Apple Mac OS X Server (Administrator’s Guide) User Manual

Browse online or download the User Manual for the software Apple Mac OS X Server (Administrator’s Guide). Apple Mac OS X Server (Administrator’s Guide) User Manual [en] [ru] [de] User Guide

Mac OS X Server
Administrator’s Guide
034-9285.S4AdminPDF 6/27/02 2:07 PM Page 1

Table of Contents

Page 1 - Mac OS X Server

Mac OS X Server Administrator’s Guide 034-9285.S4AdminPDF 6/27/02 2:07 PM Page 1

Page 2 - Apple Computer, Inc

10 Contents Customizing Group Directory Settings 172 Working With Group and Computer Preferences 173 Deleting a Group Account 173 Finding

Page 3

100 Chapter 2 3 Select LDAPv3 in the list of services, then click Configure. 4 If the list of server configurations is hidden, click Show Options. 5 Sel

Page 4

Directory Services 101 6 Click the Connection tab and change any of the settings. Configuration Name identifies this configuration in the list of LDAPv3

Page 5 - 2 Directory Services 65

102 Chapter 2 6 Click the Search & Mappings tab. 7 Select the mappings that you want to use as a starting point, if any. Click “Read from Server”

Page 6

Directory Services 103 To remove a mapping for an attribute, select the attribute in the Record Types and Attributes List. Then click the item that y

Page 7 - 3 Users and Groups 121

104 Chapter 2 Using an Active Directory Server Your Mac OS X Server, like any computer with Mac OS X version 10.2, can use Open Directory to access a

Page 8

Directory Services 105 After creating a new Active Directory server configuration, you should add the server to an automatic search policy supplied by

Page 9

106 Chapter 2 Accessing an Existing LDAPv2 Directory You can configure a Mac OS X computer to retrieve administrative data from one or more LDAPv2 ser

Page 10 - Contents

Directory Services 107 3 Select LDAPv2 in the list of services, then click Configure. 4 Create a new configuration or duplicate an existing configuration

Page 11 - Contents

108 Chapter 2 Select “Use anonymous access” if Open Directory should connect to the LDAPv2 server without using a name and password. Select “Use the

Page 12 - 4 Sharing 205

Directory Services 109 Select Users in the Record Type list. Then edit the “Maps to” value to specify a search base on the LDAPv2 server that provide

Page 13 - 5 File Services 221

Contents 11 Choosing a Password 192 Migrating Passwords 193 Setting Up Password Validation Options 193 Storing Passwords in User Accounts

Page 14

110 Chapter 2 Select GroupMembership in the Data Type column. Then edit the “Maps to” value to identify the LDAPv2 attribute that stores a list of u

Page 15

Directory Services 111 To create a shared NetInfo domain: 1 Open the Open Directory Assistant application. 2 Enter the connection and authentication in

Page 16

112 Chapter 2 • With static binding, you specify the address and NetInfo tag of the shared NetInfo domain. This is most commonly used when the share

Page 17

Directory Services 113 Adding a Machine Record to a Parent NetInfo Domain Mac OS X computers can bind their directory domains to a parent NetInfo doma

Page 18

114 Chapter 2 5 To delete a port property, select it and choose Delete from the Edit menu. 6 To add a property, choose New Property from the Directo

Page 19

Directory Services 115 Using Berkeley Software Distribution (BSD) Configuration Files Historically, UNIX computers have stored administrative data in

Page 20 - 7 Print Service 315

116 Chapter 2 You can specify different BSD configuration files by editing the DSFFPlugin.plist file. This file contains structured text in XML format a

Page 21 - 8 Web Service 337

Directory Services 117 The dictionary that defines a BSD configuration file has the fields specified in the table below. You can see examples of these fie

Page 22

118 Chapter 2 Setting Up Data in BSD Configuration Files If you want a Mac OS X computer to get administrative data from BSD configuration files, the d

Page 23 - 9 Mail Service 369

Directory Services 119 5 When you finish configuring the remote computer, choose Disconnect from the Server menu on your computer. Monitoring Directory

Page 24

12 Contents Mac OS X User in Shared NetInfo Domain Can’t Log In 204 Kerberos Users Can’t Authenticate 204 4 Sharing 205 Privileges 2

Page 26

121 CHAPTER 3 3 Users and Groups User and group accounts play a fundamental role in a server’s day-to-day operations: • A user account stores data Mac O

Page 27

122 Chapter 3 How User Accounts Are Used When you define a user’s account, you specify the information needed to prove the user’s identity: user name

Page 28

Users and Groups 123 If Mac OS X finds a user account containing the name entered by the user, it attempts to validate the password associated with th

Page 29

124 Chapter 3 • A non-Apple LDAP server can be used to validate the password. Clients needing password validation, such as login window and the AFP s

Page 30

Users and Groups 125 Directory and File Owner Access When a directory or file is created, the file system stores the UID of the user who created it. Whe

Page 31 - 12 NetBoot 485

126 Chapter 3 Local Mac OS X Computer Administration Any user who belongs to the group “admin” in the local directory domain of any Mac OS X computer

Page 32

Users and Groups 127 Mail Settings You can create a Mac OS X Server mail service account for a user by setting up mail settings in the user’s account.

Page 33 - 14 DNS Service 515

128 Chapter 3 Group Directories When you define a group, you can also specify a directory for storing files you want group members to share. The locati

Page 34 - 15 Firewall Service 525

Users and Groups 129 When a managed user logs in, the preferences that take effect are a combination of his user preferences and preferences set up f

Page 35 - 16 SLP DA Service 545

Contents 13 Changing Share Point Owner and Privilege Settings 217 Changing the Protocols for a Share Point 218 Deleting an NFS Client from a

Page 36

130 Chapter 3 Predefined Accounts The following table describes the user accounts that are created automatically when you install Mac OS X (unless ot

Page 37 - Index 591

Users and Groups 131 The following table characterizes the group accounts that are created automatically when you install Mac OS X. Predefined group n

Page 38

132 Chapter 3 Setup Overview These are the major user and group administration activities: • Step 1: Before you begin, do some planning. • Step 2: S

Page 39 - How to Use This Guide

Users and Groups 133 Make sure that any user who will be using Workgroup Manager to add and change users and groups in directory domains has director

Page 40 - Preface

134 Chapter 3 • “Creating User Accounts in Directory Domains on Mac OS X Server” on page 137 and “Creating Read-Write LDAPv3 User Accounts” on page

Page 41 - How to Use This Guide

Users and Groups 135 Step 9: Review user and group account information as needed Workgroup Manager makes it easy for you to review and optionally upda

Page 42

136 Chapter 3 Note: If all the domains have not been finalized when you are ready to start adding accounts, simply add them to any domain that alrea

Page 43 - Administering Your Server

Users and Groups 137 • Decide who you want to be able to administer users and groups and make sure they have administrator privileges. “Administratio

Page 44 - File and Printer Sharing

138 Chapter 3 4 Click the lock to be authenticated as a directory domain administrator. 5 From the Server menu, choose New User. 6 Specify settings f

Page 45 - Open Directory Services

Users and Groups 139 3 Use the At pop-up menu to open the domain in which the user’s account resides. 4 Click the lock to be authenticated. 5 Click the

Page 46 - High Availability

14 Contents Enabling AppleTalk Browsing for Apple File Service 232 Setting Maximum Connections for Apple File Service 232 Turning On Access L

Page 47 - Directory Services

140 Chapter 3 • 0 through 9 • _ (underscore) • - (hyphen) • . (period) • (space) For example, Dr. Arnold T. Smith. You can use Workgroup Manager to edi

Page 48

Users and Groups 141 • _ (underscore) • - (hyphen) • . (period) Typically, short names contain eight or fewer characters. You can use Workgroup Manager t

Page 49 - Windows Services

142 Chapter 3 Consider an example that consists of three shared directory domains. Tony Smith has an account in the Students domain, and Tom Smith h

Page 50

Users and Groups 143 If Tony has a user record in his local directory domain that has the same names and password as his record in the Students domai

Page 51

144 Chapter 3 When Tom attempts to access MyDoc, Mac OS X searches the login hierarchy for user records with short names that match those associated

Page 52 - Chapter 1

Users and Groups 145 Defining Passwords See “Understanding Password Validation” on page 189 for details about setting up and managing passwords. Assign

Page 53 - Network Services

146 Chapter 3 6 Click Privileges to specify what the user should be able to administer in the domain. By default, the user has no directory domain p

Page 54

Users and Groups 147 To work with login settings using Workgroup Manager: 1 In Workgroup Manager, open the account you want to work with if it is not

Page 55 - QuickTime Streaming Service

148 Chapter 3 In Workgroup Manager, use the Groups tab in the user account window to work with group settings. See “Administering Group Accounts” on

Page 56

Users and Groups 149 To open the account, click the Account button, then use the At pop-up menu to open the directory domain where the account reside

Page 57 - For more

Contents 15 Secure FTP Environment 244 User Environments 245 On-the-Fly File Conversion 247 Custom FTP Root 248 Kerberos Authentication

Page 58 - Open Directory Assistant

150 Chapter 3 Working With Mail Settings for Users You can create a Mac OS X Server mail service account for a user by specifying mail settings for t

Page 59 - Workgroup Manager

Users and Groups 151 4 The Mail Server field contains the DNS name or IP address of the server to which the user’s mail should be routed. When you ent

Page 60 - Server Settings

152 Chapter 3 In Workgroup Manager, use the Print tab in the user account window to work with a user’s print quotas: • Select None (the default) to d

Page 61 - Server Status

Users and Groups 153 4 Click “Per Queue,” then use the Queue Name pop-up menu to select the print queue for which you want to define a user quota. If

Page 62 - Server Monitor

154 Chapter 3 Working With Managed Users See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac OS 9 and OS 8,” for in

Page 63 - Streaming Server Admin

Users and Groups 155 Disabling a User Account To disable a user account, you can • delete the account (see “Deleting a User Account” on page 154) • chan

Page 64

156 Chapter 3 Distributing Home Directories Across Multiple Servers The following illustration depicts using one Mac OS X Server for storing user acc

Page 65

Users and Groups 157 Setting Up Home Directories for Users Defined in Existing Directory Servers When you integrate Mac OS X Server into an environmen

Page 66

158 Chapter 3 1 Retrieving user information. When the user logs in, the Mac OS X computer retrieves the user’s account from Active Directory and aut

Page 67 - Directory Services 67

Users and Groups 159 3 Setting up home directory access. Next, the server retrieves the user’s Active Directory record and authenticates the user. Th

Page 68 - Data Consolidation

16 Contents Viewing Current NFS Exports 258 Supporting Client Computers 259 Supporting Mac OS X Clients 259 Connecting to the Apple File S

Page 69 - Data Distribution

160 Chapter 3 Choosing a Protocol for Home Directories You can set up home directories so they can be accessed using either AFP or NFS. The preferred

Page 70

Users and Groups 161 Because of the way home directory disk quotas work, you may want to set up home directory share points on a partition different

Page 71 - Directory Services 71

162 Chapter 3 Defining No Home Directory You can use Workgroup Manager to avoid creating a home directory for a user whose account is stored in a Net

Page 72

Users and Groups 163 Defining a Network Home Directory In Workgroup Manager, you can set up a home directory for users defined in shared directory dom

Page 73 - Directory Services 73

164 Chapter 3 To open an account, click the Account button, then use the At pop-up menu to open the directory domain where the user’s account reside

Page 74 - Local Data

Users and Groups 165 3 Specify the disk quota using the Disk Quota field and the adjacent pop-up menu. Defining Default Home Directories for New Users Y

Page 75 - Shared Data

166 Chapter 3 To create a group account: 1 Ensure that the directory services of the Mac OS X Server you are using has been configured to access the d

Page 76

Users and Groups 167 Changing Group Accounts You can use Workgroup Manager to change a group account that resides in a NetInfo or LDAPv3 directory dom

