Archive for category: Ask AFP548

Intranet Solution for Mac OS X Server?

For several months I've been searching for a complete solution that can offer access control, authentication, integrated search indexing of all content and content management itself for a company intranet that can dispense the following to our internal users:

  • Training videos, shared contacts, job aid resources and content management
  • A PHP based web front end to access our databases of clients, cases, task management, etc.

We're running Leopard Server, Kerberos, LDAP and all that other fun stuff. But we also are a mixed platform environment with remote branch offices running isolated windows domain workgroups, accessing our intranet from across a VPN. (not my doing)

The problem that I'm having is that I cannot find any one great solution, application or API that can integrate our intranet with our LDAP on Leopard Server for authentication on a remote intranet proxy. I don't just want to rely on creating a secured realm; I want something smarter. I also want this solution to be as simple as possible from the end user's perspective and do things like allow local unauthenticated (or Kerberos) access from workstations on our LAN or workstations on our site-to-site VPN. That traffic is trusted and should be able to totally bypass authentication, or at least allow authentication to happen in the background.

Maybe I'm asking for too much in search of a solution, but I don't want to make our users re-sign-on when they want to switch from our database front end to view training materials, to access webmail, or to view the collaboration wiki content. I also don't want users to have to rely on 5 different methods of searching our intranet to find what they're looking for.

I figure that for what I want to do, I will have to:

  1. Come up with a custom spotlight search API for Apache, that will not only singularly index web content, but integrate database content as well.
  2. Figure out how to modify apache to openly serve the site to trusted internal IP addresses or use WebDAV with kerberos single sign-on.
  3. Come up with a public web proxy where remote users can authenticate with their LDAP credentials and then access the intranet from remote locations.

So if anybody has a suggestion on how to accomplish any of this on Leopard Server, or knows of a great resource on how to do any of the following, let me know: modify the Spotlight search plugin for Apache, integrate LDAP authentication within a web page, modify Apache to only allow certain IP addresses to access a site, use one authentication session ID to access other secured sites, view PDF, Word and Excel files on a shared volume through a web front end, or create a remote sign-on proxy. If you have any thoughts on this or know something that would help, let me know.


Mobile Accounts for students

Ed. Note: This is a fairly common question that we get. Sizing is always a pain, especially when you're moving into a new setup. So if you have any wisdom on the matter, please post in the comments.

We are a K-12 school (K-8 at one site and 6-12 at the other) that is using a Mac Pro at each site to house home folders as well as run OD.

My first question is this: Should one server be handling both of these tasks? If not, is there an economical way to change this? I ask because when a class attempts to log on, there is a serious bottleneck! To eliminate this at one site, I made the older students (who have larger home folders) mobile with assigned seating in the lab of iMacs. This seems to have solved the speed issue and I'd like to try something similar at the other site, which has a laptop cart of MacBooks as its lab.

So here's the second question: How many accounts can live on a single workstation and work well?

Any help you could offer would be great!

Server & Clients 10.5.6


Open Directory Across Four Locations?

I have to set up the IT infrastructure for a company that has 4 different offices. Two of the sites have Apple-based clients and the other two have Windows-based clients. All of the servers are Xserves. I hope to set up a single Open Directory structure that can handle Mail, a Corporate Intranet Site, a Corporate Website, Home Folders (for both the OS X and Windows laptops/desktops), Job Folders, and Backup for all of these. There will be roughly 75 users at the HQ, and less than 20 users at each of the 3 satellite offices.

Our current equipment includes 2 or more Xserves at every location (plus Xserve RAIDs at the main office), 55 iMacs / Mac Pros, 13 MacBook Pros / Airs, 30 Windows Desktops, and 7 Windows Laptops. Our network infrastructure is gigabit at all of the locations.

Each office has its own Open Directory master and separate fileservers for Job Folders and Home Folders. The Corporate office hosts the mail, websites, and backup for all offices.

Any help or advice for creating this infrastructure in a secure and reliable way would be greatly appreciated!


