Tag Archives: Mac OS X Server

Mac OS X Mac OS X Server Mac Security

Recovering Open Directory Databases

May 7, 2013 – 6:00 am

Every now and then I see an Open Directory database that’s gotten corrupt for one reason or another. To be more specific, while I see Kerberos get wonky and password server issues from time to time, every now and then I see the actual LDAP database throw errors like this one, when checked with slapd:

/usr/libexec/slapd -Tt

Corruption usually looks a little something like this:

51890ba0 ldif_read_file: checksum error on "/var/db/openldap/openldap-data/cn.bdb"
51890ba0 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded

If the bdb (Berkeley Database) files can’t be read in properly then you can do a sanity check with slaptest to see if there are other issues as well:

slaptest -f /private/etc/openldap/slapd.conf -v

Provided that your problems are with the bdb files and not ldif files, which can easily be grabbed from another OD box, you can then recover the database using db_recover, along with the -h option to define the directory your bdb files reside in (/var/db/openldap/openldap-data in OS X Server):

db_recover -h /var/db/openldap/openldap-data/

Note, always backup. If errors continue then you can also run with a -c option, which performs a “catastrophic” recovery. Also, before you do a db_recover OD will need to be stopped. Chances are, if you have corruption then the database will be stopped; however, check first:

serveradmin fullstatus dirserv

If it’s running, stop it:

serveradmin stop dirserv

Once you’re done, there’s no longer the need to reboot each time you do this kind of thing, which is actually a huge time saver, so just swap the stop with start and you’re good:

serveradmin start dirserv

Tags , , , , , , , , , , | Permalink | Comments Off
Mac OS X Mac OS X Server Mac Security Mass Deployment

Remove the Delay For the Dock To Pop Up

April 7, 2013 – 6:00 am

I recently started hiding my Dock. I haven’t done that in over a decade, but I was ready for a change. But I’m not the most patient person in the world and waiting for the Dock to pop back up became a bit of a drag. So I looked around in com.apple.Dock and found an autohide-delay option. Setting that to -float 0 restored some sanity back into an already hectic enough world:

defaults write com.apple.Dock autohide-delay -float 0

Then restart the Dock:

killall Dock

When you kill the Dock, it’s gonna’ reopen all the stuff you might have minimized down there. Well, this was close, but then this turned out to make me much happier (turns out I’m not as impatient as I thought):

defaults write com.apple.dock autohide-time-modifier -float 0.1

Hope you find this useful! If not, to undo all of this:

defaults delete com.apple.dock autohide-delay
defaults delete com.apple.dock autohide-time-modifier
killall Dock

Tags , , , , | Permalink | Comments Off
Mac OS X Mac OS X Server Xsan

Installing Final Cut Server on Lion & Mountain Lion Server

September 6, 2012 – 5:00 am

Thanks to Allan Sanderson for the following submission, which outlines how to install Final Cut Server in Lion and Mountain Lion Server.

In Server.app

————-
Websites:
Check “Enable PHP web applications”

Install Java
————
Open /Applications/Utilities/Java Preferences.app
You’ll be prompted by Software Update service to install Java, click “Continue”, provide admin credentials when promopted.

Install Final Cut Server
————————
Run Final Cut Server installer.
Then run Software Update to get ProApplications 2010-02 & Final Cut Server v1.5.2 updates.

Check Configuration
——————-
1)
Check fcsvr user has been created:
dscl /Local/Default -search /Users RecordName fcsvr
Output should look something like this:
fcsvr RecordName = (
fcsvr
)

2)
Check “fcsvr” user’s home folder location is set to “/Library/Application Support/Final Cut Server”
dscl /Local/Default -read /Users/fcsvr NFSHomeDirectory
Output should look something like this:
NFSHomeDirectory: /Library/Application Support/Final Cut Server
If it doesn’t, caorrect it with this command:
sudo dscl /Local/Default -create /Users/fcsvr NFSHomeDirectory “/Library/Application Support/Final Cut Server”

Customisations To Make It Work
——————————
A word to the wise, I personally take a backup before making any changes to system files, Time Machine is nice ‘n all, but I’d prefer not to have to go there in the first place.

