Lion Server 802.1x WLAN System Profile

Similar Messages

• You cannot sign in to the Cisco Unified MeetingPlace Web Server interface using preconfigured system profiles

  Hi
  I recently upgrade tp 7.0.3  from 7.0.2.
  While upgrade i found that i am not able to login to the web server with the admin id "admin" default created in the application server.
  The same id i can login to application server  , but not in wewb server.
  I am getting the mentioned error "You cannot sign in to the Cisco Unified MeetingPlace Web Server interface using preconfigured system profiles".
  However if i create a new user in application server and tried logging with the  same in the web server it is working fine..
  is it a known behaviour wirh the upgrade or i m facing some issue.
  Hope i can find a solution here.
  Regards
  RC

  RC,
  This behavior is stemming from a change in MP 7.0 MR2 to disable the MPWeb login for system profiles.  This was an internal change made by the developers to restrict the log on to the MPWeb page by the default accounts created in MeetingPlace upon installation.  The change now displays this error when the admin account is attempted to be used for MPWeb login, as you experienced-
  Error:[22953] You cannot sign in to the Cisco Unified MeetingPlace Web Server interface using preconfigured system profiles.
  You should be able to log into MPWeb using any other user profile that you have either created manually or pulled in from LDAP/Active Directory.  You just cannot use the admin account.  This is reserved for login to the MP Application Server Administration page only.  I am going to work to get this information added to the MP 7.0 documentation with a note for changed behavior in MR2 and above.  Here is the note from MP 8.0 documentation-
  Note: You cannot use this preconfigured admin profile to access the Cisco Unified MeetingPlace Web Server interface. Instead enter the User ID and password information from one of the other user profiles that have system administrator privileges to sign in to the Web Server.
  Please let me know if you have any further questions.
  Thank You,
  Gerry

• XServe G5, Leopard Server 10.5.8, System Profiler error

  This is the same issue as discussed in this archived thread:
  http://discussions.apple.com/message.jspa?messageID=10747734
  Running System Profiler and selecting "Memory" displays an error and no information, and logs these errors:
  2010-06-29 10:27:24.768 system_profiler[2673:10b] * -[NSCFData boolValue]: unrecognized selector sent to instance 0x3a83b0
  2010-06-29 10:27:24.771 system_profiler[2673:10b] Exception while calling [SPMemoryReporter updateDictionary:]
  * -[NSCFData boolValue]: unrecognized selector sent to instance 0x3a83b0
  I can see the overall memory amount via "About This Macintosh", but I cannot see the configuration (how much in which slots). Anyone got a fix for this yet?
  Thanks,
  -- MB

  Hi
  What does issuing:
  sudo system_profiler SPMemoryDataType
  Show? It does not exactly address your problem but it should at least give you the information you want? Have you tried creating another test admin account on the Server itself using the Accounts tab in System Preferences and logging in with it? Does the problem go away?
  If it does log back in with the default admin account, delete the newly created test admin account and clear out all the preferences/plists in /Users/adminhome/Library/Preferences. Create a folder on the desktop and place them all in there in case you need some of them later on - you more than likely wont. Clear out everything in /Users/adminhome/Library/Caches as well. Restart the server. Hopefully that might help?
  Tony

• Mac OS X Lion Server Roaming Profiles

  I have Mac OS X Lion Server on my iMac and want to setup "Roaming Profiles" to be able to go into any one of my macs, laptops and desktops, and log in to the same profile. Any one know if this is possible and if so, how to do this???

  You should be able to do this in the Workgroup Manager like http://www.dummies.com/how-to/content/how-to-configure-mobility-settings-on-lion -server-.html or in the Profile Manager. Depends on your setup.

