krypted.com

Tiny Deathstars of Foulness

Startup profiles configure profiles to install at the next boot, rather than immediately. Useful in a number of scenarios. Use the -s to define a startup profile and take note that if it fails, the profile will attempt to install at each subsequent reboot until installed. To use the command, simply add a -s then the -F for the profile and the -f to automatically confirm, as follows (and I like to throw in a -v usually for good measure):

profiles -s -F /Profiles/SuperAwesome.mobileconfig -f -v

And that’s it. Nice and easy and you now have profiles that only activate when a computer is started up.

September 15th, 2017

Posted In: Mac OS X

Tags: , , , , ,

Leave a Comment

The command to create and tear down an Open Directory environment is slapconfig. When you disable Open Directory from the Server app you aren’t actually removing users. To do so, you’d use slapconfig along with the -destroyldapserver. When run, you get a little insight into what’s happening behind the scenes. This results in the following:

bash-3.2# sudo slapconfig -destroyldapserver

The logs are as follows:

2017-09-09 20:59:31 +0000 slapconfig -destroyldapserver 2017-09-09 20:59:31 +0000 Deleting Cert Authority related data 2017-09-09 20:59:31 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/krypted Open Directory Certificate Authority. 2017-09-09 20:59:31 +0000 command: /usr/sbin/xscertadmin add –reason 5 –issuer krypted Open Directory Certificate Authority –serial 1339109282 2017-09-09 20:59:51 +0000 Could not find matching identity in system keychain 2017-09-09 20:59:51 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist 2017-09-09 20:59:51 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist 2017-09-09 20:59:51 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist 2017-09-09 20:59:51 +0000 Stopping LDAP server (slapd) 2017-09-09 20:59:53 +0000 Stopping password server 2017-09-09 20:59:56 +0000 Removed all service principals from keytab for realm MACOSSERVER.KRYPTED.COM 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/mail.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.004. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.003. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.002. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.005. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.006. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/__db.001. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/openldap/authdata/alock. 2017-09-09 20:59:56 +0000 Removed directory at path /var/db/openldap/authdata. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/slapd.conf. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/rootDSE.ldif. 2017-09-09 20:59:56 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist. 2017-09-09 20:59:56 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif. 2017-09-09 20:59:56 +0000 Removed directory at path /etc/openldap/slapd.d. 2017-09-09 20:59:56 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config. 2017-09-09 20:59:56 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif. 2017-09-09 20:59:56 +0000 Removed directory at path /etc/openldap/slapd.d.backup. 2017-09-09 20:59:59 +0000 Stopping password server 2017-09-09 20:59:59 +0000 Removed file at path /etc/ntp_opendirectory.conf. 2017-09-09 20:59:59 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.

September 14th, 2017

Posted In: Mac OS X Server

Tags: , , , , ,

Leave a Comment

Server comes with a command called RoomsAdminTool located at /Applications/Server.app/Contents/ServerRoot/usr/bin/RoomsAdminTool. This tool can list available rooms using a -l flag:

RoomsAdminTool -l

You can also create new rooms, using the following format, where krypted is the name of the room, the persistent option means the room is, er, persistent. The description option indicates a description used for the room.

RoomsAdminTool -n krypted -c persistent yes description "This room is for friends of krypted only”

To then delete the room, use the -d option:

