Archive for October, 2007

Leopard Server: Introduction to Wikis

Sunday, October 28th, 2007

Leopard Server and wiki. It’s cool and it works. But when you’re first looking into it, it might seem a little confusing. So let’s do a simple walkthrough. Here we’re going to enable a wiki in advanced mode for a group called testgroup and we’re going to give a user called testadmin access to edit the wikis and create new ones. To get access to the wiki we’re going to assume a hostname of

First, let’s go into Workgroup Manager and create a new group called testgroup. To do this, open Workgroup Manager, authenticate to Open Directory and click on the New Group icon in the toolbar. Enter a name for the group (testgroup for this example) and check the box for “wiki and blog.” Select the website to publish the wiki to in the “Enable the following services for this group on” field. Choose who can view and who can write to the wiki and click on the Save button.

Now let’s create a user called testuser. In Workgroup Manager, click on the User list and click on New User. Now enter a name for the user and a password. Then use the Groups tab to put the user into the testgroup group. Now click on Save.

Now that we have a user and group to give access to the wiki let’s go ahead and create a wiki. To do this open Server Admin. If the Web Service has not been enabled yet, click on the server name, click on Settings in the toolbar and then click on the Services tab and place a check in the box for Web. Now click on the web icon and click on the Settings tab. Select a theme for your site and click on Save. Now click on the Sites icon in the toolbar and click on the site you’d like to publish your wiki on. From here click on the Web Services tab and put a checkmark in the Wiki and blog box. Now click on Save. Then Start the web service.

Now you should be able to open up a web browser and go to the URL of the server. Remember, do this by host name and not IP. At this point, you’ll see the Groups tab along the top navbar. From here you can click on Groups and then click on the group you want to create the wiki for (testgroup for our test wiki). Now you’ll be asked for a username and password. Enter the testuser you created and the password that you gave to testuser. Now you can click on the + icon to create your first entry in the wiki. Let’s call it testpost.

That’s it. You’ve now created your first wiki article on your new wiki server. Notice that if you enabled calendars and blogs there will be icons for these in the top nav bar. You can customize everything you see on the screen to give it a more organizational look and feel. For example, if you click on the pencil icon you will be able to rename the blog and customize the prebuilt information listed in the Welcome to your Wiki page.

Leopard Server: Introduction to Ruby on Rails

Sunday, October 28th, 2007

So Ruby on Rails… What does this mean for me and what exactly is Ruby on Rails from a systems administration standpoint? Ruby on Rails was created by David Heinemeier Hansson from his work on Basecamp, a web-based project-management tool, by the company 37signals. Ruby on Rails was first released to the public in July 2004. Ruby on Rails is a web application framework designed to support the development of dynamic websites. To see some sites built using Ruby on Rails check out

Ruby is the object-oriented programming language that Rails is built on. To access Rails, you can use the rails command.

The Ruby on Rails framework is built into Leopard Server and can be started up using the mongrel_rails start command. It can be stopped using the mongrel_rails stop command. Mongrel is a fast HTTP library and server for Ruby. mongrel_rails is a command line tool that can be used to control the Mongrel web server.

Some options to the mongrel_rails command include the following:

-d daemonize
-p assign a custom port
-a assign an address for the HTTP listener
-l assign a log file to use
-t customize the timeout variable
-m use additional MIME types
-r change the document root
-B enable debugging
-C use a configuration file
-S define an additional config script
-h access the help libraries
-G generate a config file
--user define who the server will run as
--version get the version information for Mongrel

But that’s not all you can do with mongrel_rails. The actual file is not compiled so you can read it in clear text and learn more about what it is doing behind the scenes. Just cd into the /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/gems/1.8/gems/mongrel-1.0.1/bin/ folder to find it. One item of note is the inclusion of mongrel_rails_persist, a wrapper for mongrel_rails that allows admins to register the Mongrel Server with Bonjour and create a launchd plist to run Mongrel (/Library/LaunchAgents/

So let’s say that you have a Ruby application that lives at the following location /Library/WebServer/MyRubyApp. You can run the following command to launch it over port 8001 in a persistent manner: mongrel_rails_persist start -p 8001 -c /Library/WebServer/MyRubyApp

To access it from a web browser you would enter the address

From here you’ll be able to daemonize Mongrel and provide the Rails development framework to developers in your environment. There are already a lot of projects for using Ruby with FileMaker and other database systems, so keep an eye out for more information about this piece of Leopard Server!

Leopard: The New

Saturday, October 27th, 2007

Apple has been slowly winning over a lot of traditional Unix and Linux converts. This new breed of switcher is after a cool shell environment. In Leopard, Apple has upgraded Terminal to provide a whole slew of new features that are sure to continue winning new converts. Let’s just take a look at a few of them:

Secure Keyboard Entry – Prevent other applications from detecting keystrokes used in Terminal. Enable this using the Terminal menu.

Tabbed Interface – I always have 3 shell windows open. That’s how I roll. But with the new tabbed interface (which you can access using the Command-T keystroke) I find that I’m using two shell windows with 3 tabs each. This gives me the ability to have a man page or process list on one side of my screen while being able to run other commands on the other side. You can fire up 2 shell windows and then open as many tabs as you like.

Export Settings – This isn’t new in Leopard, but what is new in Leopard is that the tabs get exported along with window positions, layouts, themes and backgrounds.

Themes – Glass, Homebrew, Novel, Red Sands – these themes allow you to use prebuilt templates for how you view your shell. These include background, text color and transparency. Can you imagine Steve sitting in his office at Apple dinking around with the Homebrew theme?

Window Groups – A group of windows with a saved location, tabbed layout, shell configuration and settings.

Terminal Inspector – Switch themes on the fly, view running processes and increase the columns and rows of a shell environment.

Titles – Set titles for your terminal windows so you can remember what was where.

Leopard Server: Using Directory to Update LDAP Entries

Saturday, October 27th, 2007

If you’re migrating to Leopard and Leopard Server then you’ve likely noticed the welcome addition of a new program in /Applications/Utilities called Directory. Directory allows users bound into an Open Directory environment to update LDAP records provided they have access to do so. Using LDAP ACLs it’s possible to give users access to update their own directory information using an LDAP directory browser such as Directory.

When you open Directory you should see a listing of all of the directory information that has been created. From here you can create Shared Contacts, Groups, Locations and Resources. Each of these can be connected to a calendar. Groups can have multiple members and get a Mailing List, Calendar or Blog connected to them.

Resource types include Automobiles, Conference Phones, Copiers, Digital Cameras, Notebooks, Printers, Projection Screens, Projectors, Scanners and Video Cameras. Resources can be reserved in an iCal Server Calendar and can have a delegate. Delegates are users that are able to manage particular resources.

The fact that there are a lot of objects in the LDAP database that can be managed means that it’s important to have a tool for configuring who can manage them. Workgroup Manager has basic permissioning built in, but it isn’t as granular as a lot of organizations will need. To get more granular it might be required to dip into the command line and configure LDAP using the configuration files. To get started with this, see the article from a couple of days ago about LDAP ACLs.

Leopard Server: Troubleshooting iCal Server

Saturday, October 27th, 2007

So you installed your new server and you’re having a few problems. Let’s look at the common issues and a few simple fixes for them.

iCal will not start, with log entries that it is unable to create a virtual host: Check your host name. iCal is going to need the host name to be correct in order to start. Use scutil --get HostName and then make sure that the host name listed in the iCal Server settings is identical to this value.

You set up a user, check the box in Workgroup Manager for Enable Calendaring and then save your settings, but you get the following error in your logs:

Oct 12 15:51:26 cedge Workgroup Manager[2282]: +[WPUser userWithGUID::] returned nil!

This is likely caused by the fact that you are enabling a calendar for a local user. Try using an OD based user and see if you get the same error.

You got everything started and the account was created for the user, but when you add an account in iCal it fails to connect. Make sure that the port that iCal Server is using is appended to the end of the host name for the iCal Server. One issue that we see here is that unless you are using managed accounts, iCal Server is not likely going to append the port number for your iCal Server. Also verify that you can connect to the remote server, and remember that you can always open the URL of the server followed by a : and then the port number and get a login prompt. If you can authenticate to this as the user whose calendar you are trying to set up, then you can use the information in this screen to determine ACL information and other security settings that could be keeping calendars from working. Also keep in mind that while your default port might be 8008, your default port if you are using SSL is actually 8443.

Once you get this far, you should be able to create an event and see data listed in the Overview tab for iCal. If so, then you should be able to do about anything you want in iCal Server.

If you prefer to use the serveradmin CLI to control your services, you can also use the serveradmin settings calendar:ServerHostName = "SomeHostName" variable to change your host name. You can also use the calendar:HTTPPort to change the port number you are using for connectivity.

Happy Calendaring!!!

Leopard: New Certification Track

Saturday, October 27th, 2007

The Tiger Apple Certified Systems Administrator (ACSA) track allowed certification candidates to accomplish the ACSA by getting an Apple Certified Technical Coordinator (ACTC) and then obtaining 7 points. Points were obtained by taking a variety of exams whose point values were based on the number of days of the corresponding class.

Apple has now posted the ACSA requirements for 10.5. There is no longer a point system, which was a unique approach in the IT industry for achieving certifications. Instead, for the Leopard ACSA, Apple has now trimmed down the number of courses that are provided and requires that all exams be completed to accomplish the ACSA. For now, the certificates listed include:

Mac OS X Server Essentials v10.5
Directory Services v10.5
Deployment v10.5
Advanced Administration v10.5

Notice that there are no workstation oriented exams listed. The Support Essentials exam is all that is required to achieve an Apple Certified Help Desk Specialist (ACHDS) for Tiger. For Leopard, the ACHDS certification has been retired and replaced with the Apple Certified Support Professional, which likewise only requires the Support Essentials exam.

More information on the new certification program can be found here:

Leopard Server: Documentation Released

Saturday, October 27th, 2007

To answer all those questions like “How do I create a share point now?” Apple has been kind enough to post the documentation for Leopard Server at:

All of the new services are documented per Apple standards, so happy reading!

Leopard Server: Advanced Setup with Server Admin

Friday, October 26th, 2007

So you selected Advanced Setup during the wizard while you were installing Mac OS X Server and now you’re looking at this new Server Admin screen that you’ve never seen before. You see the server name but there are no services in the list. This is because Apple has gone the extra step to make Server Admin less confusing and more user friendly than ever before. When you click on the Settings icon at the top of the Server Admin screen you will see the tab for Services. Here, you can enable or disable any service by checking its box and clicking on the Save button.

Once a service has been enabled then it will appear under the server in the Servers list (notice it no longer says Sites and Services). From here, you’ll notice that the old chicklets from the bottom screen are gone. Now they have been replaced with an icon set in the toolbar that changes as you click between the services. For example, the AFP Service shows Overview, Logs, Graphs, Connections and Settings. Clicking through these icons, you’ll notice that they provide the same experience that the chicklets at the bottom of the screen provided. However, by placing them at the top the user interface makes more sense. One thing that is a bit strange is the decision to move the Start and Stop buttons to the bottom of the screen. When you enable a service it will not start by default so if you want to begin using it look to the bottom of the list and click on the Start button for the service.

When you enable and then click on each service you will notice that many have the same options that they’ve had in the past. There are exceptions (like a more granular logging tab for the FTP service), as there are with every version. But for the most part many of the settings have stayed the same through a few versions of the OS because they just make sense in how they are laid out.

New Services added are Radius, Podcast Producer, MySQL (which actually existed in its own stand-alone application before) and iCal. Each of these has a great purpose and will hopefully be explored in detail as time goes on. You might notice that one service, Applications, is gone from the list. Tomcat has now been moved into the Web Service as a checkbox (Enable Tomcat).

So that’s the quick and dirty tour of the new Server Admin application. It’s sleeker and has a (in our opinion) much improved interface over the old Server Admin.

Leopard: Advanced Network Interface Management (GUI)

Friday, October 26th, 2007

Slight change from how things were done in Tiger/Tiger Server, but all the old options are there if you look. The first change is that now there is a wizard that you can use to configure your network interface. Since this is on more advanced topics we’ll skip that but it’s worth noting.

Another shift is that a network interface is now referred to as a Service. So when you go to add an interface you will associate it with a Service Name. If you remove a Service using the – icon in the list you can always re-add it by clicking on the + in the services list, selecting the interface and assigning it a Service Name. If you check ifconfig you will find that if you remove a service and re-add it then it will come back up with the BSD name that it originally had. For example, remove the FireWire Service, Apply your changes, re-add the FireWire Service and in ifconfig it will still show as fw0 in the list. If you add a second service for fw0 and assign it unique IP stack information then it too will show as a second IP address under the same BSD interface, as can be seen below:

inet netmask 0xffffff00 broadcast
inet netmask 0xffff0000 broadcast

In order to set up a second IP address for one NIC using the GUI for Leopard:

1. Open System Preferences and go to the Network Preference Pane.
2. Click on the interface you would like to run a second IP address on.
3. Click on the cog wheel at the bottom of the list.
4. Click on Duplicate Service.
5. Type the name for your new Interface and click OK.
6. Click on the New Interface and click the Advanced button.
7. Click on TCP/IP and enter the appropriate IP information.
8. If needed, enter information for DNS, WINS and Proxies under their respective tabs.
9. Click on OK.
10. Click on Apply.

Now, rather than use one NIC you might want to use two NICs as one, or use Link Aggregation. Assuming the switch supports it and you have that side of things configured, here’s where you configure Link Aggregation:

1. Open System Preferences and go to the Network Preference Pane.
2. Click on the cog wheel at the bottom of the list.
3. Click on Manage Virtual Interfaces…
4. Click on the + icon.
5. Click on New Link Aggregate.
6. Enter the name for the new Link Aggregate “bond”.
7. Check the boxes for the interfaces that support Link Aggregation in the list.
8. Open Terminal and run ifconfig. Find bond in the list and verify that the correct MAC addresses for your aggregated NICs are in the list of MAC addresses for bond0 (or whatever BSD name was given to your bond when it was created).

To reorder services, click on a service and use the cog wheel to select the Set Service Order… option. From here you will be able to drag services up or down the list. The first service in the Service Order is still the default service that traffic will reply to. Therefore, if you want to actually use the additional services to respond to traffic you will still need to use the route command as has been used in *nix for a long time.

Kerberos Pruning Script

Friday, October 26th, 2007

I have noticed that over time inconsistencies can arise where a machine entry will be deleted from LDAP but the relevant Kerberos principals remain in the KDC. Here’s a small script that I wrote up to help prune out unwanted/stale Kerberos principals. Obviously great care must be taken when running this script; if you delete a principal that is still in use, things ARE going to break. So, think before you type. That being said, if you’re not interested in typing 20 delprinc commands, this script is for you.

Usage: pruneKerb query

pruneKerb will then list all principals matching “query” (standard case-sensitive grep match)

It takes a single argument, query, and outputs a list of matching Kerberos principals, presenting the user with the option to delete individual principals, delete all matching principals or simply print a list of matching principals.

Please read the script’s comments for more information.
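The script itself is not reproduced on this page, so the following is an added example of the same idea, not the original pruneKerb script. It is written in Python rather than shell so that the matching and the deletion plan can be checked before anything runs, and it assumes MIT kadmin.local is on the PATH, as on a Leopard Server KDC.

```python
"""Prune stale Kerberos principals (added example, not the original pruneKerb
script). It assumes MIT kadmin.local is on the PATH, as on a Leopard Server
KDC. Principals are matched by a case-sensitive substring, the KDC's own
principals are never offered for deletion, and nothing is deleted until the
chosen mode is confirmed."""
import subprocess
import sys

# Constructed sample of `kadmin.local -q listprincs` output, so the matching
# logic can be exercised without a KDC.
SAMPLE_LISTPRINCS = """\
afpserver/oldmac.example.com@EXAMPLE.COM
afpserver/server.example.com@EXAMPLE.COM
host/oldmac.example.com@EXAMPLE.COM
host/server.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Never delete the ticket-granting, kadmin or master-key principals.
PROTECTED_PREFIXES = ("krbtgt/", "kadmin/", "K/M@")


def parse_listprincs(output):
    """Keep only principal lines; remote kadmin also prints an
    'Authenticating as principal ...' banner that must be skipped."""
    return [line.strip() for line in output.splitlines()
            if "@" in line and not line.startswith("Authenticating")]


def match_principals(principals, query):
    """Case-sensitive substring match, like the grep in the original script."""
    return [p for p in principals
            if query in p and not p.startswith(PROTECTED_PREFIXES)]


def delprinc_command(principal):
    """The kadmin.local invocation that removes one principal."""
    return ["kadmin.local", "-q", "delprinc -force " + principal]


def plan(matches, mode, picks=()):
    """Turn the user's choice into commands: 'l' lists only, 'a' deletes every
    match, 'p' deletes the zero-based indexes given in picks."""
    if mode == "l":
        return []
    if mode == "a":
        return [delprinc_command(p) for p in matches]
    if mode == "p":
        if any(i < 0 or i >= len(matches) for i in picks):
            raise ValueError("pick out of range")
        return [delprinc_command(matches[i]) for i in sorted(set(picks))]
    raise ValueError("unknown mode: " + mode)


def list_principals():
    """Ask the local KDC for every principal in the realm."""
    out = subprocess.run(["kadmin.local", "-q", "listprincs"], check=True,
                         capture_output=True, text=True).stdout
    return parse_listprincs(out)


def main(argv):
    if len(argv) != 2:
        sys.exit("usage: pruneKerb.py query")
    matches = match_principals(list_principals(), argv[1])
    if not matches:
        sys.exit("no principals match %r" % argv[1])
    for i, p in enumerate(matches):
        print("%3d  %s" % (i, p))
    mode = input("(l)ist only, delete (a)ll, or (p)ick by number: ").strip()
    picks = ()
    if mode == "p":
        picks = [int(n) for n in input("numbers, comma separated: ").split(",")]
    commands = plan(matches, mode, picks)
    if commands and input("delete %d principal(s)? type yes: " % len(commands)) != "yes":
        sys.exit("aborted")
    for cmd in commands:
        print("running:", " ".join(cmd))
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main(sys.argv)
```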

New 318 Tech Journal Widget

Friday, October 26th, 2007

A new CMS means a new widget to view the new CMS. Check out this dashboard widget to stay updated on the latest 318 TechJournal posts!!!

Leopard: Disable the Glass Shelf Look in the Dock

Friday, October 26th, 2007

For early Leopard adopters that don’t like the new look and feel of the dock, here’s a command to disable that Glass shelf look in your dock:

defaults write com.apple.dock no-glass -boolean YES
killall Dock

If you would like to revert the setting:

defaults write com.apple.dock no-glass -boolean NO
killall Dock


Leopard Server: Using ACLs with Open Directory

Friday, October 26th, 2007

In Leopard, Workgroup Manager supports rudimentary ACLs for the LDAP database. We’re all familiar with Access Control Lists by now, especially in the Mac OS X Server community. However, we might not all be familiar with ACLs as they’re implemented in LDAP. But we should be, because LDAP is being used more and more as an address book, and with the new Directory application being shipped in Leopard it is conceivable that environments aren’t just going to use ACLs to secure LDAP but they’re also going to use them to allow users to self-update their information in the directory. So in the interest of security and making the most out of the technologies built into LDAP, let’s cover LDAP ACLs for a bit. To push beyond what you can do in Workgroup Manager, let’s take a look at building out more finely grained ACLs manually.

First, like with most things in LDAP ACLs are configured using the /etc/openldap/slapd.conf file. Below is the pertinent portion of this file that we will be looking at:

# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

Now, if we remove the commented out portions of the file or add more lines we can start to limit who has access to read and/or change what information in the LDAP database. Keep in mind that you always want to back up your slapd.conf file prior to doing so.

You can control access to each element in the database. Each ACL has an “access to” portion, which names the elements in the LDAP database that you are granting or denying access to, and then a “by” portion that lists who can do what to that portion of the database. An entire ACL can be listed on one line, as is done with policies that have only one user or group associated with them. For example, the following line gives anyone and everyone read access to the database:

access to dn.base="" by * read

For ease of use and reviewing, we typically put the “access to” on one line and the subsequent users or groups with access in their own “by” lines for more complicated ACL rule sets. Slapd parses the file in such a way that it realizes that “access to” means the beginning of a new ACL. The following is an example of some more complicated ACLs:

access to attrs=userPassword
    by dn="cn=users,dc=318,dc=com" write
    by self write
    by * compare
access to *
    by dn="cn=computers,dc=318,dc=com" write
    by users read
    by * auth

Access levels in ACLs are hierarchical. Levels that are used are none, auth, compare, search, read and write. None is the lowest level of access and write is the highest. Each level includes the rights of all lower levels. In the above example, a user is able to write to their own userPassword record. This means that the user is also able to auth, compare, search and read that record.

ACLs are processed from top to bottom. This makes it important to put specific ACLs and by statements above more general ones. In the example above, an ACL that restricts access to the userPassword attribute is followed by one applicable to *, that is, the entire LDAP database. Placing the userPassword ACL first causes the rule that allows users to change their own passwords to be processed before the wildcard that covers everyone. When a * is used as a wildcard in the access to line of slapd.conf it means the entire database or tree of the LDAP database. When the * is used in the by line it typically denotes all users.

These two points, the first match wins rule and the inclusive nature of access levels, are crucial to understanding how ACLs are parsed. They are also important for making sure your ACLs don’t lead to either greater or lesser levels of access than you intend in a given situation.

It can be time consuming to go through every possible attribute by group and determine who has access to what. However, if you want to have users updating their own addresses, phone numbers, and other information, as can be done with the Directory application, this is often one way to accomplish this goal. You could also provide help desk users the ability to update the database using the Directory application but not allow them to access other records in the LDAP database, such as group memberships. Having a very granular ACL environment for records can also allow you to obtain a maximum level of security.
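To see the first-match rule and the inclusive access levels in action, here is an added example (not the post’s code, and not OpenLDAP’s own parser) that evaluates the post’s two ACLs plus a constructed self-service rule set for the Directory application scenario just described. The DNs uid=alice, uid=bob, uid=helpdesk and uid=diradmin under cn=users,dc=318,dc=com are assumed, and the function swapped_is_weaker shows what reversing the post’s two ACLs would expose.

```python
"""First-match evaluator for the slapd.conf "access to ... by ..." subset used in
the post (added example, not the post's code and not OpenLDAP's). Only attrs= and
* targets and the self/users/anonymous/*/dn="..." who forms are modelled."""
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The two ACLs from the post, in the order the post recommends.
POST_ACLS = """
access to attrs=userPassword
    by dn="cn=users,dc=318,dc=com" write
    by self write
    by * compare
access to *
    by dn="cn=computers,dc=318,dc=com" write
    by users read
    by * auth
"""

# Constructed self-service rules placed in front of them: users edit their own
# contact fields and a help-desk DN edits everyone's, but group membership stays
# read-only for both of them (only the assumed uid=diradmin account may write it).
DIRECTORY_ACLS = """
access to attrs=telephoneNumber,mobile,street,postalCode
    by dn="uid=helpdesk,cn=users,dc=318,dc=com" write
    by self write
    by users read
    by * none
access to attrs=memberUid
    by dn="uid=diradmin,cn=users,dc=318,dc=com" write
    by users read
    by * none
""" + POST_ACLS

def parse_acls(text):
    """Each 'access to' starts a statement; following 'by' lines continue it.
    Comments are stripped; other directives before the first ACL are ignored."""
    stmts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("access to "):
            stmts.append(line[len("access to "):])
        elif line and stmts:
            stmts[-1] += " " + line
    acls = []
    for stmt in stmts:
        what, *clauses = re.split(r"\s+by\s+", stmt)
        parsed = []
        for clause in clauses:
            who, level = clause.rsplit(None, 1)
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            parsed.append((who, level))
        acls.append((what.strip(), parsed))
    return acls

def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    raise ValueError("unsupported target: " + what)

def who_matches(who, requester_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn == entry_dn
    if who.startswith('dn="'):
        return requester_dn == who[len('dn="'):-1]
    raise ValueError("unsupported who: " + who)

def granted_level(acls, requester_dn, entry_dn, attr):
    """Only the first ACL whose target matches is consulted; within it the
    first matching by clause wins, and no matching clause means none."""
    if not acls:
        return "read"  # slapd's default when no access directives exist
    for what, clauses in acls:
        if what_matches(what, attr):
            for who, level in clauses:
                if who_matches(who, requester_dn, entry_dn):
                    return level
            return "none"
    return "none"

def allowed(acls, requester_dn, entry_dn, attr, wanted):
    """Levels are inclusive: write implies read, search, compare and auth."""
    granted = granted_level(acls, requester_dn, entry_dn, attr)
    return LEVELS.index(granted) >= LEVELS.index(wanted)

def swapped_is_weaker(text=POST_ACLS):
    """Can alice read bob's password hash with the post's order, and with the
    two ACLs reversed? Returns (post's order, reversed order)."""
    acls = parse_acls(text)
    alice = "uid=alice,cn=users,dc=318,dc=com"
    bob = "uid=bob,cn=users,dc=318,dc=com"
    return (allowed(acls, alice, bob, "userPassword", "read"),
            allowed(list(reversed(acls)), alice, bob, "userPassword", "read"))
```

With the post’s order the second value of swapped_is_weaker() is True: once the catch-all ACL comes first, its “by users read” clause is the first match for userPassword and every authenticated user can read every password hash.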

This can also be put into the schema in order to force replication between hosts. Keep an eye out for that article at a later date. ;)

For what it’s worth, at 318 we’ve found that commenting out each ACL helps us to keep track of who did what, why and what they were thinking when they did it. Happy OD everyone!!!

Leopard: Custom Installations

Thursday, October 25th, 2007

Installing Mac OS X is a fairly simple task to complete and can typically take up to an hour or more depending on the installation options you choose. However, you should review all of your options in the installer as many items are not needed unless you have a specific need for them. Installing any operating system involves choices, which we will reveal throughout this chapter. If you are reinstalling your operating system, just make sure to have a valid backup before you continue on with this chapter.

The Installation Process

Installing Mac OS X requires little of a user other than agreeing to the license agreement, known as an EULA, and being able to click on Continue. Many of the choices available during installation can be left at their default settings. The system will simply guide you in many cases, allowing you to click Continue or Agree at most of the dialog boxes and obtain a default installation. But the power user knows better and wants to be up and running as quickly as possible. The power user wants to leave out any of the items from the operating system that they’re not going to use, and the power user is going to want a level of control over what is on their system that can’t be had by doing a default installation.

Also, until the system starts the Checking Disk process, which it will do in order to verify your installation media, you can stop the installation and go back to the operating system you had before. Of course, if you reformat a drive going back to your operating system will no longer be an option. Note: You can access Disk Utility while booted to the CD in order to partition your hard drive, but if you plan on using Boot Camp to install Windows onto a partition then you will need to leave your system with one partition.

The installation process takes users through a variety of steps to help choose which parts of the operating system to install. At most of the stages, you will be able to click on the default value and proceed without actually customizing anything. However, you will see a Customize button at many of the screens that can be used to

Note: Each version of OS X will have a slightly different installation process. This article is written for OS X 10.5. However, if you are using a previous version then while some of the screens will be similar do not expect them all to be the same.

Installing an Operating System onto an External Drive

When you install OS X you can choose to install it on any drive that is visible to your computer. This can be a USB jump drive, a FireWire hard drive or an Xserve RAID. There are a variety of reasons why you would use any of these as a boot medium rather than your internal drive. Whether the reason is portability, drive size, redundancy or performance, Apple has given us a lot of options by allowing the installation of the operating system on any medium the computer can access that doesn’t require special drivers.

• USB jump drive: Placing a customized and very trimmed down operating system onto a USB jump drive can provide you with the ability to have a quick and easy way to troubleshoot any computer in your pocket at any time. The size of a USB jump drive makes it a good choice for people just looking to
• FireWire: FireWire hard drives are becoming more and more inexpensive with each passing year. These portable drives can allow you to take your files with you anywhere. But they’re not as good for use as a full time operating system. They are great for carting around installers, using as targets for your backups, and it never hurts to have an operating system on one to use for troubleshooting.
• Internal RAID 0: A RAID is a random array of independent disks, or disks that have been combined for a specified outcome. RAID 0 disks are particularly helpful with increasing performance and obtaining a larger drive than what is possible without using a RAID. Computers with an operating system installed on a RAID 0 will receive a slight speed increase, but if either drive fails then you risk losing all of the data on the volume.
• Internal RAID 1: A RAID 1 disk set is also known as a mirror. In a mirrored disk set, if any single drive fails then all of the data is also located on the second drive. There is a slight reduction in speed for RAID 1 volumes.
• Internal RAID 5: Apple recently released a card that allows for using 3 internal drives to create a RAID 5 volume. RAID 5 allows for redundancy as is found with RAID 1 and a larger volume as is found in RAID 0, with an offset in the speed decrease.
• Xserve RAID: The Xserve RAID can be connected to a computer through a fibre cable and allows for a single volume size of up to 10 terabytes.

Once you have your drives ready to install onto you will want to choose whether to do an upgrade or a new installation. If you are coming from a previous version of Mac OS X or having problems with your existing installation then you will likely want to do an Archive and Install. If you are working on Mac OS X Server you will likely need to do a format prior to installation. Once you have chosen which of these you will be doing, click Next and get ready to customize your installation. At this point you will be able to click on the Custom… icon and choose which parts of the OS to install. Don’t worry, if you leave anything out that you later decide you would like, you can always go to the installation CD and install it as a package manually.

Now, click Install and you’re off to the races.

Using the JAMF Binary with the Casper Suite

Thursday, October 25th, 2007

Casper is an incredibly useful tool for package deployment, maintaining records of the systems in your environment and policy management. But for those of you already using Casper (or considering it) you’ll be glad to know that you can use the jamf binary to do all kinds of fun stuff that can help with troubleshooting computers in your environment. For example:

The following command will set up a hidden SSH user and restrict SSH access to be allowed by only that user: jamf createAccount -username casperadmin -realname "Casper Admin" -password casperadmin -home /Users/casperadmin -hiddenUser -admin -secureSSH

This command can be used to display a popup on the system it’s run on that says “Hello Minnesota”: jamf displayMessage -message "Hello Minnesota"

The following command will unmount a mounted server called mainserver: jamf unmountServer -mountPoint /Volumes/mainserver

The following command can be used to change a user’s home page in all of their web browsers: jamf setHomePage -homepage

The following command can be used to fire up the SSH daemon: jamf startSSH

The following command can be used to fix the ByHost preference files on the local machine (the -target flag is required): jamf fixByHostFiles -target

The following command can be used to repair permissions on the boot volume of the local machine: jamf fixPermissions /

The following can be used to flush all of the caches on your local system: jamf flushCaches -flushSystem

The following can be used to bless the volume externaldrive, i.e. mark it as bootable: jamf bless -target /Volumes/externaldrive

The following can be used to run a software update on the local system: jamf runSoftwareUpdate

The following can be used to bind to an Active Directory domain (as an alternative to dsconfigad, if for some reason you would rather not use it); the domain, computer and credential parameters for your environment must be supplied as flags: jamf bindAD

The following can be used to set the Open Firmware password to secretpass (as with any password given as a command-line argument, it will show up in process listings and shell history): jamf setOFP -mode full -password secretpass

Most of these options are available inside the Casper suite, but the ability to do some simple tasks very quickly from the terminal is yet another reason to fall in love with Casper.

Leopard Server: CalDAV Event Formatting

Thursday, October 25th, 2007

A key aspect of any groupware solution is the ability to share calendars. Leopard Server, through iCal Server, brings the long-awaited ability to share calendars to the Mac OS X Server platform. Leopard uses CalDAV as the back end protocol for calendar sharing. CalDAV is supported by a growing list of clients and servers, including Novell Evolution, Zimbra, Drupal, Kerio and now Mac OS X Server.

CalDAV (RFC 4791) extends WebDAV, so each event is an HTTP resource with its own URL and can be fetched with an ordinary HTTP client or viewed in a web browser. The body of each resource is stored in the iCalendar format (RFC 2445).

A to-do item (VTODO) in the iCalendar format (a VEVENT has the same structure, with DTSTART and DTEND in place of DUE):

BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Apple Calendar//Calendar1//Charles Edge
BEGIN:VTODO
DTSTAMP:19980130T134500Z
SEQUENCE:2
ATTENDEE;
DUE:19980415T235959
STATUS:NEEDS-ACTION
SUMMARY:Random Music File
BEGIN:VALARM
ACTION:AUDIO
TRIGGER:19980403T120000
ATTACH;FMTTYPE=audio/basic:files/file.mp3
REPEAT:3
DURATION:PT1H
END:VALARM
END:VTODO
END:VCALENDAR

Parsing this data lets you embed calendar data from Leopard Server in third-party web services. One difference between CalDAV on Mac OS X Server and other calendar servers is how events are presented over the wire. Kerio, for example, a popular Mac-based groupware solution, also publishes calendars as a plain .ics file so they can be subscribed to in iCal on pre-Leopard Macs, which have no CalDAV client.
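A parser for this format, added here as an example (it is not code from the page or from Apple): it unfolds continuation lines, splits each property into name, parameters and value on the first unquoted colon (URLs in values contain colons of their own), builds the BEGIN/END component tree, and records malformed lines such as the bare ATTENDEE; above instead of aborting, which is what you want when consuming data from a server you do not control. The sample below is constructed from the listing above; the ATTACH URL, the example.com host and the folded SUMMARY line are assumptions made for the demonstration.

```python
"""Minimal iCalendar (RFC 2445) parser for pulling CalDAV resources into other services."""
from typing import Dict, List, Tuple

# Constructed sample modelled on the listing above. The bare "ATTENDEE;" line is kept on
# purpose (real feeds contain such lines); the ATTACH URL and folded SUMMARY are assumptions.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//Apple Calendar//Calendar1//Charles Edge",
    "BEGIN:VTODO",
    "DTSTAMP:19980130T134500Z",
    "ATTENDEE;",
    "DUE:19980415T235959",
    "STATUS:NEEDS-ACTION",
    "SUMMARY:Random Music ",
    " File",  # RFC 2445 folding: a line starting with one space continues the previous one
    "BEGIN:VALARM",
    "ACTION:AUDIO",
    "TRIGGER:19980403T120000",
    "ATTACH;FMTTYPE=audio/basic:http://calendar.example.com/files/file.mp3",
    "END:VALARM",
    "END:VTODO",
    "END:VCALENDAR",
])


def split_unquoted(text: str, sep: str, maxsplit: int = -1) -> List[str]:
    """Split on sep, ignoring separators inside double-quoted parameter values."""
    parts: List[str] = []
    buf: List[str] = []
    in_quotes = False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes and (maxsplit < 0 or len(parts) < maxsplit):
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def unfold(text: str) -> List[str]:
    """Join folded continuation lines (a line break followed by one space or tab)."""
    lines: List[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if not raw:
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_property(line: str) -> Tuple[str, Dict[str, str], str]:
    """NAME;PARAM=value;...:value -> (NAME, {PARAM: value}, value); ValueError if malformed."""
    head_value = split_unquoted(line, ":", 1)   # the value may itself contain colons (URLs)
    if len(head_value) != 2:
        raise ValueError(f"no unquoted ':' in property line {line!r}")
    name, *raw_params = split_unquoted(head_value[0], ";")
    params: Dict[str, str] = {}
    for param in raw_params:
        if "=" not in param:
            raise ValueError(f"parameter without '=' in {line!r}")
        key, val = param.split("=", 1)
        params[key.upper()] = val.strip('"')
    return name.upper(), params, head_value[1]


def parse_icalendar(text: str) -> dict:
    """Build the BEGIN/END component tree; malformed lines are recorded, not fatal."""
    root: dict = {"name": "ROOT", "properties": [], "components": [], "malformed": []}
    stack = [root]
    for line in unfold(text):
        try:
            name, params, value = parse_property(line)
        except ValueError as exc:
            root["malformed"].append(str(exc))
            continue
        if name == "BEGIN":
            comp = {"name": value.upper(), "properties": [], "components": []}
            stack[-1]["components"].append(comp)
            stack.append(comp)
        elif name == "END":
            if len(stack) == 1 or stack[-1]["name"] != value.upper():
                raise ValueError(f"END:{value} does not close {stack[-1]['name']}")
            stack.pop()
        else:
            stack[-1]["properties"].append((name, params, value))
    if len(stack) != 1:
        raise ValueError(f"unterminated component {stack[-1]['name']}")
    return root


def first_value(component: dict, name: str, default: str = "") -> str:
    """Value of the first property called name, e.g. first_value(todo, "SUMMARY")."""
    for prop_name, _params, value in component["properties"]:
        if prop_name == name:
            return value
    return default
```

Unbalanced BEGIN/END pairs are still treated as fatal, because a truncated component is not something you can safely publish elsewhere; a single bad property line is only logged in the `malformed` list so the rest of the calendar remains usable.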

A Brief History of Cryptography

Tuesday, October 23rd, 2007

Cryptography is derived from the Greek words kryptos, which means “hidden”, and graphein, which means “to write”. Historically, cryptography has meant the process of concealing the contents of a message from everyone except those who hold the key. Today it is used to protect e-mail messages, credit card information and corporate data. Cryptography has been used for centuries to protect messages carried over channels where they might be intercepted; the Internet is simply the latest such channel.

But encrypting email as it traverses the Internet is not the only reason to understand and use cryptography. Every time you check your email, your password is sent over the wire. Many ISPs and corporate environments do not enable encryption (SSL/TLS) on their mail servers, so the passwords used to check mail travel across the network in clear text. A clear-text password on the wire is trivially intercepted. This is especially dangerous when you are on the road, at hotels, on wireless hotspots or at an internet café, but it is often just as easy for someone on your own office network to obtain another user's password for email, payroll systems or file servers. Packet analyzers such as Wireshark (formerly Ethereal) have existed for a long time and are now quite advanced; with a capture in hand an attacker can simply read the password, or replay the captured credential exchange to the server to gain entry.
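To see what that looks like on the wire, here is an added example (not from the page or the book) that walks captured POP3/IMAP sessions and reports credentials sent in clear text: POP3 USER/PASS, IMAP LOGIN and SASL PLAIN, whose base64 blob is nothing more than NUL, username, NUL, password. It tracks STARTTLS so a session that upgraded to TLS is not reported, while one whose STARTTLS was refused and then fell back to a clear-text LOGIN is. The streams, hosts, users and passwords are all constructed for the demonstration, and the passwords themselves are masked in the output so the report is not itself a credential dump.

```python
"""Report e-mail credentials sent in clear text in captured POP3/IMAP sessions."""
import base64
import re
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample: (direction, line) records for five TCP streams keyed by
# "client->server:port" (110 = POP3, 143 = IMAP). Hosts, users and passwords are made up.
SAMPLE_STREAMS: Dict[str, List[Tuple[str, str]]] = {
    "10.0.0.5:51000->mail.example.com:110": [
        ("S", "+OK POP3 server ready"), ("C", "USER jdoe"), ("S", "+OK"),
        ("C", "PASS hunter2"), ("S", "+OK Logged in."),
    ],
    "10.0.0.5:51001->mail.example.com:143": [          # STARTTLS accepted: rest is ciphertext
        ("S", "* OK IMAP4rev1 ready"), ("C", "a1 STARTTLS"),
        ("S", "a1 OK Begin TLS negotiation now"), ("C", "\x17\x03\x01..."),
    ],
    "10.0.0.7:51002->mail.example.com:143": [          # SASL PLAIN = base64(\0user\0password)
        ("S", "* OK IMAP4rev1 ready"), ("C", "a1 AUTHENTICATE PLAIN"), ("S", "+ "),
        ("C", base64.b64encode(b"\0asmith\0s3cret").decode()), ("S", "a1 OK Logged in"),
    ],
    "10.0.0.8:51003->mail.example.com:143": [
        ("S", "* OK ready"), ("C", 'a2 LOGIN "bob" "pa ss"'), ("S", "a2 OK"),
    ],
    "10.0.0.9:51004->mail.example.com:143": [          # STARTTLS refused, client falls back
        ("S", "* OK ready"), ("C", "a1 STARTTLS"), ("S", "a1 BAD Command not supported"),
        ("C", "a2 LOGIN carol wonderland"),
    ],
}


def finding(stream: str, mechanism: str, user: Optional[str], password: Optional[str]) -> dict:
    """Keep the evidence (who, how, how long) but never the secret itself."""
    return {"stream": stream, "mechanism": mechanism, "username": user,
            "password_length": len(password) if password else 0,
            "password_masked": "*" * len(password) if password else None}


def decode_plain(stream: str, mechanism: str, b64: str) -> dict:
    """SASL PLAIN (RFC 4616): base64 of authzid NUL authcid NUL password."""
    try:
        parts = base64.b64decode(b64, validate=True).split(b"\0")
    except ValueError:                      # binascii.Error is a ValueError
        parts = []
    if len(parts) != 3:
        return finding(stream, mechanism, None, None)
    return finding(stream, mechanism, parts[1].decode(errors="replace"), parts[2].decode(errors="replace"))


def find_cleartext_credentials(streams: Dict[str, List[Tuple[str, str]]]) -> List[dict]:
    results: List[dict] = []
    for stream, records in streams.items():
        imap = stream.endswith(":143")
        tls = pending_tls = False
        expecting_plain: Optional[str] = None   # mechanism label while a SASL response is due
        pop_user: Optional[str] = None
        for direction, line in records:
            if tls:
                break                           # after a successful STARTTLS nothing is readable
            if direction == "S":
                if pending_tls:                 # TLS only starts once the server answers OK
                    tls = re.match(r"\+OK\b|\S+\s+OK\b", line) is not None
                    pending_tls = False
                continue
            if expecting_plain:
                results.append(decode_plain(stream, expecting_plain, line.strip()))
                expecting_plain = None
                continue
            try:
                tokens = shlex.split(line)      # unquotes IMAP strings such as "pa ss"
            except ValueError:
                tokens = line.split()
            if imap:
                tokens = tokens[1:]             # drop the IMAP command tag
            if not tokens:
                continue
            cmd, args = tokens[0].upper(), tokens[1:]
            if cmd == "STARTTLS":
                pending_tls = True
            elif cmd == "USER" and args:
                pop_user = args[0]
            elif cmd == "PASS" and args:
                results.append(finding(stream, "POP3 USER/PASS", pop_user, args[0]))
            elif cmd == "LOGIN" and len(args) >= 2:
                results.append(finding(stream, "IMAP LOGIN", args[0], args[1]))
            elif cmd in ("AUTH", "AUTHENTICATE") and args and args[0].upper() == "PLAIN":
                if len(args) > 1:               # initial response sent on the command line
                    results.append(decode_plain(stream, cmd + " PLAIN", args[1]))
                else:
                    expecting_plain = cmd + " PLAIN"
    return results
```

The same state machine works on real traffic once you reassemble TCP streams (tshark's follow-stream output, for instance) into the (direction, line) records it expects; the point of the STARTTLS handling is that a naive grep for PASS or LOGIN either misses the fall-back case or produces false positives on the encrypted one.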

To aid in protecting communications between computers, there are a wide variety of cryptographic implementations in use. They are typically provided for one of two reasons: to protect data on the computer or to protect data as it is being transferred. Most cryptographic techniques rely heavily on the exchange of cryptographic keys.

Symmetric-key cryptography refers to encryption methods in which sender and receiver share the same key, and data is encrypted and decrypted with algorithms keyed by it. The modern study of symmetric-key ciphers revolves around block ciphers and stream ciphers and how these ciphers are applied. Block ciphers take a block of plaintext and a key, then output a block of ciphertext of the same size. DES and AES are block ciphers. AES, a standardized subset of the Rijndael cipher, is the current US government encryption standard; it works on 128-bit blocks with a key of 128, 192 or 256 bits. DES, with its 56-bit key, is no longer an approved method of encryption, but its variant Triple-DES remains popular. Triple-DES applies DES three times with up to three independent 56-bit keys and is used across a wide range of applications, from ATM networks to e-mail privacy and secure remote access. Many other block ciphers have been designed and released, with considerable variation in quality.

Stream ciphers create an arbitrarily long stream of key material, which is combined with a plaintext bit by bit or character by character, somewhat like the one-time pad encryption technique. In a stream cipher, the output stream is based on an internal state, which changes as the cipher operates. That state’s change is controlled by the key, and, in some stream ciphers, by the plaintext stream as well. RC4 is an example of a well-known stream cipher.

Cryptographic hash functions take no key; they map data of any length to a short, fixed-length digest through a one-way function. Because the output is fixed-length, collisions (two inputs that produce the same digest) must exist; for a good hash function, finding one is computationally infeasible, and a hash for which collisions can be produced in practice, as is now the case with MD5, is no longer fit for use in signatures.

Symmetric-key cryptosystems use the same key for encryption and decryption. Their disadvantage is the key management needed to use them securely: each distinct pair of communicating parties must share its own key, so the number of keys grows quadratically with the number of parties (n parties need n(n-1)/2 keys). That requires very complex key management schemes in large networks. It is also difficult to establish a shared secret between two parties when no secure channel already exists between them.

Whitfield Diffie and Martin Hellman are considered the inventors of public-key cryptography. They proposed the notion of public-key (also called asymmetric key) cryptography in which two different but mathematically related keys are used: a public key and a private key. A public key system is constructed so that calculation of the private key is computationally infeasible from knowledge of the public key, even though they are necessarily related. Instead, both keys are generated secretly, as an interrelated pair.

In public-key cryptosystems, the public key may be freely distributed, while its paired private key must remain secret. The public key is typically used for encryption, while the private or secret key is used for decryption. Diffie and Hellman showed that public-key cryptography was possible by presenting the Diffie-Hellman key exchange protocol. Ronald Rivest, Adi Shamir and Len Adleman invented RSA, another public-key system. Later, it became publicly known that asymmetric cryptography had already been invented by James H. Ellis at GCHQ, a British intelligence organization, and that equivalents of both RSA and Diffie-Hellman had been developed there earlier (by Clifford Cocks and Malcolm Williamson respectively). Diffie-Hellman and RSA, in addition to being the first public examples of high quality public-key cryptosystems, are among the most widely used.

In addition to encryption, public-key cryptography can be used to implement digital signature schemes. A digital signature is somewhat like an ordinary signature: it is easy for the signer to produce but difficult for anyone else to forge. Unlike an ordinary signature, it is bound to the content of the message being signed; it cannot be ‘moved’ from one document to another, and any attempt to alter the signed content is detectable. A digital signature scheme has two algorithms: signing, in which the private key is applied to the message (or, more usually, to a hash of it), and verification, in which the matching public key is used with the message to check the validity of the signature. RSA and DSA are the two most popular digital signature schemes. Digital signatures are central to the operation of public key infrastructures and to many network security protocols (SSL/TLS, many VPNs, etc). They let the recipient verify the integrity and origin of a message, which is what makes non-repudiation of the communication possible.

Public-key algorithms are most often based on the computational complexity of “hard” problems, often from number theory. The hardness of RSA is related to the integer factorization problem, while Diffie-Hellman and DSA are related to the discrete logarithm problem. More recently, elliptic curve cryptography has developed in which security is based on number theoretic problems involving elliptic curves. Because of the complexity of the underlying problems, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques used in most block ciphers, especially with typical key sizes. As a result, public-key cryptosystems are commonly “hybrid” systems, in which a fast symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Hybrid signature schemes are often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed.
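The hybrid construction just described, together with the stream cipher, hash and hash-then-sign ideas from the preceding paragraphs, as an added example in Python (it is not code from the book or the page): a fresh symmetric key encrypts the message, the recipient's public key wraps that key, and the sender signs a SHA-256 hash of the ciphertext rather than the ciphertext itself. To stay dependency-free it uses textbook RSA on freshly generated primes (no OAEP or PSS padding) and an HMAC-SHA256 counter-mode keystream in place of a real stream or block cipher; those substitutions are assumptions made for illustration, and for real data you would use AES and padded RSA from OpenSSL or a maintained library. The verification order matters and is shown: the signature is checked before anything is decrypted, and a wrong private key is detected rather than silently producing garbage.

```python
"""Hybrid encryption with hash-then-sign, standard library only (toy: textbook RSA
without padding, HMAC-SHA256 keystream instead of AES; use OpenSSL for real data)."""
import hashlib
import hmac
import secrets
from typing import Tuple

Key = Tuple[int, int]   # (exponent, modulus): (e, n) public, (d, n) private

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length and odd
        if is_probable_prime(c):
            return c

def modinv(a: int, m: int) -> int:
    """Extended Euclid: the x with a*x == 1 (mod m)."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m

def rsa_keygen(bits: int = 1024) -> Tuple[Key, Key]:
    """(public, private). 1024 bits keeps the demo fast; it is not a production size."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (modinv(e, phi), p * q)

def rsa_raw(key: Key, x: int) -> int:
    """Textbook RSA x^exp mod n; x must be smaller than the modulus."""
    exp, n = key
    if not 0 <= x < n:
        raise ValueError("value too large for the modulus")
    return pow(x, exp, n)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR data with HMAC-SHA256(key, nonce || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),   # separate encryption and MAC keys
            hmac.new(key, b"mac", hashlib.sha256).digest())

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed: wrong key or tampered ciphertext")
    return keystream_xor(enc_key, nonce, ct)

def hybrid_encrypt(recipient_pub: Key, sender_priv: Key, message: bytes) -> dict:
    """Fresh session key for the body, RSA-wrapped for the recipient; sign the hash of the body."""
    session_key = secrets.token_bytes(32)
    body = sym_encrypt(session_key, message)
    digest = int.from_bytes(hashlib.sha256(body).digest(), "big")
    return {"wrapped_key": rsa_raw(recipient_pub, int.from_bytes(session_key, "big")),
            "body": body, "signature": rsa_raw(sender_priv, digest)}

def hybrid_decrypt(recipient_priv: Key, sender_pub: Key, envelope: dict) -> bytes:
    """Verify the signature first, then unwrap the session key and decrypt."""
    body = envelope["body"]
    digest = int.from_bytes(hashlib.sha256(body).digest(), "big")
    if rsa_raw(sender_pub, envelope["signature"]) != digest:
        raise ValueError("signature check failed")
    k = rsa_raw(recipient_priv, envelope["wrapped_key"])
    if k >= 1 << 256:                   # wrong private key: the unwrap yields a random residue
        raise ValueError("wrapped key does not unwrap under this private key")
    return sym_decrypt(k.to_bytes(32, "big"), body)
```

Note the asymmetry in cost the paragraph describes: the two RSA operations touch only 256-bit values (the session key and the digest) no matter how long the message is, while the keystream does the bulk work. Signing the hash of the ciphertext rather than the plaintext also means a forged or corrupted envelope is rejected before any decryption key is ever used on it.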

OpenSSL is the main library and command-line tool used on Linux and Mac OS X to access the encryption mechanisms supported by the operating system. It supports Diffie-Hellman, RSA and DSA, the MD5 and SHA family hash functions, AES, DES and Triple-DES, CAST, RC2 and RC4, and Base64 encoding. With the openssl command you can encrypt and decrypt data, compute digests, generate keys and certificates, and set the parameters each of those operations requires.

THIS ARTICLE IS A REPRINT FROM: Foundations of Mac OS X Security, from Apress Written by Charles Edge, William Barker and Zack Smith of 318

RDC 6: Saving Files to Your Computer from an RDC Session

Friday, October 12th, 2007

TITLE Save/Copy files to local hard disk while in an RDC Session

TOPIC Remote Desktop Connection

DISCUSSION To save files to a local hard drive from an RDC session follow these steps.

1. To enable copying files between computers, launch the Remote Desktop Connection on the machine you are connecting from.

2. Click the Options button to expand the list of Options tabs.

3. Click the Local Resources tab.

4. Check the box next to Disk drives. Checking the box next to Printers also lets you print from the remote computer to a printer connected to the local computer. Be aware that redirecting disk drives makes your local disks readable and writable from the remote session, so only enable it for a remote host you trust.

5. Click the Connect button.

Note: transfers can take some time to complete using Vista.

Restart FileMaker Server from the Command Line

Friday, October 12th, 2007

If you’ve got a misbehavin’ FileMaker Server and you need to force restart the daemon without restartin’ the box:

Open Terminal and list the running processes:

ps aux

Look for any fmserver processes still running and kill them (kill <pid>, or kill -9 <pid> if they refuse to exit).

Then change to the FileMaker Server tools directory (the path contains a space, so it must be quoted):

cd "/Library/FileMaker Server/Tools/"

and start the daemon:

./fmserverd START

You should be up and running : )

Troubleshooting KDC setup in 10.4

Wednesday, October 10th, 2007

During the Apple Open Directory Master creation process, scripts start up the Kerberos Key Distribution Center (KDC) and create the necessary keys, or “principals”, for all the services that can be Kerberized and used with single sign-on.

The KDC creation process is triggered automatically by “promoting” an OD server to the role of “Master” in the Open Directory section of the Server Admin application.

You can normally tell whether this scripted creation process completed successfully by checking the Overview tab of the Open Directory section of Server Admin and confirming that Kerberos is shown as running (not “stopped”).

The definitive check, however, is to see whether the local Kerberos principals were actually created. kadmin.local lists the principals in the KDC database, and klist -kt lists the keys that were written to the binary /etc/krb5.keytab file; both should show the service principals:

$ sudo kadmin.local -q "listprincs"

and also

$ sudo klist -kt

You should see principals for services such as afpserver, imap, pop, etc. The lowercase name after the service name and slash (i.e. the part after imap/) should match the fully qualified domain name, a.k.a. the DNS hostname, of the server's primary network interface. The uppercase name after the @ is the Kerberos realm; it should also match the fully qualified domain name, though in advanced configurations it could have been changed (perhaps by you at promotion time in Server Admin, though normally there is no need).

If what you see does not match what is normal (as described above), you should attempt to repair the Kerberos configuration using the following procedures.

Before you do anything else, check DNS, and then check DNS again. Also, do not use a password containing a space for the diradmin user; this has known issues with KDC creation.

The values that Server Admin fills in automatically for the Kerberos realm and the LDAP search base (dc=...,dc=...) are derived from the system's hostname, i.e.

hostname = mail.318.com
default Kerberos realm = MAIL.318.COM
default search base = dc=mail,dc=318,dc=com

So when you promote the server, the values that are filled in automatically will tell you whether something is not configured correctly. The most commonly seen incorrect values are something like mail.local (a Bonjour name), but in rare circumstances you may also see localhost. NOTE: in 10.3 these values were tied to the “Search Domains” section of System Preferences, but in 10.4 they come from the system's hostname.

The system's hostname is determined from, in order:

1. The DHCP-supplied hostname (the server should not be using DHCP in the first place).

2. The reverse DNS (PTR) record for the primary network interface, i.e. the interface at the top of the active list under Network Port Configurations in System Preferences, or the interface that holds the default route in the output of netstat -rn.

You can verify the PTR record by determining that interface's IP address and running the host command on it:

$ host <ip address>

which will show output such as: <reversed address>.in-addr.arpa domain name pointer <name>. That name should match the output of the hostname command:

$ hostname
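The checks described above, as an added example (not from the page or from Apple): functions that derive the expected realm and search base from a hostname the way Server Admin does, flag the bad hostnames mentioned (.local, localhost, unqualified), compare the hostname against the PTR record and the values Server Admin shows, and pick out keytab principals that were created against the wrong name. The klist -kt listing embedded below is constructed in the style of that command's output; mail.318.com is the page's own example host; reverse_lookup is the only function that touches the network and is not exercised by the rest.

```python
"""Sanity checks for the hostname-derived Kerberos realm and LDAP search base."""
import re
import socket
from typing import List, Set, Tuple

# Constructed sample in the style of `klist -kt`: one principal was created
# against a Bonjour (.local) name, which is exactly the failure mode described above.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 10/10/07 12:00:00 afpserver/mail.318.com@MAIL.318.COM
   3 10/10/07 12:00:00 pop/mail.318.com@MAIL.318.COM
   3 10/10/07 12:00:00 imap/mail.local@MAIL.LOCAL
"""

DNS_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot that DNS tools print."""
    return name.strip().rstrip(".").lower()


def od_defaults(hostname: str) -> dict:
    """What Server Admin fills in from the hostname: realm and LDAP search base."""
    host = normalize(hostname)
    return {"realm": host.upper(),
            "searchbase": ",".join("dc=" + label for label in host.split("."))}


def hostname_problems(hostname: str) -> List[str]:
    """Reasons this hostname will produce a bad realm and search base."""
    host = normalize(hostname)
    problems: List[str] = []
    if host in ("localhost", "localhost.localdomain"):
        problems.append("hostname is localhost: no us usable reverse DNS for the primary interface")
    elif host.endswith(".local"):
        problems.append("hostname is a Bonjour (.local) name: taken from DHCP/mDNS, not a PTR record")
    elif "." not in host:
        problems.append("hostname is not fully qualified")
    if not all(DNS_LABEL.match(label) for label in host.split(".")):
        problems.append("hostname contains characters that are not valid in a DNS name")
    return problems


def check_consistency(hostname: str, ptr_name: str, realm: str, searchbase: str) -> List[str]:
    """Compare `hostname`, the PTR record and the values Server Admin shows."""
    expected = od_defaults(hostname)
    issues = hostname_problems(hostname)
    if normalize(ptr_name) != normalize(hostname):
        issues.append(f"PTR record {ptr_name} does not match hostname {hostname}")
    if realm.strip() != expected["realm"]:
        issues.append(f"realm {realm} should be {expected['realm']}")
    if searchbase.strip().lower() != expected["searchbase"]:
        issues.append(f"search base {searchbase} should be {expected['searchbase']}")
    return issues


def parse_principals(klist_output: str) -> Set[Tuple[str, str, str]]:
    """(service, host, realm) for every service/host@REALM entry in klist -kt output."""
    found: Set[Tuple[str, str, str]] = set()
    for line in klist_output.splitlines():
        m = re.search(r"(\S+)/([^@\s]+)@(\S+)", line)
        if m:
            found.add((m.group(1), m.group(2), m.group(3)))
    return found


def principals_off_host(klist_output: str, hostname: str) -> Set[Tuple[str, str, str]]:
    """Principals whose host or realm was not derived from the expected hostname."""
    expected = od_defaults(hostname)
    return {p for p in parse_principals(klist_output)
            if normalize(p[1]) != normalize(hostname) or p[2] != expected["realm"]}


def reverse_lookup(ip: str) -> str:
    """Equivalent of `host <ip>`: the PTR name for an address (needs the network)."""
    return socket.gethostbyaddr(ip)[0]


if __name__ == "__main__":
    host = socket.gethostname()
    print(od_defaults(host), hostname_problems(host))
    print("principals to fix:", principals_off_host(SAMPLE_KLIST, "mail.318.com"))
```

On the server itself you would feed check_consistency the output of hostname, the result of reverse_lookup on the primary interface's address, and the realm and search base shown in Server Admin, and feed principals_off_host the real klist -kt output; an empty list and an empty set mean the promotion is worth trusting.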

Using BackupExec 11d with Removable Drives

Thursday, October 4th, 2007

Connect all of the drives you will use. In many cases you will have 2-3 drives. It is important that each disk be assigned its own drive letter: if for some reason they mount with the same drive letter, Backup Exec will not properly identify them, nor will it properly track the backup sets on the disks once they are disconnected.

Add them as removable backup-to-disk folders.

Backup Exec will then create several folders at the root level of each disk. It is important that you size the backup-to-disk folder properly.

When jobs are told to use any device in the storage pool, Backup Exec will automatically select the available media. Unlike Retrospect, there is no need to create separate scripts per drive.