Tiny Deathstars of Foulness

A wiki is a repository of dynamically created and managed content, or content created or edited by multiple users collaboratively. This article is about using the wiki service in OS X Server (the Apple Server app running on 10.10 and 10.11). I reference file services with WebDAV because it is a very nice integration piece that I think a lot of people will find pretty beneficial.

To get started with the Wiki service, first turn it on. This one isn’t heavily dependent on host names (other than being able to access the server from a browser) or directory services (other than being able to authenticate users, but local accounts are perfectly functional) and it doesn’t require the Websites service to be running as well. One should always have good working directory services and host names, still…

To enable the service, open the Server app and click on Wiki in the list of SERVICES in the List Pane.

Screen Shot 2015-09-25 at 9.57.06 PM

There are two configuration options. The first is to select who is able to create wikis. Use the “Wikis can be created by” drop-down list to select “all users” if anyone with an account on the server should be able to create a wiki or “only some users” to bring up the Wiki Creators screen.

Screen Shot 2015-09-25 at 9.57.51 PM

If only some users can create new wikis, use the plus sign (“+”) at the Wiki Creators screen to add users and/or groups to the list of users that can create wikis. Click on OK when all users and groups that can create wikis are added. In a school I would imagine that only teachers or IT staff would be able to create wikis. Once a wiki is created, pages inside the wiki can still be created by non-wiki creators.

The other option available is the handy dandy WebDAV interface to the wikis. When you enable this option, you can connect to a server from OS X or iOS via WebDAV and access files in each wikis document repository. To be clear, this option doesn’t provide access to the user documents, but does provide access to the wiki documents. We’re going to check the box for “Enable WebDAV access to Wiki files” and then click the ON button.

Once the service starts, click on the View Wiki link in the Wiki workspace in Server app.

Screen Shot 2015-09-25 at 10.00.51 PM

Here, click on the Log in button and enter a user with access to the server, preferably one who can create wikis.

Screen Shot 2015-09-25 at 10.01.43 PM

At the Wikis page, you will then see a list of all wikis you have access to. Note that the previous screen showed one wiki and now we see two. That’s because one of the wikis has permissions that allow “All unauthenticated users” access to the wiki, which we’ll describe shortly. The first thing most administrators will do is create a wiki. To do so, click on the plus sign (“+”) icon on the web page and at the resultant screen, click on New Wiki.

Screen Shot 2015-09-25 at 10.02.35 PM

At the “Create a new wiki” prompt, provide a name for the wiki and a brief description for it.

Screen Shot 2015-09-25 at 10.03.12 PM

Click on Continue.

Screen Shot 2015-09-25 at 10.03.53 PM

At the Set permissions screen, enter each user or group to provide access to edit and view wiki pages. Here, you’ll have the options for Read & Write (users can view and edit pages in the wiki), Read only (users can only view the contents of your pages) and No access (users have no access to the wiki). There is a group for All logged in users, which includes every user with access to the server and another for All unauthorized users, which includes guests to the server. Once you’ve given the appropriate permissions, click on Continue.
Note: You don’t have to get this perfect now as you can always edit these later.

Screen Shot 2015-09-25 at 10.04.23 PM

At the Set Appearance screen, you can choose an icon for the wiki (shown in the wiki list and when you open the wiki) as well as a color scheme for the wiki. Choose the appropriate appearance for your wiki (again, you can always change this later) and then click on the Create button.

Screen Shot 2015-09-25 at 10.04.53 PM

Once the setup is finished, you’ll see the Setup complete modal. Here, you can click on Go to Wiki button.

Screen Shot 2015-09-25 at 10.05.33 PM

Once you’ve created your first wiki, let’s edit it and customize the content. To do so, click on it from the list of available wikis. Click on the cog-wheel icon and then Wiki Settings… to bring up the Wiki Settings page.

Screen Shot 2015-09-25 at 10.05.59 PM

Here, you’ll see the previously entered name and description as well as options to enable Calendar (only available if Calendar Server is running on the server) and Blog, which enables  a blog service for the wiki (wiki administrators can post blog entries to the wiki). Click on Appearance.

Screen Shot 2015-09-25 at 10.06.26 PM

Here, you will have the previous two options as well as the ability to upload a banner (which should be 62 pixels high) and background for each wiki.

Screen Shot 2015-09-25 at 10.07.02 PM

Click on Permissions. Here, you’ll see the permissions previously configured as well as options to configure who can comment on articles (nobody disables comments completely) in the wiki and whether comments require approval (moderation).

Click on Save. Now, let’s edit the splash page. To do so, click the pencil icon in the top navigation bar.

Screen Shot 2015-09-25 at 10.07.45 PM

At the edit screen, the top nav bar is replaced by a WYSIWIG editor for managing the page. Here you can justify, link, insert media and of course edit the text you see on the screen. I recommend spending some time embedding links, inserting tables, making text look like you want it to and editing the content to reflect the purpose of the wiki. Click Save when you’re done. Click the pencil again to edit it, and let’s create a new wiki page. Keep in mind that link wikipedia, each page should be linked to from other pages in the order they should be read. Unlike most wikis, there’s actually an index page of all the articles, which can come in handy.

Screen Shot 2015-09-25 at 10.08.34 PM

From the edit page, to create a new page and link to it, enter some text (or lasso some) that you’ll use as the link to access the new page you’re creating. Then click on the arrow and select “New page.”

