Managing OpenLDAP, Configuring Ldap | Apple Mac OS X Server specs

Parameter (dirserv:)	Description
passwordOptionsString	Default = "usingHistory=0 usingExpirationDate=0
	usingHardExpirationDate=0 requiresAlpha=0
	requiresNumeric=0 expirationDateGMT=12/31/69
	hardExpireDateGMT=12/31/69
	maxMinutesUntilChangePassword=0
	maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0
	maxFailedLoginAttempts=0 minChars=0 maxChars=0
	passwordCannotBeName=0"

NetInfoRunStatus	Default = ""

LDAPSSLCertificatePath	Default = ""

masterServer	Default = ""

LDAPServerType	Default = "standalone"

NetInfoDomain	Default = ""

replicationWhen	Default = "periodic"

useSSL	Default = "YES"

LDAPDefaultPrefix	Default = "dc=<domain>,dc=com"

LDAPTimeoutUnits	Default = "minutes"

LDAPServerBackend	Default = "BerkeleyDB"

Managing OpenLDAP

Open Directory uses OpenLDAP, the open source implementation of LDAP, to provide directory services for mixed-platform environments. A common language for directory access lets you consolidate information from different platforms and define a single name space for all network resources. Whether you have Mac, Windows, or Linux computers on your network, you can set up and manage a single directory eliminating the need to maintain a separate directory or separate user records for each platform.

Configuring LDAP

The OpenLDAP server daemon is slapd, located in /usr/libexec/. slapd is launched automatically by the LDAP startup item. The primary configuration files for OpenLDAP are kept in /etc/openldap/. There you will find the slapd.conf file, which contain basic configuration information. Most of the configuration for Open Directory is stored in the slapd_macosxserver.conf file. An include statement in the slapd.conf file includes slapd_macosxserver.conf.

Although the directives in these files can be modified using the administration applications, it’s advisable that you not modify these directives. Instead, use your own configuration file by adding an include directive for it in the slapd.conf file.

Chapter 15 Working with Open Directory

253

Image 253

Apple Mac OS X Server manual Managing OpenLDAP, Configuring Ldap, PasswordOptionsString