1)
An out the box FCSvr install doesn’t set an “AUTH_TYPE” key/value pair in the com.apple.FinalCutServer.settings.plist file. Under 10.5 & 10.6 this didn’t cause any issues, but 10.7+ does seem to be an issue. So for Local and Open Directory authentication, this command will do the job:
sudo defaults write /Library/Preferences/com.apple.FinalCutServer.settings “AUTH_TYPE” -int 2
If you’re being more daring and trying to work with an Active Directory, then you’ll want the following:
sudo defaults write /Library/Preferences/com.apple.FinalCutServer.settings “AUTH_TYPE” -int 1

2)
Because of how things have changed between 10.6 and 10.7 & 10.8, its necessary to manually copy the apache site config into a users apache space.
sudo cp “/Library/Application Support/Final Cut Server/Final Cut Server.bundle/Contents/Resources/share/conf/client_apache2.conf” “/etc/apache2/users/fcsvr.conf”

3)
Now in order for the apache site config to be read by apache, we need to add in the necessary direction for httpd.
Append “UserDir Sites” to end of “/etc/apache/httpd.conf”, this can be done as a one-liner if you like:
sudo echo “UserDir Sites” >>/etc/apache2/httpd.conf

4)
Lastly we have to add in the redirection settings for 10.7+ as the installers isn’t able to do this due to file path changes between the OS revisions.
So, in your /etc/apache2/sites/0000_any_80_.conf file, paste in the following lines after the IfModule for mod_ssl.c:
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteEngine On
RewriteRule .* – [F]
RewriteRule ^/FinalCutServer$ /~fcsvr/Sites/webstart/index.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_mac.jnlp$ /~fcsvr/Sites/webstart/macJnlp.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_windows.jnlp$ /~fcsvr/Sites/webstart/windowsJnlp.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_other.jnlp$ /~fcsvr/Sites/webstart/jnlp.php [NC,L]
</IfModule>
ORIGINAL_SOURCES: http://www.linkedin.com/groups/Has-anyone-been-able-get-138082%2ES%2E67319989?view=&srchtype=discussedNews&gid=138082&item=67319989&type=member&trk=eml-anet_dig-b_pd-ttl-cn&ut=2M3_ri588Lslo1

SPECIAL_MENTIONS: Matt Geller, David Colville

Tags , , , , , , , , , , , , | Permalink | Comments (2)
Mac OS X Server Mac Security

Creating Users In Mountain Lion Server

September 1, 2012 – 7:00 am

There are four ways to create users in Mountain Lion Server. The first is using the Server app, the second is using Workgroup Manager, the third is using the Users & Groups System Preference pane and the fourth is using the command line. In this article we will look at creating users in the Server app.

To do so, open the Server app and connect to your server. Then click on the Users entry in the ACCOUNTS list. The list of users is displayed, based on the directory domain(s) being browsed. A directory domain is a repository of account data, which can include local users, local network users and users in a shared directory service such as Open Directory and Active Directory.

The drop-down list allows you to see objects that are stored locally as well as on a shared directory server. Therefore, clicking All Users will show all of the accounts accessible by the system. Click on the plus sign to create a new account. At this point, if the server has been promoted to an Open Directory Master, the account will be a local network account, with no way of choosing a different location to store the account in the Server app.

When prompted, provide the following information about the new user:

  • Full Name: Usually the first and last name of the user.
  • Account Name: A shorter representation of that name with no spaces or special characters.
  • Email address: The email address to use if the account is going over quotas, has calendar invitations sent, or used for email hosted on the server, etc.
  • Password: The password the user will use to access services on the server.
  • Verify: The password a second time to make sure there are no spelling errors.
  • Allow user to administer this server: Optional field that grants the user administrative access to the server.
  • Home Folder: Optional field that by default creates local home directories for users that use the account but that also allows you to select a directory shared using the File Sharing service as a location for home folders. Each user in OS X has a home folder, this option defines whether that folder will reside on their computer or on a central server.
  • Disk Quota: Define the amount of space an account can take up on servers.

Note: Optionally, you can also drag an image onto the image shown in the New User screen if you’d like the user to have an avatar.

Once the account details are as you would like, click on the Done button. The account will then be displayed in the list of available accounts. You can still create local accounts but must do so in the Users & Groups System Preference pane, through Workgroup Manager or through the command line. If the server has not been made an Open Directory server then you would be creating local users through the Server app.