Page 77 - Directory Services 77

168 Chapter 3 In Workgroup Manager, use the Members tab in the group account window to work with member settings. When the name of a user in the Memb

Page 78

Users and Groups 169 2 Click the Members tab. 3 Select the user or users you want to remove from the group, then click Remove. Naming a Group A group h

Page 79 - Two-Level Hierarchies

Contents 17 Setting Up Group Accounts 271 Setting Up Computer Accounts 271 Creating a Computer Account 272 Creating a Preset for Computer

Page 80

170 Chapter 3 2 In the Name or “Short name” field on the Members tab, review or edit the names. Before saving a new name, Workgroup Manager checks to

Page 81 - More Complex Hierarchies

Users and Groups 171 Creating Group Directories Before you can designate a directory as a group directory, you must create a share point for the direc

Page 82

172 Chapter 3 Check “Mount group volume at startup” to automatically display the group directory in the Finder. Customizing Group Directory Settings W

Page 83 - The Automatic Search Policy

Users and Groups 173 Working With Group and Computer Preferences See Chapter 6, “Client Management: Mac OS X,” and Chapter 10, “Client Management: Mac

Page 84 - Custom Search Policies

174 Chapter 3 After you choose directory domains, all the accounts residing in those domains are listed. You can sort the list by clicking a column

Page 85 - General Planning Guidelines

Users and Groups 175 To list accounts in directory domains accessible from a server: 1 In Workgroup Manager, log in to a server from which the directo

Page 86

176 Chapter 3 Shortcuts for Working With Users and Groups When using Workgroup Manager to work with user and group accounts, several shortcuts can sa

Page 87 - Directory Services 87

Users and Groups 177 3 To create a preset using data in an existing user account, open the account. To create a preset using an empty user account, c

Page 88 - Password Server Database

178 Chapter 3 Renaming Presets To rename a preset: 1 Open Workgroup Manager on the server where the preset has been defined. 2 Click the Accounts button

Page 89 - Password Server Security

Users and Groups 179 • XML files created by exporting accounts on Mac OS X Server versions 10.1 and earlier. • Character-delimited files created by expo

Page 90

18 Contents Editing Preferences for Multiple Records 287 Disabling Management for Specific Preferences 287 Managing Applications Preferences

Page 91 - Directory Services 91

180 Chapter 3 To import accounts using Workgroup Manager: 1 Create a character-delimited or XML file containing the accounts to import, and place it i

Page 92

Users and Groups 181 7 In the First User ID field, enter the UID at which to begin assigning UIDs to new user accounts for which the import file contai

Page 93 - Directory Services 93

182 Chapter 3 -s imports accounts from an XML file formatted as “Using XML Files Created With Mac OS X Server 10.1 or Earlier” on page 186 describes.

Page 94 - 4 Click Apply

Users and Groups 183 -s startingUID specifies the starting UID to use when importing from an ASIP XML file or a character-delimited file that contains ne

Page 95 - Directory Services 95

184 Chapter 3 -y ipAddress is the IP address of a remote Mac OS X Server from which the directory domain is visible. -V adds the version number of dsim

Page 96

Users and Groups 185 file names the file to which you want to export accounts, including the path to the file. For example, /tmp/Export1. The file shoul

Page 97 - Directory Services 97

186 Chapter 3 2 Open the Terminal application and type the dsimportexport command. The dsimportexport tool is located in /usr/sbin. Using XML Files

Page 98

Users and Groups 187 • comment • indication of whether user can log in • <password format> and <password text>. • Apple mail data • indicat

Page 99 - Directory Services 99

188 Chapter 3 Writing a Record Description A record description identifies the fields in each record you want to import from a character-delimited file;

Page 100 - Chapter 2

Users and Groups 189 jim:Adl47E$:408:20:J. Smith, Jr., M.D.:/Network/Servers/somemac/Homes/jim:/bin/csh Using the StandardUserRecord Shorthand When the

Page 101 - Directory Services 101

Contents 19 Controlling User Access to Remote Servers 299 Controlling User Access to Folders 300 Preventing Users From Ejecting Disks 300

Page 102

190 Chapter 3 • Using LDAP bind authentication with a non-Apple LDAPv3 directory server. Clients needing password validation, such as login window a

Page 103 - Directory Services 103

Users and Groups 191 Contrasting Password Validation Options Here are the pros and cons of the options for validating a user’s password: • Storing a pa

Page 104

192 Chapter 3 • Using an LDAP server. This option, like Kerberos, offers a way to integrate your Mac OS X Server into an existing authentication sch

Page 105 - Directory Services 105

Users and Groups 193 • Windows service accepts 7-bit ASCII passwords. • Server Settings accepts 7-bit or 8-bit ASCII passwords. Migrating Passwords Whe

Page 106

194 Chapter 3 A user’s password is stored in the user account in an encrypted form, derived by feeding a random number along with the clear text pas

Page 107 - Directory Services 107

Users and Groups 195 Using a Password Server The Password Server stores passwords, but never allows passwords to be read. Passwords can only be set an

Page 108

196 Chapter 3 • Data about the user that is useful in log records, such as the short name. • Password policy data. Setting Up a Password Server The a

Page 109 - Directory Services 109

Users and Groups 197 5 On the Advanced tab, click Options to set up the user’s password policy. Click OK when you are done. The password ID is a uniqu

Page 110

198 Chapter 3 • Telnet server These services have been “Kerberized.” Only services that have been Kerberized can use Kerberos to validate a user. Unde

Page 111 - Directory Services 111

Users and Groups 199 3 The client contacts the KDC with the ticket-granting ticket when it wants to use a particular Kerberized service. 4 The KDC iss

Page 112

Apple Computer, Inc. © 2002 Apple Computer, Inc. All rights reserved. Under the copyright laws, this publication may not be copied, in whole or in

Page 113 - Directory Services 113

20 Contents 7 Print Service 315 What Printers Can Be Shared? 316 Who Can Use Shared Printers? 317 Setup Overview 317 Before You Begin

Page 114

200 Chapter 3 4 On Mac OS X Server, place the edu.mit.Kerberos configuration file in /Library/Preferences/. This file is not sensitive, so it can be pl

Page 115 - Directory Services 115

Users and Groups 201 Enabling Kerberos Authentication for Telnet To set up Telnet support, edit the /etc/inetd.conf file to enable Telnet. Solving Probl

Page 116

202 Chapter 3 • To back up a Password Server, back up these two files: /var/db/authserver/authservermain and /var/db/authserver/authserverfree. Make

Page 117 - Directory Services 117

Users and Groups 203 • You must be a domain administrator for any Apple directory domain storing the account. • The directory domain must be a NetInfo

Page 118

204 Chapter 3 • If an AFP client prior to version 3.8.3 fails to authenticate, use AFP 2-Way Random authentication in Password Server for these old

Page 119 - Directory Services 119

205 CHAPTER 4 4 Sharing The Sharing module of Workgroup Manager lets you share information with clients of the Mac OS X Server and control access to sha

Page 120

206 Chapter 4 Note: QuickTime Streaming Server and WebDAV have their own privileges settings. For information about QTSS, refer to the QTSS online

Page 121 - Users and Groups

Sharing 207 Everyone Everyone is any user who can log in to the file server: registered users, guests, anonymous FTP users, and Web site visitors. Priv

Page 122 - Authentication

208 Chapter 4 Share Points in the Network Globe The Network globe on OS X clients represents the Darwin /Network directory. By default, the Network g

Page 123 - Password Validation

Sharing 209 Step 1: Read “Before You Begin” Read “Before You Begin” on page 209 for issues you should consider before sharing information on your netw

Page 124 - Information Access Control

Contents 21 Deleting a Print Queue 329 Managing Print Jobs 329 Monitoring a Print Job 329 Stopping a Print Job 330 Putting a Print Job

Page 125 - Administration Privileges

210 Chapter 4 Conversely, you might want to set up share points using a single protocol even though you have different kinds of clients. For example

Page 126 - Home Directories

Sharing 211 • Set privileges for Everyone to None for files and folders that guest users should not access. Items with this privilege setting can only

Page 127 - User Preferences

212 Chapter 4 Note: You should not assign Write Only access privileges to a file or share point. Only folders inside a share point should be assigne

Page 128 - Users and Managed Users

Sharing 213 5 Select “SMB clients see custom name for this item” if you want the item to appear with a name different from its real one. 6 Enter the

Page 129 - Guest Users

214 Chapter 4 7 In the text box that appears, type the IP address or host name to add the client to the “Computer or Netgroup” list. 8 Select ”Map R

Page 130 - Predefined Accounts

Sharing 215 8 For the Mount option: Choose “dynamically in Network/Servers” if you want client users to see share points in the /Network/Servers folder

Page 131 - Users and Groups 131

216 Chapter 4 Turning Sharing Off Because sharing is not a service, you cannot turn sharing on and off on a Mac OS X Server. You “turn sharing off”

Page 132 - Chapter 3

Sharing 217 To view share points on a server: 1 In Workgroup Manager, click Sharing. 2 Click the Share Points tab. Copying Privileges to Enclosed Items

Page 133 - Step 6: Create users

218 Chapter 4 Changing the Protocols for a Share Point You use the Advanced pane of Workgroup Manager to change the protocols for a share point. To ch

Page 134 - Step 7: Create groups

Sharing 219 2 In Workgroup Manager, click Sharing. 3 Select Share Points and select the folder you want to use as a drop box. 4 Select the Sharing tab

Page 135 - Users and Groups 135

22 Contents Starting or Stopping Web Service 343 Starting Web Service Automatically 343 Modifying MIME Mappings 343 Setting Up Persistent

Page 137 - Users and Groups 137

221 CHAPTER 5 5 File Services File services enable clients of the Mac OS X Server to access files, applications, and other resources over a network. Mac

Page 138

222 Chapter 5 You must configure and turn on file services in order for clients to be able to access shared information—the volumes and folders that y

Page 139 - Users and Groups 139

File Services 223 Client Computer Requirements For information on client computer requirements, see “Supporting Client Computers” on page 259. Setup Ov

Page 140 - Defining Short Names

224 Chapter 5 Apple File Service Apple file service allows Macintosh client users to connect to your server and access folders and files as if they wer

Page 141 - Avoiding Duplicate Names

File Services 225 Before You Set Up Apple File Service If you asked the Server Assistant to configure Apple file service when you installed Mac OS X Ser

Page 142

226 Chapter 5 This option is selected automatically when you start the server and in most cases it’s best to leave it selected. 6 Select “Enable brow

Page 143 - Users and Groups 143

File Services 227 Guest access is a convenient way to provide occasional users with access to files and other items in share points that allow guest a

Page 144 - Defining User IDs

228 Chapter 5 The server closes the log at the end of each archive period, renames the log to include the current date, and then opens a new log file

Page 145 - Users and Groups 145

File Services 229 This ensures that server resources are available to active users. Mac OS X version 10.2 (and later) clients will be able to resume

Page 146

Contents 23 WebMail and Your Mail Server 359 WebMail Protocols 359 Enabling WebMail 359 Configuring WebMail 360 Setting Up Secure Socket

Page 147 - Users and Groups 147

230 Chapter 5 To view Apple file service status: 1 In Server Status, locate the name of the server you want to monitor in the Devices & Services

Page 148

File Services 231 5 Click Shutdown. Note: Stopping the server disables the “Start Apple File Service on system startup” option. Starting Up Apple Fil

Page 149 - Users and Groups 149

232 Chapter 5 Enabling AppleTalk Browsing for Apple File Service If you enable browsing with AppleTalk, users can see your servers and other network

Page 150

File Services 233 Archiving Apple File Service Logs You can specify how often the contents of the access and error logs for Apple file service are save

Page 151 - Users and Groups 151

234 Chapter 5 Disconnecting Idle Users From the Apple File Server You can set Apple file service to automatically disconnect users who are connected t

Page 152

File Services 235 If you change the message, users will see the new message the next time they connect to the server. 5 Click Save. Sending a Message t

Page 153 - Users and Groups 153

236 Chapter 5 Windows Services Specifications Before You Set Up Windows Services If you plan to provide Windows services on your Mac OS X Server, read

Page 154

File Services 237 Authentication Manager is supported for upgrades from earlier versions of Mac OS X Server (10.1 and earlier). Existing users will c

Page 155 - Users and Groups 155

238 Chapter 5 If practical, make the server name match its unqualified DNS host name. For example, if your DNS server has an entry for your server as

Page 156

File Services 239 The maximum number of simultaneous users is also limited by the type of license you have. For example, if you have a 10-user licens

Page 157 - Users and Groups 157

24 Contents Where Mail Is Stored 373 How User Account Settings Affect Mail Service 373 What Mail Service Can Do About Junk Mail 373 SMTP A

Page 158

240 Chapter 5 3 Click the Neighborhood tab. 4 Under WINS Registration, choose whether you want to register with a WINS server, either locally or ext

Page 159 - Users and Groups 159

File Services 241 To set automatic startup: 1 In Server Settings, click the File & Print tab. 2 Click Windows and choose Configure Windows Services.