Contents

Mac OS X Server Apple Computer, Inc Apple Computer, Inc. All rights reserved Contents Locating Computers for Installation Installing Server SoftwareSpecifying the Target Computer Volume Preparing the Target Volume for a Clean Installation Configuring Network Interfaces Setting Network PreferencesViewing or Changing Media Settings Managing Network Port Configurations Mounting and Unmounting Volumes Working with Disks and VolumesMounting Volumes Unmounting Volumes 141 Listing Connected Users 142 163 171 214 Apache Tomcat JBoss Server 215 MySQL Database Contents 265 Configuring the Active Directory Plug-In Glossary AppendixIndex Contents About This Guide Commands and Other Terminal Text Using This GuideCommand Parameters and Options Understanding Notation Conventions Commands Requiring Root Privileges Default Settings Create and manage users, groups, and computer lists. Set up Install Mac OS X Server and set it up for the first timeThis guide Tells you how to Earlier versions of the server Set up and manage QuickTime streaming services Manage directory and authentication services This guide Tells you how to Opening Terminal Executing Commands Path string Description Specifying Files and FoldersTest.c file in the current folder Folder Redirecting Input and Output Modifying Flow ControlRedirect Description Following command in a Terminal window Using Environment Variables Executing Commands and Running Tools Repeating Commands Correcting Typing ErrorsIncluding Paths Using Drag and Drop Searching for Text Within a File An example of a configured crontab file Terminating CommandsScheduling Tasks Viewing Command Information Sending Commands to a Remote ComputerTo access a man $ hdiutil help $ dig -h $ diff --help Executing Commands How SSH Works Understanding Secure Shell Password-Less Logins Using SSH Keys Updating SSH Key Fingerprints Controlling Access to SSH Service What is an SSH Man-in-the-Middle Attack? Using SSH Connecting to a Remote ComputerTo access a remote computer using ssh You’re prompted for the user’s password To enable Telnet access Using TelnetTo disable Telnet access To access a remote computer using telnet To use installer to install Mac OS X Server software Installing Server Software Locating Computers for Installation Preparing the Target Volume for a Clean Installation Specifying the Target Computer VolumeTo list volumes available for server software To list computers on the local network Installing from Multiple CDs Automating Server SetupRestarting After Installation To save a configuration file during server setup Creating a Configuration File Installing Server Software and Finishing Basic Setup Customizing a Configuration File Working with an Encrypted Configuration FileTo provide a passphrase in a file To provide a passphrase interactively Sample Configuration File Installing Server Software and Finishing Basic Setup Installing Server Software and Finishing Basic Setup Storing a Configuration File in an Accessible Location Configuring the Server Remotely from the Command Line Using the serversetup Tool Changing Server SettingsUsing the serveradmin Tool General and Network Preferences Viewing, Validating, and Setting the Software Serial NumberTo display the server’s software serial number To set the server software serial number To install an update To check for available updatesUpdating Server Software To validate a server software serial number Moving a Server Installing Server Software and Finishing Basic Setup Automatic Restart Restarting a ComputerTo restart the local computer To restart a remote computer immediately Shutting Down a Computer Changing a Remote Computer’s Startup DiskManipulating Open Firmware Nvram Variables Folder Usage Monitoring and Restarting Critical Services Restarting or Shutting Down a Computer Viewing or Changing the Date and Time Viewing or Changing the Computer NameTo display the computer name To change the computer name Viewing or Changing the System Time Viewing or Changing the System DateViewing or Changing the System Time Zone Viewing or Changing Network Time Server Usage Viewing or Changing Sleep Settings Viewing or Changing the Energy Saver SettingsViewing or Changing Automatic Restart Settings Viewing or Changing the Startup Disk Settings Changing the Power Management Settings Viewing or Changing the International Settings Viewing or Changing the Sharing SettingsViewing or Changing Remote Login Settings Viewing or Changing Apple Event Response Disables the buttons and 1 enables the buttons Viewing and Changing the Login SettingsTo view the current setting Configuring Network Interfaces Setting Network Preferences Viewing Port Names and Hardware Addresses Managing Network Interface InformationViewing or Changing MTU Values Viewing or Changing Media Settings Managing Network Port ConfigurationsCreating or Deleting Port Configurations Activating Port Configurations To change the order of the port configurations Managing TCP/IP SettingsChanging a Server’s IP Address Run the