• Fresh Install of Mountain Lion how do I export users from Lion Server

  I've been having some issues with Lion Server, mainly Kerberos related and Profile Manager. So I want to start fresh with Mountain Lion.
  I've installed ML and Server, and profile manager is working now for the first time (yay!)
  Now I want to Import all my existing Open Directory users from Lion, I don't want to Import the entire OD though because I think some of my kerberos issues will just get carried over to ML.
  I would like to just export the Users to a file then use ML server to import users from file, but I can't see an option to export in Lion Server, I have tried doing it from WGM on Lion but the 'users' file is not recognised by ML server

  Great thanks for the reply, I'll try it tonight when everyone has logged off.
  Yeah I was very pleased initially with kerberos on Lion, it worked great to start with, now I'm just getting expired tickets for a default realm when some users log in, yet other users continue to work fine.
  I was planning to slowly install Mountain Lion Server and test is thouroghly but I've had a bit of a disaster that if forcing me to go live with ML server quicker than I wanted to!
  Basically because on Lion Server I have all the Service Data on a separate drive, and I upgraded to ML server on a backup copy of Lion Server just to see what it was like, though now I've rebooted the original Lion drive but half of the services are now screwwed up because the ML Server must have changed them, so things like Wiki Server and Profile Manager are now broken from the Lion Server boot, they just show "Error Reading Settings"
  I realise now I should have moved the Service data back to the local drive before doing a test upgrade so I wouldn't have messed it up! but now it seems like my best way forward is a fresh install of ML Server

• How do I perform a clean install of Lion Server?

  There seem to be many sites documenting how to pull out the ESD image and burn a bootable copy of Lion.
  What I'd like to know is how do I perform a clean installation of Lion Server?
  Is it possible to just install Lion and then open the App Store and install from Purchase without being charged again?

  Okay....so Apple does have a guide related to Mass deployment which includes a rough way to do a clean OS X Server clean install. You need to use a NetBoot Lion Server as a boot, but it works.
  http://support.apple.com/kb/HT4746
  Use these steps to create a NetRestore image of an un-configured Lion Server:
  Install OS X Lion, and then Lion Server. This server will be used to create the NetRestore image.
  On the server, install the app named "Install Mac OS X Lion" from the Mac App Store (a network connection is required for this process).
  Install the Server Admin Tools from http://support.apple.com/downloads/ on the server.
  Open the "Install Mac OS X Lion" application, and install to an empty volume. This volume can be a spare partition or external hard drive. Be sure to click the Customize button and to select the Lion Server software.
  Once installation is complete, the server will restart from the newly installed volume.  Instead of completing the setup assistant, press Command-Q to quit the assistant.
  Select the option to shut the server down.
  Restart the server and hold the Option key.
  When the Startup Manager appears, select the volume which you've already configured Lion Server on.
  Open System Image Utility and create a NetRestore image from the newly installed (and still un-configured) volume. If you'd prefer to image the volume after it has already been configured, you can proceed with the setup assistant before booting back to the original installation created in step 1.

• I want to setup my mac os x lion server

  I bought the mac mini server with lion server last week. I want to setup the server for mail server ical server, web server, file share. now my office network has a static ip address in the internet, i have a router can provide the port forward, i registed the domain in the ISP. ISP server provide the DNS. can you tell me how to setup the server step by step.
  thanks

  You should be able to do this in the Workgroup Manager like http://www.dummies.com/how-to/content/how-to-configure-mobility-settings-on-lion -server-.html or in the Profile Manager. Depends on your setup.

• How can I creat a 802.1x Profile without Lion Server? I miss the plus-button in Lion to creat a 802.1x Profile.

  How can I creat a 802.1x Profile without Lion Server? I miss the plus-button in the Network Configuration (OS X Lion) to creat a 802.1x Profile.

  Tried this?
  http://blog.affien.com/archives/2011/03/16/802-1x-configuration-profile-on-lion- mac-os-x-10-7/

• In Snow Leopard, is there a way to import a wireless 802.1x System Profile via Terminal?  If so how?

  I am trying to deploy a Snow Leopard image via Casper running on a Lion server.  Everything works fine but I'd like to be able to have the image include a wireless 802.1x system profile without having to do it manually post.  I had it as part of my base image but for whatever reason it breaks during the process so I'd like to be able to create a task sequence to deploy it during the image process.  What's the best way to do this?  Thanks in advance!