Page 160

242 Chapter 5 The list includes the users’ names, IP addresses, and duration of connections. A button at the bottom of the pane lets you disconnect

Page 161 - Users and Groups 161

File Services 243 2 Click Windows and choose Configure Windows Services. 3 Click the Access tab. 4 Click Unlimited, or type the maximum number of connec

Page 162

244 Chapter 5 Assigning the Windows Server to a Workgroup Users see the workgroup name in the Network Neighborhood window. If you have Windows domain

Page 163 - Users and Groups 163

File Services 245 User Environments Mac OS X Server provides three different user environments that determine how the FTP root, share points, and home

Page 164

246 Chapter 5 Note that in this example, /Users, /Volumes/Data, and /Volumes/Photos are FTP share points. All users can see the home directories of

Page 165 - Users and Groups 165

File Services 247 Home Directory Only In the Restricted user environment, real users are confined to their home directories and do not have access to t

Page 166

248 Chapter 5 The table below shows common file extensions and the type of compression they designate. Custom FTP Root For increased security, Mac OS X

Page 167 - Users and Groups 167

File Services 249 Restrictions on Anonymous FTP Users (Guests) Enabling anonymous FTP poses a security risk to your server and data because you open y

Page 168

Contents 25 Controlling IMAP Connections Per User 386 Terminating Idle IMAP Connections 387 Changing the IMAP Port Number 387 Working With

Page 169 - Naming a Group

250 Chapter 5 Step 6: Create an “uploads” folder for FTP users (optional) If you enabled anonymous access in Step 2, you may want to create a folder

Page 170 - Defining a Group ID

File Services 251 9 In the “Administrator E-mail Address” field, enter an email address if you want to provide a way for users to contact the administ

Page 171 - Users and Groups 171

252 Chapter 5 5 In the “Log Anonymous Users” section, select the events you want to appear in the FTP log for anonymous users. You can select FTP Co

Page 172

File Services 253 To stop FTP service: 1 In Server Settings, click the File & Print tab. 2 Click FTP and choose Stop FTP. Setting Up Anonymous FTP S

Page 173 - Users and Groups 173

254 Chapter 5 Specifying the FTP Authentication Method You use the Advanced pane of Configure FTP Service to specify the authentication method. To spec

Page 174

File Services 255 2 Click FTP and choose Configure FTP Service. 3 Click the Logging tab. 4 Select the log options for real users: FTP Commands, Rule Vi

Page 175 - Users and Groups 175

256 Chapter 5 Network File System (NFS) Service Network File System is the protocol used for file services on UNIX computers. Use NFS to provide file s

Page 176 - 2 Click the Accounts button

File Services 257 Step 1: Before You Begin Read “Before You Set Up NFS Service” on page 256 for issues you should keep in mind when you set up NFS ser

Page 177 - Users and Groups 177

258 Chapter 5 User Datagram Protocol (UDP) doesn’t break data into packets, so it uses fewer system resources. It’s more scalable than TCP, and a go

Page 178

File Services 259 To view current NFS exports: • In Terminal, enter “showmount -e”. If this command does not return results within a few seconds, there

Page 179 - Users and Groups 179

26 Contents Limiting Delivery Attempts in Mail Service 402 Sending Nondelivery Reports to Postmaster 403 Monitoring Mail Status 403 Viewin

Page 180

260 Chapter 5 3 Click Connect. 4 Enter your user name and password, then click Connect. 5 Select the server volume you want to use and click OK. Settin

Page 181

File Services 261 • TCP/IP • AppleShare 3.7 or later Go to the Apple support Web site at www.apple/support/ to find out the latest version of AppleShar

Page 182

262 Chapter 5 See “Ensuring the Best Cross-Platform Experience” on page 236 for information about setting up a dedicated share point for Windows use

Page 183 - Users and Groups 183

File Services 263 Solving Problems With File Services Solving Problems With Apple File Service User Can’t Find the Apple File Server • Make sure the net

Page 184

264 Chapter 5 • Go to the DOS prompt on the client computer and type “ping [IP address],” where “IP address” is your server’s address. If the ping f

Page 185 - Users and Groups 185

File Services 265 • See if there are any problems with directory services, and if the directory services server is operating and connected to the net

Page 187 - Users and Groups 187

267
CHAPTER 6
6 Client Management: Mac OS X
Workgroup Manager provides network administrators with a centralized method of managing Mac OS X workstation

Page 188

268 Chapter 6
This chapter summarizes certain aspects of Mac OS X client management, describes how to set up Mac OS X computer accounts using Workgr

Page 189 - Users and Groups 189

Client Management: Mac OS X 269
Before You Begin
You should consider taking advantage of client management if
• you want to provide users with a consis

Page 190

Contents 27
The Multi-User Items Folder 419
How the Multi-User Items Folder Is Updated 420
How Macintosh Manager Works With Directory Service

Page 191 - Users and Groups 191

270 Chapter 6
Step 3: Make sure users and their home directories exist
Use Workgroup Manager to set up user accounts and home directories. Once users

Page 192 - Choosing a Password

Client Management: Mac OS X 271
If users have local accounts on specific computers, you can still manage their user preferences on the client computer

Page 193 - Migrating Passwords

272 Chapter 6
When a computer starts up, it checks directory services for a computer account record that contains its Ethernet address and uses sett

Page 194

Client Management: Mac OS X 273
Note: Computers cannot belong to more than one list, and you cannot add computers to the Guest Computers account.
Cre

Page 195 - Users and Groups 195

274 Chapter 6
3 Click the lock and enter your user name and password.
4 Click the Computers tab, then click List.
5 Choose the preset you want to use

Page 196

Client Management: Mac OS X 275
2 Use the At pop-up menu to find the directory domain that contains the computer account you want to modify, then clic

Page 197 - Users and Groups 197

276 Chapter 6
6 In the List pane, select one or more computers in that account’s computer list.
7 Click Remove.
Deleting a Computer Account
If you no l

Page 198 - Understanding Kerberos

Client Management: Mac OS X 277
Managing Guest Computers
If an unknown computer (one that isn’t already in a computer account) connects to your networ

Page 199 - Users and Groups 199

278 Chapter 6
If you do not select settings or preferences for the Guest Computers account, guest computers are not managed. However, if the person

Page 200

Client Management: Mac OS X 279
Making Computers Available to All Users
If you want, you can make computers in a list available to any user in any gro

Page 201 - Users and Groups 201

28 Contents
Granting a User System Access 434
Changing Advanced Settings 434
Limiting a User’s Disk Storage Space 435
Updating User Inform

Page 202

280 Chapter 6
8 If you want to show only certain workgroups to users during login, select “Restrict to groups below,” and add groups to the list.
9 C

Page 203 - Users and Groups 203

Client Management: Mac OS X 281
• The user does not have administrator privileges, but has a local account.
Set up a local administrator account on th

Page 204

282 Chapter 6
In addition to various settings for users, groups, and computer accounts, Workgroup Manager provides control over these preferences:
Ma

Page 205 - Privileges

Client Management: Mac OS X 283
About the Preferences Cache
Only local user accounts use a preference cache. The preference cache is created on the lo

Page 206 - Chapter 4

284 Chapter 6
3 Click the lock and enter your user name and password.
4 Click the Computers tab and select a computer account from the list.
5 Click C

Page 207 - Network Globe Contents

Client Management: Mac OS X 285
Managing a Preference Once
If you want to manage a preference initially for users, but allow them to make changes if t

Page 208

286 Chapter 6
6 In each tab for that preference, choose a management setting. Then select preference settings or fill in information you want to use.

Page 209 - Step 4: Turn file services on

Client Management: Mac OS X 287
2 Use the At pop-up menu to find the directory domain that contains the user account you want, then click Preferences.

Page 210 - Security Issues

288 Chapter 6
Two preferences (Printing and Media Access) do not have a management settings bar for each tab. Instead, a management bar is displayed

Page 211 - 3 Click the Sharing tab

Client Management: Mac OS X 289
8 When you have finished adding applications to the list, click Apply Now.
Preventing Users From Opening Applications

Page 212

Contents 29
Restricting Access to Printers 448
Setting Print Quotas 448
Allowing Users to Exceed Print Quotas 448
Setting Up a System Acce

Page 213 - Sharing 213

290 Chapter 6
5 Click the Applications preference icon, then click Items.
6 Set the management setting to Always.
7 If you have not already created a

Page 214

Client Management: Mac OS X 291
8 Click Apply Now.
Managing Classic Preferences
Classic Preferences are used to set Classic startup options, select the

Page 215 - Sharing 215

292 Chapter 6
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account list.
5 Click the Cla

Page 216

Client Management: Mac OS X 293
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Cli

Page 217 - Sharing 217

294 Chapter 6
5 Click Advanced and set the management setting to Always.
6 Deselect “Hide other Apple menu items.”
7 Click Apply Now.
Adjusting Classic

Page 218

Client Management: Mac OS X 295
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Cli

Page 219 - 6 Click Save

296 Chapter 6
7 To add individual applications, regular folders, and documents to the Dock, click Add to browse and select the item you want.
To remo

Page 220

Client Management: Mac OS X 297
These items still appear in the top-level directory when a user clicks the Computer icon in a Finder window toolbar.
T

Page 221 - File Services

298 Chapter 6
Making File Extensions Visible
A file extension usually appears at the end of a file name (for example, “.txt” or “.jpg”). Applications u

Page 222

Client Management: Mac OS X 299
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Cli

Page 223 - File Services 223

3 Contents
Preface How to Use This Guide 39
What’s Included in This Guide 39
Using This Guide 40
Setting Up Mac OS X Server for the First

Page 224 - Chapter 5

30 Contents
Creating Login Messages for Computers 460
Customizing Panel Names 460
Managing Portable Computers 461
Portable Computers With

Page 225 - TCP port number 548

300 Chapter 6
2 Use the At pop-up menu to find the directory domain that contains the account you want, then click Preferences.
3 Click the lock and e

Page 226

Client Management: Mac OS X 301
5 Click Commands and set the management setting to Always.
6 Deselect Eject.
7 Click Apply Now.
Hiding the Burn Disc Com

Page 227 - File Services 227

302 Chapter 6
5 Click Commands and set the management setting to Always.
6 Deselect “Restart/Shut Down.”
7 Click Apply Now.
As an additional preventive

Page 228

Client Management: Mac OS X 303
Adjusting the Appearance of Finder Window Contents
Items in Finder windows can be viewed in a list or as icons. You ca

Page 229 - File Services 229

304 Chapter 6
11 Click Computer View and adjust Icon View and List View settings for the computer view. Available settings are similar to those avai

Page 230

Client Management: Mac OS X 305
4 Select a user, group, or computer account in the account list, then click the Internet preference icon.
5 Click Web

Page 231 - File Services 231

306 Chapter 6
Select “Show local users” to include local user accounts in the list.
Select “Show network users” to include network users in the list.