changeip tool To change a server’s IP addressTo change the IP address of a standalone server To view TCP/IP settings for port en0 To list TCP/IP settings for a configurationTo view TCP/IP settings for a particular port or device To change TCP/IP settings for a particular port or device Viewing or Changing DNS Servers Working with VLANs Enabling TCP/IPIeee 802.3ad Ethernet Link Aggregation Configuring Ethernet Link Aggregation Configuring a Network Interface Managing Snmp Settings Managing AppleTalk Settings Open the /etc/hostconfig file Locate the line Installing SnmpStarting Snmp Immediately above it, add this line To start the snmp agent manually Configuring SnmpTo identify the process id To stop snmpd To view the snmp.conf file Collecting Snmp Information from the HostTo start snmpd, execute this as root Other options in the menu you were working in are Viewing or Changing FTP Proxy Settings Managing Proxy Settings Viewing or Changing Secure Web Proxy Settings Viewing or Changing Web Proxy SettingsViewing or Changing Streaming Proxy Settings Viewing or Changing Gopher Proxy Settings Viewing or Changing Socks Firewall Proxy Settings Managing AirPort SettingsViewing or Changing Proxy Bypass Domains Computer Name Managing the Computer, Host, and Bonjour NamesHostname Command displays 0 if the name was changed Managing Preference Files and the Configuration DaemonBonjour Name To display the server’s Bonjour name To set the hostname of a system Changing Network LocationsTo get the hostname of a system To view the current locations This example, the network location will switch to AirPortComputer will respond with output similar to the following Understanding Disks, Partitions, and the File System Mounting and Unmounting Volumes Unmounting Volumes Mounting VolumesTo unmount a volume To view a list of currently mounted file systems Displaying Disk Information To enable diskspacemonitorMonitoring Disk Space To display disk information Reclaiming Disk Space Using Log-Rolling Scripts Erasing, Modifying, Verifying, and Repairing Disks To mount a drive To get mount info about a partitionTo erase and repartition a disk Command Description To format a Mac OS Extended volume as case-sensitive HFS+Partitioning and Formatting Disks Partitioning a Disk Labeling a Disk Checking for Disk ProblemsFormatting a Disk To fomat a disk Enabling Journaling for an Existing Volume Checking to See If Journaling is EnabledTo see if journaling is enabled To enable journaling Understanding Spotlight Technology Enabling Journaling When You Erase a DiskDisabling Journaling Enabling and Disabling Spotlight Performing Spotlight Searches To enable Spotlight on your serverRestart your server To view the metadata of a file Controlling Spotlight Indexing Managing RAID Volumes To image a boot volume Imaging and Cloning Volumes Using ASRTo repair a failed mirror To restore a volume from an image Understanding Accounts Working with Users and Groups Creating a Local Administrator User Account for a Server Administering and Creating AccountsTo create a local administrator user account To create an local administrator user with a specific UID To create a domain administrator user account Creating a Domain Administrator User Account Creating a Nonadministrator User Account Checking a User’s Administrator PrivilegesTo find the Guid of the administrator user To see if a user is a server administrator Specify the user ID, replacing 1234 with the new user’s ID 102 Removing a User Account Retreiving a User’s GuidTo retrieve a user’s Guid Review the Guid for a particular user Disable the user account by entering the following command Revoking a User’s Right to Access His or Her AccountTo prevent a user from logging To terminate all of a user’s processes To reenable a user account that is disabled Checking a Server User’s Name, UID, or Password To change a user account attribute to a new value Modifying a User AccountAttribute Description To create a mobile account Creating a Mobile User Account To flush the cache Managing Home FoldersCreating a User’s Home Folder To create a home folder for a particular user To create a home folder for users in the local domain Administering Group AccountsMounting a User’s Home Folder To mount a user’s shared home directory on an AFP server To add a group account Creating a Group Account Removing a Group Account You can remove group accounts by using the dscl toolTo remove a group account Adding a User to a Group You can add users to a group using the dscl toolTo add a user to a group Removing a User from a Group You can remove users from a group by using the dscl toolTo remove a user from a group Review the new settings of the group To create a nested group Creating and Deleting Nested GroupTo verify a nested group To unnest a group Editing Group RecordsTo display the information about a particular group To delete a group Creating a Group Folder Viewing the Workgroup a User Selects at LoginTo create a group folder See the CreateGroupFolder man page for more