RoomsAdminTool -n krypted -d

Add the -v to do it all verbosely. There are lots of other options as well, as follows (from the man page): Valid Configuration Keys and Values:
KEYVALID VALUESDESCRIPTION
descriptionstringA short description for the room
passwordstringDefine a password for room entry. An empty string implies no password required.
membersOnlyyes | noOnly room members are allowed to enter the room.
subjectLockedyes | noAre non-moderators and non-admins prevented from setting the room subject
logFormatDisabled | Text | XHTMLDisable room logging, or enable it using Text or XHTML.
maxUsersinteger; 0 for unlimitedSet the maximum allowed occupants for the room.
moderatedyes | no Make the room "moderated".
nonAnonymousyes | noIf "yes", only moderators/owners can discover occupants' real JIDs.
persistentyes | noPersistent rooms stay open until they are explicitly destroyed and their configuration survives service restarts, unlike non-persistent rooms.
privateMessagesAllowedyes | no Whether or not occupants can exchange private messages within the room.
roomPublicyes | no Defines whether the room be discovered by anyone
subjectstringSet a room subject/topic
usersCanInviteyes | no Defines whether occupants can invite other users to enter the room
addOwnervalid JabberIDMake the specified user a room owner (ex.: admin@krypted.com). Rooms can have multiple owners.
removeOwnervalid JabberIDRemove the specified user from the room owner list
addAdminvalid JabberIDMake the specified user a room admin
removeAdminvalid JabberIDRemove the specified user from the room admin list
addMembervalid JabberIDMake the specified user a room member
removeMembervalid JabberIDRemove the specified user from the room member list
addOutcastvalid JabberIDMake the specified user a room outcast (banned from public rooms)
removeOutcastvalid JabberIDRemove the specified user from the room outcast list
Ultimately, if you’d like to do Student Information System (SIS) integration, or wait for an AD/OD group and then programmatically generate rooms, this is how you’d do it. Also, it’s worth noting that Messages (and so Jabber if you’re running your own server) is a very basic instant messaging tool. There are more modern ways of interacting with others these days, including Slack and Confluence. Additionally, the Messages app can just use the phone number of people to let address books become a way of managing groups you’d like to message. These do not require a dedicated server, but most strategies will require a monthly fee that’s typically per-user.

September 9th, 2017

Posted In: Mac OS X Server

Tags: , , , , ,

Leave a Comment

In the following example script, I’m going to pull a list of just the usernames from fdesetup. sudo fdesetup list The output would be as follows:
charlesedge,F4D8B61D-1234-1234-98F4-103470EE1234 emerald,2E1203EA-1234-4E0D-1234-717D27221234 admin,50058FCF-88DF-1234-1234-91FCF28C0488
I’ll then pipe them into sed and use the , as a delimiter, pulling * or everything before it: sudo fdesetup list | sed 's;,.*;;' As follows:
charlesedge emerald admin

August 29th, 2017

Posted In: bash, Mac OS X, Mac OS X Server

Tags: , , ,

Wordpress has an app. That means there’s an API to normalize communication using a predictable programmatic interface. In this case, as with many others, that’s done using a standard REST interface to communicate. The easiest way to interact with any API is to just read some stuff from the server via curl. You can feed curl the URL to the API by using your URL followed by /wp-json – as follows, assuming a URL of http://www.krypted.com: curl http://www.krypted.com/wp-json To view header information: curl -s -D - http://www.krypted.com -o /dev/null In the below example we’ll ask for a list of posts by adding /wp/v2/posts to the URL: curl http://www.krypted.com/wp-json/wp/v2/posts You’ll see a list of some posts in the output along with a little metadata about the posts. You can then grab an ID and ask for just that post, using a post ID of 48390: curl http://www.krypted.com/wp-json/wp/v2/posts/48390 You can also see revisions that have been made to a post by appending the URL with /revisions curl http://www.krypted.com/wp-json/wp/v2/posts/48390/revisions You can see comments with the comments route: curl http://www.krypted.com/wp-json/wp/v2/comments Or pages with the pages route: curl http://www.krypted.com/wp-json/wp/v2/pages Or users with the users route: curl http://www.krypted.com/wp-json/wp/v2/users Or media that has been uploaded with the media route: curl http://www.krypted.com/wp-json/wp/v2/media And the output of each can be constrained to a single item in that route by providing the ID of the item, which shows additional metadata about the specified item. And there are routes for categories, tags, etc. There’s also some good stuff at https://github.com/WP-API such as https://github.com/WP-API/Basic-Auth which is a plugin that allows you to auth against the API. curl --user admin:krypted http://www.krypted.com/wp-json/users/me Not only can you look at user information, you can also add and remove posts. You would add by doing a -X followed by a POST and then feeding a file with the –data option curl --user admin:password -X POST http://www.krypted.com/wp-json/posts --data @post.json The output would then include the ID of your new post to wordpress. In the following example, we’ll get rid of the post we were looking at earlier using -X and DELETE in the URL, assuming a username of admin, a password of krypted, and a post ID of 48390: curl --user admin:krypted -X DELETE http://www.krypted.com/wp-json/posts/48390 If successfully deleted the response would be as follows:
{ “message”:”Deleted post” }
To dig in deeper, check out http://v2.wp-api.org/reference/posts/ where the whole schema is documented. You can also use the https://github.com/WP-API GitHub site to access a command called wp (as well as PHP, node, and java clients) that can be run at the command line for simple scripting interfaces. This could allow you to, for example, simply backup posts to json files, etc. Also, it’s worth noting that various plugins will require their own interface (note there’s no themes or plugins route), such as woocommerce, interfacing with http://gerhardpotgieter.com/2014/02/10/woocommerce-rest-api-client-library/ or https://woocommerce.github.io/woocommerce-rest-api-docs/.

