krypted.com

Tiny Deathstars of Foulness

I originally posted this at http://www.318.com/TechJournal

Customizing the welcome message to new users of your iChat server is a fairly simple task. For this, we’ll look into the jabber configuration because jabber is the Open Source package that iChat Server is built on.

When you first setup jabber the /etc/jabber directory will be created. Inside this folder will be a file called jabber.xml. If you open the jabber xml file and look for the “welcome” tag then anything between the "welcome" and"/welcome" will be the information that is shown in a welcome screen when a new user signs onto the iChat server. Before you edit the /etc/jaber/jabber.xml file make sure to back it up.

For this example we will have all new users receive a message that says Welcome to the 318 iChat Server. To do this, delete or comment out the information between the existing welcome tags and add the following information:

"welcome"
"subject"318 iChat Server"/subject"
"body"Welcome to the 318 iChat Server"/body"
"/welcome"

Save the jabber.xml file and you’ve now customized the welcome message for your iChat server.

Note, for the purpose of this article the < and > have been replaced with quotes (”). However, you will need to use the < and > in your environment while using the Jabber.xml file.

November 21st, 2007

Posted In: Mac OS X Server

Tags: , , , , , ,

I originally posted this at http://www.318.com/TechJournal

So you selected Advanced Setup during the wizard while you were installing Mac OS X Server and now you’re looking at this new Server Admin screen that you’ve never seen before. You see the server name but there are no services in the list. This is because Apple has gone the extra step to make Server Admin less confusing and more user friendly than ever before. When you click on the Settings icon at the top of the Server Admin screen you will see the tab for Services. Here, you can enable or disable any service by checking its box and clicking on the Save button.

Once a service has been enabled then it will appear under the server in the Servers list (notice it no longer says Sites and Services). From here, you’ll notice that the old chicklets from the bottom screen are gone. Now they have been replaced with an icon set in the toolbar that changes as you click between the services. For example, the AFP Service shows Overview, Logs, Graphs, Connections and Settings. Clicking through these icons, you’ll notice that they provide the same experience that the chicklets at the bottom of the screen provided. However, by placing them at the top the user interface makes more sense. One thing that is a bit strange is the decision to move the Start and Stop buttons to the bottom of the screen. When you enable a service it will not start by default so if you want to begin using it look to the bottom of the list and click on the Start button for the service.

When you enable and then click on each service you will notice that many have the same options that they’ve had in the past. There are exceptions (like a more granular logging tab for the FTP service), as there are with every version. But for the most part many of the settings have stayed the same through a few versions of the OS because they just make sense in how they are laid out.

New Services added are Radius, Podcast Producer, MySQL (which actually existed in its own stand-alone application before) and iCal. Each of these has a great purpose and will hopefully be explored in detail as time goes on. You might notice that one service, Applications, is gone from the list. Tomcat has now been moved into the Web Service as a checkbox (Enable Tomcat).

So that’s the quick and dirty tour of the new Server Admin application. It’s sleeker and has a (in our opinion) much improved interface over the old Server Admin.

November 16th, 2007

Posted In: Mac OS X Server

Tags: , , , , , ,

I originally posted this at http://www.318.com/TechJournal

So Ruby on Rails… What does this mean for me and what exactly is Ruby on Rails from a systems administration standpoint? Ruby on Rails was created by David Heinemeier Hansson from his work on Basecamp, a web-based project-management tool, by the company 37signals. Ruby on Rails was first released to the public in July 2004. Ruby on Rails is a web application framework designed to support the development of dynamic websites. To see some sites built using Ruby on Rails check out http://happycodr.com

Ruby is an object-oriented program language that Rails is built on.  To access rails, you can use the rails command.

The Ruby on Rails framework is built into Leopard Server and can be started up using the mongrel_rails start command. It can be stopped using the mongrel_rails command. Mongrel is a fast HTTP library and server for Ruby. Mongrel_rails is a command line tool that can be used to control the Mongrel webserver.

Some options to the mongrel_rails command include the following:
-d daemonize
-p assign a custom port
-a assign an address for the HTTP listener
-l assign a log file to use
-t customize the timeout variable
-m use additional MIME types
-r change the document root
-B enable debugging
-C use a configuration file
-S define an additional config script
-h access the help libraries
-G generate a config file
–user define who the server will run as
–version get the version information for Mongrel

But that’s not all you can do with mongrel_rails. The actual file is not compiled so you can read it in clear text and learn more about what it is doing behind the scenes. Just cd into the /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/gems/1.8/gems/mongrel-1.0.1/bin/ folder to find it. One item of note is the inclusion ofmongrel_rails_persist, a wrapper for mongrel_rails that allows admins to register the Mongrel Server with Bonjour and create a launchd plist to run Mongrel (/Library/LaunchAgents/com.apple.persist.portnnnn.mongrel_rails_server.plist).

So let’s say that you have a Ruby application that lives at the following location /Library/WebServer/MyRubyApp. You can run the following command to launch it over port 8001 in a persistent manner:
mongrel_rails_persist start -p 8001 -c /Library/WebServer/MyRubyApp

To access it from a web browser you would enter the address http://servername.domainname.com:8001

From here you’ll be able to daemonize Mongrel and provide the Rails development framework to developers in your environment. There are already a lot of projects for using Ruby with FileMaker and other database systems, so keep an eye out for more information about this piece of Leopard Server!

November 12th, 2007

Posted In: Mac OS X Server

Tags: , , , , , ,

I originally posted this at http://www.318.com/TechJournal

So you installed your new server and you’re having a few problems. Let’s look at the common issues and a few simple fixes for them.

iCal will not start, with log entries that it is unable to create a virtual host:
Check your host name. iCal is going to need the host name to be correct in order to start. Use scutil --get HostName and then make sure that the host name listed in the iCal Server settings is identical to this value.