information To import users and groups Importing Users and Groups Writing a Record Description Creating a Character-Delimited User Import FileNumber of attributes in each account record 121 Using the StandardGroupRecord Shorthand Using the StandardUserRecord ShorthandAn example user account looks like this Some examples of permission settings Setting PermissionsViewing Permissions Use one of the following values to set the permission level Setting the umask for Individual Users Use the chmod tool to change permissions for an item Changing PermissionsSee the chmod man page for more information Changing the Owner Securing System AccountsChanging the Group Securing Initial System Accounts Enter the root password when prompted To disable root loginSecuring the Root Account Restricting Use of the sudo Tool Securing Single-User Boot To set the Open Firmware password for increased security Setting Password PolicyComputer should restart and display the login window To view the global password policy To change a user’s passwordTo set the minimum password length to 5 characters To set a more secure global password policy Finding User Account Information Access the help prompt and enter the command nameSee the pwpolicy man page for more information To query for a user by name 132 Managing Share Points Working with File Services Creating a Share Point Listing Share PointsTo list existing share points To create a share point Modifying a Share Point To change share point settings Starting and Stopping AFP Service Managing the AFP ServiceChecking AFP Service Status Viewing AFP Settings List of AFP Settings Changing AFP SettingsTo change a setting To change several settings Authentication mode. Can be Allow an administrator user to masquerade as another userWhether the AFP service should restart automatically when Location of the error log Login greeting message Record user logins in the activity logLast time the login greeting was set or updated Default = -1unlimited List of AFP serveradmin Commands To list connected users Listing Connected UsersValue returned by getConnectedUsers Sending a Message to AFP Users Disconnecting AFP UsersTo send a message To disconnect users To cancel a user disconnect Canceling a User DisconnectComputer will repond with the following output Value Description To list service statistic samples Listing AFP Service StatisticsComputer will respond with the following output To view the latest entries in a log Viewing AFP Log FilesTo display the log paths Value displayed by Starting and Stopping NFS Service Managing the NFS ServiceChecking NFS Service Status Viewing NFS Service Settings Starting FTP Service Managing the FTP ServiceStopping FTP Service Checking FTP Service Status List of FTP Service Settings Changing FTP Service SettingsParameter ftp Description Displays a banner message that appears when Directory in which the FTP content is storedPrompted to log in to the FTP. Customize to your Own preferences Viewing the FTP Transfer Log List of FTP serveradmin CommandsChecking for Connected FTP Users Starting and Stopping SMB/CIFS Service Managing the SMB/CIFS ServiceChecking SMB/CIFS Service Status Viewing SMB/CIFS Service Settings List of SMB/CIFS Service Settings Changing SMB/CIFS Service SettingsParameter smb Description Advanced pane of Windows service settings in the Server Browser service. Can be set toLow errors and warnings only Medium service start and stop, authentication failures Pane of the Windows service settings in the Server Admin Server’s NetBIOS name. Can be set to a maximumWindows service settings in the Server Admin This corresponds to the Wins Registration Off and Enable Listing SMB/CIFS Users List of SMB/CIFS serveradmin Commands Listing SMB/CIFS Service Statistics Disconnecting SMB/CIFS UsersTo list SMB/CIFS connections Computer responds with the following output Location of the SMB service log Viewing SMB/CIFS Service LogsLocation of the name service log Managing ACLs Following are the permissions applicable to folders Using chmod to Modify ACLsTo grant a user write permission for a file To deny a guest read permission for a file Output should look like the following To view the ACL of a file 160 Understanding the Print Process Working with the Print Service Starting and Stopping Print Service Performing Print Service TasksTo start print service To stop print service Viewing Print Service Settings Checking the Status of Print ServiceChanging Print Service Settings Parameter print Description Print Service Settings Parameter printDescription Queue Data Array Command printcommand= Description Managing the Print ServiceFollowing is an example of a queue array parameter block Listing Queues Pausing a QueueListing Jobs and Job Information To pause a queue To hold a job Holding a JobTo release the job Viewing Cover Pages Viewing Print Service Log FilesTo obtain a list of available cover pages 170 Starting and Stopping NetBoot Service Understanding the NetBoot ServiceTo start NetBoot service To stop NetBoot service