dump.txt

Sometimes applications don’t open with a given file type. When this happens, you can quickly and easily check if the problem has to do with the launchservices database. To do so run the open command and define the application (using the -a option) followed by the app and then the file. For example, to open an XML file called daneel.xml in TextWrangler (assuming your working directory contains bob.xml):

open -a bob.xml

You can force an application to re-register file types for that application using the -f option followed by the application path. For example, to re-register Xcode:

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -f /Developer/Applications/

You can also unregister a specific application using the -u option. To unregister Xcode you would use the -u option:

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -u /Developer/Applications/

The lsregister command is actually just a front-end management tool for the ~/Library/Preferences/ file. The file’s contents can be read (in an unparsed form) using defaults:

defaults read ~/Library/Preferences/

The launchservices database is also responsible for determining whether a file type is quarantined by default (and those files that are quarantined throw a message to users when opened for the first time). To disable such a feature:

defaults write LSQuarantine -bool NO

The database can become pretty large and unwieldy. There are applications registered in the local domain, system domain and each user’s domain. You can always clear these out using the following command, which also recursively rebuilds based on the output of a -lint option:

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -kill -r -domain local -domain system -domain user

To check the progress:

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -v

To set a specific application to open a file type, use the application’s domain out of the -dump output in an LSHandlerRoleAll and the file extension in an LSHandlerContentType in the LSHandlers array of, as follows (to change txt for Text Edit – aka

defaults write LSHandlers -array '{ LSHandlerContentType = "txt"; LSHandlerRoleAll = ""; }';

You can also set the default application for a network protocol (e.g. smb://, rdp://, vnc://, http:// and https://). Because the options for lsregister leave one wanting in some ways (the commands to set file types to a specific application are a bit overly complicated one could argue), there is an awesome front end app from Andrew Mortensen, aptly called duti, available at With duti installed, the command to set the default browser for http would be:

/usr/local/bin/duti -s http

Note: When working with lsregister, one should first clear the state for that application:

Finally, there’s a lot that Launch Services does and is involved in. For more information on LaunchServices, check out the Apple developer library information here.

January 9th, 2012

Posted In: Mac OS X, Mac Security


January 8th, 2012

Posted In: personal


The default, self-signed certificate that comes on a SonicWALL causes alerts during a Nessus scan. This is because the device uses a certificate that comes on the device and isn’t signed by a valid CA. Chances are, there are limits around who can load the SonicWALL web interface in the first place. But, if you don’t want Nessus to continue alerting, or if you just want to use a certificate signed by a valid CA because it’s a good security practice, you might want to add a new certificate.

The first step is to generate a new CSR. To do so, open the SonicWALL web interface and then click on System in the SonicWALL sidebar. Then click on Certificates and scroll to the bottom of the screen until you see the New Signing Request button.

At the resultant Certificate Signing Request screen, fill out the fields with your information.

Click on the Generate button to bring up the Export Certificate screen. Click Export and then choose where to save the CSR.

Once you receive the certificate, you’ll want to install it. The easiest way to do so is to go back to the Certificates screen (under System in the SonicWALL sidebar) and then scroll down to the bottom, clicking on Import… Here, use Choose File to pick the cert, provide a name for it and the password for it and click on Import.

Next, click on Administration (also under System in the SonicWALL sidebar). Scroll down to the Web Management Settings section of the screen and use the Certificate Selection field to select the newly installed certificate.

And that’s it. I’ve had to restart the device to get it to work properly, but overall, a pretty straightforward process.
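
To confirm the result from a workstation rather than waiting for the next Nessus run, the check below classifies the certificate the management interface serves. It is an added example, not part of the original post; the function names, the placeholder host name and the CA bundle path are assumptions, and it requires the openssl command-line tool.

```bash
#!/bin/bash
# Added example (not from the original post): classify the certificate a
# management interface presents. classify_cert, fetch_cert and
# firewall.example.com are constructed names.

# Fetch the leaf certificate presented on host:port (default 443) as PEM.
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Print "self-signed", "trusted" or "untrusted" for a PEM certificate.
#   $1 = certificate file
#   $2 = PEM bundle of the CAs you trust (include any intermediates)
classify_cert() {
    local cert="$1" cafile="$2" subject issuer
    subject="$(openssl x509 -in "$cert" -noout -subject_hash)" || return 2
    issuer="$(openssl x509 -in "$cert" -noout -issuer_hash)" || return 2
    # Self-signed: issuer name equals subject name AND the signature
    # verifies when the certificate is used as its own trust anchor.
    if [ "$subject" = "$issuer" ] &&
       openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo "self-signed"
    elif openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "trusted"
    else
        echo "untrusted"
    fi
}

# Usage (host name and bundle path are placeholders):
#   fetch_cert firewall.example.com 443 > served.pem
#   classify_cert served.pem /etc/ssl/cert.pem
```

A result of "self-signed" after the import means the Certificate Selection field is still pointing at the default certificate, or the device has not yet picked up the change.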

January 7th, 2012

Posted In: Network Infrastructure