July 14th, 2017

Posted In: WordPress

Tags: , , , , , , , ,

Tomcat logs events into the system log. You can use the get-wmiobject commandlet to see events. Here, we’ll look at a JSS and view only system events: Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' We can then use AND to further constrain to specific messages, in this case those containing Tomcat: Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' AND (Message like '%Tomcat%') We can then further constrain output to those with a specific EventCode with another compound statement: Get-WmiObject Win32_NTLogEvent -ComputerName $jss -Filter "LogFile='system' AND (Message like '%Tomcat%') AND (EventCode=1024) For a comprehensive list of Windows event codes, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx. You could instead use get-eventlog to see system logs. For example, the following will list the latest 100 entries in the system log: Get-Eventlog -LogName system -Newest 1000 And the following lists the number of unique entries in descending order using Sort-Object, along with the -Property option set to count: Get-Eventlog -LogName system -Newest 1000 | Sort-Object -Property count -Descending And the following would additionally constrain the output to entries with the word Tomcat using the -Message option: Get-Eventlog -LogName system -Newest 1000 -Message "*Tomcat*" | Sort-Object -Property count -Descending And to focus on a server called jss, use the -ComputerName option: Get-Eventlog -LogName system -Newest 1000 -Message "*Tomcat*" -ComputerName "localhost" | Sort-Object -Property count -Descending

July 11th, 2017

Posted In: JAMF, Windows Server

Tags: , , , , , , ,

My latest inc.com piece is available at https://www.inc.com/charles-edge/your-employees-want-extra-training-but-youre-going-to-have-to-help-them-get-star.html. It starts off like this, if it’s your kinda’ thing:
Employee engagement is dipping, according to a new study by human resources consultancy Aon Hewitt, but as an manager, you can make the workplace more appealing through positive initiatives such as employee training and development. Indeed, I’ve often had people I manage ask for more training. My answer is always an emphatic “yes.” But then something funny often happens: nothing. Giving staff approval for trainingdoesn’t necessarily mean that they’ll do it unless you follow up methodically and even micromanage the process. Why does this happen and what does it show about how employers and employees alike can do a better job to make sure development happens? I have five theories.

July 7th, 2017

Posted In: Articles and Books

Tags: , , , , ,

June 21st, 2017

Posted In: MacAdmins Podcast

Tags: , , , , ,

Clients discover the Apple Caching service bundled with macOS Server (and in the future macOS) automatically. You can create a text recored for _aaplcache._tcp on your DNS server. That would look
_aaplcache._tcp 518400 IN TXT “prs=192.168.50.100”
Name: _aaplcache._tcp with a type of TXT and a TTL of 518400 seconds. The prs is the address to be used and is set to a value using prs=192.168.50.100.

June 15th, 2017

Posted In: Mac OS X Server

Tags: , , , ,

June 2nd, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast

Tags: , , , , ,

Next Page »