Once the account is created, highlight it and click on the cog wheel icon below the list of accounts. Here, you have the option to edit the account you just created, edit their access to services hosted on the server, configure email information and change their password.

Click Edit User. Here, you have two new features. You can add the user to groups and use the checkbox for “log in” to disable the account.

Click Cancel and then using the cog wheel menu again, click on Edit Access to Services. Here, uncheck each service that the user should not have access to. If the service isn’t running then it’s not a big deal. You can highlight multiple accounts concurrently and then use this option to disable services for users en masse.

Tags , , , , , , , , , , , , , | Permalink | Comments (6)
Mac OS X Server Mac Security

A Guide To Using Mountain Lion Server (OS X 10.8)

August 28, 2012 – 5:00 am

I’ve been doing a number of postings on how to use various features of the latest version of OS X Server. Given that WordPress is pretty much a reverse chronological listing of articles I’ve written, I thought I’d put together a listing of the pages that I’ve done for OS X Server 10.8 (Mountain Lion Server) in order to offer a more pedagogically aligned way of reading these posts. As such, here is the Table of Contents for these posts:

Introduction

Managing the Server

Configuring Services

Troubleshooting

Command Line

Misc

Tags , , , , , , , , , , , , , | Permalink | Comments (5)
Mac OS X Server Mac Security Mass Deployment Xsan

Using The serverinfo Command To Get, Well, Server Info In Mountain Lion Server

August 25, 2012 – 5:00 am

OS X Mountain Lion Server comes with the /usr/sbin/serverinfo command. The serverinfo command can be pretty useful when you’re looking to programmatically obtain information about the very basic state of an OS X Server.

The first option indicates whether the Server app has been downloaded from the app store, which is the –software option:

serverinfo --software

When used, this option reports the following if the Server.app can be found:

This system has server software installed.

Or if the software cannot be found, the following is indicated:

This system does NOT have server software installed.

The –productname option can be used to determine the name of the software app:

serverinfo --productname

If you change the name of the app from Server then the serverinfo won’t work any longer, so the output should always be the following:

Server

The –shortversion command returns the version of the Server app being used:

serverinfo --shortversion

The output will not indicate a build number, but instead the version of the app on the computer the command is run on:

2.0.23

To see the build, use the –buildversion option:

serverinfo --buildversion

The output shows the build of server, which doesn’t necessarily match the OS X build number:

12S307

Just because the Server app has been downloaded doesn’t mean the Server setup assistant has been run. To see if it has, use the –configured option:

serverinfo --configured

The output indicates whether the system is running as a server or just has the app installed (e.g. if you’re using it to connect to another server:

This system has server software configured.

You can also output all of the information into a single, easy to script against property list using the –plist option:

serverinfo --plist

The output is a list of each of the other options used:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>IsOSXServerVolume</key>
<true/>
<key>IsOSXServerVolumeConfigured</key>
<true/>
<key>IsServerHardware</key>
<false/>
<key>LocalizedServerProductName</key>
<string>Server</string>
<key>ServerBuildVersion</key>
<string>12S307</string>
<key>ServerPerformanceModeEnabled</key>
<true/>
<key>ServerVersion</key>
<string>2.0.23</string>
</dict>
</plist>

The Server Root can reside in a number of places. To see the path (useful when scripting commands that are relative to the ServerRoot:

serverinfo --prefix

By default, the output is as follows:

/Applications/Server.app/Contents/ServerRoot

You can also see whether the system is running on actual hardware desgnated by Apple for servers using the –hardware option:

serverinfo --hardware

The output simply indicates if the hardware shipped with OS X Server on it from Apple:

This system is NOT running on server hardware.

The –perfmode option indicates whether or not the performance mode has been enabled, dedicating resources to binaries within the Server app:

serverinfo --perfmode

If the performance mode has not been enabled then the output will be as such:

Server performance mode is NOT enabled.

To enable performance mode, you can also use serverinfo. This is the only task that the command does that can make any changes to the system and as such is the only time you need to elevate privileges:

sudo serverinfo --setperfmode 1

Finally, set the boolean value to 0 to disable.

sudo serverinfo --setperfmode 0

Tags , , , , , , , , , , | Permalink | Comment (1)
Mac OS X Mac OS X Server

10 Features I Miss From Mountain Lion & Mountain Lion Server

August 23, 2012 – 5:00 am

Apple’s not going to slow down innovation just to make me happy. I get that. But what have I noticed most about the differences between Mountain Lion and Mountain Lion Server and their predecessors, and maybe what to do to get some of them back?

