Tag Archives: server

Articles and Books Mac OS X Mac OS X Server Mac Security Mass Deployment

My Take Control Of OS X Server Book Now Available!

Thanks to all the awesome work from Adam and Tanya Engst, Tidbits announced today that my Take Control of OS X Server is now available! To quote some of the Tidbits writeup:

Some projects turn out to be harder than expected, and while Charles Edge’s “Take Control of OS X Server” was one of them, we’re extremely pleased to announce that the full 235-page book is now available in PDF, EPUB, and Mobipocket versions to help anyone in a home or small office environment looking to get started with Apple’s OS X Server.

As you’ll likely remember, we published this book chapter by chapter for TidBITS members, finishing it in early September (see “‘Take Control of OS X Server’ Streaming in TidBITS,” 12 May 2014). Doing so got the information out more quickly, broke up the writing and editing effort, and elicited reader comments that helped us refine the text.

Normally, we would have moved right into final editing and published the book quickly, but from mid-September on, our attention has been focused on OS X 10.10 Yosemite, iOS 8, and our new Take Control Crash Course series. We were working non-stop, and while we wanted to release “Take Control of OS X Server,” we felt it was more important to finish the books about Apple’s new operating systems for the thousands of people who rely on Take Control for technical assistance.

During that time, we had the entire book copyedited by Caroline Rose, who’s best known for writing and editing Inside Macintosh Volumes I through III at Apple and being the editor in chief at NeXT. Plus, we went over the book carefully to ensure that it used consistent terminology and examples, optimized the outline, and improved many of the screenshots.

The main problem with this delay was that Apple has now updated OS X Server from version 3.2.2 (Mavericks Server, which is what we used when writing the book) to 4.0 (Yosemite Server, which is all that works in Yosemite). Updating the book for Yosemite Server would delay it even longer. Luckily for us, veteran system administrators say that you should never upgrade OS X Server on a production machine right away. And even luckier, the changes in Yosemite Server turn out to be extremely minor (a sidebar in the Introduction outlines them), so those who want to get started now can use the instructions in the book with no problem. It’s also still possible to buy Mavericks Server and install it on a Mac running Mavericks, as long as you have the right Mac App Store link from the book. We are planning to update the book for Yosemite Server (which mostly involves retaking screenshots and changing the “mavserver” name used in examples) in early 2015 — it will be a free update for all purchasers.

Screen Shot 2014-11-24 at 7.59.44 PM

You can find out more about the book at http://www.takecontrolbooks.com/osx-server. An update will be due out in early 2015, so stay tuned for more!

Mac OS X Mac OS X Server Mac Security Mass Deployment

Configure The Calendar Service In Mac OS X Yosemite Server

Configuring Calendar Server in Yosemite Server is a fairly simple and straight forward process. The Calendar Server is a CalDAV Server, leveraging HTTP and HTTPS, running on ports 8008 and 8443 respectively. To enable the Calendar service in Yosemite Server, open the Server application and click on Calendar in the SERVICES section of the sidebar.

Calendar1

Once open, click on Edit to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button.

Calendar2

At the Configure Server Email Address screen, provide the type of incoming mail service in use, provide the address of the mail server and then the port number used, if not a standard port for HTTPS-based IMAP (or POP if you’d prefer), the user name and the valid password for the account. Then click on the Next button.

Calendar3

At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be if possible), the password protocol, the user name and the password. Then click on the Next button.

Calendar4

At the Mail Account Summary screen, review the settings and if correct, click Finish. Back at the service configuration screen, click on the plus sign (“+”) and provide a type of location, an address, a delegate, a name for the location, whether or not invitations to the resource are accepted and then enter the account name for any accounts that can manage the location’s calendar (they will auto-complete, so there’s no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in type to configure a resource instead of a location. The two are the same, except the Type field.

Calendar5

There are a number of settings that can also be configured. But those are exposed only at the command line. To configure them, open the command line and then review the list of Calendar service settings using the list option of the serveradmin command:

sudo serveradmin settings calendar

There are a number of settings for the Calendar service, including the following:

calendar:SSLCertificate = "/etc/certificates/Server Fallback SSL Certificate.11C002258ECABBFB37846C9B0CEA59391D4759AD.cert.pem"
calendar:EnableCalDAV = yes
calendar:Notifications:Services:APNS:CardDAV:CertificatePath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.contact.cert.pem"
calendar:Notifications:Services:APNS:CardDAV:PrivateKeyPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.contact.key.pem"
calendar:Notifications:Services:APNS:CardDAV:AuthorityChainPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.contact.chain.pem"
calendar:Notifications:Services:APNS:CalDAV:CertificatePath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.calendar.cert.pem"
calendar:Notifications:Services:APNS:CalDAV:PrivateKeyPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.calendar.key.pem"
calendar:Notifications:Services:APNS:CalDAV:AuthorityChainPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.calendar.chain.pem"
calendar:Notifications:Services:APNS:Enabled = yes
calendar:SSLAuthorityChain = "/etc/certificates/Server Fallback SSL Certificate.11C002258ECABBFB37846C9B0CEA59391D4759AD.chain.pem"
calendar:DefaultLogLevel = "warn"
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:Enabled = yes
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Wiki:Enabled = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:ServerHostName = "mavserver.takecontrolbooks.com"
calendar:Scheduling:iMIP:Sending:UseSSL = yes
calendar:Scheduling:iMIP:Sending:Server = "mail.krypted.com"
calendar:Scheduling:iMIP:Sending:Address = "com.apple.calendarserver@calendar.krypted.com"
calendar:Scheduling:iMIP:Sending:Username = "admin"
calendar:Scheduling:iMIP:Sending:Password = "Mitroae123"
calendar:Scheduling:iMIP:Sending:Port = 465
calendar:Scheduling:iMIP:Enabled = yes
calendar:Scheduling:iMIP:Receiving:UseSSL = yes
calendar:Scheduling:iMIP:Receiving:Server = "mail.krypted.com"
calendar:Scheduling:iMIP:Receiving:Type = "imap"
calendar:Scheduling:iMIP:Receiving:Username = "krypted"
calendar:Scheduling:iMIP:Receiving:Password = "Mitroae123"
calendar:Scheduling:iMIP:Receiving:Port = 993
calendar:DataRoot = "/Library/Server/Calendar and Contacts/Data"
calendar:EnableCardDAV = no
calendar:SSLPort = 8443
calendar:LogLevels = _empty_dictionary
calendar:DirectoryAddressBook:params:queryUserRecords = no
calendar:DirectoryAddressBook:params:queryPeopleRecords = no
calendar:SSLPrivateKey = "/etc/certificates/Server Fallback SSL Certificate.11C002258ECABBFB37846C9B0CEA59391D4759AD.key.pem"
calendar:EnableSSL = yes
calendar:RedirectHTTPToHTTPS = yes
calendar:EnableAPNS = yes
calendar:EnableSearchAddressBook = no
calendar:HTTPPort = 8008