Viewing NetBoot Settings Checking NetBoot Service StatusChanging NetBoot Settings Volume parameter array Changing General Netboot Service SettingsParameter netboot Description Storage Record Array Image Record Array Filters Record Array To enable NetBoot Enabling NetBoot 1.0 for Older NetBoot ClientsPort Record Array Using hdiutil to Work with System Images Booting from an ImageWorking with System Images Updating an Image Imaging Multiple Clients Using Multicast asr Using asr to Restore System Images To configure a client to receive a multicast stream Choosing a Boot Device Using systemsetup Postfix Agent Understanding the Mail Service Mailman Cyrus Starting and Stopping Mail Service Managing the Mail ServiceChecking the Status of Mail Service Viewing Mail Service Settings Parameter mail Description Mail Service Settings Default = 1s Default = 500sDefault = domain Default = += Default = postfix Default = 0sDefault = 1000s Default = -=+ Default = flush Default = flockDefault = 60s Default = postdrop Default = /usr/bin Default = 10sDefault = mail Default = none Default = 7d Default = smtpDefault = qmgr Default = fcntl Default = showq Default = errorDefault = 5d Default = host Default = active Default = incomingDefault = deferred Default = bounce Default = $home Default = virtualDefault = rewrite Default = 600s Default = hash Default = 30sDefault = Default Default = c Default = auxprop Default = cyrus 193 Listing Mail Service Statistics Mail serveradmin CommandsTo list samples Default = srvr.log Viewing the Mail Service LogsTo display the log locations Location of the server log Backing Up the Mail Files Reconstructing the Mail Database Generating a CSR and Creating a Keychain Setting Up SSL for Mail ServiceEnter a key size at the next prompt, and then press Return 199 Obtaining an SSL Certificate Accessing the Server CertificatesImporting an SSL Certificate into the Keychain To import an SSL certificate into the keychain See the certadmin man page for more information Creating a Password FileTo create a password file To list the certificates stored in the System keychain Enabling Sieve Scripting Configuring Mailboxes Reload the mail service To enable Sieve supportEnabling Sieve Support Sample Sieve Scripts Basic Sort and Anti-Junk Mail Filter Script Self-Defined Forwarding Script Sieve Scripting Resources 206 Files Location Understanding Web Technology Starting and Stopping Web Service Managing the Web ServiceChecking Web Service Status Viewing Web Settings Serveradmin and Apache Settings Changing Web SettingsChanging Settings Using serveradmin Viewing Service Logs Web serveradmin CommandsViewing Service Statistics Listing Hosted Sites V1-Number of requests per second Value you want to display. Valid valuesV2-Throughput bytes/sec V3-Cache requests per second Addsite File Example Script for Adding a WebsiteAddsite.in File To run the script Tuning the Server Performance Apache Tomcat Working with Application Servers and JavaJBoss Server To start Apache Tomcat MySQL Database To install the default databaseTo start JBoss, enter the following To stop JBoss, enter the following To create a database To set the root passwordTo set the network option To start mysqld Managing Network Services Working with Network Services Starting and Stopping Dhcp Service Managing the Dhcp ServiceChecking the Status of Dhcp Service Viewing Dhcp Service Settings Dhcp Service Settings Changing Dhcp Service SettingsTo see a list of available service settings To change a single Dhcp setting About Subnet IDs Dhcp Subnet Settings ArraySubnet Parameter Not set default General pane of the subnet settings in the ServerWins pane of the subnet settings in the Server Lease time in seconds Adding a Dhcp Subnet Corresponds to the NetBIOS Scope ID field in the WinsTo add a subnet Domain name such as apple.com To add a static map Adding a Dhcp Static MapAbout Static Map IDs Viewing the Dhcp Service Log List of Dhcp serveradmin CommandsCommand Dhcpcommand=Description Determine the location of the Dhcp service logs Starting and Stopping the DNS Service Managing the DNS ServiceChecking the Status of DNS Service Viewing DNS Service Settings DNS Service Settings Changing DNS Service SettingsList of DNS serveradmin Commands Viewing the DNS Service Log Managing the Firewall Service Configuring IP Forwarding Checking the Status of Firewall Service Starting and Stopping Firewall ServiceViewing Firewall Service Settings Firewall Startup Firewall Service Settings Changing Firewall Service SettingsParameter ipfilter Description Ipfilter Groups with Rules Array Defining Firewall RulesAdding Rules by Modifying ipfw.conf Unmodified ipfw.conf file Ping cracker.evil.org to determine its IP address Adding Rules Using serveradminTo add a rule An example of this would be similar to the following Ipfilter Rules Array Firewall serveradmin Commands Viewing Firewall Service Log Managing the NAT ServiceUsing Firewall Service to Simulate Network Activity Location of the ipfilter service log Checking the Status