  1. Podcast Producer: I am going to just put it out there. I liked Podcast Producer. I hope it shows back up in the future, even though I’m controlling my expectations. As someone who deals with a lot of video, there are a number of features that were really helpful to me, with or without Xgrid. I’ve replaced the command line aspects with tools such as ffmpeg, which we used in addition to at times, but some of the ways that pcastaction did things were really elegant comparably. On the graphical side, much of the functionality is available in the various sites that produce video streams and of course, there’s always YouTube. Either way, in regards to Mountain Lion Server, this represents one of the most substantial changes for those of us that deal with video.
  2. DHCP: I know, I know… I wrote an article on how to keep using DHCP. That doesn’t mean that the lack of GUI options is any less irritating. Every time I manually edit a config file that should have a GUI front-end it makes me ornery. Not that I’m not always ornery, but that’s not the point here…
  3. RSS: This is more of a client thing. But Mail.app and Safari used to give me the ability to quickly and easily look at RSS feeds and handled them in a way that was very streamlined with my experience across the rest of the operating system. I am now using more and more Google Reader along with tools like Reeder, but I liked the fact that everything I needed for RSS madness was installed on even the test systems I used
  4. X11: I know, I know… Use XQuartz. It was nice having it built in though…
  5. Web Sharing: I guess the answer here is to just buy OS X Server. You can still fire up the LaunchDaemon and use Apache, but it’s a bit of a challenge. And the version in Server isn’t identical to Apache in Mountain Lion. There are two ways I’ve handled this. The first is to install Mountain Lion Server and then use the command `webpromotion demote` to switch the Apache configuration back to that of a client computer. The second is to fire up the LaunchDaemon directly using launchctl. If you’d like, there are also a number of free and/or 3rd party web servers, such as MAMP.
  6. Negative Mode: Well, I covered this already, and while the keystroke was gone, the feature never was – but here’s how to fix. Also, @sacrilicious turned me on to nocturne, which is pretty cool as well!
  7. iCal, Address Book and NetBoot: Actually, they’re now called Calendar, Contacts and NetInstall respectively. But still there. I actually like the renaming a lot, so I guess I don’t really miss any of them.
  8. Radius: OK, it’s there. Just command line only (unless you’re using an Apple AirPort). Maybe I should write an article about radius…
  9. The Server command line options: Actually, they just moved to a relative path to /Applications/Server.app/Contents/ServerRoot, as I mentioned here.
  10. Server Admin: I was going to say FTP, then I remembered it’s back. And then I remembered I never missed it in the first place. But dropping the remainder of the GUI tools for servers represents a bit of a challenge, mostly in figuring out how to do a few of the minor things, like enabling Server Side File Tracking, etc.
Tags , , , , , , , , , , , , , | Permalink | Comments (5)
Mac OS X Server

Server Admin Web Modules, curl & You

August 20, 2012 – 5:00 am

Since the early days, OS X Server has supported performing the serveradmin commands through a web interface. This interface was accessible at the address of the server followed by a colon and then 311 in a web browser. This feature was disabled by default in Mountain Lion. But fear causes hesitation, and hesitation will cause your worst fears to come true, so we’re going to turn it back on. To enable, use the following command:

sudo defaults write /Library/Preferences/com.apple.servermgrd requireUserAgent -bool false

Once done, open https://127.0.0.1:311 in a web browser, or replace 127.0.0.1 with the address of the server if accessing from another location. This is stimulating, but we’re out of here. So, authenticate to be greeted with a list of services.

Lawyers don’t surf.

At the Server Admin Modules page, each service output from `serveradmin list` appears. Clicking each produces the ability to run the commands you can supply using `serveradmin command` along with the service name. For example, to get a list of all of the connected AFP users in OS X Mountain Lion Server, run the following command:

sudo serveradmin command afp:command = getConnectedUsers

Now, to get the same list, click on the servermgr_afp.html link and then click on getConnectedUsers.

Life sure has a sick sense of humor, doesn’t it?

Click on Send Command to see the output.

Peace, through superior firepower.