Page 232

Client Management: Mac OS X 307
6 Select “Hide Restart and Shut Down buttons in the Login Window.”
7 Click Apply Now.
Login Items Preferences
Settings f

Page 233 - File Services 233

308 Chapter 6
Managing Media Access Preferences
Media Access preferences let you control settings for and access to CDs, DVDs, the local hard drive,

Page 234

Client Management: Mac OS X 309
Controlling the Use of Recordable Discs
If a computer has the appropriate hardware, users can “burn discs” or write in

Page 235 - 3 Click Send Message

Contents 31
Applications Don’t Work Properly or Don’t Open 472
Users Can’t Drag and Drop Between Applications 473
Users Can’t Open Files From

Page 236

310 Chapter 6
To restrict access to internal and external disks:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that c

Page 237 - 3 Click the General tab

Client Management: Mac OS X 311
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account lis

Page 238

312 Chapter 6
Select a printer in the Available Printers list, then click “Add to List” to make that printer available in the User’s Printer List.
If

Page 239 - File Services 239

Client Management: Mac OS X 313
3 Click the lock and enter your user name and password.
4 Select a user, group, or computer account in the account lis

Page 240

314 Chapter 6
To restrict access to a specific printer:
1 Open Workgroup Manager.
2 Use the At pop-up menu to find the directory domain that contains t

Page 241 - File Services 241

315
CHAPTER 7
7 Print Service
Print service lets you share network printers for clients of the Mac OS X Server. You share printers by setting up print q

Page 242

316 Chapter 7
What Printers Can Be Shared?
Mac OS X Server supports PostScript-compatible printers connected to your network using AppleTalk or the L

Page 243 - File Services 243

Print Service 317
Who Can Use Shared Printers?
Shared printers can be used over the network by users who submit print jobs using AppleTalk, LPR, or Se

Page 244 - Secure FTP Environment

318 Chapter 7
Step 2: Start up and configure print service
Use Server Settings to start up and configure the print service. Print service configuration

Page 245 - File Services 245

Print Service 319
Before You Begin
Before you set up print service, determine which protocols are used for printing by client computers. When you confi

Page 246

32 Contents
Administrator Requirements 486
Server Requirements 486
Client Computer Requirements 487
Network Requirements 488
Capacity P

Page 247 - File Services 247

320 Chapter 7
If you choose None, print jobs sent to the default queue will not be accepted by the server (and therefore will not be printed).
7 Sele

Page 248 - Before You Set Up FTP Service

Print Service 321
You’ll probably need to change the queue name if users who print to your queues have restrictions on printer names they can use. Fo

Page 249 - File Services 249

322 Chapter 7
The Open Directory printer is named using the queue name defined in the Print module of Server Settings. LPR clients do not support nam

Page 250

Print Service 323
Setting Up Printing on Client Computers
Mac OS X Clients
Mac OS X users must add shared print queues to their Print Center printer li

Page 251 - File Services 251

324 Chapter 7
Mac OS 8 and Mac OS 9 Clients
Mac OS 8 and 9 support both AppleTalk and LPR printers. Users can set up printing to a server print queue

Page 252

Print Service 325
Windows Clients
To enable printing by Windows users who submit jobs using SMB, make sure Windows services are running and that one o

Page 253 - File Services 253

326 Chapter 7
Stopping Print Service
You use the File & Print pane in Server Settings to stop print service.
To stop print service:
1 In Server Set

Page 254

Print Service 327
Putting a Print Queue on Hold (Stopping a Print Queue)
To prevent jobs in a queue from printing, put the print queue on hold. Printi

Page 255 - File Services 255

328 Chapter 7
Note: If you change the name of a print queue that has already been shared, print jobs sent by users to the old queue name will not b

Page 256 - Setup Overview

Print Service 329
Selecting a Default Print Queue
Specifying a default print queue simplifies setup for printing from client computers to LPR print que

Page 257 - File Services 257

Contents 33
Supporting Client Computers 505
Updating the Startup Disk Control Panel 505
Setting Up “System-Less” Clients 506
Selecting a N

Page 258 - Managing NFS Service

330 Chapter 7
The Queue Monitor window displays all the current print jobs in priority order. It also indicates the current status of the active (pr

Page 259 - Supporting Mac OS X Clients

Print Service 331
To restart a print job:
1 In Server Settings, click the File & Print tab.
2 Click Print and choose Show Print Monitor.
3 Select th

Page 260

332 Chapter 7
3 Select the queue containing the job, then click Show Queue Monitor.
4 Select the job and click Set Priority.
5 Select the priority you

Page 261 - File Services 261

Print Service 333
Viewing Print Logs
Print service has two kinds of logs: print service and print queue. Print service logs record such events as when

Page 262

334 Chapter 7
Deleting Print Log Archives
The log files are stored in /Library/Logs/PrintService. You can clear out unwanted archive files by deleting

Page 263 - File Services 263

Print Service 335
• Make sure the printer is turned on and that there are no problems with the printer itself (out of paper, paper jams, and so on).
•

Page 265 - File Services 265

337
CHAPTER 8
8 Web Service
Web service in Mac OS X Server offers an integrated Internet server solution. Web service is easy to set up and manage, so y

Page 266

338 Chapter 8
Before You Begin
This section provides information you need to know before you set up Web service for the first time. You should read th

Page 267 - Client Management: Mac OS X

Web Service 339
Hosting More Than One Web Site
You can host more than one Web site simultaneously on your Web server. Depending on how you configure yo

Page 268 - Chapter 6

34 Contents
Practical Example 521
Setting Up Sample Configuration Files 521
Configuring Clients 522
Check Your Configuration 523
Load Dist

Page 269

340 Chapter 8
You can avoid this problem by carefully setting access privileges for the site files using the Sharing module of Server Settings. Mac O

Page 270

Web Service 341
MIME type mappings are divided into two subfields separated by a forward slash, such as “text/plain.” Mac OS X Server includes a list

Page 271

342 Chapter 8
Step 3: Assign privileges for your Web site
The Apache process running on the server must have access to the Web site’s files and folder

Page 272

Web Service 343
Starting or Stopping Web Service
You start and stop Web service from the Server Settings application.
To start or stop Web service:
1 In

Page 273

344 Chapter 8
5 Type the file suffix that describes the type of data in files handled by this mapping.
6 Choose a Web server response from the Response

Page 274

Web Service 345
Setting Up Proxy Caching for Web Service
A proxy lets users check a local server for frequently used files. You can use a proxy to spee

Page 275

346 Chapter 8
4 Type the URL of the Web site you want to block in the field and click Add. Or click Import to import a list of Web sites.
5 Click Sav

Page 276

Web Service 347
3 In the General pane, select “Enable WebDAV support,” then click the Sites tab.
4 Select a Web site and click Edit, click the Options

Page 277

348 Chapter 8
Checking Web Service Status
In the Server Settings application, you can check to see the current state of the server and the performanc

Page 278

Web Service 349
4 Enter a name for the new port configuration and choose the port you are configuring from the Port pop-up menu. Click OK.
5 Choose the

Page 279

Contents 35
Preventing Denial-of-Service Attacks 537
Creating IP Filter Rules Using ipfw 538
Reviewing IP Filter Rules 539
Creating IP Fil

Page 280 - 9 Click Save

350 Chapter 8
2 Drag the contents of your previous Web folder to your new Web folder.
3 In Server Settings, log in to the server where the Web site i

Page 281 - Using Wireless Services

Web Service 351
10 Click Save, then restart Web service.
Setting the Default Page for a Web Site
The default page appears when a user connects to your

Page 282

352 Chapter 8
• you do not anticipate heavy usage of your Web site
• most of the pages on your Web site are generated dynamically
The performance cach

Page 283

Web Service 353
To enable indexing for a Web site:
1 In Server Settings, click the Internet tab.
2 Click Web and choose Configure Web Service.
3 Click th

Page 284 - Preference Management Options

354 Chapter 8
The default realm name is the name of the Web site.
7 Type the path to the location in the Web site to which you want to limit access.
I

Page 285 - To manage user preferences:

Web Service 355
• If a CGI is to be used by all sites, install it in the /Library/WebServer/CGI-Executables folder. In this case, clients must includ

Page 286

356 Chapter 8
3 In Server Settings, click Web and add “index.shtml” to the set of default index files for each virtual host.
By default, the mime_maco

Page 287

Web Service 357
5 Choose the server response from the pop-up menu, or type the file type in the Return MIME Type field.
If you return a CGI, make sure y

Page 288

358 Chapter 8
To enable PHP:
1 In the Terminal application, use a text editor to edit /etc/httpd/httpd.conf
2 Enable PHP by removing the comment chara

Page 289

Web Service 359
Users access your Web site’s WebMail page by appending /WebMail to the URL of your site. For example,
http://mysite.example.com/WebMai

Page 290

36 Contents
Understanding Key Fingerprints 554
dsimportexport 555
Log Rolling Scripts 555
diskspacemonitor 556
diskutil 557
installe

Page 291 - To start Classic after login:

360 Chapter 8
For details on mail settings in user accounts, see “Working With Mail Settings for Users” on page 150 in Chapter 3, “Users and Groups.

Page 292

Web Service 361
• Sent Folder is the name of the IMAP folder where mail service puts messages after sending them. The default is Sent Messages.
• Draf

Page 293

362 Chapter 8
To generate a CSR for your server:
1 Log in to your server using the root password and open the Terminal application.
2 At the prompt, t

Page 294

Web Service 363
Keep these important points in mind when purchasing your certificate:
• You must provide an InterNIC-registered domain name that’s regi

Page 295 - To add items to the Dock:

364 Chapter 8
Solving Problems
Users Can’t Connect to a Web Site on Your Server
• Make sure that Web service is turned on and the site is enabled.
• Ch

Page 296

Web Service 365
Installing and Viewing Web Modules
Modules “plug in” to the Apache Web server software and add functionality to your Web site. Apache

Page 297

366 Chapter 8
mod_redirectacgi_apple
This module works in conjunction with the ACGI Enabler Application to allow users to execute ACGI programs (Mac

Page 298

Web Service 367
perl.apache.org
MySQL
MySQL provides a relational database management solution for your Web server. With this open-source software, you

Page 300

369
CHAPTER 9
9 Mail Service
Mail service in Mac OS X Server allows network users to send and receive email over your network or across the Internet. Th

Page 301

Contents 37
Appendix A
Open Directory Data Requirements 573
User Data That Mac OS X Server Uses 573
Standard Data Types in User Records

Page 302

370 Chapter 9
Mail Service Protocols
A standard mail setup uses SMTP to send outgoing email and POP and IMAP to receive incoming email. Mac OS X Serv

Page 303

Mail Service 371
Internet Message Access Protocol (IMAP)
Internet Message Access Protocol (IMAP) is the solution for people who need to receive mail f

Page 304

372 Chapter 9
How Mail Service Uses SSL
The mail service supports secure IMAP connections with mail client software that requests them. If a mail cli

Page 305 - To set up how a user logs in:

Mail Service 373
Where Mail Is Stored
The mail service keeps track of email messages in a small database, but the database does not contain the messag

Page 306

374 Chapter 9
You can also take steps to prevent senders of junk mail from using your server as a relay point. A relay point or open relay is a serv

Page 307

Mail Service 375
SMTP Authentication and Restricted SMTP Relay Combinations
The following table describes the results of using SMTP authentication and

Page 308

376 Chapter 9
What Mail Service Doesn’t Do
Mail service provided by Mac OS X Server does not support
• mailing lists
• virtual domains ([email protected]

Page 309

Mail Service 377
Setup Overview
You can have mail service set up and started as part of the Mac OS X Server installation process. An option for settin

Page 310

378 Chapter 9
• If you use Mac OS X Server to provide DNS service, create your own MX records as described in “Using DNS With Mail Service” on page

Page 311

Mail Service 379
• “Limiting Junk Mail” on page 398
• “Working With Undeliverable Mail” on page 402
Step 7: Set up accounts for mail users
Each person w

