Get started
Screen Sharing
Observe and control your server from another computer on the network. You can open Screen Sharing from the Tools menu in the Server app.
Server
Manage users and groups. Monitor server status. Start, stop, and customize services. View and change system, network, and storage settings. Manage an AirPort device.
Monitor server activity from any Mac with Mac OS X Lion.
Configure Time Machine backup of the server. Set up sharing for a directly connected USB or FireWire printer.
For more information about Screen Sharing, Server, and System Preferences, open the application and use the Help menu. For more information about the Server Status widget, see Use the Server Status widget.
Advanced administration tools
Besides the Server app and the other basic tools, you can use the applications described below. All except Directory Utility and Xsan Admin are located in the Server folder in Launchpad. If your server doesn't have that folder with the advanced tools in it, you can install them as described in Use advanced tools for more services.
Directory Utility
Configure advanced connections to directory servers. You can open Directory Utility from the Tools menu in the Server app.
Podcast Composer
Follow a structured, graphical process to create workflows that control how Podcast Producer generates and distributes podcasts.
Change advanced service settings and configure advanced services.
Remotely monitor and manage one or more Xserve systems.
Create NetBoot, NetInstall, and NetRestore images for Mac computers.
Manage users, groups, computers, and computer groups in advanced server deployments. Manage preferences for Mac OS X Lion users.
Xgrid Admin
Remotely manage clusters, monitor controller and agent activity, and check job status on the grid.
Xsan Admin
Set up and manage a storage area network (SAN) to provide fast, shared storage among Macs connected to a Fibre Channel network. Located in the Utilities folder in Launchpad.
For more information about an advanced application, open it and use the Help menu.
Command-line tools
You can also use UNIX tools in the Terminal app to administer services, manage users, and perform most other server administration tasks. For more information, see About the command-line environment of Lion Server.
Services
Lion Server can provide services to Macintosh, Windows, and UNIX computers, and to iOS devices such as iPhone, iPod touch, and iPad. You use the Server app to turn on the services you want to provide, customize service settings, and turn off services you don't need. Services include:
File sharing lets users store and share folders and files on the server.
iCal service provides shared calendars, so users can check each other's availability, book conference rooms, and schedule meetings and events.
iChat Instant messaging service lets users collaborate by chatting and sharing information.
Mail service lets users send and receive email on your local network and the Internet using any email application or, optionally, a web browser.
Podcast service lets users publish audio and video podcasts they record and edit using the Podcast Publisher app on their Macs with Mac OS X Lion.
Profile Manager service lets you manage mobile devices and distribute configuration profiles that set up users' Macs and iOS devices to use your server.
A Time Machine destination lets users back up their Macs on your server's disk.
VPN service gives users secure remote access to your server and network via the Internet.
Wiki service lets users share information using wikis, blogs, and web calendars.
Server information
While Lion Server is providing accounts and services to users, you can check server system information and change server system settings.
Track server alerts
Monitor server stats
View server information
Allow remote login to your server via SSH
Allow screen sharing and remote management
Allow remote administration
Improve performance as a dedicated server
Use push notification
Manage the server's SSL identity certificates
Find the server's network address and host name
Manage server storage
Disk preparation
If you're going to install Lion Server on an existing computer and want a clean installation rather than an upgrade, use the Disk Utility app to erase the disk you'll install on. With Disk Utility, you can also partition the server's disk into multiple volumes or set up a RAID set. You can use Disk Utility when you begin installing Lion Server. For instructions, search Mac Help for Erase and reinstall Mac OS X. You can also use Disk Utility after installing Lion Server. Disk Utility is in the Utilities folder of Launchpad.
Formats for server disks
When you erase a disk before installing Lion Server on it, select one of these formats:
Mac OS Extended (Journaled): This format is recommended, and is the most common format for Mac and Mac server startup disks.
Mac OS Extended (Case-sensitive, Journaled): This format is worth considering if you're planning to have your server host a custom website with static web content instead of or in addition to wikis. A case-sensitive disk can host static web content with a more direct mapping between files and URLs.
You can erase other disks using one of the formats above, or a non-journaled variant: Mac OS Extended or Mac OS Extended (Case-sensitive). If the server has a disk formatted using the UNIX File System (UFS) format by an earlier version of Mac OS X or Mac OS X Server, do not use the UFS disk for a Lion Server startup disk.
Volumes on a partitioned disk
Partitioning a hard disk creates a volume for Lion Server and one or more volumes for service data and other software. The volume you install Lion Server on should be at least 10 GB. This volume should be larger if you plan to store shared folders, wikis, and other service data on it. The volumes on a partitioned disk are often simply called disks. Each volume appears as a disk in the Finder, and you use each volume as if it were a separate disk.
RAID sets
If you're installing Lion Server on a computer with multiple internal hard disk drives, you can create a RAID (Redundant Array of Independent Disks) set to optimize storage capacity, improve performance, and increase reliability in case of a disk failure. For example, a mirrored RAID set increases reliability by writing your data to two or more disks at once. If one disk fails, your server automatically continues using other disks in the RAID set. You can set up RAID mirroring or another type of RAID set when you begin installing Lion Server. After installing, you can set up RAID mirroring on a disk that isn't partitioned. To prevent data loss, you should set up RAID mirroring as early as possible. For information about setting up a RAID set, search Disk Utility Help for Using RAID sets.
If you choose a RAID set, you won't get a recovery partition or FileVault full disk encryption. A recovery partition allows you to reinstall Mac OS X or recover your entire system from a Time Machine backup. Full disk encryption isn't recommended for a Lion Server startup disk or any disk that stores service data. If these disks are encrypted, the server can't restart until you go to the server and enter the password at the server's keyboard. If you use Lion Server to share an encrypted disk, the disk isn't available to users until you enter the password at the server's keyboard.
1. Obtain an Internet domain name like example.com. You can purchase one from a public domain name registrar. For information about domain name registrars, search the web.
2. Register a unique host name for this server, such as server.example.com, with your domain name registrar.
3. Have a DNS hosting service add records for this server to its DNS servers. Your DNS registrar might provide DNS hosting service, or you can search the web for a provider.
servers for your Mac server. If you don't have a DHCP server, you can set up Lion Server's DHCP service. For information, see DHCP setup overview.
_xmpp-server._tcp 86400 IN SRV 0 1 5269 server.example.com
Another record controls iChat and other XMPP client connections to your server. It maps _xmpp-client._tcp for port 5222 to your server's host name. For example:
_xmpp-client._tcp 86400 IN SRV 0 1 5222 server.example.com
These SRV records let users have an iChat address like mchen@example.com. Without these SRV records, iChat addresses must include your server's full host name (for example, mchen@server.example.com).
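Because these SRV records decide which host every XMPP client and federated server connects to, it is worth checking what your DNS hosting service actually publishes against what you asked for. The script below is an added example, not part of the help page or of Lion Server: it builds the two records the page describes for a given host name, parses zone-file SRV lines with a small parser of my own, and reports records that are missing, use the wrong port, or point at a host other than yours. The zone excerpt and the host names in it are constructed for the example.

```python
import re
from dataclasses import dataclass

# Zone-file SRV line, as in the page's examples: name ttl IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)

# The two records the page describes, keyed by owner name (ports from the page).
XMPP_SRV_PORTS = {"_xmpp-server._tcp": 5269, "_xmpp-client._tcp": 5222}


@dataclass(frozen=True)
class SrvRecord:
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str

    def zone_line(self) -> str:
        return f"{self.name} {self.ttl} IN SRV {self.priority} {self.weight} {self.port} {self.target}"


def xmpp_srv_records(host_name: str, ttl: int = 86400) -> list:
    """The SRV records to hand to your DNS hosting service for the given server host name."""
    host_name = host_name.rstrip(".")
    return [SrvRecord(name, ttl, 0, 1, port, host_name) for name, port in XMPP_SRV_PORTS.items()]


def parse_srv(line: str):
    """Parse one zone-file SRV line; return None for anything else (comments, other record types)."""
    m = SRV_LINE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    # A trailing dot marks an absolute name in zone files; drop it so comparisons are uniform.
    return SrvRecord(g["name"], int(g["ttl"]), int(g["priority"]), int(g["weight"]),
                     int(g["port"]), g["target"].rstrip("."))


def audit_xmpp_srv(zone_text: str, expected_host: str) -> list:
    """Return problems with the XMPP SRV records in a zone: missing, wrong port, or a target that is not ours."""
    expected_host = expected_host.rstrip(".")
    found = {}
    for line in zone_text.splitlines():
        rec = parse_srv(line)
        if rec is not None:
            found.setdefault(rec.name, []).append(rec)
    problems = []
    for name, port in XMPP_SRV_PORTS.items():
        recs = found.get(name, [])
        if not recs:
            problems.append(f"{name}: missing")
            continue
        for rec in recs:
            if rec.port != port:
                problems.append(f"{name}: port {rec.port}, expected {port}")
            if rec.target != expected_host:
                problems.append(f"{name}: target {rec.target} is not {expected_host}")
    return problems


# Constructed zone excerpt: the client record still points at a host that was retired.
SAMPLE_ZONE = """\
; example.com zone excerpt (constructed for this example)
example.com. 86400 IN A 203.0.113.10
_xmpp-server._tcp 86400 IN SRV 0 1 5269 server.example.com
_xmpp-client._tcp 86400 IN SRV 0 1 5222 oldserver.example.com
"""

if __name__ == "__main__":
    for rec in xmpp_srv_records("server.example.com"):
        print(rec.zone_line())
    for problem in audit_xmpp_srv(SAMPLE_ZONE, "server.example.com"):
        print("problem:", problem)
```

Run against the zone text your DNS provider returns (or a copy of your own zone file), the audit flags a stale target such as the one in the sample, which would otherwise send every client login to a host you no longer control.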
RELATED TOPICS
Router port mapping
Manage AirPort port mapping and Wi-Fi login
Register the server's Internet host name
About VPN
change it on your AirPort device. Services that aren't in the Public Services list can get incoming connections only from the server's intranet.
Allow user name and password login over Wi-Fi
You can let users log in to your wireless network with their user name and password instead of the Wi-Fi network password. In this case, your server provides Remote Authentication Dial In User Service (RADIUS) for your AirPort device and authorizes all user accounts on the server to access your wireless network. For more information, see About RADIUS for AirPort.
1. In the Server app sidebar, select your AirPort device. The AirPort device is listed in the Hardware section of the sidebar.
2. If you want users to log in to your wireless network with their user account credentials, select Allow user name and password login over Wi-Fi. Selecting this option starts RADIUS on your server, registers the selected AirPort device with RADIUS, and authorizes all user accounts on the server to access your wireless network. Important: Your server will lose its connection to the AirPort device unless the two are connected via a wired Ethernet network. Don't select this option if you want to let users log in to your wireless network with the Wi-Fi network password. You can turn off RADIUS using the AirPort Utility app (in the Utilities folder in Launchpad).
3. To apply your changes, restart your AirPort device by entering its password and clicking Set. Important: Restarting your AirPort device interrupts its services for all computers on your intranet for up to a minute. AirPort device services may include Internet access, DHCP service, and a shared disk for Time Machine backup or other uses. When entering the password to authorize restarting the AirPort device, use the password for the device, not the password for your Wi-Fi network. Lion Server remembers this password, so you don't have to enter it again unless you change it on your AirPort device.
forward only those ports to your server's IP address. Some Internet routers let you specify TCP or UDP for each port, while other routers don't. For specific information about how to configure port forwarding on your router, see its documentation. If your router is an AirPort Extreme Base Station (802.11n) or a Time Capsule, you can use the Server app to configure port forwarding. For information, see Manage AirPort port mapping and Wi-Fi login. If your intranet has a separate firewall device, and you want to allow access to some services outside your intranet, ask the firewall administrator to open the firewall for the communications ports and protocols that your services use. Use the following table to determine the port numbers you need to have open on the firewall.
Service                            Port            TCP or UDP
Address Book Server                8008            TCP
Address Book Server SSL            8443            TCP
iCal Server                        8008            TCP
iCal Server SSL                    8443            TCP
iChat Server                       5222            TCP
iChat Server SSL                   5223            TCP
iChat server-to-server             5269            TCP
iChat Server file transfer         7777            TCP
iChat local                        5678            UDP
iChat audio/video RTP and RTCP     16384-16403     UDP
File sharing SMB                   139             TCP
File sharing AFP                   548             TCP
Mail service SMTP standard         25              TCP
Mail service POP3                  110             TCP
Mail service IMAP                  143             TCP
Mail service SMTP submission       587             TCP
Mail clients IMAP SSL              993             TCP
Mail clients POP3 SSL              995             TCP
Remote login SSH (Secure Shell)    22              TCP
Screen sharing VNC                 5900            TCP
Web service HTTP                   80              TCP
Web service HTTPS                  443             TCP
Web service custom website         YourPortNumber  TCP
VPN L2TP ISAKMP/IKE
VPN L2TP
VPN L2TP IKE NAT Traversal
VPN L2TP ESP (firewall only)
VPN PPTP
Note: Exposing web service also exposes wiki, web calendar, webmail, and Profile Manager services.
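When you hand a firewall administrator the list of ports to open, the request should contain only the services you actually mean to expose, and it should carry the page's caveat that web service drags wiki, web calendar, webmail and Profile Manager along with it. The script below is an added example, not from the help page or from Lion Server: it holds the table above (VPN rows omitted, because their ports are not on this page), turns a list of services into a de-duplicated port/protocol checklist, and attaches warnings. The pairing of cleartext services with their SSL rows is my own reading of the table, not something the page states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    service: str
    port: str   # a port number, a range such as "16384-16403", or a placeholder
    proto: str  # "TCP" or "UDP"


# Transcribed from the help page's firewall table. The VPN rows are left out
# because their port numbers are not shown on the page.
PORT_TABLE = [
    PortRule("Address Book Server", "8008", "TCP"),
    PortRule("Address Book Server SSL", "8443", "TCP"),
    PortRule("iCal Server", "8008", "TCP"),
    PortRule("iCal Server SSL", "8443", "TCP"),
    PortRule("iChat Server", "5222", "TCP"),
    PortRule("iChat Server SSL", "5223", "TCP"),
    PortRule("iChat server-to-server", "5269", "TCP"),
    PortRule("iChat Server file transfer", "7777", "TCP"),
    PortRule("iChat local", "5678", "UDP"),
    PortRule("iChat audio/video RTP and RTCP", "16384-16403", "UDP"),
    PortRule("File sharing SMB", "139", "TCP"),
    PortRule("File sharing AFP", "548", "TCP"),
    PortRule("Mail service SMTP standard", "25", "TCP"),
    PortRule("Mail service POP3", "110", "TCP"),
    PortRule("Mail service IMAP", "143", "TCP"),
    PortRule("Mail service SMTP submission", "587", "TCP"),
    PortRule("Mail clients IMAP SSL", "993", "TCP"),
    PortRule("Mail clients POP3 SSL", "995", "TCP"),
    PortRule("Remote login SSH (Secure Shell)", "22", "TCP"),
    PortRule("Screen sharing VNC", "5900", "TCP"),
    PortRule("Web service HTTP", "80", "TCP"),
    PortRule("Web service HTTPS", "443", "TCP"),
    PortRule("Web service custom website", "YourPortNumber", "TCP"),
]

# From the page's note under the table.
WEB_IMPLIES = ("wiki", "web calendar", "webmail", "Profile Manager")

# Cleartext services that have an SSL counterpart in the same table
# (this pairing is my reading of the table, not a statement on the page).
SSL_COUNTERPART = {
    "Address Book Server": "Address Book Server SSL",
    "iCal Server": "iCal Server SSL",
    "iChat Server": "iChat Server SSL",
    "Mail service POP3": "Mail clients POP3 SSL",
    "Mail service IMAP": "Mail clients IMAP SSL",
    "Web service HTTP": "Web service HTTPS",
}


def firewall_openings(exposed):
    """Return (rules, warnings) for the services you intend to reach from outside the intranet.

    rules    - the PortRule entries that must be opened on the firewall
    warnings - transitive exposure, cleartext-protocol and unknown-service notes
    """
    by_name = {rule.service: rule for rule in PORT_TABLE}
    rules, warnings = [], []
    for name in exposed:
        rule = by_name.get(name)
        if rule is None:
            warnings.append(f"unknown service: {name}")
            continue
        rules.append(rule)
        if name.startswith("Web service"):
            warnings.append(f"{name} also exposes: " + ", ".join(WEB_IMPLIES))
        if name in SSL_COUNTERPART:
            warnings.append(f"{name} is cleartext; consider {SSL_COUNTERPART[name]} instead")
    return rules, warnings


def _sort_key(entry):
    # Numeric ports (and the low end of a range) sort ascending; placeholders go last.
    port = entry.split("/")[0].split("-")[0]
    return (0, int(port)) if port.isdigit() else (1, 0)


def as_checklist(rules):
    """Render the openings as de-duplicated 'port/proto' lines for the firewall administrator."""
    return sorted({f"{rule.port}/{rule.proto}" for rule in rules}, key=_sort_key)


if __name__ == "__main__":
    wanted = ["Mail service IMAP", "Web service HTTPS", "Remote login SSH (Secure Shell)"]
    rules, warnings = firewall_openings(wanted)
    print("\n".join(as_checklist(rules)))
    for warning in warnings:
        print("warning:", warning)
```

Services that share a port (Address Book Server and iCal Server both use 8008) collapse into one checklist line, so the list you send matches what the firewall administrator will actually configure.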
Server app on a Mac that isn't a server, making it an administrator computer. If you have more than one server, they already have the Server app installed, and you can use them as administrator computers. As illustrated below, you use the Server app on the administrator computer to check server status, manage accounts and services, and view or change server system settings. The remote server doesn't need a display.
1. Install the Server app on a Mac you want to be an administrator computer by doing either of the following:
Copy from your server. You can copy the Server app from your server to a Mac that you want to be an administrator computer.
Install from the Mac App Store. After purchasing Lion Server from the App Store on your server, you can install it free of charge on a Mac you want to be an administrator computer. You open the App Store on the prospective administrator computer, find Lion Server in the App Store, click Buy, and provide the Apple ID you used to purchase Lion Server. The Server app is downloaded to the administrator computer.
2. Open the Server app you installed in step 1, and then choose Manage > Connect to Server. The Choose a Mac dialog appears. If the Welcome to Server dialog appears instead, choose Manage > Connect to Server again.
3. You can now select another Mac to manage, or select a Mac that's ready for server setup, and then click Continue. For additional instructions, see Manage Lion Server remotely or Set up a server remotely. Note: If you select This Mac (that is, the Mac you're working on) and click Continue, the Server app makes the Mac a server.
To add the administration tools to your server, download the Server Admin Tools for Mac OS X Lion Server from the AppleCare Support Downloads website at www.apple.com/support/downloads/, and then install the downloaded software.
More information
For more information, see these resources.
Lion Server website (www.apple.com/macosx/server/) Enter the gateway to extensive product and technology information.
Lion Server Support website (www.apple.com/support/lionserver/) Access hundreds of articles from Apple's support organization.
Apple Training and Certification website (www.apple.com/training/) Hone your server administration skills with instructor-led or self-paced training, and differentiate yourself with certification.
Apple Discussions website (discussions.apple.com) Share questions, knowledge, and advice with other administrators.
Apple Mailing Lists website (www.lists.apple.com) Subscribe to mailing lists so you can communicate with other administrators using email.
1. If necessary, install the Server app on the Mac you want to use for administering your server. For instructions, see Prepare an administrator computer.
2. In the Server app, choose Manage > Connect to Server.
3. Select the server you want to manage, and then click Continue. If you want to manage a server that isn't listed, such as a server outside your intranet, select Other Mac, click Continue, and then enter its host name or IP address.
4. Enter an administrator name and password for the server you selected, and then click Connect.
1. Select the server in the Server app sidebar, and click Settings.
2. Select Enable screen sharing and remote management. Selecting this option in the Server app only allows screen sharing and Apple Remote Desktop access by the administrator account created when the server was initially set up. If you want to specify who can share your screen and what capabilities Apple Remote Desktop users have, use the Sharing pane of System Preferences.
If you use the Server app to allow remote administration, your server can be administered by the Server app on another Mac.
1. Select the server in the Server app sidebar and click Settings.
2. Select Allow remote administration using Server.
1. Select the server in the Server app sidebar, and click Settings.
2. Select Dedicate system resources to server services. This change takes effect when the server restarts.
1. To find your server's computer name, select the server in the Server app sidebar and click Network.
2. To find the local hostname and optionally change the computer name or the local hostname, click Edit next to the computer name. You can see and change the computer name and the local hostname in the dialog that appears. The computer name can be 63 Roman characters or fewer. It can include spaces, but avoid using =, :, or @.
The host name is the full, unique name that identifies the server on your intranet and (optionally) on the Internet, for example, server.mycompany.com or server.mycompany.private. The DNS server for your intranet must be configured to map the host name to the server's intranet IP address. If another server on your intranet provides DNS service, ask the DNS server administrator for help. If you want Internet users to access your server by using its host name, an Internet DNS hosting service must configure its DNS servers to map the host name to your server's Internet IP address.
1. To find your server's host name, select the server in the Server app sidebar and click Network.
2. To change the host name, click Edit next to the host name, and proceed through the Change Host Name assistant. For information about settings in a Change Host Name assistant pane, click the Help button in the pane.
After changing your server's host name, the DNS server for your network must be updated so that the new host name points to your server's IP address. Also, a reverse lookup of the IP address must point to the new host name. If your DNS service is provided by a DNS hosting service, your ISP, or another server on your network, ask the provider to update your server's DNS records. If your server provides its own DNS service, you can use Server Admin to update it. For information about Server Admin, see Lion Server tools. Users who have installed profiles from your server can update their Macs to use the server's new host name by getting new profiles and installing them. Lion Server automatically creates a new profile each time a user downloads one, and uses the server's current host name in the new profiles. Changing your server's host name may disrupt the connections of users' computers that have Mac OS X Lion. If this happens, users need to remove your server from their list of network account servers and then add it again. For information, search Mac Help for Join your Mac to a network account server.
To find your server's IP address, select the server in the Server app sidebar and click Network. The numeric IP address appears below the Interfaces heading, to the right of the network interface name. If your server has multiple interfaces, each is listed. To change the IP address, open System Preferences, click Network, select the network service listed on the left, and enter an IP address on the right. You can't change the IP address if the Configure IPv4 setting is Using DHCP. In this case, the DHCP server for your network assigns an IP address to your server. The DHCP server should be configured to assign your server the same IP address all the time. This feature is called static mapping or DHCP reservations. If you have an Internet router, it's probably your DHCP server, and you should see its documentation for instructions. If the IP address can't be edited, you can enable editing by changing the Configure IPv4 setting to Manually or Using DHCP with manual address.
After changing your server's IP address, the DNS server for your network must be updated so that your server's host name points to the new IP address. Also, a reverse lookup of the new IP address must point to your server's host name. If your DNS service is provided by your ISP or another server on your network, ask your ISP or the DNS server administrator to update your server's DNS records. If your server provides its own DNS service, you can use Server Admin to update it. For information about Server Admin, see Lion Server tools. Changing your server's IP address may disrupt the connections of users' computers that have Mac OS X Lion. If this happens, users need to remove your server from their list of network account servers and then add it back. For more information, search Mac
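Both the host-name and the IP-address procedures above end with the same requirement: the forward lookup of the host name must give the new address, and the reverse lookup of that address must give the host name. The check below is an added example, not part of the help page or of Lion Server. It takes the answers your resolver returned (constructed dictionaries here, standing in for the output of a forward and a reverse query), builds the reverse-lookup name with Python's ipaddress module, and reports any disagreement, including an old address that is still published after the change.

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """The owner name a PTR record must have for this address, e.g. 203.0.113.20 -> 20.113.0.203.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def _canonical(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot marks an absolute name.
    return name.rstrip(".").lower()


def check_forward_reverse(host_name, expected_ip, a_records, ptr_records):
    """Cross-check a server's forward and reverse DNS after a host name or IP change.

    a_records   - {host name: [address, ...]} as returned by forward lookups (constructed here)
    ptr_records - {reverse name: host name} as returned by reverse lookups (constructed here)
    Returns a list of problems; an empty list means forward and reverse agree on expected_ip.
    """
    host = _canonical(host_name)
    forward = {_canonical(name): addrs for name, addrs in a_records.items()}
    reverse = {_canonical(name): target for name, target in ptr_records.items()}
    problems = []

    addrs = forward.get(host, [])
    if not addrs:
        problems.append(f"{host}: no A record")
    elif expected_ip not in addrs:
        problems.append(f"{host}: resolves to {', '.join(addrs)}, expected {expected_ip}")
    stale = [a for a in addrs if a != expected_ip]
    if stale:
        # An old address left in DNS keeps sending clients to whatever now holds it.
        problems.append(f"{host}: stale address(es) still published: {', '.join(stale)}")

    ptr = reverse.get(reverse_name(expected_ip))
    if ptr is None:
        problems.append(f"{expected_ip}: no PTR record")
    elif _canonical(ptr) != host:
        problems.append(f"{expected_ip}: reverse lookup gives {ptr}, not {host}")
    return problems


# Constructed resolver answers: the reverse zone was updated for the new address
# 203.0.113.20, but the forward zone still carries the old one.
SAMPLE_A = {"server.example.com": ["203.0.113.10"]}
SAMPLE_PTR = {"20.113.0.203.in-addr.arpa": "server.example.com."}

if __name__ == "__main__":
    for problem in check_forward_reverse("server.example.com", "203.0.113.20", SAMPLE_A, SAMPLE_PTR):
        print("problem:", problem)
```

The same check applies unchanged after a host name change: pass the new host name and the unchanged address, and any PTR record still naming the old host shows up as a reverse-lookup mismatch.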
1. In the Server app sidebar, select the server, and then click Storage.
2. Choose how you want to browse disk contents by clicking a View button in the lower left corner of the Storage pane. To view disks, folders, and files in a list, click the List View button. List view shows the amount of available space as a number and a graph. You can show or hide disk and folder contents by clicking disclosure triangles in list view. To view disks, folders, and files in columns, click the Column View button. You can resize or expand columns as follows:
To resize columns, drag the bottom of a column divider (where two vertical lines appear)
To resize all columns at once, hold down the Option key as you drag
To expand a column to reveal its longest item, double-click the column divider
To expand all columns to reveal their longest items, Option-double-click any column divider
To expand all columns equally to reveal the longest item, hold down Shift-Option while double-clicking any column divider
To resize columns, Control-click a column divider and choose from the shortcut menu
3. To create a new folder, select the disk or folder you want to contain it, and then choose New Folder from the Action pop-up menu.
4. To change an item's access permissions, select the item and choose Edit Permissions from the Action pop-up menu. For detailed instructions, see Set folder access permissions.
5. To propagate a folder's access permissions to the items it contains, select the folder and choose Propagate Permissions from the Action pop-up menu. Important: Propagation begins as soon as you click OK, and you can't undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.
In the Server sidebar, look for a green status indicator next to each service icon. A service with a status indicator is turned on and operating normally. A service without an indicator is turned off.
1. In the Server app sidebar, select the server by name, and then click Overview.
2. To see more information about the startup disk and any other disks connected to the server, click the arrow next to the startup disk name. You'll see the Storage pane, which highlights the startup disk in the list of available disks.
Choose a type of activity and a time period from the pop-up menus.
Processor Usage: Monitor the workload of the server's processor or processors.
Memory Usage: See how much memory the server has been using.
Network Traffic: Track how much incoming and outgoing data the server transfers over the network.
You can also monitor server activity by using the Server Status widget on the server or on another computer. For information, see Use the Server Status widget. If the server has a display, you can use Activity Monitor (in the Utilities folder in Launchpad) on the server. Activity Monitor shows the processes and applications currently open on the computer. You can use Activity Monitor to monitor short-term processor workload, disk activity, and network activity. For information, see Activity Monitor Help.
1. Select Alerts in the Server sidebar.
2. Choose Configure Email Addresses from the Action pop-up menu.
3. Enter the email address you want alerts sent to, or enter multiple email addresses separated by commas.
1. Open Dashboard, and look for the Server Status widget. You can open Dashboard by clicking its icon in Launchpad or pressing its keyboard shortcut, which is usually the F12 key. If you don't see the Server Status widget in Dashboard, click Dashboard's Open button (+), and then click or drag the Server Status widget from the widget bar. You can use multiple Server Status widgets to see more than one aspect of a server's status at once or to monitor other servers on the network. For more information, search Mac Help for Dashboard and widgets.
2. If you see the Server, User Name, and Password fields, enter the server's DNS name or IP address followed by an administrator name and password, and then click Done.
3. When the Server Status widget is connected to a server, it displays a graph and other status information about the server and its services. You can:
Monitor processor usage, network load, or disk usage by clicking an icon below the graph.
Change the processor or network graph's time period to one hour, day, or week by clicking the graph.
If your server has more than one disk, view the status of each disk in turn by clicking the disk usage graph.
Check the status indicator and activity statistics for the listed services. A green indicator means the service is running.
Connect to a different server by moving the mouse to the upper-left corner of the widget and clicking the Info button (i).
You can close the Server app connections by doing any of the following: Close the Server app window. Choose Manage > Close. Quit the Server app.
1. Create a standard user account in the Users & Groups pane of System Preferences on the server.
2. In the server's login window, use a standard user account instead of an administrator account.
3. Use your administrator account with any application that requires administrator privileges. For example, use your administrator name and password with the Server app when you need to manage users, groups, or services.
The new user account also appears in the Users pane of the Server app, and it can be used to access services provided by your server from a user's computer on the network.
Server Admin
Server list: This shows servers, groups, smart groups, and if needed, administered services for each server. You select a group to view a status summary for grouped computers. You select a computer for its overview and server settings. You select a server's service to control and configure the service.
Tool bar: This shows available context buttons for configuration panes. If a button is grayed out or can't be clicked, you do not have administrative permissions to access it.
Main work area: This shows status and configuration options. This looks different for each service and for each context button selected.
All servers: This shows computers added to Server Admin, regardless of status.
Available servers: This lists the local-network scanner, which you can use to discover servers to add to your server list.
Server: This shows the hostname of the managed server. Select to show a summary that includes hardware, operating system, active service, and system status.
Service: This shows an administered service for a server. Select to get service status, logs, and configuration options. Green indicates a running service.
Group: This shows an administrator-created group of servers. Select to view a status summary for grouped computers. For more information, see Add a server group.
Smart group: This shows an automatic group, populated with servers that meet predetermined criteria. For more information, see Add a smart group.
Add button: This shows a pop-up menu of items to add to the Server list: servers, groups, and smart groups.
Action button: This shows a pop-up menu of actions possible for a selected service or server, including disconnect server, share the server's screen, and so forth.
Refresh button: This allows you to send a status request to computers in the Server list.
Service start/stop button: When a service is selected, this button allows you to start or stop the service, as relevant.
Status list: This shows available information that includes host name, OS version, CPU load, network throughput, approximate disk usage, uptime, and number of connected file sharing users.
Preference | Default | Description
 | On | This ensures that the server uses a valid SSL certificate for encryption.
 | | This performs a DNS lookup for IP addresses.
 | On | This uses the Mac OS computer name instead of the host name.
 | | This shows all services enabled for administration in the server list.
 | | In the Sharing pane, this shows the icon and the file name.
 | | This shows users and groups that are hidden because they belong to operating system processes.
Don't warn if a service port is blocked by firewall | On | This skips a check on the IP firewall when saving service port number preferences.
Alert user on server errors | On | This provides additional information for basic server errors.
Auto-refresh status every ___ seconds | 60 | This sets the poll frequency for status updates.
List a maximum of ___ users or groups | 100 | This limits the number of users or groups shown in the user and group drawer.
RELATED INFORMATION
Control access to services
Import and export Server Admin preferences
Import and export service settings
Add or remove services in the server view
Click Add (+) in the bottom action bar and choose Add Server.
Choose Server > Add Server from the menu bar.
Add a server group
Server Admin displays computers in groups in the Server List section of the application's window. The default server group is called All Servers. This is a list of administered computers that you have added and authenticated to. You can create other groups to organize the computers on your network. You can make more specific, targeted groups of servers from your All Servers list. First, create blank lists and then add servers from the All Servers list. You can do the following with server groups:
Create as many groups as you want
Add servers to more than one list
Group lists according to geographic region, functionality, hardware configuration, and even color
You can click a group name to see a status overview of servers in the group.
1. Under the Server list at the bottom of the Server Admin window, click Add (+).
2. Select Add Group and name the group. To rename groups, click the group and let the mouse hover over the name for a few seconds. When the name becomes editable, rename the group.
3. Drag the servers from the All Servers group to the new group.
1. Under the Server list at the bottom of the Server Admin window, click Add (+).
2. Select Add Smart Group.
3. Name the smart group.
4. Define the criteria for servers to appear in the list and click OK.
The group appears in the Server list.
1. Select the item to remove.
2. If it's a server, disconnect from the server: click the Perform Action button in the bottom action bar and choose Disconnect, or choose Server > Disconnect from the menu bar.
3. Remove the item you've selected: if it's a server, click the Perform Action button in the bottom action bar and choose Remove Server, or choose Server > Remove Server from the menu bar. If it's a group or server group, click the Perform Action button in the bottom action bar and choose Remove Group, or press Delete on the keyboard.
To rename groups, use the normal Mac file renaming method:
1. Click the group and let the mouse hover over the name for a few seconds.
2. When the name becomes editable, rename the group.
To add servers to the group, drag the servers from the All Servers group to the new group.
To remove servers from the group, select the servers and press Delete.
To rearrange servers in a group, drag a server in the list to a new place in the list.
1. Double-click the smart group to edit.
2. Rename the smart group, if needed.
3. Edit the criteria that determine which servers appear in the list and click OK.
The group appears in the Server list.
RELATED INFORMATION
Add servers and server groups
Add a smart group
Remove servers, server groups, and smart groups
Edit a server group
Edit a smart group
1. In Server Admin, select a server.
2. Click the Settings button in the toolbar and then click the Services tab.
3. To add a service, select the checkbox for the service.
4. To remove a service, deselect the checkbox for the service.
You can also control user access to several services using the Server app. For example, only the Server app can control user access to Podcast and Time Machine services. For information, see Control a user's access to services.
1. Select a server in the Servers list.
2. Click Settings, then click Access.
3. Click Services.
4. Choose a service and then choose whether to allow everyone access to it or whether to allow only specified users to access the service.
5. If you have chosen to specify users, add the users and groups as needed.
2. From the menu bar, choose Server > Export > Service Settings.
3. Select the services whose settings you want to copy.
4. Click Save.
The file that is created contains service configuration information as a plist XML document.
To open Terminal, click the Terminal icon in the Dock or in the Utilities folder in Launchpad. Each window in Terminal represents another instance of a shell process. Terminal presents a prompt when it's ready to accept a command. The prompt you see depends on your Terminal and shell preferences, but it often includes the name of the host you're logged in to, your current working folder, your user name, and a prompt symbol. For example, if a user named mariah is using the default bash shell, the prompt appears as:

server1:~ mariah$

This indicates that she is logged in to a computer named server1 as the user named mariah, and her current folder is her home folder, indicated by the tilde (~).
Terminate commands
To terminate the current command, press Control-C. This keyboard shortcut sends an abort signal to the command. In most cases this causes the command to terminate, although commands can install signal handlers to trap this signal and respond differently.
For example, the following command lists the user records in the local directory node:

dscl . -list /Users

Most of these users aren't traditional user accounts with home directories, but you should be able to find the short name of known users on the computer.
File and folder names can include letters, numbers, a period, or the underscore character. Avoid most other characters, including space characters. Although some Mac OS X file systems permit the use of these other characters, including spaces, you might need to add single or double quotation marks around pathnames that contain them. For individual characters, you can also escape the character; that is, put a backslash character immediately before the character in your string. For example, the pathname My Disk is written as "My Disk" or My\ Disk.
For more information about the sudo and su commands, see their man pages.
Installation
Check your DHCP server's configuration
Register an Internet host name
Consider disk preparation options
1. On the Mac you want to make a server, open the Mac App Store, and get Mac OS X Lion Server. The Server app is installed and opens automatically.
2. Click Configure in the Welcome to Server window, and then follow the onscreen instructions to begin installing and setting up Lion Server software. After you enter the name and password of an administrator account on your Mac, the Server app downloads additional Lion Server software, installs it, and configures your Mac as a server.
Types of installation
There are three ways to install Lion Server.

Install Server components on Lion
This method works after Lion is installed over a client version of Snow Leopard. If you need Lion Server-compatible versions of the advanced administration tools, you can download them from AppleCare support.

Install Lion Server over Snow Leopard Server
If you have an existing Snow Leopard Server installation, you can purchase and install Lion from the Mac App Store. The Mac App Store allows you to install both Lion and the Server components as a single unit. After Lion Server is installed over Snow Leopard Server, the Snow Leopard Server advanced administration tools (Server Admin, Workgroup Manager, and others) are deleted. If you need Lion Server-compatible versions of the advanced administration tools, download them from AppleCare support.

Clean installation
This method begins with starting a Lion Server installation. Instead of choosing a disk partition with an existing operating system on it, you install Lion Server on a blank disk partition. You get a clean install of Lion Server and you can configure the server from scratch.
Setup
1. Prepare your DHCP server for the new server, and if you have a DNS server, prepare it also. If you have an Internet router, it's probably your DHCP server. Your DNS server may be administered by your Internet service provider or a DNS hosting service, or it may be another server on your intranet. For more information, see DHCP server configuration for your server and Register the server's Internet host name.
2. Make sure the new server has an active connection to the same network as the administrator computer you're using.
3. If the server is off, turn it on. When the server starts up, the server setup assistant opens and waits for setup to begin.
4. On your administrator computer, open the Server app, choose Manage > Connect to Server, select the new server in the Choose a Mac dialog, and click Continue. The new server may be listed with a name generated from the computer model and the Ethernet hardware address (the MAC address), or with a name from your DNS server. If the server you want to set up is listed in the Server app sidebar, you can begin setup by selecting it and clicking Set Up This Mac.
5. Enter the new server's complete hardware serial number. You can find the serial number on the case of the product, on the original product packaging, and on the original product receipt or invoice. For more information about finding the serial number, see the Apple Support article at support.apple.com/kb/HT1349. Match the capitalization of the serial number when you type it.
6. Click Continue, and proceed through the server setup assistant panes.
After server setup is complete, you can take additional steps to enhance the security, accessibility, and overall usefulness of your new server. For information, see After setting up Lion Server.
About AutoServerSetup.plist
Automatic server setup is not supported in Lion Server.

WARNING: Your existing AutoServerSetup.plist may continue to function normally, or it may cause unintentional configuration. If you perform a clean installation, Server Assistant finds and tries to apply the settings in the plist file.

If you perform a clean installation and run the Server Assistant locally, a file at /System/Library/ServerSetup/AutoServerSetup.plist contains the setup data for the server. This file can be reused only with other clean installations of Lion Server.

WARNING: This method of server configuration is not supported, and may not function as intended.
Port number and type         Service
22 TCP                       SSH command-line shell
311 TCP                      Server Admin (with SSL)
626 UDP                      Serial number support
625 TCP                      Remote Directory Access
ICMP incoming and outgoing   standard ping
53 UDP                       host name resolution
Setting up a planning team
Identifying servers to set up
Understanding physical infrastructure requirements
Determining services to host on each server
Ensuring proper operational conditions
Minimize the need to relocate servers after setup
About load balancing
Minimize the time the server is in its temporary location so the amount of information to change is limited.
Postpone configuring services that depend on network settings until the server is in its final location. Such services include Open Directory replication, Apache settings (such as virtual domains), DHCP, and other network infrastructure settings that other computers depend on.
Wait to import final user accounts. Limit accounts to test accounts so you minimize the user-specific network information (such as home folder location) that you must change after the move.
After you move the server, you can change its IP address in the Network pane of System Preferences (or use the networksetup tool). You probably will need to manually adjust service and system settings. For more information on how to do this, see Understanding changes to the server IP address or network identity.
Reconfigure the search policy of computers (such as user computers and DHCP servers) that are configured to use the server in its original location.
Configure ACLs as needed. Use ACLs to control who can access share points and their contents.
Protect any account with root or system administrator privileges by following recommended password practices using strong passwords.
Do not use administrator (UNIX admin group) accounts for daily use. Restrict the use of administration privileges by keeping the admin login and password separate from daily use.
Back up critical data on the system regularly, with a copy stored at a secure off-site location. Backup media is of little use in recovery if it is destroyed with the computer during a fire. Test your backup and recovery contingency plans to ensure that recovery actually works.
Review system audit logs regularly and investigate unusual traffic.
Disable services that are not required on your system. A vulnerability that occurs in any service on your system can compromise the entire system. In some cases, the default configuration (out of the box) of a system leads to exploitable vulnerabilities in services that were enabled implicitly. Turning on a service opens up a port that users can access your system from. Although enabling Firewall service helps avoid unauthorized access, an inactive service port remains a vulnerability that an attacker might exploit.
Enable firewall service on servers, especially at the network frontier and DMZ. Your server's firewall is the first line of defense against unauthorized access. Consider also a third-party hardware firewall as an additional line of defense if your server is highly prone to attack. If needed, install a local firewall on critical or sensitive servers. Implementing a local firewall protects the system from an attack that might originate in the organization's network or from the Internet.
For additional protection, implement a local Virtual Private Network (VPN) that provides a secure encrypted tunnel for communication between a client computer and your server application. Some network devices provide a combination of functions: firewall, intrusion detection, and VPN.
Administer servers remotely. Manage your servers remotely using applications like Server app, Server Admin, Server Monitor, RAID Admin, and Apple Remote Desktop. Minimizing physical access to the systems reduces the possibility of mischief.
Use secure passwords. Many applications and services require that you create passwords to authenticate. Mac OS X includes applications that help create complex passwords (using Password Assistant), and securely store your passwords (using Keychain Access).
Server monitoring
Use server status notification in Server Admin
Other monitoring help topics
Using remote kernel core dumps
About Simple Network Management Protocol (SNMP)
About Logging
About notification and event monitoring daemons
View running daemons

Planning a monitoring policy

Gathering data about your systems is a basic function of good administration. Different types of data-gathering are used for different purposes:

Historical data collection
Historical data is gathered for analysis. This could be used for IT planning, budgeting, and getting a baseline for normal server conditions and operations.
What kinds of data do you need for these purposes?
How long does it need to be kept?
How often does it need to be updated?
How far in the past does it need to be collected?

Real-time monitoring
Real-time monitoring is for alerts and detecting problems as they happen.
What are you monitoring? How often?
Does that data tell you what you need to know?
Are some of these real-time collections for historical purposes?

Debugging
Recurring problems can be analyzed and fixed if properly tracked. Even if you don't control the source code, good debugging logs and data can increase the ability of the developer to address your issues.
How can you capture what is going wrong? How often?
Does that data tell you what you need to know?
Are they problems you can fix on your end, or do you need vendor support?

Planning monitoring response

The response to your monitoring is as important as the data collection. In the same way a backup policy is pointless without a restore strategy, a monitoring policy makes little sense without a response policy. Several factors can be considered for a monitoring response:
What are the relevant response methods? In other words, how will the response take place?
What is the time to response? What is an acceptable interval between failure and response?
What are the scaling considerations? Can the response plan work with all expected (and even unexpected) frequencies of failure?
Is there testing of the monitoring systems in place? How do you know the monitoring policy is catching the data you need, and how do you know the responses are timely and appropriate? Have you tested the monitoring system recently?
In the Server sidebar, look for a green status indicator next to each service icon. A service with a status indicator is turned on and operating normally. A service without an indicator is turned off.
1. In the Server app sidebar, select the server by name, and then click Overview.
2. To see more information about the startup disk and any other disks connected to the server, click the arrow next to the startup disk name. You'll see the Storage pane, which highlights the startup disk in the list of available disks.
Choose a type of activity and a time period from the pop-up menus.
Processor Usage: Monitor the workload of the server's processor or processors.
Memory Usage: See how much memory the server has been using.
Network Traffic: Track how much incoming and outgoing data the server transfers over the network.
You can also monitor server activity by using the Server Status widget on the server or on another computer. For information, see Use the Server Status widget.
If the server has a display, you can use Activity Monitor (in the Utilities folder in Launchpad) on the server. Activity Monitor shows the processes and applications currently open on the computer. You can use Activity Monitor to monitor short-term processor workload, disk activity, and network activity. For information, see Activity Monitor Help.
Select Alerts in the Server sidebar, and then choose Clear All from the Action pop-up menu.
1. Select Alerts in the Server sidebar.
2. Choose Configure Email Addresses from the Action pop-up menu.
3. Enter the email address you want alerts sent to, or enter multiple email addresses separated by commas.
1. Open Dashboard, and look for the Server Status widget. You can open Dashboard by clicking its icon in Launchpad or pressing its keyboard shortcut, which is usually the F12 key. If you don't see the Server Status widget in Dashboard, click Dashboard's Open button (+), and then click or drag the Server Status widget from the widget bar. You can use multiple Server Status widgets to see more than one aspect of a server's status at once or to monitor other servers on the network. For more information, search Mac Help for Dashboard and widgets.
2. If you see the Server, User Name, and Password fields, enter the server's DNS name or IP address followed by an administrator name and password, and then click Done.
3. When the Server Status widget is connected to a server, it displays a graph and other status information about the server and its services. You can:
Monitor processor usage, network load, or disk usage by clicking an icon below the graph.
Change the processor or network graph's time period to one hour, day, or week by clicking the graph.
If your server has more than one disk, view the status of each disk in turn by clicking the disk usage graph.
Check the status indicator and activity statistics for the listed services. A green indicator means the service is running.
Connect to a different server by moving the mouse to the upper-left corner of the widget and clicking the Info button (i).
Backup policy
All storage systems can fail eventually. Whether through equipment wear and tear, accident, or disaster, your data and configuration settings are vulnerable to loss. You should have a backup plan in place to prevent or minimize your data loss. For an expanded introduction, see About backup and restore policies.
Backup strategies
There are many types of backup files, and within each type are many formats and methods. Each backup type serves a unique purpose and has its own considerations. These backup types are not mutually exclusive. They exemplify different approaches to copying data for backup purposes. For example, Time Machine uses a full file-level copy as a base backup; then it uses incremental backups to create snapshots of a computer's data on a given day.

Full images
Full images are byte-level copies of data. They capture the state of the hard disk down to the most basic storage unit. These backups also keep copies of the disk filesystem and the unused or erased portion of the disk in question. They can be used for forensic study of the source disk medium. Such detail often makes file restoration unwieldy. Full image backups are often compressed and are only decompressed to restore the entire file set.

Full file-level copies
Full file-level copies are backups that are kept as duplicates. They do not capture the finest detail of unused portions of the source disk, but they do provide a full record of the files as they existed at the time of backup. If a file changes, the next full file-level backup copies the entire data set in addition to the file that changed.

Incremental backups
Incremental backups start with file-level copies, but they only copy files changed since the last backup. This saves storage space and captures changes as they happen.

Snapshots
Snapshots are copies of data as it was in the past. You can make snapshots from collections of files, or more often from links to other files in a backup file set. Snapshots are useful for making backups of volatile data (data that changes quickly), like databases in use or mail servers sending and receiving mail.
Backup media
Several factors help you determine what type of backup media to choose.

Cost
Use cost per GB to determine what media to choose. For example, if your storage needs are limited, you can justify a higher cost per GB, but if you need a large amount of storage, cost becomes a big factor in your decision. One of the most cost-effective storage solutions is a hard disk RAID. It provides a low cost per GB, and it doesn't require the special handling needed by other cost-effective storage types, such as tape drives.

Capacity
If you back up only a small amount of data, low-capacity storage media can do the job. But to back up large amounts of data, use high-capacity devices, such as a RAID.

Speed
When your goal is to keep your server available most of the time, restoration speed becomes a big factor in deciding which media to choose. Tape backup systems can be very cost effective, but they are much slower than RAID.

Reliability
Successful restoration is the goal of a good backup strategy. If you can't restore lost data, the effort and cost you spent in backing up data is wasted and the availability of your services is compromised. Therefore, it's important that you choose highly reliable media to prevent data loss. For example, tapes are more reliable than hard disks because they don't contain moving parts.

Archive life
You never know when you'll need your backed up data. Therefore, choose media that is designed to last for a long time. Dust, humidity, and other factors can damage storage media and result in data loss.
Backup scheduling
Backing up files requires time and resources. Before deciding on a backup plan, consider the following questions:
How much data will be backed up?
How much time will the backup take?
When does the backup need to happen?
What else is the computer doing during that time?
What sort of resource allocation is necessary? For example, how much network bandwidth is necessary to accommodate the load? How much space on backup drives, or how many backup tapes, are required? What sort of drain on computing resources will occur during backup?
What personnel are necessary for the backup?
Different kinds of backup require different answers to these questions. For example, an incremental file copy might take less time and copy less data than a full file copy (because only a fraction of any given data set will have changed since the last backup). Therefore an incremental backup might be scheduled during a normal use period because the impact to users and systems may be very low. However, a full image backup might have a very strong impact on users and systems if done during the normal use period.
Backup verification
You should have a strategy for regularly conducting test restorations. Some third-party software providers support this functionality. However, if you're using your own backup solution, develop the necessary test procedures.
Data restoration
No backup policy or solution is complete without accompanying plans for data restoration. Depending on what is being restored, you may have different practices and procedures. For example, your organization may have specific tolerances for how long critical systems can be out of use while the data is restored. Consider the following questions:
How long will it take to restore data at each level of granularity? For example, how long will a deleted file or email take to restore? How long will a full hard disk image take to restore? How long would it take to return the whole network to its state three days ago?
What process is most effective for each type of restore? For example, why would you roll back the entire server for a single lost file?
How much administrator action is necessary for each type of restore? How much automation must be developed to best use administrators' time?
Under what circumstances are restores initiated? Who and what can start a restore and for what reasons?
Restore practices and procedures must be tested regularly. A backup data set that does not restore correctly cannot be considered a trustworthy backup. Backup integrity is measured by restore fidelity.
You may improve the performance of a portable computer by turning off Time Machine local snapshots. If your server is a portable computer, Time Machine may use the internal disk to store local snapshots of files that have changed. Storing these local snapshots may degrade server performance. You can turn off saving of local snapshots by using the tmutil command-line tool.
Open Terminal (located in the Utilities folder in Launchpad), and enter:

$ sudo tmutil disablelocal
Until the server's host name matches the name registered with the DNS service provider, several services will not function. Changing your host name can have significant unintended consequences, depending on the services your server provides. For information on the effects of changing the host name, see Understanding IP address or network identity changes on infrastructure services.

Note: If you choose not to use Server App to change the host name, the changeip command-line tool is still available, but not recommended.
Use Server App to change the server's host name. See Find or change your server's host name.

If you choose not to use Server App, use scutil to change the host name:

sudo scutil --set (ComputerName|LocalHostName|HostName) <NewName.domain.tld>

Use scutil to change the computer name and local hostname:

sudo scutil --set ComputerName <newComputerName>
sudo scutil --set LocalHostName <newLocalHostName>
DHCP
If your organization has more clients than IP addresses, you can benefit from using Dynamic Host Configuration Protocol (DHCP) service. IP addresses are assigned as needed, and when they're not needed, they can be used by other clients. You can use a combination of static and dynamic IP addresses for your network.

DHCP service lets you administer and distribute IP addresses to computers from your server. When you configure the DHCP server, you assign a block of IP addresses that can be made available to clients. Each time a computer configured to use DHCP starts up, it looks for a DHCP server on your network. If it finds a DHCP server, the client computer then requests an IP address. The DHCP server checks for an available IP address and sends it to the computer with a lease period (the length of time the client computer can use the address) and configuration information.

Organizations can benefit from the features of DHCP service, such as the ability to set Domain Name System (DNS) and Lightweight Directory Access Protocol (LDAP) options for computers without needing to configure each client. You can use the DHCP module in Server Admin to:
Configure and administer DHCP service
Create and administer subnets
Configure DNS, LDAP, and Windows Internet Naming Service (WINS) options for client computers
View DHCP address leases

Creating subnets
Subnets are groupings of computers on a network that simplify administration. You can organize subnets any way that is useful to you. For example, you can create subnets for groups in your organization or for floors of a building. After you group computers into subnets, you can configure options for all computers on a subnet at one time instead of setting options for individual computers. Each subnet needs a way to connect to other subnets. A hardware device called a router typically connects subnets.

Assigning IP addresses dynamically
With dynamic address allocation, an IP address is assigned for a limited period of time (the lease time) or until the computer doesn't need the IP address, whichever comes first. By using short leases, DHCP can reassign IP addresses on networks that have more computers than IP addresses. Leases are renewed if the address isn't needed by another computer. Addresses allocated to VPN clients are distributed much like DHCP addresses, but they don't come out of the same range of addresses as DHCP. If you plan on using VPN, leave some addresses unallocated by DHCP for use by VPN.

Using static IP addresses
Static IP addresses are assigned to a computer or device once and then don't change. You can assign static IP addresses to computers that must have a continuous Internet presence, such as web servers. Other devices that must be continuously available to network users, such as printers, can also benefit from static IP addresses. Static IP addresses can be set up manually by entering the IP address on the computer (or other device) that is assigned the address, or by configuring DHCP to provide the same address to a specific computer or device on each request. Manually configured static IP addresses avoid potential issues that some services can have with DHCP-assigned addresses, and they don't suffer from the delay that DHCP requires to assign an address. DHCP-assigned addresses permit address configuration changes at the DHCP server rather than at each client. Don't include manually assigned static IP address ranges in the range distributed by DHCP. You can set up DHCP to always serve the same address to the same computer. For more information, see Use DHCP to assign static IP addresses.

Locating the DHCP server
When a computer looks for a DHCP server, it broadcasts a message. If your DHCP server is on a different subnet from the computer, make sure the routers that connect your subnets can forward client broadcasts and DHCP server responses. A relay agent or router on your network that can relay BootP communications works for DHCP. If you don't have a means to relay BootP communications, place the DHCP server on the same subnet as your client.

Interacting with other DHCP servers
You might already have DHCP servers on your network, such as AirPort Base Stations. Lion Server can coexist with other DHCP servers as long as each DHCP server uses a unique pool of IP addresses. If AirPort Base Stations are on separate subnets, configure your routers to forward client broadcasts and DHCP server responses as described in Locating the DHCP server.

Using multiple DHCP servers on a network
You can have multiple DHCP servers on the same network. However, they must be configured properly to prevent interference with each other. Each server needs a unique pool of IP addresses to distribute.

Assigning reserved IP addresses
Some IP addresses can't be assigned, including addresses reserved for loopback and broadcasting. Your ISP won't assign these addresses to you. If you try to configure DHCP to use these addresses, you're warned that the addresses are invalid and you must enter valid addresses.
Set up DHCP
1. Open Server Admin and connect to the server.
2. Click Settings.
3. Click Services.
4. Select the DHCP checkbox.
5. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Click the Add button (+).
6. Enter a descriptive name for the new subnet.
7. Enter a starting and ending IP address for this subnet range. Addresses must be contiguous and they can't overlap other subnet ranges.
8. Enter the subnet mask for the network address range.
9. From the pop-up menu, choose the network interface to host DHCP service.
10. Enter the IP address of the router for this subnet. If the server you're configuring is the router for the subnet, enter this server's internal LAN IP address as the router's address.
11. Define a lease time in hours, days, weeks, or months.
12. If you want to set DNS, LDAP, or WINS information for this subnet, enter these now. For more information, see Set the DNS server for a DHCP subnet, Set LDAP options for a subnet, and Set WINS options for a subnet.
13. Click Save.
14. To enable the subnet, select the Enable checkbox.
15. Click Save.
For information about setting DHCP subnet parameters, see the serveradmin man pages. For information about serveradmin, see its man page.

To create a DHCP subnet:
Note: Include the special first setting (ending with = create). This is how you tell serveradmin to create the settings array with the specified subnet ID.

$ sudo serveradmin settings
dhcp:subnets:_array_id:subnetID = create
dhcp:subnets:_array_id:subnetID:descriptive_name = description
dhcp:subnets:_array_id:subnetID:net_range_start = start-address
dhcp:subnets:_array_id:subnetID:net_range_end = end-address
dhcp:subnets:_array_id:subnetID:net_mask = mask
dhcp:subnets:_array_id:subnetID:selected_port_name = port
dhcp:subnets:_array_id:subnetID:dhcp_router = router
dhcp:subnets:_array_id:subnetID:lease_time_secs = lease-time
dhcp:subnets:_array_id:subnetID:dhcp_enabled = (yes|no)
Control-D

To view DHCP configuration settings:
$ sudo serveradmin settings dhcp
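The range rules above (contiguous addresses, no overlap with another server's pool, no network or broadcast address, a router outside the dynamic pool) are easy to get wrong when a settings block is typed by hand. The following shell script is an added example, not part of Apple's documentation or of serveradmin: it checks a proposed range against those rules and, only if the range passes, prints the settings block in the form `serveradmin settings` reads on standard input. The subnet ID, interface name, addresses and the list of pools already in use are constructed sample values; Server Admin itself uses UUIDs as subnet IDs (as the LDAP example later in this chapter shows), and on a real server you would take the existing pools from `sudo serveradmin settings dhcp`.

```shell
#!/bin/sh
# Added example (not from Apple's documentation): build the serveradmin
# settings block for a new DHCP subnet after checking that the range is sane
# and does not overlap the pools already served.
# Subnet IDs, names and addresses below are constructed sample values.

# ip2int DOTTED-QUAD -> the address as a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Pools already in use, one "start end" pair per line (constructed).
EXISTING_POOLS='192.168.10.50 192.168.10.99
192.168.20.100 192.168.20.199'

# check_range START END MASK ROUTER
# Returns 0 when the pool is ordered, lies inside one subnet of MASK, excludes
# the network and broadcast addresses, does not contain the router and does not
# overlap any pool in EXISTING_POOLS; otherwise prints the reason and returns 1.
check_range() {
    start=$(ip2int "$1"); end=$(ip2int "$2"); mask=$(ip2int "$3"); router=$(ip2int "$4")
    if [ "$start" -gt "$end" ]; then echo "start address is after end address" >&2; return 1; fi
    net=$(( start & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    if [ $(( end & mask )) -ne "$net" ]; then echo "range crosses the subnet boundary" >&2; return 1; fi
    if [ "$start" -eq "$net" ] || [ "$end" -eq "$bcast" ]; then
        echo "range includes the network or broadcast address" >&2; return 1
    fi
    if [ "$router" -ge "$start" ] && [ "$router" -le "$end" ]; then
        echo "router address lies inside the dynamic pool" >&2; return 1
    fi
    while read -r ps pe; do
        [ -z "$ps" ] && continue
        s=$(ip2int "$ps"); e=$(ip2int "$pe")
        if [ "$start" -le "$e" ] && [ "$end" -ge "$s" ]; then
            echo "range overlaps existing pool $ps-$pe" >&2; return 1
        fi
    done <<EOF
$EXISTING_POOLS
EOF
    return 0
}

# emit_subnet ID NAME START END MASK PORT ROUTER LEASE-SECS
# Prints the nine settings lines serveradmin expects, or nothing on a bad range.
emit_subnet() {
    check_range "$3" "$4" "$5" "$7" || return 1
    p="dhcp:subnets:_array_id:$1"
    printf '%s = create\n' "$p"
    printf '%s:descriptive_name = "%s"\n' "$p" "$2"
    printf '%s:net_range_start = "%s"\n' "$p" "$3"
    printf '%s:net_range_end = "%s"\n' "$p" "$4"
    printf '%s:net_mask = "%s"\n' "$p" "$5"
    printf '%s:selected_port_name = "%s"\n' "$p" "$6"
    printf '%s:dhcp_router = "%s"\n' "$p" "$7"
    printf '%s:lease_time_secs = %s\n' "$p" "$8"
    printf '%s:dhcp_enabled = yes\n' "$p"
}

# Usage: review the block, then feed it to the server:
#   emit_subnet ... | sudo serveradmin settings
emit_subnet subnet-lab-2 "Lab VLAN 30" 192.168.30.20 192.168.30.120 255.255.255.0 en0 192.168.30.1 3600
```

Because the script refuses to print anything for a rejected range, piping it straight into `sudo serveradmin settings` cannot half-create a subnet; the reason for the refusal goes to standard error.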
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Settings.
5. From the Log Level pop-up menu, choose the logging option you want.
6. Click Save.
To set up the log detail level:
$ sudo serveradmin settings dhcp:logging_level = value
For information about serveradmin, see its man page.
You start DHCP service to provide IP addresses to users. You must have at least one subnet created and enabled.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click the Start DHCP button (below the Servers list). If the Firewall service is running, a warning appears asking you to verify that all ports used by DHCP are open. Click OK.
The service runs until you stop it. It restarts when your server is restarted.
To start DHCP service:
$ sudo serveradmin start dhcp
For information about serveradmin, see its man page.
DHCP
Manage DHCP
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Stop Now.
To stop DHCP service:
$ sudo serveradmin stop dhcp
For information about serveradmin, see its man page.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. Make your changes. Changes can include adding DNS, LDAP, or WINS information. You can also redefine address ranges or redirect the network interface that responds to DHCP requests.
7. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.
For information about setting DHCP subnet parameters, see the serveradmin man pages. For information about serveradmin, see its man page.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. Click the Delete button (–).
7. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Deselect the Enable checkbox next to the subnet to disable.
6. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. From the Lease Time pop-up menu, choose a time scale (hours, days, weeks, or months).
7. In the Lease Time field, enter a number.
8. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. Click DNS.
7. Enter the primary and secondary name server IP addresses you want DHCP clients to use.
8. Enter the default domain of the subnet.
9. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.
To set DNS options for a subnet:
$ sudo serveradmin settings
dhcp:subnets:_array_id:subnetID:dhcp_domain_name_server:_array_index:0 = dns-server-1
dhcp:subnets:_array_id:subnetID:dhcp_domain_name_server:_array_index:1 = dns-server-2
dhcp:subnets:_array_id:subnetID:dhcp_domain_name = domain
Control-D
For information about serveradmin, see its man page.
to the LDAP server. The order in which the LDAP servers appear in the list determines their search order in the automatic Open Directory search policy. If you are using this Mac server as an LDAP master, LDAP options are populated with the necessary configuration information. If your LDAP master server is another computer, you must know the domain name or IP address of the LDAP database to use, and you must know the LDAP search base.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. Click LDAP.
7. Enter the domain name or IP address of the LDAP server for this subnet.
8. Enter the search base for LDAP searches.
9. If you're using a nonstandard port, enter the LDAP port number.
10. If necessary, select LDAP over SSL. Use this option to secure LDAP communication.
11. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.
To set LDAP options for a subnet:
$ sudo serveradmin settings
dhcp:subnets:_array_id:subnetID:dhcp_ldap_url:_array_index:0 = ldap-server
Control-D
For information about serveradmin, see its man page.
primary and secondary servers (usually the IP address of the DHCP server), and the NetBIOS over TCP/IP (NBT) node type. The following are possible node types:
Hybrid (h-node): Checks the WINS server and then broadcasts.
Peer (p-node): Checks the WINS server for name resolution.
Broadcast (b-node): Broadcasts for name resolution (most commonly used).
Mixed (m-node): Broadcasts for name resolution and then checks the WINS server.
The NetBIOS Datagram Distribution (NBDD) server works with NBNS to route datagrams to computers on another subnet. The NetBIOS Scope ID isolates NetBIOS communication on a network. The NetBIOS Scope ID is appended to the NetBIOS name of the computer. Computers that have the same NetBIOS Scope ID can communicate. NBDD Server and the NetBIOS Scope ID are typically not used, but you might need them depending on your Windows clients' configuration and Windows network infrastructure.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets.
5. Select a subnet.
6. Click WINS.
7. Enter the domain name or IP address of the WINS/NBNS primary and secondary servers for this subnet.
8. Enter the domain name or IP address of the NBDD server for this subnet.
9. From the pop-up menu, choose the NBT node type.
10. Enter the NetBIOS Scope ID.
11. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.
To set WINS options for a subnet:
$ sudo serveradmin settings
dhcp:subnets:_array_id:subnetID:WINS_secondary_server = wins-server-2
dhcp:subnets:_array_id:subnetID:WINS_primary_server = wins-server-1
dhcp:subnets:_array_id:subnetID:WINS_NBDD_server = nbdd-server
dhcp:subnets:_array_id:subnetID:WINS_node_type = node-type
dhcp:subnets:_array_id:subnetID:WINS_scope_id = scope-ID
Control-D
For information about serveradmin, see its man page.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Static Maps.
5. Click Add Computer.
6. Enter the name of the computer.
7. In the Network Interfaces list, click the column to enter the following information:
   MAC address of the computer that needs a static address
   IP address to assign to the computer
8. If your computer has other network interfaces that require static IP addresses, click the Add button (+) and enter the IP address to assign for each interface.
9. Click OK.
10. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.
To create a static map:
$ sudo serveradmin settings
dhcp:static_maps:_array_id:examplehost/mapID = create
dhcp:static_maps:_array_id:examplehost/mapID:ip_address = "1.2.3.4"
dhcp:static_maps:_array_id:examplehost/mapID:name = "examplehost"
dhcp:static_maps:_array_id:examplehost/mapID:en_address = "00:30:a1:a2:a1:23"
Control-D
For information about static map IDs, see the serveradmin man pages. For information about serveradmin, see its man page.
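A static map only does what you expect when the MAC address is written exactly as the client presents it: a transposed digit or a wrong separator produces a mapping that never matches, and the client silently falls back to the dynamic pool. As an added example (not part of Apple's documentation or of serveradmin), the following shell script normalises a MAC address to the lower-case colon form shown above, rejects malformed or multicast addresses and addresses that are already mapped, and only then prints the static map block. The host name, map ID, addresses and the list of existing mappings are constructed sample values.

```shell
#!/bin/sh
# Added example (not from Apple's documentation): build the serveradmin static
# map block for a host after validating the MAC address, so a typo cannot
# silently produce a mapping that never matches the client.
# Host names, map IDs, MACs and addresses below are constructed sample values.

# MACs already mapped on this server (constructed); a real script would read
# them from `serveradmin settings dhcp:static_maps`.
EXISTING_MACS='00:11:22:33:44:55
a8:20:66:01:02:03'

# normalize_mac MAC -> prints the address as six lower-case colon-separated
# octets (accepting "-" separators and upper case); returns 1 when the input
# is malformed or is a multicast/broadcast address, which no client can own.
normalize_mac() {
    m=$(printf '%s' "$1" | tr 'ABCDEF-' 'abcdef:')
    case "$m" in
        ??:??:??:??:??:??) ;;
        *) return 1 ;;
    esac
    case "$m" in
        *[!0-9a-f:]*) return 1 ;;
    esac
    first=${m%%:*}
    # the low bit of the first octet is the group (multicast) bit
    [ $(( 0x$first & 1 )) -eq 0 ] || return 1
    printf '%s\n' "$m"
}

# already_mapped MAC -> 0 if the (normalised) MAC is in EXISTING_MACS.
already_mapped() {
    printf '%s\n' "$EXISTING_MACS" | grep -Fxq -- "$1"
}

# emit_static_map MAPID NAME IP MAC -> the settings block `serveradmin settings`
# reads on stdin, in the key form the documentation shows (name/mapID).
emit_static_map() {
    mac=$(normalize_mac "$4") || { echo "invalid MAC address: $4" >&2; return 1; }
    if already_mapped "$mac"; then
        echo "MAC $mac is already mapped on this server" >&2; return 1
    fi
    p="dhcp:static_maps:_array_id:$2/$1"
    printf '%s = create\n' "$p"
    printf '%s:ip_address = "%s"\n' "$p" "$3"
    printf '%s:name = "%s"\n' "$p" "$2"
    printf '%s:en_address = "%s"\n' "$p" "$mac"
}

# Usage: review the block, then pipe it to the server:
#   emit_static_map map-0001 printer-2 192.168.30.12 00-30-A1-A2-A1-23 | sudo serveradmin settings
emit_static_map map-0001 printer-2 192.168.30.12 00-30-A1-A2-A1-23
```

The duplicate check matters because two static maps for one MAC leave the server to pick whichever it reads first; catching the clash before the settings are applied avoids a hard-to-diagnose "wrong address" report later.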
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Static Maps.
5. Select a mapping to edit or remove.
6. Click Edit or Remove. If you are editing the mapping, make the changes you want, then click OK.
7. Click Save.
If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.
Monitor DHCP
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Overview to view whether the service is running, when it started, the number of static maps, the number of clients connected, and when the last database update occurred.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Log.
5. To search for specific entries, use the Filter field (upper right corner).
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Clients. To sort the list by different criteria, click a column heading.
dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:0 = "lda
dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:1 = "lda
Note: Array indexes start with 0. The old URL entry must be present even though you are adding a second one. The entries must be in order.
3. Use the serveradmin tool to apply the settings from the file by entering:
$ sudo serveradmin settings < filename
Example result (the settings are confirmed):
dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:0 = "lda
dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:1 = "lda
4. If DHCP is running, restart DHCP service so it can pick up the revised configuration by entering:
$ sudo serveradmin stop DHCP
$ sudo serveradmin start DHCP
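Because serveradmin takes the indexed entries you supply as the complete array, the safe way to add a URL is to regenerate the whole array from the current values rather than to type a single new index. The following shell script is an added example, not part of Apple's documentation or of serveradmin: it parses the current dhcp_ldap_url entries from saved `serveradmin settings` output, orders them by index and renumbers them from 0, appends the new URL at the next index, and refuses to add a URL that is already present. The saved output and the LDAP URLs are constructed; the subnet ID is the one used in the example above.

```shell
#!/bin/sh
# Added example (not from Apple's documentation): append an LDAP URL to a
# subnet's dhcp_ldap_url array while keeping every existing entry, in order,
# starting at index 0, as serveradmin requires.
# CURRENT is constructed sample output in the shape `serveradmin settings`
# prints (on a real server: sudo serveradmin settings dhcp:subnets > file).

SUBNET=498D8E6D-88A8-4048-8B3C-14D96F317447
KEY="dhcp:subnets:_array_id:$SUBNET:dhcp_ldap_url"

CURRENT='dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:1 = "ldap://ldap2.example.com/dc=example,dc=com"
dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:0 = "ldap://ldap1.example.com/dc=example,dc=com"'

# current_values -> the existing URLs, one per line, in index order even if the
# saved output lists them out of order.
current_values() {
    printf '%s\n' "$CURRENT" \
      | sed -n "s|^$KEY:_array_index:\([0-9]*\) = \"\(.*\)\"\$|\1 \2|p" \
      | sort -n | cut -d' ' -f2-
}

# append_url NEW-URL -> the complete array (old entries renumbered from 0, the
# new URL last) in the form `serveradmin settings` reads; returns 1 and prints
# nothing on stdout if the URL is already in the array.
append_url() {
    new=$1
    vals=$(current_values)
    if printf '%s\n' "$vals" | grep -Fxq -- "$new"; then
        echo "already present: $new" >&2
        return 1
    fi
    i=0
    while read -r url; do
        [ -z "$url" ] && continue
        printf '%s:_array_index:%d = "%s"\n' "$KEY" "$i" "$url"
        i=$((i + 1))
    done <<EOF
$vals
EOF
    printf '%s:_array_index:%d = "%s"\n' "$KEY" "$i" "$new"
}

# Usage: save the output to a file, review it, then apply it and restart DHCP:
#   append_url "ldap://ldap3.example.com/dc=example,dc=com" > newsettings
#   sudo serveradmin settings < newsettings
append_url "ldap://ldap3.example.com/dc=example,dc=com"
```

Renumbering from 0 also repairs a saved file whose indexes have a gap, which is the other way an array edit can make serveradmin reject or truncate the list.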
DHCP service for Mac OS X clients using DHCP with a manual address
The DHCP section of Server Admin permits each subnet address range to be enabled or disabled. When the subnet is enabled, the DHCP server allocates addresses in its range and dispenses other network information to clients that are configured as "Using DHCP". When the subnet is disabled, the DHCP server does not allocate addresses from the subnet address range pool, but it does dispense other network information (such as DNS and LDAP server addresses) to clients that are configured as "Using DHCP with manual address" (static maps), as long as the client address is in the subnet range. Disabling the subnet turns off automatic address allocation for the address range, but it does not disable DHCP server responses to a client whose address is in the subnet range.
1. Choose Apple > System Preferences and then click Network.
2. From the Services list, select the network connection service for your account (such as Built-in Ethernet).
3. From the Configure pop-up menu, select Using DHCP.
1. Choose Apple > System Preferences and then click Network.
2. From the Services list, select the network connection service for your account (such as Built-in Ethernet).
3. From the Configure pop-up menu, choose one of the following methods:
   Manually: enter the IP address, subnet mask, router, and DNS information in the relevant fields.
   Using DHCP with manual address: enter the IP address and DNS information in the relevant fields.
If your DHCP server is using static mapping, configure client computers to use DHCP. When your client computers connect to your network they will always obtain the same IP address. The static mapping uses the MAC address of the client computer to determine the IP address the client is assigned.
RADIUS
About RADIUS
Wireless networking gives companies greater network flexibility, seamlessly connecting laptop users to the network and giving them the freedom to move within the company while staying connected to the network. You use RADIUS to authorize Open Directory users and groups so they can access AirPort Base Stations on a network. By configuring RADIUS and Open Directory you can control who has access to your wireless network. RADIUS works with Open Directory and Password Server to grant authorized users access to the network through an AirPort Base Station. When a user attempts to access an AirPort Base Station, AirPort communicates with the RADIUS server using Extensible Authentication Protocol (EAP) to authenticate and authorize the user. Users are given access to the network if their user credentials are valid and they are authorized to use the AirPort Base Station. If a user is not authorized, he or she cannot access the network through the AirPort Base Station.
RADIUS
Set Up RADIUS
Enable RADIUS
Before you can configure RADIUS settings, turn on RADIUS service in Server Admin.
1. Open Server Admin and connect to the server.
2. Click Settings, then click Services.
3. Select the RADIUS checkbox.
4. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Overview.
5. Click Configure RADIUS Service.
6. In the RADIUS Server Certificate pane, select one of the following:
   If you select Choose an existing certificate, choose the certificate from the pop-up menu and click Continue.
   If you want to create a self-signed certificate, use Certificate Assistant. For more information, see Server Admin Help.
7. From the Available Base Stations list, select the Base Station you want and click Add.
8. Enter the password of the Base Station in the Base Station Password field, then click Add. To remove a Base Station from the Selected Base Stations list, select it and click Remove.
9. Click Continue.
10. In the RADIUS Allow Users pane, you can restrict user access:
   If you select Allow all users, all users have access to the Base Stations you select.
   If you select Restrict to members of group, only users of a group can access the Base Stations you select.
11. Click Continue.
12. In the RADIUS setting confirmation pane, verify your settings. You can also print or save your RADIUS configuration settings.
13. Click Confirm.
To view RADIUS settings:
$ sudo radiusconfig -appleversion -getconfig -getconfigxml -nascount -naslist -naslistxml -ver -
To configure RADIUS parameters:
$ sudo radiusconfig -setconfig key value [key value ...]

Parameter   Description
key         The name of the key to configure in the radiusd.conf or eap.conf files.
value       The value of the key.

For information about RADIUS server settings, see RADIUS command-line settings. For information about radiusconfig, see its man page.
1. On the management computer, open Server Admin.
2. Click the triangle at the left of the server. The list of services appears.
3. In the expanded Servers list, click RADIUS.
4. Click Base Stations.
5. Below the AirPort Base Stations list, click the Add button (+).
6. Enter the following AirPort Base Station information:
   Name: Specify the name of the AirPort Base Station.
   Type: Specify the model of the AirPort Base Station.
   IP Address: Specify the IP address of the AirPort Base Station.
   Shared Secret and Verify: Specify a shared secret. The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that key management systems use to trust each other. You must enter the shared secret on the server as well as the client.
7. Click Add.
1. On the management computer, open Server Admin.
2. Click the triangle at the left of the server. The list of services appears.
3. In the expanded Servers list, click RADIUS.
4. Click Base Stations.
5. Below the AirPort Base Stations list, click Browse. A list of AirPort Base Stations found through Bonjour appears. It shows all AirPort Base Stations on the server's local subnet and all Wide-Area Bonjour domains known to the server. This includes search domains listed in Network Preferences that have AirPort Base Stations and AirPort Base Stations you added to a MobileMe account as a Back to My Mac (BTMM) enabled server.
6. From the list of AirPort Base Stations, choose an AirPort Base Station to add to your RADIUS server.
7. In the Base station password field, enter the password for the AirPort Base Station.
8. Click Add.
When the base station is added it is configured to use WPA2 Enterprise for client authentication through TTLS. It also sets a random shared secret for communication between the Base Station and RADIUS on the server. The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that key management systems use to trust each other.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Stations list, highlight the AirPort Base Station and then click Edit. If prompted, enter the AirPort administrator password.
6. Click OK.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings.
5. From the RADIUS Certificate pop-up menu, choose a certificate. If you don't have a certificate and want to create one, click Manage Certificates. For more information about creating certificates, see Server Admin Help.
6. Click Save.
To configure RADIUS certificates:
$ sudo radiusconfig -installcerts private-key certificate [trusted-ca-list [yes | no [common-name]]]

Parameter        Description
private-key      The file path to the client's private key to use in the certificate
certificate      The file path to the certificate
trusted-ca-list  The file path to the trusted CA list
yes              A request to check a certificate revocation list
no               A request to not check a certificate revocation list
common-name      The common name

This command changes eap.conf to contain an active TLS section and configures the certificates. This command also replaces the random file and creates the dh file if absent. For information about radiusconfig, see its man page.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings.
5. Select the "Archive radiusd log for the past __ days" checkbox and enter the number of days to archive.
6. Click Save.
To configure the rotation of RADIUS service logs:
$ sudo radiusconfig -rotatelog [-n file-count] base-file
To configure the automatic rotation of RADIUS service logs:
$ sudo radiusconfig -autorotatelog [on | off] [-n file-count]

Parameter   Description
file-count  Specifies the number of log files to preserve.
base-file   Specifies the name of the log file.
on          Enables automatic log rotation.
off         Disables automatic log rotation.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Below the Servers list, click Start RADIUS or Stop RADIUS. The service can take a few seconds to start or stop.
To start the RADIUS server:
$ sudo radiusconfig -start
To stop the RADIUS server:
$ sudo radiusconfig -stop
Option          Description
-appleversion
-getconfig
-getconfigxml   Displays configuration data stored in the radiusd.conf and eap.conf files in xml plist format.
-nascount       Displays the number of RADIUS clients.
-naslist        Displays the list of RADIUS clients formatted for the clients.conf file.
-naslistxml     Displays the list of RADIUS clients in xml plist format.
-ver            Displays a specific build version.
(not recovered) Displays usage information.
-q              Suppresses prompts.
To enable TLS:
$ sudo radiusconfig -enable-tls
To disable TLS:
$ sudo radiusconfig -disable-tls
Manage RADIUS
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Overview to see whether the service is running, the number of client base stations, and when it was started.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Logs.
5. Choose a log to view (radiusconfig or radiusd).
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings, then click Edit Allowed Users.
5. Select "For selected services below", then select RADIUS.
6. Click Services.
7. Select "Allow only users and groups below".
8. Click the Add button (+).
9. From the Users & Groups window, drag users or groups to the "Allow only users and groups below" list. If you don't see a recently created user, click the Refresh button (below the Servers list). If you want to remove users from the "Allow only users and groups below" list, select the users or user groups and click the Delete button (–).
Only users in the list can use RADIUS service.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Station list, highlight a Base Station and click Remove.
6. Verify you want to remove the Base Station by clicking Remove again.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Station list, highlight the Base Station to modify and click the Edit button.
6. Modify the Base Station information and click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Station list, highlight the base station.
6. Click Save Internet Connect File.
7. In the Save As field, enter the name.
8. From the Where pop-up menu, choose the location to save the file.
9. In the Wireless Network Name (SSID) field, enter the wireless network name.
10. Click Save.
To add RADIUS clients:
$ sudo radiusconfig -addclient nas-name shortname [type]
To import RADIUS clients:
$ sudo radiusconfig -importclients xml-plist-file
To remove RADIUS clients:
$ sudo radiusconfig -removeclient nas-name [nas-name ...]
To assign an access control group to a client of the RADIUS service:
$ sudo radiusconfig -setgroup nas-name group-name

Parameter       Description
nas-name        The name of the client
shortname       The shortname of the client
type            (Optional) The type of the client
xml-plist-file  The name of the file, including the path, to import clients from
group-name      The name of the access control group
1. Verify that an .ssh folder exists in your home folder by entering the command:
   ls -ld ~/.ssh
   If .ssh is listed in the output, move to step 2. If .ssh is not listed in the output, run mkdir -m 700 ~/.ssh and continue to step 2.
2. Change directories in the shell to the hidden .ssh directory by entering the following command:
   cd ~/.ssh
3. Generate the public and private keys by entering the following command:
   ssh-keygen -b 1024 -t rsa -f id_rsa -P ''
   The -b flag sets the length of the keys to 1,024 bits, -t selects the RSA key algorithm, -f sets the file name as id_rsa, and -P followed by two single-quote marks sets the private key password to be null. The null private key password allows for automated SSH connections. Keys are equivalent to passwords, so keep them private and protected.
4. Copy the public key into the authorized key file by entering the following command:
   cat id_rsa.pub >> authorized_keys2
5. Set the permissions on the private key so the file can only be read or changed by the owner:
   chmod go-rwx ~/.ssh/id_rsa
6. Copy the public key and the authorized key lists to the specified user's home folder on the remote computer by entering the following command:
   scp authorized_keys2 username@remotemachine:~/.ssh/
To establish two-way communication between servers, repeat this process on the second computer.
The following Perl script is a trivial scripting example that should not be implemented, but it demonstrates connecting over an SSH tunnel to servers defined in the variable serverList, running softwareupdate, installing available updates, and restarting the computer if necessary. The script assumes that key-based SSH was set up for an admin user on all servers to be updated.

#!/usr/bin/perl
use strict;
use warnings;

# Inside single quotes "@" needs no escaping; inside double quotes write "\@".
my @serverList = ('admin@exampleserver1.example.com', 'admin@exampleserver2.example.com');

foreach my $server (@serverList) {
    # Run softwareupdate on the remote server over the key-based SSH connection;
    # batchmode=yes makes ssh fail instead of prompting for a password.
    open(my $sbuff, '-|', "ssh $server -x -o batchmode=yes 'softwareupdate -i -a'")
        or die "cannot run ssh to $server: $!";
    my $flag = 0;    # set when the update output asks for a restart
    while (my $line = <$sbuff>) {
        chomp($line);
        # check for the restart text in the softwareupdate output
        $flag = 1 if $line =~ /Please restart immediately/;
    }
    close($sbuff);
    # restart the server only when an installed update asked for it
    if ($flag) {
        system("ssh $server -x -o batchmode=yes 'shutdown -r now'");
    }
}
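Step 5 of the procedure protects only the private key, and nothing in the procedure re-checks the directory afterwards; sshd refuses a world-writable authorized_keys file when StrictModes is on, and ssh refuses a private key readable by others. The following shell script is an added example, not part of Apple's documentation: it audits an .ssh directory for the modes the procedure is meant to produce (700 on the directory, 600 or 400 on private keys, no group or world write bit on public keys, authorized_keys2, known_hosts or config) and lists anything that deviates. It uses GNU stat on Linux and falls back to the BSD stat found on Mac OS X; file-name conventions are assumed, and any file not recognised as a public file is treated as a private key.

```shell
#!/bin/sh
# Added example (not from Apple's documentation): audit an .ssh directory after
# the key set-up above. Keys are equivalent to passwords, so the directory must
# be 700, private keys 600 (or 400), and public files must not be writable by
# group or others. Exit status 0 means clean; each problem is printed and the
# status is 1.

# mode_of PATH -> octal permission bits, e.g. 700, using GNU stat where present
# and BSD/Mac OS X stat otherwise.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_ssh_dir DIR -> 0 if every permission is acceptable, 1 otherwise.
audit_ssh_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: missing"
        return 1
    fi
    m=$(mode_of "$dir")
    [ "$m" = "700" ] || { echo "$dir: mode $m, expected 700"; rc=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        case "$(basename "$f")" in
            *.pub|authorized_keys*|known_hosts*|config)
                # public material: the group and other digits must have no write bit (2)
                case "$m" in
                    ?[0145][0145]) ;;
                    *) echo "$f: mode $m is group or world writable"; rc=1 ;;
                esac ;;
            *)
                # anything else is assumed to be a private key (assumption)
                case "$m" in
                    600|400) ;;
                    *) echo "$f: private key mode $m, expected 600"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Usage: sh ssh_perms_audit.sh ~/.ssh   (the directory is given as the argument)
if [ -n "$1" ]; then
    audit_ssh_dir "$1"
fi
```

Running the audit on both computers after step 6 catches the common failure of this procedure: scp creates authorized_keys2 with the remote umask, which on a loosely configured account can leave it group-writable and silently disable key-based logins.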
DNS
DNS
DNS zones
Zones are the basic organizational unit of DNS. Zones contain records and are defined by how they acquire those records and how they respond to DNS requests. There are three basic zones:
Primary
Secondary
Forward
Other kinds of zones are not covered here.

Primary zones
A primary zone has the master copy of the zone's records and provides authoritative answers to lookup requests.

Secondary zones
A secondary zone is a copy of a primary zone and is stored on a secondary name server. It has the following characteristics:
Each secondary zone has a list of primary servers that it contacts for updates to records in the primary zone. Secondaries must be configured to request the copy of the primary zone data.
Secondary zones use zone transfers to get copies of the primary zone data.
Secondary name servers can take lookup requests like primary servers.
By using several secondary zones linked to one primary, you can distribute DNS query loads across several computers and make sure lookup requests are answered if the primary name server is down.
Secondary zones also have a refresh interval. This interval determines how often the secondary zone checks for changes from the primary zone. You can change the zone refresh interval by using the BIND configuration file. For more information, see www.isc.org/sw/bind.

Forward zones
A forward zone directs lookup requests for that zone to other DNS servers. Forward zones don't do zone transfers. Often, forward zone servers are used to provide DNS service to a private network behind a firewall. In this case, the DNS server must have access to the Internet and a DNS server outside the firewall. Forward zones also cache responses to queries they pass on. This can improve the performance of lookups by clients that use the forward zone. Server Admin does not support creation or modification of a forward zone. To create a forward zone, you must configure BIND manually at the command line. For details, see the BIND documentation.
canonical name of MailSrv473.apple.com.
Mail Exchanger (MX): Stores the domain name of the computer used for mail in a zone.
Name Server (NS): Stores the authoritative name server for a zone.
Pointer (PTR): Stores the domain name of an IP address (reverse lookup).
Text (TXT): Stores a text string as a response to a DNS query.
Service (SRV): Stores information about the services a computer provides.
Hardware Info (HINFO): Stores information about a computer's hardware and software.

Lion Server simplifies the creation of these records by focusing on the computer being added to the zone, rather than the records. When you add a computer record to a zone, Lion Server creates the zone records that resolve to a computer address. With this model, you can focus on what your computers do in your domain, rather than which record types apply to their functions. If you need access to other kinds of records, you must edit the BIND configuration files manually. For details, see www.isc.org/sw/bind.
After a name server is provided with the name/address pair of a host in another domain (outside the domain it serves), the information is cached, ensuring that IP addresses for recently resolved names are stored for later use. DNS information is usually cached on your name server for a set time, referred to as a time-to-live (TTL) value. When the TTL value for a domain name/IP address pair has expired, the entry is deleted from the name server's cache and your server requests the information as needed.
controls { inet 127.0.0.1 port 54 allow {any;} keys { "rndc-key"; }; }; Important: In Mac OS X Server v10.6 or later, the configuration and zone files used by Server Admin have changed. If you edit named.conf and zone files manually from Terminal, the information is used by DNS. However, the information does not appear in the DNS zones pane of Server Admin. Also, changes made in Server Admin are not made to named.conf. Turn DNS service on Before configuring DNS s ervice, turn on DNS. See Turn on DNS service. Create a DNS zone and add machine records Use Server Admin to set up DNS zones. See Configure DNS service primary zone s ettings . After adding a primary zone, Server Admin creates a name server record with the same name as the Source of Authority (SOA). For each zone you create, Mac OS X Server creates a reverse lookup zone. Reverse lookup zones trans late IP addresses to domain names. (Compare with normal lookups, which translate domain names to IP addresses.) Use Server Admin to add records to your zone. Create an Address record for every computer or device (such as a printer or file server) that has a static IP address and needs a name. Various DNS zone records are created from DNS machine entries. Configure secondary zones If necess ary, use Server Admin to configure s econdary zones. See Configure DNS service secondary zone settings. Configure Bonjour Use Server Admin to configure Bonjour settings. See Configure DNS s ervice Bonjour s ettings. Configure logging Use Server Admin to specify the information that gets logged by DNS s ervice and to s pecify the location of the log file. See Change DNS log detail levels. (Optional) Set up a mail exchange (MX) record If you provide mail s ervice over the Internet, set up an MX record for your server. See Configure DNS for Mail s ervice. Configure your firewall Configure your firewall to make sure DNS s ervice is protected from attack and accessible to your clients. See Defend against server mining. 
Start DNS service
Lion Server includes a simple interface for starting and stopping DNS service. See Start DNS service.
Set up DNS
1. Open Server Admin and connect to the server.
2. Click Settings.
3. Click Services.
4. Select the DNS checkbox.
5. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Click Add Zone, then choose Add Primary Zone (Master).
6. Select the new zone.
7. In the Primary Zone Name field, enter the zone name. This is the domain name of the primary server.
8. Enter the mail address of the zone's administrator.
9. Select Allows zone transfer to permit secondary zones to get copies of the primary zone data.
10. Add name servers for this zone by clicking the Add button (+) and entering the name in the Name Servers field.
11. Add mail exchangers for this zone by clicking the Add button (+) and entering the name in the Mail Exchangers field. This field is the basis for the computer's MX record.
12. In the Priority field, specify a mail server precedence number. Delivering mail servers try to deliver mail to lower-numbered mail servers first.
13. Click Expiration and enter the number of hours for each setting:
    Enter the amount of time the zone is valid. This is the zone's time to live (TTL) value. It determines how long query response information can remain cached in remote DNS systems before requerying the authoritative server.
    Enter the interval of time that the secondary zones should refresh from the primary zone.
    Enter the interval of time between each retry if the refresh of the secondary zone fails.
    Enter the amount of time after refreshing before the zone data expires.
14. Click Add Record, then choose Add Alias (CNAME). To see a list of records for a zone, click the triangle at the left of the zone.
15. Select newAlias listed under the primary zone. You can add as many aliases as you want.
16. In the Alias Name field, enter the alternate name for your computer. To use the fully qualified name for the alias, select the Fully Qualified checkbox and enter the fully qualified domain name. This field is the basis for CNAME records of the computer. Reverse lookup pointer records are created for the computer.
17. In the Destination field, enter the computer name you are creating the alias for. To use the fully qualified name for the destination, select the Fully Qualified checkbox and enter the fully qualified domain name.
18. Click Add Record, then choose Add Machine (A).
19. Under the primary zone, select newMachine, then enter the following machine information:
    In the Machine Name field, enter the hostname of the computer. This field is the basis for the A record of the computer. Reverse lookup pointer records are created for the computer.
    Click the Add button (+), then enter the IP address of the computer.
    Enter information about the hardware and software of the computer in the relevant text boxes. These are the basis for the HINFO record of the computer.
    Enter comments about the computer in the Comments text box. This field is the basis for the TXT record of the computer. You can store almost any text string in the comments text box, up to 255 ASCII characters. For example, you can include the physical location of the computer (Upstairs server closet B), the computer's owner (John's Computer), or any other information about the computer.
20. Click Add Record, then choose Add Service (SRV). The DNS SRV record is an entry that informs client computers that a service is on a domain. These records help computers locate a service on a domain. For more information, see Add a service record to a DNS zone.
21. Under the primary zone, select a service type and enter the service information.
22. Click Save.
1. Make sure the primary server is correctly configured and that zone transfers are enabled on the primary server; then open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Click Add Zone, then choose Add Secondary Zone (Slave).
6. Select the new zone.
7. In the Secondary Zone Name field, enter a zone name. The zone name is the same as the primary zone defined on the primary name server.
8. Below the Primary DNS Servers list, click the Add button (+).
9. Enter the IP addresses for each primary server in this secondary zone.
10. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Bonjour.
5. Select the "Enable automatic client Bonjour browsing for domain" checkbox and enter the fully qualified domain name (FQDN) of the domain used for Bonjour browsing (for example, bonjour.company.com). This sets a default Bonjour browsing domain for primary zones.
6. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Settings.
5. From the Log Level pop-up menu, choose the detail level as follows:
    Choose Critical to record only critical errors, such as hardware errors.
    Choose Error to record errors, not including warning messages.
    Choose Warning to record warnings and errors.
    Choose Notice to record only important messages, warnings, and errors.
    Choose Information to record most messages.
    Choose Debug to record all messages.
    The log location is /Library/Logs/named.log.
6. Below the "Accept recursive queries from the following networks" list, click the Add button (+) to add networks that recursive queries are accepted from, then enter the network address in the list.
7. Below the Forwarder IP Addresses list, click the Add button (+) to add networks that unauthorized queries get forwarded to, then enter the network address in the list.
8. Click Save.
To view a setting:
$ sudo serveradmin settings dns:setting

To view a group of settings:
$ sudo serveradmin settings dns:zone:_array_id:localhost:*

Enter as much of the name as you want, stopping at a colon (:), and then enter an asterisk (*) as a wildcard for the remaining parts of the name.

To view all service configuration settings:
$ sudo serveradmin settings dns

To modify your server's DNS configuration, use serveradmin. However, it is more straightforward to work with DNS and BIND using the standard tools and techniques described in the many books on the subject. (For an example, see DNS and BIND by Paul Albitz and Cricket Liu.)
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Start DNS (below the Servers list).
To start the service:
$ sudo serveradmin start dns

For information about serveradmin, see its man page.
Manage DNS
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Overview to see whether the service is running, when it was started, and the number of zones allocated.
5. Click Log to review the service log. Use the Filter field above the log to search for specific entries.
To see summary status of the service:
$ sudo serveradmin status dns

To see detailed status of the service:
$ sudo serveradmin fullstatus dns
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Log and use the Filter field above the log to search for specific entries.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Settings.
5. Choose the detail level from the Log Level pop-up menu as follows:
    Choose Critical to record only critical errors, such as hardware errors.
    Choose Error to record errors, not including warning messages.
    Choose Warning to record warnings and errors.
    Choose Notice to record only important messages, warnings, and errors.
    Choose Information to record most messages.
    Choose Debug to record all messages.
6. Click Save.
Enter the following from the command line in Terminal:
$ sudo serveradmin command dns:command = getStatistics

The computer responds with output similar to the following:
dns:queriesArray:_array_index:0:name = "NS_QUERIES"
dns:queriesArray:_array_index:0:value = -1
dns:queriesArray:_array_index:1:name = "A_QUERIES"
dns:queriesArray:_array_index:1:value = -1
dns:queriesArray:_array_index:2:name = "CNAME_QUERIES"
dns:queriesArray:_array_index:2:value = -1
dns:queriesArray:_array_index:3:name = "PTR_QUERIES"
dns:queriesArray:_array_index:3:value = -1
dns:queriesArray:_array_index:4:name = "MX_QUERIES"
dns:queriesArray:_array_index:4:value = -1
dns:queriesArray:_array_index:5:name = "SOA_QUERIES"
dns:queriesArray:_array_index:5:value = -1
dns:queriesArray:_array_index:6:name = "TXT_QUERIES"
dns:queriesArray:_array_index:6:value = -1
dns:nxdomain = 0
dns:nxrrset = 0
dns:reloadedTime = ""
dns:success = 0
dns:failure = 0
dns:recursion = 0
dns:startedTime = "2003-09-10 11:24:03 -0700"
dns:referral = 0

For information about serveradmin, see its man page.
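An added Python example (not part of the Apple documentation) that parses this key = value output into nested dictionaries and lists and pulls out the per-type query counters, so the statistics can be collected by a monitoring script. The sample text is the getStatistics output shown above; treating a value of -1 as "not reported" is an assumption, since the page does not define it.

```python
from typing import Any, Dict, List

# Sample output taken from the serveradmin getStatistics listing above.
SAMPLE_OUTPUT = """\
dns:queriesArray:_array_index:0:name = "NS_QUERIES"
dns:queriesArray:_array_index:0:value = -1
dns:queriesArray:_array_index:1:name = "A_QUERIES"
dns:queriesArray:_array_index:1:value = -1
dns:queriesArray:_array_index:2:name = "CNAME_QUERIES"
dns:queriesArray:_array_index:2:value = -1
dns:queriesArray:_array_index:3:name = "PTR_QUERIES"
dns:queriesArray:_array_index:3:value = -1
dns:queriesArray:_array_index:4:name = "MX_QUERIES"
dns:queriesArray:_array_index:4:value = -1
dns:queriesArray:_array_index:5:name = "SOA_QUERIES"
dns:queriesArray:_array_index:5:value = -1
dns:queriesArray:_array_index:6:name = "TXT_QUERIES"
dns:queriesArray:_array_index:6:value = -1
dns:nxdomain = 0
dns:nxrrset = 0
dns:reloadedTime = ""
dns:success = 0
dns:failure = 0
dns:recursion = 0
dns:startedTime = "2003-09-10 11:24:03 -0700"
dns:referral = 0
"""


def _parse_value(raw: str) -> Any:
    """Quoted strings lose their quotes; bare integers become int; anything else stays text."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def _assign(root: Dict[str, Any], parts: List[str], value: Any) -> None:
    """Walk a colon-separated key path; 'name:_array_index:N' becomes slot N of list 'name'."""
    node = root
    i = 0
    while i < len(parts) - 1:
        name = parts[i]
        if i + 2 < len(parts) and parts[i + 1] == "_array_index":
            idx = int(parts[i + 2])
            lst = node.setdefault(name, [])
            while len(lst) <= idx:          # serveradmin emits indexes in order, but be safe
                lst.append({})
            node = lst[idx]
            i += 3
        else:
            node = node.setdefault(name, {})
            i += 1
    node[parts[-1]] = value


def parse_serveradmin(text: str) -> Dict[str, Any]:
    """Turn serveradmin 'key = value' lines into nested dicts/lists."""
    root: Dict[str, Any] = {}
    for line in text.splitlines():
        if " = " not in line:
            continue                        # blank lines or trailing prose
        key, raw = line.split(" = ", 1)
        _assign(root, key.strip().split(":"), _parse_value(raw))
    return root


def query_counters(stats: Dict[str, Any]) -> Dict[str, Any]:
    """Map counter name -> value; -1 is taken to mean 'not reported' (assumption) and becomes None."""
    counters = {}
    for entry in stats.get("dns", {}).get("queriesArray", []):
        value = entry.get("value")
        counters[entry["name"]] = None if value == -1 else value
    return counters


if __name__ == "__main__":
    parsed = parse_serveradmin(SAMPLE_OUTPUT)
    print("started:", parsed["dns"]["startedTime"])
    for name, value in query_counters(parsed).items():
        print(f"{name:14s} {'n/a' if value is None else value}")
```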
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Stop DNS (below the Servers list).
5. Click Stop Now.
To stop the service:
$ sudo serveradmin stop dns

For information about serveradmin, see its man page.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the primary zone to change.
6. Click General.
7. Select or deselect Allows zone transfer to permit secondary zones to get copies of the primary zone data.
8. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Settings.
5. Below the "Accept recursive queries from the following networks" list, click the Add button (+).
6. Enter the IP addresses for the servers that DNS will accept recursive queries from. You can also enter IP address ranges.
7. Click Save.

If you enable recursion, consider disabling it for external IP addresses but enabling it for LAN IP addresses by editing the BIND named.conf file. However, edits you make to named.conf do not show up in the DNS section of Server Admin. To completely disable recursion, remove all entries from the network list. For more information about BIND, see www.isc.org/sw/bind.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Click Add Zone, then choose Add Primary Zone (Master).
6. Select the new zone.
7. In the Primary Zone Name field, enter the zone name. This is the fully qualified domain name of the primary server.
8. Enter the mail address of the zone's administrator.
9. Select Allows zone transfer to permit secondary zones to get copies of the primary zone data.
10. Add name servers for this zone by clicking the Add button (+) and entering the name in the Nameservers field.
11. Add mail exchangers for this zone by clicking the Add button (+) and entering the name in the Mail Exchangers field. This field is the basis for the computer's MX record.
12. In the Priority field, specify a mail server precedence number. Delivering mail servers try to deliver mail to lower-numbered mail servers first.
13. Click Expiration and enter the number of hours for each setting:
    Enter the amount of time the zone is valid. This is the zone's time to live (TTL) setting. It determines how long query response information can remain cached in remote DNS systems before requerying the authoritative server.
    Enter the interval of time that the secondary zones should refresh from the primary zone.
    Enter the interval of time between each retry if the refresh of the secondary zone fails.
    Enter the amount of time after refreshing before the zone data expires.
14. Click Save.
1. Make sure the primary server is correctly configured and that zone transfers are enabled on the primary server.
2. On the secondary server, open Server Admin and connect to the secondary server.
3. Click the triangle at the left of the server. The list of services appears.
4. From the expanded Servers list, select DNS.
5. Click Zones.
6. Click Add Zone, then click Add Secondary Zone (Slave).
7. Select the new zone.
8. In the Secondary Zone Name field, enter a zone name. The zone name is the same as the primary zone defined on the primary name server.
9. Below the Primary Zone Addresses list, click the Add button (+).
10. Enter the IP addresses for each primary server in the secondary zone.
11. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Settings.
5. Below the Forwarder IP Addresses list, click the Add button (+).
6. Enter the IP addresses for the DNS server that will receive forwarded unresolved DNS queries.
7. Click Save.
Change a zone
Use Server Admin to change zone settings. You might need to change the administrator mail address or domain name of a zone.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the zone to change.
6. Change the zone information as needed.
7. Click Save.
Delete a zone
When you delete a zone, all records associated with it are deleted.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the zone to delete.
6. Below the Zones list, click Remove.
7. Click Save.
1. Verify that you have root privileges.
2. Add the zone directive to the BIND configuration file, /etc/named.conf. For example, for zone xyz.com described in zone file db.xyz.com in the working zone folder /var/named/, the zone directive might look like this:

    zone "xyz.com" IN {          // Forward lookup zone for xyz.com
        type master;             // It's a primary zone
        file "db.xyz.com";       // Zone info stored in /var/named/db.xyz.com
        allow-update { none; };
    };

3. Confirm that the zone file is added to the /var/named/ working zone folder.
4. Restart DNS service using Server Admin.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the zone this record is to be added to.
6. Click Add Record, then choose Add Alias (CNAME). This adds the alias record to the zone.
7. Select newAlias listed under the primary zone, then enter the alias information. In the Alias Name field, enter the alternate name for your computer. To use the fully qualified name for the alias, select the Fully Qualified checkbox and enter the fully qualified domain name. This field is the basis for CNAME records of the computer. Reverse lookup pointer records are created for the computer. Add as many aliases as you want.
8. In the Destination field, enter the computer name you are creating the alias for. To use the fully qualified name for the destination, select the Fully Qualified checkbox and enter the fully qualified domain name.
9. Click Save. Add as many aliases as you want by adding additional alias records.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the zone this record is to be added to.
6. Click Add Record, then choose Add Machine (A). This adds the machine record to the zone.
7. Select newMachine listed under the zone, then enter the following machine information:
    In the Machine Name field, enter the hostname of the computer. This field is the basis for the A record of the computer. Reverse lookup pointer records are created for the computer.
    Click the Add button (+), then enter the IP address of the computer.
    Enter information about the hardware and software of the computer in the relevant text boxes. These are the basis for the HINFO record of the computer.
    Enter comments about the computer in the Comment text box. This field is the basis for the TXT record of the computer. You can store up to 255 ASCII characters in the comments text box. You can include the physical location of the computer (for example, Upstairs server closet B), the computer's owner (for example, John's Computer), or other information about the computer.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the zone this record is to be added to.
6. Click Add Record, then choose Add Service (SRV). This adds the service record to the zone.
7. In the Service Name field, enter the well-known name of the service.
8. From the Service Type pop-up menu, select a service type. If the service type for the service you are providing is not listed, enter the name in the Service Type field. The service you are providing should use a syntax similar to _application protocol name._tcp | _udp.
9. In the Host field, enter the DNS name of the server that is providing the service.
10. To use the fully qualified domain name of the domain server, select the Fully Qualified checkbox.
11. In the Port field, enter the port number for the service you are providing. For example, if you are providing http service, use port 80.
12. In the Priority field, enter a priority number. The priority number is used when multiple hosts are configured for the same service. The priority determines which host is tried first.
13. In the Weight field, enter a weight number. The weight number is used as a relative weight for records with the same priority.
14. In the TXT field, enter additional information about the service. This creates a TXT record for the service.
15. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Click the triangle at the left of the zone that has the computer record to be edited. The list of records appears.
6. Select the record to be edited and make changes in the fields below the list.
7. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Click the triangle at the left of the zone that has the computer record to be deleted. The list of records appears.
6. Select the record to be deleted and click Remove below the list.
7. Click Save.
Secure DNS
DNS spoofing
DNS spoofing is adding false data to the DNS server's cache. This enables hackers to:
    Redirect real domain name queries to alternative IP addresses. For example, a falsified A record for a bank could point a computer user's browser to a different IP address that is controlled by the hacker. A duplicate website could fool users into giving their bank account numbers and passwords to the hacker. Also, a falsified mail record could enable a hacker to intercept mail sent to or from a domain. If the hacker then forwards that mail to the correct mail server after copying it, this can go undetected.
    Prevent proper domain name resolution and access to the Internet. This is the most benign of DNS spoof attacks. It merely makes a DNS server appear to be malfunctioning.
The most effective method to guard against these attacks is vigilance. This includes maintaining up-to-date software and auditing DNS records regularly. If exploits are found in the current version of BIND, the exploits are patched and a security update is made available for Lion Server. Apply all such security patches. Regular audits of your DNS records can help prevent these attacks.
To defend against this attack, specify which IP addresses have permission to request zone transfers (your secondary zone servers) and deny all others. Zone transfers are accomplished over TCP on port 53. To limit zone transfers, block zone transfer requests from anyone but your secondary DNS servers. To specify zone transfer IP addresses:

1. Create a firewall filter that permits only IP addresses that are inside your firewall to access TCP port 53.
2. Follow the instructions for configuring firewall rules, using the following settings:
    Packet: Allow
    Port: 53
    Protocol: TCP
    Source IP: the IP address of your secondary DNS server
    Destination IP: the IP address of your primary DNS server
1. Open a command-line text editor (for example, vi, emacs, or pico).
2. Open named.conf for editing.
3. Within the options brackets of the configuration file, add the following:

    version "[your text, maybe 'we're not telling!']";

4. Save named.conf.
options {
    ...
    allow-recursion {
        127.0.0.0/8;
        [your internal IP range of addresses, like 192.168.1.0/27];
    };
};

For more information, see the BIND documentation.
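The three named.conf hardening points in this section (restricting zone transfers to the secondary servers, hiding the version string, and limiting allow-recursion to internal ranges), turned into a check an administrator can run over a configuration file before restarting DNS. This is an added Python example, not Apple's or ISC's code: it parses BIND's brace syntax itself, so no BIND installation is needed; the WEAK_CONF and HARDENED_CONF samples are constructed, reusing this page's controls statement, xyz.com zone and 192.168.1.0/27 range, and the secondary server address 192.168.1.5 is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Stmt:
    """One named.conf statement: its words plus an optional { ... } block."""
    words: List[str]
    block: Optional[List["Stmt"]] = None


def tokenize(text: str) -> List[str]:
    """Strip comments and split into quoted strings, braces, semicolons and words."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)   # /* ... */ comments
    text = re.sub(r"(//|#).*", " ", text)                 # // and # comments to end of line
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)


def _parse(tokens: List[str], pos: int):
    """Recursive-descent parse; returns (statements, position after the closing brace)."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "}":
            return stmts, pos
        if tok == "{":
            block, pos = _parse(tokens, pos)
            stmts.append(Stmt(words, block))
            words = []
        elif tok == ";":
            if words:
                stmts.append(Stmt(words))
            words = []
        else:
            words.append(tok.strip('"'))
    return stmts, pos


def parse_named_conf(text: str) -> List[Stmt]:
    return _parse(tokenize(text), 0)[0]


def _find(block, name):
    return next((s for s in (block or []) if s.words and s.words[0] == name), None)


def _values(stmt):
    """All words inside a statement's block, e.g. the entries of allow-transfer { ... }."""
    return [w for s in (stmt.block or []) for w in s.words] if stmt else []


def lint_named_conf(text: str) -> List[str]:
    """Return hardening findings for a named.conf; an empty list means every check passed."""
    findings = []
    top = parse_named_conf(text)
    opts = _find(top, "options")
    opt_block = opts.block if opts else None
    if _find(opt_block, "version") is None:
        findings.append("options: no 'version' string, so version.bind queries reveal the real BIND version")
    rec = _find(opt_block, "allow-recursion")
    if rec is None:
        findings.append("options: 'allow-recursion' not set; restrict recursion to internal ranges")
    elif "any" in _values(rec):
        findings.append("options: allow-recursion { any; } makes this an open resolver")
    for z in top:                                  # primary zones must name their secondaries
        if z.words[:1] != ["zone"] or len(z.words) < 2:
            continue
        ztype = _find(z.block, "type")
        if ztype is None or ztype.words[1:2] not in (["master"], ["primary"]):
            continue
        xfer = _find(z.block, "allow-transfer")
        if xfer is None or "any" in _values(xfer):
            findings.append(f"zone {z.words[1]}: zone transfer not restricted to the secondary servers")
    ctl = _find(top, "controls")                   # rndc channel should stay on loopback
    for s in (ctl.block if ctl else []):
        if s.words[:1] == ["inet"] and len(s.words) > 1 and s.words[1] not in ("127.0.0.1", "::1"):
            findings.append(f"controls: rndc listener bound to {s.words[1]} instead of loopback")
    return findings


# Constructed samples; the controls line, the xyz.com zone and 192.168.1.0/27 follow this page.
WEAK_CONF = """
controls { inet 127.0.0.1 port 54 allow {any;} keys { "rndc-key"; }; };
options {
    directory "/var/named";
};
zone "xyz.com" IN {            // Forward lookup zone for xyz.com
    type master;
    file "db.xyz.com";
    allow-update { none; };
};
"""

HARDENED_CONF = """
controls { inet 127.0.0.1 port 54 allow {any;} keys { "rndc-key"; }; };
options {
    directory "/var/named";
    version "not telling";
    allow-recursion { 127.0.0.0/8; 192.168.1.0/27; };
};
zone "xyz.com" IN {
    type master;
    file "db.xyz.com";
    allow-update { none; };
    allow-transfer { 192.168.1.5; };   /* placeholder address of the secondary name server */
};
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":", lint_named_conf(conf) or ["all checks passed"])
```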
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DNS.
4. Click Zones.
5. Select the zone this record is to be added to.
6. Click the triangle at the left of the zone. The list of records appears.
7. Click Add Record, then choose Add Machine (A). This adds a machine record to the zone.
8. In the Machine Name field, enter the hostname of the computer. To use the fully qualified name of the computer, select the Fully Qualified checkbox and enter the fully qualified domain name of the computer. This field is the basis for the A record of the computer. Reverse lookup pointer records are created for the computer.
9. Click the Add button (+) and enter the IP addresses for the computer.
10. In the relevant text boxes, enter information about the hardware and software of the computer.
11. In the Comment text box, enter comments about the computer. This field is the basis for the TXT record of the computer. You can store up to 255 ASCII characters in the comments text box. You can include the physical location of the computer (for example, Upstairs server closet B), the computer's owner (for example, John's Computer), or any other information about the computer.
12. Click Save.
13. To add other names that you want this computer to have, click Add Record and choose Add Alias (CNAME). Add as many aliases as you want for your server.
14. In the Alias Name field, enter the alternate name for your computer. To use the fully qualified name for the alias, select the Fully Qualified checkbox and enter the fully qualified domain name. This field is the basis for the CNAME records of the computer. Reverse lookup pointer records are created for the computer.
15. In the Destination field, enter the computer name you are creating the alias for. To use the fully qualified name for the destination, select the Fully Qualified checkbox and enter the fully qualified domain name.
16. Click Save.
17. From the expanded Servers list, select Mail.
18. Click Settings, then click Advanced.
19. Click Hosting.
20. Next to the Local Host Aliases field, click the Add button (+).
21. In the Local Host Alias field, enter the alias name you created earlier.
22. Click OK, then click Save.
23. Repeat steps 7 through 22 for each mail server.
1. Choose Apple > System Preferences, and then click Network.
2. From the services list, select the network connection service you use to connect to the Internet (such as Ethernet).
3. In the DNS Server field, enter the IP address for the primary DNS server you want to use. To enter addresses for several servers, enter a comma between addresses. To find out which DNS server you should be using, check with your network administrator. DNS server addresses are provided by DHCP service.
DNS and BIND, 5th edition, by Paul Albitz and Cricket Liu (O'Reilly and Associates, 2006)
The International Software Consortium website: www.isc.org and www.isc.org/sw/bind

Request for Comments (RFC) documents provide an overview of a protocol or service and explain how the protocol should behave. If you're a novice server administrator, you'll probably find some of the background information in an RFC helpful. If you're an experienced server administrator, you can find technical details about a protocol in its RFC document. You can search for RFC documents by number at http://www.ietf.org/rfc.html.
    A, PTR, CNAME, MX: see RFC 1035.
    AAAA: see RFC 1886.
When a packet arrives at a network interface and the firewall is enabled, the packet is compared to each rule, starting with the lowest-numbered (highest-priority) rule. When a rule matches the packet, the action specified in the rule (such as permit or deny) is taken. Then, depending on the action, more rules can be applied. The rules you set are applied to TCP packets and UDP packets. In addition, you can set up rules for restricting Internet Control Message Protocol (ICMP) or Internet Group Management Protocol (IGMP) using advanced rule creation.

Important: When you start Firewall service the first time, only ports essential to remote administration of the server are open, including secure shell (22) and several others. Other ports are dynamically opened to permit specific responses to queries initiated from the server. To permit remote access to other services on your computer, open more ports using the Services section of the Settings pane.

If you plan to share data over the Internet and you don't have a dedicated router or firewall to protect your data from unauthorized access, use Firewall service. This service works well for small to medium businesses, schools, and small or home offices. Large organizations with a firewall can use Firewall service to exercise a greater degree of control over their servers. For example, workgroups in a large business, or schools in a school system, can use Firewall service to control access to their own servers.

Firewall service also provides stateful packet inspection, which determines whether an incoming packet is a legitimate response to an outgoing request or part of an ongoing session. This permits packets that would otherwise be denied.
Understanding IP addressing
Understanding firewall rules requires understanding how IP addressing works.

IP address
IP addresses consist of four segments with values between 0 and 255 (the range of an 8-bit number), separated by dots (for example, 192.168.12.12). The segments in IP addresses go from general to specific. For example, the first segment might belong to all computers in a company and the last segment might belong to a specific computer on one floor of a building.

Address ranges
When you create an address group using Server Admin, you enter an IP address and a subnet mask. The three types of address notation permitted are:
    A single address: 192.168.2.1
    A range expressed in CIDR notation: 192.168.2.1/24
    A range expressed in netmask notation: 192.168.2.1:255.255.255.0
Server Admin shows the resulting address range. You can change the range by changing the subnet mask. When you indicate a range of potential values for any segment of an address, that segment is called a wildcard. The following table gives examples of address ranges created to achieve specific goals.
Goal: Create a rule that specifies a single IP address.
    Example IP address: 10.221.41.33
    Enter this in the address field: 10.221.41.33 or 10.221.41.33/32
    Address range affected: 10.221.41.33 (single address)

Goal: Create a rule that leaves the fourth segment as a wildcard.
    Example IP address: 10.221.41.33
    Enter this in the address field: 10.221.41.33/24
    Address range affected: 10.221.41.0 to 10.221.41.255

Goal: Create a rule that leaves part of the third segment and all of the fourth segment as a wildcard.
    Example IP address: 10.221.41.33
    Enter this in the address field: 10.221.41.33/22
    Address range affected: 10.221.40.0 to 10.221.43.255

Goal: Create a rule that applies to all incoming addresses.
    Enter this in the address field: Select Any
    Address range affected: All IP addresses
Multiple IP addresses
A server can support multiple homed IP addresses, but Firewall service applies one set of rules to all server IP addresses. If you create multiple alias IP addresses, the rules you create apply to all of those IP addresses.
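The address notations and the table above, worked through in code: an added Python example (not Apple's code) that turns an address-field entry into the range it covers and reports whether a given source address is inside it, which is the check to make before trusting that a rule such as the junk-mail rule later in this section is neither wider nor narrower than intended. The entries are the ones shown on this page; IPv4 only, since that is what the table describes.

```python
import ipaddress
from typing import Optional, Tuple


def address_range(entry: str) -> Optional[Tuple[str, str]]:
    """Return (first, last) address covered by a Server Admin address-field entry.

    Accepts a single address (10.221.41.33), CIDR notation (10.221.41.33/22)
    and netmask notation (192.168.2.1:255.255.255.0).  'Any' covers every
    address and is returned as None.  IPv4 entries only.
    """
    entry = entry.strip()
    if entry.lower() == "any":
        return None
    if ":" in entry:                              # netmask notation host:mask
        host, mask = entry.split(":", 1)
        net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
    else:                                         # single address or CIDR
        net = ipaddress.ip_network(entry, strict=False)
    # strict=False discards the host bits, which is what Server Admin does when
    # it shows the resulting range (10.221.41.33/24 covers 10.221.41.0/24).
    return str(net.network_address), str(net.broadcast_address)


def rule_matches(entry: str, source_ip: str) -> bool:
    """True if a packet from source_ip falls inside the rule's address entry."""
    rng = address_range(entry)
    if rng is None:
        return True
    first, last = (ipaddress.ip_address(a) for a in rng)
    return first <= ipaddress.ip_address(source_ip) <= last


# Entries from the table above plus the netmask form given earlier on this page.
PAGE_ENTRIES = [
    "10.221.41.33",
    "10.221.41.33/32",
    "10.221.41.33/24",
    "10.221.41.33/22",
    "192.168.2.1:255.255.255.0",
    "Any",
]

if __name__ == "__main__":
    for e in PAGE_ENTRIES:
        rng = address_range(e)
        print(f"{e:28s} -> {'all IP addresses' if rng is None else ' to '.join(rng)}")
```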
Adaptive firewall
Lion Server uses an adaptive firewall that dynamically generates a firewall rule if a user or an IP address generates 10 consecutive failed login attempts.

About the adaptive firewall
The adaptive firewall helps to prevent your computer from being attacked by unauthorized users. The adaptive firewall does not require configuration and is active when you turn on your firewall. When too many network requests are made of the server in too short a time period, the adaptive firewall creates a temporary rule for ipfw and ip6fw that blocks the network activity. After a set time period, the temporary firewall rule is removed and ipfw and ip6fw are returned to their normal set of rules. By default, the generated rule blocks the offending IP address for 15 minutes, preventing access. Although the adaptive firewall engages automatically, an administrator can customize the firewall's reaction by:
    Adding an IP number or address range permanently to a whitelist
    Adding an IP number or address range permanently to a blacklist
    Changing the blocking time period
    Changing the adaptive firewall's reporting behavior

Adaptive firewall files and utilities
The adaptive firewall consists of the following parts:
Utility or file                                        Purpose
/usr/libexec/afctl                                     The executable
/etc/af.plist                                          The plist format config file for afctl
/System/Library/LaunchDaemons/com.apple.afctl.plist    The launchd plist for afctl
/var/db/af/whitelist                                   The file used to store the whitelist
/var/db/af/blacklist                                   The file used to store the blacklist
For more information see the man pages for afctl and hb_summary.
You can disable P2P networking by blocking incoming and outgoing traffic on the port number used by the P2P application. You must determine the port used for each P2P network in question. By default, Lion Server's firewall blocks ports not specifically opened. You can limit P2P network usage to IP addresses behind the firewall. To do so, open the P2P port for your LAN interface but continue to block the port on the interface connected to the Internet (the WAN interface). To learn how to make a firewall rule, see Configure advanced firewall rules (CLI) or Configure advanced firewall rules.

Controlling or enabling network game usage
Sometimes network administrators must control the use of network games. The games might use network bandwidth and resources improperly or disproportionately. You can disable network gaming by blocking incoming and outgoing traffic on the port number used by the game. You must determine the port used for each network game in question. By default, Lion Server's firewall blocks all ports not specifically opened. You can limit network game usage to IP addresses behind the firewall. To do so, open the relevant port on your LAN interface but continue to block the port on the interface connected to the Internet (the WAN interface). Some games require a connection to a gaming service for play, so this might not be effective. You can open the firewall to specific games, permitting network games to connect to other players and game services outside the firewall. To do this, open up the relevant port on your LAN and WAN interface. Some games require more than one port to be open. For networking details, consult the game's documentation.

Blocking Junk Mail
This section describes how to reject mail from a junk mail sender with an IP address of 17.128.100.0 (for example) and accept all other Internet mail.

Important: To block incoming SMTP mail, set up specific address ranges in rules you create. For example, if you set a rule on port 25 to deny mail from all addresses, you prevent mail from being delivered to users.
Port  Description  Reference
21 TCP  FTP control  RFC 959
22 TCP, UDP  Secure shell (SSH)
23 TCP, UDP  Telnet
25 TCP, UDP  Mail: SMTP
53 TCP, UDP  DNS
67 UDP  DHCP server (BootP), NetBoot server
68 UDP  DHCP client
69 UDP  Trivial File Transfer Protocol (TFTP)
79 TCP, UDP  Finger
80 TCP  HTTP web
88 TCP, UDP  Kerberos V5 KDC
106 TCP, UDP  Open Directory Password Server (with 3659)
110 TCP, UDP  Mail: POP3
111 TCP, UDP  Remote Procedure Call (RPC)
113 TCP, UDP  Authentication service
115 TCP  Simple File Transfer Protocol (SFTP)
119 TCP  Network News Transfer Protocol (NNTP)
123 TCP, UDP  Network Time Protocol
137 TCP, UDP  Windows Name Service (WINS)
138 TCP, UDP  Windows NETBIOS browsing
139 TCP  Windows file and print service (SMB/CIFS)
143 TCP  Mail: IMAP
161 UDP  Simple Network Management Protocol (SNMP)
192 UDP  AirPort administration
201-208 TCP  AppleTalk
311 TCP  Server Admin over SSL, AppleShare IP remote web administration, Server Monitor, Server Admin (servermgrd), Workgroup Manager (DirectoryService)
389 TCP  LDAP (directory)  RFC 2251
407 TCP, UDP  Timbuktu
427 TCP, UDP  SLP (Service Location Protocol)
443 TCP  HTTPS secure web over SSL
445 TCP  Microsoft Domain Server
465 TCP  Mail: SMTP
497 TCP, UDP  Dantz Retrospect

Ports 500-3999
Port  Description  Reference
500 UDP  VPN ISAKMP/IKE
513 UDP  Who
514 TCP  Shell, syslog
514 UDP  Syslog
515 TCP  LPR print spooling  RFC 1179
532 TCP  NetNews
548 TCP  AFP (Apple Filing Protocol)
554 TCP, UDP  QTSS RTSP streaming  RFC 2326
587 TCP  Mail: SMTP submission
591 TCP  FileMaker web access
600-1023 TCP, UDP  Mac OS X RPC-based services
625 TCP  Remote Directory Access
626 UDP  Serial number support for Snow Leopard Server and earlier
631 TCP, UDP  IPP printer sharing
636 TCP  LDAP over SSL
660 TCP  Server administration using Server Settings
687 TCP  Server administration using Server Admin
749 TCP, UDP  Kerberos administration and changepw using the kadmind command-line tool
985 TCP  NetInfo static port
993 TCP  Mail: IMAP over SSL
995 TCP, UDP  Mail: POP3 over SSL
1099, 8043 TCP  Remote RMI and RMI/IIOP access to JBoss
1220 TCP  QTSS administration
1694 TCP  IP Failover
1701 UDP  VPN L2TP
1723 TCP  VPN PPTP  RFC 2637
2000 TCP  Mail: Custom filtering (sieve)
2049 TCP, UDP  Network File System (NFS)
2336 TCP  Mobile account sync
2399 TCP  FileMaker data access layer
3004 TCP  iSync
3031 TCP, UDP  Program Linking, remote AppleEvents
3283 TCP, UDP  Apple Remote Desktop (with 5900)
3306 TCP  MySQL
3632 TCP  XCode distributed compiler
3659 TCP, UDP  Open Directory Password Server (with 106)
3689 TCP  iTunes music sharing
3690 TCP  Subversion version control

Ports 4000-50999
Port  Description  Reference
4111 TCP  Xgrid
4500 UDP  VPN IKE NAT traversal
5003 TCP, UDP  FileMaker name binding and transport
5060 UDP  iChat session initiation
5100 TCP  Camera and scanner sharing
5190 TCP, UDP  iChat, AOL Instant Messenger, and iChat file transfer
5222 TCP  iChat Server (Jabber/XMPP)
5223 TCP  iChat Server (Jabber/XMPP) over SSL
5269 TCP  iChat Server to server (Jabber/XMPP)
5297 UDP  iChat local subnet
5298 TCP, UDP  iChat local subnet
5678 UDP  iChat AV behind NAT
5353 UDP  Multicast DNS (Bonjour, mDNSResponder)
5432 TCP  Apple Remote Desktop 2.0 database
5900 TCP, UDP  VNC (Mac OS X screen sharing, Apple Remote Desktop 2.0)
5988, 5989 TCP  Apple Remote Desktop 2.0 CIM/OpenWBEM
6970-6999 UDP  QTSS RTP streaming
7070 TCP, UDP  QTSS RTSP Automatic Router Configuration Protocol (ARCP)
7777 TCP  iChat Server file transfer proxy
8000-8999 TCP  Web service
8000-8001 TCP  QTSS MP3 streaming
8005 TCP  Tomcat remote shutdown
8008, 8443 TCP  iCal Server and iCal Server SSL
8080 TCP  HTTP web service alternative (Apache 2 default)
8088 TCP  Software Update server
8080, 8443, 9006 TCP  Tomcat standalone and JBoss
8800, 8843 TCP  Address Book Server and Address Book Server SSL
9007 TCP  Tomcat remote web server access to AIP port
16384-16403 UDP  iChat audio/video RTP and RTCP
42000-42999 TCP  iTunes radio streams
49152-65535 TCP  FTP service PASV port range
50003 TCP, UDP  FileMaker Server service (Windows) or daemon (Mac OS X)
A-Z by service
Port  Service
548 TCP  AFP (Apple Filing Protocol)
192 UDP  AirPort administration
3283 TCP, UDP  Apple Remote Desktop (with 5900)
5988, 5989 TCP  Apple Remote Desktop 2.0 CIM/OpenWBEM
5432 TCP  Apple Remote Desktop 2.0 database
201-208 TCP  AppleTalk
113 TCP, UDP  Authentication service
5100 TCP  Camera and scanner sharing
497 TCP, UDP  Dantz Retrospect
68 UDP  DHCP client
67 UDP  DHCP server (BootP), NetBoot server
53 TCP, UDP  DNS
7 TCP, UDP  Echo
2399 TCP  FileMaker data access layer
5003 TCP, UDP  FileMaker name binding and transport
50006 TCP, UDP  FileMaker Server Helper service (Windows) or daemon (Mac OS)
50003 TCP, UDP  FileMaker Server service (Windows) or daemon (Mac OS X)
591 TCP  FileMaker web access
79 TCP, UDP  Finger
21 TCP  FTP control
20 TCP  FTP data
49152-65535 TCP  FTP service PASV port range
443 TCP  HTTPS secure web over SSL
80 TCP  HTTP web
8080 TCP  HTTP web service alternative (Apache 2 default)
16384-16403 UDP  iChat audio/video RTP and RTCP
5678 UDP  iChat AV behind NAT
5297 UDP  iChat local subnet
5298 TCP, UDP  iChat local subnet
5222 TCP  iChat Server (Jabber/XMPP)
5223 TCP  iChat Server (Jabber/XMPP) over SSL
5269 TCP  iChat Server to server (Jabber/XMPP)
7777 TCP  iChat Server file transfer proxy
5060 UDP  iChat session initiation
5190 TCP, UDP  iChat, AOL Instant Messenger, and iChat file transfer
1694 TCP  IP failover
631 TCP, UDP  IPP printer sharing
3004 TCP  iSync
3689 TCP  iTunes music sharing
42000-42999 TCP  iTunes radio streams
749 TCP, UDP  Kerberos administration and changepw using the kadmind command-line tool
88 TCP, UDP  Kerberos V5 KDC
389 TCP  LDAP (directory)
636 TCP  LDAP over SSL
515 TCP  LPR print spooling
600-1023 TCP, UDP  Mac OS X RPC-based services
2000 TCP  Mail: Custom filtering (sieve)
143 TCP  Mail: IMAP
993 TCP  Mail: IMAP over SSL
110 TCP, UDP  Mail: POP3
995 TCP, UDP  Mail: POP3 over SSL
25 TCP, UDP  Mail: SMTP
587 TCP  Mail: SMTP submission
445 TCP  Microsoft Domain Server
2336 TCP  Mobile account sync
5353 UDP  Multicast DNS (Bonjour, mDNSResponder)
3306 TCP  MySQL
985 TCP  NetInfo static port
532 TCP  NetNews
2049 TCP, UDP  Network File System (NFS)
119 TCP  Network News Transfer Protocol (NNTP)
123 TCP, UDP  Network Time Protocol
3659 TCP, UDP  Open Directory Password Server (with 106)
106 TCP, UDP  Open Directory Password Server (with 3659)
3031 TCP, UDP  Program linking, remote AppleEvents
1220 TCP  QTSS administration
8000-8001 TCP  QTSS MP3 streaming
6970-6999 UDP  QTSS RTP streaming
7070 TCP, UDP  QTSS RTSP Automatic Router Configuration Protocol (ARCP)
554 TCP, UDP  QTSS RTSP streaming
625 TCP  Remote directory access
111 TCP, UDP  Remote procedure call (RPC)
1099, 8043 TCP  Remote RMI and RMI/IIOP access to JBoss
22 TCP, UDP  Secure shell (SSH)
626 UDP  Serial number support for Snow Leopard Server
311 TCP  Server Admin over SSL, AppleShare IP remote web administration, Server Monitor, Server Admin (servermgrd), Workgroup Manager (DirectoryService)
687 TCP  Server administration using Server Admin
660 TCP  Server administration using Server Settings
514 TCP  Shell, syslog
115 TCP  Simple File Transfer Protocol (SFTP)
161 UDP  Simple Network Management Protocol (SNMP)
427 TCP, UDP  SLP (Service Location Protocol)
8088 TCP  Software Update server
3690 TCP  Subversion version control
514 UDP  Syslog
23 TCP, UDP  Telnet
407 TCP, UDP  Timbuktu
8005 TCP  Tomcat remote shutdown
9007 TCP  Tomcat remote web server access to AIP port
8080, 8443, 9006 TCP  Tomcat standalone and JBoss
69 UDP  Trivial File Transfer Protocol (TFTP)
5900 TCP, UDP  VNC (Mac OS X screen sharing, Apple Remote Desktop 2.0)
4500 UDP  VPN IKE NAT traversal
500 UDP  VPN ISAKMP/IKE
1701 UDP  VPN L2TP
1723 TCP  VPN PPTP
8000-8999 TCP  Web service
513 UDP  Who
139 TCP  Windows file and print service (SMB/CIFS)
137 TCP, UDP  Windows Name Service (WINS)
138 TCP, UDP  Windows NETBIOS browsing
3632 TCP  XCode distributed compiler
4111 TCP  Xgrid
If you create multiple rules in the Advanced pane, the precedence for a rule is determined by the rule number. This number corresponds to the order of the rule in the Advanced pane. Rules can be reordered by dragging them in the list in the Firewall Settings Advanced pane. For most normal uses, opening access to designated services in the Advanced pane is sufficient. If necessary, add more rules using the Advanced pane.
Prefix  Subnet mask
/22  255.255.252.0
/23  255.255.254.0
/24  255.255.255.0
/25  255.255.255.128
/26  255.255.255.192
/27  255.255.255.224
/28  255.255.255.240
/29  255.255.255.248
/30  255.255.255.252
/31  255.255.255.254
/32  255.255.255.255
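As an added example (not code from Apple's documentation), the following Python script models the first-match evaluation of numbered firewall rules described above and walks through the cases from this page: the junk-mail block that names a source range instead of denying all of port 25, a P2P port opened on the LAN interface but kept closed on the WAN interface, the effect of renumbering (dragging) a rule, and the prefix-to-mask conversion from the table. The interface roles (en0 = WAN, en1 = LAN), the /24 on the page's example sender 17.128.100.0, the P2P port number and all sample addresses are assumptions made for this example.

```python
"""Added example, not code from Apple's documentation: a first-match rule
evaluator in the style of the numbered ipfw rules Lion Server's Firewall
service uses. Interface roles (en0 = WAN, en1 = LAN), the /24 on the page's
example sender 17.128.100.0, the P2P port and all sample addresses are
assumptions made for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def prefix_to_mask(prefix: int) -> str:
    """Dotted-quad subnet mask for a CIDR prefix length (/22 -> 255.255.252.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


@dataclass(frozen=True)
class Rule:
    number: int            # precedence: lower numbers are checked first
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source in CIDR notation, or "any"
    dport: Optional[int]   # destination port, None = any port
    iface: Optional[str]   # "en0", "en1", ... or None = any interface
    direction: str         # "in" (to the server) or "out" (from the server)


def rule_matches(rule: Rule, pkt: Dict[str, object]) -> bool:
    """True when every field of the rule accepts the packet."""
    if rule.direction != pkt["dir"]:
        return False
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if rule.iface is not None and rule.iface != pkt["iface"]:
        return False
    if rule.dport is not None and rule.dport != pkt["dport"]:
        return False
    if rule.src != "any":
        net = ipaddress.ip_network(rule.src, strict=False)
        if ipaddress.ip_address(str(pkt["src"])) not in net:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Dict[str, object]) -> Tuple[str, Optional[int]]:
    """The first matching rule in number order decides. With no match the packet
    is denied, mirroring the default of blocking ports not specifically opened."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    return "deny", None


def packet(src: str, dport: int, iface: str, proto: str = "tcp",
           direction: str = "in") -> Dict[str, object]:
    """Constructed packet summary used as evaluator input."""
    return {"src": src, "dport": dport, "iface": iface,
            "proto": proto, "dir": direction}


WAN, LAN = "en0", "en1"                  # assumed interface roles
JUNK_SENDER = "17.128.100.0/24"          # page's example sender; /24 assumed
P2P_PORT = 6881                          # placeholder; use the real app's port

# Block the junk sender but keep accepting everyone else's SMTP traffic.
JUNK_MAIL_RULES = [
    Rule(100, "deny", "tcp", JUNK_SENDER, 25, WAN, "in"),
    Rule(200, "allow", "tcp", "any", 25, WAN, "in"),
]

# The mistake the page warns about: denying port 25 from all addresses.
OVERBROAD_MAIL_RULES = [Rule(100, "deny", "tcp", "any", 25, WAN, "in")]

# P2P allowed on the LAN interface only, still blocked on the WAN interface.
P2P_LAN_ONLY_RULES = [
    Rule(300, "allow", "tcp", "any", P2P_PORT, LAN, "in"),
    Rule(310, "deny", "tcp", "any", P2P_PORT, WAN, "in"),
]


def reorder(rules: List[Rule], number: int, new_number: int) -> List[Rule]:
    """Give one rule a new number, as dragging it in the Advanced pane does."""
    return [Rule(new_number, r.action, r.proto, r.src, r.dport, r.iface, r.direction)
            if r.number == number else r for r in rules]


if __name__ == "__main__":
    smtp_junk = packet("17.128.100.7", 25, WAN)
    smtp_ok = packet("203.0.113.5", 25, WAN)
    print(evaluate(JUNK_MAIL_RULES, smtp_junk), evaluate(JUNK_MAIL_RULES, smtp_ok))
    print(evaluate(OVERBROAD_MAIL_RULES, smtp_ok))      # everyone is denied
    print(evaluate(P2P_LAN_ONLY_RULES, packet("192.168.1.20", P2P_PORT, LAN)))
    print(evaluate(P2P_LAN_ONLY_RULES, packet("203.0.113.5", P2P_PORT, WAN)))
    # Moving the allow rule above the deny rule flips the decision for the junk sender.
    print(evaluate(reorder(JUNK_MAIL_RULES, 200, 50), smtp_junk))
    print(prefix_to_mask(22), prefix_to_mask(32))
```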
Step 7: Turn Firewall service on

You turn Firewall service on using Server Admin. Important: If you add or change a rule after starting Firewall service, the new rule affects connections established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Below the Servers list, click the Start Firewall button.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Stop Firewall.
5. Click Stop Now.
2. Click Settings.
3. Click Services.
4. Select the Firewall checkbox.
5. Click Save.
Other parameters
Add a rule:
    $ sudo serveradmin settings
    ipfilter:rules:_array_id:rule = create
    ipfilter:rules:_array_id:rule:source = source
    ipfilter:rules:_array_id:rule:protocol = protocol
    ipfilter:rules:_array_id:rule:destination = destination
    ipfilter:rules:_array_id:rule:action = action
    ipfilter:rules:_array_id:rule:enableLocked = (yes|no)
    ipfilter:rules:_array_id:rule:enabled = (yes|no)
    ipfilter:rules:_array_id:rule:log = (yes|no)
    ipfilter:rules:_array_id:rule:readOnly = (yes|no)
    ipfilter:rules:_array_id:rule:source-port = port
    Control-D
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Advanced.
5. Click the Add button (+). Alternatively, you can select a rule similar to the one you want to create, click Duplicate, and then click Edit.
6. In the Action pop-up menu, select whether this rule permits or denies access. If you choose Other, enter the action desired (for example, log).
7. From the Protocol pop-up menu, choose a protocol. If you choose Other, enter the protocol desired (for example, icmp, esp, ipencap).
8. From the Service pop-up menu, choose a service. To select a nonstandard service port, choose Other.
9. If needed, choose to log all packets that match the rule.
10. For the source of filtered traffic, choose an address group from the Source:Address pop-up menu. If you don't want to use an existing address group, choose Other and enter the source IP address range (using CIDR notation) to filter. If you want it to apply to any address, choose any from the pop-up menu.
11. If you selected a nonstandard service port, enter the source port number.
12. For the destination of filtered traffic, choose an address group from the Destination:Address pop-up menu. If you don't want to use an existing address group, choose Other and enter the destination IP address range (using CIDR notation). If you want it to apply to any address, choose any from the pop-up menu.
13. If you selected a nonstandard service port, enter the destination port number.
14. From the Interface pop-up menu that this rule will apply to, choose In or Out. In refers to the packets being sent to the server. Out refers to the packets being sent from the server.
15. If you select Other, enter the interface name (en0, en1, fw1, and so on).
16. Click OK.
17. Click Save to apply the rule immediately.
You can remove or edit advanced firewall rules. If you think you'll use a rule again and only want to disable it, you can deselect the rule rather than deleting it. If you edit a rule after turning on Firewall service, your changes affect connections established with the server. For example, if computers are connected to your web server and you change the rule to deny all access to the server, connected computers are disconnected.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Advanced.
5. To edit the services list, click the Edit button (/) below the Advanced Rules list, edit the rule as needed, and then click OK.
6. To delete a rule, click the Delete button (-) below the Advanced Rules list. Default rules, designated by the lock icon, cannot be edited or deleted.
7. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Services.
5. Select the service you want to change, then do the following:
   a. To edit the service list, click the Edit button (/) below the services list.
   b. To delete the service list, click the Delete button (-) below the services list.
6. Edit the name, port, or protocol as needed, and click OK.
7. Click Save.
DNS/Multicast DNS
ICMP Echo Reply (incoming pings)
IGMP
PPTP VPN
L2TP VPN
iTunes Music Sharing

Important: If you add or change a rule after starting Firewall service, the new rule affects connections established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.
Parameter  Description
To view a setting:
    $ sudo serveradmin settings ipfilter:setting
To view a group of settings:
    $ sudo serveradmin settings ipfilter:ipAddressGroups:*
Enter as much of the name as you want, stopping at a colon (:), and then enter an asterisk (*) as a wildcard for the remaining parts of the name.
To view all service configuration settings:
    $ sudo serveradmin settings ipfilter
To change a setting:
    $ sudo serveradmin settings ipfilter:setting = value
To change several settings:
    $ sudo serveradmin settings
    ipfilter:setting = value
    ipfilter:setting = value
    ipfilter:setting = value
    [...]
    Control-D
Important: If you add or change a rule after starting Firewall service, the new rule affects connections established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Services.
5. From the Editing Services for pop-up menu, select an address group.
6. For the address group, choose to permit all traffic from any port or to permit traffic on designated ports.
7. For each service you want the address group to use, select Allow. If you don't see the service you need, add a port and description to the services list. To create a custom rule, see Configure advanced firewall rules (CLI) or Configure advanced firewall rules.
8. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Services.
5. Below the services list, click the Add button (+).
6. Enter a rule name for the service.
7. Enter a single port (for example, 22) or a port range (for example, 650-750).
8. Choose a protocol. If you want a protocol other than TCP or UDP, use the Advanced settings to create a custom rule.
9. Click OK.
10. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Advanced.
5. Select Enable for TCP, Enable for UDP, or both, as needed.
6. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Advanced.
5. Drag the rules to reorder them in the needed sequence. Default rules, which are designated by the lock icon, cannot be reordered.
6. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Address Groups.
5. Below the Address Group pane, click the Add button (+).
6. In the Group name field, enter a group name.
7. Use the Add (+) and Delete (-) buttons to enter the IP addresses you want the rules to affect. To indicate any IP address, use the word any.
8. Click OK.
9. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Address Groups.
5. Below the IP Address Groups list, click the Add button (+).
6. In the Group name field, enter a group name.
7. Use the Add (+) and Delete (-) buttons to enter the addresses and subnet mask you want the rules to affect. To indicate any IP address, use the word any.
8. Click OK.
9. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Address Groups.
5. From the IP Address Groups list, select the group name.
6. Below the IP Address Groups list, click the Duplicate button.
7. Make the required modifications and click OK.
8. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Address Groups.
5. From the IP Address Groups list, select the group name.
6. To edit an IP address group, click the Edit button (/) below the list, edit the Group name or addresses as needed, and then click OK.
7. To delete an IP address group, click the Delete button (-) below the list.
8. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Logging.
5. Select the Enable logging checkbox and choose to log permitted packets, denied packets, or a designated number of packets.
6. Click Save.
See summary status of the service:
    sudo serveradmin status ipfilter
See detailed status of the service, including rules:
    sudo serveradmin fullstatus ipfilter
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Overview to see whether the service is running, the number of active static and dynamic rules configured, the number of matching packets, and the number of bytes in matching packets handled by the firewall.
5. Click Log to review the Firewall service log. To search for specific entries, use the Filter field above the log.
6. To view a list of active firewall rules, click Active Rules. A list of rules appears, with a description of each rule in ipfw code format, the priority, packet count, and total bytes handled.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Active Rules. A list of the rules appears, with a description of each rule in ipfw code format, the priority, packet count, and total bytes handled.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Logging.
5. Make sure Log all denied packets is selected. If you have not turned on logging for a rule, see Edit or delete advanced firewall rules.
6. To view log entries, click Log.
7. In the text filter box, enter the word unreach.
See where the ipfilter service log is located:
    sudo serveradmin command ipfilter:command = getLogPaths
    ipfilter:systemLog = "/var/log/ipfw.log"
View the latest entries in the log:
    sudo tail log-file
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Log. To search for specific entries, use the Filter field above the log. You can refine the view using the text filter box.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings, then click Logging.
5. Make sure Log all allowed packets is selected. If you have not turned on logging for a rule, see Edit or delete advanced firewall rules.
6. To view log entries, click Log.
1. Read the error message in the log.
2. Wait a few minutes for Server Admin to show the active rules in the Firewall Overview pane.
3. Compare the list of active rules in the Firewall Overview pane with the rule list in the Settings section.
4. Inspect the contents of the /etc/ipfilter/ipfw.conf.apple file to see which rules Server Admin tried to load in the firewall. The first rule in the file that is not present in the Firewall Overview pane is likely the invalid one. However, there might be more invalid rules after that one.
5. If the rule corresponds to one from the Advanced Settings pane, disable it or correct it. Disabled rules appear in the /etc/ipfilter/ipfw.conf.apple file preceded by a comment character so they are not processed by the ipfw tool.
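The comparison in steps 3 to 5 can be scripted. The following is an added example (not code from Apple's documentation) that parses an ipfw.conf.apple-style file and an active-rule listing, skips rules Server Admin commented out, and reports every enabled rule that never became active, in file order, so the first entry is the likely invalid rule. The file contents and the active listing are constructed samples; real files live at the paths the page names.

```python
"""Added example, not code from Apple's documentation: compare the rules
Server Admin tried to load (an ipfw.conf.apple-style file) with the rules the
firewall actually reports active, to locate the rule(s) that failed to load.
The file contents and active-rule listing below are constructed samples."""
import re
from typing import Dict, List, NamedTuple


class ConfRule(NamedTuple):
    number: int
    body: str
    enabled: bool   # False when the line is commented out with '#'


# "add NNNNN <rule>" lines; a leading '#' marks a rule Server Admin disabled.
_CONF_LINE = re.compile(r"^\s*(?P<off>#\s*)?add\s+(?P<num>\d+)\s+(?P<body>\S.*)$")
# Active rules as ipfw lists them: "NNNNN <rule>".
_ACTIVE_LINE = re.compile(r"^\s*(?P<num>\d+)\s+(?P<body>\S.*)$")

# Constructed sample of /etc/ipfilter/ipfw.conf.apple (not a real file).
# Rule 12310 carries a bad prefix length (/33) and so never loads.
SAMPLE_CONF = """\
# constructed sample, not a real Lion Server configuration
add 01000 allow all from any to any via lo0
add 01010 deny all from any to 127.0.0.0/8
add 12300 allow tcp from any to any 22 in
add 12310 allow tcp from 17.128.100.0/33 to any 25 in
#add 12320 deny tcp from any to any 6881 in via en0
add 12330 allow tcp from any to any 80 in
add 65535 deny ip from any to any
"""

# Constructed sample of the active rule list (ipfw keeps the numbers but
# normalises the rule text, so rules are matched by number, not by text).
SAMPLE_ACTIVE = """\
01000 allow ip from any to any via lo0
01010 deny ip from any to 127.0.0.0/8
12300 allow tcp from any to any dst-port 22 in
12330 allow tcp from any to any dst-port 80 in
65535 deny ip from any to any
"""


def parse_conf(text: str) -> List[ConfRule]:
    """Rules in file order, including disabled (commented-out) ones."""
    rules = []
    for line in text.splitlines():
        m = _CONF_LINE.match(line)
        if m:
            rules.append(ConfRule(int(m["num"]), m["body"].strip(), m["off"] is None))
    return rules


def parse_active(text: str) -> Dict[int, str]:
    """Map rule number -> rule text for the rules the firewall reports active."""
    active: Dict[int, str] = {}
    for line in text.splitlines():
        m = _ACTIVE_LINE.match(line)
        if m:
            active[int(m["num"])] = m["body"].strip()
    return active


def find_unloaded(conf: List[ConfRule], active: Dict[int, str]) -> List[ConfRule]:
    """Enabled rules present in the file but missing from the active list, in
    file order: the first is the likely invalid rule; later entries may be
    further invalid rules."""
    return [r for r in conf if r.enabled and r.number not in active]


def disabled_rules(conf: List[ConfRule]) -> List[ConfRule]:
    """Rules Server Admin wrote with a comment character so ipfw skips them."""
    return [r for r in conf if not r.enabled]


def report(conf_text: str, active_text: str) -> str:
    """Human-readable summary of the comparison."""
    conf, active = parse_conf(conf_text), parse_active(active_text)
    missing = find_unloaded(conf, active)
    if not missing:
        return "all enabled rules are active"
    lines = [f"likely invalid rule: {missing[0].number} {missing[0].body}"]
    for r in missing[1:]:
        lines.append(f"also not loaded: {r.number} {r.body}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONF, SAMPLE_ACTIVE))
```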
In Terminal, enter the following at the command line:
    sudo /usr/sbin/sysctl -w net.inet.ip.fw.enable=0
1. Disconnect the server from the Internet.
2. Restart the server in single-user mode by holding down the Command-S keys during startup.
3. Remove or rename the address groups file found at /etc/ipfilter/ip_address_groups.plist.
4. Remove or rename the ipfw configuration file found at /etc/ipfilter/ipfw.conf.
5. Force-flush the firewall rules by entering the following in Terminal:
    sudo ipfw -f flush
6. Edit the /etc/hostconfig file and set IPFILTER=-YES-.
7. Complete the startup sequence in the login window by entering exit. The computer starts up with the default firewall rules and firewall enabled. Use Server Admin to refine the firewall configuration.
8. Log in to your server's local administrator account to confirm that the firewall is restored to its default configuration.
9. Reconnect your host to the Internet.
Enables network address translation (NAT) on the internal network and adds a NAT divert rule to the IP firewall to direct network traffic to the correct computer. This also protects the internal network from unsolicited external connections.
Enables DNS on the server, configured to cache lookups, to improve DNS response for internal clients.

When configuring these settings, you can review the proposed changes before committing to them and overwriting existing settings. You can make further changes to the service configuration using Server Admin. For network services, see the relevant section in this book for information. If you run the Gateway Setup Assistant again, it overwrites manual settings you made. To use the Setup Assistant, see Run Gateway Setup Assistant.
1. Open Server Admin and connect to the server.
2. Click Settings, then click Services.
3. Select the NAT checkbox, then click Save.
4. Click the triangle at the left of the server. The list of services appears.
5. From the expanded Servers list, select NAT.
6. Click Overview.
7. Click Gateway Setup Assistant.
8. Follow the directions in the assistant, click Continue after each page, read the final configuration summary carefully, and make sure you approve of the settings before finalizing the configuration.

WARNING: Although you can use the Gateway Setup Assistant to configure remote servers, you can accidentally cut off your administrator access to the remote server after the gateway is complete. This can happen because the firewall is enabled and may deny remote access to the server. To prevent this, make sure your firewall is configured to permit remote access.
Wireless clients must be able to connect to the AirPort Base Station's wireless network to be linked to the gateway. After this process, computers connected to the AirPort Base Station:
Can get IP addresses and network settings configured using DHCP
Can access the Internet if the gateway is connected to the Internet
Can't be accessed by unauthorized network connections originating from the wired connection to the Internet
Can be accessed over the Internet by authorized VPN clients (if VPN is configured)
Can benefit from DNS lookup caching in the gateway, which speeds DNS resolution
1. Plug the connection to the Internet into the Ethernet 1 (en0) port.
2. Connect the AirPort Base Station port (the WAN port, if there are two) to the Ethernet 2 (en1) port.
3. Using AirPort Utility, configure the Base Station to connect using Ethernet and to get its address using DHCP. You can open it from the /Applications/Utilities/ folder.
4. Select a Base Station and then choose Manual Setup from the Base Station menu.
5. Enter the Base Station password if necessary.
6. Click Internet in the toolbar, then click Internet Connection.
7. From the Connect Using pop-up menu, choose Ethernet.
8. From the Configure IPv4 pop-up menu, choose Using DHCP.
9. From the Connection Sharing pop-up menu, choose Off (Bridge Mode).
10. To change Base Station settings, click Update.
11. Open Server Admin and connect to the server.
12. Click Settings, then click Services.
13. Select the NAT checkbox.
14. Click Save.
15. Click the triangle at the left of the server. The list of services appears.
16. From the expanded Servers list, select NAT.
17. Click Overview, then click Gateway Setup Assistant.
18. Click Continue.
19. For your WAN (Internet) interface, designate Built-In Ethernet 1.
20. For your LAN (sharing) interface, designate Built-In Ethernet 2. Your LAN interface is the one connected to your local network. Computers on the LAN share the server's Internet connection through the server's WAN interface. If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable.
21. Choose whether to make this gateway a VPN entry point to your LAN. If you enable VPN, you need a shared secret. A shared secret is a passphrase that users must provide to securely connect to the VPN gateway. It should be a very secure passphrase, not a password of a user or administrator on the gateway server. To set a very secure passphrase, use Password Assistant in Account Preferences.
22. Inspect and confirm the changes.
You can fine-tune the settings from this base configuration, but you perform additional configuration in Server Admin. For example, you can use Server Admin to assign IP addresses to specific computers. To do this, add static address mappings in the DHCP section's Settings tab. For more information, see Use DHCP to assign static IP addresses. You can also change firewall settings to permit connections from the Internet to the LAN. To do this, change the firewall settings, opening up IP ports as needed, and configure port forwarding in the NAT pane to designate which computer on the LAN is to accept incoming traffic.
1. Plug the connection to the Internet into the Ethernet 1 (en0) port.
2. Plug the connection to your LAN into the Ethernet 2 (en1) port.
3. Open Server Admin and connect to the server.
4. Click Settings, then click Services.
5. Select the NAT checkbox.
6. Click Save.
7. Click the triangle at the left of the server. The list of services appears.
8. From the expanded Servers list, select NAT.
9. Click Overview, then click Gateway Setup Assistant.
10. Click Continue. If your server has existing DHCP, DNS, NAT, and VPN configurations, you are prompted to overwrite those configurations. To overwrite configurations, click Overwrite to continue.
11. From the Gateway WAN Interface pop-up menu, choose Ethernet 1 (en0) for your WAN interface, then click Continue.
12. From the list of network interfaces, select the Ethernet 2 checkbox for your LAN interface and click Continue. Your LAN interface is the one connected to your local network. Computers on the LAN share the server's Internet connection through the server's WAN interface. If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable.
13. (Optional) To make your gateway server a VPN entry point to your LAN, select Enable VPN for this server. If you enable VPN, you need a shared secret. A shared secret is a passphrase that users provide to connect to the VPN gateway. It should be a very secure passphrase, not the password of a user or administrator on the gateway server. To set a very secure passphrase, use Password Assistant in Account Preferences. For more information, see Mac OS X Server Security Configuration.
14. Click Continue.
15. Inspect and confirm your setup.
16. Click Continue. NAT and all dependent services will be configured and started.
17. Click Close.
1. Plug the connection to the Internet into the Ethernet 1 (en0) port.
2. Plug the connection to your LAN into the Ethernet 2 (en1) port.
3. Connect the AirPort Base Station port (the WAN port, if there are two) to the wired network.
4. Using AirPort Utility, configure the Base Station to connect using Ethernet and to get its address using DHCP. You can open it from the /Applications/Utilities/ folder.
5. Select the Base Station and then choose Manual Setup from the Base Station menu.
6. Enter the Base Station password if necessary.
7. Click Internet in the toolbar, then click Internet Connection.
8. From the Connect Using pop-up menu, choose Ethernet.
9. From the Configure IPv4 pop-up menu, choose Using DHCP.
10. From the Connection Sharing pop-up menu, choose Off (Bridge Mode).
11. To change Base Station settings, click Update.
12. Open Server Admin and connect to the server.
13. Click Settings, then click Services.
14. Select the NAT checkbox.
15. Click Save.
16. Click the triangle at the left of the server. The list of services appears.
17. From the expanded Servers list, select NAT.
18. Click Overview, then click Gateway Setup Assistant.
19. Click Continue.
20. For your WAN (Internet) interface, designate Ethernet 1.
21. For your LAN (sharing) interface, designate Ethernet 2. Your LAN interface is the one connected to your local network. Computers on the LAN share the server's Internet connection through the server's WAN interface. If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable.
22. Choose whether to make this gateway a VPN entry point to your LAN. If you enable VPN, you need a shared secret. A shared secret is a passphrase that users must provide to securely connect to the VPN gateway. It should be a very secure passphrase, not a password of a user or administrator on the gateway server. To set a very secure passphrase, use Password Assistant in Account Preferences.
23. Inspect and confirm the changes.
NAT
About NAT
Network Address Translation (NAT) is a protocol you use to give multiple computers access to the Internet using only one assigned public or external IP address. NAT permits you to create a private network that accesses the Internet through a NAT router or gateway. NAT is sometimes referred to as IP masquerading.

The NAT router takes traffic from your private network and remembers internal addresses that have made requests. When the NAT router receives a response to a request, it forwards it to the originating computer. Traffic that originates from the Internet does not reach computers behind the NAT router unless port forwarding is enabled.

Enabling NAT on a Lion Server often requires detailed control over DHCP, so DHCP is configured separately in Server Admin. To learn more about DHCP, see DHCP setup overview.

Enabling NAT also creates a divert rule in the firewall configuration. Server Admin permits NAT service and Firewall service to be enabled and disabled independently. However, for NAT service to function, both NAT service and Firewall service must be enabled. This is because an essential part of NAT is the packet divert rule. That rule is added to the firewall when NAT service is enabled, but Firewall service must be turned on for the packet divert rule, or any firewall rule, to have effect.

The natd daemon process controls NAT service. For information about how to access natd features and implement them, see the natd man page.

Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you're a novice server administrator, you'll probably find some of the background information in an RFC helpful. If you're an experienced server administrator, you can find the technical details about a protocol in its RFC document. You can search for RFC documents by number at www.ietf.org/rfc.html. For NAT descriptions, see RFC 1631 and RFC 3022.
Choose your NAT gateway and interface functions
You must locate the NAT gateway on a Lion Server computer with at least two network interfaces: one to connect to the Internet (the WAN port), and one to connect to your private network segment (the LAN port).

Decide how NAT LAN clients get IP addresses
You can assign your own static IP addresses in the approved ranges for private LANs, or you can use Lion Server's DHCP feature to assign addresses for you.

Configure the gateway's network settings
You assign your public IP address to the WAN port and you assign your internal gateway's address to the LAN port.

Enable NAT service
Before configuring NAT service, you must turn NAT on. See Enable NAT service.

Configure NAT settings
Use the NAT settings to set the network interface. See Configure NAT service.

Configure port forwarding settings
Use the Terminal application to direct incoming traffic to your NAT network to a specific IP address behind the NAT gateway. See Configure port forwarding.

Start NAT service
After you configure NAT, start the service to make it available. See Start or stop NAT service.

Start Firewall service
For NAT service to operate, you must enable NAT service and Firewall service. See Enable firewall administration.

(Conditional) Configure and start DHCP service
If clients have their addresses dynamically assigned, configure DHCP and start it now. See DHCP setup overview.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NAT.
4. Click the Start NAT button below the Servers list. When the service is running, the Stop NAT button is available.
getLogPaths
updateNATRuleInIpfw
writeSettings
NAT service settings (prefix nat:)

Parameter           Value             Default
deny_incoming       yes|no            no
log_denied          yes|no            no
clamp_mss           yes|no            yes
reverse             yes|no            no
log                 yes|no            yes
proxy_only          yes|no            no
dynamic             yes|no            yes
use_sockets         yes|no            yes
interface           interface name    en0
unregistered_only   yes|no            no
same_ports          yes|no            yes
Configure NAT
Before you can configure NAT settings, you must enable NAT service in Server Admin.
1. Open Server Admin and connect to the server.
2. Click Settings.
3. Click Services.
4. Select the NAT checkbox.
5. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NAT.
4. Click Settings.
5. Select IP Forwarding and Network Address Translation (NAT).
6. From the External network interface pop-up menu, choose the network interface that connects to the Internet or external network.
7. Click Save.
1. If the file /etc/nat/natd.plist doesn't exist, make a copy of the default NAT daemon plist:
   $ sudo cp /etc/nat/natd.plist.default /etc/nat/natd.plist
2. Using a Terminal editor, add the following block of XML text to /etc/nat/natd.plist before the two lines at the end of the file (</dict> and </plist>), substituting your own settings for the placeholder values (tcp or udp, LAN_ip, LAN_port_range, WAN_ip, WAN_port_range):
   <key>redirect_port</key>
   <array>
       <dict>
           <key>proto</key>
           <string>tcp or udp</string>
           <key>targetIP</key>
           <string>LAN_ip</string>
           <key>targetPortRange</key>
           <string>LAN_port_range</string>
           <key>aliasIP</key>
           <string>WAN_ip</string>
           <key>aliasPortRange</key>
           <string>WAN_port_range</string>
       </dict>
   </array>
3. Save your file changes.
4. Enter the following commands in Terminal:
   $ sudo serveradmin stop nat
   $ sudo serveradmin start nat
5. Verify that your changes remain by inspecting the /etc/nat/natd.conf.apple file. The changes you made, except for comments and those settings that Server Admin can change, are used by the server configuration tools (Server Admin, Gateway Setup Assistant, and serveradmin).
6. Configure NAT service in Server Admin as needed. For more information, see Configure NAT service.
7. Click Save.
8. Start NAT service.
           <string>17.128.128.128</string>
           <key>aliasPortRange</key>
           <string>80</string>
       </dict>
   </array>

Multiple port forwarding
This example shows the setting to forward TCP and UDP ports 600-1023 (NetInfo, full range) connections on the WAN address 17.128.128.128 to the corresponding ports on the private LAN address 192.168.1.1. Add the following to the /etc/nat/natd.plist file; both entries belong in the single redirect_port array, and the aliasPortRange must cover the same number of ports as the targetPortRange:
   <key>redirect_port</key>
   <array>
       <dict>
           <key>proto</key>
           <string>tcp</string>
           <key>targetIP</key>
           <string>192.168.1.1</string>
           <key>targetPortRange</key>
           <string>600-1023</string>
           <key>aliasIP</key>
           <string>17.128.128.128</string>
           <key>aliasPortRange</key>
           <string>600-1023</string>
       </dict>
       <dict>
           <key>proto</key>
           <string>udp</string>
           <key>targetIP</key>
           <string>192.168.1.1</string>
           <key>targetPortRange</key>
           <string>600-1023</string>
           <key>aliasIP</key>
           <string>17.128.128.128</string>
           <key>aliasPortRange</key>
           <string>600-1023</string>
       </dict>
   </array>

Testing port forwarding rules
After you configure port forwarding rules, you can test them by accessing the service from the public IP address of your NAT router. If you successfully access the service, you have properly configured and tested your port forwarding rule. For example, if you have a website hosted on a computer with the private IP address 192.168.1.10, and your NAT router has a public IP address of 219.156.13.13 and a port forwarding rule that forwards port 80 to IP address 192.168.1.10, you would access the website by entering the public IP address (http://219.156.13.13) into your web browser. If your port forwarding rules are correct, your port is forwarded to the computer that is hosting the website (192.168.1.10).
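The redirect_port entries above are easy to mistype (a port range of the wrong width, or a target that is not on the LAN), and every entry is a port you are exposing on the WAN address. The following added example, which is not Apple's code, builds entries with the key names documented above, appends them to a natd.plist with plistlib, and audits an existing plist for invalid or unusually wide forwards; the helper names, the width check, the private-address check and the sample plist are assumptions.

```python
"""Build and audit the redirect_port entries of /etc/nat/natd.plist.

Added example, not Apple's natd or Server Admin code. The key names
(redirect_port, proto, targetIP, targetPortRange, aliasIP, aliasPortRange)
are the ones documented above; the helper names, the width and
private-address checks, and the sample plist are assumptions.
"""
import ipaddress
import plistlib

VALID_PROTOS = ("tcp", "udp")
WIDE_RANGE = 100  # assumed threshold for flagging large exposed port ranges


def parse_port_range(text):
    """'80' -> (80, 80); '600-1023' -> (600, 1023). Rejects malformed ranges."""
    parts = str(text).split("-")
    if len(parts) not in (1, 2):
        raise ValueError("bad port range %r" % (text,))
    lo, hi = int(parts[0]), int(parts[-1])
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("bad port range %r" % (text,))
    return lo, hi


def make_redirect(proto, target_ip, target_ports, alias_ip, alias_ports):
    """Return one redirect_port dict, raising ValueError if it is inconsistent."""
    if proto not in VALID_PROTOS:
        raise ValueError("proto must be tcp or udp, got %r" % (proto,))
    if not ipaddress.ip_address(target_ip).is_private:
        raise ValueError("targetIP %s is not a private LAN address" % target_ip)
    ipaddress.ip_address(alias_ip)  # raises ValueError if not an address
    t_lo, t_hi = parse_port_range(target_ports)
    a_lo, a_hi = parse_port_range(alias_ports)
    # The two ranges map port for port, so they must be the same width.
    if t_hi - t_lo != a_hi - a_lo:
        raise ValueError("targetPortRange %s and aliasPortRange %s differ in width"
                         % (target_ports, alias_ports))
    return {"proto": proto, "targetIP": target_ip, "targetPortRange": target_ports,
            "aliasIP": alias_ip, "aliasPortRange": alias_ports}


def add_redirects(plist_bytes, redirects):
    """Append redirect dicts to the plist's single redirect_port array."""
    conf = plistlib.loads(plist_bytes)
    conf.setdefault("redirect_port", []).extend(redirects)
    return plistlib.dumps(conf)


def audit_redirects(plist_bytes):
    """Describe every forward in the plist and flag invalid or wide ones."""
    findings = []
    for entry in plistlib.loads(plist_bytes).get("redirect_port", []):
        label = "%s %s:%s -> %s:%s" % (
            entry.get("proto"), entry.get("aliasIP"), entry.get("aliasPortRange"),
            entry.get("targetIP"), entry.get("targetPortRange"))
        try:
            make_redirect(entry.get("proto"), entry.get("targetIP"),
                          entry.get("targetPortRange"), entry.get("aliasIP"),
                          entry.get("aliasPortRange"))
        except ValueError as exc:
            findings.append("INVALID %s: %s" % (label, exc))
            continue
        lo, hi = parse_port_range(entry["aliasPortRange"])
        if hi - lo + 1 > WIDE_RANGE:
            findings.append("WIDE %s: %d WAN ports exposed" % (label, hi - lo + 1))
        else:
            findings.append("OK %s" % label)
    return findings


# Constructed sample: a minimal natd.plist that already forwards web traffic on
# the page's WAN address 17.128.128.128 to the LAN host 192.168.1.1.
SAMPLE_NATD_PLIST = plistlib.dumps({
    "interface": "en0",
    "redirect_port": [make_redirect("tcp", "192.168.1.1", "80", "17.128.128.128", "80")],
})

if __name__ == "__main__":
    # Add the NetInfo range forward from the page for both protocols...
    netinfo = [make_redirect(p, "192.168.1.1", "600-1023", "17.128.128.128", "600-1023")
               for p in VALID_PROTOS]
    for line in audit_redirects(add_redirects(SAMPLE_NATD_PLIST, netinfo)):
        print(line)
    # ...and show that a mistyped aliasPortRange (60-1023) is rejected outright.
    try:
        make_redirect("udp", "192.168.1.1", "600-1023", "17.128.128.128", "60-1023")
    except ValueError as exc:
        print("rejected:", exc)
```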
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NAT.
4. Click Settings.
5. Select IP Forwarding only.
6. Click Save.
enable_natportmap   yes|no   Default = yes
interface           "en0"
For more information about command-line parameters for NAT, see NAT service settings. For information about serveradmin, see its man page.
You use serveradmin to start and stop NAT service on your default network interface.

To start NAT service:
$ sudo serveradmin start nat

To stop NAT service:
$ sudo serveradmin stop nat
To view the NAT status overview:
$ sudo serveradmin status nat

To see the detailed NAT status overview:
$ sudo serveradmin fullstatus nat
Monitor NAT
To view the latest entries in the log:
$ tail log-file

To view the log path:
$ sudo serveradmin command nat:command = getLogPaths

The computer responds with the following output:
nat:natLog = nat-log

Placeholder   Value
nat-log       /var/log/alias.log
For more information about NAT commands, see NAT service settings. For information about tail and cat, see their man pages.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NAT.
4. Click Overview to see whether the service is running, when it started, and the number of TCP, UDP, and ICMP links.
1. On the gateway server, open the Network pane of System Preferences.
2. In the active Network screen, make sure the interface Built-in Ethernet is at the top of the list of interfaces; if not, drag it to the top of the list. This sets the default gateway in the routing table. The top interface is always configured for the Internet or WAN.
3. Make sure the IP address and settings for Ethernet 1 are your public address settings from your ISP. In this example they are:
   IP address: 17.254.0.3
   Netmask: 255.255.252.0
   DNS: 17.254.1.6
4. Make sure the IP address and settings for Ethernet 2 or PCI Ethernet Slot 1 are your local address settings. In this example, they are:
   IP address: 192.168.0.1
   Netmask: 255.255.255.0
   DNS: 17.254.1.6
5. If necessary, click Apply Now.
6. Open Server Admin and connect to the server.
7. Click the triangle at the left of the server. The list of services appears.
8. From the expanded Servers list, select DHCP.
9. Click Subnets and create a subnet for the internal LAN with the following configuration parameters:
   Subnet name: whatever you want
   Starting IP address: 192.168.0.2
   Ending IP address: 192.168.0.254
   Subnet mask: 255.255.255.0
   Network interface: en1
   Router: 192.168.0.1
   Lease time: whatever you want
   DNS: 17.254.1.6
   For detailed information about configuring DHCP, see Create DHCP subnets.
10. To start DHCP service, click the Start DHCP button below the Servers list.
11. In Server Admin, choose NAT from the expanded Servers list.
12. Configure NAT using the following setting:
   External network interface: en0
13. If necessary, click Save.
14. To start NAT service, click the Start NAT button below the Servers list.
15. In Server Admin, choose Firewall from the expanded Servers list.
16. Create firewall rules to permit access to and from your private network. For example, create an IP address group named Private LAN for the addresses 192.168.0.0/16. For more information, see Create an address group.
17. To start Firewall service, click the Start Firewall button below the Servers list.
18. Start any services you want the private LAN to access (web, SSH, file sharing, and so on) using the Private LAN group.
19. Start any services you want the Internet to access on your private LAN (web, SSH, file sharing, and so on) using the "any" address group.
20. Click Save.
Virtual servers require three service configurations:
NAT: NAT service must be configured with port forwarding of the virtual port.
DNS: The DNS record for the server should accept a few aliases of common services and resolve them to the same IP address.
Firewall: The firewall must permit traffic on specific ports to have access to the NAT LAN.

In this example, you set up a NAT gateway and route two domain names and services to different computers behind the gateway firewall. Assume the following configuration details:
Ethernet interface names and functions: Ethernet Built-in (connected to the Internet), PCI Ethernet Slot 1 (connected to the internal network)
Internet or public IP address: 17.100.0.1 (example only; your IP number and netmask information will be provided by your ISP)
Private network IP address range and netmask: 192.168.0.0 to 192.168.0.255 (also expressed as 192.168.0.0/24 or 192.168.0.0:255.255.255.0)
Gateway server's private network IP address: 192.168.0.1
Web server's private network IP address: 192.168.0.2
Mail server's private network IP address: 192.168.0.3
Web and mail servers' IP address settings: Configure IPv4 Using DHCP
This last setting is not required, because NAT can be used with static IP addresses instead of DHCP. However, configuring this setting makes it easier to configure computers.

Once the setup is complete, all web traffic to www.example.com is forwarded to the internal server at 192.168.0.2, and incoming mail traffic sent to mail.example.com is delivered to the internal server at 192.168.0.3. To change the servers behind the NAT (for example, to perform a hardware upgrade), change the DHCP static IP address mappings to the Ethernet addresses of the new servers. The new servers are assigned the existing internal IP addresses designated for web and mail, and the gateway forwards the traffic to the new servers seamlessly.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select DHCP.
4. Click Subnets and create an address group for the internal LAN with the following configuration parameters:
   Subnet name: whatever you want
   Starting IP address: 192.168.0.2
   Ending IP address: 192.168.0.254
   Subnet mask: 255.255.255.0
   Network interface: en1
   Router: 192.168.0.1
   Lease time: whatever you want
   DNS: provided by ISP
   Static mapping (web): web server's Ethernet address mapped to 192.168.0.2
   Static mapping (mail): mail server's Ethernet address mapped to 192.168.0.3
   For more information, see Create DHCP subnets and Use DHCP to assign static IP addresses.
5. To start DHCP service, click the Start DHCP button (below the Servers list).
6. In Server Admin, choose NAT from the expanded Servers list.
7. Configure NAT using the following settings:
   External network interface: en0
   Port forwarding: TCP port 80 (web) to 192.168.0.2
   Port forwarding: TCP port 25 (mail) to 192.168.0.3
   For more information about configuring port forwards, see Configure port forwarding.
8. Click Save.
9. To start NAT service, click the Start NAT button below the Servers list.
10. In Server Admin, choose Firewall from the expanded Servers list.
11. Create Firewall rules to permit access to your private network. For more information, see Create an address group.
12. Enable the two services you want the Internet to access on your private LAN (web and SMTP mail) using the "any" address group.
13. Click Save.
14. To start Firewall service, click the Start Firewall button (below the Servers list).
15. Contact your DNS provider (usually your ISP) to add two aliases to your gateway server's DNS record. Request an A record with the name www.example.com pointing to the IP address 17.100.0.1. Request an MX record with the name mail.example.com pointing to the same IP address. These records are in addition to the existing A and CNAME records for your domain.
NetBoot
You use System Image Utility to create Mac OS X Lion NetBoot or NetInstall images, using a Mac OS X Lion installation volume or an existing system volume as the source. For information about creating images, see System Image Utility help.

NetBoot Share Points
NetBoot service sets up share points to make images and shadow files available to clients. Shadow files are used for NetBoot clients that don't use their local hard disks to write out data when booted. NetBoot service creates share points for storing NetBoot and NetInstall images in /Library/NetBoot/ on each volume you enable and names them NetBootSPn, where n is 0 for the first share point and increases by 1 for each extra share point. For example, if you decide to store images on three server disks, NetBoot service sets up three share points named NetBootSP0, NetBootSP1, and NetBootSP2. The share points for client shadow files are also created in /Library/NetBoot/ and are named NetBootClientsn, where n is the share point number. You can create and enable NetBootSPn and NetBootClientsn share points on other server volumes using the NetBoot Service General settings in Server Admin.

WARNING: Don't rename a NetBoot share point or the volume it resides on. Don't stop sharing a NetBoot share point unless you first deselect the share point for images and shadow files in Server Admin.

Use NetBoot and NetInstall Images on Other Servers
You can also specify the path of a NetBoot image residing on a different NFS server. When creating image files, you can specify which server the image will reside on. See Use images stored on remote servers.

Client Information File
NetBoot service gathers information about a client the first time the client selects a NetBoot or NetInstall volume to start from in Startup Disk. NetBoot service stores this information in the /var/db/bsdpd_clients file.

Shadow Files
Many clients can read from the same NetBoot image, but when a client must write back to its startup volume (such as print jobs and other temporary files), NetBoot service redirects the written data to the client's shadow files, which are separate from regular system and application software. Shadow files preserve the unique identity of each client while it is running from a NetBoot image. NetBoot service transparently maintains changed user data in shadow files while reading unchanged data from the shared system image. Shadow files are recreated at startup, so changes made to a user's startup volume are lost at restart. For example, if a user saves a document to the startup volume, after a restart that document is gone. This behavior preserves the condition of the environment the administrator set up. Therefore users must have accounts on a file server on the network to save documents.

Balance the Shadow File Load
NetBoot service creates an AFP share point on each server volume you specify (see Choose where shadow files are stored) and distributes client shadow files across them as a way of balancing the load for NetBoot clients. There is no performance gain if the volumes are partitions on the same disk. See Distribute shadow files.

Allocation of Shadow Files for Mac OS X Lion NetBoot Clients
When a client computer starts from a Mac OS X Lion NetBoot image, it creates shadow files on a server NetBootClientsn share point or, if no share point is available, on a drive local to the client. For information about changing this behavior, see Choose where shadow files are stored.

NetBoot Image Folder
When you create a Mac OS X Lion NetBoot image with System Image Utility, the utility creates a NetBoot image folder whose name ends with .nbi and stores in it the NetBoot image with other files (see the following table) required to start a client computer over the network.
File                 Description
booter               Startup file that the firmware uses to begin the startup process
mach.macosx          UNIX kernel
mach.macosx.mkext    Drivers
System.dmg           Startup image file (can include application software)
NBImageInfo.plist    Property list file that stores the image properties
System Image Utility stores the folder whose name ends with .nbi on the NetBoot server in /Library/NetBoot/NetBootSPn/image.nbi (where n is the volume number and image is the name of the image). You can save directly to this folder or you can create the image elsewhere (even on another computer) and copy it to the /Library/NetBoot/NetBootSPn folder later. Files for PowerPC-based Macintosh computers are stored in the ppc folder for Mac OS X Server v10.5 images, while previous images might store PowerPC files in the root of the .nbi folder. Files for Intel-based Macintosh computers are stored in the i386 folder. Mac OS X Server v10.6 and later do not support imaging of PowerPC-based computers.

You use System Image Utility to set up NetBoot image folders. The utility lets you:
Name the image
Choose the image type (NetBoot or NetInstall)
Provide an image ID
Choose the default language
Choose the computer models the image supports
Create unique sharing names
Specify a default user name and password
Enable automatic installation for installation images
Add packages or preinstalled applications
For information about creating images, see Create NetBoot images.

Property List File
The property list file NBImageInfo.plist stores image properties. The following table gives more information about the property list file for Mac OS X Lion image files.
Property           Type      Description
Architectures      Array     An array of strings of the architectures the image supports.
BootFile           String    Name of the boot file: booter.
Index              Integer   1-4095 indicates a local image unique to the server. 4096-65535 indicates a duplicate, identical image stored on multiple servers for load balancing.
IsDefault          Boolean   True specifies this image file as the default boot image on the subnet.
IsEnabled          Boolean   Sets whether the image is available to NetBoot (or Network Image) clients.
IsInstall          Boolean   True specifies a Network Install image; False specifies a NetBoot image.
Name               String    Name of the image as it appears in the Mac OS X Lion Preferences pane.
RootPath           String    Specifies the path to the disk image on the server, or the path to an image on another server. See Use images stored on remote servers.
Type               String    NFS or HTTP.
SupportsDiskless   Boolean   True directs the NetBoot server to allocate space for the shadow files needed by diskless clients.
Description        String    Text describing the image.
Language           String    A code specifying the language to be used while starting from the image.
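Because a mistyped NBImageInfo.plist can make an image vanish from the client's Startup Disk list or, worse, make a disabled image the subnet default, it is worth checking the file before enabling it. The following added example, not Apple's System Image Utility or Server Admin code, validates the properties from the table above with plistlib; the check logic, helper names and the constructed sample plist are assumptions.

```python
"""Sanity-check an NBImageInfo.plist against the properties described above.

Added example, not Apple's System Image Utility or Server Admin code. The
property names, types and Index ranges come from the table on this page; the
check logic, helper names and the constructed sample plist are assumptions.
"""
import plistlib

# Property -> Python type plistlib produces for it (page table, Type column).
EXPECTED_TYPES = {
    "Architectures": list, "BootFile": str, "Index": int, "IsDefault": bool,
    "IsEnabled": bool, "IsInstall": bool, "Name": str, "RootPath": str,
    "Type": str, "SupportsDiskless": bool, "Description": str, "Language": str,
}
OPTIONAL = {"Description", "Language"}  # assumed optional: descriptive only


def index_scope(index):
    """'local' for 1-4095 (image unique to this server), 'shared' for
    4096-65535 (identical copy kept on several servers for load balancing)."""
    if 1 <= index <= 4095:
        return "local"
    if 4096 <= index <= 65535:
        return "shared"
    raise ValueError("Index %r is outside 1-65535" % (index,))


def check_image_info(plist_bytes):
    """Return a list of problems found; an empty list means the plist passed."""
    problems = []
    info = plistlib.loads(plist_bytes)
    for key, expected in EXPECTED_TYPES.items():
        if key not in info:
            if key not in OPTIONAL:
                problems.append("missing %s" % key)
        elif not isinstance(info[key], expected) or (
                expected is int and isinstance(info[key], bool)):
            problems.append("%s should be %s" % (key, expected.__name__))
    if problems:
        return problems  # the checks below rely on the types being right
    if info["BootFile"] != "booter":
        problems.append("BootFile should be booter, got %r" % (info["BootFile"],))
    try:
        index_scope(info["Index"])
    except ValueError as exc:
        problems.append(str(exc))
    if info["Type"] not in ("NFS", "HTTP"):
        problems.append("Type should be NFS or HTTP, got %r" % (info["Type"],))
    if not info["Architectures"] or not all(
            isinstance(a, str) for a in info["Architectures"]):
        problems.append("Architectures should be a non-empty array of strings")
    if info["IsDefault"] and not info["IsEnabled"]:
        problems.append("default image is disabled, so clients cannot start from it")
    return problems


def sample_image_info(**overrides):
    """Constructed NBImageInfo.plist for a local NetBoot image. Keyword
    overrides replace values; a value of None removes the key (to test faults)."""
    info = {
        "Architectures": ["i386"], "BootFile": "booter", "Index": 1,
        "IsDefault": True, "IsEnabled": True, "IsInstall": False,
        "Name": "Lion NetBoot", "RootPath": "System.dmg", "Type": "NFS",
        "SupportsDiskless": True, "Description": "constructed sample image",
        "Language": "en",
    }
    for key, value in overrides.items():
        if value is None:
            info.pop(key, None)
        else:
            info[key] = value
    return plistlib.dumps(info)


if __name__ == "__main__":
    print("good image:", check_image_info(sample_image_info()) or "no problems")
    print("bad image:", check_image_info(sample_image_info(Index=70000, Type="FTP")))
```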
Initial values in NBImageInfo.plist are set by System Image Utility, and you usually don't need to change the property list file directly. Some values are set by Server Admin. If you must edit a property list file, you can use TextEdit or Property List Editor, found in the Utilities folder on the Server Administration Tools image.

Boot Server Discovery Protocol (BSDP)
NetBoot service uses an Apple-developed protocol based on DHCP known as Boot Server Discovery Protocol (BSDP). This protocol provides a way of discovering NetBoot servers on a network. NetBoot clients obtain their IP information from a DHCP server and their NetBoot information from BSDP. BSDP offers built-in support for load balancing. See Performance and load balancing.

BootP Server
NetBoot service uses a BootP server (bootpd) to provide necessary information to client computers when they try to start from an image on the server. If BootP clients on your network request an IP address from the NetBoot BootP server, this request fails because the NetBoot BootP server doesn't have addresses to offer. To prevent the NetBoot BootP server from responding to requests for IP addresses, use the dscl command-line tool to open the local folder on the NetBoot server and add a key named bootp_enabled with no value to the /config/dhcp/ folder.

Boot Files
When you create a Mac OS X Lion NetBoot image with System Image Utility, the utility generates the following boot files and stores them on the NetBoot server in /Library/NetBoot/NetBootSPn/image.nbi (where n is the volume number and image is the name of the image):
booter
mach.macosx
mach.macosx.mkext
Note: If you turn on NetBoot service when installing Mac OS X Lion, the installer creates the NetBootSP0 share point on the server boot volume. Otherwise, you can set up NetBootSPn share points by choosing where to store NetBoot images from the list of volumes in the General pane of NetBoot Service settings in Server Admin.
Trivial File Transfer Protocol (TFTP)
NetBoot service uses Trivial File Transfer Protocol (TFTP) to send boot files from the server to the client. When you start a NetBoot client, the client sends a request for startup software. The NetBoot server then delivers the booter file to the client using the TFTP default port 69. Client computers access the startup software on the NetBoot server from the location where the image was saved. These files are typically stored in the /private/tftpboot/NetBoot/NetBootSPn/ folder. This path is a symbolic link to /Library/NetBoot/NetBootSPn/image.nbi (where n is the volume number and image is the name of the image).

Using Images Stored on Other Servers
You can store Mac OS X Lion NetBoot or NetInstall images on NFS servers other than the NetBoot server. For more information, see Use images stored on remote servers.

Security
You can restrict access to NetBoot service on a case-by-case basis by listing the hardware addresses (also known as the Ethernet or MAC addresses) of computers that you want to permit or deny access to. The hardware address of a client computer is added to the NetBoot Filtering list when the client starts up using NetBoot and is, by default, enabled to use NetBoot service. You can specify other services. See Restrict NetBoot clients by filtering addresses.

NetInstall Images
A NetInstall image is an image that starts up the client computer long enough to install software from the image. The client can then start up from its own hard disk. In the same way that a NetBoot image replaces the role of a hard disk, a NetInstall image is a replacement for an installation DVD. Like a bootable CD, NetInstall is a convenient way to reinstall the operating system, applications, or other software onto the local hard disk. For system administrators deploying large numbers of computers with the same version, NetInstall can be very useful. NetInstall does not require the insertion of a CD into each NetBoot client because startup and installation information is delivered over the network.

When you create a NetInstall image with System Image Utility, you can automate the installation process by limiting interaction at the client computer. Because an automatic network installation can be configured to erase the contents of the local hard disk before installation, data loss can occur. You must control access to this type of NetInstall image and must communicate the implications of using them to those using these images. Before using automatic network installations, it is always wise to inform users to back up critical data.

You can perform software installations through NetInstall using a collection of packages or an entire disk image (depending on the source used to create the image). For more information about preparing NetInstall images to install software over the network, see System Image Utility help, Create NetInstall images.

Applications for setting up and managing images
You use the following Lion Server applications to set up and manage NetBoot, NetInstall, and NetRestore:
System Image Utility, to create Mac OS X Lion NetBoot, NetInstall, and NetRestore disk images. This utility is installed with Lion Server software in the /Applications/Server/ folder.
Server Admin, to enable and configure NetBoot service and supporting services. You can download Server Admin Tools at http://support.apple.com/downloads/. The Server Admin Tools are installed in the /Applications/Server/ folder.
PackageMaker, to create package files you use to add software to disk images.
Property List Editor, to edit property lists such as NBImageInfo.plist.
Note: To create an image, you must have valid Mac OS X Lion image sources or volumes. You cannot create an image of the startup disk you are running on.
NetBoot is supported only over built-in Ethernet connections. Multiple Ethernet ports are not supported on client computers. Clients must have at least 100-Mbit Ethernet adapters.

Network hardware requirements
The type of network connections you must use depends on the number of clients you expect to boot over the network:
For booting fewer than 10 clients: 100-Mbit Ethernet
For booting 10 to 50 clients: 100-Mbit switched Ethernet
For booting more than 50 clients: Gigabit Ethernet
These are estimates for the number of clients supported.

Network service requirements
Depending on the types of clients you want to boot or install, your NetBoot server must also provide the following supporting services.
Service provided by NetBoot server   For booting Mac computers with hard disks   For booting Mac computers without hard disks
DHCP                                 Optional                                    Optional
NFS                                  Required if no HTTP                         Required if no HTTP
AFP                                  Not required                                Required
HTTP                                 Required if no NFS                          Required if no NFS
TFTP                                 Required                                    Required
Note: DHCP service is listed as optional because, although it is required for NetBoot, it can be provided by a server other than the NetBoot server. Services marked required must be running on the NetBoot server.

NetBoot and AirPort
The use of AirPort wireless technology to boot clients using NetBoot is not supported by Apple and is discouraged.

Capacity planning
The number of NetBoot client computers your server can support depends on how your server is configured, when your clients routinely start, the server's hard disk space, and a number of other factors. When planning for your server and network needs, consider these factors:
Ethernet speed: 100Base-T or faster connections are required for client computers and the server. As you add clients, you might need to increase the speed of your server's Ethernet connections. Ideally you want to take advantage of the Gigabit Ethernet capacity built in to your Mac server hardware to connect to a Gigabit switch. From the switch, connect Gigabit Ethernet or 100-Mbit Ethernet to each NetBoot client.
Hard disk capacity and number of images: Boot and installation images occupy hard disk space on server volumes, depending on the size and configuration of the system image and the number of images being stored. Images can be distributed across multiple volumes or multiple servers. For more information, see Performance and load balancing.
Hard disk capacity and number of users: If you have a large number of diskless clients, consider adding a separate file server to your network to store temporary user documents. Because the system software for a disk image is written to a shadow image for each client booting from the disk image, you can get a rough estimate of the required hard disk capacity by multiplying the size of the shadow image by the number of clients.
Number of Ethernet ports on the switch: Distributing NetBoot clients over multiple Ethernet ports on your switch offers a performance advantage. Each port must serve a distinct segment.
The number of client computers you can support using NetBoot is determined by the number of servers you have, how they're configured, hard disk storage capacity, and other factors. See NetBoot considerations and requirements. Depending on the results of this evaluation, you might want to add servers or hard disks, add Ethernet ports to your server, or make other changes to your servers. You might also want to set up more subnets for BootP clients, depending on the number of clients you support. You might also want to implement subnets on this server (or other servers) to take advantage of NetBoot filtering.

To provide authentication and personalized work environments for NetBoot client users by using Workgroup Manager, set up workgroups and import users from the Mac server Users & Groups database before you create disk images. Make sure you have at least one administrator user assigned to the Workgroup Manager for Mac OS X Lion client.

Create disk images for client computers
You can set up Mac OS X Lion disk images for client computers to start from. To create Mac OS X Lion disk images, you use System Image Utility. See System Image Utility Help. You might also want to restrict access to NetBoot images by using Model Filtering. See System Image Utility Help. To create application packages that you can add to an image, use PackageMaker. Application software packages can be installed by themselves or with Mac OS X Lion system software. See System Image Utility Help.

Set up DHCP
NetBoot requires a DHCP server running on the local server or on another server on the network. Make sure you have a range of IP addresses sufficient to accommodate the number of clients that will use NetBoot at the same time. For more information about configuring DHCP, see Server Admin Help. If your NetBoot server also supplies DHCP service, you might get better performance if you configure your server as a gateway. That is, configure your subnets to use the server's IP address as the router IP address.

Configure and turn on NetBoot service
You use the NetBoot settings in Server Admin to configure NetBoot on your server. You turn on NetBoot service using Server Admin. See Start NetBoot and related services and Enable images.

(Optional) Set up Ethernet address filtering
NetBoot filtering is performed based on the client computer hardware address. Each client's hardware address is registered when the client selects a NetBoot or NetInstall volume from the startup disk. You can permit or deny specific clients by address. See Restrict NetBoot clients by filtering addresses.

Test your NetBoot setup
Because there is a risk of data loss or of bringing down the network (by misconfiguring DHCP), test your NetBoot setup before implementing it. Test each Macintosh model you support to verify that there are no problems booting into the image on a specified hardware type.

Set up client computers to use NetBoot
When you're satisfied that NetBoot is working on all types of client computers, set up the client computers to start from the NetBoot disk images. You can use the client computer's Startup Disk System Preferences pane to select a startup disk image from the server and then restart the computer. See Select a NetBoot boot image. You can also restart the client computer and hold down the N key until the NetBoot icon starts flashing on the screen. The client starts from the default image on the NetBoot server. See Start up using the N key.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click General.
5. In the Enable column, click the checkbox next to the network ports you want to use for serving images.
6. In the Images column, click the checkbox to choose where to store images.
7. In the Client Data column, click the checkbox for each local disk volume where you want to store shadow files used by Mac OS X Lion diskless clients.
8. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Images.
5. Enable the images you want clients to use, specify if they are available for diskless clients, and choose the protocol for delivering them. If you're not sure which protocol to use, choose NFS.
6. In the Default column, click the checkbox to select the default image. You must select separate default images for Intel-based and PowerPC-based Macintosh clients.
7. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Filters.
5. Select Enable NetBoot/DHCP filtering.
6. Select Allow only clients listed below (deny others) or Deny only clients listed below (allow others).
7. Use the Add button (+) and Delete button (-) to set up the list of client addresses, and click OK. To look up a MAC address, enter the client's DNS name or IP address in the Host Name field and click Find. To find the hardware address for a computer using Mac OS X Lion, look on the TCP/IP pane of the computer's Network preference or run Apple System Profiler.
8. Click Save.
Note: You can also restrict access to a NetBoot image by selecting the name of the image in the Images pane of NetBoot service settings in Server Admin, clicking the Edit (/) button, and providing the required information.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Logging.
5. From the pop-up menu, choose the log detail level (Low, Medium, or High).
6. Click Save.
To configure a NetBoot service setting:
$ sudo serveradmin settings netboot:logging_level = value
To view NetBoot service configuration settings:
$ sudo serveradmin settings netboot

Parameter      Description
logging_level  Default = Medium. Possible values are

For information about command-line parameters, see NetBoot service settings. For information about serveradmin, see its man page.
Enter the following:
$ sudo dscl . create /config/dhcp old_netboot_enabled port_list
$ sudo killall bootpd

Parameter  Description
port_list  List of ports you want to enable for NetBoot 1.0, formatted like en0 en1 en2.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. If you boot diskless Mac OS X Lion clients, start AFP service in the Server app by selecting File Sharing and then turning it on.
4. If your server is providing DHCP service, make sure the DHCP service is configured and running; otherwise, DHCP service must be supplied by another server on your network. If your NetBoot server is also supplying DHCP service, you might get better performance if you configure your server as a gateway. That is, configure your subnets to use the server's IP address as the router IP address.
5. From the expanded Servers list, select NetBoot.
6. Click Settings, then click General.
7. Select which network ports to use for providing NetBoot service. You can select one or more network ports to serve NetBoot images. For example, if you have a server with two network interfaces, each connected to a network, you can choose to serve NetBoot images on both networks.
8. Click Images.
9. Select the images to serve.
10. Click Save.
11. Click the Start NetBoot button (below the Servers list).
To start NetBoot and supporting services:
$ sudo serveradmin start netboot
If you get the following response, you have not enabled NetBoot on a network port:
netboot:state = "STOPPED"
netboot:status = 5000
For information about serveradmin, see its man page.
Parameter (netboot:)                                Description
netBootImagesRecordsArray:_array_index:n:IsEnabled  Sets whether the image is available to NetBoot. Default = no
n                                                   Specifies the array index number of the volume you want to set as the default image.

For information about command-line parameters, see NetBoot service settings. For information about serveradmin, see its man page.
Manage images
the server with the fewest number of clients that started from it.
Enable images
You must enable disk images on your server to make the images available to client computers for NetBoot startups.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Images.
5. For each image you want your clients to see, click the checkbox in the Enable column.
6. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click General.
5. In the list of volumes (in the lower half of the pane), click the checkbox in the Images column for each volume you want to store image files on.
6. Click Save.
To specify a volume to store image files:
$ sudo serveradmin settings
netboot:netBootStorageRecordsArray:_array_index:n:sharepoint = value
netboot:netBootStorageRecordsArray:_array_index:n:clients = value
netboot:netBootStorageRecordsArray:_array_index:n:ignorePrivs = value
netboot:netBootStorageRecordsArray:_array_index:n:volType = value
netboot:netBootStorageRecordsArray:_array_index:n:path = value
netboot:netBootStorageRecordsArray:_array_index:n:volName = value

Parameter (netboot:)                                  Description
netBootStorageRecordsArray:_array_index:n:sharepoint  The first parameter in an array describing a volume available to serve images. Default = "no"
netBootStorageRecordsArray:_array_index:n:volType     Default = "hfs"
netBootStorageRecordsArray:_array_index:n:path        Default = "/"
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click General.
5. In the list of volumes (in the lower half of the pane), click the checkbox in the Client Data column for the volumes to store shadow files on.
6. Click Save.
You can use serveradmin to specify which server volumes are used to store shadow files.

To specify a volume to store shadow files:
$ sudo serveradmin settings
netboot:netBootStorageRecordsArray:_array_index:n:sharepoint = value
netboot:netBootStorageRecordsArray:_array_index:n:clients = yes
netboot:netBootStorageRecordsArray:_array_index:n:ignorePrivs = value
netboot:netBootStorageRecordsArray:_array_index:n:volType = value
netboot:netBootStorageRecordsArray:_array_index:n:path = value
netboot:netBootStorageRecordsArray:_array_index:n:volName = value
netboot:netBootStorageRecordsArray:_array_index:n:volIcon = value
netboot:netBootStorageRecordsArray:_array_index:n:okToDeleteClients = value
netboot:netBootStorageRecordsArray:_array_index:n:okToDeleteSharepoint = value
Control-D

Parameter (netboot:)                                  Description
netBootStorageRecordsArray:_array_index:n:sharepoint  The first parameter in an array describing a volume available to serve images. Default = "no"
netBootStorageRecordsArray:_array_index:n:volType     Default = "hfs"
netBootStorageRecordsArray:_array_index:n:path        Default = "/"
1. Copy the image.nbi folder from the NetBoot server to the remote server on a NetBoot sharepoint (/Library/NetBoot/NetBootSPn). If the image is on the remote server, you can create the .nbi folder on the NetBoot server by duplicating an existing .nbi folder and adjusting the values in its NBImageInfo.plist file.
2. Open Server Admin and connect to the remote server.
3. Click the triangle at the left of the server. The list of services appears.
4. From the expanded Servers list, select NetBoot.
5. Click Settings, then click Images.
6. For each image you want your clients to see from the remote server, click the checkbox in the Enable column.
7. Select the protocol you want NetBoot to use when serving your image (NFS or HTTP).
8. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Images.
5. In the Default column, click the checkbox next to the image. You can select separate default images for Intel-based and PowerPC-based Macintosh computers. The architecture column shows the image type. Mac OS X Lion images can boot Intel-based Macintosh computers only.
6. Click Save.
Parameter (netboot:)                                Description
netBootImagesRecordsArray:_array_index:n:IsDefault  yes: Specifies this image file as the default boot image on the subnet.
n                                                   Specifies the array index number of the volume you want to set as the default image.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Images.
5. In the Diskless column, click the box next to the image in the list.
6. Click Save.
Important: If you have diskless clients, set their NetBoot image as the default image. For help specifying where the clients' shadow files are stored, see Choose where shadow files are stored.
To set an image for a diskless boot:
$ sudo serveradmin settings netboot:netBootImagesRecordsArray:_array_index:n:SupportsDiskless = yes

Parameter (netboot:)                                       Description
netBootImagesRecordsArray:_array_index:n:SupportsDiskless  yes: Directs the NetBoot server to allocate space for shadow files needed by diskless clients.
n                                                          Specifies the array index number of the volume you want to set as the default image.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Filters.
5. Select Enable NetBoot/DHCP filtering.
6. Select Allow only clients listed below (deny others) or Deny only clients listed below (allow others).
7. Use the Add button (+) and Delete button (-) to set up the list of client addresses, and click OK. To look up a MAC address, enter the client's DNS name or IP address in the Host Name field and click Find. To find the hardware address for a computer using Mac OS X Lion, look on the TCP/IP pane of the computer's Network preference or run Apple System Profiler.
8. Click Save.
Note: You can also restrict access to a NetBoot image by selecting the name of the image in the Images pane of NetBoot service settings in Server Admin, clicking the Edit (/) button, and providing the required information.
To restrict NetBoot clients by filtering addresses:
$ sudo serveradmin settings
netboot:netBootFiltersRecordsArray:_array_index:n:hostName = value
netboot:netBootFiltersRecordsArray:_array_index:n:filterType = value
netboot:netBootFiltersRecordsArray:_array_index:n:hardwareAddress = value
Control-D

Parameter (netboot:)                                       Description
netBootFiltersRecordsArray:_array_index:n:hostName         The host name of the filtered computer, if available.
netBootFiltersRecordsArray:_array_index:n:filterType       Whether the specified computer is allowed or denied access. Options: "allow" "deny"
netBootFiltersRecordsArray:_array_index:n:hardwareAddress  The Ethernet hardware (MAC) address of the filtered computer.
n                                                          The array index number of the volume you want to set as the default image.

For information about command-line parameters, see NetBoot service settings. For information about serveradmin, see its man page.
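When a filter list has more than a handful of entries, typing each array index by hand is error-prone. The following shell script is an added example, not Apple's code and not from this help page: it validates and normalizes a batch of client hardware addresses and prints the settings lines for the keys in the table above, for you to pipe into sudo serveradmin settings (ending the input with Control-D). It assumes those keys are accepted exactly as listed and that hostName may be left as an empty string when no name is known.

```shell
#!/bin/sh
# Added example (not Apple's code): generate the serveradmin settings lines
# that populate netboot:netBootFiltersRecordsArray for a batch of clients.
# The key names come from the filter record table; that hostName may be an
# empty string is an assumption.

# normalize_mac ADDR: print ADDR as six lowercase colon-separated octets,
# or return 1 if it is not a well-formed Ethernet hardware address.
# Rejecting malformed input matters: a mistyped address in an allow list
# silently admits nobody, and in a deny list silently blocks nobody.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '-' ':')
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# netboot_filter_records TYPE ENTRY...: TYPE is "allow" or "deny" (the
# filterType values from the table). Each ENTRY is either MAC or HOST=MAC.
# Prints the settings lines on stdout; returns 1 if TYPE or any entry is
# rejected (rejected entries are reported on stderr and never emitted).
netboot_filter_records() {
    ftype=$1; shift
    case "$ftype" in
        allow|deny) ;;
        *) echo "filterType must be allow or deny, got: $ftype" >&2; return 1 ;;
    esac
    idx=0; rc=0
    printf 'netboot:filterEnabled = "yes"\n'
    for entry in "$@"; do
        case "$entry" in
            *=*) host=${entry%%=*}; raw=${entry#*=} ;;
            *)   host=""; raw=$entry ;;
        esac
        if mac=$(normalize_mac "$raw"); then
            p="netboot:netBootFiltersRecordsArray:_array_index:$idx"
            printf '%s:hostName = "%s"\n' "$p" "$host"
            printf '%s:filterType = "%s"\n' "$p" "$ftype"
            printf '%s:hardwareAddress = "%s"\n' "$p" "$mac"
            idx=$((idx + 1))
        else
            echo "rejected hardware address: $raw" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone run on constructed addresses (not real clients).
netboot_filter_records allow 00:1B:63:AA:BB:CC lab-01=00-1b-63-dd-ee-ff
```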
1. In System Preferences, select Startup Disk.
2. Select the network volume to start the computer with.
3. Click Restart. The NetBoot icon appears and the computer starts from the selected image.
To start a multicast server for a specified image:
$ asr -source compressed image -server configuration.plist
The image does not start multicasting on the network until a client attempts to start a restore. The server continues to multicast the image until the process is terminated.
To configure a client to receive a multicast stream:
$ sudo asr -source asr://hostname -target targetvol -erase
The client receives the multicast stream from hostname and saves it to the client.
To overwrite an existing image, add -erase. Using -erase with -target indicates an image should be overwritten when doing a multicast.
1. In System Preferences, select Startup Disk.
2. Select the network volume to start the computer with.
3. Click Restart. The NetBoot icon appears, the computer starts from the selected image, and the installer runs.
1. Start up (or restart) the client computer and hold down the N key immediately after you hear the startup tone (while the screen is still black). You can release the N key when the NetBoot icon appears in the center of the screen.
2. If a login window appears, enter your name and password. The network disk image has an icon typical of server volumes.
-NETWORK_ONLY-  Try to use a server NetBootClientsn share point for storing shadow files. If no server share point is available, don't boot.
-LOCAL-         Try to use a local drive for storing shadow files. If no local drive is available, use a server NetBootClientsn share point.
-LOCAL_ONLY-    Try to use a local drive for storing shadow files. If no local drive is available, don't boot.
Create NetBoot images that can be booted to the Finder. Create NetInstall images from a DVD or existing Mac OS X Lion partition. Create NetRestore images from an existing volume. Assemble a workflow that creates customized NetBoot and NetInstall images. For instructions on using System Image Utility, see System Image Utility help. System Image Utility is installed in /Applications/Server/.

Command-line tools
A full range of command-line tools is available for administrators who prefer to use command-driven server administration. For remote server management, submit commands in a secure shell (SSH) session. You can enter commands on a Mac computer using the Terminal application, located in the /Applications/Utilities/ folder.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click the Stop NetBoot button (below the Servers list) and perform one of the following tasks:
   To stop service on a specific Ethernet port, click Settings, click General, and deselect the Enable checkbox for the port.
   To stop serving a specific image, click Settings, click Images, and deselect the Enable checkbox for the image.
   To stop service to a client, click Settings, click Filters, select Enable NetBoot Filtering, choose Deny only clients listed below, and add the client's hardware address to the list.
To stop NetBoot service or disable images:
$ sudo serveradmin stop netboot
For information about serveradmin, see its man page.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click Images.
5. In the Enable column, deselect the checkbox for the image.
6. Click Save.
To stop NetBoot service or disable images:
$ sudo serveradmin stop netboot
For information about serveradmin, see its man page.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Clients.
5. To update the list, click the Refresh button (below the Servers list).
Note: This is a cumulative list (a list of all clients that have connected), not a list of connected clients. The last boot time is shown for each client.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Connections.
5. To update the list, click the Refresh button (below the Servers list).
You can use Server Admin to check the status of NetBoot service and the services (such as NFS and HTTP) it uses.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Overview to see if the service is running, when the last client update occurred, and which related services are running for an image type.
5. To review the event log, click Log.
6. To see a list of NetBoot clients that have booted from the server, click Clients.
7. To see a list of connected users, click Connections. The list includes the client computer name, IP address, the percentage complete, and the status.
To see if the service is running:
$ sudo serveradmin status netboot
To see the complete service status:
$ sudo serveradmin fullstatus netboot
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Log, then use the Filter field to search for specific entries.
To view the latest entries in a log:
$ tail log-file
To see where service logs are located:
1. Locate the image file on the server where the original image is stored.
2. If the image index ID is 4095 or lower, recreate the image and modify the index ID using the Create Image action in a workflow, then assign the image an index ID in the range 4096 to 65535. For more information, see System Image Utility Help. The image ID can be changed from Server Admin by double-clicking the Image ID field and entering the new ID.
3. Create copies or move image files to other servers.
4. On each server, use Server Admin to enable the image for NetBoot service.
Clients still see the image listed only once in Startup Disk preferences, but the server that delivers its copy of the image is selected based on server activity. Smaller improvements can be achieved by distributing NetBoot images across multiple disk drives on a single server.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select NetBoot.
4. Click Settings, then click General.
5. In the Images column, select the checkbox for each volume to store images on. Choose volumes on different physical disk drives.
6. Click Save, then click Images.
7. If the image's index is 4095 or lower, double-click the ID, enter an index in the range 4096 to 65535, and save the change.
8. Open Terminal and use the scp secure copy tool to copy the image to the NetBootSPn share points on the other volumes. For example:
   $ scp /Library/NetBoot/NetBootSP0/image.nbi [admin_name]@[ip_address]:/Volumes/Drive2/Library/Ne
   where [admin_name] is an admin login and [ip_address] is the correct IP address for that server. You are prompted for the password of the admin login.
Parameter (netboot:)           Description
filterEnabled                  Default = "no"
netBootStorageRecordsArray...  An array of values for each volume used to store boot or installation images. For a description, see The storage record array.
netBootFiltersRecordsArray...  An array of values for each computer explicitly allowed or disallowed access to images. For a description, see The filters record array.
netBootImagesRecordsArray...   An array of values for each boot or installation image stored on the server. For a description, see The image record array.
netBootPortsRecordsArray...    An array of values for each server network port used to deliver boot or installation images. For a description, see The port record array.
The storage record array
An array of the following values appears in NetBoot service settings for each volume on the server used to store boot or installation images.

Parameter (netboot:)                                            Description
netBootStorageRecordsArray:_array_index:n:sharepoint            The first parameter in an array describing a volume available to serve images. Default = "no"
netBootStorageRecordsArray:_array_index:n:clients               Default = "no"
netBootStorageRecordsArray:_array_index:n:ignorePrivs           Default = "false"
netBootStorageRecordsArray:_array_index:n:volType               Default = "voltype"
netBootStorageRecordsArray:_array_index:n:path                  Default = "/"
netBootStorageRecordsArray:_array_index:n:volName               Default = "name"
netBootStorageRecordsArray:_array_index:n:volIcon               Default = "icon"
netBootStorageRecordsArray:_array_index:n:okToDeleteClients     Default = "yes"
netBootStorageRecordsArray:_array_index:n:okToDeleteSharepoint  Default = "yes"
The filters record array
An array of the following values appears in NetBoot service settings for each computer explicitly allowed or denied access to images stored on the server.

Parameter (netboot:)                                       Description
netBootFiltersRecordsArray:_array_index:n:hostName         The host name of the filtered computer, if available.
netBootFiltersRecordsArray:_array_index:n:filterType       Whether the specified computer is allowed or denied access. Options: "allow" "deny"
netBootFiltersRecordsArray:_array_index:n:hardwareAddress  The Ethernet hardware (MAC) address of the filtered computer.
The image record array
An array of the following values appears in NetBoot service settings for each image stored on the server.

Parameter (netboot:)                                       Description
netBootImagesRecordsArray:_array_index:n:Name              The name of the image as it appears in the Startup Disk control panel (Mac OS 9) or Preferences pane (Mac OS X).
netBootImagesRecordsArray:_array_index:n:IsDefault         yes: Specifies this image file as the default boot image on the subnet.
netBootImagesRecordsArray:_array_index:n:RootPath          The path to the .dmg file.
netBootImagesRecordsArray:_array_index:n:isEdited
netBootImagesRecordsArray:_array_index:n:BootFile          booter
netBootImagesRecordsArray:_array_index:n:Description
netBootImagesRecordsArray:_array_index:n:SupportsDiskless  yes: Directs the NetBoot server to allocate space for shadow files needed by diskless clients.
netBootImagesRecordsArray:_array_index:n:Type              NFS or HTTP
netBootImagesRecordsArray:_array_index:n:Index             1 to 4095: Indicates a local image unique to the server.
netBootImagesRecordsArray:_array_index:n:IsEnabled         Sets whether the image is available to NetBoot (or Network Image) clients.
netBootImagesRecordsArray:_array_index:n:IsInstall         yes: Specifies a network installation image. no: Specifies a NetBoot image.

A further parameter gives the path to the parameter list file in the .nbi folder on the server describing the image.
The port record array
An array of the following items is included in the NetBoot service settings for each network port on the server set to deliver images.

Parameter (netboot:)                                      Description
netBootPortsRecordsArray:_array_index:m:isEnabledAtIndex  The first parameter in an array describing a network interface available for responding to netboot requests. Default =
netBootPortsRecordsArray:_array_index:m:nameAtIndex       Default = Example:
netBootPortsRecordsArray:_array_index:m:deviceAtIndex     Default = Example: "en0"
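Reading these arrays by eye in a long dump is tedious, so here is an added shell example (not Apple's code and not from this help page) that audits a saved copy of the output of serveradmin settings netboot: it flags filterEnabled left at its default of "no" (every client on the segment can then request images), lists the enabled ports, and lists enabled images with their default and diskless flags. The sample dump is constructed here; it assumes values are printed as key = value with strings in double quotes and flags as bare yes/no, and it uses the Type, Index, IsEnabled and IsInstall key names as written in the image record table.

```shell
#!/bin/sh
# Added example (not Apple's code): audit a "serveradmin settings netboot"
# dump for the settings that matter most for exposure and for N-key boots.

# Constructed sample dump (not captured from a real server). Key names come
# from the NetBoot service settings reference; the "key = value" layout,
# quoted strings and bare yes/no flags are assumptions.
sample_netboot_settings() {
    cat <<'EOF'
netboot:filterEnabled = "no"
netboot:logging_level = "Medium"
netboot:netBootPortsRecordsArray:_array_index:0:isEnabledAtIndex = yes
netboot:netBootPortsRecordsArray:_array_index:0:deviceAtIndex = "en0"
netboot:netBootPortsRecordsArray:_array_index:1:isEnabledAtIndex = no
netboot:netBootPortsRecordsArray:_array_index:1:deviceAtIndex = "en1"
netboot:netBootImagesRecordsArray:_array_index:0:Name = "Lion NetBoot"
netboot:netBootImagesRecordsArray:_array_index:0:IsEnabled = yes
netboot:netBootImagesRecordsArray:_array_index:0:IsDefault = yes
netboot:netBootImagesRecordsArray:_array_index:0:SupportsDiskless = yes
netboot:netBootImagesRecordsArray:_array_index:0:Type = "NFS"
netboot:netBootImagesRecordsArray:_array_index:1:Name = "Lion NetInstall"
netboot:netBootImagesRecordsArray:_array_index:1:IsEnabled = no
netboot:netBootImagesRecordsArray:_array_index:1:IsDefault = no
netboot:netBootImagesRecordsArray:_array_index:1:SupportsDiskless = no
netboot:netBootImagesRecordsArray:_array_index:1:Type = "HTTP"
EOF
}

# netboot_audit: read a settings dump on stdin and print one finding per
# line. Lines starting with WARN are the ones that need action.
netboot_audit() {
    awk -F' = ' '
    {
        key = $1; val = $2
        gsub(/\"/, "", val)               # strip the quotes around strings
        n = split(key, k, ":")           # netboot:<array>:_array_index:<i>:<field>
        if (n == 2 && k[2] == "filterEnabled") {
            filter = val
        } else if (n == 5 && k[2] == "netBootPortsRecordsArray") {
            port[k[4], k[5]] = val
            if (k[4] + 1 > nports) nports = k[4] + 1
        } else if (n == 5 && k[2] == "netBootImagesRecordsArray") {
            img[k[4], k[5]] = val
            if (k[4] + 1 > nimgs) nimgs = k[4] + 1
        }
    }
    END {
        if (filter == "yes")
            print "OK filterEnabled=yes"
        else
            print "WARN filterEnabled=" filter " (any client on the segment can request images)"
        for (i = 0; i < nports; i++)
            if (port[i, "isEnabledAtIndex"] == "yes")
                print "PORT " port[i, "deviceAtIndex"] " enabled"
        defaults = 0
        for (i = 0; i < nimgs; i++) {
            if (img[i, "IsEnabled"] != "yes") continue
            tag = ""
            if (img[i, "IsDefault"] == "yes") { tag = " default"; defaults++ }
            print "IMAGE " img[i, "Name"] " enabled" tag " type=" img[i, "Type"] " diskless=" img[i, "SupportsDiskless"]
        }
        if (defaults == 0)
            print "WARN no enabled default image (clients started with the N key have nothing to boot)"
    }'
}

# Stand-alone run: audit the constructed sample.
sample_netboot_settings | netboot_audit
```

On a real server, replace the sample with sudo serveradmin settings netboot | netboot_audit.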
1. Mount the image in Finder by opening the .nbi folder containing the image and double-clicking it.
2. Open Terminal and enter the following command to rename the image:
   $ sudo diskutil rename /Volumes/image new_name
   Replace image with the name of the image to rename and new_name with the new name of the image.
3. When prompted, enter your administrator password. The name of the image changes.
4. Unmount the image.
5. Remount the image to verify that it is renamed.

Change the name of a compressed image
1. Mount the image in Finder by opening the .nbi folder containing the image and double-clicking it.
2. Open Disk Utility.
3. Select the image and click Convert.
4. In the Save As field, enter a name.
5. Select a different location to save the image to. For example, save the image in the Desktop folder.
6. From the Image Format menu, choose read/write.
7. Click Save.
8. Unmount the image.
9. Mount the new image in the Finder.
10. Open a Terminal window and enter the following to rename the image:
    $ sudo diskutil rename /Volumes/image new_name
    Replace image with the name of the image to rename and new_name with the new name of the image.
11. When prompted, enter your administrator password. The name of the image changes.
12. Unmount the image.
13. Remount the image to verify that the image is renamed.
14. Unmount the image.
15. Remove the original image from the .nbi folder and store it somewhere else.
16. In Disk Utility, select the new image and click Convert.
17. Give the image the same name as the one it had inside the .nbi folder.
18. In the Where field, select the .nbi folder.
19. From the Format menu, choose Compressed.
20. Click Save.
21. Test the new image to make sure it mounts properly.
22. Discard the old image.
About NTP
Using NTP service for time synchronization is important for reducing confusion that can be caused if time stamps are out of sync. From shared file systems to billing services, correct timekeeping is a necessity. However, clocks on computers throughout a network can have widely different time stamps. Network Time Protocol (NTP) synchronizes the clocks in networked computers to a reference clock. NTP helps make sure that all computers on a network report the same time. If an isolated network (or even a computer) is unsynchronized, services that use time and date stamps (such as Mail service, or Web service with timed cookies) send wrong time and date stamps and are out of sync with other computers across the Internet. For example, a mail message could arrive minutes or years before it was sent (according to the time stamp), and a reply to that message could come before the original was sent.

How NTP works
NTP uses Universal Time Coordinated (UTC) as its reference time. UTC is based on an atomic resonance, and clocks that run according to UTC are often referred to as atomic clocks. On the Internet, authoritative NTP servers (known as Stratum 1 servers) track the current UTC time. Other subordinate servers (known as Stratum 2 and 3 servers) regularly query Stratum 1 servers and estimate the time taken to send and receive the query. They then factor this estimate with the query result to set the Stratum 2 or 3 server's time. The estimates are correct to the nanosecond. Your LAN can then query Stratum 3 servers for the time. An NTP client computer on your network then takes the UTC time reference and converts it using its own time zone setting to local time, and sets its internal clock accordingly.

NTP on your network
Lion Server can act as an NTP client, receiving authoritative time from an Internet time server, and as an authoritative time server for a network. Your local clients can query your server to set their clocks. If you set your server to answer time queries, set it to also query an authoritative time server on the Internet.

Find more information about NTP
The working group, documentation, and FAQ for NTP can be found at www.ntp.org. Listings of publicly accessible NTP servers and their use policies can be found at support.ntp.org/bin/view/Servers/WebHome. Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave. If you're a novice server administrator, you'll probably find some of the background information in an RFC helpful. If you're an experienced server administrator, you can find all technical details about a protocol in its RFC document. You can search for RFC documents by number at www.ietf.org/rfc.html. The official specification of NTP is RFC 1305.
1. Open System Preferences.
2. Click Date & Time.
3. Select the Set date & time automatically checkbox.
4. Select and delete the text in the field rather than using the pop-up menu.
5. Enter the host name of your time server. Your host name can be a domain name (such as time.example.com) or an IP address.
6. Close System Preferences.
2. Click Settings, then click Date & Time.
3. Make sure your server is configured to Set date & time automatically.
4. From the pop-up menu, choose the server to act as a time server.
5. Click General.
6. Select the Network Time Server (NTP) checkbox.
7. Click Save.
SSL Certificates
Replace certificates
If you've assigned a certificate to a particular service, or to all services as a group, you can replace those certificates. You might replace the default self-signed certificate with one that's been signed by a third party, or you might need to replace an expired certificate. See Obtaining a Signed Certificate. If you receive a signed certificate from a third party, it should have an extension of .cer, .crt, or .p12.
1. Select the server under Hardware in the Server app sidebar.
2. Click Settings and then click the Edit button at the right of SSL Certificate.
3. From the Action pop-up menu, choose Manage Certificates.
4. Click the Add button (+) and choose Create Self-Signed Certificate from the pop-up menu.
5. In the Name field of the Certificate Assistant, enter your server's fully qualified host name (for example, server.example.com) and click Continue. Leave the other settings unchanged. Identity Type should be Self Signed Root, Certificate Type should be SSL Server, and Let me override defaults should be deselected.
You can choose the new self-signed certificate for the server. For information, see Using an SSL certificate. You can also use the new self-signed certificate to request a signed certificate from a certificate authority. For instructions, see Obtain a signed certificate.
1. In the Finder, locate the files containing the certificate and matching private key, and put the files where you can see them while using Server Preferences (for example, on the desktop).
2. In the Server app, select your server's name under Hardware in the Server app sidebar.
3. In the Settings pane, click the Edit button at the right of SSL Certificate.
4. From the Action pop-up menu, choose Manage Certificates.
5. Click + and then choose Import a Certificate Identity from the menu.
6. Drag the files containing the certificate and private key to the middle of the dialog.
7. Click the Import button and, if prompted, enter the private key passphrase.
1. Select the server under Hardware in the Server app sidebar.
2. Click Settings and then click the Edit button at the right of SSL Certificate.
3. From the Action pop-up menu, choose Manage Certificates.
4. In the Manage Certificates sheet, select the self-signed certificate you want to use to generate the CSR.
5. From the Action pop-up menu, choose Generate Certificate Signing Request (CSR).
6. Save the CSR file. Some certificate authorities ask you to enter the CSR text in a field on a webpage instead of uploading a file. In that case, you can copy and paste the text to the CA's website.
7. Upload the CSR file to a CA following the instructions on their website. On the CA's website, look for SSL Certificates. You can use the CA of your choice. Here are a few CAs:
Thawte, Inc. (www.thawte.com)
VeriSign, Inc. (www.verisign.com)
Comodo Group, Inc. (www.comodo.com)
After receiving your signed certificate from the CA, you can use it to replace your self-signed certificate. For information, see Use an SSL certificate.
applications on users' computers. You can use the self-signed certificate created for your server when you set it up, or a self-signed certificate you created, but users' applications won't trust these and will display messages asking if the user trusts your certificate. Using a signed certificate relieves users from the uncertainty and tedium of manually accepting your certificate in these messages. A man-in-the-middle spoofing attack is possible with a self-signed certificate, but not with a signed certificate, and that means users can trust the services they access.
1. Select the server under Hardware in the Server app sidebar.
2. Click Settings and then click the Edit button at the right of SSL Certificate.
3. From the Action pop-up menu, choose an available certificate. If the pop-up menu doesn't contain certificates, create a self-signed certificate. For instructions, see Create a self-signed certificate. To use a previously generated SSL certificate, import it.
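Two things the procedures above leave to the administrator are whether a file received from a CA is one of the accepted kinds (.cer, .crt, or .p12; PEM or DER encoded) and whether a certificate has already expired and needs replacing. The following helper is an added example, not part of Apple's documentation or the Server app: it classifies a file by extension and content and reads the certificate's notAfter date with a minimal DER walker. The sample certificate it builds is a constructed skeleton carrying only the fields the walker reads (version, serial, empty algorithm and issuer, validity); it is not a real, signed certificate.

```python
"""Pre-import checks for certificate files destined for the Server app (added example)."""
import base64
import re
from datetime import datetime, timezone
from typing import Optional

ACCEPTED_EXTENSIONS = (".cer", ".crt", ".p12")
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def encoding_of(name: str, data: bytes) -> str:
    """Classify a file as 'pem', 'der' or 'unsupported' by extension and content."""
    if not name.lower().endswith(ACCEPTED_EXTENSIONS):
        return "unsupported"
    if PEM_RE.search(data):
        return "pem"
    # DER certificates and PKCS#12 bundles both start with a SEQUENCE tag (0x30).
    return "der" if data[:1] == b"\x30" else "unsupported"


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def not_after(data: bytes) -> datetime:
    """Return the notAfter timestamp (UTC) of an X.509 certificate, PEM or DER."""
    m = PEM_RE.search(data)
    der = base64.b64decode(m.group(1)) if m else data
    _, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE { tbsCertificate, ... }
    fields = _children(_children(cert)[0][1])
    if fields[0][0] == 0xA0:               # optional explicit [0] version comes first
        fields = fields[1:]
    validity = _children(fields[3][1])     # serial, signature, issuer, validity
    tag, when = validity[1]                # notAfter is the second time in Validity
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(when.decode(), fmt).replace(tzinfo=timezone.utc)


def is_expired(data: bytes, now: Optional[datetime] = None) -> bool:
    """True when the certificate's notAfter lies in the past (or before `now`)."""
    return not_after(data) < (now or datetime.now(timezone.utc))


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def sample_certificate(not_after_utc: str) -> bytes:
    """Constructed DER skeleton for testing; carries a validity period but no signature."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))            # [0] EXPLICIT INTEGER 2 (v3)
    serial = _tlv(0x02, b"\x01")
    sig_alg = issuer = _tlv(0x30, b"")                    # empty SEQUENCEs stand in here
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, not_after_utc.encode()))
    return _tlv(0x30, _tlv(0x30, version + serial + sig_alg + issuer + validity))


def pem_encode(der: bytes) -> bytes:
    """Wrap DER bytes in the PEM armor a .crt file usually carries."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    old = sample_certificate("200601000000Z")             # expired in 2020
    print(encoding_of("server.cer", old), not_after(old).date(), "expired:", is_expired(old))
    print(encoding_of("server.crt", pem_encode(old)), encoding_of("notes.txt", old))
```

Run it against a real .crt or .cer file by reading the file as bytes and calling `not_after`; a .p12 bundle is classified but not parsed, since its certificate sits inside an encrypted PKCS#12 container.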
RELATED INFORMATION
VPN
About VPN
VPN (virtual private network) service lets remote users connect to your intranet over the Internet.

VPN (virtual private network) service lets users connect to your intranet from home or other remote locations over the Internet. Users make a secure VPN connection to access services you haven't made public on the Internet. For example, organizations typically make file sharing available only on their own intranets, requiring their remote users to connect using VPN to access shared files.

VPN service and your server's firewall can both allow access to services from outside your intranet. The difference is that VPN service requires authentication for access, but allowing access through the firewall doesn't require authentication. If VPN service is on, you don't need to expose some services to the Internet through your firewall. For example, you might set the firewall to expose only your web services to the Internet, so the public can view your wikis and custom websites (subject to authentication and access restrictions you impose). Your server's users can access other services (file sharing, Address Book, iCal, iChat, and mail) through a VPN connection.

To ensure confidentiality, authentication, and communications integrity, VPN service uses the L2TP protocol with a shared secret. The shared secret is like a passphrase, but it isn't used to authenticate client computer users for a VPN connection. Instead, it allows the server to trust client computers that have the shared secret, and it allows client computers to trust the server that has the secret. Both server and client computers must have the shared secret.

Users' computers must be configured to make VPN connections. Users' computers with Mac OS X Lion can be configured automatically. For information, see Provide secure remote access with VPN.
If you want to allow access to VPN service on the Internet and you have a cable router, DSL router, or other network router:
Your router must have port forwarding (port mapping) configured for VPN service. For information about port forwarding, see Port mapping for network and server protection.
Your router and VPN users' routers must be configured so that they don't assign conflicting IP addresses. For information, see Provide VPN service through an Internet router.
If you want to allow access to VPN service outside your intranet and your intranet has a separate firewall device, ask the firewall administrator to open the firewall for the ports and protocols that VPN service uses. For a list of ports, see Services and ports.
The following sections contain information about each supported transport and authentication method.
Transport protocols
There are two encrypted transport protocols: Layer Two Tunneling Protocol over Secure Internet Protocol (L2TP/IPSec), and Point-to-Point Tunneling Protocol (PPTP). You can enable either or both protocols. Each has its own strengths and requirements.
L2TP/IPSec
L2TP/IPSec uses strong IPSec encryption to tunnel data to and from network nodes. It is based on Cisco's L2F protocol. IPSec requires security certificates (self-signed or signed by a certificate authority such as VeriSign) or a predefined shared secret between connecting nodes. The shared secret must be entered on the server and the client. The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that the key management systems use to trust each other. L2TP is Mac OS X Server's preferred VPN protocol because it has superior transport encryption and can be authenticated using Kerberos.
PPTP
PPTP is a commonly used Windows standard VPN protocol. PPTP offers good encryption (if strong passwords are used) and supports a number of authentication schemes. It uses the user-provided password to produce an encryption key. By default, PPTP supports 128-bit (strong) encryption. PPTP also supports 40-bit (weak) encryption. PPTP is necessary if you have Windows clients with versions earlier than Windows XP or if you have Mac OS X v10.2.x clients or earlier.
Authentication method
Mac OS X Server L2TP VPN uses Kerberos v5 or Microsoft's Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) for authentication. Mac OS X Server PPTP VPN exclusively uses MS-CHAPv2 for authentication. Kerberos is a secure authentication protocol that uses a Kerberos Key Distribution Server as a trusted third party to authenticate a client to a server. MS-CHAPv2 authentication encodes passwords when they're sent over the network, and stores them in a scrambled form on the server. This method offers good security during network transmission. It is also the standard Windows authentication scheme for VPN. A Mac OS X Server PPTP VPN can also use other authentication methods. Each method has its own strengths and requirements. These other authentication methods for PPTP are not available in Server Admin.
For a description of PPTP, see RFC 2637. For Kerberos version 5, see RFC 1510.
VPN
Manage VPN
Change the IP address range for VPN
You can use the Server app to change the range of addresses you want the server to reserve for assigning to remote computers when they make a VPN connection to the server. For example, you might make the range larger to make more IP addresses available for VPN connections.
1. In the VPN pane of the Server app, change the first or last IP address in the range.
Important: These addresses on the server's network must not be used by other computers or devices on the network. This range of addresses must not include any static IP addresses in use on the network and must not overlap the range of IP addresses that the DHCP server assigns. The range of addresses needs to be large enough for the maximum number of remote computers with concurrent VPN connections. VPN service assigns an IP address to a remote computer for the duration of a VPN connection. When the remote computer disconnects, VPN service reclaims the IP address.
2. If you have an Internet router that provides DHCP service, such as an AirPort Extreme Base Station (802.11n) or Time Capsule, you may need to adjust its IP address range so that the DHCP and VPN address ranges don't overlap. To configure an AirPort Base Station, use AirPort Utility (in the Utilities folder in Launchpad). For information about changing the settings of an Internet router, see its documentation.
The IP address that VPN service assigns to a remote computer for its VPN connection doesn't replace the IP address that the remote computer is already using to connect to the Internet. The remote computer keeps this IP address and any other IP addresses it's using, and adds the IP address assigned to it for VPN.
Create a VPN configuration profile
You can use the Server app to create a configuration profile that sets up Macs and iOS devices for your VPN service. After users open the profile, they can make a VPN connection to your server and intranet via the Internet.
1. In the Server app sidebar, select VPN, and then click Save Configuration Profile.
2. Specify a filename and location for the configuration profile, enter the host name or IP address of your server on the Internet, and then click Save. The host name is the full, unique name that you registered with your domain name registrar, such as server.example.com. For more information, see Register the server's Internet host name.
After you create a profile, you can have users install it on Macs and on iOS devices such as iPhone, iPad, and iPod touch. Distribute the profile to users by email, or post it to a website. When users open the email attachment or the downloaded profile, they're prompted to start the installation process. You can also distribute profiles over the network directly to iOS devices and Macs by using Profile Manager. For information, see Provide user configuration profiles.
Note: While VPN service is turned on, make sure the server isn't configured to use the Back to My Mac option of MobileMe. The server isn't using this option unless it's signed in to a MobileMe account and Back to My Mac is turned on in the MobileMe pane of System Preferences. VPN service and Back to My Mac conflict because both need to use UDP port 4500.
RELATED TOPICS
About VPN
Provide VPN service through an Internet router
Stop VPN service from the command line
Control a user's access to services
You can ask VPN users to change the IP addresses on their home networks to not begin with the same three numbers as the IP addresses on your intranet. For example, if your intranet IP addresses begin 192.168.1, ask VPN users to use IP addresses beginning with 192.168.2 on their home networks. Private networks can use addresses beginning with 192.168.0 through 192.168.254, 10.0.0 through 10.254.254, and 172.16.0 through 172.31.254. In all cases, use subnet mask 255.255.255.0.
Change your intranet addresses
To avoid conflicts with VPN users' IP addresses, you can use an uncommon IP address range on your intranet. Change the IP addresses of your server and all other devices on your intranet to not use the most common defaults on Internet routers, which are 10.0.1, 192.168.0, and 192.168.1. You can simply pick a different number between 2 and 254 for the third number of your intranet IP addresses. For example, if your intranet IP addresses begin with 192.168.1, change them to begin with 192.168.58 or 192.168.177. If your intranet IP addresses begin with 10.0.1, change them to begin with 10.0.29 or 10.0.103. You can also use 172.16.0 through 172.31.255. In all cases, use subnet mask 255.255.255.0.
Be sure to change the IP addresses that your Internet router or other DHCP server assigns to computers on your intranet. If you have an AirPort Extreme Base Station (802.11n) or a Time Capsule, use AirPort Utility (located in the Utilities folder in Launchpad). For instructions, see AirPort Utility Help. For information about configuring another kind of Internet router, see its documentation.
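The address rules in "Change the IP address range for VPN" (the pool must not overlap the DHCP range, must not contain static addresses, and must be large enough for the expected number of concurrent connections) and the conflict-avoidance advice just above (a VPN user's home network must not share its first three numbers with the intranet; stay inside the private ranges; avoid the common router defaults) are easy to check before touching the VPN pane. The following is an added example, not Apple's code: it encodes those checks with the standard library's ipaddress module. All addresses in it are constructed sample values.

```python
"""Address-range checks for remote-access VPN (added example, not from the Server app)."""
import ipaddress
from typing import Iterable, List

# The private blocks the text lists (10.x, 172.16.x through 172.31.x, 192.168.x).
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Third-number prefixes the text names as the most common Internet-router defaults.
COMMON_ROUTER_DEFAULTS = {"10.0.1", "192.168.0", "192.168.1"}


def address_span(first: str, last: str) -> range:
    """Integer span for a first/last pair as typed into the VPN pane or a DHCP page."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if hi < lo:
        raise ValueError(f"{last} precedes {first}")
    return range(lo, hi + 1)


def check_vpn_pool(first: str, last: str, dhcp_first: str, dhcp_last: str,
                   static_ips: Iterable[str], max_clients: int) -> List[str]:
    """Return the problems with a proposed VPN pool; an empty list means it passes."""
    problems: List[str] = []
    pool = address_span(first, last)
    dhcp = address_span(dhcp_first, dhcp_last)
    lo, hi = max(pool.start, dhcp.start), min(pool.stop, dhcp.stop)
    if lo < hi:  # the two spans share at least one address
        problems.append(f"overlaps DHCP range {ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi - 1)}")
    clashes = [ip for ip in static_ips if int(ipaddress.ip_address(ip)) in pool]
    if clashes:
        problems.append("contains static addresses: " + ", ".join(clashes))
    if len(pool) < max_clients:
        problems.append(f"only {len(pool)} addresses for {max_clients} concurrent clients")
    return problems


def home_network_conflicts(intranet_prefix: str, home_prefix: str) -> bool:
    """True when two 'first three numbers' prefixes (mask 255.255.255.0) are the same network."""
    return ipaddress.ip_network(f"{intranet_prefix}.0/24") == ipaddress.ip_network(f"{home_prefix}.0/24")


def is_private_prefix(prefix: str) -> bool:
    """True when prefix.0/24 lies inside one of the private blocks."""
    net = ipaddress.ip_network(f"{prefix}.0/24")
    return any(net.subnet_of(block) for block in PRIVATE_BLOCKS)


def is_uncommon_intranet_prefix(prefix: str) -> bool:
    """True for a private prefix that is not one of the common router defaults."""
    return is_private_prefix(prefix) and prefix not in COMMON_ROUTER_DEFAULTS


if __name__ == "__main__":
    # Constructed sample: DHCP hands out .100-.210, the router is .1, 30 remote users expected.
    print(check_vpn_pool("192.168.1.200", "192.168.1.220", "192.168.1.100", "192.168.1.210",
                         ["192.168.1.1", "192.168.1.205"], 30))
    print(check_vpn_pool("192.168.1.220", "192.168.1.250", "192.168.1.100", "192.168.1.199",
                         ["192.168.1.1"], 30))
    print(home_network_conflicts("192.168.1", "192.168.1"), is_uncommon_intranet_prefix("192.168.58"))
```

The first call reports all three violations; the second, a pool of 31 addresses above the DHCP range, passes. Feeding the same checks the address ranges of an AirPort base station or another DHCP router is left to the administrator, since those values only live in the router's own configuration.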
RELATED TOPICS
1. Open Terminal (located in /Applications/Utilities/), and enter:
$ sudo serveradmin settings
Authenticate if requested. When you run this command, you no longer see the command-line prompt, but you can enter server settings to change them.
2. Enter the following:
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = value
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = value
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = value
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = value
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = value
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = value
vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:0:Address = value
vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:0:SharedSecret = value
vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:1:Address = value
vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:1:SharedSecret = value
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = value
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = value
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = value
The settings you entered follow:
Setting (in vpn:Servers:com.apple.ppp.l2tp:)      Default          Set this to
enabled                                           no               yes
IPv4:DestAddressRanges                            _empty_array     value
Server:LoadBalancingEnabled                       0                value
Server:LoadBalancingAddress                       1.2.3.4          value
PPP:AuthenticatorProtocol:_array_index:n          "MSCHAP2"        value
PPP:AuthenticatorPlugins:_array_index:n           "DSAuth"         value
Radius:Server:_array_index:0:Address              1.1.1.1          value
Radius:Server:_array_index:0:SharedSecret         1                value
Radius:Server:_array_index:1:Address              2.2.2.2          value
Radius:Server:_array_index:1:SharedSecret         2                value
IPSec:AuthenticationMethod                        "SharedSecret"   value
L2TP:IPSecSharedSecretValue                       ""               value
IPSec:LocalCertificate                            ""               value
3. When you finish changing settings, hold down the Control key and press D.
1. Open Terminal (located in /Applications/Utilities/), and enter:
$ sudo serveradmin settings
Authenticate if requested. When you run this command, you no longer see the command-line prompt, but you can enter server settings to change them.
2. Enter the following:
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = value
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = value
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = value
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:0:Address = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:0:SharedSecret = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:1:Address = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:1:SharedSecret = value
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeysize40 = value
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeysize128 = value
The settings you entered follow:
Setting (in vpn:Servers:com.apple.ppp.pptp:)      Default          Set this to
enabled                                           no               yes
IPv4:DestAddressRanges                            _empty_array     value
PPP:AuthenticatorProtocol:_array_index:n          MSCHAP2          value
PPP:AuthenticatorPlugins:_array_index:n           DSAuth           value
Radius:Server:_array_index:0:Address              1.1.1.1          value
Radius:Server:_array_index:0:SharedSecret         1                value
Radius:Server:_array_index:1:Address              2.2.2.2          value
Radius:Server:_array_index:1:SharedSecret         2                value
PPP:MPPEKeysize40                                 0                value
PPP:MPPEKeysize128                                0                value
3. When you finish changing settings, hold down the Control key and press D.
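Typing the L2TP and PPTP settings above by hand invites mistakes in the array indices, the quoting, and the order of the address range. The generator below is an added example and not part of Apple's serveradmin tooling: it builds exactly the key/value lines listed in the two tables from a handful of inputs, so the text can be piped into `sudo serveradmin settings` in one go, and it refuses a reversed address range, an empty RADIUS or IPSec shared secret, and L2TP with neither a secret nor a certificate. It sets MPPEKeysize40 to 0 and MPPEKeysize128 to 1 on the reading that these are on/off flags (the tables show only the 0 defaults), quotes string values the way the L2TP table shows them, and uses "Certificate" as the IPSec authentication-method value when a certificate is given; that last value is an assumption, since the tables show only the "SharedSecret" default. Every address and secret in it is a constructed placeholder.

```python
"""Generate the lines fed to `sudo serveradmin settings` for L2TP and PPTP (added example)."""
import ipaddress
from typing import List, Optional, Sequence, Tuple

L2TP = "vpn:Servers:com.apple.ppp.l2tp"
PPTP = "vpn:Servers:com.apple.ppp.pptp"


def _quoted(value: str) -> str:
    """String values appear in double quotes; escape any embedded quote."""
    return '"' + value.replace('"', '\\"') + '"'


def _common_lines(prefix: str, first: str, last: str, auth_protocol: str,
                  plugin: str, radius: Sequence[Tuple[str, str]]) -> List[str]:
    """Lines shared by both protocols: enable, address pool, authenticator, RADIUS servers."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError(f"address range {first}-{last} is reversed")
    lines = [
        f"{prefix}:enabled = yes",
        f"{prefix}:IPv4:DestAddressRanges:_array_index:0 = {lo}",
        f"{prefix}:IPv4:DestAddressRanges:_array_index:1 = {hi}",
        f"{prefix}:PPP:AuthenticatorProtocol:_array_index:0 = {_quoted(auth_protocol)}",
        f"{prefix}:PPP:AuthenticatorPlugins:_array_index:0 = {_quoted(plugin)}",
    ]
    for i, (addr, secret) in enumerate(radius):
        ipaddress.ip_address(addr)            # raises on a malformed RADIUS address
        if not secret:
            raise ValueError(f"RADIUS server {addr} has an empty shared secret")
        lines.append(f"{prefix}:Radius:Server:_array_index:{i}:Address = {addr}")
        lines.append(f"{prefix}:Radius:Server:_array_index:{i}:SharedSecret = {_quoted(secret)}")
    return lines


def l2tp_settings(first: str, last: str, shared_secret: Optional[str] = None,
                  certificate: Optional[str] = None, auth_protocol: str = "MSCHAP2",
                  plugin: str = "DSAuth", radius: Sequence[Tuple[str, str]] = ()) -> List[str]:
    """L2TP/IPSec settings; IPSec needs a shared secret or a certificate, never neither."""
    lines = _common_lines(L2TP, first, last, auth_protocol, plugin, radius)
    if certificate:
        lines.append(f"{L2TP}:IPSec:AuthenticationMethod = {_quoted('Certificate')}")  # assumed value
        lines.append(f"{L2TP}:IPSec:LocalCertificate = {_quoted(certificate)}")
    elif shared_secret:
        lines.append(f"{L2TP}:IPSec:AuthenticationMethod = {_quoted('SharedSecret')}")
        lines.append(f"{L2TP}:L2TP:IPSecSharedSecretValue = {_quoted(shared_secret)}")
    else:
        raise ValueError("L2TP/IPSec needs either a shared secret or a certificate")
    return lines


def pptp_settings(first: str, last: str, auth_protocol: str = "MSCHAP2",
                  plugin: str = "DSAuth", radius: Sequence[Tuple[str, str]] = ()) -> List[str]:
    """PPTP settings with 128-bit MPPE only; the text calls 40-bit 'weak', so it stays off."""
    lines = _common_lines(PPTP, first, last, auth_protocol, plugin, radius)
    lines += [f"{PPTP}:PPP:MPPEKeysize40 = 0", f"{PPTP}:PPP:MPPEKeysize128 = 1"]  # 0/1 assumed as off/on
    return lines


def render(lines: List[str]) -> str:
    """Join the lines into the text to pipe into `sudo serveradmin settings`."""
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed placeholders: pool .220-.250, one RADIUS server, an IPSec shared secret.
    print(render(l2tp_settings("192.168.1.220", "192.168.1.250", shared_secret="example-secret",
                               radius=[("10.0.5.1", "example-radius-secret")])))
    print(render(pptp_settings("192.168.1.220", "192.168.1.250")))
```

Write the rendered text to a file and run `sudo serveradmin settings < file`, which is the batch form of step 1 above; the interactive session shown there accepts the same lines one at a time.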
When configuring the firewall for L2TP and PPTP, you must configure GRE, ESP, and IKE to permit VPN access through the firewall. By default, Firewall service blocks incoming VPN connections, but you can provide limited VPN access to specific IP addresses for security or ease of administration.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Firewall.
4. Click Settings.
5. Select Advanced, then click the Add button (+).
6. From the Action pop-up menu, choose Allow.
7. From the Protocol pop-up menu, choose an option. If you use L2TP for VPN access, choose UDP. If you use PPTP for VPN access, choose TCP.
8. From the Service pop-up menu, choose VPN L2TP or VPN PPTP. The relevant destination port is added to the Port field.
9. (Optional) Select the "Log all packets matching this rule" checkbox.
10. From the Address pop-up menu of the Source section, choose Other and enter the source IP address range (using CIDR notation) that you want to give access to the VPN. You can also specify a port in the Port field of the Source section. Computers that have an IP address in the IP address range that you specified in the source IP address field, communicating on the source port you specified, can connect to the VPN service.
11. From the Destination Address pop-up menu, choose the address group that contains the VPN server (for the destination of filtered traffic). If you don't want to use an existing address group, select Other and enter the destination IP address range (with CIDR notation). You can also specify a port in the Port field of the Source section.
12. From the Interface pop-up menu that this rule applies to, choose In. In refers to the packets coming into the server.
13. Click OK.
14. Click the Add button (+).
15. From the Action pop-up menu, choose Allow.
16. From the Protocol pop-up menu, choose a protocol or Other: If you are adding GRE or ESP, choose Other and enter "any" in the field. If you are adding VPN ISAKMP/IKE, choose UDP.
17. From the Service pop-up menu, choose a service: If you are adding GRE, choose "GRE - Generic Routing Encapsulation protocol". If you are adding ESP, choose "ESP - Encapsulating Security Payload protocol". If you are adding VPN ISAKMP/IKE, choose VPN ISAKMP/IKE. Destination port 500 is added to the Port field.
18. From the Address pop-up menu of the Source section, choose any.
19. In the Port field of the Source section, enter any.
20. From the Address pop-up menu of the Destination section, choose any.
21. In the Port field of the Destination section, enter a port number. If you are adding VPN ISAKMP/IKE, enter 500 if it is not shown.
22. From the Interface pop-up menu, choose Other and enter "any" in the Other field of the Interface section.
23. Click OK.
24. Repeat steps 14 through 23 for GRE, ESP, and VPN ISAKMP/IKE.
25. Click Save to apply the filter immediately.
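After working through the 25 steps it is worth confirming that the resulting rule list really contains every opening the chosen VPN protocol needs, and only for the source addresses you meant to admit. The checker below is an added example, not part of Server Admin. Its requirements follow the procedure above (L2TP: UDP plus ESP and ISAKMP/IKE on UDP 500; PPTP: TCP plus GRE) together with the ports other VPN sections of this help give (L2TP on UDP 1701, IKE NAT traversal on UDP 4500). PPTP's control port, TCP 1723, is not stated on the page and is supplied here from the protocol's own specification. The rules and addresses are constructed sample data shaped like Server Admin's Advanced filter rules (action, protocol, source in CIDR notation, destination port, interface).

```python
"""Check a firewall rule list for the openings a VPN service needs (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Need = Tuple[str, Optional[int]]   # (protocol, destination port); None = protocol-level, no port

REQUIRED: Dict[str, List[Need]] = {
    "l2tp": [("udp", 1701), ("udp", 500), ("udp", 4500), ("esp", None)],
    "pptp": [("tcp", 1723), ("gre", None)],   # TCP 1723 from the PPTP specification, not the page
}


def rule(action: str, protocol: str, source: str = "0.0.0.0/0",
         dst_port: Optional[int] = None, interface: str = "in") -> dict:
    """One Advanced filter rule in the shape the steps above produce."""
    return {"action": action, "protocol": protocol, "source": source,
            "dst_port": dst_port, "interface": interface}


def rule_covers(r: dict, proto: str, port: Optional[int], client: str) -> bool:
    """True if an Allow rule admits `proto`/`port` from `client` on the inbound path."""
    if r["action"] != "allow" or r["protocol"] != proto:
        return False
    if r["interface"] not in ("in", "any"):
        return False
    if port is not None and r["dst_port"] not in (None, port):
        return False
    return ipaddress.ip_address(client) in ipaddress.ip_network(r["source"])


def missing_openings(rules: List[dict], vpn: str, client: str) -> List[Need]:
    """Openings that `vpn` ('l2tp' or 'pptp') still lacks for connections from `client`."""
    return [need for need in REQUIRED[vpn]
            if not any(rule_covers(r, need[0], need[1], client) for r in rules)]


# Constructed sample: the administrator opened L2TP, IKE and NAT-T for one branch
# network only (203.0.113.0/24 is a documentation range), and GRE from anywhere.
SAMPLE_RULES = [
    rule("allow", "udp", source="203.0.113.0/24", dst_port=1701),
    rule("allow", "udp", source="203.0.113.0/24", dst_port=500),
    rule("allow", "udp", source="203.0.113.0/24", dst_port=4500),
    rule("allow", "gre", source="0.0.0.0/0", interface="any"),
]


if __name__ == "__main__":
    print("l2tp from branch:", missing_openings(SAMPLE_RULES, "l2tp", "203.0.113.7"))
    print("l2tp from elsewhere:", missing_openings(SAMPLE_RULES, "l2tp", "198.51.100.9"))
    print("pptp from branch:", missing_openings(SAMPLE_RULES, "pptp", "203.0.113.7"))
```

For the sample, a branch client is only missing ESP, a client outside the branch range is missing everything L2TP needs (which is the intended restriction), and PPTP lacks its TCP rule. A deny rule earlier in the list can still shadow an allow; this checker looks only at the allow rules, which is what the procedure above creates.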
View detailed VPN status
Open Terminal (located in /Applications/Utilities/), and enter:
$ sudo serveradmin fullstatus vpn
View the log path
Open Terminal (located in /Applications/Utilities/), and enter:
$ sudo serveradmin command vpn:command = getLogPaths
When two networks are linked they can interact as if they are physically connected. Each site must have its own connection to the Internet, but the private data is sent encrypted between the sites. This type of link is useful for connecting satellite offices to an organization's main office LAN. Linking multiple remote LAN sites to a main LAN requires using the s2svpnadmin command-line utility to administer site-to-site VPN. To use s2svpnadmin you need root privilege access through sudo. For more about s2svpnadmin, see the s2svpnadmin man page.
Linking multiple remote LAN sites to a main LAN can require the creation of a security certificate. The s2svpnadmin tool can create links using shared-secret authentication (both sites have a password in their configuration files) or certificate authentication. To use certificate authentication, you must create the certificate before running s2svpnadmin.
You can only make site-to-site VPN connections using L2TP/IPSec VPN connections. You cannot link two sites using PPTP and these instructions. This example uses the following settings:
Setting                                                                 Description or example
Desired VPN type                                                        L2TP
Authentication                                                          Using shared secret
Shared secret                                                           prDwkj49fd!254
Internet or public IP address of the VPN main LAN gateway (Site 1)     A.B.C.D
Internet or public IP address of the VPN remote LAN gateway (Site 2)   W.X.Y.Z
Private IP address of site 1                                            192.168.0.1
Private IP address of site 2                                            192.168.20.1
Private network IP address range and netmask for site 1                 192.168.0.0-192.168.0.255 (also expressed as 192.168.0.0/16 or 192.168.0.0:255.255.0.0)
Private network IP address range and netmask for site 2                 192.168.20.0-192.168.20.255 (also expressed as 192.168.20.0/24 or 192.168.0.0:255.255.0.0)
Organization's DNS IP address                                           192.168.0.2
The result of this configuration is an auxiliary, remote LAN, connected to a main LAN using L2TP.
Run s2svpnadmin on both site gateways
1. Open Terminal (located in /Applications/Utilities/), and enter:
$ sudo s2svpnadmin
2. Enter the relevant number for "Configure a new site-to-site server".
3. Enter an identifying configuration name (no spaces). For this example, you could enter site_1 on site 1's gateway, and so on.
4. Enter the gateway's public IP address. For this example, enter A.B.C.D on site 1's gateway and W.X.Y.Z on site 2's gateway.
5. Enter the other site's public IP address. For this example, enter W.X.Y.Z on site 1's gateway and A.B.C.D on site 2's gateway.
6. Enter s for shared secret authentication, and enter the shared secret prDwkj49fd!254. If you are using certificate authentication, enter c and choose the installed certificate you want to use.
7. Enter at least one addressing policy for the configuration.
8. Enter a local subnet network address (for example, 192.168.0.0 for site 1 and 192.168.20.0 for site 2).
9. For the address range, enter the prefix bits in CIDR notation. In this example, the CIDR notation for the subnet range is 192.168.2.0/24 for site 1, so you enter 24.
10. Enter a remote subnet network address (for example, 192.168.20.0 for site 1 and 192.168.0.0 for site 2).
11. For the address range, enter the prefix bits in CIDR notation. In this example, the CIDR notation for the subnet range is 192.168.2.0/24 for site 1, so you enter 24.
12. If you have more addressing policies, enter them now; otherwise, press Return. If you had more sites to connect or a more complex address setup (linking only parts of your main LAN and the remote LAN), you would make more addressing policies for this site configuration now. Repeat steps 7 through 12 for each new addressing policy.
13. Press y to enable the site configuration. You can verify your settings by choosing to show the configuration details of the server and entering the configuration name (in this example, site_1).
14. Exit s2svpnadmin.
Configure the firewall on both site gateways
1. Create an address group for each server with only the server's public IP address. In this example, name the first group Site 1 and enter the public IP address of the server. Then name the second group Site 2 and enter the public IP address of the other server.
2. Open the firewall to external VPN connections by enabling L2TP (port 1701) connections and IKE NAT Traversal (port 4500) in the any address group.
3. Create the following Advanced IP filter rules on both site gateways:
Filter Rule 1
Action: Allow
Protocol: UDP
Source Address: Site 1
Destination Address: Site 2
Interface: Other; enter isakmp
Filter Rule 2
Action: Allow
These rules permit the encrypted traffic to be passed to both hosts.
4. Save your changes.
5. Start or restart the firewall, as needed.
Start VPN service on both site gateways
1. For both VPN gateways, open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. Select VPN from the expanded Servers list. If you used s2svpnadmin correctly, the Start button should be enabled and ready to use.
4. Click Start VPN.
You should now be able to access a computer on the remote LAN from the local LAN. To verify the link, use ping or some other means.
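Steps 8 through 11 of the s2svpnadmin session ask for each site's local and remote subnet together with the prefix bits, and the answers must mirror each other on the two gateways. The helper below is an added example, not part of s2svpnadmin or Apple's documentation: from the settings table's values it derives the prefix bits for an inclusive first-to-last range, checks that each gateway's private address lies inside its own range and that the two ranges do not overlap (overlapping ranges would make the routes ambiguous), and emits the local/remote pair each gateway needs. Summarizing 192.168.0.0 to 192.168.0.255 yields /24; the /16 spelling listed in the table as an alternative would cover site 2's range as well, which the overlap check reports.

```python
"""Derive s2svpnadmin addressing-policy answers from site definitions (added example)."""
import ipaddress
from typing import Dict, Tuple

Policy = Tuple[str, int, str, int]   # (local subnet, local bits, remote subnet, remote bits)


def cidr_of_range(first: str, last: str) -> ipaddress.IPv4Network:
    """Collapse an inclusive first-last range into a single CIDR block, or fail."""
    nets = list(ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                                  ipaddress.ip_address(last)))
    if len(nets) != 1:
        raise ValueError(f"{first}-{last} is not a single CIDR block")
    return nets[0]


def site(name: str, public_ip: str, gateway_ip: str, range_first: str, range_last: str) -> dict:
    """Describe one site; the public IP is kept as given (the table uses placeholders)."""
    net = cidr_of_range(range_first, range_last)
    gw = ipaddress.ip_address(gateway_ip)
    if gw not in net:
        raise ValueError(f"{name}: gateway {gw} is outside its own range {net}")
    return {"name": name, "public": public_ip, "gateway": gw, "net": net}


def addressing_policies(site_a: dict, site_b: dict) -> Dict[str, Policy]:
    """Per configuration name, the answers to steps 8-11 on that site's gateway."""
    if site_a["net"].overlaps(site_b["net"]):
        raise ValueError(f"ranges {site_a['net']} and {site_b['net']} overlap")
    policies: Dict[str, Policy] = {}
    for me, other in ((site_a, site_b), (site_b, site_a)):
        policies[me["name"]] = (str(me["net"].network_address), me["net"].prefixlen,
                                str(other["net"].network_address), other["net"].prefixlen)
    return policies


# The example table's values; A.B.C.D and W.X.Y.Z are the table's own placeholders.
SITE_1 = site("site_1", "A.B.C.D", "192.168.0.1", "192.168.0.0", "192.168.0.255")
SITE_2 = site("site_2", "W.X.Y.Z", "192.168.20.1", "192.168.20.0", "192.168.20.255")


if __name__ == "__main__":
    for name, (local, lbits, remote, rbits) in addressing_policies(SITE_1, SITE_2).items():
        print(f"{name}: local {local} /{lbits}   remote {remote} /{rbits}")
```

For site_1 this prints local 192.168.0.0 /24 and remote 192.168.20.0 /24, and the mirror image for site_2, which is what steps 8 through 11 expect on each gateway.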
Push Notification
Start push notification service
Change a push certificate's Apple ID
Revoke push notification connection permission
Renew a push notification certificate
Push notification certificate
[Screenshot callouts] Password: this is the password associated with the Apple ID, not the administrator password for the server. Button: click to continue enabling push notifications. Link: click to open Safari to a webpage for creating or retrieving an Apple ID.
After enabling push notification
Once you enable push notification, you can change the Apple ID associated with the certificate, renew the certificate, or revoke the certificate.
Item: Apple ID
Description: This is the user name registered with Apple.
Action: Click Change to reissue a certificate under a different Apple ID.
Item: Expires
Description: The certificate is good until the listed date. You must renew the certificate to avoid interrupted service.
Action: Click Renew to reissue a certificate with the same Apple ID, but with an extended expiration date.
Item: Manage your certificates
Description: This is a link to the Apple Push Certificates Portal. You revoke compromised certificates using the portal.
Action: Click the phrase to open the correct URL in Safari.
RELATED TOPICS
About push notification
Start push notification service
Change a push certificate's Apple ID
Revoke push notification connection permission
Renew a push notification certificate
1. Log in to the Apple Push Certificates Portal. Sign in with the Apple ID you used to request the certificate.
2. In the Mac OS X Server Certificates section, locate the certificate for the desired server.
3. Click Revoke in the Actions column, and confirm the action.
4. When you finish, sign out.
RELATED TOPICS
About push notification
Start push notification service
Change a push certificate's Apple ID
Renew a push notification certificate
Push notification certificate
1. Select the server in the Hardware section of the Server app sidebar.
2. Select Enable Apple push notifications.
3. Enter the Apple ID and password. If you don't have an Apple ID for your organization, follow the link to create one.
4. Click Get certificate.
RELATED TOPICS
About push notification
Change a push certificate's Apple ID
Revoke push notification connection permission
Renew a push notification certificate
Push notification certificate
1. Select the server in the Hardware section of the Server app sidebar.
2. Next to Enable Apple push notifications, click Edit.
3. Next to the expiration date, click Renew.
4. Supply the Apple ID and password.
5. Click Renew certificate.
RELATED TOPICS
About push notification
Start push notification service
Change a push certificate's Apple ID
Revoke push notification connection permission
Push notification certificate
1. Select the server in the Hardware section of the Server app sidebar.
2. Next to Enable Apple push notifications, click Edit.
3. Next to the Apple ID, click Change. A warning states that changing the Apple ID disrupts existing push notifications until users reregister their devices with the service.
4. Read the warning and click Continue.
5. Supply the Apple ID and password.
6. Click Renew certificate.
RELATED TOPICS
About push notification
Start push notification service
Revoke push notification connection permission
Renew a push notification certificate
Push notification certificate
About accounts
By default, Mac OS X Lion includes a local directory, but doesn't enable a network account server, which manages network accounts. In the Server app, you can enable a network account server. If your server has a network account server, the server also has a directory administrator account. This account has the password you entered during setup, but its name is Directory Administrator and its short name is diradmin. If you migrated to Mac OS X Lion from Mac OS X Server v10.6, the name and short name of the directory administrator account are migrated over.
The directory administrator account is stored in the network account server, along with user accounts you create in the Users pane of the Server app. If a malfunction makes the primary administrator account unusable, you can use the server's directory administrator account to authenticate in the Server app and manage the server locally or remotely. By default, the directory administrator account isn't shown in the Users pane of the Server app. You can view the directory administrator and all other administrator and system accounts by choosing View > Show System Accounts.
Primary and directory administrator accounts compared
The following table compares the primary administrator account and the directory administrator account.
Feature                                              Primary administrator      Directory administrator
Name and short name                                  Specified during setup     Directory Administrator and diradmin
Stored in the server's local directory               Yes                        No
Stored in the server's network account server        No                         Yes
Can be used from an administrator computer           Yes                        Yes
Administrators on an upgraded server
If your server was previously upgraded or migrated from a standard or workgroup configuration of Mac OS X Server v10.5 Leopard, you have different administrator accounts. Your primary administrator account is in your server's directory. This is a directory administrator account, and it has the name and short name specified during Leopard Server setup. You also have an administrator account stored on your server, and it has the name Local Administrator and short name localadmin. For more information about these accounts, see Getting Started for Mac OS X Server v10.5. It's available on the Apple Manuals website at support.apple.com/manuals/.
Administrator account security
To keep your server secure:
Don't share an administrator name or password with anyone.
Log out when you leave your server, or set up a locked screen saver using the Security pane of System Preferences. If you leave your server while you're logged in and the screen is unlocked, someone could make changes using your administrator privileges.
Turn off Automatic login in the Users & Groups pane, under Login Options of System Preferences. If the server logs in as an administrator, someone can restart the server to gain access as an administrator.
For added security, routinely log in on the server using a standard user account. Use your administrator name and password when you open the Server app or another application that requires administrator privileges.
RELATED TOPICS
About accounts
Importing existing accounts, if your organization has a network account server (also known as a directory s erver) that your server is connected to Importing from a file You can import us er accounts individually. You can also automatically import all user accounts that are members of a group. The Us ers pane of the Server app lists local us er accounts (including us er accounts created in System Preferences), network accounts s tored in your servers network account s erver, and imported user accounts. Local user accounts Users with administrator privileges on their Macs can create local us er accounts using the Us ers & Groups pane of System Preferences. These local user accounts are stored on the users computer. Local us er accounts have home folders on the computer and can be used to log in to the computer. Users cant use their computers local user accounts to access the server over the network. Users can us e the s erver's local user accounts to access the server over the network. Like us ers Macs, your server has local accounts in addition to server accounts and, possibly, imported accounts. Your servers local accounts can be used to log in to the server, and a local account with adminis trator privileges can be used to administer the server. For information about administrator privileges, see About administrator accounts. Network accounts Network accounts are s tored in your s ervers network account s erver or in a connected network account server. You can use Server app or Server Admin to enable a network account server on your server. If you dont enable the network account server, then all accounts you create on the server are stored in the s ervers local directory. Accounts stored in the servers local directory can be used to authenticate to services hos ted by the server but they cant be us ed to log in. Imported user accounts Imported user accounts remain in your organizations network account s erver. 
Imported user accounts can access your server's services. You can let imported users administer your server, or be members of groups stored on your server. When someone uses an imported user account, your server combines the account information stored in the network account server with additional privileges given by your server.

Types of user accounts compared
Your server can have its own network accounts or use accounts from an existing network server. You can also import accounts, which stores a synced copy of the network account from another network server on your network server. Here's a comparison of the four types of accounts:
The original table has four columns: Local accounts; Network accounts on your server; Network accounts from an existing network server; Imported accounts. Each feature row is listed below with its four cells.

Where the account is stored
- Local accounts: Local directory
- Network accounts on your server: Local network server
- Network accounts from an existing network server: Another network server
- Imported accounts: Another network server, synced to the local network server

Who creates this
- Local accounts: A user with an administrator account on the computer, using System Preferences; or using the Server app if the server's network account server is disabled; or Workgroup Manager
- Network accounts on your server: You (a server administrator), using the Server app or Workgroup Manager
- Network accounts from an existing network server: The network account server's administrator
- Imported accounts: The network account server's administrator

Membership in network groups
- Allowed for all four account types

System Preferences support
- Local accounts: Allows editing (including changing the password) and local group membership
- Network accounts on your server: Can change password
- Network accounts from an existing network server: Can change password
- Imported accounts: Can change password

Local access to the server's services
- Full access for all four account types

Remote access to the server's services
- Local accounts: Full access
- Network accounts on your server: Full access
- Network accounts from an existing network server: Wiki only
- Imported accounts: Full access

Access to group shared folders
- Local accounts: Full access
- Network accounts on your server: Full access
- Network accounts from an existing network server: Wiki only
- Imported accounts: Full access

One further row of the table lost its label in extraction; its four cells, in the order they appear in the source, are: Yes, Yes, No, No.
Related topics: About administrator accounts; Create a user account; Import users from another network account server; Import users and groups from a file
Import users and groups from a file
1. If your server is not set up to host network accounts, set it up to do so. When you're viewing the Server app, if the Manage > Manage Network Accounts option is listed, your server is not set up to host network accounts. For information about setting up your server to host network accounts, see Host network accounts.
2. In the Server app, choose Manage > Import Accounts from File.
3. Select the file to import and then click Open.
Related topics: Use advanced tools for more services; Host network accounts; Reset a user's password; Change a user's account settings; Create a user account; Create groups
1. In the Users pane of the Server app, select the user account to delete.
2. Click the Delete button.
3. Click Done to save your changes to the user account.

Change advanced user account settings
1. In the Users pane of the Server app, Control-click a user account and choose Advanced Options. The following settings are available:
- User ID: This numerical ID is used for folder and file permissions.
- Group: This is the UNIX group the user belongs to. Typically, this should be the "staff" group.
- Account Name: This is the user's account name.
- Aliases: These are other account names the user can use to log in.
- Login shell: This is the user's UNIX shell. By default, this is /bin/bash.
- Home directory: This is the location of the user's home folder.
Related topics: Reset a user's password; Enable shared home folders; Control a user's access to services; Change a user's or group's name; Change a user's or group's picture; Create a user account; Import users from another network account server
1. If you haven't done so, set up your server to host network accounts. For information, see Host network accounts.
2. Enable a shared home folder if you haven't done so. For information, see Enable shared home directory folders.
3. In the Users pane of the Server app, double-click a user account.
4. Choose a folder from the Home Folder pop-up menu and then click Done. If the Home Folder pop-up menu doesn't appear, you don't have a shared home folder enabled. If you choose Local Only, the user won't have a home folder on the server and can't log in using the account information stored on the server.
Control a user's access to services
1. In the Server app, click Users.
2. Control-click the user and choose Edit Access to Services.
3. In the dialog that appears, select the checkboxes for services you want the user to access, then click OK.
Related topics: Publish a website
Reset a user's password
1. In the Users pane of the Server app, Control-click a user and then choose Reset Password.
2. Enter the user's new password in the New Password and Verify fields and then click Change Password. You can use Password Assistant to help you choose a password. Click the button next to the New Password field to see how secure the password is. The user can change this password in the Users & Groups pane of System Preferences on the user's computer.
Related topics: Change a user's account settings; Set the global password policy
Set the global password policy
1. In the Users pane of the Server app, choose Edit Global Password Policy from the Action pop-up menu.
2. Select the options to enable and then click OK.
1. In the Users pane of the Server app, double-click a user account.
2. Click Wipe or Lock next to a device.
Related topic: Imported account
Host network accounts
Hosting network accounts on your server is also known as setting up an Open Directory master.
1. In the Server app, choose Manage > Manage Network Accounts. If Manage Network Accounts isn't listed, your server already hosts network accounts.
2. In the assistant that appears, click Next.
3. In the Directory Administrator step, enter a name and password for the directory administrator account, then click Next. The directory administrator account can manage the network server and server services, and administer the computer. Choose a strong password.
4. In the Organization Information step, enter the name of your organization and a valid email address, then click Next. The information you provide is used to set up the certificate server.
5. In the Confirm Settings step, make sure the information you entered is correct, and then click Set Up.
Related topics: About user accounts; Create a user account; Import users from another network account server; Import a group from another network account server
Create groups
You can create groups with the Server app.
1. In the Groups pane of the Server app, click the Add button (+).
2. In the Full Name field, enter the group name. The name can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.
3. In the Group Name field, enter the group's short name. If you don't want to use the generated short name, enter a different short name. After the account is created, you can't change the short name. The short name typically is eight or fewer characters, but can be up to 255 Roman characters. Use only the characters a through z, A through Z, 0 through 9, . (period), _ (underscore), or - (hyphen).
4. To associate a picture with the group account, click the silhouette and select a standard picture, or click Edit Picture for a customized picture. When you click Edit Picture, you can take a picture with your computer's camera or choose a graphic file on your computer. After taking or choosing a picture, you can drag the picture to pan it or use the slider to zoom it. When you finish customizing the picture, click Set.
5. Click Done to create the group account.
Related topics: Choose group services; Add or remove group members; Change a user's or group's name; Change a user's or group's picture; Delete a group
Delete a group
You can use the Server app to delete group accounts that are no longer needed.
1. In the Groups pane of the Server app, select a group.
2. Click the Delete button.
Related topic: Create groups
3. Select a user name to add the user to the group.
4. Click Done to save your changes to the group account.

Add several group members
1. In the Groups pane of the Server app, double-click a group name, or select a group and click Edit (pencil). The group's account information is shown.
2. Click Add (+) and enter a user name.
3. Select Browse in the list that appears. A window listing all local and network users and groups appears. The list also includes users and groups in the external network account server, if your server is connected to one. If there are too many accounts to list in the window, you won't see accounts until you search for them.
4. Drag users and groups from the window to the Members list. To select a range of users and groups, hold down the Shift key while selecting users and groups. To select or deselect them individually, hold down the Command key while clicking.
5. Click Done to save changes to the group account.

Remove a group member
1. In the Groups pane of the Server app, double-click a group name or select a group and click Edit (pencil). The group's account information is shown.
2. Select a group member and click Remove.
3. Click Done to save changes to the group account.
Related topics: Change a user's group membership; Change a user's or group's name; Change a user's or group's picture; Choose group services; Create groups
Change a user's group membership
1. In the Users pane of the Server app, double-click a user.
2. Do any of the following:
- To add a group, click the Add button (+) and then enter the name of the group. The name autocompletes as you type. If the name doesn't autocomplete, make sure you spelled the group's name correctly. This looks up local and network account names, including in the external network account server (also known as a directory server), if your server is connected to one.
- To remove a group, select the group and then click Remove.
Change a user's or group's name
1. Do one of the following:
- To change a user's name, in the Users pane of the Server app, double-click a user.
- To change a group's name, in the Users pane of the Server app, double-click a group.
2. Edit the Full Name field and then click Done.
Related topics: Change a user's account settings; Change a user's or group's picture; Reset a user's password; Choose group services
Change a user's or group's picture
1. Do one of the following:
- To change a user's picture, in the Users pane of the Server app, double-click a user.
- To change a group's picture, in the Groups pane of the Server app, double-click a group.
2. Do one of the following:
- To use an included picture, click the picture area and choose a picture from the pop-up menu.
- To use a picture from your computer, find the picture in the Finder and drag the picture to the picture area.
3. To edit the picture, do any of the following:
- Replace the picture with a picture you've used recently: Click Recent Pictures, then click a picture.
- Replace the picture with a picture from your computer: Click Choose.
- Take a picture using a video camera attached to your computer: Click the camera button.
- Move the picture: Drag it up, down, or sideways.
- Crop the picture: Drag the slider.
- Apply a visual effect: Click the Visual Effects button (swirl), scroll through the available effects, and select the effect you want.
Related topics: Change a user's or group's name; Change a user's account settings; Choose group services
Choose group services
1. In the Groups pane of the Server app, double-click a group name, or select a group and click Edit (pencil). The group's account information is shown.
2. Enable or disable the following services:
- Give this group a shared folder: Select this option to create a shared folder for the group in /Groups/groupname/ on the server, where groupname stands for the group's name. When group members log in, they can access this folder by connecting to afp://servername/Groups/groupname/ in the Finder, and then upload files to it.
- Make group members iChat buddies: Select this option to include group members as iChat buddies. When group members open iChat, the server is included as an iChat server, and group members are included in the list.
- Create Group Wiki: Click this button to create a private wiki for the group. Group members can create and edit content in the wiki.
Related topics: Add or remove group members; Control a user's access to services; Make all group members iChat buddies; Set up a group file sharing folder
Make all group members iChat buddies
1. In the Groups pane of the Server app, double-click a group.
2. Select Make group members iChat buddies.
Set up a group file sharing folder
1. In the Groups pane of the Server app, double-click a group.
2. Select Give this group a shared folder and then click Done. After the shared folder is created, you can click the arrow button next to the option to view the contents of the shared folder.
Related topics: Add or remove group members; Choose group services; Control a user's access to services; Make all group members iChat buddies
Connect to another network account server
1. In the Server app, choose Manage > Connect to Directory. If your server isn't set up to host network accounts, the "Configure Network Users and Groups" assistant appears. After you complete this assistant, the "Connect to Directory" assistant appears. For information about setting up your server to host network accounts, see Host network accounts.
2. Proceed through the assistant that appears; when the assistant asks you to enter the server address of the directory server that has the accounts to import, enter it and click Next.
3. If the dialog expands to show fields for Client Computer ID, User Name, and Password, enter the name and password of a user account on the directory server. For an Open Directory server, you can enter the name and password of a standard user account; you don't need to use a directory administrator account. Depending on the network account server settings, you might be able to connect without authentication by leaving these fields blank, although this is less secure. For an Active Directory server, you can enter the name and password of an Active Directory administrator account or a standard user account that has the "Add workstations to domain" privilege.
4. In the Confirm Settings step, make sure all settings are correct and then click Set Up.
When you connect to another network server, the Manage menu no longer lists Connect to Directory. When you create users or groups, you can now import accounts. Connect to your first network account server using the Server app, and connect to additional network account servers using System Preferences. You can also disconnect from network account servers using System Preferences. For information about joining network account servers in System Preferences, see System Preferences Help.
Related topics: Import users from another network account server; Import a group from another network account server
Import users from another network account server
1. If your server is not set up to host network accounts, set it up to do so. When you're viewing the Server app, if the Manage > Manage Network Accounts option is listed, your server is not set up to host network accounts. For information about setting up your server to host network accounts, see Host network accounts.
2. In the Users pane of the Server app, click the Add button (+). A New User dialog appears.
3. From the Type pop-up menu, choose Imported user from directory. If you don't see the Type pop-up menu, your server isn't connected to a network account server in your organization. For information on connecting to a network account server, see Connect to another network account server. If your organization doesn't have a network account server (other than your server), you can't import users, but you can create user accounts.
4. Type part or all of the user's name in the search field; then, when you see the name, select it and click Import.
5. When you finish importing user accounts, click Done.
Related topics: Connect to another network account server; About user accounts; Import a group from another network account server
Import a group from another network account server
1. If your server is not set up to host network accounts, set it up to do so. When you're viewing the Server app, if the Manage > Manage Network Accounts option is listed, your server is not set up to host network accounts. For information about setting up your server to host network accounts, see Host network accounts.
2. In the Groups pane of the Server app, click the Add button (+). The New Group dialog appears.
3. From the Type pop-up menu, choose Imported group from directory. If you don't see the Type pop-up menu, your server isn't connected to a network account server in your organization. If your organization doesn't have a network account server (other than your server), you can't import groups, but you can create group accounts.
4. Type part or all of the group name in the search field; then, when you see the name, select it and click Import.
5. When you finish importing user accounts, click Done.
Related topics: Connect to another network account server; About user accounts; Import users from another network account server
In the Users or Groups pane of the Server app, Control-click a user or group, choose Arrange By, and then choose an option.
In the Server app, choose View > Show System Accounts. If you're already showing system accounts, hide them by choosing View > Hide System Accounts.
Profile Manager
Self-Service User Portal
Profile Manager's user portal is an easy-to-use, secure website for distributing settings you define using the administration tool. Users connect to the web-based portal using their device. Then, after they log in, the settings that you assigned to them are available for download and installation. Users also use this site to enroll devices for mobile device management, if you're using Profile Manager as a mobile device management server.

Mobile Device Management Server
Profile Manager also provides a mobile device management (MDM) server that lets you remotely manage enrolled Mac OS X Lion and iOS devices. After a device is enrolled with Profile Manager, you can update its configuration over the network without user interaction, as well as execute tasks such as reporting or locking and wiping the device.

Understanding user and device groups
Each user, user group, device, and device group can have a default group of settings. This allows you to easily share base settings for devices or people that need them. For example, to configure a teacher's iPad, create a user account for the teacher, then place that user in the "teachers" and "iPad" groups. This assigns them two collections of default settings, one from each group, and you can then create and assign additional settings that are tailored to the user. Other types of user and device groups that you might find useful are "lab Mac," "field sales iPhone," and "student notebooks." For the latter group, for example, the default settings might include restrictions or specific network settings.

Understanding configuration profiles
Behind the scenes, Profile Manager works by creating and distributing configuration profiles. Configuration profiles are XML files (.mobileconfig) that contain payloads that define groups of settings. When the profile is installed on a Mac OS X Lion or iOS device, the settings it defines are applied.
Each user, device, and group has default configuration profiles so you can quickly provide a base level of settings; then you can assign additional configuration profiles to customize the settings to meet your organizational requirements. For example, to enforce restrictions and configure users' devices to use your VPN, create a configuration profile with a restrictions payload and a VPN payload. Because both payloads are in the same profile, the user must install both. If they remove the configuration profile to avoid the restrictions, their VPN access is also removed.

Distributing configuration profiles
After you have defined the settings for users and their devices, you can distribute the configuration profiles to users in the following ways:

Manual distribution
You can download configuration profiles (.mobileconfig files) from Profile Manager's administration tool, then send them to your users via email or post them to a website you create. When users receive or download the file, they can install it on their device.

User self-service
Users can download and install the settings from Profile Manager's built-in user portal. The user portal ensures that users receive the configuration profiles you assign to them or their group.

Remote device management
You can enable Profile Manager's mobile device management server, which allows you to remotely install, remove, and update configuration profiles on enrolled devices.

Managing a Mac lab
You can use Profile Manager to maintain a student laboratory of Macs, ensuring that they're configured identically. When you build the network system image for the lab, include configuration profiles that enroll the computers for remote device management by Profile Manager.

Managing policies on devices
In addition to general configuration settings, Profile Manager allows you to enforce organization policies.
For example, you can specify passcode policies, define the types of networks devices can connect to, and enforce restrictions such as preventing the use of cameras on iOS devices. If you're managing the devices remotely, you can install updated policies without user action or notification.

Remotely locking or wiping a lost device
Devices that you remotely manage can be locked or wiped using Profile Manager's administration tool. For Mac OS X Lion devices, locking shuts down the computer and installs an EFI passcode so it cannot be started up without providing the passcode. On iOS devices, locking invokes the lock screen and enforces the passcode, if any, installed on the device.
Wiping a device removes all user data. On iOS devices, the device is restored to factory defaults. For iOS devices, you can also reset a user's passcode when they've forgotten it. This temporarily removes the device passcode (for 60 minutes). When the user unlocks the device, they are immediately required to enter a new passcode that meets the criteria specified by the configuration profiles installed on the device.
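To make the "restrictions payload plus VPN payload in one profile" point concrete, here is an added example that is not Apple's code and not a Profile Manager export. It builds a .mobileconfig with both payloads using the standard library's plistlib, computes the device's effective settings from the installed profiles, and shows that removing the profile drops the VPN along with the restriction. The payload dictionary structure (PayloadType, PayloadContent, com.apple.applicationaccess, com.apple.vpn.managed) follows the configuration profile format; the identifiers, display names and VPN host are constructed placeholders.

```python
"""Added example (not Apple's code): a two-payload configuration profile and
what removing it does to a device's effective settings.  Identifiers, names
and the VPN host below are constructed placeholders."""
import plistlib
import uuid
from typing import Dict, List


def restrictions_payload() -> Dict:
    """Restrictions payload that disables the camera."""
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "com.example.profile.restrictions",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "allowCamera": False,
    }


def vpn_payload() -> Dict:
    """L2TP VPN payload pointing at a placeholder gateway."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadIdentifier": "com.example.profile.vpn",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "UserDefinedName": "Example Corp VPN",
        "VPNType": "L2TP",
        "PPP": {"CommRemoteAddress": "vpn.example.com"},  # placeholder host
    }


def build_profile() -> Dict:
    """One profile carrying both payloads: they install and uninstall together."""
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.profile.field-sales",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Field sales iPhone",
        "PayloadContent": [restrictions_payload(), vpn_payload()],
    }


def to_mobileconfig(profile: Dict) -> bytes:
    """Serialize to the XML plist form a .mobileconfig file uses."""
    return plistlib.dumps(profile)


def effective_settings(installed: List[bytes]) -> Dict:
    """Fold every installed profile's payloads into one view of the device:
    the camera stays allowed unless some restrictions payload forbids it, and
    each VPN payload contributes a configured VPN."""
    camera_allowed = True
    vpns: List[str] = []
    for blob in installed:
        profile = plistlib.loads(blob)
        for payload in profile.get("PayloadContent", []):
            ptype = payload.get("PayloadType")
            if ptype == "com.apple.applicationaccess":
                camera_allowed = camera_allowed and bool(payload.get("allowCamera", True))
            elif ptype == "com.apple.vpn.managed":
                vpns.append(payload["UserDefinedName"])
    return {"camera_allowed": camera_allowed, "vpns": vpns}


def remove_profile(installed: List[bytes], identifier: str) -> List[bytes]:
    """Removing a profile removes every payload it carried, not just one."""
    return [b for b in installed
            if plistlib.loads(b)["PayloadIdentifier"] != identifier]


if __name__ == "__main__":
    device = [to_mobileconfig(build_profile())]
    print("with profile:   ", effective_settings(device))
    device = remove_profile(device, "com.example.profile.field-sales")
    print("profile removed:", effective_settings(device))
```

Writing the bytes from `to_mobileconfig()` to a file with a .mobileconfig extension gives the same kind of artifact Profile Manager's administration tool lets you download; a profile you distribute for real should also be signed, which this example does not do.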
Profile Manager
1. Open Server, log in to a server, and in the Services list, click Profile Manager.
2. Click the On button. Wait a moment while the Profile Manager service starts.
3. To send the URL of the Profile Manager server to a user so they can log in and download the configuration profiles you assigned to them, click User Portal, then copy the URL from the browser window that opens. For information about how users interact with Profile Manager, click Open Profile Manager and choose Help from the user menu.
4. To enable Profile Manager to act as a mobile device management server, click the Configure button in the Device Management section of the pane. For information about mobile device management, click Open Profile Manager and choose Help from the user menu.
5. To create configuration profiles and assign them to users, click Open Profile Manager. When the Profile Manager web app opens in your web browser, log in with your administrator account.
Open Directory can access information in one or several directory domains. A directory domain stores information in a specialized database that is optimized to handle many requests for information and to find and retrieve information quickly. Processes running on Mac computers can use Open Directory services to save information in directory domains. For example, when you create a user account with Workgroup Manager, Open Directory stores the user name and other account information in a directory domain. You can then review user account information in Workgroup Manager, which uses Open Directory to retrieve the user information from a directory domain. Other application and system software processes can also use the user account information stored in directory domains. When someone attempts to log in to a Mac, the login process uses Open Directory services to validate the user name and password.
A historical perspective
Like Mac OS X Lion, Open Directory has a UNIX heritage. Open Directory provides access to administrative data that UNIX systems generally keep in configuration files, which require painstaking work to maintain. (Some UNIX systems still rely on configuration files.) Open Directory consolidates the data and distributes it for ease of access and maintenance.

Data consolidation
For years, UNIX systems have stored administrative information in a collection of files located in the /etc directory, as shown in the following illustration.
This scheme requires each UNIX computer to have its own set of files, and processes that are running on a UNIX computer read its files when they need administrative information. If you're experienced with UNIX, you probably know about the files in the /etc directory: group, hosts, hosts.equiv, master.passwd, and so forth. For example, a UNIX process that needs a user's password consults the /etc/master.passwd file. The /etc/master.passwd file contains a record for each user account. A UNIX process that needs group information consults the /etc/group file. Open Directory consolidates administrative information, simplifying the interaction between processes and the administrative data they create and use:
Processes no longer need to know how and where administrative data is stored. Open Directory gets the data for them. If a process needs the location of a user's home folder, the process has Open Directory retrieve the information. Open Directory finds the requested information and then returns it, insulating the process from the details of how the information is stored, as shown in the following illustration.
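The flat-file lookups just described, as an added example that is not Apple's code: it parses constructed /etc/master.passwd and /etc/group contents in their BSD formats and exposes the two questions a process typically asks (where is this user's home folder, which groups is this user in) behind functions that hide where the answer comes from. The sample records, including the placeholder password fields, are constructed for the example.

```python
"""Added example (not Apple's code): parsing the BSD-style /etc/master.passwd
and /etc/group formats and answering lookups through a small API, so the
calling process never touches the files itself."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in master.passwd format; "*" is a placeholder, not a hash.
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
MASTER_PASSWD_SAMPLE = """\
# comment lines and blank lines are ignored
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
localadmin:*:501:20::0:0:Local Administrator:/Users/localadmin:/bin/bash

anne:*:502:20::0:0:Anne Johnson:/Users/anne:/bin/bash
"""
# Constructed sample in /etc/group format: name:password:gid:member,member
GROUP_SAMPLE = """\
wheel:*:0:root
staff:*:20:root
admin:*:80:root,localadmin
"""


@dataclass(frozen=True)
class UserRecord:
    name: str
    uid: int
    gid: int
    real_name: str
    home: str
    shell: str


def parse_master_passwd(text: str) -> Dict[str, UserRecord]:
    """Parse master.passwd lines into records keyed by account name.
    Comments, blank lines and malformed lines are skipped, not fatal."""
    users: Dict[str, UserRecord] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            continue
        name, _pw, uid, gid, _cls, _chg, _exp, gecos, home, shell = fields
        users[name] = UserRecord(name, int(uid), int(gid), gecos, home, shell)
    return users


def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Parse /etc/group into {group name: (gid, [member names])}."""
    groups: Dict[str, Tuple[int, List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _pw, gid, members = fields
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


USERS = parse_master_passwd(MASTER_PASSWD_SAMPLE)
GROUPS = parse_group(GROUP_SAMPLE)


def home_folder(name: str) -> Optional[str]:
    """What a process asks for; where the answer is stored is hidden here."""
    rec = USERS.get(name)
    return rec.home if rec else None


def groups_of(name: str) -> List[str]:
    """Primary group (matched by gid) first, then every group listing the user."""
    rec = USERS.get(name)
    if rec is None:
        return []
    primary = [g for g, (gid, _) in GROUPS.items() if gid == rec.gid]
    supplementary = [g for g, (_, members) in GROUPS.items()
                     if name in members and g not in primary]
    return primary + supplementary
```

Swapping `USERS` and `GROUPS` for lookups against a directory domain would leave `home_folder()` and `groups_of()` unchanged, which is the insulation the passage attributes to Open Directory.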
If you set up Open Directory to access administrative data from more than one directory domain, Open Directory consults the domains as needed. Some data stored in a directory domain is identical to data stored in UNIX configuration files. For example, the home folder location, real name, user ID, and group ID are stored in user records of a directory domain instead of the standard /etc/passwd file. However, a directory domain stores much more data to support functions that are unique to Mac OS X Lion, such as support for managing Mac client computers.

Data distribution
A characteristic of UNIX configuration files is that the administrative data they contain is available only to the computer they are stored on. Each computer has its own UNIX configuration files. With UNIX configuration files, each computer that someone wants to use must have that person's user account settings stored on it, and each computer must store the account settings for every person who can use the computer. To set up a computer's network settings, the administrator must go to the computer and enter the IP address and other information that identifies the computer on the network. Similarly, when user or network information must be changed in UNIX configuration files, the administrator must make the changes on the computer where the files reside. Some changes, such as network settings, require the administrator to make the same changes on multiple computers. This approach becomes unwieldy as networks grow in size and complexity. Open Directory solves this problem by letting you store administrative data in a directory domain that can be managed by a network administrator from one location. Open Directory lets you distribute the information so it is visible on a network to the computers that need it and the administrator who manages it, as shown in the following illustration.
Login: Workgroup Manager can create user records in a directory domain, and these records can be used to authenticate users who log in to Mac and Windows computers. When a user specifies a name and a password in the login window, the login process asks Open Directory to authenticate the name and password. Open Directory uses the name to find the user's account record in a directory domain and uses other data in the user record to validate the password.
Folder and file access: After logging in, a user can access files and folders. Mac OS X Lion uses other data from the user record to determine the user's access privileges for each file or folder.
Home folders: Each user record in a directory domain stores the location of the user's home folder. This is where the user keeps personal files, folders, and preferences. A user's home folder can be located on a computer the user always uses or it can be located on a network file server.
Automount share points: Share points can be configured to automount (appear automatically) in the /Network folder (the Network globe) in the Finder windows of client computers. Information about these automount share points is stored in a directory domain. Share points are folders, disks, or disk partitions you make accessible over the network.
Mail account settings: Each user's record in a directory domain specifies whether the user has mail service, which mail protocols to use, how to present incoming mail, whether to alert the user when mail arrives, and so forth.
Resource usage: Disk, print, and mail quotas can be stored in each user record of a directory domain.
Managed client information: The administrator can manage the Mac OS X environment of users whose account records are stored in a directory domain. The administrator makes mandatory preference settings that are stored in the directory domain and override users' personal preferences.
Group management: In addition to user records, a directory domain also stores group records. Each group record affects all users who are in the group. Information in group records specifies preference settings for group members. Group records also determine access to files, folders, and computers.
Managed network views: The administrator can set up custom views that users see when they select the Network icon in the sidebar of a Finder window. Because these managed network views are stored in a directory domain, they're available when a user logs in.

Access to directory services
Open Directory can access directory domains for the following kinds of directory services:
- Lightweight Directory Access Protocol (LDAP), an open standard common in mixed environments of Macintosh, UNIX, and Windows systems. LDAP is the native directory service for shared directories in Lion Server.
- Local directory domain, the local directory service for Mac OS X and Mac OS X Server v10.6 or later.
- Active Directory, the directory service of Microsoft Windows 2000 and 2003 servers and later.
- Network Information System (NIS), the directory service of many UNIX servers.
- BSD flat files, the legacy directory service of UNIX systems.
user attributes. The inetOrgPerson class is a standard LDAP class defined by RFC 2798. Other standard LDAP object classes and attributes are defined by RFC 2307. Open Directory's default object classes and attributes are based on these RFCs. A collection of attributes and record types or object classes provides a blueprint for the information in a directory domain. This blueprint is named the schema of the directory domain. However, Open Directory uses a directory-based schema that is different from a locally stored schema. Using a locally based schema configuration file can be complex. The issue with an Open Directory master that serves replica servers is that if you change or add an attribute to the locally based schema of an Open Directory master, you must also make that change to each replica. Depending on the number of replicas you have, the manual update process can take an enormous amount of time. If you don't make the same schema change locally on each replica, your replica servers generate errors and fail when values for the newly added attribute are sent to them. To eliminate this possibility of failure, Mac OS X Lion uses a directory-based schema that is stored in the directory database and is updated for each replica server from the replicated directory database. This keeps the schema for replicas synchronized and provides greater flexibility to make changes to the schema.

About the structure of LDAP entries
In an LDAP directory, entries are arranged in a hierarchical tree-like structure. In some LDAP directories, this structure is based on geographic and organizational boundaries. More commonly, the structure is based on Internet domain names. In a simple directory organization, entries representing users, groups, computers, and other object classes are immediately below the root level of the hierarchy, as shown here:
An entry is referenced by its distinguished name (DN), which is constructed by taking the name of the entry, referred to as the relative distinguished name (RDN), and concatenating the names of its ancestor entries. For example, the entry for Anne Johnson could have an RDN of uid=anne and a DN of uid=anne, cn=users, dc=example, dc=com. The LDAP service retrieves data by searching the hierarchy of entries. The search can begin at any entry. The entry where the search begins is the search base. You can designate a search base by specifying the distinguished name of an entry in the LDAP directory. For example, the search base cn=users, dc=example, dc=com specifies that the LDAP service begin searching at the entry whose cn attribute has a value of users. You can also specify how much of the LDAP hierarchy to search below the search base. The search scope can include all subtrees below the search base or the first level of entries below the search base. If you use command-line tools to search an LDAP directory, you can also restrict the search scope to include only the search base entry.
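The following shell functions are an added example, not part of the Lion Server documentation. They build a DN from an RDN and its parent DN, and decide whether an entry would be returned by a search with a given search base and scope (base, one, or sub, the three scopes described above). The DN values are the ones from the text; the function names make_dn and in_scope are our own.

```shell
# Added example (not from the Lion Server documentation): DN construction and
# search-scope matching for the entries described in the text.
# Entries used below: uid=anne under cn=users,dc=example,dc=com.

# make_dn RDN PARENT_DN -> prints "RDN,PARENT_DN" (or just RDN for a root entry)
make_dn() {
  if [ -z "$2" ]; then
    printf '%s\n' "$1"
  else
    printf '%s,%s\n' "$1" "$2"
  fi
}

# in_scope ENTRY_DN SEARCH_BASE SCOPE
#   SCOPE is base (the search base entry only), one (entries directly
#   below the base) or sub (the base and everything below it).
#   Returns 0 if the entry is found by such a search, 1 otherwise.
in_scope() {
  entry=$1; base=$2; scope=$3
  # The search base entry itself is returned by base and sub searches only.
  if [ "$entry" = "$base" ]; then
    [ "$scope" = base ] || [ "$scope" = sub ]
    return
  fi
  # Any other entry must sit below the base, i.e. end in ",<base>".
  case "$entry" in
    *",$base") ;;
    *) return 1 ;;
  esac
  [ "$scope" = base ] && return 1
  [ "$scope" = sub ] && return 0
  # scope one: exactly one RDN may separate the entry from the base.
  rel=${entry%",$base"}
  case "$rel" in
    *,*) return 1 ;;   # two or more levels down
    *) return 0 ;;
  esac
}

# Demonstration with Anne's entry and the cn=users search base from the text.
dn=$(make_dn "uid=anne" "cn=users,dc=example,dc=com")
printf 'DN: %s\n' "$dn"
for scope in base one sub; do
  if in_scope "$dn" "cn=users,dc=example,dc=com" "$scope"; then
    printf 'scope %s: entry found\n' "$scope"
  else
    printf 'scope %s: entry not found\n' "$scope"
  fi
done
```

Running the block shows that a base-scoped search at cn=users does not return Anne's entry, while one- and sub-scoped searches do; a one-scoped search at dc=example,dc=com does not reach her entry because it is two levels down.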
directory domain contains the user's record (and if the user entered the correct password), the login process proceeds and the user gets access to the computer. After login, the user could choose Connect to Server from the Go menu and connect to a Mac server for file service. In this case, Open Directory on the server searches for the user's record in the server's local directory domain. If the server's local directory domain has a record for the user (and if the user enters the correct password), the server grants the user access to file services, as shown below:
When you set up a Mac, its local directory domain is created and populated with records. For example, a user record is created for the user who performed the installation. It contains the user name and password entered during setup and other information, such as a unique ID for the user and the location of the user's home folder.

About shared directory domains

Although Open Directory on any Mac can store administrative data in the computer's local directory domain, the real power of Open Directory is that it lets multiple Mac computers share administrative data by storing the data in shared directory domains. When a computer is configured to use a shared domain, administrative data in the shared domain is also visible to applications and system software running on that computer. If Open Directory does not find a user's record in the local directory domain of a Mac computer, Open Directory can search for the user's record in any shared domains the computer has access to. In the following example, the user can access both computers because the shared domain accessible from both computers contains a record for the user.
Shared domains generally reside on servers because directory domains store extremely important data, such as the data for authenticating users. Access to servers is usually tightly restricted to protect the data on them. In addition, directory data must always be available. Servers often have extra hardware features that enhance their reliability, and servers can be connected to uninterruptible power sources.

Shared data in existing directory domains

Some organizations, such as universities and worldwide corporations, maintain user information and other administrative data in directory domains on UNIX or Windows servers. Open Directory can search these non-Apple domains and shared Open Directory domains of Lion Server systems, as shown in the illustration below.
The order in which Mac OS X Lion searches directory domains is configurable. A search policy determines the order in which Mac OS X Lion searches directory domains. Search policies are explained in Open Directory search policies.
When the user attempts to access the file service, the file server accesses the shared directory domain to verify the user account. Because the user computer and the file server are connected to the shared directory domain, the user account on the shared directory domain is used to access a computer and the file service without needing a local account on each computer. The user logs in to the local directory domain of the Mac and then uses a different account to log in to the local directory domain of the file services server. To share information among Mac computers and servers, you must set up at least one shared directory domain. With this arrangement, each user needs an account only in the shared directory domain. With this one account, the user can log in to Mac OS X Lion on any computer that's configured to access the shared directory domain. The user can also use this same account to access services of any Mac server that's configured to access the shared directory domain.
The following figure illustrates a configuration with a shared directory domain. The figure shows a user logging in to a Mac using a shared directory domain account. Then the shared directory domain account is also used to access a file service.
In many organizations, a single shared directory domain is adequate. It can handle hundreds of thousands of users and thousands of computers sharing the same resources, such as printer queues, share points for home directories, share points for applications, and share points for documents. Replicating the shared directory domain can increase the capacity or performance of the directory system by configuring multiple servers to handle the directory system load for the network. Larger, more complex organizations can benefit from extra shared directory domains. The following figure shows how one such complex organization might organize its directory domains.
If you have a large organization and you want to increase the performance and capacity of your network directory domain, you can add multiple directory domains to your network. Also, by using multiple directory domains you can load-balance your corporate directory domain. There are different methods of configuring multiple directory domains. By analyzing your network topology you can determine the best method for your network. The following are optional configurations of multiple directory domains:

Open Directory with an existing domain. You can configure an Open Directory server on a network that has an existing directory domain such as an Active Directory or Open Directory domain. For example, if your organization has an existing Active Directory server that supports Windows and Mac client computers, you can add an Open Directory server to better support Mac users. The two servers can exist on the same network and provide redundant directory domains for Windows and Mac clients. You also configure Lion Server to handle cross-domain authorization if a Kerberos realm exists. If you have an existing Active Directory server, you can connect an Open Directory server to it and you can easily add users from the Active Directory server into your Open Directory server. These users are referred to as augment users. For more information about augment records, see Integrate with existing directory domains. For more information about adding augments to user records, see User Management.

Open Directory Master Server with replicas. You can also create an Open Directory master server with replicas. The replica servers have a copy of the Open Directory master's directory domain for load balancing and redundancy.
For example, your organization could have an Open Directory master at your headquarters and place replicas of that server at each remote location. This prevents users at remote locations from experiencing delayed logins.

Cascading replication. You can also use cascading replication, where replicas of an Open Directory master have replicas. If a replica is a direct member of the Open Directory master and it has replicas, it is called a relay. For example, if your organization has 32 replicas and you must add another replica, you can reorganize your network topology and have your replicas become relays by adding replicas to a replica (or relay). Cascading replication load-balances the Open Directory master by minimizing the number of replicas it must directly manage.

Estimating directory and authentication requirements

In addition to considering how to distribute directory data among multiple domains, you must also consider the capacity of each directory domain. The size of your directory domain depends on your network requirements. One factor is the performance of the database that stores directory information. The LDAP directory domain of a Mac server uses the Berkeley DB database, which remains efficient with 200,000 records. A server hosting a directory domain of that size must have sufficient hard disk space to store all the records. The number of connections a directory service can handle is harder to measure because directory service connections occur in the context of the connections of all services the server provides. With Lion Server, a server dedicated to Open Directory has a limit of 1,000 simultaneous client computer connections. The Open Directory server can provide LDAP and authentication services to more client computers, because not all computers need these services at the same time. Each computer connects to the LDAP directory for up to two minutes, and connections to the Open Directory Password Server are even more brief.
Determining what the fraction is (the percentage of computers that make connections at the same time) can be difficult. For example, computers that have a single user who spends all day working on graphics files need Open Directory services relatively infrequently. In contrast, computers in a lab have many users logging in throughout the day, each with a different set of managed client preference settings, and these computers place a relatively high load on Open Directory services. In general, you can correlate Open Directory usage with login and logout. These activities generally dominate directory and authentication services for any system. The more frequently users log in and out, the fewer computers an Open Directory server (or any directory and authentication server) can support. You need more Open Directory servers if users log in frequently. You can get by with fewer Open Directory servers if work sessions are long and login is infrequent.

Identifying servers for hosting shared domains

If you need more than one shared domain, identify the servers where the shared domains should reside. Shared domains affect many users, so they should reside on Mac servers that have the following characteristics:
- Restricted physical access
- Limited network access
- High-availability technologies, such as uninterruptible power supplies
Select computers that are not replaced frequently and that have adequate capacity for expanding directory domains. Although you can move a shared domain after it is set up, it might be necessary to reconfigure the search policies of computers that connect to the shared domain so users can continue to log in.
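As an added example (our own, not from the Lion Server documentation), the shell functions below turn the reasoning above into a rough capacity estimate. The 1,000 simultaneous connections per dedicated Open Directory server and the two-minute LDAP connection per login are figures from the text; the assumption that a computer's logins are spread evenly across the working day, so that its share of the connection budget is (logins per day x 2 minutes) / (working minutes per day), is ours, as are the function names. The graphics-workstation and lab scenarios are the ones the text contrasts.

```shell
# Added example, not part of the Lion Server documentation.
# Estimates how many client computers one Open Directory server can carry,
# using the connection limit and connection duration stated in the text and
# an even-spread model of logins that is our own simplifying assumption.

OD_MAX_CONNECTIONS=1000   # simultaneous connections per dedicated OD server (text)
LDAP_CONNECT_MINUTES=2    # upper bound for one LDAP connection at login (text)

# busy_fraction LOGINS_PER_DAY WORKDAY_HOURS
#   -> fraction of the working day one computer holds an LDAP connection
busy_fraction() {
  awk -v logins="$1" -v hours="$2" -v mins="$LDAP_CONNECT_MINUTES" \
    'BEGIN { printf "%.6f\n", (logins * mins) / (hours * 60) }'
}

# computers_per_server LOGINS_PER_DAY WORKDAY_HOURS
#   -> computers one server supports before the connection limit is reached
#      (= OD_MAX_CONNECTIONS / busy_fraction, kept in integer arithmetic)
computers_per_server() {
  echo $(( OD_MAX_CONNECTIONS * $2 * 60 / ($1 * LDAP_CONNECT_MINUTES) ))
}

# servers_needed COMPUTERS LOGINS_PER_DAY WORKDAY_HOURS
#   -> number of Open Directory servers (master plus replicas) needed,
#      rounded up
servers_needed() {
  per=$(computers_per_server "$2" "$3")
  echo $(( ($1 + per - 1) / per ))
}

# Demonstration: the two workloads contrasted in the text, over an 8-hour day.
# Scenario figures (1 login/day for a graphics workstation, 20 logins/day
# for a lab machine, 30,000 computers) are constructed for this example.
for scenario in "graphics 1" "lab 20"; do
  set -- $scenario
  printf '%-9s logins/day=%-3s busy=%s computers/server=%s servers for 30000=%s\n' \
    "$1" "$2" "$(busy_fraction "$2" 8)" "$(computers_per_server "$2" 8)" \
    "$(servers_needed 30000 "$2" 8)"
done
```

With these inputs a fleet of single-user graphics workstations needs one server (each computer is busy about 0.4% of the day), while a lab fleet with twenty logins per machine per day needs three, which is the "more servers if users log in frequently" conclusion of the text expressed as a number. The model deliberately ignores Password Server and Kerberos traffic and assumes logins are not synchronized (a whole lab logging in at 9:00 sharp would exhaust the budget much sooner), so treat the result as a lower bound on the servers you need.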
server is referred to as an Open Directory master. Each Open Directory replica is a separate server with a copy of the master's LDAP directory, Open Directory Password Server, and Kerberos KDC. An Open Directory server can have up to 32 replicas. Each replica can have 32 replicas of itself, providing 1,056 replicas in a two-tier hierarchy. Access to the LDAP directory on a replica is read only. Changes to user records and other account information in the LDAP directory can be made only on the Open Directory master. The Open Directory master updates its replicas when there are changes to the LDAP directory. The master can update replicas every time a change occurs, or you can set up a schedule so updates occur at regular intervals. The fixed schedule option is best if replicas are connected to the master by a slow network link. Passwords and password policies can be changed on any replica. If a user's password or password policy is changed on more than one replica, the most recent change prevails. The updating of replicas relies on the clocks of the master and replicas being in sync. If replicas and the master have different times, updating could be arbitrary. The date, time, and time zone information must be correct on the master and replicas, and they should use the same network time service to keep their clocks in sync. Avoid having only one replica on either side of a slow network link. If a replica is separated from other replicas by a slow network link and the one replica fails, clients of the replica will fail over to a replica on the other side of the slow network link. As a result, their directory services can slow markedly. If your network has a mix of Mac OS X Server v10.6 and Lion Server, one version can't be a replica of a master of the other version. An Open Directory master of Lion Server won't replicate to v10.6, nor will an Open Directory master of v10.6 replicate to Lion Server:
Replica version                 Lion Server replica    Mac OS X Server v10.6 replica
Lion Server master              Yes                    No
Mac OS X Server v10.6 master    No                     Yes
Replica sets

A replica set is an automatic configuration that requires each service that Open Directory manages (LDAP, Password Server, and Kerberos) to look for and use the same replica server. This helps ensure that client computers choose the same replica server when using Open Directory services and helps prevent slow login.

Cascading replication

Mac OS X v10.4 used a hub-spoke model for replicating Open Directory master servers. This required each Open Directory master to maintain a transaction record for each replica server. The following illustration shows the hub-spoke model used in Mac OS X v10.4.
In addition, there was no predefined limit to how many replica servers an Open Directory master could manage. If an Open Directory master had 1,000 replicas to manage, it could have performance issues if replicas continued to be added. This is similar to having one manager for 1,000 employees, which is an unmanageable situation. Mac OS X Server v10.5 and later use cascading replication to improve scalability and resolve performance issues with the older hub-spoke model of replication. The use of cascading replication helps limit the number of replica servers that can be supported by a single Open Directory master server.
A single Open Directory master server can have up to 32 replicas and each replica can have up to 32 replicas, which gives you 1,056 replicas of a single Open Directory master server. This creates a two-tier hierarchy of replica servers. The first tier of replicas, which are the direct members of the Open Directory master, are called relays if they have replicas, because they relay the data to the second tier of replicas. Also, cascading replication does not require that a single Open Directory master server maintain a transaction record of each replica server. The master server only keeps a maximum of 32 replica transaction records, which improves performance. The following illustration shows the two-tier hierarchy of the cascading replication model.
Planning the upgrade of multiple Open Directory replicas

If your Open Directory master manages more than 32 replicas, your organization must migrate to cascading replication. The cascading replication model will improve your Open Directory server performance. When planning for your migration, consider the locations of your replica servers and your network topology to help determine how to reorganize your replicas into a hierarchical structure. For example, you do not want to have an Open Directory master on the West coast replicating to a replica on the East coast. Note: If your Open Directory master has fewer than 32 replicas, migration is not necessary.

Load balancing in small, medium, and large environments

Do not use service load-balancing software from third parties with Open Directory servers. Load-balancing software can cause unpredictable problems for Open Directory computers. It can interfere with the automatic load balancing and failover behavior of Open Directory in Mac OS X Lion and Lion Server. Mac computers seek the nearest available Open Directory server, master or replica. A computer's nearest Open Directory master or replica is the one that responds most quickly to the computer's request for an Open Directory connection.

Replication in a multibuilding campus

A network that spans multiple buildings might have slower network links between buildings than the link within each building. The network links between buildings might also be overloaded. These conditions can adversely affect the performance of computers that get Open Directory services from a server in another building. As a result, you may want to set up an Open Directory replica in each building. Depending on need, you may even want to set up an Open Directory replica on each floor of a multistory building. Each replica provides efficient directory and authentication services to client computers in its vicinity.
The computers do not need to make connections with an Open Directory server across the slow, crowded network link between buildings. Having more replicas has a disadvantage. Replicas communicate with each other and with the master over the network. This network communication overhead increases as you add replicas. Adding too many replicas can add more network traffic between buildings in the form of replication updates than it removes in the form of Open Directory client communications. When deciding how many replicas to deploy, consider how heavily the computers use Open Directory services. If the computers are relatively light users of Open Directory services and your buildings are connected by fairly fast network links (such as 100 Mbps Ethernet), you probably do not need a replica in each building. You can reduce the communication overhead between Open Directory replicas and the master by scheduling how often the Open Directory master updates the replicas. You might not need the replicas updated every time a change occurs in the master. Scheduling less frequent updates of replicas improves network performance.
Using an Open Directory master, replica, or relay with NAT

If your network has an Open Directory server on the private network side of a network address translation (NAT) router (or gateway), including the NAT router of a Mac server, only computers on the private network side of the NAT router can connect to the Open Directory server's LDAP directory domain. Computers on the public network side of the NAT router can't connect to the LDAP directory domain of an Open Directory master or replica that's on the private network side. If an Open Directory server is on the public network side of a NAT router, computers on the private network and the public network sides of the NAT router can connect to the Open Directory server's LDAP directory. If your network supports mobile clients such as MacBooks that move between the private LAN of your NAT gateway and the Internet, you can set up VPN service for mobile users so they can use VPN to connect to the private network and the Open Directory domain.

Open Directory master and replica compatibility

The Open Directory master and its replicas must use the same version of Lion Server. In addition:
- An Open Directory master using Lion Server won't replicate to Mac OS X Server v10.6.
- Mac OS X Server v10.6 or later can't be a replica of an Open Directory master using Lion Server.
- An Open Directory master using Lion Server can replicate to an Open Directory replica using Lion Server.
If you have an Open Directory master and replicas that use Mac OS X Server v10.6, upgrade them to Lion Server at the same time. First, upgrade the master; then, upgrade the replicas. Clients of the master and replicas continue to receive directory and authentication services during the upgrade. While you are upgrading the master, its clients fail over to the nearest replica. When you upgrade replicas one at a time, clients fail back to the upgraded master.
Upgrading an Open Directory master from Mac OS X Server v10.6 or later severs ties to existing replicas. After upgrading each Open Directory replica to Lion Server, it is a standalone directory service and you must make it a replica again.

Mixing Active Directory and Open Directory master and replica services

There are some special considerations when introducing Open Directory servers into an Active Directory environment. If precautions are not taken, mixed results will occur on client and server functionality. Also, avoid mixing Authenticated Directory Binding and Active Directory on the same client or server. Authenticated binding makes use of Kerberos, as does Active Directory. Using both will cause unexpected behavior or nonfunctioning authentication services unless care is taken, as detailed below. When mixing Open Directory and Active Directory, you can only use Kerberos credentials from one system or the other for single sign-on purposes. You cannot have users exist in Active Directory and Open Directory and use both Kerberos credentials to use single sign-on to access a server that is Kerberized. In other words, you cannot sign in to an Active Directory account and expect to use single sign-on with a server that is part of the Open Directory Kerberos realm. Kerberos is used in Active Directory and Open Directory environments. Kerberos makes assumptions about determining the realm of a server when Kerberos tickets are used. The following is an example of mixing an Active Directory Kerberos realm with an Open Directory master Kerberos realm:
Active Directory Domain = example.com
Active Directory Kerberos realm = EXAMPLE.COM
Open Directory Server master = server1.example.com
Open Directory Kerberos realm = SERVER1.EXAMPLE.COM
When Kerberos attempts to obtain a ticket-granting ticket (TGT) for using LDAP with server1.example.com, it requests ldap/server1.example.com@EXAMPLE.COM unless the domain_realm entity is present in the configuration.
The domain_realm entity for Open Directory assumes that all example.com entities belong to SERVER1.EXAMPLE.COM. This prevents connectivity to the Active Directory domain named example.com. To mix Authenticated Directory Binding and Active Directory, your Active Directory Domain and Open Directory realms and servers must be in a different hierarchy. For example:
Active Directory Domain = example.com
Active Directory Kerberos realm = EXAMPLE.COM
Open Directory Server master = server1.od.example.com
Open Directory Server realm = OD.EXAMPLE.COM
Or:
Active Directory Domain = ads.example.com
Active Directory Kerberos realm = ADS.EXAMPLE.COM
Open Directory Server master = server1.od.example.com
Open Directory Kerberos realm = OD.EXAMPLE.COM
In both examples, a new DNS domain zone must be created, and forward and reverse DNS entries must exist for the servers so that if an IP address is used for the Open Directory server, it gets the expected name. For example, if the IP address of server1.od.example.com is 10.1.1.1, a lookup of 10.1.1.1 should return server1.od.example.com, not server1.example.com.
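To make the domain_realm conflict above concrete, here is an added example (ours, not from the Lion Server documentation) that models how a Kerberos client maps a host name to a realm from the [domain_realm] section of krb5.conf: an entry for the exact host name wins, otherwise the longest matching domain suffix (entries written with a leading dot), otherwise the default realm. The host and realm names are those from the text; the two mapping tables and the sample domain controller name dc1.example.com are constructed for this illustration, and realm_for_host is our own function, not a Kerberos tool.

```shell
# Added example, not part of the Lion Server documentation. Models the
# [domain_realm] lookup a Kerberos client performs (exact host, then domain
# suffixes from longest to shortest, then the default realm) so the two
# layouts discussed in the text can be compared side by side.

# realm_for_host HOSTNAME MAPPING DEFAULT_REALM
#   MAPPING holds one "name = REALM" line per entry, as in krb5.conf.
realm_for_host() {
  host=$1; mapping=$2; default=$3
  # 1. An entry naming the exact host takes precedence.
  r=$(printf '%s\n' "$mapping" | awk -v h="$host" '$1 == h { print $3; exit }')
  if [ -n "$r" ]; then printf '%s\n' "$r"; return; fi
  # 2. Strip leading labels one at a time and look for a ".suffix" entry,
  #    so the most specific (longest) suffix is tried first.
  rest=$host
  while [ "${rest#*.}" != "$rest" ]; do
    rest=${rest#*.}
    r=$(printf '%s\n' "$mapping" | awk -v d=".$rest" '$1 == d { print $3; exit }')
    if [ -n "$r" ]; then printf '%s\n' "$r"; return; fi
  done
  # 3. Nothing matched: fall back to the client's default realm.
  printf '%s\n' "$default"
}

# Constructed mapping for the conflicting layout in the text: the Open
# Directory realm SERVER1.EXAMPLE.COM claims every host under example.com.
OD_ALONE_MAP=$(printf 'server1.example.com = SERVER1.EXAMPLE.COM\n.example.com = SERVER1.EXAMPLE.COM')

# Constructed mapping for the separated layout: Open Directory lives in its
# own od.example.com subdomain, Active Directory keeps example.com.
SPLIT_MAP=$(printf '.od.example.com = OD.EXAMPLE.COM\n.example.com = EXAMPLE.COM')

# Demonstration: where does each host end up under each mapping?
# dc1.example.com is a constructed name standing in for an AD domain controller.
for host in server1.example.com server1.od.example.com dc1.example.com; do
  printf '%-24s conflicting: %-22s separated: %s\n' "$host" \
    "$(realm_for_host "$host" "$OD_ALONE_MAP" EXAMPLE.COM)" \
    "$(realm_for_host "$host" "$SPLIT_MAP" EXAMPLE.COM)"
done
```

With the conflicting mapping, the Active Directory controller dc1.example.com is mapped to SERVER1.EXAMPLE.COM, so the client asks the Open Directory KDC for a ticket that only the Active Directory KDC can issue, which is the connectivity failure the text describes. With the separated mapping, hosts under od.example.com resolve to OD.EXAMPLE.COM and everything else under example.com resolves to EXAMPLE.COM, which is why the text requires the Open Directory servers to sit in a different DNS hierarchy with matching forward and reverse records.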
A magic triangle, also referred to as the golden triangle, is the connecting of two directory domains where one controls the authentication and the other manages Mac OS X Lion settings. Mac OS X Lion supports the connection of an Active Directory server to an Open Directory server or two Open Directory servers connected together. This creates a magic triangle that is made up of three parts: the directory server providing authentication, the second directory server, and the Mac client computers. When configuring a magic triangle, one server must be the primary server and the other the secondary server. The secondary server must join the primary server and its Kerberos realm. There can only be one Kerberos realm in a magic triangle. For example, you can configure an Active Directory server as a primary server to host the Kerberos Distribution Center (KDC) and contain user and group records. Then you can configure an Open Directory server as a secondary server and connect it to the Active Directory server and its Kerberos realm. The Active Directory server manages authentication requests while the Open Directory server manages preference and policy settings of client computers. All services of your Open Directory servers can be Kerberized through the Kerberos realm of the Active Directory server. Client computers are connected to the Active Directory and Open Directory servers.

Integrating with augment records

If you integrate with an existing directory domain using a magic triangle, you can augment user records from the primary directory domain to the secondary directory domain. When you augment user records from a primary directory domain to a secondary directory domain, you can add data to these records. These user records are labeled as augmented in Workgroup Manager. The augmented record information is used by the secondary directory domain and is not viewable from the primary directory domain server where the original records reside.
For example, if you configure a magic triangle with an Active Directory server as the primary server and an Open Directory server as the secondary server, you can augment user records from the Active Directory server to the Open Directory server. After you augment these records you can add information, such as setting a login picture. Augments do not affect the original user record. Augments provide additional information specific to the directory domain the augment user logs in to. By keeping the users in the Active Directory domain and augmenting them into the Open Directory domain, users can use Mac server-specific features. Also, it prevents users from needing two passwords or accounts.

Integrating without schema changes

Mac OS X Lion integrates with most LDAP-based directories without needing to change the schema of your directory server. However, some record types might not be recognized or maintained by your server's directory schema. When you integrate Mac computers with your directory server, you might want to add a record type or object class to the directory schema to better manage and support Mac client computers. For example, by default there may not be a Picture record type in your directory schema for Mac users, but you can add it to your directory schema so Picture records can be stored in the directory database. To add records or attributes to your directory schema, consult your directory domain administrator for instructions.

Integrating with schema changes

If you are adding Mac computers to a directory domain, you can make schema changes to the directory domain server to better support Mac client computers. When you add a record type or attribute to the directory schema, investigate whether you have a record type or attribute that can map to it in the existing schema. If you don't have a similar record type or attribute that you can map to, add the record type or attribute to your schema.
This is referred to as extending your schema. When you extend your schema you might need to change the default access control list (ACL) of specific attributes so computer accounts can read the user properties. For example, you can configure a Mac to access basic user account information in an Active Directory domain of a Windows 2000 or Windows 2003 or later server.

Avoiding Kerberos conflicts with multiple directories

If you set up an Open Directory master on a network that has an Active Directory domain, your network will have two Kerberos realms: an Open Directory Kerberos realm and an Active Directory Kerberos realm. For practical purposes, other servers on the network can use only one Kerberos realm. When you set up a file server, mail server, or other server that can use Kerberos authentication, you must choose one Kerberos realm. A Mac server must belong to the same Kerberos realm as its client users. The realm has only one authoritative Kerberos server, which is responsible for all Kerberos authentication in the realm. The Kerberos server can only authenticate clients and servers in its realm. The Kerberos server can't authenticate clients or services that are part of a different realm. Only user accounts in the chosen Kerberos realm will have single sign-on abilities. User accounts in the other realm can still authenticate, but they won't have single sign-on. If you're configuring a server to access multiple directory systems and each has a Kerberos realm, plan carefully for the user accounts that will use Kerberized services. You must know the intent of having access to two directory services. You must join the server to the realm whose companion directory domain contains the user accounts that must use Kerberos and single sign-on. For example, you might want to configure access to an Active Directory realm for its user records and an Open Directory LDAP directory for the Mac OS X Lion records and attributes that aren't in Active Directory, such as group and computer records. Other servers could join the Active Directory Kerberos realm or the Open Directory Kerberos realm. In this case, the other servers should join the Active Directory Kerberos realm so Active Directory user accounts have single sign-on. If you also have user accounts in the Open Directory server's LDAP directory, users can still authenticate to them, but the Open Directory user accounts won't use Kerberos or have single sign-on. They'll use Open Directory Password Server authentication methods. You could put all Mac users in the Open Directory domain and all Windows users in the Active Directory domain, and they could all authenticate, but only one population could use Kerberos. Do not configure an Open Directory master or replica to also access an Active Directory domain (or any other directory domain with a Kerberos realm).
If you do, the Open Directory Kerberos realm and the Active Directory Kerberos realm will try to use the same configuration files on the Open Directory server, which disrupts Open Directory Kerberos authentication. To avoid a Kerberos configuration file conflict, don't use an Open Directory server as a workstation for managing users in another Kerberos server's directory domain, such as an Active Directory domain. Instead, use an administrator computer (a Mac computer with server administration tools installed) that's configured to access the related directory domains. If you must use an Open Directory server to manage users in another server's directory domain, make sure the other directory domain is not part of the Open Directory server's authentication search policy. To further avoid a Kerberos configuration file conflict, don't use an Open Directory server to provide services that access a different Kerberos server's directory domain. For example, if you configure AFP file service to access Open Directory and Active Directory, don't use an Open Directory server to provide the file service. Use another server and join it to the Kerberos realm of one directory service or the other. Theoretically, servers or clients can belong to two Kerberos realms, such as an Open Directory realm and an Active Directory realm. Multiple-realm Kerberos authentication requires very advanced configuration, which includes setting up Kerberos servers and clients for cross-realm authentication, and revising Kerberized service software so it can belong to multiple realms. To configure your network to use one Kerberos realm providing single sign-on for two directory domains, such as Active Directory and Open Directory, disable Kerberos on your Open Directory master and connect it to the Active Directory domain. This provides a Kerberos realm for both directory domains and Kerberized services. Also, users on either domain can use single sign-on authentication.

For more information about disabling Kerberos on an Open Directory master, see Disable Kerberos after setting up an Open Directory master.
SACLs give you finer control over which administrators can monitor and manage a service. Only the users and groups listed in an SACL have access to the corresponding service. For example, to give users or groups administrator access to the Open Directory service on your server, add them to the Open Directory SACL as an ACE.
Workgroup Manager
Set up and manage user accounts, group accounts, and computer groups. Manage share points for file services and user home folders. Control what Mac OS X users see when they select the Network globe in a Finder sidebar. View directory entries in raw form by using the Inspector. For information about using Workgroup Manager, see Workgroup Manager Help. Workgroup Manager is installed in /Applications/Server/.

Command-line tools
A full range of command-line tools is available for administrators who prefer command-driven server administration. For remote server management, submit commands in an SSH session. You can enter commands on Mac servers and computers using Terminal, located in /Applications/Utilities/.
Set up Open Directory relays for cascading replication
To set up a server to be a replica or relay of an Open Directory master so it can provide directory information and authentication information to computers, see Replicate Open Directory services.

Set up servers that connect to other directory systems
If you have file servers or other servers that access directory and authentication services, see Configure access to an Open Directory server.

Set up single sign-on Kerberos authentication
If you have an Open Directory master, you can configure other servers to join its Kerberos realm. If you set up an Open Directory master without Kerberos, you can set up Kerberos later. For more information, see Set up single sign-on Kerberos authentication.

Set up client computers to connect to directory services
If you have an Open Directory master, you must configure client computers to access its directory domain. You can also configure computers to access other directory services such as Microsoft Active Directory. See Configure access to an Open Directory server and Configure access to an Active Directory domain.
1. Open Server Admin and connect to the server.
2. Click Settings.
3. Click Services.
4. Select the Open Directory checkbox.
5. Click Save.
Set up a standalone directory service
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General.
5. Click Change. The Open Directory Assistant opens.
6. Choose from the following:
If your server is an Open Directory master, select "Destroy Master and set up standalone directory," then click Continue.
If your server is an Open Directory replica, select "Decommission replica and set up standalone directory," click Continue, enter the root password for the Open Directory master and the domain administrator's login credentials, then click Continue.
7. Confirm the configuration settings, then click Continue.
8. If you are sure that users and services no longer need access to the directory data stored in the shared directory domain that the server has been hosting or is connected to, click Done.
Set up an Open Directory master
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General.
If the Role option is set to Open Directory Replica and you want to make a new Open Directory master, change the server role to Standalone. For more information, see Setting Up a Standalone Directory Service. If you want to change an Open Directory replica into a master, promote the replica instead of making a new master. For more information, see Promote an Open Directory replica.
5. Click Change. The Open Directory Assistant opens.
6. Select "Set up an Open Directory Master," then click Continue.
If your DNS server is not configured, a message appears saying that single sign-on is unavailable. To use single sign-on, close the assistant and configure DNS. If you don't want single sign-on, click Continue to configure the Open Directory master without it.
7. Enter the following Master Directory Administrator information, then click Continue:
Name, Short Name, User ID, Password: You must create a user account for the primary administrator of the LDAP directory. This account is not a copy of the administrator account in the server's local directory domain. Make the names and user ID of the LDAP directory administrator different from the names and user IDs of accounts in the local directory domain. Also, to keep the directory administrator account out of the login window list, give it a user ID below 100; accounts with user IDs below 100 are not listed in the login window.
Note: If your Open Directory master will connect to other directory domains, give each domain's directory administrator a unique name and user ID. Don't use the suggested diradmin name and user ID; use a name that identifies the directory domain the administrator controls.
8. Enter the following Master Domain information, then click Continue:
Kerberos Realm: This field is preset to the server's DNS name converted to capital letters, which is the convention for naming a Kerberos realm. You can enter a different name if necessary.
Search Base: This field is preset to a search base suffix for the new LDAP directory, derived from the domain portion of the server's DNS name. You can enter a different search base suffix or leave it blank. If you leave it blank, the LDAP directory's default search base suffix is used.
9. Confirm the settings, then click Continue.
10. Confirm that the Open Directory master is functioning by clicking Overview (near the top of the Server Admin window, with Open Directory selected in the Servers list). Each item listed in the Open Directory overview pane should show a status of Running. If Kerberos remains stopped and you want it running, see If Kerberos is stopped on an Open Directory master or replica.
After setting up a Mac server as an Open Directory master, you can change its binding policy, security policy, password policy, replication frequency, and LDAP protocol options. For more information, see Set a binding policy for an Open Directory server, Set the search timeout interval for LDAP service, and Set a security policy for an Open Directory server.
You can configure other computers with Mac OS X Lion or Mac OS X Lion Server to access the server's shared LDAP directory domain. For more information, see Configure access to an LDAP directory.
1. Log in to Windows 2000 using a local administrator account.
2. Open the Control Panel, then open System.
3. Click Network Identification, then click Properties.
4. Enter a computer name, click Domain, enter the domain name of the Open Directory server (Lion Server), and click OK. To look up the domain name of the server, open Server Admin on the server or on an administrator computer, select Open Directory in the Servers list, click Settings, then click General.
5. Enter the name and password of an LDAP directory administrator, then click OK.
1. Log in to Windows XP using a local administrator account.
2. Open the Control Panel, then open System.
3. Click Computer Name, then click Change.
4. Enter a computer name, click Domain, enter the domain name of the Open Directory server (Lion Server), and click OK. To look up the domain name of the server, open Server Admin on the server or on an administrator computer, select Open Directory in the Servers list, click Settings, then click General.
5. Enter the name and password of an LDAP directory administrator, then click OK.
1. Log in to Windows Vista or Windows 7 using a local administrator account.
2. Open the Control Panel, then open System and Maintenance (Windows Vista) or System and Security (Windows 7).
3. Click System, then click Change Settings.
4. Click Computer Name, then click Change.
5. Enter a computer name, click Domain, enter the domain name of the Open Directory server (Lion Server), and click OK. To look up the domain name of the server, open Server Admin on the server or on an administrator computer, select Open Directory in the Servers list, click Settings, then click General.
6. Enter the name and password of an LDAP directory administrator, then click OK.
Open Directory replicas or relays provide these benefits:
In a wide area network (WAN) of local area networks (LANs) interconnected by slow links, replicas on the LANs give servers and client computers fast access to user accounts and other directory information.
A replica provides redundancy. If the Open Directory master fails, computers connected to it switch to a nearby replica. This automatic failover is a feature of Mac OS X and Mac OS X Server v10.4 and later.
Note: If your network has a mix of Mac OS X Server v10.6 and Lion Server, one version can't be a replica of a master running the other version. An Open Directory master on Lion Server won't replicate to Mac OS X Server v10.6, and an Open Directory master on Mac OS X Server v10.6 won't replicate to Lion Server.
When you set up an Open Directory replica, all directory and authentication data must be copied to it from the Open Directory master. Replication can take several seconds or several minutes, depending on the size of the directory domain, and replication over a slow network link can take a long time. During replication, the master cannot provide directory or authentication services: you can't use user accounts in the master LDAP directory to log in or authenticate for services until replication is finished. To minimize the disruption, set up a replica before the master LDAP directory is fully populated, or at a time of day when the directory service is not needed. Having another replica already set up insulates clients of the directory service from problems if the master becomes unavailable.
To make more than one server a replica of an Open Directory master, create the replicas one at a time. If you try to create two replicas simultaneously, one attempt succeeds and the other fails; a subsequent attempt to establish the second replica should succeed.
You can have up to 32 replicas of an Open Directory master. These direct replicas of the master are known as relays. Each relay can in turn have up to 32 replicas of its own, giving you up to 1056 replicas (32 + 32 × 32) in a two-tier hierarchy.
If you change a Mac server that was connected to another directory system into an Open Directory replica, the server remains connected to the other directory system. It searches for user records and other information in its shared LDAP directory domain before searching the other directory systems it is connected to.
Set up an Open Directory replica
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory. Click Settings, then click General.
4. Click Change. The Open Directory Assistant opens.
5. Choose Set up an Open Directory Replica, then click Continue.
6. Enter the following information:
IP address or DNS name of Open Directory master: Enter the IP address or DNS name of the server that is the Open Directory master.
Root password on Open Directory master: Enter the password of the Open Directory master system's root user (the System Administrator account).
Domain administrator's short name: Enter the name of an LDAP directory domain administrator account.
Domain administrator's password: Enter the password of the administrator account whose name you entered.
7. Click Continue.
8. Confirm the Open Directory configuration settings, then click Continue.
9. Click Close.
10. Make sure the date, time, and time zone are correct on both the replica and the master. The replica and the master should use the same network time service so their clocks stay in sync; Kerberos authentication fails if the clocks drift too far apart.
After you set up an Open Directory replica, other computers connect to it as needed.
Computers with Mac OS X or Mac OS X Server v10.3 or later maintain a list of Open Directory replicas. If one of these computers can't contact the Open Directory master for directory and authentication services, it connects to the nearest replica of the master.
You can also configure Macs to connect to an Open Directory replica instead of the master for directory and authentication services. On each Mac, use Users & Groups preferences to create an LDAPv3 configuration for accessing the replica's LDAP directory.
The Open Directory master updates the replica. You can configure the master to update its replicas at a specific interval or whenever the master directory changes.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General.
5. Click Change. The Open Directory Assistant opens.
6. Choose Connected to another directory, then click Continue.
7. Confirm the configuration settings, then click Continue.
8. If the server was an Open Directory master and you are sure that users and services no longer need access to the directory data stored in the shared directory domain the server has been hosting, click Done.
9. Click the Open Directory Utility button to configure access to directory systems.
10. If the server you're configuring has access to a directory system that also hosts a Kerberos realm, you can join the server to that realm. To join the Kerberos realm, you need the name and password of a Kerberos administrator or of a user who has been delegated the authority to join the realm. For more information, see Join a server to a Kerberos realm.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General.
5. Click Change. The Open Directory Assistant opens.
6. Choose Connected to another directory, then click Continue.
7. Confirm the Open Directory configuration settings, then click Continue.
8. Click Done.
9. To configure advanced settings for your Active Directory connection, click Open Directory Utility. For more information about advanced connections to an Active Directory server, see Configure access to an Active Directory domain, beginning at step 4.
10. Open System Preferences and click Accounts.
11. In the lower left corner of System Preferences, click the lock and authenticate when prompted.
12. Click Login Options.
13. Click Directory Services.
14. Click the Add button (+).
15. From the "Add a new directory of type" pop-up menu, choose Active Directory, then enter the following:
Active Directory Domain: Specify the DNS name of the Active Directory domain.
Computer ID: Optionally edit the ID you want Active Directory to use for your server. This is the server's NetBIOS name. The name should contain no more than 15 characters and no special characters or punctuation. If practical, make the server name match its unqualified DNS host name. For example, if your DNS server has an entry for your server as server.example.com, give your server the name server.
AD Administrator Username and Password: Enter the user name and password of a user who is authorized to add computers to Active Directory.
16. Click OK, then click Done.
17. Close System Preferences.
18. Open Server Admin and connect to the server.
19. Click the triangle at the left of the server. The list of services appears.
20. From the expanded Servers list, select Open Directory.
21. Click Settings, then click General.
22. Click Join Kerberos to join the server to the Active Directory Kerberos realm.
23. Enter the following information:
Administrator Name: Enter the Kerberos server administrator's user name.
Password: Enter the Kerberos server administrator's password.
Realm Name: Enter the realm name of the Kerberos server.
DNS/Bonjour Name of KDC: Enter the DNS or Bonjour name of the Kerberos server.
24. Click OK.
25. From the Servers list, select SMB.
26. Click Settings, then click General.
27. Verify that the server is now a member of the Active Directory domain. You can change the server's optional description, which appears in the Network Places window on Windows computers.
After setting up an Active Directory domain member, you might want to change access restrictions, logging detail level, code page, domain browsing, or WINS registration. Then, if Windows services aren't running, you can start them.
After Kerberos is running and has generated its configuration file, it no longer depends completely on DNS, and changes to DNS do not affect Kerberos.
The individual services of Lion Server require no configuration for single sign-on or Kerberos. The following services are ready for single sign-on Kerberos authentication on every Lion Server that is an Open Directory master or replica, or that has joined a Kerberos realm:
Login window
Mail service
AFP
FTP
SMB (as a member of an Active Directory Kerberos realm)
iChat service
Print service
NFS
Xgrid service
VPN
Apache web service
LDAPv3 directory service (on an Open Directory master or replica)

Setting up an Open Directory Kerberos realm
You can provide single sign-on Kerberos authentication on your network by setting up an Open Directory master. You can set up an Open Directory master during the initial configuration that follows installation of Lion Server; if you set up a Mac server with a different Open Directory role, you can change its role to Open Directory master by using Server Admin. For more information, see Set up an Open Directory master and Start Kerberos after setting up an Open Directory master.
A server that is an Open Directory master requires no other configuration to support single sign-on Kerberos authentication for the Kerberized services it provides. The server can also support single sign-on Kerberos authentication for Kerberized services of other servers on the network; those servers must be set up to join the Open Directory Kerberos realm. For more information, see Delegate authority to join an Open Directory Kerberos realm and Join a server to a Kerberos realm.
Important: An Open Directory master requires DNS to be properly configured so it can provide Kerberos and single sign-on authentication. In addition:
DNS service must be configured to resolve the fully qualified DNS names of all servers (including the Open Directory master) to their IP addresses and to provide the corresponding reverse lookups. For more information about setting up DNS service, see Network Services Administration.
The Open Directory master server's Network preferences must be configured to use the DNS server that resolves the server's name. (If the Open Directory master provides its own DNS service, its Network preferences must be configured to use itself as a DNS server.)
Join a server to a Kerberos realm
1. Make sure the server you want to join to the Kerberos realm is configured to access the shared directory domain of the Kerberos server. To confirm, open Directory Utility (opened from Accounts preferences) on that server, or connect to the server using Directory Utility on another computer. Click Search Policy, then click Authentication, and make sure the Kerberos server's directory domain is listed. If it is not listed, see Directory server connections for instructions on configuring access to the directory.
2. Open Server Admin and connect to the server you want to join to the Kerberos realm.
3. Click the triangle at the left of the server. The list of services appears.
4. From the expanded Servers list, select Open Directory.
5. Click Settings, then click General.
6. Confirm that the role is Connected to a Directory Server, then click Join Kerberos and enter the following information:
For an Open Directory Kerberos realm or an Active Directory Kerberos realm, choose the realm from the pop-up menu and enter the name and password of a Kerberos administrator or of a user with delegated Kerberos authority for the server.
For an MIT-based Kerberos realm, enter the name and password of a Kerberos administrator, the Kerberos realm name, and the DNS name of the Kerberos KDC server.
Start Kerberos after setting up an Open Directory master
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Refresh (or choose View > Refresh) and verify the status of Kerberos as reported in the Overview pane. If Kerberos is running, there's nothing more to do.
5. Use Network Utility (in /Applications/Utilities/) to do a DNS lookup of the Open Directory master's DNS name and a reverse lookup of its IP address. If the server's DNS name or IP address doesn't resolve correctly:
In the Network pane of System Preferences, look at the TCP/IP settings for the server's primary network interface (usually built-in Ethernet). Make sure the first DNS server listed is the one that resolves the Open Directory server's name.
Check the configuration of DNS and make sure it's running.
6. In Server Admin, select Open Directory for the master server, click Settings, then click General.
7. Click Kerberize, then enter the following information:
Administrator Name and Password: You must authenticate as an administrator of the Open Directory master's LDAP directory.
Realm Name: This field is preset to the server's DNS name converted to capital letters, which is the convention for naming a Kerberos realm. If necessary, enter a different name.
Disable Kerberos after setting up an Open Directory master
1. Open Terminal.
2. Enter the following command:
$ sudo sso_util remove -k -a username -p password -r NAME.OF.KERBEROSREALM
Replace username, password, and NAME.OF.KERBEROSREALM with the user name and password of the Open Directory administrator and the name of the Kerberos realm that was created when you configured your Open Directory master. Because the password is given on the command line, it is visible in the process list while the command runs and is saved in the shell's history; clear it from the history afterward.
The Open Directory Overview pane of Server Admin should then show the Kerberos service status as Stopped.
Delegate authority to join an Open Directory Kerberos realm
1. In Workgroup Manager, create a computer group in the LDAP directory domain of the Open Directory master server, or select an existing computer group in this directory:
To select an existing computer group, click Accounts or choose View > Accounts, click the Computer Group button (above the accounts list), and select the computer group to use.
If the LDAP directory doesn't have a computer group that you want to add the dependent server to, you can create one:
a. Click Accounts, then click the Computers button (above the accounts list).
b. Click the small globe icon above the list of accounts and use the pop-up menu to open the Open Directory master's LDAP directory.
c. Click the lock and authenticate as an administrator of the LDAP directory.
d. Click the Computer Groups button (above the accounts list), then click New Computer Group or choose Server > New Computer Group.
e. Enter a list name (for example, Kerberized Servers).
2. Click Members, then click the Add button (+) to open the computer drawer.
3. Drag computers and computer groups from the drawer to the members list.
4. Click Save to save the changes to the computer group.
5. Click Preferences and make sure the computer group has no managed preference settings. If any item in the array of preference categories has a small arrow next to its icon, that item has managed preference settings. To remove managed preferences from an item, click the item, select Not Managed, and click Apply Now. If the item has multiple panes, select Not Managed in each pane, then click Apply Now.
6. To delegate Kerberos authority to user accounts, create the accounts:
a. Make sure you are working in the LDAP directory of the Open Directory master server. If necessary, click the small globe icon and use the pop-up menu to open this directory, then click the lock and authenticate as an administrator of this directory.
b. Click the Users button (on the left), then click New User or choose Server > New User.
c. Enter a name, short name, and password.
d. Make sure that neither "User can access account" nor "User may administer this server" is selected. You can change settings in other panes, but do not change the User Password Type setting in the Advanced pane: a user with delegated Kerberos authority must have an Open Directory password.
7. Click Save to save the new user account.
8. Open Server Admin and connect to the Open Directory master server.
9. Click the triangle at the left of the server. The list of services appears.
10. From the expanded Servers list, select Open Directory.
11. Click Settings, then click General.
12. Confirm that the Role is Open Directory Master, then click Add Kerberos Record and enter the following information:
Administrator Name: Enter the name of an LDAP directory administrator on the Open Directory master server.
Administrator Password: Enter the password of that administrator account.
Configuration Record Name: Enter the fully qualified DNS name of the dependent server.
Delegated Administrators: Enter the short or long name of each user account to which you want to delegate Kerberos authority for the specified server.
13. Click Add, then click Save to delegate Kerberos authority as specified.
To delegate authority for more than one dependent server, repeat this procedure for each one.
Search policies
Two-level search policies
If one server on the network hosts a shared directory, all computers on the network can include the shared directory in their search policies. In this case, Open Directory looks for user information and other administrative data first in the local directory domain. If it doesn't find the information it needs there, it looks in the shared directory. The following illustration shows two computers and a shared directory domain on a network. The computers are connected to the shared directory domain and have it in their search policy.
Each class (English, math, science) has its own computer. The students in each class are defined as users in the local domain of that class's computer. All three of these local domains have the same shared domain, in which all instructors are defined. Instructors, as members of the shared domain, can log in to all class computers. The students in each local domain can log in only to the computer where their local account resides. Local domains reside on their respective computers, but the shared domain resides on a server accessible from each computer. When an instructor logs in to any of the three class computers and is not found in the local domain, Open Directory searches the shared domain. In this example there is only one shared domain, but more complex networks may have several.
Multilevel search policies
If more than one server on the network hosts a shared directory, the computers on the network can include two or more shared directories in their search policies. As with simpler search policies, Open Directory looks for user information and other administrative data first in the local directory domain. If it does not find the information it needs there, it searches each shared directory in the sequence specified by the search policy. Here's a scenario in which more than one shared directory might be used:
Each class (English, math, science) has a server that hosts a shared directory domain. Each classroom computer's search policy specifies the computer's local domain, the class's shared domain, and the school's shared domain. The students in each class are defined as users in the shared domain of that class's server, so each student can log in to any computer in the class. Because the instructors are defined in the shared domain of the school server, they can log in to any classroom computer.
You can affect an entire network or a group of computers by choosing the domain in which to define administrative data. The higher the administrative data resides in a search policy, the fewer places it must be changed as users and system resources change. Probably the most important aspect of directory services for administrators is planning directory domains and search policies. These should reflect the resources to share, the users to share them among, and the way you want to manage your directory data.

Automatic search policies
Mac computers can be configured to set their search policies automatically. An automatic search policy consists of two parts, one of which is optional:
Local directory domain
Shared LDAP directory (optional)
A computer's automatic search policy always begins with the computer's local directory domain. If a Mac is not connected to a network, it searches its local directory domain for user accounts and other administrative data. The automatic search policy then determines whether the computer is configured to connect to a shared directory domain. The computer can be connected to a shared directory domain, which can in turn be connected to another shared directory domain, and so on. A shared directory domain connection, if any, constitutes the second part of the automatic search policy. For more information, see Inside a directory domain.
An automatic search policy offers convenience and flexibility, especially for mobile computers. If a computer with an automatic search policy is disconnected from the network, connected to a different network, or moved to a different subnet, the automatic search policy can change. If the computer is disconnected from the network, it uses its local directory domain. If the computer is connected to a different network or subnet, it can change its shared directory domain connection. With an automatic search policy, a computer doesn't need to be reconfigured to get directory and authentication services in its new location.

Custom search policies
A custom search policy names specific directory domains and the order in which they are searched. For example, a custom search policy could specify that an Active Directory domain be searched before an Open Directory server's shared directory domain. Users can then log in using their user records from the Active Directory domain and have their preferences managed by group and computer records from the Open Directory domain. A custom search policy generally does not work in multiple network locations or while disconnected from a network, because it relies on the availability of specific directory domains on the network. If a portable computer is disconnected from its usual network, it no longer has access to the shared directory domains on its custom search policy. However, the disconnected computer still has access to its local directory domain, because that is the first directory domain on every search policy. The portable computer's user can log in using a user record from the local directory domain, which can include mobile user accounts. These mirror user accounts from the shared directory domain that the portable computer accesses when it's connected to its usual network.

Search policies for authentication and contacts
A Mac computer has one search policy for finding authentication information and a separate search policy for finding contact information:
Open Directory uses the authentication search policy to locate and retrieve user authentication information and other administrative data from directory domains.
Open Directory uses the contacts search policy to locate and retrieve name, address, and other contact information from directory domains. Address Book uses this contact information, and other applications can be programmed to use it as well.
Each search policy can be automatic, custom, or local directory domain only.
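The search-policy behaviour described in this section, as an added example in Python (not code from Apple or from the Open Directory software): the directory domains, short names and network states are constructed sample data modelled on the classroom scenario above. resolve() walks a policy in order, searching the local domain first and skipping shared domains that are unreachable, which is the disconnected-laptop case with a mobile account. duplicates() is a check a planner would want before combining domains: it reports short names defined in more than one domain of a policy, since the first domain in search order answers and the later ones are silently shadowed.

```python
from typing import Dict, List, Optional, Set, Tuple

Record = Dict[str, str]

# Constructed sample domains (not from the page), following the multilevel
# scenario: "local" is the English classroom Mac's own directory domain,
# english.school.example is the class server's shared domain, and
# school.example is the school server's shared domain.
DOMAINS: Dict[str, Dict[str, Record]] = {
    "local": {
        "ann":   {"kind": "student", "mobile": "no"},
        # mobile account: a local copy of the instructor's shared record
        "mhart": {"kind": "instructor", "mobile": "yes"},
    },
    "english.school.example": {
        "bob": {"kind": "student", "mobile": "no"},
    },
    "school.example": {
        "mhart": {"kind": "instructor", "mobile": "no"},
        "jlee":  {"kind": "instructor", "mobile": "no"},
        # a stale record with the same short name as a class-domain student
        "bob":   {"kind": "former student", "mobile": "no"},
    },
}

# A search policy is the ordered list of domains to consult. Every policy
# begins with the local domain; the shared domains follow in the order chosen.
MULTILEVEL_POLICY: List[str] = ["local", "english.school.example", "school.example"]

# Shared domains reachable in two network states (constructed).
ON_CAMPUS: Set[str] = {"english.school.example", "school.example"}
OFF_CAMPUS: Set[str] = set()


def resolve(user: str, policy: List[str], reachable: Set[str]) -> Optional[Tuple[str, Record]]:
    """Return (domain, record) from the first domain in `policy` that holds
    `user`. The local domain is always searched; a shared domain is skipped
    when it is not reachable. None means no domain answered, so a login
    attempt for that user fails."""
    if not policy or policy[0] != "local":
        raise ValueError("a search policy must begin with the local directory domain")
    for name in policy:
        if name != "local" and name not in reachable:
            continue
        records = DOMAINS.get(name, {})
        if user in records:
            return name, records[user]
    return None


def duplicates(policy: List[str]) -> Dict[str, List[str]]:
    """Report short names that exist in more than one domain of `policy`,
    listing the domains in search order. Only the first listed domain ever
    answers a lookup for that name; the later records are shadowed."""
    seen: Dict[str, List[str]] = {}
    for name in policy:
        for user in DOMAINS.get(name, {}):
            seen.setdefault(user, []).append(name)
    return {user: domains for user, domains in seen.items() if len(domains) > 1}


if __name__ == "__main__":
    for user in ("ann", "bob", "mhart", "jlee"):
        print(user, "on campus  ->", resolve(user, MULTILEVEL_POLICY, ON_CAMPUS))
        print(user, "off campus ->", resolve(user, MULTILEVEL_POLICY, OFF_CAMPUS))
    print("shadowed short names:", duplicates(MULTILEVEL_POLICY))
```

Off campus, jlee cannot log in at all while mhart still can through the mobile copy in the local domain; on campus, bob is answered by the class domain and the stale school record is never consulted. The same precedence means a local account created with the short name of a network administrator would answer first on that computer, which is why the duplicate check is worth running whenever domains are added to a policy.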
Authentication
You experience authentication and authorization when you use a credit card. The merchant authenticates you by comparing your signature on the sales slip to the signature on your credit card. Then the merchant submits your authorized credit card account number to the bank, which authorizes payment based on your account balance and credit limit.

Open Directory authenticates user accounts, and service access control lists (SACLs) authorize use of services. If Open Directory authenticates you, the SACL for login window determines whether you can log in, then the SACL for AFP service determines whether you can connect for file service, and so on.

Some services also determine whether a user is authorized to access specific resources. This authorization can require retrieving other user account information from the directory domain. For example, AFP service needs the user ID and group membership information to determine which folders and files the user is authorized to read from and write to.

Open Directory passwords

When a user's account has a password type of Open Directory, the user can be authenticated by Kerberos or the Open Directory Password Server. Kerberos is a network authentication system that uses credentials issued by a trusted server. Open Directory Password Server supports the traditional password authentication methods that some clients of network services require.

Kerberos and Open Directory Password Server do not store the password in the user's account. Instead, they store passwords in secure databases apart from the directory domain, and passwords can never be read. Passwords can only be set and verified. Malicious users might attempt to log in over the network hoping to gain access to Kerberos and Open Directory Password Server. Open Directory logs can alert you to unsuccessful login attempts. (See View Open Directory status and logs.)
Open Directory passwords are required for domain login from a Windows workstation to a Mac server and can be used to authenticate for Windows file service. This type of password can be validated using many authentication methods, including NTLMv2 and NTLMv1. Open Directory passwords are stored in a secure database, not in user accounts.

User accounts in the following directory domains can have Open Directory passwords:
- The LDAP directory of a Mac server
- The local directory domain of a Mac server

Shadow passwords

Shadow passwords support similar authentication methods as Open Directory Password Server, depending on the hash types that are enabled. A shadow password is stored as several hashes in the user account. The attribute that contains the password is protected so it can be read only by the root user account. Only user accounts that are stored in a computer's local directory domain can have a shadow password.

Crypt passwords

A crypt password is stored in a hash in the user account. This strategy, historically named basic authentication, is most compatible with software that must access user records directly. Crypt authentication supports a maximum password length of eight bytes (eight ASCII characters). If a longer password is entered in a user account, only the first eight bytes are used for crypt password validation. Shadow passwords and Open Directory passwords are not subject to this length limit.

For secure transmission of passwords over a network, crypt supports the DHX authentication method. Crypt passwords are not stored in clear text; they are concealed and made unreadable by encryption. A crypt password is encrypted by supplying the clear text password with a random number to a mathematical function, known as a one-way hash function. A one-way hash function always generates the same encrypted value from particular input but cannot be used to recreate the original password from the encrypted output it generates.
To validate a password using the encrypted value, Mac OS X Lion applies the function to the password entered by the user and compares it with the value stored in the user account or shadow file. If the values match, the password is considered valid.

Determine which authentication options to use

To authenticate a user, Open Directory must determine which authentication option to use: Kerberos, Open Directory Password Server, or shadow password. The user's account contains information that specifies which authentication option to use. This information is named the authentication authority attribute.

Open Directory uses the name provided by the user to locate the user's account in the directory domain. Then Open Directory consults the authentication authority attribute in the user's account and learns which authentication option to use. You can change a user's authentication authority attribute by changing the password type in the Advanced pane of Workgroup Manager, as shown in the following table. For more information, see Change the password type to shadow password.
Password type     Authentication authority                          Attribute in user record
Open Directory    Open Directory Password Server and Kerberos (1)   Either or both: ;ApplePasswordServer; ;Kerberosv5;
Shadow password   Password file for each user, readable only by     Either: ;ShadowHash; or ;ShadowHash;HASHLIST:<list of hash types>
                  the root user account
Crypt password    Encoded password in user record                   Either: ;basic; or no attribute at all
(1) You enable single sign-on Kerberos authentication for a user account in an LDAP directory of Lion Server by setting the account's password type to Open Directory in the Advanced pane of Workgroup Manager.

If the attribute in the user record is ;ShadowHash; without a list of enabled authentication methods, default authentication methods are enabled. The list of default authentication methods is different for Mac OS X Lion.

The authentication authority attribute can specify multiple authentication options. For example, a user account with an Open Directory password type normally has an authentication authority attribute that specifies both Kerberos and Open Directory Password Server.

A user account doesn't need to include an authentication authority attribute. If a user's account contains no authentication authority attribute, a Mac server assumes a crypt password is stored in the user's account.

Offline attacks on passwords

Because crypt passwords are stored in user accounts, they are potentially subject to attack. User accounts in a shared directory domain are accessible on the network. Anyone on the network who has Workgroup Manager or knows how to use command-line tools can read the contents of user accounts, including crypt passwords stored in them. Open Directory passwords and shadow passwords aren't stored in user accounts, so these passwords can't be read from directory domains.

A malicious attacker, or cracker, could use Workgroup Manager or UNIX commands to copy user records to a file. The cracker can then transport this file to a system and use various techniques to decode crypt passwords stored in user records. After decoding a crypt password, the cracker can log in unnoticed with a legitimate user name and crypt password. This form of attack is known as an offline attack because it does not require successive login attempts to gain access to a system.
An effective way to thwart password cracking is to use good passwords and avoid using crypt passwords. A password should contain letters, numbers, and symbols in combinations that can't be easily guessed by unauthorized users. Good passwords should not consist of actual words. They can include digits and symbols (such as # or $), or they can consist of the first letter of all words in a phrase. Use both uppercase and lowercase letters.

Shadow passwords and Open Directory passwords are far less susceptible to offline attack because they are not stored in user records. Shadow passwords are stored in separate files that can be read only by someone who knows the password of the root user account (also known as the system administrator). Open Directory passwords are stored securely in the Kerberos KDC and in the Open Directory Password Server database. A user's Open Directory password can't be read by other users, not even by a user with administrator rights for Open Directory authentication. (This administrator can change only Open Directory passwords and password policies.)

Crypt passwords are not considered secure. They should be used only for user accounts that must be compatible with UNIX clients that require them. Being stored in user accounts, they're too accessible and therefore subject to offline attack. Although stored in an encoded form, they're relatively easy to decode.
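The authentication authority table and the offline-attack discussion above together give an administrator a concrete audit rule: any record whose attribute is ;basic; or absent keeps its crypt hash inside the readable user record. The following Python is an added example written for this page, not Apple's code; it parses attribute values of the shapes the table shows (;ApplePasswordServer;, ;Kerberosv5;, ;ShadowHash;, ;ShadowHash;HASHLIST:<...>, ;basic;) and lists the accounts exposed to offline attack. The sample records, their hash-type names and the trailing data after the mechanism name are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class PasswordTypeInfo:
    password_type: str           # "Open Directory", "Shadow password" or "Crypt password"
    mechanisms: list             # mechanism names found in the attribute values
    hash_list: list              # hash types from ;ShadowHash;HASHLIST:<...>, if present
    secret_in_user_record: bool  # True only for crypt: the hash is in the readable record


def parse_authentication_authority(values):
    """Classify a record's authentication authority attribute as in the table above.

    `values` is the list of attribute values on one user record; an empty list models a
    record with no attribute at all, which the text says means a crypt password."""
    if isinstance(values, str):
        values = [values]
    mechanisms, hash_list = [], []
    for value in values:
        parts = value.split(";")
        # Each value has the shape ;Mechanism;optional-data, so parts[0] is empty and
        # parts[1] names the mechanism; anything after it is mechanism-specific data.
        if len(parts) < 2 or parts[0] != "" or parts[1] == "":
            raise ValueError(f"malformed authentication authority value: {value!r}")
        mechanism = parts[1]
        mechanisms.append(mechanism)
        if mechanism == "ShadowHash":
            # ;ShadowHash;HASHLIST:<A,B> lists the enabled hash types; a bare ;ShadowHash;
            # means the default hash types apply (reported here as an empty list).
            match = re.match(r"HASHLIST:<([^>]*)>", ";".join(parts[2:]))
            if match:
                hash_list = [h for h in match.group(1).split(",") if h]
    if not mechanisms or mechanisms == ["basic"]:
        return PasswordTypeInfo("Crypt password", mechanisms, [], True)
    if "ShadowHash" in mechanisms:
        return PasswordTypeInfo("Shadow password", mechanisms, hash_list, False)
    if {"ApplePasswordServer", "Kerberosv5"} & set(mechanisms):
        return PasswordTypeInfo("Open Directory", mechanisms, [], False)
    raise ValueError(f"unrecognised authentication authority mechanisms: {mechanisms}")


def find_offline_attack_exposure(records):
    """records: {short name: [attribute values]}. Returns the short names whose password
    hash lives inside the user record, i.e. the crypt accounts an offline attack targets."""
    return sorted(name for name, values in records.items()
                  if parse_authentication_authority(values).secret_in_user_record)


# Constructed sample records (not real directory data); the data after the mechanism
# name in the Password Server and Kerberos values is an illustrative placeholder.
SAMPLE_RECORDS = {
    "anne":  [";ApplePasswordServer;0x0123456789abcdef,1024 65537 1:10.0.0.1",
              ";Kerberosv5;;anne@EXAMPLE.REALM;EXAMPLE.REALM;"],
    "bob":   [";ShadowHash;HASHLIST:<SALTED-SHA1,CRAM-MD5>"],
    "carol": [";ShadowHash;"],
    "dave":  [";basic;"],
    "erin":  [],  # no attribute at all: treated as a crypt password
}

if __name__ == "__main__":
    for name, values in SAMPLE_RECORDS.items():
        print(name, parse_authentication_authority(values))
    print("exposed to offline attack:", find_offline_attack_exposure(SAMPLE_RECORDS))
```

Running the audit over an export of user records is a cheap way to find accounts that still need their password type changed to Open Directory or shadow password before the records are reachable from the network.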
pervasive adoption across a suite of network protocols, platforms, and clients is virtually impossible. For example, suppose you want to deploy smart cards as a network authentication method. Without Kerberos, you must change every client/server protocol to support the new method. The list of protocols includes SMTP, POP, IMAP, AFP, SMB, HTTP, FTP, IPP, SSH, QuickTime Streaming, DNS, LDAP, local directory domain, RPC, NFS, AFS, WebDAV, and LPR, and goes on and on. Considering all the software that does network authentication, deploying a new authentication method across the entire suite of network protocols would be a daunting task. Although this might be feasible for software from one vendor, you'd be unlikely to get all vendors to change their client software to use your new method. Further, you'd probably also want your authentication to work on multiple platforms (such as Mac OS X Lion, Windows, and UNIX).

Due to the design of Kerberos, a client/server binary protocol that supports Kerberos doesn't even know how the user proves identity. Therefore you only need to change the Kerberos client and the Kerberos server to accept a new proof of identity such as a smart card. As a result, your entire Kerberos network has now adopted the new proof-of-identity method, without deploying new versions of client and server software.

Kerberos provides a central authentication authority for the network. All Kerberos-enabled services and clients use this central authority. Administrators can centrally audit and control authentication policies and operations.

Kerberos can authenticate users for the following services of a Mac server:
- Login window
- Mail service
- AFP file service
- FTP file service
- SMB file service (as a member of an Active Directory Kerberos realm)
- VPN service
- Apache web service
- LDAP directory service
- iChat service
- Print service
- NFS file service
- Xgrid service
These services have been Kerberized whether they are running or not.
Only services that are Kerberized can use Kerberos to authenticate a user. Lion Server includes command-line tools for Kerberizing other services that are compatible with MIT-based Kerberos.

Breaking the barriers to Kerberos deployment

Until recently Kerberos was a technology for universities and government sites. It wasn't more widely deployed because adoption barriers needed to be taken down. Mac OS X Lion and Mac OS X Server v10.3 or later eliminate the following historical barriers to adoption of Kerberos:
- An administrator had to set up a Kerberos KDC. This was difficult to deploy and administer.
- There was no standard integration with a directory system. Kerberos only does authentication. It doesn't store user account data such as user ID (UID), home folder location, or group membership. The administrator had to determine how to integrate Kerberos with a directory system.
- Servers had to be registered with the Kerberos KDC. This added an extra step to the server setup process.
- After setting up a Kerberos server, the administrator had to visit all client computers and configure each one to use Kerberos. This was time consuming and required editing configuration files and using command-line tools.
- You needed a suite of Kerberized applications (server and client software). Some of the basics were available, but porting them and adapting them to work with your environment was difficult.
- Not all network protocols used for client-server authentication are Kerberos-enabled. Some network protocols still require traditional challenge-response authentication methods, and there is no standard way to integrate Kerberos with these legacy network authentication methods.
- The Kerberos client supports failover, so if one KDC is offline it can use a replica, but the administrator had to figure out how to set up a Kerberos replica.
- Administration tools were never integrated. Tools for creating and editing user accounts in the directory domain didn't know anything about Kerberos, and the Kerberos tools knew nothing about user accounts in directories. Setting up a user record was a site-specific operation based on how the KDC was integrated with the directory system.

Single sign-on experience

Kerberos is a credential or ticket-based system. The user logs in once to the Kerberos system and is issued a ticket with a life span. During the life span of this ticket the user doesn't need to authenticate again to access a Kerberized service. The user's Kerberized client software, such as the Mail application, presents a valid Kerberos ticket to authenticate the user for a Kerberized service. This provides a single sign-on experience.

A Kerberos ticket is like a press pass to a jazz festival held at multiple nightclubs over a three-day weekend. You prove your identity once to get the pass. Until the pass expires, you can show it at any nightclub to get a ticket for a performance. All participating nightclubs accept your pass without seeing your proof of identity again.
1. Open Server Admin and connect to the upgraded server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General.
5. Click Kerberize Services, then enter the name and password of an LDAP directory administrator account.
Services that were already configured to use Kerberos are not affected.
Kerberos authentication process

1. The client authenticates to a Kerberos KDC, which interacts with realms to access authentication data. This is the only step in which passwords and associated password policy information are checked.
2. The KDC issues a ticket-granting ticket to the client. The ticket is the credential needed when the client wants to use Kerberized services and is good for a configurable period of time, but it can be revoked before expiration. It is cached on the client until it expires.
3. The client contacts the KDC with the ticket-granting ticket when it wants to use a Kerberized service.
4. The KDC issues a ticket for that service.
5. The client presents the ticket to the service.
6. The service authenticates the client by verifying that the ticket is valid. After authenticating the client, the service determines if the client is authorized to use the service. Kerberos only authenticates clients; it does not authorize them to use services. For example, many services use Mac server's service access control lists (SACLs) to determine whether a client is authorized to use the service.

Kerberos never sends a password or password policy information to a service. After a ticket-granting ticket is obtained, no password information is provided.

Time is very important with Kerberos. If the client and the KDC are out of sync by more than a few minutes, the client fails to achieve authentication with the KDC. The date, time, and time zone information must be correct on the KDC server and clients, and the server and clients should all use the same network time service to keep their clocks in sync.

For more information about Kerberos, go to the MIT Kerberos website at web.mit.edu/kerberos/www/index.html.
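The six steps above, the revocation and expiry rules, the clock-skew requirement, and the separation between authentication (Kerberos) and authorization (SACLs) can all be seen in one place in the following toy model. It is an added example written for this page, not MIT Kerberos or Apple's KDC: tickets are JSON authenticated with an HMAC instead of encrypted ASN.1, the realm and principal names are constructed, and the "few minutes" skew tolerance is modelled as a 300-second constant. The adjustable clock exists only so the example runs offline.

```python
import hashlib
import hmac
import json
import secrets

MAX_CLOCK_SKEW = 300  # seconds; models the "few minutes" tolerance described in the text


class Clock:
    """Constructed adjustable clock so expiry and skew can be shown without waiting."""
    def __init__(self, start=1_700_000_000):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def _seal(key, claims):
    """Build a ticket as (body, MAC). Real tickets are encrypted; this toy only authenticates them."""
    body = json.dumps(claims, sort_keys=True)
    return body, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def _open(key, ticket):
    """Verify the MAC with the given key and return the claims, or refuse the ticket."""
    body, mac = ticket
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("ticket integrity check failed")
    return json.loads(body)


class KDC:
    def __init__(self, realm, clock):
        self.realm, self.clock = realm, clock
        self.users = {}         # principal -> password: checked only in authenticate() (step 1)
        self.service_keys = {}  # service principal -> key shared between KDC and that service
        self.tgs_key = secrets.token_bytes(32)  # key that seals ticket-granting tickets
        self.revoked = set()    # ticket-granting tickets revoked before they expire

    def add_user(self, name, password):
        self.users[name] = password

    def add_service(self, name):
        self.service_keys[name] = secrets.token_bytes(32)
        return self.service_keys[name]

    def authenticate(self, user, password, client_time, lifetime=10 * 3600):
        """Steps 1 and 2: the only password check, then a ticket-granting ticket is issued."""
        if abs(client_time - self.clock.now()) > MAX_CLOCK_SKEW:
            raise PermissionError("client clock out of sync with the KDC")
        stored = self.users.get(user, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("authentication failed")
        tgt = {"id": secrets.token_hex(8), "user": user, "realm": self.realm,
               "expires": self.clock.now() + lifetime}
        return _seal(self.tgs_key, tgt)

    def revoke(self, tgt):
        self.revoked.add(_open(self.tgs_key, tgt)["id"])

    def get_service_ticket(self, tgt, service, lifetime=3600):
        """Steps 3 and 4: a valid TGT is exchanged for a service ticket; no password is involved."""
        claims = _open(self.tgs_key, tgt)
        now = self.clock.now()
        if claims["expires"] <= now or claims["id"] in self.revoked:
            raise PermissionError("ticket-granting ticket expired or revoked")
        if service not in self.service_keys:
            raise LookupError(f"{service} is not Kerberized in realm {self.realm}")
        ticket = {"user": claims["user"], "service": service,
                  "expires": min(claims["expires"], now + lifetime)}
        return _seal(self.service_keys[service], ticket)


class KerberizedService:
    def __init__(self, name, key, clock, authorized):
        self.name, self.key, self.clock = name, key, clock
        self.authorized = set(authorized)  # SACL-style list; authorization is not Kerberos's job

    def accept(self, ticket):
        """Steps 5 and 6: verify the ticket with the service's own key, then authorize."""
        claims = _open(self.key, ticket)
        if claims["service"] != self.name or claims["expires"] <= self.clock.now():
            raise PermissionError("ticket is not valid for this service")
        if claims["user"] not in self.authorized:
            raise PermissionError(f"{claims['user']} authenticated but is not authorized")
        return claims["user"]


def demo():
    """Full exchange for a constructed user and AFP-style service principal."""
    clock = Clock()
    kdc = KDC("EXAMPLE.REALM", clock)
    kdc.add_user("anne", "correct horse battery staple")
    afp = KerberizedService("afpserver/fs.example", kdc.add_service("afpserver/fs.example"),
                            clock, authorized={"anne"})
    tgt = kdc.authenticate("anne", "correct horse battery staple", clock.now())
    return afp.accept(kdc.get_service_ticket(tgt, "afpserver/fs.example"))


if __name__ == "__main__":
    print("service accepted:", demo())
```

Two properties worth noticing when you step through it: the service never sees a password (it can only verify tickets sealed with its own key), and a revoked or expired ticket-granting ticket stops new service tickets being issued while a service ticket that was already issued stays valid until its own, shorter, expiry.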
About Open Directory password server and shadow password authentication methods
For compatibility with various services, Lion Server can use several authentication methods to validate Open Directory passwords and shadow passwords. For Open Directory passwords, Lion Server uses the standard Simple Authentication and Security Layer (SASL) mechanism to negotiate an authentication method between a client and a service. For shadow passwords, the use of SASL depends on the network protocol. The following authentication methods are supported:
Method                    Network security                      Storage security   Uses
APOP                      Encrypted, with clear text fallback   Clear text         POP mail service
CRAM-MD5                  Encrypted, with clear text fallback   Encrypted          IMAP mail service, LDAP service
DHX                       Encrypted                             Encrypted          AFP file service, Open Directory administration
Digest-MD5                Encrypted                             Encrypted          Login window, mail service
MS-CHAPv2                 Encrypted                             Encrypted          VPN service
(method not recovered)    Encrypted                             Encrypted
WebDAV-Digest             Encrypted                             Clear text
Open Directory supports many authentication methods because each service that requires authentication uses some methods but not others. For example, AFP service uses one set of authentication methods, web services use another set of methods, mail service uses another set, and so on.

Some authentication methods are more secure than others. The more secure methods use stronger algorithms to encode the information they transmit between client and server. The more secure authentication methods also store hashes, which can't easily be recovered from the server. Less secure methods store a recoverable, clear-text password. Open Directory does not provide a mechanism for reading or retrieving a user's existing password, but an administrator can use Workgroup Manager to set a user's password.

If you connect Mac OS X Server v10.4 or later to a directory domain of Mac OS X Server v10.3 or earlier, users defined in the older directory domain cannot be authenticated with the NTLMv2 method. This method may be required to securely authenticate some Windows users for the Windows services of Mac OS X Server v10.4 or later. Open Directory Password Server in Mac OS X Server v10.4 or later supports NTLMv2 authentication, but Password Server in Mac OS X Server v10.3 or earlier does not support NTLMv2.

If you connect Mac OS X Server v10.3 or later to a directory domain of Mac OS X Server v10.2 or earlier, users defined in the older directory domain cannot be authenticated with the MS-CHAPv2 method. This method may be required to securely authenticate users for the VPN service of Mac OS X Server v10.3 or later. Open Directory Password Server in Mac OS X Server v10.3 or later supports MS-CHAPv2 authentication, but Password Server in Mac OS X Server v10.2 does not support MS-CHAPv2.

Disable Open Directory authentication methods

To make Open Directory password storage on the server more secure, you can selectively disable authentication methods.
For example, if no clients are going to use Windows services, you can disable the NTLMv1, NTLMv2, and LAN Manager authentication methods to prevent storing passwords on the server using these methods. Then someone who gains unauthorized access to the server's password database can't exploit weaknesses in these authentication methods to crack passwords.

Important: If you disable an authentication method, its hash is removed from the password database the next time the user authenticates. If you enable an authentication method that was disabled, every Open Directory password must be reset to add the newly enabled method's hash to the password database. Users can reset their own passwords, or a directory administrator can do it.

Disabling an authentication method makes the Open Directory Password Server database more secure if an unauthorized user gains physical access to an Open Directory server (master or replica) or to media containing a backup of the Open Directory master. Someone who gains access to the password database can try to crack a user's password by attacking the hash or recoverable text stored in the password database by any authentication method. Nothing is stored in the password database by a disabled authentication method, leaving one less avenue of attack open to a cracker who has physical access to the Open Directory server or a backup of it.

Some hashes stored in the password database are easier to crack than others. Recoverable authentication methods store clear (plainly readable) text. Disabling authentication methods that store clear text or weaker hashes increases password database security more than disabling methods that store stronger hashes. If you believe your Open Directory master, replicas, and backups are secure, select all authentication methods. If you're concerned about the physical security of any Open Directory server or its backup media, disable some methods.
Note: Disabling authentication methods does not increase the security of passwords while they are transmitted over the network. Only password database security is affected. In fact, disabling some authentication methods might require clients to configure their software to send passwords over the network in clear text, thereby compromising password security in a different way.

Disable shadow password authentication methods

You can selectively disable authentication methods to make passwords stored in shadow password files more secure. For example, if a user doesn't use mail service or web services, you can disable the WebDAV-Digest and APOP methods for the user. Then someone who gains access to the shadow password files on a server can't recover the user's password.

Important: If you disable a shadow password authentication method, its hash is removed from a user's shadow password file the next time the user authenticates. If you enable an authentication method that was disabled, the newly enabled method's hash is added to the user's shadow password file the next time the user authenticates for a service that can use a clear-text password, such as a login window or AFP. Alternatively, you can reset the user's password to add the newly enabled method's hash. The user can reset the password, or a directory administrator can do it.

Disabling an authentication method makes the shadow password more secure if a malicious user gains physical access to a server's shadow password files or to media containing a backup of the shadow password files. Someone who gains access to the password files can try to crack a user's password by attacking the hash or recoverable text stored by any authentication method. Nothing is stored by a disabled authentication method, leaving one less avenue of attack open to a cracker who has physical access to a server's shadow password files or a backup of them.

Hashes stored by some authentication methods are easier to crack than others. With recoverable authentication methods, original clear-text passwords can be reconstructed from what is stored in the file. Disabling the authentication methods that store recoverable or weaker hashes increases shadow password file security more than disabling methods that store stronger hashes. If you believe a server's shadow password files and backups are secure, select all authentication methods. If you're concerned about the physical security of the server or its backup media, disable unused methods.

Note: Disabling authentication methods does not increase the security of passwords while they are transmitted over the network. Only password storage security is affected. Disabling some authentication methods might require clients to configure their software to send passwords over the network in clear text, thereby compromising password security in a different way.
Contents of the Open Directory password server database

Open Directory Password Server maintains an authentication database separate from the directory domain. Open Directory tightly restricts access to the authentication database. Open Directory Password Server stores the following information in its authentication database for each user account that has a password type of Open Directory:
- The user's password ID, a 128-bit value assigned when the password is created. It is also stored in the user's record in the directory domain and is used as a key for finding a user's record in the Open Directory Password Server database.
- The password, stored in recoverable (clear text) or hashed (encrypted) forms. The form depends on the authentication method. A recoverable password is stored for the APOP and WebDAV authentication methods. For all other methods, the record stores a hashed (encrypted) password. If no authentication method requiring a clear-text password is enabled, the Open Directory authentication database stores only hashes of passwords.
- The user's short name, for use in log messages viewable in Server Admin.
- Password policy data.
- Time stamps and other usage information, such as last login time, last failed validation time, count of failed validations, and replication information.

LDAP bind authentication

For user accounts that reside in an LDAP directory on a non-Apple server, Open Directory attempts to use LDAP bind authentication. Open Directory sends the LDAP directory server the name and password supplied by the authenticating user. If the LDAP server finds a matching user record and password, authentication succeeds.

If the LDAP directory service and the client computer's connection to it are configured to send clear text passwords over the network, LDAP bind authentication can be insecure. Open Directory tries to use a secure authentication method with the LDAP directory. If the directory doesn't support secure LDAP bind and the client's LDAPv3 connection permits sending a clear-text password, Open Directory reverts to simple LDAP bind. To prevent clear-text authentication, make sure your LDAP servers don't accept clear-text passwords. In this case, you can secure simple LDAP bind authentication by setting up access to the LDAP directory through the Secure Sockets Layer (SSL) protocol. SSL makes access secure by encrypting all communications with the LDAP directory. For more information, see Change the security policy for an LDAP connection and Change the connection settings for an LDAP or Open Directory server.
1. Open Server Admin and connect to an Open Directory master server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click Policies.
5. Click Authentication, select the authentication methods you want enabled, and deselect the authentication methods you want disabled.
6. Click Save.
Replicas of the Open Directory master inherit the authentication method settings for Open Directory passwords in the LDAP directory.

You can also use pwpolicy to enable and disable authentication methods for a user with an Open Directory password. For more information about pwpolicy, see its man page.
1. In Workgroup Manager, open the account you want to work with (if it is not open). To open an account, click the Accounts button, then click the Users button. Click the small globe icon above the list of users and choose from the pop-up menu to open the local directory domain where the user's account resides. Click the lock and authenticate as a directory domain administrator, then select the user in the list.
2. Click Advanced, then click Security. You can click Security only if the password type is Shadow Password.
3. Select the authentication methods you want enabled, deselect the authentication methods you want disabled, then click OK.
4. Click Save.

You can also use pwpolicy to enable and disable authentication methods for a user with a shadow password. For more information about pwpolicy, see its man page.
1. Open Workgroup Manager (located in /Applications/Server/), click the Accounts button, and then click the User button.
2. Open the directory domain that contains the user account whose password you want to change, and authenticate as an administrator of the domain. To open a directory domain, click the small globe icon above the list of users and choose from the pop-up menu. If the user's password type is Open Directory, you must authenticate as an administrator whose password type is Open Directory.
3. Select the account whose password needs to be changed.
4. Enter a password in the Basic pane, then click Save.
5. Tell the user the new password so he or she can log in. After the user logs in to a Mac with the new password, the user can change the password by clicking Accounts in System Preferences.

If you change the password of an account whose password type is Open Directory and the account resides in the LDAP directory of an Open Directory replica or master, the change becomes synchronized with the master and its replicas. The Mac server synchronizes changes to Open Directory passwords among a master and its replicas.
1. Open Workgroup Manager (located in /Applications/Server/), click the Accounts button, and then click the User button.
2. Open the directory domain that contains the user accounts whose password types and passwords you want to reset, and authenticate as an administrator of the domain. To open a directory domain, click the small globe icon above the list of users and choose from the pop-up menu. To set the password type to Open Directory, you must authenticate as an administrator whose password type is Open Directory.
3. Command-click or Shift-click user accounts to select the accounts whose password type must be changed.
4. Enter a password in the Basic pane, then set the User Password Type option in the Advanced pane.
5. Click Save.
6. Tell the users the temporary password so they can log in. After logging in with the temporary password, users can change the password by clicking Accounts in System Preferences.

If you change the password of accounts whose password type is Open Directory and the accounts reside in the LDAP directory of an Open Directory replica or master, the change becomes synchronized with the master and its replicas. A Mac server synchronizes changes to Open Directory passwords among a master and its replicas.
Composing a Password
The password associated with a user's account must be entered by the user when he or she authenticates for login or other services. The password is case sensitive (except for SMB-LAN Manager passwords) and is masked on the screen as it is entered.

Regardless of the password type you choose for a user, here are guidelines for composing a password for Lion Server user accounts:
- A password should contain letters, numbers, and symbols in combinations that won't be easily guessed by unauthorized users. Passwords should not consist of words. Good passwords include digits and symbols (such as # or $), or they consist of the first letter of all words in a phrase. Use both uppercase and lowercase letters.
- Avoid spaces and Option-key combinations.
- Avoid characters that can't be entered on computers the user will use or that might require knowing a special keystroke combination to enter correctly on different keyboards and platforms.
- Some network protocols do not support passwords that contain leading spaces, embedded spaces, or trailing spaces.
- A zero-length password is not recommended. Open Directory and some systems (such as LDAP bind) do not support a zero-length password.
- For maximum compatibility with computers and services your users might access, use only ASCII characters for passwords.

Password Types

You can set password types for users in the Advanced pane of Workgroup Manager. You can choose any of the following password types:
- Open Directory: Enables multiple legacy authentication methods and also enables single sign-on Kerberos authentication if the user's account is in the LDAP directory of an Open Directory master or replica. Open Directory passwords are stored separately from the directory domain in the Open Directory Password Server database and the Kerberos KDC.
- Shadow password: Enables multiple legacy authentication methods for user accounts in the local directory domain. Shadow passwords are stored separately from the directory domain in files readable only by the root user account.
- Crypt password: Provides basic authentication for a user account in a shared directory domain. A crypt password is stored in the user account record in the directory domain. A crypt password is required to log in to Mac OS X v10.1 or earlier.
For more information about password types, see About password types.
Password Server, which offers Simple Authentication and Security Layer (SASL) authentication protocols, including APOP, CRAM-MD5, DHX, Digest-MD5, MS-CHAPv2, NTLMv2, NTLM (also referred to as Windows NT or SMB-NT), and WebDAV-Digest.
Note: To set a user account's password type to Open Directory, you must have administrator rights for Open Directory authentication in the directory domain that contains the user account. This means you must authenticate as a directory domain administrator whose password type is Open Directory. For more information, see Assign administrator rights for Open Directory authentication.
1. Make sure the user's account resides in a directory domain that supports Open Directory authentication. The directory domains that support Open Directory authentication are listed earlier in this topic.
2. In Workgroup Manager (located in /Applications/Server/), open the account to work with (if it is not open). To open an account, click the Accounts button, then click the Users button. Click the small globe icon above the list of users and choose from the pop-up menu to open the directory domain where the user's account resides. Click the lock and authenticate as a directory domain administrator whose password type is Open Directory, then select the user in the list.
3. Click Advanced.
4. From the User Password Type pop-up menu, choose Open Directory.
5. When prompted, enter and verify a new password, then click OK. The password must be no more than 512 bytes long (512 characters or fewer; fewer than 512 in languages whose characters occupy more than one byte), and individual network authentication protocols can impose tighter limits (for example, 128 characters for NTLMv2 and NTLM). For guidelines on choosing passwords, see Composing a Password.
6. In the Advanced pane, click Options to set up the user's password policy, and click OK after you finish specifying options. If you select Disable login: on specific date, use the up and down arrows to set the date. If you select an option that requires resetting (changing) the password, remember that not all protocols support changing passwords. For example, users can't change their passwords when authenticating for IMAP mail service.
The password ID is a unique 128-bit number assigned when the password is created in the Open Directory Password Server database. It can be helpful for troubleshooting, because it appears in the Password Server log when a problem occurs. For more information, see View Open Directory status and logs.
7. Click Save.
1. In Workgroup Manager (located in /Applications/Server/), open the account to work with (if it is not open). To open an account, click the Accounts button, then click the Users button. Click the small globe icon above the list of users and choose from the pop-up menu to open the local directory domain where the user's account resides. Click the lock and authenticate as a directory domain administrator, then select the user in the list.
2. Click Advanced.
3. From the User Password Type pop-up menu, choose Shadow Password.
4. When prompted, enter and verify a password, then click OK. A long password is truncated for some authentication methods: up to 128 characters of the password are used for NTLMv2 and NTLM, and only the first 14 characters are used for LAN Manager. Because LAN Manager is a weak legacy hash that uses so little of the password, leave it disabled (step 6) unless a specific client requires it. For guidelines on choosing passwords, see Composing a Password.
5. In the Advanced pane, click Options to set up the user's password policy, then click OK after you finish specifying options. If you select Disable login: on specific date, use the up and down arrows to set the date. If you use a policy that requires users to change their passwords, remember that not all protocols support changing passwords. For example, users can't change their passwords when authenticating for IMAP mail service.
6. In the Advanced pane, click Security to enable or disable authentication methods for the user, then click OK after you finish. For more information, see Set password policies for users.
7. Click Save.
To change the global password policy:
$ pwpolicy -a authenticator -setglobalpolicy "option=value..."
For example, to require that passwords be at least 12 characters long and to disable login after 3 failed login attempts, enter the following in a Terminal window, where authenticator is the name of a directory domain administrator:
$ pwpolicy -a authenticator -setglobalpolicy "minChars=12 maxFailedLoginAttempts=3"
For more information about pwpolicy, see its man page.
1. In Workgroup Manager, open the account to work with (if it is not open). To open an account, click the Accounts button, then click the Users button. Click the small globe icon above the list of users and choose from the pop-up menu to open the directory domain where the user's account resides. Click the lock and authenticate as a directory domain administrator whose password type is Open Directory, then select the user in the list.
2. Click Advanced, then click Options. You can click Options only if the password type is Open Directory or Shadow Password.
3. Change password policy options, then click OK. If you select an option that requires resetting (changing) the password, remember that some service protocols don't permit users to change passwords. For example, users can't change their passwords when authenticating for IMAP mail service.
4. Click Save.
To change the password policy of a user account:
$ pwpolicy -a authenticator -setpolicy -u user "option=value..."
For example, to require that the user's password be at least 12 characters long and to disable the user's login after 3 failed login attempts, enter the following in a Terminal window, where authenticator is the name of a directory domain administrator and user is the user's name:
$ pwpolicy -a authenticator -setpolicy -u user "minChars=12 maxFailedLoginAttempts=3"
For information about pwpolicy, see its man page.
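The following script is an added example, not code from the original document or from Apple. It ties together the guidelines in Composing a Password, the length limits quoted in the two password-type procedures (512 bytes for Open Directory, 128 characters for NTLM and NTLMv2, 14 for LAN Manager), and the "option=value ..." string that pwpolicy -setglobalpolicy and -setpolicy accept, so that you can vet candidate passwords against a policy before handing out temporary passwords. The function names and the sample passwords are this example's own; the only policy keys it interprets are minChars and maxFailedLoginAttempts.

```python
"""Check candidate passwords against Lion Server guidelines and a pwpolicy string.

Added example; not part of the original document. Function names and the
sample data below are this example's own assumptions.
"""
import string

# Limits stated in the procedures above.
MAX_BYTES_OPEN_DIRECTORY = 512   # Open Directory Password Server: 512 bytes
MAX_CHARS_NTLM = 128             # NTLM and NTLMv2 use only the first 128 characters
MAX_CHARS_LANMAN = 14            # LAN Manager uses only the first 14 characters


def parse_policy(option_string):
    """Parse 'minChars=12 maxFailedLoginAttempts=3' (pwpolicy form) into a dict.

    Numeric values become ints; anything else is kept as a string.
    """
    policy = {}
    for token in option_string.split():
        key, sep, value = token.partition("=")
        if not sep or not key or not value:
            raise ValueError("malformed policy token: %r" % token)
        policy[key] = int(value) if value.isdigit() else value
    return policy


def check_password(password, policy):
    """Return {'errors': [...], 'warnings': [...]} for one candidate password.

    Errors violate the policy or the composition guidelines; warnings flag
    protocol truncation that does not reject the password but weakens it.
    """
    errors, warnings = [], []
    min_chars = int(policy.get("minChars", 0))

    if len(password) == 0:
        errors.append("zero-length: not supported by Open Directory or LDAP bind")
    elif len(password) < min_chars:
        errors.append("shorter than minChars=%d" % min_chars)
    if len(password.encode("utf-8")) > MAX_BYTES_OPEN_DIRECTORY:
        errors.append("longer than %d bytes" % MAX_BYTES_OPEN_DIRECTORY)
    if any(ord(ch) > 127 for ch in password):
        errors.append("non-ASCII characters reduce cross-platform compatibility")
    if any(ch in string.whitespace for ch in password):
        errors.append("whitespace: some protocols reject leading, embedded or trailing spaces")
    if not any(ch.isdigit() or ch in string.punctuation for ch in password):
        errors.append("no digits or symbols")
    if not (any(ch.isupper() for ch in password) and any(ch.islower() for ch in password)):
        errors.append("not mixed case")

    if len(password) > MAX_CHARS_NTLM:
        warnings.append("NTLM/NTLMv2 use only the first %d characters" % MAX_CHARS_NTLM)
    if len(password) > MAX_CHARS_LANMAN:
        warnings.append("LAN Manager uses only the first %d characters "
                        "(weak legacy hash; keep it disabled unless a client needs it)"
                        % MAX_CHARS_LANMAN)
    return {"errors": errors, "warnings": warnings}


def audit(passwords, option_string):
    """Check several candidates against one policy; returns {password: result}."""
    policy = parse_policy(option_string)
    return {pw: check_password(pw, policy) for pw in passwords}


# Constructed sample input, mirroring the pwpolicy example above.
SAMPLE_POLICY = "minChars=12 maxFailedLoginAttempts=3"
SAMPLE_PASSWORDS = [
    "Tr0ub4dor#2011xy",        # passes; longer than 14, so LAN Manager truncates it
    "password",                # too short, no digits or symbols, single case
    "P\u00e4ssw0rd#Lion2011",  # contains a non-ASCII character
    "Aa1#" * 33,               # 132 characters: both NTLM and LAN Manager truncate
]

if __name__ == "__main__":
    for pw, result in audit(SAMPLE_PASSWORDS, SAMPLE_POLICY).items():
        status = "OK" if not result["errors"] else "REJECT"
        print("%-20s %s" % (pw[:20], status))
        for line in result["errors"] + result["warnings"]:
            print("    " + line)
```

The check deliberately separates rejections from truncation warnings: a 16-character password satisfies minChars=12, but if LAN Manager is left enabled for that user, only its first 14 characters protect the account over that method.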
1. In Workgroup Manager (located in /Applications/Server/), open the account, click Advanced, and make sure User Password Type is set to Open Directory. For more information, see Changing the Password Type to Open Directory.
2. Click Privileges and choose Full from the Administration capabilities pop-up menu. To restrict the administration capabilities, choose Limited.
3. Click Save.
1. Open Server Admin and connect to the server.
2. Click Settings, then click Access.
3. Click Services.
4. Select For selected services below and select Login Window in the list on the left.
5. Select Allow only users and groups below and edit the list of users and groups that you want to be able to log in using the server's login window:
Add users or groups that can use the login window by clicking the Add button (+) and dragging users or groups from the Users & Groups window to the list.
Remove users or groups from the list by selecting them and clicking the Remove button (–).
6. Click Save.
If Allow all users and groups is selected when you select For selected services below in step 4, all services except the login window permit access to all users and groups. If you also want to restrict who can access another listed service, select the service in the list, select Allow only users and groups below, and add users and groups to the list. If you want all users to be able to log in using the server's login window, select Login Window, then select Allow all users and groups.
1. Open Server Admin and connect to the server.
2. Click Settings, then click Access.
3. Click Services.
4. Select For selected services below and select SSH in the list on the left.
5. Select Allow only users and groups below and edit the list of users and groups that need SSH access to the server:
Add users or groups that can open SSH connections by clicking the Add button (+) and dragging users or groups from the Users & Groups window to the list.
Remove users or groups from the list by selecting one or more and clicking the Remove button (–).
6. Click Save.
If Allow all users and groups is selected when you select For selected services below in step 4, all services except SSH permit access to all users and groups. If you also want to restrict who can access another listed service, select the service in the list, select Allow only users and groups below, and add users and groups to the list. If you want all users to be able to open an SSH connection to the server, select SSH, then select Allow all users and groups.
1. Open Server Admin and connect to the server.
2. Click Settings, then click Access.
3. Click Administrators.
4. Select the level of restriction you want for the services: To restrict access to all services, select For all services. To set access permissions for individual services, select For selected services below and then select Open Directory from the Service list.
5. Click the Add button (+) to open the Users & Groups window.
6. Drag users and groups from the Users & Groups window to the list.
7. Set user permissions: To grant administrator access, choose Administrator from the Permission pop-up menu next to the user name. To grant monitoring access only, choose Monitor from the Permission pop-up menu next to the user name.
8. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Overview.
5. Make sure the status of every item listed in the Open Directory overview pane is Running. If any item is stopped, click Refresh (or choose View > Refresh). If Kerberos remains stopped, see If Kerberos is stopped on an Open Directory master or replica.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General, to see a list of replicas and the status of each one. The status of a new replica indicates whether it was created successfully. Thereafter, the status indicates whether the most recent replication attempt was successful.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Overview to see status information.
5. Click Logs and use the View pop-up menu to choose the log you want to see. The path to the log file appears above the log.
6. Optionally, enter text in the filter field and press Return to show only lines containing the text you entered.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Logs and choose the kdc log or a password service log from the View pop-up menu.
Import records
Workgroup Manager can import all types of records into the LDAP directory of an Open Directory master. This includes users, groups, computer groups, computers, and all other standard Mac OS X record types.
Important: If you import user or group records from a file exported by Mac OS X Server v10.3 or earlier, each imported record is assigned a new globally unique ID (GUID). To make sure that GUIDs and their relationships to specific users and groups remain the same (if you need to reimport the same users and groups), create an export file using Workgroup Manager in Lion Server, and use that export file instead of the one created with the earlier server version.
For a list of record types and attributes that can be imported, see the following file:
/System/Library/Frameworks/OpenDirectory.framework/Frameworks/CFOpenDirectory.framework/Headers/CFOpenDirectoryConstants.h
For more information about exporting users and groups using Workgroup Manager and about importing records of any type, see Workgroup Manager Help.
1. Open Server Admin and connect to the Open Directory master server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click Policies.
5. Click Binding, then set the directory binding options you want: To permit trusted binding, select Enable authenticated directory binding.
6. Click Save.
Important: If you choose Encrypt all packets (requires SSL or Kerberos) and Enable authenticated directory binding, make sure your users are using one or the other for binding and not both.
(unbind and rebind) every computer connected (bound) to this LDAP directory.
1. Open Server Admin and connect to the Open Directory master server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click Policies.
5. Click Binding, then set the security options you want:
Disable clear text passwords determines whether clients can send passwords as clear text if the passwords can't be validated using any authentication method that sends an encrypted password. Leave this selected unless a specific legacy client can't authenticate any other way; with it deselected, a client that cannot negotiate an encrypted method falls back to sending the password unprotected unless the LDAP connection itself is using SSL. For more information, see Select authentication methods for shadow password users and Select authentication methods for Open Directory passwords.
Encrypt all packets (requires SSL or Kerberos) requires the LDAP server to encrypt directory data using SSL or Kerberos before sending it to client computers.
Digitally sign all packets (requires Kerberos) ensures that directory data from the LDAP server can't be modified by another computer while en route to client computers without the client detecting the change; signing alone does not hide the data.
Block man-in-the-middle attacks (requires Kerberos) protects against a rogue server posing as the LDAP server. This is best used with the Digitally sign all packets option.
Disable client-side caching prevents client computers from caching LDAP data locally.
Allow users to edit their own contact information permits users to change their contact information on the LDAP server.
6. Click Save.
Important: If you choose Encrypt all packets (requires SSL or Kerberos) and Enable authenticated directory binding, make sure your users are using one or the other for binding and not both.
Based on the settings here, the security options can also be configured on each client of an Open Directory master or replica. If an option is selected here, it can't be deselected on a client. For more information about configuring these options on a client, see Change the security policy for an LDAP connection.
1. Open Server Admin and connect to the Open Directory master or an Open Directory replica server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click LDAP.
5. Enter the maximum number of returned search results in the Return a maximum of __ search results field.
6. Click Save.
Setting a search timeout prevents a malicious user from tying up the server by sending it an exceptionally complex LDAP search request. The timeout also applies to legitimate clients, so choose a value long enough for your largest normal searches (for example, enumerating the members of a large group) to complete.
1. Open Server Admin and connect to the Open Directory master or an Open Directory replica server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click LDAP.
5. Enter a search timeout interval in the Search times out in __ field. Set the time unit using the pop-up menu.
6. Click Save.
1. Open Server Admin and connect to the Open Directory master or an Open Directory replica server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click LDAP.
5. Select the Enable SSL checkbox.
6. Use the Certificate pop-up menu to choose the SSL certificate that you want LDAP service to use. The menu lists all SSL certificates installed on the server. To use a certificate not listed, choose Manage Certificates from the pop-up menu. For more information about certificates, see Server Admin Help.
7. Click Save.
Once SSL is enabled, clients connect on port 636 instead of 389, and clients that validate certificates must trust the CA that issued the certificate you chose.
1. Generate a private key for the server in the /usr/share/certs/ folder. If the /usr/share/certs folder does not exist, create it.
$ sudo openssl genrsa -out ldapserver.key 2048
Restrict the key file's permissions so that only root can read it; anyone who can read the key can impersonate the LDAP server.
2. Generate a certificate signing request (CSR) for the certificate authority (CA) to sign:
$ sudo openssl req -new -key ldapserver.key -out ldapserver.csr
3. Fill out the following fields as completely as possible, making certain that the Common Name field matches the DNS name of the LDAP server exactly, and leaving the challenge password and optional company name blank:
Country Name:
State or Province Name:
Locality Name (city):
Organization Name:
Organizational Unit Name:
Common Name:
Email Address:
4. Sign the ldapserver.csr request with the openssl command. This step assumes you run your own CA configured in the OpenSSL configuration file; if you don't, submit the CSR to the CA that issues your certificates instead.
$ sudo openssl ca -in ldapserver.csr -out ldapserver.crt
5. When prompted, enter the CA passphrase to continue and complete the process. The certificate files needed to enable SSL on the LDAP server are now in the /usr/share/certs/ folder.
6. Click the triangle at the left of the server. The list of services appears.
7. From the expanded Servers list, select Open Directory.
8. Click Settings, then click LDAP.
9. Select the Enable SSL checkbox.
10. Use the Certificate pop-up menu to choose the SSL certificate that you want LDAP service to use. The menu lists all SSL certificates that have been installed on the server. To use a certificate not listed, choose Manage Certificates from the pop-up menu. For more information about certificates, see Server Admin Help.
11. Click Save.
Configure locales
When a client connects to an Open Directory server, it may connect to the Open Directory master or to one of its replicas. These connections can become unbalanced, meaning you have more connections to your Open Directory master than to its replicas. If you have replicas on your network, you can configure locales to specify which Open Directory servers clients should use, and you can load-balance client connections between your Open Directory master and its replicas.
Locales are groups of servers that service a specified subnet. Each locale is given a name, similar to an Active Directory forest name. After you configure an Open Directory master and its replicas, two locales exist by default. The first locale includes all of the Open Directory master's replicas, even those outside the subnet; it is created as a failsafe for clients that find no locale available on their own subnet. The second locale is based on the subnet of the Open Directory master and can include any of its replicas that are on the same subnet. Servers and clients on that subnet use the Open Directory master and those replicas for directory service.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click Locales.
5. Below the Locale list, click the Add button (+).
6. Enter a name for the locale in the Name field. This name is similar to an Active Directory forest name and is used by clients to connect to the locale.
7. (Optional) In the Comment field, enter a comment about the locale.
8. Click the Add button (+) below the Server list.
9. From the list of Open Directory servers, choose the servers you want in your locale by selecting the checkbox next to each server, then click OK.
10. Click the Add button (+) below the Subnets list.
11. Enter the subnet or subnets that will use the locale's servers and click OK. You can enter multiple subnets.
12. Click Save.
1. Open Server Admin and connect to the replica server you want to promote to a master.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Settings, then click General.
5. Click Change. This opens the Open Directory Assistant.
6. Select Promote replica to an Open Directory Master, then click Continue.
7. Enter the following Master Domain Administrator information, then click Continue.
Short Name, Password: You must create a user account for the primary administrator of the LDAP directory. This account is not a copy of the administrator account in the server's local directory domain. Make the short name of the LDAP directory administrator different from the names of user accounts in the local directory domain.
Note: If you plan to connect your Open Directory master to other directory domains, pick a unique name and user ID for each domain. Don't use the suggested diradmin user ID. Use a name that helps you identify the directory domain that the directory administrator controls.
8. Enter the following Master Domain information, then click Continue.
Kerberos Realm: This field is preset to the server's DNS name converted to capital letters, which is the convention for naming a Kerberos realm. You can enter a different name if necessary.
Search Base: This field is preset to a search base suffix for the new LDAP directory, derived from the domain portion of the server's DNS name. You can enter a different search base suffix or leave it blank. If you leave this field blank, the LDAP directory's default search base suffix is used.
9. Confirm the settings, then click Continue. This saves your settings and restarts the service.
10. Click Done.
11. In Server Admin, connect to another replica of the old master.
12. Click the triangle at the left of the server. The list of services appears.
13. From the expanded Servers list, select Open Directory.
14. Click Settings, then click General.
15. Click Change. The Open Directory Assistant opens.
16. Choose Set up a Standalone Directory, then click Continue.
17. Confirm the Open Directory configuration settings, then click Continue.
18. If you are sure that users and services no longer need access to the directory data stored in the shared directory domain that the server has been hosting or was connected to, click Close. This saves your settings and restarts the service.
19. Click Change. The Open Directory Assistant opens.
20. Choose Set up an Open Directory Replica, then click Continue.
21. Enter the following information:
IP address or DNS name of Open Directory master: Enter the IP address or DNS name of the server that is now the Open Directory master.
Root password on Open Directory master: Enter the password of the Open Directory master system's root user (user name System Administrator).
Domain administrator's short name: Enter the name of an LDAP directory domain administrator account.
Domain administrator's password: Enter the password of the administrator account whose name you entered.
22. Click Continue.
23. Confirm the Open Directory configuration settings, then click Continue.
24. Click Done. This saves your settings and restarts the service.
25. For each remaining replica of the old master, repeat steps 11 through 23.
26. Make sure the date, time, and time zone are correct on the replicas and the master. The replicas and the master should use the same network time service so their clocks remain in sync; Kerberos refuses authentication between hosts whose clocks differ by more than its permitted skew.
If other computers were connected to the old Open Directory master's LDAP directory, reconfigure their connections to use the new master's LDAP directory. Each Mac and Mac server with a custom search policy that included the old master's LDAP directory must be reconfigured to connect to the new master's LDAP directory. Use the Services and Authentication panes of Directory Utility (located in Users & Groups preferences). For more information, see Reconfigure LDAP directory access.
1. Verify that the network connection is working between the Open Directory master and the replica you want to decommission. Port 389 or 636 must be open between master and replica while decommissioning the replica: LDAP uses port 389 if SSL is disabled on the master, or port 636 if SSL is enabled.
Important: If you decommission a replica while there is no network connectivity between it and the master, the decommissioned replica remains in the master's list of replicas, and the master keeps trying to replicate to it as specified in the General settings pane for the Open Directory service on the master server.
2. In Server Admin, connect to the replica you want to decommission.
3. Click the triangle at the left of the server. The list of services appears.
4. From the expanded Servers list, select Open Directory.
5. Click Settings, then click General.
6. Click Change. The Open Directory Assistant opens.
7. Choose Decommission replica and set up a standalone directory or Decommission replica and connect to another directory, and enter the following information:
Root password on Open Directory master: Enter the password of the Open Directory master system's root user (user name System Administrator).
Domain administrator's short name: Enter the name of an LDAP directory domain administrator account.
Domain administrator's password: Enter the password of the administrator account whose name you entered.
8. Click Continue.
9. Confirm the Open Directory configuration settings, then click Continue.
10. If you are sure that users and services no longer need access to the directory data stored in the shared directory domain that the server has been hosting or was connected to, click Done. This saves your settings and restarts the service. Assuming there is a network connection between the Open Directory master and the replica, the master is updated so that it no longer replicates to the replica.
11. If you chose Decommission replica and connect to another directory in the Open Directory Assistant, click the Open Directory Utility button to configure access to directory systems. For more information about configuring access to a directory service, see Directory Utility Help.
1. Open Server Admin and connect to the Open Directory master server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Archive.
5. In the Archive in field, enter the path to the folder where you want the Open Directory data archived, then click the Archive button. You can enter the folder path or click Choose to select it.
6. Enter a name and a password to use in encrypting the archive, then click OK.
The archive holds the LDAP directory together with the Password Server database and the Kerberos KDC, so choose a strong archive password and protect the archive file as carefully as the master itself.
export from the source directory and import to the target directory. For more information about exporting and importing directory data, see Workgroup Manager Help.
1. Open Server Admin and connect to the Open Directory master server. The target server must have the same Kerberos realm name as the master that the archive was created from.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Open Directory.
4. Click Archive.
5. In the Restore from field, enter the path to the Open Directory archive file, then click the Restore button. You can enter the path or click Choose to select the archive file.
6. Enter the password that was used to encrypt the archive when it was created, then click OK.
7. When the restore operation finishes, check the slapconfig log for information about conflicts or other events that occurred while restoring.
8. Convert existing Open Directory replica servers to Open Directory standalone servers and then make them replicas of the new master. For more information, see Set up a standalone directory service and Set up an Open Directory replica or relay.
To replace the directory and authentication data on a standalone server with data from an Open Directory archive, enter:
$ sudo slapconfig -restoredb archive-path
Replace archive-path with the path to the archive file.
Manage OpenLDAP
To provide directory services for mixed-platform environments, Open Directory uses OpenLDAP, the open source implementation of LDAP. A common language for directory access lets you consolidate information from different platforms and define a single name space for network resources. Whether you have Mac, Windows, or Linux computers on your network, you can set up and manage a single directory, eliminating the need to maintain a separate directory or separate user records for each platform.
Configure OpenLDAP
The OpenLDAP server daemon is slapd, in /usr/libexec/. The primary configuration files for OpenLDAP are located in /etc/openldap/. There you find the slapd.conf and slapd_macosxserver.conf files, which contain configuration information. slapd reads and writes its configuration in the config backend database, /etc/openldap/slapd.d, which is a separate database with the search base cn=config. The old /etc/openldap/slapd.conf and slapd_macosxserver.conf files are created by slapd but are not read by it; use them only as a reference for the one-to-one corresponding settings in the olcGlobal object class under the config entry. The attributes and object classes have the prefix olc.
The directory administrator can modify configuration settings such as ACL or schema settings by using Workgroup Manager with the inspector mode turned on, or by using dscl. Some sizelimit, timelimit, and SSL settings should be set only using Server Admin.
Use slapd and slurpd Daemons to configure LDAP
To configure the slapd and slurpd LDAP daemons and related search policies, use the slapconfig tool. For more information, see the slapconfig man page.
Standard distribution tools
Two types of tools come with OpenLDAP:
- Tools that operate directly on the LDAP databases; these tools begin with slap.
- Tools that go through the LDAP protocol; these tools begin with ldap.
You must run the slap tools on the computer hosting the LDAP database, and you must shut down the LDAP service before using them. If you don't, your database can get out of sync.
These tools are included in the standard OpenLDAP distribution:
Tool                      Used to
/usr/bin/ldapadd          Add entries to the LDAP directory.
/usr/bin/ldapcompare      Compare a directory entry's actual attributes with known attributes.
/usr/bin/ldapdelete       Delete entries from the LDAP directory.
/usr/bin/ldapmodify       Change an entry's attributes.
/usr/bin/ldapmodrdn       Change an entry's relative distinguished name (RDN).
/usr/bin/ldappasswd       Set the password for an LDAP user.
/usr/bin/ldapsearch       Search the LDAP directory.
/usr/bin/ldapwhoami       Obtain the primary authorization identity associated with a user.
/usr/sbin/slapadd         Add entries to the LDAP directory.
/usr/sbin/slapcat         Export LDAP Data Interchange Format (LDIF) files.
/usr/sbin/slapindex       Regenerate directory indexes.
/usr/sbin/slappasswd      Generate user password hashes.
increase this value to prevent continuous reconnection attempts.
<key>Delay Rebind Try in seconds</key>
<integer>n</integer>
You can find this parameter in the DSLDAPv3PlugInConfig.plist file near <key>OpenClose Timeout in seconds</key>. If it is not there, add it there.
Idle timeout
This parameter specifies how long the LDAP plug-in sits idle before disconnecting from the server. You can adjust this value to reduce the load that connections from remote clients place on the server.
<key>Idle Timeout in minutes</key>
<integer>n</integer>
If this parameter doesn't exist in the DSLDAPv3PlugInConfig.plist file, add it near <key>OpenClose Timeout in seconds</key>.
Enter the following command, replacing the example search base (cn=users,dc=example,dc=com) with an actual search base:
$ ldapsearch -H ldap://127.0.0.1 -b cn=users,dc=example,dc=com
By default, ldapsearch tries to connect to the LDAP server using the Simple Authentication and Security Layer (SASL) method. If the server doesn't support this method, you see this error message:
ldap_sasl_interactive_bind_s: No such attribute (16)
To avoid this error, include the -x option when you enter the command. For example:
$ ldapsearch -h 192.168.100.1 -b "dc=example,dc=com" -x
The -x option forces ldapsearch to use simple authentication instead of SASL. The -x option also works with the other LDAP tools.
You can also use ldapsearch for debugging LDAP issues independently of the directory service's LDAPv3 plug-in. For example, you can read the root directory server entry (DSE) as follows (where -LLL omits some output, -x means simple authentication instead of SASL, -h specifies the host name, -b specifies the search base, and -s specifies the type of search):
$ ldapsearch -LLL -x -h ldap.psu.edu -b "" -s base
dn:
namingcontexts: CN=SCHEMA
namingcontexts: CN=LOCALHOST
namingcontexts: CN=PWDPOLICY
namingcontexts: CN=IBMPOLICIES
namingcontexts: DC=PSU,DC=EDU
subschemasubentry: cn=schema
supportedextension: 1.3.18.0.2.12.1
supportedextension: 1.3.18.0.2.12.3
supportedextension: 1.3.18.0.2.12.5
supportedextension: 1.3.18.0.2.12.6
supportedextension: 1.3.18.0.2.12.15
supportedextension: 1.3.18.0.2.12.16
supportedextension: 1.3.18.0.2.12.17
supportedextension: 1.3.18.0.2.12.19
supportedextension: 1.3.18.0.2.12.44
supportedextension: 1.3.18.0.2.12.24
supportedextension: 1.3.18.0.2.12.22
supportedextension: 1.3.18.0.2.12.20
supportedextension: 1.3.18.0.2.12.28
supportedextension: 1.3.18.0.2.12.30
supportedextension: 1.3.18.0.2.12.26
supportedextension: 1.3.6.1.4.1.1466.20037
supportedextension: 1.3.18.0.2.12.35
supportedextension: 1.3.18.0.2.12.40
supportedextension: 1.3.18.0.2.12.46
supportedextension: 1.3.18.0.2.12.37
supportedcontrol: 2.16.840.1.113730.3.4.2
supportedcontrol: 1.3.18.0.2.10.5
supportedcontrol: 1.2.840.113556.1.4.473
supportedcontrol: 1.2.840.113556.1.4.319
supportedcontrol: 1.3.6.1.4.1.42.2.27.8.5.1
supportedcontrol: 1.2.840.113556.1.4.805
supportedcontrol: 2.16.840.1.113730.3.4.18
supportedcontrol: 1.3.18.0.2.10.15
supportedcontrol: 1.3.18.0.2.10.18
security: none
port: 389
supportedsaslmechanisms: CRAM-MD5
supportedsaslmechanisms: DIGEST-MD5
supportedldapversion: 2
supportedldapversion: 3
ibmdirectoryversion: 5.2
ibm-ldapservicename: tr17n01.aset.psu.edu
ibm-serverId: 0f876740-64d2-102b-8f0b-8ab9d7eaa702
ibm-supportedacimechanisms: 1.3.18.0.2.26.3
ibm-supportedacimechanisms: 1.3.18.0.2.26.4
ibm-supportedacimechanisms: 1.3.18.0.2.26.2
vendorname: International Business Machines (IBM)
vendorversion: 5.2
ibm-sslciphers: N/A
ibm-slapdisconfigurationmode: FALSE
ibm-slapdSizeLimit: 200
ibm-slapdTimeLimit: 900
ibm-slapdDerefAliases: always
ibm-supportedAuditVersion: 2
ibm-sasldigestrealmname: tr17n01.aset.psu.edu
If the server is an OpenLDAP server, specify + for the operational attributes, or name the attributes of interest:
$ ldapsearch -LLL -x -h xtra.apple.com -b "" -s base +
dn:
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=apple,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
subschemaSubentry: cn=Subschema
Usually the namingContexts value is the first thing you want to determine:
$ ldapsearch -LLL -x -h xtra.apple.com -b "" -s base namingContexts
dn:
namingContexts: dc=apple,dc=com
After you determine the value, search for a record with a command like this:
$ ldapsearch -LLL -x -h xtra.apple.com -b "dc=apple,dc=com" uid=ajohnson uid cn
dn: uid=ajohnson,cn=users,dc=apple,dc=com
uid: ajohnson
cn: Anne Johnson
cn: Anne Johnsone
cn: A Johnson
objectclass: person
sn: Johnson

dn: cn=Tom Clark,dc=example,dc=com
cn: Tom Clark
cn: T Clark
objectclass: person
sn: Clark
WARNING: LDAP tools can modify or add entries in the LDAP directory. Changing raw data in a directory can have unexpected and undesirable consequences. You could inadvertently incapacitate users or computers, or you could unintentionally authorize users to access more resources.
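Two details in the root DSE listings above decide how you should bind, and they can be checked mechanically. The IBM server reports security: none on port 389, and a simple bind (-x) sends the bind password in clear text unless the session is protected; both servers advertise the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037 under supportedExtension), and the OpenLDAP server also offers GSSAPI, which never transmits the password. As an added example (not from Apple's documentation), the script below parses ldapsearch -LLL output for these attributes and prints a bind recommendation: prefer GSSAPI, otherwise use ldapsearch -ZZ (StartTLS) or an ldaps:// URL before -x, and treat a server that offers neither as unsafe for password binds. The two LDIF samples are constructed (the first is trimmed from the OpenLDAP listing above); the function names are assumptions.

```shell
#!/bin/sh
# Added example: parse root DSE output (as ldapsearch -LLL prints it) and
# decide how a bind can be done without exposing a password. Samples below
# are constructed for this example.
STARTTLS_OID='1.3.6.1.4.1.1466.20037'

# Trimmed from the OpenLDAP root DSE listing shown in the text.
SAMPLE_DSE='dn:
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=apple,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedLDAPVersion: 3
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
subschemaSubentry: cn=Subschema'

# A constructed server that offers neither StartTLS nor a SASL mechanism
# that avoids sending the password (IBM-style lowercase attribute names).
SAMPLE_DSE_PLAIN='dn:
namingcontexts: dc=example,dc=com
security: none
port: 389
supportedldapversion: 3
supportedsaslmechanisms: PLAIN'

# dse_attr NAME  (LDIF on stdin): print every value of attribute NAME.
# LDAP attribute names are case-insensitive, so "namingcontexts" (IBM) and
# "namingContexts" (OpenLDAP) both match.
dse_attr() {
  awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    {
      p = index($0, ":")
      if (p == 0) next
      if (tolower(substr($0, 1, p - 1)) != want) next
      val = substr($0, p + 1)
      sub(/^[ \t]+/, "", val)
      print val
    }'
}

# dse_supports_starttls  (LDIF on stdin): 0 if the StartTLS extended
# operation is advertised, 1 otherwise.
dse_supports_starttls() {
  dse_attr supportedExtension | grep -qFx "$STARTTLS_OID"
}

# dse_bind_advice  (LDIF on stdin): one line saying how to bind safely.
dse_bind_advice() {
  dse=$(cat)
  if printf '%s\n' "$dse" | dse_attr supportedSASLMechanisms | grep -qx 'GSSAPI'; then
    echo "sasl: bind with GSSAPI (Kerberos); no password crosses the wire"
  elif printf '%s\n' "$dse" | dse_supports_starttls; then
    echo "starttls: run ldapsearch -ZZ (or use ldaps://) before a simple -x bind"
  else
    echo "unsafe: no StartTLS and no password-free SASL mechanism; do not -x bind with a real password"
  fi
}

printf 'namingContexts: %s\n' "$(printf '%s\n' "$SAMPLE_DSE" | dse_attr namingContexts)"
printf '%s\n' "$SAMPLE_DSE" | dse_bind_advice
printf '%s\n' "$SAMPLE_DSE_PLAIN" | dse_bind_advice
```

To use it against a live server, pipe the output of ldapsearch -LLL -x -h host -b "" -s base + into dse_bind_advice; the anonymous root DSE read itself carries no credentials, so it is safe to run before choosing a bind method.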
To load an LDIF file into the LDAP directory:
$ ldapadd -H ldap://appleserver.example.com -f myusers.ldif
Replace appleserver.example.com with the location of the LDAP directory and myusers.ldif with the name of your LDIF file.
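Because ldapadd writes straight into the directory (see the warning above), it is worth validating an LDIF file before loading it. The following shell function, an added example rather than Apple's code, checks the file's structure: every entry begins with a dn: line, carries at least one objectClass, contains only attribute: value lines or continuation lines (leading space), and is separated from the next entry by a blank line. The sample LDIF is constructed. For a final dry run against the live server, ldapadd's -n option shows what would be done without modifying any entry.

```shell
#!/bin/sh
# Added example: structural check of an LDIF file before ldapadd.
# SAMPLE_LDIF is constructed for this example (entries modelled on the
# ldapsearch output shown earlier; objectClass values are illustrative).
SAMPLE_LDIF='dn: uid=ajohnson,cn=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: ajohnson
cn: Anne Johnson
sn: Johnson

dn: cn=Tom Clark,dc=example,dc=com
objectClass: person
cn: Tom Clark
sn: Clark
'

# ldif_check  (LDIF on stdin)
# Prints the first problem found and returns 1, or "N entries OK" and
# returns 0. Comments (#) and a leading version: line are ignored.
ldif_check() {
  awk '
    function finish() {
      if (in_entry && !has_oc) {
        printf "entry %d (%s): no objectClass\n", n, dn
        bad = 1
        exit 1
      }
      in_entry = 0; has_oc = 0
    }
    /^#/ || /^version:/ { next }
    /^$/ { finish(); next }
    /^ / {
      if (!in_entry) { printf "line %d: continuation line outside an entry\n", NR; bad = 1; exit 1 }
      next
    }
    {
      if (!in_entry) {
        if ($0 !~ /^dn:/) { printf "line %d: entry must start with dn:\n", NR; bad = 1; exit 1 }
        in_entry = 1; n++
        dn = $0; sub(/^dn:[ \t]*/, "", dn)
        next
      }
      if ($0 ~ /^dn:/) { printf "line %d: dn: inside an entry (missing blank line)\n", NR; bad = 1; exit 1 }
      if ($0 !~ /^[A-Za-z][A-Za-z0-9.;-]*:/) { printf "line %d: not an attribute: value line\n", NR; bad = 1; exit 1 }
      if (tolower($0) ~ /^objectclass:/) has_oc = 1
    }
    END {
      if (!bad) finish()
      if (!bad) printf "%d entries OK\n", n
      exit bad
    }'
}

# Usage: validate, and only then load (the ldapadd line is illustrative).
if printf '%s' "$SAMPLE_LDIF" | ldif_check; then
  echo 'ok to run: ldapadd -H ldap://appleserver.example.com -f myusers.ldif'
fi
```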
Enter the following command to Kerberize your services with an Active Directory server:
$ sudo dsconfigad -enablesso
To verify that you can access an LDAPv3 directory:
$ dscl localhost
> cd /LDAPv3/directory.example.com/Users
> ls
You should see a list of the server's network user accounts.
To view the attributes of a group in the local directory domain:
$ dseditgroup -o read groupname
To create a group in a domain:
$ dseditgroup -o create -n /LDAPv3/ldap.example.com -u diradmin_name -P diradmin_password -r "Gr
To create a Windows group in a domain and set the domain group relative identifier (RID):
$ dseditgroup -o create -n /LDAPv3/ldap.example.com -u diradmin_name -P diradmin_password -r "Gr
$ dscl -u diradmin_name -P diradmin_password /LDAPv3/ldap.example.com -create /Groups/groupname
To delete a group from a domain:
$ dseditgroup -o delete -n /LDAPv3/ldap.example.com -u diradmin_name -P diradmin_password groupn
Parameter              Description
-u diradmin_name       Name of the directory administrator
-P diradmin_password   Password of the directory administrator
-r realname            Real name to add or replace
-c comment             Comment to add or replace
-s ttl                 Time-to-live, in seconds, to add or replace
-k keyword             Keyword to add
groupname              Group name
To add an LDAP server:
$ dsconfigldap -v -a myldap.example.com
To remove an LDAP server:
$ dsconfigldap -v -r myldap.example.com
Parameter                                            Description
computerid                                           The computer ID to add to the domain.
administrator                                        The user name of a network account that has administrator privileges.
CN=Computers,OU=Engineering,DC=ads,DC=demo,DC=com    The LDAP distinguished name of the container used for adding the computer. If this is not specified, it defaults to the Computers container.
domain                                               The fully qualified domain name of the domain used when adding the computer to the directory.
1. Make sure DNS service is configured to resolve fully qualified DNS names and provide the corresponding reverse lookups. DNS must resolve fully qualified DNS names and provide reverse lookups for the master server, replica servers, and other servers that are members of the Kerberos realm. To perform a DNS lookup of a server's DNS name and a reverse lookup of the server's IP address, you can use the Lookup pane of Network Utility (in /Applications/Utilities). For more information about setting up DNS service, see Server Admin Help.
2. Make sure the Open Directory master server's host name is the correct fully qualified DNS name, not the server's local host name. For example, the host name might be ods.example.com but should not be ods.local. You can see the host name by opening Terminal and entering hostname. If the Open Directory server's host name isn't its fully qualified DNS name, temporarily clear the list of DNS servers and click Apply in the Open Directory server's Network preferences. Then re-enter the DNS server IP addresses, starting with the primary DNS server that resolves the Open Directory server's name, and click Apply in Network preferences. If the Open Directory server's host name still isn't its fully qualified DNS name, restart the server.
3. Make sure the Open Directory master server's Network preferences are configured to use the DNS server that resolves the server's name. If the Open Directory master server provides its own DNS service, the server's Network preferences must be configured to use itself as a DNS server.
4. After confirming the correct DNS configuration for the server, start Kerberos. See Start Kerberos after setting up an Open Directory master.
If you can't join an Open Directory replica to an Open Directory that's a subordinate of an Active Directory server
Before you try to turn the server into a replica of the subordinate Open Directory server, make sure you connect the server to the same Active Directory server as the Open Directory master server you are attempting to connect to. Your replicas must have access to the Active Directory server for Kerberos to work.
To enable affected users to log in, move their user accounts to a server running Mac OS X Server v10.3 to v10.6 or Lion Server. Alternatively, if possible, upgrade the older server to Lion Server or later.
For more information, see Change the connection settings for an LDAP or Open Directory server.
To check the LDAP directory's search base setting, open Server Admin and look in the Protocols pane of the Settings pane for Open Directory service.
For information that can help you solve problems, see the KDC log. Also see View Open Directory status and logs.
If Kerberos was not running when user records were created, imported, or updated from an earlier Mac OS X version, they might not be enabled for Kerberos authentication. A record isn't enabled for Kerberos if its authentication authority attribute lacks the ;Kerberosv5; value. Use the Directory Editor in Directory Utility to see the values of a user record's authentication authority attribute. For more information, see Directory Utility Help. Enable Kerberos for a user record by changing its password type: set the password type to Shadow Password, then set it back to Open Directory. For more information, see Change the password type to shadow password and Change the password type to Open Directory.
If users can't authenticate using single sign-on or Kerberos for services provided by a server that is joined to an Open Directory master's Kerberos realm, the server's computer record might be incorrectly configured in the Open Directory master's LDAP directory. The server's name in the computer group account must be the server's fully qualified DNS name, not just the server's host name. For example, the name could be server2.example.com but not just server2.
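As an added example (not from Apple's documentation), two of the checks described above can be scripted: whether a server's host name or computer-record name is a fully qualified DNS name rather than a bare host name (server2) or a Bonjour .local name (ods.local), and whether a user record's authentication authority attribute carries the ;Kerberosv5; value. The attribute values below are constructed, one value per line as you would copy them out of the Directory Editor; the ApplePasswordServer value is a made-up placeholder, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: Kerberos readiness checks for Open Directory names and
# user records. All sample data is constructed for this example.

# kerberos_name_ok NAME: 0 when NAME is a fully qualified DNS name usable in
# a Kerberos realm; 1 for an empty or malformed name, a bare host name such
# as server2, or a multicast-DNS name such as ods.local.
kerberos_name_ok() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*) return 1 ;;   # empty, or characters not valid in a host name
    *.local|*.local.) return 1 ;;      # Bonjour name, not the DNS FQDN
    *.*) return 0 ;;                   # host.domain or longer
    *) return 1 ;;                     # single label
  esac
}

# AuthenticationAuthority values of a user record, one per line (constructed;
# the password-server blob is a placeholder). The first record has the
# ;Kerberosv5; value the text says a Kerberos-enabled record must carry.
SAMPLE_AUTHORITY_OK=';ApplePasswordServer;0x0123456789abcdef0123456789abcdef,1024 35 PLACEHOLDER
;Kerberosv5;;ajohnson@ODS.EXAMPLE.COM;ODS.EXAMPLE.COM;'
SAMPLE_AUTHORITY_MISSING=';ApplePasswordServer;0x0123456789abcdef0123456789abcdef,1024 35 PLACEHOLDER'

# authority_has_kerberos  (values on stdin): 0 when some value begins with
# ;Kerberosv5;, 1 otherwise. Leading whitespace from copy-paste is ignored.
authority_has_kerberos() {
  awk '{ sub(/^[ \t]+/, "") } /^;Kerberosv5;/ { found = 1 } END { exit !found }'
}

# readiness_report NAME  (authority values on stdin): one verdict per line,
# with the remedy the text gives for each failure.
readiness_report() {
  if kerberos_name_ok "$1"; then
    printf 'name %s: ok (fully qualified)\n' "$1"
  else
    printf 'name %s: NOT a fully qualified DNS name; fix DNS and the host name first\n' "$1"
  fi
  if authority_has_kerberos; then
    echo 'record: Kerberos-enabled'
  else
    echo 'record: not Kerberos-enabled; set password type to Shadow Password, then back to Open Directory'
  fi
}

printf '%s\n' "$SAMPLE_AUTHORITY_OK" | readiness_report ods.example.com
printf '%s\n' "$SAMPLE_AUTHORITY_MISSING" | readiness_report ods.local
```

The forward and reverse DNS lookups in step 1 still need a live resolver (the Lookup pane of Network Utility, as the text says); the name check here only catches the two name shapes the text singles out as wrong.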
1. Delete the server from the computer group account in the LDAP directory. For more information about this and the next step, see Workgroup Manager Help.
2. Add the server to the computer group again.
3. Delegate authority again for joining the server to the Open Directory master's Kerberos realm. For more information, see Delegate authority to join an Open Directory Kerberos realm.
4. Rejoin the server to the Open Directory Kerberos realm. For more information, see Join a server to a Kerberos realm.
1. Delete the server from the computer group account in the LDAP directory. For more information about this and the next step, see Workgroup Manager Help.
2. Add the server to the computer group again.
3. Delegate authority again for joining the server to the Open Directory master's Kerberos realm. Skip this step if you can use a Kerberos administrator account (LDAP directory administrator account) to rejoin the server to the Kerberos realm. For more information, see Delegate authority to join an Open Directory Kerberos realm.
4. Rejoin the server to the Open Directory Kerberos realm. For more information, see Join a server to a Kerberos realm.
Open Directory service settings
To change settings for the Open Directory service, use the following parameters with the serveradmin tool. Be sure to add dirserv: to the beginning of any parameter you use.
Parameter                              Description
replicationUnits                       Default = "days"
replicaLastUpdate                      Default = ""
LDAPSettings:LDAPDataBasePath          Default = ""
replicationPeriod                      Default = 4
LDAPSettings:LDAPSearchBase            Default = ""
passwordOptionsString                  Default = "usingHistory=0 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0"
LDAPSettings:LDAPSSLCertificatePath    Default = ""
masterServer                           Default = ""
LDAPServerType                         Default = "standalone"
replicationWhen                        Default = "periodic"
LDAPSettings:useSSL                    Default = "YES"
LDAPDefaultPrefix                      Default = "dc=domain,dc=com"
LDAPSettings:LDAPTimeoutUnits          Default = "minutes"
LDAPSettings:LDAPServerBackend         Default = "BerkeleyDB"
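The defaults in this table deserve a security reading: passwordOptionsString starts with every policy knob at 0 (no lockout after failed logins, no minimum length, no history), and LDAPSettings:useSSL decides whether client LDAP traffic, including simple binds, is encrypted. As an added example (not from Apple's documentation), the script below parses settings in the dirserv:parameter = value form that serveradmin settings dirserv prints and flags those weak values. Both samples are constructed: the first weakens useSSL and keeps the documented default password options, the second shows illustrative hardened values rather than recommendations from the page. Function names are assumptions; to change a value you would use serveradmin settings with the dirserv: prefix, as the text describes.

```shell
#!/bin/sh
# Added example: audit Open Directory settings in the "key = value" form
# that serveradmin settings dirserv prints. Both samples are constructed;
# the passwordOptionsString in SAMPLE_WEAK is the documented default.
SAMPLE_WEAK='dirserv:replicationUnits = "days"
dirserv:replicationWhen = "periodic"
dirserv:LDAPSettings:useSSL = "NO"
dirserv:passwordOptionsString = "usingHistory=0 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0"'

SAMPLE_HARDENED='dirserv:replicationWhen = "periodic"
dirserv:LDAPSettings:useSSL = "YES"
dirserv:passwordOptionsString = "usingHistory=5 requiresAlpha=1 requiresNumeric=1 maxFailedLoginAttempts=5 minChars=12 maxChars=0 passwordCannotBeName=1"'

# setting_value PARAM  (settings on stdin): value of dirserv:PARAM without
# the surrounding quotes; prints nothing if the parameter is absent.
setting_value() {
  awk -v key="dirserv:$1" '
    {
      p = index($0, " = ")
      if (p == 0 || substr($0, 1, p - 1) != key) next
      v = substr($0, p + 3)
      gsub(/^"|"$/, "", v)
      print v
      exit
    }'
}

# password_option NAME STRING: value of NAME inside a passwordOptionsString.
password_option() {
  printf '%s\n' "$2" | tr ' ' '\n' | awk -F= -v name="$1" '$1 == name { print $2; exit }'
}

# audit_dirserv  (settings on stdin): one finding per line; prints nothing
# when none of the checked values is weak.
audit_dirserv() {
  settings=$(cat)
  ssl=$(printf '%s\n' "$settings" | setting_value LDAPSettings:useSSL)
  [ "$ssl" = "YES" ] || echo "LDAPSettings:useSSL is \"$ssl\": LDAP traffic, including simple binds, is not protected by SSL"
  pw=$(printf '%s\n' "$settings" | setting_value passwordOptionsString)
  for opt in maxFailedLoginAttempts minChars usingHistory; do
    val=$(password_option "$opt" "$pw")
    [ "${val:-0}" != "0" ] || echo "passwordOptionsString: $opt=0 (policy not enforced)"
  done
}

echo '== weak =='
printf '%s\n' "$SAMPLE_WEAK" | audit_dirserv
echo '== hardened =='
printf '%s\n' "$SAMPLE_HARDENED" | audit_dirserv
```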
OpenLDAP standard distribution tools
Two types of tools come with OpenLDAP:
Tools that operate directly on the LDAP database. These tools begin with slap.
Tools that go through the LDAP protocol. These tools begin with ldap.
You must run the slap tools on the computer hosting the LDAP database. When using slap tools, shut down the LDAP service. If you don't, your database can get out of sync. These tools are included in the standard OpenLDAP distribution.
Tool                      Used to
/usr/bin/ldapadd          Add entries to the LDAP directory.
/usr/bin/ldapcompare      Compare a directory entry's actual attributes with known attributes.
/usr/bin/ldapdelete       Delete entries from the LDAP directory.
/usr/bin/ldapmodify       Change an entry's attributes.
/usr/bin/ldapmodrdn       Change an entry's relative distinguished name (RDN).
/usr/bin/ldappasswd       Set the password for an LDAP user. Apple recommends using passwd instead.
ldapsearch                Search the LDAP directory.
ldapwhoami                Obtain the primary authorization identity associated with a user.
slapadd                   Add entries to the LDAP directory.
slapcat                   Export LDAP Directory Interchange Format (LDIF) files.
slapindex                 Regenerate directory indexes.
slappasswd                Generate user password hashes.
Directory Utility
Get started
When you add or delete a server in the Directory Servers list, the entries associated with that directory server are added to or deleted from the Services, Authentication, and Contacts lists. However, if you remove the associated entries from the Services, Authentication, and Contacts lists, the directory server is not removed from the Directory Servers list. For more information about using Users & Groups preferences to add directory servers, search Mac Help for "network account server".
A Mac computer can connect to an Open Directory, Active Directory, or LDAP directory server. If you don't know which server to connect to, ask your network administrator.
Important: If your computer name contains a hyphen, you might not be able to join or bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.
1. Open System Preferences and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select LDAPv3 and click the Edit button (/).
8. Click New, then click Edit. By default, the new directory connection is enabled. For more information about enabling or disabling a directory connection, see Enable or disable directory service.
9. Enter a name in the Configuration Name field.
10. Enter the server name or IP address of the Open Directory server in the Server Name or IP Address field.
11. Select Encrypt using SSL if you want Open Directory to use Secure Sockets Layer (SSL) for connections. Before you select this, ask your Open Directory administrator to determine if SSL is needed. If Directory Utility can't contact the Open Directory server, you might need to adjust your configuration access settings. For more information, see Change the connection settings for an LDAP or Open Directory server.
12. Click Search & Mappings.
13. From the "Access this LDAPv3 server using" pop-up menu, choose Open Directory and enter a search base. You must enter a search base suffix or the computer can't find information in the Open Directory. Typically, the search base suffix is derived from the server's DNS host name. For example, the search base suffix could be dc=ods,dc=example,dc=com for a server whose DNS host name is ods.example.com. For more information about setting up searches and mappings for an LDAP server, see Configure LDAP Searches & Mappings.
14. If the directory server supports trusted binding, click Bind and enter the name of the computer and the name and password of a directory administrator. The binding might be optional. Trusted binding is mutual: each time the computer connects to the LDAP directory, they authenticate each other. If trusted binding is already set up or the LDAP directory doesn't support trusted binding, the Bind button does not appear. Make sure you supply the correct computer name. If you see an alert saying that a computer record exists, try again using a different computer name, or click Overwrite to replace the existing computer record. The existing computer record might be abandoned, or it might belong to another computer. If you replace an existing computer record, notify the LDAP directory administrator in case replacing the record disables another computer. In this case, the LDAP directory administrator must give the disabled computer a different name and add it back to the computer group it belonged to. For more information, see Set up trusted binding for an LDAP directory.
15. Click Security. If Open Directory requires authentication to connect, select "Use authentication when connecting" and enter the distinguished name and password of a user account in the directory. An authenticated connection is not mutual: the LDAP server authenticates the client, but the client doesn't authenticate the server. The distinguished name can specify any user account that has permission to see data in the directory. For example, a user account whose short name is dirauth on an LDAP server whose address is ods.example.com would have the distinguished name uid=dirauth,cn=users,dc=ods,dc=example,dc=com. For more information, see Change the security policy for an LDAP connection. Important: If the distinguished name or password is incorrect, you can't log in to the computer using a user account from the LDAP directory.
16. Click OK to finish creating the Open Directory connection.
17. Click OK to finish configuring LDAPv3 options.
If you want the computer to access the LDAP directory you created a configuration for, add the directory to a custom search policy in the Authentication pane and the Contacts pane of Search Policy in Directory Utility, then make sure it is enabled in Services. For information about creating search policies, see Define search policies. For information about enabling a directory service, see Enable or disable directory service.
Important: If you change the IP address and computer name of your Mac server using changeip while you are connected to a directory server, you must disconnect and reconnect to the directory server to update the directory with the new computer name and IP address. If you do not disconnect and reconnect, the directory does not update and continues to use the old computer name and IP address.
1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. From the File menu, choose Connect.
7. Enter the following connection and authentication information for the server you want to configure.
   Address: Enter the DNS host name or IP address of the server you want to configure.
   User Name: Enter the user name of an administrator on the server.
   Password: Enter the password for the user name.
8. Click Connect.
9. Click the Services, Search Policy, and Directory Editor tabs and change settings as needed. Changes you make affect the remote server you connected to in the previous steps.
10. From the File menu on your computer, choose Disconnect.
Root account
The root account is an unrestricted administrator account used to perform changes to critical system files. You can enable the root account and change its password using Directory Utility.

Enable the root account
You can use Directory Utility to enable the root account. If you enable the root account, use a complex password that contains alphanumeric and special characters, to prevent the password from being compromised.
WARNING: The root account is an unrestricted administrator account used to perform changes to critical system files. Even if you are logged in as an administrator, you must use the root account or sudo to perform critical system tasks. Avoid using the root account to log in to a computer remotely or locally. Instead, use the sudo command-line tool to perform tasks that require root user privileges. You can restrict access to sudo by adding users to the /etc/sudoers file. If you log in using the root account, log out as soon as you finish performing tasks that require root user privileges.
1. Open System Preferences and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Choose Edit > Enable Root User.

Change the root account password
You can use Directory Utility (located in Users & Groups preferences) to change the root account password. When changing the root password, use a complex password that contains alphanumeric and special characters, to prevent the password from being compromised.
WARNING: The root account is an unrestricted administrator account used to perform changes to critical system files. Even if you are logged in as an administrator, you must use the root account or sudo to perform critical system tasks. Avoid using the root account to log in to a computer remotely or locally. Instead, use the sudo command-line tool to perform tasks that require root user privileges. You can restrict access to sudo by adding users to the /etc/sudoers file. If you log in using the root account, log out as soon as you finish performing tasks that require root user privileges.
1. Open System Preferences and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Choose Edit > Change Root Password.
7. When prompted, enter the new root password in the Password and Verify fields.
8. Click OK.
Directory Utility
LDAP directories
1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select LDAPv3 and click the Edit button (/).
8. Click New, then click Edit. By default, the new directory connection is enabled. For more information about enabling or disabling a directory connection, see Enable or disable directory service.
9. Enter a name in the Configuration Name field.
10. Enter the LDAP server's DNS host name or IP address in the Server Name or IP Address field.
11. Select Encrypt using SSL if you want Open Directory to use Secure Sockets Layer (SSL) for connections with the LDAP directory. Before you select this, ask your Open Directory administrator to determine if SSL is needed. If Directory Utility can't contact the LDAP server, you might need to adjust your configuration access settings. For more information, see Change the connection settings for an LDAP or Open Directory server.
12. Click Search & Mappings.
13. From the "Access this LDAPv3 server using" pop-up menu, choose Open Directory and enter a search base. Typically, the search base suffix is derived from the server's DNS host name. For example, the search base suffix could be dc=ods,dc=example,dc=com for a server whose DNS host name is ods.example.com.
14. If the directory server supports trusted binding, click Bind and enter the name of the computer and the name and password of a directory administrator. The binding might be optional. Trusted binding is mutual: each time the computer connects to the LDAP directory, they authenticate each other. If trusted binding is already set up or the LDAP directory doesn't support trusted binding, the Bind button does not appear. Make sure you supply the correct computer name. If you see an alert saying that a computer record exists, try again using a different computer name, or click Overwrite to replace the existing computer record. The existing computer record might be abandoned, or it might belong to another computer. If you replace an existing computer record, notify the LDAP directory administrator in case replacing the record disables another computer. In this case, the LDAP directory administrator must give the disabled computer a different name and add it back to the computer group it belonged to.
15. Click Security. If the Active Directory requires authentication to connect, select "Use authentication when connecting" and enter the distinguished name and password of a user account in the directory. An authenticated connection is not mutual: the LDAP server authenticates the client, but the client doesn't authenticate the server. The distinguished name can specify any user account that has permission to see data in the directory. For example, a user account whose short name is dirauth on an LDAP server whose address is ods.example.com would have the distinguished name uid=dirauth,cn=users,dc=ods,dc=example,dc=com. Important: If the distinguished name or password is incorrect, you can't log in to the computer using a user account from the LDAP directory.
16. Click OK to finish creating the LDAP connection.
17. Click OK to finish configuring LDAPv3 options.
If you want the computer to access the LDAP directory you created a configuration for, add the directory to a custom search policy in the Authentication pane and the Contacts pane of Search Policy in Directory Utility, then make sure it is enabled in Services. For information about creating search policies, see Define search policies. For information about enabling a directory service, see Enable or disable directory service.
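The search base and bind DN used in these steps (and in the Open Directory procedure earlier) follow one convention: each label of the server's DNS host name becomes a dc= component, and a user's DN is uid=shortname,cn=users followed by that suffix. As an added example (not Apple's code), the script below derives both, and also escapes RDN values as RFC 4514 requires, which matters when a name such as "Clark, Tom" contains a comma or another reserved character and the DN is assembled from data you did not type yourself. Function names are assumptions.

```shell
#!/bin/sh
# Added example: derive an LDAP search base and user DNs from a server's
# DNS host name, escaping RDN values per RFC 4514.

# search_base_from_host HOST: ods.example.com -> dc=ods,dc=example,dc=com
search_base_from_host() {
  printf '%s\n' "$1" | awk -F. '
    {
      out = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "") continue              # tolerate a trailing dot
        out = out (out == "" ? "" : ",") "dc=" $i
      }
      print out
    }'
}

# rdn_escape VALUE: escape the characters RFC 4514 reserves inside an RDN
# value. Backslash is handled first so escapes added afterwards are not
# doubled; a leading # or space and a trailing space are escaped too.
rdn_escape() {
  printf '%s\n' "$1" | sed \
    -e 's/\\/\\\\/g' \
    -e 's/,/\\,/g' -e 's/+/\\+/g' -e 's/"/\\"/g' \
    -e 's/</\\</g' -e 's/>/\\>/g' -e 's/;/\\;/g' \
    -e 's/^#/\\#/' -e 's/^ /\\ /' -e 's/ $/\\ /'
}

# bind_dn_for_user SHORTNAME HOST: the DN form the text gives for a user in
# the Users container, e.g. uid=dirauth,cn=users,dc=ods,dc=example,dc=com
bind_dn_for_user() {
  printf 'uid=%s,cn=users,%s\n' "$(rdn_escape "$1")" "$(search_base_from_host "$2")"
}

# cn_dn CN HOST: a cn=... entry directly under the suffix, like the
# cn=Tom Clark,dc=example,dc=com record in the ldapsearch output earlier.
cn_dn() {
  printf 'cn=%s,%s\n' "$(rdn_escape "$1")" "$(search_base_from_host "$2")"
}

bind_dn_for_user dirauth ods.example.com
cn_dn 'Tom Clark' example.com
cn_dn 'Clark, Tom' example.com
```

The escaping step is the part people skip: without it, a comma inside a cn value silently turns one RDN into two and the DN names a different entry than intended.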
6. Click Services.
7. In the list of services, select LDAPv3 and click the Edit button (/).
8. If the list of server configurations is hidden, click Show Options.
9. Make changes as needed to the following settings:
   Enable: Click a checkbox to enable or disable access to an LDAP directory server.
   Configuration Name: Double-click a configuration name to edit it.
   Server Name or IP Address: Double-click a server name or IP address to change it.
   LDAP Mapping: From the pop-up menu, choose a template, enter the search base suffix for the LDAP directory, and click OK. If you choose a template, you must enter a search base suffix or the computer can't find information in the LDAP directory. Typically, the search base suffix is derived from the server's DNS host name. For example, for a server whose DNS host name is ods.example.com, the search base suffix is dc=ods,dc=example,dc=com. If you choose From Server instead of a template, a search base suffix is not needed; in this case, Open Directory assumes the search base suffix is the first level of the LDAP directory. If you choose Custom, you must set up mappings between the Mac OS X record types and attributes and the classes and attributes of the LDAP directory you're connecting to. For more information, see Configure LDAP Searches & Mappings.
   SSL: Click the checkbox to enable or disable encrypted communications using the SSL protocol. Before you select the SSL checkbox, ask your Open Directory administrator if SSL is needed.
10. To change the following default settings for this LDAP configuration, click Edit to display the options for the selected LDAP configuration, make changes, and click OK when you finish editing the LDAP configuration options:
   Click Connection to set timeout options, specify a custom port, ignore server referrals, or force use of the LDAPv2 (read-only) protocol. For more information, see Change the connection settings for an LDAP or Open Directory server.
   Click Search & Mappings to set up searches and mappings for an LDAP server. For more information, see Configure LDAP Searches & Mappings.
   Click Security to set up an authenticated connection (instead of trusted binding) and other security policy options. For more information, see Change the security policy for an LDAP connection.
   Click Bind to set up trusted binding, or click Unbind to stop trusted binding. (You might not see these buttons if the LDAP directory doesn't permit trusted binding.) For more information, see Set up trusted binding for an LDAP directory.
11. To finish changing the configuration to access an LDAP directory, click OK.

Duplicate a configuration for accessing an LDAP directory
You can use Directory Utility to duplicate a configuration that specifies how Mac OS X accesses an LDAPv3 or LDAPv2 directory. After duplicating an LDAP directory configuration, you can change its settings to make it different from the original configuration.
1. On your computer, open System Preferences and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select LDAPv3 and click the Edit button (/).
8. If the list of server configurations is hidden, click Show Options.
9. In the list, select a server configuration and then click Duplicate.
10. Change the duplicate configuration's settings:
   Enable: Click a checkbox to enable or disable access to an LDAP directory server.
   Configuration Name: Double-click a configuration name to edit it.
   Server Name or IP Address: Double-click a server name or IP address to change it.
   LDAP Mapping: Choose a template from the pop-up menu, then enter the search base suffix for the LDAP directory and click OK. If you choose a template, you must enter a search base suffix or the computer can't find information in the LDAP directory. Typically, the search base suffix is derived from the server's DNS host name. For example, for a server whose DNS host name is ods.example.com, the search base suffix is dc=ods,dc=example,dc=com. If you choose From Server instead of a template, a search base suffix is not needed; in this case, Open Directory assumes the search base suffix is the first level of the LDAP directory. If you choose Custom, you must set up mappings between the Mac OS X record types and attributes and the classes and attributes of the LDAP directory you're connecting to. For more information, see Configure LDAP Searches & Mappings.
   SSL: Click the checkbox to enable or disable encrypted communications using the SSL protocol. Before you select the SSL checkbox, ask your Open Directory administrator if SSL is needed.
11. To change the following default settings for the duplicate LDAP configuration, click Edit to display the options, make changes, and click OK when you finish editing them:
   Click Connection to set up trusted binding (if the LDAP directory supports it), set timeout options, specify a custom port, ignore server referrals, or force use of the LDAPv2 (read-only) protocol. For more information, see Change the connection settings for an LDAP or Open Directory server.
   Click Search & Mappings to set up searches and mappings for an LDAP server. For more information, see Configure LDAP Searches & Mappings.
   Click Security to set up an authenticated connection (instead of trusted binding) and other security policy options. For more information, see Change the security policy for an LDAP connection.
   Click Bind to set up trusted binding, or click Unbind to stop trusted binding. (You might not see these buttons if the LDAP directory doesn't permit trusted binding.) For more information, see Set up trusted binding for an LDAP directory.
12. To finish changing the duplicate configuration, click OK.
13. If you want the computer to access the LDAP directory specified by the duplicate configuration you created, add the directory to a custom search policy in the Authentication or Contacts pane of Search Policy in Directory Utility and make sure LDAPv3 is enabled in the Services pane. For more information, see Enable or disable directory service, and Define search policies.

Delete a configuration for accessing an LDAP or Open Directory server
You can use Directory Utility to delete a configuration that specifies how the computer accesses an LDAPv3 or LDAPv2 directory. If the LDAP configuration was provided by DHCP, it can't be changed, so this configuration option is dimmed in the LDAP configurations list.
1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select LDAPv3 and click the Edit button (/).
8. If the list of server configurations is hidden, click Show Options.
9. In the list, select a server configuration and click Delete, then click OK.
10. Choose from the following:
   If you see an alert saying the computer is bound to the LDAP directory and you want to stop trusted binding, click OK and then enter the name and password of an LDAP directory administrator (not a local computer administrator).
   If you see an alert saying the computer can't contact the LDAP server, you can click OK to forcibly stop trusted binding. If you forcibly stop trusted binding, this computer still has a computer record in the LDAP directory. Notify the LDAP directory administrator so the administrator knows to remove the computer from the computer group.
The deleted configuration is removed from the custom search policies for authentication and contacts.
Directory Utility
LDAP directories

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select LDAPv3 and click the Edit button (/).
8. If the list of server configurations is hidden, click Show Options.
9. In the list, select a server configuration and click Edit. Several options appear, including the Bind button. If the Bind button doesn't appear, the LDAP directory doesn't support trusted binding.
10. Click Bind, then enter the following credentials and click OK: the name of the computer, and the name and password of an LDAP directory domain administrator. The computer name can't be in use by another computer for trusted binding or other network services.
11. Verify that you supplied the correct computer name. If you see an alert saying that a computer record exists, click Cancel to go back and change the computer name, or click Overwrite to replace the existing computer record. The existing computer record might be abandoned or it might belong to another computer. If you replace an existing computer record, notify the LDAP directory administrator so that replacing the record won't disable another computer. In such a situation, the LDAP directory administrator must give the disabled computer another name and add it to the computer group it belonged to, using a different name for that computer.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Search Policy.
7. Click Authentication and make sure the LDAPv3 directory you want is listed in the search policy. For more information about adding the LDAPv3 directory to the authentication search policy, see Define search policies.
8. Click Services.
9. In the list of services, select LDAPv3 and click the Edit button (/).
10. If the list of server configurations is hidden, click Show Options.
11. Select the configuration for the directory you want, then click Edit.
12. Click Security and then change any of the following settings.
Note: The security settings here and on the corresponding LDAP server are determined when the LDAP connection is set up. The settings aren't updated when server settings are changed. If any of the last four options are selected but disabled, the LDAP directory requires them. If any of these options are unselected and disabled, the LDAP server doesn't support them.
Use authentication when connecting: Determines whether the LDAPv3 connection authenticates itself with the LDAP directory by supplying the specified distinguished name and password. This option is not visible if the LDAPv3 connection uses trusted binding with the LDAP directory.
Bound to the directory as: Specifies the credentials the LDAPv3 connection uses for trusted binding with the LDAP directory. This option and the credentials can't be changed here. Instead, you can unbind and then bind again with different credentials. For more information, see Stop trusted binding with an LDAP directory and Set up trusted binding for an LDAP directory. This option is not visible unless the LDAPv3 connection uses trusted binding.
Disable clear text passwords: Determines whether the password is to be sent as clear text if it can't be validated using an authentication method that sends an encrypted password.
Digitally sign all packets (requires Kerberos): Certifies that directory data from the LDAP server hasn't been intercepted and modified by another computer while en route to your computer.
Encrypt all packets (requires SSL or Kerberos): Requires the LDAP server to encrypt directory data using SSL or Kerberos before sending it to your computer. Before you select Encrypt all packets (requires SSL or Kerberos), ask your Open Directory administrator if SSL is needed.
Block man-in-the-middle attacks (requires Kerberos): Protects against a rogue server posing as the LDAP server. Best if used with the Digitally sign all packets option.

1. Make sure the Mac computer that needs to authenticate the user account has a connection to the LDAP directory where the user account resides and that the computer's search policy includes the LDAP directory connection. For information about configuring LDAP server connections and the search policy, see Configure access to an LDAP directory. If you configure an LDAP connection that doesn't map the password and authentication authority attributes, bind authentication occurs automatically. For more information, see Configure LDAP Searches & Mappings.
2. If you configure the connection to permit clear-text passwords, also configure it to use SSL to protect the clear-text password while it is in transit. For more information, see Change the security policy for an LDAP connection and Change the connection settings for an LDAP or Open Directory server.
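The LDAP procedures above describe settings that interact: the search base suffix derived from the server's DNS host name, the SSL checkbox, and the Security pane options, together with the rule that clear-text passwords need SSL protecting them in transit. The following added example, which is not Apple's code or any part of Directory Utility, models those options and audits a configuration against the rules stated in the text; the server names, the template name and the field names are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List


def search_base_from_hostname(hostname: str) -> str:
    """Default search base suffix for a template mapping: every DNS label of
    the server's host name becomes one dc= component, so ods.example.com
    (the text's example) gives dc=ods,dc=example,dc=com."""
    labels = [lab for lab in hostname.strip().rstrip(".").lower().split(".") if lab]
    if not labels:
        raise ValueError("host name has no labels")
    return ",".join(f"dc={lab}" for lab in labels)


@dataclass
class LDAPConnection:
    """Model of one LDAPv3 configuration row plus the Security pane options
    described above (the field names are this example's, not Apple's)."""
    server: str
    mapping: str                      # template name, "From Server" or "Custom"
    search_base: str = ""
    ssl: bool = False                 # SSL checkbox on the configuration
    trusted_binding: bool = False     # Bind was used
    use_authentication: bool = False  # Use authentication when connecting
    bind_dn: str = ""                 # distinguished name for that option
    disable_clear_text: bool = False  # Disable clear text passwords
    sign_packets: bool = False        # Digitally sign all packets (Kerberos)
    encrypt_packets: bool = False     # Encrypt all packets (SSL or Kerberos)
    block_mitm: bool = False          # Block man-in-the-middle attacks (Kerberos)
    kerberos_available: bool = False  # the directory offers Kerberos


def audit(conn: LDAPConnection) -> List[str]:
    """Return the problems a reviewer would raise; an empty list means the
    settings are consistent with the rules stated in the procedures."""
    findings = []
    # LDAP Mapping: a template needs a search base suffix; From Server derives it.
    if conn.mapping not in ("From Server", "Custom") and not conn.search_base:
        findings.append("template mapping without a search base suffix: lookups will fail")
    # Security: the authentication option is hidden under trusted binding.
    if conn.trusted_binding and conn.use_authentication:
        findings.append("authenticated connection and trusted binding are mutually exclusive")
    if conn.use_authentication and not conn.bind_dn:
        findings.append("authenticated connection without a distinguished name")
    # Clear-text passwords are acceptable only with SSL protecting them in transit.
    if not conn.disable_clear_text and not conn.ssl:
        findings.append("clear-text passwords permitted without SSL: credentials may cross the network unprotected")
    # Signing, encryption and anti-MITM options depend on Kerberos (or SSL for encryption).
    if conn.sign_packets and not conn.kerberos_available:
        findings.append("packet signing selected but the directory offers no Kerberos")
    if conn.encrypt_packets and not (conn.ssl or conn.kerberos_available):
        findings.append("packet encryption selected but neither SSL nor Kerberos is available")
    if conn.block_mitm and not conn.kerberos_available:
        findings.append("man-in-the-middle blocking selected but the directory offers no Kerberos")
    if conn.block_mitm and not conn.sign_packets:
        findings.append("man-in-the-middle blocking should be combined with packet signing")
    return findings


def sample_connections():
    """Two constructed configurations: a weak one and a hardened one.
    'Template A' is a placeholder for whichever LDAP Mapping template is chosen."""
    weak = LDAPConnection(server="ldap.example.com", mapping="Template A",
                          use_authentication=True)
    hardened = LDAPConnection(server="ods.example.com", mapping="Template A",
                              search_base=search_base_from_hostname("ods.example.com"),
                              ssl=True, trusted_binding=True, disable_clear_text=True,
                              sign_packets=True, encrypt_packets=True, block_mitm=True,
                              kerberos_available=True)
    return weak, hardened


if __name__ == "__main__":
    for conn in sample_connections():
        print(conn.server, audit(conn) or ["no findings"])
```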
Active Directory
volume and the local Mac home folder.
The Active Directory connector can also create mobile accounts for users. A mobile account has a local home folder on the startup volume of the Mac client computer. (The user also has a network home folder as specified in the user's Active Directory account.) A mobile account caches the user's Active Directory authentication credentials on the Mac client computer. The cached credentials permit the user to log in using the Active Directory name and password when the client computer is disconnected from the Active Directory server.
If the Active Directory schema is extended to include Mac OS X record types (object classes) and attributes, the Active Directory connector detects and accesses them. For example, the Active Directory schema could be changed using Windows administration tools to include Mac OS X managed client attributes. This schema change enables the Active Directory connector to support managed client settings made using the Server app. Mac clients assume full read access to attributes that are added to the directory. Therefore, it might be necessary to change the ACL of those attributes to permit computer groups to read these added attributes.
The Active Directory connector discovers all domains in an Active Directory forest. You can configure the plug-in to permit users from any domain in the forest to authenticate on a Mac computer. Alternatively, you can permit only specific domains to be authenticated on the client.
The Active Directory connector fully supports Active Directory replication and failover. It discovers multiple domain controllers and determines the closest one. If a domain controller becomes unavailable, the plug-in falls back to another nearby domain controller.
The Active Directory connector uses LDAP to access Active Directory user accounts and Kerberos to authenticate them. The Active Directory connector does not use Microsoft's proprietary Active Directory Services Interface (ADSI) to get directory or authentication services.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select Active Directory and click the Edit button (/).
8. Enter the DNS host name of the Active Directory domain you want to bind to the computer you're configuring. The administrator of the Active Directory domain can tell you the DNS host name to enter.
9. If necessary, edit the Computer ID. The Computer ID is the name the computer is known by in the Active Directory domain, and it's preset to the name of the computer. You might change this to conform to your organization's established scheme for naming computers in the Active Directory domain. If you're not sure, ask the Active Directory domain administrator.
10. (Optional) Set advanced options. If the advanced options are hidden, click Show Advanced Options and set options in the User Experience, Mappings, and Administrative panes. You can also change advanced option settings later.
11. Click Bind, use the following to authenticate as a user who has rights to bind a computer to the Active Directory domain, select the search policies you want Active Directory added to (see below), and click OK:
Username and Password: You might be able to authenticate by entering the name and password of your Active Directory user account, or the Active Directory domain administrator might need to provide a name and password.
Computer OU: Enter the organizational unit (OU) for the computer you're configuring.
Use for authentication: Use to determine whether Active Directory is added to the computer's authentication search policy.
Use for contacts: Use to determine whether Active Directory is added to the computer's contacts search policy.
When you click OK, Directory Utility sets up trusted binding between the computer you're configuring and the Active Directory server. The computer's search policies are set according to the options you selected when you authenticated, and Active Directory is enabled in Directory Utility's Services pane. With the default settings for Active Directory advanced options, the Active Directory forest is added to the computer's authentication search policy and contacts search policy if you selected Use for authentication or Use for contacts. However, if you deselect Allow authentication from any domain in the forest in the Administrative advanced options pane before clicking Bind, the nearest Active Directory domain is added instead of the forest. You can change search policies later by adding or removing the Active Directory forest or individual domains. For more information, see Define search policies.
12. (Optional) Join the server to the Active Directory Kerberos realm:
a. On the server or an administrator computer that can connect to the server, open Server Admin and select Open Directory for the server.
b. Click Settings, then click General.
c. Click Join Kerberos, then choose the Active Directory Kerberos realm from the pop-up menu and enter credentials for a local administrator on this server. For more information, see Join a server to a Kerberos realm.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select Active Directory and click the Edit button (/).
8. If the advanced options are hidden, click Show Advanced Options.
9. Click User Experience, then click Create mobile account at login, and optionally click Require confirmation before creating a mobile account. Note the following:
If both options are selected, each user decides whether to create a mobile account during login. When a user logs in to Mac OS X using an Active Directory user account, or when logging in as a network user, the user sees a dialog with controls for creating a mobile account immediately.
If the first option is selected and the second option is unselected, mobile accounts are created when users log in.
If the first option is not selected, the second option is disabled.
10. Click OK.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select Active Directory and click the Edit button (/).
8. If the advanced options are hidden, click Show Advanced Options.
9. Click User Experience.
10. If you want Active Directory user accounts to have local home folders in the computer's /Users folder, click Force local home folder on startup disk. This option is not available if Create mobile account at login is selected.
11. To use the Active Directory standard attribute for the home folder location, select Use UNC path from Active Directory to derive network home location and then choose from the following protocols for accessing the home folder:
To use the standard Windows protocol SMB, choose smb from the Network protocol to be used pop-up menu.
To use the standard Macintosh protocol AFP, choose afp from the Network protocol to be used pop-up menu.
12. To use the Mac OS X attribute for the home folder location, deselect Use UNC path from Active Directory to derive network home location. To use the Mac OS X attribute, the Active Directory schema must be extended to include it.
13. Click OK.
If you change the name of a user account in the Active Directory domain, the server creates a home folder (and subfolders) for the user account the next time it is used for logging in to a Mac OS X computer. The user can still navigate to the old home folder and see its contents in the Finder. You can prevent creation of a home folder by renaming the old folder before the user next logs in.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select Active Directory and click the Edit button (/).
8. If the advanced options are hidden, click Show Advanced Options.
9. Click Administrative.
10. Select Prefer this domain server and enter the DNS host name of the Active Directory server.
11. Click OK.
Change the Active Directory groups that can administer the computer
On a computer that's configured to use Directory Utility's Active Directory connector, you can identify Active Directory group accounts whose members you want to have administrator privileges for the computer. Users who are members of these Active Directory group accounts can perform administrative tasks such as installing software on the Mac computer you are configuring.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select Active Directory and click the Edit button (/).
8. If the advanced options are hidden, click Show Advanced Options.
9. Click Administrative.
10. Select Allow administration by and change the list of Active Directory group accounts whose members you want to have administrator privileges:
Add a group by clicking the Add button (+) and entering the Active Directory domain name, a backslash, and the group account name (for example, ADS\Domain Admins or IL2\Domain Admins).
Delete a group by selecting it in the list and then clicking the Delete button (-).
11. Click OK.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select Active Directory and click the Edit button (/).
8. Click Unbind, authenticate as a user who has rights to terminate a connection to the Active Directory domain, and click OK. If you see an alert saying the credentials weren't accepted or the computer can't contact Active Directory, click Force Unbind to forcibly break the connection. If you forcibly unbind, Active Directory still contains a computer record for this computer. Notify the Active Directory administrator so the administrator knows to remove the computer record.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select LDAPv3 and click the Edit button (/).
8. Next to Active Directory connection, select or deselect the Enable checkbox and click OK.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Services.
7. In the list of services, select LDAPv3 and click the Edit button (/).
8. Next to LDAPv3, select or deselect the Enable checkbox and click OK.
Search policies
The /BSD/local folder is always included in the search path, and is always grayed out.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Search Policy and choose a search policy:
Authentication: Shows the search policy used for authentication and most other administrative data.
Contacts: Shows the search policy used for contact information in applications such as Address Book.
7. From the Search pop-up menu, choose Custom path.
8. Add directory domains as needed by clicking Add, selecting directories, and clicking Add again.
9. Change the order of the listed directory domains as needed by dragging them up or down the list.
10. Remove listed directory domains that you don't want in the search policy by selecting them and clicking the Delete button (-).
11. Confirm the removal by clicking OK, then click Apply.

Define local directory search policies

Using Directory Utility, you can configure a Mac computer's authentication and contacts search policies to use only the computer's local directory. A search policy that uses only the local directory limits the access a computer has to authentication information and other administrative data. If you restrict a computer's authentication search policy to use only the local directory, only users with local accounts can log in.
After changing the search policy in the Authentication pane or the Contacts pane of Directory Utility, wait 10 or 15 seconds for the change to take effect. Attempts to log in using an account from a directory domain that uses the authentication search policy are unsuccessful until changes to it take effect.
1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Join or Edit. If you see an Edit button, your computer has at least one connection to a directory server.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Search Policy and choose a search policy:
Authentication: Shows the search policy used for authentication and most other administrative data.
Contacts: Shows the search policy used for contact information in applications such as Address Book.
7. From the Search pop-up menu, choose Local directory, then click Apply.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Directory Editor.
7. From the Viewing pop-up menu, choose the record type to modify.
8. From the in-node pop-up menu, choose the directory domain or local directory to modify, and authenticate as an administrator of the domain or local directory. To authenticate, click the Lock button next to the directory that you chose.
9. To add a record, click the Add button (+) (below the list of records) and enter a name for the record in the value pane. Depending on the record you add, you might need to make changes to the attribute values of the record.
10. To delete a record, select the record to delete, then click the Delete button (-) (below the list of records). You cannot revert the deletion of a record. If you are sure this is the record you want to delete, click Delete.
11. Click Save.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Directory Editor.
7. From the Viewing pop-up menu, choose the record type to edit.
8. From the in-node pop-up menu, choose the directory domain or local directory to edit, and authenticate as an administrator of the domain or local directory. To authenticate, click the Lock button next to the directory that you chose.
9. From the records list, select the record to edit. You can also search the record type you've selected by using the search field above the record list.
10. Add an attribute to a record:
a. Click the Add button (+) (below the list of attributes), choose an attribute from the New attribute of type pop-up menu, and click OK.
b. Enter a value for the new attribute. If you choose Native from the New attribute of type pop-up menu, enter the name of a native record in the box that appears below the pop-up menu, then click OK.
11. To delete a record attribute, select the record attribute to delete, then click the Delete button (-) (below the list of records).
12. Click Save.

1. Open System Preferences on your computer and click Users & Groups.
2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
3. Click Login Options, then click Edit.
4. Click Open Directory Utility.
5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
6. Click Directory Editor.
7. From the Viewing pop-up menu, choose the record type to view or edit.
8. From the in-node pop-up menu, choose the directory domain or local directory to view or edit, and authenticate as an administrator of the domain or local directory. To authenticate, click the Lock button next to the directory you chose.
9. From the records list, select the record to view or edit. You can also search the record type you chose by using the search field above the record list.
10. From the attributes list (next to the records list), select the attribute name to view or edit. The value of the attribute you select appears in the value pane (below the attribute list). You can modify the attribute value in the value pane. Depending on the attribute you select, you can change how the value appears in the value pane by clicking Image, Text, or Data. Some attribute values are grayed out and cannot be modified.
11. To save your changes to the record, click Save.
Security
RADIUS
About RADIUS
Wireless networking gives companies greater network flexibility, seamlessly connecting laptop users to the network and giving them the freedom to move within the company while staying connected to the network. You use RADIUS to authorize Open Directory users and groups so they can access AirPort Base Stations on a network. By configuring RADIUS and Open Directory you can control who has access to your wireless network.
RADIUS works with Open Directory and Password Server to grant authorized users access to the network through an AirPort Base Station. When a user attempts to access an AirPort Base Station, AirPort communicates with the RADIUS server using Extensible Authentication Protocol (EAP) to authenticate and authorize the user. Users are given access to the network if their user credentials are valid and they are authorized to use the AirPort Base Station. If a user is not authorized, he or she cannot access the network through the AirPort Base Station.
Set Up RADIUS
Before you can configure the service, turn RADIUS on. See Enable RADIUS.
Add AirPort Base Stations to a RADIUS server: Decide which AirPort Base Stations to add to the RADIUS server. See Add AirPort Base Stations to a RADIUS server.
Remotely configure an AirPort Base Station: Use Server Admin to configure AirPort Base Stations. See Remotely configure AirPort Base Stations.
Configure RADIUS to use certificates: Use Server Admin to configure RADIUS to use certificates to trust Base Stations. See Configure RADIUS to use certificates.
Start RADIUS: To start RADIUS, see Start or stop RADIUS.
Enable RADIUS
Before you can configure RADIUS settings, turn on RADIUS service in Server Admin.
1. Open Server Admin and connect to the server.
2. Click Settings, then click Services.
3. Select the RADIUS checkbox.
4. Click Save.

1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Overview.
5. Click Configure RADIUS Service.
6. In the RADIUS Server Certificate pane, select one of the following:
If you select Choose an existing certificate, choose the certificate from the pop-up menu and click Continue.
If you want to create a self-signed certificate, use Certificate Assistant. For more information, see Server Admin Help.
7. From the Available Base Stations list, select the Base Station you want and click Add.
8. Enter the password of the Base Station in the Base Station Password field, then click Add. To remove a Base Station from the Selected Base Stations list, select it and click Remove.
9. Click Continue.
10. In the RADIUS Allow Users pane, you can restrict user access:
If you select Allow all users, all users have access to the Base Stations you select.
If you select Restrict to members of group, only users of a group can access the Base Stations you select.
11. Click Continue.
12. In the RADIUS setting confirmation pane, verify your settings. You can also print or save your RADIUS configuration settings.
13. Click Confirm.
To view RADIUS settings, use one of the query options of radiusconfig:
$ sudo radiusconfig -appleversion | -getconfig | -getconfigxml | -nascount | -naslist | -naslistxml | -ver
To configure RADIUS parameters:
$ sudo radiusconfig -setconfig key value [key value ...]

Parameter   Description
key         The name of the key to configure in the radiusd.conf or eap.conf files.
value       The value of the key.
For information about RADIUS server settings, see RADIUS command-line settings. For information about radiusconfig, see its man page.

1. On the management computer, open Server Admin.
2. Click the triangle at the left of the server. The list of services appears.
3. In the expanded Servers list, click RADIUS.
4. Click Base Stations.
5. Below the AirPort Base Stations list, click the Add button (+).
6. Enter the following AirPort Base Station information:
Name: Specify the name of the AirPort Base Station.
Type: Specify the model of the AirPort Base Station.
IP Address: Specify the IP address of the AirPort Base Station.
Shared Secret and Verify: Specify a shared secret. The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that key management systems use to trust each other. You must enter the shared secret on the server as well as on the client.
7. Click Add.
1. On the management computer, open Server Admin.
2. Click the triangle at the left of the server. The list of services appears.
3. In the expanded Servers list, click RADIUS.
4. Click Base Stations.
5. Below the AirPort Base Stations list, click Browse. A list of AirPort Base Stations found through Bonjour appears. It shows all AirPort Base Stations on the server's local subnet and all Wide-Area Bonjour domains known to the server. This includes search domains listed in Network Preferences that have AirPort Base Stations, and AirPort Base Stations you added to a MobileMe account as a Back to My Mac (BTMM) enabled server.
6. From the list of AirPort Base Stations, choose an AirPort Base Station to add to your RADIUS server.
7. In the Base station password field, enter the password for the AirPort Base Station.
8. Click Add.
When the base station is added, it is configured to use WPA2 Enterprise for client authentication through TTLS. It also sets a random shared secret for communication between the Base Station and RADIUS on the server. The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that key management systems use to trust each other.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Stations list, highlight the AirPort Base Station and then click Edit. If prompted, enter the AirPort administrator password.
6. Click OK.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings.
5. From the RADIUS Certificate pop-up menu, choose a certificate. If you don't have a certificate and want to create one, click Manage Certificates. For more information about creating certificates, see Server Admin Help.
6. Click Save.
To configure RADIUS certificates:
$ sudo radiusconfig -installcerts private-key certificate [trusted-ca-list [yes | no [common-name]]]
Parameter | Description
private-key | The file path to the client's private key to use in the certificate.
certificate | The file path to the certificate.
trusted-ca-list | The file path to the trusted CA list.
yes | A request to check a certificate revocation list.
no | A request to not check a certificate revocation list.
common-name | The common name.
This command changes eap.conf to contain an active TLS section and configures the certificates. It also replaces the random file and creates the dh file if it is absent. For information about radiusconfig, see its man page.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings.
5. Select the "Archive radiusd log for the past __ days" checkbox and enter the number of days to archive.
6. Click Save.
To configure the rotation of RADIUS service logs:
$ sudo radiusconfig -rotatelog [-n file-count] base-file
To configure the automatic rotation of RADIUS service logs:
$ sudo radiusconfig -autorotatelog [on | off] [-n file-count]
Parameter | Description
-n file-count | Specifies the number of log files to preserve.
base-file | Specifies the name of the log file.
on | Enables automatic log rotation.
off | Disables automatic log rotation.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Below the Servers list, click Start RADIUS or Stop RADIUS. The service can take a few seconds to start or stop.
To start the RADIUS server:
$ sudo radiusconfig -start
To stop the RADIUS server:
$ sudo radiusconfig -stop
Parameter | Description
-appleversion |
-getconfig |
-getconfigxml | Displays configuration data stored in the radiusd.conf and eap.conf files in xml plist format.
-nascount | Displays the number of RADIUS clients.
-naslist | Displays the list of RADIUS clients formatted for the clients.conf file.
-naslistxml | Displays the list of RADIUS clients in xml plist format.
-ver | Displays a specific build version.
| Displays usage information.
| Suppresses prompts.
To enable TLS:
$ sudo radiusconfig -enable-tls
To disable TLS:
$ sudo radiusconfig -disable-tls
Security
RADIUS
Manage RADIUS
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Overview to see whether the service is running, the number of client base stations, and when it was started.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Logs.
5. Choose a log to view (radiusconfig or radiusd).
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Settings, then click Edit Allowed Users.
5. Select For selected services below, then select RADIUS.
6. Click Services.
7. Select Allow only users and groups below.
8. Click the Add button (+).
9. From the Users & Groups window, drag users or groups to the Allow only users and groups below list. If you don't see a recently created user, click the Refresh button (below the Servers list). If you want to remove users from the Allow only users and groups below list, select the users or user groups and click the Delete button (-).
Only users in the list can use RADIUS service.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Station list, highlight a Base Station and click Remove.
6. Verify you want to remove the Base Station by clicking Remove again.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Station list, highlight the Base Station to modify and click the Edit button.
6. Modify the Base Station information and click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select RADIUS.
4. Click Base Stations.
5. In the AirPort Base Station list, highlight the base station.
6. Click Save Internet Connect File.
7. In the Save As field, enter the name.
8. From the Where pop-up menu, choose the location to save the file.
9. In the Wireless Network Name (SSID) field, enter the wireless network name.
10. Click Save.
To add RADIUS clients:
$ sudo radiusconfig -addclient nas-name shortname [type]
To import RADIUS clients:
$ sudo radiusconfig -importclients xml-plist-file
To remove RADIUS clients:
$ sudo radiusconfig -removeclient nas-name [nas-name ...]
To assign an access control group to a client of the RADIUS service:
Parameter | Description
nas-name | The name of the client.
shortname | The shortname of the client.
type | (Optional) The type of the client.
xml-plist-file | The name of the file, including the path, to import clients from.
| The name of the access control group.
Security
1. Verify that an .ssh folder exists in your home folder by entering the command: ls -ld ~/.ssh
If .ssh is listed in the output, move to step 2. If .ssh is not listed in the output, run mkdir -m 700 ~/.ssh and continue to step 2.
2. Change directories in the shell to the hidden .ssh directory by entering the following command: cd ~/.ssh
3. Generate the public and private keys by entering the following command: ssh-keygen -b 1024 -t rsa -f id_rsa -P ''
The -b flag sets the length of the keys to 1,024 bits, -t indicates to use the RSA algorithm, -f sets the file name as id_rsa, and -P followed by two single-quote marks sets the private key password to be null. The null private key password allows for automated SSH connections. Keys are equivalent to passwords, so keep them private and protected.
4. Copy the public key into the authorized key file by entering the following command: cat id_rsa.pub >> authorized_keys2
5. Set the permissions on the private key so the file can only be changed by the owner: chmod go-rwx ~/.ssh/id_rsa
6. Copy the public key and the authorized key lists to the specified user's home folder on the remote computer by entering the following command: scp authorized_keys2 username@remotemachine:~/.ssh/
To establish two-way communication between servers, repeat this process on the second computer.
Administrator permissions
You can determine which services other admin group users can modify. To do this, the administrator making the determination must have full, unmodified access.
Configure network settings in System Preferences.
Run AppleScripts from the command line.
Get and set password policy.
Configure the RADIUS services via radiusd.
Train SpamAssassin's Bayesian filter.
Manipulate keychains and the Security framework.
Configure launchd.
Many additional standard UNIX tools are available like: chmod, mkdir, chown, sudo, tar, pax, rsync, cp, scp, ditto, gzip, tail, syslog,
1. Open Server Admin.
2. Select a server, click the Settings button in the toolbar, and then click the Access tab.
3. Click the Administrators tab.
4. Select whether to define administrative permissions for all services on the server or for select services.
5. If you define permissions by service, select the related checkbox for each service you want to turn on. If you define permissions by service, be sure to assign administrators to all the active services on the server.
6. Click the Add button (+) to add a user or group from the users and group window. To remove administrative permissions, select a user or group and click the Remove (-) button.
7. For each user or group, select the permissions level next to the user or group name. You can choose Monitor or Administer.
The capabilities of Server Admin to administer the server are limited by this setting when the server is added to the Server list.
the Settings pane is dimmed when you can only monitor that service. Because the feature is enforced on the server side, the permissions also affect the serveradmin, dscl, dsimport, and pwpolicy command-line tools, because these tools are limited to the permissions configured for the administrator in use.
You can also control user access to several services using the Server app. For example, only the Server app can control user access to Podcast and Time Machine services. For information, see Control a user's access to services.
1. Select a server in the Servers list.
2. Click Settings, then click Access.
3. Click Services.
4. Choose a service and then choose whether to allow everyone access to it or whether to allow specified users to access the service.
5. If you have chosen to specify users, add the users and groups as needed.
1. In the Server app, click Users.
2. Control-click the user and choose Edit Access to Services.
3. In the dialog that appears, select the checkboxes for services you want the user to access, then click OK.
Security
File permissions
About permissions
Kinds of permissions
Mac OS X Lion supports two kinds of file and folder permissions:
Standard Portable Operating System Interface (POSIX) permissions
Access Control Lists (ACLs)
Standard POSIX permissions let you control access to files and folders based on three categories of users: Owner, Group, and Others. Although these permissions give you some control over who can access a file or a folder, they lack the flexibility and granularity that many organizations require in dealing with complex user environments. This is where ACLs come in handy. An ACL provides an extended set of permissions for a file or folder, and lets you set multiple users and groups as owners. ACLs are also compatible with Windows Server 2003, Windows XP, Windows Vista, and Windows 7, giving you added flexibility in a multiplatform environment.
Standard permissions
There are four types of standard POSIX access permissions that you can assign to a share point, folder, or file: Read & Write, Read Only, Write Only, and None. The following table shows how these permissions affect user access to shared items (files, folders, and share points).
Users can | Read & Write | Read Only | Write Only | None
Open a shared file | Yes | Yes | No | No
Copy a shared file | Yes | Yes | No | No
Edit a shared file | Yes | No | No | No
Move items to a shared folder or share point | Yes | No | Yes | No
Move items from a shared folder or share point | Yes | No | No | No
Note: WebDAV has separate permissions settings.
Explicit permissions
Share points and the shared items they contain (including folders and files) have separate permissions. If you move an item to a different folder, it keeps its permissions and doesn't adopt the permissions of the folder where you moved it. In the following illustration, the second folder (Designs) and the third folder (Documents) were assigned permissions different from those of their parent folders:
The user categories Owner, Group, and Others
You can assign standard POSIX access permissions separately to three categories of users:
Owner: A user who creates an item (file or folder) on the file server is its owner and automatically has Read & Write permissions for that folder. By default, the owner of an item and the server administrator are the only users who can change its access privileges (but you can enable a group or others to use the item). The administrator can also transfer ownership of the shared item to another user. Note: When you copy an item to a drop box on a Mac file server, ownership of the item doesn't change. Only the owner of the drop box or root has access to its contents.
Group: You can put users who need the same access to files and folders in group accounts. Only one group can be assigned access permissions to a shared item. For more information about creating groups, search Help for Users & Groups.
Others: Others is any user (registered user or guest) who can log in to the file server.
Hierarchy of permissions
If a user is included in more than one category of users, each of which has different permissions, these rules apply:
Group permissions override Others permissions.
Owner permissions override Group permissions. For example, when a user is the owner of a shared item and a member of the group assigned to it, the user has the permissions assigned to the owner.
The more restrictive permissions always take precedence. For example, if a user belongs to a group that has No Access assigned to an item while the Others permissions are set to Read & Write access, the No Access privilege overrides the Others setting, denying the user access to the item.
Client users and permissions
Users of AppleShare Client software can set access privileges for files and folders they own. Users who use Windows file sharing services can also set access privileges.
Standard permission propagation
The Server app lets you specify which standard permissions to propagate. For example, you can propagate only the permission for Others to all descendants of a folder and leave the permissions for Owner and Group unchanged. For more information, see Propagate access permissions.
permissions using the Get Info or Terminal commands.
Permission | Type | Description
Write Attributes | Write | User can change the file's or folder's standard attributes.
Write Extended Attributes | Write | User can change the file's or folder's other attributes.
Create Files (Write Data) | Write | User can create files and change files.
Create Folder (Append Data) | Write | User can create subfolders and add data to files.
Delete | Write | User can delete file or folder.
Delete Subfolders and Files | Write | User can delete subfolders and files.
In addition to these permissions, the Apple ACL model defines four types of inheritance that specify how these permissions are propagated:
Apply to this folder: Apply (Administration, Read, and Write) permissions to this folder.
Apply to child folders: Apply permissions to subfolders.
Apply to child files: Apply permissions to the files in this folder.
Apply to all descendants: Apply permissions to descendants. To learn how this option works with the previous two, see Access control entries (ACEs).
The ACL use model
The ACL use model focuses on access control at the folder level, with most ACLs applied to files as the result of inheritance. Folder-level control determines which users have access to the contents of a folder. Inheritance determines how a defined set of permissions and rules pass from the container to the objects in it. Without this model, administration of access control would quickly become a nightmare, because you would need to create and manage ACLs on thousands or millions of files. Controlling access to files through inheritance also frees applications from maintaining extended attributes or explicit ACEs when saving a file, because the system applies inherited ACEs to files. For information about explicit ACEs, see Access control entries (ACEs).
ACLs and standard permissions
You can set ACL permissions for files and folders in addition to standard permissions. For more information about how Mac OS X Lion uses ACL and standard permissions to determine what users can and cannot do to a file or folder, see Access control entries (ACEs).
ACL management
In Mac OS X Lion, you create and manage ACLs in the Server app. The Get Info window in the Finder displays the logged-in user's effective permissions. For information about setting up and managing ACLs, see Set folder access permissions and Control access to a shared folder.
In addition to using the Server app to set and view ACL permissions, you can also use the ls and chmod command-line tools. For information, see their man pages. You define ACLs for share points, files, and folders using the Server app.
User or Group. An ACE stores a universally unique ID for a group or user, which permits unambiguous resolution of identity.
Type. An ACE supports two permission types, Allow and Deny, which determine whether permissions are granted or denied. In the Server app, you can only set the Allow permission type. You can use the ls and chmod command-line tools to set the Deny permission type. For information, see their man pages.
Permission. This field stores the settings for the 13 permissions supported by the Apple ACL model.
Inherited. This field specifies whether the ACE is inherited from the parent folder.
Applies To. This field specifies what the ACE permission is for.
Explicit and inherited ACEs
The Server app supports two types of ACEs:
Explicit ACEs, which are those you create in an ACL. See Set folder access permissions.
Inherited ACEs, which are ACEs you created for a parent folder that were inherited by a descendant file or folder.
Note: Inherited ACEs cannot be edited unless you make them explicit.
Understanding inheritance
ACL inheritance lets you specify how permissions pass from a folder to its descendants.
The Apple ACL inheritance model
The Apple ACL inheritance model defines four options that you select or deselect in the Server app to control the application of ACEs (in other words, how to propagate permissions through a folder hierarchy):
Inheritance option | Description
Apply to this folder | Apply (Administration, Read, and Write) permissions to this folder
Apply to child folders | Apply permissions to subfolders
Apply to child files | Apply permissions to the files in this folder
Apply to all descendants | Apply permissions to all descendants. Note: If you want an ACE to apply to all descendants without exception, you must select the Apply to child folders and Apply to child files options in addition to this option.
Mac OS X Lion propagates ACL permissions at two well-defined times:
At file or folder creation time: when you create a file or folder, the kernel determines what permissions the file or folder inherits from its parent folder.
When initiated by administrator tools: for example, when using the Propagate Permissions option in the Server app.
The following figure shows how the Server app propagates two ACEs (managers and design_team) after ACE creation. Bold text represents an explicit ACE and regular text represents an inherited ACE.
ACL inheritance combinations
When you set inheritance options for an ACE in the Server app, you can choose from 12 unique inheritance combinations for propagating ACL permissions.
Each of the 12 combinations is a selection from the four inheritance options: Apply to this folder, Apply to child folders, Apply to child files, Apply to all descendants.
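As an added example (the editor's Python, not Apple's code), the following models the four inheritance options on a small constructed folder tree, re-creating the figure's managers and design_team ACEs and a later Propagate Permissions run. The mapping of the four checkboxes to propagation behaviour is the editor's reading of the text above, and the item and group names are constructed.

```python
from dataclasses import dataclass, field, replace

@dataclass(frozen=True)
class ACE:
    who: str                       # user or group (a UUID on a real system)
    kind: str                      # "allow" or "deny"
    perms: frozenset               # subset of the 13 Apple ACL permissions
    this_folder: bool = True       # Apply to this folder
    child_folders: bool = False    # Apply to child folders
    child_files: bool = False      # Apply to child files
    all_descendants: bool = False  # Apply to all descendants
    inherited: bool = False        # True on copies produced by inheritance

@dataclass
class Node:
    name: str
    is_folder: bool
    acl: list = field(default_factory=list)
    children: list = field(default_factory=list)

def inherited_aces(parent_acl, child_is_folder):
    """ACEs a new child takes from its parent's ACL (the creation-time rule).

    A child folder inherits an ACE only when "Apply to child folders" is set,
    a child file only when "Apply to child files" is set. The copy applies to
    the child itself and keeps propagating below a child folder only when
    "Apply to all descendants" was also selected (the editor's reading of the
    note under the inheritance-option table).
    """
    out = []
    for ace in parent_acl:
        if child_is_folder and ace.child_folders:
            keep = ace.all_descendants
            out.append(replace(ace, inherited=True, this_folder=True,
                               child_folders=keep,
                               child_files=keep and ace.child_files))
        elif not child_is_folder and ace.child_files:
            out.append(replace(ace, inherited=True, this_folder=True,
                               child_folders=False, child_files=False,
                               all_descendants=False))
    return out

def create(parent, name, is_folder):
    """Create a child item, applying creation-time inheritance."""
    node = Node(name, is_folder, inherited_aces(parent.acl, is_folder))
    parent.children.append(node)
    return node

def propagate(folder):
    """Propagate Permissions: recompute inherited ACEs below `folder`,
    leaving explicit ACEs on descendants untouched."""
    for child in folder.children:
        explicit = [a for a in child.acl if not a.inherited]
        child.acl = explicit + inherited_aces(folder.acl, child.is_folder)
        if child.is_folder:
            propagate(child)

def nodes_with_ace(node, who):
    """Pre-order names of items carrying an ACE for `who` that applies to them."""
    hits = [node.name] if any(a.who == who and a.this_folder
                              for a in node.acl) else []
    for child in node.children:
        hits += nodes_with_ace(child, who)
    return hits

def build_tree():
    """Constructed sample hierarchy with the two ACEs named in the text."""
    root = Node("Projects", True)
    # managers: all four options selected, so every descendant inherits it.
    root.acl.append(ACE("managers", "allow", frozenset({"read", "write"}),
                        child_folders=True, child_files=True,
                        all_descendants=True))
    # design_team: child folders and files only, so it stops one level down.
    root.acl.append(ACE("design_team", "allow", frozenset({"read"}),
                        child_folders=True, child_files=True))
    designs = create(root, "Designs", True)
    create(root, "README.txt", False)
    create(designs, "logo.png", False)
    drafts = create(designs, "Drafts", True)
    create(drafts, "v1.png", False)
    return root

def propagate_later():
    """ACEs added to the root after the tree exists, then pushed down."""
    root = build_tree()
    # Inherit-only entry (this folder deselected) with full inheritance.
    root.acl.append(ACE("auditors", "allow", frozenset({"read"}),
                        this_folder=False, child_folders=True,
                        child_files=True, all_descendants=True))
    # The table's note: all descendants alone reaches nothing below root.
    root.acl.append(ACE("interns", "allow", frozenset({"read"}),
                        all_descendants=True))
    propagate(root)
    return {"auditors": nodes_with_ace(root, "auditors"),
            "interns": nodes_with_ace(root, "interns")}
```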
ACL permission propagation
The Server app lets you force the propagation of ACLs. Although this is done automatically by the Server app, there are cases when you might want to manually propagate permissions:
You can propagate permissions to handle exceptions. For example, you might want ACLs to apply to all descendants except for a subtree of your folder hierarchy. In this case, you define ACEs for the root folder and set them to propagate to descendants. Then, you select the root folder of the subtree and propagate permissions to remove the ACLs from descendants of that subtree. In the following example, the items in white had their ACLs removed by manually propagating ACLs.
You can propagate permissions to reapply inheritance in cases where you removed a folder's ACLs and decided to reapply them.
You can propagate permissions to clear all ACLs at once instead of going through a folder hierarchy and manually removing ACEs.
When you propagate permissions, the permissions of bundles and root-owned files and folders aren't changed. For more information about how to manually propagate permissions, see Propagate access permissions.
Rules of precedence
Mac OS X Lion uses the following rules to control access to files and folders:
Without ACEs, POSIX permissions apply. If a file or folder has no ACEs defined for it, Mac OS X Lion applies standard POSIX permissions.
With ACEs, order is important. If a file or folder has ACEs defined for it, Mac OS X Lion starts with the first ACE in the ACL and works its way down the list until the requested permission is satisfied or denied. You can change the ACE order from the command line using the chmod command.
Allow permissions are cumulative. When evaluating Allow permissions for a user in an ACL, Mac OS X Lion defines the user's permissions as the union of all permissions assigned to the user, including standard POSIX permissions.
After evaluating ACEs, Mac OS X Lion evaluates the standard POSIX permissions defined for the file or folder. Then, based on the evaluation of ACL and standard POSIX permissions, Mac OS X Lion determines the type of access a user has to a shared file or folder.
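An added Python model of these rules of precedence (the editor's example, not Apple's implementation): ACEs are walked in list order, a Deny ends evaluation, Allows accumulate, and whatever the ACL leaves unsettled falls through to the POSIX category hierarchy (Owner over Group over Others). The users, groups, items and levels are constructed.

```python
# Standard permission levels, as sets of rights they grant.
POSIX_LEVELS = {
    "Read & Write": frozenset({"read", "write"}),
    "Read Only": frozenset({"read"}),
    "Write Only": frozenset({"write"}),
    "None": frozenset(),
}

class ACE:
    def __init__(self, who, kind, perms):
        self.who, self.kind, self.perms = who, kind, frozenset(perms)

class Item:
    """A shared file or folder: POSIX owner and group, the three POSIX levels
    (owner, group, others) and an ordered ACL."""
    def __init__(self, owner, group, levels, acl=()):
        self.owner, self.group, self.levels, self.acl = owner, group, levels, list(acl)

def posix_perms(item, user, groups):
    """Standard permissions: Owner overrides Group, which overrides Others."""
    if user == item.owner:
        return POSIX_LEVELS[item.levels[0]]
    if item.group in groups:
        return POSIX_LEVELS[item.levels[1]]
    return POSIX_LEVELS[item.levels[2]]

def check_access(item, user, groups, requested):
    """Return (allowed, reason) for a set of requested rights.

    The first Deny touching a still-unsatisfied right ends evaluation; Allows
    are cumulative; rights the ACL did not settle are checked against the
    POSIX level for the user's category. Rights such as "delete" exist only
    in the ACL model here, so an ACE is the only way to obtain them.
    """
    remaining = set(requested)
    for index, ace in enumerate(item.acl):
        if ace.who != user and ace.who not in groups:
            continue
        if ace.kind == "deny" and ace.perms & remaining:
            return False, "denied by ACE %d (%s)" % (index, ace.who)
        if ace.kind == "allow":
            remaining -= ace.perms
            if not remaining:
                return True, "granted by ACL"
    posix = posix_perms(item, user, groups)
    if remaining <= posix:
        if remaining == set(requested):
            return True, "granted by POSIX"
        return True, "granted by ACL and POSIX"
    return False, "missing " + ", ".join(sorted(remaining - posix))

def scenarios():
    """Constructed cases for the rules above; 'anne' is in group 'teachers'."""
    groups = {"teachers"}
    no_aces = Item("anne", "teachers", ("Read & Write", "Read Only", "None"))
    deny_first = Item("bob", "teachers", ("Read & Write", "Read & Write", "None"),
                      acl=[ACE("anne", "deny", {"write"}),
                           ACE("teachers", "allow", {"read", "write"})])
    allow_first = Item("bob", "teachers", ("Read & Write", "Read Only", "None"),
                       acl=[ACE("teachers", "allow", {"read", "write"}),
                            ACE("anne", "deny", {"write"})])
    acl_plus_posix = Item("bob", "teachers", ("Read & Write", "Read Only", "None"),
                          acl=[ACE("teachers", "allow", {"delete"})])
    group_none = Item("bob", "teachers", ("Read & Write", "None", "Read & Write"))
    return {
        # No ACEs: the owner's POSIX level decides.
        "no_aces_owner": check_access(no_aces, "anne", groups, {"read", "write"}),
        # A Deny ahead of a matching Allow wins; the Allow is never reached.
        "deny_first": check_access(deny_first, "anne", groups, {"write"}),
        # The same two ACEs reordered: the Allow satisfies the request first.
        "allow_first": check_access(allow_first, "anne", groups, {"write"}),
        # Cumulative: delete comes from the ACL, read from the POSIX group level.
        "acl_plus_posix": check_access(acl_plus_posix, "anne", groups, {"read", "delete"}),
        # Group None overrides Others Read & Write for a group member.
        "group_none": check_access(group_none, "anne", groups, {"read"}),
    }
```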
Permissions in practice
Mac OS X Lion combines traditional POSIX permissions with ACLs. This combination provides great flexibility and fine granularity in controlling access to files and folders. However, if you're not careful in how you assign privileges, it may be hard for you to keep track of how permissions are assigned. With 17 permissions, you can choose from a staggering 98,304 combinations. Add to that a sophisticated folder hierarchy, many users and groups, and many exceptions, and you have a recipe for considerable confusion. The following are useful tips and advice to help you get the most out of access control in Mac OS X Lion.
Manage permissions at the group level
Assign permissions to groups first, and assign permissions to individual users only when there is an exception. For example, you can assign all teachers in a school district Read and Write permissions to a specific share point, but deny Anne Johnson, a temporary teacher, permission to read a specific folder in the share point's folder hierarchy. Using groups is the most efficient way of assigning permissions. After creating groups and assigning them permissions, you can add or remove users without reassigning permissions.
Gradually add permissions
Assign only necessary permissions and then add permissions only when needed. As long as you use Allow permissions, Mac OS X Lion combines the permissions. For example, you can assign the Students group partial reading permissions on an entire share point. Then, where needed in the folder hierarchy, you can give the group more read and write permissions.
Use the deny rule only when necessary
When Mac OS X Lion encounters a Deny permission, it stops evaluating other permissions the user might have for a file or folder and applies the Deny permission. Therefore, use Deny permissions only when absolutely necessary. Keep a record of these Deny permissions so you can delete them when they aren't needed.
Always propagate permissions
Inheritance is a powerful feature, so take advantage of it. By propagating permissions down a folder hierarchy, you save yourself the time and effort required to manually assign permissions to descendants.
Protect applications from being modified
If you share applications, make sure you set their permissions so that no one except a trusted few can change them. A writable shared application is a vulnerability that attackers can exploit to introduce viruses or Trojan horses into your environment.
Keep it simple
You can complicate file access management unnecessarily if you're not careful. Keep it simple. If standard POSIX permissions do the job, use those, but if you must use ACLs, avoid customizing permissions if you don't need to. Use simple folder hierarchies if feasible. A little strategic planning can help you create effective and manageable shared hierarchies.
Security considerations
The most effective method of securing your network is to assign correct privileges for each file, folder, and share point you create.
Restricting access to file services
You can use the Server app to restrict which users or groups have access to files, folders, and share points.
Restricting access to everyone
Be careful when creating and granting access to share points, especially if you're connected to the Internet. Granting access to Everyone could expose your data to anyone on the Internet.
Restricting guest access
When you configure any file service, you can turn on guest access. Guests are users who connect to the server anonymously without entering a user name or password. Users who connect anonymously are restricted to files and folders that have privileges set to Everyone. To protect your information from unauthorized access, and to prevent people from introducing software that might damage your information or equipment, take the following precautions by using File Sharing in the Server app. Depending on the controls you want to place on guest access to a share point, consider the following options:
Set privileges for Everyone to None for files and folders that guests shouldn't access. Items with this privilege setting can be accessed only by the item's owner or group.
Put all files available to guests in one folder or set of folders and then assign the Read Only privilege to the Everyone category for that folder and each file in it.
Assign Read & Write privileges to the Everyone category for a folder only if guests must be able to change or add items in the folder. Make sure you keep a backup copy of information in this folder.
Disable access to guests or anonymous users over AFP and SMB.
Share individual folders instead of entire volumes. The folders should contain only those items you want to share.
Manage permissions
folders: s tandard permissions and ACL permiss ions. Standard permiss ions provide basic control. ACL permissions provide more flexibility and control, but are more complex. Set standard permissions You can us e the Server app to set standard permiss ionsRead & Write, Read Only, Write Only, or Noneto control access to a folder and its contents. You can set different permissions for one user (the owner), one group, and all other us ers who log in. You can als o set standard permiss ions on individual files. Standard permissions are als o called POSIX permissions. 1. In the Server app s idebar, s elect the server and then click Storage. 2. Select the folder whos e access permiss ions you want to change, and then choos e Edit Permissions from the Action pop-up menu. 3. To grant acces s to a different user, double-click the current us er name and enter a different user account name. As you type, the Server app looks up matching user accounts and dis plays them in lis t. Clicking a lis ted user grants access permissions to that user. 4. To grant acces s to a different group, double-click the current group name and type the name of the new group. As you type, the Server app looks up matching group accounts and displays them in a list. Clicking a listed group grants acces s permis sions to it. 5. To change the permis sion level for the user, group, or others, click the current setting in the Permission column and choose a setting from the pop-up menu. The permis sion level you set for Others applies to any user who logs in but isnt the s pecified us er or a member of the specified group. Set ACL permissions You can us e the Server app to set ACL permissions for a folder or a file. An ACL cons is ts of Acces s Control Entries (ACEs), which you can add and change. Each entry applies to a specific us er or group. For each entry, you can set 13 permissions, giving you much finer control over access than you have with standard permis sions. 
For example, entries in an ACL can grant delete permission s eparately from write permission, so a us er can edit a file but cant delete it. The firs t entry in the list takes precedence over the second, which takes precedence over the third, and so on. For example, if the first entry denies a user the right to edit a file, other entries that allow the same us er editing permissions are ignored. The entries in the ACL also take precedence over standard permiss ions. 1. In the Server app s idebar, s elect the server and then click Storage. 2. Select the folder or file whose access permissions you want to change, then choose Edit Permiss ions from the Action pop-up menu. 3. To add an entry, click the Add button (+) and enter the name of the user or group you want to set specific access permissions for. As you type, the Server app looks up matching user and group accounts and dis plays them in a lis t. Clicking a user or group grants acces s permis sions to the user or group. 4. To change the permis sion level for an entry, click the current s etting in the Permission column and choos e a setting from the pop-up menu.
Choice: Description
Full Control: Has full administration, read, write, and inheritance permissions.
Read & Write: Has full read, write, and inheritance permissions.
Read: Has full read and inheritance permissions.
Write: Has full write and inheritance permissions.
Custom: Doesn't have full administration, read, write, or inheritance permissions.
By default, each new entry has full read and inheritance permissions.
5. To change detailed permission settings for an entry, click the disclosure triangle next to the entry, optionally click the additional disclosure triangles that appear, and select or deselect permission settings. For information about the detailed permission settings, see Access control lists (ACLs) and Access control entries (ACEs).
Security
File permissions
Manage permissions
Propagate permissions
1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder whose access permissions you want to propagate, and then choose Propagate Permissions from the Action pop-up menu.
3. Select the permissions you want to propagate, and then click OK.
Important: Propagation begins as soon as you click OK, and you can't undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.
Remove a permission entry
1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.
3. To remove an entry from the permission list, select the entry and click the Delete button (-).
Sort an ACL canonically
1. In the Server app sidebar, select the server, and then click Storage.
2. Select the folder or file whose ACL you want to sort, and then choose Edit Permissions from the Action pop-up menu.
3. Choose Sort Access Control List Canonically from the Action pop-up menu in the Edit Permissions dialog.
Remove inherited ACL entries
1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.
3. Choose Remove Inherited Entries from the Action pop-up menu in the Edit Permissions dialog.
RELATED TOPICS
Apply ACL inheritance to folders and files
Make inherited ACL entries explicit
Set folder access permissions
Make inherited ACL entries explicit
1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.
3. Choose Make Inherited Entries Explicit from the Action pop-up menu in the Edit Permissions dialog. You can now edit the ACL entries.
Restore ACL inheritance
1. In the Server sidebar, select the server and then click Storage.
2. Select the parent folder of the item whose ACL inheritance you want to restore, and then choose Propagate Permissions from the Action pop-up menu.
3. Select the Access Control List option, deselect all other options, and then click OK.
Important: Propagation begins as soon as you click OK, and you can't undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.
Example (home folder): standard permissions of Owner: read, write, execute; Group: read, write, execute; Other: no permissions, plus one ACL entry with Permission Type: Deny, Delete, applied to this folder and to all descendants.
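The precedence rules and the home folder example above, as an added illustration that is not Apple's code: a small Python model of how an ACL is evaluated ahead of standard permissions, how an ACE marked for all descendants is inherited, and the order that Sort Access Control List Canonically produces (explicit denies, explicit allows, inherited denies, inherited allows). The user, group and file names are constructed, and the model covers the read, write, execute and delete permissions.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

R, W, X = 4, 2, 1  # standard (POSIX) permission bits


@dataclass
class ACE:
    principal: str                 # user or group the entry applies to
    kind: str                      # "allow" or "deny"
    perms: FrozenSet[str]          # detailed permissions named by the entry
    inherited: bool = False        # True once copied down from a parent folder
    to_descendants: bool = True    # the "Apply to all descendants" setting


@dataclass
class Item:
    name: str
    owner: str
    group: str
    mode: int                      # e.g. 0o770: owner rwx, group rwx, others none
    acl: List[ACE] = field(default_factory=list)
    parent: Optional["Item"] = None


def posix_bit_set(item: Item, user: str, groups: List[str], bit: int) -> bool:
    """Standard permissions: the owner, group or others triplet decides."""
    if user == item.owner:
        shift = 6
    elif item.group in groups:
        shift = 3
    else:
        shift = 0
    return bool((item.mode >> shift) & bit)


def posix_allows(item: Item, user: str, groups: List[str], perm: str) -> bool:
    """Fallback when no ACE decides. Deleting needs write permission on the
    folder that contains the item (the POSIX rule), which is why the help
    text treats delete as separate from write."""
    if perm == "delete":
        holder = item.parent if item.parent is not None else item
        return posix_bit_set(holder, user, groups, W)
    return posix_bit_set(item, user, groups, {"read": R, "write": W, "execute": X}[perm])


def is_allowed(item: Item, user: str, groups: List[str], perm: str) -> bool:
    """ACEs are checked top to bottom; the first one that names this principal
    and this permission wins and every later entry is ignored. Only when no
    ACE decides do the standard permissions apply."""
    for ace in item.acl:
        if ace.principal in (user, *groups) and perm in ace.perms:
            return ace.kind == "allow"
    return posix_allows(item, user, groups, perm)


def canonical_sort(acl: List[ACE]) -> List[ACE]:
    """Order applied by Sort Access Control List Canonically:
    explicit denies, explicit allows, inherited denies, inherited allows."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))


def make_child(parent: Item, name: str, mode: int) -> Item:
    """A new item under a folder receives the folder's descendant ACEs as
    inherited entries; Remove Inherited Entries would strip exactly these."""
    child = Item(name, parent.owner, parent.group, mode, parent=parent)
    child.acl = [ACE(a.principal, a.kind, a.perms, inherited=True,
                     to_descendants=a.to_descendants)
                 for a in parent.acl if a.to_descendants]
    return child


def home_folder_demo() -> dict:
    """Constructed sample mirroring the home folder figure: owner and group
    have read, write, execute; others have nothing; one ACE denies Delete to
    the owner on the folder and all descendants."""
    home = Item("home", "anne", "staff", 0o770)
    home.acl.append(ACE("anne", "deny", frozenset({"delete"})))
    note = make_child(home, "notes.txt", 0o660)
    # A later allow for the same user does not help: the inherited deny
    # sits first in the list and takes precedence.
    note.acl.append(ACE("anne", "allow", frozenset({"delete", "write"})))
    return {
        "anne_can_write": is_allowed(note, "anne", ["staff"], "write"),
        "anne_can_delete": is_allowed(note, "anne", ["staff"], "delete"),
        "guest_can_read": is_allowed(note, "guest", ["everyone"], "read"),
        "inherited_entries": sum(a.inherited for a in note.acl),
    }


if __name__ == "__main__":
    print(home_folder_demo())
```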
Security
SSL Certificates
Replace certificates
If you've assigned a certificate to a particular service, or to all services as a group, you can replace those certificates. You might replace the default self-signed certificate with one that's been signed by a third party, or you might need to replace an expired certificate. See Obtaining a Signed Certificate. If you receive a signed certificate from a third party, it should have an extension of .cer, .crt, or .p12.
Create a self-signed certificate
1. Select the server under Hardware in the Server app sidebar.
2. Click Settings and then click the Edit button at the right of SSL Certificate.
3. From the Action pop-up menu, choose Manage Certificates.
4. Click the Add button (+) and choose Create Self-Signed Certificate from the pop-up menu.
5. In the Name field of the Certificate Assistant, enter your server's fully qualified host name (for example, server.example.com) and click Continue. Leave the other settings unchanged: Identity Type should be Self Signed Root, Certificate Type should be SSL Server, and Let me override defaults should be deselected.
You can choose the new self-signed certificate for the server. For information, see Using an SSL certificate. You can also use the new self-signed certificate to request a signed certificate from a certificate authority. For instructions, see Obtain a signed certificate.
Import a certificate identity
1. In the Finder, locate the files containing the certificate and matching private key, and put the files where you can see them while using Server Preferences (for example, on the desktop).
2. In the Server app, select your server's name under Hardware in the Server app sidebar.
3. In the Settings pane, click the Edit button at the right of SSL Certificate.
4. From the Action pop-up menu, choose Manage Certificates.
5. Click + and then choose Import a Certificate Identity from the menu.
6. Drag the files containing the certificate and private key to the middle of the dialog.
7. Click the Import button and, if prompted, enter the private key passphrase.
Obtain a signed certificate
1. Select the server under Hardware in the Server app sidebar.
2. Click Settings and then click the Edit button at the right of SSL Certificate.
3. From the Action pop-up menu, choose Manage Certificates.
4. In the Manage Certificates sheet, select the self-signed certificate you want to use to generate the CSR.
5. From the Action pop-up menu, choose Generate Certificate Signing Request (CSR).
6. Save the CSR file. Some certificate authorities ask you to enter the CSR text in a field on a webpage instead of uploading a file. In that case, you can copy and paste the text to the CA's website.
7. Upload the CSR file to a CA following the instructions on their website. On the CA's website, look for SSL Certificates. You can use the CA of your choice. Here are a few CAs:
Thawte, Inc. (www.thawte.com)
VeriSign, Inc. (www.verisign.com)
Comodo Group, Inc. (www.comodo.com)
After receiving your signed certificate from the CA, you can use it to replace your self-signed certificate. For information, see Use an SSL certificate.
Use an SSL certificate
1. Select the server under Hardware in the Server app sidebar.
2. Click Settings and then click the Edit button at the right of SSL Certificate.
3. From the Action pop-up menu, choose an available certificate. If the pop-up menu doesn't contain certificates, create a self-signed certificate. For instructions, see Create a self-signed certificate. To use a previously generated SSL certificate, import it.
computers within a workgroup, a small business, or a large corporation. Address Book Server is the Lion Server-hosted contact management solution for your organization's needs. It provides the following:
Access to client address books anywhere there's a Web connection
Integration with Address Book, Mail, iCal, and iChat in Mac OS X version 10.6 and later
Compatibility with any applications that use the standard Address Book framework
vCard caching for offline access
Address Book Server provides secure, centralized storage for contact information. The server uses the CardDAV protocol, based on the widely used WebDAV protocol. It stores contacts as standard vCards for easy sharing. For more information about which clients can access Address Book Server, see Address Book Server client applications. Address Book Server also lets you access contact information in your organization's directory by including directory users in your Address Book search results. Before starting Address Book service, you may need to update your network's DNS records.

Start Address Book service
1. In the Server app sidebar, select the service you want to start.
2. Click the On/Off switch to turn on the service.
3. If a dialog asks whether you want to allow Internet access to the service you turned on, click Allow to configure your AirPort device and make the service accessible to Internet users. Click Don't Allow if you don't want the service to be accessible to computers on the Internet, or if you're not sure. You can change Internet access to services later by selecting your AirPort device in the Server sidebar. For more information, see Manage AirPort port mapping and Wi-Fi login. The dialog appears only if your AirPort device is listed in the Server sidebar and you turned on a service that the Server app can manage on your AirPort device. These services include Address Book, iCal, iChat, Mail, and Web.
If you have an Internet router that isn't listed in the Server sidebar, you can configure it to allow Internet access to services. This process is called port forwarding or port mapping. For information, see Router port mapping.

Add users, if needed
1. In the Users pane of the Server app, click the Add button (+).
2. In the Full Name field, enter the user's name. The name can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.
3. In the Account Name field, enter the user's short name. If you don't want to use the generated short name, enter a different short name. After the account is created, you can't change this short name. The short name typically is eight or fewer characters, but can be up to 255 Roman characters. Use only the characters a through z, A through Z, 0 through 9, . (period), _ (underscore), or - (hyphen). Note: If a user has a short name on a Mac, try to use the same short name for the user's account on the server. Having the same short name helps with the user's access to services.
4. Enter the user's password in the Password and Verify fields. You can use Password Assistant to help you choose a password. Click the button at the right of the Password field to see how secure the password is. The user can change this password in the Users & Groups pane of System Preferences on the user's computer.
5. To associate a picture with the user account, click the silhouette and select a standard picture, or click Edit Picture for a customized picture. When you click Edit Picture, you can take a picture with your computer's camera or choose a graphic file on your computer. After taking or choosing a picture, you can drag the picture to pan it, or use the slider to zoom it. When you finish customizing the picture, click Set.
6. Click Done to create the user account.

Allow directory searches
Directory contact searching lets Address Book Server clients search the directory services Address Book Server is bound to. This can include Lion Server-based computers that are configured to use Open Directory. It can also include existing LDAP or Active Directory implementations. When directory searches are enabled, Address Book Server users can search their own contacts, the directory of users, and other shared directory contacts with a single search.
1. In the Server app, select the Address Book pane.
2. Select Include directory contacts in search.
Configuration tools
Address Book Server uses two front-end tools for configuration:
serveradmin
Server app
In each case, the front-end tool reads from a configuration plist file (/etc/caldavd/carddavd.plist) to set service parameters. The plist file is an XML property list that specifies server options such as:
The network TCP port to bind to
Whether to use SSL
The names and locations of support files
To change this setting, see Change the Address Book server host name.
SSL: This determines whether or not to use SSL encryption of network traffic. To change this setting, see Enable secure network traffic for Address Book server.
HTTP Port Number: This is the port that Address Book Server uses for connections. The default port is 8800. To change this setting, see Change the Address Book server port number.
Log Level: This is the degree of granularity with which Address Book Server logs are recorded. The default log level is Info. To change this setting, see Change the Address Book server logging level.
Directory searching lets Address Book service clients search the directory services that Address Book service is bound to. This can include Mac OS X Server v10.5 implementations that are configured with the Directory application. It can also include any existing LDAP or Active Directory implementations.
1. Use serveradmin via the Terminal app to change the EnableSearchAddressBook flag from false to true.
sudo serveradmin settings addressbook:EnableSearchAddressBook = "true"
The default value for EnableSearchAddressBook is false.
2. Enable either (or both) searching of user accounts available to Address Book Server or public shared contacts (as designated in Mac OS X Server v10.5).
a. To share the user accounts, enter:
sudo serveradmin settings addressbook:DirectoryAddressBook:params:queryUserRecords = "true"
b. To share the contacts, enter:
sudo serveradmin settings addressbook:DirectoryAddressBook:params:queryPeopleRecords = "true"
3. Restart Address Book service.
sudo serveradmin stop addressbook
sudo serveradmin start addressbook
1. Use serveradmin via the Terminal app to change the setting.
sudo serveradmin settings addressbook:ServerHostName = "<hostname>"
The default value for <hostname> is blank, meaning it is the host name of the current server.
Command example:
sudo serveradmin settings addressbook:ServerHostName = "chatter.example.com"
2. Restart Address Book service.
sudo serveradmin stop addressbook
sudo serveradmin start addressbook
1. Use serveradmin via the Terminal app to change the setting.
sudo serveradmin settings addressbook:HTTPPort = "<PortNumber>"
The default value for <PortNumber> is 8800.
Command example:
sudo serveradmin settings addressbook:HTTPPort = "8841"
2. Restart Address Book service.
sudo serveradmin stop addressbook
sudo serveradmin start addressbook
1. Use serveradmin via the Terminal app to set the quota limits.
sudo serveradmin set addressbook:MaxCollectionsPerHome = "<Number>"
sudo serveradmin set addressbook:MaxResourcesPerCollection = "<Number>"
sudo serveradmin set addressbook:MaxResourceSize = "<FileSize>"
Key: Default value
MaxCollectionsPerHome: 50
MaxResourcesPerCollection (the maximum number of contacts that a user can create in each address book): 10000
MaxResourceSize: 1048576
Command example:
sudo serveradmin set addressbook:MaxCollectionsPerHome = "100"
sudo serveradmin set addressbook:MaxResourcesPerCollection = "12000"
sudo serveradmin set addressbook:MaxResourceSize = "209715200"
2. Restart Address Book service.
sudo serveradmin stop addressbook
sudo serveradmin start addressbook
Use serveradmin via the Terminal app to enable MD5 Digest authentication.
sudo serveradmin set addressbook:Authentication:Digest:Enabled = "<setting>"
The default value for <setting> is yes.
Command example:
sudo serveradmin set addressbook:Authentication:Digest:Enabled = "yes"
Use serveradmin via the Terminal app to enable Kerberos authentication.
sudo serveradmin set addressbook:Authentication:Kerberos:Enabled = "<setting>"
The default value for <setting> is yes.
Command example:
sudo serveradmin set addressbook:Authentication:Kerberos:Enabled = "yes"
If you choose Kerberos authentication, make sure you set the Kerberos principal via the Terminal app.
sudo serveradmin set addressbook:Authentication:Kerberos:ServicePrincipal = "<hostname>"
The default value for <hostname> is blank, meaning it is set for the localhost.
Command example:
sudo serveradmin set addressbook:Authentication:Kerberos:ServicePrincipal = "SAMPLE.REALM.EXAMPL
Use serveradmin via the Terminal app to enable plain text authentication.
sudo serveradmin set addressbook:Authentication:Basic:Enabled = "<setting>"
The default value for <setting> is no.
Command example:
sudo serveradmin set addressbook:Authentication:Basic:Enabled = "yes"
Restart Address Book service.
sudo serveradmin stop addressbook
sudo serveradmin start addressbook
Use serveradmin via the Terminal app to change the SSL port number.
sudo serveradmin set addressbook:SSLPort = "<PortNumber>"
The default value for <PortNumber> is 8443.
Command example:
sudo serveradmin set addressbook:SSLPort = "8882"
Use serveradmin via the Terminal app to set the PEM SSL certificate source location.
sudo serveradmin set addressbook:SSLCertificate = "<CertLocation>"
The default value for <CertLocation> is /etc/certificates/.
Command example:
sudo serveradmin set addressbook:SSLCertificate = "/etc/certificates/"
Use serveradmin via the Terminal app to set the PEM private key source location.
sudo serveradmin set addressbook:SSLPrivateKey = "<PrivateKeyLoc>"
The default value for <PrivateKeyLoc> is /etc/certificates/.
Command example:
sudo serveradmin set addressbook:SSLPrivateKey = "/etc/certificates/"
Use serveradmin via the Terminal app to set the PEM authority chain file source location.
sudo serveradmin set addressbook:SSLAuthorityChain = "<ChainFile>"
The default value for <ChainFile> is /etc/certificates/.
Command example:
sudo serveradmin set addressbook:SSLAuthorityChain = "/etc/certificates/"
Use serveradmin via the Terminal app to redirect insecure requests to the SSL port, if needed.
sudo serveradmin set addressbook:RedirectHTTPToHTTPS = "<setting>"
The default value for <setting> is no.
Command example:
sudo serveradmin set addressbook:RedirectHTTPToHTTPS = "yes"
Restart Address Book service.
sudo serveradmin stop addressbook
sudo serveradmin start addressbook
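An added check, not an Apple tool, for the authentication and SSL settings described above: it parses the key = value lines that serveradmin prints for the addressbook service and flags plain text (Basic) authentication left on without RedirectHTTPToHTTPS, a Kerberos ServicePrincipal left blank, certificate settings still pointing at the default /etc/certificates/ directory rather than a PEM file, and debug-level logging. Both samples of serveradmin output are constructed, as are the realm and certificate file names in the hardened one.

```python
import re

# One setting per line, in the key = value shape serveradmin prints.
SETTING_LINE = re.compile(r'^\s*(?P<key>[\w:]+)\s*=\s*(?P<val>.*?)\s*$')

# Constructed sample of `sudo serveradmin settings addressbook` output
# from a server still running the defaults the help text lists.
WEAK_SAMPLE = """\
addressbook:HTTPPort = 8800
addressbook:SSLPort = 8443
addressbook:RedirectHTTPToHTTPS = no
addressbook:Authentication:Basic:Enabled = yes
addressbook:Authentication:Digest:Enabled = yes
addressbook:Authentication:Kerberos:Enabled = yes
addressbook:Authentication:Kerberos:ServicePrincipal = ""
addressbook:SSLCertificate = "/etc/certificates/"
addressbook:SSLPrivateKey = "/etc/certificates/"
addressbook:DefaultLogLevel = "warn"
"""

# Constructed sample after the settings have been tightened; the realm and
# the certificate file names are placeholders, not values from the page.
HARDENED_SAMPLE = """\
addressbook:HTTPPort = 8800
addressbook:SSLPort = 8443
addressbook:RedirectHTTPToHTTPS = yes
addressbook:Authentication:Basic:Enabled = no
addressbook:Authentication:Digest:Enabled = yes
addressbook:Authentication:Kerberos:Enabled = yes
addressbook:Authentication:Kerberos:ServicePrincipal = "SAMPLE.REALM.EXAMPLE.COM"
addressbook:SSLCertificate = "/etc/certificates/contacts.example.com.cert.pem"
addressbook:SSLPrivateKey = "/etc/certificates/contacts.example.com.key.pem"
addressbook:SSLAuthorityChain = "/etc/certificates/contacts.example.com.chain.pem"
addressbook:DefaultLogLevel = "warn"
"""


def parse_settings(text: str) -> dict:
    """Map each key to its value; quoted strings are unquoted, and the
    yes/no and true/false spellings both become booleans."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_LINE.match(line)
        if not m:
            continue
        val = m.group("val")
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        low = val.lower()
        if low in ("yes", "true"):
            val = True
        elif low in ("no", "false"):
            val = False
        settings[m.group("key")] = val
    return settings


def audit(settings: dict) -> list:
    """Return findings, in a fixed order, for the risks the help text names."""
    findings = []
    auth = "addressbook:Authentication:"
    basic = settings.get(auth + "Basic:Enabled") is True
    redirect = settings.get("addressbook:RedirectHTTPToHTTPS") is True
    if basic and not redirect:
        # Basic sends the password itself; without the redirect it can
        # travel over the unencrypted HTTPPort.
        findings.append("plaintext-auth-without-redirect")
    if settings.get(auth + "Kerberos:Enabled") is True and \
            not settings.get(auth + "Kerberos:ServicePrincipal"):
        findings.append("kerberos-principal-unset")
    for key in ("addressbook:SSLCertificate", "addressbook:SSLPrivateKey",
                "addressbook:SSLAuthorityChain"):
        # The default /etc/certificates/ is a directory, not a PEM file.
        if str(settings.get(key, "")).endswith("/"):
            findings.append(key.split(":")[-1] + "-is-default-directory")
    if settings.get("addressbook:DefaultLogLevel") == "debug":
        findings.append("debug-logging")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, audit(parse_settings(sample)) or "no findings")
```

On a live server the input would be the output of sudo serveradmin settings addressbook, piped into parse_settings.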
1. Use serveradmin via the Terminal app to change the log level.
sudo serveradmin set addressbook:DefaultLogLevel = "<LogLevel>"
The default value for <LogLevel> is warn. Replace <LogLevel> with one of the following: error, warn, info, debug.
Command example:
sudo serveradmin set addressbook:DefaultLogLevel = "debug"
2. Restart Address Book service.
sudo serveradmin stop addressbook
sudo serveradmin start addressbook
Use one of the following command-line tools to read the log files: less or cat to view the logs, or tail to actively watch changes to a log file. For example, to track the error log:
tail -f /var/log/carddavd/error.log
For more information about using these command-line tools, see their man pages.
Use serveradmin via the Terminal app to see vital statistics about the service.
sudo serveradmin status addressbook
Understanding Calendar
Start iCal service
1. In the Server app sidebar, select the service you want to start.
2. Click the On/Off switch to turn on the service.
3. If a dialog asks whether you want to allow Internet access to the service you turned on, click Allow to configure your AirPort device and make the service accessible to Internet users. Click Don't Allow if you don't want the service to be accessible to computers on the Internet, or if you're not sure. You can change Internet access to services later by selecting your AirPort device in the Server sidebar. For more information, see Manage AirPort port mapping and Wi-Fi login. The dialog appears only if your AirPort device is listed in the Server sidebar and you turned on a service that the Server app can manage on your AirPort device. These services include Address Book, iCal, iChat, Mail, and Web.
If you have an Internet router that isn't listed in the Server sidebar, you can configure it to allow Internet access to services. This process is called port forwarding or port mapping. For information, see Router port mapping.

Add users, if needed
1. In the Users pane of the Server app, click the Add button (+).
2. In the Full Name field, enter the user's name. The name can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.
3. In the Account Name field, enter the user's short name. If you don't want to use the generated short name, enter a different short name. After the account is created, you can't change this short name. The short name typically is eight or fewer characters, but can be up to 255 Roman characters. Use only the characters a through z, A through Z, 0 through 9, . (period), _ (underscore), or - (hyphen). Note: If a user has a short name on a Mac, try to use the same short name for the user's account on the server. Having the same short name helps with the user's access to services.
4. Enter the user's password in the Password and Verify fields. You can use Password Assistant to help you choose a password. Click the button at the right of the Password field to see how secure the password is. The user can change this password in the Users & Groups pane of System Preferences on the user's computer.
5. To associate a picture with the user account, click the silhouette and select a standard picture, or click Edit Picture for a customized picture. When you click Edit Picture, you can take a picture with your computer's camera or choose a graphic file on your computer. After taking or choosing a picture, you can drag the picture to pan it, or use the slider to zoom it. When you finish customizing the picture, click Set.
6. Click Done to create the user account.

Create iCal resources and locations
Users and groups aren't the only parts of a calendaring system. Resources like projectors, microscopes, or cameras, and locations like conference rooms or buildings, must be scheduled, but they can't keep their own calendar. These resources and locations are like users and groups. They accept event invitations, and they have scheduling constraints. Therefore, they exist as principal entities on the calendar server for other users and groups to include in event invitations. Using the Server app, you can make a calendar for each resource and location in your organization. To have a delegate (or proxy) manage a location or resource calendar, the user of the iCal service must already exist before assigning delegate roles. Created locations and resources are reservable and can be set to accept event invitations automatically or through a delegate.
1. Click Add (+) to add a location or resource.
2. Enter the calendar type: Location or Resource.
3. Enter a name for the location or resource.
4. Choose how the location or resource will accept event invitations and mark the event as Busy.
Automatically: Makes the calendar accept all invitations as they're received.
With Delegate Approval: Holds event invitations until the designated delegate approves the invitation. You must provide a delegate.
5. Choose a delegate for the location or resource. Delegates are required if the location or resource is set to accept invitations with delegate approval. Delegates can also view and edit the resource calendar, even if they don't approve invitations. The delegate must be an existing iCal Server user or group. Only one delegated user or group can be assigned.

Enable email invitations
Attendees can be invited via email if they don't have an iCal Server account. When using the mail service on the same server as iCal service, iCal Server is already configured to send email notifications. All you have to do is to turn on mail notifications and mail service. When an event attendee is added by email address and the host name of the email address isn't the same host name as the calendar server, iCal Server can send a message to the attendee with the event information. iCal Server must have its mail account in the mail system. iCal Server must be able to send mail to an outgoing mail server (an SMTP server) for relay, so you need the SMTP server host name and listening port. You must also make sure there are no firewalls blocking access to the mail server from the calendar server. The SMTP server must be configured to relay mail from the calendar server as well. iCal Server also requires access to an incoming mail server, POP or IMAP, for invitation notifications. These instructions assume the mail servers are configured and functioning. Email notifications can only be exchanged with external users. Users with an account on your iCal Server will receive a standard invitation in their calendar client software.
1. Create an email user account in the mail system, and note the mail address, account name, and password. For example, the iCal Server could access the account ical_server@example.com. If you need help creating a user account and giving it mail access, see Create a user account.
2. If you aren't using the same server to send mail and serve calendars, get the following settings for the incoming Mail server from the mail administrator:
Setting information: Example
Server protocol: POP or IMAP
Email address: ical_server@example.com
Host name: mail.example.com
Listening port: 143
Does mail service use SSL?: yes or no
User name and password: a user name like ical_server@example.com
3. If you aren't using the same server to send mail and serve calendars, get the following settings for the outgoing (SMTP) Mail server from the mail administrator:
Setting information: Example
Host name: smtp.example.com
Listening port: 25
Does mail service use SSL?: yes or no
User name and password: a user name like ical_server@example.com
Required authentication method, if any: CRAM-MD5 or Kerberos
4. In the Server app, select the iCal Server pane.
5. Select Allow invitations using email addresses.
6. If you aren't using the same server to send mail and serve calendars, click Edit to configure the settings.
7. Enter the Mail server information, and then click Next.
RELATED TOPICS
About calendar resources and locations
Delete iCal resources and locations
serveradmin
caldavd
calendarserver_manage_principals: A command-line tool used to add locations and resources to your iCal server.
calendarserver_purge_principals: A command-line tool used to remove locations and resources from your iCal server.
This domain name is the fully qualified domain name of the calendar server (for example, cal.example.com). You can use only the domain name (for example, example.com) if the domain has an SRV DNS record for calendar service.
The iCal Server port number: This is the TCP port that the iCal Server listens on.
Whether the iCal Server uses SSL encryption or not
The calendar account location for account creation: If automatic discovery fails, the account URL is http://server:port/principals/users/username/ . If the calendar client doesn't support automatic discovery (like Mac OS X v10.5 iCal 3.0), the account URL is http://server:port/calendars/__uids__/<<GUID>> where GUID is the user's globally unique identifier.
Optional: The user GUID. The user GUID is a Distributed Computing Environment (DCE) compatible universally unique identifier string created by the directory service for a user when his or her directory record is created. It usually looks something like this: 95432C72-0035-4399-9447-8531601AA699.
Administer iCal Server using the Server app or serveradmin. If the Server app and serveradmin are unavailable, you can configure and run iCal Server from the command line, using built-in tools. The following files are used to run iCal Server:
/etc/caldavd/caldavd.plist: The main configuration file for caldavd. The file contains an XML property list of server options and provides information such as the port to bind to and whether to use SSL. You can specify the names of other files.
/var/log/caldavd/access.log: The server's main log file
/var/run/caldavd.pid: The server's process ID file
/usr/share/caldavd: Implementation and support files
Understanding the data store and file hierarchy for iCal Server
Calendar event data is stored in a postgres database, with some support files in the file system. This is different from Snow Leopard Server, where all calendar data files were stored on the file system. Now only attachments and the proxy database are stored on the file system. All other calendar data is stored in a database. When backing up calendar server files, make sure to back up the /Library/Server/Calendar and Contacts/ directory and the postgres databases.
Database files
iCal Server uses database files for various purposes. It uses a postgres database to store calendar data. It uses sqlite files to store proxy relationships. To troubleshoot or resolve problems, an administrator needs to use postgres database queries. Teaching postgres database manipulation is beyond the scope of this topic. To access the database, you need to use the postgres and pg_ctl command-line tools.
File system files
By default, the root data store location is /Library/Server/Calendar and Contacts/, but you can specify another location using the serveradmin command-line tool. When setting this path in the command-line tool, it is an absolute path. The Calendar and Contacts folder contains two folders: Data and Documents. When setting the location of these two folders in the command-line tool, the paths are relative to the root data store location. The Data folder contains the sqlite databases for proxies, and an XML list of resources and locations in the calendar system. The Documents folder contains event attachments. To access the files, you need root access to the /Library/Server/Calendar and Contacts/ folder and its subfolders (or whatever path you configured using serveradmin).
Configure Calendar
sudo serveradmin set calendar:ServerHostName = "hostname"
Use a fully qualified domain name for hostname.
sudo serveradmin set calendar:ServerHostName = "cal.example.com"
Use serveradmin via the Terminal app to change the unencrypted connection setting.
sudo serveradmin set calendar:HTTPPort = "<PortNumber>"
The default value for <PortNumber> is 8008.
Command example:
sudo serveradmin set calendar:HTTPPort = "9009"
Use serveradmin via the Terminal app to change the SSL connection setting.
sudo serveradmin set calendar:SSLPort = "<SSLPortNumber>"
The default value for <SSLPortNumber> is 8443.
Command example:
sudo serveradmin set calendar:SSLPort = "8484"
move the files, see Understanding the data store and file hierarchy for iCal Server.
1. Create the new directory, if needed.

    sudo mkdir <new_path>

   <new_path> is the new location of the data store. Command example:

    sudo mkdir /Volumes/NetworkDrive/CalendarData/

2. Give the target directory the right owner and permissions, so that only the calendar service's own account (_calendar) can write to it.

    sudo chown _calendar:_calendar <new_path>
    sudo chmod 740 <new_path>

   <new_path> is the new location of the data store. Command example:

    sudo chown _calendar:_calendar /Volumes/NetworkDrive/CalendarData/
    sudo chmod 740 /Volumes/NetworkDrive/CalendarData/

3. Use serveradmin via the Terminal app to set the location.

    sudo serveradmin set calendar:ServerRoot = "<NewLocation>"

   Command example:

    sudo serveradmin set calendar:ServerRoot = "/Volumes/NetworkDrive/CalendarData/"
Use serveradmin via the Terminal app to change the maximum attachment size, in bytes.

    sudo serveradmin set calendar:MaximumAttachmentSize = "<file_size>"

The default value for <file_size> is 1048576. Command example:

    sudo serveradmin set calendar:MaximumAttachmentSize = "2097152"
total of all your users' quotas to exceed the storage capacity of the data s tore
Use serveradmin via the Terminal app to set the quota limits.

    sudo serveradmin set calendar:UserQuota = "<FileSize>"
    sudo serveradmin set calendar:MaxCollectionsPerHome = "<Number>"
    sudo serveradmin set calendar:MaxResourcesPerCollection = "<Number>"
    sudo serveradmin set calendar:MaxResourceSize = "<FileSize>"

    Setting                     Description                                                   Default
    UserQuota                   the maximum size in bytes for all attachments
    MaxCollectionsPerHome       the maximum number of calendars a user can create
    MaxResourcesPerCollection   the maximum number of events and tasks that a user can        10000
                                create in each calendar
    MaxResourceSize             the maximum size in bytes of a single event or task           1048576

Command example:

    sudo serveradmin set calendar:UserQuota = "209715200"
    sudo serveradmin set calendar:MaxCollectionsPerHome = "100"
    sudo serveradmin set calendar:MaxResourcesPerCollection = "12000"
    sudo serveradmin set calendar:MaxResourceSize = "209715200"
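The script below is an added example, not part of Apple's documentation or of iCal Server. It ties the two procedures above together: it prepares a new data-store directory with the owner and mode the move procedure calls for and verifies the result, and it refuses a quota plan whose total (users multiplied by UserQuota) exceeds the free space of the volume that will hold the data store, or whose MaxResourceSize is larger than a single user's quota. CAL_OWNER defaults to _calendar and is skipped when that account does not exist, so the script can be tried on any machine; the capacity figure used in the sample is constructed.

```shell
#!/bin/sh
# Added example, not from Apple's documentation: prepare the calendar
# data-store directory and size quotas against the volume's free space.
# CAL_OWNER is an assumption (_calendar is the service account named in the
# procedure above); set it empty to skip chown on a machine without it.
CAL_OWNER=${CAL_OWNER-_calendar}

# prepare_store DIR -> creates DIR, applies owner and mode 740, prints the
# resulting type+permission bits (expected: drwxr-----)
prepare_store() {
    dir=$1
    mkdir -p "$dir" || return 1
    if [ -n "$CAL_OWNER" ] && id "$CAL_OWNER" >/dev/null 2>&1; then
        chown "$CAL_OWNER:$CAL_OWNER" "$dir" || return 1
    fi
    chmod 740 "$dir" || return 1
    # verify: the first ten characters of ls -ld are the type and mode bits
    ls -ld "$dir" | cut -c1-10
}

# free_bytes PATH -> free bytes on the volume holding PATH (POSIX df -P)
free_bytes() {
    df -Pk "$1" | awk 'NR == 2 { printf "%.0f\n", $4 * 1024 }'
}

# quota_commands USERS PER_USER_BYTES MAX_RESOURCE_BYTES CAPACITY_BYTES
#   prints the serveradmin commands, or prints an error and returns 1 when
#   the total of all quotas could exceed CAPACITY_BYTES or a single
#   resource could exceed one user's quota
quota_commands() {
    users=$1; per_user=$2; max_res=$3; cap=$4
    total=$((users * per_user))
    if [ "$total" -gt "$cap" ]; then
        echo "refusing: $users users x $per_user bytes = $total exceeds capacity $cap" >&2
        return 1
    fi
    if [ "$max_res" -gt "$per_user" ]; then
        echo "refusing: MaxResourceSize $max_res exceeds UserQuota $per_user" >&2
        return 1
    fi
    echo "serveradmin set calendar:UserQuota = \"$per_user\""
    echo "serveradmin set calendar:MaxResourceSize = \"$max_res\""
}

# Usage: sh this.sh --plan USERS PER_USER_BYTES MAX_RESOURCE_BYTES STORE_PATH
case ${1:-} in
    --plan) quota_commands "$2" "$3" "$4" "$(free_bytes "$5")" ;;
esac
```

Run the emitted commands with sudo only after reading them; free_bytes reports what is free now, not what will stay free, so leave headroom for attachments and logs.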
Use calendarserver_manage_principals via the Terminal app to add a resource or location.

    sudo calendarserver_manage_principals --add {locations|resources} '<full name>' --set-auto-schedule={true|false}

Command example:

    sudo calendarserver_manage_principals --add locations 'Conference Room' --set-auto-schedule=true

Use calendarserver_manage_principals via the Terminal app to remove a resource or location.

    sudo calendarserver_manage_principals --remove {locations|resources} '<full name>'

Command example:

    sudo calendarserver_manage_principals --remove locations 'Conference Room'
1. Set the following parameter using the Terminal.

    sudo serveradmin set calendar:Scheduling:iMIP:Enabled = "yes"

2. If you aren't using the same server for mail service, set the following parameters:

    sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Server = "<mail server host name>"
    sudo serveradmin set calendar:Scheduling:iMIP:Receiving:UseSSL = <yes or no>
    sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Username = "<iCal Server's user name>"
    sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Type = "<POP or IMAP>"
    sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Password = "<plaintext password>"
    sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Port = <POP or IMAP port number>
    sudo serveradmin set calendar:Scheduling:iMIP:MailGatewayServer = "localhost"
    sudo serveradmin set calendar:Scheduling:iMIP:MailGatewayPort = 62310
    sudo serveradmin set calendar:Scheduling:iMIP:Sending:Server = "<SMTP hostname>"
    sudo serveradmin set calendar:Scheduling:iMIP:Sending:Port = <SMTP port number>
    sudo serveradmin set calendar:Scheduling:iMIP:Sending:Address = "<iCal Server's user name>"

   The password is stored in plain text in the calendar server's configuration, and the command that sets it is recorded in your shell history, so remove that history entry afterwards and give the mail account no privileges beyond its own mailbox.
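The script below is an added example, not part of Apple's documentation or of iCal Server. It builds the iMIP command set above from one list of inputs and refuses two inconsistencies that otherwise surface only as silent notification failures: a Receiving:Type other than POP or IMAP, and a receiving port that does not fit the UseSSL value (the 143/993 and 110/995 pairings are the conventional ports, an assumption to adjust if your mail server listens elsewhere). The password is read from the IMIP_PASSWORD environment variable rather than a command-line argument so it is not recorded in shell history; serveradmin still stores it in plain text.

```shell
#!/bin/sh
# Added example, not from Apple's documentation: generate the iMIP settings
# for an external mail server and reject inconsistent input first.
# Port/UseSSL pairings below are the conventional ones (an assumption).

# receiving_port_ok TYPE PORT USESSL -> 0 if PORT is the usual port for
# TYPE under the given UseSSL value
receiving_port_ok() {
    case "$1:$3:$2" in
        IMAP:no:143|IMAP:yes:993|POP:no:110|POP:yes:995) return 0 ;;
    esac
    return 1
}

# imip_commands MAILHOST TYPE PORT USESSL USERNAME SMTPHOST SMTPPORT
#   prints the serveradmin commands, or prints an error and returns 1
#   without output when the input cannot work. Needs IMIP_PASSWORD set.
imip_commands() {
    host=$1; type=$2; port=$3; usessl=$4; user=$5; smtp=$6; smtpport=$7
    case $type in
        IMAP|POP) ;;
        *) echo "Receiving:Type must be POP or IMAP, got '$type'" >&2; return 1 ;;
    esac
    case $usessl in
        yes|no) ;;
        *) echo "UseSSL must be yes or no, got '$usessl'" >&2; return 1 ;;
    esac
    receiving_port_ok "$type" "$port" "$usessl" ||
        { echo "port $port does not match $type with UseSSL=$usessl" >&2; return 1; }
    [ -n "${IMIP_PASSWORD:-}" ] ||
        { echo "set IMIP_PASSWORD in the environment (not on the command line)" >&2; return 1; }
    cat <<EOF
serveradmin set calendar:Scheduling:iMIP:Enabled = "yes"
serveradmin set calendar:Scheduling:iMIP:Receiving:Server = "$host"
serveradmin set calendar:Scheduling:iMIP:Receiving:UseSSL = $usessl
serveradmin set calendar:Scheduling:iMIP:Receiving:Username = "$user"
serveradmin set calendar:Scheduling:iMIP:Receiving:Type = "$type"
serveradmin set calendar:Scheduling:iMIP:Receiving:Password = "$IMIP_PASSWORD"
serveradmin set calendar:Scheduling:iMIP:Receiving:Port = $port
serveradmin set calendar:Scheduling:iMIP:MailGatewayServer = "localhost"
serveradmin set calendar:Scheduling:iMIP:MailGatewayPort = 62310
serveradmin set calendar:Scheduling:iMIP:Sending:Server = "$smtp"
serveradmin set calendar:Scheduling:iMIP:Sending:Port = $smtpport
serveradmin set calendar:Scheduling:iMIP:Sending:Address = "$user"
EOF
}

# Usage (review the output, then pipe it to sudo sh):
#   IMIP_PASSWORD='...' sh this.sh mail.example.com IMAP 993 yes \
#       ical_server@example.com smtp.example.com 25
if [ $# -eq 7 ]; then
    imip_commands "$@"
fi
```

Because the function prints nothing on a rejected input, piping its output straight into sudo sh applies either the whole set or nothing.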
1. Choose iCal > Preferences and then click Accounts.
2. In the bottom-left corner of the preferences pane, click the Add button (+) to add an account.
3. From the Account type pop-up menu, select Automatic.
4. Enter the user short name and calendar server address. For example, John Doe (with a user short name of johndoe) enters johndoe@cal.example.com. The calendar server address is the fully qualified domain name of the calendar server (for example, cal.example.com). You can use only the domain name (for example, example.com) if the domain has an SRV DNS record for calendar service.
5. Click Create. You return to the Account Information pane of the account.
6. In the Refresh Calendars pop-up menu, specify how often you want your computer to update the information it shares with the server (for example, to look for meeting invitations or to send changes you've made to your calendar).
7. Set the general times you want to be available for meetings and events. For example, if you work part time and want coworkers to schedule meetings with you only on weekdays between noon and 5:00 p.m., select Weekdays and enter the times in the adjacent fields. If your availability includes weekends or only some weekdays, select Custom, click Edit, and then make selections to set your availability.
Use serveradmin via the Terminal app to change the setting.

    sudo serveradmin set calendar:Authentication:Wiki:Enabled = "<setting>"

The default value for <setting> is no. The other possible value is yes. Command example:

    sudo serveradmin set calendar:Authentication:Wiki:Enabled = "yes"

Use serveradmin via the Terminal app to designate the Wiki server.

    sudo serveradmin set calendar:Authentication:Wiki:Hostname = "<DNSWikiServer>"

<DNSWikiServer> is the Wiki server's fully qualified domain name. Command example:

    sudo serveradmin set calendar:Authentication:Wiki:Hostname = "wikiweb.example.com"

Use serveradmin via the Terminal app to encrypt the connection to the Wiki server.

    sudo serveradmin set calendar:Authentication:Wiki:UseSSL = "(yes|no)"

The default value is no. Command example:

    sudo serveradmin set calendar:Authentication:Wiki:UseSSL = "yes"
1. Select File > New Calendar > Your CalDAV calendar. If you do not select a calendar under the CalDAV account, the calendar is created locally, not on the iCal Server.
2. Enter a name for your calendar and press the Return key.
Calendar Security
Use serveradmin via the Terminal app to enable Digest MD5 authentication.

    sudo serveradmin set calendar:Authentication:Digest:Enabled = "(yes|no)"

The default value is yes. Command example:

    sudo serveradmin set calendar:Authentication:Digest:Enabled = "yes"

Use serveradmin via the Terminal app to enable Kerberos.

    sudo serveradmin set calendar:Authentication:Kerberos:Enabled = "(yes|no)"

The default value is no. Command example:

    sudo serveradmin set calendar:Authentication:Kerberos:Enabled = "yes"

Use serveradmin via the Terminal app to set the Kerberos service principal.

    sudo serveradmin set calendar:Authentication:Kerberos:ServicePrincipal = "<Hostname>"

The default value for <Hostname> is blank, meaning the local host. Command example:

    sudo serveradmin set calendar:Authentication:Kerberos:ServicePrincipal = "REALM.EXAMPLE.COM"

Use serveradmin via the Terminal app to change the setting for Basic authentication.

    sudo serveradmin set calendar:Authentication:Basic:Enabled = "(yes|no)"

The default value is no. Basic authentication sends the password in the clear on every request, so leave it disabled unless every client connection is forced onto the SSL port (see RedirectHTTPToHTTPS below). Command example:

    sudo serveradmin set calendar:Authentication:Basic:Enabled = "no"
Use serveradmin via the Terminal app to change the SSL port number.

    sudo serveradmin set calendar:SSLPort = "<PortNumber>"

The default value for <PortNumber> is 8443. Command example:

    sudo serveradmin set calendar:SSLPort = "8882"

Use serveradmin via the Terminal app to set the location of the PEM-encoded SSL certificate.

    sudo serveradmin set calendar:SSLCertificate = "<CertLocation>"

The default location for <CertLocation> is /etc/certificates/. Command example:

    sudo serveradmin set calendar:SSLCertificate = "/etc/certificates/"

Use serveradmin via the Terminal app to set the location of the PEM-encoded private key.

    sudo serveradmin set calendar:SSLPrivateKey = "<PrivateKeyLoc>"

The default location for <PrivateKeyLoc> is /etc/certificates/. Command example:

    sudo serveradmin set calendar:SSLPrivateKey = "/etc/certificates/"

Use serveradmin via the Terminal app to set the location of the PEM-encoded authority chain file.

    sudo serveradmin set calendar:SSLAuthorityChain = "<ChainFile>"

The default location for <ChainFile> is /etc/certificates/. Command example:

    sudo serveradmin set calendar:SSLAuthorityChain = "/etc/certificates/"

Use serveradmin via the Terminal app to redirect insecure requests to the SSL port. With the redirect off, a client that connects to the HTTP port keeps using it, and whatever credentials it sends (Basic authentication in particular) cross the network unencrypted.

    sudo serveradmin set calendar:RedirectHTTPToHTTPS = "<setting>"

The default value for <setting> is no. Command example:

    sudo serveradmin set calendar:RedirectHTTPToHTTPS = "yes"
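The script below is an added example, not part of Apple's documentation or of iCal Server. It reads the "key = value" lines that sudo serveradmin settings calendar prints and flags the combinations the authentication and SSL settings above make possible but that expose credentials or break logins: Basic authentication without RedirectHTTPToHTTPS, Kerberos enabled with a blank ServicePrincipal, and an SSLCertificate or SSLPrivateKey value that names a directory rather than a .pem file. The settings text embedded in the script is constructed, not captured from a server.

```shell
#!/bin/sh
# Added example, not from Apple's documentation: audit iCal Server
# authentication and SSL settings. Feed it the output of
#   sudo serveradmin settings calendar
# The "key = value" line format is what serveradmin prints; the sample at
# the end is constructed.

# setting_value SETTINGS KEY -> value of KEY with surrounding quotes
# removed (prints nothing if the key is absent)
setting_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 == k && $2 == "=" {
            v = $3
            gsub(/^"|"$/, "", v)
            print v
            exit
        }'
}

# audit_calendar SETTINGS -> one finding per line; exit status = number
# of findings, so 0 means clean
audit_calendar() {
    s=$1
    n=0
    basic=$(setting_value "$s" calendar:Authentication:Basic:Enabled)
    redirect=$(setting_value "$s" calendar:RedirectHTTPToHTTPS)
    httpport=$(setting_value "$s" calendar:HTTPPort)
    krb=$(setting_value "$s" calendar:Authentication:Kerberos:Enabled)
    spn=$(setting_value "$s" calendar:Authentication:Kerberos:ServicePrincipal)
    cert=$(setting_value "$s" calendar:SSLCertificate)
    key=$(setting_value "$s" calendar:SSLPrivateKey)

    # Basic carries the password base64-encoded, i.e. readable by anyone on
    # the path; acceptable only when HTTP is redirected to the SSL port.
    if [ "$basic" = yes ] && [ "$redirect" != yes ]; then
        echo "FAIL Basic auth enabled without RedirectHTTPToHTTPS: passwords cross port ${httpport:-8008} unencrypted"
        n=$((n + 1))
    fi
    # A blank ServicePrincipal means the local host; with Kerberos on,
    # clients presenting the server's real FQDN will not match it.
    if [ "$krb" = yes ] && [ -z "$spn" ]; then
        echo "WARN Kerberos enabled with a blank ServicePrincipal (treated as localhost)"
        n=$((n + 1))
    fi
    # SSLCertificate and SSLPrivateKey must name PEM files, not a directory.
    for p in "$cert" "$key"; do
        case $p in
            */) echo "FAIL SSL path '$p' is a directory, not a .pem file"; n=$((n + 1)) ;;
        esac
    done
    return $n
}

# Constructed sample in serveradmin's output format: a weak configuration.
SAMPLE_WEAK='calendar:HTTPPort = 8008
calendar:SSLPort = 8443
calendar:RedirectHTTPToHTTPS = no
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Kerberos:Enabled = yes
calendar:Authentication:Kerberos:ServicePrincipal = ""
calendar:SSLCertificate = "/etc/certificates/"
calendar:SSLPrivateKey = "/etc/certificates/"'

case ${1:-} in
    --sample) audit_calendar "$SAMPLE_WEAK" ;;   # 4 findings
    --stdin)  audit_calendar "$(cat)" ;;         # live server via a pipe
esac
```

On the server itself run sudo serveradmin settings calendar | sh audit_calendar.sh --stdin; the non-zero exit status makes it usable from a cron job or a configuration check. A clean result for the three checks looks like RedirectHTTPToHTTPS = yes, Basic:Enabled = no, a ServicePrincipal naming the server (for instance http/cal.example.com@REALM.EXAMPLE.COM, an assumed value), and SSL paths that end in a file name.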
1. Select the server under Hardware in the Server app sidebar.
2. Click Settings and then click the Edit button at the right of SSL Certificate.
3. From the Action pop-up menu, choose an available certificate. If the pop-up menu doesn't contain certificates, create a self-signed certificate. For instructions, see Create a self-signed certificate. To use a previously generated SSL certificate, import it.
1. Use calendarserver_manage_principals via the Terminal app to list the principals.

    sudo calendarserver_manage_principals --list-principals (users|groups|locations|resources)

   Use users, groups, locations, or resources as desired. Command example:

    sudo calendarserver_manage_principals --list-principals locations

   This lists all locations or resources, including the name of the location/resource, the record name, and the UUID of the record:

    Full name        Record name                            UUID
    ---------        -----------                            ----
    SampleLocation   7697ca41-4d75-40a2-9c57-c507ceea5f9f   7697ca41-4d75-40a2-9c57-c507ceea5f9f

2. Use calendarserver_purge_principals via the Terminal app to delete the events associated with the UUID.

    sudo calendarserver_purge_principals <UUID>

   <UUID> is the UUID of the desired record. Command example:

    sudo calendarserver_purge_principals 7697ca41-4d75-40a2-9c57-c507ceea5f9f
Monitor Calendar
Use serveradmin via the Terminal app to change the log level.

    sudo serveradmin set calendar:DefaultLogLevel = "<log_level_key>"

The default log level key is info. Command example:

    sudo serveradmin set calendar:DefaultLogLevel = "debug"
Use tail via the Terminal app to monitor the access log.

    tail -F /var/log/caldavd/access.log

Use tail via the Terminal app to monitor the error log.

    tail -F /var/log/caldavd/error.log
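The script below is an added example, not part of Apple's documentation or of iCal Server. Watching the access log with tail shows individual requests; this script turns the same log into a report of clients that keep failing authentication (HTTP 401), with the first and last time each one was seen. The field positions assume the common log layout (client, ident, user, bracketed timestamp and zone, quoted request, status, bytes), and the sample lines at the end are constructed, so compare the status field against one real line from /var/log/caldavd/access.log before relying on the numbers.

```shell
#!/bin/sh
# Added example, not from Apple's documentation: report clients with
# repeated 401 responses in /var/log/caldavd/access.log. Assumes the common
# log layout; $9 is the status field. Sample lines below are constructed.

# failed_auth_report THRESHOLD < access.log
#   prints "FAILS CLIENT FIRST LAST", most failures first, for every
#   client with at least THRESHOLD 401 responses
failed_auth_report() {
    awk -v limit="$1" '
        $9 == 401 {
            fails[$1]++
            ts = substr($4, 2)               # strip the leading "["
            if (!($1 in first)) first[$1] = ts
            last[$1] = ts
        }
        END {
            for (c in fails)
                if (fails[c] >= limit)
                    printf "%d %s %s %s\n", fails[c], c, first[c], last[c]
        }' | sort -rn
}

# Constructed sample: one client guessing passwords, one normal client.
SAMPLE_LOG='10.0.1.20 - - [12/Jan/2012:10:15:01 +0000] "PROPFIND /principals/ HTTP/1.1" 401 0
10.0.1.20 - - [12/Jan/2012:10:15:02 +0000] "PROPFIND /principals/ HTTP/1.1" 401 0
10.0.1.20 - - [12/Jan/2012:10:15:03 +0000] "PROPFIND /principals/ HTTP/1.1" 401 0
10.0.1.20 - - [12/Jan/2012:10:15:04 +0000] "PROPFIND /principals/ HTTP/1.1" 401 0
10.0.1.20 - - [12/Jan/2012:10:15:05 +0000] "PROPFIND /principals/ HTTP/1.1" 401 0
10.0.1.7 - johndoe [12/Jan/2012:10:15:06 +0000] "PROPFIND /calendars/ HTTP/1.1" 207 845
10.0.1.7 - johndoe [12/Jan/2012:10:15:07 +0000] "REPORT /calendars/ HTTP/1.1" 207 2310
10.0.1.7 - - [12/Jan/2012:10:16:00 +0000] "PROPFIND /principals/ HTTP/1.1" 401 0'

case ${1:-} in
    --sample) printf '%s\n' "$SAMPLE_LOG" | failed_auth_report 3 ;;
    --live)   failed_auth_report "${2:-10}" < /var/log/caldavd/access.log ;;
esac
```

A single 401 is normal (Digest and Kerberos clients are challenged before they authenticate), which is why the report takes a threshold; the live form, sh report.sh --live 20, is the one to schedule, and the same awk filter can be attached to tail -F for a running view.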
Manage Calendar
1. Add a user to the group. You must provide the directory administrator password.

    dseditgroup -o edit -n /LDAPv3/LDAP_server_hostname -u directory_admin_username -p -a username -
    dseditgroup -o edit -n /LDAPv3/directory.example.com -u diradmin -p -a john_appleseed -t user co

2. Add a group to the group. You must provide the directory administrator password.

    dseditgroup -o edit -n /LDAPv3/LDAP_server_hostname -u directory_admin_username -p -a group_to_b
    dseditgroup -o edit -n /LDAPv3/directory.example.com -u diradmin -p -a staff -t group com.apple.
If you manage users using Workgroup Manager and want to add calendar permissions to a user, you must add the user to the iCal SACL list. If you manage users with Server app and add calendar permissions to a user, the user gets the correct service access control list (SACL) setting for calendar use automatically.

1. Open Server Admin and select the server from the Servers list.
2. Click Access.
3. From the Service list, make sure For all services or iCal Server is selected. For all services makes changes to all services. Selecting iCal Server only changes the SACL for iCal Server.
4. To provide unrestricted access to iCal Server, click Allow all users and groups.
5. To restrict access to specific users and groups:
   a. Select Allow only users and groups below.
   b. Click the Add button (+) to open the Users & Groups drawer.
   c. Drag users and groups from the Users & Groups drawer to the list.
6. To provide push notification, repeat these steps for iChat Server as well.
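The script below is an added example, not part of Apple's documentation or of iCal Server. It applies the dseditgroup command from the group-membership procedure above to a whole list of users, which is the case where the SACL step is easy to get wrong: every short name is validated against the character rules given in Create a user account before any change is made, so one bad line aborts the run instead of leaving the group half-populated. The SACL group name com.apple.access_calendar, the directory node and the administrator name are assumptions set through environment variables; DSEDITGROUP can be pointed at true for a dry run.

```shell
#!/bin/sh
# Added example, not from Apple's documentation: add many users to the
# iCal Server SACL group with dseditgroup. SACL_GROUP, DIR_NODE and
# DIR_ADMIN are assumptions; override them in the environment.
SACL_GROUP=${SACL_GROUP:-com.apple.access_calendar}
DIR_NODE=${DIR_NODE:-/LDAPv3/directory.example.com}
DIR_ADMIN=${DIR_ADMIN:-diradmin}
DSEDITGROUP=${DSEDITGROUP:-dseditgroup}   # set to "true" for a dry run

# valid_short_name NAME -> 0 if NAME uses only a-z A-Z 0-9 . _ - (max 255)
valid_short_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]{1,255}$'
}

# sacl_add_users FILE -> FILE holds one short name per line (blank lines
# and # comments ignored). All names are validated first; then each one is
# added and the command that ran is echoed. Returns 1 on any bad name or
# dseditgroup failure.
sacl_add_users() {
    file=$1
    bad=0
    while IFS= read -r name || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        valid_short_name "$name" || { echo "invalid short name: '$name'" >&2; bad=1; }
    done < "$file"
    [ "$bad" = 0 ] || return 1
    while IFS= read -r name || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        echo "$DSEDITGROUP -o edit -n $DIR_NODE -u $DIR_ADMIN -p -a $name -t user $SACL_GROUP"
        # -p prompts for the directory administrator password on each call
        "$DSEDITGROUP" -o edit -n "$DIR_NODE" -u "$DIR_ADMIN" -p \
            -a "$name" -t user "$SACL_GROUP" || return 1
    done < "$file"
    return 0
}

# Usage: sh this.sh users.txt
if [ $# -eq 1 ]; then
    sacl_add_users "$1"
fi
```

Using -p means one password prompt per user; that is deliberate, since the alternative of passing the administrator password as an argument leaves it visible in the process list and in shell history.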
Create iCal resources and locations

Delete iCal resources and locations
1. Before deleting the location or resource, delete the events associated with it.
   a. Use calendarserver_manage_principals via the Terminal app to list the locations or resources.

    sudo calendarserver_manage_principals --list-principals (locations|resources)

      Use locations or resources as desired. Command example:

    sudo calendarserver_manage_principals --list-principals locations

      This lists all locations or resources, including the name of the location/resource, the record name, and the UUID of the record:

    Full name     Record name                            UUID
    ---------     -----------                            ----
    Test Room 1   7697ca41-4d75-40a2-9c57-c507ceea5f9f   7697ca41-4d75-40a2-9c57-c507ceea5f9f

   b. Use calendarserver_purge_principals via the Terminal app to delete the events of the location or resource, using the UUID of the record.

    sudo calendarserver_purge_principals <UUID>

      <UUID> is the UUID of the desired record. Command example:

    sudo calendarserver_purge_principals 7697ca41-4d75-40a2-9c57-c507ceea5f9f

2. In the iCal Server pane of Server app, select the location or resource.
3. Click Remove (-).
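The script below is an added example, not part of Apple's documentation or of iCal Server. Both procedures above (purging a principal's events, and deleting a location or resource) have you read a UUID off the listing and paste it into calendarserver_purge_principals, a step where a copied digit or the wrong row removes somebody else's data. The script resolves the UUID from the full name in the listing and refuses to proceed unless exactly one row matches. The listing layout (Full name, Record name, UUID columns under two header lines) follows the sample above; the listing embedded below is constructed, and PURGE can be set to echo for a dry run.

```shell
#!/bin/sh
# Added example, not from Apple's documentation: resolve a location or
# resource UUID by full name from the --list-principals output and purge
# it, refusing ambiguous or missing matches. SAMPLE_LIST is constructed.
PURGE=${PURGE:-calendarserver_purge_principals}   # set PURGE=echo to dry-run

# uuid_for_name LISTING 'Full name' -> prints the UUID column of the row
# whose full name equals the argument; returns 1 unless exactly one matches
uuid_for_name() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR <= 2 { next }                 # header line and dashes
        {
            uuid = $NF
            name = $0
            # drop the last two whitespace-separated columns (record name, UUID)
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+$/, "", name)
            if (name == want) { print uuid; hits++ }
        }
        END { if (hits != 1) exit 1 }'
}

# purge_from_listing LISTING 'Full name' -> purges the matching principal
purge_from_listing() {
    uuid=$(uuid_for_name "$1" "$2") ||
        { echo "'$2' matched zero or several records; refusing to purge" >&2; return 1; }
    case $uuid in
        *-*-*-*-*) ;;
        *) echo "'$uuid' does not look like a UUID; refusing" >&2; return 1 ;;
    esac
    "$PURGE" "$uuid"
}

# purge_by_name TYPE 'Full name' -> TYPE is locations or resources; reads
# the live listing from calendarserver_manage_principals
purge_by_name() {
    listing=$(sudo calendarserver_manage_principals --list-principals "$1") || return 1
    purge_from_listing "$listing" "$2"
}

# Constructed sample in the listing layout shown above.
SAMPLE_LIST='Full name        Record name                            UUID
---------        -----------                            ----
Test Room 1      7697ca41-4d75-40a2-9c57-c507ceea5f9f   7697ca41-4d75-40a2-9c57-c507ceea5f9f
Projector A      0c4e1f3a-2b7d-4a6e-9d1f-3e5b7a9c1d2e   0c4e1f3a-2b7d-4a6e-9d1f-3e5b7a9c1d2e'

# Usage: sudo sh this.sh locations 'Test Room 1'
if [ $# -eq 2 ]; then
    purge_by_name "$1" "$2"
fi
```

Run it once with PURGE=echo to see which UUID would be purged, then again without; the full-name match is exact, so 'Test Room' does not match 'Test Room 1'.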
RELATED TOPICS
About calendar resources and locations Create iCal resources and locations
1. Click Add (+) to add a location or resource.
2. Enter the calendar type: Location or Resource.
3. Enter a name for the location or resource.
4. Choose how the location or resource will accept event invitations and mark the event as Busy. Automatically makes the calendar accept all invitations as they're received. With Delegate Approval holds event invitations until the designated delegate approves the invitation; you must provide a delegate.
5. Choose a delegate for the location or resource. Delegates are required if the location or resource is set to accept invitations with delegate approval. Delegates can also view and edit the resource calendar, even if they don't approve invitations. The delegate must be an existing iCal Server user or group. Only one delegated user or group can be assigned.
RELATED TOPICS
About calendar resources and locations Delete iCal resources and locations
A read-only delegate is another user who can see your calendar items, including free-busy times, but not change them. Sometimes this is called a proxy user. This setting is useful for locations and resources. If you make a user or group a read-only delegate for the resource, the delegate can see the details of the resource's use, rather than only whether the resource is busy. Delegates can also be given read and write access to your calendar, so that another person can add or delete events on it. This is a good feature for users with administrative assistants. Delegates can only be chosen from iCal Server users in the same authentication directory as you. For example, if your user credentials are stored in a directory like Open Directory, the delegate must also be a user in your Open Directory system.

1. In iCal, open Preferences > Accounts.
2. Select the account to share with the delegate.
3. Select the Delegation tab.
4. Click the Edit button next to Manage access to my account.
5. In the sheet that drops down, click the Add button (+).
6. Enter the account name to designate as a delegate. If you want the delegate to change your calendar, check Allow Write.
7. Click Done.
Understanding iChat
This process is called port forwarding or port mapping. For information, see Router port mapping.

Create a user account

You can create a user account for each person who uses the services provided by your server.

1. In the Users pane of the Server app, click the Add button (+).
2. In the Full Name field, enter the user's name. The name can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.
3. In the Account Name field, enter the user's short name. If you don't want to use the generated short name, enter a different short name. After the account is created, you can't change this short name. The short name typically is eight or fewer characters, but can be up to 255 Roman characters. Use only the characters a through z, A through Z, 0 through 9, . (period), _ (underscore), or - (hyphen). Note: If a user has a short name on a Mac, try to use the same short name for the user's account on the server. Having the same short name helps with the user's access to services.
4. Enter the user's password in the Password and Verify fields. You can use Password Assistant to help you choose a password. Click the button at the right of the Password field to see how secure the password is. The user can change this password in the Users & Groups pane of System Preferences on the user's computer.
5. To associate a picture with the user account, click the silhouette and select a standard picture, or click Edit Picture for a customized picture. When you click Edit Picture, you can take a picture with your computer's camera or choose a graphic file on your computer. After taking or choosing a picture, you can drag the picture to pan it, or use the slider to zoom it. When you finish customizing the picture, click Set.
6. Click Done to create the user account.
Allow iChat Buddies From Other Servers

iChat service can let your chat server communicate with other servers using iChat service, allowing buddies from other servers besides your own. Server-to-server chat communication is called federation. If you want to control which servers can be federated with your own, see Approve server-to-server chat connections. To establish communication between servers on different networks, administrators must configure domain name service (DNS), network address translation (NAT), and firewalls, as needed.

1. In the Server app, select the iChat service pane.
2. Click Enable server-to-server federation. If this is the first time you've enabled federation, a configuration sheet appears. Otherwise, click Edit to get the configuration sheet.
3. Select Require secure server-to-server federation to restrict communication to SSL encrypted connections. Secure federation requires the federated server to accept SSL encrypted connections. You can change which SSL certificate is used for encryption by using the certificate management feature of Server app. For more information, see Use an SSL certificate.

Save chat transcripts

An iChat client can be configured to record its own chat transcripts. The iChat Server can also be configured to record all chat messages. The client recording capability is useful to the individual iChat user, while the server message logging capability is intended for administrative and auditing purposes. Chat transcripts are saved at /Library/Server/iChat/Data/message_archives.

1. In the Server app, select the iChat service pane.
RELATED TOPICS
Change a user's account settings
Change a user's group membership
Change a user's or group's name
Change a user's or group's picture
Delete a user account
Import users from another network account server
RELATED TOPICS
Provide instant messaging
Approve server-to-server chat connections
Save chat transcripts
About iChat Server technologies
About secure connections for iChat Server
RELATED TOPICS
Provide instant messaging
Allow iChat Buddies From Other Servers
Approve server-to-server chat connections
About iChat Server technologies
About secure connections for iChat Server
C2S (client-to-server communications) S2S (server-to-server communications) Multi-user chat room configuration
Configuring iChat
Use SSL encryption with iChat service

You can maximize the privacy of chats by implementing SSL with iChat service. SSL uses a digital certificate to validate the identity of the server and to establish secure, encrypted data exchanges for client-to-server and server-to-server connections. iChat uses SSL to encrypt chat messages that are sent over the network. However, if your iChat Server is logging chat messages, the messages are stored on the server in an unencrypted format. These unencrypted chat messages can be easily viewed by your server administrator. For information about message logging, see Set iChat service error log levels. The digital certificate can be a self-signed certificate or a certificate imported from a certificate authority. For information about defining, obtaining, and installing certificates on your server, see Use an SSL certificate.

Use serveradmin via the Terminal app to set the certificate locations to require encryption.

    sudo serveradmin settings jabber:sslCAFile = "<Certificate authority pem file location>"
    sudo serveradmin settings jabber:sslKeyFile = "<Key file pem location>"

The default locations for the certificate authority PEM file and the key PEM file are /etc/certificates/cert.chain.pem and /etc/certificates/cert.concat.pem. Command example:

    sudo serveradmin settings jabber:sslCAFile = "/etc/certificates/example.private.2413CD435CEA9484
    sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/example.private.2413CD435CEA948

Use serveradmin via the Terminal app to set the network port for SSL traffic.

    sudo serveradmin settings jabber:jabberdClientPortSSL = "<port>"

The default value for <port> is 5223. Command example:

    sudo serveradmin settings jabber:jabberdClientPortSSL = "15223"

Set up iChat service on virtually hosted domains

You can provide iChat service to users of virtual domains on the server. iChat requires that your host have a host name, resolvable using DNS, which the iChat Server uses as the Jabber realm; clients use this realm to connect to the service. Clients use a Jabber Identifier (JID) to authenticate and interact with the server. The JID uses the format user@realm (for example, chatuser@chatserver.example.com). In this example, your iChat Server would be configured to host the realm chatserver.example.com, and DNS resolution directs clients to your server when they resolve that host name. To support multiple realms, DNS should be configured appropriately. For more information, see Overview of DNS setup.

Use serveradmin via the Terminal app to add hosted chat domains.

    sudo serveradmin settings jabber:hostsCommaDelimitedString = "<FQDN>,<FQDN2>"

The default value is the iChat server's host name. The other possible values are fully qualified domain names separated by commas. Command example:

    sudo serveradmin settings jabber:hostsCommaDelimitedString = "chatserver.example.com,chat.exampl
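The script below is an added example, not part of Apple's documentation or of iChat Server. Before pointing jabber:sslCAFile and jabber:sslKeyFile at two files, it checks what the text above leaves to the administrator: that the private key and certificate in the key file (cert.concat.pem carries both, per the default names given above) belong together, that the certificate verifies against the chain file, that it is not about to expire, and that the file holding the private key is not readable by other users. It needs the openssl command-line tool; the file names are arguments, and nothing in it is a fixed Apple path.

```shell
#!/bin/sh
# Added example, not from Apple's documentation: validate the PEM files
# before handing them to serveradmin for iChat SSL. Requires openssl.

# pem_key_matches_cert FILE -> 0 if the first private key and the first
# certificate found in FILE share the same public key (RSA or EC)
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies CHAINFILE CERTFILE -> 0 if the certificate in CERTFILE
# chains to the certificates in CHAINFILE (the chain file must include
# the root; a self-signed certificate verifies against itself)
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_valid_for CERTFILE SECONDS -> 0 if the certificate is still valid
# SECONDS from now
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# ichat_ssl_commands CHAINFILE KEYFILE [PORT] -> prints the serveradmin
# commands, or prints the reason and returns 1 without output
ichat_ssl_commands() {
    chain=$1; keyfile=$2; port=${3:-5223}
    pem_key_matches_cert "$keyfile" ||
        { echo "$keyfile: private key does not match the certificate" >&2; return 1; }
    chain_verifies "$chain" "$keyfile" ||
        { echo "$keyfile: certificate does not verify against $chain" >&2; return 1; }
    cert_valid_for "$keyfile" 86400 ||
        { echo "$keyfile: certificate expires within a day" >&2; return 1; }
    # columns 5-10 of ls -l are the group and other permission bits
    case $(ls -l "$keyfile" | cut -c5-10) in
        ------) ;;
        *) echo "warning: $keyfile holds the private key but is readable by group or others" >&2 ;;
    esac
    echo "serveradmin settings jabber:sslCAFile = \"$chain\""
    echo "serveradmin settings jabber:sslKeyFile = \"$keyfile\""
    echo "serveradmin settings jabber:jabberdClientPortSSL = \"$port\""
}

# Usage: sh this.sh /etc/certificates/cert.chain.pem /etc/certificates/cert.concat.pem
if [ $# -ge 2 ]; then
    ichat_ssl_commands "$@"
fi
```

A mismatched key and certificate is the usual cause of jabberd refusing SSL connections after a certificate renewal, and it is cheaper to catch here than in the client's connection error.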
Set up server-to-server iChat communication

When S2S federation is enabled, communication with most other XMPP-compliant chat servers is enabled, including the ability to federate with other Jabber services like Google Talk. Using serveradmin, you can take advantage of additional options for securing S2S communications, including limiting the domains you connect to. To establish communication between servers on different networks, administrators must configure domain name service (DNS), network address translation (NAT), and firewalls, as needed.

1. Use serveradmin via the Terminal app to define the network port for federation.

    sudo serveradmin settings jabber:jabberdS2SPort = "<port>"

   The default value for <port> is 5269. Command example:

    sudo serveradmin settings jabber:jabberdS2SPort = "15269"

2. Use serveradmin via the Terminal app to require SSL connections for federation.

    sudo serveradmin settings jabber:requireSecureS2S = "<setting>"

   The default value for <setting> is no. The other possible value is yes. If you need to set SSL certificate information, see Use SSL encryption with iChat service. Command example:

    sudo serveradmin settings jabber:requireSecureS2S = "yes"

3. Use serveradmin via the Terminal app to limit the domains your server connects to.
   a. First, set the domain restriction flag.

    sudo serveradmin settings jabber:s2sRestrictDomains = "<setting>"

      The default value for <setting> is no. The other possible value is yes. Command example:

    sudo serveradmin settings jabber:s2sRestrictDomains = "yes"

   b. Create the list of allowed domains. Each entry is created and then assigned a value:

    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = create
    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = "<domain name>"
    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = create
    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = "<domain name>"

      Command example:

    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = create
    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = "otherserver.example.com"
    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = create
    sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = "onemore.example.com"
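The script below is an added example, not part of Apple's documentation or of iChat Server. It generates the restriction flag and the _array_id entries from step 3 above for any number of peer domains, validating each name first so a typo cannot produce a half-applied list, and it reads the current list back from the output of sudo serveradmin settings jabber:s2sAllowedDomains. That output uses _array_index:N for array members, which is how serveradmin prints arrays (writing uses _array_id:N, as above); the sample output embedded in the script is constructed.

```shell
#!/bin/sh
# Added example, not from Apple's documentation: generate and read back
# the iChat S2S allow-list. _array_id:N is the documented write syntax;
# _array_index:N is serveradmin's read format. SAMPLE_CURRENT is constructed.

# valid_fqdn NAME -> 0 if NAME is a plausible fully qualified domain name
valid_fqdn() {
    printf '%s' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# s2s_allowlist_commands DOMAIN... -> prints the serveradmin commands that
# restrict federation to exactly DOMAIN...; prints nothing and returns 1
# when the list is empty or any name is malformed
s2s_allowlist_commands() {
    [ $# -gt 0 ] ||
        { echo "no domains given: restriction with an empty list blocks all federation" >&2; return 1; }
    for d in "$@"; do
        valid_fqdn "$d" ||
            { echo "rejected: '$d' is not a fully qualified domain name" >&2; return 1; }
    done
    # Without the restrict flag the allow-list is ignored and any peer may federate.
    echo 'serveradmin settings jabber:s2sRestrictDomains = "yes"'
    i=0
    for d in "$@"; do
        echo "serveradmin set jabber:s2sAllowedDomains:_array_id:$i = create"
        echo "serveradmin set jabber:s2sAllowedDomains:_array_id:$i = \"$d\""
        i=$((i + 1))
    done
}

# s2s_allowlist_current SETTINGS -> one domain per line, taken from the
# output of `serveradmin settings jabber:s2sAllowedDomains`
s2s_allowlist_current() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^jabber:s2sAllowedDomains:_array_index:[0-9]+$/ && $2 == "=" {
            v = $3
            gsub(/^"|"$/, "", v)
            print v
        }'
}

# Constructed sample of what serveradmin prints for the array.
SAMPLE_CURRENT='jabber:s2sAllowedDomains:_array_index:0 = "otherserver.example.com"
jabber:s2sAllowedDomains:_array_index:1 = "onemore.example.com"'

# Usage: sh this.sh otherserver.example.com onemore.example.com | sudo sh
if [ $# -gt 0 ]; then
    s2s_allowlist_commands "$@"
fi
```

Compare s2s_allowlist_current against the list you intended after applying: serveradmin set appends or replaces by index, so a shorter new list does not remove entries left over from a longer old one.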
1. Use serveradmin via the Terminal app to change the setting.

    sudo serveradmin settings jabber:enableSavedChats = "<setting>"

   The default value for <setting> is yes. The other possible value is no. Command example:

    sudo serveradmin settings jabber:enableSavedChats = "yes"

2. Use serveradmin via the Terminal app to set the message archive location.

    sudo serveradmin settings jabber:savedChatsLocation = "<filepath>"

   The default value for <filepath> is /Library/Server/iChat/Data/message_archives. Command example:

    sudo serveradmin settings jabber:savedChatsLocation = "/Volumes/StorageArray/iChat/Data/message_

3. Use serveradmin via the Terminal app to define how often the messages are archived.

    sudo serveradmin settings jabber:savedChatsArchiveInterval = "<day_interval>"

   The default value for <day_interval> is 7. Command example:

    sudo serveradmin settings jabber:savedChatsArchiveInterval = "14"
Use serveradmin via the Terminal app to change the setting.

    sudo serveradmin settings jabber:authLevel = "<METHOD>"

The default value for <METHOD> is ANYMETHOD. The other possible values are STANDARD and KERBEROS. Command example:

    sudo serveradmin settings jabber:authLevel = "STANDARD"
Use serveradmin via the Terminal app to change the setting.

    sudo serveradmin settings jabber:enableAutoBuddy = "<setting>"

The default value for <setting> is yes. The other possible value is no. Command example:

    sudo serveradmin settings jabber:enableAutoBuddy = "yes"
Use serveradmin via the Terminal app to change the log level.

    sudo serveradmin settings jabber:logLevel = "<level>"

The default value for <level> is ERROR. The other possible values are EMERGENCY, ALERT, CRITICAL, WARNING, NOTICE, INFO, and DEBUG. Command example:

    sudo serveradmin settings jabber:logLevel = "DEBUG"
Use serveradmin via the Terminal app to change the hosted domain.

    sudo serveradmin settings jabber:hostsCommaDelimitedString = "<FQDN>"

The default value for <FQDN> is the iChat server's host name. Command example:

    sudo serveradmin settings jabber:hostsCommaDelimitedString = "newchatservername.example.com"
1. If SSL encryption hasn't been enabled yet, use serveradmin via the Terminal app to set the certificate locations to require encryption.

    sudo serveradmin settings jabber:sslCAFile = "<Certificate authority pem file location>"
    sudo serveradmin settings jabber:sslKeyFile = "<Key file pem location>"

   The default locations for the certificate authority PEM file and the key PEM file are /etc/certificates/cert.chain.pem and /etc/certificates/cert.concat.pem. Command example:

    sudo serveradmin settings jabber:sslCAFile = "/etc/certificates/example.private.2413CD435CEA9484
    sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/example.private.2413CD435CEA948

2. Use serveradmin via the Terminal app to require encrypted server-to-server communication.

    sudo serveradmin settings jabber:requireSecureS2S = "<setting>"

   The default value for <setting> is no. The other possible value is yes. Command example:

    sudo serveradmin settings jabber:requireSecureS2S = "yes"
1. Open Server Admin and connect to the server.
2. Click Access.
3. Click Administrators.
4. Select the level of restriction you want for the services. To restrict access to all services, select For all services. To set access permissions for individual services, select For selected services below and select the services from the Service list.
5. Click the Add button (+) to open the Users & Groups window.
6. Drag users and groups to the list from the Users & Groups window.
7. Set the user's permission. To grant administrator access, choose Administer from the Permission pop-up menu next to the user name. To grant monitoring access, choose Monitor from the Permission pop-up menu next to the user name.
8. Click Save.
File Sharing
These are indicated in the main File Sharing window of Server app.
1. To add a new shared folder, click plus (+) at the bottom of the window.
2. Navigate to your chosen volume or folder.
3. Click Choose.
The folder you selected is now enabled as a shared folder. If File Sharing is off when you add a new shared folder, File Sharing will be turned on.
RELATED INFORMATION
Control access to a shared folder
Choose which kinds of computers and devices can access file shares
Enable shared home folders
1. In the File Sharing pane of the Server app, select the shared folder in the list.
2. Double-click the selected folder or click the pencil icon.
3. To change the access users or groups have to a shared folder and its contents, select "Read & Write," "Read Only," "Write Only," or "No Access" next to that user or group name, then change it to the needed access level. You can also add or delete users and groups that have access to a shared folder by clicking Add (+) or Delete (-).
4. To let users access a folder without logging in, select the checkbox labeled "Allow guest users to access this share."
The access level changes the next time the user or group connects to the shared folder.
RELATED INFORMATION
Choose which kinds of computers and devices can access file shares
File sharing service in Lion Server lets you specify a protocol that other computers or devices use to access your file shares. Disabling or enabling certain protocols lets you determine which kinds of computer devices connect to your server. Enable file sharing if it isn't already enabled.
1. In the File Sharing pane of the Server app, select the shared folder in the list.
2. Double-click the selected folder or click the pencil icon.
3. Click to select the checkboxes for sharing with Mac, Windows, or iOS devices. To use a file share as a home folder, enable Mac or Windows as needed for the share.
You can select one or all three file sharing protocols for any share. If you don't select a protocol, the file share becomes unavailable. Users need to log out and log in again before using the shared folder as their home folder.
RELATED INFORMATION
1. In the File Sharing pane of the Server app, select the shared folder in the list.
2. Double-click the folder or click the pencil icon.
3. Click to select "Make available for home directories."
4. Choose "AFP for Mac computers only" or "SMB for Mac and Windows computers," depending on the computer the users use to connect to your file sharing server.
Users must log out and log in again before using the shared folder as their home folder.
RELATED INFORMATION
Choose which kinds of computers and devices can access file shares
File Sharing
File permissions
About permissions
Kinds of permissions
Mac OS X Lion supports two kinds of file and folder permissions:
Standard Portable Operating System Interface (POSIX) permissions
Access Control Lists (ACLs)
Standard POSIX permissions let you control access to files and folders based on three categories of users: Owner, Group, and Others. Although these permissions give you some control over who can access a file or a folder, they lack the flexibility and granularity that many organizations require in dealing with complex user environments. This is where ACLs come in handy. An ACL provides an extended set of permissions for a file or folder, and lets you set multiple users and groups as owners. ACLs are also compatible with Windows Server 2003, Windows XP, Windows Vista, and Windows 7, giving you added flexibility in a multiplatform environment.
Standard permissions
There are four types of standard POSIX access permissions that you can assign to a share point, folder, or file: Read & Write, Read Only, Write Only, and None. The following table shows how these permissions affect user access to shared items (files, folders, and share points).
Users can                                        Read & Write   Read Only   Write Only   None
Open a shared file                               Yes            Yes         No           No
Copy a shared file                               Yes            Yes         No           No
Edit a shared file                               Yes            No          No           No
Move items to a shared folder or share point     Yes            No          Yes          No
Move items from a shared folder or share point   Yes            No          No           No
Note: WebDAV has separate permissions settings.
Explicit permissions
Share points and the shared items they contain (including folders and files) have separate permissions. If you move an item to a different folder, it keeps its permissions and doesn't adopt the permissions of the folder where you moved it. In the following illustration, the second folder (Designs) and the third folder (Documents) were assigned permissions different from those of their parent folders:
The user categories Owner, Group, and Others
You can assign standard POSIX access permissions separately to three categories of users:
Owner: A user who creates an item (file or folder) on the file server is its owner and automatically has Read & Write permissions for that folder. By default, the owner of an item and the server administrator are the only users who can change its access privileges (but you can enable a group or others to use the item). The administrator can also transfer ownership of the shared item to another user. Note: When you copy an item to a drop box on a Mac file server, ownership of the item doesn't change. Only the owner of the drop box or root has access to its contents.
Group: You can put users who need the same access to files and folders in group accounts. Only one group can be assigned access permissions to a shared item. For more information about creating groups, search Help for Users & Groups.
Others: Others is any user (registered user or guest) who can log in to the file server.
Hierarchy of permissions
If a user is included in more than one category of users, each of which has different permissions, these rules apply:
Group permissions override Others permissions.
Owner permissions override Group permissions. For example, when a user is the owner of a shared item and a member of the group assigned to it, the user has the permissions assigned to the owner.
The more restrictive permissions always take precedence. For example, if a user belongs to a group that has No Access assigned to an item while the Others permissions are set to Read & Write access, the No Access privilege overrides the Others setting, denying the user access to the item.
Client users and permissions
Users of AppleShare Client software can set access privileges for files and folders they own. Users who use Windows file sharing services can also set access privileges.
Standard permission propagation
The Server app lets you specify which standard permissions to propagate. For example, you can propagate only the permission for Others to all descendants of a folder and leave the permissions for Owner and Group unchanged. For more information, see Propagate access permissions.
attributes.
Permission                      Type    Description
Create Files (Write Data)       Write   User can create files and change files.
Create Folder (Append Data)     Write   User can create subfolders and add data to files.
Delete                          Write   User can delete file or folder.
Delete Subfolders and Files     Write   User can delete subfolders and files.
In addition to these permissions, the Apple ACL model defines four types of inheritance that specify how these permissions are propagated:
Apply to this folder: Apply (Administration, Read, and Write) permissions to this folder.
Apply to child folders: Apply permissions to subfolders.
Apply to child files: Apply permissions to the files in this folder.
Apply to all descendants: Apply permissions to descendants. To learn how this option works with the previous two, see Access control entries (ACEs).
The ACL use model
The ACL use model focuses on access control at the folder level, with most ACLs applied to files as the result of inheritance. Folder-level control determines which users have access to the contents of a folder. Inheritance determines how a defined set of permissions and rules pass from the container to the objects in it. Without this model, administration of access control would quickly become a nightmare, because you would need to create and manage ACLs on thousands or millions of files. Controlling access to files through inheritance also frees applications from maintaining extended attributes or explicit ACEs when saving a file, because the system applies inherited ACEs to files. For information about explicit ACEs, see Access control entries (ACEs).
ACLs and standard permissions
You can set ACL permissions for files and folders in addition to standard permissions. For more information about how Mac OS X Lion uses ACL and standard permissions to determine what users can and cannot do to a file or folder, see Access control entries (ACEs).
ACL management
In Mac OS X Lion, you create and manage ACLs in the Server app. The Get Info window in the Finder displays the logged-in user's effective permissions. For information about setting up and managing ACLs, see Set folder access permissions and Control access to a shared folder.
In addition to using the Server app to set and view ACL permissions, you can also use the ls and chmod command-line tools. For information, see their man pages. You define ACLs for share points, files, and folders using the Server app.
Inherited. This field specifies whether the ACE is inherited from the parent folder.
Applies To. This field specifies what the ACE permission is for.
Explicit and inherited ACEs
The Server app supports two types of ACEs:
Explicit ACEs, which are those you create in an ACL. See Set folder access permissions.
Inherited ACEs, which are ACEs you created for a parent folder that were inherited by a descendant file or folder.
Note: Inherited ACEs cannot be edited unless you make them explicit.
Understanding inheritance
ACL inheritance lets you specify how permissions pass from a folder to its descendants.
The Apple ACL inheritance model
The Apple ACL inheritance model defines four options that you select or deselect in the Server app to control the application of ACEs (in other words, how to propagate permissions through a folder hierarchy):
Inheritance option         Description
Apply to this folder       Apply (Administration, Read, and Write) permissions to this folder
Apply to child folders     Apply permissions to subfolders
Apply to child files       Apply permissions to the files in this folder
Apply to all descendants   Apply permissions to all descendants. Note: If you want an ACE to apply to all descendants without exception, you must select the Apply to child folders and Apply to child files options in addition to this option.
Mac OS X Lion propagates ACL permissions at two well-defined times:
At file or folder creation time: when you create a file or folder, the kernel determines what permissions the file or folder inherits from its parent folder.
When initiated by administrator tools: for example, when using the Propagate Permissions option in the Server app.
The following figure shows how the Server app propagates two ACEs (managers and design_team) after ACE creation. Bold text represents an explicit ACE and regular text represents an inherited ACE.
ACL inheritance combination
When you set inheritance options for an ACE in the Server app, you can choose from 12 unique inheritance combinations for propagating ACL permissions.
[Table: the 12 inheritance combinations of the options Apply to this folder, Apply to child folders, Apply to child files, and Apply to all descendants; the selected/deselected state of each option in each row is not recoverable from this copy.]
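An added example (not from the page or from Apple) that models the four inheritance options over a constructed folder tree, so you can see which descendants an ACE lands on for a given combination. The tree and its names are constructed, and reading "Apply to all descendants" as the option that lets the ACE reach beyond immediate children is this example's interpretation of the description above.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Node:
    """One folder or file in a constructed share hierarchy."""
    name: str
    is_folder: bool
    children: List["Node"] = field(default_factory=list)


@dataclass(frozen=True)
class Inheritance:
    """The four checkboxes the Server app offers for an ACE."""
    this_folder: bool
    child_folders: bool
    child_files: bool
    all_descendants: bool


def propagate(root: Node, opts: Inheritance) -> Dict[str, bool]:
    """Map every path under root to whether the ACE lands on it.

    Model (assumption): immediate children are covered by the child folders /
    child files options; deeper descendants additionally need Apply to all
    descendants. The root itself follows Apply to this folder.
    """
    result: Dict[str, bool] = {}

    def walk(node: Node, path: str, depth: int) -> None:
        if depth == 0:
            applies = opts.this_folder
        else:
            applies = opts.child_folders if node.is_folder else opts.child_files
            if depth > 1:
                applies = applies and opts.all_descendants
        result[path] = applies
        for child in node.children:
            walk(child, f"{path}/{child.name}", depth + 1)

    walk(root, root.name, 0)
    return result


def inherited_paths(root: Node, opts: Inheritance) -> List[str]:
    """Paths that receive the ACE, in tree order."""
    return [path for path, hit in propagate(root, opts).items() if hit]


# Constructed hierarchy; the Designs/Documents names echo the page's illustration.
SHARE = Node("Projects", True, [
    Node("Designs", True, [
        Node("logo.psd", False),
        Node("Drafts", True, [Node("v1.psd", False)]),
    ]),
    Node("Documents", True, [Node("plan.txt", False)]),
    Node("README.txt", False),
])

EVERYTHING = Inheritance(True, True, True, True)          # no exceptions
DIRECT_CHILDREN_ONLY = Inheritance(True, True, True, False)
FILES_AT_ANY_DEPTH = Inheritance(True, False, True, True)  # folders themselves skipped
```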
ACL permission propagation
The Server app lets you force the propagation of ACLs. Although this is done automatically by the Server app, there are cases when you might want to manually propagate permissions:
You can propagate permissions to handle exceptions. For example, you might want ACLs to apply to all descendants except for a subtree of your folder hierarchy. In this case, you define ACEs for the root folder and set them to propagate to descendants. Then, you select the root folder of the subtree and propagate permissions to remove the ACLs from descendants of that subtree. In the following example, the items in white had their ACLs removed by manually propagating ACLs.
You can propagate permissions in order to reapply inheritance in cases where you removed a folder's ACLs and decided to reapply them.
You can propagate permissions to clear all ACLs at once instead of going through a folder hierarchy and manually removing ACEs.
When you propagate permissions, the permissions of bundles and root-owned files and folders aren't changed. For more information about how to manually propagate permissions, see Propagate access permissions.
Rules of precedence
Mac OS X Lion uses the following rules to control access to files and folders:
Without ACEs, POSIX permissions apply. If a file or folder has no ACEs defined for it, Mac OS X Lion applies standard POSIX permissions.
With ACEs, order is important. If a file or folder has ACEs defined for it, Mac OS X Lion starts with the first ACE in the ACL and works its way down the list until the requested permission is satisfied or denied. You can change the ACE order from the command line using the chmod command.
Allow permissions are cumulative. When evaluating Allow permissions for a user in an ACL, Mac OS X Lion defines the user's permissions as the union of all permissions assigned to the user, including standard POSIX permissions.
After evaluating ACEs, Mac OS X Lion evaluates the standard POSIX permissions defined for the file or folder. Then, based on the evaluation of ACL and standard POSIX permissions, Mac OS X Lion determines the type of access a user has to a shared file or folder.
Permissions in practice
Mac OS X Lion combines traditional POSIX permissions with ACLs. This combination provides great flexibility and fine granularity in controlling access to files and folders. However, if you're not careful in how you assign privileges, it may be hard for you to keep track of how permissions are assigned. With 17 permissions, you can choose from a staggering 98,304 combinations. Add to that a sophisticated folder hierarchy, many users and groups, and many exceptions, and you have a recipe for considerable confusion. The following are useful tips and advice to help you get the most out of access control in Mac OS X Lion.
Manage permissions at the group level
Assign permissions to groups first, and assign permissions to individual users only when there is an exception. For example, you can assign all teachers in a school district Read and Write permissions to a specific share point, but deny Anne Johnson, a temporary teacher, permission to read a specific folder in the share point's folder hierarchy. Using groups is the most efficient way of assigning permissions. After creating groups and assigning them permissions, you can add or remove users without reassigning permissions.
Gradually add permissions
Assign only necessary permissions and then add permissions only when needed. As long as you use Allow permissions, Mac OS X Lion combines the permissions. For example, you can assign the Students group partial reading permissions on an entire share point. Then, where needed in the folder hierarchy, you can give the group more read and write permissions.
Use the deny rule only when necessary
When Mac OS X Lion encounters a Deny permission, it stops evaluating other permissions the user might have for a file or folder and applies the Deny permission. Therefore, use Deny permissions only when absolutely necessary. Keep a record of these Deny permissions so you can delete them when they aren't needed.
Always propagate permissions
Inheritance is a powerful feature, so take advantage of it. By propagating permissions down a folder hierarchy, you save yourself the time and effort required to manually assign permissions to descendants.
Protect applications from being modified
If you share applications, make sure you set their permissions so that no one except a trusted few can change them. This is a vulnerability that attackers can exploit in order to introduce viruses or Trojan horses in your environment.
Keep it simple
You can complicate file access management unnecessarily, if you're not careful. Keep it simple. If standard POSIX permissions do the job, use those, but if you must use ACLs, avoid customizing permissions if you don't need to. Use simple folder hierarchies if feasible. A little strategic planning can help you create effective and manageable shared hierarchies.
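An added example (not Apple's code) that models the evaluation order given under Rules of precedence and the Deny behaviour described under "Use the deny rule only when necessary": ACEs are walked in order, a Deny that covers a requested right stops evaluation at once, Allow rights accumulate, and the standard POSIX class is folded in last. The right names, the mapping from POSIX bits to rights, and the sample items are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set, Tuple

# Five of the thirteen ACE permissions are modelled; the short names are an
# assumption of this example, not Server app terminology.
READ = "read_data"        # Read Data / List Folder Contents
WRITE = "write_data"      # Create Files (Write Data)
APPEND = "append_data"    # Create Folder (Append Data)
DELETE = "delete"         # Delete
TRAVERSE = "traverse"     # Traverse Folder / Execute

# Assumed mapping of a POSIX r/w/x bit onto the finer ACL rights.
POSIX_TO_RIGHTS = {"r": {READ}, "w": {WRITE, APPEND, DELETE}, "x": {TRAVERSE}}


@dataclass(frozen=True)
class ACE:
    principal: str          # "user:<name>", "group:<name>" or "everyone"
    allow: bool             # True = Allow entry, False = Deny entry
    rights: FrozenSet[str]


@dataclass(frozen=True)
class PosixPerms:
    owner: str
    group: str
    owner_bits: str         # e.g. "rwx", "r--", "---"
    group_bits: str
    other_bits: str


@dataclass(frozen=True)
class Item:
    acl: Tuple[ACE, ...]    # ordered: an earlier entry wins over a later one
    posix: PosixPerms


def _matches(ace: ACE, user: str, groups: Set[str]) -> bool:
    if ace.principal in ("everyone", "user:" + user):
        return True
    return any(ace.principal == "group:" + g for g in groups)


def posix_rights(item: Item, user: str, groups: Iterable[str]) -> Set[str]:
    """Standard permissions: Owner applies before Group, Group before Others."""
    p = item.posix
    if user == p.owner:
        bits = p.owner_bits
    elif p.group in set(groups):
        bits = p.group_bits
    else:
        bits = p.other_bits
    rights: Set[str] = set()
    for b in bits:
        rights |= POSIX_TO_RIGHTS.get(b, set())   # "-" grants nothing
    return rights


def check_access(item: Item, user: str, groups: Iterable[str],
                 requested: Iterable[str]) -> Tuple[bool, str]:
    """Walk the ACL in order: a Deny covering any requested right stops
    evaluation at once, Allow rights accumulate, and the applicable POSIX
    class is added to the union only after every ACE has been examined."""
    groups = set(groups)
    wanted = set(requested)
    granted: Set[str] = set()
    for idx, ace in enumerate(item.acl):
        if not _matches(ace, user, groups):
            continue
        if not ace.allow:
            denied = wanted & ace.rights
            if denied:
                return False, f"ACE {idx} denies {sorted(denied)}; evaluation stops"
            continue
        granted |= ace.rights & wanted
        if wanted <= granted:
            return True, f"satisfied by ACEs through index {idx}"
    granted |= posix_rights(item, user, groups)
    if wanted <= granted:
        return True, "satisfied by the ACL plus standard POSIX permissions"
    return False, f"missing {sorted(wanted - granted)}"


# Constructed sample: editors may read and write the report, but a Deny entry
# placed first keeps them from deleting it; the staff group gets POSIX read only.
REPORT = Item(
    acl=(
        ACE("group:editors", False, frozenset({DELETE})),
        ACE("group:editors", True, frozenset({READ, WRITE, DELETE})),
    ),
    posix=PosixPerms("admin", "staff", "rwx", "r--", "---"),
)

# The same two entries in the opposite order: the Allow is reached first, so
# the later Deny never takes effect. Order decides, not the entries themselves.
REPORT_REORDERED = Item(acl=REPORT.acl[::-1], posix=REPORT.posix)

# No ACL at all; the group has No Access while Others have Read & Write, so a
# group member is denied (the Group class applies before Others).
GROUP_NO_ACCESS = Item(acl=(), posix=PosixPerms("admin", "interns", "rwx", "---", "rwx"))
```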
Security considerations
The most effective method of securing your network is to assign correct privileges for each file, folder, and share point you create.
Restricting access to file services
You can use the Server app to restrict which users or groups have access to files, folders, and share points.
Restricting access to everyone
Be careful when creating and granting access to share points, especially if you're connected to the Internet. Granting access to Everyone could expose your data to anyone on the Internet.
Restricting guest access
When you configure any file service, you can turn on guest access. Guests are users who connect to the server anonymously without entering a user name or password. Users who connect anonymously are restricted to files and folders that have privileges set to Everyone. To protect your information from unauthorized access, and to prevent people from introducing software that might damage your information or equipment, take the following precautions by using File Sharing in the Server app. Depending on the controls you want to place on guest access to a share point, consider the following options:
Set privileges for Everyone to None for files and folders that guests shouldn't access. Items with this privilege setting can be accessed only by the item's owner or group.
Put all files available to guests in one folder or set of folders and then assign the Read Only privilege to the Everyone category for that folder and each file in it.
Assign Read & Write privileges to the Everyone category for a folder only if guests must be able to change or add items in the folder. Make sure you keep a backup copy of information in this folder.
Disable access to guests or anonymous users over AFP and SMB.
Share individual folders instead of entire volumes. The folders should contain only those items you want to share.
Manage permissions
setting from the pop-up menu. The permission level you set for Others applies to any user who logs in but isn't the specified user or a member of the specified group.
Set ACL permissions
You can use the Server app to set ACL permissions for a folder or a file. An ACL consists of Access Control Entries (ACEs), which you can add and change. Each entry applies to a specific user or group. For each entry, you can set 13 permissions, giving you much finer control over access than you have with standard permissions. For example, entries in an ACL can grant delete permission separately from write permission, so a user can edit a file but can't delete it. The first entry in the list takes precedence over the second, which takes precedence over the third, and so on. For example, if the first entry denies a user the right to edit a file, other entries that allow the same user editing permissions are ignored. The entries in the ACL also take precedence over standard permissions.
1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, then choose Edit Permissions from the Action pop-up menu.
3. To add an entry, click the Add button (+) and enter the name of the user or group you want to set specific access permissions for. As you type, the Server app looks up matching user and group accounts and displays them in a list. Clicking a user or group grants access permissions to the user or group.
4. To change the permission level for an entry, click the current setting in the Permission column and choose a setting from the pop-up menu.
Choice         Description
Full Control   Has full administration, read, write, and inheritance permissions.
Read & Write   Has full read, write, and inheritance permissions.
Read           Has full read and inheritance permissions.
Write          Has full write and inheritance permissions.
Custom         Doesn't have full administration, read, write, or inheritance permissions.
By default, each new entry has full read and inheritance permissions.
5. To change detailed permission settings for an entry, click the disclosure triangle next to the entry, optionally click the additional disclosure triangles that appear, and select or deselect permission settings. For information about the detailed permission settings, see Access control lists (ACLs) and Access control entries (ACEs).
RELATED TOPIC
1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder whose access permissions you want to propagate, and then choose Propagate Permissions from the Action pop-up menu.
3. Select the permissions you want to propagate, and then click OK.
Important: Propagation begins as soon as you click OK, and you can't undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.
RELATED TOPICS
1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.
3. To remove an entry from the permission list, select the entry and click the Delete button (-).
RELATED TOPIC
1. In the Server app sidebar, select the server, and then click Storage.
2. Select the folder or file whose ACL you want to sort, and then choose Edit Permissions from the Action pop-up menu.
3. Choose Sort Access Control List Canonically from the Action pop-up menu in the Edit Permissions dialog.
RELATED TOPIC
1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.
3. Choose Remove Inherited Entries from the Action pop-up menu in the Edit Permissions dialog.
RELATED TOPICS
Apply ACL inheritance to folders and files
Make inherited ACL entries explicit
Set folder access permissions
1. In the Server app sidebar, select the server and then click Storage.
2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.
3. Choose Make Inherited Entries Explicit from the Action pop-up menu in the Edit Permissions dialog.
You can now edit the ACL entries.
RELATED TOPICS
1. In the Server sidebar, select the server and then click Storage.
2. Select the parent folder of the item whose ACL inheritance you want to restore, and then choose Propagate Permissions from the Action pop-up menu.
3. Select the Access Control List option, deselect all other options, and then click OK.
Important: Propagation begins as soon as you click OK, and you can't undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.
RELATED TOPIC
folder-sharing settings.
Folder: Drop box
  ACL (Everyone): Permission Type: Allow. Select the following checkboxes: Traverse Folder, Create Files, Create Folder, All inheritance options.
  POSIX: Owner: read, write, execute. Group: read, write, execute. Other: write.
Folder: Backup share
  ACL (Everyone): Permission Type: Allow. Select the following checkboxes: List Folder Contents, Create Files, Create Folder.
  POSIX: Set the owner to root and set the group to admin. Owner: read, write, execute. Group: read, write, execute. Other: no permissions.
Folder: Home folder
  ACL (Everyone): Permission Type: Deny. Select the following checkboxes: Delete, Apply to this folder, Apply to all descendants.
  POSIX: Set the owner to root and set the group to admin. Owner: read, write, execute. Group: read only. Other: read only.
Mail screening
After a mail delivery connection is made and the message is accepted for local delivery (relayed mail is not screened), the mail server can screen it before delivery. Mac OS X Lion uses SpamAssassin (from spamassassin.apache.org) to analyze the text of a message, and gives it a probability rating for being junk mail. No junk mail filter is 100% accurate in identifying unwanted mail. For this reason the junk mail filter in Mac OS X Lion doesn't delete or remove junk mail from being delivered. Instead, it marks the mail as potential junk mail. The user can then decide if it's really unsolicited commercial mail and deal with it accordingly. Many mail clients use the ratings that SpamAssassin adds as a guide in classifying mail for the user. Mac OS X Lion uses ClamAV (from www.clamav.net) to scan mail messages for viruses. If a suspected virus is found, you can deal with it in several ways. The virus definitions are kept up to date (if enabled) via the Internet using a process called freshclam.
RELATED INFORMATION
Dovecot uses the configuration files /etc/dovecot/dovecot.conf and /etc/dovecot/conf.d/*. Server Admin uses the files in /etc/dovecot/default/. Dovecot logs its events in /var/log/mailaccess.log. The Dovecot mail store is located in /Library/Server/Mail/Data/mail/. The Dovecot delivery application receives mail from the Postfix delivery agent and stores the mail in user spool files in /Library/Server/Mail/Data/mail/GUID, where GUID is the Globally Unique ID (GUID) of the mail user. The user can then use IMAP or POP to retrieve messages. After receiving mail from external MTAs, you can apply virus filtering or junk mail filtering to the messages. Mac OS X Lion uses ClamAV and SpamAssassin for these tasks.
Internet Message Access Protocol (IMAP)
IMAP is the solution for people who use more than one computer to receive mail. IMAP is a client-server mail protocol that allows users to access mail from anywhere on the Internet. With IMAP, a user's mail is delivered to the server and stored in a remote mailbox on the server. To users, mail appears as if it were on the local computer. A key difference between IMAP and POP is that with IMAP the mail isn't removed from the server until the user deletes it. The IMAP user's computer can ask the server for message headers, ask for the bodies of specified messages, or search for messages that meet certain criteria. These messages are downloaded as the user opens them. IMAP connections are persistent and remain open, maintaining a load on the server and possibly the network as well.
Post Office Protocol (POP)
POP is used only for receiving mail, not for sending mail. The POP service is like a post office, storing mail and delivering it to a specific address. Mail service stores incoming POP mail until users connect to Mail service and download their waiting mail. After a user's computer downloads POP mail, the mail is stored only on the user's computer.
The user's computer disconnects from Mail service, and the user can read, organize, and reply to the received POP mail. An advantage of using POP is that your server doesn't need to store mail that users have downloaded. Therefore, your server doesn't need as much storage space as it would using IMAP. However, because the mail is removed from the server, if the user's computer sustains damage and loses mail files, there's no way to recover these files without using data backups. Another advantage of POP is that POP connections are transitory. After mail is transferred, the connection is dropped and the load on the network and mail server is removed. POP isn't the best choice for users who access mail from more than one computer, such as a home computer, an office computer, and a laptop while on the road. When a user retrieves mail via POP, the mail is downloaded to the user's computer and is usually removed from the server. If the user logs in later from a different computer, the user can't see previously downloaded mail.
RELATED INFORMATION
Mail screening
Before sending mail, your Mail service will probably have a DNS service determine the Internet Protocol (IP) address of the destination. The DNS service is necessary because people typically address their outgoing mail by using a domain name, such as example.com, rather than an IP address, such as 198.162.12.12. To send an outgoing message, Mail service must know the IP address of the destination. Mail service relies on a DNS service to look up domain names and determine the corresponding IP addresses. The DNS service can be provided by your ISP or by Lion Server. Additionally, a mail exchange (MX) record can provide redundancy by listing an alternate mail host for a domain. If the primary mail host isn't available, the mail can be sent to the alternate mail host. An MX record can list several mail hosts, each with a priority number. If the lowest priority host is busy, mail can be sent to the host with the next lowest priority, and so on. Without a properly configured MX record in DNS, mail might not reach your intended server.
How Mail service uses DNS
The sending server reads the mail recipient's domain name (what comes after the @ in the To address).
The sending server looks up the MX record for that domain name to find the receiving server.
If the MX record is found, the message is sent to the receiving server.
If the lookup fails to find an MX record for the domain name, the sending server assumes that the receiving server has the same name as the domain name, so the sending server does an Address (A) lookup on that domain name and attempts to send the message there.
Use network services with Mail service
Provide SMTP authentication
Provide IMAP and POP authentication
Secure Mail service with SSL
Configuring DNS for Mail service entails enabling MX records with your DNS server. If you have an ISP that provides DNS service, contact the ISP so they can enable your MX records. Follow these steps if you provide your own DNS service using Lion Server.
1. In Server Admin, choose a server, then select DNS.
2. Click the Zones button in the toolbar.
3. Select the zone that the MX record will be added to.
4. If there are no zones, create one.
5. If the mail server does not have a machine record (A), add one.
6. Click the + button in the Mail Exchangers list.
7. Enter the mail server's hostname.
8. Set a mail server precedence number. Mail servers try to deliver mail at lower numbered mail servers first.
9. Click OK to Save.
To set up multiple servers for redundancy, add MX records with different precedence numbers.
2. Select a server, click the Settings button in the toolbar, and then click the Services tab.
3. Select the checkbox for Mail service.
You can now configure and control Mail service using Server Admin.
be wanted or even possible. You might then need to relay outbound messages through a specific server. You might need to use this method to deliver outgoing mail through the firewall set up by your organization. In this case, your organization must designate a server for relaying mail through the firewall. This method can be useful if your server has slow or intermittent connections to the Internet. Do not attempt to relay mail through a mail server outside your organization's control without the relay administrator's permission. Trying to do so will label you as a Mail service abuser.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the General tab.
4. Click Relay outgoing mail through host and enter the DNS name or IP address of the server that provides SMTP relay.
5. Click Save.
Saving mail messages for monitoring and archival purposes
You can configure Mail service to send a blind carbon copy (Bcc) of each incoming or outgoing message to a user or group. You might want to do this to monitor or archive messages. Senders and receivers of mail don't know that copies of their mail are being archived. You can set up the user or group to receive Bccs using POP, then set up a client mail application to log in periodically and clean out the account by retrieving all new messages. Otherwise, you might want to periodically copy and archive the messages from the destination directory using automated shell commands. You can set up filters in the mail client to highlight types of messages. Additionally, you can archive all messages for legal reasons.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the General tab.
4. Click the Copy all mail to checkbox and enter a user or group name.
5. Click Save.
Click the Add button (+) to add a host to the list.
Click the Remove button (-) to delete the selected host on the list.
Click the Edit button (/) to change a host on the list.
When adding to the list, Server Admin accepts a variety of notations. You can:
Enter a single IP address or the network/netmask pattern, such as 192.168.40.0/21.
Enter a host name, such as mail.example.com.
Enter an Internet domain name, such as example.com.
The following table describes the results of using restricted SMTP relay and SMTP authentication in various combinations.
SMTP requires authentication: On. Restricted SMTP relay: Off.
Result: All mail servers must authenticate before Mail service accepts mail for relay. Your local mail users must also authenticate to send mail out.
SMTP requires authentication: On. Restricted SMTP relay: On.
Result: Approved mail servers can relay without authentication. Servers you haven't approved can relay after authenticating with Mail service.
SMTP requires authentication: Off. Restricted SMTP relay: On.
Result: Mail service can't be used for open relay. Approved mail servers can relay (without authenticating). Servers that you haven't approved can't relay unless they authenticate, but they can deliver to your local mail users. Your local mail users don't need to authenticate to send mail. This is the most common configuration.
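An added example (not Apple's code) of how the host-list notations above (single IP, network/netmask, host name, domain name) match a connecting client, and how the table's rows combine the two settings for one message; the same notation matcher also covers the refused-hosts list that closes connections with a 554 error. The On/Off combination not listed in the table (authentication off and restricted relay off) is left undecided rather than guessed; list entries and client addresses are constructed.

```python
"""Added example: matching approved/refused host-list entries and applying
the guide's SMTP relay table. All list entries and addresses are constructed."""
import ipaddress
from typing import Iterable, Optional


def host_matches(entry: str, client_ip: str, client_hostname: Optional[str]) -> bool:
    """True if one list entry (IP, network/netmask, host name or domain) covers the client."""
    entry = entry.strip().lower().rstrip(".")
    try:
        network = ipaddress.ip_network(entry, strict=False)   # a bare IP becomes /32 or /128
    except ValueError:
        network = None                                        # not an address: a name entry
    if network is not None:
        return ipaddress.ip_address(client_ip) in network
    # Name entries are compared with the client's reverse-DNS name: an exact host
    # name, or any host under the domain. Reverse names are published by whoever
    # owns the client's address block, so network entries are the safer choice.
    name = (client_hostname or "").lower().rstrip(".")
    return bool(name) and (name == entry or name.endswith("." + entry))


def in_list(entries: Iterable[str], client_ip: str, client_hostname: Optional[str]) -> bool:
    return any(host_matches(e, client_ip, client_hostname) for e in entries)


def smtp_decision(*, auth_required: bool, restricted_relay: bool,
                  approved: Iterable[str], refused: Iterable[str],
                  client_ip: str, client_hostname: Optional[str],
                  authenticated: bool, local_recipient: bool) -> str:
    """Action for one message, following the rows of the guide's relay table."""
    if in_list(refused, client_ip, client_hostname):
        # Refused hosts: the connection is closed with a 554 error.
        return "554 connection refused"
    if local_recipient:
        # Every row of the table lets other servers deliver to your local users.
        return "accept (local delivery)"
    if not auth_required and not restricted_relay:
        # The guide's table has no row for this (open relay) combination,
        # so this example refuses to decide rather than invent a rule.
        raise ValueError("combination not covered by the relay table")
    if authenticated:
        # Authenticated clients may relay in all three listed rows.
        return "accept (authenticated relay)"
    if restricted_relay and in_list(approved, client_ip, client_hostname):
        return "accept (approved host relay)"
    return "reject (relay denied: authenticate or use an approved host)"
```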
Rejecting SMTP connections from specific servers
Mail service can reject unauthorized SMTP connections from hosts on a disapproved hosts list that you create. Mail from hosts on this list is denied and the SMTP connections are closed after posting a 554 SMTP connection refused error.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Relay tab.
4. Click the Refuse all messages from these hosts and networks checkbox.
5. Edit the list of hosts by choosing one of the following:
Click the Add button (+) to add a host to the list.
Click the Remove button (-) to delete a host on the list.
Click the Edit button (/) to change a host on the list.
When adding to the list, Server Admin accepts a variety of notations. You can:
Enter a single IP address or the network/netmask pattern, such as 192.168.40.0/21.
Enter a host name, such as mail.example.com.
Enter an Internet domain name, such as example.com.
Rejecting mail from blacklisted senders
Mail service can reject mail from SMTP servers that are blacklisted as open relays by a Real-time Blacklist (RBL) server. Mail service uses an RBL server that you specify. RBLs are sometimes called black-hole servers. Blocking unsolicited mail from blacklisted senders might not be completely accurate. Sometimes it prevents valid mail from being received.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Relay tab.
4. Click the Use these junk mail rejection servers checkbox.
5. Edit the list of servers by adding the DNS name of an RBL server:
Click the Add button (+) to add a server to the list, then enter the domain name of an RBL server, such as rbl.example.com.
Click the Remove button (-) to delete the server from the list.
Click the Edit button (/) to change the server.
When adding to the list, Server Admin accepts a variety of notations. You can:
Enter a single IP address or the network/netmask pattern, such as 192.168.40.0/21.
Enter a host name, such as mail.example.com.
Enter an Internet domain name, such as example.com.
Filtering SMTP connections
You can use Lion Server Firewall service to allow or deny access to your SMTP Mail service from specific IP addresses. Filtering disallows communication between an originating host and your mail server. Mail service doesn't receive the incoming connection, and no SMTP error is generated or sent back to the client.
1. In Server Admin, select Firewall in the Computers & Services pane.
2. Create a firewall IP filter using the instructions in Network Services Administration, using the following settings:
Access: denied
Port number: 25 (or your incoming SMTP port, if you use a nonstandard port)
Protocol: TCP
Source: the IP address or address range you want to block
Destination: your mail server's IP address
3. If you want, log the packets to monitor the SMTP abuse.
4. Add more filters for the SMTP port to allow or deny access from other IP addresses or address ranges.
Make your users authenticate with their mail client before accepting mail to send.
Frustrate mail server abusers who are trying to send mail through your system without your consent.
Enabling multiple methods allows a client to use any of the enabled methods. To require a particular authentication method, enable only that method.
To allow secure SMTP authentication
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Advanced tab.
4. Select Security.
5. Click the CRAM-MD5 or Kerberos checkbox in the SMTP section.
6. Click Save.
To allow less secure authentication
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Advanced tab.
4. Select Security.
5. In the SMTP section, click the Plain or Login checkbox.
6. Click Save.
If you use the Server Setup Assistant and make your server an Open Directory Master, Kerberos and CRAM-MD5 are enabled. To force only one method to be used for authentication, deselect the one you do not want used.
7. Continue and configure security for IMAP authentication and transport.
Enable POP access
POP is used for receiving mail. The POP Mail service stores incoming POP mail until users have their computers connect to Mail service and download their waiting mail. After a user's computer downloads POP mail, the mail is stored only on the user's computer. An advantage of using POP is that your server doesn't need to store mail that users have downloaded. POP isn't the best choice for users who access mail from more than one computer, such as a home computer, an office computer, and a laptop while on the road, because after messages are accessed by one computer, they are deleted from the server.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the General tab.
4. Click Enable POP.
5. Click Save.
6. Continue and configure security for IMAP authentication and transport.
Choose no incoming mail retrieval
You can choose SMTP Mail service but not supply POP or IMAP service for incoming mail retrieval. If neither POP nor IMAP is enabled, incoming mail from other mail servers is still delivered to users, but they can't access their mail with their mail client applications. Mail accepted for local delivery is queued until POP or IMAP services are enabled, delivery to /var/mail/ is enabled, or the message expires and a Non Delivery Receipt (NDR) is sent to the sender (after 72 hours by default). If delivery to /var/mail/ is enabled, users can still access mail using UNIX mail tools such as PINE or ELM. Messages delivered to /var/mail/ are not available for delivery to users with Dovecot if POP or IMAP are enabled again. If POP and IMAP are disabled, you can change where incoming mail is stored from its default location at /Library/Server/Mail/Data/mail/GUID to /var/mail/username.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the General tab.
4. Click the Deliver to /var/mail/ checkbox.
5. Click Save.
RELATED INFORMATION
Provide IMAP and POP authentication
Secure Mail service with SSL
RELATED INFORMATION
Replace certificates
Create a self-signed certificate
Import a certificate identity
Obtain a CA-signed certificate
Use an SSL certificate
Enable Webmail
WebMail is a web-based mail user agent (MUA). It allows a web browser such as Apple's Safari to compose, read, and forward mail like any other mail client. Lion Server's WebMail functionality is provided by a software package called Roundcube, at roundcube.net. WebMail relies on your mail server to provide the Mail service. WebMail cannot provide Mail service independent of the mail server. WebMail uses the Mail service of your Lion Server computer.
WebMail uses standard mail protocols and requires your mail server to support them. These protocols are:
IMAP, for retrieving incoming mail
SMTP, for exchanging mail with other mail servers (sending outgoing mail and receiving incoming mail)
WebMail doesn't support retrieving incoming mail via POP. Even if your mail server has POP enabled, WebMail doesn't use it.
1. Enable and configure your mail server.
2. Launch the Server app from Launchpad.
3. In the Server app sidebar, select Mail.
4. Check Enable WebMail.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Mailing Lists tab.
4. Under the Lists pane, click the Add button (+).
5. Enter the list's name. The list name is the mail account name that mailing list users send their mail to. The name isn't case sensitive and cannot contain spaces.
6. Enter the list administrator's mail address, then click Edit. If you only enter a name, it must be a username on the server. If you enter username@domain, the administrator doesn't need to be a local user.
7. Click Users May Self Subscribe, if desired.
8. Choose the default language for the list. You can choose English, French, German, Japanese, Korean, Russian, or Spanish. This setting encodes the text generated by the list for the default language.
9. Choose additional languages to be supported by the list. This setting also encodes the text generated by the list for the default language.
10. Click OK.
11. Click Save.
You can now add subscribers to the list. If you allow users to self-subscribe, they can subscribe using mail or the web administration page.
Set a mailing list's maximum message length
You can set the maximum size message that the list accepts. You can disallow large attachments by setting a small maximum size, or you can allow file collaboration by setting an unlimited message size.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Mailing Lists tab.
4. Select the list whose message length you want to set.
5. Under the Lists pane, click the Edit button (/).
6. Enter the maximum message length (in KB). If you enter 0, the maximum length is unlimited.
7. Click OK.
8. Choose the default language for the list. You can choose English, French, German, Japanese, Korean, Russian, or Spanish. This setting encodes the text generated by the list for the default language.
9. Choose additional languages to be supported by the list. This setting also encodes the text generated by the list for the default language.
10. Click OK.
11. Click Save.
Create a mailing list description
You use the web interface to set the mailing list description. Web services must be enabled to access the web-based interface. Sometimes it's difficult to know the scope and subject matter of a mailing list from the short list name. The list information page contains a description of the list, the subject matter it covers, and (optionally) who is permitted to subscribe. These details are especially good for self-subscription lists. A potential subscriber can decide whether to subscribe based on the list's description.
1. In a web browser, enter the URL of the list administration page. This is usually server.domain.tld/mailman/admin/listname.
2. Enter the master list password and click Let me in. This is not the user's login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.
3. Make sure that General Options is selected from the Configuration Categories link section.
4. Enter a short phrase in the description text box.
5. In the info text box, enter information about the list, its rules, and its content expectations.
6. Click Submit Your Changes.
Customize the mailing list welcome message
You use the web interface to set the mailing list welcome message. Web services must be enabled to access the web interface. When subscribers join a mailing list, by assignment or self-subscription, they receive an automated welcome message. The message explains where to find the list archives and how to unsubscribe. You can customize it by adding text, describing the list culture and rules, or including other information for the subscribers.
1. In a web browser, enter the URL of the list administration page. This is usually server.domain.tld/mailman/admin/listname.
2. Enter the master list password. This is not the user's login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.
3. Make sure that General Options is selected from the Configuration Categories link section.
4. Enable Send welcome message to newly subscribed members.
5. Enter the text to include in the List-specific text prepended text box.
6. Click Submit Your Changes.
Customize the mailing list unsubscribe message
You use the web interface to set the mailing list unsubscribe message. Web services must be enabled to access the web interface.
When a user is unsubscribed from a mailing list, by the list administrator or by unsubscribing, the user receives an automated unsubscribe message. The message confirms the unsubscribing. You can customize it by adding information you want users to have upon leaving the list.
1. In a web browser, enter the URL of the list administration page. This is usually server.domain.tld/mailman/admin/listname.
2. Enter the master list password and click Let me in. This is not the user's login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.
3. Make sure that General Options is selected from the Configuration Categories link section.
4. Enable Send goodbye message to members.
5. Enter the text to include in the Text sent to people leaving the list text box.
6. Click Submit Your Changes.
Enable a mailing list moderator
You use the web interface to set mailing list moderation. Web services must be enabled to access the web interface. You can create a moderated list where the posts must be approved by a list administrator before the post is sent. You designate list moderators who have limited administrative privileges. They can't change list options, but they can approve or reject subscription requests and postings.
When moderators enter their password in the list administration page, they get a page with their own moderating tasks available.
1. In a web browser, enter the URL of the list administration page. This is usually server.domain.tld/mailman/admin/listname.
2. Enter the master list password. This is not the user's login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.
3. Make sure that General Options is selected from the Configuration Categories link section.
4. Enter the list moderator addresses to include in the The list moderator mail addresses text box.
5. Click Submit Your Changes.
6. In the Configuration Categories link section, select Password Options.
7. Enter a password in the moderator password field and confirm it.
8. Click Submit Your Changes.
Set mailing list bounce options
You use the web interface to set mailing list bounce options. Web services must be enabled to access the web interface. When a list message bounces and returns to the list server, you can choose how the list server handles the resulting bounce message.
1. In a web browser, enter the URL of the list administration page. This is usually server.domain.tld/mailman/admin/listname.
2. Enter the master list password. This is not the user's login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.
3. In the Configuration Categories link section, select Bounce Processing.
4. Select bounce processing options. Each option section has a link to a help page that explains the option setting.
5. Click Submit Your Changes.
Designate a mailing list as private
You use the web-based interface to set a list's privacy options. Web services must be enabled to access the web-based interface. You might not want to show some lists on the web list access page.
To designate a list as private so it isn't shown, see server.domain.tld/mailman/listinfo.
1. In a web browser, enter the URL of the list administration page. This is usually server.domain.tld/mailman/admin/listname.
2. Enter the master list password. This is not the user's login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.
3. In the Configuration Categories link section, select Bounce Processing.
4. Select bounce processing options. Each option has a link to a help page that explains the option.
5. Click Submit Your Changes.
Add subscribers
Use Server Admin to add mailing list subscribers to a list. Mailing list subscribers do not need an account (mail or file access) on the list's server. Any mail address can be added to the list. You must have an existing list to add a subscriber.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Mailing Lists tab.
4. Select the list to add a subscriber to.
5. Under the Members pane, click the Add button (+).
6. Enter the recipient's mail address. If you're entering multiple subscribers, enter the recipient mail addresses or drop a text list into the User Identifiers box. If the subscribers are users on the mail server, you can use the Users and Groups button to add local groups to the list.
7. Choose from the following subscriber privileges:
Users subscribed to list: This means the user will receive mail sent to the list address.
Users may post to list: This means the list will accept mail from the user.
Users can administer list: This means the user has administrative privileges for the list.
8. Click OK.
Choice: Bounced
Description: Sends the message back to the sender. You can optionally send a mail notification of the bounce to a mail account, probably the postmaster.
Choice: Deleted
Description: Deletes the message without delivery. You can optionally send a mail notification of the bounce to a mail account, probably the postmaster.
Choice: Delivered
Description: Delivers the message even though it's probably junk mail. You can optionally add text to the subject line, indicating that the message is probably junk mail, or encapsulate the junk mail as a MIME attachment.
Choice: Redirected
7. Choose how often to update the junk mail database.
8. Click Save.
Training the junk mail filter with user help
1. Enable junk mail filtering.
2. Create two local accounts: junkmail and notjunkmail.
3. Use the Server app to enable them to receive mail.
4. Instruct mail users to redirect junk mail messages that have not previously been tagged as junk mail to junkmail@<yourdomain>.
5. Instruct mail users to redirect real mail messages that were wrongly tagged as junk mail to notjunkmail@<yourdomain>. Each day at 2:15 am, the junk mail filter will learn what is junk and what was mistaken for junk.
6. Delete the messages in the junkmail and notjunkmail accounts daily.
Training the junk mail filter without user interaction
You can also train the junk mail filter by giving it known junk and good mail messages. Accurate training requires a large sample, so a minimum of 200 messages of each type is advised.
1. Choose a mailbox of 200 messages made of only junk mail.
2. Use Terminal and the filter's command-line training tool to analyze and remember junk mail using the following command:
sa-learn --showdots --spam <sample junk mail directory>/*
3. Choose a mailbox of 200 messages made of only good mail.
4. Use Terminal and the filter's command-line training tool to analyze and remember good mail using the following command:
sa-learn --showdots --ham <sample good mail directory>/*
Replace <sample junk mail directory> and <sample good mail directory> with the paths to those mailboxes.
If the junk mail filter fails to identify a junk mail message, train it again so it can do better next time. Use sa-learn again with the --spam argument on the mislabeled message. Likewise, if you get a false positive (a good message marked as junk mail), use sa-learn again with the --ham argument to further train the filter.
Filtering mail by language and locale
You can filter incoming mail based on locales or languages. Mail messages composed in foreign text encodings are often erroneously marked as junk mail. You can configure your mail server to not mark messages from designated originating countries or languages as junk mail.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Filters tab.
4. Select Scan Email for Junk Mail.
5. Click the Edit (/) button next to Accepted Languages to change the list, select the language encodings to allow as non-junk mail, and click OK.
6. Click the Edit (/) button next to Accepted Locales to change the list, select the country codes to allow as non-junk mail, and click OK.
7. Click Save.
Enabling virus screening
Before you can benefit from mail screening, it must be enabled. While enabling screening, you configure screening parameters. Lion Server uses ClamAV (from www.clamav.net) to scan mail messages for viruses. If a suspected virus is found, you can deal with it in several ways, described below. The virus definitions are kept up to date (if enabled) via the Internet using a process called freshclam.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Filters tab.
4. Select Scan Email for Viruses.
5. Choose from the following to deal with junk mail messages.
Choice: Bounced
Description: Sends the message back to the sender. You can optionally send a mail notification of the bounce to a mail account (probably the domain's postmaster) and notify the intended recipient.
Choice: Deleted
Description: Deletes the message without delivery. You can optionally send a mail notification to a mail account, probably the postmaster, as well as the intended recipient.
Choice: Redirected
Description: Delivers the message to a designated address for further analysis.
6. Choose whether to notify the intended recipient if the message was filtered.
7. Choose how often to update the virus database. A minimum of twice a day is suggested. Some administrators choose eight times a day.
8. Click Save.
3. Select the Filters tab.
4. Select Enable server side mail rules.
Configure quota violation responses
When a mail user has more mail in storage than is allowed for his or her quota, the mail server recognizes a quota violation. There are typically two responses to a quota violation: a violation notice, and suspension of mail service.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Quotas tab.
4. Click Enable Quota Warnings.
5. To customize the quota violation notification, click Edit Quota Warning Message, then customize the message.
6. To suspend mail service for users who exceed their quotas, select Disable a user's incoming mail when they exceed 100% of quota.
7. To customize the over-quota message, click Edit Over Quota Error Message and then customize the message.
8. Click Save.
You can configure your mail server to join an existing mail cluster as a new member of the cluster, or you can migrate a mail server's mail store to another server that is a member of the cluster. If Xsan software is installed, you can also create a cluster, with the current server becoming the cluster's first member.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Advanced.
3. Click Clustering.
4. Click the Change button, then follow the onscreen instructions that appear.
After a server has joined a cluster, changes to mail server settings, such as SMTP, POP, IMAP, and logging, affect all servers in the cluster. When you remove the last member of a cluster, you must designate a server to take over as a standard mail server.
Level
Description
All debugging information
Connection transactions, delivery attempts, authentication attempts
Authentication failures
Errors that require prompt administration attention
All warnings and errors
All errors
You can choose log detail for each service category (outgoing, incoming, or junk mail filter).
Set the Mail service log detail
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Settings.
3. Select the Logging tab.
4. Select the service whose log detail you want to set:
Service
Description
Outgoing mail and connections from external mail servers
Incoming mail retrieval for users
The junk Mail service
5. From the Log Detail Level pop-up menu, choose a detail level.
6. Click Save.
Archiving Mail service logs by schedule
Lion Server archives Mail service logs after a specified time. Each archive log is compressed and uses less disk space than the original log file. You can customize the schedule to archive the logs after a set period of time, measured in days.
1. In Server Admin, select Mail in the Computers & Services list.
2. Click Settings.
3. Select the Logging tab.
4. Click Archive Logs Every ____ Days.
5. Enter the number of days.
6. Click Save.
To view a group of settings
You can view a group of settings that have part of their names in common by entering as much of the name as you want, stopping at a colon (:), and entering an asterisk (*) as a wildcard for the remaining parts of the name. Example:
$ sudo serveradmin settings mail:imap:*
To see a detailed status of Mail service from the command line
$ sudo serveradmin fullstatus mail
To view a Mail service log
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click the Logs button.
3. From the View pop-up menu, choose a log type.
4. Click Save.
To search for specific entries, use the text filter box in the window.
From the command line
You can use tail or another file-listing tool to view the contents of Mail service logs.
1. Use the serveradmin getLogPaths command to see where Mail service logs are located:
$ sudo serveradmin command mail:command = getLogPaths
2. View the latest entries in your selected log with the tail command.
a. To view the last 10 entries in the Junk Mail/Virus Scanning log:
$ tail /var/log/amavis.log
b. To view any number of entries:
$ tail -n lines /var/log/amavis.log
Replace lines with the number of lines you want to view.
c. To watch new additions to the log file:
$ tail -f /var/log/amavis.log
Control-C stops the tail command from watching the log file and returns your command prompt.
Reclaim disk space used by Mail service log archives
Lion Server reclaims disk space used by Mail service logs when they reach a specified size or age. You can use the diskspacemonitor command-line tool to monitor disk space when you want, and delete or move the log archives. For additional information, see the diskspacemonitor man page.
1. In Server Admin, select Mail in the Computers & Services list.
2. Click the Connections button.
1. In Server Admin, select a computer in the Servers list, then select Mail.
2. Click Maintenance.
3. Click the Accounts button.
4. Select the message to retry sending. To select more than one message, hold down the Shift or Command key.
5. Click Retry.
While doing this you can monitor the logs to see what might be causing the problem.
1. In Terminal, enter the following:
$ sudo serveradmin command
The serveradmin command prompt appears.
2. Enter the following at the serveradmin command prompt:
mail:command = getHistory
mail:variant = statistic
mail:timeScale = scale
Replace statistic and scale with the following:
Parameter: statistic
Description: The value you want to display. Valid values include:
v1 - Number of connected users (average during sampling period)
v2 - Data throughput (bytes/sec)
Parameter: scale
Description: The length of time in seconds, ending with the current time, that you want to see samples for. For example, to see 24 hours of data, you would specify mail:timeScale = 86400.
The computer responds with the following output:
mail:nbSamples = <samples>
mail:v2Legend = "throughput"
mail:samplesArray:_array_index:0:vn = <sample>
mail:samplesArray:_array_index:0:t = <time>
mail:samplesArray:_array_index:1:vn = <sample>
mail:samplesArray:_array_index:1:t = <time>
[...]
mail:samplesArray:_array_index:i:vn = <sample>
mail:samplesArray:_array_index:i:t = <time>
mail:v1Legend = "connections"
afp:currentServerTime = <servertime>
Parameter Description
<samples> <sample>
T he total number of samples listed. T he numerical value of the sample. For connections (v1), this is integer average number of users. For throughput, (v2), this is integer bytes per second.
<time>
T he time when the sample was measured. A standard UNIX time (number of seconds since September 1, 1970). Samples are taken every 60 seconds.
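The output above is a flat list of key = value lines, which is awkward to read for more than a few samples. The following parser is an added example, not code from the Lion Server documentation or from serveradmin itself; it turns a getHistory response into a time series, checks that nbSamples matches what was actually received, finds the peak, and reports gaps in the 60-second sampling described above. The embedded output is constructed, with made-up values and one deliberately missing sample.

```python
import re

# Constructed sample of `serveradmin` getHistory output, in the key = value
# format documented above (v2 = throughput). Values are made up; the missing
# sample at +180 seconds simulates a gap in the 60-second series.
SAMPLE_OUTPUT = """\
mail:nbSamples = 4
mail:v2Legend = "throughput"
mail:samplesArray:_array_index:0:v2 = 1200
mail:samplesArray:_array_index:0:t = 1314000000
mail:samplesArray:_array_index:1:v2 = 0
mail:samplesArray:_array_index:1:t = 1314000060
mail:samplesArray:_array_index:2:v2 = 98304
mail:samplesArray:_array_index:2:t = 1314000120
mail:samplesArray:_array_index:3:v2 = 4096
mail:samplesArray:_array_index:3:t = 1314000240
mail:v1Legend = "connections"
afp:currentServerTime = 1314000250
"""

LINE_RE = re.compile(r"^(?P<key>[A-Za-z0-9_:]+)\s*=\s*(?P<value>.*)$")
SAMPLE_PREFIX = "mail:samplesArray:_array_index:"
SAMPLE_INTERVAL = 60  # seconds; the text above says samples are taken every 60 seconds


def parse_serveradmin(text):
    """Turn `key = value` lines into a dict; quoted values become str, others int."""
    parsed = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # blank line or something that is not key = value
        value = match.group("value").strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        else:
            try:
                value = int(value)
            except ValueError:
                pass
        parsed[match.group("key")] = value
    return parsed


def history_series(parsed, variant):
    """Return [(unix_time, value), ...] for variant 'v1' or 'v2', ordered by index."""
    by_index = {}
    for key, value in parsed.items():
        if not key.startswith(SAMPLE_PREFIX):
            continue
        index, field = key[len(SAMPLE_PREFIX):].split(":", 1)
        by_index.setdefault(int(index), {})[field] = value
    series = [(entry["t"], entry[variant])
              for _, entry in sorted(by_index.items())
              if "t" in entry and variant in entry]
    expected = parsed.get("mail:nbSamples")
    if expected is not None and expected != len(series):
        # a truncated or mixed-up response is worse than none: refuse it
        raise ValueError("nbSamples says %s samples, parsed %d" % (expected, len(series)))
    return series


def missing_intervals(series, interval=SAMPLE_INTERVAL):
    """Consecutive timestamps further apart than one sampling interval."""
    return [(t0, t1) for (t0, _), (t1, _) in zip(series, series[1:]) if t1 - t0 > interval]


def peak(series):
    """(time, value) of the largest sample; None for an empty series."""
    return max(series, key=lambda s: s[1]) if series else None


if __name__ == "__main__":
    data = history_series(parse_serveradmin(SAMPLE_OUTPUT), "v2")
    print("samples:", data)
    print("peak throughput:", peak(data))
    print("gaps:", missing_intervals(data))
```

To use it against a live server, pipe the serveradmin session's output into parse_serveradmin; a gap reported by missing_intervals usually means the server, or Mail service, was down for that period.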
Improve performance
Mail service must act very fast for a short period of time. It sits idle until a user reads or sends a message, then transfers the message immediately, so it puts intense but brief demands on the server. As long as other services do not place heavy continuous demands on the server (as a QuickTime streaming server would), the mail server can typically handle several hundred connected users. As the number of connected mail users increases, the demand Mail service places on the server increases. If Mail service performance needs improvement, try the following:
Move the mail storage location to its own hard disk or hard disk partition.
Run other services on a different server, especially services that place frequent heavy demands on the server.
If mail is undeliverable
Mail messages might be undeliverable for several reasons. Incoming mail might be undeliverable because it has a misspelled address or is addressed to a deleted user account. Outgoing mail might be undeliverable because it is misaddressed or the destination mail server isn't working. You can configure Mail service to:
Forward undeliverable incoming mail. Mail service can forward messages that arrive for unknown local users to another local person or a group in your organization. Whoever receives forwarded mail that's incorrectly addressed (with a typo in the address, for example) can forward it to the correct recipient. If forwarding of these undeliverable messages isn't explicitly enabled, the messages are returned to the sender. Keep in mind that such a catch-all address also receives the spam and address-guessing traffic sent to nonexistent users, so expect a high junk volume there.
Limit the number of attempts to deliver problematic outgoing mail.
Report failed delivery attempts.
Use a different timeout value to increase the chance of connection success.
1. Log in to your server as the administrator.
2. In Terminal, enter the following command:
$ sudo postconf -e disable_mime_output_conversion=yes
This disables the special processing of Content-Type headers while delivering mail.
Podcast
1. Open the Server app and select the Podcast service on the left, under Services. If you have more than one server, select Podcast for the server that will host the podcast library.
2. Use the "Podcast library is viewable by" pop-up menu to choose who can access the library:
Anyone: Allows all users to view podcast episodes in the library.
Authenticated Users: Allows only users in the server's user list to view episodes.
Podcast Owners: Allows only users in the Administrators list to view library content.
3. Optionally, add users to the Administrators list. Click the Add button (+) below the list, then choose a user from the list that appears. Podcast library administrators can delete other people's podcasts from the podcast library.
4. Click the On/Off button at the top of the pane to enable the library.
Users can share their podcasts with a podcast library from Podcast Publisher by specifying the address of the podcast library server in Podcast Publisher Preferences and then choosing Podcast Library from the Share menu.
Podcast
iTunes on your computer, distribute them via email, save them to your desktop, or publish them to a Podcast Library where others can subscribe to and view them using iTunes. If you already use a Podcast Library hosted by the Podcast Producer service in Mac OS X Server v10.6 or later, you can publish there too.
RELATED INFORMATION
Podcast
Create a podcast
1. Open Podcast Publisher (in Applications/Utilities) and click New Podcast in the lower-left corner of the window. If you're opening Podcast Publisher for the first time, there's a new podcast ready for you.
2. Enter a podcast title, then click the "(+) Add a new episode" note. This title is for the entire podcast series. Each episode in the podcast has its own title, which you can set later.
3. Add content by recording from a camera attached to your computer or from audio or movie files you have. For more information, see Record content for an episode and Add existing content to a podcast.
4. Add episode information that your podcast subscribers can see in iTunes (or other applications they use to view your podcast). For more information, see Add information about your podcasts.
5. Preview the episode. Click the Play (right-facing triangle) button in the timeline below the podcast episode.
6. Share the episode. Choose how to share the episode from the Share menu, or click the Share button. For information, see Publish a podcast.
RELATED INFORMATION
Record content for an episode Add existing content to a podcast Publish a podcast
Podcast
1. Select a podcast. If you have more than one podcast, use the Right Arrow and Left Arrow keys to navigate between them. If you're in the recording screen for an episode, click All Podcasts to return to the episode preview pane.
2. Add content using one of the following:
Record video from camera: Click the New Video Episode button below the episode preview pane. When the recording pane appears, move the toggle at the lower left to the left to select the film strip icon. When you're ready, click the record button and click it again when you finish recording.
Record your computer screen: Click the New Video Episode button below the episode preview pane. When the recording pane appears, move the toggle at the lower left to the right to select the screen icon. Use the record button to start and stop recording. Speak as you record your actions to provide narration. The Podcast Publisher window does not appear in the recording. You can minimize it to get it out of the way or leave it open during recording.
Record audio: Click the New Audio Episode button below the episode preview pane. Use the record button to start and stop recording.
If the wrong New Audio Episode or New Video Episode button appears, click the arrow at the right of the button that is showing and select the action you want.
Podcast
You can use audio and video files and some documents that you have on your computer to make podcasts. If you have an audio or video file that must be converted to a valid media type, try using QuickTime Player. The Pages app (available on the Mac App Store) lets you save documents as PDFs or ePub files.
1. From the File menu, s elect Import Media. 2. Navigate to your content and select Import.
Podcast
1. If you haven't already, open the episode in the editing pane of Podcast Publisher. If you just opened Podcast Publisher, navigate to the podcast and the episode. If you're in the recording screen for the episode, click Cancel to return to the episode view.
2. Click an item in the episode view.
3. Click the Info button at the top left.
4. Enter a title, the author's name, and text describing the basic information about the episode. You can enter more information and find out the URL of that episode by clicking the Show Advanced button.
5. When you finish annotating, click the Info button again, or click outside the Info panel to dismiss it.
Viewers can see the information you provide by clicking the Info button in iTunes when they watch the episode.
Podcast
Publish a podcast
To share a finished podcast episode, you can open the episode in iTunes on the computer where it was created, email the episode to others, put a copy of the episode on your desktop, or publish the episode to a Podcast Library.
1. In Podcast Publisher, select the episode to share. The Share button appears at the right, below the episode preview. If you don't see the Share button, try again to select the episode or, if you're in the recording pane, click Cancel.
2. Click the Share menu or the Share button and choose how to share the episode.
iTunes: Adds the episode to the iTunes library. Audio and video files are added to Music and Movies; PDF and ePub documents are added to Books.
Mail: Creates an email message with the episode as an attachment. Recipients of your email can use iTunes to view your podcast episode.
Podcast Library: Publishes the episode in the Podcast Library on the server you choose. A confirmation message appears when the episode is published. A button in the message lets you announce the episode in email. Anyone with access to the library can view the episode, and it appears in iTunes for users who subscribe to the podcast.
RELATED INFORMATION
Podcast
Bind a Mac to a Podcast Producer server
Configure general Podcast Capture preferences
Configure audio/visual Podcast Capture preferences
Use Podcast Capture
Log in
Record and upload audio from a single source
Record and upload video from a single source
Record and upload video from dual sources
Record and upload a screen recording
Monitor transfers
Upload files
Browse episodes
Log out
About workflows
Podcast
Send content using file transfer protocols
Send content to the Watch folder of Final Cut Server
Send content to a shared folder
Send content to a workflow
The Notify stage
Use different technologies to notify others about your podcast.
Add email notifications
Add iChat notifications
Add iTunes podcast directory notifications
Add iTunes U notifications
Add third-party service notifications
Web
Overview
About PostgreSQL
PostgreSQL provides a relational database management solution for your web server. With this open source software, you can link data in different tables or databases and provide the information on your website.
Wiki and Device Manager services require a PostgreSQL server, so it starts when either of these services is turned on. For information about PostgreSQL, view its documentation at http://www.example.com/postgresql/ (replace www.example.com with your server's URL). For PostgreSQL documentation, see www.postgresql.org/docs/.
Web
Stop web service in the Server app
Use the Server app to stop web service.
1. In the Server app, click Web. If web service is already turned off, an Enable Service dialog appears.
2. Choose Off in the pop-up menu under the service name.
Stop web service from the command line
You can stop web service from the command line. Enter the following command in Terminal:
Web
Web
out. Timeouts occur when a user is viewing web pages but not interacting with the site.
MinSpareServers 1
MaxSpareServers 10
Enter the minimum and maximum number of spare server processes. These settings regulate the creation of idle spare server processes. Keep in mind the following:
If there are fewer than the minimum number of spare server processes, the server adds spare server processes at a rate of one per second.
If more than the maximum number of spare server processes are idle, the server stops adding spare server processes beyond the maximum limit.
Enter the number of spare servers that get created at startup.
Enter the maximum number of persistent connections to the server. The range is 1 to 2,048 connections.
KeepAliveTimeout 15
Enter the amount of time that can pass between requests before the session is disconnected by the web server. The range for the connection timeout is 0 to 9,999 seconds.
Web
Create w ebsites
Publish a website
You can create a website using web development software of your choice, or have someone do it for you, and then copy the website files to your server. Then use the Server app to publish your websites.
You can secure your website by enabling Secure Sockets Layer (SSL). You can create a self-signed SSL certificate in the Server app, or use one from a certificate authority (CA). A self-signed certificate encrypts the connection, but browsers don't trust it and warn users on every visit, so use a CA-issued certificate for any site the public will reach.
When you turn on web service, a default website is created and custom websites you create are enabled. This website responds to all server IP addresses and host names on port 80. If you enable SSL, the default website responds on port 443, and a website on port 80 redirects everything to port 443. The website initially uses a placeholder page that you can replace with your own.
If you need a website to use a specific IP address, or if you want to change settings such as the host name, port, or access control, you can create custom websites. For example, you can create multiple custom websites with different host names, serving the same content by sharing the same document root folder. The websites you publish with the Server app are also known as virtual hosts.
Create a custom website
Use the Server app to publish a website.
1. In the Web pane of the Server app, click the Add button (+). A dialog with options appears.
2. Customize your website using the following.
Domain Name: Enter the website's fully qualified domain name.
IP Address: If your server has multiple IP addresses, choose the IP address used to access the website.
Store Site Files In: Choose a folder on your local computer to store your website files. This folder should include an index.html or index.php file to act as your website homepage. To view the folder contents, click View Document Root Contents at the bottom of the setup dialog.
Who Can Access: Choose who can access folders in the website. By default, everyone can access all folders. If you choose Customize, you can restrict access to subfolders of your website to groups you create in the Server app.
3. Click Done.
4. If web service isn't turned on, click the On/Off switch to turn on the service.
To change website settings after creating a custom website, select the website in the Web pane of the Server app and click the Edit button (pencil). You can't change the host name or document root folder settings.
Add or change webpages on your website
To change what's available on the website, change the files in your website's document root folder. Use the Server app to find your website's document root. The default document root is /Library/Server/Web/Data/Sites/domainname/.
1. In the Web pane of the Server app, select the website and click the Edit button (pencil). A dialog with options appears. The document root is shown in the Store Site Files In pop-up menu.
2. Click View Document Root Contents. The Finder opens to the document root location. Change the files in this folder to change what's available on the website.
RELATED TOPICS
Web
Create w ebsites
1. In the Server app, select your server (below Hardware on the left side of the Server application).
2. Click Settings, and then click the Edit button at the right of SSL Certificate.
3. Choose one of the following:
To use an SSL certificate for iCal, Address Book, iChat, Mail, and web services: Choose a certificate from the Certificate pop-up menu.
To use an SSL certificate for just web service: Choose Custom in the Certificate pop-up menu. In the list that appears, choose an SSL certificate from the pop-up menu at the right of web service.
RELATED TASKS
Web
Create w ebsites
Web
Create w ebsites
1. In the Web pane of the Server app, select a website and click Edit (pencil).
2. Select "Allow users to change their password." If "Allow users to change their password" is deactivated, you don't have an SSL certificate associated with web service; the password-change page is only offered over SSL so that the old and new passwords aren't sent in cleartext. For information about using SSL certificates, see Using an SSL certificate.
3. Click Done.
4. If web service isn't turned on, click the On/Off switch to turn on the service.
RELATED TASKS
Web
Mac OS X Lion runs Apache web server v2.2 as a 64-bit process on 64-bit computers. In a clean installation of Mac OS X Lion Server, Apache v2.2 is installed. If you are using Apache v1.3 on Mac OS X Server v10.5 and you upgrade to Mac OS X Lion, Apache 2.2 is installed using its default configuration, and your Apache v1.3 configuration files are preserved in the /etc/httpd-1.3/ folder. You can migrate Apache using one of the following methods:
Use the apache1_config_helper script to help automate the Apache v1.3 to v2.2 migration.
Use a text editor to customize the Apache configuration.
The locations of key Apache files and folders are listed in the following table.
Web service configuration files: /etc/apache2/
Main web service configuration file: /etc/apache2/httpd.conf
Website configuration files: /etc/apache2/sites/
Template for new websites created in the Server app: /etc/apache2/sites_disabled/uid _default_default.conf
Web application configuration files: /etc/apache2/webapps/
Executable file: /usr/sbin/httpd
Web modules: /usr/libexec/apache2/
Error log: /var/log/apache2/ (with a symlink that lets the folder be viewed as /Library/Logs/WebServer/)
Temporarily disabled websites: /etc/apache2/sites_disabled/
Static content: /Library/Server/Web/Data/Sites/Default/ (default)
CGI files: /Library/WebServer/CGI-Executables/
Files in /etc/apache2/sites/ are read and processed by Apache when it performs a hard or soft (graceful) restart. You disable sites by moving them from /etc/apache2/sites/ to /etc/apache2/sites_disabled/ and restarting web service. Each time you save changes, the server restarts. If you edit a file using a text editor that creates a temporary or backup copy, the server restart might fail because two files with almost identical names are present. To avoid this problem, delete temporary or backup files created when editing files in this folder. For information about important Apache configuration files, see the ReadMe.txt file in /etc/apache2/. For Apache web server v2.2 documentation, see http://httpd.apache.org/docs/2.2/. For information about web application configuration files, enter man webapp.plist in Terminal.
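A pre-restart check for the editor leftovers the paragraph above warns about, as an added example (not part of the Lion Server documentation or the Server app). It assumes that only regular `*.conf` files in /etc/apache2/sites/ are meant to be read by Apache; the backup-file patterns (emacs `name~` and `#name#`, vim `.name.swp`, and `.bak`/`.orig`/`.old` copies) are this example's own list, and the demo folder it builds is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Names editors leave behind next to the file they were editing (assumption:
# emacs `name~` / `#name#`, vim `.name.swp`, and .bak/.orig/.old copies).
BACKUP_PATTERNS = [
    re.compile(r".*~$"),
    re.compile(r"^#.*#$"),
    re.compile(r"^\..*\.sw[a-z]$"),
    re.compile(r".*\.(bak|orig|old)$"),
]

# Constructed contents of a sites folder: one real site file plus typical debris.
DEFAULT_NAMES = ("0000_example.conf", "0000_example.conf~", ".0000_example.conf.swp",
                 "0000_example.conf.bak", "README")


def stray_files(sites_dir):
    """Return sorted (name, reason) pairs for entries that should not be in sites_dir.

    Assumption: Apache is meant to read only regular `*.conf` files from this
    folder, so anything else is reported rather than silently left for the
    next restart to trip over.
    """
    stray = []
    for name in sorted(os.listdir(sites_dir)):
        path = os.path.join(sites_dir, name)
        if any(p.match(name) for p in BACKUP_PATTERNS):
            stray.append((name, "editor backup or swap file"))
        elif not os.path.isfile(path):
            stray.append((name, "not a regular file"))
        elif not name.endswith(".conf"):
            stray.append((name, "does not end in .conf"))
    return stray


def safe_to_restart(sites_dir):
    """True when nothing in the folder would confuse the restart."""
    return not stray_files(sites_dir)


def demo(names=DEFAULT_NAMES):
    """Build a constructed sites folder in a temp dir and run the check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("# constructed\n")
        return stray_files(tmp)


if __name__ == "__main__":
    for name, reason in demo():
        print("%-28s %s" % (name, reason))
    print("clean folder restarts safely:", demo(("0000_example.conf",)) == [])
```

Run stray_files("/etc/apache2/sites") before saving a change in the Server app or restarting web service; an empty result means the folder holds only the files Apache is supposed to read.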
Web
1. In the Web pane of the Server app, select "Enable PHP web applications" to enable PHP, or deselect it to disable PHP. If webmail is turned on, PHP is enabled and can't be disabled.
2. If web service isn't turned on, click the On/Off switch to turn on the service.
RELATED TASKS
Enable Webmail
Web
1. Open Terminal.
2. Enter the following command:
$ sudo serveradmin command
web:command = restoreFactorySettings
Web
Web
Manage w eb modules
example, if your server is named example.com and the user's short name is refuser, the content of the Sites folder can no longer be accessed at http://example.com/~refuser. mod_userdir and mod_userdir_apple must never be enabled simultaneously. mod_bonjour is disabled by default, but requires at least one of the two mod_userdir modules for full functionality.
Web
Manage w eb modules
EncodingEngine directive
Syntax: EncodingEngine [ on | off ]
AddClientEncoding directive
Although WebDAV clients are expected to send data in UTF-8 or any other properly detectable encoding, some clients send data in a non-autodetectable platform-local encoding, thus requiring this directive, which maps encoding names to client types. This directive specifies the encodings expected from each client type. The clients are identified by agent name. The agent name can be specified as a pattern using extended regular expressions. Never use .* for the agent name; instead, use DefaultClientEncoding. This module uses CoreFoundation's CFString and supports all encodings supported by it. In general, IANA-registered encoding names are supported.
Default: None
DefaultClientEncoding directive
This directive tells the default set of encodings what to expect from various clients. You don't need to specify UTF-8 because it is the default.
Default: UTF-8
NormalizeUsername directive
This directive is introduced to support the behavior of Windows XP when accessing a password-protected resource. Windows XP clients prepend hostname\ to the real user name. Enabling this option strips off the hostname\ part, so only the real user name is passed to the authentication module.
Syntax: NormalizeUsername [ on | off ]
Default: Off
Web
Manage w eb modules
Web
Manage w eb modules
This module adds WebDAV support for non-ASCII file names. This module is disabled by default. For more information about mod_encoding, see About the mod_encoding module.
mod_xsendfile
This module is a small Apache2 module that processes X-SENDFILE headers registered by the original output handler. If it encounters such a header, it discards all output and sends the file specified by that header instead, using Apache internals and including all optimizations like caching headers and sendfile or mmap if configured. It is useful for processing script output of PHP, Perl, or other CGI programs. Because the script names the file to send, restrict the folders it may send from with the module's XSendFilePath directive; without that, a script bug can expose any file the Apache process can read. This module is disabled by default, but is enabled when Wiki starts. For additional information about mod_xsendfile, download a version and read the additional documentation provided in the source distribution from tn123.org/mod_xsendfile/.
mod_python
This module allows you to write web-based applications in Python that run much faster than traditional CGI scripts. It also provides the ability to retain database connections and other data between hits, and access to Apache internals. For additional information about mod_python, download your own version and read the additional documentation provided in the source distribution from www.modpython.org/.
Wiki
Wiki
With a few clicks, you can create wikis, choose who can view and edit them, and create and edit wiki pages.
Configure wiki service
In the Server app, you can set up your server to host wikis.
You can allow all users in your directory and connected directories to create wikis, or you can restrict wiki creation. Users who create wikis can set access privileges, including who's allowed to own, edit, or just view their wikis.
1. In the Wiki pane of the Server app, choose an option from the "Wikis can be created by" pop-up menu. To allow all users in your local directory, on your network server, and on connected network servers to create wikis, choose "all users" from the "Wikis can be created by" pop-up menu. Click the On/Off switch next to Wiki to turn on the service, and you're done. To restrict who can create wikis, choose "only some users," and continue following this task.
2. If you chose "only some users," use the dialog to give or remove access for users and groups.
To give access to a user or group: Click the Add button. Enter the name of a user or group in the new entry that appears. As you type, the Server app searches for a matching user or group. If the user or group you want to give access to appears, select the name from the list.
To remove access from a user or group:
3. Click OK.
4. If wiki service isn't turned on, click the On/Off switch next to Wiki to turn on the service.
Create a wiki
1. If you're not logged in to the wiki server, click the Log In button, enter your user name and password, and then click Log In.
2. Click the Create pop-up menu and choose New Wiki.
3. In the "Create a new wiki" dialog, enter a name for the wiki and a description. You can later change the name of the wiki. The description is shown when users click the Info button next to the wiki's name in the Wikis page.
4. Click Upload Image, and then select an image that represents the wiki. The icon is shown next to the wiki name, and in the Wikis page. The image you upload is resized and stretched. Choose a 48 by 48 pixel image if you don't want the image to change.
5. Click Next.
6. In the "Set wiki access" dialog, give people or groups access to the wiki by entering their names in the field above the list of users and groups. As you type, the wiki server searches for matching names. Click a name to add it to the access list.
7. Use the pop-up menus to change the access permissions associated with each person or group. Here are the options you can choose:
Owner: Can change wiki settings, and read and write content.
Read & write: Can read and write content.
Read: Can read content.
No access: Can't read or write content. By default, anyone not in the access list has no access.
8. Click Create.
Create a wiki page
1. While viewing a wiki, click the Create pop-up menu, and then choose "New Page in 'wiki name.'" If "New Page in 'wiki name'" doesn't appear, you don't have permission to create pages in the wiki you're viewing. If you're viewing one of your My Page pages, instead of "New Page in 'wiki name'," a "New Page in My Documents" link appears. Click this link to create a standalone document.
2. Enter the name of the page, and then click Add.
Edit a wiki page
1. If you're not logged in to the wiki server, click the Log In button, enter your user name and password, and then click Log In.
2. If you're viewing a blog and not a single blog post, click the title of a blog post to view it. You can't edit a blog post while viewing the entire blog.
3. While viewing the wiki page or blog post you want to edit, click the Edit button in the navigation toolbar. If you don't have permission to edit the wiki page or blog post, the Edit button is deactivated. After you click the Edit button, the editing toolbar replaces the navigation toolbar.
4. To change the page's title, click the page's title and edit it.
5. Enter text in the body of the wiki page or blog post, and use the editing toolbar. The editing toolbar includes buttons to:
Insert a file.
Insert a picture.
Insert a table.
Insert a block of HTML, in which you can embed elements of other sites, like YouTube.
Change the paragraph style for the paragraph the pointer is in.
Change alignment for the selected paragraphs to left, center, right, or justified.
Change whether selected paragraphs are a bulleted or numbered list.
6. When you finish editing the page, click the Save button.
Wiki
You can allow all users in your directory and connected directories to create wikis, or you can restrict wiki creation. Users who create wikis can set access privileges, including who's allowed to own, edit, or view their wikis. They can grant access privileges to users in your local directory, on your network server, and on connected network servers.
RELATED TOPICS
Wiki
default_redirect_url_path (default /wiki): Change /wiki to the location under http://wikiserverurl/ you want to send users to.
Security requirements
Wiki service includes several security options. The security_requires list includes these options:
security_requires: You can enable any or all of the following options by adding them to the security_requires list:
logout_requires_token: To log out, the logout request must carry a logout_token whose value is a hash of the user's unique identifier with a shared secret, so another site can't log the user out just by linking to the logout URL.
same_host: Requires that the redirect goes to the same host that the login or logout request came from.
web_scheme: Requires that the redirect can only go to http:// or https://.
whitelist_only: Requires that the redirect can only go to a list of top-level URLs defined in /etc/collabd/redirect_whitelist.plist.
Without same_host or whitelist_only, the post-login redirect is an open redirect: a link can send a user through the genuine login page and then on to an attacker's site.
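The checks the four options describe, written out as an added example (not collabd's code, and not from the Lion Server documentation). The whitelist embedded here is a constructed stand-in for /etc/collabd/redirect_whitelist.plist, which this example treats as a list of URL prefixes; a relative redirect such as /wiki is resolved against the request's own origin before checking (an assumption); and because the text only says the logout token is "a hash of the user's unique identifier with a shared secret", the example uses HMAC-SHA256 with a constructed secret, which is its own choice rather than the service's documented algorithm.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for /etc/collabd/redirect_whitelist.plist (assumption:
# a list of top-level URL prefixes a redirect may go to).
REDIRECT_WHITELIST = ["https://wiki.example.com/", "https://intranet.example.com/portal/"]

# Constructed shared secret for logout tokens; a real server reads this from
# configuration and never embeds it in code.
SHARED_SECRET = b"constructed-shared-secret"


def check_redirect(target, request_scheme, request_host, requires, whitelist=REDIRECT_WHITELIST):
    """Apply the enabled security_requires options to a redirect target.

    Returns (allowed, reason). A relative target is resolved against the
    request's own origin first (assumption), so it passes same_host; a
    protocol-relative //evil.example/... target keeps its own host and fails.
    """
    parts = urlsplit(target.strip())
    if not parts.scheme and not parts.netloc:
        parts = parts._replace(scheme=request_scheme, netloc=request_host)
    if "web_scheme" in requires and parts.scheme.lower() not in ("http", "https"):
        return False, "scheme %r is not http or https" % parts.scheme
    if "same_host" in requires and parts.netloc.lower() != request_host.lower():
        return False, "host %r differs from request host %r" % (parts.netloc, request_host)
    if "whitelist_only" in requires:
        # compare scheme and host exactly and the path as a prefix; a plain
        # string prefix test would accept https://wiki.example.com.evil.org/
        allowed = [urlsplit(w) for w in whitelist]
        if not any(parts.scheme.lower() == w.scheme.lower()
                   and parts.netloc.lower() == w.netloc.lower()
                   and (parts.path or "/").startswith(w.path or "/")
                   for w in allowed):
            return False, "%s is not under a whitelisted URL" % urlunsplit(parts)
    return True, "ok"


def logout_token(user_guid, secret=SHARED_SECRET):
    """Token a logout request must carry when logout_requires_token is enabled.

    HMAC-SHA256 is this example's choice; the text only says "a hash of the
    user's unique identifier with a shared secret".
    """
    return hmac.new(secret, user_guid.encode("utf-8"), hashlib.sha256).hexdigest()


def logout_allowed(user_guid, presented_token, secret=SHARED_SECRET):
    """Constant-time comparison, so a forged token can't be guessed byte by byte."""
    expected = logout_token(user_guid, secret).encode("ascii")
    return hmac.compare_digest(expected, (presented_token or "").encode("utf-8"))


if __name__ == "__main__":
    strict = {"logout_requires_token", "same_host", "web_scheme", "whitelist_only"}
    for target in ("/wiki", "//evil.example/", "javascript:alert(1)",
                   "https://wiki.example.com.evil.org/"):
        print(target, check_redirect(target, "https", "wiki.example.com", strict))
    tok = logout_token("user-guid-1")
    print("logout with own token:", logout_allowed("user-guid-1", tok))
    print("logout with stolen token:", logout_allowed("user-guid-2", tok))
```

A redirect that fails any check should fall back to default_redirect_url_path rather than to the caller-supplied target.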
Login expiration
Several settings are related to how long users stay logged in before being logged out. When users log in, they're presented with a Remember Me checkbox, which when selected saves the user's login credentials for a customizable period of time. If users clear the browser's cookies, their login credential timers are reset. Change login expiration settings by editing these keys:
loginExpirySeconds (default 1209600): Set this to how long a user stays logged in if the user selects the Remember Me checkbox. The default is 2 weeks (entered in seconds).
forgetMeExpirySeconds (default 86399): Set this to how long a user stays logged in if the user doesn't select the Remember Me checkbox. The default is one second short of 24 hours (entered in seconds).
enableRememberMe (default true): Set this to true to enable the Remember Me checkbox. Set this to false to disable the Remember Me checkbox.
rememberOnByDefault (default true): Set this to true to select the Remember Me checkbox by default. Set this to false to deselect the Remember Me checkbox by default.
Authentication
You can choose what kind of authentication is used by editing this key:
authenticator (default digest): You can set this to digest or plaintext. Digest authentication is more secure than plaintext authentication.
Wiki
Set this to the server running collabd.
Set this to the server running webauth.
Set this to true to use an inline dialog for authentication. Set this to false to redirect the browser to the webauth URL.
use_sandbox_server (default true): Set this to true to use a sandbox server. Set this to false to bypass the sandbox server. Setting this to false is a security risk: uploaded content is then served without the sandbox's isolation, exposing wiki users to cross-site scripting (XSS) from crafted attachments.
sandbox_path (default /cc-sandbox): Set this to the location of sandbox downloads.
quicklook_conf_path (default /etc/collabd/quicklook.plist): This plist file lists the file extensions that users can use the Quick Look feature on.
disable_people_view (default false): Set this to true to disable the People page in the wiki. Set this to false to enable the People page in the wiki.
disable_projects_view (default false): Set this to true to disable the Wikis page in the wiki. Set this to false to enable the Wikis page in the wiki.
max_attachment_file_size (default 524288000): Set this to the number of bytes allowed for uploaded files and media. The default is 500 MB (in bytes).
LogFilePath (default /var/log/collabd/collabd.log): Set this to where collabd writes its log.
LogLevel (default warning): Set this to the level of items being logged. You can set this to any of the following: emergency, alert, critical, error, warning, notice, info, debug. Setting this to debug provides the most information, but it can use a lot of hard disk space.
FileDataPath (default /Library/Server/Wiki/FileData): Set this to where uploaded files are stored. This path must be readable and writable by the _teamsserver user and readable by the _www user.
FiltersEnabled (default true): Set this to true to filter potentially malicious HTML. Set this to false to allow use of all HTML. Allowing all HTML is a large security risk: anyone who can edit a page can then insert script that runs in every other reader's browser with that reader's wiki session.
AutolinkEnabled (default true): Set this to true to link URLs in wiki pages. Set this to false to disable automatic linking.
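What "filter potentially malicious HTML" has to do, shown as an added example rather than collabd's own filter (the page does not say what that filter permits). This sanitizer keeps only an allowlist of tags and attributes that is this example's assumption, drops every on* handler and style attribute, removes <script> and <style> bodies entirely, and rejects href/src values whose scheme is not http, https or mailto, including the javascript: variants hidden behind mixed case or embedded control characters. The attacker input it runs on is constructed.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist used by this example (an assumption; the page does not list what
# collabd's filter permits). Anything not here, including every on* handler
# and style attribute, is dropped.
ALLOWED_TAGS = {"p", "br", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "h1", "h2", "h3", "pre", "code", "blockquote", "img",
                "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*$")


def url_is_safe(value):
    """Allow relative URLs and http/https/mailto; reject javascript:, data:, etc."""
    if value is None:
        return False
    # browsers ignore embedded control characters ("java\tscript:"), so drop them first
    cleaned = "".join(ch for ch in value if ord(ch) > 32 or ch == " ").strip()
    scheme, sep, _ = cleaned.partition(":")
    if not sep or not SCHEME_RE.match(scheme):
        return True  # no scheme: a relative link
    return scheme.lower() in SAFE_SCHEMES


class WikiHTMLFilter(HTMLParser):
    """Rebuilds the document keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # this is what removes onclick=, onerror=, style=
            if name in ("href", "src") and not url_is_safe(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/>, <img/>: no closing tag is emitted

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.dropping = max(0, self.dropping - 1)
        elif not self.dropping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

    def handle_comment(self, data):
        pass  # comments, conditional comments included, never reach the output


def filter_html(fragment):
    """Return the sanitized HTML for one wiki page body."""
    parser = WikiHTMLFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed attacker input for demonstration.
SAMPLE = ('<p onclick="steal()">Hello <b>wiki</b><script>steal()</script>'
          '<a href="javascript:steal()">click</a> <a href="https://example.com/">ok</a>'
          '<img src="x" onerror="steal()"></p>')

if __name__ == "__main__":
    print(filter_html(SAMPLE))
```

The output keeps the visible text and the harmless links; the handlers, the script body and the javascript: link are gone. The "Insert a block of HTML" toolbar button described earlier is exactly the input path such a filter sits behind.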
1. In the Server app sidebar, select Time Machine.
2. Click the On/Off switch to turn on Time Machine service.
3. Select a disk to use as the destination for users' backups, and then click Use for Backup. Time Machine service creates the Backups shared folder on the disk you select.
4. To choose a different disk as the backup destination, click Edit.
If you turn on Time Machine service when file sharing service is off, file sharing service turns on automatically. If you change the backup disk, users' Time Machine preferences that were set to use the server for backup storage will automatically begin using the Backups folder in its new location. After selecting a different backup disk, advise users that their first backup will take longer because it's a full backup. Time Machine service doesn't copy users' backup data from the old Backups folder to the new Backups folder. You can control each user's access to the server's Time Machine backup storage in the Users pane of the Server app.
RELATED TOPIC
Software Update
Software Update offers you ways to manage Macintosh software updates from Apple on your network. In an uncontrolled environment, users might connect to Apple Software Update servers at any time and update their computers with software that is not approved by your IT group. Using local Software Update servers, your client computers access only the s oftware updates you permit from s oftware lists that you control, improving your ability to manage computer s oftware updates . For example you can: Download software updates from Apple Software Update servers to a local server for s haring with local network clients and reduce the amount of bandwidth used outside your network. Direct us ers, groups, and computers to specific local Software Update s ervers using managed preferences. Manage the software update packages users can access by enabling and dis abling packages at the local server. Mirror updates between Apple Software Update servers and your server to make sure you have the most current updates. Note: Software Update does not update s oftware on the server. For information about keeping your server software current, see Server Admin Help. Note: You cant us e Software Update to provide third-party s oftware updates . The process that starts Software Update is swupd_syncd. When you s tart Software Update, it contacts Apples Software Update server and reques ts a list of available software to download locally. You can copy (store packages locally) and enab le (make the packages available to users) any files in the lis t. You can also limit user bandwidth for updates and choose to automatically copy and enable newer updates from the Apple server. Note: Software Update stores its configuration information in the /etc/swupd/s wupd.conf file. Catalogs When Software Update starts, your Software Update server receives a list of available software updates from the Apple Software Update s ervice. 
Your server synchronizes the contents of the software catalog with Apple's Software Update server when you restart your server or when you enter the following command:
$ sudo -u _softwareupdate /usr/sbin/swupd_syncd -sync
WARNING: It is not recommended to refresh the service using the swupd_syncd daemon directly. Doing so can change the file permissions of downloaded updates, making future sync operations fail. If you must sync using swupd_syncd directly, use the -u option with the _softwareupdate user name to prevent the file permissions from changing.
To manually update the catalog, click the Refresh button in the Updates pane of Software Update settings. Changes in the Apple published catalog are immediately reflected on your local server. Deprecated software packages are disabled when a replacement package for that update is enabled. An administrator can disable the new software package and continue offering the deprecated package.
Installation packages
Software Update supports pkm.en and .tar file types, recognized only by Mac OS X v10.4 and later. As you copy updates on your server, your server downloads and stores update packages in the /var/db/swupd/ folder. This path can be modified to store the packages in an alternate location.
Note: Lion Server supports only Apple-specific software packages for use with your update server. Modified Apple and third-party update software packages cannot be shared.
After packages are copied locally, you can enable them for users to update their software. Mac clients running Software Update see only enabled packages in the list of available software for their computer. Deprecated software packages are disabled when a replacement package for that update is enabled. An administrator can disable the new software package and continue offering the deprecated package.
Stay up to date with the Apple server
To keep your service synchronized with the most current information, your Software Update server must always remain in contact with the Apple server.
Software Update service regularly checks with Apple Software Update to update usage information and send lists of newly available software to the updates catalog on your server as they become available. The Apple Software Update server executes the swupd_syncd synchronization daemon to make sure the latest update packages are available. The scheduled execution of swupd_syncd is controlled by launchd by means of the StartCalendarInterval setting in /System/Library/LaunchDaemons/com.apple.swupdate.sync.plist.
Limit user bandwidth
Software Update lets you limit the bandwidth that client computers can use when downloading software updates from your Software Update server. Setting a limit on the bandwidth enables you to control traffic on your network and prevents Software Update clients from slowing the network. For example, if you limit the bandwidth to 56 Kbps, each software update client can download updates at 56 Kbps. If five clients connect simultaneously to the server, the total bandwidth used by the clients will be 280 Kbps (56 Kbps x 5).
Limit Software Update server bandwidth
A new feature in Lion Server Software Update server is syncBandwidth. This setting limits the server's bandwidth back to Apple. Like the user bandwidth limit setting, its value is expressed in KBytes/second (for example, 1024 = 1048576 Bytes/second). Setting a limit on the server's bandwidth enables you to minimize the impact of the Software Update server on your organization's limited external bandwidth.
Revoked files
On rare occasions Apple might provide a software update and later want to revoke or deprecate a package from circulation. If Apple revokes the update package, the package is removed from your catalog and stored packages, making it unavailable to clients. If Apple deprecates a software package and provides a replacement package, the older software package is disabled, making it unavailable to clients.
The package remains in your catalog and stored packages until you remove it. An administrator can disable the new software package and continue offering the deprecated package.
Software Update package format
You can't make your own Software Update packages. For security reasons, and to protect against attackers faking packages, the Software Update package installer won't install a package unless it is signed by Apple.
In addition, Software Update works only with the package format supported in Mac OS X Server v10.4 or later.
Log files
The log files for Software Update are located in the /var/log/swupd/ folder. The log files record Software Update events as they occur. The log files for Software Update include the following:
swupd_syncd_log: logs the swupd_syncd daemon
swupd_error_log: reports messages from the httpd daemon controlled by Software Update
swupd_access_log: reports messages from the httpd daemon controlled by Software Update
The logs can be viewed in Server Admin in the Software Update Logs panel or using the Console application located in the /Applications/Utilities/ folder.
Collected information
The Apple Software Update server collects the following information from client Software Update servers:
Language
Type
Browser
remote server management, submit commands in a secure shell (SSH) session. You can enter commands using the Terminal application, located in the /Applications/Utilities/ folder.
use Software Update to update Apple software.
Network hardware requirements
The type of network connection to use depends on the number of clients you expect to serve software updates to:
To provide regular updates to fewer than 10 clients, use 100-Mbit Ethernet.
To provide regular updates to 10 to 50 clients, use 100-Mbit switched Ethernet.
To provide regular updates to more than 50 clients, use Gigabit Ethernet.
These are estimates of the number of clients supported.
Note: In Lion Server, Software Update operates across all network interfaces that TCP/IP is configured for.
Capacity planning
The number of client computers your server can support when accessing Software Update depends on how your server is configured, when and how often your clients check for updates, the size of the updates, and a number of other factors. When planning for your server and network needs, consider these main factors:
Ethernet speed: 100Base-T or faster connections are required for client computers and the server. As you add clients, you might need to increase the speed of the Ethernet connections of your server. Ideally you want to take advantage of the Gigabit Ethernet capacity built in to your Mac server hardware to connect to a Gigabit switch. From the switch, connect Gigabit Ethernet or 100-Mbit Ethernet to each Macintosh client.
Hard disk capacity and number of packages: Software Update packages can occupy considerable hard disk space on server volumes, depending on the size and configuration of the packages and the number of packages being stored.
Number of Ethernet ports on the switch: Distributing Macintosh clients over multiple Ethernet ports on your switch offers a performance advantage. Each port must serve a distinct segment.
Number of Software Update servers on the network: You might want to provide different software updates to various groups of users.
By configuring directory services you can offer different update services by network or hardware type, each targeting a different Software Update server on the network.
Note: You can't configure Software Update servers to talk to one another.
Software Update storage
Software updates can easily take a large amount of disk space over time and cause problems with system resources. In a production environment, it is important to prevent the system disk from becoming full and causing instability. To eliminate the possibility of software updates filling a volume, system administrators normally limit the type of data stored on the root partition and place data that could grow substantially in size on other partitions. For example, you could use an Xserve RAID to store software updates. By default, software updates are stored in the /var/db/swupd/ folder. To store software updates in another location, choose a different partition or volume in the Software Update General settings pane.
Consider which Software Update packages to offer
Before you set up Software Update, consider whether to provide all or only part of Apple's software updates. Your client computers might run application software that requires a specific version of Apple software for the application to operate correctly. You can configure your Software Update server to serve only Software Update packages you approve. Restricting access to update packages might help prevent maintenance and compatibility problems with your computers. You can restrict client access in a Software Update server by disabling the automatic mirror-and-enable functions in the General Settings pane. You manage specific updates in the Updates pane of the Software Update server.
Organize your enterprise client computers
You might have individuals, groups, or groups of computers with common needs for only a few software update packages, while others might need unrestricted access to all software updates.
To provide varied access to software update packages, you must set up multiple Software Update servers. Use managed preferences to configure these computers to access a specific Software Update server. For more information about how to configure managed preferences for the Software Update server, see Workgroup Manager Help.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. If Software Update is started, click the Stop Software Update button.
5. Click General.
6. Click Choose and select the location to store downloaded software updates.
7. Click Save.
8. (Optional) If software updates were previously downloaded, use Terminal to copy the default software update folder to the new location:
$ sudo cp -p /private/var/db/swupd/html /Volumes/My_Volume/My_Software_Updates_Folder/
9. Click the Start Software Update button to confirm the operation.
10. (Optional) Use Terminal to delete the previous storage location to reclaim startup volume space:
$ sudo rm -rf /private/var/db/swupd/html
1. Open Server Admin and connect to the server.
2. Click Settings.
3. Click Services.
4. Select the Software Update checkbox.
5. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click Settings.
5. To limit client user bandwidth, select Limit user bandwidth for updates to and enter the maximum rate of update bandwidth per user.
6. From the pop-up menu, choose KB/second or MB/second.
7. Click Choose and select where the Software Update catalog and downloads will be stored. The default location is /var/db/swupd/.
8. To specify the port that software updates are provided through, enter a port number in the Provide updates using port field.
9. To keep a copy of the software updates on your server, select Copy __ updates from Apple and choose from the following options:
If you want all updates copied from the Apple update server, choose all in the pop-up menu.
If you want only new updates copied from the Apple update server, choose all new in the pop-up menu.
10. To immediately enable all software updates for client users, select Automatically enable copied updates. Enabling this feature retrieves all Apple published catalog updates and disables deprecated software packages that have a replacement package available. An administrator can disable the new software package and continue offering the deprecated package. If this feature is not selected and an administrator manually enables updates, deprecated software packages are disabled as their individual replacement packages are enabled.
11. To remove obsolete software updates from the Software Update storage location, select the Delete outdated software update packages checkbox. Enabling this feature does not remove obsolete or deprecated software updates from the local Software Update catalog.
12. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click the Start Software Update button (below the Servers list).
1. On the internal Software Update server, open Terminal.
2. Enter the following command:
$ sudo vi /etc/swupd/swupd.plist
3. Locate the following metaIndexURL key:
...
<key>metaIndexURL</key>
<string>http://swscan.apple.com/content/meta/mirror-config-1.plist</string>
4. Change the URL between the <string></string> tags to the location of your selected Software Update server. For example:
<key>metaIndexURL</key>
<string>http://myserver.example.com:8088/catalogs.sucatalog</string>
5. Save the changes and exit Terminal.
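Step 4 can be done without an interactive editor, which matters when the change is pushed to several internal servers. This is an added example, not the help page's own procedure; the upstream server name myserver.example.com is the page's example, and the temporary plist the script writes is a constructed stand-in for /etc/swupd/swupd.plist.

```shell
#!/bin/sh
# Added example: rewrite the metaIndexURL value in a swupd.plist file.
# The sample plist and the upstream server name are constructed.

# get_meta_index_url PLIST: print the <string> that follows <key>metaIndexURL</key>.
get_meta_index_url() {
    awk '
        prev_was_key && /<string>.*<\/string>/ {
            s = $0
            sub(/.*<string>/, "", s)
            sub(/<\/string>.*/, "", s)
            print s
            exit
        }
        /<key>metaIndexURL<\/key>/ { prev_was_key = 1 }
    ' "$1"
}

# set_meta_index_url PLIST URL: replace that <string> with URL. Keeps the
# original as PLIST.bak and refuses to touch a file in which the key is
# missing or appears more than once, so a typo cannot leave the server
# pulling its catalog from an unexpected source.
set_meta_index_url() {
    plist="$1"
    url="$2"
    count=$(grep -c '<key>metaIndexURL</key>' "$plist" 2>/dev/null)
    case "$count" in
        1) ;;
        *) echo "expected exactly one metaIndexURL key in $plist, found ${count:-none}" >&2; return 1 ;;
    esac
    cp -p "$plist" "$plist.bak" || return 1
    awk -v url="$url" '
        prev_was_key && /<string>.*<\/string>/ {
            match($0, /<string>/)
            print substr($0, 1, RSTART - 1) "<string>" url "</string>"
            prev_was_key = 0
            next
        }
        { print }
        /<key>metaIndexURL<\/key>/ { prev_was_key = 1 }
    ' "$plist.bak" > "$plist"
}

# make_sample_plist: write a plist shaped like the fragment in step 3 to a
# temporary file and print its path (constructed, not the real swupd.plist).
make_sample_plist() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>metaIndexURL</key>
    <string>http://swscan.apple.com/content/meta/mirror-config-1.plist</string>
</dict>
</plist>
EOF
    echo "$f"
}

# Demonstration on the temporary copy. On the server you would pass
# /etc/swupd/swupd.plist and run the script with sudo.
sample=$(make_sample_plist)
echo "before: $(get_meta_index_url "$sample")"
set_meta_index_url "$sample" "http://myserver.example.com:8088/catalogs.sucatalog"
echo "after:  $(get_meta_index_url "$sample")"
rm -f "$sample" "$sample.bak"
```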
To point unmanaged clients to a Software Update server
1. Make a backup copy of the /Library/Preferences/com.apple.SoftwareUpdate.plist file, if it exists.
2. On the unmanaged client, open Terminal.
3. Enter the following command:
$ sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL URL
Replace URL with the URL of the Software Update server, including the port number and the name of the catalog file for the specific version of Mac OS X. For example, for Mac OS X v10.5:
http://su.domain_name.com:8088/index-leopard.merged-1.sucatalog
You can verify your change using the following command:
$ defaults read /Library/Preferences/com.apple.SoftwareUpdate CatalogURL
To point the unmanaged client computer back to the Apple Software Update server, use the following command:
$ sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL
You can revert these changes by replacing the /Library/Preferences/com.apple.SoftwareUpdate.plist file with the backup copy you made in step 1.
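Because an unmanaged client's CatalogURL is a plain preference, it is worth checking periodically that it still points at a server you run: a client with a stray value takes its list of available updates from a catalog you do not control, even though the installer still accepts only Apple-signed packages. The script below is an added example, not part of the help page; the approved prefix http://su.example.com:8088/ is a constructed allowlist standing in for your own server, and the defaults commands are the ones from the procedure above.

```shell
#!/bin/sh
# Added example: classify the CatalogURL an unmanaged client carries in
# /Library/Preferences/com.apple.SoftwareUpdate. The approved prefix is a
# constructed allowlist; replace it with the servers you operate.

# One URL prefix per entry, each ending in "/", so a host name that merely
# begins with yours (su.example.com.other.example.net) is not accepted.
APPROVED_CATALOG_PREFIXES="http://su.example.com:8088/"

# catalog_url_is_approved URL: returns 0 when URL starts with an approved
# prefix and names a .sucatalog file, 1 otherwise.
catalog_url_is_approved() {
    url="$1"
    for prefix in $APPROVED_CATALOG_PREFIXES; do
        case "$prefix" in
            */) ;;
            *) echo "ignoring prefix without trailing slash: $prefix" >&2; continue ;;
        esac
        case "$url" in
            "$prefix"*.sucatalog) return 0 ;;
        esac
    done
    return 1
}

# classify_catalog_url URL: prints apple (no custom catalog set, so the client
# uses Apple's servers), approved, or unapproved.
classify_catalog_url() {
    if [ -z "$1" ]; then
        echo apple
    elif catalog_url_is_approved "$1"; then
        echo approved
    else
        echo unapproved
    fi
}

# On a Mac, read the live value. "defaults read" fails when the key is
# absent, which leaves current empty and classifies the client as apple.
# On other systems there is no defaults command and this block is skipped.
if command -v defaults >/dev/null 2>&1; then
    current=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate CatalogURL 2>/dev/null || true)
    state=$(classify_catalog_url "$current")
    echo "CatalogURL: ${current:-(not set)} [$state]"
    if [ "$state" = unapproved ]; then
        echo "Revert with: sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL"
    fi
fi
```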
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click Updates.
5. Click the Refresh button.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. To see whether the service is running, when it started, when it last checked for updates, the number of updates that are copied or enabled, and whether auto-copy and auto-enable are turned on, click Overview.
5. To review the Software Update service log, click Log.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click the Stop Software Update button (below the Servers list).
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click General.
5. Select Limit user bandwidth for updates to.
6. Enter the maximum rate of update bandwidth per user.
7. From the pop-up menu, choose KB/second or MB/second.
8. Click Save.
To set the Software Update server's bandwidth:
$ sudo serveradmin settings swupdate:syncBandwidth = 1024
Note: This value sets an average rate limit, and instantaneous transfer rates may slightly exceed the cap for short durations.
Use Server Admin to copy and enable software updates automatically from Apple. Enabling this feature retrieves all Apple published catalog updates and disables deprecated software packages that have a replacement package available. An administrator can disable the new software package and continue offering the deprecated package. If this feature is not selected and an administrator manually enables updates, deprecated software packages are disabled as their individual replacement packages are enabled.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click General.
5. Select Copy __ updates from Apple and choose from the pop-up menu:
If you want all updates copied from the Apple update server, choose all.
If you want only new updates copied from the Apple update server, choose all new.
6. Select Automatically enable copied updates.
7. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click General.
5. Make sure Copy __ updates from Apple is deselected.
6. Make sure Automatically enable copied updates is deselected.
7. Click Save.
8. Click Updates.
9. Click Copy Now to copy software updates to your server.
10. To enable individual software updates, select the checkbox in the Enable column of the update.
11. Click Save.
Enabling this feature does not remove obsolete or deprecated software updates from the local Software Update catalog.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click General.
5. Select the Delete outdated software update packages checkbox.
6. Click Save.
1. Open Server Admin and connect to the server.
2. Click the triangle at the left of the server. The list of services appears.
3. From the expanded Servers list, select Software Update.
4. Click Updates.
5. Select the software update from the list. The software update product ID is displayed below the description field.
Get started
1. Log in as an administrator user.
2. Open System Image Utility (in the /Applications/Server/ folder).
3. In the left sidebar, select the image source. If no image sources are listed, mount a valid Mac OS X Lion installation image or a valid Mac OS X Lion boot volume. To create an image, you must have valid Mac OS X Lion image sources or volumes. If you download the Mac OS X Lion install assistant from the App Store and install it, a valid Mac OS X Lion image source appears in the source list. You cannot create an image of the startup disk you are running on.
4. Select NetBoot Image and click Continue.
5. In the Network Disk field, enter a name for your image. This name identifies the image in the Startup Disk preferences pane on client computers.
6. (Optional) In the Description field, enter notes or other information to help you characterize the image. Clients can't see the description information.
7. If the image is served from more than one server, select the checkbox below the description field. This option generates an index ID for NetBoot server load balancing.
8. Click Create.
9. In the Save As dialog, choose where to save the image. If NetBoot service is configured on a network port and Server Admin is set to serve images from a volume, the NetBoot service share point folder NetBootSPn appears in the pop-up menu.
Important: Do not attempt to edit content in the image destination folder while the image is being created.
1. Log in as an administrator user.
2. Open System Image Utility (in the /Applications/Server/ folder).
3. In the left sidebar, select the image source.
4. Select NetInstall Image and click Continue.
5. In the Network Disk field, enter a name for your image. This name identifies the image in the Startup Disk preferences pane on client computers.
6. (Optional) In the Description field, enter notes or other information to help you characterize the image. Clients can't see the description information.
7. If the image is served from more than one server, select the checkbox below the description field. This assigns an index ID to the image for NetBoot service load balancing.
8. Click Create.
9. In the Save As dialog, choose where to save the image. If you don't want to use the image name you entered earlier, change it by entering a name in the Save As field. If you're creating the image on the same server that will serve it, choose a volume from the Serve from NetBoot share point on pop-up menu. For this option to appear in the pop-up menu, NetBoot service must be configured on a network port and Server Admin must be set to serve images from a volume. To save the image somewhere else, choose a location from the Where pop-up menu or click the triangle next to the Save As field and navigate to a folder.
Important: Do not attempt to edit content in the image destination folder while the image is being created.
1. Log in as an administrator user.
2. Open System Image Utility (in the /Applications/Server/ folder).
3. In the left sidebar, select the image source. If no image sources are listed, mount a valid Mac OS X Lion installation image or a valid Mac OS X Lion boot volume.
4. Select NetRestore Image and click Continue.
5. In the Network Disk field, enter a name for your image. This name identifies the image in the Startup Disk preferences pane on client computers.
6. (Optional) In the Description field, enter notes or other information to help you characterize the image. Clients can't see the description information.
7. If the image is served from more than one server, select the checkbox below the description field. This assigns an index ID to the image for NetBoot service load balancing.
8. Click Create.
9. In the Save As dialog, choose where to save the image. If you don't want to use the image name you entered earlier, change it by entering a name in the Save As field. If you're creating the image on the same server that will serve it, choose a volume from the Serve from NetBoot share point on pop-up menu. For this option to appear in the pop-up menu, NetBoot service must be configured on a network port and Server Admin must be set to serve images from a volume. To save the image somewhere else, choose a location from the Where pop-up menu or click the triangle next to the Save As field and navigate to a folder.
10. Click Save and authenticate if prompted.
Important: Do not attempt to edit content in the image destination folder while the image is being created.
1. Start up the computer from a partition other than the one you're imaging.
2. Install System Image Utility on the client computer.
3. Open System Image Utility on the client computer (in the /Applications/Server/ folder).
4. In the left sidebar, select the image source.
5. From the expanded list, select the image source.
6. Select the type of image you want to create and click Continue:
If your client computers will start up from this image, select NetBoot.
If your image will be installed on a hard disk, select NetInstall.
If your image is a clone of a volume, select NetRestore.
7. In the Image Name field, enter a name for your image. This name identifies the image in the Startup Disk preferences pane on client computers.
8. (Optional) In the Description field, enter notes or other information to help you characterize the image. Clients can't see the description information.
9. If the image is served from more than one server, select the checkbox below the description field. This option generates an index ID for NetBoot server load balancing.
10. For NetBoot images, if your source volume is a Mac OS X Lion installation image, enter a user name, short name, and password (in the Password and Verify fields) for the administrator account in Create Administrator Account. You can log in to a booted client using this account.
11. Click Create.
12. In the Save As dialog, choose where to save the image. If you don't want to use the image name you entered earlier, change it by entering a name in the Save As field. To save the image somewhere else, choose a location from the Where pop-up menu or click the triangle next to the Save As field and navigate to a folder.
13. Click Save and authenticate if prompted.
Important: Do not attempt to edit content in the image destination folder while the image is being created.
14. After the image is created on the client computer, copy it to the /Library/NetBoot/NetBootSPn share point on the server for use by NetBoot service. Images should be stored in this folder.
Workflows
About workflows
System Image Utility harnesses the power of Automator to help you create custom images by assembling workflows. The basic building block of a workflow is an Automator action. You define the image customization by assembling Automator actions into a workflow. Instead of being a do-it-all tool, an action is purpose-designed to perform a single task well. By combining several actions into a workflow, you can quickly accomplish a specific task that no one action can accomplish on its own. Each action performs a single task, such as customizing a software package or adding a user account. You use workflows to create customized NetInstall or NetBoot images depending on the goals of your task:
Workflows that create custom NetInstall images assemble an image that installs the OS onto the computer, originating either from installation DVDs or from an installed OS volume. This image boots into the installer environment or a similar shell environment and performs the workflow steps you define.
Workflows that create custom NetBoot images assemble a bootable image from installation DVDs or from an installed OS volume. This image can be directly installed onto a target volume using the asr command-line tool or NetBoot.
For more information, see Assemble workflows.
Assemble workflows
To assemble a workflow from a set of actions, drag and drop the actions from the Automator Library in the sequence you want them to run. Each action in the workflow corresponds to a step you would otherwise perform manually. Each action has options and settings you can configure. System Image Utility connects these action components with the types of data that flow from one action to another. You can save your assembled workflows to reuse later.
Add workflows
You can update or modify workflows by adding them to System Image Utility.
1. Open System Image Utility.
2. Click the Add button (+) and select Add Existing Workflow.
3. Select the workflow to add to System Image Utility. Workflows have the .workflow file extension.
4. Click Open.
Remove workflows
You can remove workflows from System Image Utility.
1. Log in as an administrator user and open System Image Utility.
2. In the left sidebar, click the triangle next to Workflows. The list of workflows appears.
3. Select the workflow to remove and choose File > Remove Workflow.
4. Click Remove to confirm the action. The workflow is removed from System Image Utility but is not deleted from your computer.
1. Log in as an administrator user.
2. Open System Image Utility (in the /Applications/Server/ folder).
3. In the image source list, click the triangle at the left of Sources. The list of sources appears.
4. From the expanded list, select the image source. When you select the source, a default image type is chosen based on the contents of the selected source.
5. Choose which type of image you are creating (NetInstall, NetBoot, or NetRestore image).
6. Click Customize for advanced image creation options. This opens the workflow pane and Automator Library. The Define Image Source action is present as the first component in the workflow.
7. Configure the Define Image Source action for your image. This action is required at the beginning of all image workflows. See Configure the Define Image Source action.
8. From Automator Library, choose the additional actions that your customized image requires and drag them into the Workflow pane between the Define Image Source action and the Create Image action.
9. Assemble the actions in the order you like, configuring each action as you go. For more information on configuring the actions, see About workflows.
10. Add the Create Image action to the end of your workflow. This action is required at the end of image workflows. See Configure the Create Image action.
11. Save the workflow by clicking Save, then enter the name of your workflow in the Save As field and choose where to save the workflow. To save the workflow somewhere else, choose a location from the Where pop-up menu or click the triangle next to the Save As field and navigate to a folder.
12. Click Save.
13. To start the workflow, click Run and authenticate if prompted.
Important: Do not attempt to edit content in the image destination folder while the image is being created.
The following command runs the workflow in the myworkflow.workflow file with the variable somevariable set to somevalue:
$ automator -D somevariable=somevalue myworkflow.workflow
For more information, see the automator man page.
Xgrid
Flexible architecture based on open standards
Support for the UNIX security model, including Kerberos single sign-on or regular password authentication
Choice between a command-line interface or an API-based model for grid interaction
Common types of grids and grid computing styles
Xgrid can be used in tightly coupled clusters, worldwide grids, and everything in between. This immense flexibility enables you to deploy grids of almost any nature. Three topologies are commonly used for Xgrid deployments.
Xgrid clusters
Computational clusters are sets of systems dedicated to computation. In a cluster, systems are typically colocated in a rack, connected using Gigabit Ethernet or another high-performance network, and strictly managed for maximum performance. Cluster systems are often entirely homogeneous: their operating systems are the same versions, they have the same software installed, and they generally have the same processor, disk, and RAM configurations. Xgrid enables administrators to easily configure the distributed resource management functionality of the cluster. Each server in the system runs the agent software, and the head node in the cluster runs the controller software. Xgrid distributes tasks across the cluster. In clusters, failure rates are generally very low. Systems are rarely, if ever, offline, and their resources are not shared with general user tasks. Clusters are the most efficient but most expensive model of distributed computing.
Local grids
Systems that are under common administration in a company, university computer lab, or other managed environment can often be easily assembled into a grid for desktop recovery. These systems are often on a local area network (LAN) and are generally managed by a single organization. As a result, they provide good network performance and offer substantial manageability. Because these systems are often also used as day-to-day workstations, users can easily interrupt grid tasks by moving the mouse, resetting the system, or even accidentally disconnecting the system from the network. In such cases, a task might fail as part of an Xgrid job. The Xgrid controller eventually reassigns the failed task to another agent, and the job completes successfully. In local grids, performance is limited by such situations and by the varying performance of any given agent on the grid.
Distributed grids
When a system is permitted to donate its time, a distributed grid is formed. The Xgrid agent enables a user to specify any IP address or host name for its controller. By specifying a grid, a user can dedicate his or her CPU time to that grid no matter where the controller is located. The manager of the controller has no direct management control over, or knowledge of, the agent system but is nonetheless able to harness its CPU time. Distributed grids have very high failure rates for jobs but place a very low burden on the grid administrator. With very large jobs, high task failure rates might not substantially affect the performance of the grid if failed tasks can be rapidly reassigned to other available agents. Network performance can also be a consideration, because data is sent over the Internet, rather than over a local network, to agents connected to a grid. The monetary cost of such distributed grids is extremely low.
Xgrid
Xgrid components
The Xgrid three-tier architecture simplifies the distribution of complicated tasks. Its user clients, grid controllers, and computational agents work together to streamline the process of assembling nodes, submitting jobs, and retrieving results. The primary components of a computational grid perform the following functions:
An agent runs one task at a time per CPU; therefore, a multiprocessor computer can run multiple tasks simultaneously.
A controller queues tasks, distributes those tasks to agents, and handles task reassignment.
A client submits jobs to the Xgrid controller in the form of multiple tasks. (A client can be any computer running Mac OS X v10.4 or later or Mac OS X Server v10.4 or later.)
Figure: Animators can render images using Mac systems across multiple corporate locations.
In principle, the agent, controller, and client can run on the same server, but it is often more efficient to have a dedicated controller node.
Client
Any system can be an Xgrid client if it is running Mac OS X v10.4 or later and has a network connection to the Xgrid controller system. In general, the client can connect to only a single controller. Depending on how a controller is configured, the client must supply a password or be authenticated by Kerberos (single sign-on) before submitting a job to the grid. A user submits a job to the controller from a system running the Xgrid client software, usually a command-line tool accessed with the Terminal application. The job can specify the controller or use multicast DNS (mDNS) to dynamically discover the first available controller. Because mDNS discovery is not authenticated, any host on the local network can advertise itself as a controller; specify the controller explicitly when the job or its data is sensitive. When the job is complete, the controller notifies the client and the client can retrieve the results of the job.
Controller
The Xgrid controller manages communications among the computational resources of a grid. The controller requires Mac OS X Server v10.4 or later. The controller accepts network connections from clients and agents. It receives job submissions from clients, divides the jobs into tasks, dispatches tasks to agents, and returns results to clients. Although there can be more than one Xgrid controller running on a subnet, there can only be one controller per logical grid. Each controller can have an arbitrary number of agents connected, but Apple has tested 128 agents per controller. However, there is no software limitation on the number of agents, and users of Xgrid can choose to exceed 128 agents on a controller at their own risk, with a theoretical maximum equal to the number of available sockets on the controller system.
Agent
Xgrid agents run the computational tasks of a job. In Lion Server, the agent is turned off by default. When an agent is turned on and becomes active at startup, it registers with a controller. (An agent can be connected to only one controller at a time.) The controller sends instructions and data to the agent as needed for the controller's jobs. After it receives instructions from the controller, the agent performs its assigned tasks and sends the results back to the controller. By default, agents seek to bind to the first available controller on the LAN. Alternatively, you can specify that an agent bind to a specific controller; on an untrusted network, doing so prevents the agent from taking instructions from whichever controller happens to answer first. You can also specify whether an agent is always available or is available only when the computer is idle. A computer is considered idle when it has had no mouse or keyboard input; CPU and network activity are ignored when determining idleness. If a user returns to a computer that is running a grid task, the computer continues to run the task until it is finished. By default, the agent on a Mac server is dedicated and the agent on a Mac OS X computer (not a server) is configured to accept tasks only when the computer has had no user input for 15 minutes.
Setup Xgrid
Using Server Admin you can configure Xgrid to set up computer groups (grids or clusters) and allow users to easily submit complex computations to these grids (local, remote, or both), as an ad hoc grid or a centrally managed cluster.
Setup overview
Here is an overview of the steps for setting up the Xgrid service:
1. Identify the Xgrid environment you need. Before configuring Xgrid, you must define the grid environment you'll create. In particular, you must decide the following: the kind of authentication to use (see Authentication methods for Xgrid); where to host your controller (see Host the grid controller); and how you will manage the controller (see Manage Xgrid and Monitor grid activity).
2. Prior to configuring, enable Xgrid service. See Enable Xgrid service.
3. Optionally, configure Xgrid using the Xgrid service configuration assistant. This assistant helps with Xgrid configuration by automating many settings. See Configure Xgrid with the Xgrid service configuration assistant.
4. Configure your server as an Xgrid controller using Server Admin. See Configure controller settings.
5. Start Xgrid on the server using Server Admin. See Start Xgrid.
6. Configure your server as an Xgrid agent. See Configure an Xgrid agent (server).
7. Configure your Mac OS X computers as Xgrid agents. See Configure an Xgrid agent (Lion client).
8. Determine and implement a plan for redundancy. See About Xgrid redundancy and Set up Xgrid redundancy.
You submit jobs to a grid using the command-line tool and Terminal. Example code is available on the Apple developer website (developer.apple.com) for alternative methods of submitting jobs. Also, if you have Developer Tools installed you can view the examples located in /Developer/Examples/Xgrid/.
When you submit a job to a grid, make sure you use a universal binary. This assures that your job has the correct architecture no matter what architecture the grid agents provide. Also, make sure you set your deployment target correctly. For example, if you are building a tool for Mac OS X v10.6 you must build with Mac OS X v10.6 as your deployment target. For more information about the syntax and options for the Xgrid command-line tool, see the xgrid man pages.
Some developers and organizations offer specialized applications for submitting jobs to a grid. Or you can create an application using Apple's developer tools for Xgrid. When determining whether to use the xgrid command-line tool or another method for submitting jobs, consider these points:
If the job is simple, use the command-line tool.
If you use a shell script, use the command-line tool.
If you want to use Xgrid as part of an application with a graphical user interface (GUI), use the Xgrid API to create the GUI or incorporate it in an existing application. For more information about the API, see Xgrid Reference at developer.apple.com/documentation/.
Examples of Xgrid job submission and results retrieval
The following Terminal commands are examples of jobs a client can submit to the controller.
$ xgrid -h <controller> -p <password> -job submit /bin/echo "Hello, World!"
This job runs /bin/echo on the controller and agent systems with the Hello, World! parameter.
$ xgrid -h <controller> -p <password> -job results -id <id>
This command shows the results of the job with the id indicated.
Note that a password given with -p appears on the command line, where any local user can read it from a process listing and where it is kept in your shell history. On a controller configured for Kerberos, authenticate with your Kerberos ticket instead of a password.
For an executable shell script named hello.sh:
#!/bin/sh
/bin/echo "Hello, World!"
The following command copies the shell script hello.sh to the Xgrid controller and agent systems and runs the script. /bin/echo must be present on the agent systems, and the hello.sh script must have its executable bit set before it can execute.
$ xgrid -h <controller> -p <password> -job submit hello.sh
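The commands above submit a job and fetch its results as two separate manual steps. The following shell script is an added example, not part of Apple's documentation or the xgrid tool, that wraps the same xgrid invocations so a job can be submitted, watched until it reaches a final state, and collected from a script. It assumes the output formats noted in the comments (a property list with a jobIdentifier field from -job submit, and one with a jobStatus field from -job attributes); verify those against your own controller before relying on them. XGRID_AUTH_OPTS is a variable name chosen for this example, not an xgrid setting, and the parsing helpers are written so they can be exercised without a controller.

```shell
#!/bin/sh
# Added example (not from Apple's Xgrid documentation): submit a job with the
# xgrid tool, wait until the controller reports a final status, then print the
# results.
#
# Assumptions, labelled because the page does not show this output:
#   - `xgrid ... -job submit` prints a property list containing
#     "jobIdentifier = N;"
#   - `xgrid ... -job attributes -id N` prints one containing
#     "jobStatus = Word;" where Word is Pending, Running, Finished, Failed
#     or Canceled.
# Check both against a real controller; the parsers below print nothing when
# the expected field is absent, so a format mismatch is reported, not ignored.
#
# XGRID_AUTH_OPTS is this example's own variable, not an xgrid one. Set it to
# the authentication options your controller requires. Prefer Kerberos where
# the controller supports it, so that no password sits on the command line in
# `ps` output or in your shell history.

# Print the numeric job id found in submit output, or nothing on failure.
job_id_from_submit_output() {
    printf '%s\n' "$1" \
        | sed -n 's/.*jobIdentifier *= *\([0-9][0-9]*\);.*/\1/p' \
        | head -n 1
}

# Print the jobStatus word found in attributes output, or nothing on failure.
job_status_from_attributes() {
    printf '%s\n' "$1" \
        | sed -n 's/.*jobStatus *= *\([A-Za-z][A-Za-z]*\);.*/\1/p' \
        | head -n 1
}

# Succeed (return 0) when the controller will not change this status again.
job_status_is_terminal() {
    case "$1" in
        Finished|Failed|Canceled) return 0 ;;
        *) return 1 ;;
    esac
}

# Submit a command as a job, poll until it is terminal, then print its results.
# Usage: xgrid_run CONTROLLER cmd [args...]   (needs the xgrid tool installed)
# Returns 0 only if the job status is Finished.
xgrid_run() {
    controller="$1"; shift
    out=$(xgrid -h "$controller" $XGRID_AUTH_OPTS -job submit "$@") || return 1
    id=$(job_id_from_submit_output "$out")
    if [ -z "$id" ]; then
        echo "could not find jobIdentifier in submit output: $out" >&2
        return 1
    fi
    while :; do
        attrs=$(xgrid -h "$controller" $XGRID_AUTH_OPTS -job attributes -id "$id") || return 1
        status=$(job_status_from_attributes "$attrs")
        if [ -z "$status" ]; then
            echo "could not find jobStatus in attributes output: $attrs" >&2
            return 1
        fi
        job_status_is_terminal "$status" && break
        sleep 5
    done
    echo "job $id ended with status $status" >&2
    xgrid -h "$controller" $XGRID_AUTH_OPTS -job results -id "$id"
    [ "$status" = Finished ]
}
```

Source the script, set XGRID_AUTH_OPTS, and call, for example, xgrid_run mycontroller /bin/echo "Hello, World!"; the loop polls every five seconds, which is coarse but keeps the controller's load from a scripted client low.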
RELATED INFORMATION
View job status from the command line
Retrieving job results from the command line
Manage Xgrid
Add or remove agents in a grid
See a list of jobs in a grid, the date and time each job was submitted, its progress, and the active CPU power for the job
Remove jobs in a grid
Stop a job in progress
Restart a job that was stopped or is complete
Xgrid Admin provides controls in its graphical interface and menu commands for all of its options. You can also use the Xgrid command-line tool to perform these tasks.
RELATED INFORMATION
Manage controllers
Manage agents
Manage jobs
Manage grids
Status indicators in Xgrid Admin
Use Xgrid from the command line
4. Click Administrators.
5. Select the level of restriction you want for the services: To restrict access to all services, select For all services. To set access permissions for individual services, select For selected services below, then select a service from the Service list.
6. Open the Users and Groups window by clicking the Add button (+).
7. From the Users and Groups window, drag users and groups to the list.
8. Set user permissions: To grant administrator access, choose Administer from the Permission pop-up menu next to the user name. To grant monitoring access, choose Monitor from the Permission pop-up menu next to the user name.
9. Click Save.
# delete the next two lines
# autogenerated from : /LDAPv3/xgridtest.apple.com
# generation_id : 1637891359
[libdefaults]
	default_realm = XGRIDTEST.APPLE.COM
[realms]
	XGRIDTEST.APPLE.COM = {
		kdc = xgridtest.apple.com
		admin_server = xgridtest.apple.com
	}
[domain_realm]
	apple.com = XGRIDTEST.APPLE.COM
	.apple.com = XGRIDTEST.APPLE.COM
Link aggregation
You create a link aggregate on your computer in the Network pane of System Preferences. To set up your Lion Server for link aggregation, you need a Mac with two or more IEEE 802.3ad-compliant Ethernet ports. In addition, you need at least one IEEE 802.3ad-compliant switch or another Lion Server computer with the same number of ports.
By default, the system gives the link aggregate the interface name bond<num>, where <num> is a number indicating precedence. For example, the first link aggregate is named bond0, the second is bond1, and the third is bond2. The interface name bond<num> assigned by the system is different from the name you give to the link aggregate port configuration. The interface name is for use at the command line, but the port configuration name is for use in the Network pane of System Preferences. For example, if you enter the command ifconfig -a, the output refers to the link aggregate using the interface name and not the port configuration name:
bond0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::2e0:edff:fe08:3ea6 pre
You do not delete or remove a link bond from the Network pane of System Preferences. You remove the bond through the Manage Virtual Interfaces sheet used to create the bond.
1. Log in to the server as an administrative user.
2. Open System Preferences.
3. Click Network.
4. Click the Gear button and choose Manage Virtual Interfaces in the pop-up menu.
5. Click the Add button (+) and select New Link Aggregate in the pop-up menu. Note: You only see this option if you have two or more Ethernet interfaces on your system.
6. In the Name field, enter the name of the link aggregate.
7. Select the ports to aggregate from the list.
8. Click Create.
9. Click Done.
1. Open System Preferences.
2. Click Network.
3. From the list of network interfaces on the left, choose the link aggregate port virtual interface.
4. Click Advanced in the lower right side of the window.
5. Select the Bond Status tab. The Sending and Receiving status indicators are color-coded. Green means the link is active (turned on) and connected. Yellow means the link is active but not connected. Red means the link can't send or receive traffic. The Status pane displays a list containing a row for each physical link in the link aggregate. For each link, you can view the name of the network interface, its speed, its duplex setting, the status indicators for incoming and outgoing traffic, and an overall assessment of the status.
6. To view more information about a link, click the corresponding entry in the list.
In this scenario, you connect the servers directly using the physical links of the link aggregate. This allows the two servers to communicate at a higher speed without the need for a switch. This configuration is ideal for ensuring back-end redundancy.
Computer to switch
In this scenario, you connect your server to a switch configured for 802.3ad link aggregation. The switch should have bandwidth for handling incoming traffic equal to or greater than that of the link aggregate (logical link) you define on your server. For example, if you create an aggregate of four 1-Gbit/s links, use a switch that can handle incoming traffic (from clients) at 4 Gbit/s or more. Otherwise, the increased bandwidth advantage in the link aggregate won't be fully realized. Note: For information about how to configure your switch for 802.3ad link aggregation, see the documentation provided by the switch manufacturer.
Computer to switch-pair
In this scenario, you improve on the computer-to-switch scenario by using two switches to eliminate the switch as a single point of failure. For example, you can connect two links to the master switch and the remaining links to the backup switch. As long as the master switch is active, the backup switch remains inactive. If the master switch fails, the backup switch takes over transparently. Although this scenario adds redundancy that protects the server from becoming unavailable if the switch fails, it results in decreased bandwidth.