You then see an XML output that shows who’s connected (since I’m on a flight right now, luckily no one is connected to mine). Now you also have a URL in the toolbar, which should look something like this:

https://127.0.0.1:311/commands/servermgr_afp?input=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%0D%0A%3Cplist+version%3D%220.9%22%3E%0D%0A%3Cdict%3E%0D%0A%09%3Ckey%3Ecommand%3C%2Fkey%3E%0D%0A%09%3Cstring%3EgetConnectedUsers%3C%2Fstring%3E%0D%0A%3C%2Fdict%3E%0D%0A%3C%2Fplist%3E%0D%0A&send=Send+Command

Rad, unicode. I guess spaces aren’t really compliant in URLs. Before we look at that, let’s take a look at what we can do with these. If you follow what I write, you have probably noticed that I use curl for tinkering with URLs a lot. In many cases, this is not the right tool. But I usually start there and move on if need be. Six seconds. We’re going to be meat waffles.

Because we’re going to assume the server is using a self-signed cert that we don’t yet trust, we’re gonna’ use a -k along with curl. Then we’re going to follow that with the link. However, since we need to auth, we’re going to also go ahead and embed the username (in this case johhny) followed by a : and then the password (in this example, bodhi), followed by an @ in between the https:// and the server address, as follows:

curl -k https://johhny:bodhi@127.0.0.1:311/commands/servermgr_afp?input=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%0D%0A%3Cplist+version%3D%220.9%22%3E%0D%0A%3Cdict%3E%0D%0A%09%3Ckey%3Ecommand%3C%2Fkey%3E%0D%0A%09%3Cstring%3EgetConnectedUsers%3C%2Fstring%3E%0D%0A%3C%2Fdict%3E%0D%0A%3C%2Fplist%3E%0D%0A&send=Send+Command

The output includes the afp:usersArray which shows active connections. The most interesting options, other than those for services you run in your environment, ar those under servermgr_info. Here, you can get PIDs for processes, kill PIDs, view logs, check file sizes, delete data and even reboot servers. Overall, this option has some security concerns, but provides some good insight into how the Server Admin tool worked under the hood in Mac OS X Lion Server and below while also serving as a functional option as an API for the  product, especially given that output is in XML, similar to the output of most other modern APIs.

Vaya con Dios, Brah.

Tags , , , , , , , , , , , , , , , | Permalink | Comments (5)
Mac OS X Mac OS X Server Mass Deployment

Enable Server Side File Tracking in OS X Mountain Lion Server

August 16, 2012 – 5:00 am

Mobile Home Directory synchronizing in OS X Server environments is used to synchronize the home folder of clients with a copy that lives on the server, so users can roam between computers with their desktop, documents and preferences following them from machine to machine. Server Side File Tracking creates and keeps a copy of the sync database on client machines and servers, comparing the two databases when synchronizing rather than scanning directories for all the synced files each time a synchronization occurs. In environments with synchronizing Mobile Home Directories, Server Side File Tracking (SSFT) can help reduce the amount of time required for syncs. Server Side File Tracking is disabled by default in OS X Mountain Lion Server and cannot be enabled from the Server app. To enable Server Side File Tracking (aka – FileSyncAgent), use the following command:

sudo serveradmin settings info:enableFileSyncAgent = yes

To then turn it back off, if you so choose:

sudo serveradmin settings info:enableFileSyncAgent = no

Logs are then stored in ~/Library/Logs/FileSyncAgent/FileSyncAgentVerbose.log if you need further information. Note that TCP port 2336 needs to be open for the FileSync Agent to connect over ssh on port 2336 to the server; however, ssh doesn’t need to be enabled on the standard port 22 but mobile users must have access to the SSH SACL.

Tags , , , , , , , , , , | Permalink | Comments Off
Mac OS X Mac OS X Server

Setting Up And Using Web Services in OS X Mountain Lion Server

August 15, 2012 – 5:00 am

Configuring web services is as easy in OS X Mountain Lion Server (10.8) as it has ever been. To set up the default web portal, simply open the Server app, click on the Websites service and click on the ON button.

After a time, the service will start. Once running, click on the View Server Website link at the bottom of the pane.

Provided the stock OS X Server page loads, you are ready to use OS X Server as a web server.