  Hey SchenkerBob,
  It is possible to disable non-system fonts temporarily for all applications using the Font Book application. This article explains how to do so -
  Mac Basics: Font Book - Apple Support
  In particular -
  Disable and enable specific fonts
  In situations where you'd like to prevent a font from being available in applications, but you don't want to completely remove the font from your Mac, you can use Font Book to disable the font.
  In Font Book, click "All Fonts" in the Collection column.
  Click the name of the font in the Font column.
  Choose Disable "Font Name" Family from the Edit menu.
  Since it might be problematic to have to disable each font individually, you can create a collection of fonts and disable the collection. See the article for how to create a font collection -
  Organize fonts as collections
  When working with fonts, you may discover that you use certain fonts frequently, but rarely use others. To make it easier to find the font you are looking for, you can organize your fonts into collections.
  From the Font Book File menu, choose New Collection.
  Type in a name for the new collection.
  Click "All Fonts" in the Collection column.
  Drag the fonts that you want from the Font column onto the name of your new collection in the Collection column.
  You can then disable collections of fonts -
  You can also disable or enable all fonts in a collection: Click the name of the collection in the Collection column, then choose Disable "Collection Name" or EnableCollection Name" " from the Edit menu. 
  Thanks for using Apple Support Communities.
  Happy computing,
  Brett L 

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."

• 802.1x System Profile HELP, Please!!!

  Server : Xserve, 10.8.5
  Clients : Mix, 10.6.8, 10.8.5
  To who ever may be able to help me,
  I am the tech director for a school district and manage about 800 Apple laptops ranging from old MacBooks to the latest MacBook Pro. We utilize the LDAP service on our Apple server for authentication via 802.1x. Our entire district uses Aruba Network controllers and access points to privde wireless to our clients. For termination we use PEAP and EAP-GTC. Please don't ask me why we are using those methods, it was set up like that before I started and I am not very familiar with all these protocols and authentication methods. All of our students have network only accounts, nothing is ever saved to the client devices, so they require the system profile to be configured in order for the wireless to be active at the log-in window. I have preconfigured each of our 10.6 clients to authenticate this way with a preconfigured user name and password stored in a profile that I exported from the network preferences, because you used to be able to do that.
  Now I am sitting on a pile of newly shipped MacBookPros that, guess what, have 10.8 on them and I am dealing with profiles made by profile manager. Obviously I am here because this is not going well.
  I have created a profile in Profile Manager that has all the information I can provide.
  Interface is set to WiFi
  SSID is set properly
  It is a hidden network, so that box is checked
  Auto Join is checked
  I have no Proxy
  Security type is WPA2
  I have checked, to Use as a log in window configuration
  PEAP is checked
  Password is entered
  I have also added the certificate that the wireless network asks for when manually connecting
  Additionally, I have looked at the profile in Text Edit and confirmed all of the key values are correct.
  The profile will successfully install but it will never connect to the network, it will just sit there authenticating. I can manually connect just fine using the same user name and password I used in the profile. I am stuck. If anyone has any tips for me, I would greatly appreciate it.

  I am experiencing exactly the same issue in my environment. Same setup: System-level profile configured via Casper, with 802.1x authentication at the loginwindow enabled. Users are able to log in using directory based accounts, but the connection then drops and the profile seems to disappear completely! It is no longer visible in the profiles preference pane, and the network will not function again until the user selects the SSID manually and reauthenticates.
  Did you ever find a resolution for this issue? Please help!
  -Andy