One of the more common settings to configure is the port number that CalDAV runs on. To configure HTTP:

sudo serveradmin settings calendar:HTTPPort = 8008

For HTTPS:

sudo serveradmin settings calendar:SSLPort = 8443

You can then start the service using the start option:

sudo serveradmin start calendar

Or to stop it:

sudo serveradmin stop calendar

Or to get the status:

sudo serveradmin fullstatus calendar

Full status indicates that the three services are running:

calendar:readWriteSettingsVersion = 1
calendar:setStateVersion = 1
calendar:state = "RUNNING"
calendar:contactsState = "RUNNING"
calendar:calendarState = "RUNNING"

Once the Calendar server is configured, use the Calendar application to communicate with the server. Open the Calendar application and click on the Calendar menu and select Preferences. From the Preferences screen, click on Accounts to bring up a list of accounts. Here, click on the plus sign (“+”) to bring up the “Add an Account” screen.

Calendar6

At the “Add an Account” screen, select Add CalDAV Account.

Calendar7

CalDAV from the Account Type menu and then enter the User Name and password configured on the server, and add the address of the server if you don’t have any service records pointing to the server. The User Name is usually the name provided in Server app, followed by @ and then the address of the server.

Calendar8

Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account and then to share a calendar, right-click on the calendar and click on Share Calendar…

Calendar9

At the Share Calendar screen, provide the name the calendar should appear as to others and click on the plus sign (“+”) and enter any accounts to delegate administration to.

Calendar10

Back at the Calendar Settings screen, use the settings to configure Availability and refresh rate of calendars, as seen above. Click on Server Settings to assign custom port numbers.

Calendar11

Click on the Delegation tab to view any accounts you’ve been given access to.

Calendar12

Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions.

Overall, the Calendar service in Yosemite Server is one of the easiest to configure. Most of the work goes into settings configured on client systems. This, as with Exchange, dedistributes administration, often making administration more complicated than with many other tools. But that’s a good thing; no one wants to access other peoples accounts, for calendars or mail for that matter, without those users knowing that it was done, as will happen when resetting passwords…

Uncategorized

Setup NetInstall On OS X Yosemite Running the Server app

The NetBoot service allows administrators of OS X computers to leverage images hosted on a server to boot computers to a central location and put a new image on them, upgrade them and perform automations based on upgrades and images. Since the very first versions of OS X, the service has been called NetBoot. In the Server app, Apple provides a number of options surrounding the NetInstall service, based on Automator-style actions, now calling the service NetInstall.

The first step to configuring the NetInstall service is to decide what you want the service to do. There are three options available in System Image Utility (available under the Tools menu of the Server app in OS X Server):

  • Create a NetBoot Image: Allows Macs to boot over the network to a disk image hosted on a server.
  • Create a NetInstall Image: Leverage NetBoot as a boot disk so that an image hosted on a server can be used to run an OS X installer.
  • Create a NetRestore Image: Leverage NetBoot as a boot disk so that you can restore a computer that has been configured over a network. Use this option to restore an image that has been prepared.

For the purposes of this example, we’re going to use an OS X Yosemite (10.10) installer running Server 3 to boot an OS X computer over the network. The first step in doing so is to create a Network Disk Image of 10.10, or the 10.10 installation media (which is the Install OS X Yosemite bundle for this example). Before setting it up, download the Install OS X Yosemite installer app into the /Applications directory from the App Store.

To then set up the NetBoot disk image (you can’t start the NetInstall service until you give it an image to serve), often referred to as the NetBoot set, open the Server app and then click on System Image Utility from the Tools menu of OS X.

netinstall1

When System Image Utility opens, click on the Install OS X Yosemite entry in the list of available sources. Then, in the list of options, click on NetInstall Image and then click on the Continue button.

netinstall2

At the Image Settings screen, enter the name the NetBoot set will have in the Network Disk field. Then, enter a description of what is on the NetBoot set in the Description field. If the image will be served from multiple servers, check the box for “Image will be served from more than one server.”
Then provide an account name, short name and password in the Image Settings screen. Once provided, click Create to generate the Network Disk Image.

netinstall3

When prompted, click on the Agree button to accept the licensing agreement.

netinstall4

Then, when prompted, select a location to store the Disk Image, provide any tags to be applied to the files that comprise the image and click on Save.

Netinstall5

The computer will then start creating the NetBoot set. Once finished, it’s time to set up the NetInstall service in OS X Yosemite Server. To get started, go back to the Server app.

Netinstall6

First, define which disk will host NetBoot Images. To do so, click on the Edit Storage Settings button. At the Storage Settings overlay, select the volume that Images will be hosted as well as the volume that Client Data will be hosted. The Image is what you are creating and the Client Data is dynamic data stored in images.

netinstall7

If you only have one disk, as in this example, click on “Images & Client Data” for that disk. Then click on the OK button. Once you’ve selected a disk to store your image, we need to copy the disk image into the Library/NetBoot/NetBootSP0 folder of the disk used for images. Once in the appropriate folder, click on the Edit button for the Enable NetInstall on: field

netinstall8

Check the box for the interface you want to serve images over (if you only have one then it’s pretty obvious which interface this will be. Click on the OK button to save your settings. Then, click on the Images tab.

netinstall9

Each server can host multiple images. The Images tab displays a list of NetBoot images stored in the Library/NetBoot/NetBootSP0 directory. By default, images have a red indicator light. This means they’re not being served over any specific protocol yet. Double-click on an image.