Before we setup custom sites, there are a few things you should know. The first is, the server is no longer really designed to remove the default website. So if you remove the site, your server will exhibit inconsistent behavior. Also, don’t remove the files that comprise the default site. Instead just add sites, which is covered next. Webmail is gone. You don’t have to spend a ton of time looking for it as it isn’t there. Also, Mountain Lion Server adds web apps, which we’ll briefly review later in this article as well.  Finally, enabling PHP and Python on sites is done globally, so this setting applies to all sites hosted on the server.

Now that we’ve got that out of the way, let’s add our first custom site. Do so by clicking on the plus sign. At the New Web Site pane, you’ll be prompted for a number of options. The most important is the name of the site, with other options including the following:

  • Domain Name: The name the site is accessible from. The default sites do not have this option as they are accessible from all names that resolve to the server.
  • IP Address: The IP address the site listens on. Any means the site is available from every IP address the server is configured to use. The default websites do not have this option as they are accessible from all addresses automatically
  • Port: By default, sites without SSL run on port 80 on all network interfaces, and sites with SSL run on port 443 on all network interfaces. Use the Port field to use custom ports (e.g., 8080). The default sites do not have this option as they are configured to use 80 and 443 for default and SSL-based communications respectively.
  • SSL Certificate: Loads a list of SSL certificates installed using Keychain or the SSL Certificate option in the Settings pane of the Server application
  • Store Site Files In: The directory that the files that comprise the website are stored in. These can be placed into the correct directory using file shares or copying using the Finder. Click on the drop-down menu and then select Other to browse to the directory files are stored in.
  • Who Can Access: By default Anyone (all users, including unauthenticated guests) can access the contents of sites. Clicking on Anyone and then Customize… brings up the “Restrict access to the following folders to a chosen group” screen, where you can choose web directories and then define groups of users who can access the contents.
  • Additional Domains: Click on the Edit… button to bring up a simple list of domain names the the site also responds for (e.g. in addition to krypted.com, add www.krypted.com).
  • Redirects: Click on the Edit… button to bring up a list of redirects within the site. This allows configuring redirects to other sites. For example, use /en to load english.krypted.com or /cn to load china.krypted.com).
  • Aliases: Click on the Edit… button to load a list of aliases. This allows configuring redirects to folders within the same server. For example, /en loads /Library/Server/Web/Data/Sites/Default
  • Index Files: Click on the Edit… button to bring up a list of pages that are loaded when a page isn’t directly indicated. For example, when visiting krypted.com, load the wp.php page by default.
  • Advanced Options: The remaining options are available by clicking on the “Edit Advanced Settings…” button.
  • Enable Server Side Includes: Allows administrators to configure leveraging includes in web files, so that pieces of code can be used across multiple pages in sites.
  • Allow overrides using .htaccess files: Using a .htaccess file allows administrators to define who is able to access a given directory, defining custom user names and passwords in the hidden .htaccess file. These aren’t usually required in an OS X Server web environment as local and directory-based accounts can be used for such operations. This setting enables using custom .htaccess files instead of relying on Apple’s stock web permissions.
  • Allow folder listing: Enables folder listings on directories of a site that don’t have an Index File (described in the non-Advanced settings earlier).
  • Allow CGI execution: Enables CGI scripts for the domain being configured.
  • Use custom error page: Allows administrators to define custom error pages, such as those annoying 404 error pages that load when a page can’t be found
  • Make these web apps available on this website: A somewhat advanced setting, loads items into the webapps array, which can be viewed using the following command:  sudo serveradmin settings web:definedWebApps

Once you’ve configured all the appropriate options, click on Done to save your changes. The site should then load. Sites are then listed in the list of Websites.

The Apache service is most easily managed from the Server app, but there are too many options in Apache to really be able to put into a holistic graphical interface. The easiest way to manage the Websites service in OS X Mountain Lion server is using the serveradmin command. Apache administrators from other platforms will be tempted to use the apachectl command to restart the Websites service. Instead, use the serveradmin command to do so. To start the service:

sudo serveradmin start web

To stop the service(s):

sudo serveradmin stop web

And to see the status:

sudo serveradmin fullstatus web

Fullstatus returns the following information:

web:health = _empty_dictionary
web:readWriteSettingsVersion = 1
web:apacheVersion = "2.2"
web:servicePortsRestrictionInfo = _empty_array
web:startedTime = "2012-08-13 23:01:42 +0000"
web:apacheState = "RUNNING"
web:statusMessage = ""
web:ApacheMode = 2
web:servicePortsAreRestricted = "NO"
web:state = "RUNNING"
web:setStateVersion = 1

While the health option typically resembles kiosk computers in the Computer Science departments of most major universities, much of the rest of the output can be pretty helpful including the Apache version, whether the service is running, any restrictions on ports and the date/time stamp that the service was started.