Note: Use Enter URL to link to an existing page or an external website, instead of creating a new page.

Screen Shot 2015-09-25 at 10.09.03 PM

At the New Page screen, provide a name for the new page (the lasso’d text automatically appears as the Page Title) and click on the Add button.

Screen Shot 2015-09-25 at 10.09.40 PM

Click Save and then click on the newly created link. You can now edit the new page the same way you edited the previous pages. Click on the disclosure triangles in the right sidebar to Comment on articles, link articles to related articles, tag articles and view editing history.

Screen Shot 2015-09-25 at 10.12.44 PM

Now for the fun part. Click on Documents. Here, you’ll see the pages you already created. Click on the plus sign and select the option to Upload File to the wiki.

Screen Shot 2015-09-25 at 10.13.48 PM

At the Upload File dialog, click on Choose File and then select a file to upload.

Screen Shot 2015-09-25 at 10.14.36 PM

Click Upload when selected.

Screen Shot 2015-09-25 at 10.15.35 PM

Then from the Finder of an OS X client, use the Go menu to select “Connect to Server”. Enter the name or IP of the server and then click on Connect.

Assuming you can access the server, you should then be prompted for a username and password. Enter it and click Connect. Eventually, the file(s) will display (it can take awhile according to your network speeds and how many files are in the directory). You can connect to this same screen through an iPad using a 3rd party WebDAV client or the build in options in Pages.

Managing wikis is as easy as its ever been, with the new options for appearance being a nice add-on. Active Directory integration is as easy as binding the server to Active Directory and using the accounts listed in Permissions of pages. Overall, the ability to edit, upload and view documents from the Wiki is a great new feature in OS X Yosemite Server, worthy of checking out if you haven’t already!

Now that iOS devices can edit wikis and many of the traditional word processing options are available in the wiki editor, consider what the Wiki can be. Could it replace text editing apps for iOS? Could the Wiki allow for more collaborative documents than a Word or other document editor? Could it keep from getting eaten like the rest of the homework? Could the comments in the Wiki be a good way for teachers to have students write responses to materials? Could the Wiki and the document management features allow your workers to access human resources documents and employee manuals? I know plenty a tech firm that use wikis to track information about the systems they manage.

Once you have all of this information, upgrading can seem downright scary. But fear not, there’s Carbon Copy Cloner. And once you’ve cloned, there’s wikiadmin. When doing an upgrade in place, the Wiki service is pretty straight forward to upgrade, but in many cases, due to aging hardware, wiki services are moving from an older computer to a newer computer. This can be done in one of two ways. The first is to “migrate” the data by copying the Collaboration folder onto the new system. The second is to “export” and “import” the data. I usually recommend doing a migrate where possible, so we’ll start with that method.

Note: Before getting started, make sure that the directory services side of things is good. If a user or group lookup for an object that owns, edits or has commented on a wiki fails then that wiki probably shouldn’t be migrated. Use the dscl or id commands to confirm that lookups are functioning as intended.

To migrate wikis from one server to another, first copy the Collaboration directory to the new server. In this example, the directory has been dropped onto the desktop of the currently logged in user. To migrate the data once copied, use the wikiadmin command, along with the migration option. The option requires the path to the Collaboration folder, defined with -r, as follows:

sudo wikiadmin migrate -r ~/Desktop/Collaboration

When moving wikis, you can take the opportunity to get rid of a few you don’t want (such as that test wiki from way back when). Or administrators may just choose to move a single wiki to a new server in order to split the load across multiple hosts. When doing so, use the same command as earlier, along with the name of each wiki that is being moved, along with the -g option. For example, if moving the Legal wiki:

sudo wikiadmin migrate -r ~/Desktop/Collaboration -g Legal

The second way of moving wikis around is to export and then import them. To do so, first export wikis on the old server, using the wikiadmin command along with the export option, which requires an –exportPath option and needs to be done, on a wiki-by-wiki basis. So to export that Legal wiki to a file called LegalWikiTMP on the desktop:

sudo wikiadmin export -g Legal --exportPath ~/Desktop/LegalWikiTMP

Next, copy the wiki to the new server and import it, using the import option along with –importPath to identify where the file being imported is located. Using the same location, the command would then be:

sudo wikiadmin import -g Legal --importPath ~/Desktop/LegalWikiTMP

Note: The ability to import a wiki also allows for an API of sorts, as you can programmatically create wikis from other sources. The ability to export also provides a way to move into another wiki tool if you happen to outgrow the options provided in OS X Server and need to move to something more robust.

There is another way to move wikis, using pg_dump, copying the data and then using pg_restore to import the data once you’ve created the tables.  This way is, in my opinion, the last resort if the standard wikiadmin commands aren’t working. In my experience, if I’m doing the migration this way then I’ve got other, bigger issues that I need to deal with as well.