netinstall10

At the image settings screen, check the box for “Make available over” and for many environments, select NFS as the protocol. Note, you can also restrict access to the image to certain models of Apple computers and/or certain MAC addresses by using the “Image is visible to” and “Restrict access to this images” options respectively. Additionally, use the Make this image available for diskless booting option to allow computers without hard drives to boot to the image.

netinstall11

Click on the Done button and the image will appear as green in the list of images. Click on the image and then click on the cog-wheel icon. Click on “Use as Default Boot Image” to set an image to be the default images computers boot to when booting to NetBoot. Now, it’s as easy as clicking on the ON button. Do so to start the service.

netinstall12

Once started, open a Terminal window. Here, let’s get a status of the service using the serveradmin fullstatus option (along with the service name, which is still netboot from the command line):

sudo serveradmin fullstatus netboot

The output of which shows the various components, logs and states of components:

netboot:state = “RUNNING”
netboot:stateTFTP = “RUNNING”
netboot:readWriteSettingsVersion = 1
netboot:netBootConnectionsArray = _empty_array
netboot:logPaths:netBootLog = “/var/log/system.log”
netboot:dhcpLeasesArray = _empty_array
netboot:stateDHCP = “STOPPED”
netboot:stateHTTP = “RUNNING”
netboot:serviceCanStart = 0
netboot:timeOfSnapshot = “2014-10-07 18:39:33 +0000″
netboot:stateNFS = “RUNNING”
netboot:stateImageArray:_array_index:0:_array_index:0 = 0
netboot:stateImageArray:_array_index:0:_array_index:1 = 0
netboot:stateImageArray:_array_index:0:_array_index:2 = 0
netboot:stateImageArray:_array_index:0:_array_index:3 = 0
netboot:stateImageArray:_array_index:0:_array_index:4 = 2
netboot:stateImageArray:_array_index:1:_array_index:0 = 0
netboot:stateImageArray:_array_index:1:_array_index:1 = 0
netboot:stateImageArray:_array_index:1:_array_index:2 = 0
netboot:stateImageArray:_array_index:1:_array_index:3 = 0
netboot:stateImageArray:_array_index:1:_array_index:4 = 2
netboot:stateImageArray:_array_index:2:_array_index:0 = 0
netboot:stateImageArray:_array_index:2:_array_index:1 = 0
netboot:stateImageArray:_array_index:2:_array_index:2 = 0
netboot:stateImageArray:_array_index:2:_array_index:3 = 0
netboot:stateImageArray:_array_index:2:_array_index:4 = 2
netboot:stateImageArray:_array_index:3:_array_index:0 = 0
netboot:stateImageArray:_array_index:3:_array_index:1 = 0
netboot:stateImageArray:_array_index:3:_array_index:2 = 0
netboot:stateImageArray:_array_index:3:_array_index:3 = 0
netboot:stateImageArray:_array_index:3:_array_index:4 = 2
netboot:servicePortsRestrictionInfo = _empty_array
netboot:netBootClientsArray = _empty_array
netboot:servicePortsAreRestricted = “NO”
netboot:setStateVersion = 1
netboot:startedTime = “”
netboot:stateAFP = “RUNNING”

And to start the service when not running:

sudo serveradmin start netboot

There are also a number of settings available at the command line that are not in the graphical interface. For example, to allow writing to the NetBoot share:

sudo serveradmin settings netboot:netBootStorageRecordsArray:_array_index:0:readOnlyShare = no

Or to get more verbose logs:

sudo serveradmin settings netboot:logging_level = “HIGH”

To stop the service:

sudo serveradmin stop netboot

In the beginning of this article, I mentioned that ways to configure NetInstall images. I’ll cover NetInstall and NetRestore in later articles as they tend to be more involved workflow-wise than copying a volume into a Network Disk Image. But to end this one, many an old-school admin might wonder where all the settings went that used to be in the GUI. Well, serveradmin still maintains a lot of the older stuff. To see a list of all available settings, run serveradmin with the settings verb and then netboot:

sudo serveradmin settings netboot

If there was a feature you want to use (e.g. maximum users), you should see it in the resultant list:

netboot:netBootFiltersRecordsArray = _empty_array
netboot:netBootStorageRecordsArray:_array_index:0:sharepoint = yes
netboot:netBootStorageRecordsArray:_array_index:0:clients = yes
netboot:netBootStorageRecordsArray:_array_index:0:volType = “hfs”
netboot:netBootStorageRecordsArray:_array_index:0:okToDeleteSharepoint = no
netboot:netBootStorageRecordsArray:_array_index:0:readOnlyShare = no
netboot:netBootStorageRecordsArray:_array_index:0:path = “/”
netboot:netBootStorageRecordsArray:_array_index:0:okToDeleteClients = yes
netboot:netBootStorageRecordsArray:_array_index:0:volName = “Yos”
netboot:netBootStorageRecordsArray:_array_index:1:sharepoint = yes
netboot:netBootStorageRecordsArray:_array_index:1:clients = yes
netboot:netBootStorageRecordsArray:_array_index:1:volType = “hfs”
netboot:netBootStorageRecordsArray:_array_index:1:okToDeleteSharepoint = yes
netboot:netBootStorageRecordsArray:_array_index:1:readOnlyShare = no
netboot:netBootStorageRecordsArray:_array_index:1:path = “/Volumes/Base_Image”
netboot:netBootStorageRecordsArray:_array_index:1:okToDeleteClients = yes
netboot:netBootStorageRecordsArray:_array_index:1:volName = “Base_Image”
netboot:netBootStorageRecordsArray:_array_index:2:sharepoint = yes
netboot:netBootStorageRecordsArray:_array_index:2:clients = yes
netboot:netBootStorageRecordsArray:_array_index:2:volType = “hfs”
netboot:netBootStorageRecordsArray:_array_index:2:okToDeleteSharepoint = yes
netboot:netBootStorageRecordsArray:_array_index:2:readOnlyShare = no
netboot:netBootStorageRecordsArray:_array_index:2:path = “/Volumes/New Volume 1″
netboot:netBootStorageRecordsArray:_array_index:2:okToDeleteClients = yes
netboot:netBootStorageRecordsArray:_array_index:2:volName = “New Volume”
netboot:netBootPortsRecordsArray:_array_index:0:deviceAtIndex = “en3″
netboot:netBootPortsRecordsArray:_array_index:0:isEnabledAtIndex = yes
netboot:netBootPortsRecordsArray:_array_index:0:nameAtIndex = “USB Ethernet”
netboot:logging_level = “MEDIUM”
netboot:filterEnabled = no
netboot:netBootImagesRecordsArray:_array_index:0:imageType = “netboot”
netboot:netBootImagesRecordsArray:_array_index:0:IsInstall = no
netboot:netBootImagesRecordsArray:_array_index:0:Kind = “1”
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:0 = “iMac10,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:1 = “iMac11,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:2 = “iMac11,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:3 = “iMac11,3″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:4 = “iMac12,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:5 = “iMac12,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:6 = “iMac13,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:7 = “iMac13,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:8 = “iMac13,3″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:9 = “iMac7,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:10 = “iMac8,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:11 = “iMac9,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:12 = “Mac-031B6874CF7F642A”
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:13 = “Mac-27ADBB7B4CEE8E61″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:14 = “Mac-50619A408DB004DA”
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:15 = “Mac-77EB7D7DAF985301″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:16 = “MacBook5,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:17 = “MacBook5,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:18 = “MacBook6,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:19 = “MacBook7,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:20 = “MacBookAir2,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:21 = “MacBookAir3,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:22 = “MacBookAir3,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:23 = “MacBookAir4,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:24 = “MacBookAir4,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:25 = “MacBookAir5,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:26 = “MacBookAir5,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:27 = “MacBookAir6,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:28 = “MacBookAir6,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:29 = “MacBookPro10,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:30 = “MacBookPro10,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:31 = “MacBookPro3,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:32 = “MacBookPro4,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:33 = “MacBookPro5,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:34 = “MacBookPro5,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:35 = “MacBookPro5,3″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:36 = “MacBookPro5,4″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:37 = “MacBookPro5,5″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:38 = “MacBookPro6,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:39 = “MacBookPro6,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:40 = “MacBookPro7,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:41 = “MacBookPro8,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:42 = “MacBookPro8,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:43 = “MacBookPro8,3″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:44 = “MacBookPro9,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:45 = “MacBookPro9,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:46 = “Macmini3,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:47 = “Macmini4,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:48 = “Macmini5,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:49 = “Macmini5,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:50 = “Macmini5,3″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:51 = “Macmini6,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:52 = “Macmini6,2″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:53 = “MacPro3,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:54 = “MacPro4,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:55 = “MacPro5,1″
netboot:netBootImagesRecordsArray:_array_index:0:DisabledSystemIdentifiers:_array_index:56 = “Xserve3,1″
netboot:netBootImagesRecordsArray:_array_index:0:Description = “NetBoot of OS X 10.10 (13A598) Install (7.14 GB).”
netboot:netBootImagesRecordsArray:_array_index:0:Name = “NetBoot of Install OS X Yosemite”
netboot:netBootImagesRecordsArray:_array_index:0:pathToImage = “/Library/NetBoot/NetBootSP0/NetBoot of Install OS X Yosemite.nbi/NBImageInfo.plist”
netboot:netBootImagesRecordsArray:_array_index:0:Index = 1280
netboot:netBootImagesRecordsArray:_array_index:0:osVersion = “10.10”
netboot:netBootImagesRecordsArray:_array_index:0:BackwardCompatible = no
netboot:netBootImagesRecordsArray:_array_index:0:SupportsDiskless = no
netboot:netBootImagesRecordsArray:_array_index:0:EnabledSystemIdentifiers = _empty_array
netboot:netBootImagesRecordsArray:_array_index:0:Language = “Default”
netboot:netBootImagesRecordsArray:_array_index:0:BootFile = “booter”
netboot:netBootImagesRecordsArray:_array_index:0:IsDefault = no
netboot:netBootImagesRecordsArray:_array_index:0:Type = “HTTP”
netboot:netBootImagesRecordsArray:_array_index:0:Architectures = “4”
netboot:netBootImagesRecordsArray:_array_index:0:IsEnabled = yes
netboot:netBootImagesRecordsArray:_array_index:0:RootPath = “NetBoot.dmg”
netboot:afpUsersMax = “50”

Active Directory Windows Server Windows XP

Use Syslog on Windows

There are a number of tools available for using Syslog in a Windows environment. I’ll look at Snare as it’s pretty flexible and easy to configure. First download the snare installation executable from http://sourceforge.net/projects/snare. Once downloaded run the installer and simply follow all of the default options, unless you’d like to password protect the admin page, at which point choose that. Note that the admin page is by default only available to localhost.

Once installed, run the “Restore Remote Access to Snare for Windows” script.

Screen Shot 2014-04-10 at 10.56.43 AM

Then open http://127.0.0.1:6161 and click on Network Configuration in the red sidebar. There, we can define the name that will be used in syslog (or leave blank to use the hostname), the port of your syslog server (we used 514 here) and the address of your syslog server (we used logger here but it could be an IP or fqdn).

Screen Shot 2014-04-08 at 10.58.04 AM

 

Once you have the settings you’d like to use, scroll down and save your configuration settings. Then, open Services and restart the Snare service.

Screen Shot 2014-04-08 at 10.56.22 AM

Then run the Disable Remote Access to Snare for Windows option and you’re done. Now, if you’re deploying Snare across a lot of hosts, you might find that scripting the config is faster. You can send the Destination hostname (here listed as meh) and Destination Port (here 514) via regedit commands (Destination and DestPort respectively) and then restart the service.

Screen Shot 2014-04-08 at 10.56.51 AM

I’ll do another article at some point on setting up a logstash server to dump all these logs into. Logstash can also parse the xml so you can search for each attribute in the logs and with elasticsearch/hadoop/Kibana makes for an elegant interface for parsing through these things.

Microsoft Exchange Server

Selectively Import PST Files Into Outlook

I’ve written plenty about exporting mailboxes from Exchange. But what if you need to perform a selective import into Outlook? This is helpful for importing mail in date ranges, using an import to search for terms (common with litigation holds) and importing contacts and calendars.