Page 312

LL9285.Book Page 38 Tuesday, June 25, 2002 3:59 PM

Page 313 - To set the default printer:

380 Chapter 9
• If your server will provide mail service over the Internet, you need a registered domain name. You also need to determine whether yo

Page 314

Mail Service 381
Requiring or Allowing Kerberos Authentication
You can choose to require, allow, or disallow the Kerberos authentication method for al

Page 315 - Print Service

382 Chapter 9
If a domain name in this list does not have an MX record, only your mail service recognizes it. External mail sent to this domain name

Page 316 - Serial Bus (USB) connection

Mail Service 383
Limiting Incoming Message Size
You can set a maximum size for incoming messages. The default is 10,240 kilobytes (10 megabytes).
To se

Page 317 - Print Service 317

384 Chapter 9
NotifyMail must also be enabled in each user account. For instructions, see “Enabling Mail Service Account Options” on page 150 of Cha

Page 318 - Chapter 7

Mail Service 385
4 Click POP3 Options.
5 Enter the DNS name you want your mail service to use when responding to POP connections, then click Save.
Chan

Page 319 - Print Service 319

386 Chapter 9
3 Click the Protocols tab and select Enable IMAP, if it is not already checked.
4 Click IMAP Options.
5 Select “Require CRAM-MD5 authent

Page 320

Mail Service 387
4 Enter the number of connections you want to allow, then click Save.
The default setting is 32, and the maximum is 128. A value of z

Page 321 - Print Service 321

388 Chapter 9
Sending Nonlocal Mail
If your mail service currently allows sending only local mail, you can change a setting to allow sending mail to

Page 322

Mail Service 389
Working With Settings for SMTP Mail
The mail service includes a Simple Mail Transfer Protocol (SMTP) service for sending mail. Subjec

Page 323 - Print Service 323

39
PREFACE
How to Use This Guide
What’s Included in This Guide
This guide consists primarily of chapters that tell you how to administer individual

Page 324

390 Chapter 9
• You may need to use this setting to deliver outgoing mail through a firewall set up by your organization. In this case, your organiza

Page 325 - Print Service 325

Mail Service 391
Changing the Incoming SMTP Port Number
You can change the port number on which your SMTP service receives incoming mail from other se

Page 326

392 Chapter 9
3 Click the Protocols tab and choose Other Mail Transfer Agent from the pop-up menu.
4 Click Save.
5 Start the other mail transfer agent

Page 327 - Print Service 327

Mail Service 393
If the permissions for the root directory are rwxrwxr-t then they have been changed to the standard for a Mac OS X client. To correc

Page 328

394 Chapter 9
Changing Where Mail Is Stored
You can change where mail is stored on the server. The default location is /Library/AppleMailServer.
To ch

Page 329 - Print Service 329

Mail Service 395
When your mail client connects on the IMAP administrator port, you see all the messages stored on the server. Each user’s mailbox ap

Page 330

396 Chapter 9
The cleanup operation takes place without any feedback. During cleanup, a number of messages are written in the mail service repair lo

Page 331 - Print Service 331

Mail Service 397
Updating the DNS Cache in Mail Service
The mail service stores verified domain names in a cache and does not verify the cached informa

Page 332

398 Chapter 9
Limiting Junk Mail
You can configure mail settings to decrease the amount of junk mail that your mail service delivers to users. You can

Page 333 - Print Service 333

Mail Service 399
Enter a single IP address, such as 192.168.123.55.
Enter an IP address range, such as 192.168.40-43.*.
Enter an IP address/netmask, su

Page 334 - Deleting Print Log Archives

4 Contents
Network File System (NFS) Service 49
File Transfer Protocol (FTP) 50
Print Service 50
Web Service 51
Mail Service 51
Maci

Page 335 - Print Service 335

40 Preface
• Chapter 10, “Client Management: Mac OS 9 and OS 8,” addresses client management for Mac OS 8 and 9 computer users, describing how to

Page 336

400 Chapter 9
Note: Reverse-lookups of IP addresses may slow the performance of your mail service because lookups involve more contact with DNS ser

Page 337 - Web Service

Mail Service 401
Rejecting Mail From Blacklisted Senders
You can have your mail service check an Open Relay Behavior-modification System (ORBS) server

Page 338 - Setting Up Web Sites

402 Chapter 9
If your SMTP service does not use port 25, which is standard for incoming SMTP mail, enter your incoming SMTP port number instead.
4 A

Page 339 - Understanding WebDAV

Mail Service 403
3 Click the Outgoing Mail tab.
4 Enter the number of hours you want the mail service to attempt to deliver a message before the messa

Page 340 - Chapter 8

404 Chapter 9
This section also describes how Mac OS X Server reclaims disk space used by logs and how you can reclaim space manually.
Viewing Overal

Page 341 - Step 2: Create a default page

Mail Service 405
To view a mail service log:
1 In Server Status, select Mail in the Devices & Services list.
2 Click the Logs tab.
3 Choose a log f

Page 342

406 Chapter 9
Configuring Email Client Software
Users must configure their email client software to connect to your mail service. The following table

Page 343 - Web Service 343

Mail Service 407
Creating Additional Email Addresses for a User
Mail service allows each individual user to have more than one email address. Every us

Page 344

408 Chapter 9
Backing Up and Restoring Mail Files
You can back up the mail service data by making a copy of the mail service folder. If you need to r

Page 345 - Web Service 345

Mail Service 409
• For more information on MX records, see “DNS and Electronic Mail” in DNS and BIND, 3rd edition, by Paul Albitz, Cricket Liu, and M

Page 346

How to Use This Guide 41
Setting Up Mac OS X Server for the First Time
If you haven’t installed and set up Mac OS X Server, do so now.
• Refer to

Page 348

411
CHAPTER 10
10 Client Management: Mac OS 9 and OS 8
Macintosh Manager provides network administrators with a centralized method of managing Mac OS 9

Page 349 - Web Service 349

412 Chapter 10
Transition Strategies for Macintosh Manager
If you are migrating to Macintosh Manager 2.2 from an earlier version, you can do a simple

Page 350

Client Management: Mac OS 9 and OS 8 413
Depending upon the computer being used, the network configuration, and access privileges, the user may have a

Page 351 - Web Service 351

414 Chapter 10
Finding Applications
Approved applications for Panels and Restricted Finder workgroups are located in the “Items for workgroup name” f

Page 352

Client Management: Mac OS 9 and OS 8 415
• 16-bit monitor recommended if using the Panels environment
Administrator Computer Requirements
Software
• Mac

Page 353 - Web Service 353

416 Chapter 10
for the clients. The administrator computer can have access to more printers and applications than clients but shouldn’t have access

Page 354

Client Management: Mac OS 9 and OS 8 417
The computer locates Macintosh Manager servers (any Mac OS X Server with Macintosh Manager server processes

Page 355 - Options Includes

418 Chapter 10
Client computers using different languages can connect to the same server provided the server language script matches the client lang

Page 356 - AddType text/html shtml

Client Management: Mac OS 9 and OS 8 419
Macintosh Manager users cannot access other users’ home directories, nor can they change network settings (A

Page 358 - #AddModule mod_php4.c

420 Chapter 10
• Groups folder: This folder contains a folder for each Macintosh Manager workgroup and database files that store information about M

Page 359 - Enabling WebMail

Client Management: Mac OS 9 and OS 8 421
The only information shared between Macintosh Manager and Workgroup Manager is the user ID, which is stored

Page 360 - Configuring WebMail

422 Chapter 10
Although the users, groups, and computers databases are not part of a larger relational database, each refers to information stored i

Page 361 - Web Service 361

Client Management: Mac OS 9 and OS 8 423
For Mac OS 8 clients: Preferences are stored in the Preferences folder in the System Folder on the client c

Page 362 - 362 Chapter 8

424 Chapter 10
• Install the Macintosh Manager server software on the server containing the Mac OS image that NetBoot client computers will use to s

Page 363 - Web Service 363

Client Management: Mac OS 9 and OS 8 425
Step 6: Create workgroups for users
Workgroups let you group users together and apply the same settings to al

Page 364 - A CGI Will Not Run

426 Chapter 10
Working With Macintosh Manager Preferences
Macintosh Manager preference settings let you choose a sorting method for users and workgro

Page 365 - Macintosh-Specific Modules

Client Management: Mac OS 9 and OS 8 427
If you don’t see the template, open Macintosh Manager Preferences and make sure “Show templates” is selected

Page 366 - Open-Source Modules

428 Chapter 10
If you have fewer than 10,000 users to import, you can also use the Import All feature.
Collecting User Information in a Text File
You

Page 367 - Web Service 367

Client Management: Mac OS 9 and OS 8 429
Finding Specific Imported Users
You can use the “Select Users By” feature to search for Macintosh Manager use

Page 368

43
CHAPTER 1
1 Administering Your Server
Mac OS X Server is a powerful server platform that delivers a complete range of services to users on the Intern

Page 369 - Mail Service

430 Chapter 10
For more information about using the guest user account, see “Setting Up a Guest User Account” on page 431.
• All Other Computers
Any c

Page 370 - Post Office Protocol (POP)

Client Management: Mac OS 9 and OS 8 431
Setting Up a Guest User Account
Because the Guest account does not require individual user names and password

Page 371 - Mail Service 371

432 Chapter 10
A Macintosh Manager administrator’s administrative privileges do not apply in Mac OS X Workgroup Manager tools. For example, a Macint

Page 372 - Chapter 9

Client Management: Mac OS 9 and OS 8 433
To designate a workgroup administrator:
1 In Macintosh Manager, click Users.
2 Select one or more users in the

Page 373 - Mail Service 373

434 Chapter 10
This is a good place to put user-specific information (for example, a student’s grade level or an employee’s office location) or keywor

Page 374 - Restricted SMTP Relay

Client Management: Mac OS 9 and OS 8 435
3 Select access settings and set quotas.
Initially, users of all types can log in to only one computer at a t

Page 375 - Blacklisted Servers

436 Chapter 10
Setting Up Workgroups
In the Members pane of the Workgroups pane, you can create new workgroups, change an existing workgroup’s name o

Page 376

Client Management: Mac OS 9 and OS 8 437
2 Click New and type a name for the workgroup.
3 Choose an environment type from the Environment pop-up menu.