To see all of the settings available to the serveradmin command, run it, followed by settings and then web, to indicate the Websites service:

sudo serveradmin settings web

The output is pretty verbose and can be considered in two sections, the first includes global settings across sites as well as the information for the default sites that should not be deleted:

web:defaultSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSite:serverName = ""
web:defaultSite:realms = _empty_dictionary
web:defaultSite:redirects = _empty_array
web:defaultSite:enableServerSideIncludes = no
web:defaultSite:customLogPath = "&quot;/var/log/apache2/access_log&quot;"
web:defaultSite:webApps = _empty_array
web:defaultSite:sslCertificateIdentifier = ""
web:defaultSite:fullSiteRedirectToOtherSite = ""
web:defaultSite:allowFolderListing = no
web:defaultSite:serverAliases = _empty_array
web:defaultSite:errorLogPath = "&quot;/var/log/apache2/error_log&quot;"
web:defaultSite:fileName = "/Library/Server/Web/Config/apache2/sites/0000_any_80_.conf"
web:defaultSite:aliases = _empty_array
web:defaultSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSite:directoryIndexes:_array_index:2 = "/wiki/"
web:defaultSite:directoryIndexes:_array_index:3 = "default.html"
web:defaultSite:allowAllOverrides = no
web:defaultSite:identifier = "37502141"
web:defaultSite:port = 80
web:defaultSite:allowCGIExecution = no
web:defaultSite:serverAddress = "*"
web:defaultSite:requiresSSL = no
web:defaultSite:proxies = _empty_dictionary
web:defaultSite:errorDocuments = _empty_dictionary
web:defaultSecureSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSecureSite:serverName = ""
web:defaultSecureSite:realms = _empty_dictionary
web:defaultSecureSite:redirects = _empty_array
web:defaultSecureSite:enableServerSideIncludes = no
web:defaultSecureSite:customLogPath = "&quot;/var/log/apache2/access_log&quot;"
web:defaultSecureSite:webApps = _empty_array
web:defaultSecureSite:sslCertificateIdentifier = "com.apple.systemdefault.9912650B09DE94ED160146A3996A45EB3E39275B"
web:defaultSecureSite:fullSiteRedirectToOtherSite = ""
web:defaultSecureSite:allowFolderListing = no
web:defaultSecureSite:serverAliases = _empty_array
web:defaultSecureSite:errorLogPath = "&quot;/var/log/apache2/error_log&quot;"
web:defaultSecureSite:fileName = "/Library/Server/Web/Config/apache2/sites/0000_any_443_.conf"
web:defaultSecureSite:aliases = _empty_array
web:defaultSecureSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSecureSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSecureSite:directoryIndexes:_array_index:2 = "/wiki/"
web:defaultSecureSite:directoryIndexes:_array_index:3 = "default.html"
web:defaultSecureSite:allowAllOverrides = no
web:defaultSecureSite:identifier = "37502140"
web:defaultSecureSite:port = 443
web:defaultSecureSite:allowCGIExecution = no
web:defaultSecureSite:serverAddress = "*"
web:defaultSecureSite:requiresSSL = yes
web:defaultSecureSite:proxies = _empty_dictionary
web:defaultSecureSite:errorDocuments = _empty_dictionary
web:dataLocation = "/Library/Server/Web/Data"
web:mainHost:keepAliveTimeout = 15.000000
web:mainHost:maxClients = "50%"