• Mountain Lion Server- Profile Manager- No such file or directory

  When trying to start Profile Manager I recieve this message:
  I have tried the following fix provided by Apple:
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB. sh
  However, my problem seems to exist a step before this is even useful. I have been all over the Apple Support Community and web looking for an answer, but everyone seems to assume all problems exist at a point where you don't receive the following from the Console:
  ProfileManager[29045]: devicemgrd: Terminating on unhandled exception No such file or directory - /var/devicemgr/ServiceData/Data/migration at /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devi cemgrd:238:in `initialize'
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devic emgrd:238:in `new'
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devic emgrd:238:in `SetupRails'
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devic emgrd:158:in `Run'
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devic emgrd:851
  com.apple.launchd[1]: (com.apple.devicemanager[29045]) Exited with code: 1
  com.apple.launchd[1]: (com.apple.devicemanager) Throttling respawn: Will start in 9 seconds
  serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
  serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
  serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
  serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
  serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
  serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
  serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
  serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
  ProfileManager[29053]: Failed to delete '/var/devicemgr/ServiceData/Data/tmp'. No such file or directory - /var/devicemgr/ServiceData/Data/tmp
  serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
  serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
  ProfileManager[29053]: devicemgrd: Terminating on unhandled exception No such file or directory - /var/devicemgr/ServiceData/Data/migration at /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devi cemgrd:238:in `initialize'
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devic emgrd:238:in `new'
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devic emgrd:238:in `SetupRails'
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devic emgrd:158:in `Run'
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devic emgrd:851
  com.apple.launchd[1]: (com.apple.devicemanager[29053]) Exited with code: 1
  com.apple.launchd[1]: (com.apple.devicemanager) Throttling respawn: Will start in 9 seconds
  serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
  serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
  serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
  serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
  serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
  serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
  serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
  serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
  ProfileManager[29061]: Failed to delete '/var/devicemgr/ServiceData/Data/tmp'. No such file or directory - /var/devicemgr/ServiceData/Data/tmp
  serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
  serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
  ProfileManager[29061]: devicemgrd: Terminating on unhandled exception No such file or directory - /var/devicemgr/ServiceData/Data/migration at /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devi cemgrd:238:in `initialize'
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devic emgrd:238:in `new'
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devic emgrd:238:in `SetupRails'
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devic emgrd:158:in `Run'
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devic emgrd:851
  com.apple.launchd[1]: (com.apple.devicemanager[29061]) Exited with code: 1
  com.apple.launchd[1]: (com.apple.devicemanager) Throttling respawn: Will start in 9 seconds
  serveradmin[28989]: posting dist not
  ProfileManager[29069]: Failed to delete '/var/devicemgr/ServiceData/Data/tmp'. No such file or directory - /var/devicemgr/ServiceData/Data/tmp
  I'm looking for a solution that doesn't involve reinstalling Mountain Lion if that is at all possible. It seems to me like it should, as that's not so much a solution as just starting over. If you need more from Console, just let me know. Also, I have tried all the threads that relate to restarting, rebooting, or reconfiguring Device Manager and none of them work; at the end I still get the message "No such file or directory."
  Thanks for the help!

  Finally figured the problem out on my own. Thank you to the apple support community for all your help. Full story, I installed OSX Server and then changed the Service Data location to an external hard drive. After that the Profile Manager immediately stopped working. Several reinstallations later and still not working. The problem was not even a little related to /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB .sh, which is the answer everyone else on the internet was giving. The problem was that Profile Manager was no longer installed/installing for whatever reason. So, I went in and reinstalled just Profile Manager from the Server.app and now everything is working great. If things stop working I'll update this post. This is how:
  To begin, delete /private/var/devicemgr. This file is created during the install and if it already exists, the install won't work.
  Open terminal and copy sudo /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/CommonE xtras/80-devicemgrcommon.sh
  That is all I had to do and Profile Manager works great for me now. Hope this helps someone.

• I installed Lion Server and when I click on the Profile Manager I get an error and nothing shows - I can't figure out how to re install Lion Server to fix this - any ideas

  I installed Lion Server on my Mac Pro.  Everything looked to be working until I checked Profile Manager and I get an error message "Error Reading Settings"  Not sure how to fix it.  Tried to download Server agian but can't.