These commands work best when the wiki service has been started so that the databases are fully built out. To start the wiki service from the command line, use the serveradmin command instead of the wikiadmin command. The serveradmin command is used with the start option and then wiki is used to indicate the wiki service, as follows:

sudo serveradmin start wiki

The service can also be stopped, swapping out the start option with a stop option:

sudo serveradmin stop wiki

In a few cases (this is the main reason I’m writing this article), the attachments to wikis don’t come over during a migration. To migrate the files that are used for QuickLook, downloading attachments, etc, use the serveradmin command to locate the directory that these objects are stored in:

sudo serveradmin settings wiki:FileDataPath

The output identifies the directory where these objects are stored. Placing the contents in the same relative path as they are to the output of the same command on the target server usually results in restoring them. Once moved, use the fixPermissions option to repair the permissions of any files from the source (if any changes to account IDs are encountered such as an export/import rather than an archive/restore in OD this can lead to odd issues:

sudo wikiadmin fixPermissions

Also use the rebuildSearchIndex option with the wikiadmin command to fix any indexing, once the permissions have been repaired:

sudo wikiadmin rebuildSearchIndex

And finally use resetQuicklooks to clear any cached Quicklook representations of objects that have been inserted into a wiki and might not display properly using Quicklook (you know you might need to do this if they look fine when downloaded but look bad with Quicklook even though QuickLook on the server can view the files just fine):

sudo wikiadmin resetQuicklooks

When done properly the migration can take awhile. Keep in mind that every tag, every article, every edit to every article and basically everything else is tracked inside the tables that you’re moving. While there might not be a ton of data in the Collaboration directory or in an export, all of the data needs to go to the right location. This can take a little time in environments that have a lot of articles, even if they’re really short articles…

October 9th, 2015

Posted In: Mac OS X Server

Tags: , , , , , ,

OS X running the Server app has a lot of scripts used for enabling services, setting states, changing hostnames and the like. Once upon a time there was a script for OS X Server called server setup. It was a beautiful but too simplistic kind of script. Today, much of that logic has been moved out into more granular scripts, kept in /Applications/, used by the server to perform all kinds of tasks. These scripts are, like a lot of other things in OS X Server. Some of these include the configuration of amavisd, docecot and alerts. These scripts can also be used for migrating services and data. Sometimes the scripts are in bash, sometimes ruby, sometimes perl and other times even python. And the scripts tend to change year over year/release over release. The easiest way to view logs is to use the Server app, clicking on Logs in the sidebar. The dropdown at the bottom of the screen provides quick access to service-based logs.

Screen Shot 2015-09-25 at 8.47.29 PM

One of the things that can can be useful about the scripts scattered throughout the Server app is to learn how the developers of OS X Server intend for certain tasks to occur. However, you can also use the Console app from /Applications/Utilities, as with any other Mac, to look at standard logs.

Screen Shot 2015-09-25 at 8.48.50 PM

Looking At Services

This is also where I learned that Apple had put an Open Directory backup script in /Applications/ (that still requires a password). But what I haven’t seen in all of these logs is bumping up the logging level for services before performing tasks, so that you can see a verbose output of what’s going on. To do this, it looks like we’re going service-by-service. So let’s look alphabetically, starting with Address Book:

sudo serveradmin settings addressbook:DefaultLogLevel = “warn”

This by defualt logs to /var/log/caldavd/error.log, which is built based on the following, which sets the base:

sudo serveradmin settings addressbook:LogRoot=/var/log/caldavd

And the following, which sets the file name in that directory:

sudo serveradmin settings addressbook:ErrorLogFile=error.log

You can change either by changing what comes after the = sign. Next is afp. This service logs output to two places. The first is with errors to the service, using /Library/Logs/AppleFileService/AppleFileServiceError.log, the path designated in the following:

sudo serveradmin settings afp:errorLogPath = “/Library/Logs/AppleFileService/AppleFileServiceError.log”

The second location logs activities (open file, delete file, etc) rather than errors and is /Library/Logs/AppleFileService/AppleFileServiceAccess.log, defined using:

sudo serveradmin settings afp:activityLogPath = “/Library/Logs/AppleFileService/AppleFileServiceAccess.log”

The activity log is disabled by default and enabled using the command:

sudo serveradmin settings afp:activityLog = yes

The events that trigger log entries are in the afp:loggingAttributes array and are all enabled by default. There are no further controls for the verbosity of the afp logs. The next service is calendar. Similar to address book, the caldav server uses DefaultLogLevel to set how much data gets placed into logs:

sudo serveradmin settings calendar:DefaultLogLevel = “warn”

This by defualt logs to /var/log/caldavd/error.log, which is built based on the following, which sets the base:

sudo serveradmin settings calendar:LogRoot=/var/log/caldavd

And the following, which sets the file name in that directory:

sudo serveradmin settings calendar:ErrorLogFile=error.log

You can changing either by changing what comes after the = sign.
Profile Manager is called devicemgr in the serveradmin interface and I’ve found no way to augment the logging levels. Nor does its migration script ( /Applications/ ) point to any increased logging during migration.

The dirserv (aka Open Directory) uses the slapconfig back-end, so I use slapconfig to increase logging:

sudo slapconfig -enableslapdlog

The DNS service uses named.conf, located in /etc to set log levels and has no serveradmin settings for doing so. Here, use the logging section and look for both the file setting (by default /Library/Logs/named.log) for where the log is stored as well as the severity setting, which can set the logging levels higher or lower.