Communigate Pro with LDAP Authentication

With all the issues related to Sarbanes-Oxley compliance, and contracts being written to cover all losses and lawsuits related to any security breach in network setup these days, along with the desire for System Administrators to manage all of their user accounts from one location, I've been looking into getting an existing Communigate Pro mail setup authenticating to OS X Server's built-in Open Directory.

Read on for more…


How to Delete Old User Mailboxes

We have quite a large turnover of staff, and over a period of time I noticed that once user accounts were deleted in WGM (and were indeed non-functional), their mailboxes were still present and showing up in SA.

There is a how-to floating about (URL below) which will kill these mailboxes, but it seems it only works prior to deleting the user in WGM.

Anyone any ideas?

How-to url:

This how-to is accurate overall, but there are a few nuances that you might be missing that aren't explicitly spelled out in the paper.

Read on for the solution…


Ask AFP548: Get list of when passwords will expire?

I want to send an email to users letting them know that their password is about to expire (we have them set to expire after 30 days, so this happens frequently). Tinkering with our Tiger server, it seems that mkpassdb doesn't provide any useful data. Neither does pwpolicy. Using:

pwpolicy -a adminusr -p adminpwd -u sbrown -getpolicy

always returns (no matter what user or expiration)


as its result. Is there any easy way to get this information that works with Tiger? Am I not using pwpolicy correctly?

BTW, I saw a post here where someone mentions that with AD, UAM, and ActiveX it may be possible to get this info, but we aren’t using AD.

Read on for one possible answer…


PHP / MySQL Issues on Tiger Server

Some of you may be familiar with CMS solutions like Mambo and Joomla. Very cool, very easy to set up etc. Until you get to Tiger.

Well, I go to do that on a Tiger Server and am running into an issue between PHP and MySQL. I can log in to MySQL, create a database, assign privs, etc. When I go to link the db to Joomla, PHP says the username and password are wrong.

This is using MySQL 4.1 and the default install of PHP on 10.4.3. I came across some postings about the socket location changing from /tmp to /etc, but nothing really concrete. One suggestion was to move to PHP 5.

Any thoughts?

Read on for thoughts on a solution…


Tiger broke Password Service

Since upgrading my OD master and replicas from 10.3.9 to 10.4.2, the Password Service pegs both processors on the OD master for 8-10 minutes whenever a password is changed. It doesn't matter whether the password is changed from WGM, the terminal, or a managed client. No crashes occur, nothing is written to the System log, and all else seems normal. The following consistent System log entries are also new since the upgrade.


Workgroup Maintenance Schedules?

Not exactly an OS X Server issue, but still a question for the admins here: I admin a smallish design studio (15 or so users) and am working to put together a schedule for regular maintenance. As it is, backups and a few things happen automatically, but tasks like permissions repair, clearing caches, directory repairs and optimisation (the stuff that requires I kick someone off their machine) tend to happen only sporadically: when a user goes on vacation, or on nights and weekends when I'd rather be doing other things. I've also got several laptop users that take their machines with them every night, so it's hard for me to get anything done on them without disrupting their work. Are there any suggestions from the peanut gallery for a realistic maintenance schedule (how often should I really be running these things?) as well as a realistic way of keeping up with it? I.e., do folks set iCal reminders, cron tasks, sticky notes?


1:1 Laptop Program Server Infrastructure

I am part of a team designing the infrastructure for a 1:1 Laptop Program. We will have roughly 1,000 users, four different buildings, and mobile home directories. In addition, we will have several graphics labs (G5s), lit labs (eMacs), and libraries (iMacs). Lastly, we will also have several labs of windoze machines for business apps.

Originally, we were looking to one Dual G5 Xserve loaded with memory to serve as an Open Directory Master to manage desktops and laptops, and to host the users' home folders. Recently, we were advised to explore adding replica servers to lessen the load on the single box.

Are we expecting too much out of a single machine?
How many additional replicas should we add for 1,000 users?
Is there a guideline, for example, 100 users per replica?

Any help would be appreciated. Thanks!