To get started, click Open from the File ribbon.

Screen Shot 2014-02-03 at 10.51.01 AM

When prompted, click on Import/Export.

Screen Shot 2014-02-03 at 10.51.11 AM

At the Import and Export Wizard screen, click on “Import from another program or file”

Screen Shot 2014-02-03 at 10.51.27 AM

At the “Import a File” screen, click on “Outlook Data File (pst)”

Screen Shot 2014-02-03 at 10.51.41 AM

 

At the Import Outlook Data File screen, choose the mailbox to import into and then click on the Filter button. Using the filtering options, you can choose to import based on date ranges, using search terms, selecting specific folders or a combination of all of these.

Mac OS X Server

Using the Help Options in OS X Server

Open Server, click Help, then click Server Help. You can then search and browse for information about things you’d like to accomplish using the Help Center.

Screen Shot 2013-11-05 at 4.16.18 PM

Now, click the arrow for each service for information about configuring that service. You will see an arrow for each service.

Screen Shot 2013-11-05 at 4.17.19 PM

Click the arrow for more information on that specific service.

Mac OS X Mac OS X Server Xsan

Installing Final Cut Server on Lion & Mountain Lion Server

Thanks to Allan Sanderson for the following submission, which outlines how to install Final Cut Server in Lion and Mountain Lion Server.

In Server.app

————-
Websites:
Check “Enable PHP web applications”

Install Java
————
Open /Applications/Utilities/Java Preferences.app
You’ll be prompted by Software Update service to install Java, click “Continue”, provide admin credentials when promopted.

Install Final Cut Server
————————
Run Final Cut Server installer.
Then run Software Update to get ProApplications 2010-02 & Final Cut Server v1.5.2 updates.

Check Configuration
——————-
1)
Check fcsvr user has been created:
dscl /Local/Default -search /Users RecordName fcsvr
Output should look something like this:
fcsvr RecordName = (
fcsvr
)

2)
Check “fcsvr” user’s home folder location is set to “/Library/Application Support/Final Cut Server”
dscl /Local/Default -read /Users/fcsvr NFSHomeDirectory
Output should look something like this:
NFSHomeDirectory: /Library/Application Support/Final Cut Server
If it doesn’t, caorrect it with this command:
sudo dscl /Local/Default -create /Users/fcsvr NFSHomeDirectory “/Library/Application Support/Final Cut Server”

Customisations To Make It Work
——————————
A word to the wise, I personally take a backup before making any changes to system files, Time Machine is nice ‘n all, but I’d prefer not to have to go there in the first place.

1)
An out the box FCSvr install doesn’t set an “AUTH_TYPE” key/value pair in the com.apple.FinalCutServer.settings.plist file. Under 10.5 & 10.6 this didn’t cause any issues, but 10.7+ does seem to be an issue. So for Local and Open Directory authentication, this command will do the job:
sudo defaults write /Library/Preferences/com.apple.FinalCutServer.settings “AUTH_TYPE” -int 2
If you’re being more daring and trying to work with an Active Directory, then you’ll want the following:
sudo defaults write /Library/Preferences/com.apple.FinalCutServer.settings “AUTH_TYPE” -int 1

2)
Because of how things have changed between 10.6 and 10.7 & 10.8, its necessary to manually copy the apache site config into a users apache space.
sudo cp “/Library/Application Support/Final Cut Server/Final Cut Server.bundle/Contents/Resources/share/conf/client_apache2.conf” “/etc/apache2/users/fcsvr.conf”

3)
Now in order for the apache site config to be read by apache, we need to add in the necessary direction for httpd.
Append “UserDir Sites” to end of “/etc/apache/httpd.conf”, this can be done as a one-liner if you like:
sudo echo “UserDir Sites” >>/etc/apache2/httpd.conf

4)
Lastly we have to add in the redirection settings for 10.7+ as the installers isn’t able to do this due to file path changes between the OS revisions.
So, in your /etc/apache2/sites/0000_any_80_.conf file, paste in the following lines after the IfModule for mod_ssl.c:
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteEngine On
RewriteRule .* – [F]
RewriteRule ^/FinalCutServer$ /~fcsvr/Sites/webstart/index.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_mac.jnlp$ /~fcsvr/Sites/webstart/macJnlp.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_windows.jnlp$ /~fcsvr/Sites/webstart/windowsJnlp.php [NC,L]
RewriteRule ^/FinalCutServer/FinalCutServer_other.jnlp$ /~fcsvr/Sites/webstart/jnlp.php [NC,L]
</IfModule>
ORIGINAL_SOURCES: http://www.linkedin.com/groups/Has-anyone-been-able-get-138082%2ES%2E67319989?view=&srchtype=discussedNews&gid=138082&item=67319989&type=member&trk=eml-anet_dig-b_pd-ttl-cn&ut=2M3_ri588Lslo1

SPECIAL_MENTIONS: Matt Geller, David Colville

Mac OS X Mac OS X Server Mac Security Mass Deployment

Enable Push Notifications In OS X Mountain Lion Server

Push Notifications can be used in most every service OS X Mountain Lion Server can run. Any service that requires Push Notifications will provide the ability to setup APNS during the configuration of the service. But at this point, I usually just set up Push Notifications when I setup a new server.

To enable Push Notifications for services, you’ll first need to have a valid AppleID. Once you have an AppleID, open the Server app and then click on the name of the server. At the Overview screen, click on Settings.

At the Settings screen for your server, click on the check-box for “Enable Apple push notifications.”

At the Apple Push Notification Services certificate screen, enter an AppleID if you have not yet configured APNS and click on OK. The Apple Push Notification Service certificate will then be configured.

The certificate is valid for one year, by default. Administrators receive an alert when the certificate is due to expire. To renew, open the same screen and click on the Renew button.

Enter the credentials for the AppleID again and then click on Renew Certificate button. The certificate will then be valid for another year.

Mac OS X Mac OS X Server

Setting Up And Using Web Services in OS X Mountain Lion Server

Configuring web services is as easy in OS X Mountain Lion Server (10.8) as it has ever been. To set up the default web portal, simply open the Server app, click on the Websites service and click on the ON button.

