Publishing iCal - which URL of lion server in private network???

I was looking in Apple support and on the web for hours. I simply want to publish my calendar on my private server (NOT on the internet!). Services are already running (profilemanager, iCal...). When I open iCal on my client (MacBook) and want to publish my calendar, I am asked for the base URL of my private server. I tried it with "server.local", "macintosh.local", "192.168.1.xx" - always get the answer: "invalid URL"

I would suggest creating a directory in the Documents directory called something like ical. Do a "sudo chown www:www ical". Set the Web folder in Server Manager to /Library/WebServer/Documents/ical and you should be away. The URL for publishing would then be http://aaa.bbb.ccc/ical
(I also turned off the performance cache.)
I've had a range of problems with the way virtual hosts work on 10.4. (It seems even the order of stuff inside each virtual host file in /etc/httpd/sites can screw things up - go figure) As you guess, permissions seem to be at the heart of it.
Hope this helps

Similar Messages

  • Publish an iWeb site using Lion Server

    Does any one know how to publish an iWeb site using Lion Server.
    I've been getting failures every time I try to publish using the ftp server choice.
    HELP!!!

    I solved this by turning off passive mode. I was using iWeb and Rapid Weaver for creating websites and had the same problem. Now they both work fine on the transfer. Hope this helps.
    JR

  • Delete (reset) ical & adressbook on the lion server?

    Hello
    I have changed some DNS entries on my Lion server (new hostname). I checked everything with "sudo changeip -checkhostname" and it seems to work fine. Also the OD.
    Now it turns out that I have some problems with my iCal & address book server.
    How can I delete them and make them straight new, so that I get a new entry for the old
    /principals/__uids__/94ACA880-F72E-4738-9F22-AE9607C1DF89/
    At the moment, a couple of times a day it complains that there is no connection for this calendar. Also, the address book refuses to save new entries.
    I want to reset both the iCal & address book server parts, but I can't find how to do it.
    Regards
    Gérard

    Hello
    Here is the error I got on the Lion & Snow Leopard clients
    Die URL „https://xyz123.dyndns.org:8443/principals/__uids__/94ACA880-F72E-4738-9F22-AE9607C1DF89/“ hat folgenden HTTP-Fehler verursacht: 404. Vergewissern Sie sich, dass die URL korrekt ist.
    I think the message is clear also for English-speaking persons.
    It gives an HTTP Error 404? but I thought I don't use http at all?

  • I want to add a new Lion server to my network.

    I am at the screen asking me if I want to set up a new server or Transfer. Right now we have a 10.6 server that is doing the heavy lifting in our network.
    My end goal is to use the new lion server to authenticate users, file sharing to osx and ios, vpn and maybe some server apps down the road.
    My 10.6 server is now doing all of that. (minus the ios sharing and vpn)
    What I'd like is to have the 10.6 server keep some file sharing duties as well as a few other server apps, while the new Lion server authenticates users, etc.
    Will I be better off using the transfer wizard or just setting up new and then configuring the two servers?
    Thanks!
    If I have left out any important details please ask me.
    -=fred=-

    You don't need to configure it manually. Just choose
    Settings > Mail, Contact, Calendars > Add Account > Google
    and enter your Gmail email and password.

  • Lion server in windows network

    what are the steps if possible, to migrate a Windows Server 2003 network, into a mac mini with lion server, and terabytes of data storage connected?

    Too vague of a question.  What does your server 2003 network do that needs to be migrated?  Just a file server or more than that?

  • Remove Server from /private/Network/Servers?

    I'm integrated with a Windows AD Network. We moved this user's home directory to another server but the old server still shows up in /private/Network/Servers and if the woman tries to save something to the old server instead of going to the server (since it doesn't exist anymore) it saves it to the hard drive under /private/network/servers/servername/directory
    Reading online I read about something going into "dscl" and changing to /search/mounts or something like that but trying to use the "delete" command in there doesn't work.
    Anything you can tell me?

    Hi,
    If you are under All Servers dashboard, you may right click on the server which you want to remove and select “Remove Server”. If you want to remove a server from a Server Group,
    you may right click on the server which you want to remove and select “Remove Server from Group”.
    Please note, you cannot remove the current server from the All Servers dashboard.
    Regards,
    Arthur Li
    TechNet Subscriber Support

  • Build a gateway server for private network ???

    Hello all good friends,
    I have a private network, and one Linux box with a public IP address and two NICs, connecting directly to the ISP. Now, I want to set up this Linux box to operate as a gateway server so that all my private networks can use the Internet. I have asked this question to many people and got many suggestions such as installing IPchains (NAT server), IPtables (NAT server), SQUID (Proxy server), ... But until now the big question to me is which software is the best one. I mean, which software allows my private network to access the Internet fastest? (Proxy server or NAT server only?) And which one is the most secure? Besides, if you know of another option, please tell me if you don't mind.
    I will be grateful all my life to all of you who answer me.
    Tu from Vietnam

    Best thing I would suggest is to buy a Gateway Router. I have D-Link 804, but you can buy anything that pleases you more or suits your demands. Also this way, you do not have to have a computer "turned-on" all the time. Some other advantages are that functions like DHCP, NAT and other features are built into the router. This way you can connect up to 253 computers to a router and also have a 100Mb/sec internal home network. You can also go for the wireless option, if you have more money to spend. Just look up on the net for more information.
    i2l2

  • How to change the default view of published iCal's URL

    I am publishing an iCal for a nonprofit group and link to the calendar from the group's website. The default URL given (in the send publish email option) leads to the week view of the current week. I would prefer the link to take site visitors to the month view of the calendar. If I go to the month view and copy the URL for it, and use that for the link, I have to change the URL each month, because the URL that comes from the month view will only show the month it was at the time I copied the URL -- it will not change with the new month. Does anyone have any idea of how I can change the URL so that it leads to the month view of whatever the current month is?
    I should note that I know how to change the default view in the my browser, but I would rather not have to explain how to do this to all the people viewing the calendar -- just wanting the correct month view to show up when they click the link, without having to change it each month.
    I would be so grateful if anyone has some insight on this!
    Thanks.

    Carlo,
    The fact that this question has been left unanswered for over 2 months seems a little negligent on the part of Apple Support.
    This Forum is unfortunately not Apple Support. According to Apple:
    What is Apple Discussions and how can it help me? 
    "Apple Discussions is a user-to-user support forum where experts and other Apple product users get together to discuss Apple products. You'll find a wealth of information about your favorite Apple hardware and software products that will help you get the most out of your purchase. You can participate in discussions about various products and topics, find solutions to help you resolve issues, ask questions, get tips and advice, and more.
    If you have a technical question about an Apple product, be sure to check out Apple's support resources first by consulting the application Help menu on your computer and visiting our Support site to view articles and more on our product support pages."
    In direct response to your questions, I would say that (as observed by the OP) anyone who subscribes to a published calendar can make a change to their desired view using the "Preferences" icon which is displayed underneath the mini-month calendars.
    There is no way that I know of to directly or conveniently change the time-range. There may be workarounds, but I could not find a suitable solution for you.
    I would recommend that you provide iCal Feedback, if you are interested in informing Apple of your desires.
    ;~)

  • Lion Server VPN dual network cards

    I have a XServe running Lion 10.7.3.  When I connect to the vpn I can only connect to the server and nothing else on the network. How can I set it up to see the whole network?

    Simple. Configure your VPN correctly.
    Of course, you might have done that, but since you're so light on details there's no way for us to know.
    From your description, though, it sounds like you haven't configured the server to hand out the right range of VPN networks. When a client connects, the VPN server sends it a list of networks/subnets to send over the VPN tunnel - e.g. "hi, client, send me all traffic for 10.1.2.0/24".
    If you haven't set this then the client doesn't know what traffic to send over the VPN vs. sending to the public internet. That's what I assume is going on here, but I could be wrong.
    If you have got the routing correct the next issue would be DNS - have you set the right (internal) DNS server in the VPN server settings, so that the server knows to tell the clients what DNS server to use? If you haven't then the client will continue to use its normal DNS server which likely doesn't know anything about your internal network hostnames. Pinging a resource by IP address rather than hostname would be a simple check for this.
    So check your VPN configuration and report back if that's not a solution. Either way it likely comes down to a configuration error on the server.

  • Publish iCal Local Account Calendar on OS X Server

    I'd like to publish my iCal calendar (iCal>Calendar>Publish...>Publish on: A private server) on my OS X Server 10.6.7.
    Whenever I attempt to do this using my local account on the server, I get the error:
    http://username@domain_name/Home.ics is not a location that supports this request.
    I've tried all the obvious stuff: turning off the firewall, sanity checking the iCal service authentication settings, everything obvious. I believe that this is an authentication issue for local accounts on OS X Server. Because the server is set up as a standalone (i.e., no network accounts, all local accounts), Open Directory is turned off, and there's no Kerberos authentication that I'm aware of.
    Would someone please tell me how to publish iCal calendars of local accounts on OS X Server?

    According to iCal Server Administration, OS X Server requires an Open Directory account, so you cannot publish your local account's iCal calendar.
    You can, however, use iCal itself and a modification of the OS X Hint "Publish iCal calendars with local WebDAV server" to publish local account calendars.
    0. Server Admin>Web>Sites Turn on the Web with an enabled host name. Make sure that WebDAV is enabled under Server Admin>Web>Sites>Options. Enable SSL with your server's certificate under Server Admin>Web>Sites>Security to ensure that your personal calendar information is SSL encrypted over the web.
    1. Append this directive to the end of the file /private/etc/apache2/httpd.conf:
    Include /private/etc/apache2/other/*.conf
    and make sure that there's no conf file in ./other that you may not wish to load, such as httpd-userdir.conf. Move these to *.conf.original or some such if necessary.
    2. Create the file /private/etc/apache2/other/httpd-webdav.conf with the contents:
    # WebDAV configuration for Publishing local account iCal calendars
    #  Based in part on Mac OS X Hint "iPublish iCal calendars with local WebDAV server Apps"
    # http://hints.macworld.com/article.php?story=20020912065811863
    # copied from /etc/apache2/sites/0000_any_443_myserver.conf
    # which is automatically generated by Server Admin>Web
    # No need to replicate these directives here, so comment out
    #<IfModule mod_dav.c>
    #       DAVLockDB "/var/run/davlocks/.davlock100"
    #       DAVMinTimeout 600
    #</IfModule>
    <IfModule mod_dav.c>
      <Directory "/Library/WebServer/Documents/webdav">
        DAV On
        AuthType Digest
        AuthName 'WebDAV'
        AuthDigestFile /private/etc/apache2/httpd/.htdigest
        AuthGroupFile /dev/null
    #    <LimitExcept GET HEAD OPTIONS>
          require valid-user
    #    </LimitExcept>
      </Directory>
    </IfModule>
    3. Create the apache htdigest authentication file:
    $ sudo mkdir /private/etc/apache2/httpd
    $ sudo chmod 0755 /private/etc/apache2/httpd
    $ sudo touch /private/etc/apache2/httpd/.htdigest
    $ sudo chmod 0644 /private/etc/apache2/httpd/.htdigest
    $ sudo htdigest /private/etc/apache2/httpd/.htdigest WebDAV username
    Adding password for username in realm WebDAV.
    New password: md5 hashed password
    Re-type new password: md5 hashed password
    4. Create the WebDAV directory:
    $ sudo mkdir /Library/WebServer/Documents/webdav
    $ sudo chown www:www /Library/WebServer/Documents/webdav
    $ sudo chmod 0755 /Library/WebServer/Documents/webdav
    $ sudo mkdir /Library/WebServer/Documents/webdav/iCal
    $ sudo chown www:www /Library/WebServer/Documents/webdav/iCal
    $ sudo chmod 0755 /Library/WebServer/Documents/webdav/iCal
    and sanity check that the OS X Server davlocks directory /var/run/davlocks exists [it should!] and has www:www ownership with permissions 755 [it should!].
    5. Sanity check your apache config files:
    $ apachectl -t
    should yield "Syntax OK". Then Server Admin>Web>Stop and Start to restart your web server with the new configuration.
    5. Under your local account on OS X Server, iCal>Calendar>Publish... Publish on a private server with the URL:
    https://osxserver/webdav/iCal
    using OS X Server's local account username/password. Success will be reported with a URL of your calendar on the server.
    6. Under another client account from which you wish to subscribe to your OS X Server local account's Calendar, iCal>Calendar>Subscribe... Enter the URL on OS X Server. You will be prompted for the htdigest name/password pair you created above -- enter this, not the username/password of your local account on OS X Server. Even though you should be protecting this channel with SSL and md5, don't reuse your username/password to access the WebDAV directory you created. You will now be subscribed to your local account's iCal Calendar residing on OS X Server.
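
An added example, not part of the original post: a shell audit of the WebDAV share built in steps 2 and 3 above. It checks that reads need a login (the `require valid-user` line has to stay outside any `<LimitExcept>`), that the `AuthName` realm has an entry in the digest file, and whether that file is world-readable. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. All file contents below are constructed.

# Succeeds only if every <Directory> with "DAV On" has a Require directive that is
# NOT inside <Limit>/<LimitExcept>, so GET (reading the calendar) needs a login too.
dav_reads_need_auth() {
    awk '
        /^[ \t]*#/         { next }                 # commented-out directive
                           { l = tolower($0); k = tolower($1) }
        l ~ /<directory/   { dav = 0; req = 0 }
        l ~ /<limit/       { inlimit = 1 }          # <Limit ...> or <LimitExcept ...>
        l ~ /<\/limit/     { inlimit = 0 }
        k == "dav" && tolower($2) == "on" { dav = 1 }
        k == "require" && !inlimit        { req = 1 }
        l ~ /<\/directory/ { if (dav && !req) bad = 1 }
        END                { exit bad + 0 }
    ' "$1"
}

# Print the realm named by the first AuthName directive, without its quotes.
auth_realm() {
    awk 'tolower($1) == "authname" { $1 = ""; print; exit }' "$1" |
        sed -e 's/^ *//' -e "s/^[\"']//" -e "s/[\"'] *\$//"
}

# Succeeds if DIGESTFILE holds at least one "user:realm:hash" line for the realm
# that CONF announces. htdigest keys every entry to the realm, so a mismatch
# between AuthName and the realm given to htdigest locks everyone out.
realm_has_user() {
    realm=$(auth_realm "$1")
    awk -F: -v r="$realm" '$2 == r && length($3) == 32 { ok = 1 } END { exit !ok }' "$2"
}

# Succeeds if "other" users can read FILE. The third field of an htdigest line is
# MD5(user:realm:password), which is all a client needs to answer a Digest
# challenge, so the file deserves the same care as a password list.
world_readable() {
    case $(ls -ld "$1" | cut -c8) in r) return 0 ;; *) return 1 ;; esac
}

# Constructed samples: the Directory block from the post, the same block with the
# LimitExcept lines uncommented, and a digest file with a dummy hash at mode 0644.
write_samples() {
    cat > "$1/post.conf" <<'EOF'
<Directory "/Library/WebServer/Documents/webdav">
    DAV On
    AuthType Digest
    AuthName 'WebDAV'
    AuthDigestFile /private/etc/apache2/httpd/.htdigest
#    <LimitExcept GET HEAD OPTIONS>
      require valid-user
#    </LimitExcept>
</Directory>
EOF
    sed 's/^#\( *<.*LimitExcept\)/\1/' "$1/post.conf" > "$1/open_reads.conf"
    printf 'username:WebDAV:%s\n' 0123456789abcdef0123456789abcdef > "$1/htdigest"
    chmod 0644 "$1/htdigest"
}

# audit CONF DIGESTFILE: print findings; the return status is the number of findings.
audit() {
    n=0
    dav_reads_need_auth "$1" || { echo "FINDING: DAV directory readable without login"; n=$((n + 1)); }
    realm_has_user "$1" "$2" || { echo "FINDING: no digest entry for realm '$(auth_realm "$1")'"; n=$((n + 1)); }
    world_readable "$2"      && { echo "FINDING: $2 is world-readable"; n=$((n + 1)); }
    return $n
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_samples "$tmp"
for conf in post.conf open_reads.conf; do
    echo "== $conf"
    audit "$tmp/$conf" "$tmp/htdigest" || true
done
```
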

  • How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

    I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
    Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
    Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Someday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
    Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
    1. DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
    2. DVD>Install Lion
    3. Reboot, hopefully Lion install kicks in
    4. Update, update, update Lion (NOT Lion Server yet) until no more updates
    5. System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standby)
    6. Terminal>$ sudo scutil --set HostName server.domain.com
    7. App Store>Install Lion Server and run through the Setup
    8. Download install Server Admin Tools, then update, update, update until no more updates
    9. Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
    10. System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
    11. A few DNS set-up steps and these most important steps:
    A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
    B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
    C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
    D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
    E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
    F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
    G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed as an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
    H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.]
    I. Test from web browser server.domain.com/mydevices: Lock Device to test
    J. ??? Profit
    12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
    You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
    Firewall
    Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is mostly a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
    SSH
    Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    I'm not sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
    Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
    client$ ssh-keygen -t rsa -b 2048 -C client_name
    [Securely copy ~/.ssh/id_rsa.pub from client to server.]
    server$ cat id_rsa.pub >> ~/.ssh/authorized_keys
    I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
    $ diff denyhosts.cfg-dist denyhosts.cfg
    12c12
    < SECURE_LOG = /var/log/secure
    > #SECURE_LOG = /var/log/secure
    22a23
    > SECURE_LOG = /var/log/secure.log
    34c35
    < HOSTS_DENY = /etc/hosts.deny
    > #HOSTS_DENY = /etc/hosts.deny
    40a42,44
    > #
    > # Mac OS X Lion Server
    > HOSTS_DENY = /private/etc/hosts.deny
    195c199
    < LOCK_FILE = /var/lock/subsys/denyhosts
    > #LOCK_FILE = /var/lock/subsys/denyhosts
    202a207,208
    > LOCK_FILE = /var/denyhosts/denyhosts.pid
    > #
    219c225
    < ADMIN_EMAIL =
    > ADMIN_EMAIL = [email protected]
    286c292
    < #SYSLOG_REPORT=YES
    > SYSLOG_REPORT=YES
    Network Accounts
    Use Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
    2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
         User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
    Oh well.
    Email
    Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
    root:           myname
    admin:          myname
    sysadmin:       myname
    certadmin:      myname
    webmaster:      myname
    my_alternate:   myname
    Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
    cd /etc/postfix
    sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
    echo 'smtp_sasl_security_options = noanonymous' | sudo tee -a ./main.cf
    sudo serveradmin stop mail
    sudo serveradmin start mail
    Finally, make sure that you're running a blacklisting service yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
    If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
    iCal Server
    Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
    Web
    The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
    $ diff httpd.conf.default httpd.conf
    95c95
    < #LoadModule ssl_module libexec/apache2/mod_ssl.so
    > LoadModule ssl_module libexec/apache2/mod_ssl.so
    111c111
    < #LoadModule php5_module libexec/apache2/libphp5.so
    > LoadModule php5_module libexec/apache2/libphp5.so
    139,140c139,140
    < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    < #LoadModule encoding_module libexec/apache2/mod_encoding.so
    > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    > LoadModule encoding_module libexec/apache2/mod_encoding.so
    146c146
    < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    177c177
    < ServerAdmin [email protected]
    > ServerAdmin [email protected]
    186c186
    < #ServerName www.example.com:80
    > ServerName domain.com:443
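Review bot: `ServerName domain.com:443` in the 186c186 hunk names a host that the generated certificate does not cover; the post states further down that the certificate only knows about server.domain.com. Setting `ServerName server.domain.com:443` would keep self-referential URLs and redirects on the name that validates without an SSL warning.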
    677a678,680
    > # Server-specific configuration
    > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
    > Include /etc/apache2/mydomain/*.conf
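Review bot: the wildcard in `Include /etc/apache2/mydomain/*.conf` (hunk 677a678,680) loads every file ending in .conf that ever lands in that directory, including backup copies and half-edited drafts. Keep the directory root-owned and not writable by others, give backups a different suffix, and reword the comment above the Include so it says the apachectl command is the restart to run after editing those files.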
    I did "sudo mkdir /etc/apache2/mydomain" and added specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
    Alias /eyetv /Users/uname/Sites/EyeTV
    <Directory "/Users/uname/Sites/EyeTV">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
    <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
    Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
    One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
    Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
    User-agent: *
    Disallow: /
    Misc
    VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.
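
An added example, not part of the original post: a shell check that the three /etc/sshd_config settings from the SSH section above are the ones sshd will actually use. sshd keeps the first value it reads for each keyword, so hardening lines appended below an earlier `yes` have no effect; the sample files are constructed, and the fallback of `yes` for an unset keyword is an assumption that matches OpenSSH releases of that era.

```shell
#!/bin/sh
# Added example, not from the original post. All file contents below are constructed.

# effective_value KEYWORD FILE
# Print the value sshd will use for KEYWORD. sshd takes the FIRST value it reads,
# keywords are case-insensitive, and commented-out lines do not count. Parsing
# stops at the first Match block because settings inside it apply conditionally.
effective_value() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || NF == 0  { next }
        tolower($1) == "match" { exit }
        tolower($1) == want    { val = tolower($2); exit }
        END { print (val == "" ? "yes" : val) }   # assumed default when unset: yes
    ' "$2"
}

# password_logins_off FILE
# Succeeds only if all three settings from the post are effectively "no";
# prints one line for each setting that is not.
password_logins_off() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication; do
        v=$(effective_value "$kw" "$1")
        [ "$v" = "no" ] || { echo "FINDING: $kw is effectively '$v'"; rc=1; }
    done
    return $rc
}

# Constructed samples.
write_samples() {
    # Every setting commented out: sshd falls back to its defaults.
    cat > "$1/stock.conf" <<'EOF'
#PermitRootLogin yes
#PasswordAuthentication no
#ChallengeResponseAuthentication yes
EOF
    # Hardening appended at the end, below an earlier active "yes".
    cat > "$1/appended.conf" <<'EOF'
Port 22
PasswordAuthentication yes
UsePAM yes
# hardening appended at the end of the file
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
    # The three lines from the post, ahead of anything that could override them.
    cat > "$1/hardened.conf" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
write_samples "$d"
for f in stock.conf appended.conf hardened.conf; do
    echo "== $f"
    password_logins_off "$d/$f" && echo "ok: password and root logins are off"
done
```

On the server itself, `sudo sshd -T` prints the effective configuration as sshd computes it, which is the authoritative check.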

    Privacy Enhancing Filtering Proxy and SSH Tunnel
    Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
    If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
    $ ./ssht 8080:[email protected]:3128
    $ ./ssht 8080:alice@:
    $ ./ssht 8080:
    $ ./ssht 8018::8123
    $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
    $ vi ./ssht
    #!/bin/bash
    # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
    # Runs under bash: the +(pattern) matching below needs extglob, which is not POSIX sh.
    USERNAME_DEFAULT=username
    HOSTNAME_DEFAULT=domain.com
    SSHPORT_DEFAULT=22
    # SSH port forwarding specs, e.g. 8080:localhost:3128
    LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
    REMOTEHOST_DEFAULT=localhost    # Default is localhost
    REMOTEPORT_DEFAULT=3128         # Default is Squid port
    # Parse ssh port and tunnel details if specified
    SSHPORT=$SSHPORT_DEFAULT
    TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOTEHOST_DEFAULT:$REMOTEPORT_DEFAULT
    while [ "$1" != "" ]
    do
      case $1
      in
        -p) shift;                  # -p option
            SSHPORT=$1;
            shift;;
         *) TUNNEL_DETAILS=$1;      # 1st argument option
            shift;;
      esac
    done
    # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
    shopt -s extglob                        # needed for +(pattern) syntax; man bash
    LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
    USERNAME=$USERNAME_DEFAULT
    HOSTNAME=$HOSTNAME_DEFAULT
    REMOTEHOST=$REMOTEHOST_DEFAULT
    REMOTEPORT=$REMOTEPORT_DEFAULT
    # LOCALHOSTPORT
    CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
    CAR=${TUNNEL_DETAILS%%"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR%:}                            # delete :
    if [ "$CAR" != "" ]                     # leading local port specified
    then
        LOCALHOSTPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEPORT
    CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
    CAR=${TUNNEL_DETAILS##"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # trailing remote port specified
    then
        REMOTEPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEHOST
    CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
    CAR=${TUNNEL_DETAILS##"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # remote host specified
    then
        REMOTEHOST=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # USERNAME
    CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading *@
    CAR=${TUNNEL_DETAILS%%"$CDR"}           # cut this string from TUNNEL_DETAILS
    CAR=${CAR%@}                            # delete @
    if [ "$CAR" != "" ]                     # user name specified
    then
        USERNAME=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # HOSTNAME
    HOSTNAME=$TUNNEL_DETAILS
    if [ "$HOSTNAME" = "" ]                 # no hostname given
    then
        HOSTNAME=$HOSTNAME_DEFAULT
    fi
    # -f background, -C compress, -q quiet, -N no remote command (forwarding only)
    ssh -p "$SSHPORT" -L "$LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT" -l "$USERNAME" "$HOSTNAME" -f -C -q -N \
        && printf 'SSH tunnel established via %s:%s:%s\n\tto %s@%s:%s.\n' "$LOCALHOSTPORT" "$REMOTEHOST" "$REMOTEPORT" "$USERNAME" "$HOSTNAME" "$SSHPORT" \
        || echo "SSH tunnel FAIL."

  • iChat & iCal can't authenticate to Lion Server 10.7.2

    I've enabled iChat and iCal Server through our local 10.7.2 Server which has DNS set up correctly. I can add the server account via a client's System Preferences (under other - Mac OS X server) and it authenticates with my shortname correctly.
    However, when I load iCal or iChat, I get this error message:
    iChat can't login to servername.ourdomain.co.nz because your login ID or password is incorrect.
    Where the account is [email protected]
    The password and username is correct.
    Console throws this error:
    >22/11/11 3:03:31.135 PM imagent: [Warning] XMPPConnection: Error: Error Domain=XMPPErrorDomain Code=105 "The operation couldn’t be completed. (XMPPErrorDomain error 105.)" UserInfo=0x7f81bbe2a3e0 {XMPPErrorText=service requested for unknown domain}
    DNS is set up correctly and we are using a FQDN to connect (it's working for Profile Management, Software Update Server and Web Services) but I can't get iChat or iCal to work correctly.
    How can I get clients to authenticate?
    I have also asked this question on Serverfault, here: http://serverfault.com/questions/333468/ichat-and-ical-cant-authenticate-to-lion-server-10-7-2

    Where are you adding these users? You should be adding them on the Lion SERVER, in the server app, under Accounts -> Users. I presume you are running open directory?
    I am adding them on the Lion Server, under Accounts -> Users. 
    The usernames have no domain in them. So, example name might be steve. When you are adding a new user on the lion server through serverapp, the user name shown in the box that says "Account Name" is what goes in the user name fields in iCal and address book. Those are added by adding a new account within iCal or Address Book app on the client.
    I'm only using the short name to add the accounts on the Lion client. However, both iCal and iChat require a FQDN as part of the login - they amend @servername.domain.co.nz as part of the account. This is normal behavior for both iChat and iCal on Lion Server.
    "I can add the server account via a client's System Preferences (under other - Mac OS X server)". Where!? I don't see any other - Mac OS X server on any client. I assume Mac clients? Are you doing Lion server network accounts? Local accounts?
    Anyway, the name that is the user name is the short name. There is no domain part. So, not sure why you have a domain part to the name. The domain goes in the server address in Address Book or iCal.
    You're correct - you only add the shortname in the client's system preferences, but iChat and iCal add the FQDN part to the login.
    Here is the dialogue box that I am talking about on the client:

  • Does anyone know how to publish a site using Lion server.

    I have made a web site using iWeb and was trying to publish it using FTP and Lion server but was quite sure where to find the server address and other required info.
    If anyone can help it'd be greatly appreciated.
    Thanks

    You shouldn't need to use ftp to publish a site when using a server, this is the whole point, that you are not uploading anywhere external, but are hosting yourself on a dedicated computer running a server.
    This is not really the place to ask.  There should be more forums here that are specially dedicated to Lion server issues.
    Try looking at the pages on the Apple site under info on Lion server and there should be a user manual for you to look at for Lion server.  Try looking at this.
    This is an iWeb forum so not really the right place to ask questions regarding server issues.

  • Native iOS L2TP VPN not working on Lion Server

    Hi Folks,
    I have a very strange issue concerning making VPN work on two iOS devices I have. I have recently set up Lion Server on a MacMini here in the office with L2TP VPN using a shared secret phrase and a password authentication.
    I have Lion running on a MacBook Air (which I set up VPN on using the provisioning profile "VPN.mobileprovision") and Snow Leopard running on an iMac. (VPN was set up manually). Both systems have been tested to work both inside and outside of my internal network as I have tested with an air card.
    I also have an iPhone running 4.3.4/4.3.5 that I set up by emailing the provisioning profile and an iPad 1 running iOS 5 beta 4 set up with the VPN provisioning profile. Neither the iPad nor iPhone seem to work at all, either internally or externally. In fact I never see any activity in the vpnd.log when I attempt to connect with these devices. All I get is the standard "The L2TP-VPN server did not respond. Try reconnecting. ..."
    Based on my success with the OSX Clients both inside and outside my local network I feel it is safe to say that I do not think the issue resides on the Lion Server nor the network/firewall configuration. I am running a Time Capsule with FW 7.5.2/7.4.2. There was no change in behavior with either version of the Time capsule firmware for the clients whether they were OSX or iOS. I must be clearly missing something here and I don't know what. Any help any of you could provide would be greatly appreciated. Thanks!
    Please see the below settings for my VPN Settings on the host and iOS client
    root# serveradmin settings vpn
    vpn:vpnHost = ""
    vpn:Servers:com.apple.ppp.pptp:Server:Logfile = "/var/log/ppp/vpnd.log"
    vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1
    vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128
    vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains:_array_index:0 = "ri.cox.net"
    vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.15.1"
    vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "1"
    vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
    vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:SharedSecret = "2"
    vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
    vpn:Servers:com.apple.ppp.pptp:enabled = no
    vpn:Servers:com.apple.ppp.pptp:Interface:SubType = "PPTP"
    vpn:Servers:com.apple.ppp.pptp:Interface:Type = "PPP"
    vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5
    vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1
    vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
    vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
    vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1
    vpn:Servers:com.apple.ppp.pptp:PPP:IPCPCompressionVJ = 0
    vpn:Servers:com.apple.ppp.pptp:PPP:ACSPEnabled = 1
    vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1
    vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60
    vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
    vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
    vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
    vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
    vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log"
    vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1
    vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200
    vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:0 = "MPPE"
    vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = "Manual"
    vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.15.224"
    vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.15.254"
    vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses = _empty_array
    vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes = _empty_array
    vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array
    vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4"
    vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
    vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0
    vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log"
    vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1
    vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains:_array_index:0 = "ri.cox.net"
    vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "192.168.15.1"
    vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1"
    vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
    vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = "2"
    vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
    vpn:Servers:com.apple.ppp.l2tp:enabled = yes
    vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"
    vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP"
    vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5
    vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1
    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"
    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
    vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1
    vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0
    vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1
    vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60
    vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1
    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
    vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
    vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"
    vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
    vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain"
    vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = ""
    vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp"
    vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"
    vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = ""
    vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None"
    vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>
    vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual"
    vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.15.241"
    vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.15.249"
    vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array
    vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array
    vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array
    vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"

    Issue is resolved. I used the initial random generated shared secret that was generated by Lion Server. The shared secret has special characters. iOS did not like the special characters. See iPhone Console Log below:
    Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] INFO: @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
    Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] INFO: Reading configuration from "/etc/racoon/racoon.conf"
    Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] ERROR: /var/run/racoon/68.9.232.78.conf:6: "?gLA" syntax error
    Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] ERROR: fatal parse failure (1 errors)
    That is why I never saw any attempt to connect. The actual process would bomb out before attempting to make a connection to the server.
    The shared secret key was:
    Y|WNwvM_O"?gLA$F@adT
    Looks like it was the " or the ? symbols.
    Once I changed the shared secret key the issue went away and the iPhone and iPad could connect to vpn without issue.
    Figured I'd let you all know
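The failure described in the post above (a generated shared secret containing characters the iOS racoon config could not parse) can be caught before a secret is deployed. This is an added example, not code from the thread; the function names and the choice to restrict secrets to A-Za-z0-9 are assumptions made here, with length used to keep the entropy high.

```shell
#!/bin/sh
# Added example: audit an L2TP/IPSec shared secret and generate a replacement.
# Assumption: limiting the alphabet to A-Za-z0-9 is a conservative way to avoid
# quoting problems in generated client configs like the racoon one quoted above.

# Print the characters of $1 that fall outside A-Za-z0-9 (no output = clean).
psk_unsafe_chars() {
    printf '%s' "$1" | LC_ALL=C tr -d 'A-Za-z0-9'
}

# Print a random alphanumeric secret of length $1 (default 32).
# Random bytes outside the alphabet are discarded, so every character
# of the result is drawn uniformly from the 62 allowed symbols.
gen_psk() {
    len=${1:-32}
    out=""
    while [ "${#out}" -lt "$len" ]; do
        chunk=$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')
        out="$out$chunk"
    done
    printf "%.${len}s\n" "$out"
}

# Approximate entropy, in whole bits, of a random alphanumeric secret of
# length $1: length * log2(62).
psk_entropy_bits() {
    awk -v n="$1" 'BEGIN { printf "%d\n", n * log(62) / log(2) }'
}

# Demo: the secret quoted in the post, then a generated replacement.
printf 'outside A-Za-z0-9: %s\n' "$(psk_unsafe_chars 'Y|WNwvM_O"?gLA$F@adT')"
printf 'replacement: %s (about %s bits)\n' "$(gen_psk 32)" "$(psk_entropy_bits 32)"
```

A 20-character secret over this alphabet still carries about 119 bits, so dropping punctuation does not have to weaken the key.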

  • Lion server and SSI

    I wanted to have some SSI elements on my site, which I'm hosting off my iMac (I know it's not the best setup, but it works well, considering my site isn't tremendously popular). I tried to test whether it supported SSI by creating an HTML document, then an SHTML document, with this source code:
    <HTML>
    <TITLE>Test File</TITLE>
    <!--#config timefmt="%A" --> <!--#echo var="DATE_LOCAL" -->
    </HTML>
    as advised by HTMLGoodies. The code is supposed to display the day of the week on the page. If it didn't, I was supposed to try it with an SHTML file. Neither worked.
    Is there any way to enable SSI in Lion Server 10.7.1?

    The following is the Apache doc on Server Side Includes: http://httpd.apache.org/docs/1.3/howto/ssi.html
    It describes how Apache (which is what LION server is using) needs to be configured to allow for SSI.
    Instead of configuring Apache to work differently than LION set it up (there can be issues where LION will disregard your settings, overwrite them, etc.), I would recommend creating an .htaccess file in the main folder of your site with the following content:
    Options +Includes
    AddType text/html .shtml
    AddHandler server-parsed .shtml
    That will configure just your site (not the whole server) to allow SSI.
    Good luck!
    ~Mike
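A check worth running after enabling SSI through .htaccess as in the answer above: Apache's `Options +Includes` also permits the `#exec` directive, whereas `IncludesNOEXEC` allows includes with `#exec` disabled. This is an added example, not code from the thread; the function names and the sample site folders are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for SSI settings that permit "#exec".

# Print .htaccess files under $1 whose Options line turns on full Includes.
# "Options +IncludesNOEXEC" and "Options -Includes" do not match.
ssi_full_includes() {
    find "$1" -type f -name .htaccess -exec grep -lEi \
        '^[[:space:]]*Options([[:space:]]+[+-]?[A-Za-z]+)*[[:space:]]+\+?Includes([[:space:]]|$)' \
        {} + 2>/dev/null || true
}

# Print files under $1 that contain an SSI exec directive.
ssi_exec_pages() {
    grep -rlF '<!--#exec' "$1" 2>/dev/null || true
}

# Build a constructed sample tree and print its path.
#   site_a: the .htaccess from the answer, plus a page using only #echo
#   site_b: the same .htaccess with IncludesNOEXEC
#   site_c: a page that uses #exec
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/site_a" "$root/site_b" "$root/site_c"
    printf 'Options +Includes\nAddType text/html .shtml\nAddHandler server-parsed .shtml\n' \
        > "$root/site_a/.htaccess"
    printf '<!--#config timefmt="%%A" --> <!--#echo var="DATE_LOCAL" -->\n' \
        > "$root/site_a/index.shtml"
    printf 'Options +IncludesNOEXEC\nAddType text/html .shtml\nAddHandler server-parsed .shtml\n' \
        > "$root/site_b/.htaccess"
    printf '<!--#exec cmd="uptime" -->\n' > "$root/site_c/status.shtml"
    printf '%s\n' "$root"
}

# Demo on the constructed tree.
demo=$(make_sample_tree)
echo "full Includes enabled in:"
ssi_full_includes "$demo"
echo "pages using #exec:"
ssi_exec_pages "$demo"
rm -rf "$demo"
```

If a site only needs `#echo` and `#include`, as the test page in the question does, the site_b form is sufficient.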
