krypted.com

Tiny Deathstars of Foulness

macOS Server 5.4 (for High Sierra) comes with the /usr/sbin/serverinfo command (originally introduced in Mountain Lion Server). The serverinfo command is useful when programmatically obtaining information about the very basic state of an Apple Server. The first option indicates whether the Server app has been downloaded from the App Store, which is the --software option:

serverinfo --software

When used, this option reports the following if the Server.app can be found:
This system has server software installed.
Or if the software cannot be found, the following is indicated:
This system does NOT have server software installed.
The --productname option reports the name of the Server app:

serverinfo --productname

If you rename the app from Server, the serverinfo command will no longer work, so the output should always be the following:
Server
The --shortversion option returns the version of the Server app being used:

serverinfo --shortversion

The output will not indicate a build number, but instead the version of the app on the computer the command is run on:
5.4
To see the build number (which should iterate with each update to the Server app from the Mac App Store), use the --buildversion option:

serverinfo --buildversion

The output shows the build of server, which doesn’t necessarily match the macOS build number:
17S1180a
Just because the Server app has been downloaded doesn’t mean the Server setup assistant has been run. To see if it has, use the --configured option:

serverinfo --configured

The output indicates whether the system is running as a server or merely has the app installed (e.g. if you’re using it to connect to another server):
This system has server software configured.
You can also output all of the information into a single, easy to script against property list using the --plist option:

serverinfo --plist

The output is a list of each of the other options used:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>IsOSXServerVolume</key>
	<true/>
	<key>IsOSXServerVolumeConfigured</key>
	<true/>
	<key>IsServerHardware</key>
	<false/>
	<key>LocalizedServerProductName</key>
	<string>Server</string>
	<key>MinimumServerVersionAllowed</key>
	<string>5.3.55</string>
	<key>ServerBuildVersion</key>
	<string>17S1180a</string>
	<key>ServerPerformanceModeEnabled</key>
	<false/>
	<key>ServerVersion</key>
	<string>5.3</string>
</dict>
</plist>

The Server Root can reside in a number of places. To see the path (useful when scripting commands that are relative to the ServerRoot), use the --prefix option:

serverinfo --prefix

By default, the output is as follows, which is the path of the ServerRoot directory itself:
/Applications/Server.app/Contents/ServerRoot
You can also see whether the system is running on actual hardware designated by Apple for servers using the --hardware option:

serverinfo --hardware

The output simply indicates if the hardware shipped with OS X Server on it from Apple:
This system is NOT running on server hardware.
The --perfmode option indicates whether or not the performance mode has been enabled, dedicating resources to binaries within the Server app:

serverinfo --perfmode

If the performance mode has not been enabled then the output will be as such:
Server performance mode is NOT enabled.
Note: Performance mode doesn’t seem to be supported any longer, as none of the options will actually enable it.
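Scripting against the plist output is where serverinfo earns its keep. The following is an added example (not from the original post, and not part of Apple’s serverinfo) that turns serverinfo --plist into a small inventory record, so a fleet script can tell whether a Mac is a configured Server and whether its Server.app is at least a version you choose. SAMPLE is constructed from the plist output shown above; read_serverinfo() with no argument runs the real command, and a host that never had Server.app (so no /usr/sbin/serverinfo at all) is reported as not installed rather than crashing the script.

```python
"""Added example (not from the original post, and not part of Apple's serverinfo):
turn `serverinfo --plist` into a small inventory record so a fleet script can
tell whether a Mac is a configured Server and whether its Server.app is at
least a version you pick. SAMPLE is constructed from the plist output shown
in the post; read_serverinfo() with no argument runs the real command instead."""
import plistlib
import subprocess

SERVERINFO = "/usr/sbin/serverinfo"   # only present once Server.app is installed

# Constructed sample, copied from the --plist output shown in the post.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>IsOSXServerVolume</key><true/>
    <key>IsOSXServerVolumeConfigured</key><true/>
    <key>IsServerHardware</key><false/>
    <key>LocalizedServerProductName</key><string>Server</string>
    <key>MinimumServerVersionAllowed</key><string>5.3.55</string>
    <key>ServerBuildVersion</key><string>17S1180a</string>
    <key>ServerPerformanceModeEnabled</key><false/>
    <key>ServerVersion</key><string>5.3</string>
</dict>
</plist>
"""


def version_tuple(version):
    """'5.3.55' -> (5, 3, 55). Shorter strings are right-padded with zeros so
    that '5.3' compares equal to '5.3.0' and below '5.3.55'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def read_serverinfo(raw=None):
    """Parse the --plist output. With raw=None the command is run; a host that
    never had Server.app has no /usr/sbin/serverinfo at all, which is reported
    as 'not installed' rather than raised."""
    if raw is None:
        try:
            raw = subprocess.run([SERVERINFO, "--plist"], check=True,
                                 capture_output=True).stdout
        except FileNotFoundError:
            return {"IsOSXServerVolume": False, "IsOSXServerVolumeConfigured": False}
    return plistlib.loads(raw)


def inventory(info, minimum="5.4"):
    """Summarise the plist: the host's role, plus whether ServerVersion is at
    least `minimum` (a floor you choose, e.g. the release your runbooks assume)."""
    version = info.get("ServerVersion")
    return {
        "installed": bool(info.get("IsOSXServerVolume", False)),
        "configured": bool(info.get("IsOSXServerVolumeConfigured", False)),
        "server_hardware": bool(info.get("IsServerHardware", False)),
        "perf_mode": bool(info.get("ServerPerformanceModeEnabled", False)),
        "version": version,
        "build": info.get("ServerBuildVersion"),
        "meets_minimum": bool(version) and version_tuple(version) >= version_tuple(minimum),
    }


if __name__ == "__main__":
    # Parse the constructed sample; drop the argument to query the local host.
    for key, value in inventory(read_serverinfo(SAMPLE), minimum="5.4").items():
        print(f"{key}: {value}")
```

The version comparison is done on integer tuples rather than strings so that 5.3.55 sorts above 5.3 and 5.10 above 5.9; comparing the strings directly would get both wrong.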

September 27th, 2017

Posted In: Mac OS X Server


A wiki is a repository of dynamically created and managed content, or content created or edited by multiple users collaboratively. This article is about using the wiki service in macOS Server 5.4 (the Apple Server app running on 10.13/High Sierra). I reference file services with WebDAV because it is a very nice integration piece that I think a lot of people will find pretty beneficial.

To get started with the Wiki service, first turn it on. This one isn’t heavily dependent on host names (other than being able to access the server from a browser) or directory services (other than being able to authenticate users, but local accounts are perfectly functional) and it doesn’t require the Websites service to be running as well. One should always have good working directory services and host names, still…

To enable the service, open the Server app and click on Wiki in the list of SERVICES in the List Pane.

There are two configuration options. The first is to select who is able to create wikis. Use the “Wikis can be created by” drop-down list to select “all users” if anyone with an account on the server should be able to create a wiki or “only some users” to bring up the Wiki Creators screen.

If only some users can create new wikis, use the plus sign (“+”) at the Wiki Creators screen to add users and/or groups to the list of users that can create wikis. Click on OK when all users and groups that can create wikis are added. In a school I would imagine that only teachers or IT staff would be able to create wikis. Once a wiki is created, pages inside the wiki can still be created by non-wiki creators.

The other option available is the handy dandy WebDAV interface to the wikis. When you enable this option, you can connect to a server from macOS or iOS via WebDAV and access files in each wiki’s document repository. To be clear, this option doesn’t provide access to the user documents, but does provide access to the wiki documents. We’re going to check the box for “Enable WebDAV access to Wiki files” and then click the ON button.

Once the service starts, click on the View Wiki link in the Wiki workspace in Server app.



Here, click on the Log in button and enter a user with access to the server, preferably one who can create wikis.

At the Wikis page, you will then see a list of all wikis you have access to. Note that the previous screen showed one wiki and now we see two. That’s because one of the wikis has permissions that allow “All unauthenticated users” access to the wiki, which we’ll describe shortly. The first thing most administrators will do is create a wiki. To do so, click on the plus sign (“+”) icon on the web page and at the resultant screen, click on New Wiki.



At the “Create a new wiki” prompt, provide a name for the wiki and a brief description for it.

Click on Continue.



At the Set permissions screen, enter each user or group to provide access to edit and view wiki pages. Here, you’ll have the options for Read & Write (users can view and edit pages in the wiki), Read only (users can only view the contents of your pages) and No access (users have no access to the wiki). There is a group for All logged in users, which includes every user with access to the server, and another for All unauthenticated users, which includes guests to the server. Be deliberate with that last group: Read & Write for All unauthenticated users lets anyone who can reach the server edit the wiki anonymously. Once you’ve given the appropriate permissions, click on Continue.

Note: You don’t have to get this perfect now as you can always edit these later.



At the Set Appearance screen, you can choose an icon for the wiki (shown in the wiki list and when you open the wiki) as well as a color scheme for the wiki. Choose the appropriate appearance for your wiki (again, you can always change this later) and then click on the Create button.



Once the setup is finished, you’ll see the Setup complete modal. Here, you can click on Go to Wiki button.

Once you’ve created your first wiki, let’s edit it and customize the content. To do so, click on it from the list of available wikis. Click on the cog-wheel icon and then Wiki Settings… to bring up the Wiki Settings page.

Here, you’ll see the previously entered name and description as well as options to enable Calendar (only available if Calendar Server is running on the server) and Blog, which enables a blog service for the wiki (wiki administrators can post blog entries to the wiki). Click on Appearance.

Here, you will have the previous two options as well as the ability to upload a banner (which should be 62 pixels high) and background for each wiki.



Click on Permissions. Here, you’ll see the permissions previously configured as well as options to configure who can comment on articles in the wiki (choosing Nobody disables comments completely) and whether comments require approval (moderation).

Click on Save. Now, let’s edit the splash page. To do so, click the pencil icon in the top navigation bar.



At the edit screen, the top nav bar is replaced by a WYSIWYG editor for managing the page. Here you can justify, link, insert media and of course edit the text you see on the screen. I recommend spending some time embedding links, inserting tables, making text look like you want it to and editing the content to reflect the purpose of the wiki. Click Save when you’re done. Click the pencil again to edit it, and let’s create a new wiki page. Keep in mind that, like Wikipedia, each page should be linked to from other pages in the order they should be read. Unlike most wikis, there’s actually an index page of all the articles, which can come in handy.



From the edit page, to create a new page and link to it, enter some text (or lasso some) that you’ll use as the link to access the new page you’re creating. Then click on the arrow and select “New page.”

Note: Use Enter URL to link to an existing page or an external website, instead of creating a new page.



At the New Page screen, provide a name for the new page (the lasso’d text automatically appears as the Page Title) and click on the Add button.

Click Save and then click on the newly created link. You can now edit the new page the same way you edited the previous pages. Click on the disclosure triangles in the right sidebar to Comment on articles, link articles to related articles, tag articles and view editing history.

Now for the fun part. Click on Documents. Here, you’ll see the pages you already created. Click on the plus sign and select the option to Upload File to the wiki.



At the Upload File dialog, click on Choose File and then select a file to upload.

Click Upload when selected.

Then from the Finder of a macOS client, use the Go menu to select “Connect to Server”. Enter the name or IP of the server and then click on Connect.

Assuming you can access the server, you should then be prompted for a username and password. Enter it and click Connect. Eventually, the file(s) will display (it can take a while depending on your network speed and how many files are in the directory). Use an https:// address when connecting, so the WebDAV credentials aren’t sent across the network in the clear. You can connect to this same screen through an iPad using a 3rd party WebDAV client or the built-in options in Pages.

Managing wikis is as easy as it’s ever been, with the new options for appearance being a nice add-on. Active Directory integration is as easy as binding the server to Active Directory and using the accounts listed in Permissions of pages.

Now that iOS devices can edit wikis and many of the traditional word processing options are available in the wiki editor, consider what the Wiki can be. Could it replace text editing apps for iOS? Could the Wiki allow for more collaborative documents than a Word or other document editor? Could it keep from getting eaten like the rest of the homework? Could the comments in the Wiki be a good way for teachers to have students write responses to materials? Could the Wiki and the document management features allow your workers to access human resources documents and employee manuals? I know plenty of tech firms that use wikis to track information about the systems they manage.

Once you have all of this information, upgrading can seem downright scary. But fear not, there’s Carbon Copy Cloner. And once you’ve cloned, there’s wikiadmin. When doing an upgrade in place, the Wiki service is pretty straight forward to upgrade, but in many cases, due to aging hardware, wiki services are moving from an older computer to a newer computer. This can be done in one of two ways. The first is to “migrate” the data by copying the Collaboration folder onto the new system. The second is to “export” and “import” the data. I usually recommend doing a migrate where possible, so we’ll start with that method.

Note: Before getting started, make sure that the directory services side of things is good. If a user or group lookup for an object that owns, edits or has commented on a wiki fails then that wiki probably shouldn’t be migrated. Use the dscl or id commands to confirm that lookups are functioning as intended.

To migrate wikis from one server to another, first copy the Collaboration directory to the new server. In this example, the directory has been dropped onto the desktop of the currently logged in user. To migrate the data once copied, use the wikiadmin command, along with the migration option. The option requires the path to the Collaboration folder, defined with -r, as follows:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin migrate -r ~/Desktop/Collaboration

When moving wikis, you can take the opportunity to get rid of a few you don’t want (such as that test wiki from way back when). Or administrators may just choose to move a single wiki to a new server in order to split the load across multiple hosts. When doing so, use the same command as earlier, along with the name of each wiki that is being moved, along with the -g option. For example, if moving the Legal wiki:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin migrate -r ~/Desktop/Collaboration -g Legal

The second way of moving wikis around is to export and then import them. To do so, first export wikis on the old server using the wikiadmin command along with the export option, which requires an --exportPath option and needs to be done on a wiki-by-wiki basis. So to export that Legal wiki to a file called LegalWikiTMP on the desktop:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin export -g Legal --exportPath ~/Desktop/LegalWikiTMP

Next, copy the wiki to the new server and import it, using the import option along with --importPath to identify where the file being imported is located. Using the same location, the command would then be:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin import -g Legal --importPath ~/Desktop/LegalWikiTMP

Note: The ability to import a wiki also allows for an API of sorts, as you can programmatically create wikis from other sources. The ability to export also provides a way to move into another wiki tool if you happen to outgrow the options provided in Server and need to move to something more robust.

There is another way to move wikis, using pg_dump, copying the data and then using pg_restore to import the data once you’ve created the tables.  This way is, in my opinion, the last resort if the standard wikiadmin commands aren’t working. In my experience, if I’m doing the migration this way then I’ve got other, bigger issues that I need to deal with as well.

These commands work best when the wiki service has been started so that the databases are fully built out. To start the wiki service from the command line, use the serveradmin command instead of the wikiadmin command. The serveradmin command is used with the start option and then wiki is used to indicate the wiki service, as follows:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start wiki

The service can also be stopped, swapping out the start option with a stop option:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop wiki

In a few cases (this is the main reason I’m writing this article), the attachments to wikis don’t come over during a migration. To migrate the files that are used for QuickLook, downloading attachments, etc, use the serveradmin command to locate the directory that these objects are stored in:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings wiki:FileDataPath

The output identifies the directory where these objects are stored. Placing the contents in the same relative path as they are to the output of the same command on the target server usually results in restoring them. Once moved, use the fixPermissions option to repair the permissions of any files from the source (if any changes to account IDs are encountered, such as after an export/import rather than an archive/restore in Open Directory, this can lead to odd issues):

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin fixPermissions

Also use the rebuildSearchIndex option with the wikiadmin command to fix any indexing, once the permissions have been repaired:

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin rebuildSearchIndex

And finally use resetQuicklooks to clear any cached Quicklook representations of objects that have been inserted into a wiki and might not display properly using Quicklook (you know you might need to do this if they look fine when downloaded but look bad with Quicklook even though QuickLook on the server can view the files just fine):

sudo /Applications/Server.app/Contents/ServerRoot/usr/bin/wikiadmin resetQuicklooks

When done properly the migration can take awhile. Keep in mind that every tag, every article, every edit to every article and basically everything else is tracked inside the tables that you’re moving. While there might not be a ton of data in the Collaboration directory or in an export, all of the data needs to go to the right location. This can take a little time in environments that have a lot of articles, even if they’re really short articles…
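The migrate path above is a fixed sequence (start the service, migrate, fixPermissions, rebuildSearchIndex, resetQuicklooks) with one precondition: every account that owns or edits a wiki must still resolve. The following is an added example, not from the original post and not part of Apple’s wikiadmin, that encodes that sequence as a plan and refuses to run it while any account fails to resolve. It assumes the ServerRoot paths used in this post; the lookup is injectable so the check can be exercised without a directory server, and the account names in the main block are constructed.

```python
"""Added example, not from the original post and not part of Apple's wikiadmin:
a pre-flight check plus a command plan for the 'migrate' path described above.
It assumes the ServerRoot paths used in this post and that you keep a list of
the accounts that own or edit the wikis being moved. Run with dry_run=True
first: it returns the commands it would execute without touching the server."""
import shlex
import subprocess

SERVER_ROOT = "/Applications/Server.app/Contents/ServerRoot"
WIKIADMIN = SERVER_ROOT + "/usr/bin/wikiadmin"
SERVERADMIN = SERVER_ROOT + "/usr/sbin/serveradmin"


def resolves_with_id(account):
    """Real lookup: `id <name>` exits non-zero when directory services cannot
    find the account, which is exactly the failure the note above warns about."""
    return subprocess.run(["id", account], capture_output=True).returncode == 0


def unresolved_accounts(accounts, lookup=resolves_with_id):
    """Accounts that do not resolve on this host, sorted, duplicates removed."""
    return sorted(a for a in set(accounts) if not lookup(a))


def migration_plan(collab_path, wikis=(), repair=True):
    """argv lists in order: start the service so the databases exist, migrate
    every wiki (or only those named with -g), then the repair steps."""
    plan = [[SERVERADMIN, "start", "wiki"]]
    if wikis:
        plan += [[WIKIADMIN, "migrate", "-r", collab_path, "-g", w] for w in wikis]
    else:
        plan.append([WIKIADMIN, "migrate", "-r", collab_path])
    if repair:
        plan += [[WIKIADMIN, step] for step in ("fixPermissions", "rebuildSearchIndex", "resetQuicklooks")]
    return plan


def run_plan(plan, dry_run=True):
    """Render the plan as shell lines; unless dry_run, also execute it as root,
    stopping at the first failing step."""
    rendered = ["sudo " + shlex.join(argv) for argv in plan]
    if not dry_run:
        for argv in plan:
            subprocess.run(["sudo"] + argv, check=True)
    return rendered


def migrate(collab_path, owners, wikis=(), lookup=resolves_with_id, dry_run=True):
    """Refuse to migrate while any owner or editor fails to resolve."""
    missing = unresolved_accounts(owners, lookup)
    if missing:
        raise RuntimeError("fix directory services first; unresolved accounts: " + ", ".join(missing))
    return run_plan(migration_plan(collab_path, wikis), dry_run)


if __name__ == "__main__":
    # Constructed inputs: the Legal wiki and two accounts that appear in it.
    try:
        for line in migrate("/Users/admin/Desktop/Collaboration", ["jdoe", "legal-admins"], wikis=["Legal"]):
            print(line)
    except RuntimeError as exc:
        print(exc)
```

Keeping the plan as argv lists (rather than one shell string) means wiki names with spaces are passed to wikiadmin intact, and the dry run shows you exactly what will be executed before anything is touched.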

September 26th, 2017

Posted In: Mac OS X, Mac OS X Server


The changes in the Server app are pretty minimal in the macOS Server 5.4 version that we’re now looking at. All of the options from previous versions are still there and the dnsconfig command line interface for managing the service is basically unchanged. The DNS service in macOS Server, as with previous versions, is based on bind 9 (BIND 9.9.7-P3 to be exact). This is very much compatible with practically every DNS server in the world, including those hosted on Windows, macOS, Linux and even Zoe-R. To get started, click on the DNS service in the ADVANCED section of the list of SERVICES.
 
Then, click on the cog wheel icon below the list of records and click on Show All Records.
 
At the Records screen, you’ll now see forward and reverse record information. Click the Edit… button for the Forwarding Servers field. Here, you’ll be able to enter Forwarders, or DNS servers that resolve names that the server you’re using can’t resolve using its own DNS records.

 

Click the plus sign and enter the IP address of each Forwarder, then click OK to save your changes.

 

Once back at the main DNS service control screen, click the Edit… button for Perform lookups for to configure which computers can use the DNS service that the server is hosting.


At the Perform Lookups screen, provide any additional subnets that should be used. If the server should be accessible by anyone anywhere, just set the “Perform lookups for” field at the DNS service screen to “all clients”. Be careful with that setting on an Internet-facing server: a DNS server that answers recursive lookups for everyone is an open resolver, which gets abused for reflection and amplification attacks, so limit lookups to your own subnets unless the server is meant to be public.

Managing Records

All you have to do to start the DNS is click on the ON button (if it’s not already started, that is). There’s a chance that you won’t want all of the records that are by default entered into the service. But leave it for now, until we’ve covered what everything is. Next, click on the cog wheel icon below the records list, and you’ll see a list of all the records and record types that are currently running on the server.


Then, when you click on the plus sign, you can create additional records. Double-clicking on records (including the Zones) brings up a screen to edit the record. The settings for a zone can be seen below.
 

These include the name for the zone. As you can see, a zone was created with the hostname rather than the actual domain name. This is a problem if you wish to have multiple records in your domain that point to the same host name. Theoretically you could create a zone and a machine record for each host in the domain, but the right way to do things is probably going to be to create a zone for the domain name instead of the host name. So for the above zone, the entry should be krypted.com rather than mavserver.krypted.com (the hostname of the computer). Additionally, the TTL (or Time To Live) can be configured, which is referenced here as the “Zone data is valid for” field. If you will be making a lot of changes this value should be as low as possible (the minimum value here is 5 minutes).
“Note: To make sure your zone name and TLD don’t conflict with data that already exists on the Internet, check here to make sure you’re not using a sponsored TLD.” — http://krypted.com/mac-os-x/dont-go-near-there-sponsored-top-level-domain-names/

Note: In the screen above, the Zone field holds the domain (for example krypted.lan) and the record name holds only the host portion, such as www.

Click Done to commit the changes or create the new record. Next, let’s create a MX record for the domain. To create the MX for the domain, click on the plus sign at the list of records.


Select the appropriate zone in the Zone field (if you have multiple zones). Then type the name of the A record that you will be pointing mail to. Most likely, this would be a machine record called simply mail, in this case for krypted.lan, so mail.krypted.lan. It needs to be an A record rather than a CNAME, since RFC 2181 does not allow an MX to point at an alias. If you have multiple MX records, increment the priority number for the lower priority servers.

As a full example, let’s create a zone and some records from scratch. Let’s setup this zone for an Xsan metadata network, called krypted.xsan. Then, let’s create our metadata controller record as starbuck.krypted.xsan to point to 10.0.0.2 and our backup metadata controller record as apollo.krypted.xsan which points to 10.0.0.3. First, click on the plus sign and select Add Primary Zone.


At the zone screen, enter the name of the domain you’re setting up (e.g. krypted.com, also known as the zone), check the box for Allow zone transfers (there will be a second server) and click on the Done button. Only allow transfers for zones that actually have a secondary: an unrestricted zone transfer (AXFR) hands a complete copy of your records to anyone who asks, so once the secondary is set up, confirm from a host other than the secondary that a dig axfr for the zone against this server is refused. Click on the plus sign and then click on Add Machine record.


At the New Machine Record screen, select the appropriate zone as the Zone and then enter starbuck as the Host Name and click on the plus sign for IP Addresses and type in the appropriate IP. Click on Done to commit the changes. Repeat the process for each host that needs an address and then click Done to create the records.

Setting Up Secondary Servers

Now let’s setup a secondary server by leveraging a secondary zone running on a second computer. On the second macOS Server, click on the plus sign for the DNS service and select Add Secondary Zone.



At the Secondary Zone screen, enter krypted.com as the name of the zone and then the IP address of the DNS server hosting that domain in the Primary Servers field (actually, enter your domain name, not mine). Click Done and the initial zone transfer should begin once the DNS service is turned on (if it hasn’t already been enabled).

Managing DNS From The Command Line

Now, all of this is pretty straight forward. Create a zone, create some records inside the zone and you’re good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in macOS Server is to do everything possible using the serveradmin command for global management and dnsconfig for record and zone management. Once you start editing configuration files, the user interface can become unstable and other updates may or may not override the updates you make in those configuration files. To start the service, use the start option:

sudo serveradmin start dns
See also: http://krypted.com/?p=45195. In /private/var/named is a collection of files, one for each zone the server is configured for. Secondary zones are flat and don’t have a lot of data in them, but primary zones contain all the information in the Server app and the serveradmin outputs. To see the contents of the test zone we created, view the /Library/Server/named/db.krypted.xsan file (each file name is db. followed by the name of the zone):

cat /var/named/db.krypted.xsan
See http://krypted.com/mac-os-x-server/os-x-server-forcing-dns-propagation for information on forcing DNS propagation if you are having issues with zone transfers. Finally, you can manage all records within the DNS service using the /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig command line tool. I’ve written a separate article on managing DNS using this tool.
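Once you are reading zone files directly, it is worth checking them the way a resolver will see them. The following is an added example, not from the original post and not Apple’s dnsconfig: a small parser for a BIND zone file like the db.krypted.xsan file above, plus a check that MX and NS targets inside the zone are address records rather than CNAMEs (RFC 2181 section 10.3) or missing entirely. ZONE is a constructed sample of the krypted.xsan zone built earlier in this post, with a deliberately wrong mail CNAME so that the audit has something to report.

```python
"""Added example, not from the original post and not Apple's dnsconfig: parse a
BIND zone file like db.krypted.xsan, then check that MX and NS targets inside
the zone are address records, not CNAMEs (RFC 2181 section 10.3) or missing.
ZONE is a constructed sample of the krypted.xsan zone built in this post, with
a deliberately wrong 'mail' CNAME so that the audit has something to report."""

ZONE = """
$TTL 300
$ORIGIN krypted.xsan.
@         IN  SOA   starbuck.krypted.xsan. admin.krypted.xsan. (
                    2017092601  ; serial
                    3600        ; refresh
                    900         ; retry
                    604800      ; expire
                    300 )       ; minimum
@         IN  NS    starbuck.krypted.xsan.
@         IN  NS    apollo.krypted.xsan.
starbuck  IN  A     10.0.0.2
apollo    IN  A     10.0.0.3
mail      IN  CNAME starbuck
@         IN  MX 10 mail
"""

TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "SOA", "PTR", "TXT", "SRV"}


def _logical_lines(text):
    """One record per string: ';' comments removed, '( ... )' groups joined. The
    first line's leading whitespace is kept: it means 'same owner as before'."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0
            if joined.strip():
                yield joined


def qualify(name, origin):
    """Make an owner or target fully qualified ('@' is the zone apex)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=None):
    records, last_owner, default_ttl = [], None, None
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        owner = last_owner if line[0].isspace() else qualify(tokens.pop(0), origin)
        ttl, cls = default_ttl, "IN"
        while tokens and tokens[0].upper() not in TYPES:   # optional TTL and class
            tok = tokens.pop(0)
            if tok.isdigit():
                ttl = int(tok)
            elif tok.upper() in ("IN", "CH", "HS"):
                cls = tok.upper()
            else:
                raise ValueError(f"unexpected token {tok!r} in {line.strip()!r}")
        rtype = tokens.pop(0).upper()
        if rtype == "MX":
            rdata = (int(tokens[0]), qualify(tokens[1], origin))
        elif rtype in ("CNAME", "NS", "PTR"):
            rdata = qualify(tokens[0], origin)
        else:
            rdata = tokens[0] if rtype in ("A", "AAAA") else " ".join(tokens)
        records.append({"name": owner, "ttl": ttl, "class": cls, "type": rtype, "rdata": rdata})
        last_owner = owner
    return records


def audit(records):
    """Findings for MX/NS targets inside the zone that are CNAMEs or lack A/AAAA."""
    types_at = {}
    for r in records:
        types_at.setdefault(r["name"], set()).add(r["type"])
    origin = next(r["name"] for r in records if r["type"] == "SOA")
    findings = []
    for r in records:
        if r["type"] not in ("MX", "NS"):
            continue
        target = r["rdata"][1] if r["type"] == "MX" else r["rdata"]
        if target != origin and not target.endswith("." + origin):
            continue                                  # out of zone: cannot check here
        types = types_at.get(target, set())
        if "CNAME" in types:
            findings.append(f"{r['type']} at {r['name']} points at {target}, which is a CNAME")
        elif not types & {"A", "AAAA"}:
            findings.append(f"{r['type']} at {r['name']} points at {target}, which has no address record")
    return findings
```

Run audit(parse_zone(open("/var/named/db.krypted.xsan").read())) against a real file; targets outside the zone are skipped because the file cannot tell you anything about them, so check those with dig.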


September 26th, 2017

Posted In: Mac OS X, Mac OS X Server, Uncategorized


Web Services in macOS Server, Linux and most versions of Unix are provided by Apache, an Open Source project that much of the Internet owes its origins to. Apache’s name is often explained as a pun on its early life as “a patchy” server. These patches are often mods, or modules. Configuring web services is as easy in macOS Server 5.2, running on Sierra (10.12), as it has ever been. To set up the default web portal, simply open the Server app, click on the Websites service and click on the ON button.

After a time, the service will start. Once running, click on the View Server Website link at the bottom of the pane.

Provided the stock macOS Server page loads, you are ready to use macOS Server as a web server.

Before we set up custom sites, there are a few things you should know. The first is that the server is no longer really designed to have the default website removed. If you remove the site, your server will exhibit inconsistent behavior. Also, don’t remove the files that comprise the default site. Instead, just add sites, which is covered next. Webmail is gone. You don’t have to spend a ton of time looking for it, as it isn’t there. Also, Mountain Lion Server added web apps, which we’ll briefly review later in this article, as those continue in Mavericks Server, Yosemite Server, El Capitan Server and ultimately macOS Server 5.2 for Sierra. Finally, enabling PHP and Python on sites is done globally, so this setting applies to all sites hosted on the server.

Now that we’ve got that out of the way, let’s add our first custom site. Do so by clicking on the plus sign. At the New Web Site pane, you’ll be prompted for a number of options.
The most important is the name of the site, with other options including the following:

The Advanced Options include the following:

Once you’ve configured all the appropriate options, click on Done to save your changes. The site should then load. Sites are then listed in the list of Websites. The Apache service is most easily managed from the Server app, but there are too many options in Apache to really be able to put into a holistic graphical interface. The easiest way to manage the Websites service from the command line is the serveradmin command. Apache administrators from other platforms will be tempted to use the apachectl command to restart the Websites service. Instead, use the serveradmin command to do so. To start the service:

sudo serveradmin start web

To stop the service(s):

sudo serveradmin stop web

And to see the status:

sudo serveradmin fullstatus web

Fullstatus returns the following information:
web:health = _empty_dictionary
web:readWriteSettingsVersion = 1
web:apacheVersion = "2.2"
web:servicePortsRestrictionInfo = _empty_array
web:startedTime = "2016-09-26 02:38:57 +0000"
web:apacheState = "RUNNING"
web:statusMessage = ""
web:ApacheMode = 2
web:servicePortsAreRestricted = "NO"
web:state = "RUNNING"
web:setStateVersion = 1
While the health option typically resembles kiosk computers in the Computer Science departments of most major universities, much of the rest of the output can be pretty helpful, including the Apache version, whether the service is running, any restrictions on ports and the date/time stamp that the service was started. To see all of the settings available to the serveradmin command, run it, followed by settings and then web, to indicate the Websites service:

sudo serveradmin settings web

The output is pretty verbose and can be considered in two sections. The first includes global settings across sites as well as the information for the default site that should not be deleted:
web:defaultSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSite:serverName = ""
web:defaultSite:realms = _empty_dictionary
web:defaultSite:redirects = _empty_array
web:defaultSite:enableServerSideIncludes = no
web:defaultSite:networkAccesses = _empty_array
web:defaultSite:customLogPath = "/var/log/apache2/access_log"
web:defaultSite:webApps = _empty_array
web:defaultSite:sslCertificateIdentifier = ""
web:defaultSite:fullSiteRedirectToOtherSite = "https://%{SERVER_NAME}"
web:defaultSite:allowFolderListing = no
web:defaultSite:serverAliases = _empty_array
web:defaultSite:errorLogPath = "/var/log/apache2/error_log"
web:defaultSite:fileName = "/Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34580_.conf"
web:defaultSite:aliases = _empty_array
web:defaultSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSite:directoryIndexes:_array_index:2 = "default.html"
web:defaultSite:allowAllOverrides = no
web:defaultSite:identifier = "67127006"
web:defaultSite:port = 34580
web:defaultSite:allowCGIExecution = no
web:defaultSite:serverAddress = "127.0.0.1"
web:defaultSite:requiresSSL = no
web:defaultSite:proxies = _empty_dictionary
web:defaultSite:errorDocuments = _empty_dictionary
The second section is per-site settings, with an array entry for each site:
web:customSites:_array_index:0:documentRoot = "/Library/Server/Web/Data/Sites/blog.krypted.com"
web:customSites:_array_index:0:serverName = "blog.krypted.com"
web:customSites:_array_index:0:realms = _empty_dictionary
web:customSites:_array_index:0:redirects = _empty_array
web:customSites:_array_index:0:enableServerSideIncludes = no
web:customSites:_array_index:0:networkAccesses = _empty_array
web:customSites:_array_index:0:customLogPath = "/var/log/apache2/access_log"
web:customSites:_array_index:0:webApps = _empty_array
web:customSites:_array_index:0:sslCertificateIdentifier = ""
web:customSites:_array_index:0:fullSiteRedirectToOtherSite = ""
web:customSites:_array_index:0:allowFolderListing = no
web:customSites:_array_index:0:serverAliases = _empty_array
web:customSites:_array_index:0:errorLogPath = "/var/log/apache2/error_log"
web:customSites:_array_index:0:fileName = "/Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34580_blog.krypted.com.conf"
web:customSites:_array_index:0:aliases = _empty_array
web:customSites:_array_index:0:directoryIndexes:_array_index:0 = "index.html"
web:customSites:_array_index:0:directoryIndexes:_array_index:1 = "index.php"
web:customSites:_array_index:0:directoryIndexes:_array_index:2 = "default.html"
web:customSites:_array_index:0:allowAllOverrides = no
web:customSites:_array_index:0:identifier = "67127002"
web:customSites:_array_index:0:port = 34580
web:customSites:_array_index:0:allowCGIExecution = no
web:customSites:_array_index:0:serverAddress = "127.0.0.1"
web:customSites:_array_index:0:requiresSSL = no
web:customSites:_array_index:0:proxies = _empty_dictionary
web:customSites:_array_index:0:errorDocuments = _empty_dictionary
web:dataLocation = "/Library/Server/Web/Data"
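The key = value lines above are easy to grep, but the colon-separated paths and _array_index markers describe a nested structure, and the per-site flags (allowFolderListing, allowCGIExecution, allowAllOverrides, requiresSSL) are the ones worth reviewing on every host. The following is an added example, not from the original post and not part of serveradmin, that parses that output into nested dicts and lists and audits each site. SAMPLE is constructed from the output shown above, shortened, with the blog site’s allowFolderListing flipped to yes so the audit has something to flag.

```python
"""Added example, not from the original post and not part of serveradmin: parse
`serveradmin settings web` output into nested dicts and lists, then audit each
site for settings a reviewer would question. SAMPLE is constructed from the
output shown in the post (shortened; the blog site's allowFolderListing is
flipped to yes so the audit has something to flag)."""
import re

SAMPLE = """\
web:defaultSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSite:serverName = ""
web:defaultSite:realms = _empty_dictionary
web:defaultSite:allowFolderListing = no
web:defaultSite:allowAllOverrides = no
web:defaultSite:allowCGIExecution = no
web:defaultSite:requiresSSL = no
web:defaultSite:fullSiteRedirectToOtherSite = "https://%{SERVER_NAME}"
web:defaultSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSite:port = 34580
web:customSites:_array_index:0:serverName = "blog.krypted.com"
web:customSites:_array_index:0:allowFolderListing = yes
web:customSites:_array_index:0:requiresSSL = no
web:customSites:_array_index:0:fullSiteRedirectToOtherSite = ""
web:dataLocation = "/Library/Server/Web/Data"
"""

LINE = re.compile(r"^(?P<path>\S+)\s*=\s*(?P<value>.*)$")


def parse_value(text):
    """serveradmin scalars: _empty_* markers, yes/no, integers, quoted strings."""
    text = text.strip()
    if text in ("_empty_array", "_empty_dictionary"):
        return [] if text == "_empty_array" else {}
    if text in ("yes", "no"):
        return text == "yes"
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    return int(text) if text.lstrip("-").isdigit() else text


def _steps(path):
    """'web:customSites:_array_index:0:port' -> ['web', 'customSites', 0, 'port']"""
    tokens, steps, i = path.split(":"), [], 0
    while i < len(tokens):
        if tokens[i] == "_array_index":
            steps.append(int(tokens[i + 1]))
            i += 2
        else:
            steps.append(tokens[i])
            i += 1
    return steps


def _assign(node, steps, value):
    """Walk the path, creating a dict or list as the next step requires, and set the leaf."""
    for j, step in enumerate(steps):
        if isinstance(step, int):
            while len(node) <= step:
                node.append(None)
        if j == len(steps) - 1:
            node[step] = value
            return
        missing = node[step] is None if isinstance(step, int) else step not in node
        if missing:
            node[step] = [] if isinstance(steps[j + 1], int) else {}
        node = node[step]


def parse_settings(text):
    root = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            _assign(root, _steps(m.group("path")), parse_value(m.group("value")))
    return root


RISKY = (
    ("allowFolderListing", "directory listings reveal every file under the document root"),
    ("allowCGIExecution", "CGI execution turns a writable upload directory into code execution"),
    ("allowAllOverrides", ".htaccess files can override the server's own security settings"),
)


def audit_sites(settings):
    """Per-site findings: risky flags set to yes, and plaintext sites with no https redirect."""
    web = settings["web"]
    sites = [("defaultSite", web["defaultSite"])]
    sites += [(s.get("serverName") or f"customSites[{i}]", s)
              for i, s in enumerate(web.get("customSites", []))]
    findings = []
    for label, site in sites:
        for key, why in RISKY:
            if site.get(key):
                findings.append(f"{label}: {key} is yes ({why})")
        redirect = str(site.get("fullSiteRedirectToOtherSite") or "")
        if not site.get("requiresSSL") and not redirect.startswith("https://"):
            findings.append(f"{label}: served without TLS and no redirect to https")
    return findings
```

To run it against a live host, feed audit_sites(parse_settings(...)) the stdout of sudo serveradmin settings web; the default site passes the TLS check only because it redirects to https://%{SERVER_NAME}, which is why the redirect field is consulted rather than requiresSSL alone.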
The next section (the largest by far) includes an array entry for each defined web app. The following shows all of the entries on this server, including the Hello World Python app (com.apple.webapp.wsgi) and an example custom app (com.example.mywebapp):
web:definedWebApps:_array_index:0:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:0:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_ACSServer.conf"
web:definedWebApps:_array_index:0:requiredModuleNames:_array_index:0 = "mod_rewrite.so"
web:definedWebApps:_array_index:0:startCommand = ""
web:definedWebApps:_array_index:0:sslPolicy = 1
web:definedWebApps:_array_index:0:requiresSSL = no
web:definedWebApps:_array_index:0:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:0:launchKeys:_array_index:0 = "com.apple.AccountsConfigService"
web:definedWebApps:_array_index:0:proxies:/AccountsConfigService/api/:path = "/AccountsConfigService/api/"
web:definedWebApps:_array_index:0:proxies:/AccountsConfigService/api/:urls:_array_index:0 = "http://localhost:31415/AccountsConfigService/api"
web:definedWebApps:_array_index:0:preflightCommand = ""
web:definedWebApps:_array_index:0:stopCommand = ""
web:definedWebApps:_array_index:0:name = "com.apple.webapp.ACSServer"
web:definedWebApps:_array_index:0:displayName = ""
web:definedWebApps:_array_index:1:requiredWebAppNames:_array_index:0 = "com.apple.webapp.collabd"
web:definedWebApps:_array_index:1:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_webauth.conf"
web:definedWebApps:_array_index:1:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:1:requiredModuleNames:_array_index:1 = "headers_module"
web:definedWebApps:_array_index:1:startCommand = ""
web:definedWebApps:_array_index:1:sslPolicy = 4
web:definedWebApps:_array_index:1:requiresSSL = no
web:definedWebApps:_array_index:1:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:1:launchKeys = _empty_array
web:definedWebApps:_array_index:1:proxies:/auth:path = "/auth"
web:definedWebApps:_array_index:1:proxies:/auth:urls:_array_index:0 = "http://localhost:4444/auth"
web:definedWebApps:_array_index:1:preflightCommand = ""
web:definedWebApps:_array_index:1:stopCommand = ""
web:definedWebApps:_array_index:1:name = "com.apple.webapp.auth"
web:definedWebApps:_array_index:1:displayName = ""
web:definedWebApps:_array_index:2:requiredWebAppNames:_array_index:0 = "com.apple.webapp.auth"
web:definedWebApps:_array_index:2:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_webcalssl.conf"
web:definedWebApps:_array_index:2:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:2:requiredModuleNames:_array_index:1 = "headers_module"
web:definedWebApps:_array_index:2:startCommand = ""
web:definedWebApps:_array_index:2:sslPolicy = 1
web:definedWebApps:_array_index:2:requiresSSL = no
web:definedWebApps:_array_index:2:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:2:launchKeys = _empty_array
web:definedWebApps:_array_index:2:proxies = _empty_dictionary
web:definedWebApps:_array_index:2:preflightCommand = ""
web:definedWebApps:_array_index:2:stopCommand = ""
web:definedWebApps:_array_index:2:name = "com.apple.webapp.calendar"
web:definedWebApps:_array_index:2:displayName = ""
web:definedWebApps:_array_index:3:requiredWebAppNames:_array_index:0 = "com.apple.webapp.auth"
web:definedWebApps:_array_index:3:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_changepassword.conf"
web:definedWebApps:_array_index:3:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:3:requiredModuleNames:_array_index:1 = "headers_module"
web:definedWebApps:_array_index:3:startCommand = ""
web:definedWebApps:_array_index:3:sslPolicy = 4
web:definedWebApps:_array_index:3:requiresSSL = no
web:definedWebApps:_array_index:3:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:3:launchKeys = _empty_array
web:definedWebApps:_array_index:3:proxies:/changepassword:path = "/changepassword"
web:definedWebApps:_array_index:3:proxies:/changepassword:urls:_array_index:0 = "http://localhost:4444/changepassword"
web:definedWebApps:_array_index:3:preflightCommand = ""
web:definedWebApps:_array_index:3:stopCommand = ""
web:definedWebApps:_array_index:3:name = "com.apple.webapp.changepassword"
web:definedWebApps:_array_index:3:displayName = ""
web:definedWebApps:_array_index:4:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:4:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_shared.conf"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:1 = "xsendfile_module"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:2 = "headers_module"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:3 = "expires_module"
web:definedWebApps:_array_index:4:requiredModuleNames:_array_index:4 = "deflate_module"
web:definedWebApps:_array_index:4:startCommand = ""
web:definedWebApps:_array_index:4:sslPolicy = 0
web:definedWebApps:_array_index:4:requiresSSL = no
web:definedWebApps:_array_index:4:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:4:launchKeys:_array_index:0 = "com.apple.collabd.expire"
web:definedWebApps:_array_index:4:launchKeys:_array_index:1 = "com.apple.collabd.notifications"
web:definedWebApps:_array_index:4:proxies:/collabdproxy:path = "/collabdproxy"
web:definedWebApps:_array_index:4:proxies:/collabdproxy:urls:_array_index:0 = "http://localhost:4444/svc"
web:definedWebApps:_array_index:4:proxies:/__collabd/streams/activity:path = "/__collabd/streams/activity"
web:definedWebApps:_array_index:4:proxies:/__collabd/streams/activity:urls:_array_index:0 = "http://localhost:4444/streams/activity"
web:definedWebApps:_array_index:4:preflightCommand = ""
web:definedWebApps:_array_index:4:stopCommand = ""
web:definedWebApps:_array_index:4:name = "com.apple.webapp.collabd"
web:definedWebApps:_array_index:4:displayName = ""
web:definedWebApps:_array_index:5:requiredWebAppNames:_array_index:0 = "com.apple.webapp.auth"
web:definedWebApps:_array_index:5:includeFiles = _empty_array
web:definedWebApps:_array_index:5:requiredModuleNames = _empty_array
web:definedWebApps:_array_index:5:startCommand = ""
web:definedWebApps:_array_index:5:sslPolicy = 0
web:definedWebApps:_array_index:5:requiresSSL = no
web:definedWebApps:_array_index:5:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:5:launchKeys:_array_index:0 = "com.apple.DeviceManagement.dmrunnerd"
web:definedWebApps:_array_index:5:launchKeys:_array_index:1 = "com.apple.DeviceManagement.php-fpm"
web:definedWebApps:_array_index:5:proxies = _empty_dictionary
web:definedWebApps:_array_index:5:preflightCommand = ""
web:definedWebApps:_array_index:5:stopCommand = ""
web:definedWebApps:_array_index:5:name = "com.apple.webapp.devicemgr"
web:definedWebApps:_array_index:5:displayName = ""
web:definedWebApps:_array_index:6:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:6:includeFiles = _empty_array
web:definedWebApps:_array_index:6:requiredModuleNames:_array_index:0 = "php5_module"
web:definedWebApps:_array_index:6:startCommand = ""
web:definedWebApps:_array_index:6:sslPolicy = 0
web:definedWebApps:_array_index:6:requiresSSL = no
web:definedWebApps:_array_index:6:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:6:launchKeys = _empty_array
web:definedWebApps:_array_index:6:proxies = _empty_dictionary
web:definedWebApps:_array_index:6:preflightCommand = ""
web:definedWebApps:_array_index:6:stopCommand = ""
web:definedWebApps:_array_index:6:name = "com.apple.webapp.php"
web:definedWebApps:_array_index:6:displayName = ""
web:definedWebApps:_array_index:7:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:7:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_webdavsharing.conf"
web:definedWebApps:_array_index:7:requiredModuleNames:_array_index:0 = "rewrite_module"
web:definedWebApps:_array_index:7:requiredModuleNames:_array_index:1 = "bonjour_module"
web:definedWebApps:_array_index:7:startCommand = ""
web:definedWebApps:_array_index:7:sslPolicy = 0
web:definedWebApps:_array_index:7:requiresSSL = no
web:definedWebApps:_array_index:7:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:7:launchKeys = _empty_array
web:definedWebApps:_array_index:7:proxies = _empty_dictionary
web:definedWebApps:_array_index:7:preflightCommand = ""
web:definedWebApps:_array_index:7:stopCommand = ""
web:definedWebApps:_array_index:7:name = "com.apple.webapp.webdavsharing"
web:definedWebApps:_array_index:7:displayName = ""
web:definedWebApps:_array_index:8:requiredWebAppNames:_array_index:0 = "com.apple.webapp.collabd"
web:definedWebApps:_array_index:8:requiredWebAppNames:_array_index:1 = "com.apple.webapp.auth"
web:definedWebApps:_array_index:8:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_corecollaboration_wiki.conf"
web:definedWebApps:_array_index:8:requiredModuleNames:_array_index:0 = "proxy_module"
web:definedWebApps:_array_index:8:requiredModuleNames:_array_index:1 = "headers_module"
web:definedWebApps:_array_index:8:startCommand = ""
web:definedWebApps:_array_index:8:sslPolicy = 0
web:definedWebApps:_array_index:8:requiresSSL = no
web:definedWebApps:_array_index:8:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:8:launchKeys:_array_index:0 = "com.apple.collabd.preview"
web:definedWebApps:_array_index:8:launchKeys:_array_index:1 = "com.apple.collabd.quicklook"
web:definedWebApps:_array_index:8:proxies:/__collabd/preview:path = "/__collabd/preview"
web:definedWebApps:_array_index:8:proxies:/__collabd/preview:urls:_array_index:0 = "http://localhost:4444/preview"
web:definedWebApps:_array_index:8:proxies:/wiki/files/upload:path = "/wiki/files/upload"
web:definedWebApps:_array_index:8:proxies:/wiki/files/upload:urls:_array_index:0 = "http://localhost:4444/upload_file"
web:definedWebApps:_array_index:8:proxies:/wiki/files/download:path = "/wiki/files/download"
web:definedWebApps:_array_index:8:proxies:/wiki/files/download:urls:_array_index:0 = "http://localhost:4444/files"
web:definedWebApps:_array_index:8:proxies:/wiki/ipad:path = "/wiki/ipad"
web:definedWebApps:_array_index:8:proxies:/wiki/ipad:urls = _empty_array
web:definedWebApps:_array_index:8:proxies:/wiki:path = "/wiki"
web:definedWebApps:_array_index:8:proxies:/wiki:urls:_array_index:0 = "http://localhost:4444/app-context/wiki"
web:definedWebApps:_array_index:8:preflightCommand = ""
web:definedWebApps:_array_index:8:stopCommand = ""
web:definedWebApps:_array_index:8:name = "com.apple.webapp.wiki"
web:definedWebApps:_array_index:8:displayName = ""
web:definedWebApps:_array_index:9:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:9:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_wsgi.conf"
web:definedWebApps:_array_index:9:requiredModuleNames:_array_index:0 = "wsgi_module"
web:definedWebApps:_array_index:9:startCommand = ""
web:definedWebApps:_array_index:9:sslPolicy = 0
web:definedWebApps:_array_index:9:requiresSSL = no
web:definedWebApps:_array_index:9:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:9:launchKeys = _empty_array
web:definedWebApps:_array_index:9:proxies = _empty_dictionary
web:definedWebApps:_array_index:9:preflightCommand = ""
web:definedWebApps:_array_index:9:stopCommand = ""
web:definedWebApps:_array_index:9:name = "com.apple.webapp.wsgi"
web:definedWebApps:_array_index:9:displayName = "Python \"Hello World\" app at /wsgi"
web:definedWebApps:_array_index:10:requiredWebAppNames = _empty_array
web:definedWebApps:_array_index:10:includeFiles:_array_index:0 = "/Library/Developer/XcodeServer/CurrentXcodeSymlink/Contents/Developer/usr/share/xcs/httpd_xcs.conf"
web:definedWebApps:_array_index:10:requiredModuleNames = _empty_array
web:definedWebApps:_array_index:10:startCommand = ""
web:definedWebApps:_array_index:10:sslPolicy = 4
web:definedWebApps:_array_index:10:requiresSSL = no
web:definedWebApps:_array_index:10:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:10:launchKeys = _empty_array
web:definedWebApps:_array_index:10:proxies = _empty_dictionary
web:definedWebApps:_array_index:10:preflightCommand = ""
web:definedWebApps:_array_index:10:stopCommand = ""
web:definedWebApps:_array_index:10:name = "com.apple.webapp.xcode"
web:definedWebApps:_array_index:10:displayName = ""
web:definedWebApps:_array_index:11:requiredWebAppNames:_array_index:0 = "com.example.webapp.myotherwebapp"
web:definedWebApps:_array_index:11:includeFiles:_array_index:0 = "/Library/Server/Web/Config/apache2/httpd_myinclude.conf"
web:definedWebApps:_array_index:11:requiredModuleNames:_array_index:0 = "mystuff_module"
web:definedWebApps:_array_index:11:startCommand = "/usr/local/bin/startmywebapp"
web:definedWebApps:_array_index:11:sslPolicy = 0
web:definedWebApps:_array_index:11:requiresSSL = no
web:definedWebApps:_array_index:11:requiredByWebAppNames = _empty_array
web:definedWebApps:_array_index:11:launchKeys:_array_index:0 = "com.example.mywebapp"
web:definedWebApps:_array_index:11:proxies:/mywebapp:path = "/mywebapp"
web:definedWebApps:_array_index:11:proxies:/mywebapp:urls:_array_index:0 = "http://localhost:3000"
web:definedWebApps:_array_index:11:proxies:/mywebapp:urls:_array_index:1 = "http://localhost:3001"
web:definedWebApps:_array_index:11:preflightCommand = "/usr/local/bin/preflightmywebapp"
web:definedWebApps:_array_index:11:stopCommand = "/usr/local/bin/stopmywebapp"
web:definedWebApps:_array_index:11:name = "com.example.mywebapp"
web:definedWebApps:_array_index:11:displayName = "MyWebApp"
The final section defines the settings used for the default SSL site, as well as a couple of host-based settings:
web:defaultSecureSite:documentRoot = "/Library/Server/Web/Data/Sites/Default"
web:defaultSecureSite:serverName = ""
web:defaultSecureSite:realms = _empty_dictionary
web:defaultSecureSite:redirects = _empty_array
web:defaultSecureSite:enableServerSideIncludes = no
web:defaultSecureSite:networkAccesses = _empty_array
web:defaultSecureSite:customLogPath = "\"/var/log/apache2/access_log\""
web:defaultSecureSite:webApps = _empty_array
web:defaultSecureSite:sslCertificateIdentifier = "odr.krypted.com.32A9706448BDB45B120A91470FA866A5C61BD342"
web:defaultSecureSite:fullSiteRedirectToOtherSite = ""
web:defaultSecureSite:allowFolderListing = no
web:defaultSecureSite:serverAliases = _empty_array
web:defaultSecureSite:errorLogPath = "\"/var/log/apache2/error_log\""
web:defaultSecureSite:fileName = "/Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34543_.conf"
web:defaultSecureSite:aliases = _empty_array
web:defaultSecureSite:directoryIndexes:_array_index:0 = "index.html"
web:defaultSecureSite:directoryIndexes:_array_index:1 = "index.php"
web:defaultSecureSite:directoryIndexes:_array_index:2 = "default.html"
web:defaultSecureSite:allowAllOverrides = no
web:defaultSecureSite:identifier = "67127004"
web:defaultSecureSite:port = 34543
web:defaultSecureSite:allowCGIExecution = no
web:defaultSecureSite:serverAddress = "127.0.0.1"
web:defaultSecureSite:requiresSSL = yes
web:defaultSecureSite:proxies = _empty_dictionary
web:defaultSecureSite:errorDocuments = _empty_dictionary
web:mainHost:keepAliveTimeout = 15.000000
web:mainHost:maxClients = "256"
Each site has its own configuration file defined in the array for each section. By default these are stored in the /Library/Server/Web/Config/apache2/sites directory, with /Library/Server/Web/Config/apache2/sites/0000_any_80_blog.krypted.com.conf being the file for the custom site we created previously. As you can see, many of the options available in the Server app are also available in these files:
ServerName www2.krypted.com
ServerAdmin admin@example.com
DocumentRoot "/Library/Server/Web/Data/Sites/blog.krypted.com"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log
SSLEngine Off
SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SSLProtocol -ALL +SSLv3 +TLSv1
SSLProxyEngine On
SSLProxyProtocol -ALL +SSLv3 +TLSv1
Options All -Indexes -ExecCGI -Includes +MultiViews
AllowOverride None
DAV Off
Deny from all
ErrorDocument 403 /customerror/websitesoff403.html

Note that this stock site file still permits SSLv3 (SSLProtocol -ALL +SSLv3 +TLSv1) and lists the RC4 cipher family in SSLCipherSuite, so the SSL directives are worth reviewing when you harden a site that has SSL turned on.
The serveradmin command can also be used to run commands. For example, to reset the service to factory defaults, delete the configuration files for each site and then run the following command:

sudo serveradmin command web:command=restoreFactorySettings

The final tip I'm going to give in this article is when to make changes with each tool. I strongly recommend making all of your changes in the Server app when possible. When that isn't possible, use serveradmin, and only when you can't make the change in serveradmin should you alter the configuration files that come with the operating system by default. For example, in this article I look at overriding some ports for some virtual sites that might conflict with other sites on your systems. I also recommend keeping backups of all configuration files that are altered and a log of what was altered in each, in order to help piece the server back together should it become unconfigured miraculously the next time a softwareupdate -all is run.

October 18th, 2016

Posted In: Mac OS X Server


SSH allows administrators to connect to another computer using a secure shell, or command line environment. ARD (Apple Remote Desktop) allows screen sharing, remote scripts and other administrative goodness. You can also connect to a server using the Server app running on a client computer. To enable any or all of these, open the Server app (Server 5.2 for Sierra), click on the name of the server, click the Settings tab and then click on the checkbox for what you'd like to enable.

All of these can be enabled and managed from the command line as well. The traditional way to enable Apple Remote Desktop is using the kickstart command. But there's a simpler way in macOS Server 5.2 on Sierra: the serveradmin command. To enable ARD using serveradmin, use the settings option and set info:enableARD to yes:

sudo serveradmin settings info:enableARD = yes

Once run, open System Preferences and click on Sharing. The Remote Management box is then checked and the local administrative user has access to ARD into the host.

There are also a few other commands that can be used to control settings. To enable SSH for administrators:

sudo serveradmin settings info:enableSSH = yes

When you enable SSH from the serveradmin command you will not see any additional checkboxes in the Sharing System Preferences; however, you will see the box checked in the Server app. To enable SNMP:

sudo serveradmin settings info:enableSNMP = yes

Once SNMP is enabled, use the /usr/bin/snmpconf interactive command line environment to configure SNMP so you can manage traps and the other objects you need. Note: you can't have snmpd running while you configure SNMPv3. Once SNMPv3 is configured, snmpd can be run.

To allow other computers to use the Server app to connect to the server, use the info:enableRemoteAdministration key from serveradmin:

sudo serveradmin settings info:enableRemoteAdministration = yes

To enable the dedication of resources to Server apps (aka Server Performance Mode):

sudo serveradmin settings info:enableServerPerformanceMode = yes

September 16th, 2016

Posted In: Mac OS X Server, Mac Security


Any time I need to get a bunch of cruft out of Software Update Server on OS X Server, I just reset it real quick. To do so, simply remove /Library/Server/Software Update. But first, it's important to stop the service; once the directory is removed, set the port back up (which isn't done automatically), and then start the service (swupdate). As this has become somewhat routine, I made a micro-script of it here.

April 14th, 2016

Posted In: Mac OS X, Mac OS X Server, Mass Deployment


I've written a couple of articles about the Caching service in OS X Server 5 for El Capitan. As of OS X Server 5, the Caching service now caches local copies of iCloud content on the computer running the Caching service. This allows you to cache content once and then have it accessed by multiple devices faster. I'm torn on this option. On the one hand, I love the fact that I can cache things, and on the other hand I find it frightening that a random user can cache things I might not want them to cache on behalf of another user. I know, I know, they're encrypted with a device key. But when you have data on disk, it can always be decrypted. I almost feel like there should be a plist on machines that whitelists allowed caching servers. Maybe I should make a feature request on that. Either way, as it stands now, I might be disabling this option in larger offices. To do so, I can write an AllowPersonalCaching key into the Config.plist file at /Library/Server/Caching/Config/. The most graceful way to do this is using the serveradmin command, followed by the settings verb and then the caching:AllowPersonalCaching option, setting that equal to no, as follows:

sudo serveradmin settings caching:AllowPersonalCaching = no

To turn it back on:

sudo serveradmin settings caching:AllowPersonalCaching = yes

This can also be done by dropping a Config.plist file into the correct location for new server installations. I'll have an article out shortly on doing so, as you'd want to normalize a few options in the file before deploying en masse (e.g. if you have a large contingent of Caching servers to manage).

October 16th, 2015

Posted In: Mac OS X Server


Configuring Calendar Server in OS X Server 5 (running on El Capitan or Yosemite) is a fairly simple and straightforward process. The Calendar Server is a CalDAV server, leveraging HTTP and HTTPS, running on ports 8008 and 8443 respectively. To enable the Calendar service in OS X Server (Server 5), open the Server application and click on Calendar in the SERVICES section of the sidebar.

Once open, click on Enable invitations by email to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button.

At the Configure Server Email Address screen, provide the type of incoming mail service in use, the address of the mail server and the port number used (if not a standard port for HTTPS-based IMAP, or POP if you'd prefer), the user name and the valid password for the account. Then click on the Next button.

At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be if possible), the password protocol, the user name and the password. Then click on the Next button.

At the Mail Account Summary screen, review the settings and if correct, click Finish. Back at the service configuration screen, click on the plus sign ("+") and provide a type of location, an address, a delegate, a name for the location, whether or not invitations to the resource are accepted, and then enter the account name for any accounts that can manage the location's calendar (they will auto-complete, so there's no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in Type to configure a resource instead of a location. The two are the same, except for the Type field.

There are a number of settings that can also be configured, but those are exposed only at the command line. To configure them, open the command line and then review the list of Calendar service settings using the settings verb of the serveradmin command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar

There are a number of settings for the Calendar service, including the following:

calendar:DefaultLogLevel = "info"
calendar:EnableAPNS = yes
calendar:EnableSSL = yes
calendar:DirectoryAddressBook:params:queryUserRecords = yes
calendar:DirectoryAddressBook:params:queryPeopleRecords = yes
calendar:EnableSearchAddressBook = yes
calendar:HTTPPort = 80
calendar:AccountingCategories:HTTP = no
calendar:AccountingCategories:Implicit Errors = no
calendar:AccountingCategories:iTIP = no
calendar:AccountingCategories:migration = no
calendar:AccountingCategories:AutoScheduling = no
calendar:AccountingCategories:iSchedule = no
calendar:AccountingCategories:iTIP-VFREEBUSY = no
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:Enabled = yes
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Wiki:Enabled = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:EnableCardDAV = no
calendar:Scheduling:iMIP:Sending:UseSSL = yes
calendar:Scheduling:iMIP:Sending:Server = "osxserver.krypted.com"
calendar:Scheduling:iMIP:Sending:Address = "com.apple.calendarserver@osxserver.krypted.com"
calendar:Scheduling:iMIP:Sending:Username = "com.apple.calendarserver"
calendar:Scheduling:iMIP:Sending:Password = "79PreYsZSFfZZC6v"
calendar:Scheduling:iMIP:Sending:Port = 587
calendar:Scheduling:iMIP:Enabled = yes
calendar:Scheduling:iMIP:Receiving:UseSSL = yes
calendar:Scheduling:iMIP:Receiving:Server = "osxserver.krypted.com"
calendar:Scheduling:iMIP:Receiving:Type = "imap"
calendar:Scheduling:iMIP:Receiving:Username = "com.apple.calendarserver"
calendar:Scheduling:iMIP:Receiving:Password = "79PreYsZSFfZZC6v"
calendar:Scheduling:iMIP:Receiving:Port = 993
calendar:SSLPrivateKey = ""
calendar:LogLevels = _empty_dictionary
calendar:DataRoot = "/Library/Server/Calendar and Contacts/Data"
calendar:ServerRoot = "/Library/Server/Calendar and Contacts"
calendar:SSLCertificate = ""
calendar:EnableCalDAV = no
calendar:Notifications:Services:APNS:Enabled = yes
calendar:SSLPort = 443
calendar:RedirectHTTPToHTTPS = yes
calendar:SSLAuthorityChain = ""
calendar:ServerHostName = "osxserver.krypted.com"

Note that serveradmin prints the iMIP mail account's password in the clear, so treat saved copies of this output as sensitive.

One of the more common settings to configure is the port number that CalDAV runs on. To configure HTTP:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar:HTTPPort = 8008

For HTTPS:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar:SSLPort = 8443

You can then start the service using the start option:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start calendar

Or to stop it:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop calendar

Or to get the status:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin fullstatus calendar

Full status indicates that the three services are running:

calendar:readWriteSettingsVersion = 1
calendar:setStateVersion = 1
calendar:state = "RUNNING"
calendar:contactsState = "RUNNING"
calendar:calendarState = "RUNNING"

Once the Calendar server is configured, use the Calendar application to communicate with the server. Open the Calendar application, click on the Calendar menu and select Add Account. From the Add Account screen, click the Add CalDAV Account radio button and click Continue. Select CalDAV from the Account Type menu, enter the User Name and password configured on the server, and add the address of the server if you don't have any service records pointing to the server. The User Name is usually the name provided in Server app, followed by @ and then the address of the server.

Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account and then, to share a calendar, right-click on the calendar and click on Share Calendar…

At the Share Calendar screen, provide the name the calendar should appear as to others and anyone with whom you'd like to share your calendar.

Back at the Calendar Settings screen, use the settings to configure Availability and the refresh rate of calendars, as seen above. Click on Server Settings to assign custom port numbers.

Click on the Delegation tab to view any accounts you've been given access to.

Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions. Overall, the Calendar service in El Capitan Server is one of the easiest to configure. Most of the work goes into settings configured on client systems. This, as with Exchange, decentralizes administration, often making administration more complicated than with many other tools. But that's a good thing; no one wants to access other people's accounts, for calendars or mail for that matter, without those users knowing that it was done, as will happen when resetting passwords…

October 1st, 2015

Posted In: Mac OS X Server


OS X has an application called Contacts. OS X Server 5, running on Yosemite or El Capitan, has a service called Contacts. While the names might imply very different things that they do, you’ll be super-surprised that the two are designed to work with one another. The Contacts service is based on CardDAV, a protocol for storing contact information on the web, retrievable and digestible by client computers. However, there is a layer of Postgres-based obfuscation between the Contacts service and CardDAV. The Contacts service is also a conduit with which to read information from LDAP and display that information in the Contacts client, which is in a way similar to how the Global Address List (GAL) works in Microsoft Exchange. I know I’ve said this about other services in OS X Server, but the Contacts service couldn’t be easier to configure. First, you should be running Open Directory and you should also have configured Apple Push Notifications. To setup Push Notifications, have an Apple ID handy and click on the Contacts entry in the SERVICES section of Server app. Screen Shot 2015-09-10 at 8.13.53 AM Click the Edit Notifications button to configure the Apple Push Notification settings for the computer. When prompted, click on Enable Push Notifications. Screen Shot 2015-09-10 at 8.15.49 AM If prompted, provide the username and password for the Apple ID and then click on Finish. To enable the Contacts service, open the Server app and then click on Contacts in the SERVICES section of the List Pane. From here, use the “Include directory contacts in search” checkbox to publish LDAP contacts through the service, or leave this option unchecked and click on the ON button to enable the service. Screen Shot 2015-09-10 at 8.19.12 AM The Contacts service then starts and once complete, a green light appears beside the Contacts entry in the List Pane. 
To configure a client open the Contacts application on a client computer and use the Preferences entry in the Contacts menu to bring up the Preferences screen. From here, click the Accounts menu and then click on Add Accounts. Screen Shot 2015-09-10 at 8.19.36 AM At the Add Account screen, scroll down and click Add Other Account… to bring up an expanded menu of account types. Screen Shot 2015-09-10 at 8.20.32 AM Click Add a CardDAV account. Screen Shot 2015-09-10 at 8.21.10 AM At the “Add a CardDAV Account” screen, enter the email address and password of the user. Auto discovery doesn’t always work, so you might end up using the manual button to add the account using the server’s address. Alternatively, if you’ve mapped CardDAV to custom ports, you may use the advanced option to have paths and ports available. Screen Shot 2015-09-10 at 8.24.03 AM When the account is finished creating, you can click on the account again to see the settings used. Otherwise, close the Preferences/Accounts screen and then view the list of Contacts. Click on View and then Show Groups. This will show you the name of the servers that you’re connected to in the sidebar. There won’t be any contacts yet, so click on the plus sign to verify you have write access to the server. Screen Shot 2015-09-10 at 8.27.44 AM Next, let’s get access to the LDAP-based contacts. To do so, bring up the Add Account screen again and this time select LDAP Account from the Account Type field. Screen Shot 2015-09-10 at 8.29.02 AM Provide the name or IP address of the server and then the port that LDAP contacts are available over (the defaults, 389 and 636 with SSL are more than likely the settings that you’ll use. Then click on the Continue button. At the Account Settings screen, provide the name that will appear in the Contacts app for the account in the Description field and then enter the search base in the Search base field. To determine the search base, use the serveradmin command. 
The following command will output the search base:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings dirserv:LDAPSettings:LDAPSearchBase

Then set Authentication to simple and provide the username and password to access the server for the account you are configuring. The list then appears.

The default port for the Contacts service is 8443, as seen earlier in the configuration of the client. To customize the port, use the serveradmin command to set the addressbook SSLPort setting (the initial entry of the BindSSLPorts array), as follows:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:SSLPort = 8443

The default location for the files used by the Contacts service is the /Library/Server/Calendar and Contacts directory. To change that to a folder called /Volumes/Pegasys/CardDAV, use the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:ServerRoot = "/Volumes/Pegasys/CardDAV"

When changing the ServerRoot, you’ll likely need to change the DataRoot as well, which is usually the Data directory immediately underneath the ServerRoot.
To do so, run serveradmin and set the DataRoot entry under the addressbook settings:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:DataRoot = "/Volumes/Pegasys/CardDAV/Data"

The service is then stopped with the serveradmin command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop addressbook

And started with the serveradmin command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start addressbook

Whether the service is running, along with the paths to the logs, can be obtained using the fullstatus command with serveradmin:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin fullstatus addressbook

The output should be as follows:

addressbook:state = "RUNNING"
addressbook:setStateVersion = 1
addressbook:readWriteSettingsVersion = 1

If you’re easily amused, run the serveradmin settings for calendar and compare them to the serveradmin settings for addressbook:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar

By default, the Contacts server allows basic authentication. We’ll just turn that off real quick:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:Authentication:Basic:Enabled = no

And then let’s read the setting back from addressbook to confirm it took:

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings addressbook:Authentication:Basic:Enabled

September 28th, 2015

Posted In: Mac OS X Server


Mail is one of the hardest services to manage. Actually, mail is pretty simple in and of itself: there are protocols people use to access their mail (such as IMAP and POP), protocols used to communicate between mail servers and send mail (SMTP, SMTPS) and then there’s a database of mail and user information. In OS X Server 5 for El Capitan and Yosemite, all of these are represented by a single ON button, so it really couldn’t be easier. But then there’s the ecosystem and the evil spammers. As a systems administrator of a large number of mail servers, I firmly believe that there is a special kind of hell where only spam is served at every meal for spammers. Here, the evil spammers must also read every piece of spam ever sent for eternity. By the end (aka Ragnarok), they should have the chemically induced stamina of a 16-year-old with the latest Sports Illustrated Swimsuit issue, enough pills of other types to not be able to use that stamina, plenty of African princes looking to donate large sums of money if only they can be helped out of their country (which should cost about 100,000 compared to a 5,000,000 payout, not a bad ROI, right?!?!?), have their conflicting stamina situation at the top of the search engines and of course, have lost all of the money made from their African princes due to getting their credit card hijacked by about 9,000 phishing scams. All in all, a special kind of hell…

But back to the point of the article, setting up mail. The things that mail administrators need to focus on to keep that mail server flowing mail to and from everyone else in the world:

Once all of that is taken care of (I’ll add more as I think about it) then it’s time to enable the mail service in the Server app running on Yosemite. Actually, first let’s set up our SSL certificates. To do so, open the Server app and click on Certificates in the SERVER section of the sidebar.
Here, use the “Secure services using” drop-down list and click on Custom… for each protocol to select the appropriate certificate to be used for the service. Click OK when they’re all configured. Now let’s enable the mail service (or outsource mail). To do so, open the Server app and click on Mail in the SERVICES list in the sidebar. At the configuration screen is a sparse number of settings:

Once you’ve configured the settings for the Mail service, click on the ON slider to enable the service. At this point, you should be able to telnet into port 25 of the host to verify that SMTP is listening, preferably from another mail server:

telnet mail.krypted.com 25

You can also check that the mail services are running using the serveradmin command along with the fullstatus option for the mail service:

sudo serveradmin fullstatus mail

Which returns some pretty verbose information about the service, including state, connections, running protocols and the rest of the following:

mail:startedTime = ""
mail:setStateVersion = 1
mail:state = "STOPPED"
mail:protocolsArray:_array_index:0:status = "ON"
mail:protocolsArray:_array_index:0:kind = "INCOMING"
mail:protocolsArray:_array_index:0:protocol = "IMAP"
mail:protocolsArray:_array_index:0:state = "STOPPED"
mail:protocolsArray:_array_index:0:service = "MailAccess"
mail:protocolsArray:_array_index:0:error = ""
mail:protocolsArray:_array_index:1:status = "ON"
mail:protocolsArray:_array_index:1:kind = "INCOMING"
mail:protocolsArray:_array_index:1:protocol = "POP3"
mail:protocolsArray:_array_index:1:state = "STOPPED"
mail:protocolsArray:_array_index:1:service = "MailAccess"
mail:protocolsArray:_array_index:1:error = ""
mail:protocolsArray:_array_index:2:status = "ON"
mail:protocolsArray:_array_index:2:kind = "INCOMING"
mail:protocolsArray:_array_index:2:protocol = "SMTP"
mail:protocolsArray:_array_index:2:state = "STOPPED"
mail:protocolsArray:_array_index:2:service = "MailTransferAgent"
mail:protocolsArray:_array_index:2:error = ""
mail:protocolsArray:_array_index:3:status = "ON"
mail:protocolsArray:_array_index:3:kind = "OUTGOING"
mail:protocolsArray:_array_index:3:protocol = "SMTP"
mail:protocolsArray:_array_index:3:state = "STOPPED"
mail:protocolsArray:_array_index:3:service = "MailTransferAgent"
mail:protocolsArray:_array_index:3:error = ""
mail:protocolsArray:_array_index:4:status = "OFF"
mail:protocolsArray:_array_index:4:kind = "INCOMING"
mail:protocolsArray:_array_index:4:protocol = ""
mail:protocolsArray:_array_index:4:state = "STOPPED"
mail:protocolsArray:_array_index:4:service = "ListServer"
mail:protocolsArray:_array_index:4:error = ""
mail:protocolsArray:_array_index:5:status = "ON"
mail:protocolsArray:_array_index:5:kind = "INCOMING"
mail:protocolsArray:_array_index:5:protocol = ""
mail:protocolsArray:_array_index:5:state = "STOPPED"
mail:protocolsArray:_array_index:5:service = "JunkMailFilter"
mail:protocolsArray:_array_index:5:error = ""
mail:protocolsArray:_array_index:6:status = "ON"
mail:protocolsArray:_array_index:6:kind = "INCOMING"
mail:protocolsArray:_array_index:6:protocol = ""
mail:protocolsArray:_array_index:6:state = "STOPPED"
mail:protocolsArray:_array_index:6:service = "VirusScanner"
mail:protocolsArray:_array_index:6:error = ""
mail:protocolsArray:_array_index:7:status = "ON"
mail:protocolsArray:_array_index:7:kind = "INCOMING"
mail:protocolsArray:_array_index:7:protocol = ""
mail:protocolsArray:_array_index:7:state = "STOPPED"
mail:protocolsArray:_array_index:7:service = "VirusDatabaseUpdater"
mail:protocolsArray:_array_index:7:error = ""
mail:logPaths:Server Error Log = "/Library/Logs/Mail/mail-err.log"
mail:logPaths:IMAP Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:Server Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:POP Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:SMTP Log = "/var/log/mail.log"
mail:logPaths:List Server Log = "/Library/Logs/Mail/listserver.log"
mail:logPaths:Migration Log = "/Library/Logs/MailMigration.log"
mail:logPaths:Virus Log = "/Library/Logs/Mail/clamav.log"
mail:logPaths:Amavisd Log = "/Library/Logs/Mail/amavis.log"
mail:logPaths:Virus DB Log = "/Library/Logs/Mail/freshclam.log"
mail:imapStartedTime = ""
mail:postfixStartedTime = ""
mail:servicePortsRestrictionInfo = _empty_array
mail:servicePortsAreRestricted = "NO"
mail:connectionCount = 0
mail:readWriteSettingsVersion = 1
mail:serviceStatus = "DISABLED"

To stop the service:

sudo serveradmin stop mail

And to start it back up:

sudo serveradmin start mail

To configure some of the settings no longer in the GUI from previous versions, let’s look at the full list of options:

sudo serveradmin settings mail

One that is commonly changed is the subject line added to messages that are marked as spam by SpamAssassin. This is stored in mail:postfix:spam_subject_tag, so changing it would be:

sudo serveradmin settings mail:postfix:spam_subject_tag = "***DIEEVILSPAMMERSDIE*** "

A number of admins also choose to disable greylisting, done by setting the mail:postfix:greylist_disable option to yes:

sudo serveradmin settings mail:postfix:greylist_disable = yes

To configure an email address for quarantined mail to go to, use mail:postfix:virus_quarantine:

sudo serveradmin settings mail:postfix:virus_quarantine = "diespammersdie@krypted.com"

The administrator, by default, doesn’t get an email when an email containing a file infected with a virus is sent through the server. To enable this option:

sudo serveradmin settings mail:postfix:virus_notify_admin = yes

I also find a lot of Mac environments want to accept email of pretty much any size. By default, message size limits are enabled. To disable them:

sudo serveradmin settings mail:postfix:message_size_limit_enabled = no

Or even better, just set a new limit (the value is in bytes; 10485760 is 10 MB):

sudo serveradmin settings mail:postfix:message_size_limit = 10485760

And to configure the percentage of someone’s quota that kicks off an alert (soft quota):

sudo serveradmin settings mail:imap:quotawarn = 75

Additionally, the following arrays are pretty helpful, which used to have GUI options:

The client side of the mail service is straightforward enough. If you are wondering where in this article we discuss using webmail, er, that’s not installed by default any longer. But the open source project previously used, Roundcube, is still available for download and easily installed (the pre-reqs are all there, already). Check out the Roundcube wiki installation page here for more info on that. Also, mail groups. I hope to have a post about that soon enough. Unless, of course, I get sidetracked with having a life. Which is arguably not very likely…
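Both the addressbook post above (reading back Authentication:Basic:Enabled) and the mail post (eyeballing the fullstatus dump for protocols that are ON but STOPPED) leave you scanning serveradmin output by hand. Here is an added example, not from the original posts and not an Apple tool, of a small POSIX shell/awk helper that parses that key = value format offline; the sample output inside it is constructed from the lines shown above, and on a real server you would pipe the serveradmin commands into the same functions.

```shell
#!/bin/sh
# Added example, not from the original posts: parse serveradmin-style
# "key = value" output. Samples are constructed from lines shown in the posts.
# Constructed sample: abridged `serveradmin fullstatus mail` output.
MAIL_STATUS='mail:state = "STOPPED"
mail:protocolsArray:_array_index:0:status = "ON"
mail:protocolsArray:_array_index:0:protocol = "IMAP"
mail:protocolsArray:_array_index:0:state = "STOPPED"
mail:protocolsArray:_array_index:0:service = "MailAccess"
mail:protocolsArray:_array_index:2:status = "ON"
mail:protocolsArray:_array_index:2:protocol = "SMTP"
mail:protocolsArray:_array_index:2:state = "RUNNING"
mail:protocolsArray:_array_index:2:service = "MailTransferAgent"
mail:protocolsArray:_array_index:4:status = "OFF"
mail:protocolsArray:_array_index:4:protocol = ""
mail:protocolsArray:_array_index:4:state = "STOPPED"
mail:protocolsArray:_array_index:4:service = "ListServer"
mail:serviceStatus = "DISABLED"'
# Constructed sample: abridged `serveradmin settings addressbook` output.
ADDRESSBOOK_SETTINGS='addressbook:Authentication:Basic:Enabled = yes
addressbook:SSLPort = 8443
addressbook:ServerRoot = "/Library/Server/Calendar and Contacts"'

# sa_get KEY: print the value of KEY (surrounding quotes stripped) from stdin.
sa_get() {
  awk -v k="$1" -F' = ' '$1 == k { v = $2; gsub(/^"|"$/, "", v); print v }'
}

# sa_enabled_but_stopped: print "index service protocol" for every
# protocolsArray entry with status ON but state STOPPED, i.e. a component
# that is switched on but did not come up after `serveradmin start`.
sa_enabled_but_stopped() {
  awk -F' = ' '
    match($1, /_array_index:[0-9]+:/) {
      i = substr($1, RSTART + 13, RLENGTH - 14) + 0   # numeric array index
      f = $1; sub(/.*:/, "", f)                       # field name after last colon
      v = $2; gsub(/"/, "", v)                        # unquoted value
      a[i, f] = v; if (i > max) max = i
    }
    END {
      for (i = 0; i <= max; i++)
        if (a[i, "status"] == "ON" && a[i, "state"] == "STOPPED")
          print i, a[i, "service"], a[i, "protocol"]
    }'
}

# Stand-alone run: Basic auth is still "yes", and IMAP is enabled but not running.
printf '%s\n' "$ADDRESSBOOK_SETTINGS" | sa_get addressbook:Authentication:Basic:Enabled
printf '%s\n' "$MAIL_STATUS" | sa_enabled_but_stopped
```

After the Basic:Enabled = no change above, sa_get should print no, and an empty sa_enabled_but_stopped listing after a start means every switched-on component actually came up.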

September 24th, 2015

Posted In: Mac OS X Server