After a time, the service will start. Once running, click on the View Server Website link at the bottom of the pane.

Provided the stock OS X Server page loads, you are ready to use OS X Server as a web server.

Before we setup custom sites, there are a few things you should know. The first is, the server is no longer really designed to remove the default website. So if you remove the site, your server will exhibit inconsistent behavior. Also, don’t remove the files that comprise the default site. Instead just add sites, which is covered next. Webmail is gone. You don’t have to spend a ton of time looking for it as it isn’t there. Also, Mountain Lion Server adds web apps, which we’ll briefly review later in this article as well.  Finally, enabling PHP and Python on sites is done globally, so this setting applies to all sites hosted on the server.

Now that we’ve got that out of the way, let’s add our first custom site. Do so by clicking on the plus sign. At the New Web Site pane, you’ll be prompted for a number of options. The most important is the name of the site, with other options including the following:

  • Domain Name: The name the site is accessible from. The default sites do not have this option as they are accessible from all names that resolve to the server.
  • IP Address: The IP address the site listens on. Any means the site is available from every IP address the server is configured to use. The default websites do not have this option as they are accessible from all addresses automatically
  • Port: By default, sites without SSL run on port 80 on all network interfaces, and sites with SSL run on port 443 on all network interfaces. Use the Port field to use custom ports (e.g., 8080). The default sites do not have this option as they are configured to use 80 and 443 for default and SSL-based communications respectively.
  • SSL Certificate: Loads a list of SSL certificates installed using Keychain or the SSL Certificate option in the Settings pane of the Server application
  • Store Site Files In: The directory that the files that comprise the website are stored in. These can be placed into the correct directory using file shares or copying using the Finder. Click on the drop-down menu and then select Other to browse to the directory files are stored in.
  • Who Can Access: By default Anyone (all users, including unauthenticated guests) can access the contents of sites. Clicking on Anyone and then Customize… brings up the “Restrict access to the following folders to a chosen group” screen, where you can choose web directories and then define groups of users who can access the contents.
  • Additional Domains: Click on the Edit… button to bring up a simple list of domain names the the site also responds for (e.g. in addition to krypted.com, add www.krypted.com).
  • Redirects: Click on the Edit… button to bring up a list of redirects within the site. This allows configuring redirects to other sites. For example, use /en to load english.krypted.com or /cn to load china.krypted.com).
  • Aliases: Click on the Edit… button to load a list of aliases. This allows configuring redirects to folders within the same server. For example, /en loads /Library/Server/Web/Data/Sites/Default
  • Index Files: Click on the Edit… button to bring up a list of pages that are loaded when a page isn’t directly indicated. For example, when visiting krypted.com, load the wp.php page by default.
  • Advanced Options: The remaining options are available by clicking on the “Edit Advanced Settings…” button.
  • Enable Server Side Includes: Allows administrators to configure leveraging includes in web files, so that pieces of code can be used across multiple pages in sites.
  • Allow overrides using .htaccess files: Using a .htaccess file allows administrators to define who is able to access a given directory, defining custom user names and passwords in the hidden .htaccess file. These aren’t usually required in an OS X Server web environment as local and directory-based accounts can be used for such operations. This setting enables using custom .htaccess files instead of relying on Apple’s stock web permissions.
  • Allow folder listing: Enables folder listings on directories of a site that don’t have an Index File (described in the non-Advanced settings earlier).
  • Allow CGI execution: Enables CGI scripts for the domain being configured.
  • Use custom error page: Allows administrators to define custom error pages, such as those annoying 404 error pages that load when a page can’t be found
  • Make these web apps available on this website: A somewhat advanced setting, loads items into the webapps array, which can be viewed using the following command:  sudo serveradmin settings web:definedWebApps

Once you’ve configured all the appropriate options, click on Done to save your changes. The site should then load. Sites are then listed in the list of Websites.

The Apache service is most easily managed from the Server app, but there are too many options in Apache to really be able to put into a holistic graphical interface. The easiest way to manage the Websites service in OS X Mountain Lion server is using the serveradmin command. Apache administrators from other platforms will be tempted to use the apachectl command to restart the Websites service. Instead, use the serveradmin command to do so. To start the service:

sudo serveradmin start web

To stop the service(s):

sudo serveradmin stop web

And to see the status:

sudo serveradmin fullstatus web

Fullstatus returns the following information:

web:health = _empty_dictionary
web:readWriteSettingsVersion = 1
web:apacheVersion = "2.2"
web:servicePortsRestrictionInfo = _empty_array
web:startedTime = "2012-08-13 23:01:42 +0000"
web:apacheState = "RUNNING"
web:statusMessage = ""
web:ApacheMode = 2
web:servicePortsAreRestricted = "NO"
web:state = "RUNNING"
web:setStateVersion = 1

While the health option typically resembles kiosk computers in the Computer Science departments of most major universities, much of the rest of the output can be pretty helpful including the Apache version, whether the service is running, any restrictions on ports and the date/time stamp that the service was started.

To see all of the settings available to the serveradmin command, run it, followed by settings and then web, to indicate the Websites service:

sudo serveradmin settings web

The output is pretty verbose and can be considered in two sections, the first includes global settings across sites as well as the information for the default sites that should not be deleted:

web:defaultSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSite:serverName = ""
web:defaultSite:realms = _empty_dictionary
web:defaultSite:redirects = _empty_array
web:defaultSite:enableServerSideIncludes = no
web:defaultSite:customLogPath = "&quot;/var/log/apache2/access_log&quot;"
web:defaultSite:webApps = _empty_array
web:defaultSite:sslCertificateIdentifier = ""
web:defaultSite:fullSiteRedirectToOtherSite = ""
web:defaultSite:allowFolderListing = no
web:defaultSite:serverAliases = _empty_array
web:defaultSite:errorLogPath = "&quot;/var/log/apache2/error_log&quot;"
web:defaultSite:fileName = "/Library/Server/Web/Config/apache2/sites/0000_any_80_.conf"
web:defaultSite:aliases = _empty_array
web:defaultSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSite:directoryIndexes:_array_index:2 = "/wiki/"
web:defaultSite:directoryIndexes:_array_index:3 = "default.html"
web:defaultSite:allowAllOverrides = no
web:defaultSite:identifier = "37502141"
web:defaultSite:port = 80
web:defaultSite:allowCGIExecution = no
web:defaultSite:serverAddress = "*"
web:defaultSite:requiresSSL = no
web:defaultSite:proxies = _empty_dictionary
web:defaultSite:errorDocuments = _empty_dictionary
web:defaultSecureSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSecureSite:serverName = ""
web:defaultSecureSite:realms = _empty_dictionary
web:defaultSecureSite:redirects = _empty_array
web:defaultSecureSite:enableServerSideIncludes = no
web:defaultSecureSite:customLogPath = "&quot;/var/log/apache2/access_log&quot;"
web:defaultSecureSite:webApps = _empty_array
web:defaultSecureSite:sslCertificateIdentifier = "com.apple.systemdefault.9912650B09DE94ED160146A3996A45EB3E39275B"
web:defaultSecureSite:fullSiteRedirectToOtherSite = ""
web:defaultSecureSite:allowFolderListing = no
web:defaultSecureSite:serverAliases = _empty_array
web:defaultSecureSite:errorLogPath = "&quot;/var/log/apache2/error_log&quot;"
web:defaultSecureSite:fileName = "/Library/Server/Web/Config/apache2/sites/0000_any_443_.conf"
web:defaultSecureSite:aliases = _empty_array
web:defaultSecureSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSecureSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSecureSite:directoryIndexes:_array_index:2 = "/wiki/"
web:defaultSecureSite:directoryIndexes:_array_index:3 = "default.html"
web:defaultSecureSite:allowAllOverrides = no
web:defaultSecureSite:identifier = "37502140"
web:defaultSecureSite:port = 443
web:defaultSecureSite:allowCGIExecution = no
web:defaultSecureSite:serverAddress = "*"
web:defaultSecureSite:requiresSSL = yes
web:defaultSecureSite:proxies = _empty_dictionary
web:defaultSecureSite:errorDocuments = _empty_dictionary
web:dataLocation = "/Library/Server/Web/Data"
web:mainHost:keepAliveTimeout = 15.000000
web:mainHost:maxClients = "50%"

The second section is per-site settings, with an array entry for each site:

web:customSites:_array_index:0:documentRoot = "/Library/Server/Web/Data/Sites/www2.krypted.com"
web:customSites:_array_index:0:serverName = "www2.krypted.com"
web:customSites:_array_index:0:realms = _empty_dictionary
web:customSites:_array_index:0:redirects = _empty_array
web:customSites:_array_index:0:enableServerSideIncludes = no
web:customSites:_array_index:0:customLogPath = "/var/log/apache2/access_log"
web:customSites:_array_index:0:webApps = _empty_array
web:customSites:_array_index:0:sslCertificateIdentifier = ""
web:customSites:_array_index:0:fullSiteRedirectToOtherSite = ""
web:customSites:_array_index:0:allowFolderListing = no
web:customSites:_array_index:0:serverAliases = _empty_array
web:customSites:_array_index:0:errorLogPath = "/var/log/apache2/error_log"
web:customSites:_array_index:0:fileName = "/Library/Server/Web/Config/apache2/sites/0000_any_80_www2.krypted.com.conf"
web:customSites:_array_index:0:aliases = _empty_array
web:customSites:_array_index:0:directoryIndexes:_array_index:0 = "index.html"
web:customSites:_array_index:0:directoryIndexes:_array_index:1 = "index.php"
web:customSites:_array_index:0:directoryIndexes:_array_index:2 = "/wiki/"
web:customSites:_array_index:0:directoryIndexes:_array_index:3 = "default.html"
web:customSites:_array_index:0:allowAllOverrides = no
web:customSites:_array_index:0:identifier = "41179886"
web:customSites:_array_index:0:port = 80
web:customSites:_array_index:0:allowCGIExecution = no
web:customSites:_array_index:0:serverAddress = "*"
web:customSites:_array_index:0:requiresSSL = no
web:customSites:_array_index:0:proxies = _empty_dictionary
web:customSites:_array_index:0:errorDocuments = _empty_dictionary

The final section (the largest by far) includes array entries for each defined web app. The following shows the entry for a Hello World Python app:

web:definedWebApps:_array_index:15:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:15:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_wsgi.conf"
web:definedWebApps:_array_index:15:requiredModuleNames:_array_index:0 = "wsgi_module"
web:definedWebApps:_array_index:15:startCommand = ""
web:definedWebApps:_array_index:15:sslPolicy = 0
web:definedWebApps:_array_index:15:requiresSSL = no
web:definedWebApps:_array_index:15:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:15:launchKeys = _empty_array
web:definedWebApps:_array_index:15:proxies = _empty_dictionary
web:definedWebApps:_array_index:15:preflightCommand = ""
web:definedWebApps:_array_index:15:stopCommand = ""
web:definedWebApps:_array_index:15:name = "com.apple.webapp.wsgi"
web:definedWebApps:_array_index:15:displayName = "Python &quot;Hello World&quot; app at /wsgi"

Each site has its own configuration file defined in the array for each section. By default these are stored in the /Library/Server/Web/Config/apache2/sites directory, with /Library/Server/Web/Config/apache2/sites/0000_any_80_www2.krypted.com.conf being the file for the custom site we created previously. As you can see, many of the options available in the Server app are also available in these files:

<VirtualHost *:80>
ServerName www2.krypted.com
ServerAdmin admin@example.com
DocumentRoot "/Library/Server/Web/Data/Sites/www2.krypted.com"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log

<IfModule mod_ssl.c>
SSLEngine Off
SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SSLProtocol -ALL +SSLv3 +TLSv1
SSLProxyEngine On
SSLProxyProtocol -ALL +SSLv3 +TLSv1
</IfModule>

<Directory "/Library/Server/Web/Data/Sites/www2.krypted.com">
Options All -Indexes -ExecCGI -Includes +MultiViews
AllowOverride None
<IfModule mod_dav.c>
DAV Off
</IfModule>
<IfDefine !WEBSERVICE_ON>
Deny from all
ErrorDocument 403 /customerror/websitesoff403.html
</IfDefine>
</Directory>

</VirtualHost>

The serveradmin command can also be used to run commands. For example, to reset the service to factory defaults, delete the configuration files for each site and then run the following command:

sudo serveradmin command web:command=restoreFactorySettings

The final tip I’m going to give in this article is when to make changes with each app. I strongly recommend making all of your changes in the Server app when possible. When it isn’t, use serveradmin and when you can’t make changes in serveradmin, only then alter the configuration files that come with the operating system by default. I also recommend keeping backups of all configuration files that are altered and a log of what was altered in each, in order to help piece the server back together should it become unconfigured miraculously when a softwareupdate -all is run next.