You setup a user, check the box in Workgroup Manager for Enable Calendaring and then save your settings but you get the following error in your logs:
Oct 12 15:51:26 cedge Workgroup Manager[2282]: +[WPUser userWithGUID::] returned nil!

This is likely caused by the fact that you are enabling a calendar for a local user. Try using an OD based user and see if you get the same error.

You got everything started and the account was created for the user but when you add an account in iCal it fails to connect. Make sure that the port that iCal server is using is located at the tail end of the host name for the iCal Server. One issue that we see here is that unless you are using managed accounts then iCal Server is not likely going to append the port number for you iCal Server. Also verify that you can connect to the remote server, and remember that you can always open the URL of the server followed by a : and then the port number and get a login prompt. If you can authenticate to this as the user whose calendar that you are trying to setup then you can use the information in this screen to determine ACL information and other security settings that could be keeping calendars from working. Also keep in mind that while your default port might be 8008 your default port if you are using SSL is actually 8443.

Once you get this far, you should be able to create an event and see data listed in the Overview tab for iCal. If so then you should be able to about anything you want in the iCal server.

If you prefer to use the serveradmin CLI to control your services, you can also use the serveradmin settings calendar:ServerHostName = "SomeHostName" variable to change your host name. You can also use the calendar:HTTPPort to change the port number you are using for connectivity.

Happy Calendaring!!!

November 10th, 2007

Posted In: Mac OS X Server

Tags: , , , ,

I originally posted this at http://www.318.com/TechJournal

Remote Authentication Dial In User Service (RADIUS) can help to take the security of your wireless network to the next level beyond standard WPA authentication. Prior to Leopard RADIUS communications could be obtained using Elektron or OpenRADIUS running on OS X – but in Leopard no 3rd party software is required beyond Leopard Server. So how difficult is it to setup RADIUS on Leopard? You be the judge after reading this quick walkthrough. For the purpose of this walkthrough we are going to assume that you are using the Advanced Mac OS X Server style.

Before you begin this walkthrough, make sure that the server is running Open Directory and that the forward and reverse DNS information for the server is correct.

The first step to using RADIUS is to enable it. To do this, open Server Admin, click on the name of the server in the SERVERS list and click on the Services tab. Find RADIUS in the services list and place a checkmark in the box to the left of it. When you click on Save then you should see RADIUS in the SERVERS list.

Now that RADIUS has been enabled, let’s select a certificate. For the use of this walkthrough we’re going to use the default certificate that comes with OS X Server. Click on RADIUS under the SERVERS list and then click on the Settings button. Click on the RADIUS Certificate drop-down menu and select the Default certificate. Click on the Edit Allowed Users… button.

By default all users of the OS X Server will have access to authenticate to the wireless network setup, so here we are going to click on the For Selected Services below Radio Button. Then click on RADIUS in the Service list. Now click on Allow Only Users and Groups Below and then click on the + sign. Now drag the users and groups into the Name list from the Users and Groups window. Once all users that should have access to your new wireless environment have been enabled, click on the Save button.

From here, click on RADIUS and click on the Start RADIUS button in the bottom left hand corner of the screen. RADIUS is now ready to accept authentication. The next step is to configure an AirPort to work with RADIUS. To do this, click on the Base Stations button in the toolbar at the top of the screen. Now click on Browse and select the first base station of your new wireless environment from the list of found base stations. Enter the password for the AirPort and click on Save. Wait for the AirPort to complete its restart and then you should be able to log in from a client.

To log in from a client, select the name of the wireless network from the wireless networks list and enter the username and password to the environment. The first time you do so you will get a second dialog asking you to enter the 802.1x username and password. Enter the same username and password and click on OK. If you click on the “Use this Password Once” checkbox then this password will not be saved for future use.

That’s it, you’re done. Now this setup may be a little more complicated than WPA personal or WEP 128, but it’s far more secure and should be considered for any AirPort environment that has an OS X Server. While the default certificate will work for clients, things are often easier from a deployment and interoperability perspective if you purchase a certificate from a CA such as Thawte. Also, this has all been tested in a pure Mac OS X Leopard environment, not with an OD structure based on Tiger. More on that as time goes on…

October 30th, 2007

Posted In: Mac OS X Server, Mac Security

Tags: , ,

I originally posted this at http://www.318.com/TechJournal

If you’re migrating to Leopard and Leopard Server then you’ve likely noticed the welcome addition of a new program in /Applications/Utilities called Directory. Directory allows users bound into an Open Directory environment to update LDAP records provided they have access to do so. Using LDAP ACLs it’s possible to give users access to update their own directory information using an LDAP directory browser such as Directory.

When you open Directory you should see a listing of all of the directory information that has been created. From here you can create Shared Contacts, Groups, Locations and Resources. Each of these can be connected to a calendar. Groups can have multiple members and get a Mailing List, Calendar or Blog connected to them.

Resource types include Automobiles, Conference Phones, Copiers, Digital Cameras, Notebooks, Printers, Projection Screens, Projectors, Scanners and Video Cameras. Resources can be reserved in an iCal Server Calendar and can have a delegate. Delegates are users that are able to manage particular resources.

The fact that there are a lot of objects in the LDAP database that can be managed means that it’s important to have a tool for configuring who can manage them. Workgroup Manager has basic permissioning built it but it isn’t as granular as a lot of organizations will need. To get more granular it might be required to dip into the command line and configure LDAP using the configuration files. To get started with this, see the article from a couple of days ago about LDAP ACLs.

October 27th, 2007

Posted In: Mac OS X Server

Tags: , , , , ,