I recently had an instance in which a client company was insisting that all email communications between our servers be encrypted with TLS. We're using Leopard Server 10.5.5 (which includes Postfix 4.3.1), but it took some extra tweaking to make it work, so I thought I'd pass it on in case anyone else here ever needs it.
This hint assumes that you have a Leopard Server running Mail Service which needs to be able to receive email from servers out on the Internet, and a security certificate for your mail server. (In Server Admin GUI for Mail Service, that would translate to having SSL set to Use (not Require) for SMTP with the correct certificate selected.) You will need a certificate for this to work, and preferably one issued by a certificate authority.
When we're done, you'll be using Opportunistic TLS (offers TLS but doesn't require it, since most ISP email servers don't use it) for the internet at large and Mandatory TLS just for your specified host(s). Launch Terminal and here we go...
This is more of a workaround than a hint, but will hopefully save some folks the hours of annoyance I've had to deal with.
The problem can be summarized as follows: In the Server Admin application, installed with Apple's Server Admin Tools, you can manage many of Mac OS X Server's features, including Netboot and Netinstall images. Once you have created a Netinstall image, you have the option in Server Admin to specify what types of Apple hardware are allowed to boot the image over the network. I refer to these filters as hardware model type filters, though I'm not sure of their official name. Anyway, once a model type filter is set for a given Netinstall image, a workaround is required to make future edits to the same filter in the GUI.
Steps to Reproduce the bug:
1. Create a netinstall image.
2. Edit the hardware model type filter by clicking the pencil button, then click OK, then Save.
3. Try again to edit the same hardware model type filter, click Okay, then Save.
4. Look at the filter a third time and the changes made in step three will not have been applied.
Steps to work around the bug:
1. Toggle the Enable checkbox. Note it does not matter what state the checkbox is in, so it can be toggled to either the enabled or disabled position.
2. Edit the model type filter by clicking the pencil button. Important: do not click the Save button between this step and the prior step.
3. After editing, click OK, then click Save.
4. Look at the filter again, and the changes made will have held this time. It appears that the state change of Enable is what triggers a write operation to the plist once the Save button is clicked. That is, nothing gets written when Save is clicked unless the state of the Enable checkbox has changed.
An interesting request came in today from a coworker. She wanted to create a spreadsheet that contained all of our intranet's wiki pages (which uses the Apple WikiServer), presumably because Apple doesn't provide an easy way to "list all pages" in the wiki itself. Along with the page title, she also wanted to extract its internal ID, its URL, and the time the page was created as well as the time it was last modified.
I spent about an hour looking into this this afternoon, and it turns out that much of this information is readily available on the filesystem in the Apple WikiServer's data store. I whipped up the following shell script to extract this information in CSV format, exactly as requested. I'm submitting this script here in case someone else wants similar "export a list of WikiServer pages to a comma-separated values (CSV) file" functionality, but isn't sure how to go about getting it.
To use this script, just edit the line that reads http://my-server.example.com/groups/wiki/ so that it refers to the wiki base URI of your own server, make it executable (chmod a+x script_name), and then run it.
#!/bin/sh -
#
# Script to extract data from an Apple WikiServer's data store by querying the
# filesystem itself. Creates a 'wikipages.csv' file that's readable by any
# spreadsheeting application, such as Numbers.app or Microsoft Excel.app.
#
# USAGE: To use this script, change to the WikiServer's pages directory, then
# just run this script. A file named wikipages.csv will be created in
# your current directory. For instance:
#
# cd /Library/Collaboration/Groups/mygroup/wiki # dir to work in
# wikipages2csv.sh # run the script
# cp wikipages.csv ~/Desktop # save output
#
# WARNING: Since the WikiServer's files are only accessible as root, this script
# must be run as root to function. Additionally, this is not extremely
# well tested, so use at your own risk.
#
# Author: Meitar Moscovitz
# Date: Mon Sep 22 15:03:54 EST 2008
##### CONFIGURE HERE ########
# The prefix to append to generated links. NO SPACES!
WS_URI_PREFIX=http://my-server.example.com/groups/wiki/
##### END CONFIGURATION #####
# DO NOT EDIT PAST THIS LINE
#############################
# debugging
set -e
WS_CSV_OUTFILE=wikipages.csv
WS_PAGE_IDS_FILE=`mktemp ws-ids.tmp.XXXXXX`
# Print the text of the element on the line after <key>NAME</key> in page.plist.
function extractPlistValueByKey () {
    head -n \
        $(expr 1 + `grep -n "<key>$1</key>" page.plist | cut -d ':' -f 1`) page.plist | \
        tail -n 1 | cut -d '>' -f 2 | cut -d '<' -f 1
}
# Turn a page title into the form WikiServer uses in its URLs.
function linkifyWikiServerTitle () {
    echo "$1" | sed -e 's/ /_/g' -e 's/&amp;/_/g' -e 's/&gt;/_/g' -e 's/&lt;/_/g' -e 's/\?//g'
}
# 2008-09-22T15:03:54Z -> 2008-09-22 15:03:54
function formatISO8601date () {
    echo "$1" | sed -e 's/T/ /' -e 's/Z$//'
}
# Wrap a field in double quotes if it contains a comma.
# Testing grep inside 'if' keeps a non-match from tripping 'set -e'.
function csvQuote () {
    if echo "$1" | grep -q ','; then
        echo "\"$1\""
    else
        echo "$1"
    fi
}
# Collect the page IDs (directory names without the .page suffix).
ls -d [^w]*.page | \
    sed -e 's/^\([a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]\)\.page$/\1/' > "$WS_PAGE_IDS_FILE"
echo "Title,ID,Date Created,Last Modified,URI" > "$WS_CSV_OUTFILE"
while read id; do
    cd "$id.page"
    title=$(extractPlistValueByKey title)
    created_date="$(formatISO8601date "$(extractPlistValueByKey createdDate)")"
    modified_date="$(formatISO8601date "$(extractPlistValueByKey modifiedDate)")"
    link="$WS_URI_PREFIX$id/$(linkifyWikiServerTitle "$title").html"
    cd ..
    # Append one CSV row per page.
    echo "$(csvQuote "$title"),$id,$created_date,$modified_date,$(csvQuote "$link")" >> "$WS_CSV_OUTFILE"
done < "$WS_PAGE_IDS_FILE"
rm "$WS_PAGE_IDS_FILE"
Many system administrators are using Munin to monitor and make graphs of many details about their servers. However, there is no official plug-in for Mac OS X Server and Xserve to monitor temperature, power, or voltage.
Aqua Ray, however, provides some of them; that page has download links for G4, G5, and Intel Xserves, along with explanations on how to install them on a current version of Munin.
[robg adds: These plug-ins appear to be free, but I haven't tested them to see how well they work.]
Well, if you're like me and already have backup solutions running in your Open Directory, you may not want your users using Time Machine, for whatever reasons you may have. In Work Group Manager (WGM), select your groups (or your parent group) and select the Details tab. Then add the following to the details list:
/System/Library/CoreServices/ManagedClient.app
Once you add that in to the Details part of WGM, you can select the menu items and click on the pencil icon to add a string to disable Time Machine from the menu bar. So, click on the pencil icon and a new window should pop up. It should display Once, Often, Always. Select and expand the arrow key on Always, and then click on the New Key button. Select Edit from the drop-box, and name it TimeMachine.menu, then for Type, select boolean, and for Value, select false. Attached is a screen shot. It should look like this when you're done.
The next time your client updates the MCX, it will no longer have Time Machine in the Menu Bar. This is sort of a backwards way of going about things, so I put in a feature request for OS X Server to just manage these things through WGM by a menu or items list. I need to thank Jeff from our Apple mailing list who helped me figure this out.
I was looking to set up .htaccess on Leopard server, and as I was testing the .htpasswd file I set up for the user (myself), I tried the wrong password and it let me in! It turns out I had used my regular password that's set up through Open Directory. So I deleted the .htpasswd file, and I removed all references to it in the .htaccess file to further test. This is the resulting .htaccess file:
Just by using the above .htaccess file, I am able to log in with any user that has an Open Directory account. Nice treat, for me anyway. I'm guessing others will have to add restrictions for users they don't want to have access.
VPN in Mac OS X Server (all versions, I think) allows users to have as many sessions from as many different computers as they want to the VPN server. I didn't like this, so I tried to find a way to restrict them to only one session. I tried looking at plists, thinking maybe Apple had some hidden option for this, but I couldn't find it. I then dug around in man files for vpn and pppd and such, and found something of interest in pppd's man page:
/etc/ppp/auth-up
A program or script which is executed after the remote system successfully authenticates itself. It is executed with the parameters:
interface-name peer-name user-name tty-device speed
Note that this script is not executed if the peer doesn't authenticate itself, for example when the noauth option is used.
Great! All I need now is some code and a way to find out which users are currently online.
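One way to enforce the single-session rule from `/etc/ppp/auth-up`, shown as an added example that is not the hint author's code. It keeps its own per-peer record instead of querying the VPN service; the state directory, the `claim_session` helper, and reliance on pppd exporting `PPPD_PID` are assumptions.

```shell
#!/bin/sh
# Added example for /etc/ppp/auth-up: allow one live VPN session per peer name.
# pppd runs it as: auth-up interface-name peer-name user-name tty-device speed
# Hypothetical names (not Apple's): STATE_DIR, claim_session.
STATE_DIR="${STATE_DIR:-/var/run/vpn-sessions}"

# claim_session PEER PID
#   0 = session recorded, 1 = PEER already has a live session, 2 = bad input.
claim_session() {
    peer=$1
    pid=$2
    # The peer name comes from the remote side: allow a conservative character
    # set only, so it can never name a file outside STATE_DIR.
    case $peer in
        ''|.*|*[!A-Za-z0-9._@-]*) return 2 ;;
    esac
    mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR" || return 2
    lock="$STATE_DIR/$peer.pid"
    # noclobber (set -C) makes creation atomic, so two logins that arrive at
    # the same moment cannot both claim the slot.
    if ( set -C; echo "$pid" > "$lock" ) 2>/dev/null; then
        return 0
    fi
    old=$(cat "$lock" 2>/dev/null)
    [ "$old" = "$pid" ] && return 0
    # kill -0 sends no signal; it only tests whether the recorded pppd exists.
    if [ -n "$old" ] && kill -0 "$old" 2>/dev/null; then
        return 1
    fi
    # Stale record: the earlier pppd has exited, so take over the slot.
    echo "$pid" > "$lock"
    return 0
}

# Only act when called the way pppd calls auth-up (five arguments).
if [ "$#" -eq 5 ]; then
    # Assumption: pppd exports PPPD_PID to its scripts; fall back to the parent.
    pppd_pid="${PPPD_PID:-$PPID}"
    if ! claim_session "$2" "$pppd_pid"; then
        logger -t auth-up "refusing additional VPN session for peer $2 on $1"
        kill -TERM "$pppd_pid"    # SIGTERM makes pppd close the new link
    fi
fi
```

The check fails closed: a peer name outside the allowed character set is refused as well, and a record whose pppd has exited is treated as stale and replaced.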
This is actually a hint for both OS X Server 10.5 and iCal. I was trying to implement the calendaring feature in OS X Server and hit a wall when Apple's documentation did not explain how to set up multiple calendars for a single group, and how to manage them in iCal. After much searching, I found the answer (not supported by Apple) in this Apple Discussions thread.
In order to create a group calendar, you have to create a group and enable calendars for that group. This is reasonably well explained in the "iCal Service administration guide for Version 10.5 Leopard" guide. In order to view the group calendars, open iCal (it has to be iCal 3), open its Preferences, and click on the Accounts tab.
Having a pressing need to access a Cisco router via the console cable, and not having a PC with a serial port laying around anywhere, I decided to look into how to access the serial port on an Xserve that's running Leopard Server. Previous hints targeted at Tiger Server and below, however, do not work any more as the serial support files are no longer found in /System » Library » StartupItems/. Through some digging, I found the solution to the problem and can now access the router via the serial port at any time, even from my iPhone (through Terminal, of course)!
Leopard Server moved the SerialTerminalSupport shell script to /usr » libexec » serial. The syntax for launching it remains the same, though, just the location has changed. Thinking that was all it took, I stopped the SerialTerminalSupport service with this command (run all these commands as superuser):
/usr/libexec/serial/SerialTerminalSupport stop
And tried to launch the screen program to open a connection via the serial port with screen /dev/cu.serial. No luck. I see bits and pieces of the Cisco's console prompt in my Terminal window, but the screen session keeps sending garbage -- to the point where I'd have to close the Terminal window and issue a kill command to let go of /dev/cu.serial and the screen session.
It turns out that by default, OS X Server sets the baud rate of the serial port to 57600, which is too fast for the Cisco console port.
Squirrelmail as included with Mac OS X Server lets you remotely access your Inbox via a web-browser. It also automatically creates sub-folders to store drafts, sent, and trashed emails as done during a Squirrelmail session. These have a folder structure like this:
Inbox
Drafts
Sent
Trash
When you look at this in Apple Mail, you will see a triangle next to your Inbox, and turning it down reveals the same sub-folders. The purpose of this posting is that this structure is not the same as the default Apple Mail structure, and as such, Apple Mail and Squirrelmail will not automatically be using the same IMAP folders to store drafts, sent, and trash.
It is possible in Apple Mail to select one of these Squirrelmail-created folders, and go to the Mailbox menu and select the "Use This Mailbox For..." command to make it the folder to use for that purpose. It is also possible to edit the Squirrelmail config.php file to adjust its settings which as default will be:
I have worked out what to set Squirrelmail to use so that it will then use the same folders that Apple Mail uses as standard. The benefit would be that rather than each and every user having to alter the Apple Mail setup, I could do one edit of the config file for Squirrelmail and this would then apply forever for all users.