Mac OS X Server

Using Wikis & WebDAV in OS X Mountain Lion

A wiki is a repository of dynamically created and managed content, or content created or edited by multiple users collaboratively. This article is about using the wiki service in Mountain Lion. I reference file services with WebDAV because it is a very nice integration piece that I think a lot of people will find pretty beneficial.

To get started with the Wiki service, first turn it on. This one isn’t heavily dependent on host names (other than being able to access the server from a browser) or directory services (other than being able to authenticate users, but local accounts are perfectly functional) and it doesn’t require the Websites service to be running as well. One should always have good working directory services and host names, still…

To enable the service, open the Server app and click on Wiki in the list of SERVICES in the List Pane.

There are two configuration options. The first is to select who is able to create wikis. Use the “Wikis can be created by” drop-down list to select “all users” if anyone with an account on the server should be able to create a wiki or “only some users” to bring up the Wiki Creators screen.

If only some users can create new wikis, use the plus sign (“+”) at the Wiki Creators screen to add users and/or groups to the list of users that can create wikis. Click on OK when all users and groups that can create wikis are added. In a school I would imagine that only teachers or IT staff would be able to create wikis. Once a wiki is created, pages inside the wiki can still be created by non-wiki creators.

The other option available is the handy dandy WebDAV interface to the wikis. When you enable this option, you can connect to a server from OS X or iOS via WebDAV and access files in each wikis document repository. To be clear, this option doesn’t provide access to the user documents, but does provide access to the wiki documents. We’re going to check the box for “Enable WebDAV access to Wiki files” and then click the ON button.

Once the service starts, click on the View Wiki link in the Wiki workspace in Server app.

Here, click on the Log in button and enter a user with access to the server, preferably one who can create wikis.

At the Wikis page, you will then see a list of all wikis you have access to. Note that the previous screen showed one wiki and now we see two. That’s because one of the wikis has permissions that allow “All unauthenticated users” access to the wiki, which we’ll describe shortly.

The first thing most administrators will do is create a wiki. To do so, click on the plus sign (“+”) icon on the web page and at the resultant screen, click on New Wiki.

At the “Create a new wiki” prompt, provide a name for the wiki and a brief description for it.

Click on Continue.

At the Set permissions screen, enter each user or group to provide access to edit and view wiki pages. Here, you’ll have the options for Read & Write (users can view and edit pages in the wiki), Read only (users can only view the contents of your pages) and No access (users have no access to the wiki). There is a group for All logged in users, which includes every user with access to the server and another for All unauthorized users, which includes guests to the server. Once you’ve given the appropriate permissions, click on Continue.

Note: You don’t have to get this perfect now as you can always edit these later.

At the Set Appearance screen, you can choose an icon for the wiki (shown in the wiki list and when you open the wiki) as well as a color scheme for the wiki. Choose the appropriate appearance for your wiki (again, you can always change this later) and then click on the Create button.

Once you’ve created your first wiki, let’s edit it and customize the content. To do so, click on it from the list of available wikis. Click on the cog-wheel icon and then Wiki Settings… to bring up the Wiki Settings page.

Here, you’ll see the previously entered name and description as well as options to enable Calendar (only available if Calendar Server is running on the server) and Blog, which enables  a blog service for the wiki (wiki administrators can post blog entries to the wiki). Click on Appearance.

Here, you will have the previous two options as well as the ability to upload a banner (which should be 62 pixels high) and background for each wiki.

Click on Permissions. Here, you’ll see the permissions previously configured as well as options to configure who can comment on articles (nobody disables comments completely) in the wiki and whether comments require approval (moderation).

Click on Save. Now, let’s edit the splash page. To do so, click the pencil icon in the top navigation bar.

At the edit screen, the top nav bar is replaced by a WYSIWIG editor for managing the page. Here you can justify, link, insert media and of course edit the text you see on the screen. I recommend spending some time embedding links, inserting tables, making text look like you want it to and editing the content to reflect the purpose of the wiki. Click Save when you’re done. Click the pencil again to edit it, and let’s create a new wiki page. Keep in mind that link wikipedia, each page should be linked to from other pages in the order they should be read. Unlike most wikis, there’s actually an index page of all the articles, which can come in handy.

From the edit page, to create a new page and link to it, enter some text (or lasso some) that you’ll use as the link to access the new page you’re creating. Then click on the arrow and select “New page.”

Note: Use Enter URL to link to an existing page or an external website.

At the New Page screen, provide a name for the new page (the lasso’d text automatically appears as the Page Title) and click on the Add button.

Click Save and then click on the newly created link. You can now edit the new page the same way you edited the previous pages. Click on the disclosure triangles in the right sidebar to Comment on articles, link articles to related articles, tag articles and view editing history.

Now for the fun part. Click on Documents. Here, you’ll see the pages you already created. Click on the plus sign and select the option to Upload File to the wiki.

At the Upload File dialog, click on Choose File and then select a file to upload. Click Upload when selected.

Then from the Finder of an OS X client, use the Go menu to select “Connect to Server”. Enter the name or IP of the server and then click on Connect.

Assuming you can access the server, you should then be prompted for a username and password. Enter it and click Connect.

Eventually, the file(s) will display. You can connect to this same screen through an iPad using a 3rd party WebDAV client or the build in options in Pages.

Managing wikis is as easy as its ever been, with the new options for appearance being a nice add-on. Active Directory integration is as easy as binding the server to Active Directory and using the accounts listed in Permissions of pages. Overall, the ability to edit, upload and view documents from the Wiki is a great new feature in OS X Mountain Lion Server, worthy of checking out if you haven’t already!