By default Messages, or iChat Server, logs a lot. See the following for what is logged:

sudo serveradmin settings jabber:logLevel = “ALL”

Adding the -D option to the LaunchDaemon that invokes jabber will increase the logs. Logging long-term is handled in each of the xml files that make up the features of jabber. See the Logconfiguration section of the c2s file via:

cat /Applications/

The mail service has a number of options for logging, much of which has to do with the fact that it’s a patchy solution made up of postfix, etc. Global log locations are controlled using the mail:global:service_data_path key, which indicates a path that logs are stored in (as usual many of these are in /Library/Server):

sudo serveradmin settings mail:global:service_data_path = "/Library/Server/Mail"

To see the virus database logging levels (which should usually be set to warn):

sudo serveradmin settings mail:postfix:virus_db_log_level

To see the spamassassin logging levels:

sudo serveradmin settings mail:postfix:spam_log_level

To see the actual postfix logging level:

sudo serveradmin settings mail:postfix:log_level

To enable timestamps on logs:

sudo serveradmin settings mail:imap:logtimestamps = yes

To set the dovecot logging to info:

sudo serveradmin settings mail:imap:log_level = “info”

To set increased logging per function that dovecot performs, see the config files in /Applications/, each of which has a logging section to do so.

The NetBoot service is simple to configure logging for, simply set the netboot:logging_level to HIGH (by default it’s MEDIUM):

sudo serveradmin settings netboot:logging_level = “HIGH”

The Postgres service uses a log directory, configured with postgres:log_directory:

sudo serveradmin settings postgres:log_directory = “/Library/Logs/PostgreSQL”

The /private/etc/raddb/radiusd.conf has a section (log {}) dedicated to configuring how the radius service logs output.

The Xsan service logs output per volume to both the System Log and volume-based log files, stored in /Library/Preferences/Xsan/data.

The smb service has a file /Library/Preferences/SystemConfiguration/ with a key for log level that can be used for more verbose output of the service.

The PPTP VPN service logs output to the file specified in vpn:Servers, configured with these:

sudo serveradmin settings = “/var/log/ppp/vpnd.log”
sudo serveradmin settings = “/var/log/ppp/vpnd.log”
sudo serveradmin settings = “/var/log/ppp/vpnd.log”
sudo serveradmin settings = “/var/log/ppp/vpnd.log”

By default, verbose logging is enabled, which you can see with:

sudo serveradmin settings
sudo serveradmin settings
sudo serveradmin settings
sudo serveradmin settings

The last service is web (Apache). The default access logs are per-site, with a key called customLogPath existing for each. The defaultSite uses the following for its logs:

sudo serveradmin settings web:defaultSite:customLogPath

Swap out the defaultSite with another site to see its log paths. There’s also a key for errorLogPath that shows errors. These are per-site so that administrators can provide access to logs for the owners of each site and not fear them having access to logs for other users. Global error logs are stored in /private/var/log/apache2/error_log as defined in /private/etc/apache2/httpd.conf. Find LogLevel in this file and set it to configure how in depth the logs will be, using debug for the most verbose and info, notice, warn, error, crit, alert, and emerg to get incrementally less information.

Additionally the log formats can be set in /private/etc/apache2/httpd.conf, allowing administrators to configure OS X  Server’s built-in web service to conform to the standards of most modern web log analyzers.


Overall, there’s a lot of information in these logs and administrators can spend as much time reviewing logs as they want. But other than standard system logs, the output is typically configured on a service-by-service basis. Some services offer a lot of options and others offering only a few. Some services also offer options within the serveradmin environment while others use their traditional locations in their configuration files. I’ll end this with a warning. There can also be a lot of output in these logs. Therefore, if you set the logging facilities high, make sure to keep a watchful eye on the capacity of the location you’re writing logs out to. The reason I looked at paths to logs where applicable was because you might want to consider redirecting logs to an external volume when debugging so as not to fill up a boot volume and cause even more problems than what you’re likely parsing through logs looking to fix…

October 8th, 2015

Posted In: Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , ,

OS X Server 5 (for El Capitan and Yosemite)  comes with the /usr/sbin/serverinfo command (introduced in Mountain Lion Server). The serverinfo command is useful when programmatically obtaining information about the very basic state of an Apple Server.

The first option indicates whether the Server app has been downloaded from the app store, which is the –software option:

serverinfo --software

When used, this option reports the following if the can be found:

This system has server software installed.

Or if the software cannot be found, the following is indicated:

This system does NOT have server software installed.

The –productname option determines the name of the software app:

serverinfo --productname

If you change the name of the app from Server then the server info command won’t work any longer, so the output should always be the following:


The –shortversion command returns the version of the Server app being used:

serverinfo --shortversion

The output will not indicate a build number, but instead the version of the app on the computer the command is run on:


To see the build number (which should iterate with each update to the Server app from the Mac App Store, use the –buildversion option:

serverinfo --buildversion

The output shows the build of server, which doesn’t necessarily match the OS X build number:


Just because the Server app has been downloaded doesn’t mean the Server setup assistant has been run. To see if it has, use the –configured option:

serverinfo --configured

The output indicates whether the system is running as a server or just has the app installed (e.g. if you’re using it to connect to another server:

This system has server software configured.