Page 377 - Step 2: Set up MX records

438 Chapter 10
Modifying an Existing Workgroup
After a workgroup is created, you can change its name or environment type and add or remove members. A

Seite 378 - Step 3: Start mail service

Client Management: Mac OS 9 and OS 8 439
4 Select items in the Volume list that you want to add to the Shortcut Items list and click Add.
To remove it

Page 379 - Mail Service 379

44 Chapter 1
Networking and Security
You can choose from several user authentication options, ranging from Kerberos or Lightweight Directory Access P

440 Chapter 10
The computer can search local volumes and mounted server volumes. If the original item is on a server volume that is not mounted, the

Page 381 - Mail Service 381

Client Management: Mac OS 9 and OS 8 441
To protect the desktop:
1 In Macintosh Manager, click Workgroups, and then click Privileges.
2 Select a workgr

442 Chapter 10
Allowing Users to Take Screen Shots
Special key combinations let users take a picture of the computer screen (called a “screen shot”)

Page 383 - Mail Service 383

Client Management: Mac OS 9 and OS 8 443
Setting Access Privileges for Menu Items
For certain Finder menus, you can decide which menu items users can

444 Chapter 10
Folder Access Privileges
Macintosh Manager allows four levels of access privileges for workgroup folders:
Selecting Privileges for Work

Page 385 - Mail Service 385

Client Management: Mac OS 9 and OS 8 445
2 Click Workgroups, then click Privileges.
3 Select one or more workgroups in the Workgroups list.
4 In the Pr

446 Chapter 10
Providing Access to Server Volumes
If workgroup members need to use files and applications that are not stored on the Macintosh Manager

Page 387 - Mail Service 387

Client Management: Mac OS 9 and OS 8 447
Using Printers Settings
Printers settings let you control access to workgroup printers and limit the number o

448 Chapter 10
Restricting Access to Printers
You can restrict access to a printer by removing it from the Selected Printers list or by requiring a p

Page 389 - Mail Service 389

Client Management: Mac OS 9 and OS 8 449
3 Click Save.
Setting Up a System Access Printer
If the printer you want to use doesn’t support desktop printi

Administering Your Server 45
Open Directory Services
User and group information is used by your server to authenticate users and authorize their acce

Page 391 - Mail Service 391

450 Chapter 10
Choosing a Location for Storing Group Documents
You can use a group documents location to store folders and files you would like to mak

Page 392 - Starting Sendmail

Client Management: Mac OS 9 and OS 8 451
For computers that start up using NetBoot, you must follow special procedures to copy items to the Startup I

Page 393 - Mail Service 393

452 Chapter 10
A computer cannot belong to more than one list.
To set up a computer list:
1 In Macintosh Manager, click Computers, and then click List

Client Management: Mac OS 9 and OS 8 453
Creating a Computer List Template
You can use a template to apply the same initial settings to new computer l

Page 395 - Mail Service 395

454 Chapter 10
Using Workgroup Settings for Computers
You use settings in the Workgroups pane of the Computers pane to control access to computers.
Co

Client Management: Mac OS 9 and OS 8 455
4 Click Save.
When the computer disconnects from the server, the computer still displays the login screen, bu

Page 397 - Mail Service 397

456 Chapter 10
2 Select a computer list.
3 Under User Email Addresses, type the default domain name, the incoming (POP) mail server address, and the

Page 398 - Restricting SMTP Relay

Client Management: Mac OS 9 and OS 8 457
Allowing Access to All CDs and DVDs
Using computer security settings, you can allow user access to CDs and DV

Page 399 - Mail Service 399

458 Chapter 10
3 Click Save.
Allowing Specific Applications to Be Opened by Other Applications
You can allow specific applications to act as helper app

Page 400 - 3 Click the Filter tab

Client Management: Mac OS 9 and OS 8 459
Allowing Users to Switch Servers After Logging In
Ordinarily, after users log in, they cannot switch to anoth

Page 401 - Mail Service 401

46 Chapter 1
High Availability
To maximize server availability, Mac OS X Server includes technology for monitoring server activity, monitoring and re

460 Chapter 10
4 Click Save.
Using Computer Login Settings
Computer login settings allow you to choose how users log in, what messages they see, and w

Page 403 - Mail Service 403

Client Management: Mac OS 9 and OS 8 461
To customize a panel name:
1 In Macintosh Manager, click Computers.
2 Click Log-In and select a computer list.

462 Chapter 10
If the user is the local administrator, he or she has total access to all the folders and applications on the computer, including the

Page 405 - 2 Click the Logs tab

Client Management: Mac OS 9 and OS 8 463
Using Macintosh Manager Reports
Macintosh Manager provides a number of different reports to help you keep tra

464 Chapter 10
Verifying Login Information Using Kerberos
If all users must authenticate using Kerberos, follow the steps below. For more information

Page 407 - Mail Service 407

Client Management: Mac OS 9 and OS 8 465
• If you want to limit the preferences copied, you can choose to copy only Internet preferences and administ

466 Chapter 10
3 Select the disc name and click Add to make it available in Macintosh Manager. To remove an available item, select it and click Remo

Page 409 - Internet

Client Management: Mac OS 9 and OS 8 467
After a user’s first login, Macintosh Manager checks the user’s Preferences folder and compares it to the con

468 Chapter 10
Forced preferences are copied to the appropriate location depending upon the client operating system. The processes are explained bel

Client Management: Mac OS 9 and OS 8 469
• When a user logs in: Macintosh Manager scans the Preserved Preferences folder and builds a list containin

Page 412 - The User Experience

Administering Your Server 47
Directory Services
Directory services let you use a central data repository for user and network information your server

Page 413 - Locating the Home Directory

470 Chapter 10
Solving Problems
This section describes some problems you may encounter while using Macintosh Manager and provides troubleshooting tip

Page 414 - Chapter 10

Client Management: Mac OS 9 and OS 8 471
Selecting “Local User” in the Multiple Users Control Panel Doesn’t Work
You cannot use both Macintosh Manager

Page 415 - Hardware

472 Chapter 10
The Server Doesn’t Appear in the AppleTalk List
Mac OS X Server does not support AppleTalk network connections to Apple Filing Protoco

Client Management: Mac OS 9 and OS 8 473
You can create a folder called “Other Applications•” and then put the Applications folder (and all of its co

Page 418 - Macintosh Manager Security

475 CHAPTER 11
DHCP Service
Dynamic Host Configuration Protocol (DHCP) service lets you administer and distribute IP addresses to client computers fro

Page 419 - The Multi-User Items Folder

476 Chapter 11
Creating Subnets
Subnets are groupings of computers on the same network that simplify administration. You can organize subnets any way

DHCP Service 477
Interacting With Other DHCP Servers
You may already have other DHCP servers on your network, such as AirPort base stations. Mac OS X

478 Chapter 11
• In the General pane of the subnet settings window, you need to set a range of IP addresses for each subnet, and specify the router

DHCP Service 479
As the service is starting up or shutting down, a globe flashes on the DHCP/NetBoot icon. When the service is turned on, the globe ap

Page 423 - Preparation for Using NetBoot

48 Chapter 1
Search Policies
Before a user can log in to or connect with a Mac OS X client or server, he or she must enter a name and password associ

Page 424 - Step 3: Import user accounts

480 Chapter 11
To modify a listed server, click the server name. Edit the name, search base, port, and SSL settings. Click Apply to update the LDAP

Page 425 - Step 7: Create computer lists

DHCP Service 481
Monitoring DHCP Client Computers
The DHCP client list shows the following information for each client computer in the database:
• DHC

482 Chapter 11
To change subnet settings:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP.
3 Select a subnet

Page 427 - To import all users:

DHCP Service 483
6 Enter the IP address of each NetInfo parent server, then click Save.
Click Use Defaults if you want to use the server’s default Net

484 Chapter 11
To see DHCP log entries:
1 In Server Settings, click the General tab.
2 Click Log Viewer and choose System Software.
3 Choose System Log

Page 429 - Using Guest Accounts

485 CHAPTER 12
NetBoot
NetBoot lets you start up Macintosh client computers from disk images on a Mac OS X Server. A disk image is a file that looks a

486 Chapter 12
The Mac OS X Server product includes the following CDs that contain applications and files specific to NetBoot:
• Mac OS X Server Admin

Page 431 - To set up the Guest account:

NetBoot 487
These are estimates for the number of clients supported. See “Capacity Planning” on page 488 for a more detailed discussion of the optima

488 Chapter 12
You cannot update Mac OS X disk images directly. To “update” your Mac OS X disk images, you must create new ones. See “Creating a Mac

NetBoot 489
• Location of server and client: NetBoot clients that require static IP addresses (NetBoot 1.0) must be located on the same subnet as th

Administering Your Server 49
Static file server listings can also be published in a non-Apple directory domain, making it easy for computers in your c

Page 435 - To set a user storage quota:

490 Chapter 12
• enable automatic installation (Network Install only)
• add additional package or preinstalled applications (Network Install only)
Not

Page 436 - Creating a Workgroup

NetBoot 491
Mac OS X property list
Boot Server Discovery Protocol (BSDP)
NetBoot uses an Apple-created extension to BootP and DHCP called Boot Server D

Page 437 - To duplicate a workgroup:

492 Chapter 12
TFTP and the Boot ROM File
NetBoot uses the Trivial File Transfer Protocol (TFTP) to send the boot ROM from the server to the client.

NetBoot 493
NetBoot creates share points on all available server volumes to store client shadow images as a way of providing load balancing for NetBo

494 Chapter 12
Some older client computers require BootP for getting an IP address assignment when using NetBoot. (See “Network Requirements” on pag

NetBoot 495
Step 3: Set up DHCP
NetBoot requires that you have a DHCP—either on the local server or on a remote server on the network. You need to mak

Page 441 - To protect the desktop:

496 Chapter 12
Any client: Restart the computer and hold down the N key until the NetBoot icon starts flashing on the screen. The client starts up f

NetBoot 497
If you haven’t inserted a Mac OS X install CD, you will be prompted to do so.
The image file is created and saved in a NetBoot image folder

Page 443 - Types of Shared Folders

498 Chapter 12
To install the preconfigured Mac OS 9 disk image:
• Open NetBoot.pkg on the NetBoot, Mac OS 9 CD.
The Installer installs the Mac OS 9 N

NetBoot 499
NetBoot Desktop Admin creates a copy of the disk image. This may take several minutes, and you should not interrupt the process. When it

Page 445 - To create a hand-in folder:

Contents 5
2 Directory Services 65
Storage for Data Needed by Mac OS X 66
A Historical Perspective 67
Data Consolidation 68
Data Distr

50 Chapter 1
NFS does not support name/password authentication. It relies on client IP addresses to authenticate users and on client enforcement of

Page 447 - To select a default printer:

500 Chapter 12
Clicking Discard removes the changes you’ve made to the disk image.
11 Start the NetBoot client computer again, and log back in to all

NetBoot 501
Configuring NetBoot on Your Server
You use the DHCP/NetBoot module of Server Settings to configure your Mac OS X Server to provide NetBoot serv

502 Chapter 12
To start DHCP:
1 Open Server Settings and click the Network tab.
2 Click DHCP/NetBoot and choose Start DHCP Service.
Enabling NetBoot D

NetBoot 503
4 Select an image and deselect the Enable checkbox.
Updating Mac OS X Disk Images
Because Network Image Utility works by creating disk imag

504 Chapter 12
To allow or deny client access to the NetBoot service:
1 Open Server Settings and click the Network tab.
2 Click DHCP/NetBoot and choo

NetBoot 505
The bsdpd_clients file on any given server holds the Ethernet Media Access Control (MAC) addresses of the machines that have selected this

506 Chapter 12
Setting Up “System-Less” Clients
NetBoot makes it possible to configure client computers without locally installed operating systems. “

NetBoot 507
The network disk image appears with a distinctive icon.
Starting Up Using the N Key
You can use this method to start up any supported clien

508 Chapter 12
• If the computer has a local hard disk with a System Folder on it, disconnect the Ethernet cable and try to start up the computer fr

509 CHAPTER 13
Network Install
Network Install lets you install Mac OS X system and other software onto client computers over the network. Network In

Administering Your Server 51
• impose print quotas to limit printer usage
See Chapter 7, “Print Service,” for information about print service.
Web Serv

510 Chapter 13
A package is a collection of compressed files and other information used to install software onto a computer. The contents of a packag

Page 459 - To allow users to force-quit:

Network Install 511
Step 2: Create a Mac OS X installer disk image
Use Network Image Utility to create one or more Mac OS X installer images. See “Cre

512 Chapter 13
4 Enter an Image ID.
The Image ID lets you mount multiple identical disk images (on multiple servers) without each of them showing up

Page 461 - To customize a panel name:

Network Install 513
3 On the volume that gets mounted, Control-click the OSInstall.mpkg file at the following location:
volume/System/Installation/Pack

514 Chapter 13
To enable installer disk images:
1 In Server Settings, click the Network tab.
2 Click DHCP/NetBoot and choose Configure DHCP/NetBoot.
3 C

Page 463 - To view a report:

515 CHAPTER 14
DNS Service
When your clients want to connect to a network resource such as a Web or file server, they typically request it by its doma

516 Chapter 14
Before You Set Up DNS Service
This section contains information you should consider before setting up DNS on your network. The issues

Page 465 - 2 Insert a CD or DVD

DNS Service 517
If you want to change your mail server or redirect mail, you have to notify potential senders of a new address for your users. Or, yo

Page 466 - Preserved Preferences folder

518 Chapter 14
For example, a server in a domain would be host1.example.com, a server in a subdomain would be host2.good.example.com. The DNS server

DNS Service 519
To start or stop DNS service:
1 In Server Settings, click the Network tab.
2 Click DNS Service and choose Start DNS or Stop DNS.
When th

52 Chapter 1
With remote mail administration you can manage the message database from any IMAP client. Realtime Blackhole List support allows you to

Page 469 - Always copied Never copied

520 Chapter 14
• Canonical Name (CName): Asks for the “real name” of a server when given a “nickname” or alias. For example, mail.apple.com might h

DNS Service 521
Zone Data Files
Zone data files consist of paired address files and reverse lookup files. Address records link host names (host1.example.

