
View Your Old Settings

The first step to moving pretty much any service off macOS Server is to look at the old settings. The second step is to ask whether where you plan to put the service is a good idea. For example, these days I prefer to run DHCP on a network appliance, but it can absolutely be run on a Mac, so let’s look at how to do that. Here, we’ll use the serveradmin command to view the settings of the DHCP service:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings dhcp

The output is an array of subnets with different settings per subnet.

dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_primary_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_router = "10.15.40.1"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_secondary_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_start = "10.15.40.2"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_end = "10.15.43.253"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name = "clients.msp.jamfsw.corp"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:0 = "8.8.8.8"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:1 = "4.4.4.4"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:lease_max = 36000
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_mask = "255.255.252.0"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_ldap_url = _empty_array
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_node_type = "NOT_SET"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_enabled = yes
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_NBDD_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_address = "10.15.40.0"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_scope_id = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:selected_port_name = "en1"
dhcp:subnet_defaults:logVerbosity = "MEDIUM"
dhcp:subnet_defaults:routers:en0 = "10.15.40.1"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:0 = "BROADCAST_B_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:1 = "HYBRID_H_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:2 = "NOT_SET"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:3 = "PEER_P_NODE"
dhcp:subnet_defaults:WINS_node_type_list:_array_index:4 = "MIXED_M_NODE"
dhcp:subnet_defaults:WINS_node_type = "NOT_SET"
dhcp:subnet_defaults:dhcp_domain_name = "krypted.com"
dhcp:subnet_defaults:logVerbosityList:_array_index:0 = "LOW"
dhcp:subnet_defaults:logVerbosityList:_array_index:1 = "MEDIUM"
dhcp:subnet_defaults:logVerbosityList:_array_index:2 = "HIGH"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:0 = "8.8.8.8"
dhcp:subnet_defaults:dhcp_domain_name_server:_array_index:1 = "4.4.4.4"
dhcp:subnet_defaults:selected_port_key = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:0 = "en0"
dhcp:subnet_defaults:selected_port_key_list:_array_index:1 = "bridge0"
dhcp:logging_level = "MEDIUM"

Configure DHCP Settings

The easy way to configure a DHCP server is to use Internet Sharing from the Sharing pane in System Preferences: open System Preferences, click on Sharing and then Internet Sharing. But wait, where do you configure a scope, or the DNS server, or… The answer is “the command line”, but don’t be put off by that. In this case I prefer it.

Now, let’s go hacking around in your bootpd.plist. This file is stored at /private/etc/bootpd.plist and you’ll need sudo in order to edit it. First, back it up. Next, let’s cat the file and cover a few basic examples of migrating the settings:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NetBoot</key>
<dict/>
<key>Subnets</key>
<array>
<dict>
<key>allocate</key>
<true/>
<key>dhcp_domain_name</key>
<string>krypted.com</string>
<key>dhcp_domain_name_server</key>
<array>
<string>8.8.8.8</string>
<string>4.4.4.4</string>
</array>
<key>dhcp_router</key>
<string>10.15.40.1</string>
<key>lease_max</key>
<integer>36000</integer>
<key>name</key>
<string>10.15.42/22 Wi-Fi</string>
<key>net_address</key>
<string>10.15.40.0</string>
<key>net_mask</key>
<string>255.255.252.0</string>
<key>net_range</key>
<array>
<string>10.15.40.2</string>
<string>10.15.43.253</string>
</array>
<key>selected_port_name</key>
<string>en1</string>
<key>uuid</key>
<string>22217FF5-4DDB-4841-A731-EF5DA080E672</string>
</dict>
</array>
<key>netboot_disabled</key>
<array>
<string>en8</string>
</array>
</dict>
</plist>

Let’s start with a simple example of copying the range from one of these to the other. First, locate the net_range_start and net_range_end keys in your serveradmin output. Then find the net_range array in your bootpd.plist. They’re the same in my two examples because the macOS Server app was just hacking the bootpd.plist (OK, it was doing more, but that was the main thing it was doing). On a fresh new server you might have a very different plist, so you can borrow the one above if ya’ need to. Replace the two values in the two strings with those from your server if needed.

Next, find the dhcp_router setting for that subnet and match it to the same key in the bootpd.plist. Then, the net_mask. These are all that are required for DHCP to work (technically, the router isn’t required, but Apple gear behaves super-weird when there’s no router, so it’s best to have one when possible). If you need WINS, domain names, DNS servers, etc., simply repeat the process. You can also copy and paste the code block between the <dict> sections if you need multiple subnets. Or you could move the service to a more capable network appliance, if needed.

The settings for bootpd include the following, many of which can be seen in the above output:
  • dhcp_enabled – Used to enable DHCP for each network interface. Replace the <false/> immediately below it with <array> <string>en0</string> </array>. For additional entries, duplicate the string line and enter each interface from ifconfig that you’d like to serve DHCP on.
  • bootp_enabled – This can be left as <false/> or set to an array of the adapters that should be enabled if you wish to use the BOOTP protocol in addition to DHCP. Note that the server can do both BOOTP and DHCP simultaneously.
  • allocate – Use the allocate key for each subnet in the Subnets array to enable that subnet once the service is enabled.
  • Subnets – Use this array to create additional scopes or subnets that you will be serving DHCP for. To do so, copy the entry in the array and paste it immediately below the existing entry. The entry is a dictionary, so copy all of the data between and including the <dict> and </dict> immediately after the <array> entry for the subnet itself.
  • lease_max and lease_min – Set these integers to the time, in seconds, for a client to retain its DHCP lease.
  • name – If there are multiple subnet entries, this should be unique and give a friendly name for the subnet itself.
  • net_address – The network address of the subnet. For example, assuming a /24 and 172.16.25 as the first three octets, the entry would be 172.16.25.0.
  • net_mask – The subnet mask clients should have.
  • net_range – The first entry should have the first IP in the range and the second the last IP in the range. For example, for that /24 the range could be 172.16.25.2 to 172.16.25.253.
  • dhcp_domain_name_server – There should be a string for each DNS server supplied by DHCP in this array.
  • dhcp_domain_search – Each domain in the domain search field should be supplied as a string within this array. If you don’t need one, delete the key and the array.
  • dhcp_router – This entry should contain the router (default gateway) used for clients on the subnet, if there is one. If not, delete the key and the string that follows it.
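As an added example (not the post’s own code), here is a Python script that does the copying described above mechanically: it parses the subnet lines of `serveradmin settings dhcp` output, checks that the range actually sits inside net_address/net_mask, drops empty values the way the post says to delete unused keys, and writes the Subnets entry in the bootpd.plist layout shown earlier. The key mapping follows the post; the `name` value and the sample serveradmin text (a trimmed copy of the output above) are my own.

```python
import ipaddress
import plistlib
import re

# Constructed sample: a trimmed copy of the `serveradmin settings dhcp` output above.
SERVERADMIN_OUTPUT = """\
dhcp:static_maps = _empty_array
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:WINS_primary_server = ""
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_router = "10.15.40.1"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_start = "10.15.40.2"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_range_end = "10.15.43.253"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name = "clients.msp.jamfsw.corp"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:0 = "8.8.8.8"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_domain_name_server:_array_index:1 = "4.4.4.4"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:lease_max = 36000
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_mask = "255.255.252.0"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:dhcp_enabled = yes
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:net_address = "10.15.40.0"
dhcp:subnets:_array_id:22217FF5-4DDB-4841-A731-EF5DA080E672:selected_port_name = "en1"
dhcp:subnet_defaults:logVerbosity = "MEDIUM"
"""

SUBNET_LINE = re.compile(r"^dhcp:subnets:_array_id:([0-9A-Fa-f-]+):(\S+) = (.*)$")


def parse_value(raw):
    """serveradmin prints quoted strings, bare integers, yes/no and _empty_array."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw in ("yes", "no"):
        return raw == "yes"
    if raw == "_empty_array":
        return []
    return int(raw) if raw.lstrip("-").isdigit() else raw


def parse_subnets(text):
    """Group dhcp:subnets:_array_id:<uuid>:<key> lines by UUID; keys of the
    form name:_array_index:N are gathered into a list in index order."""
    subnets = {}
    for line in text.splitlines():
        m = SUBNET_LINE.match(line)
        if not m:
            continue  # static_maps, subnet_defaults and logging lines are not per-subnet
        uuid, key, raw = m.groups()
        entry = subnets.setdefault(uuid, {})
        if ":_array_index:" in key:
            name, _, idx = key.partition(":_array_index:")
            entry.setdefault(name, {})[int(idx)] = parse_value(raw)
        else:
            entry[key] = parse_value(raw)
    for entry in subnets.values():
        for name, val in entry.items():
            if isinstance(val, dict):
                entry[name] = [val[i] for i in sorted(val)]
    return subnets


def to_bootpd_subnet(uuid, s):
    """One Subnets entry in the bootpd.plist layout shown above. Only the keys
    the post maps are carried over, empty values are dropped (the post says to
    delete unused keys), and the range is checked against net_address/net_mask."""
    network = ipaddress.IPv4Network((s["net_address"], s["net_mask"]), strict=True)
    start = ipaddress.IPv4Address(s["net_range_start"])
    end = ipaddress.IPv4Address(s["net_range_end"])
    if not (start in network and end in network and start <= end):
        raise ValueError(f"net_range {start}-{end} is not inside {network}")
    entry = {
        "allocate": bool(s.get("dhcp_enabled", True)),
        "name": f"{network} {s['selected_port_name']}",  # friendly name: my own choice
        "net_address": s["net_address"],
        "net_mask": s["net_mask"],
        "net_range": [str(start), str(end)],
        "selected_port_name": s["selected_port_name"],
        "uuid": uuid,
    }
    for key in ("dhcp_router", "dhcp_domain_name", "dhcp_domain_name_server", "lease_max"):
        if s.get(key):
            entry[key] = s[key]
    return entry


def build_bootpd_plist(text, dhcp_interfaces):
    """Assemble the top-level dictionary: dhcp_enabled as an array of interface
    names (per the post), bootp_enabled left off, and one entry per subnet."""
    subnets = parse_subnets(text)
    root = {
        "dhcp_enabled": list(dhcp_interfaces),
        "bootp_enabled": False,
        "Subnets": [to_bootpd_subnet(uuid, s) for uuid, s in subnets.items()],
    }
    return plistlib.dumps(root, sort_keys=True).decode()


if __name__ == "__main__":
    print(build_bootpd_plist(SERVERADMIN_OUTPUT, ["en1"]))
```

Feed it the real output with `serveradmin settings dhcp > dhcp.txt` and pass the file contents in place of the sample; the printed plist is the Subnets portion to merge into your backed-up bootpd.plist.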

Configure DHCP Reservations

To configure reservations, use the /etc/bootptab file. Each entry is a line with the computer’s hostname, the hardware type (1 for Ethernet), the hwaddr (the MAC address) and the ipaddr to hand out to that machine:

%%
# hostname hwtype hwaddr ipaddr bootfile
# placeholder MAC addresses; each reservation needs its own hwaddr
a.pretendco.com 1 00:00:00:aa:bb:cc 172.16.25.25
b.pretendco.com 1 00:00:00:aa:bb:cd 172.16.25.29

Starting and Stopping the Service

Once everything is configured, fire it up using the following command:

sudo /bin/launchctl load -w /System/Library/LaunchDaemons/bootps.plist

And terminate using the following command:

sudo /bin/launchctl unload -w /System/Library/LaunchDaemons/bootps.plist

To have the service start automatically at boot, open /System/Library/LaunchDaemons/bootps.plist and change the Disabled key to False by changing the word True in line 6 to False.

Troubleshooting: Inspect Leases on Clients

I did an article some time ago about how DHCP leases work. Once you have clients using the DHCP server, you can also renew and view their leases from the command line; the GUI does not usually show a new lease immediately. To reset the DHCP lease from the command line, use ipconfig:

ipconfig set en0 BOOTP
ipconfig set en0 DHCP


If the information is displayed on the screen, then it has to be stored somewhere, right? When your system accepts a lease, the lease is stored in /var/db/dhcpclient/leases. Lease files are standard property lists named after the interface, the hardware type (1 for Ethernet) and the MAC address of the interface, followed by .plist. For example, for en0 with the MAC address 10:9a:cc:ab:5d:ac, the file name begins en0-1,10:9a:cc:ab:5d:ac and the lease would cat as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>IPAddress</key>
<string>192.168.210.94</string>
<key>LeaseLength</key>
<integer>86400</integer>
<key>LeaseStartDate</key>
<date>2018-02-31T15:36:59Z</date>
<key>PacketData</key>
<data><!-- base64-encoded packet data omitted --></data>
<key>RouterHardwareAddress</key>
<data>
AAaxLwVA
</data>
<key>RouterIPAddress</key>
<string>192.168.210.1</string>
</dict>
</plist>

The keys in this file make it easier to script figuring out a few things about your active leases, such as when they’re going to expire, when the lease was accepted or even whether or not the system has a lease (especially when it shouldn’t have a lease). But they can cause misreporting. If the information seems “stuck” in the System Preferences pane you can then rm the dhcp lease file.

Note: If the RouterIPAddress cannot be reached, the lease will be delayed in processing, causing the lease to appear to take a long time to be obtained even though it’s looping to hopefully find a more appropriate lease with a RouterIPAddress that can be reached.
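To script the expiry and renewal checks described above, here is an added Python example (not from the original post) that parses a lease plist with plistlib and splits the lease file name into its parts. The sample lease is constructed from the keys shown earlier, with a valid date and the PacketData blob left out; the renew time assumes the default T1 of half the lease length.

```python
import os
import plistlib
from datetime import datetime, timedelta, timezone

LEASE_DIR = "/var/db/dhcpclient/leases"

# Constructed sample lease (not a real capture): the keys from the file shown
# above, with a valid LeaseStartDate and the PacketData blob left out.
SAMPLE_LEASE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>IPAddress</key><string>192.168.210.94</string>
<key>LeaseLength</key><integer>86400</integer>
<key>LeaseStartDate</key><date>2018-03-01T15:36:59Z</date>
<key>RouterHardwareAddress</key><data>AAaxLwVA</data>
<key>RouterIPAddress</key><string>192.168.210.1</string>
</dict>
</plist>
"""


def parse_lease_filename(name):
    """Split 'en0-1,10:9a:cc:ab:5d:ac[.plist]' into (interface, hardware type, MAC)."""
    if name.endswith(".plist"):
        name = name[: -len(".plist")]
    iface, _, rest = name.partition("-")
    hwtype, _, mac = rest.partition(",")
    return iface, int(hwtype), mac.lower()


def lease_status(plist_bytes, now=None):
    """Derive expiry and renewal times from LeaseStartDate and LeaseLength.
    plistlib returns <date> values as naive UTC datetimes, so 'now' is naive UTC too."""
    lease = plistlib.loads(plist_bytes)
    start = lease["LeaseStartDate"]
    length = int(lease["LeaseLength"])
    expires = start + timedelta(seconds=length)
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    remaining = int((expires - now).total_seconds())
    hw = lease.get("RouterHardwareAddress", b"")  # raw bytes from the <data> element
    return {
        "ip": lease["IPAddress"],
        "router": lease.get("RouterIPAddress"),
        "router_mac": ":".join(f"{b:02x}" for b in hw),
        "start": start,
        "expires": expires,
        "renew_at": start + timedelta(seconds=length // 2),  # default T1: half the lease
        "remaining_seconds": remaining,
        "expired": remaining <= 0,
    }


def sample_status(hours_after_start):
    """Evaluate the constructed sample lease as seen N hours after it was accepted."""
    now = datetime(2018, 3, 1, 15, 36, 59) + timedelta(hours=hours_after_start)
    return lease_status(SAMPLE_LEASE, now=now)


def report(lease_dir=LEASE_DIR):
    """Print one line per lease file; expired leases are the ones worth removing."""
    for name in sorted(os.listdir(lease_dir)):
        iface, _, mac = parse_lease_filename(name)
        with open(os.path.join(lease_dir, name), "rb") as fh:
            st = lease_status(fh.read())
        flag = "EXPIRED" if st["expired"] else f"{st['remaining_seconds']}s left"
        print(f"{iface} ({mac}): {st['ip']} via {st['router']} [{st['router_mac']}] "
              f"start {st['start']:%Y-%m-%dT%H:%M:%SZ} "
              f"expires {st['expires']:%Y-%m-%dT%H:%M:%SZ} {flag}")


if __name__ == "__main__":
    if os.path.isdir(LEASE_DIR):
        report()
    else:
        print(sample_status(20))
```

Run it with sudo on a Mac to read the real lease directory; anywhere else it evaluates the sample lease.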

For anyone who uses a shell script to reset their IP address, I recommend using the following as the full script, rather than the two lines most commonly used (where $leasefile is the name of your lease file):

ipconfig set en0 BOOTP
ipconfig set en0 DHCP
rm /var/db/dhcpclient/leases/$leasefile


Being the nerd I am, I called mine ipcfg.exe and end with an echo of the IP:

ipconfig getifaddr en0

Finally, a very effective way I’ve seen people reset leases that are seriously stuck is to swap locations and then swap back. Let’s say your users generally use the “Automatic” location and you have one called “TEMP”. You can use the scselect command to see locations and switch between them. So to switch to TEMP, we would simply:

scselect TEMP

And then to select Automatic again:

scselect Automatic

Now be careful with this last little tidbit: if TEMP has no active interfaces and you’re running remotely, you might have some walking (or driving) around to do…

Configure DHCP Options

The DHCP service also has a number of DHCP options available, most notably the options available in the GUI. But what about options that aren’t available in the GUI, such as NTP? Well, using /etc/bootpd.plist, the same file we used to define servers allowed to relay, you can also define other options. These begin with the following keys that can be added to your property list:
  • dhcp_time_offset (option 2)
  • dhcp_router (option 3)
  • dhcp_domain_name_server (option 6)
  • dhcp_domain_name (option 15)
  • dhcp_network_time_protocol_servers (option 42)
  • dhcp_nb_over_tcpip_name_server (option 44)
  • dhcp_nb__over_tcpip_dgram_dist_server (option 45)
  • dhcp_nb_over_tcpip_node_type (option 46)
  • dhcp_nb_over_tcpip_scope (option 47)
  • dhcp_smtp_server (option 69)
  • dhcp_pop3_server (option 70)
  • dhcp_nntp_server (option 71)
  • dhcp_ldap_url (option 95)
  • dhcp_netinfo_server_address (option 112)
  • dhcp_netinfo_server_tag (option 113)
  • dhcp_url (option 114)
  • dhcp_domain_search (option 119)
  • dhcp_proxy_auto_discovery_url (option 252)
But you can also add options by their numerical identifier. To do so, add a key like the following to the subnet’s dictionary in your /etc/bootpd.plist file and then restart the DHCP service:

<key>dhcp_option_120</key>
<!-- raw option payload for SIP server 192.168.210.7, base64-encoded -->
<data>AcCo0gc=</data>

In the above, you’d replace option 120 (SIP servers) with the option you wish to use; the <data> element must hold the option’s raw bytes, base64-encoded (for option 120 that is an encoding byte of 1 followed by the IPv4 addresses, per RFC 3361), not an address typed in as text. Numbers correspond to options as follows:
0 – Pad
1 – Subnet Mask
3 – Router
4 – Time Server
5 – Name Server
6 – Domain Name Server
7 – Log Server
8 – Quote Server
9 – LPR Server
10 – Impress Server
11 – Resource Location Server
12 – Host Name
13 – Boot File Size
14 – Merit Dump File
15 – Domain Name
16 – Swap Server
17 – Root Path
18 – Extensions Path
19 – IP Forwarding
20 – WAN Source Routing
21 – Policy Filter
22 – Maximum Datagram Reassembly Size
23 – Default IP Time-to-live
24 – Path MTU Aging Timeout
25 – Path MTU Plateau Table
26 – Interface MTU
27 – All Subnets are Local
28 – Broadcast Address
29 – Perform Mask Discovery
30 – Mask supplier
31 – Perform router discovery
32 – Router solicitation address
33 – Static routing table
34 – Trailer encapsulation
35 – ARP cache timeout
36 – Ethernet encapsulation
37 – Default TCP TTL
38 – TCP keep alive interval
39 – TCP keep alive garbage
40 – Network Information Service Domain
41 – Network Information Servers
42 – NTP servers
43 – Vendor specific information
44 – NetBIOS over TCP/IP name server
45 – NetBIOS over TCP/IP Datagram Distribution Server
46 – NetBIOS over TCP/IP Node Type
47 – NetBIOS over TCP/IP Scope
48 – X Window System Font Server
49 – X Window System Display Manager
50 – Requested IP Address
51 – IP address lease time
52 – Option overload
53 – DHCP message type
54 – Server identifier
55 – Parameter request list
56 – Message
57 – Maximum DHCP message size
58 – Renew time value
59 – Rebinding time value
60 – Class-identifier
61 – Client-identifier
62 – NetWare over IP Domain Name
63 – NetWare over IP information
64 – Network Information Service Domain
65 – Network Information Service Servers
66 – TFTP server name
67 – Bootfile name
68 – Mobile IP Home Agent
69 – Simple Mail Transport Protocol Server
70 – Post Office Protocol Server
71 – Network News Transport Protocol Server
72 – Default World Wide Web Server
73 – Default Finger Server
74 – Default Internet Relay Chat Server
77 – User Class Information
78 – SLP Directory Agent
79 – SLP Service Scope
80 – Rapid Commit
81 – Fully Qualified Domain Name
82 – Relay Agent Information
83 – Internet Storage Name Service
85 – NDS servers
86 – NDS tree name
87 – NDS context
88 – BCMCS Controller Domain Name list
89 – BCMCS Controller IPv4 address list
90 – Authentication
91 – Client Last Transaction Time
92 – Associated IP
93 – Client System Architecture Type
94 – Client Network Interface Identifier
95 – LDAP, Lightweight Directory Access Protocol
97 – Client Machine Identifier
98 – Open Group User Authentication
100 – IEEE 1003.1 TZ String
101 – Reference to the TZ Database
112 – NetInfo Parent Server Address
113 – NetInfo Parent Server Tag
114 – URL
116 – Auto-Configure
117 – Name Service Search
118 – Subnet Selection
119 – DNS domain search list
120 – SIP Servers DHCP Option
121 – Classless Static Route Option
123 – GeoConfiguration
124 – Vendor-Identifying Vendor Class
125 – Vendor-Identifying Vendor Specific
128 – TFTP Server IP address
129 – Call Server IP address
130 – Discrimination string
131 – Remote statistics server IP address
132 – 802.1P VLAN ID
133 – 802.1Q L2 Priority
134 – Diffserv Code Point
135 – HTTP Proxy for phone-specific applications
136 – PANA Authentication Agent
139 – IPv4 MoS
140 – IPv4 Fully Qualified Domain Name MoS
150 – TFTP server address
176 – IP Telephone
220 – Subnet Allocation
221 – Virtual Subnet Selection
252 – Proxy auto-discovery
254 – Private use
255 – End
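The following added Python example (not from the original post) builds the payload for an address-list option and for option 120, and lets plistlib produce the dhcp_option_N entry with the base64 that belongs inside <data>; it also decodes an existing payload back to addresses so a hand-edited value can be checked. It assumes bootpd reads the data value as the raw option payload.

```python
import base64
import ipaddress
import plistlib


def ipv4_list_option(addresses):
    """Payload for address-list options (3 router, 6 DNS, 42 NTP, ...):
    the 4-byte addresses concatenated, per RFC 2132."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addresses)


def sip_servers_option(addresses):
    """Option 120 (RFC 3361) payload: encoding byte 1 (IPv4 address list)
    followed by the addresses."""
    return b"\x01" + ipv4_list_option(addresses)


def data_b64(payload):
    """The text that ends up between <data> and </data> in the plist."""
    return base64.b64encode(payload).decode()


def option_plist_entry(number, payload):
    """Render the <key>dhcp_option_N</key><data>...</data> pair the way plistlib
    writes it; plistlib base64-encodes the bytes, which is what <data> must hold."""
    return plistlib.dumps({f"dhcp_option_{number}": payload}).decode()


def decode_ipv4_list(payload):
    """Reverse of ipv4_list_option, for checking an existing <data> value.
    Rejects payloads whose length is not a whole number of addresses."""
    if len(payload) % 4:
        raise ValueError("IPv4 list payload length must be a multiple of 4")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, len(payload), 4)]


if __name__ == "__main__":
    print(option_plist_entry(120, sip_servers_option(["192.168.210.7"])))
    print(option_plist_entry(42, ipv4_list_option(["10.15.40.1"])))
```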
And that’s it. This whole thing can take 5-10 minutes. In fact, if you were using macOS Server then just back up your bootpd.plist and copy it to another machine, assuming the network interface (en0, en1, etc.) hasn’t changed; change it if it has. But for all the other weird stuff that was in the UI (or even the stuff that was never in the UI), here’s a pretty lengthy explanation of how to manage all of it from the command line. Building a GUI to configure these wouldn’t be that hard either, since bootp has been built into the Mac for a while (and I think you need it for Internet Sharing). Oh, that reminds me: Internet Sharing is likely to overwrite any custom settings, so once you hack the plist, don’t go back to System Preferences-based management.

March 20th, 2018

Posted In: Mac OS X, Mac OS X Server


macOS Server 5.4 (for High Sierra) comes with the /usr/sbin/serverinfo command (which was originally introduced in Mountain Lion Server). The serverinfo command is useful when programmatically obtaining information about the very basic state of an Apple server. The first option indicates whether the Server app has been downloaded from the App Store, which is the --software option:

serverinfo --software

When used, this option reports the following if the Server.app can be found:

This system has server software installed.

Or if the software cannot be found, the following is indicated:

This system does NOT have server software installed.

The --productname option returns the name of the software app:

serverinfo --productname

If you change the name of the app from Server then the serverinfo command won’t work any longer, so the output should always be the following:

Server

The --shortversion option returns the version of the Server app being used:

serverinfo --shortversion

The output will not indicate a build number, but instead the version of the app on the computer the command is run on:

5.4

To see the build number (which should iterate with each update to the Server app from the Mac App Store), use the --buildversion option:

serverinfo --buildversion

The output shows the build of Server, which doesn’t necessarily match the macOS build number:

17S1180a

Just because the Server app has been downloaded doesn’t mean the Server setup assistant has been run. To see if it has, use the --configured option:

serverinfo --configured

The output indicates whether the system is running as a server or just has the app installed (e.g. if you’re using it to connect to another server):

This system has server software configured.

You can also output all of the information into a single, easy-to-script-against property list using the --plist option:

serverinfo --plist

The output is a list of each of the other options used:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>IsOSXServerVolume</key>
<true/>
<key>IsOSXServerVolumeConfigured</key>
<true/>
<key>IsServerHardware</key>
<false/>
<key>LocalizedServerProductName</key>
<string>Server</string>
<key>MinimumServerVersionAllowed</key>
<string>5.3.55</string>
<key>ServerBuildVersion</key>
<string>17S1180a</string>
<key>ServerPerformanceModeEnabled</key>
<false/>
<key>ServerVersion</key>
<string>5.3</string>
</dict>
</plist>

The Server Root can reside in a number of places. To see the path (useful when scripting commands that are relative to the ServerRoot), use the --prefix option:

serverinfo --prefix

By default, the output is as follows, which is basically like a dirname of the ServerRoot:

/Applications/Server.app/Contents/ServerRoot

You can also see whether the system is running on actual hardware designated by Apple for servers using the --hardware option:

serverinfo --hardware

The output simply indicates if the hardware shipped with OS X Server on it from Apple:

This system is NOT running on server hardware.

The --perfmode option indicates whether or not the performance mode has been enabled, dedicating resources to binaries within the Server app:

serverinfo --perfmode

If the performance mode has not been enabled then the output will be as such:

Server performance mode is NOT enabled.

Note: Performance mode doesn’t seem to be supported any longer, as none of the options will actually enable the service.

September 27th, 2017

Posted In: Mac OS X Server


A wiki is a repository of dynamically created and managed content, or content created or edited by multiple users collaboratively. This article is about using the wiki service in macOS Server 5.4 (the Apple Server app running on 10.13/High Sierra). I reference file services with WebDAV because it is a very nice integration piece that I think a lot of people will find pretty beneficial.

To get started with the Wiki service, first turn it on. This one isn’t heavily dependent on host names (other than being able to access the server from a browser) or directory services (other than being able to authenticate users, but local accounts are perfectly functional) and it doesn’t require the Websites service to be running as well. One should always have good working directory services and host names, still…

To enable the service, open the Server app and click on Wiki in the list of SERVICES in the List Pane.

There are two configuration options. The first is to select who is able to create wikis. Use the “Wikis can be created by” drop-down list to select “all users” if anyone with an account on the server should be able to create a wiki or “only some users” to bring up the Wiki Creators screen.

If only some users can create new wikis, use the plus sign (“+”) at the Wiki Creators screen to add users and/or groups to the list of users that can create wikis. Click on OK when all users and groups that can create wikis are added. In a school I would imagine that only teachers or IT staff would be able to create wikis. Once a wiki is created, pages inside the wiki can still be created by non-wiki creators.

The other option available is the handy dandy WebDAV interface to the wikis. When you enable this option, you can connect to the server from macOS or iOS via WebDAV and access files in each wiki’s document repository. To be clear, this option doesn’t provide access to the user documents, but does provide access to the wiki documents. We’re going to check the box for “Enable WebDAV access to Wiki files” and then click the ON button.

Once the service starts, click on the View Wiki link in the Wiki workspace in Server app.



Here, click on the Log in button and enter a user with access to the server, preferably one who can create wikis.

At the Wikis page, you will then see a list of all wikis you have access to. Note that the previous screen showed one wiki and now we see two. That’s because one of the wikis has permissions that allow “All unauthenticated users” access to the wiki, which we’ll describe shortly. The first thing most administrators will do is create a wiki. To do so, click on the plus sign (“+”) icon on the web page and at the resultant screen, click on New Wiki.



At the “Create a new wiki” prompt, provide a name for the wiki and a brief description for it.

Click on Continue.



At the Set permissions screen, enter each user or group to provide access to edit and view wiki pages. Here, you’ll have the options for Read & Write (users can view and edit pages in the wiki), Read only (users can only view the contents of your pages) and No access (users have no access to the wiki). There is a group for All logged in users, which includes every user with access to the server and another for All unauthorized users, which includes guests to the server. Once you’ve given the appropriate permissions, click on Continue.

Note: You don’t have to get this perfect now as you can always edit these later.



At the Set Appearance screen, you can choose an icon for the wiki (shown in the wiki list and when you open the wiki) as well as a color scheme for the wiki. Choose the appropriate appearance for your wiki (again, you can always change this later) and then click on the Create button.



Once the setup is finished, you’ll see the Setup complete modal. Here, you can click on Go to Wiki button.

Once you’ve created your first wiki, let’s edit it and customize the content. To do so, click on it from the list of available wikis. Click on the cog-wheel icon and then Wiki Settings… to bring up the Wiki Settings page.

Here, you’ll see the previously entered name and description as well as options to enable Calendar (only available if Calendar Server is running on the server) and Blog, which enables a blog service for the wiki (wiki administrators can post blog entries to the wiki). Click on Appearance.

Here, you will have the previous two options as well as the ability to upload a banner (which should be 62 pixels high) and background for each wiki.



Click on Permissions. Here, you’ll see the permissions previously configured as well as options to configure who can comment on articles in the wiki (choosing nobody disables comments completely) and whether comments require approval (moderation).

Click on Save. Now, let’s edit the splash page. To do so, click the pencil icon in the top navigation bar.



At the edit screen, the top nav bar is replaced by a WYSIWYG editor for managing the page. Here you can justify, link, insert media and of course edit the text you see on the screen. I recommend spending some time embedding links, inserting tables, making text look like you want it to and editing the content to reflect the purpose of the wiki. Click Save when you’re done. Click the pencil again to edit it, and let’s create a new wiki page. Keep in mind that, like Wikipedia, each page should be linked to from other pages in the order they should be read. Unlike most wikis, there’s actually an index page of all the articles, which can come in handy.



From the edit page, to create a new page and link to it, enter some text (or lasso some) that you’ll use as the link to access the new page you’re creating. Then click on the arrow and select “New page.”

Note: Use Enter URL to link to an existing page or an external website, instead of creating a new page.



At the New Page screen, provide a name for the new page (the lasso’d text automatically appears as the Page Title) and click on the Add button.

Click Save and then click on the newly created link. You can now edit the new page the same way you edited the previous pages. Click on the disclosure triangles in the right sidebar to Comment on articles, link articles to related articles, tag articles and view editing history.

Now for the fun part. Click on Documents. Here, you’ll see the pages you already created. Click on the plus sign and select the option to Upload File to the wiki.



At the Upload File dialog, click on Choose File and then select a file to upload.

Click Upload when selected.

Then from the Finder of a macOS client, use the Go menu to select “Connect to Server”. Enter the name or IP of the server and then click on Connect.

Assuming you can access the server, you should then be prompted for a username and password. Enter them and click Connect. Eventually, the file(s) will display (it can take a while depending on your network speed and how many files are in the directory). You can connect to this same share from an iPad using a 3rd party WebDAV client or the built-in options in Pages.

Managing wikis is as easy as it’s ever been, with the new options for appearance being a nice add-on. Active Directory integration is as easy as binding the server to Active Directory and using the accounts listed in Permissions of pages.

Now that iOS devices can edit wikis and many of the traditional word processing options are available in the wiki editor, consider what the Wiki can be. Could it replace text editing apps for iOS? Could the Wiki allow for more collaborative documents than a Word or other document editor? Could it keep from getting eaten like the rest of the homework? Could the comments in the Wiki be a good way for teachers to have students write responses to materials? Could the Wiki and the document management features allow your workers to access human resources documents and employee manuals? I know plenty of tech firms that use wikis to track information about the systems they manage.

Once you have all of this information, upgrading can seem downright scary. But fear not, there’s Carbon Copy Cloner. And once you’ve cloned, there’s wikiadmin. When doing an upgrade in place, the Wiki service is pretty straight forward to upgrade, but in many cases, due to aging hardware, wiki services are moving from an older computer to a newer computer. This can be done in one of two ways. The first is to “migrate” the data by copying the Collaboration folder onto the new system. The second is to “export” and “import” the data. I usually recommend doing a migrate where possible, so we’ll start with that method.

Note: Before getting started, make sure that the directory services side of things is good. If a user or group lookup for an object that owns, edits or has commented on a wiki fails then that wiki probably shouldn’t be migrated. Use the dscl or id commands to confirm that lookups are functioning as intended.

To migrate wikis from one server to another, first copy the Collaboration directory to the new server. In this example, the directory has been dropped onto the desktop of the currently logged in user. To migrate the data once copied, use the wikiadmin command, along with the migration option. The option requires the path to the Collaboration folder, defined with -r, as follows:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin migrate -r ~/Desktop/Collaboration

When moving wikis, you can take the opportunity to get rid of a few you don’t want (such as that test wiki from way back when). Or administrators may just choose to move a single wiki to a new server in order to split the load across multiple hosts. When doing so, use the same command as earlier, adding the -g option followed by the name of the wiki being moved. For example, if moving the Legal wiki:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin migrate -r ~/Desktop/Collaboration -g Legal

The second way of moving wikis around is to export and then import them. To do so, first export wikis on the old server using the wikiadmin command along with the export option, which requires an --exportPath option and needs to be done on a wiki-by-wiki basis. So to export that Legal wiki to a file called LegalWikiTMP on the desktop:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin export -g Legal --exportPath ~/Desktop/LegalWikiTMP

Next, copy the wiki to the new server and import it, using the import option along with --importPath to identify where the file being imported is located. Using the same location, the command would then be:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin import -g Legal --importPath ~/Desktop/LegalWikiTMP

Note: The ability to import a wiki also allows for an API of sorts, as you can programmatically create wikis from other sources. The ability to export also provides a way to move into another wiki tool if you happen to outgrow the options provided in Server and need to move to something more robust.

There is another way to move wikis: using pg_dump, copying the data and then using pg_restore to import the data once you’ve created the tables. This way is, in my opinion, the last resort if the standard wikiadmin commands aren’t working. In my experience, if I’m doing the migration this way then I’ve got other, bigger issues that I need to deal with as well.

These commands work best when the wiki service has been started so that the databases are fully built out. To start the wiki service from the command line, use the serveradmin command instead of the wikiadmin command. The serveradmin command is used with the start option and then wiki is used to indicate the wiki service, as follows:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start wiki

The service can also be stopped, swapping out the start option with a stop option:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop wiki

In a few cases (this is the main reason I’m writing this article), the attachments to wikis don’t come over during a migration. To migrate the files that are used for QuickLook, downloading attachments, etc, use the serveradmin command to locate the directory that these objects are stored in:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings wiki:FileDataPath

The output identifies the directory where these objects are stored. Placing the contents at the same relative path under the directory that the same command reports on the target server usually restores them. Once moved, use the fixPermissions option to repair the permissions of any files from the source (if any changes to account IDs are encountered, such as with an export/import rather than an archive/restore in Open Directory, this can lead to odd issues):

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin fixPermissions

Also use the rebuildSearchIndex option with the wikiadmin command to fix any indexing, once the permissions have been repaired:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin rebuildSearchIndex

And finally use resetQuicklooks to clear any cached QuickLook representations of objects that have been inserted into a wiki and might not display properly in QuickLook (you know you might need to do this if they look fine when downloaded but look bad in QuickLook, even though QuickLook on the server can view the files just fine):

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin resetQuicklooks
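To tie the steps above together, here is an added example script (mine, not from the post or from Apple) that runs the directory lookup pre-flight from the note at the top, reads wiki:FileDataPath with the same parsing you would apply to any serveradmin output, migrates each named wiki with -g, and then runs fixPermissions, rebuildSearchIndex and resetQuicklooks in the order given above. The WIKI_ACCOUNTS and DRY_RUN variables, the --run flag and the sample FileDataPath line are my assumptions; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the wikiadmin/serveradmin
# migration steps in one script with a pre-flight check.
# Assumptions (not from the page): account names to verify come from
# WIKI_ACCOUNTS, DRY_RUN=1 (the default) prints commands instead of running them.

SERVERROOT=/Applications/Server.app/Contents/ServerRoot
WIKIADMIN="$SERVERROOT/usr/bin/wikiadmin"
SERVERADMIN="$SERVERROOT/usr/sbin/serveradmin"
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Pre-flight from the note above: every account that owns or edits a wiki
# must resolve through directory services. Returns 1 on the first failure.
check_accounts() {
    for acct in "$@"; do
        if ! id "$acct" >/dev/null 2>&1; then
            printf 'lookup failed for %s; fix directory services first\n' "$acct" >&2
            return 1
        fi
    done
    return 0
}

# Extract the quoted value from one serveradmin 'key = "value"' line, e.g.
#   wiki:FileDataPath = "/Library/Server/Wiki/FileData"  ->  /Library/Server/Wiki/FileData
serveradmin_value() {
    printf '%s\n' "$1" | sed -n 's/^[^=]*= *"\(.*\)"$/\1/p'
}

# Ask the server where attachments live (the serveradmin settings
# wiki:FileDataPath step). In dry-run mode a constructed sample line stands
# in for the real output.
file_data_path() {
    if [ "$DRY_RUN" = "1" ]; then
        line='wiki:FileDataPath = "/Library/Server/Wiki/FileData"'   # constructed sample
    else
        line=$("$SERVERADMIN" settings wiki:FileDataPath)
    fi
    serveradmin_value "$line"
}

# Migrate each named wiki from a copied Collaboration folder, then run the
# three repair steps in the order the post gives them.
migrate_wikis() {
    collab="$1"; shift
    run sudo "$SERVERADMIN" start wiki
    for wiki in "$@"; do
        run sudo "$WIKIADMIN" migrate -r "$collab" -g "$wiki"
    done
    run sudo "$WIKIADMIN" fixPermissions
    run sudo "$WIKIADMIN" rebuildSearchIndex
    run sudo "$WIKIADMIN" resetQuicklooks
}

# Entry point: sh migrate_wikis.sh --run Legal HR
if [ "${1:-}" = "--run" ]; then
    shift
    # WIKI_ACCOUNTS is deliberately unquoted so it splits into one name per account.
    check_accounts ${WIKI_ACCOUNTS:-} || exit 1
    printf 'attachments belong under: %s\n' "$(file_data_path)"
    migrate_wikis "$HOME/Desktop/Collaboration" "$@"
fi
```

A first pass with DRY_RUN=1 WIKI_ACCOUNTS="alice bob" sh migrate_wikis.sh --run Legal HR shows every command before anything is touched; DRY_RUN=0 executes them, and the lookup failure path stops the script before any wiki is migrated.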

When done properly the migration can take a while. Keep in mind that every tag, every article, every edit to every article and basically everything else is tracked inside the tables that you’re moving. While there might not be a ton of data in the Collaboration directory or in an export, all of the data needs to go to the right location. This can take a little time in environments that have a lot of articles, even if they’re really short articles…

September 26th, 2017

Posted In: Mac OS X, Mac OS X Server


The changes in the Server app are pretty minimal in the macOS Server 5.4 version that we’re now looking at. All of the options from previous versions are still there and the dnsconfig command line interface for managing the service is basically unchanged. The DNS service in macOS Server, as with previous versions, is based on BIND 9 (BIND 9.9.7-P3 to be exact). This is very much compatible with practically every DNS server in the world, including those hosted on Windows, macOS, Linux and even Zoe-R. The first time you open the DNS service, click on the DNS service in the ADVANCED section of the list of SERVICES.

Then, click on the cog wheel icon below the list of records and click on Show All Records.

At the Records screen, you’ll now see forward and reverse record information. Click the Edit… button for the Forwarding Servers field. Here, you’ll be able to enter Forwarders, or DNS servers that resolve names that the server you’re using can’t resolve using its own DNS records.

Click the plus sign to enter the IP address of any necessary Forwarders. Enter the IP address of any Forwarding servers, then click OK to save your changes.

Once back at the main DNS service control screen, click the Edit… button for “Perform lookups for” to configure which computers can use the DNS service that the server you are setting up is hosting.


At the Perform Lookups screen, provide any additional subnets that should be used. If the server should be accessible by anyone anywhere, just set the “Perform lookups for” field at the DNS service screen to “all clients”.

Managing Records

All you have to do to start the DNS is click on the ON button (if it’s not already started, that is). There’s a chance that you won’t want all of the records that are by default entered into the service. But leave it for now, until we’ve covered what everything is. Next, click on the cog wheel icon below the records list, and you’ll see a list of all the records and record types that are currently running on the server.

To list the various types of records:

Then, when you click on the plus sign, you can create additional records. Double-clicking on records (including the Zones) brings up a screen to edit the record. The settings for a zone can be seen below.

These include the name for the zone. As you can see, a zone was created with the hostname rather than the actual domain name. This is a problem if you wish to have multiple records in your domain that point to the same host name. Theoretically you could create a zone and a machine record for each host in the domain, but the right way to do things is probably to create a zone for the domain name instead of the host name. So for the above zone, the entry should be krypted.com rather than mavserver.krypted.com (the hostname of the computer). Additionally, the TTL (or Time To Live) can be configured, which is referenced here as the “Zone data is valid for” field. If you will be making a lot of changes this value should be as low as possible (the minimum value here is 5 minutes).
“Note: To make sure your zone name and TLD don’t conflict with data that already exists on the Internet, check here to make sure you’re not using a sponsored TLD.” — http://krypted.com/mac-os-x/dont-go-near-there-sponsored-top-level-domain-names/

Note: The above screen has the domain in the zone field and the name of a record, such as www for the zone called, for example, krypted.lan.

Click Done to commit the changes or create the new record. Next, let’s create an MX record for the domain. To create the MX for the domain, click on the plus sign at the list of records.


Select the appropriate zone in the Zone field (if you have multiple zones). Then type the name of the A record that you will be pointing mail to. Most likely, this would be a machine record called simply mail, in this case for krypted.lan, so mail.krypted.lan. If you have multiple MX records, increment the priority number for the lower priority servers.

As a full example, let’s create a zone and some records from scratch. Let’s set up this zone for an Xsan metadata network, called krypted.xsan. Then, let’s create our metadata controller record as starbuck.krypted.xsan to point to 10.0.0.2 and our backup metadata controller record as apollo.krypted.xsan which points to 10.0.0.3. First, click on the plus sign and select Add Primary Zone.


At the zone screen, enter the name of the domain you’re setting up (e.g. krypted.com, also known as the zone), check the box for Allow zone transfers (there will be a second server) and click on the Done button. Click on the plus sign and then click on Add Machine record.


At the New Machine Record screen, select the appropriate zone as the Zone and then enter starbuck as the Host Name and click on the plus sign for IP Addresses and type in the appropriate IP. Click on Done to commit the changes. Repeat the process for each host that needs an address and then click Done to create the records.

Setting Up Secondary Servers

Now let’s setup a secondary server by leveraging a secondary zone running on a second computer. On the second macOS Server, click on the plus sign for the DNS service and select Add Secondary Zone.



At the Secondary Zone screen, enter krypted.com as the name of the zone and then the IP address of the DNS server hosting that domain in the Primary Servers field (actually, enter your domain name, not mine). Click Done and the initial zone transfer should begin once the DNS service is turned on (if it hasn’t already been enabled).

Managing DNS From The Command Line

Now, all of this is pretty straightforward. Create a zone, create some records inside the zone and you’re good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in macOS Server is to do everything possible using the serveradmin command for global management and dnsconfig for record and zone management. Once you start editing configuration files, the user interface can become unstable and other updates may or may not override the updates you make in those configuration files. To start the service, use the start option:

sudo serveradmin start dns

http://krypted.com/?p=45195.

/private/var/named contains a file for each zone the server is configured for. Secondary zones are flat and don’t have a lot of data in them, but primary zones contain all the information shown in the Server app and in the serveradmin output. To see the contents of the test zone we created, view the /Library/Server/named/db.krypted.xsan file (each file name is db. followed by the name of the zone):

cat /var/named/db.krypted.xsan

See http://krypted.com/mac-os-x-server/os-x-server-forcing-dns-propagation for information on forcing DNS propagation if you are having issues with zone transfers. Finally, you can manage all records within the DNS service using the new /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig command line tool. I’ve written an article on managing DNS using this tool, available here.
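As an added example (hand-written by me, not the file the Server app generates, whose exact layout I have not reproduced), the following shell functions emit a BIND zone equivalent to the krypted.xsan zone built above, with starbuck and apollo as the A records, plus the named.conf zone statement that would load it. The “Allow zone transfers” checkbox exists because of the secondary server; in BIND terms that is allow-transfer, and the example limits it to the secondary’s address rather than to anyone. The serial and timer values and the choice of 10.0.0.3 (apollo) as the secondary are assumptions.

```shell
#!/bin/sh
# Added example (not the output of the author's server): a hand-written BIND
# zone equivalent to the krypted.xsan zone built in the Server app, plus the
# named.conf stanza that loads it. Assumption: 10.0.0.3 (apollo) is the
# secondary that pulls zone transfers.

# Emit the zone file. Serial and timer values are constructed samples.
zone_file() {
    cat <<'EOF'
$TTL 300                 ; 5 minutes, the minimum the Server app allows
$ORIGIN krypted.xsan.
@       IN  SOA   starbuck.krypted.xsan. hostmaster.krypted.xsan. (
                  2017092601 ; serial: bump on every change
                  3600       ; refresh
                  900        ; retry
                  604800     ; expire
                  300 )      ; negative-cache TTL
        IN  NS    starbuck.krypted.xsan.
        IN  NS    apollo.krypted.xsan.
starbuck IN A     10.0.0.2   ; metadata controller
apollo   IN A     10.0.0.3   ; backup metadata controller
EOF
}

# Emit the zone statement. "Allow zone transfers" in the app should mean
# transfers to the secondary only, which is what allow-transfer pins down.
zone_stanza() {
    cat <<'EOF'
zone "krypted.xsan" {
    type master;
    file "db.krypted.xsan";
    allow-transfer { 10.0.0.3; };
};
EOF
}

# Look up an A record in the generated zone text; prints the address.
zone_lookup() {
    zone_file | awk -v host="$1" '$1 == host && $3 == "A" { print $4 }'
}

# Syntax-check with BIND's own tool when it is installed; returns 2 if it is not.
check_zone() {
    command -v named-checkzone >/dev/null 2>&1 || return 2
    tmp=$(mktemp) && zone_file > "$tmp"
    named-checkzone krypted.xsan "$tmp"; rc=$?
    rm -f "$tmp"; return $rc
}
```

Writing the zone by hand is exactly the situation the paragraph above warns about: once named’s files are edited directly, the Server app may overwrite them, so treat this as a way to read and validate what the app produced (zone_file > db.krypted.xsan; named-checkzone krypted.xsan db.krypted.xsan) rather than a replacement for dnsconfig.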


September 26th, 2017

Posted In: Mac OS X, Mac OS X Server, Uncategorized


Web Services in macOS Server, Linux and most versions of Unix are provided by Apache, an Open Source project that much of the Internet owes its origins to. Apache owes its name to the fact that it’s “a patchy” service. These patches are often mods, or modules. Configuring web services is as easy in macOS Server 5.2, running on Sierra (10.12), as it has ever been. To set up the default web portal, simply open the Server app, click on the Websites service and click on the ON button.

After a time, the service will start. Once running, click on the View Server Website link at the bottom of the pane.

Provided the stock macOS Server page loads, you are ready to use macOS Server as a web server.

Before we set up custom sites, there are a few things you should know. The first is that the server is no longer really designed to have the default website removed, so if you remove the site, your server will exhibit inconsistent behavior. Also, don’t remove the files that comprise the default site. Instead just add sites, which is covered next. Webmail is gone; you don’t have to spend a ton of time looking for it, as it isn’t there. Also, Mountain Lion Server added web apps, which we’ll briefly review later in this article as well, as those continue in Mavericks Server, Yosemite Server, El Capitan Server and ultimately macOS Server 5.2 for Sierra. Finally, enabling PHP and Python on sites is done globally, so this setting applies to all sites hosted on the server.

Now that we’ve got that out of the way, let’s add our first custom site. Do so by clicking on the plus sign. At the New Web Site pane, you’ll be prompted for a number of options.
The most important is the name of the site, with other options including the following:

The Advanced Options include the following:

Once you’ve configured all the appropriate options, click on Done to save your changes. The site should then load. Sites are then listed in the list of Websites. The Apache service is most easily managed from the Server app, but there are too many options in Apache to really be able to put into a holistic graphical interface. The easiest way to manage the Websites service in OS X Yosemite Server is using the serveradmin command. Apache administrators from other platforms will be tempted to use the apachectl command to restart the Websites service. Instead, use the serveradmin command to do so. To start the service:

sudo serveradmin start web

To stop the service(s):

sudo serveradmin stop web

And to see the status:

sudo serveradmin fullstatus web

Fullstatus returns the following information:

web:health = _empty_dictionary
web:readWriteSettingsVersion = 1
web:apacheVersion = "2.2"
web:servicePortsRestrictionInfo = _empty_array
web:startedTime = "2016-09-26 02:38:57 +0000"
web:apacheState = "RUNNING"
web:statusMessage = ""
web:ApacheMode = 2
web:servicePortsAreRestricted = "NO"
web:state = "RUNNING"
web:setStateVersion = 1

While the health option typically resembles kiosk computers in the Computer Science departments of most major universities, much of the rest of the output can be pretty helpful, including the Apache version, whether the service is running, any restrictions on ports and the date/time stamp that the service was started. To see all of the settings available to the serveradmin command, run it, followed by settings and then web, to indicate the Websites service:

sudo serveradmin settings web

The output is pretty verbose and can be considered in two sections; the first includes global settings across sites as well as the information for the default sites that should not be deleted:
web:defaultSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSite:serverName = ""
web:defaultSite:realms = _empty_dictionary
web:defaultSite:redirects = _empty_array
web:defaultSite:enableServerSideIncludes = no
web:defaultSite:networkAccesses = _empty_array
web:defaultSite:customLogPath = ""/var/log/apache2/access_log""
web:defaultSite:webApps = _empty_array
web:defaultSite:sslCertificateIdentifier = ""
web:defaultSite:fullSiteRedirectToOtherSite = "https://%{SERVER_NAME}"
web:defaultSite:allowFolderListing = no
web:defaultSite:serverAliases = _empty_array
web:defaultSite:errorLogPath = ""/var/log/apache2/error_log""
web:defaultSite:fileName = "/Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34580_.conf"
web:defaultSite:aliases = _empty_array
web:defaultSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSite:directoryIndexes:_array_index:2 = "default.html"
web:defaultSite:allowAllOverrides = no
web:defaultSite:identifier = "67127006"
web:defaultSite:port = 34580
web:defaultSite:allowCGIExecution = no
web:defaultSite:serverAddress = "127.0.0.1"
web:defaultSite:requiresSSL = no
web:defaultSite:proxies = _empty_dictionary
web:defaultSite:errorDocuments = _empty_dictionary
The second section is per-site settings, with an array entry for each site:
web:customSites:_array_index:0:documentRoot = "/Library/Server/Web/Data/Sites/blog.krypted.com"
web:customSites:_array_index:0:serverName = "blog.krypted.com"
web:customSites:_array_index:0:realms = _empty_dictionary
web:customSites:_array_index:0:redirects = _empty_array
web:customSites:_array_index:0:enableServerSideIncludes = no
web:customSites:_array_index:0:networkAccesses = _empty_array
web:customSites:_array_index:0:customLogPath = "/var/log/apache2/access_log"
web:customSites:_array_index:0:webApps = _empty_array
web:customSites:_array_index:0:sslCertificateIdentifier = ""
web:customSites:_array_index:0:fullSiteRedirectToOtherSite = ""
web:customSites:_array_index:0:allowFolderListing = no
web:customSites:_array_index:0:serverAliases = _empty_array
web:customSites:_array_index:0:errorLogPath = "/var/log/apache2/error_log"
web:customSites:_array_index:0:fileName = "/Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34580_blog.krypted.com.conf"
web:customSites:_array_index:0:aliases = _empty_array
web:customSites:_array_index:0:directoryIndexes:_array_index:0 = "index.html"
web:customSites:_array_index:0:directoryIndexes:_array_index:1 = "index.php"
web:customSites:_array_index:0:directoryIndexes:_array_index:2 = "default.html"
web:customSites:_array_index:0:allowAllOverrides = no
web:customSites:_array_index:0:identifier = "67127002"
web:customSites:_array_index:0:port = 34580
web:customSites:_array_index:0:allowCGIExecution = no
web:customSites:_array_index:0:serverAddress = "127.0.0.1"
web:customSites:_array_index:0:requiresSSL = no
web:customSites:_array_index:0:proxies = _empty_dictionary
web:customSites:_array_index:0:errorDocuments = _empty_dictionary
web:dataLocation = "/Library/Server/Web/Data"
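As an added example (my own, not from the post), the following turns the flat key = value output above into one summary line per site and flags the per-site settings a reviewer would want a second look at: directory listings, CGI execution and .htaccess overrides (allowAllOverrides), each of which widens what a web client can do. The sample input is constructed from the defaultSite, blog.krypted.com and defaultSecureSite values shown on this page plus a made-up uploads.example.lan site with those three settings enabled; in practice pipe the real sudo serveradmin settings web output into site_summary or risky_sites.

```shell
#!/bin/sh
# Added example (not from the original post): summarize and audit the per-site
# settings in `serveradmin settings web` output. The sample below is constructed
# from values on the page plus one made-up site (uploads.example.lan).

sample_settings() {
    cat <<'EOF'
web:defaultSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSite:serverName = ""
web:defaultSite:allowFolderListing = no
web:defaultSite:allowAllOverrides = no
web:defaultSite:port = 34580
web:defaultSite:allowCGIExecution = no
web:defaultSite:requiresSSL = no
web:customSites:_array_index:0:documentRoot = "/Library/Server/Web/Data/Sites/blog.krypted.com"
web:customSites:_array_index:0:serverName = "blog.krypted.com"
web:customSites:_array_index:0:allowFolderListing = no
web:customSites:_array_index:0:allowAllOverrides = no
web:customSites:_array_index:0:port = 34580
web:customSites:_array_index:0:allowCGIExecution = no
web:customSites:_array_index:0:requiresSSL = no
web:customSites:_array_index:1:documentRoot = "/Library/Server/Web/Data/Sites/uploads.example.lan"
web:customSites:_array_index:1:serverName = "uploads.example.lan"
web:customSites:_array_index:1:allowFolderListing = yes
web:customSites:_array_index:1:allowAllOverrides = yes
web:customSites:_array_index:1:port = 80
web:customSites:_array_index:1:allowCGIExecution = yes
web:customSites:_array_index:1:requiresSSL = no
web:defaultSecureSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSecureSite:serverName = ""
web:defaultSecureSite:allowFolderListing = no
web:defaultSecureSite:allowAllOverrides = no
web:defaultSecureSite:port = 34543
web:defaultSecureSite:allowCGIExecution = no
web:defaultSecureSite:requiresSSL = yes
web:dataLocation = "/Library/Server/Web/Data"
EOF
}

# Reads serveradmin output on stdin and prints one line per site:
#   <site-id> <serverName or -> <port> ssl=.. listing=.. cgi=.. overrides=..
# where site-id is defaultSite, defaultSecureSite or customSites:N.
site_summary() {
    awk -F' = ' '
    $1 ~ /^web:(defaultSite|defaultSecureSite|customSites:_array_index:[0-9]+):[A-Za-z]+$/ {
        n = split($1, p, ":")              # p[2] is the section, p[n] the key
        id = (p[2] == "customSites") ? "customSites:" p[4] : p[2]
        val = $2; gsub(/^"|"$/, "", val)   # strip the quotes serveradmin adds
        v[id, p[n]] = val
        if (!(id in seen)) { seen[id] = 1; order[++k] = id }
    }
    END {
        for (i = 1; i <= k; i++) {
            id = order[i]
            name = (v[id, "serverName"] == "") ? "-" : v[id, "serverName"]
            printf "%s %s %s ssl=%s listing=%s cgi=%s overrides=%s\n", id, name,
                v[id, "port"], v[id, "requiresSSL"], v[id, "allowFolderListing"],
                v[id, "allowCGIExecution"], v[id, "allowAllOverrides"]
        }
    }'
}

# Prints the ids of sites that serve directory listings, allow CGI execution
# or honour .htaccess overrides; each deserves a deliberate decision.
risky_sites() {
    site_summary | awk '/listing=yes|cgi=yes|overrides=yes/ { print $1 }'
}
```

On a real server the two calls are sudo serveradmin settings web | site_summary and sudo serveradmin settings web | risky_sites; the same key-splitting approach works for the dhcp and wiki output elsewhere on this site, since serveradmin uses one colon-separated path per line throughout.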
The next section (the largest by far) includes array entries for each defined web app. The following output includes the entry for the built-in Hello World Python (wsgi) app, along with the other web apps defined on the server:
web:definedWebApps:_array_index:0:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:0:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_ACSServer.conf"
web:definedWebApps:_array_index:0:requiredModuleNames:_array_index:0 = "mod_rewrite.so"
web:definedWebApps:_array_index:0:startCommand = ""
web:definedWebApps:_array_index:0:sslPolicy = 1
web:definedWebApps:_array_index:0:requiresSSL = no
web:definedWebApps:_array_index:0:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:0:launchKeys:_array_index:0 = "com.apple.AccountsConfigService"
web:definedWebApps:_array_index:0:proxies:/AccountsConfigService/api/:path = "/AccountsConfigService/api/"
web:definedWebApps:_array_index:0:proxies:/AccountsConfigService/api/:urls:_array_index:0 = "http://localhost:31415/AccountsConfigService/api"
web:definedWebApps:_array_index:0:preflightCommand = ""
web:definedWebApps:_array_index:0:stopCommand = ""
web:definedWebApps:_array_index:0:name = "com.apple.webapp.ACSServer"
web:definedWebApps:_array_index:0:displayName = ""
web:definedWebApps:_array_index:1:requiredWebAppNames:_array_index:0 = "com.apple.webapp.collabd"
web:definedWebApps:_array_index:1:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_webauth.conf"
web:definedWebApps:_array_index:1:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:1:requiredModuleNames:_array_index:1 = "headers_module"
web:definedWebApps:_array_index:1:startCommand = ""
web:definedWebApps:_array_index:1:sslPolicy = 4
web:definedWebApps:_array_index:1:requiresSSL = no
web:definedWebApps:_array_index:1:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:1:launchKeys = _empty_array
web:definedWebApps:_array_index:1:proxies:/auth:path = "/auth"
web:definedWebApps:_array_index:1:proxies:/auth:urls:_array_index:0 = "http://localhost:4444/auth"
web:definedWebApps:_array_index:1:preflightCommand = ""
web:definedWebApps:_array_index:1:stopCommand = ""
web:definedWebApps:_array_index:1:name = "com.apple.webapp.auth"
web:definedWebApps:_array_index:1:displayName = ""
web:definedWebApps:_array_index:2:requiredWebAppNames:_array_index:0 = "com.apple.webapp.auth"
web:definedWebApps:_array_index:2:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_webcalssl.conf"
web:definedWebApps:_array_index:2:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:2:requiredModuleNames:_array_index:1 = "headers_module"
web:definedWebApps:_array_index:2:startCommand = ""
web:definedWebApps:_array_index:2:sslPolicy = 1
web:definedWebApps:_array_index:2:requiresSSL = no
web:definedWebApps:_array_index:2:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:2:launchKeys = _empty_array
web:definedWebApps:_array_index:2:proxies = _empty_dictionary
web:definedWebApps:_array_index:2:preflightCommand = ""
web:definedWebApps:_array_index:2:stopCommand = ""
web:definedWebApps:_array_index:2:name = "com.apple.webapp.calendar"
web:definedWebApps:_array_index:2:displayName = ""
web:definedWebApps:_array_index:3:requiredWebAppNames:_array_index:0 = "com.apple.webapp.auth"
web:definedWebApps:_array_index:3:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_changepassword.conf"
web:definedWebApps:_array_index:3:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:3:requiredModuleNames:_array_index:1 = "headers_module"
web:definedWebApps:_array_index:3:startCommand = ""
web:definedWebApps:_array_index:3:sslPolicy = 4
web:definedWebApps:_array_index:3:requiresSSL = no
web:definedWebApps:_array_index:3:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:3:launchKeys = _empty_array
web:definedWebApps:_array_index:3:proxies:/changepassword:path = "/changepassword"
web:definedWebApps:_array_index:3:proxies:/changepassword:urls:_array_index:0 = "http://localhost:4444/changepassword"
web:definedWebApps:_array_index:3:preflightCommand = ""
web:definedWebApps:_array_index:3:stopCommand = ""
web:definedWebApps:_array_index:3:name = "com.apple.webapp.changepassword"
web:definedWebApps:_array_index:3:displayName = ""
web:definedWebApps:_array_index:4:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:4:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_shared.conf"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:1 = "xsendfile_module"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:2 = "headers_module"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:3 = "expires_module"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:4 = "deflate_module"
web:definedWebApps:_array_index:4:startCommand = ""
web:definedWebApps:_array_index:4:sslPolicy = 0
web:definedWebApps:_array_index:4:requiresSSL = no
web:definedWebApps:_array_index:4:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:4:launchKeys:_array_index:0 = "com.apple.collabd.expire"
web:definedWebApps:_array_index:4:launchKeys:_array_index:1 = "com.apple.collabd.notifications"
web:definedWebApps:_array_index:4:proxies:/collabdproxy:path = "/collabdproxy"
web:definedWebApps:_array_index:4:proxies:/collabdproxy:urls:_array_index:0 = "http://localhost:4444/svc"
web:definedWebApps:_array_index:4:proxies:/__collabd/streams/activity:path = "/__collabd/streams/activity"
web:definedWebApps:_array_index:4:proxies:/__collabd/streams/activity:urls:_array_index:0 = "http://localhost:4444/streams/activity"
web:definedWebApps:_array_index:4:preflightCommand = ""
web:definedWebApps:_array_index:4:stopCommand = ""
web:definedWebApps:_array_index:4:name = "com.apple.webapp.collabd"
web:definedWebApps:_array_index:4:displayName = ""
web:definedWebApps:_array_index:5:requiredWebAppNames:_array_index:0 = "com.apple.webapp.auth"
web:definedWebApps:_array_index:5:includeFiles = _empty_array
web:definedWebApps:_array_index:5:requiredModuleNames = _empty_array
web:definedWebApps:_array_index:5:startCommand = ""
web:definedWebApps:_array_index:5:sslPolicy = 0
web:definedWebApps:_array_index:5:requiresSSL = no
web:definedWebApps:_array_index:5:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:5:launchKeys:_array_index:0 = "com.apple.DeviceManagement.dmrunnerd"
web:definedWebApps:_array_index:5:launchKeys:_array_index:1 = "com.apple.DeviceManagement.php-fpm"
web:definedWebApps:_array_index:5:proxies = _empty_dictionary
web:definedWebApps:_array_index:5:preflightCommand = ""
web:definedWebApps:_array_index:5:stopCommand = ""
web:definedWebApps:_array_index:5:name = "com.apple.webapp.devicemgr"
web:definedWebApps:_array_index:5:displayName = ""
web:definedWebApps:_array_index:6:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:6:includeFiles = _empty_array
web:definedWebApps:_array_index:6:requiredModuleNames:_array_index:0 = "php5_module"
web:definedWebApps:_array_index:6:startCommand = ""
web:definedWebApps:_array_index:6:sslPolicy = 0
web:definedWebApps:_array_index:6:requiresSSL = no
web:definedWebApps:_array_index:6:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:6:launchKeys = _empty_array
web:definedWebApps:_array_index:6:proxies = _empty_dictionary
web:definedWebApps:_array_index:6:preflightCommand = ""
web:definedWebApps:_array_index:6:stopCommand = ""
web:definedWebApps:_array_index:6:name = "com.apple.webapp.php"
web:definedWebApps:_array_index:6:displayName = ""
web:definedWebApps:_array_index:7:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:7:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_webdavsharing.conf"
web:definedWebApps:_array_index:7:requiredModuleNames:_array_index:0 = "rewrite_module"
web:definedWebApps:_array_index:7:requiredModuleNames:_array_index:1 = "bonjour_module"
web:definedWebApps:_array_index:7:startCommand = ""
web:definedWebApps:_array_index:7:sslPolicy = 0
web:definedWebApps:_array_index:7:requiresSSL = no
web:definedWebApps:_array_index:7:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:7:launchKeys = _empty_array
web:definedWebApps:_array_index:7:proxies = _empty_dictionary
web:definedWebApps:_array_index:7:preflightCommand = ""
web:definedWebApps:_array_index:7:stopCommand = ""
web:definedWebApps:_array_index:7:name = "com.apple.webapp.webdavsharing"
web:definedWebApps:_array_index:7:displayName = ""
web:definedWebApps:_array_index:8:requiredWebAppNames:_array_index:0 = "com.apple.webapp.collabd"
web:definedWebApps:_array_index:8:requiredWebAppNames:_array_index:1 = "com.apple.webapp.auth"
web:definedWebApps:_array_index:8:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_wiki.conf"
web:definedWebApps:_array_index:8:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:8:requiredModuleNames:_array_index:1 = "headers_module"
web:definedWebApps:_array_index:8:startCommand = ""
web:definedWebApps:_array_index:8:sslPolicy = 0
web:definedWebApps:_array_index:8:requiresSSL = no
web:definedWebApps:_array_index:8:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:8:launchKeys:_array_index:0 = "com.apple.collabd.preview"
web:definedWebApps:_array_index:8:launchKeys:_array_index:1 = "com.apple.collabd.quicklook"
web:definedWebApps:_array_index:8:proxies:/__collabd/preview:path = "/__collabd/preview"
web:definedWebApps:_array_index:8:proxies:/__collabd/preview:urls:_array_index:0 = "http://localhost:4444/preview"
web:definedWebApps:_array_index:8:proxies:/wiki/files/upload:path = "/wiki/files/upload"
web:definedWebApps:_array_index:8:proxies:/wiki/files/upload:urls:_array_index:0 = "http://localhost:4444/upload_file"
web:definedWebApps:_array_index:8:proxies:/wiki/files/download:path = "/wiki/files/download"
web:definedWebApps:_array_index:8:proxies:/wiki/files/download:urls:_array_index:0 = "http://localhost:4444/files"
web:definedWebApps:_array_index:8:proxies:/wiki/ipad:path = "/wiki/ipad"
web:definedWebApps:_array_index:8:proxies:/wiki/ipad:urls = _empty_array
web:definedWebApps:_array_index:8:proxies:/wiki:path = "/wiki"
web:definedWebApps:_array_index:8:proxies:/wiki:urls:_array_index:0 = "http://localhost:4444/app-context/wiki"
web:definedWebApps:_array_index:8:preflightCommand = ""
web:definedWebApps:_array_index:8:stopCommand = ""
web:definedWebApps:_array_index:8:name = "com.apple.webapp.wiki"
web:definedWebApps:_array_index:8:displayName = ""
web:definedWebApps:_array_index:9:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:9:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_wsgi.conf"
web:definedWebApps:_array_index:9:requiredModuleNames:_array_index:0 = "wsgi_module"
web:definedWebApps:_array_index:9:startCommand = ""
web:definedWebApps:_array_index:9:sslPolicy = 0
web:definedWebApps:_array_index:9:requiresSSL = no
web:definedWebApps:_array_index:9:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:9:launchKeys = _empty_array
web:definedWebApps:_array_index:9:proxies = _empty_dictionary
web:definedWebApps:_array_index:9:preflightCommand = ""
web:definedWebApps:_array_index:9:stopCommand = ""
web:definedWebApps:_array_index:9:name = "com.apple.webapp.wsgi"
web:definedWebApps:_array_index:9:displayName = "Python "Hello World" app at /wsgi"
web:definedWebApps:_array_index:10:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:10:includeFiles:_array_index:0 = "/Library/Developer/XcodeServer/CurrentXcodeSymlink/Contents/Developer/usr/share/xcs/httpd_xcs.conf"
web:definedWebApps:_array_index:10:requiredModuleNames = _empty_array
web:definedWebApps:_array_index:10:startCommand = ""
web:definedWebApps:_array_index:10:sslPolicy = 4
web:definedWebApps:_array_index:10:requiresSSL = no
web:definedWebApps:_array_index:10:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:10:launchKeys = _empty_array
web:definedWebApps:_array_index:10:proxies = _empty_dictionary
web:definedWebApps:_array_index:10:preflightCommand = ""
web:definedWebApps:_array_index:10:stopCommand = ""
web:definedWebApps:_array_index:10:name = "com.apple.webapp.xcode"
web:definedWebApps:_array_index:10:displayName = ""
web:definedWebApps:_array_index:11:requiredWebAppNames:_array_index:0 = "com.example.webapp.myotherwebapp"
web:definedWebApps:_array_index:11:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_myinclude.conf"
web:definedWebApps:_array_index:11:requiredModuleNames:_array_index:0 = "mystuff_module"
web:definedWebApps:_array_index:11:startCommand = "/usr/local/bin/startmywebapp"
web:definedWebApps:_array_index:11:sslPolicy = 0
web:definedWebApps:_array_index:11:requiresSSL = no
web:definedWebApps:_array_index:11:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:11:launchKeys:_array_index:0 = "com.example.mywebapp"
web:definedWebApps:_array_index:11:proxies:/mywebapp:path = "/mywebapp"
web:definedWebApps:_array_index:11:proxies:/mywebapp:urls:_array_index:0 = "http://localhost:3000"
web:definedWebApps:_array_index:11:proxies:/mywebapp:urls:_array_index:1 = "http://localhost:3001"
web:definedWebApps:_array_index:11:preflightCommand = "/usr/local/bin/preflightmywebapp"
web:definedWebApps:_array_index:11:stopCommand = "/usr/local/bin/stopmywebapp"
web:definedWebApps:_array_index:11:name = "com.example.mywebapp"
web:definedWebApps:_array_index:11:displayName = "MyWebApp"
The final section defines the settings used for the default sites as well as a couple of host based settings:
web:defaultSecureSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSecureSite:serverName = ""
web:defaultSecureSite:realms = _empty_dictionary
web:defaultSecureSite:redirects = _empty_array
web:defaultSecureSite:enableServerSideIncludes = no
web:defaultSecureSite:networkAccesses = _empty_array
web:defaultSecureSite:customLogPath = "\"/var/log/apache2/access_log\""
web:defaultSecureSite:webApps = _empty_array
web:defaultSecureSite:sslCertificateIdentifier = "odr.krypted.com.32A9706448BDB45B120A91470FA866A5C61BD342"
web:defaultSecureSite:fullSiteRedirectToOtherSite = ""
web:defaultSecureSite:allowFolderListing = no
web:defaultSecureSite:serverAliases = _empty_array
web:defaultSecureSite:errorLogPath = "\"/var/log/apache2/error_log\""
web:defaultSecureSite:fileName = "/Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34543_.conf"
web:defaultSecureSite:aliases = _empty_array
web:defaultSecureSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSecureSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSecureSite:directoryIndexes:_array_index:2 = "default.html"
web:defaultSecureSite:allowAllOverrides = no
web:defaultSecureSite:identifier = "67127004"
web:defaultSecureSite:port = 34543
web:defaultSecureSite:allowCGIExecution = no
web:defaultSecureSite:serverAddress = "127.0.0.1"
web:defaultSecureSite:requiresSSL = yes
web:defaultSecureSite:proxies = _empty_dictionary
web:defaultSecureSite:errorDocuments = _empty_dictionary
web:mainHost:keepAliveTimeout = 15.000000
web:mainHost:maxClients = "256"
Each site has its own configuration file defined in the array for each section. By default these are stored in the /Library/Server/Web/Config/apache2/sites directory, with /Library/Server/Web/Config/apache2/sites/0000_any_80_blog.krypted.com.conf being the file for the custom site we created previously. As you can see, many of the options available in the Server app are also available in these files:
ServerName www2.krypted.com
ServerAdmin admin@example.com
DocumentRoot "/Library/Server/Web/Data/Sites/blog.krypted.com"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log
SSLEngine Off
SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SSLProtocol -ALL +SSLv3 +TLSv1
SSLProxyEngine On
SSLProxyProtocol -ALL +SSLv3 +TLSv1
Options All -Indexes -ExecCGI -Includes +MultiViews
AllowOverride None
DAV Off
Deny from all
ErrorDocument 403 /customerror/websitesoff403.html
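As an added example (not code from the original post or from Apple), here is a small Python linter for vhost files in the format shown above. SAMPLE_VHOST is constructed from the directives listed above; lint() reports the lines a reviewer would question: SSLv3 or TLSv1 left enabled, RC4 left in the cipher string, Options All without the -ExecCGI/-Includes/-Indexes negations, or AllowOverride set to anything but None. The protocol names it understands are httpd 2.4's.

```python
"""Lint the TLS and access directives of a macOS Server vhost file.

Added example, not from the original post or from Apple. SAMPLE_VHOST is
constructed from the directives shown above; lint() reports what a reviewer
would question in such a file.
"""
import shlex

SAMPLE_VHOST = """\
ServerName www2.krypted.com
ServerAdmin admin@example.com
DocumentRoot "/Library/Server/Web/Data/Sites/blog.krypted.com"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log
SSLEngine Off
SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SSLProtocol -ALL +SSLv3 +TLSv1
SSLProxyEngine On
SSLProxyProtocol -ALL +SSLv3 +TLSv1
Options All -Indexes -ExecCGI -Includes +MultiViews
AllowOverride None
DAV Off
Deny from all
ErrorDocument 403 /customerror/websitesoff403.html
"""

# Protocol names httpd 2.4 accepts in SSLProtocol; "all" expands to these.
KNOWN_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def parse_directives(text):
    """Map lower-cased directive name -> list of argument lists, one per occurrence."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue  # comments and <Section> tags are out of scope here
        name, *args = shlex.split(line)
        directives.setdefault(name.lower(), []).append(args)
    return directives


def enabled_protocols(args):
    """Resolve Apache's +/- protocol syntax into the set of versions left enabled."""
    enabled = set()
    for tok in args:
        if not tok:
            continue
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = KNOWN_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def first(directives, name):
    """Arguments of the first occurrence of a directive, or None when absent."""
    occurrences = directives.get(name)
    return occurrences[0] if occurrences else None


def legacy_versions(directives, name):
    """Legacy protocol versions that a (proxy) protocol directive leaves enabled."""
    args = first(directives, name)
    return enabled_protocols(args) - MODERN_PROTOCOLS if args else set()


def lint(text):
    d, findings = parse_directives(text), []
    engine = first(d, "sslengine")
    if engine and engine[0].lower() == "on":
        if legacy_versions(d, "sslprotocol"):
            findings.append("SSLProtocol allows legacy versions: "
                            + ", ".join(sorted(legacy_versions(d, "sslprotocol"))))
    elif engine:
        findings.append("SSLEngine Off: inbound SSLProtocol/SSLCipherSuite lines are inert here")
    proxy = first(d, "sslproxyengine")
    if proxy and proxy[0].lower() == "on" and legacy_versions(d, "sslproxyprotocol"):
        findings.append("SSLProxyProtocol allows legacy versions to backends: "
                        + ", ".join(sorted(legacy_versions(d, "sslproxyprotocol"))))
    for args in d.get("sslciphersuite", []):
        cipher_string = args[0] if args else ""
        weak = [c for c in cipher_string.split(":") if "RC4" in c and not c.startswith("!")]
        if weak:
            findings.append("SSLCipherSuite includes RC4: " + ", ".join(weak))
    options = [o.lower() for o in first(d, "options") or []]
    if "all" in options:
        for flag in ("ExecCGI", "Includes", "Indexes"):
            if "-" + flag.lower() not in options:
                findings.append(f"Options All leaves {flag} enabled")
    override = first(d, "allowoverride")
    if override and override[0].lower() != "none":
        findings.append("AllowOverride " + " ".join(override) + ": .htaccess files can alter this site")
    return findings
```

For the file above the report is instructive: because SSLEngine is Off, the inbound SSLProtocol and SSLCipherSuite lines do nothing for this site, but SSLProxyEngine is On, so the SSLProxyProtocol line does govern connections to proxied backends, and that is where SSLv3 and TLSv1 would actually be negotiated.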
The serveradmin command can also be used to run commands. For example, to reset the service to factory defaults, delete the configuration files for each site and then run the following command:

sudo serveradmin command web:command=restoreFactorySettings

The final tip I'm going to give in this article is when to make changes with each tool. I strongly recommend making all of your changes in the Server app when possible. When that isn't possible, use serveradmin, and only when you can't make the change with serveradmin should you alter the configuration files that ship with the operating system. For example, in this article I look at overriding some ports for virtual sites that might conflict with other sites on your systems. I also recommend keeping backups of all configuration files that are altered, and a log of what was altered in each, in order to help piece the server back together should it become unconfigured miraculously when a softwareupdate -all is run next.

October 18th, 2016

Posted In: Mac OS X Server

SSH allows administrators to connect to another computer using a secure shell, or command line environment. ARD (Apple Remote Desktop) allows screen sharing, remote scripts and other administrative goodness. You can also connect to a server using the Server app running on a client computer. To enable any or all of these, open the Server app (Server 5.2 for Sierra), click on the name of the server, click the Settings tab and then click on the checkbox for what you'd like to enable.

All of these can be enabled and managed from the command line as well. The traditional way to enable Apple Remote Desktop is using the kickstart command. But there's a simpler way in macOS Server 5.2 on Sierra: the serveradmin command. To enable ARD using the serveradmin command, use the settings option, with info:enableARD to set the payload to yes:

sudo serveradmin settings info:enableARD = yes

Once run, open System Preferences and click on Sharing. The Remote Management box is then checked and the local administrative user has access to ARD into the host.

There are also a few other commands that can be used to control settings. To enable SSH for administrators:

sudo serveradmin settings info:enableSSH = yes

When you enable SSH from the serveradmin command you will not see any additional checkboxes in the Sharing System Preferences; however, you will see the box checked in the Server app. To enable SNMP:

sudo serveradmin settings info:enableSNMP = yes

Once SNMP is enabled, use the /usr/bin/snmpconf interactive command line environment to configure SNMP so you can manage traps and other objects as necessary. Note: you can't have snmpd running while you configure SNMPv3. Once SNMPv3 is configured, snmpd can be run.

To allow other computers to use the Server app to connect to the server, use the info:enableRemoteAdministration key from serveradmin:

sudo serveradmin settings info:enableRemoteAdministration = yes

To enable the dedication of resources to Server apps (aka Server Performance Mode):

sudo serveradmin settings info:enableServerPerformanceMode = yes

September 16th, 2016

Posted In: Mac OS X Server, Mac Security

Any time I need to get a bunch of cruft out of Software Update Server on OS X Server, I just reset it real quick. To do so, simply remove /Library/Server/Software Update. But first, it's important to stop the service, and once removed, set the port back up (which isn't done automatically), and then start the service (swupdate). As this has become somewhat routine, I made a micro-script of it here.

April 14th, 2016

Posted In: Mac OS X, Mac OS X Server, Mass Deployment

I've written a couple of articles about the Caching service in OS X Server 5 for El Capitan. As of OS X Server 5, the Caching service also caches local copies of iCloud content on the computer running the Caching service. This allows you to cache content once and then have it accessed by multiple devices faster. I'm torn on this option. On the one hand, I love the fact that I can cache things, and on the other hand I find it frightening that a random user can cache things I might not want them to cache on behalf of another user. I know, I know, they're encrypted with a device key. But when you have data on disk, it can always be decrypted. I almost feel like there should be a plist on machines that whitelists allowed caching servers. Maybe I should make a feature request on that. Either way, as it stands now, I might be disabling this option in larger offices. To do so, I can write an AllowPersonalCaching key into the Config.plist file at /Library/Server/Caching/Config/. The most graceful way to do this is using the serveradmin command, followed by the settings verb and then the caching:AllowPersonalCaching option, setting that equal to no, as follows:

sudo serveradmin settings caching:AllowPersonalCaching = no

To turn it back on:

sudo serveradmin settings caching:AllowPersonalCaching = yes

This can also be done by dropping a Config.plist file into the correct location for new server installations. I'll have an article out shortly on doing so, as you'd want to normalize a few options in the file before deploying en masse (e.g. if you have a large contingent of Caching servers to manage).
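As an added example, not the author's script or Apple tooling, the same change made directly in the plist with Python's plistlib, which is the route for preparing a Config.plist ahead of deploying it to new servers. It keeps whatever else is already in the file, writes atomically so a crash never leaves a half-written plist, and does nothing when the key is already false. The default path is the one named above; demo() exercises the helper on a scratch file seeded with a constructed config instead.

```python
"""Write AllowPersonalCaching = false into the Caching service Config.plist.

Added example, not the author's script or Apple tooling. It makes the same
change as the serveradmin command above, but directly in the plist, which is
the route for preparing a Config.plist before deploying it to new servers.
The default path is the one named in the post; demo() uses a scratch file.
"""
import os
import plistlib
import stat
import tempfile

DEFAULT_PATH = "/Library/Server/Caching/Config/Config.plist"
KEY = "AllowPersonalCaching"


def load_plist(path):
    """Existing settings, or an empty dict when the file does not exist yet."""
    if not os.path.exists(path):
        return {}
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def disable_personal_caching(path=DEFAULT_PATH):
    """Ensure AllowPersonalCaching is false, keeping every other key. Returns True when the file changed."""
    config = load_plist(path)
    if config.get(KEY) is False:
        return False  # already set; leave the file untouched
    config[KEY] = False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".plist")
    with os.fdopen(fd, "wb") as fh:
        plistlib.dump(config, fh)
    if os.path.exists(path):
        # mkstemp creates 0600 files; keep the permissions the existing plist had
        os.chmod(tmp, stat.S_IMODE(os.stat(path).st_mode))
    os.replace(tmp, path)  # atomic rename: a crash never leaves a half-written plist
    return True


def demo():
    """Run the helper twice against a constructed plist in a temp dir and report what happened."""
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "Config.plist")
        with open(path, "wb") as fh:
            plistlib.dump({KEY: True, "OtherKeyKeptAsIs": 42}, fh)  # constructed sample config
        changed_first = disable_personal_caching(path)
        changed_second = disable_personal_caching(path)
        return {"changed_first": changed_first, "changed_second": changed_second,
                "config": load_plist(path)}
```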

October 16th, 2015

Posted In: Mac OS X Server

Configuring Calendar Server in OS X Server 5 (running on El Capitan or Yosemite) is a fairly simple and straightforward process. The Calendar Server is a CalDAV server, leveraging HTTP and HTTPS, running on ports 8008 and 8443 respectively. To enable the Calendar service in OS X Server (Server 5), open the Server application and click on Calendar in the SERVICES section of the sidebar.

Once open, click on Enable invitations by email to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button.

At the Configure Server Email Address screen, provide the type of incoming mail service in use, the address of the mail server and the port number used, if not a standard port for HTTPS-based IMAP (or POP if you'd prefer), the user name and the valid password for the account. Then click on the Next button.

At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be if possible), the password protocol, the user name and the password. Then click on the Next button.

At the Mail Account Summary screen, review the settings and if correct, click Finish. Back at the service configuration screen, click on the plus sign ("+") and provide a type of location, an address, a delegate, a name for the location, whether or not invitations to the resource are accepted and then enter the account name for any accounts that can manage the location's calendar (they will auto-complete, so there's no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in type to configure a resource instead of a location. The two are the same, except for the Type field.

There are a number of settings that can also be configured, but those are exposed only at the command line. To configure them, open the command line and review the list of Calendar service settings using the settings option of the serveradmin command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar

There are a number of settings for the Calendar service, including the following:

calendar:DefaultLogLevel = "info"
calendar:EnableAPNS = yes
calendar:EnableSSL = yes
calendar:DirectoryAddressBook:params:queryUserRecords = yes
calendar:DirectoryAddressBook:params:queryPeopleRecords = yes
calendar:EnableSearchAddressBook = yes
calendar:HTTPPort = 80
calendar:AccountingCategories:HTTP = no
calendar:AccountingCategories:Implicit Errors = no
calendar:AccountingCategories:iTIP = no
calendar:AccountingCategories:migration = no
calendar:AccountingCategories:AutoScheduling = no
calendar:AccountingCategories:iSchedule = no
calendar:AccountingCategories:iTIP-VFREEBUSY = no
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:Enabled = yes
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Wiki:Enabled = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:EnableCardDAV = no
calendar:Scheduling:iMIP:Sending:UseSSL = yes
calendar:Scheduling:iMIP:Sending:Server = "osxserver.krypted.com"
calendar:Scheduling:iMIP:Sending:Address = "com.apple.calendarserver@osxserver.krypted.com"
calendar:Scheduling:iMIP:Sending:Username = "com.apple.calendarserver"
calendar:Scheduling:iMIP:Sending:Password = "79PreYsZSFfZZC6v"
calendar:Scheduling:iMIP:Sending:Port = 587
calendar:Scheduling:iMIP:Enabled = yes
calendar:Scheduling:iMIP:Receiving:UseSSL = yes
calendar:Scheduling:iMIP:Receiving:Server = "osxserver.krypted.com"
calendar:Scheduling:iMIP:Receiving:Type = "imap"
calendar:Scheduling:iMIP:Receiving:Username = "com.apple.calendarserver"
calendar:Scheduling:iMIP:Receiving:Password = "79PreYsZSFfZZC6v"
calendar:Scheduling:iMIP:Receiving:Port = 993
calendar:SSLPrivateKey = ""
calendar:LogLevels = _empty_dictionary
calendar:DataRoot = "/Library/Server/Calendar and Contacts/Data"
calendar:ServerRoot = "/Library/Server/Calendar and Contacts"
calendar:SSLCertificate = ""
calendar:EnableCalDAV = no
calendar:Notifications:Services:APNS:Enabled = yes
calendar:SSLPort = 443
calendar:RedirectHTTPToHTTPS = yes
calendar:SSLAuthorityChain = ""
calendar:ServerHostName = "osxserver.krypted.com"

One of the more common settings to configure is the port number that CalDAV runs on. To configure HTTP:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar:HTTPPort = 8008

For HTTPS:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar:SSLPort = 8443

You can then start the service using the start option:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start calendar

Or to stop it:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop calendar

Or to get the status:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin fullstatus calendar

Full status indicates that the three services are running:

calendar:readWriteSettingsVersion = 1
calendar:setStateVersion = 1
calendar:state = "RUNNING"
calendar:contactsState = "RUNNING"
calendar:calendarState = "RUNNING"

Once the Calendar server is configured, use the Calendar application to communicate with the server. Open the Calendar application, click on the Calendar menu and select Add Account. From the Add Account screen, click on the Add CalDAV Account radio button and click Continue. Select CalDAV from the Account Type menu and then enter the User Name and password configured on the server, and add the address of the server if you don't have any service records pointing to the server. The User Name is usually the name provided in Server app, followed by @ and then the address of the server.

Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account and then, to share a calendar, right-click on the calendar and click on Share Calendar… At the Share Calendar screen, provide the name the calendar should appear as to others and anyone with whom you'd like to share your calendar.

Back at the Calendar Settings screen, use the settings to configure Availability and the refresh rate of calendars, as seen above. Click on Server Settings to assign custom port numbers. Click on the Delegation tab to view any accounts you've been given access to. Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions.

Overall, the Calendar service in El Capitan Server is one of the easiest to configure. Most of the work goes into settings configured on client systems. This, as with Exchange, distributes administration, often making administration more complicated than with many other tools. But that's a good thing; no one wants to access other people's accounts, for calendars or mail for that matter, without those users knowing that it was done, as will happen when resetting passwords…
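Every service on this page is inspected through the same serveradmin settings dump: the web site and webapp arrays earlier on this page, the info:enable… keys in the remote management post, and the calendar settings just listed (which, note, print the iMIP mail password in the clear). As an added example that is not code from the original posts or from Apple, the following Python turns that key = value format into nested dicts and lists (expanding _array_index and _array_id paths), runs a few review rules over the result, and masks password values before a dump is logged or shared. SAMPLE_DUMP is constructed from lines shown on this page with the password replaced by a placeholder; the review rules and their wording are this example's, not Apple's.

```python
"""Parse `serveradmin settings` output into nested data and audit it.

Added example, not code from the original posts or from Apple. SAMPLE_DUMP is
constructed from lines shown on this page, with the real password replaced.
"""

SAMPLE_DUMP = """\
info:enableSSH = yes
web:defaultSecureSite:requiresSSL = yes
web:defaultSecureSite:port = 34543
web:defaultSecureSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSecureSite:directoryIndexes:_array_index:1 = "index.php"
web:definedWebApps:_array_index:0:name = "com.example.mywebapp"
web:definedWebApps:_array_index:0:proxies:/mywebapp:urls:_array_index:0 = "http://localhost:3000"
web:definedWebApps:_array_index:0:proxies:/mywebapp:urls:_array_index:1 = "http://localhost:3001"
web:mainHost:keepAliveTimeout = 15.000000
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:Scheduling:iMIP:Sending:Password = "PLACEHOLDER_PASSWORD"
"""

ARRAY_MARKERS = ("_array_index", "_array_id")
REMOTE_ACCESS_KEYS = {"enableSSH", "enableARD", "enableSNMP", "enableRemoteAdministration"}
PERMISSIVE_SITE_FLAGS = {"allowCGIExecution", "allowAllOverrides", "allowFolderListing"}


def parse_value(raw):
    """One right-hand side: serveradmin sentinels, yes/no, quoted string, int, float."""
    raw = raw.strip()
    if raw == "_empty_array":
        return []
    if raw == "_empty_dictionary":
        return {}
    if raw in ("yes", "no"):
        return raw == "yes"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"')  # embedded quotes are backslash-escaped
    for cast in (int, float):
        try:
            return cast(raw)
        except ValueError:
            pass
    return raw


def split_path(path):
    """Colon path to key list; `_array_index:N` becomes int N, `_array_id:X` becomes X."""
    parts, keys, i = path.split(":"), [], 0
    while i < len(parts):
        if parts[i] in ARRAY_MARKERS and i + 1 < len(parts):
            keys.append(int(parts[i + 1]) if parts[i] == "_array_index" else parts[i + 1])
            i += 2
        else:
            keys.append(parts[i])
            i += 1
    return keys


def listify(node):
    """Dicts keyed only by ints came from _array_index: emit them as lists (gaps compact)."""
    if isinstance(node, dict):
        if node and all(isinstance(k, int) for k in node):
            return [listify(node[k]) for k in sorted(node)]
        return {k: listify(v) for k, v in node.items()}
    return node


def parse_settings(text):
    root = {}
    for line in text.splitlines():
        if " = " not in line:
            continue  # blank lines and status banners carry no setting
        path, raw = line.split(" = ", 1)
        keys, node = split_path(path.strip()), root
        for key in keys[:-1]:
            node = node.setdefault(key, {})
        node[keys[-1]] = parse_value(raw)
    return listify(root)


def walk(node, prefix=()):
    # Yield (path, value) for every leaf; list indices are rendered as strings.
    if isinstance(node, (dict, list)):
        items = node.items() if isinstance(node, dict) else enumerate(node)
        for k, v in items:
            yield from walk(v, prefix + (str(k),))
    else:
        yield prefix, node


def audit(settings):
    """Review rules over the dump; each fires on a `yes` and yields one finding string."""
    findings = []
    for path, value in walk(settings):
        if value is not True:
            continue
        key, dotted = path[-1], ":".join(path)
        if key == "AllowedOverWireUnencrypted":
            findings.append(f"{dotted}: {path[-2]} authentication permitted over an unencrypted connection")
        elif key == "Enabled" and path[-3:-1] == ("Authentication", "Basic"):
            findings.append(f"{dotted}: Basic authentication enabled")
        elif key in PERMISSIVE_SITE_FLAGS:
            findings.append(f"{dotted}: permissive site option")
        elif path[0] == "info" and key in REMOTE_ACCESS_KEYS:
            findings.append(f"{dotted}: remote management interface enabled")
    return findings


def redact(node):
    """Copy of the tree with every *Password* value masked before a dump is shared or logged."""
    if isinstance(node, dict):
        return {k: "<redacted>" if "password" in str(k).lower() else redact(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node
```

Against a live server, capture the output of serveradmin settings for the service of interest to a file and feed the text to parse_settings; keeping redacted dumps from before and after each change is a convenient way to maintain the change log recommended in the web post above.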

October 1st, 2015

Posted In: Mac OS X Server

OS X has an application called Contacts. OS X Server 5, running on Yosemite or El Capitan, has a service called Contacts. While the names might imply that they do very different things, you'll be super-surprised to learn that the two are designed to work with one another. The Contacts service is based on CardDAV, a protocol for storing contact information on the web, retrievable and digestible by client computers. However, there is a layer of Postgres-based obfuscation between the Contacts service and CardDAV. The Contacts service is also a conduit with which to read information from LDAP and display that information in the Contacts client, which is in a way similar to how the Global Address List (GAL) works in Microsoft Exchange.

I know I've said this about other services in OS X Server, but the Contacts service couldn't be easier to configure. First, you should be running Open Directory and you should also have configured Apple Push Notifications. To set up Push Notifications, have an Apple ID handy and click on the Contacts entry in the SERVICES section of Server app. Click the Edit Notifications button to configure the Apple Push Notification settings for the computer. When prompted, click on Enable Push Notifications. If prompted, provide the username and password for the Apple ID and then click on Finish.

To enable the Contacts service, open the Server app and then click on Contacts in the SERVICES section of the List Pane. From here, use the "Include directory contacts in search" checkbox to publish LDAP contacts through the service, or leave this option unchecked, and click on the ON button to enable the service. The Contacts service then starts and, once complete, a green light appears beside the Contacts entry in the List Pane.

To configure a client, open the Contacts application on a client computer and use the Preferences entry in the Contacts menu to bring up the Preferences screen. From here, click the Accounts menu and then click on Add Accounts. At the Add Account screen, scroll down and click Add Other Account… to bring up an expanded menu of account types. Click Add a CardDAV account. At the "Add a CardDAV Account" screen, enter the email address and password of the user. Auto discovery doesn't always work, so you might end up using the manual button to add the account using the server's address. Alternatively, if you've mapped CardDAV to custom ports, you may use the advanced option to have paths and ports available.

When the account is finished creating, you can click on the account again to see the settings used. Otherwise, close the Preferences/Accounts screen and then view the list of Contacts. Click on View and then Show Groups. This will show you the names of the servers that you're connected to in the sidebar. There won't be any contacts yet, so click on the plus sign to verify you have write access to the server.

Next, let's get access to the LDAP-based contacts. To do so, bring up the Add Account screen again and this time select LDAP Account from the Account Type field. Provide the name or IP address of the server and then the port that LDAP contacts are available over (the defaults, 389 and 636 with SSL, are more than likely the settings that you'll use). Then click on the Continue button. At the Account Settings screen, provide the name that will appear in the Contacts app for the account in the Description field and then enter the search base in the Search base field. To determine the search base, use the serveradmin command. The following command will output the search base:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings dirserv:LDAPSettings:LDAPSearchBase

Then set Authentication to simple and provide the username and password to access the server for the account you are configuring. The list then appears.

The default port for the Contacts service is 8443, as seen earlier in the configuration of the client. To customize the port, use the serveradmin command to set the addressbook SSLPort setting, as follows:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:SSLPort = 8443

The default location for the files used by the Contacts service is the /Library/Server/Calendar and Contacts directory. To change that to a folder called /Volumes/Pegasys/CardDAV, use the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:ServerRoot = "/Volumes/Pegasys/CardDAV"

When changing the ServerRoot, you'll likely need to change the DataRoot, which is usually the Data directory immediately underneath the ServerRoot. To do so, run serveradmin and put the DataRoot entry under the addressbook settings:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:DataRoot = "/Volumes/Pegasys/CardDAV/Data"

The service is then stopped with the serveradmin command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop addressbook

And started with the serveradmin command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start addressbook

Whether the service is running, along with the paths to the logs, can be obtained using the fullstatus command with serveradmin:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin fullstatus addressbook

The output of which should be as follows:

status addressbook
addressbook:state = "RUNNING"
addressbook:setStateVersion = 1
addressbook:readWriteSettingsVersion = 1

If you're easily amused, run the serveradmin settings for calendar and compare them to the serveradmin settings for addressbook:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar

By default, the Contacts server allows basic authentication. We'll just turn that off real quick:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:Authentication:Basic:Enabled = no

And then let's see what it is in addressbook:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:Authentication:Basic:Enabled

September 28th, 2015

Posted In: Mac OS X Server