You can also output all of the information into a single, easy to script against property list using the –plist option:

serverinfo --plist

The output is a list of each of the other options used:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “”>
<plist version=”1.0″>

The Server Root can reside in a number of places. To see the path (useful when scripting commands that are relative to the ServerRoot:

serverinfo –prefix

By default, the output is as follows, which is basically like a dirname of the ServerRoot:


You can also see whether the system is running on actual hardware desgnated by Apple for servers using the –hardware option:

serverinfo --hardware

The output simply indicates if the hardware shipped with OS X Server on it from Apple:

This system is NOT running on server hardware.

The –perfmode option indicates whether or not the performance mode has been enabled, dedicating resources to binaries within the Server app:

serverinfo --perfmode

If the performance mode has not been enabled then the output will be as such:

Server performance mode is NOT enabled.

To enable performance mode, you can also use serverinfo. This is the only task that the command does that can make any changes to the system and as such is the only time you need to elevate privileges:

sudo serverinfo —setperfmode 1

Or set the boolean value back to 0 to disable.

sudo serverinfo —setperfmode 0

September 22nd, 2015

Posted In: Mac OS X Server

Tags: , , , ,

OS X Server 5 (El Capitan 10.11 or Yosemite 10.10) has an adaptive firewall built in, or a firewall that controls incoming access based on clients attempting to abuse the server. The firewall automatically blocks incoming connections that it considers to be dangerous. For example, if a client attempts too many incorrect logins then a firewall rule restricts that user from attempting to communicate with the server for 15 minutes. If you’re troubleshooting and you accidentally tripped up one of these rules then it can be a bit frustrating. Which is why Apple gives us afctl, a tool that interacts with the adaptive firewall.

The most basic task you can do with the firewall is to disable all of the existing rules. To do so, simply run afctl (all afctl options require sudo) with a -d option:

/Applications/ -d

When run, the adaptive firewall’s rules are disabled. To re-enable them, use the -e option:

/Applications/ -e

Turning off the rules seems a bit much for most troubleshooting tasks. To remove a specific IP address that has been blacklisted, use the -r option followed by the IP address (rules are enforced by IP):

/Applications/ -r

To add an IP to the blacklist, use the -a option, also followed by the IP:

/Applications/ -a

To permanently add a machine to the whitelist, use -w with the IP:

/Applications/ -w

And to remove a machine, use -x. To understand what is going on under the hood, consider this. The blacklisted computers are stored in plain text in /var/db/af/blacklist and the whitelisted computers are stored in the same path in a file called whitelist. The afctl binary itself is stored in /usr/libexec/afctl and the service is enabled by /System/LIbrary/LaunchDaemons/, meaning to stop the service outright, use launchctl:

launchctl unload


The configuration file for afctl is at /etc/af.plist. Here you can change the path to the blacklist and whitelist files, change the interval with which it is run, etc. Overall, the adaptive firewall is a nice little tool for Mac OS X Server security, but also something a number of open source tools can do as well. But for something built-in and easy, worth using.

There’s a nice little command called hb_summary located in /Applications/ that provides statistics for blocked hosts. To see statistics about how much the Adaptive Firewall is being used, just run the command with no options:


The output provides the following information (helpful if plugging this information into a tool like Splunk):

  • Date
  • Date statistics start
  • Number of hosts blocked
  • Addresses blocked
  • Number of times each address was blocked
  • Last time a host was blocked
  • Total number of times a block was issued

September 22nd, 2015

Posted In: Mac OS X Server

Tags: , , , , , , ,

Verbose logging can help you isolate a number of problems with Profile Manager. Turn on verbose logging by writing a debugOutput key with a value of 3 into /Library/Preferences/ using the defaults command:

defaults write /Library/Preferences/ debugOutput 3

Once set, restart the daemon using killall:

killall -u _devicemgr

To disable, just write the key with a blank value:

defaults delete /Library/Preferences/ debugOutput

Then restart the daemon again:

killall -u _devicemgr

May 1st, 2015

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , ,

OS X Yosemite, running the Server app comes complete with lots of awesome features to help you get up and running, started and owning the configuration of Apple Servers. One such is the built-in options to help manage your servers. Open Server, click Help, then click Server Help. You can then search and browse for information about things you’d like to accomplish using the Help Center.

Screen Shot 2014-10-27 at 9.53.11 PM

Now, click the arrow for each service for information about configuring that service. You will see an arrow for each service.

Click the arrow for more information on that specific service.

And just like that, simple and easy-to-use documentation, available live on OS X Server. You will, of course, need to be online to use it effectively.

November 3rd, 2014

Posted In: Mac OS X Server

Tags: , , , ,

The command to create and tear down an Open Directory environment is slapconfig. When you disable Open Directory from the Server app you aren’t actually removing users. To do so, you’d use slapconfig along with the -destroyldapserver. When run, you get a little insight into what’s happening behind the scenes. This results in the following:

bash-3.2# slapconfig -destroyldapserver

The logs are as follows:

