
Lion Server: Advanced Administration

Lion Server requirements

Mac OS X Lion Server has processor, memory, disk, and network requirements.

To install Lion Server on a Mac, the Mac must have:

A 64-bit Intel processor

At least 2 gigabytes (GB) of random access memory (RAM)

At least 10 gigabytes (GB) of disk space available

Your server needs significantly more disk space, such as a high-capacity external hard drive, if you want to allow Lion, Snow Leopard, and Leopard users to back up their Macs on the server. A server needs even more disk space if you want to back up the server using Time Machine.

An Internet connection, if you’re installing Lion Server from the Mac App Store

An Internet connection isn’t required after installation.

Desktop or server hardware is recommended.

An active connection to a secure network is recommended for server setup, but isn’t required. After setup, your server must have a network connection for users to access its services.

Some podcast encoding operations require a compatible graphics card. Some features have additional system requirements or require additional purchases. For details, see the Lion Server website at www.apple.com/macosx/server/.

A Mac server can be set up and used without a display and can be located where you don’t have constant physical access to it. You can use another Mac to set up and administer a Mac server remotely. For information, see Prepare an administrator computer.

Lion Server tools

You can administer servers in a small to medium organization with the basic tools included in Lion Server. If you need to configure Lion Server in a large organization, or if you have special configuration requirements, you can use advanced administration tools that you may need to install separately. You can also use command-line tools to perform server administration tasks.

Basic tools

You can manage users and groups, start and stop services, change service settings, and perform other essential server administration tasks using the applications and utilities included with Lion Server and described below.

Screen Sharing: Observe and control your server from another computer on the network. You can open Screen Sharing from the Tools menu in the Server app.

Server: Manage users and groups. Monitor server status. Start, stop, and customize services. View and change system, network, and storage settings. Manage an AirPort device.

Server Status widget for Dashboard: Monitor server activity from any Mac with Mac OS X Lion.

System Preferences: Configure Time Machine backup of the server. Set up sharing for a directly connected USB or FireWire printer.

For more information about Screen Sharing, Server, and System Preferences, open the application and use the Help menu. For more information about the Server Status widget, see Use the Server Status widget.

Advanced administration tools


Besides the Server app and the other basic tools, you can use the applications described below. All except Directory Utility and Xsan Admin are located in the Server folder in Launchpad. If your server doesn’t have that folder with the advanced tools in it, you can install them as described in Use advanced tools for more services.

Directory Utility: Configure advanced connections to directory servers. You can open Directory Utility from the Tools menu in the Server app.

Podcast Composer: Follow a structured, graphical process to create workflows that control how Podcast Producer generates and distributes podcasts.

Server Admin: Change advanced service settings and configure advanced services.

Server Monitor: Remotely monitor and manage one or more Xserve systems.

System Image Utility: Create NetBoot, NetInstall, and NetRestore images for Mac computers.

Workgroup Manager: Manage users, groups, computers, and computer groups in advanced server deployments. Manage preferences for Mac OS X Lion users.

Xgrid Admin: Remotely manage clusters, monitor controller and agent activity, and check job status on the grid.

Xsan Admin: Set up and manage a storage area network (SAN) to provide fast, shared storage among Macs connected to a Fibre Channel network. Located in the Utilities folder in Launchpad.

For more information about an advanced application, open it and use the Help menu.

Command-line tools

You can also use UNIX tools in the Terminal app to administer services, manage users, and perform most other server administration tasks. For more information, see About the command-line environment of Lion Server.

RELATED TOPICS

Command line tools used in Lion Server administration

Services

Lion Server can provide services to Macintosh, Windows, and UNIX computers, and to iOS devices such as iPhone, iPod touch, and iPad. You use the Server app to turn on the service you want to provide, customize service settings, and turn off services you don’t need.

Services include:

Address Book service provides centralized contact information.

File sharing lets users store and share folders and files on the server.

iCal service provides shared calendars, so users can check each other’s availability, book conference rooms, and schedule meetings and events.

iChat instant messaging service lets users collaborate by chatting and sharing information.

Mail service lets users send and receive email on your local network and the Internet using any email application or, optionally, a web browser.

Podcast service lets users publish audio and video podcasts they record and edit using the Podcast Publisher app on their Macs with Mac OS X Lion.

Profile Manager service lets you manage mobile devices and distribute configuration profiles that set up users’ Macs and iOS devices to use your server.


A Time Machine destination lets users back up their Macs on your server’s disk.

VPN service gives users secure remote access to your server and network via the Internet.

Web service lets you publish custom websites.

Wiki service lets users share information using wikis, blogs, and web calendars.

Server information

While Lion Server is providing accounts and services to users, you can check server system information and change server system settings.

Track server alerts

Monitor server stats

View server information

Allow remote login to your server via SSH

Allow screen sharing and remote management

Allow remote administration

Improve performance as a dedicated server

Use push notification

Manage the server’s SSL identity certificates

Find the server’s network address and host name

Manage server storage

Disk preparation

If you’re going to install Lion Server on an existing computer and want a clean installation rather than an upgrade, use the Disk Utility app to erase the disk you’ll install on. With Disk Utility, you can also partition the server’s disk into multiple volumes or set up a RAID set.

You can use Disk Utility when you begin installing Lion Server. For instructions, search Mac Help for “Erase and reinstall Mac OS X.”

You can also use Disk Utility after installing Lion Server. Disk Utility is in the Utilities folder of Launchpad.

Formats for server disks

When you erase a disk before installing Lion Server on it, select one of these formats:

Mac OS Extended (Journaled): This format is recommended, and is the most common format for Mac and Mac server startup disks.

Mac OS Extended (Case-sensitive, Journaled): This format is worth considering if you’re planning to have your server host a custom website with static web content instead of or in addition to wikis. A case-sensitive disk can host static web content with a more direct mapping between files and URLs.

You can erase other disks using one of the formats above, or a non-journaled variant: Mac OS Extended or Mac OS Extended (Case-sensitive).

If the server has a disk formatted using the UNIX File System (UFS) format by an earlier version of Mac OS X or Mac OS X Server, do not use the UFS disk for a Lion Server startup disk.

Volumes on a partitioned disk


Partitioning a hard disk creates a volume for Lion Server and one or more volumes for service data and other software. The volume you install Lion Server on should be at least 10 GB. This volume should be larger if you plan to store shared folders, wikis, and other service data on it.

The volumes on a partitioned disk are often simply called disks. Each volume appears as a disk in the Finder, and you use each volume as if it were a separate disk.

RAID sets

If you’re installing Lion Server on a computer with multiple internal hard disk drives, you can create a RAID (Redundant Array of Independent Disks) set to optimize storage capacity, improve performance, and increase reliability in case of a disk failure. For example, a mirrored RAID set increases reliability by writing your data to two or more disks at once. If one disk fails, your server automatically continues using other disks in the RAID set.

You can set up RAID mirroring or another type of RAID set when you begin installing Lion Server. After installing, you can set up RAID mirroring on a disk that isn’t partitioned. To prevent data loss, you should set up RAID mirroring as early as possible. For information about setting up a RAID set, search Disk Utility Help for “Using RAID sets.”

If you choose a RAID set, you won’t get a recovery partition or FileVault full disk encryption. A recovery partition allows you to reinstall Mac OS X or recover your entire system from a Time Machine backup. Full disk encryption isn’t recommended for a Lion Server startup disk or any disk that stores service data. If these disks are encrypted, the server can’t restart until you go to the server and enter the password at the server’s keyboard. If you use Lion Server to share an encrypted disk, the disk isn’t available to users until you enter the password at the server’s keyboard.

Register the server’s Internet host name

To allow users to access the server by using its host name on the Internet, you must register the server’s host name.

1. Obtain an Internet domain name like example.com.

You can purchase one from a public domain name registrar. For information about domain name registrars, search the web.

2. Register a unique host name for this server, such as server.example.com, with your domain name registrar.

3. Have a DNS hosting service add records for this server to its DNS servers.

Your DNS registrar might provide DNS hosting service, or you can search the web for a provider.

RELATED TOPIC

DNS records for your server

DHCP server configuration for your server

Before you set up your Mac server, configure your DHCP server to supply important network addresses to computers on your intranet.

The DHCP server can provide each computer with its own IP address, the IP address of your network router, and the IP addresses of DNS servers for your network.

When configuring your DHCP server, be sure to do the following:

Configure your network’s DHCP server to assign a fixed (static) IP address to your server. This feature is called static mapping or DHCP reservations. With a fixed IP address, your server always has the same IP address, so other computer users can connect to it reliably.

Configure your DHCP server to provide your server’s IP address as the DNS server address, unless your intranet has a DNS server. If your intranet doesn’t have a DNS server, your server is configured as a DNS server during initial server setup.

If your intranet connects to the Internet through a router supplied by your Internet service provider or purchased from a computer retailer, the router is usually your DHCP server. For information about configuring your router, see its documentation.

If your intranet and Internet connection are managed by your organization, ask the DHCP administrator to configure the DHCP servers for your Mac server.

If you don't have a DHCP server, you can set up Lion Server’s DHCP service. For information, see DHCP setup overview.

DNS records for your server

Before you set up your server, have your DNS server administrator add records for your server. After these records are added to a DNS server, users can access your server by using its host name, such as server.mycompany.com.

Users can use your server’s host name on your intranet if the DNS server administrator for your intranet adds DNS records for your server. If your intranet doesn’t have a DNS server, users can access your server by using its local hostname, such as server.local.

Users can use your server’s host name on the Internet, if a DNS hosting service adds the records described below to its DNS servers. These records must point your server’s host name to the public IP address of your Internet router, if you have one. The DNS registrar you obtained a domain name from might provide DNS hosting service, or you can search the web for a provider.

A (address)

An A record is required. It maps your server’s host name to its IP address. If you have an Internet router, your server has a unique, private IP address on your intranet, but on the Internet it uses the router’s public IP address.

PTR (pointer)

A PTR record is required. It provides a reverse lookup by mapping the server’s IP address to its host name. If you have an Internet router, your server has a unique private IP address on your intranet, but on the Internet it uses the router’s public IP address.

MX (mail exchange)

If your server provides mail service, the optional MX record specifies that your server is a mail server for your domain. An MX record lets users have an email address like [email protected]. Without an MX record, email addresses must include your server’s full host name (for example, [email protected]).

CNAME (alias)

One or more optional CNAME records provide convenient access to services your server provides, such as mail.example.com and www.example.com.

SRV for Address Book service

If your server provides Address Book service, you can add an optional SRV record for Address Book Server’s CardDAV protocol.

If you have an SSL certificate for Address Book service, add a record that maps _carddavs._tcp for port 8443 to your server’s host name. For example:

_carddavs._tcp 86400 IN SRV 0 1 8443 server.example.com

If you don’t have an SSL certificate for Address Book service, add a record that maps _carddav._tcp for port 8008 to your server’s host name. For example:

_carddav._tcp 86400 IN SRV 0 1 8008 server.example.com

SRV for iCal service

If your server provides iCal calendar service, you can add an optional SRV record for iCal Server’s CalDAV protocol.

If you have an SSL certificate for iCal service, you can add an optional record that maps _caldavs._tcp for port 8443 to your server’s host name. For example:

_caldavs._tcp 86400 IN SRV 0 1 8443 server.example.com

If you don’t have an SSL certificate for iCal service, add a record that maps _caldav._tcp for port 8008 to your server’s host name. For example:

_caldav._tcp 86400 IN SRV 0 1 8008 server.example.com

SRV (service locator) for iChat service

If your server provides iChat instant messaging service, you can add two optional SRV (service locator) records for iChat Server’s XMPP (Jabber) protocol.

One record controls connections between your server and other XMPP servers. It maps _xmpp-server._tcp for port 5269 to your server’s host name. For example:

_xmpp-server._tcp 86400 IN SRV 0 1 5269 server.example.com

Another record controls iChat and other XMPP client connections to your server. It maps _xmpp-client._tcp for port 5222 to your server’s host name. For example:

_xmpp-client._tcp 86400 IN SRV 0 1 5222 server.example.com

These SRV records let users have an iChat address like [email protected]. Without these SRV records, iChat addresses must include your server’s full host name (for example, [email protected]).
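The records above are easy to get subtly wrong: an SSL service name pointed at the plain port, a mistyped port, or a PTR owner written the wrong way round. The following script is an added example (not Apple’s code or part of this guide) that builds the A, PTR, MX, CNAME and SRV lines in the same zone-file layout as the examples above and lints the SRV lines against the ports the text pairs with each service name. The host name, domain and address are constructed placeholders (server.example.com, 203.0.113.10), and the MX preference of 10 is an assumption the text does not state.

```python
"""Generate and sanity-check the DNS records listed above for a Lion Server host.

Added example, not Apple's code. Names, domain and address are constructed
placeholders (server.example.com, 203.0.113.10); the MX preference of 10 is
an assumption, the text does not give one.
"""
import ipaddress
import re
from typing import Dict, List

# Owner names from the text and the port each SRV record is supposed to carry
# (the "s" variants are the SSL services on 8443; plain CardDAV/CalDAV use 8008).
EXPECTED_SRV_PORTS: Dict[str, int] = {
    "_carddav._tcp": 8008,
    "_carddavs._tcp": 8443,
    "_caldav._tcp": 8008,
    "_caldavs._tcp": 8443,
    "_xmpp-client._tcp": 5222,
    "_xmpp-server._tcp": 5269,
}

# Zone-file layout used in the text: name ttl IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(line: str) -> Dict[str, object]:
    """Split one SRV record line into its fields; numeric fields become ints."""
    m = SRV_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an SRV record: {line!r}")
    rec: Dict[str, object] = dict(m.groupdict())
    for key in ("ttl", "priority", "weight", "port"):
        rec[key] = int(str(rec[key]))
    return rec


def check_srv(line: str) -> List[str]:
    """Return the problems found in one SRV record; an empty list means it is consistent."""
    rec = parse_srv(line)
    name, port = str(rec["name"]), int(str(rec["port"]))
    problems: List[str] = []
    if not 1 <= port <= 65535:  # a typo such as 80008 is not a usable port
        problems.append(f"port {port} is outside 1-65535")
    expected = EXPECTED_SRV_PORTS.get(name)
    if expected is None:
        problems.append(f"unknown service {name}")
    elif port != expected:  # e.g. an SSL service name pointed at the plain port
        problems.append(f"{name} should use port {expected}, not {port}")
    return problems


def build_records(host: str, domain: str, public_ip: str, ssl: bool = True) -> List[str]:
    """Zone-file lines for the A, PTR, MX, CNAME and SRV records the text describes.

    ssl=True emits the SSL CardDAV/CalDAV names on 8443; ssl=False the plain
    names on 8008. The XMPP records do not depend on the certificate.
    """
    fqdn = f"{host}.{domain}"
    # PTR owner is the address reversed under in-addr.arpa (10.113.0.203.in-addr.arpa)
    reverse_name = ipaddress.ip_address(public_ip).reverse_pointer
    lines = [
        f"{fqdn} 86400 IN A {public_ip}",
        f"{reverse_name} 86400 IN PTR {fqdn}",
        f"{domain} 86400 IN MX 10 {fqdn}",  # only needed if the server runs mail service
        f"mail.{domain} 86400 IN CNAME {fqdn}",
        f"www.{domain} 86400 IN CNAME {fqdn}",
    ]
    for base in ("_carddav", "_caldav"):
        name = f"{base}s._tcp" if ssl else f"{base}._tcp"
        lines.append(f"{name} 86400 IN SRV 0 1 {EXPECTED_SRV_PORTS[name]} {fqdn}")
    for name in ("_xmpp-server._tcp", "_xmpp-client._tcp"):
        lines.append(f"{name} 86400 IN SRV 0 1 {EXPECTED_SRV_PORTS[name]} {fqdn}")
    return lines


def lint_zone(lines: List[str]) -> Dict[str, List[str]]:
    """Run check_srv over every SRV line; map each faulty line to its problems."""
    report: Dict[str, List[str]] = {}
    for ln in lines:
        if " IN SRV " in ln:
            problems = check_srv(ln)
            if problems:
                report[ln] = problems
    return report


if __name__ == "__main__":
    for ln in build_records("server", "example.com", "203.0.113.10"):
        print(ln)
    # A mistyped port is caught before the zone is handed to the hosting service.
    print(lint_zone(["_caldav._tcp 86400 IN SRV 0 1 80008 server.example.com"]))
```

Running the module prints the generated records and then the lint report for a deliberately mistyped CalDAV line; an empty report from lint_zone means every SRV line uses the service name and port pairing described above.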

Port mapping for network and server protection

If you have a network router that shares its Internet connection with computers on your intranet, such as an AirPort Extreme Base Station (802.11n) or a Time Capsule, the router isolates your intranet from the Internet. These Internet-sharing routers protect your intranet against malicious attacks from the Internet by blocking communications that originate outside the intranet.

Computers on the Internet can’t access your server unless you configure your router to expose specific services on the Internet. For example, you might expose your wiki and web services on the Internet, but not file sharing. You can still control access to wikis by requiring users to log in to view them. The process of exposing individual services to the Internet is called port mapping or port forwarding.

Internet users can access your exposed services by using an Internet host name, such as server.mycompany.com, that you register with a public DNS registrar or a DNS hosting service. Your registered host name points to the public IP address you got from your Internet service provider and configured your router to use. Internet users can also access your exposed services by using your public IP address directly instead of by using an Internet host name.

When using your Internet host name or public IP address to access a specific service, such as your wiki service, users actually reach your router. If you exposed the service, your router forwards the request to your server. If you didn’t expose the service, the router doesn’t forward the request, and the user can’t get that service from your server.

If you want to let Internet users with accounts on your server access services that aren’t exposed to the Internet, you can turn on VPN service. It provides a secure remote connection to all services on your intranet.

RELATED TOPICS

Router port mapping

Manage AirPort port mapping and Wi-Fi login

Register the server’s Internet host name

About VPN

Router port mapping

If you have a cable router, DSL router, or other network router that shares its Internet connection with computers on your intranet, you can manually configure the router to protect your intranet while allowing access to selected services from the Internet. You configure your router to forward requests for individual services to your server. This process is called port mapping or port forwarding, because each service communicates through an abstract, numbered communication port. Unlike the Ethernet port on your computer, these ports aren’t physical.

You can configure port mapping on an AirPort device by using the Server app. For information, see Manage AirPort port mapping and Wi-Fi login.

You can manually configure port mapping on most Internet routers by using their configuration software. Usually, the configuration software consists of several webpages. Using a web browser on any computer connected to your intranet, you go to the webpage with settings for port mapping or port forwarding. In some cases, you can select standard services such as web or VPN and specify that each be mapped to your server’s IP address. In other cases, you must enter port numbers for services and enter your server’s IP address for each one.

For a list of services and the corresponding ports for which you might want to set up port mapping or forwarding, see Services and ports.


AirPort port mapping

If you have an AirPort Extreme Base Station (802.11n) or a Time Capsule, Lion Server can automatically manage it to protect your intranet, while allowing access to selected services from the Internet.

You can use the Server app to designate public services that can be accessed by computers on the Internet. Lion Server configures your AirPort device to expose those public services on the Internet. The process of exposing individual services to the Internet is called port mapping or port forwarding. For more information, see Port mapping for network and server protection.

You can also let users log in to your wireless network with their user name and password instead of the Wi-Fi network password. In this case, your server provides Remote Authentication Dial In User Service (RADIUS) for your AirPort device and authorizes all user accounts on the server to access your wireless network. For more information, see About RADIUS for AirPort.

Your AirPort device must have its Connection Sharing option set to “Share a public IP address” (that is, an Internet connection) in order for Lion Server to manage it. The advanced option IPv6 Mode must be set to Tunnel. The “default host” option should also be turned off, which is the default setting.

You should make sure the AirPort device has a secure password instead of the default password, which is public. You need to know the AirPort device password, not the Wi-Fi network password, to turn on AirPort management.

RELATED TOPIC

Manage AirPort port mapping and Wi-Fi login

Manage AirPort port mapping and Wi-Fi login

The Server app can manage an AirPort device to give Internet computers access to selected services, and to let users log in to your wireless network with their name and password. The Server app can manage an AirPort Extreme Base Station (802.11n) or a Time Capsule.

To be managed, your AirPort device must have its Connection Sharing option set to “Share a public IP address” (that is, an Internet connection). The advanced option IPv6 Mode must be set to Tunnel. The “default host” option should also be turned off, which is the default setting.

If you don’t use the Server app to manage your router, you can use the router’s configuration software to protect your server and your intranet. For information, see Router port mapping.

Add or remove public services

You can use the Server app to designate public services that can be accessed by computers on the Internet. Lion Server configures your AirPort device to expose those public services on the Internet. The process of exposing individual services to the Internet is called port mapping or port forwarding. For more information, see Port mapping for network and server protection.

1. In the Server app sidebar, select your AirPort device.

The AirPort device is listed in the Hardware section of the sidebar.

2. To expose a service to computers on the Internet, click the Add button (+) and choose the service from the pop-up menu.

If the service you want to add isn’t listed in the pop-up menu, choose Other, and then enter the service name and port. For a list of services, see Services and ports.

Note: Exposing web service also exposes wiki, web calendar, webmail, and Profile Manager services.

3. To stop a listed service from accepting connections initiated by computers on the Internet, select the service and click the Delete button (–).

4. To apply your changes, click Restart AirPort. If asked, enter the password for your AirPort device.

Important: Restarting your AirPort device interrupts its services for all computers on your intranet for up to a minute. AirPort device services may include Internet access, DHCP service, and a shared disk for Time Machine backup or other uses.

When entering the password to authorize restarting the wireless device, use the password for your AirPort device, not the password for your Wi-Fi network. Lion Server remembers this password, so you don’t have to enter it again unless you change it on your AirPort device.

Services that aren’t in the Public Services list can get incoming connections only from the server’s intranet.

Allow user name and password login over Wi-Fi

You can let users log in to your wireless network with their user name and password instead of the Wi-Fi network password. In this case, your server provides Remote Authentication Dial In User Service (RADIUS) for your AirPort device and authorizes all user accounts on the server to access your wireless network. For more information, see About RADIUS for AirPort.

1. In the Server app sidebar, select your AirPort device.

The AirPort device is listed in the Hardware section of the sidebar.

2. If you want users to log in to your wireless network with their user account credentials, select “Allow user name and password login over Wi-Fi.”

Important: Your server will lose its connection to the AirPort device, unless the two are connected via a wired Ethernet network.

Don’t select this option if you want to let users log in to your wireless network with the Wi-Fi network password.

You can turn off RADIUS using the AirPort Utility app (in the Utilities folder in Launchpad).

3. To apply your changes, restart your AirPort device by entering its password and clicking Set.

Important: Restarting your AirPort device interrupts its services for all computers on your intranet for up to a minute. AirPort device services may include Internet access, DHCP service, and a shared disk for Time Machine backup or other uses.

When entering the password to authorize restarting the AirPort device, use the password for the device, not the password for your Wi-Fi network. Lion Server remembers this password, so you don’t have to enter it again unless you change it on your AirPort device.

Selecting this option starts RADIUS on your server, registers the selected AirPort device with RADIUS, and authorizes all user accounts on the server to access your wireless network.

About RADIUS for AirPort

Lion Server can provide Remote Authentication Dial In User Service (RADIUS) for your AirPort Extreme Base Station (802.11n) or Time Capsule. RADIUS keeps your wireless network secure by making sure it’s used only by authorized users.

With RADIUS, users log in to your wireless network by entering the name and password of a user account on your server. They can’t log in to your wireless network with the Wi-Fi network password, which is configured on the AirPort Extreme Base Station or Time Capsule. Without RADIUS, anonymous users who learn your Wi-Fi network password can log in to your wireless network.

When a user tries to access the wireless network of an AirPort Extreme Base Station or a Time Capsule, the device communicates with RADIUS on your server using Extensible Authentication Protocol (EAP) to authenticate and authorize the user. Users are given access to the network if their user credentials are valid and they are authorized to use the AirPort Extreme Base Station or Time Capsule. A user who isn’t authorized can’t access the network through the AirPort Extreme Base Station or Time Capsule.

You turn on RADIUS for Lion Server by selecting your Apple wireless device in the Server app sidebar and selecting “Allow user name and password login over Wi-Fi.” The Server application starts RADIUS on your server, registers the selected Apple wireless device with RADIUS, and authorizes all user accounts on the server to access your wireless network.

Services and ports

If your server connects to the Internet through a cable router, DSL router, or other network router, you can configure port forwarding (or port mapping) to allow access to some services from the Internet while protecting other services and other computers on your network.

Use the following table to determine the port numbers for the services you want to expose on the Internet. Configure your router to forward only those ports to your server’s IP address.

Some Internet routers may require you to specify TCP or UDP for each port, while other routers don’t. For specific information about how to configure port forwarding on your router, see its documentation. If your router is an AirPort Extreme Base Station (802.11n) or a Time Capsule, you can use the Server app to configure port forwarding. For information, see Manage AirPort port mapping and Wi-Fi login.

If your intranet has a separate firewall device, and you want to allow access to some services outside your intranet, ask the firewall administrator to open the firewall for the communications ports and protocols that your services use. Use the following table to determine the port numbers you need to have open on the firewall.

Service                           Port            TCP or UDP
Address Book Server               8008            TCP
Address Book Server SSL           8443            TCP
iCal Server                       8008            TCP
iCal Server SSL                   8443            TCP
iChat Server                      5222            TCP
iChat Server SSL                  5223            TCP
iChat server-to-server            5269            TCP
iChat Server file transfer        7777            TCP
iChat local                       5678            UDP
iChat audio/video RTP and RTCP    16384–16403     UDP
File sharing SMB                  139             TCP
File sharing AFP                  548             TCP
Mail service SMTP standard        25              TCP
Mail service POP3                 110             TCP
Mail service IMAP                 143             TCP
Mail service SMTP submission      587             TCP
Mail clients IMAP SSL             993             TCP
Mail clients POP3 SSL             995             TCP
Remote login SSH (Secure Shell)   22              TCP
Screen sharing VNC                5900            TCP
Web service HTTP                  80              TCP
Web service HTTPS                 443             TCP
Web service custom website        YourPortNumber  TCP
VPN L2TP ISAKMP/IKE               500             UDP
VPN L2TP                          1701            UDP
VPN L2TP IKE NAT Traversal        4500            UDP
VPN L2TP ESP (firewall only)      IP protocol 50  n/a
VPN PPTP                          1723            TCP

Note: Exposing web service also exposes wiki, web calendar, webmail, and Profile Manager services.
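As an added example (not code from the Apple manual), the shell script below compares the ports you plan to forward, taken from the table above, with the sockets the server is actually listening on, as printed by netstat -an on Mac OS X. The intended-port list and the netstat output in the script are constructed samples; on a real server, pass "$(netstat -an)" in place of the sample. It reports ports that are open to the network but not on your list (do not forward these, and check whether the service behind each should be running at all) and ports on your list that nothing is listening on.

```shell
#!/bin/sh
# Added example; not part of the Apple manual. Before forwarding ports from
# your router, compare the ports you intend to expose (taken from the
# "Services and ports" table) with the sockets the server is listening on.
# Input is the text printed by `netstat -an` on Mac OS X; the sample below is
# constructed for this demonstration.

# Ports we intend to forward, as "<port>/<proto>", one per line (constructed
# choice: mail, HTTPS, SSH and L2TP VPN).
INTENDED_PORTS="25/tcp
587/tcp
993/tcp
443/tcp
22/tcp
500/udp
1701/udp
4500/udp"

# Constructed sample of `netstat -an` output (Mac OS X column layout:
# Proto Recv-Q Send-Q Local-Address Foreign-Address (state)).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.443                  *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  192.168.1.100.5900     *.*                    LISTEN
tcp4       0      0  127.0.0.1.8008         *.*                    LISTEN
tcp4       0      0  192.168.1.100.49152    17.0.0.1.443           ESTABLISHED
udp4       0      0  *.500                  *.*
udp4       0      0  *.4500                 *.*
udp4       0      0  *.5353                 *.*'

# listening_ports NETSTAT_TEXT: print "<port>/<proto>" for each socket that
# accepts traffic on a non-loopback address. The port is the last dot-separated
# field of the local address ("*.22", "192.168.1.100.5900"). Loopback-only
# listeners (127.0.0.1) are skipped because a forwarded packet never reaches
# them anyway. UDP sockets have no state column, so any bound UDP port counts.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 !~ /^127\.0\.0\.1\./ {
            n = split($4, a, "."); print a[n] "/tcp"
        }
        $1 ~ /^udp/ && $4 ~ /\./ && $4 !~ /^127\.0\.0\.1\./ {
            n = split($4, a, "."); print a[n] "/udp"
        }' | LC_ALL=C sort -u
}

# unexpected_listeners NETSTAT_TEXT INTENDED: ports that are open to the
# network but not on the intended list. Do not forward these; decide whether
# the service behind each should be running at all.
unexpected_listeners() {
    for p in $(listening_ports "$1"); do
        printf '%s\n' "$2" | grep -qxF "$p" || printf '%s\n' "$p"
    done
}

# missing_listeners NETSTAT_TEXT INTENDED: intended ports that nothing is
# listening on, which usually means the service is turned off.
missing_listeners() {
    listening=$(listening_ports "$1")
    printf '%s\n' "$2" | while read -r p; do
        printf '%s\n' "$listening" | grep -qxF "$p" || printf '%s\n' "$p"
    done
}

# Stand-alone run against the constructed sample; on a real server use
# "$(netstat -an)" in place of "$SAMPLE_NETSTAT".
echo "Open but not intended:"
unexpected_listeners "$SAMPLE_NETSTAT" "$INTENDED_PORTS"   # 5353/udp, 5900/tcp
echo "Intended but not open:"
missing_listeners "$SAMPLE_NETSTAT" "$INTENDED_PORTS"      # 587/tcp, 993/tcp, 1701/udp
```

The loopback listener on 8008 in the sample is deliberately ignored: a port that is bound only to 127.0.0.1 cannot be reached through a forwarding rule, so listing it would only add noise. Run the real check after you have turned services on or off in the Server app, and again after any change to the router’s forwarding rules.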

Lion server fundamentals ► Get started

Prepare an administrator computer

You can use the Server app on an administrator computer to set up and manage your server over the network. You can install the Server app on a Mac that isn’t a server, making it an administrator computer. If you have more than one server, they already have the Server app installed, and you can use them as administrator computers.

As illustrated below, you use the Server app on the administrator computer to check server status, manage accounts and services, and view or change server system settings. The remote server doesn’t need a display.

1. Install the Server app on a Mac you want to be an administrator computer by doing either of the following:

Copy from your server.

You can copy the Server app from your server to a Mac that you want to be an administrator computer.

Install from the Mac App Store.

After purchasing Lion Server from the App Store on your server, you can install it free of charge on a Mac you want to be an administrator computer. You open the App Store on the prospective administrator computer, find Lion Server in the App Store, click Buy, and provide the Apple ID you used to purchase Lion Server. The Server app is downloaded to the administrator computer.

2. Open the Server app you installed in step 1, and then choose Manage > Connect to Server.

The “Choose a Mac” dialog appears. If the “Welcome to Server” dialog appears instead, choose Manage > Connect to Server again.

3. You can now select another Mac to manage, or select a Mac that's ready for server setup, and then click Continue.

For additional instructions, see Manage Lion Server remotely or Set up a server remotely.

Note: If you select This Mac (that is, the Mac you’re working on) and click Continue, the Server app makes the Mac a server.

Lion server fundamentals ► Get started

Use advanced tools for more services

Managing users, groups, and services is easy with the Server app. You can change advanced settings and configure advanced accounts and services not available in the Server app by using advanced administration tools. If your server doesn’t have the advanced tools (in the Server folder in Launchpad), you can install them.

For information about advanced tools, accounts, services, and settings, see Lion Server tools.

To add the administration tools to your server, download the Server Admin Tools for Mac OS X Lion Server from the AppleCare Support Downloads website at www.apple.com/support/downloads/, and then install the downloaded software.

Lion server fundamentals ► Get started

More information

For more information, see these resources.

Lion Server website (www.apple.com/macosx/server/)

Enter the gateway to extensive product and technology information.


Lion Server Support website (www.apple.com/support/lionserver/)

Access hundreds of articles from Apple’s support organization.

Apple Training and Certification website (www.apple.com/training/)

Hone your server administration skills with instructor-led or self-paced training, and differentiate yourself with certification.

Apple Discussions website (discussions.apple.com)

Share questions, knowledge, and advice with other administrators.

Apple Mailing Lists website (www.lists.apple.com)

Subscribe to mailing lists so you can communicate with other administrators using email.

Lion server fundamentals ► The Server app

Start or stop a service

Starting a service makes it available to users on your network, and stopping a service makes it unavailable.

Start a service

Starting a service makes it available for users on your network.

1. In the Server app sidebar, select the service you want to start.

2. Click the On/Off switch to turn on the service.

3. If a dialog asks whether you want to allow Internet access to the service you turned on, click Allow to configure your AirPort device and make the service accessible to Internet users.

Click Don’t Allow if you don’t want the service to be accessible to computers on the Internet, or if you’re not sure. You can change Internet access to services later by selecting your AirPort device in the Server sidebar. For more information, see Manage AirPort port mapping and Wi-Fi login.

The dialog appears only if your AirPort device is listed in the Server sidebar and you turned on a service that the Server app can manage on your AirPort device. These services include Address Book, iCal, iChat, Mail, and Web.

If you have an Internet router that isn’t listed in the Server sidebar, you can configure it to allow Internet access to services. This process is called port forwarding or port mapping. For information, see Router port mapping.

Stop a service

Stopping a service makes it unavailable to users on your network.

1. In the Server app sidebar, select the service you want to stop.

2. Click the On/Off switch to turn off the service.

Lion server fundamentals ► The Server app

Manage Lion Server remotely

You can connect the Server app to a Mac server over the network and manage users, groups, services, and system information on the remote server. The remote server must have Mac OS X Lion Server.

1. If necessary, install the Server app on the Mac you want to use for administering your server.

For instructions, see Prepare an administrator computer.

2. In the Server app, choose Manage > Connect to Server.

3. Select the server you want to manage, and then click Continue.


If you want to manage a server that isn’t listed, such as a server outside your intranet, select Other Mac, click Continue, and then enter its host name or IP address.

4. Enter an administrator name and password for the server you selected, and then click Connect.

Lion server fundamentals ► The Server app ► Manage general settings

Allow remote login to your server

If you use the Server app to allow remote login, you can use SSH (Secure Shell) to log in to your server from another computer.

Allow remote login using SSH

1. Select the server in the Server app sidebar, and click Settings.

2. Select “Allow remote login using SSH.”

Selecting this option also enables the secure FTP (sftp) service.

Allowing remote login to your server can make your server less secure. For information about keeping your server secure, search Mac Help for “Protect the information on your Mac.”

Log in from another computer

You can log in to your server by using the ssh command-line tool on another computer. You can’t use Telnet to log in to your server.

Open the Terminal app or another SSH client app and enter an ssh command as follows:

ssh -l username [IP address]

For example, if your user name is ravi and your computer’s IP address is 192.168.1.100, enter:

ssh -l ravi 192.168.1.100

For more information, see the man page for ssh.

Lion server fundamentals ► The Server app ► Manage general settings

Allow screen sharing and remote management

You can use the Server app to let other computers view your screen and control your server. The other computer’s user sees what’s on your screen and can open, move, and close files and windows, open apps, and even restart the server.

If you allow screen sharing and remote management, your server can be observed and controlled by screen sharing software using the VNC protocol on another computer or Apple Remote Desktop on another Mac. VNC screen sharing is included with Mac OS X Lion and Mac OS X Snow Leopard. It’s also available for Windows computers and for iPhone, iPad, and iPod touch. Apple Remote Desktop is available from the Mac App Store.

1. Select the server in the Server app sidebar, and click Settings.

2. Select “Enable screen sharing and remote management.”

Selecting this option in the Server app only allows screen sharing and Apple Remote Desktop access by the administrator account created when the server was initially set up.

If you want to specify who can share your screen and what capabilities Apple Remote Desktop users have, use the Sharing pane of System Preferences.

Lion server fundamentals ► The Server app ► Manage general settings

Allow remote administration


If you use the Server app to allow remote administration, your server can be administered by the Server app on another Mac.

1. Select the server in the Server app sidebar and click Settings.

2. Select “Allow remote administration using Server.”

RELATED TOPICS

Manage Lion Server remotely

Prepare an administrator computer

Lion server fundamentals ► The Server app ► Manage general settings

Improve performance as a dedicated server

You can regulate system resources for better performance as a dedicated server. The server can be more responsive to users whose computers and mobile devices get services from it, while being less responsive when you use apps on it.

1. Select the server in the Server app sidebar, and click Settings.

2. Select “Dedicate system resources to server services.”

This change takes effect when the server restarts.

Lion server fundamentals ► The Server app ► Manage network settings

Find or change your server’s name

You can see and change your server’s computer name and local hostname by using the Server app.

The computer name, which you can change, identifies the server to users who are browsing for shared computers in the Finder.

The local hostname, also known as the local network name, is a name users can use to get all services from your server on your intranet. By default, the local hostname is the computer name followed by .local. You can change the first part of the local hostname, but it always ends with .local. The local hostname can’t include spaces; they’re replaced with hyphens (-). Capitalization doesn’t matter in a local hostname. For example, if the computer name is Server, the local hostname is initially Server.local or server.local. If the computer name is Design Team Server, the default local hostname is Design-Team-Server.local or design-team-server.local.

Bonjour is an Apple networking technology that makes it easy to set up and use devices and services on a network. Because Bonjour-compatible devices and services advertise their availability, it’s easy for users (or an application or service) to find devices and services that they want to use. For example, if you turn on file sharing service, Mac OS X Lion users on your intranet see your server in the Shared section of the Finder sidebar.

1. To find your server’s computer name, select the server in the Server app sidebar and click Network.

2. To find the local hostname and optionally change the computer name or the local hostname, click Edit next to the computer name.

You can see and change the computer name and the local hostname in the dialog that appears.

The computer name can be 63 Roman characters or fewer. It can include spaces, but avoid using =, :, or @.
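An added example, not Apple’s own code, that applies the rules just stated: it derives the default local hostname from a computer name (spaces become hyphens, .local is appended), compares two local hostnames case-insensitively, and checks a computer name against the 63-character limit and the disallowed characters =, : and @. The computer names in it are constructed samples.

```shell
#!/bin/sh
# Added example; not Apple's code. Applies the local hostname and computer
# name rules from the text to constructed sample names.

# default_local_hostname NAME: the Bonjour name Lion derives from NAME.
# Case is kept as given; Server.local and server.local are the same name.
default_local_hostname() {
    printf '%s.local\n' "$(printf '%s' "$1" | tr ' ' '-')"
}

# same_local_hostname A B: returns 0 when A and B name the same host
# (comparison is case-insensitive, as for local hostnames).
same_local_hostname() {
    a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    b=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$a" = "$b" ]
}

# valid_computer_name NAME: prints "ok" and returns 0 when NAME is within the
# limits; otherwise prints the reason and returns 1. ${#name} counts
# characters in the current locale, which for Roman characters is the
# 63-character limit the text gives.
valid_computer_name() {
    name=$1
    if [ "${#name}" -gt 63 ]; then
        echo "too long: ${#name} characters (maximum 63)"
        return 1
    fi
    case $name in
        *=*|*:*|*@*)
            echo "contains a disallowed character (=, : or @)"
            return 1 ;;
    esac
    echo ok
}

default_local_hostname "Design Team Server"    # Design-Team-Server.local
valid_computer_name "Design Team Server"       # ok
valid_computer_name "mail@server" || true      # contains a disallowed character
```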

RELATED TOPIC

Find or change your server’s host name

Lion server fundamentals ► The Server app ► Manage network settings

Find or change your server’s host name

You can see and change your server’s host name by using the Server app. If you change the host name, you may also need to update the DNS server for your network, and users’ computers may need to be reconfigured.


The host name is the full, unique name that identifies the server on your intranet and (optionally) on the Internet—for example, server.mycompany.com or server.mycompany.private.

The DNS server for your intranet must be configured to map the host name to the server’s intranet IP address. If another server on your intranet provides DNS service, ask the DNS server administrator for help.

If you want Internet users to access your server by using its host name, an Internet DNS hosting service must configure its DNS servers to map the host name to your server’s Internet IP address.

1. To find your server’s host name, select the server in the Server app sidebar and click Network.

2. To change the host name, click Edit next to the host name, and proceed through the Change Host Name assistant.

For information about settings in a Change Host Name assistant pane, click the Help button in the pane.

After changing your server’s host name, the DNS server for your network must be updated so that the new host name points to your server’s IP address. Also, a reverse lookup of the IP address must point to the new host name.

If your DNS service is provided by a DNS hosting service, your ISP, or another server on your network, ask the provider to update your server’s DNS records. If your server provides its own DNS service, you can use Server Admin to update it. For information about Server Admin, see Lion Server tools.

Users who have installed profiles from your server can update their Macs to use the server’s new host name by getting new profiles and installing them. Lion Server automatically creates a new profile each time a user downloads one, and uses the server’s current host name in the new profiles.

Changing your server’s host name may disrupt the connections of users’ computers that have Mac OS X Lion. If this happens, users need to remove your server from their list of network account servers and then add it again. For information, search Mac Help for “Join your Mac to a network account server.”

RELATED TOPIC

Find or change your server’s name

Lion server fundamentals ► The Server app ► Manage network settings

Find or change your server’s IP address

The Server app displays your server’s IP address, and you can change it in the Network pane of System Preferences. If you change the IP address, you may also need to update the DNS server for your network, and users’ computers may need to be reconfigured. If your server has multiple network interfaces, you can find and change each one’s IP address.

To find your server’s IP address, select the server in the Server app sidebar and click Network.

The numeric IP address appears below the Interfaces heading, to the right of the network interface name. If your server has multiple interfaces, each is listed.

To change the IP address, open System Preferences, click Network, select the network service listed on the left, and enter an IP address on the right.

You can’t change the IP address if the Configure IPv4 setting is Using DHCP. In this case, the DHCP server for your network assigns an IP address to your server. The DHCP server should be configured to assign your server the same IP address all the time. This feature is called static mapping or DHCP reservations. If you have an Internet router, it’s probably your DHCP server, and you should see its documentation for instructions.

If the IP address can’t be edited, you can enable editing by changing the Configure IPv4 setting to Manually or “Using DHCP with manual address.”

After changing your server’s IP address, the DNS server for your network must be updated so that your server’s host name points to the new IP address. Also, a reverse lookup of the new IP address must point to your server’s host name.

If your DNS service is provided by your ISP or another server on your network, ask your ISP or the DNS server administrator to update your server’s DNS records. If your server provides its own DNS service, you can use Server Admin to update it. For information about Server Admin, see Lion Server tools.

Changing your server’s IP address may disrupt the connections of users’ computers that have Mac OS X Lion. If this happens, users need to remove your server from their list of network account servers and then add it back. For more information, search Mac Help for “Join your Mac to a network account server.”
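After a host name change (the previous topic) or an IP address change (this topic), the text requires the forward and reverse DNS records to agree. The following shell example, added here and not part of the Apple manual, checks that: check_dns_pair compares answers in the form dig +short prints them, and verify_server_dns obtains live answers with dig, which is included with Mac OS X. The host name server.mycompany.private and the address 192.168.1.100 come from the text’s own examples; the stale record is a constructed sample.

```shell
#!/bin/sh
# Added example; not Apple's code. After you change the server's host name or
# IP address, the forward (A) record and the reverse (PTR) record must agree.
# check_dns_pair compares answers in the form `dig +short` prints them;
# verify_server_dns feeds it live answers. Sample records are constructed.

# normalize_name NAME: lower-case and strip the trailing dot that dig prints
# on PTR targets ("server.mycompany.private."), so comparisons are exact.
# Works line by line, so a multi-line answer list is normalized as a whole.
normalize_name() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# check_dns_pair HOST IP FORWARD REVERSE
#   FORWARD: answers to `dig +short HOST A`, one per line
#   REVERSE: answers to `dig +short -x IP`, one per line
# Prints "ok" and returns 0 when HOST resolves to IP and IP points back to
# HOST; otherwise prints one line per failing direction and returns 1.
check_dns_pair() {
    host=$(normalize_name "$1")
    ip=$2
    forward=$3
    reverse=$(normalize_name "$4")
    rc=0
    # Forward direction: IP must be among the A answers (a CNAME target may
    # precede it, which is why whole lines are matched rather than the first).
    if ! printf '%s\n' "$forward" | grep -qxF "$ip"; then
        echo "forward: $host does not resolve to $ip (got: $(printf '%s' "$forward" | tr '\n' ' '))"
        rc=1
    fi
    # Reverse direction: the PTR answer must name the server.
    if ! printf '%s\n' "$reverse" | grep -qxF "$host"; then
        echo "reverse: $ip does not point back to $host (got: $(printf '%s' "$reverse" | tr '\n' ' '))"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# verify_server_dns HOST IP: live check with dig (included with Mac OS X).
verify_server_dns() {
    check_dns_pair "$1" "$2" "$(dig +short "$1" A)" "$(dig +short -x "$2")"
}

# Constructed samples: a correct pair, and the stale A record you would see
# when the DNS server has not been updated after an IP address change.
SAMPLE_FORWARD_OK='192.168.1.100'
SAMPLE_REVERSE_OK='Server.Mycompany.Private.'
SAMPLE_FORWARD_STALE='192.168.1.50'

check_dns_pair server.mycompany.private 192.168.1.100 "$SAMPLE_FORWARD_OK" "$SAMPLE_REVERSE_OK"
if ! check_dns_pair server.mycompany.private 192.168.1.100 "$SAMPLE_FORWARD_STALE" "$SAMPLE_REVERSE_OK"; then
    echo "DNS records need updating before users reconnect"
fi
```

Run verify_server_dns with the new host name and address from each client network you care about (intranet and, if the server is reachable from the Internet, an external resolver), because the text notes that intranet DNS and an Internet DNS hosting service may hold separate records.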

Lion server fundamentals ► The Server app

Manage server storage

You can see information about your server’s disks and their contents by using the Server app. The Storage pane displays a list of available disks and the amount of space available on each disk. You can browse the folders and files on a disk, create new folders, and change access permissions.

1. In the Server app sidebar, select the server, and then click Storage.

2. Choose how you want to browse disk contents by clicking a View button in the lower left corner of the Storage pane.

To view disks, folders, and files in a list, click the List View button. List view shows the amount of available space as a number and a graph. You can show or hide disk and folder contents by clicking disclosure triangles in list view.

To view disks, folders, and files in columns, click the Column View button. You can resize or expand columns as follows:

To resize columns, drag the bottom of a column divider (where two vertical lines appear)

To resize all columns at once, hold down the Option key as you drag

To expand a column to reveal its longest item, double-click the column divider

To expand all columns to reveal their longest items, Option-double-click any column divider

To expand all columns equally to reveal the longest item, hold down Shift-Option while double-clicking any column divider

To resize columns, Control-click a column divider and choose from the shortcut menu

3. To create a new folder, select the disk or folder you want to contain it, and then choose New Folder from the Action pop-up menu.

4. To change an item’s access permissions, select the item and choose Edit Permissions from the Action pop-up menu.

For detailed instructions, see Set folder access permissions.

5. To propagate a folder’s access permission to the items it contains, select the folder and choose Propagate Permissions from the Action pop-up menu.

Important: Propagation begins as soon as you click OK, and you can’t undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.

Lion server fundamentals ► The Server app ► Monitor servers

Check server status

The Server app shows the overall status of each service.

In the Server sidebar, look for a green status indicator next to each service icon.

A service with a status indicator is turned on and operating normally. A service without an indicator is turned off.

RELATED TOPIC

Start or stop a service

Lion server fundamentals ► The Server app ► Monitor servers

View server information

You can see general information about your server by using the Server app. The server’s Overview pane displays the Mac model name, processor, serial number, storage capacity, memory size, startup disk, system version, and amount of time since the last system restart.


1. In the Server app sidebar, select the server by name, and then click Overview.

2. To see more information about the startup disk and any other disks connected to the server, click the arrow next to the startup disk name.

You’ll see the Storage pane, which highlights the startup disk in the list of available disks.

RELATED TOPIC

Manage server storage

Lion server fundamentals ► The Server app ► Monitor servers

Monitor server stats

Use the Stats pane of the Server app to get a picture of server activity over time. You can find out when the server is likely to be busy, whether it’s operating near capacity, and when it’s likely to be least used.

Choose a type of activity and a time period from the pop-up menus.

Processor Usage: Monitor the workload of the server’s processor or processors.

Memory Usage: See how much memory the server has been using.

Network Traffic: Track how much incoming and outgoing data the server transfers over the network.

You can also monitor server activity by using the Server Status widget on the server or on another computer.

For information, see Use the Server Status widget.

If the server has a display, you can use Activity Monitor (in the Utilities folder in Launchpad) on the server.

Activity Monitor shows the processes and applications currently open on the computer. You can use Activity Monitor to monitor short-term processor workload, disk activity, and network activity. For information, see Activity Monitor Help.

Lion server fundamentals ► The Server app ► Monitor servers

Track server alerts

You can use the Server app to view messages about important events that have occurred on the server. Each alert message notes when the event occurred, briefly describes the event, outlines available recovery options for resulting problems, and may assist you in recovery. Lion Server sends alerts about low disk space, software updates, expiring SSL certificates, email viruses, and network configuration changes.

View alerts and resolve resulting problems

1. To view a list of alerts, select Alerts in the Server sidebar.

Alerts you haven’t viewed are displayed in bold.

2. To view the description and recovery options for an alert, select the alert in the list, and then choose View Alert from the Action pop-up menu.

You can also view an alert by double-clicking it in the list.

3. To recover from a problem associated with the alert, use the controls or follow the instructions under the Recovery Options heading.

Clear all alerts

Select Alerts in the Server sidebar, and then choose Clear All from the Action pop-up menu.

Lion server fundamentals ► The Server app ► Monitor servers

Change the email address for server alerts

You can use the Server app to change the email addresses Lion Server sends alerts to. Lion Server sends alerts about low disk space, software updates, expiring SSL certificates, email suspected of having a virus, and network configuration changes.

1. Select Alerts in the Server sidebar.

2. Choose Configure Email Addresses from the Action pop-up menu.

3. Enter the email address you want alerts sent to, or enter multiple email addresses separated by commas.

Lion server fundamentals ► The Server app ► Monitor servers

Use the Server Status widget

You can use the Server Status widget to monitor the status of Lion Server, either on the server itself or from another computer with Mac OS X Lion.

1. Open Dashboard, and look for the Server Status widget.

You can open Dashboard by clicking its icon in Launchpad or pressing its keyboard shortcut, which is usually the F12 key.

If you don’t see the Server Status widget in Dashboard, click Dashboard’s Open button (+), and then click or drag the Server Status widget from the widget bar. You can use multiple Server Status widgets to see more than one aspect of a server’s status at once or to monitor other servers on the network.

For more information, search Mac Help for “Dashboard and widgets.”

2. If you see the Server, User Name, and Password fields, enter the server’s DNS name or IP address followed by an administrator name and password, and then click Done.

3. When the Server Status widget is connected to a server, it displays a graph and other status information about the server and its services. You can:

Monitor processor usage, network load, or disk usage by clicking an icon below the graph.

Change the processor or network graph’s time period to one hour, day, or week by clicking the graph.

If your server has more than one disk, view the status of each disk in turn by clicking the disk usage graph.

Check the status indicator and activity statistics for the listed services. A green indicator means the service is running.

Connect to a different server by moving the mouse to the upper-left corner of the widget and clicking the Info button (i).

RELATED TOPICS

Check server status

Monitor server stats

Lion server fundamentals ► The Server app

Close the Server app connections

For security, you can close the Server app window when you aren’t actively using it to manage users, groups, services, or system information. Leaving a server connection open on an unattended server makes it easier for an unauthorized person to make changes to users, groups, or services.

You can close the Server app connections by doing any of the following:

Close the Server app window.

Choose Manage > Close.

Quit the Server app.


Lion server fundamentals ► The Server app

Reduce the use of administrator accounts

For security, create a user account that isn’t an administrator account, and use that account when you don’t need administrator privileges. Limit the number of people with administrator privileges. If you have enabled the root user and no longer need it, disable it.

1. Create a standard user account in the Users & Groups pane of System Preferences on the server.

2. In the server’s login window, use a standard user account instead of an administrator account.

3. Use your administrator account with any application that requires administrator privileges.

For example, use your administrator name and password with the Server app when you need to manage users, groups, or services.

The new user account also appears in the Users pane of the Server app, and it can be used to access services provided by your server from a user’s computer on the network.

Lion server fundamentals ► The Server app

If users can’t access a service via the Internet

If users can access a service on the local network but not via the Internet, try these solutions.

If you have an Internet router, you may need to configure port forwarding (also known as port mapping) on it.

For more information, see Router port mapping.

If your server is managing an AirPort device, select it in the Server sidebar and make sure the desired service is listed under Public Services.

For more information, see Manage AirPort port mapping and Wi-Fi login.

Make sure your server’s Internet host name is registered on the Internet, and check the DNS server configuration on the user’s computer.

For more information, see Register the server’s Internet host name, and search Mac Help for “Test your DNS server.”

Lion server fundamentals ► Server Admin ► Server Admin UI Reference

Server Admin main window description

The Server Admin interface is shown here, with each element explained in the table.


Server list

This shows servers, groups, smart groups, and if needed, administered services for each server.

You select a group to view a status summary for grouped computers. You select a computer for its overview and server settings. You select a server’s service to control and configure the service.

Toolbar

This shows available context buttons for configuration panes. If a button is grayed out or can’t be clicked, you do not have administrative permissions to access it.

Main work area

This shows status and configuration options. This looks different for each service and for each context button selected.

All servers

This shows computers added to Server Admin, regardless of status.

Available servers

This lists the local-network scanner, which you can use to discover servers to add to your server list.

Server

This shows the hostname of the managed server. Select to show a summary that includes hardware, operating system, active service, and system status.

Service

This shows an administered service for a server. Select to get service status, logs, and configuration options. Green indicates a running service.


Group

This shows an administrator-created group of servers. Select to view a status summary for grouped computers. For more information, see Add a server group.

Smart group

This shows an automatic group, populated with servers that meet predetermined criteria. For more information, see Add a smart group.

Add button

This shows a pop-up menu of items to add to the Server list: servers, groups, and smart groups.

Action button

This shows a pop-up menu of actions possible for a selected service or server, including disconnect server, share the server’s screen, and so forth.

Refresh button

This allows you to send a status request to computers in the Server list.

Service start/stop button

When a service is selected, this button allows you to start or stop the service, as relevant.

Lion server fundamentals ► Server Admin ► Server Admin UI Reference

Server Admin consolidated server view

The Server Admin interface is shown here, with each element explained in the table.


Server list

This shows servers, groups, smart groups, and if needed, the administered services for each server.

You select a group to view a status summary for grouped computers. You select a computer for its overview and server settings. You select a server’s service to control and configure the service.

Status list

This shows available information that includes:

Host name

OS version

CPU load

Network throughput

Approximate disk usage

Uptime

Number of connected file sharing users

All servers

This shows computers added to Server Admin, regardless of status.

Available servers

This lists the local-network scanner, which you can use to discover servers to add to your server list.

Server

This shows the hostname of the managed server. Select to show a summary that includes hardware, operating system, active service, and system status.

Service

This shows an administered service for a server. Select to get service status, logs, and configuration options. Green indicates a running service.


Group

This shows an administrator-created group of servers. Select to view a status summary for grouped computers. For more information, see Add a server group.

Smart group

This shows an automatic group, populated with servers that meet predetermined criteria. For more information, see Add a smart group.

Add button

This shows a pop-up menu of items to add to the Server list: servers, groups, and smart groups.

Action button

This shows a pop-up menu of actions possible for a selected service or server, including disconnect server, share the server’s screen, and so forth.

Refresh button

This allows you to send a status request to computers in the Server list.

Lion server fundamentals ► Server Admin ► Server Admin UI Reference

Server Admin preference pane

This pane provides a list of Server Admin application preferences, which are explained in the following table.

Preference                                           Default  Description
Require valid digital signature (SSL)                         This ensures that the server uses a valid SSL certificate for encryption.
Try to resolve IP addresses to DNS names             On       This performs a DNS lookup for IP addresses.
Use computer name in list                                     This uses the Mac OS computer name instead of the host name.
Expand new server in list on login                   On       This shows all services enabled for administration in the server list.
Show icons in file browser                                    In the Sharing pane, this shows the icon and the file name.
Show system accounts in users and groups browser              This shows users and groups that are hidden because they belong to operating system processes.
Don't warn if a service port is blocked by firewall  On       This skips a check on the IP firewall when saving service port number preferences.
Alert user on server errors                          On       This provides additional information for basic server errors.
Auto-refresh status every ___ seconds                60       This sets the poll frequency for status updates.
List a maximum of ___ users or groups                100      This limits the number of users or groups shown in the user and group drawer.

Server settings reference

The Settings pane of Server Admin has configuration options for a server. The settings include additional services, network settings, time services, and administration options.

After selecting the server, select the Settings pane for the following sections:

General: Additional services for remote contact and monitoring. Services include NTP, SNMP, SSH, and Remote Desktop management. Each of these opens a remote path into the server, so enable only the ones you use.

Network: Server names and a network interface list.

Date and Time: Time zone and automatic time settings.

Alerts: Options for which conditions trigger an email to an administrator.

Services: A list of services that can be shown in Server Admin for administration.

RELATED INFORMATION

Control access to services

Import and export Server Admin preferences

Import and export service settings

Add or remove services in the server view

Get more server instructions

You can find configuration and reference information for the services in Server Admin by visiting the Lion Server resource page.

Add servers and server groups

Add servers to Server Admin to control and configure them, and group them to find and organize them.

Add a server

Add servers to Server Admin to control and configure them.

The servers you can administer using Server Admin appear in the Servers list on the left side of the application window.

Add the server to the Servers list and log in to it in one of two ways:

Click Add (+) in the bottom action bar and choose Add Server.

Choose Server > Add Server from the menu bar.

Add a server group

Server Admin displays computers in groups in the Server List section of the application's window.

The default server group is called All Servers. This is a list of administered computers that you have added and authenticated to. You can create other groups to organize the computers on your network.

You can make more specific, targeted groups of servers from your All Servers list. First, create blank lists and then add servers from the All Servers list.

You can do the following with server groups:

Create as many groups as you want

Add servers to more than one list

Group lists according to geographic region, functionality, hardware configuration, and even color

You can click a group name to see a status overview of servers in the group.

1. Under the Server list at the bottom of the Server Admin window, click Add (+).

2. Select Add Group and name the group.

To rename a group, click it and let the mouse hover over the name for a few seconds. When the name becomes editable, rename the group.

3. Drag the servers from the All Servers group to the new group.

RELATED INFORMATION

Smart group criteria

Add a smart group

You can create a server list that populates based on custom criteria. This is referred to as a smart group. Server Admin displays computers in groups in the Server List section of the application's window. The default server list is called the All Servers list. This is a list of administered computers that you have added and authenticated to.

You can match the following criteria:

Visible services

Running services

Network throughput

CPU utilization

IP address

OS version

1. Under the Server list at the bottom of the Server Admin window, click Add (+).

2. Select Add Smart Group.

3. Name the smart group.

4. Define the criteria for servers to appear in the list and click OK.

The group appears in the Server list.

RELATED INFORMATION

Smart group criteria

Remove servers, server groups, and smart groups

You can remove a server, server group, or smart group from the Servers list.

If a server in the Servers list appears gray, double-click the server or click the Connect button in the toolbar to log in again. To enable auto-reconnect the next time you open Server Admin, select "Remember this password in my keychain" while you log in. The administrator credential is then stored in your login keychain on the administrator computer, so it is only as protected as that keychain and the account that unlocks it.

1. Select the item to remove.

2. If it's a server, disconnect from the server:

Click the Perform Action button in the bottom action bar and choose Disconnect.

Choose Server > Disconnect from the menu bar.

3. Remove the item you've selected:

If it's a server, click the Perform Action button in the bottom action bar and choose Remove Server, or choose Server > Remove Server from the menu bar.

If it's a group or smart group, click the Perform Action button in the bottom action bar and choose Remove Group, or press Delete on the keyboard.

RELATED INFORMATION

Smart group criteria

Edit a server group

After you make a server group, you can add, remove, or reorder servers in the group.

To rename a group, use the normal Mac file renaming method:

1. Click the group and let the mouse hover over the name for a few seconds.

2. When the name becomes editable, rename the group.

To add servers to the group, drag them from the All Servers group to the new group.

To remove servers from the group, select the servers and press Delete.

To rearrange servers in a group, drag a server to a new place in the list.

RELATED INFORMATION

Smart group criteria

Edit a smart group

After making a smart group, you can change its name and filter criteria.

You can match the following criteria:

Visible services

Running services

Network throughput

CPU utilization

IP address

OS version

1. Double-click the smart group to edit.

2. Rename the smart group, if needed.

3. Edit the criteria that determine which servers appear in the list and click OK.

The group appears in the Server list.

RELATED INFORMATION

Smart group criteria

Smart group criteria

After you create a smart group, a server added to the All Servers list (or other specified list) that matches the criteria is added to the smart group.

You can match the following criteria:

Visible services

Running services

Network throughput

CPU utilization

IP address

OS version

RELATED INFORMATION

Add servers and server groups

Add a smart group

Remove servers, server groups, and smart groups

Edit a server group

Edit a smart group

Add or remove services in the server view

Before you can set up services using Server Admin, you must add the service to the server view.

By default, no services are shown for your server. As you select services to administer, their configuration panes become accessible in a list underneath your computer name.

When you select services from the list, those services appear underneath the server hostname in the server list.

Services available for administration are:

DHCP

DNS

Firewall

Mail

NAT

NetBoot

Open Directory

Podcast Producer

Push Notify (when administering Snow Leopard Server remotely)

RADIUS

Software Update

Xgrid

1. In Server Admin, select a server.

2. Click the Settings button in the toolbar and then click the Services tab.

3. To add a service, select the checkbox for the service.

4. To remove a service, deselect the checkbox for the service.

RELATED INFORMATION

Server settings reference

Server Admin available services

Control access to services

You can use Server Admin to configure which users and groups can use services hosted by a server.

You set up access to services for users and groups using service access control lists (SACLs). You can set up the same access for all services, or you can select a service and customize its access settings.

Access controls are simple. Choose between allowing all users and groups to use a service or allowing only selected users and groups to use it. You can specify access controls for individual services separately, or you can define one set of controls that applies to all services hosted by the server. A SACL restricts which authenticated users may use a service; it is a second gate after authentication, not a replacement for it.

You can also control user access to several services using the Server app. For example, only the Server app can control user access to the Podcast and Time Machine services. For information, see Control a user's access to services.

1. Select a server in the Servers list.

2. Click Settings, then click Access.

3. Click Services.

4. Choose a service and then choose whether to allow everyone access to it or only specified users and groups.

5. If you have chosen to specify users, add the users and groups as needed.

RELATED INFORMATION

Server settings reference

Import and export Server Admin preferences

To copy Server Admin preferences from one server to another, or to save them in a plist file for reuse later, use the Export Server Admin Preferences command in Server Admin. Use Import Server Admin Preferences to apply them.

Import Server Admin preferences

1. Select the target server to receive the settings.

2. From the menu bar, choose Server > Import > Server Admin Preferences.

3. Find and select the saved preferences file.

The only file you can use with this function is a properly formatted XML-based plist file, generated from the preferences export.

4. Click Open.

Export Server Admin preferences

1. Select the server.

2. From the menu bar, choose Server > Export > Server Admin Preferences.

3. Select the services whose settings you want to copy.

4. Click Save.

The file that is created contains the preferences as a plist XML document.

RELATED INFORMATION

Server settings reference

Import and export service settings

The Settings pane of Server Admin has configuration options for a server. The settings include additional services, network settings, time services, and administration options. You can move these settings between servers and administrator computers by exporting them to a plist file and importing that file.

Import service settings

To apply service settings saved from another server, use the Import Service Settings command in Server Admin.

1. Select the target server to receive the settings.

2. From the menu bar, choose Server > Import > Service Settings.

3. Find and select the saved service settings file.

The only file you can use with this function is a properly formatted XML-based plist file, generated from the settings export. Review the file before importing it: it is applied to the selected server as-is, and a file exported from another server carries that server's host names, addresses, and other server-specific values.

4. Click Open.

Export service settings

To copy service settings from one server to another, or to save service settings in a plist file for reuse later, use the Export Service Settings command in Server Admin.

1. Select the server.

2. From the menu bar, choose Server > Export > Service Settings.

3. Select the services whose settings you want to copy.

4. Click Save.

The file that is created contains service configuration information as a plist XML document.
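Before importing an exported file, a check like the following is worth running. It is an added example, written for this page and not part of Apple's documentation or of Server Admin, and it serves both export procedures on this page (Server Admin preferences and service settings) because both produce the same XML plist form. It verifies that the file is the XML plist the import requires (a binary plist starts with "bplist" and is rejected), warns when the file is readable by other users, and lists keys whose names suggest a credential so you can review them before the file travels to another administrator computer. The "password/secret/passphrase" heuristic and the key names in the constructed sample are assumptions, not Apple's schema.

```shell
#!/bin/sh
# Added example, not Apple's code: pre-import checks for a plist exported by
# Server Admin (Server > Export > Service Settings or > Server Admin Preferences).
# Assumptions (not from the documentation): an XML plist starts with "<?xml",
# a binary plist starts with "bplist", and keys whose names contain
# "password", "secret" or "passphrase" may hold credentials. The key names in
# the constructed sample at the bottom are illustrative, not Apple's schema.

# Print the names of keys in $1 that look like credentials, one per line.
credential_keys() {
    grep -o '<key>[^<]*</key>' "$1" \
        | sed -e 's/^<key>//' -e 's#</key>$##' \
        | grep -i -E 'password|secret|passphrase' || true
}

# Return 0 if $1 is an XML plist the import command can use, 1 otherwise.
# Prints warnings (without failing) about loose permissions and credential keys.
check_export() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "ERROR: cannot read $f"; return 1
    fi
    if ! head -c 5 "$f" | grep -q '<?xml'; then
        echo "ERROR: $f is not an XML plist (binary plists begin with bplist)"
        return 1
    fi
    if ! grep -q '<plist' "$f" || ! grep -q '</plist>' "$f"; then
        echo "ERROR: $f has no complete <plist> element"; return 1
    fi
    # Mode bits 040 or 004 mean the group or everyone else can read the file.
    if [ -n "$(find "$f" \( -perm -0040 -o -perm -0004 \) 2>/dev/null)" ]; then
        echo "WARNING: $f is readable by other users; consider chmod 600"
    fi
    keys=$(credential_keys "$f")
    if [ -n "$keys" ]; then
        echo "WARNING: review these credential-looking keys before copying the file:"
        echo "$keys" | sed 's/^/  /'
    fi
    return 0
}

# Demonstration on a constructed sample (not a real Server Admin export).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>serviceName</key><string>mail</string>
  <key>relayHost</key><string>smtp.example.com</string>
  <key>relayPassword</key><string>hunter2</string>
  <key>sharedSecret</key><string>changeme</string>
</dict>
</plist>
EOF
if check_export "$sample"; then
    echo "$sample looks importable"
fi
rm -f "$sample"
```

Run it as `check_export /path/to/export.plist` before Server > Import. The check reads the file as text on purpose: it never loads the plist into anything that could act on it, so it is safe to run on a file you don't yet trust.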

RELATED INFORMATION

Server settings reference

About the command-line environment of Lion Server

A command-line interface (CLI) is an alternative to graphical applications for interacting with and controlling your computer.

Lion Server provides graphical applications, primarily the Server app and Server Admin, to address common administration tasks. However, there are situations where using the CLI might be appropriate. These situations include:

Configuring advanced options that aren't supported by graphical applications

Configuring remotely from a computer that doesn't have the Server app or Server Admin installed, for example, a computer with Windows, Linux, or another UNIX-based operating system

Performing tasks that are repetitive or that must be run at predefined times

Editing text files, usually to change advanced configuration settings and preferences

The primary way to access the CLI in Mac OS X is with the Terminal application. Other ways to access the CLI are discussed in related topics. Each window in Terminal contains an execution context, called a shell, which is separate from all other execution contexts.

The shell is an interactive programming language interpreter, with a specialized syntax for executing commands and writing structured programs (shell scripts). Different shells have slightly different capabilities and programming syntax. Although you can use any shell, the examples in this book use bash, the startup shell for Mac OS X and the default user shell.

UNIX

Mac OS X and Mac OS X Server are built on the foundation of the UNIX operating system. UNIX-based operating systems include BSD, GNU/Linux, AIX, and Solaris. The shared heritage of these operating systems means that many programs are compatible across this larger family, with minimal changes.

The unique underpinnings of each brand of UNIX are what distinguish them from each other. To support programs and utilities that work across multiple flavors of UNIX, some specifications are set by standards bodies. One such specification is The Open Group's Single UNIX Specification. Mac OS X v10.5 and later conform to version 3 of this specification, which implies conformance to the SUSv3 and POSIX 1003.1 specifications for the C API, shell utilities, and threads. Code that complies with the UNIX 03 specification works on Mac OS X Server and on other compliant systems.

For more information about the Single UNIX Specification v3, see www.unix.org/version3/.

The shell

In UNIX-based operating systems, the shell is the fundamental user interface. The shell is an environment that presents a text prompt to the user and accepts keyboard input from the user.

In Mac OS X, the shell is easily accessed through Terminal, but there are other options. The shell can be invoked interactively, or by a text file with commands to the shell given in a standard format. There are several shells available in Mac OS X, each with its own strengths and capabilities. Shells in Mac OS X include bash, csh, ksh, sh, tcsh, and zsh.

For information about these shells, see their man pages.

RELATED INFORMATION

Use the command line to access remote computers

Access the shell with the Terminal app

To open Terminal, click the Terminal icon in the Dock or in the Utilities folder in Launchpad.

Each window in Terminal represents another instance of a shell process. Terminal presents a prompt when it's ready to accept a command. The prompt you see depends on your Terminal and shell preferences, but it often includes the name of the host you're logged in to, your current working folder, your user name, and a prompt symbol. For example, if a user named mariah is using the default bash shell, the prompt appears as:

    server1:~ mariah$

This indicates that she is logged in to a computer named server1 as the user named mariah, and her current folder is her home folder, indicated by the tilde (~).

Close the shell

To quit a shell session, enter the command exit.

This ensures that commands the shell is actively running are closed. If anything's still in progress, the shell warns you.

Execute commands and run tools

To execute a command in the shell, enter the complete pathname of the tool's executable file, followed by arguments, and then press Return.

If a command is located in one of the shell's known folders, you can omit path information and enter the command name. The list of known folders is stored in the shell's PATH environment variable and includes the folders containing most command-line tools.

For example, to run the ls command in the current user's home folder, enter the following at the command line and press Return:

    host:~ mariah$ ls

The shell looks through the list of folders in the PATH variable until it finds a program named ls; in this case, it finds ls in /bin, and runs /bin/ls.

To run a command in the current user's home folder, precede it with the folder specifier. For example, to run MyCommandLineProg, use the following:

    host:~ mariah$ ~/MyCommandLineProg

To open an application, use the open command:

    open -a MyProg.app

When entering commands, if you get the message command not found, check your spelling. Here's an example:

    server:/ mariah$ opne -a TextEdit.app
    -bash: opne: command not found

If this error recurs, the command you're trying to run might not be in your default search path.

Add the path before the command name:

    server:/ mariah$ sudo /System/Library/ServerSetup/serversetup -getHostname
    server.example.com

or change your working folder to the folder that contains the tool:

    server:/ mariah$ cd /System/Library/ServerSetup
    server:/System/Library/ServerSetup mariah$ sudo ./serversetup -getHostname
    server.example.com

or define the path for this session and then run the command:

    server:/ mariah$ PATH="$PATH:/System/Library/ServerSetup"
    server:/ mariah$ sudo serversetup -getHostname
    server.example.com

Note that the new folder is appended to PATH rather than prepended. Folders placed in front of the system folders are searched first, so a program of the same name there would run instead of the system tool; add only folders you control, and never the current folder (".").

Terminate commands

To terminate the current command, press Control-C.

This keyboard shortcut sends an interrupt signal (SIGINT) to the command. In most cases this causes the command to terminate, although commands can install signal handlers to trap this signal and respond differently.
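The session-wide PATH change shown under Execute commands and run tools above appends /System/Library/ServerSetup after the system folders. The following added example (written for this page, not taken from the Apple documentation) audits a candidate PATH before you commit to it, flagging the entries that let another local user substitute a command of their own: empty or relative entries, which are resolved against the current folder, and world-writable folders. The missing-folder check is a convenience; the other three are the security checks. It assumes only a POSIX sh with find(1).

```shell
#!/bin/sh
# Added example, not Apple's code: audit the folders in a PATH string before
# exporting it. Prints one "reason: entry" line per problem; returns 0 when the
# PATH is clean and 1 otherwise.
check_path() {
    rest="$1:"          # trailing ":" so the loop also sees a final empty entry
    problems=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ":"
        rest=${rest#*:}     # everything after it
        if [ -z "$entry" ] || [ "$entry" = "." ]; then
            # An empty or "." entry makes the shell search the current folder,
            # so a file named ls in any folder you cd into would be run.
            echo "current folder in PATH: '$entry'"
            problems=$((problems + 1))
        elif [ "${entry#/}" = "$entry" ]; then
            # A relative entry is also resolved against the current folder.
            echo "relative entry: $entry"
            problems=$((problems + 1))
        elif [ ! -d "$entry" ]; then
            echo "missing folder: $entry"
            problems=$((problems + 1))
        elif [ -n "$(find -L "$entry" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            # Anyone on the system can drop a program into a world-writable
            # folder; if that folder precedes /bin, their ls replaces /bin/ls.
            # -L follows a symlinked folder so the folder's own mode is tested.
            echo "world-writable folder: $entry"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Demonstration on constructed PATH strings: a clean base PATH, then one with
# the two classic mistakes (an empty entry and world-writable /tmp).
if check_path "/usr/bin:/bin:/usr/sbin:/sbin"; then
    echo "base PATH is clean"
fi
check_path "/usr/bin:/bin::/tmp" || echo "rejected: fix the entries above"
```

A practical pattern is to build the candidate in a variable, run `check_path "$candidate"`, and assign it to PATH only when the check passes; an entry that exists and is private to root or to you is what the documentation's `$PATH:/System/Library/ServerSetup` relies on.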

Specify files and folders

Most commands operate on files and folders, whose locations are identified by paths. The folder names that make up a path are separated by slashes. For example, the path to the Terminal application is /Applications/Utilities/Terminal.app.

Standard shortcuts used to represent specific folders are shown in the following table. They are specified relative to the current folder, and can eliminate the need to enter full paths.

Shortcut: Description

. : A single period represents the current folder. For example, the string "./Test.c" represents the Test.c file in the current folder.

.. : Two periods represent the parent folder of the current folder. For example, the string "../Test" represents a sibling folder (named Test) of the current folder.

~[username] : The tilde character represents the home folder of the logged-in user. For example, to specify the Documents folder of the current user, you would specify ~/Documents.

To specify another user's Documents folder, use their short name preceded by the tilde (~) character, for example, ~jsmith/Documents.

In Mac OS X, this folder is in the local /Users folder or on a network server.

For a list of short names on your system, enter dscl . -list /Users. Most of these users aren't traditional user accounts with home directories, but you should be able to find the short names of known users on the computer.

File and folder names can include letters, numbers, a period, or the underscore character. Avoid most other characters, including space characters. Although some Mac OS X file systems permit the use of these other characters, including spaces, you might need to add single or double quotation marks around pathnames that contain them.

For individual characters, you can also "escape" the character, that is, put a backslash character immediately before the character in your string. For example, the pathname My Disk is written "My Disk" or My\ Disk.

Commands requiring root or administrator privileges

Many commands used to manage a server must be executed by an administrator user or the root user.

For example, entering

    server:~ mariah$ shutdown -r now

gives you the following error:

    shutdown: NOT super-user

This is because the shutdown command can be run only by the root user or by an administrative user with special privileges. To run commands with root privileges, use the sudo command. sudo stands for "super user do."

The following example works, so don't run it unless you want to restart your computer:

    server:~ mariah$ sudo shutdown -r now

You'll be prompted for the password of the current user.

Only users designated as admin users can execute commands with sudo. If you're logged in as a user who isn't an admin user, you can substitute users by entering su adminUsername, where adminUsername is the name of a user in the Admin group. After you enter that user's password, a new shell is launched from the existing shell, as that user.

If a command requires it, you can use su to log in as the root user. Under normal circumstances you don't need to use the root user account. Prefer sudo for individual commands: each one is logged under the name of the admin user who ran it, which a root shell obtained with su does not give you.

If you su to the root user, be especially careful, because you have sufficient privileges to make changes that can cause your server to stop working.

For more information about the sudo and su commands, see their man pages.

Get help for command-line tools

Most command-line documentation comes in the form of man (short for manual) pages.

Man pages provide reference information for shell commands, tools, and high-level concepts.

To access a man page entry, enter

    $ man command

Replace command with the name of the command you want to find information about. The man page contains details about the command, its options and parameters, and proper use.

For help using the man command itself, enter

    $ man man

You can press the Space bar to go to the next page, the B key to go back a page, or the Return key to scroll forward one line at a time. Press the Q key to exit the man page.

You can search the contents of a man page by pressing the "/" key followed by the word you're looking for. If multiple instances are found, press N to go to the next instance and Shift-N to go back to the previous one.

If you don't know the name of a man page, you can search the topics by entering

    $ man -k topic

Replace topic with a word that would be contained in the description of the man page you might be looking for.

For example:

    $ man -k "directory service"

returns references to the dscacheutil, dscl, and whois man pages.

You can also find links to related man pages at the bottom of a man page in the See Also section.

If the Xcode tools are installed, you can view man pages in Xcode by choosing "Open man page..." from the Help menu.

There are also several third-party graphical Mac OS X applications available for viewing man pages. You can find one by choosing Mac OS X Software from the Apple menu and then searching for "man page."

Use the command line to access remote computers

You can run command-line tools on remote computers.

There are three methods for connecting to the command-line environment of a remote computer:

SSH

Apple Remote Desktop (ARD)

X11

RELATED INFORMATION

SSH (Secure Shell)

Apple Remote Desktop

X11

Make your Mac a server

If your Mac isn't a server, you can make it one by installing Lion Server.

Before following the steps below to make your Mac a server:

Make sure your Mac has Mac OS X Lion installed. If your Mac has Mac OS X Snow Leopard, you can upgrade it to Lion. For information, see www.apple.com.

Check Lion Server requirements

Check your DHCP server’s configuration

Register an Internet host name

Consider disk preparation options

1. On the Mac you want to make a server, open the Mac App Store, and get Mac OS X Lion Server.

The Server app is installed and opens automatically.

2. Click Configure in the Welcome to Server window, and then follow the onscreen instructions to begin installing and setting up Lion Server software.

After you enter the name and password of an administrator account on your Mac, the Server app downloads additional Lion Server software, installs it, and configures your Mac as a server.

RELATED TOPIC

After setting up Lion Server

Types of installation

There are three ways to install Lion Server.

Install Server components on Lion

This method works after Lion is installed over a client version of Snow Leopard.

If you need Lion Server-compatible versions of the advanced administration tools, you can download them from AppleCare support.

Install Lion Server over Snow Leopard Server

If you have an existing Snow Leopard Server installation, you can purchase and install Lion from the Mac App Store. The Mac App Store allows you to install both Lion and the Server components as a single unit.

After Lion Server is installed over Snow Leopard Server, the Snow Leopard Server advanced administration tools (Server Admin, Workgroup Manager, and others) are deleted. If you need Lion Server-compatible versions of the advanced administration tools, download them from AppleCare support.

Clean installation

This method begins with starting a Lion Server installation. Instead of choosing a disk partition with an existing operating system on it, you install Lion Server on a blank disk partition. You get a clean install of Lion Server and you can configure the server from scratch.

Set up a server remotely

If you have a new server or a computer with Lion Server newly installed, you can set it up over the network by using the Server app on an administrator computer. The server you're setting up doesn't need a display.

1. Prepare your DHCP server for the new server, and if you have a DNS server, prepare it also.

If you have an Internet router, it's probably your DHCP server. Your DNS server may be administered by your Internet service provider or a DNS hosting service, or it may be another server on your intranet. For more information, see DHCP server configuration for your server and Register the server's Internet host name.

2. Make sure the new server has an active connection to the same network as the administrator computer you're using.

3. If the server is off, turn it on.

When the server starts up, the server setup assistant opens and waits for setup to begin.

4. On your administrator computer, open the Server app, choose Manage > Connect to Server, select the new server in the "Choose a Mac" dialog, and click Continue.

The new server may be listed with a name generated from the computer model and the Ethernet hardware address (the MACaddress), or with a name from your DNS server.

If the server you want to set up is listed in the Server app sidebar, you can begin setup by selecting it and clicking Set Up This Mac.

5. Enter the new server's complete hardware serial number.

You can find the serial number on the case of the product, on the original product packaging, and on the original product receipt or invoice. For more information about finding the serial number, see the Apple Support article at support.apple.com/kb/HT1349.

Match the capitalization of the serial number when you type it. The serial number is what the waiting server accepts as proof that you are entitled to set it up, so don't leave an unconfigured server waiting for setup on a network you don't trust.

6. Click Continue, and proceed through the server setup assistant panes.

After server setup is complete, you can take additional steps to enhance the security, accessibility, and overall usefulness of your new server. For information, see After setting up Lion Server.

RELATED TOPIC

Prepare an administrator computer

About AutoServerSetup.plist

Automatic server setup is not supported in Lion Server.

WARNING: Your existing AutoServerSetup.plist may continue to function normally, or it may cause unintentional configuration.

If you perform a clean installation, Server Assistant finds and tries to apply the settings in the plist file.

If you perform a clean installation and run the Server Assistant locally, a file at /System/Library/ServerSetup/AutoServerSetup.plist contains the setup data for the server. This file can be reused only with other clean installations of Lion Server. Because it holds the setup data you entered, treat it as sensitive and remove any copy you don't intend to reuse.

WARNING: This method of server configuration is not supported, and may not function as intended.

Ports used for administration

For Apple's administration applications to function, specific ports must be reachable on the server from the administrator computer. In addition, other ports must be reachable for each service you want to run on your server.

Port number and type: Tool used

22 TCP: SSH command-line shell

311 TCP: Server Admin (with SSL)

625 TCP: Workgroup Manager

389, 636 TCP: Directory (LDAP, and LDAP over SSL)

4111 TCP: Xgrid Admin

Ports open by default

After manual setup, the firewall is off by default, and therefore all ports are open: every service listening on the server is reachable from any address that can route to it.

When the firewall is on, all ports are blocked except the following, which stay open for all originating IP addresses:

Port number and type: Service

22 TCP: SSH command-line shell

311 TCP: Server Admin (with SSL)

626 UDP: Serial number support

625 TCP: Remote Directory Access

ICMP: Incoming and outgoing standard ping

53 UDP: Host name resolution
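One way to confirm the table above from the outside, as an added example that is not part of Apple's documentation: scan the server from another host with nmap and compare what it reports open against the documented list. The scan record embedded below is a constructed line in nmap's grepable (-oG) output format, not a real scan, and the parser relies only on that format's port/state/protocol fields. The allowed list is taken from the table; extend it with the administration ports and with the services you deliberately enable. Anything else reported open while the firewall is on needs an explanation.

```shell
#!/bin/sh
# Added example, not Apple's code: compare the ports a scanner reports open on
# a Lion Server against the ports the documentation says remain open when the
# firewall is on. Input is nmap grepable output (nmap -oG FILE ... run from
# another host); the record at the bottom is constructed to match that format.

# Ports documented as open by default with the firewall on (port/protocol).
# Extend this list with the administration ports and the services you enable.
DEFAULT_OPEN="22/tcp 311/tcp 626/udp 625/tcp 53/udp"

# Print "port/proto" for each open port in the -oG file $1, one per line.
# nmap writes the list as a tab-separated field "Ports: 22/open/tcp//ssh///, ...".
# Only entries whose state is exactly "open" are taken, so UDP "open|filtered"
# results are left for manual follow-up rather than silently accepted.
open_ports() {
    awk -F "$(printf '\t')" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    n = split(substr($i, 8), items, ", ")
                    for (j = 1; j <= n; j++) {
                        split(items[j], f, "/")
                        if (f[2] == "open") print f[1] "/" f[3]
                    }
                }
            }
        }' "$1"
}

# Print open ports in file $2 that are not in the allowed list $1.
# Returns 0 when every open port is allowed, 1 when something unexpected is open.
unexpected_ports() {
    allowed=$1
    found=0
    for p in $(open_ports "$2"); do
        case " $allowed " in
            *" $p "*) ;;
            *) echo "$p"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample scan: the documented ports plus SMB on 445, which the
# firewall should have blocked unless file sharing was deliberately exposed.
scan=$(mktemp)
printf 'Host: 192.0.2.10 (server.example.com)\tStatus: Up\n' > "$scan"
printf 'Host: 192.0.2.10 (server.example.com)\tPorts: 22/open/tcp//ssh///, 311/open/tcp//asip-webadmin///, 445/open/tcp//microsoft-ds///, 625/open/tcp//apple-xsrvr-admin///, 53/open/udp//domain///, 80/closed/tcp//http///\tIgnored State: closed (994)\n' >> "$scan"
if unexpected_ports "$DEFAULT_OPEN" "$scan"; then
    echo "only documented ports are open"
else
    echo "the ports listed above are open but not in the allowed list"
fi
rm -f "$scan"
```

Scan with both TCP and UDP (for example `nmap -sS -sU -oG scan.txt server.example.com` from the administrator computer, which needs root for those scan types) so that the UDP rows of the table are covered as well; then run `unexpected_ports "$DEFAULT_OPEN 389/tcp 636/tcp" scan.txt` with whatever you have enabled appended to the list.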

Lion server fundamentals ► Installation and setup ► Setup

After completing initial setup of Lion Server, you can take steps to enhance the security, accessibility, and usefulness of your newserver.

Enhance the security, accessibility, and usefulness of your new server by following the advice in the Next Steps section of theServer app.

Install available updates to Lion Server by using Software Update.

So users can authenticate for services, do either or both of the following:

Create user accounts on your server.

Connect to a network account server (also called a directory server) in your organization to let people use their existingaccounts.

Turn on and customize services you want to provide, view server information and change it as needed, and track server alerts.

Allow access to services over the Internet by doing either or both of the following:

To make specific services publicly available on the Internet, configure port mapping on your AirPort device or other router.

To let users securely access all services via the Internet without making services publicly available, use VPN service.

Protect the information on your Mac by using a strong administrator password, securing the server when it’s idle, reducing theuse of administrator accounts, and logging out when you finish using an administrator account. For instructions, search MacHelp for “Protect the information on your Mac.”

Lion server fundamentals ► Planning and best practices ► Planning server usage

Installation planning is especially important if you’re integrating Lion Server into an existing network or preparing to set up multiple servers. But even single-server environments can benefit from a brief assessment of the needs you want a server to address.

The major goals of the planning phase are to make sure that:

Server user and administrator needs are addressed by the servers you deploy

Server and service prerequisites that affect installation and initial setup are identified

Use these topics to stimulate your thinking. They don't present a rigorous planning guide, nor do they provide the details you need to determine whether to implement a service and assess its resource requirements. Instead, view these topics as an opportunity to think about how to maximize the benefits of Lion Server in your environment.

Planning, like design, isn’t a linear process. The topics don't require you to follow a mandatory sequence. Different topics present suggestions that could be implemented simultaneously or iteratively.

RELATED TOPICS


Setting up a planning team

Identifying servers to set up

Understanding physical infrastructure requirements

Determining services to host on each server

Ensuring proper operational conditions

Minimize the need to relocate servers after setup

About load balancing

Lion server fundamentals ► Planning and best practices ► Eliminating single points of failure

To improve the availability of your server, reduce or eliminate single points of failure. A single point of failure is any component in your server environment that, if it fails, causes your server to fail.

Some single points of failure include:

Computer system

Hard disk

Power supply

Although it is almost impossible to eliminate all single points of failure, minimize them as much as possible. For example, using a backup computer and a file storage pool for Lion Server eliminates the computer as a single point of failure.

The master and backup computers can fail at the same time or one after the other, but the likelihood of both failing before the first is repaired is small.

Another way to reduce the chance that a computer fails is to use a backup power source and take advantage of hardware RAID to mirror the hard disk. With hardware RAID, if the main disk fails, the system can still access the same data on the mirror drive, as is the case with Xserve.

Lion server fundamentals ► Planning and best practices ► Minimize the need to relocate servers after setup

Before setting up a server, try to place it in its final network location (IP subnet).

If you’re concerned about preventing unauthorized or premature access during setup, set up a firewall to protect the server while finalizing its configuration.

If you can’t avoid moving a server after initial setup, you must change settings that are sensitive to network location before you can use the server. For example, the server’s IP address and host name, stored in directories and configuration files on the server, must be updated.

Minimize the time the server is in its temporary location so the amount of information to change is limited.

Postpone configuring services that depend on network settings until the server is in its final location.

Such services include Open Directory replication, Apache settings (such as virtual domains), DHCP, and other network infrastructure settings that other computers depend on.

Wait to import final user accounts.

Limit accounts to test accounts so you minimize the user-specific network information (such as home folder location) that you must change after the move.

After you move the server, you can change its IP address in the Network pane of System Preferences (or use the networksetup tool).

You probably will need to manually adjust service and system settings. For more information on how to do this, see Understanding changes to the server IP address or network identity.

Reconfigure the search policy of computers (such as user computers and DHCP servers) that are configured to use the server in its original location.


Lion server fundamentals ► Planning and best practices ► About load balancing

One factor that can cause services to become unavailable is server overload. A server has limited resources and can service a limited number of requests simultaneously. If the server gets overloaded, it slows down and can eventually crash.

One way to overcome this problem is to distribute the load among a group of servers (a server farm) using a third-party load-balancing device. Clients send requests to the device, which then forwards the request to the first available server based on a predefined algorithm. The clients see only a single virtual address, that of the load-balancing device.

Many load-balancing devices also function as switches, providing two functions in one, which reduces the amount of hardware you need to use.

Note: A load-balancing device must be able to handle the aggregate (combined) traffic of the servers connected to it. Otherwise, the device becomes a bottleneck, which reduces the availability of your servers. Not all services are conducive to load balancing, even with a third-party product. For those that are, you may need shared storage for load balancing to be effective.

Load balancing provides several advantages:

High availability: Distributing the load among multiple servers helps you reduce the chances that a server will fail due to server overload.

Fault tolerance: If a server fails, traffic is transparently redirected to other servers. There might be a brief disruption of service if, for example, a server fails while a user is downloading a file from shared storage, but the user can reconnect and restart the file download process.

Scalability: If demand for your services increases, you can transparently add more servers to your farm to keep up with demand.

Better performance: By sending requests to the least-busy servers, you can respond faster to user requests.

Lion server fundamentals ► Planning and best practices

Server administrators must make sure that adequate security measures are implemented to protect a server from attacks. A compromised server risks the resources and data on the server and risks the resources and data on other connected systems. The compromised system can then be used as a base to launch attacks on other systems inside or outside your network.

Security best practices

Securing servers requires weighing the cost of implementing a security measure against the likelihood of a successful attack and the impact of that attack. It is not possible to eliminate all security risks, but it is possible to minimize them and to deal efficiently with those that remain.

Best practices for server system administration include the following:

Update your systems with critical security patches and updates.

Check for updates regularly.

Install antivirus tools, use them regularly, and update virus definition files and software regularly.

Although viruses are less prevalent on the Mac platform than on Windows, viruses still pose a risk.

Restrict physical access to the server.

Because local access generally allows an intruder to bypass most system security, secure the server room, server racks, and network junctures. Use security locks. Locking your systems is a prudent thing to do.

Make sure there is adequate protection from physical damage to servers and ensure that the climate control functions in the server room.

Take additional precautions to secure servers.

For example, enable firmware passwords, encrypt passwords where possible, and secure backup media.

Secure logical access to the server.

For example, remove or disable unnecessary accounts. Accounts for outside parties should be disabled when not in use.

Configure SACLs as needed.

Use SACLs to specify who can access services.


Configure ACLs as needed.

Use ACLs to control who can access share points and their contents.

Protect any account with root or system administrator privileges by following recommended password practices using strong passwords.

Do not use administrator (UNIX “admin” group) accounts for daily use.

Restrict the use of administration privileges by keeping the admin login and password separate from daily use.

Back up critical data on the system regularly, with a copy stored at a secure off-site location.

Backup media is of little use in recovery if it is destroyed with the computer during a fire. Test your backup and recoverycontingency plans to ensure that recovery actually works.

Review system audit logs regularly and investigate unusual traffic.

Disable services that are not required on your system.

A vulnerability that occurs in any service on your system can compromise the entire system. In some cases, the default configuration (out of the box) of a system leads to exploitable vulnerabilities in services that were enabled implicitly.

Turning on a service opens a port through which users, and attackers, can reach your system. Enabling Firewall service helps prevent unauthorized access, but a port left open for a service that nobody actually uses is still an exposure an attacker can probe and exploit.

Enable firewall service on servers, especially at the network frontier and DMZ.

Your server’s firewall is the first line of defense against unauthorized access. Consider also a third-party hardware firewall as an additional line of defense if your server is highly prone to attack.

If needed, install a local firewall on critical or sensitive servers.

Implementing a local firewall protects the system from an attack that might originate in the organization’s network or from the Internet.

For additional protection, implement a local Virtual Private Network (VPN) that provides a secure encrypted tunnel for communication between a client computer and your server application. Some network devices provide a combination of functions: firewall, intrusion detection, and VPN.

Administer servers remotely.

Manage your servers remotely using applications like Server app, Server Admin, Server Monitor, RAID Admin, and Apple Remote Desktop. Minimizing physical access to the systems reduces the possibility of mischief.

Use secure passwords.

Many applications and services require that you create passwords to authenticate. Mac OS X includes applications that help create complex passwords (using Password Assistant) and securely store your passwords (using Keychain Access).
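As an added example of the "review system audit logs regularly and investigate unusual traffic" item above, the script below, which is not part of Apple's documentation, counts failed sshd logins per source address in system log lines and flags any source that exceeds a threshold. The log lines it contains are constructed in the OpenSSH/PAM style that Lion writes to /var/log/secure.log; the exact wording on a real server can differ, so the match is kept to the "... from <address>" phrase the failure messages share. The addresses, user names and threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from Apple's documentation: find repeated failed sshd
# logins per source address, the kind of unusual traffic the list above says
# to investigate. On a live Lion server feed it /var/log/secure.log.

# Constructed sample log: one address fails five times with three different
# failure messages; a legitimate user fails once and then succeeds.
SAMPLE_LOG='Jan 12 09:01:13 server sshd[2210]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jan 12 09:01:15 server sshd[2210]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jan 12 09:01:18 server sshd[2214]: error: PAM: authentication error for root from 203.0.113.7 via 10.0.1.5
Jan 12 09:01:20 server sshd[2216]: Invalid user test from 203.0.113.7
Jan 12 09:01:24 server sshd[2218]: error: PAM: authentication error for illegal user oracle from 203.0.113.7 via 10.0.1.5
Jan 12 09:05:02 server sshd[2240]: Failed password for alice from 10.0.1.23 port 50112 ssh2
Jan 12 09:05:09 server sshd[2240]: Accepted keyboard-interactive/pam for alice from 10.0.1.23 port 50112 ssh2
Jan 12 09:07:41 server sshd[2251]: Accepted publickey for bob from 10.0.1.40 port 50301 ssh2'

# Count failed sshd logins per source address from log lines on stdin.
# Output: "<count> <address>" per line, highest count first.
failed_logins_by_source() {
    awk '
        /sshd\[/ && (/Failed password/ || /authentication error/ || /Invalid user/) {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i+1)]++; break }   # address follows "from"
        }
        END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# Print sources with at least $1 failures (default 5), reading log lines on
# stdin. Returns 1 when something was flagged, 0 when nothing was.
flag_brute_force() {
    threshold=${1:-5}
    hits=$(failed_logins_by_source | awk -v t="$threshold" '$1 >= t')
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | while read -r count ip; do
        echo "investigate: $count failed sshd logins from $ip"
    done
    return 1
}

# Run against the constructed sample when executed directly as a script.
if [ "${0##*/}" = "sshd_failures.sh" ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_brute_force 5
fi
```

A single failed login from an internal address that then succeeds is normal; five failures for three different accounts from one external address in eleven seconds is a password-guessing attempt and is what the threshold is meant to surface. Run it from a periodic launchd job, or against the log tail after an alert, rather than only when you remember to look.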

Lion server fundamentals ► Server monitoring ► Monitoring server availability

Detecting potential problems allows you to take steps to resolve them before they impact the availability of your servers.

In addition, getting early warning when a problem occurs allows you to take corrective action quickly and minimize disruption to your services.

About monitoring tools

Track server alerts

Monitor server stats

Monitor server status overviews using Server Admin

About Server Monitor

About RAID Admin for server monitoring

About Console for server monitoring

Using disk monitoring tools

Using network monitoring tools


Use server status notification in Server Admin

Other monitoring help topics

Using remote kernel core dumps

About Simple Network Management Protocol (SNMP)

About Logging

About notification and event monitoring daemons

View running daemons

Planning a monitoring policy

Gathering data about your systems is a basic function of good administration. Different types of data-gathering are used for different purposes:

Historical data collection

Historical data is gathered for analysis. This could be used for IT planning, budgeting, and getting a baseline for normal server conditions and operations. What kinds of data do you need for these purposes? How long does it need to be kept? How often does it need to be updated? How far in the past does it need to be collected?

Real-time monitoring

Real-time monitoring is for alerts and detecting problems as they happen. What are you monitoring? How often? Does that data tell you what you need to know? Are some of these real-time collections for historical purposes?

Debugging

Recurring problems can be analyzed and fixed if properly tracked. Even if you don’t control source code, good debugging logs and data can increase the ability of the developer to address your issues. How can you capture what is going wrong? How often? Does that data tell you what you need to know? Are they problems you can fix on your end, or do you need vendor support?

Planning monitoring response

The response to your monitoring is as important as the data collection. In the same way a backup policy is pointless without a restore strategy, a monitoring policy makes little sense without a response policy.

Several factors can be considered for a monitoring response:

What are relevant response methods? In other words, how will the response take place?

What is the time to response? What is an acceptable interval between failure and response?

What are the scaling considerations? Can the response plan work with all expected (and even unexpected) frequencies of failure?

Are there testing monitoring systems in place? How do you know the monitoring policy is catching the data you need, and how do you know the responses are timely and appropriate? Have you tested the monitoring system recently?

Lion server fundamentals ► Server monitoring ► Monitor servers ► Check server status

The Server app shows the overall status of each service.

In the Server sidebar, look for a green status indicator next to each service icon.

A service with a status indicator is turned on and operating normally. A service without an indicator is turned off.

RELATED TOPIC

Start or stop a service

Lion server fundamentals ► Server monitoring ► Monitor servers ► View server information


You can see general information about your server by using the Server app. The server’s Overview pane displays the Mac model name, processor, serial number, storage capacity, memory size, startup disk, system version, and amount of time since the last system restart.

1. In the Server app sidebar, select the server by name, and then click Overview.

2. To see more information about the startup disk and any other disks connected to the server, click the arrow next to the startup disk name.

You’ll see the Storage pane, which highlights the startup disk in the list of available disks.

RELATED TOPIC

Manage server storage

Lion server fundamentals ► Server monitoring ► Monitor servers ► Monitor server stats

Use the Stats pane of the Server app to get a picture of server activity over time. You can find out when the server is likely to be busy, whether it’s operating near capacity, and when it’s likely to be least used.

Choose a type of activity and a time period from the pop-up menus.

Processor Usage: Monitor the workload of the server’s processor or processors.

Memory Usage: See how much memory the server has been using.

Network Traffic: Track how much incoming and outgoing data the server transfers over the network.

You can also monitor server activity by using the Server Status widget on the server or on another computer.

For information, see Use the Server Status widget.

If the server has a display, you can use Activity Monitor (in the Utilities folder in Launchpad) on the server.

Activity Monitor shows the processes and applications currently open on the computer. You can use Activity Monitor to monitor short-term processor workload, disk activity, and network activity. For information, see Activity Monitor Help.

Lion server fundamentals ► Server monitoring ► Monitor servers ► Track server alerts

You can use the Server app to view messages about important events that have occurred on the server. Each alert message notes when the event occurred, briefly describes the event, outlines available recovery options for resulting problems, and may assist you in recovery. Lion Server sends alerts about low disk space, software updates, expiring SSL certificates, email viruses, and network configuration changes.

View alerts and resolve resulting problems

1. To view a list of alerts, select Alerts in the Server sidebar.

Alerts you haven’t viewed are displayed in bold.

2. To view the description and recovery options for an alert, select the alert in the list, and then choose View Alert from the Action pop-up menu.

You can also view an alert by double-clicking it in the list.

3. To recover from a problem associated with the alert, use the controls or follow the instructions under the Recovery Options heading.

Clear all alerts


Select Alerts in the Server sidebar, and then choose Clear All from the Action pop-up menu.

Lion server fundamentals ► Server monitoring ► Monitor servers ► Change the email address for server alerts

You can use the Server app to change the email addresses Lion Server sends alerts to. Lion Server sends alerts about low disk space, software updates, expiring SSL certificates, email suspected of having a virus, and network configuration changes.

1. Select Alerts in the Server sidebar.

2. Choose Configure Email Addresses from the Action pop-up menu.

3. Enter the email address you want alerts sent to, or enter multiple email addresses separated by commas.

Lion server fundamentals ► Server monitoring ► Monitor servers ► Use the Server Status widget

You can use the Server Status widget to monitor the status of Lion Server, either on the server itself or from another computer with Mac OS X Lion.

1. Open Dashboard, and look for the Server Status widget.

You can open Dashboard by clicking its icon in Launchpad or pressing its keyboard shortcut, which is usually the F12 key.

If you don’t see the Server Status widget in Dashboard, click Dashboard’s Open button (+), and then click or drag the Server Status widget from the widget bar. You can use multiple Server Status widgets to see more than one aspect of a server’s status at once or to monitor other servers on the network.

For more information, search Mac Help for “Dashboard and widgets.”

2. If you see the Server, User Name, and Password fields, enter the server’s DNS name or IP address followed by an administrator name and password, and then click Done.

3. When the Server Status widget is connected to a server, it displays a graph and other status information about the server and its services. You can:

Monitor processor usage, network load, or disk usage by clicking an icon below the graph.

Change the processor or network graph’s time period to one hour, day, or week by clicking the graph.

If your server has more than one disk, view the status of each disk in turn by clicking the disk usage graph.

Check the status indicator and activity statistics for the listed services. A green indicator means the service is running.

Connect to a different server by moving the mouse to the upper-left corner of the widget and clicking the Info button (i).

RELATED TOPICS

Check server statusMonitor server stats

Lion server fundamentals ► Backing up the server ► Backup policy

All storage systems can fail eventually. Either through equipment wear and tear, accident, or disaster, your data and configuration settings are vulnerable to loss. You should have a backup plan in place to prevent or minimize your data loss. For an expanded introduction, see About backup and restore policies.

Backup strategies


There are many types of backup files, and within each type are many formats and methods. Each backup type serves a unique purpose and has its own considerations.

These backup types are not mutually exclusive. They exemplify different approaches to copying data for backup purposes. For example, Time Machine uses a full file-level copy as a base backup; then it uses incremental backups to create snapshots of a computer’s data on a given day.

Full images

Full images are byte-level copies of data. They capture the state of the hard disk down to the most basic storage unit. These backups also keep copies of the disk filesystem and the unused or erased portion of the disk in question. They can be used for forensic study of the source disk medium. Such detail often makes file restoration unwieldy.

Full Image backups are often compressed and are only decompressed to restore the entire file set.

Full file-level copies

Full file-level copies are backups that are kept as duplicates. They do not capture the finest detail of unused portions of the source disk, but they do provide a full record of the files as they existed at the time of backup. If a file changes, the next full file-level backup copies the entire data set in addition to the file that changed.

Incremental backups

Incremental backups start with file-level copies, but they only copy files changed since the last backup. This saves storage spaceand captures changes as they happen.

Snapshots

Snapshots are copies of data as it was in the past. You can make snapshots from collections of files, or more often from links to other files in a backup file set. Snapshots are useful for making backups of volatile data (data that changes quickly), like databases in use or mail servers sending and receiving mail.

Backup media

Several factors help you determine what type of backup media to choose.

Cost

Use cost per GB to determine what media to choose. For example, if your storage needs are limited, you can justify higher cost per GB, but if you need a large amount of storage, cost becomes a big factor in your decision.

One of the most cost-effective storage solutions is a hard disk RAID. It provides a low cost per GB, and it doesn’t require the special handling needed by other cost-effective storage types, such as tape drives.

Capacity

If you back up only a small amount of data, low-capacity storage media can do the job. But to back up large amounts of data,use high-capacity devices, such as a RAID.

Speed

When your goal is to keep your server available most of the time, restoration speed becomes a big factor in deciding which media to choose. Tape backup systems can be very cost effective, but they are much slower than RAID.

Reliability

Successful restoration is the goal of a good backup strategy. If you can’t restore lost data, the effort and cost you spent in backing up data is wasted and the availability of your services is compromised.

Therefore, it’s important that you choose highly reliable media to prevent data loss. For example, tape cartridges are generally considered more reliable for long-term storage than hard disks because the cartridge itself contains no drive mechanism or read heads that can wear out; the moving parts are in the tape drive, which can be replaced without losing the data.

Archive life

You never know when you’ll need your backed up data. Therefore, choose media that is designed to last for a long time. Dust,humidity, and other factors can damage storage media and result in data loss.

Backup scheduling

Backing up files requires time and resources.

Before deciding on a backup plan, consider the following questions:

How much data will be backed up?


How much time will the backup take?

When does the backup need to happen?

What else is the computer doing during that time?

What sort of resource allocation is necessary?

For example, how much network bandwidth is necessary to accommodate the load? How much space on backup drives, or how many backup tapes are required? What sort of drain on computing resources will occur during backup? What personnel are necessary for the backup?

Different kinds of backup require different answers to these questions. For example, an incremental file copy might take less time and copy less data than a full file copy (because only a fraction of any given data set will have changed since the last backup).

Therefore an incremental backup might be scheduled during a normal use period because the impact to users and systems may be very low. However, a full image backup might have a very strong impact for users and systems if done during the normal use period.

Command-line backup and restoration tools

Lion Server provides several command-line tools for data backup and restoration. For more information about these commands, see their respective man pages.

rsync

Use to keep a backup copy of your data in sync with the original. The tool rsync only copies the files that have changed. By default rsync does not preserve the extended attributes that many Lion Server services depend on; the rsync included with Mac OS X accepts the -E option to copy extended attributes and resource forks, so use it when backing up service data.

ditto

Use to perform full backups.

tar

Use to perform full backups.

asr

Use to back up and restore a volume in block copy mode. If the tool is in file copy mode, it does not preserve all necessary extended attributes in files.

pg_dumpall and psql

Use pg_dumpall to generate a text file of SQL commands that can recreate all databases as they were when the file was saved.

Use psql to restore the PostgreSQL databases by executing the SQL commands in the text file output by pg_dumpall.

WARNING: The pg_dumpall and psql tools perform a unified backup and restore of all services that use PostgreSQL databases. These tools back up and restore Address Book, iCal, Podcast, Profile Manager, and Wiki services together. If you use psql to restore the database for one of these services, it also restores the databases for the other services, and you lose changes made since backing up the databases of all these services.

For information about backing up and restoring PostgreSQL databases, see Chapter 24 of the PostgreSQL 9.0.4 Documentation at www.postgresql.org/docs/9.0/interactive/backup.html.

Backup verification

You should have a strategy for regularly conducting test restorations. Some third-party software providers support this functionality. However, if you’re using your own backup solution, develop the necessary test procedures.

Backup rotation scheme

A backup rotation scheme determines the most efficient way to back up data over a specific period of time.

An example of a rotation scheme is the grandfather-father-son rotation scheme. In this scheme, you perform incremental daily backups (son), and full weekly (father) and monthly (grandfather) backups.

In the grandfather-father-son rotation scheme, the number of media sets you use for backup determines how much backup history you have. For example, if you use eight backup sets for daily backups, you have eight days of daily backup history because you’ll recycle media sets every eight days.
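The script below is an added example covering the two preceding topics, backup verification and the grandfather-father-son rotation; it is not part of Apple's documentation. It makes a file-level tar backup with a checksum manifest, performs a test restore into a scratch directory and compares every restored file against the manifest (restore fidelity, not a successful tar run, is what counts), and picks the rotation level for a date. It uses tar and cksum so that it runs on any Unix; on Lion you would keep the same structure but use shasum -a 256 for the manifest and confirm that the archiver you pick preserves extended attributes and ACLs. The directory names, file contents and dates used are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from Apple's documentation: file-level backup with a
# checksum manifest, a verified test restore, and grandfather-father-son
# level selection. Uses only tar, cksum, cmp and mktemp.

# Back up directory $1 into $2/$3.tar with a manifest $2/$3.cksum built from
# the source tree. Manifest lines: "<crc> <size> <relative path>".
backup_tree() {
    src=$1; dest=$2; name=$3
    mkdir -p "$dest"
    ( cd "$src" && find . -type f | sort | xargs cksum ) > "$dest/$name.cksum"
    tar -cf "$dest/$name.tar" -C "$src" .
}

# Restore $1/$2.tar into a scratch directory and compare every file with the
# manifest. Prints the differences on a mismatch; returns 1 on any mismatch.
verify_backup() {
    dest=$1; name=$2
    scratch=$(mktemp -d)
    tar -xf "$dest/$name.tar" -C "$scratch"
    ( cd "$scratch" && find . -type f | sort | xargs cksum ) > "$scratch.cksum"
    if cmp -s "$dest/$name.cksum" "$scratch.cksum"; then
        rc=0
    else
        echo "restore mismatch for $name:"
        diff "$dest/$name.cksum" "$scratch.cksum"
        rc=1
    fi
    rm -rf "$scratch" "$scratch.cksum"
    return $rc
}

# Rotation level for a date given as YYYY-MM-DD: the first of the month is the
# monthly full (grandfather), any other Sunday the weekly full (father), and
# every other day the daily incremental (son). The day of week comes from
# Zeller's congruence so no GNU date extensions are needed.
gfs_level() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}
    if [ "$d" -eq 1 ]; then
        echo grandfather; return 0
    fi
    if [ "$m" -lt 3 ]; then m=$((m + 12)); y=$((y - 1)); fi
    k=$((y % 100)); j=$((y / 100))
    # Zeller: h = 0 is Saturday, 1 is Sunday, ..., 6 is Friday
    h=$(( (d + (13 * (m + 1)) / 5 + k + k / 4 + j / 4 + 5 * j) % 7 ))
    if [ "$h" -eq 1 ]; then echo father; else echo son; fi
}
```

Run backup_tree and then verify_backup for every set the rotation produces, not just once when the job is first written: a manifest that no longer matches a restored tree is the earliest warning that a media set or the archiver itself has started silently losing data.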


Other backup policy considerations

Consider the following additional items for your backup policy.

Should file compression be used? If so, what kind?

Are there onsite and offsite backups and archives?

Are there special needs for the type of data being stored? For example, for Mac OS X files, can the backup utility preserve file metadata, resource forks, and Access Control List (ACL) privileges?

Is there sensitive data, such as passwords, social security numbers, phone numbers, medical records, or other legally protected information, that requires special treatment, and that must not be backed up without understanding where the data will flow and be stored?

Data restoration

No backup policy or solution is complete without having accompanying plans for data restoration. Depending on what is being restored, you may have different practices and procedures. For example, your organization may have specific tolerances for how long critical systems can be out of use while the data is restored.

Consider the following questions:

How long will it take to restore data at each level of granularity?

For example, how long will a deleted file or email take to restore? How long will a full hard disk image take to restore? How long would it take to return the whole network to its state three days ago?

What process is most effective for each type of restore?

For example, why would you roll back the entire server for a single lost file?

How much administrator action is necessary for each type of restore? How much automation must be developed to best use administrators’ time?

Under what circumstances are restores initiated? Who and what can start a restore and for what reasons?

Restore practices and procedures must be tested regularly. A backup data set that does not restore correctly cannot be considered a trustworthy backup. Backup integrity is measured by restore fidelity.

Lion server fundamentals ► Backing up the server ► Server backup and restore

You can back up server files automatically using Time Machine, a comprehensive backup solution. Time Machine automatically makes a complete backup of all files on the computer to a locally attached external hard drive, an available internal hard disk, or a remote network file system. It also keeps track as files are created, updated, or deleted over time. Time Machine backs up the changes and creates a history of the file system that you can navigate by date. You can use its intuitive time-based visual browser to search back through time to find and restore any files that were backed up.

You set backup options in the Time Machine pane of System Preferences on the server. You can set up a list of folders and disks that you want to exclude from backup. Time Machine automatically excludes temporary files and cache files located in /tmp/, /Library/Logs/, /Library/Caches/, and /Users/username/Library/Caches/.

Note: If the server is a portable computer, you may improve its performance by turning off Time Machine local snapshots. For instructions, see Turn off Time Machine local snapshots.

Time Machine automatically backs up data and settings for these services: Address Book, File Sharing, iCal, iChat, Mail, Podcast, Profile Manager, Time Machine, VPN, Web, and Wiki. Time Machine also automatically backs up some settings for other services, but you may not be able to completely restore settings changed with Server Admin or with command-line tools.

After using Time Machine to back up your server, you can restore your server to a previous state.

For information about backing up and restoring with Time Machine, search Mac Help for “Back up your Mac.”

Lion server fundamentals ► Backing up the server ► Turn off Time Machine local snapshots


You may improve performance of a portable computer by turning off Time Machine local snapshots.

If your server is a portable computer, Time Machine may use the internal disk to store local snapshots of files that have changed. Storing these local snapshots may degrade server performance. You can turn off saving of local snapshots by using the tmutil command-line tool.

Open Terminal (located in Launchpad's Utility folder), and enter:

$ sudo tmutil disablelocal

Lion server fundamentals ► Network identity ► Understanding changes to the server IP address or network identity

When you change a server’s IP address, host name, local hostname, or computer name, additional configuration steps might be needed for each service provided. Each service relies on IP addresses or names differently; therefore, the combination of steps depends on your individual setup.

Learn more about how network identity changes affect:

Infrastructure services

Collaboration services

File services

Mail services

Podcast services

Web and wiki services

Other services

Lion server fundamentals ► Network identity ► Understanding Lion Server names

Three names are used by Lion Server: computer name, local hostname, and host name. They are used by different parts of the system for different reasons, and are not linked. Changing the computer name and the local hostname is not the same thing as changing the host name.

The computer name is a user-friendly name for the system and is shown in the Finder and tools like Apple Remote Desktop.

The local hostname is a domain name, usable only on the local network, and is published to other services that are Bonjour-aware.

The host name is the Internet host name, which is a fully qualified domain name. Only the host name is the Internet-routable name that services use for network identity.

Lion server fundamentals ► Network identity ► Change the server's host name after setup

You can change the host name of a server after setup, but it is not recommended. You can use the scutil command-line tool to set the host name.


The Server app includes an assistant for changing the server's host name. The assistant can also be used to change the server's network address. The assistant reconfigures services to use the new host name and any other changes to the network configuration. For information, see Find or change your server’s host name.

If you change a server’s host name after setup, the name must be changed with your DNS service provider.


Until the server’s host name matches the name with the DNS service provider, several services will not function. Changing your host name can have significant unintended consequences, depending on the services your server provides.

For information on the effects of changing the host name, see Understanding IP address or network identity changes on infrastructure services.

Note: If you choose not to use the Server app to change the host name, the changeip command-line tool is still available, but not recommended.

Use Server App to change the server’s host name.

See Find or change your server’s host name

If you choose not to use the Server app, use scutil to change the host name:

$ sudo scutil --set (ComputerName|LocalHostName|HostName) <NewName.domain.tld>

Command example:

$ sudo scutil --set HostName newhost.example.com

Confirm the result with scutil --get HostName, and make sure the forward and reverse DNS records for the new name are in place with your DNS service provider before services depend on it.
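Before services are pointed at a new name, it is worth checking that the name the server holds is the name DNS holds. The following shell script is an added example, not part of this guide or of Lion Server: names_agree takes the configured host name, the server's primary IP address, the A record for that name and the PTR record for that address, and fails unless they agree and the name is a fully qualified name outside the Bonjour .local domain. The live wrapper gathers those values with scutil --get HostName, ifconfig and dig, all present on a Lion Server; the interface-selection rule in it and every name and address used below are assumptions for illustration.

```sh
#!/bin/sh
# Added example; not part of the Lion Server guide or of Lion Server itself.
# Check that the host name a server carries is a usable FQDN and matches what
# DNS says, before and after changing it with scutil or the Server app.
# names_agree takes its inputs as arguments so it can be exercised offline;
# check_live gathers them from scutil, ifconfig and dig, which are present on
# a Lion Server. The interface rule in check_live and the names and addresses
# used below are assumptions for illustration.

# A fully qualified name: two or more labels of 1-63 letters, digits or
# hyphens, none starting or ending with a hyphen.
valid_fqdn() {
    printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# names_agree HOSTNAME SERVER_IP FORWARD_IP REVERSE_NAME
# Succeeds only when HOSTNAME is a valid FQDN outside the Bonjour .local
# domain, its A record equals SERVER_IP, and the PTR record for SERVER_IP maps
# back to HOSTNAME (compared case-insensitively, ignoring dig's trailing dot).
names_agree() {
    h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    rev=$(printf '%s' "$4" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    valid_fqdn "$h" || { printf 'not a fully qualified host name: %s\n' "$1" >&2; return 1; }
    case "$h" in
        *.local) printf '%s is a Bonjour local hostname, not an Internet host name\n' "$1" >&2; return 1 ;;
    esac
    [ "$3" = "$2" ] || { printf 'A record for %s is "%s" but the server uses %s\n' "$h" "$3" "$2" >&2; return 1; }
    [ "$rev" = "$h" ] || { printf 'PTR for %s is "%s", expected %s\n' "$2" "$rev" "$h" >&2; return 1; }
}

# Live check on the server. The primary address is taken from the first
# non-loopback "inet" line of ifconfig, which assumes the primary interface
# is listed first; adjust for your server.
check_live() {
    hn=$(scutil --get HostName)
    ip=$(ifconfig | awk '/inet / && $2 != "127.0.0.1" { print $2; exit }')
    names_agree "$hn" "$ip" "$(dig +short "$hn" A | head -n 1)" "$(dig +short -x "$ip" | head -n 1)"
}
```

Run check_live once before changing the host name and again after the DNS provider has published the new records; a non-zero exit with the reason on stderr is the signal that services which key on the host name will misbehave. The changeip tool's -checkhostname mode (not shown on this page) performs a comparable forward and reverse comparison.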

Lion server fundamentals ► Network identity ► Change the server's computer name and the local hostname

You can use the scutil command-line tool to set the computer name and local hostname.

The computer name is a user-friendly name for the system and is shown in the Finder and tools like Apple Remote Desktop.

The local hostname is a domain name, usable only on the local network, and is published to other services which are Bonjour-aware.

Use scutil to change the computer name and local hostname.

$ sudo scutil --set ComputerName <newComputerName>
$ sudo scutil --set LocalHostName <newLocalHostName>

Lion server fundamentals ► Network identity ► Changing the IP address of a server

You can change the IP address of a server using the Network pane of System Preferences or the networksetup tool.

Do not turn off the primary network interface and then turn it back on with a different address. Several services will not get the needed notification to update their configuration.

Changing your IP address can have significant unintended consequences, depending on the services your server provides. For information on the effects of changing the IP addresses, see Understanding IP address or network identity changes on infrastructure services.

The changeip command-line tool is still available; it can do manually what the Server app does automatically.

IP address changes and Server App

The Server app detects and posts an alert about network configuration changes, including host name change and network address change. The alert contains a button that reconfigures services to use the new network configuration. It does this by running the changeip command-line tool. The automated resolution takes care of services managed by the Server app; check any service you configure outside the Server app (for example, with Server Admin) separately. For information, see Find or change your server’s IP address.

Network infrastructure services ► DHCP ► About DHCP service


If your organization has more clients than IP addresses, you can benefit from using Dynamic Host Configuration Protocol (DHCP) service. IP addresses are assigned as needed, and when they’re not needed, they can be used by other clients. You can use a combination of static and dynamic IP addresses for your network.

DHCP service lets you administer and distribute IP addresses to computers from your server. When you configure the DHCP server, you assign a block of IP addresses that can be made available to clients.

Each time a computer configured to use DHCP starts up, it looks for a DHCP server on your network. If it finds a DHCP server, the client computer then requests an IP address. The DHCP server checks for an available IP address and sends it to the computer with a lease period (the length of time the client computer can use the address) and configuration information.

Organizations can benefit from the features of DHCP service, such as the ability to set Domain Name System (DNS) and Lightweight Directory Access Protocol (LDAP) options for computers without needing to configure each client.

You can use the DHCP module in Server Admin to:

Configure and administer DHCP service

Create and administer subnets

Configure DNS, LDAP, and Windows Internet Naming Service (WINS) options for client computers

View DHCP address leases

Creating subnets

Subnets are groupings of computers on a network that simplify administration. You can organize subnets any way that is useful to you. For example, you can create subnets for groups in your organization or for floors of a building.

After you group computers into subnets, you can configure options for all computers on a subnet at one time instead of setting options for individual computers.

Each subnet needs a way to connect to other subnets. A hardware device called a router typically connects subnets.

Assigning IP addresses dynamically

With dynamic address allocation, an IP address is assigned for a limited period of time (the lease time) or until the computer doesn’t need the IP address, whichever comes first.

By using short leases, DHCP can reassign IP addresses on networks that have more computers than IP addresses. Leases are renewed if the address isn’t needed by another computer.

Addresses allocated to VPN clients are distributed much like DHCP addresses, but they don’t come out of the same range of addresses as DHCP. If you plan on using VPN, leave some addresses unallocated by DHCP for use by VPN.

Using static IP addresses

Static IP addresses are assigned to a computer or device once and then don’t change. You can assign static IP addresses to computers that must have a continuous Internet presence, such as web servers. Other devices that must be continuously available to network users, such as printers, can also benefit from static IP addresses.

Static IP addresses can be set up manually by entering the IP address on the computer (or other device) that is assigned the address, or by configuring DHCP to provide the same address to a specific computer or device on each request.

Manually configured static IP addresses avoid potential issues that some services can have with DHCP-assigned addresses, and they don’t suffer from the delay that DHCP requires to assign an address.

DHCP-assigned addresses permit address configuration changes at the DHCP server rather than at each client.

Don’t include manually assigned static IP address ranges in the range distributed by DHCP.

You can set up DHCP to always serve the same address to the same computer. For more information, see Use DHCP to assign static IP addresses.

Locating the DHCP server

When a computer looks for a DHCP server, it broadcasts a message. If your DHCP server is on a different subnet from the computer, make sure the routers that connect your subnets can forward client broadcasts and DHCP server responses.

A relay agent or router on your network that can relay BootP communications works for DHCP. If you don’t have a means to relay BootP communications, place the DHCP server on the same subnet as your client.

Interacting with other DHCP servers

You might already have DHCP servers on your network, such as AirPort Base Stations.


Lion Server can coexist with other DHCP servers as long as each DHCP server uses a unique pool of IP addresses.

If AirPort Base Stations are on separate subnets, configure your routers to forward client broadcasts and DHCP server responses as described in Locating the DHCP server.

Using multiple DHCP servers on a network

You can have multiple DHCP servers on the same network. However, they must be configured properly to prevent interference with each other. Each server needs a unique pool of IP addresses to distribute. Keep in mind that a client accepts the first offer that answers its broadcast, including an offer from a DHCP server you did not set up, so an unplanned server on a segment is a trust problem as well as an interference problem: it can hand clients the DNS and LDAP settings described in this chapter.

Assigning reserved IP addresses

Some IP addresses can’t be assigned, including addresses reserved for loopback and broadcasting. Your ISP won’t assign these addresses to you. If you try to configure DHCP to use these addresses, you’re warned that the addresses are invalid and you must enter valid addresses.

Network infrastructure services ► DHCP ► Set up DHCP ► DHCP setup overview

Here is an overview of the basic steps for setting up DHCP service.

Note: If you used Gateway Setup Assistant to configure ports on your server when you installed Lion Server, some DHCP information is configured. Follow the steps in this section to finish configuring DHCP service.

Before you begin

For issues to keep in mind when you set up DHCP service, read About DHCP service.

Enable DHCP service

Before configuring DHCP service, enable DHCP. See Enable DHCP service.

Create subnets

Use Server Admin to create a pool of IP addresses that are shared by the client computers on your network. You create one range of shared addresses per subnet. These addresses are assigned by the DHCP server when a client issues a request. See Create DHCP subnets.

Configure DHCP log settings

You can log the activity and errors in DHCP service to help you identify use patterns and problems with your server.

DHCP service records diagnostic messages in the system log file. To keep this file from growing too large, you can suppress most messages by changing log settings in the Logging pane of DHCP service settings. See Configure log settings for DHCP service.

Start DHCP service

After you configure DHCP, start the service to make it available. See Start DHCP service.

Network infrastructure services ► DHCP ► Set up DHCP ► Enable DHCP service

Before you can configure DHCP settings, you must enable DHCP service in Server Admin.

1. Open Server Admin and connect to the server.

2. Click Settings.

3. Click Services.

4. Select the DHCP checkbox.

5. Click Save.

Network infrastructure services ► DHCP ► Set up DHCP ► Create DHCP subnets


Subnets are groupings of computers on the same network that can be organized by location (for example, floors of a building) or byusage (for example, eighth-grade students). Each subnet has at least one range of IP addresses assigned to it.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Subnets.

5. Click the Add button (+).

6. Enter a descriptive name for the new subnet.

7. Enter a starting and ending IP address for this subnet range.

Addresses must be contiguous and they can’t overlap other subnet ranges.

8. Enter the subnet mask for the network address range.

9. From the pop-up menu, choose the network interface to host DHCP service.

10. Enter the IP address of the router for this subnet.

If the server you’re configuring is the router for the subnet, enter this server’s internal LAN IP address as the router’s address.

11. Define a lease time in hours, days, weeks, or months.

12. If you want to set DNS, LDAP, or WINS information for this subnet, enter these now.

For more information, see Set the DNS server for a DHCP subnet, Set LDAP options for a subnet, and Set WINS options for a subnet.

13. Click Save.

14. To enable the subnet, select the Enable checkbox.

15. Click Save.

Network infrastructure services ► DHCP ► Set up DHCP ► Use serveradmin to create DHCP subnets

You can create a DHCP subnet using serveradmin. The subnetID parameter is a unique identifier for the subnet. It can be any value not already assigned to another subnet on the server, and it can include embedded hyphens (-).

Parameter         Description
subnetID          A unique identifier for the subnet. Can be any value not assigned to another subnet on the server. Can include embedded hyphens (-).
Other parameters  The standard subnet settings described in the serveradmin man page.

For information about setting DHCP subnet parameters, see serveradmin man pages.

For information about serveradmin, see its man page.

To create a DHCP subnet:

Note: Include the special first setting (ending with = create). This is how you tell serveradmin to create the settings array with the specified subnet ID. Enter one setting per line, then press Control-D to end the input.

$ sudo serveradmin settings
dhcp:subnets:_array_id:subnetID = create
dhcp:subnets:_array_id:subnetID:descriptive_name = description
dhcp:subnets:_array_id:subnetID:net_range_start = start-address
dhcp:subnets:_array_id:subnetID:net_range_end = end-address
dhcp:subnets:_array_id:subnetID:net_mask = mask
dhcp:subnets:_array_id:subnetID:selected_port_name = port
dhcp:subnets:_array_id:subnetID:dhcp_router = router
dhcp:subnets:_array_id:subnetID:lease_time_secs = lease-time
dhcp:subnets:_array_id:subnetID:dhcp_enabled = (yes|no)
Control-D

To view DHCP configurations settings:

$ sudo serveradmin settings dhcp

Network infrastructure services ► DHCP ► Set up DHCP ► Configure log settings for DHCP service

You can choose the level of detail for DHCP service logs:

Low (errors only): Indicates conditions where you must take immediate action (for example, if the DHCP server can’t start up). This level corresponds to bootpd reporting in quiet mode with the “-q” flag.

Medium (errors and warnings): Alerts you to conditions where data is inconsistent but the DHCP server can still operate. This level corresponds to default bootpd reporting.

High (all events): Records activity by DHCP service, including routine functions. This level corresponds to bootpd reporting in verbose mode with the “-v” flag.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Settings.

5. From the Log Level pop-up menu, choose the logging option you want.

6. Click Save.

Network infrastructure services ► DHCP ► Set up DHCP ► Use serveradmin to configure log settings for DHCP service

The value can be ["LOW"|"MEDIUM"|"HIGH"].

To set up the log detail level:

$ sudo serveradmin settings dhcp:logging_level = value

For information about serveradmin, see its man page.

Network infrastructure services ► DHCP ► Set up DHCP ► Start DHCP service


You start DHCP service to provide IP addresses to users. You must have at least one subnet created and enabled.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click the Start DHCP button (below the Servers list).

If the Firewall service is running, a warning appears asking you to verify that all ports used by DHCP are open. Click OK.

The service runs until you stop it. It restarts when your server is restarted.

Network infrastructure services ► DHCP ► Set up DHCP ► Use serveradmin to start DHCP service

You start DHCP service to provide IP addresses to users. You must have at least one subnet created and enabled.

To start DHCP service:

$ sudo serveradmin start dhcp

For information about serveradmin, see its man page.

Network infrastructure services ► DHCP ► Manage DHCP ► Stop DHCP service

When starting or stopping DHCP, you must have at least one subnet created and enabled.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Stop Now.

Network infrastructure services ► DHCP ► Manage DHCP ► Use serveradmin to stop DHCP service

When stopping DHCP, you must have at least one subnet created and enabled.

To stop DHCP service:

$ sudo serveradmin stop dhcp

For information about serveradmin, see its man page.

Network infrastructure services ► DHCP ► Manage DHCP ► Change DHCP subnet settings

Use Server Admin to change DHCP subnet settings. You can change IP address range, subnet mask, network interface, router, or lease time.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Subnets.

5. Select a subnet.

6. Make your changes.

Changes can include adding DNS, LDAP, or WINS information. You can also redefine address ranges or redirect the network interface that responds to DHCP requests.

7. Click Save.

If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.

Network infrastructure services ► DHCP ► Manage DHCP ► Use serveradmin to change DHCP subnet settings

To change a DHCP setting:

$ sudo serveradmin settings dhcp:setting = value

To change several DHCP settings:

$ sudo serveradmin settings
dhcp:setting = value
dhcp:setting = value
dhcp:setting = value
[...]
Control-D

To view all DHCP settings:

$ sudo serveradmin settings dhcp

Parameter Description

setting A DHCP service setting.

value A relevant value for the setting.

For information about setting DHCP subnet parameters, see serveradmin man pages.

For information about serveradmin, see its man page.

Network infrastructure services ► DHCP ► Manage DHCP ► Delete DHCP subnets

You can delete subnets and subnet IP address ranges so they are no longer distributed to computers.

1. Open Server Admin and connect to the server.


2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Subnets.

5. Select a subnet.

6. Click the Delete button (–).

7. Click Save.

If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.

Network infrastructure services ► DHCP ► Manage DHCP ► Disable subnets temporarily

You can temporarily shut down a subnet without losing its settings. No IP addresses from the subnet’s range are distributed on the selected interface to any computer until you reenable the subnet.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Subnets.

5. Deselect the Enable checkbox next to the subnet to disable.

6. Click Save.

If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.

Network infrastructure services ► DHCP ► Manage DHCP ► Change IP address lease times for a subnet

You can change how long IP addresses on a subnet are available to computers.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Subnets.

5. Select a subnet.

6. From the Lease Time pop-up menu, choose a time scale (hours, days, weeks, or months).

7. In the Lease Time field, enter a number.

8. Click Save.

If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.


Network infrastructure services ► DHCP ► Manage DHCP ► Set the DNS server for a DHCP subnet

You can determine the DNS servers and default domain name a subnet should use. DHCP service provides this information to computers in the subnet.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Subnets.

5. Select a subnet.

6. Click DNS.

7. Enter the primary and secondary name server IP addresses you want DHCP clients to use.

8. Enter the default domain of the subnet.

9. Click Save.

If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.

Network infrastructure services ► DHCP ► Manage DHCP ► Use serveradmin to set the DNS server for a DHCP subnet

Use the same subnetID used to create the subnet.

Parameter         Description
subnetID          A unique identifier for the subnet. Can be any value not assigned to another subnet on the server. Can include embedded hyphens (-).
dns-server-n      A DNS server address. To specify additional DNS servers, add dhcp_domain_name_server settings, incrementing _array_index:n for each additional value.
Other parameters  The standard subnet settings described in the serveradmin man page.

To set DNS options for a subnet:

$ sudo serveradmin settings
dhcp:subnets:_array_id:subnetID:dhcp_domain_name_server:_array_index:0 = dns-server-1
dhcp:subnets:_array_id:subnetID:dhcp_domain_name_server:_array_index:1 = dns-server-2
dhcp:subnets:_array_id:subnetID:dhcp_domain_name = domain
Control-D

For information about serveradmin, see its man page.

Network infrastructure services ► DHCP ► Manage DHCP ► Set LDAP options for a subnet

You can use DHCP to provide your clients with LDAP server information, but Mac OS X v10.5 or later clients won't automatically bind to the LDAP server. The order in which the LDAP servers appear in the list determines their search order in the automatic Open Directory search policy.

Because DHCP offers are not authenticated, a client that does use a DHCP-supplied LDAP URL trusts whichever DHCP server answered it. Select LDAP over SSL (step 10) so that the directory traffic is at least encrypted, and keep unmanaged DHCP servers off the segment.

If you are using this Mac server as an LDAP master, LDAP options are populated with the necessary configuration information. If your LDAP master server is another computer, you must know the domain name or IP address of the LDAP database to use, and you must know the LDAP search base.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Subnets.

5. Select a subnet.

6. Click LDAP.

7. Enter the domain name or IP address of the LDAP server for this subnet.

8. Enter the search base for LDAP searches.

9. If you’re using a nonstandard port, enter the LDAP port number.

10. If necessary, select LDAP over SSL.

Use this option to secure LDAP communication.

11. Click Save.

If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.

Network infrastructure services ► DHCP ► Manage DHCP ► Use serveradmin to set LDAP options for a subnet

Use the same subnetID you used to create the subnet.

Parameter         Description
subnetID          A unique identifier for the subnet. Can be any value not assigned to another subnet on the server. Can include embedded hyphens (-).
Other parameters  The standard subnet settings described in the serveradmin man page.

To set LDAP options for a subnet:

$ sudo serveradmin settings
dhcp:subnets:_array_id:subnetID:dhcp_ldap_url:_array_index:0 = ldap-server
Control-D

For information about serveradmin, see its man page.

Network infrastructure services ► DHCP ► Manage DHCP ► Set WINS options for a subnet

You can give more information to computers running Windows on a subnet by adding Windows-specific settings to the DHCP-supplied network configuration data. These Windows-specific settings permit Windows clients to browse Network Neighborhood.

You must know the domain name or IP address of the Windows Internet Naming Service/NetBIOS Name Server (WINS/NBNS) primary and secondary servers (usually the IP address of the DHCP server), and the NetBIOS over TCP/IP (NBT) node type.

The following are possible node types:

Hybrid (h-node): Checks the WINS server and then broadcasts.

Peer (p-node): Checks the WINS server for name resolution.

Broadcast (b-node): Broadcasts for name resolution (most commonly used).

Mixed (m-node): Broadcasts for name resolution and then checks the WINS server.

The NetBIOS Datagram Distribution (NBDD) server works with NBNS to route datagrams to computers on another subnet.

The NetBIOS Scope ID isolates NetBIOS communication on a network. The NetBIOS Scope ID is appended to the NetBIOS name of the computer. Computers that have the same NetBIOS Scope ID can communicate.

NBDD Server and the NetBIOS Scope ID are typically not used, but you might need them depending on your Windows clients’ configuration and Windows network infrastructure.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Subnets.

5. Select a subnet.

6. Click WINS.

7. Enter the domain name or IP address of the WINS/NBNS primary and secondary servers for this subnet.

8. Enter the domain name or IP address of the NBDD server for this subnet.

9. From the pop-up menu, choose the NBT node type.

10. Enter the NetBIOS Scope ID.

11. Click Save.

If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.

Network infrastructure services ► DHCP ► Manage DHCP ► Use serveradmin to set WINS options for a subnet

Use the same subnetID you used to create the subnet.

Parameter         Description
subnetID          A unique identifier for the subnet. Can be any value not assigned to another subnet on the server. Can include embedded hyphens (-).
Other parameters  The standard subnet settings described in the serveradmin man page.

To set WINS options for a subnet:

$ sudo serveradmin settings
dhcp:subnets:_array_id:subnetID:WINS_primary_server = wins-server-1
dhcp:subnets:_array_id:subnetID:WINS_secondary_server = wins-server-2
dhcp:subnets:_array_id:subnetID:WINS_NBDD_server = nbdd-server
dhcp:subnets:_array_id:subnetID:WINS_node_type = node-type
dhcp:subnets:_array_id:subnetID:WINS_scope_id = scope-ID
Control-D

For information about serveradmin, see its man page.

Network infrastructure services ► DHCP ► Manage DHCP ► Use DHCP to assign static IP addresses

You can always assign the same address to specific computers. This helps simplify configuration when using DHCP and lets you have static servers or services.

To keep the same IP address for a computer, you must know the computer’s Ethernet address (also known as the MAC or hardware address). Each network interface has its own Ethernet address.

If a computer is connected to a wired network and a wireless network, it uses a different Ethernet address for each network connection.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Static Maps.

5. Click Add Computer.

6. Enter the name of the computer.

7. In the Network Interfaces list, click the column to enter the following information:

MAC address of the computer that needs a static address

IP address to assign to the computer

8. If your computer has other network interfaces that require static IP addresses, click the Add button (+) and enter the IP address to assign for each interface.

9. Click OK.

10. Click Save.

If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.

Network infrastructure services ► DHCP ► Manage DHCP ► Use serveradmin to assign static IP addresses

Static Map Parameter  Description
mapID                 A unique ID code for the map entry. The ID must be unique for each static map defined on the server.
ip_address            IP address of host.
name                  Host’s DNS name.
en_address            Host’s Ethernet address.

To assign a static map:

$ sudo serveradmin settings
dhcp:static_maps:_array_id:examplehost/mapID = create
dhcp:static_maps:_array_id:examplehost/mapID:ip_address = "1.2.3.4"
dhcp:static_maps:_array_id:examplehost/mapID:name = "examplehost"
dhcp:static_maps:_array_id:examplehost/mapID:en_address = "00:30:a1:a2:a1:23"
Control-D

For information about static map IDs, see serveradmin man pages.

For information about serveradmin, see its man page.
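The two serveradmin procedures above (Use serveradmin to create DHCP subnets, and the static map just shown) accept whatever values you type: a reserved address is only rejected by the service afterwards, and nothing stops you from placing a static assignment inside the dynamic pool, which the guidance in About DHCP service tells you not to do. The following POSIX shell script is an added example, not part of this guide or of Lion Server. It checks a proposed range against its mask (rejecting the network and broadcast addresses, a non-contiguous mask, a router outside the subnet and a reversed range), checks that a static map uses a well-formed Ethernet address and an IP address outside the dynamic pool, and only then prints the serveradmin settings block. The key names are the ones shown on this page; the subnet ID, interface name and every address below are constructed sample values.

```sh
#!/bin/sh
# Added example; not part of the Lion Server guide or of Lion Server itself.
# Validate a DHCP subnet range and static maps before feeding them to
# serveradmin. Assumes POSIX sh with awk and grep. The dhcp:subnets and
# dhcp:static_maps key names are the ones shown on this page; the subnet ID,
# interface name and every address below are constructed sample values.

# Dotted quad to unsigned 32-bit integer: 192.168.1.10 -> 3232235786.
ip2int() {
    printf '%s\n' "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# Exactly four decimal octets, each 0-255.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$1" | awk -F. '{ exit !($1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255) }'
}

# Ethernet address as six colon-separated hex groups (the en_address form).
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}$'
}

# check_range START END MASK ROUTER
# Non-zero if an address is malformed, MASK is not a contiguous prefix,
# START > END, the range includes the network or broadcast address (the
# reserved addresses the service refuses), or ROUTER is outside the subnet.
check_range() {
    for a in "$1" "$2" "$3" "$4"; do valid_ip "$a" || return 1; done
    s=$(ip2int "$1"); e=$(ip2int "$2"); m=$(ip2int "$3"); r=$(ip2int "$4")
    inv=$((4294967295 - m))                       # host bits of the mask
    [ $((inv & (inv + 1))) -eq 0 ] || return 1    # contiguous-prefix test
    net=$((s & m)); bcast=$((net + inv))
    [ "$s" -le "$e" ] || return 1
    [ "$s" -gt "$net" ] && [ "$e" -lt "$bcast" ] || return 1
    [ $((r & m)) -eq "$net" ] && [ "$r" -ne "$net" ] && [ "$r" -ne "$bcast" ] || return 1
}

# check_static IP MAC POOL_START POOL_END
# A static map needs a well-formed MAC and an address outside the dynamic
# pool, so a lease handed to another client can never collide with it.
# The MAC is whatever the client reports: it pins an address, it does not
# authenticate the machine, and a client that spoofs the MAC gets the address.
check_static() {
    valid_ip "$1" && valid_mac "$2" || return 1
    i=$(ip2int "$1"); s=$(ip2int "$3"); e=$(ip2int "$4")
    if [ "$i" -ge "$s" ] && [ "$i" -le "$e" ]; then return 1; fi
    return 0
}

# emit_subnet ID NAME START END MASK PORT ROUTER LEASE_SECS
# Print the settings block for "sudo serveradmin settings", in the form used
# on this page, only once the range has passed check_range.
emit_subnet() {
    check_range "$3" "$4" "$5" "$7" || { printf 'rejected range %s-%s/%s via %s\n' "$3" "$4" "$5" "$7" >&2; return 1; }
    p="dhcp:subnets:_array_id:$1"
    cat <<EOF
$p = create
$p:descriptive_name = "$2"
$p:net_range_start = "$3"
$p:net_range_end = "$4"
$p:net_mask = "$5"
$p:selected_port_name = "$6"
$p:dhcp_router = "$7"
$p:lease_time_secs = $8
$p:dhcp_enabled = yes
EOF
}

# Constructed demo: a /24 pool of .50-.200 plus a printer pinned at .20.
if [ "${1:-}" = "demo" ]; then
    emit_subnet lan-2001 "Office LAN" 192.168.1.50 192.168.1.200 255.255.255.0 en0 192.168.1.1 86400
    check_static 192.168.1.20 00:30:a1:a2:a1:23 192.168.1.50 192.168.1.200 && echo "static map for .20 is outside the pool"
fi
```

Run it as sh dhcp-check.sh demo to see the generated block, and pipe the output of emit_subnet into sudo serveradmin settings on the server. The static-map check encodes the "don't overlap static and dynamic ranges" rule from About DHCP service; it cannot make a MAC-keyed mapping into an access control, which is why a static map is the wrong tool for anything that must stay reachable only by the intended machine.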

Network infrastructure services ► DHCP ► Manage DHCP ► Remove or change static address maps

You can change static mappings or remove them as needed.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Static Maps.

5. Select a mapping to Edit or Remove.

6. Click Edit or Remove.

If you are editing the mapping, make changes you want, then click OK.

7. Click Save.

If DHCP is running, you are prompted to restart DHCP for changes to take effect. Otherwise, changes take effect the next time you start DHCP.

Network infrastructure services ► DHCP ► Monitor DHCP ► Check DHCP service status

The status overview shows the following summary of DHCP service:

Whether the service is running

How many clients it has

When the service was started

How many IP addresses are statically assigned from your subnets

The last time the client database was updated

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Overview to view whether the service is running, when it started, the number of static maps, the number of clients connected, and when the last database update occurred.

Network infrastructure services ► DHCP ► Monitor DHCP ► Use serveradmin to check DHCP service status


To see summary status of DHCP service:

$ sudo serveradmin status dhcp

To see detailed status of the DHCP service:

$ sudo serveradmin fullstatus dhcp

For information about serveradmin, see its man page.

Network infrastructure services ► DHCP ► Monitor DHCP ► View DHCP log entries

If you’ve enabled logging for DHCP service, you can check the system log for DHCP errors.

The log view is the system.log file filtered for bootpd. Use the Filter field to search for specific entries.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Log.

5. To search for specific entries, use the Filter field (upper right corner).

Network infrastructure services ► DHCP ► Monitor DHCP ► View DHCP log entries from the command line

To view DHCP log entries:

$ tail /var/log/system.log

For information about tail, see its man page.
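The tail command above shows everything in system.log, not only bootpd. One pattern worth looking for in that stream is a burst of DHCP DISCOVER messages from many different hardware addresses on one interface, which is what a client flooding the pool (a DHCP starvation attempt, or a looping device) looks like before the pool runs dry. The following shell script is an added example, not part of this guide or of Lion Server: discover_bursts reads syslog-format lines, keeps the DISCOVER lines bootpd writes at the High (verbose) log level, and reports any interface on which more than a threshold of distinct MAC addresses asked for a lease inside a sliding time window. The lines in sample_log are constructed and follow the general shape of bootpd's DISCOVER messages; the field positions in the awk program are an assumption to verify against your own /var/log/system.log.

```sh
#!/bin/sh
# Added example; not part of the Lion Server guide or of Lion Server itself.
# Scan syslog-format lines for bootpd DHCP DISCOVER messages and flag an
# interface on which many distinct hardware addresses asked for a lease in a
# short window: the shape of pool exhaustion, whether a DHCP starvation
# attempt or a looping client. The lines in sample_log are constructed and
# follow the general "DHCP DISCOVER [iface]: 1,mac" shape of bootpd's verbose
# output; the awk field positions are an assumption to verify against your
# own /var/log/system.log.

sample_log() {
cat <<'EOF'
Jan 12 09:00:01 server bootpd[221]: DHCP DISCOVER [en0]: 1,0:1e:c2:aa:bb:01
Jan 12 09:00:01 server bootpd[221]: OFFER sent client-a 192.168.1.50 pktsize 300
Jan 12 09:00:02 server bootpd[221]: DHCP REQUEST [en0]: 1,0:1e:c2:aa:bb:01
Jan 12 09:00:02 server bootpd[221]: ACK sent client-a 192.168.1.50 pktsize 300
Jan 12 09:30:10 server bootpd[221]: DHCP DISCOVER [en0]: 1,0:1e:c2:aa:bb:02
Jan 12 09:30:11 server bootpd[221]: DHCP DISCOVER [en0]: 1,0:1e:c2:aa:bb:03
Jan 12 09:30:11 server bootpd[221]: DHCP DISCOVER [en0]: 1,0:1e:c2:aa:bb:04
Jan 12 09:30:12 server bootpd[221]: DHCP DISCOVER [en0]: 1,0:1e:c2:aa:bb:05
Jan 12 09:30:12 server bootpd[221]: DHCP DISCOVER [en0]: 1,0:1e:c2:aa:bb:06
Jan 12 09:30:13 server bootpd[221]: DHCP DISCOVER [en0]: 1,0:1e:c2:aa:bb:07
Jan 12 09:30:14 server bootpd[221]: DHCP DISCOVER [en1]: 1,0:1e:c2:aa:bb:08
Jan 12 10:15:00 server kernel[0]: unrelated line that must be ignored
EOF
}

# discover_bursts THRESHOLD WINDOW_SECS < lines
# For each interface, slide a WINDOW_SECS window over its DISCOVER messages
# and print "iface first_timestamp distinct_macs" for the first window that
# holds more than THRESHOLD distinct MACs. Exit 0 if anything was flagged,
# 1 otherwise.
discover_bursts() {
    awk -v thr="$1" -v win="$2" '
        # seconds since the start of the month; enough for a same-month window
        function tosec(d, t,   p) { split(t, p, ":"); return d * 86400 + p[1] * 3600 + p[2] * 60 + p[3] }
        /bootpd\[[0-9]+\]: DHCP DISCOVER \[/ {
            iface = $8; sub(/^\[/, "", iface); sub(/\]:$/, "", iface)
            mac = $9; sub(/^1,/, "", mac)
            n[iface]++; k = n[iface]
            t[iface, k] = tosec($2, $3); ts[iface, k] = $3; m[iface, k] = mac
        }
        END {
            flagged = 0
            for (i in n) {
                for (a = 1; a <= n[i]; a++) {
                    for (x in seen) delete seen[x]
                    c = 0
                    for (b = a; b <= n[i] && t[i, b] - t[i, a] <= win; b++)
                        if (!(m[i, b] in seen)) { seen[m[i, b]] = 1; c++ }
                    if (c > thr) { printf "%s %s %d\n", i, ts[i, a], c; flagged = 1; break }
                }
            }
            exit (flagged ? 0 : 1)
        }'
}
```

On the server, run discover_bursts 20 60 < /var/log/system.log, or feed it from tail -f for a live view; twenty new hardware addresses in a minute on one interface is far above what a normal office segment produces, but tune the threshold to your pool size. DISCOVER messages are routine activity, so they only reach the log at the High level described under Configure log settings for DHCP service; at Low or Medium the check is silent.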

Network infrastructure services ► DHCP ► Monitor DHCP ► View the DHCP client list

The DHCP Clients window gives the following information for each client:

The IP address served to the client

The number of days of lease time left (or the number of hours and minutes, if less than 24 hours)

The DHCP client ID (usually the same as the hardware address)

The computer name

The hardware address

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.


3. From the expanded Servers list, select DHCP.

4. Click Clients.

To sort the list by different criteria, click a column heading.

Network infrastructure services ► DHCP ► Monitor DHCP ► Configure DHCP to use extra LDAP server URLs

The Server Admin application’s DHCP module enables administrators to specify an LDAP server URL for each subnet. To specify multiple LDAP server URLs, edit the /etc/bootpd.plist file or use the serveradmin command-line tool (from a Terminal window).

Edit the /etc/bootpd.plist file to add multiple LDAP server URLs

After you create a subnet using DHCP in Server Admin and specify a single LDAP server URL, you can inspect and modify settings by editing the /etc/bootpd.plist file.

1. Open the /etc/bootpd.plist file in an editor.

2. Locate the <string> tag between the <array> tags of the dhcp_ldap_url key.

<key>dhcp_ldap_url</key>
<array>
    <string>ldap://server.example.com/dc=server,dc=example,dc=com</string>
</array>

3. Add another LDAP server URL by inserting a <string> tag below the existing <string> tag and entering your LDAP server URL between the opening <string> and closing </string> tags.

<key>dhcp_ldap_url</key>
<array>
    <string>ldap://server.example.com/dc=server,dc=example,dc=com</string>
    <string>ldap://server2.example.com/dc=server2,dc=example,dc=com</string>
</array>

4. Save the bootpd.plist file and exit your editor.

5. If DHCP is running, use Terminal to restart DHCP service so it can pick up the revised configuration.

$ sudo serveradmin stop dhcp
$ sudo serveradmin start dhcp

Use serveradmin to add multiple LDAP server URLs

After you create a subnet using Server Admin DHCP and specify an LDAP server URL, you can inspect and modify settings using serveradmin. Do the following.

1. Inspect DHCP subnet settings in Terminal by entering:

$ sudo serveradmin settings dhcp:subnets

Example result (excerpt):

...

dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:0 = "lda…

...

2. Prepare a file with the serveradmin commands to add a second LDAP server URL.

Because the elements of the dhcp_ldap_url array are not individually accessible, you cannot use the serveradmin create/delete idiom; the whole array must be written at once.

Example file contents:


dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:0 = "lda…
dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:1 = "lda…

Note: Array indexes start with 0. The old URL entry must be present even though you are adding a second one. The entries must be in order.

3. Use the serveradmin tool to apply the settings from the file by entering:

$ sudo serveradmin settings < filename

Example result (the settings are confirmed):

dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:0 = "lda…
dhcp:subnets:_array_id:498D8E6D-88A8-4048-8B3C-14D96F317447:dhcp_ldap_url:_array_index:1 = "lda…

4. If DHCP is running, restart DHCP service so it can pick up the revised configuration by entering:

$ sudo serveradmin stop dhcp
$ sudo serveradmin start dhcp
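As an added example (not Apple's code), the two procedures above carried out from one script: it appends extra LDAP URLs to a subnet's dhcp_ldap_url array in a bootpd.plist and renders that array as the serveradmin settings lines to redirect into sudo serveradmin settings. The sample plist is constructed; the dhcp_ldap_url key and the _array_id line format come from the manual, while the Subnets array and uuid key used to locate the subnet are assumptions of this example.

```python
import plistlib

# Constructed sample of /etc/bootpd.plist. Only the dhcp_ldap_url key is
# documented above; the Subnets array and uuid key are assumed by this example.
SAMPLE_BOOTPD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Subnets</key>
    <array>
        <dict>
            <key>name</key>
            <string>192.168.1</string>
            <key>uuid</key>
            <string>498D8E6D-88A8-4048-8B3C-14D96F317447</string>
            <key>dhcp_ldap_url</key>
            <array>
                <string>ldap://server.example.com/dc=server,dc=example,dc=com</string>
            </array>
        </dict>
    </array>
</dict>
</plist>
"""

SUBNET_UUID = "498D8E6D-88A8-4048-8B3C-14D96F317447"  # the _array_id shown in the manual


def _find_subnet(data, subnet_uuid):
    """Return the subnet dict whose uuid matches (layout assumed, see above)."""
    for subnet in data.get("Subnets", []):
        if subnet.get("uuid") == subnet_uuid:
            return subnet
    raise KeyError("no subnet with uuid %s" % subnet_uuid)


def add_ldap_urls(plist_bytes, subnet_uuid, new_urls):
    """Append LDAP server URLs to the subnet's dhcp_ldap_url array.

    Existing entries keep their position (the array order matters to bootpd and
    to serveradmin) and duplicates are skipped. Returns the new plist bytes.
    """
    data = plistlib.loads(plist_bytes)
    urls = _find_subnet(data, subnet_uuid).setdefault("dhcp_ldap_url", [])
    for url in new_urls:
        if not url.startswith(("ldap://", "ldaps://")):
            raise ValueError("not an LDAP URL: %r" % url)
        if url not in urls:
            urls.append(url)
    return plistlib.dumps(data)


def serveradmin_settings(plist_bytes, subnet_uuid):
    """Render the subnet's dhcp_ldap_url array as input for 'serveradmin settings'.

    Because array elements are not individually addressable, every entry is
    emitted, starting at index 0 and in order, as the manual requires.
    """
    data = plistlib.loads(plist_bytes)
    urls = _find_subnet(data, subnet_uuid).get("dhcp_ldap_url", [])
    prefix = "dhcp:subnets:_array_id:%s:dhcp_ldap_url:_array_index:" % subnet_uuid
    return "".join('%s%d = "%s"\n' % (prefix, i, url) for i, url in enumerate(urls))


if __name__ == "__main__":
    updated = add_ldap_urls(
        SAMPLE_BOOTPD_PLIST, SUBNET_UUID,
        ["ldap://server2.example.com/dc=server2,dc=example,dc=com"])
    # Save this output to a file and apply it with: sudo serveradmin settings < filename
    print(serveradmin_settings(updated, SUBNET_UUID), end="")
```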

DHCP service for Mac OS X clients using DHCP with a manual address

The DHCP section of Server Admin permits each subnet address range to be enabled or disabled. When the subnet is enabled, the DHCP server allocates addresses in its range and dispenses other network information to clients that are configured as Using DHCP.

When the subnet is disabled, the DHCP server does not allocate addresses from the subnet address range pool, but it does dispense other network information (such as DNS and LDAP server addresses) to clients that are configured as “Using DHCP with manual address” (static maps), as long as the client address is in the subnet range.

Disabling the subnet therefore turns off automatic address allocation for the address range, but it does not disable DHCP server responses to a client whose address is in the subnet range.

Configure DHCP on clients

You can configure clients to use DHCP to obtain IP addresses.

1. Choose Apple > System Preferences and then click Network.

2. From the Services list, select the network connection service for your account (such as Built-in Ethernet).

3. From the Configure pop-up menu, select Using DHCP.

Configure a static IP address on a client

You can configure clients to use static IP addresses.

1. Choose Apple > System Preferences and then click Network.

2. From the Services list, select the network connection service for your account (such as Built-in Ethernet).

3. From the Configure pop-up menu, choose one of the following methods:

Manually: enter the IP address, subnet mask, router, and DNS information in the relevant fields.

Using DHCP with manual address: enter the IP address and DNS information in the relevant fields.


If your DHCP server is using static mapping, configure client computers to use DHCP. When your client computers connect to your network they will always obtain the same IP address. The static mapping uses the MAC address of the client computer to determine the IP address the client is assigned.

More DHCP information

Request for Comments (RFC) documents provide an overview of a protocol or service and explain how the protocol should behave.

If you’re a novice server administrator, you’ll probably find the background information in an RFC helpful. If you’re an experienced server administrator, you can find technical details about a protocol in its RFC document.

You can search for RFC documents by number at www.ietf.org/rfc.html. For details about DHCP, see RFC 2131.

For more information about advanced configuration options, see the bootpd man page.

About RADIUS

Wireless networking gives companies greater network flexibility, seamlessly connecting laptop users to the network and giving them the freedom to move within the company while staying connected to the network.

You use RADIUS to authorize Open Directory users and groups so they can access AirPort Base Stations on a network. By configuring RADIUS and Open Directory you can control who has access to your wireless network.

RADIUS works with Open Directory and Password Server to grant authorized users access to the network through an AirPort Base Station. When a user attempts to access an AirPort Base Station, AirPort communicates with the RADIUS server using Extensible Authentication Protocol (EAP) to authenticate and authorize the user.

Users are given access to the network if their user credentials are valid and they are authorized to use the AirPort Base Station. If a user is not authorized, he or she cannot access the network through the AirPort Base Station.

RADIUS setup overview

The following steps outline the tasks to configure and set up RADIUS service.

Turn RADIUS on
Before you can configure the service, turn RADIUS on. See Enable RADIUS.

Add AirPort Base Stations to a RADIUS server
Decide which AirPort Base Stations to add to the RADIUS server. See Add AirPort Base Stations to a RADIUS server.

Remotely configure an AirPort Base Station
Use Server Admin to configure AirPort Base Stations. See Remotely configure AirPort Base Stations.

Configure RADIUS to use certificates
Use Server Admin to configure RADIUS to use certificates to trust Base Stations. See Configure RADIUS to use certificates.

Start RADIUS
To start RADIUS, see Start or stop RADIUS.

Enable RADIUS


Before you can configure RADIUS settings, turn on RADIUS service in Server Admin.

1. Open Server Admin and connect to the server.

2. Click Settings, then click Services.

3. Select the RADIUS checkbox.

4. Click Save.

Use the configuration assistant to configure RADIUS

You can use the RADIUS configuration assistant to configure RADIUS. The configuration assistant guides you through the RADIUS configuration process and lets you start RADIUS.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Overview.

5. Click Configure RADIUS Service.

6. In the RADIUS Server Certificate pane, select one of the following:

If you select “Choose an existing certificate,” choose the certificate from the pop-up menu and click Continue.

If you want to create a self-signed certificate, use Certificate Assistant. For more information, see Server Admin Help.

7. From the Available Base Stations list, select the Base Station you want and click Add.

8. Enter the password of the Base Station in the Base Station Password field, then click Add.

To remove a Base Station from the Selected Base Stations list, select it and click Remove.

9. Click Continue.

10. In the RADIUS Allow Users pane, you can restrict user access:

If you select “Allow all users,” all users have access to the Base Stations you select.

If you select “Restrict to members of group,” only users in that group can access the Base Stations you select.

11. Click Continue.

12. In the RADIUS setting confirmation pane, verify your settings.

You can also print or save your RADIUS configuration settings.

13. Click Confirm.

Use radiusconfig to configure RADIUS

You can use radiusconfig to configure RADIUS.

To view RADIUS settings:

$ sudo radiusconfig -appleversion -getconfig -getconfigxml -nascount -naslist -naslistxml -ver -…

To configure RADIUS parameters:

$ sudo radiusconfig -setconfig key value [key value ...]


Parameter   Description
key         The name of the key to configure in the radiusd.conf or eap.conf files.
value       The value of the key.

For information about RADIUS server settings, see RADIUS command-line settings. For information about radiusconfig, see its man page.

Add AirPort Base Stations to a RADIUS server

You use the Base Stations pane of RADIUS in Server Admin to add AirPort Base Stations that will use RADIUS service. You can add up to 64 Base Stations to RADIUS.

1. On the management computer, open Server Admin.

2. Click the triangle at the left of the server.

The list of services appears.

3. In the expanded Servers list, click RADIUS.

4. Click Base Stations.

5. Below the AirPort Base Stations list, click the Add button (+).

6. Enter the following AirPort Base Station information:

Name: Specify the name of the AirPort Base Station.

Type: Specify the model of the AirPort Base Station.

IP Address: Specify the IP address of the AirPort Base Station.

Shared Secret and Verify: Specify a shared secret. The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that key management systems use to trust each other. You must enter the shared secret on the server as well as on the client.

7. Click Add.

Add Bonjour-enabled AirPort Base Stations to a RADIUS server

If your network has AirPort Base Stations that announce themselves using Bonjour, use the Base Stations pane of RADIUS in Server Admin to add them to your RADIUS server. You can add up to 64 Base Stations to RADIUS.

1. On the management computer, open Server Admin.

2. Click the triangle at the left of the server.

The list of services appears.

3. In the expanded Servers list, click RADIUS.

4. Click Base Stations.

5. Below the AirPort Base Stations list, click Browse.

A list of AirPort Base Stations found through Bonjour appears. It shows all AirPort Base Stations on the server's local subnet and all Wide-Area Bonjour domains known to the server. This includes search domains listed in Network Preferences that have AirPort Base Stations and AirPort Base Stations you added to a MobileMe account as a Back to My Mac (BTMM) enabled server.

6. From the list of AirPort Base Stations, choose an AirPort Base Station to add to your RADIUS server.


7. In the “Base station password” field, enter the password for the AirPort Base Station.

8. Click Add.

When the base station is added, it is configured to use WPA2 Enterprise for client authentication through TTLS. It also sets a random shared secret for communication between the Base Station and RADIUS on the server.

The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that key management systems use to trust each other.

Remotely configure AirPort Base Stations

You can remotely configure AirPort Base Stations to use a RADIUS server in Server Admin.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Base Stations.

5. In the AirPort Base Stations list, highlight the AirPort Base Station and then click Edit.

If prompted, enter the AirPort administrator password.

6. Click OK.

Configure RADIUS to use certificates

You can use Server Admin to configure RADIUS to use custom certificates. Using a certificate increases the security and manageability of AirPort Base Stations.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Settings.

5. From the RADIUS Certificate pop-up menu, choose a certificate.

If you don’t have a certificate and want to create one, click Manage Certificates. For more information about creating certificates, see Server Admin Help.

6. Click Save.

Use radiusconfig to configure RADIUS certificates

You can use radiusconfig to import certificates for RADIUS.

To configure RADIUS certificates:

$ sudo radiusconfig -installcerts private-key certificate [trusted-ca-list [yes | no [common-name…


Parameter         Description
private-key       The file path to the client’s private key to use in the certificate
certificate       The file path to the certificate
trusted-ca-list   The file path to the trusted CA list
yes               A request to check a certificate revocation list
no                A request to not check a certificate revocation list
common-name       The common name

This command changes eap.conf to contain an active TLS section and configures the certificates. This command also replaces the random file and creates the dh file if absent.

For information about radiusconfig, see its man page.

Archive RADIUS service logs

RADIUS service creates entries in the system log for error and alert messages. You can archive these log entries.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Settings.

5. Select the “Archive radiusd log for the past __ days” checkbox and enter the number of days to archive.

6. Click Save.

Use radiusconfig to archive service logs

You can use radiusconfig to archive RADIUS service logs.

To configure the rotation of RADIUS service logs:

$ sudo radiusconfig -rotatelog [-n file-count] base-file

To configure the automatic rotation of RADIUS service logs:

$ sudo radiusconfig -autorotatelog [on | off] [-n file-count]

Parameter    Description
file-count   Specifies the number of log files to preserve.
base-file    Specifies the name of the log file.
on           Enables automatic log rotation.
off          Disables automatic log rotation.


For information about radiusconfig, see its man page.

Start or stop RADIUS

You use Server Admin to start or stop RADIUS. When you stop RADIUS, make sure no users are connected to AirPort Base Stations your RADIUS server manages.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Below the Servers list, click Start RADIUS or Stop RADIUS.

The service can take a few seconds to start or stop.

Use radiusconfig to start or stop RADIUS

You can use radiusconfig to stop or start RADIUS.

To start the RADIUS server:

$ sudo radiusconfig -start

To stop the RADIUS server:

$ sudo radiusconfig -stop

For information about radiusconfig, see its man page.

RADIUS command-line settings

To change settings for RADIUS, use the following parameters with the radiusconfig tool.

Command option   Description
-appleversion    Displays the version of the tool, including the build version.
-getconfig       Displays configuration data stored in the radiusd.conf and eap.conf files in an abbreviated, user-friendly format.
-getconfigxml    Displays configuration data stored in the radiusd.conf and eap.conf files in xml plist format.
-nascount        Displays the number of RADIUS clients.
-naslist         Displays the list of RADIUS clients formatted for the clients.conf file.
-naslistxml      Displays the list of RADIUS clients in xml plist format.
-ver             Displays a specific build version.
-help            Displays usage information.


-q               Suppresses prompts.

Enable or disable Transport Layer Security (TLS)

You can enable or disable Transport Layer Security (TLS) by modifying the TLS section of the eap.conf file.

To enable TLS:

$ sudo radiusconfig -enable-tls

To disable TLS:

$ sudo radiusconfig -disable-tls

Check RADIUS status

You can use Server Admin to check the status of RADIUS.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Overview to see whether the service is running, the number of client base stations, and when it was started.

View RADIUS logs

RADIUS creates entries in the system log for error and alert messages. You can filter the log to narrow the number of viewable log entries and make it easier to find an entry.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Logs.

5. Choose a log to view (radiusconfig or radiusd).

Edit RADIUS access

You can restrict access to RADIUS by creating a group of users and adding them to the service access control list (SACL) of RADIUS.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.


The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Settings, then click Edit Allowed Users.

5. Select “For selected services below,” then select RADIUS.

6. Click Services.

7. Select “Allow only users and groups below.”

8. Click the Add button (+).

9. From the Users & Groups window, drag users or groups to the “Allow only users and groups below” list.

If you don’t see a recently created user, click the Refresh button (below the Servers list).

If you want to remove users from the “Allow only users and groups below” list, select the users or user groups and click the Delete button (–).

Only users in the list can use RADIUS service.

Delete AirPort Base Stations

You can use Server Admin to delete AirPort Base Stations from the RADIUS server.

When you delete AirPort Base Stations, make sure the stations are disconnected from the network. Otherwise, unauthorized users might access your network.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Base Stations.

5. In the AirPort Base Station list, highlight a Base Station and click Remove.

6. Verify you want to remove the Base Station by clicking Remove again.

Edit an AirPort Base Station record

You can use Server Admin to edit an AirPort Base Station record on your RADIUS server.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Base Stations.

5. In the AirPort Base Station list, highlight the Base Station to modify and click the Edit button.

6. Modify the Base Station information and click Save.

Save an AirPort Base Station Internet connect file


You can use Server Admin to save an AirPort Base Station internet connect file.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Base Stations.

5. In the AirPort Base Station list, highlight the base station.

6. Click Save Internet Connect File.

7. In the Save As field, enter the name.

8. From the Where pop-up menu, choose the location to save the file.

9. In the Wireless Network Name (SSID) field, enter the wireless network name.

10. Click Save.

Use radiusconfig to manage RADIUS clients

Use the radiusconfig tool to add, import, remove, and configure RADIUS clients.

To add RADIUS clients:

$ sudo radiusconfig -addclient nas-name shortname [type]

To import RADIUS clients:

$ sudo radiusconfig -importclients xml-plist-file

To remove RADIUS clients:

$ sudo radiusconfig -removeclient nas-name [nas-name ...]

To assign an access control group to a client of the RADIUS service:

$ sudo radiusconfig -setgroup nas-name group-name

Parameter        Description
nas-name         The name of the client
shortname        The short name of the client
type             (Optional) The type of the client
xml-plist-file   The name of the file, including the path, to import clients from
group-name       The name of the access control group

For information about radiusconfig, see its man page.

Key-based SSH login


SSH is a network protocol that establishes a secure channel between your computer and a remote computer. It uses public-key cryptography to authenticate the remote computer. It also provides encryption and data integrity for the traffic exchanged between computers. Key-based authentication is helpful for such tasks as automating file transfers and backups and for creating failover scripts, because it allows computers to communicate without a user needing to enter a password.

Important: Key-based authentication has risks. If the private key you generate becomes compromised, unauthorized users can access your computers. You must determine whether the advantages of key-based authentication are worth the risks.

SSH is frequently used to log in to a remote machine to execute commands, but you can also use it to create a secure data tunnel, forwarding through an arbitrary TCP port. You can also use SSH to transfer files using SFTP and SCP. By default, an SSH server uses the standard TCP port 22.

Lion Server uses OpenSSH as the basis for its SSH tools. Notably, portable home directory synchronization and Open Directory replication are provided via SSH.

Generate a key pair for SSH authentication

This is the process of setting up key-based SSH login authentication on Lion Server.

To set up key-based SSH, you must generate the keys the two computers will use to establish and validate the identity of each other.

This doesn’t authorize all users of the computer to have SSH access. Keys must be generated for each user account. To do this, you must run the following commands in Terminal.

The process must be repeated for each user that needs to open key-based SSH sessions.

Important: Key-based authentication has risks. If the private key you generate becomes compromised, unauthorized users can access your computers. You must determine whether the advantages of key-based authentication are worth the risks.

1. Verify that an .ssh folder exists in your home folder by entering the command: ls -ld ~/.ssh

If .ssh is listed in the output, move to step 2. If .ssh is not listed in the output, run mkdir -m 700 ~/.ssh and continue to step 2.

2. Change directories in the shell to the hidden .ssh directory by entering the following command: cd ~/.ssh

3. Generate the public and private keys by entering the following command: ssh-keygen -b 1024 -t rsa -f id_rsa -P ''

The -b flag sets the length of the keys to 1,024 bits, -t selects the RSA key type, -f sets the file name as id_rsa, and -P followed by two single-quote marks sets the private key password to empty. The empty private key password allows for automated SSH connections.

Keys are equivalent to passwords, so keep them private and protected.

4. Copy the public key into the authorized key file by entering the following command: cat id_rsa.pub >> authorized_keys2

5. Set the permissions on the private key so the file can only be read or changed by the owner: chmod go-rwx ~/.ssh/id_rsa

6. Copy the public key and the authorized key lists to the specified user’s home folder on the remote computer by entering the following command: scp authorized_keys2 username@remotemachine:~/.ssh/

To establish two-way communication between servers, repeat this process on the second computer.
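One check to run over the authorized_keys file these steps produce, as an added example that is not part of the manual: it parses each line (options, key type, base64 key blob, comment), reads the key size out of the blob, and flags malformed lines and RSA keys shorter than 2048 bits (the 1,024-bit keys the ssh-keygen command above creates are below current guidance). The sample file, its made-up RSA moduli, and the names KEY_TYPES and MIN_RSA_BITS are this example's own constructions.

```python
import base64
import binascii
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
MIN_RSA_BITS = 2048  # policy threshold chosen for this example


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, pos):
    """Decode one SSH wire-format string at pos; returns (bytes, next_pos)."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end


def encode_rsa_public_key(e, n):
    """Build the base64 blob of an ssh-rsa public key (only used to construct sample input)."""
    def mpint(x):  # big-endian with a spare leading byte so the sign bit stays clear
        return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    return base64.b64encode(_ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)).decode()


def key_bits(key_type, blob):
    """Key size in bits: RSA/DSA modulus length, fixed sizes for the other types."""
    _, pos = _read_string(blob, 0)  # embedded type name, already checked by the caller
    if key_type in ("ssh-rsa", "ssh-dss"):
        if key_type == "ssh-rsa":
            _, pos = _read_string(blob, pos)  # public exponent e precedes the modulus
        modulus, _ = _read_string(blob, pos)
        return int.from_bytes(modulus, "big").bit_length()
    if key_type == "ssh-ed25519":
        return 256
    return int(key_type[-3:])  # ecdsa-sha2-nistpNNN


def parse_authorized_keys(text):
    """Parse authorized_keys lines into dicts; malformed lines get an 'error' field."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = {"line": lineno, "type": None, "bits": None, "options": "",
                 "comment": "", "weak": False, "error": None}
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        try:
            if idx is None or idx + 1 >= len(tokens):
                raise ValueError("no recognised key type or key data")
            # Anything before the type is the options field (from=, command=, no-pty, ...).
            entry["options"] = " ".join(tokens[:idx])
            entry["type"] = tokens[idx]
            entry["comment"] = " ".join(tokens[idx + 2:])
            blob = base64.b64decode(tokens[idx + 1], validate=True)
            embedded, _ = _read_string(blob, 0)
            if embedded.decode("ascii", "replace") != entry["type"]:
                raise ValueError("key type inside blob does not match the line")
            entry["bits"] = key_bits(entry["type"], blob)
            entry["weak"] = entry["type"] == "ssh-dss" or (
                entry["type"] == "ssh-rsa" and entry["bits"] < MIN_RSA_BITS)
        except (ValueError, binascii.Error, struct.error) as exc:
            entry["error"] = str(exc)
        entries.append(entry)
    return entries


# Constructed sample file: the moduli are made-up numbers, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys copied by scp into ~/.ssh/ on the remote computer",
    "ssh-rsa " + encode_rsa_public_key(65537, 2 ** 1023 + 12345) + " admin@exampleserver1.example.com",
    'from="192.168.1.0/24",no-pty ssh-rsa ' + encode_rsa_public_key(65537, 2 ** 2047 + 1) + " backup",
    "ssh-rsa not-a-key!! broken",
])

if __name__ == "__main__":
    for entry in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(entry)
```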

Key-based SSH with scripting sample

A cluster of servers is an ideal environment for using key-based SSH.


The following Perl script is a trivial scripting example that should not be implemented, but it demonstrates connecting over an SSH tunnel to servers defined in the variable serverList, running softwareupdate, installing available updates, and restarting the computer if necessary.

The script assumes that key-based SSH was set up for an “admin” user on all servers to be updated.

#!/usr/bin/perl
use strict;
use warnings;

# In a double-quoted string, \@ is the escape sequence for the "@" symbol.
my @serverList = ("admin\@exampleserver1.example.com",
                  "admin\@exampleserver2.example.com");

foreach my $server (@serverList) {
    # batchmode=yes makes ssh fail instead of prompting for a password, so this
    # only works with key-based authentication; -x disables X11 forwarding.
    open(my $sbuff, "-|", "ssh $server -x -o batchmode=yes 'softwareupdate -i -a'")
        or die "cannot run ssh to $server: $!";
    my $flag = 0;   # declared outside the read loop so the result survives it
    my $match = "Please restart immediately";
    while (my $line = <$sbuff>) {
        chomp($line);
        # check for the restart text in the softwareupdate output
        $flag = 1 if $line =~ /$match/;
    }
    close($sbuff);
    if ($flag == 1) {
        # system() runs the restart command on the remote server
        system("ssh $server -x -o batchmode=yes shutdown -r now");
    }
}

About DNS service

When users want to connect to a network resource such as a web or file server, they typically request it by domain name (such as www.example.com) rather than by IP address (such as 192.168.12.12). The Domain Name System (DNS) is a distributed database that maps IP addresses to domain names so users can find the resources by name rather than numerical address.

A DNS server keeps a list of domain names and the IP addresses associated with each name. When a computer needs to find the IP address for a name, it sends a message to the DNS server, which is also known as a name server.

The name server looks up the IP address and sends it back to the computer. If the name server doesn’t have the IP address locally, it sends messages to other name servers on the Internet until the IP address is found.

Setting up and maintaining a DNS server is a complex process. Therefore, many administrators rely on their Internet Service Provider (ISP) for DNS service. In this case, you only need to configure your network preferences with the IP address of the name server, which is provided by your ISP.

If you don’t have an ISP to handle DNS requests for your network and any of the following are true, you must set up your own DNS service:

You can’t use DNS from your ISP or other source.

You plan on making frequent changes to the name space and want to maintain it yourself.

You have a mail server on your network and you have difficulties coordinating with the ISP that maintains your domain.

You have security concerns because your network’s computer names and addresses are accessible to an outside organization (your ISP).

Lion Server uses Berkeley Internet Name Domain (BIND) v9.4.1 for its implementation of DNS protocols. BIND is an open-source implementation and is used by most name servers on the Internet.


DNS zones

Zones are the basic organizational unit of DNS. Zones contain records and are defined by how they acquire those records and how they respond to DNS requests.

There are three basic zones:

Primary

Secondary

Forward

Other kinds of zones are not covered here.

Primary zones

A primary zone has the master copy of the zone’s records and provides authoritative answers to lookup requests.

Secondary zones

A secondary zone is a copy of a primary zone and is stored on a secondary name server. It has the following characteristics:

Each secondary zone has a list of primary servers that it contacts for updates to records in the primary zone. Secondaries must be configured to request the copy of the primary zone data.

Secondary zones use zone transfers to get copies of the primary zone data.

Secondary name servers can take lookup requests like primary servers.

By using several secondary zones linked to one primary, you can distribute DNS query loads across several computers and make sure lookup requests are answered if the primary name server is down.

Secondary zones also have a refresh interval. This interval determines how often the secondary zone checks for changes from the primary zone. You can change the zone refresh interval by using the BIND configuration file. For more information, see www.isc.org/sw/bind.

Forward zones

A forward zone directs lookup requests for that zone to other DNS servers. Forward zones don’t perform zone transfers.

Often, forward zone servers are used to provide DNS service to a private network behind a firewall. In this case, the DNS server must have access to the Internet and a DNS server outside the firewall.

Forward zones also cache responses to queries they pass on. This can improve the performance of lookups by clients that use the forward zone.

Server Admin does not support creation or modification of a forward zone. To create a forward zone, you must configure BIND manually at the command line. For details, see the BIND documentation.

DNS machine records

Each zone contains a number of records. These records are requested when a computer translates a domain name (like www.example.com) to an IP number. Web browsers, mail clients, and other network applications rely on zone records to contact the correct server.

Primary zone records are queried by others across the Internet so they can connect to your network services.

Several types of DNS records are available for configuration by Server Admin:

DNS record Description

Address (A) Stores the IP address associated with a domain name.

Canonical Name (CNAME) Stores an al ias in connection with the real name of a server. Forexample, mail .apple.com might be an al ias for a computer with a real

DNS zones

DNS machine records

Page 74: Lion Server_ Advanced Administration

canonical name of MailSrv473.apple.com.

Mail Exchanger (MX) Stores the domain name of the computer used for mail in a zone.

Name Server (NS) Stores the authoritative name server for a zone.

Pointer (PTR) Stores the domain name of an IP address (reverse lookup).

Text (TXT) Stores a text string as a response to a DNS query.

Service (SRV) Stores information about the services a computer provides.

Hardware Info (HINFO) Stores information about a computer’s hardware and software.

Lion Server simplifies the creation of these records by focusing on the computer being added to the zone, rather than the records. When you add a computer record to a zone, Lion Server creates the zone records that resolve to a computer address. With this model, you can focus on what your computers do in your domain, rather than which record types apply to their functions.

If you need access to other kinds of records, you must edit the BIND configuration files manually. For details, see www.isc.org/sw/bind.

Bonjour and link-local addressing

With Bonjour, you can share nearly anything, including files, media, printers, and other devices, in innovative and easier ways. It simplifies traditional network-based activities like file sharing and printing by providing dynamic discoverability of file servers and Bonjour-enabled network printers.

Bonjour begins by simplifying the otherwise complex process of configuring devices for a network. To communicate with other devices using IP, a device needs special information like an IP address, a subnet mask, DNS addresses, a DNS name, and preconfigured search paths. Understanding these cryptic details and performing the subsequent configuration can be daunting for the average user.

When a new computer or device is added to a network without a means of autoconfiguration, such as a DHCP server, Bonjour configures the device using a technique called link-local addressing. (If a DHCP server is available, Bonjour uses the assigned IP address.)

With link-local addressing, the computer randomly selects an IP address from a defined range of addresses set aside by the Internet Assigned Numbers Authority (IANA) for link-local addressing and assigns that address to itself. Addresses are in the range 169.254.xxx.xxx.

The device then sends a message over the network to determine whether another device is using the address. If the address is in use, the device randomly selects addresses until it finds one that is available. When the device has assigned itself an IP address, it can send and receive IP traffic on the network.
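The select-probe-retry loop just described, as an added example in Python (not Apple's code or part of Bonjour). The set of addresses already in use stands in for the replies a real host would get to its probe; the candidate range 169.254.1.0 through 169.254.254.255 follows RFC 3927, which reserves the first and last /24 of the 169.254.xxx.xxx block (an assumption about the range the text describes, not something the page states). The scripted random source exists only so the retry path can be exercised deterministically.

```python
"""Simulate link-local self-assignment with conflict probing (added example)."""
import ipaddress
import random

# Usable candidates per RFC 3927: 169.254.1.0 .. 169.254.254.255 (assumption).
FIRST = int(ipaddress.ip_address("169.254.1.0"))
LAST = int(ipaddress.ip_address("169.254.254.255"))


def is_usable_link_local(addr):
    """True for addresses a host may self-assign (the reserved /24s are excluded)."""
    a = ipaddress.ip_address(addr)
    return a.version == 4 and FIRST <= int(a) <= LAST


def select_link_local(in_use, rng=None, max_attempts=10):
    """Pick a random candidate, 'probe' it against in_use, and retry on conflict.

    Returns (address, attempts), or (None, max_attempts) if every try collided.
    `in_use` is the constructed stand-in for hosts that would answer the probe.
    """
    rng = rng or random.Random()
    taken = {ipaddress.ip_address(a) for a in in_use}
    for attempt in range(1, max_attempts + 1):
        candidate = ipaddress.ip_address(rng.randint(FIRST, LAST))
        if candidate not in taken:          # nobody answered the probe: keep it
            return candidate, attempt
    return None, max_attempts


class ScriptedRng:
    """Deterministic stand-in for random.Random, used to exercise the retry path."""

    def __init__(self, values):
        self._values = list(values)

    def randint(self, low, high):
        value = self._values.pop(0)
        assert low <= value <= high
        return value


if __name__ == "__main__":
    print(select_link_local(["169.254.1.1"], ScriptedRng([FIRST + 1, FIRST + 2])))
```

With the scripted source the first candidate (169.254.1.1) collides with the constructed in-use list and the second attempt succeeds, which is the behaviour the paragraph describes.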

Mac OS X Server v10.5 or later supports Wide-Area Bonjour browsing that allows computers and devices that support Bonjour to communicate across LANs, subnets, and the Internet.

Before you set up DNS service

Because the issues involved with DNS administration are complex and numerous, do not set up DNS service on your network unless you’re an experienced DNS administrator.

A good source of information about DNS is DNS and BIND, 5th edition, by Paul Albitz and Cricket Liu (O’Reilly and Associates, 2006).

Note: Apple can help you locate a network consultant to implement DNS service. You can contact Apple Professional Services and Apple Consultants Network on the web at consultants.apple.com.

Consider creating a mail alias, such as “hostmaster,” that receives mail and delivers it to the person that runs the DNS server at your site. This permits users and other DNS administrators to contact you regarding DNS problems.

Set up at least one primary and one secondary name server. That way, if the primary name server shuts down, the secondary name server can continue to provide service. A secondary server gets its information from the primary server by periodically copying all domain information from the primary server.


After a name server is provided with the name/address pair of a host in another domain (outside the domain it serves), the information is cached, ensuring that IP addresses for recently resolved names are stored for later use.

DNS information is usually cached on your name server for a set time, referred to as a time-to-live (TTL) value. When the TTL value for a domain name/IP address pair has expired, the entry is deleted from the name server’s cache and your server requests the information as needed.

Overview of DNS setup

If you’re using an external DNS name server and you entered its IP address in the Gateway Setup Assistant, you don’t need to do anything else. If you’re setting up your own DNS server, you must do the following.

Register your domain name

Domain name registration is managed by IANA. IANA registration makes sure that domain names are unique across the Internet. (For more information, see http://www.iana.org.)

If you don’t register your domain name, your network can’t communicate over the Internet.

After you register a domain name, you can create subdomains as long as you set up a DNS server on your network to track thesubdomain names and IP addresses.

For example, if you register the domain name example.com, you could create subdomains such as host1.example.com, mail.example.com, or www.example.com. A server in a subdomain could be named primary.www.example.com or backup.www.example.com.

The DNS server for example.com tracks information for its subdomains, such as host (computer) names, static IP addresses, aliases, and mail exchangers.

If your ISP handles your DNS service, you must inform them of changes you make to your domain name, including added subdomains.

The range of IP addresses used with a domain must be clearly defined before setup. These addresses are used exclusively for one specific domain, never by another domain or subdomain. Coordinate the range of addresses with your network administrator or ISP.

Learn and plan

If you’re new to DNS, learn and understand DNS concepts, tools, and features of Lion Server and BIND. See Find more DNS information.

When you’re ready, plan your DNS service. Consider the following questions:

Do you need a local DNS server? Does your ISP provide DNS service? Can you use multicast DNS names instead?

How many servers do you need? How many additional servers do you need for backup DNS purposes? For example, should you designate a second or third computer for DNS service backup?

What is your security strategy to deal with unauthorized use?

How often should you schedule periodic inspections or tests of DNS records to verify data integrity?

How many services or devices (such as intranet websites or network printers) need a name?

There are two ways to configure DNS service on a Mac server:

Use Server Admin. This is the recommended method.

Edit the BIND configuration file. BIND is the set of programs used by Lion Server that implements DNS. One of those programs is the name daemon, or named. To set up and configure BIND, you must change the configuration file and the zone file. The configuration file is /etc/named.conf.

The zone file name is based on the name of the zone. For example, the zone file for example.com is /var/named/example.com.zone.

If you edit named.conf to configure BIND, don’t change the inet settings of the controls statement. Otherwise, Server Admin can’t retrieve status information for DNS.

The inet settings should look like this:

    controls {
        inet 127.0.0.1 port 54 allow { any; } keys { "rndc-key"; };
    };

Important: In Mac OS X Server v10.6 or later, the configuration and zone files used by Server Admin have changed. If you edit named.conf and zone files manually from Terminal, the information is used by DNS. However, the information does not appear in the DNS zones pane of Server Admin. Also, changes made in Server Admin are not made to named.conf.
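A way to catch drift in the controls statement after hand edits, as an added example (not Apple's or ISC's code): the Python below brace-matches the controls block of a named.conf text, extracts the inet address, port, allow list and key names, and reports anything that differs from what the text says Server Admin expects (127.0.0.1, port 54, rndc-key). Both named.conf fragments are constructed; the drifted one moves the control channel off loopback and drops the key, which is the kind of change that both breaks Server Admin status and exposes the rndc channel beyond the local host.

```python
"""Verify named.conf keeps the controls statement Server Admin expects (added example)."""
import re

# Constructed fragment matching the expected settings (standard BIND 9 syntax).
GOOD_CONF = """\
options {
    directory "/var/named";
};
controls {
    inet 127.0.0.1 port 54 allow { any; } keys { "rndc-key"; };
};
"""

# Constructed drift: control channel on every interface, key clause removed.
DRIFTED_CONF = """\
controls {
    // hand-edited
    inet * port 953 allow { any; };
};
"""

EXPECTED = {"address": "127.0.0.1", "port": 54, "key": "rndc-key"}

_INET = re.compile(
    r"inet\s+(?P<addr>\S+)\s+port\s+(?P<port>\d+)\s+allow\s*\{(?P<allow>[^}]*)\}"
    r"(?:\s*keys\s*\{(?P<keys>[^}]*)\})?")


def _strip_comments(text):
    """Drop // and # comments line by line (block comments are not handled)."""
    return "\n".join(re.split(r"//|#", line, maxsplit=1)[0]
                     for line in text.splitlines())


def _block(text, keyword):
    """Return the body of the top-level `keyword { ... }` statement, brace-matched."""
    m = re.search(r"\b" + keyword + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None


def parse_controls(conf_text):
    """Extract the inet control channel settings, or None if there is none."""
    body = _block(_strip_comments(conf_text), "controls")
    if body is None:
        return None
    m = _INET.search(body)
    if not m:
        return None
    return {
        "address": m["addr"],
        "port": int(m["port"]),
        "allow": [a.strip() for a in m["allow"].split(";") if a.strip()],
        "keys": re.findall(r"[\w.-]+", m["keys"] or ""),
    }


def check_controls(conf_text, expected=EXPECTED):
    """Return findings; an empty list means Server Admin can still reach named."""
    c = parse_controls(conf_text)
    if c is None:
        return ["no inet controls statement found"]
    findings = []
    if c["address"] != expected["address"]:
        findings.append(f"inet address is {c['address']}, Server Admin expects {expected['address']}")
    if c["address"] not in ("127.0.0.1", "::1"):
        findings.append("control channel is reachable beyond loopback")
    if c["port"] != expected["port"]:
        findings.append(f"port is {c['port']}, Server Admin expects {expected['port']}")
    if expected["key"] not in c["keys"]:
        findings.append(f"key {expected['key']!r} is missing from the keys clause")
    return findings


if __name__ == "__main__":
    print("good:", check_controls(GOOD_CONF))
    print("drifted:", check_controls(DRIFTED_CONF))
```

Run it against the live /etc/named.conf by reading the file into `check_controls`; an empty result means the inet settings still match the block shown above.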

Turn DNS service on

Before configuring DNS service, turn on DNS. See Turn on DNS service.

Create a DNS zone and add machine records

Use Server Admin to set up DNS zones. See Configure DNS service primary zone settings. After adding a primary zone, Server Admin creates a name server record with the same name as the Source of Authority (SOA).

For each zone you create, Mac OS X Server creates a reverse lookup zone. Reverse lookup zones translate IP addresses to domain names. (Compare with normal lookups, which translate domain names to IP addresses.)

Use Server Admin to add records to your zone. Create an Address record for every computer or device (such as a printer or file server) that has a static IP address and needs a name. Various DNS zone records are created from DNS machine entries.

Configure secondary zones

If necessary, use Server Admin to configure secondary zones. See Configure DNS service secondary zone settings.

Configure Bonjour

Use Server Admin to configure Bonjour settings. See Configure DNS service Bonjour settings.

Configure logging

Use Server Admin to specify the information that gets logged by DNS service and to specify the location of the log file. See Change DNS log detail levels.

(Optional) Set up a mail exchange (MX) record

If you provide mail service over the Internet, set up an MX record for your server. See Configure DNS for Mail service.

Configure your firewall

Configure your firewall to make sure DNS service is protected from attack and accessible to your clients. See Defend against server mining.

Start DNS service

Lion Server includes a simple interface for starting and stopping DNS service. See Start DNS service.

Upgrade your DNS configuration

Lion Server manages DNS entries more efficiently than Mac OS X Server v10.5. To take advantage of this, DNS records created on Mac OS X Server v10.5 must be upgraded.

After you upgrade to Lion Server and enable DNS in Server Admin, the upgrade pane appears the first time you click DNS. (The upgrade pane appears only if you upgraded to Lion Server from a version prior to Mac OS X Server v10.5. It does not appear if Lion Server was newly installed.)

The upgrade pane has two options:

Don’t Upgrade: If you choose to not upgrade your configuration, you cannot use Server Admin to automatically configure DNS. You can manually configure files using the /etc/named.conf file for DNS configuration and the /var/named file for zone configuration.

Upgrade: The Upgrade option converts DNS file records and then allows access to the DNS panes of Server Admin.

When upgrading, backup files are created. If the files must be restored, they can be restored manually. Backup files are saved in the same folders where the original files are located.


Turn on DNS service

Before you can configure DNS settings, turn on DNS service in Server Admin.

1. Open Server Admin and connect to the server.

2. Click Settings.

3. Click Services.

4. Select the DNS checkbox.

5. Click Save.

Configure DNS service primary zone settings

Use Server Admin to create a local DNS zone file and add records to it.

Important: In Mac OS X Server v10.6 and Mac OS X Lion Server, the configuration and zone files used by Server Admin have changed. If you edit the named.conf and zone files manually from Terminal, the information is used by DNS. However, the information does not appear in the DNS zones pane of Server Admin. Also, changes made in Server Admin are not made to the named.conf file. It is recommended that you use Server Admin.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Zones.

5. Click Add Zone, then choose “Add Primary Zone (Master).”

6. Select a new zone.

7. In the Primary Zone Name field, enter the zone name.

This is the domain name of the primary server.

8. Enter the mail address of the zone’s administrator.

9. Select “Allows zone transfer” to permit secondary zones to get copies of the primary zone data.

10. Add name servers for this zone by clicking the Add button (+) and entering the name in the Name Servers field.

11. Add mail exchangers for this zone by clicking the Add button (+) and entering the name in the Mail Exchangers field.

This field is the basis for the computer’s MX record.

12. In the Priority field, specify a mail server precedence number.

Delivering mail servers try to deliver mail at lower numbered mail servers first.

13. Click Expiration and enter the number of hours for each setting:

Enter the amount of time the zone is valid. This is the zone’s time to live (TTL) value. It determines how long query response information can remain cached in remote DNS systems before requerying the authoritative server.

Enter the interval of time that the secondary zones should refresh from the primary zone.

Enter the interval of time between each retry if the refresh of the secondary zone fails.

Enter the amount of time after refreshing before the zone data expires.

14. Click Add Record, then choose Add Alias (CNAME).


To see a list of records for a zone, click the triangle at the left of the zone.

15. Select newAlias listed under the primary zone.

You can add as many aliases as you want.

16. In the Alias Name field, enter the alternate name for your computer.

To use the fully qualified name for the Alias, select the Fully Qualified checkbox and enter the fully qualified domain name.

This field is the basis for CNAME records of the computer. Reverse lookup Pointer records are created for the computer.

17. In the Destination field, enter the computer name you are creating the alias for.

To use the fully qualified name for the Destination, select the Fully Qualified checkbox and enter the fully qualified domain name.

18. Click Add Record, then choose Add Machines (A).

19. Under the primary zone, select newMachine, then enter the following machine information.

In the Machine Name field, enter the hostname of the computer.

This field is the basis for the A record of the computer. Reverse lookup Pointer records are created for the computer.

Click the Add button (+), then enter the IP address of the computer.

Enter information about the hardware and software of the computer in the relevant text boxes.

These are the basis for the HINFO record of the computer.

Enter comments about the computer in the Comments text box.

This field is the basis for the TXT record of the computer. You can store almost any text string in the comments text box up to 255 ASCII characters.

For example, you can include the physical location of the computer (Upstairs server closet B) or the computer’s owner (John’s Computer) or any other information about the computer.

20. Click Add Record, then choose “Add Service (SRV).”

The DNS SRV record is an entry that informs client computers that a service is on a domain. These records help computers with the location of a service on a domain.

For more information, see Add a service record to a DNS zone.

21. Under the primary zone, select a service type and enter the service information.

22. Click Save.
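The records this procedure creates (A, CNAME, HINFO, TXT, SRV, plus the SOA timers from the Expiration step and the MX entries) end up in a BIND zone file, and the planning questions earlier ask how often to inspect records for integrity. As an added example (not Apple's or ISC's code), the Python below parses a zone in BIND master-file format, the format assumed for /var/named/<zone>.zone, and runs the checks such an inspection would want: the SOA refresh/retry/expire relationship, CNAME and MX/SRV target rules, and the 255-character TXT limit named in step 19. The zone, its names and its 192.0.2.x addresses are constructed; it deliberately contains one defect (an MX pointing at a CNAME) so the checker has something to report. It also covers the record types in the DNS machine records table.

```python
"""Parse a BIND master-file zone and check record integrity (added example)."""
import shlex
from collections import defaultdict, namedtuple

Record = namedtuple("Record", "owner ttl rtype rdata")

# Constructed zone (assumption: same master-file format as /var/named/<zone>.zone).
# Deliberate defect: the second MX targets mail2, which is a CNAME.
ZONE_TEXT = """\
$TTL 86400
$ORIGIN example.com.
@       IN  SOA   ns1.example.com. hostmaster.example.com. (
                  2011081501 ; serial
                  3600       ; refresh
                  900        ; retry
                  604800     ; expire
                  86400 )    ; minimum
@       IN  NS    ns1.example.com.
@       IN  MX    10 mail.example.com.
@       IN  MX    20 mail2.example.com.
ns1     IN  A     192.0.2.10
mail    IN  A     192.0.2.20
www     IN  CNAME server1.example.com.
server1 IN  A     192.0.2.30
server1 IN  HINFO "Mac mini" "Lion Server"
server1 IN  TXT   "Upstairs server closet B"
mail2   IN  CNAME server1.example.com.
_afpovertcp._tcp IN SRV 0 0 548 server1.example.com.
"""


def _logical_lines(text):
    """Yield comment-free lines, joining '( ... )' continuations such as SOA."""
    buf, depth = "", 0
    for raw in text.splitlines():
        code = raw.split(";", 1)[0]      # simplification: no ';' inside quotes
        if not code.strip():
            continue
        depth += code.count("(") - code.count(")")
        buf = code if not buf else buf + " " + code.strip()
        if depth == 0:
            yield buf.replace("(", " ").replace(")", " ")
            buf = ""


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return the zone as Record tuples with absolute (dotted) owner names."""
    origin, default_ttl, owner, records = "", None, None, []
    for line in _logical_lines(text):
        tokens = shlex.split(line)
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if not line[:1].isspace():      # a line starting in column 0 names a new owner
            owner = _fqdn(tokens.pop(0), origin)
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        records.append(Record(owner, ttl, tokens.pop(0).upper(), tokens))
    return records


def _in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def check_zone(records):
    """Return a list of problems; an empty list means the checks passed."""
    problems, types_at = [], defaultdict(set)
    for r in records:
        types_at[r.owner].add(r.rtype)
    soa = [r for r in records if r.rtype == "SOA"]
    if len(soa) != 1:
        return [f"expected exactly one SOA record, found {len(soa)}"]
    zone = soa[0].owner
    refresh, retry, expire = (int(x) for x in soa[0].rdata[3:6])
    # Timer sanity (RFC 1912 guidance): retry shorter than refresh, and expire
    # long enough that a secondary survives more than one failed refresh.
    if retry >= refresh:
        problems.append(f"SOA retry {retry}s is not shorter than refresh {refresh}s")
    if expire < refresh + retry:
        problems.append(f"SOA expire {expire}s is shorter than refresh + retry")
    for r in records:
        if r.rtype == "CNAME":
            target = r.rdata[0]
            if len(types_at[r.owner]) > 1:
                problems.append(f"{r.owner} has a CNAME alongside other records")
            if _in_zone(target, zone) and target not in types_at:
                problems.append(f"CNAME {r.owner} points at missing name {target}")
        elif r.rtype in ("MX", "SRV"):
            target = r.rdata[1] if r.rtype == "MX" else r.rdata[3]
            if "CNAME" in types_at.get(target, ()):
                problems.append(f"{r.rtype} at {r.owner} targets {target}, which is a CNAME "
                                "(RFC 2181/2782: the target must be an address record)")
        elif r.rtype == "TXT" and any(len(s) > 255 for s in r.rdata):
            problems.append(f"TXT string at {r.owner} exceeds 255 characters")
    return problems


if __name__ == "__main__":
    print(check_zone(parse_zone(ZONE_TEXT)))
```

On the constructed zone the checker reports only the MX-to-CNAME defect; the same functions can be pointed at a real zone file read from /var/named/ once you have confirmed that file uses the master-file format assumed here.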

Configure DNS service secondary zone settings

A secondary zone is a copy of a primary zone stored on a secondary name server. Each secondary zone keeps a list of primary servers it contacts for updates to records in the primary zone.

Secondary zones must be configured to request the copy of primary zone data. Secondary zones use zone transfers to get copies of primary zone data.

Secondary name servers can take lookup requests like primary servers.

1. Make sure the primary server is correctly configured and that zone transfers are enabled on the primary server; then open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Zones.

5. Click Add Zone, then choose “Add Secondary Zone (Slave).”


6. Select the new zone.

7. In the Secondary Zone Name field, enter a zone name.

The zone name is the same as the primary zone defined on the primary name server.

8. Below the Primary DNS Servers list, click the Add button (+).

9. Enter the IP addresses for each primary server in this secondary zone.

10. Click Save.

Configure DNS service Bonjour settings

With Bonjour, you can easily connect a computer or other device to an existing wired or wireless Ethernet network, or you can create instant networks of multiple devices without additional network configuration.

If your computers or devices support Bonjour, it broadcasts and discovers services from other computers or devices using Bonjour. You can quickly and easily network computers and devices that support Bonjour.

Bonjour requires no configuration for computers or devices on your local subnet. Devices on the same subnet that support Bonjour and have it turned on find each other. However, to provide Bonjour browsing across subnets or on the Internet, you must set up a dedicated Bonjour browse domain that allows Bonjour-supported devices to locate services from anywhere on the Internet.

Using Server Admin you can designate any domain you set up in DNS as the domain for Bonjour browsing. You can then add SRV records to the Bonjour browsing domain for each service type.

These services appear on computers that have the Bonjour browsing domain entered as a search domain in Network Preferences. You can add the Bonjour browsing domain to the search domain of each computer manually or through DHCP.

For mobile clients, enter the search domain manually so they have Bonjour browsing access from anywhere. For more information about adding SRV records, see Add a service record to a DNS zone.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Bonjour.

5. Select the “Enable automatic client Bonjour browsing for domain” checkbox and enter the Fully Qualified Domain Name (FQDN) of the domain used for Bonjour browsing (for example, bonjour.company.com).

This sets a default Bonjour browsing domain for primary zones.

6. Click Save.

Configure DNS service settings

You use the Settings pane in DNS to set the detail level of the DNS service log. You might want a highly detailed log for debugging or a less detailed log that only shows critical warnings.

You also specify which networks may send recursive queries, which the DNS server answers fully (or returns an error for). If a query cannot be answered, it is forwarded to the IP addresses you add in the Forwarder IP Addresses list.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.


4. Click Settings.

5. From the Log Level pop-up menu, choose the detail level as follows:

Choose Critical to record only critical errors, such as hardware errors.

Choose Error to record errors not including warning messages.

Choose Warning to record warnings and errors.

Choose Notice to record only important messages, warnings, and errors.

Choose Information to record most messages.

Choose Debug to record all messages.

The log location is /Library/Logs/named.log.

6. Below the “Accept recursive queries from the following networks” list, click the Add button (+) to add networks that recursive queries are accepted from, then enter the network address in the list.

7. Below the “Forwarder IP Addresses” list, click the Add button (+) to add networks that unauthorized queries get forwarded to, then enter the network address in the list.

8. Click Save.

Use serveradmin to view DNS service settings

You can use serveradmin to view DNS service settings.

To view a setting:

$ sudo serveradmin settings dns:setting

To view a group of settings:

$ sudo serveradmin settings dns:zone:_array_id:localhost:*

Enter as much of the name as you want, stop at a colon (:), and then enter an asterisk (*) as a wildcard for the remaining parts of the name.

To view all service configuration settings:

$ sudo serveradmin settings dns

To modify your server’s DNS configuration, use serveradmin. However, it is more straightforward to work with DNS and BIND using the standard tools and techniques described in the many books on the subject. (For an example, see DNS and BIND by Paul Albitz and Cricket Liu.)

For information about serveradmin, see its man page.

Start DNS service

Use Server Admin to start DNS service. Remember to restart DNS service when you make changes to DNS service in Server Admin.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Start DNS (below the Servers list).


The service can take a few seconds to start.

Use serveradmin to start DNS service

You can start DNS service using serveradmin.

To start the service:

$ sudo serveradmin start dns

For information about serveradmin, see its man page.

Check DNS service status

You can use Server Admin to check the status of DNS service.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Overview to see whether the service is running, when it was started, and the number of zones allocated.

5. Click Log to review the service log.

Use the Filter field above the log to search for specific entries.

Use serveradmin to check DNS status

You can use serveradmin to view DNS service status.

To see summary status of the service:

$ sudo serveradmin status dns

To see detailed status of the service:

$ sudo serveradmin fullstatus dns

For information about serveradmin, see its man page.

View DNS service logs

DNS service creates entries in the system log for error and alert messages. The log file is named.log. You can filter the log to narrow the number of viewable log entries and make it easier to find those you want to see.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.


The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Log and use the Filter field above the log to search for specific entries.

Use serveradmin to view DNS logs

To view the latest entries in a log:

$ tail log-file

To display the log path:

$ sudo serveradmin command dns:command = getLogPaths

The default log path is /Library/Logs/named.log.

For information about serveradmin, see its man page.

Change DNS log detail levels

You can change the detail level of the DNS service log. You might want a highly detailed log for debugging or a less detailed log that only shows critical warnings.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Settings.

5. Choose the detail level from the Log Level pop-up menu as follows:

Choose Critical to record only critical errors, such as hardware errors.

Choose Error to record errors not including warning messages.

Choose Warning to record warnings and errors.

Choose Notice to record only important messages, warnings, and errors.

Choose Information to record most messages.

Choose Debug to record all messages.

6. Click Save.

View DNS service statistics

To view a summary of the DNS service workload, use the serveradmin getStatistics command.

Enter the following from the command line in Terminal:

$ sudo serveradmin command dns:command = getStatistics

The computer responds with output similar to the following:


dns:queriesArray:_array_index:0:name = "NS_QUERIES"
dns:queriesArray:_array_index:0:value = -1
dns:queriesArray:_array_index:1:name = "A_QUERIES"
dns:queriesArray:_array_index:1:value = -1
dns:queriesArray:_array_index:2:name = "CNAME_QUERIES"
dns:queriesArray:_array_index:2:value = -1
dns:queriesArray:_array_index:3:name = "PTR_QUERIES"
dns:queriesArray:_array_index:3:value = -1
dns:queriesArray:_array_index:4:name = "MX_QUERIES"
dns:queriesArray:_array_index:4:value = -1
dns:queriesArray:_array_index:5:name = "SOA_QUERIES"
dns:queriesArray:_array_index:5:value = -1
dns:queriesArray:_array_index:6:name = "TXT_QUERIES"
dns:queriesArray:_array_index:6:value = -1
dns:nxdomain = 0
dns:nxrrset = 0
dns:reloadedTime = ""
dns:success = 0
dns:failure = 0
dns:recursion = 0
dns:startedTime = "2003-09-10 11:24:03 -0700"
dns:referral = 0

For information about serveradmin, see its man page.
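Both the settings output (with its `_array_id:<name>` keys) and the getStatistics output above use the same `key:path = value` line format, which is easy to turn into a structure you can monitor from. As an added example (not Apple's code), the Python below parses that format into nested dicts and lists and derives a per-type query table and an NXDOMAIN share from the counters. SAMPLE_STATS reuses the field names shown on the page with constructed counter values (the page's own output shows -1 for the per-type counters; the parser passes such values through unchanged); SAMPLE_SETTINGS uses a made-up leaf key under the `dns:zone:_array_id:` path purely to exercise the keyed-array case. The assumption that success, referral, nxrrset, nxdomain and failure partition answered queries is stated in the code.

```python
"""Parse serveradmin 'key = value' output into Python structures (added example)."""

# Constructed statistics: the page's field names, made-up counter values.
SAMPLE_STATS = """\
dns:queriesArray:_array_index:0:name = "NS_QUERIES"
dns:queriesArray:_array_index:0:value = -1
dns:queriesArray:_array_index:1:name = "A_QUERIES"
dns:queriesArray:_array_index:1:value = 70
dns:nxdomain = 10
dns:nxrrset = 0
dns:reloadedTime = ""
dns:success = 85
dns:failure = 5
dns:recursion = 40
dns:startedTime = "2003-09-10 11:24:03 -0700"
dns:referral = 0
"""

# Constructed: 'exampleKey' is not a real serveradmin key; only the
# dns:zone:_array_id:<zone> path shape comes from the page.
SAMPLE_SETTINGS = 'dns:zone:_array_id:example.com:exampleKey = "value"\n'


def _coerce(raw):
    """Quoted text becomes str, bare integers become int, anything else stays."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def _insert(node, parts, value):
    head, rest = parts[0], parts[1:]
    if head == "_array_index":              # positional element: node is a list
        idx, rest = int(rest[0]), rest[1:]
        while len(node) <= idx:
            node.append(None)
        if not rest:
            node[idx] = value
            return
        if node[idx] is None:
            node[idx] = [] if rest[0] == "_array_index" else {}
        _insert(node[idx], rest, value)
        return
    if head == "_array_id":                 # keyed element: the id is the dict key
        head, rest = rest[0], rest[1:]
    if not rest:
        node[head] = value
        return
    if head not in node:
        node[head] = [] if rest[0] == "_array_index" else {}
    _insert(node[head], rest, value)


def parse_serveradmin(text):
    """Build a dict/list tree from 'a:b:c = value' lines; other lines are ignored."""
    root = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        key, raw = line.split(" = ", 1)
        _insert(root, key.strip().split(":"), _coerce(raw))
    return root


def query_counts(stats):
    """Map each per-type counter name (A_QUERIES, ...) to its value."""
    return {e["name"]: e["value"] for e in stats["dns"]["queriesArray"]}


def nxdomain_ratio(stats):
    """Share of answers that were NXDOMAIN; a sudden rise is worth a look.

    Assumption: success, referral, nxrrset, nxdomain and failure partition the
    answered queries (BIND's classic counters); 'recursion' overlaps them and
    is left out of the denominator.
    """
    d = stats["dns"]
    answered = d["success"] + d["referral"] + d["nxrrset"] + d["nxdomain"] + d["failure"]
    return d["nxdomain"] / answered if answered else 0.0


if __name__ == "__main__":
    stats = parse_serveradmin(SAMPLE_STATS)
    print(query_counts(stats), round(nxdomain_ratio(stats), 3))
```

To use it on a live server, feed the output of `sudo serveradmin command dns:command = getStatistics` (or of `sudo serveradmin settings dns`) to `parse_serveradmin`.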

Stop DNS service

Use Server Admin to stop DNS service.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Stop DNS (below the Servers list).

5. Click Stop Now.

Use serveradmin to stop DNS service

You can use serveradmin to stop DNS service.

To stop the service:

$ sudo serveradmin stop dns

For information about serveradmin, see its man page.


Enable or disable DNS zone transfers

In DNS, zone data is replicated among authoritative DNS servers by means of zone transfers. Secondary DNS servers (secondaries) use zone transfers to acquire their data from primary DNS servers (primaries). You must enable zone transfers to use secondaries.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Zones.

5. Select the primary zone to change.

6. Click General.

7. Select or deselect “Allows zone transfer” to permit secondary zones to get copies of the primary zone data.

8. Click Save.

Enable DNS recursion

Recursion fully resolves domain names into IP addresses. Applications depend on the DNS server to perform this function. Other DNS servers that query your DNS servers don’t need to perform the recursion.

To prevent malicious users from changing the primary zone’s records (referred to as cache poisoning) and to prevent unauthorized use of the server for DNS service, you can restrict recursion. However, if you restrict your private network from recursion, users can’t use your DNS service to look up names outside of your zones.

Disable recursion only if:

No clients are using this DNS server for name resolution.

No servers are using it for forwarding.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Settings.

5. Below the “Accept recursive queries from the following networks” list, click the Add button (+).

6. Enter the IP addresses for the servers that DNS will accept recursive queries from.

You can also enter IP address ranges.

7. Click Save.

If you enable recursion, consider disabling it for external IP addresses but enabling it for LAN IP addresses by editing the BIND named.conf file. However, edits you make to named.conf do not show up in the DNS section of Server Admin. To completely disable recursion, remove all entries from the network list. For more information about BIND, see www.isc.org/sw/bind.
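The network list in this procedure (and in step 6 of Configure DNS service settings) is an allow-list: a query source inside one of the entries gets recursion, everyone else gets answers only for your own zones, and an empty list disables recursion entirely. As an added example (not Apple's code), the Python below evaluates that allow-list the way the server would, flags entries that would turn the server into an open resolver, and prints the equivalent BIND `allow-recursion` options clause for the named.conf route the text mentions. The network entries and query sources are constructed; the RFC 1918 check is a heuristic added here, not something the page prescribes.

```python
"""Evaluate the recursion allow-list and spot open-resolver entries (added example)."""
import ipaddress

# Constructed allow-list: what you might enter in "Accept recursive queries
# from the following networks" (single addresses and ranges both accepted).
LAN_NETWORKS = ["10.0.0.0/8", "192.168.1.0/24", "192.168.2.7"]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _networks(entries):
    # strict=False lets a bare host address such as 192.168.2.7 stand as a /32
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def recursion_allowed(source_ip, entries):
    """True if the source may use this server to resolve names outside its zones.

    An empty list means recursion is disabled for everyone, as the text says.
    """
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in _networks(entries))


def classify(queries, entries):
    """Decide each (source, name) query: 'recurse' or 'authoritative-only'."""
    return [(src, name,
             "recurse" if recursion_allowed(src, entries) else "authoritative-only")
            for src, name in queries]


def allow_list_risks(entries):
    """Flag entries that would let outsiders recurse through this server."""
    risks = []
    for net in _networks(entries):
        if net.prefixlen == 0:
            risks.append(f"{net} lets the whole Internet recurse through this server")
        elif net.version == 4 and not any(net.subnet_of(p) for p in RFC1918):
            risks.append(f"{net} is outside RFC 1918 private space; confirm it is yours")
    return risks


def bind_allow_recursion(entries):
    """Equivalent named.conf options clause for hand-managed BIND."""
    if not entries:
        return "allow-recursion { none; };"
    items = [str(n.network_address) if n.num_addresses == 1 else str(n)
             for n in _networks(entries)]
    return "allow-recursion { " + "; ".join(items) + "; };"


if __name__ == "__main__":
    sample = [("10.0.0.2", "host1.example.com"), ("198.51.100.4", "host1.example.com")]
    print(classify(sample, LAN_NETWORKS))
    print(allow_list_risks(["0.0.0.0/0"]))
    print(bind_allow_recursion(LAN_NETWORKS))
```

The source at 198.51.100.4 still receives answers for zones this server is authoritative for; what it is denied is recursion on everyone else's names, which is the distinction the paragraph above draws.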

Add a primary zone


Use Server Admin to add a primary zone to your DNS server.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Zones.

5. Click Add Zone, then choose Add Primary Zone (Master).

6. Select the new zone.

7. In the Primary Zone Name field, enter the zone name.

This is the fully qualified domain name of the primary server.

8. Enter the mail address of the zone’s administrator.

9. Select “Allows zone transfer” to permit secondary zones to get copies of the primary zone data.

10. Add nameservers for this zone by clicking the Add button (+) and entering the name in the Nameservers field.

11. Add mail exchangers for this zone by clicking the Add button (+) and entering the name in the Mail Exchangers field.

This field is the basis for the computer’s MX record.

12. In the Priority field, specify a mail server precedence number.

Delivering mail servers try to deliver mail at lower numbered mail servers first.

13. Click Expiration and enter the number of hours for each setting:

Enter the amount of time the zone is valid. This is the zone’s time to live (TTL) setting. It determines how long query response information can remain cached in remote DNS systems before requerying the authoritative server.

Enter the interval of time that the secondary zones should refresh from the primary zone.

Enter the interval of time between each retry if the refresh of the secondary zone fails.

Enter the amount of time after refreshing before the zone data expires.

14. Click Save.

Add a secondary zone

Use Server Admin to add a secondary zone to your DNS server.

Perform the following steps on the secondary server.

1. Make sure the primary server is correctly configured and that zone transfers are enabled on the primary server.

2. On the secondary server, open Server Admin and connect to the secondary server.

3. Click the triangle at the left of the server.

The list of services appears.

4. From the expanded Servers list, select DNS.

5. Click Zones.

6. Click Add Zone, then click Add Secondary Zone (Slave).

7. Select a new zone.


8. In the Secondary Zone Name field, enter a zone name.

The zone name is the same as the primary zone defined on the primary name server.

9. Below the Primary Zone addresses list, click the Add button (+).

10. Enter the IP addresses for each primary server in the secondary zone.

11. Click Save.

Set forwarder IP addresses

If a DNS server cannot resolve a DNS query locally, it can use a forwarder to handle the query. The DNS server forwards the request to another DNS server that can respond to the DNS query. This can be used across separate subnets and networks.

Use Server Admin to add forwarder IP addresses.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Settings.

5. Below the Forwarder IP Addresses list, click the Add button (+).

6. Enter the IP addresses for the DNS server that will receive forwarded unresolved DNS queries.

7. Click Save.

Network infrastructure services ► DNS ► Manage DNS zones

Change a zone

Use Server Admin to change zone settings. You might need to change the administrator mail address or domain name of a zone.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Zones.

5. Select the zone to change.

6. Change the zone information as needed.

7. Click Save.

Network infrastructure services ► DNS ► Manage DNS zones

Delete a zone

When you delete a zone, all records associated with it are deleted.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.


The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Zones.

5. Select the zone to delete.

6. Below the Zones list, click Remove.

7. Click Save.

Network infrastructure services ► DNS ► Manage DNS zones

Import a BIND zone file

You might already have a BIND zone file from a DNS server on another platform. If so, instead of entering the information in Server Admin manually, you can use the BIND zone file with your Mac server.

Using an existing zone file requires:

Root access permissions to the BIND configuration file (/etc/named.conf)

The working zone directory (/var/named/)

A basic knowledge of BIND and the Terminal application

Otherwise, use the Server Admin DNS tools.

Important: In Lion Server, if you edit named.conf and zone files manually from Terminal, the information is used by DNS. However, the information does not appear in the DNS zones pane of Server Admin. Also, changes made in Server Admin are not made to named.conf. It is recommended that you use Server Admin.

1. Verify that you have root privileges.

2. Add the zone directive to the BIND configuration file, /etc/named.conf.

For example, for zone xyz.com described in zone file db.xyz.com in the working zone folder /var/named/, the zone directive might look like this:

zone "xyz.com" IN {            // Forward lookup zone for xyz.com
    type master;               // It's a primary zone
    file "db.xyz.com";         // Zone info stored in /var/named/db.xyz.com
    allow-update { none; };    // No dynamic updates
};

3. Confirm that the zone file is added to the /var/named/ working zone folder.

4. Check the syntax before restarting: BIND’s named-checkconf and named-checkzone utilities, if present on the system, report errors that would otherwise stop named from loading the zone.

5. Restart DNS service using Server Admin, or from Terminal with the serveradmin command-line tool.

For information about serveradmin, see its man page.

Network infrastructure services ► DNS ► Manage DNS records

Add an alias record to a DNS zone

You must add records for each computer the DNS primary zone has responsibility for. Do not add records for computers the zone doesn’t control.

An alias record or canonical name (CNAME) record is used to create aliases that point to other names. If you want this computer to have more than one name, add alias records to the zone.

1. Open Server Admin and connect to the server.


2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Zones.

5. Select the zone this record is to be added to.

6. Click Add Record, then choose Add Alias (CNAME).

This adds the alias record to the zone.

7. Select newAlias listed under the primary zone, then enter the alias information.

In the Alias Name field, enter the alternate name for your computer.

To use the fully qualified name for the Alias, select the Fully Qualified checkbox and enter the fully qualified domain name.

This field is the basis for the CNAME record of the computer. Unlike a machine (A) record, an alias gets no reverse lookup pointer (PTR) record; a reverse lookup of the IP address returns the destination computer’s name. An alias name must not also carry records of other types.

8. In the Destination field, enter the computer name you are creating the alias for.

To use the fully qualified name for the Destination, select the Fully Qualified checkbox and enter the fully qualified domain name.

9. Click Save.

Add as many aliases as you want by adding additional alias records.

Network infrastructure services ► DNS ► Manage DNS records

Add a machine record to a DNS zone

You must add records for each computer the DNS primary zone has responsibility for. Do not add records for computers the zone doesn’t control.

A machine record or address (A) record is used to associate a domain name with an IP address. Server Admin allows only one machine record per IP address in a zone, because the reverse lookup pointer (PTR) record it creates for that address can name only one computer.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Zones.

5. Select the zone this record is to be added to.

6. Click Add Record, then choose Add Machine (A).

This adds the machine record to the zone.

7. Select newMachine listed under the zone, then enter the following machine information.

In the Machine Name field, enter the hostname of the computer.

This field is the basis for the A record of the computer. Reverse lookup Pointer records are created for the computer.

Click the Add button (+), then enter the IP address of the computer.

Enter information about the hardware and software of the computer in the relevant text boxes. These are the basis for the HINFO record of the computer. HINFO is readable by anyone who can query the zone and tells an attacker exactly what platform to target, so leave these boxes empty in zones served to the Internet.

Enter comments about the computer in the Comment text box.

This field is the basis for the TXT record of the computer.

You can store up to 255 ASCII characters in the comments text box. You can include the physical location of the computer (for example, Upstairs server closet B), the computer’s owner (for example, John’s Computer), or other information about the computer. Like HINFO, the TXT record is public wherever the zone is served, so keep such details out of zones visible from the Internet.

8. Click Save.

Network infrastructure services ► DNS ► Manage DNS records

Add a service record to a DNS zone

Service (SRV) records are used to define services available on a domain. These records help computers locate a service on a domain.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Zones.

5. Select the zone this record is to be added to.

6. Click Add Record, then choose Add Service (SRV).

This adds the service record to the zone.

7. In the Service Name field, enter the well-known name of the service.

8. From the Service Type pop-up menu, select a service type.

If the service type for the service you are providing is not listed, enter the name in the Service Type field. The name follows the pattern _service._protocol, where the protocol is _tcp or _udp (for example, _afpovertcp._tcp or _http._tcp).

9. In the Host field, enter the DNS name of the server that is providing the service.

10. To use the fully qualified domain name of the domain server, select the Fully Qualified checkbox.

11. In the Port field, enter the port number for the service you are providing.

For example, if you are providing http service, use port 80.

12. In the Priority field, enter priority number.

The priority number is used when multiple hosts are configured for the same service. The host with the lowest priority number is tried first.

13. In the Weight field, enter a weight number.

The weight number is used as a relative weight for records with the same priority.

14. In the TXT field, enter additional information about the service.

This creates a TXT record for the service.

15. Click Save.
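The record panes above (the Expiration timers, the alias, machine and service records, and the mail server precedence number) map onto a few lines of BIND zone file, which is also the form that Import a BIND zone file expects. The builder below renders such a zone and checks the things Server Admin does not check for you: that the SOA timers are ordered sensibly, that an alias name carries no other records, and that an MX points at a machine record rather than an alias. It is an added example, not Apple’s or BIND’s code; Zone, Soa, example_zone and the example.com hosts and addresses are hypothetical names constructed here.

```python
"""Build the BIND zone that Server Admin's record panes describe.
Added example (not Apple's code): Zone, Soa and example_zone are hypothetical
names; the hosts and addresses in example_zone() are constructed."""
from dataclasses import dataclass, field


@dataclass
class Soa:
    """SOA timers in seconds (Server Admin's Expiration pane takes hours)."""
    primary_ns: str
    admin_mail: str      # hostmaster@example.com is written hostmaster.example.com.
    serial: int
    refresh: int
    retry: int
    expire: int
    ttl: int             # zone default TTL


@dataclass
class Zone:
    origin: str
    soa: Soa
    forward: list = field(default_factory=list)   # (owner, type, rdata)
    reverse: list = field(default_factory=list)   # (ip, fqdn) -> PTR records

    def fqdn(self, name):
        return name if name.endswith(".") else f"{name}.{self.origin}."

    def add_machine(self, host, ip, hinfo=None, comment=None):
        """Machine (A) record; Server Admin also creates the reverse PTR."""
        self.forward.append((host, "A", ip))
        self.reverse.append((ip, self.fqdn(host)))
        if hinfo:   # HINFO tells an attacker your hardware and OS: omit it on public zones
            self.forward.append((host, "HINFO", '"%s" "%s"' % hinfo))
        if comment:
            self.forward.append((host, "TXT", f'"{comment}"'))

    def add_alias(self, alias, target):
        """Alias (CNAME): no PTR is created; the IP reverse-resolves to the target."""
        self.forward.append((alias, "CNAME", self.fqdn(target)))

    def add_mx(self, priority, mailhost):
        """Lower priority numbers are tried first."""
        self.forward.append(("@", "MX", f"{priority} {self.fqdn(mailhost)}"))

    def add_srv(self, service, proto, host, port, priority=0, weight=0):
        """Service record; owner is _service._proto (for example _afpovertcp._tcp)."""
        rdata = f"{priority} {weight} {port} {self.fqdn(host)}"
        self.forward.append((f"_{service}._{proto}", "SRV", rdata))

    def validate(self):
        """Checks worth running before named loads the zone."""
        problems, s = [], self.soa
        if not s.retry < s.refresh < s.expire:
            problems.append("SOA timers must satisfy retry < refresh < expire")
        by_owner = {}
        for owner, rtype, _ in self.forward:
            by_owner.setdefault(owner, set()).add(rtype)
        for owner, types in by_owner.items():
            if "CNAME" in types and len(types) > 1:   # RFC 1034: a CNAME stands alone
                problems.append(f"{owner}: CNAME cannot coexist with other records")
        cname_owners = {self.fqdn(o) for o, t, _ in self.forward if t == "CNAME"}
        for _, rtype, rdata in self.forward:
            if rtype == "MX" and rdata.split()[1] in cname_owners:   # RFC 2181 10.3
                problems.append(f"MX target {rdata.split()[1]} is a CNAME (RFC 2181)")
        return problems

    def render(self):
        """Forward zone file text."""
        s = self.soa
        soa = (f"@ IN SOA {self.fqdn(s.primary_ns)} {s.admin_mail.replace('@', '.')}. "
               f"( {s.serial} {s.refresh} {s.retry} {s.expire} {s.ttl} )")
        lines = [f"$ORIGIN {self.origin}.", f"$TTL {s.ttl}", soa]
        lines += [f"{o} IN {t} {r}" for o, t, r in self.forward]
        return "\n".join(lines) + "\n"

    def render_reverse(self):
        """PTR records for the in-addr.arpa zone, one per machine record."""
        out = []
        for ip, name in self.reverse:
            a, b, c, d = ip.split(".")
            out.append(f"{d}.{c}.{b}.{a}.in-addr.arpa. IN PTR {name}")
        return "\n".join(out) + "\n"


def example_zone():
    """Constructed sample: one server at 192.168.12.12 offering mail, web and AFP."""
    z = Zone("example.com", Soa("ns1", "hostmaster@example.com", 2011072001,
                                refresh=3600, retry=900, expire=604800, ttl=3600))
    z.add_machine("ns1", "192.168.12.2")
    z.add_machine("server", "192.168.12.12", comment="Upstairs server closet B")
    z.add_alias("www", "server")
    z.add_alias("afp", "server")
    z.add_mx(10, "server")            # MX points at the A record, never at an alias
    z.add_srv("afpovertcp", "tcp", "server", 548)
    return z
```

Calling example_zone().render() gives the forward zone and render_reverse() the matching PTR lines; validate() returns an empty list for the sample and a list of messages when, for instance, an MX is pointed at one of the aliases.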

Network infrastructure services ► DNS ► Manage DNS records

Change a record in a DNS zone

If you change the namespace for the domain, you must update DNS records as often as that namespace changes. Upgrading hardware or adding to a domain name might also require updating DNS records.

You can duplicate a record and then edit it, saving configuration time.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.


3. From the expanded Servers list, select DNS.

4. Click Zones.

5. Click the triangle at the left of the zone that has the computer record to be edited.

The list of records appears.

6. Select the record to be edited and make changes in the fields below the list.

7. Click Save.

Network infrastructure services ► DNS ► Manage DNS records

Delete a record from a DNS zone

When a computer is no longer associated with a domain name or usable address, delete the associated records.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Zones.

5. Click the triangle at the left of the zone that has the computer record to be deleted.

The list of records appears.

6. Select the record to be deleted and click Remove below the list.

7. Click Save.

Network infrastructure services ► DNS ► Secure DNS

DNS spoofing

DNS spoofing (cache poisoning) is the injection of false data into a DNS server’s cache. This enables attackers to:

Redirect real domain name queries to alternative IP addresses.

For example, a falsified A record for a bank could point a user’s browser to a different IP address that is controlled by the attacker. A duplicate website could fool users into giving their bank account numbers and passwords to the attacker.

Also, a falsified mail (MX) record could enable an attacker to intercept mail sent to or from a domain. If the attacker then forwards that mail to the correct mail server after copying it, the interception can go undetected.

Prevent proper domain name resolution and access to the Internet.

This is the most benign of DNS spoofing attacks. It merely makes a DNS server appear to be malfunctioning.

The most effective guard against these attacks is vigilance: keep software up to date and audit DNS records regularly.

If exploits are found in the current version of BIND, they are patched and a security update is made available for Lion Server. Apply all such security patches. Current BIND releases randomize the source port and query ID of every outgoing query, which is the main defense against poisoning a cache, and an unpatched server may lack that protection. Restricting recursion to your own clients (see Denial of service (DoS) and service piggybacking attacks) also keeps outsiders from making your server issue queries of their choosing. Regular audits of your DNS records help you detect tampering with the authoritative data itself.

Network infrastructure services ► DNS ► Secure DNS

Defend against server mining

Server mining is the practice of getting a copy of a complete primary zone by requesting a zone transfer. In this case, an attacker pretends to be a secondary server for your primary zone and requests a copy of the primary zone’s records.

With a copy of your primary zone, the attacker can see what kinds of services a domain offers and the IP addresses of the servers that offer them (and, if you filled them in, the hardware and software details in HINFO and TXT records). He or she can then try specific attacks based on those services. This is reconnaissance before another attack.


To defend against this attack, specify which IP addresses have permission to request zone transfers (your secondary zone servers) and deny all others.

Zone transfers are accomplished over TCP on port 53. To limit zone transfers, block zone transfer requests from anyone but your secondary DNS servers. To specify zone transfer IP addresses:

1. Create a firewall filter that permits only your secondary DNS servers to reach TCP port 53 on the primary.

2. Follow the instructions for configuring firewall rules, using the following settings:

Packet: Allow

Port: 53

Protocol: TCP

Source IP: the IP address of your secondary DNS server

Destination IP: the IP address of your primary DNS server

Add one such rule for each secondary, followed by a rule that denies TCP port 53 from any other source; rules are evaluated in order, so the allow rules must carry lower numbers than the deny rule. Note that ordinary queries also fall back to TCP when a UDP answer is too large and gets truncated, so a blanket TCP 53 block can break large responses for outside resolvers. Where that matters, restrict transfers at the BIND level instead: the zone’s zone transfer setting in Server Admin, or an allow-transfer list in named.conf naming only the secondaries, refuses AXFR requests while leaving TCP 53 reachable for queries.

Network infrastructure services ► DNS ► Secure DNS

Defend against DNS service profiling

Another common reconnaissance technique is to profile your DNS service. First an attacker sends a BIND version request (a TXT query for version.bind in the CHAOS class). The server reports the version of BIND that is running. Then the attacker compares the response to known exploits and vulnerabilities for that version of BIND.

To defend against this, configure BIND to respond with something other than its real version. This hides information but fixes nothing: an unpatched server fingerprinted by its behavior rather than by its banner is just as exploitable, so treat the change as a complement to applying security updates. To alter BIND’s version response:

1. Open a command-line text editor (for example vi, emacs, or pico).

2. Open named.conf for editing. Root privileges are required.

3. Inside the options { } block of the configuration file, add the following:

version "[your text, maybe 'we're not telling!']";

4. Save named.conf.

5. Restart DNS service so the new configuration is read, then confirm the change with dig @127.0.0.1 version.bind txt chaos. As noted under Import a BIND zone file, manual edits to named.conf do not appear in Server Admin, so record the change where the next administrator will find it.

Network infrastructure services ► DNS ► Secure DNS

Denial of service (DoS) and service piggybacking attacks

This kind of attack is common and easy. An attacker sends so many service requests and queries that the server uses all its processing power and network bandwidth trying to respond. The attacker prevents legitimate use of the service by overloading it.

It is difficult to prevent this type of attack before it begins. Constant monitoring of the DNS service and server load enables an administrator to catch the attack early and mitigate its damaging effect.

The easiest way to guard against this attack is to block the offending IP address with your firewall. Unfortunately, this means the attack is already underway and the attacker’s queries are being answered and the activity logged. Blocking by address also does nothing against queries with forged source addresses, which is one more reason to refuse recursion to outsiders (below): a server that answers only its own clients cannot be used to amplify traffic toward a forged victim address.

Service piggybacking

This attack is done not so much by malicious intruders as by ordinary Internet users who learn the trick from other users. They might feel that the DNS response time with their own ISP is too slow, so they configure their computer to query another DNS server instead of their own ISP’s DNS servers. Effectively, more users are accessing the DNS server than were planned for.

You can guard against this by limiting or disabling DNS recursion. If you plan to offer DNS service to your LAN users, they need recursion to resolve domain names, but don’t provide this service to Internet users. An open recursive resolver is also a ready tool for reflection attacks, because a small query with a forged source address produces a large answer aimed at the victim.

To prevent recursion entirely, see Enable DNS recursion.

The most common balance is permitting recursion for requests coming from IP addresses in your own range but denying recursion to external addresses.

BIND enables you to specify this in its configuration file, named.conf. Edit named.conf to include the following (the elements of an address match list are tested in order and the first match decides, so put any negated entries first):


options {
    ...
    allow-recursion {
        127.0.0.0/8;
        [your internal IP range of addresses, like 192.168.1.0/27];
    };
};

For more information, see the BIND documentation.
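The following reads a BIND address match list like the allow-recursion list above (and an allow-transfer list, the named.conf way of doing what Defend against server mining does with firewall rules) and decides whether a given source address is permitted, using BIND’s rules: elements are tested in order, the first match decides, a match on a negated element denies, and no match at all denies. It is an added example, not part of the original page or of BIND; parse_acl, acl_allows, decide and NAMED_CONF_OPTIONS are hypothetical names, the address lists are constructed, and localhost is simplified to 127.0.0.0/8 (in BIND it means all of the server’s own interface addresses).

```python
"""Evaluate BIND address match lists (allow-recursion, allow-transfer) the way
named does. Added example, not BIND's code: parse_acl, acl_allows, decide and
NAMED_CONF_OPTIONS are hypothetical; the address lists below are constructed."""
import ipaddress


def parse_acl(text):
    """'127.0.0.0/8; !192.168.1.5; 192.168.1.0/24;' -> [(negated, matcher), ...]
    where matcher is 'any', 'none' or an ip_network."""
    entries = []
    for raw in text.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        item = item.lstrip("!").strip()
        if item in ("any", "none"):
            entries.append((negated, item))
        elif item == "localhost":          # simplified: BIND means all local interfaces
            entries.append((negated, ipaddress.ip_network("127.0.0.0/8")))
        else:                              # single address or CIDR prefix
            entries.append((negated, ipaddress.ip_network(item, strict=False)))
    return entries


def acl_allows(entries, source):
    """First matching element decides; a negated match denies; no match denies."""
    addr = ipaddress.ip_address(source)
    for negated, matcher in entries:
        if matcher == "any":
            hit = True
        elif matcher == "none":
            hit = False
        else:
            hit = addr.version == matcher.version and addr in matcher
        if hit:
            return not negated
    return False


# Constructed options{} values for a primary server on the 192.168.1.0/27 LAN
# whose secondaries are 192.168.1.3 (inside) and 203.0.113.7 (offsite).
NAMED_CONF_OPTIONS = {
    "allow-recursion": "127.0.0.0/8; 192.168.1.0/27;",   # only our own clients
    "allow-transfer": "192.168.1.3; 203.0.113.7;",       # only the secondaries
}


def decide(option, source):
    """Would named honour a request of this kind from this source address?"""
    return acl_allows(parse_acl(NAMED_CONF_OPTIONS[option]), source)
```

Run decide("allow-transfer", ip) against the addresses that appear in your zone transfer logs to confirm that only the secondaries get through, and decide("allow-recursion", ip) against an outside address to confirm the server is not an open resolver.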

Network infrastructure services ► DNS ► Common DNS administration tasks

Configure DNS for Mail service

Configuring DNS for mail service involves creating MX records in DNS for your mail servers. If your ISP provides DNS service, contact the ISP so they can enable your MX records. Follow these steps only if you provide your own DNS service.

The steps below create the machine (A) record and aliases for each mail server and register the alias with Mail service. The MX record itself comes from marking the machine as a mail server in the zone (the mail server checkbox in the machine record, with the precedence number described under Add a primary zone). Point the MX at the machine record, not at an alias: an MX target must not be a CNAME (RFC 2181).

You might want to set up multiple servers for redundancy. If so, create an MX record for each auxiliary server, with a higher precedence number than the preferred server.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DNS.

4. Click Zones.

5. Select the zone this record is to be added to.

6. Click the triangle at the left of the zone.

The list of records appears.

7. Click Add Record, then choose Add Machine (A).

This adds a machine record to the zone.

8. In the Machine Name field, enter the hostname of the computer.

To use the fully qualified name of the computer, select the Fully Qualified checkbox and enter the fully qualified domain name of the computer.

This field is the basis for the A record of the computer. Reverse lookup pointer records are created for the computer.

9. Click the Add button (+) and enter the IP addresses for the computer.

10. In the relevant text boxes, enter information about the hardware and software of the computer.

11. In the Comment text box, enter comments about the computer.

This field is the basis for the TXT record of the computer.

You can store up to 255 ASCII characters in the comments text box. You can include the physical location of the computer (for example, Upstairs server closet B), the computer’s owner (for example, John’s Computer), or any other information about the computer. Keep such details out of zones visible from the Internet.

12. Click Save.

13. To add other names that you want this computer to have, click Add Record and choose Add Alias (CNAME).

Add as many aliases as you want for your server.

14. In the Alias Name field, enter the alternate name for your computer.

To use the fully qualified name for the Alias, select the Fully Qualified checkbox and enter the fully qualified domain name.

This field is the basis for the CNAME record of the computer. No reverse lookup pointer record is created for an alias; the IP address reverse-resolves to the machine record’s name.


15. In the Destination field, enter the computer name you are creating the alias for.

To use the fully qualified name for the Destination, select the Fully Qualified checkbox and enter the fully qualified domain name.

16. Click Save.

17. From the expanded Servers list, select Mail.

18. Click Settings, then click Advanced.

19. Click Hosting.

20. Next to the Local Host Aliases Field, click the Add button (+).

21. In the Local Host Alias field, enter the alias name you created earlier.

22. Click OK, then click Save.

23. Repeat Steps 7 through 22 for each mail server.

Network infrastructure services ► DNS ► Common DNS administration tasks

Set up namespace behind a NAT gateway

If you’re behind a NAT gateway, you have a set of IP addresses that are usable only in the NAT environment. If you were to assign a domain name to these addresses outside the NAT gateway, none of the domain names would resolve to the correct computer. For more information about NAT, enter NAT in the help search field.

However, you can run DNS service behind the gateway, assigning host names to NAT IP addresses. This way, if you’re behind the NAT gateway, you can enter domain names rather than IP addresses to access servers, services, and workstations.

Your DNS server should also forward queries it cannot answer itself to a DNS server outside the NAT gateway (see Set forwarder IP addresses), to permit resolution of names outside the routed area.

Your client network settings should specify the DNS server behind the NAT gateway. The process of setting up one of these networks is the same as setting up a private network. For more information, see Link a LAN to the Internet through one IP address.

If you set up a namespace behind the NAT gateway, names entered by users outside the gateway won’t resolve to addresses behind it. Set the DNS records outside the NAT-routed area to point to the NAT gateway and use NAT port forwarding to access computers behind the NAT gateway. For more information, see Configure port forwarding. Keep the internal zone from being served to the outside, and in particular refuse zone transfers to outside addresses, because it maps your private address plan.

Lion’s Multicast DNS feature permits you to use hostnames on your local subnet that end with the .local suffix without enabling DNS. Any service or device that supports Multicast DNS permits the use of a user-defined namespace on your local subnet without setting up and configuring DNS. Multicast DNS names are unauthenticated and any host on the subnet can claim one, so don’t rely on them where the identity of a host matters.

Network infrastructure services ► DNS ► Common DNS administration tasks

Network load distribution (round robin)

BIND permits simple load distribution using an address-shuffling method known as round robin. You set up a pool of IP addresses for several hosts mirroring the same content, and BIND cycles the order of these addresses as it responds to queries.

Round robin can’t monitor current server load or processing power. It only cycles the order of an address list for a given host name.

You enable round robin by adding multiple IP address entries for a given hostname. For example, suppose you want to distribute web server traffic between three servers on your network that all mirror the same content. The servers have the IP addresses 192.168.12.12, 192.168.12.13, and 192.168.12.14. You would add three machine records with three IP addresses, each with the same domain name.

When DNS service encounters multiple entries for one host, its default behavior is to answer queries by sending this list in a cycled order. The first request gets the addresses in the order A, B, C. The next request gets the order B, C, A, then C, A, B, and so on.

To mitigate the effects of local caching, you might want the zone’s time-to-live (TTL) number to be fairly short.
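To see why the TTL matters: the authoritative server rotates the list on every query it answers, but a caching resolver shared by many clients (an ISP’s, for example) hands all of them the same order until its cached copy expires, and a client that simply connects to the first address then lands on the same server. The simulation below is an added example, not Apple’s or BIND’s code; RoundRobinServer, CachingResolver and first_address_spread are hypothetical names, the three addresses are the ones used above, and each simulated client is assumed to connect to the first address it is given.

```python
"""Round-robin A records behind a caching resolver. Added example, not Apple's
or BIND's code: RoundRobinServer, CachingResolver and first_address_spread are
hypothetical names; clients are assumed to use the first address returned."""
from collections import Counter, deque


class RoundRobinServer:
    """Authoritative server: rotates the address list by one on every query."""
    def __init__(self, name, addresses, ttl):
        self.name, self.ttl = name, ttl
        self.ring = deque(addresses)

    def query(self, name):
        if name != self.name:
            return [], 0
        answer = list(self.ring)
        self.ring.rotate(-1)          # A,B,C -> B,C,A -> C,A,B ...
        return answer, self.ttl


class CachingResolver:
    """Shared resolver: serves its cached copy until the TTL has elapsed."""
    def __init__(self, server):
        self.server, self.cache = server, {}

    def resolve(self, name, now):
        cached = self.cache.get(name)
        if cached and now < cached[1]:
            return cached[0]                      # cache hit: same order as before
        answer, ttl = self.server.query(name)
        self.cache[name] = (answer, now + ttl)    # cache miss: server rotates
        return answer


WEB_POOL = ["192.168.12.12", "192.168.12.13", "192.168.12.14"]   # the three mirrors


def first_address_spread(ttl, clients=60, interval=1):
    """How many clients land on each mirror when one client per `interval` seconds
    resolves www.example.com through a single caching resolver."""
    resolver = CachingResolver(RoundRobinServer("www.example.com", WEB_POOL, ttl))
    hits = Counter()
    for n in range(clients):
        hits[resolver.resolve("www.example.com", n * interval)[0]] += 1
    return dict(hits)
```

With a 60-second TTL all sixty clients that arrive in a minute hit the first mirror; with a TTL of one second the three mirrors each get twenty. That is the trade-off the short TTL buys, at the cost of more queries reaching your server.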

Network infrastructure services ► DNS ► Common DNS administration tasks

Host several Internet services with a single IP address


You can have one server that supplies all Internet services (such as mail or web). These services can run on one computer with a single IP address.

You can have multiple host names in the same zone for a single server. For example, you might want the domain name www.example.com to resolve to the same IP address as ftp.example.com or mail.example.com. This domain appears to be several servers to anyone accessing the services, but they are all one server at one IP address.

Setting up DNS records for this is easy: add aliases to the machine’s DNS record. Setting up DNS names for these services does not enable or configure the services. It provides names that are easy to remember for each service offered. This can simplify setup and configuration of the client software for each service.

For example, for every service you want to show, do the following:

Create mail.example.com to enter on mail clients.

Be sure to select the mail server checkbox on the machine pane.

Create www.example.com to enter on web browsers.

Create afp.example.com for Apple File Sharing in the Finder.

Create ftp.example.com to enter on FTP clients.

As your needs grow, you can add computers to the network to handle these services. Then remove the alias from the original machine’s DNS record and create a machine record with that name for the new computer; your clients’ settings can remain the same.

Network infrastructure services ► DNS ► Common DNS administration tasks

Host multiple domains on the same server

One server can supply all Internet services (such as mail or web) for several domain names. For example, the domain name www.example.com can resolve to the same IP address as www.server.org. The names appear to be separate servers, but they are all one server at one IP address.

Setting up DNS records for this is easy: add a DNS zone for each domain and then add host names and server information to that zone.

Setting up DNS names for these services does not enable or configure the service for the domain names. This configuration is used with virtual domain hosting in mail and web services.

Network infrastructure services ► DNS ► Common DNS administration tasks

Configure a client to use your DNS server

You can configure clients to use a DNS server to convert Internet names to IP addresses so you don’t need to know the IP address of a server you are trying to reach.

1. Choose Apple > System Preferences, and then click Network.

2. From the services list, select the network connection services you use to connect to the Internet (such as Ethernet).

3. In the DNS Server field, enter the IP address of the primary DNS server you want to use.

To enter addresses for several servers, enter a comma between addresses.

To find out which DNS server you should be using, check with your network administrator.

If the connection is configured by DHCP, the DNS server addresses are normally supplied by the DHCP service and appear here automatically.

Network infrastructure services ► DNS ► Common DNS administration tasks

Find more DNS information

For more information about DNS and BIND, see the following:


DNS and BIND, 5th edition, by Paul Albitz and Cricket Liu (O’Reilly Media, 2006)

The Internet Systems Consortium (ISC) website: www.isc.org and www.isc.org/sw/bind

Request for Comments (RFC) documents provide an overview of a protocol or service and explain how the protocol should behave.

If you’re a novice server administrator, you’ll probably find some of the background information in an RFC helpful.

If you’re an experienced server administrator, you can find technical details about a protocol in its RFC document.

You can search for RFC documents by number at http://www.ietf.org/rfc.html.

A, PTR, CNAME, MX: see RFC 1035.

AAAA: see RFC 3596, which replaces RFC 1886.

SRV: see RFC 2782.

Network infrastructure services ► Firewall service ► Understanding firewalls

About Firewall service

Services such as Web and FTP are identified on your server by a TCP or User Datagram Protocol (UDP) port number. When a computer tries to connect to a service, Firewall service scans the rule list for a matching port number.

When a packet arrives at a network interface and the firewall is enabled, the packet is compared to each rule, starting with the lowest-numbered (highest-priority) rule. When a rule matches the packet, the action specified in the rule (such as permit or deny) is taken. Then, depending on the action, more rules can be applied.

The rules you set are applied to TCP packets and UDP packets. In addition, you can set up rules for restricting Internet Control Message Protocol (ICMP) or Internet Group Management Protocol (IGMP) using advanced rule creation.

Important: When you start Firewall service the first time, only ports essential to remote administration of the server are open, including secure shell (22) and several others. Other ports are dynamically opened to permit specific responses to queries initiated from the server. To permit remote access to other services on your computer, open more ports using the Services section of the Settings pane.

If you plan to share data over the Internet and you don’t have a dedicated router or firewall to protect your data from unauthorized access, use Firewall service. This service works well for small to medium businesses, schools, and small or home offices.

Large organizations with a firewall can use Firewall service to exercise a greater degree of control over their servers. For example, workgroups in a large business, or schools in a school system, can use Firewall service to control access to their own servers. A firewall on the server itself complements rather than replaces the perimeter firewall: it still applies to traffic that originates inside the perimeter.

Firewall service also provides stateful packet inspection, which determines whether an incoming packet is a legitimate response to an outgoing request or part of an ongoing session. This permits packets that would otherwise be denied.


Network infrastructure services ► Firewall service ► Understanding firewalls

Understanding IP addressing

Understanding firewall rules requires understanding how IP addressing works.

IP address

IPv4 addresses consist of four segments with values between 0 and 255 (the range of an 8-bit number), separated by dots (for example, 192.168.12.12).

The segments in IP addresses go from general to specific. For example, the first segment might belong to all computers in a company and the last segment might belong to a specific computer on one floor of a building.

Address ranges

When you create an address group using Server Admin, you enter an IP address and a subnet mask. The three types of address notation permitted are:

A single address: 192.168.2.1

A range expressed with CIDR notation: 192.168.2.1/24

A range expressed with netmask notation: 192.168.2.1:255.255.255.0

Server Admin shows the resulting address range. You can change the range by changing the subnet mask.

When you indicate a range of potential values for any segment of an address, that segment is called a wildcard. The following table gives examples of address ranges created to achieve specific goals.

Goal                                                       Example IP address   Enter this in the address field    Address range affected
Specify a single IP address                                10.221.41.33         10.221.41.33 or 10.221.41.33/32    10.221.41.33 (single address)
Wildcard the fourth segment                                10.221.41.33         10.221.41.33/24                    10.221.41.0 to 10.221.41.255
Wildcard part of the third and all of the fourth segment   10.221.41.33         10.221.41.33/22                    10.221.40.0 to 10.221.43.255
Apply the rule to all incoming addresses                   (none)               Select “Any”                       All IP addresses

Multiple IP addresses

A server can support multiple homed IP addresses, but Firewall service applies one set of rules to all server IP addresses. If you create multiple alias IP addresses, the rules you create apply to all of those IP addresses. To treat one address differently from another, put that address in the rule’s destination address group.
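The three address-group notations above and the first-match evaluation described under About Firewall service, as an added example (not Apple’s ipfw code): address_group, address_range, Rule, first_match and the RULES list are hypothetical names. The rule set is constructed to mirror the zone transfer rule from Defend against server mining, with the primary name server at 10.221.41.33 and its only secondary at 10.221.41.3, and it falls through to deny when no rule matches.

```python
"""Server Admin address-group notations and ipfw-style first-match evaluation.
Added example, not Apple's ipfw code: address_group, address_range, Rule,
first_match and RULES are hypothetical names; the rule set is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def address_group(spec):
    """Accept 192.168.2.1, 192.168.2.1/24, 192.168.2.1:255.255.255.0 or "any";
    return the network (host bits beyond the mask become the wildcard)."""
    if spec.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if ":" in spec:                                  # netmask notation
        host, mask = spec.split(":", 1)
        return ipaddress.ip_network(f"{host}/{mask}", strict=False)
    return ipaddress.ip_network(spec, strict=False)  # single address or CIDR


def address_range(spec):
    """(first, last) address affected, as Server Admin shows it."""
    net = address_group(spec)
    return str(net.network_address), str(net.broadcast_address)


@dataclass
class Rule:
    number: int                  # lower number = higher priority
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # address group in any of the notations above
    dst: str
    dport: Optional[int] = None  # None = any destination port


def first_match(rules, proto, src, dst, dport=None):
    """Rules are tried in ascending number; the first one that matches decides.
    This example denies when nothing matches (the safe default for a host firewall)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda rule: rule.number):
        if r.proto != "any" and r.proto != proto:
            continue
        if s not in address_group(r.src) or d not in address_group(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.number
    return "deny", None


# Constructed rule set for a primary name server at 10.221.41.33 whose only
# secondary is 10.221.41.3 (the zone transfer rule from Defend against server mining).
RULES = [
    Rule(100, "allow", "tcp", "10.221.41.3", "10.221.41.33", 53),     # AXFR from secondary
    Rule(200, "deny", "tcp", "any", "10.221.41.33", 53),              # no other TCP 53
    Rule(300, "allow", "udp", "any", "10.221.41.33", 53),             # ordinary queries
    Rule(400, "allow", "tcp", "10.221.40.0/22", "10.221.41.33", 22),  # ssh from 10.221.40-43.x
]
```

Because the allow for the secondary carries a lower number than the deny, a transfer request from 10.221.41.3 is permitted while the same request from any other source stops at rule 200; swapping the two numbers would silently lock the secondary out, which is the ordering mistake the first-match model makes easy to test for.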


Network infrastructure services ► Firewall service ► Understanding firewalls

Using Firewall service with NAT

You must enable the firewall to use NAT. Enabling NAT creates a divert rule in the firewall configuration.

Although Server Admin permits NAT service and Firewall service to be enabled and disabled independently, NAT service can operate only if both NAT and Firewall services are enabled. An essential part of NAT is the packet divert rule used in the firewall.

The firewall rule you set up instructs the firewall how to route network traffic coming from the network behind the NAT gateway. When you have a LAN behind a NAT gateway, you must create or know the address group that corresponds to the LAN.

Network infrastructure services ► Firewall service ► Understanding firewalls

Adaptive firewall

Lion Server uses an adaptive firewall that dynamically generates a firewall rule if a user or an IP address generates 10 consecutive failed login attempts.

About the adaptive firewall

The adaptive firewall helps to prevent your computer from being attacked by unauthorized users. The adaptive firewall does not require configuration and is active when you turn on your firewall.

When too many failed login attempts reach the server in too short a time, the adaptive firewall creates a temporary rule for ipfw and ip6fw that blocks the offending address. After a set time period, the temporary rule is removed and ipfw and ip6fw are returned to their normal set of rules. By default, the generated rule blocks the offending IP address for 15 minutes, preventing access. Because the trigger is the source address, a mistyped password repeated from behind a shared NAT address blocks everyone behind that address; put such addresses in the whitelist.

Although the adaptive firewall automatically engages, an administrator can customize the firewall's reaction by:

Adding an IP number or address range permanently to a whitelist

Adding an IP number or address range permanently to a blacklist

Changing the blocking time period

Changing the adaptive firewall's reporting behavior

Adaptive firewall files and utilities

The adaptive firewall consists of the following parts:

Utility or file                                                                     Purpose
/usr/libexec/afctl                                                                  The executable
/etc/af.plist                                                                       The plist-format configuration file for afctl
/System/Library/LaunchDaemons/com.apple.afctl.plist                                 The launchd plist for afctl
/var/db/af/whitelist                                                                The file used to store the whitelist
/var/db/af/blacklist                                                                The file used to store the list of blocked addresses
/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS/hb_summary      A tool that summarizes the host blocking activity of afctl

For more information see the man pages for afctl and hb_summary.
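The following is an added example and is not Apple's afctl or code from this guide. It models the host-blocking decision described above (10 consecutive failures, a temporary deny rule that expires after 15 minutes, a permanent whitelist that is never blocked and a permanent blacklist that always is) and runs it over constructed log lines. The simplified "timestamp source FAIL|OK" line format, the rule-number range and the sample addresses are assumptions, not the real secure.log or afctl formats.

```python
"""Model of the adaptive firewall's host-blocking logic (added example, not afctl)."""
from datetime import datetime, timedelta
import ipaddress
import re

THRESHOLD = 10          # consecutive failed logins before a block (page default)
BLOCK_MINUTES = 15      # how long a generated rule stays in place (page default)
RULE_BASE = 16000       # assumed number range for generated deny rules

# Assumed simplified event format: "YYYY-mm-dd HH:MM:SS <source> FAIL|OK"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (FAIL|OK)$")


class AdaptiveFirewall:
    def __init__(self, whitelist=(), blacklist=(), threshold=THRESHOLD, block_minutes=BLOCK_MINUTES):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]   # never blocked
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]   # always blocked
        self.threshold = threshold
        self.block_for = timedelta(minutes=block_minutes)
        self.failures = {}      # source -> consecutive failure count
        self.blocked = {}       # source -> time its temporary rule expires
        self.rules = []         # generated ipfw rules, in creation order

    @staticmethod
    def _listed(nets, addr):
        return any(addr in net for net in nets)

    def is_blocked(self, src, now):
        addr = ipaddress.ip_address(src)
        if self._listed(self.whitelist, addr):
            return False
        if self._listed(self.blacklist, addr):
            return True
        expiry = self.blocked.get(src)
        return expiry is not None and now < expiry

    def _expire(self, now):
        """Drop temporary blocks whose time is up (the generated rule would be removed)."""
        for src, expiry in list(self.blocked.items()):
            if now >= expiry:
                del self.blocked[src]

    def observe(self, line):
        """Feed one log line; return the ipfw rule it generated, if any."""
        m = LINE_RE.match(line)
        if not m:
            return None                      # not an auth event in the assumed format
        now = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        src, result = m.group(2), m.group(3)
        self._expire(now)
        if result == "OK":
            self.failures[src] = 0           # a success resets the consecutive count
            return None
        self.failures[src] = self.failures.get(src, 0) + 1
        if self.failures[src] < self.threshold or src in self.blocked:
            return None
        if self._listed(self.whitelist, ipaddress.ip_address(src)):
            return None                      # whitelisted hosts are never blocked
        self.blocked[src] = now + self.block_for
        self.failures[src] = 0
        rule = f"add {RULE_BASE + len(self.rules)} deny ip from {src} to any"
        self.rules.append(rule)
        return rule


def _events(start, src, results):
    """Constructed log lines, one per second, for a single source."""
    return [f"{start + timedelta(seconds=i):%Y-%m-%d %H:%M:%S} {src} {r}"
            for i, r in enumerate(results)]


T0 = datetime(2012, 3, 1, 10, 0, 0)
SAMPLE_LOG = (                                                                     # constructed sample
    _events(T0, "203.0.113.7", ["FAIL"] * 10)                                      # 10 straight failures
    + _events(T0 + timedelta(seconds=20), "198.51.100.9",
              ["FAIL"] * 5 + ["OK"] + ["FAIL"] * 9)                                # a success in between
    + _events(T0 + timedelta(seconds=40), "192.168.2.5", ["FAIL"] * 12)            # whitelisted LAN host
    + _events(T0 + timedelta(minutes=16), "203.0.113.7", ["FAIL"])                 # after the block expired
)


def run(lines, whitelist=("192.168.2.0/24",), blacklist=()):
    """Replay log lines; return the firewall state and the rules it generated."""
    fw = AdaptiveFirewall(whitelist=whitelist, blacklist=blacklist)
    generated = [rule for rule in map(fw.observe, lines) if rule]
    return fw, generated


if __name__ == "__main__":
    _, generated = run(SAMPLE_LOG)
    print("\n".join(generated))
```

Only 203.0.113.7 earns a rule: the second host never reaches 10 consecutive failures because a successful login resets the count, and the LAN host is protected by the whitelist however often it fails. The real afctl reads and writes the whitelist and blacklist files listed above; this model keeps them in memory.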

Network infrastructure services ► Firewall service ► Understanding firewalls ► About IPv6 firewall rules

When you configure and use Firewall service in Server Admin, by default ipfw and ip6fw are started. However, all IPv6 traffic except local traffic is blocked.

You can override the IPv6 rules by using the ip6fw tool, but after Firewall service or the server is restarted your rules are overwritten.

Using Server Admin, you can control how a firewall manages the IPv6 firewall with the following two keys in the /etc/ipfilter/ip_address_groups.plist file:

<key>IPv6Mode</key>
<string>DenyAllExceptLocal</string>
<key>IPv6Control</key>
<true/>

The IPv6Mode key allows you to control which IPv6 rules are applied. There are three possible settings for the IPv6Mode key:

DenyAllExceptLocal

DenyAll

NoRules

By default, the IPv6Mode key is set to DenyAllExceptLocal. This setting applies the following rules, which deny all IPv6 traffic except local traffic (loopback and the ff02::/16 link-local multicast range):

add 1 allow udp from any to any 626
add 1000 allow all from any to any via lo0
add 1100 allow all from any to ff02::/16
65000 deny ipv6 from any to any

If you set the IPv6Mode string to DenyAll, only the following rule is applied, blocking all IPv6 traffic.

65000 deny ipv6 from any to any

If you set the IPv6Mode string to NoRules, no rules are created for IPv6. If your network is entirely IPv6, you might want to use this setting, use the ip6fw tool to create your own IPv6 rules, and create a script that reapplies them when Firewall service or the server restarts.

The IPv6Control key is a Boolean value that determines whether ip6fw starts or stops when ipfw starts or stops. If the value is true, ip6fw starts and stops together with ipfw. If the value is false, only ipfw starts or stops. By default the value is true.

Network infrastructure services ► Firewall service ► Understanding firewalls ► Common network administration tasks that use Firewall service

This section describes common uses of Firewall service in network administration. Your firewall is the first line of defense against unauthorized network intruders, malicious users, and network virus attacks that can harm data or abuse network resources.

Controlling or enabling peer-to-peer network usage

Sometimes network administrators must control the use of peer-to-peer (P2P) file sharing applications. Such applications might use network bandwidth and resources improperly or disproportionately. P2P file sharing might also pose a security or intellectual property risk for a business.


You can disable P2P networking by blocking incoming and outgoing traffic on the port number used by the P2P application. You must determine the port used for each P2P network in question; an application that picks its port dynamically cannot be controlled reliably by a port-based rule. By default, Lion Server's firewall blocks ports not specifically opened.

You can limit P2P network usage to IP addresses behind the firewall. To do so, open the P2P port for your LAN interface but continue to block the port on the interface connected to the Internet (the WAN interface). To learn how to make a firewall rule, see Configure advanced firewall rules (CLI) or Configure advanced firewall rules.

Controlling or enabling network game usage

Sometimes network administrators must control the use of network games. The games might use network bandwidth and resources improperly or disproportionately.

You can disable network gaming by blocking incoming and outgoing traffic on the port number used by the game. You must determine the port used for each network game in question. By default, Lion Server's firewall blocks all ports not specifically opened.

You can limit network game usage to IP addresses behind the firewall. To do so, open the relevant port on your LAN interface but continue to block the port on the interface connected to the Internet (the WAN interface). Some games require a connection to a gaming service for play, so this might not be effective.

You can open the firewall to specific games, permitting network games to connect to other players and game services outside the firewall. To do this, open the relevant port on your LAN and WAN interfaces. Some games require more than one port to be open. For networking details, consult the game's documentation.

Blocking Junk Mail

This section describes how to reject mail from a junk mail sender with an IP address of 17.128.100.0 (for example) while accepting all other Internet mail. In the Advanced pane, add a rule that denies TCP traffic from that address to port 25, and number it lower than the rule that permits SMTP from everyone else so that the deny is evaluated first.

Important: To block incoming SMTP mail from particular senders, restrict the deny rules you create to specific addresses or address ranges. If, for example, you set a rule on port 25 to deny mail from all addresses, no mail can be delivered to your users.

Network infrastructure services ► Firewall service ► Understanding firewalls ► Where to find more information

For more information about accessing and implementing the features of ipfw, the tool that controls Firewall service, see the ipfw man page.

Request for Comments (RFC) documents provide an overview of a protocol or service and describe how the protocol should behave.

If you’re a novice server administrator, you’ll probably find the background information in an RFC helpful.

If you’re an experienced server administrator, you can find all technical details about a protocol in its RFC document.

The RFC section of the following website contains several RFC numbers for various protocols: www.ietf.org/rfc.html.

The Internet Assigned Numbers Authority (IANA) maintains a list of well-known ports and of the TCP and UDP ports it has assigned for various protocols. The list can be found at www.iana.org/assignments/port-numbers.

Also, important multicast addresses are documented in the Assigned Numbers RFC, RFC 1700. Note that RFC 1700 has since been obsoleted by RFC 3232, which replaces the printed list with the online IANA registries; consult those registries for current assignments.

Network infrastructure services ► Firewall service ► Understanding firewalls ► TCP and UDP port reference

The following tables show the TCP and UDP port numbers commonly used by Mac OS X computers and Lion Server. Use these ports when you set up access rules. To view the RFCs referenced in the tables, see www.faqs.org/rfcs.

1–499

Port      Protocol   Description                                                    Reference
7         TCP, UDP   Echo                                                           RFC 862
20        TCP        FTP data                                                       RFC 959
21        TCP        FTP control                                                    RFC 959
22        TCP, UDP   Secure Shell (SSH); Open Directory replica setup
23        TCP, UDP   Telnet                                                         RFC 854
25        TCP, UDP   Mail: SMTP                                                     RFC 821
53        TCP, UDP   DNS                                                            RFC 1034
67        UDP        DHCP server (BootP), NetBoot server
68        UDP        DHCP client
69        UDP        Trivial File Transfer Protocol (TFTP)
79        TCP, UDP   Finger                                                         RFC 1288
80        TCP        HTTP (web)                                                     RFC 2068
88        TCP, UDP   Kerberos V5 KDC                                                RFC 1510
106       TCP, UDP   Open Directory Password Server (with 3659)
110       TCP, UDP   Mail: POP3                                                     RFC 1081
111       TCP, UDP   Remote Procedure Call (RPC)                                    RFC 1057
113       TCP, UDP   Authentication service                                         RFC 931
115       TCP        Simple File Transfer Protocol (SFTP)
119       TCP        Network News Transfer Protocol (NNTP)                          RFC 977
123       TCP, UDP   Network Time Protocol                                          RFC 1305
137       TCP, UDP   Windows Name Service (WINS)
138       TCP, UDP   Windows NetBIOS browsing
139       TCP        Windows file and print service (SMB/CIFS)                      RFC 1001, RFC 1002
143       TCP        Mail: IMAP                                                     RFC 2060
161       UDP        Simple Network Management Protocol (SNMP)
192       UDP        AirPort administration
201–208   TCP        AppleTalk
311       TCP        Server Admin over SSL, AppleShare IP remote web administration,
                     Server Monitor, Server Admin (servermgrd), Workgroup Manager
                     (DirectoryService)
389       TCP        LDAP (directory)                                               RFC 2251
407       TCP, UDP   Timbuktu
427       TCP, UDP   SLP (Service Location Protocol)
443       TCP        HTTPS (secure web over SSL)
445       TCP        Microsoft Domain Server (SMB over TCP)
465       TCP        Mail: SMTP over SSL
497       TCP, UDP   Dantz Retrospect

500–3999

Port          Protocol   Description                                                  Reference
500           UDP        VPN ISAKMP/IKE
513           UDP        Who
514           TCP        Shell, syslog
514           UDP        Syslog
515           TCP        LPR print spooling                                           RFC 1179
532           TCP        NetNews
548           TCP        AFP (Apple Filing Protocol)
554           TCP, UDP   QTSS RTSP streaming                                          RFC 2326
587           TCP        Mail: SMTP submission
591           TCP        FileMaker web access
600–1023      TCP, UDP   Mac OS X RPC-based services
625           TCP        Remote Directory Access
626           UDP        Serial number support for Snow Leopard Server and earlier
631           TCP, UDP   IPP printer sharing
636           TCP        LDAP over SSL
660           TCP        Server administration using Server Settings
687           TCP        Server administration using Server Admin
749           TCP, UDP   Kerberos administration and changepw using the kadmind
                         command-line tool
985           TCP        NetInfo static port
993           TCP        Mail: IMAP over SSL
995           TCP, UDP   Mail: POP3 over SSL
1099, 8043    TCP        Remote RMI and RMI/IIOP access to JBoss
1220          TCP        QTSS administration
1694          TCP        IP Failover
1701          UDP        VPN L2TP
1723          TCP        VPN PPTP                                                     RFC 2637
2000          TCP        Mail: Custom filtering (sieve)
2049          TCP, UDP   Network File System (NFS)
2336          TCP        Mobile account sync
2399          TCP        FileMaker data access layer
3004          TCP        iSync
3031          TCP, UDP   Program Linking, remote AppleEvents
3283          TCP, UDP   Apple Remote Desktop (with 5900)
3306          TCP        MySQL
3632          TCP        Xcode distributed compiler
3659          TCP, UDP   Open Directory Password Server (with 106)
3689          TCP        iTunes music sharing
3690          TCP        Subversion version control

Page 102: Lion Server_ Advanced Administration

4000–50999

Port               Protocol   Description                                                Reference
4111               TCP        Xgrid
4500               UDP        VPN IKE NAT traversal
5003               TCP, UDP   FileMaker name binding and transport
5060               UDP        iChat session initiation
5100               TCP        Camera and scanner sharing
5190               TCP, UDP   iChat, AOL Instant Messenger, and iChat file transfer
5222               TCP        iChat Server (Jabber/XMPP)
5223               TCP        iChat Server (Jabber/XMPP) over SSL
5269               TCP        iChat Server to server (Jabber/XMPP)
5297               UDP        iChat local subnet
5298               TCP, UDP   iChat local subnet
5353               UDP        Multicast DNS (Bonjour, mDNSResponder)
5432               TCP        Apple Remote Desktop 2.0 database
5678               UDP        iChat AV behind NAT
5900               TCP, UDP   VNC (Mac OS X screen sharing, Apple Remote Desktop 2.0)
5988, 5989         TCP        Apple Remote Desktop 2.0 CIM/OpenWBEM
6970–6999          UDP        QTSS RTP streaming
7070               TCP, UDP   QTSS RTSP Automatic Router Configuration Protocol (ARCP)
7777               TCP        iChat Server file transfer proxy
8000–8999          TCP        Web service
8000–8001          TCP        QTSS MP3 streaming
8005               TCP        Tomcat remote shutdown
8008, 8443         TCP        iCal Server and iCal Server SSL
8080               TCP        HTTP (web service alternative, Apache 2 default)
8088               TCP        Software Update server
8080, 8443, 9006   TCP        Tomcat standalone and JBoss
8800, 8843         TCP        Address Book Server and Address Book Server SSL
9007               TCP        Tomcat remote web server access to AJP port
16384–16403        UDP        iChat audio/video RTP and RTCP
42000–42999        TCP        iTunes radio streams
49152–65535        TCP        FTP service PASV port range
50003              TCP, UDP   FileMaker Server service (Windows) or daemon (Mac OS X)
50006              TCP, UDP   FileMaker Server Helper service (Windows) or daemon (Mac OS X)

A–Z by service

Port               Protocol   Service
8800, 8843         TCP        Address Book Server and Address Book Server SSL
548                TCP        AFP (Apple Filing Protocol)
192                UDP        AirPort administration
3283               TCP, UDP   Apple Remote Desktop (with 5900)
5988, 5989         TCP        Apple Remote Desktop 2.0 CIM/OpenWBEM
5432               TCP        Apple Remote Desktop 2.0 database
201–208            TCP        AppleTalk
113                TCP, UDP   Authentication service
5100               TCP        Camera and scanner sharing
497                TCP, UDP   Dantz Retrospect
68                 UDP        DHCP client
67                 UDP        DHCP server (BootP), NetBoot server
53                 TCP, UDP   DNS
7                  TCP, UDP   Echo
2399               TCP        FileMaker data access layer
5003               TCP, UDP   FileMaker name binding and transport
50006              TCP, UDP   FileMaker Server Helper service (Windows) or daemon (Mac OS X)
50003              TCP, UDP   FileMaker Server service (Windows) or daemon (Mac OS X)
591                TCP        FileMaker web access
79                 TCP, UDP   Finger
21                 TCP        FTP control
20                 TCP        FTP data
49152–65535        TCP        FTP service PASV port range
443                TCP        HTTPS (secure web over SSL)
80                 TCP        HTTP (web)
8080               TCP        HTTP (web service alternative, Apache 2 default)
8008, 8443         TCP        iCal Server and iCal Server SSL
16384–16403        UDP        iChat audio/video RTP and RTCP
5678               UDP        iChat AV behind NAT
5297               UDP        iChat local subnet
5298               TCP, UDP   iChat local subnet
5222               TCP        iChat Server (Jabber/XMPP)
5223               TCP        iChat Server (Jabber/XMPP) over SSL
5269               TCP        iChat Server to server (Jabber/XMPP)
7777               TCP        iChat Server file transfer proxy
5060               UDP        iChat session initiation
5190               TCP, UDP   iChat, AOL Instant Messenger, and iChat file transfer
1694               TCP        IP failover
631                TCP, UDP   IPP printer sharing
3004               TCP        iSync
3689               TCP        iTunes music sharing
42000–42999        TCP        iTunes radio streams
749                TCP, UDP   Kerberos administration and changepw using the kadmind command-line tool
88                 TCP, UDP   Kerberos V5 KDC
389                TCP        LDAP (directory)
636                TCP        LDAP over SSL
515                TCP        LPR print spooling
600–1023           TCP, UDP   Mac OS X RPC-based services
2000               TCP        Mail: Custom filtering (sieve)
143                TCP        Mail: IMAP
993                TCP        Mail: IMAP over SSL
110                TCP, UDP   Mail: POP3
995                TCP, UDP   Mail: POP3 over SSL
25                 TCP, UDP   Mail: SMTP
465                TCP        Mail: SMTP over SSL
587                TCP        Mail: SMTP submission
445                TCP        Microsoft Domain Server (SMB over TCP)
2336               TCP        Mobile account sync
5353               UDP        Multicast DNS (Bonjour, mDNSResponder)
3306               TCP        MySQL
985                TCP        NetInfo static port
532                TCP        NetNews
2049               TCP, UDP   Network File System (NFS)
119                TCP        Network News Transfer Protocol (NNTP)
123                TCP, UDP   Network Time Protocol
3659               TCP, UDP   Open Directory Password Server (with 106)
106                TCP, UDP   Open Directory Password Server (with 3659)
3031               TCP, UDP   Program linking, remote AppleEvents
1220               TCP        QTSS administration
8000–8001          TCP        QTSS MP3 streaming
6970–6999          UDP        QTSS RTP streaming
7070               TCP, UDP   QTSS RTSP Automatic Router Configuration Protocol (ARCP)
554                TCP, UDP   QTSS RTSP streaming
625                TCP        Remote directory access
111                TCP, UDP   Remote procedure call (RPC)
1099, 8043         TCP        Remote RMI and RMI/IIOP access to JBoss
22                 TCP, UDP   Secure shell (SSH); Open Directory replica setup
626                UDP        Serial number support for Snow Leopard Server and earlier
311                TCP        Server Admin over SSL, AppleShare IP remote web administration,
                              Server Monitor, Server Admin (servermgrd), Workgroup Manager
                              (DirectoryService)
687                TCP        Server administration using Server Admin
660                TCP        Server administration using Server Settings
514                TCP        Shell, syslog
115                TCP        Simple File Transfer Protocol (SFTP)
161                UDP        Simple Network Management Protocol (SNMP)
427                TCP, UDP   SLP (Service Location Protocol)
8088               TCP        Software Update server
3690               TCP        Subversion version control
514                UDP        Syslog
23                 TCP, UDP   Telnet
407                TCP, UDP   Timbuktu
8005               TCP        Tomcat remote shutdown
9007               TCP        Tomcat remote web server access to AJP port
8080, 8443, 9006   TCP        Tomcat standalone and JBoss
69                 UDP        Trivial File Transfer Protocol (TFTP)
5900               TCP, UDP   VNC (Mac OS X screen sharing, Apple Remote Desktop 2.0)
4500               UDP        VPN IKE NAT traversal
500                UDP        VPN ISAKMP/IKE
1701               UDP        VPN L2TP
1723               TCP        VPN PPTP
8000–8999          TCP        Web service
513                UDP        Who
139                TCP        Windows file and print service (SMB/CIFS)
137                TCP, UDP   Windows Name Service (WINS)
138                TCP, UDP   Windows NetBIOS browsing
3632               TCP        Xcode distributed compiler
4111               TCP        Xgrid

Network infrastructure services ► Firewall service ► Understanding firewalls ► Rule mechanism and precedence

The rules in the Firewall Settings Services pane operate with the rules shown in the Advanced pane.

Usually, the broad rules in the Advanced pane block access for all ports. These are lower-priority (higher-numbered) rules and are applied after the rules in the Services pane.

The rules created with the Services pane open access to specific services and are higher priority (lower-numbered). They take precedence over those created in the Advanced pane.


If you create multiple rules in the Advanced pane, the precedence of a rule is determined by its rule number. This number corresponds to the order of the rule in the Advanced pane.

Rules can be reordered by dragging them in the list in the Firewall Settings Advanced pane.

For most normal uses, opening access to designated services in the Services pane is sufficient. If necessary, add more rules using the Advanced pane.

Network infrastructure services ► Firewall service ► Understanding firewalls ► About the subnet mask

A subnet mask indicates the segments in the specified IP address that can vary on a network and by how much.

The subnet mask is given in Classless Inter-Domain Routing (CIDR) notation. It consists of the IP address followed by a slash (/) and a number from 1 to 32, called the IP prefix (or prefix length).

An IP prefix identifies the number of significant bits used to identify a network.

For example, 192.168.2.1/16 means that the first 16 bits (the first two numbers separated by periods) represent the network, so every machine on the network begins with 192.168, and the remaining 16 bits (the last two numbers separated by periods) identify hosts. Each machine has a unique set of trailing numbers.

Subnet masks can also be given in netmask notation: the IP address followed by a colon (:) and the netmask. A netmask is a group of 4 numbers, each from 0 to 255, separated by periods; it carries the same information as the slash and prefix in CIDR notation.

The following table maps each CIDR prefix to the equivalent netmask and the number of addresses in the range (2 raised to the power of 32 minus the prefix).

CIDR   Netmask            Number of addresses in the range
/1     128.0.0.0          2147483648
/2     192.0.0.0          1073741824
/3     224.0.0.0          536870912
/4     240.0.0.0          268435456
/5     248.0.0.0          134217728
/6     252.0.0.0          67108864
/7     254.0.0.0          33554432
/8     255.0.0.0          16777216
/9     255.128.0.0        8388608
/10    255.192.0.0        4194304
/11    255.224.0.0        2097152
/12    255.240.0.0        1048576
/13    255.248.0.0        524288
/14    255.252.0.0        262144
/15    255.254.0.0        131072
/16    255.255.0.0        65536
/17    255.255.128.0      32768
/18    255.255.192.0      16384
/19    255.255.224.0      8192
/20    255.255.240.0      4096
/21    255.255.248.0      2048
/22    255.255.252.0      1024
/23    255.255.254.0      512
/24    255.255.255.0      256
/25    255.255.255.128    128
/26    255.255.255.192    64
/27    255.255.255.224    32
/28    255.255.255.240    16
/29    255.255.255.248    8
/30    255.255.255.252    4
/31    255.255.255.254    2
/32    255.255.255.255    1
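The following is an added example, not code from this guide. It converts between the two subnet-mask notations the firewall accepts, computes the address count in the table above, and parses the three address forms the Advanced pane takes (a single address, CIDR, or IP:netmask) so you can check which hosts a rule will actually cover. It handles IPv4 only, and the function names are this example's own.

```python
"""CIDR and netmask helpers for firewall address ranges (added example)."""
import ipaddress


def _mask_bits(prefix: int) -> int:
    """The 32-bit netmask for a prefix length, e.g. 24 -> 0xFFFFFF00."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_to_netmask(prefix: int) -> str:
    """/24 -> '255.255.255.0'"""
    bits = _mask_bits(prefix)
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask_to_prefix(mask: str) -> int:
    """'255.255.254.0' -> 23; rejects masks whose one-bits are not contiguous."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != _mask_bits(prefix):
        raise ValueError(f"{mask} is not a valid netmask")
    return prefix


def address_count(prefix: int) -> int:
    """Number of addresses in a /prefix range: 2 ** (32 - prefix)."""
    _mask_bits(prefix)                     # validates the prefix
    return 1 << (32 - prefix)


def parse_address_spec(spec: str) -> ipaddress.IPv4Network:
    """Accept the three forms the Advanced pane takes: a single address
    (192.168.2.2), CIDR (192.168.2.0/24) or IP:netmask (192.168.2.0:255.255.255.0).
    Host bits set in the address are cleared, so 192.168.2.1/16 means 192.168.0.0/16."""
    if ":" in spec:
        host, mask = spec.split(":", 1)
        spec = f"{host}/{netmask_to_prefix(mask)}"
    return ipaddress.IPv4Network(spec, strict=False)


def covers(spec: str, address: str) -> bool:
    """True if a rule written with address spec `spec` applies to `address`."""
    return ipaddress.IPv4Address(address) in parse_address_spec(spec)


if __name__ == "__main__":
    for spec in ("192.168.2.2", "192.168.2.0/24", "192.168.2.0:255.255.255.0", "192.168.2.1/16"):
        net = parse_address_spec(spec)
        print(f"{spec:28} -> {net}  ({address_count(net.prefixlen)} addresses)")
```

A non-contiguous mask such as 255.0.255.0 is rejected rather than silently mapped to a prefix, since ipfw rules only express contiguous prefixes and a typo of that kind would otherwise widen or narrow the rule unpredictably.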

Network infrastructure services ► Firewall service ► Setting up firewalls ► Firewall setup overview

After you decide the types of rules to configure, use the following steps to set up Firewall service.

Step 1: Learn and plan

If you’re new to working with Firewall service, learn and understand firewall concepts, tools, and features of Lion Server.

Then determine which services to provide access to. Mail, Web, and FTP services generally require access from computers on theInternet. File and Print services are more likely to be restricted to your local subnet.

After you decide the services to protect using Firewall service, determine the IP addresses you want to access your server and theIP addresses you want to deny. Then configure the suitable rules.

Step 2: Turn Firewall service on

In Server Admin, select Firewall and click Start Firewall. By default, this blocks all incoming ports except those used to configure the server remotely. If you're configuring the server locally, turn off external access immediately.

Important: If you add or change a rule after starting Firewall service, the new rule affects connections already established with the server. For example, if you deny access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.

Step 3: Configure firewall address groups settings

Create an IP address group that the firewall rules apply to. By default, an IP address group is created for all incoming IP addresses. Rules applied to this group affect all incoming network traffic.

Step 4: Configure firewall service settings

Activate service rules for each address group. In the Services pane, you can activate rules based on address groups as destination IP addresses.

Step 5: Configure firewall logging settings

Use logging settings to enable Firewall service event logging. You can also set what types and how many packets get logged.

Step 6: Configure firewall advanced settings

Configure advanced firewall rules to further configure other services, strengthen network security, and fine-tune your network traffic through the firewall.

By default, UDP traffic is blocked, except traffic arriving in response to an outgoing query. Apply rules to UDP ports sparingly, if at all, because denying some UDP responses could inhibit normal networking operations.

If you configure rules for UDP ports, don't select "Log all allowed packets" in the Firewall Logging settings pane in Server Admin. Because UDP is a connectionless protocol, every packet to a UDP port is logged if you select this option.


Step 7: Turn Firewall service on

You turn Firewall service on using Server Admin.

Important: If you add or change a rule after starting Firewall service, the new rule affects connections already established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.

Network infrastructure services ► Firewall service ► Setting up firewalls ► About firewall rules

What a firewall rule is

A firewall rule is a set of characteristics for an IP packet, coupled with an action to be taken for each packet that matches the characteristics. The characteristics might include the protocol, source or destination address, source or destination port, or network interface.

Addresses might be expressed as a single IP address or might include a range of addresses.

A service port might be expressed as a single value, a list of values, or a range of values.

The IP address and subnet mask determine the range of IP addresses the rule applies to, and can be set to apply to all addresses.

Basic firewall practices

By default, Lion Server uses a simple model for a useful, secure firewall. If a firewall is too restrictive, the network behind it can be too isolated. If a firewall is too permissive, it fails to secure the assets behind it.

Adhering to the following aspects of the basic model provides maximum flexibility and utility with minimum risk:

Permit essential IP activity.

Essential IP activity includes the network activities necessary to use IP and function in an IP environment. These activities include operations such as loopback and are expressed as high-priority (low-numbered) rules, visible in the Advanced pane of Firewall service settings. These rules are configured for you.

Permit service-specific activity.

Service-specific activity refers to network packets destined for specific service ports, such as web or mail services. By permitting traffic to access ports with designated, configured services, you permit access through the firewall on a per-service basis.

These services are expressed as medium-priority rules and correspond to checkboxes in the Services pane of Firewall settings. You make these changes based on your settings and address groups.

Deny packets not already permitted.

This is the final catch-all practice. If a packet or traffic to a port is unsolicited, the packet or traffic is discarded and not permitted to reach its destination. This is expressed as low-priority (high-numbered) rules, visible in the Advanced pane of Firewall service settings. A basic set of deny rules for the firewall is created by default.

Network infrastructure services ► Firewall service ► Setting up firewalls ► Start Firewall service (CLI)

You can use serveradmin to start the service.

Before you turn on Firewall service, make sure you've set up rules permitting access from the IP addresses you choose; otherwise, no one can access your server.

By default, Firewall service blocks incoming TCP connections and denies UDP packets, except those received in response to outgoing requests from the server.

If you add or change a rule after starting Firewall service, the new rule affects connections already established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.


sudo serveradmin start ipfilter

Network infrastructure services ► Firewall service ► Setting up firewalls ► Start Firewall service

You can use Server Admin to start the service.

Before you turn on Firewall service, make sure you've set up rules permitting access from the IP addresses you choose; otherwise, no one can access your server.

By default, Firewall service blocks incoming TCP connections and denies UDP packets, except those received in response to outgoing requests from the server.

If you add or change a rule after starting Firewall service, the new rule affects connections already established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Below the Servers list, click the Start Firewall button.

Network infrastructure services ► Firewall service ► Setting up firewalls ► Stop Firewall service (CLI)

You use serveradmin to stop Firewall service.

sudo serveradmin stop ipfilter

Network infrastructure services ► Firewall service ► Setting up firewalls ► Stop Firewall service

You use Server Admin to stop Firewall service.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Stop Firewall.

5. Click Stop Now.

Network infrastructure services ► Firewall service ► Setting up firewalls ► Enable firewall administration

Before you can configure firewall settings, you must turn Firewall service on in Server Admin.

1. Open Server Admin and connect to the server.


2. Click Settings.

3. Click Services.

4. Select the Firewall checkbox.

5. Click Save.

Network infrastructure services ► Firewall service ► Configuring firewalls ► Configure advanced firewall rules (CLI)

You use the Advanced Settings pane in Server Admin to configure specific rules for Firewall service.

Firewall rules contain originating and destination IP addresses with subnet masks. They also specify what to do with incoming network traffic. You can apply a rule to all IP addresses, a specific IP address, or a range of IP addresses.

Addresses can be listed as individual addresses (192.168.2.2), IP address and subnet mask in CIDR notation (192.168.2.0/24),or IP address and subnet mask in netmask notation (192.168.2.0:255.255.255.0).

Parameter Description

rule A unique rule number.

Other parameters The standard rule settings described under Firewall command-line parameters.

Add a rule:

$ sudo serveradmin settings
ipfilter:rules:_array_id:rule = create
ipfilter:rules:_array_id:rule:source = source
ipfilter:rules:_array_id:rule:protocol = protocol
ipfilter:rules:_array_id:rule:destination = destination
ipfilter:rules:_array_id:rule:action = action
ipfilter:rules:_array_id:rule:enableLocked = (yes|no)
ipfilter:rules:_array_id:rule:enabled = (yes|no)
ipfilter:rules:_array_id:rule:log = (yes|no)
ipfilter:rules:_array_id:rule:readOnly = (yes|no)
ipfilter:rules:_array_id:rule:source-port = port
Control-D
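The following is an added example, not Apple's tooling or code from this guide. It fills in the stanza above from checked inputs: the rule number is validated against the ipfw range, the action and protocol against the choices the Advanced pane offers, and each address is normalised from any of the three notations the pane accepts to canonical CIDR. The key layout follows the stanza on this page, with the rule number in the position the page labels "rule" after _array_id; only the keys the page lists are emitted, in the page's unquoted form. The function and constant names are this example's own.

```python
"""Build a serveradmin 'settings' stanza for one advanced firewall rule (added example)."""
import ipaddress

ACTIONS = ("allow", "deny", "log")                            # Action pop-up, or Other such as log
PROTOCOLS = ("tcp", "udp", "icmp", "esp", "ipencap", "ip")    # pop-up choices plus the page's Other examples


def normalise_address(spec: str) -> str:
    """'any', 192.168.2.2, 192.168.2.0/24 or 192.168.2.0:255.255.255.0 -> canonical CIDR."""
    if spec == "any":
        return "any"
    if ":" in spec:
        host, mask = spec.split(":", 1)
        spec = f"{host}/{mask}"          # ipaddress accepts a dotted netmask after the slash
    return str(ipaddress.ip_network(spec, strict=False))


def yes_no(flag: bool) -> str:
    return "yes" if flag else "no"


def rule_stanza(number, action, protocol, source, destination,
                source_port=None, enabled=True, log=False):
    """Return the text to feed to 'sudo serveradmin settings' on standard input."""
    if not 1 <= number <= 65535:
        raise ValueError("ipfw rule numbers run from 1 to 65535")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}")
    if source_port is not None and not 0 < source_port < 65536:
        raise ValueError(f"port {source_port} out of range")
    prefix = f"ipfilter:rules:_array_id:{number}"
    lines = [
        f"{prefix} = create",
        f"{prefix}:source = {normalise_address(source)}",
        f"{prefix}:protocol = {protocol}",
        f"{prefix}:destination = {normalise_address(destination)}",
        f"{prefix}:action = {action}",
        f"{prefix}:enableLocked = no",     # only Apple's default rules are locked
        f"{prefix}:enabled = {yes_no(enabled)}",
        f"{prefix}:log = {yes_no(log)}",
        f"{prefix}:readOnly = no",
    ]
    if source_port is not None:
        lines.append(f"{prefix}:source-port = {source_port}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The page's junk-mail scenario: deny one sender on port 25. Rule number assumed.
    print(rule_stanza(12300, "deny", "tcp", "17.128.100.0", "any", source_port=25, log=True))
```

Write the returned text to a file and redirect it into `sudo serveradmin settings`, which ends the input at end-of-file just as Control-D does interactively. Keep the number below the rule that permits SMTP generally, since the lower number is evaluated first.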

Network infrastructure services ► Firewall service ► Configuring firewalls ► Configure advanced firewall rules

You use the Advanced Settings pane in Server Admin to configure specific rules for Firewall service.

Firewall rules contain originating and destination IP addresses with subnet masks. They also specify what to do with incoming network traffic. You can apply a rule to all IP addresses, a specific IP address, or a range of IP addresses.

Addresses can be listed as individual addresses (192.168.2.2), IP address and subnet mask in CIDR notation (192.168.2.0/24),or IP address and subnet mask in netmask notation (192.168.2.0:255.255.255.0).

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings, then click Advanced.


5. Click the Add button (+).

Alternatively, you can select a rule similar to the one you want to create, click Duplicate, and then click Edit.

6. In the Action pop-up menu, select whether this rule permits or denies access.

If you choose Other, enter the action desired (for example, log).

7. From the Protocol pop-up menu, choose a protocol.

If you choose Other, enter the protocol desired (for example, icmp, esp, ipencap).

8. From the Service pop-up menu, choose a service.

To select a nonstandard service port, choose Other.

9. If needed, choose to log all packets that match the rule.

10. For the source of filtered traffic, choose an address group from the Source:Address pop-up menu.

If you don't want to use an existing address group, choose Other and enter the source IP address range (using CIDR notation) to filter.

If you want it to apply to any address, choose “any” from the pop-up menu.

11. If you selected a nonstandard service port, enter the source port number.

12. For the destination of filtered traffic, choose an address group from the Destination:Address pop-up menu.

If you don't want to use an existing address group, choose Other and enter the destination IP address range (using CIDR notation).

If you want it to apply to any address, choose “any” from the pop-up menu.

13. If you selected a nonstandard service port, enter the destination port number.

14. From the Interface pop-up menu that this rule will apply to, choose In or Out.

In refers to the packets being sent to the server.

Out refers to the packets being sent from the server.

15. If you select Other, enter the interface name (en0, en1, fw1, and so on).

16. Click OK.

17. Click Save to apply the rule immediately.

Network infrastructure services ► Firewall service ► Configuring firewalls ► About firewall rules in the ipfw configuration file

An ipfw configuration, or ruleset, is made of a list of rules numbered from 1 to 65535. The file where you can define your rules is /etc/ipfilter/ipfw.conf. Firewall service reads this file but doesn't modify it. Its contents are annotated and include commented-out rules you can use as models.

Packets are passed to ipfw from a number of places in the protocol stack. (Depending on the source and destination of the packet, ipfw can be invoked multiple times on the same packet.) The packet passed to the firewall is compared with each rule in the ruleset, in rule-number order. When a match is found, the action corresponding to the matching rule is performed.

Important: Misconfiguring the firewall can put your computer in an unusable state, possibly shutting down network services and requiring console access to regain control of it.

You can configure ipfw with a variety of commands.

For information about command-line parameters, see Firewall command-line parameters. For information about serveradmin and ipfw, see their man pages.
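The following is an added example and is not Apple's ipfw or code from this guide. It models how an ipfw ruleset is evaluated, as described here and under Rule mechanism and precedence and What a firewall rule is: rules are tried in ascending number and the first match decides. It lets you check on paper that a Services-pane allow (low number) wins over an Advanced-pane deny, that the catch-all catches the rest, and that the junk-mail and LAN-only P2P rules from the common tasks section behave as intended. The ruleset, its rule numbers, the addresses and the P2P port 6881 are constructed; only 65535, ipfw's built-in default rule, is fixed by ipfw itself. Stateful keep-state/check-state matching and the NAT divert rule are not modelled.

```python
"""Minimal model of ipfw first-match rule evaluation (added example, not ipfw)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int                       # 1..65535; lower numbers are tried first
    action: str                       # "allow" or "deny"
    proto: str                        # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str                          # "any" or an address in CIDR form
    dst: str                          # "any" or an address in CIDR form
    dport: Optional[int] = None       # destination port; None matches any port
    via: Optional[str] = None         # interface name (en0, en1, lo0); None matches any
    direction: Optional[str] = None   # "in", "out", or None for both


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str
    direction: str


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every field the rule specifies must agree with the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return True


def evaluate(ruleset, pkt: Packet):
    """Return (action, rule number) of the lowest-numbered matching rule.
    The number, not the list position, decides precedence, as in ipfw."""
    for rule in sorted(ruleset, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    raise LookupError("no rule matched; a real ipfw ruleset always ends in rule 65535")


SERVER = "192.168.2.1"   # constructed: the server's own address

# Constructed ruleset laid out in the page's three layers (essential, service, catch-all).
RULESET = [
    Rule(1000, "allow", "ip", "any", "any", via="lo0"),                  # essential: loopback
    Rule(12300, "deny", "tcp", "17.128.100.0/32", "any", 25),            # the page's junk-mail sender
    Rule(12310, "allow", "tcp", "any", "any", 25),                       # Services pane: SMTP for everyone else
    Rule(12320, "allow", "tcp", "any", "any", 22),                       # Services pane: SSH
    Rule(12330, "allow", "tcp", "192.168.2.0/24", "any", 6881,           # P2P port (6881 assumed), LAN side only
         via="en1", direction="in"),
    Rule(65535, "deny", "ip", "any", "any"),                             # catch-all: deny whatever nothing permitted
]


def decide(proto, src, dport, iface, direction="in", ruleset=RULESET, dst=SERVER):
    """Evaluate one packet addressed to the server against a ruleset."""
    return evaluate(ruleset, Packet(proto, src, dst, dport, iface, direction))


if __name__ == "__main__":
    for args in (("tcp", "17.128.100.0", 25, "en0"), ("tcp", "203.0.113.5", 25, "en0"),
                 ("tcp", "192.168.2.10", 6881, "en1"), ("tcp", "198.51.100.4", 6881, "en0")):
        print(args, "->", decide(*args))
```

Renumbering the junk-mail deny above the SMTP allow silently lets that sender through, which is why the Advanced pane orders rules by number and why a deny for a specific host must carry a lower number than the broad allow it is meant to carve out of.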

Network infrastructure services ► Firewall service ► Configuring firewalls ► Edit or delete advanced firewall rules


You can remove or edit advanced firewall rules. If you think you'll use a rule again and only want to disable it, you can deselect the rule rather than deleting it. If you edit a rule after turning on Firewall service, your changes affect connections already established with the server. For example, if computers are connected to your web server and you change the rule to deny all access to the server, the connected computers are disconnected.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings, then click Advanced.

5. To edit a rule, click the Edit button (/) below the Advanced Rules list, edit the rule as needed, and then click OK.

6. To delete a rule, click the Delete button (–) below the Advanced Rules list.

Default rules, designated by the lock icon, cannot be edited or deleted.

7. Click Save.

Edit or delete items in the services list

You can remove or edit ports in the Services list. This enables you to customize service choices for your convenience.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings, then click Services.

5. Select the service you want to change, then do the following:

a. To edit the service, click the Edit button (/) below the services list.

b. To delete the service, click the Delete button (–) below the services list.

6. Edit the name, port, or protocol as needed, and click OK.

7. Click Save.

Configure for standard services (CLI)

By default, Firewall service permits UDP connections and blocks incoming TCP connections on ports that are not essential for remote administration of the server. Also, by default, stateful rules are in place that permit specific responses to outgoing requests.

Before you turn on Firewall service, make sure you’ve set up rules permitting access from IP addresses you choose; otherwise, no one can access your server.

You can easily permit standard services through the firewall without advanced and extensive configuration. Standard services include:

SSH access

Web service

Apple File service

Windows File service


DNS/Multicast DNS

ICMP Echo Reply (incoming pings)

IGMP

PPTP VPN

L2TP VPN

iTunes Music Sharing

Important: If you add or change a rule after starting Firewall service, the new rule affects connections established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.

Parameter    Description
setting      An ipfilter service setting. See Firewall command-line parameters.
value        A value for the setting.

For information about serveradmin, see its man page.

To view a setting:
$ sudo serveradmin settings ipfilter:setting

To view a group of settings:
$ sudo serveradmin settings ipfilter:ipAddressGroups:*

Enter as much of the name as you want, stopping at a colon (:), and then enter an asterisk (*) as a wildcard for the remaining parts of the name.

To view all service configuration settings:
$ sudo serveradmin settings ipfilter

To change a setting:
$ sudo serveradmin settings ipfilter:setting = value

To change several settings, enter the settings one per line after the command and end the input with Control-D:
$ sudo serveradmin settings
ipfilter:setting = value
ipfilter:setting = value
ipfilter:setting = value
[...]
Control-D

Configure for standard services

By default, Firewall service permits UDP connections and blocks incoming TCP connections on ports that are not essential for remote administration of the server. Also, by default, stateful rules are in place that permit specific responses to outgoing requests.

Before you turn on Firewall service, make sure you’ve set up rules permitting access from IP addresses you choose; otherwise, no one can access your server.

You can easily permit standard services through the firewall without advanced and extensive configuration. Standard services include:

SSH access

Web service

Apple File service

Windows File service

DNS/Multicast DNS

ICMP Echo Reply (incoming pings)

IGMP

PPTP VPN

L2TP VPN

iTunes Music Sharing


Important: If you add or change a rule after starting Firewall service, the new rule affects connections established with the server. For example, if you deny all access to your FTP server after starting Firewall service, computers connected to your FTP server are disconnected.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings, then click Services.

5. From the “Editing Services for” pop-up menu, select an address group.

6. For the address group, choose to permit all traffic from any port or to permit traffic on designated ports.

7. For each service you want the address group to use, select Allow.

If you don’t see the service you need, add a port and description to the services list.

To create a custom rule, see Configure advanced firewall rules (CLI) or Configure advanced firewall rules.

8. Click Save.

Add to the services list

You can add custom ports to the Services list. This enables you to open specific ports to address groups without creating an advanced IP rule.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings, then click Services.

5. Below the services list, click the Add button (+).

6. Enter a rule name for the service.

7. Enter a single port (for example, 22) or a port range (for example, 650-750).

8. Choose a protocol.

If you want a protocol other than TCP or UDP, use the Advanced settings to create a custom rule.

9. Click OK.

10. Click Save.

Enable stealth mode

You can hide your firewall by choosing not to send a connection failure notification to any connection that is blocked by the firewall. This is called stealth mode, and it effectively hides your server’s closed ports.

For example, if a network intruder tries to connect to your server and the port is blocked, the rejection still tells him or her that there is a server there, and he or she can look for other ways to intrude.

If stealth mode is enabled, the attempt is not rejected with a notification; the intruder receives no indication that a connection attempt took place.


1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings, then click Advanced.

5. Select “Enable for TCP,” “Enable for UDP,” or both, as needed.

6. Click Save.

Change the order of advanced firewall rules

The priority level of an advanced firewall rule is determined by its order in the Advanced Rules list. Default rules that are locked cannot be reordered in the list.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings, then click Advanced.

5. Drag the rules to reorder them in the needed sequence.

Default rules, which are designated by the lock icon, cannot be reordered.

6. Click Save.
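The following Python model is added here as an illustration; it is not code from Apple’s documentation or from Firewall service. It shows the two points made in the ipfw configuration section and in this one: ipfw walks the numbered ruleset and stops at the first matching rule, and moving a rule in the Advanced Rules list (changing its rule number) can change what happens to a packet. The rule fields are a simplified subset of ipfw’s, only allow and deny actions are modelled, and the rule numbers and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """A simplified ipfw rule: only the fields needed to show first-match semantics."""
    number: int                      # 1..65535; lower numbers are consulted first
    action: str                      # "allow" or "deny" (divert, count, etc. are not modelled)
    proto: str                       # "tcp", "udp", "icmp", or "ip" (ip matches any protocol)
    src: str                         # source in CIDR notation, or "any"
    dst: str                         # destination in CIDR notation, or "any"
    dport: Optional[int] = None      # destination port; None matches any port
    direction: Optional[str] = None  # "in", "out", or None for either direction


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    direction: str


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return _addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)


def evaluate(rules: List[Rule], pkt: Packet) -> Rule:
    """Walk the ruleset in rule-number order and return the first rule that matches.

    Like ipfw, evaluation stops at the first match, so a later rule never sees a
    packet that an earlier rule already decided. The ruleset must end in a
    catch-all rule, as a generated ruleset does (the page's log example shows
    rule 65000 as the deny-all rule).
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule
    raise ValueError("ruleset has no catch-all rule")


def renumber(rules: List[Rule], old: int, new: int) -> List[Rule]:
    """Copy of the ruleset with one rule moved to a different number, which is
    what dragging a rule to a new position in the Advanced Rules list amounts to."""
    return [Rule(new if r.number == old else r.number, r.action, r.proto,
                 r.src, r.dst, r.dport, r.direction) for r in rules]


def decide(rules: List[Rule], proto: str, src: str, dst: str,
           dport: int, direction: str = "in") -> Tuple[int, str]:
    """(matching rule number, its action) for one packet."""
    r = evaluate(rules, Packet(proto, src, dst, dport, direction))
    return r.number, r.action


# Constructed ruleset; rule numbers and addresses are hypothetical.
RULESET = [
    Rule(100, "allow", "tcp", "192.168.2.0/24", "any", 22, "in"),  # SSH from the LAN only
    Rule(200, "deny", "tcp", "any", "any", 22, "in"),               # SSH from anywhere else
    Rule(65000, "deny", "ip", "any", "any"),                        # catch-all deny
]

# The same three rules after the LAN allow has been dragged below the deny:
# rule 200 now matches LAN clients first and the allow at 300 is never reached.
REORDERED = renumber(RULESET, 100, 300)

if __name__ == "__main__":
    print(decide(RULESET, "tcp", "192.168.2.15", "192.168.2.1", 22))    # (100, 'allow')
    print(decide(REORDERED, "tcp", "192.168.2.15", "192.168.2.1", 22))  # (200, 'deny')
```

The catch-all deny at the end is what makes the order matter: anything the specific rules do not decide falls through to it, so an allow placed after a broader deny is dead, and the only visible symptom is that the clients it was meant for are refused.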

Configure address group settings

You can define groups of IP addresses for firewall rules. Then you can use these groups to organize and target the rules.

The “any” address group is for all addresses. Two other IP address groups are present by default, intended for the entire 10-net range of private addresses and the entire 192.168-net range of private addresses.

Addresses can be listed as individual addresses (192.168.2.2), IP addresses and subnet mask in CIDR notation (192.168.2.0/24), or IP addresses and subnet mask in netmask notation (192.168.2.0:255.255.255.0).

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings, then click Address Groups.

5. Below the Address Group pane, click the Add button (+).

6. In the Group name field, enter a group name.

7. Use the Add (+) and Delete (–) buttons to enter the IP addresses you want the rules to affect.

To indicate any IP address, use the word “any.”

8. Click OK.

9. Click Save.


Create an address group

Use Server Admin to create address groups for Firewall service.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings, then click Address Groups.

5. Below the IP Address Groups list, click the Add button (+).

6. In the Group name field, enter a group name.

7. Use the Add (+) and Delete (–) buttons to enter the addresses and subnet mask you want the rules to affect.

To indicate any IP address, use the word “any.”

8. Click OK.

9. Click Save.

Duplicate an address group

You can duplicate address groups from your firewall rule list. This can help speed configuration of similar address groups.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings, then click Address Groups.

5. From the IP Address Groups list, select the group name.

6. Below the IP Address Groups list, click the Duplicate button.

7. Make the required modifications and click OK.

8. Click Save.

Edit or delete an address group

You can edit address groups to change the range of IP addresses affected.

The default address group is for all addresses. You can remove address groups from your firewall rule list. The rules associated with those addresses are also deleted.

Addresses can be listed as individual addresses (192.168.2.2), IP address and network mask in CIDR notation (192.168.2.0/24), or IP address and network mask in netmask notation (192.168.2.0:255.255.255.0).
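As an added example, not code from the page or from Server Admin, the following Python accepts the three address notations described here and in the address group overview, resolves which groups a given client address falls into, and reports groups whose ranges overlap, which is worth checking before writing rules against them. The names of the three default groups are taken from the page’s descriptions of them (the exact names Server Admin displays are not given on the page); the “lan-admins” group is constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


def parse_address_spec(spec: str):
    """Parse one entry in any form Server Admin accepts: a single address
    (192.168.2.2), CIDR notation (192.168.2.0/24), netmask notation
    (192.168.2.0:255.255.255.0), or the word "any" (returned as 0.0.0.0/0)."""
    spec = spec.strip()
    if spec.lower() == "any":
        return ip_network("0.0.0.0/0")
    if ":" in spec:                        # netmask notation, address:mask
        addr, mask = spec.split(":", 1)
        return ip_network(f"{addr}/{mask}", strict=False)
    return ip_network(spec, strict=False)  # CIDR, or a single address as a /32


class AddressGroups:
    """Named address groups of the kind firewall rules are targeted at."""

    def __init__(self) -> None:
        self.groups: Dict[str, list] = {}

    def add(self, name: str, specs: List[str]) -> None:
        self.groups[name] = [parse_address_spec(s) for s in specs]

    def groups_containing(self, addr: str) -> List[str]:
        """Every group whose ranges include addr, in definition order. A client
        that falls into several groups is subject to the rules of all of them."""
        ip = ip_address(addr)
        return [name for name, nets in self.groups.items()
                if any(ip in n for n in nets)]

    def overlaps(self) -> List[Tuple[str, str]]:
        """Pairs of groups whose ranges overlap. The catch-all 0.0.0.0/0 ("any")
        ranges are ignored, since they overlap everything by design."""
        names = list(self.groups)
        found = []
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if any(na.overlaps(nb)
                       for na in self.groups[a] if na.prefixlen > 0
                       for nb in self.groups[b] if nb.prefixlen > 0):
                    found.append((a, b))
        return found


def default_groups() -> AddressGroups:
    """The three groups the page says exist by default (names are the page's
    descriptions, not necessarily what Server Admin displays)."""
    g = AddressGroups()
    g.add("any", ["any"])
    g.add("10-net", ["10.0.0.0/8"])
    g.add("192.168-net", ["192.168.0.0/16"])
    return g


def example_groups() -> AddressGroups:
    """Defaults plus a constructed group: one range in netmask notation, one host."""
    g = default_groups()
    g.add("lan-admins", ["192.168.2.0:255.255.255.0", "10.0.5.7"])
    return g


if __name__ == "__main__":
    g = example_groups()
    print(g.groups_containing("192.168.2.2"))  # ['any', '192.168-net', 'lan-admins']
    print(g.overlaps())                        # [('10-net', 'lan-admins'), ('192.168-net', 'lan-admins')]
```

Passing strict=False lets an entry such as 192.168.2.7/24 through by masking the host bits, which is the forgiving behaviour you want for operator input; drop it if you would rather have a typo rejected than silently widened to the whole subnet.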

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.


The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings, then click Address Groups.

5. From the IP Address Groups list, select the group name.

6. To edit an IP address group, click the Edit button (/) below the list, edit the Group name or addresses as needed, and then click OK.

7. To delete an IP address group, click the Delete button (—) below the list.

8. Click Save.

Configure firewall logging settings

You can choose the types of packets to log. You can log the packets that are denied access, the packets that are permitted access, or both.

Each logging option can generate many log entries, but you can limit the volume of entries by:

Logging only permitted packets or denied packets, instead of all packets

Logging packets only as long as necessary

Using the Logging Settings pane to limit the total number of packets

Adding a count rule in the Advanced Settings pane to record the number of packets that match the characteristics you’re interested in measuring

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings, then click Logging.

5. Select the “Enable logging” checkbox and choose to log permitted packets, denied packets, or a designated number of packets.

6. Click Save.

Check the status of Firewall service (CLI)

Use the serveradmin command-line tool to check the status of Firewall service.

For information about serveradmin, see its man page.

See summary status of the service:

sudo serveradmin status ipfilter

See detailed status of the service, including rules:

sudo serveradmin fullstatus ipfilter

Check the status of Firewall service


Use Server Admin to check the status of Firewall service.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Overview to see whether the service is running, the number of active static and dynamic rules configured, the number of matching packets, and the number of bytes in matching packets handled by the firewall.

5. Click Log to review the Firewall service log.

To search for specific entries, use the Filter field above the log.

6. To view a list of active firewall rules, click Active Rules.

A list of rules appears, with a description of each rule in ipfw code format, the priority, packet count, and total bytes handled.

View firewall active rules

Use Server Admin to view a simple summary of active firewall rules.

The Active Rules pane shows the number of packets and bytes associated with each rule.

When a change is made to the configuration of the firewall using Server Admin, the old firewall rules are flushed, new rules are generated and saved in a file, and the ipfw command is invoked to load the rules into service.

As part of the flush operation, the number of packets and bytes associated with each rule are cleared.

The Active Rules pane provides a snapshot of the state of the firewall. When viewing this pane, dynamic rules might be shown with static rules.

Dynamic rules come and go in a matter of seconds, in response to network activity. They are the result of rules that include a keep-state clause (stateful rules). The Active Rules pane shows the rule number of the stateful rule that was triggered to create the dynamic rule.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Active Rules.

A list of the rules appears, with a description of each rule in ipfw code format, the priority, packet count, and total bytes handled.

View denied packets

Viewing denied packets can help you identify problems and troubleshoot Firewall service.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings, then click Logging.


5. Make sure “Log all denied packets” is selected.

If you have not turned on logging for a rule, see Edit or delete advanced firewall rules.

6. To view log entries, click Log.

7. In the text filter box, enter the word “unreach.”

View the Firewall service log (CLI)

Each rule you set up in Server Admin corresponds to rules in the underlying firewall software. Log entries show you when the rule was applied, the IP address of the client and server, and other information. The log view shows the contents of /var/log/ipfw.log. See examples at Firewall log examples.

See where the ipfilter service log is located:
$ sudo serveradmin command ipfilter:command = getLogPaths
ipfilter:systemLog = "/var/log/ipfw.log"

View the latest entries in the log, where log-file is the path reported above (for example, /var/log/ipfw.log):
$ sudo tail log-file

View the Firewall service log

Each rule you set up in Server Admin corresponds to rules in the underlying firewall software. Log entries show you when the rule was applied, the IP address of the client and server, and other information. The log view shows the contents of /var/log/ipfw.log. See examples at Firewall log examples.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Log.

To search for specific entries, use the Filter field above the log. You can refine the view using the text filter box.

View packets logged by firewall rules

Viewing the packets filtered by firewall rules can help you identify problems and troubleshoot Firewall service.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings, then click Logging.

5. Make sure “Log all allowed packets” is selected.

If you have not turned on logging for a rule, see Edit or delete advanced firewall rules.

6. To view log entries, click Log.


7. Enter the word “Accept” in the text filter box.

Firewall log examples

The filters you create in Server Admin correspond to rules in the underlying filtering software. Log entries show you the rule applied, the IP address of the client and server, and other information.

For information about tail and serveradmin, see their man pages.

Log example 1

Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0

This entry shows that Firewall service used rule 65000 to deny (unreach) the remote client at 10.221.41.33:2190 from accessing server 192.168.12.12 on Web port 80 through Ethernet port 0.

Log example 2

Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0

This entry shows that Firewall service used rule 100 to permit the remote client at 10.221.41.33:721 to access the server 192.168.12.12 on the LPR printing port 515 through Ethernet port 0.

Log example 3

Dec 12 13:33:15 smithy2 mach_kernel: ipfw: 10 Accept TCP 192.168.12.12:49152 192.168.12.12:660 out via lo0

This entry shows the NAT divert rule applied to an outbound packet. In this case it diverts the packet to port 660, which is the port the NAT daemon uses.
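The following Python is added as an example and is not part of the manual or of Firewall service. It parses entries in the format shown above and aggregates the denied connections per source address and destination port, which is what filtering the Server Admin log view for “unreach” or “Accept” shows, but summarised rather than listed. The first three sample lines are the page’s own log examples with the word spacing restored; the remaining lines are constructed so that the aggregation has more than one entry to work on.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# One /var/log/ipfw.log entry, as in the page's examples:
#   Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0
# Ports are optional so that entries for protocols without ports still parse.
LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+mach_kernel:\s+ipfw:\s+"
    r"(?P<rule>\d+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)\s*$"
)

# "Unreach" is the deny action in the page's examples; Deny and Reset are the other
# rejecting actions ipfw logs. Anything else (Accept, Divert, Count, ...) is not a denial.
DENY_ACTIONS = {"Unreach", "Deny", "Reset"}


def parse_line(line: str) -> Optional[Dict]:
    """Fields of one log entry, or None if the line is not an ipfw entry."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("rule", "sport", "dport"):
        if entry[key] is not None:
            entry[key] = int(entry[key])
    entry["denied"] = entry["action"] in DENY_ACTIONS
    return entry


def parse_log(lines: List[str]) -> List[Dict]:
    """All parseable entries, in order; non-ipfw lines are skipped."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def summarize(lines: List[str]) -> Dict:
    """Counts a defender wants at a glance: denied versus accepted entries, denied
    entries per source address, and the destination ports each source was refused on."""
    entries = parse_log(lines)
    denied = [e for e in entries if e["denied"]]
    by_source = Counter(e["src"] for e in denied)
    ports: Dict[str, set] = {}
    for e in denied:
        if e["dport"] is not None:
            ports.setdefault(e["src"], set()).add(e["dport"])
    return {
        "parsed": len(entries),
        "denied": len(denied),
        "accepted": sum(1 for e in entries if e["action"] == "Accept"),
        "denied_by_source": dict(by_source),
        "denied_ports_by_source": {src: sorted(p) for src, p in ports.items()},
    }


# The first three lines are the page's log examples (spacing restored); the rest are
# constructed: two more denials and one non-ipfw syslog line that must be ignored.
SAMPLE_LOG = [
    "Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0",
    "Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0",
    "Dec 12 13:33:15 smithy2 mach_kernel: ipfw: 10 Accept TCP 192.168.12.12:49152 192.168.12.12:660 out via lo0",
    "Dec 12 13:08:17 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2191 192.168.12.12:22 in via en0",
    "Dec 12 13:08:19 ballch5 mach_kernel: ipfw: 65000 Unreach UDP 10.221.41.34:5353 192.168.12.12:53 in via en0",
    "Dec 12 13:08:20 ballch5 syslogd[17]: constructed unrelated message",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real file with summarize(open("/var/log/ipfw.log").read().splitlines()). Because every rule is logged under its number, grouping denied entries by the "rule" field instead of "src" tells you which rule in the Advanced Rules list is doing the rejecting, which is usually the first thing to establish when a client reports being locked out.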

Troubleshoot advanced firewall rules

Advanced firewall configuration settings accept any input, assuming you are correctly configuring a rule. Errors are not noticed until the rules are saved and Server Admin applies all rules using the ipfw command.

Then, the first rule with a syntax error causes the operation to stop, and an error message is logged.

This error message does not indicate which rule is invalid, but all valid rules before the invalid one are loaded in the firewall.

The following section describes how you can determine which rule is invalid.

1. Read the error message in the log.

2. Wait a few minutes for Server Admin to show the active rules in the Firewall Overview pane.

3. Compare the list of active rules in the Firewall Overview pane with the rule list in the Settings section.

4. Inspect the contents of /etc/ipfilter/ipfw.conf.apple file to see which rules Server Admin tried to load in the firewall.

The first rule in the file that is not present in the Firewall Overview pane is likely the invalid one. However, there might be more invalid rules after that one.

5. If the rule corresponds to one from the Advanced Settings pane, disable it or correct it.

Disabled rules appear in the /etc/ipfilter/ipfw.conf.apple file preceded by a comment character so they are not processed by the ipfw tool.
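Steps 3 to 5 can be scripted. The following Python is added here as an example and is not part of Server Admin: it takes the rule numbers from the contents of /etc/ipfilter/ipfw.conf.apple and from the active ruleset (the output of ipfw list, which is the same information the Active Rules pane displays) and reports the first configured rule that did not load, plus everything after it. The file and listing contents are constructed samples; the “add <number> …” line format for the generated file is an assumption, and commented-out (disabled) rules are skipped as the paragraph above describes.

```python
import re
from typing import List, Optional, Set

# A rule line in the generated file is assumed to read "add <number> <rule body>";
# `ipfw list` (and the Active Rules pane) print "<number> <rule body>". Both are accepted.
RULE_NUMBER = re.compile(r"^(?:add\s+)?(\d+)\b")


def configured_rule_numbers(conf_text: str) -> List[int]:
    """Rule numbers from the ipfw.conf.apple content, in file order.

    Comment lines are skipped: Server Admin writes a disabled rule preceded by a
    comment character so ipfw never sees it, and such rules are not expected to load."""
    numbers = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = RULE_NUMBER.match(stripped)
        if m:
            numbers.append(int(m.group(1)))
    return numbers


def active_rule_numbers(active_text: str) -> Set[int]:
    """Rule numbers from `ipfw list` output (what the Active Rules pane shows)."""
    numbers = set()
    for line in active_text.splitlines():
        m = RULE_NUMBER.match(line.strip())
        if m:
            numbers.add(int(m.group(1)))
    return numbers


def rules_not_loaded(conf_text: str, active_text: str) -> List[int]:
    """Configured rules absent from the active set, in file order.

    Because ipfw stops at the first rule with a syntax error, the first entry is
    the likely culprit and everything after it is missing as a consequence. The
    comparison runs file -> active only: the kernel's built-in default rule 65535
    is always active without appearing in any file, so the reverse direction
    would always report it."""
    active = active_rule_numbers(active_text)
    return [n for n in configured_rule_numbers(conf_text) if n not in active]


def first_rule_not_loaded(conf_text: str, active_text: str) -> Optional[int]:
    missing = rules_not_loaded(conf_text, active_text)
    return missing[0] if missing else None


# Constructed sample of /etc/ipfilter/ipfw.conf.apple; numbers and bodies are
# hypothetical. Rule 12310 carries a deliberate typo ("settup") so ipfw rejects it,
# and 12320 is a rule that Server Admin disabled (commented out).
CONF_SAMPLE = """\
# constructed sample, not a real generated file
add 01000 allow ip from any to any via lo0
add 01010 deny ip from 127.0.0.0/8 to any in
add 12300 allow tcp from 192.168.2.0/24 to any 22 in
add 12310 allow tcp from any to any 80 in settup
#add 12320 allow tcp from any to any 443 in
add 12330 allow udp from any to any 53 in
add 65000 deny ip from any to any
"""

# Constructed `ipfw list` output after the load stopped at the bad rule.
ACTIVE_SAMPLE = """\
01000 allow ip from any to any via lo0
01010 deny ip from 127.0.0.0/8 to any in
12300 allow tcp from 192.168.2.0/24 to any 22 in
65535 allow ip from any to any
"""

if __name__ == "__main__":
    print("first rule not loaded:", first_rule_not_loaded(CONF_SAMPLE, ACTIVE_SAMPLE))  # 12310
    print("all rules not loaded:", rules_not_loaded(CONF_SAMPLE, ACTIVE_SAMPLE))        # [12310, 12330, 65000]
```

On the server itself, feed it open("/etc/ipfilter/ipfw.conf.apple").read() and the captured output of sudo ipfw list. Note what the sample shows about the failure mode: the catch-all deny (65000 here) is among the rules that never loaded, so a single typo in an advanced rule leaves the firewall running with only the rules before the typo and the kernel’s default rule at the end, which is why step 5 matters beyond the one bad rule.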

Disable Firewall service (CLI)


You can disable Firewall service using Terminal.

In Terminal, enter the following at the command line:
sudo /usr/sbin/sysctl -w net.inet.ip.fw.enable=0

Reset the firewall to the default setting

A server can become unreachable for remote administration due to an error with the firewall configuration. In such a case, you must reset the firewall to its default state so Server Admin can access the server. This recovery procedure requires you to use the command-line interface and must be done by an administrator who has physical access to the server.

1. Disconnect the server from the Internet.

2. Restart the server in single-user mode by holding down the Command–s keys during startup.

3. Remove or rename the address groups file found at /etc/ipfilter/ip_address_groups.plist.

4. Remove or rename the ipfw configuration file found at /etc/ipfilter/ipfw.conf.

5. Force-flush the firewall rules by entering the following in Terminal: sudo ipfw -f flush

6. Edit the /etc/hostconfig file and set IPFILTER=-YES-.

7. Complete the startup sequence to the login window by entering exit.

The computer starts up with the default firewall rules and firewall enabled. Use Server Admin to refine the firewall configuration.

8. Log in to your server’s local administrator account to confirm that the firewall is restored to its default configuration.

9. Reconnect your host to the Internet.

About Gateway Setup Assistant

Gateway Setup Assistant helps you easily set up a Mac server to share your Internet connection with your local network. After you configure a few settings, the assistant can start sharing the server connection.

Depending on your configuration choices, the assistant performs the following when it sets up the server:

Assigns the server a static IP address for each internal network interface.

The address assigned is 192.168.x.1. The value used for x is determined by the network interface’s order in the Network pane of System Preferences. For example, for the first interface on the list, x is 0; for the second interface, x is 1.

Enables DHCP to allocate addresses on the internal network, removing existing DHCP subnets.

Sets aside specific internal (192.168.x.x) addresses for DHCP use.

Without VPN started, each interface can allocate addresses from 192.168.x.2 to 192.168.x.254.

(Optional) Enables VPN to permit authorized external clients to connect to the local network.

VPN L2TP is enabled, so you must enter a shared secret (a passphrase) for client connections to use.

Sets aside specific internal addresses (192.168.x.x) for VPN use.

If VPN is selected, half of the allotted IP addresses in the DHCP range are reserved for VPN connections. The addresses 192.168.x.128–192.168.x.254 are allotted to VPN connections.

Enables the firewall to help secure the internal network.

Address groups are added for each internal network interface, with all traffic permitted from the newly created DHCP address ranges to any destination address.


Enables network address translation (NAT) on the internal network and adds a NAT divert rule to the IP firewall to direct network traffic to the correct computer. This also protects the internal network from unsolicited external connections.

Enables DNS on the server, configured to cache lookups, to improve DNS response for internal clients.

When configuring these settings, you can review the proposed changes before committing to them and overwriting existing settings.

You can make further changes to the service configuration using Server Admin. For network services, see the relevant section in this book for information.

If you run the Gateway Setup Assistant again, it overwrites manual settings you made.

To use the Setup Assistant, see Run Gateway Setup Assistant.

Run Gateway Setup Assistant

You run Gateway Setup Assistant from the NAT Service Overview pane in Server Admin.

Gateway Setup Assistant requires two network interfaces. For example, if you have a Mac mini with Lion Server, you may want to connect an Apple USB Ethernet adapter or equivalent before running Gateway Setup Assistant.

For more information about Gateway Setup Assistant, see About Gateway Setup Assistant.

1. Open Server Admin and connect to the server.

2. Click Settings, then click Services.

3. Select the NAT checkbox, then click Save.

4. Click the triangle at the left of the server.

The list of services appears.

5. From the expanded Servers list, select NAT.

6. Click Overview.

7. Click Gateway Setup Assistant.

8. Follow the directions in the assistant, click Continue after each page, read the final configuration summary carefully, and make sure you approve of the settings before finalizing the configuration.

WARNING: Although you can use the Gateway Setup Assistant to configure remote servers, you can accidentally cut off your administrator access to the remote server after the gateway is complete. This can happen because the firewall is enabled and may deny remote access to the server. To prevent this, make sure your firewall is configured to permit remote access.

Connect a wireless LAN to the Internet

Connecting wireless clients to the Internet through a Mac server gateway provides the following advantages over using AirPort Base Station built-in functions:

Advanced firewall control

DHCP allocation of static IP addresses

DNS caching

Incoming VPN connections to the LAN

If you do not need these advanced functions, use the AirPort Base Station to connect your wireless clients to the Internet without using Mac server between the Base Station and the Internet.

To take advantage of the gateway’s features, you use the Base Station as a bridge between your wireless clients and the gateway. Each client connects to the Base Station, and the Base Station sends network traffic through the gateway.


Wireless clients must be able to connect to the AirPort Base Station’s wireless network to be linked to the gateway.

After this process, computers connected to the AirPort Base Station:

Can get IP addresses and network settings configured using DHCP

Can access the Internet if the gateway is connected to the Internet

Can’t be accessed by unauthorized network connections originating from the wired connection to the Internet

Can be accessed over the Internet by authorized VPN clients (if VPN is configured)

Can benefit from DNS lookup caching in the gateway, which speeds DNS resolution

1. Plug the connection to the Internet into the Ethernet 1 (en0) port.

2. Connect the AirPort Base Station port (the WAN port, if there are two) to the Ethernet 2 (en1) port.

3. Open AirPort Utility.

You can open it from the /Applications/Utilities/ folder.

4. Select a Base Station and then choose Manual Setup from the Base Station menu.

5. Enter the Base Station password if necessary.

6. Click Internet in the toolbar, then click Internet Connection.

7. From the Connect Using pop-up menu, choose Ethernet.

8. From the Configure IPv4 pop-up menu, choose Using DHCP.

9. From the Connection Sharing pop-up menu, choose Off (Bridge Mode).

10. To change Base Station settings, click Update.

11. Open Server Admin and connect to the server.

12. Click Settings, then click Services.

13. Select the NAT checkbox.

14. Click Save.

15. Click the triangle at the left of the server.

The list of services appears.

16. From the expanded Servers list, select NAT.

17. Click Overview, then click Gateway Setup Assistant.

18. Click Continue.

19. For your WAN (Internet) interface, designate Built-In Ethernet 1.

20. For your LAN (sharing) interface, designate Built-In Ethernet 2.

Your LAN interface is the one connected to your local network. Computers on the LAN share the server’s Internet connection through the server’s WAN interface.

If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable.

21. Choose whether to make this gateway a VPN entry point to your LAN.

If you enable VPN, you need a shared secret. A shared secret is a passphrase that users must provide to securely connect to the VPN gateway. It should be a very secure passphrase, not a password of a user or administrator on the gateway server.

To set a very secure passphrase, use Password Assistant in Account Preferences.

22. Inspect and confirm the changes.

You can fine-tune the settings from this base configuration but you perform additional configuration in Server Admin.

For example, you can use Server Admin to assign IP addresses to specific computers. To do this, add static address mappings in the DHCP section’s Settings tab. For more information, see Use DHCP to assign static IP addresses.

You can also change firewall settings to permit connections from the Internet to the LAN. To do this, change the firewall settings, opening up IP ports as needed, and configure port forwarding in the NAT pane to designate which computer on the LAN is to accept incoming traffic.

Connect a wired LAN to the Internet

You can use Gateway Setup Assistant to connect a wired LAN to the Internet. Your LAN can consist of any number of computers connected to each other through Ethernet hubs and switches, but the LAN must have one point of contact with the Internet (the gateway).

Your gateway has one connection to the Internet and one connection to the LAN. All other computers access the Internet through your gateway. You can configure your Mac server to be a gateway to the Internet, which requires that your server have two Ethernet ports (en0 and en1). Port en0 should be connected to the Internet and en1 should be connected to your LAN.

After this process, computers on the LAN:

Can get IP addresses and network settings that were configured using DHCP

Can access the Internet if the gateway is connected to the Internet

Can’t be accessed by unauthorized network connections originating from the Internet

Can be accessed over the Internet by authorized VPN clients (if VPN is configured)

Can benefit from DNS lookup caching in the gateway, which speeds DNS resolution

1. Plug the connection to the Internet into the Ethernet 1 (en0) port.

2. Plug the connection to your LAN into the Ethernet 2 (en1) port.

3. Open Server Admin and connect to the server.

4. Click Settings, then click Services.

5. Select the NAT checkbox.

6. Click Save.

7. Click the triangle at the left of the server.

The list of services appears.

8. From the expanded Servers list, select NAT.

9. Click Overview, then click Gateway Setup Assistant.

10. Click Continue.

If your server has existing DHCP, DNS, NAT, and VPN configurations, you are prompted to overwrite those configurations. To overwrite configurations, click Overwrite to continue.

11. From the Gateway WAN Interface pop-up menu, choose Ethernet 1 (en0) for your WAN interface, then click Continue.

12. From the list of network interfaces, select the Ethernet 2 checkbox for you LAN interface and click Continue.

Your LAN interface is the one connected to your local network. Computers on the LAN share the server’s Internet connectionthrough the server’s WAN interface.

If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable.

13. (Optional) To make your gateway server a VPN entry point to your LAN, select “Enable VPN for this server.”

If you enable VPN, you need a shared secret. A shared secret is a passphrase that users provide to connect to the VPN gateway. It should be a very secure passphrase, not the password of a user or administrator on the gateway server.

To set a very secure passphrase, use Password Assistant in Account Preferences. For more information, see Mac OS X Server Security Configuration.

Connect a wired LAN to the Internet

14. Click Continue.

15. Inspect and confirm your setup.

16. Click Continue.

NAT and all dependent services will be configured and started.

17. Click Close.

Network infrastructure services ► Gateway Setup Assistant

You can use Gateway Setup Assistant to connect a wired LAN and wireless clients to the Internet. Your LAN can consist of any number of computers connected to each other through Ethernet hubs and switches, but the LAN must have one point of contact with the Internet (the gateway).

Your LAN must also have an AirPort Base Station to connect the wireless computers to the wired network. Your wireless clients must be able to connect to the AirPort Base Station’s wireless network to be linked to the wired LAN.

After this process, computers on the LAN and those connected to the AirPort Base Station:

Can get IP addresses and network settings configured using DHCP

Can access the Internet, if the gateway is connected to the Internet

Can’t be accessed by unauthorized network connections originating from the wired connection to the Internet

Can be accessed over the Internet by authorized VPN clients (if VPN is configured)

Can benefit from DNS lookup caching in the gateway, which speeds DNS resolution

1. Plug the connection to the Internet into the Ethernet 1 (en0) port.

2. Plug the connection to your LAN into the Ethernet 2 (en1) port.

3. Connect the AirPort Base Station port (the WAN port, if there are two) to the wired network.

4. Using AirPort Utility, configure the Base Station to connect using Ethernet and to get its address using DHCP.

You can open it from the /Applications/Utilities/ folder.

5. Select the Base Station and then choose Manual Setup from the Base Station menu.

6. Enter the Base Station password if necessary.

7. Click Internet in the toolbar, then click Internet Connection.

8. From the Connect Using pop-up menu, choose Ethernet.

9. From the Configure IPv4 pop-up menu, choose Using DHCP.

10. From the Connection Sharing pop-up menu, choose Off (Bridge Mode).

11. To change Base Station settings, click Update.

12. Open Server Admin and connect to the server.

13. Click Settings, then click Services.

14. Select the NAT checkbox.

15. Click Save.

16. Click the triangle at the left of the server.

The list of services appears.

17. From the expanded Servers list, select NAT.

18. Click Overview, then click Gateway Setup Assistant.

19. Click Continue.

Connect a wired LAN and wireless clients to the Internet

20. For your WAN (Internet) interface, designate Ethernet 1.

21. For your LAN (sharing) interface, designate Ethernet 2.

Your LAN interface is the one connected to your local network. Computers on the LAN share the server’s Internet connection through the server’s WAN interface.

If your server has more than one interface available (Ethernet port 2, Ethernet port 3, and so on), choose those you want to enable.

22. Choose whether to make this gateway a VPN entry point to your LAN.

If you enable VPN, you need a shared secret. A shared secret is a passphrase that users must provide to securely connect to the VPN gateway. It should be a very secure passphrase, not a password of a user or administrator on the gateway server.

To set a very secure passphrase, use Password Assistant in Account Preferences.

23. Inspect and confirm the changes.

Network infrastructure services ► NAT

Network Address Translation (NAT) is a protocol you use to give multiple computers access to the Internet using only one assigned public or external IP address. NAT permits you to create a private network that accesses the Internet through a NAT router or gateway. NAT is sometimes referred to as IP masquerading.

The NAT router takes traffic from your private network and remembers internal addresses that have made requests. When the NAT router receives a response to a request, it forwards it to the originating computer. Traffic that originates from the Internet does not reach computers behind the NAT router unless port forwarding is enabled.

Enabling NAT on a Lion Server often requires detailed control over DHCP, so DHCP is configured separately in Server Admin. To learn more about DHCP, see DHCP setup overview.

Enabling NAT also creates a divert rule in the firewall configuration. Server Admin permits NAT service and Firewall service to be enabled and disabled independently. However, for NAT service to function, both NAT service and Firewall service must be enabled. This is because an essential part of NAT is the packet divert rule. That rule is added to the firewall when NAT service is enabled, but Firewall service must be turned on for the packet divert rule, or any firewall rule, to have effect.

The natd daemon process controls NAT service. For information about how to access natd features and implement them, see the natd man page.

Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave.

If you’re a novice server administrator, you’ll probably find some of the background information in an RFC helpful.

If you’re an experienced server administrator, you can find the technical details about a protocol in its RFC document.

You can search for RFC documents by number at www.ietf.org/rfc.html.

For NAT descriptions, see:

RFC 1631

RFC 3022

Network infrastructure services ► NAT

To configure a network segment as a NAT LAN, you must complete several steps. Each is necessary to create a functioning private network behind a NAT gateway. A detailed example of the setup is found in Link a LAN to the Internet through one IP address.

You can also configure NAT using Gateway Setup Assistant, which configures each of these services and starts NAT. For more information, see About Gateway Setup Assistant.

The following provides an overview of the configuration process.

About NAT

NAT LAN configuration overview

Choose your NAT gateway and interface functions

You must locate the NAT gateway on a Lion Server computer with at least two network interfaces: one to connect to the Internet (the WAN port), and one to connect to your private network segment (the LAN port).

Decide how NAT LAN clients get IP addresses

You can assign your own static IP addresses in the approved ranges for private LANs, or you can use Lion Server’s DHCP feature to assign addresses for you.

Configure the gateway’s network settings

You assign your public IP address to the WAN port and you assign your internal gateway’s address to the LAN port.

Enable NAT service

Before configuring NAT service, you must turn NAT on. See Enable NAT service.

Configure NAT settings

Use the NAT settings to set the network interface. See Configure NAT service.

Configure port forwarding settings

Use the Terminal application to direct incoming traffic to your NAT network to a specific IP address behind the NAT gateway. See Configure port forwarding.

Start NAT service

After you configure NAT, start the service to make it available. See Start or stop NAT service.

Start Firewall service

For NAT service to operate, you must enable NAT service and Firewall service. See Enable firewall administration.

(Conditional) Configure and start DHCP service

If clients have their addresses dynamically assigned, configure DHCP and start it now. See DHCP setup overview.

Network infrastructure services ► NAT

You use Server Admin to start and stop NAT service on your default network interface. Starting NAT service does not start DHCP on the NAT interface, so you must manage LAN addressing separately.

Starting NAT service is not the same as configuring a network segment as a NAT LAN.

For NAT service to operate, you must enable NAT service and Firewall service. For more information, see Enable firewall administration.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NAT.

4. Click the Start NAT button below the Servers list.

When the service is running, the Stop NAT button is available.

Network infrastructure services ► NAT

To manage NAT service, use the following commands with the serveradmin tool.

Command (nat:command=)    Description

getLogPaths               Find the location of the log used by NAT service.

updateNATRuleInIpfw       Update the firewall rules defined in the ipfilter service to reflect changes in NAT settings.

writeSettings             Equivalent to the standard serveradmin settings command, but also returns a setting indicating whether the service must be restarted.

Start or stop NAT service

NAT command-line settings

Network infrastructure services ► NAT

To change settings for NAT service, use the following parameters with the serveradmin tool.

Parameter (nat:)      Description

deny_incoming         yes|no. Default = no

log_denied            yes|no. Default = no

clamp_mss             yes|no. Default = yes

reverse               yes|no. Default = no

log                   yes|no. Default = yes

proxy_only            yes|no. Default = no

dynamic               yes|no. Default = yes

use_sockets           yes|no. Default = yes

interface             The network interface on which NAT operates (the external or WAN port). Default = en0

unregistered_only     yes|no. Default = no

same_ports            yes|no. Default = yes

Network infrastructure services ► NAT ► Configure NAT

NAT service settings

Enable NAT service

Before you can configure NAT settings, you must enable NAT service in Server Admin.

1. Open Server Admin and connect to the server.

2. Click Settings.

3. Click Services.

4. Select the NAT checkbox.

5. Click Save.

Network infrastructure services ► NAT ► Configure NAT

You use Server Admin to indicate which network interface is connected to the Internet or other external network.

Configuring NAT service is not the same as configuring a network segment as a NAT LAN.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NAT.

4. Click Settings.

5. Select “IP Forwarding and Network Address Translation (NAT).”

6. From the “External network interface” pop-up menu, choose the network interface that connects to the Internet or external network.

7. Click Save.

Network infrastructure services ► NAT ► Configure NAT

You can direct traffic coming in to your NAT network to a specific IP address behind the NAT gateway. This is called port forwarding.

Port forwarding lets you set up computers on the internal network that handle incoming connections without exposing other computers to outside connections. For example, you could set up a web server behind NAT service and forward incoming TCP connection requests on port 80 to the designated web server.

You can’t forward the same port to multiple computers, but you can forward many ports to one computer.

Enabling port forwarding requires the use of the Terminal application and administrator access to root privileges through sudo.

You must also create a plist file. The contents of the plist file are used to generate /etc/nat/natd.conf.apple, which is passed to the NAT daemon when it is started.

Do not try to edit /etc/nat/natd.conf.apple directly. If you use a plist editor instead of a command-line text editor, alter the following procedure to suit. To forward port traffic:

1. If the file /etc/nat/natd.plist doesn’t exist, make a copy of the default NAT daemon plist.

$ sudo cp /etc/nat/natd.plist.default /etc/nat/natd.plist

2. Using a Terminal editor, add the following block of XML text to /etc/nat/natd.plist before the two lines at the end of the file (</dict> and </plist>), substituting your own settings for the placeholder values (tcp or udp, LAN_ip, and so on):

<key>redirect_port</key>
<array>
    <dict>
        <key>proto</key><string>tcp or udp</string>
        <key>targetIP</key><string>LAN_ip</string>
        <key>targetPortRange</key><string>LAN_port_range</string>
        <key>aliasIP</key><string>WAN_ip</string>
        <key>aliasPortRange</key><string>WAN_port_range</string>
    </dict>
</array>

Configure NAT service

Configure port forwarding

3. Save your file changes.

4. Enter the following commands in Terminal:

$ sudo serveradmin stop nat

$ sudo serveradmin start nat

5. Verify that your changes remain by inspecting the /etc/nat/natd.conf.apple file.

The changes made, except for comments and those settings that Server Admin can change, are used by server configuration tools (Server Admin, Gateway Setup Assistant, and serveradmin).

6. Configure NAT service in Server Admin as needed.

For more information, see Configure NAT service.

7. Click Save.

8. Start NAT service.

Network infrastructure services ► NAT ► Configure NAT

You can forward ports to an IP address. The ports on the WAN side do not need to be the same as the ports on the LAN side, but they must correspond.

For example, if you forward 10 consecutive ports from the WAN side, you must forward them to 10 consecutive ports on the LAN side, but they don’t need to be the same 10.

Single port forwarding

This example shows the setting to forward TCP port 80 (web service) connections on the WAN address 17.128.128.128 to TCP port 80 (web service) on the private LAN address 192.168.1.1.

Add the following to the /etc/nat/natd.plist file:

<key>redirect_port</key>
<array>
    <dict>
        <key>proto</key><string>tcp</string>
        <key>targetIP</key><string>192.168.1.1</string>
        <key>targetPortRange</key><string>80</string>
        <key>aliasIP</key><string>17.128.128.128</string>
        <key>aliasPortRange</key><string>80</string>
    </dict>
</array>

Port forwarding examples

Multiple port forwarding

This example shows the setting to forward TCP and UDP ports 600-1023 (NetInfo, full range) connections on the WAN address 17.128.128.128 to corresponding ports on the private LAN address 192.168.1.1.

Add the following to the /etc/nat/natd.plist file:

<key>redirect_port</key>
<array>
    <dict>
        <key>proto</key><string>tcp</string>
        <key>targetIP</key><string>192.168.1.1</string>
        <key>targetPortRange</key><string>600-1023</string>
        <key>aliasIP</key><string>17.128.128.128</string>
        <key>aliasPortRange</key><string>600-1023</string>
    </dict>
    <dict>
        <key>proto</key><string>udp</string>
        <key>targetIP</key><string>192.168.1.1</string>
        <key>targetPortRange</key><string>600-1023</string>
        <key>aliasIP</key><string>17.128.128.128</string>
        <key>aliasPortRange</key><string>600-1023</string>
    </dict>
</array>
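The two rules above are easy to get subtly wrong by hand: a WAN range and its LAN range must have the same width, one WAN port must not be forwarded to two hosts, and redirect_port must be a single array. The following Python script, an added example that is not Apple's code, checks those constraints for the port forwarding procedure and the examples above and writes the rules into a natd.plist with the standard plistlib module; the BASE_PLIST stand-in for /etc/nat/natd.plist is constructed here and contains only an interface key.

```python
import plistlib
from dataclasses import dataclass

# Constructed stand-in for /etc/nat/natd.plist (the real file has more keys).
BASE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>interface</key><string>en0</string>
</dict>
</plist>
"""


@dataclass(frozen=True)
class Redirect:
    """One redirect_port dict: traffic to alias_ip:alias_ports goes to target_ip:target_ports."""
    proto: str          # "tcp" or "udp"
    target_ip: str      # LAN host that receives the traffic
    target_ports: str   # "80" or "600-1023"
    alias_ip: str       # WAN address of the gateway
    alias_ports: str    # WAN port or port range being forwarded


def parse_port_range(spec):
    """Turn '80' or '600-1023' into (low, high); reject malformed or out-of-range specs."""
    parts = spec.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port range {spec!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return low, high


def validate(redirects):
    """Return a list of problems; an empty list means the rules are consistent."""
    problems = []
    owner = {}  # (proto, alias_ip, wan_port) -> target_ip already claiming that port
    for r in redirects:
        if r.proto not in ("tcp", "udp"):
            problems.append(f"{r.proto!r}: proto must be tcp or udp")
            continue
        try:
            t_lo, t_hi = parse_port_range(r.target_ports)
            a_lo, a_hi = parse_port_range(r.alias_ports)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        # WAN and LAN ranges need not be identical, but they must be the same width.
        if t_hi - t_lo != a_hi - a_lo:
            problems.append(f"width mismatch: WAN {r.alias_ports} vs LAN {r.target_ports}")
        # The same WAN port cannot be forwarded to more than one LAN host.
        for port in range(a_lo, a_hi + 1):
            key = (r.proto, r.alias_ip, port)
            if key in owner and owner[key] != r.target_ip:
                problems.append(f"{r.proto}/{port} on {r.alias_ip} forwarded to more than one host")
                break
            owner[key] = r.target_ip
    return problems


def redirect_dict(r):
    """Render one rule with the key names natd.plist expects."""
    return {"proto": r.proto, "targetIP": r.target_ip, "targetPortRange": r.target_ports,
            "aliasIP": r.alias_ip, "aliasPortRange": r.alias_ports}


def render_natd_plist(base, redirects):
    """Return the base plist bytes with one redirect_port array holding every rule."""
    problems = validate(redirects)
    if problems:
        raise ValueError("; ".join(problems))
    doc = plistlib.loads(base)
    doc["redirect_port"] = [redirect_dict(r) for r in redirects]
    return plistlib.dumps(doc, fmt=plistlib.FMT_XML, sort_keys=False)


def redirects_from_plist(data):
    """Read the redirect_port rules back out of natd.plist bytes (for verification)."""
    return [Redirect(d["proto"], d["targetIP"], d["targetPortRange"],
                     d["aliasIP"], d["aliasPortRange"])
            for d in plistlib.loads(data).get("redirect_port", [])]


if __name__ == "__main__":
    # The multiple-port example from this section, TCP and UDP 600-1023.
    rules = [Redirect("tcp", "192.168.1.1", "600-1023", "17.128.128.128", "600-1023"),
             Redirect("udp", "192.168.1.1", "600-1023", "17.128.128.128", "600-1023")]
    print(render_natd_plist(BASE_PLIST, rules).decode())
```

Run it against a copy of the real file rather than /etc/nat/natd.plist itself, then restart NAT with serveradmin as in step 4 and confirm the result in /etc/nat/natd.conf.apple.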

Testing port forwarding rules

After you configure port forwarding rules you can test them by accessing the service from the public IP address of your NAT router. If you successfully access the services, you have properly configured and tested your port forwarding rule.

For example, if you have a website hosted on a computer with the private IP address of 192.168.1.10 and your NAT router has a public IP address of 219.156.13.13 and a port forwarding rule that forwards port 80 to IP address 192.168.1.10, you would access the website by entering the public IP address (http://219.156.13.13) into your web browser.

If your port forwarding rules are correct, your port is forwarded to the computer that is hosting the website (192.168.1.10).

Network infrastructure services ► NAT ► Configure NAT

You can use a computer as a gateway between network segments without translating IP addresses between public and private ranges. This is called IP address forwarding. Lion Server supports IP address forwarding and can be configured using Server Admin.

You can have various network configurations that would use a gateway without NAT. For example, a server might be translating private IP addresses to public addresses using NAT, but your Lion Server gateway might be routing information between private address subnets. Likewise, you might want to run a firewall between network segments in your own LAN.

Any condition where you want to route network traffic through the server without masquerading IP addresses is a condition thatinvolves IP address forwarding.

The steps for creating a gateway for address forwarding are the same as those for creating a NAT LAN. This means that network ports must be properly configured and that Firewall service must be enabled.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NAT.

4. Click Settings.

5. Select “IP Forwarding only.”

6. Click Save.

Network infrastructure services ► NAT ► Configure NAT

To configure NAT service:

$ sudo serveradmin settings

nat:enable_natportmap = value

nat:interface = value

Control-D

To view all settings:

$ sudo serveradmin settings nat

Parameter             Description

enable_natportmap     yes|no. Default = yes

interface             The network port. Default = "en0"

For more information about command-line parameters for NAT, see NAT service settings.

For information about serveradmin, see its man page.
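Because serveradmin prints settings as one "nat:key = value" line each (strings quoted, yes|no bare), they are easy to audit from a script. The following Python example, added here and not Apple's code, parses that format and compares it with the defaults in the NAT service settings table, flagging logging that has been turned off and a NAT interface other than the WAN port; the SAMPLE_OUTPUT is constructed in that format, and the expected WAN interface en0 follows the en0/en1 convention used on this page.

```python
import re

# nat: parameters and their defaults, as listed in the NAT service settings table.
NAT_DEFAULTS = {
    "deny_incoming": "no", "log_denied": "no", "clamp_mss": "yes", "reverse": "no",
    "log": "yes", "proxy_only": "no", "dynamic": "yes", "use_sockets": "yes",
    "interface": "en0", "unregistered_only": "no", "same_ports": "yes",
    "enable_natportmap": "yes",
}

# Constructed sample of what `sudo serveradmin settings nat` prints on a drifted server.
SAMPLE_OUTPUT = """nat:deny_incoming = no
nat:log = no
nat:interface = "en1"
nat:enable_natportmap = yes
"""

# service:key = value, with optional surrounding whitespace.
LINE_RE = re.compile(r'^\s*(\w+):(\w+)\s*=\s*(.*?)\s*$')


def parse_serveradmin(output, service="nat"):
    """Return {key: value} for the given service; quoted string values are unquoted."""
    settings = {}
    for line in output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # blank lines or anything that is not a setting
        svc, key, value = match.groups()
        if svc != service:
            continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        settings[key] = value
    return settings


def audit_nat_settings(settings, expected_wan="en0"):
    """List every deviation from the documented defaults plus two monitoring-relevant checks."""
    findings = []
    for key, value in sorted(settings.items()):
        if key not in NAT_DEFAULTS:
            findings.append(f"unknown parameter nat:{key} = {value}")
        elif value != NAT_DEFAULTS[key]:
            findings.append(f"nat:{key} = {value} (default {NAT_DEFAULTS[key]})")
    # Without nat:log, /var/log/alias.log records nothing to monitor or investigate.
    if settings.get("log", NAT_DEFAULTS["log"]) != "yes":
        findings.append("NAT logging is off; /var/log/alias.log will not record translations")
    # NAT must run on the external (WAN) port, not the LAN port.
    if settings.get("interface", NAT_DEFAULTS["interface"]) != expected_wan:
        findings.append(f"nat:interface is {settings.get('interface')!r}, "
                        f"expected WAN interface {expected_wan!r}")
    return findings


if __name__ == "__main__":
    # On a real server, pipe the output of `sudo serveradmin settings nat` in instead.
    for finding in audit_nat_settings(parse_serveradmin(SAMPLE_OUTPUT)):
        print(finding)
```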

Network infrastructure services ► NAT ► Configure NAT

Create a gateway without NAT

Use serveradmin to configure NAT service

Use serveradmin to start and stop NAT service

You use serveradmin to start and stop NAT service on your default network interface.

To start NAT service:

$ sudo serveradmin start nat

To stop NAT service:

$ sudo serveradmin stop nat

For information about serveradmin, see its man page.

Network infrastructure services ► NAT ► Configure NAT

You can use serveradmin to view the NAT status overview to see if the service is running and how many protocol links are active.

To view NAT status overview:

$ sudo serveradmin status nat

To see detailed NAT status overview:

$ sudo serveradmin fullstatus nat

For information about serveradmin, see its man page.

Network infrastructure services ► NAT ► Monitor NAT

To view the contents of the NAT service log or to view log paths, use tail or another file listing tool.

To view the latest entries in the log:

$ tail log-file

To view the log path:

$ sudo serveradmin command nat:command = getLogPaths

The computer responds with the following output:

nat:natLog = nat-log

Value       Description

nat-log     The location of the NAT service log. Default = /var/log/alias.log

For more information about NAT commands, see NAT service settings. For information about tail and cat, see their man pages.

Network infrastructure services ► NAT ► Monitor NAT

The NAT status overview lets you see if the service is running and how many protocol links are active.

Use serveradmin to view NAT status overview

View the NAT service log and log path

View the NAT status overview

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NAT.

4. Click Overview to see whether the service is running, when it started, and the number of TCP, UDP, and ICMP links.

Network infrastructure services ► NAT ► Common NAT tasks

To link a LAN, you need a Mac server with two network interfaces: one to connect to the Internet and one to connect to your private network.

The steps below use the following configuration as an example:

Ethernet interface names and functions: Ethernet Built-in (connected to Internet), PCI Ethernet Slot 1 (connected to internal network)

Internet or public IP address: 17.254.0.3 (example only; your IP number is provided by your ISP)

Internet or public DNS IP address: 17.254.1.6 (example only; your IP number is provided by your ISP)

Private network IP address range and netmask: 192.168.0.2–192.168.0.254 (also expressed as 192.168.0.0/24 or 192.168.0.0:255.255.255.0)

Server’s private network IP address: 192.168.0.1

LAN client IP address settings: Configure IPv4 Using DHCP

This last setting is not required because NAT can be used with static IP addresses instead of DHCP. However, configuring this setting makes it easier to configure computers.

Internet-enabled games allow multiple players to connect online over a LAN. This is known as a LAN party. Setting up a LAN party is essentially the same as the process described below with the following considerations:

Open only the ports necessary to play an Internet-enabled game.

If the game is played only inside the LAN, don’t open the firewall to game ports.

If you have computers joining and leaving the LAN, use DHCP for client address configuration.

1. On the gateway server, open the Network pane of System Preferences.

2. In the active Network screen, make sure the interface Built-in Ethernet is at the top of the list of interfaces; if not, drag it to the top of the list.

This sets the default gateway in the routing table. The top interface is always configured for the Internet or WAN.

3. Make sure the IP address and settings for Ethernet 1 are your public address settings from your ISP.

In this example they are:

IP address: 17.254.0.3

Netmask: 255.255.252.0

DNS: 17.254.1.6

4. Make sure the IP address and settings for Ethernet 2 or PCI Ethernet Slot 1 are your local address settings.

In this example, they are:

IP address: 192.168.0.1

Netmask: 255.255.255.0

DNS: 17.254.1.6

5. If necessary, click Apply Now.

Link a LAN to the Internet through one IP address

6. Open Server Admin and connect to the server.

7. Click the triangle at the left of the server.

The list of services appears.

8. From the expanded Servers list, select DHCP.

9. Click Subnets and create a subnet for the internal LAN with the following configuration parameters:

Subnet name: whatever you want

Starting IP address: 192.168.0.2

Ending IP address: 192.168.0.254

Subnet mask: 255.255.255.0

Network interface: en1

Router: 192.168.0.1

Lease time: whatever you want

DNS: 17.254.1.6

For detailed information about configuring DHCP, see Create DHCP subnets.

10. To start DHCP service, click the Start DHCP button below the Servers list.

11. In Server Admin, choose NAT from the expanded Servers list.

12. Configure NAT using the following setting:

External network interface: en0

13. If necessary, click Save.

14. To start NAT service, click the Start NAT button below the Servers list.

15. In Server Admin, choose Firewall from the expanded Servers list.

16. Create firewall rules to permit access to and from your private network.

For example, create an IP address group named Private LAN for the addresses 192.168.0.0/16.

For more information, see Create an address group.

17. To start Firewall service, click the Start Firewall button below the Servers list.

18. Start any services you want the private LAN to access (web, SSH, file sharing, and so on) using the Private LAN group.

19. Start any services you want the Internet to access on your private LAN (web, SSH, file sharing, and so on) using the “any” address group.

20. Click Save.

Network infrastructure services ► NAT ► Common NAT tasks

A virtual server is a gateway server that sends services behind a NAT firewall to real servers on a port-by-port basis.

For example, suppose you have a NAT gateway named domain.example.com with an address of 17.100.0.1 that is set to forward web traffic (port 80) to 10.0.0.5 (port 80) behind the firewall and that sends packet requests for ssh traffic (port 22) to 10.0.0.15 (port 22).

In this example, the NAT gateway is not really serving the web content. The server at 10.0.0.5 is, but it is invisible to the clients browsing the web site.

Viewed from the Internet you have one server, but viewed from behind the NAT barrier, you have as many or as few as you need. You can use this setup for load balancing or as an organizational scheme for the network’s topography.

Virtual servers also enable you to easily reroute network traffic to other computers on the LAN by reconfiguring the gateway.

Set up virtual servers

Virtual servers require three service configurations:

NAT: NAT service must be configured with port forwarding of the virtual port.

DNS: The DNS record for the server should accept a few aliases of common services and resolve them to the same IP address.

Firewall: The firewall must permit traffic on specific ports to have access to the NAT LAN.

In this example, you set up a NAT gateway and route two domain names and services to different computers behind the gateway firewall. Assume the following configuration details:

Ethernet interface names and functions: Ethernet Built-in (connected to Internet), PCI Ethernet Slot 1 (connected to internal network)

Internet or public IP address: 17.100.0.1 (example only, your IP number and netmask information will be provided by your ISP)

Private network IP address range and netmask: 192.168.0.0–192.168.0.255 (also expressed as 192.168.0.0/24 or 192.168.0.0:255.255.255.0)

Gateway server’s private network IP address: 192.168.0.1

Web server’s private network IP address: 192.168.0.2

Mail server’s private network IP address: 192.168.0.3

Web and mail server’s IP address settings: Configure IPv4 Using DHCP

This last setting is not required because NAT can be used with static IP addresses instead of DHCP. However, configuring this setting makes it easier to configure computers.

Now all web traffic to www.example.com is forwarded to the internal server at 192.168.0.2, and incoming mail traffic sent to mail.example.com is delivered to the internal server at 192.168.0.3.

To change the servers behind the NAT (for example, to perform a hardware upgrade), change the DHCP static IP address to the Ethernet addresses of the new servers. The new servers are assigned the existing internal IP addresses designated for web and mail, and the gateway forwards the traffic to the new servers seamlessly.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select DHCP.

4. Click Subnets and create an address group for the internal LAN with the following configuration parameters:

Subnet name: whatever you want

Starting IP address: 192.168.0.2

Ending IP address: 192.168.0.254

Subnet mask: 255.255.255.0

Network interface: en1

Router: 192.168.0.1

Lease time: whatever you want

DNS: provided by ISP

Static mapping (web): web server’s Ethernet address mapped to 192.168.0.2

Static mapping (mail): mail server’s Ethernet address mapped to 192.168.0.3

For more information, see Create DHCP subnets and Use DHCP to assign static IP addresses.

5. To start DHCP service, click the Start DHCP button (below the Servers list).

6. In Server Admin, choose NAT from the expanded Servers list.

7. Configure NAT using the following settings:

External network interface: en0

Port forwarding: TCP port 80 (web) to 192.168.0.2

Port forwarding: TCP port 25 (mail) to 192.168.0.3

For more information about configuring port forwards, see Configure port forwarding.

8. Click Save.

9. To start NAT service, click the Start NAT button below the Servers list.

10. In Server Admin, choose Firewall from the expanded Servers list.

11. Create Firewall rules to permit access to your private network.

For more information, see Create an address group.

12. Enable the two services you want the Internet to access on your private LAN (web and SMTP mail) using the “any” address group.

13. Click Save.

14. To start Firewall service, click the Start Firewall button (below the Servers list).

15. Contact your DNS provider (usually your ISP) to add two aliases to your gateway server’s DNS record.

Request an A record with the name www.example.com to the IP address 17.100.0.1.

Request an MX record with the name mail.example.com to the same IP address.

These records are in addition to existing A and CNAME records for your domain.

Network infrastructure services ► NetBoot

NetBoot service is built upon protocols, files, and folder structures that are described below.

The NetBoot, NetInstall, and NetRestore features of Mac OS X offer you alternatives for managing the operating system and application software that your Macintosh clients (or even other servers) require to start and do their work. Instead of going from computer to computer to install operating system and application software from CDs, you can prepare an installation image that installs on each computer when it starts up. You can also choose to not install software and have client computers start up (or boot) from an image stored on the server. (In some cases, clients don’t even need their own hard disk.)

Using NetBoot and NetInstall, your client computers can start from a standardized Mac OS configuration suited to specific tasks. Because the client computers start from the same image, you can quickly update the operating system for users by updating a single boot image.

NetBoot requires a boot image. NetInstall requires an installation image.

A boot image (.dmg file) is a file that looks and acts like a mountable disk or volume. NetBoot images contain the system software needed to act as a startup disk for client computers over the network.

An installation image (.nbi folder) is an image that starts up the client computer long enough to install software from the image. The client can then start up from its own hard disk.

Boot images and installation images are disk images. The main difference is that a .dmg file is a proper disk image and a .nbi folder is a bootable network volume (which contains a .dmg disk image file). Disk images are files that behave like disk volumes.

You can set up multiple NetBoot or NetInstall images to suit the needs of groups of clients or you can provide copies of the same image on multiple NetBoot servers to distribute the client startup load. You can also use a NetRestore image to quickly restore a volume.

NetBoot service can be used with NetBoot and NetInstall images along with Mac OS X client management services to provide a personalized work environment for each user.

Disk Images

The disk images contain the system software and applications used over the network by client computers. These tools can be installed on a client computer with the Server Administration Tools image. The name of a disk image file typically ends in .img or .dmg. Disk Utility (part of Mac OS X Lion) can mount disk image files as volumes on the desktop.

About NetBoot service

You use System Image Utility to create Mac OS X Lion NetBoot or NetInstall images, using a Mac OS X Lion installation volume or an existing system volume as the source. For information about creating images, see System Image Utility help.

NetBoot Share Points

NetBoot service sets up share points to make images and shadow files available to clients. Shadow files are used for NetBoot clients that don’t use their local hard disks to write out data when booted.

NetBoot service creates share points for storing NetBoot and NetInstall images in /Library/NetBoot/ on each volume you enable and names them NetBootSPn, where n is 0 for the first share point and increases by 1 for each extra share point.

For example, if you decide to store images on three server disks, NetBoot service sets up three share points named NetBootSP0, NetBootSP1, and NetBootSP2.

The share points for client shadow files are also created in /Library/NetBoot/ and are named NetBootClientsn, where n is the share point number.

You can create and enable NetBootSPn and NetBootClientsn share points on other server volumes using the NetBoot Service General settings in Server Admin.

WARNING: Don’t rename a NetBoot share point or the volume it resides on. Don’t stop sharing a NetBoot share point unless you first deselect the share point for images and shadow files in Server Admin.

Use NetBoot and NetInstall Images on Other Servers

You can also specify the path of a NetBoot image residing on a different NFS server. When creating image files, you can specify which server the image will reside on. See Use images stored on remote servers.

Client Information File

NetBoot service gathers information about a client the first time the client selects a NetBoot or NetInstall volume to start from in the Startup Disk preferences pane. NetBoot service stores this information in the /var/db/bsdpd_clients file.

Shadow Files

Many clients can read from the same NetBoot image, but when a client must write back to its startup volume (such as print jobs and other temporary files), NetBoot service redirects the written data to the client’s shadow files, which are separate from regular system and application software.

Shadow files preserve the unique identity of each client while it is running from a NetBoot image. NetBoot service transparently maintains changed user data in shadow files while reading unchanged data from the shared system image. Shadow files are recreated at startup, so changes made to a user’s startup volume are lost at restart.

For example, if a user saves a document to the startup volume, after a restart that document is gone. This behavior preserves the condition of the environment the administrator set up. Therefore users must have accounts on a file server on the network to save documents.

Balance the Shadow File Load

NetBoot service creates an AFP share point on each server volume you specify (see Choose where shadow files are stored) and distributes client shadow files across them as a way of balancing the load for NetBoot clients. There is no performance gain if the volumes are partitions on the same disk. See Distribute shadow files.

Allocation of Shadow Files for Mac OS X Lion NetBoot Clients

When a client computer starts from a Mac OS X Lion NetBoot image, it creates shadow files on a server NetBootClientsn share point or, if no share point is available, on a drive local to the client. For information about changing this behavior, see Choose where shadow files are stored.

NetBoot Image Folder

When you create a Mac OS X Lion NetBoot image with System Image Utility, the utility creates a NetBoot image folder whose name ends with .nbi and stores in it the NetBoot image with other files (see the following table) required to start a client computer over the network.

File                 Description
booter               Startup file that the firmware uses to begin the startup process
mach.macosx          UNIX kernel
mach.macosx.mkext    Drivers
System.dmg           Startup image file (can include application software)
NBImageInfo.plist    Property list file

System Image Utility stores the folder whose name ends with .nbi on the NetBoot server in /Library/NetBoot/NetBootSPn/image.nbi (where n is the volume number and image is the name of the image). You can save directly to this folder, or you can create the image elsewhere (even on another computer) and copy it to the /Library/NetBoot/NetBootSPn folder later.

Files for PowerPC-based Macintosh computers are stored in the ppc folder for Mac OS X Server v10.5 images, while earlier images might store PowerPC files in the root of the .nbi folder. Files for Intel-based Macintosh computers are stored in the i386 folder. Mac OS X Server v10.6 and later do not support imaging of PowerPC-based computers.

You use System Image Utility to set up NetBoot image folders. The utility lets you:

Name the image

Choose the image type (NetBoot or NetInstall)

Provide an image ID

Choose the default language

Choose the computer models the image supports

Create unique sharing names

Specify a default user name and password

Enable automatic installation for installation images

Add package or preinstalled applications

For information about creating images, see Create NetBoot images.

Property List File

The property list file NBImageInfo.plist stores image properties. The following table gives more information about the property list file for Mac OS X Lion image files.

Property           Type      Description
Architectures      Array     An array of strings of the architectures the image supports.
BootFile           String    Name of boot file: booter.
Index              Integer   1–4095 indicates a local image unique to the server. 4096–65535 is a duplicate, identical image stored on multiple servers for load balancing.
IsDefault          Boolean   True specifies this image file as the default boot image on the subnet.
IsEnabled          Boolean   Sets whether the image is available to NetBoot (or Network Image) clients.
IsInstall          Boolean   True specifies a Network Install image; False specifies a NetBoot image.
Name               String    Name of the image as it appears in the Mac OS X Lion Startup Disk preferences pane.
RootPath           String    Specifies the path to the disk image on the server, or the path to an image on another server. See Use images stored on remote servers.
Type               String    NFS or HTTP.
SupportsDiskless   Boolean   True directs the NetBoot server to allocate space for the shadow files needed by diskless clients.
Description        String    Text describing the image.
Language           String    A code specifying the language to be used while starting from the image.

Initial values in NBImageInfo.plist are set by System Image Utility, and you usually don’t need to change the property list file directly. Some values are set by Server Admin. If you must edit a property list file, you can use TextEdit or Property List Editor, found in the Utilities folder on the Server Administration Tools image.
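If you do hand-edit NBImageInfo.plist, or audit .nbi folders that were copied in from another machine, it is worth checking the file against the table before enabling the image. The following is an added example (it is not Apple code and not part of the original manual): it loads a plist with Python’s standard plistlib, checks each property against the type the table gives, classifies the Index as local or duplicate, and reports which of the .nbi folder’s required files are missing from a directory listing. The sample plist is constructed for the example; the IsDefault-without-IsEnabled check is an extra sanity check added here, not a rule from the manual.

```python
import plistlib
from typing import Any

# Types the NBImageInfo.plist table assigns to each property.
EXPECTED_TYPES: dict[str, type] = {
    "Architectures": list, "BootFile": str, "Index": int,
    "IsDefault": bool, "IsEnabled": bool, "IsInstall": bool,
    "Name": str, "RootPath": str, "Type": str,
    "SupportsDiskless": bool, "Description": str, "Language": str,
}

# Files the .nbi folder table lists (System.dmg is the name the table uses).
REQUIRED_NBI_FILES = {"booter", "mach.macosx", "mach.macosx.mkext",
                      "System.dmg", "NBImageInfo.plist"}

# Constructed sample plist for the example (not taken from a real server).
SAMPLE_NBIMAGEINFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Architectures</key><array><string>i386</string></array>
    <key>BootFile</key><string>booter</string>
    <key>Description</key><string>Lion NetBoot image (example)</string>
    <key>Index</key><integer>4097</integer>
    <key>IsDefault</key><true/>
    <key>IsEnabled</key><true/>
    <key>IsInstall</key><false/>
    <key>Language</key><string>Default</string>
    <key>Name</key><string>LionNetBoot</string>
    <key>RootPath</key><string>System.dmg</string>
    <key>SupportsDiskless</key><true/>
    <key>Type</key><string>NFS</string>
</dict>
</plist>
"""


def classify_index(index: int) -> str:
    """'local' (1-4095, unique to this server), 'duplicate' (4096-65535, the same
    image served from several servers for load balancing), or 'invalid'."""
    if 1 <= index <= 4095:
        return "local"
    if 4096 <= index <= 65535:
        return "duplicate"
    return "invalid"


def validate_image_info(info: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the plist matches the table."""
    problems: list[str] = []
    for key, typ in EXPECTED_TYPES.items():
        if key not in info:
            problems.append(f"missing key {key}")
            continue
        value = info[key]
        # bool is a subclass of int, so <true/> would otherwise pass as an Index.
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            problems.append(f"{key}: expected {typ.__name__}, got {type(value).__name__}")
    if problems:
        return problems  # type errors make the value checks below meaningless
    if info["BootFile"] != "booter":
        problems.append(f"BootFile must be 'booter', got {info['BootFile']!r}")
    if info["Type"] not in ("NFS", "HTTP"):
        problems.append(f"Type must be NFS or HTTP, got {info['Type']!r}")
    if classify_index(info["Index"]) == "invalid":
        problems.append(f"Index {info['Index']} is outside 1-65535")
    archs = info["Architectures"]
    if not archs or not all(isinstance(a, str) for a in archs):
        problems.append("Architectures must be a non-empty array of strings")
    # Added sanity check: a subnet default that clients cannot see is a misconfiguration.
    if info["IsDefault"] and not info["IsEnabled"]:
        problems.append("IsDefault is true but IsEnabled is false")
    return problems


def validate_plist_bytes(data: bytes) -> list[str]:
    """Parse raw plist bytes (XML or binary) and validate the result."""
    return validate_image_info(plistlib.loads(data))


def missing_nbi_files(folder_listing: set[str]) -> set[str]:
    """Names from the .nbi table that are absent from a folder listing."""
    return REQUIRED_NBI_FILES - set(folder_listing)


if __name__ == "__main__":
    info = plistlib.loads(SAMPLE_NBIMAGEINFO)
    print(info["Name"], classify_index(info["Index"]), validate_image_info(info) or "ok")
```

Run it against a real folder with something like `validate_plist_bytes(open(path, "rb").read())` and `missing_nbi_files(set(os.listdir(folder)))`; a non-empty result from either is a reason not to tick the image’s Enable box yet.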

Boot Server Discovery Protocol (BSDP)

NetBoot service uses an Apple-developed protocol based on DHCP known as Boot Server Discovery Protocol (BSDP). This protocol provides a way of discovering NetBoot servers on a network.

NetBoot clients obtain their IP information from a DHCP server and their NetBoot information from BSDP. BSDP offers built-in support for load balancing. See Performance and load balancing.

BootP Server

NetBoot service uses a BootP server (bootpd) to provide necessary information to client computers when they try to start from an image on the server.

If BootP clients on your network request an IP address from the NetBoot BootP server, the request fails because the NetBoot BootP server doesn’t have addresses to offer. To prevent the NetBoot BootP server from responding to requests for IP addresses, use the dscl command-line tool to open the local directory on the NetBoot server and add a key named bootp_enabled, with no value, to the /config/dhcp/ record.

Boot Files

When you create a Mac OS X Lion NetBoot image with System Image Utility, the utility generates the following boot files and storesthem on the NetBoot server in /Library/NetBoot/NetBootSPn/image.nbi (where n is the volume number and image is the name ofthe image):

booter

mach.macosx

mach.macosx.mkext

Note: If you turn on NetBoot service when installing Mac OS X Lion, the installer creates the NetBootSP0 share point on the serverboot volume. Otherwise, you can set up NetBootSPn share points by choosing where to store NetBoot images from the list ofvolumes in the General pane of NetBoot Service settings in Server Admin.

Trivial File Transfer Protocol (TFTP)

NetBoot service uses Trivial File Transfer Protocol (TFTP) to send boot files from the server to the client. When you start a NetBoot client, the client sends a request for startup software. The NetBoot server then delivers the booter file to the client using the TFTP default port, UDP 69.

Client computers access the startup software on the NetBoot server from the location where the image was saved.

These files are typically stored in the /private/tftpboot/NetBoot/NetBootSPn/ folder. This path is a symbolic link to /Library/NetBoot/NetBootSPn/, so the boot files for an image are read from /Library/NetBoot/NetBootSPn/image.nbi (where n is the volume number and image is the name of the image).

Using Images Stored on Other Servers

You can store Mac OS X Lion NetBoot or NetInstall images on NFS servers other than the NetBoot server. For more information,see Use images stored on remote servers.

Security

You can restrict access to NetBoot service on a case-by-case basis by listing the hardware addresses (also known as the Ethernet or MAC addresses) of computers that you want to permit or deny access to.

The hardware address of a client computer is added to the NetBoot Filtering list when the client starts up using NetBoot and is, by default, enabled to use NetBoot service. You can specify other services. See Restrict NetBoot clients by filtering addresses.

NetInstall Images

A NetInstall image is an image that starts up the client computer long enough to install software from the image. The client can then start up from its own hard disk. In the same way that a NetBoot image replaces the role of a hard disk, a NetInstall image is a replacement for an installation DVD.

Like a bootable CD, NetInstall is a convenient way to reinstall the operating system, applications, or other software onto the local hard disk. For system administrators deploying large numbers of computers with the same version, NetInstall can be very useful. NetInstall does not require the insertion of a CD into each NetBoot client because startup and installation information is delivered over the network.

When you create a NetInstall image with System Image Utility, you can automate the installation process by limiting interaction at the client computer.

Because an automatic network installation can be configured to erase the contents of the local hard disk before installation, data loss can occur. You must control access to this type of NetInstall image and must communicate the implications of using them to those using these images. Before using automatic network installations, it is always wise to inform users to back up critical data.

You can perform software installations through NetInstall using a collection of packages or an entire disk image (depending on the source used to create the image).

For more information about preparing NetInstall images to install software over the network, see “Create NetInstall images” in System Image Utility Help.

Application for setting up and managing images

You use the following Lion Server applications to set up and manage NetBoot, NetInstall, and NetRestore:

System Image Utility, to create Mac OS X Lion NetBoot, NetInstall, and NetRestore disk images. This utility is installed with Lion Server software in the /Applications/Server/ folder.

Server Admin, to enable and configure NetBoot service and supporting services. You can download Server Admin Tools at http://support.apple.com/downloads/. The Server Admin Tools are installed in the /Applications/Server/ folder.

PackageMaker, to create package files you use to add software to disk images.

Property List Editor, to edit property lists such as NBImageInfo.plist.

Note: To create an image, you must have valid Mac OS X Lion image sources or volumes. You cannot create an image of the startup disk you are running on.

NetBoot considerations and requirements

Before you set up NetBoot on your server, make yourself familiar with your network configuration, including the DHCP services it provides. Be sure you meet the following requirements:

You’re the server administrator.

You’re familiar with network setup.

You know the DHCP configuration.

You might need to work with your network staff to change network topologies, switches, routers, and other network settings.

Client computer requirements

All systems supported by Mac OS X Lion can use NetBoot to start from a Mac OS X Lion disk image on a server. At the time of this publication, this includes any Intel-based Macintosh computer.

You must install the latest firmware updates on all client computers. Firmware updates are available from the Apple support website: www.apple.com/support/.

Client computer RAM requirements

NetBoot client computers must have at least 512 MB of RAM.

Network Install client computers must also have 512 MB of RAM.

Software updates for NetBoot system disk images

You must use the latest system software when creating NetBoot disk images. New Macintosh computers require updates of system software, so if you have new Macintosh clients you must update your NetBoot images.

To update a Mac OS X Lion disk image, you must recreate the image. New images can easily be recreated by running a saved image creation workflow. For more information, see System Image Utility Help.

Ethernet support on client computers


NetBoot is supported only over built-in Ethernet connections. Multiple Ethernet ports are not supported on client computers. Clients must have at least 100-Mbit Ethernet adapters.

Network hardware requirements

The type of network connections you must use depends on the number of clients you expect to boot over the network:

For booting fewer than 10 clients (100-Mbit Ethernet)

For booting 10–50 clients (100-Mbit switched Ethernet)

For booting more than 50 clients (Gigabit Ethernet)

These are estimates for the number of clients supported.

Network service requirements

Depending on the types of clients you want to boot or install, your NetBoot server must also provide the following supporting services.

Service provided by NetBoot server   For booting Mac computers with hard disks   For booting Mac computers without hard disks
DHCP                                 Optional                                    Optional
NFS                                  Required if no HTTP                         Required if no HTTP
AFP                                  Not required                                Required
HTTP                                 Required if no NFS                          Required if no NFS
TFTP                                 Required                                    Required

Note: DHCP service is listed as optional because, although it is required for NetBoot, it can be provided by a server other than the NetBoot server. Services marked required must be running on the NetBoot server.

NetBoot and AirPort

The use of AirPort wireless technology to boot clients using NetBoot is not supported by Apple and is discouraged.

Capacity planning

The number of NetBoot client computers your server can support depends on how your server is configured, when your clients routinely start, the server’s hard disk space, and a number of other factors. When planning for your server and network needs, consider these factors:

Ethernet speed: 100Base-T or faster connections are required for client computers and the server. As you add clients, you might need to increase the speed of your server’s Ethernet connections. Ideally you want to take advantage of the Gigabit Ethernet capacity built in to your Mac server hardware to connect to a Gigabit switch. From the switch, connect Gigabit Ethernet or 100-Mbit Ethernet to each NetBoot client.

Hard disk capacity and number of images: Boot and installation images occupy hard disk space on server volumes, depending on the size and configuration of the system image and the number of images being stored. Images can be distributed across multiple volumes or multiple servers. For more information, see Performance and load balancing.

Hard disk capacity and number of users: If you have a large number of diskless clients, consider adding a separate file server to your network to store temporary user documents. Because each client booting from a disk image writes its changes to its own shadow image on the server, you can get a rough estimate of the required hard disk capacity by multiplying the size of a client’s shadow image by the number of clients.

Number of Ethernet ports on the switch: Distributing NetBoot clients over multiple Ethernet ports on your switch offers a performance advantage. Each port must serve a distinct segment.

NetBoot setup overview

Here is an overview of the basic steps for setting up NetBoot service.

Evaluate and update your network, servers, and client computers as necessary


The number of client computers you can support using NetBoot is determined by the number of servers you have, how they’re configured, hard disk storage capacity, and other factors. See NetBoot considerations and requirements.

Depending on the results of this evaluation, you might want to add servers or hard disks, add Ethernet ports to your server, or make other changes to your servers. You might also want to set up more subnets for BootP clients, depending on the number of clients you support.

You might also want to implement subnets on this server (or other servers) to take advantage of NetBoot filtering.

To provide authentication and personalized work environments for NetBoot client users by using Workgroup Manager, set up workgroups and import users from the Mac server Users & Groups database before you create disk images. Make sure you have at least one administrator user assigned to the Workgroup Manager for Mac OS X Lion client.

Create disk images for client computers

You can set up Mac OS X Lion disk images for client computers to start from. To create Mac OS X Lion disk images, you use System Image Utility. See System Image Utility Help.

You might also want to restrict access to NetBoot images by using Model Filtering. See System Image Utility Help.

To create application packages that you can add to an image, use PackageMaker. Application software packages can be installed by themselves or with Mac OS X Lion system software. See System Image Utility Help.

Set up DHCP

NetBoot requires a DHCP server running on the local server or on another server on the network. Make sure you have a range of IP addresses sufficient to accommodate the number of clients that will use NetBoot at the same time. For more information about configuring DHCP, see Server Admin Help.

If your NetBoot server also supplies DHCP service, you might get better performance if you configure your server as a gateway.That is, configure your subnets to use the server’s IP address as the router IP address.

Configure and turn on NetBoot service

You use the NetBoot settings in Server Admin to configure NetBoot on your server.

You turn on NetBoot service using Server Admin. See Start NetBoot and related services and Enable images.

(Optional) Set up Ethernet address filtering

NetBoot filtering is performed based on the client computer hardware address. Each client’s hardware address is registered when the client selects a NetBoot or NetInstall volume from the startup disk. You can permit or deny specific clients by address. See Restrict NetBoot clients by filtering addresses.

Test your NetBoot setup

Because there is a risk of data loss or of bringing down the network (by misconfiguring DHCP), test your NetBoot setup before implementing it. Test each Macintosh model you support to verify that there are no problems booting into the image on a specified hardware type.

Set up client computers to use NetBoot

When you’re satisfied that NetBoot is working on all types of client computers, set up the client computers to start from the NetBoot disk images.

You can use the client computer’s Startup Disk System Preferences pane to select a startup disk image from the server and then restart the computer. See Select a NetBoot boot image.

You can also restart the client computer and hold down the N key until the NetBoot icon starts flashing on the screen. The client starts from the default image on the NetBoot server. See Start up using the N key.

Enable NetBoot service

Before you can configure NetBoot settings, you must turn NetBoot service on in Server Admin.

1. Open Server Admin and connect to the server.

2. Click Settings.


3. Click Services.

4. Click the NetBoot checkbox.

5. Click Save.

Configure NetBoot General settings

You use General settings to enable NetBoot service on at least one port and select where image and client data resides.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Settings, then click General.

5. In the Enable column, click the checkbox next to the network ports you want to use for serving images.

6. In the Images column, click the checkbox to choose where to store images.

7. In the Client Data column, click the checkbox for each local disk volume where you want to store shadow files used by Mac OS X Lion diskless clients.

8. Click Save.

Configure Images settings

You use Images settings to enable images and select the default image.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Settings, then click Images.

5. Enable the images you want clients to use, specify if they are available for diskless clients, and choose the protocol for delivering them.

If you’re not sure which protocol to use, choose NFS.

6. In the Default column, click the checkbox to select the default image.

You must select separate default images for Intel-based and PowerPC-based Macintosh clients. (Mac OS X Server v10.6 and later cannot create images for PowerPC-based computers, so the PowerPC default matters only if you still serve images created with Mac OS X Server v10.5 or earlier.)

7. Click Save.

Configure filter settings

To restrict client computers, you can set up filters that allow or deny access to NetBoot service depending on the computer’s MAC address.

You can enter a MAC address in canonical or noncanonical form in the filter list. The canonical form of a MAC address contains leading zeros and lowercase hex digits separated by a “:”. For example, 01:a1:0c:32:00:b0 is the canonical form of a MAC address and 1:a1:c:32:0:b0 is the noncanonical form of the same MAC address.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Settings, then click Filters.

5. Select “Enable NetBoot/DHCP filtering.”

6. Select “Allow only clients listed below (deny others)” or “Deny only clients listed below (allow others).”

7. Use the Add button (+) and Delete button (–) to set up the list of client addresses, and click OK.

To look up a MAC address, enter the client’s DNS name or IP address in the Host Name field and click Find.

To find the hardware address for a computer using Mac OS X Lion, look on the TCP/IP pane of the computer’s Network preferences or run System Profiler.

8. Click Save.

Note: You can also restrict access to a NetBoot image by selecting the name of the image in the Images pane of NetBoot service settings in Server Admin, clicking the Edit button, and providing the required information.
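Because the filter list accepts both forms, two entries for the same client can look different on screen, and a deny entry typed in the wrong form would be a silent no-op if the comparison were textual. The following added example (not Apple code and not part of the original manual) shows the normalization that makes the two forms equivalent and models the allow-only/deny-only decision of the Filters pane so you can test a list before pasting it into Server Admin. Keep in mind that the hardware address is asserted by the client and can be changed in software, so this filter is an administrative control on who boots by default, not an authentication boundary; the filter class and its mode names are this example’s own, not a Server Admin API.

```python
import re

# One to two hex digits per octet, six octets, colon separated: accepts the
# canonical form (01:a1:0c:32:00:b0) and the noncanonical form (1:a1:c:32:0:b0).
_MAC_RE = re.compile(r"^[0-9a-fA-F]{1,2}(:[0-9a-fA-F]{1,2}){5}$")


def canonical_mac(addr: str) -> str:
    """Return the canonical form: six two-digit lowercase hex octets joined by ':'.

    Raises ValueError for anything that is not a colon-separated MAC address,
    so a typo in a deny list fails loudly instead of silently matching nothing.
    """
    addr = addr.strip()
    if not _MAC_RE.match(addr):
        raise ValueError(f"not a MAC address: {addr!r}")
    return ":".join(f"{int(octet, 16):02x}" for octet in addr.split(":"))


class NetBootFilter:
    """Allow/deny decision modelled on the Server Admin Filters pane (example class).

    mode is 'allow_only' ("Allow only clients listed below (deny others)") or
    'deny_only' ("Deny only clients listed below (allow others)").
    """

    def __init__(self, mode: str, addresses) -> None:
        if mode not in ("allow_only", "deny_only"):
            raise ValueError(f"unknown filter mode {mode!r}")
        self.mode = mode
        # Canonicalize once so duplicates in either form collapse to one entry.
        self.addresses = {canonical_mac(a) for a in addresses}

    def permits(self, addr: str) -> bool:
        """True if a client with this hardware address may use NetBoot service."""
        listed = canonical_mac(addr) in self.addresses
        return listed if self.mode == "allow_only" else not listed


if __name__ == "__main__":
    # Constructed sample list for the example; the lab's real list would be pasted here.
    lab = NetBootFilter("allow_only", ["1:a1:c:32:0:b0", "00:1E:C2:AA:BB:CC"])
    for client in ("01:a1:0c:32:00:b0", "0:1e:c2:aa:bb:cc", "00:11:22:33:44:55"):
        print(client, "->", "allow" if lab.permits(client) else "deny")
```

The same normalization is what you want when you reconcile the filter list against other inventories (a DHCP lease list, an asset database) that store addresses in yet another form.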

Configure NetBoot Logging settings

You use Logging settings to choose the level of detail recorded in the service log.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Settings, then click Logging.

5. From the pop-up menu, choose the log detail level (Low, Medium, or High).

6. Click Save.

Use serveradmin to configure NetBoot logging

You can use serveradmin to configure NetBoot settings.

To configure a NetBoot service setting:

$ sudo serveradmin settings netboot:logging_level = value

To view NetBoot service configuration settings:

$ sudo serveradmin settings netboot

Parameter Description

logging_level Default = Medium

Possible values are Low, Medium, or High.


For information about command-line parameters, see NetBoot service settings. For information about serveradmin, see its man page.

Enable NetBoot 1.0 for older NetBoot clients

For older computers, such as tray-loading iMac or Power Macintosh G3 (Blue and White) computers, to use NetBoot, you must enable NetBoot 1.0. You can do so by using the dscl tool.

Note: NetBoot 1.0 and 2.0 can run on the same network simultaneously.

Enter the following:

$ sudo dscl . create /config/dhcp old_netboot_enabled port_list

$ sudo killall bootpd

Parameter Description

port_list    List of ports you want to enable for NetBoot 1.0, given as separate space-separated values, for example en0 en1 en2.

Start NetBoot and related services

NetBoot service uses AFP, NFS, DHCP, Web, and TFTP services, depending on the types of clients you’re trying to boot. (See NetBoot considerations and requirements.) You can use Server Admin to start DHCP, Web, and NetBoot services. You can use the Server app to start AFP. NFS and TFTP services start automatically.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. If you boot diskless Mac OS X Lion clients, start AFP service in the Server app by selecting File Sharing and then turning it on.

4. If your server is providing DHCP service, make sure the DHCP service is configured and running; otherwise, DHCP service must be supplied by another server on your network.

If your NetBoot server is also supplying DHCP service, you might get better performance if you configure your server as a gateway. That is, configure your subnets to use the server’s IP address as the router IP address.

5. From the expanded Servers list, select NetBoot.

6. Click Settings, then click General.

7. Select which network ports to use for providing NetBoot service.

You can select one or more network ports to serve NetBoot images. For example, if you have a server with two network interfaces, each connected to a network, you can choose to serve NetBoot images on both networks.

8. Click Images.

9. Select the images to serve.

10. Click Save.

11. Click the Start NetBoot button (below the Servers list).

Start NetBoot from the command line


You can use serveradmin to start NetBoot services using the command line.

To start NetBoot and supporting services:

$ sudo serveradmin start netboot

If you get the following response, you have not enabled NetBoot on a network port:

netboot:state = "STOPPED"
netboot:status = 5000

For information about serveradmin, see its man page.

Enable images from the command line

You can use serveradmin to enable images on your server, to make the images available to client computers for NetBoot startups.

To enable disk images:

$ sudo serveradmin settings netboot:netBootImagesRecordsArray:_array_index:n:IsEnabled = yes

Parameter Description

netBootImagesRecordsArray:_array_index:n:IsEnabled    Default = no. Sets whether the image is available to NetBoot clients.

n    The array index of the image record you want to enable (not a volume number). Run sudo serveradmin settings netboot to see which index each image has been assigned.

For information about command-line parameters, see NetBoot service settings. For information about serveradmin, see its man page.
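Before you flip an image record’s IsEnabled from the command line it is worth reading the current state back, since the only thing identifying a record is its array index. The following added example (not Apple code and not part of the original manual) parses the key = value lines that serveradmin settings netboot prints, groups the _array_index entries into per-image and per-volume records, and runs a few consistency checks drawn from this chapter: a default image that is not enabled, more than one default, and a diskless-capable image enabled with no volume selected for client shadow files (in which case shadow files land on the client’s local disk, as described under Allocation of Shadow Files). The sample output is constructed for the example; the IsEnabled key, the storage-record keys and the key = value layout are the ones shown on this page, while the other per-image keys (Name, Index, IsDefault, SupportsDiskless) are assumed to mirror NBImageInfo.plist.

```python
import re

# Constructed sample of `sudo serveradmin settings netboot` output (example data,
# not captured from a real server). Per-image keys other than IsEnabled are assumed
# to mirror NBImageInfo.plist.
SAMPLE_OUTPUT = """\
netboot:logging_level = "Medium"
netboot:netBootImagesRecordsArray:_array_index:0:Name = "LionNetBoot"
netboot:netBootImagesRecordsArray:_array_index:0:Index = 4097
netboot:netBootImagesRecordsArray:_array_index:0:IsEnabled = yes
netboot:netBootImagesRecordsArray:_array_index:0:IsDefault = yes
netboot:netBootImagesRecordsArray:_array_index:0:SupportsDiskless = yes
netboot:netBootImagesRecordsArray:_array_index:1:Name = "LionNetInstall"
netboot:netBootImagesRecordsArray:_array_index:1:Index = 2
netboot:netBootImagesRecordsArray:_array_index:1:IsEnabled = no
netboot:netBootImagesRecordsArray:_array_index:1:IsDefault = yes
netboot:netBootImagesRecordsArray:_array_index:1:SupportsDiskless = no
netboot:netBootStorageRecordsArray:_array_index:0:volName = "Macintosh HD"
netboot:netBootStorageRecordsArray:_array_index:0:sharepoint = yes
netboot:netBootStorageRecordsArray:_array_index:0:clients = no
"""

_LINE = re.compile(r"^(?P<key>\S+)\s*=\s*(?P<value>.*)$")
_ARRAY = re.compile(r"^(?P<prefix>.+):_array_index:(?P<n>\d+):(?P<field>[^:]+)$")


def parse_value(raw: str):
    """Map serveradmin's textual values to Python: "str", yes/no, integers."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw in ("yes", "no"):
        return raw == "yes"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_settings(text: str) -> dict:
    """Turn `key = value` lines into a flat dict keyed by the full setting name."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            settings[m["key"]] = parse_value(m["value"])
    return settings


def group_array(settings: dict, prefix: str) -> dict[int, dict]:
    """Collect prefix:_array_index:n:field keys into {n: {field: value}}."""
    records: dict[int, dict] = {}
    for key, value in settings.items():
        m = _ARRAY.match(key)
        if m and m["prefix"] == prefix:
            records.setdefault(int(m["n"]), {})[m["field"]] = value
    return records


def audit(settings: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings: list[str] = []
    images = group_array(settings, "netboot:netBootImagesRecordsArray")
    volumes = group_array(settings, "netboot:netBootStorageRecordsArray")
    enabled = {n: r for n, r in images.items() if r.get("IsEnabled")}
    if not enabled:
        findings.append("no image is enabled; clients have nothing to boot from")
    if sum(1 for r in enabled.values() if r.get("IsDefault")) > 1:
        findings.append("more than one enabled image is marked as the default")
    for n, r in images.items():
        if r.get("IsDefault") and not r.get("IsEnabled"):
            findings.append(f"image {n} ({r.get('Name')}) is marked default but not enabled")
    shadow_volumes = [r for r in volumes.values() if r.get("clients")]
    if any(r.get("SupportsDiskless") for r in enabled.values()) and not shadow_volumes:
        findings.append("a diskless-capable image is enabled but no volume is selected "
                        "for client shadow files (Client Data column)")
    return findings


if __name__ == "__main__":
    # On the server: settings = parse_settings(subprocess.check_output(
    #     ["sudo", "serveradmin", "settings", "netboot"], text=True))
    for n, rec in sorted(group_array(parse_settings(SAMPLE_OUTPUT),
                                     "netboot:netBootImagesRecordsArray").items()):
        print(n, rec.get("Name"), "enabled" if rec.get("IsEnabled") else "disabled")
    for finding in audit(parse_settings(SAMPLE_OUTPUT)):
        print("!", finding)
```

The index printed beside each image name is the n to put into the serveradmin settings netboot:netBootImagesRecordsArray:_array_index:n:IsEnabled = yes command above.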

Balance NetBoot image access

If you add a second NetBoot server to a network, have your users reselect their NetBoot image in the Startup Disk control pane orpreferences pane. This causes the NetBoot server load to be redistributed between the servers.

You can also force redistribution of the load by deleting the /var/db/bsdpd_clients file from the existing NetBoot server.

Note: After deleting the bsdpd_clients file, the server does not remember which clients selected which NetBoot or NetInstall volumes via Startup Disk. Unless the clients reselect their intended NetBoot or NetInstall volumes, the clients boot into the default image on the server.

Similarly, if you’re recovering from a server or infrastructure failure and your clients are starting up from a reduced number of NetBoot servers, delete the bsdpd_clients file from the running servers so clients can again start from among the entire set of servers.

The bsdpd_clients file holds the Ethernet MAC addresses of the computers that have selected the server as their NetBoot server.

As long as a client has an entry in an available server’s bsdpd_clients file, it always starts from that server. If that server becomes unavailable, the clients locate and associate themselves with an available server until you remove their entries (or the files) from their servers.

Note: If a client is registered on more than one server because an unavailable server comes back on line, the client starts up from the server with the fewest number of clients that started from it.

Enable images

You must enable disk images on your server to make the images available to client computers for NetBoot startups.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Settings, then click Images.

5. For each image you want your clients to see, click the checkbox in the Enable column.

6. Click Save.

Choose where images are stored

You can use Server Admin to choose volumes for storing NetBoot and NetInstall images.

WARNING: Don’t rename a NetBoot share point or the volume it resides on. Don’t use Server Admin to stop sharing for a NetBoot share point unless you first deselect the share point for images and shadow files.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Settings, then click General.

5. In the list of volumes (in the lower half of the pane), click the checkbox in the Images column for each volume you want to store image files on.

6. Click Save.

Choose where images are stored, from the command line

You can use serveradmin to choose volumes for storing NetBoot and NetInstall images.

To specify a volume to store image files:

$ sudo serveradmin settings
netboot:netBootStorageRecordsArray:_array_index:n:sharepoint = value
netboot:netBootStorageRecordsArray:_array_index:n:clients = value
netboot:netBootStorageRecordsArray:_array_index:n:ignorePrivs = value
netboot:netBootStorageRecordsArray:_array_index:n:volType = value
netboot:netBootStorageRecordsArray:_array_index:n:path = value
netboot:netBootStorageRecordsArray:_array_index:n:volName = value
netboot:netBootStorageRecordsArray:_array_index:n:volIcon = value
netboot:netBootStorageRecordsArray:_array_index:n:okToDeleteClients = value
netboot:netBootStorageRecordsArray:_array_index:n:okToDeleteSharepoint = value
Control-D

Parameter (netboot:)                                              Description
netBootStorageRecordsArray:_array_index:n:sharepoint              First parameter in an array describing a volume available to serve images. Default = "no"
netBootStorageRecordsArray:_array_index:n:clients                 Default = "no"
netBootStorageRecordsArray:_array_index:n:ignorePrivs             Default = "false"
netBootStorageRecordsArray:_array_index:n:volType                 Default = voltype. Example: "hfs"
netBootStorageRecordsArray:_array_index:n:path                    Default = "/"
netBootStorageRecordsArray:_array_index:n:volName                 Default = name
netBootStorageRecordsArray:_array_index:n:volIcon                 Default = icon
netBootStorageRecordsArray:_array_index:n:okToDeleteClients       Default = "yes"
netBootStorageRecordsArray:_array_index:n:okToDeleteSharepoint    Default = "yes"
n                                                                 The array index of the storage record (volume) you want to configure, not the index of the default image.

For information about serveradmin, see its man page.

Network infrastructure services ► NetBoot ► Manage images

Choose where shadow files are stored

When a diskless client boots, shadow (temporary) files are stored on the server. You can use Server Admin to specify which server volumes are used to store the shadow files.

WARNING: Don’t rename a NetBoot share point or the volume it resides on. Don’t use Server Admin to stop sharing for a NetBoot share point unless you first deselect the share point for images and shadow files.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Settings, then click General.

5. In the list of volumes (in the lower half of the pane), click the checkbox in the Client Data column for the volumes to store shadow files on.

6. Click Save.

Network infrastructure services ► NetBoot ► Manage images

Use serveradmin to choose where shadow files are stored

You can use serveradmin to specify which server volumes are used to store shadow files.

To specify a volume to store shadow files:

$ sudo serveradmin settings
netboot:netBootStorageRecordsArray:_array_index:n:sharepoint = value
netboot:netBootStorageRecordsArray:_array_index:n:clients = yes
netboot:netBootStorageRecordsArray:_array_index:n:ignorePrivs = value
netboot:netBootStorageRecordsArray:_array_index:n:volType = value
netboot:netBootStorageRecordsArray:_array_index:n:path = value
netboot:netBootStorageRecordsArray:_array_index:n:volName = value
netboot:netBootStorageRecordsArray:_array_index:n:volIcon = value
netboot:netBootStorageRecordsArray:_array_index:n:okToDeleteClients = value
netboot:netBootStorageRecordsArray:_array_index:n:okToDeleteSharepoint = value
Control-D

Parameter (netboot:)                                              Description
netBootStorageRecordsArray:_array_index:n:sharepoint              First parameter in an array describing a volume available to serve images. Default = "no"
netBootStorageRecordsArray:_array_index:n:clients                 Default = "no"
netBootStorageRecordsArray:_array_index:n:ignorePrivs             Default = "false"
netBootStorageRecordsArray:_array_index:n:volType                 Default = voltype. Example: "hfs"
netBootStorageRecordsArray:_array_index:n:path                    Default = "/"
netBootStorageRecordsArray:_array_index:n:volName                 Default = name
netBootStorageRecordsArray:_array_index:n:volIcon                 Default = icon
netBootStorageRecordsArray:_array_index:n:okToDeleteClients       Default = "yes"
netBootStorageRecordsArray:_array_index:n:okToDeleteSharepoint    Default = "yes"
n                                                                 The array index number of the volume you want to set as the default image.

For information about serveradmin, see its man page.

Network infrastructure services ► NetBoot ► Manage images

Use images stored on remote servers

You can store NetBoot or NetInstall images on separate remote servers other than the NetBoot server. You must copy the images from the NetBoot server to the remote server and then configure the remote server to use the images.

1. Copy the image.nbi folder from the NetBoot server to the remote server on a NetBoot share point (/Library/NetBoot/NetBootSPn).

If the image is on the remote server, you can create the .nbi folder on the NetBoot server by duplicating an existing .nbi folder and adjusting the values in its NBImageInfo.plist file.

2. Open Server Admin and connect to the remote server.

3. Click the triangle at the left of the server.

The list of services appears.

4. From the expanded Servers list, select NetBoot.

5. Click Settings, then click Images.

6. For each image you want your clients to see from the remote server, click the checkbox in the Enable column.

7. Select the protocol you want NetBoot to use when serving your image (NFS or HTTP).

8. Click Save.

Network infrastructure services ► NetBoot ► Manage images

Specify the default image

The default image is the image used when you start up a client computer while holding down the N key, providing that the client hasn’t selected a NetBoot or NetInstall volume via Startup Disk. See Start up using the N key.

If you created more than one startup disk image, you can use NetBoot service settings in Server Admin to select the default startup image.

Important: If you have diskless clients, set their boot image as the default image.

If you have more than one NetBoot server on the network, a client uses the default image from the first server that responds. There is no way to control which default image is used when more than one is available.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Settings, then click Images.

5. In the Default column, click the checkbox next to the image.

You can select separate default images for Intel-based and PowerPC-based Macintosh computers. The Architecture column shows the image type. Mac OS X Lion images can boot Intel-based Macintosh computers only.

6. Click Save.

Network infrastructure services ► NetBoot ► Manage images

Use serveradmin to specify the default image

You can use serveradmin to set the default image used when you start up a client computer while holding down the N key.

To specify the default image:

$ sudo serveradmin settings netboot:netBootImagesRecordsArray:_array_index:n:IsDefault = yes

Parameter (netboot:)                                    Description
netBootImagesRecordsArray:_array_index:n:IsDefault      yes: specifies this image file as the default boot image on the subnet.
n                                                       Specifies the array index number of the volume you want to set as the default image.

For information about serveradmin, see its man page.

Network infrastructure services ► NetBoot ► Manage images

Set an image for diskless booting

You can use Server Admin to make an image available for booting client computers that have no local disk drives. Setting an image for diskless booting instructs the NetBoot server to allocate space for the client’s shadow files.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Settings, then click Images.

5. In the Diskless column, click the box next to the image in the list.

6. Click Save.

Important: If you have diskless clients, set their NetBoot image as the default image.

For help specifying where the client’s shadow files are stored, see Choose where shadow files are stored.

Network infrastructure services ► NetBoot ► Manage images

Use serveradmin to set an image for diskless booting

You can use serveradmin to make an image available for booting client computers that have no local disk drives.

To set an image for a diskless boot:

$ sudo serveradmin settings netboot:netBootImagesRecordsArray:_array_index:n:SupportsDiskless = yes

Parameter (netboot:)                                          Description
netBootImagesRecordsArray:_array_index:n:SupportsDiskless     yes: directs the NetBoot server to allocate space for shadow files needed by diskless clients.
n                                                             Specifies the array index number of the volume you want to set as the default image.

For information about serveradmin, see its man page.

Network infrastructure services ► NetBoot ► Manage images

Restrict NetBoot clients by filtering addresses

The filtering feature of NetBoot service lets you restrict access to the service based on the client’s Ethernet hardware (MAC) address. A client’s hardware address is added to the filter list the first time it starts from an image on the server and is permitted access by default, so it is usually not necessary to enter hardware addresses manually.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Settings, then click Filters.

5. Select “Enable NetBoot/DHCP filtering.”

6. Select “Allow only clients listed below (deny others)” or “Deny only clients listed below (allow others).”

7. Use the Add button (+) and Delete button (–) to set up the list of client addresses, and click OK.

To look up a MAC address, enter the client’s DNS name or IP address in the Host Name field and click Find.

To find the hardware address for a computer using Mac OS X Lion, look on the TCP/IP pane of the computer’s Network preferences or run Apple System Profiler.

8. Click Save.

Note: You can also restrict access to a NetBoot image by selecting the name of the image in the Images pane of NetBoot service settings in Server Admin, clicking the Edit (/) button, and providing the required information.

Network infrastructure services ► NetBoot ► Manage images

Use serveradmin to restrict NetBoot clients by filtering addresses

You can use serveradmin to restrict NetBoot clients.

To restrict NetBoot clients:

$ sudo serveradmin settings
netboot:netBootFiltersRecordsArray:_array_index:n:hostName = value
netboot:netBootFiltersRecordsArray:_array_index:n:filterType = value
netboot:netBootFiltersRecordsArray:_array_index:n:hardwareAddress = value
Control-D

Parameter (netboot:)                                          Description
netBootFiltersRecordsArray:_array_index:n:hostName            The host name of the filtered computer, if available.
netBootFiltersRecordsArray:_array_index:n:filterType          Whether the specified computer is allowed or denied access. Options: "allow", "deny"
netBootFiltersRecordsArray:_array_index:n:hardwareAddress     The Ethernet hardware (MAC) address of the filtered computer.
n                                                             The array index number of the volume you want to set as the default image.

For information about command-line parameters, see NetBoot service settings. For information about serveradmin, see its man page.
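As an added example (not Apple's code and not part of the original manual), the following Python builds the key = value block shown above for `sudo serveradmin settings`, reads such a block back, and flags hardware addresses that appear as both "allow" and "deny". It assumes serveradmin's value syntax (yes/no unquoted, strings in double quotes) and a lowercase colon-separated form for hardware addresses; neither detail is stated on this page, and the sample records are constructed.

```python
"""Build and audit NetBoot filter settings for serveradmin (added example, not Apple's code)."""
import re
from collections import defaultdict

ARRAY = "netboot:netBootFiltersRecordsArray:_array_index"
FILTER_KEYS = ("hostName", "filterType", "hardwareAddress")


def normalize_mac(mac):
    """Validate an Ethernet hardware address and return it as lowercase,
    zero-padded, colon-separated octets (assumed canonical form)."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError(f"not an Ethernet hardware address: {mac!r}")
    return ":".join(p.lower().zfill(2) for p in parts)


def is_hardware_address(mac):
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def filter_record(mac, allow=True, host_name=""):
    """One netBootFiltersRecordsArray entry; filterType is "allow" or "deny"."""
    return {"hostName": host_name,
            "filterType": "allow" if allow else "deny",
            "hardwareAddress": normalize_mac(mac)}


def format_value(value):
    """Assumed serveradmin syntax: yes/no booleans and integers bare, strings quoted."""
    if isinstance(value, bool):
        return "yes" if value else "no"
    if isinstance(value, int):
        return str(value)
    return '"%s"' % str(value).replace('"', '\\"')


def render_filter_settings(records, enabled=True):
    """Text to pipe into `sudo serveradmin settings` (terminate input with Control-D)."""
    lines = ["netboot:filterEnabled = " + format_value(enabled)]
    for n, rec in enumerate(records):
        for key in FILTER_KEYS:
            lines.append(f"{ARRAY}:{n}:{key} = {format_value(rec[key])}")
    return "\n".join(lines) + "\n"


_SETTING = re.compile(r"^\s*(\S+)\s*=\s*(.*?)\s*$")


def parse_settings(text):
    """Inverse of render: map `key = value` lines (the shape printed by
    `serveradmin settings netboot`) to Python values."""
    out = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            out[key] = raw[1:-1].replace('\\"', '"')
        elif raw in ("yes", "no"):
            out[key] = raw == "yes"
        elif re.fullmatch(r"-?\d+", raw):
            out[key] = int(raw)
        else:
            out[key] = raw
    return out


def filters_from_settings(settings):
    """Regroup parsed settings into a list of filter records ordered by array index."""
    grouped = defaultdict(dict)
    for key, value in settings.items():
        m = re.fullmatch(re.escape(ARRAY) + r":(\d+):(\w+)", key)
        if m:
            grouped[int(m.group(1))][m.group(2)] = value
    return [grouped[i] for i in sorted(grouped)]


def conflicting_addresses(records):
    """Hardware addresses listed with both "allow" and "deny": a review finding,
    because the intended decision for that client is ambiguous."""
    seen = defaultdict(set)
    for rec in records:
        seen[normalize_mac(rec["hardwareAddress"])].add(rec["filterType"])
    return sorted(mac for mac, kinds in seen.items() if len(kinds) > 1)


# Constructed sample: an allow list for two lab Macs plus one conflicting deny entry.
SAMPLE_RECORDS = [
    filter_record("00-11-22-33-44-55", allow=True, host_name="lab-mac-1"),
    filter_record("0:a:b:c:d:e", allow=True, host_name="lab-mac-2"),
    filter_record("00:11:22:33:44:55", allow=False),
]

if __name__ == "__main__":
    block = render_filter_settings(SAMPLE_RECORDS)
    print(block, end="")
    print("conflicts:", conflicting_addresses(filters_from_settings(parse_settings(block))))
```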

Network infrastructure services ► NetBoot ► Manage images

Set up NetBoot service across subnets

A network boot starts when the client computer broadcasts for computers that will respond to Boot Service Discovery Protocol (BSDP). By default, routers are usually configured to block broadcast traffic to reduce the amount of unnecessary data flowing to other parts of the network.

To provide NetBoot service across subnets, you must configure the router to pass on BSDP traffic to the NetBoot server. To see if your router is capable of passing BSDP traffic, check with your router manufacturer. Sometimes this is also referred to as using a DHCP helper or a DHCP relay agent.

Network infrastructure services ► NetBoot ► Set up NetBoot clients

Set up diskless clients

NetBoot service enables you to configure client computers without locally installed operating systems or even without installed disk drives. Systemless or diskless clients can start from a NetBoot server using the N key method. (See Start up using the N key.)

After the client computer starts, you can use Startup Disk preferences to select the NetBoot disk image as the startup disk for the client. That way you no longer need to use the N key method to start the client from the server.

Removing the system software from client computers gives you more control over user environments. By forcing the client to start up from the server and using client management to deny access to the client computer’s local hard disk, you can prevent users from saving files to the local hard disk.

Client computer requirements

Client computers must have an Ethernet connection to the network that the NetBoot server is on and use DHCP to obtain an IP address.

Network infrastructure services ► NetBoot ► Set up NetBoot clients

Select a NetBoot boot image

On a client computer, use Startup Disk preferences to select a NetBoot boot image.

1. In System Preferences, select Startup Disk.

2. Select the network volume to start the computer with.

3. Click Restart.

The NetBoot icon appears and the computer starts from the selected image.

Network infrastructure services ► NetBoot ► Set up NetBoot clients

Image multiple clients using the multicast asr command

You can enable a multicast image server using the Mac server Multicast asr command. Multicast asr can restore multiple clients simultaneously from one looping multicast of an asr disk image. An asr disk image is the same as a NetRestore image that you create using System Image Utility.

Each client can receive the NetRestore image at any time during a multicast of the image, and the client continues receiving the first part of the next multicast until the client receives the complete NetRestore image.

The server multicasts only one copy of the NetRestore image at a time, and all clients receive this copy.

If the server finishes multicasting the NetRestore image and a client is still requesting the image, the server multicasts the image again. Thus, using multicast asr to stream images to multiple clients doesn’t congest the network nearly as much as Network Install with multiple clients.

To enable the image server, use the asr tool with the -server flag and a correctly built image and plist file.

To start a multicast server for a specified image:

$ asr -source compressed image -server configuration.plist

The image does not start multicasting on the network until a client attempts to start a restore. The server continues to multicast the image until the process is terminated.

To configure a client to receive a multicast stream:

$ sudo asr -source asr://hostname -target targetvol -erase

The client receives the multicast stream from hostname and saves it to the client.

To overwrite an existing image, add -erase. Using -erase with -target indicates an image should be overwritten when doing a multicast.

For information about asr, see its man page.

Network infrastructure services ► NetBoot ► Set up NetBoot clients

Select a NetInstall image

On a client computer, use Startup Disk preferences to select a NetInstall image.

1. In System Preferences, select Startup Disk.

2. Select the network volume to start the computer with.

3. Click Restart.

The NetBoot icon appears, the computer starts from the selected image, and the installer runs.

Network infrastructure services ► NetBoot ► Set up NetBoot clients

Start up using the N key

You can use this method to start up any supported client computer from a NetBoot disk image. When you start up with the N key, the client computer starts up from the default NetBoot disk image. If multiple servers are present, the client starts up from the default image of the first server to respond.

Note: For more information about using the N key when starting the system, see the manual that was provided with the computer. Some computers have extra capabilities.

If an older client computer requires BootP for IP addressing (such as a tray-loading iMac, blue and white Power Mac G3, or older computer), use this method for starting up from a NetBoot disk image. Older computers don’t support selecting a NetBoot startup disk image from the Startup Disk control pane or preferences pane.

The N key also provides a way to start up client computers that don’t have system software installed. See Set up diskless clients.

1. Start up (or restart) the client computer and hold down the N key immediately after you hear the startup tone (while the screen is still black).

You can release the N key when the NetBoot icon appears in the center of the screen.

2. If a login window appears, enter your name and password.

The network disk image has an icon typical of server volumes.

Network infrastructure services ► NetBoot ► Set up NetBoot clients

Change how NetBoot clients allocate shadow files

By default, a Mac OS X Lion NetBoot client places its shadow files in a NetBootClientsn share point on the server, where n is the share point number. If no such share point is available, the client tries to store its shadow files on a local hard disk.

For Mac OS X v10.3 and later images set for diskless booting, you can change this behavior by using a text editor to specify a value for the NETBOOT_SHADOW variable in the image’s /etc/hostconfig file.

Note: This value is set in the /etc/hostconfig file in the image .dmg file, not in the server hostconfig file.

These values are permitted:

Value of NETBOOT_SHADOW    Client shadow file behavior
-NETWORK- (Default)        Try to use a server NetBootClientsn share point for storing shadow files. If no server share point is available, use a local drive.
-NETWORK_ONLY-             Try to use a server NetBootClientsn share point for storing shadow files. If no server share point is available, don’t boot.
-LOCAL-                    Try to use a local drive for storing shadow files. If no local drive is available, use a server NetBootClientsn share point.
-LOCAL_ONLY-               Try to use a local drive for storing shadow files. If no local drive is available, don’t boot.
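The following Python helper, added here and not part of the manual, reads and rewrites the NETBOOT_SHADOW assignment in an image's /etc/hostconfig text and accepts only the four values in the table, so a mistyped value is caught before the image is deployed. The hostconfig content it works on is a constructed sample.

```python
"""Read and set NETBOOT_SHADOW in a NetBoot image's /etc/hostconfig (added example, not Apple's code)."""
import re

# The four permitted values from the table above, mapped to
# (where shadow files go first, where they go if that is unavailable).
# A fallback of None means the client does not boot.
SHADOW_POLICIES = {
    "-NETWORK-":      ("a server NetBootClientsn share point", "a local drive"),
    "-NETWORK_ONLY-": ("a server NetBootClientsn share point", None),
    "-LOCAL-":        ("a local drive", "a server NetBootClientsn share point"),
    "-LOCAL_ONLY-":   ("a local drive", None),
}
DEFAULT_SHADOW = "-NETWORK-"

# An uncommented `NETBOOT_SHADOW=value` line; quotes around the value are tolerated.
_ASSIGNMENT = re.compile(r'^\s*NETBOOT_SHADOW\s*=\s*"?([^"\s]*)"?\s*$')


def is_permitted(value):
    return value in SHADOW_POLICIES


def current_shadow_policy(hostconfig_text):
    """Return the effective NETBOOT_SHADOW value (the last assignment wins, as
    when a shell sources the file); the default applies when none is set."""
    value = DEFAULT_SHADOW
    for line in hostconfig_text.splitlines():
        m = _ASSIGNMENT.match(line)
        if m:
            value = m.group(1)
    if not is_permitted(value):
        raise ValueError(f"unsupported NETBOOT_SHADOW value {value!r}")
    return value


def set_shadow_policy(hostconfig_text, value):
    """Return the file text with exactly one NETBOOT_SHADOW assignment set to
    `value`, rejecting anything outside the permitted set."""
    if not is_permitted(value):
        raise ValueError(f"NETBOOT_SHADOW must be one of {sorted(SHADOW_POLICIES)}, got {value!r}")
    new_line = f"NETBOOT_SHADOW={value}"
    out, replaced = [], False
    for line in hostconfig_text.splitlines():
        if _ASSIGNMENT.match(line):
            if not replaced:            # keep the first assignment in place ...
                out.append(new_line)
                replaced = True
            continue                    # ... and drop any duplicates
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def describe_policy(value):
    """Plain-language summary of the client behaviour a value selects."""
    primary, fallback = SHADOW_POLICIES[value]
    if fallback is None:
        return f"use {primary} for shadow files; if unavailable, do not boot"
    return f"use {primary} for shadow files; if unavailable, use {fallback}"


# Constructed sample of a hostconfig file inside an image, not a real server file.
SAMPLE_HOSTCONFIG = """\
# /etc/hostconfig (constructed sample)
HOSTNAME=-AUTOMATIC-
AFPSERVER=-NO-
NETBOOT_SHADOW=-NETWORK-
"""

if __name__ == "__main__":
    print("current:", current_shadow_policy(SAMPLE_HOSTCONFIG))
    updated = set_shadow_policy(SAMPLE_HOSTCONFIG, "-NETWORK_ONLY-")
    print(updated, end="")
    print(describe_policy(current_shadow_policy(updated)))
```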

Network infrastructure services ► NetBoot ► Manage NetBoot service

Tools for managing NetBoot service

The Server Admin and System Image Utility applications provide a graphical interface for managing NetBoot service in Lion Server. In addition, you can manage NetBoot service from the command line by using Terminal.

These applications are included with Lion Server and can be installed on another computer with Mac OS X Lion, making that computer an administrator computer. For more information about setting up an administrator computer, see the server administration chapter of Getting Started.

Server Admin

Server Admin provides access to tools you use to set up, manage, and monitor NetBoot service and other services. You use Server Admin to:

Set up Lion Server as a DHCP server and configure NetBoot service to use NetBoot and NetInstall images. For instructions, see NetBoot setup overview.

Manage and monitor NetBoot service.

For more information about using Server Admin, see Server Admin help or Advanced Server Administration. This guide includes information about:

Opening and authenticating in Server Admin

Working with specific servers

Administering services

Using SSL for remote server administration

Customizing the Server Admin environment

Server Admin is installed in /Applications/Server/.

Server app

The Server app provides management of clients of Lion Server. For information about using the Server app, see Server app Help. This includes:

Creating users and groups

Administering accounts

Server app is installed in /Applications/.

Workgroup Manager

The Workgroup Manager application provides comprehensive management of clients of Lion Server. For information about using Workgroup Manager, see Workgroup Manager Help. This includes:

Opening and authenticating in Workgroup Manager

Administering accounts

Customizing the Workgroup Manager environment

Workgroup Manager is installed in /Applications/Server/.

System Image Utility

System Image Utility is a tool to create and customize NetBoot, NetInstall, and NetRestore images. With System Image Utility, you can:

Create NetBoot images that can be booted to the Finder.

Create NetInstall images from a DVD or existing Mac OS X Lion partition.

Create NetRestore images from an existing volume.

Assemble a workflow that creates customized NetBoot and NetInstall images.

For instructions on using System Image Utility, see System Image Utility help.

System Image Utility is installed in /Applications/Server/.

Command-line tools

A full range of command-line tools is available for administrators who prefer to use command-driven server administration. For remote server management, submit commands in a secure shell (SSH) session. You can enter commands on a Mac computer using the Terminal application, located in the /Applications/Utilities/ folder.

Network infrastructure services ► NetBoot ► Manage NetBoot service

Turn off NetBoot service

The best way to prevent clients from using NetBoot on the server is to disable NetBoot service on all Ethernet ports.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click the Stop NetBoot button (below the Servers list) and perform one of the following tasks:

To stop service on a specific Ethernet port, click Settings, click General, and deselect the Enable checkbox for the port.

To stop serving a specific image, click Settings, click Images, and deselect the Enable checkbox for the image.

To stop service to a client, click Settings, click Filters, select Enable NetBoot Filtering, choose “Deny only clients listed below,” and add the client’s hardware address to the list.

Network infrastructure services ► NetBoot ► Manage NetBoot service

Use serveradmin to turn off NetBoot service

You can use serveradmin to turn off NetBoot service.

To stop NetBoot service or disable images:

$ sudo serveradmin stop netboot

For information about serveradmin, see its man page.

Network infrastructure services ► NetBoot ► Manage NetBoot service

Disable a boot or installation image

Disabling an image prevents client computers from starting using the image.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Settings, then click Images.

5. In the Enable column, deselect the checkbox for the image.

6. Click Save.

Network infrastructure services ► NetBoot ► Manage NetBoot service

Use serveradmin to disable boot or installation images

You can use serveradmin to disable an image, preventing client computers from starting using the image.

To stop NetBoot service or disable images:

$ sudo serveradmin stop netboot

For information about serveradmin, see its man page.

Network infrastructure services ► NetBoot ► Manage NetBoot service

View a list of NetBoot clients

You can use Server Admin to see a list of clients that have booted from the server.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Clients.

5. To update the list, click the Refresh button (below the Servers list).

Note: This is a cumulative list (a list of all clients that have connected), not a list of currently connected clients. The last boot time is shown for each client.

Network infrastructure services ► NetBoot ► Manage NetBoot service

View a list of NetBoot connections

You can use Server Admin to see a list of clients that are booted from the server. NetInstall clients display install progress information.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Connections.

5. To update the list, click the Refresh button (below the Servers list).

Network infrastructure services ► NetBoot ► Manage NetBoot service

Check the status of NetBoot and related services

You can use Server Admin to check the status of NetBoot service and the services (such as NFS and HTTP) it uses.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Overview to see if the service is running, when the last client update occurred, and which related services are running for an image type.

5. To review the event log, click Log.

6. To see a list of NetBoot clients that have booted from the server, click Clients.

7. To see a list of connected users, click Connections.

The list includes the client computer name, IP address, the percentage complete, and the status.

Network infrastructure services ► NetBoot ► Manage NetBoot service

Use serveradmin to check the status of NetBoot and related services

You can use serveradmin to check the status of NetBoot service and the services (such as NFS and HTTP) it uses.

To see if the service is running:

$ sudo serveradmin status netboot

To see the complete service status:

$ sudo serveradmin fullstatus netboot

For information about serveradmin, see its man page.

Network infrastructure services ► NetBoot ► Manage NetBoot service

View the NetBoot service log

You can use Server Admin to view a log containing diagnostic information.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Log, then use the Filter field to search for specific entries.

Network infrastructure services ► NetBoot ► Manage NetBoot service

Use serveradmin to view the NetBoot service log

You can use serveradmin to view a log containing diagnostic information.

To view the latest entries in a log:

$ tail log-file

To see where service logs are located:

$ sudo serveradmin command netboot:command = getLogPaths

For information about tail and serveradmin, see their man pages.

Network infrastructure services ► NetBoot ► Manage NetBoot service

Performance and load balancing

For good startup performance, the NetBoot server must be available to the client computer relying on it. To provide responsive and reliable NetBoot service, set up multiple NetBoot servers in your network.

Many sites using NetBoot service achieve acceptable responsiveness by staggering the boot times of client computers to reduce network load. Generally, it isn’t necessary to boot client computers at the same time; rather, client computers are booted early in the morning and remain booted throughout the work day.

You can program staggered startup times using the Energy Saver preferences pane.

Load balancing NetBoot images

If heavy usage and simultaneous client startups are overloading a NetBoot server and causing delays, consider load balancing by adding extra NetBoot servers to distribute the demands of the client computers across multiple servers.

When incorporating multiple NetBoot servers, use switches in your network infrastructure. The shared nature of hubs creates a single shared network on which extra servers must vie for time.

Network infrastructure services ► NetBoot ► Manage NetBoot service

Distribute NetBoot images across servers

If you set up more than one NetBoot server on your network, you can place copies of a specific NetBoot image on multiple servers to distribute the load. By assigning the copies the same image index ID in the range 4096–65535, you can advertise them to your clients as a single image to avoid confusion.

Note: You must customize the image by creating a workflow with the Create Image action to assign the image an index ID.

1. Locate the image file on the server where the original image is stored.

2. If the image index ID is 4095 or lower, recreate the image and modify the index ID using the Create Image action in a workflow, then assign the image an index ID in the range 4096–65535.

For more information, see System Image Utility Help.

The image ID can be changed from Server Admin by double-clicking the Image ID field and entering the new ID.

3. Create copies or move image files to other servers.

4. On each server, use Server Admin to enable the image for NetBoot service.

Clients still see the image listed only once in Startup Disk preferences, but the server that delivers its copy of the image is selected based on server activity.

Smaller improvements can be achieved by distributing NetBoot images across multiple disk drives on a single server.
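Added example (not Apple's code and not part of the manual): a Python check over NBImageInfo.plist files collected from several servers that applies the index-ID rules above before the copies are enabled, and a helper that re-indexes a duplicated .nbi's plist. The plist key names (Index, Name, Type, IsDefault, SupportsDiskless, and so on) are assumed from Apple's NBImageInfo.plist format and are not given on this page; the sample images are constructed.

```python
"""Lint NBImageInfo.plist files before placing image copies on several NetBoot servers
(added example, not Apple's code)."""
import plistlib

SHARED_INDEX = range(4096, 65536)   # copies sharing one ID in this range are advertised as one image
LOCAL_INDEX = range(1, 4096)        # IDs in this range identify an image unique to one server
VALID_TYPES = ("NFS", "HTTP")       # protocols NetBoot can serve an image over


def load_image_info(plist_bytes):
    """Parse an NBImageInfo.plist (XML or binary) into a dict."""
    return plistlib.loads(plist_bytes)


def set_index(plist_bytes, new_index):
    """Return a re-indexed copy of the plist, as when duplicating an .nbi folder
    for another server; the new ID must be in the cross-server range."""
    if new_index not in SHARED_INDEX:
        raise ValueError(f"index {new_index} is not in {SHARED_INDEX.start}-{SHARED_INDEX.stop - 1}")
    info = load_image_info(plist_bytes)
    info["Index"] = new_index
    return plistlib.dumps(info)


def check_images(placements):
    """placements: iterable of (server, NBImageInfo dict).
    Returns a list of findings; an empty list means the layout is consistent."""
    findings = []
    by_index = {}
    for server, info in placements:
        idx, name = info.get("Index"), info.get("Name", "<unnamed>")
        where = f"{server}:{name}"
        if not isinstance(idx, int) or not (idx in LOCAL_INDEX or idx in SHARED_INDEX):
            findings.append(f"{where}: Index {idx!r} is not in 1-65535")
            continue
        by_index.setdefault(idx, []).append((server, name))
        if info.get("Type") not in VALID_TYPES:
            findings.append(f"{where}: Type {info.get('Type')!r} is not NFS or HTTP")
        if info.get("SupportsDiskless") and not info.get("IsDefault"):
            findings.append(f"{where}: diskless image is not the default image "
                            "(diskless clients boot the default image)")
    for idx, entries in sorted(by_index.items()):
        servers = {s for s, _ in entries}
        names = {n for _, n in entries}
        if len(servers) > 1 and idx in LOCAL_INDEX:
            findings.append(f"Index {idx} is on {len(servers)} servers but is in the local range "
                            "1-4095; recreate it with an ID in 4096-65535")
        if len(names) > 1:
            findings.append(f"Index {idx} is shared by different images {sorted(names)}; "
                            "clients would see them as one image")
    return findings


def _sample_plist(name, index, **extra):
    """Constructed NBImageInfo.plist content: key names follow Apple's format as
    assumed here, values are made up for the example."""
    info = {"Name": name, "Index": index, "Type": "NFS", "IsEnabled": True,
            "IsDefault": False, "IsInstall": False, "SupportsDiskless": False,
            "RootPath": f"{name}.dmg", "BootFile": "booter"}
    info.update(extra)
    return plistlib.dumps(info)


# Two servers: a correctly shared diskless image, a NetInstall image copied with a
# local-range ID, and an unrelated image that reuses the shared ID.
SAMPLE_PLACEMENTS = [
    ("server-a", load_image_info(_sample_plist("Lion Lab", 4100, IsDefault=True, SupportsDiskless=True))),
    ("server-b", load_image_info(_sample_plist("Lion Lab", 4100, IsDefault=True, SupportsDiskless=True))),
    ("server-a", load_image_info(_sample_plist("Lion Install", 17, IsInstall=True))),
    ("server-b", load_image_info(_sample_plist("Lion Install", 17, IsInstall=True))),
    ("server-a", load_image_info(_sample_plist("Kiosk", 4100, Type="HTTP"))),
]

if __name__ == "__main__":
    for finding in check_images(SAMPLE_PLACEMENTS):
        print("-", finding)
```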

Network infrastructure services ► NetBoot ► Manage NetBoot service

Distribute NetBoot images across server disk drives

Even with a single NetBoot server, you might improve performance by distributing copies of an image across multiple disk drives on the server. By assigning the copies the same image index ID in the range 4096–65535, you can advertise them to your clients as a single image.

Important: Don’t distribute images across different partitions of the same physical disk drive. Doing so does not improve, and can even reduce, performance.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select NetBoot.

4. Click Settings, then click General.

5. In the Images column, select the checkbox for each volume to store images on.

Choose volumes on different physical disk drives.

6. Click Save, then click Images.

7. If the image’s index is 4095 or lower, double-click the ID, enter an index in the range 4096–65535, and save the change.

8. Open Terminal and use the scp secure copy tool to copy the image to the NetBootSPn share points on the other volumes.

For example:

$ scp /Library/NetBoot/NetBootSP0/image.nbi [admin_name]@[ip_address]:/Volumes/Drive2/Library/Ne…

where [admin_name] is an admin login and [ip_address] is the correct IP address for that server.

You are prompted for the password of the admin login.

Network infrastructure services ► NetBoot ► Manage NetBoot service

Distribute shadow files

Clients starting up from Mac OS X Lion diskless images store shadow files on the server.

By default, NetBoot for Mac clients creates a share point for client shadow files on the server boot volume. (You can change this behavior. See Choose where shadow files are stored.)

You can use Server Admin to see this share point and to add others. The share points are named NetBootClientsn, where n is the share point number.

Share points are numbered starting with zero. For example, if your server has two disk volumes, the default shadow-file folder is NetBootClients0 on the boot volume. If you use Server Admin to specify that client data will also be stored on the second volume, the folder is named NetBootClients1. NetBoot stores the first client’s shadow files on NetBootClients0, the second client’s shadow files on NetBootClients1, the third client’s shadow files on NetBootClients2, and so on.

Likewise, with three volumes and eight clients, the first, fourth, and seventh clients use the first volume; the second, fifth, and eighth clients use the second volume; and the third and sixth clients use the third volume. This load balancing is automatic and usually provides optimal performance.

To prevent shadow files from being placed on a specific volume, use the NetBoot service General settings in Server Admin. Deselect the Client Data checkbox for any volume you don’t want shadow files placed on.

You can also prevent shadow files from being placed on a specific volume or partition by deleting the hidden file /Library/NetBoot/.clients, which is a symbolic link, and then stopping and restarting NetBoot service.

Network infrastructure services ► NetBoot ► Manage NetBoot service

NetBoot service settings

General Netboot settings

To configure general NetBoot service setting from Terminal, use the following parameters with the serveradmin tool.

Parameter (netboot:) Description

filterEnabled A parameter that specifies whether cl ient fi l tering is enabled.

Default = "no"

An array of values for each server volume used to store boot or

Distribute shadow files

NetBoot service settings

Page 162: Lion Server_ Advanced Administration

netBootStorageRecordsArray... instal lation images. For a description, see The storage record array.

netBootFiltersRecordsArray... An array of values for each computer explicitly al lowed or disallowedaccess to images. For a description, see The fil ters record array.

netBootImagesRecordsArray... An array of values for each boot or instal lation image stored on theserver. For a description, see The image record array.

netBootPortsRecordsArray... An array of values for each server network port used to del iver boot orinstal lation images. For a description, see The port record array.

The storage record array

An array of the following values appears in NetBoot service settings for each volume on the server used to store boot or installation images.

Parameter (netboot:) Description

netBootStorageRecordsArray:_array_index:n:sharepoint

The first parameter in an array describing a volume available to serve images.

Default = "no"

netBootStorageRecordsArray:_array_index:n:clients

Default = "no"

netBootStorageRecordsArray:_array_index:n:ignorePrivs

Default = "false"

netBootStorageRecordsArray:_array_index:n:volType

Default = "voltype"

Example: "hfs"

netBootStorageRecordsArray:_array_index:n:path

Default = "/"

netBootStorageRecordsArray:_array_index:n:volName

Default = "name"

netBootStorageRecordsArray:_array_index:n:volIcon

Default = "icon"

netBootStorageRecordsArray:_array_index:n:okToDeleteClients

Default = "yes"

netBootStorageRecordsArray:_array_index:n:okToDeleteSharepoint

Default = "yes"

The filters record array

An array of the following values appears in NetBoot service settings for each computer explicitly allowed or denied access to images stored on the server.

Parameter (netboot:) Description

netBootFiltersRecordsArray:_array_index:n:hostName

The host name of the filtered computer, if available.

netBootFiltersRecordsArray:_array_index:n:filterType

Whether the specified computer is allowed or denied access.

Options: "allow" "deny"

netBootFiltersRecordsArray:_array_index:n:hardwareAddress

The Ethernet hardware (MAC) address of the filtered computer.

The image record array

An array of the following values appears in NetBoot service settings for each image stored on the server.

Parameter (netboot:) Description

netBootImagesRecordsArray:_array_index:n:Name

The name of the image as it appears in the Startup Disk control panel (Mac OS 9) or Preferences pane (Mac OS X).

netBootImagesRecordsArray:_array_index:n:IsDefault

yes: Specifies this image file as the default boot image on the subnet.

netBootImagesRecordsArray:_array_index:n:RootPath

The path to the .dmg file.

netBootImagesRecordsArray:_array_index:n:isEdited

Whether the image is edited.

netBootImagesRecordsArray:_array_index:n:BootFile

Name of the boot ROM file: booter.

netBootImagesRecordsArray:_array_index:n:Description

Arbitrary text describing the image.

netBootImagesRecordsArray:_array_index:n:SupportsDiskless

yes: Directs the NetBoot server to allocate space for shadow files needed by diskless clients.

netBootImagesRecordsArray:_array_index:n:Type

NFS or HTTP

netBootImagesRecordsArray:_array_index:n:pathToImage

The path to the parameter list file in the .nbi folder on the server describing the image.

netBootImagesRecordsArray:_array_index:n:Index

1–4095: Indicates a local image unique to the server.

4096–65535: A duplicate, identical image stored on multiple servers for load balancing.

netBootImagesRecordsArray:_array_index:n:IsEnabled

Sets whether the image is available to NetBoot (or Network Image) clients.

netBootImagesRecordsArray:_array_index:n:IsInstall

yes: Specifies a network installation image.

no: Specifies a NetBoot image.

The port record array

An array of the following items is included in the NetBoot service settings for each network port on the server set to deliver images.

Parameter (netboot:) Description

netBootPortsRecordsArray:_array_index:m:isEnabledAtIndex

The first parameter in an array describing a network interface available for responding to netboot requests.

Default = "no"

netBootPortsRecordsArray:_array_index:m:nameAtIndex

Default = "devname"

Example: "Built-in Ethernet"

netBootPortsRecordsArray:_array_index:m:deviceAtIndex

Default = "dev"

Example: "en0"
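The record arrays above are what serveradmin prints for the netboot service, one key = value line per field. The following Python is an added example, not code from the Lion Server guide or from Apple: it parses output in that shape into the storage and filter records, rejects filter entries whose hardware address is malformed or whose filterType is neither "allow" nor "deny", and applies the round-robin shadow-file placement described under Distribute shadow files. The sample output is constructed for the example, and the assumption that the NetBootClientsn numbering counts only volumes whose clients setting is "yes" is mine, not the guide's.

```python
"""Parse serveradmin-style NetBoot settings and work out shadow-file placement.

Added example, not code from the Lion Server guide or from Apple. The sample text is
constructed in the `key = value` shape that `sudo serveradmin settings netboot` prints,
using the parameter names the guide lists.
"""
import re
from collections import defaultdict

# Constructed sample output: three volumes, two filter entries. Not captured from a real server.
SAMPLE_SETTINGS = """\
netboot:filterEnabled = yes
netboot:netBootStorageRecordsArray:_array_index:0:sharepoint = yes
netboot:netBootStorageRecordsArray:_array_index:0:clients = yes
netboot:netBootStorageRecordsArray:_array_index:0:volName = "Server HD"
netboot:netBootStorageRecordsArray:_array_index:0:path = "/"
netboot:netBootStorageRecordsArray:_array_index:1:sharepoint = no
netboot:netBootStorageRecordsArray:_array_index:1:clients = no
netboot:netBootStorageRecordsArray:_array_index:1:volName = "Drive2"
netboot:netBootStorageRecordsArray:_array_index:1:path = "/Volumes/Drive2"
netboot:netBootStorageRecordsArray:_array_index:2:sharepoint = yes
netboot:netBootStorageRecordsArray:_array_index:2:clients = yes
netboot:netBootStorageRecordsArray:_array_index:2:volName = "Drive3"
netboot:netBootStorageRecordsArray:_array_index:2:path = "/Volumes/Drive3"
netboot:netBootFiltersRecordsArray:_array_index:0:hostName = "lab-mac-01"
netboot:netBootFiltersRecordsArray:_array_index:0:filterType = "allow"
netboot:netBootFiltersRecordsArray:_array_index:0:hardwareAddress = "00:1c:b3:aa:bb:cc"
netboot:netBootFiltersRecordsArray:_array_index:1:hostName = ""
netboot:netBootFiltersRecordsArray:_array_index:1:filterType = "deny"
netboot:netBootFiltersRecordsArray:_array_index:1:hardwareAddress = "00-1C-B3-11-22-33"
"""

LINE_RE = re.compile(r"^(?P<key>\S+)\s*=\s*(?P<value>.*)$")
ARRAY_RE = re.compile(r"^netboot:(?P<array>\w+):_array_index:(?P<idx>\d+):(?P<field>\w+)$")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def parse_value(raw):
    """Quoted strings lose their quotes; yes/no become booleans; anything else stays text."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw in ("yes", "no"):
        return raw == "yes"
    return raw


def parse_settings(text):
    """Return (scalars, arrays). scalars: {'filterEnabled': True, ...};
    arrays: {'netBootStorageRecordsArray': [record0, record1, ...], ...} ordered by _array_index."""
    scalars = {}
    arrays = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key"), parse_value(m.group("value"))
        am = ARRAY_RE.match(key)
        if am:
            arrays[am.group("array")].setdefault(int(am.group("idx")), {})[am.group("field")] = value
        elif key.startswith("netboot:"):
            scalars[key[len("netboot:"):]] = value
    return scalars, {name: [recs[i] for i in sorted(recs)] for name, recs in arrays.items()}


def filter_table(arrays):
    """Map normalised MAC address -> 'allow' or 'deny'; reject malformed filter records."""
    table = {}
    for rec in arrays.get("netBootFiltersRecordsArray", []):
        mac = rec.get("hardwareAddress", "")
        if not MAC_RE.match(mac) or rec.get("filterType") not in ("allow", "deny"):
            raise ValueError("bad filter record: %r" % (rec,))
        table[mac.lower().replace("-", ":")] = rec["filterType"]
    return table


def shadow_volumes(arrays):
    """Volumes that accept client shadow files (storage records whose clients setting is yes).
    Assumption (mine, not the guide's): the NetBootClients<n> folder number counts only those volumes."""
    vols = [r for r in arrays.get("netBootStorageRecordsArray", []) if r.get("clients") is True]
    return [("NetBootClients%d" % n, r["path"]) for n, r in enumerate(vols)]


def shadow_location(arrays, client_number):
    """Round-robin placement from the guide: client 1 -> NetBootClients0, client 2 -> NetBootClients1,
    and so on, wrapping back to the first volume when the volumes run out. client_number is 1-based."""
    vols = shadow_volumes(arrays)
    if not vols:
        raise RuntimeError("no volume accepts client shadow files")
    return vols[(client_number - 1) % len(vols)]
```

Running parse_settings over real serveradmin output and then filter_table is a quick way to audit the allow/deny list before enabling filterEnabled; a malformed hardware address silently fails to match a client, which is why the parser refuses it instead of skipping it.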

Network infrastructure services ► NetBoot ► Solve NetBoot problems

NetBoot troubleshooting tips

Make sure a DHCP service is available on your network. It can be provided by DHCP on a Mac server or another server.

Make sure required services are started on the server. See NetBoot considerations and requirements. Open Server Admin and verify the following:

If you’re booting Mac OS X Lion diskless clients, AFP is started

If you’re using HTTP instead of NFS to deliver images, Web service is started

Network infrastructure services ► NetBoot ► Solve NetBoot problems

If NetBoot client computers don't start

If your NetBoot client computers do not start:

Sometimes a computer might not start immediately because other computers are putting a heavy demand on the network. Wait a few minutes and try starting again.

Make sure cables are properly connected and that the computer and server are getting power.

If you installed memory or an expansion card in the client computer, make sure it is installed properly.

If the computer has a local hard disk with a System Folder on it, disconnect the Ethernet cable and try to start the computer from the local hard disk, then reconnect the Ethernet cable and try to start the computer from the network.

Boot the client computer from a local disk and verify that it is getting an IP address from DHCP.

On a diskless or systemless client, start from a system CD and use Startup Disk preferences to select a boot image.

Network infrastructure services ► NetBoot ► Solve NetBoot problems

If you want to change the image name

You can’t edit the name of an image with System Image Utility after you create it. However, there are other ways to change the name, shown below.

Change the name of an uncompressed image

1. Mount the image in Finder by opening the .nbi folder containing the image and double-clicking it.

2. Open Terminal and enter the following command to rename the image:

$ sudo diskutil rename /Volumes/image new_name

Replace image with the name of the image to rename and new_name with the new name of the image.

3. When prompted, enter your administrator password.

The name of the image changes.

4. Unmount the image.

5. Remount the image to verify that it is renamed.

Change the name of a compressed image

1. Mount the image in Finder by opening the .nbi folder containing the image and double-clicking it.

2. Open Disk Utility.

3. Select the image and click Convert.

4. In the Save As field, enter a name.

5. Select a different location to save the image to.

For example, save the image in the Desktop folder.

6. From the Image Format menu, choose read/write.

7. Click Save.

8. Unmount the image.

9. Mount the new image in the Finder.

10. Open a Terminal window and enter the following to rename the image:

$ sudo diskutil rename /Volumes/image new_name

Replace image with the name of the image to rename and new_name with the new name of the image.

11. When prompted, enter your administrator password.

The name of the image changes.

12. Unmount the image.

13. Remount the image to verify that the image is renamed.

14. Unmount the image.

15. Remove the original image from the .nbi folder and store it somewhere else.

16. In Disk Utility, select the new image and click Convert.

17. Give the image the same name as the one it had inside the .nbi folder.

18. In the Where field, select the .nbi folder.

19. From the Format menu, choose Compressed.

20. Click Save.

21. Test the new image to make sure it mounts properly.

22. Discard the old image.

Network infrastructure services ► Network Time Protocol (NTP)

About NTP

Using NTP service for time synchronization is important for reducing confusion that can be caused if time stamps are out of sync.

From shared file systems to billing services, correct timekeeping is a necessity. However, clocks on computers throughout a network can have widely different time stamps. Network Time Protocol (NTP) synchronizes the clocks in networked computers to a reference clock. NTP helps make sure that all computers on a network report the same time.

If an isolated network (or even a computer) is unsynchronized, services that use time and date stamps (such as Mail service, or Web service with timed cookies) send wrong time and date stamps and are out of sync with other computers across the Internet.

For example, a mail message could arrive minutes or years before it was sent (according to the time stamp), and a reply to that message could come before the original was sent.

How NTP works

NTP uses Universal Time Coordinated (UTC) as its reference time. UTC is based on an atomic resonance, and clocks that run according to UTC are often referred to as atomic clocks.

On the Internet, authoritative NTP servers (known as Stratum 1 servers) track the current UTC time. Other subordinate servers (known as Stratum 2 and 3 servers) regularly query Stratum 1 servers and estimate the time taken to send and receive the query. They then factor this estimate with the query result to set the Stratum 2 or 3 servers’ time. The estimates are correct to the nanosecond.

Your LAN can then query Stratum 3 servers for the time. An NTP client computer on your network then takes the UTC time reference and converts it using its own time zone setting to local time, and sets its internal clock accordingly.
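To make the "estimate the time taken to send and receive the query" step concrete, here is an added example in Python; it is not part of the guide and contacts no real server. It builds the 48-byte NTP client request, parses a server reply, and applies the RFC 1305 offset and delay arithmetic to the four timestamps T1 to T4. It also performs the checks a client should make before trusting a reply: that the packet is a server reply, that the server reports itself synchronised, and that the echoed originate timestamp matches the request, which screens out stale or misrouted replies. The server reply is constructed inside the block so it runs offline; the names and constants are the example's own.

```python
"""NTP/SNTP client-side arithmetic: build a request, parse a reply, compute offset and delay.

Added example, not code from the Lion Server guide. The server reply is constructed in
build_constructed_reply() so the block runs offline; no NTP server is contacted.
"""
import struct

NTP_PORT = 123                 # UDP port the guide says the firewall must allow
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
PACKET_FMT = "!B B b b I I I Q Q Q Q"  # LI/VN/Mode, stratum, poll, precision, root delay,
                                       # root dispersion, reference ID, then four 64-bit timestamps


def to_ntp_timestamp(unix_seconds):
    """Unix seconds (float) -> 64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (whole << 32) | frac


def from_ntp_timestamp(ts64):
    return (ts64 >> 32) - NTP_EPOCH_OFFSET + (ts64 & 0xFFFFFFFF) / (1 << 32)


def build_request(transmit_unix):
    """48-byte client request: LI=0, VN=4, Mode=3; only the Transmit Timestamp (T1) is filled in."""
    first_byte = (0 << 6) | (4 << 3) | 3
    return struct.pack(PACKET_FMT, first_byte, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp_timestamp(transmit_unix))


def build_constructed_reply(t1, t2, t3, stratum=2):
    """Constructed server reply (Mode=4) for the offline demonstration. A real server also fills
    root delay, root dispersion and reference ID; they are left at zero here."""
    first_byte = (0 << 6) | (4 << 3) | 4
    return struct.pack(PACKET_FMT, first_byte, stratum, 6, -20, 0, 0, 0,
                       to_ntp_timestamp(t2),   # reference timestamp (last sync), arbitrary here
                       to_ntp_timestamp(t1),   # originate: the client's T1 echoed back
                       to_ntp_timestamp(t2),   # receive: server clock when the request arrived
                       to_ntp_timestamp(t3))   # transmit: server clock when the reply left


def parse_response(packet):
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(PACKET_FMT, packet[:48])
    return {
        "leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7, "stratum": f[1],
        "originate_raw": f[8],                  # T1 as echoed by the server (raw 64-bit value)
        "receive": from_ntp_timestamp(f[9]),    # T2
        "transmit": from_ntp_timestamp(f[10]),  # T3
    }


def clock_offset_and_delay(t1, t2, t3, t4):
    """RFC 1305 / RFC 4330: offset = ((T2 - T1) + (T3 - T4)) / 2, delay = (T4 - T1) - (T3 - T2).
    Subtracting the server's own processing time (T3 - T2) from the round trip is the
    'estimate of the time taken to send and receive the query' that the guide describes."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def sync_check(t1, reply, t4):
    """Validate a reply before using it, then return (offset, delay) in seconds.
    t1 is the client clock when the request was sent, t4 when the reply arrived."""
    r = parse_response(reply)
    if r["mode"] != 4:
        raise ValueError("not a server reply (mode %d)" % r["mode"])
    if r["leap"] == 3 or not 1 <= r["stratum"] <= 15:
        raise ValueError("server clock not synchronised (leap=%d, stratum=%d)" % (r["leap"], r["stratum"]))
    if r["originate_raw"] != to_ntp_timestamp(t1):
        # A reply that does not echo our T1 is stale, misrouted or forged: discard it.
        raise ValueError("originate timestamp does not match the request")
    return clock_offset_and_delay(t1, r["receive"], r["transmit"], t4)
```

A positive offset means the local clock is behind the server; the client applies the offset (gradually, in a real implementation) rather than simply copying T3, because T3 is already stale by half the network delay when it arrives.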

NTP on your network

Lion Server can act as an NTP client, receiving authoritative time from an Internet time server, and as an authoritative time serverfor a network. Your local clients can query your server to set their clocks.

If you set your server to answer time queries, set it to also query an authoritative time server on the Internet.

Find more information about NTP

The working group, documentation, and FAQ for NTP can be found at www.ntp.org.

Listings of publicly accessible NTP servers and their use policies can be found at support.ntp.org/bin/view/Servers/WebHome.

Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol shouldbehave.

If you’re a novice server administrator, you’ll probably find some of the background information in an RFC helpful.

If you’re an experienced server administrator, you can find all technical details about a protocol in its RFC document.

You can search for RFC documents by number at www.ietf.org/rfc.html.

The official specification of NTP is RFC 1305.

RELATED TOPICS

Configure NTP service on clients

Set up NTP service

Network infrastructure services ► Network Time Protocol (NTP)

Configure NTP service on clients

If you have a local time server, you can configure clients to query your time server for the network date and time. By default, clients can query Apple’s time server.

Use the following instructions to set your clients to query your time server.

1. Open System Preferences.

2. Click Date & Time.

3. Select the “Set date & time automatically” checkbox.

4. Select and delete the text in the field rather than using the pop-up menu.

5. Enter the host name of your time server.

Your host name can be a domain name (such as time.example.com) or an IP address.

6. Close System Preferences.

RELATED TOPIC

About NTP

Network infrastructure services ► Network Time Protocol (NTP)

Set up NTP service

If you run NTP service on your network, make sure your designated NTP server can access a higher-authority time server. Apple provides a Stratum 2 time server for customer use at time.apple.com.

Make sure your firewall permits NTP queries to an authoritative time server on UDP port 123, and that it also permits incoming queries from local clients on the same port.

1. Open Server Admin and connect to the server.

2. Click Settings, then click Date & Time.

3. Make sure your server is configured to “Set date & time automatically.”

4. From the pop-up menu, choose the server to act as a time server.

5. Click General.

6. Select the Network Time Server (NTP) checkbox.

7. Click Save.

RELATED TOPIC

About NTP

Network infrastructure services ► SSL Certificates

Replace certificates

If you've assigned a certificate to a particular service, or to all services as a group, you can replace those certificates. You might replace the default self-signed certificate with one that's been signed by a third party, or you might need to replace an expired certificate. See Obtaining a Signed Certificate.

If you receive a signed certificate from a third party, it should have an extension of .cer, .crt, or .p12.

RELATED INFORMATION

Obtain a CA–signed certificate

Network infrastructure services ► SSL Certificates

Create a self-signed certificate

If your server doesn’t have an SSL certificate or if you need another one, start by creating a self-signed certificate.

1. Select the server under Hardware in the Server app sidebar.

2. Click Settings and then click the Edit button at the right of SSL Certificate.

3. From the Action pop-up menu, choose Manage Certificates.

4. Click the Add button (+) and choose Create Self-Signed Certificate from the pop-up menu.

5. In the Name field of the Certificate Assistant, enter your server's fully qualified host name (for example, server.example.com) and click Continue.

Leave the other settings unchanged. Identity Type should be Self Signed Root, Certificate Type should be SSL Server, and “Let me override defaults” should be deselected.

You can choose the new self-signed certificate for the server. For information, see Using an SSL certificate.

You can also use the new self-signed certificate to request a signed certificate from a certificate authority. For instructions, see Obtain a signed certificate.

Network infrastructure services ► SSL Certificates

Import a certificate identity

If you have files containing an SSL certificate and matching private key, you can import them and then use the certificate to secure services provided by your server.

The SSL keys and certificates must be in Privacy Enhanced Mail (PEM) format. If your certificates and keys aren’t in PEM format, you must convert them.

1. In the Finder, locate the files containing the certificate and matching private key, and put the files where you can see them while using Server Preferences (for example, on the desktop).

2. In the Server app, select your server's name under Hardware in the Server app sidebar.

3. In the Settings pane, click the Edit button at the right of SSL Certificate.

4. From the Action pop-up menu, choose Manage Certificates.

5. Click + and then choose Import a Certificate Identity from the menu.

6. Drag the files containing the certificate and private key to the middle of the dialog.

7. Click the Import button and if prompted, enter the private key passphrase.
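Because the import step accepts only PEM, it helps to check what format a file actually holds rather than trusting its extension. The Python below is an added example (not code from the guide or from Apple) that distinguishes PEM, bare DER (the usual content of a .cer or .crt file) and PKCS#12 (.p12) by their structure, lists the PEM block labels found, and reports whether a certificate/key pair is ready to import or must be converted first. The sample inputs are constructed minimal DER fragments, not real certificates or keys; function names are the example's own.

```python
"""Tell PEM, DER and PKCS#12 apart so you know whether a certificate or key needs converting.

Added example, not code from the Lion Server guide. The sample inputs are constructed DER
fragments wrapped the way real files are; they are not real certificates or keys.
"""
import base64
import binascii
import re

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----")

# Constructed samples. The DER payload is SEQUENCE { INTEGER 1 }, the smallest thing that has the
# outer shape of a certificate; the PKCS#12 sample is SEQUENCE { INTEGER 3, OCTET STRING "" }.
CONSTRUCTED_PEM_CERT = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
CONSTRUCTED_PEM_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMAMCAQE=\n-----END RSA PRIVATE KEY-----\n"
CONSTRUCTED_DER_CERT = bytes.fromhex("3003020101")
CONSTRUCTED_P12 = bytes.fromhex("30050201030400")


def der_length(data, pos):
    """Decode the DER length at data[pos]; return (length, index of the first content byte)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def looks_like_der(data):
    """True when data is exactly one DER SEQUENCE, the outer element of a cert, key or PKCS#12 file."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    length, start = der_length(data, 1)
    return start + length == len(data)


def is_pkcs12(data):
    """PFX ::= SEQUENCE { version INTEGER (v3), ... }: the first inner element is INTEGER 3."""
    if not looks_like_der(data):
        return False
    _, pos = der_length(data, 1)
    return data[pos:pos + 3] == b"\x02\x01\x03"


def classify(data):
    """Return (format, labels) with format one of 'PEM', 'PKCS12', 'DER', 'unknown'.
    labels lists the PEM block types found (CERTIFICATE, RSA PRIVATE KEY, ...)."""
    labels = []
    for label, body in PEM_BLOCK_RE.findall(data.decode("ascii", errors="ignore")):
        try:
            inner = base64.b64decode("".join(body.split()), validate=True)
        except (ValueError, binascii.Error):
            continue  # a BEGIN/END pair around garbage is not a PEM block
        if looks_like_der(inner):
            labels.append(label)
    if labels:
        return "PEM", labels
    if is_pkcs12(data):
        return "PKCS12", []
    if looks_like_der(data):
        return "DER", []
    return "unknown", []


def needs_conversion(data):
    """The Server app import wants PEM; anything else must be converted first."""
    return classify(data)[0] != "PEM"


def ready_to_import(cert_data, key_data):
    """Both files PEM, one holding a CERTIFICATE block and the other a PRIVATE KEY block."""
    cert_fmt, cert_labels = classify(cert_data)
    key_fmt, key_labels = classify(key_data)
    return (cert_fmt == "PEM" and "CERTIFICATE" in cert_labels
            and key_fmt == "PEM" and any(l.endswith("PRIVATE KEY") for l in key_labels))
```

The check is structural only: it confirms the container format, not that the certificate is valid or that the key matches it. A PKCS#12 file bundles certificate and key together under a passphrase, which is why it has to be split into two PEM files before the two-file import above.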

Network infrastructure services ► SSL Certificates

Obtain a CA–signed certificate

If your server requires a signed SSL certificate, use a self-signed certificate to request a signed certificate from an external certificate authority (CA).

To obtain a signed certificate from a CA, you need a self-signed certificate. For instructions on creating a self-signed certificate, see Create a self-signed certificate.

You can obtain a valid signed certificate by using the server’s self-signed certificate to generate a certificate signing request (CSR) file, which you send to a known CA. If your request satisfies the authority, it generates and sends you a signed certificate. There is usually a fee involved with this service.

1. Select the server under Hardware in the Server app sidebar.

2. Click Settings and then click the Edit button at the right of SSL Certificate.

3. From the Action pop-up menu, choose Manage Certificates.

4. In the Manage Certificates sheet, select the self-signed certificate you want to use to generate the CSR.

5. From the Action pop-up menu, choose Generate Certificate Signing Request (CSR).

6. Save the CSR file.

Some certificate authorities ask you to enter the CSR text in a field on a webpage instead of uploading a file. In that case, you can copy and paste the text to the CA's website.

7. Upload the CSR file to a CA following the instructions on their website.

On the CA's website, look for SSL Certificates.

You can use the CA of your choice. Here are a few CAs:

Thawte, Inc. (www.thawte.com)

VeriSign, Inc. (www.verisign.com)

Comodo Group, Inc. (www.comodo.com)

After receiving your signed certificate from the CA, you can use it to replace your self-signed certificate. For information, see Use an SSL certificate.

Network infrastructure services ► SSL Certificates

Use an SSL certificate

Your server can use an SSL certificate to provide additional security for services.

The server can use an SSL certificate to identify itself electronically and communicate securely with users’ computers and other servers on the local network and the Internet. The SSL certificate provides additional security for Address Book, iCal, iChat, mail, and web services. These services can use the certificate to securely encrypt and decrypt data they send to and receive from applications on users’ computers.

You can use the self-signed certificate created for your server when you set it up, or a self-signed certificate you created, but users’ applications won’t trust these and will display messages asking if the user trusts your certificate. Using a signed certificate relieves users from the uncertainty and tedium of manually accepting your certificate in these messages. A man-in-the-middle spoofing attack is possible with a self-signed certificate, because users have no way to check that the certificate they are asked to accept really belongs to your server, but not with a CA-signed certificate, which users’ applications can verify, and that means users can trust the services they access.

1. Select the server under Hardware in the Server app sidebar.

2. Click Settings and then click the Edit button at the right of SSL Certificate.

3. From the Action pop-up menu, choose an available certificate.

If the pop-up menu doesn’t contain certificates, create a self-signed certificate. For instructions, see Create a self-signed certificate.

To use a previously generated SSL certificate, import it.

RELATED INFORMATION

Obtain a CA–signed certificate

Replace certificates

Network infrastructure services ► VPN ► About VPN

About VPN

VPN (virtual private network) service lets remote users connect to your intranet over the Internet.

VPN service lets users connect to your intranet from home or other remote locations over the Internet. Users make a secure VPN connection to access services you haven’t made public on the Internet. For example, organizations typically make file sharing available only on their own intranets, requiring their remote users to connect using VPN to access shared files.

VPN service and your server’s firewall can both allow access to services from outside your intranet. The difference is that VPN service requires authentication for access, but allowing access through the firewall doesn’t require authentication. If VPN service is on, you don’t need to expose some services to the Internet through your firewall. For example, you might set the firewall to expose only your web services to the Internet, so the public can view your wikis and custom websites (subject to authentication and access restrictions you impose). Your server’s users can access other services—file sharing, Address Book, iCal, iChat, and mail—through a VPN connection.

To ensure confidentiality, authentication, and communications integrity, VPN service uses the L2TP protocol with a shared secret. The shared secret is like a passphrase, but it isn’t used to authenticate client computer users for a VPN connection. Instead, it allows the server to trust client computers that have the shared secret, and it allows client computers to trust the server that has the secret. Both server and client computers must have the shared secret.

Users’ computers must be configured to make VPN connections. Users’ computers with Mac OS X Lion can be configured automatically. For information, see Provide secure remote access with VPN.

If you want to allow access to VPN service on the Internet and you have a cable router, DSL router, or other network router:

Your router must have port forwarding (port mapping) configured for VPN service. For information about port forwarding, see Port mapping for network and server protection.

Your router and VPN users’ routers must be configured so that they don’t assign conflicting IP addresses. For information, see Provide VPN service through an Internet router.

If you want to allow access to VPN service outside your intranet and your intranet has a separate firewall device, ask the firewall administrator to open the firewall for the ports and protocols that VPN service uses. For a list of ports, see Services and ports.

Network infrastructure services ► VPN ► About VPN

VPN and security

VPNs stress security by requiring strong authentication of identity and encrypted data transport between the nodes for data privacy and dependability.

The following sections contain information about each supported transport and authentication method.

Transport protocols

There are two encrypted transport protocols: Layer Two Tunneling Protocol, Secure Internet Protocol (L2TP/IPSec), and Point–to–Point Tunneling Protocol (PPTP). You can enable either or both protocols. Each has its own strengths and requirements.

L2TP/IPSec

L2TP/IPSec uses strong IPSec encryption to tunnel data to and from network nodes. It is based on Cisco’s L2F protocol.

IPSec requires security certificates (self-signed or signed by a certificate authority such as VeriSign) or a predefined shared secret between connecting nodes.

The shared secret must be entered on the server and the client.

The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that the key management systems use to trust each other.

L2TP is Mac OS X Server’s preferred VPN protocol because it has superior transport encryption and can be authenticated using Kerberos.

PPTP

PPTP is a commonly used Windows standard VPN protocol. PPTP offers good encryption (if strong passwords are used) and supports a number of authentication schemes. It uses the user-provided password to produce an encryption key.

By default, PPTP supports 128-bit (strong) encryption. PPTP also supports the 40-bit (weak) security encryption.

PPTP is necessary if you have Windows clients with versions earlier than Windows XP or if you have Mac OS X v10.2.x clients or earlier.

Authentication method

Mac OS X Server L2TP VPN uses Kerberos v5 or Microsoft’s Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) for authentication. Mac OS X Server PPTP VPN exclusively uses MS-CHAPv2 for authentication.

Kerberos is a secure authentication protocol that uses a Kerberos Key Distribution Server as a trusted third party to authenticate a client to a server.

MS-CHAPv2 authentication encodes passwords when they’re sent over the network, and stores them in a scrambled form on the server. This method offers good security during network transmission. It is also the standard Windows authentication scheme for VPN.

A Mac OS X Server PPTP VPN can also use other authentication methods. Each method has its own strengths and requirements. These other authentication methods for PPTP are not available in Server Admin.

VPN service with a third-party LDAP domain

To use VPN service for users in a third-party LDAP domain (an Active Directory or Linux OpenLDAP domain), you must be able to use Kerberos authentication. If you need to use MS-CHAPv2 to authenticate users, you can’t offer VPN service for users in a third-party LDAP domain.

Network infrastructure services ► VPN ► About VPN

More information about L2TP/IPsec

The Internet Engineering Task Force (IETF) developed formal standards for L2TP/IPsec user authentication.

Request for Comments (RFC) documents provide an overview of a protocol or service and details about how the protocol should behave.

If you’re a novice server administrator, you’ll probably find some of the background information in an RFC helpful.

If you’re an experienced server administrator, you can find all technical details about a protocol in its RFC document.

You can search for RFC documents by number at the website www.ietf.org/rfc.html.

For L2TP description, see RFC 2661.

For IPsec, see RFC 4301 and 4309.

For PPTP description, see RFC 2637.

For Kerberos version 5, see RFC 1510.

Network infrastructure services ► VPN ► Manage VPN

Provide secure remote access with VPN

You can use the Server app to turn on VPN service and customize its settings.

VPN (virtual private network) service lets users connect to your intranet from home or other remote locations over the Internet. Users make a secure VPN connection to access services you haven’t made public on the Internet. For example, organizations typically make file sharing available only on their own intranets, requiring their remote users to connect using VPN to access shared files.

Start VPN service

1. In the Server app sidebar, select the service you want to start.

2. Click the On/Off switch to turn on the service.

3. If a dialog asks whether you want to allow Internet access to the service you turned on, click Allow to configure your AirPort device and make the service accessible to Internet users.

Click Don’t Allow if you don’t want the service to be accessible to computers on the Internet, or if you’re not sure. You can change Internet access to services later by selecting your AirPort device in the Server sidebar. For more information, see Manage AirPort port mapping and Wi-Fi login.

The dialog appears only if your AirPort device is listed in the Server sidebar and you turned on a service that the Server app can manage on your AirPort device. These services include Address Book, iCal, iChat, Mail, and Web.

If you have an Internet router that isn’t listed in the Server sidebar, you can configure it to allow Internet access to services. This process is called port forwarding or port mapping. For information, see Router port mapping.

Start VPN service from the command line

You can start VPN service from the command line.

Open Terminal (located in /Applications/Utilities/), and enter:

$ sudo serveradmin start vpn

For information about serveradmin, see its man page.

Change the VPN shared secret

You can use the Server app to change the shared secret that the server and a client computer use for authentication when making a VPN connection. Periodically changing the shared secret improves VPN security but is inconvenient, because users must also change the shared secret on computers they use for VPN connections.

1. In the Server app sidebar, select VPN and then enter a new secret.

The shared secret should be at least 8 characters (preferably 20 or more) and can include any character you can type. Initially, the shared secret is 20 random characters. The maximum length is 256 UTF-8 characters, and surplus characters are ignored.

You can use Password Assistant to help you compose a new shared secret. Select Users in the sidebar, choose Reset Password from the Action pop-up menu, click the Key button to the right of the New Password field, and then click Cancel and select VPN again in the sidebar. Password Assistant remains open, and you can use it to generate a new shared secret that you copy from the Suggestion field and paste into the Shared Secret field.

2. If you want to verify the secret, select “Show shared secret.”

After you change the secret on the server, all VPN users must make the same change in their VPN configurations.

Change the IP address range for VPN

You can use the Server app to change the range of addresses you want the server to reserve for assigning to remote computerswhen they make a VPN connection to the server. For example, you might make the range larger to make more IP addressesavailable for VPN connections.

1. In the VPN pane of the Server app, change the first or last IP address in the range.

Important: These addresses on the server’s network must not be used by other computers or devices on the network. Thisrange of addresses must not include any static IP addresses in use on the network and must not overlap the range of IPaddresses that the DHCP server assigns.

The range of addresses needs to be large enough for the maximum number of remote computers with concurrent VPNconnections. VPN service assigns an IP address to a remote computer for the duration of a VPN connection. When theremote computer disconnects, VPN service reclaims the IP address.

2. If you have an Internet router that provides DHCP service, such as an AirPort Extreme Base Station (802.11n) or TimeCapsule, you may need to adjust its IP address range so that the DHCP and VPN address ranges don’t overlap.

To configure an AirPort Base Station, use AirPort Utility (in the Utilities folder in Launchpad). For information about changingthe settings of an Internet router, see its documentation.

The IP address that VPN service assigns to a remote computer for its VPN connection doesn’t replace the IP address that theremote computer is already using to connect to the Internet. The remote computer keeps this IP address and any other IPaddresses it’s using, and adds the IP address assigned to it for VPN.

Create a VPN configuration profile

You can use the Server app to create a configuration profile that sets up Macs and iOS devices for your VPN service. After usersopen the profile, they can make a VPN connection to your server and intranet via the Internet.

1. In the Server app sidebar, select VPN, and then click Save Configuration Profile.

2. Specify a filename and location for the configuration profile, enter the host name or IP address of your server on the Internet,and then click Save.

The host name is the full, unique name that you registered with your domain name registrar, such as server.example.com.For more information, see Register the server’s Internet host name.

After you create a profile, you can have users install it on Macs and on iOS devices such as iPhone, iPad, and iPod touch.Distribute the profile to users by email, or post it to a website. When users open the email attachment or the downloaded profile,they're prompted to start the installation process.

You can also distribute profiles over the network directly to iOS devices and Macs by using Profile Manager. For information, seeProvide user configuration profiles.

Note: While VPN service is turned on, make sure the server isn’t configured to use the “Back to My Mac” option of MobileMe. Theserver isn’t using this option unless it’s signed in to a MobileMe account and “Back to My Mac” is turned on in the MobileMe pane ofSystem Preferences. VPN service and "Back to My Mac" conflict because both need to use UDP port 4500.

RELATED TOPICS

About VPN
Provide VPN service through an Internet router
Stop VPN service from the command line
Control a user’s access to services

Provide VPN service through an Internet router

If you have an Internet router, users who also have Internet routers can’t access your VPN service if their intranet addresses begin with the same three numbers as yours. For example, if your server’s IP address is 192.168.1.101, users can’t access your VPN service from other intranets with addresses that begin 192.168.1.

Ask users to change their intranet addresses


You can ask VPN users to change the IP addresses on their home networks to not begin with the same three numbers as the IP addresses on your intranet.

For example, if your intranet IP addresses begin 192.168.1, ask VPN users to use IP addresses beginning with 192.168.2 on their home networks.

Private networks can use addresses beginning with 192.168.0 through 192.168.254, 10.0.0 through 10.254.254, and 172.16.0 through 172.31.254. In all cases, use subnet mask 255.255.255.0.

Change your intranet addresses

To avoid conflicts with VPN users’ IP addresses, you can use an uncommon IP address range on your intranet.

Change the IP addresses of your server and all other devices on your intranet to not use the most common defaults on Internet routers, which are 10.0.1, 192.168.0, and 192.168.1.

You can simply pick a different number between 2 and 254 for the third number of your intranet IP addresses. For example, if your intranet IP addresses begin with 192.168.1, change them to begin with 192.168.58 or 192.168.177. If your intranet IP addresses begin with 10.0.1, change them to begin with 10.0.29 or 10.0.103. You can also use 172.16.0 through 172.31.255. In all cases, use subnet mask 255.255.255.0.

Be sure to change the IP addresses that your Internet router or other DHCP server assigns to computers on your intranet. If you have an AirPort Extreme Base Station (802.11n) or a Time Capsule, use AirPort Utility (located in the Utilities folder in Launchpad). For instructions, see AirPort Utility Help. For information about configuring another kind of Internet router, see its documentation.

RELATED TOPICS

About VPN
Find or change your server’s IP address

Change L2TP settings

You can enable or disable the L2TP protocol and change its settings from the command line.

You must designate an IPSec shared secret (if you don’t use a signed security certificate), the IP address allocation range for users, and the group that uses the VPN service (if needed).

If L2TP and PPTP are used, each protocol should have a separate, nonoverlapping address range.

When configuring VPN, make sure the firewall allows VPN traffic on needed ports with the following settings:

For the “any” address group, enable GRE, ESP, VPN L2TP (port 1701), and VPN ISAKMP/IKE (port 500).

For the “192.168-net” address group, choose to allow all traffic.

1. Open Terminal (located in /Applications/Utilities/), and enter:

$ sudo serveradmin settings

Authenticate if requested. When you run this command, you no longer see the command-line prompt, but you can enter server settings to change them.

2. Enter the following:

vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = value
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = value
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = value
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = value
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = value
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = value
vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:0:Address = value
vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:0:SharedSecret = value
vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:1:Address = value
vpn:Servers:com.apple.ppp.l2tp:Radius:Server:_array_index:1:SharedSecret = value
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = value
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = value
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = value

The settings you entered follow:

Setting (in vpn:Servers:com.apple.ppp.l2tp:) | Default | Set this to
enabled | no | yes
IPv4:DestAddressRanges | _empty_array | value
Server:LoadBalancingEnabled | 0 | value
Server:LoadBalancingAddress | 1.2.3.4 | value
PPP:AuthenticatorProtocol:_array_index:n | "MSCHAP2" | value
PPP:AuthenticatorPlugins:_array_index:n | "DSAuth" | value
Radius:Server:_array_index:0:Address | 1.1.1.1 | value
Radius:Server:_array_index:0:SharedSecret | 1 | value
Radius:Server:_array_index:1:Address | 2.2.2.2 | value
Radius:Server:_array_index:1:SharedSecret | 2 | value
IPSec:AuthenticationMethod | "SharedSecret" | value
L2TP:IPSecSharedSecretValue | "" | value
IPSec:LocalCertificate | "" | value

3. When you finish changing settings, hold down the Control key and press D.

Change PPTP settings

You can enable or disable the PPTP protocol and change its settings from the command line.

You should designate an encryption key length (128 bit recommended for best transport security), the IP address allocation range for your clients, and the group that uses the VPN service (if needed).

If you enable PPTP, make sure all VPN clients support 128-bit PPTP connections for greatest transport security. Using only 40-bit transport security is a serious security risk.

If you use L2TP and PPTP, each protocol should have a separate, nonoverlapping address range.

When configuring VPN, make sure the firewall allows VPN traffic on needed ports with the following settings:

For the “any” address group, enable GRE, ESP, VPN L2TP (port 1701), and IKE (port 500).


For the “192.168-net” address group, choose to allow all traffic.

1. Open Terminal (located in /Applications/Utilities/), and enter:

$ sudo serveradmin settings

Authenticate if requested. When you run this command, you no longer see the command-line prompt, but you can enter server settings to change them.

2. Enter the following:

vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = value
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = value
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = value
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:0:Address = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:0:SharedSecret = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:1:Address = value
vpn:Servers:com.apple.ppp.pptp:Radius:Server:_array_index:1:SharedSecret = value
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeysize40 = value
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeysize128 = value

The settings you entered follow:

Setting (in vpn:Servers:com.apple.ppp.pptp:) | Default | Set this to
enabled | no | yes
IPv4:DestAddressRanges | _empty_array | value
PPP:AuthenticatorProtocol:_array_index:n | MSCHAP2 | value
PPP:AuthenticatorPlugins:_array_index:n | DSAuth | value
Radius:Server:_array_index:0:Address | 1.1.1.1 | value
Radius:Server:_array_index:0:SharedSecret | 1 | value
Radius:Server:_array_index:1:Address | 2.2.2.2 | value
Radius:Server:_array_index:1:SharedSecret | 2 | value
PPP:MPPEKeysize40 | 0 | value
PPP:MPPEKeysize128 | 0 | value

3. When you finish changing settings, hold down the Control key and press D.
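The following Python is an added example, not Apple's code, that checks a VPN address plan against the advice in the Internet-router, L2TP and PPTP topics above (intranet inside a private range and off the common router defaults, client pools inside the intranet and not overlapping between L2TP and PPTP, no collision with a remote user's home network) and then emits the matching serveradmin settings lines. It assumes that DestAddressRanges index 0 is the first pool address and index 1 the last, and it only prints the lines rather than running serveradmin.

```python
import ipaddress

# The three-octet prefixes the page names as the most common Internet-router defaults.
COMMON_DEFAULT_PREFIXES = ("10.0.1", "192.168.0", "192.168.1")

# RFC 1918 private space; every intranet range the page lists falls inside these blocks.
PRIVATE_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def first_three_octets(network):
    """'192.168.58.0/24' -> '192.168.58', the part the page tells you to vary."""
    net = ipaddress.ip_network(network, strict=False)
    return ".".join(str(net.network_address).split(".")[:3])


def intranet_is_private(network):
    """True if the intranet lies inside RFC 1918 space."""
    net = ipaddress.ip_network(network, strict=False)
    return any(net.subnet_of(block) for block in PRIVATE_BLOCKS)


def uses_common_default(network):
    """True if the intranet begins with 10.0.1, 192.168.0 or 192.168.1."""
    return first_three_octets(network) in COMMON_DEFAULT_PREFIXES


def conflicts_with_client(server_network, client_network):
    """A remote user whose home LAN overlaps the server intranet cannot reach the VPN."""
    server = ipaddress.ip_network(server_network, strict=False)
    client = ipaddress.ip_network(client_network, strict=False)
    return server.overlaps(client)


def ranges_overlap(pool_a, pool_b):
    """Pools are (first, last) address strings; True if any address is in both."""
    a0, a1 = (ipaddress.ip_address(x) for x in pool_a)
    b0, b1 = (ipaddress.ip_address(x) for x in pool_b)
    return not (a1 < b0 or b1 < a0)


def pool_inside(network, pool):
    """True if both ends of the pool belong to the intranet."""
    net = ipaddress.ip_network(network, strict=False)
    return all(ipaddress.ip_address(x) in net for x in pool)


def check_plan(intranet, l2tp_pool, pptp_pool, client_networks=()):
    """Return a list of problems; an empty list means the plan follows the page's advice."""
    problems = []
    if not intranet_is_private(intranet):
        problems.append(f"{intranet} is not a private (RFC 1918) range")
    if uses_common_default(intranet):
        problems.append(f"{intranet} uses a common router default prefix")
    for name, pool in (("L2TP", l2tp_pool), ("PPTP", pptp_pool)):
        if not pool_inside(intranet, pool):
            problems.append(f"{name} pool {pool} lies outside {intranet}")
    if ranges_overlap(l2tp_pool, pptp_pool):
        problems.append("L2TP and PPTP address pools overlap")
    for client in client_networks:
        if conflicts_with_client(intranet, client):
            problems.append(f"client network {client} collides with the intranet")
    return problems


def serveradmin_settings(protocol, pool):
    """Lines to type at the `sudo serveradmin settings` prompt for 'l2tp' or 'pptp'.

    Assumption: DestAddressRanges index 0 is the first pool address and index 1
    the last; the page shows the keys but not which index holds which end.
    """
    p = f"vpn:Servers:com.apple.ppp.{protocol}:"
    first, last = pool
    lines = [
        f"{p}enabled = yes",
        f"{p}IPv4:DestAddressRanges:_array_index:0 = {first}",
        f"{p}IPv4:DestAddressRanges:_array_index:1 = {last}",
        f'{p}PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"',
        f'{p}PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"',
    ]
    if protocol == "pptp":
        # 40-bit MPPE is the serious risk the page warns about: leave it off.
        lines += [f"{p}PPP:MPPEKeysize40 = 0", f"{p}PPP:MPPEKeysize128 = 1"]
    return lines


if __name__ == "__main__":
    # Constructed sample plan: an uncommon /24 as the page suggests, two disjoint pools.
    intranet = "192.168.58.0/24"
    l2tp = ("192.168.58.150", "192.168.58.199")
    pptp = ("192.168.58.200", "192.168.58.249")
    for problem in check_plan(intranet, l2tp, pptp, ["192.168.1.0/24"]):
        print("problem:", problem)
    for proto, pool in (("l2tp", l2tp), ("pptp", pptp)):
        print("\n".join(serveradmin_settings(proto, pool)))
```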

Limit VPN access to specific IP addresses

You limit access to the VPN by using Firewall service.


When configuring the firewall for L2TP and PPTP, you must configure GRE, ESP, and IKE to permit VPN access through the firewall.

By default, Firewall service blocks incoming VPN connections, but you can provide limited VPN access to specific IP addresses for security or ease of administration.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Firewall.

4. Click Settings.

5. Select Advanced, then click the Add button (+).

6. From the Action pop-up menu, choose “Allow.”

7. From the Protocol pop-up menu, choose an option.

If you use L2TP for VPN access, choose UDP.

If you use PPTP for VPN access, choose TCP.

8. From the Service pop-up menu, choose VPN L2TP or VPN PPTP.

The relevant destination port is added to the Port field.

9. (Optional) Select the “Log all packets matching this rule” checkbox.

10. From the address pop-up menu of the Source section, choose Other and enter the source IP address range (using CIDR notation) that you want to give access to the VPN.

You can also specify a port in the Port field of the Source section.

Computers that have an IP address in the IP address range that you specified in the source IP address field, communicating on the source port you specified, can connect to the VPN service.

11. From the Destination Address pop-up menu, choose the address group that contains the VPN server (for the destination of filtered traffic).

If you don’t want to use an existing address group, select Other and enter the destination IP address range (with CIDR notation).

You can also specify a port in the Port field of the Destination section.

12. From the Interface pop-up menu that this rule applies to, choose “In.”

“In” refers to the packets coming into the server.

13. Click OK.

14. Click the Add button (+).

15. From the Action pop-up menu, choose “Allow.”

16. From the Protocol pop-up menu, choose a protocol or Other:

If you are adding GRE or ESP, choose Other and enter “any” in the field.

If you are adding VPN ISAKMP/IKE, choose UDP.

17. From the Service pop-up menu, choose a service:

If you are adding GRE, choose “GRE - Generic Routing Encapsulation protocol.”

If you are adding ESP, choose “ESP - Encapsulating Security Payload protocol.”

If you are adding VPN ISAKMP/IKE, choose “VPN ISAKMP/IKE.” Destination port 500 is added to the Port field.

18. From the Address pop-up menu of the Source section, choose “any.”

19. In the Port field of the Source section, enter “any.”


20. From the Address pop-up menu of the Destination section, choose “any.”

21. In the Port field of the Destination section, enter a port number.

If you are adding VPN ISAKMP/IKE, enter 500 if it is not shown.

22. From the Interface pop-up menu, choose “Other” and enter “any” in the Other field of the Interface section.

23. Click OK.

24. Repeat steps 14 through 23 for GRE, ESP, and VPN ISAKMP/IKE.

25. Click Save to apply the filter immediately.
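The Python below is an added example, not Apple's code, that models the rule set the procedure above builds as a default-deny matcher and evaluates a few constructed inbound packets against it, so you can see which sources reach the VPN and which are logged. It assumes PPTP control traffic is TCP port 1723 (a well-known port the page does not spell out) and does not reproduce every detail of Firewall service.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    protocol: str              # "udp", "tcp", "gre" or "esp"
    dst_port: Optional[int]    # None for GRE/ESP, which carry no port
    source: str                # CIDR allowed as the source, or "any"
    log: bool = False          # step 9: "Log all packets matching this rule"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_port: Optional[int] = None


def build_vpn_rules(allowed_sources, l2tp=True, pptp=False, log_vpn=True):
    """Rules from steps 5-13 (one per allowed source) plus steps 14-24 (GRE, ESP, IKE)."""
    rules = []
    for src in allowed_sources:
        if l2tp:
            rules.append(Rule("udp", 1701, src, log_vpn))   # VPN L2TP
        if pptp:
            rules.append(Rule("tcp", 1723, src, log_vpn))   # VPN PPTP (assumed port)
    # Steps 14-24 are repeated for GRE, ESP and VPN ISAKMP/IKE with source "any".
    rules += [Rule("gre", None, "any"), Rule("esp", None, "any"), Rule("udp", 500, "any")]
    return rules


def matches(rule, packet):
    """True if the packet's protocol, destination port and source fit the rule."""
    if rule.protocol != packet.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != packet.dst_port:
        return False
    if rule.source == "any":
        return True
    return ipaddress.ip_address(packet.src_ip) in ipaddress.ip_network(rule.source, strict=False)


def first_match(rules, packet):
    """Firewall service blocks incoming VPN connections unless a rule allows them."""
    for rule in rules:
        if matches(rule, packet):
            return rule
    return None


def is_allowed(rules, packet):
    return first_match(rules, packet) is not None


def explain(rules, packets):
    """Evaluate packets; returns (packet, allowed, logged) rows."""
    rows = []
    for pkt in packets:
        rule = first_match(rules, pkt)
        rows.append((pkt, rule is not None, bool(rule and rule.log)))
    return rows


if __name__ == "__main__":
    rules = build_vpn_rules(["203.0.113.0/24"])   # constructed: one allowed branch range
    samples = [
        Packet("udp", "203.0.113.7", 1701),    # L2TP from the allowed range: allowed, logged
        Packet("udp", "198.51.100.9", 1701),   # L2TP from elsewhere: blocked
        Packet("udp", "198.51.100.9", 500),    # IKE is open to any source
        Packet("esp", "198.51.100.9"),         # ESP likewise
    ]
    for pkt, ok, logged in explain(rules, samples):
        print(pkt, "ALLOW" if ok else "DENY", "(logged)" if logged else "")
```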

View VPN status

You can view VPN status information by using the serveradmin command-line tool. You can see whether the L2TP and PPTP protocols are enabled, how many clients are connected, when the service started, and where log files are located.

For information about serveradmin, see its man page.

View VPN status

Open Terminal (located in /Applications/Utilities/), and enter:

$ sudo serveradmin status vpn

View detailed VPN status

Open Terminal (located in /Applications/Utilities/), and enter:

$ sudo serveradmin fullstatus vpn

View the VPN log

You can monitor the VPN log from the command line.

Monitoring VPN logs helps you make sure your VPN is running properly. VPN logs can help you troubleshoot problems.

For information about tail, see its man page.

View a VPN log

Open Terminal (located in /Applications/Utilities/), and enter:

$ tail log-file

View the log path

Open Terminal (located in /Applications/Utilities/), and enter:

$ sudo serveradmin command vpn:command = getLogPaths

Link remote networks

You can use a VPN to link a computer to a main network, and you can also link networks.


When two networks are linked they can interact as if they are physically connected. Each site must have its own connection to the Internet, but the private data is sent encrypted between the sites.

This type of link is useful for connecting satellite offices to an organization’s main office LAN.

Linking multiple remote LAN sites to a main LAN requires using the s2svpnadmin command-line utility to administer site-to-site VPN.

To use s2svpnadmin you need root privilege access through sudo. For more about s2svpnadmin, see the s2svpnadmin man page.

Linking multiple remote LAN sites to a main LAN can require the creation of a security certificate. The s2svpnadmin tool can create links using shared-secret authentication (both sites have a password in their configuration files) or certificate authentication. To use certificate authentication, you must create the certificate before running s2svpnadmin.

You can only make site-to-site VPN connections using L2TP/IPSec VPN connections. You cannot link two sites using PPTP and these instructions.

This example uses the following settings:

Setting | Description or example
Desired VPN type | L2TP
Authentication | Using shared secret
Shared secret | prDwkj49fd!254
Internet or public IP address of the VPN main LAN gateway (“Site 1”) | A.B.C.D
Internet or public IP address of the VPN remote LAN gateway (“Site 2”) | W.X.Y.Z
Private IP address of site 1 | 192.168.0.1
Private IP address of site 2 | 192.168.20.1
Private network IP address range and netmask for site 1 | 192.168.0.0–192.168.0.255 (also expressed as 192.168.0.0/24 or 192.168.0.0:255.255.255.0)
Private network IP address range and netmask for site 2 | 192.168.20.0–192.168.20.255 (also expressed as 192.168.20.0/24 or 192.168.20.0:255.255.255.0)
Organization’s DNS IP address | 192.168.0.2

The result of this configuration is an auxiliary, remote LAN, connected to a main LAN using L2TP.

Run s2svpnadmin on both site gateways

1. Open Terminal (located in /Applications/Utilities/), and enter:

$ sudo s2svpnadmin

2. Enter the relevant number for “Configure a new site-to-site server.”

3. Enter an identifying configuration name (no spaces).

For this example, you could enter “site_1” on site 1’s gateway, and so on.

4. Enter the gateway’s public IP address.

For this example, enter A.B.C.D on site 1’s gateway and W.X.Y.Z on site 2’s gateway.

5. Enter the other site’s public IP address.

For this example, enter W.X.Y.Z on site 1’s gateway and A.B.C.D on site 2’s gateway.

6. Enter “s” for shared secret authentication, and enter the shared secret “prDwkj49fd!254.”

If you are using certificate authentication, enter “c” and choose the installed certificate you want to use.

7. Enter at least one addressing policy for the configuration.

8. Enter a local subnet network address (for example, 192.168.0.0 for site 1 and 192.168.20.0 for site 2).

9. For the address range, enter the prefix bits in CIDR notation.

In this example, the CIDR notation for the local subnet range is 192.168.0.0/24 for site 1, so you enter 24.

10. Enter a remote subnet network address (for example, 192.168.20.0 for site 1 and 192.168.0.0 for site 2).

11. For the address range, enter the prefix bits in CIDR notation.

In this example, the CIDR notation for the remote subnet range is 192.168.20.0/24 for site 1, so you enter 24.

12. If you have more addressing policies, enter them now; otherwise, press Return.

If you had more sites to connect or a more complex address setup (linking only parts of your main LAN and the remote LAN), you would make more addressing policies for this site configuration now.

Repeat steps 7 through 12 for each new addressing policy.

13. Press “y” to enable the site configuration.

You can verify your settings by choosing to show the configuration details of the server and entering the configuration name (in this example, “site_1”).

14. Exit s2svpnadmin.
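The Python below is an added example, not Apple's code, that works out the addressing-policy inputs for steps 8 through 11 on both gateways: it converts a site's private range, given as first/last address or as a netmask, to the prefix bits s2svpnadmin asks for, mirrors the local/remote pair for the other gateway, and rejects site subnets that overlap. The dictionary layout is this example's own, not s2svpnadmin's.

```python
import ipaddress


def prefix_from_netmask(netmask):
    """'255.255.255.0' -> 24, the number to enter at steps 9 and 11."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen


def prefix_from_range(first, last):
    """'192.168.0.0', '192.168.0.255' -> 24; rejects ranges that are not one CIDR block."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    if len(blocks) != 1:
        raise ValueError(f"{first}-{last} is not a single CIDR block")
    return blocks[0].prefixlen


def forms_agree(first, last, netmask):
    """True when the range form and the netmask form describe the same block."""
    return prefix_from_range(first, last) == prefix_from_netmask(netmask)


def addressing_policies(site1_subnet, site2_subnet):
    """Return what to type on each gateway for steps 8-11 (one policy per site).

    Each entry holds (network, prefix bits) for the local and the remote subnet;
    site 2's policy is site 1's with local and remote swapped, as the steps say.
    """
    s1 = ipaddress.ip_network(site1_subnet)
    s2 = ipaddress.ip_network(site2_subnet)
    if s1.overlaps(s2):
        raise ValueError(f"site subnets {s1} and {s2} overlap; the two LANs must be distinct")
    if not (s1.is_private and s2.is_private):
        raise ValueError("site subnets must be private ranges")
    site1 = {"local": (str(s1.network_address), s1.prefixlen),
             "remote": (str(s2.network_address), s2.prefixlen)}
    site2 = {"local": site1["remote"], "remote": site1["local"]}
    return {"site_1": site1, "site_2": site2}


if __name__ == "__main__":
    # Constructed from the settings table above: 192.168.0.0/24 and 192.168.20.0/24.
    print(prefix_from_range("192.168.0.0", "192.168.0.255"))   # 24
    print(prefix_from_netmask("255.255.255.0"))                  # 24
    for name, pol in addressing_policies("192.168.0.0/24", "192.168.20.0/24").items():
        print(name, "local", pol["local"], "remote", pol["remote"])
```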

Configure the firewall on both site gateways

1. Create an address group for each server with only the server’s public IP address.

In this example, name the first group Site 1 and enter the public IP address of the server. Then name the second group Site 2 and enter the public IP address of the other server.

2. Open the firewall to external VPN connections by enabling L2TP (port 1701) connections and IKE NAT Traversal (port 4500) in the “any” address group.

3. Create the following Advanced IP filter rules on both site gateways:

Filter rule | Action | Protocol | Source Address | Destination Address | Interface
1 | Allow | UDP | Site 1 | Site 2 | Other; enter “isakmp”
2 | Allow | UDP | Site 2 | Site 1 | Other; enter “isakmp”
3 | Allow | Other; enter “esp” | Site 1 | Site 2 |
4 | Allow | Other; enter “esp” | Site 2 | Site 1 |
5 | Allow | Other; enter “ipencap” | Site 1 | Site 2 |
6 | Allow | Other; enter “ipencap” | Site 2 | Site 1 |
7 | Allow | Other; enter “gre” | Site 1 | Site 2 |
8 | Allow | Other; enter “gre” | Site 2 | Site 1 |

These rules permit the encrypted traffic to be passed to both hosts.

4. Save your changes.

5. Start or restart the firewall, as needed.

Start VPN service on both site gateways

1. For both VPN gateways, open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. Select VPN from the expanded Servers list.

If you used s2svpnadmin correctly, the Start button should be enabled and ready to use.

4. Click Start VPN.

You should now be able to access a computer on the remote LAN from the local LAN. To verify the link, use ping or some other means.

About push notification

Push notification provides increased server responsiveness to clients and reduced server load.

What is it?

Push notification lets a server notify a user of changes (a new email, or an event change), without the user requesting an update. A service (like iCal or mail) maintains a simple connection with the client, and the service informs the client that there’s new data.

This differs from previous methods (polling or pull notification), where calendar and mail applications contacted the server at regular intervals requesting data. Using the polling method of notification, the server must attend to each request, no matter whether the user has new data waiting.

With the push method of client updating, only users with new data are contacted, and only as needed.

For best server performance, use push notification. It makes your server more responsive and reduces server workload.

Lion Server push notification cannot host third-party iOS apps’ push notifications. Lion Server push notification does provide push notification for mail, calendar, and Address Book services hosted on Lion Server and accessed using Apple's iOS clients (Mail, Calendar, Contacts).

What uses it?

Push notification is available for the following services:

Address Book service

iCal service

Mail service

Push notification service must be running the same OS version as every service using it, even if the services aren’t running on the same server.

Clients must support push notification to make use of it. Apple’s client applications on Mac OS X v10.6 and iOS 5.0 client applications support push notification service. Third-party client applications may support it.

To make a secure connection between the server and the clients, you need a transport encryption certificate installed on the server and ready for use.

Apple provides a transport encryption certificate when you provide an Apple ID and password in the push notification settings.

RELATED TOPICS

Start push notification service
Change a push certificate’s Apple ID
Revoke push notification connection permission
Renew a push notification certificate
Push notification certificate

Push notification certificate

To secure push notifications, supply your organization’s Apple ID and password. Do not use a personal Apple ID (for example, one that’s already associated with iTunes or Apple’s Developer Center).

Before enabling push notification

To enable secure push notifications, you need an encryption certificate. Apple can issue a certificate to someone with a known identity, such as an Apple ID. The Server app uses this certificate signed by Apple to encrypt push notifications from the server to any client that needs a notification.

Item | Description | Example
Apple ID | This is the user name registered with Apple. Use an Apple ID associated with your organization, and not a personal Apple ID. | [email protected]
Password | This is the password associated with the Apple ID, not the administrator password for the server. | jCvuZvRMIvTTY1
Acquire Certificate | Click to continue enabling push notifications. |
Create one now. | Click to open Safari to a webpage for creating or retrieving an Apple ID. |

After enabling push notification

Once you enable push notification, you can change the Apple ID associated with the certificate, renew the certificate, or revoke the certificate.

Item | Description | Action
Apple ID | This is the user name registered with Apple. | Click Change to reissue a certificate under a different Apple ID.
Expires | The certificate is good until the listed date. You must renew the certificate to avoid interrupted service. | Click Renew to reissue a certificate with the same Apple ID, but with an extended expiration date.
Manage your certificates | This is a link to the Apple Push Certificates Portal. | You revoke compromised certificates using the portal. Click the phrase to open the correct URL in Safari.

RELATED TOPICS

About push notification
Start push notification service
Change a push certificate’s Apple ID
Revoke push notification connection permission
Renew a push notification certificate

Revoke push notification connection permission

To forcibly disable push notifications, you revoke the connection's encryption certificate. After you revoke the certificate, your server can no longer send push notifications.

If the private key portion of your certificate is compromised, revoke the certificate. A compromised certificate can’t ensure authenticity, integrity, or privacy of push notifications. This means users can’t trust that push notifications came from your server, weren’t tampered with in transit, and haven’t been seen surreptitiously.

The private key is a file and can be compromised by theft of the server, the disk it’s stored on, or its backup media. The private key can also be compromised by anyone who has access to your server.

1. Log in to the Apple Push Certificates Portal.

Sign in with the Apple ID you used to request the certificate.

2. In the Mac OS X Server Certificates section, locate the certificate for the desired server.

3. Click Revoke in the Actions column, and confirm the action.

4. When you finish, sign out.

RELATED TOPICS

About push notification
Start push notification service
Change a push certificate’s Apple ID
Renew a push notification certificate
Push notification certificate


Start push notification service

You enable push notification using the Server app.

When you enable push notification, you must supply an Apple ID associated with your organization. Using a personal Apple ID isn’t recommended. You must have, or be ready to create, an Apple ID before you can turn on the service.

1. Select the server in the Hardware section of the Server app sidebar.

2. Select Enable Apple push notifications.

3. Enter the Apple ID and password.

If you don’t have an Apple ID for your organization, follow the link to create one.

4. Click Get certificate.

RELATED TOPICS

About push notification
Change a push certificate’s Apple ID
Revoke push notification connection permission
Renew a push notification certificate
Push notification certificate

Renew a push notification certificate

You must periodically renew certificates used to provide encrypted notification. Renewing a certificate creates a new certificate with a new expiration date.

1. Select the server in the Hardware section of the Server app sidebar.

2. Next to Enable Apple push notifications, click Edit.

3. Next to the expiration date, click Renew.

4. Supply the Apple ID and password.

5. Click Renew certificate.

RELATED TOPICS

About push notification
Start push notification service
Change a push certificate’s Apple ID
Revoke push notification connection permission
Push notification certificate

Change a push certificate’s Apple ID

If you previously enabled push notification and acquired a certificate from Apple, you can change the Apple ID associated with the certificate.

WARNING: Changing your Apple ID replaces the existing certificate and disrupts notifications to registered devices. Users must reregister their Macs and iOS devices with the Apple Push Notification Service.

1. Select the server in the Hardware section of the Server app sidebar.


2. Next to Enable Apple push notifications, click Edit.

3. Next to the Apple ID, click Change.

A warning states that changing the Apple ID disrupts existing push notifications until users reregister their devices with the service.

4. Read the warning and click Continue.

5. Supply the Apple ID and password.

6. Click Renew certificate.

RELATED TOPICS

About push notification
Start push notification service
Revoke push notification connection permission
Renew a push notification certificate
Push notification certificate

About tools for client management

You can manage client accounts using the Server app, the Profile Manager website, and Workgroup Manager. Ideally, you create and manage accounts in the Server app, and configure and manage preferences and application settings in the Profile Manager website.

In the Users and Groups panes of the Server app, you can configure essential user and group account settings. In the service panes of the Server app, you can configure and turn on services for these users and groups.

In the Profile Manager website, you can create configuration profiles, which configure preferences, install certificates, and change application settings. You access the Profile Manager website by clicking links in the Profile Manager pane of the Server app. You can deploy configuration profiles over a network, or distribute them using email or the web. You can use configuration profiles to manage computers, and mobile devices such as iPhone, iPod touch, or iPad.

Workgroup Manager is an app you can use to configure user and group account settings and manage preferences. You can’t configure or turn on services for users and groups. You can manage computers but you can’t manage mobile devices. For more information about Workgroup Manager, see User Management for Mac OS X Server v10.6 at support.apple.com/manuals/.

RELATED TOPICS

About user accounts
About configuration profiles

About administrator accounts

You need an administrator account on your server to create user accounts, create groups, change server settings, and perform other tasks using the Server app. With an administrator account, you can also make changes to locked preferences in System Preferences, install software on the server, and perform other tasks that standard users can’t.

Initially, your server has a primary administrator account but no other administrator accounts. If you enable a network account server (also known as a directory server) on the server, your server will have a primary administrator account and a directory administrator account.

Primary administrator account

The server always has a primary administrator account, whose name and password you entered while setting up the server. The primary administrator account is stored in the server’s local directory with user accounts you create in the Users & Groups pane of System Preferences. You can use this administrator account on the server, and you can use it to manage your server over the network from another Mac.

Directory administrator account


By default, Mac OS X Lion includes a local directory, but doesn’t enable a network account server, which manages network accounts. In the Server app, you can enable a network account server.

If your server has a network account server, the server also has a directory administrator account. This account has the password you entered during setup, but its name is Directory Administrator and its short name is diradmin. If you migrated to Mac OS X Lion from Mac OS X Server v10.6, the name and short name of the directory administrator account is migrated over.

The directory administrator account is stored in the network account server, along with user accounts you create in the Users pane of the Server app. If a malfunction makes the primary administrator account unusable, you can use the server's directory administrator account to authenticate in the Server app and manage the server locally or remotely.

By default, the directory administrator account isn’t shown in the Users pane of the Server app. You can view the directory administrator and all other administrator and system accounts by choosing View > Show System Accounts.

Primary and directory administrator accounts compared

The following table compares the primary administrator account and the directory administrator account.

Feature | Primary administrator | Directory administrator
Name and short name | Specified during setup | Directory Administrator and diradmin
Stored in the server’s local directory | Yes | No
Stored in the server’s network account server | No | Yes
Can be used from an administrator computer | Yes | Yes

Administrators on an upgraded server

If your server was previously upgraded or migrated from a standard or workgroup configuration of Mac OS X Server v10.5 Leopard, you have different administrator accounts. Your primary administrator account is in your server’s directory. This is a directory administrator account, and it has the name and short name specified during Leopard Server setup. You also have an administrator account stored on your server, and it has the name Local Administrator and short name localadmin. For more information about these accounts, see Getting Started for Mac OS X Server v10.5. It’s available on the Apple Manuals website at support.apple.com/manuals/.

Administrator account security

To keep your server secure:

Don’t share an administrator name or password with anyone.

Log out when you leave your server, or set up a locked screen saver using the Security pane of System Preferences. If you leave your server while you’re logged in and the screen is unlocked, someone could make changes using your administrator privileges.

Turn off automatic login in the Users & Groups pane of System Preferences, under Login Options. If the server automatically logs in as an administrator, anyone who can restart the server gets an administrator session without entering a password.

For added security, routinely log in on the server using a standard user account. Use your administrator name and password only when you open the Server app or another application that requires administrator privileges.

RELATED TOPICS

View system and administrator accounts
About user accounts

About user accounts

User accounts on your server let users gain access to services provided by the server. A user account contains the information needed to prove the user’s identity to services that require authentication. A user account also provides a centralized place to store a user’s contact information and other data.

You can add user accounts in the Users pane of the Server app by:

Creating accounts

Importing existing accounts, if your organization has a network account server (also known as a directory server) that your server is connected to

Importing from a file

You can import user accounts individually. You can also automatically import all user accounts that are members of a group.

The Users pane of the Server app lists local user accounts (including user accounts created in System Preferences), network accounts stored in your server’s network account server, and imported user accounts.

Local user accounts

Users with administrator privileges on their Macs can create local user accounts using the Users & Groups pane of System Preferences. These local user accounts are stored on the user’s computer, have home folders on that computer, and can be used to log in to it. A user can’t use a local account from their own computer to access the server over the network; only the server’s own local user accounts can be used to access the server over the network.

Like users’ Macs, your server has local accounts in addition to network accounts and, possibly, imported accounts. Your server’s local accounts can be used to log in to the server, and a local account with administrator privileges can be used to administer the server. For information about administrator privileges, see About administrator accounts.

Network accounts

Network accounts are stored in your server’s network account server or in a connected network account server. You can use the Server app or Server Admin to enable a network account server on your server. If you don’t enable the network account server, all accounts you create on the server are stored in the server’s local directory. Accounts stored in the server’s local directory can authenticate to services hosted by the server, but users can’t use them to log in to their own computers over the network.

Imported user accounts

Imported user accounts remain in your organization’s network account server. Imported user accounts can access your server’s services. You can let imported users administer your server or be members of groups stored on your server.

When someone uses an imported user account, your server combines the account information stored in the network account server with the additional privileges granted by your server.

Types of user accounts compared

Your server can have its own network accounts or use accounts from an existing network account server. You can also import accounts, which stores a synced copy of the account from the other network account server in your server’s network account server.

Here’s a comparison of the four types of accounts:

Where the account is stored
    Local accounts: the server’s local directory
    Network accounts on your server: your server’s network account server
    Network accounts from an existing network server: the other network account server
    Imported accounts: the other network account server, with a synced copy in your server’s network account server

Who creates the account
    Local accounts: a user with an administrator account on the computer, using System Preferences; or you, using the Server app (if the server’s network account server is disabled) or Workgroup Manager
    Network accounts on your server: you (a server administrator), using the Server app or Workgroup Manager
    Network accounts from an existing network server: that network account server’s administrator
    Imported accounts: that network account server’s administrator

Membership in network groups
    Allowed for all four types

System Preferences support
    Local accounts: editing, including changing the password and local group membership
    Network accounts on your server: can change password
    Network accounts from an existing network server: can change password
    Imported accounts: can change password

Local access to the server’s services
    Local accounts, network accounts on your server, and imported accounts: full access
    Network accounts from an existing network server: wiki only

Remote access to the server’s services
    Local accounts, network accounts on your server, and imported accounts: full access
    Network accounts from an existing network server: wiki only

Access to group shared folders
    Full access for all four types

Home folder on the server
    Local accounts: yes
    Network accounts on your server: yes
    Network accounts from an existing network server: no
    Imported accounts: no

RELATED TOPICS

About administrator accounts
Create a user account
Import users from another network account server
Import users and groups from a file

Import users and groups from a file

You can import users and groups from XML or character-delimited text files, which is an easy way to quickly set up accounts.

You can use Workgroup Manager or the dsexport command-line tool to create XML or character-delimited text files of the accounts in your network account server. For more information about Workgroup Manager, see User Management for Mac OS X Server v10.6 at support.apple.com/manuals/. For information about how to use dsexport, enter man dsexport in Terminal.

You assign passwords to users after importing, because passwords aren’t included in import files.

1. If your server is not set up to host network accounts, set it up to do so.

When you’re viewing the Server app, if the Manage > Manage Network Accounts option is listed, your server is not set up to host network accounts. For information about setting up your server to host network accounts, see Host network accounts.

2. In the Server app, choose Manage > Import Accounts from File.

3. Select the file to import and then click Open.
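As an added example (not code from this manual or from Apple), the following Python script builds a character-delimited import file of the kind dsexport writes and dsimport reads, and checks the batch first for the mistakes that produce unusable accounts: short names outside the allowed character set, duplicate short names or UIDs, and shells or home folders that would stop a user from logging in. The header layout and attribute names are dsimport’s; the minimum UID, the reserved short names, the shell allowlist and the two sample users are assumptions made for the example.

```python
"""Build and sanity-check a character-delimited account import file.

Added example, not Apple's code. The first line follows the header dsimport
reads: end-of-record character, escape character, field separator, value
separator, record type, attribute count, then the attribute names. The
short-name character rule is the manual's; MIN_UID, RESERVED_SHORT_NAMES,
ALLOWED_SHELLS and SAMPLE_USERS are assumptions constructed for this example.
"""
import re
from dataclasses import dataclass

# Manual: a short name uses only a-z, A-Z, 0-9, period, underscore and hyphen.
SHORT_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,255}$")

# Assumptions (local policy): names an import must never create, the first
# UID handed to imported users, and the login shells a record may carry.
RESERVED_SHORT_NAMES = {"root", "admin", "diradmin", "localadmin", "workgroup"}
MIN_UID = 1025
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/false"}

# 0x0A newline ends a record, 0x5C backslash escapes, 0x3A colon separates
# fields, 0x2C comma separates multiple values of one attribute.
HEADER_PREFIX = ["0x0A", "0x5C", "0x3A", "0x2C", "dsRecTypeStandard:Users"]
ATTRIBUTES = [
    "dsAttrTypeStandard:RecordName",        # short name
    "dsAttrTypeStandard:RealName",          # full name
    "dsAttrTypeStandard:UniqueID",          # UID
    "dsAttrTypeStandard:PrimaryGroupID",    # primary group, 20 = staff
    "dsAttrTypeStandard:NFSHomeDirectory",  # home folder
    "dsAttrTypeStandard:UserShell",         # login shell
]
# No Password attribute: passwords are not carried in the import file and
# are assigned after importing.


@dataclass(frozen=True)
class User:
    short_name: str
    full_name: str
    uid: int
    gid: int = 20
    home: str = ""            # empty -> /Users/<short_name>
    shell: str = "/bin/bash"

    def home_folder(self) -> str:
        return self.home or f"/Users/{self.short_name}"


def validate(users) -> list:
    """Return the problems that would yield an unusable record; an empty
    list means the batch is safe to import."""
    problems, seen_names, uid_owner = [], set(), {}
    for u in users:
        who = repr(u.short_name)
        if not SHORT_NAME_RE.match(u.short_name):
            problems.append(f"{who}: short name may only use A-Z a-z 0-9 . _ - (1-255 chars)")
        if u.short_name.lower() in RESERVED_SHORT_NAMES:
            problems.append(f"{who}: short name is reserved")
        if u.short_name in seen_names:
            problems.append(f"{who}: duplicate short name")
        seen_names.add(u.short_name)
        if u.uid < MIN_UID:
            problems.append(f"{who}: UID {u.uid} is below the import floor {MIN_UID}")
        if u.uid in uid_owner:
            problems.append(f"{who}: UID {u.uid} already used by {uid_owner[u.uid]!r}")
        uid_owner.setdefault(u.uid, u.short_name)
        if not 1 <= len(u.full_name) <= 255:
            problems.append(f"{who}: full name must be 1-255 characters")
        if u.shell not in ALLOWED_SHELLS:
            problems.append(f"{who}: shell {u.shell} is not on the allowlist")
        if not u.home_folder().startswith("/"):
            problems.append(f"{who}: home folder must be an absolute path")
    return problems


def escape(value: str) -> str:
    """Backslash-escape the escape, field and value separators so a colon or
    comma inside a full name cannot shift the remaining fields."""
    return value.replace("\\", "\\\\").replace(":", "\\:").replace(",", "\\,")


def build_import_file(users) -> str:
    """Return the complete import file text, or raise if validation fails."""
    problems = validate(users)
    if problems:
        raise ValueError("; ".join(problems))
    header = " ".join(HEADER_PREFIX + [str(len(ATTRIBUTES))] + ATTRIBUTES)
    records = [":".join(escape(v) for v in (
        u.short_name, u.full_name, str(u.uid), str(u.gid), u.home_folder(), u.shell))
        for u in users]
    return "\n".join([header] + records) + "\n"


# Constructed sample batch; the second full name deliberately contains
# both separator characters to show the escaping.
SAMPLE_USERS = [
    User("jappleseed", "Johnny Appleseed", 1025),
    User("mbanks", "Banks, Mary: Finance", 1026, home="/Users/mbanks"),
]

if __name__ == "__main__":
    print(build_import_file(SAMPLE_USERS), end="")
```

Save the output to a file, import it with Manage > Import Accounts from File, and then reset each user’s password, because the file carries none. Running validate before building the file catches the duplicate-UID and bad-shell cases that would otherwise be discovered only when a user cannot log in.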

RELATED TOPICS

Use advanced tools for more services
Host network accounts
Reset a user’s password
Change a user’s account settings
Create a user account
Create groups

Delete a user account

You can use the Server app to delete user accounts that are no longer needed.

Deleting a user account cancels its group memberships and stops its access to group services and private wikis. Deleting a user account also deletes the user’s mail stored on the server. A deleted user account can no longer access calendar and address book information on the server.

Deleting a user account doesn’t remove the user’s backup data. If the Time Machine preferences on the deleted user’s computer were set to use the server for backup storage, the user’s backup data remains in /Shared Items/Backups/ on the backup disk specified in the Time Machine pane of the Server app. If your retention policy calls for that data to be archived or removed, do so separately; deleting the account doesn’t do it for you.

1. In the Users pane of the Server app, select the user account to delete.

2. Click the Delete button (–).

RELATED TOPIC

Create a user account

Change a user’s account settings


You can change a user’s name, picture, administrator privileges, and groups the user is in.

You can also edit advanced user settings such as the user ID, the user’s primary group, the user’s short name, other short names for the user (also known as aliases), the login shell, and the home folder. These advanced settings are set when you create or import the user account.

Be careful when changing these settings, because invalid settings can prevent the user from logging in.

Change basic user account settings

1. In the Users pane of the Server app, double-click a user account.

The user’s account information is shown.

2. Do the following:

To do this Do this

Change the user’s name In the Full Name field, enter the user’s name.

The name can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.

Choose whether the user is a server administrator Select or deselect “Allow user to administer this server.”

Choose where the user's home folder is located Choose a folder from the Home Folder pop-up menu.

The Home Folder pop-up menu appears if your server has file sharing turned on and at least one share point enables home folders.

Add the user to a group Click Add (+) and then enter the name of a group in the server’s directory. The name autocompletes as you type. Select a group name to add the user to the group. If the name doesn’t autocomplete, make sure you spelled the group name correctly.

You can add users to groups on your server, but you can’t add users to groups in directory domains you’re connected to.

Remove a user from a group Select a group and then click Remove (–).

All user accounts on your server are included in the Workgroup group. Don’t remove users from this group.

Change the user’s picture Click the silhouette or the existing user picture and select a standard picture, or click Edit Picture for a customized picture.

When you click Edit Picture, you can take a picture with your computer’s camera or choose a graphic file on your computer. After taking or choosing a picture, you can drag the picture to pan it or use the slider to zoom it.

When you finish customizing the picture, click Set.

3. Click Done to save your changes to the user account.

Change advanced user account settings

1. In the Users pane of the Server app, Control-click a user account and choose Advanced Options.

The following settings are available:

Setting Description

User ID This numerical ID is used for folder and file permissions.

Group This is the UNIX primary group the user belongs to. Typically, this should be the "staff" group.

Account Name This is the user's account name.

Aliases These are other account names the user can use to log in.


Login Shell This is the user's UNIX shell. By default, this is /bin/bash.

Home Directory This is the location of the user's home folder.

2. If you change settings, click OK.

RELATED TOPICS

Reset a user’s password
Enable shared home folders
Control a user’s access to services
Change a user’s or group’s name
Change a user’s or group’s picture
Create a user account
Import users from another network account server

Choose a user’s home folder location

When you give a user a home folder on your server, the user can log in to their computer using the account information stored on the server. Because the user’s home folder is on the server, files they save are stored on the server.

1. If you haven’t done so, set up your server to host network accounts.

For information, see Host network accounts.

2. Enable a shared home folder if you haven’t done so.

For information, see Enable shared home directory folders.

3. In the Users pane of the Server app, double-click a user account.

4. Choose a folder from the Home Folder pop-up menu and then click Done.

If the Home Folder pop-up menu doesn’t appear, you don’t have a shared home folder enabled.

If you choose Local Only, the user won’t have a home folder on the server and can’t log in using the account information stored on the server.

Control a user’s access to services

Use the Server app to control users’ access to services.

You can restrict users’ access to any service listed in the Server app except the Web and Wiki services, which have their own, more finely grained access controls.

For websites, you can limit access on a per-site level. For example, if your server is hosting two websites, www.example1.com and www.example2.com, you can give users access to www.example1.com but not to www.example2.com.

Wikis have their own access controls, so you can restrict who’s allowed to create wikis. When you create a wiki, you can designate others as administrators. Wiki administrators can choose who has access to the wiki and whether they can read and write or just read wiki content.

1. In the Server app, click Users.

2. Control-click the user and choose “Edit Access to Services.”

3. In the dialog that appears, select the checkboxes for services you want the user to access, then click OK.

RELATED TOPICS

Publish a website

Choose group services

Reset a user’s password

In the Server app, you can reset the passwords of user accounts in your server’s directory domain, but you can’t reset the passwords of imported user accounts.

A user can use System Preferences to change his or her password.

1. In the Users pane of the Server app, control-click a user and then choose Reset Password.

2. Enter the user’s new password in the New Password and Verify fields and then click Change Password.

You can use Password Assistant to help you choose a password. Click the button next to the New Password field to see how secure the password is. The user can change this password in the Users & Groups pane of System Preferences on the user’s computer.

RELATED TOPICS

Change a user’s account settings
Set the global password policy

Set the global password policy

In the Server app, you can set a global password policy that’s applied to all non-admin users. Changes take effect the next time users log in.

There are two kinds of policy: conditions that disable login (account lockout), and restrictions on the password itself.

The server enforces password policies for users. For example, a user’s password policy can specify a password expiration interval. If the user tries to log in and the server determines that the user’s password has expired, the user must replace the expired password before the login completes.

Password policies can disable a user account on a specified date, after a number of days, after a period of inactivity, or after a number of failed login attempts. Password policies can also require passwords to be a minimum length, contain at least one letter, contain at least one numeral, differ from the account name, differ from recent passwords, or be changed periodically.

Password policies don’t affect administrator accounts. Administrators are exempt because they can change the policies anyway, and because a lockout rule applied to administrators would let anyone who can reach a login prompt lock every administrator out by repeatedly entering wrong passwords (a denial-of-service attack).

1. In the Users pane of the Server app, choose Edit Global Password Policy from the Action pop-up menu.

2. Select the options to enable and then click OK.
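The following Python, an added example that is not the Server app’s or pwpolicy’s code, works through the policy semantics this topic describes: it parses a policy written as the key=value pairs pwpolicy uses for these options (minChars, requiresAlpha, requiresNumeric, passwordCannotBeName, usingHistory, maxFailedLoginAttempts), reports which rules a new password breaks, and applies the failed-login lockout while leaving administrators exempt. The sample policy and accounts are constructed; the password history is kept as SHA-256 digests for the demonstration, whereas a real directory keeps its own verifiers.

```python
"""Apply a global password policy to a candidate password and to a
failed-login counter.

Added example, not the Server app's or pwpolicy's code. The key names are
the pwpolicy attributes for the options in this topic; SAMPLE_POLICY and
the accounts used with it are constructed for the example.
"""
import hashlib
from dataclasses import dataclass

# Constructed global policy: 8+ characters, a letter and a numeral, not the
# account name, none of the last 3 passwords, disable after 5 failures.
SAMPLE_POLICY = ("minChars=8 requiresAlpha=1 requiresNumeric=1 "
                 "passwordCannotBeName=1 usingHistory=3 maxFailedLoginAttempts=5")


def parse_policy(text: str) -> dict:
    """'key=value key=value ...' -> {key: int}."""
    policy = {}
    for item in text.split():
        key, _, value = item.partition("=")
        policy[key] = int(value)
    return policy


def password_hash(password: str) -> str:
    # Stand-in for the directory's stored verifier (unsalted; demo only).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_violations(policy, account_name, candidate, history=()):
    """Return the rules a new password breaks; an empty list means it is
    accepted. history[0] is the digest of the most recent old password."""
    violations = []
    min_chars = policy.get("minChars", 0)
    if len(candidate) < min_chars:
        violations.append(f"minChars={min_chars}: too short")
    if policy.get("requiresAlpha") and not any(c.isalpha() for c in candidate):
        violations.append("requiresAlpha: needs at least one letter")
    if policy.get("requiresNumeric") and not any(c.isdigit() for c in candidate):
        violations.append("requiresNumeric: needs at least one numeral")
    # Case-insensitive comparison is an assumption of this example.
    if policy.get("passwordCannotBeName") and candidate.lower() == account_name.lower():
        violations.append("passwordCannotBeName: same as the account name")
    depth = policy.get("usingHistory", 0)
    if depth and password_hash(candidate) in list(history)[:depth]:
        violations.append(f"usingHistory={depth}: reuses a recent password")
    return violations


@dataclass
class AccountState:
    name: str
    is_admin: bool = False
    failed_logins: int = 0
    disabled: bool = False


def record_failed_login(policy, state: AccountState) -> bool:
    """Count a failed login and apply maxFailedLoginAttempts. Administrators
    are exempt: if the lockout applied to them, anyone who could reach the
    login prompt could disable every administrator by guessing wrong on
    purpose. Returns True once the account is disabled."""
    state.failed_logins += 1
    limit = policy.get("maxFailedLoginAttempts", 0)
    if limit and not state.is_admin and state.failed_logins >= limit:
        state.disabled = True
    return state.disabled


def record_successful_login(state: AccountState) -> None:
    """A good login resets the counter, so the limit counts consecutive failures."""
    state.failed_logins = 0


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(password_violations(policy, "jappleseed", "jappleseed"))
    print(password_violations(policy, "jappleseed", "Orchard-2011"))
```

The administrator exemption is what makes the lockout rule safe to enable: a non-admin account is disabled on the fifth consecutive failure and has to be re-enabled by an administrator, while an administrator account accumulates failures without ever being disabled, so the Server app always remains reachable.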

RELATED TOPIC

Reset a user’s password

Wipe or lock user devices

If a user has a managed device, you can issue a remote wipe or lock command and, for iOS devices, reset their passcode. You can also use Profile Manager to remotely wipe or lock devices and to configure them.

1. In the Users pane of the Server app, double-click a user account.

2. Click Wipe or Lock next to a device.


If no devices are listed, the user doesn’t have managed devices.

RELATED TOPIC

About configuration profiles

Host network accounts

You can host network accounts on your server, which gives users remote access to your server’s services.

If you don’t host network accounts on your server, accounts you create on your server are local accounts. When you host network accounts on your server, you can create network accounts in the Server app, or create local accounts in System Preferences.

Other servers can import network accounts hosted on your server. When another server imports an account from your server, a user with an imported account can use services from other servers but still uses the user name and password stored on your server.

Accounts you create in the Server app before setting it up to host network accounts are local accounts.

The following icons appear at the right of a user’s or group’s portrait to indicate whether the account is a local, network, or imported account:

No icon: local account
Network account icon: network account
Imported account icon (a blue arrow in the lower-right corner of the picture): imported account

Hosting network accounts on your server is also known as setting up an Open Directory master.

1. In the Server app, choose Manage > Manage Network Accounts.

If Manage Network Accounts isn’t listed, your server already hosts network accounts.

2. In the assistant that appears, click Next.

3. In the Directory Administrator step, enter a name and password for the directory administrator account, then click Next.

The directory administrator account can manage the network account server and its services and administer the computer. Choose a strong password.

4. In the Organization Information step, enter the name of your organization and a valid email address, then click Next.

The information you provide is used to set up the certificate server.

5. In the Confirm Settings step, make sure the information you enter is correct, and then click Set Up.

RELATED TOPICS

About user accounts
Create a user account
Import users from another network account server
Import a group from another network account server

Create groups

You can create groups with the Server app.

1. In the Groups pane of the Server app, click the Add button (+).


2. In the Full Name field, enter the group name.

The name can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.

3. In the Group Name field, enter the group’s short name.

If you don’t want to use the generated short name, enter a different short name.

After the account is created, you can’t change the short name.

The short name typically is eight or fewer characters, but can be up to 255 Roman characters. Use only the characters a through z, A through Z, 0 through 9, . (period), _ (underscore), or - (hyphen).

4. To associate a picture with the group account, click the silhouette and select a standard picture, or click Edit Picture for a customized picture.

When you click Edit Picture, you can take a picture with your computer’s camera or choose a graphic file on your computer. After taking or choosing a picture, you can drag the picture to pan it or use the slider to zoom it.

When you finish customizing the picture, click Set.

5. Click Done to create the group account.

RELATED TOPICS

Choose group services
Add or remove group members
Change a user’s or group’s name
Change a user’s or group’s picture
Delete a group

Delete a group

You can use the Server app to delete group accounts that are no longer needed.

1. In the Groups pane of the Server app, select a group.

2. Click the Delete button (–).

RELATED TOPIC

Create groups

Add or remove group members

In the Server app, you can create groups composed of users with accounts on your server’s network account server (also known as a directory server), in your server’s local directory, or in your organization’s directory.

If your server is connected to a network account server, your group members can include users and groups from the network account server. External members don’t have user accounts on your server and can’t access your server’s services except for wiki service. They can access the group’s shared folder and the wikis the group has permission to view.

Add a group member

1. In the Groups pane of the Server app, double-click a group name, or select a group and click Edit (pencil).

The group’s account information is shown.

2. Click Add (+) and then enter a user name or group name.

The name autocompletes as you type. If the name doesn’t autocomplete, make sure you spelled the name correctly. This looks up local and network account names, including those in the external network account server, if your server is connected to one.


3. Select a user name to add the user to the group.

4. Click Done to save your changes to the group account.

Add several group members

1. In the Groups pane of the Server app, double-click a group name, or select a group and click Edit (pencil).

The group’s account information is shown.

2. Click Add (+) and enter a user name.

3. Select Browse in the list that appears.

A window listing all local and network users and groups appears. The list also includes users and groups in the external network account server, if your server is connected to one. If there are too many accounts to list in the window, you won’t see accounts until you search for them.

4. Drag users and groups from the window to the Members list.

To select a range of users and groups, hold down the Shift key while clicking the first and last items in the range. To select or deselect individual items, hold down the Command key while clicking.

5. Click Done to save changes to the group account.

Remove a group member

1. In the Groups pane of the Server app, double-click a group name or select a group and click Edit (pencil).

The group’s account information is shown.

2. Select a group member and click Remove (–).

3. Click Done to save changes to the group account.

RELATED TOPICS

Change a user’s group membership
Change a user’s or group’s name
Change a user’s or group’s picture
Choose group services
Create groups

Change a user’s group membership

It’s easy to change which groups a user belongs to.

By default, users belong to the Workgroup group. Don’t remove users from this group, because you need a group that all users belong to.

1. In the Users pane of the Server app, double-click a user.

2. Do any of the following:

To add a group, click the Add button (+) and then enter the name of the group.

The name autocompletes as you type. If the name doesn’t autocomplete, make sure you spelled the group’s name correctly. This looks up local and network account names, including those in the external network account server (also known as a directory server), if your server is connected to one.

To remove a group, select the group and then click Remove (–).

RELATED TOPICS

Add or remove group members
Change a user’s account settings


Change a user’s or group’s name

You can change an account’s full name, but you can’t change its short name.

Names can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.

1. Do one of the following:

To change a user’s name, in the Users pane of the Server app, double-click a user.

To change a group’s name, in the Groups pane of the Server app, double-click a group.

2. Edit the Full Name field and then click Done.

RELATED TOPICS

Change a user’s account settings
Change a user’s or group’s picture
Reset a user’s password
Choose group services

Change a user’s or group’s picture

You can change the picture for users and groups.

You can’t change the picture for an imported account if the network account server (also known as a directory server) has a picture set for the account.

1. Do one of the following:

To change a user’s picture, in the Users pane of the Server app, double-click a user.

To change a group’s picture, in the Groups pane of the Server app, double-click a group.

2. Do one of the following:

To use an included picture, click the picture area and choose a picture from the pop-up menu.

To use a picture from your computer, find the picture in Finder and drag the picture to the picture area.

3. To edit the picture, do any of the following:

To do this Do this

Replace the picture with a picture you’ve used recently. Click Recent Pictures, then click a picture.

Replace the picture with a picture from your computer. Click Choose.

Take a picture using a video camera attached to your computer. Click the camera button.

Move the picture. Drag it up, down, or sideways.

Crop the picture. Drag the slider.

Apply a visual effect. Click the Visual Effects button (swirl), scroll through the available effects, and select the effect you want.

RELATED TOPICS

Change a user’s or group’s name
Change a user’s account settings
Choose group services


Choose group services

You can enable group services that create a shared folder for the group, make group members iChat buddies, and create a wiki for the group.

Shared folders are stored in /Groups/groupname/ on the server. Users can access them by connecting to afp://servername/Groups/groupname/.

If your server runs iChat service, users have Jabber-based iChat accounts and you can make group members iChat buddies.

1. In the Groups pane of the Server app, double-click a group name, or select a group and click Edit (pencil).

The group’s account information is shown.

2. Enable or disable the following services:

Option Description

Give this group a shared folder. Select this option to create a shared folder for the group in /Groups/groupname/ on the server. When group members log in, they can access this folder by connecting to afp://servername/Groups/groupname/ in the Finder, and then upload files to it.

Make group members iChat buddies. Select this option to include group members as iChat buddies. When group members open iChat, the server is included as an iChat server, and group members are included in the list.

Create Group Wiki. Click this button to create a private wiki for the group. Group members can create and edit content in the wiki.

3. Click Done to save your changes.

RELATED TOPICS

Add or remove group members
Control a user’s access to services
Make all group members iChat buddies
Set up a group file sharing folder

Make all group members iChat buddies

You can automatically make all members of a group iChat buddies.

When group members open iChat, the server is included as an iChat server, and group members are included in the list.

1. In the Groups pane of the Server app, double-click a group.

2. Select “Make group members iChat buddies.”

RELATED TOPIC

Choose group services

Set up a group file sharing folder

You can set up a group file sharing folder.

All members of the group have full access to the folder, including uploading, downloading, and deleting files.


Shared folders are stored in /Groups/groupname/ on the server.

1. In the Groups pane of the Server app, double-click a group.

2. Select “Give this group a shared folder” and then click Done.

After the shared folder is created, you can click the arrow button next to the option to view the contents of the shared folder.

RELATED TOPICS

Add or remove group members
Choose group services
Control a user’s access to services
Make all group members iChat buddies

Connect to another network account server

You can connect your server to a network account server (also known as a directory server), which gives users on the network account server access to wiki service and group shared folders.

Your server can connect to a Mac Open Directory server that has Mac OS X Lion Server or Mac OS X v10.6 Snow Leopard Server. If it has Snow Leopard Server, it must have v10.6.8 or later to authenticate users for your server’s podcast service and wiki service.

Your server can also connect to a Windows Active Directory server or to a third-party LDAP server. If your server connects to an LDAP server, you might need to use the Directory Utility app to change your server’s LDAP server mappings.

If your server is connected to a network account server, groups on your server can include users and groups from the network account server. People with user accounts on other network account servers don’t have user accounts on your server and can’t access your server’s services except for wiki service. They can access the group’s shared folder and wikis that the group has permission to view.

If you import an account from another network account server, the imported account can access your server’s services. You can also make an imported user an administrator for your server, a member of groups on your server, or the owner of a home folder on your server.

1. In the Server app, choose Manage > Connect to Directory.

If your server isn't set up to host network accounts, the "Configure Network Users and Groups" assistant appears. After youcomplete this assistant, the "Connect to Directory" assistant appears.

For information about setting up your server to host network accounts, see Host network accounts.

2. Proceed through the assistant that appears, then when the assistant asks you to enter the server address of the directory server that has the accounts to import, enter it and click Next.

3. If the dialog expands to show fields for Client Computer ID, User Name, and Password, enter the name and password of a user account on the directory server.

For an Open Directory server, you can enter the name and password of a standard user account; you don’t need to use a directory administrator account. Depending on the network account server’s settings, you might be able to connect without authentication by leaving these fields blank. That is an anonymous bind and is less secure; supply credentials whenever the directory server permits it.

For an Active Directory server, you can enter the name and password of an Active Directory administrator account or a standard user account that has the “Add workstations to domain” privilege.

4. In the Confirm Settings step, make sure all settings are correct and then click Set Up.

When you connect to another network server, the Manage menu no longer lists Connect to Directory. When you create users or groups, you can now import accounts.

Connect to your first network account server using the Server app, and connect to additional network account servers using System Preferences. You can also disconnect from network account servers using System Preferences. For information about joining network account servers in System Preferences, see System Preferences Help.

RELATED TOPICS

Import users from another network account server

Import a group from another network account server

Import users from another network account server

If your server connects to your organization’s network account server, you can import users’ existing accounts.

Imported user accounts remain in your organization’s network account server. Imported users have access to all services on your server. Accounts that aren’t imported can’t access those services, except for wiki service.

You can also import groups, which imports all members of the group.

1. If your server is not set up to host network accounts, set it up to do so.

When you’re viewing the Server app, if the Manage > Manage Network Accounts option is listed, your server is not set up to host network accounts. For information about setting up your server to host network accounts, see Host network accounts.

2. In the Users pane of the Server app, click the Add button (+).

A New User dialog appears.

3. From the Type pop-up menu, choose “Imported user from directory.”

If you don’t see the Type pop-up menu, your server isn’t connected to a network account server in your organization. For information on connecting to a network account server, see Connect to another network account server.

If your organization doesn’t have a network account server (other than your server), you can’t import users but you can create user accounts.

4. Type part or all of the user’s name in the search field; then, when you see the name, select it and click Import.

5. When you finish importing user accounts, click Done.

Imported user accounts have a blue arrow in the lower-right corner of their user picture in the Users pane.

RELATED TOPICS

Connect to another network account server
About user accounts
Import a group from another network account server

Lion Server user management ► Manage users and groups ► Work with other network account servers
Import a group from another network account server

If your server connects to your organization’s network account server (also known as a directory server), you can import group accounts, which imports all group members’ user accounts.

Imported accounts can use all services on the server. External accounts that aren’t imported can only use wiki service.

Imported group accounts are synced. If people are added to or removed from the imported group on your organization’s network account server, their imported user accounts gain or lose access to services on the server. You can add group members to the group, but you can’t remove group members who you didn’t add.

1. If your server is not set up to host network accounts, set it up to do so.

When you’re viewing the Server app, if the Manage > Manage Network Accounts option is listed, your server is not set up to host network accounts. For information about setting up your server to host network accounts, see Host network accounts.

2. In the Groups pane of the Server app, click the Add button (+).

The New Group dialog appears.

3. From the Type pop-up menu, choose “Imported group from directory.”

If you don’t see the Type pop-up menu, your server isn’t connected to a network account server in your organization.


If your organization doesn’t have a network account server (other than your server), you can’t import groups but you can create group accounts.

4. Type part or all of the group name in the search field; then, when you see the name, select it and click Import.

5. When you finish importing group accounts, click Done.

Imported group accounts have a blue arrow in the lower-right corner of their group picture in the Groups pane.

RELATED TOPICS

Connect to another network account server
About user accounts
Import users from another network account server

Lion Server user management ► Manage users and groups ► View accounts in the Server app
Sort the list of users or groups

It’s easy to sort the list of users or groups by name, account name, or ID.

“Name” refers to the user’s or group’s full name, and “account name” refers to the user’s or group’s short name. The ID is assigned to users and groups when they’re created. Recently created accounts typically have higher IDs than older accounts.

In the Users or Groups pane of the Server app, Control-click a user or group, choose Arrange By, and then choose an option.

RELATED TOPIC

Change a user’s account settings

Lion Server user management ► Manage users and groups ► View accounts in the Server app
View system and administrator accounts

By default, the Users pane of the Server app lists all user accounts and the primary administrator account, but it doesn’t list system accounts, the root account, or the directory administrator account.

These accounts aren’t listed because you shouldn’t edit them, nor should you use them to log in on client computers.

In the Server app, choose View > Show System Accounts.

If you’re already showing system accounts, hide them by choosing View > Hide System Accounts.

RELATED TOPIC

About administrator accounts

Lion Server user management ► Profile Manager
About Profile Manager

Profile Manager makes it easy to configure your users’ Mac OS X Lion computers and iOS devices so they’re set up to use your company or school resources and so they have the settings your organization requires.

Components of Profile Manager

Profile Manager consists of three parts that work together to let you specify how clients are configured, how to administer devices, and how to deliver the configurations to users and devices.

Web-based Administration Tool

The Profile Manager web app is where you configure settings for devices, manage enrolled devices and device groups, and execute or monitor tasks on enrolled devices.


Self-Service User Portal

Profile Manager’s user portal is an easy-to-use, secure website for distributing settings you define using the administration tool. Users connect to the web-based portal using their device. Then, after they log in, the settings that you assigned to them are available for download and installation. Users also use this site to enroll devices for mobile device management, if you’re using Profile Manager as a mobile device management server.

Mobile Device Management Server

Profile Manager also provides a mobile device management (MDM) server that lets you remotely manage enrolled Mac OS X Lion and iOS devices. After a device is enrolled with Profile Manager, you can update its configuration over the network without user interaction, as well as execute tasks such as reporting or locking and wiping the device.

Understanding user and device groups

Each user, user group, device, and device group can have a default group of settings. This allows you to easily share base settings for devices or people that need them. For example, to configure a teacher’s iPad, create a user account for the teacher, then place that user in the “teachers” and “iPad” groups. This assigns them two collections of default settings—one from each group—and you can then create and assign additional settings that are tailored to the user.

Other types of user and device groups that you might find useful are “lab Mac,” “field sales iPhone,” and “student notebooks.” For the latter group, for example, the default settings might include restrictions or specific network settings.

Understanding configuration profiles

Behind the scenes, Profile Manager works by creating and distributing configuration profiles. Configuration profiles are XML files (.mobileconfig) that contain payloads that define groups of settings. When the profile is installed on a Mac OS X Lion or iOS device, the settings it defines are applied.

Each user, device, and group has default configuration profiles so you can quickly provide a base level of settings; you can then assign additional configuration profiles to customize the settings to meet your organizational requirements. For example, to enforce restrictions and configure users’ devices to use your VPN, create a configuration profile with a restrictions payload and a VPN payload. Because both payloads are in the same profile, the user must install both. If they remove the configuration profile to avoid the restrictions, their VPN access is also removed.

Distributing configuration profiles

After you define the settings for users and their devices, you can distribute the configuration profiles to users in the following ways:

Manual distribution

You can download configuration profiles (.mobileconfig files) from Profile Manager’s administration tool, then send them to your users via email or post them to a website you create. When users receive or download the file, they can install it on their device.

User self-service

Users can download and install the settings from Profile Manager’s built-in user portal. The user portal ensures that users receive the configuration profiles you assign to them or their group.

Remote device management

You can enable Profile Manager’s mobile device management server, which allows you to remotely install, remove, and update configuration profiles on enrolled devices.

Managing a Mac lab

You can use Profile Manager to maintain a student laboratory of Macs, ensuring that they’re configured identically. When you build the network system image for the lab, include configuration profiles that enroll the computers for remote device management by Profile Manager.

Managing policies on devices

In addition to general configuration settings, Profile Manager allows you to enforce organization policies. For example, you can specify passcode policies, define the types of networks devices can connect to, and enforce restrictions such as preventing the use of cameras on iOS devices. If you’re managing the devices remotely, you can install updated policies without user action or notification.

Remotely locking or wiping a lost device

Devices that you remotely manage can be locked or wiped using Profile Manager’s administration tool. For Mac OS X Lion devices, locking shuts down the computer and installs an EFI passcode so it cannot be started up without providing the passcode. On iOS devices, locking invokes the lock screen and enforces the passcode, if any, installed on the device.

Wiping a device removes all user data. On iOS devices, the device is restored to factory defaults.

For iOS devices, you can also reset a user’s passcode when they’ve forgotten it. This temporarily removes the device passcode (for 60 minutes). When the user unlocks the device, they are immediately required to enter a new passcode that meets the criteria specified by the configuration profiles installed on the device.

Lion Server user management ► Profile Manager
About configuration profiles

Configuration profiles are XML files that load settings and authorization information onto a Mac OS X Lion computer or an iOS device. They contain client security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, authentication credentials that permit a computer to work with your enterprise systems, and several other types of settings.

Some VPN and Wi-Fi settings, such as 802.1X parameters, can be set only by a configuration profile. You create configuration profiles using Profile Manager.

Each configuration profile contains one or more payloads. A payload is a collection of settings, such as VPN specifications, in the configuration profile. Some payloads are for use only with Mac OS X Lion computers, some are only for iOS devices, and some apply to both.

When you create a configuration profile, you do so for users, devices, or groups of users and devices. Profile Manager tailors the payloads depending on which you choose. The settings apply at that level. For example, settings that apply only to users are not available when you’re creating a device configuration profile.

Although you can create a single configuration profile that contains all payloads for your organization, consider creating separate profiles that let you enforce policies while granting access, as well as provide updates to settings that are subject to change. For example, you might create a configuration profile that sets up a user’s access to email but also enforces restrictions or passcode settings. To have access to messages, users must also accept your security policies.

You can distribute configuration profiles by email, on your own webpage, or by using Profile Manager’s built-in user portal. When users open the email attachment or download the profile using Safari on their device, they’re prompted to begin installation. You can also use Profile Manager as a mobile device management server, which allows you to send new and updated profiles to users after they enroll their devices.

Except for passwords, users generally can’t change settings in a configuration profile. Accounts configured by a profile can be removed only by deleting the profile. On iOS devices, you can mark a profile as locked to the device, so that once installed it can be removed only by wiping the device of all data (or by entering a passcode).
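Both the restrictions-plus-VPN profile described under Understanding configuration profiles and the separate-profiles advice above come down to what a .mobileconfig file carries and how it is removed. The following Python is an added example, not code from Apple, Lion Server or Profile Manager: it builds a sample profile in memory with plistlib, using made-up identifiers and the payload type strings Apple documents for the Restrictions, Passcode and VPN payloads (the key sets are illustrative, not complete payloads), and then audits the profile for the pairing rule the text recommends. The "removable profile" finding is a check of this example's own, not a Profile Manager feature.

```python
"""Build and audit a .mobileconfig configuration profile.

Added example for this section; it is not code from Apple, Lion Server or
Profile Manager. The profile is constructed in memory with made-up
identifiers and minimal settings; the payload type strings are the ones
Apple documents for the Restrictions, Passcode and VPN payloads, and the
key sets shown are illustrative rather than complete payloads.
"""
import plistlib
import uuid

RESTRICTIONS = "com.apple.applicationaccess"          # restrictions payload
PASSCODE = "com.apple.mobiledevice.passwordpolicy"    # passcode policy payload
VPN = "com.apple.vpn.managed"                         # VPN payload

# Payloads that hand the user something they want to keep ...
ACCESS_PAYLOADS = {VPN, "com.apple.wifi.managed", "com.apple.mail.managed"}
# ... and payloads that enforce organization policy.
POLICY_PAYLOADS = {RESTRICTIONS, PASSCODE}


def payload(payload_type, identifier, **settings):
    """One payload dictionary carrying the keys every payload must have."""
    entry = {
        "PayloadType": payload_type,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }
    entry.update(settings)
    return entry


def build_profile(identifier, display_name, payloads, locked=False):
    """Serialize a profile to plist bytes, the content of a .mobileconfig file.

    locked=True sets PayloadRemovalDisallowed, the flag behind the "locked to
    the device" option: on iOS the profile can then be removed only by
    wiping the device (or with a removal passcode, if one is configured).
    """
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadContent": list(payloads),
    }
    if locked:
        profile["PayloadRemovalDisallowed"] = True
    return plistlib.dumps(profile)


def payload_types(profile_bytes):
    """Payload types carried by a serialized profile, in order."""
    profile = plistlib.loads(profile_bytes)
    return [p["PayloadType"] for p in profile.get("PayloadContent", [])]


def is_locked(profile_bytes):
    """True when the profile carries PayloadRemovalDisallowed."""
    return bool(plistlib.loads(profile_bytes).get("PayloadRemovalDisallowed", False))


def audit_profile(profile_bytes):
    """Findings for a profile, following the pairing rule from the text:
    whatever grants access should ride with a policy payload, because the
    user removes a profile as a whole. An empty list means no findings."""
    types = set(payload_types(profile_bytes))
    findings = []
    if types & ACCESS_PAYLOADS and not types & POLICY_PAYLOADS:
        findings.append("grants access (%s) without a restrictions or passcode payload"
                        % ", ".join(sorted(types & ACCESS_PAYLOADS)))
    if types & POLICY_PAYLOADS and not is_locked(profile_bytes):
        findings.append("policy payload in a removable profile; on iOS consider locking it")
    return findings


# Constructed sample: restrictions plus VPN in one profile, as the text suggests.
VPN_WITH_RESTRICTIONS = build_profile(
    "com.example.vpn-and-restrictions",       # made-up identifier
    "Example VPN with restrictions",
    [
        payload(RESTRICTIONS, "com.example.restrictions", allowCamera=False),
        payload(VPN, "com.example.vpn", UserDefinedName="Example VPN",
                VPNType="IPSec"),             # a real VPN payload also needs
    ],                                        # the protocol-specific dictionary
    locked=True,
)

# Constructed counter-example: VPN access handed out on its own.
VPN_ONLY = build_profile(
    "com.example.vpn-only", "Example VPN only",
    [payload(VPN, "com.example.vpn", UserDefinedName="Example VPN", VPNType="IPSec")],
)

if __name__ == "__main__":
    for name, data in (("paired", VPN_WITH_RESTRICTIONS), ("vpn-only", VPN_ONLY)):
        print(name, payload_types(data), audit_profile(data) or "ok")
```

Write the bytes returned by build_profile to a file ending in .mobileconfig to get something a device would prompt to install; the audit is the part worth keeping in a deployment pipeline, since it catches the profile that hands out VPN or mail access without a policy riding along.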

Lion Server user management ► Profile Manager
Provide user configuration profiles

Use the Server app to start Profile Manager service. It provides administrators with a configuration profile editor, a user portal where users can download configuration profiles, and, optionally, a mobile device management server for automatic profile distribution and other management tasks.

1. Open Server, log in to a server, and in the Services list, click Profile Manager.

2. Click the On button.

Wait a moment while Profile Manager service starts.

3. To send the URL of the Profile Manager server to a user so they can log in and download the configuration profiles you assigned to them, click User Portal, then copy the URL from the browser window that opens.

For information about how users interact with Profile Manager, click Open Profile Manager and choose Help from the user menu.

4. To enable Profile Manager to act as a mobile device management server, click the Configure button in the Device Management section of the pane.

For information about mobile device management, click Open Profile Manager and choose Help from the user menu.

5. To create configuration profiles and assign them to users, click Open Profile Manager.


When the Profile Manager webapp opens in your web browser, log in with your administrator account.

Lion Server user management ► Open Directory services ► About Open Directory
Open Directory and directory services

A directory service provides a central repository for information about computer users and resources in an organization.

Storing administrative data in a central repository has many benefits:

It reduces data entry effort.

It ensures that network services and clients have consistent information about users and resources.

It simplifies administration of users and resources.

It provides identification, authentication, and authorization information for other network services.

In education and enterprise environments, directory services are the ideal way to manage users and computing resources. Organizations with as few as 10 people can benefit by deploying a directory service.

Directory services are doubly beneficial: they simplify system and network administration, and they simplify a user’s experience on the network.

With directory services, administrators can maintain information about all users—such as their names, passwords, and locations of network home directories—centrally, rather than on each computer. Directory services can also maintain centralized information about printers, computers, and other network resources.

Centralizing information about users and resources can reduce the system administrator’s information management burden, and each user has a centralized user account for logging in on any authorized computer on the network.

With centralized directory service and file service set up to host network home folders, wherever a user logs in, the user gets the same home folder, personal desktop, and individual preferences. The user always has access to personal networked files and can easily locate and use authorized network resources.

Directory services and directory domains

A directory service acts as an intermediary between application and system software processes, which need information about users and resources, and the directory domains that store the information.

As shown in the following illustration, Open Directory provides directory services for Macs and Mac servers.

Open Directory can access information in one or several directory domains. A directory domain stores information in a specialized database that is optimized to handle many requests for information and to find and retrieve information quickly.

Processes running on Mac computers can use Open Directory services to save information in directory domains. For example, when you create a user account with Workgroup Manager, Open Directory stores the user name and other account information in a directory domain. You can then review user account information in Workgroup Manager, which uses Open Directory to retrieve the user information from a directory domain.

Other application and system software processes can also use the user account information stored in directory domains. When someone attempts to log in to a Mac, the login process uses Open Directory services to validate the user name and password.


Lion Server user management ► Open Directory services ► About Open Directory
A historical perspective

Like Mac OS X Lion, Open Directory has a UNIX heritage. Open Directory provides access to administrative data that UNIX systems generally keep in configuration files, which require painstaking work to maintain. (Some UNIX systems still rely on configuration files.) Open Directory consolidates the data and distributes it for ease of access and maintenance.

Data consolidation

For years, UNIX systems have stored administrative information in a collection of files located in the /etc directory, as shown in the following illustration.

This scheme requires each UNIX computer to have its own set of files, and processes that are running on a UNIX computer read its files when they need administrative information.

If you’re experienced with UNIX, you probably know about the files in the /etc directory—group, hosts, hosts.equiv, master.passwd, and so forth. For example, a UNIX process that needs a user’s password consults the /etc/master.passwd file. The /etc/master.passwd file contains a record for each user account. A UNIX process that needs group information consults the /etc/group file.

Open Directory consolidates administrative information, simplifying the interaction between processes and the administrative data they create and use:

Processes no longer need to know how and where administrative data is stored. Open Directory gets the data for them. If a process needs the location of a user’s home folder, the process has Open Directory retrieve the information.

Open Directory finds the requested information and then returns it, insulating the process from the details of how the information is stored, as shown in the following illustration.


If you set up Open Directory to access administrative data from more than one directory domain, Open Directory consults the domains as needed.

Some data stored in a directory domain is identical to data stored in UNIX configuration files. For example, the home folder location, real name, user ID, and group ID are stored in user records of a directory domain instead of the standard /etc/passwd file.

However, a directory domain stores much more data to support functions that are unique to Mac OS X Lion, such as support for managing Mac client computers.

Data distribution

A characteristic of UNIX configuration files is that the administrative data they contain is available only to the computer they are stored on. Each computer has its own UNIX configuration files.

With UNIX configuration files, each computer that someone wants to use must have that person’s user account settings stored on it, and each computer must store the account settings for every person who can use the computer. To set up a computer’s network settings, the administrator must go to the computer and enter the IP address and other information that identifies the computer on the network.

Similarly, when user or network information must be changed in UNIX configuration files, the administrator must make the changes on the computer where the files reside. Some changes, such as network settings, require the administrator to make the same changes on multiple computers. This approach becomes unwieldy as networks grow in size and complexity.

Open Directory solves this problem by letting you store administrative data in a directory domain that can be managed by a network administrator from one location. Open Directory lets you distribute the information so it is visible on a network to the computers that need it and the administrator who manages it, as shown in the following illustration.

Lion Server user management ► Open Directory services ► About Open Directory
Uses of directory data

Open Directory makes it possible to consolidate and maintain network information easily in a directory domain, but this information has value only if application and system software processes running on network computers access the information.

Here are some ways in which Mac OS X Lion system and application software use directory data:


Login: Workgroup Manager can create user records in a directory domain, and these records can be used to authenticate users who log in to Mac and Windows computers. When a user specifies a name and a password in the login window, the login process asks Open Directory to authenticate the name and password. Open Directory uses the name to find the user’s account record in a directory domain and uses other data in the user record to validate the password.

Folder and file access: After logging in, a user can access files and folders. Mac OS X Lion uses other data from the user record to determine the user’s access privileges for each file or folder.

Home folders: Each user record in a directory domain stores the location of the user’s home folder. This is where the user keeps personal files, folders, and preferences. A user’s home folder can be located on a computer the user always uses or it can be located on a network file server.

Automount share points: Share points can be configured to automount (appear automatically) in the /Network folder (the Network globe) in the Finder windows of client computers. Information about these automount share points is stored in a directory domain. Share points are folders, disks, or disk partitions you make accessible over the network.

Mail account settings: Each user’s record in a directory domain specifies whether the user has mail service, which mail protocols to use, how to present incoming mail, whether to alert the user when mail arrives, and so forth.

Resource usage: Disk, print, and mail quotas can be stored in each user record of a directory domain.

Managed client information: The administrator can manage the Mac OS X environment of users whose account records are stored in a directory domain. The administrator makes mandatory preference settings that are stored in the directory domain and override users’ personal preferences.

Group management: In addition to user records, a directory domain also stores group records. Each group record affects all users who are in the group. Information in group records specifies preference settings for group members. Group records also determine access to files, folders, and computers.

Managed network views: The administrator can set up custom views that users see when they select the Network icon in the sidebar of a Finder window. Because these managed network views are stored in a directory domain, they’re available when a user logs in.

Access to directory services

Open Directory can access directory domains for the following kinds of directory services:

Lightweight Directory Access Protocol (LDAP), an open standard common in mixed environments of Macintosh, UNIX, and Windows systems. LDAP is the native directory service for shared directories in Lion Server.

Local directory domain, the local directory service for Mac OS X and Mac OS X Server v10.6 or later.

Active Directory, the directory service of Microsoft Windows 2000 and 2003 servers and later.

Network Information System (NIS), the directory service of many UNIX servers.

BSD flat files, the legacy directory service of UNIX systems.

Lion Server user management ► Open Directory services ► About Open Directory
Inside a directory domain

Information in a directory domain is organized by record type. Record types are specific categories of information such as users, groups, and computers. For each record type, a directory domain can contain any number of records. Each record is a collection of attributes, and each attribute has values.

If you think of each record type as a spreadsheet that contains a category of information, records are like the rows of the spreadsheet, attributes are like spreadsheet columns, and each spreadsheet cell contains values.

For example, when you define a user account by using Workgroup Manager, you are creating a user record (a record of the “user” record type). The settings you configure for the user account—short name, full name, home folder location, and so on—become values of attributes in the user record. The user record and the values of its attributes reside in a directory domain.

In some directory services, such as LDAP and Active Directory, directory information is organized by object class. Like record types, object classes define categories of information. An object class defines similar information, named entries, by specifying attributes that an entry must or may contain.

For an object class, a directory domain can contain multiple entries, and each entry can contain multiple attributes. Some attributes have a single value, while others have multiple values. For example, the inetOrgPerson object class defines entries that contain user attributes.

The inetOrgPerson class is a standard LDAP class defined by RFC 2798. Other standard LDAP object classes and attributes are defined by RFC 2307. Open Directory’s default object classes and attributes are based on these RFCs.

A collection of attributes and record types or object classes provides a blueprint for the information in a directory domain. This blueprint is called the schema of the directory domain. However, Open Directory uses a directory-based schema that is different from a locally stored schema.

Using a locally based schema configuration file can be complex. The issue with an Open Directory master that serves replica servers is that if you change or add an attribute to the locally based schema of an Open Directory master, you must also make that change to each replica. Depending on the number of replicas you have, the manual update process can take an enormous amount of time.

If you don’t make the same schema change locally on each replica, your replica servers generate errors and fail when values for the newly added attribute are sent to replica servers.

To eliminate this possibility of failure, Mac OS X Lion uses a directory-based schema that is stored in the directory database and is updated for each replica server from the replicated directory database. This keeps the schema for replicas synchronized and provides greater flexibility to make changes to the schema.

About the structure of LDAP entries

In an LDAP directory, entries are arranged in a hierarchical treelike structure. In some LDAP directories, this structure is based on geographic and organizational boundaries. More commonly, the structure is based on Internet domain names.

In a simple directory organization, entries representing users, groups, computers, and other object classes are immediately below the root level of the hierarchy, as shown here:

An entry is referenced by its distinguished name (DN), which is constructed by taking the name of the entry, referred to as the relative distinguished name (RDN), and concatenating the names of its ancestor entries.

For example, the entry for Anne Johnson could have an RDN of uid=anne and a DN of uid=anne, cn=users, dc=example, dc=com.

The LDAP service retrieves data by searching the hierarchy of entries. The search can begin at any entry. The entry where thesearch begins is the search base.

You can designate a search base by specifying the distinguished name of an entry in the LDAP directory. For example, the search base cn=users, dc=example, dc=com specifies that the LDAP service begin searching at the entry whose cn attribute has a value of “users.”

You can also specify how much of the LDAP hierarchy to search below the search base. The search scope can include all subtrees below the search base or the first level of entries below the search base. If you use command-line tools to search an LDAP directory, you can also restrict the search scope to include only the search base entry.
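The DN construction, search base and three search scopes described above, as an added Python example that is not code from Lion Server or from any LDAP tool. The entries are constructed in memory to match the layout in the text (uid=anne below cn=users,dc=example,dc=com, with made-up attribute values); one extra entry has a comma inside its RDN value, the case where splitting a DN on bare commas goes wrong.

```python
"""Distinguished names, search base and search scope over a small LDAP tree.

Added example; not code from Lion Server or from any LDAP tool. The entries
are constructed in memory to match the layout in the text. It shows how a
DN is built from an RDN and its ancestors, why a DN cannot be split on bare
commas, and what the three search scopes (base, one, sub) return for a
given search base.
"""

SCOPES = ("base", "one", "sub")
# Characters RFC 4514 requires to be escaped inside an RDN value.
_SPECIAL = set('",+;<>\\')


def escape_rdn_value(value):
    """Backslash-escape reserved characters, a leading '#' or space, and a trailing space."""
    out = []
    for i, ch in enumerate(value):
        reserved = (ch in _SPECIAL or (i == 0 and ch in "# ")
                    or (i == len(value) - 1 and ch == " "))
        out.append("\\" + ch if reserved else ch)
    return "".join(out)


def _split_rdn(text, dn):
    attr, sep, value = text.lstrip().partition("=")
    if not sep or not attr.strip() or not value:
        raise ValueError("malformed RDN %r in DN %r" % (text, dn))
    return attr.strip().lower(), value


def parse_dn(dn):
    """DN string -> [(attribute, value), ...], most specific RDN first.

    A backslash escapes the next character, so 'cn=Smith\\, John' is one RDN;
    splitting on every comma would turn it into two and break matching.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn("".join(current), dn))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append(_split_rdn("".join(current), dn))
    return rdns


def format_dn(rdns):
    """Canonical string form: lowercase attribute names, escaped values, no spaces."""
    return ",".join("%s=%s" % (attr.lower(), escape_rdn_value(value)) for attr, value in rdns)


def build_dn(rdn, parent_dn):
    """DN of a new entry: its own RDN followed by its ancestors' RDNs."""
    return format_dn([rdn] + parse_dn(parent_dn))


def _key(dn):
    """Comparison key; cn, dc, uid and ou all match case-insensitively."""
    return tuple((attr, value.lower()) for attr, value in parse_dn(dn))


def search(entries, base, scope):
    """DNs of entries within `scope` of the search base.

    base -> only the search base entry
    one  -> entries one level below it
    sub  -> the base entry and everything beneath it
    """
    if scope not in SCOPES:
        raise ValueError("scope must be one of %r" % (SCOPES,))
    base_key = _key(base)
    hits = []
    for dn in entries:
        key = _key(dn)
        if len(key) < len(base_key) or key[len(key) - len(base_key):] != base_key:
            continue                           # outside the base's subtree
        depth = len(key) - len(base_key)       # 0 is the base entry itself
        if (scope == "base" and depth == 0) or (scope == "one" and depth == 1) or scope == "sub":
            hits.append(dn)
    return hits


# Constructed sample directory in the shape the text describes.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "cn=users,dc=example,dc=com": {"objectClass": ["container"]},
    "uid=anne,cn=users,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "cn": ["Anne Johnson"]},
    "uid=bob,cn=users,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "cn": ["Bob Lee"]},
    "cn=groups,dc=example,dc=com": {"objectClass": ["container"]},
    "cn=admin,cn=groups,dc=example,dc=com": {"objectClass": ["posixGroup"], "memberUid": ["anne"]},
}
# One entry whose RDN value itself contains a comma.
DIRECTORY[build_dn(("cn", "Smith, John"), "cn=users,dc=example,dc=com")] = {"objectClass": ["inetOrgPerson"]}

if __name__ == "__main__":
    for scope in SCOPES:
        print(scope, search(DIRECTORY, "cn=users, dc=example, dc=com", scope))
```

The escape handling is the part to keep in mind when a search base or filter is assembled from user input: a value such as "Smith, John" must be escaped before it is placed in a DN, or the comma changes which entry the directory is asked about.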

Lion Server user management ► Open Directory services ► About Open Directory
Local and shared directory domains

Where you store your server’s user information and other administrative data is determined by whether the data must be shared. This information can be stored in the server’s local directory domain or in a shared directory domain.

About the Local directory domain

Every Mac computer has a local directory domain. A local directory domain’s administrative data is visible only to applications and system software running on the computer where the domain resides. It is the first domain consulted when a user logs in or performs any operation that requires data stored in a directory domain.

When the user logs in to a Mac, Open Directory searches the computer’s local directory domain for the user’s record. If the local directory domain contains the user’s record (and if the user entered the correct password), the login process proceeds and the user gets access to the computer.

After login, the user could choose “Connect to Server” from the Go menu and connect to a Mac server for file service. In this case, Open Directory on the server searches for the user’s record in the server’s local directory domain.

If the server’s local directory domain has a record for the user (and if the user enters the correct password), the server grants the user access to file services, as shown below:

When you set up a Mac, its local directory domain is created and populated with records. For example, a user record is created for the user who performed the installation. It contains the user name and password entered during setup and other information, such as a unique ID for the user and the location of the user’s home folder.

About shared directory domains

Although Open Directory on any Mac can store administrative data in the computer’s local directory domain, the real power of Open Directory is that it lets multiple Mac computers share administrative data by storing the data in shared directory domains.

When a computer is configured to use a shared domain, administrative data in the shared domain is also visible to applications and system software running on that computer.

If Open Directory does not find a user’s record in the local directory domain of a Mac computer, Open Directory can search for the user’s record in any shared domains the computer has access to.

In the following example, the user can access both computers because the shared domain accessible from both computers contains a record for the user.

Shared domains generally reside on servers because directory domains store extremely important data, such as the data forauthenticating users.

Access to servers is usually tightly restricted to protect the data on them. In addition, directory data must always be available. Servers often have extra hardware features that enhance their reliability, and servers can be connected to uninterruptible power sources.

Shared data in existing directory domains

Some organizations—such as universities and worldwide corporations—maintain user information and other administrative data in directory domains on UNIX or Windows servers. Open Directory can search these non-Apple domains and shared Open Directory domains of Lion Server systems, as shown in the illustration below.


The order in which Mac OS X Lion searches directory domains is configurable. A search policy determines the order in which MacOS X Lion searches directory domains. Search policies are explained in Open Directory search policies.

Open Directory planning

Keeping information in shared directory domains gives you more control over your network, gives more users access to the information, and makes it easier to maintain the information. The amount of control and convenience depends on the effort you put into planning shared domains.

The goal of directory domain planning is to design the simplest arrangement of shared domains that gives your Mac users easy access to the network resources they need and that minimizes the time you spend maintaining user records and other administrative data.

Planning guidelines

If you do not share user and resource information among multiple Macs, very little directory domain planning is necessary, because everything can be accessed from a local directory domain.

However, make sure that all individuals who use a Mac have user accounts on that computer. These user accounts reside in the local directory domain on the computer.

In addition, everyone who needs to use a Mac server’s file service, mail service, or other services that require authentication must have a user account in the server’s local directory domain.

With this arrangement, each user has two accounts, one for logging in to a computer and one for accessing services of a Mac server, as illustrated in the following figure.

The user logs in to the local directory domain of the Mac and then uses a different account to log in to the local directory domain of the file services server.

To share information among Mac computers and servers, you must set up at least one shared directory domain. With this arrangement, each user needs an account only in the shared directory domain.

With this one account, the user can log in to Mac OS X Lion on any computer that’s configured to access the shared directory domain. The user can also use this same account to access services of any Mac server that’s configured to access the shared directory domain.

The following figure illustrates a configuration with a shared directory domain. The figure shows a user logging in to a Mac using a shared directory domain account. Then the shared directory domain account is also used to access a file service.

When the user attempts to access the file service, the file server accesses the shared directory domain to verify the user account. Because the user computer and the file server are connected to the shared directory domain, the user account on the shared directory domain is used to access a computer and the file service without needing a local account on each computer.

In many organizations, a single shared directory domain is adequate. It can handle hundreds of thousands of users and thousands of computers sharing the same resources, such as printer queues, share points for home directories, share points for applications, and share points for documents.

Replicating the shared directory domain can increase the capacity or performance of the directory system by configuring multiple servers to handle the directory system load for the network.

Larger, more complex organizations can benefit from extra shared directory domains. The following figure shows how one such complex organization might organize its directory domains.

If you have a large organization and you want to increase the performance and capacity of your network directory domain, you can add multiple directory domains to your network. Also, by using multiple directory domains you can load-balance your corporate directory domain.

There are different methods of configuring multiple directory domains. By analyzing your network topology you can determine the best method for your network. The following are optional configurations of multiple directory domains:

Open Directory with an existing domain. You can configure an Open Directory server on a network that has an existing directory domain such as an Active Directory or Open Directory domain.

For example, if your organization has an existing Active Directory server that supports Windows and Mac client computers, you can add an Open Directory server to better support Mac users. The two servers can exist on the same network and provide redundant directory domains for Windows and Mac clients.

You can also configure Lion Server to handle cross-domain authorization if a Kerberos realm exists.

If you have an existing Active Directory server, you can connect an Open Directory server to it and you can easily add users from the Active Directory server into your Open Directory server. These users are referred to as augment users.

For more information about augment records, see Integrate with existing directory domains. For more information about adding augments to user records, see User Management.

Open Directory master server with replicas. You can also create an Open Directory master server with replicas. The replica servers have a copy of the Open Directory master’s directory domain for load balancing and redundancy.

For example, your organization could have an Open Directory master at your headquarters and place replicas of that server at each remote location. This prevents users at remote locations from experiencing delayed logins.

Cascading replication. You can also use cascading replication, where replicas of an Open Directory master have replicas. If a replica is a direct member of the Open Directory master and it has replicas, it is called a relay.

For example, if your organization has 32 replicas and you must add another replica, you can reorganize your network topology and have your replicas become relays by adding replicas to a replica (or relay).

Cascading replication load-balances the Open Directory master by minimizing the number of replicas it must directly manage.

Estimating directory and authentication requirements

In addition to considering how to distribute directory data among multiple domains, you must also consider the capacity of each directory domain. The size of your directory domain depends on your network requirements.

One factor is the performance of the database that stores directory information. The LDAP directory domain of a Mac server uses the Berkeley DB database, which remains efficient with 200,000 records. A server hosting a directory domain of that size must have sufficient hard disk space to store all the records.

The number of connections a directory service can handle is harder to measure because directory service connections occur in the context of the connections of all services the server provides. With Lion Server, a server dedicated to Open Directory has a limit of 1,000 simultaneous client computer connections.

The Open Directory server can provide LDAP and authentication services to more client computers, because not all computers need these services at the same time. Each computer connects to the LDAP directory for up to two minutes, and connections to the Open Directory Password Server are even more brief.

Determining that fraction—the percentage of computers that make connections at the same time—can be difficult.

For example, computers that have a single user who spends all day working on graphics files need Open Directory services relatively infrequently.

In contrast, computers in a lab have many users logging in throughout the day, each with a different set of managed client preference settings, and these computers place a relatively high load on Open Directory services.

In general, you can correlate Open Directory usage with login and logout. These activities generally dominate directory and authentication services for any system.

The more frequently users log in and out, the fewer computers an Open Directory server (or any directory and authentication server) can support. You need more Open Directory servers if users log in frequently. You can get by with fewer Open Directory servers if work sessions are long and login is infrequent.

Identifying servers for hosting shared domains

If you need more than one shared domain, identify the servers where the shared domains should reside. Shared domains affect many users, so they should reside on Mac servers that have the following characteristics:

Restricted physical access

Limited network access

High-availability technologies, such as uninterruptible power supplies

Select computers that are not replaced frequently and that have adequate capacity for expanding directory domains. Although you can move a shared domain after it is set up, it might be necessary to reconfigure the search policies of computers that connect to the shared domain so users can continue to log in.

Replicate Open Directory services

Lion Server supports replication of the LDAP directory service, the Open Directory Password Server, and the Kerberos KDC.

By replicating your directory and authentication services you can:

Move directory information closer to a population of users in a geographically distributed network, improving performance of directory and authentication services to these users.

Achieve redundancy, so users see little disruption in service if a directory system fails or becomes unreachable.

One server has a primary copy of the shared LDAP directory domain, Open Directory Password Server, and Kerberos KDC. This server is referred to as an Open Directory master. Each Open Directory replica is a separate server with a copy of the master’s LDAP directory, Open Directory Password Server, and Kerberos KDC.

An Open Directory server can have up to 32 replicas. Each replica can have 32 replicas of itself, providing 1,056 replicas in a two-tier hierarchy.

Access to the LDAP directory on a replica is read only. Changes to user records and other account information in the LDAP directory can be made only on the Open Directory master.

The Open Directory master updates its replicas when there are changes to the LDAP directory. The master can update replicas every time a change occurs, or you can set up a schedule so updates occur at regular intervals. The fixed schedule option is best if replicas are connected to the master by a slow network link.

Passwords and password policies can be changed on any replica. If a user’s password or password policy is changed on more than one replica, the most recent change prevails.

The updating of replicas relies on the clocks of the master and replicas being in sync. If replicas and the master have different times, updating could be arbitrary. The date, time, and time zone information must be correct on the master and replicas, and they should use the same network time service to keep their clocks in sync.

Avoid having only one replica on either side of a slow network link. If a replica is separated from other replicas by a slow network link and the one replica fails, clients of the replica will fail over to a replica on the other side of the slow network link. As a result, their directory services can slow markedly.

If your network has a mix of Mac OS X Server v10.6 and Lion Server, one version can’t be a replica of a master of the other version. An Open Directory master of Lion Server won’t replicate to v10.6, nor will an Open Directory master of v10.6 replicate to Lion Server:

Replica version                  Lion Server master   Mac OS X Server v10.6 master
Lion Server replica              Yes                  No
Mac OS X Server v10.6 replica    No                   Yes

Replica sets

A replica set is an automatic configuration that requires each service that Open Directory manages (LDAP, Password Server, and Kerberos) to look for and use the same replica server. This helps ensure that client computers choose the same replica server when using Open Directory services and helps prevent slow login.

Cascading replication

Mac OS X v10.4 used a hub-spoke model for replicating Open Directory master servers. This required each Open Directory master to maintain a transaction record for each replica server.

The following illustration shows the hub-spoke model used in Mac OS X v10.4.

In addition, there was no predefined limit to how many replica servers an Open Directory master could manage.

If an Open Directory master had 1,000 replicas to manage, it could have performance issues if replicas continued to be added. This is similar to having one manager for 1,000 employees, which is an unmanageable situation.

Mac OS X Server v10.5 and later use cascading replication to improve scalability and resolve performance issues with the older hub-spoke model of replication. Cascading replication limits the number of replica servers that a single Open Directory master server must manage directly.

A single Open Directory master server can have up to 32 replicas and each replica can have up to 32 replicas, which gives you 1,056 replicas of a single Open Directory master server.

This creates a two-tier hierarchy of replica servers. The first tier of replicas, which are the direct members of the Open Directory master, are called relays if they have replicas, because they relay the data to the second tier of replicas.

Also, cascading replication does not require that a single Open Directory master server maintain a transaction record of each replica server. The master server only keeps a maximum of 32 replica transaction records, which improves performance.

The following illustration shows the two-tier hierarchy of the cascading replication model.

Planning the upgrade of multiple Open Directory replicas

If your Open Directory master manages more than 32 replicas, your organization must migrate to cascading replication. The cascading replication model will improve your Open Directory server performance.

When planning for your migration, consider the locations of your replica servers and your network topology to help determine how to reorganize your replicas into a hierarchical structure.

For example, you do not want to have an Open Directory master on the West coast replicating to a replica on the East coast.

Note: If your Open Directory master has fewer than 32 replicas, migration is not necessary.
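As an added planning aid (not part of Apple’s documentation or tools), the following Python script groups a flat set of replicas into the two-tier cascading layout just described: at most 32 relays under the master, at most 32 replicas under each relay, and every second-tier replica placed under a relay at its own site so replication updates stay off the links between locations. Replica and site names are constructed for the example.

```python
"""Added planning aid, not part of Apple's documentation or tools.

Groups a flat set of Open Directory replicas into the two-tier cascading
layout: at most 32 relays attached directly to the master, each relay
managing at most 32 second-tier replicas, and every second-tier replica
placed under a relay at its own site. Replica and site names are constructed.
"""
from collections import defaultdict

MAX_DIRECT = 32   # replicas a master or relay can manage directly
MASTER = "master"


def plan_cascade(replicas):
    """replicas: dict mapping replica name -> site name.

    Returns a dict mapping MASTER and each relay to the list of replicas it
    manages directly.  Raises ValueError when the fleet would need more than
    MAX_DIRECT relays, i.e. it does not fit the 32 x 32 hierarchy.
    """
    by_site = defaultdict(list)
    for name in sorted(replicas):           # sorted for deterministic output
        by_site[replicas[name]].append(name)

    tree = {}
    tier1 = []                              # relays (or lone replicas) under the master
    for site in sorted(by_site):
        members = by_site[site]
        idx = 0
        while idx < len(members):
            # the first unplaced replica at a site becomes a relay for the
            # next MAX_DIRECT replicas of the same site
            relay = members[idx]
            children = members[idx + 1: idx + 1 + MAX_DIRECT]
            tree[relay] = children
            tier1.append(relay)
            idx += 1 + len(children)

    if len(tier1) > MAX_DIRECT:
        raise ValueError("layout needs %d relays but a master manages at most %d"
                         % (len(tier1), MAX_DIRECT))
    tree[MASTER] = tier1
    return tree


def example_fleet():
    """Constructed fleet: 40 replicas spread over three sites."""
    fleet = {}
    for site, count in (("west", 20), ("east", 15), ("north", 5)):
        for i in range(count):
            fleet["%s-%02d" % (site, i)] = site
    return fleet


if __name__ == "__main__":
    tree = plan_cascade(example_fleet())
    for parent in [MASTER] + tree[MASTER]:
        print("%-10s -> %s" % (parent, ", ".join(tree[parent]) or "(no replicas)"))
```

A site with a single replica simply attaches that replica to the master; the script does not move replicas across sites to save master slots, so a fleet of more than 32 sites is reported as not fitting.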

Load balancing in small, medium, and large environments

Do not use service load-balancing software from third parties with Open Directory servers.

Load-balancing software can cause unpredictable problems for Open Directory computers. It can interfere with the automatic load balancing and failover behavior of Open Directory in Mac OS X Lion and Lion Server.

Mac computers seek the nearest available Open Directory server—master or replica. A computer’s nearest Open Directory master or replica is the one that responds most quickly to the computer’s request for an Open Directory connection.

Replication in a multibuilding campus

A network that spans multiple buildings might have slower network links between buildings than the link within each building. The network links between buildings might also be overloaded.

These conditions can adversely affect the performance of computers that get Open Directory services from a server in another building. As a result, you may want to set up an Open Directory replica in each building.

Depending on need, you may even want to set up an Open Directory replica on each floor of a multistory building. Each replica provides efficient directory and authentication services to client computers in its vicinity. The computers do not need to make connections with an Open Directory server across the slow, crowded network link between buildings.

Having more replicas has a disadvantage. Replicas communicate with each other and with the master over the network. This network communication overhead increases as you add replicas. Adding too many replicas can add more network traffic between buildings in the form of replication updates than it removes in the form of Open Directory client communications.

When deciding how many replicas to deploy, consider how heavily the computers use Open Directory services. If the computers are relatively light users of Open Directory services and your buildings are connected by fairly fast network links (such as 100 Mbps Ethernet), you probably do not need a replica in each building.

You can reduce the communication overhead between Open Directory replicas and the master by scheduling how often the Open Directory master updates the replicas. You might not need the replicas updated every time a change occurs in the master. Scheduling less frequent updates of replicas improves network performance.

Using an Open Directory master, replica, or relay with NAT

If your network has an Open Directory server on the private network side of a network address translation (NAT) router (or gateway), including the NAT router of a Mac server, only computers on the private network side of the NAT router can connect to the Open Directory server’s LDAP directory domain.

Computers on the public network side of the NAT router can’t connect to the LDAP directory domain of an Open Directory master or replica that’s on the private network side.

If an Open Directory server is on the public network side of a NAT router, computers on both the private network and the public network sides of the NAT router can connect to the Open Directory server’s LDAP directory.

If your network supports mobile clients such as MacBooks that move between the private LAN of your NAT gateway and the Internet, you can set up VPN service for mobile users so they can use VPN to connect to the private network and the Open Directory domain.

Open Directory master and replica compatibility

The Open Directory master and its replicas must use the same version of Lion Server. In addition:

An Open Directory master using Lion Server won’t replicate to Mac OS X Server v10.6.

Mac OS X Server v10.6 or later can’t be a replica of an Open Directory master using Lion Server.

An Open Directory master using Lion Server can replicate to an Open Directory replica using Lion Server.

If you have an Open Directory master and replicas that use Mac OS X Server v10.6, upgrade them to Lion Server at the same time. First, upgrade the master; then, upgrade the replicas. Clients of the master and replicas continue to receive directory and authentication services during the upgrade.

While you are upgrading the master, its clients fail over to the nearest replica. When you upgrade replicas one at a time, clients fail back to the upgraded master.

Upgrading an Open Directory master from Mac OS X Server v10.6 or later severs ties to existing replicas. After upgrading each Open Directory replica to Lion Server, it is a standalone directory service and you must make it a replica again.

Mixing Active Directory and Open Directory master and replica services

There are some special considerations when introducing Open Directory servers into an Active Directory environment. If precautions are not taken, mixed results will occur on client and server functionality.

Also, avoid mixing Authenticated Directory Binding and Active Directory on the same client or server. Authenticated binding makes use of Kerberos, as does Active Directory. Using both will cause unexpected behavior or nonfunctioning authentication services unless care is taken, as detailed below.

When mixing Open Directory and Active Directory, you can only use Kerberos credentials from one system or the other for single sign-on purposes. You cannot have users exist in both Active Directory and Open Directory and use both sets of Kerberos credentials for single sign-on to a server that is Kerberized.

In other words, you cannot sign in to an Active Directory account and expect to use single sign-on with a server that is part of the Open Directory Kerberos realm.

Kerberos is used in Active Directory and Open Directory environments. Kerberos makes assumptions about determining the realm of a server when Kerberos tickets are used. The following is an example of mixing an Active Directory Kerberos realm with an Open Directory master Kerberos realm:

Active Directory Domain = example.com

Active Directory Kerberos realm = EXAMPLE.COM

Open Directory Server master = server1.example.com

Open Directory Kerberos realm = SERVER1.EXAMPLE.COM

When Kerberos attempts to obtain a ticket-granting-ticket (TGT) for using LDAP with server1.example.com, it requests ldap/[email protected] unless the domain_realm entity is present in the configuration. The domain_realm entity for Open Directory assumes that all example.com entities belong to SERVER1.EXAMPLE.COM. This prevents connectivity to the Active Directory domain named example.com.

To mix Authenticated Directory Binding and Active Directory, your Active Directory domain and Open Directory realms and servers must be in a different hierarchy. For example:

Active Directory Domain = example.com

Active Directory Kerberos realm = EXAMPLE.COM

Open Directory Server master = server1.od.example.com

Open Directory Kerberos realm = OD.EXAMPLE.COM

Or

Active Directory Domain = ads.example.com

Active Directory Kerberos realm = ADS.EXAMPLE.COM

Open Directory Server master = server1.od.example.com

Open Directory Kerberos realm = OD.EXAMPLE.COM

In both examples, a new DNS domain zone must be created, and forward and reverse DNS entries must exist for the servers so that if an IP address is used for the Open Directory server, it resolves to the expected name. For example, if the IP address of server1.od.example.com is 10.1.1.1, a reverse lookup of 10.1.1.1 should return server1.od.example.com, not server1.example.com.
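To make the realm-mapping conflict concrete, here is an added Python model (not Apple’s code) of how a Kerberos client picks a realm from its krb5.conf [domain_realm] entries: an exact host entry wins, otherwise the longest matching parent domain written with a leading dot, otherwise the default realm. It reproduces the flat layout (server1.example.com claiming all of example.com) and the hierarchical od.example.com layout from the text; the default realm EXAMPLE.COM and the Active Directory host name dc1.example.com are constructed assumptions, and DNS forward/reverse lookups are not modeled.

```python
"""Added model, not Apple's code, of Kerberos realm resolution from
krb5.conf [domain_realm] rules.  Host names other than those on the page
(dc1.example.com) and the default realm EXAMPLE.COM are constructed.
"""


def realm_for_host(host, domain_realm, default_realm):
    """Resolve the realm for `host`: exact host entry first, then the longest
    matching parent domain written with a leading dot, then the default."""
    host = host.lower().rstrip(".")
    if host in domain_realm:                       # exact host-name entry
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):                # ".od.example.com", ".example.com", ".com"
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return default_realm


def service_principal(service, host, domain_realm, default_realm):
    """Build the service principal the client will ask its KDC for, e.g. ldap/host@REALM."""
    return "%s/%s@%s" % (service, host, realm_for_host(host, domain_realm, default_realm))


def check_realm_layout(hosts, domain_realm, default_realm):
    """hosts: dict host name -> realm its KDC really serves.
    Returns the hosts whose realm the client would resolve incorrectly; an
    empty list means every service-ticket request is sent to the right realm."""
    return [h for h, true_realm in hosts.items()
            if realm_for_host(h, domain_realm, default_realm) != true_realm]


# Layout 1 (flat, from the page): Open Directory master server1.example.com
# with realm SERVER1.EXAMPLE.COM whose domain_realm claims all of example.com.
FLAT_DOMAIN_REALM = {
    ".example.com": "SERVER1.EXAMPLE.COM",
    "server1.example.com": "SERVER1.EXAMPLE.COM",
}
FLAT_HOSTS = {
    "server1.example.com": "SERVER1.EXAMPLE.COM",
    "dc1.example.com": "EXAMPLE.COM",      # constructed AD domain controller name
}

# Layout 2 (hierarchical, from the page): Open Directory in its own DNS zone
# od.example.com with realm OD.EXAMPLE.COM, leaving example.com to Active Directory.
HIERARCHICAL_DOMAIN_REALM = {
    ".od.example.com": "OD.EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
}
HIERARCHICAL_HOSTS = {
    "server1.od.example.com": "OD.EXAMPLE.COM",
    "dc1.example.com": "EXAMPLE.COM",      # constructed
}

if __name__ == "__main__":
    for name, mapping, hosts in (("flat", FLAT_DOMAIN_REALM, FLAT_HOSTS),
                                 ("hierarchical", HIERARCHICAL_DOMAIN_REALM, HIERARCHICAL_HOSTS)):
        bad = check_realm_layout(hosts, mapping, "EXAMPLE.COM")
        print("%-12s mis-mapped hosts: %s" % (name, bad or "none"))
        for h in hosts:
            print("   ", service_principal("ldap", h, mapping, "EXAMPLE.COM"))
```

In the flat layout the client asks SERVER1.EXAMPLE.COM for a ticket to dc1.example.com, which that KDC cannot issue; in the hierarchical layout both realms resolve correctly.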

Integrate with existing directory domains

If your network has a directory domain, you can integrate another directory domain server into your network. There are many reasons why you might want to have two directory domains, such as providing better support and management of network computers.

Integrating with cross-domain authorization

If your network has a directory domain, you can add another directory domain server to your network that uses your existing directory domain’s database to authorize user access. This configuration is referred to as cross-domain authorization and requires that your servers support Kerberos.

If you use cross-domain authorization, one server is a pseudomaster server and the other is a subordinate server. Users authenticate to the pseudomaster server using a method of authentication, so if a user authenticates, he or she receives a Kerberos ticket.

When the user attempts to access a service that is offered by the subordinate server, the subordinate server accepts and validates the user’s Kerberos ticket, which was given by the pseudomaster server, to authorize the user.

The Kerberos ticket has Privilege Attribute Certificate (PAC) information, which contains the user name, user IDs (UIDs), and group membership IDs (GIDs).

The subordinate server uses this information to verify that the user is authorized to use the service. It does so by comparing the UID or GID to the access control list (ACL) of the service the user is requesting to access.

Using cross-domain authorization keeps you from needing to create different user names and passwords for your subordinate directory domain server. You can use the same user names and passwords from the corporate directory domain along with the PAC information to authorize user access.

Cross-domain authorization is an ideal configuration if you are not permitted to directly edit groups in the corporate directory domain.

You can use cross-domain authorization between an Active Directory server and a Mac OS X Lion Open Directory server or between two Mac OS X Lion Open Directory servers. Cross-domain authorization does not work on a Mac OS X v10.4 server. To use PAC information, the pseudomaster server must have a Kerberos realm for the subordinate server to join.

To create a subordinate for a directory system you must join your server to an Active Directory or Open Directory server that has Kerberos configured and running. Then, using Server Admin, you must promote your Open Directory server to an Open Directory master. The subordinate server determines that it is subordinate to an Active Directory or Open Directory server and configures itself accordingly.

You can also have a replica of your subordinate Open Directory server. To create a replica of a subordinate directory server, join your server to the pseudomaster and subordinate server. Then configure the server to be a replica of the subordinate server.

If you don’t join the server to both the pseudomaster and subordinate server, it is blocked or fails to become a replica.

Integrating with a magic triangle

A magic triangle, also referred to as the golden triangle, is the connecting of two directory domains where one controls the authentication and the other manages Mac OS X Lion settings.

Mac OS X Lion supports the connection of an Active Directory server to an Open Directory server or two Open Directory servers connected together. This creates a magic triangle that is made up of three parts: the directory server providing authentication, the second directory server, and the Mac client computers.

When configuring a magic triangle, one server must be the primary server and the other the secondary server. The secondary server must join the primary server and its Kerberos realm. There can only be one Kerberos realm in a magic triangle.

For example, you can configure an Active Directory server as a primary server to host the Kerberos Distribution Center (KDC) and contain user and group records. Then you can configure an Open Directory server as a secondary server and connect it to the Active Directory server and its Kerberos realm.

The Active Directory server manages authentication requests while the Open Directory server manages preference and policy settings of client computers.

All services of your Open Directory servers can be Kerberized through the Kerberos realm of the Active Directory server. Client computers are connected to the Active Directory and Open Directory servers.

Integrating with augment records

If you integrate with an existing directory domain using a magic triangle, you can augment user records from the primary directory domain to the secondary directory domain.

When you augment user records from a primary directory domain to a secondary directory domain, you can add data to these records. These user records are labeled as augmented in Workgroup Manager. The augmented record information is used by the secondary directory domain and is not viewable from the primary directory domain server where the original records reside.

For example, if you configure a magic triangle with an Active Directory server as the primary server and an Open Directory server as the secondary server, you can augment user records from the Active Directory server to the Open Directory server. After you augment these records you can add information, such as setting a login picture.

Augments do not affect the original user record. Augments provide additional information specific to the directory domain the augment user logs in to. By keeping the users in the Active Directory domain and augmenting them into the Open Directory domain, users can use Mac server-specific features. Also, it prevents users from needing two passwords or accounts.

Integrating without schema changes

Mac OS X Lion integrates with most LDAP-based directories without needing to change the schema of your directory server. However, some record types might not be recognized or maintained by your server’s directory schema.

When you integrate Mac computers with your directory server, you might want to add a record type or object class to the directory schema to better manage and support Mac client computers.

For example, by default there may not be a Picture record type in your directory schema for Mac users, but you can add it to your directory schema so Picture records can be stored in the directory database.

To add records or attributes to your directory schema, consult your directory domain administrator for instructions.

Integrating with schema changes

If you are adding Mac computers to a directory domain, you can make schema changes to the directory domain server to better support Mac client computers.

When you add a record type or attribute to the directory schema, investigate whether you have a record type or attribute that can map to it in the existing schema. If you don’t have a similar record type or attribute that you can map to, add the record type or attribute to your schema. This is referred to as extending your schema.

When you extend your schema you might need to change the default access control list (ACL) of specific attributes so computer accounts can read the user properties. For example, you can configure a Mac to access basic user account information in an Active Directory domain of a Windows 2000 or Windows 2003 or later server.

Avoiding Kerberos conflicts with multiple directoriesIf you set up an Open Directory master on a network that has an Active Directory domain, your network will have two Kerberosrealms: An Open Directory Kerberos realm and an Active Directory Kerberos realm.

For practical purposes, other servers on the network can use only one Kerberos realm. When you set up a file server, mail server,or other server that can use Kerberos authentication, you must choose one Kerberos realm.

A Mac server must belong to the same Kerberos realm as its client users. The realm has only one authoritative Kerberos server,

Page 215: Lion Server_ Advanced Administration

which is responsible for all Kerberos authentication in the realm. The Kerberos server can authenticate only clients and services in its own realm; it can’t authenticate clients or services that belong to a different realm.

Only user accounts in the chosen Kerberos realm get single sign-on. User accounts in the other realm can still authenticate, but without single sign-on.

If you’re configuring a server to access multiple directory systems that each have a Kerberos realm, plan carefully for the user accounts that will use Kerberized services. Be clear about why the server needs access to two directory services, and join the server to the realm whose companion directory domain contains the user accounts that must use Kerberos and single sign-on.

For example, you might configure access to an Active Directory realm for its user records and to an Open Directory LDAP directory for the Mac OS X Lion records and attributes that aren’t in Active Directory, such as group and computer records.

Other servers could join either the Active Directory Kerberos realm or the Open Directory Kerberos realm. In this case, they should join the Active Directory Kerberos realm so that Active Directory user accounts have single sign-on.

If you also have user accounts in the Open Directory server’s LDAP directory, users can still authenticate to them, but those Open Directory user accounts won’t use Kerberos or have single sign-on. They’ll use Open Directory Password Server authentication methods instead.

You could put all Mac users in the Open Directory domain and all Windows users in the Active Directory domain; all of them could authenticate, but only one population could use Kerberos.

Do not configure an Open Directory master or replica to also access an Active Directory domain (or any other directory domain with a Kerberos realm). If you do, the Open Directory Kerberos realm and the Active Directory Kerberos realm try to use the same configuration files on the Open Directory server, which disrupts Open Directory Kerberos authentication.

To avoid this Kerberos configuration file conflict, don’t use an Open Directory server as a workstation for managing users in another Kerberos server’s directory domain, such as an Active Directory domain. Instead, use an administrator computer (a Mac with the server administration tools installed) that’s configured to access the related directory domains.

If you must use an Open Directory server to manage users in another server’s directory domain, make sure the other directory domain is not part of the Open Directory server’s authentication search policy.

For the same reason, don’t use an Open Directory server to provide services that access a different Kerberos server’s directory domain.

For example, if you configure AFP file service to access both Open Directory and Active Directory, don’t host that file service on an Open Directory server. Use another server and join it to the Kerberos realm of one directory service or the other.

Theoretically, servers or clients can belong to two Kerberos realms, such as an Open Directory realm and an Active Directory realm. Multiple-realm Kerberos authentication requires very advanced configuration, including setting up Kerberos servers and clients for cross-realm authentication and revising Kerberized service software so it can belong to multiple realms.

To configure your network to use one Kerberos realm that provides single sign-on for two directory domains, such as Active Directory and Open Directory, disable Kerberos on your Open Directory master and connect it to the Active Directory domain.

This provides one Kerberos realm for both directory domains and their Kerberized services, and users in either domain can use single sign-on.

For more information about disabling Kerberos on an Open Directory master, see Disable Kerberos after setting up an Open Directory master.
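The search-policy check that the guidance above calls for, as an added example that is not part of the Apple manual: it reads the server’s authentication search path in the shape that dscl /Search -read / CSPSearchPath prints it and fails if any node other than the local domain and the server’s own LDAP directory is present. The sample output is constructed, and the exact layout of dscl’s multi-value output (a label line followed by one indented value per line) is an assumption.

```shell
#!/bin/sh
# Added example, not from the Apple manual: check that an Open Directory
# master or replica searches only its own nodes for authentication, so no
# second Kerberos realm (for example an Active Directory domain) is pulled into
# its configuration. The sample is constructed; that dscl prints a multi-value
# attribute as a label line followed by one indented value per line is assumed.

# Constructed sample in the shape of `dscl /Search -read / CSPSearchPath`
# output on a server that was wrongly bound to Active Directory as well.
SEARCH_PATH_SAMPLE='CSPSearchPath:
 /Local/Default
 /LDAPv3/127.0.0.1
 /Active Directory/CORP/All Domains'

# Nodes in the search path, one per line, without the label or indentation.
search_path_nodes() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]\{1,\}//p'
}

# Nodes that belong to some other directory system. The local domain and the
# server's own shared LDAP directory (reached via 127.0.0.1) are the only
# nodes an Open Directory server should consult for authentication.
foreign_nodes() {
    search_path_nodes "$1" |
        grep -v -e '^/Local/Default$' -e '^/LDAPv3/127\.0\.0\.1$' || true
}

# Returns 0 when the search policy is clean and 1 when a foreign node is
# present, naming the offending nodes on stderr.
check_search_path() {
    offending=$(foreign_nodes "$1")
    if [ -n "$offending" ]; then
        printf 'foreign directory node in authentication search policy:\n%s\n' "$offending" >&2
        return 1
    fi
    return 0
}

# On the server itself, replace the sample with the live policy:
#   check_search_path "$(dscl /Search -read / CSPSearchPath)"
```

A clean result on an Open Directory master does not by itself prove the server is not bound to Active Directory; dsconfigad -show reports a binding whether or not the Active Directory node is in the search path, so run both checks.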

Improve directory service performance

You can improve the performance of Open Directory services by adding memory to the server and having it provide fewer services. This strategy applies to every other service of a Mac server as well: the more you can dedicate an individual server to a specific task, the better its performance.

Beyond that general strategy, you can also improve Open Directory server performance by placing the LDAP database on its own disk and the Open Directory logs on another disk.

If your network includes replicas of an Open Directory master, you can improve network performance by scheduling less-frequent updates of replicas. Updating less frequently means the replicas have less up-to-date directory data, so you must strike a balance between higher network performance and less accuracy in your replicas.

For greater redundancy of Open Directory services, set up extra servers as Open Directory replicas or use servers with RAID sets.


Open Directory security

With Lion Server, a server with a shared LDAP directory domain also provides Open Directory authentication.

It is important to protect the authentication data stored by Open Directory: the Open Directory Password Server database and the Kerberos database. Make sure an Open Directory master and all Open Directory replicas are secure by following these guidelines:

Keep your server behind a locked door, and always log it out. Physical security of a server that is an Open Directory master or replica is paramount.

Secure the media you use to back up an Open Directory Password Server database and a Kerberos database. Having your Open Directory servers behind locked doors won’t protect a backup tape that you leave on your desk.

Do not use a server that is an Open Directory master or replica to provide other services. If you can’t dedicate servers to being Open Directory masters and replicas, minimize the number of services they provide.

Any other service could have a security breach that gives someone access to the Kerberos or Open Directory Password Server databases. Dedicating servers to Open Directory services is the optimal practice but is not required.

Set up service access control lists (SACLs) for the login window and secure shell (SSH) to limit who can log in to an Open Directory master or replica.

Avoid using a RAID volume that’s shared with other computers as the startup volume of a server that is an Open Directory master or replica. A security breach on one of the other computers could jeopardize the security of the Open Directory authentication information.

Set up the firewall service to block all ports except those listed here for directory, authentication, and administration protocols:

Open Directory Password Server uses ports 106 and 3659.

The Kerberos KDC uses TCP/UDP port 88, and TCP/UDP port 749 is used for Kerberos administration.

The shared LDAP directory uses TCP port 389 for an ordinary connection and TCP port 636 for an SSL connection.

Workgroup Manager uses TCP ports 311 and 625.

Server Admin uses TCP port 311.

SMB uses TCP/UDP ports 137, 138, 139, and 445.

In summary, the most secure and best practice is to:

Equip the Open Directory master computer with an uninterruptible power supply.

Dedicate each server that is an Open Directory master or replica to provide only Open Directory services.

Set up a firewall on these servers to provide only the following: directory access, authentication, and administration protocols (LDAP, Password Server, Kerberos, and Workgroup Manager).

Physically secure each Open Directory server and all backup media used with it.

Replicating directory and authentication data over the network poses minimal security risk. Password data is securely replicated using random keys negotiated during each replication session. The authentication portion of replication traffic (the Open Directory Password Server and the Kerberos KDC) is fully encrypted.

For extra security, configure network connections between Open Directory servers to use network switches rather than hubs. This isolates authentication replication traffic to trusted network segments.
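The port list above turned into something checkable, as an added example that is not part of the Apple manual: an allowlist of exactly the ports the guidelines name, a generator for matching ipfw rules, and an audit that reports listening sockets the allowlist does not cover (Screen Sharing and a stray web server in the constructed sample). That Lion Server’s firewall service drives ipfw underneath, and the rule syntax shown, are assumptions; the netstat lines are constructed.

```shell
#!/bin/sh
# Added example, not from the Apple manual: the Open Directory port allowlist
# from the guidelines above, an ipfw rule generator for it, and an audit that
# reports listening sockets the allowlist does not cover. That Lion Server's
# firewall service is an ipfw front end, and the rule syntax, are assumptions;
# the netstat lines in NETSTAT_SAMPLE are constructed.

# protocol, port, purpose: exactly the ports the guidelines list
OD_ALLOWLIST='tcp 106 Password Server
tcp 3659 Password Server
tcp 88 Kerberos KDC
udp 88 Kerberos KDC
tcp 749 Kerberos administration
udp 749 Kerberos administration
tcp 389 LDAP
tcp 636 LDAP over SSL
tcp 311 Server Admin and Workgroup Manager
tcp 625 Workgroup Manager
tcp 137 SMB
udp 137 SMB
tcp 138 SMB
udp 138 SMB
tcp 139 SMB
udp 139 SMB
tcp 445 SMB
udp 445 SMB'
export OD_ALLOWLIST

# Constructed sample of `netstat -an` output on the server: the expected
# directory listeners plus two that should not be on an Open Directory master.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.389                  *.*                    LISTEN
tcp4       0      0  *.636                  *.*                    LISTEN
tcp4       0      0  *.88                   *.*                    LISTEN
tcp4       0      0  *.3659                 *.*                    LISTEN
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  *.8080                 *.*                    LISTEN
tcp4       0      0  10.0.0.5.389           10.0.0.7.52311         ESTABLISHED
udp4       0      0  *.88                   *.*'

# Emit ipfw rules: allow replies to established TCP sessions, allow the
# listed services inbound, deny every other inbound packet.
ipfw_rules() {
    echo 'ipfw add allow tcp from any to any established'
    printf '%s\n' "$OD_ALLOWLIST" |
        awk '{ printf "ipfw add allow %s from any to me dst-port %s in\n", $1, $2 }'
    echo 'ipfw add deny ip from any to me in'
}

# Reduce netstat -an output to "proto port" for every listening socket:
# TCP rows in LISTEN state and every UDP row (netstat shows no state for UDP).
listening_ports() {
    printf '%s\n' "$1" | awk '
        function port(addr,   n, p) { n = split(addr, p, "."); return p[n] }
        $1 ~ /^tcp/ && $NF == "LISTEN" { print "tcp " port($4) }
        $1 ~ /^udp/                     { print "udp " port($4) }
    ' | sort -u
}

# Listening sockets that the allowlist does not cover; empty output means clean.
unexpected_listeners() {
    listening_ports "$1" | awk '
        BEGIN {
            n = split(ENVIRON["OD_ALLOWLIST"], lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                if (f[1] != "") ok[f[1] " " f[2]] = 1
            }
        }
        !($0 in ok) { print }'
}

# Live use on the server:
#   unexpected_listeners "$(netstat -an)"
#   ipfw_rules            # review, then run each line with sudo
```

Run the audit before tightening the firewall: a listener that the allowlist does not cover is either a service that should be moved off the Open Directory server, as the guidelines recommend, or a port the rule set will silently cut off.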

Service access control lists (SACLs)

Mac OS X Lion uses SACLs to authorize user access to a service. SACLs are made up of access control entries (ACEs) that determine the access privileges a user has to a service.

You can use SACLs to allow or deny user access to an Open Directory master or replica by setting SACLs for the login window and SSH. This restricts access to the service.

You can also use SACLs to set administrator access to Open Directory. This does not restrict access to the service; instead, it specifies who can administer or monitor the service. For more information about setting administrator SACLs, see Configure Open Directory service access control.


SACLs provide greater control when specifying the administrators that have access to monitor and manage the service. Only users and groups listed in an SACL have access to its corresponding service. For example, to give administrator access to users or groups for the Open Directory service on your server, add them to the Open Directory SACL as an ACE.
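A membership audit for the login window and SSH SACLs, as an added example that is not part of the Apple manual: it compares the members of each SACL group against the short list of administrators who are meant to reach an Open Directory master or replica and prints the dseditgroup command that would remove anyone else. The group names com.apple.access_loginwindow and com.apple.access_ssh are the ones Mac OS X uses for these SACLs; the approved list and the membership samples are constructed, and the single-line form in which dscl . -read prints short values is assumed.

```shell
#!/bin/sh
# Added example, not from the Apple manual: compare the members of the login
# window and SSH service access control lists against the administrators who
# are allowed to reach an Open Directory master or replica, and print the
# dseditgroup commands that would remove anyone else. Group names are the ones
# Mac OS X uses for these SACLs; the approved list and memberships below are
# constructed, and the "GroupMembership: a b c" output form of dscl is assumed.

APPROVED_ADMINS='odadmin backupop'

# Constructed samples in the shape of
#   dscl . -read /Groups/com.apple.access_ssh GroupMembership
SSH_SACL_SAMPLE='GroupMembership: odadmin backupop jdoe'
LOGINWINDOW_SACL_SAMPLE='GroupMembership: odadmin'

# Members of a SACL group, one per line, from a dscl GroupMembership line.
sacl_members() {
    printf '%s\n' "$1" | awk '$1 == "GroupMembership:" { for (i = 2; i <= NF; i++) print $i }'
}

# Members that are not on the approved list.
unapproved_members() {
    sacl_members "$1" | awk -v approved="$APPROVED_ADMINS" '
        BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)'
}

# One dseditgroup invocation per unapproved member of the named SACL group.
remediation_commands() {
    sacl="$1"; members="$2"
    unapproved_members "$members" |
        awk -v g="$sacl" '{ printf "sudo dseditgroup -o edit -d %s -t user %s\n", $1, g }'
}

# On the server, feed each SACL group's live membership through the audit:
#   for g in com.apple.access_loginwindow com.apple.access_ssh; do
#       remediation_commands "$g" "$(dscl . -read /Groups/$g GroupMembership)"
#   done
```

Membership by user name is only part of the picture: a SACL group can also contain nested groups, so check the NestedGroups attribute of each SACL group too, and confirm an individual account’s effective access with dseditgroup -o checkmember -m user com.apple.access_ssh.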

Manage Open Directory services

The Server Admin, Directory Utility, and Workgroup Manager applications provide a graphical interface for managing Open Directory services in Lion Server. In addition, you can manage Open Directory services from the command line by using Terminal.

These applications are included with Lion Server and can be installed on another computer with Mac OS X Lion, making that computer an administrator computer.

You can also install Server Admin on a computer with Mac OS X Lion and use it to manage Open Directory on any server on your local network and elsewhere. You can also manage Open Directory remotely by using command-line tools from a Mac computer or a non-Macintosh computer.

Server Admin

Server Admin provides access to tools you use to set up, manage, and monitor Open Directory services and other services. You use Server Admin to:

Set up a Mac server as an Open Directory master, an Open Directory replica, a server that’s connected to a directory system, or a standalone directory service with only a local directory domain. For more information, see Set up Open Directory services.

Set up more Mac server systems to use the Kerberos KDC of an Open Directory master or replica. For more information, see Set up Open Directory services.

Configure LDAP options on an Open Directory master. For more information, see Set up Open Directory services.

Configure DHCP service to supply an LDAP server address to Mac computers with automatic search policies.

Set up password policies that apply to all users who don’t have overriding individual password policies. For more information, see Set password policies for users.

Monitor Open Directory services. For more information, see Maintaining Open Directory Services.

Server Admin is in /Applications/Server/.

Directory Utility

Directory Utility determines how a Mac computer uses directory services, discovers network services, and searches directory services for authentication and contacts information. You use Directory Utility to:

Configure advanced connections to LDAP directories, an Active Directory domain, and a Network Information Service (NIS) domain

Configure data mapping for LDAP directories

Define policies for searching multiple directory services for authentication and contact information

Enable or disable types of directory services and types of network service discovery

View directory entries in raw form by using Directory Editor. For more information, see View or edit directory data.

Directory Utility can connect to other servers on your network so you can configure them remotely.

For more information about using Directory Utility, see Directory Utility Help.

Directory Utility is installed on every Mac and can be accessed through Users & Groups preferences.

Server app

The Server app provides management of Mac server users. Use the Server app to:

Set up and manage user accounts and group accounts. For more information, see Server app help.

Manage share points for file services. For more information, see the sections on file sharing in the Server app help.

Workgroup Manager

Workgroup Manager provides comprehensive management of Mac OS X Server clients. You use Workgroup Manager to:


Set up and manage user accounts, group accounts, and computer groups.

Manage share points for file services and user home folders.

Control what Mac OS X users see when they select the Network globe in a Finder sidebar.

View directory entries in raw form by using the Inspector.

For information about using Workgroup Manager, see Workgroup Manager Help.

Workgroup Manager is installed in /Applications/Server/.

Command-line tools

A full range of command-line tools is available for administrators who prefer to use command-driven server administration.

For remote server management, submit commands in an SSH session.

You can enter commands on Mac servers and computers using Terminal, located in /Applications/Utilities/.

Set up Open Directory services

Open Directory services (directory services and authentication services) are an essential part of a network’s infrastructure. These services have a significant effect on other network services and on users, so you must set up Open Directory correctly from the beginning. Here is a summary of the major tasks you perform to set up Open Directory services. For detailed information about each step, see the pages indicated.

Before you begin, do some planning

Before setting up Open Directory services for the first time:

Understand the uses of directory data and assess your directory needs.

Identify the services that require data from directory domains and determine which users need access to those services.

Users whose information can be managed most easily on a server should be defined in the shared LDAP directory of a Mac server that is an Open Directory master. Some of these users can be defined in directory domains on other servers, such as an Active Directory domain on a Windows server.

These concepts are discussed in Open Directory and directory services.

Assess whether you need more than one shared domain. If so, decide which users will be defined in each shared domain. For more information, see Open Directory search policies.

Determine which authentication options users need. For available options, see Monitor Open Directory authentication. Decide whether to have replicas of your Open Directory master. For guidelines, see Open Directory planning.

Select server administrators carefully. Provide administrator passwords only to people you trust. Have as few administrators as possible. Don’t delegate administrator access for minor tasks, such as changing settings in a user record.

Directory information vitally affects everyone whose computers use it.

Turn on Open Directory service

Use Server Admin to turn the Open Directory service on. After the service is on, you can configure Open Directory service settings. For more information about turning on Open Directory service, see Turn on Open Directory service.

Set up a standalone directory service

To set up servers that won’t get authentication and other administrative information from another directory service, see Set up a standalone directory service.

Set up an Open Directory master

To set up a server to provide directory and authentication services, see Replicate Open Directory services and Set up an Open Directory master.

Set up an Open Directory replica

To set up servers to provide failover directory and authentication services, or remote directory and authentication services for fast client interaction on distributed networks, see Set up an Open Directory replica or relay.


Set up Open Directory relays for cascading replication

To set up a server to be a replica or relay of an Open Directory master so it can provide directory information and authentication information to computers, see Replicate Open Directory services.

Set up servers that connect to other directory systems

If you have file servers or other servers that access directory and authentication services, see Configure access to an Open Directory server.

Set up single sign-on Kerberos authentication

If you have an Open Directory master, you can configure other servers to join its Kerberos realm. If you set up an Open Directory master without Kerberos, you can set up Kerberos later. For more information, see Set up single sign-on Kerberos authentication.

Set up client computers to connect to directory services

If you have an Open Directory master, you must configure client computers to access its directory domain. You can also configure computers to access other directory services such as Microsoft Active Directory. See Configure access to an Open Directory server and Configure access to an Active Directory domain.

Turn on Open Directory service

Before you can configure Open Directory settings, you must turn on Open Directory service in Server Admin.

1. Open Server Admin and connect to the server.

2. Click Settings.

3. Click Services.

4. Select the Open Directory checkbox.

5. Click Save.

Set up a standalone directory service

Using Server Admin, you can set up a Mac server to use only the server’s local directory domain. The server then neither provides directory information to other computers nor gets directory information from an existing system. (The local directory domain can’t be shared.)

If you change a Mac server to get directory information only from its local directory domain, user records and other information that the server retrieved from a shared directory domain become unavailable. The user records and other information in the shared directory domain are deleted.

Files and folders on the server can become unavailable to users whose accounts are in the shared directory domain.

If the server was an Open Directory master and other servers were connected to it, the following can occur:

Services can be disrupted on the connected servers when user accounts and other information in the shared directory domain become unavailable.

Users whose accounts are in the shared directory domain might not be able to access files and folders on the Open Directory master and on other servers that were connected to its shared LDAP directory domain.

You can archive a copy of the Open Directory master’s directory and authentication data before changing it to a standalone directory service. For more information, see Archive an Open Directory master.

You can also export users, groups, and computer groups from the Open Directory master before changing it to a standalone directory service.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.


The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click General.

5. Click Change.

The Open Directory Assistant opens.

6. Choose from the following:

If your server is an Open Directory master, select "Destroy Master and set up standalone directory," then click Continue.

If your server is an Open Directory replica, select "Decommission replica and set up standalone directory," click Continue, enter the root password for the Open Directory master and the domain administrator’s login credentials, and then click Continue.

7. Confirm the configuration setting, then click Continue.

8. If you are sure that users and services no longer need access to the directory data stored in the shared directory domain that the server has been hosting or is connected to, click Done.

Set up an Open Directory master

Using Server Admin, you can set up a Mac server to be an Open Directory master so it can provide directory information and authentication information to other systems.

Lion Server provides directory information by hosting a shared LDAP directory domain. In addition, the server authenticates users whose accounts are stored in the shared LDAP directory domain.

An Open Directory master has an Open Directory Password Server, which supports all conventional authentication methods required by Lion Server services. In addition, an Open Directory master can provide Kerberos authentication for single sign-on.

If you want the Open Directory master to provide Kerberos authentication for single sign-on, DNS must be available on the network and must be correctly configured to resolve the fully qualified DNS name of the Open Directory master server to its IP address. DNS must also be configured to resolve the IP address back to the server’s fully qualified DNS name.

Important: If you’re changing an Open Directory replica to an Open Directory master, the procedure you follow depends on whether the replica replaces the master or becomes an extra master:

To promote a replica to replace a nonfunctional master, follow the instructions in Promote an Open Directory replica instead of the instructions here.

To change a replica to an extra master, decommission the replica as described in Decommission an Open Directory replica, then make it a master by following the steps in this topic.

Note: If a Mac server was connected to a directory system and you make the server an Open Directory master, it remains connected to the other directory system. The server searches for user records and other information in its shared LDAP directory domain before searching in other directory systems it is connected to.

Important: If your Lion Server is an Open Directory master, it has a diradmin user. When binding two directory servers to each other, they must not have the same directory administrator user name (diradmin). If two Lion Servers are configured as Open Directory masters and are bound to each other with the same directory administrator name, the configuration is invalid and can cause random failures.

Make one of the Open Directory master servers a standalone server, then re-create it using Server Admin with a unique user name for the directory administrator instead of the default diradmin.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click General.

If the Role option is set to Open Directory Replica and you want this server to become an extra master, change the server role to Standalone first. For more information, see Set up a standalone directory service.


If you want the replica to take over from a nonfunctional master, promote the replica instead of making a new master. For more information, see Promote an Open Directory replica.

5. Click Change.

This opens the Open Directory Assistant.

6. Select "Set up an Open Directory Master," then click Continue.

If your DNS server is not configured, a message about single sign-on being unavailable appears. To use single sign-on, close the assistant and configure your DNS. If you don’t want to use single sign-on, click Continue to configure your Open Directory master without single sign-on.

7. Enter the following Master Directory Administrator information, then click Continue:

Name, Short Name, User ID, Password: You must create a user account for the primary administrator of the LDAP directory. This account is not a copy of the administrator account in the server’s local directory domain.

Make the names and user ID of the LDAP directory administrator different from the names and user IDs of user accounts in the local directory domain.

Also, to prevent the directory administrator account from being listed in the login window, assign the directory administrator account a user ID below 100. Accounts with user IDs below 100 are not listed in the login window.

Note: To connect your Open Directory master to other directory domains, specify a unique name and user ID for each domain. Don’t use the suggested diradmin user ID. Use a name that helps you distinguish the directory domain that the directory administrator controls.

8. Enter the following Master Domain information, then click Continue:

Kerberos Realm: This field is set to the server’s DNS name, converted to capital letters. This is the convention for naming a Kerberos realm. You can enter a different name if necessary.

Search Base: This field is set to a search base suffix for the new LDAP directory, derived from the domain portion of the server’s DNS name. You can enter a different search base suffix or leave it blank. If you leave this field blank, the LDAP directory’s default search base suffix is used.

9. Confirm settings, then click Continue.

10. Confirm that the Open Directory master is functioning by clicking Overview (near the top of the Server Admin window, with Open Directory selected in the Servers list).

The status of items listed in the Open Directory overview pane should say Running. If Kerberos remains stopped and you want it running, see If Kerberos is stopped on an Open Directory master or replica.

After setting up a Mac server to be an Open Directory master, you can change its binding policy, security policy, password policy, replication frequency, and LDAP protocol options. For more information, see Set a binding policy for an Open Directory server, Set the search timeout interval for LDAP service, and Set a security policy for an Open Directory server.

You can configure other computers with Mac OS X Lion or Mac OS X Lion Server to access the server’s shared LDAP directory domain. For more information, see Configure access to an LDAP directory.
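The checks worth running before choosing "Set up an Open Directory Master" in the assistant, as an added example that is not part of the Apple manual: it derives the default Kerberos realm (the DNS name in capitals) and the default LDAP search base (the domain portion as dc= components) that the assistant proposes, and verifies that forward and reverse DNS agree, which the procedure above requires for single sign-on. The live lookups use host(1); the sample answers in the test are constructed and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the Apple manual: pre-flight for an Open Directory
# master that will offer Kerberos single sign-on. Derives the defaults the
# Open Directory Assistant proposes and checks forward/reverse DNS agreement.
# Function names are this example's own; live lookups use host(1).

# Default realm: the server's fully qualified DNS name in capital letters.
default_realm() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Default search base: the domain part of the DNS name as dc= components,
# e.g. od.example.com -> dc=example,dc=com (a bare host name yields nothing).
default_search_base() {
    printf '%s\n' "$1" | awk -F. '{
        out = ""
        for (i = 2; i <= NF; i++) out = out (i > 2 ? "," : "") "dc=" $i
        print out
    }'
}

# Pure check: the forward lookup of the name must give the server's IP and the
# reverse lookup of that IP must give the same name (a trailing dot, as DNS
# tools print it, is tolerated). Returns 0 when consistent, 1 otherwise, and
# explains each mismatch on stderr.
dns_consistent() {
    name="$1"; expected_ip="$2"; forward_ip="$3"; reverse_name="${4%.}"
    status=0
    if [ "$forward_ip" != "$expected_ip" ]; then
        printf 'forward lookup of %s gave "%s", expected %s\n' "$name" "$forward_ip" "$expected_ip" >&2
        status=1
    fi
    if [ "$reverse_name" != "$name" ]; then
        printf 'reverse lookup of %s gave "%s", expected %s\n' "$expected_ip" "$reverse_name" "$name" >&2
        status=1
    fi
    return $status
}

# Live wrapper: resolve with host(1), then run the pure check.
#   kerberos_dns_preflight od.example.com 10.0.0.5
kerberos_dns_preflight() {
    fwd=$(host -t A "$1" | awk '/has address/ { print $NF; exit }')
    rev=$(host "$2" | awk '/domain name pointer/ { print $NF; exit }')
    printf 'proposed realm: %s\nproposed search base: %s\n' "$(default_realm "$1")" "$(default_search_base "$1")"
    dns_consistent "$1" "$2" "$fwd" "$rev"
}
```

A failing reverse lookup is the usual reason the assistant reports that single sign-on is unavailable; fix the PTR record rather than continuing without Kerberos. Apple’s own check for the same condition is sudo changeip -checkhostname, which is worth running alongside this one.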

Set up Windows 2000 for domain login

You can enable domain login on a Windows 2000 computer by joining it to an Open Directory Lion Server. Joining the Windows domain requires the name and password of an LDAP directory administrator account.

You can delegate this task to someone with a local administrator account on the Windows computer. In this case, you may want to create a temporary LDAP directory administrator account with limited privileges.

1. Log in to Windows 2000 using a local administrator account.

2. Open the Control Panel, then open System.

3. Click Network Identification, then click Properties.

4. Enter a computer name, click Domain, enter the domain name of the Open Directory Lion Server, and click OK.

To look up the domain name of the server, open Server Admin on the server or an administrator computer, select Open Directory in the Servers list, click Settings, then click General.

5. Enter the name and password of an LDAP directory administrator and click OK.

Set up Windows XP for domain login

You can enable domain login on a Windows XP computer by joining it to an Open Directory Lion Server. Joining the Windows domain requires the name and password of an LDAP directory administrator account.

You can delegate this task to someone with a local administrator account on the Windows computer. In this case, you may want to create a temporary LDAP directory administrator account with limited privileges.

1. Log in to Windows XP using a local administrator account.

2. Open the Control Panel, then open System.

3. Click Computer Name, then click Change.

4. Enter a computer name, click Domain, enter the domain name of the Open Directory Lion Server, and click OK.

To look up the domain name of the server, open Server Admin on the server or an administrator computer, select Open Directory in the Servers list, click Settings, then click General.

5. Enter the name and password of an LDAP directory administrator and click OK.

Set up Windows Vista or Windows 7 for domain login

You can enable domain login on a Windows Vista or Windows 7 computer by joining it to an Open Directory Lion Server. Joining the Windows domain requires the name and password of an LDAP directory administrator account.

You can delegate this task to someone with a local administrator account on the Windows computer. In this case, you might want to create a temporary LDAP directory administrator account with limited privileges.

Note: The Home editions of Windows Vista and Windows 7 can’t join a domain. You need Windows Vista Business or Ultimate, or Windows 7 Professional or Ultimate (the Enterprise editions can join a domain as well).

1. Log in to Windows Vista or Windows 7 using a local administrator account.

2. Open the Control Panel, then open System and Maintenance (Windows Vista) or System and Security (Windows 7).

3. Click System, then click Change Settings.

4. Click Computer Name, then click Change.

5. Enter a computer name, click Domain, enter the domain name of the Open Directory Lion Server, and click OK.

To look up the domain name of the server, open Server Admin on the server or an administrator computer, select Open Directory in the Servers list, click Settings, then click General.

6. Enter the name and password of an LDAP directory administrator and click OK.

Set up an Open Directory replica or relay

Using Server Admin, you can set up a Mac server to be a replica or relay of an Open Directory master so it can provide the same directory information and authentication information to other systems as the master.

The replica or relay server hosts a read-only copy of the master’s LDAP directory domain. The replica or relay server also hosts a read/write copy of the Open Directory Password Server database and the Kerberos Key Distribution Center (KDC).

A replica is considered to be a relay if it is a direct member of the Open Directory master and it has replicas.


Open Directory replicas or relays provide these benefits:

In a wide area network (WAN) of local area networks (LANs) interconnected by slow links, replicas on the LANs provide servers and client computers with fast access to user accounts and other directory information.

A replica provides redundancy. If the Open Directory master fails, computers connected to it switch to a nearby replica. This automatic failover behavior is a feature of Mac OS X and Mac OS X Server v10.4 or later.

Note: If your network has a mix of Mac OS X Server v10.6 and Lion Server, one version can’t be a replica of a master of the other version. An Open Directory master of Lion Server won’t replicate to Mac OS X Server v10.6, nor will an Open Directory master of Mac OS X Server v10.6 replicate to Lion Server.

When you set up an Open Directory replica, all directory and authentication data must be copied to it from the Open Directory master. Replication can take several seconds or several minutes, depending on the size of the directory domain. Replication over a slow network link can take a long time.

During replication, the master cannot provide directory or authentication services. You can’t use user accounts in the master LDAP directory to log in or authenticate for services until replication is finished.

To minimize the disruption of directory service, set up a replica before the master LDAP directory is fully populated or at a time of day when the directory service is not needed. Having another replica already set up insulates clients of the directory service from problems if the master becomes unavailable.

To make more than one server a replica of an Open Directory master, create the replicas one at a time. If you try to create two replicas simultaneously, one attempt succeeds and the other fails. A subsequent attempt to establish the second replica should succeed.

You can have up to 32 replicas of an Open Directory master. These direct members of the Open Directory master server are known as relays. Each relay can have up to 32 replicas of its own, giving you 1056 replicas in a two-tier hierarchy.

If you change a Mac server that was connected to another directory system to be an Open Directory replica, the server remains connected to the other directory system. The server searches for user records and other information in its shared LDAP directory domain before searching in other directory systems it is connected to.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click General.

5. Click Change.

The Open Directory Assistant opens.

6. Choose “Set up an Open Directory Replica,” then click Continue.

7. Enter the following requested information:

IP address or DNS name of Open Directory master: Enter the IP address or DNS name of the server that is the Open Directory master.

Root password on Open Directory master: Enter the password of the Open Directory master’s root user (the System Administrator account).

Domain administrator’s short name: Enter the name of an LDAP directory domain administrator account.

Domain administrator’s password: Enter the password of the administrator account whose name you entered.

8. Click Continue.

9. Confirm the Open Directory configuration settings, then click Continue.

10. Click Close.

11. Make sure the date, time, and time zone are correct on the replica and the master.

The replica and the master should use the same network time service so their clocks remain in sync.

After you set up an Open Directory replica, other computers will connect to it as needed.

Page 224: Lion Server_ Advanced Administration

Computers with v10.3 or v10.4 of Mac OS X or Mac OS X Server maintain a list of Open Directory replicas. If one of these computers can’t contact the Open Directory master for directory and authentication services, the computer connects to the nearest replica of the master.

You can configure Macs to connect to an Open Directory replica instead of the Open Directory master for directory and authentication services. On each Mac computer, you can use Users & Groups preferences to create an LDAPv3 configuration for accessing the replica’s LDAP directory.

The Open Directory master updates the replica. You can configure the master to update its replicas at a specific interval or whenever the master directory changes.

Open Directory failover

If an Open Directory master or its replicas become unavailable, client computers that use Mac OS X v10.5 or later find an available replica and connect to it.

Replicas only permit clients to read directory information. Directory information about a replica can’t be modified with administration tools such as Workgroup Manager.

Users whose password type is Open Directory can change their passwords on computers that are connected to Open Directory replicas. The replicas synchronize password changes with the master. If the master is unavailable for a while, the replicas synchronize password changes with the master when it becomes available again.

If the Open Directory master fails permanently and you have a current archive of its data, you can restore the data to a new master. Alternatively, you can promote a replica to be the master. For more information, see Restore an Open Directory master and Promote an Open Directory replica.

If you replace a failed master by promoting a replica to be the master, you can manually reconfigure each computer and server to connect to this new master or one of its replicas. You do this by using Account preferences (or Directory Utility for advanced connections) on each computer or server to create an LDAPv3 configuration that specifies how the computer accesses the new master or an available replica.

Set up a connection to a directory server

Using Server Admin, you can set up a Mac server to get user records and other directory information from another server’s shared directory domain. The other server also provides authentication for its directory information.

A Mac server still gets directory information from its own local directory domain and provides authentication for this local directory information.

Important: Changing a Mac server to be connected to another directory system instead of being an Open Directory master turns off its shared LDAP directory domain, with the following ramifications:

User records and other information in the shared directory domain are deleted.

If other servers were connected to the master directory domain, their services may be disrupted when user accounts and other information in the deactivated directory domain become unavailable.

Users who had accounts in the deactivated directory domain might not be able to access files and folders on the Open Directory master and on other servers that were connected to the master directory domain.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click General.

5. Click Change.


The Open Directory Assistant opens.

6. Choose “Connected to another directory,” then click Continue.

7. Confirm the configuration settings, then click Continue.

8. If the server was an Open Directory master and you are sure that users and services no longer need access to the directory data stored in the shared directory domain that the server has been hosting, click Done.

9. Click the Open Directory Utility button to configure access to directory systems.

10. If the server you’re configuring has access to a directory system that also hosts a Kerberos realm, you can join the server to the Kerberos realm.

To join the Kerberos realm, you need the name and password of a Kerberos administrator or a user who has been delegated the authority to join the realm. For more information, see Join a server to a Kerberos realm.

Set up a server as an Active Directory domain member

Using Server Admin and Users & Groups preferences (or Directory Utility for advanced connections), you can set up a Mac server to join an Active Directory domain hosted by a Windows 2000 or 2003 server.

A server that joins an Active Directory domain can provide file, print, and other services to users with accounts in the Active Directory domain.

The domain member server gets authentication services from Active Directory. The domain member server does not provideauthentication services to other domain member servers.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click General.

5. Click Change.

The Open Directory Assistant opens.

6. Choose “Connected to another directory,” then click Continue.

7. Confirm the Open Directory configuration settings, then click Continue.

8. Click Done.

9. To configure advanced settings for your Active Directory connection, click Open Directory Utility.

For more information about advanced connections to an Active Directory server, see Configure access to an Active Directory domain. Begin at step 4.

10. Open System Preferences and click Accounts.

11. In the lower left corner of System Preferences, click the lock and authenticate when prompted.

12. Click Login Options.

13. Click Directory Services.

14. Click the Add button (+).

15. From the “Add a new directory of type” pop-up menu, choose Active Directory, then enter the following:

Active Directory Domain: Specify the DNS name of the Active Directory server.

Computer ID: Optionally edit the ID you want Active Directory to use for your server. This is the server’s NetBIOS name. The name should contain no more than 15 characters, no special characters, and no punctuation.

If practical, make the server name match its unqualified DNS host name. For example, if your DNS server has an entry for your server as “server.example.com,” give your server the name “server.”


AD Administrator Username and Password: Enter the user name and password of a user that has authorization to add computers to Active Directory.

16. Click OK and then click Done.

17. Close System Preferences.

18. Open Server Admin and connect to the server.

19. Click the triangle at the left of the server.

The list of services appears.

20. From the expanded Servers list, select Open Directory.

21. Click Settings, then click General.

22. Click Join Kerberos to join the server to the Active Directory Kerberos realm.

23. Enter the following information:

Administrator Name: Enter the Kerberos server administrator’s user name.

Password: Enter the Kerberos server administrator password.

Realm Name: Enter the realm name of the Kerberos server.

DNS/Bonjour Name of KDC: Enter the DNS or Bonjour name of the Kerberos server.

24. Click OK.

25. From the Servers list, select SMB.

26. Click Settings, then click General.

27. Verify that the server is now a member of the Active Directory domain.

You can change the server’s optional description, which appears in the Network Places window on Windows computers.

After setting up an Active Directory domain member, you might want to change access restrictions, logging detail level, code page, domain browsing, or WINS registration. Then if Windows services aren’t running, you can start them.

Set up single sign-on Kerberos authentication

Setting up single sign-on Kerberos authentication involves these tasks:

Make DNS available on the network and configure it to resolve the fully qualified DNS name of the Open Directory master server (or other Kerberos server) to its IP address. Also, configure DNS to resolve the IP address to the server’s fully qualified DNS name.

Have an administrator set up a directory system to host a Kerberos realm. For more information about setting up a Mac server to host a Kerberos realm, see Setting up an Open Directory Kerberos realm.

Have a Kerberos administrator of an Open Directory master delegate the authority to join servers to the Open Directory master’s Kerberos realm. The administrator does not need delegated authority. A Kerberos administrator has implicit authority to join any server to the Kerberos realm. See Delegate authority to join an Open Directory Kerberos realm.

Have a Kerberos administrator or users with delegated authority join servers to the Kerberos realm, which then provides single sign-on Kerberos authentication for services provided by the servers that have joined. See Join a server to a Kerberos realm.

Set all computers using Kerberos to the correct date, time, and time zone, and configure them to use the same network time server. Kerberos depends on the clocks of all participating computers being in sync.

When you are configuring an Open Directory master, make sure DNS is correctly configured and running before you start Open Directory service for the first time. If DNS is not configured properly or is not running when you start Open Directory, Kerberos does not function properly.

When Open Directory is started for the first time, Kerberos uses DNS to generate configuration settings. If your DNS server is not available when Kerberos is initially started, its configurations are invalid and it does not work properly.


After Kerberos is running and has generated its configuration file, it no longer completely depends on DNS and changes to DNS do not affect Kerberos.

The individual services of Lion Server do not require configuration for single sign-on or Kerberos.

The following services are ready for single sign-on Kerberos authentication on every server with Lion Server that has joined or is an Open Directory master or replica:

Login window

Mail service

AFP

FTP

SMB (as a member of an Active Directory Kerberos realm)

iChat service

Print service

NFS

Xgrid service

VPN

Apache web service

LDAPv3 directory service (on an Open Directory master or replica).

Setting up an Open Directory Kerberos realm

You can provide single sign-on Kerberos authentication on your network by setting up an Open Directory master.

You can set up an Open Directory master during initial configuration that follows installation of Lion Server, but if you set up a Mac server to have a different Open Directory role, you can change its role to that of Open Directory master by using Server Admin.

For more information, see Set up an Open Directory master and Start Kerberos after setting up an Open Directory master.

A server that is an Open Directory master requires no other configuration to support single sign-on Kerberos authentication for Kerberized services that the server provides.

The server can also support single sign-on Kerberos authentication for Kerberized services of other servers on the network. The other servers must be set up to join the Open Directory Kerberos realm.

For more information, see Delegate authority to join an Open Directory Kerberos realm, and Join a server to a Kerberos realm.

Important: An Open Directory master requires DNS to be properly configured so it can provide Kerberos and single sign-on authentication. In addition:

DNS service must be configured to resolve the fully qualified DNS names of all servers (including the Open Directory master) to their IP addresses and to provide the corresponding reverse lookups. For more information about setting up DNS service, see Network Services Administration.

The Open Directory master server’s Network preferences must be configured to use the DNS server that resolves the server’s name. (If the Open Directory master server provides its own DNS service, its Network preferences must be configured to use itself as a DNS server.)

Join a server to a Kerberos realm

Using Server Admin, a Kerberos administrator or a user whose account has the properly delegated authority can join a Mac server to a Kerberos realm.

The server can join only one Kerberos realm. It can be an Open Directory Kerberos realm, an Active Directory Kerberos realm, or an existing realm based on MIT Kerberos.

To join an Open Directory Kerberos realm, you need a Kerberos administrator account or a user account with delegated Kerberos authority. For more information, see Delegate authority to join an Open Directory Kerberos realm.


1. Make sure the server you want to join to the Kerberos realm is configured to access the shared directory domain of the Kerberos server.

To confirm, open Directory Utility (located under Account preferences) on the server you want to join to the Kerberos realm, or connect to the server using Directory Utility on another computer. Click Search Policy, then click Authentication and make sure the Kerberos server’s directory domain is listed.

If it is not listed, see Directory server connections for instructions on configuring access to the directory.

2. Open Server Admin and connect to the server you want to join to the Kerberos realm.

3. Click the triangle at the left of the server.

The list of services appears.

4. From the expanded Servers list, select Open Directory.

5. Click Settings, then click General.

6. Confirm that the role is connected to a directory server, then click Join Kerberos and enter the following information:

For an Open Directory Kerberos realm or an Active Directory Kerberos realm, choose the realm from the pop-up menu and enter the name and password of a Kerberos administrator or a user with delegated Kerberos authority for the server.

For an MIT-based Kerberos realm, enter the name and password of a Kerberos administrator, the Kerberos realm name, and the DNS name of the Kerberos KDC server.

Start Kerberos after setting up an Open Directory master

If Kerberos doesn’t start when you set up an Open Directory master, you can use Server Admin to start it manually, but first you must fix the problem that prevented Kerberos from starting. Usually the problem is that DNS isn’t correctly configured or isn’t running.

Note: After you manually start Kerberos, users whose accounts have Open Directory passwords and were created in the Open Directory master’s LDAP directory while Kerberos was stopped might need to reset their passwords the next time they log in. A user account is therefore affected only if all recoverable authentication methods for Open Directory passwords were disabled while Kerberos was stopped.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Refresh (or choose View > Refresh) and verify the status of Kerberos as reported in the Overview pane.

If Kerberos is running, there’s nothing more to do.

5. Use Network Utility (in /Applications/Utilities/) to do a DNS lookup of the Open Directory master’s DNS name and a reverse lookup of the IP address.

If the server’s DNS name or IP address doesn’t resolve correctly:

In the Network pane of System Preferences, look at the TCP/IP settings for the server’s primary network interface (usually built-in Ethernet). Make sure the first DNS server listed is the one that resolves the Open Directory server’s name.

Check the configuration of DNS and make sure it’s running.

6. In Server Admin, select Open Directory for the master server, click Settings, then click General.

7. Click Kerberize, then enter the following information:

Administrator Name and Password: You must authenticate as an administrator of the Open Directory master’s LDAP directory.

Realm Name: This field is set to be the server’s DNS name converted to capital letters. This is the convention for naming a Kerberos realm. If necessary, enter a different name.
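The DNS prerequisites this page sets for Kerberos on an Open Directory master (forward lookup of the master’s name, the matching reverse lookup, and the first DNS server listed in Network preferences, as checked in step 5) plus the realm-name convention of step 7, as an added offline model in Python. This is not Apple’s tooling; the server addresses and zone records are constructed stand-ins for real DNS answers.

```python
"""Offline check of the DNS prerequisites for Kerberos on an Open Directory
master: the first DNS server in Network preferences must resolve the master's
fully qualified name, and the reverse lookup of that address must return the
same name. Added example, not Apple's tooling; the DNS servers and zone data
below are constructed stand-ins for real answers."""

from dataclasses import dataclass, field


@dataclass
class DnsServer:
    """A DNS server as the master sees it: its address and the records it answers."""
    address: str
    forward: dict = field(default_factory=dict)  # FQDN -> IP address
    reverse: dict = field(default_factory=dict)  # IP address -> FQDN


def kerberos_realm_name(fqdn):
    """The realm name Server Admin proposes: the DNS name in capital letters."""
    return fqdn.rstrip(".").upper()


def check_kerberos_dns(fqdn, resolver_order, servers):
    """Return a list of findings; an empty list means the prerequisites hold.

    resolver_order: DNS server addresses in the order Network preferences lists them.
    servers: address -> DnsServer (an address missing here models an unreachable server).
    """
    findings = []
    if not resolver_order:
        return ["Network preferences list no DNS server"]
    first = servers.get(resolver_order[0])
    if first is None:
        return [f"first DNS server {resolver_order[0]} does not answer"]
    ip = first.forward.get(fqdn)
    if ip is None:
        findings.append(f"first DNS server {first.address} does not resolve {fqdn}")
        # Report the misordering the page warns about: a later server knows the name.
        for addr in resolver_order[1:]:
            later = servers.get(addr)
            if later is not None and fqdn in later.forward:
                findings.append(f"{addr} resolves {fqdn} but is not listed first")
        return findings
    back = first.reverse.get(ip)
    if back is None:
        findings.append(f"no reverse lookup for {ip}")
    elif back.lower() != fqdn.lower():
        findings.append(f"reverse lookup of {ip} gives {back}, expected {fqdn}")
    return findings


MASTER = "odmaster.example.com"
# Constructed: the master hosts DNS for its own zone, so it must list itself first.
MASTER_DNS = DnsServer("10.0.1.5", forward={MASTER: "10.0.1.5"},
                       reverse={"10.0.1.5": MASTER})
# Constructed: an upstream resolver that knows nothing about the internal zone.
UPSTREAM_DNS = DnsServer("203.0.113.53")
# Constructed: a server whose reverse record was never updated after a rename.
STALE_DNS = DnsServer("10.0.1.6", forward={MASTER: "10.0.1.5"},
                      reverse={"10.0.1.5": "oldname.example.com"})
SERVERS = {s.address: s for s in (MASTER_DNS, UPSTREAM_DNS, STALE_DNS)}

if __name__ == "__main__":
    print(kerberos_realm_name(MASTER))
    print(check_kerberos_dns(MASTER, ["10.0.1.5", "203.0.113.53"], SERVERS))  # []
    print(check_kerberos_dns(MASTER, ["203.0.113.53", "10.0.1.5"], SERVERS))  # misordered
    print(check_kerberos_dns(MASTER, ["10.0.1.6"], SERVERS))                  # reverse mismatch
```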


Disable Kerberos after setting up an Open Directory master

If your Open Directory server is in an existing directory environment that has a Kerberos realm running and you want to join it or avoid having a realm conflict, you can disable the Kerberos realm that is created when you set up your Open Directory master. To disable a Kerberos realm on an Open Directory master server:

1. Open Terminal.

2. Enter the following command:

$ sudo sso_util remove -k -a username -p password -r NAME.OF.KERBEROSREALM

Replace username, password, and NAME.OF.KERBEROSREALM with the user name and password of the Open Directory administrator and the name of the Kerberos realm that was created when you configured your Open Directory master.

The Open Directory Overview pane of Server Admin should show the Kerberos service status as stopped.

Delegate authority to join an Open Directory Kerberos realm

Using Server Admin, you can delegate the authority to join a server to an Open Directory master server for single sign-on Kerberos authentication.

You can delegate authority to user accounts. The accounts you delegate authority to must have a password type of Open Directory and must reside in the LDAP directory of the Open Directory master server. The dependent server you are delegating authority for must use Mac OS X Server v10.3 or later.

Note: If an account with delegated Kerberos authority is deleted and recreated on the Open Directory master server, the new account does not have authority to join the dependent server to the Open Directory master’s Kerberos realm. If you want the recreated account to have delegated Kerberos authority, you must add a new Kerberos record for the recreated account.

A Kerberos administrator (that is, an Open Directory LDAP administrator) doesn’t need delegated authority to join dependent servers to the Open Directory Kerberos realm. A Kerberos administrator has implicit authority to join any server to the Kerberos realm.

1. In Workgroup Manager, create a computer group in the LDAP directory domain of the Open Directory master server, or select an existing computer group in this directory:

To select an existing computer group, click Accounts or choose View > Accounts, click the Computer Group button (above the accounts list), and select the computer group to use. If the LDAP server doesn’t have a computer group that you want to add the dependent server to, you can create one:

a. Click Accounts, then click the Computers button (above the accounts list).

b. Click the small globe icon above the list of accounts and use the pop-up menu to open the Open Directory master’s LDAP directory.

c. Click the lock and authenticate as an administrator of the LDAP directory.

d. Click the Computers Group button (above the accounts list), then click New Computer Group or choose Server > New Computer Group.

e. Enter a list name (for example, Kerberized Servers).

2. Click Members, then click the Add button (+) to open the computer drawer.

3. Drag computers and computer groups from the drawer to the members list.

4. Click Save to save changes to the computer group.

5. Click Preferences and make sure the computer group has no managed preference settings.

If any item in the array of preference categories has a small arrow next to its icon, the item has managed preference settings. To remove managed preferences from an item, click the item, select Not Managed, and click Apply Now. If the item has multiple panes, select Not Managed in each pane, then click Apply Now.


6. To delegate Kerberos authority to user accounts, create the accounts:

a. Make sure you are working in the LDAP directory of the Open Directory master server.

If necessary, click the small globe icon and use the pop-up menu to open this directory, then click the lock and authenticate as an administrator of this directory.

b. Click the Users button (on the left), then click New User or choose Server > New User.

c. Enter a name, short name, and password.

d. Make sure “User can access account” or “User may administer this server” are not selected.

You can change settings in other panes, but do not change the User Password Type setting in the Advanced pane. A user with delegated Kerberos authority must have an Open Directory password.

7. Click Save to save the new user account.

8. Open Server Admin and connect to the Open Directory master server.

9. Click the triangle at the left of the server.

The list of services appears.

10. From the expanded Servers list, select Open Directory.

11. Click Settings, then click General.

12. Confirm that the Role is Open Directory Master, then click Add Kerberos Record and enter the following information:

Administrator Name: Enter the name of an LDAP directory administrator on the Open Directory master server.

Administrator Password: Enter the password of the administrator account you entered.

Configuration Record Name: Enter the fully qualified DNS name.

Delegated Administrators: Enter a short or long name for each user account to which you want to delegate Kerberos authority for the specified server.

13. Click Add, then click Save to delegate Kerberos authority as specified.

To delegate authority for more than one dependent server, repeat this procedure for each one.

Open Directory search policies

Each Mac has a search policy, also commonly referred to as a search path, that specifies which directory domains Open Directory can access, such as the computer’s local directory domain and a particular shared directory.

The search policy also specifies the order in which Open Directory accesses directory domains. Open Directory searches each directory domain and stops searching when it finds a match. For example, Open Directory stops searching for a user record when it finds a record whose user name matches the name it’s looking for.

Search policy levels

A search policy can include only the local directory domain, the local directory domain and a shared directory, or the local directory domain and multiple shared directories.

On a network with a shared directory, several computers generally access the shared directory. This arrangement can be depicted as a tree-like structure with the shared directory at the top and local directories at the bottom.

Local directory domain search policy

The simplest search policy consists only of a computer’s local directory domain. In this case, Open Directory looks for user information and other administrative data only in the local directory domain of each computer.

If a server on the network hosts a shared directory, Open Directory does not look there for user information or administrative data because the shared directory is not part of the computer’s search policy.

The following illustration shows two computers on a network that only search their own local directory domain for administrative data.


Two-level search policies

If one server on the network hosts a shared directory, all computers on the network can include the shared directory in their search policies. In this case, Open Directory looks for user information and other administrative data first in the local directory domain. If Open Directory doesn’t find the information it needs in the local directory domain, it looks in the shared directory.

The following illustration shows two computers and a shared directory domain on a network. The computers are connected to the shared directory domain and have it in their search policy.

Here’s a scenario in which a two-level search policy might be used:

Each class (English, math, science) has its own computer. The students in each class are defined as users in the local domain of that class’s computer. All three of these local domains have the same shared domain, in which all instructors are defined.

Instructors, as members of the shared domain, can log in to all class computers. The students in each local domain can log in to only the computer where their local account resides.

Local domains reside on their respective computers but a shared domain resides on a server accessible from the local domain’s computer. When an instructor logs in to any of the three class computers and cannot be found in the local domain, Open Directory searches the shared domain.

In the following example, there is only one shared domain, but in more complex networks, there may be more shared domains.


Multilevel search policies

If more than one server on the network hosts a shared directory, the computers on the network can include two or more shared directories in their search policies.

As with simpler search policies, Open Directory looks for user information and other administrative data first in the local directory domain. If Open Directory does not find the information it needs in the local directory domain, it searches each shared directory in the sequence specified by the search policy.

Here’s a scenario in which more than one shared directory might be used:

Each class (English, math, science) has a server that hosts a shared directory domain. Each classroom computer’s search policy specifies the computer’s local domain, the class’s shared domain, and the school’s shared domain.

The students in each class are defined as users in the shared domain of that class’s server, so each student can log in to any computer in the class. Because the instructors are defined in the shared domain of the school server, they can log in to any classroom computer.

You can affect an entire network or a group of computers by choosing the domain in which to define administrative data. The higher the administrative data resides in a search policy, the fewer places it must be changed as users and system resources change.

Probably the most important aspect of directory services for administrators is planning directory domains and search policies. These should reflect the resources to share, the users to share them among, and the way you want to manage your directory data.

Automatic search policies

Mac computers can be configured to set search policies automatically. An automatic search policy consists of two parts, one of which is optional:

Local directory domain

Shared LDAP directory (optional)


A computer’s automatic search policy always begins with the computer’s local directory domain. If a Mac is not connected to a network, the computer searches its local directory domain for user accounts and other administrative data.

The automatic search policy then determines whether the computer is configured to connect to a shared local directory domain. The computer can be connected to a shared local directory domain, which can in turn be connected to another shared local directory domain, and so on.

A local directory domain connection, if any, constitutes the second part of the automatic search policy. For more information, see Inside a directory domain.

An automatic search policy offers convenience and flexibility, especially for mobile computers. If a computer with an automatic search policy is disconnected from the network, connected to a different network, or moved to a different subnet, the automatic search policy can change.

If the computer is disconnected from the network, it uses its local directory domain. If the computer is connected to a different network or subnet, it can change its local directory domain connection.

With an automatic search policy, a computer doesn’t need to be reconfigured to get directory and authentication services in its new location.

Custom search policies

For example, a custom search policy could specify that an Active Directory domain be searched before an Open Directory server’s shared directory domain. Users can configure their computer to log in using their user records from the Active Directory domain and have their preferences managed by group and computer records from the Open Directory domain.

A custom search policy generally does not work in multiple network locations or while not connected to a network because it relies on the availability of specific directory domains on the network.

If a portable computer is disconnected from its usual network, it no longer has access to the shared directory domains on its custom search policy. However, the disconnected computer still has access to its local directory domain because it is the first directory domain on every search policy.

The portable computer user can log in using a user record from the local directory domain, which can include mobile user accounts. These mirror user accounts from the shared directory domain that the portable computer accesses when it’s connected to its usual network.
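The search-policy behaviour described in this section (local domain first, shared domains in the order listed, first match wins, and a custom policy losing its shared domains when the computer is off its usual network), as an added Python model built on the classroom scenario above. This is not Apple’s code; the domain names, short names and UIDs are constructed.

```python
"""Model of Open Directory search policies: an ordered list of directory
domains, searched in order, stopping at the first record that matches.
Added example, not Apple's code; the domains and accounts are constructed
after the English/math/science classroom scenario."""


class DirectoryDomain:
    """A local or shared directory domain holding user records keyed by short name."""

    def __init__(self, name, users, shared=False):
        self.name = name
        self.users = users
        self.shared = shared


def find_user(search_policy, short_name, reachable_shared=None):
    """Walk the search policy in order and return (domain name, record) for the
    first match, or None. A shared domain is skipped when reachable_shared is
    given and does not contain it (a portable computer off its usual network);
    the local domain is first on every search policy and is always reachable."""
    for domain in search_policy:
        if domain.shared and reachable_shared is not None \
                and domain.name not in reachable_shared:
            continue
        if short_name in domain.users:
            return domain.name, domain.users[short_name]
    return None


# Constructed directory domains for the multilevel scenario in the text.
SCHOOL = DirectoryDomain("school.example.com",
                         {"rlee": {"uid": 1001, "role": "instructor"}}, shared=True)
ENGLISH = DirectoryDomain("english.example.com",
                          {"asmith": {"uid": 2001, "role": "student"}}, shared=True)
MATH = DirectoryDomain("math.example.com",
                       {"bjones": {"uid": 2002, "role": "student"}}, shared=True)
# Local domain of one English classroom Mac. It also defines "bjones", which
# wins over the math domain's record because the local domain is searched first.
ENGLISH_MAC_LOCAL = DirectoryDomain("local:english-mac",
                                    {"admin": {"uid": 501, "role": "local admin"},
                                     "bjones": {"uid": 502, "role": "local user"}})
MATH_MAC_LOCAL = DirectoryDomain("local:math-mac",
                                 {"admin": {"uid": 501, "role": "local admin"}})

# Multilevel policies: local domain, then the class domain, then the school domain.
ENGLISH_MAC_POLICY = [ENGLISH_MAC_LOCAL, ENGLISH, SCHOOL]
MATH_MAC_POLICY = [MATH_MAC_LOCAL, MATH, SCHOOL]


def who_can_log_in(short_name, policies, reachable_shared=None):
    """Return the sorted names of the Macs (keys of policies) where short_name resolves."""
    return sorted(mac for mac, policy in policies.items()
                  if find_user(policy, short_name, reachable_shared) is not None)


if __name__ == "__main__":
    macs = {"english-mac": ENGLISH_MAC_POLICY, "math-mac": MATH_MAC_POLICY}
    print("instructor rlee:", who_can_log_in("rlee", macs))     # both Macs
    print("student asmith:", who_can_log_in("asmith", macs))    # english-mac only
    print("bjones on english-mac:", find_user(ENGLISH_MAC_POLICY, "bjones"))  # local record wins
    print("rlee off the network:", find_user(MATH_MAC_POLICY, "rlee", reachable_shared=set()))
```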

Search policies for authentication and contacts

A Mac computer has a search policy for finding authentication information and it has a separate search policy for finding contact information:

Open Directory uses the authentication search policy to locate and retrieve user authentication information and other administrative data from directory domains.

Open Directory uses the contacts search policy to locate and retrieve name, address, and other contact information from directory domains. Address Book uses this contact information, and other applications can be programmed to use it as well.

Each search policy can be automatic, custom, or local directory domain only.

About password types

Each user account has a password type that determines how the user account is authenticated. In a local directory domain, the standard password type is shadow password.

For user accounts in the LDAP directory of Lion Server, the standard password type is Open Directory. User accounts in the LDAP directory can also have a password type of crypt password.

Authentication and authorization

Services such as the login window and Apple Filing Protocol (AFP) service request user authentication from Open Directory. Authentication is part of the process by which a service determines whether it should grant a user access to a resource. Usually this process also requires authorization.

Authentication proves a user’s identity, and authorization determines what the authenticated user is permitted to do. A user typically authenticates by providing a valid name and password. A service can then authorize the authenticated user to access specific resources. For example, file service authorizes full access to folders and files that an authenticated user owns.

About password types

Page 234: Lion Server_ Advanced Administration

You experience authentication and authorization when you use a credit card. The merchant authenticates you by comparing your signature on the sales slip to the signature on your credit card. Then the merchant submits your authorized credit card account number to the bank, which authorizes payment based on your account balance and credit limit.

Open Directory authenticates user accounts, and service access control lists (SACLs) authorize use of services. If Open Directory authenticates you, the SACL for login window determines whether you can log in, then the SACL for AFP service determines whether you can connect for file service, and so on.

Some services also determine whether a user is authorized to access specific resources. This authorization can require retrieving other user account information from the directory domain. For example, AFP service needs the user ID and group membership information to determine which folders and files the user is authorized to read from and write to.

Open Directory passwords

When a user’s account has a password type of Open Directory, the user can be authenticated by Kerberos or the Open Directory Password Server. Kerberos is a network authentication system that uses credentials issued by a trusted server. Open Directory Password Server supports the traditional password authentication methods that some clients of network services require.

Kerberos and Open Directory Password Server do not store the password in the user’s account. Instead, they store passwords in secure databases apart from the directory domain, and passwords can never be read. Passwords can only be set and verified.

Malicious users might attempt to log in over the network hoping to gain access to Kerberos and Open Directory Password Server. Open Directory logs can alert you to unsuccessful login attempts. (See View Open Directory status and logs.)

Open Directory passwords are required for domain login from a Windows workstation to a Mac server and can be used to authenticate for Windows file service. This type of password can be validated using many authentication methods, including NTLMv2 and NTLMv1. Open Directory passwords are stored in a secure database, not in user accounts.

User accounts in the following directory domains can have Open Directory passwords:

The LDAP directory of a Mac server

The local directory domain of a Mac server

Shadow passwords

Shadow passwords support similar authentication methods as Open Directory Password Server, depending on the hash types that are enabled.

A shadow password is stored as several hashes in the user account. The attribute that contains the password is protected so it can be read only by the root user account.

Only user accounts that are stored in a computer’s local directory domain can have a shadow password.

Crypt passwords

A crypt password is stored in a hash in the user account. This strategy, historically named basic authentication, is most compatible with software that must access user records directly.

Crypt authentication supports a maximum password length of eight bytes (eight ASCII characters). If a longer password is entered in a user account, only the first eight bytes are used for crypt password validation. Shadow passwords and Open Directory passwords are not subject to this length limit.

For secure transmission of passwords over a network, crypt supports the DHX authentication method.

Crypt passwords are not stored in clear text; they are concealed and made unreadable by encryption. A crypt password is encrypted by supplying the clear text password with a random number to a mathematical function, known as a one-way hash function. A one-way hash function always generates the same encrypted value from particular input but cannot be used to recreate the original password from the encrypted output it generates.

To validate a password using the encrypted value, Mac OS X Lion applies the function to the password entered by the user and compares it with the value stored in the user account or shadow file. If the values match, the password is considered valid.

Determine which authentication options to use

To authenticate a user, Open Directory must determine which authentication option to use—Kerberos, Open Directory Password Server, or shadow password. The user’s account contains information that specifies which authentication option to use. This information is named the authentication authority attribute.

Open Directory uses the name provided by the user to locate the user’s account in the directory domain. Then Open Directory consults the authentication authority attribute in the user’s account and learns which authentication option to use.

You can change a user’s authentication authority attribute by changing the password type in the Advanced pane of Workgroup Manager, as shown in the following table. For more information, see Change the password type to shadow password.

Password type: Open Directory
  Authentication authority: Open Directory Password Server and Kerberos (see note 1)
  Attribute in user record: either or both of
    ;ApplePasswordServer;
    ;Kerberosv5;

Password type: Shadow password
  Authentication authority: Password file for each user, readable only by the root user account
  Attribute in user record: either
    ;ShadowHash;
    ;ShadowHash;HASHLIST:<list of hash types>

Password type: Crypt password
  Authentication authority: Encoded password in user record
  Attribute in user record: either
    ;basic;
    no attribute at all

1. You enable single sign-on Kerberos authentication for a user account in an LDAP directory of Lion Server by setting the account’s password type to Open Directory in the Advanced pane of Workgroup Manager.

If the attribute in the user record is ;ShadowHash; without a list of enabled authentication methods, default authentication methods are enabled. The list of default authentication methods is different for Mac OS X Lion.

The authentication authority attribute can specify multiple authentication options. For example, a user account with an Open Directory password type normally has an authentication authority attribute that specifies both Kerberos and Open Directory Password Server.

A user account doesn’t need to include an authentication authority attribute. If a user’s account contains no authentication authority attribute, a Mac server assumes a crypt password is stored in the user’s account.

Offline attacks on passwords

Because crypt passwords are stored in user accounts, they are potentially subject to attack.

User accounts in a shared directory domain are accessible on the network. Anyone on the network who has Workgroup Manager or knows how to use command-line tools can read the contents of user accounts, including crypt passwords stored in them.

Open Directory passwords and shadow passwords aren’t stored in user accounts, so these passwords can’t be read from directory domains.

A malicious attacker, or cracker, could use Workgroup Manager or UNIX commands to copy user records to a file. The cracker can then transport this file to a system and use various techniques to decode crypt passwords stored in user records. After decoding a crypt password, the cracker can log in unnoticed with a legitimate user name and crypt password.

This form of attack is known as an offline attack because it does not require successive login attempts to gain access to a system.

An effective way to thwart password cracking is to use good passwords and avoid using crypt passwords. A password should contain letters, numbers, and symbols in combinations that can’t be easily guessed by unauthorized users.

Good passwords should not consist of actual words. They can include digits and symbols (such as # or $), or they can consist of the first letter of all words in a phrase. Use both uppercase and lowercase letters.

Shadow passwords and Open Directory passwords are far less susceptible to offline attack because they are not stored in user records.

Shadow passwords are stored in separate files that can be read only by someone who knows the password of the root user account (also known as the system administrator).

Open Directory passwords are stored securely in the Kerberos KDC and in the Open Directory Password Server database. A user’s Open Directory password can’t be read by other users, not even by a user with administrator rights for Open Directory authentication. (This administrator can change only Open Directory passwords and password policies.)

Crypt passwords are not considered secure. They should be used only for user accounts that must be compatible with UNIX clients that require them. Being stored in user accounts, they’re too accessible and therefore subject to offline attack. Although stored in an encoded form, they’re relatively easy to decode.
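The authentication authority table above and the offline-attack guidance that follows it together suggest a small audit: parse each record’s authentication authority values into a password type and enabled hash list, then flag the accounts that still rely on crypt passwords. The following Python is an added example and not code from the guide or from Lion Server; it treats everything after an authority tag as opaque, and the data after each tag and the hash-type names in the sample records are constructed placeholders.

```python
import re

# Tags documented for the authentication authority attribute. The fields that
# follow a tag (Password Server address, Kerberos principal, ...) are not parsed.
_OPEN_DIRECTORY_TAGS = {"ApplePasswordServer", "Kerberosv5"}
_HASHLIST = re.compile(r"HASHLIST:<([^>]*)>")


def parse_authority(values):
    """Return (password_type, tags, hash_list) for one user record.

    values: the record's authentication authority values, e.g. [";Kerberosv5;..."];
    an empty list means the attribute is absent. hash_list is None when ;ShadowHash;
    carries no HASHLIST, i.e. the default authentication methods apply.
    """
    if not values:
        return "Crypt password", [], None     # no attribute: a crypt password is assumed
    tags, hash_list = [], None
    for value in values:
        tag = value.strip(";").split(";")[0]  # ";Kerberosv5;;user@REALM;REALM;" -> "Kerberosv5"
        tags.append(tag)
        if tag == "ShadowHash":
            match = _HASHLIST.search(value)
            hash_list = [h for h in match.group(1).split(",") if h] if match else None
    if _OPEN_DIRECTORY_TAGS & set(tags):
        return "Open Directory", tags, None
    if "ShadowHash" in tags:
        return "Shadow password", tags, hash_list
    if "basic" in tags:
        return "Crypt password", tags, None
    raise ValueError(f"unrecognised authentication authority: {values!r}")


def audit_accounts(accounts):
    """Flag records whose password is readable from a shared directory (crypt) and
    Open Directory records that list no Kerberos authority, so cannot use Kerberos."""
    findings = []
    for name, values in accounts.items():
        ptype, tags, _ = parse_authority(values)
        if ptype == "Crypt password":
            findings.append((name, "crypt password stored in the user record; subject to offline attack"))
        elif ptype == "Open Directory" and "Kerberosv5" not in tags:
            findings.append((name, "no ;Kerberosv5; authority; Kerberos single sign-on unavailable"))
    return findings


if __name__ == "__main__":
    # Constructed sample records; data after each tag and hash-type names are placeholders.
    sample = {
        "alice": [";ApplePasswordServer;PLACEHOLDER",
                  ";Kerberosv5;;alice@MYREALM.EXAMPLE.COM;MYREALM.EXAMPLE.COM;"],
        "bob": [";ShadowHash;HASHLIST:<HASH-TYPE-A,HASH-TYPE-B>"],
        "carol": [";ShadowHash;"],
        "dave": [";basic;"],
        "erin": [],
    }
    for name, values in sample.items():
        print(name, parse_authority(values))
    for finding in audit_accounts(sample):
        print("FINDING:", *finding)
```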

Single sign-on authentication

Lion Server uses Kerberos for single sign-on authentication, which relieves users from entering a name and password separately for every service. With single sign-on, a user always enters a name and password in the login window. Thereafter, the user does not need to enter a name and password for AFP service, mail service, or other services that use Kerberos authentication.

To take advantage of single sign-on, users and services must be Kerberized—configured for Kerberos authentication—and use the same Kerberos KDC server.

User accounts that reside in an LDAP directory of a Mac server and have a password type of Open Directory use the server’s built-in KDC. These user accounts are configured for Kerberos and single sign-on. The server’s Kerberized services use the server’s built-in KDC and are configured for single sign-on.

This Mac server KDC can also authenticate users for services provided by other servers. Having more servers with Lion Server use the Mac server KDC requires only minimal configuration.

Kerberos authentication

Kerberos was developed at MIT to provide secure authentication and communication over open networks like the Internet. It’s named for the three-headed dog that guarded the entrance to the underworld of Greek mythology.

Kerberos provides proof of identity for two parties. It enables you to prove who you are to network services you want to use. It also proves to your applications that network services are genuine, not spoofed.

Like other authentication systems, Kerberos does not provide authorization. Each network service determines what you are permitted to do based on your proven identity.

Kerberos permits a client and a server to identify each other much more securely than typical challenge-response password authentication methods. Kerberos also provides a single sign-on environment where users authenticate only once a day, week, or other period of time, thereby easing authentication frequency.

Lion Server offers integrated Kerberos support that virtually anyone can deploy. In fact, Kerberos deployment is so automatic that users and administrators may not realize it’s deployed.

Mac OS X v10.3 and later use Kerberos when someone logs in using an account set for Open Directory authentication. It is the default setting for user accounts in the Mac server LDAP directory. Other services provided by the LDAP directory server, such as AFP and mail service, also use Kerberos automatically.

If your network has other servers with Lion Server, joining them to the Kerberos server is easy, and most of their services use Kerberos automatically.

Alternatively, if your network has a Kerberos system such as Microsoft Active Directory, you can set up your Mac server and Macs to use it for authentication.

Lion Server and Mac OS X v10.3 or later support Kerberos v5. Lion Server and Mac OS X v10.6 or later do not support Kerberos v4.

The Internet is inherently insecure, yet few authentication protocols provide real security. Malicious hackers can use readily available software tools to intercept passwords being sent over a network.

Many applications send passwords unencrypted, and these are ready to use as soon as they’re intercepted. Even encrypted passwords are not completely safe. Given enough time and computing power, encrypted passwords can be cracked.

To isolate passwords on your private network you can use a firewall, but this does not solve all problems. For example, a firewall does not provide security against disgruntled or malicious insiders.

Kerberos was designed to solve network security problems. It never transmits the user’s password across the network, nor does it save the password in the user’s computer memory or on disk. Therefore, even if the Kerberos credentials are cracked or compromised, the attacker does not learn the original password, so he or she can potentially compromise only a small portion of the network.

In addition to superior password management, Kerberos is also mutually authenticated. The client authenticates to the service, and the service authenticates to the client. A man-in-the-middle or spoofing attack is impossible when you are using Kerberized services, and that means users can trust the services they are accessing.

Kerberos is available on every major platform, including Mac OS X Lion, Windows, Linux, and other UNIX variants.

Moving beyond passwords

Network authentication is difficult: to deploy a network authentication method, the client and server must agree on the authentication method. Although it is possible for client/server processes to agree on a custom authentication method, getting pervasive adoption across a suite of network protocols, platforms, and clients is virtually impossible.

For example, suppose you want to deploy smart cards as a network authentication method. Without Kerberos, you must change every client/server protocol to support the new method. The list of protocols includes SMTP, POP, IMAP, AFP, SMB, HTTP, FTP, IPP, SSH, QuickTime Streaming, DNS, LDAP, local directory domain, RPC, NFS, AFS, WebDAV, and LPR, and goes on and on.

Considering all the software that does network authentication, deploying a new authentication method across the entire suite of network protocols would be a daunting task. Although this might be feasible for software from one vendor, you’d be unlikely to get all vendors to change their client software to use your new method. Further, you’d probably also want your authentication to work on multiple platforms (such as Mac OS X Lion, Windows, and UNIX).

Due to the design of Kerberos, a client/server binary protocol that supports Kerberos doesn’t even know how the user proves identity. Therefore you only need to change the Kerberos client and the Kerberos server to accept a new proof of identity such as a smart card. As a result, your entire Kerberos network has now adopted the new proof-of-identity method, without deploying new versions of client and server software.

Kerberos provides a central authentication authority for the network. All Kerberos-enabled services and clients use this central authority. Administrators can centrally audit and control authentication policies and operations.

Kerberos can authenticate users for the following services of a Mac server:

Login window

Mail service

AFP file service

FTP file service

SMB file service (as a member of an Active Directory Kerberos realm)

VPN service

Apache web service

LDAP directory service

iChat service

Print service

NFS file service

Xgrid service

These services have been Kerberized whether they are running or not. Only services that are Kerberized can use Kerberos to authenticate a user. Lion Server includes command-line tools for Kerberizing other services that are compatible with MIT-based Kerberos.

Breaking the barriers to Kerberos deployment

Until recently Kerberos was a technology for universities and government sites. It wasn’t more widely deployed because adoption barriers needed to be taken down.

Mac OS X Lion and Mac OS X Server v10.3 or later eliminate the following historical barriers to adoption of Kerberos:

An administrator had to set up a Kerberos KDC. This was difficult to deploy and administer.

There was no standard integration with a directory system. Kerberos only does authentication. It doesn’t store user account data such as user ID (UID), home folder location, or group membership. The administrator had to determine how to integrate Kerberos with a directory system.

Servers had to be registered with the Kerberos KDC. This added an extra step to the server setup process.

After setting up a Kerberos server, the administrator had to visit all client computers and configure each one to use Kerberos. This was time consuming and required editing configuration files and using command-line tools.

You needed a suite of Kerberized applications (server and client software). Some of the basics were available but porting them and adapting them to work with your environment was difficult.

Not all network protocols used for client-server authentication are Kerberos-enabled. Some network protocols still require traditional challenge-response authentication methods and there is no standard way to integrate Kerberos with these legacy network authentication methods.

The Kerberos client supports failover, so if one KDC is offline it can use a replica, but the administrator had to figure out how to set up a Kerberos replica.

Administration tools were never integrated. Tools for creating and editing user accounts in the directory domain didn’t know anything about Kerberos, and the Kerberos tools knew nothing about user accounts in directories. Setting up a user record was a site-specific operation based on how the KDC was integrated with the directory system.

Single sign-on experience

Kerberos is a credential or ticket-based system. The user logs in once to the Kerberos system and is issued a ticket with a life span. During the life span of this ticket the user doesn’t need to authenticate again to access a Kerberized service.

The user’s Kerberized client software, such as the Mail application, presents a valid Kerberos ticket to authenticate the user for a Kerberized service. This provides a single sign-on experience.

A Kerberos ticket is like a press pass to a jazz festival held at multiple nightclubs over a three-day weekend. You prove your identity once to get the pass. Until the pass expires, you can show it at any nightclub to get a ticket for a performance. All participating nightclubs accept your pass without seeing your proof of identity again.

Configure services for Kerberos after upgrading

After upgrading to Lion Server, you may need to configure some services to use single sign-on Kerberos authentication. These services either weren’t configured to use Kerberos or weren’t included with the earlier version of Mac OS X Server.

If this condition exists, a message about it appears when you connect to the server in Server Admin. The message appears in the Overview pane when you select the server (not a service) in the Servers list.

1. Open Server Admin and connect to the upgraded server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click General.

5. Click Kerberize Services, then enter the name and password of an LDAP directory administrator account.

Services that were already configured to use Kerberos are not affected.

Kerberos principal and realm

Kerberized services are configured to authenticate principals who are known to a Kerberos realm. You can think of a realm as a Kerberos database or authentication domain that contains validation data for users, services, and sometimes servers, which are all known as principals.

For example, a realm contains principals’ secret keys, which are the result of a one-way function applied to passwords.

Service principals are generally based on randomly generated secrets rather than passwords.

Here are examples of realm and principal names. Realm names are capitalized by convention to distinguish them from DNS domain names:

Realm: MYREALM.EXAMPLE.COM

User principal: [email protected]

Service principal: afpserver/[email protected]

There are several phases to Kerberos authentication. In the first phase, the client obtains credentials to be used to request access to Kerberized services. In the second phase, the client requests authentication for a specific service. In the final phase, the client presents those credentials to the service.

The following illustration summarizes these activities. The service and the client can be the same entity (such as the login window) or two entities (such as a mail client and the mail server).

Kerberos authentication process

1. The client authenticates to a Kerberos KDC, which interacts with realms to access authentication data.

This is the only step in which passwords and associated password policy information are checked.

2. The KDC issues a ticket-granting ticket to the client.

The ticket is the credential needed when the client wants to use Kerberized services and is good for a configurable period of time, but it can be revoked before expiration. It is cached on the client until it expires.

3. The client contacts the KDC with the ticket-granting ticket when it wants to use a Kerberized service.

4. The KDC issues a ticket for that service.

5. The client presents the ticket to the service.

6. The service authenticates the client by verifying that the ticket is valid.

After authenticating the client, the service determines if the client is authorized to use the service.

Kerberos only authenticates clients; it does not authorize them to use services. For example, many services use the Mac server’s service access control lists (SACLs) to determine whether a client is authorized to use the service.

Kerberos never sends a password or password policy information to a service. After a ticket-granting ticket is obtained, no password information is provided.

Time is very important with Kerberos. If the client and the KDC are out of sync by more than a few minutes, the client fails to achieve authentication with the KDC. The date, time, and time zone information must be correct on the KDC server and clients, and the server and clients should all use the same network time service to keep their clocks in sync.

For more information about Kerberos, go to the MIT Kerberos website at web.mit.edu/kerberos/www/index.html.
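To make the six steps above concrete, here is an added Python simulation of the exchange; it is not code from the guide or from Lion Server. It assumes a toy cipher (SHA-256 keystream plus HMAC) in place of real Kerberos encryption types, PBKDF2 as the one-way function that turns a password into a principal key, a 300-second clock-skew limit, a service host name of server.example.com, and the realm and principal naming shown earlier; Kerberos pre-authentication and the service-to-client half of mutual authentication are not modelled.

```python
import hashlib
import hmac
import json
import os
import secrets

MAX_SKEW = 300              # seconds; a client "out of sync by more than a few minutes" is refused
TICKET_LIFETIME = 8 * 3600  # configurable life span of a ticket-granting ticket, in seconds


def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, obj):
    # Toy encrypt-then-MAC (stand-in for a real Kerberos encryption type): nonce || ciphertext || tag
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def derive_key(password, realm):
    # A principal's secret key is a one-way function of the password; the KDC keeps the key, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 20000)


def check_authenticator(session_key, authenticator, ticket, now):
    # Shared by the KDC (ticket-granting tickets) and by services (service tickets).
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    auth = unseal(session_key, authenticator)
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["time"]) > MAX_SKEW:
        raise ValueError("clock skew too large; check the network time service")


class KDC:
    def __init__(self, realm):
        self.realm, self.keys, self.revoked = realm, {}, set()
        self.tgs_key = secrets.token_bytes(32)  # protects ticket-granting tickets

    def add_user(self, short_name, password):
        self.keys[f"{short_name}@{self.realm}"] = derive_key(password, self.realm)

    def add_service(self, principal):  # service principals use random secrets, not passwords
        self.keys[principal] = secrets.token_bytes(32)
        return self.keys[principal]

    def as_exchange(self, user, now):
        # Steps 1-2: only the holder of the password-derived key can read the reply (no pre-authentication here)
        session, expires = secrets.token_bytes(32), now + TICKET_LIFETIME
        tgt = seal(self.tgs_key, {"client": user, "key": session.hex(), "expires": expires})
        return seal(self.keys[user], {"key": session.hex(), "expires": expires}), tgt

    def tgs_exchange(self, tgt, authenticator, service, now):
        # Steps 3-4: a valid TGT plus a fresh authenticator buys a ticket for one service; no password involved.
        t = unseal(self.tgs_key, tgt)
        check_authenticator(bytes.fromhex(t["key"]), authenticator, t, now)
        if t["client"] in self.revoked:
            raise ValueError("ticket-granting ticket revoked before expiration")
        svc_session = secrets.token_bytes(32)
        ticket = seal(self.keys[service], dict(t, service=service, key=svc_session.hex()))
        return seal(bytes.fromhex(t["key"]), {"key": svc_session.hex()}), ticket


class Service:
    def __init__(self, principal, key, sacl):
        self.principal, self.key, self.sacl = principal, key, set(sacl)

    def accept(self, ticket, authenticator, now):
        # Steps 5-6: Kerberos proves who the client is; the SACL decides whether it may use the service.
        t = unseal(self.key, ticket)
        check_authenticator(bytes.fromhex(t["key"]), authenticator, t, now)
        if t["client"] not in self.sacl:
            raise PermissionError(f"{t['client']} authenticated but not authorized by the SACL")
        return t["client"]


class Client:
    def __init__(self, short_name, password, kdc, clock_offset=0):
        self.user, self.kdc, self.clock_offset = f"{short_name}@{kdc.realm}", kdc, clock_offset
        self.key, self.session, self.tgt, self.tickets = derive_key(password, kdc.realm), None, None, {}

    def login(self, now):  # steps 1-2; the password never leaves this object
        reply, self.tgt = self.kdc.as_exchange(self.user, now)
        self.session = bytes.fromhex(unseal(self.key, reply)["key"])

    def get_ticket(self, principal, now):  # steps 3-4; 'now' is true time, the client stamps its own clock
        auth = seal(self.session, {"client": self.user, "time": now + self.clock_offset})
        reply, ticket = self.kdc.tgs_exchange(self.tgt, auth, principal, now)
        self.tickets[principal] = (bytes.fromhex(unseal(self.session, reply)["key"]), ticket)

    def authenticate_to(self, service, now):  # steps 5-6
        key, ticket = self.tickets[service.principal]
        auth = seal(key, {"client": self.user, "time": now + self.clock_offset})
        return service.accept(ticket, auth, now)
```

A client whose clock is off by more than MAX_SKEW, a ticket past its lifetime, a revoked ticket-granting ticket and a wrong password all fail before any service is reached, while a user outside the SACL is authenticated but still refused.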

About Open Directory password server and shadow password authentication methods

For compatibility with various services, Lion Server can use several authentication methods to validate Open Directory passwords and shadow passwords.

For Open Directory passwords, Lion Server uses the standard Simple Authentication and Security Layer (SASL) mechanism to negotiate an authentication method between a client and a service.

For shadow passwords, the use of SASL depends on the network protocol. The following authentication methods are supported:

Method              Network security                     Storage security   Uses
APOP                Encrypted, with clear text fallback  Clear text         POP mail service
CRAM-MD5            Encrypted, with clear text fallback  Encrypted          IMAP mail service, LDAP service
DHX                 Encrypted                            Encrypted          AFP file service, Open Directory administration
Digest-MD5          Encrypted                            Encrypted          Login window, mail service
MS-CHAPv2           Encrypted                            Encrypted          VPN service
NTLMv1 and NTLMv2   Encrypted                            Encrypted          SMB services (Windows NT/98 or later)
WebDAV-Digest       Encrypted                            Clear text         WebDAV file service (iDisk)

Open Directory supports many authentication methods because each service that requires authentication uses some methods but not others. For example, AFP service uses one set of authentication methods, web services use another set of methods, mail service uses another set, and so on.

Some authentication methods are more secure than others. The more secure methods use stronger algorithms to encode the information they transmit between client and server. The more secure authentication methods also store hashes, which can’t easily be recovered from the server. Less secure methods store a recoverable, clear-text password.

Open Directory does not provide a mechanism for reading or retrieving a user’s existing password, but an administrator can use Workgroup Manager to set a user’s password.

If you connect Mac OS X Server v10.4 or later to a directory domain of Mac OS X Server v10.3 or earlier, users defined in the older directory domain cannot be authenticated with the NTLMv2 method. This method may be required to securely authenticate some Windows users for the Windows services of Mac OS X Server v10.4 or later.

Open Directory Password Server in Mac OS X Server v10.4 or later supports NTLMv2 authentication, but Password Server in Mac OS X Server v10.3 or earlier does not support NTLMv2.

If you connect Mac OS X Server v10.3 or later to a directory domain of Mac OS X Server v10.2 or earlier, users defined in the older directory domain cannot be authenticated with the MS-CHAPv2 method. This method may be required to securely authenticate users for the VPN service of Mac OS X Server v10.3 or later.

Open Directory Password Server in Mac OS X Server v10.3 or later supports MS-CHAPv2 authentication, but Password Server in Mac OS X Server v10.2 does not support MS-CHAPv2.

Disable Open Directory authentication methods

To make Open Directory password storage on the server more secure, you can selectively disable authentication methods.

For example, if no clients are going to use Windows services, you can disable the NTLMv1, NTLMv2, and LAN Manager authentication methods to prevent storing passwords on the server using these methods. Then someone who gains unauthorized access to the server’s password database can’t exploit weaknesses in these authentication methods to crack passwords.

Important: If you disable an authentication method, its hash is removed from the password database the next time the user authenticates. If you enable an authentication method that was disabled, every Open Directory password must be reset to add the newly enabled method’s hash to the password database. Users can reset their own passwords, or a directory administrator can do it.

Disabling an authentication method makes the Open Directory Password Server database more secure if an unauthorized user gains physical access to an Open Directory server (master or replica) or to media containing a backup of the Open Directory master.

Someone who gains access to the password database can try to crack a user’s password by attacking the hash or recoverable text stored in the password database by any authentication method. Nothing is stored in the password database by a disabled authentication method, leaving one less avenue of attack open to a cracker who has physical access to the Open Directory server or a backup of it.

Some hashes stored in the password database are easier to crack than others. Recoverable authentication methods store clear (plainly readable) text. Disabling authentication methods that store clear text or weaker hashes increases password database security more than disabling methods that store stronger hashes.

If you believe your Open Directory master, replicas, and backups are secure, select all authentication methods. If you’re concerned about the physical security of any Open Directory server or its backup media, disable some methods.

Note: Disabling authentication methods does not increase the security of passwords while they are transmitted over the network. Only password database security is affected. In fact, disabling some authentication methods might require clients to configure their software to send passwords over the network in clear text, thereby compromising password security in a different way.

Disable shadow password authentication methods

You can selectively disable authentication methods to make passwords stored in shadow password files more secure. For example, if a user doesn’t use mail service or web services, you can disable the WebDAV-Digest and APOP methods for the user. Then someone who gains access to the shadow password files on a server can’t recover the user’s password.

Important: If you disable a shadow password authentication method, its hash is removed from a user’s shadow password file the next time the user authenticates. If you enable an authentication method that was disabled, the newly enabled method’s hash is added to the user’s shadow password file the next time the user authenticates for a service that can use a clear-text password, such as a login window or AFP. Alternatively, you can reset the user’s password to add the newly enabled method’s hash. The user can reset the password, or a directory administrator can do it.

Disabling an authentication method makes the shadow password more secure if a malicious user gains physical access to a server’s shadow password files or to media containing a backup of the shadow password files. Someone who gains access to the password files can try to crack a user’s password by attacking the hash or recoverable text stored by any authentication method.

Nothing is stored by a disabled authentication method, leaving one less avenue of attack open to a cracker who has physical access to a server’s shadow password files or a backup of them.

Hashes stored by some authentication methods are easier to crack than others. With recoverable authentication methods, original clear-text passwords can be reconstructed from what is stored in the file. Disabling the authentication methods that store recoverable or weaker hashes increases shadow password file security more than disabling methods that store stronger hashes.

If you believe a server’s shadow password files and backups are secure, select all authentication methods. If you’re concerned about the physical security of the server or its backup media, disable unused methods.

Note: Disabling authentication methods does not increase the security of passwords while they are transmitted over the network. Only password storage security is affected. Disabling some authentication methods might require clients to configure their software to send passwords over the network in clear text, thereby compromising password security in a different way.

Contents of the Open Directory password server database

Open Directory Password Server maintains an authentication database separate from the directory domain. Open Directory tightly restricts access to the authentication database.

Open Directory Password Server stores the following information in its authentication database for each user account that has a password type of Open Directory:

The user’s password ID, a 128-bit value assigned when the password is created. It is also stored in the user’s record in the directory domain and is used as a key for finding a user’s record in the Open Directory Password Server database.

The password, stored in recoverable (clear text) or hashed (encrypted) forms. The form depends on the authentication method.

A recoverable password is stored for the APOP and WebDAV authentication methods. For all other methods, the record stores a hashed (encrypted) password. If no authentication method requiring a clear-text password is enabled, the Open Directory authentication database stores only hashes of passwords.

The user’s short name, for use in log messages viewable in Server Admin.

Password policy data.

Time stamps and other usage information, such as last login time, last failed validation time, count of failed validations, and replication information.

LDAP bind authentication

For user accounts that reside in an LDAP directory on a non-Apple server, Open Directory attempts to use LDAP bind authentication. Open Directory sends the LDAP directory server the name and password supplied by the authenticating user. If the LDAP server finds a matching user record and password, authentication succeeds.

If the LDAP directory service and the client computer’s connection to it are configured to send clear text passwords over the network, LDAP bind authentication can be insecure.

Open Directory tries to use a secure authentication method with the LDAP directory. If the directory doesn’t support secure LDAP bind and the client’s LDAPv3 connection permits sending a clear-text password, Open Directory reverts to simple LDAP bind.

To prevent clear-text authentication, make sure your LDAP servers don’t accept clear-text passwords.

In this case, you can secure simple LDAP bind authentication by setting up access to the LDAP directory through the Secure Sockets Layer (SSL) protocol. SSL makes access secure by encrypting all communications with the LDAP directory.

For more information, see Change the security policy for an LDAP connection and Change the connection settings for an LDAP or Open Directory server.

Lion Server user management ► Open Directory services ► Authentication ► Select authentication methods for Open Directory passwords


Using Server Admin, you can select authentication methods for user accounts whose password type is Open Directory. The Open Directory Password Server supports available authentication methods for compatibility with client software.

If users never use client software that requires a specific authentication method, disable the method. For more information, see About Open Directory password server and shadow password authentication methods.

If you disable an authentication method, its hash is removed from the password database the next time the user authenticates. If you enable an authentication method that was disabled, you must reset every Open Directory password to add the enabled method’s hash to the password database. The user can reset the password, or a directory administrator can do it.

To enable or disable authentication methods for user accounts whose password type is Shadow Password, see Select authentication methods for shadow password users.

1. Open Server Admin and connect to an Open Directory master server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click Policies.

5. Click Authentication, select the authentication methods you want enabled, and deselect the authentication methods you want disabled.

6. Click Save.

Replicas of the Open Directory master inherit the authentication method settings for Open Directory passwords in the LDAP directory.

You can also use pwpolicy to enable and disable authentication methods for a user with an Open Directory password. For more information about pwpolicy, see its man page.

Lion Server user management ► Open Directory services ► Authentication ► Select authentication methods for shadow password users

Using Workgroup Manager, you can select authentication methods for a user account whose password type is Shadow Password.

A shadow password supports available authentication methods for compatibility with client software. If you know the user will never use client software that requires an authentication method, disable the method. For more information, see About Open Directory password server and shadow password authentication methods.

If you disable an authentication method, its hash is removed from the user’s shadow password file the next time the user authenticates.

If you enable an authentication method that was disabled, the enabled method’s hash is added to the user’s shadow password file the next time the user authenticates for a service that can use a clear-text password, such as a login window or AFP.

Alternatively, the user’s password can be reset to add the newly enabled method’s hash. The user can reset the password, or a directory administrator can do it.

To enable or disable authentication methods for user accounts whose password type is Open Directory, see Select authentication methods for Open Directory passwords.

1. In Workgroup Manager, open the account you want to work with (if it is not open).

To open an account, click the Accounts button, then click the Users button. Click the small globe icon above the list of users and choose from the pop-up menu to open the local directory domain where the user’s account resides.

Click the lock and authenticate as a directory domain administrator, then select the user in the list.

2. Click Advanced, then click Security.

Select authentication methods for Open Directory passwords

Select authentication methods for shadow password users


You can click Security only if the password type is Shadow Password.

3. Select the authentication methods you want enabled, deselect the authentication methods you want disabled, then click OK.

4. Click Save.

You can also use pwpolicy to enable and disable authentication methods for a user with a shadow password. For more information about pwpolicy, see its man page.

Lion Server user management ► Open Directory services ► Manage user authentication ► Change a user's password

You can use Workgroup Manager to change the password of a user account defined in any directory domain you have read/write access to. For example, you can change the password of a user account in the LDAP directory of an Open Directory master.

Important: If you change the password of a user account that’s used to authenticate a computer’s LDAP directory connection, you must make the same change to the affected computer’s LDAP connection settings or configure the LDAP directory and all connections to it to use trusted binding.

For more information, see Change the password used for authenticating an LDAP connection, Set a binding policy for an Open Directory server, and Stop trusted binding with an LDAP directory.

1. Open Workgroup Manager (located in /Applications/Server/), click the Accounts button, and then click the Users button.

2. Open the directory domain that contains the user account whose password you want to change, and authenticate as an administrator of the domain.

To open a directory domain, click the small globe icon above the list of users and choose from the pop-up menu.

If the user’s password type is Open Directory, you must authenticate as an administrator whose password type is Open Directory.

3. Select the account whose password needs to be changed.

4. Enter a password in the Basic pane, then click Save.

5. Tell the user the new password so he or she can log in.

After the user logs in to a Mac with the new password, the user can change the password by clicking Accounts in System Preferences.

If you change the password of an account whose password type is Open Directory and the account resides in the LDAP directory of an Open Directory replica or master, the change becomes synchronized with the master and its replicas. The Mac server synchronizes changes to Open Directory passwords among a master and its replicas.

Lion Server user management ► Open Directory services ► Manage user authentication ► Assign a temporary password to multiple users

You can use Workgroup Manager to simultaneously select multiple user accounts and change them to have the same password type and the same temporary password.

1. Open Workgroup Manager (located in /Applications/Server/), click the Accounts button, and then click the Users button.

2. Open the directory domain that contains the user accounts whose password types and passwords you want to reset, and authenticate as an administrator of the domain.

To open a directory domain, click the small globe icon above the list of users and choose from the pop-up menu.

To set the password type to Open Directory, you must authenticate as an administrator whose password type is Open Directory.

3. Command–click or Shift–click user accounts to select accounts whose password type must be changed.

Change a user's password

Assign a temporary password to multiple users


4. Enter a password in the Basic pane, then set the User Password Type option in the Advanced pane.

5. Click Save.

6. Tell the users the temporary password so they can log in.

After logging in with the temporary password, users can change the password by clicking Accounts in System Preferences.

If you change the password of accounts whose password type is Open Directory and the accounts reside in the LDAP directory of an Open Directory replica or master, the change becomes synchronized with the master and its replicas. A Mac server synchronizes changes to Open Directory passwords among a master and its replicas.

Lion Server user management ► Open Directory services ► Manage user authentication ► Composing a Password

The password associated with a user’s account must be entered by the user when he or she authenticates for login or other services. The password is case sensitive (except for SMB-LAN Manager passwords) and is masked on the screen as it is entered.

Regardless of the password type you choose for a user, here are guidelines for composing a password for Lion Server user accounts:

A password should contain letters, numbers, and symbols in combinations that won’t be easily guessed by unauthorized users. Passwords should not consist of words. Good passwords include digits and symbols (such as # or $), or they consist of the first letter of all words in a phrase. Use both uppercase and lowercase letters.

Avoid spaces and Option-key combinations.

Avoid characters that can’t be entered on computers the user will use or that might require knowing a special keystroke combination to enter correctly on different keyboards and platforms.

Some network protocols do not support passwords that contain leading spaces, embedded spaces, or trailing spaces.

A zero-length password is not recommended. Open Directory and some systems (such as LDAP bind) do not support a zero-length password.

For maximum compatibility with computers and services your users might access, use only ASCII characters for passwords.
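The guidelines above, together with the length limits this document gives later for Open Directory and shadow passwords (at most 512 bytes; 128 characters used for NTLMv2 and NTLM; the first 14 characters for LAN Manager), as an added Python check. This is not code from the original documentation or from Apple; the function names, the finding messages and the small sample word list are assumptions, and a real deployment would load a dictionary file in place of the sample list.

```python
import string

# Limits stated in the Lion Server documentation.
MAX_BYTES_OPEN_DIRECTORY = 512        # Open Directory password: at most 512 bytes
TRUNCATION_LIMITS = {                 # characters each method actually uses
    "NTLMv2/NTLM": 128,
    "LAN Manager": 14,
}

# Constructed stand-in for a real dictionary file (assumption for the example).
SAMPLE_WORDLIST = frozenset({"password", "secret", "welcome", "letmein"})


def check_password(password, wordlist=SAMPLE_WORDLIST):
    """Return a list of guideline violations; an empty list means the password passes."""
    findings = []
    if password == "":
        # Open Directory and LDAP bind do not support a zero-length password.
        return ["zero-length password is not supported by Open Directory or LDAP bind"]
    if len(password.encode("utf-8")) > MAX_BYTES_OPEN_DIRECTORY:
        findings.append("longer than %d bytes" % MAX_BYTES_OPEN_DIRECTORY)
    if not password.isascii():
        findings.append("contains non-ASCII characters that some clients cannot enter")
    if " " in password:
        findings.append("contains a space; some network protocols reject spaces")
    if not any(c.isalpha() for c in password):
        findings.append("contains no letters")
    if not any(c.isdigit() for c in password):
        findings.append("contains no digits")
    if not any(c in string.punctuation for c in password):
        findings.append("contains no symbols such as # or $")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        findings.append("does not mix uppercase and lowercase letters")
    if password.lower() in wordlist:
        findings.append("is a dictionary word")
    return findings


def effective_secret(password, method):
    """The part of the password a given authentication method really verifies.

    LAN Manager uses only the first 14 characters and, per the documentation,
    is not case sensitive, so case is folded for it here.
    """
    limit = TRUNCATION_LIMITS.get(method)
    if limit is None:
        return password
    part = password[:limit]
    return part.upper() if method == "LAN Manager" else part


def truncation_report(password):
    """Map each method to the number of characters of the password it uses."""
    return {m: len(effective_secret(password, m)) for m in TRUNCATION_LIMITS}


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3Xy", "password", "x" * 200):
        print(repr(candidate[:20]), check_password(candidate), truncation_report(candidate))
```

The truncation report is the practical point: a 200-character password protects the login window and Open Directory methods, but a client that still negotiates LAN Manager is only protected by its first 14 characters, which is one reason the document recommends disabling unused methods.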

Password Types

You can set password types for users in the Advanced pane of Workgroup Manager. You can choose any of the following password types:

Open Directory: Enables multiple legacy authentication methods and also enables single sign-on Kerberos authentication if the user’s account is in the LDAP directory of an Open Directory master or replica. Open Directory passwords are stored separately from the directory domain in the Open Directory Password Server database and the Kerberos KDC.

Shadow password: Enables multiple legacy authentication methods for user accounts in the local directory domain. Shadow passwords are stored separately from the directory domain in files readable only by the root user account.

Crypt password: Provides basic authentication for a user account in a shared directory domain. A crypt password is stored in the user account record in the directory domain. A crypt password is required to log in to Mac OS X v10.1 or earlier.

For more information about password types, see About password types.

Lion Server user management ► Open Directory services ► Manage user authentication ► Change the password type to Open Directory

Using Workgroup Manager, you can specify that a user account have an Open Directory password stored in secure databases apart from the directory domain. User accounts in the following directory domains can have Open Directory passwords:

LDAP directory domain on Mac OS X Server v10.3–v10.6 and Lion Server

Local directory domain of Mac OS X Server v10.3 or a server upgraded from v10.3

Directory domain on Mac OS X Server v10.2 that is configured to use a Password Server

The Open Directory password type supports single sign-on using Kerberos authentication. It also supports the Open Directory Password Server, which offers Simple Authentication and Security Layer (SASL) authentication protocols, including APOP, CRAM-MD5, DHX, Digest-MD5, MS-CHAPv2, NTLMv2, NTLM (also referred to as Windows NT or SMB-NT), and WebDAV-Digest.

Composing a Password

Change the password type to Open Directory

Note: To set a user account’s password type to Open Directory, you must have administrator rights for Open Directory authentication in the directory domain that contains the user account. This means you must authenticate as a directory domain administrator whose password type is Open Directory. For more information, see Assign administrator rights for Open Directory authentication.

1. Make sure the user’s account resides in a directory domain that supports Open Directory authentication.

The directory domains that support Open Directory authentication are listed earlier in this topic.

2. In Workgroup Manager (located in /Applications/Server/), open the account to work with (if it is not open).

To open an account, click the Accounts button, then click the Users button. Click the small globe icon above the list of users and choose from the pop-up menu to open the directory domain where the user’s account resides.

Click the lock and authenticate as a directory domain administrator whose password type is Open Directory, then select the user in the list.

3. Click Advanced.

4. From the User Password Type pop-up menu, choose Open Directory.

5. When prompted, enter and verify a new password, then click OK.

The password must contain no more than 512 bytes (512 characters or fewer, depending on the language), although the network authentication protocol can impose different limits (for example, 128 characters for NTLMv2 and NTLM). For guidelines on choosing passwords, see Composing a Password.

6. In the Advanced pane, click Options to set up the user’s password policy, and click OK after you finish specifying options.

If you select “Disable login: on specific date,” use the up and down arrows to set the date.

If you select an option that requires resetting (changing) the password, remember that not all protocols support changing passwords. For example, users can’t change their passwords when authenticating for IMAP mail service.

The password ID is a unique 128-bit number assigned when the password is created in the Open Directory Password Server database. It can be helpful for troubleshooting, because it appears in the Password Server log when a problem occurs. For more information, see View Open Directory status and logs.

7. Click Save.

Lion Server user management ► Open Directory services ► Manage user authentication ► Change the password type to shadow password

Using Workgroup Manager, you can specify that a user have a shadow password stored in a secure file apart from the directory domain. Only users whose accounts reside in the local directory domain can have a shadow password.

Note: You can only assign local user accounts to use shadow passwords.

1. In Workgroup Manager (located in /Applications/Server/), open the account to work with (if it is not open).

To open an account, click the Accounts button, then click the Users button. Click the small globe icon above the list of users and choose from the pop-up menu to open the local directory domain where the user’s account resides.

Click the lock and authenticate as a directory domain administrator, then select the user in the list.

2. Click Advanced.

3. From the User Password Type pop-up menu, choose Shadow Password.

4. When prompted, enter and verify a password, then click OK.

A long password is truncated for some authentication methods. Up to 128 characters of the password are used for NTLMv2 and NTLM, and the first 14 characters are used for LAN Manager.

For guidelines on choosing passwords, see Composing a Password.

5. In the Advanced pane, click Options to set up the user’s password policy, then click OK after you finish specifying options.

Change the password type to shadow password


If you select “Disable login: on specific date,” use the up and down arrows to set the date.

If you use a policy that requires user password changing, remember that not all protocols support changing passwords. For example, users can’t change their passwords when authenticating for IMAP mail service.

6. In the Advanced pane, click Security to enable or disable authentication methods for the user, then click OK after you finish.

For more information, see Set password policies for users.

7. Click Save.

Lion Server user management ► Open Directory services ► Manage user authentication ► Use pwpolicy to change password policies

You can use pwpolicy to change password policies globally from the command line.

To change the password policy:

$ pwpolicy -a authenticator -setglobalpolicy "option=value..."

For example, to require that an authenticator’s password be a minimum of 12 characters and have no more than 3 failed login attempts, enter the following in a Terminal window, where authenticator is the authenticator’s name.

$ pwpolicy -a authenticator -setglobalpolicy "minChars=12 maxFailedLoginAttempts=3"

For more information about pwpolicy, see its man page.

Lion Server user management ► Open Directory services ► Manage user authentication ► Set password policies for users

Using Workgroup Manager, you can set password policies for user accounts whose password type is Open Directory or Shadow Password. The password policy for a user overrides the global password policy defined in the Authentication Settings pane of Open Directory service in Server Admin.

The password policy for a mobile user account applies when the account is used while the mobile computer is disconnected from the network. The password policy from the corresponding network user account applies while the mobile computer is connected to the network.

Administrator accounts are exempt from password policies.

To set a password policy for a user account that has an Open Directory password, you must have administrator rights for Open Directory authentication in the directory domain that contains the user account. This means you must authenticate as a directory domain administrator whose password type is Open Directory.

For more information, see Assign administrator rights for Open Directory authentication.

Kerberos and Open Directory Password Server maintain password policies separately. A Mac server synchronizes Kerberos password policy rules with Open Directory Password Server password policy rules.

Do not use the Options button in the Advanced pane to set up password policies for directory domain administrators. Password policies are not enforced for administrator accounts. Directory domain administrators must be able to change the password policies of user accounts.

1. In Workgroup Manager, open the account to work with (if it is not open).

To open an account, click the Accounts button, then click the Users button. Click the small globe icon above the list of users and choose from the pop-up menu to open the directory domain where the user’s account resides.

Click the lock and authenticate as a directory domain administrator whose password type is Open Directory, then select the user in the list.

2. Click Advanced, then click Options.

You can click Options only if the password type is Open Directory or Shadow Password.

Use pwpolicy to change password policies

Set password policies for users


3. Change password policy options, then click OK.

If you select an option that requires resetting (changing) the password, remember that some service protocols don’t permit users to change passwords. For example, users can’t change their passwords when authenticating for IMAP mail service.

4. Click Save.

Lion Server user management ► Open Directory services ► Manage user authentication ► Use pwpolicy to set password policies for a single user account

You can use pwpolicy to set an individual user account password policy.

To change the password policy of a user account:

$ pwpolicy -a authenticator -setpolicy -u user "option=value..."

For example, to require that an authenticator’s password be a minimum of 12 characters and have no more than 3 failed login attempts, enter the following in a Terminal window, where authenticator is the authenticator’s name and user is the user’s name.

$ pwpolicy -a authenticator -setpolicy -u user "minChars=12 maxFailedLoginAttempts=3"

For information about pwpolicy, see its man page.
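An added Python helper, not from the original documentation or from Apple, that builds the argument list for the two pwpolicy forms shown in this topic and the previous one (a global policy with -setglobalpolicy, a per-user policy with -setpolicy -u) and validates the option string before anything is run. The function names, the account-name character rule and the dry-run flag are assumptions; only the two option names the documentation uses (minChars, maxFailedLoginAttempts) are checked for numeric values, and other option names from the pwpolicy man page pass through unchecked.

```python
import re
import subprocess

# Option names the documentation's examples use; both take integer values.
NUMERIC_OPTIONS = {"minChars", "maxFailedLoginAttempts"}

# option=value tokens: an identifier, "=", and a non-empty value.
_OPTION_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*=\S+$")
# Account names accepted here (assumption: plain short names only).
_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_policy(policy):
    """Split 'minChars=12 maxFailedLoginAttempts=3' into a dict after validating each token."""
    tokens = policy.split()
    if not tokens:
        raise ValueError("policy string is empty")
    options = {}
    for tok in tokens:
        if not _OPTION_RE.match(tok):
            raise ValueError("bad option syntax %r; expected option=value" % tok)
        name, value = tok.split("=", 1)
        if name in NUMERIC_OPTIONS and not value.isdigit():
            raise ValueError("option %s expects a non-negative integer, got %r" % (name, value))
        options[name] = value
    return options


def build_pwpolicy_argv(authenticator, policy, user=None):
    """Return the pwpolicy argument list for a global (user=None) or per-user policy."""
    if not _NAME_RE.match(authenticator):
        raise ValueError("authenticator must be a simple account name")
    options = parse_policy(policy)
    # Re-join so the policy is passed as ONE argument, exactly as the quoted
    # string in the documentation's Terminal examples.
    policy_arg = " ".join("%s=%s" % kv for kv in options.items())
    argv = ["pwpolicy", "-a", authenticator]
    if user is None:
        argv += ["-setglobalpolicy", policy_arg]
    else:
        if not _NAME_RE.match(user):
            raise ValueError("user must be a simple account name")
        argv += ["-setpolicy", "-u", user, policy_arg]
    return argv


def apply_policy(authenticator, policy, user=None, dry_run=True):
    """Build the command and, unless dry_run, execute it without a shell.

    Passing a list to subprocess.run means user and authenticator names are
    never interpreted by a shell, so no quoting is needed. pwpolicy prompts
    for the authenticator's password on the terminal.
    """
    argv = build_pwpolicy_argv(authenticator, policy, user)
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    # "diradmin" is the default directory administrator named in this document;
    # "jsmith" is a constructed user name.
    print(apply_policy("diradmin", "minChars=12 maxFailedLoginAttempts=3"))
    print(apply_policy("diradmin", "minChars=12 maxFailedLoginAttempts=3", user="jsmith"))
```

Validating before running matters because pwpolicy takes the policy as one opaque string: a typo such as minChars=twelve is not a syntax error to the shell, so catching it here keeps a broken policy from being applied to every account.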

Lion Server user management ► Open Directory services ► Manage user authentication ► Assign administrator rights for Open Directory authentication

Using Workgroup Manager and an administrator account with rights to work with Open Directory password settings, you can assign these rights to other user accounts in the same directory domain.

To assign these rights, your user account must have an Open Directory password and privileges to administer user accounts. This requirement protects the security of passwords stored in the Kerberos KDC and the Open Directory Password Server database.

1. In Workgroup Manager (located in /Applications/Server/), open the account, click Advanced, and make sure Password Type is set to Open Directory password.

For more information, see Changing the Password Type to Open Directory.

2. Click Privileges and choose Full in the Administration capabilities pop-up menu.

To restrict the administration capabilities, choose Limited.

3. Click Save.

Lion Server user management ► Open Directory services ► Manage user authentication ► Set passwords of exported or imported users

When you export user accounts whose password type is Open Directory or shadow password, passwords are not exported. This protects the security of the Open Directory Password Server database and shadow password files.

Before importing, you can use a spreadsheet application to open the file of exported users and set their passwords, which they can change the next time they log in.

For instructions on working with files of exported users, see Workgroup Manager Help.

After importing user accounts, you have the following options for setting passwords:

You can set all imported accounts to use a temporary password, which each user can change the next time he or she logs in. For more information, see Assign a temporary password to multiple users.

You can set the password of each imported user account in the Basic pane of Workgroup Manager. For more information, see Change a user's password.

Use pwpolicy to set password policies for a single user account

Assign administrator rights for Open Directory authentication

Set passwords of exported or imported users


Lion Server user management ► Open Directory services ► Maintain Open Directory services ► Control access to a server's login window

You can use Server Admin to control which users can log in to a Mac server using the login window. Users with server administrator privileges can always log in to the server.

1. Open Server Admin and connect to the server.

2. Click Settings, then click Access.

3. Click Services.

4. Select “For selected services below” and select Login Window in the list on the left.

5. Select “Allow only users and groups below” and edit the list of users and groups that you want to log in using the server’s login window:

Add users or groups that can use the login window by clicking the Add button (+) and dragging users or groups from the Users & Groups window to the list.

Remove users or groups from the list by selecting them and clicking the Remove button (–).

6. Click Save.

If “Allow all users and groups” is selected when you select “For selected services below” in step 4, all services except login window permit access to all users and groups.

If you want to restrict who can access a listed service in addition to the login window, select the service in the list, select “Allow only users and groups below,” and add users and groups to the list.

If you want all users to log in using the server’s login window, select Login Window, then select “Allow all users and groups.”

Lion Server user management ► Open Directory services ► Maintain Open Directory services ► Control access to SSH service

You can use Server Admin to control which users can open a command-line connection to a Mac server using the ssh command in Terminal. Users with server administrator privileges can always open a connection using ssh.

The ssh command uses the Secure Shell (SSH) service. For information about using the ssh command, see its man page.

1. Open Server Admin and connect to the server.

2. Click Settings, then click Access.

3. Click Services.

4. Select “For selected services below” and select SSH in the list on the left.

5. Select “Allow only users and groups below” and edit the list of users and groups that need SSH access to the server:

Add users or groups that can open SSH connections by clicking the Add button (+) and dragging users or groups from the Users & Groups window to the list.

Remove users or groups from the list by selecting one or more and clicking the Remove button (–).

6. Click Save.

If “Allow all users and groups” is selected when you select “For selected services below” in step 4, all services except SSH will permit access to all users and groups.

If you want to restrict who can access a listed service besides SSH, select the service in the list, select “Allow only users and groups below,” and add users and groups to the list.

If you want all users to be able to open an SSH connection to the server, select SSH, then select “Allow all users and groups.”

Control access to a server's login window

Control access to SSH service


Lion Server user management ► Open Directory services ► Maintain Open Directory services ► Configure Open Directory service access control

You can configure Open Directory service access control by configuring service access control lists (SACLs) using Server Admin.

SACLs enable you to specify which administrators have access to Open Directory.

Only users and groups listed in an SACL have access to the corresponding service. For example, to give administrator access to users or groups for the Open Directory service on your server, add them to the Open Directory SACL.

1. Open Server Admin and connect to the server.

2. Click Settings, then click Access.

3. Click Administrator.

4. Select the level of restriction you want for the services:

To restrict access to all services, select “For all services.”

To set access permissions for individual services, select “For selected services below” and then select Open Directory from the Service list.

5. Click the Add button (+) to open the Users & Groups window.

6. Drag users and groups from the Users & Groups window to the list.

7. Set user permissions:

To grant administrator access, choose Administrator from the Permission pop-up menu next to the user name.

To grant monitoring access, choose Monitor from the Permission pop-up menu next to the user name.

8. Click Save.

Lion Server user management ► Open Directory services ► Maintain Open Directory services ► Check the status of an Open Directory server

Using Server Admin, you can confirm that the Open Directory master is functioning properly.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Overview.

5. Make sure the status of all items listed in the Open Directory overview pane is “Running.”

If any item is stopped, click Refresh (or choose View > Refresh). If Kerberos remains stopped, see If Kerberos is stopped on an Open Directory master or replica.

Lion Server user management ► Open Directory services ► Maintain Open Directory services ► Monitor replicas and relays of an Open Directory master

Using Server Admin, you can check the status of replica creation and ongoing replication.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

Configure Open Directory service access control

Check the status of an Open Directory server

Monitor replicas and relays of an Open Directory master


3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click General, to see a list of replicas and the status of each one.

The status for a new replica indicates whether it was created successfully. Thereafter, the status indicates whether the most recent replication attempt was successful.

Lion Server user management ► Open Directory services ► Maintain Open Directory services ► View Open Directory status and logs

You can use Server Admin to view status information and logs for Open Directory services. The following logs are available:

Directory services server log

Directory services error log

kadmin log

kdc log

LDAP log

Password service server log

Password service error log

Password service replication log

slapconfig log

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Overview to see status information.

5. Click Logs and use the View pop-up menu to choose the log you want to see.

The path to the log file appears above the log.

6. Optionally, enter text in the filter field and press Return to show only lines containing the text you entered.

Lion Server user management ► Open Directory services ► Maintain Open Directory services ► Monitor Open Directory authentication

You can use password service logs, visible using Server Admin, to monitor failed login attempts for suspicious activity.

Open Directory uses logs to record failed authentication attempts, including IP addresses that generate them. Periodically review the logs to determine whether there are a large number of failed trials for the same password ID, indicating that somebody might be generating login guesses.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Logs and choose the kdc log or a password service log from the View pop-up menu.
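As an added example that is not part of the original documentation, a Python script that performs the review described above over password-service log lines: it counts failed attempts per password ID (the field the text says to watch), and can group the same failures by source address or short name instead. The log lines and their exact layout are constructed for this example; the real Password Server log format is not reproduced here, so LINE_RE must be adapted to the log whose path Server Admin shows above the log view. Function names and the threshold and window defaults are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape for the constructed sample below; adapt to the real log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) AUTH2: "
    r"\{(?P<pwid>0x[0-9a-f]+), (?P<user>[^}]+)\} from (?P<ip>[\d.]+): "
    r"(?P<method>[\w-]+) authentication (?P<result>succeeded|failed)"
)


def parse_line(line):
    """Return a dict of fields for an authentication line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
    return rec


def failed_attempts(lines):
    """All parsed records whose result is 'failed', in log order."""
    return [r for r in map(parse_line, lines) if r and r["result"] == "failed"]


def find_guessing(lines, threshold=5, window=timedelta(minutes=10), key="pwid"):
    """Map each key value (password ID, ip or user) to its largest number of
    failures inside any sliding window of the given length, keeping only those
    that reach the threshold."""
    stamps_by_key = defaultdict(list)
    for rec in failed_attempts(lines):
        stamps_by_key[rec[key]].append(rec["ts"])
    flagged = {}
    for k, stamps in stamps_by_key.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[k] = best
    return flagged


# Constructed sample: two password IDs, two users, documentation-range addresses.
_A = "0x4f0b1e2c0000000000000001"   # jsmith's password ID (constructed)
_B = "0x4f0b1e2c0000000000000002"   # mlee's password ID (constructed)
SAMPLE_LOG = [
    "Jan 10 2012 09:15:02 AUTH2: {%s, jsmith} from 192.0.2.44: DIGEST-MD5 authentication failed, SASL error -13 (password incorrect)." % _A,
    "Jan 10 2012 09:15:09 AUTH2: {%s, jsmith} from 192.0.2.44: DIGEST-MD5 authentication failed, SASL error -13 (password incorrect)." % _A,
    "Jan 10 2012 09:15:17 AUTH2: {%s, jsmith} from 192.0.2.44: DIGEST-MD5 authentication failed, SASL error -13 (password incorrect)." % _A,
    "Jan 10 2012 09:15:30 AUTH2: {%s, mlee} from 198.51.100.7: CRAM-MD5 authentication succeeded." % _B,
    "Jan 10 2012 09:16:01 AUTH2: {%s, jsmith} from 203.0.113.9: NTLMv2 authentication failed, SASL error -13 (password incorrect)." % _A,
    "Jan 10 2012 09:16:12 AUTH2: {%s, jsmith} from 203.0.113.9: NTLMv2 authentication failed, SASL error -13 (password incorrect)." % _A,
    "Jan 10 2012 09:16:40 AUTH2: {%s, jsmith} from 203.0.113.9: NTLMv2 authentication failed, SASL error -13 (password incorrect)." % _A,
    "Jan 10 2012 09:20:05 AUTH2: {%s, mlee} from 198.51.100.7: CRAM-MD5 authentication failed, SASL error -13 (password incorrect)." % _B,
    "Jan 10 2012 09:21:00 REPLICATION: sync with replica od2 complete.",
]

if __name__ == "__main__":
    print("by password ID:", find_guessing(SAMPLE_LOG, threshold=5))
    print("by source IP:  ", find_guessing(SAMPLE_LOG, threshold=3, key="ip"))
```

Grouping by password ID is what the text recommends, and the sample shows why: the six failures against jsmith's ID are split across two addresses, so a per-address threshold of five would miss the pattern. Feed the script with the log file itself (one line per list element) and run it on a schedule, or pair it with the maxFailedLoginAttempts policy option shown in the pwpolicy topics so that guessing locks the account as well as being noticed.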

Lion Server user management ► Open Directory services ► Maintain Open Directory services ► Import records

View Open Directory status and logs

Monitor Open Directory authentication


Workgroup Manager can import all types of records into the LDAP directory of an Open Directory master. This includes users, groups, computer groups, computers, and all other standard Mac OS X record types.

Important: If you import user or group records from a file exported by Mac OS X Server v10.3 or earlier, each imported record is assigned a globally unique ID (GUID).

To make sure that GUIDs and their relationships to specific users and groups remain the same (if you need to reimport the same users and groups), create an export file using Workgroup Manager in Lion Server. Use the Lion Server export file instead of the export file created using the earlier server version.

For a list of record types and attributes that can be imported, see the following file:

/System/Library/Frameworks/OpenDirectory.framework/Frameworks/CFOpenDirectory.framework/Headers/CFOpenDirectoryConstants.h

For more information about exporting users and groups using Workgroup Manager and on importing records of any type, see Workgroup Manager Help.

Lion Server user management ► Open Directory services ► Maintain Open Directory services ► Set a binding policy for an Open Directory server

Using Server Admin, you can configure an Open Directory master to permit or require trusted binding between the LDAP directory and the computers that access it. Replicas of an Open Directory master inherit the master’s binding policy.

Trusted LDAP binding is mutually authenticated. The computer proves its identity by using an LDAP directory administrator’s name and password to authenticate to the LDAP directory. The LDAP directory proves its authenticity by means of an authenticated computer record created in the directory when you set up trusted binding.

Note: To use trusted LDAP binding, clients need Mac OS X v10.6 or Lion or Mac OS X v10.6 Server or Lion Server. Clients using v10.5 can use anonymous binding, but can’t set up trusted binding.

Important: If your Lion Server is an Open Directory master, it has a diradmin user. When binding two directory servers, they should not have the same directory administrator user name (diradmin). If two Lion Servers are configured as Open Directory masters and are bound to each other, they become an invalid configuration and can cause random failures. Make one of the Open Directory master servers a standalone server, then recreate it using Server Admin with a unique user name for the directory administrator instead of the default diradmin.

1. Open Server Admin and connect to the Open Directory master server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click Policies.

5. Click Binding, then set the directory binding options you want:

To permit trusted binding, select “Enable authenticated directory binding.”

6. Click Save.

Important: If you choose “Encrypt all packets (requires SSL or Kerberos)” and “Enable authenticated directory binding,” make sure your users are using one or the other for binding and not both.

Set a security policy for an Open Directory server

Using Server Admin, you can configure a security policy for access to the LDAP directory of an Open Directory master.

Replicas of the Open Directory master inherit the master’s security policy.

Note: If you change the security policy for the LDAP directory of an Open Directory master, you must disconnect and reconnect (unbind and rebind) every computer connected (bound) to this LDAP directory.

1. Open Server Admin and connect to the Open Directory master server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click Policies.

5. Click Binding, then set the security options you want:

Disable clear text passwords determines whether clients can send passwords as clear text if the passwords can’t be validated using any authentication method that sends an encrypted password. For more information, see Select authentication methods for shadow password users and Select authentication methods for Open Directory passwords.

Encrypt all packets (requires SSL or Kerberos) requires the LDAP server to encrypt directory data using SSL or Kerberos before sending it to client computers.

Digitally sign all packets (requires Kerberos) ensures that directory data from the LDAP server can’t be modified by another computer while en route to client computers without the tampering being detected. Signing alone does not hide the data; to keep it confidential as well, also select “Encrypt all packets.”

Block man-in-the-middle attacks (requires Kerberos) protects against a rogue server posing as the LDAP server. This is best used with the “Digitally sign all packets” option.

Disable client-side caching prevents client computers from caching LDAP data locally.

Allow users to edit their own contact information permits users to change contact information on the LDAP server.

6. Click Save.

Important: If you choose “Encrypt all packets (requires SSL or Kerberos)” and “Enable authenticated directory binding,” make sure your users are using one or the other for binding and not both.

Based on the settings here, the security options can also be configured on each client of an Open Directory master or replica. If an option is selected here, it can’t be deselected on a client: the server’s policy is a floor, not a default. For more information about configuring these options on a client, see Change the security policy for an LDAP connection.

Limit search results for LDAP service

Using Server Admin, you can prevent one type of denial-of-service attack on a Mac server by limiting the number of search results returned by the server’s shared LDAP directory domain. Limiting the number of search results prevents a malicious user from tying up the server by sending it multiple all-inclusive LDAP search requests.

1. Open Server Admin and connect to the Open Directory master or an Open Directory replica server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click LDAP.

5. Enter the maximum number of returned search results in the “Return a maximum of __ search results” field.

6. Click Save.

Set the search timeout interval for LDAP service

Using Server Admin, you can prevent one type of denial-of-service attack on a Mac server by limiting the amount of time the server spends on one search of its shared LDAP directory domain.

Setting a search timeout prevents a malicious user from tying up the server by sending it an exceptionally complex LDAP search request.

1. Open Server Admin and connect to the Open Directory master or an Open Directory replica server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click LDAP.

5. Enter a search timeout interval in the “Search times out in __” field.

Set the time interval using the pop-up menu.

6. Click Save.

Set up SSL for LDAP service

Using Server Admin, you can enable Secure Sockets Layer (SSL) for encrypted communications between an Open Directory server’s LDAP directory domain and computers that access it.

SSL uses a digital certificate to provide a certified identity for the server. You can use a self-signed certificate or a certificate obtained from a certificate authority.

For information about defining, obtaining, and installing certificates on your server, see Server Admin Help.

SSL communications for LDAP use port 636. If SSL is disabled for LDAP service, communications go over port 389 and are sent as clear text unless the connection is protected by Kerberos signing and encryption (see Set a security policy for an Open Directory server).

1. Open Server Admin and connect to the Open Directory master or an Open Directory replica server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click LDAP.

5. Select the Enable SSL checkbox.

6. Use the Certificate pop-up menu to choose an SSL certificate that you want LDAP service to use.

The menu lists all SSL certificates installed on the server. To use a certificate not listed, choose Manage Certificates from the pop-up menu. For more information about certificates, see Server Admin Help.

7. Click Save.


Create a custom SSL configuration for LDAP

SSL uses a digital certificate to provide a certified identity for the server. You can use custom digital certificates to configure SSL for your network environment.

The following steps describe the command-line method for creating custom certificates and provide instructions for implementing them in Server Admin. To create an Open Directory service certificate:

1. Generate a private key for the server in the /usr/share/certs/ folder. If the folder does not exist, create it, and run the following commands from inside it so that the files are written there. The private key must stay readable by root only:

$ sudo openssl genrsa -out ldapserver.key 2048

2. Generate a certificate signing request (CSR) for the certificate authority (CA) to sign:

$ sudo openssl req -new -key ldapserver.key -out ldapserver.csr

3. Fill out the following fields as completely as possible, making certain that the Common Name field matches the domainname of the LDAP server exactly, and leaving the challenge password and optional company name blank:

Country Name:
State or Province Name:
Locality Name (city):
Organization Name:
Organizational Unit Name:
Common Name:
Email Address:

4. Sign the ldapserver.csr request with the openssl command. This step signs with your own CA: openssl ca takes the CA’s key, certificate, index, and serial files from the ca section of the OpenSSL configuration file, so that section must be set up before you run it. If an external CA issues the certificate, send it ldapserver.csr instead and save the certificate it returns as ldapserver.crt.

$ sudo openssl ca -in ldapserver.csr -out ldapserver.crt

5. When prompted, enter the CA passphrase to continue and complete the process.

The certificate files needed to enable SSL on the LDAP server are now in the /usr/share/certs/ folder.

6. Open Server Admin, connect to the server, then click the triangle at the left of the server.

The list of services appears.

7. From the expanded Servers list, select Open Directory.

8. Click Settings, then click LDAP.

9. Select the Enable SSL checkbox.

10. Use the Certificate pop-up menu to choose an SSL certificate that you want LDAP service to use.

The menu lists all SSL certificates that have been installed on the server. To use a certificate not listed, choose Manage Certificates from the pop-up menu. For more information about certificates, see Server Admin Help.

11. Click Save.

Make an Open Directory replica into a relay

There is not much difference between a relay and a replica. Both have a read-only copy of the Open Directory master’s LDAP directory domain and also a read/write copy of the Open Directory Password Server and the Kerberos Key Distribution Center (KDC).

A relay is a direct member replica of an Open Directory master and it has replicas that it replicates to.

You can make an Open Directory replica into a relay by ensuring the following:

The replica is a direct replica of the Open Directory master (first-tier).

The replica has replicas (supports up to 32 replicas).

For more information about relays, see Integrate with existing directory domains.

Configure locales

When a client connects to an Open Directory server, it may connect to an Open Directory master or to its replica. These connections can become unbalanced, meaning you have more connections to your OD master server than to its replica.

If you have replicas on your network, you can configure locales to specify which Open Directory servers clients should use, and you can load-balance client connections between your Open Directory master and its replicas.

Locales are groups of servers that service a specified subnet. These servers are given a locale name similar to an Active Directoryforest name.

After configuring an Open Directory master and its replicas, two locales are configured by default.

The first locale includes all of the Open Directory master’s replicas, even those outside the subnet. This is created as a fail-safe for the client if no locales are available for connection on the client’s subnet.

The second locale is based on the subnet of the Open Directory master. This can include some of its replicas if they are on the same subnet. Servers and clients on the same subnet use that Open Directory master and its replicas for directory service.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click Locales.

5. From the Locale list, click the Add button (+).

6. Enter a name in the Name field for the locale.

This name is similar to an Active Directory forest name and is used by clients to connect to the locale.

7. (Optional) In the Comment field, enter a comment about the locale.

8. Click the Add button (+) below the Server list.

9. From the list of Open Directory servers, choose the Open Directory servers you want in your locale by selecting the checkbox next to each server, then click OK.

10. Click the Add button (+) below the Subnets list.

11. Enter the subnet or subnets that will use the locale servers and click OK.

You can enter multiple subnets.

12. Click Save.
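The selection rule described above, as an added illustration (model code written for this page, not Apple’s implementation): a client is served by the locale whose subnet contains its address, and otherwise by the default locale that lists every replica. The topology, host names and subnets below are constructed for the example, and the tie-break for overlapping subnets (the most specific one wins) is an assumption the text does not state.

```python
"""Model of Open Directory locale selection (added illustration, not Apple's code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Locale:
    name: str
    servers: tuple[str, ...]
    # Subnets served by this locale, in CIDR notation. The default locale
    # that lists every replica has no subnets: it is the fail-safe used
    # when no locale covers the client's subnet.
    subnets: tuple[str, ...] = ()


def choose_locale(client_ip: str, locales: list[Locale]) -> Locale:
    """Pick the locale a client should use.

    The locale whose subnet contains the client wins. Assumption: if several
    locales' subnets overlap, the most specific (longest prefix) one is used.
    With no match, fall back to the first locale that has no subnets.
    """
    ip = ipaddress.ip_address(client_ip)
    best, best_prefix = None, -1
    for loc in locales:
        for cidr in loc.subnets:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip in net and net.prefixlen > best_prefix:
                best, best_prefix = loc, net.prefixlen
    if best is not None:
        return best
    fallbacks = [loc for loc in locales if not loc.subnets]
    if not fallbacks:
        raise LookupError(f"no locale serves {client_ip} and no default locale exists")
    return fallbacks[0]


def servers_for(client_ip: str, locales: list[Locale]) -> tuple[str, ...]:
    """Ordered list of Open Directory servers a client should try."""
    return choose_locale(client_ip, locales).servers


# Constructed sample topology (not a real deployment).
ALL_REPLICAS = Locale(
    "default",
    ("od-master.example.com", "od-replica1.example.com", "od-replica2.example.com"),
)
HQ = Locale("hq", ("od-master.example.com", "od-replica1.example.com"), ("10.1.0.0/16",))
LAB = Locale("lab", ("od-replica1.example.com",), ("10.1.99.0/24",))       # inside HQ's /16
BRANCH = Locale("branch", ("od-replica2.example.com",), ("10.2.5.0/24", "192.168.50.0/24"))
LOCALES = [ALL_REPLICAS, HQ, LAB, BRANCH]


if __name__ == "__main__":
    for client in ("10.1.20.7", "10.1.99.4", "192.168.50.12", "172.16.0.1"):
        loc = choose_locale(client, LOCALES)
        print(f"{client:15} -> locale {loc.name:8} servers {', '.join(loc.servers)}")
```

A client on 10.1.99.4 lands in the lab locale rather than hq because the /24 is more specific; a client on 172.16.0.1 matches nothing and gets the full replica list.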

Promote an Open Directory replica

If an Open Directory master fails and you cannot recover it from a backup, you can promote a replica to be a master. The new master (promoted replica) uses the directory and authentication databases of the replica.

After doing this, you must convert all other replicas of the old master to standalone directory services and then make them replicas of the new master.

Use this procedure only to replace an Open Directory master with its replica. To keep the Open Directory master in operation and make its replica another master, do not use this procedure. Instead, decommission the replica and then make it a master as described in Decommission an Open Directory replica and Set up an Open Directory master.

1. Open Server Admin and connect to the replica server you want to promote to a master.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Settings, then click General.

5. Click Change.


This opens the Open Directory Assistant.

6. Select Promote replica to an Open Directory master, then click Continue.

7. Enter the following Master Domain Administrator information, then click Continue.

Short Name, Password: You must create a user account for the primary administrator of the LDAP directory. This account is not a copy of the administrator account in the server’s local directory domain. Make the short names of the LDAP directory administrator different from names of user accounts in the local directory domain.

Note: If you plan to connect your Open Directory master to other directory domains, pick a unique name and user ID for each domain. Don’t use the suggested diradmin user ID. Use a name that helps you identify the directory domain that the directory administrator controls.

8. Enter the following Master Domain information, then click Continue.

Kerberos Realm: This field is preset to be the same as the server’s DNS name, converted to capital letters. This is the convention for naming a Kerberos realm. You can enter a different name if necessary.

Search Base: This field is preset to a search base suffix for the new LDAP directory, derived from the domain portion of the server’s DNS name. You can enter a different search base suffix or leave it blank. If you leave this field blank, the LDAP directory’s default search base suffix is used.

9. Confirm settings, then click Continue.

This saves your settings and restarts the service.

10. Click Done.

11. In Server Admin, connect to another replica of the old master.

12. Click the triangle at the left of the server.

The list of services appears.

13. From the expanded Servers list, select Open Directory.

14. Click Settings, then click General.

15. Click Change.

The Open Directory Assistant opens.

16. Choose Set up a Standalone Directory, then click Continue.

17. Confirm the Open Directory configuration setting, then click Continue.

18. If you are sure that users and services no longer need access to the directory data stored in the shared directory domain that the server has been hosting or was connected to, click Close.

This saves your settings and restarts the service.

19. Click Change.

The Open Directory Assistant opens.

20. Choose Set up an Open Directory Replica, then click Continue.

21. Enter the following information:

IP address or DNS name of Open Directory master: Enter the IP address or DNS name of the server that is the Open Directory master.

Root password on Open Directory master: Enter the password of the Open Directory master system’s root user (the user named System Administrator).

Domain administrator’s short name: Enter the name of an LDAP directory domain administrator account.

Domain administrator’s password: Enter the password of the administrator account whose name you entered.

22. Click Continue.

23. Confirm the Open Directory configuration settings, then click Continue.

24. Click Done.

This saves your settings and restarts the service.


25. For each remaining replica of the old master, repeat steps 11–24.

26. Make sure the date, time, and time zone are correct on the replicas and the master.

The replicas and the master should use the same network time service so their clocks remain in sync.

If other computers were connected to the old Open Directory master’s LDAP directory, reconfigure their connections to use the new master’s LDAP directory.

Each Mac and Mac server with a custom search policy that included the old master’s LDAP directory must be reconfigured to connect to the new master’s LDAP directory. Use the Services and Authentication panes of Directory Utility (located in Users & Groups preferences).

For more information, see Reconfigure LDAP directory access.

Decommission an Open Directory replica

You can take an Open Directory replica server out of service by making it a standalone server or by connecting it to another systemfor directory and authentication services.

1. Verify that the network connection is working between the Open Directory master and the replica you want to decommission.

Port 389 or 636 must be open between master and replica while decommissioning the replica. LDAP uses port 389 if SSL is disabled or port 636 if SSL is enabled on the master.

Important: If you decommission a replica while there is no network connectivity between it and the master, the decommissioned replica remains in the master’s list of replicas. The master tries to replicate to the decommissioned replica as specified in the General settings pane for Open Directory service on the master server.

2. In Server Admin, connect to the replica you want to decommission.

3. Click the triangle at the left of the server.

The list of services appears.

4. From the expanded Servers list, select Open Directory.

5. Click Settings, then click General.

6. Click Change.

The Open Directory Assistant opens.

7. Choose “Decommission replica and set up a standalone directory” or “Decommission replica and connect to another directory,” and enter the following information.

Root password on Open Directory master: Enter the password of the Open Directory master system’s root user (the user named System Administrator).

Domain administrator’s short name: Enter the name of an LDAP directory domain administrator account.

Domain administrator’s password: Enter the password of the administrator account whose name you entered.

8. Click Continue.

9. Confirm the Open Directory configuration setting, then click Continue.

10. If you are sure that users and services no longer need access to the directory data stored in the shared directory domain that the server has been hosting or was connected to, click Done.

This saves your setting and restarts the service.

Assuming there is a network connection between the Open Directory master and the replica, the master is updated to no longer connect to the replica.

11. If you chose “Decommission replica and connect to another directory” from the Open Directory Assistant, click the Open Directory Utility button to configure access to directory systems.

For more information about configuring access to a directory service, see Directory Utility Help.


Archive an Open Directory master

You can use Server Admin to archive a copy of an Open Directory master’s directory and authentication data. You can archive a copy of the data while the Open Directory master is in service.

The following files are archived:

LDAP directory database and configuration files

Open Directory password server database

Kerberos database and configuration files

Local directory domain and shadow password database

If you have a reliable archive of an Open Directory master, you effectively have an archive of all its replicas. If a replica develops a problem, you can change its Open Directory role to standalone server and then set up the server as if it were a new server, with a new host name, and set it up as a replica of the same master as before.

Important: Carefully safeguard the archive media that contains a copy of the Open Directory password database, the Kerberos database, and the Kerberos keytab file. The archive contains passwords of all users who have an Open Directory password, both in the shared LDAP directory domain and in the local directory domain. Your security precautions for the archive media should be as stringent as for the Open Directory master server. The archive is encrypted with the password you supply when you create it, so choose a strong one and keep it separate from the archive media.

1. Open Server Admin and connect to Open Directory master server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Archive.

5. In the Archive in field, enter the path to the folder where you want the Open Directory data archived, then click the Archive button.

You can enter the folder path or click Choose to select it.

6. Enter a name and password to use in encrypting the archive, then click OK.

Restore an Open Directory master

You can use Server Admin or the slapconfig command-line tool to restore an Open Directory master’s directory and authentication data from an archive.

If you use Server Admin, you can restore to a server that is an Open Directory master. The following files are restored by merging the archive with the existing master:

LDAP directory database and configuration files

Open Directory password server database

Kerberos database and configuration files

If conflicts are encountered during the merge operation, the existing record takes precedence over the one in the archive. The archive record is ignored. Conflicts are recorded in the slapconfig log file (/Library/Logs/slapconfig.log), which you can view using Server Admin. See View Open Directory status and logs.

Instead of restoring an Open Directory master from an archive, you might get better results by promoting a replica to be the master. The replica might have more recent directory and authentication data than the archive.

After restoring an Open Directory master from an archive, you must recreate your Open Directory replicas.

Important: Don’t restore an archive as a means of porting directory and authentication data from one system to another. Instead, export from the source directory and import to the target directory. For more information about exporting and importing directory data, see Workgroup Manager Help.

1. Open Server Admin and connect to the Open Directory master server.

The target server must have the same Kerberos realm name as the master that the archive was created from.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Open Directory.

4. Click Archive.

5. In the Restore from field, enter the path to the Open Directory archive file, then click the Restore button.

You can enter the path or click Choose to select the archive file.

6. Enter the password that was used to encrypt the archive when it was created, then click OK.

7. When the restore operation finishes, check the slapconfig log for information about conflicts or other events that occurred while restoring.

8. Convert existing Open Directory replica servers to Open Directory standalone servers and then make them replicas of the new master.

For more information, see Set up a standalone directory service and Set up an Open Directory replica or relay.

Use slapconfig to restore an Open Directory master

Instead of restoring to a server that is an Open Directory master, you can restore to a standalone server. This server becomes an Open Directory master with directory and authentication data from the archive.

The restored data includes the LDAP, Kerberos, and password server files listed above, plus the local directory domain and associated shadow password files.

In addition, slapconfig preserves the local user account you used in the login window. After restoring, the master contains the user account records from the archive plus the account you used in the login window.

If the archive contains a user account that conflicts with the account you used in the login window, the account from the archive is ignored.

WARNING: If you restore to a standalone server, the existing directory records and authentication data are not retained, except for the user account you used in the login window.

To replace the directory and authentication data on a standalone server with data from an Open Directory archive, enter:

$ sudo slapconfig -restoredb archive-path

Replace archive-path with the path to the archive file.

For more information about slapconfig, see its man page.

Manage OpenLDAP

To provide directory services for mixed-platform environments, Open Directory uses OpenLDAP, the open source implementation of LDAP. A common language for directory access lets you consolidate information from different platforms and define a single name space for network resources.

Whether you have Mac, Windows, or Linux computers on your network, you can set up and manage a single directory, eliminatingthe need to maintain a separate directory or separate user records for each platform.


Configure OpenLDAP

The OpenLDAP server daemon is slapd, in /usr/libexec/. Its configuration is located in /etc/openldap/. You also find the slapd.conf and slapd_macosxserver.conf files there, but they are kept only for reference, as explained next.

slapd reads and writes its configuration through the config backend, a database stored under /etc/openldap/slapd.d and reachable over LDAP at the search base cn=config. The old /etc/openldap/slapd.conf and slapd_macosxserver.conf files are still generated but are not read by slapd; use them only as a reference for the one-to-one corresponding settings in the olcGlobal object class under the config entry. The configuration attributes and object classes carry the prefix olc.

The directory administrator can modify configuration settings such as ACL or schema settings by using Workgroup Manager with the inspector mode turned on or by using dscl. The sizelimit, timelimit, and SSL settings should be set only using Server Admin.

Use slapd and slurpd Daemons to configure LDAP

To configure the slapd and slurpd LDAP daemons and related search policies, use the slapconfig tool. For more information, see the slapconfig man page.

Standard distribution tools

Two types of tools come with OpenLDAP:

Tools that operate directly on the LDAP databases—these tools begin with slap.

Tools that go through the LDAP protocol—these tools begin with ldap.

You must run the slap tools on the computer hosting the LDAP database. When using the slap tools, shut down the LDAP service. If you don’t, your database can get out of sync.

These tools are included in the standard OpenLDAP distribution:

Tool                    Used to
/usr/bin/ldapadd        Add entries to the LDAP directory.
/usr/bin/ldapcompare    Compare a directory entry’s actual attributes with known attributes.
/usr/bin/ldapdelete     Delete entries from the LDAP directory.
/usr/bin/ldapmodify     Change an entry’s attributes.
/usr/bin/ldapmodrdn     Change an entry’s relative distinguished name (RDN).
/usr/bin/ldappasswd     Set the password for an LDAP user. Apple recommends using passwd instead of ldappasswd; for more information, see the passwd man page.
/usr/bin/ldapsearch     Search the LDAP directory.
/usr/bin/ldapwhoami     Obtain the primary authorization identity associated with a user.
/usr/sbin/slapadd       Add entries to the LDAP directory.
/usr/sbin/slapcat       Export LDAP Data Interchange Format (LDIF) files.
/usr/sbin/slapindex     Regenerate directory indexes.
/usr/sbin/slappasswd    Generate user password hashes.

LDAP idle rebinding options

The following LDAPv3 plug-in parameters are used in the file /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist.

Delay rebind

This parameter specifies how long the LDAP plug-in waits before attempting to reconnect to a server that fails to respond. You can increase this value to prevent continuous reconnection attempts.

<key>Delay Rebind Try in seconds</key><integer>n</integer>

You can find this parameter in the DSLDAPv3PlugInConfig.plist file near <key>OpenClose Timeout in seconds</key>. If not, add it there.

Idle timeout

This parameter specifies how long the LDAP plug-in sits idle before disconnecting from the server. You can adjust this value to reduce the load that connections from remote clients place on the server.

<key>Idle Timeout in minutes</key><integer>n</integer>

If this parameter doesn’t exist in the DSLDAPv3PlugInConfig.plist file, add it near <key>OpenClose Timeout in seconds</key>.
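Added example, not code from the guide: a Python script using the standard plistlib module that adds or updates the two keys above next to every <key>OpenClose Timeout in seconds</key> it finds, so it works whether the file is stored as XML or binary plist. The embedded sample plist is constructed for the example; its “LDAP PlugIn Configs” array and “Server” key are assumptions about the file layout, and only the three timeout key names come from the text. The script writes a .bak copy before modifying the real file.

```python
"""Set the LDAPv3 plug-in rebind options in DSLDAPv3PlugInConfig.plist (added example)."""
from __future__ import annotations

import plistlib
import sys

DELAY_KEY = "Delay Rebind Try in seconds"   # from the documentation
IDLE_KEY = "Idle Timeout in minutes"        # from the documentation
ANCHOR_KEY = "OpenClose Timeout in seconds" # the key the new ones are placed beside

# Constructed sample plist, NOT a copy of a real Lion file. The nesting under
# "LDAP PlugIn Configs" and the "Server" key are assumptions about the layout.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>LDAP PlugIn Configs</key>
  <array>
    <dict>
      <key>Server</key><string>od.example.com</string>
      <key>OpenClose Timeout in seconds</key><integer>15</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def _dicts(node):
    """Yield every dict in a parsed plist, depth first, whatever the nesting."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _dicts(value)
    elif isinstance(node, list):
        for value in node:
            yield from _dicts(value)


def set_rebind_options(plist_bytes: bytes, delay_seconds: int, idle_minutes: int):
    """Return (new_plist_bytes, number_of_server_configs_updated).

    Every dict that already holds the OpenClose timeout is treated as one LDAP
    server configuration and gets both rebind keys added or overwritten.
    """
    if delay_seconds < 0 or idle_minutes < 0:
        raise ValueError("timeouts must be non-negative")
    root = plistlib.loads(plist_bytes)
    targets = [d for d in _dicts(root) if ANCHOR_KEY in d]   # collect first, then modify
    if not targets:
        raise ValueError(f"no dict containing {ANCHOR_KEY!r}; refusing to guess where to put the keys")
    for config in targets:
        config[DELAY_KEY] = int(delay_seconds)
        config[IDLE_KEY] = int(idle_minutes)
    return plistlib.dumps(root), len(targets)


def read_rebind_options(plist_bytes: bytes) -> list[tuple]:
    """(server, delay_seconds, idle_minutes) for each server config; None where a key is absent."""
    root = plistlib.loads(plist_bytes)
    return [(d.get("Server"), d.get(DELAY_KEY), d.get(IDLE_KEY)) for d in _dicts(root) if ANCHOR_KEY in d]


if __name__ == "__main__":
    # usage: sudo python3 rebind.py /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist 60 2
    path, delay, idle = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    with open(path, "rb") as f:
        original = f.read()
    with open(path + ".bak", "wb") as f:   # keep a copy of the untouched file
        f.write(original)
    updated, count = set_rebind_options(original, delay, idle)
    with open(path, "wb") as f:
        f.write(updated)
    print(f"updated {count} LDAP server configuration(s); backup at {path}.bak")
```

Running the function twice is safe: the second pass simply overwrites the two keys with the same values.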

Search the LDAP server

The ldapsearch tool connects to an LDAP server, authenticates, finds entries, and returns attributes of the entries found. To query the LDAP server for a user’s information:

Enter the following command, replacing the example search base (cn=users,dc=example,dc=com) with an actual search base:

$ ldapsearch -H ldap://127.0.0.1 -b cn=users,dc=example,dc=com

By default, ldapsearch tries to bind to the LDAP server using a Simple Authentication and Security Layer (SASL) mechanism. If the server doesn’t support this, you see this error message:

ldap_sasl_interactive_bind_s: No such attribute (16)

To avoid this error, include the -x option when you enter the command. For example:

$ ldapsearch -h 192.168.100.1 -b "dc=example,dc=com" -x

The -x option forces ldapsearch to use simple authentication instead of SASL. The -x option also works on other LDAP tools. With -x and no bind DN the search is anonymous; if you add a bind DN and password, the password travels in clear text unless the connection uses SSL (ldaps:// on port 636), which is exactly what the “Disable clear text passwords” policy option is meant to stop.

You can also use ldapsearch for debugging issues with LDAP, independent of the directory services LDAPv3 plug-in.

For example, you can read the root directory server entry (DSE) like the following (where -LLL omits some output, -x means a simple bind instead of SASL, -h specifies the host name, -b specifies the search base, and -s specifies the scope of the search):

$ ldapsearch -LLL -x -h ldap.psu.edu -b "" -s base
dn:
namingcontexts: CN=SCHEMA
namingcontexts: CN=LOCALHOST
namingcontexts: CN=PWDPOLICY
namingcontexts: CN=IBMPOLICIES
namingcontexts: DC=PSU,DC=EDU
subschemasubentry: cn=schema
supportedextension: 1.3.18.0.2.12.1
supportedextension: 1.3.18.0.2.12.3
supportedextension: 1.3.18.0.2.12.5
supportedextension: 1.3.18.0.2.12.6
supportedextension: 1.3.18.0.2.12.15
supportedextension: 1.3.18.0.2.12.16
supportedextension: 1.3.18.0.2.12.17
supportedextension: 1.3.18.0.2.12.19
supportedextension: 1.3.18.0.2.12.44
supportedextension: 1.3.18.0.2.12.24
supportedextension: 1.3.18.0.2.12.22
supportedextension: 1.3.18.0.2.12.20
supportedextension: 1.3.18.0.2.12.28
supportedextension: 1.3.18.0.2.12.30
supportedextension: 1.3.18.0.2.12.26
supportedextension: 1.3.6.1.4.1.1466.20037
supportedextension: 1.3.18.0.2.12.35
supportedextension: 1.3.18.0.2.12.40
supportedextension: 1.3.18.0.2.12.46
supportedextension: 1.3.18.0.2.12.37
supportedcontrol: 2.16.840.1.113730.3.4.2
supportedcontrol: 1.3.18.0.2.10.5
supportedcontrol: 1.2.840.113556.1.4.473
supportedcontrol: 1.2.840.113556.1.4.319
supportedcontrol: 1.3.6.1.4.1.42.2.27.8.5.1
supportedcontrol: 1.2.840.113556.1.4.805
supportedcontrol: 2.16.840.1.113730.3.4.18
supportedcontrol: 1.3.18.0.2.10.15
supportedcontrol: 1.3.18.0.2.10.18
security: none
port: 389
supportedsaslmechanisms: CRAM-MD5
supportedsaslmechanisms: DIGEST-MD5
supportedldapversion: 2
supportedldapversion: 3
ibmdirectoryversion: 5.2
ibm-ldapservicename: tr17n01.aset.psu.edu
ibm-serverId: 0f876740-64d2-102b-8f0b-8ab9d7eaa702
ibm-supportedacimechanisms: 1.3.18.0.2.26.3
ibm-supportedacimechanisms: 1.3.18.0.2.26.4
ibm-supportedacimechanisms: 1.3.18.0.2.26.2
vendorname: International Business Machines (IBM)
vendorversion: 5.2
ibm-sslciphers: N/A
ibm-slapdisconfigurationmode: FALSE
ibm-slapdSizeLimit: 200
ibm-slapdTimeLimit: 900
ibm-slapdDerefAliases: always
ibm-supportedAuditVersion: 2
ibm-sasldigestrealmname: tr17n01.aset.psu.edu

Note how much an anonymous base search discloses (vendor and version, size and time limits, SASL mechanisms, and that port 389 runs without SSL); this is the same information an attacker’s reconnaissance collects first.

If the server is an OpenLDAP server, specify + for operational attributes or specify the attributes of interest:

$ ldapsearch -LLL -x -h xtra.apple.com -b "" -s base +
dn:
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=apple,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
subschemaSubentry: cn=Subschema

Usually the namingContexts value is the first thing you want to determine:

$ ldapsearch -LLL -x -h xtra.apple.com -b "" -s base namingContexts
dn:
namingContexts: dc=apple,dc=com

After you determine the value, search for a record with a command like this:

$ ldapsearch -LLL -x -h xtra.apple.com -b "dc=apple,dc=com" uid=ajohnson uid cn
dn: uid=ajohnson,cn=users,dc=apple,dc=com
uid: ajohnson
cn: Anne Johnson

Use LDIF files

Lightweight Directory Interchange Format (LDIF) is a file format used to represent LDAP entries in text form. LDAP tools such as ldapadd, ldapmodify, and ldapsearch read and write LDIF files.

Here is an example of an LDIF file containing three entries. Multiple entries in an LDIF file are separated by blank lines.

dn: cn=Mei Chen,dc=example,dc=com
cn: Mei Chen
cn: M Chen
objectclass: person
description: file:///tmp/babs
sn: Chen

dn: cn=Anne Johnson,dc=example,dc=com
cn: Anne Johnson
cn: A Johnson
objectclass: person
sn: Johnson

dn: cn=Tom Clark,dc=example,dc=com
cn: Tom Clark
cn: T Clark
objectclass: person
sn: Clark

WARNING: LDAP tools can modify or add entries to the LDAP directory. Changing raw data in a directory can have unexpected and undesirable consequences. You could inadvertently incapacitate users or computers, or you could unintentionally authorize users to access more resources.

To load an LDIF file into the LDAP directory:

$ ldapadd -H ldap://appleserver.example.com -f myusers.ldif

Replace appleserver.example.com with the location of the LDAP directory and myusers.ldif with the name of your LDIF file.
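Reading that format by hand is where mistakes creep in, so here is an added Python example (not code from Apple's documentation or from the OpenLDAP tools) that parses both the rootDSE listings printed by ldapsearch -LLL above and a multi-entry LDIF file, then answers the two questions this section raises: which namingContexts the server has, and whether it advertises Start TLS (extension OID 1.3.6.1.4.1.1466.20037, present in both listings) so that a simple bind with -x can be wrapped in ldapsearch -ZZ rather than sent in the clear. The sample strings are constructed for the example.

```python
"""Minimal LDIF reader for the ldapsearch -LLL output and the LDIF file above.

Added example, not part of Lion Server or the OpenLDAP tools. Handles what the
page's samples rely on (blank-line entry separation, repeated attribute names
for multi-valued fields, an empty dn for the rootDSE) plus two LDIF rules they
do not show: a line starting with one space continues the previous line, and a
value after '::' is base64. Attribute names are lower-cased because LDAP treats
them as case-insensitive (namingContexts and namingcontexts are one field).
"""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# RFC 4511 Start TLS extended operation; both servers queried above list it.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def parse_ldif(text: str) -> List[Entry]:
    """Return one dict per entry; each attribute maps to its list of values."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:       # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:                   # sentinel closes the last entry
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if value.startswith(":"):                 # attr:: <base64 value>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):               # attr:< URL, kept as URL text
            value = value[1:].strip()
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def naming_contexts(rootdse_ldif: str) -> List[str]:
    """namingContexts from: ldapsearch -LLL -x -h host -b "" -s base"""
    entries = parse_ldif(rootdse_ldif)
    if len(entries) != 1 or entries[0].get("dn") != [""]:
        raise ValueError("expected exactly one rootDSE entry with an empty dn")
    return entries[0].get("namingcontexts", [])


def supports_starttls(rootdse_ldif: str) -> bool:
    """True if the server advertises Start TLS, so a simple bind (-x) can be
    wrapped with ldapsearch -ZZ instead of sending the password in clear."""
    return STARTTLS_OID in parse_ldif(rootdse_ldif)[0].get("supportedextension", [])


# Constructed sample, modelled on the xtra.apple.com rootDSE listing above.
ROOTDSE = """dn:
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=apple,dc=com
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedLDAPVersion: 3
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
"""

# Constructed sample in the shape of the three-entry file above, with one folded
# description line and one base64 cn added to exercise those two rules.
PEOPLE = """dn: cn=Mei Chen,dc=example,dc=com
cn: Mei Chen
cn: M Chen
objectclass: person
sn: Chen

dn: cn=Anne Johnson,dc=example,dc=com
cn: Anne Johnson
cn: A Johnson
objectclass: person
description: member of the
  engineering group
sn: Johnson

dn: cn=Tom Clark,dc=example,dc=com
cn:: VG9tIENsYXJr
cn: T Clark
objectclass: person
sn: Clark
"""
```

The same parser reads the IBM listing further up unchanged, since lower-casing makes its namingcontexts attribute match.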

Kerberize services with an Active Directory server

If your computer is connected to an Active Directory server, you can use the dsconfigad command to Kerberize your services with the Active Directory Kerberos realm. This is commonly used when configuring a magic triangle with an Active Directory server and an Open Directory server.

Enter the following command to Kerberize your services with an Active Directory server:

$ sudo dsconfigad -enablesso

Manage directory service domains

Use dscl, a general-purpose tool, for operating on directory domains. You can create, read, and manage directory data. If invoked without commands, dscl runs in an interactive mode, reading commands from standard input.

The following example shows basic dscl tool uses:

To verify that you can access an LDAPv3 directory:

$ dscl localhost
> cd /LDAPv3/directory.example.com/Users
> ls

You should see a list of the server’s network user accounts.

For more information, see the dscl man page.

Manipulate a single named group record

Use dseditgroup to manipulate a single named group record on the default local directory domain or on the specified directory domain. The following examples show uses for dseditgroup. To manipulate a group record:


To view the attributes of a group in the local directory domain:

$ dseditgroup -o read groupname

To create a group in a domain:

$ dseditgroup -o create -n /LDAPv3/ldap.example.com -u diradmin_name -P diradmin_password -r "Gr…

To create a Windows group in a domain and set the domain group relative identifier (RID):

$ dseditgroup -o create -n /LDAPv3/ldap.example.com -u diradmin_name -P diradmin_password -r "Gr…
$ dscl -u diradmin_name -P diradmin_password /LDAPv3/ldap.example.com -create /Groups/groupname …

To delete a group from a domain:

$ dseditgroup -o delete -n /LDAPv3/ldap.example.com -u diradmin_name -P diradmin_password groupn…

Parameter           Description
diradmin_name       Name of the directory administrator
diradmin_password   Password of the directory administrator
Group Name          Real name to add or replace
comment             Comment to add or replace
1234                Time-to-live, in seconds, to add or replace
some keyword        Keyword to add
groupname           Group name

For more information, see the dseditgroup man page.

Add or remove LDAP server configurations

Use dsconfigldap to add or remove LDAP server configurations in directory services.

To add an LDAP server:

$ dsconfigldap -v -a myldap.example.com

To remove an LDAP server:

$ dsconfigldap -v -r myldap.example.com

Configure the Active Directory connector

Use dsconfigad to configure the Active Directory connector from the command line. dsconfigad has the same functionality for configuring the Active Directory connector as Directory Utility.

To add a computer to a directory:

$ dsconfigad -a computerid -u "administrator" -ou "CN=Computers,OU=Engineering,DC=ads,DC=demo,DC=…

Parameter                                          Description
computerid                                         The computer ID to add to the domain.
administrator                                      The user name of a network account that has administrator privileges.
CN=Computers,OU=Engineering,DC=ads,DC=demo,DC=com  The LDAP domain name of the container used for adding the computer. If this is not specified, it defaults to the container.
domain                                             The fully qualified domain name of the domain used when adding the computer to the directory.

For more information, see the dsconfigad man page.

If Kerberos is stopped on an Open Directory master or replica

An Open Directory master requires properly configured DNS so it can provide single sign-on Kerberos authentication.

1. Make sure DNS service is configured to resolve fully qualified DNS names and provide corresponding reverse lookups.

DNS must resolve fully qualified DNS names and provide reverse lookups for the master server, replica servers, and other servers that are members of the Kerberos realm.

To perform a DNS lookup of a server’s DNS name and a reverse lookup of the server’s IP address, you can use the Lookup pane of Network Utility (in /Applications/Utilities).

For more information about setting up DNS service, see Server Admin Help.

2. Make sure the Open Directory master server’s host name is the correct fully qualified DNS name, not the server’s local hostname.

For example, the host name might be ods.example.com but should not be ods.local.

You can see the host name by opening Terminal and entering hostname.

If the Open Directory server’s host name isn’t its fully qualified DNS name, temporarily clear the list of DNS servers and click Apply in the Open Directory server’s Network preferences. Then re-enter DNS server IP addresses, starting with the primary DNS server that resolves the Open Directory server’s name, and click Apply in Network Preferences.

If the Open Directory server’s host name still isn’t its fully qualified DNS name, restart the server.

3. Make sure the Open Directory master server’s Network preferences are configured to use the DNS server that resolves the server’s name.

If the Open Directory master server provides its own DNS service, the server’s Network preferences must be configured to use itself as a DNS server.

4. After confirming the correct DNS configuration for the server, start Kerberos.

See Start Kerberos after setting up an Open Directory master.
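The DNS conditions in steps 1 to 3, as an added Python check (not an Apple tool): it takes the answers each configured DNS server gives as a table so it runs offline, and reports which requirement a master fails. The host names, addresses and DNS views are constructed for the example.

```python
"""Offline pre-flight check for steps 1 to 3 above.

Added example, not an Apple tool. A DnsView holds what one DNS server answers,
so the check runs without a network; for real use, fill the views from dig or
host (or socket.gethostbyname and socket.gethostbyaddr) against each DNS server
listed in the master's Network preferences.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class DnsView:
    forward: Dict[str, str] = field(default_factory=dict)  # name -> IPv4 address
    reverse: Dict[str, str] = field(default_factory=dict)  # IPv4 address -> name


def od_dns_problems(hostname: str, server_ip: str, dns_servers: List[str],
                    views: Dict[str, DnsView], serves_own_dns: bool = False) -> List[str]:
    """Empty list when the master meets the DNS requirements above, otherwise
    one message per failed requirement (step 2, then step 3, then step 1)."""
    problems: List[str] = []
    name = hostname.lower().rstrip(".")

    # Step 2: the host name must be the fully qualified DNS name, not the .local name.
    if "." not in name or name.endswith(".local"):
        problems.append(f"host name {hostname!r} is not a fully qualified DNS name")

    # Step 3: Network preferences must point at a DNS server that resolves the name;
    # a master that runs its own DNS service must list itself.
    if not dns_servers:
        problems.append("no DNS server configured in Network preferences")
        return problems
    if serves_own_dns and not any(s in (server_ip, "127.0.0.1") for s in dns_servers):
        problems.append("server provides its own DNS service but does not use itself as a DNS server")
    primary = dns_servers[0]
    view = views.get(primary)
    if view is None:
        problems.append(f"primary DNS server {primary} did not answer")
        return problems

    # Step 1: forward lookup of the name and reverse lookup of the address must agree.
    ip = view.forward.get(name)
    if ip is None:
        problems.append(f"{primary} does not resolve {name}")
    elif ip != server_ip:
        problems.append(f"{name} resolves to {ip}, but the server address is {server_ip}")
    ptr = view.reverse.get(server_ip)
    if ptr is None:
        problems.append(f"{primary} has no reverse lookup for {server_ip}")
    elif ptr.lower().rstrip(".") != name:
        problems.append(f"reverse lookup of {server_ip} gives {ptr}, not {name}")
    return problems


# Constructed sample: a master that is its own DNS server (10.0.0.5) and a second
# DNS server (10.0.0.9) that knows nothing about it.
VIEWS = {
    "10.0.0.5": DnsView(forward={"ods.example.com": "10.0.0.5"},
                        reverse={"10.0.0.5": "ods.example.com"}),
    "10.0.0.9": DnsView(),
}

if __name__ == "__main__":
    print(od_dns_problems("ods.example.com", "10.0.0.5", ["10.0.0.5"], VIEWS, True))
    print(od_dns_problems("ods.local", "10.0.0.5", ["10.0.0.9", "10.0.0.5"], VIEWS, True))
```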

If you can't create an Open Directory replica

If you try to create two replicas simultaneously, one attempt succeeds and the other fails. A subsequent attempt to establish the second replica should succeed. If you still can’t create the second replica, go to folder /var/run/, look for the file slapconfig.lock, and remove it if it exists. Also, view the /Library/Logs/slapconfig.log log file. Alternatively, restart the server.

If you can't connect a replica to your relay

Make sure your replica has not reached its capacity of 32 replicas. Also make sure that you are not connecting to a second tier replica instead of a first tier relay.

If you can't join an Open Directory replica to an Open Directory that's a subordinate of an Active Directory server

Before you try to turn the server into a replica of the subordinate Open Directory server, make sure you connect the server to the same Active Directory server as the Open Directory master server you are attempting to connect to. Your replicas must have access to the Active Directory server for Kerberos to work.

If a delay occurs during startup

If a Mac experiences a startup delay while a message about LDAP or directory services appears above the progress bar, the computer could be trying to access an LDAP directory that is not available on your network. Consider the following:

A pause during startup is normal if a portable computer is not connected to the network that the LDAP server is connected to.

Use Directory Services under Login Option in Account preferences to make sure the local directory domain and LDAP configurations are correct.

Use the Network pane of System Preferences to make sure the computer’s network location and other network settings are correct.

Inspect the physical network connection for faults.

If you can't change a user's Open Directory password

To change the password of a user whose password type is Open Directory, you must be an administrator of the directory domain where the user’s record resides. In addition, your user account must have a password type of Open Directory.

The user account specified when the Open Directory master was set up (using Server Assistant or the Open Directory service settings in Server Admin) normally has an Open Directory password. You can use this account to set up other user accounts as directory domain administrators with Open Directory passwords.

If all else fails, enable the root user account and use it to set up a user account as a directory administrator with an Open Directory password. For information on enabling the root account, see Directory Utility Help (located in the Server app > Tool > Directory Utility).

If a user can't access some services

If a user can access some services that require authentication but not others, temporarily change the user’s password to a simple sequence of characters, such as “password.”

If this solves the problem, the user’s previous password contained characters that were not recognized by all services. For example, some services accept spaces in passwords while others don’t.

If users can't authenticate for VPN service

Users whose accounts are stored on a server with Mac OS X Server v10.2 can’t authenticate to VPN service provided by Mac OS X Server v10.3–10.6 or Lion Server. VPN service requires the MS-CHAPv2 authentication method, which isn’t supported in Mac OS X Server v10.2.


To enable affected users to log in, move their user accounts to a server with Mac OS X Server v10.3–10.6 or Lion Server. Alternatively, if possible, upgrade the older server to Lion Server or later.

If you can't change a user's password type to Open Directory

To change a user’s password type to Open Directory authentication, you must be an administrator of the directory domain where the user’s record resides. In addition, your user account must be configured for Open Directory authentication.

The user account specified when the Open Directory master was set up (using Server Assistant or the Open Directory service settings in Server Admin) has an Open Directory password. You can use this account to set up other user accounts as directory domain administrators with Open Directory passwords.

If users can't log in with accounts in a shared directory domain

Users can’t log in using accounts in a shared directory domain if the server hosting the directory isn’t accessible. A server can become inaccessible due to a problem with the network, the server software, or the server hardware.

Problems with the server hardware or software affect users trying to log in to a Mac computer. Network problems can affect some users but not others, depending on where the network problem is.

Users with mobile user accounts can still log in to a Mac they used previously, and users affected by these problems can log in by using a local user account defined on the computer, such as the user account created during setup after installing Mac OS X Lion.

If you can't log in as an Active Directory user

After configuring a connection to an Active Directory domain in the Service pane of Directory Utility (located in Users & Groups preferences) and adding it to a custom search policy in the Authentication pane, wait 10 or 15 seconds for the change to take effect. Attempts to log in immediately with an Active Directory account do not succeed.

If users can't authenticate using single sign-on Kerberos

When a user or service that uses Kerberos experiences authentication failures, try these remedies:

Kerberos authentication is based on encrypted time stamps. If there’s more than a 5-minute difference between the KDC, client, and service computers, authentication may fail.

Make sure the clocks for all computers are synchronized using the Network Time Protocol (NTP) service of a Lion server or another network time server. For information about the NTP service, see NTP.

Make sure Kerberos is running on the Open Directory master and replicas. See If Kerberos is stopped on an Open Directory master or replica.

If a Kerberos server used for password validation is not available, reset the user’s password to use a server that is available.

Make sure the server providing the Kerberized service has access to the Kerberos server’s directory domain, and make sure this directory domain contains the accounts for users who are trying to authenticate using Kerberos. For information about configuring access to directory domains, see Directory server connections.

For an Open Directory server’s Kerberos realm, make sure the client computer is configured to access the Open Directory server’s LDAP directory using the correct search base suffix. The client’s LDAPv3 search base suffix setting must match the LDAP directory’s search base setting. The client’s LDAPv3 search base suffix can be blank if it gets its LDAP mappings from the server. If so, the client uses the LDAP directory’s default search base suffix.

To check the client’s search base suffix setting, open Directory Utility (located in Users & Groups preferences), show the list of LDAPv3 configurations, and choose the item from the LDAP Mappings pop-up menu that’s already selected in the menu.


For more information, see Change the connection settings for an LDAP or Open Directory server.

To check the LDAP directory’s search base setting, open Server Admin and look in the Protocols pane of the Settings pane for Open Directory service.

For information that can help you solve problems, see the KDC log. Also see View Open Directory status and logs.

If Kerberos was not running when user records were created, imported, or updated from an earlier Mac OS X version, they might not be enabled for Kerberos authentication:

A record isn’t enabled for Kerberos if its authentication authority attribute lacks the ;Kerberosv5; value. Use the Directory Editor in Directory Utility to see the values of a user record’s authentication authority attribute. For more information, see Directory Utility Help.

Enable Kerberos for a user record by changing its password type. Set the password type to Shadow Password, then set it to Open Directory. For more information, see Change the password type to shadow password and Change the password type to Open Directory.

If users can’t authenticate using single sign-on or Kerberos for services provided by a server that is joined to an Open Directory master’s Kerberos realm, the server’s computer record might be incorrectly configured in the Open Directory master’s LDAP directory. The server’s name in the computer group account must be the server’s fully qualified DNS name, not just the server’s host name. For example, the name could be server2.example.com but not just server2.

1. Delete the server from the computer group account in the LDAP directory.

For more information about this and the next step, see Workgroup Manager Help.

2. Add the server to the computer group again.

3. Delegate authority again for joining the server to the Open Directory master’s Kerberos realm.

For more information, see Delegate authority to join an Open Directory Kerberos realm.

4. Rejoin the server to the Open Directory Kerberos realm.

For more information, see Join a server to a Kerberos realm.

If you can't join a server to an Open Directory Kerberos realm

If a user with delegated Kerberos authority can’t join a server to an Open Directory master’s Kerberos realm, the server’s computer record might be incorrectly configured in the Open Directory master’s LDAP directory.

The server’s address in the computer group account must be the server’s primary Ethernet address. The primary Ethernet address is the Ethernet ID of the first Ethernet port in the list of network port configurations shown in the server’s Network preferences pane.

1. Delete the server from the computer group account in the LDAP directory.

For more information about this and the next step, see Workgroup Manager Help.

2. Add the server to the computer group again.

3. Delegate authority again for joining the server to the Open Directory master’s Kerberos realm.

Skip this step if you can use a Kerberos administrator account (LDAP directory administrator account) to rejoin the server to the Kerberos realm.

For more information, see Delegate authority to join an Open Directory Kerberos realm.

4. Rejoin the server to the Open Directory Kerberos realm.

For more information, see Join a server to a Kerberos realm.

Command-Line parameters for Open Directory


Open Directory service settings

To change settings for the Open Directory service, use the following parameters with the serveradmin tool. Be sure to add dirserv: to the beginning of any parameter you use.

Parameter                               Description
replicationUnits                        Default = "days"
replicaLastUpdate                       Default = ""
LDAPSettings:LDAPDataBasePath           Default = ""
replicationPeriod                       Default = 4
LDAPSettings:LDAPSearchBase             Default = ""
passwordOptionsString                   Default = "usingHistory=0 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0"
LDAPSettings:LDAPSSLCertificatePath     Default = ""
masterServer                            Default = ""
LDAPServerType                          Default = "standalone"
replicationWhen                         Default = "periodic"
LDAPSettings:useSSL                     Default = "YES"
LDAPDefaultPrefix                       Default = "dc=domain,dc=com"
LDAPSettings:LDAPTimeoutUnits           Default = "minutes"
LDAPSettings:LDAPServerBackend          Default = "BerkeleyDB"
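The passwordOptionsString default is the one security-relevant value in that table, and every option in it is 0. The following added Python (not part of serveradmin or Apple's documentation) parses that string, reports which protections the defaults leave off, and rebuilds a string in the same key=value form; the hardened numbers are illustrative choices, not Apple recommendations.

```python
"""Parse, audit and rebuild the dirserv:passwordOptionsString value above.

Added example, not part of serveradmin. The default in the table sets every
option to 0, which means the global policy enforces nothing; this audit names
what that leaves open and shows a hardened string in the same key=value form.
The hardened numbers are illustrative choices, not Apple recommendations.
"""
from typing import Dict, List, Union

Policy = Dict[str, Union[int, str]]

# The default value from the table above, one key=value pair per option.
DEFAULT_POLICY_STRING = (
    "usingHistory=0 usingExpirationDate=0 usingHardExpirationDate=0 "
    "requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 "
    "hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 "
    "maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 "
    "minChars=0 maxChars=0 passwordCannotBeName=0"
)


def parse_policy(text: str) -> Policy:
    """Split 'key=value key=value ...' into a dict; numeric values become ints,
    the two date values stay strings."""
    policy: Policy = {}
    for pair in text.split():
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed option: {pair!r}")
        policy[key] = int(value) if value.lstrip("-").isdigit() else value
    return policy


def render_policy(policy: Policy) -> str:
    """Inverse of parse_policy: the string to hand to serveradmin for
    dirserv:passwordOptionsString (quoted, since it contains spaces)."""
    return " ".join(f"{key}={value}" for key, value in policy.items())


def policy_findings(policy: Policy) -> List[str]:
    """Options that leave the directory's passwords unprotected."""
    findings: List[str] = []
    if policy.get("maxFailedLoginAttempts", 0) == 0:
        findings.append("no lockout: unlimited failed login attempts")
    if policy.get("minChars", 0) == 0:
        findings.append("no minimum password length")
    if policy.get("requiresAlpha", 0) == 0 and policy.get("requiresNumeric", 0) == 0:
        findings.append("no character-class requirement")
    if policy.get("usingHistory", 0) == 0:
        findings.append("password reuse is not prevented")
    if policy.get("passwordCannotBeName", 0) == 0:
        findings.append("password may be the same as the user name")
    if (policy.get("maxMinutesUntilChangePassword", 0) == 0
            and policy.get("usingExpirationDate", 0) == 0):
        findings.append("passwords never expire")
    return findings


def with_overrides(policy: Policy, **overrides: int) -> Policy:
    """Copy of policy with the given options changed; unknown names are rejected
    so a typo cannot silently add a key serveradmin would not understand."""
    unknown = set(overrides) - set(policy)
    if unknown:
        raise KeyError(f"unknown option(s): {sorted(unknown)}")
    return {**policy, **overrides}


# Illustrative hardened policy: lockout after 5 failures, 12-character minimum,
# letters and digits required, 10 previous passwords remembered, change forced
# every 180 days (259200 minutes).
HARDENED = with_overrides(parse_policy(DEFAULT_POLICY_STRING),
                          maxFailedLoginAttempts=5, minChars=12, requiresAlpha=1,
                          requiresNumeric=1, usingHistory=10, passwordCannotBeName=1,
                          maxMinutesUntilChangePassword=259200)

if __name__ == "__main__":
    for finding in policy_findings(parse_policy(DEFAULT_POLICY_STRING)):
        print("default policy:", finding)
    print(render_policy(HARDENED))
```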

OpenLDAP standard distribution tools

Two types of tools come with OpenLDAP:

Tools that operate directly on the LDAP databases—these tools begin with slap.

Tools that go through the LDAP protocol—these tools begin with ldap.

You must run the slap tools on the computer hosting the LDAP database. When using slap tools, shut down the LDAP service. If you don’t, your database can get out of sync.

These tools are included in the standard OpenLDAP distribution.

Tool Used to

/usr/bin/ldapadd Add entries to the LDAP directory.

/usr/bin/ldapcompare Compare a directory entry’s actual attributes with known attributes

/usr/bin/ldapdelete Delete entries from the LDAP directory.

/usr/bin/ldapmodify Change an entry’s attributes.

/usr/bin/ldapmodrdn Change an entry’s relative distinguished name (RDN).

/usr/bin/ldappasswd Set the password for an LDAP user. Apple recommends using passwd instead of ldappasswd. For more information, see the passwd man page.

/usr/bin/ldapsearch Search the LDAP directory.

/usr/bin/ldapwhoami Obtain the primary authorization identity associated with a user.

/usr/sbin/slapadd Add entries to the LDAP directory.

/usr/sbin/slapcat Export LDAP Directory Interchange Format files.

/usr/sbin/slapindex Regenerate directory indexes.

/usr/sbin/slappasswd Generate user password hashes.

About Directory Utility

Directory Utility is used for configuring advanced connections to directory servers. For basic connections to Open Directory and Active Directory domains, use the Network Accounts Server options in the Login Options sections of Users & Groups preferences. For instructions, click the Help button for the Login Options section of Users & Groups preferences.

You can customize the advanced settings of Directory Utility to work with your computer and software applications. You can use Directory Utility (located in Users & Groups preferences) to set up and manage how a computer with Mac OS X Lion or a server with Mac OS X Lion server accesses directory domains.

You can use the advanced features of Directory Utility to configure NFS mount records, services, search policies, and remotecomputers.

The following are advanced features of Directory Utility:

Connect: configures a client computer or server remotely.

Services: configures directory servers that users can access.

Search Policy: configures where the computer searches for user authentication and contact information.

Directory Editor: configures records and attributes in a directory domain or local directory.

Accessing LDAP directories

You can configure a computer with Mac OS X or a server with Mac OS X Server to access specific LDAP directories, including the LDAP directory of a Mac OS X Server Open Directory master.

Accessing an Active Directory domain

You can configure a computer with Mac OS X or a server with Mac OS X Server to access an Active Directory domain on a Windows 2000 or Windows 2003 or later server. To learn more, click the topics below.

Accessing an NIS domain

You can create a configuration that specifies how Mac OS X accesses an NIS domain.

Using BSD configuration files

You can use Open Directory to retrieve administrative data from BSD configuration files such as /etc/master.passwd, also known as BSD flat files.

View and edit directory data

You can view or edit raw directory data by using Directory Editor in Directory Utility. When using Directory Editor you can see directory data and edit directory data. For example, you can use Directory Editor to change a user’s first short name.

Directory server connections

You can use Users & Groups preferences to connect computers to directory servers. You can view lists of directory servers your computer is connected to by clicking Edit in the Login Options pane of Users & Groups preferences. Your Mac computer accesses the servers in the list for user information and other administrative data stored in the directory domain of directory servers.


When you add or delete a server in the Directory Servers list, the entries associated with that directory server are added or deleted from the Services, Authentication, and Contacts list. However, if you remove the associated entries in the Services, Authentication, and Contacts list, the directory server is not removed from the Directory Servers list.

For more information about using Users & Groups preferences to add directory servers, search Mac Help for network account server.

A Mac computer can connect to an Open Directory, Active Directory, or LDAP directory server. If you don’t know which server to connect to, ask your network administrator.

Important: If your computer name contains a hyphen, you might not be able to join or bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.

Configure access to an Open Directory server

When adding an Open Directory server, you must know the server name or IP address and whether the server uses Secure Sockets Layer (SSL).

Important: If your computer name contains a hyphen, you might not be able to join or bind to a Directory Domain such as LDAP or Open Directory. To establish binding, use a computer name that does not contain a hyphen.

1. Open System Preferences and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select LDAPv3 and click the Edit button.

8. Click New, then click Edit.

By default, the new directory connection is enabled. For more information about enabling or disabling a directory connection, see Enable or disable directory service.

9. Enter a name in the Configuration Name field.

10. Enter the server name or IP address of the Open Directory server in the Server Name or IP Address field.

11. Select “Encrypt using SSL” if you want Open Directory to use Secure Sockets Layer (SSL) for connections.

Before you select this, ask your Open Directory administrator to determine if SSL is needed.

If Directory Utility can’t contact the Open Directory server, you might need to adjust your configuration access settings. For more information, see Change the connection settings for an LDAP or Open Directory server.

12. Click Search & Mappings.

13. From the “Access this LDAPv3 server using” pop-up menu, choose Open Directory and enter a search base.

You must enter a search base suffix or the computer can’t find information in the Open Directory. Typically, the search base suffix is derived from the server’s DNS host name. For example, the search base suffix could be “dc=ods,dc=example,dc=com” for a server whose DNS host name is ods.example.com.

For more information about setting up searches and mappings for an LDAP server, see Configure LDAP Searches & Mappings.

14. If the directory server supports trusted binding, click Bind and enter the name of the computer and the name and password of a directory administrator.

The binding might be optional.

Trusted binding is mutual: each time the computer connects to the LDAP directory, they authenticate each other. If trusted binding is set up or the LDAP directory doesn’t support trusted binding, the Bind button does not appear. Make sure you supplied the correct computer name.

If you see an alert saying that a computer record exists, try again using a different computer name, or click Overwrite to replace the existing computer record.

The existing computer record might be abandoned, or it might belong to another computer.

If you replace an existing computer record, notify the LDAP directory administrator in case replacing the record disables another computer. In this case, the LDAP directory administrator must give the disabled computer a different name and add it back to the computer group it belonged to.

For more information, see Set up trusted binding for an LDAP directory.

15. Click Security.

If Open Directory requires authentication to connect, select “Use authentication when connecting” and enter the distinguished name and password of a user account in the directory.

An authentication connection is not mutual: the LDAP server authenticates the client but the client doesn’t authenticate the server.

The distinguished name can specify any user account that has permission to see data in the directory. For example, a user account whose short name is dirauth on an LDAP server and whose address is ods.example.com would have the distinguished name uid=dirauth,cn=users,dc=ods,dc=example,dc=com.

For more information, see Change the security policy for an LDAP connection.

Important: If the distinguished name or password is incorrect, you can log in to the computer using a user account from the LDAP directory.

16. Click OK to finish creating the Open Directory connection.

17. Click OK to finish configuring LDAPv3 options.

If you want the computer to access the LDAP directory you created a configuration for, add the directory to a custom search policy in the Authentication pane and the Contacts pane of Search Policy in Directory Utility, then make sure it is enabled in Services. For information about creating search policies, see Define search policies. For information about enabling a directory service, see Enable or disable directory service.

Important: If you change the IP address and computer name of your Mac server using changeip while you are connected to a directory server, you must disconnect and reconnect to the directory server to update the directory with the new computer name and IP address. If you do not disconnect and reconnect to the directory server, the directory does not update and continues to use the old computer name and IP address.

Set up Directory Utility on a remote server

You can use Directory Utility on your computer to remotely set up and manage how a Mac server accesses directory services.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. From the File menu, choose Connect.

7. Enter the following connection and authentication information for the server you want to configure.

Address: Enter the DNS host name or IP address of the server you want to configure.

User Name: Enter the user name of an administrator on the server.

Password: Enter the password for the user name.

8. Click Connect.

9. Click the Services, Search Policy, and Directory Editor tabs and change settings as needed.

Changes you make affect the remote server you connected to in the previous steps.

10. From the File menu on your computer, choose Disconnect.

Lion Server user management ► Directory Utility ► Get started

Root account

The root account is an unrestricted administrator account used to perform changes to critical system files. You can enable the root account and change its password using Directory Utility.

Enable the root account

You can use Directory Utility to enable the root account. If you enable the root account, use a complex password that contains alphanumeric and special characters, to prevent the password from being compromised.

WARNING: The root account is an unrestricted administrator account used to perform changes to critical system files. Even if you are logged in as an administrator, you must use the root account or sudo to perform critical system tasks.

Avoid using the root account to log in to a computer remotely or locally. Instead, use the sudo command-line tool to perform tasks that require root user privileges. You can restrict access to sudo by adding users to the /etc/sudoers file. If you log in using the root account, log out as soon as you finish performing tasks that require root user privileges.

1. Open System Preferences and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Choose Edit > Enable Root User.

Change the root account password

You can use Directory Utility (located in Users & Groups preferences) to change the root account password. When changing the root password, use a complex password that contains alphanumeric and special characters, to prevent the password from being compromised.

WARNING: The root account is an unrestricted administrator account used to perform changes to critical system files. Even if you are logged in as an administrator, you must use the root account or sudo to perform critical system tasks.

Avoid using the root account to log in to a computer remotely or locally. Instead, use the sudo command-line tool to perform tasks that require root user privileges. You can restrict access to sudo by adding users to the /etc/sudoers file. If you log in using the root account, log out as soon as you finish performing tasks that require root user privileges.

1. Open System Preferences and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Choose Edit > Change Root Password.

7. When prompted, enter the new root password in the Password and Verify fields.

8. Click OK.

Lion Server user management ► Directory Utility ► LDAP directories

Configure access to an LDAP directory

Using Directory Utility, you can specify how your Mac computer accesses an LDAPv3 directory if you know the DNS host name or IP address of the LDAP directory server.

If the directory is not hosted by a server that supplies its own mappings (such as a Mac server), you must know the search base and the template for mapping Mac OS X data to the directory’s data.

Supported mapping templates are:

Open Directory Server, for a directory that uses the Mac server schema

Active Directory, for a directory hosted by a Windows 2000, Windows 2003, or later server

RFC 2307, for most directories hosted by UNIX servers

The LDAPv3 plug-in fully supports Open Directory replication and failover. If the Open Directory master becomes unavailable, the plug-in falls back to a nearby replica.

To specify custom mappings for the directory data, follow the instructions in Configure access to an LDAP directory manually instead of the instructions here.

Important: If your computer name contains a hyphen, you might not be able to join or bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select LDAPv3 and click the Edit button (/).

8. Click New, then click Edit.

By default, the new directory connection is enabled. For more information about enabling or disabling a directory connection, see Enable or disable directory service.

9. Enter a name in the Configuration Name field.

10. Enter the LDAP server’s DNS host name or IP address in the Server Name or IP Address field.

11. Select “Encrypt using SSL” if you want Open Directory to use Secure Sockets Layer (SSL) for connections with the LDAP directory.

Before you select this, ask your Open Directory administrator to determine if SSL is needed.

If Directory Utility can’t contact the LDAP server, you might need to adjust your configuration access settings. For more information, see Change the connection settings for an LDAP or Open Directory server.

12. Click Search & Mappings.

13. From the “Access this LDAPv3 server using” pop-up menu, choose Open Directory and enter a search base.

Typically, the search base suffix is derived from the server’s DNS host name. For example, the search base suffix could be “dc=ods,dc=example,dc=com” for a server whose DNS host name is ods.example.com.

14. If the directory server supports trusted binding, click Bind and enter the name of the computer and the name and password of a directory administrator.

The binding might be optional.

Trusted binding is mutual: each time the computer connects to the LDAP directory, they authenticate each other. If trusted binding is already set up or the LDAP directory doesn’t support trusted binding, the Bind button does not appear. Make sure you supply the correct computer name.

If you see an alert saying that a computer record exists, try again using a different computer name, or click Overwrite to replace the existing computer record.

The existing computer record might be abandoned, or it might belong to another computer.

If you replace an existing computer record, notify the LDAP directory administrator in case replacing the record disables another computer. In this case, the LDAP directory administrator must give the disabled computer a different name and add it back to the computer group it belonged to.

15. Click Security.

If the LDAP directory requires authentication to connect, select “Use authentication when connecting” and enter the distinguished name and password of a user account in the directory.

An authentication connection is not mutual: the LDAP server authenticates the client but the client doesn’t authenticate the server.

The distinguished name can specify any user account that has permission to see data in the directory. For example, a user account whose short name is dirauth on an LDAP server and whose address is ods.example.com would have the distinguished name uid=dirauth,cn=users,dc=ods,dc=example,dc=com.

Important: If the distinguished name or password is incorrect, you can’t log in to the computer using a user account from the LDAP directory.

16. Click OK to finish creating the LDAP connection.

17. Click OK to finish configuring LDAPv3 options.

If you want the computer to access the LDAP directory you created a configuration for, add the directory to a custom search policy in the Authentication pane and the Contacts pane of Search Policy in Directory Utility, then make sure it is enabled in Services. For information about creating search policies, see Define search policies. For information about enabling a directory service, see Enable or disable directory service.
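Steps 13 and 15 above (and the matching steps of the Open Directory procedure before this section) derive the search base suffix from the server’s DNS host name and then build a user’s distinguished name on top of it. The shell functions below are an added example, not code from Apple’s guide: they carry that derivation through for any number of DNS labels, build the DN the guide shows for its dirauth example, and apply the computer-name hyphen check from the Important note at the start of this section. The cn=users container is an assumption taken from the guide’s own Open Directory example (other schemas place users elsewhere), and the host, user and computer names are constructed sample values.

```shell
#!/bin/sh
# Added example (not from Apple's Lion Server guide): derive the LDAP search
# base suffix and a user DN from a DNS host name, as steps 13 and 15 describe.

# search_base_from_host HOST
#   ods.example.com -> dc=ods,dc=example,dc=com
#   Each DNS label becomes one dc= component, in the same order.
search_base_from_host() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++)
            printf "%sdc=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# user_dn SHORTNAME HOST
#   Builds the DN entered under "Use authentication when connecting".
#   Assumption: user records live in cn=users, the Open Directory container
#   used in the guide's own example; other directory schemas differ.
user_dn() {
    printf 'uid=%s,cn=users,%s\n' "$1" "$(search_base_from_host "$2")"
}

# computer_name_ok NAME
#   Returns 0 when the name contains no hyphen. The guide warns that a
#   hyphenated computer name can prevent joining or binding to a directory.
computer_name_ok() {
    case $1 in
        *-*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Constructed sample values mirroring the guide's example.
search_base_from_host ods.example.com   # dc=ods,dc=example,dc=com
user_dn dirauth ods.example.com         # uid=dirauth,cn=users,dc=ods,dc=example,dc=com
computer_name_ok mac-pro-01 || echo "rename mac-pro-01 before binding: it contains a hyphen"
```

Run the checks before filling in the Security pane: a DN typed with a label missing or in the wrong order fails the authenticated connection, and the guide notes you then cannot log in with directory accounts.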

Lion Server user management ► Directory Utility ► LDAP directories

Reconfigure LDAP directory access

You can change, duplicate, or delete the configuration settings for an LDAP server: change them when your LDAP server access requirements change, duplicate the settings of an existing LDAP connection when you add a similar LDAP server that needs only minor connection changes, and delete an LDAP connection you no longer need.

Change a configuration for accessing an LDAP directory

You can use Directory Utility to change the settings of an LDAP directory configuration. The configuration settings specify how Open Directory accesses an LDAPv2 or LDAPv3 directory.

If the LDAP configuration was provided by DHCP, it can’t be changed, so this type of configuration is dimmed in the LDAP configurations list.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select LDAPv3 and click the Edit button (/).

8. If the list of server configurations is hidden, click Show Options.

9. Make changes as needed to the following settings:

Enable: Click a checkbox to enable or disable access to an LDAP directory server.

Configuration Name: Double-click a configuration name to edit it.

Server Name or IP Address: Double-click a server name or IP address to change it.

LDAP Mapping: From the pop-up menu, choose a template, enter the search base suffix for the LDAP directory, and click OK.

If you choose a template, you must enter a search base suffix or the computer can’t find information in the LDAP directory. Typically, the search base suffix is derived from the server’s DNS host name. For example, for a server whose DNS host name is ods.example.com, the search base suffix is “dc=ods,dc=example,dc=com”.

If you choose From Server instead of a template, a search base suffix is not needed. In this case, Open Directory assumes the search base suffix is the first level of the LDAP directory.

If you choose Custom, you must set up mappings between the Mac OS X record types and attributes and the classes and attributes of the LDAP directory you’re connecting to. For more information, see Configure LDAP Searches & Mappings.

SSL: Click the checkbox to enable or disable encrypted communications using the SSL protocol. Before you select the SSL checkbox, ask your Open Directory administrator if SSL is needed.

10. To change the following default settings for this LDAP configuration, click Edit to display the options for the selected LDAP configuration, make changes, and click OK when you finish editing the LDAP configuration options:

Click Connection to set timeout options, specify a custom port, ignore server referrals, or force use of the LDAPv2 (read-only) protocol. For more information, see Change the connection settings for an LDAP or Open Directory server.

Click Search & Mappings to set up searches and mappings for an LDAP server. For more information, see Configure LDAP Searches & Mappings.

Click Security to set up an authenticated connection (instead of trusted binding) and other security policy options. For more information, see Change the security policy for an LDAP connection.

Click Bind to set up trusted binding, or click Unbind to stop trusted binding. (You might not see these buttons if the LDAP directory doesn’t permit trusted binding.) For more information, see Set up trusted binding for an LDAP directory.

11. To finish changing the configuration to access an LDAP directory, click OK.

Duplicate a configuration for accessing an LDAP directory

You can use Directory Utility to duplicate a configuration that specifies how Mac OS X accesses an LDAPv3 or LDAPv2 directory. After duplicating an LDAP directory configuration, you can change its settings to make it different from the original configuration.

1. On your computer, open System Preferences and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select LDAPv3 and click the Edit button (/).

8. If the list of server configurations is hidden, click Show Options.

9. In the list, select a server configuration and then click Duplicate.

10. Change the duplicate configuration’s settings:

Enable: Click a checkbox to enable or disable access to an LDAP directory server.

Configuration Name: Double-click a configuration name to edit it.

Server Name or IP Address: Double-click a server name or IP address to change it.

LDAP Mapping: Choose a template from the pop-up menu, then enter the search base suffix for the LDAP directory and click OK.

If you choose a template, you must enter a search base suffix or the computer can’t find information in the LDAP directory. Typically, the search base suffix is derived from the server’s DNS host name. For example, for a server whose DNS host name is ods.example.com, the search base suffix is “dc=ods,dc=example,dc=com”.

If you choose From Server instead of a template, a search base suffix is not needed. In this case, Open Directory assumes the search base suffix is the first level of the LDAP directory.

If you choose Custom, you must set up mappings between the Mac OS X record types and attributes and the classes and attributes of the LDAP directory you’re connecting to. For more information, see Configure LDAP Searches & Mappings.

SSL: Click the checkbox to enable or disable encrypted communications using the SSL protocol. Before you select the SSL checkbox, ask your Open Directory administrator if SSL is needed.

11. To change the following default settings for the duplicate LDAP configuration, click Edit to display the options, make changes, and click OK when you finish editing them:

Click Connection to set up trusted binding (if the LDAP directory supports it), set timeout options, specify a custom port, ignore server referrals, or force use of the LDAPv2 (read-only) protocol. For more information, see Change the connection settings for an LDAP or Open Directory server.

Click Search & Mappings to set up searches and mappings for an LDAP server. For more information, see Configure LDAP Searches & Mappings.

Click Security to set up an authenticated connection (instead of trusted binding) and other security policy options. For more information, see Change the security policy for an LDAP connection.

Click Bind to set up trusted binding, or click Unbind to stop trusted binding. (You might not see these buttons if the LDAP directory doesn’t permit trusted binding.) For more information, see Set up trusted binding for an LDAP directory.

12. To finish changing the duplicate configuration, click OK.

13. If you want the computer to access the LDAP directory specified by the duplicate configuration you created, add the directory to a custom search policy in the Authentication or Contacts pane of Search Policy in Directory Utility and make sure LDAPv3 is enabled in the Services pane.

For more information, see Enable or disable directory service, and Define search policies.

Delete a configuration for accessing an LDAP or Open Directory server

You can use Directory Utility to delete a configuration that specifies how the computer accesses an LDAPv3 or LDAPv2 directory.

If the LDAP configuration was provided by DHCP, it can’t be changed, so this configuration option is dimmed in the LDAP configurations list.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select LDAPv3 and click the Edit button (/).

8. If the list of server configurations is hidden, click Show Options.

9. In the list, select a server configuration and click Delete, then click OK.

10. Choose from the following:

If you see an alert saying the computer is bound to the LDAP directory and you want to stop trusted binding, click OK and then enter the name and password of an LDAP directory administrator (not a local computer administrator).

If you see an alert saying the computer can’t contact the LDAP server, you can click OK to forcibly stop trusted binding. If you forcibly stop trusted binding, this computer still has a computer record in the LDAP directory. Notify the LDAP directory administrator so the administrator knows to remove the computer from the computer group.

The deleted configuration is removed from the custom search policies for authentication and contacts.

Lion Server user management ► Directory Utility ► LDAP directories

Set up trusted binding for an LDAP directory

You can use Directory Utility to set up trusted binding between the computer and an LDAP directory that supports trusted binding. The binding is mutually authenticated by an authenticated computer record that’s created in the directory when you set up trusted binding.

The computer can’t be configured to use trusted LDAP binding and a DHCP-supplied LDAP directory. Trusted LDAP binding is inherently static, but DHCP-supplied LDAP is dynamic.

Important: If you are in a dual directory configuration, avoid trusted binding to a server that is not being used for authentication. This prevents Kerberos realm conflicts between the two directory servers. Also avoid trusted binding for clients whose host name is not statically assigned: changes in host name affect the name of the computer account and may require rebinding. Use anonymous binding instead.

Important: In Lion Server, every server by default is an Open Directory master, and every Open Directory master has a diradmin user. When binding two directory servers, they should not have the same directory administrator user name (diradmin). If two default installations of Lion Server are bound to each other, they form an invalid configuration that can cause random failures.

Make one Open Directory master server a standalone server, then recreate it using Server Admin with a unique user name for the directory administrator, instead of the default diradmin.

To use trusted LDAP binding, clients need Mac OS X v10.6 or later or Mac OS X v10.6 Server or later. Clients using v10.5 can use anonymous binding, but can’t set up trusted binding.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select LDAPv3 and click the Edit button (/).

8. If the list of server configurations is hidden, click Show Options.

9. In the list, select a server configuration and click Edit.

Several options appear, including the Bind button. If the Bind button doesn’t appear, the LDAP directory doesn’t support trusted binding.

10. Click Bind, then enter the following credentials and click OK.

Enter the name of the computer and the name and password of an LDAP directory domain administrator. The computer name can’t be in use by another computer for trusted binding or other network services.

11. Verify that you supplied the correct computer name.

If you see an alert saying that a computer record exists, click Cancel to go back and change the computer name, or click Overwrite to replace the existing computer record.

The existing computer record might be abandoned or it might belong to another computer. If you replace an existing computer record, notify the LDAP directory administrator in case replacing the record disables another computer.

In that situation, the LDAP directory administrator must give the disabled computer a different name and add it back to the computer group it belonged to.

12. To finish setting up trusted binding, click OK.

Lion Server user management ► Directory Utility ► LDAP directories

Change the security policy for an LDAP connection

Using Directory Utility, you can configure a stricter security policy for an LDAPv3 connection than the security policy of the LDAP directory. For example, if the LDAP directory’s security policy permits clear-text passwords, you can set an LDAPv3 connection to not permit clear-text passwords.

Setting a stricter security policy protects your computer from a malicious hacker trying to use a rogue LDAP server to gain control of your computer.

The computer must communicate with the LDAP server to show the state of the security options. Therefore, when you change security options for an LDAPv3 connection, the computer’s authentication search policy should include the LDAPv3 connection.

The permissible settings of an LDAPv3 connection’s security options are subject to the LDAP server’s security capabilities and requirements. For example, if the LDAP server doesn’t support Kerberos authentication, several LDAPv3 connection security options are disabled.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Search Policy.

7. Click Authentication and make sure the LDAPv3 directory you want is listed in the search policy.

For more information about adding the LDAPv3 directory to the authentication search policy, see Define search policies.

8. Click Services.

9. In the list of services, select LDAPv3 and click the Edit button (/).

10. If the list of server configurations is hidden, click Show Options.

11. Select the configuration for the directory you want, then click Edit.

12. Click Security and then change any of the following settings.

Note: The security settings here and on the corresponding LDAP server are determined when the LDAP connection is set up. The settings aren’t updated when server settings are changed.

If any of the last four options are selected but disabled, the LDAP directory requires them. If any of these options are unselected and disabled, the LDAP server doesn’t support them.

Use authentication when connecting: Determines whether the LDAPv3 connection authenticates itself with the LDAP directory by supplying the specified distinguished name and password. This option is not visible if the LDAPv3 connection uses trusted binding with the LDAP directory.

Bound to the directory as: Specifies the credentials the LDAPv3 connection uses for trusted binding with the LDAP directory. This option and the credentials can’t be changed here. Instead, you can unbind and then bind again with different credentials. For more information, see Stop trusted binding with an LDAP directory and Set up trusted binding for an LDAP directory. This option is not visible unless the LDAPv3 connection uses trusted binding.

Disable clear text passwords: Determines whether the password is to be sent as clear text if it can’t be validated using an authentication method that sends an encrypted password.

Digitally sign all packets (requires Kerberos): Certifies that directory data from the LDAP server hasn’t been intercepted and modified by another computer while en route to your computer.

Encrypt all packets (requires SSL or Kerberos): Requires the LDAP server to encrypt directory data using SSL or Kerberos before sending it to your computer. Before you select “Encrypt all packets (requires SSL or Kerberos)”, ask your Open Directory administrator if SSL is needed.

Block man-in-the-middle attacks (requires Kerberos): Protects against a rogue server posing as the LDAP server. Best if used with the “Digitally sign all packets” option.
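The four options above are gated by what the LDAP server offers: the section notes that options the server cannot support appear disabled, and three of them require Kerberos. The script below is an added example and not part of Apple’s guide; it shows how an administrator can establish, from the server’s rootDSE, which options a connection will be able to use before opening the Security pane, so that a connection that ends up unable to sign or encrypt is noticed rather than silently accepted. It assumes that “requires Kerberos” corresponds to the server advertising the SASL GSSAPI mechanism in supportedSASLMechanisms, and that “requires SSL” corresponds to an available ldaps/TLS endpoint (passed in as a yes/no flag). The two rootDSE listings are constructed samples in the format ldapsearch prints.

```shell
#!/bin/sh
# Added example (not from Apple's Lion Server guide): decide which of the
# Directory Utility security policy options an LDAP server can honour, from
# the SASL mechanisms its rootDSE advertises.
# Assumptions: "requires Kerberos" == the server offers SASL GSSAPI;
#              "requires SSL"      == an ldaps:// (TLS) endpoint is available.

# Constructed sample rootDSE listings, in the form printed by
#   ldapsearch -x -H ldap://HOST -s base -b "" supportedSASLMechanisms
ROOTDSE_KRB='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3'

ROOTDSE_PLAIN_ONLY='dn:
supportedSASLMechanisms: PLAIN
supportedLDAPVersion: 3'

# has_mech ROOTDSE MECH -> exit 0 if MECH is listed in supportedSASLMechanisms
has_mech() {
    printf '%s\n' "$1" | grep -q "^supportedSASLMechanisms: $2\$"
}

# policy_supported ROOTDSE TLS OPTION -> prints supported|unsupported
#   TLS is yes or no. OPTION is one of:
#   no-cleartext  "Disable clear text passwords"
#   sign          "Digitally sign all packets (requires Kerberos)"
#   encrypt       "Encrypt all packets (requires SSL or Kerberos)"
#   block-mitm    "Block man-in-the-middle attacks (requires Kerberos)"
policy_supported() {
    rootdse=$1
    tls=$2
    option=$3
    case $option in
        no-cleartext)
            # A challenge/response or Kerberos mechanism lets the client
            # validate the password without sending it in the clear.
            if has_mech "$rootdse" GSSAPI || has_mech "$rootdse" DIGEST-MD5 \
               || has_mech "$rootdse" CRAM-MD5; then
                echo supported
            else
                echo unsupported
            fi ;;
        sign|block-mitm)
            if has_mech "$rootdse" GSSAPI; then echo supported; else echo unsupported; fi ;;
        encrypt)
            if [ "$tls" = yes ] || has_mech "$rootdse" GSSAPI; then
                echo supported
            else
                echo unsupported
            fi ;;
        *)
            echo "unknown option: $option" >&2
            return 1 ;;
    esac
}

# strictest_policy ROOTDSE TLS -> one line per option the server can satisfy,
# i.e. the strictest policy selectable for this connection.
strictest_policy() {
    for opt in no-cleartext sign encrypt block-mitm; do
        [ "$(policy_supported "$1" "$2" "$opt")" = supported ] && echo "$opt"
    done
    return 0
}

strictest_policy "$ROOTDSE_KRB" no          # no-cleartext sign encrypt block-mitm
strictest_policy "$ROOTDSE_PLAIN_ONLY" yes  # encrypt
```

A server that only advertises PLAIN and has no Kerberos leaves just the SSL-based encryption option available; against such a server the connection cannot detect a rogue server posing as the directory, which is the case the policy is meant to cover, so the sensible response is to fix the server rather than to relax the client.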

Lion Server user management ► Directory Utility ► LDAP directories

Enable LDAP bind authentication for a user

You can enable the use of LDAP bind authentication for a user account stored in an LDAP directory domain. When you use this password validation technique, you rely on the LDAP server that contains the user account to authenticate the user’s password.

Important: If your computer name contains a hyphen, you might not be able to join or bind to a directory domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.

1. Make sure the Mac computer that needs to authenticate the user account has a connection to the LDAP directory where the user account resides and that the computer’s search policy includes the LDAP directory connection.

For information about configuring LDAP server connections and the search policy, see Configure access to an LDAP directory.

If you configure an LDAP connection that doesn’t map the password and authentication authority attributes, bind authentication occurs automatically. For more information, see Configure LDAP Searches & Mappings.

2. If you configure the connection to permit clear-text passwords, also configure it to use SSL to protect the clear-text password while it is in transit.

For more information, see Change the security policy for an LDAP connection and Change the connection settings for an LDAP or Open Directory server.

Lion Server user management ► Directory Utility ► Active Directory

About Active Directory access

You can configure a Mac to access basic user account information in an Active Directory domain of a Windows 2000 or later server. This is possible because of an Active Directory connector for Directory Utility. This Active Directory connector is listed in the Services pane of Directory Utility.

You do not need to make schema changes to the Active Directory domain to get basic user account information. You might want to change the default access control list (ACL) of specific attributes so computer accounts can read user properties.

The Active Directory connector generates all attributes required for Mac OS X authentication from standard attributes in Active Directory user accounts. The connector also supports Active Directory authentication policies, including password changes, expirations, forced changes, and security options.

Mac OS X supports packet encryption and packet-signing options for all Windows Active Directory domains. This functionality is on by default as “allow.” You can change the default setting to disabled or required by using the dsconfigad command-line tool. The packet encryption and packet signing options ensure all data to and from the Active Directory domain for record lookups is protected.

The Active Directory connector dynamically generates a unique user ID and a primary group ID based on the user account’s Globally Unique ID (GUID) in the Active Directory domain. The generated user ID and primary group ID are the same for each user account, even if the account is used to log in to different Mac computers.

Alternatively, you can force the Active Directory connector to map the user ID to Active Directory attributes that you specify.

The Active Directory connector generates a group ID based on the Active Directory group account’s GUID. You can also force the plug-in to map the group ID for group accounts to Active Directory attributes that you specify.

When someone logs in to a Mac using an Active Directory user account, the Active Directory connector can mount the Windows network home folder specified in the Active Directory user account as the user’s home folder. You can specify whether to use the network home specified by Active Directory’s standard homeDirectory attribute or by Mac OS X’s homeDirectory attribute (if the Active Directory schema is extended to include it).

Alternatively, you can configure the plug-in to create a local home folder on the startup volume of the Mac client computer. In this case, the plug-in also mounts the user’s Windows network home folder (specified in the Active Directory user account) as a network volume, like a share point. Using the Finder, the user can then copy files between the Windows home folder network volume and the local Mac home folder.

The Active Directory connector can also create mobile accounts for users. A mobile account has a local home folder on the startup volume of the Mac client computer. (The user also has a network home folder as specified in the user’s Active Directory account.)

A mobile account caches the user’s Active Directory authentication credentials on the Mac client computer. The cached credentials permit the user to log in using the Active Directory name and password when the client computer is disconnected from the Active Directory server.

If the Active Directory schema is extended to include Mac OS X record types (object classes) and attributes, the Active Directory connector detects and accesses them.

For example, the Active Directory schema could be changed using Windows administration tools to include Mac OS X managed client attributes. This schema change enables the Active Directory connector to support managed client settings made using the Server app.

Mac clients assume full read access to attributes that are added to the directory. Therefore, it might be necessary to change the ACL of those attributes to permit computer groups to read these added attributes.

The Active Directory connector discovers all domains in an Active Directory forest. You can configure the plug-in to permit users from any domain in the forest to authenticate on a Mac computer. Alternatively, you can permit only specific domains to be authenticated on the client.

The Active Directory connector fully supports Active Directory replication and failover. It discovers multiple domain controllers and determines the closest one. If a domain controller becomes unavailable, the plug-in falls back to another nearby domain controller.

The Active Directory connector uses LDAP to access Active Directory user accounts and Kerberos to authenticate them. The Active Directory connector does not use Microsoft’s proprietary Active Directory Services Interface (ADSI) to get directory or authentication services.

Lion Server user management ► Directory Utility ► Active Directory

Configure access to an Active Directory domain

Using the Active Directory connector listed in Directory Utility, you can configure a Mac to access basic user account information in an Active Directory domain on a Windows server.

The Active Directory connector generates all attributes required for Mac OS X authentication. No changes to the Active Directory schema are required.

The Active Directory connector detects and accesses standard Mac OS X record types and attributes (such as the attributes required for Mac OS X client management), if the Active Directory schema is extended to include them.

WARNING: With the advanced options of the Active Directory connector, you can map the Mac OS X unique user ID (UID), primary group ID (GID), and group GID attributes to the corresponding attributes that have been added to the Active Directory schema. However, if you change the setting of these mapping options later, users might lose access to previously created files.

Important: If your computer name contains a hyphen, you might not be able to join or bind to a Directory Domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select Active Directory and click the Edit button (/).

8. Enter the DNS host name of the Active Directory domain you want to bind to the computer you’re configuring.

The administrator of the Active Directory domain can tell you the DNS host name to enter.

9. If necessary, edit the Computer ID.

The Computer ID is the name the computer is known by in the Active Directory domain, and it’s preset to the name of the computer. You might change this to conform to your organization’s established scheme for naming computers in the Active Directory domain. If you’re not sure, ask the Active Directory domain administrator.

10. (Optional) Set advanced options.

If the advanced options are hidden, click Show Advanced Options and set options in the User Experience, Mappings, and Administrative panes. You can also change advanced option settings later.

11. Click Bind, use the following to authenticate as a user who has rights to bind a computer to the Active Directory domain, select the search policies you want Active Directory added to (see below), and click OK:

Username and Password: You might be able to authenticate by entering the name and password of your Active Directory user account, or the Active Directory domain administrator might need to provide a name and password.

Computer OU: Enter the organizational unit (OU) for the computer you’re configuring.

Use for authentication: Use to determine whether Active Directory is added to the computer’s authentication search policy.

Use for contacts: Use to determine whether Active Directory is added to the computer’s contacts search policy.

When you click OK, Directory Utility sets up trusted binding between the computer you’re configuring and the Active Directory server. The computer’s search policies are set according to the options you selected when you authenticated, and Active Directory is enabled in Directory Utility’s Services pane.

With the default settings for Active Directory advanced options, the Active Directory forest is added to the computer’s authentication search policy and contacts search policy if you selected “Use for authentication” or “Use for contacts.”

However, if you deselect “Allow authentication from any domain in the forest” in the Administrative advanced options pane before clicking Bind, the nearest Active Directory domain is added instead of the forest.

You can change search policies later by adding or removing the Active Directory forest or individual domains. For more information, see Define search policies.

12. (Optional) Join the server to the Active Directory Kerberos realm:

a. On the server or an administrator computer that can connect to the server, open Server Admin and select Open Directory for the server.

b. Click Settings, then click General.

c. Click Join Kerberos, then choose the Active Directory Kerberos realm from the pop-up menu and enter credentials for a local administrator on this server.

For more information, see Join a server to a Kerberos realm.

Lion Server user management ► Directory Utility ► Active Directory

Set up mobile user accounts in Active Directory

You can enable or disable mobile Active Directory user accounts on a computer that is configured to use Directory Utility’s Active Directory connector. Users with mobile accounts can log in using their Active Directory credentials when the computer is not connected to the Active Directory server.

The Active Directory connector caches credentials for a user’s mobile account when the user logs in while the computer is connected to the Active Directory domain. This credential caching does not require changing the Active Directory schema.

If the Active Directory schema is extended to include Mac OS X Lion managed client attributes, those mobile account settings are used instead of the Active Directory connector mobile account setting.

You can have mobile accounts created automatically or you can require that Active Directory users confirm creation of a mobile account.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select Active Directory and click the Edit button (/).

8. If the advanced options are hidden, click Show Advanced Options.

9. Click User Experience, then click “Create mobile account at login,” and optionally click “Require confirmation before creating a mobile account.”

Note the following:

If both options are selected, each user decides whether to create a mobile account during login. When a user logs in to Mac OS X using an Active Directory user account, or when logging in as a network user, the user sees a dialog with controls for creating a mobile account immediately.

If the first option is selected and the second option is unselected, mobile accounts are created when users log in.

If the first option is not selected, the second option is disabled.

10. Click OK.

Lion Server user management ► Directory Utility ► Active Directory

Set up home folders for Active Directory user accounts

On a computer that’s configured to use the Directory Utility Active Directory connector, you can enable or disable network home folders or local home folders for Active Directory user accounts.

With network home folders, a user’s Windows network home folder is mounted as the Mac OS X home folder when the user logs in.

You determine whether the network home folder location is obtained from the Active Directory standard homeDirectory attribute or from the Mac OS X homeDirectory attribute, if the Active Directory schema is extended to include it.

With local home folders, each Active Directory user who logs in has a home folder on the Mac OS X startup disk. In addition, the user’s network home folder is mounted as a network volume, like a share point. The user can copy files between this network volume and the local home folder.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select Active Directory and click the Edit button (/).

8. If the advanced options are hidden, click Show Advanced Options.

9. Click User Experience.

10. If you want Active Directory user accounts to have local home folders in the computer’s /Users folder, click “Force local home folder on startup disk.”

This option is not available if “Create mobile account at login” is selected.

11. To use the Active Directory standard attribute for the home folder location, select “Use UNC path from Active Directory to derive network home location” and then choose from the following protocols for accessing the home folder:

To use the standard Windows protocol SMB, choose smb from the “Network protocol to be used” pop-up menu.

To use the standard Macintosh protocol AFP, choose afp from the “Network protocol to be used” pop-up menu.

12. To use the Mac OS X attribute for the home folder location, deselect “Use UNC path from Active Directory to derive network home location.”

To use the Mac OS X attribute, the Active Directory schema must be extended to include it.

13. Click OK.

If you change the name of a user account in the Active Directory domain, the server creates a home folder (and subfolders) for the user account the next time it is used for logging in to a Mac OS X computer. The user can still navigate to the old home folder and see its contents in the Finder.

You can prevent creation of a home folder by renaming the old folder before the user next logs in.

Lion Server user management ► Directory Utility ► Active Directory

Specify a preferred Active Directory server

On a computer that’s configured to use Directory Utility’s Active Directory connector, you can specify the DNS host name of the server whose Active Directory domain you want the computer to access by default.

If the server becomes unavailable in the future, the Active Directory connector reverts to another nearby server in the forest.

If this option is deselected, the Active Directory connector determines the closest Active Directory domain in the forest.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select Active Directory and click the Edit button (/).

8. If the advanced options are hidden, click Show Advanced Options.

9. Click Administrative.

10. Select “Prefer this domain server” and enter the DNS host name of the Active Directory server.

11. Click OK.

Lion Server user management ► Directory Utility ► Active Directory

Change the Active Directory groups that can administer the computer

On a computer that’s configured to use Directory Utility’s Active Directory connector, you can identify Active Directory group accounts whose members you want to have administrator privileges for the computer.

Users that are members of these Active Directory group accounts can perform administrative tasks such as installing software on the Mac computer you are configuring.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select Active Directory and click the Edit button (/).

8. If the advanced options are hidden, click Show Advanced Options.

9. Click Administrative.

10. Select “Allow administration by” and change the list of Active Directory group accounts whose members you want to have administrator privileges:

Add a group by clicking the Add button (+) and entering the Active Directory domain name, a backslash, and the group account name (for example, ADS\Domain Admins, IL2\Domain Admins).

Delete a group by selecting it in the list and then clicking the Delete button (–).

11. Click OK.
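The advanced options covered in the preceding Active Directory sections (mobile accounts, home folders, the preferred server, the UID/GID mappings, and the groups granted administrator privileges) can also be read back from the command line with `dsconfigad -show`. The following Python audit is an added example and not Apple's code; the dump it parses is constructed, and its option labels are assumed to follow that command's `key = value` layout rather than copied from a real system.

```python
import re

# Constructed sample dump. It is assumed to follow the "key = value" layout of
# `dsconfigad -show`; the option labels paraphrase the Directory Utility panes
# described above and are not copied from a real machine.
SAMPLE_SHOW = """\
You are bound to Active Directory:
  Active Directory Forest          = example.test
  Active Directory Domain          = corp.example.test
  Computer Account                 = mac-lab-01$

Advanced Options - User Experience
  Create mobile account at login   = Enabled
  Require confirmation             = Disabled
  Force home to startup disk       = Enabled
  Use Windows UNC path for home    = Enabled
  Network protocol to be used      = smb

Advanced Options - Mappings
  Mapping UID to attribute         = uidNumber
  Mapping user GID to attribute    = not set
  Mapping group GID to attribute   = not set

Advanced Options - Administrative
  Preferred Domain controller      = dc01.corp.example.test
  Allowed admin groups             = CORP\\Domain Admins,CORP\\Mac Helpdesk
  Authentication from any domain   = Enabled
"""

KV_RE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>.*?)\s*$")


def parse_show(text):
    """Map each 'key = value' line to a dict; section headers carry no '=' and are skipped."""
    settings = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            settings[m.group("key")] = m.group("value")
    return settings


def is_set(value):
    return value not in (None, "", "not set")


def admin_groups(settings):
    """Groups whose members become local administrators (DOMAIN\\group form)."""
    raw = settings.get("Allowed admin groups")
    if not is_set(raw):
        return []
    return [g.strip() for g in raw.split(",") if g.strip()]


def audit(settings):
    """Return (severity, message) findings for the points the guide calls out."""
    findings = []
    for group in admin_groups(settings):
        findings.append(("info", f"members of {group} can administer this Mac"))
    if settings.get("Authentication from any domain") == "Enabled":
        findings.append(("review", "any domain in the forest may authenticate here; "
                                   "deselect this if only specific domains are intended"))
    if settings.get("Create mobile account at login") == "Enabled":
        if settings.get("Require confirmation") == "Enabled":
            findings.append(("info", "mobile accounts cache AD credentials on this Mac "
                                     "(user confirms creation)"))
        else:
            findings.append(("review", "mobile accounts cache AD credentials on this Mac "
                                       "and are created without confirmation"))
    # The guide warns that changing these mappings later can orphan existing files.
    for key in ("Mapping UID to attribute",
                "Mapping user GID to attribute",
                "Mapping group GID to attribute"):
        if is_set(settings.get(key)):
            findings.append(("info", f"{key} = {settings[key]}; changing this later "
                                     "can cost users access to previously created files"))
    if not is_set(settings.get("Preferred Domain controller")):
        findings.append(("info", "no preferred domain controller; the connector uses the nearest one"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_show(SAMPLE_SHOW)):
        print(f"[{severity}] {message}")
```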

Lion Server user management ► Directory Utility ► Active Directory

Unbind from an Active Directory Server

If the computer is using Directory Utility’s Active Directory connector to bind to an Active Directory server, you can unbind the computer from the Active Directory server.

You can forcibly unbind if the computer can’t contact the server or if the computer record is removed from the server.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select Active Directory and click the Edit button (/).

8. Click Unbind, authenticate as a user who has rights to terminate a connection to the Active Directory domain, and click OK.

If you see an alert saying the credentials weren’t accepted or the computer can’t contact Active Directory, click Force Unbind to forcibly break the connection.

If you forcibly unbind, Active Directory still contains a computer record for this computer. Notify the Active Directory administrator so the administrator knows to remove the computer record.

Lion Server user management ► Directory Utility ► Service access

Enable or disable Active Directory service

You can use Directory Utility to enable or disable the use of Active Directory services provided by a Windows server. Active Directory is the directory service of Windows 2000 and later servers.

If you disable Active Directory services and Active Directory domains are part of a custom search policy, they are listed in red in the Authentication or Contacts pane of Search Policy in Directory Utility.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select LDAPv3 and click the Edit button (/).

8. Next to Active Directory connection, select or deselect the Enable checkbox and click OK.

Lion Server user management ► Directory Utility ► Service access

Enable or disable LDAP directory services

You can use Directory Utility to enable or disable access to directory services that use LDAPv2 and LDAPv3. A single Directory Utility plug-in named LDAPv3 provides access to LDAPv2 and LDAPv3.

The directory services provided by a Mac server use LDAPv3, as do many other servers. LDAPv3 is an open standard common in mixed networks of Macintosh, UNIX, and Windows systems. Some servers use the older version, LDAPv2, to provide directory service.

If you disable LDAP directory services and LDAP directories are part of a custom search policy, they are listed in red in the Authentication or Contacts pane of Search Policy in Directory Utility.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Services.

7. In the list of services, select LDAPv3 and click the Edit button (/).

8. Next to LDAPv3, select or deselect the Enable checkbox and click OK.

Lion Server user management ► Directory Utility ► Search policies

Advanced search policy settings

Each Mac computer has a search policy, also commonly referred to as a search path, that specifies which directory domains Open Directory can access, such as the computer’s local directory domain and a shared directory.

The search policy also specifies the order in which Open Directory accesses directory domains. Open Directory searches each directory domain and stops searching when it finds a match. For example, Open Directory stops searching for a user record when it finds a record whose user name matches the name it’s looking for.

Directory Utility defines the following search policies:

Authentication: Mac OS X uses the authentication search policy to locate and retrieve user authentication information and other administrative data from directory domains.

Contacts: Mac OS X uses the contacts search policy to locate and retrieve name, address, and other contact information from directory domains. The Address Book application on your Mac computer uses this contact information. Other applications can also be programmed to use it.

Each search policy consists of a list of directory domains. The order of directory domains in the list defines the search policy. Starting at the top of the list, Mac OS X searches each listed directory domain until it finds the information it needs or reaches the end of the list without finding the information.

The authentication and contacts search policies can have one of the following settings:

Automatic: Starts with the local directory domain and includes LDAP directory domains that the computer is connected to.

Local directory: Includes only the local directory domain.

Custom path: Starts with the local directory domain and includes your choice of LDAP directories, an Active Directory domain, shared directory domains, BSD configuration files, and an NIS domain.

The /BSD/local folder is always included in the search path, and is always grayed out.
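The first-match-wins rule described above has a consequence worth checking on any bound Mac: a record in an earlier node masks a record of the same name in every later node, so a local account that shares a short name with a directory account always wins. The following Python model is an added example, not part of the original documentation; the directory nodes, record names and node paths in it are constructed.

```python
from dataclasses import dataclass


@dataclass
class DirectoryNode:
    """One directory domain in the search policy (constructed model)."""
    name: str
    users: dict                  # short name -> record attributes
    reachable: bool = True


def resolve_user(search_path, nodes, short_name):
    """First-match-wins lookup in search-policy order.

    Returns (node_name, record, skipped). `skipped` lists nodes that could not
    be contacted; each one costs a timeout at start-up, as the text notes. If no
    reachable node holds the record, node_name and record are None.
    """
    skipped = []
    for node_name in search_path:
        node = nodes[node_name]
        if not node.reachable:
            skipped.append(node_name)
            continue
        record = node.users.get(short_name)
        if record is not None:
            return node_name, record, skipped
    return None, None, skipped


def shadowed_records(search_path, nodes):
    """Names defined in more than one node of the policy.

    Each entry is (name, winning_node, masked_node): the earlier node answers
    the lookup and the later record is never consulted.
    """
    first_seen = {}
    shadowed = []
    for node_name in search_path:
        for name in nodes[node_name].users:
            if name in first_seen:
                shadowed.append((name, first_seen[name], node_name))
            else:
                first_seen[name] = node_name
    return shadowed


# Constructed sample: the local domain, an Open Directory server, and an
# Active Directory domain that is currently unreachable.
NODES = {
    "/Local/Default": DirectoryNode("/Local/Default", {
        "admin": {"uid": 501, "source": "local"},
        "jdoe":  {"uid": 502, "source": "local"},
    }),
    "/LDAPv3/od.example.test": DirectoryNode("/LDAPv3/od.example.test", {
        "jdoe":   {"uid": 1025, "source": "open directory"},
        "asmith": {"uid": 1026, "source": "open directory"},
    }),
    "/Active Directory/CORP": DirectoryNode("/Active Directory/CORP", {
        "bwong": {"uid": 2001, "source": "active directory"},
    }, reachable=False),
}

# A custom path always starts with the local directory domain.
CUSTOM_PATH = ["/Local/Default", "/LDAPv3/od.example.test", "/Active Directory/CORP"]
LOCAL_ONLY = ["/Local/Default"]

if __name__ == "__main__":
    node, rec, skipped = resolve_user(CUSTOM_PATH, NODES, "jdoe")
    print(f"jdoe resolved in {node}: {rec}")            # the local record wins
    print("shadowed:", shadowed_records(CUSTOM_PATH, NODES))
    print("asmith under local-only policy:", resolve_user(LOCAL_ONLY, NODES, "asmith")[:2])
    print("bwong with AD unreachable:", resolve_user(CUSTOM_PATH, NODES, "bwong"))
```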

Lion Server user management ► Directory Utility ► Search policies

Define search policies

You can define search policies for the directory servers you are connected to. You can define automatic, custom, and local directory search policies.

Define automatic search policies

Using Directory Utility, you can configure a Mac computer’s authentication and contacts search policies to be defined automatically.

An automatically defined search policy includes the local directory domain. It can also include an LDAP directory server specified by the DHCP service.

This is the default configuration for the authentication and contacts search policies.

Note: Some applications, such as Mail and Address Book, can access LDAP directories directly, without using Open Directory. To set up one of these applications to access LDAP directories directly, open the application and set the correct preference.

After changing the search policy in the Authentication pane or the Contacts pane of Directory Utility, wait 10 or 15 seconds for the change to take effect. Attempts to log in using an account from a directory domain that uses the authentication search policy are unsuccessful until changes to it take effect.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Search Policy and choose a search policy:

Authentication: Shows the search policy used for authentication and most other administrative data.

Contacts: Shows the search policy used for contact information in applications such as Address Book.

7. From the Search pop-up menu, choose Automatic, then click Apply.

8. In System Preferences, make sure the computer’s Network preferences are configured to use DHCP or DHCP with a manual IP address.

Define custom search policies

Using Directory Utility, you can configure a Mac computer’s authentication and contacts search policies to use a custom list of directory domains.

A custom list starts with the computer’s local directory domain and can include Open Directory (and other LDAP directory domains), an Active Directory domain, shared directory domains, BSD configuration files, and an NIS domain.

If a directory domain specified on a computer’s custom search policy is not available, a delay occurs when the computer starts up.

After changing the search policy in the Authentication pane or the Contacts pane of Directory Utility, wait 10 or 15 seconds for the change to take effect. Attempts to log in using an account from a directory domain that uses the authentication search policy are unsuccessful until changes to it take effect.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Search Policy and choose a search policy.

Authentication: Shows the search policy used for authentication and most other administrative data.

Contacts: Shows the search policy used for contact information in applications such as Address Book.

7. From the Search pop-up menu, choose “Custom path.”

8. Add directory domains as needed by clicking Add, selecting directories, and clicking Add again.

9. Change the order of the listed directory domains as needed by dragging them up or down the list.

10. Remove listed directory domains that you don’t want in the search policy by selecting them and clicking the Delete button (–).

11. Confirm the removal by clicking OK, then click Apply.

Define local directory search policies

Using Directory Utility, you can configure a Mac computer’s authentication and contacts search policies to use only the computer’s local directory.

A search policy that uses only the local directory limits the access a computer has to authentication information and other administrative data.

If you restrict a computer’s authentication search policy to use only the local directory, only users with local accounts can log in.

After changing the search policy in the Authentication pane or the Contacts pane of Directory Utility, wait 10 or 15 seconds for the change to take effect. Attempts to log in using an account from a directory domain that uses the authentication search policy are unsuccessful until changes to it take effect.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Join or Edit.

If you see an Edit button, your computer has at least one connection to a directory server.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Search Policy and choose a search policy:

Authentication: Shows the search policy used for authentication and most other administrative data.

Contacts: Shows the search policy used for contact information in applications such as Address Book.

7. From the Search pop-up menu, choose “Local directory,” then click Apply.

Lion Server user management ► Directory Utility ► Records and attributes

Add or delete records

You can use the Directory Editor in Directory Utility to add or delete records.

WARNING: Deleting records can cause the server to behave erratically or stop working. Don’t delete records unless you know they’re not needed for proper server functioning.

WARNING: After using the Directory Editor to delete user or computer records, use command-line tools to delete the corresponding Kerberos identity and Password Server slot. If you leave an orphaned Kerberos identity or Password Server slot, it can conflict with a user or computer record created later.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Directory Editor.

7. From the Viewing pop-up menu, choose the record type to modify.

8. From the in-node pop-up menu, choose the directory domain or local directory to modify, and authenticate as an administrator of the domain or local directory.

To authenticate, click the Lock button next to the directory that you chose.

9. To add a record, click the Add button (+) (below the list of records) and enter a name for the record in the value pane.

Depending on the record you add, you might need to make changes to the attribute values of the record.

10. To delete a record, select the record to delete, then click the Delete (-) button (below the list of records).

Deleting a record cannot be undone.

If you are sure this is the record you want to delete, click Delete.

11. Click Save.

Lion Server user management ► Directory Utility ► Records and attributes

Add or delete record attributes

You can use the Directory Editor in Directory Utility to add or delete record attributes.

WARNING: Deleting record attributes can cause the server to behave erratically or stop working. Don’t delete record attributes unless you know they’re not needed for proper server functioning.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Directory Editor.

7. From the Viewing pop-up menu, choose the record type to edit.

8. From the in-node pop-up menu, choose the directory domain or local directory to edit, and authenticate as an administrator of the domain or local directory.

To authenticate, click the Lock button next to the directory that you chose.

9. From the records list, select the record to edit.

You can also search the record type you've selected by using the search field above the record list.

10. Add an attribute to a record:

a. Click the Add button (+) (below the list of attributes), choose an attribute from the New attributes of type pop-up menu, and click OK.

b. Enter a value for the new attribute.

If you choose Native from the New attribute of type pop-up menu, enter the name of a native record in the box that appears below the pop-up menu, then click OK.

11. To delete a record attribute, select the record attribute to delete, then click the Delete button (-) (below the list of records).

12. Click Save.

Lion Server user management ► Directory Utility ► Records and attributes

View or edit directory data

You can view or edit raw directory data by using the Directory Editor.

WARNING: Changing raw data in a directory can have unexpected and undesirable consequences. You could inadvertently incapacitate users or computers, or you could unintentionally authorize users to access more resources.

1. Open System Preferences on your computer and click Users & Groups.

2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

3. Click Login Options, then click Edit.

4. Click Open Directory Utility.

5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

6. Click Directory Editor.

7. From the Viewing pop-up menu, choose the record type to view or edit.

8. From the in-node pop-up menu, choose the directory domain or local directory to view or edit, and authenticate as an administrator of the domain or local directory.

To authenticate, click the Lock button next to the directory you chose.

9. From the records list, select the record to view or edit.

You can also search the record type you chose by using the search field above the record list.

10. From the attributes list (next to the records list), select the attribute name to view or edit.

The value of the attribute you select appears in the value pane (below the attribute list). You can modify the attribute value in the value pane.

Depending on the attribute you select, you can change how the value appears in the value pane by clicking Image, Text, or Data.

Some attribute values are grayed out and cannot be modified.

11. To save your changes to the record, click Save.

Lion Server user management ► Security ► RADIUS

About RADIUS

Wireless networking gives companies greater network flexibility, seamlessly connecting laptop users to the network and giving them the freedom to move within the company while staying connected to the network.

You use RADIUS to authorize Open Directory users and groups so they can access AirPort Base Stations on a network. By configuring RADIUS and Open Directory you can control who has access to your wireless network.

RADIUS works with Open Directory and Password Server to grant authorized users access to the network through an AirPort Base Station. When a user attempts to access an AirPort Base Station, AirPort communicates with the RADIUS server using Extensible Authentication Protocol (EAP) to authenticate and authorize the user.

Users are given access to the network if their user credentials are valid and they are authorized to use the AirPort Base Station. If a user is not authorized, he or she cannot access the network through the AirPort Base Station.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

RADIUS setup overview

The following steps outline the tasks to configure and set up RADIUS service.

Turn RADIUS On

Before you can configure the service, turn RADIUS on. See Enable RADIUS.

Add AirPort Base Stations to a RADIUS server

Decide which AirPort Base Stations to add to the RADIUS server. See Add AirPort Base Stations to a RADIUS server.

Remotely configure an AirPort Base Station

Use Server Admin to configure AirPort Base Stations. See Remotely configure AirPort Base Stations.

Configure RADIUS to use certificates

Use Server Admin to configure RADIUS to use certificates to trust Base Stations. See Configure RADIUS to use certificates.

Start RADIUS

To start RADIUS, see Start or stop RADIUS.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

Enable RADIUS

Before you can configure RADIUS settings, turn on RADIUS service in Server Admin.

1. Open Server Admin and connect to the server.

2. Click Settings, then click Services.

3. Select the RADIUS checkbox.

4. Click Save.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

Use the configuration assistant to configure RADIUS

You can use the RADIUS configuration assistant to configure RADIUS. The configuration assistant guides you through the RADIUS configuration process and lets you start RADIUS.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Overview.

5. Click Configure RADIUS Service.

6. In the RADIUS Server Certificate pane, select one of the following:

If you select “Choose an existing certificate,” choose the certificate from the pop-up menu and click Continue.

If you want to create a self-signed certificate, use Certificate Assistant. For more information, see Server Admin Help.

7. From the Available Base Stations list, select the Base Station you want and click Add.

8. Enter the password of the Base Station in the Base Station Password field, then click Add.

To remove a Base Station from the Selected Base Stations list, select it and click Remove.

9. Click Continue.

10. In the RADIUS Allow Users pane, you can restrict user access:

If you select “Allow all users,” all users can access the Base Stations you select.

If you select “Restrict to members of group,” only users of a group can access the Base Stations you select.

11. Click Continue.

12. In the RADIUS setting confirmation pane, verify your settings.

You can also print or save your RADIUS configuration settings.

13. Click Confirm.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

Use radiusconfig to configure RADIUS

You can use radiusconfig to configure RADIUS.

To view RADIUS settings:

$ sudo radiusconfig -appleversion -getconfig -getconfigxml -nascount -naslist -naslistxml -ver -…

To configure RADIUS parameters:

$ sudo radiusconfig -setconfig key value [key value ...]

Parameter   Description
key         The name of the key to configure in the radiusd.conf or eap.conf files.
value       The value of the key.

For information about RADIUS server settings, see RADIUS command-line settings. For information about radiusconfig, see its man page.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

Add AirPort Base Stations to a RADIUS server

You use the Base Stations pane of RADIUS in Server Admin to add AirPort Base Stations that will use RADIUS service. You can add up to 64 Base Stations to RADIUS.

1. On the management computer, open Server Admin.

2. Click the triangle at the left of the server.

The list of services appears.

3. In the expanded Servers list, click RADIUS.

4. Click Base Stations.

5. Below the AirPort Base Stations list, click the Add button (+).

6. Enter the following AirPort Base Station information:

Name: Specify the name of the AirPort Base Station.

Type: Specify the model of the AirPort Base Station.

IP Address: Specify the IP address of the AirPort Base Station.

Shared Secret and Verify: Specify a shared secret. The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that key management systems use to trust each other. You must enter the shared secret on the server as well as on the client.

7. Click Add.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

Add Bonjour-enabled AirPort Base Stations to a RADIUS server

If your network has AirPort Base Stations that announce themselves using Bonjour, use the Base Stations pane of RADIUS in Server Admin to add them to your RADIUS server. You can add up to 64 Base Stations to RADIUS.

1. On the management computer, open Server Admin.

2. Click the triangle at the left of the server.

The list of services appears.

3. In the expanded Servers list, click RADIUS.

4. Click Base Stations.

5. Below the AirPort Base Stations list, click Browse.

A list of AirPort Base Stations found through Bonjour appears. It shows all AirPort Base Stations on the server's local subnet and all Wide-Area Bonjour domains known to the server. This includes search domains listed in Network Preferences that have AirPort Base Stations, and AirPort Base Stations you added to a MobileMe account as a Back to My Mac (BTMM) enabled server.

6. From the list of AirPort Base Stations, choose an AirPort Base Station to add to your RADIUS server.

7. In the “Base station password” field, enter the password for the AirPort Base Station.

8. Click Add.

When the base station is added, it is configured to use WPA2 Enterprise for client authentication through TTLS. It also sets a random shared secret for communication between the Base Station and RADIUS on the server.

The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that key management systems use to trust each other.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

Remotely configure AirPort Base Stations

You can remotely configure AirPort Base Stations to use a RADIUS server in Server Admin.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Base Stations.

5. In the AirPort Base Stations list, highlight the AirPort Base Station and then click Edit.

If prompted, enter the AirPort administrator password.

6. Click OK.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

Configure RADIUS to use certificates

You can use Server Admin to configure RADIUS to use custom certificates. Using a certificate increases the security and manageability of AirPort Base Stations.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.


The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Settings.

5. From the RADIUS Certificate pop-up menu, choose a certificate.

If you don’t have a certificate and want to create one, click Manage Certificates. For more information about creating certificates, see Server Admin Help.

6. Click Save.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

Use radiusconfig to configure RADIUS certificates

You can use radiusconfig to import certificates for RADIUS.

To configure RADIUS certificates:

$ sudo radiusconfig -installcerts private-key certificate [trusted-ca-list [yes | no [common-name…

Parameter        Description
private-key      The file path to the client’s private key to use in the certificate
certificate      The file path to the certificate
trusted-ca-list  The file path to the trusted CA list
yes              A request to check a certificate revocation list
no               A request to not check a certificate revocation list
common-name      The common name

This command changes eap.conf to contain an active TLS section and configures the certificates. This command also replaces the random file and creates the dh file if absent.

For information about radiusconfig, see its man page.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

Archive RADIUS service logs

RADIUS service creates entries in the system log for error and alert messages. You can archive these log entries.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Settings.

5. Select the “Archive radiusd log for the past __ days” checkbox and enter the number of days to archive.

6. Click Save.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

Use radiusconfig to archive service logs

You can use radiusconfig to archive RADIUS service logs.

To configure the rotation of RADIUS service logs:

$ sudo radiusconfig -rotatelog [-n file-count] base-file

To configure the automatic rotation of RADIUS service logs:

$ sudo radiusconfig -autorotatelog [on | off] [-n file-count]

Parameter    Description
file-count   Specifies the number of log files to preserve.
base-file    Specifies the name of the log file.
on           Enables automatic log rotation.
off          Disables automatic log rotation.

For information about radiusconfig, see its man page.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

Start or stop RADIUS

You use Server Admin to start or stop RADIUS. When you stop RADIUS, make sure no users are connected to AirPort Base Stations your RADIUS server manages.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Below the Servers list, click Start RADIUS or Stop RADIUS.

The service can take a few seconds to start or stop.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

Use radiusconfig to start or stop RADIUS

You can use radiusconfig to stop or start RADIUS.

To start the RADIUS server:

$ sudo radiusconfig -start

To stop the RADIUS server:

$ sudo radiusconfig -stop

For information about radiusconfig, see its man page.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

RADIUS command-line settings

To change settings for RADIUS, use the following parameters with the radiusconfig tool.

Command option   Description
-appleversion    Displays the version of the tool, including the build version.
-getconfig       Displays configuration data stored in the radiusd.conf and eap.conf files in an abbreviated, user-friendly format.
-getconfigxml    Displays configuration data stored in the radiusd.conf and eap.conf files in XML plist format.
-nascount        Displays the number of RADIUS clients.
-naslist         Displays the list of RADIUS clients formatted for the clients.conf file.
-naslistxml      Displays the list of RADIUS clients in XML plist format.
-ver             Displays a specific build version.
-help            Displays usage information.
-q               Suppresses prompts.

Lion Server user management ► Security ► RADIUS ► Set Up RADIUS

Enable or disable Transport Layer Security (TLS)

You can enable or disable Transport Layer Security (TLS) by modifying the TLS section of the eap.conf file.

To enable TLS:

$ sudo radiusconfig -enable-tls

To disable TLS:

$ sudo radiusconfig -disable-tls

Lion Server user management ► Security ► RADIUS ► Manage RADIUS

Check RADIUS status

You can use Server Admin to check the status of RADIUS.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Overview to see whether the service is running, the number of client base stations, and when it was started.

Lion Server user management ► Security ► RADIUS ► Manage RADIUS

View RADIUS logs

RADIUS creates entries in the system log for error and alert messages. You can filter the log to narrow the number of viewable log entries and make it easier to find an entry.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Logs.

5. Choose a log to view (radiusconfig or radiusd).
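The filtering described above, as an added example that is not from the Lion Server guide: a shell function that tallies failed RADIUS authentications per user or per client base station from radiusd log lines and reports those at or above a threshold. The log lines are constructed in the FreeRADIUS-style “Auth: Login incorrect: [user] (from client NAME …)” format; that this matches the exact wording radiusd writes on Lion Server is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Lion Server guide: flag users or base
# stations with repeated RADIUS authentication failures in radiusd output.
# The sample lines below are CONSTRUCTED in the FreeRADIUS-style
# "Auth: Login incorrect: [user] (from client NAME ...)" format; that this
# matches radiusd's exact wording on Lion Server is an assumption.
SAMPLE_LOG='Tue Feb 14 09:12:01 2012 : Auth: Login OK: [alice] (from client ap-lobby port 0 cli 00-11-22-33-44-55)
Tue Feb 14 09:12:09 2012 : Auth: Login incorrect: [bob] (from client ap-lobby port 0 cli 00-11-22-33-44-66)
Tue Feb 14 09:12:15 2012 : Auth: Login incorrect: [bob] (from client ap-lobby port 0 cli 00-11-22-33-44-66)
Tue Feb 14 09:13:02 2012 : Auth: Login incorrect: [alice] (from client ap-lobby port 0 cli 00-11-22-33-44-55)
Tue Feb 14 09:14:40 2012 : Auth: Login incorrect: [bob] (from client ap-office port 0 cli 00-11-22-33-44-66)
Tue Feb 14 09:15:01 2012 : Auth: Login OK: [carol] (from client ap-office port 0 cli 00-11-22-33-44-77)'

# failed_logins LOGTEXT THRESHOLD [user|client]
# Prints "<name> <failures>" for each user (default) or client base station
# whose failed-login count is at or above THRESHOLD, highest count first.
failed_logins() {
    printf '%s\n' "$1" | awk -v limit="$2" -v key="${3:-user}" '
        / : Auth: Login incorrect: \[/ {
            # user name is the text between the first "[" and the next "]"
            s = index($0, "["); e = index($0, "]")
            user = substr($0, s + 1, e - s - 1)
            # client name follows "from client " (12 characters)
            client = "?"
            if (match($0, /from client [^ ]+/))
                client = substr($0, RSTART + 12, RLENGTH - 12)
            k = (key == "client") ? client : user
            fails[k]++
        }
        END { for (k in fails) if (fails[k] >= limit) print k, fails[k] }
    ' | sort -k2,2nr -k1,1
}

# Usage on the constructed sample: report anyone with three or more failures.
failed_logins "$SAMPLE_LOG" 3
```

To run it over the real archive, replace the constructed text with `"$(cat /var/log/radius/radius.log)"` or whichever path the Logs pane shows for radiusd.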

Lion Server user management ► Security ► RADIUS ► Manage RADIUS

Edit RADIUS access

You can restrict access to RADIUS by creating a group of users and adding them to the service access control list (SACL) of RADIUS.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Settings, then click Edit Allowed Users.

5. Select “For selected services below,” then select RADIUS.

6. Click Services.

7. Select “Allow only users and groups below.”

8. Click the Add button (+).

9. From the Users & Groups window, drag users or groups to the “Allow only users and groups below” list.

If you don’t see a recently created user, click the Refresh button (below the Servers list).

If you want to remove users from the “Allow only users and groups below” list, select the users or user groups and click the Delete button (–).

Only users in the list can use RADIUS service.

Lion Server user management ► Security ► RADIUS ► Manage RADIUS

Delete AirPort Base Stations

You can use Server Admin to delete AirPort Base Stations from the RADIUS server.

When you delete AirPort Base Stations, make sure the stations are disconnected from the network. Otherwise, unauthorized users might access your network.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Base Stations.

5. In the AirPort Base Station list, highlight a Base Station and click Remove.

6. Verify you want to remove the Base Station by clicking Remove again.

Lion Server user management ► Security ► RADIUS ► Manage RADIUS

Edit an AirPort Base Station record

You can use Server Admin to edit an AirPort Base Station record on your RADIUS server.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Base Stations.

5. In the AirPort Base Station list, highlight the Base Station to modify and click the Edit button.

6. Modify the Base Station information and click Save.

Lion Server user management ► Security ► RADIUS ► Manage RADIUS

Save an AirPort Base Station Internet connect file

You can use Server Admin to save an AirPort Base Station internet connect file.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select RADIUS.

4. Click Base Stations.

5. In the AirPort Base Station list, highlight the base station.

6. Click Save Internet Connect File.

7. In the Save As field, enter the name.

8. From the Where pop-up menu, choose the location to save the file.

9. In the Wireless Network Name (SSID) field, enter the wireless network name.

10. Click Save.

Lion Server user management ► Security ► RADIUS ► Manage RADIUS

Use radiusconfig to manage RADIUS clients

Use the radiusconfig tool to add, import, remove, and configure RADIUS clients.

To add RADIUS clients:

$ sudo radiusconfig -addclient nas-name shortname [type]

To import RADIUS clients:

$ sudo radiusconfig -importclients xml-plist-file

To remove RADIUS clients:

$ sudo radiusconfig -removeclient nas-name [nas-name ...]

To assign an access control group to a client of the RADIUS service:

$ sudo radiusconfig -setgroup nas-name group-name

Parameter        Description
nas-name         The name of the client
shortname        The short name of the client
type             (Optional) The type of the client
xml-plist-file   The name of the file, including the path, to import clients from
group-name       The name of the access control group

For information about radiusconfig, see its man page.

Lion Server user management ► Security ► SSH key authentication

Key-Based SSH login

SSH is a network protocol that establishes a secure channel between your computer and a remote computer. It uses public-key cryptography to authenticate the remote computer. It also provides encryption and data integrity for the traffic exchanged between computers. Key-based authentication is helpful for such tasks as automating file transfers and backups and for creating failover scripts, because it allows computers to communicate without a user needing to enter a password.

Important: Key-based authentication has risks. If the private key you generate becomes compromised, unauthorized users can access your computers. You must determine whether the advantages of key-based authentication are worth the risks.

SSH is frequently used to log in to a remote machine to execute commands, but you can also use it to create a secure data tunnel, forwarding through an arbitrary TCP port. You can also use SSH to transfer files using SFTP and SCP. By default, an SSH server uses the standard TCP port 22.

Lion Server uses OpenSSH as the basis for its SSH tools. Notably, portable home directory synchronization and Open Directory replication are provided via SSH.

Lion Server user management ► Security ► SSH key authentication

Generate a key pair for SSH authentication

This is the process of setting up key-based SSH login authentication on Lion Server.

To set up key-based SSH, you must generate the keys the two computers will use to establish and validate the identity of each other.

This doesn’t authorize all users of the computer to have SSH access. Keys must be generated for each user account. To do this, you must run the following commands in Terminal.

The process must be repeated for each user that needs to open key-based SSH sessions.

Important: Key-based authentication has risks. If the private key you generate becomes compromised, unauthorized users can access your computers. You must determine whether the advantages of key-based authentication are worth the risks.

1. Verify that an .ssh folder exists in your home folder by entering the command: ls -ld ~/.ssh

If .ssh is listed in the output, move to step 2. If .ssh is not listed in the output, run mkdir -m 700 ~/.ssh and continue to step 2.

2. Change directories in the shell to the hidden .ssh directory by entering the following command: cd ~/.ssh

3. Generate the public and private keys by entering the following command: ssh-keygen -b 1024 -t rsa -f id_rsa -P ''

The -b flag sets the length of the keys to 1,024 bits, -t selects the RSA key type, -f sets the file name as id_rsa, and -P followed by two single-quote marks sets the private key password to be null. The null private key password allows for automated SSH connections.

Keys are equivalent to passwords, so keep them private and protected.

4. Copy the public key into the authorized key file by entering the following command: cat id_rsa.pub >> authorized_keys2

5. Set the permissions on the private key so the file can only be changed by the owner: chmod go-rwx ~/.ssh/id_rsa

6. Copy the public key and the authorized key lists to the specified user’s home folder on the remote computer by entering the following command: scp authorized_keys2 username@remotemachine:~/.ssh/

To establish two-way communication between servers, repeat this process on the second computer.
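Steps 1 through 5 above as a script for one user, added here and not part of the Lion Server guide, together with the permission check that sshd performs before it will accept the key. It assumes ssh-keygen is on the path and, as a labelled deviation from step 3, generates a 2048-bit key by default (override with KEY_BITS); the directory and file names are the ones used in the steps.

```shell
#!/bin/sh
# Added example, not part of the Lion Server guide: steps 1 to 5 above as a
# script for one user, plus a permission check. Assumes ssh-keygen is on the
# path; KEY_BITS (default 2048) replaces the 1,024-bit key of step 3.

# ssh_mode_ok PATH: succeed only if PATH has no group or other permission
# bits. Reads the ls(1) mode string, which looks the same on Mac OS X and Linux.
ssh_mode_ok() {
    set -- $(ls -ld "$1" 2>/dev/null)
    case ${1:-} in
        ????------*) return 0 ;;   # e.g. drwx------ or -rw-------
        *) return 1 ;;
    esac
}

# check_ssh_perms DIR [KEYFILE]: verify that DIR is private and that the
# private key in it is readable by its owner only (what step 5 enforces and
# what sshd's StrictModes expects on the receiving side).
check_ssh_perms() {
    [ -d "$1" ] || { echo "missing folder $1" >&2; return 1; }
    ssh_mode_ok "$1" || { echo "$1 is group- or world-accessible" >&2; return 1; }
    [ -f "$1/${2:-id_rsa}" ] || { echo "missing private key $1/${2:-id_rsa}" >&2; return 1; }
    ssh_mode_ok "$1/${2:-id_rsa}" || { echo "$1/${2:-id_rsa} is group- or world-accessible" >&2; return 1; }
    return 0
}

# setup_keypair [DIR]: create DIR (700), generate the RSA pair with an empty
# passphrase as in step 3, add the public key to authorized_keys2 once, and
# restrict the private key, then run the check.
setup_keypair() {
    dir=${1:-$HOME/.ssh}
    [ -d "$dir" ] || mkdir -m 700 "$dir" || return 1
    if [ ! -f "$dir/id_rsa" ]; then
        ssh-keygen -q -b "${KEY_BITS:-2048}" -t rsa -f "$dir/id_rsa" -P '' || return 1
    fi
    # append the public key only if this exact line is not already present
    grep -qxF "$(cat "$dir/id_rsa.pub")" "$dir/authorized_keys2" 2>/dev/null \
        || cat "$dir/id_rsa.pub" >> "$dir/authorized_keys2"
    chmod go-rwx "$dir/id_rsa" "$dir/authorized_keys2"
    check_ssh_perms "$dir" id_rsa
}
```

Run `check_ssh_perms ~/.ssh` on the remote computer as well after step 6, since a world-readable ~/.ssh there makes sshd ignore authorized_keys2 without any error on the client side.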

Lion Server user management ► Security ► SSH key authentication

Key-Based SSH with scripting sample

A cluster of servers is an ideal environment for using key-based SSH.

The following Perl script is a trivial scripting example that should not be implemented, but it demonstrates connecting over an SSH tunnel to servers defined in the variable serverList, running softwareupdate, installing available updates, and restarting the computer if necessary.

The script assumes that key-based SSH was set up for an “admin” user on all servers to be updated.

#!/usr/bin/perl
use strict;
use warnings;

# In a double-quoted string, \@ is the escape sequence for the "@" symbol.
my @serverList = ("admin\@exampleserver1.example.com", "admin\@exampleserver2.example.com");

foreach my $server (@serverList) {
    my $flag = 0;    # becomes 1 when softwareupdate asks for a restart
    # -x disables X11 forwarding; batchmode=yes makes ssh fail instead of prompting for a password
    open(my $sbuff, '-|', "ssh $server -x -o batchmode=yes 'softwareupdate -i -a'")
        or die "cannot run ssh to $server: $!";
    while (my $line = <$sbuff>) {
        chomp($line);
        # check for the restart text in the softwareupdate output
        my $match = "Please restart immediately";
        my $count = () = $line =~ /$match/g;
        $flag = 1 if $count > 0;
    }
    close($sbuff);
    if ($flag == 1) {
        system("ssh $server -x -o batchmode=yes shutdown -r now");
    }
}

Lion Server user management ► Security ► Administrator permissions

About administration level privileges

Lion Server can use another level of access control for added security. Administrators can be limited to specific services they can configure. These limitations are enacted on a server-by-server basis.

This method can be used by an administrator with no restrictions to assign administrative duties to other admin group users.

This results in a tiered administration model, where some administrators have more privileges than others for their assignedservices. This results in a kind of access control for individual server features and services.

You can determine which services other admin group users can modify. To do this, the administrator making the determination must have full, unmodified access.

Lion Server user management ► Security ► Administrator permissions

Using a non-Mac computer for administration

You can use a non-Mac computer that offers SSH support, such as a UNIX workstation, to administer Lion Server using command-line tools.

You can also use any computer that can run a VNC viewer to administer Lion Server. Administering the server via VNC is the same as using the server's keyboard, mouse, and monitor locally. You use all the same utilities that Lion uses, but virtually over VNC.

You enable a VNC server on Lion Server by enabling Screen Sharing in the Sharing pane of System Preferences.

Use this command-line tool        To
serveradmin                       Configure and monitor services and administrator access.
ssh                               Connect to a server using a UNIX command shell.
asr                               Perform mass disk imaging tasks.
bootpd                            Control DHCP service parameters.
calendarserver_manage_principals  Add locations and resources to your iCal server.
calendarserver_purge_principals   Remove locations and resources from your iCal server.
defaults                          Read and write system or application preferences.
diskutil                          Modify, verify, and repair local disks.
dscacheutil                       Gather information and statistics from, and initiate queries to, the Directory Service cache.
dscl                              Configure and alter Directory Services.
dsconfigad                        Configure and modify Active Directory services.
dseditgroup                       Manipulate group directory records.
freshclam                         Update the mail service anti-virus database.
hdiutil                           Manipulate disk images.
installer                         Install software packages.
kdcsetup                          Configure an Apple Open Directory KDC.
kickstart                         Modify Remote Desktop settings and access.
launchctl                         Control launchd.
networksetup                      Configure network settings in System Preferences.
osascript                         Run AppleScripts from the command line.
pwpolicy                          Get and set password policy.
radiusconfig                      Configure the RADIUS service via radiusd.
sa-learn                          Train SpamAssassin's Bayesian filter.
security                          Manipulate keychains and the Security framework.
slapconfig                        Configure slapd and related daemons.
systemsetup                       Configure certain machine settings in System Preferences.

Many additional standard UNIX tools are available, such as chmod, mkdir, chown, sudo, tar, pax, rsync, cp, scp, ditto, gzip, tail, syslog, exit, su, srm, less, cat, passwd, and shutdown.

Lion Server user management ► Security ► Administrator permissions

Define tiered administrative permissions

You can decide if a user or group can monitor or administer a server or service without giving them the full power of a UNIX administrative user. Assigning effective permissions to users creates a tiered administration, where some but not all administrative duties can be carried out by designated individuals.

1. Open Server Admin.

2. Select a server, click the Settings button in the toolbar, and then click the Access tab.

3. Click the Administrators tab.

4. Select whether to define administrative permissions for all services on the server or for select services.

5. If you define permissions by service, select the related checkbox for each service you want to turn on. If you define permissions by service, be sure to assign administrators to all the active services on the server.

6. Click the Add button (+) to add a user or group from the users and group window.

To remove administrative permissions, select a user or group and click the Remove (-) button.

7. For each user or group, select the permissions level next to the user or group name.

You can choose Monitor or Administer. The capabilities of Server Admin to administer the server are limited by this setting when the server is added to the Server list.

Lion Server user management ► Security ► Administrator permissions

Add and remove services in the server view

Before you can set up services using Server Admin, you must add the service to the server view.

You can add items to Server Admin's service list using the command line.

For example, by default, no services can be seen for your server. As you select services to administer, configuration panes become accessible in a list underneath your computer name.

When you select services from the list, those services appear underneath the server hostname in the server list.

sudo serveradmin settings info:serviceConfig:services:com.apple.ServerAdmin.<servicename>:configured = yes

Lion Server user management ► Security ► Administrator permissions

Tiered administration permissions

You can grant individuals and groups specific administrative permissions without adding them to the UNIX “admin” group. In other words, you can make them administrator users.

There are two tiers of permissions:

Administer: This level of permission is analogous to being in the UNIX admin group. You can change any setting on the server for the designated server and service only.

Monitor: This level of permission allows you to view Overview panes, Log panes, and other information panes in Server Admin, as well as general server status data in server status lists. You do not have access to any saved service settings.

Any user or group can be given these permissions for all services or for selected services. The permissions are stored on a per-server basis.

The only users that can change the tiered administration access list are users that are in the UNIX admin group.

Server Admin updates to reflect what operations are possible for a user's permissions. For example, some services are hidden or the Settings pane is dimmed when you can only monitor that service.

Because the feature is enforced on the server side, the permissions also affect the serveradmin, dscl, dsimport, and pwpolicy command-line tools, because these tools are limited to the permissions configured for the administrator in use.

Lion Server user management ► Security ► Service access

Service level security

You use a Service Access Control List (SACL) to enforce who can use a service. It is not a means of authentication. It is a list of those who have access rights to use a service.

SACLs allow you to add a layer of access control on top of standard and ACL permissions.

Only users and groups in an SACL can access its corresponding service. For example, to prevent users from accessing AFP share points on a server, including home folders, remove the users from the AFP service’s SACL.

Server Admin in Lion Server allows you to configure SACLs. Open Directory authenticates user accounts and SACLs authorize use of services. If Open Directory authenticates you, the SACL for login window determines whether you can log in, the SACL for AFP service determines whether you can connect for Apple file service, and so on.

Lion Server user management ► Security ► Service access

Control access to services

You can use Server Admin to configure which users and groups can use services hosted by a server.

You set up access to services for users and groups using SACLs. You can set up the same access to all services, or you can select a service and customize its access settings.

Access controls are simple. Choose between allowing all users and groups to use services or allowing selected users and groups to use services. You can separately specify access controls for individual services, or you can define one set of controls that applies to all services hosted by the server.

You can also control user access to several services using the Server app. For example, only the Server app can control user access to Podcast and Time Machine services. For information, see Control a user’s access to services.

1. Select a server in the Servers list.

2. Click Settings, then click Access.

3. Click Services.

4. Choose a service and then choose whether to allow everyone access to it or whether to allow specified users to access the service.

5. If you have chosen to specify users, add the users and groups as needed.

RELATED INFORMATION

Server settings reference

Lion Server user management ► Security ► Service access

Control a user’s access to services

Use the Server app to control users’ access to services.

You can restrict users’ access to services listed in the Server app except Web and Wiki services. Web and Wiki services have more customizable access control.

For websites, you can limit access on a per-site level. For example, if your server is hosting two websites, www.example1.com and www.example2.com, you can give users access to www.example1.com but not to www.example2.com.

Wikis have their own access controls, so you can restrict who’s allowed to create wikis. When you create a wiki, you can designate others as administrators. Wiki administrators can choose who has access to the wiki and whether they can read and write or just read wiki content.

1. In the Server app, click Users.

2. Control-click the user and choose “Edit Access to Services.”

3. In the dialog that appears, select the checkboxes for services you want the user to access, then click OK.

RELATED TOPICS

Publish a website

Choose group services

Lion Server user management ► Security ► File permissions ► About permissions

Permissions in the Mac OS X Lion environment

An important aspect of computer security involves granting and denying permissions. A permission is the ability to perform a specific operation, such as gaining access to data or executing code. Permissions are granted at the level of folders, files, or applications. Use the Server app to set up file service permissions.

The term privileges refers to the combination of ownership and permissions, while the term permissions refers to the permission settings that each user category can have (Read & Write, Read Only, Write Only, and None).

If you’re new to Mac OS X Lion and aren’t familiar with UNIX-based systems, there are differences in the way ownership and permissions are handled compared to Windows.

To increase security and reliability, Mac OS X Lion sets many system folders (for example, /Library/) to be owned by the root user (literally, a user named root). You can’t change or delete files and folders unless you’re logged in as root.

Be careful—there are few restrictions on what you can do when you log in as root, and changes to system data can cause problems. An alternative to logging in as root is to use the sudo command.

Note: The Finder calls the root user system.

By default, files and folders are owned by the user who creates them. After they’re created, items keep their privileges (a combination of ownership and permissions) even when moved, unless the privileges are explicitly changed by their owner or an administrator.

Therefore, new files and folders you create aren’t accessible by users if they’re created in a folder that users don’t have privileges for. When setting up share points, make sure that items have the correct access privileges for the users you want to share them with.


Kinds of permissions

Mac OS X Lion supports two kinds of file and folder permissions:

Standard Portable Operating System Interface (POSIX) permissions

Access Control Lists (ACLs)

Standard POSIX permissions let you control access to files and folders based on three categories of users: Owner, Group, and Others. Although these permissions give you some control over who can access a file or a folder, they lack the flexibility and granularity that many organizations require in dealing with complex user environments.

This is where ACLs come in handy. An ACL provides an extended set of permissions for a file or folder, and lets you set multiple users and groups as owners. ACLs are also compatible with Windows Server 2003, Windows XP, Windows Vista, and Windows 7, giving you added flexibility in a multiplatform environment.

Lion Server user management ► Security ► File permissions ► About permissions

Standard permissions

There are four types of standard POSIX access permissions that you can assign to a share point, folder, or file: Read & Write, Read Only, Write Only, and None. The following table shows how these permissions affect user access to shared items (files, folders, and share points).

Users can                                       | Read & Write | Read Only | Write Only | None
Open a shared file                              | Yes          | Yes       | No         | No
Copy a shared file                              | Yes          | Yes       | No         | No
Edit a shared file                              | Yes          | No        | No         | No
Move items to a shared folder or share point    | Yes          | No        | Yes        | No
Move items from a shared folder or share point  | Yes          | No        | No         | No

Note: WebDAV has separate permissions settings.

Explicit permissions

Share points and the shared items they contain (including folders and files) have separate permissions. If you move an item to a different folder, it keeps its permissions and doesn’t adopt the permissions of the folder where you moved it.

In the following illustration, the second folder (Designs) and the third folder (Documents) were assigned permissions different from those of their parent folders:

The user categories Owner, Group, and Others

You can assign standard POSIX access permissions separately to three categories of users:

Owner—A user who creates an item (file or folder) on the file server is its owner and automatically has Read & Write permissions for that folder. By default, the owner of an item and the server administrator are the only users who can change its access privileges (but you can enable a group or others to use the item). The administrator can also transfer ownership of the shared item to another user.

Note: When you copy an item to a drop box on a Mac file server, ownership of the item doesn’t change. Only the owner of the drop box or root has access to its contents.

Group—You can put users who need the same access to files and folders in group accounts. Only one group can be assigned access permissions to a shared item. For more information about creating groups, search Help for Users & Groups.

Others—Others is any user (registered user or guest) who can log in to the file server.

Hierarchy of permissions

If a user is included in more than one category of users, each of which has different permissions, these rules apply:

Group permissions override Others permissions.

Owner permissions override Group permissions.

For example, when a user is the owner of a shared item and a member of the group assigned to it, the user has the permissions assigned to the owner.

The more restrictive permissions always take precedence. For example, if a user belongs to a group that has No Access assigned to an item while the Others permissions are set to Read & Write access, the group’s No Access privilege overrides the Others setting, denying the user access to the item.

Client users and permissions

Users of AppleShare Client software can set access privileges for files and folders they own. Users who use Windows file sharing services can also set access privileges.

Standard permission propagation

The Server app lets you specify which standard permissions to propagate. For example, you can propagate only the permission for Others to all descendants of a folder and leave the permissions for Owner and Group unchanged. For more information, see Propagate access permissions.

Lion Server user management ► Security ► File permissions ► About permissions

Access control lists (ACLs)

When standard POSIX permissions aren’t enough, use access control lists (ACLs). An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user and how these permissions are propagated throughout a folder hierarchy.

ACLs in Mac OS X Lion let you set file and folder access permissions for multiple users and groups in addition to standard POSIX permissions. This makes it easy to set up collaborative environments with smooth file sharing and uninterrupted workflows, without compromising security.

ACLs provide an extended set of permissions for a file or folder, to give you more granularity when assigning privileges than standard permissions would provide. For example, rather than giving a user full write permissions, you can restrict him or her to create only folders and not files.

Only the Mac OS Extended volume format provides local file system support for ACLs. In addition, only the SMB and AFP protocols provide network file system support for ACLs, in Windows and Apple networks respectively.

Apple’s ACL model supports 13 permissions for controlling access to files and folders, as described in the following table.

Permission name                  | Type           | Description
Change Permissions               | Administration | User can change standard permissions.
Take Ownership                   | Administration | User can change the file’s or folder’s ownership to himself or herself.
Read Attributes                  | Read           | User can view the file’s or folder’s attributes (for example, name, date, and size).
Read Extended Attributes         | Read           | User can view the file’s or folder’s attributes added by third-party developers.
List Folder Contents (Read Data) | Read           | User can list folder contents and read files.
Traverse Folder (Execute File)   | Read           | User can open subfolders and run a program.
Read Permissions                 | Read           | User can view the file’s or folder’s standard permissions using the Get Info or Terminal commands.
Write Attributes                 | Write          | User can change the file’s or folder’s standard attributes.
Write Extended Attributes        | Write          | User can change the file’s or folder’s other attributes.
Create Files (Write Data)        | Write          | User can create files and change files.
Create Folder (Append Data)      | Write          | User can create subfolders and add data to files.
Delete                           | Write          | User can delete the file or folder.
Delete Subfolders and Files      | Write          | User can delete subfolders and files.

In addition to these permissions, the Apple ACL model defines four types of inheritance that specify how these permissions are propagated:

Apply to this folder: Apply (Administration, Read, and Write) permissions to this folder.

Apply to child folders: Apply permissions to subfolders.

Apply to child files: Apply permissions to the files in this folder.

Apply to all descendants: Apply permissions to descendants. To learn how this option works with the previous two, see Access control entries (ACEs).

The ACL use model

The ACL use model focuses on access control at the folder level, with most ACLs applied to files as the result of inheritance.

Folder-level control determines which users have access to the contents of a folder. Inheritance determines how a defined set of permissions and rules pass from the container to the objects in it.

Without this model, administration of access control would quickly become a nightmare, because you would need to create and manage ACLs on thousands or millions of files.

Controlling access to files through inheritance also frees applications from maintaining extended attributes or explicit ACEs when saving a file, because the system applies inherited ACEs to files. For information about explicit ACEs, see Access control entries (ACEs).

ACLs and standard permissions

You can set ACL permissions for files and folders in addition to standard permissions. For more information about how Mac OS X Lion uses ACL and standard permissions to determine what users can and cannot do to a file or folder, see Access control entries (ACEs).

ACL management

In Mac OS X Lion, you create and manage ACLs in the Server app. The Get Info window in the Finder displays the logged-in user’s effective permissions. For information about setting up and managing ACLs, see Set folder access permissions and Control access to a shared folder.

In addition to using the Server app to set and view ACL permissions, you can also use the ls and chmod command-line tools. For information, see their man pages.

You define ACLs for share points, files, and folders using the Server app.

Lion Server user management ► Security ► File permissions ► About permissions

Access control entries (ACEs)

An ACE is an entry in an ACL that specifies, for a group or a user, access permissions to a file or folder and the rules of inheritance.

What’s stored in an ACE

An ACE contains the following fields:

User or Group. An ACE stores a universally unique ID for a group or user, which permits unambiguous resolution of identity.

Type. An ACE supports two permission types, Allow and Deny, which determine whether permissions are granted or denied.

In the Server app, you can only set the Allow permissions type. You can use the ls and chmod command-line tools to set the Deny permissions type. For information, see their man pages.

Permission. This field stores the settings for the 13 permissions supported by the Apple ACL model.

Inherited. This field specifies whether the ACE is inherited from the parent folder.

Applies To. This field specifies what the ACE permission is for.

Explicit and inherited ACEs

The Server app supports two types of ACEs:

Explicit ACEs, which are those you create in an ACL. See Set folder access permissions.

Inherited ACEs, which are ACEs you created for a parent folder that were inherited by a descendant file or folder.

Note: Inherited ACEs cannot be edited unless you make them explicit.

Understanding inheritance

ACL inheritance lets you specify how permissions pass from a folder to its descendants.

The Apple ACL inheritance model

The Apple ACL inheritance model defines four options that you select or deselect in the Server app to control the application of ACEs (in other words, how to propagate permissions through a folder hierarchy):

Inheritance option       | Description
Apply to this folder     | Apply (Administration, Read, and Write) permissions to this folder
Apply to child folders   | Apply permissions to subfolders
Apply to child files     | Apply permissions to the files in this folder
Apply to all descendants | Apply permissions to all descendants

Note: If you want an ACE to apply to all descendants without exception, you must select the “Apply to child folders” and “Apply to child files” options in addition to the “Apply to all descendants” option.

Mac OS X Lion propagates ACL permissions at two well-defined times:

At file or folder creation time—when you create a file or folder, the kernel determines what permissions the file or folder inherits from its parent folder.

When initiated by administrator tools—for example, when using the Propagate Permissions option in the Server app.

The following figure shows how the Server app propagates two ACEs (managers and design_team) after ACE creation. Bold text represents an explicit ACE and regular text represents an inherited ACE.


ACL inheritance combination

When you set inheritance options for an ACE in the Server app, you can choose from 12 unique inheritance combinations for propagating ACL permissions.

[Figure: the 12 inheritance combinations, each shown as one setting of the four checkboxes Apply to this folder, Apply to child folders, Apply to child files, and Apply to all descendants.]

ACL permission propagation

The Server app lets you force the propagation of ACLs. Although this is done automatically by the Server app, there are cases when you might want to manually propagate permissions:

You can propagate permissions to handle exceptions. For example, you might want ACLs to apply to all descendants except for a subtree of your folder hierarchy. In this case, you define ACEs for the root folder and set them to propagate to descendants. Then, you select the root folder of the subtree and propagate permissions to remove the ACLs from descendants of that subtree.

In the following example, the items in white had their ACLs removed by manually propagating ACLs.

You can propagate permissions in order to reapply inheritance in cases where you removed a folder’s ACLs and decided to reapply them.

You can propagate permissions to clear all ACLs at once instead of going through a folder hierarchy and manually removing ACEs.

When you propagate permissions, the permissions of bundles and root-owned files and folders aren’t changed.

For more information about how to manually propagate permissions, see Propagate access permissions.
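The inheritance options described under “The Apple ACL inheritance model”, the 12 distinct combinations, and the subtree exception above can be checked against a small simulation. The following Python is an added editor’s example, not code from the guide or from Apple: the folder tree, its paths and the ACE settings are constructed samples, and the chmod(1) keyword noted beside each option (directory_inherit, file_inherit, limit_inherit, only_inherit) is the editor’s cross-reference to the command-line tool the text points to.

```python
"""Simulation of the four ACE inheritance options and of manual propagation.
Editor's model of the rules in the text, not Apple's code; the tree below is a
constructed sample.  Option -> chmod(1) keyword is the editor's mapping."""

from itertools import product

OPTIONS = ("this_folder", "child_folders", "child_files", "all_descendants")

# Constructed sample hierarchy: path -> (kind, children)
TREE = {
    "Projects": ("folder", ["Projects/Designs", "Projects/readme.txt"]),
    "Projects/readme.txt": ("file", []),
    "Projects/Designs": ("folder", ["Projects/Designs/Logo", "Projects/Designs/spec.pdf"]),
    "Projects/Designs/spec.pdf": ("file", []),
    "Projects/Designs/Logo": ("folder", ["Projects/Designs/Logo/logo.png"]),
    "Projects/Designs/Logo/logo.png": ("file", []),
}


def make_ace(**flags):
    """Build an ACE option set; unspecified options are deselected."""
    return {name: flags.get(name, False) for name in OPTIONS}


def propagate(tree, root, ace):
    """Return {path: "explicit" | "inherit-only" | "inherited"} for one ACE.

    - "Apply to this folder" off: the ACE sits on root only to be inherited
      (chmod only_inherit) and grants nothing on root itself.
    - "Apply to child folders" / "Apply to child files": which immediate
      children get an inherited copy (chmod directory_inherit / file_inherit).
    - "Apply to all descendants": recursion continues below the immediate
      children (chmod without limit_inherit).  As the note in the text says,
      it has no effect unless child folders is also set, because deeper items
      are only reached through a child folder that carries the ACE.
    """
    result = {root: "explicit" if ace["this_folder"] else "inherit-only"}

    def walk(folder):
        for child in tree[folder][1]:
            kind = tree[child][0]
            if kind == "folder" and ace["child_folders"]:
                result[child] = "inherited"
                if ace["all_descendants"]:
                    walk(child)
            elif kind == "file" and ace["child_files"]:
                result[child] = "inherited"

    walk(root)
    return result


def clear_subtree(tree, subtree_root, assignments):
    """Manual propagation of an empty ACL from subtree_root (the exception case
    in the text): the subtree root and everything under it lose the ACE while
    the rest of the hierarchy keeps it."""
    remaining = dict(assignments)
    stack = [subtree_root]
    while stack:
        path = stack.pop()
        remaining.pop(path, None)
        stack.extend(tree[path][1])
    return remaining


def distinct_combinations(tree, root):
    """Count option settings with different outcomes: the 16 checkbox settings
    collapse to the 12 the text mentions, because "Apply to all descendants"
    changes nothing when "Apply to child folders" is off."""
    outcomes = set()
    for flags in product((False, True), repeat=4):
        outcome = propagate(tree, root, dict(zip(OPTIONS, flags)))
        outcomes.add(frozenset(outcome.items()))
    return len(outcomes)


if __name__ == "__main__":
    everywhere = make_ace(this_folder=True, child_folders=True,
                          child_files=True, all_descendants=True)
    assigned = propagate(TREE, "Projects", everywhere)
    for path, how in assigned.items():
        print(f"{how:13} {path}")
    print("after clearing Projects/Designs:",
          sorted(clear_subtree(TREE, "Projects/Designs", assigned)))
    print("distinct combinations:", distinct_combinations(TREE, "Projects"))
```

Running the module prints the full propagation from Projects, the two items that keep the ACE after the Designs subtree is cleared, and the count of 12 distinct combinations.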

Rules of precedence

Mac OS X Lion uses the following rules to control access to files and folders:

Without ACEs, POSIX permissions apply. If a file or folder has no ACEs defined for it, Mac OS X Lion applies standard POSIX permissions.

With ACEs, order is important. If a file or folder has ACEs defined for it, Mac OS X Lion starts with the first ACE in the ACL and works its way down the list until the requested permission is satisfied or denied.

You can change the ACE order from the command line using the chmod command.

Allow permissions are cumulative. When evaluating Allow permissions for a user in an ACL, Mac OS X Lion defines the user’s permissions as the union of all permissions assigned to the user, including standard POSIX permissions.

After evaluating ACEs, Mac OS X Lion evaluates the standard POSIX permissions defined for the file or folder. Then, based on the evaluation of ACL and standard POSIX permissions, Mac OS X Lion determines the type of access a user has to a shared file or folder.
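The rules above, together with the earlier “Hierarchy of permissions” (Owner overrides Group, Group overrides Others) and the first-entry-wins ordering described under “Set ACL permissions”, can be exercised with a small model. This is an added editor’s example, not Apple’s code or anything from the guide: the share point, the users anne, bob and carol, the teachers group, and the mapping of the standard permission levels onto the 13 ACL permissions are all assumptions made for the example.

```python
"""Model of the access decision: ACEs are walked in list order (a matching
Deny stops evaluation, matching Allows accumulate), then the standard POSIX
category is chosen and its permissions join the union.  Editor's model of the
rules in the text, not Apple's code; users, groups and share are constructed."""

# The 13 Apple ACL permissions grouped by the Type column of the ACL table.
READ_PERMS = {"read_attributes", "read_extended_attributes", "read_data",
              "execute", "read_permissions"}
WRITE_PERMS = {"write_attributes", "write_extended_attributes", "write_data",
               "append_data", "delete", "delete_subfolders_and_files"}
ADMIN_PERMS = {"change_permissions", "take_ownership"}

# Standard levels expressed as the ACL permissions they amount to (editor's
# assumption: Read levels cover the Read rows, Write levels the Write rows).
POSIX_LEVELS = {
    "Read & Write": READ_PERMS | WRITE_PERMS,
    "Read Only": set(READ_PERMS),
    "Write Only": set(WRITE_PERMS),
    "None": set(),
}


def posix_category(user, user_groups, item):
    """Owner overrides Group, and Group overrides Others."""
    if user == item["owner"]:
        return "Owner"
    if item["group"] in user_groups:
        return "Group"
    return "Others"


def evaluate(user, user_groups, item, requested):
    """Decide whether `user` gets every permission in `requested`.

    Returns (allowed, reason).  The first Deny covering any requested
    permission wins; Allows are unioned until the request is satisfied; only
    after the ACL is exhausted do the POSIX permissions join the union."""
    requested = set(requested)
    granted = set()
    for index, ace in enumerate(item.get("acl", [])):
        if ace["who"] != user and ace["who"] not in user_groups:
            continue                      # ACE is for someone else
        if ace["type"] == "Deny":
            blocked = requested & ace["perms"]
            if blocked:
                return False, f"ACE {index} ({ace['who']}) denies {sorted(blocked)}"
        else:
            granted |= ace["perms"]       # Allow permissions are cumulative
            if requested <= granted:
                return True, f"satisfied by Allow ACEs up to entry {index}"
    category = posix_category(user, user_groups, item)
    granted |= POSIX_LEVELS[item["posix"][category]]
    if requested <= granted:
        return True, f"satisfied with POSIX {category} permissions"
    return False, f"missing {sorted(requested - granted)}"


# Constructed sample: a share point owned by root/admin, with a Deny ACE for a
# temporary teacher listed (canonically) before the Allow ACE for the group.
SHARE = {
    "owner": "root",
    "group": "admin",
    "posix": {"Owner": "Read & Write", "Group": "Read & Write", "Others": "Read Only"},
    "acl": [
        {"who": "anne", "type": "Deny", "perms": {"delete"}},
        {"who": "teachers", "type": "Allow", "perms": READ_PERMS | WRITE_PERMS},
    ],
}
GROUPS = {"anne": {"teachers"}, "bob": set(), "carol": {"admin"}}


def reordered(item):
    """The same share point with the Allow ACE listed before the Deny ACE."""
    return dict(item, acl=list(reversed(item["acl"])))


def demo():
    return {
        "anne_write": evaluate("anne", GROUPS["anne"], SHARE, {"write_data"})[0],
        "anne_delete": evaluate("anne", GROUPS["anne"], SHARE, {"delete"})[0],
        # Allow before Deny: the Allow satisfies the request first and the
        # Deny is never reached, which is why canonical order lists Deny first.
        "anne_delete_reordered": evaluate("anne", GROUPS["anne"], reordered(SHARE), {"delete"})[0],
        "bob_read": evaluate("bob", GROUPS["bob"], SHARE, {"read_data"})[0],
        "bob_write": evaluate("bob", GROUPS["bob"], SHARE, {"write_data"})[0],
        "carol_write": evaluate("carol", GROUPS["carol"], SHARE, {"write_data"})[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The `reordered` case is the one to watch: swapping the two entries turns anne’s denied delete into an allowed one without changing a single permission bit, which is the practical reason behind the “Sort an ACL canonically” command later in this section.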

Lion Server user management ► Security ► File permissions ► About permissions

Permissions in practice

Mac OS X Lion combines traditional POSIX permissions with ACLs. This combination provides great flexibility and fine granularity in controlling access to files and folders. However, if you’re not careful in how you assign privileges, it may be hard for you to keep track of how permissions are assigned.

With 17 permissions, you can choose from a staggering 98,304 combinations. Add to that a sophisticated folder hierarchy, many users and groups, and many exceptions, and you have a recipe for considerable confusion.

The following are useful tips and advice to help you get the most out of access control in Mac OS X Lion.

Manage permissions at the group level

Assign permissions to groups first, and assign permissions to individual users only when there is an exception.

For example, you can assign all teachers in a school district Read and Write permissions to a specific share point, but deny Anne Johnson, a temporary teacher, permission to read a specific folder in the share point’s folder hierarchy.

Using groups is the most efficient way of assigning permissions. After creating groups and assigning them permissions, you can add or remove users without reassigning permissions.

Gradually add permissions

Assign only necessary permissions and then add permissions only when needed. As long as you use Allow permissions, Mac OS X Lion combines the permissions.

For example, you can assign the Students group partial reading permissions on an entire share point. Then, where needed in the folder hierarchy, you can give the group more read and write permissions.

Use the deny rule only when necessary

When Mac OS X Lion encounters a Deny permission, it stops evaluating other permissions the user might have for a file or folder and applies the Deny permission. Therefore, use Deny permissions only when absolutely necessary. Keep a record of these Deny permissions so you can delete them when they aren’t needed.

Always propagate permissions

Inheritance is a powerful feature, so take advantage of it. By propagating permissions down a folder hierarchy, you save yourself the time and effort required to manually assign permissions to descendants.

Protect applications from being modified

If you share applications, make sure you set their permissions so that no one except a trusted few can change them. A shared application that anyone can modify is a vulnerability that attackers can exploit in order to introduce viruses or Trojan horses into your environment.

Keep it simple

You can complicate file access management unnecessarily if you’re not careful. Keep it simple. If standard POSIX permissions do the job, use those, but if you must use ACLs, avoid customizing permissions if you don’t need to.

Use simple folder hierarchies if feasible. A little strategic planning can help you create effective and manageable shared hierarchies.

Lion Server user management ► Security ► File permissions ► About permissions

Security considerations

The most effective method of securing your network is to assign correct privileges for each file, folder, and share point you create.

Restricting access to file services

You can use the Server app to restrict which users or groups have access to files, folders, and share points.

Restricting access to everyone

Be careful when creating and granting access to share points, especially if you’re connected to the Internet. Granting access to Everyone could expose your data to anyone on the Internet.

Restricting guest access

When you configure any file service, you can turn on guest access. Guests are users who connect to the server anonymously without entering a user name or password. Users who connect anonymously are restricted to files and folders that have privileges set to Everyone.

To protect your information from unauthorized access, and to prevent people from introducing software that might damage your information or equipment, take the following precautions by using File Sharing in the Server app:

Depending on the controls you want to place on guest access to a share point, consider the following options:

Set privileges for Everyone to None for files and folders that guests shouldn’t access. Items with this privilege setting can be accessed only by the item’s owner or group.

Put all files available to guests in one folder or set of folders and then assign the Read Only privilege to the Everyone category for that folder and each file in it.

Assign Read & Write privileges to the Everyone category for a folder only if guests must be able to change or add items in the folder. Make sure you keep a backup copy of information in this folder.

Disable access to guests or anonymous users over AFP and SMB.

Share individual folders instead of entire volumes. The folders should contain only those items you want to share.

Lion Server user management ► Security ► File permissions ► Manage permissions

Set folder access permissions

You can set file and folder access permissions with the Server app. Mac OS X Lion provides two ways to control access to files and folders: standard permissions and ACL permissions. Standard permissions provide basic control. ACL permissions provide more flexibility and control, but are more complex.

Set standard permissions

You can use the Server app to set standard permissions—Read & Write, Read Only, Write Only, or None—to control access to a folder and its contents. You can set different permissions for one user (the owner), one group, and all other users who log in. You can also set standard permissions on individual files. Standard permissions are also called POSIX permissions.

1. In the Server app sidebar, select the server and then click Storage.

2. Select the folder whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.

3. To grant access to a different user, double-click the current user name and enter a different user account name.

As you type, the Server app looks up matching user accounts and displays them in a list. Clicking a listed user grants access permissions to that user.

4. To grant access to a different group, double-click the current group name and type the name of the new group.

As you type, the Server app looks up matching group accounts and displays them in a list. Clicking a listed group grants access permissions to it.

5. To change the permission level for the user, group, or others, click the current setting in the Permission column and choose a setting from the pop-up menu.

The permission level you set for Others applies to any user who logs in but isn’t the specified user or a member of the specified group.

Set ACL permissions

You can use the Server app to set ACL permissions for a folder or a file. An ACL consists of Access Control Entries (ACEs), which you can add and change.

Each entry applies to a specific user or group. For each entry, you can set 13 permissions, giving you much finer control over access than you have with standard permissions. For example, entries in an ACL can grant delete permission separately from write permission, so a user can edit a file but can’t delete it.

The first entry in the list takes precedence over the second, which takes precedence over the third, and so on. For example, if the first entry denies a user the right to edit a file, other entries that allow the same user editing permissions are ignored. The entries in the ACL also take precedence over standard permissions.

1. In the Server app sidebar, select the server and then click Storage.

2. Select the folder or file whose access permissions you want to change, then choose Edit Permissions from the Action pop-up menu.

3. To add an entry, click the Add button (+) and enter the name of the user or group you want to set specific access permissions for.

As you type, the Server app looks up matching user and group accounts and displays them in a list. Clicking a user or group grants access permissions to the user or group.

4. To change the permission level for an entry, click the current setting in the Permission column and choose a setting from the pop-up menu.

Choice       | Description
Full Control | Has full administration, read, write, and inheritance permissions.
Read & Write | Has full read, write, and inheritance permissions.
Read         | Has full read and inheritance permissions.
Write        | Has full write and inheritance permissions.
Custom       | Doesn’t have full administration, read, write, or inheritance permissions.

By default, each new entry has full read and inheritance permissions.

5. To change detailed permission settings for an entry, click the disclosure triangle next to the entry, optionally click the additional disclosure triangles that appear, and select or deselect permission settings.

For information about the detailed permission settings, see Access control lists (ACLs) and Access control entries (ACEs).

RELATED TOPIC

Remove an ACL entry

Lion Server user management ► Security ► File permissions ► Manage permissions

Propagate access permissions

You can use the Server app to propagate a folder’s permissions to all the folders and files it contains. You can specify which standard permissions to propagate: owner name, group name, owner permissions, group permissions, and permissions for others. You can propagate a folder’s complete ACL, but you can’t propagate individual entries that constitute the ACL.

1. In the Server app sidebar, select the server and then click Storage.

2. Select the folder whose access permissions you want to propagate, and then choose Propagate Permissions from the Action pop-up menu.

3. Select the permissions you want to propagate, and then click OK.

Important: Propagation begins as soon as you click OK, and you can’t undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.

RELATED TOPICS

Remove a folder’s inherited ACL entries

Remove an ACL entry

Lion Server user management ► Security ► File permissions ► Manage permissions

Remove an ACL entry

You can use the Server app to remove ACL permission entries you’ve added. Each entry defines a user’s or group’s access permission to a folder or file.

1. In the Server app sidebar, select the server and then click Storage.

2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.

3. To remove an entry from the permission list, select the entry and click the Delete button (–).

RELATED TOPIC

Set folder access permissions

Lion Server user management ► Security ► File permissions ► Manage permissions

Sort an ACL canonically

When sorting an ACL canonically, the Server app first lists all entries that deny permission, then the entries that grant permission. ACL entries that deny permission have a permission type of Deny. Entries that grant permission have a permission type of Allow.

All ACL entries created with the Server app are the Allow type. Permissions of the Deny type can exist on disks used with Mac OS X v10.6 or earlier. Permissions of the Deny type can be created on Lion Server disks by using the chmod command-line tool. For information about chmod, see its man page.

1. In the Server app sidebar, select the server, and then click Storage.

2. Select the folder or file whose ACL you want to sort, and then choose Edit Permissions from the Action pop-up menu.

3. Choose “Sort Access Control List Canonically” from the Action pop-up menu in the Edit Permissions dialog.

RELATED TOPIC

Set folder access permissions

Lion Server user management ► Security ► File permissions ► Manage permissions

Remove a folder’s inherited ACL entries

If you don’t want inherited ACL entries to apply to a folder or file, you can remove those entries using the Server app.

Unlike explicit ACL entries, inherited ACL entries appear dimmed in the Server app’s dialog for editing access permissions.

1. In the Server app sidebar, select the server and then click Storage.

2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.

3. Choose “Remove Inherited Entries” from the Action pop-up menu in the Edit Permissions dialog.

RELATED TOPICS

Apply ACL inheritance to folders and files

Make inherited ACL entries explicit

Set folder access permissions

Lion Server user management ► Security ► File permissions ► Manage permissions

Make inherited ACL entries explicit

If you want to change inherited ACL entries for a folder or file, you must make the inherited entries explicit.

1. In the Server app sidebar, select the server and then click Storage.

2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.

3. Choose “Make Inherited Entries Explicit” from the Action pop-up menu in the Edit Permissions dialog.

You can now edit the ACL entries.

RELATED TOPICS

Remove a folder’s inherited ACL entries

Set folder access permissions

Lion Server user management ► Security ► File permissions ► Manage permissions

Apply ACL inheritance to folders and files

If you removed all the ACL entries from a folder or file and want to restore inherited entries, you can use the Server app to propagate the parent folder’s ACL. All descendants of the parent folder inherit the propagated ACL.

1. In the Server app sidebar, select the server and then click Storage.

2. Select the parent folder of the item whose ACL inheritance you want to restore, and then choose Propagate Permissions from the Action pop-up menu.

3. Select the Access Control List option, deselect all other options, and then click OK.

Important: Propagation begins as soon as you click OK, and you can’t undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.

RELATED TOPIC

Remove a folder’s inherited ACL entries

Lion Server user management ► Security ► File permissions ► Manage permissions

Common folder permissions

When sharing files and folders between computers, you can set custom permissions to grant or restrict access to those files and folders.

Before you begin setting custom file and folder permissions, you might want to investigate how the file and folder are to be shared, who has access, and what type of access you want users to have. A recommended way to manage file and folder permissions is to create groups of users who share the same privileges.

Depending on your network environment, you can use standard permissions (also referred to as POSIX permissions), ACLs, or both to manage file or folder access.

The following table shows examples of the standard permissions and ACL permissions necessary to configure some common folder-sharing settings.

Folder: Drop box
  ACL (Everyone): Permission Type: Allow. Select the following checkboxes: Traverse Folder, Create Files, Create Folder, and all inheritance options.
  POSIX: Owner: read, write, execute. Group: read, write, execute. Other: write. Set the owner to root and set the group to admin.

Folder: Backup share
  ACL (Everyone): Permission Type: Allow. Select the following checkboxes: List Folder Contents, Create Files, Create Folder.
  POSIX: Owner: read, write, execute. Group: read, write, execute. Other: no permissions. Set the owner to root and set the group to admin.

Folder: Home folder
  ACL (Everyone): Permission Type: Deny. Select the following checkboxes: Delete, Apply to this folder, Apply to all descendants.
  POSIX: Owner: read, write, execute. Group: read only. Other: read only.

Lion Server user management ► Security ► SSL Certificates

Replace certificates

If you've assigned a certificate to a particular service, or to all services as a group, you can replace those certificates. You might replace the default self-signed certificate with one that's been signed by a third-party, or you might need to replace an expired certificate. See Obtaining a Signed Certificate.

If you receive a signed certificate from a third-party, it should have an extension of .cer, .crt, or .p12.

RELATED INFORMATION

Obtain a CA–signed certificate

Lion Server user management ► Security ► SSL Certificates

Create a self-signed certificate

If your server doesn’t have an SSL certificate or if you need another one, start by creating a self-signed certificate.

1. Select the server under Hardware in the Server app sidebar.

2. Click Settings and then click the Edit button at the right of SSL Certificate.

3. From the Action pop-up menu, choose Manage Certificates.

4. Click the Add button (+) and choose Create Self-Signed Certificate from the pop-up menu.

5. In the Name field of the Certificate Assistant, enter your server's fully qualified host name (for example, server.example.com) and click Continue.

Leave the other settings unchanged. Identity Type should be Self Signed Root, Certificate Type should be SSL Server, and “Let me override defaults” should be deselected.

You can choose the new self-signed certificate for the server. For information, see Using an SSL certificate.

You can also use the new self-signed certificate to request a signed certificate from a certificate authority. For instructions, see Obtain a signed certificate.

Lion Server user management ► Security ► SSL Certificates

Import a certificate identity

If you have files containing an SSL certificate and matching private key, you can import them and then use the certificate to secure services provided by your server.

The SSL keys and certificates must be in Privacy Enhanced Mail (PEM) format. If your certificates and keys aren’t in PEM format, you must convert them.

1. In the Finder, locate the files containing the certificate and matching private key, and put the files where you can see them while using Server Preferences (for example, on the desktop).

2. In the Server app, select your server's name under Hardware in the Server app sidebar.

3. In the Settings pane, click the Edit button at the right of SSL Certificate.

4. From the Action pop-up menu, choose Manage Certificates.

5. Click + and then choose Import a Certificate Identity from the menu.

6. Drag the files containing the certificate and private key to the middle of the dialog.

7. Click the Import button and if prompted, enter the private key passphrase.
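Before dragging files into the Import a Certificate Identity dialog, it helps to know which case you are holding: PEM text that imports as-is, a DER-encoded .cer or .crt, or a .p12 bundle that still needs converting to PEM. The following Python checker is an added example, not part of Lion Server or this guide; it uses only the standard library, decides from the PEM and DER structure of the file, and its sample inputs are constructed dummy blobs, not real certificates or keys.

```python
import base64
import re

# One PEM block: label line, optional RFC 1421 headers, base64 body, matching end line.
PEM_BLOCK_RE = re.compile(
    r'-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----',
    re.DOTALL)


def parse_pem(text):
    """Return [(label, der_bytes, encrypted)] for every PEM block in text.

    Raises ValueError when a body is not base64 or does not decode to a DER
    SEQUENCE, which is what a mangled copy-and-paste of a certificate looks like."""
    blocks = []
    for m in PEM_BLOCK_RE.finditer(text):
        label, lines = m.group('label'), m.group('body').splitlines()
        # Legacy OpenSSL encrypted keys carry "Proc-Type:"/"DEK-Info:" header lines
        # before the base64; base64 itself never contains a colon.
        headers = [l for l in lines if ':' in l]
        b64 = ''.join(l.strip() for l in lines if ':' not in l)
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError as exc:
            raise ValueError('%s block is not valid base64: %s' % (label, exc))
        if not der or der[0] != 0x30:
            raise ValueError('%s block does not decode to a DER SEQUENCE' % label)
        encrypted = (label == 'ENCRYPTED PRIVATE KEY'
                     or any(h.startswith('Proc-Type: 4,ENCRYPTED') for h in headers))
        blocks.append((label, der, encrypted))
    return blocks


def sniff_binary(data):
    """Classify a non-PEM file from its DER header.

    A PKCS#12 PFX is SEQUENCE { INTEGER version(3), ... }, so the first element
    inside the outer SEQUENCE is the bytes 02 01 03; an X.509 certificate starts
    with a nested SEQUENCE (0x30) instead."""
    if len(data) < 2 or data[0] != 0x30:
        return 'unknown'
    length_byte = data[1]
    header_len = 2 if length_byte < 0x80 else 2 + (length_byte & 0x7f)
    inner = data[header_len:header_len + 3]
    if inner == b'\x02\x01\x03':
        return 'PKCS12'
    if inner[:1] == b'\x30':
        return 'DER'
    return 'unknown'


def classify(data):
    """Describe what a candidate file holds and what must happen before the
    Server app's Import a Certificate Identity step can use it."""
    report = {'format': 'unknown', 'labels': [], 'has_certificate': False,
              'has_private_key': False, 'needs_passphrase': False, 'action': ''}
    if data.lstrip().startswith(b'-----BEGIN'):
        blocks = parse_pem(data.decode('ascii', 'replace'))
        report['format'] = 'PEM'
        report['labels'] = [label for label, _, _ in blocks]
        report['has_certificate'] = 'CERTIFICATE' in report['labels']
        report['has_private_key'] = any(l.endswith('PRIVATE KEY') for l in report['labels'])
        report['needs_passphrase'] = any(enc for _, _, enc in blocks)
        if report['has_certificate'] or report['has_private_key']:
            report['action'] = 'PEM: ready to import' + (
                ' (expect the private key passphrase prompt)' if report['needs_passphrase'] else '')
        else:
            report['action'] = 'PEM, but no CERTIFICATE or PRIVATE KEY block found'
    else:
        report['format'] = sniff_binary(data)
        report['action'] = {
            'PKCS12': 'PKCS#12 bundle: convert to PEM certificate and key files before importing',
            'DER': 'DER-encoded: convert to PEM before importing',
        }.get(report['format'], 'not recognised as PEM, DER or PKCS#12')
    return report


# --- Constructed samples (not real certificates or keys) ---------------------
# Dummy DER: SEQUENCE { SEQUENCE { INTEGER 1 } }. It has the tag structure the
# checks look for and nothing else.
DUMMY_DER = b'\x30\x05\x30\x03\x02\x01\x01'


def make_pem(label, der, headers=()):
    """Build a PEM block around der, optionally with legacy header lines."""
    head = ''.join(h + '\n' for h in headers) + ('\n' if headers else '')
    body = base64.b64encode(der).decode('ascii')
    return '-----BEGIN %s-----\n%s%s\n-----END %s-----\n' % (label, head, body, label)


SAMPLE_IDENTITY_PEM = make_pem('CERTIFICATE', DUMMY_DER) + make_pem('RSA PRIVATE KEY', DUMMY_DER)
SAMPLE_ENCRYPTED_KEY_PEM = make_pem(
    'RSA PRIVATE KEY', DUMMY_DER,
    ('Proc-Type: 4,ENCRYPTED', 'DEK-Info: AES-128-CBC,00000000000000000000000000000000'))
# Minimal PFX-shaped header: SEQUENCE (2-byte length 10) { INTEGER 3, SEQUENCE {...} }.
SAMPLE_PKCS12 = b'\x30\x82\x00\x0a\x02\x01\x03' + DUMMY_DER

if __name__ == '__main__':
    for name, blob in (('identity.pem', SAMPLE_IDENTITY_PEM.encode()),
                       ('key.pem', SAMPLE_ENCRYPTED_KEY_PEM.encode()),
                       ('identity.p12', SAMPLE_PKCS12), ('server.cer', DUMMY_DER)):
        print(name, classify(blob))
```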

Lion Server user management ► Security ► SSL Certificates

Obtain a CA–signed certificate

If your server requires a signed SSL certificate, use a self-signed certificate to request a signed certificate from an external certificate authority (CA).

To obtain a signed certificate from a CA, you need a self-signed certificate. For instructions on creating a self-signed certificate, see Create a self-signed certificate.

You can obtain a valid signed certificate by using the server’s self-signed certificate to generate a certificate signing request (CSR) file, which you send to a known CA. If your request satisfies the authority, it generates and sends you a signed certificate. There is usually a fee involved with this service.

1. Select the server under Hardware in the Server app sidebar.

2. Click Settings and then click the Edit button at the right of SSL Certificate.


3. From the Action pop-up menu, choose Manage Certificates.

4. In the Manage Certificates sheet, select the self-signed certificate you want to use to generate the CSR.

5. From the Action pop-up menu, choose Generate Certificate Signing Request (CSR).

6. Save the CSR file.

Some certificate authorities ask you to enter the CSR text in a field on a webpage instead of uploading a file. In that case, you can copy and paste the text to the CA's website.

7. Upload the CSR file to a CA following the instructions on their website.

On the CA's website, look for SSL Certificates.

You can use the CA of your choice. Here are a few CAs:

Thawte, Inc. (www.thawte.com)

VeriSign, Inc. (www.verisign.com)

Comodo Group, Inc. (www.comodo.com)

After receiving your signed certificate from the CA, you can use it to replace your self-signed certificate. For information, see Use an SSL certificate.

Lion Server user management ► Security ► SSL Certificates

Use an SSL certificate

Your server can use an SSL certificate to provide additional security for services.

The server can use an SSL certificate to identify itself electronically and communicate securely with users’ computers and other servers on the local network and the Internet. The SSL certificate provides additional security for Address Book, iCal, iChat, mail, and web services. These services can use the certificate to securely encrypt and decrypt data they send to and receive from applications on users’ computers.

You can use the self-signed certificate created for your server when you set it up, or a self-signed certificate you created, but users’ applications won’t trust these and will display messages asking if the user trusts your certificate. Using a signed certificate relieves users from the uncertainty and tedium of manually accepting your certificate in these messages. A man-in-the-middle spoofing attack is possible with a self-signed certificate, but not with a signed certificate, and that means users can trust the services they access.

1. Select the server under Hardware in the Server app sidebar.

2. Click Settings and then click the Edit button at the right of SSL Certificate.

3. From the Action pop-up menu, choose an available certificate.

If the pop-up menu doesn’t contain certificates, create a self-signed certificate. For instructions, see Create a self-signed certificate.

To use a previously generated SSL certificate, import it.

RELATED INFORMATION

Obtain a CA–signed certificate

Replace certificates

User collaboration services ► Address Book service ► About Address Book service

Provide centralized contact information

Address Book service provides a consolidated, server-hosted contact list.

Address Book Server is the contact service for Lion Server. Built on open standard protocols, Address Book Server provides a simple-to-implement, secure, hosted address book solution. You can access personal and group contacts across multiple computers within a workgroup, a small business, or a large corporation.

Address Book Server is the Lion Server–hosted contact management solution for your organization’s needs. It provides the following:

Access to client address books anywhere there's a Web connection

Integration with Address Book, Mail, iCal, and iChat in Mac OS X version 10.6 and later

Compatibility with any applications that use the standard Address Book framework

vCard caching for offline access

Address Book Server provides secure, centralized storage for contact information. The server uses the CardDAV protocol, based on the widely used WebDAV protocol. It stores contacts as standard vCards for easy sharing.

For more information about which clients can access Address Book Server, see Address Book Server client applications.

Address Book Server also lets you access contact information in your organization's directory by including directory users in your Address Book search results.

Before starting Address Book service, you may need to update your network's DNS records.

Start Address Book service

1. In the Server app sidebar, select the service you want to start.

2. Click the On/Off switch to turn on the service.

3. If a dialog asks whether you want to allow Internet access to the service you turned on, click Allow to configure your AirPort device and make the service accessible to Internet users.

Click Don’t Allow if you don’t want the service to be accessible to computers on the Internet, or if you’re not sure. You can change Internet access to services later by selecting your AirPort device in the Server sidebar. For more information, see Manage AirPort port mapping and Wi-Fi login.

The dialog appears only if your AirPort device is listed in the Server sidebar and you turned on a service that the Server app can manage on your AirPort device. These services include Address Book, iCal, iChat, Mail, and Web.

If you have an Internet router that isn’t listed in the Server sidebar, you can configure it to allow Internet access to services. This process is called port forwarding or port mapping. For information, see Router port mapping.

Add users, if needed

1. In the Users pane of the Server app, click the Add button (+).

2. In the Full Name field, enter the user’s name.

The name can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.

3. In the Account Name field, enter the user’s short name.

If you don’t want to use the generated short name, enter a different short name.

After the account is created, you can’t change this short name.

The short name typically is eight or fewer characters, but can be up to 255 Roman characters. Use only the characters a through z, A through Z, 0 through 9, . (period), _ (underscore), or - (hyphen).

Note: If a user has a short name on a Mac, try to use the same short name for the user’s account on the server. Having the same short name helps with the user’s access to services.

4. Enter the user’s password in the Password and Verify fields.

You can use Password Assistant to help you choose a password. Click the button at the right of the Password field to see how secure the password is. The user can change this password in the Users & Groups pane of System Preferences on the user’s computer.

5. To associate a picture with the user account, click the silhouette and select a standard picture, or click Edit Picture for a customized picture.

When you click Edit Picture, you can take a picture with your computer’s camera or choose a graphic file on your computer. After taking or choosing a picture, you can drag the picture to pan it, or use the slider to zoom it. When you finish customizing the picture, click Set.

6. Click Done to create the user account.

Allow directory searches

Directory contact searching lets Address Book Server clients search the directory services Address Book Server is bound to.

This can include Lion Server–based computers that are configured to use Open Directory. It can also include an existing LDAP or Active Directory implementation.

When directory searches are enabled, Address Book Server users can search their own contacts, the directory of users, and other shared directory contacts with a single search.

1. In the Server app, select the Address Book pane.

2. Select Include directory contacts in search.

User collaboration services ► Address Book service ► About Address Book service

Configuration tools

Address Book Server uses two front-end tools for configuration.

serveradmin

Server App

In each case, the front-end tool reads from a configuration plist file (/etc/caldavd/carddavd.plist) to set service parameters. The plist file is an XML property list that specifies server options such as:

The network TCP port to bind to

Whether to use SSL

The names and locations of support files

User collaboration services ► Address Book service ► About Address Book service

Address Book configuration options

You can customize Address Book Server settings using serveradmin for advanced control.

Directory Searching: Allows clients bound to Address Book Server to get contacts and groups from directory servers that Address Book Server is bound to. To change this setting, see Configure directory search for Address Book service.

MaxCollectionsPerHome: The maximum number of address books a user can create. To change this setting, see Change Address Book service user quotas.

MaxResourcesPerCollection: The maximum number of contacts that a user can create in each address book. To change this setting, see Change Address Book service user quotas.

MaxResourceSize: The maximum size in bytes of each contact. To change this setting, see Change Address Book service user quotas.

Authentication: The authentication method required for address book access. To change this setting, see Choose and enable secure authentication for Address Book server.

Host Name: The fully qualified domain name in DNS. It should be in the reverse lookup domain as well. To change this setting, see Change the Address Book server host name.

SSL: Determines whether or not to use SSL encryption of network traffic. To change this setting, see Enable secure network traffic for Address Book server.

HTTP Port Number: The port that Address Book Server uses for connections. The default port is 8800. To change this setting, see Change the Address Book server port number.

Log Level: The degree of granularity with which Address Book Server logs are recorded. The default log level is Info. To change this setting, see Change the Address Book server logging level.

User collaboration services ► Address Book service ► About Address Book service

Start or stop Address Book service

From the command line, use serveradmin to start and stop service.

sudo serveradmin start addressbook

sudo serveradmin stop addressbook

User collaboration services ► Address Book service ► About Address Book service

Address Book Server client applications

Several clients can find users and groups in an Address Book server.

Apple applications

The following Apple applications can use Lion Server’s Address Book Server.

Address Book 5.0 or later: The version of Address Book that ships with Mac OS X v10.6 has built-in support for CardDAV and Address Book Server.

Mail 4.0 or later: The version of Mail that ships with Mac OS X v10.6 has built-in support for Address Book Server, which is configured in the Composing pane of Mail preferences.

iChat 5.0 or later: The version of iChat that ships with Mac OS X v10.6 has built-in support for finding users and groups with Address Book Server.

Contacts app for iOS 4.0 or later: The version of Contacts that ships with iOS 4.0 has built-in support for CardDAV and Address Book Server.

Third-Party applications

Any applications that use the Address Book framework also inherit support for Address Book Server, if the computer is bound to a server that has Address Book Server.

For a client to use Address Book Server, the client must support the CardDAV protocol. Any application that supports the CardDAV protocol works with Address Book Server, although it might not take advantage of Mac OS X–specific additions to the CardDAV protocol.

RELATED TOPIC

Provide centralized contact information

User collaboration services ► Address Book service ► Configure Address Book

Configure directory search for Address Book service

Directory searching lets Address Book service clients search the directory services that Address Book service is bound to. This can include Mac OS X Server v10.5 implementations that are configured with the Directory application. It can also include any existing LDAP or Active Directory implementations.

1. Use serveradmin via the Terminal app to change the EnableSearchAddressBook flag from “false” to “true”.

sudo serveradmin settings addressbook:EnableSearchAddressBook = "true"

The default value for this setting is “false”.

2. Enable either (or both) searching of user accounts available to Address Book Server or public shared contacts (as designated in Mac OS X Server v10.5).

a. To share the user accounts, enter:

sudo serveradmin settings addressbook:DirectoryAddressBook:params:queryUserRecords = "true"

b. To share the contacts, enter:

sudo serveradmin settings addressbook:DirectoryAddressBook:params:queryPeopleRecords = "true"

3. Restart Address Book service.

sudo serveradmin stop addressbook
sudo serveradmin start addressbook

User collaboration services ► Address Book service ► Configure Address Book

Change the Address Book server host name

After setting up Address Book server, you can change the host name of Address Book server. It should be a fully qualified domain name matched with a reverse lookup record. Make the needed changes to your firewall, to allow network access to the server.

1. Use serveradmin via the Terminal app to change the setting.

sudo serveradmin settings addressbook:ServerHostName = "<hostname>"

The default value for <hostname> is blank, meaning it is the hostname of the current server.

Command example:

sudo serveradmin settings addressbook:ServerHostName = "chatter.example.com"

2. Restart Address Book service.

sudo serveradmin stop addressbook
sudo serveradmin start addressbook

User collaboration services ► Address Book service ► Configure Address Book

Change the Address Book server port number

You can change the port number clients use to connect to Address Book Server. When Address Book service is set up, it is set to use TCP port 8800. If you want to change the port, you can do so with the command line. Make the appropriate changes to your firewall, to allow network access to the server.

1. Use serveradmin via the Terminal app to change the setting.

sudo serveradmin settings addressbook:HTTPPort = "<PortNumber>"

The default value for <PortNumber> is “8800”.

Command example:

sudo serveradmin settings addressbook:HTTPPort = "8841"


2. Restart Address Book service.

sudo serveradmin stop addressbook
sudo serveradmin start addressbook

User collaboration services ► Address Book service ► Configure Address Book

Change Address Book service user quotas

Each Address Book user has a disk quota. This quota is the total possible size of all the user’s address books and vCards. Quotas aren’t set on a per-user basis; they are set globally for all users. Each of those settings also affects the calendar server. Don’t let the total of all your users’ quotas exceed the storage capacity of the data store.

1. Use serveradmin via the Terminal app to set the quota limits.

sudo serveradmin set addressbook:MaxCollectionsPerHome = "<Number>"
sudo serveradmin set addressbook:MaxResourcesPerCollection = "<Number>"
sudo serveradmin set addressbook:MaxResourceSize = "<FileSize>"

Key, description, and default value:

MaxCollectionsPerHome: the maximum number of address books a user can create. Default value: 50.

MaxResourcesPerCollection: the maximum number of contacts that a user can create in each address book. Default value: 10000.

MaxResourceSize: the maximum size in bytes of each contact. Default value: 1048576.

Command example:

sudo serveradmin set addressbook:MaxCollectionsPerHome = "100"
sudo serveradmin set addressbook:MaxResourcesPerCollection = "12000"
sudo serveradmin set addressbook:MaxResourceSize = "209715200"

2. Restart Address Book service.

sudo serveradmin stop addressbook
sudo serveradmin start addressbook

User collaboration services ► Address Book service ► Configure Address Book

Choose and enable secure authentication for Address Book server

Users authenticate to Address Book Server through one of the following methods:

Kerberos v.5: This method uses strong encryption and is used in Mac OS X Lion for single sign-on to services offered by Lion Server. It is the recommended authentication method supported by Lion Server. Selecting this method requires the exclusive use of Kerberos authentication.

Digest: This is HTTP Digest access authentication (RFC 2617). It features good encryption of user passwords over the network without the use of a trusted third-party (like the Kerberos realm), and is usable without maintaining a Kerberos infrastructure. Selecting this method requires the exclusive use of Digest authentication.

Basic: This is plain text authentication.

Use serveradmin via the Terminal app to enable MD5 Digest authentication.


sudo serveradmin set addressbook:Authentication:Digest:Enabled = "<setting>"

The default value for <setting> is “yes”.

Command example:

sudo serveradmin set addressbook:Authentication:Digest:Enabled = "yes"

Use serveradmin via the Terminal app to enable Kerberos authentication.

sudo serveradmin set addressbook:Authentication:Kerberos:Enabled = "<setting>"

The default value for <setting> is “yes”.

Command example:

sudo serveradmin set addressbook:Authentication:Kerberos:Enabled = "yes"

If you choose Kerberos authentication, make sure you set the Kerberos principal via the Terminal app.

sudo serveradmin set addressbook:Authentication:Kerberos:ServicePrincipal = "<hostname>"

The default value for <hostname> is “blank”, meaning it is set for the localhost.

Command example:

sudo serveradmin set addressbook:Authentication:Kerberos:ServicePrincipal = "SAMPLE.REALM.EXAMPL…

Use serveradmin via the Terminal app to enable plain text authentication.

sudo serveradmin set addressbook:Authentication:Basic:Enabled = "<setting>"

The default value for <setting> is “no”.

Command example:

sudo serveradmin set addressbook:Authentication:Basic:Enabled = "yes"

Restart Address Book service.

sudo serveradmin stop addressbook
sudo serveradmin start addressbook

User collaboration services ► Address Book service ► Configure Address Book

Enable secure network traffic for Address Book server

When you enable Secure Sockets Layer (SSL), you encrypt all the data sent between Address Book Server and the client. To enable SSL, you must select a certificate. If you use the default self-signed certificate, a client must choose to trust the certificate before it can make a secure connection. You can use a certificate on the server, or choose to use a certificate on another computer.

Use serveradmin via the Terminal app to change the SSL port number.

sudo serveradmin set addressbook:SSLPort = "<PortNumber>"

The default value for <PortNumber> is “8443”.

Command example:

sudo serveradmin set addressbook:SSLPort = "8882"

Use serveradmin via the Terminal app to set the pem SSL certificate source location.

sudo serveradmin set addressbook:SSLCertificate = "<CertLocation>"

The default value for <CertLocation> is “/etc/certificates/”.

Command example:

sudo serveradmin set addressbook:SSLCertificate = "/etc/certificates/"


Use serveradmin via the Terminal app to set the pem private key source location.

sudo serveradmin set addressbook:SSLPrivateKey = "<PrivateKeyLoc>"

The default value for <PrivateKeyLoc> is “/etc/certificates/”.

Command example:

sudo serveradmin set addressbook:SSLPrivateKey = "/etc/certificates/"

Use serveradmin via the Terminal app to set the pem authority chain file source location.

sudo serveradmin set addressbook:SSLAuthorityChain = "<ChainFile>"

The default value for <ChainFile> is “/etc/certificates/”.

Command example:

sudo serveradmin set addressbook:SSLAuthorityChain = "/etc/certificates/"

Use serveradmin via the Terminal app to redirect insecure requests to the SSL port, if needed.

sudo serveradmin set addressbook:RedirectHTTPToHTTPS = "<setting>"

The default value for <setting> is “no”.

Command example:

sudo serveradmin set addressbook:RedirectHTTPToHTTPS = "yes"

Restart Address Book service.

sudo serveradmin stop addressbook
sudo serveradmin start addressbook
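The authentication and SSL settings above interact: Basic authentication only protects passwords once SSL is on and insecure requests are redirected, and Kerberos is the method this guide recommends. The following Python script is an added example, not part of Lion Server or this guide; it parses the key = "value" lines that serveradmin prints for the addressbook service and reports the weak combinations, using a constructed settings dump. The key name addressbook:EnableSSL is an assumption, since the settings table names that setting only as SSL.

```python
import re

# Constructed sample of what `sudo serveradmin settings addressbook` prints,
# in the key = "value" form used by the commands in this section. Not output
# from a real server. The key name addressbook:EnableSSL is an assumption:
# the settings table names that setting only as "SSL".
SAMPLE_SETTINGS = """\
addressbook:HTTPPort = "8800"
addressbook:SSLPort = "8443"
addressbook:EnableSSL = "no"
addressbook:RedirectHTTPToHTTPS = "no"
addressbook:SSLCertificate = "/etc/certificates/"
addressbook:SSLPrivateKey = "/etc/certificates/"
addressbook:SSLAuthorityChain = "/etc/certificates/"
addressbook:Authentication:Basic:Enabled = "yes"
addressbook:Authentication:Digest:Enabled = "yes"
addressbook:Authentication:Kerberos:Enabled = "no"
addressbook:DefaultLogLevel = "warn"
"""

SETTING_RE = re.compile(r'^\s*(?P<key>[\w:.-]+)\s*=\s*"?(?P<value>[^"]*)"?\s*$')


def parse_settings(text):
    """Turn serveradmin's key = "value" lines into a dict; lines that do not
    match (blank lines, error text) are skipped rather than raising."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group('key')] = m.group('value')
    return settings


def is_on(settings, key):
    """serveradmin writes booleans as yes/no here and true/false elsewhere."""
    return settings.get(key, '').strip().lower() in ('yes', 'true', '1')


def audit(settings):
    """Return [(severity, finding)] for the Address Book settings, applying the
    guidance of the authentication and SSL sections above; [] means clean."""
    findings = []
    ssl_on = is_on(settings, 'addressbook:EnableSSL')
    redirect = is_on(settings, 'addressbook:RedirectHTTPToHTTPS')
    basic = is_on(settings, 'addressbook:Authentication:Basic:Enabled')
    kerberos = is_on(settings, 'addressbook:Authentication:Kerberos:Enabled')
    http_port = settings.get('addressbook:HTTPPort', '8800')

    if basic and not ssl_on:
        findings.append(('high', 'Basic (plain text) authentication is enabled and SSL is off: '
                         'passwords cross the network unencrypted'))
    elif basic and not redirect:
        findings.append(('medium', 'Basic authentication is enabled and HTTP is not redirected '
                         'to HTTPS: clients that connect to port %s still send passwords '
                         'in plain text' % http_port))
    if not ssl_on:
        findings.append(('medium', 'SSL is disabled: contact data is not encrypted in transit'))
    if not kerberos:
        findings.append(('low', 'Kerberos is disabled; it is the recommended single sign-on '
                         'method for Lion Server'))
    if ssl_on:
        # The documented default for these is the directory /etc/certificates/,
        # not a PEM file; a trailing slash means nobody pointed them at one.
        for key in ('addressbook:SSLCertificate', 'addressbook:SSLPrivateKey'):
            if settings.get(key, '').endswith('/'):
                findings.append(('medium', '%s is a directory, not a PEM file' % key))
    return findings


def hardened(settings):
    """Copy of settings with the changes the audit asks for (the file paths are
    placeholders to be replaced with the real PEM files)."""
    fixed = dict(settings)
    fixed.update({
        'addressbook:EnableSSL': 'yes',
        'addressbook:RedirectHTTPToHTTPS': 'yes',
        'addressbook:Authentication:Basic:Enabled': 'no',
        'addressbook:Authentication:Kerberos:Enabled': 'yes',
        'addressbook:SSLCertificate': '/etc/certificates/PLACEHOLDER.cert.pem',
        'addressbook:SSLPrivateKey': '/etc/certificates/PLACEHOLDER.key.pem',
    })
    return fixed


if __name__ == '__main__':
    current = parse_settings(SAMPLE_SETTINGS)
    for severity, text in audit(current):
        print('[%s] %s' % (severity, text))
    print('after hardening:', audit(hardened(current)))
```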

User collaboration services ► Address Book service ► Monitoring Address Book

Change the Address Book server logging level

The default logging level for Address Book Server is Warning. The Warning level of logging provides the second-lowest level of detail. You can change this to the lowest level (Error) or a higher level (Info or Debug).

1. Use serveradmin via the Terminal app to change the log level.

sudo serveradmin set addressbook:DefaultLogLevel = "<LogLevel>"

The default value for <LogLevel> is “warn”.

Replace LogLevel with one of the following:

error

warn

info

debug

Command example:

sudo serveradmin set addressbook:DefaultLogLevel = "debug"

2. Restart Address Book service.

sudo serveradmin stop addressbook
sudo serveradmin start addressbook

User collaboration services ► Address Book service ► Monitoring Address Book

View Address Book server logs

You can view and filter the logs to troubleshoot the service or monitor overall service reliability. Address Book Server keeps two logs: one for access (/var/log/caldavd/access.log) and one for errors (/var/log/caldavd/error.log). It shares its logs with the calendar service logs.

Use one of the following command-line tools to read the log files:

less or cat to view the logs

tail to actively watch changes to a log file. For example, to track the error log: tail -f /var/log/carddavd/error.log

For more information about using these command-line tools, see their man pages.
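Beyond reading the logs with less or tail, the access log is where repeated 401 responses from one client show up, which is what a password-guessing run against the CardDAV endpoint looks like to the defender. The following Python script is an added example, not part of Lion Server or this guide; it assumes the Apache combined line layout shown in its constructed sample lines (the guide names the log file but not its format) and reports clients whose failures cluster in a short window, and whether the same client then authenticated successfully.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/caldavd/access.log lines. Assumption: the
# Apache combined layout shown here (CalendarServer appends extra fields after
# the user agent, which the pattern below ignores). Not real log data; the
# addresses come from the documentation ranges.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - alice [14/Oct/2011:09:12:01 +0000] "PROPFIND /addressbooks/users/alice/ HTTP/1.1" 207 2311 "-" "AddressBook/6.0"
198.51.100.7 - - [14/Oct/2011:09:12:03 +0000] "PROPFIND /addressbooks/users/bob/ HTTP/1.1" 401 0 "-" "curl/7.21"
198.51.100.7 - - [14/Oct/2011:09:12:09 +0000] "PROPFIND /addressbooks/users/bob/ HTTP/1.1" 401 0 "-" "curl/7.21"
198.51.100.7 - - [14/Oct/2011:09:12:15 +0000] "PROPFIND /addressbooks/users/bob/ HTTP/1.1" 401 0 "-" "curl/7.21"
198.51.100.7 - - [14/Oct/2011:09:12:22 +0000] "PROPFIND /addressbooks/users/bob/ HTTP/1.1" 401 0 "-" "curl/7.21"
198.51.100.7 - - [14/Oct/2011:09:12:30 +0000] "PROPFIND /addressbooks/users/bob/ HTTP/1.1" 401 0 "-" "curl/7.21"
198.51.100.7 - bob [14/Oct/2011:09:12:41 +0000] "PROPFIND /addressbooks/users/bob/ HTTP/1.1" 207 1870 "-" "curl/7.21"
192.0.2.10 - - [14/Oct/2011:09:20:00 +0000] "PROPFIND /addressbooks/users/alice/ HTTP/1.1" 401 0 "-" "AddressBook/6.0"
192.0.2.10 - alice [14/Oct/2011:09:20:05 +0000] "PROPFIND /addressbooks/users/alice/ HTTP/1.1" 207 2311 "-" "AddressBook/6.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')


def parse_access_log(text):
    """Yield one dict per parsable line; unparsable lines (partial writes,
    rotation markers) are skipped so one bad line does not abort the scan."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            'ip': m.group('ip'),
            'user': None if m.group('user') == '-' else m.group('user'),
            'time': datetime.strptime(m.group('time'), '%d/%b/%Y:%H:%M:%S %z'),
            'method': m.group('method'),
            'path': m.group('path'),
            'status': int(m.group('status')),
        }


def find_auth_bursts(entries, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for clients that produced at least `threshold`
    401 responses inside `window`, and note whether the same client then
    authenticated successfully (which is what a guessed password looks like)."""
    by_ip = defaultdict(list)
    for entry in entries:
        by_ip[entry['ip']].append(entry)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e['time'])
        failures = [e['time'] for e in events if e['status'] == 401]
        burst_end = None
        # Sliding window over the sorted 401 timestamps: any `threshold`
        # consecutive failures that fit inside `window` count as a burst.
        for i in range(threshold - 1, len(failures)):
            if failures[i] - failures[i - threshold + 1] <= window:
                burst_end = failures[i]
                break
        if burst_end is None:
            continue
        later_ok = {e['user'] for e in events
                    if e['time'] > burst_end and e['user'] and 200 <= e['status'] < 300}
        findings[ip] = {
            'failures': len(failures),
            'first_failure': failures[0].isoformat(),
            'burst_end': burst_end.isoformat(),
            'users_later_authenticated': sorted(later_ok),
        }
    return findings


if __name__ == '__main__':
    for ip, summary in find_auth_bursts(parse_access_log(SAMPLE_ACCESS_LOG)).items():
        print(ip, summary)
```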

User collaboration services ► Address Book service ► Monitoring Address Book

View Address Book server vital status

You can find information about the state of Address Book Server, including whether it’s running, when it started running, and how many requests are being made, using the command line.

Use serveradmin via the Terminal app to see vital statistics about the service.

sudo serveradmin status addressbook

User collaboration services ► Calendar service ► Understanding Calendar

Manage shared calendars

iCal Server is the shared calendar service.

Built on open standard protocols, iCal Server provides integration with leading calendaring programs. It’s easy to share calendars, schedule meetings, and coordinate events in a workgroup, a small business, or a large corporation.

iCal Server provides a full calendaring solution, including:

Attachments: Events can have file attachments associated with them, so every event participant can have a copy of a file or meeting agenda.

Delegation (proxy) support: Other users can be authorized to view your calendar events, track subordinates, resources, or other designated calendar users. Proxies allow event-scheduling delegation as well.

Directory support: iCal Server works with Open Directory and Active Directory to provide calendar service for users.

Mail notifications: Event attendees without calendar accounts can get an email invitation with event information.

Event invitations: Users can invite others to an event. When the recipient acknowledges the invitation, the scheduler gets the RSVP.

Detailed access controls: iCal Server fully supports access control lists (ACLs) for events and attachments.

Free/busy browsing: When scheduling an event, a user can see if invitees are available to accept an invitation.

Location and resource scheduling: Resources (projectors, cars, and so forth) and locations can have calendars and can be invited to events.

Multiple calendars: Each person or resource can have multiple calendars. Users can organize their calendars as needed.

Push notification: Changes made to calendars and events are pushed to clients immediately.

Server-side scheduling: Event invitations are processed on the server, freeing the client for better performance.

Before starting iCal service, you might need to update your network’s DNS records.


Start iCal service

1. In the Server app sidebar, select the service you want to start.

2. Click the On/Off switch to turn on the service.

3. If a dialog asks whether you want to allow Internet access to the service you turned on, click Allow to configure your AirPort device and make the service accessible to Internet users.

Click Don’t Allow if you don’t want the service to be accessible to computers on the Internet, or if you’re not sure. You can change Internet access to services later by selecting your AirPort device in the Server sidebar. For more information, see Manage AirPort port mapping and Wi-Fi login.

The dialog appears only if your AirPort device is listed in the Server sidebar and you turned on a service that the Server app can manage on your AirPort device. These services include Address Book, iCal, iChat, Mail, and Web.

If you have an Internet router that isn’t listed in the Server sidebar, you can configure it to allow Internet access to services. This process is called port forwarding or port mapping. For information, see Router port mapping.

Add users, if needed

1. In the Users pane of the Server app, click the Add button (+).

2. In the Full Name field, enter the user’s name.

The name can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.

3. In the Account Name field, enter the user’s short name.

If you don’t want to use the generated short name, enter a different short name.

After the account is created, you can’t change this short name.

The short name typically is eight or fewer characters, but can be up to 255 Roman characters. Use only the characters a through z, A through Z, 0 through 9, . (period), _ (underscore), or - (hyphen).

Note: If a user has a short name on a Mac, try to use the same short name for the user’s account on the server. Having the same short name helps with the user’s access to services.

4. Enter the user’s password in the Password and Verify fields.

You can use Password Assistant to help you choose a password. Click the button at the right of the Password field to see how secure the password is. The user can change this password in the Users & Groups pane of System Preferences on the user’s computer.

5. To associate a picture with the user account, click the silhouette and select a standard picture, or click Edit Picture for a customized picture.

When you click Edit Picture, you can take a picture with your computer’s camera or choose a graphic file on your computer. After taking or choosing a picture, you can drag the picture to pan it, or use the slider to zoom it. When you finish customizing the picture, click Set.

6. Click Done to create the user account.

Create iCal resources and locations

Users and groups aren’t the only parts of a calendaring system. Resources like projectors, microscopes, or cameras, and locations like conference rooms or buildings, must be scheduled, but they can’t keep their own calendar. These resources and locations are like users and groups. They accept event invitations, and they have scheduling constraints. Therefore, they exist as principal entities on the calendar server for other users and groups to include in event invitations.

Using the Server app, you can make a calendar for each resource and location in your organization.

To have a delegate (or proxy) manage a location or resource calendar, the user of the iCal service must already exist before assigning delegate roles.

Created locations and resources are reservable and can be set to accept event invitations automatically or through a delegate.

1. Click Add (+) to add a location or resource.

2. Enter the calendar type:


Location

Resource

3. Enter a name for the location or resource.

4. Choose how the location or resource will accept event invitations and mark the event as “Busy”.

Automatically: Makes the calendar accept all invitations as they are received.

With Delegate Approval: Holds event invitations until the designated delegate approves the invitation. You must provide a delegate.

5. Choose a delegate for the location or resource.

Delegates are required if the location or resource is set to accept invitations with delegate approval. Delegates can also view and edit the resource calendar, even if they don’t approve invitations.

The delegate must be an existing iCal Server user or group. Only one delegated user or group can be assigned.

Enable email invitations

Attendees can be invited via email if they don’t have an iCal Server account.

When using the mail service on the same server as iCal service, iCal Server is already configured to send email notifications. All you have to do is turn on mail notifications and mail service.

When an event attendee is added by email address and the host name of the email address isn’t the same host name as the calendar server, iCal Server can send a message to the attendee with the event information. iCal Server must have its own mail account in the mail system.

iCal Server must be able to send mail to an outgoing mail server (an SMTP server) for relay, so you need the SMTP server host name and listening port. You must also make sure there are no firewalls blocking access to the mail server from the calendar server. The SMTP server must be configured to relay mail from the calendar server as well.

iCal Server also requires access to an incoming mail server, POP or IMAP, for invitation notifications.

These instructions assume the mail servers are configured and functioning.

Email notifications can only be exchanged with external users. Users with an account on your iCal Server will receive a standard invitation in their calendar client software.

1. Create an email user account in the mail system, and note the mail address, account name, and password.

For example, the iCal Server could access the account “[email protected].”

If you need help creating a user account and giving it mail access, see Create a user account.

2. If you aren't using the same server to send mail and serve calendars, get the following settings for the incoming mail server from the mail administrator:

Setting information (example)
Server protocol: POP or IMAP
Email address: [email protected]
Host name: mail.example.com
Listening port: 143
Does mail service use SSL?: yes or no
User name and password: a user name like [email protected]

3. If you aren't using the same server to send mail and serve calendars, get the following settings for the outgoing (SMTP) mail server from the mail administrator:

Setting information (example)
Host name: smtp.example.com
Listening port: 25
Does mail service use SSL?: yes or no
User name and password: a user name like [email protected]
Required authentication method, if any: CRAM-MD5 or Kerberos

4. In the Server app, select the iCal Server pane.

5. Select Allow invitations using email addresses.

6. If you aren't using the same server to send mail and server calendars, click Edit to configure the settings.

7. Enter the Mail server information, and then click Next.

RELATED TOPICS

About calendar resources and locations

Delete iCal resources and locations

User collaboration services ► Calendar service ► Understanding Calendar

About iCal Server configuration tools

iCal Server uses any of four front-end tools.

All these tools read from a configuration plist file (/etc/caldavd/caldavd.plist) to set service parameters. The plist file is an XML property list that specifies server options such as:

The network TCP port to bind to

Whether to use SSL

The names and locations of support files

Tool (description)
Server app: An app that focuses on easy configuration using built-in default settings.
serveradmin: A command-line tool used to automate service configuration tasks and remote administration.
caldavd: A command-line tool used for the command-line interface of Darwin server.
calendarserver_manage_principals: A command-line tool used to add locations and resources to your iCal server.
calendarserver_purge_principals: A command-line tool used to remove locations and resources from your iCal server.

User collaboration services ► Calendar service ► Understanding Calendar

Account settings for iCal clients

To add an iCal Server account to iCal, you must know the following settings for the user name and calendar server location. Some of these settings are usable by other CalDAV clients.

For all accounts

The calendar user’s short name

For example, John Doe might have “johndoe” as a short name.

The calendar user login name

The calendar user login name takes the form <calendar user’s short name>@<iCal Server domain name> in iCal.

The iCal Server domain name

This domain name is the fully qualified domain name of the calendar server (for example, cal.example.com).

You can use only the domain name (for example, example.com) if the domain has an SRV DNS record for calendar service.

The iCal Server port number

This is the TCP port that the iCal Server listens on.

Whether the iCal Server uses SSL encryption or not

The calendar account location for account creation

If automatic discovery fails, the account URL is http://server:port/principals/users/username/

If the calendar client doesn’t support automatic discovery (like Mac OS X v10.5 iCal 3.0), the account URL is http://server:port/calendars/__uids__/<GUID>, where GUID is the user’s globally unique identifier.

Optional

The user GUID

The user GUID is a Distributed Computing Environment (DCE) compatible universally unique identifier string created by the directory service for a user when his or her directory record is created.

It usually looks something like this: 95432C72-0035-4399-9447-8531601AA699.
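As an added example (not part of Apple’s documentation), the following Python helper builds the two account URL forms described above from the settings listed, and rejects a malformed GUID before it reaches a client configuration. It assumes https on the SSL port and the default ports 8008 and 8443 given later in this chapter; the function names are my own.

```python
import re
from typing import Dict, Tuple

# DCE-compatible GUID as issued by the directory service, in the 8-4-4-4-12
# hex form shown above (e.g. 95432C72-0035-4399-9447-8531601AA699).
_GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

# Default listening ports documented for iCal Server; the https-on-SSL-port
# pairing is an assumption of this example.
DEFAULT_HTTP_PORT = 8008
DEFAULT_SSL_PORT = 8443


def parse_login_name(login: str) -> Tuple[str, str]:
    """Split a login of the form <short name>@<iCal Server domain name>."""
    short_name, sep, domain = login.partition("@")
    if not sep or not short_name or not domain or "@" in domain:
        raise ValueError(f"login name must be short_name@domain, got {login!r}")
    return short_name, domain


def caldav_account_urls(server: str, use_ssl: bool, short_name: str,
                        guid: str = "", port: int = 0) -> Dict[str, str]:
    """Return the account URLs a client needs when automatic discovery fails.

    'principal' is the /principals/users/<short name>/ URL; 'legacy' (only
    when a GUID is given) is the /calendars/__uids__/<GUID> URL used by
    clients without automatic discovery, such as Mac OS X v10.5 iCal 3.0.
    """
    if not server or "/" in server or ":" in server:
        raise ValueError(f"server must be a bare host name, got {server!r}")
    if port == 0:
        port = DEFAULT_SSL_PORT if use_ssl else DEFAULT_HTTP_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid TCP port {port}")
    scheme = "https" if use_ssl else "http"
    base = f"{scheme}://{server}:{port}"
    urls = {"principal": f"{base}/principals/users/{short_name}/"}
    if guid:
        if not _GUID_RE.match(guid):
            raise ValueError(f"not a DCE-compatible GUID: {guid!r}")
        # The directory service issues GUIDs in upper-case hex.
        urls["legacy"] = f"{base}/calendars/__uids__/{guid.upper()}"
    return urls


if __name__ == "__main__":
    short, domain = parse_login_name("johndoe@cal.example.com")
    sample_guid = "95432C72-0035-4399-9447-8531601AA699"  # value from the text above
    for name, url in caldav_account_urls(domain, True, short, guid=sample_guid).items():
        print(f"{name}: {url}")
```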

User collaboration services ► Calendar service ► Understanding Calendar

About backing up and restoring calendar files

In addition to backing up the configuration files, you should back up the data store.

The location of the data store is shown in the Settings tab of the iCal Server administration pane of Server Admin.

Because iCal Server files are both postgres database and flat files, you need to use a backup procedure that backs up both kinds of files. You should maintain the original files’ POSIX permissions and ACL entries. Your backup solution must preserve extended attributes.

You don’t need to back up calendar database files in the file hierarchy. They are disposable.

Your backup software needs root access to the /Library/Server/Calendar and Contacts/ folder (or whatever path you configured using serveradmin) and its subfolders to back them up.

Lion Server provides several command-line tools for data backup and restoration:

pg_dump. Use to generate a text file with SQL commands that, when fed back to the server, will recreate the database in the same state as it was at the time of the dump.

psql. Use to read in the text files created by pg_dump.

rsync -E. Use to keep a backup copy of your data in sync with the original. The -E flag is mandatory because it preserves file extended attributes. The rsync tool only copies files that have changed, but always copies extended attributes.

ditto. Use to perform full file-level backups.

asr. Use to back up and restore a volume at disk block level. If asr degrades to file copy mode, rather than block copy mode, it does not copy necessary extended attributes. Make sure asr is performing a block copy, not a file copy.

cp and scp. Use these tools to copy files and preserve extended attributes for iCal Server.

tar, pax, and gzip. Use these tools to archive and compress data for use with iCal Server.

Note: You can use the launchctl command to automate data backup using the mentioned commands. For more information about using launchd, see its man page.

User collaboration services ► Calendar service ► Understanding Calendar

About administration configuration files

Administer iCal Server using the Server app or serveradmin. If the Server app or serveradmin is unavailable, you can configure and run iCal Server from the command line, using built-in tools.

The following files are used to run iCal Server:

/etc/caldavd/caldavd.plist: The main configuration file for caldavd

The file contains an XML property list of server options and provides information such as the port to bind to and whether to use SSL. You can specify the names of other files.

/var/log/caldavd/access.log: The server’s main log file

/var/run/caldavd.pid: The server’s process ID file

/usr/share/caldavd: Implementation and support files

User collaboration services ► Calendar service ► Understanding Calendar

Understanding the data store and file hierarchy for iCal Server

Calendar event data is stored in a postgres database, with some support files in the file system.

This is different from Snow Leopard Server, where all calendar data files were stored on the file system. Now only attachments and the proxy database are stored on the file system. All other calendar data is stored in a database.

When backing up calendar server files, make sure to back up the /Library/Server/Calendar and Contacts/ directory and the postgres databases.

Database files

iCal Server uses database files for various purposes. It uses a postgres database to store calendar data. It uses sqlite files to store proxy relationships. To troubleshoot or resolve problems, an administrator needs to use postgres database queries. Teaching postgres database manipulation is beyond the scope of this topic.

To access the database, you need to use the postgres and pg_ctl command-line tools.

File system files

By default, the root data store location is /Library/Server/Calendar and Contacts/, but you can specify another location using the serveradmin command-line tool. When setting this path in the command-line tool, it is an absolute path.

The Calendar and Contacts folder contains 2 folders: Data and Documents. When setting the location of these two folders in the command-line tool, the paths are relative to the root data store location.

The Data folder contains the sqlite databases for proxies, and an xml list of resources and locations in the calendar system.

The Documents folder contains event attachments.

To access the files, you need root access to the /Library/Server/Calendar and Contacts/ folder and its subfolders (or whatever path you configured using serveradmin).

User collaboration services ► Calendar service ► Understanding Calendar

Calendar proxies and delegates

Users can create and remove calendar events in their own calendars in iCal Server. When users want to have someone else edit their personal calendars, they delegate (or assign a proxy for) calendar management.

iCal Server supports calendar viewing and editing delegates, allowing designated persons to read or write a user’s calendars.

Calendar delegation isn’t configured on the server side. To set up a user or group delegate, you use calendar client software. You use the Server app to choose delegates for resource and location calendars.

To learn how to configure calendar delegation, see the documentation for your calendar client.

User collaboration services ► Calendar service ► Configure Calendar

Setting the iCal Server Host Name

When setting up iCal Server, you specify the host name of the iCal server. Configure the service to use a fully qualified domain name. It should be a fully qualified domain name matched with a reverse lookup record. If left blank, the calendar server defaults to the local hostname.

Make this change in the DNS SRV records before completing this step.

sudo serveradmin set calendar:ServerHostName = "hostname"

Use a fully qualified domain name for hostname.

sudo serveradmin set calendar:ServerHostName = "cal.example.com"

User collaboration services ► Calendar service ► Configure Calendar

Setting the iCal Server port number

You can change the network port numbers that iCal Server uses.

When setting up iCal Server, the server is set to use TCP port 8008 for unencrypted connections and 8442 for SSL connections.

Use serveradmin via the Terminal app to change the unencrypted connection setting.

sudo serveradmin set calendar:HTTPPort = "<PortNumber>"

The default value for <PortNumber> is “8008”.

Command example:

sudo serveradmin set calendar:HTTPPort = "9009"

Use serveradmin via the Terminal app to change the SSL connection setting.

sudo serveradmin set calendar:SSLPort = "<SSLPortNumber>"

The default value for <SSLPortNumber> is “8443”.

Command example:

sudo serveradmin set calendar:SSLPort = "8484"

User collaboration services ► Calendar service ► Configure Calendar

Set iCal push notification server

Apple’s iCal Server supports push notification for calendar invitations and events. Instead of having the calendar client constantly access the calendar server to search for new event invitations, the client maintains a very light network connection and the server informs the client if the client has received an event invitation, or if an event has changed. See About push notification for more information and links to related topics.

User collaboration services ► Calendar service ► Configure Calendar

Enable email invitations

Attendees can be invited via email if they don’t have an iCal Server account.

When using the mail service on the same server as iCal service, iCal Server is already configured to send email notifications. All you have to do is turn on mail notifications and mail service.

When an event attendee is added by email address and the host name of the email address isn’t the same host name as the calendar server, iCal Server can send a message to the attendee with the event information. iCal Server must have its own mail account in the mail system.

iCal Server must be able to send mail to an outgoing mail server (an SMTP server) for relay, so you need the SMTP server host name and listening port. You must also make sure there are no firewalls blocking access to the mail server from the calendar server. The SMTP server must be configured to relay mail from the calendar server as well.

iCal Server also requires access to an incoming mail server, POP or IMAP, for invitation notifications.

These instructions assume the mail servers are configured and functioning.

Email notifications can only be exchanged with external users. Users with an account on your iCal Server will receive a standard invitation in their calendar client software.

1. Create an email user account in the mail system, and note the mail address, account name, and password.

For example, the iCal Server could access the account “[email protected].”

If you need help creating a user account and giving it mail access, see Create a user account.

2. If you aren't using the same server to send mail and serve calendars, get the following settings for the incoming mail server from the mail administrator:

Setting information (example)
Server protocol: POP or IMAP
Email address: [email protected]
Host name: mail.example.com
Listening port: 143
Does mail service use SSL?: yes or no
User name and password: a user name like [email protected]

3. If you aren't using the same server to send mail and serve calendars, get the following settings for the outgoing (SMTP) mail server from the mail administrator:

Setting information (example)
Host name: smtp.example.com
Listening port: 25
Does mail service use SSL?: yes or no
User name and password: a user name like [email protected]
Required authentication method, if any: CRAM-MD5 or Kerberos

4. In the Server app, select the iCal Server pane.

5. Select Allow invitations using email addresses.

6. If you aren't using the same server to send mail and server calendars, click Edit to configure the settings.

7. Enter the Mail server information, and then click Next.

User collaboration services ► Calendar service ► Configure Calendar

Change the calendar data store location

The data store is where the server stores user calendars and event attachments. The default location is /Library/Server/Calendar and Contacts/. Change the default calendar data store location using serveradmin. If you change the data store location, you must set the proper permissions on the new data store location.

The data store location is relative to the local file system, so if the storage location is on a network volume, enter the local file system mount point and not a network URL.

If you have a data store fully populated with user calendars, you must move the files when you change the location. To see how to move the files, see Understanding the data store and file hierarchy for iCal Server.

1. Create a new directory, if needed.

sudo mkdir <new_path>

The value for <new_path> is the new location of the data store.

Command example:

sudo mkdir /Volumes/NetworkDrive/CalendarData/

2. Give the target directory the right permissions.

sudo chown _calendar:_calendar <new_path>
sudo chmod 740 <new_path>

The value for <new_path> is the new location of the data store.

Command example:

sudo chown _calendar:_calendar /Volumes/NetworkDrive/CalendarData/
sudo chmod 740 /Volumes/NetworkDrive/CalendarData/

3. Use serveradmin via the Terminal app to set the location.

sudo serveradmin set calendar:ServerRoot = "<NewLocation>"

Command example:

sudo serveradmin set calendar:ServerRoot = "/Volumes/NetworkDrive/CalendarData/"

User collaboration services ► Calendar service ► Configure Calendar

Changing the maximum attachment size

The maximum attachment size is the maximum total size of all the data in an event, including text in the Notes field.

Each event on a calendar has a file of a determinate size. There is no limit to the total number of external files attached to a single event except for the calendar user’s storage quota, and external attached files do not count against the maximum attachment size.

Use serveradmin via the Terminal app to change the file size in bytes.

sudo serveradmin set calendar:MaximumAttachmentSize = "<file_size>"

The default value for <file_size> is “1048576”.

Command example:

sudo serveradmin set calendar:MaximumAttachmentSize = "2097152"

User collaboration services ► Calendar service ► Configure Calendar

Changing Calendar User Quotas

The calendar server has several different quota types:

the maximum size in bytes for all attachments

the maximum number of calendars a user can create

the maximum number of events and tasks that a user can create in each calendar

the maximum size in bytes of each event or task

You can use the command line to change the user’s quota.

Each calendar user has a disk quota. Quotas are not set on a per-user basis. They are set globally for all users. Do not allow the total of all your users' quotas to exceed the storage capacity of the data store.

Use serveradmin via the Terminal app to set the quota limits.

sudo serveradmin set calendar:UserQuota = "<FileSize>"
sudo serveradmin set calendar:MaxCollectionsPerHome = "<Number>"
sudo serveradmin set calendar:MaxResourcesPerCollection = "<Number>"
sudo serveradmin set calendar:MaxResourceSize = "<FileSize>"

Key: description (default value)
UserQuota: the maximum size in bytes for all attachments (104857600)
MaxCollectionsPerHome: the maximum number of calendars a user can create (50)
MaxResourcesPerCollection: the maximum number of events and tasks that a user can create in each calendar (10000)
MaxResourceSize: the maximum size in bytes of each event or task (1048576)

Command example:

sudo serveradmin set calendar:UserQuota = "209715200"
sudo serveradmin set calendar:MaxCollectionsPerHome = "100"
sudo serveradmin set calendar:MaxResourcesPerCollection = "12000"
sudo serveradmin set calendar:MaxResourceSize = "209715200"

User collaboration services ► Calendar service ► Configure Calendar

Edit Calendar Resources and Locations using the Command Line

Users and groups aren’t the only parts of a calendaring system. Resources like projectors, microscopes, or cameras, and locations like conference rooms or buildings, must be scheduled, but they can’t keep their own calendar. These resources and locations are like users and groups. They accept event invitations, and they have scheduling constraints. Therefore, they exist as principal entities on the calendar server for other users and groups to include in event invitations.

Using calendarserver_manage_principals, you can make a calendar for each resource and location in your organization.

To use resources and locations with iCal Server, you need an Open Directory Master to hold the resource and location records. If users aren’t authenticating to an Open Directory system (for example, if they are authenticating to an Active Directory system), the resource and location records must be in an Open Directory Master server, which is bound to the users' directory system.

These settings can be changed with the calendarserver_manage_principals command-line tool.

The Server app adds calendars for resources and locations to the iCal server, but you use the calendarserver_manage_principals command-line tool to choose delegates for resource and location calendars.

For information on how to use calendarserver_manage_principals, see its man page.

Use calendarserver_manage_principals via the Terminal app to add a resource or location.

sudo calendarserver_manage_principals --add {locations|resources} 'full name' --set-auto-schedul…

Command example:

sudo calendarserver_manage_principals --add locations 'Conference Room' --set-auto-schedule=true

Use calendarserver_manage_principals via the Terminal app to remove a resource or location.

sudo calendarserver_manage_principals --remove {locations|resources} 'full name'

Command example:

sudo calendarserver_manage_principals --remove locations 'Conference Room'

User collaboration services ► Calendar service ► Configure Calendar

Enable email invitations (CLI)

Attendees can be invited via email if they don’t have an iCal Server account.

When using the mail service on the same server as iCal service, iCal Server is already configured to send email notifications. All you have to do is turn on mail notifications and mail service.

When an event attendee is added by email address and the host name of the email address isn’t the same host name as the calendar server, iCal Server can send a message to the attendee with the event information. iCal Server must have its own mail account in the mail system.

iCal Server must be able to send mail to an outgoing mail server (an SMTP server) for relay, so you need the SMTP server host name and listening port. You must also make sure there are no firewalls blocking access to the mail server from the calendar server. The SMTP server must be configured to relay mail from the calendar server as well.

iCal Server also requires access to an incoming mail server, POP or IMAP, for invitation notifications.

These instructions assume the mail servers are configured and functioning.

Email notifications can only be exchanged with external users. Users with an account on your iCal Server will receive a standard invitation in their calendar client software.

1. Set the following parameters using the Terminal.

sudo serveradmin set calendar:Scheduling:iMIP:Enabled = "yes"

2. If you aren't using the same server for mail service, set the following parameters:

sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Server = "<mail server host name>"
sudo serveradmin set calendar:Scheduling:iMIP:Receiving:UseSSL = <yes or no>
sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Username = "<iCal Server’s user name>"
sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Type = "<POP or IMAP>"
sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Password = "<plaintext password>"
sudo serveradmin set calendar:Scheduling:iMIP:Receiving:Port = <POP or IMAP port number>
sudo serveradmin set calendar:Scheduling:iMIP:MailGatewayServer = "localhost"
sudo serveradmin set calendar:Scheduling:iMIP:MailGatewayPort = 62310
sudo serveradmin set calendar:Scheduling:iMIP:Sending:Server = "<SMTP hostname>"
sudo serveradmin set calendar:Scheduling:iMIP:Sending:Port = <SMTP port number>
sudo serveradmin set calendar:Scheduling:iMIP:Sending:Address = "<iCal Server’s user name>"

User collaboration services ► Calendar service ► Configure Calendar

Adding an iCal Server account to an iCal client

If your calendar is hosted on a CalDAV server (for example, through your workplace) you must set up your account in iCal so it can share information with the CalDAV server.

1. Choose iCal > Preferences and then click Accounts.

2. In the bottom-left corner of the preferences pane, click the Add button (+) to add an account.

3. From the Account type pop-up menu, select Automatic.

4. Enter the user short name and calendar server address.

For example, John Doe (with a user short name of “johndoe”) enters “[email protected]”.

The calendar server address is the fully qualified domain name of the calendar server (for example, cal.example.com). You can use only the domain name (for example, example.com) if the domain has an SRV DNS record for calendar service.

5. Click Create.

You return to the Account Information pane of the account.

6. In the Refresh Calendars pop-up menu, specify how often you want your computer to update the information it shares with the server (for example, to look for meeting invitations or update changes you’ve made to your calendar).

7. Set the general times you want to be available for meetings and events.

For example, if you work part time and want coworkers to schedule meetings with you only on weekdays between noon and 5:00 p.m., select Weekdays and enter the times in the adjacent fields.

If your availability includes weekends or only some weekdays, select Custom, click Edit, and then make selections to set your availability.

User collaboration services ► Calendar service ► Configure Calendar

Make iCal Server Host a Wiki Server’s Calendar

An iCal Server can host personal calendars for another Lion Server computer that is offering wiki service.

When a Lion Server computer is running Wiki Server, the “My Page” starting point for wiki users can link to a built-in web calendar. The web calendar is a client for iCal Server and reads and writes to a user’s CalDAV account calendar. However, the computer providing the wiki service doesn’t need to also provide calendar service. You can designate a different server to act as the calendar server.

You might want to do this because:

You choose to spread services across several servers.

You have a calendar server and are adding wiki service.

You have a large, distributed calendar server infrastructure, and moving service on to the web server is impractical.

When you set up iCal Server to provide the calendar service for a wiki, Wiki Server provides access to the calendars, so users who do not have wiki privileges do not have calendar service.

Use serveradmin via the Terminal app to change the setting.

sudo serveradmin set calendar:Authentication:Wiki:Enabled = "<setting>"

The default value for <setting> is “no”.

The other possible value is “yes”.

Command example:

sudo serveradmin set calendar:Authentication:Wiki:Enabled = "yes"

Use serveradmin via the Terminal app to designate the Wiki server.

sudo serveradmin set calendar:Authentication:Wiki:Hostname = "<DNSWikiServer>"

The value for <DNSWikiServer> is the Wiki server's fully qualified domain name.

Command example:

sudo serveradmin set calendar:Authentication:Wiki:Hostname = "wikiweb.example.com"

Use serveradmin via the Terminal app to encrypt the connection.

sudo serveradmin set calendar:Authentication:Wiki:UseSSL = "(yes|no)"

The default value is “no”.

Command example:

sudo serveradmin set calendar:Authentication:Wiki:UseSSL = "yes"

User collaboration services ► Calendar service ► Configure Calendar

Create a calendar on an iCal Server using iCal client

You can create separate calendars for different areas of your life (work, home, school, and so on). The iCal client makes it easy to make new calendars. If you are using some other calendar client (like Sunbird or Outlook), consult that application’s help to create a calendar.

1. Select File > New Calendar > Your CalDAV calendar.

If you do not select a calendar under the CalDAV account, the calendar is created locally, not on the iCal server.

2. Enter a name for your calendar and press the Return key.

User collaboration services ► Calendar service ► Calendar Security

About iCal Server security methods

Security for iCal Server consists of securing the authentication and the data transport.

Secure the authentication

This means using a method of authenticating users that is secure and doesn’t transmit login credentials in clear text over the network. The high-security authentication used pervasively in Lion Server is Kerberos v5.

To learn how to configure secure authentication, see Secure Authentication in iCal Server.

Secure the data transport

This means encrypting the network traffic between the calendar client and the calendar server. When the transport is encrypted, no one can analyze the network traffic and reconstruct the contents of the calendar. iCal Server uses SSL to encrypt the data transport.

To learn how to configure and enable SSL for iCal Server, see Secure iCal Server network traffic and Secure iCal Server network traffic (CLI).

User collaboration services ► Calendar service ► Calendar Security

Secure Authentication in iCal Server

Users authenticate to iCal Server through any combination of the following methods: Kerberos, Digest, or Basic.

You can set the required authentication method using serveradmin. To enable the highest security, choose “Kerberos.” Digest authentication requires no additional configuration.

Important: Neither the iCal app on Lion nor the Calendar app on iOS supports Kerberos authentication.

To use Kerberos authentication, you must have an existing Kerberos password authentication and encryption system in place for users. If you use Kerberos, make the relevant changes to your firewall to allow network access to the Kerberos server from the calendar server.

Authentication type (description)
Kerberos v.5: This method uses strong encryption and is used in Mac OS X Lion for single sign-on to services offered by Lion Server. It is the recommended authentication method supported by Lion Server. Selecting this method requires the exclusive use of Kerberos authentication.
Digest: This is HTTP Digest access authentication (RFC 2617). It features good encryption of user passwords over the network without the use of a trusted third party (like the Kerberos realm), and is usable without maintaining a Kerberos infrastructure. Selecting this method requires the exclusive use of Digest authentication.
Basic: This is plain text authentication.

Use serveradmin via the Terminal app to enable Digest MD5 authentication.

sudo serveradmin set calendar:Authentication:Digest:Enabled = "(yes|no)"

The default value is “yes”.

Command example:

sudo serveradmin set calendar:Authentication:Digest:Enabled = "yes"

Use serveradmin via the Terminal app to enable Kerberos.

sudo serveradmin set calendar:Authentication:Kerberos:Enabled = "(yes|no)"

The default value is “no”.

Command example:

sudo serveradmin set calendar:Authentication:Kerberos:Enabled = "yes"

Use serveradmin via the Terminal app to set the Kerberos Principle hostname.

sudo serveradmin set calendar:Authentication:Kerberos:ServicePrincipal = "<Hostname>"

The default value for <setting> is blank, meaning the localhost.

Command example:

sudo serveradmin set calendar:Authentication:Kerberos:ServicePrincipal = "REALM.EXAMPLE.COM"

Use serveradmin via the Terminal app to change the setting for Basic authentication.

sudo serveradmin set calendar:Authentication:Basic:Enabled = "(yes|no)"

The default value is “no”.

Command example:

sudo serveradmin set calendar:Authentication:Basic:Enabled = "no"

User collaboration services ► Calendar service ► Calendar Security

Secure iCal Server network traffic (CLI)

When you enable Secure Sockets Layer (SSL), you encrypt all data sent between the iCal server and the client.

To enable SSL, you must select a Certificate. If you use the default self-signed certificate, the clients must choose to trust the certificate before they can make a secure connection.

You can choose to use or redirect SSL access. Choosing to use SSL access allows the iCal Server to accept connections on both the unencrypted port and the encrypted SSL port. Redirecting SSL access makes iCal Server listen for and accept connections over the designated SSL port, and redirects requests for the HTTP port to the HTTPS port.

Use serveradmin via the Terminal app to change the SSL port number.

sudo serveradmin settings calendar:SSLPort = "<PortNumber>"

The default value for <PortNumber> is “8443”.

Command example:

sudo serveradmin settings calendar:SSLPort = "8882"

Use serveradmin via the Terminal app to set the location of the PEM SSL certificate file.

sudo serveradmin settings calendar:SSLCertificate = "<CertLocation>"

The default value for <CertLocation> is “/etc/certificates/”.

Command example:

sudo serveradmin settings calendar:SSLCertificate = "/etc/certificates/"

Use serveradmin via the Terminal app to set the location of the PEM private key file.

sudo serveradmin settings calendar:SSLPrivateKey = "<PrivateKeyLoc>"

The default value for <PrivateKeyLoc> is “/etc/certificates/”.

Command example:

sudo serveradmin settings calendar:SSLPrivateKey = "/etc/certificates/"

Use serveradmin via the Terminal app to set the location of the PEM authority chain file.

sudo serveradmin settings calendar:SSLAuthorityChain = "<ChainFile>"

The default value for <ChainFile> is “/etc/certificates/”.

Command example:

sudo serveradmin settings calendar:SSLAuthorityChain = "/etc/certificates/"

Use serveradmin via the Terminal app to redirect insecure requests to the SSL port, if needed.

sudo serveradmin settings calendar:RedirectHTTPToHTTPS = "<setting>"

The default value for <setting> is “no”.

Command example:

sudo serveradmin settings calendar:RedirectHTTPToHTTPS = "yes"

User collaboration services ► Calendar service ► Calendar Security

Secure iCal Server network traffic


The server can use an SSL certificate to identify itself electronically and communicate securely with users’ computers and other servers on the local network and the Internet. The SSL certificate provides additional security for Address Book, iCal, iChat, mail, and web services. These services can use the certificate to securely encrypt and decrypt data they send to and receive from applications on users’ computers.

You can use the self-signed certificate created for your server when you set it up, or a self-signed certificate you created, but users’ applications won’t trust these and will display messages asking if the user trusts your certificate. Using a signed certificate relieves users from the uncertainty and tedium of manually accepting your certificate in these messages. A man-in-the-middle spoofing attack is possible with a self-signed certificate, because a client that accepts a self-signed certificate by hand cannot tell yours from an impostor’s, but not with a signed certificate, and that means users can trust the services they access.

1. Select the server under Hardware in the Server app sidebar.

2. Click Settings and then click the Edit button at the right of SSL Certificate.

3. From the Action pop-up menu, choose an available certificate.

If the pop-up menu doesn’t contain certificates, create a self-signed certificate. For instructions, see Create a self-signed certificate.

To use a previously generated SSL certificate, import it.

User collaboration services ► Calendar service ► Calendar Security

Delete unused events and calendars

For security, privacy, or disk usage reasons, you might need to delete unused calendars.

After calendar files and folders are created in the data store, they are not removed when a user, group, or resource is removed from the directory. This could potentially cause unintended service behavior if a user, group, or resource is created at a future time with the same name as the defunct one.

Important: Delete data with extreme caution. The deletion tool has a “trial run” function that lets you see what would be deleted with a given command without deleting any information.

For more information on calendarserver_purge_principals and calendarserver_manage_principals, see their respective man pages.

1. Use calendarserver_manage_principals via the Terminal app to list the locations or resources.

sudo calendarserver_manage_principals --list-principals (users|groups|locations|resources)

Use “users”, “groups”, “locations”, or “resources” as desired.

Command example:

sudo calendarserver_manage_principals --list-principals locations

This lists all locations or resources, including the name of the location/resource, the record name, and the UUID of the record.

Full name       Record name                           UUID
---------       -----------                           ----
SampleLocation  7697ca41-4d75-40a2-9c57-c507ceea5f9f  7697ca41-4d75-40a2-9c57-c507ceea5f9f

2. Use calendarserver_purge_principals via the Terminal app to delete the events associated with the UUID.

sudo calendarserver_purge_principals UUID

UUID is the UUID of the desired record.

Command example:

sudo calendarserver_purge_principals 7697ca41-4d75-40a2-9c57-c507ceea5f9f
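Because calendar data for a removed directory record lingers until it is purged, it helps to compare the principal listing against the records the directory still has before running any purge command. The following shell script is an added example and not part of Apple’s documentation: it parses listing output in the layout shown above, reports principals whose record name no longer appears in the directory, and prints the purge commands from step 2 for review instead of running them. The listing and the directory record list are constructed sample data; on a real server the record list is assumed to come from your own directory tooling, which this document does not cover.

```shell
#!/bin/sh
# Added example (not from Apple's Lion Server documentation).
# Finds calendar principals whose record name no longer exists in the
# directory and prints a purge plan for review; nothing is deleted here.

# Constructed sample of `calendarserver_manage_principals --list-principals`
# output in the layout shown above (sample data, not captured from a server).
PRINCIPAL_LISTING='Full name       Record name                           UUID
---------       -----------                           ----
SampleLocation  7697ca41-4d75-40a2-9c57-c507ceea5f9f  7697ca41-4d75-40a2-9c57-c507ceea5f9f
Old Projector   0a1b2c3d-1111-4222-8333-444455556666  0a1b2c3d-1111-4222-8333-444455556666'

# Record names the directory still reports, one per line (constructed; on a
# real server this list comes from your directory tooling, which is assumed).
DIRECTORY_RECORDS='7697ca41-4d75-40a2-9c57-c507ceea5f9f'

# orphaned_principals LISTING DIRECTORY_RECORDS
# Prints "UUID<tab>full name" for each principal whose record name is absent
# from DIRECTORY_RECORDS. Full names may contain spaces, so the record name
# and UUID are read from the last two columns rather than by position.
orphaned_principals() {
    printf '%s\n' "$1" | DIR_RECORDS="$2" awk '
        BEGIN {
            n = split(ENVIRON["DIR_RECORDS"], rec, "\n")
            for (i = 1; i <= n; i++) if (rec[i] != "") live[rec[i]] = 1
        }
        NR <= 2 || NF < 3 { next }        # skip header, underline and blank rows
        !($(NF - 1) in live) {
            name = $1
            for (i = 2; i <= NF - 2; i++) name = name " " $i
            print $NF "\t" name
        }
    '
}

# purge_plan LISTING DIRECTORY_RECORDS
# Turns the orphan list into the purge commands from step 2, one per line,
# with the full name as a trailing comment so each line can be checked first.
purge_plan() {
    orphaned_principals "$1" "$2" | awk -F '\t' '
        { print "sudo calendarserver_purge_principals " $1 "   # " $2 }
    '
}

purge_plan "$PRINCIPAL_LISTING" "$DIRECTORY_RECORDS"
```

Review the printed plan against the "trial run" output of the deletion tool before executing any line of it.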

User collaboration services ► Calendar service ► Monitor Calendar

Set logging levels

iCal Server keeps two logs: one for access and one for errors. You can view and filter the logs to troubleshoot the service or monitor overall service reliability.

You can configure logs to give more tailored information.

The settings range from very verbose (reporting everything that’s happening in the server) to very quiet (reporting only the most dire errors).

Levels and descriptions:

Error: Logs only critical errors. This produces the least amount of output, but it is more focused on problems.

Warning: Logs all errors, including innocuous errors like timeouts, and includes critical errors.

Info: Logs normal operating actions as well as errors. This is a fairly detailed log.

Debug: Logs all information of everything to fine detail. Use this setting only for debugging purposes, and then set it back to another level after the log capture is complete.


Use serveradmin via the Terminal app to set the log level.

sudo serveradmin settings calendar:DefaultLogLevel = "log_level_key"

The default log level key is “info”.

Command example:

sudo serveradmin settings calendar:DefaultLogLevel = "debug"

User collaboration services ► Calendar service ► Monitor Calendar

View iCal server logs

iCal Server keeps two logs: one for access and one for errors. You can view and filter the logs to troubleshoot the service or monitor service reliability.

Use tail via the Terminal app to monitor the access log.

tail -F /var/log/caldavd/access.log

Use tail via the Terminal app to monitor the error log.

tail -F /var/log/caldavd/error.log
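The access log is also where repeated authentication failures show up. The following shell script is an added example, not Apple’s code: it reads access log lines in an Apache-style layout (an assumption about the /var/log/caldavd/access.log format, since the document shows no sample line) and reports client addresses that keep receiving 401 responses. The log lines are constructed sample data. Because Digest and Basic are challenge-response schemes, a single 401 followed by success is normal for a fresh session; the threshold, and the check for clients that never succeed at all, separate that from a client that never authenticates.

```shell
#!/bin/sh
# Added example (not from Apple's Lion Server documentation).
# Reports clients that keep getting HTTP 401 responses from iCal Server.
# Assumed line layout (Apache style): ip - user [date tz] "METHOD path proto" status ...
# so the HTTP status is field 9.

# Constructed sample access log lines (not captured from a real server).
SAMPLE_ACCESS_LOG='192.0.2.10 - - [01/Feb/2012:09:00:01 -0800] "PROPFIND /principals/users/alice/ HTTP/1.1" 401 - "-" "iCal/5.0"
192.0.2.10 - - [01/Feb/2012:09:00:02 -0800] "PROPFIND /principals/users/alice/ HTTP/1.1" 401 - "-" "iCal/5.0"
192.0.2.10 - - [01/Feb/2012:09:00:03 -0800] "PROPFIND /principals/users/alice/ HTTP/1.1" 401 - "-" "iCal/5.0"
192.0.2.10 - - [01/Feb/2012:09:00:04 -0800] "PROPFIND /principals/users/alice/ HTTP/1.1" 401 - "-" "iCal/5.0"
192.0.2.10 - - [01/Feb/2012:09:00:05 -0800] "PROPFIND /principals/users/alice/ HTTP/1.1" 401 - "-" "iCal/5.0"
192.0.2.10 - - [01/Feb/2012:09:00:06 -0800] "PROPFIND /principals/users/alice/ HTTP/1.1" 401 - "-" "iCal/5.0"
198.51.100.7 - bob [01/Feb/2012:09:01:00 -0800] "PROPFIND /calendars/users/bob/ HTTP/1.1" 207 1422 "-" "iCal/5.0"
198.51.100.7 - bob [01/Feb/2012:09:01:05 -0800] "REPORT /calendars/users/bob/calendar/ HTTP/1.1" 207 9020 "-" "iCal/5.0"
203.0.113.4 - - [01/Feb/2012:09:02:00 -0800] "PROPFIND /principals/users/carol/ HTTP/1.1" 401 - "-" "iCal/5.0"
203.0.113.4 - carol [01/Feb/2012:09:02:01 -0800] "PROPFIND /principals/users/carol/ HTTP/1.1" 207 1390 "-" "iCal/5.0"'

# failed_auth_sources LOG_TEXT MIN
# Prints "client-ip count" for each client with at least MIN 401 responses,
# sorted by address.
failed_auth_sources() {
    printf '%s\n' "$1" | awk -v min="$2" '
        $9 == 401 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }
    ' | sort
}

# never_authenticated LOG_TEXT
# Prints clients that received a 401 but no non-401 status at all: the
# challenge is never answered successfully, unlike the normal
# challenge-then-207 pattern seen for carol above.
never_authenticated() {
    printf '%s\n' "$1" | awk '
        $9 == 401 { challenged[$1] = 1 }
        $9 ~ /^[0-9]+$/ && $9 != 401 { succeeded[$1] = 1 }
        END { for (ip in challenged) if (!(ip in succeeded)) print ip }
    ' | sort
}

failed_auth_sources "$SAMPLE_ACCESS_LOG" 5
never_authenticated "$SAMPLE_ACCESS_LOG"
```

To run it against the real log, pass the file contents, for example failed_auth_sources "$(cat /var/log/caldavd/access.log)" 5; a client listed by both functions is worth a closer look in the error log.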

User collaboration services ► Calendar service ► Monitor Calendar

Rotating access logs

Service logs sometimes require archiving. Rotating the logs regularly can improve performance in searching the logs and reduce used disk space. Enabling this setting allows logs to be archived and refreshed.

sudo serveradmin settings calendar:RotateAccessLog = yes

User collaboration services ► Calendar service ► Manage Calendar

Create the iCal Server’s Service Access Control List

You determine if a user can authenticate to an iCal Server by adding him or her to a group called com.apple.access_calendar. You can use the Server Admin service access feature to add the users and groups to the group.

If you manage users using Workgroup Manager and want to add calendar permissions to a user, you must add the user to the iCal SACL list.

If you manage users with Server App and add calendar permissions to a user, the user gets the correct service access control list (SACL) setting for calendar use automatically.

1. Add a user to the group. You must provide the directory administrator password.

dseditgroup -o edit -n /LDAPv3/LDAP_server_hostname -u directory_admin_username -p -a username -…

dseditgroup -o edit -n /LDAPv3/directory.example.com -u diradmin -p -a john_appleseed -t user co…

2. Add a group to the group. You must provide the directory administrator password.

dseditgroup -o edit -n /LDAPv3/LDAP_server_hostname -u directory_admin_username -p -a group_to_b…

dseditgroup -o edit -n /LDAPv3/directory.example.com -u diradmin -p -a staff -t group com.apple.…

User collaboration services ► Calendar service ► Manage Calendar

Create the iCal Server’s Service Access Control List


1. Open Server Admin and select the server from the Servers list.

2. Click Access.

3. From the Service list, make sure “For all services” or “iCal Server” is selected.

“For all services” makes changes to all services. Selecting “iCal Server” only changes the SACL for iCal Server.

4. To provide unrestricted access to iCal Server, click “Allow all users and groups”.

5. To restrict access to specific users and groups:

a. Select Allow only users and groups below.

b. Click the Add button (+) to open the Users & Groups drawer.

c. Drag users and groups from the Users & Groups drawer to the list.

6. To provide push notification, repeat these steps for iChat server as well.

User collaboration services ► Calendar service ► Resources and locations

About calendar resources and locations

Users and groups aren’t the only parts of a calendaring system. Resources like projectors, microscopes, or cameras, and locations like conference rooms or buildings, must be scheduled, but they can’t keep their own calendar. These resources and locations are like users and groups. They accept event invitations, and they have scheduling constraints. Therefore, they exist as principal entities on the calendar server for other users and groups to include in event invitations.

You can make a calendar for each resource and location in your organization.

RELATED TOPICS

Create iCal resources and locations

Delete iCal resources and locations

User collaboration services ► Calendar service ► Resources and locations

Delete iCal resources and locations

You can remove iCal service resource and location calendars.

1. Before deleting the location or resource, delete the events associated with them.

a. Use calendarserver_manage_principals via the Terminal app to list the locations or resources.

sudo calendarserver_manage_principals --list-principals (locations|resources)

Use “locations” or “resources” as desired.

Command example:

sudo calendarserver_manage_principals --list-principals locations

This lists all locations or resources, including the name of the location/resource, the record name, and the UUID of the record.

Full name    Record name                           UUID
---------    -----------                           ----
Test Room 1  7697ca41-4d75-40a2-9c57-c507ceea5f9f  7697ca41-4d75-40a2-9c57-c507ceea5…

b. In the list, find the resource or location you want to remove.


c. Use calendarserver_purge_principals via the Terminal app to delete the locations or resources using the UUID of the record.

sudo calendarserver_purge_principals UUID

UUID is the UUID of the desired record.

Command example:

sudo calendarserver_purge_principals 7697ca41-4d75-40a2-9c57-c507ceea5f9f

2. In the iCal Server pane of Server app, select a location or resource.

3. Click Remove (–).

RELATED TOPICS

About calendar resources and locations

Create iCal resources and locations

User collaboration services ► Calendar service ► Resources and locations

Create iCal resources and locations


Using the Server app, you can make a calendar for each resource and location in your organization.

To have a delegate (or proxy) manage a location or resource calendar, the user of the iCal service must already exist before assigning delegate roles.

Created locations and resources are reservable and can be set to accept event invitations automatically or through a delegate.

1. Click Add (+) to add a location or resource.

2. Enter the calendar type:

Location

Resource

3. Enter a name for the location or resource.

4. Choose how the location or resource will accept event invitations and mark the event as “Busy”.

Automatically: Makes the calendar accept all invitations as they’re received.

With Delegate Approval: Holds event invitations until the designated delegate approves the invitation. You must provide a delegate.

5. Choose a delegate for the location or resource.

Delegates are required if the location or resource is set to accept invitations with delegate approval. Delegates can also view and edit the resource calendar, even if they don’t approve invitations.

The delegate must be an existing iCal Server user or group. Only one delegated user or group can be assigned.

RELATED TOPICS

About calendar resources and locations

Delete iCal resources and locations

User collaboration services ► Calendar service ► Resources and locations

Setting a delegate using iCal client

A read-only delegate is another user who can see your calendar items, including free-busy times, but not change them. Sometimes this is called a proxy user.

This setting is useful for locations and resources. If you make a user or group a read-only delegate for the resource, the delegate can see the details of the resource’s use, rather than only whether the resource is busy.

Delegates can also be made to read and write to your calendar. You might have another person add or delete events on your calendar. This is a good feature for users with administrative assistants.

Delegates can only be chosen from iCal Server users in the same authentication directory as you. For example, if your user credentials are stored in a directory like Open Directory, the delegate must also be a user in your Open Directory system.

1. In iCal, open Preferences > Accounts.

2. Select the account to share with the delegate.

3. Select the Delegation tab.

4. Click the Edit button next to “Manage access to my account.”

5. In the sheet that drops down, click the Add button (+).

6. Enter the account name to designate as a delegate.

If you want the delegate to change your calendar, check Allow Write.

7. Click Done.

User collaboration services ► iChat service ► Understanding iChat

Provide instant messaging

iChat Server provides instant messaging within and outside a server user's organization.

iChat Server lets users collaborate by chatting and sharing information using instant messaging and data transfer. This real-time interaction between computer users promotes collaboration without the delay of mail responses and blog postings or the expense of telephone communication or face-to-face meetings.

This collaboration might include:

Brainstorming solutions, making plans, reporting progress, and exchanging design images

Exchanging weblinks and files for use as real-time references, or for follow-up viewing

Generating iChat transcripts when you want a written record of interactions without taking notes

Conducting weekly staff or project meetings, which can also facilitate collaboration among geographically dispersed team members

Using built-in computer microphones for audio chat

Using video cameras for videoconferencing—a direct, personal, and engaging form of collaboration

Before starting iChat service, you may need to update your network's DNS records.

Start iChat service

1. In the Server app sidebar, select the service you want to start.

2. Click the On/Off switch to turn on the service.

3. If a dialog asks whether you want to allow Internet access to the service you turned on, click Allow to configure your AirPort device and make the service accessible to Internet users.

Click Don’t Allow if you don’t want the service to be accessible to computers on the Internet, or if you’re not sure. You can change Internet access to services later by selecting your AirPort device in the Server sidebar. For more information, see Manage AirPort port mapping and Wi-Fi login.

The dialog appears only if your AirPort device is listed in the Server sidebar and you turned on a service that the Server app can manage on your AirPort device. These services include Address Book, iCal, iChat, Mail, and Web.

If you have an Internet router that isn’t listed in the Server sidebar, you can configure it to allow Internet access to services.


This process is called port forwarding or port mapping. For information, see Router port mapping.

Create a user account

You can create a user account for each person who uses the services provided by your server.

1. In the Users pane of the Server app, click the Add button (+).

2. In the Full Name field, enter the user’s name.

The name can be up to 255 characters (or as few as 85 Japanese characters), and can include spaces.

3. In the Account Name field, enter the user’s short name.

If you don’t want to use the generated short name, enter a different short name.

After the account is created, you can’t change this short name.

The short name typically is eight or fewer characters, but can be up to 255 Roman characters. Use only the characters a through z, A through Z, 0 through 9, . (period), _ (underscore), or - (hyphen).

Note: If a user has a short name on a Mac, try to use the same short name for the user’s account on the server. Having the same short name helps with the user’s access to services.

4. Enter the user’s password in the Password and Verify fields.

You can use Password Assistant to help you choose a password. Click the button at the right of the Password field to see how secure the password is. The user can change this password in the Users & Groups pane of System Preferences on the user’s computer.

5. To associate a picture with the user account, click the silhouette and select a standard picture, or click Edit Picture for a customized picture.

When you click Edit Picture, you can take a picture with your computer’s camera or choose a graphic file on your computer. After taking or choosing a picture, you can drag the picture to pan it, or use the slider to zoom it. When you finish customizing the picture, click Set.

6. Click Done to create the user account.

Allow iChat Buddies From Other Servers

iChat service can let your chat server communicate with other servers using iChat service, allowing buddies from other servers besides your own. Server-to-server chat communication is called federation. If you want to control which servers can be federated with your own, see Approve server-to-server chat connections.

To establish communication between servers on different networks, administrators must configure domain name server (DNS),network address translation (NAT), and firewalls, as needed.

1. In the Server app, select the iChat service pane.

2. Click Enable server-to-server federation.

If this is the first time you've enabled federation, a configuration sheet appears. Otherwise, click Edit to get the configuration sheet.

3. Select Require secure server-to-server federation to restrict communication to SSL encrypted connections.

Secure federation requires the federated server to accept SSL encrypted connections. You can change which SSL certificate is used for encryption by using the certificate management feature of Server app. For more information, see Use an SSL certificate.

Save chat transcripts

An iChat client can be configured to record its own chat transcripts.

The iChat Server can also be configured to record all chat messages.

The client recording capability is useful to the individual iChat user, while the server message logging capability is intended for administrative and auditing purposes.

Chat transcripts are saved at /Library/Server/iChat/Data/message_archives.

1. In the Server app, select the iChat service pane.


2. Click Archive all chat messages.

RELATED TOPICS

Change a user’s account settings

Change a user’s group membership

Change a user’s or group’s name

Change a user’s or group’s picture

Delete a user account

Import users from another network account server

RELATED TOPICS

Provide instant messaging

Approve server-to-server chat connections

Save chat transcripts

About iChat Server technologies

About secure connections for iChat Server

RELATED TOPICS

Provide instant messaging

Allow iChat Buddies From Other Servers

Approve server-to-server chat connections

About iChat Server technologies

About secure connections for iChat Server

User collaboration services ► iChat service ► Understanding iChat

iChat Service setup overview

Here is an overview of the steps for setting up iChat service.

Step 1: Configure and start Open Directory

iChat uses Open Directory to authenticate users, so Open Directory must be configured before setting up iChat.

Set up an Open Directory master

Step 2: (Optional) Set up the Firewall service

If you are using a firewall, iChat requires specific ports to be open for iChat features to function.

For more information about configuring Firewall service, see:

Configure for standard services

Configure for standard services (CLI)

Step 3: Turn the iChat service on

Before you configure iChat, turn it on.

Start a service

Step 4: Configure iChat advanced settings

Configure additional settings to add host domains, select an SSL certificate, choose your authentication method, and enable server-to-server federation.

Configure iChat advanced settings

Step 5: Configure iChat logging settings

Change message logging settings to specify where to archive the iChat message logs. Set syslog levels for service activity.

Log all iChat messages

Set iChat service error log levels

Step 6: Restart iChat

Restart iChat on the server.


User collaboration services ► iChat service ► Understanding iChat

About integrating iChat service with directory services

As with other services, iChat authentication is based on Open Directory or any other Lightweight Directory Access Protocol (LDAP) server bound to the iChat Server.

Integrating with Directory Services

iChat accesses user accounts through directory services and cannot directly access the LDAP server. You can also bind your server to other LDAP servers, enabling users on other LDAP servers to authenticate with your iChat Server.

User collaboration services ► iChat service ► Understanding iChat

Understanding iChat screen names

iChat screen names look a lot like email addresses. They consist of a user name and an associated iChat server.

iChat screen names are Jabber IDs and use the general format user-short-name@iChat-domain-name (for example,[email protected]).

The user-short-name component is the short name of a user defined in the Open Directory search path of the iChat Server. The iChat-domain-name component identifies the iChat Server.

To use iChat, you must have a Jabber ID and you must know the Jabber IDs of everyone you want to chat with. Your Jabber ID is created when your user account is created in Open Directory.

User collaboration services ► iChat service ► Understanding iChat

Set up Open Directory before iChat service

iChat uses Open Directory to authenticate users and service access control lists (SACLs) to verify that users are authorized to use iChat.

Before you can use iChat:

You must be defined in the Open Directory search path of that server.

You must be authorized to use iChat service on that server.

User collaboration services ► iChat service ► Understanding iChat

Clients for iChat service

You can use any Jabber client with iChat service. You can use any instant messaging application with iChat service as long as the application supports the Jabber protocol. iChat supports instant messaging applications on Windows, Linux, and popular personal digital assistants (PDAs).

User collaboration services ► iChat service ► Understanding iChat

iChat configuration file locations

iChat configuration settings are stored in configuration files that correspond to the main jabberd process and to each of its component processes. These files define settings for the Jabber server and XMPP features supported by Jabber.

Components and locations:

jabberd (startup and watchdog script): /etc/jabberd/jabberd.cfg

router (inter-module message routing): /etc/jabberd/router.xml

sm (session manager): /etc/jabberd/sm.xml

C2S (client-to-server communications): /etc/jabberd/c2s.xml

S2S (server-to-server communications): /etc/jabberd/s2s.xml

Multi-user chat room configuration: /etc/jabberd/Rooms.plist

User collaboration services ► iChat service ► Understanding iChat

iChat service log locations

There are three log locations for iChat service.

iChat service logs are located in the following locations:

The iChat service log is located in /var/log/system.log.

The iChat file proxy log is located in /private/var/jabberd/log/proxy65.log.

The iChat service migration log is located in /Library/Logs/Migration/jabbermigrator.log.

User collaboration services ► iChat service ► Understanding iChat

Firewall ports for iChat service

iChat requires specific ports to be open on your server.

If you have a firewall configured or you are using the Lion Server firewall, you must open these ports before you can use iChat.

If you run iChat Server on a secure network behind a firewall, you don’t need to configure firewall settings as long as communication between users is within the network. Firewall settings are required when communicating outside the firewall.

Depending on the iChat functions you require, make sure the following ports are open.

Ports and descriptions:

1080: SOCKS5 protocol uses this port for file transfers.

5060: iChat Session Initiation Protocol (SIP), required to use audio or video chat.

5190: iChat Instant Messenger. This is the only port required for basic Instant Messenger use.

5222 TCP: This port is used exclusively for TLS connections if an SSL certificate is enabled. Otherwise, this port is used for nonencrypted connections. TLS encryption is preferred, because TLS connections are more secure than legacy SSL connections.

5223 TCP: This port is used for legacy SSL connections if an SSL certificate is enabled.

5269 TCP: This port is used for encrypted TLS server-to-server connections, as well as nonencrypted connections. TLS encryption is preferred, because TLS connections are more secure than legacy SSL connections.

5678: iChat uses this local UDP port to determine the user’s external IP address.

5297, 5298: Older versions of iChat use these ports for Bonjour IM. (Mac OS X v10.5 and later use dynamic ports.)

7777: The Jabber Proxy65 module uses this port for the iChat Server file transfer proxy.

16402: In Mac OS X 10.5 or later, this port can be used for SIP signaling.

16384-16403: Mac OS X 10.4 and earlier use these ports for audio or video chat. Audio and video packets are sent using RTP and RTCP, and traffic is exchanged in .Mac (MobileMe) to determine the user’s external port information.

User collaboration services ► iChat service ► Understanding iChat

Start or stop iChat service (CLI)

You can start and stop iChat service using the command line.

sudo serveradmin start jabber

sudo serveradmin stop jabber

User collaboration services ► iChat service ► Configuring iChat

Configure iChat advanced settings

You use serveradmin to add host domains, choose an SSL certificate and authentication method, and configure XMPP server-to-server federation settings.

Set the iChat authentication method

iChat supports three methods of authentication: standard, Kerberos, or any.

The "standard" method enables all methods except for plain authentication when no SSL is enabled. The "Kerberos" methodenables only Kerberos authentication. The "any" method enables all possible authentication types.

Administrators must use Server app, Server Admin, or serveradmin to configure an Open Directory master (with Kerberos enabled) to allow Kerberos authentication. Otherwise, the server can be configured to use the Kerberos Domain Controller (KDC) on another host. However, the Kerberos realm hosted by the KDC must match the realm served by the iChat Server.

Kerberos authentication is the most secure.

Use serveradmin via the Terminal app to change the setting.

sudo serveradmin settings jabber:authLevel = "<METHOD>"

The default value for <METHOD> is ANYMETHOD.

The other possible values are STANDARD and KERBEROS.

Command example:

sudo serveradmin settings jabber:authLevel = "STANDARD"

Use SSL encryption with iChat service

You can maximize the privacy of chats by implementing SSL with iChat service. SSL uses a digital certificate to validate the identity of the server and to establish secure, encrypted data exchanges for client-to-server and server-to-server connections.

iChat uses SSL to encrypt chat messages that are sent over the network. However, if your iChat Server is logging chat messages, the messages are stored on the server in an unencrypted format. These unencrypted chat messages can be easily viewed by your server administrator. For information about message logging, see Set iChat service error log levels.

The digital certificate can be a self-signed certificate or a certificate imported from a certificate authority. For information about defining, obtaining, and installing certificates on your server, see Use an SSL certificate.

Use serveradmin via the Terminal app to set the certificate locations to require encryption.

sudo serveradmin settings jabber:sslCAFile = "Certificate authority pem file location"
sudo serveradmin settings jabber:sslKeyFile = "Key file pem location"

The default locations for Certificate authority pem file location and Key file pem location are “/etc/certificates/cert.chain.pem” and “/etc/certificates/cert.concat.pem”.


Command example:

sudo serveradmin settings jabber:sslCAFile = "/etc/certificates/example.private.2413CD435CEA9484…
sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/example.private.2413CD435CEA948…

Use serveradmin via the Terminal app to set the network ports for SSL traffic.

sudo serveradmin settings jabber:jabberdClientPortSSL = "port"

The default value for <port> is “5223”.

Command example:

sudo serveradmin settings jabber:jabberdClientPortSSL = "15223"

Set up iChat service on virtually hosted domains

You can provide iChat service to users of virtual domains on the server.

iChat requires that your host have a host name that is resolvable using DNS. This host name is used as the Jabber realm by the iChat Server, and clients use this realm to connect to the service.

Clients use a Jabber Identifier (JID) to authenticate and interact with the server. The JID uses the format user@realm (for example, [email protected]). In this example, your iChat Server would be configured to host the realm chatserver.example.com.

DNS resolution directs clients to your server when they resolve that host name. To support multiple realms, DNS should be configured appropriately. For more information, see Overview of DNS setup.

Use serveradmin via the Terminal app to add hosted chat domains.

sudo serveradmin settings jabber:hostsCommaDelimitedString = "FQDN,FQDN2"

The default value for FQDN is the iChat server's host name.

The other possible values are fully qualified domain names separated by commas.

Command example:

sudo serveradmin settings jabber:hostsCommaDelimitedString = "chatserver.example.com,chat.exampl…

Set up server-to-server iChat communication

When S2S federation is enabled, communication with most other XMPP-compliant chat servers is enabled, including the ability to federate with other jabber services like Google Talk.

Using serveradmin, you can take advantage of additional options for securing S2S communications. These options include limiting the domains you can connect to.

To establish communication between servers on different networks, administrators must configure domain name server (DNS),network address translation (NAT), and firewalls, as needed.

1. Use serveradmin via the Terminal app to define the network port for federation.

sudo serveradmin settings jabber:jabberdS2SPort = "port"

The default value for port is “5269”.

Command example:

sudo serveradmin settings jabber:jabberdS2SPort = "15269"

2. Use serveradmin via the Terminal app to require SSL connections for federation.

sudo serveradmin settings jabber:requireSecureS2S = "setting"

The default value for setting is “no”.

The other possible value is “yes”.

If you need to set SSL certificate information, see Use SSL encryption with iChat service.

Page 353: Lion Server_ Advanced Administration

Command example:

sudo serveradmin settings jabber:requireSecureS2S = "yes"

3. Use serveradmin via the Terminal app to limit domains your server connects to.

a. First, set the domain restriction flag.

sudo serveradmin settings jabber:s2sRestrictDomains = "setting"

The default value for setting is “no”.

The other possible value is “yes”.

Command example:

sudo serveradmin settings jabber:s2sRestrictDomains = "yes"

b. Create the list of allowed domains.

sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = create
sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = "domain name"
sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = create
sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = "domain name"

Command example:

sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = create
sudo serveradmin set jabber:s2sAllowedDomains:_array_id:0 = "otherserver.example.com"
sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = create
sudo serveradmin set jabber:s2sAllowedDomains:_array_id:1 = "onemore.example.com"

Log all iChat messages

Use serveradmin to configure iChat to save chat messages in a location of your choice and to specify when to archive the message log.

The iChat Server can also be configured to record all chat messages. The client recording capability is useful to the individual iChat user, while the server message logging capability is intended for administrative and auditing purposes.

Archiving saves disk space by compressing older message logs. The compressed message archives are saved indefinitely until removed by the administrator.

1. Use serveradmin via the Terminal app to change the setting.

sudo serveradmin settings jabber:enableSavedChats = "setting"

The default value for <setting> is “yes”.

The other possible value is “no”.

Command example:

sudo serveradmin settings jabber:enableSavedChats = "yes"

2. Use serveradmin via the Terminal app to set the message archive location.

sudo serveradmin settings jabber:savedChatsLocation = "filepath"

The default value for filepath is “/Library/Server/iChat/Data/message_archives”.

Command example:

sudo serveradmin settings jabber:savedChatsLocation = "/Volumes/StorageArray/iChat/Data/message_…

3. Use serveradmin via the Terminal app to define how often the messages are archived.

sudo serveradmin settings jabber:savedChatsArchiveInterval = "day_interval"

The default value for day_interval is “7”.

Command example:

sudo serveradmin settings jabber:savedChatsArchiveInterval = "14"
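As an added example that is not part of Apple's documentation, the following shell script audits the authentication method, SSL certificate, server-to-server federation and chat-logging settings from the preceding sections against their hardened values, by parsing the text that `sudo serveradmin settings jabber` prints. The two settings dumps embedded in it are constructed samples using the key names from this page; accepting `_array_index` alongside the page's `_array_id` spelling for array entries is an assumption about the output format.

```shell
#!/bin/sh
# Added audit example (not from the Lion Server documentation). It reads the text that
# `sudo serveradmin settings jabber` prints and flags the settings discussed above that
# leave chat traffic or federation weakly protected.
# Both samples below are constructed to mimic that output; real output is not shown here.

SAMPLE_WEAK='jabber:authLevel = "ANYMETHOD"
jabber:requireSecureS2S = "no"
jabber:s2sRestrictDomains = "no"
jabber:enableSavedChats = "yes"
jabber:sslCAFile = "/etc/certificates/cert.chain.pem"
jabber:sslKeyFile = "/etc/certificates/cert.concat.pem"'

SAMPLE_HARDENED='jabber:authLevel = "KERBEROS"
jabber:requireSecureS2S = "yes"
jabber:s2sRestrictDomains = "yes"
jabber:s2sAllowedDomains:_array_id:0 = "otherserver.example.com"
jabber:s2sAllowedDomains:_array_id:1 = "onemore.example.com"
jabber:enableSavedChats = "no"
jabber:sslCAFile = "/etc/certificates/cert.chain.pem"
jabber:sslKeyFile = "/etc/certificates/cert.concat.pem"'

# get_setting KEY SETTINGS_TEXT: print the unquoted value of jabber:KEY, or nothing if absent.
get_setting() {
  printf '%s\n' "$2" | awk -v key="jabber:$1 = " '
    index($0, key) == 1 {
      v = substr($0, length(key) + 1)
      gsub(/^"|"$/, "", v)
      print v
    }'
}

# count_allowed_domains SETTINGS_TEXT: number of s2sAllowedDomains entries
# (accepts the _array_id spelling used on this page and _array_index; assumption).
count_allowed_domains() {
  printf '%s\n' "$1" | grep -Ec '^jabber:s2sAllowedDomains:_array_(id|index):[0-9]+ = "' || true
}

# audit_jabber SETTINGS_TEXT: print one WARN or NOTE line per finding and return the
# number of WARN findings (0 means every check passed).
audit_jabber() {
  settings="$1"
  warns=0

  auth=$(get_setting authLevel "$settings")
  case "$auth" in
    KERBEROS) ;;
    STANDARD) echo "NOTE authLevel=STANDARD: plain auth is allowed once SSL is on; KERBEROS is the strongest option" ;;
    *) echo "WARN authLevel=${auth:-unset}: ANYMETHOD permits plain authentication without SSL"
       warns=$((warns + 1)) ;;
  esac

  if [ "$(get_setting requireSecureS2S "$settings")" != "yes" ]; then
    echo "WARN requireSecureS2S is not yes: federation peers may connect without SSL/TLS"
    warns=$((warns + 1))
  fi

  if [ "$(get_setting s2sRestrictDomains "$settings")" != "yes" ]; then
    echo "WARN s2sRestrictDomains is not yes: any XMPP domain may federate with this server"
    warns=$((warns + 1))
  elif [ "$(count_allowed_domains "$settings")" -eq 0 ]; then
    echo "WARN s2sRestrictDomains is yes but s2sAllowedDomains is empty"
    warns=$((warns + 1))
  fi

  # Server-side logs are stored unencrypted and readable by the server administrator.
  if [ "$(get_setting enableSavedChats "$settings")" = "yes" ]; then
    echo "NOTE enableSavedChats=yes: chat logs are stored unencrypted on the server"
  fi

  for key in sslCAFile sslKeyFile; do
    if [ -z "$(get_setting "$key" "$settings")" ]; then
      echo "WARN $key is unset: SSL cannot be enabled without a certificate and key file"
      warns=$((warns + 1))
    fi
  done

  return "$warns"
}

# Usage on a real server: audit_jabber "$(sudo serveradmin settings jabber)"
```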


Turn auto-buddy support on

You can configure iChat preferences so that when user accounts are added through the Server app they become buddies. When users are removed, they are deleted from the buddies list.

Use serveradmin via the Terminal app to change the setting.

sudo serveradmin settings jabber:enableAutoBuddy = "setting"

The default value for <setting> is “yes”.

The other possible value is “no”.

Command example:

sudo serveradmin settings jabber:enableAutoBuddy = "yes"

Set iChat service error log levels

Lion Server's iChat service uses syslog for logging information about the service. You use serveradmin to change the amount of information sent to the log in order to debug service issues.

The log levels add different amounts of data to the syslog. The higher the number, the more information is sent to the log:

Level name Syslog level number

EMERGENCY 0

ALERT 1

CRITICAL 2

ERROR 3

WARNING 4

NOTICE 5

INFO 6

DEBUG 7

Use serveradmin via the Terminal app to change the log level.

sudo serveradmin settings jabber:logLevel = "level"

The default value for level is “ERROR”.

The other possible values are EMERGENCY, ALERT, CRITICAL, WARNING, NOTICE, INFO, and DEBUG.

Command example:

sudo serveradmin settings jabber:logLevel = "DEBUG"

Change the iChat service domain

You can change the domain that is associated with your iChat service users.

iChat requires that your host have a host name that is resolvable using DNS. This host name is used as the Jabber realm by the iChat Server, and clients use this realm to connect to the service.

Clients use a Jabber Identifier (JID) to authenticate and interact with the server. The JID uses the format user@realm (for example, [email protected]). In this example, your iChat Server would be configured to host the realm chatserver.example.com.

Use serveradmin via the Terminal app to change the hosted domain.

sudo serveradmin settings jabber:hostsCommaDelimitedString = "FQDN"

The default value for FQDN is the iChat server's host name.

Command example:

sudo serveradmin settings jabber:hostsCommaDelimitedString = "newchatservername.example.com"


Use certificates to secure server-to-server iChat communication

Using serveradmin, you can secure server-to-server communication with certificates.

Lion Server includes a preinstalled, default, self-signed certificate, or you can select your own certificate. The selected certificate is used for client-to-server communications on ports 5222 and 5223 and for server-to-server communications.

Jabber provides the following ports:

5222, which accepts TLS connections if an SSL certificate is enabled

5223, which accepts legacy SSL connections if an SSL certificate is enabled

SSL encrypts your chat messages over the network between client-to-server and server-to-server connections. However, if your iChat Server is logging chat messages, your messages are stored in an unencrypted format that can be easily viewed by the server administrator. For information about message logging, see Log all iChat messages.

Requiring secure S2S restricts federation so that your iChat Server connects only with servers that support encrypted connections through SSL/TLS. Servers that don't support TLS can't communicate with your iChat Server.

This option requires a Secure Socket Layer (SSL) certificate to be installed, which is used to secure the S2S federation. For more information, see Use SSL encryption with iChat service.

1. If SSL encryption hasn't been enabled yet, use serveradmin via the Terminal app to set the certificate locations to require encryption.

sudo serveradmin settings jabber:sslCAFile = "Certificate authority pem file location"
sudo serveradmin settings jabber:sslKeyFile = "Key file pem location"

The default locations for Certificate authority pem file location and Key file pem location are “/etc/certificates/cert.chain.pem” and “/etc/certificates/cert.concat.pem”.

Command example:

sudo serveradmin settings jabber:sslCAFile = "/etc/certificates/example.private.2413CD435CEA9484…
sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/example.private.2413CD435CEA948…

2. Use serveradmin via the Terminal app to require encrypted server-to-server communication.

sudo serveradmin settings jabber:requireSecureS2S = "setting"

The default value for setting is “no”.

The other possible value is “yes”.

Command example:

sudo serveradmin settings jabber:requireSecureS2S = "yes"


Set administrative permissions for iChat

Use Server Admin to set SACL permissions for administrators to monitor and manage iChat.

1. Open Server Admin and connect to the server.

2. Click Access.

3. Click Administrators.

4. Select the level of restriction you want for the services.

To restrict access to all services, select “For all services.”

To set access permissions for individual services, select “For selected services below” and select the services from the Service list.

5. Click the Add button (+) to open the Users & Groups window.

6. Drag users and groups to the list from the Users & Groups window.

7. Set the user’s permission.

To grant administrator access, choose Administer from the Permission pop-up menu next to the user name.

To grant monitoring access, choose Monitor from the Permission pop-up menu next to the user name.

8. Click Save.

Enable file sharing for a folder

To let users access a specific folder from a computer or iOS device, you designate that folder as a shared folder.

You must enable file sharing before you can designate shared folders. Some folders are enabled as shared folders by default.


These are indicated in the main File Sharing window of Server app.

1. To add a new shared folder, click plus (+) at the bottom of the window.

2. Navigate to your chosen volume or folder.

3. Click Choose.

The folder you selected is now enabled as a shared folder. If File Sharing is off when you add a new shared folder, File Sharing will be turned on.

RELATED INFORMATION

Control access to a shared folder

Choose which kinds of computers and devices can access file shares

Enable shared home folders

Control access to a shared folder

You can enable or disable access to each shared folder listed in the File Sharing pane of Server App. You can specify which users and groups have read and write access to each shared folder and its contents. You can give access to all users with accounts on your server, or only the specific users and groups you select. You can also allow guest access for any shared folder.

Enable file sharing if it isn’t already enabled.

1. In the File Sharing pane of the Server app, select the shared folder in the list.

2. Double-click the selected folder or click the pencil icon.

3. To change the access users or groups have to a shared folder and its contents, select "Read & Write," "Read Only," "Write Only," or "No Access" next to that user or group name, then change it to the needed access level.

You can also add or delete users and groups that have access to a shared folder by clicking Add (+) or Delete (–).

4. To let users access a folder without logging in, select the checkbox labeled "Allow guest users to access this share."

The access level changes the next time the user or group connects to the shared folder.

RELATED INFORMATION

Create a user account

Kinds of permissions

Access control lists (ACLs)

Choose which kinds of computers and devices can access file shares

File sharing service in Lion Server lets you specify a protocol that other computers or devices use to access your file shares. Disabling or enabling certain protocols lets you determine which kinds of computer devices connect to your server.

Enable file sharing if it isn’t already enabled.

1. In the File Sharing pane of the Server app, select the shared folder in the list.

2. Double-click the selected folder or click the pencil icon.

3. Click to select the checkboxes for sharing with Mac, Windows, or iOS devices. To use a file share as a home folder, enable Mac or Windows as needed for the share.

You can select one or all three file sharing protocols for any share. If you don't select a protocol, the file share becomes unavailable.

Users need to log out and log in again before using the shared folder as their home folder.


RELATED INFORMATION

Enable shared home folders

Enable shared home folders

Computers on the same network as your file sharing server can use shared folders for user home folders. Designating a shared folder as a home folder causes the user's computer to connect to your file sharing server, and when the user logs in, they begin using that shared folder as their home folder.

Enable file sharing if it isn’t already enabled.

1. In the File Sharing pane of the Server app, select the shared folder in the list.

2. Double-click the folder or click the pencil icon.

3. Click to select "Make available for home directories."

4. Choose "AFP for Mac computers only" or "SMB for Mac and Windows computers," depending on the computer the users use to connect to your file sharing server.

Users must log out and log in again before using the shared folder as their home folder.

RELATED INFORMATION

Choose which kinds of computers and devices can access file shares

Permissions in the Mac OS X Lion environment

An important aspect of computer security involves granting and denying permissions. A permission is the ability to perform a specific operation, such as gaining access to data or executing code. Permissions are granted at the level of folders, files, or applications. Use the Server app to set up file service permissions.

The term privileges refers to the combination of ownership and permissions, while the term permissions refers to the permission settings that each user category can have (Read & Write, Read Only, Write Only, and None).

If you’re new to Mac OS X Lion and aren’t familiar with UNIX-based systems, there are differences in the way ownership and permissions are handled compared to Windows.

To increase security and reliability, Mac OS X Lion sets many system folders (for example, /Library/) to be owned by the root user (literally, a user named root). You can’t change or delete these files and folders unless you’re logged in as root.

Be careful—there are few restrictions on what you can do when you log in as root, and changes to system data can cause problems. An alternative to logging in as root is to use the sudo command.

Note: The Finder calls the root user system.

By default, files and folders are owned by the user who creates them. After they’re created, items keep their privileges (a combination of ownership and permissions) even when moved, unless the privileges are explicitly changed by their owner or an administrator.

Therefore, new files and folders you create aren’t accessible by users if they’re created in a folder that users don’t have privileges for. When setting up share points, make sure that items have the correct access privileges for the users you want to share them with.

Kinds of permissions

Mac OS X Lion supports two kinds of file and folder permissions:

Standard Portable Operating System Interface (POSIX) permissions

Access Control Lists (ACLs)

Standard POSIX permissions let you control access to files and folders based on three categories of users: Owner, Group, and Others. Although these permissions give you some control over who can access a file or a folder, they lack the flexibility and granularity that many organizations require in dealing with complex user environments.

This is where ACLs come in handy. An ACL provides an extended set of permissions for a file or folder, and lets you set multiple users and groups as owners. ACLs are also compatible with Windows Server 2003, Windows XP, Windows Vista, and Windows 7, giving you added flexibility in a multiplatform environment.

Standard permissions

There are four types of standard POSIX access permissions that you can assign to a share point, folder, or file: Read & Write, Read Only, Write Only, and None. The following table shows how these permissions affect user access to shared items (files, folders, and share points).

Users can                                        Read & Write   Read Only   Write Only   None
Open a shared file                               Yes            Yes         No           No
Copy a shared file                               Yes            Yes         No           No
Edit a shared file                               Yes            No          No           No
Move items to a shared folder or share point     Yes            No          Yes          No
Move items from a shared folder or share point   Yes            No          No           No

Note: WebDAV has separate permissions settings.

Explicit permissions

Share points and the shared items they contain (including folders and files) have separate permissions. If you move an item to a different folder, it keeps its permissions and doesn’t adopt the permissions of the folder where you moved it.

In the following illustration, the second folder (Designs) and the third folder (Documents) were assigned permissions different from those of their parent folders:
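The illustration is not reproduced here. As an added shell example that is not part of the documentation, the following function demonstrates the same point on any UNIX-like system: a file given its own mode inside a private folder keeps that mode after being moved into a folder with more permissive settings. The scratch directory and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Lion Server documentation): an item keeps its own
# permissions when moved; it does not adopt those of the destination folder.
# Everything happens inside a scratch directory under ${TMPDIR:-/tmp}.

# moved_item_mode: create report.txt with mode 0640 inside a 0700 folder, move it into a
# 0755 folder, and print the file's mode string afterwards (expected: -rw-r-----).
moved_item_mode() {
  scratch=$(mktemp -d "${TMPDIR:-/tmp}/perm-demo.XXXXXX") || return 1
  mkdir -m 700 "$scratch/Private"         # restrictive parent: owner only
  mkdir -m 755 "$scratch/Shared"          # permissive parent: others may list and read
  : > "$scratch/Private/report.txt"
  chmod 640 "$scratch/Private/report.txt" # explicit permissions on the item itself
  mv "$scratch/Private/report.txt" "$scratch/Shared/report.txt"
  mode=$(ls -ld "$scratch/Shared/report.txt" | cut -c1-10)
  rm -rf "$scratch"
  printf '%s\n' "$mode"
}

# folder_mode_after_move: the destination folder's own mode is likewise untouched by
# the move (expected: drwxr-xr-x).
folder_mode_after_move() {
  scratch=$(mktemp -d "${TMPDIR:-/tmp}/perm-demo.XXXXXX") || return 1
  mkdir -m 700 "$scratch/Private"
  mkdir -m 755 "$scratch/Shared"
  : > "$scratch/Private/report.txt"
  chmod 640 "$scratch/Private/report.txt"
  mv "$scratch/Private/report.txt" "$scratch/Shared/report.txt"
  mode=$(ls -ld "$scratch/Shared" | cut -c1-10)
  rm -rf "$scratch"
  printf '%s\n' "$mode"
}
```

Because the moved file is still 0640, members of Others can list the Shared folder but cannot open report.txt, which is exactly the share-point pitfall the surrounding text warns about.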

The user categories Owner, Group, and Others

You can assign standard POSIX access permissions separately to three categories of users:

Owner—A user who creates an item (file or folder) on the file server is its owner and automatically has Read & Write permissions for that folder. By default, the owner of an item and the server administrator are the only users who can change its access privileges (but you can enable a group or others to use the item). The administrator can also transfer ownership of the shared item to another user.

Note: When you copy an item to a drop box on a Mac file server, ownership of the item doesn’t change. Only the owner of the drop box or root has access to its contents.

Group—You can put users who need the same access to files and folders in group accounts. Only one group can be assigned access permissions to a shared item. For more information about creating groups, search Help for Users & Groups.

Others—Others is any user (registered user or guest) who can log in to the file server.


Hierarchy of permissions

If a user is included in more than one category of users, each of which has different permissions, these rules apply:

Group permissions override Others permissions.

Owner permissions override Group permissions.

For example, when a user is the owner of a shared item and a member of the group assigned to it, the user has the permissions assigned to the owner.

The more restrictive permissions always take precedence. For example, if a user belongs to a group that has No Access assigned to an item while the Others permissions are set to Read & Write access, the item with No Access privilege overrides the Others setting, denying the user access to the item.

Client users and permissions

Users of AppleShare Client software can set access privileges for files and folders they own. Users who use Windows file sharing services can also set access privileges.

Standard permission propagation

The Server app lets you specify which standard permissions to propagate. For example, you can propagate only the permission for Others to all descendants of a folder and leave the permissions for Owner and Group unchanged. For more information, see Propagate access permissions.

Access control lists (ACLs)

When standard POSIX permissions aren’t enough, use access control lists (ACLs). An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user and how these permissions are propagated throughout a folder hierarchy.

ACLs in Mac OS X Lion let you set file and folder access permissions for multiple users and groups in addition to standard POSIX permissions. This makes it easy to set up collaborative environments with smooth file sharing and uninterrupted workflows, without compromising security.

ACLs provide an extended set of permissions for a file or folder, to give you more granularity when assigning privileges than standard permissions would provide. For example, rather than giving a user full write permissions, you can restrict him or her to create only folders and not files.

Only the Mac OS Extended volume format provides local file system support for ACLs. In addition, only the SMB and AFP protocols provide network file system support for ACLs in Windows and Apple networks, respectively.

Apple’s ACL model supports 13 permissions for controlling access to files and folders, as described in the following table.

Permission name                     Type            Description
Change Permissions                  Administration  User can change standard permissions.
Take Ownership                      Administration  User can change the file’s or folder’s ownership to himself or herself.
Read Attributes                     Read            User can view the file’s or folder’s attributes (for example, name, date, and size).
Read Extended Attributes            Read            User can view the file’s or folder’s attributes added by third-party developers.
List Folder Contents (Read Data)    Read            User can list folder contents and read files.
Traverse Folder (Execute File)      Read            User can open subfolders and run a program.
Read Permissions                    Read            User can view the file’s or folder’s standard permissions using the Get Info or Terminal commands.
Write Attributes                    Write           User can change the file’s or folder’s standard attributes.
Write Extended Attributes           Write           User can change the file’s or folder’s other attributes.
Create Files (Write Data)           Write           User can create files and change files.
Create Folder (Append Data)         Write           User can create subfolders and add data to files.
Delete                              Write           User can delete a file or folder.
Delete Subfolders and Files         Write           User can delete subfolders and files.

In addition to these permissions, the Apple ACL model defines four types of inheritance that specify how these permissions are propagated:

Apply to this folder: Apply (Administration, Read, and Write) permissions to this folder.

Apply to child folders: Apply permissions to subfolders.

Apply to child files: Apply permissions to the files in this folder.

Apply to all descendants: Apply permissions to descendants. To learn how this option works with the previous two, see Access control entries (ACEs).

The ACL use model

The ACL use model focuses on access control at the folder level, with most ACLs applied to files as the result of inheritance.

Folder-level control determines which users have access to the contents of a folder. Inheritance determines how a defined set of permissions and rules pass from the container to the objects in it.

Without this model, administration of access control would quickly become a nightmare, because you would need to create and manage ACLs on thousands or millions of files.

Controlling access to files through inheritance also frees applications from maintaining extended attributes or explicit ACEs when saving a file, because the system applies inherited ACEs to files. For information about explicit ACEs, see Access control entries (ACEs).

ACLs and standard permissions

You can set ACL permissions for files and folders in addition to standard permissions. For more information about how Mac OS X Lion uses ACL and standard permissions to determine what users can and cannot do to a file or folder, see Access control entries (ACEs).

ACL management

In Mac OS X Lion, you create and manage ACLs in the Server app. The Get Info window in the Finder displays the logged-in user’s effective permissions. For information about setting up and managing ACLs, see Set folder access permissions and Control access to a shared folder.

In addition to using the Server app to set and view ACL permissions, you can also use the ls and chmod command-line tools. For information, see their man pages.

You define ACLs for share points, files, and folders using the Server app.

Access control entries (ACEs)

An ACE is an entry in an ACL that specifies, for a group or a user, access permissions to a file or folder and the rules of inheritance.

What’s stored in an ACE

An ACE contains the following fields:

User or Group. An ACE stores a universally unique ID for a group or user, which permits unambiguous resolution of identity.

Type. An ACE supports two permission types, Allow and Deny, which determine whether permissions are granted or denied.

In the Server app, you can only set the Allow permissions type. You can use the ls and chmod command-line tools to set the Deny permissions type. For information, see their man pages.

Permission. This field stores the settings for the 13 permissions supported by the Apple ACL model.


Inherited. This field specifies whether the ACE is inherited from the parent folder.

Applies To. This field specifies what the ACE permission is for.

Explicit and inherited ACEs

The Server app supports two types of ACEs:

Explicit ACEs, which are those you create in an ACL. See Set folder access permissions.

Inherited ACEs, which are ACEs you created for a parent folder that were inherited by a descendant file or folder.

Note: Inherited ACEs cannot be edited unless you make them explicit.

Understanding inheritance

ACL inheritance lets you specify how permissions pass from a folder to its descendants.

The Apple ACL inheritance model

The Apple ACL inheritance model defines four options that you select or deselect in the Server app to control the application of ACEs (in other words, how to propagate permissions through a folder hierarchy):

Inheritance option: Description
Apply to this folder: Apply (Administration, Read, and Write) permissions to this folder.
Apply to child folders: Apply permissions to subfolders.
Apply to child files: Apply permissions to the files in this folder.
Apply to all descendants: Apply permissions to all descendants.

Note: If you want an ACE to apply to all descendants without exception, you must select the “Apply to child folders” and “Apply to child files” options in addition to this option.

Mac OS X Lion propagates ACL permissions at two well-defined times:

At file or folder creation time—when you create a file or folder, the kernel determines what permissions the file or folder inherits from its parent folder.

When initiated by administrator tools—for example, when using the Propagate Permissions option in the Server app.

The following figure shows how the Server app propagates two ACEs (managers and design_team) after ACE creation. Bold text represents an explicit ACE and regular text represents an inherited ACE.

ACL inheritance combination

When you set inheritance options for an ACE in the Server app, you can choose from 12 unique inheritance combinations for propagating ACL permissions.

Figure: the 12 inheritance combinations, each shown as a selection of the options Apply to this folder, Apply to child folders, Apply to child files, and Apply to all descendants.

ACL permission propagation

The Server app lets you force the propagation of ACLs. Although this is done automatically by the Server app, there are cases when you might want to manually propagate permissions:

You can propagate permissions to handle exceptions. For example, you might want ACLs to apply to all descendants except for a subtree of your folder hierarchy. In this case, you define ACEs for the root folder and set them to propagate to descendants. Then, you select the root folder of the subtree and propagate permissions to remove the ACLs from descendants of that subtree.

In the following example, the items in white had their ACLs removed by manually propagating ACLs.

You can propagate permissions in order to reapply inheritance in cases where you removed a folder’s ACLs and decided to reapply them.

You can propagate permissions to clear all ACLs at once instead of going through a folder hierarchy and manually removing ACEs.

When you propagate permissions, the permissions of bundles and root-owned files and folders aren’t changed.

For more information about how to manually propagate permissions, see Propagate access permissions.

Rules of precedence

Mac OS X Lion uses the following rules to control access to files and folders:


Without ACEs, POSIX permissions apply. If a file or folder has no ACEs defined for it, Mac OS X Lion applies standard POSIX permissions.

With ACEs, order is important. If a file or folder has ACEs defined for it, Mac OS X Lion starts with the first ACE in the ACL and works its way down the list until the requested permission is satisfied or denied.

You can change the ACE order from the command line using the chmod command.

Allow permissions are cumulative. When evaluating Allow permissions for a user in an ACL, Mac OS X Lion defines the user’s permissions as the union of all permissions assigned to the user, including standard POSIX permissions.

After evaluating ACEs, Mac OS X Lion evaluates the standard POSIX permissions defined for the file or folder. Then, based on the evaluation of ACL and standard POSIX permissions, Mac OS X Lion determines the type of access a user has to a shared file or folder.
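The inheritance model and the rules of precedence above, carried into a small simulation. This is an added example written for this page, not Apple’s code or anything shipped with Lion Server; the mapping of the 13 ACL permissions onto POSIX r/w/x bits in the fallback, the sample folder tree, and the Teachers/Anne scenario are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from itertools import product

# The 13 permissions of the Apple ACL model, grouped by type as in the table.
PERMISSIONS = {
    "Administration": frozenset({"Change Permissions", "Take Ownership"}),
    "Read": frozenset({"Read Attributes", "Read Extended Attributes",
                       "List Folder Contents", "Traverse Folder", "Read Permissions"}),
    "Write": frozenset({"Write Attributes", "Write Extended Attributes", "Create Files",
                        "Create Folder", "Delete", "Delete Subfolders and Files"}),
}

# The four inheritance options of the Server app, as booleans; a user is a name plus groups.
Inherit = namedtuple("Inherit", "this_folder child_folders child_files all_descendants")
User = namedtuple("User", "name groups")

@dataclass(frozen=True)
class ACE:
    principal: str      # user or group name (a real ACE stores a UUID)
    allow: bool         # True = Allow, False = Deny
    perms: frozenset    # subset of the 13 permissions
    inherit: Inherit

@dataclass
class Item:
    owner: str
    group: str
    mode: str    # POSIX bits as `ls -l` prints them, e.g. "rwxr-x---"
    acl: list    # ordered ACEs; the first entry is evaluated first

def inherits_ace(inh, path):
    """Does the item reached from the ACE's folder via `path` (a list of
    "folder"/"file" kinds, [] meaning the folder itself) receive the ACE?
    Only folders pass an ACE further down, and only if all_descendants is set."""
    if not path:
        return inh.this_folder
    for depth, kind in enumerate(path):
        is_last = depth == len(path) - 1
        if kind == "file":
            return is_last and inh.child_files
        if not inh.child_folders or (not is_last and not inh.all_descendants):
            return False
    return True

# Constructed sample tree: the folder itself, a child file and folder, and their children.
SAMPLE_PATHS = ([], ["file"], ["folder"], ["folder", "file"], ["folder", "folder"])

def distinct_inheritance_behaviours():
    """The 16 flag settings yield only 12 behaviours, because all_descendants
    changes nothing unless child_folders is set (2**13 * 12 = 98,304)."""
    seen = {tuple(inherits_ace(Inherit(*f), p) for p in SAMPLE_PATHS)
            for f in product([False, True], repeat=4)}
    return len(seen)

def posix_allows(item, user, perm):
    """Standard-permission fallback. Assumption of this example: Read maps to r
    (Traverse Folder to x), Write to w, Administration is owner-only like chmod."""
    ptype = next(t for t, ps in PERMISSIONS.items() if perm in ps)
    if ptype == "Administration":
        return user.name == item.owner
    bit = "x" if perm == "Traverse Folder" else "r" if ptype == "Read" else "w"
    if user.name == item.owner:
        bits = item.mode[0:3]
    elif item.group in user.groups:
        bits = item.mode[3:6]
    else:
        bits = item.mode[6:9]
    return bit in bits

def is_allowed(item, user, perm):
    """Rules of precedence: the first ACE naming the user (or one of the user's
    groups) and the requested permission decides, so an early Deny beats later
    Allows; whatever no ACE settles falls through to POSIX (cumulative Allows)."""
    for ace in item.acl:
        if perm in ace.perms and ace.principal in (user.name, *user.groups):
            return ace.allow
    return posix_allows(item, user, perm)

def demo():
    """Constructed scenario from the tips: Teachers get Read and Write on a share
    point; a subfolder lists a Deny for one teacher first, another lists it last."""
    everywhere = Inherit(True, True, True, True)
    teachers_rw = ACE("teachers", True, PERMISSIONS["Read"] | PERMISSIONS["Write"], everywhere)
    deny_anne = ACE("anne", False, frozenset({"List Folder Contents"}), everywhere)
    anne = User("anne", frozenset({"teachers"}))
    bob = User("bob", frozenset({"teachers"}))
    guest = User("guest", frozenset())
    share = Item("root", "admin", "rwxr-x---", [teachers_rw])
    folder = Item("root", "admin", "rwxr-x---", [deny_anne, teachers_rw])
    allow_first = Item("root", "admin", "rwxr-x---", [teachers_rw, deny_anne])
    return {
        "anne_lists_folder": is_allowed(folder, anne, "List Folder Contents"),
        "anne_still_creates_files": is_allowed(folder, anne, "Create Files"),
        "bob_lists_folder": is_allowed(folder, bob, "List Folder Contents"),
        "anne_lists_if_allow_first": is_allowed(allow_first, anne, "List Folder Contents"),
        "guest_reads_via_posix": is_allowed(share, guest, "Read Attributes"),
        "deny_reaches_subfile": inherits_ace(deny_anne.inherit, ["folder", "file"]),
    }
```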

Permissions in practice

Mac OS X Lion combines traditional POSIX permissions with ACLs. This combination provides great flexibility and fine granularity in controlling access to files and folders. However, if you’re not careful in how you assign privileges, it may be hard for you to keep track of how permissions are assigned.

With 17 permissions, you can choose from a staggering 98,304 combinations. Add to that a sophisticated folder hierarchy, many users and groups, and many exceptions, and you have a recipe for considerable confusion.

The following are useful tips and advice to help you get the most out of access control in Mac OS X Lion.

Manage permissions at the group level

Assign permissions to groups first, and assign permissions to individual users only when there is an exception.

For example, you can assign all teachers in a school district Read and Write permissions to a specific share point, but deny Anne Johnson, a temporary teacher, permission to read a specific folder in the share point’s folder hierarchy.

Using groups is the most efficient way of assigning permissions. After creating groups and assigning them permissions, you can add or remove users without reassigning permissions.

Gradually add permissions

Assign only necessary permissions and then add permissions only when needed. As long as you use Allow permissions, Mac OS X Lion combines the permissions.

For example, you can assign the Students group partial reading permissions on an entire share point. Then, where needed in the folder hierarchy, you can give the group more read and write permissions.

Use the deny rule only when necessary

When Mac OS X Lion encounters a Deny permission, it stops evaluating other permissions the user might have for a file or folder and applies the Deny permission. Therefore, use Deny permissions only when absolutely necessary. Keep a record of these Deny permissions so you can delete them when they aren’t needed.

Always propagate permissions

Inheritance is a powerful feature, so take advantage of it. By propagating permissions down a folder hierarchy, you save yourself the time and effort required to manually assign permissions to descendants.

Protect applications from being modified

If you share applications, make sure you set their permissions so that no one except a trusted few can change them. This is a vulnerability that attackers can exploit in order to introduce viruses or Trojan horses in your environment.

Keep it simple

You can complicate file access management unnecessarily, if you’re not careful. Keep it simple. If standard POSIX permissions do the job, use those, but if you must use ACLs, avoid customizing permissions if you don’t need to.

Use simple folder hierarchies if feasible. A little strategic planning can help you create effective and manageable shared hierarchies.


Security considerations

The most effective method of securing your network is to assign correct privileges for each file, folder, and share point you create.

Restricting access to file services

You can use the Server app to restrict which users or groups have access to files, folders, and share points.

Restricting access to everyone

Be careful when creating and granting access to share points, especially if you’re connected to the Internet. Granting access to Everyone could expose your data to anyone on the Internet.

Restricting guest access

When you configure any file service, you can turn on guest access. Guests are users who connect to the server anonymously without entering a user name or password. Users who connect anonymously are restricted to files and folders that have privileges set to Everyone.

To protect your information from unauthorized access, and to prevent people from introducing software that might damage your information or equipment, take the following precautions by using File Sharing in the Server app:

Depending on the controls you want to place on guest access to a share point, consider the following options:

Set privileges for Everyone to None for files and folders that guests shouldn’t access. Items with this privilege setting can be accessed only by the item’s owner or group.

Put all files available to guests in one folder or set of folders and then assign the Read Only privilege to the Everyone category for that folder and each file in it.

Assign Read & Write privileges to the Everyone category for a folder only if guests must be able to change or add items in the folder. Make sure you keep a backup copy of information in this folder.

Disable access to guests or anonymous users over AFP and SMB.

Share individual folders instead of entire volumes. The folders should contain only those items you want to share.

Set folder access permissions

You can set file and folder access permissions with the Server app. Mac OS X Lion provides two ways to control access to files and folders: standard permissions and ACL permissions. Standard permissions provide basic control. ACL permissions provide more flexibility and control, but are more complex.

Set standard permissions

You can use the Server app to set standard permissions—Read & Write, Read Only, Write Only, or None—to control access to a folder and its contents. You can set different permissions for one user (the owner), one group, and all other users who log in. You can also set standard permissions on individual files. Standard permissions are also called POSIX permissions.

1. In the Server app sidebar, select the server and then click Storage.

2. Select the folder whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.

3. To grant access to a different user, double-click the current user name and enter a different user account name.

As you type, the Server app looks up matching user accounts and displays them in a list. Clicking a listed user grants access permissions to that user.

4. To grant access to a different group, double-click the current group name and type the name of the new group.

As you type, the Server app looks up matching group accounts and displays them in a list. Clicking a listed group grants access permissions to it.

5. To change the permission level for the user, group, or others, click the current setting in the Permission column and choose a setting from the pop-up menu.

The permission level you set for Others applies to any user who logs in but isn’t the specified user or a member of the specified group.

Set ACL permissions

You can use the Server app to set ACL permissions for a folder or a file. An ACL consists of Access Control Entries (ACEs), which you can add and change.

Each entry applies to a specific user or group. For each entry, you can set 13 permissions, giving you much finer control over access than you have with standard permissions. For example, entries in an ACL can grant delete permission separately from write permission, so a user can edit a file but can’t delete it.

The first entry in the list takes precedence over the second, which takes precedence over the third, and so on. For example, if the first entry denies a user the right to edit a file, other entries that allow the same user editing permissions are ignored. The entries in the ACL also take precedence over standard permissions.

1. In the Server app sidebar, select the server and then click Storage.

2. Select the folder or file whose access permissions you want to change, then choose Edit Permissions from the Action pop-up menu.

3. To add an entry, click the Add button (+) and enter the name of the user or group you want to set specific access permissions for.

As you type, the Server app looks up matching user and group accounts and displays them in a list. Clicking a user or group grants access permissions to the user or group.

4. To change the permission level for an entry, click the current setting in the Permission column and choose a setting from the pop-up menu.

Choice: Description
Full Control: Has full administration, read, write, and inheritance permissions.
Read & Write: Has full read, write, and inheritance permissions.
Read: Has full read and inheritance permissions.
Write: Has full write and inheritance permissions.
Custom: Doesn’t have full administration, read, write, or inheritance permissions.

By default, each new entry has full read and inheritance permissions.

5. To change detailed permission settings for an entry, click the disclosure triangle next to the entry, optionally click the additional disclosure triangles that appear, and select or deselect permission settings.

For information about the detailed permission settings, see Access control lists (ACLs) and Access control entries (ACEs).

RELATED TOPIC

Remove an ACL entry

Propagate access permissions

You can use the Server app to propagate a folder’s permissions to all the folders and files it contains. You can specify which standard permissions to propagate: owner name, group name, owner permissions, group permissions, and permissions for others. You can propagate a folder’s complete ACL, but you can’t propagate individual entries that constitute the ACL.

1. In the Server app sidebar, select the server and then click Storage.

2. Select the folder whose access permissions you want to propagate, and then choose Propagate Permissions from the Action pop-up menu.

3. Select the permissions you want to propagate, and then click OK.

Important: Propagation begins as soon as you click OK, and you can’t undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.

RELATED TOPICS

Remove a folder’s inherited ACL entries

Remove an ACL entry

Remove an ACL entry

You can use the Server app to remove ACL permission entries you’ve added. Each entry defines a user’s or group’s access permission to a folder or file.

1. In the Server app sidebar, select the server and then click Storage.

2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.

3. To remove an entry from the permission list, select the entry and click the Delete button (–).

RELATED TOPIC

Set folder access permissions

Sort an ACL canonically

When sorting an ACL canonically, the Server app first lists all entries that deny permission, then the entries that grant permission. ACL entries that deny permission have a permission type of Deny. Entries that grant permission have a permission type of Allow.

All ACL entries created with the Server app are the Allow type. Permissions of the Deny type can exist on disks used with Mac OS X v10.6 or earlier. Permissions of the Deny type can be created on Lion Server disks by using the chmod command-line tool. For information about chmod, see its man page.

1. In the Server app sidebar, select the server, and then click Storage.

2. Select the folder or file whose ACL list you want to sort, and then choose Edit Permissions from the Action pop-up menu.

3. Choose “Sort Access Control List Canonically” from the Action pop-up menu in the Edit Permissions dialog.

RELATED TOPIC

Set folder access permissions

Remove a folder’s inherited ACL entries

If you don’t want inherited ACL entries to apply to a folder or file, you can remove those entries using the Server app.

Unlike explicit ACL entries, inherited ACL entries appear dimmed in the Server app’s dialog for editing access permissions.

1. In the Server app sidebar, select the server and then click Storage.

2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.


3. Choose “Remove Inherited Entries” from the Action pop-up menu in the Edit Permissions dialog.

RELATED TOPICS

Apply ACL inheritance to folders and files

Make inherited ACL entries explicit

Set folder access permissions

Make inherited ACL entries explicit

If you want to change inherited ACL entries for a folder or file, you must make the inherited entries explicit.

1. In the Server app sidebar, select the server and then click Storage.

2. Select the folder or file whose access permissions you want to change, and then choose Edit Permissions from the Action pop-up menu.

3. Choose “Make Inherited Entries Explicit” from the Action pop-up menu in the Edit Permissions dialog.

You can now edit the ACL entries.

RELATED TOPICS

Remove a folder’s inherited ACL entries

Set folder access permissions

Apply ACL inheritance to folders and files

If you removed all the ACL entries from a folder or file and want to restore inherited entries, you can use the Server app to propagate the parent folder’s ACL. All descendants of the parent folder inherit the propagated ACL.

1. In the Server sidebar, select the server and then click Storage.

2. Select the parent folder of the item whose ACL inheritance you want to restore, and then choose Propagate Permissions from the Action pop-up menu.

3. Select the Access Control List option, deselect all other options, and then click OK.

Important: Propagation begins as soon as you click OK, and you can’t undo propagation. Before clicking OK, make sure you select the folder and permission settings you intend.

RELATED TOPIC

Remove a folder’s inherited ACL entries

Common folder permissions

When sharing files and folders between computers, you can set custom permissions to grant or restrict access to those files and folders.

Before you begin setting custom file and folder permissions, you might want to investigate how the file and folder are to be shared, who has access, and what type of access you want users to have. A recommended way to manage file and folder permissions is to create groups of users who share the same privileges.

Depending on your network environment, you can use standard permissions (also referred to as POSIX permissions), ACLs, or both to manage file or folder access.

The following table shows examples of the standard permissions and ACL permissions necessary to configure some common folder-sharing settings.

Folder: Drop box
ACL (Everyone): Permission Type: Allow. Select the following checkboxes: Traverse Folder, Create Files, Create Folder, and all inheritance options.
POSIX: Owner: read, write, execute. Group: read, write, execute. Other: write. Set the owner to root and set the group to admin.

Folder: Backup share
ACL (Everyone): Permission Type: Allow. Select the following checkboxes: List Folder Contents, Create Files, Create Folder.
POSIX: Owner: read, write, execute. Group: read, write, execute. Other: no permissions. Set the owner to root and set the group to admin.

Folder: Home folder
ACL (Everyone): Permission Type: Deny. Select the following checkboxes: Delete, Apply to this folder, Apply to all descendants.
POSIX: Owner: read, write, execute. Group: read only. Other: read only.

Mail service architecture

Mail service in Mac OS X Lion allows network users to send and receive mail over your network or across the Internet.

Mail service sends and receives mail using the following standard Internet mail protocols:

Simple Mail Transfer Protocol (SMTP)

Internet Message Access Protocol (IMAP)

Post Office Protocol (POP)

A standard mail client setup uses SMTP to send outgoing mail and POP and IMAP to receive incoming mail. Mac OS X Lion includes an SMTP service and a combined POP and IMAP service.

Mail service also uses a Domain Name System (DNS) service to determine the destination IP address of outgoing mail.

The following image gives an overview of how the components of Mac OS X Lion Mail service interact:


Mail transfer agent (MTA)


Mac OS X Lion uses Postfix as its mail transfer agent (MTA). Postfix fully supports SMTP. Your mail users set their mail application’s outgoing mail server to your Mac OS X Lion running Postfix.

Postfix is easy to administer. Its basic configuration can be managed through Server Admin and therefore it does not rely on editing the configuration file.

Postfix uses multiple layers of defense to protect the server computer from intruders:

There is no direct path from the network to the security-sensitive local delivery tools.

Postfix does not trust the contents of its queue files or the contents of its IPC messages.

Postfix filters sender-provided information before exporting it via environment variables.

Nearly every Postfix application can run with fixed low privileges and no ability to change ID, run with root privileges, or run asany other user.

Postfix uses the configuration files main.cf and master.cf in /etc/postfix/. When Server Admin modifies Postfix settings, it overwrites the main.cf file.

If you make a manual change to the configuration file of Postfix, Server Admin overwrites your changes the next time you use it to modify the Mail service configuration.

The spool files for Postfix are located in /Library/Server/Mail/Data/spool/ and the log file is /var/log/mail.log. For more information about Postfix, see www.postfix.org.

If you use another MTA (such as Sendmail), you can’t configure Mail service with Mac OS X administration tools.

To use Sendmail instead of Postfix, disable the current SMTP service through Postfix, then install and configure Sendmail. For more information about Sendmail, see www.sendmail.org.

Mail screening


After a mail delivery connection is made and the message is accepted for local delivery (relayed mail is not screened), the mail server can screen it before delivery.

Mac OS X Lion uses SpamAssassin (from spamassassin.apache.org) to analyze the text of a message, and gives it a probability rating for being junk mail. No junk mail filter is 100% accurate in identifying unwanted mail. For this reason the junk mail filter in Mac OS X Lion doesn’t delete or remove junk mail from being delivered. Instead, it marks the mail as potential junk mail.

The user can then decide if it’s really unsolicited commercial mail and deal with it accordingly. Many mail clients use the ratings that SpamAssassin adds as a guide in classifying mail for the user.

Mac OS X Lion uses ClamAV (from www.clamav.net) to scan mail messages for viruses. If a suspected virus is found, you can deal with it in several ways. The virus definitions are kept up to date (if enabled) via the Internet using a process called freshclam.

RELATED INFORMATION

Mail service filtering

Where mail is stored

Mail is stored in an outgoing queue awaiting transfer to a remote server or in a local mail store accessible by local mail users.

Outgoing mail location

By default, outgoing mail messages are stored in the spool directory /Library/Server/Mail/Data/spool/ on the startup disk.

This location is temporary, and the mail is stored until it’s transferred to the Internet. These locations can be moved to any accessible volume if you create a symbolic link to the new location.

Incoming mail location

Mail service stores each message as a separate file in a mail folder for each user. Incoming mail is stored on the startup disk in /Library/Server/Mail/Data/mail/.

You can change the location of mail folders and indexes to another folder, disk, or disk partition. You can even specify a shared volume on another server as the location of the mail folder, although using a shared volume negatively affects performance.

For remotely mounted file systems, NFS isn’t recommended. The incoming mail remains on the server until deleted by a mail user agent (MUA).

Mail storage can also be split across multiple partitions or stored on an Xsan cluster. This can be done to scale Mail service or to facilitate data backup.

RELATED INFORMATION

Set up mail server clustering with Xsan

Local delivery agent (LDA)

Mail is transferred from incoming mail storage to the mail recipient’s inbox by a local delivery agent (LDA). The LDA handles localdelivery, making mail accessible by the user’s mail application.

Two protocols are available from the Mac OS X LDA: POP and IMAP. Mac OS X Lion uses Dovecot to provide POP and IMAP service. Your mail users set their mail application’s incoming mail server to your Mac OS X Lion running Dovecot.

More information about Dovecot can be found at http://www.dovecot.org/.

Dovecot

Dovecot is an open-source enterprise mail system for use in small to large enterprise environments. Dovecot developers have focused on security, scalability, and ease of administration.

Each message is stored as a separate file in a mail folder for each user. This design gives the server advantages in efficiency, scalability, and administration. User access to mail is primarily through software using IMAP or POP3.


Dovecot uses the configuration files /etc/dovecot/dovecot.conf and /etc/dovecot/conf.d/*. Server Admin uses the files in /etc/dovecot/default/. Dovecot logs its events in /var/log/mailaccess.log. The Dovecot mail store is located in /Library/Server/Mail/Data/mail/.

The Dovecot delivery application receives mail from the Postfix delivery agent and stores the mail in user spool files in /Library/Server/Mail/Data/mail/GUID, where GUID is the Globally Unique ID (GUID) of the mail user. The user can then use IMAP or POP to retrieve messages.

After receiving mail from external MTAs, you can apply virus filtering or junk mail filtering to the messages. Mac OS X Lion uses ClamAV and SpamAssassin for these tasks.

Internet Message Access Protocol (IMAP)

IMAP is the solution for people who use more than one computer to receive mail. IMAP is a client-server mail protocol that allows users to access mail from anywhere on the Internet.

With IMAP, a user’s mail is delivered to the server and stored in a remote mailbox on the server. To users, mail appears as if it were on the local computer.

A key difference between IMAP and POP is that with IMAP the mail isn’t removed from the server until the user deletes it.

The IMAP user’s computer can ask the server for message headers, ask for the bodies of specified messages, or search for messages that meet certain criteria. These messages are downloaded as the user opens them.

IMAP connections are persistent and remain open, maintaining a load on the server and possibly the network as well.

Post Office Protocol (POP)

POP is used only for receiving mail, not for sending mail.

The POP service is like a post office, storing mail and delivering it to a specific address. Mail service stores incoming POP mail until users connect to Mail service and download their waiting mail.

After a user’s computer downloads POP mail, the mail is stored only on the user’s computer. The user’s computer disconnects from Mail service, and the user can read, organize, and reply to the received POP mail.

An advantage of using POP is that your server doesn’t need to store mail that users have downloaded. Therefore, your serverdoesn’t need as much storage space as it would using IMAP.

However, because the mail is removed from the server, if the user’s computer sustains damage and loses mail files, there’s noway to recover these files without using data backups.

Another advantage of POP is that POP connections are transitory. After mail is transferred, the connection is dropped and the loadon the network and mail server is removed.

POP isn’t the best choice for users who access mail from more than one computer, such as a home computer, an office computer,and a laptop while on the road. When a user retrieves mail via POP, the mail is downloaded to the user’s computer and is usuallyremoved from the server. If the user logs in later from a different computer, the user can’t see previously downloaded mail.

RELATED INFORMATION

Mail screening

User interaction with Mail service

Mail is delivered to its final recipient using a mail user agent (MUA). MUAs are usually referred to as mail clients or mail applications. These mail clients often run on the user’s local computer.

Each user’s mail application must be configured to send messages to the outgoing server and receive messages from the incoming server. These configurations can affect your server’s processing load and available storage space. Users can also access mail through Webmail.

Use network services with Mail service

Mail service makes use of network services to ensure delivery of mail.

Page 376: Lion Server_ Advanced Administration

Before sending mail, your Mail service will probably have a DNS service determine the Internet Protocol (IP) address of the destination.

The DNS service is necessary because people typically address their outgoing mail by using a domain name, such as example.com, rather than an IP address, such as 198.162.12.12. To send an outgoing message, Mail service must know the IP address of the destination. Mail service relies on a DNS service to look up domain names and determine the corresponding IP addresses. The DNS service can be provided by your ISP or by Lion Server.

Additionally, a mail exchange (MX) record can provide redundancy by listing an alternate mail host for a domain. If the primary mail host isn’t available, the mail can be sent to the alternate mail host. An MX record can list several mail hosts, each with a priority number. If the lowest priority host is busy, mail can be sent to the host with the next lowest priority, and so on.

Without a properly configured MX record in DNS, mail might not reach your intended server.

How Mail service uses DNS

The sending server reads the mail recipient’s domain name (what comes after the @ in the To address).

The sending server looks up the MX record for that domain name to find the receiving server.

If the MX record is found, the message is sent to the receiving server.

If the lookup fails to find an MX record for the domain name, the sending server assumes that the receiving server has the same name as the domain name, so the sending server does an Address (A) lookup on that domain name and attempts to send the message there.
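The lookup sequence above, written out as an added example (not code from Lion Server, Postfix, or this guide). It uses a constructed in-memory zone in place of a real resolver so it runs offline; the hostnames, addresses, and the "busy host" marker are assumptions. It generalizes the text's single case to any number of MX hosts, trying them in priority order and falling back to the domain's own A record only when the domain has no MX record at all, which is the situation the text warns about when MX records are missing or wrong.

```python
"""MX-record resolution as the section describes it: lowest-priority mail
exchanger first, the rest in order, and an A-record fallback on the domain
name itself when no MX record exists.

Added illustration, not Lion Server or Postfix code. ZONE is a constructed
stand-in for DNS so the example runs offline.
"""

# Constructed zone data (hypothetical names and addresses).
# MX entries are (priority, host); lower priority numbers are preferred.
ZONE = {
    "example.com": {
        "MX": [(20, "backup.example.com"), (10, "mail.example.com")],
        "A": ["198.51.100.10"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "backup.example.com": {"A": ["198.51.100.26"]},
    # A domain with no MX record: the sender must fall back to its A record.
    "nomx.example": {"A": ["203.0.113.7"]},
}


def lookup(name, rtype, zone=ZONE):
    """Return the records of type rtype for name, or [] if none exist."""
    return list(zone.get(name.lower(), {}).get(rtype, []))


def mail_hosts_for(address, zone=ZONE):
    """Candidate delivery hosts for an address, most preferred first.

    Steps from the text: take the domain after '@', look up its MX records,
    sort by priority number, and if there are none, treat the domain name
    itself as the receiving server.
    """
    if "@" not in address:
        raise ValueError("not a mail address: %r" % address)
    domain = address.rsplit("@", 1)[1]
    mx = sorted(lookup(domain, "MX", zone))   # tuples sort by priority first
    if mx:
        return [host for _priority, host in mx]
    return [domain]                            # implicit MX: the domain's A record


def resolve_delivery(address, unavailable=(), zone=ZONE):
    """Pick the first candidate host that resolves and is not marked busy.

    Returns (host, ip) or None when nothing usable exists. 'unavailable' is
    a constructed stand-in for "the lowest-priority host is busy".
    """
    for host in mail_hosts_for(address, zone):
        if host in unavailable:
            continue
        addrs = lookup(host, "A", zone)
        if addrs:
            return host, addrs[0]
    return None


if __name__ == "__main__":
    print(resolve_delivery("alice@example.com"))
    print(resolve_delivery("alice@example.com", unavailable={"mail.example.com"}))
    print(resolve_delivery("bob@nomx.example"))
    print(resolve_delivery("carol@unknown.example"))
```

The last call returns None: a domain with neither an MX nor an A record is undeliverable, which is the failure the DNS procedure later in this chapter is meant to prevent.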

Before you set up Mail service

Before setting up Mail service for the first time, complete the following.

If you are upgrading from a previous version of Mac OS X Server, you might need to take special steps to upgrade Mail service.

Decide whether to use POP, IMAP, or both for accessing mail.

If your server provides Mail service over the Internet, obtain a registered domain name.

Determine whether your ISP will create your MX records or whether you’ll create them using your own DNS service.

Identify the people who will use Mail service but who don’t have user accounts in a directory domain accessible to Mail service. Then create user accounts for these mail users.

Determine your authentication and transport security needs.

RELATED INFORMATION

Use network services with Mail service

Provide SMTP authentication

Provide IMAP and POP authentication

Secure Mail service with SSL

Mail service management tools

Lion Server provides two primary applications and one primary command-line tool to help you set up and manage Mail service.

Server Admin: Use to start, stop, configure, maintain, and monitor Mail service when you install Lion Server.

Server app: Use to create user accounts for mail users and configure each user’s mail options.

serveradmin: Use to manage Mail service from the command line remotely via ssh or locally through the Terminal application.

Configure DNS for Mail service


Configuring DNS for Mail service entails enabling MX records with your DNS server. If you have an ISP that provides DNS service, contact the ISP so they can enable your MX records.

Follow these steps if you provide your own DNS service using Lion Server.

1. In Server Admin, choose a server, then select DNS.

2. Click the Zones button in the toolbar.

3. Select the zone that the MX record will be added to.

4. If there are no zones, create one.

5. If the mail server does not have a machine record (A), add one.

6. Click the + button in the Mail Exchangers list.

7. Enter the mail server’s hostname.

8. Set a mail server precedence number.

Mail servers try to deliver mail at lower numbered mail servers first.

9. Click OK to Save.

To set up multiple servers for redundancy, add MX records with different precedence numbers.

Automatic configuration of Mail service

You can have Mail service set up and start as part of the Lion Server installation process.

An option for setting up Mail service appears in the Setup Assistant application, which runs at the conclusion of the installation process. If you select this option, Mail service is set up as follows:

SMTP, POP, and IMAP are active and use standard ports.

Junk mail filter is on.

Virus filtering is on.

Quotas are not enforced.

Incoming messages larger than 10 MB are refused.

Mailing lists are inactive.

Standard authentication methods are used (not Kerberos), with POP and IMAP set for clear-text passwords (APOP and CRAM-MD5 turned off) and SMTP authentication turned off. If your server is an Open Directory master, Kerberos, CRAM-MD5, and APOP are used.

Mail is delivered only locally. (No mail is sent over the Internet.)

Mail relay is unrestricted.

You can also use the configuration assistant to set up Mail service. This interactive assistant helps you select options and settings. If you use the configuration assistant, you should already have MX records set properly. After using the assistant, you can use Server Admin, Server app, and the serveradmin command-line tool to customize your configuration.

Enable Mail service administration with Server Admin

You must turn on Mail service administration before you can use Server Admin to configure or enable it. This allows Server Admin to start, stop, and change settings for Mail service.

1. Open Server Admin.


2. Select a server, click the Settings button in the toolbar, and then click the Services tab.

3. Select the checkbox for Mail service.

You can now configure and control Mail service using Server Admin.

Configure outgoing Mail service

Mail service includes an SMTP service for sending mail. Subject to restrictions that you control, the SMTP service also transfers mail to and from Mail service on other servers. If your mail users send messages to another Internet domain, your SMTP service delivers the outgoing messages to the other domain’s Mail service. Other Mail services deliver messages for your mail users to your SMTP service, which then transfers the messages to your POP service and IMAP service.

If you don’t choose a method of SMTP authentication or authorize specific SMTP servers to relay for, the SMTP server allows anonymous SMTP mail relay and is considered an open relay. Open relays are bad because junk mail senders can exploit the relay to hide their identities and send illegal junk mail without penalty.

There is a difference between relaying mail and accepting delivery of mail. Relaying mail means passing mail from one (possibly external) mail server or a local user’s mail client to another (third) mail server. Accepting delivery means receiving mail from a (possibly external) mail server to be delivered to the server’s mail users. Mail addressed to local recipients is still accepted and delivered.

Enabling authentication for SMTP requires authentication from any selected authentication method prior to relaying mail.

SMTP authentication is used with restricted SMTP mail transfer to limit junk mail propagation.

Enable SMTP access

SMTP is used for transferring mail between Mail services and for sending mail from users’ mail clients. The SMTP Mail service stores outgoing mail in a queue until it has found the mail exchange server at the mail’s destination. Then it transfers the mail to the destination server for handling and eventual delivery.

SMTP service is required for outgoing Mail service and for accepting delivery of mail from mail servers outside your organization.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the General tab.

4. Click Enable SMTP.

5. Select “Allow incoming mail,” if wanted.

6. If you allow incoming mail, enter the domain name to accept mail for and the mail server’s host name.

7. Click Save.

By default SMTP is enabled on port 25. If port 25 is blocked in your environment, change the port that SMTP uses.

Require SMTP authentication

If your Mail service requires SMTP authentication, your server cannot be used as an open relay by anonymous users. Someone who wants to use your server as a relay point must first provide the name and password of a user account on your server.

Although SMTP authentication applies primarily to mail relay, your local mail users must also authenticate before sending mail. This means your mail users must have mail client software that supports SMTP authentication or they can’t send mail to remote servers. Mail sent from external mail servers and addressed to local recipients is still accepted and delivered.

Relaying outgoing mail through another server

Rather than delivering outgoing mail to its destinations, your SMTP Mail service can relay outgoing mail to another server.

Normally, when an SMTP server receives a message addressed to a remote recipient, it attempts to send that message to that server or the server specified in the MX record, if it exists. Depending on your network setup, this method of mail transport might not be wanted or even possible. You might then need to relay outbound messages through a specific server.

You might need to use this method to deliver outgoing mail through the firewall set up by your organization. In this case, your organization must designate a server for relaying mail through the firewall.

This method can be useful if your server has slow or intermittent connections to the Internet.

Do not attempt to relay mail through a mail server outside your organization’s control without the relay administrator’s permission. Trying to do so will label you as a Mail service abuser.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the General tab.

4. Click “Relay outgoing mail through host” and enter the DNS name or IP address of the server that provides SMTP relay.

5. Click Save.

Saving mail messages for monitoring and archival purposes

You can configure Mail service to send a blind carbon copy (Bcc) of each incoming or outgoing message to a user or group. You might want to do this to monitor or archive messages. Senders and receivers of mail don’t know that copies of their mail are being archived.

You can set up the user or group to receive Bccs using POP, then set up a client mail application to log in periodically and clean out the account by retrieving all new messages. Otherwise, you might want to periodically copy and archive the messages from the destination directory using automated shell commands.

You can set up filters in the mail client to highlight types of messages. Additionally, you can archive all messages for legal reasons.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the General tab.

4. Click the “Copy all mail to” checkbox and enter a user or group name.

5. Click Save.

RELATED INFORMATION

Provide SMTP authentication

Secure Mail service with SSL

Restrict outgoing mail

You can restrict outgoing mail by relaying only through approved hosts, rejecting other specific hosts or blacklisted hosts, or filtering your SMTP connections.

Restricting SMTP relay

Your Mail service can restrict SMTP relay by allowing only approved hosts to relay mail. You create the list of approved servers. Approved hosts can relay through Mail service without authenticating. Servers not on the list cannot relay mail through Mail service unless they authenticate first. All hosts, approved or not, can deliver mail to your local mail users without authenticating. Mail service can log connection attempts made by hosts not on your approved list.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Relay tab.

4. Click the “Accept SMTP relays only from these hosts and networks” checkbox.

5. Edit the list of hosts by choosing one of the following:


Click the Add button (+) to add a host to the list.

Click the Remove button (-) to delete the selected host on the list.

Click the Edit button (/) to change a host on the list.

When adding to the list, Server Admin accepts a variety of notations. You can:

Enter a single IP address or the network/netmask pattern, such as 192.168.40.0/21.

Enter a host name, such as mail.example.com.

Enter an Internet domain name, such as example.com.

The following table describes the results of using restricted SMTP relay and SMTP authentication in various combinations.

SMTP requires authentication: On. Restricted SMTP relay: Off.
Result: All mail servers must authenticate before Mail service accepts mail for relay. Your local mail users must also authenticate to send mail out.

SMTP requires authentication: On. Restricted SMTP relay: On.
Result: Approved mail servers can relay without authentication. Servers you haven’t approved can relay after authenticating with Mail service.

SMTP requires authentication: Off. Restricted SMTP relay: On.
Result: Mail service can’t be used for open relay. Approved mail servers can relay (without authenticating). Servers that you haven’t approved can’t relay unless they authenticate, but they can deliver to your local mail users. Your local mail users don’t need to authenticate to send mail. This is the most common configuration.

Rejecting SMTP connections from specific servers

Mail service can reject unauthorized SMTP connections from hosts on a disapproved hosts list that you create.

Mail from hosts on this list is denied and the SMTP connections are closed after posting a 554 SMTP connection refused error.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Relay tab.

4. Click the “Refuse all messages from these hosts and networks” checkbox.

5. Edit the list of hosts by choosing one of the following:

Click the Add button (+) to add a host to the list.

Click the Remove button (-) to delete a host on the list.

Click the Edit button (/) to change a host on the list.

When adding to the list, Server Admin accepts a variety of notations. You can:

Enter a single IP address or the network/netmask pattern, such as 192.168.40.0/21.

Enter a host name, such as mail.example.com.

Enter an Internet domain name, such as example.com.

Rejecting mail from blacklisted senders

Mail service can reject mail from SMTP servers that are blacklisted as open relays by a Real-time Blacklist (RBL) server. Mail service uses an RBL server that you specify. RBLs are sometimes called black-hole servers.

Blocking unsolicited mail from blacklisted senders might not be completely accurate. Sometimes it prevents valid mail from being received.


1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Relay tab.

4. Click the “Use these junk mail rejection servers” checkbox.

5. Edit the list of servers by adding the DNS name of an RBL server:

Click the Add button (+) to add a server to the list, then enter the domain name of an RBL server, such as rbl.example.com.

Click the Remove button (-) to delete the server from the list.

Click the Edit button (/) to change the server.

When adding to the list, Server Admin accepts a variety of notations. You can:

Enter a single IP address or the network/netmask pattern, such as 192.168.40.0/21.

Enter a host name, such as mail.example.com.

Enter an Internet domain name, such as example.com.
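How an RBL lookup is formed and interpreted, as an added example (not the code Lion Server or Postfix runs): the connecting client's IPv4 address is reversed, prefixed to the RBL's zone name, and resolved; an answer inside 127.0.0.0/8 means the address is listed and the connection is refused with a 554 reply. The resolver is a constructed table so the example runs offline, rbl.example.com is the placeholder name the text uses, and the exempt-network parameter is an assumption added to show one way to keep the inaccuracy the text warns about from blocking your own approved hosts.

```python
"""DNS-based blacklist (RBL) check: reverse the client's IPv4 octets, prefix
them to the RBL zone, resolve, and treat a 127.0.0.0/8 answer as "listed".

Added illustration only. FAKE_DNS stands in for a real resolver; its entries
are constructed. rbl.example.com is the placeholder RBL name from the text.
"""
import ipaddress

# Constructed RBL answers. Real RBLs answer with 127.0.0.x, where x encodes
# the reason for the listing; 127.0.0.2 is the conventional "listed" value.
FAKE_DNS = {
    "9.113.0.203.rbl.example.com": "127.0.0.2",    # 203.0.113.9 is listed
    "7.41.168.192.rbl.example.com": "127.0.0.2",   # 192.168.41.7 is listed too
}

SMTP_GREETING = "220 mail.example.com ESMTP"       # constructed banner


def rbl_query_name(client_ip, rbl_zone):
    """Build the name to resolve: reversed octets + '.' + RBL zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this example covers the IPv4 RBL convention only")
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return "%s.%s" % (reversed_octets, rbl_zone)


def rbl_listed(client_ip, rbl_zone, resolve=FAKE_DNS.get):
    """True if the RBL lists client_ip; False if unlisted or unresolvable.

    Only an answer inside 127.0.0.0/8 counts. Some RBLs return other values
    to signal errors or billing problems, and those must not block mail.
    """
    answer = resolve(rbl_query_name(client_ip, rbl_zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def connection_response(client_ip, rbl_zones, exempt=("192.168.40.0/21",),
                        resolve=FAKE_DNS.get):
    """Decide the SMTP reply for a new connection.

    Exempt networks (an assumption, modelled on the approved-relay list) are
    never checked, so a mistaken listing of your own hosts cannot stop your
    own mail. Everyone else is checked against each RBL in turn.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n, strict=False) for n in exempt):
        return SMTP_GREETING
    for zone in rbl_zones:
        if rbl_listed(client_ip, zone, resolve):
            return ("554 5.7.1 Service unavailable; client %s is listed by %s"
                    % (client_ip, zone))
    return SMTP_GREETING


if __name__ == "__main__":
    for client in ("203.0.113.9", "198.51.100.4", "192.168.41.7"):
        print(client, "->", connection_response(client, ["rbl.example.com"]))
```

The third client is listed by the constructed RBL but sits in the exempt network, so it still receives the 220 greeting; that is the shape of the safeguard a deployment needs when, as the text notes, a blacklist is not completely accurate.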

Filtering SMTP connections

You can use Lion Server Firewall service to allow or deny access to your SMTP Mail service from specific IP addresses.

Filtering disallows communication between an originating host and your mail server. Mail service doesn’t receive the incoming connection and no SMTP error is generated or sent back to the client.

1. In Server Admin, select Firewall in the Computers & Services pane.

2. Create a firewall IP filter using the instructions in Network Services Administration, using the following settings:

Access: denied

Port number: 25 (or your incoming SMTP port, if you use a nonstandard port)

Protocol: TCP

Source: the IP address or address range you want to block

Destination: your mail server’s IP address

3. If you want, log the packets to monitor the SMTP abuse.

4. Add more filters for the SMTP port to allow or deny access from other IP addresses or address ranges.

Provide SMTP authentication

You can protect your server from being an open relay (which indiscriminately relays mail to other mail servers) by requiring SMTP authentication.

Requiring authentication ensures that only known users—people with user accounts on your server—can send mail from your mail servers.

You can configure Mail service to require secure authentication using CRAM-MD5 or Kerberos, or less secure authentication methods using plain text or login.

Plain authentication sends mail passwords as plain text over the network. Login authentication sends a minimally secure crypt hash of the password over the network. You might allow these less secure authentication methods, which don’t encrypt passwords, if some users have mail client software that doesn’t support secure methods.

If you configure Mail service to require CRAM-MD5, mail users’ accounts must be set to use a password server that has CRAM-MD5 enabled.

Before enabling Kerberos authentication for incoming Mail service, you must integrate Mac OS X with a Kerberos server. If you’re using Lion Server for Kerberos authentication, this is already done for you.

Enabling SMTP authentication will:

Make your users authenticate with their mail client before accepting mail to send.

Frustrate mail server abusers who are trying to send mail through your system without your consent.

Enabling multiple methods allows a client to use any of the enabled methods. To require any of these authentication methods, enable only one method.

To allow secure SMTP authentication

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Advanced tab.

4. Select Security.

5. Click the CRAM-MD5 or Kerberos checkbox in the SMTP section.

6. Click Save.

To allow less secure authentication

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Advanced tab.

4. Select Security.

5. In the SMTP section, click the Plain or Login checkbox.

6. Click Save.

If you use the Server Setup Assistant and make your server an Open Directory master, Kerberos and CRAM-MD5 are enabled. To force only one method to be used for authentication, deselect the one you do not want used.

Configure incoming Mail service

When configuring incoming Mail service, you configure mail to be retrieved by users and mail client applications.

Configuring incoming Mail service involves these basic steps:

Choose and enable the type of access (POP, IMAP, or both).

Choose a method for authentication of the mail client.

Choose a policy for secure transport of mail data over SSL.

The following sections explain how to enable IMAP and POP access.

Enable IMAP access

IMAP is a client-server mail protocol that allows users to access mail from the Internet. With IMAP, mail is delivered to the server and stored in a remote mailbox on the server. To users, mail appears as if it were on the local computer.

A key difference between IMAP and POP is that with IMAP the mail isn’t removed from the server until the user deletes it. IMAP connections are persistent and remain open, maintaining load on the server and possibly the network as well.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the General tab.

4. Click Enable IMAP.

5. Enter the number of concurrent connections you want to allow.

6. Click Save.


7. Continue and configure security for IMAP authentication and transport.

Enable POP access

POP is used for receiving mail. The POP Mail service stores incoming POP mail until users have their computers connect to Mail service and download their waiting mail. After a user’s computer downloads POP mail, the mail is stored only on the user’s computer.

An advantage of using POP is that your server doesn’t need to store mail that users have downloaded.

POP isn’t the best choice for users who access mail from more than one computer, such as a home computer, an office computer, and a laptop while on the road, because after messages are accessed by one computer, they are deleted from the server.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the General tab.

4. Click Enable POP.

5. Click Save.

6. Continue and configure security for IMAP authentication and transport.

Choose no incoming mail retrieval

You can choose SMTP Mail service but not supply POP or IMAP service for incoming mail retrieval. If neither POP nor IMAP is enabled, incoming mail from other mail servers is still delivered to users but they can’t access their mail with their mail client applications.

Mail accepted for local delivery is queued until POP or IMAP services are enabled, delivery to /var/mail/ is enabled, or the message expires and a Non Delivery Receipt (NDR) is sent to the sender (after 72 hours by default).

If delivery to /var/mail/ is enabled, users can still access mail using UNIX mail tools such as PINE or ELM. Messages delivered to /var/mail/ are not available for delivery to users with Dovecot if POP or IMAP are enabled again.

If POP and IMAP are disabled, you can change where incoming mail is stored from its default location at /Library/Server/Mail/Data/mail/GUID to /var/mail/username.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the General tab.

4. Click the “Deliver to /var/mail/” checkbox.

5. Click Save.

Save mail messages for monitoring and archival purposes

You can configure Mail service to send a blind carbon copy (Bcc) of each incoming or outgoing message to a user or group. You might want to do this to monitor or archive messages. Senders and receivers of mail don’t know that copies of their mail are being archived.

You can set up the user or group to receive Bccs using POP, then set up a client mail application to log in periodically and clean out the account by retrieving all new messages. Otherwise, you might want to periodically copy and archive the messages from the destination directory using automated shell commands.

You can set up filters in the mail client to highlight types of messages. Additionally, you can archive all messages for legal reasons.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the General tab.

4. Click the “Copy all mail to” checkbox and enter a user or group name.

5. Click Save.


RELATED INFORMATION

Provide IMAP and POP authentication

Secure Mail service with SSL

Provide IMAP and POP authentication

Your IMAP/POP Mail service (Dovecot) can protect user passwords by requiring that connections use secure authentication using Kerberos, CRAM-MD5 (for IMAP), or APOP (for POP), or less secure authentication methods using plain text or login.

When a user connects with secure authentication, the user’s mail client software encrypts the user’s password before sending it to your IMAP service.

Plain authentication sends mail passwords as plain text over the network. Login authentication sends a minimally secure crypt hash of the password over the network. You might allow these less secure authentication methods, which don’t encrypt passwords, if some users have mail client software that doesn’t support the secure methods.

Make sure your users’ mail applications and user accounts support the method of authentication you choose. If you configure Mail service to require CRAM-MD5, you must set mail accounts to use a Lion Server Password Server that has CRAM-MD5 enabled.

Before enabling Kerberos authentication for incoming Mail service, you must integrate Mac OS X with a Kerberos server. If you’re using Lion Server for Kerberos authentication, this is already done for you.

Enabling SMTP authentication will:

Make your users authenticate with their mail client before accepting mail to send.

Frustrate mail server abusers who are trying to send mail through your system without your consent.

Enabling multiple methods allows a client to use any of the enabled methods. To require any of these authentication methods, enable only one method.
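What the mechanisms contrasted here, and in the SMTP authentication section earlier, actually put on the wire, as an added example (not Dovecot or Postfix code): PLAIN carries the password itself, only base64-encoded, so anyone who captures the exchange recovers it; APOP and CRAM-MD5 carry a digest computed over a server-supplied, per-connection challenge, so a captured exchange neither reveals the password nor works again against a fresh challenge. The server-side CRAM-MD5 check also shows why the text requires a password server with CRAM-MD5 enabled: the server must be able to recompute the digest from the stored secret. The user names, passwords, and challenge strings are constructed, except for the published RFC 1939 and RFC 2195 test vectors used in the demonstration at the end.

```python
"""On-the-wire form of PLAIN (RFC 4616), APOP (RFC 1939) and CRAM-MD5
(RFC 2195). Added illustration, not Dovecot or Postfix code; the sample
users, passwords and challenges are constructed unless noted as RFC vectors.
"""
import base64
import hashlib
import hmac


def plain_response(user, password):
    """SASL PLAIN: base64 of "\\0user\\0password". The password is not hidden."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()


def plain_recover(response):
    """What an eavesdropper does with a PLAIN exchange: decode it."""
    _authzid, user, password = base64.b64decode(response).split(b"\0")
    return user.decode(), password.decode()


def apop_response(user, password, timestamp_banner):
    """POP APOP: the server greeting carries a <pid.time@host> banner; the
    client answers with MD5(banner + password), never the password itself."""
    digest = hashlib.md5((timestamp_banner + password).encode()).hexdigest()
    return "APOP %s %s" % (user, digest)


def cram_md5_digest(password, challenge):
    """HMAC-MD5 keyed with the password over the server's challenge."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def cram_md5_response(user, password, challenge):
    """CRAM-MD5 client reply: base64("user " + hex digest)."""
    return base64.b64encode(("%s %s" % (user, cram_md5_digest(password, challenge))).encode()).decode()


def cram_md5_verify(stored_password, challenge, response):
    """Server side: recompute from the stored secret and compare in constant time.

    The server needs the password (or an equivalent MD5 state) in recoverable
    form, which is why CRAM-MD5 must be enabled on the password server.
    Returns (user, ok).
    """
    user, digest = base64.b64decode(response).decode().split(" ", 1)
    expected = cram_md5_digest(stored_password, challenge)
    return user, hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # Constructed credentials: PLAIN is reversible by anyone on the path.
    wire = plain_response("alice", "s3cret")
    print("PLAIN on the wire:", wire, "->", plain_recover(wire))

    # RFC 1939 section 7 example: banner + secret "tanstaaf".
    print(apop_response("mrose", "tanstaaf", "<1896.697170952@dbc.mtview.ca.us>"))

    # RFC 2195 section 2 example: secret "tanstaaftanstaaf".
    chal = "<1896.697170952@postoffice.reston.mci.net>"
    resp = cram_md5_response("tim", "tanstaaftanstaaf", chal)
    print("CRAM-MD5 reply:", base64.b64decode(resp).decode())
    print("verify with right secret:", cram_md5_verify("tanstaaftanstaaf", chal, resp))
    # The same reply replayed against a new challenge fails.
    print("replay against new challenge:", cram_md5_verify("tanstaaftanstaaf", "<2.1@other>", resp))
```

The two verify calls make the replay point concrete: the captured CRAM-MD5 reply validates only for the challenge it was computed against. Transport encryption (SSL, covered in the next section) protects a PLAIN exchange in transit, but as the text says it does not by itself make authentication secure.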

To set secure IMAP and POP authentication

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Advanced tab.

4. Select Security.

5. Select CRAM-MD5 or Kerberos (as needed) in the IMAP section.

6. Click Save.

To set less secure IMAP and POP authentication

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Advanced tab.

4. Select Security.

5. Click the Login, PLAIN, or Clear checkbox in the IMAP list.

6. Click Save.

If you use the Server Setup Assistant and make your server an Open Directory master, Kerberos, CRAM-MD5 (for IMAP), and APOP (for POP) are enabled. To force only one method to be used for authentication, deselect the one you do not want used.

Secure Mail service with SSL

Secure Sockets Layer (SSL) connections ensure that the data sent between your mail server and your users’ mail clients is encrypted. This allows secure and confidential transport of mail messages across a local network.

SSL transport doesn’t provide secure authentication. It only provides secure transfer from your mail server to your clients. For incoming mail, Mail service supports secure mail connections with mail client software that requests them. If a mail client requests an SSL connection, Mail service can comply if that option is enabled.

Mail service still provides non-SSL (unencrypted) connections to clients that don’t request SSL. The configuration of each mail client determines whether it connects with SSL or not.

For outgoing mail, Mail service supports secure mail connections between SMTP servers. If an SMTP server requests an SSL connection, Mail service can comply if that option is enabled. Mail service can still allow non-SSL (unencrypted) connections to mail servers that don’t request SSL.

Configure SSL transport

If Mail service is started from the Server app, the default self-signed certificate is used for SSL transport. You can change this to another certificate if needed.

1. Select your server in the Hardware section of the Server app sidebar.

2. Select the Settings pane.

3. Click the Edit button next to SSL Certificate.

4. Choose the certificate for the SMTP or POP and IMAP server as needed.

RELATED INFORMATION

Replace certificates

Create a self-signed certificate

Import a certificate identity

Obtain a CA-signed certificate

Use an SSL certificate

Change Mail service settings from the command line

Most settings are exposed in Server Admin and can be changed there. Many settings can also be accessed through the serveradmin command-line tool.

Find the name of the setting to change and then submit your setting as an argument to serveradmin.

For example, to disable POP email service:

$ sudo serveradmin settings mail:imap:enable_pop = no
$ sudo serveradmin stop mail
$ sudo serveradmin start mail

If you make a change, you may need to stop and restart Mail service. For more specific configuration of Postfix and Dovecot you might want to configure them directly. For information about configuring these tools, see the following: For Postfix, see www.postfix.org; for Dovecot IMAP/POP, see www.dovecot.org.

Enable Webmail

WebMail is a web-based mail user agent (MUA). It allows a web browser such as Apple’s Safari to compose, read, and forward mail like any other mail client. Lion Server’s WebMail functionality is provided by a software package called Roundcube at roundcube.net.

WebMail relies on your mail server to provide the Mail service. WebMail cannot provide Mail service independent of the mail server. WebMail uses the Mail service of your Lion Server computer.


WebMail uses standard mail protocols and requires your mail server to support them. These protocols are:

IMAP, for retrieving incoming mail

SMTP, for exchanging mail with other mail servers (sending outgoing mail and receiving incoming mail)

WebMail doesn’t support retrieving incoming mail via POP. Even if your mail server has POP enabled, WebMail doesn’t use it.

1. Enable and configure your mail server.

2. Launch the Server app from Launchpad.

3. In the Server app sidebar, select Mail.

4. Check Enable WebMail.

Set up a Mailman mailing list

To set up a Mailman mailing list, you enable the service, define a list name, and add subscribers to the list.

When you create a mailing list, you must specify a master password that gives you control over all lists. Do not use an administrator’s or user’s login password. You must also specify the mail addresses of other administrators who need the master password.

Enable mailing lists

Before you can define mailing lists and subscribers, you must enable the list service and create the administrator’s default mailing list.

When you enable mailing lists, you also create a password that allows administration of all lists on the server and a special list for mailing list administrators. Mailing list administrators get a copy of the master list password and error notifications.

Note: This list (called Mailman) must exist for mailing lists to function. Do not remove the master list.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Mailing Lists tab.

4. Click Enable Mailman Mailing Lists.

5. Enter the master list password.

6. Enter the mail addresses of the list administrators, then click OK.

You must enter at least one administrator who will receive notifications about the mailing list service.

7. Click Save.

The Mailman list is created and the master password is sent to the indicated administrators.

Create a mailing list

Mailing lists distribute a single mail message to multiple recipients. After you create a mailing list, mail sent to the list’s address is sent to all subscribers. Mailing lists have list administrators who can change list membership and list features.

Lists can be self-subscribing, so list administrators don’t need to add and remove subscribers. The subscribers can do so themselves.

Note: Mailing lists cannot be renamed or corrected after creation. This is a limitation of Mailman, the list software used by Lion Server. Although you can change the case of a list name using Mailman’s web interface, Server Admin doesn’t allow changing the list name in any way.

To rename or correct a list name, you must create a list and add existing users to the new list. This results in a Welcome message being sent to all listed users.

1. In Server Admin, select a computer in the Servers list, then select Mail.


2. Click Settings.

3. Select the Mailing Lists tab.

4. Under the Lists pane, click the Add button (+).

5. Enter the list’s name.

The list name is the mail account name that mailing list users send their mail to. The name isn’t case sensitive and cannot contain spaces.

6. Enter the list administrator’s mail address, then click Edit.

If you only enter a name, it must be a username on the server. If you enter username@domain, the administrator doesn’t need to be a local user.

7. Click Users May Self Subscribe, if desired.

8. Choose the default language for the list.

You can choose English, French, German, Japanese, Korean, Russian, or Spanish. This setting encodes the text generated by the list for the default language.

9. Choose additional languages to be supported by the list.

This setting also encodes the text generated by the list for the default language.

10. Click OK.

11. Click Save.

You can now add subscribers to the list. If you allow users to self-subscribe, they can subscribe using mail or the web administration page.

Set a mailing list's maximum message length

You can set the maximum size of message that the list accepts. You can disallow large attachments by setting a small maximum size, or you can allow file collaboration by setting an unlimited message size.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Mailing Lists tab.

4. Select the list whose message length you want to set.

5. Under the Lists pane, click the Edit button (/).

6. Enter the maximum message length (in KB).

If you enter 0, the maximum length is unlimited.

7. Click OK.

8. Choose the default language for the list.

You can choose English, French, German, Japanese, Korean, Russian, or Spanish. This setting encodes the text generatedby the list for the default language.

9. Choose additional languages to be supported by the list.

This setting also encodes the text generated by the list for the default language.

10. Click OK.

11. Click Save.

Create a mailing list description

You use the web interface to set the mailing list description. Web services must be enabled to access the web-based interface.

Sometimes it’s difficult to know the scope and subject matter of a mailing list from the short list name. The list information page contains a description of the list, the subject matter it covers, and (optionally) who is permitted to subscribe. These details are especially good for self-subscription lists. A potential subscriber can decide whether to subscribe based on the list’s description.


1. In a web browser, enter the URL of the list administration page.

This is usually server.domain.tld/mailman/admin/listname.

2. Enter the master list password and click “Let me in.”

This is not the user’s login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.

3. Make sure that General Options is selected from the Configuration Categories link section.

4. Enter a short phrase in the description text box.

5. In the info text box, enter information about the list, its rules, and its content expectations.

6. Click Submit Your Changes.

Customize the mailing list welcome message

You use the web interface to set the mailing list welcome message. Web services must be enabled to access the web interface.

When subscribers join a mailing list, by assignment or self-subscription, they receive an automated welcome message. The message explains where to find the list archives and how to unsubscribe. You can customize it by adding text, describing the list culture and rules, or including other information for the subscribers.

1. In a web browser, enter the URL of the list administration page.

This is usually server.domain.tld/mailman/admin/listname.

2. Enter the master list password.

This is not the user’s login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.

3. Make sure that General Options is selected from the Configuration Categories link section.

4. Enable “Send welcome message to newly subscribed members.”

5. Enter the text to include in the “List-specific text prepended” text box.

6. Click Submit Your Changes.

Customize the mailing list unsubscribe message

You use the web interface to set the mailing list unsubscribe message. Web services must be enabled to access the web interface.

When a user is unsubscribed from a mailing list, by the list administrator or by unsubscribing, the user receives an automated unsubscribe message. The message confirms the unsubscribing. You can customize it by adding information you want users to have upon leaving the list.

1. In a web browser, enter the URL of the list administration page.

This is usually server.domain.tld/mailman/admin/listname.

2. Enter the master list password and click “Let me in.”

This is not the user’s login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.

3. Make sure that General Options is selected from the Configuration Categories link section.

4. Enable “Send goodbye message to members.”

5. Enter the text to include in the “Text sent to people leaving the list” text box.

6. Click Submit Your Changes.

Enable a mailing list moderator

You use the web interface to set mailing list moderation. Web services must be enabled to access the web interface.

You can create a moderated list where the posts must be approved by a list administrator before the post is sent. You designate list moderators who have limited administrative privileges. They can’t change list options but they can approve or reject subscription requests and postings.


When moderators enter their password in the list administration page, they get a page with their own moderating tasks available.

1. In a web browser, enter the URL of the list administration page.

This is usually server.domain.tld/mailman/admin/listname.

2. Enter the master list password.

This is not the user’s login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.

3. Make sure that General Options is selected from the Configuration Categories link section.

4. Enter the list moderator addresses to include in the “The list moderator mail addresses” text box.

5. Click Submit Your Changes.

6. In the Configuration Categories link section, select Password Options.

7. Enter a password in the moderator password field and confirm it.

8. Click Submit Your Changes.

Set mailing list bounce options

You use the web interface to set mailing list bounce options. Web services must be enabled to access the web interface.

When a list message bounces and returns to the list server, you can choose how the list server handles the resulting bounce message.

1. In a web browser, enter the URL of the list administration page.

This is usually server.domain.tld/mailman/admin/listname.

2. Enter the master list password.

This is not the user’s login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.

3. In the Configuration Categories link section, select Bounce Processing.

4. Select bounce processing options.

Each option section has a link to a help page that explains the option setting.

5. Click Submit Your Changes.

Designate a mailing list as private

You use the web-based interface to set a list’s privacy options. Web services must be enabled to access the web-based interface.

You might not want some lists to appear on the web list access page at server.domain.tld/mailman/listinfo. Designate such a list as private so that it isn’t shown there.

1. In a web browser, enter the URL of the list administration page.

This is usually server.domain.tld/mailman/admin/listname.

2. Enter the master list password.

This is not the user’s login password. The master list password was set when mailing lists were enabled on the server. It was mailed to list administrators designated at that time.

3. In the Configuration Categories link section, select Bounce Processing.

4. Select bounce processing options.

Each option has a link to a help page that explains the option.

5. Click Submit Your Changes.

Add subscribers

Use Server Admin to add mailing list subscribers to a list. Mailing list subscribers do not need an account (mail or file access) on the list’s server. Any mail address can be added to the list. You must have an existing list to add a subscriber.


1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Mailing Lists tab.

4. Select the list to add a subscriber to.

5. Under the Members pane, click the Add button (+).

6. Enter the recipient’s mail address.

If you’re entering multiple subscribers, enter the recipient mail addresses or drop a text list into the User Identifiers box. If the subscribers are users on the mail server, you can use the Users and Groups button to add local groups to the list.

7. Choose from the following subscriber privileges:

Users subscribed to list: This means the user will receive mail sent to the list address.

Users may post to list: This means the list will accept mail from the user.

Users can administer list: This means the user has administrative privileges for the list.

8. Click OK.

Mail service filtering

Mail service uses SpamAssassin to filter spam, or junk mail, from incoming mail messages. Mail service uses ClamAV to detect viruses in mail messages. Both tools are managed in the Filters pane of Mail Settings in Server Admin.

Enable junk mail screening (Bayesian filters)

Before you can benefit from mail screening, it must be enabled. While enabling screening, you configure screening parameters.

Bayesian mail filtering is the classification of mail messages based on statistics. Each message is analyzed and word frequency statistics are saved. Mail messages that contain more of the words found in known junk mail receive a higher probability score of also being junk mail. When the message is screened, the server adds a header (“X-Spam-Level”) with the junk mail probability score.

For example, suppose you have 400 mail messages, where 200 of them are junk and 200 are good mail. When a message arrives, its text is compared to the 200 junk messages and the 200 good messages. The filter assigns the incoming message a probability of being junk or good, depending on which group it most resembles.

Bayesian filtering has shown itself to be a very effective method of finding junk mail if the filter has enough data to compare. One strength of this method is that the more mail you receive and classify (a process called training), the more accurate the next round of classification is. Even if junk mail senders alter their mailings, the filter takes that into account the next time around.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Filters tab.

4. Select Scan Mail for Junk Mail.

5. Set the level of permissiveness (Cautious, Moderate, Aggressive).

The permissiveness meter sets how many junk mail flags can be applied to a message before it is processed as junk mail. If you set it to “Least permissive,” mildly suspicious mail is tagged and processed as junk mail. If you set it to “Most permissive,” it takes a high score (in other words, many junk mail characteristics) to mark it as junk.

6. Choose from the following to deal with junk mail messages:

Choice | Description

Bounced | Sends the message back to the sender. You can optionally send a mail notification of the bounce to a mail account, probably the postmaster.

Deleted | Deletes the message without delivery. You can optionally send a mail notification of the bounce to a mail account, probably the postmaster.

Delivered | Delivers the message even though it’s probably junk mail. You can optionally add text to the subject line, indicating that the message is probably junk mail, or encapsulate the junk mail as a MIME attachment.

Redirected | Delivers the message to someone other than the intended recipient.

7. Choose how often to update the junk mail database.

8. Click Save.
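The word-frequency comparison described above, shown as an added example that is not part of the Lion Server manual or of SpamAssassin itself: a minimal Bayesian junk mail scorer in POSIX shell and awk. It trains on two constructed corpora (one junk, one good), gives every word of an incoming message a smoothed junk probability, combines those into a single score, and classifies against a threshold. The corpora, the sample messages, the 0.9 threshold, and the function names are constructed for illustration; SpamAssassin's real score also combines many non-Bayesian rules.

```shell
#!/bin/sh
# Added example, not from the Lion Server manual or from SpamAssassin: a
# minimal Bayesian junk mail scorer in POSIX shell and awk that shows the
# "compare the message's words against known junk and known good mail"
# idea described in the text. Corpora, messages and threshold are constructed.
JUNK_THRESHOLD="${JUNK_THRESHOLD:-0.9}"

# Constructed training corpora: one already-classified message per line.
SPAM_CORPUS='cheap prize winner click now
free prize claim now
click here for free money
win cash prize today'

HAM_CORPUS='meeting moved to tuesday
please review the attached report
lunch on friday at noon
the quarterly report is ready'

# bayes_score "MESSAGE TEXT" -> junk probability, printed with 3 decimals.
# Training: each word counts once per message in which it appears, per class.
# Scoring: every word gets a Laplace-smoothed junk probability, and the
# per-word probabilities are combined with the classic Bayesian formula.
bayes_score() {
    spamf=$(mktemp) && hamf=$(mktemp) || return 1
    printf '%s\n' "$SPAM_CORPUS" > "$spamf"
    printf '%s\n' "$HAM_CORPUS" > "$hamf"
    awk -v msg="$1" '
        FNR == 1 { file++ }                 # file 1 = junk, file 2 = good
        {
            split("", seen)                 # reset the per-message word set
            for (i = 1; i <= NF; i++) {
                w = tolower($i)
                if (w in seen) continue
                seen[w] = 1
                if (file == 1) spam[w]++; else ham[w]++
            }
            if (file == 1) nspam++; else nham++
        }
        END {
            n = split(tolower(msg), words, /[^a-z0-9]+/)
            num = 1; den = 1
            for (i = 1; i <= n; i++) {
                w = words[i]
                if (w == "") continue
                ps = (spam[w] + 1) / (nspam + 2)   # P(word | junk), smoothed
                ph = (ham[w] + 1) / (nham + 2)     # P(word | good), smoothed
                p = ps / (ps + ph)                 # P(junk | word)
                num *= p
                den *= (1 - p)
            }
            printf "%.3f\n", num / (num + den)
        }' "$spamf" "$hamf"
    rm -f "$spamf" "$hamf"
}

# classify_message "MESSAGE TEXT" -> "junk" or "good" against JUNK_THRESHOLD
classify_message() {
    score=$(bayes_score "$1")
    # awk does the floating-point comparison; sh arithmetic is integer only
    if awk -v s="$score" -v t="$JUNK_THRESHOLD" 'BEGIN { exit !(s + 0 > t + 0) }'; then
        echo junk
    else
        echo good
    fi
}

# Usage: sh bayes-demo.sh "claim your free prize now" "the report is attached"
for message in "$@"; do
    printf '%s (%s): %s\n' "$(classify_message "$message")" "$(bayes_score "$message")" "$message"
done
```

With these corpora, "claim your free prize now" scores 0.986 and "the report is attached" scores 0.027, which is the point of the 200-and-200 example in the text: a message is pulled toward whichever corpus its words resemble, and every correctly classified message you add to a corpus sharpens the next decision.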

Training the junk mail filter with user help

1. Enable junk mail filtering.

2. Create two local accounts: junkmail and notjunkmail.

3. Use the Server app to enable them to receive mail.

4. Instruct mail users to redirect junk mail messages that have not previously been tagged as junk mail to junkmail@<yourdomain>.

5. Instruct mail users to redirect real mail messages that were wrongly tagged as junk mail to notjunkmail@<yourdomain>. Each day at 2:15 am, the junk mail filter learns what is junk and what was mistaken for junk.

6. Delete the messages in the junkmail and notjunkmail accounts daily.

Training the junk mail filter without user interaction

You can also train the junk mail filter by giving it known junk and good mail messages. Accurate training requires a large sample, so a minimum of 200 messages of each type is advised.

1. Choose a mailbox of 200 messages made of only junk mail.

2. Use Terminal and the filter’s command-line training tool to analyze and remember junk mail using the following command:

sa-learn --showdots --spam <sample junk mail directory>/*

3. Choose a mailbox of 200 messages made of only good mail.

4. Use Terminal and the filter’s command-line training tool to analyze and remember good mail using the following command:

sa-learn --showdots --ham <sample good mail directory>/*

If the junk mail filter fails to identify a junk mail message, train it again so it can do better next time. Use sa-learn again with the --spam argument on the mislabeled message. Likewise, if you get a false positive (a good message marked as junk mail), use sa-learn again with the --ham argument to further train the filter.
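A training wrapper for the sa-learn procedure above, added here as an example; it is not part of the Lion Server manual or of SpamAssassin. It counts the messages in each sample directory, refuses to train on fewer than the 200 messages the text recommends (training on a tiny or mixed sample is the usual way to make the filter worse), and then runs the two sa-learn commands. The SA_LEARN and MIN_MESSAGES overrides and the function names are assumptions; the --showdots, --spam and --ham options are the ones the text uses.

```shell
#!/bin/sh
# Added example, not from the Lion Server manual or SpamAssassin: train the
# junk mail filter from a junk and a good mailbox directory, refusing to run
# on samples below the recommended 200 messages. SA_LEARN and MIN_MESSAGES
# are constructed overrides so the tool path or a stand-in can be supplied.
SA_LEARN="${SA_LEARN:-sa-learn}"
MIN_MESSAGES="${MIN_MESSAGES:-200}"

# count_messages DIR -> number of regular files in DIR (one message per file)
count_messages() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# check_sample DIR -> exit 0 if DIR holds at least MIN_MESSAGES messages, else 1
check_sample() {
    n=$(count_messages "$1")
    [ "$n" -ge "$MIN_MESSAGES" ]
}

# train_class spam|ham DIR -> runs sa-learn --showdots --spam/--ham on every
# file in DIR, but only after the sample-size check passes
train_class() {
    class=$1
    dir=$2
    if ! check_sample "$dir"; then
        echo "refusing to train $class: $dir has $(count_messages "$dir") messages, need $MIN_MESSAGES" >&2
        return 1
    fi
    "$SA_LEARN" --showdots "--$class" "$dir"/*
}

# train_corpus JUNKDIR GOODDIR -> train both classes; stops at the first failure
train_corpus() {
    train_class spam "$1" && train_class ham "$2"
}

# Usage: sh train-filter.sh <sample junk mail directory> <sample good mail directory>
if [ "$#" -eq 2 ]; then
    train_corpus "$1" "$2"
fi
```

The same wrapper serves the follow-up advice in the text: to correct a missed junk message or a false positive, put the single message in its own directory, lower MIN_MESSAGES to 1 for that run, and call train_class with spam or ham as appropriate.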

Filtering mail by language and locale

You can filter incoming mail based on locales or languages. Mail messages composed in foreign text encodings are often erroneously marked as junk mail. You can configure your mail server to not mark messages from designated originating countries or languages as junk mail.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Filters tab.

4. Select Scan Email for Junk Mail.

5. Click the Edit (/) button next to Accepted Languages to change the list, select the language encodings to allow as non-junk mail, and click OK.

6. Click the Edit (/) button next to Accepted Locales to change the list, select the country codes to allow as non-junk mail, and click OK.


7. Click Save.

Enabling Virus Screening

Before you can benefit from mail screening, it must be enabled. While enabling screening, you configure screening parameters.

Lion Server uses ClamAV (from www.clamav.net) to scan mail messages for viruses. If a suspected virus is found, you can deal with it several ways, described below. The virus definitions are kept up to date (if enabled) via the Internet using a process called freshclam.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Filters tab.

4. Select Scan Email for Viruses.

5. Choose from the following to deal with junk mail messages.

Choice | Description

Bounced | Sends the message back to the sender. You can optionally send a mail notification of the bounce to a mail account (probably the domain’s postmaster) and notify the intended recipient.

Deleted | Deletes the message without delivery. You can optionally send a mail notification to a mail account, probably the postmaster, as well as the intended recipient.

Redirected | Delivers the message to a designated address for further analysis.

6. Choose whether to notify the intended recipient if the message was filtered.

7. Choose how often to update the virus database.

A minimum of twice a day is suggested. Some administrators choose eight times a day.

8. Click Save.

Server-side mail rules

Lion Server supports Sieve scripts to process server-side mail rules.

For Sieve to function, you must enable its communications port.

Sieve is an Internet standard mail filtering language for server-side filtering. Sieve scripts interact with incoming mail before final delivery.

Sieve acts much like rules in mail programs to sort or process mail based on user-defined criteria. Sieve can provide such functions as vacation notifications, message sorting, and mail forwarding.

Sieve scripts are kept for each user on the mail server at /Library/Server/Mail/Data/rules/GUID. The directory is owned by Mail service, so users normally don’t have access to it and can’t put their scripts there for mail processing. For security purposes, users and administrators upload their scripts to a Sieve process, managesieve, which transports the scripts to the mail process for the user.

Place scripts for all users in the central script repository at /usr/sieve/.

By default, Sieve has the vacation extension.

To enable Sieve support

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.


3. Select the Filters tab.

4. Select Enable server side mail rules.

RELATED INFORMATION

Sample Sieve Scripts

Manage mail quotas

A quota is set for all users in Server app.

Mail quotas define how much disk space a user’s mail can use on the mail server. Although you don’t set a mail user’s quota in Server Admin, you do manage quota enforcement and your server’s response to quota violation.

Mail quotas are especially important if the mail server hosts many IMAP accounts. IMAP doesn’t require mail to be removed from the server when read, so IMAP users who get large attachments can fill their quotas quickly.

Limit incoming message size

You can set a maximum size for incoming messages. The default is 10 MB. You might not want to allow large attachments that add to the message size.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Quotas tab.

4. Click the “Refuse messages larger than” checkbox and enter the number of megabytes as the limit.

5. Click Save.

Enable mail quotas for users

You can enable limits to mail storage on the server. This is especially important if you use IMAP for incoming messages, because mail messages aren’t necessarily deleted when downloaded to the user.

1. In the Mail Server pane of the Server app, select the checkbox labeled "Limit mail to 200 MB per user."

2. Optionally, change the default 200 MB to your limit.

View a user's quota usage

When a mail user is over quota, Server Admin (in the Mail > Maintenance > Accounts pane) reports a percent free, which is negative. This percent is proportional to the amount the user is over quota.

For example, suppose a user has a 200 MB quota and has received 205 MB of mail. This is 5 MB over quota, which is 2.5% over quota. Server Admin reports this as “-2.5% of quota.”

Configure quota warnings

When a user’s mailbox approaches its storage quota, you can warn users of an impending quota violation. You choose whether to warn the mail user, how often to warn him or her, and at what point to send the warning.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Quotas tab.

4. Click Enable quota warnings.

5. Enter the maximum percentage of storage usage before a warning is sent.

6. Enter the frequency of the warning notice, in number of days.

7. To customize the quota warning notification, click Edit Quota Warning Message and customize the message.

8. Click Save.


Configure quota violation responses

When a mail user has more mail in storage than is allowed for his or her quota, the mail server recognizes a quota violation. There are typically two responses to quota violation: a violation notice, and suspension of mail service.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Quotas tab.

4. Click Enable Quota Warnings.

5. To customize the quota violation notification, click Edit Quota Warning Message, then customize the message.

6. To suspend mail service for users who exceed their quotas, select “Disable a user’s incoming mail when they exceed 100% of quota.”

7. To customize the over-quota message, click Edit Over Quota Error Message and then customize the message.

8. Click Save.

Configure mail client applications

Users must configure their mail client software to connect to Mail service. The following table details the information most mail clients need and the source of the information in Lion Server.

Mail client software | Lion Server | Examples

User name | Full name of the user | Vivian Li

Account name or Account ID | Short name of user account | vivian

Password | Password of user account |

Host name, Mail server, Mail host | Mail server’s full DNS name or IP address, as used when you log in to the server in Server Admin | mail.example.com, 192.168.50.1

Mail address | User’s short name, followed by the @ symbol, followed by one of the following: the server’s Internet domain (if the mail server has an MX record in DNS); the mail server’s full DNS name; the server’s IP address in brackets | vivian@example.com, vivian@mail.example.com, vivian@[192.168.50.1]

SMTP host, SMTP server | Same as host name | mail.example.com, 192.168.50.1

POP host, POP server | Same as host name | mail.example.com, 192.168.50.1

IMAP host, IMAP server | Same as host name | mail.example.com, 192.168.50.1

SMTP user | Short name of user account | vivian

SMTP password | Password of user account |

Set up mail server clustering with Xsan

With Xsan, you can cluster multiple mail servers that share the mail store. This provides mission-critical redundancy and high performance and allows you to easily maintain the pooled storage using Xsan tools and software.

Each server also has a primary SMTP spool file. If a server goes offline, another node in the cluster takes over processing of the failed server’s spool file. This happens automatically, but you see it noted in log files.


You can configure your mail server to join an existing mail cluster as a new member of the cluster, or you can migrate a mail server’s mail store to another server that is a member of the cluster.

If Xsan software is installed, you can also create a cluster, with the current server becoming the cluster’s first member.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Advanced.

3. Click Clustering.

4. Click the Change button, then follow the onscreen instructions that appear.

After a server has joined a cluster, changes to mail server settings, such as SMTP, POP, IMAP, and logging, affect all servers in the cluster.

When you remove the last member of a cluster, you must designate a server to take over as a standard mail server.

Set Mail service logging options

Mail service log settings are customizable.

Mail service logs can show the following levels of reported detail:

Level | Description

Debug | All debugging information

Information | Connection transactions, delivery attempts, authentication attempts

Notice | Authentication failures

Critical | Errors that require prompt administration attention

Warning | All warnings and errors

Errors | All errors

You can choose log detail for each service category (outgoing, incoming, or junk mail filter).

Set the Mail service log detail

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Settings.

3. Select the Logging tab.

4. Select the service whose log detail you want to set:

Service | Description

SMTP | Outgoing mail and connections from external mail servers

POP/IMAP | Incoming mail retrieval for users

Junk Mail/Virus | The junk mail service

5. From the Log Detail Level pop-up menu, choose a detail level.

6. Click Save.

Archiving Mail service logs by schedule


Lion Server archives Mail service logs after a specified time.

Each archive log is compressed and uses less disk space than the original log file. You can customize the schedule to archive the logs after a set period of time, measured in days.

1. In Server Admin, select Mail in the Computer & Services list.

2. Click Settings.

3. Select the Logging tab.

4. Click “Archive Logs Every ____ Days.”

5. Enter the number of days.

6. Click Save.

View Mail service settings from the command line

Use the serveradmin command to view mail service settings from the command line.

To view Mail service configuration settings

$ sudo serveradmin settings mail

To view a specific setting

$ sudo serveradmin settings mail:setting

To view a group of settings

You can view a group of settings that have part of their names in common by entering as much of the name as you want, stopping at a colon (:), and entering an asterisk (*) as a wildcard for the remaining parts of the name.

Example: $ sudo serveradmin settings mail:imap:*

View an overview of Mail service activity

You can obtain an overview of Mail service that reports whether the service is running, when Mail service started, and incoming and outgoing connections by protocol.

To see an overview of Mail service activity

1. In Server Admin, select Mail in the Computer & Services lis t.

2. Click the Overview button.

To see a summary status of Mail service from the command line

$ sudo serveradmin status mail

To see a detailed status of Mail service from the command line

$ sudo serveradmin fullstatus mail


View Mail service logs

You can view Mail service logs and reclaim the space used by log archives.

Mail service maintains the following logs:

Log | Description

Mail Access | General Mail service information is stored in this log.

IMAP Log | IMAP activity is stored in this log.

POP Log | POP activity is stored in this log.

SMTP Log | SMTP activity is stored in this log.

Mailing List Logs | These record Mailman activity, including service, error, delivery, delivery failures, postings, and subscriptions.

Junk Mail and Virus Logs | These record activity for mail filtering, including virus definition updates (freshclam log), virus scanning (clamav log), and mail filtering (amavis log).

To view a Mail service log

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click the Logs button.

3. From the View pop-up menu, choose a log type.

4. Click Save.

From the command line

You can use tail or another file-listing tool to view the contents of Mail service logs.

1. Use the serveradmin getLogPaths command to see where Mail service logs are located:

$ sudo serveradmin command mail:command = getLogPaths

2. View the latest entries in your selected log with the tail command.

a. To view the last 10 entries in the Junk Mail/Virus Scanning log:

$ tail /var/log/amavis.log

b. To view any number of entries:

$ tail -n lines /var/log/amavis.log

Replace lines with the number of lines you want to view.

c. To watch new additions to the log file:

$ tail -f /var/log/amavis.log

Control-C stops the tail command from watching the log file and returns your command prompt.
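A small triage helper for the Junk Mail/Virus Scanning log that the tail commands above display, added here as an example that is not from the Lion Server manual: it counts the Passed and Blocked verdicts in the log, counts blocked messages, and lists messages that were delivered despite a high spam score, which is the usual sign that the permissiveness setting or the filter's training needs attention. The sample log lines are constructed in the style of amavisd-new log entries and are not real server output; the function names and the SPAM_THRESHOLD override are assumptions.

```shell
#!/bin/sh
# Added example, not from the Lion Server manual: summarize junk mail and
# virus filtering verdicts from the amavis log. The sample lines below are
# constructed in the style of amavisd-new log entries, not real server output.
SPAM_THRESHOLD="${SPAM_THRESHOLD:-5}"

SAMPLE_AMAVIS_LOG='Mar  5 10:12:01 mail amavis[4321]: (04321-01) Passed CLEAN {RelayedInbound}, [192.0.2.10] <alice@example.com> -> <bob@example.com>, Hits: -1.9, size: 2048, 310 ms
Mar  5 10:13:44 mail amavis[4321]: (04321-02) Blocked SPAM {DiscardedInbound}, [198.51.100.7] <promo@example.net> -> <bob@example.com>, Hits: 14.2, size: 7130, 402 ms
Mar  5 10:15:09 mail amavis[4321]: (04321-03) Passed SPAMMY {RelayedTaggedInbound}, [198.51.100.9] <news@example.org> -> <carol@example.com>, Hits: 6.1, size: 5890, 388 ms
Mar  5 10:17:52 mail amavis[4321]: (04321-04) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound}, [203.0.113.5] <mallory@example.net> -> <bob@example.com>, Hits: -, size: 68, 95 ms
Mar  5 10:20:30 mail amavis[4321]: (04321-05) Passed CLEAN {RelayedInbound}, [192.0.2.11] <dave@example.com> -> <carol@example.com>, Hits: 0.4, size: 1190, 250 ms'

# write_sample_log FILE -> writes the constructed sample so the helpers can be tried offline
write_sample_log() {
    printf '%s\n' "$SAMPLE_AMAVIS_LOG" > "$1"
}

# summarize_verdicts LOGFILE -> "COUNT VERDICT" per verdict, most frequent first.
# The verdict is the "Passed X" or "Blocked X" pair right after the "(id)" token.
summarize_verdicts() {
    awk '
        match($0, /\) (Passed|Blocked) [A-Z]+/) {
            verdict = substr($0, RSTART + 2, RLENGTH - 2)
            count[verdict]++
        }
        END { for (v in count) print count[v] " " v }' "$1" | sort -rn
}

# high_scoring_delivered THRESHOLD LOGFILE -> "HITS RECIPIENT" for messages
# that were Passed (delivered) with a spam score at or above THRESHOLD
high_scoring_delivered() {
    awk -v threshold="$1" '
        /\) Passed / && match($0, /Hits: -?[0-9.]+/) {
            hits = substr($0, RSTART + 6, RLENGTH - 6) + 0
            if (hits >= threshold + 0 && match($0, /-> <[^>]+>/))
                print hits, substr($0, RSTART + 4, RLENGTH - 5)
        }' "$2" | sort -rn
}

# blocked_count LOGFILE -> number of messages blocked (junk mail or infected)
blocked_count() {
    awk '/\) Blocked / { n++ } END { print n + 0 }' "$1"
}

# Usage: sh amavis-triage.sh /var/log/amavis.log
if [ "$#" -eq 1 ]; then
    summarize_verdicts "$1"
    echo "blocked: $(blocked_count "$1")"
    echo "delivered with score >= $SPAM_THRESHOLD:"
    high_scoring_delivered "$SPAM_THRESHOLD" "$1"
fi
```

Running it on the constructed sample reports two Passed CLEAN, one Passed SPAMMY, one Blocked SPAM and one Blocked INFECTED, and lists the SPAMMY message (score 6.1, delivered to carol@example.com) as the one worth a look; the same helpers run unchanged against /var/log/amavis.log, and a spike in the Blocked INFECTED count is a reason to check that freshclam updates are succeeding.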

Reclaim disk space used by Mail service log archives

Lion Server reclaims disk space used by Mail service logs when they reach a specified size or age. You can use the diskspacemonitor command-line tool to monitor disk space when you want, and delete or move the log archives. For additional information, see the diskspacemonitor man page.

To search for specific entries, use the text filter box in the window.

View the Mail connections list

Server Admin can list the users who are connected to Mail service. For each user, you see the user name, IP address of the client computer, type of mail account (IMAP or POP), number of connections, and connection length.


1. In Server Admin, select Mail in the Computer & Services lis t.

2. Click the Connections button.

View Mail accounts

You can use Server Admin to see a list of users who have used their mail accounts at least once. For each account, you see the user name, disk space quota, disk space used, and percentage of space available to the user.

Mail accounts that have never been used aren’t listed.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Maintenance.

3. Click the Accounts button.

Monitor the outgoing mail queue

You might need to check mail that is waiting to be sent. If you have a message backlog, or if you have interrupted outbound mail, you might have a number of items in the queue. Additionally, you might want to monitor mail delivery to ensure that mail is being delivered to local and remote hosts.

Check the outgoing mail queue

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Maintenance.

3. Click the Mail Queue tab.

4. To inspect a message, select it.

Clear messages from the outgoing mail queue

Your outgoing mail queue might have a backlog of messages. These are messages that can’t be sent for any number of reasons: the message might be improperly addressed, the destination server might be unresponsive, or the destination account might be over quota. In such circumstances, you might want to clear messages from the queue backlog.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Maintenance.

3. Click the Mail Queue tab.

4. Select the message to delete.

5. Click Delete.

Retry sending undelivered outgoing messages

Sometimes the outgoing mail queue has undelivered messages that are properly addressed, but for some reason the messages aren’t sent (for example, if the destination server is down, or if the firewall is blocking the outgoing port for SMTP).

You can attempt to send the messages again. Normally, the mail server attempts to resend, but you can activate it manually instead of waiting.

1. In Server Admin, select a computer in the Servers list, then select Mail.

2. Click Maintenance.

3. Click the Mail Queue tab.


4. Select the message to retry sending.

To select more than one message, hold down the Shift or Command keys.

5. Click Retry.

While doing this you can monitor the logs to see what might be causing the problem.

RELATED INFORMATION

View Mail service logs

User collaboration services ► Mail ► Monitor Mail service

View Mail service statistics

You can use the serveradmin getHistory command to display a log of periodic samples of the number of user connections and the data throughput.

Samples are taken once each minute.

1. In Terminal, enter the following:

$ sudo serveradmin command

The serveradmin command prompt appears.

2. Enter the following in the serveradmin command prompt:

mail:command = getHistory
mail:variant = statistic
mail:timeScale = scale

Replace statistic and scale with the following:

statistic: The value you want to display. Valid values include:

v1 - Number of connected users (average during sampling period)

v2 - Data throughput (bytes/sec)

scale: The length of time in seconds, ending with the current time, that you want to see samples for. For example, to see 24 hours of data, specify mail:timeScale = 86400.

3. Press Control-D to save and exit the serveradmin command prompt.

The computer responds with the following output:

mail:nbSamples = <samples>
mail:v2Legend = "throughput"
mail:samplesArray:_array_index:0:vn = <sample>
mail:samplesArray:_array_index:0:t = <time>
mail:samplesArray:_array_index:1:vn = <sample>
mail:samplesArray:_array_index:1:t = <time>
[...]
mail:samplesArray:_array_index:i:vn = <sample>
mail:samplesArray:_array_index:i:t = <time>
mail:v1Legend = "connections"
afp:currentServerTime = <servertime>

<samples>: The total number of samples listed.

<sample>: The numerical value of the sample. For connections (v1), this is the integer average number of users. For throughput (v2), this is integer bytes per second.

<time>: The time when the sample was measured. A standard UNIX time (number of seconds since September 1, 1970). Samples are taken every 60 seconds.
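An added example, not from the Lion Server documentation or from serveradmin itself: a Python parser for this key = value output that collects the samples, checks that nbSamples agrees with what was actually listed, flags gaps longer than the one-per-minute sampling cadence (a sign the server or the sampler was down), and summarizes the values with their UTC time span. SAMPLE_OUTPUT is a constructed sample in the documented layout, not captured from a server; in practice you would pass it the text that serveradmin prints.

```python
"""Parse and sanity-check serveradmin getHistory output for Mail service.

Added example; not part of the Lion Server documentation or of serveradmin.
SAMPLE_OUTPUT is constructed to follow the documented layout (variant v2,
throughput in bytes/sec) and was not captured from a real server.
"""
import re
from datetime import datetime, timezone

# Constructed sample: four samples, with a missing sample between index 1 and 2.
SAMPLE_OUTPUT = """\
mail:nbSamples = 4
mail:v2Legend = "throughput"
mail:samplesArray:_array_index:0:v2 = 2048
mail:samplesArray:_array_index:0:t = 1300000000
mail:samplesArray:_array_index:1:v2 = 4096
mail:samplesArray:_array_index:1:t = 1300000060
mail:samplesArray:_array_index:2:v2 = 512
mail:samplesArray:_array_index:2:t = 1300000240
mail:samplesArray:_array_index:3:v2 = 1024
mail:samplesArray:_array_index:3:t = 1300000300
mail:v1Legend = "connections"
afp:currentServerTime = 1300000310
"""

KEY_VALUE_RE = re.compile(r"^(?P<key>\S+)\s*=\s*(?P<value>.*)$")
# The value field is v1 or v2 depending on the variant requested; the
# documentation writes it generically as "vn".
SAMPLE_KEY_RE = re.compile(
    r"^mail:samplesArray:_array_index:(?P<idx>\d+):(?P<field>v\d+|vn|t)$"
)


def parse_history(text):
    """Return (samples, meta).

    samples: list of {"index", "value", "time"} dicts sorted by index.
    meta: nbSamples, the legend strings and currentServerTime when present.
    Raises ValueError if nbSamples disagrees with the samples actually listed.
    """
    meta = {}
    by_index = {}
    for raw in text.splitlines():
        m = KEY_VALUE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and anything that is not key = value
        key, value = m.group("key"), m.group("value").strip()
        s = SAMPLE_KEY_RE.match(key)
        if s:
            idx = int(s.group("idx"))
            entry = by_index.setdefault(idx, {"index": idx})
            entry["time" if s.group("field") == "t" else "value"] = int(value)
        elif key == "mail:nbSamples":
            meta["nbSamples"] = int(value)
        elif key in ("mail:v1Legend", "mail:v2Legend"):
            meta[key.split(":")[1]] = value.strip('"')
        elif key == "afp:currentServerTime":
            meta["currentServerTime"] = int(value)
    samples = [by_index[i] for i in sorted(by_index)]
    if "nbSamples" in meta and meta["nbSamples"] != len(samples):
        raise ValueError(
            f"server reported {meta['nbSamples']} samples, parsed {len(samples)}"
        )
    return samples, meta


def find_gaps(samples, interval=60):
    """Return (index, seconds) pairs where consecutive samples are further
    apart than the documented 60-second cadence."""
    gaps = []
    for prev, cur in zip(samples, samples[1:]):
        delta = cur["time"] - prev["time"]
        if delta > interval:
            gaps.append((cur["index"], delta))
    return gaps


def to_utc(unix_seconds):
    """Render a sample timestamp (seconds since the UNIX epoch) as ISO 8601 UTC."""
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).isoformat()


def summarize(samples):
    """Min, max and mean of the sampled values plus the UTC span they cover."""
    values = [s["value"] for s in samples]
    return {
        "count": len(values),
        "min": min(values),
        "max": max(values),
        "mean": sum(values) / len(values),
        "first": to_utc(samples[0]["time"]),
        "last": to_utc(samples[-1]["time"]),
    }


if __name__ == "__main__":
    parsed, info = parse_history(SAMPLE_OUTPUT)
    print(info)
    print(summarize(parsed))
    print("gaps:", find_gaps(parsed))
```

To use it on a live server, save the serveradmin output to a file and pass its contents to parse_history; a non-empty result from find_gaps is worth correlating with the Mail service logs for the same period.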

User collaboration services ► Mail ► Solve Mail service problems

Improve performance

Mail service must act very fast for a short period of time. It sits idle until a user reads or sends a message, then it transfers the message immediately. Therefore, it puts intense but brief demands on the server.

As long as other services do not place heavy continuous demands on a server (for example, as a QuickTime streaming server would), the mail server can typically handle several hundred connected users.

As the number of connected mail users increases, the demand of Mail service on the server increases. If Mail service performance needs improvement, try the following:

Move the mail storage location to its own hard disk or hard disk partition.

Run other services on a different server, especially services that place frequent heavy demands on the server.

User collaboration services ► Mail ► Solve Mail service problems

If mail is undeliverable

Mail messages might be undeliverable for several reasons. Incoming mail might be undeliverable because it has a misspelled address or is addressed to a deleted user account. Outgoing mail might be undeliverable because it’s misaddressed or the destination mail server isn’t working.

You can configure Mail service to:

Forward undeliverable incoming mail. Mail service can forward messages that arrive for unknown local users to another local person or a group in your organization. Whoever receives forwarded mail that’s incorrectly addressed (with a typo in the address, for example) can forward it to the correct recipient. If forwarding of these undeliverable messages isn’t explicitly enabled, the messages are returned to sender.

Limit the number of attempts to deliver problematic outgoing mail.

Report failed delivery attempts.

Use a different timeout value to increase the chance of connection success.

User collaboration services ► Mail ► Solve Mail service problems

Configure additional Mail service support for 8-bit MIME

To receive 8-bit character-encoded mail messages, disable the default conversion that Postfix performs. Use the postconf command-line tool to disable the setting.

By default, many mail systems that use 8-bit character encoding for text (like Asian language mail systems) convert from 8-bit MIME to 7-bit characters. This has the unfortunate effect of garbling the mail.

1. Log in to your server as the administrator.

2. In Terminal, enter the following command:

sudo postconf -e disable_mime_output_conversion=yes

This disables the special processing of Content-Type headers while delivering mail.


User collaboration services ► Podcast

About the Lion Server podcast library

Lion Server introduces a new podcast library that integrates with Wiki Server 3.

With Mac OS X Lion, podcasting is even easier. Use the new Podcast Publisher application to develop the content for your podcasts. (Podcast Publisher is included with Mac OS X Lion and can be found in the Utilities folder of Launchpad.) You then upload them to the Lion Server podcast library. The podcast library is integrated with Wiki Server 3, giving your users a consistent experience across wiki pages and podcasts. It also makes managing the podcast library easier than ever.

The Lion Server podcast library:

Gives users a clean, consistent page where they can discover new and interesting podcasts.

Allows you to assign content control to other administrators, allowing them to easily remove outdated or otherwise irrelevant content.

Provides a simple mechanism for you to limit who can see episodes on a particular feed using the same users and groups that Wiki Server 3 uses.

Note: If you have an existing Podcast Producer infrastructure, you can continue to use that with Lion Server. As well as having access to Podcast Composer and Podcast Capture as before, you can also send content generated in Podcast Publisher directly to a Podcast Producer workflow.

User collaboration services ► Podcast

Set up a podcast library

To set up a podcast library, download and install the server components of Mac OS X Lion.

You can set up a podcast library to provide a common location for publishing podcasts. You can share podcast episodes to the podcast library from the Podcast Publisher application in Mac OS X Lion or from podcast workflows you set up using Podcast Composer in earlier versions of Mac OS X Server.

1. Open the Server app and select the Podcast service on the left, under Services.

If you have more than one server, select Podcast for the server that will host the podcast library.

2. Use the "Podcast library is viewable by" pop-up menu to choose who can access the library:

Anyone: Allows all users to view podcast episodes in the library.

Authenticated Users: Allows only users in the server's user list to view episodes.

Podcast Owners: Allows only users in the Administrators list to view library content.

3. Optionally, add users to the Administrators list.

Click the Add button (+) below the list, then choose a user from the list that appears. Podcast library administrators can delete other people's podcasts from the podcast library.

4. Click the On/Off button at the top of the pane to enable the library.

Users can share their podcasts with a podcast library from Podcast Publisher by specifying the address of the podcast library server in Podcast Publisher Preferences and then choosing Podcast Library from the Share menu.

User collaboration services ► Podcast ► Use Podcast Publisher

About Podcast Publisher

The new Podcast Publisher application in Mac OS X Lion makes it easy to create and publish podcasts.

Use Podcast Publisher to record video of you, your computer display, or a narrated screen recording and organize these recordings into unique podcasts. You can also import audio and video you have on your computer. Then share the podcasts to iTunes on your computer, distribute them via email, save them to your desktop, or publish them to a Podcast Library where others can subscribe to and view them using iTunes.

If you already use a Podcast Library hosted by the Podcast Producer service in Mac OS X Server v10.6 or later, you can publish there too.

RELATED INFORMATION

Create a podcast

Set up a podcast library

User collaboration services ► Podcast ► Use Podcast Publisher

Understand podcasts and episodes

A Podcast allows you to group audio files, video files, PDFs, and ePub documents about a topic or along a theme and share that content from a single Internet address. Other people can go to the same Internet address and see new information you add to your podcast.

These episodes in your podcast are unique, so you can mix audio and video files and PDF and ePub documents in a single podcast. You can create as many different podcasts as you like and as many episodes as you want in each podcast.

User collaboration services ► Podcast ► Use Podcast Publisher

How people see your podcasts

After you create a podcast, you share it so others can view content you add to the podcast.

A podcast has an address on the Internet that people can connect or subscribe to. People subscribe to a published podcast with a program like iTunes. When you publish episodes to your podcast, they are added to a subscriber's iTunes library. For this to happen, someone must host the podcast. Lion Server includes a way for you to easily host your own podcasts. This is called the Podcast service or the Podcast Library.

Podcast Publisher sends your podcasts to the Podcast Library in Lion Server. If your organization is using Podcast Producer, you can also send your podcasts to it. To look at or share a specific episode before sending it to the Podcast Library, you can also share it through email, save it to your computer, or open it in iTunes on your computer.

User collaboration services ► Podcast ► Use Podcast Publisher

Create a podcast

1. Open Podcast Publisher (in Applications/Utilities) and click New Podcast in the lower-left corner of the window.

If you're opening Podcast Publisher for the first time, there's a new podcast ready for you.

2. Enter a podcast title, then click the "(+) Add a new episode…" note.

This title is for the entire podcast series. Each episode in the podcast has its own title, which you can set later.

3. Add content by recording from a camera attached to your computer or from audio or movie files you have.

For more information, see Record content for an episode and Add existing content to a podcast.

4. Add episode information that your podcast subscribers can see in iTunes (or other applications they use to view your podcast).

For more information, see Add information about your podcasts.

5. Preview the episode.

Click the Play (right-facing triangle) button in the timeline below the podcast episode.

6. Share the episode.

Choose how to share the episode from the Share menu, or click the Share button. For information, see Publish a podcast.

RELATED INFORMATION

Record content for an episode

Add existing content to a podcast

Publish a podcast

User collaboration services ► Podcast ► Use Podcast Publisher

Record content for an episode

You can record video content for an episode from your computer screen, or from the built-in (or attached) camera on your computer. You can also record audio content.

1. Select a podcast.

If you have more than one podcast, use the Right Arrow and Left Arrow keys to navigate between them. If you're in the recording screen for an episode, click All Podcasts to return to the episode preview pane.

2. Add content using one of the following:

Record video from camera:

Record your computer screen:

Record audio:

If the wrong New Audio Episode or New Video Episode button appears, click the arrow at the right of the button that is showing and select the action you want.

User collaboration services ► Podcast ► Use Podcast Publisher

Add existing content to a podcast

You must have a valid media type to import into a podcast. Valid media types include:

Audio: MP3, MPEG4, AIFF

Video: QuickTime Movie, MPEG4, MPEG, 3GPP

Document: PDF, ePub

If you have an audio or video file that must be converted to a valid media type, try using QuickTime Player. The Pages app (available on the Mac App Store) lets you save documents as PDFs or ePub files.

You can use audio and video files and some documents that you have on your computer to make podcasts.

1. From the File menu, select Import Media.

2. Navigate to your content and select Import.


Options for step 2 of Record content for an episode:

Record video from camera: Click the New Video Episode button below the episode preview pane. When the recording pane appears, move the toggle at the lower left to the left to select the film strip icon. When you're ready, click the record button and click it again when you finish recording.

Record your computer screen: Click the New Video Episode button below the episode preview pane. When the recording pane appears, move the toggle at the lower left to the right to select the screen icon. Use the record button to start and stop recording. Speak as you record your actions to provide narration. The Podcast Publisher window does not appear in the recording. You can minimize it to get it out of the way or leave it open during recording.

Record audio: Click the New Audio Episode button below the episode preview pane. Use the record button to start and stop recording.


User collaboration services ► Podcast ► Use Podcast Publisher

Add information about your podcasts

Add supporting information to podcast episodes

You can modify the title and add comments, an author, dates, and related information to any episode in your podcast.

1. If you haven't already, open the episode in the editing pane of Podcast Publisher.

If you just opened Podcast Publisher, navigate to the podcast and the episode. If you're in the recording screen for the episode, click Cancel to return to the episode view.

2. Click on an item in the episode view.

3. Click the Info button at the top left.

4. Enter a title, the author's name, and text to describe the basic information about the episode.

You can enter more information and find out the URL to that episode by clicking the Show Advanced button.

5. When you finish annotating, click the Info button again, or click outside of the Info panel to dismiss it.

Viewers can see the information you provide by clicking the Info button in iTunes when they watch the episode.

User collaboration services ► Podcast ► Use Podcast Publisher

Publish a podcast

To share a finished podcast episode, you can open the episode in iTunes on the computer where it was created, email the episode to others, put a copy of the episode on your desktop, or publish the episode to a Podcast Library.

1. In Podcast Publisher, select the episode to share.

The Share button appears at the right, below the episode preview. If you don't see the Share button, try again to select the episode or, if you're in the recording pane, click Cancel.

2. Click the Share menu or the Share button and choose how to share the episode.

iTunes: Adds the episode to the iTunes library. Audio and video files are added to Music and Movies, PDF and ePub documents are added to Books.

Mail: Creates an email message with the episode as an attachment. Recipients of your email can use iTunes to view your podcast episode.

Podcast Library: Publishes the episode in the Podcast Library on the server you choose. A confirmation message appears when the episode is published. A button in the message lets you announce the episode in email. Anyone with access to the library can view the episode, and it appears in iTunes for users who subscribe to the podcast.

RELATED INFORMATION

Set up a podcast library

User collaboration services ► Podcast ► Work with legacy podcast tools

Use Podcast Capture

Podcast Capture is a part of the Podcast Producer solution. Use Podcast Capture to capture and upload audio and video QuickTime movies to a Podcast Producer server for encoding and publishing. You can also use Podcast Capture to upload files for processing and publishing as a single podcast.

Set up Podcast Capture

Set up podcast capture for the first time


Bind a Mac to a Podcast Producer server

Configure general Podcast Capture preferences

Configure audio/visual Podcast Capture preferences

Use Podcast Capture

Log in

Record and upload audio from a single source

Record and upload video from a single source

Record and upload video from dual sources

Record and upload a screen recording

Monitor transfers

Upload files

Browse episodes

Log out

About workflows

User collaboration services ► Podcast ► Work with legacy podcast tools

Use Podcast Composer

Podcast Composer simplifies and speeds up the process of building workflows by providing a simple graphical user interface. You provide information about the workflow, without writing XML code or worrying about where to store resources and credentials.

The Import stage

Select the input source of the content your workflow processes.

Configure Single Source

Configure Dual Source

Configure Montage

The Edit stage

Brand your podcast with titles and opening and closing movies.

Add and configure an introduction movie

Add a title movie

Add a watermark and an introduction overlay

Add and configure an exit movie

Configure transitions

Preview the podcast

The Export stage

Select output formats for your podcast.

Add QuickTime encoding formats

Add compressor formats

The Publish stage

Configure destinations for your podcast.

Send content to the Podcast Producer Library

Send content to an Apple wiki server


Send content using file transfer protocols

Send content to the Watch folder of Final Cut Server

Send content to a shared folder

Send content to a workflow

The Notify stage

Use different technologies to notify others about your podcast.

Add email notifications

Add iChat notifications

Add iTunes podcast directory notifications

Add iTunes U notifications

Add third-party service notifications

User collaboration services ► Web ► Overview

About web service

Use the Web pane of the Server app to host websites on your computer.

Use web service to publish custom websites that you have created (or someone has created for you) using website development software. You can restrict access to each website to a specific group or restrict parts of the website to specific groups. You can also specify each website’s IP address, an access port, and the folder where website files are stored on the server. A custom website is also called a virtual host.

If you want to allow Internet access to your websites and you have a cable router, DSL router, or other network router, your router must have port forwarding (port mapping) configured for web services. If your local network has a separate firewall device, ask the firewall administrator to open the firewall for the ports that web services use. If you add custom websites that use access port numbers other than 80, configure port forwarding for those ports as well.

Web service shares Apache server with other services such as wiki and Profile Manager service. For information about customizing Apache settings, enter man webapp.plist in Terminal.

RELATED TOPIC

Publish a website

User collaboration services ► Web ► Overview

About web technologies

Web service is based on Apache, an open source HTTP web server.

In addition to the standard plugin modules distributed with Apache, Mac OS X Lion provides an expanded set of modules, which support PHP, Python, and directory-based authentication, including Kerberos.

Web applications, such as the Roundcube mail client, use the PostgreSQL database management system.

In the Server app, you can configure web service to host custom websites. For information about customizing Apache settings, enter man webapp.plist in Terminal.

User collaboration services ► Web ► Overview

About PostgreSQL

PostgreSQL provides a relational database management solution for your web server.

With this open source software, you can link data in different tables or databases and provide the information on your website.


Wiki and Device Manager services require a PostgreSQL server, so it starts when either of these services is turned on. For information about PostgreSQL, view its documentation at http://www.example.com/postgresql/ (replace www.example.com with your server’s URL).

For PostgreSQL documentation, see www.postgresql.org/docs/.

User collaboration services ► Web ► Work with web service

Start or stop web service

Because many services rely on Apache, turning off web service doesn't stop Apache.

Turning on web service does the following:

If Apache isn't turned on, it turns on Apache.

It enables access through the default virtual host to content in the default document root, which is located at /Library/Server/Web/Data/Sites/Default/.

It enables access to any custom sites added in the Server app.

You can use the Server app or the command line to start or stop web service.

If you need to customize your web server settings, you can edit Apache configuration files and start web service from the command line.

Start web service in the Server app

Use the Server app to start web service.

1. In the Server app, click Web.

If web service has never been turned on before, click Enable Service.

If web service was previously turned on, the Enable Service dialog doesn’t appear.

2. Choose “On” from the pop-up menu under the service name in the Web pane.

Start web service from the command line

You should start web service by using the serveradmin command or by using the Server app, instead of using the apachectl command.

The apachectl command acts like a master switch. If you turn off apachectl, you turn off Podcast, device manager, wiki, and web services. If you use the Server app or the serveradmin command, you can separately turn on and off services.

The servermgr_web plugin manages web service state for the serveradmin command. For information about servermgr_web, enter man servermgr_web in Terminal.

Enter the following command in Terminal:

serveradmin start web

Stop web service in the Server app

Use the Server app to stop web service.

1. In the Server app, click Web.

If web service is already turned off, an Enable Service dialog appears.

2. Choose Off in the pop-up menu under the service name.

Stop web service from the command line

You can stop web service from the command line.

Enter the following command in Terminal:


serveradmin stop web

User collaboration services ► Web ► Work with web service

View web service logs

Web service uses the standard Apache log format, so you can view its logs using Console, command-line tools, or third-party log analysis tools.

Apache logs are located in /var/log/apache2/, which is mirrored to /Library/Logs/WebServer/. You can also view /Library/Logs/WebConfig.log.

The PostgreSQL log is /Library/Logs/PostgreSQL.log.

View web service logs in Console

You can use Console to view Apache log messages.

1. Open Console (located in Launchpad, in the Utilities folder).

2. Under Files, navigate to the logs to view and click the logs to view them.

For example, to view the Apache error log, click the disclosure triangle for /private/var/log, click the disclosure triangle for apache2, and then click error_log.

View web service logs from the command line

You can view web service logs using the command line.

To view the latest entries in a log, enter:

$ tail log-file

Replace log-file with the path of the log file.

User collaboration services ► Web ► Work with web service

Tune web service performance

The default web service performance settings are tuned to recommended values. You can customize performance settings such as the maximum number of client connections and how long to stay connected before timing out.

To tune website performance, you can edit /etc/apache2/httpd.conf. This Apache configuration file includes key performance tuning settings such as:

MaxClients 1024: Enter the maximum number of simultaneous connections. The range is 1 to 1024 connections. You can use a percentage of the maximum number of processes available instead of a hard value by following the value with a "%" character. For example: MaxClients 50%

ServerLimit 1024: Enter the upper limit for the MaxClients setting. This is typically set to the same value as MaxClients. You can use a percentage of the maximum number of processes available instead of a hard value by following the value with a "%" character. For example: ServerLimit 50%

Timeout 300: Enter the length of time before a connection to your web server times out. Timeouts occur when a user is viewing web pages but not interacting with the site.

MinSpareServers 1, MaxSpareServers 10: Enter the minimum and maximum number of spare server processes. These settings regulate the creation of idle spare server processes. Keep in mind the following:

If there are fewer than the required minimum number of spare server processes, the server adds spare server processes at a rate of one per second.

If more than the maximum number of spare server processes are idle, the server stops adding spare server processes beyond the maximum limit.

StartServers 1: Enter the number of spare servers that get created at startup.

MaxKeepAliveRequests 100: Enter the maximum number of persistent connections to the server. The range is 1 to 2,048 connections.

KeepAliveTimeout 15: Enter the amount of time that can pass between requests before the session is disconnected by the web server. The range for connection timeout is 0 to 9,999 seconds.
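An added example, not from the Lion Server documentation or from Apache: a small Python checker that reads these directives out of an httpd.conf fragment (skipping comments and <IfModule> wrappers) and reports values outside the ranges given above, namely MaxClients and ServerLimit 1 to 1024 or a percentage, MaxKeepAliveRequests 1 to 2048, and KeepAliveTimeout 0 to 9999. Two cross-directive checks are my own additions rather than ranges from the table: MaxClients larger than ServerLimit, which the table describes as its upper limit, and MinSpareServers larger than MaxSpareServers. SAMPLE_CONF is a constructed fragment with deliberate mistakes; on a real server you would pass the contents of /etc/apache2/httpd.conf to check_tuning.

```python
"""Check Apache performance directives against the documented ranges.

Added example; not Apple's or Apache's own tooling. SAMPLE_CONF is a
constructed httpd.conf fragment with deliberately out-of-range values.
"""
import re

SAMPLE_CONF = """\
# Prefork MPM tuning (constructed sample, not a real server's file)
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule prefork.c>
    StartServers        1
    MinSpareServers     12
    MaxSpareServers     10
    ServerLimit         1024
    MaxClients          2048
</IfModule>
"""

# Inclusive (low, high) ranges stated in the tuning table above.
RANGES = {
    "MaxClients": (1, 1024),
    "ServerLimit": (1, 1024),
    "MaxKeepAliveRequests": (1, 2048),
    "KeepAliveTimeout": (0, 9999),
}
PERCENT_OK = {"MaxClients", "ServerLimit"}  # these accept "50%" style values
WATCHED = set(RANGES) | {"Timeout", "MinSpareServers", "MaxSpareServers", "StartServers"}

DIRECTIVE_RE = re.compile(r"^\s*(?P<name>[A-Za-z]+)\s+(?P<value>\S+)\s*$")


def parse_directives(text):
    """Return {directive: raw value} for the watched directives.

    Comment lines and <IfModule>/</IfModule> lines are skipped. A directive
    repeated later in the file overrides an earlier one, as in Apache.
    """
    found = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("<"):
            continue
        m = DIRECTIVE_RE.match(stripped)
        if m and m.group("name") in WATCHED:
            found[m.group("name")] = m.group("value")
    return found


def check_tuning(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_directives(text)
    findings = []
    numeric = {}
    for name, raw in conf.items():
        if raw.endswith("%"):
            if name not in PERCENT_OK:
                findings.append(f"{name}: percentage values are not supported")
                continue
            pct = raw[:-1]
            if not pct.isdigit() or not 1 <= int(pct) <= 100:
                findings.append(f"{name}: percentage {raw} is not between 1% and 100%")
            continue
        if not raw.isdigit():
            findings.append(f"{name}: value {raw!r} is not a number")
            continue
        numeric[name] = int(raw)
        if name in RANGES:
            low, high = RANGES[name]
            if not low <= numeric[name] <= high:
                findings.append(f"{name}: {raw} is outside the range {low} to {high}")
    # Cross-directive consistency checks (my own, not ranges from the table).
    if ("MaxClients" in numeric and "ServerLimit" in numeric
            and numeric["MaxClients"] > numeric["ServerLimit"]):
        findings.append("MaxClients exceeds ServerLimit, which is its upper limit")
    if ("MinSpareServers" in numeric and "MaxSpareServers" in numeric
            and numeric["MinSpareServers"] > numeric["MaxSpareServers"]):
        findings.append("MinSpareServers is greater than MaxSpareServers")
    return findings


if __name__ == "__main__":
    for finding in check_tuning(SAMPLE_CONF):
        print(finding)
```

Run it before restarting web service after an edit; an empty result from check_tuning means the file stays within the documented ranges, although Apache's own startup messages remain the final word on whether it accepted the values.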

User collaboration services ► Web ► Create websites

Publish a website

You can create a website using web development software of your choice, or have someone do it for you, and then copy the website files to your server. Then use the Server app to publish your websites.

You can secure your website by enabling Secure Sockets Layer (SSL). You can create a self-signed SSL certificate in the Server app, or use one from a certificate authority (CA).

When you turn on web service, a default website is created and custom websites you create are enabled. This website responds to all server IP addresses and host names on port 80. If you enable SSL, the default website responds to port 443, and a website on port 80 redirects everything to port 443. The website initially uses a placeholder page that you can replace with your own.

If you need a website to use a specific IP address, or if you want to change settings such as the host name, port, or access control, you can create custom websites. For example, you can create multiple custom websites with different hostnames, serving the same content by sharing the same document root folder.

The websites you publish with the Server app are also known as virtual hosts.

Create a custom website

Use the Server app to publish a website.

1. In the Web pane of the Server app, click the Add button (+).

A dialog with options appears.

2. Customize your website using the following.

Domain Name: Enter the website’s fully qualified domain name.

IP Address: If your server has multiple IP addresses, choose the IP address used to access the website.

Store Site Files In: Choose a folder on your local computer to store your website files. This folder should include an index.html or index.php file to act as your website homepage. To view the folder contents, click View Document Root Contents at the bottom of the setup dialog.

Who Can Access: Choose who can access folders in the website. By default, everyone can access all folders. If you choose Customize, you can restrict access to subfolders of your website to groups you create in the Server app.

3. Click Done.

4. If web service isn’t turned on, click the On/Off switch to turn on the service.

To change website settings after creating a custom website, select the website in the Web pane of the Server app and click the Edit button (pencil). You can’t change the host name or document root folder settings.

Add or change webpages on your website

To change what’s available on the website, change the files in your website’s document root folder.

Use the Server app to find your website’s document root. The default document root is /Library/Server/Web/Data/Sites/domainname/.

1. In the Web pane of the Server app, select the website and click the Edit button (pencil).

A dialog with options appears. The document root is shown in the Store Site Files In pop-up menu.

2. Click View Document Root Contents.

The Finder opens to the document root location. Change the files in this folder to change what’s available on the website.

RELATED TOPICS

Start or stop a service

SSL certificates

Use an SSL certificate

User collaboration services ► Web ► Create websites

Make websites and wikis more secure

You can enable Secure Sockets Layer (SSL) for websites and wikis to make them more secure.

The server can use an SSL certificate to identify itself electronically and communicate securely with computers and other servers on the local network and the Internet. The SSL certificate provides additional security for websites and wikis.

You can use the self-signed certificate created for your server when you set it up, or a self-signed certificate you created, but users’ browsers won’t trust these and will display messages asking if the user trusts your certificate. You can avoid this by using a signed certificate.

When you enable SSL for websites, it enables SSL for all web applications, such as wikis. The URLs for your websites and wikis start with https instead of http. If you go to the http URL for your website, you are redirected to the https version. Also, SSL websites use port 443, while non-SSL websites use port 80.

1. In the Server app, select your server (below Hardware on the left side of the Server application).

2. Click Settings, and then click the Edit button at the right of SSL Certificate.

3. Choose one of the following:

To use an SSL certificate for iCal, Address Book, iChat, Mail, and web services: Choose a certificate from the Certificate pop-up menu.

To use an SSL certificate for just web service: Choose Custom in the Certificate pop-up menu. In the list that appears, choose an SSL certificate from the pop-up menu at the right of web service.

RELATED TASKS

Obtain a CA-signed certificate

Make websites and wikis more secure


Secure web content on case-insensitive file systems

Use case-sensitive disk volume formats such as Mac OS Extended (Case-sensitive) or Mac OS Extended (Case-sensitive, Journaled) to serve access-controlled web content. In these volume formats, folders named “Protected” and “PrOtECted” are two different folders.

The Mac OS Extended volume format preserves the case of file names but does not distinguish between a file or folder named “Protected” and one named “PrOtECted.” The mod_hfs_apple module, which is enabled by default, prevents using case insensitivity to bypass security. Without mod_hfs_apple, this insensitivity could be an issue when your web content resides on this type of volume and you restrict access to all or part of it: Apache matches its access rules against the path exactly as the browser typed it, while the file system returns the same folder under any spelling.

If you require browsers to use a name and a password for Read-Only access to content in a folder named “Protected,” browsers must authenticate to access the following URLs:

http://example.com/Protected

http://example.com/Protected/secret

http://example.com/Protected/sECreT

Without the mod_hfs_apple module enabled, they could bypass it by using something like the following:

http://example.com/PrOtECted

http://example.com/PrOtECted/secret

http://example.com/PrOtECted/sECreT

Note: The mod_hfs_apple module operates on folders. It is not intended to prevent access to individual files. A file named “secret” can be accessed as “seCREt”. This is correct behavior, and doesn’t enable bypassing security, because the access rule is attached to the folder.

For information about choosing who can access secure web content, see Publish a website.
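The check mod_hfs_apple performs, as an added Python illustration rather than Apple’s module: it walks every folder component of a request path, looks up the real directory entry, and rejects the request when the spelling differs, while leaving the final file component alone, as the note above describes. The document root it runs against is a constructed temporary directory, so it behaves the same on a case-sensitive volume, where the mismatched spelling would simply not exist.

```python
"""Simulate mod_hfs_apple's folder-case check against a constructed docroot.

Added illustration, not Apple's module: a request whose folder components do
not match the on-disk spelling is refused (403); file names are not checked.
"""
import os
import tempfile


def folder_case_mismatch(docroot, request_path):
    """Return the first folder component whose case differs from the on-disk
    name, or None if every folder matches or the path does not exist."""
    parts = [p for p in request_path.split("/") if p]
    current = docroot
    for part in parts:
        try:
            entries = os.listdir(current)
        except OSError:
            return None  # parent missing: Apache would answer 404
        # A case-insensitive volume resolves any spelling, so compare the
        # requested spelling against the real directory entry instead.
        matches = [e for e in entries if e.lower() == part.lower()]
        if not matches:
            return None  # nothing here to protect
        real = part if part in matches else matches[0]
        full = os.path.join(current, real)
        if not os.path.isdir(full):
            return None  # a file ends the walk; files are exempt by design
        if real != part:
            return part  # folder requested with the wrong case
        current = full
    return None


def decide(docroot, request_path):
    """Map the check onto an HTTP status: 403 on a folder case mismatch,
    otherwise 200 (a real server then applies its access rules)."""
    return 403 if folder_case_mismatch(docroot, request_path) else 200


def build_sample_docroot():
    """Constructed layout: Protected/secret and Protected/inner in a temp dir."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "Protected", "inner"))
    with open(os.path.join(root, "Protected", "secret"), "w") as fh:
        fh.write("restricted content\n")
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for url in ("/Protected/secret", "/Protected/sECreT",
                "/PrOtECted/secret", "/Protected/INNER"):
        print(url, decide(root, url))
```

The same walk generalizes to any nesting depth: a mismatch anywhere above the file is enough to refuse the request, which is what keeps a protected folder's access rule from being sidestepped by respelling a parent.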

Let users change their password

If you host a website and have an SSL certificate associated with web service, you can enable a web page that users can use to change their password. SSL is required because the page submits the user’s current and new passwords.

If you enable wiki service, a Change Password link appears at the bottom of the default wiki server home page.

The change password page is located at https://websiteURL/changepassword.

1. In the Web pane of the Server app, select a website and click Edit (pencil).

2. Select "Allow users to change their password."

If "Allow users to change their password" is deactivated, you don't have an SSL certificate associated with web service. For information about using SSL certificates, see Use an SSL certificate.

3. Click Done.

4. If web service isn’t turned on, click the On/Off switch to turn on the service.

RELATED TASKS

Host wikis on your server

Work with Apache

Apache is the open source HTTP web server provided with Mac OS X Lion. You can use the Server app to manage web service and use the default Apache settings. To change advanced Apache settings, edit the Apache configuration files and change or add Apache modules.


Mac OS X Lion runs Apache web server v2.2 as a 64-bit process on 64-bit computers.

In a clean installation of Mac OS X Lion Server, Apache v2.2 is installed. If you are using Apache v1.3 on Mac OS X Server v10.5 and you upgrade to Mac OS X Lion, Apache 2.2 is installed using its default configuration, and your Apache v1.3 configuration files are preserved in the /etc/httpd-1.3/ folder. You can migrate Apache using one of the following methods:

Use the apache1_config_helper script to help automate the Apache v1.3 to v2.2 migration.

Use a text editor to customize the Apache configuration.

The locations of key Apache files and folders are listed in the following table.

Web service configuration files: /etc/apache2/

Main web service configuration file: /etc/apache2/httpd.conf

Website configuration files: /etc/apache2/sites/

Template for new websites created in the Server app: /etc/apache2/sites_disabled/uid_default_default.conf

Web application configuration files: /etc/apache2/webapps/

Executable file: /usr/sbin/httpd

Web modules: /usr/libexec/apache2/

Error log: /var/log/apache2/ (with a symlink that lets the folder be viewed as /Library/Logs/WebServer/)

Temporarily disabled websites: /etc/apache2/sites_disabled/

Static content: /Library/Server/Web/Data/Sites/Default/ (default)

CGI files: /Library/WebServer/CGI-Executables/

Files in /etc/apache2/sites/ are read and processed by Apache when it performs a hard or soft (graceful) restart. You disable sites by moving them from /etc/apache2/sites/ to /etc/apache2/sites_disabled/ and restarting web service.

Each time you save changes, the server restarts. If you edit a file using a text editor that creates a temporary or backup copy, the server restart might fail because two files with almost identical names are present and Apache loads both. To avoid this problem, delete temporary or backup files created when editing files in this folder, and check the syntax with apachectl configtest before restarting.
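Disabling and re-enabling a site by moving its configuration file, with the stray-file check the paragraph above calls for, as an added Python illustration (not an Apple tool). It works on a constructed temporary copy of the /etc/apache2/ layout; the site file name is made up, the list of editor suffixes is an assumption, and the restart itself (through the Server app or serveradmin) is left to the administrator.

```python
"""Move an Apache site definition between sites/ and sites_disabled/, refusing
while editor backup copies sit in the sites folder. Added illustration, not an
Apple tool; runs against a constructed temporary layout."""
import os
import shutil
import tempfile

# Suffixes common editors leave behind (assumed list; extend for your editors).
STRAY_SUFFIXES = ("~", ".swp", ".swo", ".bak", ".orig", ".tmp")


def stray_editor_files(sites_dir):
    """Names in sites_dir that look like temporary or backup copies. Apache
    reads every file in the folder, so such a copy is loaded alongside the
    real site definition and the restart can fail."""
    strays = []
    for name in sorted(os.listdir(sites_dir)):
        if (name.startswith(".") or name.endswith(STRAY_SUFFIXES)
                or (name.startswith("#") and name.endswith("#"))):
            strays.append(name)
    return strays


def move_site(apache_dir, conf_name, enable):
    """Move conf_name into sites/ (enable=True) or sites_disabled/
    (enable=False) and return its new path. Restart web service afterwards."""
    src_sub, dst_sub = ("sites_disabled", "sites") if enable else ("sites", "sites_disabled")
    strays = stray_editor_files(os.path.join(apache_dir, "sites"))
    if strays:
        raise RuntimeError("remove stray files before restarting: " + ", ".join(strays))
    src = os.path.join(apache_dir, src_sub, conf_name)
    if not os.path.isfile(src):
        raise FileNotFoundError(src)
    dst = os.path.join(apache_dir, dst_sub, conf_name)
    shutil.move(src, dst)
    return dst


def build_sample_layout():
    """Constructed stand-in for /etc/apache2/ with one made-up site file."""
    root = tempfile.mkdtemp(prefix="apache2-")
    for sub in ("sites", "sites_disabled"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "sites", "example.com.conf"), "w") as fh:
        fh.write("<VirtualHost *:80>\n  ServerName example.com\n</VirtualHost>\n")
    return root


if __name__ == "__main__":
    root = build_sample_layout()
    print("disabled ->", move_site(root, "example.com.conf", enable=False))
    print("enabled  ->", move_site(root, "example.com.conf", enable=True))
```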

For information about important Apache configuration files, see the ReadMe.txt file in /etc/apache2/. For Apache web server v2.2 documentation, see http://httpd.apache.org/docs/2.2/.

For information about web application configuration files, enter man webapp.plist in Terminal.

Enable or disable PHP

You can enable or disable PHP for websites using the Server app.

You can write PHP scripts to create dynamic web content or web applications.

1. In the Web pane of the Server app, select "Enable PHP web applications" to enable PHP or deselect "Enable PHP web applications" to disable PHP.

If webmail is turned on, PHP is enabled and can't be disabled.

2. If web service isn’t turned on, click the On/Off switch to turn on the service.

RELATED TASKS

Enable Webmail


Restore the default web configuration

You can restore the default Apache configuration without reinstalling Mac OS X Lion.

The folders with Apache configuration files have read-only .default files that store default Apache settings. You can run a command in Terminal that replaces all changed configuration files with these default files. Your customizations are discarded, so copy /etc/apache2/ aside first if you might need any of them.

For information about important Apache configuration files, see the ReadMe.txt file in /etc/apache2/.

1. Open Terminal.

2. Enter the following command:

$ sudo serveradmin command web:command=restoreFactorySettings

Work with web applications

Web service allows you to run web applications and web application frameworks such as MacRuby and Ruby on Rails.

Mac OS X Server v10.6 used a Mongrel server to support Ruby on Rails applications. Mac OS X Lion uses control_tower for MacRuby and the Thin web server for Ruby on Rails.

For information about control_tower, enter man control_tower in Terminal.

For information about the Thin web server, see the Thin web site at code.macournoyer.com/thin/. For a list of Thin web server options, enter thin in Terminal.

In addition to using the Server app, you can start or stop web service and configure web service settings by using the servermgr_web and webappctl commands. For information about these commands, enter man servermgr_web and man webappctl in Terminal. You can define the web applications managed by servermgr_web by editing plist files located in /etc/apache2/webapps/. For information about these plist files, enter man webapp.plist in Terminal.

About Apache web modules

Apache includes modules that add functionality to your website. Apache comes with several standard modules, and you can purchase additional modules from software vendors or download them from the Internet. You can find information about available Apache modules at www.apache.org/docs/mod.

Before enabling or disabling modules, you should have a specific functionality goal and fully understand the implications.

Some web modules are mutually exclusive or are interdependent. Here are some examples:

auth_digest_module and digest_module must never be enabled simultaneously.

proxy_module must be enabled if proxy_connect_module, proxy_ftp_module, proxy_http_module, proxy_ajp_module, or proxy_balancer_module are enabled.

dav_module and dav_fs_module should be in the same state.

mod_dav_svn requires that mod_dav and mod_dav_fs are enabled.

encoding_module requires that headers_module, dav_module, and dav_fs_module are enabled.

cache_module is required for mem_cache_module and disk_cache_module.

mod_userdir is disabled by default.

mod_userdir_apple, a secure replacement for mod_userdir, does not distinguish between nonexistent users and users who cannot access userdir, so its responses don’t reveal which accounts exist on the server. mod_userdir_apple is also disabled by default.

When mod_userdir and mod_userdir_apple are disabled, a browser can’t access content from a user’s Sites folder. For example, if your server is named example.com and the user’s short name is refuser, the content of the Sites folder can no longer be accessed at http://example.com/~refuser.

mod_userdir and mod_userdir_apple must never be enabled simultaneously.

mod_bonjour is disabled by default, but requires at least one of the two mod_userdir modules for full functionality.
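A checker for the module constraints listed above, as an added Python illustration (not an Apple or Apache tool): it collects the identifiers from uncommented LoadModule lines and reports every rule the set violates, which is cheaper than discovering a conflict at restart. The httpd.conf fragment is constructed and deliberately broken; the LoadModule identifiers for the two Apple modules (apple_userdir_module, bonjour_module) are assumptions, the rules are the ones the text states.

```python
"""Check LoadModule directives against the documented module constraints.
Added illustration, not an Apple or Apache tool."""
import re

# Constructed httpd.conf fragment (not Apple's shipped file) with several
# deliberate violations; a leading '#' disables a LoadModule line.
SAMPLE_CONF = """
LoadModule auth_digest_module libexec/apache2/mod_auth_digest.so
LoadModule digest_module libexec/apache2/mod_digest.so
LoadModule proxy_http_module libexec/apache2/mod_proxy_http.so
LoadModule dav_module libexec/apache2/mod_dav.so
#LoadModule dav_fs_module libexec/apache2/mod_dav_fs.so
LoadModule encoding_module libexec/apache2/mod_encoding.so
LoadModule headers_module libexec/apache2/mod_headers.so
LoadModule bonjour_module libexec/apache2/mod_bonjour.so
"""

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+\S+", re.MULTILINE)

# Identifiers apple_userdir_module and bonjour_module are assumed; the rules
# are the ones the documentation lists.
MUTUALLY_EXCLUSIVE = [
    ("auth_digest_module", "digest_module"),
    ("userdir_module", "apple_userdir_module"),
]
REQUIRES = {
    "proxy_connect_module": ["proxy_module"],
    "proxy_ftp_module": ["proxy_module"],
    "proxy_http_module": ["proxy_module"],
    "proxy_ajp_module": ["proxy_module"],
    "proxy_balancer_module": ["proxy_module"],
    "dav_svn_module": ["dav_module", "dav_fs_module"],
    "encoding_module": ["headers_module", "dav_module", "dav_fs_module"],
    "mem_cache_module": ["cache_module"],
    "disk_cache_module": ["cache_module"],
}
SAME_STATE = [("dav_module", "dav_fs_module")]
NEEDS_ANY = {"bonjour_module": ["userdir_module", "apple_userdir_module"]}


def enabled_modules(conf_text):
    """Module identifiers named on uncommented LoadModule lines."""
    return set(LOADMODULE_RE.findall(conf_text))


def check_modules(enabled):
    """Sorted list of rule violations for a set of enabled identifiers;
    an empty list means the set is consistent."""
    problems = []
    for a, b in MUTUALLY_EXCLUSIVE:
        if a in enabled and b in enabled:
            problems.append("%s and %s must never be enabled simultaneously" % (a, b))
    for mod, deps in REQUIRES.items():
        for dep in deps:
            if mod in enabled and dep not in enabled:
                problems.append("%s requires %s" % (mod, dep))
    for a, b in SAME_STATE:
        if (a in enabled) != (b in enabled):
            problems.append("%s and %s should be in the same state" % (a, b))
    for mod, alternatives in NEEDS_ANY.items():
        if mod in enabled and not any(alt in enabled for alt in alternatives):
            problems.append("%s needs one of %s for full functionality"
                            % (mod, ", ".join(alternatives)))
    return sorted(problems)


def check_conf(conf_text):
    """Parse, then check; run over /etc/apache2/httpd.conf before a restart."""
    return check_modules(enabled_modules(conf_text))


if __name__ == "__main__":
    for line in check_conf(SAMPLE_CONF) or ["no module constraint violations"]:
        print(line)
```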

About the mod_encoding module

The open source mod_encoding module adds WebDAV support for non-ASCII file names. To support non-ASCII file names, you must enable mod_encoding and dav_module.

By default, mod_encoding is disabled. The module is installed and configuration directives are present in the Apache config file. These aren’t activated because the LoadModule and AddModule directives that inform Apache about mod_encoding are disabled.

The Apache configuration file contains a specific set of configuration directives that should be sufficient for most needs. To modify directives you must use a text editor and edit the /etc/apache2/httpd.conf file.

mod_encoding supports the following server configuration directives:

EncodingEngine directive

This directive enables and disables mod_encoding. Correct operation of mod_encoding also requires that the special version of mod_dav, mod_dav_encoding, be enabled as well.

Syntax: EncodingEngine [ on | off ]

Default: Off

AddClientEncoding directive

Although WebDAV clients are expected to send data in UTF-8 or any other properly detectable style, some clients send data in non-autodetectable platform-local encoding, thus requiring this directive, which maps encoding names to client types.

This directive specifies encodings expected from each client type. The clients are identified by agent name. The agent name can be specified as a pattern using extended regexp. Never use “.*” for agent name. Instead, use DefaultClientEncoding.

This module uses CoreFoundation’s CFString and supports all encodings supported by it. In general, IANA-registered encoding names are supported.

Syntax: AddClientEncoding agent-name encoding [encoding...]

Default: None

DefaultClientEncoding directive

This directive tells the default set of encodings what to expect from various clients. You don’t need to specify UTF-8 because it is the default.

Syntax: DefaultClientEncoding encoding [encoding...]

Default: UTF-8

NormalizeUsername directive

This directive is introduced to support the behavior of Windows XP when accessing a password-protected resource. Windows XP clients prepend “hostname\” to the real username. Enabling this option strips off the “hostname\” part, so only the “real” username is passed to the authentication module.

Syntax: NormalizeUsername [ on | off ]

Default: Off


About Macintosh-specific web modules

By default, web service includes several Macintosh-specific web modules.

mod_auth_apple

This module provides basic authentication. This is based on Apache’s mod_auth_basic but is modified to use Open Directory rather than local password files.

mod_hfs_apple

This module requires that the folder components of a URL for content on a Mac OS Extended volume match the on-disk case (lowercase or uppercase) exactly; a request with a differently spelled folder is refused. This adds security for case-insensitive volumes, where the file system would otherwise serve the folder under any spelling and bypass folder-level access rules.

mod_auth_digest_apple

This module provides a newer form of digest authentication when possible. This is based on Apache’s mod_auth_digest but is modified to use Open Directory rather than htdigest files. It is disabled by default because it requires that the Open Directory master use Mac OS X v10.6 or later.

mod_digest_apple

This module provides an older form of digest authentication. This is based on Apache’s mod_digest but is modified to use Open Directory rather than htdigest files.

mod_spnego_apple

This module provides Kerberos authentication for Open Directory users using the SPNEGO/Negotiate protocol.

mod_encoding

This module allows WebDAV files to include Japanese characters in their names. Apple customized this open source module and modified the WebDAV module mod_dav.

mod_bonjour

This module allows administrators to control how websites are registered with multicast DNS.

About open source component modules

In addition to the large set of plugin modules distributed with the Apache web server, and the custom plugin modules developed by Apple, web service includes the following open source plugin modules.

mod_jk

This module allows proxied access to Java Servlets and JavaServer Pages through the web server.

This module is disabled by default.

php5_module, also known as libphp5.so

This module enables PHP Hypertext Preprocessor (PHP). You can use PHP to deliver dynamic web content by using a server-side, HTML-embedded scripting language resembling C. Like the other two language modules (mod_python and mod_perl), this module allows scripts to run in Apache’s address space, which is much faster than running them separately as CGIs. The trade-off is that a flaw in any such script is a flaw inside the httpd process itself.

This module is disabled by default but is enabled when you enable Webmail in the Server app.

For more information about this module, see www.php.net/.

mod_perl

This module integrates the Perl interpreter into the web server, letting existing Perl CGI scripts run without modification. Thisintegration means that the scripts run faster and consume fewer system resources.

This module is disabled by default.

For more information about this module, see perl.apache.org/.

mod_encoding


This module adds WebDAV support for non-ASCII file names.

This module is disabled by default.

For more information about mod_encoding, see About the mod_encoding module.

mod_xsendfile

This module is a small Apache2 module that processes X-SENDFILE headers registered by the original output handler. If it encounters such a header, it discards all output and sends the file specified by that header instead, using Apache internals and including all optimizations like caching headers and sendfile or mmap if configured. It is useful for processing script output of PHP, Perl, or other CGI programs. Because the header makes Apache send any file the httpd process can read, scripts that set it must validate the path they name; the module’s XSendFilePath directive restricts which folders may be served this way.

This module is disabled by default, but is enabled when Wiki starts.

For additional information about mod_xsendfile, download a version and read the additional documentation provided in the source distribution from tn123.org/mod_xsendfile/.

mod_python

This module allows you to write web-based applications in Python that run much faster than traditional CGI scripts. It also provides the ability to retain database connections and other data between hits, and access to Apache internals.

For additional information about mod_python, download your own version and read the additional documentation provided in the source distribution from www.modpython.org/.

About wiki service

Wiki service lets you host content-rich websites that users can easily edit in their web browsers. Wiki service is a standalone service that doesn’t require web service.

Wiki service hosts web clients for Podcast service. Turn on Podcast service, and the wiki service turns on a web client for it.

When users connect to the wiki server, they can create wikis, which can include user-created pages, uploaded files, a blog, and a calendar. All users have personal websites called My Page, which they can use to create pages and blog posts, and upload files.

Users set access permissions for their own wikis, and for their pages and files in My Page. Users can give access privileges to other users and groups on your network server or other connected network servers.

In the Server app, you can choose which users are allowed to create wikis.

For information about working with wikis, pages, files, and calendars, see Wiki Help. To access Wiki Help from any wiki page, choose Help from the Action pop-up menu.

RELATED TOPICS

Host wikis on your server

Choose group services

Share information using wikis

When you turn on wiki service, you can use wikis to easily share information with your friends, family, and coworkers.

A wiki is a collection of pages and files that a group of people can view and add to. Traditional websites have webmasters and content producers who create content for others to view. When you create a wiki, you choose who can create and edit content. You can use wikis as an intranet for your organization or team, an information hub for a community group, or as a place to share information with your family and friends.

Wikis can be viewed in any web browser, and on iOS devices such as iPad, iPhone, and iPod touch. You can create and edit wiki content on your computer using any web browser that supports modern web technologies.


With a few clicks, you can create wikis, choose who can view and edit them, and create and edit wiki pages.

Configure wiki service

In the Server app, you can set up your server to host wikis.

You can allow all users in your directory and connected directories to create wikis or you can restrict wiki creation. Users who create wikis can set access privileges, including who's allowed to own, edit, or just view their wikis.

1. In the Wiki pane of the Server app, choose an option from the "Wikis can be created by" pop-up menu.

To allow all users in your local directory, on your network server, and on connected network servers to create wikis, choose "all users" from the "Wikis can be created by" pop-up menu. Click the On/Off switch next to Wiki to turn on the service, and you're done.

To restrict who can create wikis, choose "only some users," and continue following this task.

2. If you chose "only some users," use the dialog to give or remove access for users and groups.

Give access to a user or group: Click the Add button. Enter the name of a user or group in the new entry that appears. As you type, the Server app searches for a matching user or group. If the user or group you want to give access to appears, select the name from the list.

Remove access from a user or group: Select a user or group and click the Remove button.

3. Click OK.

4. If wiki service isn’t turned on, click the On/Off switch next to Wiki to turn on the service.

Create a wiki

1. If you're not logged in to the wiki server, click the Log In button, enter your user name and password, and then click Log In.

2. Click the Create pop-up menu and choose New Wiki.

3. In the "Create a new wiki" dialog, enter a name for the wiki and a description.

You can later change the name of the wiki. The description is shown when users click the Info button next to the wiki's name in the Wikis page.

4. Click Upload Image, and then select an image that represents the wiki.

The icon is shown next to the wiki name, and in the Wikis page. The image you upload is resized and stretched. Choose a 48 by 48 pixel image if you don't want the image to change.

5. Click Next.

6. In the "Set wiki access" dialog, give people or groups access to the wiki by entering their names in the field above the list of users and groups. As you type, the wiki server searches for matching names. Click a name to add it to the access list.

7. Use the pop-up menus to change access permissions associated with each person or group.

Here are the options you can choose:

Owner: Can change wiki settings, and read and write content.

Read & write: Can read and write content.

Read: Can read content.

No access: Can't read or write content. By default, anyone not in the access list has no access.

8. Click Create.

Create a wiki page

1. While viewing a wiki, click the Create pop-up menu, and then choose "New Page in 'wiki name.'"

If "New Page in 'wiki name'" doesn't appear, you don't have permission to create pages in the wiki you're viewing. If you're viewing one of your My Page pages, instead of "New Page in 'wiki name'," a "New Page in My Documents" link appears. Click this link to create a standalone document.

2. Enter the name of the page, and then click Add.

Edit a wiki page

1. If you're not logged in to the wiki server, click the Log In button, enter your user name and password, and then click Log In.

2. If you're viewing a blog and not a single blog post, click the title of a blog post to view it.

You can't edit a blog post while viewing the entire blog.

3. While viewing the wiki page or blog post you want to edit, click the Edit button in the navigation toolbar.

If you don't have permission to edit the wiki page or blog post, the Edit button is deactivated.

After you click the Edit button, the editing toolbar replaces the navigation toolbar.

4. To change the page's title, click the page's title and edit it.

5. Enter text in the body of the wiki page or blog post, and use the editing toolbar.

The editing toolbar includes the following:

Insert a file.

Insert a picture.

Insert a movie or audio file.

Insert a table.

Insert a block of HTML, in which you can embed elements of other sites, like YouTube.

Change the paragraph style for the paragraph the pointer is in.

Change the text style for the selected text.

Insert a link to another wiki page or blog post, or to another website.

Change alignment for the selected paragraphs to left, center, right, or justified.

Change whether selected paragraphs are a bulleted or numbered list.

Indent or outdent the selected paragraph or list item.

Cancel all editing changes.

Save all editing changes.

6. When you finish editing the page, click the Save button.

Host wikis on your server

In the Server app, you can set up your server to host wikis.

You can allow all users in your directory and connected directories to create wikis or you can restrict wiki creation. Users who create wikis can set access privileges, including who’s allowed to own, edit, or view their wikis. They can grant access privileges to users in your local directory, on your network server, and on connected network servers.

1. In the Wiki pane of the Server app, choose an option from the "Wikis can be created by" pop-up menu.

To allow all users in your local directory, on your network server, and on connected network servers to create wikis, choose "all users" from the "Wikis can be created by" pop-up menu. Click the On/Off switch next to Wiki to turn on the service, and you're done.

To restrict who can create wikis, choose "only some users," and continue following this task.

2. If you chose "only some users," use the dialog to give or remove access for users and groups.

Give access to a user or group: Click the Add button. Enter the name of a user or group in the new entry that appears. As you type, the Server app searches for a matching user or group. If the user or group you want to give access to appears, select the name from the list.

Remove access from a user or group: Select a user or group and click the Remove button.

3. Click OK.

4. If wiki service isn’t turned on, click the On/Off switch next to Wiki to turn on the service.

RELATED TOPICS

About wiki service

Choose group services

Configure wiki authentication settings

You can change wiki authentication settings such as the redirect path, security requirements, login expiration, and type of authentication used.

You can change wiki authentication settings by editing /etc/collabd/webauthd.plist.

Redirect path

When a user tries to view a wiki page with restricted access and hasn't logged in yet, the user is asked to log in and the page loads after login. If the user goes directly to http://wikiserverurl/auth, the user is asked to log in and, after logging in, is redirected to the path you set.

Change the redirect path by editing this key:

default_redirect_url_path (default /wiki): Change /wiki to the location under http://wikiserverurl/ you want to send users to.

Security requirements

Wiki service includes several security options.

The security_requires list includes these options:

security_requires (default: same_host, web_scheme, whitelist_only): The list can contain any of logout_requires_token, same_host, web_scheme, and whitelist_only.

You can enable any or all of the following options by adding them to the security_requires list:

logout_requires_token: To log out, the wiki needs to provide a logout_token with a value that is a hash of the user's unique identifier with a shared secret. This stops another website from logging your users out by linking to the logout URL.

same_host: Requires that the redirect goes to the same host that the login or logout request came from.

web_scheme: Requires that the redirect can only go to http:// or https:// URLs, which blocks javascript: and other scheme-based redirects.

whitelist_only: Requires that the redirect can only go to a list of top-level URLs defined in /etc/collabd/redirect_whitelist.plist.

The three redirect options are what keep the login page from being used as an open redirect; remove one only if you understand what that allows.
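The checks the same_host, web_scheme, whitelist_only, and logout_requires_token options describe, as an added Python illustration (not the collabd or webauthd implementation). The whitelist below stands in for the contents of /etc/collabd/redirect_whitelist.plist, and the token is computed as an HMAC-SHA256 because the page only says “a hash of the user’s unique identifier with a shared secret” without naming the algorithm; both are assumptions.

```python
"""Validate post-login redirects and logout tokens per security_requires.
Added illustration, not Apple's code; whitelist and token algorithm assumed."""
import hashlib
import hmac
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the top-level URLs in redirect_whitelist.plist.
# Each prefix ends in "/", so wiki.example.com.evil.net cannot match it.
REDIRECT_WHITELIST = ("https://wiki.example.com/", "https://intranet.example.com/")


def redirect_allowed(redirect_url, request_host, security_requires,
                     whitelist=REDIRECT_WHITELIST):
    """Return (allowed, reason). A relative path such as /wiki is resolved
    against the host the login request came from before the checks run."""
    absolute = urljoin("https://%s/" % request_host, redirect_url)
    parts = urlsplit(absolute)
    if "web_scheme" in security_requires and parts.scheme not in ("http", "https"):
        return False, "scheme %r is not http or https" % parts.scheme
    if "same_host" in security_requires and parts.hostname != request_host.lower():
        return False, "redirect leaves host %s" % request_host
    if "whitelist_only" in security_requires and not any(
            absolute.startswith(prefix) for prefix in whitelist):
        return False, "redirect target is not in the whitelist"
    return True, ""


def logout_token(user_guid, shared_secret):
    """HMAC-SHA256 of the user's unique identifier under the shared secret
    (algorithm assumed; the page says only 'a hash ... with a shared secret')."""
    return hmac.new(shared_secret.encode(), user_guid.encode(),
                    hashlib.sha256).hexdigest()


def logout_allowed(presented_token, user_guid, shared_secret):
    """Constant-time comparison, so a forged token cannot be matched byte by byte."""
    return hmac.compare_digest(presented_token, logout_token(user_guid, shared_secret))


if __name__ == "__main__":
    host = "wiki.example.com"
    opts = ("same_host", "web_scheme", "whitelist_only")
    for target in ("/wiki", "//evil.example.net/", "javascript:alert(1)"):
        print(target, redirect_allowed(target, host, opts))
```

The protocol-relative form //evil.example.net/ is the case most hand-written checks miss: it has no scheme, so web_scheme alone passes it, and only same_host or whitelist_only catches it after resolution.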

Login expiration

Several settings are related to how long users stay logged in before being logged out. When users log in, they're presented with a Remember Me checkbox, which when selected can save the user's login credentials for a customizable period of time. If users clear the browser's cookies, their login credential timers are reset.

Change login expiration settings by editing these keys:

loginExpirySeconds (default 1209600): Set this to how long a user stays logged in if the user selects the Remember Me checkbox. The default is 2 weeks (entered in seconds).

forgetMeExpirySeconds (default 86399): Set this to how long a user stays logged in if the user doesn't select the Remember Me checkbox. The default is one second short of 24 hours (entered in seconds).

enableRememberMe (default true): Set this to true to enable the Remember Me checkbox. Set this to false to disable the Remember Me checkbox.

rememberOnByDefault (default true): Set this to true to select the Remember Me checkbox by default. Set this to false to deselect the Remember Me checkbox by default, so that sessions on shared computers expire after forgetMeExpirySeconds unless the user opts in.

Authentication

You can choose what kind of authentication is used by editing this key:

authenticator (default digest): You can set this to digest or plaintext.

Digest authentication is more secure than plaintext authentication: with plaintext, the password travels in the clear unless the wiki is served over SSL.

Configure wiki service settings

You can change wiki service settings by editing plist files.

You can change the following settings by editing /etc/collabd/collabcored.plist:

collabd_url (default http://localhost:4444/): Set this to the server running collabd.

webauth_url (default http://localhost:8086/auth): Set this to the server running webauth.

use_inline_webauth (default true): Set this to true to use an inline dialog for authentication. Set this to false to redirect the browser to the webauth URL.

use_sandbox_server (default true): Set this to true to use a sandbox server. Set this to false to bypass the sandbox server. Setting this to false is a security risk due to XSS issues.

sandbox_path (default /cc-sandbox): Set this to the location of sandbox downloads.

quicklook_conf_path (default /etc/collabd/quicklook.plist): This plist file lists all file extensions users can use the Quick Look feature on.

disable_people_view (default false): Set this to true to disable the People page in the wiki. Set this to false to enable the People page in the wiki.

disable_projects_view (default false): Set this to true to disable the Wikis page in the wiki. Set this to false to enable the Wikis page in the wiki.

max_attachment_file_size (default 524288000): Set this to the number of bytes allowed for uploaded files and media. The default is 500 MB (in bytes).

You can change the following settings by editing /etc/collabd/collabd.plist:

LogFilePath (default /var/log/collabd/collabd.log): Set this to where collabd writes its log.

LogLevel (default warning): Set this to the level of items being logged. You can set this to any of the following: emergency, alert, critical, error, warning, notice, info, debug. Setting this to debug provides the most information, but it can use a lot of hard disk space.

FileDataPath (default /Library/Server/Wiki/FileData): Set this to where uploaded files are stored. This path must be readable and writable by the _teamsserver user and readable by the _www user.

FiltersEnabled (default true): Set this to true to filter potentially malicious HTML. Set this to false to allow use of all HTML. Allowing all HTML is a large security risk, because anyone who can edit a page can then inject script that runs in every reader’s browser.

AutolinkEnabled (default true): Set this to true to link URLs in wiki pages. Set this to false to disable automatic linking.

Provide a Time Machine destination

Time Machine service offers a backup destination on your server to Time Machine users. Use the Time Machine pane of the Server app to make server disk space available for backing up users’ computers, or to change the disk used for storing user backups.

Time Machine service is available to users with Mac OS X Lion, Snow Leopard, and Leopard. Mac OS X Lion and Snow Leopard users who haven’t selected a backup disk in the Time Machine pane of System Preferences are automatically asked whether they want to use the server as a storage location. Other users need to open the Time Machine pane of System Preferences and change the backup disk.

1. In the Server app sidebar, select Time Machine.

2. Click the On/Off switch to turn on Time Machine service.

3. Select a disk to use as the destination for users’ backups, and then click Use for Backup.

Time Machine service creates the Backups shared folder on the disk you select.


4. To choose a different disk as the backup destination, click Edit.

If you turn on Time Machine service when file sharing service is off, file sharing service turns on automatically.

If you change the backup disk, users’ Time Machine preferences that were set to use the server for backup storage will automatically begin using the Backups folder in its new location.

After selecting a different backup disk, advise users that their first backup will take longer because it’s a full backup. Time Machine service doesn’t copy users’ backup data from the old Backups folder to the new Backups folder.

You can control each user’s access to the server’s Time Machine backup storage in the Users pane of the Server app.

RELATED TOPIC

Control a user’s access to services

Hardware administrative services ► Time Machine service

If the server runs out of space for backing up users’ Macs, you can connect another disk to the server and make it the storagelocation in the Time Machine pane of the Server app. Users whose Time Machine preferences were set to use the server forbackup storage will automatically begin using the server’s new backup disk.

After selecting a different backup disk, you should advise users that their first backup will take longer because it’s a full backup. Time Machine service doesn’t copy users’ backup data from the old backup disk to the new backup disk.

RELATED TOPIC

Provide a Time Machine destination

Hardware administrative services ► Software Update

Software Update

Software Update offers you ways to manage Macintosh software updates from Apple on your network. In an uncontrolled environment, users might connect to Apple Software Update servers at any time and update their computers with software that is not approved by your IT group.

Using local Software Update servers, your client computers access only the software updates you permit from software lists that you control, improving your ability to manage computer software updates. For example, you can:

Download software updates from Apple Software Update servers to a local server for sharing with local network clients and reduce the amount of bandwidth used outside your network.

Direct users, groups, and computers to specific local Software Update servers using managed preferences.

Manage the software update packages users can access by enabling and disabling packages at the local server.

Mirror updates between Apple Software Update servers and your server to make sure you have the most current updates.

Note: Software Update does not update software on the server. For information about keeping your server software current, see Server Admin Help.

Note: You can’t use Software Update to provide third-party software updates.

The process that starts Software Update is swupd_syncd. When you start Software Update, it contacts Apple’s Software Update server and requests a list of available software to download locally.

You can copy (store packages locally) and enable (make the packages available to users) any files in the list. You can also limit user bandwidth for updates and choose to automatically copy and enable newer updates from the Apple server.

Note: Software Update stores its configuration information in the /etc/swupd/swupd.conf file.

Catalogs

When Software Update starts, your Software Update server receives a list of available software updates from the Apple Software Update service. Your server synchronizes the contents of the software catalog with Apple’s Software Update server when you restart your server or when you enter the following command:

$ sudo -u _softwareupdate /usr/sbin/swupd_syncd -sync

WARNING: It is not recommended to refresh the service using the swupd_syncd daemon directly. Doing so can change the file permissions of downloaded updates, making future sync operations fail. If you must sync using swupd_syncd directly, use the -u option with the _softwareupdate user name to prevent the changing of file permissions.

To manually update the catalog, select the Refresh button in the Updates pane of Software Update settings.

Changes in the Apple published catalog are immediately reflected on your local server. Deprecated software packages are disabled when a replacement package for that update is enabled. An administrator can disable the new software package and continue offering the deprecated package.

Installation packages

Software Update supports pkm.en and .tar file types, recognized only by Mac OS X v10.4 and later. As you copy updates on your server, your server downloads and stores update packages in the /var/db/swupd/ folder.

This path can be modified to store the packages in an alternate location.

Note: Lion Server supports only Apple-specific software packages for use with your update server. Modified Apple and third-party update software packages cannot be shared.

After packages are copied locally, you can enable them for users to update their software. Mac clients running Software Update see only enabled packages in the list of available software for their computer.

Deprecated software packages are disabled when a replacement package for that update is enabled. An administrator can disable the new software package and continue offering the deprecated package.

Stay up-to-date with the Apple Server

To keep your service synchronized with the most current information, your Software Update server must always remain in contact with the Apple server. Software Update service regularly checks with Apple Software Update to update usage information and send lists of newly available software to the updates catalog on your server as they become available.

The Apple Software Update server executes the swupd_syncd synchronization daemon to make sure the latest update packages are available. The scheduled execution of swupd_syncd is controlled by launchd by means of the StartCalendarInterval setting at /System/Library/LaunchDaemons/com.apple.swupdate.sync.plist.

Limit user bandwidth

Software Update lets you limit the bandwidth that client computers can use when downloading software updates from your Software Update server.

Setting a limit on the bandwidth enables you to control traffic on your network and prevents Software Update clients from slowing the network. For example, if you limit the bandwidth to 56 Kbps, each software update client can download updates at 56 Kbps. If five clients connect simultaneously to the server, the total bandwidth used by the clients will be 280 Kbps (56 Kbps x 5).

Limit Software Update server bandwidth

A new feature in Lion Server Software Update server is syncBandwidth. This feature can be used to limit the server's bandwidth back to Apple. Similar to the user bandwidth limit setting, its value is expressed in KBytes/second (for example, 1024 = 1048576 Bytes/second).

Setting a limit on the server's bandwidth enables you to minimize the impact of the Software Update server on your organization's limited external bandwidth.

Revoked files

On a rare occasion Apple might provide a software update and want to revoke or deprecate a package from circulation.

If Apple revokes the update package, the package is removed from your catalog and stored packages, making it unavailable to clients.

If Apple deprecates a software package and provides a replacement package, the older software package is disabled, making it unavailable to clients. The package remains in your catalog and stored packages until you remove it.

An administrator can disable the new software package and continue offering the deprecated package.

Software Update package format

You can’t make your own Software Update packages. For security considerations and to protect from attackers faking packages, the Software Update package installer won’t install a package unless it is signed by Apple.


In addition, Software Update works only with the package format supported in Mac OS X Server v10.4 or later.

Log files

The log files for Software Update are located in the /var/log/swupd/ folder. The log files record Software Update events as they occur.

The log files for Software Update include the following:

swupd_syncd_log: logs the swupd_syncd daemon

swupd_error_log: reports messages from the httpd daemon controlled by Software Update

swupd_access_log: reports messages from the httpd daemon controlled by Software Update

The logs can be viewed in Server Admin in the Software Update Logs panel or using the Console application located in the /Applications/Utilities/ folder.

Collected information

The Apple Software Update server collects the following information from client Software Update servers:

Language

Type

Browser

Hardware administrative services ► Software Update

Tools for managing Software Update

The Workgroup Manager and Server Admin applications provide a graphical interface for managing Software Update in Lion Server. In addition, you can manage Software Update from the command line by using Terminal.

Server Admin

Server Admin provides access to tools you use to set up, manage, and monitor Windows services and other services. You use Server Admin to:

Set up Mac OS X Server as a Software Update server. For instructions, see Configure Software Update general settings.

Manage and monitor Software Update service.

For more information about using Server Admin, see Server Admin Help:

Opening and authenticating in Server Admin

Working with specific servers

Administering services

Using SSL for remote server administration

Server Admin is installed in /Applications/Server/.

Workgroup Manager

Workgroup Manager provides comprehensive management of clients of Mac OS X Server. You use Workgroup Manager to set preferences by user, group, or computer to access your Software Update server. For more information about how to configure managed preferences for the Software Update server, see Workgroup Manager Help.

For information about using Workgroup Manager, see Workgroup Manager Help. This includes:

Opening and authenticating in Workgroup Manager

Administering accounts

Customizing the Workgroup Manager environment

Workgroup Manager is installed in /Applications/Server/.

Command-line tools

A full range of command-line tools is available for administrators who prefer to use command-driven server administration. For remote server management, submit commands in a secure shell (SSH) session. You can enter commands using the Terminal application, located in the /Applications/Utilities/ folder.

Hardware administrative services ► Software Update ► Set up Software Update

Software Update set up overview

Here is an overview of the basic steps for configuring your Software Update server. This includes setting up Software Update service, configuring client computer access to the server, and testing.

Evaluate and update your network, servers, and client computers as necessary

The number of client computers you can support using Software Update is determined by the number of servers you have, how they’re configured, hard disk storage capacity, and other factors. See Considerations and requirements.

Depending on the results of this evaluation, you might want to add servers or hard disks, add Ethernet ports, or make other changes to your servers.

For your client computers to use the local Software Update service, you must update them to Mac OS X v10.4 or later.

Create your Software Update service plan

Decide which users will access Software Update.

You might have groups who need unlimited access while others might need a more limited choice of software updates. Such a plan requires more than one Software Update server with client computers bound using directory services to manage user preferences.

Configure the Software Update server

Decide how to copy and enable software updates from Apple: automatically or manually. Set the maximum bandwidth you want a single computer to use when downloading update packages from your server. See Configure Software Update general settings.

Start Software Update

Your server synchronizes with the Apple Software Update server by requesting a catalog of available updates. If you chose to automatically copy updates, your server will download all available software update packages. See Start Software Update.

(Optional) Manually copy and enable selected packages

If you do not choose to automatically copy and enable all Apple software updates, you must manually select software update packages to copy and enable. See Copy and enable selected updates from Apple.

Set up client computers to use the correct Software Update server

Set preferences in Workgroup Manager by user, group, or computer to access your Software Update server. For more information about how to configure managed preferences for the Software Update server, see Workgroup Manager Help.

Test your Software Update server setup

Test Software Update by requesting software updates from the server using a client bound to preferences you set in Workgroup Manager. Make sure the packages are accessible to your users.

Hardware administrative services ► Software Update ► Set up Software Update

Considerations and requirements

Before you set up Software Update on your server, you must be familiar with your network configuration and you must meet the following requirements:

You’re the server administrator.

You’re familiar with network setup.

You might also need to work with your networking staff to change network topologies, switches, routers, and other network settings.

Client computer requirements

Macintosh computers running Mac OS X v10.5 or later that are networked to a server running Mac OS X Server v10.5 or later can use Software Update to update Apple software.

Network hardware requirements

The type of network connections to use depends on the number of clients you expect to serve software updates to:

To provide regular updates to fewer than 10 clients, use 100-Mbit Ethernet.

To provide regular updates to 10–50 clients, use 100-Mbit switched Ethernet.

To provide regular updates to more than 50 clients, use Gigabit Ethernet.

These are estimates for the number of clients supported.

Note: In Lion Server, Software Update operates across all network interfaces that TCP/IP is configured for.

Capacity planning

The number of client computers your server can support when accessing Software Update depends on how your server is configured, when and how often your clients check for updates, the size of the updates, and a number of other factors.

When planning for your server and network needs, consider these main factors:

Ethernet speed: 100Base-T or faster connections are required for client computers and the server. As you add clients, you might need to increase the speed of the Ethernet connections of your server.

Ideally you want to take advantage of the Gigabit Ethernet capacity built into your Mac server hardware to connect to a Gigabit switch. From the switch, connect Gigabit Ethernet or 100-Mbit Ethernet to each Macintosh client.

Hard disk capacity and number of packages: Software Update packages can occupy considerable hard disk space on server volumes, depending on the size and configuration of the package and the number of packages being stored.

Number of Ethernet ports on the switch: Distributing Macintosh clients over multiple Ethernet ports on your switch offers a performance advantage. Each port must serve a distinct segment.

Number of Software Update servers on the network: You might want to provide different software updates to various groups of users. By configuring directory services you can offer different update services by network or hardware type, each targeting a different Software Update server on the network.

Note: You can’t configure Software Update servers to talk to one another.

Software Update storage

Software updates can easily take a large amount of disk space over time and cause problems with system resources. In a production environment, it is important to prevent the system disk from becoming full and causing instability.

To eliminate the possibility of software updates filling a volume, system administrators normally limit the type of data being stored on the root partition and place data that could grow substantially in size on other partitions. For example, you could use an Xserve RAID to store software updates.

By default, software updates are stored in the /var/db/swupd/ folder. To store software updates in another location, choose a different partition or volume in the Software Update General settings pane.

Consider which Software Update packages to offer

Before you set up Software Update, consider whether to provide all or only part of Apple’s software updates. Your client computers might run application software that requires a specific version of Apple software for the application to operate correctly.

You can configure your Software Update server to serve only Software Update packages you approve. Restricting access to update packages might help prevent maintenance and compatibility problems with your computers.

You can restrict client access in a Software Update server by disabling automatic mirror-and-enable functions in the General Settings pane. You manage specific updates in the Updates pane of the Software Update server.

Organize your enterprise client computers

You might have individuals, groups, or groups of computers with common needs for only a few software update packages, while others might need unrestricted access to all software updates.

To provide varied access to software update packages, you must set up multiple Software Update servers. Use managed preferences to configure these computers to access a specific Software Update server.

For more information about how to configure managed preferences for the Software Update server, see Workgroup Manager Help.


Hardware administrative services ► Software Update ► Set up Software Update

Modify existing Software Update storage

Storing software updates can take up large amounts of disk space. You can prevent the overloading of your disk by changing the default storage location of software updates from the /var/db/swupd/ folder to a partition or volume with a larger capacity.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Software Update.

4. If Software Update is started, click the Stop Software Update button.

5. Click General.

6. Click Choose and select the location to store downloaded software updates.

7. Click Save.

8. (Optionally) If software updates were previously downloaded, use Terminal to copy the default software update folder to the new location:

$ sudo cp -Rp /private/var/db/swupd/html /Volumes/My_Volume/My_Software_Updates_Folder/

9. Click the Start Software Update button to confirm the operation.

10. (Optionally) Use Terminal to delete the previous storage location to reclaim startup volume space:

$ sudo rm -rf /private/var/db/swupd/html
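Steps 8 and 10 above delete the old store after copying it; the following shell function, an added example and not part of Apple's documentation, performs the copy with -Rp (a directory needs -R), then verifies that every file arrived with identical contents before the old location is removed. The paths are the page's defaults plus a placeholder destination volume; run it with Software Update stopped, as in the procedure.

```shell
#!/bin/sh
# Added example: relocate the Software Update package store safely.
# Source is the page's default /private/var/db/swupd/html; the destination
# (/Volumes/My_Volume/My_Software_Updates_Folder) is a placeholder volume.

# Compare two directory trees: same relative file list and same contents.
# Returns 0 when they match, 1 otherwise. Both trees must exist.
verify_tree_copy() {
    src=$1
    dst=$2
    [ -d "$src" ] && [ -d "$dst" ] || return 1
    # cksum of every regular file, keyed by path relative to the tree root,
    # sorted so both listings line up for a plain string comparison.
    src_sum=$(cd "$src" && find . -type f -exec cksum {} \; | sort)
    dst_sum=$(cd "$dst" && find . -type f -exec cksum {} \; | sort)
    [ "$src_sum" = "$dst_sum" ]
}

# Copy SRC (the html folder) into DEST, preserving modes and ownership (-p)
# and recursing (-R), then verify. The old tree is removed only after the
# copy verifies, so a partial copy never costs you the downloaded packages.
migrate_swupd_store() {
    src=$1
    dest=$2
    [ -d "$src" ] || { echo "source $src is not a directory" >&2; return 2; }
    mkdir -p "$dest" || return 2
    # -p keeps the permissions that swupd_syncd expects on the packages.
    cp -Rp "$src" "$dest"/ || return 2
    base=$(basename "$src")
    if verify_tree_copy "$src" "$dest/$base"; then
        rm -rf "$src"
        return 0
    fi
    echo "copy of $src to $dest/$base did not verify; old store kept" >&2
    return 1
}

# Usage on the server (requires root, as in the page's commands):
#   sudo sh -c '. ./migrate.sh; migrate_swupd_store /private/var/db/swupd/html /Volumes/My_Volume/My_Software_Updates_Folder'
```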

Hardware administrative services ► Software Update ► Set up Software Update

Turn on Software Update

Before you can configure Software Update settings, you must turn on Software Update in Server Admin.

1. Open Server Admin and connect to the server.

2. Click Settings.

3. Click Services.

4. Select the Software Update checkbox.

5. Click Save.

Hardware administrative services ► Software Update ► Set up Software Update

Configure Software Update general settings

You can use the General settings to set system update copy and enable settings, to remove obsolete updates, and to limit user bandwidth.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Software Update.

4. Click Settings.


5. To limit client user bandwidth, select “Limit user bandwidth for updates to” and enter the maximum rate of update bandwidth per user.

6. From the pop-up menu, choose KB/second or MB/second.

7. Click Choose and select where the Software Update catalog and downloads will be stored.

The default location is /var/db/swupd/.

8. To specify a port that software updates are provided through, enter a port number in the “Provide updates using port” field.

9. To keep a copy of the software updates on your server, select “Copy __ updates from Apple” and choose from the following options.

If you want all updates copied from the Apple update server, choose “all” in the pop-up menu.

If you want only new updates copied from the Apple update server, choose “all new” in the pop-up menu.

10. To immediately enable all software updates for client users, select “Automatically enable copied updates.”

Enabling this feature retrieves all Apple published catalog updates and disables deprecated software packages that have a replacement package available. An administrator can disable the new software package and continue offering the deprecated package.

If this feature is not selected and an administrator manually enables updates, disabling of deprecated software packages is performed as individual replacement packages are enabled.

11. To remove obsolete software updates from the Software Update storage location, select the “Delete outdated software update packages” checkbox.

Enabling this feature does not remove obsolete or deprecated software updates from the local Software Update catalog.

12. Click Save.

Hardware administrative services ► Software Update ► Set up Software Update

Configure Updates settings

You can use Updates settings to refresh the software update catalog, to copy and enable individual updates, and to view specific update information.

Downloading Apple updates disables deprecated software packages that have a replacement package available. An administrator can disable the new software package and continue offering the deprecated package.

To configure Updates settings

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Software Update.

4. Click Updates.

5. Click the Refresh button to synchronize with the Apple server.

An unscheduled synchronization does not change or delay the next scheduled synchronization operation, which occurs every 24 hours at 03:00 (local time) by default.

An administrator can change the scheduled synchronization time by modifying the StartCalendarInterval > Hour value at /System/Library/LaunchDaemons/com.apple.swupdate.sync.plist. To restore default launchd settings, remove the com.apple.swupdate.sync.plist file and restart Software Update.

6. Click Copy Now to copy software updates to your server.

7. Select the checkbox in the Enable column for each update you want to make available to client computers.

The Enable column is disabled if the “Automatically enable copied updates” checkbox is selected. To manually enable or disable updates, deselect this checkbox in the Settings pane.


8. Click Save.

Hardware administrative services ► Software Update ► Set up Software Update

Start Software Update

Use Server Admin to start Software Update.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Software Update.

4. Click the Start Software Update button (below the Servers list).

Hardware administrative services ► Software Update ► Set up Software Update

Redirect your Software Update server

To load-balance the distribution of Software Update across multiple Software Update servers or to conserve bandwidth to the Internet, you can change the /etc/swupd/swupd.plist file to redirect where your Software Update server obtains software updates.

By redirecting your Software Update server, you can have multiple Software Update servers on your private network. However, only one Software Update server needs access outside your private intranet to obtain software updates from the Apple Software Update server. Then each additional server can access the internal server to obtain the software updates.

1. On the internal Software Update server, open Terminal.

2. Enter the following command:

$ sudo vi /etc/swupd/swupd.plist

3. Locate the following metaIndexURL key:

...<key>metaIndexURL</key><string>http://swscan.apple.com/content/meta/mirror-config-1.plist</string>

4. Change the URL in the tags <string></string> to the location of your selected Software Update server.

For example:

<key>metaIndexURL</key><string>http://myserver.example.com:8088/catalogs.sucatalog</string>

5. Save the changes and exit Terminal.
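Editing swupd.plist by hand in vi leaves no backup and no check on what was typed into the string. The shell functions below, an added example rather than anything from Apple, read and rewrite the metaIndexURL value with a timestamped backup and a sanity check on the new URL; the plist path is a parameter so the change can be rehearsed on a copy. The server name myserver.example.com:8088 is the page's own placeholder.

```shell
#!/bin/sh
# Added example: redirect a Software Update server by rewriting the
# metaIndexURL <string> in /etc/swupd/swupd.plist (path passed as $1).

# Accept only absolute http:// or https:// URLs with a host part, no
# whitespace and no XML-significant characters, so a typo or a stray
# character cannot leave swupd_syncd pointed at an unparseable value.
valid_mirror_url() {
    case $1 in
        http://[!/]*|https://[!/]*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *[[:space:]]*|*'&'*|*'<'*|*'>'*) return 1 ;;
    esac
    return 0
}

# Print the current metaIndexURL value. The <string> may follow the <key>
# on the same line (as the page shows it) or on the next line, as plist
# tools write it either way.
get_meta_index_url() {
    awk '
        index($0, "<key>metaIndexURL</key>") { want = 1 }
        want && match($0, "<string>[^<]*</string>") {
            print substr($0, RSTART + 8, RLENGTH - 17)
            exit
        }
    ' "$1"
}

# Replace the metaIndexURL value in plist $1 with URL $2.
# Refuses a missing file, a bad URL or a plist without the key; keeps a
# dated backup beside the file and rewrites it in place (same inode, so
# ownership and mode are preserved).
set_meta_index_url() {
    plist=$1
    newurl=$2
    [ -f "$plist" ] || { echo "$plist: no such file" >&2; return 2; }
    valid_mirror_url "$newurl" || { echo "rejected URL: $newurl" >&2; return 2; }
    get_meta_index_url "$plist" | grep -q . || { echo "metaIndexURL key not found in $plist" >&2; return 2; }
    backup="$plist.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$plist" "$backup" || return 2
    tmp="$plist.tmp.$$"
    awk -v url="$newurl" '
        index($0, "<key>metaIndexURL</key>") { want = 1 }
        want && match($0, "<string>[^<]*</string>") {
            $0 = substr($0, 1, RSTART - 1) "<string>" url "</string>" substr($0, RSTART + RLENGTH)
            want = 0
        }
        { print }
    ' "$plist" > "$tmp" && cat "$tmp" > "$plist"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on the internal server (as root, then restart Software Update):
#   set_meta_index_url /etc/swupd/swupd.plist http://myserver.example.com:8088/catalogs.sucatalog
```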

Hardware administrative services ► Software Update ► Set up Software Update

Point unmanaged clients to a Software Update server

Lion Server provides the ability to publish separate catalogs for specific versions of Mac OS X. This allows each client to view only the updates that relate to the operating system installed on that system.

Lion Server supports catalogs for Mac OS X v10.5 or later clients.

If you are not using client management and are using Mac OS X v10.5, you can use the defaults command in Terminal to point unmanaged client computers to a Software Update server. You must be an administrator to use the defaults command.


To point unmanaged clients to a Software Update server

1. Make a backup copy of the /Library/Preferences/com.apple.SoftwareUpdate.plist file, if it exists.

2. On the unmanaged client, open Terminal.

3. Enter the following command:

$ sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL URL

Replace URL with the URL of the Software Update server, including the port number and the name of the catalog file for the specific version of Mac OS X.

For example, for Mac OS X v10.5:

http://su.domain_name.com:8088/index-leopard.merged-1.sucatalog

You can verify your change using the following command:

$ defaults read /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

To point the unmanaged client computer back to the Apple Software Update server, use the following command:

$ sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

You can revert these changes by replacing the /Library/Preferences/com.apple.SoftwareUpdate.plist file with the backup copy you made in step 1.
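CatalogURL decides where a client fetches its update catalog, so a mistyped or unexpected value is worth catching before it is written and worth auditing afterwards. The following shell functions, an added example and not Apple's code, wrap the procedure above: they check that a URL is an http(s) URL with an explicit port and a .sucatalog path, compare its host:port against a list of approved internal servers, back up the plist as in step 1, and only then run defaults write. The preferences path is the page's; the server names and the allowlist are constructed placeholders, and the SU_DEFAULTS variable exists so the flow can be rehearsed without touching a real client.

```shell
#!/bin/sh
# Added example: point an unmanaged client at an approved Software Update
# server, and audit a CatalogURL against the servers you approve.

# Preference domain from the page (defaults takes the path without .plist).
SU_PREFS=${SU_PREFS:-/Library/Preferences/com.apple.SoftwareUpdate}
# Command used to write the preference; overridable for a dry run on a
# machine without `defaults`.
SU_DEFAULTS=${SU_DEFAULTS:-defaults}

# Print host:port of a catalog URL, or fail if the URL is not a plausible
# http(s) URL with an explicit numeric port and a .sucatalog path.
catalog_url_hostport() {
    case $1 in
        *[[:space:]]*) return 1 ;;
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    rest=${1#*://}          # host:port/path
    hp=${rest%%/*}          # host:port
    path=${rest#*/}         # e.g. index-leopard.merged-1.sucatalog
    port=${hp##*:}
    case $port in
        ''|*[!0-9]*) return 1 ;;   # no port, or a non-numeric one
    esac
    [ -n "${hp%:*}" ] || return 1  # empty host
    case $path in
        *.sucatalog) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$hp"
}

# Approve a URL only when its host:port is in the space-separated
# allowlist $2 (the internal servers you run).
catalog_url_approved() {
    hp=$(catalog_url_hostport "$1") || return 1
    for ok in $2; do
        [ "$hp" = "$ok" ] && return 0
    done
    return 1
}

# Steps 1 and 3 of the procedure: back up the existing plist, then write
# CatalogURL, refusing a URL that is malformed or not on the allowlist.
point_client_to_server() {
    url=$1
    allowed=$2
    catalog_url_approved "$url" "$allowed" || { echo "refusing CatalogURL $url" >&2; return 2; }
    if [ -f "$SU_PREFS.plist" ]; then
        cp -p "$SU_PREFS.plist" "$SU_PREFS.plist.bak" || return 2
    fi
    "$SU_DEFAULTS" write "$SU_PREFS" CatalogURL "$url"
}

# Usage on a client (as root), with the page's example server and catalog:
#   point_client_to_server http://su.domain_name.com:8088/index-leopard.merged-1.sucatalog 'su.domain_name.com:8088'
# Audit of the value already on a client:
#   catalog_url_approved "$(defaults read "$SU_PREFS" CatalogURL)" 'su.domain_name.com:8088' || echo "unexpected CatalogURL"
```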

Hardware administrative services ► Software Update ► Manage Software Update

Manually refresh the updates catalog from the Apple server

Use Server Admin to manually update the updates catalog.

Note: Downloading Apple updates disables deprecated software packages that have a replacement package available. An administrator can disable the new software package and continue offering the deprecated package.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Software Update.

4. Click Updates.

5. Click the Refresh button.

Hardware administrative services ► Software Update ► Manage Software Update

Check the status of Software Update

Use Server Admin to check the status of Software Update.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Software Update.

4. To see whether the service is running, when it started, when it last checked for updates, the number of updates that are copied or enabled, and whether auto-copy and auto-enable are turned on, click Overview.

5. To review the Software Update service log, click Log.


Hardware administrative services ► Software Update ► Manage Software Update

Stop Software Update

Use Server Admin to stop Software Update.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Software Update.

4. Click the Stop Software Update button (below the Servers list).

Hardware administrative services ► Software Update ► Manage Software Update

Limit user bandwidth for Software Update

Use Server Admin to limit user bandwidth.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Software Update.

4. Click General.

5. Select “Limit user bandwidth for updates to.”

6. Enter the maximum rate of update bandwidth per user.

7. From the pop-up menu, choose KB/second or MB/second.

8. Click Save.

Hardware administrative services ► Software Update ► Manage Software Update

Limit Software Update server bandwidth

A new feature in Lion Server Software Update server is syncBandwidth. This feature can be used to limit the Software Update server's bandwidth back to Apple. Similar to the user bandwidth limit setting, its value is expressed in KBytes/second (for example, 1024 = 1048576 Bytes/second).

A value of zero disables the feature and allows syncing to occur at the maximum bandwidth of the server and WAN connection. The syncBandwidth setting can be used to minimize the impact of the Software Update server where organizations have limited external bandwidth.

This setting is not supported in Server Admin, but can be accessed using the serveradmin command-line tool:

To set the Software Update server's bandwidth:

$ sudo serveradmin settings swupdate:syncBandwidth = 1024

Note: This value sets an average rate limit and instantaneous transfer rates may slightly exceed the cap for short durations.

Hardware administrative services ► Software Update ► Manage Software Update

Automatically copy and enable updates from Apple


Use Server Admin to copy and enable software updates automatically from Apple.

Enabling this feature retrieves all Apple published catalog updates and disables deprecated software packages that have a replacement package available. An administrator can disable the new software package and continue offering the deprecated package.

If this feature is not selected and an administrator manually enables updates, disabling of deprecated software packages is performed as individual replacement packages are enabled.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Software Update.

4. Click General.

5. Select “Copy __ updates from Apple” and choose from the pop-up menu:

If you want all updates copied from the Apple update server, choose “all.”

If you want only new updates copied from the Apple update server, choose “all new.”

6. Select “Automatically enable copied updates.”

7. Click Save.

Hardware administrative services ► Software Update ► Manage Software Update

Copy and enable selected updates from Apple

Use Server Admin to copy and enable selected software updates from Apple.

Downloading Apple updates disables deprecated software packages that have a replacement package available. An administrator can disable the new software package and continue offering the deprecated package.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Software Update.

4. Click General.

5. Make sure “Copy __ updates from Apple” is deselected.

6. Make sure “Automatically enable copied updates” is deselected.

7. Click Save.

8. Click Updates.

9. Click Copy Now to copy software updates to your server.

This copies software updates to your server.

10. To enable individual software updates, select the checkbox in the Enable column of the update.

11. Click Save.

Hardware administrative services ► Software Update ► Manage Software Update

Remove obsolete software updates

Use Server Admin to remove obsolete software updates from packages stored on the server. You can configure Software Update to automatically purge obsolete updates.


Enabling this feature does not remove obsolete or deprecated software updates from the local Software Update catalog.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Software Update.

4. Click General.

5. Select the “Delete outdated software update packages” checkbox.

6. Click Save.

Hardware administrative services ► Software Update ► Manage Software Update

Identify individual software update files

Software updates are stored in the /var/db/swupd/ folder by default. Sometimes you might want to locate a specific software update file. Each software update that is copied to the server is stored with product ID numbers for a file name.

To make sure you are selecting the correct software update file, correlate the file name (product ID) with the software update product ID in Server Admin. Each software update lists its product ID below the description field in the Updates Settings pane of Server Admin.

1. Open Server Admin and connect to the server.

2. Click the triangle at the left of the server.

The list of services appears.

3. From the expanded Servers list, select Software Update.

4. Click Updates.

5. Select the software update from the list.

The software update product ID is displayed below the description field.

Hardware administrative services ► Software Update ► Solve Software Update problems

Make sure required services are installed.

Make sure the Software Update packages you enable are meant for the client accessing them.

If you detect poor response from the Software Update server, check the network load. For more information, see Considerations and requirements.

Delete old updates to make space for new ones.

If Software Update update packages aren't visible to client computers

Make sure the packages are enabled in Server Admin.

If the Software Update server won't sync with the Apple server

Make sure the Apple server is accessible.

If a client computer can't access the Software Update server

Make sure the client can access the network.

Make sure the client’s Software Update managed preference points to the Software Update server.

Make sure the Software Update server is running.

Identify individual software update files

General solutions to Software Update problems


Hardware administrative services ► System Image Utility ► Get started

The NetBoot, NetInstall, and NetRestore features of Mac OS X offer you alternatives for managing the operating system and application software that your Macintosh clients (or even other servers) require to start and do their work. Instead of going from computer to computer to install operating system and application software from CDs, you can prepare an installation image that installs on each computer when it starts up. You can also choose to not install software and have client computers start up (or boot) from an image stored on the server. (In some cases, clients don’t even need their own hard disk.)

Using NetBoot and NetInstall, your client computers can start from a standardized Mac OS configuration suited to specific tasks. Because the client computers start from the same image, you can quickly update the operating system for users by updating a single boot image.

NetBoot requires a boot image. NetInstall requires an installation image.

A boot image (.dmg file) is a file that looks and acts like a mountable disk or volume. NetBoot images contain the system software needed to act as a startup disk for client computers over the network.

An installation image (.nbi folder) is an image that starts up the client computer long enough to install software from the image. The client can then start up from its own hard disk.

Boot images and installation images are disk images. The main difference is that a .dmg file is a proper disk image and a .nbi folder is a bootable network volume (which contains a .dmg disk image file). Disk images are files that behave like disk volumes.

You can set up multiple NetBoot or NetInstall images to suit the needs of groups of clients or you can provide copies of the same image on multiple NetBoot servers to distribute the client startup load. You can also use a NetRestore image to quickly restore a volume.

NetBoot service can be used with NetBoot and NetInstall images along with Mac OS X client management services to provide a personalized work environment for each user.

Application for setting up and managing images

You use the following Lion Server applications to set up and manage NetBoot, NetInstall, and NetRestore:

System Image Utility, to create Mac OS X Lion NetBoot, NetInstall, and NetRestore disk images. This utility is installed with Lion Server software in the /Applications/Server/ folder.

Server Admin, to enable and configure NetBoot service and supporting services. You can download Server Admin Tools at http://support.apple.com/downloads/. The Server Admin Tools are installed in the /Applications/Server/ folder.

PackageMaker, to create package files you use to add software to disk images.

Property List Editor, to edit property lists such as NBImageInfo.plist.

Note: To create an image, you must have valid Mac OS X Lion image sources or volumes. You cannot create an image of the startup disk you are running on.
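Building and auditing the NBImageInfo.plist that sits inside each .nbi folder next to its .dmg, as an added example that is not Apple's or System Image Utility's own code. The plist key names, the index convention (1-4095 for an image unique to one server, 4096-65535 for an identical image served from several servers, which is what the multi-server checkbox in the image-creation procedures generates) and the sample share point are assumptions, not taken from this page.

```python
"""Build and audit NetBoot image descriptors (NBImageInfo.plist).

Added example, not Apple's or System Image Utility's code. The plist keys
(Name, Description, Index, IsEnabled, IsDefault, IsInstall, Type, RootPath)
and the index convention (1-4095: image unique to one server; 4096-65535:
identical image served from several servers for load balancing) are
assumptions taken from the NetBoot image format, not stated on this page.
"""
import os
import plistlib
import tempfile

UNIQUE_INDEX_RANGE = range(1, 4096)       # assumed: served by one server only
SHARED_INDEX_RANGE = range(4096, 65536)   # assumed: same image on many servers


def make_image_info(name, description, index, dmg_name, is_install=False):
    """Return the NBImageInfo dictionary for an image served over HTTP."""
    if index not in UNIQUE_INDEX_RANGE and index not in SHARED_INDEX_RANGE:
        raise ValueError("index %r is outside 1-65535" % (index,))
    return {
        "Name": name,                # shown in the clients' Startup Disk pane
        "Description": description,  # administrator notes; clients never see it
        "Index": index,
        "IsEnabled": True,
        "IsDefault": False,
        "IsInstall": is_install,     # True for NetInstall, False for NetBoot
        "Type": "HTTP",
        "RootPath": dmg_name,        # the .dmg inside the .nbi folder
    }


def write_nbi(share_point, folder_name, info, dmg_bytes=b""):
    """Create <share_point>/<folder_name>.nbi holding the plist and its .dmg."""
    nbi = os.path.join(share_point, folder_name + ".nbi")
    os.makedirs(nbi, exist_ok=True)
    with open(os.path.join(nbi, "NBImageInfo.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    with open(os.path.join(nbi, info["RootPath"]), "wb") as fh:
        fh.write(dmg_bytes)          # constructed placeholder, not a real image
    return nbi


def load_image_info(nbi):
    """Read the NBImageInfo.plist of one .nbi folder."""
    with open(os.path.join(nbi, "NBImageInfo.plist"), "rb") as fh:
        return plistlib.load(fh)


def audit_share_point(share_point):
    """Check every .nbi folder in a share point and return a list of problems.

    Flags a unique-range index reused by a second image (two different images
    would then carry one ID) and a RootPath whose .dmg is missing.
    """
    problems = []
    seen = {}
    for entry in sorted(os.listdir(share_point)):
        nbi = os.path.join(share_point, entry)
        if not (entry.endswith(".nbi") and os.path.isdir(nbi)):
            continue
        try:
            info = load_image_info(nbi)
        except (OSError, plistlib.InvalidFileException) as exc:
            problems.append("%s: unreadable NBImageInfo.plist (%s)" % (entry, exc))
            continue
        index = info.get("Index")
        if index in UNIQUE_INDEX_RANGE and index in seen:
            problems.append("%s: index %d already used by %s" % (entry, index, seen[index]))
        seen.setdefault(index, entry)
        dmg = os.path.join(nbi, str(info.get("RootPath", "")))
        if not os.path.isfile(dmg):
            problems.append("%s: RootPath %r not found" % (entry, info.get("RootPath")))
    return problems


def demo():
    """Constructed share point: one good image, one that reuses index 1, one
    shared-range image, and one whose .dmg is missing. Returns the audit."""
    share_point = tempfile.mkdtemp(prefix="NetBootSP0-")
    write_nbi(share_point, "Lion-Lab",
              make_image_info("Lion Lab", "lab build", 1, "NetBoot.dmg"))
    write_nbi(share_point, "Lion-Dup",
              make_image_info("Lion Dup", "clashes with Lab", 1, "NetBoot.dmg"))
    write_nbi(share_point, "Lion-Shared",
              make_image_info("Lion Shared", "on two servers", 4096, "NetBoot.dmg"))
    broken = write_nbi(share_point, "Lion-Broken",
                       make_image_info("Lion Broken", "", 2, "NetBoot.dmg"))
    os.remove(os.path.join(broken, "NetBoot.dmg"))
    return audit_share_point(share_point)
```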

Hardware administrative services ► System Image Utility ► Get started

You can create NetBoot images of Mac OS X that you can then use to start client computers over the network.

You can also assemble a workflow to create a NetBoot image that permits advanced customization of your images. For more information, see About workflows.

You must purchase a Mac OS X user license for each client that starts from a NetBoot or NetInstall disk image.

1. Log in as an administrator user.

2. Open System Image Utility (in the /Applications/Server/ folder).

3. In the left sidebar, select the image source.

If no image sources are listed, mount a valid Mac OS X Lion installation image or a valid Mac OS X Lion boot volume.

To create an image, you must have valid Mac OS X Lion image sources or volumes. If you download Mac OS X Lion install assistant from the App Store and install it, a valid Mac OS X Lion image source appears in the source list. You cannot create an image of the startup disk you are running on.

About System Image Utility

Create NetBoot images

4. Select NetBoot Image and click Continue.

5. In the Network Disk field, enter a name for your image.

This name identifies the image in the Startup Disk preferences pane on client computers.

6. (Optional) In the Description field, enter notes or other information to help you characterize the image.

Clients can’t see the description information.

7. If the image is served from more than one server, select the checkbox below the description field.

This option generates an index ID for NetBoot server load balancing.

8. Click Create.

9. In the Save As dialog, choose where to save the image.

If NetBoot service is configured on a network port and Server Admin is set to serve images from a volume, the NetBoot service share point folder NetBootSPn appears in the pop-up menu.

Important: Do not attempt to edit content in the image destination folder while the image is being created.

Hardware administrative services ► System Image Utility ► Get started

Use System Image Utility to create a NetInstall image that you can use to install software on client computers over the network. You can find this application in the /Applications/Server/ folder.

To create an image, you must have valid Mac OS X Lion image sources or volumes. If you download Mac OS X Lion install assistant from the App Store and install it, a valid Mac OS X Lion image source appears in the source list. You cannot create an image of the startup disk you are running on.

1. Log in as an administrator user.

2. Open System Image Utility (in the /Applications/Server/ folder).

3. In the left sidebar, select the image source.

4. Select NetInstall Image and click Continue.

5. In the Network Disk field, enter a name for your image.

This name identifies the image in the Startup Disk preferences pane on client computers.

6. (Optional) In the Description field, enter notes or other information to help you characterize the image.

Clients can’t see the description information.

7. If the image is served from more than one server, select the checkbox below the description field.

This assigns an index ID to the image for NetBoot service load balancing.

8. Click Create.

9. In the Save As dialog, choose where to save the image.

If you don’t want to use the image name you entered earlier, change it by entering a name in the Save As field.

If you’re creating the image on the same server that will serve it, choose a volume from the “Serve from NetBoot share point on” pop-up menu.

For this option to appear in the pop-up menu, NetBoot service must be configured on a network port and Server Admin must be set to serve images from a volume.

To save the image somewhere else, choose a location from the Where pop-up menu or click the triangle next to the Save As field and navigate to a folder.

Create NetInstall images


Important: Do not attempt to edit content in the image destination folder while the image is being created.

Hardware administrative services ► System Image Utility ► Get started

If you have a client computer that’s already configured, you can use System Image Utility to create a NetRestore image based on that client configuration. You can create a NetRestore image of a Mac OS X Lion volume that is used to restore client computers over the network using NetBoot service or the Apple Software Recovery asr tool. When you create a NetRestore image, you are creating a clone of a volume.

You can also use the asr tool to restore a system image onto a volume or to clone volumes. If you have multiple client computers to restore, you can use asr to restore them simultaneously.

You must start up from a volume other than the one you’re using as the image source. For example, you could start up from an external FireWire hard disk or a second partition on the client computer hard disk. You can’t create the image on a volume over the network.

You can also assemble a workflow to create a NetRestore image that permits advanced customization of your images. For more information, see About workflows.

To create an image, you must have valid Mac OS X Lion image sources or volumes. If you download Mac OS X Lion install assistant from the App Store and install it, a valid Mac OS X Lion image source appears in the source list. You cannot create an image of the startup disk you are running on.

1. Log in as an administrator user.

2. Open System Image Utility (in the /Applications/Server/ folder).

3. In the left sidebar, select the image source.

If no image sources are listed, mount a valid Mac OS X Lion installation image or a valid Mac OS X Lion boot volume.

4. Select NetRestore Image and click Continue.

5. In the Network Disk field, enter a name for your image.

This name identifies the image in the Startup Disk preferences pane on client computers.

6. (Optional) In the Description field, enter notes or other information to help you characterize the image.

Clients can’t see the description information.

7. If the image is served from more than one server, select the checkbox below the description field.

This assigns an index ID to the image for NetBoot service load balancing.

8. Click Create.

9. In the Save As dialog, choose where to save the image.

If you don’t want to use the image name you entered earlier, change it by entering a name in the Save As field.

If you’re creating the image on the same server that will serve it, choose a volume from the “Serve from NetBoot share point on” pop-up menu.

For this option to appear in the pop-up menu, NetBoot service must be configured on a network port and Server Admin must be set to serve images from a volume.

To save the image somewhere else, choose a location from the Where pop-up menu or click the triangle next to the Save As field and navigate to a folder.

10. Click Save and authenticate if prompted.

Important: Do not attempt to edit content in the image destination folder while the image is being created.

Hardware administrative services ► System Image Utility ► Get started

Create NetRestore images


If a client computer is configured, you can use System Image Utility to create a NetBoot or NetInstall image based on that client configuration.

You must start up from a volume other than the one you’re using as the image source. For example, you could start up from an external FireWire hard disk or a second partition on the client computer hard disk. You can’t create the image on a volume over the network.

To create an image, you must have valid Mac OS X Lion image sources (volumes or installation image). You cannot create an image of the startup disk you are running on.

1. Start up the computer from a partition other than the one you’re imaging.

2. Install System Image Utility on the client computer.

3. Open System Image Utility on the client computer (in the /Applications/Server/ folder).

4. In the left sidebar, select the image source.

5. From the expanded list, select the image source.

6. Select the type of image you want to create and click Continue:

If your client computers will start up from this image, select NetBoot.

If your image will be installed on a hard disk, select NetInstall.

If your image is a clone of a volume, select NetRestore.

7. In the Image Name field, enter a name for your image.

This name identifies the image in the Startup Disk preferences pane on client computers.

8. (Optional) In the Description field, enter notes or other information to help you characterize the image.

Clients can’t see the description information.

9. If the image is served from more than one server, select the checkbox below the description field.

This option generates an index ID for NetBoot server load balancing.

10. For NetBoot images, if your source volume is a Mac OS X Lion Installation image, enter a user name, short name, and password (in the Password and Verify fields) for the administrator account in Create Administrator Account.

You can log in to a booted client using this account.

11. Click Create.

12. In the Save As dialog, choose where to save the image.

If you don’t want to use the image name you entered earlier, change it by entering a name in the Save As field.

To save the image somewhere else, choose a location from the Where pop-up menu or click the triangle next to the Save Asfield and navigate to a folder.

13. Click Save and authenticate if prompted.

Important: Do not attempt to edit content in the image destination folder while the image is being created.

14. After the image is created on the client computer, copy it to the /Library/NetBoot/NetBootSPn share point on the server for use by NetBoot service.

Images should be stored in this folder.

Hardware administrative services ► System Image Utility ► Workflows

System Image Utility harnesses the power of Automator to help you create custom images by assembling workflows. The basic building block of a workflow is an Automator action. You define the image customization by assembling Automator actions into a workflow.

Create an image from a configured computer

About workflows

Instead of being a do-it-all tool, an action is purpose-designed to perform a single task well. By combining several actions into a workflow, you can quickly accomplish a specific task that no one action can accomplish on its own.

Each action performs a single task, such as customizing a software package or adding a user account.

You use workflows to create customized NetInstall or NetBoot images depending on the goals of your task:

Workflows that create custom NetInstall images assemble an image that installs the OS onto the computer, either originating from installation DVDs or from an installed OS volume. This image boots into the installer environment or similar shell environment and performs the workflow steps you define.

Workflows that create custom NetBoot images assemble a bootable image from installation DVDs or from an installed OS volume. This image can be directly installed onto a target volume using the asr command-line tool or NetBoot.

For more information, see Assemble workflows.

Hardware administrative services ► System Image Utility ► Workflows

To assemble a workflow from a set of actions, drag and drop the actions from the Automator Library in the sequence you want them to run. Each action in the workflow corresponds to a step you would otherwise have to perform manually.

Each action has options and settings you can configure. System Image Utility connects these action components with the types of data that are flowing from one action to another.

You can save your assembled workflows to reuse later.

Hardware administrative services ► System Image Utility ► Workflows

You can update or modify workflows by adding them to System Image Utility.

1. Open System Image Utility.

2. Click the Add button (+) and select Add Existing Workflow.

3. Select the workflow to add to System Image Utility.

Workflows have the .workflow file extension.

4. Click Open.

Hardware administrative services ► System Image Utility ► Workflows

You can remove workflows from System Image Utility.

1. Log in as an administrator user and open System Image Utility.

2. In the left sidebar, click the triangle next to Workflows.

The list of workflows appears.

3. Select the workflow to remove and click File > Remove Workflow.

4. Click Remove to confirm the action.

The workflow is removed from System Image Utility but is not deleted from your computer.

Hardware administrative services ► System Image Utility ► Workflows

Assemble workflows

Add workflows

Remove workflows


Use image workflows to create Mac OS X Lion NetBoot and NetInstall images. Workflows let you manually define the contents of your image in System Image Utility.

An image workflow must start with the Define Image Source action and end with the Create Image action. Also, actions in a workflow must be connected. If not, the workflow is invalid and the actions are not processed.

1. Log in as an administrator user.

2. Open System Image Utility (in the /Applications/Server/ folder).

3. In the image source list, click the triangle at the left of Sources.

The list of sources appears.

4. From the expanded list, select the image source.

When you select the source, this action chooses a default image type based on the contents of the selected source.

5. Choose which type of image you are creating (NetInstall, NetBoot, or NetRestore image).

6. Click Customize for advanced image creation options.

This opens the workflow pane and Automator Library.

The Define Image Source action is present as the first component in the workflow.

7. Configure the Define Image Source action for your image.

This action is required at the beginning of all image workflows. See Configure the Define Image Source action.

8. From Automator Library, choose additional actions that your customized image requires and drag them into the Workflow pane between the Define Image Source action and the Create Image action.

9. Assemble the actions in the order you like, configuring each action as you go.

For more information on configuring the actions, see About workflows.

10. Add the Create Image action to the end of your workflow.

This action is required at the end of image workflows. See Configure the Create Image action.

11. Save the workflow by clicking Save, then enter the name of your workflow in the Save As field and choose where to save the workflow.

To save the workflow somewhere else, choose a location from the Where pop-up menu or click the triangle next to the Save As field and navigate to a folder.

12. Click Save.

13. To start the workflow, click Run and authenticate if prompted.

Important: Do not attempt to edit content in the image destination folder while the image is being created.

Hardware administrative services ► System Image Utility ► Workflows

You can use the automator command-line tool to run a workflow.

The following command runs a workflow with somevariable set to somevalue in the myworkflow.workflow file.

$ automator -D somevariable=somevalue myworkflow.workflow

For more information, see the automator man pages.

Hardware administrative services ► Xgrid

Assemble an image workflow

Use automator to run a workflow


Xgrid makes it easy to turn an ad hoc group of Mac computers into a low-cost supercomputer.

Xgrid is ideal for individual researchers, specialized collaborators, and application developers. For example:

Scientists can search biological databases on a cluster of Xserve systems.

Engineers can perform finite element analyses on their workgroup’s desktops.

Animators can render images using Mac systems across multiple corporate locations.

Research teams can enlist colleagues and interested laypeople in Internet-scale volunteer grids to perform long-running scientific calculations.

Anyone needing to perform CPU-intensive calculations can simultaneously run a single job across multiple computers, dramatically improving throughput and responsiveness.

With Xgrid functionality integrated into Lion Server, system administrators can quickly enable Xgrid on Macs throughout their company, turning idle CPU cycles into a productive cluster at no incremental cost.

Many desktop computers sit idle during the day, in the evening, and on weekends. The assembly of these systems into a computational grid is known as desktop recovery. This method of grid construction enables you to vastly improve your computational capacity without purchasing extra hardware, and Xgrid makes the software configuration a straightforward task.

For a server to function as a controller, Xgrid requires Mac OS X Server v10.4 with a minimum of 256 MB of RAM or Mac OS X Server v10.5 or later, with 1 GB of RAM. To operate as an agent in a grid, Xgrid requires Mac OS X v10.3 or later with a minimum of 128 MB of RAM (256 MB advisable) or Mac OS X v10.4 or later, with 512 MB of RAM. All Xgrid participants must have a network connection. As always, the more RAM a system has, the better it performs, especially for high-performance computing applications.

A grid is a group of computers working together to solve a single problem. The systems in a grid can be loosely coupled, geographically dispersed and, to some extent, heterogeneous. In contrast, systems in a cluster are often homogeneous, colocated, and strictly managed.

Highly dispersed grids, such as SETI@Home, enable individuals to donate their spare processor cycles to a cause. In office environments, large rendering or simulation jobs can be distributed across systems left idle overnight. These can even be used to augment a dedicated computational cluster, which is available to Xgrid clients at all times.

Xgrid has no limitations on the amount of computational power it can support. The performance of the grid depends on the systems participating, the software running, and the network, among other factors. However, individual applications strongly influence the performance of the grid.

You determine if an application is improved by being deployed on a computational grid. In the best case, application performance might scale linearly with the size of the grid. In the worst case, the addition of agents to a grid can cause a job to be completed in even more time than if there were fewer agents. (In such a situation, tasks become so small that the overhead associated with distributing the increased number of tasks supersedes the performance gain of using more agents.) Be aware of these considerations.

Many proprietary projects enable you to participate in a large computational grid. Often these projects, such as SETI@Home and FightAIDS@Home, are tied to a specific scientific purpose. They usually have easy-to-install software that enables any volunteer to participate in that project, and they frequently take the form of a screen saver or background process.

You don’t need to think in terms of thousands or millions of seldom-used computers to see the significance of a computational grid. For example, computers used by university students or corporate employees often work fewer hours than the hours they sit idle at night or on weekends. These computers could contribute productively to the work of a grid without diminishing their usefulness to the students or employees.

Other grid projects are designed for large-scale computational grids, such as the Globus Alliance (a group founded by universities and researchers), with flexible resource management tools and more intelligent grid deployment methods. Instead of developing neatly packaged applications for a specific grid, such projects provide comprehensive frameworks for application deployment.

Xgrid enables users to participate in a computational grid of their choice while still providing the flexibility of a more generic framework for grid developers when deploying grid applications. Xgrid provides the primary benefits of both:

Easy grid configuration and deployment

Straightforward yet flexible job submission

Automatic controller discovery by agents and clients

About Xgrid and computational grids


Flexible architecture based on open standards

Support for the UNIX security model, including Kerberos single sign-on or regular password authentication

Choice between a command-line interface or an API-based model for grid interaction

Common types of grids and grid computing styles

Xgrid can be used in tightly coupled clusters, worldwide grids, and everything in between. This immense flexibility enables you to deploy grids of almost any nature.

Three topologies are commonly used for Xgrid deployments.

Xgrid clusters

Computational clusters are sets of systems dedicated to computation. In a cluster, systems are typically colocated in a rack, connected using gigabit Ethernet or another high-performance network, and strictly managed for maximum performance.

Cluster systems are often entirely homogeneous: their operating systems are the same versions, they have the same software installed, and they generally have the same processor, disk, and RAM configurations.

Xgrid enables administrators to easily configure the distributed resource management functionality of the cluster. Each server in the system runs the agent software, and the head node in the cluster runs the controller software.

Xgrid distributes tasks across the cluster. In clusters, failure rates are generally very low. Systems are rarely, if ever, offline, and their resources are not shared with general user tasks. Clusters are the most efficient but most expensive model of distributed computing.

Local grids

Systems that are under common administration in a company, university computer lab, or other managed environment can often be easily assembled into a grid for desktop recovery. These systems are often on a local area network (LAN) and they are generally managed by a single organization. As a result, they provide good network performance and offer substantial manageability.

Because these systems are often also used as day-to-day workstations, users can easily interrupt grid tasks by moving the mouse, resetting the system, or even accidentally disconnecting the system from the network. In such cases, a task might fail as part of an Xgrid job. The Xgrid controller eventually reassigns the failed task to another agent, and the job completes successfully.

In local grids, performance is limited by such situations and by the varying performance of any given agent on the grid.

Distributed grids

When a system is permitted to donate its time, a distributed grid is formed.

The Xgrid agent enables a user to specify any IP address or host name for its controller. By specifying a grid, a user can dedicate his or her CPU time to that grid no matter where the controller is located.

The manager of the controller has no direct management control or knowledge of the agent system but is nonetheless able to harness its CPU time.

Distributed grids have very high failure rates for jobs but place a very low burden on the grid administrator. With very, very large jobs, high task failure rates might not substantially affect the performance of the grid if the failed tasks can be rapidly reassigned to other available agents.

Network performance can also be a consideration because data is sent over the Internet, rather than over a local network, to agents connected to a grid. The monetary cost of such distributed grids is extremely low.

Hardware administrative services ► Xgrid

The Xgrid three-tier architecture simplifies the distribution of complicated tasks. Its user clients, grid controllers, and computational agents work together to streamline the process of assembling nodes, submitting jobs, and retrieving results.

The primary components of a computational grid perform the following functions:

An agent runs one task at a time per CPU; therefore, a multiprocessor computer can run multiple tasks simultaneously.

A controller queues tasks, distributes those tasks to agents, and handles task reassignment.

Xgrid components



A client submits jobs to the Xgrid controller in the form of multiple tasks. (A client can be any computer running Mac OS X v10.4 or later or Mac OS X Server v10.4 or later.)

In principle, the agent, controller, and client can run on the same server, but it is often more efficient to have a dedicated controller node.

Client

Any system can be an Xgrid client if it is running Mac OS X v10.4 or later and has a network connection to the Xgrid controller system. In general, the client can connect to only a single controller.

Depending on how a controller is configured, the client must supply a password or be authenticated by Kerberos (single sign-on)before submitting a job to the grid.

A user submits a job to the controller from a system running the Xgrid client software, usually a command-line tool accessed with the Terminal application. The job can specify the controller or use multicast DNS (mDNS) to dynamically discover the first available controller. When the job is complete, the controller notifies the client and the client can retrieve the results of the job.

Controller

The Xgrid controller manages communications among the computational resources of a grid. The controller requires Mac OS X Server v10.4 or later. The controller accepts network connections from clients and agents. It receives job submissions from clients, divides the jobs into tasks, dispatches tasks to agents, and returns results to clients.

Although there can be more than one Xgrid controller running on a subnet, there can only be one controller per logical grid.

Each controller can have an arbitrary number of agents connected, but Apple has tested 128 agents per controller. However, there is no software limitation on the number of agents, and users of Xgrid can choose to exceed 128 agents on a controller at their own risk, with a theoretical maximum equal to the number of available sockets on the controller system.

Agent

Xgrid agents run the computational tasks of a job.

In Lion Server, the agent is turned off by default. When an agent is turned on and becomes active at startup, it registers with a controller. (An agent can be connected to only one controller at a time.) The controller sends instructions and data to the agent as needed for the controller’s jobs. After it receives instructions from the controller, the agent performs its assigned tasks and sends the results back to the controller.

By default, agents seek to bind to the first available controller on the LAN. Alternatively, you can specify that an agent bind to a specific controller.

You can also specify whether an agent is always available or is available only when the computer is idle. A computer is considered idle when it has no mouse or keyboard input; CPU and network activity are ignored. If a user returns to a computer that is running a grid task, the computer continues to run the task until it is finished.

By default, the agent on a Mac server is dedicated and the agent on a Mac OS X computer (not a server) is configured to accept tasks only when the computer has had no user input for 15 minutes.

Hardware administrative services ► Xgrid

Requirements and capacities

Xgrid can scale from small clusters of a few computers up to large organization-wide grids. Xgrid supports up to 128 agents, any number of jobs comprising up to 100,000 queued tasks, up to 128 MB of submitted data per job, and up to 128 MB of results per job.

These are recommended limits and are not enforced by the software. You may choose to exceed these limits at your own risk.

Hardware administrative services ► Xgrid ► Setup Xgrid

Plan your grid and set up the Xgrid agent and controller. Xgrid simplifies deployment and management of computational grids.

Configure Xgrid service

Using Server Admin you can configure Xgrid to set up computer groups (grids or clusters) and allow users to easily submit complex computations to these grids (local, remote, or both), as an ad hoc grid or a centrally managed cluster.

Setup overview

Here is an overview of the steps for setting up the Xgrid service:

Identify the Xgrid environment you need. Before configuring Xgrid, you must define the grid environment you’ll create. In particular, you must decide the following:

The kind of authentication to use. See Authentication methods for Xgrid.

Where to host your controller. See Host the grid controller.

How you will manage the controller. See Manage Xgrid and Monitor grid activity.

Prior to configuring, enable Xgrid service. See Enable Xgrid service.

Optionally, configure Xgrid using the Xgrid service configuration assistant. This assistant helps with Xgrid configuration byautomating many settings. See Configure Xgrid with the Xgrid service configuration assistant.

Configure your server as an Xgrid controller using Server Admin. See Configure controller settings.

Start Xgrid on the server using Server Admin. See Start Xgrid.

Configure your server as an Xgrid agent. See Configure an Xgrid agent (server).

Configure your Mac OS X computers as Xgrid agents. See Configure an Xgrid agent (Lion client).

Determine and implement a plan for redundancy. See About Xgrid redundancy and Set up Xgrid redundancy.

Hardware administrative services ► Xgrid ► Setup Xgrid

Use Xgrid from the command line

Learn how to use Xgrid command-line tools and the Terminal application to submit jobs to a grid and to get information about jobs. After you configure an Xgrid controller and add agents to a grid, you use the Terminal application to send a job to the grid.

Structure jobs for Xgrid

Carefully planning and structuring a job can result in efficient use of the grid. For example, the best structure for a job that requires multiple searches of a large database might be to divide the database into multiple sections and provide a section to each agent in the grid.

About job styles

Different styles of jobs often require different handling. Similarly, the way a job is structured influences how efficiently the grid completes it.

Consider the following job styles:

Everything is in one single large job, with numerous small tasks.

Everything is divided into medium-sized jobs, where each job has roughly as many tasks as there are nodes in the grid. (This type of job is usually created by a meta job script, which divides the job into smaller chunks, each of which is a job.)

An entire workflow is composed of several interrelated jobs.

Deciding how to structure a job can involve experimentation to discover the best way to complete it.

For example, you might create a simple, small version of a job in two styles, such as by planning all tasks in one job or by subdividing a job into multiple tiny jobs. Running both experimental jobs under similar conditions in the grid will give you a good idea of which job style is better suited to those conditions.

About job failure

Xgrid jobs can rely on message-passing interface (MPI) APIs. For jobs that rely on MPI, if a single task fails, the entire job fails and must be resubmitted. Therefore do not use MPI-based jobs on grids with high task-failure rates.

Jobs that are more parallel in nature are generally unaffected by occasional task failures. Tasks are typically reassigned to other available agents to complete the job. Most jobs fall into this category.

Submit a job

You submit jobs to a grid using the command-line tool and Terminal. Example code is available on the Apple developer website (developer.apple.com) for alternative methods of submitting jobs. Also, if you have Developer Tools installed you can view the examples located in /Developer/Examples/Xgrid/.

When you submit a job to a grid make sure you use a universal binary. This assures that your job has the correct architecture no matter what architecture the grid agents provide.

Also, make sure you set your deployment target correctly. For example, if you are building a tool for Mac OS X v10.6 you must build with Mac OS X v10.6 as your deployment target.

For more information about the syntax and options for the Xgrid command-line tool, see the xgrid man pages.

Some developers and organizations offer specialized applications for submitting jobs to a grid. Or you can create an application using Apple’s developer tools for Xgrid.

When determining whether to use the xgrid command-line tool or another method for submitting jobs, consider these points:

If the job is simple, use the command-line tool.

If you use a shell script, use the command-line tool.

If you want to use Xgrid as part of an application with a graphical user interface (GUI), use the Xgrid API to create the GUI or incorporate it in an existing application. For more information about the API, see Xgrid Reference at developer.apple.com/documentation/.

Examples of Xgrid job submission and results retrieval

The following Terminal commands are examples of jobs a client can submit to the controller.

$ xgrid -h <controller> -p <password> -job submit /bin/echo "Hello, World!"

This job runs /bin/echo on the controller and agent systems with the “Hello, World!” parameter.

$ xgrid -h <controller> -p <password> -job results -id <id>

This command shows the results of the job with the id indicated.

For an executable shell script named hello.sh:

#!/bin/sh
/bin/echo "Hello, World!"

The following command copies the shell script hello.sh to the Xgrid controller and agent systems and runs the script. /bin/echo must be installed on the agent system. The hello.sh script must have its executable bit set before it can execute.

$ xgrid -h <controller> -p <password> -job submit hello.sh
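The following shell functions are an added example and are not part of the Lion Server manual or of the xgrid tool. They wrap the submit and results commands shown above, refuse to submit a script whose executable bit is not set (the failure mode the text warns about), and extract the job identifier from the submit output so a script can chain a submission with a later results retrieval. Assumptions not stated on the page: the controller host name and password are taken from the XGRID_CONTROLLER and XGRID_PASSWORD environment variables, and the submit output is a property-list-style block containing a line of the form "jobIdentifier = 42;".

```shell
# Added example (not from the manual): a small wrapper around the xgrid tool.
# Assumptions: XGRID_CONTROLLER / XGRID_PASSWORD are set in the environment and
# "xgrid -job submit" prints a block containing "    jobIdentifier = <number>;".

# Constructed sample of the submit output, used for offline checks only.
sample_submit_output() {
    printf '{\n    jobIdentifier = 42;\n}\n'
}

# check_job_script FILE : refuse scripts the agents could not run.
# Returns 1 if the file is missing, 2 if its executable bit is not set.
check_job_script() {
    script="$1"
    [ -f "$script" ] || { echo "no such file: $script" >&2; return 1; }
    [ -x "$script" ] || { echo "$script is not executable; run chmod +x first" >&2; return 2; }
    return 0
}

# parse_job_id : read submit output on stdin and print only the numeric job id.
parse_job_id() {
    sed -n 's/^[[:space:]]*jobIdentifier[[:space:]]*=[[:space:]]*\([0-9][0-9]*\);.*$/\1/p' | head -n 1
}

# submit_job FILE : submit an executable script and print the job id it was given.
submit_job() {
    check_job_script "$1" || return $?
    xgrid -h "$XGRID_CONTROLLER" -p "$XGRID_PASSWORD" -job submit "$1" | parse_job_id
}

# job_results ID : retrieve the results of a finished job.
job_results() {
    xgrid -h "$XGRID_CONTROLLER" -p "$XGRID_PASSWORD" -job results -id "$1"
}

# Typical use on a client Mac:
#   id=$(submit_job ./hello.sh) && job_results "$id"
```

Passing the controller password with -p, as the commands on this page do, makes it visible to other local users in the process list; the xgrid man page referenced above documents environment-variable alternatives that avoid this.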

RELATED INFORMATION

View job status from the command line

Retrieving job results from the command line

Hardware administrative services ► Xgrid ► Manage Xgrid

Manage a grid using Xgrid Admin

After you set up an Xgrid controller, you can use Xgrid Admin to manage a grid. You can use Xgrid Admin on the server or on a remote computer that is running Mac OS X v10.5 or later.

Xgrid Admin is a tool you use to monitor grids and manage agents and jobs. You can add controllers and agents to monitor and specify agents that have not joined a grid. You also use Xgrid Admin to pause, stop, or restart jobs. You can manage computational grids with Xgrid Admin. A computational grid is a fixed group of agents with a dedicated queue. There can be multiple grids per controller but an agent can belong to only one grid. You cannot move an agent between grids while a job (or a task) is running.

Use Xgrid Admin

Xgrid Admin enables you to monitor grids and manage agents and jobs. You can:

Check the status of a grid and its activity, including the number of agents working and available, the processing power in use and available, and the number of jobs running and pending

Add or remove controllers and grids to manage

See a list of agents in a grid and the CPU power available and in use for each agent


Add or remove agents in a grid

See a list of jobs in a grid, the date and time each job was submitted, its progress, and the active CPU power for the job

Remove jobs in a grid

Stop a job in progress

Restart a job that was stopped or is complete

Xgrid Admin provides controls in its graphical interface and menu commands for all of its options.

You can also use the Xgrid command-line tool to perform these tasks.

RELATED INFORMATION

Manage controllers

Manage agents

Manage jobs

Manage grids

Status indicators in Xgrid Admin

Use Xgrid from the command line

Hardware administrative services ► Xgrid ► Manage Xgrid

Manage client access to Xgrid

Server Admin in Lion Server enables you to configure service access control lists (SACLs), which enable you to specify which users and groups have access to Xgrid and which administrators can manage it. Using SACLs enables you to add another layer of access control in addition to password and Kerberos authentication. Only users and groups listed in an SACL have access to its corresponding service.

Set Xgrid SACL permissions for users and groups

You use Server Admin to set SACL permissions for users and groups to access Xgrid service.

1. Open Server Admin and connect to the server.

2. Click Settings.

3. Click Access.

4. Click Services.

5. Select the level of restriction you want for the services:

To restrict access to all services, select “For all services.”

To set access permissions for individual services, select “For selected services below,” then select a service from the Service list.

6. To provide unrestricted access to services, click “Allow all users and groups.”

7. To restrict access to users and groups:

Select “Allow only users and groups below.”

Click the Add button (+) to open the Users and Groups window.

Drag users and groups from the Users and Groups window to the list.

8. Click Save.

Set Xgrid SACL permissions for administrators

Use Server Admin to set SACL permissions for administrators to monitor and manage Xgrid.

1. Open Server Admin and connect to the server.

2. Click Settings.

3. Click Access.


4. Click Administrators.

5. Select the level of restriction you want for the services:

To restrict access to all services, select “For all services.”

To set access permissions for individual services, select “For selected services below,” then select a service from the Service list.

6. Open the Users and Groups window by clicking the Add button (+).

7. From the Users and Groups window, drag users and groups to the list.

8. Set user permissions:

To grant administrator access, choose Administer from the Permission pop-up menu next to the user name.

To grant monitoring access, choose Monitor from the Permission pop-up menu next to the user name.

9. Click Save.

Hardware administrative services ► Xgrid ► Solve Xgrid Problems

If your agents can’t connect to the Xgrid controller

If an agent is a server, make sure the agent service is enabled and the Xgrid service is started.

The Xgrid controller is the only component of Xgrid that has an open port (port 4111) and requires a firewall opening. This means the Xgrid controller is the only component that advertises on or responds to queries over Bonjour. When enabling the controller, make sure firewall port 4111 is open on your computer’s firewall (enabled in the Sharing pane of System Preferences) or your corporate firewall (if accepting agents or clients outside your organization).

Agents and clients locate the controller through a Bonjour lookup or an explicit hostname or IP address. They then initiate a connection to the controller from a user port, so no privileged operation or firewall opening is needed on the agent or client side.

Hardware administrative services ► Xgrid ► Solve Xgrid Problems

Use Xgrid over SSH

You can secure Xgrid using SSH by making a tunnel between specific clients or agents and the controller or by running over a tunnel as a specific user.

Create an SSH tunnel from the client or agent to the controller

The simplest way to secure Xgrid using SSH is to create a tunnel from the client or the agent to the controller.

1. Create the tunnel: $ ssh user@controller.hostname.com -L 4111:controller.hostname.com:4111

2. Have the agent or client connect to localhost instead of the controller.

By doing this, SSH tunnels to the remote connection. You can use other ports on the local machine and even tunnel through an intermediary host.

To run an Xgrid agent over an SSH tunnel as a specific user

Using Terminal, enter the following:

$ ssh -R 20000:192.168.1.100:4111 user@192.168.1.102 /usr/libexec/xgrid/GridAgent -ServiceName localhost:20000 -RequireControllerPassword NO -UsesRendezvous NO -OnlyWhenIdle NO -BindToFirstAvailable NO

20000 is the port to tunnel through the ssh connection, 192.168.1.100:4111 is the address and port number of the controller, user is the name of the user to connect as, and 192.168.1.102 is the address of the remote computer that runs the agent.

Hardware administrative services ► Xgrid ► Solve Xgrid Problems

If you run tasks on multi-CPU computers

By default, each Xgrid agent (one per machine) accepts as many tasks as there are CPUs on that host, as reported by $ sysctl hw.ncpu.

Agents assume that tasks are single-threaded, so they run two tasks to make best use of a dual-CPU system.

To run multithreaded tasks that take up both CPUs, edit the agent configuration file /Library/Preferences/com.apple.xgrid.agent.plist.

To make it always only accept a single task, change the MaximumTaskCount line to MaximumTaskCount=1.

Note: This must be done explicitly for each agent, and is permanent until reversed. You can’t specify this kind of constraint as part of a job submission.
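The following script is an added example and is not part of the manual. On the agent Mac itself the setting is normally changed with the defaults tool (for example, sudo defaults write /Library/Preferences/com.apple.xgrid.agent MaximumTaskCount -int 1); the functions below instead read and rewrite the XML form of the plist as text, so the change can be checked against a copy before it is installed on each agent, and they reject values below 1. The XML layout of the file (a MaximumTaskCount key followed by an integer element) and the constructed sample plist are assumptions of this example, not taken from the page.

```shell
# Added example (not from the manual): read and set MaximumTaskCount in an XML
# plist. Assumption: the file is XML with <key>MaximumTaskCount</key> followed by
# an <integer> element, as in the constructed sample below.

# Constructed sample agent plist (not a copy of a real agent's file).
sample_agent_plist() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>MaximumTaskCount</key>
    <integer>2</integer>
    <key>OnlyWhenIdle</key>
    <true/>
</dict>
</plist>
EOF
}

# cpu_count : what the agent's default is derived from (hw.ncpu on Mac OS X);
# falls back to nproc so the example also runs elsewhere.
cpu_count() {
    sysctl -n hw.ncpu 2>/dev/null || nproc 2>/dev/null || echo 1
}

# get_max_task_count FILE : print the integer that follows the MaximumTaskCount key.
get_max_task_count() {
    awk '
        pending && /<integer>/ { gsub(/[^0-9]/, ""); print; exit }
        /<key>MaximumTaskCount<\/key>/ { pending = 1 }
    ' "$1"
}

# set_max_task_count FILE N : rewrite that integer in place; N must be >= 1.
set_max_task_count() {
    file="$1"; n="$2"
    case "$n" in ''|*[!0-9]*) echo "task count must be a positive integer, got '$n'" >&2; return 1;; esac
    [ "$n" -ge 1 ] || { echo "task count must be at least 1" >&2; return 1; }
    grep -q '<key>MaximumTaskCount</key>' "$file" || { echo "MaximumTaskCount key not found in $file" >&2; return 2; }
    tmp="$file.tmp.$$"
    awk -v n="$n" '
        pending && /<integer>/ {
            sub(/<integer>[0-9]+<\/integer>/, "<integer>" n "</integer>")
            pending = 0
        }
        /<key>MaximumTaskCount<\/key>/ { pending = 1 }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Example: limit a copy of the plist to one task per agent and show the result.
#   sample_agent_plist > agent.plist; set_max_task_count agent.plist 1; get_max_task_count agent.plist
```

After copying an edited file into /Library/Preferences on an agent, restart the agent so it reads the new limit; as the note above says, the change is per agent and persists until you reverse it.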

Hardware administrative services ► Xgrid ► Solve Xgrid Problems

If you submit a large number of jobs

GridStuffer is a third-party Cocoa application created by Charles Parnot of Stanford to manage multitask jobs. It provides a friendly GUI for many common Xgrid tasks.

GridStuffer is available at http://cmgm.stanford.edu/~cparnot/xgrid-stanford/html/goodies/GridStuffer-info.html. A companion command-line tool, xgridstatus, provides an easy way to retrieve information about your grid and jobs. Xgridstatus is available at http://cmgm.stanford.edu/~cparnot/xgrid-stanford/html/goodies/xgridstatus-info.html.

Hardware administrative services ► Xgrid ► Solve Xgrid Problems

If you want to use Xgrid on other platforms

Third-party agents are available that run Xgrid jobs on non-Mac platforms. You are responsible for ensuring that your tasks contain and call relevant platform-specific code.

There is no intrinsic support for heterogeneous execution, although there is nothing that relies on Mac-specific technology.

The primary technical requirement is a sufficiently functional BEEP protocol stack. Several open source implementations are available, of varying quality.

You can download Curtis Campbell's cross-platform Java-based Xgrid agent at sourceforge.net/projects/xgridagent-java/.

Hardware administrative services ► Xgrid ► Solve Xgrid Problems

If the Xgrid controller must be restarted

When the Xgrid controller is restarted by Server Admin, the xgridctl tool, a power outage, or a kernel panic, the following occurs:

Clients and agents are disconnected.

Tasks running when the controller restarted are stopped.

Partial data from killed tasks is discarded. (Data from finished tasks is saved and can be retrieved as usual.)

Queued jobs and tasks are saved and run as usual.

Tasks are started/restarted as agents reconnect and become available.

Hardware administrative services ► Xgrid ► Solve Xgrid Problems

If Xgrid has crashed

The Xgrid controller and agent should restart automatically if they crash. CrashReporter logs can be found in /Library/Logs/CrashReporter. Xgrid logs notices, warnings, and errors to the console as well as to log files in /Library/Logs/Xgrid.

Hardware administrative services ► Xgrid ► Solve Xgrid Problems

If you are trying to submit jobs over 2 GB

The Xgrid controller is a 32-bit process and keeps most job input and output data in memory. This means that the controller can crash if your jobs require a large amount of input or produce a large amount of output.

You can use a shared filesystem (such as Xsan or NFS) to share large amounts of data between distributed processes.

Hardware administrative services ► Xgrid ► Solve Xgrid Problems

If you want to enable Kerberos/SSO for Xgrid

For Xgrid to use SSO, you need the following:

The agent must have the host’s user principal in the system keytab.

The Kerberos database on the Kerberos domain controller must contain the agent’s principal.

The controller’s realm must be the default realm on the agent computer.

The agent’s principal is created in the Kerberos domain controller and is put in the agent’s keytab if the agent computer is bound to the OD master using authenticated binding with Directory access. Otherwise, you must use kadmin to create the principal in the Kerberos domain controller and export it to the keytab.

For example, the computer hosting the agent must have the host’s user principal in the system keytab, as shown here:

hostname:~ user$ sudo klist -k
Password:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   1 [email protected]
   1 [email protected]
   1 [email protected]

The Kerberos database on the KDC must contain the agent’s principal, as in the following:

$ sudo kadmin.local -q "get_principal hostname.apple.com"
Authenticating as principal root/[email protected] with password.
Principal: hostname.apple.com@XGRIDTEST.APPLE.COM
Expiration date: [never]
Last password change: Tue Apr 12 17:46:41 PDT 2005
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Apr 12 17:46:41 PDT 2005 (root/[email protected])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

The controller’s realm must be the default realm on the agent computer, as shown:

$ cat /Library/Preferences/edu.mit.Kerberos
# WARNING This file is automatically created, if you wish to make changes
# delete the next two lines
# autogenerated from : /LDAPv3/xgridtest.apple.com
# generation_id : 1637891359
[libdefaults]
    default_realm = XGRIDTEST.APPLE.COM
[realms]
    XGRIDTEST.APPLE.COM = {
        kdc = xgridtest.apple.com
        admin_server = xgridtest.apple.com
    }
[domain_realm]
    apple.com = XGRIDTEST.APPLE.COM
    .apple.com = XGRIDTEST.APPLE.COM
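The following script is an added example and is not part of the manual. It checks two of the three SSO prerequisites listed above offline, from text captured on the agent: it reads the default realm out of the Kerberos configuration file (the [libdefaults] section shown above) and confirms that the keytab listing from klist -k contains the agent's principal for that realm. Two assumptions are this example's own: the principal is looked up as host/<fqdn>@<REALM> (the manual's klist listing obfuscates the principal names, so the naming scheme is not confirmed by the page), and the sample klist output and configuration below are constructed. Checking the KDC database itself still requires kadmin, as the text describes.

```shell
# Added example (not from the manual): offline checks of the SSO prerequisites
# from captured "klist -k" output and the Kerberos configuration file.
# Assumption: the agent's keytab entry is named host/<fqdn>@<REALM>.

# Constructed sample of "sudo klist -k" output.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   1 host/agent1.example.test@EXAMPLE.TEST
   1 afpserver/agent1.example.test@EXAMPLE.TEST
EOF
}

# Constructed sample of the configuration file, in the format shown above.
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.TEST
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
        admin_server = kdc.example.test
    }
EOF
}

# default_realm_from_config FILE : print default_realm from the [libdefaults] section.
default_realm_from_config() {
    awk '
        /^[[:space:]]*\[/ { section = $1 }
        section == "[libdefaults]" && /^[[:space:]]*default_realm[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }
    ' "$1"
}

# keytab_has_principal KLIST_FILE PRINCIPAL : 0 if an entry line names PRINCIPAL.
# Entry lines start with the key version number; the principal is the last field.
keytab_has_principal() {
    awk -v want="$2" '
        /^[[:space:]]*[0-9]+[[:space:]]/ && $NF == want { found = 1 }
        END { exit !found }
    ' "$1"
}

# check_agent_sso FQDN KLIST_FILE KRB5_CONFIG_FILE : 0 when the agent's host
# principal for the configured default realm is present in the keytab.
check_agent_sso() {
    fqdn="$1"; klist_out="$2"; cfg="$3"
    realm=$(default_realm_from_config "$cfg")
    [ -n "$realm" ] || { echo "no default_realm in $cfg" >&2; return 1; }
    principal="host/$fqdn@$realm"
    if keytab_has_principal "$klist_out" "$principal"; then
        echo "OK: $principal is in the keytab; default realm is $realm"
        return 0
    fi
    echo "MISSING: $principal not in keytab (rebind with authenticated binding, or create and export it with kadmin)" >&2
    return 2
}

# Run against the constructed samples (on a real agent, capture klist -k output
# to a file and point at /Library/Preferences/edu.mit.Kerberos instead).
demo_check() {
    k=$(mktemp); c=$(mktemp)
    sample_klist > "$k"; sample_krb5_conf > "$c"
    check_agent_sso agent1.example.test "$k" "$c"; rc=$?
    rm -f "$k" "$c"
    return $rc
}
```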

Hardware administrative services ► Link aggregation

About link aggregation

Although not common, the failure of a switch, cable, or network interface card can cause your server to become unavailable. To eliminate these single points of failure, you can use link aggregation or trunking. This technology, also known as IEEE 802.3ad, is built into Lion Server.

Link aggregation allows you to aggregate or combine multiple physical links connecting your Mac to a link aggregation device (a switch or another Mac) into a single logical link. The result is a fault-tolerant link with a bandwidth equal to the sum of the bandwidths of the physical links.

For example, you can set up an Xserve with four 1-Gbit/s ports (en1, en2, en3, and en4) and use the Network pane of System Preferences to create a link aggregate port configuration (bond0) that combines en1, en2, en3, and en4 into one logical link.

The resulting logical link has a bandwidth of 4 Gbit/s. This link also provides fault tolerance. If a physical link fails, your Xserve’s bandwidth shrinks, but the Xserve can still service requests as long as not all physical links fail at once.

Link aggregation also allows you to take advantage of existing or inexpensive hardware to increase the bandwidth of your server. For example, you can form a link aggregate from a combination of multiple 100-Mbit/s links or 1-Gbit/s links.

Hardware administrative services ► Link aggregation

About the Link Aggregation Control Protocol (LACP)

IEEE 802.3ad Link Aggregation defines a protocol called Link Aggregation Control Protocol (LACP) that is used by Lion Server to aggregate (combine) multiple ports into a link aggregate (a virtual port) that can be used for TCP and UDP connections.

When you define a link aggregate, the nodes on each side of the aggregate (for example, a computer and a switch) use LACP over each physical link to:

Determine whether the link can be aggregated

Maintain and monitor the aggregation

If a node doesn’t receive LACP packets from its peer (the other node in the aggregate) regularly, it assumes the peer is no longer active and removes the port from the aggregate.

In addition to LACP, Lion Server uses a frame distribution algorithm to map a conversation to a specific port. This algorithm sends packets to the system on the other end of the aggregate only if packet reception is enabled. In other words, the algorithm won’t send packets if the other system isn’t listening.

Mapping a conversation to a specific port guarantees that packet reordering does not occur.

Hardware administrative services ► Link aggregation

Set up link aggregation in Lion Server

You create a link aggregate on your computer in the Network pane of System Preferences. To set up your Lion Server for link aggregation, you need a Mac with two or more IEEE 802.3ad-compliant Ethernet ports. In addition, you need at least one IEEE 802.3ad-compliant switch or another Lion Server computer with the same number of ports.

By default, the system gives the link aggregate the interface name bond<num>, where <num> is a number indicating precedence. For example, the first link aggregate is named bond0, the second is bond1, and the third is bond2.

The interface name bond<num> assigned by the system is different from the name you give to the link aggregate port configuration. The interface name is for use at the command line, but the port configuration name is for use in the Network pane of System Preferences.

For example, if you enter the command ifconfig -a, the output refers to the link aggregate using the interface name and not the port configuration name:

bond0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::2e0:edff:fe08:3ea6 pre…

You do not delete or remove a link bond from the Network pane of System Preferences. You remove the bond through the Manage Virtual Interfaces sheet used to create the bond.

1. Log in to the server as an administrative user.

2. Open System Preferences.

3. Click Network.

4. Click the Gear button and choose Manage Virtual Interfaces in the pop-up menu.

5. Click the Add button (+) and select New Link Aggregate in the pop-up menu.

Note: You only see this option if you have two or more Ethernet interfaces on your system.

6. In the Name field, enter the name of the link aggregate.

7. Select the ports to aggregate from the list.

8. Click Create.

9. Click Done.

Hardware administrative services ► Link aggregation

Monitor link aggregation status

You can monitor the status of a link aggregate in Lion and Lion Server using the Status pane of the Network pane of System Preferences.

1. Open System Preferences.

2. Click Network.

3. From the list of network interfaces on the left, choose the link aggregate port virtual interface.

4. Click Advanced in the lower right side of the window.

5. Select the Bond Status tab.

The Sending and Receiving status indicators are color-coded. Green means the link is active (turned on) and connected. Yellow means the link is active but not connected. Red means the link can’t send or receive traffic. The Status pane displays a list containing a row for each physical link in the link aggregate. For each link, you can view the name of the network interface, its speed, its duplex setting, the status indicators for incoming and outgoing traffic, and an overall assessment of the status.

6. To view more information about a link, click the corresponding entry in the list.
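The following shell functions are an added example and are not part of the manual. They are a command-line counterpart to the Bond Status pane for a headless server: they read ifconfig -a output and report, for each bond<num> interface, whether the RUNNING flag is present in the flags field, which is the form of the ifconfig line shown in the setup topic above. The ifconfig text below is a constructed sample, not output from a real server, and treating a bond without RUNNING as down is this example's own interpretation.

```shell
# Added example (not from the manual): check bond interfaces from ifconfig output.
# Assumption: each bond line has the form "bond0: flags=8843<UP,...,RUNNING,...> mtu 1500".

# Constructed sample of "ifconfig -a" output: one bond up, one not running.
sample_ifconfig() {
    cat <<'EOF'
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:e0:ed:08:3e:a6
bond0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::2e0:edff:fe08:3ea6%bond0 prefixlen 64 scopeid 0x7
	inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255
bond1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
EOF
}

# bond_status : read ifconfig output on stdin; print "<bond> RUNNING" or "<bond> DOWN".
bond_status() {
    awk '
        /^bond[0-9]+:/ {
            name = $1; sub(/:$/, "", name)
            state = ($0 ~ /<[^>]*RUNNING[^>]*>/) ? "RUNNING" : "DOWN"
            print name, state
        }'
}

# bonds_all_running : 0 only if every bond interface on stdin is RUNNING;
# otherwise names the ones that are not, for a monitoring hook to act on.
bonds_all_running() {
    down=$(bond_status | awk '$2 != "RUNNING" { print $1 }')
    [ -z "$down" ] || { echo "bond interfaces not running: $down" >&2; return 1; }
}

# On the server itself: ifconfig -a | bonds_all_running
# Offline, with the constructed sample: sample_ifconfig | bond_status
```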

Hardware administrative services ► Link aggregation

Link aggregation scenarios

Computer to computer

In this scenario, you connect the servers directly using the physical links of the link aggregate.

This allows the two servers to communicate at a higher speed without the need for a switch. This configuration is ideal for ensuring back-end redundancy.

Computer to switch

In this scenario, you connect your server to a switch configured for 802.3ad link aggregation.

The switch should have bandwidth for handling incoming traffic equal to or greater than that of the link aggregate (logical link) you define on your server.

For example, if you create an aggregate of four 1-Gbit/s links, use a switch that can handle incoming traffic (from clients) at 4 Gbit/s or more. Otherwise, the increased bandwidth advantage in the link aggregate won’t be fully realized.

Note: For information about how to configure your switch for 802.3ad link aggregation, see the documentation provided by the switch manufacturer.

Computer to switch-pair

In this scenario, you improve on the computer-to-switch scenario by using two switches to eliminate the switch as a single point of failure.

For example, you can connect two links to the master switch and the remaining links to the backup switch. As long as the master switch is active, the backup switch remains inactive. If the master switch fails, the backup switch takes over transparently.

Although this scenario adds redundancy that protects the server from becoming unavailable if the switch fails, it results in decreased bandwidth.