522 Chapter 14
3 In the “Go to the folder:” sheet, enter “/etc” (no quotation marks) and click the Go button.
4 Locate the file named.conf and rename

DNS Service 523
Check Your Configuration
To verify the steps were successful, launch the Terminal application located in /Applications/Utilities and e

524 Chapter 14
If it’s unlikely that your local area network will ever be connected to the Internet and you want to use TCP/IP as the protocol for t

525 CHAPTER 15
Firewall Service
Firewall service is software that protects the network applications running on your Mac OS X Server. Turning on Firew

Page 475 - DHCP Service

526 Chapter 15
The picture below illustrates this process.
The port filters you create are applied to TCP packets and can also be applied to User Data

Page 476 - Locating the DHCP Server

Firewall Service 527
Before You Set Up Firewall Service
When you start Firewall service, the default configuration denies access to all incoming packet

Page 477 - Step 1: Create subnets

528 Chapter 15
The segments in a mask go from general to specific, so the earlier a zero appears in the segments of the subnet mask, the wider the re

Page 478 - Chapter 11

Firewall Service 529
IP Address Precedence
If you create multiple filters for a port number, the filter that contains the most specific address range has

Page 479 - DHCP Service 479

Administering Your Server 53
NetBoot can simplify the administration and reduce the support normally associated with large-scale deployments of netwo

530 Chapter 15
Block Junk Mail
To reject email from a junk mail sender with an IP address of 17.128.100.0 and accept all other Internet email:
Allow a

Page 481 - DHCP Service 481

Firewall Service 531
Step 2: Add filters to the IP filter list
Read “Before You Set Up Firewall Service” on page 527 to learn how IP filters work and h

532 Chapter 15
To set Firewall service to start automatically each time your computer starts up:
1 In Server Settings, click the Network tab.
2 Click

Page 483 - DHCP Service 483

Firewall Service 533
7 If you choose “a range of IP addresses,” enter a subnet mask or click Use My Subnet to use the computer’s subnet mask.
The resu

534 Chapter 15
To configure Firewall service:
1 In Server Settings, click the Network tab.
2 Click Firewall and choose Configure Firewall.
3 Select “Sta

Page 485 - 12 NetBoot

Firewall Service 535
Log Example 2
Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0
This entry s

536 Chapter 15
UDP ports above 1023 are allocated dynamically by certain services, so their exact port numbers may not be determined in advance.
To s

Page 487 - NetBoot 487

Firewall Service 537
5 Click Save, then restart Firewall service.
Any IP filters you create allow NetInfo access for the IP addresses you specify. By d

Page 488 - Capacity Planning

538 Chapter 15
5 Click Save, then restart Firewall service.
Creating IP Filter Rules Using ipfw
You can use the ipfw command in conjunction with the F

Page 489 - NetBoot Implementation

Firewall Service 539
Reviewing IP Filter Rules
To review the rules currently defined for your server, use the Terminal application to submit the ipfw s

Page 490 - Chapter 12

54 Chapter 1
DHCP
DHCP helps you administer and distribute IP addresses dynamically to client computers from your server. From a block of IP addresse

Page 491 - NetBoot 491

540 Chapter 15
For more information, consult the man pages for ipfw.
Port Reference
The following tables show the TCP and UDP port numbers commonly us

Firewall Service 541
389 LDAP (directory) RFC 2251
427 SLP (service location)
443 SSL (HTTPS)
514 shell
515 LPR (printing) RFC 1179
532 netnews
548 AFP (Ap

Page 493 - NetBoot and AirPort

542 Chapter 15
UDP port | Used for | Reference
7 echo
53 DNS
67 DHCP server (BootP)
68 DHCP client
69 Trivial File Transfer Protocol (TFTP)
111 Remote Procedu

Firewall Service 543
Solving Problems
This section reviews some common Firewall service issues and provides possible solutions.
You Can’t Access the Se

545 CHAPTER 16
SLP DA Service
Service Location Protocol Directory Agent (SLP DA) provides structure to the services (or resources) available on a net

Page 497 - NetBoot 497

546 Chapter 16
Step 1: Define scopes
To define scopes, you need to decide how you want to organize the computers on your network. A scope can be a log

Page 498 - 4 Click Make Private Copy

SLP DA Service 547
Step 5: Assign network services to each scope
Once you’ve created a scope, you can assign network services to it.
1 In the Registere

Page 499 - NetBoot 499

548 Chapter 16
3 Choose a service type from the Show pop-up menu.
4 Click the disclosure triangle next to a scope name to see the services registered

SLP DA Service 549
Deregistering Services in SLP DA Service
If a service is no longer available to network clients, you must manually remove the servic

Page 501 - NetBoot 501

Administering Your Server 55
Anything that can be addressed using a URL can be a network service—for example, file servers and WebDAV servers. When a

550 Chapter 16
Each SLP log entry includes a code that indicates the type of event that has occurred.
Using the Attributes List
Services may advertise

Page 503 - NetBoot 503

551 CHAPTER 17
Tools for Advanced Users
This chapter describes tools and techniques intended for use by experienced server administrators. The follo

Page 504 - Enabling Server Selection

552 Chapter 17
Terminal
You use the Terminal application to run command-line tools. Most of the tools described in this chapter are command-line too

Page 505 - NetBoot 505

Tools for Advanced Users 553
Understanding UNIX Command-Line Structure
UNIX commands share some basic conventions. First you enter the name of the too

554 Chapter 17
2 At the prompt, type ssh, then a hyphen, the flag “l” (lower case L, for “login”) followed by the user name of an administrator of th

Page 507 - Starting Up Using the N Key

Tools for Advanced Users 555
If you see a warning message about a “man in the middle attack” when you try to connect using SSH, the RSA key fingerprin

556 Chapter 17
• The script /etc/periodic/weekly/600.weekly.server is intended to run weekly, but is currently empty. Its configuration file is /etc/d

Page 509 - Network Install

Tools for Advanced Users 557
• By default, two predefined action scripts are executed when the thresholds are reached. The default alert script is /et

Page 510 - Chapter 13

558 Chapter 17
installer
You can use the installer tool to install software packages from a CD-ROM on a mounted remote server volume. This tool does

Page 511 - Network Install 511

Tools for Advanced Users 559
-config formats the command-line installation arguments for later use. You can redirect the output to a configuration file

56 Chapter 1
Highlighting Server Applications
This section introduces you to the applications, tools, and techniques you use to set up and administer

Page 513 - Network Install 513

560 Chapter 17
2 Open Terminal on another Mac OS X Server or administrator computer and log in to the server as root using SSH. For example, type:

Page 514 - Click the Image tab

Tools for Advanced Users 561
softwareupdate
You use softwareupdate to find new versions of software and install them on a remote server.
To use software

Page 515 - DNS Service

562 Chapter 17
• Type “systemsetup -setrestartpowerfailure on” to restart the server automatically after a power failure.
• To restart the server aut

Page 516 - Using DNS With Mail Service

Tools for Advanced Users 563
• create new network services
• set the order of network services
• configure the TCP/IP options of the network services
• s

Page 517 - DNS Service 517

564 Chapter 17
Configuring TCP/IP Settings
You can use networksetup to configure TCP/IP settings:
• To specify a manual configuration for a network serv

Page 518 - Step 4: Start DNS service

Tools for Advanced Users 565
• To turn AppleTalk on, type “networksetup -setappletalk <network service> on”.
• To turn passive FTP on, type “ne

Page 519 - DNS Service 519

566 Chapter 17
Simple Network Management Protocol (SNMP) Tools
SNMP is a set of standard protocols used to manage and monitor multiplatform computer

Page 520 - BIND on Mac OS X Server

Tools for Advanced Users 567
Enabling IP Failover
IP failover allows a secondary server to acquire the IP address of a primary server if the primary s

Page 521 - Practical Example

• If status messages are interrupted on only one network, the secondary server sends email notification of a network anomaly, but does not acquire the

Page 522 - Chapter 14

Tools for Advanced Users 569
Enabling IP Failover
You enable IP failover by adding command lines to the file /etc/hostconfig on the primary and the seco

Page 523 - Check Your Configuration

Administering Your Server 57
log rolling scripts | Periodically roll, compress, and delete server log files | page 555
diskspacemonitor | Monitor percentage-f

570 Chapter 17
Notification Only
You can use a script named “Test” located in the failover scripts directory to control whether, in the event of a fa

Page 525 - Firewall Service

Tools for Advanced Users 571
PreAcq20.StopSA
PreAcq30.CleanupTmp
<Acquire IP address>
PostAcq10.StartTimer
PostAcq20.StartApache
<Primary server

Page 527 - What Is a Filter?

573 APPENDIX A
Open Directory Data Requirements
This appendix contains tables that specify the data requirements of Open Directory domains. Use the in

Page 528 - Using Address Ranges

574 Appendix A
Standard Data Types in User Records
The following table specifies the standard data types found in Open Directory user records.
All serv

Page 529 - Practical Examples

Open Directory Data Requirements 575
UniqueID: a unique user identifier, used for access privilege management
Unsigned 32-bit ASCII string of digits 0–

Page 530 - Deny 548 (AFP/TCP) All

576 Appendix A
MCXSettings: stores preferences for a managed user
Mac OS X property list
AuthenticationAuthority: an XML description of the user’s defined

Page 531 - Firewall Service 531

Open Directory Data Requirements 577
Format of the MailAttribute Data Type
Ensure that each MailAttribute data type you configure your server to retrie

578 Appendix A
POP3LoginState A required case-insensitive keyword indicating whether the user is allowed to access mail via POP. It must be set to o

Page 533 - Firewall Service 533

Open Directory Data Requirements 579
NotificationStaticIPValue An optional IP address, in bracketed, dotted decimal format ([xxx.xxx.xxx.xxx]). If thi

58 Chapter 1
Administering a Server From Different Computers
You can use the server applications to manage the local server or to manage a remote ser

Page 535 - Viewing Denied Packets

580 Appendix A
Standard Data Types in Group Records
The following table specifies the standard data types found in Open Directory group records.
Data t

581
Glossary
This glossary defines terms and spells out abbreviations you may encounter while working with online help or the “Mac OS X Server Administ

Page 537 - Firewall Service 537

582 Glossary
CGI (Common Gateway Interface) A script or program that adds dynamic functions to a Web site. A CGI sends information back and forth be

Glossary 583
dynamic IP address An IP address that is assigned for a limited period of time or until the client computer no longer needs the IP addr

584 Glossary
I, J, K
IANA (Internet Assigned Numbers Authority) An organization responsible for allocating IP addresses, assigning protocol parameter

Glossary 585
M
mail host The computer that provides your mail service.
managed client A user, group, or computer whose access privileges and/or prefe

Page 541 - Firewall Service 541

586 Glossary
Network File System (NFS) A client/server protocol that uses TCP/IP to allow remote users to access files as though they were local. NFS

Glossary 587
preferences cache A storage place for computer preferences and preferences for groups associated with that computer. Cached preferences

Page 543 - Firewall Service 543

588 Glossary
search policy A list of directory domains searched by a Mac OS X computer when it needs configuration information; also the order in whi

Glossary 589
T
TCP (Transmission Control Protocol) A method used along with the Internet Protocol (IP) to send data in the form of message units betw

Page 545 - SLP DA Service

Administering Your Server 59
You’ll find Open Directory Assistant in /Applications/Utilities/. For information about how to use the application, see C