2014-09-18 14:42:02 +0000 slapconfig -destroyldapserver
2014-09-18 14:42:02 +0000 CopyReplicaArray: ldap_search_ext_s failed
2014-09-18 14:42:02 +0000 Error retrieving replica array
2014-09-18 14:42:02 +0000 Deleting Cert Authority related data
2014-09-18 14:42:03 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/Take Control Books Open Directory Certification Authority.
2014-09-18 14:42:03 +0000 command: /usr/sbin/xscertadmin add --reason 5 --issuer Take Control Books Open Directory Certification Authority --serial 2127185704
CopyCARecordByName: get ldapi node code = 2100 description = Connection failed to node '/LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi'
No such issuer - failed to revoke certificate
2014-09-18 14:42:23 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/
/System/Library/LaunchDaemons/ Could not find specified service
2014-09-18 14:42:23 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/
/System/Library/LaunchDaemons/ Could not find specified service
2014-09-18 14:42:23 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/
/System/Library/LaunchDaemons/ Could not find specified service
2014-09-18 14:42:23 +0000 void _destroyLDAPServer(const char *): Failed to find computer record named$: 0 (null)
2014-09-18 14:42:23 +0000 Updating ldapreplicas on primary master
2014-09-18 14:42:23 +0000 CopyLdapReplicas: Unable to create DSLDAPContainer: 77014 Can't contact LDAP server (-1)
2014-09-18 14:42:23 +0000 CopyPrimaryMaster: CopyLdapReplicas failed
2014-09-18 14:42:23 +0000 Unable to locate primary master
2014-09-18 14:42:23 +0000 Primary master node is nil!
2014-09-18 14:42:23 +0000 Unable to locate ldapreplicas record: 0 (null)
2014-09-18 14:42:23 +0000 Error setting read ldap replicas array: 0 (null)
2014-09-18 14:42:23 +0000 Error setting write ldap replicas array: 0 (null)
2014-09-18 14:42:23 +0000 ODRecord *_getODRecord(ODNode *, NSString *, NSString *, NSArray *): ODNodeRef parameter error
2014-09-18 14:42:23 +0000 int _removeReplicaFromConfigRecord(ODNode *, NSString *): ODRecord not found
2014-09-18 14:42:23 +0000 Error synchronizing ldapreplicas: 0 (null)
2014-09-18 14:42:23 +0000 Removing self from the database
2014-09-18 14:42:23 +0000 Stopping LDAP server (slapd)
2014-09-18 14:42:23 +0000 Stopping password server
2014-09-18 14:42:23 +0000 Removed all service principals from keytab for realm YOSEMITESAM.KRYPTED.COM
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/mail.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/alock.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2014-09-18 14:42:23 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2014-09-18 14:42:23 +0000 Removed directory at path /var/db/openldap/authdata.
2014-09-18 14:42:23 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2014-09-18 14:42:23 +0000 Removed file at path /etc/openldap/slapd.conf.
2014-09-18 14:42:23 +0000 Removed file at path /etc/openldap/rootDSE.ldif.
2014-09-18 14:42:23 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2014-09-18 14:42:23 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2014-09-18 14:42:23 +0000 Removed directory at path /etc/openldap/slapd.d.
2014-09-18 14:42:23 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2014-09-18 14:42:23 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2014-09-18 14:42:23 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2014-09-18 14:42:26 +0000 Stopping password server
2014-09-18 14:42:26 +0000 Removed file at path /etc/ntp_opendirectory.conf.
2014-09-18 14:42:26 +0000 Removed file at path /Library/Preferences/

October 21st, 2014

Posted In: Mac OS X Server

Tags: , , , , ,

Getting started with Messages Server couldn’t really be easier. Messages Server in the OS X Yosemite version of the Server app uses the open source jabber project as their back-end code base (and going back, OS X has used jabber since the inception of iChat Server all the way through Server 3). The sqlite setup file is located at /Applications/ directory and the autobuddy binary is at /Applications/ The actual jabberd binary is also stored at /Applications/, where there are a couple of perl scripts used to migrate the service between various versions as well.

Setting up the Messages service is simple. Open the Server app and click on Messages in the Server app sidebar.


Click on the Edit… button for the Permissions. Here, define which users and interfaces are allowed to use the service.

Once open, click on the checkbox for “Enable server-to-server federation” if you have multiple iChat, er, I mean, Messages servers and then click on the checkbox for “Archive all chat messages” if you’d like transcripts of all Messages sessions that route through the server to be saved on the server. You should use an SSL certificate with the Messages service. If enabling federation so you can have multiple Messages servers, you have to. Before enabling the service, click on the name of the server in the sidebar of Server app and then click on the Settings tab. From here, click on Edit for the SSL Certificate (which should be plural btw) entry to bring up a screen to select SSL Certificates.


At the SSL Certificates screen (here it’s plural!), select the certificate the Messages service should use from the available list supplied beside that entry and click on the OK button. If you need to setup federation, click back on the Messages service in the sidebar of Server app and then click on the Edit button. Then, click on the checkbox for Require server-to-server federation (making sure each server has the other’s SSL certificate installed) and then choose whether to allow any server to federate with yours or to restrict which servers are allowed. I have always restricted unless I was specifically setting up a server I wanted to be public (like public as in everyone in the world can federate to it, including the gorram reavers that want to wear your skin).