  Look at /usr/lib/libpq library. I have had the same problem. There were following files:
  -rwxr-xr-x  1 root  wheel  163680 30 jul 21:17 /usr/lib/libpq.5.4.dylib
  lrwxr-xr-x  1 root  wheel      15 30 jul 21:20 /usr/lib/libpq.dylib -> libpq.5.4.dylib
  Result for command sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB .sh was:
  Password:
  devicemgr:state = "STOPPED"
  postgres:state = "RUNNING"
  (in /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend)
  Couldn't drop device_management : #<RuntimeError: Please install the postgresql adapter: `gem install activerecord-postgresql-adapter` (dlopen(/Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backen d/vendor/gems/pg-0.9.0/lib/pg_ext.bundle, 9): Library not loaded: /usr/lib/libpq.5.dylib
    Referenced from: /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/vendor /gems/pg-0.9.0/lib/pg_ext.bundle
    Reason: image not found - /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/vendor /gems/pg-0.9.0/lib/pg_ext.bundle)>
  (in /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend)
  Please install the postgresql adapter: `gem install activerecord-postgresql-adapter` (dlopen(/Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backen d/vendor/gems/pg-0.9.0/lib/pg_ext.bundle, 9): Library not loaded: /usr/lib/libpq.5.dylib
    Referenced from: /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/vendor /gems/pg-0.9.0/lib/pg_ext.bundle
    Reason: image not found - /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/vendor /gems/pg-0.9.0/lib/pg_ext.bundle)
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/vendor/ rails/activerecord/lib/active_record/connection_adapters/abstract/connection_spe cification.rb:76:in `establish_connection'
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/vendor/ rails/railties/lib/tasks/databases.rake:69:in `create_database'
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/vendor/ rails/railties/lib/tasks/databases.rake:31
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 636:in `call'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 636:in `execute'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 631:in `each'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 631:in `execute'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 597:in `invoke_with_call_chain'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/monitor. rb:242:in `synchronize'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 590:in `invoke_with_call_chain'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 583:in `invoke'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 2051:in `invoke_task'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 2029:in `top_level'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 2029:in `each'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 2029:in `top_level'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 2068:in `standard_exception_handling'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 2023:in `top_level'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 2001:in `run'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 2068:in `standard_exception_handling'
  /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rake.rb: 1998:in `run'
  /usr/bin/rake:31
  Couldn't create database for {"adapter"=>"postgresql", "username"=>"_devicemgr", "encoding"=>"UTF8", "pool"=>5, "database"=>"device_management"}
  devicemgr:state = "STARTING"
  There was missing symlink to right version of libpq dynamic library!
  After I entered the following commands and now it works well for me:
  $ cd /usr/lib
  $ sudo ln -s libpq.5.4.dylib libpq.5.dylib
  $ sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB .sh
  devicemgr:state = "STOPPED"
  postgres:state = "RUNNING"
  (in /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend)
  (in /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend)
  devicemgr:state = "RUNNING"
  Milan

• System preferences in lion server not responding

  My System Preferences iin Lion Server are not responding.
  when I try to open any application in the system preferences panel, it never opens
  How can I fix this?

  Boot with your bootable backup/clone and restore it. If you don't have one, boot with your install disc and restore your Time Machine backup from some point in the past before the problem cropped up. Don't have one of those either? Then, boot with the install disc and reinstall Snow Leopard. That should restore all functionality without mucking with anything else. Then, run Software Update to get to something other than the 10.6 that your profile is showing, namely 10.6.4, the latest version, repair permissions, and restart.

• Regarding mountain lion server: clients experience intermittent service connections. the server system log has the following error- Client handshake failed (6):113: Server not accepting client connections (any ideas???)

  regarding mountain lion server: clients experience intermittent service connections. the server system log has the following error- Client handshake failed (6):113: Server not accepting client connections. any suggestions would be greatly appreciated - thank you

  Hi Jason
  I was getting the same behavior after Apple support had me delete some plist files to get Airplay going. I was also getting the following error:
  the error occurred while processing a command of type 'writesettings' in the plug-in 'server vpn'
  I went into ~/Library/Preferences/ and /Library/Preferences/ and deleted every plist contating the word server. I had to re-set up my server (meaning walk through some intial steps) but all of my settings were still there after that and everything started working again.
  Just a thought, obviously try at your own risk but it worked for me.
  Kellen