of NAT Service Starting and Stopping NAT ServiceViewing NAT Service Settings Changing NAT Service Settings NAT serveradmin Commands NAT Service SettingsParameter nat Description Port Mapping Viewing the NAT Service Log Starting and Stopping VPN Service Managing the VPN ServiceChecking the Status of VPN Service Viewing VPN Service Settings List of VPN Service Settings Changing VPN Service SettingsDefault = Keychain Default = IPSec Default = L2TP Default = ManualDefault = PPP Default = Dsacl Default = Mppe Default = PptpDefault = EAP-RSA Viewing the VPN Service Log List of VPN serveradmin CommandsVPN Service Log on this Restarted. See Using the serveradmin Tool on Location of the VPN service log Configuring Site-to-Site VPNSite-to-Site VPN Adding a VPN Keyagent User IP Failover Prerequisites Setting Up IP FailoverIP Failover Operation Hardware Requirements Enabling IP Failover To enable IP failover Notification Only Configuring IP FailoverPre and Post Scripts To restore the NAT service to its default configuration Restoring the Default Configuration for Server ServicesEnabling PPP Dial-In Re-create the two default records To restore the Dhcp service to its default configurationTo restore the Qtss service to its default configuration To restore the DNS service to its default configuration To restore the VPN service to its default configuration Testing Your Open Directory Configuration Using General Directory ToolsUnderstanding Open Directory Changing Open Directory Service Settings Testing Open Directory Plug-insModifying a Directory Domain Registering URLs with SLP PasswordOptionsString Configuring LdapLDAPTimeoutUnits Default = minutes LDAPServerBackend Managing OpenLDAP Standard Distribution Tools Configuring slapd and slurpd DaemonsTool Used to Idle Timeout Delay RebindIdle Rebinding Options Searching the Ldap Server 256 257 Using Ldif Files Managing NetInfo Configuring NetInfoAdditional Information About Ldap Open Directory Password Server Managing Open Directory PasswordsViewing or Changing Password Policies Enabling or Disabling Authentication Methods Backing Up the Kerberos Database Kerberos and Apple Single Sign-OnTo dump the KDC’s database To load KDC data from a dumped file Principal Management To add a service principalTo add a principal To delete a principal Operating on Directory Service Directory Domains Using Directory Service ToolsUsing kadmin to kerberize a service To kerberize a service from a terminal running on that host Manipulating a Single Named Group Record Finding Network Information Configuring the Active Directory Plug-In Adding or Removing Ldap Server ConfigurationsTo add an Ldap server To remove an Ldap server 266 Understanding QuickTime Streaming Server Performing Qtss Service Tasks Checking Qtss Service Status Starting and Stopping the Qtss ServiceViewing Qtss Settings Changing Qtss Settings Descriptions of Settings Qtss SettingsDefault = qtaccess Look in the sample file for Default = admin Default = digest Managing Qtss Default = qtssListing Current Connections Logs on For connections v1, this is integer average number Viewing Qtss Service StatisticsConnections Forcing Qtss to Reread its Preferences Send a HUP signal to this processTo force Qtss to reread its preferences List the Qtss processes Resetting the Streaming Server Admin User Name and Password Configuring Streaming SecurityTo set up Sites/Streaming/ in older home folders To reset the user name and password Creating an Access File Controlling Access to Streamed Media Quotation marks Between terms, make sure you enclose the entire messagePath and filename of the user file Qtusers Adding User Accounts and Passwords Accessing Protected MediaAdding or Deleting Groups Making Changes to the User or Group File Creating Reference Movies Manipulating QuickTime and MP4 MoviesCreate QuickTime Atom ref movie with extension .qtl Create XML text ref movie with extension .qtl 280 Configuring Your System Logging Configuring the Log File Local Logging To enable remote logging on a client computer Configuring Remote Logging on a Client ComputerConfiguring Remote Logging on a Server Remote Logging Open /etc/rc and locate the following line Or match a single host like this PCI RAID Card Command Reference 286 287 288 Computer account See computer list Glossary Directory node See directory domain Full name See long name 292 293 294 Relay point See open relay Search path See search policy 297 298 Securing Chgrp tool ACL access control list Access136 Example Stopping service Naming 41 Restoring images Logs Lpr Backup Cyrus Mail files Error messages command not found Executing commands Dynamic Host Configuration Protocol. See DhcpImage Booting from 176 updating Disk journaling Backing up Principal management 262 tools and utilities Kerberosautoconfig tool 261 keychain QuickTime Streaming Server. See Qtss 302 AFP DNS Used by ldapsearch 255 scheduling tasks Time, viewing or changing 57 Stopping service 239 Terminating commandsViewing service logs Tools for remote configuration