To restrict the service, then provide a list of each server address capable of communicating with your server. Once all the servers are entered, click the OK button.
Obviously, if you only have one server, you can skip that. Once the settings are as you wish them to be, click on the ON/OFF switch to light up the service. To see the status of the service, once started, use the fullstatus option with serveradmin followed by the jabber indicator:

sudo serveradmin fullstatus jabber

The output includes whether the service is running, the location of jabber log files, the name of the server as well as the time the service was started, as can be seen here:

jabber:state = "RUNNING"
jabber:roomsState = "RUNNING"
jabber:logPaths:PROXY_LOG = "/private/var/jabberd/log/proxy65.log"
jabber:logPaths:MUC_STD_LOG = "/var/log/system.log"
jabber:logPaths:JABBER_LOG = "/var/log/system.log"
jabber:proxyState = "RUNNING"
jabber:currentConnections = "0"
jabber:currentConnectionsPort1 = "0"
jabber:currentConnectionsPort2 = "0"
jabber:pluginVersion = "10.8.211"
jabber:servicePortsAreRestricted = "NO"
jabber:servicePortsRestrictionInfo = _empty_array
jabber:hostsCommaDelimitedString = "mavserver.pretendco.lan"
jabber:hosts:_array_index:0 = "mavserver.pretendco.lan"
jabber:setStateVersion = 1
jabber:startedTime = ""
jabber:readWriteSettingsVersion = 1

There are also a few settings not available in the Server app. One of these that can be important is the port used to communicate between the Messages client and the Messages service on the server. For example, to customize this to 8080, use serveradmin followed by settings and then jabber:jabberdClientPortSSL = 8080, as follows:

sudo serveradmin settings jabber:jabberdClientPortSSL = 8080

To change the location of the saved Messages transcripts (here, we’ll set it to /Volumes/Pegasus/Book:

sudo serveradmin settings jabber:savedChatsLocation = “/Volumes/Pegasus/Book”

To see a full listing of the options, just run settings with the jabber service:

sudo serveradmin settings jabber

The output lists each setting configurable:

jabber:dataLocation = "/Library/Server/Messages"
jabber:s2sRestrictDomains = no
jabber:jabberdDatabasePath = "/Library/Server/Messages/Data/sqlite/jabberd2.db"
jabber:sslCAFile = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.chain.pem"
jabber:jabberdClientPortTLS = 5222
jabber:sslKeyFile = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.concat.pem"
jabber:initialized = yes
jabber:enableXMPP = no
jabber:savedChatsArchiveInterval = 7
jabber:authLevel = "STANDARD"
jabber:hostsCommaDelimitedString = "mavserver.pretendco.lan"
jabber:jabberdClientPortSSL = 5223
jabber:requireSecureS2S = no
jabber:savedChatsLocation = "/Library/Server/Messages/Data/message_archives"
jabber:enableSavedChats = no
jabber:enableAutoBuddy = no
jabber:s2sAllowedDomains = _empty_array
jabber:logLevel = "ALL"
jabber:hosts:_array_index:0 = "mavserver.pretendco.lan"
jabber:eventLogArchiveInterval = 7
jabber:jabberdS2SPort = 0

To stop the service:

sudo serveradmin stop jabber

And to start it back up:

sudo serveradmin start jabber

It’s also worth noting something that’s completely missing in this whole thing: Apple Push Notifications… Why is that important? Well, you use the Messages application to communicate not only with Mac OS X and other jabber clients, but you can also use Messages to send text messages. Given that there’s nothing in the server that has anything to do with texts, push or anything of the sort, it’s worth noting that these messages don’t route through the server and therefore still require an iCloud account. Not a huge deal, but worth mentioning that Messages server doesn’t have the same updates built into the Messages app. Because messages don’t traverse the server, there’s no transcripts.

October 19th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , ,

The Server app, when run on OS X Yosemite, comes with a few new alerting options previously unavailable in versions of OS X. The alerts are sent to administrators via servermgrd and configured in the Server app (Server 3.5). To configure alerts in Yosemite Server, open the Server app and then click on Alerts in the Server app sidebar. Next, click on the Delivery tab.


At the Delivery screen, click on the Edit button for Email Addresses and enter every email address that should receive alerts sent from the server. Then click on the Edit button for Push Notifications. Here, check the box for each administrator of the server. The email address on file for the user then receives push notifications of events from the server.

Click on OK when you’ve configured all of the appropriate administrators for alerting. Click on the Edit… button for Push and if Push notifications are not already enabled you will run through the Push Notification configuration wizard.
Then, check the boxes for Email and Push for each of the alerts you want to receive (you don’t have to check both for each entry). Alerts have changed in OS X Server, they are no longer based on the SMART status of drives or capacity; instead Delivery is now based on service settings.

Finally, as with previous versions of OS X Server, Mavericks Server has snmp built in. The configuration file for which is located in the /private/etc/snmp/snmpd.conf and the built-in LaunchDaemon is, where the actual binary being called is /usr/sbin/snmpd (and by default it’s called with a -f option). Once started, the default community name should be COMMUNITY (easily changed in the conf file) and to test, use the following command from a client (the client is in the following example):

snmpwalk -On -v 1 -c COMMUNITY

October 17th, 2014

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , ,

Yosemite Sam Server (Server 3.5 running on OS X Yosemite) sees little change with the FTP Service. Instead of sharing out each directory the new incantation of the FTP service allows administrators to share a single directory out. This directory can be any share that has previously been configured in the File Sharing service or a website configured in the Websites service.


To setup FTP, first open the Server app and then click on the FTP service.


Once open, use the Share: drop-down list to select a share that already exists (output of sharing -l basically) and click on one of the shares or Custom to create a new share for FTP. Then, set the permissions as appropriate on the share and hit the ON button for the FTP service.