Page 546 - Chapter 16

590 Glossary
W
WebDAV (Web-based Distributed Authoring and Versioning) A live authoring environment that allows client users to check out Web pages,

Page 547 - SLP DA Service 547

591 Index
A
access logs 227
access privileges
about 124, 205
administrator 206
copying 217
directory services and 71
everyone 207
explicit vs. inherited

592 Index
AFP (Apple Filing Protocol) 224
AirPort base stations
DHCP service and 477
All Other Computers account 429, 452
All Other Users account 429

Page 549 - SLP DA Service 549

Index 593
about 83
adding Active Directory server to 105
adding LDAPv2 server to 107
adding LDAPv3 server to 99, 100
LDAPv3 mappings supplied by 103

Page 550 - ERR SLP errors

594 Index
using Windows services 262
client computers, Mac OS 8 and 9
setting up printing 324
client computers, Mac OS 9
selecting NetBoot startup imag

Page 551 - Tools for Advanced Users

Index 595
Configure Web Service window 342
CRAM-MD5 385, 389
cross-platform issues for file service 236
CSR (certificate signing request) 361–362
custom

Page 552 - Chapter 17

596 Index
planning 82, 85–87, 91
search policies for 82–84
directory domain hierarchy
defined 582
directory domains
See also BSD configuration files, LDAP

Page 553 - 1 Open Terminal

Index 597
importing users and groups 181
import parameters 181
status information and logs 179
Dynamic Host Configuration Protocol. See DHCP
dynamic IP

Page 554 - Closing an SSH Session

598 Index
filtering UDP ports 535–536
filters 527–529
IP address precedence 529
IP filter rules 538–540
logs, setting up 534–535
managing 531–538
more i

Index 599
data types 580
preparing for setup 135
guest (predefined group account) 131
guest access
allowing 238
FTP service 249
restricting 210
Windows

6 Contents
Configuring Open Directory Service Protocols 93
Setting Up Search Policies 94
Using the Automatic Search Policy 95
Defining a Cus

60 Chapter 1
Major Workgroup Manager Tasks
After login, the user account window appears, with lists of user, group, and computer accounts in the serv

Page 558 - Using installer

600 Index
secure authentication 385
settings 385–387
terminating idle connections 387
IMAP (Internet Message Access Protocol)
defined 584
importing and

Index 601
integrating Mac OS X with Kerberos server 199
Macintosh Manager 464
mail service authentication 381
services supporting 197
solving problem

Page 560 - 560 Chapter 17

602 Index
FTP 254
mail service 404
print service 325, 332–334
reclaiming disk space 555
reclaiming space used by 405
Server Monitor 63
SLP DA 549
SSL

Page 561 - To use softwareupdate:

Index 603
setting file-level security 441
setting idle logout 456
setting media access 441
setting preferences 426
setting storage quotas 435
setting

604 Index
DNS lookup for 396
domain name list 381
features not supported 376
features of 369
filtering SMTP connections 401
forwarding undeliverable m

Index 605
user records 574–577
mappings
BSD configuration files 116
LDAPv2 108
LDAPv3 101
MBONE
defined 585
messages, mail. See mail service
MIBS
defined 58

Page 564 - Managing Network Services

606 Index
security 493
server requirements 486
setting up Mac OS 9 disk image 497, 498
setting up on Mac OS X Server 496
setup overview 493–496
shado

Page 565 - Designating Proxy Servers

Index 607
discovery protocols 72
networksetup 562
NFS
defined 586
nfsd daemons 257
defined 586
NFS service
about 256
configuring settings 257
described 2

Page 566

608 Index: root user 137; validating 189; validation strategies 189; Password Server 264; administration 196; authentication protocols 195; authentication w

Page 567 - Failover Operation

Index 609: preference management, Mac OS X: about 284; Applications Items settings 288; Applications preference 288; Applications System Preferences settin

Page 568

Administering Your Server 61 Click the service modules arranged on the Server Settings tabs to choose commands that let you work with individual serv

Page 569 - FAILOVER_PEER_IP=”10.0.0.1”

610 Index: key features of 50; monitoring 325; printers supported 316; protocols supported 317; setting up 319; setting up Mac OS 8 and 9 clients 324; setti

Page 570 - PreAcq10.StopDIP

Index 611: root domain 77, 111. See also shared directory domains; root password 137; root user account: backing up 202; round robin 523; routers 546; RTSP: defin

Page 571

612 Index: adding print queues to Open Directory domains 321; administrator access to mail database 395; allowing guest access to Apple file service 234

Page 572

Index 613: holding print queues 327; IMAP authentication 385; IMAP case-sensitive folders 386; IMAP connections per user 386; IMAP ports 387; IMAP response

Page 573 - APPENDIX

614 Index: opening within Workgroup Manager 60; populating Active Directory domains with 105; populating LDAPv3 domains with 103; Server Side Includes Se

Page 574

Index 615: described 545; managing 547–550; monitoring 549; planning 545; preparing for setup 545; registering a service 548; setting up 545–547; starting 5

Page 575

616 Index: defined 588; System Preferences: setting up multiple IP addresses for a port 348; System Services predefined account 130; systemsetup 561; T; TCP: defin

Page 576

Index 617: access privileges 125; authenticating 123; authentication 122; changing 138; comments 147; connecting without logging in 123; creating in Mac OS

Page 577

618 Index: uucp (predefined group account) 131; V; virtual hosts: mail service 381; Virtual Private Network (VPN): defined 589; virtual user: defined 589; VPN: defined

Page 578

Index 619: assigning privileges 342; connecting to 342; connection problems 364; default Page 351; default page 341; default Web Folder 349; directory listi

Page 579

62 Chapter 1 • To retrieve online information, use the Help menu. It provides help for server administrators about Server Status as well as other Ma

Page 580

620 Index: changing group accounts 167; changing owner and access privileges for share point 217; changing share points’ protocols 218; changing user acc

Page 581 - Glossary

Index 621: about 128; defined 590; Mac OS 9 and 8 436; planning 136; World privileges for NFS 210; World Wide Web Server predefined account 130; Write Only pr

Page 583 - Glossary 583

Administering Your Server 63 • The system identifier lights on the front and back of an Xserve server light when service is required. Use Server Monit

Page 584

64 Chapter 1 Where to Find More Information: Regardless of your server administration experience, you may want to take advantage of the wide range of

Page 585 - Glossary 585

65 CHAPTER 2 Directory Services: Directory services provide a central repository for information about the systems, applications, and users in an organ

Page 586

66 Chapter 2 The Open Directory architecture also includes Open Directory Password Server. A Password Server can securely store and validate the pas

Page 587 - Glossary 587

Directory Services 67 Whether you use Workgroup Manager or System Preferences to create a user account, the user information is stored in a directory

Page 588

68 Chapter 2 Data Consolidation: For years, UNIX systems have stored administrative information in a collection of files located in the /etc directory.

Page 589 - Glossary 589

Directory Services 69 Processes no longer need to know how and where administrative data is stored. Open Directory gets the data for them. If a proce

Page 590

Contents 7: Setting Up Data in BSD Configuration Files 118; Configuring Directory Access on a Remote Computer 118; Monitoring Directory Services

Page 591

70 Chapter 2 Open Directory solves this problem by letting you store administrative data in a directory domain that can be managed by a system admin

Page 592 - 592 Index

Directory Services 71 • Folder and file access. After logging in successfully, a user can access files and folders. Mac OS X uses another data item fro

Page 593 - Index 593

72 Chapter 2 For example, when you define a user by using the Accounts module of Workgroup Manager, you are creating a user record (a record of the u

Page 594 - 594 Index

Directory Services 73 In fact, Open Directory can provide information about network services both from service discovery protocols and from directory

Page 595 - Index 595

74 Chapter 2 • Lightweight Directory Access Protocol (LDAP), an open standard commonly used in mixed environments • NetInfo, the Apple directory serv

Page 596 - 596 Index

Directory Services 75 After login, the user may choose Connect To Server from the Go menu and connect to a file server on a computer running Mac OS X

Page 597 - Index 597

76 Chapter 2 Similarly, you can make network resources such as printers visible to certain computers by setting up printer records in a shared domai

Page 598 - 598 Index

Directory Services 77 While some devices may need to be used only by specific departments, other resources, such as personnel forms, may need to be sh

Page 599 - Index 599

78 Chapter 2 Shared Data in Existing Directory Domains: Some organizations—such as universities and worldwide corporations—maintain user information a

Page 600 - 600 Index

Directory Services 79 Two-Level Hierarchies: The simplest hierarchy is a two-level hierarchy: Here’s a scenario in which a two-level hierarchy might be

Page 601 - Index 601

8 Contents: Creating User Accounts in Directory Domains on Mac OS X Server 137; Creating Read-Write LDAPv3 User Accounts 138; Changing User Acco

Page 602 - 602 Index

80 Chapter 2 While local domains reside on their respective servers, a shared domain can reside on any Mac OS X Server accessible from the local dom

Page 603 - Index 603

Directory Services 81 More Complex Hierarchies: Open Directory also supports multilevel domain hierarchies. Complex networks with large numbers of user

Page 604 - 604 Index

82 Chapter 2 You can affect an entire network or just a group of computers by choosing which domain to publish administrative data in. The higher th

Page 605 - Index 605

Directory Services 83 If the local domain does not contain the user’s record, Open Directory goes to the next directory domain in the search policy. I

Page 606 - 606 Index

84 Chapter 2 Next the automatic search policy looks at the binding of shared NetInfo domains. The computer’s local domain may be bound to a shared N

Page 607 - Index 607

Directory Services 85 Directory Domain Planning: Keeping information in shared directory domains gives you more control over your network, allows more

Page 608 - 608 Index

86 Chapter 2 Larger, more complex organizations can benefit from a deeper directory domain hierarchy. Controlling Data Accessibility: Hierarchies that

Page 609 - Index 609

Directory Services 87 • printers being moved among locations You’ll want to try to make each directory domain applicable to all the computers that use

Page 610 - 610 Index

88 Chapter 2 Authentication With a Password Server: When a user’s account is configured to use a Password Server, the user’s password is not stored in

Page 611 - Index 611

Directory Services 89 • The password, stored in recoverable or hashed form. The form depends on the network authentication protocols enabled for the

Page 612 - 612 Index

Contents 9: Defining a Guest User 154; Deleting a User Account 154; Disabling a User Account 155; Administering Home Directories 155; Distrib

Page 613 - Index 613

90 Chapter 2 • Server Status. Use to monitor directory services and view directory services logs. Located in /Applications/Utilities. Experts can als

Page 614 - 614 Index

Directory Services 91 Step 4: Implement search policies. Set up search policies so that all computers have access to the shared directory domains they

Page 615 - Index 615

92 Chapter 2 Decide whether to use an Open Directory Password Server. Decide which Mac OS X Server will host the Password Server. See “Open Director

Page 616 - 616 Index

Directory Services 93 For Address, enter the DNS name or IP address of the server that you want to configure. For User Name, enter the user name of an

Page 617 - Index 617

94 Chapter 2 • LDAPv3, a newer version of the popular directory services protocol, which Open Directory uses to access (read and write) data in Open

Page 618 - 618 Index

Directory Services 95 You can configure the authentication search policy for a Mac OS X Server or other Mac OS X computer by using the Directory Acces

Page 619 - Index 619

96 Chapter 2 Note: Make sure the computer has been configured to access the LDAP servers, Active Directory servers, NetInfo domains, and BSD configur

Page 620 - 620 Index

Directory Services 97 Changing Basic LDAPv3 Settings: You can use the Directory Access application to change basic settings for accessing LDAPv3 server

Page 621 - Index 621

98 Chapter 2 4 From the Location pop-up menu, choose the network location that you want to see, or use Automatic. 5 Click Show Options or Hide Option

Page 622

Directory Services 99 8 Enter the search base for your LDAPv3 server and click OK. If you chose a template in step 7, you must enter a search base, or