The second section is per-site settings, with an array entry for each site:

web:customSites:_array_index:0:documentRoot = "/Library/Server/Web/Data/Sites/www2.krypted.com"
web:customSites:_array_index:0:serverName = "www2.krypted.com"
web:customSites:_array_index:0:realms = _empty_dictionary
web:customSites:_array_index:0:redirects = _empty_array
web:customSites:_array_index:0:enableServerSideIncludes = no
web:customSites:_array_index:0:customLogPath = "/var/log/apache2/access_log"
web:customSites:_array_index:0:webApps = _empty_array
web:customSites:_array_index:0:sslCertificateIdentifier = ""
web:customSites:_array_index:0:fullSiteRedirectToOtherSite = ""
web:customSites:_array_index:0:allowFolderListing = no
web:customSites:_array_index:0:serverAliases = _empty_array
web:customSites:_array_index:0:errorLogPath = "/var/log/apache2/error_log"
web:customSites:_array_index:0:fileName = "/Library/Server/Web/Config/apache2/sites/0000_any_80_www2.krypted.com.conf"
web:customSites:_array_index:0:aliases = _empty_array
web:customSites:_array_index:0:directoryIndexes:_array_index:0 = "index.html"
web:customSites:_array_index:0:directoryIndexes:_array_index:1 = "index.php"
web:customSites:_array_index:0:directoryIndexes:_array_index:2 = "/wiki/"
web:customSites:_array_index:0:directoryIndexes:_array_index:3 = "default.html"
web:customSites:_array_index:0:allowAllOverrides = no
web:customSites:_array_index:0:identifier = "41179886"
web:customSites:_array_index:0:port = 80
web:customSites:_array_index:0:allowCGIExecution = no
web:customSites:_array_index:0:serverAddress = "*"
web:customSites:_array_index:0:requiresSSL = no
web:customSites:_array_index:0:proxies = _empty_dictionary
web:customSites:_array_index:0:errorDocuments = _empty_dictionary

The final section (the largest by far) includes array entries for each defined web app. The following shows the entry for a Hello World Python app:

web:definedWebApps:_array_index:15:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:15:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_wsgi.conf"
web:definedWebApps:_array_index:15:requiredModuleNames:_array_index:0 = "wsgi_module"
web:definedWebApps:_array_index:15:startCommand = ""
web:definedWebApps:_array_index:15:sslPolicy = 0
web:definedWebApps:_array_index:15:requiresSSL = no
web:definedWebApps:_array_index:15:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:15:launchKeys = _empty_array
web:definedWebApps:_array_index:15:proxies = _empty_dictionary
web:definedWebApps:_array_index:15:preflightCommand = ""
web:definedWebApps:_array_index:15:stopCommand = ""
web:definedWebApps:_array_index:15:name = "com.apple.webapp.wsgi"
web:definedWebApps:_array_index:15:displayName = "Python &quot;Hello World&quot; app at /wsgi"

Each site has its own configuration file defined in the array for each section. By default these are stored in the /Library/Server/Web/Config/apache2/sites directory, with /Library/Server/Web/Config/apache2/sites/0000_any_80_www2.krypted.com.conf being the file for the custom site we created previously. As you can see, many of the options available in the Server app are also available in these files:

<VirtualHost *:80>
ServerName www2.krypted.com
ServerAdmin admin@example.com
DocumentRoot "/Library/Server/Web/Data/Sites/www2.krypted.com"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log

<IfModule mod_ssl.c>
SSLEngine Off
SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SSLProtocol -ALL +SSLv3 +TLSv1
SSLProxyEngine On
SSLProxyProtocol -ALL +SSLv3 +TLSv1
</IfModule>

<Directory "/Library/Server/Web/Data/Sites/www2.krypted.com">
Options All -Indexes -ExecCGI -Includes +MultiViews
AllowOverride None
<IfModule mod_dav.c>
DAV Off
</IfModule>
<IfDefine !WEBSERVICE_ON>
Deny from all
ErrorDocument 403 /customerror/websitesoff403.html
</IfDefine>
</Directory>

</VirtualHost>

The serveradmin command can also be used to run commands. For example, to reset the service to factory defaults, delete the configuration files for each site and then run the following command:

sudo serveradmin command web:command=restoreFactorySettings

The final tip I’m going to give in this article is when to make changes with each app. I strongly recommend making all of your changes in the Server app when possible. When it isn’t, use serveradmin and when you can’t make changes in serveradmin, only then alter the configuration files that come with the operating system by default. I also recommend keeping backups of all configuration files that are altered and a log of what was altered in each, in order to help piece the server back together should it become unconfigured miraculously when a softwareupdate -all is run next.

Tags , , , , , , , , , , , , , , , , , , , , , , , , , , , , | Permalink | Comments (14)

Next Page »

Next Page »