Now, let’s test from a client. I like to use the ftp command line interface built into OS X. To test, type ftp followed by the address of the site (and I like to put the username followed by @ before the hostname, as follows:

ftp robin@mavserver.krypted.lan

When prompted, provide a password. Then, assuming your get the following, you’re in:

230 User robin logged in.
Remote system type is UNIX
Using binary mode to transfer files.

Here, type ls to see a list of the directories contents. Or pwd to see what directory you are in (relative to the root of the ftp share). And of course, type get followed by the name of a file to transfer it locally:

get myfile.txt

Open a terminal window on the server and let’s look at the few options you have to configure FTP from the command line. We already discussed sharing -l to see a list of the available shares. Additionally, you can use the serveradmin command, where ftp is the name of the service. Let’s look at the status of the service, first:

sudo serveradmin fullstatus ftp

Now let’s look at status:

sudo serveradmin status ftp

Same thing, right? Let’s look at all the settings:

sudo serveradmin settings ftp

If you have spaces in the name of a share that you configure from the Server app the thing will fail. Good stuff, so use serveradmin to manually set shares with spaces or other special characters in the names:

sudo serveradmin settings ftp:DocumentRoot = “/Shared Items/Krypted”

Overall, this ftp implementation is meant for users who just need to access their web server where all the files live in a web root of some sort. Otherwise, I’d still recommend most people use a third party tool. But if you just need to log into one share and you don’t need a lot of fancy features on top of your protocols that haven’t changed much since 1985 then this implementation will still work for ya’ without any extra work.

Since we mentioned 1985, let’s look at some other things that are as old, although perhaps not as dated, as the FTP Protocol. Things from the year 1985:

  • Back To the Future is Released
  • Coke introduces one of the largest marketing fails of all time, New Coke. It is so bad it opens a hole in the Ozone, also discovered in this year by Al Gore
  • Rambo Part II and Rocky Part IV come out, Sly doesn’t come out
  • Mad Max Beyond Thunderdome teaches us that Tina Turner’s still got it – Bill Schroeder doesn’t have it, no relation to Ricky, he leaves the hospital part-cyborg with the first artificial heart.
  • A View To A Kill finally ends the Roger Moore era of James Bond. Computer nerds, keep in mind, he saved Silicon Valley. This movie had Christopher Walken and Duran Duran. What more could you ask for? Oh, right – Tanya Roberts! Oh, and Thomas Patrick Cavanaugh actually gets life for being a real spy.
  • Since Police Academy was a hit, the producers figured they’d screw it up by making a second movie: Police Academy 2 comes out
  • After watching Cocoon I now know I’ll never have to grow old, so I can treat my body however I want…
  • The unabomber is at the half way point of his career with 2 bombings this year, The Rainbow Warrior sinks (no known relation to the unabomber, unless he was a French antieco-terrorist), flight 847 is hijacked and Gorbachev becomes the leader of the largest pain in President Reagan’s bung hole: Russia (OMG Commies – Run!!!). In order to pay for the tail end of the cold war, Reagan lowers taxes and sends America into debt for the first time since 1914, a debt we are still in (evil Democrats, always incurring more American debt!). Meanwhile, Margaret Thatcher has shoulder pads surgically implanted because health care is free in Great Britain and all. Actually, National Health Service contributes little to England’s national debt, which was about as low in percentage of GDP as it had been since before WWI under her and due to her terms as PM. It was at its highest in the early 1800s, far before shoulder pads were in fashion… Having said that, the US, who went into debt for the first time had to sell Reagan’s autobiography rights in order to pay for his colon surgery since there’s not NHS here… He could have asked Gotti, who became the leader of the Gambinos in 1985 for a loan, but I hear he was too busy playing Tetris, which also came out in 1985…
  • British Telecom phases out red telephone boxes – almost as a result a single season of Dr. Who airs on TV.
  • In 1985, Paul Simon, Stevie Wonder, Ray Charles, Bob Dylan, Michael Jackson, Billy Joel, Cyndi Lauper, Willie Nelson, Lionel Richie, Smokey Robinson, Kenny Rogers, Diana Ross, Paul Simon, Bruce Springsteen, Tina Turner, Daryl Hall, Kenny Loggins, Huey Lewis and of course Al Jarreau sang We Are The World. Prince wouldn’t show and Waylon Jennings stormed out. Jane Fonda hosted a HBO special in between workout videos. Live Aid happens too, and is far cooler. But, at least Rich Ramirez (the Night Stalker) got nabbed in LA.Top singles on the charts include Madonna, Wham!, Simple Minds, Duran Duran, Phil Collins, Dire Straits, Starship, Lionel Richie, Foreigner and REO Speedwagon.
  • Top TV shows include the sweaters from the Cosby Show, Family Ties, Murder She Wrote, Dynasty, The Golden Girls, Miami Vice, Cheers, Knots Landing, Growing Pains and of course, DALLAS
  • The Ford Taurus and the Mercury Sable bring a new low point to American automobile engineering – luckily The Nintendo came out and no one cared for a decade or more…
  • The Commodore Amiga is launched.
  • The Free Software Foundation is founded by rms, author of great cookie recipes, tips on women and GNU Manifestos.
  • And most importantly, Steve Jobs starts NeXT

October 17th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , , ,

Next Page »